
Password Manager 5.7.1 - Administration Guide


Configuring Secure Password Extension

This section describes how to override automatic location of the Self-Service site and customize Secure Password Extension.

Overriding Automatic Self-Service Site Location

By default, Secure Password Extension uses service connection points published in Active Directory to locate the Self-Service site. If you need to override this behavior and force Secure Password Extension to use a specific Self-Service site, you must manually specify the site's URL path and then enable the override setting described below.
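Before overriding discovery, an administrator usually wants to see which service connection points Secure Password Extension could find in the first place. The following PowerShell snippet is an added example, not part of the One Identity documentation: it lists the service connection point objects in the current domain and flags any whose binding points at a Self-Service site (the /PMUser/ path shown in the procedure below) over plain HTTP. It assumes the ActiveDirectory module is installed and that the Password Manager SCP stores its URL in the standard serviceBindingInformation attribute; that attribute and the keyword filter are assumptions, so adjust them to what you see in your own directory.

```powershell
# Added example (not One Identity's code). Enumerates service connection points
# in the current domain and highlights Self-Service site bindings that do not
# use HTTPS. Assumption: the Password Manager SCP publishes the site URL in
# serviceBindingInformation, as SCPs conventionally do.
Import-Module ActiveDirectory

$domainDN = (Get-ADRootDSE).defaultNamingContext

$scps = Get-ADObject -LDAPFilter '(objectClass=serviceConnectionPoint)' `
                     -SearchBase $domainDN `
                     -Properties keywords, serviceBindingInformation, whenChanged

$report = $scps | ForEach-Object {
    $binding = ($_.serviceBindingInformation -join '; ')
    [pscustomobject]@{
        Name        = $_.Name
        DN          = $_.DistinguishedName
        Keywords    = ($_.keywords -join '; ')
        Binding     = $binding
        LastChanged = $_.whenChanged
        # The guide strongly recommends HTTPS on the Password Manager server;
        # an http:// binding is worth a second look.
        PlainHttp   = ($binding -match '(?i)^http://')
    }
}

# Keep only SCPs that look like Password Manager Self-Service site entries.
# '/PMUser' is the path used in the guide; the keyword match is an assumption.
$pmScps = $report | Where-Object {
    $_.Binding -match '/PMUser' -or $_.Keywords -match '(?i)Password Manager'
}

$pmScps | Sort-Object Name | Format-Table Name, Binding, PlainHttp, LastChanged -AutoSize

$pmScps | Where-Object PlainHttp | ForEach-Object {
    Write-Warning "SCP '$($_.Name)' publishes a non-HTTPS Self-Service URL: $($_.Binding)"
}
```

Run it from a domain-joined management host with the RSAT Active Directory module; an unexpected entry in the output, or an entry that was changed recently without a corresponding deployment, is a reason to review who can create SCP objects in that container.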

To override automatic Self-Service site location on a computer running Windows Server 2008 R2 or later

  1. Click the Start button, click Run, and type mmc. Click OK.
  2. In the Console window on the File menu, click Add/Remove Snap-in.
  3. Double-click Group Policy Management Editor in the list of available snap-ins.
  4. In the Group Policy Wizard window, click Browse, select Default Domain Policy and click OK.
  5. Click Finish to exit Group Policy Wizard.
  6. Click OK.
  7. Expand Default Domain Policy | Computer Configuration in the left pane of the Group Policy Object Editor, then right-click the Administrative Templates node and select Add / Remove Templates.
  8. Click Add, browse for the prm_gina.adm or prm_gina.admx file, select it, and then click Open.
  9. Click Close to close the Add/Remove Templates dialog box.
  10. If you used the prm_gina.admx file, select the Administrative Templates node, and then double-click the One Identity Password Manager template in the right pane.

- OR -

If you used the prm_gina.adm file, select the Classic Administrative Templates (ADM) node, and then double-click the One Identity Password Manager template in the right pane.

  1. Double-click Generic Settings.
  2. Double-click Specify URL path to the Self-Service site.
  3. Select the Enabled option on the Settings tab and then enter the URL path to the Self-Service site into the entry field using the following format: https://COMPUTER_NAME/PMUser/, where COMPUTER_NAME is the name of the server on which the Self-Service site is installed. Substitute https:// with http:// if you don't use HTTPS.

    IMPORTANT: It is strongly recommended that you enable HTTPS on the Password Manager server.
  4. Click OK. The specified URL will be used only if service connection points are unavailable or if the Self-Service site URL specified in the service connection point cannot be found. If you want Secure Password Extension to always use the specified URL, perform the following steps.
  5. Double-click Override URL path to the Self-Service site.
  6. Select the Enabled option on the Settings tab.
  7. Click OK.
  8. Apply the updated policy to the computers in the managed domain.

    NOTE: Application of the updated policy to the computers in the managed domain may take some time to complete.

Password Manager Realm Affinity

In some instances, you may want Secure Password Extension to contact only specific Password Manager Service instances when locating the Self-Service site. You can force Secure Password Extension to use only Password Manager Service instances that belong to a specific Password Manager realm.

A Password Manager realm is one or more Password Manager instances sharing a common configuration (the same user and helpdesk scopes, Management Policies and workflow configuration, and general settings). Normally, you add a member to a Password Manager realm by installing a new Password Manager instance and selecting the "A replica of an existing instance" option during instance initialization. To learn more about Password Manager realms, see Installing Multiple Instances of Password Manager.

To force Secure Password Extension to use only Password Manager Service instances from a specific realm, you must set the Secure Password Extension affinity for that realm.

To set Secure Password Extension affinity for a Password Manager realm on a computer running Windows Server 2008 R2 or later

  1. Open the Administration site of the Password Manager Service instance that belongs to the target realm.
  2. On the Administration site home page, click General Settings|Realm Instances.
  3. Select the value of the Realm affinity ID setting, right-click the selection and select Copy.
  4. Click the Start button, click Run, and type mmc. Click OK.
  5. In the Console window on the File menu, click Add/Remove Snap-in.
  6. Double-click Group Policy Management Editor in the list of available snap-ins.
  7. In the Group Policy Wizard window, click Browse, select Default Domain Policy and click OK.
  8. Click Finish to exit Group Policy Wizard.
  9. Click OK.
  10. Expand Default Domain Policy | Computer Configuration in the left pane of the Group Policy Object Editor, then right-click the Administrative Templates node and select Add / Remove Templates.
  11. Click Add, browse for the prm_gina.adm file or prm_gina.admx file, select it, and then click Open.
  12. Click Close to close the Add/Remove Templates dialog box.
  13. If you used the prm_gina.admx file, select the Administrative Templates node, and then double-click the One Identity Password Manager template in the right pane.

- OR -

If you used the prm_gina.adm file, select the Classic Administrative Templates (ADM) node, and then double-click the One Identity Password Manager template in the right pane.

  1. Click Generic Settings in the left pane.
  2. In the right pane, double-click Password Manager Realm Affinity.
  3. Select the Enabled option on the Settings tab, then right-click the Realm Affinity ID text box, and select Paste.
  4. Click OK.
  5. Apply the updated policy to the computers in the managed domain.

    NOTE: Application of the updated policy to the computers in the managed domain may take some time to complete.

Customizing the Logo for Secure Password Extension

To deploy a custom logo for Secure Password Extension on end-user computers

  1. Create a startup script to deploy your logo image. See a sample script below this procedure.
  2. Create your logo image and place it on a network share accessible to all network hosts against which the script is run.
  3. In the Group Policy Object Editor, open the GPO which includes the prm_gina.adm Administrative Template.
  4. Expand Computer Configuration/Administrative Templates and then click One Identity Password Manager.
  5. Under One Identity Password Manager, expand Pre-Windows Vista Settings/Secure Password Extension Logo, and enable the Set dialogue background image policy setting by specifying a local path to the logo image file on end-user computers.

The local path you specify in this policy setting must be the same as the target path used in the startup script shown later in this section.

  1. Expand Computer configuration/Windows Settings/Scripts (Startup/Shutdown) and double-click the Startup policy setting in the right pane.
  2. In the Startup Properties window, click Add, then browse for the script file you have created in step 1, and specify the script parameters. The script file must be located in the directory opened by clicking Show Files in the Startup Properties window.
  3. Click OK.

The following startup script is a batch file that runs on end-user computers during system startup, and copies the custom logo image from the network share to a local folder:

@echo off
rem "SPE startup script"
rem *Check target directory existence*
if exist "c:\Program Files\One Identity\Secure Password Extension" goto :COPY_FILE
md "c:\Program Files\One Identity\Secure Password Extension"
rem *Copy BMP image - %1*
:COPY_FILE
copy [SharedDir]\%1 "c:\Program Files\One Identity\Secure Password Extension\"
rem pause
:out
exit

IMPORTANT: [SharedDir] is a shared domain directory that must be available during boot.

Each script line that contains the target path must be typed as a single line; where such a line appears wrapped in this article, it is wrapped only for readability.

You can modify the sample target path in the script as you need.
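A startup script runs as SYSTEM on every computer the GPO applies to, so it is worth having it check its inputs rather than copying blindly. The following PowerShell script is an added example, not part of the One Identity documentation: it does the same job as the batch sample above (copy the custom logo from a domain share into the local Secure Password Extension folder) but refuses anything other than a UNC source, verifies the image exists before copying, and confirms the copy by comparing SHA-256 hashes. The share path and file name are constructed placeholders; the default target folder is the path used in the batch sample and must match the path entered in the Set dialogue background image policy setting. It assumes Windows PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example (not One Identity's code): PowerShell equivalent of the batch
# startup script, with input checks and a post-copy integrity check.
param(
    [Parameter(Mandatory = $true)]
    [string]$SharedDir,   # constructed example: \\FILESERVER\SPELogo$

    [Parameter(Mandatory = $true)]
    [string]$LogoFile,    # constructed example: logo.bmp

    # Default matches the target path in the batch sample; it must equal the
    # local path configured in the "Set dialogue background image" setting.
    [string]$TargetDir = 'C:\Program Files\One Identity\Secure Password Extension'
)

$ErrorActionPreference = 'Stop'

# The script runs as SYSTEM at boot: only accept a \\server\share source so a
# mistyped parameter cannot make it copy from an arbitrary local path.
if ($SharedDir -notmatch '^\\\\[^\\]+\\[^\\]+') {
    throw "SharedDir must be a UNC path (\\server\share); got '$SharedDir'."
}

$source      = Join-Path $SharedDir $LogoFile
$destination = Join-Path $TargetDir $LogoFile

# Fail clearly if the share is not reachable yet or the image is missing.
if (-not (Test-Path -LiteralPath $source -PathType Leaf)) {
    throw "Logo image not found at '$source' (share unreachable or file missing)."
}

# Equivalent of the batch 'md' step: create the target folder if it is absent.
if (-not (Test-Path -LiteralPath $TargetDir -PathType Container)) {
    New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null
}

Copy-Item -LiteralPath $source -Destination $destination -Force

# Confirm the local copy is byte-for-byte identical to the file on the share.
$srcHash = (Get-FileHash -LiteralPath $source      -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -LiteralPath $destination -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) {
    Remove-Item -LiteralPath $destination -Force
    throw "Hash mismatch after copy (source $srcHash, destination $dstHash); local copy removed."
}

Write-Output "Logo deployed to '$destination' (SHA-256 $dstHash)."
```

Add the script on the PowerShell Scripts tab of the same Startup Properties window used in the procedure above, passing the share path and file name as the script parameters, for example `-SharedDir \\FILESERVER\SPELogo$ -LogoFile logo.bmp`. As with the batch version, the share must be available during boot and readable by the computer accounts of the target machines.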
