Chat now with support
Chat with Support

Password Manager 5.14.3 - Administration Guide

About Password Manager Getting started Password Manager architecture
Password Manager components and third-party applications Typical deployment scenarios Password Manager in a perimeter network Management Policy overview Password policy overview Secure Password Extension overview reCAPTCHA overview User enrollment process overview Questions and Answers policy overview Password change and reset process overview Data replication Phone-based authentication service overview
Management policies
Checklist: Configuring Password Manager Understanding Management Policies Adding or cloning a new Management Policy Configuring access to the Administration Site Configuring access to the Password Manager Self-Service Site Configuring access to the Helpdesk Site Configuring Questions and Answers policy Workflow overview Custom workflows Custom activities Password Manager Self-Service Site workflows Helpdesk workflows Notification activities User enforcement rules
General Settings
General Settings overview Search and logon options Importing and exporting configuration settings Outgoing mail servers Diagnostic logging Scheduled tasks Web Interface customization Instance reinitialization Realm Instances Domain Connections Extensibility features RADIUS Two-Factor Authentication Internal Feedback Customizing help link URL Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email templates
Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies Enable 2FA for administrators and helpdesk users Reporting Password Manager integration Accounts used in Password Manager Open communication ports for Password Manager Customization options overview Glossary

Password Manager Credential Checker

The Password Manager Credential Checker is based on PowerShell scripts used to check if the user’s password is compromised. Credential Checker deals with actions related to change in password in Active Directory, reset password in Active Directory, change password in Active Directory and connected systems, or reset password in Active Directory and connected systems. By default, the Credential Checker PowerShell script implements VeriClouds CredVerify functionality for leaked password with hash segment.

IMPORTANT: If you prefer to use other credential checker service, modify the Credential Checker PowerShell script appropraitely.

Configuring Password Manager credential checker

  1. After Password Manager is installed, on the Password Manager Administrator portal, go to General settings > Extensibility and select Turn the credential checker mode on or off to enable the feature.

  2. On the Password Manager installation path, open the compromised_password_checker script. It is available in the <installation location\One Identity\Password Manager\Service\Resources\CredentialChecker> location.

  3. Edit the script to provide the Vericlouds credentials:

    $url=<valid URL>
    $api_key=<valid Key>
    $api_secret=<valid api secret>
  4. Save the file.

When you enter a new password on the Self-Service Site using any of the workflows, such as, Forgot Password or Manage My Passwords, the Credential Checker validates the new password and check if it matches with the passwords listed in the VeriClouds. If the password matches, Provided password is compromised, type another password. If you've ever used it anywhere before, change it! is displayed.

This feature is not applicable if the user changes the password using CTRL+ALT+DELETE on the Windows logon screen.

Typical deployment scenarios

This section describes typical deployment scenarios for Password Manager, including scenarios with installation of the Self-Service and Helpdesk sites on standalone servers, using realms, and others.

Simple deployment

In this scenario, you install all main Password Manager components, that is, the Password Manager Service, Administration, Self-Service and Helpdesk sites on a single server. This is the simplest deployment scenario, which can be used in small environments and for demonstration purposes.

Deployment of the Password Manager Self-Service and Helpdesk Sites on standalone servers

In this scenario, you install the Password Manager Self-Service Site, Helpdesk Site, or both on a standalone server. Note that the Administration Site cannot be installed separately from the Password Manager Service.

You can use this scenario to deploy Password Manager in an environment with a perimeter network. Installation of the Password Manager Self-Service Site in the perimeter network enhances the security of your environment while preventing access to your internal network.

When deploying Password Manager in an environment with the perimeter network, it is recommended to do a full installation of Password Manager in the internal corporate network, and then install the Self-Service Site in the perimeter network.

When you use this installation scenario, only one port should be open in the firewall between the corporate network and the perimeter network (by default, port number 8081 for the Password Manager Self-Service Site).

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating