support

Passwordstate can work with Azure MFA, using our One Time Passwords authentication option. Here's how to set this up: Step 1: Take note of your emergency password under Administration -> Emergency Access. If you make a mistake during this process, you can reverse out the changes using this password. This video shows how to use the Emergency Password: https://www.youtube.com/watch?v=yP0riGN5Ek4 Step 2: Under Administration -> System Settings -> Authentication Options, choose either Manual AD and One Time Password, or just One Time Password. Save this once you have confirmed your choice. Step 3: Download and install the Microsoft Authenticator App in your phone from the App Store Step 4: Browse to your Passwordstate website, and on the login screen you should be presented with a QR Code. Scan this into your phone and you should have a functioning One Time Password code you can use to log into Passwordstate We hope this helps and please let us know if you have any questions about this. Regards, Support

Yes, this is what would be required, but presenting that meaningfully in auditing data would be a challenge. If you have a look at the database schema of the SystemSettings table alone, we would some how need to present the 200 odd different fields into meaningful auditing data. Not impossible to, but we'd expect quite a bit of development work would be required to achieve it. Regards Click Studios

Thanks Sarge. We've also thought about this in the past, but not sure technically how we would achieve this - if you look at all the possible settings alone under the System Settings screen, there would be 100's if not 1000's of changes that would need to be somehow tracked, and reported. Hopefully one day we can come up with a solution for this. Regards Click Studios

Hello BjornDir, Sorry, as per your other post, this is not possible. Regards Click Studios

Thanks for sharing habskilla - we appreciate it

Thanks for letting the community know

Hi Bobby, Yes, that is what a lot of our customers do to store SSL certificates. Your other option is to select the SSL Certificates template when creating a Password List, and this will configure a Generic Field to store the 'text' value of your certificate in. Regards Click Studios

Hello habskilla. The Folder view in version 7 was the exact same screen as Passwords Home, but just a filtered view. So we did not remove it as such, as this is a complete new screen and features in version 8, which we haven't had the time to work on providing customization for. We hope this clarifies. Regards Click Studios

Hi Scott, Sorry, at this stage we do not have the ability to customize the folders screen. We may look into it in the future though. Regards Click Studios

If you have the Active Directory integrated version of Passwordstate installed, by default, Passwordstate requires you to enter your Active Directory username and password to authenticate into the system. It is possible for Passwordstate to take your currently logged in credentials from your Windows session, and pass them through to Passwordstate. There is a few thing to do and be aware of when setting this up: First you to disable Anonymous Authentication in IIS, which is a default setting that we set during the install. To do this open Internet Information Services (IIS) on your web server, select your Passwordstate website and click Authentication Now right click Anonymous Authentication and disable it so it looks like this: Back in Passwordstate, go to Administration -> System Settings -> Authentication Options and select AD Single Sign-On: Things to consider: The browser may prompt you for authentication when you make these changes. This is a browser security feature which can be fixed by following suggestion 1 in this forum post: https://www.clickstudios.com.au/community/index.php?/topic/1305-passwordstate-prompts-for-authentication/ If you are accessing Passwordstate from Linux or Macs then you will get prompted to enter your username and password, there's unfortunately no way around this. We hope this helps! Support.

Thanks for sharing

To help us troubleshoot your issue, it is very handy for us to know certain information about your Passwordstate website, database, and the infrastructure that is is running on. To help speed up our support response times, we've developed a Powershell script that will collect some information about your environment. To run this script: Please download the "Passwordstate Support Information Script" script from our Checksums page here https://www.clickstudios.com.au/passwordstate-checksums.aspx. Extract the zip file and save the ServerInfo.ps1 file on your Passwordstate web server Open Powershell ISE "As Administrator" and open your ServerInfo.ps1 file Run the script When the script has finished it will create a ServerInfo.zip file in the same folder where you have run the script from. Please email that back to support@clickstudios.com.au for analysis. Below is full disclosure of what the script is doing: This script will not make any changes to your server, or Passwordstate environment Information it collects from your web server is as follows: Current Passwordstate version All Installed Programs on your server Name of your web server Last time your web server was rebooted Free disk space and free memory on your web server A check to see if your web server is a part of a domain, or a workgroup What language the web server is in, plus OS version and .NET version Information about your Passwordstate App Pools in IIS - Names, Path and Identity Type Installation path of your Passwordstate website Passwordstate web bindings in IIS and Authentication options NSLookups and tracerts of each URL for the Passwordstate website only List of certificates names on the web server, expiry date and who they are issued by Powershell version IP address of webserver Information about Passwordstate services - If they are running and who is the logon identity and when they were stopped, and started Local Administrator Accounts if there are any Passwordstate installation folder permissions Event Log errors from the Application Event logs Information from the web.config file - database server name, SQL instance, database name, setup stage and passivenode values. We also query the username and password out of the connection string, but do not store this anywhere. We only use this information temporarily to connect to your database and gather the information in the section below The remaining non sensitive part of the web.config file is also collected. You'll find your web.config file inside the zip file, but you'll see all sensitive info in the ConnectionString and AppSettings Section is redacted. .NET Framework versioning Local Intranet Zone URLs Information in Hosts file Upgrade Log File data Information it collects from your database is as follows: How many password lists and passwords Information about Active Directory Domains Count of Password Lists and tree path Count of auditing records Count of total users in the system Count of total Security Groups Passwordstate Licensing information Database Build Number, Base URL and Fips Mode, Ignored URLs and Backup Settings Detailed table sizes in database Email Notification information including Security Groups names and Usernames User Account Policy information including Security Groups names and Usernames **NOTE** if your web.config file connections string and AppSettings section is encrypted, we make a temporary copy of this web.config file, and decrypt it to get the connection information out of it, and then we delete this file from the file system. We do not store any of this data anywhere on the system, nor do we provide secret keys of connections information in the output file you supply back to click studios. **NOTE** If you are not comfortable in sending some or all of this information, we will still do our best to help you resolve your issue. We may just have to ask a series of questions to get to the bottom of the problem. Regards, Click Studios

If you are experiencing slow performance of your Passwordstate website, please put the answers to these following questions in an email and send it to support@clickstudios.com.au. There are different factors that can cause poor performance in different areas of the product, so this information will help troubleshoot the issue. Questions to Answer: Where is your Passwordstate database in relation to the Passwordstate web server? ie are they on the same LAN, across a WAN or possibly hosted in something like Azure or AWS? Do you use any Reverse Proxies or Load Balancers? Where are your clients accessing Passwordstate from? Same LAN, across a WAN etc? If you RDP into your Password web server, and launch Passwordstate inside that session, does this speed things up? Can you explain what pages are slow to access? ie is it when you first log into the system and the navigation tree takes a long time to render? Or is it when you click on a Password List as an example? What sort of times are you experiencing when loading pages? 5 seconds? 10 seconds etc? Are you running AV on your web server? If so, which brand? How much free memory do you have on your web and database server? If your users are seeing poor performance when opening a Password List, can you find out how many item they have configured to show in the grid? Screenshot below of this: Regards, Support.

If using the High Availability module in Passwordstate, this will mean you have two webservers hosting two Passwordstate websites, and most likely you'll have two SQL databases replicating data in real time. You will find the names and roles of your servers under Administration -> Authorized Web Servers, as per below screenshot: If the Polling Health is a visual reference that both servers are in sync, so if it is red in colour this could mean there is an issue you need to address. The mechanics of how the polling process works depend on if you have yoru HA web server set to run in Passive mode (server is in Read Only mode), or Active (Server is in Read/Write mode). Please note, you should always have one server on this page that has the Primary Server role assigned. This is very important as it will ensure the Passwordstate Windows Service is fully functional and processes a number of different tasks in the background. To troubleshoot why the polling health icons are red, please check the following: Passive Mode: If your HA server is set to Passive, the the Passwordstate service on the secondary server will make a call on a regular schedule to the primary site API. If it can contact it, it will show a successful green icon. Things to check: When logged into to your Primary Passwordstate site, check the URL under Administration -> System Settings -> Miscellaneous is correct. Ensure the Passwordstate Service on the secondary web server is running From your Secondary server, perform a Powershell open port test back to your primary website to ensure no firewalls are blocking access. Example is test-netconnection passwordstate.com.au -port 443 From your secondary server, try browsing to the poll test URL by appending /api/highavailability/primarypoll/polltest to your normal Passwordstate URL. If this works, you will see a Success:True message in the body of the website. If you do not see this, please investigate if you have load balancers or proxy servers that are blocking this API call, and possibly bypass these devices as a quick test to rule them out. Look in the Application Event logs for any errors, and if you find any, but can't work out what they are, submit them to Click Studios support for review (support@clickstudios.com.au) Active Mode: If running your HA server in Active mode, instead of making a call to the API it will insert the date, time and build number directly to the secondary database, and then when replication occurs back to the primary database this will be displayed as a healthy green polling status in the both of your Passwordstate websites. Things to check: Passwordstate service on the secondary web server is running Database replication is working (try adding a test password record into the system and then log into the second website to see if that password record is visible there - this should be almost instant if SQL replication is working) Look in the Application Event logs for any errors, and if you find any, but can't work out what they are, submit them to Click Studios support for review (support@clickstudios.com.au) **TIP** Another quick way to check replication is working correctly is to do a count of auditing events against both databases. This SQL query below should be run against both database servers, and they will and they will be exactly the same if replication is working correctly. Use Passwordstate Select count(*) from auditing Regards, Support:)

This article describes how to set up a group policy using the Google Chrome templates, and deploy the Passwordstate Browser extension to all machines in a specific Organisational Unit (OU). Please note this article is a general guide from Click Studios, and you should contact your Group Policy Administrators of your network before making any of the below changes. Step 1: Check the Chrome Policy Templates are available If you do not already have the Chrome policy templates available in Group Policy, you will need to follow these instructions. To check if Chrome Policy Templates are available in your group policy, log into your domain controller, and open gpedit.msc. If you see the following Google Chrome folder under Administrative Templates then you have the templates installed and you can skip to Step 2, otherwise follow the instruction below to add these policy templates in: Adding Chrome Policy Templates (These instructions are for servers based in English US location) On your domain controller, download this zip file and extract it to a temporary location: https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip Copy the .\policy_templates\windows\admx\chrome.admx file to C:\Windows\policydefinitions Copy the C:\Data\policy_templates\windows\admx\en-US\chrome.adml file to C:\Windows\policydefinitions\en-US Step 2: Creating and Applying the Policy Open Group Policy Manager on your domain controller, expand out your domain -> Group Policy Objects and create a New policy Name the policy something relevant like “Passwordstate Chrome" Right click this new policy and select Edit Expand out Passwordstate Chrome -> Computer Configuration -> Policies -> Administrative Templates -> Google Chrome -> Extensions Right click and Edit the “Configure the list of force-installed apps and extensions” Tick the Enable button, and then click the Show button Add the following text and click OK: appojfilknpkghkebigcdkmopdfcjhim;https://clients2.google.com/service/update2/crx Click Apply, and then click OK Close down the Group Policy Management Editor Right click the OU of your choice, and select Link and Existing GPO… Choose the “Passwordstate Chrome” policy For any machine that is in that OU, it will now automatically install the Passwordstate browser extension, if Chrome is installed on that machine. You may need to run a gpupdate /force in an elevated command prompt to apply this new group policy to the machine. Any updates Click Studios makes to the browser extension will automatically apply to your computers that have this group policy applied. It does this by connecting to the Chrome store so the computer must have access to the internet. If you disable this group policy, the extension will automatically be removed from the machines.

Certain brands of Anti-Virus software installed on your Passwordstate web server can cause issues with sessions in IIS (Internet Information Services). These AV products can kill sessions in IIS, causing the general error screen to appear in Passwordstate, and the following types of errors in the Error Console screen: It appears the user's session in IIS has been prematurely ended, causing the following error Object variable or With block variable not set Error Code = Incorrect syntax near the keyword 'DEFAULT' Error Code = Thread was being aborted ApplyScreenCustomisations Invalid Viewstate There was an issue validating both the AuthToken session variable and cookie The parameterized query Specified argument was out of the range of valid values in conjunction with ApplyScreenCustomisations() If you see any errors like this, please temporarily exclude the Passwordstate folder from any active scanning, as well as the w3wp.exe process, which is IIS. Generally the Passwordstate install folder is c:\inetpub\passwordstate. If this resolves the issue then remove the exclusion and contact your AV vendor for a permanent solution. Some of these errors can also be caused by using multiple instances of Passwordstate open in different browsers, or different tabs, and upgrading to the latest version will fix these errors. **EDIT** We have also been made aware that reverse proxies, or even web load balances can cause some of these errors. To rule out these solutions are causing these errors, please bypass them an monitor the error console. If you can determine that a Load Balancer or Reverse Proxy is causing the issue, please log a support call with that vendor to ask for advice on how to configure their solution to prevent this from happening. **EDIT 14th August 2023** Another customer has given us information when using Blackberry’s Cylance ENDPOINT (aka Cylance PROTECT and Cylance OPTICS). Information about this can be seen below: Memory protection policy needs to have these exclusions added: “\inetpub\Passwordstate\Bin\Passwordstate.exe” – for all violation types (build 9700 or below) “\inetpub\Passwordstate\WindowsService\Passwordstate.exe” – for all violation types (build 9708 or above) “\Program Files (x86)\Passwordstate Agent\PasswordstateAgent.exe” – ignore Malicious payload violation type “\Program Files (x86)\Passwordstate Agent\PasswordstateAgentUpgradeService.exe” – ignore Malicious payload violation type Regards Click Studios

Thanks for confirming Peter, and I'm not sure why you are seeing this. Could you contact us via our support page, and email us a copy of your web.config file, and we will try encrypting it ourselves? Thanks Click Studios

Hello, When a google translate part of the message, it says "The configuration section is encrypted". Can you tell me if you've opened the web.config file, and it still is not encrypted? Thanks Click Studios

Hi Eric, Yes, it is sorry - this post is a little out-dated. Here is the System Requirements page from our web site - https://www.clickstudios.com.au/passwordstate-system-requirements.aspx Regards Click Studios

Purpose: You need to get automatic email notifications based on some activity in Passwordstate. This forum post describes how to set up a Scheduled Report to achieve this. Step 1: Open Scheduled Reports from the left hand pane Reports Menu, and then click Add Report Step 2. By default, the report will be sent to you, but you can add another user email address in the CC field if required. Ensure you tick the Do not send report if it produces no results, and choose the Custom Auditing Report type Step 3: Choose the scheduled to be any thing you like. In this example I’ll create it to run every 5 minutes so the user will be email almost immediately after the event has been triggered. If there's no activity to report, Passwordstate will not email anything to the users. If it’s not urgent that the user finds out this information, you can choose a different time scale, like daily or weekly for example Step 4: Choose the Password List or Lists you’d like to monitor, the type of auditing activity that will trigger the report, and the amount of time to query data. This should match your schedule in Step 3 so data in reports being sent do no overlap Regards, Support

Hi Guys, Interesting - didn't know that was even in the works. With PowerShell and our WinAPI, it is the parameter -UseDefaultCredentials which is used to pass the identity of the authenticated "Windows" account across to our API - basically it's impersonation. I'm not sure, but I don't think PowerShell Core can support this, as you're not logged on as a Windows User - unless there's a way to do this in Linux. Regards Click Studios

Hi Habskilla, Sorry, the WinAPI (Windows API) can only be called from Windows Machines using PowerShell. With the use of PowerShell, you can execute the script under the identity of an Active Directory account, which then gives you the same level of access as if you were logged into Passwordstate. For Linux machines, you will need to use the standard API, which used API Keys for authentication. Regards Click Studios

Hello, Thanks for your request. As a work around, you could run the SQL Query below. Any Password Lists with a TotalPermissions of 0, means there is no Admin on the list. USE Passwordstate SELECT PasswordLists.PasswordListID, PasswordLists.PasswordList, PasswordLists.Description, PasswordLists.TreePath, (SELECT COUNT(PasswordListID) FROM [PasswordListsACL] PSSWD WHERE (PSSWD.PasswordListID = PasswordLists.PasswordListID) AND (PSSWD.Permissions = 'A')) As TotalPermissions FROM [PasswordLists] WHERE (PasswordLists.PrivatePasswordList = 0) AND (PasswordLists.Folder <> 1) GROUP BY PasswordLists.PasswordListID, PasswordLists.PasswordList, PasswordLists.Description, PasswordLists.TreePath ORDER BY PasswordLists.PasswordList Regards Click Studios

Hi Yes, This is only an email notification. You can also ensure no users login by enabling maintenance mode, and that will give them a page explaining they cannot use Passwordstate at the moment. Certainly not what you've asked for though. Regards Click Studios

Hello, Thanks for your request. Whilst not automated like you would like, you can send 'Outage Notifications' to all users from the screen Administration -> Backups and Upgrades. Just click on the 'Send Outage Notification' button, and adjust the details as appropriate. Regards Click Studios