FastPass Password Manager v3.4 - Installation Guide (revision G)
FastPass Password Manager Version 3.4.2 Installation Guide

Document Title: Installation Guide
Document Classification: Public
Document Revision: G
Document Status: Final
Document Date: October 6, 2012

The specifications and information in this document are subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. This document may not be copied or distributed by any means, in whole or in part, for any reason, without the express written permission of FastPassCorp A/S.

© 2004 - 2012 FastPassCorp A/S. All rights reserved. Lyngby Hovedgade 98, 2800 Kongens Lyngby, Denmark. http://www.fastpasscorp.com/. FastPass Password Manager is a trademark of FastPassCorp A/S. All further trademarks are the property of their respective owners.

Limited Warranty
No guarantee is given for the correctness of the information contained in this document. Please send any comments or corrections to [email protected].

Status: Final Date: October 6, 2012 Page 2 of 68 Installation Guide

Table of Contents

1. Introduction  5
   1.1 Purpose  5
   1.2 Audience  5
   1.3 References  5
   1.4 How to use this document  5
   1.5 Terms  5
2. About FastPass Password Manager  6
   2.1 The architecture of FastPass Password Manager  7
   2.2 Integration to Microsoft Active Directory  8
3. Installing FastPass Password Manager  10
   3.1 Preparing the Installation  10
       3.1.1 Defining the deployment architecture  10
       3.1.2 Creating User Accounts and Groups  12
       3.1.3 Preparing the application servers  15
       3.1.4 Preparing the target AD  25
       3.1.5 Requesting a FastPass Password Manager license  26
   3.2 Installing  26
       3.2.1 Installing FastPass Password Manager  26
       3.2.2 Preparing the ADAM instance for FastPass  30
       3.2.3 Initializing the FastPass Password Manager solution  34
   3.3 Service restart  37
   3.4 Configuring the FastPass Password Manager solution  37
       3.4.1 Accessing the Administration Client  37
4. Installing the stand-alone FastPass Client  39
   4.1 Installing  39
   4.2 Configuring the client  41
5. Installing Multisystem Password Reset and Synchronization  45
   5.1 Installing SQL Express  45
   5.2 Configuring Microsoft SQL-Express for use with Sync Server  51
       5.2.1 Enabling encryption for SQL server  53
   5.3 Pre-requisites for the connectors  54
   5.4 Install Password Sync Server  54
6. Additional information  59
7. Appendices  60
   7.1 Appendix A: Backing Up AD LDS Database on Windows 2008 Server  60
   7.2 Appendix B: Restart FastPass Services  67
   7.3 Appendix C: Recommended changes when installing for more than 10.000 users  68
       7.3.1 Separate ADAM instances  68
       7.1.1 Tweaking ADAM/ADLDS settings  68

1. Introduction

This document was last updated October 6, 2012 and targets FastPass Password Manager version 3.4.2.

1.1 Purpose

The purpose of this document is to describe the steps included in the process of performing a FastPass Password Manager implementation.
Although the document is written as a tutorial for performing a real installation, the reader should expect to change input values to match the standards and requirements of their own environment.

1.2 Audience

The intended audience of this document is personnel responsible for, preparing, or performing the application installation.

1.3 References

This document references the following documents: Version 3.4.2 Administrators Guide.

1.4 How to use this document

Chapter 3 outlines the installation process. Chapter 4 describes the preparation steps for the installation. Chapter 5 describes the actual installation.

1.5 Terms

The following technical and product specific terms are used without further explanation throughout the document.

2. About FastPass Password Manager

FastPass Password Manager is a secure web-based solution offering self-service password operations to end-users. Users are required to remember more and more complex passwords on more systems than ever before. Research suggests that 30% of all calls to Help Desks are related to forgotten passwords.

Built to use Active Directory as the authoritative repository, FastPass is capable of delivering an instant ROI by deploying in just a few hours on your existing Microsoft environment. Further value can be gained by integrating these tools with Microsoft Identity Integration Server (MIIS/ILM 2007) for an industry leading Identity and Access solution.

Introduce Self-Service

Users only need a web browser to access FastPass, whether on the corporate intranet or across the internet. In addition, an easily integrated deployment via SharePoint Portal or the SAP Portal gives a secure single point of entry to all applications and supports anonymous access for users who have forgotten their passwords.
FastPass enables self-service enrollment and password resets as well as self-service account mapping, utilizing the same Web UI and saving directly into Active Directory. Captured password resets can be synchronized across multiple platforms without integration to Microsoft Identity Integration Server (MIIS/ILM 2007).

FastPass helps to reduce the workload within the Help Desk, increase end-user productivity and strengthen security

A Password Management solution from FastPassCorp saves both time and money for all parties involved:

For Executives:
• Reduce workload in help desk
• Make it possible for your employees to access systems even when the Help Desk is closed
• Enhance security
• Leverage past investments in Active Directory or ADAM
• Achieve ROI within 3-9 months (no investment needed)

For Help Desk Managers:
• Remove 30% of calls to help desk
• Enhance logging and reporting
• Significantly lower total cost per forgotten password
• Increase employee satisfaction
• Easy implementation (from minutes to days depending on complexity)
• Easy roll-out using automated enrollment services

For Employees:
• Extremely fast solution to a forgotten password situation
• Access to systems 24/7/365
• No need to involve others
• No barrier to comply with strict password security policies
• Simple to use

2.1 The architecture of FastPass Password Manager

The following describes and illustrates the architecture of FastPass Password Manager. From a user perspective the Password Manager offers web-based self-service features to maintain passwords in the enterprise. This is what is illustrated below. Logically the Password Manager Server is built of multiple sub-components, each offering its own set of functions for the total solution.
The main components are listed in the table below:

Component       Description
Backend Server  Implements the control of all end-user transactions, communication to the Gateway Server, scheduled discovery of users in the domain infrastructure, control and coordination of password synchronizations, invitations of users and much more.
Client Server   Implements the Web-interface for the end-users and communicates with the Backend Server.
Gateway Server  Implements the access to the domain infrastructure and other Password Sync target systems.

All three main components are by default installed on the Password Manager Server and are directly configured to operate together. A full implementation can be built on additional Client Servers and Gateway Servers, and this is shown on the illustration below.

The solution is built as a service-oriented architecture, meaning that all main components are web services implemented in Microsoft Internet Information Server (IIS) and communicating using SOAP over HTTPS.

2.2 Integration to Microsoft Active Directory

Password Manager supports easy integration into multiple Microsoft Active Directories from a single implementation. The configuration is done from the Password Manager Administration Client, implemented as part of the Password Manager Backend Server. The communication to the Active Directory infrastructure is done from the Password Manager Gateway Server.

The integration is implemented using LDAP v3 communication, and this can optionally be implemented to use either secure mode or SSL mode. Secure mode is the default and the one used by Microsoft Active Directory internally for synchronizing passwords between Domain Controllers.

Password Manager requires the following parameters to be configured to be able to access a Microsoft Active Directory Domain.
Parameter: Domain Name
Description: The fully qualified domain name of the domain, like mycorporation.com.

Parameter: Domain Alias
Description: A label, typically the same as the NetBIOS name for the domain, which is what is shown in desktop login interfaces.

Parameter: LDAP Base DN
Description: The distinguished name (DN) to use as the offset in the LDAP tree structure. This can point to an Organizational Unit (OU), as in OU=Employees,DC=mycorporation,DC=com, or to the root node, as in DC=mycorporation,DC=com.

Parameter: Connection Mode
Description: The connection mode to use for the communication. Microsoft Active Directory offers the modes normal, secure and SSL, but Password Manager only supports Secure and SSL mode. The secure mode uses Kerberos for the authentication, which depends on normal domain communication from the Password Manager Gateway Server to the Domain Controller in addition to communication on port 389 (TCP). The SSL mode requires a certificate to be implemented on the Domain Controller, which is not a trivial task, but as an advantage it then only requires communication on port 636 (TCP) from the Password Manager Gateway Server to the Domain Controller.

Parameter: Domain Account Name
Description: The name of the account with privileges to read user attributes and to reset passwords.

Parameter: Domain Account Password
Description: The password for the account specified.

All parameters are stored in the Password Manager Data Storage (ADAM / AD LDS), and sensitive information like account name and password is stored with strong encryption. (ADAM and AD LDS are both names for the database that FastPass uses for storing data. Under Windows Server 2003 the name was ADAM; under Windows Server 2008 the name changed to AD LDS. Further in this document AD LDS will be used, but essentially they are identical.)
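The connection mode and port behaviour described in this table can be checked from the Gateway Server before the parameters are entered in the Administration Client. The script below is an added example written for this guide, not FastPassCorp's code or its Domain Operation Test Tool; it uses the .NET System.DirectoryServices.Protocols API, and the domain controller name, Base DN and account are placeholders. For Secure mode it binds with Negotiate (Kerberos) plus LDAP signing and sealing on port 389; for SSL mode it assumes a simple bind inside TLS on port 636, which is the reading of "only requires communication on port 636" used here.

```powershell
# Added example for this guide (not FastPassCorp code): bind to a domain controller
# with the same parameters Password Manager stores for a domain and read the Base DN
# object, so connectivity, connection mode and the account's read privilege can be
# checked before the domain is configured. Password reset rights are not checked.
# Placeholders: dc01.mycorporation.com, DC=mycorporation,DC=com, MYCORP\FPDomainAdmin.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-FastPassDomainConnection {
    param(
        [Parameter(Mandatory=$true)][string]$DomainController,   # FQDN of a domain controller
        [Parameter(Mandatory=$true)][string]$BaseDn,             # LDAP Base DN from the table
        [ValidateSet('Secure','SSL')][string]$ConnectionMode = 'Secure',
        [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$Credential  # FPDomainAdmin
    )
    $port = if ($ConnectionMode -eq 'SSL') { 636 } else { 389 }
    $result = New-Object PSObject -Property @{
        DomainController = $DomainController; Port = $port; Mode = $ConnectionMode
        Bound = $false; BaseDnReadable = $false; Detail = ''
    }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Timeout = New-Object System.TimeSpan(0, 0, 15)
    if ($ConnectionMode -eq 'SSL') {
        # Port 636 only. The DC certificate must chain to a root this machine trusts,
        # otherwise Bind() fails with a TLS error. Assumption: simple bind inside TLS,
        # so no Kerberos/KDC traffic is needed, matching the mode description above.
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    } else {
        # Port 389 with Kerberos (Negotiate) plus LDAP signing and sealing: the "secure"
        # mode. It needs normal domain communication (DNS, KDC) from this host.
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.SessionOptions.Signing = $true
        $conn.SessionOptions.Sealing = $true
    }
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()
        $result.Bound = $true
        # Base-scope read of the configured offset: proves the DN exists and that the
        # account may read it.
        $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
        $req   = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, '(objectClass=*)', $scope, [string[]]@('distinguishedName'))
        $resp  = $conn.SendRequest($req)
        $result.BaseDnReadable = ($resp.Entries.Count -eq 1)
        $result.Detail = 'bind ok, ' + $resp.Entries.Count + ' entry returned for Base DN'
    } catch {
        # Unreachable DC, untrusted certificate, bad credentials or a missing DN all land here.
        $result.Detail = $_.Exception.GetBaseException().Message
    } finally {
        $conn.Dispose()
    }
    return $result
}

# Usage (prompts for the FPDomainAdmin password):
$cred = Get-Credential 'MYCORP\FPDomainAdmin'
Test-FastPassDomainConnection -DomainController 'dc01.mycorporation.com' `
    -BaseDn 'DC=mycorporation,DC=com' -ConnectionMode 'Secure' -Credential $cred | Format-List
```

Run it once per mode you intend to use: a failure in SSL mode with a Detail mentioning the certificate or the secure channel points at the certificate trust described in section 3.1.4, while a failure in Secure mode with the same account points at Kerberos or port 389 reachability from the Gateway Server.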
3. Installing FastPass Password Manager

The task of installing FastPass Password Manager can be described as in the following list:

1. Preparing the installation
   a. Defining the deployment architecture
   b. Creating user accounts and groups
   c. Preparing the application server
      1. Implementing pre-requisites
      2. Preparing IIS servers
      3. Installing ADAM/AD LDS and/or creating an ADAM/AD LDS instance
   d. Preparing the target AD
   e. Requesting a FastPass Password Manager license
2. Installing and configuring the software
   a. Installing FastPass Password Manager
   b. Preparing the AD LDS instance for FastPass Password Manager
   c. Initializing the FastPass Password Manager solution
   d. Configuring the FastPass Password Manager solution

When the steps and requirements are known, the actual installation can be done in less than half an hour. It is recommended that all details of accounts, groups, hostnames and IP addresses are carefully noted and kept securely for later use.

3.1 Preparing the Installation

Generally, it is recommended that all machines be patched and scrutinized for security optimizations. FastPass Password Manager is a password management application that requires to be highly and efficiently secured. Special care should be taken with passwords for the accounts used by FastPass Password Manager.

3.1.1 Defining the deployment architecture

The architecture of the FastPass Password Manager solution is very flexible, meaning that it can be implemented in many different ways reflecting various requirements. For most implementations one or two servers are sufficient, and these can without problems also be running as virtual servers and/or on shared servers. This typical environment looks like shown in the illustration below.
To support large multi-organizational and Service Provider needs, where network complexity and security disallow the communication to go from a central server to AD servers or other target types on remote networks, additional servers might be required. For this scenario FastPass Password Manager can be installed with multiple Client Servers and/or multiple Gateway Servers. The illustration below gives an example of such a deployment scenario.

No matter what deployment scenario is needed, fault tolerance is always a concern, and since FastPass Password Manager only uses well-known technologies such as IIS and AD LDS, there is built-in support for using various clustering technologies like Microsoft Cluster. Since FastPass Password Manager is also relatively uncomplicated to handle when it comes to backup and restore exercises, it is also not uncommon that customers choose this as their fault tolerance strategy, where a new environment can typically be built in just 30 minutes.

In the remaining sections of this document the typical deployment architecture is described. For information about complex deployments please contact us by sending an email to [email protected].

3.1.2 Creating User Accounts and Groups

FastPass Password Manager makes use of a number of accounts and groups which shall be created prior to the installation. All accounts can be named as wanted, or existing accounts can be used. The use of accounts doesn’t have to be consistent throughout managed domains, but we recommend that a standard similar to this is used.

NOTE: If our suggested names are not planned to be used, it is recommended to write the alternate names in the schema.

ACCOUNTS

FPADAMUser
  Description: Used to manage the ADAM instance used for FastPass data repository.
  Username: ____________
  Password: ____________
  Member of:
    + Domain Users or Users
  Special privileges: n/a
  Where to create: In the domain of the FastPass Backend Server or as a local user on the FastPass Backend Server.
  Note: The create ADAM instance tool delivered by Microsoft does not allow blanks and certain special characters in passwords for this account.

FPIISUser
  Description: Used to run the IIS Application Pool.
  Username: ____________
  Password: ____________
  Member of:
    + Domain Users or Users
    + IIS_WPG
    + IIS_IUSRS (local group)
  Special privileges:
    + Log on as a batch job
  Where to create: In all domains hosting FastPass components or as local users on all servers hosting FastPass components.
  Note: This account can be created by the FastPass installers. Just specify the username and the installer will prompt for confirmation to create the account.

FPGWUser
  Description: Authentication to Gateways for remote configuration
  Username: ____________
  Password: ____________
  Member of:
    + Domain Users or Users
    + FPGWGroup
  Special privileges:
    + Log on Locally
  Where to create: In all domains hosting the FastPass Backend Server or FastPass Gateway Server components or as local users on the servers (recommended).

FPDomainAdmin
  Description: The administrative user used against Active Directory.
  Username: ____________
  Password: ____________
  Member of:
    + Domain Users
  Special privileges:
    + Domain Admin or delegated permissions
  Where to create: In all managed domains
  Note: To define this privileged account with delegated permissions, read and follow the “Delegating permissions in Active Directory” document. Alternatively, instead of this somewhat complicated process of defining an account, the account can also just be made a member of the Domain Admins group.

All groups can be named as wanted, or existing groups can be used.
The use of groups doesn’t have to be consistent throughout managed domains, but we recommend that a standard similar to this is used, and we highly recommend that the FastPass Admins group is created instead of using an existing group.

NOTE: If the suggested names are not planned to be used, it is recommended to write the name of the alternate group in the schema.

GROUPS

FastPass Admins
  Description: Users that can use the FastPass Administration Client to administer the FastPass solution
  Group: _______________
  Member of:
    + Domain Users or Users
  Special privileges:
    + Log On Locally (on the gateways)
  Where to create: In the domain of the FastPass Server or as local group on the server.

FPGWGroup
  Description: Users that can reconfigure the FastPass Gateway
  Group: _______________
  Member of:
    + Domain Users or Users
  Special privileges:
    + Log On Locally (on the gateways)
  Where to create: In the domain of the FastPass Backend Server and of the FastPass Gateway Servers or as local users on the servers.

3.1.3 Preparing the application servers

The application servers are the servers running the FastPass components, which are all implemented as Web Services. Preparing means:

• Installing .NET Framework 3.5 SP1
• Implementing software pre-requisites
• Implementing IIS and an SSL certificate
• Implementing AD LDS and/or creating an AD LDS instance

The following sub-sections describe how to perform these tasks.

3.1.3.1 Pre-requisites

The following table lists the software pre-requisites for various FastPass Password Manager Components.
[Table: software pre-requisites matrix. Columns: FastPass Backend Server; FastPass Client Server (+ Self-Service Client, Mobile Self-Service Client, Service Provider Client); FastPass Gateway Server; Windows Client. Rows: Windows Server 2003 R2 (32 bit / 64 bit), Windows Server 2008 R2 (32 bit / 64 bit), Windows XP (32 bit / 64 bit), Windows Vista (32 bit / 64 bit), Windows 7 (32 bit / 64 bit), IIS 6.0, IIS 7.0 and 7.5, AD LDS/ADAM SP1. The X marks showing which rows apply to which component did not survive transcription.]

FastPass will have to connect to a domain controller running Windows Server 2003 or 2008, including R2 releases. FastPass is not compatible with Windows Server 2000 Domain Controllers.

Besides these pre-requisites it shall also be mentioned that we currently only support Internet Explorer 6.x and higher for interfaces, but other web browsers are known to be working.

3.1.3.2 Preparing IIS servers

FastPass Password Manager operates almost completely as a pure web application where all components use SOAP over HTTPS for communication in a true SOA architecture. This means that the application usually can be installed on existing servers and thereby utilize hardware investments even more efficiently. The most important requirements when choosing a server are security and stability, and just as for the connections to the AD there is also a requirement for having trusted certificates implemented.

SSL encryption of communication is mandatory for all communication between the Backend Server, Infrastructure Gateway and User Repository. Although unencrypted communication can be configured to be accepted between some components, this is absolutely not recommended and should only be done if components are installed on the same machine and when this machine is live audited by a remote system.
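The trusted-certificate requirement just stated can be satisfied and verified from the command line as well as through the MMC. The following script is an added example written for this guide, not FastPassCorp's code: it places a CA certificate in the computer's Trusted Root Certification Authorities store with certutil (the same store the MMC import targets), and it reproduces the browser test by opening a TLS connection to the IIS server and reporting whether the presented certificate chains to a root the local system trusts. The host names, port and file path are placeholders; the same function pointed at port 636 of a domain controller tests an SSL-mode LDAP endpoint.

```powershell
# Added example for this guide (not FastPassCorp code).
# Placeholders: C:\certs\corp-root-ca.cer, fastpass.mycorporation.com, dc01.mycorporation.com.

function Import-TrustedRootCa {
    param([Parameter(Mandatory=$true)][string]$CerPath)
    # certutil ships with Windows Server 2003/2008. "Root" is the Local Computer's
    # Trusted Root Certification Authorities store, the one the MMC steps target.
    & certutil.exe -addstore -f Root $CerPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil could not add $CerPath to the Root store" }
}

function Test-TlsTrust {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$Port = 443
    )
    $result = New-Object PSObject -Property @{
        HostName = $HostName; Port = $Port; Reachable = $false; Trusted = $false
        Subject = ''; Issuer = ''; NotAfter = $null; Detail = ''
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
    } catch {
        # Firewall or wrong port: nothing to validate yet.
        $result.Detail = $_.Exception.GetBaseException().Message
        return $result
    }
    $result.Reachable = $true
    # Default .NET validation: AuthenticateAsClient throws when the chain does not end
    # in a trusted root or the name does not match, the same condition that makes a
    # browser warn about the certificate.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Trusted  = $true
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter
        $result.Detail   = 'certificate chain validated'
    } catch {
        $result.Detail = $_.Exception.GetBaseException().Message
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
    return $result
}

# Usage: register the internal CA once, then test the IIS server and, for SSL-mode
# LDAP, a domain controller on port 636.
Import-TrustedRootCa -CerPath 'C:\certs\corp-root-ca.cer'
Test-TlsTrust -HostName 'fastpass.mycorporation.com' -Port 443 | Format-List
Test-TlsTrust -HostName 'dc01.mycorporation.com' -Port 636 | Format-List
```

A result with Reachable true and Trusted false means the server answers but its certificate path is not accepted by this machine, which is exactly the case the installers warn about; the Detail field carries the .NET chain or name-mismatch message. Run the test from each machine that will call the IIS server, since the trust store is per computer.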
(Anyway, a certificate will be needed to install the product.)

As for the AD communication, both certificates signed by well-known certificate authorities and self-signed certificates are accepted, as long as the certificate path is known by the system calling the IIS server. To register a CA certificate, required for the SSL encryption, you may follow the steps below.

1. In the Microsoft Management Console, add a snap-in.
2. Add certificates – for Computer Account, choose Local Computer.
3. In Trusted Root Certification Authorities, choose to Import.
4. Browse to the CA certificate for the CA that has signed the certificate used on the IIS server.
5. Verify that Place all certificates in the following store is ticked.
6. The Server, Client and Gateway installer programs all check not just for the presence of a certificate but also whether it is trusted, and if not, present a warning.

The easiest method to test for a valid certificate is opening an https connection from a web browser to the IIS server. If the browser warns about an invalid certificate, then the certificate path is not recognized and accepted by the local system.

Port numbers are configurable in the solution, but it is recommended to use 443 since this typically does not meet restrictions in network configurations.

Windows Server 2008 users have to install the Metabase Compatibility as shown in Figure 1.

Figure 1 Preparing IIS7 on Server 2008 – installing Metabase Compatibility

For security and stability reasons FastPass recommends only adding the following Role Services to the web server installation:

Figure 2 Advised role services to install for the Web Server on Windows 2008

3.1.3.3 Installing AD LDS and/or creating an AD LDS instance

As written and illustrated above, the FastPass Password Manager uses a Microsoft AD LDS instance as data repository.
If you are installing Password Manager for use by more than 10.000 users, please refer to Appendix C regarding split AD LDS instances and tweaking of the default settings.

The recommendation is to install AD LDS on the same machine as the FastPass Server, but it is not required. To secure data in the best possible way a dedicated instance is required, and the issues to take into account are included in the following list. Please note the values that are given during the installation. You will need them when installing the Data Repository.

1. A Windows account must be created. It need only be a member of Domain Users or, if implemented as a local user, then just a member of the Users group.
2. A unique AD LDS instance must be created. This is done by completing a wizard that can be started from the menu by selecting Start, Programs, AD LDS, Create an AD LDS instance. FastPassCorp recommends using non-default ports, e.g. 50000 and 50001.
3. A specific name must be provided, such as ‘O=Passwordmanager’.
4. FastPassCorp recommends that the AD LDS instance be set up to run as the above created account and the above account assigned as the administrator of this instance.
5. The information used to create the AD LDS instance must be provided when installing the actual Data Repository, see elsewhere.

ADAM is part of the Microsoft Windows Server 2003 R2 and Microsoft Windows 2008 release. From Server 2003 R2 it can be installed through the Optional Component Manager. In Microsoft Windows 2008 Server the name is changed; the new name is AD LDS (Active Directory Lightweight Directory Services), and this component is installed as a separate Role. For other versions AD LDS can be downloaded from Microsoft at the following URL: http://www.microsoft.com/download/en/details.aspx?DisplayLang=en&id=4201 This download is also for upgrading older versions to Service Pack 1 for ADAM (SP1).
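The five requirements above can also be met in one unattended step, which is useful when the instance has to be rebuilt identically (for example on a restored server). The script below is an added example written for this guide, not FastPassCorp's procedure; the answer-file keys follow Microsoft's documentation for adaminstall.exe, and the instance name, data path and account are placeholders. It runs the instance as FPADAMUser and makes the same account the instance administrator, as item 4 recommends, imports no LDIF files, and deletes the answer file afterwards because that file carries the service account password in clear text. ADAM (Server 2003 R2) or the AD LDS role (Server 2008) must already be installed.

```powershell
# Added example for this guide (not FastPassCorp code). Creates the dedicated
# AD LDS/ADAM instance with the values recommended above: non-default ports
# 50000/50001, partition O=Passwordmanager, FPADAMUser as service account and
# instance administrator. Placeholders: instance name, D:\ADLDS\FastPass, MYCORP\FPADAMUser.

function New-FastPassAdLdsInstance {
    param(
        [string]$InstanceName   = 'FastPass',
        [string]$ServiceAccount = 'MYCORP\FPADAMUser',   # account from section 3.1.2
        [string]$DataPath       = 'D:\ADLDS\FastPass',   # "D: drive for data"
        [int]$LdapPort          = 50000,
        [int]$SslPort           = 50001
    )
    # Same rule as the wizard: no blanks or certain special characters in this password.
    $cred = Get-Credential $ServiceAccount
    $answer = @"
[ADAMInstall]
InstallType=Unique
InstanceName=$InstanceName
LocalLDAPPortToListenOn=$LdapPort
LocalSSLPortToListenOn=$SslPort
NewApplicationPartitionName="O=Passwordmanager"
DataFilesPath=$DataPath\data
LogFilesPath=$DataPath\data
ServiceAccount=$ServiceAccount
ServicePassword=$($cred.GetNetworkCredential().Password)
AddPermissionsToServiceAccount=Yes
Administrator=$ServiceAccount
"@
    $answerFile = Join-Path $env:TEMP "adlds-$InstanceName.txt"
    Set-Content -Path $answerFile -Value $answer -Encoding ASCII
    try {
        # adaminstall.exe lives in %windir%\ADAM on both Server 2003 R2 (ADAM) and 2008 (AD LDS).
        $proc = Start-Process -FilePath "$env:windir\ADAM\adaminstall.exe" `
                    -ArgumentList "/answer:`"$answerFile`"" -Wait -PassThru
        if ($proc.ExitCode -ne 0) { throw "adaminstall.exe exited with code $($proc.ExitCode)" }
    } finally {
        # The answer file holds the password in clear text: remove it whatever happened.
        Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
    }
    # Each instance runs as a service named ADAM_<InstanceName>; confirm it is running
    # and that the LDAP port answers. These are the values to note for the Data Repository.
    $svc = Get-Service -Name "ADAM_$InstanceName"
    $tcp = New-Object System.Net.Sockets.TcpClient('localhost', $LdapPort)
    $listening = $tcp.Connected
    $tcp.Close()
    New-Object PSObject -Property @{
        Instance = $InstanceName; Service = $svc.Status; Partition = 'O=Passwordmanager'
        LdapPort = $LdapPort; SslPort = $SslPort; LdapListening = $listening
        ServiceAccount = $ServiceAccount
    }
}

New-FastPassAdLdsInstance | Format-List
```

Run it in an elevated session (on Server 2008, "Run as administrator"). The returned object lists exactly the values the wizard screenshots below ask for, so it can be kept with the installation notes recommended in section 3.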
Beware that ADAM Service Pack 1 is not available for Itanium-based systems!

After ADAM is installed a new ADAM instance needs to be created, and the following screenshots visualize an example performed on a Windows Server 2003 (English). From the Windows Start button select Programs, then ADAM and then Create an ADAM Instance. On a 2008 server, click the Start button, select Administrative Tools and choose Active Directory Lightweight Directory Services Setup Wizard.

Figure 3
Click the Next button.

Figure 4
Select the A unique instance radio button and click the Next button.

Figure 5
Enter a name for the ADAM instance and click on the Next button.

Figure 6
Enter the LDAP port number and SSL port number, where 50000 and 50001 are the typically used numbers.

Figure 7
Select the Yes, create an application directory partition radio button and click on the Next button.

Figure 8
Specify where to place the Data files and Data recovery files. Typically production servers use the D: drive for data, but accept the default values if acceptable for your installation.
NOTE: The ADAM data storage can grow relatively large in size. Our measures have been that a data repository holding 10000 users requires about 175 MB of disk space.
After specifying the paths click on the Next button.

Figure 9
Select the Network service account radio button. If the popup window appears: answer Yes.

Figure 10
Select the This account radio button and browse to the account to be used for administrating the ADAM instance. The recommendation is to use the same account as just specified in the previous screen and as defined in section 5.3. Click Next to continue.
Figure 11
Select Do not import LDIF files for this instance of ADAM and click on the Next button.

Figure 12
Check that the information is as expected and correct it if wrong. When verified, click on the Next button.

Figure 13
Now the ADAM instance is created and imported. When the actual import starts you will be prompted to enter the username and password for the ADAM administrator account specified in the ADAM Administrators screen.

Figure 14
Finally the completion status screen is displayed and the Finish button is clicked.

3.1.4 Preparing the target AD

FastPass Password Manager is capable of managing any number of domains without the need to modify the schema or anything else in the domain infrastructure. This means that customers only need to prepare for communication with the AD using LDAP.

Right out of the box a Microsoft Windows Server is prepared for LDAP in Simple mode, Secure mode and SSL mode, but the latter requires a certificate to be operational. FastPass supports only two of these modes: Secure and SSL. Secure mode is the same as Windows uses internally for synchronizing passwords between domain controllers, and SSL is an even more protective mode, but one that is also more complex to deploy.

Certificates can be signed by well-known certificate authorities like Thawte or VeriSign, but can also be created internally by the customer (self-signed). The important issue is that the caller of the server that is configured to use a certificate trusts the authority that signed the certificate. For well-known certificate authorities this trust exists because Microsoft Windows keeps a list of root certificates, but for self-signed certificates this list is manually updated. To import the certificate for a non well-known certificate authority you may follow the steps below.

1. In the Microsoft Management Console, add a snap-in.
2. Add Certificates; for the Computer account, choose Local Computer.
3. In Trusted Root Certification Authorities, choose Import.
4. Browse to and select the CA certificate.
5. Verify that "Place all certificates in the following store" is ticked.

To ease implementation, FastPassCorp delivers a testing tool named "Domain Operation Test Tool" (domainoperationtest.exe) that can be used to verify connectivity on the network, validity of the AD certificate and admin user privileges.

3.1.5 Requesting a FastPass Password Manager license

FastPass Password Manager licenses are provided by FastPassCorp as plain text files; they are signed and cannot be edited without being corrupted. FastPassCorp provides this file as part of the delivery of the software. Extending the licenses requires a new license file. The license file must be placed in C:\Program Files\FastPassCorp\License.

FastPass licenses come in several variations based on different measures, such as the number of Identities, Users, Organizations or Domains, and with or without restrictions on technologies, named domains or organizations. Ask your FastPass representative for advice. If buying new licenses in addition to an existing license, please remember to tell your FastPass representative whether they will be used on the same server or not. Changing an existing license requires the old license to be blacklisted before getting the new one.

3.2 Installing

Installing a FastPass Password Manager solution will, if all preparations described in chapter 4 have been successfully completed, not take more than 15 minutes. The task of installing FastPass Password Manager can be described as the following list:

1. Installing FastPass Password Manager
2. Preparing the AD LDS instance for FastPass Password Manager
3. Initializing the FastPass Password Manager solution
4. Configuring the FastPass Password Manager solution

As also described and illustrated in chapter 3, FastPass Password Manager is highly flexible in how it can be implemented. All components can run on the same machine as well as on different machines. Furthermore, the solution has been successfully tested in virtual environments as well as in clustered environments, and FastPassCorp will in the near future release Best Practice documentation for such implementations. This section will describe an all-in-one-machine installation.

3.2.1 Installing FastPass Password Manager

FastPass Password Manager can be installed on a standalone server, a domain member server or a domain controller without any difference. Note that the last option is not recommended.

! Important note for Server 2008 users: "Every time you execute an installation package, right click the package and choose Run as administrator".

The FastPass Password Manager Backend Server is installed by running the InstallShield executable PasswordManagerServer.exe, and the following screenshots illustrate an installation sample.

Figure 15
Click the Next button to continue the installation.

Figure 16
Click the "I accept the terms of the license agreement" radio button and then the Next button to continue the installation.

Figure 17
Enter User Name and Company Name into the fields and click the Next button to continue the installation.

Figure 18
Enter the IIS Application Pool User Name and Password that will be used to run the application under IIS. The entered User Name must have the format HOSTNAME\USERNAME for local accounts or DOMAIN\USERNAME for domain accounts. If the specified account does not exist, the installer will prompt for confirmation on whether to create the account. Read the definition of how to define the account in section 5.3.
Figure 19
Accept the default installation folder by clicking Next, or click the Change button to change the folder. The installer will create a sub folder named FastPassCorp under the specified folder, so typically the default installation folder will not be changed. The specified folder will be used for other FastPass products and will in the current version not reach a size of more than 5 MB plus the space taken by log files, which will typically not be larger than 20 MB.

Figure 20
The installer is now ready to begin the actual installation, and after clicking the Install button the installation will commence:

1. If the installation directory does not exist, it will be created.
2. Files are copied.
3. Assemblies are registered in the GAC (Global Assembly Cache).
4. An application pool, FastPassServer, is created in IIS.
5. A virtual directory, FastPassServer, is created in IIS.
6. An application pool, FastPassClient, is created in IIS.
7. A virtual directory, FastPassClient, is created in IIS.
8. An application pool, FastPassGateway, is created in IIS.
9. A virtual directory, FastPassGateway, is created in IIS.
10. An application pool, FastPassAdministrationClient, is created in IIS.
11. A virtual directory, FastPassAdministrationClient, is created in IIS.
12. A virtual directory, FastPassCorp, is created in IIS.
13. Various registry keys and values are created.

Figure 21
Upon successful completion of all installation tasks the installer will show this screen and the Finish button can be clicked. If the installer does not show this screen but an error screen instead, note the messages, examine the reasons given and resolve them if possible. The next step is to prepare the AD LDS instance to be used by FastPass.
3.2.2 Preparing the AD LDS instance for FastPass

In chapter 4 (section 4.4.3) it was described how to prepare the AD LDS instance in general, and this must have been completed before proceeding further. The preparation of the AD LDS instance for FastPass means creating the schema and initializing objects so that the instance is ready to be used by the FastPass Server.

The preparation is performed by running the executable ADAMInstaller.exe on the machine where the AD LDS instance is defined. The following screenshots illustrate an installation sample.

Figure 22
Click the Next button to continue.

Figure 23
Enter the information that reflects the AD LDS installation as performed when preparing the AD LDS installation (Figure 7 and ). Click the Next button to continue.

Figure 24
Enter the authentication information that reflects the ADAM installation as performed when preparing the ADAM installation (Figure 10). Click the Next button to continue. After clicking the Next button the connection is verified, and if it succeeds the next screen will be shown.

Figure 25
Click the Next button to continue.

Figure 24
A progress bar and detailed progress information will be shown. On completion, review the status and click the Next button to continue.

Figure 25
Click the Finish button to end the program. Now the ADAM instance is ready for use, meaning that the whole FastPass Password Manager is now almost ready to serve end-users. The next step is to initialize the environment.

3.2.3 Initializing the FastPass Password Manager solution

In the two previous steps the software was installed and the ADAM instance was prepared. This almost makes the system ready for use.
In the following it will be described how to initialize the environment, which is the last step needed before getting into the real use of the solution. The initialization is performed by running the executable ServerInit.exe. The following screenshots illustrate an installation sample.

Figure 26
Click the Next button to continue.

Figure 27
Enter a name and description for your Organization. The name will be shown in the Administration Client as well as in the Self-Service Client. Click the Next button to continue.

Figure 28
Verify the value written into the hostname field and verify that this name is the same as used in the IIS certificate implemented on the server. When the Next button is activated the settings are verified against the server.

Figure 29
Verify that all IP addresses of the server are listed in the IP Address List field. Now specify the group that shall be used for authorization of administrators trying to log in to the FastPass Administration Client, by using the AD group selector as shown in Figure 29. Click the Next button to continue.

Figure 30
Specify the group that shall be used for authorization of Gateway Administrators and specify an Account and a Password for a user that is a member of that group. This group and account are used internally by the FastPass Password Manager and shall not be used again unless other components like FastPass Password Sync are implemented and integrated into the solution. Click the Next button to continue. After clicking the Next button the entered information is verified, and if valid the next screen will be shown.

Figure 31
Click the Next button to continue.

Figure 32
Click the Finish button to end the program.
Now the FastPass Password Manager solution is ready to be accessed by administrators, and the next step is to open the Administration Client. This is done from Internet Explorer by typing in the URL https://SERVERNAME.DOMAIN/FastPassAdministrationClient, where SERVERNAME.DOMAIN is replaced with your fully qualified server name (the hostname specified in Figure 28).

3.3 Service restart

Before operation, be sure to schedule the service restart script found under the <INSTALLPATH>\FastPassCorp\tools\ folder to ensure continuous operation.

3.4 Configuring the FastPass Password Manager solution

In the three previous steps the software was installed, the ADAM instance was prepared and the environment was initialized. This makes the system ready for administering, and this is the absolute last step before letting users into the solution.

3.4.1 Accessing the Administration Client

The Administration Client is accessed by opening Internet Explorer and typing in the URL https://SERVERNAME.DOMAIN/FastPassAdministrationClient, where SERVERNAME.DOMAIN shall be replaced with your fully qualified server name (the hostname specified in Figure 28).

Figure 33
Log in with an account that is a member of the Administrators Group specified in Figure 28. For more information about the configuration, read the Administrators Guide.

4. Installing the stand-alone FastPass Client

The FastPass client is included in the FastPass main server installation. The stand-alone client is used for DMZ installations and other situations where a stand-alone version is needed. The installation and configuration is very simple. .NET 3.5 SP1 and IIS are needed on the server.

4.1 Installing

Right click PasswordManagerClient.exe from your FastPass installation package and run it as administrator.

Figure 34
Click the Next button to continue the installation.
Figure 35
Read the License Agreement and select "I accept the …" to continue the installation.

Figure 36
The FastPass Client needs an application pool user to run; please refer to section 3.2.1 to locate the details regarding this user, and remember that FastPass can create this user during the installation.

Figure 37
Select an installation folder and click Next.

Figure 38
Click Install to complete the installation.

4.2 Configuring the client

The client needs to know where to find the Password Manager server. This information is stored in the <installdir>\configuration\FastPassClient\CAconfig.xml file. Edit this file and replace the server name with the correct server name in CAWSurl, CAWTextUrl, CAWSHelpDeskUrl, PMWSCustomTaskUrl and PMWSOpenServiceUrl. (Please note that the server where the client is installed has to trust the SSL certificate of the server, and must be able to look up the server name in the certificate.)

Now you need to fill in CADedicatedToOrg, which is the organization ID for the Organization this installation is intended for. You find this by:

1. Login to the administration client.
2. Click on the "Basic Settings" icon.
3. In the URL you will find the Organization ID, e.g.: https://Myserver/FastPassAdministrationClient/Organization/BasicSettings.aspx?TargetOrganizationID=64E0A593-A020-4F48-B5AC-EA3574A7E6F6
4. Now copy the ID part: 64E0A593-A020-4F48-B5AC-EA3574A7E6F6. This is the organization ID.

Figure 39
Found on the FastPass Server.

Next you will need to enable the Captcha by editing the OrgCaptchaConfig.xml file, setting the Organization ID. The file is located in <INSTALLPATH>\FastPassCorp\Configuration\FastPassClient.

Figure 40
Insert the Organization ID as shown. Set CaptchaEnable to true as shown above.
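Both the certificate import in section 3.1.4 (the FastPass server must trust the CA that signed the domain controller's LDAPS certificate) and the note above (the DMZ client must trust the FastPass server's SSL certificate and resolve the name in it) come down to the same check. The following PowerShell script is an added example that performs it; it is not part of the FastPass guide or of the Domain Operation Test Tool, and the host names are placeholders.

```powershell
# Added example, not from the FastPass guide: report whether this machine trusts the
# certificate a TLS endpoint presents and whether the name in it matches the name used.
# Host names below are placeholders; port 636 is LDAPS on a DC, 443 is the FastPass IIS site.

function Test-TlsTrust {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # the name the caller will use (FQDN)
        [int] $Port = 636
    )
    # The callback records the policy errors instead of aborting the handshake, so the
    # certificate can still be inspected and reported when it is NOT trusted.
    $state = @{ PolicyErrors = [System.Net.Security.SslPolicyErrors]::None }
    $callback = {
        param($sender, $certificate, $chain, $errors)
        $state.PolicyErrors = $errors
        return $true
    }.GetNewClosure()

    $report = [ordered]@{
        HostName = $HostName; Port = $Port; Connected = $false
        Subject = $null; Issuer = $null; NotAfter = $null; Thumbprint = $null
        ChainTrusted = $false; NameMatches = $false; ChainStatus = ''; Error = $null
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $report.Connected = $true
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $report.Subject    = $cert.Subject
        $report.Issuer     = $cert.Issuer
        $report.NotAfter   = $cert.NotAfter
        $report.Thumbprint = $cert.Thumbprint

        # Build the chain against the Local Computer trust stores, which is what the MMC
        # import in section 3.1.4 populates (Trusted Root Certification Authorities).
        # Revocation checking is skipped so the check also works without internet access.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $report.ChainTrusted = $chain.Build($cert)
        $report.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        $nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        $report.NameMatches = (($state.PolicyErrors -band $nameMismatch) -eq 0)
        $ssl.Close()
    } catch {
        $report.Error = $_.Exception.Message
    } finally {
        $tcp.Close()
    }
    return [pscustomobject]$report
}

# Usage (placeholder names): the DC the FastPass server will talk LDAPS to, and the
# FastPass server itself as seen from the DMZ client.
Test-TlsTrust -HostName 'dc01.example.local' -Port 636 | Format-List
Test-TlsTrust -HostName 'fastpass.example.local' -Port 443 | Format-List

# If ChainTrusted is $false with ChainStatus "UntrustedRoot", import the CA certificate into
# the Local Computer store, which is the command-line equivalent of the MMC steps in 3.1.4:
#   certutil.exe -addstore -f Root C:\path\to\ca-certificate.cer      (placeholder path)
```

Run it on the machine that will act as the caller (the FastPass server for the DC, the DMZ client for the FastPass server); a trusted chain on another machine proves nothing about this one.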
Next we need to tell FastPass which server to talk to. Open the CAconfig file (same path as above), insert the Organization ID from the FastPass Server into the FastPass DMZ Server configuration, and change the values of CAWSurl, CAWTextUrl, CAWSHelpDeskUrl, PMWSCustomTaskUrl and PMWSOpenServiceUrl to the path of the FastPass Server.

Figure 41
Now we need to inform the Password Manager server that a client will be connecting from a different IP than expected. Please take a note of the IP address of the DMZ server. Open the CWconfig.xml file found on the FastPass LAN server in the <INSTALLPATH>\FastPassCorp\Configuration\FastPassServer\ directory. Copy a "<data Value… " line and edit the IP address.

Figure 42
Now you need to copy the registry value on the FastPass Server. Open the key as shown (please note that the GUID value differs from system to system). This value will tell the FastPass DMZ server which menus to present to the end-user. The value must be inserted on the DMZ server in the same location as on the LAN server.

Figure 43
If DNS is missing in the DMZ zone, you have to manually insert on the DMZ server the IP address and the same name as in the CAconfig file on the DMZ server. This is to resolve the name to the IP address. Now restart the IIS server on both servers (IISRESET).

5. Installing Multisystem Password Reset and Synchronization

This option gives the Password Manager the ability to reset passwords on other systems. There are 2 ways of using this feature:

1. Synchronizing passwords: by installing FastPass Interceptor on the domain controller, all password resets and password changes are synchronized to the target systems.
2. Selective Password Reset: with this option we let the user decide on which target system the password should be reset.

The overall process here is:

1. Install SQL Express server (another MSSQL server can also be used).
2. Configure the SQL server for use with FastPass.
3. Pre-requisites, depending on target.
4. Install Password Sync Server.
5. Installation of FastPass Password Sync Interceptor (only used for synchronizing); please refer to the Password Sync Interceptor install guide.

Please note that you cannot install the Sync Server without having installed Password Manager.

5.1 Installing SQL Express

The SQL server should be configured in mixed mode, and the TCP protocol should be enabled, running on port 1433. The installer should run as the administrator of the machine, otherwise this may fail. There is another prerequisite for the Sync Server installation, which is FastPass Password Manager. You can install the system using the Express edition of Microsoft SQL Server. The 2005 Express SQL Server can be downloaded here (MS SQL Server Express edition SP3, with Management Tools): http://www.microsoft.com/en-us/download/details.aspx?id=23650. Execute the file after download.

Figure 44
Click Next to continue installing.

Figure 45
Click Install to continue.

Figure 46
Click the Next button to continue the installation.

Figure 47
Please check the list to ensure that the system configuration is OK.

Figure 48
Adjust the name and Company to your organization.

Figure 49
The above shows the minimum installation necessary to run with FastPass.

Figure 50
Choose "Mixed mode" and enter a password.
Please take a note of this password.

Figure 51

Figure 52
We recommend leaving these blank.

Figure 53
Finally ready for installation.

Figure 54
The installation completed. Click Next.

5.2 Configuring Microsoft SQL Express for use with Sync Server

Start up the "SQL Server Configuration Manager"; it can be found in Start -> Microsoft SQL Server 2005 -> Configuration Tools -> SQL Server Configuration Manager.

Figure 55
Make sure that the TCP/IP setting is enabled. Right click the TCP/IP settings and set the port number to 1433 for the IP All section.

Figure 56

Figure 57
Depending on the specific version some of the SQL server settings change; please check the following settings by opening the "SQL Server Surface Area Configuration" and choosing "Surface Area Configuration for Services and Connections". As shown on the warning, you need to restart the SQL service before the changes will take effect.

Figure 58
After changing the setting, restart the service.

5.2.1 Enabling encryption for SQL server

We recommend using SSL encryption for data operations with the SQL server. To set up encryption, please follow the instructions in http://support.microsoft.com/kb/316898 for the following versions:

1. Microsoft SQL Server 2000 Standard Edition
2. Microsoft SQL Server 2000 64-bit Edition
3. Microsoft SQL Server 2005 Standard Edition
4. Microsoft SQL Server 2005 Developer Edition
5. Microsoft SQL Server 2005 Enterprise Edition
6. Microsoft SQL Server 2005 Express Edition
7. Microsoft SQL Server 2005 Workgroup Edition

If you are using another version of MSSQL server, please use the appropriate link:

SQL Server 2005: http://msdn.microsoft.com/en-us/library/ms189067(SQL.90).aspx
SQL Server 2008: http://msdn.microsoft.com/en-us/library/ms189067.aspx

5.3 Pre-requisites for the connectors

Depending on each connector, some changes have to be made for the installation to work. Currently there are these connectors:

1. AD: this connector can reset a password on a Microsoft Active Directory server. It will work "out of the box".
2. SAP: this connector works out of the box on the Password Manager Server; however, you need to install a small piece of software on the SAP instances. Please refer to the SAP connector documentation.
3. IBM iSeries connector: for this connector to work you will need to install the latest Java runtime from Sun, http://www.oracle.com.
4. MSSQL, Oracle, CLI, SSH and the SPI connectors will all work out of the box on the Password Manager Server.

5.4 Install Password Sync Server

Installing a FastPass Password Manager solution will, if all preparations described in chapter 4 have been successfully completed, not take more than 15 minutes. Click on the installer file (FastPass-PasswordSync-Server.msi) and the following screen will appear.

Figure 59
FastPass Password Manager is already installed, as this component is the prerequisite of the Sync Server installation. To proceed with the Sync Server installation we need to choose Yes. This will show the welcome screen of the Sync Server installation (Figure 60).

Figure 60
Now click on the Next button.
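Before the Sync Server installer is pointed at the database (Figure 64 below), the settings from sections 5.1, 5.2 and 5.2.1 can be verified from the machine that will run the installer. The following PowerShell check is an added example, not part of the guide; the server name is a placeholder and the SQL login is the one whose password was set in Figure 50.

```powershell
# Added example, not from the FastPass guide: verify the SQL Server prerequisites for the
# Sync Server (sections 5.1, 5.2, 5.2.1) from the machine that will run the installer.
#   TcpOpen   - a listener answers on the port the installer assumes (1433)
#   MixedMode - SQL logins are allowed (the installer creates the SQL login FPsyncUser)
#   Encrypted - this session is TLS-protected and the server certificate is trusted
# Server name is a placeholder; the SQL login is the one configured in Figure 50.

function Test-SyncServerSqlPrereqs {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 1433,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $result = [ordered]@{
        Server = $Server; Port = $Port; TcpOpen = $false
        MixedMode = $null; Encrypted = $null; ServerVersion = $null; Error = $null
    }

    # 1. TCP reachability: the TCP/IP protocol must be enabled in Configuration Manager
    #    and bound to the port (section 5.2), and the service restarted afterwards.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($Server, $Port); $result.TcpOpen = $true }
    catch { $result.Error = "TCP: $($_.Exception.Message)"; return [pscustomobject]$result }
    finally { $tcp.Close() }

    # 2. Encrypt=True with TrustServerCertificate=False: the connection only opens if the
    #    server offers TLS with a certificate this machine trusts (section 5.2.1); a
    #    self-signed or missing certificate fails here instead of silently going unencrypted.
    $cs = "Data Source=$Server,$Port;User ID=$($Credential.UserName);" +
          "Password=$($Credential.GetNetworkCredential().Password);" +
          "Encrypt=True;TrustServerCertificate=False;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # IsIntegratedSecurityOnly = 0 means mixed mode; encrypt_option is the server's own
        # view of this session (reading sys.dm_exec_connections needs VIEW SERVER STATE).
        $cmd.CommandText = @"
SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)   AS WindowsOnly,
       CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(64))     AS Version,
       (SELECT encrypt_option FROM sys.dm_exec_connections
         WHERE session_id = @@SPID)                                AS EncryptOption
"@
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            $result.MixedMode     = ([int]$reader['WindowsOnly'] -eq 0)
            $result.ServerVersion = [string]$reader['Version']
            $result.Encrypted     = ([string]$reader['EncryptOption'] -eq 'TRUE')
        }
        $reader.Close()
    } catch {
        $result.Error = "SQL: $($_.Exception.Message)"
    } finally {
        $conn.Close()
    }
    return [pscustomobject]$result
}

# Usage (placeholder server): prompt for the login rather than embedding the password.
$cred = Get-Credential -Message 'SQL login used for the Sync Server installation'
Test-SyncServerSqlPrereqs -Server 'sql01.example.local' -Credential $cred | Format-List
```

All three of TcpOpen, MixedMode and Encrypted should be True before proceeding; an Error mentioning the certificate chain means the certificate from section 5.2.1 is not trusted by this machine.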
Figure 61
In the "License Agreement" screen the user needs to accept the license agreement and click on the Next button.

Figure 62
In the "Customer Information" screen the user can enter User and Organization name, or keep the default data shown in the screen, and click on the Next button.

Figure 63
In the "Destination Folder" screen the user cannot change the installation location, as the other FastPass components are already installed, and this installation will be done in that folder. This screen shows the installation location. Click on the Next button to open the next screen.

Figure 64
In this screen we need to configure the database server: server, login ID, password and database name must be entered. By default the installation assumes that a local database is active on port 1433. If the database already exists it will be replaced, and if no database exists with this name a new database will be created. On clicking Next, the database will be created (or replaced) with the necessary tables, stored procedures, triggers etc. Also, a database user will be created with the name 'FPsyncUser', along with the necessary permissions to the database. The Sync Server will use this user to connect to the database. Finally, the following screen will be shown.

Figure 65
Now we are ready to install the product. To start the installation, click on the Install button.

Figure 66
The installation process is completed. Now click on the Finish button to close this dialog. You have now successfully installed the connectors for FastPass. To configure selective password reset or synchronization, please look at the chapters in the Administration Guide covering these issues.
If you are facing problems with installing the Password Sync Server, you must install it from a command prompt with administrative privileges.

Figure 67
Showing the Command Prompt. Go to the Start menu, right click cmd.exe and choose Run as administrator. In the command prompt, go to where FastPass-PasswordSync-Server.msi is placed. Type in the name FastPass-PasswordSync-Server.msi and press Enter. You will now be able to install the Sync Server.

6. Additional information

Additional information and help is available from FastPass partners and from FastPassCorp. FastPassCorp is continuously working on making the solution as easy as possible to implement, to evaluate and to use, and we are aware that this is the key to our success. We are also continuously writing Best Practice Guides, so please visit our website or contact your sales representative for information about available guides.

7. Appendices

7.1 Appendix A: Backing Up AD LDS Database on Windows 2008 Server

We recommend the backup to run at least once a week. If any users have enrolled between the last backup and the restore, those users will need to enroll again into the system. The script and recipe focus on Windows Server 2008 and will not work for the ADAM database on Windows Server 2003.

Please notice: it is important that you don't run this task while the Discovery and Enrollment Services run; therefore you should schedule the services to run at other timeframes.

Figure 68
Log on to your server with administrative rights. Start Administrative Tools -> Task Scheduler.

Figure 69
Expand the Task Scheduler. Mark the Windows unit. Left click the icon "Create Basic Task".
Figure 70
Under Name, give the task a name as a headline for the task. Give the task a description. Click Next.

Figure 71
Choose a trigger to run the task. Click Next.

Figure 72
Put in a checkmark for which day (or days) of the week the task must run. Click Next.

Figure 73
Click on Browse to find the script to run.

Figure 74
Mark the BackupADLDS.cmd file. Click Open.

Figure 75
Click Next.

Figure 76
Click Finish.

Figure 77
We recommend you to run the scheduled task as "System" to avoid any issues with service users changing passwords etc.

Figure 78
In the script you will need to change some settings to make the script fit your needs and setup.

1. Name = Set instance name. In the AD LDS backup script, change the instance name.
   • Where to find the instance name: to find the instance name of your AD LDS, please follow these guidelines: go to Windows Services and under the Description find the AD LDS instance. On your left side under Name you will find the instance name.

Figure 79

2. Change the set numberOfBackups=
   • Here you can set up the number of backups you would like to save. If you set this to 4, the script will create 4 backups. When the fifth backup runs, the oldest backup will be deleted and the rest of the backups will be renamed. That means you will only have the last 4 backups available.

3. Set backuppath=
   • e.g. c:\backup\adam: the path where you want to place your AD LDS backup; the folders are created.

Now you are able to back up your AD LDS database.
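As an added illustration of the three settings above, the following PowerShell script takes an AD LDS backup with the same rotation behaviour. It is not FastPassCorp's BackupADLDS.cmd (whose contents are not reproduced here); it assumes the backup is an IFM export made with dsdbutil.exe, and the instance name and path are placeholders.

```powershell
# Added example, not FastPassCorp's BackupADLDS.cmd: an AD LDS backup with the same three
# settings (instance name, number of backups to keep, backup path) and the same rotation
# rule (the oldest generation is deleted, the others are renamed, the newest is written).
# Assumes the backup is an IFM export made with dsdbutil.exe; values are placeholders.

$InstanceName    = 'FastPassADAM'     # placeholder: the AD LDS instance name from Windows Services
$NumberOfBackups = 4                  # keep the last 4 generations
$BackupPath      = 'C:\backup\adam'   # created if it does not exist

function Invoke-BackupRotation {
    # Generations live in backup.1 (newest) .. backup.N (oldest) under $Root.
    # Returns the (not yet existing) directory the new backup should be written to.
    param([Parameter(Mandatory)][string] $Root, [Parameter(Mandatory)][int] $Keep)
    if ($Keep -lt 1) { throw "Keep must be at least 1" }
    if (-not (Test-Path -LiteralPath $Root)) {
        New-Item -ItemType Directory -Path $Root | Out-Null
    }
    $oldest = Join-Path $Root "backup.$Keep"
    if (Test-Path -LiteralPath $oldest) { Remove-Item -LiteralPath $oldest -Recurse -Force }
    # Shift backup.(N-1) -> backup.N, ..., backup.1 -> backup.2, highest number first so
    # that no rename collides with a generation that has not been moved yet.
    for ($i = $Keep - 1; $i -ge 1; $i--) {
        $src = Join-Path $Root "backup.$i"
        if (Test-Path -LiteralPath $src) { Rename-Item -LiteralPath $src -NewName "backup.$($i + 1)" }
    }
    return (Join-Path $Root 'backup.1')
}

function Backup-AdLdsInstance {
    param(
        [Parameter(Mandatory)][string] $Instance,
        [Parameter(Mandatory)][string] $Root,
        [Parameter(Mandatory)][int] $Keep
    )
    $target = Invoke-BackupRotation -Root $Root -Keep $Keep
    $log = Join-Path $Root 'backup.log'
    "$(Get-Date -Format s) starting IFM backup of '$Instance' to $target" | Add-Content $log

    # dsdbutil creates the target directory itself; "activate instance" needs the
    # instance name exactly as shown in the Services console.
    & dsdbutil.exe "activate instance $Instance" "ifm" "create full $target" "quit" "quit" |
        Add-Content $log
    if ($LASTEXITCODE -ne 0) {
        "$(Get-Date -Format s) FAILED: dsdbutil exit code $LASTEXITCODE" | Add-Content $log
        throw "dsdbutil failed with exit code $LASTEXITCODE; see $log"
    }
    # Assumption: the IFM export places the database file adamntds.dit in the target folder.
    # A directory that exists but holds no database is treated as a failed backup.
    $dit = Join-Path $target 'adamntds.dit'
    if (-not (Test-Path -LiteralPath $dit)) {
        "$(Get-Date -Format s) FAILED: $dit not found" | Add-Content $log
        throw "backup directory exists but $dit is missing"
    }
    "$(Get-Date -Format s) OK: $((Get-Item -LiteralPath $dit).Length) bytes" | Add-Content $log
    return $dit
}

# Run once per week from Task Scheduler as SYSTEM (Figure 77), outside the window in
# which the Discovery and Enrollment services run.
Backup-AdLdsInstance -Instance $InstanceName -Root $BackupPath -Keep $NumberOfBackups
```

The backup folder holds a copy of the whole directory, including enrolled user data, so restrict its ACL to administrators and the backup account just as you would the live instance.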
Figure 80
Status screen of dsdbutil.exe.

Figure 81
To test the backup script, open a command prompt, browse to where the script is placed and run BackupADLDS.cmd.

7.2 Appendix B: Restart FastPass Services

To have a stable solution running without outages, we recommend restarting the FastPass Services on a weekly basis. FastPass comes with a script that can restart all the services, placed in the tools folder. Below you will find a description of how to add the restart in the Windows Task Scheduler.

Log on to your server with administrative rights. Start Administrative Tools -> Task Scheduler. Go through the same process as for the AD LDS backup, but this time choose the RestartPMAll script.

Figure 82
Click on Browse to find the program or command to run. Mark the script or command and click Open.

"It is very important that you don't run this task while the Discovery and Enrollment Services run." You will need to let the Discovery and Enrollment Services run uninterrupted.

7.3 Appendix C: Recommended changes when installing for more than 10.000 users

7.3.1 Storing Event data on SQL

Using SQL for storing event data will speed up reports and limit the data in your ADAM/AD LDS instance. To enable the storage of events:

1. Install the MSSQL server and Sync Server as described.
2. Create and set the following registry value (REG_SZ): HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Password Manager\DataStorageTypeEvent, Value Data: MSSQL

After this the events will automatically be stored in the event table in the PasswordSync database. To keep the database from running full, implement the following SQL to run on a daily basis: http://server400.fastpasscorp.com/files/tools/CleanDB-MSSQL-DiscEvents.zip

7.1.1 Tweaking ADAM/AD LDS settings

ADAM is very slow at giving up space, especially with the default settings; this may lead to very big ADAM instances taking up unnecessary resources. Here is why: whenever a delete operation is triggered, ADAM archives the deleted object. This results in an increase of the "dit" file size. To avoid the "dit" file size growing enormously, we are required to configure the garbagecollperiod and tombstonelifetime parameters in ADAM. (The contents of the Deleted Objects container are visible if you search by using the 1.2.840.113556.1.4.417 control, which enables you to see deleted objects.)

These two attributes are available in: CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration

Steps to configure garbagecollperiod and tombstonelifetime:

1. Open ADAM-ADSI Edit. (The shortcut is mostly available on the Desktop, or you can go to Program Files/ADAM-/ADAM-ADSI Edit.)
2. Open the Connect to dialog box. In the Connect to dialog, enter the desired information. Select the Naming Context radio button and select Configuration from the drop down.
3. Once you are connected to Configuration, go to CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration. (Please beware that the tree is navigated in the reverse order of the DN: CN=Configuration, then CN=Services, then CN=Windows NT, then CN=Directory Service.)
4. Open the property sheet of the Directory Service.
5. Go to the garbagecollperiod attribute. Select Edit and enter an appropriate value. The value entered is in hours. The minimum value is 1 hour and by default it is set to 12 hours; this is also the recommended value.
6. Go to the tombstonelifetime attribute. Select Edit and enter an appropriate value. The value entered is in days. The minimum value is 1 day. The default is 180 days. We recommend setting this attribute to 7 days.
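The same two attributes can be read and set without ADSI Edit. The following PowerShell script is an added example, not part of the guide: it does this over ADSI, applies the minimums and recommendations stated above, and uses the 1.2.840.113556.1.4.417 (show deleted objects) control mentioned above to count the tombstones the change will let the garbage collector remove. Server, port and the application partition DN are placeholders.

```powershell
# Added example, not from the FastPass guide: read/set garbageCollPeriod and
# tombstoneLifetime on an AD LDS (ADAM) instance and count its tombstoned objects.
# Server, port and partition DN are placeholders; the caller needs write access to the
# configuration partition of the instance (the ADAM administrator account, see Figure 10).
# Port 389 is the LDAP default when the instance is not on a domain controller.

function Get-AdLdsDirectoryServiceEntry {
    # Locates CN=Directory Service,CN=Windows NT,CN=Services,<configuration NC> of the
    # instance; the configuration NC name differs per instance, so it is read from RootDSE.
    param([string] $Server, [int] $Port)
    $rootDse  = [ADSI]"LDAP://${Server}:${Port}/RootDSE"
    $configNC = [string] $rootDse.configurationNamingContext
    return [ADSI]"LDAP://${Server}:${Port}/CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
}

function Get-AdLdsGarbageSettings {
    param([string] $Server = 'localhost', [int] $Port = 389)
    $ds = Get-AdLdsDirectoryServiceEntry -Server $Server -Port $Port
    # An absent attribute means the default applies: 12 hours and 180 days.
    $gc = $ds.Properties['garbageCollPeriod'].Value
    $tl = $ds.Properties['tombstoneLifetime'].Value
    $gcHours = 12;  if ($null -ne $gc) { $gcHours = [int]$gc }
    $tlDays  = 180; if ($null -ne $tl) { $tlDays  = [int]$tl }
    return [pscustomobject]@{
        DirectoryService       = [string] $ds.Properties['distinguishedName'].Value
        GarbageCollPeriodHours = $gcHours
        TombstoneLifetimeDays  = $tlDays
    }
}

function Set-AdLdsGarbageSettings {
    param(
        [string] $Server = 'localhost', [int] $Port = 389,
        [int] $GarbageCollPeriodHours = 12,   # minimum 1 hour; default and recommended 12
        [int] $TombstoneLifetimeDays  = 7     # minimum 1 day; default 180, recommended 7
    )
    if ($GarbageCollPeriodHours -lt 1) { throw 'garbageCollPeriod must be at least 1 hour' }
    if ($TombstoneLifetimeDays  -lt 1) { throw 'tombstoneLifetime must be at least 1 day' }
    # Own sanity check: a collection period longer than the lifetime would never collect.
    if ($GarbageCollPeriodHours -ge $TombstoneLifetimeDays * 24) {
        throw 'the collection period must be shorter than the tombstone lifetime'
    }
    $before = Get-AdLdsGarbageSettings -Server $Server -Port $Port
    $ds = Get-AdLdsDirectoryServiceEntry -Server $Server -Port $Port
    $ds.Put('garbageCollPeriod', $GarbageCollPeriodHours)
    $ds.Put('tombstoneLifetime', $TombstoneLifetimeDays)
    $ds.SetInfo()
    $after = Get-AdLdsGarbageSettings -Server $Server -Port $Port
    return [pscustomobject]@{ Before = $before; After = $after }
}

function Get-AdLdsTombstoneCount {
    # Counts deleted objects in a partition using the show-deleted control
    # (1.2.840.113556.1.4.417), which DirectorySearcher sends when Tombstone is $true.
    param([string] $Server = 'localhost', [int] $Port = 389,
          [Parameter(Mandatory)][string] $PartitionDN)   # e.g. the FastPass application partition
    $root = [ADSI]"LDAP://${Server}:${Port}/$PartitionDN"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter    = '(isDeleted=TRUE)'
    $searcher.Tombstone = $true
    $searcher.PageSize  = 1000           # paged search, so large instances do not hit the size limit
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $results = $searcher.FindAll()
    try { return $results.Count } finally { $results.Dispose() }
}

# Usage (placeholders): inspect, count tombstones, then apply the recommended values.
# Tombstones older than the new lifetime are purged on the next garbage collection run,
# so the count should drop within one collection period.
Get-AdLdsGarbageSettings -Server 'localhost' -Port 389
Get-AdLdsTombstoneCount  -Server 'localhost' -Port 389 -PartitionDN 'DC=FastPass,DC=local'
Set-AdLdsGarbageSettings -Server 'localhost' -Port 389 -GarbageCollPeriodHours 12 -TombstoneLifetimeDays 7
```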
For more information visit: http://www.msresource.net/knowledge_base/articles/info:_the_directory_service_garbage_collection_process.html

This operation should be done on all your ADAM instances.