
Configuring Cross-Platform Password Synchronization using MIIS

In document 4.7. Administrator Guide (Page 82-85)

If used in conjunction with Microsoft Identity Integration Server (MIIS), Quest Password Manager allows you to enable users and helpdesk operators to manage their passwords across different connected data sources, including:

• Active Directory® directory service
• Active Directory Application Mode (ADAM)
• Microsoft Windows NT® 4.0
• Lotus Notes 4.6 and 5.0
• IBM Directory Server
• Sun and Netscape directory servers (formerly iPlanet Directory Server)
• Novell eDirectory 8.6.2 and 8.7

Before you can configure Quest Password Manager to use a MIIS server for cross-platform password synchronization, you must install MIIS 2003 Service Pack 1 and configure Management Agents for all connected data sources that you want to be available for password management. There are several operational considerations for the account Password Manager uses to connect to MIIS:

• To enable Password Manager to connect to MIIS and set passwords in connected data sources through the MIIS server, you must add the Password Manager service account to the MIISPasswordSet group and to the MIISAdmins group. MIISAdmins grants full administrative control of the MIIS server, so dedicate this account to Password Manager and do not reuse it for other services.

• If Password Manager is configured to use Windows authentication to access MIIS, you must restart IIS after you have added the Password Manager service account to the MIISPasswordSet group. The IIS worker process receives its group memberships when its logon token is created, so the new membership is not visible to Password Manager until IIS restarts.

• If you plan to install MIIS and Quest Password Manager on the same server, you must configure Password Manager to use Windows authentication. You can do this when you specify the connected data sources in Password Manager by using the procedure outlined later in this section. Password Manager will then access MIIS under the same account it uses to access the managed domain.
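The group-membership steps above, as an added PowerShell example that is not part of the Quest guide. It assumes the default local MIIS groups created by MIIS setup on the local server, and uses the hypothetical service account CONTOSO\svc-qpm; it only restarts IIS when a membership actually changed.

```powershell
# Added example (not from the Quest Password Manager guide).
# Grants the Password Manager service account the MIIS group memberships the guide
# requires, then restarts IIS so the Windows-authenticated connection picks them up.
# Assumptions: MIIS groups are local groups on this server (the MIIS setup default);
# the service account name CONTOSO\svc-qpm is hypothetical.
$ServiceAccount = 'CONTOSO\svc-qpm'
$MiisServer     = $env:COMPUTERNAME

function Add-LocalGroupMemberViaAdsi {
    param([string]$Computer, [string]$Group, [string]$Account)
    # The WinNT ADSI provider addresses objects as WinNT://DOMAIN/name,type.
    $domain, $user = $Account -split '\\', 2
    $groupObj = [ADSI]"WinNT://$Computer/$Group,group"
    # Enumerate current members so the script is idempotent.
    $members = @($groupObj.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    if ($members -contains $user) {
        Write-Host "$Account is already a member of $Group on $Computer"
        return $false
    }
    $groupObj.Add("WinNT://$domain/$user,user")
    Write-Host "Added $Account to $Group on $Computer"
    return $true
}

# MIISPasswordSet: needed for SetPassword/ChangePassword through MIIS.
# MIISAdmins: full control of the MIIS server; the guide requires both, so keep
# this account dedicated to Password Manager.
$changed = $false
foreach ($g in 'MIISPasswordSet', 'MIISAdmins') {
    if (Add-LocalGroupMemberViaAdsi -Computer $MiisServer -Group $g -Account $ServiceAccount) {
        $changed = $true
    }
}

# Group SIDs are placed in the worker-process token at logon, so with Windows
# authentication the new membership only takes effect after IIS is restarted.
if ($changed) {
    & iisreset /restart
}
```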

To configure password management in MIIS:

1. Create a Management Agent for the managed Active Directory domain, and then create and run a Full Import and Full Synchronization profile for this Management Agent. Password synchronization will be available only to those users who have been added to the Connector Space of the Active Directory Management Agent.

2. When creating Management Agents for all connected data sources, select the Enable Password Management check box on the Configure Extensions page of the Management Agent Designer. If the connection between Microsoft Identity Integration Server and the connected data source target server cannot be secured during password set operations using Secure Sockets Layer (SSL), click the Settings button on the Configure Extensions page of the Management Agent Designer, and then clear the Require secure connection for password synchronization operations check box. Clearing this check box means new passwords travel to that target server without SSL protection, so do it only for a data source whose link to the MIIS server is protected by other means.

3. Create Management Agents for those data sources which you want to be available for password synchronization. It is important to associate User objects of the Active Directory connector space with the corresponding objects in the connector spaces of all available connected data sources. To link the connector space objects with the objects that already exist in the metaverse, you can create join rules or use the Joiner tool.

To enable Password Manager for cross-platform password synchronization:

1. Register an Active Directory domain with Password Manager.

2. On the home page of the Administration site, click Managed Domains.

3. On the Managed Domains page, click the managed domain you want to enable for cross-platform password synchronization.

4. On the Connected Systems tab, click the Click to specify button, and then enter the MIIS server name and account details to access the server. You can specify the User name in either pre-Windows 2000 logon name format (such as DomainName\UserName) or User Principal Name (UPN) format.

Connected data sources available on the MIIS server will be listed in the "Microsoft Identity Integration Server" section.

5. Specify how you want users' passwords to be synchronized across the different data sources. To do this, click the link next to a connected data source, and then do one of the following:

• To have users' passwords synchronized with their domain passwords, select Synchronize passwords in Connected System after they are reset or changed in Active Directory.
• To allow users to manage their passwords in connected systems independently from Active Directory, select Allow users to reset and change passwords in Connected System independently of Active Directory.
• To prevent users from managing their passwords in a connected data source, select Never synchronize passwords between Active Directory and Connected System.

The Never synchronize passwords between Active Directory and Connected System option must be selected for the managed Active Directory domain itself, since that domain is the source of the passwords being synchronized.

6. Repeat step 5 for all connected data sources in the list, and then click Save.

To verify that a user can set and change their passwords in connected data sources by using Password Manager:

1. Open the MIIS Identity Manager console.

2. On the Tools menu, click Metaverse Search.

3. In Scope by Object Type, select the person object type.

4. Click Search.

5. In Search Results, click a metaverse object for the user that you want to verify.

6. On the Actions menu, click Properties.

7. In the Metaverse Object Properties window, click the Connectors tab. Ensure that there is a management agent for the managed Active Directory domain in the list of connected data sources.

8. Register the user with Password Manager and attempt to set and change the user’s passwords by using the Self-Service site.
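The same check, scripted with the WMI provider that ships with MIIS, as an added example that is not part of the Quest guide. It looks up the user's object in the Active Directory connector space, follows its metaverse link to list every connector (steps 1 to 7 above), and contains a function that performs the password set of step 8 through MIIS. The management agent name "AD MA", the user DN and the password are hypothetical; the query forms used are the ones the MIIS_CSObject class accepts, and the assumption that Password Manager sets passwords by calling SetPassword on each joined connector-space object is an assumption, not something this page states.

```powershell
# Added example (not from the Quest Password Manager guide).
# Verifies, via the MIIS WMI provider, that a user's AD connector-space object is
# joined to a metaverse object with connectors in the other management agents.
# Run on the MIIS server as a member of MIISBrowse or MIISAdmins; the password set
# additionally requires MIISPasswordSet. Names below are hypothetical.
$Namespace = 'root\MicrosoftIdentityIntegrationServer'

function Get-MiisCSObject {
    param([string]$MaName, [string]$Dn)
    # MIIS_CSObject accepts queries by MaName+DN, MaGuid+DN, Guid or MvGuid.
    # A DN containing a single quote would break this WQL literal; escape it.
    $safeDn = $Dn -replace "'", "\'"
    Get-WmiObject -Namespace $Namespace -Query `
        "SELECT * FROM MIIS_CSObject WHERE MaName='$MaName' AND DN='$safeDn'"
}

function Get-MiisConnectors {
    param([string]$AdMaName, [string]$UserDn)
    $adCs = Get-MiisCSObject -MaName $AdMaName -Dn $UserDn
    if (-not $adCs) {
        throw "No connector-space object for $UserDn in '$AdMaName'; run Full Import first"
    }
    if (-not $adCs.MvGuid) {
        # A disconnector: in the connector space but not joined, so Password Manager
        # can manage the AD password but nothing will follow it to other systems.
        throw "$UserDn is a disconnector in '$AdMaName'; check join rules or use Joiner"
    }
    # Every connector-space object sharing this metaverse object, one per joined MA.
    Get-WmiObject -Namespace $Namespace -Query `
        "SELECT * FROM MIIS_CSObject WHERE MvGuid='$($adCs.MvGuid)'" |
        Select-Object MaName, DN, MvGuid
}

function Set-MiisPasswordOnConnectors {
    # Assumed mechanism behind step 8: SetPassword on each joined connector-space
    # object. Each MA must have Enable Password Management selected, and the caller
    # must be in MIISPasswordSet; otherwise the method returns an error string.
    param([string]$AdMaName, [string]$UserDn, [string]$NewPassword)
    foreach ($c in Get-MiisConnectors -AdMaName $AdMaName -UserDn $UserDn) {
        $cs = Get-MiisCSObject -MaName $c.MaName -Dn $c.DN
        $r  = $cs.SetPassword($NewPassword)
        New-Object PSObject -Property @{ MaName = $c.MaName; Result = $r.ReturnValue }
    }
}

$userDn = 'CN=Jane Doe,OU=Users,DC=contoso,DC=com'
$connectors = Get-MiisConnectors -AdMaName 'AD MA' -UserDn $userDn
$connectors | Format-Table -AutoSize
if (($connectors | Measure-Object).Count -lt 2) {
    Write-Warning 'Only the AD connector is joined; no other system will receive the password.'
}

# Uncomment to exercise step 8 against a test account only:
# Set-MiisPasswordOnConnectors -AdMaName 'AD MA' -UserDn $userDn -NewPassword 'P@ssw0rd-test-1'
```

Leave the password call commented out unless you are working with a test account; it changes the password in every joined connected system, which is exactly the effect Password Manager will have for real users once the join is correct.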

When you have specified a connection to a MIIS server, you can define the behavior of the Self-Service site for situations when Password Manager cannot contact the MIIS server.

To specify how to act when MIIS server is not accessible:

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.

2. On the home page of the Administration site, click Managed Domains.

3. On the Managed Domains page, click a domain, and then click the Connected Systems tab.

4. On the Connected Systems tab, specify one of the following options, which determine the Self-Service site behavior when the MIIS server or Quick Connect server is not available:

• Act as if no MIIS or Quick Connect server were specified: users can manage their passwords only in the Active Directory domain. No warning is displayed to users when the MIIS server or Quick Connect server is unavailable. Because nothing is reported, a reset made during an outage leaves the connected systems with the old password and the user unaware of it.

• Alert user and allow to reset or change password only in Active Directory: users are notified that other connected data sources are temporarily unavailable, and are allowed to continue managing their passwords only in the Active Directory domain.

• Do not allow users to reset or change passwords: users cannot perform any password management tasks in the Active Directory domain or in connected data sources while the MIIS server or Quick Connect server is unavailable.

5. Click Save.
