Integrating PAM360 with ManageEngine ADSelfService Plus (ADSSP)
This document walks you through the procedure for integrating PAM360 with ManageEngine ADSelfService Plus (ADSSP). The following topics are discussed here:
- Key Benefits of Integration
- Prerequisites for Performing the Integration
- Steps to Configure the Integration
- Steps to Map Domain Account Details
- Troubleshooting Tips
1. Key Benefits of Integration
ManageEngine PAM360 integrates with ManageEngine ADSSP, an integrated web-based self-service password management and Single-Sign-On solution. ADSSP assists domain users in performing activities such as self-service password reset, self-service account unlock, etc. ADSSP utilizes PAM360 to manage its domain controller passwords, especially the privileged accounts.
Earlier, when remote password reset of the ADSSP privileged domain account was performed in PAM360, the new password had to be manually updated in ADSSP. If not, ADSSP still retains the old password and therefore restricts the AD users from performing tasks such as password reset, account unlock, etc. This may lead to more help desk calls. With PAM360-ADSSP integration, the privileged domain account details of ADSSP will be mapped with the domain account in PAM360. So, whenever the password of the ADSelfService Plus's privileged domain account mapped in PAM360 is updated, PAM360 automatically updates the password of the privileged domain account in ADSelfService Plus as well.
2. Prerequisites for Performing the Integration
Before commencing the integration, verify if all of the below prerequisites are satisfied:
- PAM360 should be accessible from the server on which ADSSP is running. To verify this, try launching your PAM360 web-client from the ADSSP server.
- For this integration to work, ADSSP should be running in secured HTTPs mode only.
- As ADSSP is running in the HTTPs mode, the identity of the system needs to be verified through a valid SSL certificate, which has to be imported into the PAM360 certificate store. Follow the steps listed below:
- Stop the PAM360 service.
- Open the command prompt and go to the "<PAM360_Installation_Folder>/bin" directory.
- Execute the following command:
importCert.bat <Path of the certificate used by ADSSP>
- Restart the PAM360 service.
3. Steps to Configure the Integration
You can perform all the configurations related to the PAM360-ADSSP integration from the PAM360 portal itself. To configure the integration, you need to provide the details of the machine, where ADSSP is installed. The details include Host Name, Port Number, etc. Once you have entered all the required details and saved the configuration, PAM360 will try to set a connection with ADSSP. After the successful connection, the domain details will be retrieved from ADSSP and saved in the PAM360 database, and the integration will be established.
Here are the steps:
- Navigate to Admin >> Integration >> ManageEngine.
Note: Only the users with the "ManageEngine Integration" role will see the ManageEngine option under Integration.
- In the page displayed, you will see the ADSelfService Plus block with either of the below options based on whether you have disabled or enabled the integration, respectively:
Buttons and Definitions:
Sl. No: Button Definition 1
Enable
You will see this option if the integration is disabled. Click this button, and the ADSelfService Plus Integration window pops up.2
Edit
Click this button, and the ADSelfService Plus Integration window pops up. Modify the configuration details, if required.3
Disable
You will see this option if the integration is enabled. Click this button to disable the integration.
- Click the Edit button and you will see the below window:
- Configure the following details:
Now, the integration will be enabled, and the domain details fetched from ADSSP will be saved in the PAM360 database. Proceed with mapping the domain account details of ADSSP with PAM360.
4. Steps to Map Domain Account Details
Ensure, the correct domain account in ADSSP is mapped with the domain account in PAM360. Only then, the automatic update of the password will happen with the right domain account in ADSSP.
- Navigate to Resources >> Resource Actions. Click the option Configure ADSelfService Plus Domain Details.
This option will be available only:
- For the Windows Domain resources.
- If ADSSP integration is configured.
- A window pops-up with the selected Resource Name appended with the title. The Domain Name in PAM360 is shown by default.
- Choose the Domain Name in ADSSP to be mapped with the Domain Name in PAM360. If you do not find any domain name, click the Fetch link to import the domain from ADSSP.
- The Domain Account Name in ADSSP and the Domain Account Name in PAM360 fields will be automatically populated based on the Domain Name in ADSSP selected in step i. You can also select a different account for PAM360.
- Click Save.
Once the mapping of domain account details of PAM360 and ADSSP is successfully done, PAM360 will automatically update the password of the domain account in ADSSP, whenever the password reset for the account is done in PAM360.
5. Troubleshooting Tips
- Check if the certificates are properly imported.
- Check the connectivity between the two machines; connectivity should be bi-directional.
- Click fetch under Windows DC >> Resource Actions >> Configuring ADSelf service plus domain details to get the domain details. If it fails, check the pam0 file available under <PAM360_Installation_Folder>/logs directory for any error.
