FastPass Password Manager


FastPass Password Manager, Version 3.4.2, Installation Guide

Document Title: Installation Guide
Document Classification: Public
Document Revision: G
Document Status: Final
Document Date: October 6, 2012

The specifications and information in this document are subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. This document may not be copied or distributed by any means, in whole or in part, for any reason, without the express written permission of FastPassCorp A/S. 2004 - 2012 FastPassCorp A/S. All rights reserved. Lyngby Hovedgade 98, 2800 Kongens Lyngby, Denmark. http://www.fastpasscorp.com/.

FastPass Password Manager is a trademark of FastPassCorp A/S. All further trademarks are the property of their respective owners.

Limited Warranty
No guarantee is given for the correctness of the information contained in this document. Please send any comments or corrections to documentation@fastpasscorp.com.

Status: Final
Date: October 6, 2012
Page 2 of 68

Table of Contents

1. Introduction .......... 5
1.1 Purpose .......... 5
1.2 Audience .......... 5
1.3 References .......... 5
1.4 How to use this document .......... 5
1.5 Terms .......... 5
2. About FastPass Password Manager .......... 6
2.1 The architecture of FastPass Password Manager .......... 7
2.2 Integration to Microsoft Active Directory .......... 8
3. Installing FastPass Password Manager .......... 10
3.1 Preparing the Installation .......... 10
3.1.1 Defining the deployment architecture .......... 10
3.1.2 Creating User Accounts and Groups .......... 12
3.1.3 Preparing the application servers .......... 15
3.1.4 Preparing the target AD .......... 25
3.1.5 Requesting a FastPass Password Manager license .......... 26
3.2 Installing FastPass Password Manager .......... 26
3.2.1 Installing .......... 26
3.2.2 Preparing the ADAM instance for FastPass .......... 30
3.2.3 Initializing the FastPass Password Manager solution .......... 34
3.3 Service restart .......... 37
3.4 Configuring the FastPass Password Manager solution .......... 37
3.4.1 Accessing the Administration Client .......... 37
4. Installing the stand-alone FastPass Client .......... 39
4.1 Installing .......... 39
4.2 Configuring the client .......... 41
5. Installing Multisystem Password Reset and Synchronization .......... 45
5.1 Installing SQL Express .......... 45
5.2 Configuring Microsoft SQL-Express for use with Sync Server .......... 51
5.2.1 Enabling encryption for SQL server .......... 53
5.3 Pre-requisites for the connectors .......... 54
5.4 Install Password Sync Server .......... 54
6. Additional information .......... 59

7. Appendices .......... 60
7.1 Appendix A: Backing Up AD LDS Database on Windows 2008 Server .......... 60
7.2 Appendix B: Restart FastPass Services .......... 67
7.3 Appendix C: Recommended changes when installing for more than 10.000 users .......... 68
7.3.1 Separate ADAM instances .......... 68
7.1.1 Tweaking ADAM/ADLDS settings .......... 68

1. Introduction

This document was last updated October 6, 2012 and targets FastPass Password Manager version 3.4.2.

1.1 Purpose

The purpose of this document is to describe the steps included in the process of performing a FastPass Password Manager implementation. Although the document is written as a tutorial for performing a real installation, the reader should expect to change input values to match the standards and requirements of their own environment.

1.2 Audience

The intended audience of this document is personnel responsible for, preparing, or performing the application installation.

1.3 References

This document references the following documents: Version 3.4.2 Administrators Guide.

1.4 How to use this document

Chapter 3 outlines the installation process. Chapter 4 describes the preparation steps for the installation. Chapter 5 describes the actual installation.

1.5 Terms

The following technical and product specific terms are used without further explanation throughout the document.

2. About FastPass Password Manager

FastPass Password Manager is a secure web-based solution offering self-service password operations to end-users.

Users are required to remember many more complex passwords on more systems than ever before. Research suggests that 30% of all calls to Help Desks are related to forgotten passwords.

Built to use Active Directory as the authoritative repository, FastPass is capable of delivering an instant ROI by deploying in just a few hours on your existing Microsoft environment. Further value can be gained by integrating these tools with Microsoft Identity Integration Server (MIIS/ILM 2007) for an industry leading Identity and Access solution.

Introduce Self-Service

Users only need a web browser to access FastPass, whether on the corporate intranet or across the internet. In addition, an easily integrated deployment via SharePoint Portal or the SAP Portal gives a secure single point of entry to all applications and supports anonymous access for users who have forgotten their passwords.

FastPass enables self-service enrollment and password resets as well as self-service account mapping, utilizing the same Web UI and saving directly into Active Directory. Captured password resets can be synchronized across multiple platforms without integration to Microsoft Identity Integration Server (MIIS/ILM 2007).

FastPass helps reduce the workload of the Help Desk, increases end-user productivity and strengthens security.

A Password Management solution from FastPassCorp saves both time and money for all parties involved:

For Executives:
- Reduce workload in the help desk
- Make it possible for your employees to access systems even when the Help Desk is closed
- Enhance security
- Leverage past investments in Active Directory or ADAM
- Achieve ROI within 3-9 months (no investment needed)

For Help Desk Managers:
- Remove 30% of calls to the help desk
- Enhance logging and reporting
- Significantly lower total cost per forgotten password
- Increase employee satisfaction
- Easy implementation (from minutes to days depending on complexity)
- Easy roll-out using automated enrollment services

For Employees:
- Extremely fast solution to a forgotten password situation
- Access to systems 24/7/365
- No need to involve others
- No barrier to comply with strict password security policies
- Simple to use

2.1 The architecture of FastPass Password Manager

The following describes and illustrates the architecture of FastPass Password Manager.

From a user perspective the Password Manager offers web-based self-service features to maintain passwords in the enterprise. This is what is illustrated below.

Logically the Password Manager Server is built of multiple sub-components, each offering its own set of functions for the total solution. The main components are listed in the table below:

Component: Backend Server
Description: Implements the control of all end-user transactions, communication to the Gateway Server, scheduled discovery of users in the domain infrastructure, control and coordination of password synchronizations, invitations of users and much more.

Component: Client Server
Description: Implements the Web interface for the end-users and communicates with the Backend Server.

Component: Gateway Server
Description: Implements the access to the domain infrastructure and other Password Sync target systems.

All three main components are by default installed on the Password Manager Server and are directly configured to operate together. A full implementation can be built on additional Client Servers and Gateway Servers, and this is shown in the illustration below.

The solution is built as a service-oriented architecture, meaning that all main components are web services implemented in Microsoft Internet Information Server (IIS) and communicating using SOAP over HTTPS.

2.2 Integration to Microsoft Active Directory

Password Manager supports easy integration into multiple Microsoft Active Directories from a single implementation. The configuration is done from the Password Manager Administration Client, implemented as part of the Password Manager Backend Server. The communication to the Active Directory infrastructure is done from the Password Manager Gateway Server. The integration is implemented using LDAP v3 communication, and this can optionally be implemented to use either secure mode or SSL mode. Secure mode is the default and the one used by Microsoft Active Directory internally for synchronizing passwords between Domain Controllers.

Password Manager requires the following parameters to be configured to be able to access a Microsoft Active Directory Domain.

Parameter: Domain Name
Description: The fully qualified domain name of the domain, like mycorporation.com.

Parameter: Domain Alias
Description: A label, typically the same as the NetBIOS name for the domain, which is what is shown in desktop login interfaces.

Parameter: LDAP Base DN
Description: The distinguished name (DN) to use as the offset in the LDAP tree structure. This can point to an Organizational Unit (OU), like OU=Employees,DC=mycorporation,DC=com, or to the root node, like DC=mycorporation,DC=com.

Parameter: Connection Mode
Description: The connection mode to use for the communication. Microsoft Active Directory offers the modes normal, secure and SSL, but Password Manager only supports secure and SSL mode. The secure mode uses Kerberos for the authentication, which depends on normal domain communication from the Password Manager Gateway Server to the Domain Controller in addition to communication on port 389 (TCP). The SSL mode requires a certificate to be installed on the Domain Controller, which is not a trivial task, but as an advantage it only requires communication on port 636 (TCP) from the Password Manager Gateway Server to the Domain Controller.

Parameter: Domain Account Name
Description: The name of the account with privileges to read user attributes and to reset passwords.

Parameter: Domain Account Password
Description: The password for the account specified.

All parameters are stored in the Password Manager Data Storage (ADAM / AD LDS), and sensitive information like account name and password is stored with strong encryption. (ADAM and AD LDS are both names for the database that FastPass uses for storing data. Under Windows Server 2003 the name was ADAM; under Windows Server 2008 the name has changed to AD LDS. Further in this document AD LDS will be used, but essentially they are identical.)
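As an added illustration of the parameter rules above (example code, not FastPass's own), the following Python checks that a proposed AD connection configuration is internally consistent before it is stored: the connection mode is one of the two supported modes, the port to be opened from the Gateway Server matches that mode (389 for secure, 636 for SSL), the LDAP Base DN is well-formed, and the DN sits inside the domain named by Domain Name. The config dictionary, the hypothetical ldap_port field and the account values are constructed for the example.

```python
import re

# TCP port the Gateway Server must reach on the Domain Controller per supported
# connection mode; AD's "normal" mode is deliberately absent.
MODE_PORTS = {"secure": 389, "ssl": 636}
RDN_RE = re.compile(r"^(OU|DC|CN)=([^,=]+)$", re.IGNORECASE)

# Constructed sample; "ldap_port" is a hypothetical extra field, not a guide parameter.
SAMPLE_CONFIG = {
    "domain_name": "mycorporation.com",
    "domain_alias": "MYCORP",
    "ldap_base_dn": "OU=Employees,DC=mycorporation,DC=com",
    "connection_mode": "secure",
    "ldap_port": 389,
    "domain_account_name": "svc-fastpass",     # constructed placeholder
    "domain_account_password": "placeholder",  # constructed; never keep in clear text
}

def parse_dn(dn):
    """Split 'OU=Employees,DC=mycorporation,DC=com' into (type, value) pairs."""
    parts = []
    for rdn in dn.split(","):
        match = RDN_RE.match(rdn.strip())
        if not match:
            raise ValueError("malformed RDN: %r" % rdn.strip())
        parts.append((match.group(1).upper(), match.group(2).strip()))
    return parts

def expected_root_dn(domain_name):
    """mycorporation.com -> DC=mycorporation,DC=com (lower-cased for comparison)."""
    return ",".join("DC=%s" % label for label in domain_name.lower().split("."))

def validate_ad_config(cfg):
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []
    mode = str(cfg.get("connection_mode", "")).lower()
    if mode not in MODE_PORTS:
        problems.append("connection_mode must be secure or ssl, got %r" % cfg.get("connection_mode"))
    elif cfg.get("ldap_port") != MODE_PORTS[mode]:
        problems.append("%s mode uses TCP %d, config says %r" % (mode, MODE_PORTS[mode], cfg.get("ldap_port")))
    try:  # the base DN must be well-formed and sit inside the domain named by domain_name
        dcs = [(t, v.lower()) for t, v in parse_dn(cfg.get("ldap_base_dn", "")) if t == "DC"]
        if ",".join("%s=%s" % rdn for rdn in dcs) != expected_root_dn(cfg.get("domain_name", "")):
            problems.append("ldap_base_dn is not inside domain %r" % cfg.get("domain_name"))
    except ValueError as exc:
        problems.append(str(exc))
    if not (cfg.get("domain_account_name") and cfg.get("domain_account_password")):
        problems.append("domain account name and password are both required")
    return problems
```

Running validate_ad_config on the sample returns an empty list; switching the mode to "ssl" without changing the port, or typing the DN without the "=" signs, each yields one descriptive problem.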

3. Installing FastPass Password Manager

The task of installing FastPass Password Manager can be described as in the following list:

1. Preparing the installation
   a. Defining the deployment architecture
   b. Creating user accounts and groups
   c. Preparing the application server
      1. Implementing pre-requisites
      2. Preparing IIS servers
      3. Installing ADAM/AD LDS and/or creating an ADAM/AD LDS instance
   d. Preparing the target AD
   e. Requesting a FastPass Password Manager license
2. Installing and configuring the software
   a. Installing FastPass Password Manager
   b. Preparing the AD LDS instance for FastPass Password Manager
   c. Initializing the FastPass Password Manager solution
   d. Configuring the FastPass Password Manager solution

When the steps and requirements are known, the actual installation can be done in less than half an hour. It is recommended that all details of accounts, groups, hostnames and IP addresses are carefully noted and kept securely for later use.

3.1 Preparing the Installation

Generally, it is recommended that all machines be patched and scrutinized for security optimizations. FastPass Password Manager is a password management application that requires to be highly and efficiently secured. Special care should be taken on passwords for the accounts used by FastPass Password Manager.

3.1.1 Defining the deployment architecture

The architecture of the FastPass Password Manager solution is very flexible, meaning that it can be implemented in many different ways reflecting various requirements. For most implementations a single server or two servers are sufficient, and these can without problems also be running as virtual servers and/or on shared servers. This typical environment looks like shown in the illustration below.

To support large multi-organizational and Service Provider needs, where network complexity and security disallow the communication to go from a central server to AD servers or other target types on remote networks, additional servers might be required. For this scenario FastPass Password Manager can be installed with multiple Client Servers and/or multiple Gateway Servers. The illustration below gives an example of such a deployment scenario.

No matter what deployment scenario is needed, fault tolerance is always a concern, and since FastPass Password Manager only uses well-known technologies such as IIS and AD LDS, there is built-in support for using various clustering technologies like Microsoft Cluster. Since FastPass Password Manager is also relatively uncomplicated to handle when it comes to backup and restore exercises, it is also not uncommon that customers choose this as their fault tolerance strategy, where a new environment can typically be built in just 30 minutes.

In the remaining sections of this document the typical deployment architecture is described. For information about complex deployments please contact us by sending an email to support@fastpasscorp.com.

3.1.2 Creating User Accounts and Groups

FastPass Password Manager makes use of a number of accounts and groups which shall be created prior to the installation. All accounts can be named as wanted, or existing accounts can be used. The use of accounts doesn't have to be consistent throughout managed domains, but we recommend that a standard similar to this is used.

NOTE: If our suggested names are not planned to be used, it is recommended to write the alternate names in the schema.

ACCOUNTS

Account: FPADAMUser
Description: Used to manage the ADAM instance used for the FastPass data repository.
Username:
Password:
Member of: Domain Users or Users
Special privileges: n/a
Where to create: In the domain of the FastPass Backend Server or as a local user on the FastPass Backend Server.
Note: The create ADAM instance tool delivered by Microsoft does not allow blanks and certain special characters in passwords for this account.

Account: FPIISUser
Description: Used to run the IIS Application Pool.
Username:
Password:
Member of: Domain Users or Users; IIS_WPG or IIS_IUSRS (local group)
Special privileges: Log on as a batch job
Where to create: In all domains hosting FastPass components or as local users on all servers hosting FastPass components.
Note: This account can be created by the FastPass installers. Just specify the username and the installer will prompt for confirmation to create the account.

Account: FPGWUser
Description: Authentication to Gateways for remote configuration
Username:
Password:
Member of: Domain Users or Users; FPGWGroup
Special privileges: Log on locally
Where to create: In all domains hosting the FastPass Backend Server or FastPass Gateway Server components or as
