Password Manager 5.8.2 - Administrator Guide (AD LDS edition)

About Password Manager Getting Started Upgrading Password Manager to 5.8.1 Password Manager Architecture Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow Overview Custom Workflows Custom Activities Self-Service Workflows Helpdesk Workflows User Enforcement Rules
General Settings Password Policies One Identity Hybrid Subscription One Identity Starling Reporting Appendix A: Accounts Used in Password Manager for AD LDS Appendix B: Open Communication Ports for Password Manager for AD LDS Appendix C: Customization Options Overview Glossary

Application Pool Identity

Application Pool Identity

Application pool identity is an account under which the application pool's worker process runs. The account you specify as the application pool identity during Password Manager setup will be used to run Password Manager Web sites.

Application pool identity account must meet the following requirements:

  • This account must be a member of the IIS_IUSRS local group on the Web server in IIS 7.0.
  • This account must have permissions to create files in the <Password Manager installation folder>\App_Data folder.
  • Application pool identity account must the full control permission set for the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager for AD LDS.

Access Account for Application Directory Partition Connection

Access Account for Application Directory Partition Connection

When you connect to an AD LDS instance, you can create a new connection or use existing connections, if any. When creating the connection, you must specify an access account - an account under which Password Manager will access the AD LDS instance and a specified application directory partition. You can use the Password Manager Service account, an Active Directory account or an AD LDS account. These accounts must have the following minimum set of permissions:

  • Membership in the Domain Users group (for the Password Manager Service account and the Active Directory account)
  • Membership in the Readers group in the application directory partition (for the AD LDS account)
  • Membership in the Administrators group in the configuration directory partition
  • The Read permission for all attributes of user objects
  • The Write permission for the following attributes of user objects: pwdLastSet, comment, unicodePwd, lockoutTime, msDS-UserAccountDisabled
  • The right to reset user passwords
  • The permission to create user accounts and containers in the Users container
  • The Read permission for attributes of the organizationalUnit object and container objects
  • The Write permission for the gpLink attribute of the organizationalUnit objects and container objects
  • The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
  • The permission to create container objects in the System container
  • The permission to create the serviceConnectionPoint objects in the System container
  • The permission to delete the serviceConnectionPoint objects in the System container
  • The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container

If you want to use the same connection in password policies as well, make sure the account has the following permissions:

  • The Read permission for attributes of the groupPolicyContainer objects.
  • The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.
  • The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.
  • The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.
  • The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.

Account for Using One Identity Quick Connect

Account for Using One Identity Quick Connect

You can configure cross-platform password synchronization using One Identity Quick Connect. If used in conjunction with Quick Connect Sync Engine, Password Manager allows you to enable users and helpdesk operators to manage their passwords across a wide variety of connected systems.

To enable Password Manager to set passwords in connected systems, the account used to access Quick Connect must be a member of the local administrators group on the Quick Connect server.

For more information on using Quick Connect with Password Manager, see Reset Password in AD LDS and Connected Systems.

Appendix B: Open Communication Ports for Password Manager for AD LDS

Appendix B: Open Communication Ports for Password Manager for AD LDS

This section provides a list of communication ports that need to be open in the firewall for Password Manager to function properly.

Administration Site

  • Port 80 (Default HTTP) TCP Inbound
  • Port 443 (Default HTTPS) TCP Inbound/Outbound
  • Port 8081 TCP Inbound/Outbound
  • Port 25 (Default SMTP port) TCP Outbound
  • Port 135 TCP Inbound/Outbound

Self-Service and Helpdesk Sites

  • Port 80 (Default HTTP) TCP Inbound
  • Port 443 (Default HTTPS) TCP Inbound/Outbound
  • Port 8081 TCP Inbound/Outbound

Password Manager Service

  • Port 53 (Outgoing DNS lookups) UDP Outbound
  • Port 88 (Kerberos Authentication) TCP/UDP Outbound
  • Port 389 (LDAP Access) TCP/UDP Outbound
  • Port 636 (LDAP Access) TCP Outbound
  • Port 137 (NetBIOS Name Service) TCP Outbound
  • Port 139 (NetBIOS Session Service) TCP Outbound

SQL Server

  • Port 1433 (SQL Server) TCP/UDP Outbound
  • Port 1434 (SQL Server Browser Service) TCP/UDP Outbound

Report Server

  • Port 80 (SQL Server Report Services) TCP Outbound

Email Notification

  • Port 25 (Default SMTP port) TCP Outbound

One Identity Quick Connect Sync Engine

  • Port 808 TCP Outbound

Telesign

  • Port 443 TCP Outbound

Defender

  • Port specified in the activity settings (Authenticate with Defender) is used
Related Documents