- 29 Oct 2024
Post-Installation Settings and Tasks
Add Password Synchronization Manager to OAS administrative client list
This step is only required if you want to use Password Synchronization Manager with connection type set to SEAL.
To allow Password Synchronization Manager to establish an administrative connection to OneSpan Authentication Server, you need to register the domain controller on which Password Synchronization Manager is installed as an administrative client for the OneSpan Authentication Server instance.
To add Password Synchronization Manager to the administrative client list of OneSpan Authentication Server
Start a web browser application.
Navigate and log on to the Administration Web Interface of the respective OneSpan Authentication Server instance.
Select Clients > Register in the web site navigation bar.
You are redirected to the Create new Client page.
Click SELECT FROM LIST and select Administration Program in the client type list.
Type the IP address of the domain controller on which Password Synchronization Manager is installed in the Location box.
Select OAS Administration Logon in the Policy ID list.
Select SEAL in the Protocol ID list.
Click Create.
Enable and configure remote access to Windows registry
This step is only required if you want to use PSM Remote Configuration Manager to manage Password Synchronization Manager remotely.
To allow PSM Remote Configuration Manager to manage Password Synchronization Manager on a remote machine, you need to enable remote registry access and configure remote write access privileges to the Windows registry of the machine on which Password Synchronization Manager is installed.
To enable remote registry access
On the domain controller, start the local Services management plug-in by typing services.msc in a command-line prompt.
In the Services list, locate the Remote Registry service and verify that it is started and its startup type is set to Automatic.
If the Remote Registry service is not started, select Start from the service entry’s context menu.
If the startup type is not set to Automatic:
Select Properties from the service entry’s context menu.
The Remote Registry Properties Dialog appears.
Select Automatic in the Startup type list.
Click OK.
Close the Services management plug-in.
By default, members of the Administrators group have Full Control access to the registry. You need to complete the following procedure only if you want to use a user account that is not a member of the Administrators group.
To configure remote write access privileges to the Windows registry for a specific user or user group
On the domain controller, start Registry Editor via a command-line prompt by typing regedit.exe.
Locate the following registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
Select Edit > New > Key from the menu bar and create a new registry key.
Key name: SecurePipeServers
Locate the newly created registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers]
Select Edit > New > Key from the menu bar and create a new registry key.
Key name: winreg
Locate the newly created registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg]
Select Edit > New > String Value from the menu bar and create a new value.
Value name: Description
Data type: REG_SZ
String: Registry Server
Locate the newly created registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg]
Select Edit > Permissions from the menu bar.
The Permissions Dialog appears.
Edit the current permissions or add the user or user group to whom you want to grant access. Make sure that the respective user or user group has read permissions.
Locate the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\OneSpan\Password Synchronization Manager]
Select Edit > Permissions from the menu bar.
The Permissions Dialog appears.
Edit the current permissions or add the user or user group to whom you want to grant access. Make sure that the respective user or user group has read and write permissions.
Exit Registry Editor.
Restart the Remote Registry service.
To test remote registry access
On a different computer (other than the domain controller), open Registry Editor via a command-line prompt by typing regedit.exe.
Select File > Connect Network Registry.
The Select Computer Dialog appears.
Type the name of the domain controller and click OK.
Registry Editor connects to the registry on the remote machine.
Verify that you can access the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\OneSpan\Password Synchronization Manager]
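The three Remote Registry procedures above (enable the service, grant a non-administrator group access to winreg and to the PSM key, test from another computer) as one PowerShell script. This is an added example, not OneSpan tooling; the group name and the domain controller name are placeholders, and the script assumes an elevated session on the domain controller for steps 1 to 3.

```powershell
# Added example (not OneSpan's own tooling). Assumptions: run elevated on the
# domain controller; $Principal is a placeholder for the non-administrator group
# that will run PSM Remote Configuration Manager. Grant a specific group, never
# Everyone: the winreg ACL is what decides who may open the registry remotely.
$Principal = 'CONTOSO\PSM-Operators'   # placeholder, replace with your group

# 1. Remote Registry service running and set to start automatically.
$svc = Get-Service -Name 'RemoteRegistry'
if ($svc.StartType -ne 'Automatic') { Set-Service -Name 'RemoteRegistry' -StartupType Automatic }
if ($svc.Status -ne 'Running')      { Start-Service -Name 'RemoteRegistry' }

# 2. SecurePipeServers\winreg with the Description value from the procedure.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
if (-not (Test-Path $winreg)) { New-Item -Path $winreg -Force | Out-Null }
Set-ItemProperty -Path $winreg -Name 'Description' -Value 'Registry Server' -Type String

function Grant-RegistryRights {
    param([string]$Path, [string]$Identity, [System.Security.AccessControl.RegistryRights]$Rights)
    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $Identity, $Rights, 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
# Read on winreg is enough to connect; read + write only on the PSM key it edits.
Grant-RegistryRights -Path $winreg -Identity $Principal -Rights 'ReadKey'
Grant-RegistryRights -Path 'HKLM:\SOFTWARE\OneSpan\Password Synchronization Manager' `
                     -Identity $Principal -Rights 'ReadKey, SetValue, CreateSubKey'

# 3. Restart so the new winreg ACL is applied.
Restart-Service -Name 'RemoteRegistry'

# 4. Run this part on a different computer, as a member of $Principal, to test
#    remote access to the PSM key. Access denied raises a SecurityException.
$Dc   = 'DC01'   # placeholder for the domain controller name
$base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Dc)
$key  = $base.OpenSubKey('SOFTWARE\OneSpan\Password Synchronization Manager', $true)
if ($null -eq $key) { throw "PSM key not found on $Dc; check winreg ACL and Remote Registry service" }
"Remote access OK, values: $($key.GetValueNames() -join ', ')"
```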
Enable computer browsing
This step is only required if you want to use PSM Remote Configuration Manager to manage Password Synchronization Manager remotely. In Windows Server 2016 environments (or later) the Computer Browser service is disabled by default.
If computer browsing is disabled, PSM Remote Configuration Manager cannot find the domain controller automatically when searching the network using the Search CBS method. However, you may use an alternative search method, e.g. Search global catalog, or add the domain controller manually to the server list in PSM Remote Configuration Manager.
To enable computer browsing
On the domain controller, start the local Services management plug-in by typing services.msc in a command-line prompt.
In the Services list, locate the Computer Browser service and verify that it is started and its startup type is set to Automatic.
If the Computer Browser service is not started, select Start from the service entry’s context menu.
If the startup type is not set to Automatic:
Select Properties from the service entry’s context menu.
The Computer Browser Properties Dialog appears.
Select Automatic in the Startup type list.
Click OK.
Close the Services management plug-in.
To test computer browsing
Open a command-line prompt.
Type the following command:
net view /domain
You should see a list of all domains in your network.
Type the following command, where {DomainName} is the name of the domain to browse:
net view /domain:{DomainName}
If the result of one of the commands above is empty, computer browsing is probably disabled.
Verify Lightweight Directory Access Protocol (LDAP) and global catalog access
This step is only required if you want to use PSM Remote Configuration Manager to search domains and domain controllers using Lightweight Directory Access Protocol (LDAP) or global catalog (GC).
If LDAP or global catalog access is not properly configured, PSM Remote Configuration Manager cannot find the domain controller automatically when the network is searched with the Search global catalog or the Search domain methods. However, you may use an alternative search method, e.g. Search CBS, or add the domain controller manually to the server list in PSM Remote Configuration Manager.
To test LDAP and global catalog access
On the domain controller, start the Active Directory Service Interfaces Editor management plug-in by typing adsiedit.msc in a command-line prompt.
In the console tree select ADSI Edit.
Select Action > Connect to from the menu bar.
The Connection Settings dialog appears.
Select Default naming context in the Select a well known Naming Context list.
Select Select or type a domain or server and type the domain or server name in the respective box.
Enter the Fully Qualified Domain Name (FQDN) or the NETBIOS name of the domain. Alternatively, you can enter the FQDN, NETBIOS name, or the IP address of a server in that particular domain.
Click Advanced.
The Advanced Dialog appears.
(OPTIONAL) Select Specify Credentials and type the user credentials used to establish the connection.
This step is only required if you need to use different user credentials when connecting to the Active Directory or global catalog server.
Select the protocol to test in the Protocol group.
Click OK to return to the Connection Settings dialog.
Click OK.
If the configuration is correct, ADSI Edit connects to the domain controller, creates a new entry in the console tree, and populates it with the respective objects retrieved from Active Directory.
Verify open firewall ports
Password Synchronization Manager uses several different TCP ports to communicate. If these are blocked by a firewall, some features will not work correctly. Before you use Password Synchronization Manager, or if you experience issues, verify that the respective ports are not blocked by a firewall.
Table: Required firewall ports

| Protocol | Default port | Purpose |
|---|---|---|
| SEAL over TCP/IP | 20003 | Communication between password filter and OneSpan Authentication Server. |
| SEAL over SSL | 20004 | Communication between password filter and OneSpan Authentication Server, secured with SSL. |
| LDAP | 389 | Communication between OneSpan Authentication Server and Active Directory (AD); communication between PSM Remote Configuration Manager and domain controllers (server search). |
| Global Catalog LDAP | 3268 | Communication between PSM Remote Configuration Manager and global catalog servers (server search). |
| RPC | 139 | Communication between PSM Remote Configuration Manager and the remote registry (Remote Registry service). |
For information about firewall ports required by OneSpan Authentication Server, refer to the OneSpan Authentication Server Administrator Reference.
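A scripted version of the two checks above: TCP reachability for each port in the table, followed by the RootDSE bind that ADSI Edit performs over the standard LDAP port and the global catalog port. This is an added example, not part of the OneSpan documentation; the domain controller and OneSpan Authentication Server host names are placeholders, and it assumes it is run from the machine that must reach them.

```powershell
# Added example (not OneSpan's). $Dc and $Oas are placeholders for the domain
# controller and the OneSpan Authentication Server host; run from the machine
# whose connectivity you want to verify (domain controller or admin workstation).
$Dc  = 'dc01.example.com'
$Oas = 'oas01.example.com'

# Port table from this page, with the host each port is expected to reach.
$ports = @(
    @{ Host = $Oas; Port = 20003; Purpose = 'SEAL over TCP/IP (password filter -> OAS)' },
    @{ Host = $Oas; Port = 20004; Purpose = 'SEAL over SSL' },
    @{ Host = $Dc;  Port = 389;   Purpose = 'LDAP (AD access, server search)' },
    @{ Host = $Dc;  Port = 3268;  Purpose = 'Global Catalog LDAP (server search)' },
    @{ Host = $Dc;  Port = 139;   Purpose = 'RPC / Remote Registry' }
)
foreach ($p in $ports) {
    $r = Test-NetConnection -ComputerName $p.Host -Port $p.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,-20} {1,5}  {2,-7} {3}' -f $p.Host, $p.Port, $state, $p.Purpose
}

# RootDSE bind over LDAP and GC. This is the same bind ADSI Edit makes when you
# click OK in Connection Settings; if the port is open but this fails, the cause
# is directory configuration or credentials rather than the firewall.
function Test-DirectoryBind {
    param([string]$Path)
    try {
        $root = New-Object System.DirectoryServices.DirectoryEntry($Path)
        # Reading a property is what forces the actual bind.
        $nc = $root.Properties['defaultNamingContext'].Value
        "$Path  OK  defaultNamingContext=$nc"
    } catch {
        "$Path  FAILED  $($_.Exception.Message)"
    }
}
Test-DirectoryBind -Path "LDAP://${Dc}:389/RootDSE"
Test-DirectoryBind -Path "GC://${Dc}/RootDSE"
```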
Create password filter configuration
To finish the Password Synchronization Manager setup, you need to create a password filter configuration and, using PSM Remote Configuration Manager, assign it to the domain controller on which the password filter is installed. For more information, see Password filter.