Server Settings

The Server settings dialog box can be found in the menu item Manage. It includes the following tabs: General, Connections, Logging, Backups, Additional, Email, 2FA Settings, Active Directory and Azure AD. In general, the server settings are used for server configuration and for defining settings that affect the entire server and all users. The content of each tab available in the server settings is explained in detail below.

General

Server

You can define basic server settings here:

  • Server language: You can select the language of the server (not the language for Server Manager's user interface!). You can choose between English, German, French, Spanish and Dutch.
  • Server port: You can define the port number for the client-to-server connection. The default port number is displayed here, but you can change the value if required. When changing the port number, make sure to also change it in the client and use the correct port for your server connection.
  • Internet Protocol: Here, you can specify which Internet Protocol version should be used by default. The following options are available: IPv4+IPv6, IPv4, IPv6. Depending on the network configuration, administrators can thus define which Internet Protocol versions the server should support. The server sends an info message about the supported Internet Protocol versions to the clients via UDP; the clients then automatically choose the correct version for the main TCP connection.
  • Use SSL/TLS for TCP Server: You can activate the SSL/TLS connection when connecting clients to the Enterprise Server. Click Install Certificate to install the certificate in the Server Manager. A new dialog window will open where you will have to specify the correct path for your certificate file and its private key. Besides, you will also have to enter the certificate's password here.
  • Keepalive enabled: You can activate the Keepalive feature if clients connect to a server which is not part of the same local network.

WARNING: In case you decide to change the default port, make sure that it is not used by any other application.

REST Server

  • Origin URL: Enter the correct URL of your Password Depot web server. It should be the exact URL which is used for addressing your Enterprise Server through the Password Depot web interface.
  • Use SSL/TLS for REST Server: You can activate the SSL/TLS connection for REST Server connections. Thanks to the REST Server implementation you can also access the Enterprise Server via REST API. A new web interface is available in the source code for demonstration or productive use. It is basically a web server which can use both the HTTP and the HTTPS (recommended) protocol. To use HTTPS, a valid certificate is required on the server. Click Install Certificate to install it.

HINT: For more information about SSL connections on the Enterprise Server please have a look at the following knowledge base article: How does the SSL connection in Password Depot Enterprise Server work and which settings are required?

Databases

  • Storage folder: You can specify the path where server databases are stored by default. In Password Depot 15 this is C:\Program Files\AceBIT\Password Depot Server 15\Data\DB. You can change the path; however, we always recommend storing the databases on a local drive instead of a network share or mapped drive, since the latter may not be accessible at all times. If, while saving a database, Password Depot Enterprise Server cannot find or access the path specified in the server settings, it will fall back to the default settings and save the databases to the default folder.

Connections

Supported authentications

Here, you can define the supported authentications on your server. You can choose between the following options: User credentials (account and password), Integrated Windows Authentication (Single Sign On) and/or Azure Active Directory. The server supports activating more than one authentication mode at the same time. 

HINT: For more information about the Integrated Windows Authentication as well as the required settings please check the following knowledge base article: How do I log on to the Enterprise Server using the Integrated Windows Authentication (SSO)?

Supported clients

Check all the clients that should support the Enterprise Server connection. The following options are available here:

  • Standard Edition for Windows
  • Corporate Edition for Windows
  • Android Edition
  • iOS Edition
  • macOS Edition
  • Web Client

NOTE: All clients supposed to be used for Enterprise Server connections need to be activated in the Server Manager. If a client is deactivated here, users won't be able to use the disabled edition to connect to the Enterprise Server.

New connection from different device

You can decide how you would like to proceed with connections carried out by the same user but from other devices. You can choose between the following:

  • Deny new connection when user is already logged on 
  • Close existing connection and allow new one
  • Allow multiple connections from different IP addresses

NOTE: As with many other similar servers, we do not recommend allowing multiple simultaneous connections by the same user on the Enterprise Server either. This feature was implemented because users may need to connect with their desktop client and a mobile device at the same time. This works because mobile devices are not synchronized with the server in real time. However, if a user tries to establish a server connection using their account on two different Windows clients at the same time, this may cause problems: the user may get disconnected from at least one device.

Inactive sessions

Specify how Password Depot Enterprise Server should handle inactive connections. For example, you can define that clients should be disconnected from the server after a specific period of inactivity. If you activate this option, you can additionally specify that the database should be closed and users logged out.

Logging

In this tab you can define anything referring to the logs of Password Depot Enterprise Server. The following options are available here:

Local log

  • Logs folder: You can see here the default directory for storing the Enterprise Server's logs which is C:\Program Files\AceBIT\Password Depot Server 15\Logs. You can change the location using the browse button. In any case, we recommend always using a local directory, if possible.
  • Max. file size (KB): Determine the maximum size (KB) of the server's log file.
  • Create new log file: Select a time when to create a new log file.
  • Delete logs: Define the settings for deleting already existing logs. You can either select never deleting any log files or determine a maximum number of log files to be kept, 30 for example (this is the default value). This means that the latest 30 files will be saved and older log files will be deleted automatically.

Remote log

  • Send log messages to a remote server: Check this box to activate the option and send the Enterprise Server's log files to an external log server. You can specify the address and port of the external server the log files should be sent to. This way you can ensure that the logs are not manipulated.

Backup databases and settings

In this tab you can specify the settings of your backup files in general. The following options are available:

Backup

  • Backup folder: You can specify where backup copies of your server database should be saved. By default, they are stored in the directory C:\Program Files\AceBIT\Password Depot Server 15\Backups\. Use the browse button to change it. However, as with the server's log files, we recommend always using a local directory for storing the backup files, if possible. The server backup files include your databases, logs and the server's configuration file (pwd_srv.cfg), where the users, permissions and server configuration are saved.
  • On every startup: Select this option in order to create a new backup copy on every startup.
  • Backup databases every: Set a time for Password Depot Enterprise Server to automatically create a new backup file. We recommend creating new backup files at least once a day (that is, once in 24 hours). Since version 17.0.5 you can also choose between the following intervals: Monthly, Weekly, Daily, Hourly (this option allows you to specify an interval within a certain time frame).

Delete old backups

  • Limit number of stored backups to: This option allows you to set the maximum number of backups.
  • Delete backup files older than: Activate this option if you would like to automatically delete backup files older than x months from the server's backup directory. You can determine a specific period of time for this deletion to take place.
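The two retention rules above (keep at most N backups, delete backups older than x months) and the Delete logs option in the Logging tab (keep the latest 30 log files) follow the same pattern. The following is an added Python example, not code from Password Depot or AceBIT: it shows how both rules combine on a constructed list of backup files, assuming file names and timestamps of our own making and approximating "x months" with calendar arithmetic.

```python
from datetime import datetime


def months_before(now: datetime, months: int) -> datetime:
    """Calendar cutoff `months` before `now` (day clamped to 28 so the date always exists)."""
    year, month = now.year, now.month - months
    while month <= 0:
        year -= 1
        month += 12
    return now.replace(year=year, month=month, day=min(now.day, 28))


def select_for_deletion(files, now: datetime, max_count=None, max_age_months=None):
    """Apply both retention rules to a list of (name, created_at) tuples.

    - max_count:      keep only the newest N files ('Limit number of stored
                      backups to', or the 'Delete logs' count for log files)
    - max_age_months: delete anything older than x months
                      ('Delete backup files older than')
    Returns (keep, delete); both lists are ordered newest first.
    """
    ordered = sorted(files, key=lambda f: f[1], reverse=True)
    doomed = set()
    if max_count is not None:
        doomed.update(name for name, _ in ordered[max_count:])
    if max_age_months is not None:
        cutoff = months_before(now, max_age_months)
        doomed.update(name for name, ts in ordered if ts < cutoff)
    keep = [name for name, _ in ordered if name not in doomed]
    delete = [name for name, _ in ordered if name in doomed]
    return keep, delete


# Constructed sample: hourly backups plus a few old ones (not real server output).
NOW = datetime(2024, 6, 15, 12, 0)
SAMPLE_BACKUPS = [
    ("backup_2024-06-15_1100.zip", datetime(2024, 6, 15, 11, 0)),
    ("backup_2024-06-15_1000.zip", datetime(2024, 6, 15, 10, 0)),
    ("backup_2024-06-15_0900.zip", datetime(2024, 6, 15, 9, 0)),
    ("backup_2024-06-14_1200.zip", datetime(2024, 6, 14, 12, 0)),
    ("backup_2024-01-02_1200.zip", datetime(2024, 1, 2, 12, 0)),
    ("backup_2023-12-30_1200.zip", datetime(2023, 12, 30, 12, 0)),
]

if __name__ == "__main__":
    keep, delete = select_for_deletion(SAMPLE_BACKUPS, NOW, max_count=4, max_age_months=3)
    print("keep:  ", keep)
    print("delete:", delete)
```

Either rule alone may leave you with no backup at all (for example, a long outage followed by an age-based purge), which is why the page recommends keeping the automatic backup options enabled so that new files keep arriving.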

NOTE: By default, the options Backup databases on every startup and Backup databases every x hours are checked, and we strongly recommend keeping both options activated at all times.

Backup log

  • Log backups to file: If you activate this option, Password Depot Enterprise Server will create a log of all generated backups and save it to the specified file. At a later point of time, this will help you to track the times server backups were created.

Additional

The Additional tab contains more options including the following:

Editing entries

  • Lock entry timeout (min.): You can determine a specific lock entry timeout (min.) here. By default this is five minutes, however, you can increase or decrease the lock entry timeout, if required. If a user has opened an entry but is not working with it, this specific entry will then be locked automatically if the timeout set up in the Server Manager has expired.

Private databases

  • Automatically create private databases for new users: You can determine whether a private database should be created automatically for every new user on the Enterprise Server. Those private databases will then also be stored on the server, and users can add their own private entries there which are not supposed to be part of the company's server database. Private databases will be displayed as Private_DB_<USER>.pswe in the Database area.
  • Automatically delete private databases for deleted users: You can further determine whether private databases should be deleted automatically from the server once the user a private database has been assigned to is removed from the Enterprise Server. If this option is activated and a user is deleted in the Server Manager, their private database will be deleted from the server, too, and thus will no longer be available on the server.

NOTE: By default, both options are deactivated.

WebSockets port for clients

  • Use default port number: The add-on's default port number is 25109. It is checked in the server settings by default. If the browser add-on is activated, port 25109 is used for communication and users do not need to adjust their settings, since port 25109 is also set in the browser by default. However, if required, this port can be changed. In any case, please note that users will then have to change the port number in the client (Edit → Options → Browsers → WebSockets port) and in the browser itself.
  • Auto-generate unique port numbers (recommended for Terminal Servers): As the description says, this option is strongly recommended when using Password Depot on a terminal server. Since all users work on the same system when using a terminal server, it must be ensured that each user is assigned a unique port number for communication with the add-on. The socket port number is a physical rather than a virtual parameter and therefore cannot be shared by different instances of the Password Depot client. If you do not use individual port numbers for each client, problems will definitely occur, since Password Depot cannot know where to send the access data requested by the add-on. In this case, User A may receive access data from User B even though he has no access rights for those entries. Therefore, when using a terminal server, it is mandatory to assign an individual port number to each user who is to work with Password Depot on the terminal server. As a best practice, check the option Auto-generate unique port numbers (recommended for Terminal Servers) in the server settings and use it by default on the Enterprise Server. Each user on the server will then be assigned a separate port number automatically, and it will not be necessary to adjust the port number for each user individually.

HINT: For additional information please have a look at the following knowledge base article: How do I change the port number when working with the add-on and using Password Depot on a terminal server?

Failed logins

Here, you can determine the maximum number of failed login attempts a user can make before his server account is blocked temporarily. If a user account has been blocked, it can be re-activated by the server administrator. To do so, open the Server Manager, go to Users → <USERNAME> → Accounts and uncheck the box Account deactivated.

NOTE: A user's failed login attempts are not reset after some hours or days; the Password Depot Server Manager remembers the number of failed login attempts and adds them up. However, if a user enters the correct password after two failed login attempts (provided the maximum number of failed login attempts is set to 3 in the Server Manager), the previous failed attempts are deleted and the counter is reset to 0. The next time the same user wants to log in to the Enterprise Server, he will have another 3 login attempts before his account is blocked again, and so on.
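The counting rule in the note above (attempts accumulate indefinitely, a correct password resets the counter, reaching the maximum deactivates the account until an administrator re-activates it) is easy to get wrong when writing your own monitoring or when explaining it to helpdesk staff. The following Python class is an added example of that rule, not code from Password Depot or AceBIT; the class and method names, the account name and the event strings are all assumptions of this example.

```python
class LoginGuard:
    """Failed-login counter with the semantics described above (assumed model, not product code).

    Counts never decay with time; a successful login resets the count to 0;
    reaching max_failed_attempts deactivates the account until an administrator
    re-activates it.
    """

    def __init__(self, max_failed_attempts: int = 3):
        self.max_failed = max_failed_attempts
        self.failed = {}          # account -> cumulative failed attempts
        self.deactivated = set()  # accounts with 'Account deactivated' checked
        self.events = []          # audit trail an administrator could review or forward

    def attempt(self, account: str, password_ok: bool) -> str:
        """Returns 'ok', 'failed' or 'blocked'."""
        if account in self.deactivated:
            self._log(account, "rejected: account deactivated")
            return "blocked"
        if password_ok:
            self.failed[account] = 0  # success wipes the accumulated history
            self._log(account, "login ok, counter reset")
            return "ok"
        self.failed[account] = self.failed.get(account, 0) + 1
        if self.failed[account] >= self.max_failed:
            self.deactivated.add(account)
            self._log(account, f"deactivated after {self.failed[account]} failed attempts")
            return "blocked"
        self._log(account, f"failed attempt {self.failed[account]}/{self.max_failed}")
        return "failed"

    def failed_attempts(self, account: str) -> int:
        return self.failed.get(account, 0)

    def is_deactivated(self, account: str) -> bool:
        return account in self.deactivated

    def reactivate(self, account: str) -> None:
        """Administrator unchecks 'Account deactivated': the user gets a fresh set of attempts."""
        self.deactivated.discard(account)
        self.failed[account] = 0
        self._log(account, "re-activated by administrator")

    def _log(self, account: str, message: str) -> None:
        self.events.append(f"{account}: {message}")


if __name__ == "__main__":
    guard = LoginGuard(max_failed_attempts=3)
    # constructed sequence: two typos, a correct login, then three failures in a row
    for ok in (False, False, True, False, False, False, True):
        print(guard.attempt("alice", ok))
    for line in guard.events:
        print(line)
```

Because the count persists across days, a repeated "failed attempt 2/3" for the same account in the event trail is worth a look well before the account is actually deactivated.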

Email

In this tab you can define email server settings:

  • Sender: Here, you can enter the sender's email address and name.
  • Outgoing Mail Server: You can configure the outgoing mail server.
  • Test Connection: You can enter the email address of a mail recipient here and send a test email to check if the settings are correct.

2FA Settings

In this tab, you can activate Two-Factor Authentication on the server for the users. 

Operation mode

  • TOTP - codes are generated by mobile Authenticator apps: Users will receive the second factor for the login on their smartphone in their authenticator app. 
  • Email - codes are sent by Server to user's default address: Users will receive the second factor by separate email to their individual email address. 
  • Users may choose to remember their devices (days): You can specify a period of time during which users can trust connections from a specific device. With Two-Factor Authentication, users will then not have to enter a new code each time they connect to the server from that device within x days, provided they enable the option Trust this computer when connecting for the first time and enter the required code once.
  • Email code expiration time (minutes): This option determines the validity of a code sent by email for Two-Factor Authentication. By default, this is ten minutes. However, this time can be changed here by the server administrator. If a user does not enter the required code in time, it expires. For authentication, a new code will then be required.

HINT: Please visit our knowledge base to get more information about the Two-Factor Authentication.

NOTE: Both the Integrated Windows Authentication and Password Depot credentials authentication support Two-Factor Authentication. Go to Users → <USERNAME> → Account if you want to deactivate the Two-Factor Authentication for single users, if required. Besides, you can also reset 2FA for single users in the user area if problems occur. Read more about this feature in the chapter Users.

Active Directory

Synchronization

  • Automatically run synchronization with AD every: Specify whether to perform AD synchronization automatically. If so, you can also determine the time interval at which automatic AD synchronization should be carried out. Furthermore, you can specify what to do with users and groups not (or no longer) found in AD. Those users can be ignored, deactivated or deleted in the Server Manager. Please note that this option only affects the users on the Enterprise Server, not those in Active Directory, since Password Depot Enterprise Server cannot change anything in Active Directory.

NOTE: The administrator should perform AD synchronization manually, if required. However, if automatic synchronization is necessary, synchronization cycles should preferably be at times when the server load is low, for example once in 24 hours.

NOTE: The server option Automatically run synchronization with AD every is limited to 60 minutes and uses the server's own SYSTEM account.

Azure AD

Tenants

Here, you can add a new organization to Password Depot Enterprise Server and the Server Manager. Once a new organization has been added you can use it to perform Azure AD synchronization.

  • New: Click New to launch the process. You will be asked to select a Microsoft account next and login with the administrator's access data. After the login you can see the organization in the Tenants area which means that it has been added to the Server Manager successfully. Now, select Tools → Azure AD Synchronization in the Server Manager to automatically synchronize Azure AD users with the Enterprise Server. You can select the desired organization to perform Azure AD synchronization from the corresponding synchronization wizard.

HINT: You can launch the same process directly by going to Tools → Azure AD Synchronization. The button New for adding a new organization to the Server Manager is also available here.

  • Update: Update an organization that has already been added to the Server Manager and the data related to it.
  • Delete: Delete organizations from the Server Manager, for example if you do not need them anymore. You can then add new or other organizations for Azure AD synchronization to the Server Manager by clicking the button New.

NOTE: Find out more about Azure AD synchronization in the Server Manager in the chapter Azure AD Synchronization which can be found under Tools.

Synchronization

  • Automatically run synchronization with AD every: As with Active Directory synchronization, you can determine here whether Azure AD synchronization should be performed automatically every x minutes. Azure AD users and their attributes will then be synchronized and updated automatically at the specified time interval. The option User and groups not found in AD works the same way as during Active Directory synchronization; the only difference is that it refers to Azure AD and not to Active Directory.