One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide


How do I manage accounts on unsupported platforms

Safeguard for Privileged Passwords makes it possible for you to manage passwords for accounts on unsupported platforms by using a profile with a manual change password setting. For example, you might have an asset that is not on the network. The manual change password setting allows you to comply with your company policies to change account passwords on a regular schedule without using the Safeguard for Privileged Passwords automatic change password settings. Safeguard for Privileged Passwords notifies you by email, toast notification, or both on a set schedule to change account passwords manually. You can then reset the password yourself, or allow Safeguard for Privileged Passwords to generate a random password according to the password rule selected in the profile.

Important: After you change the password in Safeguard for Privileged Passwords you must remember to change the password on the account; Safeguard for Privileged Passwords does not do that automatically for you.

The following summarizes the general workflow for managing accounts on unsupported platforms.

To manage account passwords manually

  1. Configure a profile with a manual change password setting and assign asset accounts to it. For more information, see Adding change password settings.
  2. Ensure toast notifications or email notifications are properly configured. For more information, see Settings or Enabling email notifications.
  3. When notified to change an account password, choose the Set Password option you prefer:
    1. Generate Password - to have Safeguard for Privileged Passwords generate a new random password that complies with the password rule set in the account's profile.
      1. Click (or tap) Generate Password to display the Password Change dialog.
      2. Click (or tap) Show Password to reveal the new password.
      3. Click (or tap) Copy to place the value into your copy buffer.

        • Log into your device, using the old password, and change it to the password in your copy buffer.
      4. Click (or tap) Success to change the password in the Safeguard for Privileged Passwords database.
    2. Manual Password - to manually set the account password in the Safeguard for Privileged Passwords database.
      1. Click (or tap) Manual Password to display the Set Password dialog.
      2. Enter and save a new password.

        OK updates the Safeguard for Privileged Passwords database.

      3. Set the account password on the physical device to synchronize it with Safeguard for Privileged Passwords.

How do I modify the appliance configuration settings

You can modify the appliance configuration settings using the Web client or Windows desktop client (Administrative Tools | Settings | Appliance).

Note: This topic assumes you have already performed the initial appliance installation and configuration steps in the One Identity Safeguard for Privileged Passwords Appliance Setup Guide provided in the box with your hardware equipment.

To modify the appliance configuration settings (web client)

  1. Log into the Safeguard for Privileged Passwords Web client using the Appliance Administrator account.
  2. Select the Settings icon; then, click (or tap) the Appliance icon to open the Appliance Settings pane.
  3. In the Appliance Settings pane, select Appliance Configuration.
  4. On the Appliance Configuration page, configure the following:

    NOTE: Click (or tap) the Edit icon to modify these settings. After editing a setting, you must save that individual setting before editing an additional setting.

    • Time: Enable Network Time Protocol (NTP) and set the primary and secondary NTP servers, if desired.
    • Network (X0): Enter the DNS Server address information for your primary interface.
    • Sessions (X1): Configure the sessions interface. If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords.

To modify the appliance configuration settings (Windows desktop client)

  1. Log in using the Appliance Administrator account.
  2. Navigate to Administrative Tools | Settings | Appliance.
  3. Expand the Time pane to enable NTP and set the primary and secondary NTP servers. Click (or tap) OK.
  4. Expand the Appliance Information pane to change the appliance name.

    1. To change the appliance's name, click (or tap) Edit next to the Appliance Name.

  5. Expand the Networking pane to add or modify DNS suffixes and to configure the network interface for the embedded sessions module for Safeguard for Privileged Passwords.

    1. To change the DNS suffixes for your primary interface, click (or tap) Edit next to the Network Interface X0 heading.

      • Enter the DNS suffixes to be used.
      • Click (or tap) OK.
    2. To configure the sessions interface, click (or tap) Edit next to the Network Interface X1 heading. If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords.

      • Enter the IP Address, netmask, and gateway information, and the DNS servers and suffixes.
      • Click (or tap) OK.

How do I prevent Safeguard for Privileged Passwords messages when making RDP connections

When making an RDP connection, you may encounter two different certificate messages.

  • Unsigned RDP file message

    This message occurs when Remote Desktop Connection opens the RDP file that is downloaded when you click (or tap) Play in the Safeguard for Privileged Passwords user interface.

    We are currently working on a solution that will allow Safeguard for Privileged Passwords to sign this RDP file to avoid this message.

  • Untrusted server certification message

    This message occurs when the workstation has not trusted the Safeguard for Privileged Passwords RDP Connection Signing Certificate.

    NOTE: The IP address of the connecting server is that of the Safeguard appliance.

    To avoid this message, you must trust the RDP Connection Signing Certificate and certificates in its chain of trust or replace the current certificate with an enterprise certificate and chain of trust that is trusted. For more information on certificate chain of trust, see Certificate chain of trust. For more information on replacing the RDP Connection Signing Certificate, see Sessions Certificates.

    One Identity recommends that you replace the entire configuration with your own trusted enterprise PKI. This would result in a structure such as:

    • Your Root CA
      • Your Issuing CA
        • Your RDP Signing Certificate (from Safeguard CSR)
          • <Sessions module generated certificate>

    The Root CA, Issuing CA, and RDP Signing Certificates can be distributed via Group Policy, Active Directory, or other distribution means.

Related Topics

Sessions Certificates

Certificate chain of trust

The default certificate chain of trust configuration that ships with Safeguard for Privileged Passwords is generated from the SafeguardCluster root certificate.

Figure 1: Default certificate chain of trust

When setting up RDP Connection Signing, the certificate chain of trust also includes the certificate issued to Safeguard for Privileged Passwords for RDP, as illustrated below.

Figure 2: Default certificate chain of trust when setting up RDP Connection Signing

NOTES:

  • The Safeguard for Privileged Passwords Cluster certificate must be added to the trusted root CA certificate store and the DefaultSessionRdpSigning certificate must be added to the intermediate CA certificate store of the workstations from which a session request is submitted.
  • Once configured, RDP sessions from any cluster member will be trusted (thus avoiding the Untrusted server certification message) because the certificate for each Safeguard for Privileged Passwords cluster member is issued by the DefaultSessionRdpSigning certificate.
  • This also prevents receiving new messages should the IP address of the Safeguard for Privileged Passwords Appliance change.
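
The store placement described in the notes above (root certificate in the trusted root CA store, DefaultSessionRdpSigning in the intermediate CA store) and the Root CA / Issuing CA / RDP Signing Certificate structure from the RDP messages topic can be checked on a workstation before users start submitting session requests. The following PowerShell is an added example, not code from the Safeguard documentation or from One Identity. It assumes the cluster root and the RDP signing intermediate have been exported from the appliance as .cer files, that the certificate presented by a cluster member (the sessions module generated certificate) is also available as a .cer file, and that it runs in an elevated session with the PKI module available; all file paths are placeholders.

```powershell
# Added example (not from the Safeguard guide). Assumed inputs, all placeholders:
#   - The SafeguardCluster root certificate and the DefaultSessionRdpSigning
#     intermediate certificate, exported from the appliance as .cer files.
#   - The certificate presented by one cluster member during an RDP session
#     (the sessions module generated certificate), also exported as a .cer file.
# Requires an elevated PowerShell session (writes to the LocalMachine stores).

$RootCaFile     = 'C:\Certs\SafeguardCluster.cer'          # placeholder path
$IssuingCaFile  = 'C:\Certs\DefaultSessionRdpSigning.cer'  # placeholder path
$MemberCertFile = 'C:\Certs\cluster-member-rdp.cer'        # placeholder path

# Step 1: place each certificate in the store the guide specifies.
#   Root CA    -> Trusted Root Certification Authorities (Cert:\LocalMachine\Root)
#   Issuing CA -> Intermediate Certification Authorities (Cert:\LocalMachine\CA)
# Putting the intermediate in the Root store, or the root in CA, is the usual
# cause of the Untrusted server certification message persisting.
Import-Certificate -FilePath $RootCaFile    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $IssuingCaFile -CertStoreLocation 'Cert:\LocalMachine\CA'   | Out-Null

function Test-SafeguardRdpChain {
    # Builds the chain for a cluster-member certificate using the workstation's
    # own stores, exactly as the RDP client will, and reports what it resolved.
    param([Parameter(Mandatory)][string]$CertificateFile)

    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificateFile
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Assumption: the appliance-generated CA publishes no CRL, so revocation is not
    # checked here. Switch to 'Online' once the chain is replaced by an enterprise
    # PKI that does publish revocation information.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $built = $chain.Build($leaf)

    [pscustomobject]@{
        Subject    = $leaf.Subject
        Issuer     = $leaf.Issuer          # expected: the DefaultSessionRdpSigning certificate
        NotAfter   = $leaf.NotAfter
        ChainValid = $built
        # Leaf first, root last; confirms the member cert <- Issuing CA <- Root CA
        # structure the guide describes.
        ChainPath  = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        # Empty when the chain built. UntrustedRoot means the root is not in the
        # Root store; PartialChain means the intermediate could not be found.
        Problems   = ($chain.ChainStatus |
                        ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
}

Test-SafeguardRdpChain -CertificateFile $MemberCertFile | Format-List
```

Because the chain is built from the LocalMachine stores, running this once after a Group Policy certificate deployment confirms that workstations will trust sessions from every cluster member, and the Problems field names the exact missing or misplaced certificate when they will not.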