AD Credential Rotation Task
The AD Credential Rotation Task enables VPAM administrators to apply an automatic password change (rotation) policy to a user's credential in a VPAM application. VPAM administrators can schedule the credential rotation for a custom time at a daily, weekly, or monthly frequency.
The AD Credential Rotation Task works by linking a VPAM application user credential to an Active Directory (AD) user, so that the password used to access the VPAM application is changed on the configured schedule.
This document contains the requirements and procedure to configure the AD Credential Rotation Task.
Requirements
To use the AD Credential Rotation Task, the VPAM administrator must comply with the following requirements:
- Admin Role or Permissions in VPAM Server: To access the Vault and Tasks pages, you must have the admin role or additional privileges in your VPAM server. Contact your VPAM administrator for more information.
- Active Directory (AD) Account: The VPAM admin must have access to the Active Directory account where they manage their users.
- Administrator Privilege in the AD Account (Domain Admin): For the AD Credential Rotation Task, the VPAM administrator must also have AD admin permissions, because those permissions are needed to change (rotate) another user's password.
- Base DN: Domain Admins must provide the Base DN attributes to configure the user retrieval from the Active Directory.
- Domain User: A second user in your Active Directory. This user receives the AD Credential Rotation policy.
- VPAM Server Version: The AD Credential Rotation Task is only available for VPAM servers with version 25.1.3 or newer. Contact success@imprivata.com for more information on how to update your VPAM server.
If any of the previous requirements is not met, the AD Credential Rotation Task will not run. Read the Troubleshooting section of this document for more information.
How-To Use the Feature
The AD Credential Rotation Task functions in two areas of the VPAM User Interface:
- The Vault tab, where you configure the AD Admin and AD User secrets.
- The Tasks tab, where you configure the rotation policy and the AD User it applies to.
The following sections describe the steps for VPAM admins to configure and use the AD Credential Rotation Task.
How-To Create a Secret in the Vault Section
To create a new secret in the Vault Section of VPAM, follow these steps:
- Click +Add > Password Credential.
- Complete the Add New Password Credential form considering the following:
Attribute | Description | Required |
---|---|---|
Secret Type | Indicates the type of credential being created. | Yes |
Credential Name | Enter a unique name for the credential. This name identifies the specific credential. | Yes |
Description | Provide a description of the user associated with the credential. This is optional but can be helpful for identifying the purpose of the credential. | No, but recommended |
Domain | Specify the domain for the credential. | Yes |
User ID | Enter the user ID associated with the credential. | Yes |
Password | Provide a password used for authentication. | Yes |
Confirm Password | Re-enter the password to confirm it. This ensures that the password was entered correctly. | Yes |
Is this credential part of a credential pool? | Select Yes or No to indicate whether this credential is part of a credential pool. Credential Pools are groups of credentials that allow multiple users to log in to a host simultaneously, each with a unique credential. When a user connects to a service, an available credential is returned by the pool and marked as used by that user. A credential can only be used by one user at a time. | No, but recommended |
Select Port Types to Restrict Usage | Specify the port types to ensure that this credential is available only for use with the selected port types. | No, but recommended |
Select a Category | Specify a credential category to limit the usage of this credential to users assigned to that category. | No, but recommended |
- Click Create Secret to finalize and create the new secret.
The new secret is now ready for use and can be associated with the password rotation policy in the Tasks section.
You must have at least one Domain Admin with permission to set up credential rotation for other users, and at least one Domain User, which can be either an admin or a standard user.
How-To Create the Rotation Policy in the Tasks Section
After you have created the secrets for the AD Admin and the AD User users, you must continue to set the password rotation policy in the Tasks section of the VPAM UI. To start configuring the credential rotation:
- Click +Add > Password Rotation. The task pane opens. Active Directory is the only system that can be configured.
- Click Next to open the Rotation Details.
- Complete the form considering the following:
Attribute | Description | Required |
---|---|---|
Task Name | Add a unique name to the password rotation. | Yes |
Base DN | Provide the Base DN where the policy queries the user to whom it applies. Consider the following example: dc=instance,dc=example,dc=com | Yes |
Application | Select the application that the user has access to, which is impacted by the credential rotation policy. | No, but recommended |
Host Service | Select the LDAP or LDAPS service of the application. | Yes |
Secrets to be rotated | Select all the user secrets (AD Users) that are impacted by the rotation policy. | Yes |
Credential Provider | Select Single. | Yes |
Provider Name | Select the AD Admin User you created. This account supplies the authorization to apply the rotation policy to the AD Users you selected in Secrets to be rotated. | Yes |
Task Password Policy | Set the rules for each new password that the policy rotates. | No, but recommended |
The rotation policy enables you to set a schedule-based rotation policy by completing the following fields:
- Rotate: Sets the frequency of the rotation.
  - Daily: The secret changes every day.
  - Weekly: The secret changes every week, on the same day.
  - Monthly: The secret changes every month, on the same day number.
- At: Defines the moment the password changes:
  - When Daily is selected: Choose the time of day.
  - When Weekly is selected: Choose the day of the week and the time of day.
  - When Monthly is selected: Choose the day number and the time of day.
- Allow on demand rotation: Select to enable users to rotate the secret at any moment.
Viewing Task Execution Results
After configuring the password rotation policy, you can review the results of the task executions through the Task History page. This page provides detailed information about the status and execution timeline of each task.
To view the task execution results:
- In Tasks, click on the name of a previously created task to open Task Details.
- Click on Task History. This shows a table with the following information:
Field | Description |
---|---|
Run ID | The unique identifier for the task run. |
Task Start | The exact date and time when the task execution started. |
Task End | The exact date and time when the task execution completed. |
Triggered By | The user who triggered the task execution. |
Trigger For | The user whose credentials were impacted by the task. |
Execution Status | Indicates whether the task was Successful or Failed. |
This helps you monitor and verify the execution of credential rotation tasks.
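The schedule fields above (Rotate / At) and the Task History table together let an administrator check that rotations actually happen. The following is an added example, not VPAM code: it computes the next scheduled rotation for each frequency (the day number clamping to the end of a short month is an assumption; the page does not specify it) and flags, from constructed Task History rows, users whose latest run failed or whose next scheduled rotation has passed without a successful run.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, time, timedelta

@dataclass
class RotationPolicy:  # the Rotate / At fields of the rotation policy (field names are assumptions)
    rotate: str          # "Daily", "Weekly" or "Monthly"
    at: time             # time of day
    weekday: int = 0     # Weekly only; 0 = Monday ... 6 = Sunday
    day_number: int = 1  # Monthly only; assumption: clamps to the month's last day
def next_rotation(policy: RotationPolicy, after: datetime) -> datetime:
    """First scheduled rotation strictly after `after`."""
    if policy.rotate == "Daily":
        nxt = datetime.combine(after.date(), policy.at)
        return nxt if nxt > after else nxt + timedelta(days=1)
    if policy.rotate == "Weekly":
        delta = (policy.weekday - after.weekday()) % 7
        nxt = datetime.combine(after.date() + timedelta(days=delta), policy.at)
        return nxt if nxt > after else nxt + timedelta(days=7)
    if policy.rotate == "Monthly":
        year, month = after.year, after.month
        while True:  # walk forward month by month until the slot lies in the future
            day = min(policy.day_number, calendar.monthrange(year, month)[1])
            nxt = datetime.combine(datetime(year, month, day), policy.at)
            if nxt > after:
                return nxt
            year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    raise ValueError(f"unknown rotation frequency: {policy.rotate}")

# Constructed Task History rows, using a subset of the Task History table's columns.
TASK_HISTORY = [
    {"Run ID": 101, "Task End": "2025-03-01 02:00:09", "Trigger For": "svc_backup",
     "Triggered By": "system", "Execution Status": "Successful"},
    {"Run ID": 102, "Task End": "2025-03-01 02:00:04", "Trigger For": "svc_reports",
     "Triggered By": "system", "Execution Status": "Failed"},
    {"Run ID": 103, "Task End": "2025-03-02 02:00:10", "Trigger For": "svc_backup",
     "Triggered By": "system", "Execution Status": "Successful"},
]
def rotation_findings(history, policy, now, grace=timedelta(hours=1)):
    """Per 'Trigger For' user: 'failed' if the latest run failed, 'overdue' if the slot after the last success passed (plus grace) with no success."""
    findings = {}
    for user in sorted({r["Trigger For"] for r in history}):
        runs = sorted((r for r in history if r["Trigger For"] == user), key=lambda r: r["Run ID"])
        if runs[-1]["Execution Status"] != "Successful":
            findings[user] = "failed"
            continue
        last_ok = datetime.strptime(runs[-1]["Task End"], "%Y-%m-%d %H:%M:%S")
        if next_rotation(policy, last_ok) + grace < now:
            findings[user] = "overdue"
    return findings
```

Feed the real Task History export into rotation_findings with the task's policy to get a list of users that need attention instead of reading the table row by row.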
Troubleshooting
If you encounter issues during the setup or execution of the password rotation task, consider the following common problems and solutions:
- Problem: The password rotation task fails due to a missing or misconfigured AD Admin or Domain User.
  Solution: Create at least one Domain Admin user with the appropriate permissions to configure password rotation for other users. Also, create at least one Domain User, either an admin or a standard user. The task does not function properly without these users.
- Problem: Application setup fails to connect to Active Directory.
  Solution: Verify that the Host name of the application exactly matches the AD host name. Also, confirm that the LDAPS or LDAP service is correctly selected and configured. In the Launch Via - Protocol setting, ensure that TCP is chosen, as this is necessary for proper communication between the application and AD.
- Problem: Users cannot manually rotate the password on demand.
  Solution: Check that the Allow on demand rotation option is selected in the rotation policy. With this option disabled, users cannot initiate password rotations on demand.
FAQ
- Can I use the AD Credential Rotation Task in any version of VPAM?
  No, this feature is only available in version 25.1.3 or newer instances.
- Can I configure the AD Credential Rotation Task without an Active Directory?
  No, you must have an Active Directory to be able to rotate your users' passwords.
- Is this feature available in other PAM applications?
  For the moment, this feature is only available in Vendor Privileged Access Management.