[Tips & Tricks] Configuring high availability in ADSelfService Plus
ADSelfService Plus utilises automated failover to support high availability in case of system and product failures. Essentially, this means that when the ADSelfService Plus service fails on one machine, another instance of ADSelfService Plus running on another machine automatically takes over. Before configuring high availability in ADSelfService Plus, make sure that the following conditions are satisfied. Condition 1: Download and install ADSelfService Plus on two separate machines. If you already
[Tips & Tricks] How to prevent concurrent logins for a user in ADSelfService Plus
Concurrent logins can lead to the use of valid credentials by illegitimate personnel at the same time as the legitimate user to authenticate to the network. This could lead to multiple security issues within the organization like misuse of the user's personal information or resources to perform unauthorized actions. This can also result in the user being wrongly held accountable for the harmful actions of another user with malicious intent. In ADSelfService Plus, when a user is logged in from multiple clients,
Photo Attribute used in ADSelfService
Where does the user's photo come from? We have deleted all our user photos (long story) but there are a number of users that still show a photo. I have checked and none of these users have the photo, or jpegPhoto or thumbnailLogo or thumbnailPhoto attributes populated! I have cleared cache, new profile and even a new workstation, but the photo remains. Thanks Bob
Password Synchronization with Novell eDirectory (openLDAP)
How do you set up an openLDAP Password Sync? Specifically I want to link an old Novell eDirectory (more or less openLDAP) change the passwords at the same time. I've followed the documentation (what I can find) and it doesn't really seem to be the right. The "Domain Name" in the example says (dc=example,dc=com) but we use (o=companyname) As for the user, the FQDN would be (cn=admin,ou=admins,o=companyname) but I eventually tried just cn=admin,ou=admins hoping that it would append the "Domain Name"
issue with format of Password Expiry notification
Since updating to version 5.6 (5600), the formatting of the email for Password Expiring is not following the spacing and character settings we used in the editor. The text is all saved without formatting. Also, we cannot delete the existing notification (in attempts to create a new one). Creating yet another one seems to save, but it does not show up. We are using the Free edition of the SelfService Plus for password expire notifications.
[Free White Paper] Common password attack methods and how not to become a victim
Verizon data breach investigations report (2018) revealed that over 43,000 successful accesses via stolen credentials were recorded in 2017. Hackers are incessantly looking for vulnerabilities in any form to intrude into your network. Even if one account in your network is compromised, there's a high chance of sensitive data leakage. How do you prevent this? How do you secure your privileged user accounts and passwords? Read our expert's guide "Shifting landscape of passwords and how to keep up with
ADSelfService Plus 5601 released with Hebrew language support.
We've updated ADSelfService Plus to 5601. This release includes the following enhancement: Highlight: ADSelfService Plus now supports Hebrew language. How to update? Update using service pack. New to ADSelfService Plus? Download the latest version of
Force Password Change on Enrollment
How can I force users to change their password after enrolling?
Clear Enrollment
How does my help desk staff clear security questions for someone who forgot their answers? My staff has "Operator" role in the "Technician Settings." They do not have an option to clear enrollment or questions for users. There are only 2 roles, admin and operator. Or maybe there is another way?
Cannot generate CSR
Hi, I installed selfservice on windows server. I went to the admin area and filled out the generate CSR form. I click generate and nothing happens. Any ideas?
Two Factor Authorization Problems
Hello everybody, I would like to implement the two factor authorization. That works so far. If a user wants to reset his password he must connect to the Webportal and log in with his domain user name. In the next step the user can choose the option how he would like to reset the password. Either by mail or via the Mobile Phone Number. Is there a way to ban this selection? I would like the user only needs to specify his domain user name and then automatically gets an SMS on the deposited Mobile Phone
Selfservice not starting after new certificate install
Hi there, I have my own domain rootCA and issued a certificate after completing the csr process. I imported the certnew.cer into the selfcert.keystore file. Moved the selfcert.keystore file to the ./conf folder. Here is the SSL block in my server.xml: <Connector SSLEnabled="true" acceptCount="100" clientAuth="false" connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/selfcert.keystore" keystorePass="mypass" maxSpareThreads="75" maxThreads="150"
Limit "Search Employee" and "Organization Chart" results
Is there a way of limiting the above searched to a specific OU or a custom LDAP Filter? Also, is it possible to remove the "[Change]" link after the " Organization Chart for Domain"? Thanks Bob
Making a "New Custom App" for Password Synchronization
I must say, there are a large number of premade connectors for password synchronization, however I have a number of legacy applications (most built in-house) that are going to need custom apps. However the setup seems to be limited to SAML applications. Is there a way to use a custom made script? Thanks Bob
Using DUO when Unlocking Account/Resetting password
I've enabled DUO security as per the documentation (https://www.manageengine.com/products/self-service-password/kb/duo-enabled-two-factor-authentication.html) but when I try the unlock/password reset feature I never get a DUO notification! I verified that the server can access the "API hostname", however we do have a local DUO proxy server. Any idea where I might look for a solution? Thanks Bob
Admin Login option gone
I made a customized login page logo change, and now I can't find the tab to allow for admin login. How do I restore the ability to login as an admin? Is there another port or page to access the admin login directly or does it share the function with the standard domain user login only?
ADSelfService Plus & Symantec VIP for MFA
Has anyone successfully integrated ADSelfService Plus with Symantec VIP for multi-factor user authentication during "forgot my password" and "unlock account" actions? If yes, can you share details how did you perform the integration?
SAML Authentication using ADFS?
Hi @ all, I was wondering if it's possible to use the new SAML-Feature with ADFS? Because, every time we want to upload the given SP_Metadata.xml into the ADFS, we are getting the attached Error-message. (ADFS-error) Alternatively: Could you please state, which type of Data from the SP_Metadata.xml you have to enter in the following pictures 01 to 03, when trying to add it manually? Thanks in advance!
[Tips & Tricks] How to synchronize Active Directory passwords with ServiceNow using ADSelfService Plus
ServiceNow provides cloud-based IT Service Management (ITSM) software that comes bundled with user self-service options to meet the various needs of enterprises. With the help of ADSelfService Plus's real-time password synchronizer, users can now log in to their ServiceNow accounts with their Active Directory passwords. This will enable users to use the same set of credentials across both the platforms, thereby eliminating the need to remember multiple passwords. Prerequisites: You will need a
ADSelfService Plus 5600 released! Sports a new flat UI for its password expiration notifier free tool
ADSelfService Plus’ free tool—Password Expiration Notifier—gets a makeover with a new flat user interface for easier configuration. We’ve also fixed some issues in this release. Highlight: The Password Expiration Notifier free tool gets a makeover with a new flat user interface that makes configuring password expiration notifications easier than ever. Issues fixed: Issue in expanding parent OUs to select child OUs in the GINA/Mac logon agent installation page. Issue in disabling product and event
HA
Is there configuration for HA?
[Tips & Tricks] Verify users' identities using SAML-based identity providers during self-service password reset and account unlock
In the long list of multi-factor authentication options that ADSelfService Plus supports, the latest addition is SAML Authentication. Verification of user's identity is done using SAML-based identity providers like OneLogin or Okta. When SAML Authentication is enabled in ADSelfService Plus, users are routed to their identity provider login URL for authentication, during password self-service operations. After successful authentication in the identity provider, users are redirected back to the ADSelfService
[Tips & Tricks] How to integrate Zendesk with Active Directory (AD) for password synchronization using ADSelfService Plus?
Last week, we saw how ADSelfService Plus facilitated password synchronization between IBM servers and Active Directory. This week, let’s learn how to integrate Zendesk with Active Directory for password synchronization using ADSelfService Plus. ADSelfService Plus’ Real-time Password Synchronizer helps ensure users have only one password between different applications to reduce password related issues. This means, every time a user resets or changes his/her AD password, the new password will automatically
GINA on Thin Clients
Hi, We just started using ADSelfService, it's working well so far. But we reached a little issue, the GINA client is not installing well on some Thin Clients. To be specific, on thin clients with "Windows XP Embedded" it's working well. On those that have Windows Embedded Standard 7 (HP), it returns the error "Fatal error during installation". We checked all permissions, removed the lock on these machines, but the result is always the same. Is there a solution for this, or just Windows Embedded 7 is not
The ManageEngine ADSelfService Plus service terminated with service-specific error %%-1.
Hi there, I have self service set up on a server, changed the port to 80, installed the app as a service, changed the login to a domain admins account. When I start the service I get "The ManageEngine ADSelfService Plus service terminated with service-specific error %%-1." I can log in though. Any ideas why this is crashing or not working?
ADSelfService Plus - Redirect HTTP to HTTPS
Hello - We're running v5.5, build 5521. We've successfully enabled SSL to port 443. So, accessing https://ad.mydomain.com takes users to the SSL enabled version of the login page. The way I understood it, once SSL was enabled, any HTTP requests should automatically forward to HTTPS. But, that doesn't seem to be the case for us. If a user enters either ad.mydomain.com or http://ad.mydomain.com, it takes them to a non-secure version of the site. In server.xml, the line beginning <Connector URIEncoding...
Mobile - Password Reset Screen Customization
Does anyone know a way (or the correct way) to customize the Password Reset screen on the mobile app? We're wanting to include a line for password restrictions (like - Use 3 of 4 items listed: Upper, Lower, Number, Special characters). Thanks for any thoughts or workarounds/hacks.
[Tips & Tricks] How to enable two-factor authentication for Windows logons using ADSelfService Plus?
With cyber-attacks on the rise, only having passwords as a defense mechanism is no longer safe. An additional filter is required to weed out unauthorized users. ADSelfService Plus handles the above issue by supporting two-factor authentication (TFA) to all Windows local and remote login attempts. Once this feature is enabled, users will be required to input their Active Directory domain credentials, and additionally get authenticated via the selected TFA method configured in ADSelfService Plus.
ADSelfService Plus (5521) now supports SAML-based multi-factor authentication
The latest build of ADSelfService Plus supports SAML-based multi-factor authentication and fixes an important issue in the product. Features: SAML-based multi-factor authentication (MFA): For self password reset and account unlock, users can now be authenticated using SAML-based identity providers such as OneLogin and Okta. SAML-based SSO to access ADSelfService Plus: Allow users to authenticate themselves through SAML-based identity providers for a one click access to ADSelfService Plus. Enhancements:
[Free webinar] Active Directory based single sign-on. Login just once to access 100+ applications
The proliferation of enterprise applications in organizations subjects end-users to a password overhaul. As a result, users mix up their passwords, get themselves locked out or resort to extremely unsafe password storage methods like writing their passwords down. Wouldn't it be great if users can access all their applications using just one password without compromising security? That's exactly what single sign-on offers. Join us at our on-demand webinar where our product expert explains on how
[Tips & Tricks] How to clone existing policies in ADSelfService Plus?
ADSelfService Plus’ clone existing policy feature is a huge time saver. Consider a scenario in which you have to create different policies, with only minor or few differences, for different departments or sets of users. Instead of creating policies from the scratch, every time, you can just copy an existing policy, make the desired changes and save it. This article explains how to clone an existing policy, customize it and assign it to the required OU(s) or Group(s) or domain in ADSelfService Plus.
Display issue with "Password Policy Executor"
Hi, We just started using ADSelfService, it's working well so far. But we reached a little issue in our Windows 10 clients (1709-1803), the scroll bar is still empty. The password policy is not working. However, going through the custom GINA it works. Is there a solution for this? Regards
Translation bugs/Typos
During Self Enrollment when creating security questions the length infos are translated wrong to German: Längenangabe Die minimale Länge der Antwort(en) sollte 5 Zeichen sein, und maximal erlaubt sind 255 Zeichen Die minimale Länge der Antwort(en) sollte 4 Zeichen betragen, und maximal erlaubt sind 255 Zeichen The first one should be: Die minimale Länge der Frage(n) sollte 5 Zeichen sein, und maximal erlaubt sind 255 Zeichen Typo: When deploying the credential provider (windows) you get this as default
Mobile Access
Hi, Could you please advise what the difference is between 'Mobile site access' and 'Mobile app access' (as per attached screenshot)?
Force Enrollment Screen
When users are forced to enroll, they are presented with the ADSelfService Plus login screen. Once they enter their AD credentials to enroll they are sent to the Change Password screen and a popup window appears "Thanks for enrolling into ADSSP" "Click Yes to explore Self-Service options or No to quit." Most of our users get confused by this prompt or don't even read it and just click "Yes" and then proceed to change their password because they believe it's required for the enrollment. Is there a
Automated Email to Non-Enrolled Users
Hello, Does anyone know if it is possible to send an email to all non-enrolled users? There is the option of exporting a list of these users which can be used to manually send, but ideally if this could be automated ? Thanks
Automated email to Non-Enrolled Users?
We have a number of Non-Enrolled users, is there an automated way to send an email to all these users with the standard template? The workaround would be to download these users and manually email, but an automated process would help ... Does anyone know if this is possible ? Thanks
Redundant Installation?
Hi @ all. Is it possible to install the Application on two separate Machines, so if the first one is temporarily not available, the other one can handle the requests? Thanks in Advance.
ADSelfService Plus (build 5520) now supports Windows logon two-factor authentication.
The latest build of ADSelfService Plus supports two major features: Windows logon two-factor authentication support and password synchronization between Active Directory and ServiceNow. Highlight: Two-factor authentication for Windows logon: Improve security by enforcing two-factor authentication for local interactive and remote desktop logons to Windows clients and servers. ServiceNow password synchronization: Now synchronize users' Active Directory passwords with their ServiceNow accounts in real-time.
[Tips & Tricks] How to integrate IBM iSeries/AS400 with Active Directory for password synchronization using ADSelfService Plus?
ADSelfService Plus' Real-time Password Synchronizer assists administrators by ensuring that the password changes made natively in the Windows interface are synchronized with the IBM servers. Password Sync Agent accomplishes real-time synchronization in seconds, which means when users change or reset their Active Directory password, the new password will automatically be synced with the IBM servers. Note that the linking of AD accounts with the IBM servers can be done based on any AD attribute.