Channel: Support Portal

Verify Password Unreliable


The verify password function is proving to be incredibly unreliable. It works one minute and then it doesn't work. It will work for some accounts in a resource and not for others.

This is becoming quite frustrating.  I'm trying to document how our password admins should be adding resources, testing and resetting passwords and one minute it is fine and everything works then randomly it stops. 

For example, I added a Windows resource and the local administrator account and forced a password reset and it verifies OK. I then "Discover Accounts" and it adds in two other local accounts. I reset the password on all of the resource testing the email and this works fine.

Then I find I cannot verify any of the 3 local account passwords.  I manually reset the local admin password on the server and then input this password into PMP and this verifies OK.  Later it fails verify but if I click the RDP session it autologs me on with the local admin account so clearly we have the correct password. 

I'm running Password Manager on 2012 R2 in a HA configuration with an SQL backend.  IE 11 and Chrome both exhibit the same issue. 

I'm second guessing myself and doubting if I actually set the passwords or not, but I have.  It just randomly decides it can't verify the password.

And all this before I get to the more complex job of setting up password reset with a service restart on successful password reset. 



RDP Keyboard incorrect


Keyboard layout in an RDP session.

I'm assuming that the browser is impacting the keyboard, or is it PMP's gateway?

In a native RDP session the keyboard layout we use is UK. When I launch an RDP session via PMP it switches some of the keys around and it looks like it's using the US keyboard layout. It does not matter if I use Chrome or IE.

This is going to mean I cannot use certain characters in the password.  I wonder if this is the issue with the Password verification too?

UK Keyboard

`1234567890-=
qwertyuiop[]
asdfghjkl;'#
\zxcvbnm,./
¬!"£$%^&*()_+
QWERTYUIOP{}
ASDFGHJKL:@~
|ZXCVBNM<>?


 


RDP in IE

The backtick is missing as the first character in line 1 below.

 1234567890-=
qwertyuiop[]
asdfghjkl;`'
\zxcvbnm,./
!@#$%^&*()_+
QWERTYUIOP{}
ASDFGHJKL:~"
|ZXCVBNM<>?





Re : How Do You Reset an Admin's Password


Very simple. I can't believe we missed that.


Thank you,


Stephen

Re : AIX password reset problem

In the latest version of PMP 8200, we have provided this option by default at the Resource Level. Edit the IBM AIX resource and enable the option "Execute pwdadm command". This will make PMP use the pwdadm and it will automatically remove the flags after reset.

Password Manager Pro Team 
Password Manager Pro - Enterprise Password Management Software

PMP timezone


I installed PMP and found that the time in the audit log is using GMT instead of my local time.

How can I change it to my local timezone (HKT GMT+8)?

Thanks!

Re : Verify Password Unreliable


I thought it worth giving an update on this.  It appears that you cannot verify the local administrator account on the PMP server.  The support guys are looking at this and may have a solution. 

The Password Manager server is a Windows server, obviously, and one of the things we want PMP to do is control the local admin password. It appears that currently that's fine for all of my servers except the Password Manager front end server itself.

To prove this I can verify the local admin credentials on the Slave server from the Primary web portal and the Primary local admin credentials from the Slave server web portal.  But on each if I check the local account, i.e. check the local admin account password of the Slave Server whilst using the web portal from the slave verify fails. 

Allowing a non domain admin to reset and administer service accounts


I have set up a WindowsDomain resource called "Domain Service Accounts" .  One of the accounts in this resource is the PMP service account.  The PMP Service runs under this account. 

By default I cannot verify any passwords on any of the accounts, not even the service account that PMP runs under. In order to verify the passwords I have to tick the box "Supply Credentials for remote synchronization" and select the PMP service account. Then I can verify all the passwords in the resource.

OK, fair enough, but I also want to allow another team to create and manage a WindowsDomain resource called SQL Service Accounts. However, I do not want to give them access to an account that has domain level privileges so that they can verify and reset passwords.

Right I think the penny just dropped.  I was thinking why doesn't the service account reset the password and do the verify?  If the service account were allowed to do the reset then the other team could add any account they like, including a domain admin account and reset the password.  NOT GOOD.  

I've just tested what seems a reasonable way to do this. Interestingly, verify password works as long as I use any of the accounts in the resource as the account to "Supply Credentials for remote synchronization", but password resets fail unless the account has the rights to reset the user account password.

Create an OU for the service accounts you want to allow the SQL DBAs to be able to manage. Delegate password reset to a service account which will be stored as an account in the SQL Service Account Resources. Set this account as the "Supply Credentials for remote synchronization" account, and then both verify and password reset work.

This is a little clunky but it appears to work!

If you just want them to be able to verify that the password is in sync then you can select any account in the resource and this appears to work OK. 
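
The OU delegation described in the post above, as an added example that is not part of the original post and not PMP's own tooling. It assumes the ActiveDirectory RSAT module and `dsacls` are available; the domain, OU and account names are placeholders.

```powershell
# Added example: delegate "Reset Password" on one OU only, then audit who holds it.
# Assumptions (not from the post): domain DN, OU name and delegate account are placeholders.
Import-Module ActiveDirectory

$domainDn = 'DC=example,DC=com'
$ouName   = 'SQL Service Accounts'
$ouDn     = "OU=$ouName,$domainDn"
$delegate = 'EXAMPLE\svc-sql-pwreset'   # low-privilege account stored in the PMP resource

# 1. Create the OU that holds only the service accounts the DBAs may manage.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDn'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 2. Grant the "Reset Password" control-access right on descendant user objects only
#    (/I:S = inherit to sub-objects only). Nothing is granted outside this OU.
dsacls $ouDn /I:S /G "${delegate}:CA;Reset Password;user"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $ouDn" }

# 3. Audit: list every principal that can reset passwords through an extended right
#    on this OU (the specific right, or "all extended rights" = empty GUID).
$resetPwdGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
$extended     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extended) -and
        ($_.ObjectType -eq $resetPwdGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ObjectType, IsInherited, InheritanceType

# 4. Guard against the risk raised in the post: flag accounts in the delegated OU
#    that are, or have been, members of protected (privileged) groups.
Get-ADUser -SearchBase $ouDn -Filter 'adminCount -eq 1' -Properties adminCount |
    Select-Object SamAccountName, DistinguishedName
```

Step 3 should return the delegate plus whatever administrative groups already hold the right by inheritance; step 4 should return nothing.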

 

Re : Allowing a non domain admin to reset and administer service accounts


Watch out for this when testing.  The natural thing to do is to reset the password using ADU&C and then use PMP to see if it now reports the passwords are out of sync.  ARRRGGGHHH it's still showing as in sync!!!!

I think under the covers PMP is using LDAP to check the domain password. AD will, believe it or not, accept both the old and new passwords for a period (which I think is an hour) after you carry out the password change. Don't forget AD replication as well can mean you change the password on one DC but the new password does not replicate to the DC PMP is using until some time later, depending on your AD setup.

So, as in a lot of testing, sometimes the speed at which you make changes and try to detect them is so artificial that they throw up issues no one will ever see in a production environment.

The old and new passwords being accepted is to allow you to change a service account password and then have enough time to go to multiple servers, e.g. a cluster, and reset the password stored in the service configuration. These days we would probably use a managed service account.






Managing both Windows local admin accounts and SQL accounts in the same resource


I'm wondering if there is a way of placing a windows account and an SQL account in the same resource. 

It looks like I need to create two resources, e.g. one called "MyServerName Windows Accounts" of resource type Windows with an account called administrator, and then a second resource "MyServerName SQL Accounts" of type MS SQL Server with the SQL account in.

It would be nice if I could have a single resource and add the two different account types to the resource.

Is this possible?

Does anyone else think this is a reasonable way to do things or do they think it makes more sense to split out the two resource types?

Re : Office 365

Hi Rogier,

Thanks for the forum post.
To automatically log in to web sites or web applications, copy and paste the URL into the resource URL field while adding the resource. Based on the URL stored along with the username and password, we auto-fill the username and password when you click on the resource URL. You can refer to this link for information on how to configure the bookmarklet feature in PMP.

Also, due to certain security enforcements in different browsers, the BookMarklet feature in PMP might not work in a few cases. Similarly, the BookMarklet feature may not work with certain websites (ex: secure websites or websites designed through iFrame, flash, web based apps etc). That being said, to overcome all these kinds of limitations, we have planned to implement a new browser based plugin that can be added as an add-on in all major browsers like IE, Chrome, Firefox.

We have released the Firefox and Chrome extensions now. We are also working on one for IE, which will be available in one of our future releases. Please refer to the below mentioned link.



After installing this extension, you will find a new PMP icon in the right hand side top corner of the browser from which you can login to PMP and retrieve password or Auto Logon. The plugin for the Firefox browser is in testing. Also, the plugin for IE is still in the development phase and should be available shortly.

Please write to us if you have any further queries.

Thanks & Regards,
Chris
[Technical Consultant | Password Manager Pro]

Re : RDP Keyboard incorrect

Thanks Chris - this resolved the keyboard issue for me.  FYI we are running the latest build version 8200.

Re : PMP timezone

Hi,

Thanks for the forum post. 
The date and time settings for PMP are taken from the server in which PMP is installed. If the PMP server time zone is set to GMT, we request you to change it to GMT+8 and restart the PMP service once for the new time zone to take effect. 

Feel free to write to us if you have any other questions.

Thanks & Regards,
Chris
[Technical Consultant | Password Manager Pro]

Re : Verify Password Unreliable

Hi Lee,

Thanks for the forum post.
Please try the below steps to run the verify task in CLI from the PMP server for the resources for which verification is failing.
  • Navigate to the <PMP-home>/scripts using command prompt with admin rights and execute the below mentioned command. 
  • cscript VerifyPassword.vbs host_name username password
  • wherein host_name is the hostname of the system for which you are verifying the password (verification failed), username is the user account name and password is the password of that account.
  • For example, cscript VerifyPassword.vbs "TEST" "administrator" "P@ssword1!"
Please execute the command and send the output to passwordmanagerpro-support@manageengine.com so that we can analyse the issue and get back to you.

Look forward to hearing from you.

Thanks & Regards,
Chris
[Technical Consultant | Password Manager Pro]



Re : Managing both Windows local admin accounts and SQL accounts in the same resource

Hi Lee,

Thanks for the forum post.
We completely understand your requirement. At present it is not possible to manage two different account types (ex: Windows local accounts and SQL accounts) under a single resource type. We will take this as a feature request. We will analyse the feasibility and provide this feature in one of our upcoming releases.

For now, as mentioned by you, we request you to add the same resource twice with different resource names, with all the other field values like DNS name, domain name, description, etc. remaining the same. For example: resource name Server1 for managing the SSH account passwords and Server 2 for managing the MySQL passwords, but the DNS name, domain name, etc. can be the same for Server 1 and 2.

Feel free to write to us if you have any other questions.

Thanks & Regards,
Chris
[Technical Consultant | Password Manager Pro]

Re : PMP - Google Authenticator reset function

Hi,

Thanks for the forum post.
Unfortunately, we don't have the option to allow a super admin to reset the user's Google Authenticator or disable the link in the UI. We will add this request to our road-map. We will analyse the feasibility and provide this option in one of our future releases.

But we can assist you in disabling this function from the database. Please send your contact details to passwordmanagerpro-support@manageengine.com so that we can schedule a web meeting session and assist you. Also, we will provide you the scripts which can be used for enabling Google Authenticator when required.

Look forward to hearing from you.

Thanks & Regards,
Chris
[Technical Consultant | Password Manager Pro]

Re : Linux resource discovery...

"Currently, we support discovery for linux resources only using Telnet protocol. But the accounts present in those linux resources can be discovered using SSH protocol."

Can you confirm that what you're actually saying here is that Linux resources can ONLY be autodetected if they have an open telnet service running?!   I find that absolutely astonishing!   I'd be shocked (and horrified) if you could produce for me one single Linux sysadmin who runs a production system that is listening for telnet connections on port 23.

Thanks for putting in the "feature request" to use ssh for auto-discovery... but I find the initial decision to use telnet for Linux auto-discovery so bizarre and ill-considered that it makes me question whether this is really an appropriate product to be using for serious security purposes.

I wasn't the one in our organization to decide to buy this product, but if I had been, this alone would've given me serious reservations about the product.

Why not just say that autodiscovery is unsupported on Linux?  As that is for all practical purposes what this bizarre design decision means.

Re : PMP timezone

Thanks for your answer.

My server was already configured GMT+8 (HKT) before PMP installation.
However, the audit events in the PMP console are still in GMT.

Any idea?  Thanks!

# cat /etc/sysconfig/clock
# The time zone of the system is defined by the contents of /etc/localtime.
# This file is only for evaluation by system-config-date, do not rely on its
# contents elsewhere.
ZONE="Asia/Hong Kong"
# date
Wed Sep  2 10:30:10 HKT 2015

Re : Verify Password Unreliable


Thanks Chris - as per my support email this command works fine so it's only when you try in the web portal to verify the password that it fails. 

Something else worth mentioning as this found me going down yet another rabbit hole, I also tried verifying some other local accounts on a server and these failed verification and I couldn't figure out why then I realised that the accounts were disabled.  The password in PMP was correct but verification failed because the account was disabled.  I'm not sure if PMP can tell if that's why it failed verification or not.  As it is, it just tells you the password is not in sync.

Why am I testing these disabled accounts? 

We have the usual "honey pot" local administrator account, that's not actually the local administrator account and has no rights on the server and is in fact disabled along with the guest account.  Not my idea but this does seem popular to do as I've seen lots of people do it.  They just assume the script kiddies trying to hack the system will waste time trying to hack the wrong account.  I'm not convinced this actually works but the team here like to think it does so every computer has a dummy account for this purpose. 

When I do an account discovery on a resource it pulls in the guest and this dummy account. A password reset works fine but you can't verify the password because the accounts are disabled. It would be nice if the verification told me the account was disabled or, better still, the discovery excludes disabled accounts.


Edit Password Policy hangs


Hello,


I am trying to edit the password policy on a custom policy I've created.  When trying to add characters to the "Characters not allowed" field it seems to hang when I try to save the policy using certain characters (<>: for example).  Are certain characters not allowed in this field?

Re : difficult to edit file used VI command
