-
标题
HOW TO: Change the Password Manager Service Account, Application Pool, and Override Account credentials -
说明
There are three separate areas in Password Manager where credentials may be specified. Carefully read and follow the guidance in the sections below to verify and update each appropriately. Unless the proper procedure is followed, it will not be possible to log into the Admin Site in Password Manager after changing the service account or updating the password, and data can be lost.
In the event of an improper Service Account modification, error messages in the Event Viewer logs and User Site will show the following:
Cryptography exception - Bad Data.
NOTE: If there is a requirement for a minimal permissions account see this article before completing the steps in this article to switch the service account being used. Assigning Minimum Permissions Required to Install and Run Password Manager (4227388) -
解决办法
Password Manager Service Account:
The Password Manager username and password is stored encrypted in the configuration. In order to change the account or password for the Service Account, a backup of the configuration must be exported before making any changes and re-imported after the credentials have been modified or the Password Manager service will no longer be able to read the configuration data, resulting in loss of configuration and user Q&A profile data.
To change the Password Manager Service Account, perform the following steps exactly as noted:
NOTE: Due to security enhancements, a complex password is generated when exporting the configuration. The password is only displayed once and changes each time the page is viewed. The password must be noted and secured at the time of the configuration export, as it will never be displayed again. The password is required to import the configuration.
- Launch the Password Manager PMAdmin site.
- On the menu bar, click General Settings, then click the Import/Export tab and export the configuration file of the primary instance of Password Manager, ensuring the file password is saved as noted above.
- Stop the Password Manager Service on all Password Manager instances in the environment.
- Using the Windows Services console or PowerShell, update the log on details as required.
- Under C:\ProgramData\One Identity, rename the Password Manager folder to Password Manager-OLD.
- Start the Password Manager service.
- Launch the Password Manager Admin site.
- On the Instance Initialization page, select Unique instance and click Save.
- On the menu bar, click General Settings, then click the Import/Export tab and import the configuration file which was exported before changing the service account in step 1.
- Repeat steps 4-9 on all Password Manager instances in the environment.
Application Pool Identity:
Follow the guidance below to update the Application Pool Identity in Microsoft Internet Information Services (IIS). These credentials can be updated at any time without risk to product configurations and can be performed independently from the Service Account.
- Launch IIS.
- Expand the top-level node.
- Select Application Pools.
- Right-click PMAdmin under Application Pools on the right side window.
- Select Advanced Settings... from the menu.
- Change the Identity field value to the updated credentials.
- Repeat for the PMHelpdesk, PMSelfService, and PMUser Application Pools.
- Repeat the above steps on each Password Manager server.
Domain Connection Override Account:
Follow the guidance below to update the Override Accounts used in any Domain Connections. Please note that many configurations may not utilize Override Accounts and may instead use the Password Manager Service Account to access the managed domains. These credentials can be updated at any time without risk to product configurations and can be performed independently from the Service Account.
- Select the General Settings tab.
- Select the Domain Connections tab.
- Select the Edit option under the Domain Connection to be modified.
- Under the Access account heading, update the User name and Password for the account.
- Select the Save option to commit the changes.
-
其他信息
In multiple Password Manager server environments using Replication, after updating the service account and reimporting configuration it is advisable to verify that the Primary node is still properly set as the Primary Instance for replication purposes. Please see this linked section of the How-To guide for details on setting the Primary Instance.