
Identity Manager 9.2 - Secure Password Extension Administration Guide

Specifying the Password Reset Portal location

You must manually specify the URL path of the Password Reset Portal.

To specify the Password Reset Portal location on a computer running Windows Server 2012 R2 or later

  1. In Windows, click Start and open the Run application.

  2. In the Run dialog, enter mmc and click OK.

  3. In the Console window in the File menu, click Add/Remove Snap-in.

  4. In the Add or Remove Snap-ins dialog in the list of available snap-ins, double-click Group Policy Management Editor.

  5. In the Group Policy Wizard window, click Browse, select Default Domain Policy, and click OK.

  6. Click Finish.

  7. In the Add or Remove Snap-ins dialog, click OK.

  8. In the Console window in the left pane, expand Default Domain Policy > Computer Configuration.

  9. Right-click the Administrative Templates node and select Add/Remove Templates.

  10. In the Add/Remove Templates dialog, click Add.

  11. In the file browser, browse for the prm_gina.admx file, select it, and then click Open.

  12. In the Add/Remove Templates dialog, click Close.

  13. In the Console window under Computer Configuration, select the Administrative Templates node and then, on the right pane, double-click the One Identity Password Manager template.

  14. Double-click Generic Settings.

  15. Double-click Specify URL path to the Self-Service site.

  16. In the Specify URL path to the Self-Service site window in the Settings tab, select the Enabled option.

  17. In the field, enter the URL path to the Password Reset Portal (for example, https://example.com/PasswordWeb).

  18. Click OK.

  19. Double-click Override URL path to the Self-Service site.

  20. In the Settings tab, select the Enabled option.

  21. Click OK.

  22. Apply the updated policy to the computers in the managed domain.

NOTE: Application of the updated policy to the computers in the managed domain may take some time to complete.

Configuring Secure Password Extension using administrative templates

The administrative template features a powerful set of options that allow you to customize the behavior and appearance of Secure Password Extension according to your requirements.

The administrative template layout includes the following folder:

  • Generic settings: Includes policy settings that can be applied to computers running Windows 8.1 and Windows 10 operating systems.

Brief descriptions of the administrative template policy settings are outlined in the following sections.


Generic settings

The following table outlines generic administrative template policy settings you can use to customize the behavior of Secure Password Extension.

NOTE: One Identity Manager does not support all settings displayed in the administrative template. This document only lists settings supported by One Identity Manager.

Table 1: Generic administrative template policy settings

Policy name

Description

Generic Settings

Specify URL path to the Self-Service site

Specify the URL to access the Password Reset Portal from the Windows login screen. This link is opened when users click the Open the Self Service site link, which is displayed by default.

Override URL path to the Self-Service site

Enable the use of the URL to the Password Reset Portal specified in the Specify URL path to the Self-Service site setting.

Maximum number of attempts to connect to the Self-Service site

Specify the maximum number of attempts to connect to the Password Reset Portal from Secure Password Extension.

If you disable or do not configure this policy setting, the maximum number of attempts is five.

Add the Forgot My Password link to credential provider tile

Enable this policy setting to add the Forgot my password link to the tile of the selected credential provider on the login screen.

You can select a credential provider from the list or specify the GUID of another credential provider. The GUID must be specified in the following format: {00000000-0000-0000-0000-000000000000}

If you disable or do not configure this policy setting, the Forgot my password link is added to the default Microsoft Password provider tile.

Refresh interval

Specify how often domain settings are refreshed for Secure Password Extension.

The default value is 5 minutes. If you want to reduce network load, you can increase the refresh interval. If you disable or do not configure this policy setting, the default refresh interval will be used.

Proxy Settings

Enable proxy server access

Enable this policy setting to establish the connection from the Windows login screen to the Password Reset Portal through a proxy server.

Configure required proxy settings

Specify the settings required to enable proxy server access to the Password Reset Portal from the Windows login screen.

Configure optional proxy settings

Specify optional settings for the proxy server access.

Shortcut Policies

Restore desktop shortcuts for the Self-Service site

Enable this policy setting to re-create the desktop shortcut to the Password Reset Portal on a user's computer by Secure Password Extension if the user deletes the desktop shortcut.

Do not create desktop shortcuts for the Self-Service site

Enable this policy setting if you do not want desktop shortcuts to be created by Secure Password Extension on end-user computers.

Do not create any shortcuts for the Self-Service site

Enable this policy setting if you do not want any shortcuts to be created by Secure Password Extension on end-user computers.

Secure Password Extension Title Settings

Display custom names for the Secure Password Extension window title

Enable this policy setting to use custom titles for the Secure Password Extension window.

Set custom name for the Secure Password Extension window title in <Language>

Specify a custom title for the Secure Password Extension window. You can specify the title for each of the required login languages. There are 36 language-specific policy settings available.

The title you specify must not exceed 32 characters. If you use a hieroglyphic font, the title must not exceed 14 characters because of the width of the hieroglyphs. The URL length must not exceed 256 characters.

Usage Policy Settings

Display the usage policy button (command link)

Defines whether to display the usage policy buttons and command links for which you have specified the login language-specific names and URLs.

On Windows operating systems, the usage policy command link is displayed on the Windows login screen and is intended to open an HTML document that describes the enterprise usage policy or contains any information that you may want to make available to end users.

Set default URL

This policy lets you specify a URL referring to the usage policy document that will be opened by clicking the usage policy button (command link) if no login language-specific URLs are set. The default URL may refer to a DOC, TXT, or HTML file.

Set name and URL for the usage policy button (command link) in <Language>

This group of policy settings allows you to specify the name of the usage policy button (command link) and set the link to the usage policy document that will be opened by clicking the usage policy button or command link. You can specify the name and URL for each of the required login languages. 36 language-specific policy settings are available.

The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited to 14 characters because of the width of the hieroglyphs. The URL length must not exceed 256 characters.

Credential Provider’s Description

NOTE: If the Credential Provider's Description and the Icon's Text Label in the ADMX template are configured with different custom labels, then, as per Microsoft Windows 10 design, the pop-up text shown when hovering over the Credential Provider Icon is the text provided in the Credential Provider's Description, not the label from the Icon's Text Label.

Windows 8.1 and versions of Windows released before Windows 8.1 behave differently: the Credential Provider Icon gets its pop-up text from the Icon's Text Label, and the title has the label provided in the Credential Provider's Description.

Display custom description of the Secure Password Extension credential provider

This policy setting lets you define whether to replace the default description of the Secure Password Extension credential provider with the text that you specify for required login languages. The credential provider description is displayed when users select the Secure Password Extension credential provider in the Sign-in options under their user tiles on the login screen. If you enable this policy setting, the customized description will be displayed for the Secure Password Extension credential provider. If you disable or do not configure this policy setting, then the default language-specific description of the Secure Password Extension credential provider will be displayed.

Set the custom description in <Language>

This policy setting lets you specify a custom description of the Secure Password Extension credential provider in the selected language. If you enable this policy setting, then the custom text will be displayed when users select the Secure Password Extension credential provider in the Sign-in options under their user tiles on the login screen on computers that use the specified language as the login language. If you disable or do not configure this policy setting, then the default language-specific description of the Secure Password Extension credential provider will be displayed.

NOTE: If the Display custom description of the Secure Password Extension credential provider policy is disabled, then this policy has no effect.

Icon’s Text Label

Display custom labels for the Secure Password Extension credential provider’s icon

This policy setting lets you define whether to replace the default text label for the Secure Password Extension credential provider’s icon with the text that you specify for required login languages. The text label for the credential provider icon appears in a pop-up when a user hovers over the credential provider’s icon under the Sign-in options on the login screen. If you enable this policy setting, the custom label will be displayed for the Secure Password Extension credential provider’s icon. If you disable or do not configure this policy setting, then the default language-specific label for the Secure Password Extension credential provider’s icon will be displayed.

Set the custom label in <Language>

This policy setting lets you specify custom text labels for the Secure Password Extension credential provider’s icon in the selected language. If you enable this policy setting, then the custom label will be displayed when users hover over the credential provider’s icon under the Sign-in options on the login screen on computers that use the specified language as the login language. If you disable or do not configure this policy setting, then the default language-specific label for the Secure Password Extension credential provider’s icon will be displayed.

NOTE: If the Display custom labels for the Secure Password Extension credential provider’s icon policy is disabled, then this policy has no effect.

Link to the Self-Service Site

Display custom names of the Open the Self-Service site link

Specify a custom name for the Open the Password Reset Portal link. You can specify the name for each of the required login languages.

This link opens the Password Reset Portal from the login screen.

If you disable or do not configure this policy setting, the default language-specific name of the Open the Password Reset Portal link is displayed.

Set the custom names of the Open the Self-Service site link in <Language>

Specify a custom name for the Open the Password Reset Portal link. You can specify the name for each of the required login languages.

If you disable or do not configure this policy setting, the default language-specific name for the link is displayed.

Logging

For diagnostic purposes you can turn on logging in Secure Password Extension. The log file can contain the following information: exceptions and errors, debug messages and functions' returns, and so on. You can use this diagnostic data to identify issues with Secure Password Extension.

CAUTION: This section describes how to modify the registry. However, incorrectly modifying the registry may severely damage the system. Therefore, you should follow the steps carefully. It is also recommended to back up the registry before you modify it.

To enable logging

  1. In Windows, click Start and open the Run application.

  2. In the Run dialog, enter regedit and click OK.

  3. In the Registry Editor, create the following key: HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging.

  4. Add a new string value to the HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging registry key by performing the following actions:

    1. Click the HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging registry key.

    2. In the menu bar, click Edit > New > String Value.

    3. Enter LogLevel and press Enter.

    4. Right-click the LogLevel value.

    5. In the context menu, click Modify.

    6. In the Edit String dialog under Value data, enter All.

    7. Click OK.

  5. Add a new string value to the HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging registry key by performing the following actions:

    1. Click the HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging registry key.

    2. In the menu bar, click Edit > New > String Value.

    3. Enter LogFolder and press Enter.

    4. Right-click the LogFolder value.

    5. In the context menu, click Modify.

    6. In the Edit String dialog under Value data, enter the path to the log file. For example, C:\Logs.

    7. Click OK.

  6. Exit the Registry Editor.

  7. Restart the computer.

To disable logging

  1. In Windows, click Start and open the Run application.

  2. In the Run dialog, enter regedit and click OK.

  3. In the Registry Editor, click the HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager\Logging registry key.

  4. Right-click the LogLevel value.

  5. In the context menu, click Modify.

  6. In the Value data box, enter Off.

  7. Click OK.
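
The enable and disable procedures above can also be scripted. The following PowerShell is an added example, not part of the original guide or One Identity's tooling: the function name Set-SpeLogging is hypothetical, and creating the log folder when it is missing is an assumption, because the guide does not say whether Secure Password Extension creates it. The registry key, the value names, and the values All and Off are the ones given in the steps.

```powershell
#Requires -RunAsAdministrator
# Added example: scripts the regedit steps for Secure Password Extension logging.
# Set-SpeLogging is a hypothetical name; key, value names and All/Off come from the guide.

function Set-SpeLogging {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('All', 'Off')]   # the only two values the guide documents
        [string]$Level,

        # Used only when enabling; C:\Logs is the guide's example folder.
        [string]$Folder = 'C:\Logs'
    )

    $key = 'HKLM:\SOFTWARE\One Identity\Password Manager\Logging'

    if ($Level -eq 'Off' -and -not (Test-Path -LiteralPath $key)) {
        # The disable procedure edits an existing LogLevel value; nothing to change here.
        Write-Warning 'Logging key not found: logging was never enabled on this computer.'
        return
    }

    if (-not (Test-Path -LiteralPath $key)) {
        # Step 3 of the enable procedure; -Force also creates missing parent keys.
        New-Item -Path $key -Force | Out-Null
    }

    # String (REG_SZ) values, as in the "New > String Value" steps.
    New-ItemProperty -Path $key -Name 'LogLevel' -Value $Level -PropertyType String -Force | Out-Null

    if ($Level -eq 'All') {
        if (-not (Test-Path -LiteralPath $Folder)) {
            # Assumption of this example: create the folder if it does not exist yet.
            New-Item -Path $Folder -ItemType Directory -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name 'LogFolder' -Value $Folder -PropertyType String -Force | Out-Null
        Write-Warning 'Restart the computer to complete the enable procedure.'
    }

    # Return the resulting state so the change can be recorded or checked.
    Get-ItemProperty -Path $key | Select-Object -Property LogLevel, LogFolder
}

# Enable:   Set-SpeLogging -Level All -Folder 'C:\Logs'
# Disable:  Set-SpeLogging -Level Off
```

Because the log can contain debug messages and function return values, set LogLevel back to Off once the diagnostic data has been collected.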
