Password Manager 5.8.2 - Administrator Guide (AD LDS edition)

Licensing

The Password Manager license specifies the maximum number of user accounts enabled for management by Password Manager. When launching the Administration site, Password Manager counts the actual number of managed user accounts, and compares it with the maximum number specified by the license. If the actual number exceeds the maximum licensed number, a license violation occurs. A warning message is displayed on every connection to the Administration site of Password Manager.

In the event of a license violation, you have the following options:

  • Exclude user accounts from the set managed by Password Manager until the count no longer exceeds the licensed value, and then reconnect to the Administration site so that the license count is recalculated.
  • Remove one or more managed AD LDS instances to decrease the number of managed user accounts.
  • Purchase a new license for a greater number of user accounts, and then update your license using the instructions provided later in this section.

Note that the following items are not limited by the license:

  • The number of computers that connect to the Administration, Self-Service, and Helpdesk sites of Password Manager.
  • The number of Password Manager instances. In a large enterprise, Password Manager can be installed on multiple computers for enhanced performance and fault tolerance.

Installing the License

The license is initially installed when you install the Password Manager:

  1. In the Installation Wizard, click Licenses to display the License status dialog box.
  2. Click Browse license, locate and open your license key file using the Select License File dialog box, and then click Close.

Some license types include counters for managed persons and managed external persons in addition to the counter for user accounts. A managed person is a user who has several accounts; for example, one managed person can have three user accounts. Managed external persons are external or temporary employees. The same license violation policy applies to managed persons and managed external persons as to user accounts. To specify these user groups, use the corresponding license scopes after you install Password Manager.

Note that these scopes are available only if your license includes managed persons and managed external persons.

To add an AD LDS instance to the managed persons scope

  1. On the menu bar of the Administration site, click Licensing.
  2. On the Licenses page, click the Managed Persons tab.
  3. On the Scope of Managed Persons page, click Connect to AD LDS instance.
  4. If connections already exist, select a connection from the list. If you want to create a new connection, click Add new connection.
  5. If you chose to create a new connection, in the Connect to AD LDS Instance dialog, configure the following options:
    • In the Server name on which AD LDS instance is installed text box, type the name of the server to which you want to connect.
    • In the Port number (LDAP or SSL) text box, enter the port number that you specified when installing the AD LDS instance. If you select the Use SSL check box, enter the SSL port number; otherwise, enter the LDAP port number. Use SSL in your production environment so that the access account credentials and the directory traffic are protected in transit.
    • In the Application directory partition text box, enter the name of the application directory partition on the AD LDS instance to which you want to connect.
    • In the Application directory partition alias text box, type the alias for the application directory partition. The alias is used to address the partition on the Self-Service site.
    • In the Access account section, select Password Manager Service account to have Password Manager access the AD LDS instance using the Password Manager Service account; otherwise, select The following Active Directory account or The following AD LDS account and enter the required user name and password.

For information on how to prepare the access account, see Configuring Permissions for Access Account.

  6. Click Save.

To specify groups or OUs included in the scope of managed persons

  1. On the menu bar of the Administration site, click Licensing.
  2. On the Licenses page, click the Managed Persons tab.
  3. On the Scope of Managed Persons page, select the connection for which you want to specify groups or OUs and click Edit.
  4. Do the following:
    • To specify the groups, click Add under Groups included into the scope of managed persons.
    • To specify the OUs, click Add under Organizational units included into the scope of managed persons.
  5. Click Save.

To specify groups or OUs excluded from the scope of managed persons

  1. On the menu bar of the Administration site, click Licensing.
  2. On the Licenses page, click the Managed Persons tab.
  3. On the Scope of Managed Persons page, select the connection for which you want to specify groups or OUs and click Edit.
  4. Do the following:
    • To specify the groups, click Add under Groups excluded from the scope of managed persons.
    • To specify the OUs, click Add under Organizational units excluded from the scope of managed persons.
  5. Click Save.

You can use the procedures below to specify the scope of managed external persons.

To add an AD LDS instance to the managed external persons scope

  1. On the menu bar of the Administration site, click Licensing.
  2. On the Licenses page, click the Managed External Persons tab.
  3. On the Scope of Managed External Persons page, click Connect to AD LDS Instance.
  4. If connections already exist, select a connection from the list. If you want to create a new connection, click Add new connection.
  5. If you chose to create a new connection, in the Connect to AD LDS Instance dialog, configure the following options:
    • In the Server name on which AD LDS instance is installed text box, type the name of the server to which you want to connect.
    • In the Port number (LDAP or SSL) text box, enter the port number that you specified when installing the AD LDS instance. If you select the Use SSL check box, enter the SSL port number; otherwise, enter the LDAP port number. Use SSL in your production environment so that the access account credentials and the directory traffic are protected in transit.
    • In the Application directory partition text box, enter the name of the application directory partition on the AD LDS instance to which you want to connect.
    • In the Application directory partition alias text box, type the alias for the application directory partition. The alias is used to address the partition on the Self-Service site.
    • In the Access account section, select Password Manager Service account to have Password Manager access the AD LDS instance using the Password Manager Service account; otherwise, select The following Active Directory account or The following AD LDS account and enter the required user name and password.

For information on how to prepare the access account, see Configuring Permissions for Access Account.

  6. Click Save.

To specify groups or OUs included in the scope of managed external persons

  1. On the menu bar of the Administration site, click Licensing.
  2. On the Licenses page, click the Managed External Persons tab.
  3. On the Scope of Managed External Persons page, select the connection for which you want to specify groups or OUs and click Edit.
  4. Do the following:
    • To specify the groups, click Add under Groups included into the scope of managed external persons.
    • To specify the OUs, click Add under Organizational units included into the scope of managed external persons.
  5. Click Save.

To specify groups or OUs excluded from the scope of managed external persons

  1. On the menu bar of the Administration site, click Licensing.
  2. On the Licenses page, click the Managed External Persons tab.
  3. On the Scope of Managed External Persons page, select the connection for which you want to specify groups or OUs and click Edit.
  4. Do the following:
    • To specify the groups, click Add under Groups excluded from the scope of managed external persons.
    • To specify the OUs, click Add under Organizational units excluded from the scope of managed external persons.
  5. Click Save.
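The procedures above describe where included and excluded groups and OUs are entered, but not how the resulting license count comes out. The following Python script is an added example, not code from Password Manager or One Identity: it resolves a scope of included and excluded OUs and groups against a constructed snapshot of an AD LDS application partition (hypothetical DNs under DC=pm,DC=example), compares the managed-account count with a licensed maximum in the way the Administration site does at launch, and then applies the first remediation option from the start of this section (excluding accounts and recounting). The same evaluation applies to the user accounts, managed persons, and managed external persons scopes. Two rules are assumptions rather than statements from this guide: an exclusion always takes precedence over an inclusion, and an empty include list means the whole partition is in scope. Only direct group membership is considered.

```python
"""Added example (not Password Manager's own code): resolve a license scope
against a constructed snapshot of an AD LDS partition and compare the count
of managed accounts with the licensed maximum."""

from dataclasses import dataclass, field
from typing import Iterable


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDN separators so DNs compare
    reliably. Escaped commas inside values are not handled (the constructed
    data contains none)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


@dataclass(frozen=True)
class DirectoryUser:
    dn: str
    member_of: frozenset = frozenset()   # DNs of groups (direct membership only)


@dataclass
class LicenseScope:
    """Mirrors the four lists on the Scope of Managed Persons page."""
    included_ous: list = field(default_factory=list)
    included_groups: list = field(default_factory=list)
    excluded_ous: list = field(default_factory=list)
    excluded_groups: list = field(default_factory=list)


def is_under(user_dn: str, container_dn: str) -> bool:
    """True if user_dn lives in container_dn or in any container beneath it."""
    return normalize_dn(user_dn).endswith("," + normalize_dn(container_dn))


def is_member(user: DirectoryUser, group_dn: str) -> bool:
    return normalize_dn(group_dn) in {normalize_dn(g) for g in user.member_of}


def in_scope(user: DirectoryUser, scope: LicenseScope) -> bool:
    # Assumption: with no included OUs or groups, the whole partition is in scope.
    if scope.included_ous or scope.included_groups:
        included = (any(is_under(user.dn, ou) for ou in scope.included_ous)
                    or any(is_member(user, g) for g in scope.included_groups))
    else:
        included = True
    # Assumption: an exclusion always wins over an inclusion.
    excluded = (any(is_under(user.dn, ou) for ou in scope.excluded_ous)
                or any(is_member(user, g) for g in scope.excluded_groups))
    return included and not excluded


def resolve_scope(users: Iterable[DirectoryUser], scope: LicenseScope) -> list:
    """DNs of the accounts that count against the license, sorted."""
    return sorted(u.dn for u in users if in_scope(u, scope))


def check_license(users, scope: LicenseScope, licensed_max: int) -> dict:
    """The check the Administration site performs at launch: count the managed
    accounts and flag a violation when the count exceeds the license."""
    managed = len(resolve_scope(users, scope))
    return {"managed": managed, "licensed": licensed_max,
            "violation": managed > licensed_max,
            "excess": max(0, managed - licensed_max)}


def remediate_by_exclusion(users, scope: LicenseScope, licensed_max: int,
                           ou_to_exclude: str) -> dict:
    """First remediation option: exclude an OU from the scope and recount."""
    narrowed = LicenseScope(scope.included_ous, scope.included_groups,
                            scope.excluded_ous + [ou_to_exclude],
                            scope.excluded_groups)
    return check_license(users, narrowed, licensed_max)


# Constructed snapshot of a partition (hypothetical names, not real data).
PARTITION = "DC=pm,DC=example"
PM_USERS = "CN=PM-Users,OU=Groups," + PARTITION
PM_EXCLUDED = "CN=PM-Excluded,OU=Groups," + PARTITION

USERS = [
    DirectoryUser("CN=alice,OU=Staff," + PARTITION, frozenset({PM_USERS})),
    DirectoryUser("CN=bob,OU=Staff," + PARTITION),
    DirectoryUser("CN=svc-backup,OU=Service,OU=Staff," + PARTITION),
    DirectoryUser("CN=carol,OU=Contractors," + PARTITION, frozenset({PM_USERS})),
    DirectoryUser("CN=dave,OU=Contractors," + PARTITION),
    DirectoryUser("CN=eve,OU=Staff," + PARTITION, frozenset({PM_EXCLUDED})),
]

SCOPE = LicenseScope(
    included_ous=["OU=Staff," + PARTITION],
    included_groups=[PM_USERS],
    excluded_ous=["OU=Service,OU=Staff," + PARTITION],
    excluded_groups=[PM_EXCLUDED],
)

if __name__ == "__main__":
    print(resolve_scope(USERS, SCOPE))    # alice and bob (OU), carol (group)
    print(check_license(USERS, SCOPE, 2))  # 3 managed accounts > 2 licensed
    print(remediate_by_exclusion(USERS, SCOPE, 2, "OU=Contractors," + PARTITION))
```

In the sample, svc-backup is dropped by the excluded sub-OU and eve by the excluded group even though both sit under the included OU, which is why excluded lists are the right tool when a license violation must be cleared without removing an AD LDS instance. To run the same evaluation against a live instance, build the DirectoryUser list from an LDAP search of the partition over the SSL port and the memberOf attribute of each user.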

Updating the License

If you have purchased a new license, update the license by installing the new license key file from the Licensing page of the Administration site.

To update the license

  1. On the menu bar of the Administration site, click Licensing.
  2. On the Licenses page, click Update license.
  3. On the Update License page, click Browse, and then select your license key file.
  4. Click Save.

Telephone Verification Feature License

Password Manager requires a separate license for the telephone verification feature, which allows users to authenticate themselves via one-time PINs received as text messages or through automated voice calls. For more information about this feature, see Phone-Based Authentication Service Overview.

You can install this license during Password Manager installation or provide the license file later on the Administration site. To install the license after Password Manager installation, see the above procedure “Updating the License”.

You must specify a separate scope of users for telephone verification service. Only users included in the scope will have access to the service.

License violation occurs in the following cases:

  • The actual number of users exceeds the maximum licensed number for the telephone verification service.
  • The license for the telephone verification service expired.

In case of a license violation, you have a grace period of 30 days during which the telephone verification service remains available. After this period, the service is turned off unless you decrease the number of user accounts in the scope or update the license.
