
    Configuration

    The configuration of the PDS service is maintained in the PDS.config file. The service recognizes the configuration parameters specified in the table below.

    Note: This file is created upon the first start of the PDS service with default values. Changes can then be made either manually or via PowerShell cmdlets. The file content is preserved during uninstalls and upgrades of the PDS service.

    The PowerShell cmdlets that modify the content of the PDS.config file are:

    Supported Forest management:

    • Add-AdmPwdPdsSupportedForest
    • Set-AdmPwdPdsSupportedForest
    • Remove-AdmPwdPdsSupportedForest

    Managed Accounts Containers:

    • Add-AdmPwdPdsManagedAccountsContainer
    • Set-AdmPwdPdsManagedAccountsContainer
    • Remove-AdmPwdPdsManagedAccountsContainer

    SID Mappings:

    • Add-AdmPwdPdsSidMapping
    • Set-AdmPwdPdsSidMapping
    • Remove-AdmPwdPdsSidMapping

    Access control configuration:

    • Set-AdmPwdPdsAccessControlParameters

    Autodiscover DNS SRV record publishing:

    • Set-AdmPwdPdsDnsParameters

    PDS Admin Role management:

    • Move-AdmPwdPdsAdminRole

    License file location and name:

    • Set-AdmPwdPdsLicenseParameters

    It is strongly recommended to use the PowerShell cmdlets to modify the configuration of PDS rather than editing PDS.config manually.

    All cmdlets above allow efficient updates of the configuration of multiple PDS instances via pipelining, such as: Get-AdmPwdPds | Set-AdmPwdPdsSupportedForest .... This further simplifies configuration management and helps keep the configuration standardized across machines.

    The table below specifies the configurable parameters of the PDS service. Each entry gives the parameter (as its path in PDS.config), its meaning, and notes including the default value.

    Parameter: Pds - Dns - Autodiscovery - RegistrationInterval
    Meaning: Interval for DNS SRV record refresh, in seconds. PDS automatically refreshes its own SRV record to prevent its expiration.
    Note: Default: 86400 (1 day). Setting to 0 disables SRV record registration and refresh; this is useful in environments where the PDS service account does not have permission to write to DNS.

    Parameter: Pds - Dns - Autodiscovery - UnregisterOnShutdown
    Meaning: Whether PDS shall unregister its own DNS SRV record during service shutdown.
    Note: Default: False

    Parameter: Pds - Dns - Autodiscovery - Priority
    Meaning: Priority of the SRV record created by this instance of PDS.
    Note: Default: 100

    Parameter: Pds - Dns - Autodiscovery - Weight
    Meaning: Weight of the SRV record created by this instance of PDS.
    Note: Default: 100. The PDS discovery logic implemented in the Integration SDK ignores the weight of SRV records and thus does not perform load balancing.

    Parameter: Pds - Dns - Autodiscovery - TTL
    Meaning: TTL of the registered SRV record, in seconds.
    Note: Default: 1200 (20 minutes)

    Parameter: Pds - Dns - Autodiscovery - DomainsToPublish - Domain - DnsName
    Meaning: DNS name of a domain where PDS shall publish its own SRV record.
    Note: Default: empty list, which means that PDS registers its SRV record in its own domain only. When specified, PDS registers the SRV record in the listed domains only; the PDS's own domain must be listed as well for PDS to register its SRV record there.

    Parameter: Pds - Keystore
    Meaning: Identifier of the assembly implementing the keystore for key pairs.
    Note: Do not change parameters here unless you know what you are doing. PDS supports extensibility and different implementations of the keystore. The default keystore that comes with the solution is of type AdmPwd.PDS.KeyStore.FileSystemKeyStore and is implemented in the main PDS executable.

    Parameter: Pds - AccessControl - HonorFullControlPermission
    Meaning: Specifies whether or not to honor the Full Control permission on a computer/user object when performing authorization checks for password reads and resets. When set to TRUE, users who have Full Control permission on computer objects can read and reset the local admin password even when they are not granted the explicit permissions specified in the Extended Rights specification.
    Note: Default: False (the Full Control right on an AD object does NOT give permission to read/reset the admin password).

    Parameter: Pds - AccessControl - SidMappings
    Meaning: Maps a primary SID (from the PDS forest) to a SID from an untrusted forest managed by PDS. Used to support access control when accessing an untrusted AD forest.
    Note: Default: empty list. Use PowerShell to manage the configuration of SID mappings.

    Parameter: Pds - AccessControl - MandatoryGroups - Group - Sid
    Meaning: List of SIDs of groups the caller has to be a member of for requests for password read and reset to be honored. Works as an additional protection layer on top of the standard Read/Reset password permissions. Used to enforce Authentication Mechanism Assurance.
    Note: Default: empty list, which means that this additional layer of protection is not active.

    Parameter: Pds - PDSAdmin - Role
    Meaning: Name of the AD group implementing the PDS Admin role.
    Note: Default: Enterprise Admins. The PDS Admin role is allowed to perform the following operations:

    • Generate new encryption/decryption key pairs
    • Maintain alternate credentials to authorize PDS access to remote forests
    • Maintain the list of Supported Forests, Managed Accounts Containers and SID mappings

    Parameter: Pds - License - File
    Meaning: Path to the license file that unlocks the solution from freeware mode.
    Note: Default: license.xml. Relative to the PDS folder; so, by default, PDS looks for the license.xml file in %ProgramFiles%\AdmPwd\PDS. Can also be:

    • an absolute path
    • a UNC path

    Parameter: Pds - SupportedForests - Forest - DnsName
    Meaning: List of forests managed by PDS. When missing, only the local forest where PDS is installed is supported.
    Note: Default: not present, which means that PDS manages only its own AD forest. A Forest entry can contain registration of connection credentials:

    • User: username
    • Password: password for the user specified in User; encrypted by a PDS encryption key
    • KeyId: ID of the key that was used to encrypt the password

    When alternate credentials are not specified, PDS uses the identity of its own service account to authenticate access to the remote forest. The local PDS forest is always supported and does not support alternate credentials.

    Parameter: PDS - FileSystemKeyStore - Path
    Meaning: Path where the keystore stores key pairs.
    Note: Default: CryptoKeyStorage. Relative to the PDS folder; so, by default, PDS looks for key pairs in %ProgramFiles%\AdmPwd\PDS\CryptoKeyStorage. Can also be:

    • an absolute path
    • a UNC path

    Parameter: PDS - FileSystemKeyStore - PathType
    Meaning: Whether the path is absolute or relative.
    Note: Default: Relative. Possible values: Absolute, Relative

    Parameter: PDS - FileSystemKeyStore - CryptoForNewKeys
    Meaning: Cryptography used to generate new encryption/decryption keys.
    Note: Default: CNG. Possible values:

    • CNG
    • CryptoAPI

    Support for new keys generated by CryptoAPI is maintained for compatibility only, and the ability to generate new keys using CryptoAPI will be removed in future versions. However, PDS will still be able to decrypt passwords encrypted with CryptoAPI keys.

    Parameter: PDS - FileSystemKeyStore - FavorOAEP
    Meaning: Whether to try OAEP padding first or PKCS padding first on decryption.
    Note: Default: true. This setting is for compatibility only and will be removed in future versions.

    Parameter: PDS - FileSystemKeyStore - SupportedKeySizes - add - KeySize
    Meaning: List of supported key sizes when creating a new key pair. PDS only allows creating a key pair with one of the specified key sizes.

    Parameter: PDS - ManagedAccounts - PasswordManagementInterval
    Meaning: How often PDS looks for expired passwords of Managed Domain Accounts in the registered Managed Accounts Containers.
    Note: Default: 600 seconds

    Parameter: PDS - ManagedAccounts - Containers - Add - DistinguishedName
    Meaning: DN of the container where PDS looks for Managed Domain Accounts whose passwords it manages.
    Note: Default: empty list. Use PowerShell to manage the configuration of Managed Accounts Containers.

    Parameter: PDS - ManagedAccounts - Containers - Add - PasswordAge
    Meaning: Password age for Managed Domain Accounts in the given container, in minutes.
    Note: Default: 43200 minutes (30 days)

    Parameter: PDS - ManagedAccounts - Containers - Add - KeyId
    Meaning: ID of the encryption key used to encrypt the passwords of Managed Domain Accounts in the given container.
    Note: Default: 0, which means the most recent key managed by the keystore

    Parameter: PDS - ManagedAccounts - Containers - Add - PasswordComplexity
    Meaning: Required complexity of passwords for Managed Domain Accounts in the given container.
    Note: Allowed values:

    • Large: large (upper-case) letters only
    • LargeSmall: large and small letters
    • LargeSmallNum: large and small letters and numbers
    • LargeSmallNumSpec: large and small letters, numbers and special characters

    Default: LargeSmallNumSpec

    Parameter: PDS - ManagedAccounts - Containers - Add - PasswordLength
    Meaning: Required length of the password set by PDS on Managed Domain Accounts in the given container.
    Note: Default: 12

    Sample configuration file:

    <?xml version="1.0" encoding="utf-8"?>
    <PDS xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SupportedForests>
        <Forest DnsName="myRemoteForest.com" />
      </SupportedForests>
      <Dns>
        <Autodiscovery UnregisterOnShutdown="true" RegistrationInterval="86400" Priority="100" Weight="100" TTL="1200">
          <DomainsToPublish>
            <Domain DnsName="myRemoteForest.com" />
          </DomainsToPublish>
        </Autodiscovery>
      </Dns>
      <KeyStoreType Assembly="AdmPwd.PDS" TypeName="AdmPwd.PDS.KeyStore.FileSystemKeyStore" />
      <AccessControl HonorFullControlPermission="false" HonorAllExtendedRightsPermission="false" HonorLocalGroupsFromRemoteComputerDomain="false">
        <SidMappings>
        </SidMappings>
        <MandatoryGroups />
      </AccessControl>
      <PDSAdmin Role="Enterprise Admins" />
      <License File=".\license.xml" />
      <FileSystemKeyStore Path="CryptoKeyStorage" PathType="Relative" CryptoForNewKeys="CNG" FavorOAEP="true">
        <SupportedKeySizes>
          <add KeySize="2048" />
          <add KeySize="3072" />
          <add KeySize="4096" />
        </SupportedKeySizes>
      </FileSystemKeyStore>
      <ManagedAccounts PasswordManagementInterval="600">
        <Containers>
          <add DistinguishedName="OU=Managed Domain Accounts,DC=mydomain,DC=com" PasswordAge="43200" KeyId="1" PasswordComplexity="LargeSmallNumSpec" PasswordLength="13" PasswordHistory="true" PasswordHistoryLength="3" />
          <add DistinguishedName="OU=Managed Domain Accounts,DC=myRemoteDomain,DC=com" PasswordAge="43200" KeyId="1" PasswordComplexity="LargeSmallNum" PasswordLength="16" PasswordHistory="false" PasswordHistoryLength="0" />
        </Containers>
      </ManagedAccounts>
    </PDS>
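    The parameters above decide who may read or reset passwords and how strong the key pairs and generated passwords are, so a defender typically wants to review a deployed PDS.config against a baseline. The script below is an added example written for this page; it is not part of the AdmPwd.E documentation or the PDS product. It parses a constructed PDS.config (modelled on the sample above, with deliberately weak settings) and reports settings that widen access or weaken cryptography: HonorFullControlPermission enabled, no MandatoryGroups, CryptoAPI selected for new keys, key sizes below a threshold, a key store on a UNC path, short or low-complexity managed-account passwords, and disabled SRV registration. The thresholds in Test-PdsConfig (2048-bit keys, 12-character passwords) are this script's own policy assumptions, not product defaults, and the function name and the sample forest and domain names are invented for the example.

```powershell
# Added example, not part of the AdmPwd.E documentation or the PDS product:
# audit a PDS.config for settings that weaken access control or key strength.
# The XML below is a constructed sample modelled on the documented parameters.
$sampleConfig = @'
<PDS xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SupportedForests>
    <Forest DnsName="remote.example.com" />
  </SupportedForests>
  <Dns>
    <Autodiscovery UnregisterOnShutdown="false" RegistrationInterval="0" Priority="100" Weight="100" TTL="1200" />
  </Dns>
  <KeyStoreType Assembly="AdmPwd.PDS" TypeName="AdmPwd.PDS.KeyStore.FileSystemKeyStore" />
  <AccessControl HonorFullControlPermission="true">
    <SidMappings />
    <MandatoryGroups />
  </AccessControl>
  <PDSAdmin Role="Enterprise Admins" />
  <License File=".\license.xml" />
  <FileSystemKeyStore Path="\\fileserver\pdskeys" PathType="Absolute" CryptoForNewKeys="CryptoAPI" FavorOAEP="true">
    <SupportedKeySizes>
      <add KeySize="1024" />
      <add KeySize="2048" />
    </SupportedKeySizes>
  </FileSystemKeyStore>
  <ManagedAccounts PasswordManagementInterval="600">
    <Containers>
      <add DistinguishedName="OU=Managed Domain Accounts,DC=example,DC=com" PasswordAge="43200" KeyId="0" PasswordComplexity="LargeSmall" PasswordLength="8" />
    </Containers>
  </ManagedAccounts>
</PDS>
'@

# Read one attribute by XPath; returns '' when the element or attribute is absent,
# so a missing setting is handled the same way as an empty one.
function Get-PdsAttribute([xml]$Doc, [string]$XPath, [string]$Name) {
    $node = $Doc.SelectSingleNode($XPath)
    if ($null -eq $node) { return '' }
    return $node.GetAttribute($Name)
}

function Test-PdsConfig {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [int]$MinKeySize = 2048,      # assumed policy threshold, not a product default
        [int]$MinPasswordLength = 12  # documented default length; anything shorter is reported
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Access control: Full Control on the AD object must not stand in for the explicit Extended Right
    if ((Get-PdsAttribute $Config '/PDS/AccessControl' 'HonorFullControlPermission') -eq 'true') {
        $findings.Add('HonorFullControlPermission=true: Full Control on computer/user objects is enough to read or reset the admin password')
    }
    # Empty MandatoryGroups: the additional membership layer (Authentication Mechanism Assurance) is not enforced
    if ($Config.SelectNodes('/PDS/AccessControl/MandatoryGroups/Group').Count -eq 0) {
        $findings.Add('MandatoryGroups is empty: no additional group-membership layer protects password read/reset')
    }
    # Key generation: CryptoAPI is kept for compatibility only and will be removed
    $crypto = Get-PdsAttribute $Config '/PDS/FileSystemKeyStore' 'CryptoForNewKeys'
    if ($crypto -ne 'CNG') {
        $findings.Add("CryptoForNewKeys=$crypto: new key pairs should be generated with CNG")
    }
    # Any permitted key size below the threshold lets a PDS Admin create a weak key pair
    foreach ($add in $Config.SelectNodes('/PDS/FileSystemKeyStore/SupportedKeySizes/add')) {
        $size = [int]$add.GetAttribute('KeySize')
        if ($size -lt $MinKeySize) { $findings.Add("SupportedKeySizes allows $size-bit keys (policy minimum: $MinKeySize)") }
    }
    # Key store on a network share: share and NTFS ACLs become part of the trust boundary
    $path = Get-PdsAttribute $Config '/PDS/FileSystemKeyStore' 'Path'
    if ($path.StartsWith('\\')) {
        $findings.Add("FileSystemKeyStore.Path is a UNC path ($path): verify share and NTFS permissions on the key store")
    }
    # Managed account containers: password length and complexity per container
    foreach ($c in $Config.SelectNodes('/PDS/ManagedAccounts/Containers/add')) {
        $dn = $c.GetAttribute('DistinguishedName')
        $len = [int]$c.GetAttribute('PasswordLength')
        $complexity = $c.GetAttribute('PasswordComplexity')
        if ($len -lt $MinPasswordLength) { $findings.Add("Container '$dn': PasswordLength=$len is below $MinPasswordLength") }
        if ($complexity -ne 'LargeSmallNumSpec') { $findings.Add("Container '$dn': PasswordComplexity=$complexity is weaker than LargeSmallNumSpec") }
    }
    # DNS: RegistrationInterval=0 disables SRV registration and refresh, so clients cannot autodiscover this instance
    if ((Get-PdsAttribute $Config '/PDS/Dns/Autodiscovery' 'RegistrationInterval') -eq '0') {
        $findings.Add('Dns.Autodiscovery.RegistrationInterval=0: SRV record registration and refresh are disabled')
    }

    # Report which group holds the PDS Admin role (key generation, alternate credentials) alongside the findings
    [pscustomobject]@{
        PdsAdminRole = Get-PdsAttribute $Config '/PDS/PDSAdmin' 'Role'
        Findings     = $findings.ToArray()
    }
}

$result = Test-PdsConfig -Config ([xml]$sampleConfig)
"PDS Admin role group: $($result.PdsAdminRole)"
$result.Findings | ForEach-Object { "FINDING: $_" }
```

    To run it against a real deployment, replace the constructed sample with the file content, for example `Test-PdsConfig -Config ([xml](Get-Content "$env:ProgramFiles\AdmPwd\PDS\PDS.config" -Raw))`; the XPath lookups deliberately avoid PowerShell's XML property adapter so that empty elements such as `<MandatoryGroups />` are counted as zero entries rather than as an empty string.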