Chat now with support
Chat with Support

We are currently experiencing issues on our phone support and are working diligently to restore services. For support, please sign in and create a case or email for assistance

Safeguard Authentication Services 6.0 LTS - Upgrade Guide

Privileged Access Suite for UNIX Introducing One Identity Safeguard Authentication Services Upgrade Windows components Configure Active Directory Configure UNIX agent components Upgrade client components manually Getting started with Safeguard Authentication Services Troubleshooting

Network requirements

Safeguard Authentication Services must be able to communicate with Active Directory, including domain controllers, global catalogs, and DNS servers using Kerberos, LDAP, and DNS protocols. The following table summarizes the network ports that must be open and their function.

Table 8: Network ports
Port Function


Used for LDAP searches against Active Directory Domain Controllers. TCP is normally used, but UDP is used when detecting Active Directory site membership.


Used for LDAP searches against Active Directory Global Catalogs. TCP is always used when searching against the Global Catalog.


Used for Kerberos authentication and Kerberos service ticket requests against Active Directory Domain Controllers. TCP is used by default.


Used for changing and setting passwords against Active Directory using the Kerberos change password protocol. Safeguard Authentication Services always uses TCP for password operations.


Used for DNS. Since Safeguard Authentication Services uses DNS to locate domain controllers, DNS servers used by the UNIX hosts must serve Active Directory DNS SRV records. Both UDP and TCP are used.


UDP only. Used for time-synchronization with Active Directory.


CIFS port used to enable the client to retrieve configured group policy.

NOTE: Safeguard Authentication Services, by default, operates as a client, initiating connections. It does not require any firewall exceptions for incoming traffic.

Upgrade Windows components

One Identity recommends that you upgrade your Windows components before you upgrade the UNIX components.

The process for upgrading the Safeguard Authentication Services Windows components from older versions is similar to the initial installation process. The Safeguard Authentication Services Windows installer detects older versions and automatically upgrades them. The next time you launch Active Directory Users and Computers, you will see the updated Safeguard Authentication Services property tabs.

NOTE: Have your license available for the Setup wizard.

Upgrading Windows components

To upgrade the Safeguard Authentication Services Windows components

  1. From the Safeguard Authentication Services Autorun Setup tab, click Safeguard Authentication Services to launch the Setup wizard.

    The InstallShield Wizard Welcome dialog indicates that a previous installation was found.

  2. Click Next in the Welcome dialog and follow the wizard prompts.

    The Setup Status dialog shows the progress of the upgrade:

    • Removing component registrations

    • Installing

    • Updating shortcuts

    • Registering components

  3. In the Update Complete dialog, indicate whether you want to restart your computer now or later.

If you choose No, I will restart my computer later, the old version of the Control Center opens. To complete the upgrade, restart your computer.

Configure Active Directory

To utilize full Active Directory functionality, when you install Safeguard Authentication Services in your environment, One Identity recommends that you prepare Active Directory to store the configuration settings that it uses. Safeguard Authentication Services adds the UNIX properties of Active Directory users and groups to Active Directory and allows you to map a UNIX user to an Active Directory user. This is a one-time process that creates the Safeguard Authentication Services application configuration in your forest.

NOTE: To use the Safeguard Authentication Services Active Directory Configuration Wizard, you must have rights to create and delete all child objects in the Active Directory container.

If you do not configure Active Directory for Safeguard Authentication Services, you can run your Safeguard Authentication Services client agent in Version 3 Compatibility Mode, which allows you to join a host to an Active Directory domain.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating