Chat now with support
Chat with Support

We are currently experiencing issues on our phone support and are working diligently to restore services. For support, please sign in and create a case or email supportadmin@quest.com for assistance

Password Manager 5.13.1 - Administration Guide

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in Perimeter Network Management Policy Overview Password Policy Overview Secure Password Extension Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Password Change and Reset Process Overview Data Replication Phone-Based Authentication Service Overview
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Self-Service Workflows Helpdesk Workflows Notification Activities User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances Domain Connections Extensibility Features RADIUS Two-Factor Authentication Internal Feedback Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email Templates
Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies Enable S2FA for Administrators & Enable S2FA for HelpDesk Users Reporting Password Manager Integration Accounts Used in Password Manager Open Communication Ports for Password Manager Customization Options Overview Feature imparities between the legacy and the new Self-Service Sites Glossary

Telephone Verification Feature License

Password Manager requires a separate license for the Telephone verification feature that allows users to authenticate themselves via one-time PINs received as text messages or through automated voice calls. For more information about this feature, see Phone-based authentication service overview.

You can install this license during Password Manager installation or provide the license file later on the Administration site. To install the license after Password Manager installation, see Updating the License.

You must specify a separate scope of users for telephone verification service. Only users included in the scope will have access to the service.

License violation occurs in the following cases

  • The actual number of users exceeds the maximum licensed number for the telephone verification service. In this case, users will not be able to authenticate via phone if you do not decrease the number of user accounts set in the scope or do not update the license.

  • The license for the telephone verification service expired. In this case, you will have a grace period of 30 days during which the telephone verification service is available. Once the grace period has expired, users will not be able to authenticate via phone, but, other authentication mechanisms such as Q&A, are not affected by expiry/non-compliance of this Telephone Verification license.

Checklist: Installing Password Manager

This checklist provides tasks that an administrator should perform when installing Password Manager.

  1. Before you install Password Manager, configure the Password Manager Service account and application pool identity. For more information, see Configuring Password Manager Service Account and Application Pool Identity.

  2. It is strongly recommended that you enable HTTPS on the server where Password Manager is installed. For more information, see Enabling HTTPS.

  3. Install an instance of Password Manager. For more information, see Installing Password Manager: Checklist.

Installing Password Manager

This section describes how to install Password Manager. You will learn how to configure Password Manager Service account and application pool identity. A separate section will guide you through the steps required to install Password Manager.

IMPORTANT: Password Manager for Active Directory (AD) and Password Manager for Active Directory Lightweight Directory Services (ADLDS) must not be installed on the same server.

Configuring Password Manager Service Account and Application Pool Identity

When installing Password Manager, you are prompted to specify two accounts: the Password Manager Service account and the application pool identity. The Password Manager Service account is an account under which Password Manager Service runs. You can also use the Password Manager Service account as a domain management account (the account that is necessary to add managed domains when configuring the user and Helpdesk scopes). To do this, ensure that the Password Manager Service account has the minimum permissions required to successfully perform password management tasks in the domain. For more information, see Configuring Permissions for Domain Management Account.

Application pool identity is an account under which the application pool's worker process runs. The account you specify as the application pool identity will be used to run Password Manager Web sites.

For Password Manager to run successfully, the accounts you specify when installing Password Manager must meet the following requirements:

  • The Password Manager Service account must be a member of the Administrators group on the web server where Password Manager is installed.

  • The Application pool identity account must be a member of the IIS_IUSRS local group on the web server in IIS 7.0 and must have permissions to create files in the <password-manager-installation-folderr>\App_Data folder.

  • The Application pool identity account must have the full control permission set for the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager.

  • If the Application pool identity account is a domain user with minimal permission, provide the <password-manager-installation-folder>\Web folder with a full control permission set for the Application pool identity account.

Before you install Password Manager, make sure that the Password Manager Service account and the application pool identity account have the rights listed above.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating