One Identity Safeguard 2.5 - Administration Guide
How do I prevent Safeguard for Privileged Passwords messages when making RDP connections

When making an RDP connection, you may encounter two different certificate messages.

  • Unsigned RDP file message

    This message occurs when Remote Desktop Connection opens the RDP file that is downloaded when you click Play in the Safeguard for Privileged Passwords user interface.

    We are currently working on a solution that will allow Safeguard for Privileged Passwords to sign this RDP file to avoid this message.

  • Untrusted server certification message

    This message occurs when the workstation has not trusted the Safeguard for Privileged Passwords RDP Connection Signing Certificate.

    NOTE: The IP address of the connecting server is that of the Safeguard appliance.

    To avoid this message, you must trust the RDP Connection Signing Certificate and certificates in its chain of trust or replace the current certificate with an enterprise certificate and chain of trust that is trusted. For more information on certificate chain of trust, see Certificate chain of trust. For more information on replacing the RDP Connection Signing Certificate, see Sessions Certificates.

    One Identity recommends that you replace the entire configuration with your own trusted enterprise PKI. This would result in a structure such as:

    • Your Root CA
      • Your Issuing CA
        • Your RDP Signing Certificate (from Safeguard CSR)
          • <Sessions module generated certificate>

    The Root CA, Issuing CA, and RDP Signing Certificates can be distributed via Group Policy, Active Directory, or other distribution means.

Related Topics

Sessions Certificates

Certificate chain of trust

The default certificate chain of trust configuration that ships with Safeguard for Privileged Passwords is generated from the SafeguardCluster root certificate.

Figure 1: Default certificate chain of trust

When setting up RDP Connection Signing, the certificate chain of trust also includes the certificate issued to Safeguard for Privileged Passwords for RDP, as illustrated below.

Figure 2: Default certificate chain of trust when setting up RDP Connection Signing

NOTES:

  • The Safeguard for Privileged Passwords Cluster certificate must be added to the trusted root CA certificate store and the DefaultSessionRdpSigning certificate must be added to the intermediate CA certificate store of the workstations from which a session request is submitted.
  • Once configured, RDP sessions from any cluster member will be trusted (thus avoiding the Untrusted server certification message) because the certificate for each Safeguard for Privileged Passwords cluster member is issued by the DefaultSessionRdpSigning certificate.
  • This also prevents receiving new messages should the IP address of the Safeguard for Privileged Passwords Appliance change.
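The store placement described in the notes above (root of the chain in the trusted root store, DefaultSessionRdpSigning in the intermediate store) and the enterprise PKI layout recommended earlier can be applied and checked on a workstation with the following PowerShell. This is an added example, not code from the One Identity guide; the .cer file paths are placeholders for certificates you export from the appliance's certificate settings, and it must run from an elevated prompt.

```powershell
# Added example (not from the One Identity guide): trust the Safeguard RDP Connection
# Signing chain on a Windows workstation and verify it chains to a trusted root.
# Assumptions: the certificates were exported from Safeguard to the placeholder
# paths below, and this runs in an elevated PowerShell session (LocalMachine stores).
$RootCerPath         = 'C:\Certs\SafeguardCluster-root.cer'      # placeholder path
$IntermediateCerPath = 'C:\Certs\DefaultSessionRdpSigning.cer'   # placeholder path

# The top of the chain (SafeguardCluster, or your own Root CA when using an
# enterprise PKI) belongs in Trusted Root Certification Authorities.
Import-Certificate -FilePath $RootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# The RDP signing certificate (DefaultSessionRdpSigning, or your Issuing CA plus the
# certificate issued from the Safeguard CSR) belongs in Intermediate Certification Authorities.
Import-Certificate -FilePath $IntermediateCerPath -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null

function Test-SafeguardRdpChain {
    # Builds the chain for a certificate exactly as the RDP client will, and reports
    # whether it terminates at a trusted root, the chain order, and any status errors.
    param([Parameter(Mandatory)][string]$CerPath)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking is skipped so the result reflects trust and validity only;
    # set this to 'Online' if your enterprise PKI publishes CRLs for the chain.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject = $cert.Subject
        Trusted = $trusted
        # Leaf first, root last, e.g. "CN=DefaultSessionRdpSigning <- CN=SafeguardCluster"
        Chain   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        # Empty when the chain is good; otherwise e.g. "A certificate chain processed, but
        # terminated in a root certificate which is not trusted by the trust provider."
        Status  = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

# Verify the signing certificate now chains to a trusted root on this workstation.
Test-SafeguardRdpChain -CerPath $IntermediateCerPath | Format-List
```

If Trusted is False, the Status field names the missing link (an untrusted root or a certificate placed in the wrong store), which is the same condition that produces the Untrusted server certification message in Remote Desktop Connection.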

How do I see which assets and/or accounts are governed by a profile

To see which assets and/or accounts are assigned to a profile, you must open the profile details window.

To view which assets or accounts are assigned to a partition profile

  1. In Partitions or Directories, switch to the Profiles tab.
  2. Select a profile and click the Details icon.
  3. In the profile dialog, select the Scope tab, which lists the assets and accounts currently governed by the selected profile.

How do I set the appliance system time

NOTE: Changing the appliance time can have unintended consequences for processes running on the appliance. For example, password check and change profiles may be disrupted, and audit log timestamps may be misleading.

TIP: As a best practice, set an NTP server to eliminate possible time-related issues. For more information, see Time.

To set the time on your appliance

  • Use the appliance API to change the appliance time (SystemTime). For information about using the API, see How do I access the API.