We strongly recommend that you use HTTPS with Password Manager. The secure hypertext transfer protocol (HTTPS) is a communications protocol designed to transfer encrypted information between computers over the World Wide Web.
For instructions on how to configure SSL in order to support HTTPS connections from client applications, see the article “Configuring Secure Sockets Layer in IIS 7" at http://technet.microsoft.com/en-us/library/cc771438%28WS.10%29.aspx.
|NOTE: To enable the Password Manager installation to be redirected from HTTP to use HTTPS by default, the HSTS (web security policy mechanism) functionality must be enabled. To enable HSTS in Password Manager, in the "HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager" registry key, set the registry value of the "HSTSEnabled" string to "true".
Steps to Install Password Manager
Steps to Install Password Manager
To install Password Manager
- Depending on the hardware, run Password Manager for AD LDS x86 or Password Manager for AD LDS x64 from the autorun window of the installation CD.
- Read the license agreement, select I accept the terms in the license agreement, and then click Next.
- On the User Information page, specify the following options, and then click Next:
Table 3: User information details
Type your name.
Type the name of your organization.
Click this button, and then specify the path to the license file.
A license file is a file with the .ASC extension that you have obtained from your One Identity representative.
- On the Custom Setup page, select the components to install, and then click Next.
Table 4: Installation component details
Select this option to install Password Manager Service and the Administration, Self-Service and Helpdesk sites on this computer.
Legacy Self-Service Site
Select this option to install only the legacy Self-Service site.
Password Manager Self-Service Site
Select this option to install only the Password Manager Self-Service site.
Select this option to install only the Helpdesk site.
You can install all Password Manager components together on a single server or you can deploy the Self-Service and Helpdesk sites on a standalone server. To learn more about installing the Self-Service and Helpdesk sites on a standalone server, see Installing Legacy Self-Service, Password Manager Self-Service, and Helpdesk Sites on a Standalone Server.
- On the Password Manager Service Account Information page, specify the name and password for the Password Manager Service account, and then click Next. For more information on the requirements for the Password Manager Service account, see Configuring Password Manager Service Account and Application Pool Identity.
- On the Specify Web Site and Application Pool Identity page, select the Web site name and specify the name and password for the account to be used as an application pool identity, and then click Next. For more information on the requirements for the application pool identity, see Configuring Password Manager Service Account and Application Pool Identity.
- Click Install.
- When the installation is complete, click Finish.
Extending AD LDS Schema
To use Password Manager with an AD LDS instance, you need to extend the AD LDS schema to include required object class definitions.
When installing a unique AD LDS instance, you must specify the LDAP and SSL port numbers and the application directory partition name. Make sure, you remember the values you enter because you will need to use them when extending the AD LDS schema.
|IMPORTANT: When you install an AD LDS instance, in the AD LDS setup wizard select the option to create a new application directory partition and, on the Importing LDIF Files page, select all shown files.
To extend AD LDS schema
- On a computer where an AD LDS instance is installed, create a temporary folder.
- Copy all files from the Password Manager\Setup\ADLDS Extension folder on the Password Manager installation CD to the folder you created in step 1.
- In the temporary folder, modify the prepare_ad_lds.cmd file using any text editor. Replace the port number in the line “SET PORT=50000” with the LDAP port number you specified in the AD LDS setup wizard.
- In the temporary folder, modify the data.ldf file using any text editor. Replace all occurrences of the “O=Quest,C=US” with the application directory partition name you specified in the AD LDS setup wizard.
- Run the prepare_ad_lds.cmd file.
After you installed Password Manager on your computer, you need to initialize an instance before you begin to configure a new Management Policy, that is, before configuring the user and helpdesk scopes, Questions and Answers policy, and managing workflows. When initializing a Password Manager instance, you can choose one of the two options: create a unique instance or a replica of an existing instance. When you create the replica of the existing instance, the new instance shares its entire configuration with the existing instance. Password Manager instances sharing the same configuration are referred to as a Password Manager realm. For more information about Password Manager realms, see Installing Multiple Instances of Password Manager.
To initialize Password Manager instance
- Open the Administration site by entering the following address: http(s)://<ComputerName>/PMAdminADLDS, where <ComputerName> is the name of the computer on which Password Manager is installed. You can obtain the URL path to the Admin site from your system administrator. On the logon page, enter your user name and password and click Log on. The Instance Initialization page will be displayed automatically.
NOTE: For Password Manager versions 5.8.x or later, users must be a part of the local PMAdminADLDS group and either of IIS_IUSRS or Administrators group to access the PMAdmin site.
- On the Instance Initialization page, select one of the following options, depending on what type of instance you want to create:
- Unique instance Creates a new instance.
- A replica of an existing instance Joins a new instance to a Password Manager realm.
- If you have selected the option A replica of an existing instance, follow the instructions provided later in the section “Installing Multiple Instances of Password Manager”.
- If you have selected the option Unique instance, under Service connection settings, specify the following:
- Certificate name Select the certificate that was issued for the computer running the Password Manager Service. If you decide to install the Legacy Self-service, Self-Service and Helpdesk sites separately from the Password Manager Service, it is recommended to replace the built-in certificate that is used encrypt traffic between the Service and the sites. For more information, see Specifying Custom Certificates for Authentication and Traffic EncryptionBetween Password Manager Service and Web Sites.
- Port number Specify the port that the Self-Service and Helpdesk sites will use to connect to the Password Manager Service. By default, port 8085 is used.
- Under Advanced settings, specifying the following:
- Encryption algorithm Specify the encryption algorithm that will be used to encrypt users’ answers to secret questions and other security sensitive information. You can select from two options: Triple DES and AES. By default, Password Manager uses Triple DES algorithm to encrypt data. Note, that users’ answers will be encrypted if the “Store answers using reversible encryption” option is selected in the Q&A Profile settings. Otherwise, the answers will be hashed.
- Encryption key length Specify whether a 192-bit or 256-bit encryption key will be used.
- Hashing algorithm Specify the hashing algorithm that will be used to hash users’ answers to secret questions. The following algorithms are available: MD5 and SHA-256. By default, Password Manager uses SHA-256 hashing algorithm. Password Manager will hash users’ answers if “Store answers using reversible encryption” option is not selected in the Q&A Profile settings.
- Attribute name Enter the attribute of user's account in AD LDS in which user's Questions and Answers profile will be stored. By default, Password Manager stores Q&A profile data in the comment attribute of each user's account and configuration data in the comment attribute of a configuration storage account, which is automatically created when installing Password Manager.
- Click Save to complete instance initialization.