Chat now with support
Chat with Support

Password Manager 5.12 - Administration Guide (AD LDS Edition)

About Password Manager Getting Started Upgrading Password Manager Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in Perimeter Network Management Policy Overview Password Policy Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Data Replication Phone-Based Authentication Service Overview Configuring Management Policy
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Self-Service Workflows Helpdesk Workflows User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances AD LDS Instance Connections Extensibility Features RADIUS Two-Factor Authentication Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Working with Redistributable Secret Management account Email Templates
Password Policies Enable S2FA for Administrators and Enable S2FA for HelpDesk Users Reporting Appendix A: Accounts Used in Password Manager for AD LDS Appendix B: Open Communication Ports for Password Manager for AD LDS Appendix C: Customization Options Overview Appendix D: Feature imparities between the legacy and the new Self-Service Sites Glossary

Authenticate with Defender


  • Authenticating with Defender is an activity not supported with the current release of Password Manager ADLDS.
  • Change or Reset password in Active Directory and connected systems is not supported in ADLDS.

You can use this activity to configure Password Manager to use Defender to authenticate users.

Defender is a two-factor authentication solution that authenticates users without forcing them to remember another new password. Defender uses one-time passwords (OTP) generated by special hardware or software tokens. Even if an attacker captures the password, there will be no security violation, since the password is valid only for one-time-use and can never be re-used.

You can use the Defender authentication to authenticate users before resetting their passwords or unlocking their Q&A profiles.

Before configuring the settings in this activity, install and configure Defender as described in the Defender documentation.

IMPORTANT: To make Password Manager use the Defender authentication, you must install the Defender Client SDK on the server on which Password Manager Service is installed.

This activity has the following settings:

  • Defender Server (IP address or DNS name). Specify Defender Server IP address or DNS name.
  • Port number. Type the port number that the Defender Access Node uses to establish a connection with the Defender Server.
  • Server timeout. Specify Defender Server time-out (in minutes).
  • Defender shared secret. Provide the secret that the Defender Access Node will share when it attempts to establish a connection with the Defender Server.

Authenticate with RADIUS Two-Factor Authentication

Use this activity to configure Password Manager to use a RADIUS server for two-factor authentication.

It uses one-time passwords (OTP) generated by hardware or software tokens for authentication.

You can use RADIUS Two-Factor Authentication to authenticate users before allowing them to reset or change their passwords, to unlock accounts, or manage Questions and Answers profiles.

Before using RADIUS Two-Factor Authentication for authentication, users have to configure it in General Settings tab on the home page of the Administration site. For more information, see RADIUS Two-Factor Authentication .

Action Activities

This section describes activities that provide core actions of the helpdesk workflows, such as Reset password in AD LDS, Unlock account, etc.

Reset Password in AD LDS

Reset Password in AD LDS

This is a core activity of the Reset Password workflow. The activity allows helpdesk operators to reset user passwords in AD LDS instances only. If you want to enable helpdesk operators to reset passwords in several systems, configure the Reset password in AD LDS and connected systems activity. For more information on configuring this activity and using One Identity Quick Connect Sync Engine, see Reset Password in AD LDS and Connected Systems.

In this activity you can configure the Enforce password history option. Password history determines the number of unique new passwords that have to be associated with a user account before an old password can be reused.

Before selecting this option, you should consider the following by-design behavior of Password Manager when that the Enforce password history option is enabled:

  • Password Manager uses two slots from the password history every time a password is reset. For example, if the password history value defines that users cannot reuse any of the last 10 passwords, then Password Manager checks only the last five passwords. Therefore, it is advised that you double the password history value.
  • Having entered a new password that is not policy compliant, users may end up with a randomly generated password they don't know.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating