About Password Manager
Getting Started
Different Site for Different Roles
Password Manager Components
Licensing
Checklist: Installing Password Manager
Installing Password Manager
Password Manager Architecture
Configuring Password Manager Service Account and Application Pool Identity
Enabling HTTPS
Steps to Install Password Manager
Instance Initialization
Installing Self-Service and Helpdesk Sites on a Standalone Server
Installing Multiple Instances of Password Manager
Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Web Sites
Step 1: Obtain and Install Custom Certificates From a TrustedWindows-Based Certification Authority
Step 2: Provide Certificate Issued for Server Computer to Password Manager Service
Step 3: Provide Certificate Issued for Client Computers to Self-Service and Helpdesk Sites
Configuring Management Policy
Configuring User Scope
Configuring Permissions for Domain Management Account
Adding Domain Connection
Specifying Advanced Options for Domain Connection
Changing Domain Management Account
Removing a Domain Connection
Adding Secret Questions
Password Manager Components and Third-Party Solutions
Management Policies
Password Manager Service and Administration Site
Self-Service Site
Helpdesk Site
Password Policy Manager
Secure Password Extension
Offline Password Reset
Migration Wizard
Telesign
SQL Server Database and SQL Server Reporting Services
One Identity Quick Connect Sync Engine
Defender
Starling Two-Factor Authentication
RADIUS Two-Factor Authentication
Quest Enterprise Single Sign-On
Typical Deployment Scenarios
Simple Deployment
Deployment of the Self-Service and Helpdesk Sites on Standalone Servers
Realm Deployment
Multiple Realm Deployment
Password Manager in Perimeter Network
Installing Password Manager in Perimeter Network with Read-Only Domain Controllers
Installing Password Manager in Perimeter Network with Reverse Proxy
Installing Password Manager in Perimeter Networ kwithout AD DS
Management Policy Overview
Password Policy Overview
Using One Identity Password Policies
Using Fine-Grained Password Policies
Applying Multiple Password Policies
Using Password Policy Manager
Secure Password Extension Overview
Locating Self-Service Site
reCAPTCHA Overview
Obtaining Self-Service Site URL from Service Connection Point
Changing Self-Service Site URL on the Administration Site
Launching User Notification
How It Works
How to Use reCAPTCHA on Password Manager Sites
System Requirements for Using reCAPTCHA
References
User Enrollment Process Overview
Questions and Answers Policy Overview
Password Change and Reset Process Overview
Resetting and Changing Password in Connected Systems
Enforcing Password History When Resetting Password
Replicating Password Changes
Data Replication
Phone-Based Authentication Service Overview
Checklist: Configuring Password Manager
Understanding Management Policies
Configuring Access to the Administration Site
Configuring Access to the Self-Service Site
Configuring Access to the Helpdesk Site
General Settings
Specifying Advanced Options for Domain Connection
Changing Domain Management Account
Removing a Domain Connection
Configuring Questions and Answers Policy
Workflow Overview
Custom Workflows
Custom Activities
Custom Activity Settings
Creating Custom Activities
Importing and Exporting Custom Activities
Removing Custom Activities
Self-Service Workflows
My Questions and Answers Profile
Forgot My Password
Manage My Passwords
Unlock My Account
My Notifications
I Have a Passcode
Self-Service Activities Overview
Helpdesk Workflows
Authentication Activities
Display CAPTCHA
Display reCAPTCHA
Authenticate with Password
Authenticate with Q&A Profile (Random Questions)
Authenticate with Q&A Profile (Specific Questions)
Authenticate with Defender
Authenticate with Starling Two-Factor Authentication
Authenticate with RADIUS Two-Factor Authentication
Authenticate via Phone
Authenticate with Passcode
Action Activities
Edit Q&A Profile
Reset Password in Active Directory
Change Password in Active Directory
Reset Password in Active Directory and Connected Systems
Change Password in Active Directory and Connected Systems
Unlock Account
Enable Account
Force User to Change Password at Next Logon
Subscribe to Notifications
Lock Q&A Profile
Display User Agreement
Restart Workflow if Error Occurs
Issue BitLocker Recovery Key
Notification Activities
Verify User Identity
Assign Passcode
Reset Password
Unlock Account
Unlock Q&A Profile
Enforce Update of Q&A Profile
Helpdesk Activities Overview
Notification Activities
Customizing Notifications
Email User if Workflow Succeeds
Email User if Workflow Fails
Email Administrator if Workflow Succeeds
Email Administrator if Workflow Fails
User Enforcement Rules
General Settings Overview
Search and Logon Options
Import/Export Configuration Settings
Outgoing Mail Servers
Diagnostic Logging
Scheduled Tasks
Upgrading Password Manager
Invitation to Create/Update Q&A Profile Task
Reminder to Create/Update Q&A Profile Task
Reminder to Change Password Task
Maximum Password Age Policy Task
User Status Statistics Task
Environment Health Checker Task
Web Interface Customization
Instance Reinitialization
Realm Instances
Domain Connections
Using Domain Connections
Specifying Access Account for Domain Connections
Changing Access Account for Domain Connections
Specifying Advanced Options for Domain Connection
Removing a Domain Connection
Extensibility Features
Starling Two-Factor Authentication
RADIUS Two-Factor Authentication
Email Templates
Upgrading from Password Manager 4.x
Secure Password Extension
Upgrading from Password Manager from 4.x to 5.6.3
Side-by-Side Upgrade
Upgrading from Password Manager 5.5.3 or later versions
Enabling Secure Password Extension Connection to Self-Service Site 4.x
Upgrading Secure Password Extension
Upgrading Password Policy Manager
Exporting Configuration Settings from Password Manager 4.x
Installing Password Manager 5.x.x
Importing Configuration Settings to Password Manager 5.6.3
Configuring Password Manager 5.6.3
Verifying Password Manager 5.6.3 Configuration
Upgrading Multiple Instances of Password Manager 5.6.3
Converting Q&A Profiles
Disabling Secure Password Extension Connection to Self-Service Site 4.x
Uninstalling Password Manager 4.x
In-Place Upgrade
Upgrading Password Manager to 5.7.1
Upgrading from Password Manager 5.6.2 (if security patch is not installed)
Upgrading Secure Password Extension
Upgrading Password Policy Manager
Important notes for upgrading to Password Manager 5.7.1
Running the Migration Wizard
Modifying the service account
Upgrading from Password Manager 5.6.3 (if security patch is not installed)
Configuring Access to Self-Service Site from Windows Logon Screen
Deploying and Configuring Secure Password Extension
Password Policies
Deploying Secure Password Extension
Configuring Secure Password Extension
Uninstalling Secure Password Extension
Overriding Automatic Self-Service Site Location
Password Manager Realm Affinity
Customizing the Logo for Secure Password Extension
Customizing Position of the Secure Password Extension Window
Managing Secure Password Extension UsingAdministrative Templates
About Password Policies
Installing Password Policy Manager
Uninstalling Password Policy Manager
Creating and Configuring a Password Policy
Managing Password Policy Scope
Deleting a Password Policy
Reporting
Reporting and User Action History Overview
Password Manager Integration
Setting Up Reporting Environment
Using Reports
User Action History
Managing Connections to SQL Server and Report Server
Best Practices for Configuring Reporting Services
Active Roles Web Interface
Appendixes
Basic Integration Requirements
Customizing Active Roles Home Page
Password Manager Self-Service Site Integration
Password Manager Helpdesk Site Integration
Quest Enterprise Single Sign-On (QESSO)
Appendix A: Accounts Used in Password Manager
Glossary
About us
Password Manager Service Account
Application Pool Identity
Domain Management Account
Password Policy Account
Account for Using One Identity Quick Connect
Appendix B: Open Communication Ports for Password Manager
Appendix C: Customization Options Overview
Customization of Steps in Self-Service and Helpdesk Tasks
Email Notification Customization
User Agreement Customization
Account Search Options Customization
Web Interface Customization
Customization of URLs to Self-Service Site from Other Applications
Customization of Password Policies List
Customization of Password Strength Meter
Customization of User Name
Password Manager Helpdesk Site Integration
Password Manager Integration > Active Roles Web Interface > Password Manager Helpdesk Site Integration
Password Manager Helpdesk Site Integration
Follow the steps below to integrate the Password Manager Helpdesk site with Active Roles Web Interface.
To integrate Password Manager Helpdesk site with Active Roles Web Interface
- On the Home page of the Web Interface site, click Customization.
- Click Customization Tasks, and then, click List Existing Menus on the left pane.
- In the right pane, click User.
- Click Create New Command.
- In the right pane, select Page View Task and then click Next.
- Type a name for the new item and the URL of the page you want the new item to open. Type any text to display in the item area, and change the picture for the item.
The URL must be entered in the following format: https://COMPUTER_NAME/PMHelpdesk/EntryPoint/?Integrated=Yes&ActionName=<ActionName>, where COMPUTER_NAME is the name of the server where Password Manager resides, and <ActionName> is one of the following:
- ResetPassword - specify this action to enable Active Roles Web Interface operators to reset user passwords.
- ManageQAProfile - specify this action to enable Active Roles Web Interface operators to manage user Questions and Answers profile in Password Manager.
- AssignPasscode - specify this action to enable Active Roles Web Interface operators to generate passcodes for users.
- UnlockAccount - specify this action to enable Active Roles Web Interface operators to unlock user’s accounts.
- Authentication - specify this action to enable Active Roles Web Interface operators to authenticate users.
Replace https:// with http:// if you do not use HTTPS.
|
|
IMPORTANT: It is strongly recommended that you enable HTTPS on the Password Manager server. |
- Click Finish.
- Click Save to save the changes to ARS Web Interface.
- Click Reload link that appears in the upper part of the window, to publish the customization changes to the Web Interface site.
- Click Directory Management.
- Select the corresponding domain and the user for whom you want to perform a password management task. The item you have created will be shown in the Command Menu.
Note, when you choose a user for a password management task, after clicking the created command you will be required to enter the user name and password of a helpdesk operator included in the helpdesk scope to access the Helpdesk site.
For more information on how to customize Active Roles Web Interface please refer to Active Roles documentation.
Quest Enterprise Single Sign-On (QESSO)
This section includes the information on how to configure Password Manager for use with Quest Enterprise Single Sign-On (QESSO). To implement the guidance in this section, you must have a working knowledge of Quest Enterprise Single Sign-On (QESSO).
Quest Enterprise Single Sign-on is a solution that provides users with the ability to access all applications on their desktop using a single user ID and password. After users have logged in, they can access password-protected applications on their desktop without the need to enter any further account details.
If an application requires login name and password to be entered, QESSO will remember the entered details. When the application is next started, QESSO will automatically enter the required login name and password.
The account details for password-protected applications are encrypted by using user logon password. When user resets or changes this password, the encrypted data is lost. To prevent data loss, Password Manager should be configured to notify QESSO about password changes and QESSO will re-encrypt the data using new password.
- Run the QESSO Client 32-bit or 64-bit wizard on the server where Password Manager resides. The wizard is located on the Individual Components tab of QESSO Autorun CD.
- Follow the wizard instructions.
- Install at least one of the following QESSO components on the server running a Password Manager instance:
- SSOWatch
- Advanced Login
- Enterprise SSO Console
- Restart the Password Manager Service.
- On the Administration site, open workflows for which you want to configure integration with QESSO. QESSO integration settings can be found in the following activities:
- Reset password in Active Directory
- Change password in Active Directory
- Reset password in Active Directory and connected systems
- Change password in Active Directory and connected systems
- In required activities, select the Enable QESSO integration check box.
- Provide the account details for the QESSO administrator to be used for password resets.
- Click OK.
For the complete information about installing and using QESSO, please refer to the documentation for QESSO.
Appendixes
Appendixes
- Appendix A: Accounts Used in Password Manager
- Appendix B: Open Communication Ports for Password Manager
- Appendix C: Customization Options Overview
Appendix A: Accounts Used in Password Manager
Appendix A: Accounts Used in Password Manager
The following accounts can be used in Password Manager:
- Password Manager Service account
- Application pool identity
- Domain management account
- Password policy account
- Account for One Identity Quick Connect Sync Engine