Server Settings

The Server settings dialog box can be found in the menu item Manage. It includes the following tabs: General, Connections, Logging, Backups, Additional, Email, 2FA Settings, Active Directory, Entra ID, OpenID Connect, and Passkeys/WebAuthn. In general, you can use the server settings for server configuration and for defining settings that affect the entire server and all users. Each tab available in the server settings is explained in detail below.

General

Server

You can define basic server settings here:

  • Server language: Select the language of the server (not the language for Server Manager's user interface!). You can choose between English, German, French, Spanish, and Dutch.
  • Server name: Adjust the name of the server.
  • Clients Port/Server Manager Port: Adjust the port number for the client to server connection. In general, the default port number is always displayed here but you can change the value if required. When changing the port number, please make sure to also change it in the client and use the correct port for your server connection.
  • Internet Protocol: Specify a specific Internet protocol version that should be used by default. The following options are available: IPv4+IPv6, IPv4, or IPv6. Depending on the network configuration, administrators can define which Internet protocol versions the server should support. The server will then send via UDP an info message to the clients about the supported Internet protocol version. Afterwards, the clients will automatically choose the correct version for the main TCP connection.
  • Keepalive enabled: You can activate the Keepalive feature if clients connect to a server which is not part of the same local network. You can set the Keepalive time (in minutes) as well as the Keepalive interval (in seconds).

WARNING: In case you decide to change the default port, make sure that it is not used by any other application.

REST Server

  • Origin URL: Enter the correct URL of your Password Depot web server. It should be the exact URL which is used for addressing your Enterprise Server through the Password Depot web interface.
  • Port number: Adjust the port number for the REST server.

Further information on the REST API

Databases

  • Storage folder: You can specify the path where server databases are stored. By default, this is C:\Program Files\AceBIT\Password Depot Enterprise Server XX\Data\DB. You can change the path; however, we always recommend storing the databases on a local drive instead of a network share or mapped drive, since the latter may not be accessible at all times. If, while saving a database, Password Depot Enterprise Server cannot find or access the path specified in the server settings, it will fall back to the default settings and save the databases to the default folder.

Connections

Supported authentications

Select the supported authentications for your server. You can choose between the following options: Standard Authentication, Integrated Windows Authentication (Single Sign On), Windows Domain Credentials (FQUN or UPN and password), Entra ID (formerly Azure AD), OpenID Connect, or Passkeys (WebAuthn). The server supports activating more than one authentication mode at the same time.

HINT: For more information on the Integrated Windows Authentication as well as the required settings, please check the following support portal article: How do I log on to the Enterprise Server using the Integrated Windows Authentication (SSO)?

Supported clients

Check all the clients that should support the Enterprise Server connection. The following options are available here:

  • Standard Edition for Windows
  • Corporate Edition for Windows
  • Android Edition
  • iOS Edition
  • macOS Edition
  • Linux Edition
  • Web Client

NOTE: All clients that are intended to be used for Enterprise Server connection need to be activated in the Server Manager. If a client is deactivated here, users will not be able to use the disabled edition to connect to the Enterprise Server.

New connection from different device

You can decide how you would like to proceed with connections carried out by the same user but from other devices. You can choose between the following:

  • Deny new connections when user is already logged on
  • Close existing connection and allow new one
  • Allow multiple connections from different IP addresses

NOTE: As with many other similar servers, it is not recommended to allow multiple simultaneous connections by the same user on the Enterprise Server either. This feature was implemented because users may need to connect with their desktop client and a mobile device at the same time. This works because mobile devices are not synchronized with the server in real time. However, if a user tries to establish a server connection using their account on two different Windows clients at the same time, this may cause problems: the user may be disconnected from one device.

Inactive sessions

Specify how Password Depot Enterprise Server should handle inactive connections. For example, you can define that clients should be disconnected from the server after a specific time of inactivity. In addition to that, if you activate this option, you can also specify that the database should be closed and users should be logged out.

Logging

In this tab you can define anything referring to the logs of Password Depot Enterprise Server. The following options are available here:

Local log

  • Logs folder: You can see here the default directory for storing the Enterprise Server's logs which is C:\Program Files\AceBIT\Password Depot Enterprise Server XX\Logs. You can change the location using the Browse button. In any case, we recommend always using a local directory, if possible.
  • Max. file size (KB): Determine the maximum size (KB) of the server's log file.
  • Create new log file: Select a time when to create a new log file.
  • Delete logs: Define the settings for deleting already existing logs. You can either select Never or determine a maximum number of log files to be kept, for example 30 (this is the default value). This means that the latest 30 files will be saved and older log files will be deleted automatically.

Remote log

  • Send log messages to a remote server: Check this box to activate the option and send the Enterprise Server's log messages to an external log server. This way, you can ensure that the logs cannot be manipulated on the server itself. Here, you can also define the protocol type, the server, and the log format.

Backups

In this tab you can specify the settings of your backup files in general. The following options are available:

Backup databases and settings

  • Backup folder: You can specify where backup copies of your server database should be saved. By default, they are stored in the directory C:\Program Files\AceBIT\Password Depot Enterprise Server XX\Backups\. Use the browse button to change it. However, as with the server's log files, we recommend always using a local directory for storing the backup files, if possible. The server backup files include your databases, logs, and the server's configuration file (pwd_srv.cfg), where the users, permissions, and server configuration are saved.
  • On every startup: Select this option in order to create a new backup copy on every startup.
  • Create Backup every: Set a time for Password Depot Enterprise Server to automatically create a new backup file. We recommend creating new backup files every 24 hours. You can choose between the following intervals: monthly, weekly, daily, hourly (the hourly option allows you to specify an interval within a certain time frame).

Delete old backups

  • Limit number of stored backups to: This option allows you to set the maximum number of backups (values 1 to 2,000).
  • Delete backup files older than: Activate this option if you would like to automatically delete backup files older than x months from the server's backup directory. You can determine a specific period of time for this deletion to take place (1 to 72 months).

NOTE: By default, the options Backup databases on every startup and Backup databases every x hours are checked and we strongly recommend to keep both options activated at all times.
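The two retention rules above, together with the Delete logs setting under Logging (which keeps only the latest N log files), can be expressed as one pruning routine. The following is an added example written for this page, not code from Password Depot Enterprise Server: it works on a constructed list of file names and modification times (the file naming is hypothetical), applies both rules so that a file is removed if either rule selects it, and enforces the value ranges stated on this page (1 to 2,000 backups, 1 to 72 months).

```python
import calendar
from datetime import datetime

MAX_STORED_BACKUPS = 2000   # "Limit number of stored backups to" accepts 1 to 2,000
MAX_AGE_MONTHS = 72         # "Delete backup files older than" accepts 1 to 72 months


def months_ago(when: datetime, months: int) -> datetime:
    """Calendar-aware 'months before when', clamping the day to the target month's length."""
    index = when.year * 12 + (when.month - 1) - months
    year, month0 = divmod(index, 12)
    month = month0 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def files_to_delete(files, now, keep_latest=None, max_age_months=None):
    """Return the names of files that the retention settings say to remove.

    files: iterable of (name, modification_time) pairs.
    keep_latest: the 'Limit number of stored backups to' / 'Delete logs' count (None = unlimited).
    max_age_months: the 'Delete backup files older than' value (None = disabled).
    Both rules are applied; a file is deleted if either rule selects it.
    """
    if keep_latest is not None and not 1 <= keep_latest <= MAX_STORED_BACKUPS:
        raise ValueError(f"keep_latest must be between 1 and {MAX_STORED_BACKUPS}")
    if max_age_months is not None and not 1 <= max_age_months <= MAX_AGE_MONTHS:
        raise ValueError(f"max_age_months must be between 1 and {MAX_AGE_MONTHS}")

    newest_first = sorted(files, key=lambda f: f[1], reverse=True)
    cutoff = months_ago(now, max_age_months) if max_age_months is not None else None
    doomed = []
    for position, (name, mtime) in enumerate(newest_first):
        too_many = keep_latest is not None and position >= keep_latest
        too_old = cutoff is not None and mtime < cutoff
        if too_many or too_old:
            doomed.append(name)
    return sorted(doomed)


# Constructed sample data: one backup per month over the last year.
# The file naming is hypothetical, not the product's own scheme.
SAMPLE_NOW = datetime(2024, 6, 15, 3, 0)
SAMPLE_BACKUPS = [
    (f"pds_backup_{d:%Y%m%d}.zip", d)
    for d in [months_ago(SAMPLE_NOW, m) for m in range(0, 12)]
]

if __name__ == "__main__":
    for name in files_to_delete(SAMPLE_BACKUPS, SAMPLE_NOW, keep_latest=6, max_age_months=3):
        print("would delete", name)
```

Because the two rules are combined with "or", the effective retention is the stricter of the two; set both only if you want that behaviour.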

Backup log

  • Log backup events to file: If you activate this option, Password Depot Enterprise Server will create a log of all generated backups and save it to the specified file. Later, this will help you track when server backups were created.

Additional

The Additional tab contains more options including the following:

Editing entries

  • Lock entry timeout (min.): You can determine the lock entry timeout in minutes. By default, this is five minutes; however, you can increase or decrease it, if required. If a user has opened an entry but is not working with it, the entry is locked automatically once the timeout set in the Server Manager has expired. The maximum value that can be set is 30 minutes.

Private databases

  • Automatically create group databases for new groups: Allows you to automatically create a database if a new group is added. Only members of the group can access the respective database. Further, you can set a Default DB name prefix for these group databases.
  • Automatically create private databases for new users: You can determine whether a private database should be created automatically for every new user on the Enterprise Server. Those private databases are then also stored on the server, and users can add their own private entries there which are not supposed to be part of the company's server database. Moreover, you can determine the Default DB name prefix.
  • Automatically delete private databases for deleted users: You can further determine whether private databases should be deleted automatically from the server once the user is removed from the Enterprise Server. If this option is enabled and a user is deleted in the Server Manager, their private database will be deleted from the server.

NOTE: By default, all three options are deactivated.

Protection against brute force attacks

  • Deactivate user account after multiple failed logins in a row: Determine the maximum number of failed login attempts a user can make before their server account is blocked temporarily.
  • Block IP address after multiple failed logins within a short period of time
    • Login attempts: Specify after how many failed login attempts an IP address is automatically blocked.
    • Within (minutes): Specify the time period within which the number of failed attempts defined above must occur for the block to take effect.
    • Unblock after (minutes): Determine how long the affected IP address remains blocked before it is automatically released again.

If a user account was blocked, it can be re-activated again by the server administrator. To do so, open the Server Manager and go to Users → <USERNAME> → Accounts and uncheck the box Account deactivated.

NOTE: A user's failed login attempts are not reset after some hours or days; the Password Depot Enterprise Server Manager remembers the number of failed login attempts and adds them up. However, if a user enters the correct password after two failed login attempts (provided the maximum number of failed login attempts is set to 3 in the Server Manager), the previous failed attempts are reset to 0. The next time the user logs in to the Enterprise Server, they will again have 3 login attempts before their account is blocked.
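To make the interaction of the two policies explicit, here is an added reference model (example code written for this page, not the Enterprise Server's implementation): a per-account counter that accumulates across sessions and resets to 0 on a successful login, as the note describes, and a per-IP sliding window that blocks the address once the configured number of failures falls inside "Within (minutes)" and releases it after "Unblock after (minutes)". The event format, the order in which the two checks are applied, and the default numbers used in the usage call are assumptions.

```python
from collections import defaultdict, deque


class BruteForcePolicy:
    """Model of the account-deactivation and IP-block settings (assumed semantics)."""

    def __init__(self, max_user_failures=3, ip_attempts=5, within_minutes=10, unblock_minutes=30):
        self.max_user_failures = max_user_failures
        self.ip_attempts = ip_attempts
        self.within = within_minutes * 60        # seconds
        self.unblock = unblock_minutes * 60      # seconds
        self.user_failures = defaultdict(int)    # cumulative per account, as the NOTE describes
        self.deactivated = set()                 # "Account deactivated" checkbox set
        self.ip_window = defaultdict(deque)      # timestamps of recent failures per IP
        self.ip_blocked_until = {}               # ip -> unix time at which the block lifts

    def ip_is_blocked(self, ip, now):
        until = self.ip_blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.ip_blocked_until[ip]        # automatic release after "Unblock after"
            return False
        return True

    def record(self, user, ip, password_ok, now):
        """Process one login attempt at unix time `now`; return a status string."""
        if self.ip_is_blocked(ip, now):          # blocked addresses are refused outright
            return "ip-blocked"
        if user in self.deactivated:
            return "account-deactivated"
        if password_ok:
            self.user_failures[user] = 0         # success resets the account counter
            return "ok"

        status = "failed"
        self.user_failures[user] += 1            # counter never expires on its own
        if self.user_failures[user] >= self.max_user_failures:
            self.deactivated.add(user)
            status = "account-deactivated"

        window = self.ip_window[ip]              # sliding window of "Within (minutes)"
        while window and now - window[0] > self.within:
            window.popleft()
        window.append(now)
        if len(window) >= self.ip_attempts:
            self.ip_blocked_until[ip] = now + self.unblock
            window.clear()
            status = "ip-blocked"
        return status

    def reactivate(self, user):
        """Administrator action: Users -> <USERNAME> -> Accounts -> uncheck Account deactivated."""
        self.deactivated.discard(user)
        self.user_failures[user] = 0


if __name__ == "__main__":
    # Constructed attempt sequence: two failures, a success (counter reset), then more failures.
    policy = BruteForcePolicy(max_user_failures=3, ip_attempts=4, within_minutes=10, unblock_minutes=30)
    for t, user, ip, ok in [(0, "alice", "10.0.0.5", False), (10, "alice", "10.0.0.5", False),
                            (20, "alice", "10.0.0.5", True), (30, "alice", "10.0.0.5", False),
                            (40, "alice", "10.0.0.5", False)]:
        print(t, user, ip, policy.record(user, ip, ok, t))
```

Note that the IP window counts failures for any account from that address, so a single attacker cycling through user names trips the IP rule even though no single account reaches its limit, which is the point of having both settings.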

Email

In this tab you can define email server settings:

  • Sender: You can enter the sender's email address and name.
  • Outgoing Mail Server: You can configure the outgoing mail server.
  • Test Connection: You can enter the email address of a mail recipient and send a test email to check if the settings are correct.

2FA Settings

In this tab, you can Enable Two-Factor Authentication on the server for the users.

Operation mode

  • TOTP: codes are generated by mobile authenticator apps. Users receive the second factor for the login on their smartphone in their authenticator app.
  • Email: codes are sent by the server to the user's default address. Users receive the second factor by separate email to their individual email address.
  • Trust period for user devices (hours): Specify a period of time during which users can trust connections from a specific device. Regarding Two-Factor Authentication, users then do not need to enter a new code each time they connect from the same device to the server within that period, provided they enable the option Trust this computer when connecting for the first time and enter the required code once.
  • Email code expiration time (minutes): This option determines the validity of a code sent by email for Two-Factor Authentication. By default, this is ten minutes. However, this time can be changed here by the server administrator. If a user does not enter the required code in time, it expires. For authentication, a new code will then be required.
  • FIDO2/WebAuthn security keys: Since version 18, the Password Depot Enterprise Server supports FIDO2/WebAuthn, allowing users to use YubiKeys as well as other security devices as a two-factor authentication method (2FA) when connecting to a Password Depot Enterprise Server via the Password Depot Client. For more information on setting up FIDO2, please refer to our instructions.

NOTE: A trust period can be specified for the operation modes TOTP and Email.

HINT: Please visit our knowledge base to get more information on the Two-Factor Authentication.

NOTE: Both the Integrated Windows Authentication and Password Depot credentials authentication support Two-Factor Authentication. Go to Users → <USERNAME> → Account if you want to deactivate the Two-Factor Authentication for single users, if required. Besides, you can also reset 2FA for single users in the user area if problems occur. Read more about this feature in the chapter Users.
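The following added example (written for this page; it is not Password Depot's implementation and makes no claim about how the server stores codes) models the three timing settings on this tab: TOTP codes as produced by authenticator apps (RFC 6238 with HMAC-SHA1, verified with one time step of tolerance for clock drift), email codes that expire after "Email code expiration time (minutes)" and are single-use, and a "Trust period for user devices (hours)" after which a device must present a code again. The `SecondFactor` class and its method names are assumptions.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the scheme common authenticator apps implement."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, step=30, digits=6, tolerance=1) -> bool:
    """Accept the code for the current step and `tolerance` steps either side."""
    return any(
        hmac.compare_digest(totp(secret, now + drift * step, step, digits), code)
        for drift in range(-tolerance, tolerance + 1)
    )


class SecondFactor:
    """Email-code expiry and device trust period (assumed model, times in unix seconds)."""

    def __init__(self, email_code_minutes=10, trust_hours=24):
        self.email_code_ttl = email_code_minutes * 60      # "Email code expiration time"
        self.trust_ttl = trust_hours * 3600                # "Trust period for user devices"
        self.pending_email = {}                            # user -> (code, expires_at)
        self.trusted = {}                                  # (user, device_id) -> expires_at

    def issue_email_code(self, user, now):
        code = f"{secrets.randbelow(10 ** 6):06d}"         # 6 random digits, CSPRNG
        self.pending_email[user] = (code, now + self.email_code_ttl)
        return code                                        # would be mailed to the user

    def verify_email_code(self, user, code, now):
        entry = self.pending_email.get(user)
        if entry is None:
            return False
        stored, expires_at = entry
        if now > expires_at:
            del self.pending_email[user]                   # expired: a new code is required
            return False
        if hmac.compare_digest(stored, code):
            del self.pending_email[user]                   # single use
            return True
        return False

    def trust_device(self, user, device_id, now):
        """Called when the user ticks 'Trust this computer' after a successful code."""
        self.trusted[(user, device_id)] = now + self.trust_ttl

    def device_is_trusted(self, user, device_id, now):
        until = self.trusted.get((user, device_id))
        return until is not None and now <= until


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret; real secrets are random and per user.
    demo_secret = b"12345678901234567890"
    print("TOTP at t=59:", totp(demo_secret, 59))
    sf = SecondFactor()
    emailed = sf.issue_email_code("alice", now=1000)
    print("email code accepted:", sf.verify_email_code("alice", emailed, now=1300))
```

A trusted device skips the second factor, so the trust period is the window in which a stolen device token is usable; the shorter value is the safer one, and the reset-2FA action mentioned above is the remedy when a device is lost.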

Active Directory

SSPI

In this field, you have the option of selecting the desired authentication service (SSPI).

  • SSPI Mode: Select the desired authentication service (NTLM, Negotiate, or Kerberos).
  • Service Principal Name (SPN): Select the correct Service Principal Name.

Synchronization

  • Protocol: Choose between LDAP:// and GC://.
  • Automatically run synchronization with AD every: Specify whether to perform AD synchronization automatically. If so, you can also determine the time interval at which automatic AD synchronization should be carried out. Furthermore, you can specify what to do with users and groups not (or no longer) found in AD. Those users can be ignored, disabled, or deleted in the Server Manager. Please note that this option only affects the users on the Enterprise Server, not those in the Active Directory, since Password Depot Enterprise Server cannot change anything in Active Directory.

NOTE: The administrator should perform AD synchronization manually, if required. However, if automatic synchronization is necessary, synchronization cycles should preferably be at times when the server load is low, for example once in 24 hours.

NOTE: The server option Automatically run synchronization with AD every is limited to 60 minutes and uses the server's own SYSTEM account.

NOTE: Find out more about Active Directory synchronization in the Server Manager in the chapter Import from Active Directory which can be found under Tools.

Entra ID

Tenants

Here, you can add a new organization to Password Depot Enterprise Server and the Server Manager. Once a new organization has been added, you can use it to perform Microsoft Entra ID (formerly Azure AD) synchronization.

  • New...: Click New... to launch the process. You will be asked to select a Microsoft account next and login with the administrator's access data. After the login you can see the organization in the Tenants area which means that it has been added to the Server Manager successfully. Now, select Tools → Import from Entra ID in the Server Manager to automatically synchronize Entra ID users with the Enterprise Server. You can select the desired organization to perform Entra ID synchronization from the corresponding synchronization wizard.

HINT: You can launch the same process by going to Tools → Import from Entra ID. The button New for adding a new organization to the Server Manager is also available here.

  • Update...: Update an organization that has already been added to the Server Manager and the related data.
  • Delete: Delete organizations from the Server Manager if you do not need them anymore, for example. You can then add new or other organizations for Entra ID synchronization to the Server Manager by clicking the button New....

NOTE: Find out more about Entra ID synchronization in the Server Manager in the chapter Import from Microsoft Entra ID which can be found under Tools.

Synchronization

  • Automatically run synchronization with AD every: As with Active Directory synchronization, you can determine whether Entra ID synchronization should be performed automatically every x minutes. Entra ID users and their attributes are then synchronized and updated automatically at the specified interval. The option Users and groups not found in AD works in the same way as during Active Directory synchronization; the only difference is that here it refers to Entra ID rather than Active Directory.

OpenID Connect

Identity Providers

Here, you can add, update, and delete identity providers.

  • New...: Click New... to create a new OIDC entry.
  • Update...: Click Update... to refresh an existing OIDC entry.
  • Delete: Choose Delete to remove an existing OIDC entry.

Add a new organization to Password Depot Enterprise Server and the Server Manager with the help of the OIDC import. By clicking New... you can add a new OIDC service to import your OIDC users into the Enterprise Server.

HINT: You can launch the same process by going to Tools → Import from OIDC.

NOTE: Find out more about OIDC synchronization in the Server Manager in the chapter Import from OpenID Connect which can be found under Tools.

Passkeys/WebAuthn

In this tab, you can adjust the settings for authentication via Passkeys/WebAuthn. Besides USB security keys, you can also use Windows Hello, smartphones, and other devices.

Relying Party

  • Relying party ID: Enter the ID of the relying party.
  • Display name: Choose a display name.

Registration Settings

  • Attachment: Choose between Any supported, Platform (internal authenticators), and Cross-Platform (roaming authenticators).
  • Timeout (seconds): Set a timeout value. The maximum value is 300 seconds.

Authentication Settings

  • User verification: Here you can decide whether user verification should be required. You can choose between Any supported, Required, Preferred, and Discouraged.
  • Timeout (seconds): Set a timeout value. The maximum value is 300 seconds.
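As an added example (not the product's code), the following shows how the Relying Party, Registration Settings and Authentication Settings above correspond to the options a WebAuthn relying party hands to the browser, in the JSON form defined by the WebAuthn specification, and adds the one check worth making before saving this tab: the Relying party ID must be the host of the Origin URL (REST Server tab) or a parent domain of it, because the browser rejects any other value. The mapping of the tab's labels to spec values is my assumption, and "Any supported" is taken to mean "do not send the field, let the browser default apply".

```python
import base64
import secrets
from urllib.parse import urlsplit

# Assumed mapping of the tab's choices to WebAuthn enum values; None = field omitted.
ATTACHMENT = {"Any supported": None, "Platform": "platform", "Cross-Platform": "cross-platform"}
USER_VERIFICATION = {"Any supported": None, "Required": "required",
                     "Preferred": "preferred", "Discouraged": "discouraged"}
MAX_TIMEOUT_SECONDS = 300    # both Timeout (seconds) fields cap at 300 on this tab


def _b64url(raw: bytes) -> str:
    """base64url without padding, the encoding WebAuthn JSON uses for binary fields."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _timeout_ms(seconds: int) -> int:
    if not 1 <= seconds <= MAX_TIMEOUT_SECONDS:
        raise ValueError(f"timeout must be between 1 and {MAX_TIMEOUT_SECONDS} seconds")
    return seconds * 1000    # the browser API takes milliseconds


def rp_id_matches_origin(origin_url: str, rp_id: str) -> bool:
    """True if rp_id equals the origin's host or is a parent domain of it (label boundary respected)."""
    host = (urlsplit(origin_url).hostname or "").lower()
    rp_id = rp_id.lower()
    return host == rp_id or host.endswith("." + rp_id)


def registration_options(rp_id, rp_name, user_id: bytes, user_name,
                         attachment="Any supported", timeout_seconds=60):
    """PublicKeyCredentialCreationOptions (JSON form) for the Registration Settings."""
    selection = {}
    if ATTACHMENT[attachment] is not None:
        selection["authenticatorAttachment"] = ATTACHMENT[attachment]
    return {
        "rp": {"id": rp_id, "name": rp_name},
        "user": {"id": _b64url(user_id), "name": user_name, "displayName": user_name},
        "challenge": _b64url(secrets.token_bytes(32)),   # fresh per ceremony, stored server-side
        "pubKeyCredParams": [{"type": "public-key", "alg": -7},      # ES256
                             {"type": "public-key", "alg": -257}],   # RS256
        "timeout": _timeout_ms(timeout_seconds),
        "authenticatorSelection": selection,
        "attestation": "none",
    }


def authentication_options(rp_id, user_verification="Any supported",
                           timeout_seconds=60, allowed_credential_ids=()):
    """PublicKeyCredentialRequestOptions (JSON form) for the Authentication Settings."""
    options = {
        "rpId": rp_id,
        "challenge": _b64url(secrets.token_bytes(32)),
        "timeout": _timeout_ms(timeout_seconds),
        "allowCredentials": [{"type": "public-key", "id": _b64url(cid)}
                             for cid in allowed_credential_ids],
    }
    if USER_VERIFICATION[user_verification] is not None:
        options["userVerification"] = USER_VERIFICATION[user_verification]
    return options


if __name__ == "__main__":
    # Constructed values: a hypothetical origin and relying party ID.
    origin, rp = "https://pwd.example.com", "example.com"
    print("RP ID valid for origin:", rp_id_matches_origin(origin, rp))
    print(registration_options(rp, "Password Depot", b"user-42", "alice",
                               attachment="Cross-Platform", timeout_seconds=120))
```

`rp_id_matches_origin` only checks the suffix relationship; the browser additionally refuses public suffixes such as a bare top-level domain as relying party ID, so keep the ID at your own registrable domain or the exact host.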