Chat now with support
Chat with Support

Quest has tools and processes in place to identify, protect, detect, and remediate vulnerabilities and incidents when they occur, including external security partners. As part of our standard security operations, Quest does not use CrowdStrike in any of our operations. We are reviewing our third parties, and so far, there is minimal affect. It is Quest's policy not to provide further technical details unless they directly impact customer data.

Password Manager 5.9.7 - Administration Guide

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in Perimeter Network Management Policy Overview Password Policy Overview Secure Password Extension Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Password Change and Reset Process Overview Data Replication Phone-Based Authentication Service Overview
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Self-Service Workflows Helpdesk Workflows Notification Activities User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances Domain Connections Extensibility Features RADIUS Two-Factor Authentication Unregistering users from Password Manager Working with Redistributable Secret Management account Email Templates
Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies One Identity Starling Reporting Password Manager Integration Appendixes Glossary

RADIUS Two-Factor Authentication

RADIUS Two-Factor Authentication enables two-factor authentication on Password Manager. RADIUS Two-Factor Authentication uses one-time passwords to authenticate users on the Self-Service site and Helpdesk site.

To configure RADIUS Two-Factor Authentication in Password Manager, you have to configure the RADIUS server details in Password Manager.

To configure RADIUS Two-Factor Authentication

  1. On the home page of the Administration site, click General Settings | RADIUS Two-Factor.

    The RADIUS Two-Factor Authentication page is displayed.

  2. Click Add RADIUS server to add a new RADIUS server for authentication.

    RADIUS Two-Factor Authentication page is displayed.

    NOTE: You can add only two servers, one is used as a primary server and the other as a secondary server. The server that is created first is considered as the primary server and used for RADIUS authentication.
  3. In the RADIUS Server (IP address or hostname) field, enter the RADIUS server IP address.

  4. In the Port number field, enter the port number assigned during configuration of RADIUS.

  5. In the RADIUS Shared Secret field, enter the password set during RADIUS configuration.

  6. Specify the Active Directory attribute to authenticate the user from the drop-down menu.

  7. From the Additional RADIUS Attribute section, select the required RADIUS attribute from the drop-down menu. Specify the value for the selected attribute and click +.

    The RADIUS attributes and the corresponding values that you add is displayed.

    NOTE: The RADIUS attributes supported are NAS-IP-Address, NAS-Port, NAS-Port-Type, and NAS-Identifier.
  8. Click Save.

For more information, see Authenticate with RADIUS Two-Factor Authentication.

Working with RADIUS servers

You can create two RADIUS servers to authenticate users on the Self-Service site and Helpdesk site through RADIUS Two-Factor authentication.

To configure RADIUS Two-Factor Authentication in Password Manager, you have to configure the RADIUS server details in Password Manager. For more information on creating and configuring a RADIUS server, see RADIUS Two-Factor Authentication.

To swap RADIUS servers

  1. On the home page of the Administration site, click General Settings | RADIUS Two-Factor.

    The RADIUS Two-Factor Authentication page is displayed along with the primary and secondary servers.

  2. Click Interchange RADIUS servers to swap the priority of the RADIUS servers between primary and secondary priority.

To modify RADIUS servers

  1. On the home page of the Administration site, click General Settings | RADIUS Two-Factor.

    The RADIUS Two-Factor Authentication page is displayed along with the primary and secondary servers.

  2. Click the modify icon to modify the properties and attributes of RADIUS servers.

    NOTE: The status of the RADIUS server is periodically scanned every 5 minutes.

To disable RADIUS servers

  1. On the home page of the Administration site, click General Settings | RADIUS Two-Factor.

    The RADIUS Two-Factor Authentication page is displayed along with the primary and secondary servers.

  2. Click Disable to disable a RADIUS server.

  3. A message is displayed to confirm, click Disable.

    The server is disabled.

    NOTE:

    • On disabling a RADIUS server, the other RADIUS server by default becomes the primary server.

    • You can enable a server that was disabled earlier.

To delete RADIUS servers

  1. On the home page of the Administration site, click General Settings | RADIUS Two-Factor.

    The RADIUS Two-Factor Authentication page is displayed along with the primary and secondary servers.

  2. Click Delete permanently delete the RADIUS server.

  3. A message is displayed to confirm, click Delete.

    The server is Deleted.

During a workflow execution, the ping to the RADUIS server to check the status of the RADIUS server is temporarily interrupted. The status check continues after the authentication process in the workflow is completed successfully.

For more information, see Authenticate with RADIUS Two-Factor Authentication.

Unregistering users from Password Manager

Unregistering users from Password Manager

Using the unregister feature, users registered to the Password Manager can be removed. Note that the user is removed only from the Password Manager and not Active Directory.

To unregister a user from the Password Manager

  1. On the home page of the Administration site, click General Settings | Unregister Users.
  2. On the Unregister Users page:

    • If you want to unregister individual users, expand the Select Users tree, click Add, manually search for the individual user, select the required user from the results, and click Save.
    • If you want to select a user group, expand the Select Groups tree, click Add, manually search for the individual groups, select the required group from the results, and click Save.
    • If you want to select the entire organization unit (OU), expand the Select Organizational Units tree, click Add, manually search for the individual OU, select the required OU from the results, and click Add.
  3. Click Unregister User to unregister the users.

NOTE:

  • If you want to run the task at a specified time, select the Schedule at check box to specify the time to run the task and click Save.
  • If a task to unregister an user is scheduled at a later time and you want to unregister the user at the current instance, click Remove Setting to delete the scheduled task settings and click Save.
  • If you have the Domain management account configured with a user other than the Active Directory Administrator then, make sure that Write permissions are available to the storage attribute of the security questions (comment, by default) for all the users/ groups/OUs that are configured to be unregistered.

  • If the users/ groups/ OUs that need to be unregistered are a member of DomainAdmins/ Administrators group in the Active Directory then, the Write Permissions are already inherited.

Working with Redistributable Secret Management account

Redistributable Secret Management Service (rSMS) can be used to manage user passwords across multiple connected systems. Using the rSMS service it is possible to quickly synchronize the passwords across connected systems. By default, the rSMS service is installed with the Password Manager software.

An rSMS account must be created and configured to interact with the rSMS service to execute password change functionality on connected systems. After creating the rSMS account and configuring the certificate binding settings (optional), you can configure the settings to reset the password in connected systems. For more information, see Reset password in connected systems through embedded connectors.

To create rSMS account and configure certificate binding settings

  1. On the home page of the Administration site, click General Settings.

  2. Click the rSMS Settings tab from the options.

    The Redistributable Secret Management Service page is displayed.

    NOTE: An rSMS account must be created before working with rSMS activity. An rSMS user is automatically created if the imported configuration file has the rSMS account details.

  1. In the Create Account section, click Create Account to create an rSMS account.

  2. In the Certificate binding section, select a custom certificate from the drop-down list, if available. By default, the built-in certificate is used. If the certificate binding settings are modified you must restart the One Identity rSMS Service.

    NOTE: If you import a configuration file, the rSMS certificate binding details are not imported. The default binding settings or the certificate binding settings of the system are used.

  3. Select the IP address from the rSMS IP address drop-down list.

    NOTE: For built-in certificates, the Port number field is automatically populated with the value 20001. For a custom certificates, custom port number can be provided.

  4. Click Save Settings to save the certificate binding settings.

    NOTE:

    • By default, all Password Manager logs are available in C:\Windows\TEMP folder. If the default Password Manager log path is changed during an update, rSMS automatically uses the updated log path instead of the default path used earlier.
    • Additional rSMS logs are available in the rSMS.Service-{Date}.log file. Enable Password Manager logging from the Administrator site under General Settings | Logging Settings.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating