Server Settings

The Server settings dialog box can be found in the menu item Manage. It includes the following tabs: General, Connections, Logging, Backups, Additional, Email, 2FA Settings, Active Directory, Azure AD and OpenID Connect. In general, the server settings are used for server configuration and for defining settings that affect the entire server and all users. The content of each tab is explained in detail below.

General

Server

You can define basic server settings here:

  • Server language: Select the language of the server (not the language for Server Manager's user interface!). You can choose between English, German, French, Spanish and Dutch.
  • Server port: Adjust the port number for the client to server connection. In general, the default port number is always displayed here but you can change the value if required. When changing the port number, please make sure to also change it in the client and use the correct port for your server connection. 
  • Internet Protocol: Specify which Internet protocol version should be used by default. The following options are available: IPv4+IPv6, IPv4, IPv6. Depending on the network configuration, administrators can thus define which Internet protocol versions the server supports. The server sends an info message via UDP to the clients about the supported Internet protocol version, and the clients then automatically choose the correct version for the main TCP connection.
  • Use SSL/TLS for TCP Server: Activate the SSL/TLS connection for clients connecting to the Enterprise Server. Click Install Certificate to install the certificate in the Server Manager. A new dialog window opens where you specify the path to your certificate file and its private key. You will also have to enter the certificate's password here.
  • Keepalive enabled: You can activate the Keepalive feature if clients connect to a server which is not part of the same local network.

WARNING: In case you decide to change the default port, make sure that it is not used by any other application.

REST Server

  • Origin URL: Enter the correct URL of your Password Depot web server. It should be the exact URL which is used for addressing your Enterprise Server through the Password Depot web interface.
  • Use SSL/TLS for REST Server: Activate the SSL/TLS connection for the REST Server. Thanks to the REST Server implementation you can also access the Enterprise Server via its REST API. A web interface is available in source code for demonstration or productive use; it is basically a web server which can use either HTTP or HTTPS (recommended). To use HTTPS, a valid certificate is required on the server. Click Install Certificate to install it.

HINT: For more information on SSL connections on the Enterprise Server please have a look at the following support portal article: How does the SSL connection in Password Depot Enterprise Server work and which settings are required?

Databases

  • Storage folder: Specify the path where server databases are stored by default. In Password Depot 15 this is C:\Program Files\AceBIT\Password Depot Server XX\Data\DB. You can change the path; however, we always recommend storing the databases on a local drive instead of on a network share or mapped drive, since the latter may not be accessible at all times. If, while saving a database, Password Depot Enterprise Server cannot find or access the path specified in the server settings, it falls back to the default settings and saves the databases to the default folder.

Connections

Supported authentications

Select the supported authentications for your server. You can choose between the following options: User credentials (account and password), Integrated Windows Authentication (Single Sign On), Azure Active Directory or OpenID Connect. The server supports activating more than one authentication mode at the same time. 

HINT: For more information on the Integrated Windows Authentication as well as the required settings please check the following support portal article: How do I log on to the Enterprise Server using the Integrated Windows Authentication (SSO)?

Supported clients

Check all the clients that should support the Enterprise Server connection. The following options are available here:

  • Standard Edition for Windows
  • Corporate Edition for Windows
  • Android Edition
  • iOS Edition
  • macOS Edition
  • Web Client

NOTE: All clients that are intended to be used for Enterprise Server connection need to be activated in the Server Manager. If a client is deactivated here, users won't be able to use the disabled edition to connect to the Enterprise Server.

New connection from different device

You can decide how you would like to proceed with connections carried out by the same user but from other devices. You can choose between the following:

  • Deny new connection when user is already logged on 
  • Close existing connection and allow new one
  • Allow multiple connections from different IP addresses

NOTE: As is the case with many other similar servers, it is not recommended with the Enterprise Server either to allow multiple connections carried out by the same user at the same time. This feature was implemented since it may happen that users need to connect with their desktop client and a mobile device simultaneously. This works because mobile devices are not synchronized with the server in real time. However, if a user tries to establish a server connection using their account on two different Windows clients at the same time, this may cause problems. It may happen that the user will be disconnected from one device.

Inactive sessions

Specify how Password Depot Enterprise Server should handle inactive connections. For example, you can define that clients are disconnected from the server after a specific period of inactivity. If you activate this option, you can additionally specify that the database should be closed and users logged out.

Logging

In this tab you can configure everything relating to the logs of Password Depot Enterprise Server. The following options are available here:

Local log

  • Logs folder: You can see here the default directory for storing the Enterprise Server's logs which is C:\Program Files\AceBIT\Password Depot Server XX\Logs. You can change the location using the browse button. In any case, we recommend always using a local directory, if possible.
  • Max. file size (KB): Determine the maximum size (KB) of the server's log file.
  • Create new log file: Select a time when to create a new log file.
  • Delete logs: Define the settings for deleting already existing logs. You can either select "Never deleting any log files" or determine a maximum number of log files to be kept, 30 for example (this is the default value). This means that the latest 30 files will be saved and older log files will be deleted automatically.

Remote log

  • Send log messages to a remote server: Check this box to send the Enterprise Server's log messages to an external log server as well. Specify the address and port of the external server the log messages should be sent to. This way, a copy of the logs exists outside the Enterprise Server and you can ensure that they are not manipulated.

Backup databases and settings

In this tab you can specify the settings of your backup files in general. The following options are available:

Backup

  • Backup folder: Specify where backup copies of your server database should be saved. By default, they are stored in the directory C:\Program Files\AceBIT\Password Depot Server XX\Backups\. Use the browse button to change it. As with the server's log files, we recommend always using a local directory for storing the backup files, if possible. The server backup files include your databases, logs and the server's configuration file (pwd_srv.cfg), in which the users, permissions and server configuration are saved.
  • On every startup: Select this option in order to create a new backup copy on every startup.
  • Create Backup every: Set the interval at which Password Depot Enterprise Server automatically creates a new backup file. We recommend creating new backup files every 24 hours. You can choose between the following intervals: monthly, weekly, daily, hourly (this option allows you to specify an interval within a certain time frame).

Delete old backups

  • Limit number of stored backups to: This option allows you to set the maximum number of backups.
  • Delete backup files older than: Activate this option if you would like to automatically delete backup files older than x months from the server's backup directory. You can determine a specific period of time for this deletion to take place.

NOTE: By default, the options Backup databases on every startup and Backup databases every x hours are checked, and we strongly recommend keeping both options activated at all times.

Backup log

  • Log backups to file: If you activate this option, Password Depot Enterprise Server creates a log of all generated backups and saves it to the specified file. This later helps you track when server backups were created.

Additional

The Additional tab contains more options including the following:

Editing entries

  • Lock entry timeout (min.): Set the lock entry timeout in minutes. By default this is five minutes; you can increase or decrease it, if required. If a user has opened an entry but is not working with it, the entry will be locked automatically once the timeout set in the Server Manager has expired.

Private databases

  • Automatically create private databases for new users: Determine whether a private database should be created automatically for every new user on the Enterprise Server. These private databases are also stored on the server, and users can add their own private entries there which are not supposed to be part of the company's server database. Private databases are displayed as Private_DB_<USER>.pswe in the Database area.
  • Automatically delete private databases for deleted users: Determine whether private databases should be deleted automatically from the server once the user is removed from the Enterprise Server. If this option is enabled and a user is deleted in the Server Manager, their private database is deleted from the server as well.

NOTE: By default, both options are deactivated.

Protection against brute force attacks

  • Deactivate user account after multiple failed logins in a row: Determine the maximum number of failed login attempts a user can make before their server account is blocked temporarily. A blocked user account can be re-activated by the server administrator. To do so, open the Server Manager, go to Users → <USERNAME> → Accounts and uncheck the box Account deactivated.
  • Block IP address after multiple failed logins within a short period of time: Determine how many failed login attempts within a given time (in minutes) need to occur in order to block the account trying to access the server. Also specify the period of time (in minutes) after which the account is unblocked again.

NOTE: A user's failed login attempts are not reset after some hours or days; the Password Depot Server Manager remembers the number of failed login attempts and adds them up. However, if a user enters the correct password after two failed login attempts (provided the maximum number of failed login attempts is set to 3 in the Server Manager), the previous failed attempts are reset to 0. The next time the user logs on to the Enterprise Server, they will again have 3 login attempts before their account is blocked.
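The lockout rules above, as an added example that is not Password Depot's own code: a small Python model that deactivates an account after a run of failed logins (the counter is reset by a correct password and only an administrator can re-activate the account) and blocks an IP address after too many failures within a time window. The thresholds, class and function names are assumptions.

```python
# Added example, not Password Depot's own code: lockout logic with the
# semantics this page describes. Thresholds are assumed values.
from collections import defaultdict, deque

MAX_FAILED_LOGINS = 3    # account deactivated on the 3rd failed login in a row
IP_FAIL_LIMIT = 10       # failures from one IP ...
IP_WINDOW_MINUTES = 10   # ... within this many minutes block the IP
IP_BLOCK_MINUTES = 30    # the IP block is lifted after this long


class LoginGuard:
    def __init__(self):
        self.failed = defaultdict(int)         # account -> failures in a row (never aged out)
        self.deactivated = set()               # accounts blocked until an admin re-activates them
        self.ip_failures = defaultdict(deque)  # ip -> minutes of recent failures
        self.ip_blocked_until = {}             # ip -> minute at which the block expires

    def ip_is_blocked(self, ip, now):
        until = self.ip_blocked_until.get(ip, 0)
        return now < until                     # expired blocks simply stop matching

    def _record_ip_failure(self, ip, now):
        # Sliding window per IP; True when the block threshold is reached.
        window = self.ip_failures[ip]
        window.append(now)
        while window and window[0] <= now - IP_WINDOW_MINUTES:
            window.popleft()
        if len(window) >= IP_FAIL_LIMIT:
            self.ip_blocked_until[ip] = now + IP_BLOCK_MINUTES
            window.clear()
            return True
        return False

    def attempt(self, account, ip, password_ok, now):
        """Evaluate one login attempt at minute `now` and return its outcome."""
        if self.ip_is_blocked(ip, now):
            return "ip_blocked"
        if account in self.deactivated:
            return "account_deactivated"
        if password_ok:
            self.failed[account] = 0           # a correct password resets the count to 0
            return "ok"
        self.failed[account] += 1              # failures add up across sessions and days
        if self.failed[account] >= MAX_FAILED_LOGINS:
            self.deactivated.add(account)
            status = "account_deactivated"
        else:
            status = "failed"
        return "ip_blocked" if self._record_ip_failure(ip, now) else status

    def admin_reactivate(self, account):
        # Same effect as unchecking 'Account deactivated' in the Server Manager.
        self.deactivated.discard(account)
        self.failed[account] = 0
```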

Email

In this tab you can define email server settings:

  • Sender: You can enter the sender's email address and name.
  • Outgoing Mail Server: You can configure the outgoing mail server.
  • Test Connection: You can enter the email address of a mail recipient and send a test email to check if the settings are correct.

2FA Settings

In this tab, you can activate Two-Factor Authentication on the server for the users. 

Operation mode

  • TOTP - codes are generated by mobile Authenticator apps: Users will receive the second factor for the login on their smartphone in their authenticator app. 
  • Email - codes are sent by Server to user's default address: Users will receive the second factor by separate email to their individual email address. 
  • Users may choose to remember their devices (days): Specify the period during which users can trust connections from a specific device. If users enable the option Trust this computer when connecting for the first time and enter the required code once, they will not have to enter a new Two-Factor Authentication code each time they connect to the server from that device within x days.
  • Email code expiration time (minutes): This option determines the validity of a code sent by email for Two-Factor Authentication. By default, this is ten minutes. However, this time can be changed here by the server administrator. If a user does not enter the required code in time, it expires. For authentication, a new code will then be required.
  • FIDO2/WebAuthn security keys: Since version 18, the Password Depot Enterprise Server supports FIDO2/WebAuthn, allowing users to use YubiKeys as a two-factor authentication method (2FA) when connecting to a Password Depot Server via the Password Depot Client. For more information on setting up FIDO2, please refer to our instructions.
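The checks behind these options, as an added example that is not Password Depot's own code: a Python sketch of the TOTP verification used with authenticator apps (standard RFC 6238), an emailed code with the default ten-minute expiry, and the trusted-device window. The class and function names and the 30-day value are assumptions.

```python
# Added example, not Password Depot's own code: the checks behind this tab's
# options. Values and names are assumptions; TOTP follows RFC 6238.
import hashlib
import hmac
import secrets
import struct

EMAIL_CODE_MINUTES = 10   # "Email code expiration time (minutes)", default 10
REMEMBER_DAYS = 30        # "Users may choose to remember their devices (days)", assumed
TOTP_STEP = 30            # authenticator apps rotate codes every 30 seconds


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing unix_time."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """Accept the current step and one step either side to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + d), code)
               for d in (-TOTP_STEP, 0, TOTP_STEP))


class SecondFactor:
    def __init__(self):
        self.email_codes = {}   # user -> (code, issued_at unix seconds)
        self.trusted = {}       # (user, device_id) -> trusted until unix seconds

    def issue_email_code(self, user: str, now: int) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"   # the code that would be emailed
        self.email_codes[user] = (code, now)
        return code

    def verify_email_code(self, user: str, code: str, now: int) -> bool:
        entry = self.email_codes.pop(user, None)     # single use, valid or not
        if entry is None:
            return False
        issued_code, issued_at = entry
        if now - issued_at > EMAIL_CODE_MINUTES * 60:
            return False                             # expired: a new code must be issued
        return hmac.compare_digest(issued_code, code)

    def trust_device(self, user: str, device_id: str, now: int) -> None:
        # "Trust this computer" chosen after the code was entered once.
        self.trusted[(user, device_id)] = now + REMEMBER_DAYS * 86400

    def needs_second_factor(self, user: str, device_id: str, now: int) -> bool:
        return now >= self.trusted.get((user, device_id), 0)
```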

HINT: Please visit our knowledge base to get more information on the Two-Factor Authentication.

NOTE: Both the Integrated Windows Authentication and Password Depot credentials authentication support Two-Factor Authentication. Go to Users → <USERNAME> → Account if you want to deactivate Two-Factor Authentication for single users. You can also reset 2FA for single users in the user area if problems occur. Read more about this feature in the chapter Users.

Active Directory

SSPI

In this field, you have the option of selecting the desired authentication service (SSPI).

  • SSPI Mode: Select the desired authentication service (NTLM, Negotiate or Kerberos). 
  • Service Principal Name (SPN): Select the correct Service Principal Name. 

Synchronization

  • Automatically run synchronization with AD every: Specify whether AD synchronization should be performed automatically and, if so, at which interval. Furthermore, you can specify what to do with users and groups that are not (or no longer) found in AD: they can be ignored, deactivated or deleted in the Server Manager. Please note that this option only affects the users on the Enterprise Server and not those in Active Directory, since Password Depot Enterprise Server cannot change anything in Active Directory.

NOTE: The administrator should perform AD synchronization manually, if required. However, if automatic synchronization is necessary, synchronization cycles should preferably be at times when the server load is low, for example once in 24 hours.

NOTE: The server option Automatically run synchronization with AD every is limited to 60 minutes and uses the server’s own SYSTEM account.

Azure AD

Tenants

Here, you can add a new organization to Password Depot Enterprise Server and the Server Manager. Once a new organization has been added you can use it to perform Azure AD synchronization.

  • New: Click New to launch the process. You will be asked to select a Microsoft account next and login with the administrator's access data. After the login you can see the organization in the Tenants area which means that it has been added to the Server Manager successfully. Now, select Tools → Import from Azure AD in the Server Manager to automatically synchronize Azure AD users with the Enterprise Server. You can select the desired organization to perform Azure AD synchronization from the corresponding synchronization wizard.

HINT: You can launch the same process by going to Tools → Import from Azure AD. The button New for adding a new organization to the Server Manager is also available here.

  • Update: Update an organization that has already been added to the Server Manager and the related data.
  • Delete: Delete organizations from the Server Manager if you do not need them anymore, for example. You can then add new or other organizations for Azure AD synchronization to the Server Manager by clicking the button New.

NOTE: Find out more about Azure AD synchronization in the Server Manager in the chapter Azure AD Import which can be found under Tools.

Synchronization

  • Automatically run synchronization with AD every: As with Active Directory synchronization, you can determine whether Azure AD synchronization should be performed automatically every x minutes. Azure AD users and their attributes are then synchronized and updated automatically at the specified interval. The option User and groups not found in AD works in the same way as during Active Directory synchronization; the only difference is that it refers to Azure AD rather than the Active Directory.

OIDC

Identity Providers

Add a new organization to Password Depot Enterprise Server and the Server Manager with the help of the OIDC import. By clicking New... you can add a new OIDC service and import your OIDC users into the Enterprise Server.

HINT: You can launch the same process by going to Tools → Import from OIDC.

NOTE: Find out more about OIDC synchronization in the Server Manager in the chapter OpenID Connect-Import which can be found under Tools.