Chat now with support
Chat with Support

Password Manager 5.14 - Administration Guide (AD LDS Edition)

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in a perimeter network Management Policy Overview Password Policy Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Data Replication Phone-Based Authentication Service Overview Configuring Management Policy
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Adding or cloning a new Management Policy Configuring Access to the Administration Site Configuring Access to the Password Manager Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Password Manager Self-Service Site workflows Helpdesk Workflows User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances AD LDS Instance Connections Extensibility Features RADIUS Two-Factor Authentication Internal Feedback Customizing help link URL Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email templates
Upgrading Password Manager Password Policies Enable 2FA for Administrators and Enable 2FA for HelpDesk Users Reporting Accounts Used in Password Manager for AD LDS Appendix B: Open Communication Ports for Password Manager for AD LDS Customization Options Overview Third-party contributions Glossary

Authenticate with Q&A Profile (Random Questions)

Use this activity to authenticate a user with the personal Questions and Answers profile. In this activity you can specify how many questions from the Questions and Answers profile the user must answer to be authenticated. But you cannot select specific questions from user’s Q&A profile. To require users to answer specific questions from their Q&A profiles, use the Authenticate with Q&A profile (specific questions) activity.

You can configure this activity to display all questions on a single page or only one or the specified number of questions at a time, so that users will not be able to see next questions before they answer the current ones. To display all questions on a single page, use this activity one time in a workflow. To display questions consecutively on several pages, use this activity several times in a workflow (place several Authenticate with Q&A profile (random questions) activities in a row).

This activity has the following settings:

  • All questions from user’s Q&A profile: Select this option to have users answer all questions from their Q&A profiles during authentication.

  • This number of randomly selected questions: Select this option to set the number of questions required to authenticate users. You can specify what types of secret questions (mandatory, optional or user-defined) should be used to authenticate the user by selecting corresponding check boxes.

  • Do the following if the number of questions in user’s Q&A profile is less than specified: Using this option you can either allow or prohibit authentication for users if their Q&A profiles do not have enough secret questions. If you allow authentication, then all questions from the Q&A profile will be used to authenticate a user. If you decide to prohibit authentication, the workflow in which this activity is used will not be performed. The user will have to update his Q&A profile first, after that he will be able to perform the task that contains this authentication activity.

  • Allow users to see what questions were answered incorrectly: Select this check box to allow users to see to what questions they have provided incorrect answers during authentication.

Authenticate with Q&A Profile (Specific Questions)

Use this activity to authenticate a user with the personal Questions and Answers profile. In this activity you can select specific questions from user’s Q&A profile that the user must answer to be authenticated.

You can configure this activity to display all questions on a single page or only one or specified number of questions at a time, so that users will not be able to see next questions before they answer the current ones. To display all questions on a single page, use this activity one time in a workflow and select the required questions. To display questions consecutively on several pages, use this activity several times in a workflow (place several Authenticate with Q&A profile (specific questions) activities in a row).

This activity has the following settings:

  • Mandatory questions: Specify mandatory questions from users’ Q&A profiles that users will answer during authentication.

  • Optional questions: Specify optional questions from users’ Q&A profiles that users will answer during authentication.

  • User-defined questions: Specify user-defined questions from users’ Q&A profiles that users will answer during authentication.

  • Allow users to see what questions were answered incorrectly: Select this check box to allow users to see to what questions they have provided incorrect answers during authentication.

IMPORTANT: If the questions you selected in this activity cannot be found in user’s Q&A profile, the user will not be authenticated and the workflow containing this activity will not be performed for this user. The user will have to update his Q&A profile to answer the required secret questions.

Authenticate with Q&A Profile (User-selected questions)

Use this activity to authenticate a user with the personal Questions and Answers profile. In this activity, you can specify how many questions from user's Q&A profile must be answered to be authenticated. Users will have to choose the required amount of questions from their Q&A profile and answer them.

This activity has the following settings:

  • Number of questions that a user must answer during authentication: Specify the number of questions users must answer to be authenticated.

  • Do the following, if the number of questions in user's Q&A profile is less than specified: Using this option you can either allow or prohibit authentication for users if their Q&A profiles do not have enough secret questions. If you allow authentication, then all questions from the Q&A profile will be used to authenticate a user. If you decide to prohibit authentication, the workflow in which this activity is used will not be performed. The user will have to update their Q&A profile first, after that they will be able to perform the task that contains this authentication activity.

  • Specify question categories which users will be able to choose from: Specify which question categories users can choose from when attempting to authenticate with this activity.

    • Use all questions from user's profile: This option will let users select any questions to authenticate with from their answered questions.

    • Specify questions categories: This option will let the administrators choose which question categories users can choose from when attempting to authenticate with this activity.

  • Allow users to see what questions were answered incorrectly: Select this check box to allow users to see which questions they have provided incorrect answers to during authentication.

Authenticate with Defender

IMPORTANT:

  • Authenticating with Defender is an activity not supported with the current release of Password Manager ADLDS.

  • Change or Reset password in Active Directory and connected systems is not supported in ADLDS.

You can use this activity to configure Password Manager to use Defender to authenticate users.

Defender is a two-factor authentication solution that authenticates users without forcing them to remember another new password. Defender uses one-time passwords (OTP) generated by special hardware or software tokens. Even if an attacker captures the password, there will be no security violation, since the password is valid only for one-time-use and can never be re-used.

You can use the Defender authentication to authenticate users before allowing them to reset or change their passwords, to unlock accounts, or manage Questions and Answers profiles.

Before configuring the settings in this activity, install and configure Defender as described in the Defender documentation.

IMPORTANT: To make Password Manager use the Defender authentication, you must install the Defender Client SDK on the server on which Password Manager Service is installed.

This activity has the following settings:

  • Defender Server: Specify the IP address of the computer running the Defender Server.

  • Port number: Type the port number that the Defender Access Node uses to establish a connection with the Defender Server.

  • Server timeout: Specify Defender Server time-out (in minutes).

  • Defender shared secret: Provide the secret that the Defender Access Node will share when it attempts to establish a connection with the Defender Server.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating