Jump to content


  • Content Count

  • Joined

  • Last visited

  • Days Won


Everything posted by support

  1. Passwordstate is a self hosted website, and all websites using the secure HTTPS protocol require a certificate which the browser analyses and determines whether it is secure or not. This forum post will help you understand the different certificate types, and will guide you through the process of using these different types of certificates. Part One: Certificate Best Practices A good certificate should come from a trusted source, and should also match the URL of your Passwordstate website. All certificates have an expiry date which can range from a year to many years, depending on the certificate source. There are three different types of certificates that Click Studios recommends for your Passwordstate web site, all have their pros and cons. There are Self Signed Certificates, Certificates issued from an internal Certificate Authority, and Certificates issued from an online Authority. Part Two: Self Signed Certificates When you install Passwordstate for the first time, the default URL that is chosen by the installer is the name of your server, as under most circumstances this should have a functioning DNS entry for you already. It is possible to change the URL to anything you like during the initial install, but if you change it you must ensure you create a new functioning DNS entry for this URL. Whether you leave the default URL as the server name, or choose a custom URL, the installer process will create a Self Signed certificate that matches that URL. This is the first step in getting your browser to trust the certificate which makes for a nicer end user experience. Pros: * Easy to create, can just use Powershell whenever needed * Free Cons: * Browsers don't trust them by default * Will require manual work to get browser to trust them * Cannot use a wild card with this type of certificate When to Use: * If you are only a small corporation * Don't have many users * Do not wish to spend any money on a certificate * Do not intend on accessing Passwordstate outside your own network * Do no mind installing a certificate for via your Browser as a once off process for each machine, or every time your Browser cache is emptied Links related to Self Signed Certificates: Creating a new Self Signed Certificate: https://www.clickstudios.com.au/community/index.php?/topic/1948-create-new-self-signed-certificate-powershell/ Changing the Passwordstate URL to something custom: https://www.clickstudios.com.au/community/index.php?/topic/1465-changing-the-passwordstate-url/ Fixing a browser warning if it does not trust the certificate - Follow Section 12 in this document: https://www.clickstudios.com.au/downloads/version8/Installation_Instructions.pdf Part Three: Certificate Issued from an internal Certificate Authority (CA) An internal certificate authority is a role that you enable on one or more of your domain controllers, assuming you have Passwordstate installed on a computer joined to a domain. Once you enable this role on your server, you can issue certificates for applications that require a certificate, that will be running on your domain. Certificates from an internal CA are trusted by default by your browser, as long as you are accessing Passwordstate from a domain joined machine. Pros: * Better security * Free * Browsers will not complain if accessing Passwordstate from a domain joined machine * can use a wildcard certificate, meaning you can have multiple URLs with the same certificate Cons: * Requires a configuration change to your domain controller * Browsers will still complain if you access Passwordstate outside your own network, or from a non domain joined machine When to Use: * If you have Passwordstate joined on a domain joined server * You already have an internal CA set up is a bonus * You do not anticipate accessing Passwordstate from outside your own network, or from a non domain joined machine Links related to Internal CA issued certificates: How to set up a internal Certificate Authority: https://www.clickstudios.com.au/community/index.php?/topic/2934-how-to-set-up-a-internal-certificate-authority/ Generate a certificate from an internal CA, and use it on your Passwordstate website: https://www.clickstudios.com.au/community/index.php?/topic/1952-generate-a-new-certificate-from-active-directory-certificate-authority/ Changing the Passwordstate URL to something custom: https://www.clickstudios.com.au/community/index.php?/topic/1465-changing-the-passwordstate-url/ Part Four: Using an Online Certificate Authority There are business online that you can use which will issue you the most secure type of certificate for your Passwordstate website, but these do come at a cost. The certificates can either come with a static DNS name or for a little more money you can buy a wildcard certificate. Click Studios are not affiliated with any online certificate authorities, and therefore would prefer not to recommend any of these over another one. We'd recommend Googling online certificate authorities and making your own decision on who to go with. Pros: * Most secure type of certificate that all browsers will accept without issue * Best end user experience if access Passwordstate from inside, or outside your own network, and from non domain joined machines Cons: * There is a cost involved with these types of certificates When to Use: * Can be used in Passwordstate under all circumstances, whether you are a big or small company, and if you are accessing Passwordstate from anywhere * Ideal for using when accessing Passwordstate outside your own network, or from non domain joined machines * wild card certificates can also be reused for other Passwordstate features, like the Browser Based Gateway, the Self Destruct Site or maybe the Mobile website * If you are an MSP, and intend on using the Browser Based Gateway with multiple Remote Sites across the internet, a wildcard certificate of this type is required. This will allow you to RDP and SSH into remote networks, for more information about this, please request advice from Click Studios Support. Links related to Online Certificate Authorities Changing the Passwordstate URL to something custom: https://www.clickstudios.com.au/community/index.php?/topic/1465-changing-the-passwordstate-url/ If you still have any questions about any of the information above, please log a support call with Click Studios on support@clickstudios.com.au Regards, Support
  2. Hi Dave, Out of curiosity, are you saying the email we send is being rejected, as the email itself is quite small, and no mail server or client should reject that? Regards Click Studios
  3. Hi Dave, Unfortunately we do not have a feature where this email can be customized - we will look into it in a future release though. Regards Click Studios
  4. Hi Karen, Below are some screenshot to show you how to convert the permission model to propagate down. We also have many training videos for customers on our Youtube channel here which might help - https://www.youtube.com/c/clickstudiospasswordstate/videos
  5. Hello Karen, I've reviewed the code, and we do not hide this button for any reason, only disable it if you do not have the required permissions. Could you let us know what build of Passwordstate you are using, and provide a screenshot like mine below?
  6. Hi Wouter, We've seen this before when the columns in the csv file do not match the fields selected for the Password List, but I'm not sure if this is the case if you are using the supplied template. Could you contact us via the following page https://clickstudios.com.au/support-agreement.aspx, providing a screenshot of the fields selected for the Password List, and also a sample of your csv file? Thanks very much. Regards Click Studios
  7. Thanks very much Azkabahn - we appreciate it.
  8. Hi Chris, I've just tested this site, and it appears to be form filling okay for us. Below are two screenshots of how I have the record in Passwordstate configured - can you try yours in this format also? If that does not work , can you please check you do not have this URL saved as an Ignored URL. This can be checked on the screens Preferences -> Browser Extension tab, and Administration -> Browser Extension Settings -> Ignored URLs tab. Regards Click Studios
  9. Thank you Eric, that is very much appreciated and I'll try to test this as soon as I can. This will definitely help other users with Firefox:) regards, Support
  10. Hi Azkabahn, Thanks for the information. For us to design this in Passwordstate, where is slack would we send these notifications - would it be a direct message to yourself, or send the "emails" to a channel? Thanks very much. Regards Click Studios
  11. Hi Eric, Please use this URL below, and can you let us know if you get this working? We might create a Firefox GPO forum post too for other users. We haven't tested this ourselves yet, but if you run into any issues, we will set this up and document the process. https://www.mozilla.org/firefox/new/?utm_source=addons.mozilla.org&utm_medium=referral&utm_campaign=non-fx-button&utm_content=rta%3AQHBhc3N3b3Jkc3RhdGU Regards, Support
  12. Some users like to protect their Passwordstate web server by disconnecting it from the internet. Passwordstate will function fine when disconnected like this. Below are the scenarios where Passwordstate needs to communicate on the Internet, but none of these need to be used: 1. To check for new builds of Passwordstate - https://www.clickstudios.com.au/NewBuildInfo.xml 2. To download the upgrade file for the In-Place Upgrade feature - https://passwordstate-8665.kxcdn.com/passwordstate_upgrade.zip 3. Have I Been Pwned API Integration - https://api.pwnedpasswords.com 4. And the following 2FA authentication options: - Duo Authentication - Yubikey Authentication - SafeNet Authentication - SAML Authentication Upgrading without an internet connection can be found in Section 4 of this document: https://www.clickstudios.com.au/downloads/version8/Upgrade_Instructions.pdf We can also confirm that Passwordstate does not send any data from your network back to Click Studios. We encourage you to run something like Wireshark on your web server to trace outgoing traffic to confirm this. Regards, Support
  13. Issue: You have installed the Browser Based Gateway on your Passwordstate web server, but the Passwordstate-Gateway Service will not start. Part of the installation process is to export the Passwordstate certificate to a password protected pfx file, and then that password is encrypted and inserted into the gateway.conf file. If this encrypted password is missing or incorrect, then the service will not start. One way to test this is the issue is to set the SSL value to false, as per below screenshot, and then try starting the service again. If the service starts then this indicates a problem with the certificate. Change the SSL value back to true after this test. To fix this, follow these steps: 1. Export the certificate again by following Section 6 in this document: https://www.clickstudios.com.au/downloads/version8/Passwordstate_Remote_Session_Launcher_Gateway_Install_Guide.pdf 2. Confirm the exported certificate is called Passwordstate.pfx and copy it into your c:\inetpub\passwordstate\hosts\gateway folder, overwriting the existing certificate if it exists 3. Run the following Powershell script when logged into your web server, but change the password from Welcome123 to the password you set when exporting the certificate cd C:\inetpub\Passwordstate\hosts\gateway java.exe -cp SparkGateway.jar com.toremote.gateway.Encryption Welcome123 -q This will give an output as per below screenshot: 4. Copy this value and place it into your gateway.conf file, as per below screenshot, and save this change 5. Now try to start the Passwordstate-Gateway service again. If this still does not help, please contact Click Studios support. Regards, Support
  14. Hello Andreas, We've responded to you support email for this overnight. We suspect you must have made a typo in the web.config file during your migration, but please email that to us and we can take a look. Regards Click Studios
  15. Hi Eric, Are you asking for a link to download the source code from our web site, or are you asking for a link to the extension within Firefox's store? Thanks very much. Regards Click Studios
  16. Hello, With the Discovery Job, screenshot below, you can disable the option for resets, but we do not have an option to not specify an expiry date - mainly because doing that is not best practice. You can change the 'Default Password Reset Schedule' on the Password List itself though, and extend the Expiry Date out into the future for what ever time period you choose. Regards Click Studios
  17. Hello Sap, Sorry, but we do not have an official module for this. Regards Click Studios
  18. Hi, Out of curiosity, where is slack would we send these notifications - would it be a direct message to yourself, or send the "emails" to a channel? Regards Click Studios
  19. Hi Tobias, Unfortunately we do not currently have a feature for what you need. Out of curiosity, how many Password Lists do you currently use? I'm asking because there is a setting on a Password List called 'Disable Email Notifications for this Password List', so you could enable this on all Password Lists that you do not want to see these email notifications for. Regards Click Studios
  20. Hello Sap, Can this tool called SaltState make calls to API's in other software? If so, then it might be possible to integrate the two products? Regards Click Studios
  21. No problems at all - you would not have know the other account types were possible. Regards Click Studios
  22. Occasionally you may find that you have a website credential saved in Passwordstate, but when you browse to the website the extension will not automatically fill those credentials. Generally this is caused by having the website saved as an "Ignored URL" in Passwordstate, and by design this feature prevents the credentials from being filled. Here's where to check for Ignored URLs: 1. Under your personal Preferences, look for the Ignored URL under the Browser Extension tab. If you find it in here you should delete it via the Action Menu: Ignored URLs can also be set globally under the Security Administration area. Look for the URL under Administration tab -> Browser Extension Settings as per below screenshot. If you find it under here, also delete it via the Actions menu, and if you do not have access to this Administration tab, please contact your Security Administrator and ask them to remove this Ignored URL for you: If you find and delete an Ignored URL, try closing your browser and reopening it to pick up this change. If you now refresh your website that wasn't auto-filling, you should now see the credentials populate automatically. If this forum post does not help, please contact Click Studios on support@clickstudios.com.au and we'll do our best to help. Regards, Support
  23. The PassiveNode setting in your c:\inetpub\passwordstate\web.config file controls the behaviour of your Passwordstate website, and the Passwordstate Windows Service. This is where your PassiveNode is set: If you do not see your PassiveNode in the web.config file in clear text like the screenshot above, then your web.config file will be encrypted. Please see this forum post for more information on this: https://www.clickstudios.com.au/community/index.php?/topic/2699-encrypting-and-decrypting-the-webconfig-file/ To explain the PassiveNode values: False = your Passwordstate website is in fully functional, read/write and the windows service is fully operational. Your primary server should always be set to False Active = The website is in Read/Write mode, but the windows service is limited. ie it does not perform syncs or password resets, or send out user emails. True = the website is in Read only mode and the Windows service is also limited. Basically, set the primary web.config to False always, and the secondary web.config to either True or Active, depending if you want the website to be in Read/Write mode, or just Read Only mode. If you need to change the value of the PassiveNode for any reason, please restart your Passwordstate Windows Service to pick up this change. Restarting the Windows service is non disruptive for your end users. Regards, Support
  24. Hi, Sorry, just to clarify, when you say 'Local Auth' are you using the Forms Based authentication version of Passwordstate? We do have local account logins, when integrated with Active Directory, so thought I would ask. The screenshot below will allow you to determine this. Regards Click Studios
  25. Hello, You can use the following article as a guide for this migration - https://www.clickstudios.com.au/downloads/Forms_to_AD_Migration.pdf If you have any questions about it, please let us know. Regards Click Studios
  • Create New...