Posts posted by support

  1. Hi Constantin,

     

    You can upload any type of file to a Password Record, a Password List or a Folder.  To upload a certificate file to a password record, please do this from the actions menu.  You'll see a little document icon on your Password Record after you have uploaded one, and your document can then be accessed from this icon, or also selecting the view Documents from the Actions menu.  Hope this helps!

     

    2019-06-18_7-56-43.png

     

    Regards,

    Support

  2. This forum post will show you how to encrypt and decrypt your web.config file.  This file by default is located in c:\inetpub\passwordstate folder on your webserver.

     

    A standard web.config file will be in clear text, and the two important parts of this file with sensitive information are the "Connection String" section, and the "AppSettings" section. 

     

    The ConnectionString section holds the credentials that your Passwordstate website uses to connect to your database.  So it will contain the server name, the database name and database instance if it is applicable, and the SQL username and password.

     

    The AppSettings section contains the two Secret Keys which are used to protect your website from being accessed if your database is stolen, and the setup stage of your install.

     

    A clear text web.config file looks like this:

    2024-01-30_13-14-35.png

     

    An encrypted web.config file looks like this:

    2024-01-30_13-12-14.png

     

    As you can see, the encrypted web.config file is not readable when it is encrypted, and this can protect your information in the event your web server has been compromised.

     

    Encrypting Web.config file:

    To encrypt or decrypt the different sections of the web.config file, please follow the instructions below.

     

    Step 1:

    Open a command prompt as Administrator

     

    Step 2:

    Change directories by copying and pasting the following code into your command prompt, and hit enter:  CD C:\Windows\Microsoft.NET\Framework64\v4.0.30319

     

    Step 3:

    To encrypt the connectionString section, execute this line of code:  aspnet_regiis.exe -pef "connectionStrings" "c:\inetpub\passwordstate"

     

    To encrypt the AppSettings section, execute this line of code:  aspnet_regiis.exe -pef "appSettings" "c:\inetpub\passwordstate"

     

     

    Decrypting the web.config file:

    To decrypt the web.config file, the code you execute is only slightly different:

     

    Step 1:

    Open a command prompt as Administrator

     

    Step 2:

    Change directories by copying and pasting the following code into your command prompt, and hit enter:  CD C:\Windows\Microsoft.NET\Framework64\v4.0.30319

     

    Step 3:

    To decrypt the connectionString section, execute this line of code:  aspnet_regiis.exe -pdf "connectionStrings" "c:\inetpub\passwordstate"

     

    To decrypt the AppSettings section, execute this line of code:  aspnet_regiis.exe -pdf "appSettings" "c:\inetpub\passwordstate"

     

     

     

    Notes:

    Note 1: Decrypting the web.config file must be carried out on the same server where it was encrypted, otherwise this process will not work.  This is part of the security and is built in to the operating system.  If you are migrating your Passwordstate website to a new server, it must be decrypted first on the old server, otherwise your website will not load. 

     

    Note 2: If you encrypt the AppSettings section of your web.config file, it is imperative you keep an exported copy of your encryption keys in a safe place, as they may be required in the event of a server rebuild, or server move. You can export your encryption keys to a password protected zip file under Administration -> Encryption Keys once you have access to your website. The Passwordstate built-in backup feature can also take a backup of your encryption keys on a regular schedule. Please see the Click Studios documentation page for links on how to set this up: https://www.clickstudios.com.au/documentation/

     

    Note 3: If you intend to rename your server host name, or move your Passwordstate install to a different server, you should decrypt your web.config file first, and re-encrypt it again once the renaming is complete.

     

    If you have any more questions about this, please contact Click Studios support via email, and we'll help in any way we can.

     

    Regards,

    Support.

     

    2024-01-30_13-07-01.png
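
A way to confirm the result of the encrypt and decrypt steps above without opening the file by hand, as an added example that is not part of the original post and is not Click Studios code. It reports whether each section carries the `configProtectionProvider` attribute and `EncryptedData` element that ASP.NET protected configuration writes; the function name and the sample document are constructed for illustration, and no setting values are printed.

```powershell
# Added example: report the protection state of the two sensitive web.config sections.
function Get-ConfigSectionProtection {
    param(
        [Parameter(Mandatory)] [xml] $Config,
        [string[]] $Sections = @('connectionStrings', 'appSettings')
    )
    foreach ($name in $Sections) {
        # local-name() keeps the lookup working if the root element declares a namespace.
        $node = $Config.SelectSingleNode("/*[local-name()='configuration']/*[local-name()='$name']")
        if ($null -eq $node) {
            [pscustomobject]@{ Section = $name; State = 'Missing'; Provider = '' }
            continue
        }
        # An encrypted section names its provider and holds an EncryptedData child
        # in place of the readable <add .../> entries.
        $provider  = $node.GetAttribute('configProtectionProvider')
        $hasCipher = $null -ne $node.SelectSingleNode("*[local-name()='EncryptedData']")
        if ($provider -and $hasCipher) {
            $state = 'Encrypted'
        }
        elseif (-not $provider -and -not $hasCipher) {
            $state = 'ClearText'
        }
        else {
            # Attribute without cipher data (or the reverse) means a hand-edited or damaged file.
            $state = 'Inconsistent'
        }
        [pscustomobject]@{ Section = $name; State = $state; Provider = $provider }
    }
}

# Constructed sample: connectionStrings encrypted, appSettings still readable.
# Key names and values below are placeholders, not real Passwordstate settings.
$sample = @'
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>CONSTRUCTED-PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings>
    <add key="ExampleKey" value="constructed-sample-value" />
  </appSettings>
</configuration>
'@

# Expected for the sample: connectionStrings = Encrypted, appSettings = ClearText.
Get-ConfigSectionProtection -Config $sample | Format-Table -AutoSize

# Check the live file if this is run on the web server (default path from the post).
$path = 'C:\inetpub\passwordstate\web.config'
if (Test-Path -LiteralPath $path) {
    $live = [xml](Get-Content -LiteralPath $path -Raw)
    Get-ConfigSectionProtection -Config $live | Format-Table -AutoSize
}
```

Running it before a server rename or migration shows whether the decrypt step from Notes 1 and 3 still needs to be done.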

  3. Hi ParrishK, 

     

    Sorry we didn't respond back to this yesterday:( 

     

    Could you please send us your log file from C:\inetpub\Passwordstate\hosts\gateway to our support email address (support@clickstudios.com.au)?  It might be worth zipping up the logs folder in that same directory and sending it through to us.  Hopefully there is some sort of error in here which will lead us to a condition that is causing this to hang.

     

    Regards,

    Support.

  4. Hello,

     

    Sorry you're having some issues, and can you confirm a few more things for us:

    • What Build of Passwordstate are you using
    • What Browser Type are you using
    • Is your Passwordstate-Gateway Windows Service started
    • What sort of certificate did you export to use with the Gateway - is it a trusted certificate, or is it a self-Signed certificate
    • With the URL you're using for Passwordstate, is the DNS entry for this from internal DNS, or external? If external, you may need to open access on your firewall to get to the Gateway's default port which is 7273
    • If you go to the screen Administration -> Remote Session Management and click on the 'Browser Based Gateway Settings' button, if there is a URL specified in the 'Gateway URL' field, please clear this, Save the change, and then test again
    • From your Passwordstate web server, do you have network connectivity to the Host? You can run the following PowerShell command to determine this (change host name and port as appropriate) - test-netconnection hostname.domain.com -port 3389
    • Do you have any firewalls enabled on your Passwordstate web server? If so, you may need to allow access on Port 7273

     

    Regards

    Click Studios

  5. Thanks - we've been meaning to work on this for quite some time now, but it does require updating several hundred calls to the database, and testing them all, across all tiers and modules in Passwordstate.

    There just seem to be a lot more other requests that seem to take up our time. Maybe we could improve the delete process here, so the user is well aware this is an irreversible process - we could make them acknowledge it by forcing them to tick a checkbox.

     

    Regards

    Click Studios

  6. Passwordstate can work with Azure MFA, using our One Time Passwords authentication option.  Here's how to set this up:

     

    Step 1:

    Take note of your emergency password under Administration -> Emergency Access.  If you make a mistake during this process, you can reverse out the changes using this password.  This video shows how to use the Emergency Password:  https://www.youtube.com/watch?v=yP0riGN5Ek4

     

     

    Step 2:

    Under Administration -> System Settings -> Authentication Options, choose either Manual AD and One Time Password, or just One Time Password.  Save this once you have confirmed your choice. 

     

     

    2019-04-10_8-39-24.png

     

    Step 3:

    Download and install the Microsoft Authenticator App on your phone from the App Store

     

    Step 4:

    Browse to your Passwordstate website, and on the login screen you should be presented with a QR Code.  Scan this into your phone and you should have a functioning One Time Password code you can use to log into Passwordstate

     

    We hope this helps and please let us know if you have any questions about this.

     

    Regards,

    Support

  7. Yes, this is what would be required, but presenting that meaningfully in auditing data would be a challenge. If you have a look at the database schema of the SystemSettings table alone, we would somehow need to present the 200 odd different fields into meaningful auditing data. Not impossible, but we'd expect quite a bit of development work would be required to achieve it.

    Regards

    Click Studios

  8. Thanks Sarge.

     

    We've also thought about this in the past, but not sure technically how we would achieve this - if you look at all the possible settings alone under the System Settings screen, there would be 100's if not 1000's of changes that would need to be somehow tracked, and reported. Hopefully one day we can come up with a solution for this.

    Regards

    Click Studios

  9. Hi Bobby,

    Yes, that is what a lot of our customers do to store SSL certificates. 

     

    Your other option is to select the SSL Certificates template when creating a Password List, and this will configure a Generic Field to store the 'text' value of your certificate in.

     

    sslcerts.png


    Regards

    Click Studios

  10. Hello habskilla.

     

    The Folder view in version 7 was the exact same screen as Passwords Home, but just a filtered view.

    So we did not remove it as such, as this is a completely new screen and features in version 8, which we haven't had the time to work on providing customization for.

    We hope this clarifies.

    Regards

    Click Studios

  11. If you have the Active Directory integrated version of Passwordstate installed, by default, Passwordstate requires you to enter your Active Directory username and password to authenticate into the system.  It is possible for Passwordstate to take your currently logged in credentials from your Windows session, and pass them through to Passwordstate.  There are a few things to do and be aware of when setting this up:

     

    • First you need to disable Anonymous Authentication in IIS, which is a default setting that we set during the install. To do this open Internet Information Services (IIS) on your web server, select your Passwordstate website and click Authentication

     

    2019-01-25_8-36-37.png

     

    • Now right click Anonymous Authentication and disable it so it looks like this:

     

    2019-01-25_8-36-59.png

     

    • Back in Passwordstate, go to Administration -> System Settings -> Authentication Options and select AD Single Sign-On:

     

    2023-03-29_8-26-00.png

     

    Things to consider:

     

    We hope this helps!

    Support.

     

  12. To help us troubleshoot your issue, it is very handy for us to know certain information about your Passwordstate website, database, and the infrastructure that it is running on.  To help speed up our support response times, we've developed a Powershell script that will collect some information about your environment. 

     

    To run this script:

    1. Please download the "Passwordstate Support Information Script" script from our Checksums page here https://www.clickstudios.com.au/passwordstate-checksums.aspx
    2. Extract the zip file and save the ServerInfo.ps1 file on your Passwordstate web server
    3. Open Powershell ISE "As Administrator" and open your ServerInfo.ps1 file
    4. Run the script
    5. When the script has finished it will create a ServerInfo.zip file in the same folder where you have run the script from.  Please email that back to support@clickstudios.com.au for analysis.

     

    Below is full disclosure of what the script is doing:

    • This script will not make any changes to your server, or Passwordstate environment
    • Information it collects from your web server is as follows:
      • Current Passwordstate version
      • All Installed Programs on your server
      • Name of your web server
      • Last time your web server was rebooted
      • Free disk space and free memory on your web server
      • A check to see if your web server is a part of a domain, or a workgroup
      • What language the web server is in, plus OS version and .NET version
      • Information about your Passwordstate App Pools in IIS - Names, Path and Identity Type
      • Installation path of your Passwordstate website
      • Passwordstate web bindings in IIS and Authentication options
      • NSLookups and tracerts of each URL for the Passwordstate website only
      • List of certificates names on the web server, expiry date and who they are issued by
      • Powershell version
      • IP address of webserver
      • Information about Passwordstate services - If they are running and who is the logon identity and when they were stopped, and started
      • Local Administrator Accounts if there are any
      • Passwordstate installation folder permissions
      • Event Log errors from the Application Event logs
      • Information from the web.config file - database server name, SQL instance, database name, setup stage and passivenode values.  We also query the username and password out of the connection string, but do not store this anywhere.  We only use this information temporarily to connect to your database and gather the information in the section below
      • The remaining non sensitive part of the web.config file is also collected.  You'll find your web.config file inside the zip file, but you'll see all sensitive info in the ConnectionString and AppSettings Section is redacted.
      • .NET Framework versioning
      • Local Intranet Zone URLs
      • Information in Hosts file
      • Upgrade Log File data

     

    • Information it collects from your database is as follows:
      • How many password lists and passwords
      • Information about Active Directory Domains
      • Count of Password Lists and tree path
      • Count of auditing records
      • Count of total users in the system
      • Count of total Security Groups
      • Passwordstate Licensing information
      • Database Build Number, Base URL and Fips Mode, Ignored URLs and Backup Settings
      • Detailed table sizes in database
      • Email Notification information including Security Groups names and Usernames
      • User Account Policy information including Security Groups names and Usernames

     

    **NOTE** If your web.config file connection string and AppSettings sections are encrypted, we make a temporary copy of this web.config file, and decrypt it to get the connection information out of it, and then we delete this file from the file system.  We do not store any of this data anywhere on the system, nor do we provide secret keys or connection information in the output file you supply back to Click Studios.

     

    **NOTE** If you are not comfortable in sending some or all of this information, we will still do our best to help you resolve your issue.  We may just have to ask a series of questions to get to the bottom of the problem.

     

    Regards,

    Click Studios

  13. If you are experiencing slow performance of your Passwordstate website, please put the answers to these following questions in an email and send it to support@clickstudios.com.au.  There are different factors that can cause poor performance in different areas of the product, so this information will help troubleshoot the issue.

     

    Questions to Answer:

    1. Where is your Passwordstate database in relation to the Passwordstate web server?  ie are they on the same LAN, across a WAN or possibly hosted in something like Azure or AWS?
    2. Do you use any Reverse Proxies or Load Balancers?
    3. Where are your clients accessing Passwordstate from?  Same LAN, across a WAN etc?
    4. If you RDP into your Password web server, and launch Passwordstate inside that session, does this speed things up?
    5. Can you explain what pages are slow to access?  ie is it when you first log into the system and the navigation tree takes a long time to render?  Or is it when you click on a Password List as an example?
    6. What sort of times are you experiencing when loading pages? 5 seconds?  10 seconds etc?
    7. Are you running AV on your web server?  If so, which brand?
    8. How much free memory do you have on your web and database server?
    9. If your users are seeing poor performance when opening a Password List, can you find out how many items they have configured to show in the grid?  Screenshot below of this:

     

    2018-11-13_8-23-39.png

     

    Regards,

    Support.

     

  14. If using the High Availability module in Passwordstate, this will mean you have two webservers hosting two Passwordstate websites, and most likely you'll have two SQL databases replicating data in real time.  You will find the names and roles of your servers under Administration -> Authorized Web Servers, as per below screenshot:

     

    2023-05-10_9-39-04.png

     

    The Polling Health is a visual reference that both servers are in sync, so if it is red in colour this could mean there is an issue you need to address.  The mechanics of how the polling process works depend on if you have your HA web server set to run in Passive mode (server is in Read Only mode), or Active (Server is in Read/Write mode).

     

    Please note, you should always have one server on this page that has the Primary Server role assigned. This is very important as it will ensure the Passwordstate Windows Service is fully functional and processes a number of different tasks in the background.

     

    To troubleshoot why the polling health icons are red, please check the following:

     

    Passive Mode:

    If your HA server is set to Passive, then the Passwordstate service on the secondary server will make a call on a regular schedule to the primary site API.  If it can contact it, it will show a successful green icon.

     

    Things to check:

    • When logged into your Primary Passwordstate site, check the URL under Administration -> System Settings -> Miscellaneous is correct.
    • Ensure the Passwordstate Service on the secondary web server is running
    • From your Secondary server, perform a Powershell open port test back to your primary website to ensure no firewalls are blocking access.  Example is test-netconnection passwordstate.com.au -port 443
    • From your secondary server, try browsing to the poll test URL by appending /api/highavailability/primarypoll/polltest to your normal Passwordstate URL.  If this works, you will see a Success:True message in the body of the website.  If you do not see this, please investigate if you have load balancers or proxy servers that are blocking this API call, and possibly bypass these devices as a quick test to rule them out.
    • Look in the Application Event logs for any errors, and if you find any, but can't work out what they are, submit them to Click Studios support for review (support@clickstudios.com.au)

     

    Active Mode:

    If running your HA server in Active mode, instead of making a call to the API it will insert the date, time and build number directly to the secondary database, and then when replication occurs back to the primary database this will be displayed as a healthy green polling status in both of your Passwordstate websites.

     

    Things to check:

    • Passwordstate service on the secondary web server is running
    • Database replication is working (try adding a test password record into the system and then log into the second website to see if that password record is visible there - this should be almost instant if SQL replication is working)
    • Look in the Application Event logs for any errors, and if you find any, but can't work out what they are, submit them to Click Studios support for review (support@clickstudios.com.au)

     

    **TIP**

    Another quick way to check replication is working correctly is to do a count of auditing events against both databases.  This SQL query below should be run against both database servers, and they will be exactly the same if replication is working correctly.

     

    Use Passwordstate

    Select count(*) from auditing

     

     

    Regards,

    Support:)

     

  15. This article describes how to set up a group policy using the Google Chrome templates, and deploy the Passwordstate Browser extension to all machines in a specific Organisational Unit (OU).  Please note this article is a general guide from Click Studios, and you should contact the Group Policy Administrators of your network before making any of the below changes.

     

    Step 1: Check the Chrome Policy Templates are available

    If you do not already have the Chrome policy templates available in Group Policy, you will need to follow these instructions. 

     

    To check if Chrome Policy Templates are available in your group policy, log into your domain controller, and open gpedit.msc.  If you see the following Google Chrome folder under Administrative Templates then you have the templates installed and you can skip to Step 2, otherwise follow the instructions below to add these policy templates in:

    2018-10-29_12-08-22.png

     

    Adding Chrome Policy Templates (These instructions are for servers based in English US location)

     

    1. On your domain controller, download this zip file and extract it to a temporary location:  https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
    2. Copy the .\policy_templates\windows\admx\chrome.admx file to C:\Windows\policydefinitions
    3. Copy the C:\Data\policy_templates\windows\admx\en-US\chrome.adml file to C:\Windows\policydefinitions\en-US

     

    Step 2: Creating and Applying the Policy

     

    1. Open Group Policy Manager on your domain controller, expand out your domain -> Group Policy Objects and create a New policy
      2018-10-29_10-13-27.png
       
    2. Name the policy something relevant like “Passwordstate Chrome”
      2018-10-29_11-36-12.png
       
    3. Right click this new policy and select Edit
      2018-10-29_11-36-46.png
       
    4. Expand out Passwordstate Chrome  -> Computer Configuration -> Policies -> Administrative Templates -> Google Chrome -> Extensions
      2018-10-29_11-38-53.png
       
    5. Right click and Edit the “Configure the list of force-installed apps and extensions” setting
      2018-10-29_11-39-23.png
       
    6. Tick the Enable button, and then click the Show button
      2018-10-29_11-39-39.png
       
    7. Add the following text and click OK:  appojfilknpkghkebigcdkmopdfcjhim;https://clients2.google.com/service/update2/crx
      2018-10-29_11-40-02.png
       
    8. Click Apply, and then click OK
      2018-10-29_11-50-15.png
       
    9. Close down the Group Policy Management Editor
    10. Right click the OU of your choice, and select Link an Existing GPO…
    11. Choose the “Passwordstate Chrome” policy

     

    For any machine that is in that OU, it will now automatically install the Passwordstate browser extension, if Chrome is installed on that machine.  You may need to run a gpupdate /force in an elevated command prompt to apply this new group policy to the machine.

     

    Any updates Click Studios makes to the browser extension will automatically apply to your computers that have this group policy applied. It does this by connecting to the Chrome store so the computer must have access to the internet.

     

    If you disable this group policy, the extension will automatically be removed from the machines.
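
A way to audit what the policy above actually force-installs on a machine, as an added example that is not part of the original post and is not Click Studios code. It checks each force-list entry against an allow-list holding the extension ID and update URL from step 7; the function name, the allow-list variable and the two non-matching sample entries are constructed for illustration, and the registry path is where Chrome reads this machine policy on Windows.

```powershell
# Added example: validate Chrome force-installed extension entries against an allow-list.
$Approved = @{
    # Extension ID and update URL exactly as given in step 7 of the post.
    'appojfilknpkghkebigcdkmopdfcjhim' = 'https://clients2.google.com/service/update2/crx'
}

function Test-ForcelistEntry {
    param(
        [Parameter(Mandatory)] [string] $Entry,
        [hashtable] $Allowed = $Approved
    )
    # Each entry has the form "<extension id>;<update url>".
    $id, $url = $Entry.Trim() -split ';', 2
    if ($id -cnotmatch '^[a-p]{32}$') {
        # Chrome extension IDs are 32 characters drawn from a-p.
        $verdict = 'MalformedId'
    }
    elseif (-not $Allowed.ContainsKey($id)) {
        $verdict = 'NotApproved'
    }
    elseif ($url -cne $Allowed[$id]) {
        # Approved ID, but updates would be fetched from somewhere other than expected.
        $verdict = 'UnexpectedUpdateUrl'
    }
    else {
        $verdict = 'OK'
    }
    [pscustomobject]@{ Id = $id; UpdateUrl = $url; Verdict = $verdict }
}

# Constructed sample entries: the one from the post, the same ID with a
# placeholder update URL, and a placeholder ID that is not on the allow-list.
$samples = @(
    'appojfilknpkghkebigcdkmopdfcjhim;https://clients2.google.com/service/update2/crx'
    'appojfilknpkghkebigcdkmopdfcjhim;https://updates.example.invalid/crx'
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx'
)
# Expected verdicts, in order: OK, UnexpectedUpdateUrl, NotApproved.
$samples | ForEach-Object { Test-ForcelistEntry -Entry $_ } | Format-Table -AutoSize

# On a machine in the OU, check what the applied policy really contains.
$key = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
if (Test-Path -LiteralPath $key) {
    $regKey = Get-Item -LiteralPath $key
    $regKey.GetValueNames() |
        ForEach-Object { Test-ForcelistEntry -Entry ([string]$regKey.GetValue($_)) } |
        Format-Table -AutoSize
}
```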
     

  16. Certain brands of Anti-Virus software installed on your Passwordstate web server can cause issues with sessions in IIS (Internet Information Services). These AV products can kill sessions in IIS, causing the general error screen to appear in Passwordstate, and the following types of errors in the Error Console screen:

     

    • It appears the user's session in IIS has been prematurely ended, causing the following error
    • Object variable or With block variable not set
    • Error Code = Incorrect syntax near the keyword 'DEFAULT'
    • Error Code = Thread was being aborted
    • ApplyScreenCustomisations
    • Invalid Viewstate
    • There was an issue validating both the AuthToken session variable and cookie
    • The parameterized query

    • Specified argument was out of the range of valid values in conjunction with ApplyScreenCustomisations()

     

    If you see any errors like this, please temporarily exclude the Passwordstate folder from any active scanning, as well as the w3wp.exe process, which is IIS.  Generally the Passwordstate install folder is c:\inetpub\passwordstate.  If this resolves the issue then remove the exclusion and contact your AV vendor for a permanent solution.

     

    Some of these errors can also be caused by using multiple instances of Passwordstate open in different browsers, or different tabs, and upgrading to the latest version will fix these errors.

     

    **EDIT** We have also been made aware that reverse proxies, or even web load balancers can cause some of these errors.  To rule out that these solutions are causing these errors, please bypass them and monitor the error console. 

     

    If you can determine that a Load Balancer or Reverse Proxy is causing the issue, please log a support call with that vendor to ask for advice on how to configure their solution to prevent this from happening.  

     

    **EDIT 14th August 2023**

    Another customer has given us information when using Blackberry’s Cylance ENDPOINT (aka Cylance PROTECT and Cylance OPTICS).  Information about this can be seen below:

     

    Memory protection policy needs to have these exclusions added:

    1. “\inetpub\Passwordstate\Bin\Passwordstate.exe” – for all violation types (build 9700 or below)
    2. “\inetpub\Passwordstate\WindowsService\Passwordstate.exe” – for all violation types (build 9708 or above)
    3. “\Program Files (x86)\Passwordstate Agent\PasswordstateAgent.exe” – ignore Malicious payload violation type
    4. “\Program Files (x86)\Passwordstate Agent\PasswordstateAgentUpgradeService.exe” – ignore Malicious payload violation type

     

     

    Regards

    Click Studios
