Chat now with support
Chat with Support

Password Manager 5.9.5 - Administration Guide (AD LDS edition)

About Password Manager Getting Started Upgrading Password Manager Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in Perimeter Network Management Policy Overview Password Policy Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Data Replication Phone-Based Authentication Service Overview Configuring Management Policy
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow Overview Custom Workflows Custom Activities Self-Service Workflows Helpdesk Workflows User Enforcement Rules
General Settings Password Policies One Identity Hybrid Subscription One Identity Starling Reporting Appendix A: Accounts Used in Password Manager for AD LDS Appendix B: Open Communication Ports for Password Manager for AD LDS Appendix C: Customization Options Overview Glossary

System Requirements

To use the phone-based authentication service, the following requirements must be met:

  1. You have a valid license for the phone-based authentication service (see the About page of the Administration site for the service status).
  2. Outbound SSL connections are allowed from the computer on which Password Manager Service runs to the following address: https://*.telesign.com. * can be replaced with any valid subdomain name, for example, https://api.telesign.com or https://www.telesign.com.

 

Configuring Management Policy

After initializing the Administration site, you need to configure the default Management Policy to enable users to use the Self-Service site.

The required settings you need to configure for the Management Policy are a user scope and secret questions.

Configuring Permissions for Access Account

When you connect to an AD LDS instance, you can create a new connection or use existing connections, if any. When creating the connection, you must specify an access account - an account under which Password Manager will access the AD LDS instance and a specified application directory partition. You can use the Password Manager Service account, an Active Directory account or an AD LDS account. These accounts must have the following minimum set of permissions:

  • Membership in the Domain Users group (for the Password Manager Service account and the Active Directory account)
  • Membership in the Readers group in the application directory partition (for the AD LDS account)
  • Membership in the Administrators group in the configuration directory partition
  • The Read permission for all attributes of user objects
  • The Write permission for the following attributes of user objects: pwdLastSet, comment, unicodePwd, lockoutTime, msDS-UserAccountDisabled

NOTE: If the Storage attribute for Security questions under Reinitialization page is a custom value (say userParameters), then the Write permissions must be provided for that attribute instead of Comment attribute.

  • The right to reset user passwords
  • The permission to create user accounts and containers in the Users container
  • The Read permission for attributes of the organizationalUnit object and container objects
  • The Write permission for the gpLink attribute of the organizationalUnit objects and container objects
  • The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
  • The permission to create container objects in the System container
  • The permission to create the serviceConnectionPoint objects in the System container
  • The permission to delete the serviceConnectionPoint objects in the System container
  • The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container

If you want to use the same connection in password policies as well, make sure the account has the following permissions:

  • The Read permission for attributes of the groupPolicyContainer objects.
  • The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.
  • The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.
  • The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.
  • The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.

 

Corporate Authentication

In the Register workflow, if the Admin selects Corporate authentication check box, user will only be able to review the corporate account details while registration. If Allow user to edit corporate details check box is selected, user will be able to update the respective corporate details such as Corporate email and Corporate phone number, provided that the details are not previously populated by administrator in the AD.

If Corporate authentication registration mode is selected in the Register activity, make sure that Domain management account has the following set of permissions.

  1. The read permission for Corporate email attribute and Corporate phone attribute where, Mobile is the default attribute for the Corporate phone.
  2. If Allow user to edit corporate details checkbox is selected under Corporate authentication check box, both Read and Write permission must be available for Corporate email attribute and Corporate phone attribute, where Mobile is the default attribute for the Corporate phone.

NOTE: If the Corporate phone attribute under Reinitialization page is a custom value(say, pager) then, the Read/ Write Permissions need to be provided for that attribute instead of the mobile attribute.

Connecting to AD LDS Instance

After adding a connection to the user scope, you need to specify groups from the application directory partition that will be able to access the Self-Service site. By default, the group “Users” is included in the scope when you add the connection to the user scope. You can also restrict some groups from accessing the Self-Service site.

To connect to AD LDS instance

  1. Open the Administration site by entering the Administration site URL in the address bar of your browser. By default, the URL is http(s)://<ComputerName>/PMAdminADLDS, where <ComputerName> is the name of the computer on which Password Manager is installed.
  2. On the Administration site, select the Management Policy you want to configure and click the User Scope link.
  3. On the User Scope page, click Connect to AD LDS instance.
  4. If connections already exist, select a connection from the list. If you want to create a new connection, click Add new connection.
  5. If you selected to create the new connection, in the Connect to AD LDS Instance dialog, configure the following options:
    • In the Server name on which AD LDS instance is installed text box, type the name of the server to which you want to connect.
    • In the Port number (LDAP or SSL) text box, enter the port number that you specified when installing the AD LDS instance. If you select the Use SSL check box, enter the SSL port number; otherwise, LDAP port number. It is recommended to use SSL in your production environment.
    • In the Application directory partition text box, enter the name of the application directory partition from the AD LDS instance to which you want to connect.
    • In the Application directory partition alias text box, type the alias for the application directory partition which will be used to address the partition on the Self-Service site.
    • In the Access account section, select Password Manager Service account to have Password Manager access the AD LDS instance using the Password Manager Service account, otherwise, select The following Active Directory account or The following AD LDS account radio button and enter the required user name and password.

For information on how to prepare the access account, see Configuring Permissions for Access Account.

  1. Click Save.
  2. NOTE: When you add an AD LDS instance to the user scope, the group “Users” from the specified application directory partition is automatically included in the user scope.

To specify groups or OUs that are allowed to access the Self-Service site

  1. On the Administration site, select the Management Policy you want to configure and click the User Scope link.
  2. On the User Scope page, select the connection for which you want to specify groups or OUs and click Edit.
  3. Do the following:
    • To specify the groups, click Add under Groups allowed access to the Self-Service site.
    • To specify the OUs, click Add under Organizational units allowed access to the Self-Service site.
  4. Click Save.

NOTE: If you have the Domain Management account configured with a user other than the Active Directory Administrator then, provide Security permissions to all the groups, OUs that are added as Included groups, and Included OUs in the userscope.

If the users/ groups/ OUs included in the userscope, are a member of Readers/ Administrators group in the ADLDS then, the Write Permissions are already inherited.

To specify groups or OUs that are denied access to the Self-Service site

  1. On the Administration site, select the Management Policy you want to configure and click the User Scope link.
  2. On the User Scope page, select the connection for which you want to specify groups or OUs and click Edit.
  3. Do the following:
    • To specify the groups, click Add under Groups denied access to the Self-Service site.
    • To specify the OUs, click Add under Organizational units denied access to the Self-Service site.
  4. Click Save.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating