Password Manager 5.13.1 - Administration Guide (AD LDS Edition)


Installing Legacy Self-Service, Password Manager Self-Service, and Helpdesk Sites on a Standalone Server

Password Manager allows you to install the legacy Self-Service, Password Manager Self-Service, and Helpdesk sites on a standalone server. For example, you can use this installation scenario to deploy Password Manager in a perimeter network (DMZ).

When deploying Password Manager in a perimeter network, it is recommended to first install the Password Manager Service and the sites in the corporate network (that is, use the Full Installation option in the Password Manager setup), and then install only the legacy Self-Service or the Password Manager Self-Service site in the perimeter network.

When you use this installation scenario, only one port should be open in the firewall between the corporate network and the perimeter network (by default, port number 8081 is used).

To install Legacy Self-Service, Password Manager Self-Service, and Helpdesk sites on a standalone server

  1. Depending on the hardware, run Password Manager x64 from the installation media autorun window.

  2. Read the license agreement, select I accept the terms in the license agreement, then click Next.

  3. On the User Information page, specify the following options, and then click Next:

    1. Full name: Enter your name.

    2. Organization: Enter the name of your organization.

    3. Licenses: Click this button and specify the path to the license file.

    NOTE: A license file is a file with the .asc extension that you have obtained from your One Identity representative.

  4. On the Custom Setup page, select the Legacy Self-Service Site, Password Manager Self-Service Site, and/or Helpdesk Site features, then click Next.

  5. On the Specify Web Site and Application Pool Identity page, select the website name and specify the name and password of the account to be used as the application pool identity, then click Next. For more information on the requirements for the application pool identity, see Configuring Password Manager Service Account and Application Pool Identity.

  6. Click Install.

  7. When installation is complete, click Finish.

After you have installed the Self-Service and Helpdesk sites on a standalone server, you need to initialize the sites before you can start using them.

To initialize the Legacy Self-Service site and the Password Manager Self-Service site

  1. Open the Legacy Self-Service site by entering the following address: http(s)://<ComputerName>/PMUser, where <ComputerName> is the name of the computer on which Self-Service site is installed.

    For the Password Manager Self-Service site, enter the following address: http(s)://<ComputerName>/PMSelfService.

    The Self-Service Site Initialization page will be displayed automatically.

  2. In the Computer name or IP address text box, specify the Password Manager Service host name or IP address.

  3. In the Port number text box, specify the port number that the Self-Service site will use to connect to the Password Manager Service.

  4. From the Certificate name drop-down list, select the name of the certificate to be used by this site. By default, Password Manager uses a built-in certificate issued by Password Manager. You can specify a custom certificate for authentication and traffic encryption between the Password Manager Service and the websites (Self-Service and Helpdesk). For more information on using custom certificates, see Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Web Sites.

    NOTE: Before selecting a custom certificate on the Self-Service site, specify a custom certificate on the Administration site.

  5. Click Save.

To initialize the Helpdesk site

  1. Open the Helpdesk site by entering the following address: http(s)://<ComputerName>/PMHelpdesk, where <ComputerName> is the name of the computer on which Helpdesk site is installed. The Helpdesk Site Initialization page will be displayed automatically.

  2. In the Computer name or IP address text box, specify the Password Manager Service host name or IP address.

  3. In the Port number text box, specify the port number that the Helpdesk site will use to connect to the Password Manager Service.

  4. From the Certificate name drop-down list, select the name of the certificate to be used by this site. By default, Password Manager uses a built-in certificate issued by One Identity. You can specify a custom certificate for authentication and traffic encryption between the Password Manager Service and the websites (Self-Service and Helpdesk). For more information on using custom certificates, see Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Web Sites.

    NOTE: Before selecting a custom certificate on the Helpdesk site, specify a custom certificate on the Administration site.

  5. Click Save.

NOTE: After the Helpdesk and Self-Service sites are initialized, the WcfServiceRealms.xml file is created. This file records all installed instances of the Password Manager Service, and it lets a site use one of the listed realm instances when the primary Password Manager Service instance is unavailable. For more information, see FailSafe support in Password Manager.

FailSafe support in Password Manager

This feature allows a user to log in to the Helpdesk or Self-Service site when the Password Manager Service is unavailable.

The Helpdesk and Self-Service sites use the Password Manager Service to communicate with Active Directory. If the Password Manager Service is unavailable, authentication and the other services that depend on it do not function. For this scenario, Password Manager includes a FailSafe feature that automatically connects the site to another available Password Manager Service instance.

After the Helpdesk and Self-Service sites are initialized, the WcfServiceRealms.xml file is created. This file records all installed instances of the Password Manager Service. When the primary Password Manager Service instance is unavailable, the site can use one of the realm instances listed in the WcfServiceRealms.xml file.

For example, suppose the Helpdesk site is connected to PM service 1. If PM service 1 becomes non-functional, the integrated FailSafe feature automatically connects the Helpdesk site to PM service 2 so that tasks continue uninterrupted. After PM service 1 is restored, the Helpdesk site is connected back to the instance it was initially connected to, that is, PM service 1.

NOTE: FailSafe works in a distributed environment. If all the Password Manager components are installed on the same server, the FailSafe operation might not work as expected.

NOTE: The Self-Service and Helpdesk site URLs must be accessible from the Password Manager Service.
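The following script is an added example and is not part of this guide or of the Password Manager product. It models two points made above: the single firewall opening a standalone site needs towards the Password Manager Service (port 8081 by default), and the FailSafe selection rule (use the primary instance while it is reachable, otherwise the first reachable realm instance, and return to the primary as soon as it is reachable again). The host names, ports and the instance list are constructed sample data; the guide does not document the format of WcfServiceRealms.xml, so the instance list is represented as plain Python tuples rather than by parsing that file.

```python
"""Added example, not One Identity code: connectivity check for the firewall
opening to the Password Manager Service, plus a model of the documented
FailSafe instance selection.

Assumptions (constructed, not from the guide): host names, the port list and
the (name, host, port) instance tuples below are sample data.
"""
import socket
from typing import Callable, List, Optional, Sequence, Tuple

# Constructed representation of the realm instances a site knows about.
Instance = Tuple[str, str, int]  # (name, host, port)

DEFAULT_SERVICE_PORT = 8081  # default port named in the guide


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout.

    This is the check a DMZ administrator would run from the standalone
    site server to confirm that the one permitted opening towards the
    Password Manager Service actually passes traffic.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_openings(host: str, expected_port: int,
                   candidate_ports: Sequence[int],
                   probe: Callable[[str, int], bool] = tcp_port_open
                   ) -> Tuple[bool, List[int]]:
    """Verify the least-privilege firewall rule described in the guide.

    Returns (expected_port_reachable, unexpected_open_ports). Any port in
    candidate_ports other than expected_port that answers is reported so the
    administrator can tighten the rule.
    """
    expected_ok = probe(host, expected_port)
    unexpected = [p for p in candidate_ports
                  if p != expected_port and probe(host, p)]
    return expected_ok, unexpected


class FailSafeSelector:
    """Model of the FailSafe behaviour described in the guide.

    select() returns the primary instance whenever the probe says it is
    reachable; otherwise the first reachable replica in list order; otherwise
    None. Because the primary is probed first on every call, the site moves
    back to it automatically once it is restored.
    """

    def __init__(self, primary: Instance, replicas: Sequence[Instance],
                 probe: Callable[[str, int], bool] = tcp_port_open) -> None:
        self.primary = primary
        self.replicas = list(replicas)
        self.probe = probe
        self.current: Optional[Instance] = None

    def select(self) -> Optional[Instance]:
        _, host, port = self.primary
        if self.probe(host, port):
            self.current = self.primary
            return self.current
        for inst in self.replicas:
            _, host, port = inst
            if self.probe(host, port):
                self.current = inst
                return self.current
        self.current = None
        return None


if __name__ == "__main__":
    # Constructed sample realm: one primary and two replicas (hypothetical hosts).
    primary = ("PM service 1", "pm1.corp.example", DEFAULT_SERVICE_PORT)
    replicas = [("PM service 2", "pm2.corp.example", DEFAULT_SERVICE_PORT),
                ("PM service 3", "pm3.corp.example", DEFAULT_SERVICE_PORT)]
    selector = FailSafeSelector(primary, replicas)
    print("selected instance:", selector.select())
    ok, extra = audit_openings("pm1.corp.example", DEFAULT_SERVICE_PORT,
                               [80, 443, 8081, 3389])
    print("8081 reachable:", ok, "unexpected open ports:", extra)
```

Run it from the standalone site server after replacing the constructed host names with your own; the `FailSafeSelector` is only a model of the rule the guide states and does not read the real WcfServiceRealms.xml.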

Installing multiple instances of Password Manager

Several Password Manager instances sharing common configuration are referred to as a realm. A realm is a group of Password Manager Service instances sharing all settings and having the same set of management policies, that is, the same user and Helpdesk scopes, Q&A policy, and workflow settings. Password Manager realms provide for enhanced availability and fault tolerance.

IMPORTANT: It is not recommended to edit Password Manager settings simultaneously on multiple instances belonging to one realm. Simultaneous modification of settings on multiple Password Manager instances may cause data loss.

To create a Password Manager Realm

  1. Export a configuration file from the instance belonging to the target realm:

    • To export instance settings to the configuration file, connect to the Administration site of the instance belonging to the target realm.

    • On the menu bar, click General Settings, then click Import/Export.

    • On the Import/Export Configuration Settings page, select the Export configuration settings option and click Export to save the configuration file.

      IMPORTANT: Remember the password that is generated while exporting the configuration file. You should enter this password when importing the configuration file for a new instance you want to join to the target realm.

  2. Install a new Password Manager instance by running Password Manager x86 or Password Manager x64 from the installation media autorun window. For more information on the installation procedure, see Installing Password Manager.

  3. Open the Administration site by entering the following address: http(s)://<ComputerName>/PMAdmin, where <ComputerName> is the name of the computer on which Password Manager is installed. On the Instance Initialization page, select the Replica of existing instance option.

  4. Click Upload to select the configuration file that you exported from the instance belonging to the target realm.

  5. Enter the password to the configuration file and click Save.

Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Web Sites

When the Password Manager Service is installed on one computer and the Self-Service and Helpdesk sites are installed on some other computers, certificate-based authentication and traffic encryption is used to protect traffic between these components.

By default, Password Manager uses built-in certificates issued by One Identity. However, you may want to install and use custom certificates issued by a trusted Windows-based certification authority.

To start using custom certificates for authentication and traffic encryption between Password Manager components

  1. Step 1: Obtain and install custom certificates from a trusted Windows-based Certification Authority

  2. Step 2: Provide the certificate issued for the server computer to the Password Manager Service

  3. Step 3: Provide the certificates issued for the client computers to the Self-Service and Helpdesk sites
