Chat now with support
Chat with Support

We are currently preforming website maintenance, any feature requiring sign-in is temporarily unavailable, if you have an issue requiring immediate assistance please call Technical Support.

Password Manager 5.8.2 - Administrator Guide (AD LDS edition)

About Password Manager Getting Started Upgrading Password Manager to 5.8.1 Password Manager Architecture Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow Overview Custom Workflows Custom Activities Self-Service Workflows Helpdesk Workflows User Enforcement Rules
General Settings Password Policies One Identity Hybrid Subscription One Identity Starling Reporting Appendix A: Accounts Used in Password Manager for AD LDS Appendix B: Open Communication Ports for Password Manager for AD LDS Appendix C: Customization Options Overview Glossary

Storing Data

There are two types of data stored by Password Manager: Password Manager configuration data and users’ Questions and Answers profiles. Password Manager configuration data contains all settings you configure in Password Manager. Users’ Questions and Answers profiles are stored apart from the configuration data.

Q&A profiles are stored in the attribute of a user account in AD LDS that you specify during instance initialization. By default, it is the comment attribute. You can also change it after initializing a Password Manager instance; for more information, see Instance Reinitialization.

Password Manager configuration data is stored in the C:\ProgramData\One Identity\Password Manager for AD LDS folder. This folder contains two files (Shared.storage and Local.storage) and the LocalizationStorage folder.

The Shared.storage file contains configuration data that is shared among all instances of a realm: Management Policies, general settings, AD LDS connections, custom activities and workflows, instance settings, etc.

The Local.storage file contains the instance-specific settings, such as the instance name and statistics about scheduled tasks.

The LocalizationStorage folder contains the user interface texts localized in several languages.

Replicating Data

If you install a realm (several Password Manager instances sharing the same configuration), changes in the configuration of one instance are automatically propagated to other instances. To propagate the data, Password Manager replicates the data from the shared.storage file and the LocalizationStorage folder to AD LDS.

Before being written to AD LDS, the data is split into several segments and archived.

To distribute the configuration data from one instance to another, Password Manager uses a scheduled task and the PMReplication container in a managed application directory partition to which the data is copied. The PMReplication container is an container that is automatically created in the Users container of the managed application directory partition. To this container, containers for each Password Manager realm are added. Names of these containers correspond to the realm affinity id. Each realm container has the containers for every instance belonging to this realm. Names of instance containers correspond to the instance ids.

In the instance container, several user accounts are created. The number of user accounts is one more than the number of data segments. For example, if there are twenty data segments, then the instance container has twenty one user accounts. Note, that the created user accounts are disabled.

The same attribute that you specify for storing users’ Q&A profiles is used to store the configuration data segments.The first user account stores the data replica id, all other accounts store the data segments.

Replication mechanism analyses all data segments from all instances, selects data with the latest changes and propagates it.

 Caution: It is not recommended to edit Password Manager settings simultaneously on multiple instances belonging to one realm. Simultaneous modification of settings on multiple Password Manager instances may cause data loss.

Note, that the access account must have the permission to create user accounts and containers in the Users container for configuration data to be replicated. For more information on configuring the access account, see Configuring Permissions for Access Account.

Changing Replication Settings

By default, the data to be replicated is divided into segments by a segment size (100 KB). Data can also be divided into segments according to a specified segment number.

You can also change the name of the storage container (by default, PMReplication) and the location for storing this container (by default, the Users container of a managed application directory partition), and the names of user accounts used to store data segments.

You can change replication settings by modifying the QPM.Service.Host.exe.config file located in the <Password Manager installation folder>\Service folder.

 Caution: Editing the configuration file may cause serious problems. It is recommended to back up the file before modifying it. Edit the QPM.Service.Host.exe.config file at your own risk.

To change replication settings

  1. On the computer where Password Manager is installed, open the QPM.Service.Host.exe.config file located in the <Password Manager installation folder>\Service folder with a text editor.
  2. In the replication node, specify the following:
    • To divide the configuration data into segments by a segment size, set the packetLimitMode to LimitSize (packetLimitMode="LimitSize").
    • To divide the configuration data into segments by a number of segments, set the packetLimitMode to LimitCount (packetLimitMode="LimitCount").
    • If you set the packetLimitMode to LimitSize, specify the maximum segment size in bytes in the maxPacketSize parameter. For example, maxPacketSize="100000". Set the maxPacketsCount parameter to zero (maxPacketsCount="0").
    • If you set the packetLimitMode to LimitCount, specify the maximum number of segments to be created in the maxPacketsCount parameter. For example, maxPacketCount="10". Note, that this value must be greater than 1. Set the maxPacketsSize parameter to zero (maxPacketsSize="0").
  3. In the storageManager node, specify the following:
    • To change the name of the storage container, in the storageContainerReplicationPath element specify the required name. The default value is CN=PMReplication.
    • To change the container for storing replication data, in the storageContainerPath element specify the required container. The default value is CN=Users.
    • To change the names of user accounts used to store data segments, in the storageContainerPartName element specify the required name. The default value is strg.
  4. Save the QPM.Service.Host.exe.config file.
  5. Restart the Password Manager Service in the Services console. Type services.msc at a command prompt, select Password Manager for AD LDS Service in the console, and click Restart.
  6. Repeat steps 1-4 on each instance belonging to a Password Manager realm.

Phone-Based Authentication Service Overview

One of the authentication options offered by Password Manager is a phone-based authentication. It enables you to require users to enter a verification code on the Self-Service or Helpdesk site. The verification code can be sent as an SMS or automated call. The phone-based authentication service is by provided by TeleSign.

Related Documents