Password Manager Version 3.4.2
Password Manager Quick Guide
Document Title: Password Manager Quick Guide
Document Classification: Public
Document Revision: C
Document Status: Final
Document Date: April 16, 2012

Prolog: FastPass Password Manager will give your organization benefits in many different areas:

Through Self Service your users can:
- Reset passwords and unlock accounts 24 hours a day, 365 days a year.
- They will receive the service immediately, and don't have to wait for telephone answers.
- They don't have to be embarrassed in front of the Service Desk employee!

The Service Desk:
- Calls and incidents related to passwords disappear.
- Attention can be transferred to important incidents and problems.
- The service level delivered will be improved.

Finance:
- Savings in time for users and the Service Desk will reduce password related cost for the organization.

The specifications and information in this document are subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. This document may not be copied or distributed by any means, in whole or in part, for any reason, without the express written permission of FastPassCorp A/S.

© 2004-2012 FastPassCorp A/S. All rights reserved. Lyngby Hovedgade 98, 2800 Kongens Lyngby, Denmark. http://www.fastpasscorp.com/. FastPass Password Manager is a trademark of FastPassCorp A/S. All further trademarks are the property of their respective owners.

Limited Warranty
No guarantee is given for the correctness of the information contained in this document. Please send any comments or corrections to documentation@fastpasscorp.com.
Table of Contents

1. Introduction
   1.1 Purpose
   1.2 Audience
   1.3 References
2. Pre Requisites
   2.1 Windows server 2003 pre requisite
       2.1.1 Server preparation
   2.2 Windows server 2008 pre requisite
       2.2.1 Installing .NET
   2.3 Creating local service accounts for Password Manager
   2.4 Preparing ADAM/AD LDS
3. Install Password Manager
4. Basic Configuration

1. Introduction

1.1 Purpose

The purpose of this document is to describe the steps included in the process of performing a FastPass Password Manager installation and basic configuration. The Password Manager can be installed in other environments and in different server setups; please consult the installation guide for complete coverage. Although the document is written as a tutorial for performing a real installation, the reader should expect to change input values to match the standards and requirements of their own environment.

1.2 Audience

The intended audience of this document is personnel responsible for, preparing or performing the application installation.

1.3 References

This document references the following documents:
- FastPass Password Manager, Version 3.4.2, Installation Guide.
- FastPass Password Manager, Version 3.4.2, Administrators Guide.

2. Pre Requisites

You will need the following to install FastPass Password Manager using this Quick Guide:

1. A standalone server with Microsoft Windows server 2003 or 2008 (virtual or physical)
2. The server's FQDN has to be registered in your DNS
3. A valid SSL certificate issued for the FQDN that is trusted by the server itself and all the clients. You will not be able to perform the installation without a proper certificate. Please note: if you are not familiar with certificates we recommend buying one or taking a free trial at e.g. http://www.rapidssl.com/
4. Access to a domain controller, and a domain admin user account for use with the Password Manager installation
5. Group names for a couple of groups to use for the installation, that is:
   a. A group with users that will be able to change their password using the system
   b. A group of users who can issue HelpDesk pins for other users
6. Installation of the prerequisite software

At this point the installation guide is split depending on your server version: continue with section 2.1 for Windows server 2003 or section 2.2 for Windows server 2008.

2.1 Windows server 2003 pre requisite

2.1.1 Server preparation

2.1.1.1 Install .NET

Download and install .NET on your server using the following link: http://www.microsoft.com/download/en/details.aspx?id=22

2.1.1.2 Installation of ADAM on Windows server 2003 R2 or later

If you are using a server 2003 version prior to R2 please go to section 2.1.1.3.

Log in with an administrative account on your server and choose Add or remove a role.
In the next screen choose Add remove programs.
Choose Active Directory Services and press the Details button. From there check Active Directory Application Mode (ADAM), click OK and follow the instructions on screen.

2.1.1.3 Installation of ADAM on Windows server 2003 on version prior to R2

Use the following link to download and install ADAM: http://www.microsoft.com/downloads/details.aspx?familyid=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4&displaylang=en

2.1.1.4 Install IIS on Windows server 2003

Start the Configure your server wizard found under Administrative Tools.
Choose Application Server (IIS, ASP.Net) and click Next in the next two windows, and follow the instructions.
Choose ASP.Net.
Now open the Internet Information Services (IIS) Manager found under Administrative Tools.
Open the web sites, right click the Default Web Site and choose Properties.
Select the Server Certificate button to import your certificate.
You can continue to section 2.3.

2.2 Windows server 2008 pre requisite

2.2.1 Installing .NET

Download and install .NET 3.5 SP1 (higher versions are OK; in that case you will not need to download the installer): http://www.microsoft.com/download/en/details.aspx?id=22

2.2.1.1 Installation of AD LDS (ADAM) and IIS on Windows server

Log in with an administrative account on your server and open the Server Manager found under Administrative Tools.
Click Roles in the left part of the window and activate Add Roles.
Mark the Web Server (IIS) for installation, and if the Add required features dialog pops up, press the Add Required Features button.
Click Next until you see the Role Service screen for IIS.
Choose ASP.Net and the IIS 6 Metabase Compatibility and click Next and Install.
After the installation has completed you need to install your SSL certificate on the web server. Do this by starting Internet Information Services (IIS) Manager under Administrative Tools.
Select the Server Name in the left screen, click the Server Certificates icon and import your certificate.
Choose the Default Web Site and click Bindings. Add a new binding of the https type and choose your certificate in the dropdown. Click OK.
Now your server is ready for Password Manager. You can continue to section 2.3.

2.3 Creating local service accounts for Password Manager

We need to create some accounts and one group for use with Password Manager.
Open the Computer Management console found under Administrative Tools and create the following users: FPAdamUser, FastPassGWUser

Note: This user must be allowed to Log on locally. If not, the ServerInit installation part will fail because it cannot authenticate the user. (You can test this by logging in on the machine using this user.)
Creation of the FPADAMUser and the FPGWUser

Then create a group called FPGWGroup and add the newly created FPGWUser user to it.
The last step is to create a group that will hold the AD or local users that will be able to log in to the FastPass Administration Client. Here I created a group with access for the local user MyUserAccount and the users in the AD groups Domain Admins and FastPass Admins.

2.4 Preparing ADAM/AD LDS

From the Windows Start button select Programs, then ADAM and then Create an ADAM Instance. On a 2008 server, choose the Start button, select Administrative Tools and choose Active Directory Lightweight Directory Services Setup Wizard.
Click the Next button.
Select the A unique instance radio button and click the Next button.
Enter a name for the ADAM instance and click on the Next button.
Set the LDAP port number to 50000 and the SSL port number to 50001.
Select the Yes, create an application directory partition radio button and click on the Next button.
Change the file location if desired and click the Next button.
Select the Network Services account radio button. If a popup window appears: Answer Yes.
Select the Browse button to specify the FPADAMUser account and click Next.
Select Do not import LDIF files for this instance of ADAM and click on the Next button.
Check that the information is as expected and correct it if it is wrong. When verified, click on the Next button.
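
Before starting the installation in section 3, prerequisites 2 and 3 from section 2 (FQDN registered in DNS, certificate issued for that FQDN and trusted by the server) can be checked from PowerShell. This is an added example, not part of the FastPassCorp guide; the FQDN fastpass01.example.com is a placeholder, and matching on the "DNS Name=" label assumes an English-language Windows installation.

```powershell
# Added example: pre-install check of prerequisites 2 (DNS) and 3 (certificate).
# Assumption: fastpass01.example.com is a placeholder; pass your server's FQDN.
param([string]$Fqdn = 'fastpass01.example.com')

function Test-NameMatch([string]$Pattern, [string]$HostName) {
    # Exact match, or a wildcard covering exactly one leading label (*.example.com).
    if ($Pattern -ieq $HostName) { return $true }
    $dot = $HostName.IndexOf('.')
    return ($Pattern.StartsWith('*.') -and $dot -gt 0 -and
            $Pattern.Substring(1) -ieq $HostName.Substring($dot))
}

# Prerequisite 2: the server's FQDN has to be registered in DNS.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($Fqdn)
    Write-Host "DNS : $Fqdn resolves to $($ips -join ', ')"
} catch {
    Write-Warning "DNS : $Fqdn does not resolve"
}

# Prerequisite 3: a certificate issued for the FQDN, in the store IIS binds from.
$now = Get-Date
$candidates = @()
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $names = @($cert.GetNameInfo('SimpleName', $false))      # subject CN
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) prints one entry per line; "DNS Name=" is the English label.
        $names += $san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match 'DNS Name=(.+)$') { $Matches[1].Trim() }
        }
    }
    if ($names | Where-Object { Test-NameMatch $_ $Fqdn }) { $candidates += $cert }
}

if (-not $candidates) { Write-Warning "CERT: no certificate names $Fqdn" }
foreach ($cert in $candidates) {
    $inDate  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    $trusted = $cert.Verify()        # chain builds to a root this server trusts
    Write-Host ("CERT: {0} expires {1:yyyy-MM-dd} key={2} valid={3} trusted={4}" -f
        $cert.Thumbprint, $cert.NotAfter, $cert.HasPrivateKey, $inDate, $trusted)
    if (-not ($cert.HasPrivateKey -and $inDate -and $trusted)) {
        Write-Warning "CERT: $($cert.Thumbprint) cannot be used for the https binding"
    }
}
```

The script checks trust only from the server's point of view; the clients need the issuing CA in their own trust stores as well.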

3. Install Password Manager

There are a few steps to complete the installation of Password Manager. After you have unpacked your Password Manager Package it looks like this:

Important note for server 2008 users: Every time you execute an installation package, right click the package and choose Run as administrator.

Now run the PasswordManagerServer.exe installation file in the 1. Backend Server Installer directory.
Click Next, read and accept the license agreement, click Next, fill in a user name and company name, and click Next.
For the next screen: Please enter <machine name>\fpiis and issue a password. This user will be created by the installer, giving only minimum rights to the user.
The following popup emerges: Answer Yes to let the installation create the user.
Now click Next and Install.
Now you have completed installing the basic components.

Return to the installation directory and enter the directory 2. ADAMInstaller; there execute ADAMInstaller.exe.
Click the Next button and enter the following values:
Click Next and enter the following values, changing the server name FastPass01 in the Username to match your machine name.
Click Next, and follow the instructions on screen.

After the installation wizard is completed we need to enter the 3. ServerInit directory and execute ServerInit.exe.
Click Next, leave the Organization properties as they are and click Next.
Now you need to enter the hostname of the machine; this has to be the name registered in the certificate. Leave the IP address list at the default and choose the FPGWGroup as the Administration group (members of this group will be able to administer FastPass). Click Next.
Enter the values as shown below to complete the installation.
Click Next and follow the instructions.
You have completed the installation of Password Manager.

4. Basic Configuration

Access the Password Manager administrative part by opening the following URL in a browser: https://<servername>/fastpassadministrationclient/
(Note: If you are using the browser on the server, be sure to add the site to trusted sites.)

The first thing you need to do after logging in is to configure a user repository, that is, the connection to your AD. This is done by activating the Add button under User Repositories:
In the upcoming screen, define the basic settings. The Name will be shown on the webpage the clients access. The number of users is equal to the number of AD users to allow for this particular User Repository.
Click Save, activate the Connection Settings and add the following information:

1. Domain Name: The full name of the domain we are accessing
2. NetBIOS name of the domain
3. The FQDN of your Active Directory server (Domain Controller)
4. Leave the connection mode on secure mode and enter an account name and password with Domain Admin rights for the domain.
5. The FastPass account name and password for the account with Domain Admin or delegated rights in the AD.

To verify the data, press the Verify button to make sure all the information is correct.

Now we need to tell Password Manager which groups it can operate with. This is done using the icon in the Security Settings panel. Under the Security Settings icon you will find a page similar to this:
The Security Settings define which groups are available from the Active Directory, to be used later to configure the Password Manager Administration Client. At the opening of the Security Settings page Password Manager collects the Security Groups from Active Directory. The Group for Roles (User Repository) contains two boxes: one for Selected Groups (to the left) and one for the Available Groups (to the right). Search hint is enabled to find the group names matching the typed characters.

Select the groups from your AD that fit your needs and click Save. For test you can use the same group for all the operations. Look in the Administration Guide for further details on these group settings.

Now we need to configure which users have access to what from where. This is done in the Authentication Settings part. Activate the Home link in the left side of your screen and click the Authentication Settings icon, and the following page is shown:
These are the different operations; in this guide we will complete the enrollment and the reset password operations only.

To define the Enrollment operation, activate the Enroll User icon and fill in the data as seen below. Click the Add button to create a new profile.
The above picture grants access to the users in the FPBasicUsers groups from any network, to enroll using their Password as authentication.
Click Save and activate the Reset Password operation icon to define the access for the reset password operation. Click Add to add a profile for this operation.

Now the client is configured for basic operation. To verify, start a browser pointing at https://<servername>/fastpassclient/ and you will see the client's screen:
Now activate the Enroll User operation and follow the instructions on screen. After you have answered the Challenge response questions you will be able to reset the password of the user by activating the Reset Password operation.

Now you have completed the Quick Guide; however, we strongly advise you to do the following operations at a minimum:

1. Define the other Authentication Settings
2. Create a Discovery profile to let Password Manager fetch the data for your users
3. Define a mail server
4. Define an enrollment profile; this feature sends emails to users who have not enrolled yet
5. Before operation be sure to schedule the service restart script found under the <INSTALLPATH>\FastPassCorp\tools\ folder to ensure continuous operation

For an in-depth description and guide to setting up these features we refer to the Administration Guide.
In the package you will find the Windows Client and instructions on how to install the client in enterprise architecture.