When accessing https://ServiceCluster.democorp.com, I receive an invalid certificate error in my browser.
Because you are not accessing each host by its real host name, the certificate that every node of the cluster presents must be issued for the cluster's fully qualified domain name: set that FQDN as the common name and, more importantly, as an entry in the Subject Alternative Name (SAN) extension. Current browsers match the requested host name against the SAN entries only and ignore the common name, so a certificate with the FQDN in the common name alone still produces the error.
When accessing https://ServiceCluster.democorp.com, Kerberos authentication fails.
Kerberos requires a service principal name (SPN) for the exact host name the client requests. Because you are accessing all servers in this cluster with the same fully qualified domain name, the client requests a ticket for that cluster name rather than for the individual host, and unless that SPN has been registered for the account under which the service runs on every node, Kerberos authentication fails and the client falls back to NT LAN Manager (NTLM). If you have NTLM disabled as a fallback, authentication will not work at all.
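The two checks a practitioner wants before filing either of the problems above are whether the certificate the cluster actually serves names the cluster FQDN, and whether an SPN for that name exists in the forest. The following PowerShell diagnostic is an added example, not part of the One Identity documentation. It assumes the cluster name used in the questions above, HTTPS on port 443, and a domain-joined Windows client on which setspn.exe is available; the certificate callback accepts any certificate only because the script inspects it rather than trusting it.

```powershell
# Added diagnostic (not from the One Identity documentation). Assumed: the cluster
# name from the questions above, HTTPS on 443, and a domain-joined Windows client
# so that setspn.exe is available.

function Get-ServedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    # Accept any certificate in the callback: we are inspecting it, not trusting it.
    $ssl = [System.Net.Security.SslStream]::new(
        $client.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Get-CertificateDnsNames {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Common name first, then every "DNS Name=" entry of the SAN extension (OID 2.5.29.17);
    # "DNS Name=host" is how Windows renders that extension through Format().
    $names = @($Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,]+)') |
            ForEach-Object { $_.Groups[1].Value.Trim() }
    }
    return $names
}

function Test-CertificateMatchesHost {
    param([Parameter(Mandatory)]$Certificate, [Parameter(Mandatory)][string]$HostName)
    # A wildcard may only replace the left-most label (RFC 6125), so
    # "ServiceCluster.democorp.com" is covered by "*.democorp.com" and nothing wider.
    $wildcardForm = $HostName -replace '^[^.]+', '*'
    foreach ($name in Get-CertificateDnsNames $Certificate) {
        if ($name -eq $HostName -or $name -eq $wildcardForm) { return $true }
    }
    return $false
}

function Test-SpnRegistered {
    param([Parameter(Mandatory)][string]$Spn)
    # setspn -Q searches the forest and prints "No such SPN found." if no account has it.
    $output = & setspn.exe -Q $Spn 2>&1
    return -not ($output -match 'No such SPN found')
}

$cluster = 'ServiceCluster.democorp.com'
$cert = Get-ServedCertificate -HostName $cluster
"Subject : $($cert.Subject)"
"Names   : $((Get-CertificateDnsNames $cert) -join ', ')"
"Expires : $($cert.NotAfter)"
"Certificate covers $cluster : $(Test-CertificateMatchesHost $cert $cluster)"
"SPN HTTP/$cluster registered : $(Test-SpnRegistered "HTTP/$cluster")"
```

If the certificate check prints true but the browser still complains, the remaining causes are trust (issuing CA not in the client's store) or a node in the cluster serving a different certificate, so repeat the check against each node's own address. If the SPN check prints false, Kerberos cannot succeed against the cluster name regardless of browser settings.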
Installing the Password Capture Agent with MSIEXEC
The Password Capture Agent setup can be automated using MSIEXEC parameters.
NOTE: MSIEXEC does not treat a value of 0 as clearing a check box. To clear one, pass an empty value instead, for example PROP_FINAL_FUNCTION_TEST="".
Parameters for MSIEXEC
PROP_WEBSERVICE
Values: URL of the web service
Configuration after setup: Registry value Service\WebService_URL
PROP_CERTIFICATE
Values: One Identity Manager password encryption certificate
Configuration after setup: Registry value Service\CertificateThumbprint
PROP_ENCRYPTED_PASSWORD_TRANSMISSION
Values: 0 | 1
Default: 1
Configuration after setup: Registry value Service\EncryptedPasswordTransmission
PROP_ENCRYPTED_PASSWORD_TRANSMISSION_SIGNING
Values: 0 | 1
Default: 1
Configuration after setup: Registry value Service\EncryptedPasswordTransmissionSigning
PROP_WEB_SERVICE_TYPE
It is strongly recommended that you use the One Identity Manager application server (REST). The One Identity Manager SOAP Web Service (Soap) is only included for backward compatibility with One Identity Manager version 6.x and should no longer be used.
Values: REST | Soap
Configuration after setup: Set-ServiceConfig.exe WebServiceType
PROP_LOGGING_SUCCESSFUL_OPERATIONS
Values: 0 | 1
Default: 0
Configuration after setup: Registry value Driver\LoggingSuccessfulOperations
PROP_IGNORE_PASSWORD_RESET_OPERATIONS
Values: 0 | 1
Default: 0
Configuration after setup: Registry value Driver\Ignoring\PasswordResetOperations
PROP_BACKEND_CLIENT_CREDENTIAL_TYPE
Values: DialogUser | WebADS | ADSAccount
Default: DialogUser
Configuration after setup: Set-ServiceConfig.exe BackendClientCredentialType
PROP_BACKEND_CLIENT_CREDENTIAL_USER_NAME
Default: viCaptureAgent
Configuration after setup: Set-ServiceConfig.exe BackendClientCredentialUserName
PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD
Configuration after setup: Set-ServiceConfig.exe BackendClientCredentialUserPwd
PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD_ACCEPT_EMPTY
Values: 0 | 1
Default: 0
Configuration after setup: Set-ServiceConfig.exe BackendClientCredentialUserPwd_AcceptEmpty
PROP_WEB_SERVICE_CLIENT_SKIP_HTTPS_VALIDATION
Leave this at 0 outside test environments. A value of 1 makes the agent skip validation of the web service's TLS certificate, so TLS no longer proves that the agent is talking to One Identity Manager and any endpoint that can impersonate the web service address will be accepted.
Values: 0 | 1
Default: 0
Configuration after setup: Set-ServiceConfig.exe WebServiceClientSkipHttpsValidation
PROP_WEB_SERVICE_CLIENT_CREDENTIAL_TYPE
Values: WindowsIntegrated | Certificate
Default: WindowsIntegrated
Configuration after setup: Set-ServiceConfig.exe WebServiceClientCredentialType
PROP_WEB_SERVICE_CLIENT_CREDENTIAL_CERTIFICATE_FIND_BY_TYPE
Values: All values of the .NET X509FindType enumeration are allowed.
Default: FindByThumbprint
Configuration after setup: Set-ServiceConfig.exe WebServiceClientCredentialCertificateFindByType
PROP_WEB_SERVICE_CLIENT_CREDENTIAL_CERTIFICATE
Configuration after setup: Set-ServiceConfig.exe WebServiceClientCredentialCertificate
PROP_FINAL_FUNCTION_TEST
Only used by setup to determine whether the final function test should be run. If the test fails, setup fails.
Values: 0 | 1
Default: 1
Configuration after setup: Only used by setup.
Example 1: Silent install with default settings
msiexec.exe /i "<SETUP_MSI_FILE>" /quiet /norestart /L "<LOGFILE>"
Example 2: Silent install with parameters
msiexec.exe /i "<SETUP_MSI_FILE>" /quiet /norestart PROP_WEBSERVICE="<WEBSERVICE_URL>" PROP_WEB_SERVICE_TYPE="<WEBSERVICE_TYPE>" PROP_CERTIFICATE="<CERTIFICATE_THUMBPRINT>" PROP_ENCRYPTED_PASSWORD_TRANSMISSION="1" PROP_ENCRYPTED_PASSWORD_TRANSMISSION_SIGNING="1" PROP_BACKEND_CLIENT_CREDENTIAL_USER_NAME="<One Identity Manager system user>" PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD="<System user password>" PROP_FINAL_FUNCTION_TEST="1" PROP_IGNORE_PASSWORD_RESET_OPERATIONS="" /L "<LOGFILE>"
Example 3: Interactive installation
msiexec.exe /i "<SETUP_MSI_FILE>" /norestart PROP_WEBSERVICE="<WEBSERVICE_URL>" PROP_WEB_SERVICE_TYPE="<WEBSERVICE_TYPE>" PROP_CERTIFICATE="<CERTIFICATE_THUMBPRINT>" PROP_ENCRYPTED_PASSWORD_TRANSMISSION="1" PROP_ENCRYPTED_PASSWORD_TRANSMISSION_SIGNING="1" PROP_BACKEND_CLIENT_CREDENTIAL_TYPE="DialogUser" PROP_BACKEND_CLIENT_CREDENTIAL_USER_NAME="<One Identity Manager system user>" PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD="<System user password>" PROP_FINAL_FUNCTION_TEST="1" PROP_IGNORE_PASSWORD_RESET_OPERATIONS="" /L "<LOGFILE>"
Example 4: Uninstall
msiexec.exe /X{E7D3E2C0-0BD9-4EBB-A70C-E835D575611B} /quiet /norestart /L "<LOGFILE>"
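The examples above show the bare msiexec command lines. When the installation is scripted for many workstations, the pieces that usually go wrong are the quoting of property values, the empty value needed to clear a check box (see the NOTE above), and the missing check of the msiexec exit code and log. The following PowerShell wrapper is an added example and not part of the One Identity setup package; the MSI path, web service URL and certificate thumbprint are placeholders, the PROP_* names are the ones listed above, and the exit codes are the standard Windows Installer ones.

```powershell
# Added example (not part of the One Identity setup). Placeholders: the MSI path,
# the web service URL and the certificate thumbprint. PROP_* names are the ones
# documented above; exit codes are the standard Windows Installer codes.

function Install-PasswordCaptureAgent {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][hashtable]$Properties,
        [string]$LogPath = (Join-Path $env:TEMP 'PasswordCaptureAgent-install.log')
    )
    # Build NAME="value" pairs. A $null or '' value becomes NAME="", which is the only
    # way to clear a check box (MSIEXEC does not treat 0 as "off", see the NOTE above).
    # An embedded double quote is doubled, per Windows Installer command-line rules.
    $propArgs = foreach ($kv in $Properties.GetEnumerator()) {
        $value = if ($null -eq $kv.Value) { '' } else { [string]$kv.Value }
        '{0}="{1}"' -f $kv.Key, ($value -replace '"', '""')
    }
    $msiArgs = @('/i', "`"$MsiPath`"", '/quiet', '/norestart') + $propArgs +
               @('/L*v', "`"$LogPath`"")

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0    { Write-Host 'Installed.' }
        3010 { Write-Host 'Installed; a reboot is required.' }
        1618 { Write-Warning 'Another installation is in progress; retry later.' }
        1619 { Write-Warning "Package could not be opened: $MsiPath" }
        default {
            Write-Warning "msiexec exited with $($proc.ExitCode); see $LogPath"
            # Windows Installer logs "Return value 3" for the action that failed; with
            # PROP_FINAL_FUNCTION_TEST=1 a failed function test surfaces here as well.
            $hit = Select-String -Path $LogPath -Pattern 'Return value 3' | Select-Object -First 1
            if ($hit) {
                Get-Content -Path $LogPath |
                    Select-Object -Skip ([Math]::Max(0, $hit.LineNumber - 15)) -First 15
            }
        }
    }
    return $proc.ExitCode
}

# Prompt for the system user's password instead of hard-coding it in the script.
$backendCred = Get-Credential -UserName 'viCaptureAgent' -Message 'One Identity Manager system user'

$properties = @{
    PROP_WEBSERVICE                               = '<WEBSERVICE_URL>'
    PROP_WEB_SERVICE_TYPE                         = 'REST'
    PROP_CERTIFICATE                              = '<CERTIFICATE_THUMBPRINT>'
    PROP_ENCRYPTED_PASSWORD_TRANSMISSION          = 1
    PROP_ENCRYPTED_PASSWORD_TRANSMISSION_SIGNING  = 1
    PROP_BACKEND_CLIENT_CREDENTIAL_TYPE           = 'DialogUser'
    PROP_BACKEND_CLIENT_CREDENTIAL_USER_NAME      = $backendCred.UserName
    PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD       = $backendCred.GetNetworkCredential().Password
    PROP_WEB_SERVICE_CLIENT_SKIP_HTTPS_VALIDATION = 0
    PROP_FINAL_FUNCTION_TEST                      = 1
    PROP_IGNORE_PASSWORD_RESET_OPERATIONS         = ''   # cleared check box
}
$exitCode = Install-PasswordCaptureAgent -MsiPath '<SETUP_MSI_FILE>' -Properties $properties
```

Two caveats that the command-line examples hide: while msiexec runs, the system user's password is part of the process command line and readable by anyone who can enumerate processes on the machine, and Windows Installer writes property values into a verbose log unless the package declares them hidden. Whether this package hides PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD is not stated on this page, so restrict or delete the log once the installation has been verified.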
Certificate lookup options
Because certificates have a limited lifetime and must be renewed or replaced, the Password Capture Agent service lets you configure how it searches for a valid client certificate instead of pinning a single thumbprint. Note that not every available FindByType is suitable: a lookup that can match more than one certificate, or certificates you do not control, is not a safe choice.
Example: Use certificate from local trusted root certificate authority (Active Directory Certificate Services)
All certificates issued by DEMOCORP DEMO ROOT CA are valid for this purpose. Automatic enrollment is used to distribute the certificates, and new certificates will automatically be generated before expiration.
- WebServiceClientCredentialCertificateFindByType = FindByIssuerDistinguishedName
- WebServiceClientCredentialCertificate = "CN=DEMOCORP DEMO ROOT CA, DC=Democorp, DC=com"
Example: Use certificate based on subject
All certificates with the subject demoadmn are valid for this purpose.
- WebServiceClientCredentialCertificateFindByType = FindBySubjectDistinguishedName
- WebServiceClientCredentialCertificate = "CN=demoadmn, CN=Users, DC=Democorp, DC=com"
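Before committing an issuer or subject lookup to the agent configuration, it is worth running the same X509FindType search against the local store to see which certificates it returns today and whether the result is unambiguous. The following PowerShell script is an added example, not the agent's own code; it assumes the agent reads from the LocalMachine\My store (this page does not say which store is used) and, because the page also does not say which certificate the agent picks when several match, it flags ambiguous lookups rather than guessing. It covers the two lookups configured above and a static thumbprint lookup for comparison.

```powershell
# Added example (not the agent's own code). Assumed: the agent looks in the
# LocalMachine\My store, which this page does not state. Which certificate the
# agent picks when several match is not stated either, so ambiguity is reported.
using namespace System.Security.Cryptography.X509Certificates

function Find-AgentCertificate {
    param(
        [Parameter(Mandatory)][X509FindType]$FindByType,
        [Parameter(Mandatory)][string]$FindValue,
        [StoreLocation]$Location = [StoreLocation]::LocalMachine,
        [StoreName]$StoreName = [StoreName]::My
    )
    $store = [X509Store]::new($StoreName, $Location)
    $store.Open([OpenFlags]::ReadOnly)
    try {
        # validOnly = $true keeps only certificates that are inside their validity
        # period and chain to a trusted root; that is what lets an issuer or subject
        # lookup pick up an auto-enrolled renewal and drop the expired predecessor.
        $found = $store.Certificates.Find($FindByType, $FindValue, $true)
        # The agent authenticates with the private key, so a certificate without one is useless.
        return @($found | Where-Object { $_.HasPrivateKey } | Sort-Object NotAfter -Descending)
    } finally {
        $store.Close()
    }
}

function Test-CertificateLookup {
    param([Parameter(Mandatory)][X509FindType]$FindByType, [Parameter(Mandatory)][string]$FindValue)
    $certs = Find-AgentCertificate -FindByType $FindByType -FindValue $FindValue
    switch ($certs.Count) {
        0 { Write-Warning "$FindByType '$FindValue': no valid certificate with a private key" }
        1 { Write-Host "$FindByType '$FindValue' -> $($certs[0].Thumbprint), expires $($certs[0].NotAfter)" }
        default {
            Write-Warning "$FindByType '$FindValue' matches $($certs.Count) certificates; narrow the value"
            $certs | Format-Table Thumbprint, Subject, NotAfter -AutoSize | Out-Host
        }
    }
    return $certs
}

# The two lookups configured above, plus a static thumbprint for comparison.
# Subject and issuer lookups compare the complete distinguished name string,
# so the value must match the certificate's Subject or Issuer exactly.
Test-CertificateLookup FindByIssuerDistinguishedName  'CN=DEMOCORP DEMO ROOT CA, DC=Democorp, DC=com'
Test-CertificateLookup FindBySubjectDistinguishedName 'CN=demoadmn, CN=Users, DC=Democorp, DC=com'
Test-CertificateLookup FindByThumbprint '<CERTIFICATE_THUMBPRINT>'
```

The issuer lookup is the one that needs most scrutiny: it returns every valid certificate with a private key that the named CA issued to this machine, including certificates enrolled for other purposes, so run it on a representative host before deploying that setting.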
Example: Use static certificate by thumbprint and change manually when new certificate is available
The VI_CaptureAgent_SetPassword script, which is stored in the One Identity Manager database, returns one of several known error codes when it rejects a password change. If that script does not suit your needs, you can override it with your own.
The following table lists the codes the VI_CaptureAgent_SetPassword script returns, the resulting action, and the recommended remedy.
Table 2: Errors and appropriate actions
Code | Description | Action | Remedy
0 | No error. The change went through. | OK |
1 | Password cycle detected. | Skip | Check the manual for password cycles.
2 | Active Directory account is marked as privileged and will not be handled. | Skip |
1212 | Active Directory account has no domain. | Skip |
1317 | Active Directory account is not known by One Identity Manager. | Skip | Check whether your Active Directory domain has been configured to be synchronized regularly within One Identity Manager.
1332 | Active Directory account exists but is not mapped to an identity in One Identity Manager. | Skip | Check the One Identity Manager configuration; you should not have Active Directory user accounts without mapped identities.
1355 | Active Directory domain is not known by One Identity Manager. | Skip | Check whether your Active Directory domain has been configured to be synchronized within One Identity Manager.
9901 | More than one Active Directory account found in the One Identity Manager database matching DOMAIN\SAMAccountName. | Skip | Check for duplicate entries in the ADSAccount table within One Identity Manager.
9902 | Failed to load the identity mapped to the Active Directory account from the One Identity Manager database. | Skip | Check One Identity Manager for problems; try loading that identity within the Object Browser.
8205 | Password encryption does not match the configuration in One Identity Manager. | Skip | Compare the configuration of One Identity Manager and the Password Capture Agent.