If you choose to integrate Passwordstate with your Active Directory domain, there are various features available to you to make role-based access management easier, as well as various authentication options.
During the initial installation of Passwordstate, you are presented with two Authentication Options: Active Directory Integrated, and Forms Based Authentication. To use the AD-authenticated version, ensure your web server has been joined to the domain; the features below will then be available to you.
Active Directory Authentication Options
There are a total of 15 different types of Authentication Options in Passwordstate, of which 8 are integrated with Active Directory. The options are:
- Single Sign-On
- Manual AD Authentication
- Manual AD and Google Authenticator
- Manual AD and RSA SecurID Authentication
- Manual AD and ScramblePad Authentication
- Manual AD and Email Temporary Pin Code
- Manual AD and AuthAnvil Authentication
- Manual AD and Duo Push Authentication
- Manual AD and SafeNet Authentication
- Manual AD and One-Time Password
The Single Sign-On (Passthrough) authentication option is the default authentication type, and it allows you to authenticate to Passwordstate without having to manually enter your domain credentials.
The other 9 'Manual AD' authentication options present a login dialog window where you must manually enter your domain credentials.
Permissions and Role Based Access
Access to all Passwords in Passwordstate is permission based, using Read, Modify or Admin rights. When integrated with Active Directory, you can apply permissions using Active Directory Security Groups, rather than only to individual users' Active Directory domain accounts.
The majority of the menus and features in Passwordstate are also role-based, and again Active Directory Security Groups can be used.
Using Security Groups to apply permissions everywhere makes it quite simple to establish your own Role-based Access Controls: import Security Groups of a certain type/role, e.g. Sys Admins, Database Admins, etc., and when new users are added to those security groups, permissions are automatically granted to them.
User Account Status Synchronization
In addition to synchronizing members of security groups, the status of a user's account in Active Directory can also be synchronized. If their account in AD is disabled, it will automatically be disabled in Passwordstate, preventing any further access to passwords.
If their account is deleted in AD, there are multiple options as to what happens to their account in Passwordstate: you can delete it, disable it, or do nothing with it.
Both the synchronization of User Account status and of security group memberships can be run on a schedule, ranging from every 5 minutes up to once a day.
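The two synchronization behaviours described above (security-group membership driving Read/Modify/Admin permissions, and AD account status driving the application account's status, including the delete/disable/do-nothing choice for accounts removed from AD) can be expressed as a single reconciliation pass. The following is an added example written for this page, not Passwordstate's own code; the AD snapshot, the group-to-permission mapping, the user records and the function names are constructed assumptions for illustration.

```python
"""Reconcile an application's user permissions and account status against a
snapshot of Active Directory (added example; not Passwordstate's own code)."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Permission levels in ascending order of privilege (Read < Modify < Admin).
LEVELS = ("Read", "Modify", "Admin")


@dataclass
class AdUser:
    """Constructed view of one AD account: enabled flag and security groups."""
    enabled: bool
    groups: Set[str]


@dataclass
class AppUser:
    """Constructed view of one application account and its current permission."""
    enabled: bool
    permission: Optional[str]  # current level on a password list, or None


# Constructed role mapping: which security group grants which level.
GROUP_PERMISSIONS: Dict[str, str] = {
    "Sys Admins": "Admin",
    "Database Admins": "Modify",
    "Help Desk": "Read",
}


def effective_permission(groups: Set[str]) -> Optional[str]:
    """Highest level granted by any of the user's mapped groups, or None."""
    levels = [GROUP_PERMISSIONS[g] for g in groups if g in GROUP_PERMISSIONS]
    return max(levels, key=LEVELS.index) if levels else None


def sync(ad_users: Dict[str, AdUser], app_users: Dict[str, AppUser],
         deleted_policy: str = "disable") -> List[Tuple[str, str]]:
    """Return (username, action) pairs that bring app_users in line with AD.

    deleted_policy is the choice for accounts that no longer exist in AD:
    'delete', 'disable' or 'nothing'. Accounts disabled in AD are disabled
    here; permissions are re-derived from group membership on every pass,
    so a user dropped from a group loses the level that group granted.
    """
    if deleted_policy not in ("delete", "disable", "nothing"):
        raise ValueError(f"unknown deleted_policy: {deleted_policy}")
    actions: List[Tuple[str, str]] = []
    for name, app in sorted(app_users.items()):
        ad = ad_users.get(name)
        if ad is None:  # account deleted from AD
            if deleted_policy != "nothing":
                actions.append((name, deleted_policy))
            continue
        if not ad.enabled and app.enabled:  # account disabled in AD
            actions.append((name, "disable"))
        wanted = effective_permission(ad.groups)
        if wanted != app.permission:
            if wanted is None:
                actions.append((name, "revoke-permission"))
            else:
                actions.append((name, f"set-permission:{wanted}"))
    return actions


# Constructed sample data for a single scheduled pass.
AD_SNAPSHOT: Dict[str, AdUser] = {
    "alice": AdUser(True, {"Sys Admins"}),
    "bob": AdUser(False, {"Database Admins"}),        # disabled in AD
    "carol": AdUser(True, {"Help Desk", "Database Admins"}),
    "dave": AdUser(True, set()),                        # removed from all groups
}
APP_USERS: Dict[str, AppUser] = {
    "alice": AppUser(True, "Admin"),
    "bob": AppUser(True, "Modify"),
    "carol": AppUser(True, "Read"),
    "dave": AppUser(True, "Read"),
    "erin": AppUser(True, "Read"),                      # deleted from AD
}

if __name__ == "__main__":
    for user, action in sync(AD_SNAPSHOT, APP_USERS):
        print(f"{user}: {action}")
```

Running the block lists one action per change: bob is disabled, carol is raised to Modify because Database Admins outranks Help Desk, dave loses his Read permission, and erin (no longer in AD) is handled according to the deleted-account policy, which defaults to disable here.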
Resetting Passwords in Active Directory
It's also possible to store Active Directory accounts in Passwordstate, and then reset the password in Active Directory when required - either manually when needed, or on a schedule you choose.
If the AD account being reset is used for other Resources on your network (Windows Services, Scheduled Tasks, IIS Application Pools and COM+ Components), then these Resources can also have their passwords changed.
Unlock, Disable and Enable AD Accounts
There is also a feature called 'Active Directory Actions'. This feature is of great use to Help Desk staff, as they can reset users' accounts on the domain, and then select one of the following actions to process for the AD account:
- Unlock this account if locked
- User must change password at next logon
- Disable this account
- Enable this account