Password Manager 5.14 - Administration Guide (AD LDS Edition)

Step 1: Obtain and install custom certificates from a trusted Windows-based Certification Authority

You must obtain two certificates from a trusted Windows-based certification authority: one for the computer running the Password Manager Service (server computer), and another for computers running the Self-Service or Helpdesk Site (client computers).

When obtaining certificates, make sure that:

  • The server computer can be accessed from the client computers by using the server certificate CN.

  • The Both option is selected for Key Usage in the certificate request.

  • The Enable strong private key protection option is NOT selected in the certificate request.

The following is a sample procedure describing how to obtain a certificate through the Windows 2012 Certificate Services Web interface.

IMPORTANT: When obtaining a certificate for the server computer, perform the following procedure on a computer where the Password Manager Service runs and use the Password Manager Service account to run a supported web browser.

When obtaining a certificate for the client computers, perform the following procedure on a computer running the Self-Service or Helpdesk Site and use the Application Pool Identity account to run a supported web browser.

To request a certificate using Windows 2012 Certificate Services Web Interface

  1. Use a browser to open https://servername/certsrv, where servername refers to the name of the web server running Windows Server 2012 where the certification authority that you want to access is located.

  2. On the Welcome page, click Request a certificate.

  3. On the Request a Certificate page, click Advanced Certificate Request.

  4. On the Advanced Certificate Request page, click Create and submit a certificate request to this CA.

  5. Provide identification information as required. In the Name field, enter the name of the server for which you are requesting a certificate.

  6. In Type of Certificate Needed, select Server Authentication Certificate.

  7. In Key Options, select Create new key set, and specify the following options:

    • In CSP (Cryptographic service provider), select Microsoft Enhanced RSA and AES Cryptographic Provider.

    • In Key Usage, click Both.

    • In Key Size, set 1024 or more.

    • Select Automatic key container name.

    • Select Mark keys as exportable.

    • Clear Enable strong private key protection.

  8. In Additional Options, specify the following:

    • In Request Format, select CMC.

    • In Hash Algorithm, select sha256.

    • Do not select the Save request check box.

    • Specify attributes if necessary and a friendly name for your request.

  9. Click Submit.

  10. If you see the Certificate Issued web page, click Install this certificate. If your request needs to be approved by your administrator first, wait for the approval and then go to https://servername/certsrv. Then, click View the status of a pending certificate request, and then install the issued certificate.
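
To confirm that an installed certificate matches the requirements listed in Step 1, the following PowerShell function inspects a certificate store. It is an added example, not part of the vendor's guide or product. The function name, parameters and default store path are assumptions, as is reading Both as Digital Signature plus Key Encipherment in the Key Usage extension; `-MinKeyBits` defaults to 2048, which is stricter than the 1024 minimum the procedure lists.

```powershell
# Added example (not vendor code): check an installed certificate against the Step 1 requirements.
# Assumptions: the function and parameter names are hypothetical; the default store is the
# personal store of the account that ran the browser during enrollment.
function Test-PMCertificate {
    param(
        [Parameter(Mandatory)] [string] $ExpectedName,  # CN the client computers use to reach the server
        [string] $StorePath = 'Cert:\CurrentUser\My',   # assumption: store used by web enrollment
        [int] $MinKeyBits = 2048                        # stricter than the guide's 1024 minimum
    )
    $nameType      = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'                # Server Authentication EKU
    # Assumption: "Both" appears in the issued certificate as these two Key Usage flags.
    $both = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.GetNameInfo($nameType, $false) -eq $ExpectedName } |
        ForEach-Object {
            $cert = $_
            # Returns $null for non-RSA keys, which then fails the key size check.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            $ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
            $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $now = Get-Date
            [pscustomobject]@{
                Thumbprint     = $cert.Thumbprint
                HasPrivateKey  = $cert.HasPrivateKey
                KeyBitsOk      = ($null -ne $rsa) -and ($rsa.KeySize -ge $MinKeyBits)
                KeyUsageBoth   = ($null -ne $ku) -and $ku.KeyUsages.HasFlag($both)
                ServerAuthEku  = ($null -ne $eku) -and
                                 (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid)
                WithinValidity = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
                ChainValid     = $cert.Verify()         # chain builds to a trusted root on this machine
            }
        }
}
```

Run it in a session started as the account that requested the certificate, passing the server certificate CN as `-ExpectedName`; any `False` column identifies the requirement to recheck.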

Step 2: Providing certificate issued for server computer to Password Manager service

In this step, you provide the certificate issued for the server computer to the Password Manager Service by using the Administration Site.

To provide the certificate to the Password Manager Service

  1. Open the Administration Site by entering the following address: http(s)://<ComputerName>/PMAdmin, where <ComputerName> is the name of the computer on which Password Manager is installed.

  2. Click General Settings > Instance Reinitialization. Under the Service connection settings, select the custom certificate issued for the server computer from the Certificate name drop-down list.

  3. Click Save.

Step 3: Providing certificate issued for client computers to Self-Service and Helpdesk Sites

In this step, you provide the certificate issued for the client computers to the Self-Service and Helpdesk sites installed separately from the Password Manager Service.

To provide the certificate to the Password Manager Self-Service Site

  1. Open the Self-Service Site by entering the following address:

    http(s)://<ComputerName>/PMSelfService

    In this URL, <ComputerName> is the name of the computer on which Self-Service Site is installed.

    For the Password Manager Self-Service Site, enter the following address: http(s)://<ComputerName>/PMNewUser.

    The Self-Service Site Initialization page will be displayed automatically if the Self-Service Site is opened for the first time.

  2. From the Certificate name drop-down list, select the custom certificate issued for the client computer.

  3. Click Save.

To provide the certificate to the Helpdesk Site

  1. Open the Helpdesk Site by entering the following address: http(s)://<ComputerName>/PMHelpdesk, where <ComputerName> is the name of the computer on which Helpdesk Site is installed. The Helpdesk Site Initialization page will be displayed automatically if the Helpdesk Site is opened for the first time.

  2. From the Certificate name drop-down list, select the custom certificate issued for the client computer.

  3. Click Save.
