Password Manager 5.8.2 - Administrator Guide (AD LDS edition)

Installing Multiple Instances of Password Manager

Several Password Manager instances sharing a common configuration are referred to as a realm. A realm is a group of Password Manager Service instances sharing all settings and having the same set of Management Policies, that is, the same user and helpdesk scopes, Q&A policy, and workflow settings. Password Manager realms provide for enhanced availability and fault tolerance. For more information, see Typical Deployment Scenarios.

Caution: It is not recommended to edit Password Manager settings simultaneously on multiple instances belonging to one realm. Simultaneous modification of settings on multiple Password Manager instances may cause data loss.

To create a Password Manager Realm

  1. Export a configuration file from the instance belonging to the target realm.
    • To export instance settings to the configuration file, connect to the Administration site of the instance belonging to the target realm.
    • On the menu bar, click General Settings, then click Import/Export.
    • On the Import/Export Configuration Settings page, select the Export configuration settings option and enter the password to protect the configuration file. Click Export to save the configuration file.

IMPORTANT: Remember the password that you provide for the configuration file. You should enter this password when importing the configuration file for a new instance you want to join to the target realm.
  2. Install a new Password Manager instance by running Password Manager for AD LDS x86 or Password Manager for AD LDS x64 from the autorun window of the installation CD. For more information on the installation procedure, see Installing Multiple Instances of Password Manager.
  3. Open the Administration site by entering the following address: http(s)://<ComputerName>/PMAdminADLDS, where <ComputerName> is the name of the computer on which Password Manager is installed. On the Instance Initialization page, select the A Replica of an existing instance option.
  4. Click Upload to select the configuration file that you exported from the instance belonging to the target realm.
  5. Enter the password to the configuration file and click Save.

FailSafe support in Password Manager

This feature allows a user to log in to the Helpdesk or Self-Service site when the Password Manager Service is unavailable.

The Helpdesk and Self-Service sites use the Password Manager Service to communicate with Active Directory. If the Password Manager Service is unavailable, authentication and other such services do not function. For such scenarios, Password Manager has an integrated FailSafe feature that automatically connects to another available Password Manager Service.

After the Helpdesk and Self-Service sites are initialized, the WcfServiceRealms.xml file is created. This file has records of all the installed instances of the Password Manager Service. If the services of the primary Password Manager Service instance are unavailable, the user can use one of the realm instances listed in the WcfServiceRealms.xml file.

For example, the Helpdesk site is connected to PM service 1. If PM service 1 is non-functional, the integrated FailSafe feature automatically connects the Helpdesk site to PM service 2 so that tasks continue uninterrupted. After PM service 1 is restored, the Helpdesk site is connected back to the initially connected PM service, that is, PM service 1.

NOTE: FailSafe works in a distributed environment. If all the Password Manager components are installed on the same server, the FailSafe operation might not work as expected.

NOTE: The Self-Service and Helpdesk Site's URLs must be accessible from Password Manager Service.

Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Web Sites

When the Password Manager Service is installed on one computer and the Self-Service and Helpdesk sites are installed on other computers, certificate-based authentication and traffic encryption are used to protect traffic between these components.

By default, Password Manager uses built-in certificates issued by One Identity. However, you may want to install and use custom certificates issued by a trusted Windows-based certification authority.

This section provides instructions on how to start using custom certificates for authentication and traffic encryption between Password Manager components.

Complete the following steps:

  1. Obtain and install custom certificates from a trusted Windows-based certification authority.
  2. Provide the certificate issued for the server computer to the Password Manager Service.
  3. Provide the certificate issued for the client computers to the Self-Service and Helpdesk sites.

Step 1: Obtain and Install Custom Certificates From a Trusted Windows-Based Certification Authority

You must obtain two certificates from a trusted Windows-based certification authority: one for the computer running the Password Manager Service (server computer) and another for computers running the Self-Service or Helpdesk site (client computers).

When obtaining certificates, make sure that:

  • The server computer can be accessed from the client computers by using the server certificate CN.
  • Both is selected as a key usage in a certificate request.
  • Enable strong private key protection option is NOT selected in a certificate request.

The following is a sample procedure describing how to obtain a certificate through the Windows 2012 Certificate Services Web interface.

IMPORTANT: When obtaining a certificate for the server computer, perform the following procedure on a computer where the Password Manager Service runs and use the Password Manager Service account to run Internet Explorer.

When obtaining a certificate for the client computers, perform the following procedure on a computer running the Self-Service or Helpdesk site and use the Application Pool Identity account to run Internet Explorer.

To request a certificate using Windows 2012 Certificate Services Web Interface

  1. Use Internet Explorer to open https://servername/certsrv, where servername refers to the name of the Web server running Windows Server 2012 where the certification authority that you want to access is located.
  2. On the Welcome page, click Request a certificate.
  3. On the Request a Certificate page, click advanced certificate request.
  4. On the Advanced Certificate Request page, click Create and submit a certificate request to this CA.
  5. Provide identification information as required. In the Name text box, enter the name of the server for which you are requesting a certificate.
  6. In Type of Certificate Needed, select Server Authentication Certificate.
  7. In Key Options, select Create new key set, and specify the following options:
    • In CSP (Cryptographic service provider), select Microsoft Enhanced RSA and AES Cryptographic Provider.
    • In Key Usage, click Both.
    • In Key Size, set 1024 or more.
    • Select Automatic key container name.
    • Select the Mark keys as exportable check box.
    • Clear the Enable strong private key protection check box.
  8. In Additional Options, specify the following:
    • In Request Format, select CMC.
    • In Hash Algorithm, select sha256.
    • Do not select the Save request check box.
    • Specify attributes if necessary and a friendly name for your request.
  9. Click Submit.
  10. If you see the Certificate Issued Web page, click Install this certificate. If your request needs to be approved by your administrator first, wait for the approval, then go to https://servername/certsrv, click View the status of a pending certificate request, and install the issued certificate.
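
Once the issued certificate is installed, it can be checked against the requirements listed in this section before it is handed to the Password Manager Service or the sites. The following is an added example, not part of Password Manager or its documentation. The function name Test-PmCertificate, the host name pmservice.example.test, and the assumption that web enrollment placed the certificate in the requesting account's Personal store (Cert:\CurrentUser\My) are illustrative.

```powershell
# Added example: not One Identity code. Checks an installed certificate against
# the requirements this section lists (CN, private key, key size, certificate type).
function Test-PmCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $ExpectedName,  # name the client computers use
        [int] $MinKeyBits = 1024                        # floor given in Key Options
    )
    $findings = @()

    # The server must be reachable by the certificate CN, so the CN has to be
    # the exact name the sites are configured with.
    $cn = $Certificate.GetNameInfo('SimpleName', $false)
    if ($cn -ne $ExpectedName) { $findings += "CN '$cn' differs from '$ExpectedName'" }

    # The account running the service or application pool needs the private key.
    if (-not $Certificate.HasPrivateKey) { $findings += 'no private key in this store' }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($null -eq $rsa) { $findings += 'public key is not RSA' }
    elseif ($rsa.KeySize -lt $MinKeyBits) { $findings += "RSA key is $($rsa.KeySize) bits" }

    # Step 6 selects "Server Authentication Certificate" (EKU 1.3.6.1.5.5.7.3.1).
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    if ($oids -notcontains '1.3.6.1.5.5.7.3.1') { $findings += 'Server Authentication EKU missing' }

    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $findings += 'outside validity period'
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings -join '; '
    }
}

# Placeholder host name; run as the account that requested the certificate.
# 2048 is this example's stricter floor, above the guide's stated minimum.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-PmCertificate -Certificate $_ -ExpectedName 'pmservice.example.test' -MinKeyBits 2048 }
```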