Password Reset Portal Installation
Instructions for installing the Self-Serve Password Reset Portal website.
System Requirements - General
Passwordstate’s Password Reset Portal (PRP) is an additional website that you’ll install on a Windows server of your choice with the following required components:
- Microsoft Windows Server 2016, 2019, 2022, 2025 or Windows 11
- Microsoft .NET Framework 4.7.2 or above
- A separate installation of Passwordstate, preferably configured using a trusted SSL Certificate, as the Password Reset Portal communicates with Passwordstate’s API
- Your domain must be at 2012 functional level or higher
- If using LDAPS instead of the default protocol “Kerberos” for domain communication, you will need an internal Certificate Authority, which allows for LDAP over SSL on port 636 (instructions included)
Architectural Overview
The Password Reset Portal (which we’ll refer to as PRP for the rest of this document) is an additional module available for Passwordstate, which is installed as its own stand-alone website.
The website can be installed on any Windows server of your choice, and typically you would host this in your DMZ, but it really depends on your requirements. You could install it on your existing Passwordstate webserver, on another shared server in your DMZ, or even on a server you have provisioned in the cloud.
The PRP website communicates securely back to your main Passwordstate website, with all traffic encrypted within the SSL tunnel. All business logic, such as authentication, verification and resetting passwords, is performed by your core Passwordstate website.
The PRP website is merely the front-facing website your users will access to initiate the resetting or unlocking of their Active Directory password.
From your PRP server, the appropriate ports must be open back to your Passwordstate web server. This is generally port 443, unless you are using a non-standard port for HTTPS.
By default, Kerberos will be used for communication back to your domain when password resets or account unlocks are requested, and ports 88 and 464 need to be open on your domain for this to work.
If you prefer to use LDAPS to communicate to your domain, you must also have a Domain Certificate Authority installed – instructions are provided in this document on how to install a CA.
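The requirements above can be checked before installation with a short pre-flight script. This is an added example, not part of the Passwordstate documentation or tooling; the hostnames are hypothetical placeholders, and the domain checks assume the script is run on whichever server will originate the domain traffic.

```powershell
# Pre-flight check for the PRP requirements listed above (added example).
# Hostnames are hypothetical placeholders; replace them with your own.
# TCP only: Kerberos can also use UDP, which this script does not test.
param(
    [string]$PasswordstateHost = 'passwordstate.example.internal',
    [int]$PasswordstatePort    = 443,   # change if HTTPS uses a non-standard port
    [string]$DomainController  = 'dc01.example.internal',
    [switch]$UseLdaps                   # check 636 instead of Kerberos 88/464
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false                   # DNS failure, refused connection, etc.
    } finally {
        $client.Close()
    }
}

# .NET Framework 4.7.2 or above corresponds to a Release value of 461808 or higher.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results = @([pscustomobject]@{
    Check  = '.NET Framework >= 4.7.2'
    Target = "Release=$($ndp.Release)"
    Pass   = ($ndp.Release -ge 461808)
})

$targets = @(@{ Name = 'Passwordstate HTTPS'; Server = $PasswordstateHost; Port = $PasswordstatePort })
if ($UseLdaps) {
    $targets += @{ Name = 'LDAPS'; Server = $DomainController; Port = 636 }
} else {
    $targets += @{ Name = 'Kerberos'; Server = $DomainController; Port = 88 }
    $targets += @{ Name = 'Kerberos password change (kpasswd)'; Server = $DomainController; Port = 464 }
}
foreach ($t in $targets) {
    $results += [pscustomobject]@{
        Check  = $t.Name
        Target = "$($t.Server):$($t.Port)"
        Pass   = Test-TcpPort -HostName $t.Server -Port $t.Port
    }
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }   # non-zero exit if any check failed
```

A failed row for 88, 464 or 636 usually points to a firewall rule between the DMZ and the domain controllers, which is worth resolving before the PRP site is exposed to users.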