About Password Manager
Getting Started
Different Site for Different Roles
Password Manager Components
Licensing
Checklist: Installing Password Manager
Installing Password Manager
Password Manager Architecture
Configuring Password Manager Service Account and Application Pool Identity
Enabling HTTPS
Steps to Install Password Manager
Instance Initialization
Installing Self-Service and Helpdesk Sites on a Standalone Server
Installing Multiple Instances of Password Manager
Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Web Sites
Step 1: Obtain and Install Custom Certificates From a TrustedWindows-Based Certification Authority
Step 2: Provide Certificate Issued for Server Computer to Password Manager Service
Step 3: Provide Certificate Issued for Client Computers to Self-Service and Helpdesk Sites
Configuring Management Policy
Configuring User Scope
Configuring Permissions for Domain Management Account
Adding Domain Connection
Specifying Advanced Options for Domain Connection
Changing Domain Management Account
Removing a Domain Connection
Adding Secret Questions
Password Manager Components and Third-Party Solutions
Management Policies
Password Manager Service and Administration Site
Self-Service Site
Helpdesk Site
Password Policy Manager
Secure Password Extension
Offline Password Reset
Migration Wizard
Telesign
SQL Server Database and SQL Server Reporting Services
One Identity Quick Connect Sync Engine
Defender
Starling Two-Factor Authentication
RADIUS Two-Factor Authentication
Quest Enterprise Single Sign-On
Typical Deployment Scenarios
Simple Deployment
Deployment of the Self-Service and Helpdesk Sites on Standalone Servers
Realm Deployment
Multiple Realm Deployment
Password Manager in Perimeter Network
Installing Password Manager in Perimeter Network with Read-Only Domain Controllers
Installing Password Manager in Perimeter Network with Reverse Proxy
Installing Password Manager in Perimeter Networ kwithout AD DS
Management Policy Overview
Password Policy Overview
Using One Identity Password Policies
Using Fine-Grained Password Policies
Applying Multiple Password Policies
Using Password Policy Manager
Secure Password Extension Overview
Locating Self-Service Site
reCAPTCHA Overview
Obtaining Self-Service Site URL from Service Connection Point
Changing Self-Service Site URL on the Administration Site
Launching User Notification
How It Works
How to Use reCAPTCHA on Password Manager Sites
System Requirements for Using reCAPTCHA
References
User Enrollment Process Overview
Questions and Answers Policy Overview
Password Change and Reset Process Overview
Resetting and Changing Password in Connected Systems
Enforcing Password History When Resetting Password
Replicating Password Changes
Data Replication
Phone-Based Authentication Service Overview
Checklist: Configuring Password Manager
Understanding Management Policies
Configuring Access to the Administration Site
Configuring Access to the Self-Service Site
Configuring Access to the Helpdesk Site
General Settings
Specifying Advanced Options for Domain Connection
Changing Domain Management Account
Removing a Domain Connection
Configuring Questions and Answers Policy
Workflow Overview
Custom Workflows
Custom Activities
Custom Activity Settings
Creating Custom Activities
Importing and Exporting Custom Activities
Removing Custom Activities
Self-Service Workflows
My Questions and Answers Profile
Forgot My Password
Manage My Passwords
Unlock My Account
My Notifications
I Have a Passcode
Self-Service Activities Overview
Helpdesk Workflows
Authentication Activities
Display CAPTCHA
Display reCAPTCHA
Authenticate with Password
Authenticate with Q&A Profile (Random Questions)
Authenticate with Q&A Profile (Specific Questions)
Authenticate with Defender
Authenticate with Starling Two-Factor Authentication
Authenticate with RADIUS Two-Factor Authentication
Authenticate via Phone
Authenticate with Passcode
Action Activities
Edit Q&A Profile
Reset Password in Active Directory
Change Password in Active Directory
Reset Password in Active Directory and Connected Systems
Change Password in Active Directory and Connected Systems
Unlock Account
Enable Account
Force User to Change Password at Next Logon
Subscribe to Notifications
Lock Q&A Profile
Display User Agreement
Restart Workflow if Error Occurs
Issue BitLocker Recovery Key
Notification Activities
Verify User Identity
Assign Passcode
Reset Password
Unlock Account
Unlock Q&A Profile
Enforce Update of Q&A Profile
Helpdesk Activities Overview
Notification Activities
Customizing Notifications
Email User if Workflow Succeeds
Email User if Workflow Fails
Email Administrator if Workflow Succeeds
Email Administrator if Workflow Fails
User Enforcement Rules
General Settings Overview
Search and Logon Options
Import/Export Configuration Settings
Outgoing Mail Servers
Diagnostic Logging
Scheduled Tasks
Upgrading Password Manager
Invitation to Create/Update Q&A Profile Task
Reminder to Create/Update Q&A Profile Task
Reminder to Change Password Task
Maximum Password Age Policy Task
User Status Statistics Task
Environment Health Checker Task
Web Interface Customization
Instance Reinitialization
Realm Instances
Domain Connections
Using Domain Connections
Specifying Access Account for Domain Connections
Changing Access Account for Domain Connections
Specifying Advanced Options for Domain Connection
Removing a Domain Connection
Extensibility Features
Starling Two-Factor Authentication
RADIUS Two-Factor Authentication
Email Templates
Upgrading from Password Manager 4.x
Secure Password Extension
Upgrading from Password Manager from 4.x to 5.6.3
Side-by-Side Upgrade
Upgrading from Password Manager 5.5.3 or later versions
Enabling Secure Password Extension Connection to Self-Service Site 4.x
Upgrading Secure Password Extension
Upgrading Password Policy Manager
Exporting Configuration Settings from Password Manager 4.x
Installing Password Manager 5.x.x
Importing Configuration Settings to Password Manager 5.6.3
Configuring Password Manager 5.6.3
Verifying Password Manager 5.6.3 Configuration
Upgrading Multiple Instances of Password Manager 5.6.3
Converting Q&A Profiles
Disabling Secure Password Extension Connection to Self-Service Site 4.x
Uninstalling Password Manager 4.x
In-Place Upgrade
Upgrading Password Manager to 5.7.1
Upgrading from Password Manager 5.6.2 (if security patch is not installed)
Upgrading Secure Password Extension
Upgrading Password Policy Manager
Important notes for upgrading to Password Manager 5.7.1
Running the Migration Wizard
Modifying the service account
Upgrading from Password Manager 5.6.3 (if security patch is not installed)
Configuring Access to Self-Service Site from Windows Logon Screen
Deploying and Configuring Secure Password Extension
Password Policies
Deploying Secure Password Extension
Configuring Secure Password Extension
Uninstalling Secure Password Extension
Overriding Automatic Self-Service Site Location
Password Manager Realm Affinity
Customizing the Logo for Secure Password Extension
Customizing Position of the Secure Password Extension Window
Managing Secure Password Extension UsingAdministrative Templates
About Password Policies
Installing Password Policy Manager
Uninstalling Password Policy Manager
Creating and Configuring a Password Policy
Managing Password Policy Scope
Deleting a Password Policy
Reporting
Reporting and User Action History Overview
Password Manager Integration
Setting Up Reporting Environment
Using Reports
User Action History
Managing Connections to SQL Server and Report Server
Best Practices for Configuring Reporting Services
Active Roles Web Interface
Appendixes
Basic Integration Requirements
Customizing Active Roles Home Page
Password Manager Self-Service Site Integration
Password Manager Helpdesk Site Integration
Quest Enterprise Single Sign-On (QESSO)
Appendix A: Accounts Used in Password Manager
Glossary
About us
Password Manager Service Account
Application Pool Identity
Domain Management Account
Password Policy Account
Account for Using One Identity Quick Connect
Appendix B: Open Communication Ports for Password Manager
Appendix C: Customization Options Overview
Customization of Steps in Self-Service and Helpdesk Tasks
Email Notification Customization
User Agreement Customization
Account Search Options Customization
Web Interface Customization
Customization of URLs to Self-Service Site from Other Applications
Customization of Password Policies List
Customization of Password Strength Meter
Customization of User Name
Running the Migration Wizard
|
|
NOTE: In the Shared.storage file in ProgramData folder of primary instance, verify whether AESEncryption value is true in all hosts. After installing Password Manager 5.7.1 and importing the configuration file into secondary instances, replication from all PM instances takes time to update the hosts’ information and to set AESEncryption value to true. If the AESEncryption value is not true, when you run the Migration Wizard 5.7.1, it displays the error message with the list of hosts which are not updated with Password Manager 5.7.1 configuration. |
|
|
NOTE: Set AESEncryption value to true in all the hosts and run the Migration Wizard 5.7.1 under Password Manager Service account. |
To run the Migration Wizard 5.7.1, see To update users’ Q&A profiles with new instance settings.
|
|
NOTE: In Password Manager 5.6.2, if you are using an existing database, after installing the Password Manager 5.7.1, connect to the database and execute the following query to alter the table:
Reset the SQL Server connection in the Administration site (Reporting->Edit Connection) and save it. |
|
|
NOTE: After installing Password Manager 5.7.1, if service account has to be modified, see Modifying the service account . |
Modifying the service account
Modifying the service account
|
|
NOTE: If you want to modify the service account after installing Password Manager 5.7.1, you cannot modify it by changing the account on Password Manager service because the new account will not be able to read the current configuration. |
To modify the service account after installing Password Manager 5.7.1:
- On the menu bar, click General Settings, then click the Import/Export tab and export the configuration file of the primary instance of Password Manager.
NOTE: Due to security enhancements, a complex password is generated while exporting the configuration. You must remember the password or store it in a secure place, to use while importing the configuration. - Stop the Password Manager Service.
- At the command prompt, type services.msc and select Password Manager Service in the console and change the log on details.
- Start the Password Manager Service.
NOTE: Before you continue, it is recommended to back up the One Identity folder at C:\ProgramData. - Delete the One Identity folder at C:\ProgramData.
- Restart the computer.
- Open the Administration site.
- On the Instance Initialization page, select Unique instance and click Save.
- On the menu bar, click General Settings, then click the Import/Export tab and import the configuration file, which was exported before changing the service account.
Upgrading from Password Manager 5.6.3 (if security patch is not installed)
Upgrading Password Manager > Upgrading from Password Manager 5.5.3 or later versions > Upgrading from Password Manager 5.6.3 (if security patch is not installed)
If the hotfix PasswordManager-5.6.3-SOL213268.exe, is not installed, to upgrade Password Manager 5.6.3 to 5.7.1, install Password Manager 5.7.1 and then follow the general upgrade instructions.
Prerequisites to upgrade to Password Manager 5.7.1:
- If there are two or more instances of Password Manager in a realm, ensure that replication works between primary and secondary instances of Password Manager. In case of a stand-alone server, it is recommended to enable the replication to avoid any replication issues when new Password Manager instances are added later.
- If there are two or more instances of Password Manager in a realm, ensure that one of the instances is set as primary and the remaining instances as secondary. Verify it in the Local.storage file present at C:\ProgramData\One Identity\Password Manager. In the file, search for <setting name=”role” value= and ensure that the value parameter for one of the servers or instances is set to Primary and all others are set to Secondary. If all servers display the value as Secondary, then select one as the main server and set it to Primary. For more information see the Knowledge article.
- Ensure that all the realm instances displayed under Realm Instances section of the General Settings on Administration site are in use. If any of the unused instances are displayed, then remove those instances from the realm by clicking on the Remove link of the corresponding instances.
|
|
NOTE: After upgrade, the storage version of all the storage files are updated to a newer version. Hence it is not possible to rollback. |
To upgrade to Password Manager 5.7.1, see To upgrade to Password Manager 5.7.1
|
|
NOTE: After installing Password Manager 5.7.1, if service account has to be modified, see Modifying the service account . |
|
|
NOTE: For details regarding the points to be taken care while installing Password Manager 5.7.1, see Important notes for upgrading to Password Manager 5.7.1. |
Upgrading Secure Password Extension
You can centrally upgrade workstations to the latest version of Secure Password Extension by assigning the software for deployment using Group Policy. It is recommended to remove the existing MSI package from the Software installation list, and then assign the latest-version package.
To remove the existing and assign a latest-version package
- Remove the assigned package (Quest One Secure Password Extension x86.msi or Quest One Secure Password Extension x64.msi) from the list of software to be installed.
- Add the latest-version MSI packages to the list of software to be installed.
When upgrading Secure Password Extension, do not forget to upgrade the prm_gina.adm(x) administrative template with the one located in the \Password Manager\Setup\Administrative Template\ folder of the installation CD.
During upgrade of prm_gina.adm(x) administrative template, the previously made template settings are preserved and picked up by newer versions.