Chat now with support
Chat with Support

Identity Manager 9.2 - Password Capture Agent Administration Guide

The One Identity Manager Password Capture Agent Managing the Password Capture Agent Fine-tuning automated password synchronization The Password Capture Agent Windows PowerShell module Event log for the Password Capture Agent Customizing security for the Password Capture Agent service Achieving high availability for the web service with Windows Network Load Balancing Installing the Password Capture Agent with MSIEXEC Certificate lookup options Known error codes

Troubleshooting

When accessing https://ServiceCluster.democorp.com, I receive an invalid certificate error in my browser.

Because you are not accessing each host by its real host name, you must ensure that the SSL certificate is issued to the common name matching the cluster’s fully qualified domain name, and that the fully qualified domain name is set in the Subject Alternative Names (SAN) field.

When accessing https://ServiceCluster.democorp.com, Kerberos authentication fails.

Because you are accessing all servers in this cluster with the same fully qualified domain name, Kerberos authentication will fail. If you have NT Lan Manager disabled as fallback, authentication will not work.

Installing the Password Capture Agent with MSIEXEC

The Password Capture Agent setup can be automated using MSIEXEC parameters.

NOTE: MSIEXEC does not recognize 0 to clear check boxes; instead, for example, use PROP_FINAL_FUNCTION_TEST="".

Parameters for MSIEXEC

PROP_WEBSERVICE

Values: URL of the web service

Configuration after setup: Registry value Service\WebService_URL

PROP_CERTIFICATE

Values: One Identity Manager password encryption certificate

Configuration after setup: Registry value Service\CertificateThumbprint

PROP_ENCRYPTED_PASSWORD_TRANSMISSION

Values: 0 | 1

Default: 1

Configuration after setup: Registry value Service\EncryptedPasswordTransmission

PROP_ENCRYPTED_PASSWORD_TRANSMISSION_SIGNING

Values: 0 | 1

Default: 1

Configuration after setup: Registry value Service\EncryptedPasswordTransmissionSigning

PROP_WEB_SERVICE_TYPE

It is strongly recommended you use the One Identity Manager application server (REST). The One Identity ManagerSOAP Web Service support (Soap) is only included for backward compatibility to One Identity Manager version 6.x and should not be used anymore.

Values: REST | Soap

Configuration after setup: Set-ServiceConfig.exe WebServiceType

PROP_LOGGING_SUCCESSFUL_OPERATIONS

Values: 0 | 1

Default: 0

Configuration after setup: Registry value Driver\LoggingSuccessfulOperations

PROP_IGNORE_PASSWORD_RESET_OPERATIONS

Values: 0 | 1

Default: 0

Configuration after setup: Registry value Driver\Ignoring\PasswordResetOperations

PROP_BACKEND_CLIENT_CREDENTIAL_TYPE

Values: DialogUser | WebADS | ADSAccount

Default: DialogUser

Configuration after setup: Set-ServiceConfig.exe BackendClientCredentialType

PROP_BACKEND_CLIENT_CREDENTIAL_USER_NAME

Default: viCaptureAgent

Configuration after setup: Set-ServiceConfig.exe BackendClientCredentialUserName

PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD

Configuration after setup: Set-ServiceConfig.exe BackendClientCredentialUserPwd

PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD_ACCEPT_EMPTY

Values: 0 | 1

Default: 0

Configuration after setup: Set-ServiceConfig.exe BackendClientCredentialUserPwd_AcceptEmpty

PROP_WEB_SERVICE_CLIENT_SKIP_HTTPS_VALIDATION

Values: 0 | 1

Default: 0

Configuration after setup: Set-ServiceConfig.exe WebServiceClientSkipHttpsValidation

PROP_WEB_SERVICE_CLIENT_CREDENTIAL_TYPE

Values: WindowsIntegrated | Certificate

Default: WindowsIntegrated

Configuration after setup: Set-ServiceConfig.exe WebServiceClientCredentialType

PROP_WEB_SERVICE_CLIENT_CREDENTIAL_CERTIFICATE_FIND_BY_TYPE

Values: All values of the X509FindType-enumeration are allowed.

Default: FindByThumbprint

Configuration after setup: Set-ServiceConfig.Exe WebServiceClientCredentialCertificateFindByType

PROP_WEB_SERVICE_CLIENT_CREDENTIAL_CERTIFICATE

Configuration after setup: Set-ServiceConfig.Exe WebServiceClientCredentialCertificate

PROP_FINAL_FUNCTION_TEST

Only used by setup to determine whether final function test should be run. Failure will cause setup to fail.

Values: 0 | 1

Default: 1

Configuration after setup: Only used by setup.

Example 1: Silent install with default settings

msiexec.exe /i "<SETUP_MSI_FILE>" /quiet /norestart /L "<LOGFILE>"

Example 2: Silent install with parameters

msiexec.exe /i "<SETUP_MSI_FILE>" /quiet /norestart PROP_WEBSERVICE="<WEBSERVICE_URL>" PROP_WEB_SERVICE_TYPE="<WEBSERVICE_TYPE>" PROP_CERTIFICATE="<CERTIFICATE_THUMBPRINT>" PROP_ENCRYPTED_PASSWORD_TRANSMISSION="1" PROP_ENCRYPTED_PASSWORD_TRANSMISSION_SIGNING="1" PROP_BACKEND_CLIENT_CREDENTIAL_USER_NAME="<One Identity Manager system user>" PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD="<System user password>" PROP_FINAL_FUNCTION_TEST="1" PROP_IGNORE_PASSWORD_RESET_OPERATIONS="" /L "<LOGFILE>"

Example 3: Interactive installation

msiexec.exe /i "<SETUP_MSI_FILE>" /norestart PROP_WEBSERVICE="<WEBSERVICE_URL>" PROP_WEB_SERVICE_TYPE="<WEBSERVICE_TYPE>" PROP_CERTIFICATE="<CERTIFICATE_THUMBPRINT>" PROP_ENCRYPTED_PASSWORD_TRANSMISSION="1" PROP_ENCRYPTED_PASSWORD_TRANSMISSION_SIGNING="1" PROP_BACKEND_CLIENT_CREDENTIAL_TYPE="DialogUser" PROP_BACKEND_CLIENT_CREDENTIAL_USER_NAME="<One Identity Manager system user>" PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD="<System user password>" PROP_FINAL_FUNCTION_TEST="1" PROP_IGNORE_PASSWORD_RESET_OPERATIONS="" /L "<LOGFILE>"

Example 4: Uninstall

msiexec.exe /X{E7D3E2C0-0BD9-4EBB-A70C-E835D575611B} /quiet /norestart /L "<LOGFILE>"

Related topics

Certificate lookup options

Because certificates have a limited lifetime and therefore need to be renewed or updated, Password Capture Agent service has the option to configure the search for valid certificates. Note that not all configurable FindByTypes may be suitable for your needs.

Example: Use certificate from local trusted root certificate authority (Active Directory Certificate Services)

All certificates issued by DEMOCORP DEMO ROOT CA are valid for this purpose. Automatic enrollment is used to distribute the certificates, and new certificates will automatically be generated before expiration.

  • WebServiceClientCredentialCertificateFindByType = FindByIssuerName

  • WebServiceClientCredentialCertificate = "DEMOCORP DEMO ROOT CA"

- OR-

  • WebServiceClientCredentialCertificateFindByType = FindByIssuerDistinguishedName

  • WebServiceClientCredentialCertificate = "CN=DEMOCORP DEMO ROOT CA, DC=Democorp, DC=com"

Example: Use certificate based on subject

All certificates with the subject demoadmn are valid for this purpose.

  • WebServiceClientCredentialCertificateFindByType = FindBySubjectName

  • WebServiceClientCredentialCertificate = "demoadmn"

- OR-

  • WebServiceClientCredentialCertificateFindByType = FindBySubjectDistinguishedName

  • WebServiceClientCredentialCertificate = "CN=demoadmn, CN=Users, DC=Democorp, DC=com"

Example: Use static certificate by thumbprint and change manually when new certificate is available
  • WebServiceClientCredentialCertificateFindByType = FindByIssuerName

  • WebServiceClientCredentialCertificate = 0123456789ABCED0123456789ABCED0123456789

Known error codes

There are several known error codes that the VI_CaptureAgent_SetPassword script can use to reject a password change. The script is stored in the One Identity Manager database. If that script does not suit your needs, you can overwrite it.

Following is the list of possible errors and appropriate actions that are returned by the VI_CaptureAgent_SetPassword script.

Table 2: Errors and appropriate actions
Error code Error message Action Adminstration action

0

No Error. Change went through.

OK

1

Password cycle detected.

Skip

Check manual for password cycles.

2

Active Directory account is marked as privileged and will not be handled.

Skip

 

1212

Active Directory account has no domain.

Skip

 

1317

Active Directory account is not known by One Identity Manager.

Skip

Check if your Active Directory domain has been configured to be synchronized regularly within One Identity Manager.

1332

Active Directory account exists but is not mapped to an identity in One Identity Manager.

Skip

Check One Identity Manager configuration; you should not have Active Directory user accounts without mapped identities.

1355

Active Directory domain is not known by One Identity Manager.

Skip

Check if your Active Directory domain has been configured to be synchronized within One Identity Manager.

9901

More than one Active Directory account found in One Identity Manager database matching DOMAIN\SAMAccountName.

Skip

Check for duplicate entries in table ADSAccount within One Identity Manager.

9902

Failed to load identity mapped to Active Directory account from One Identity Manager database.

Skip

Check One Identity Manager for problems; try loading that identitywithin the Object Browser.

8205

Password encryption does not match the configuration in One Identity Manager.

Skip

Compare configuration of One Identity Manager and Password Capture Agent.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating