
Manage your Active Directory identities with Nervepoint Access Manager

Derek Schauland takes a look at Nervepoint Access Manager, a free, preconfigured virtual appliance offering a self-service solution for managing AD identities.

Being a systems administrator in an IT department of three (read: Me, Myself, and I) has its challenges, and password resets are certainly one of them. I have covered applications that help with this in the past and have tried several solutions, but this one is just a bit different and might be a good option to consider.

Because Nervepoint Access Manager (NAM) ships as a ready-to-go VM, you simply point it at your Active Directory and let it do the work.

How is it different?

Nervepoint distributes its access manager as a preconfigured virtual appliance that requires very little configuration beyond downloading the appliance (around 200 MB) and starting it in VMware. In my testing I started the appliance in VMware Workstation on my laptop, but you could run it inside vSphere or even with VMware Player.

Getting started

Once the machine is running, the configuration takes place in a browser and is very straightforward. To get started, simply point your browser at nervepoint.domain.com or the IP address assigned to your Nervepoint machine.

When you first access the service via a browser you will need to complete the initial configuration wizard beginning with the EULA for Nervepoint.

After accepting the agreement you will be asked to specify an administrator password for access to the configuration and reporting details of the Nervepoint system. Once this password is set, it cannot be reset if forgotten; the only recovery is to remove the VM and start over from a new instance of Nervepoint. Enter and confirm the password, then click Next to proceed.

On the next page you specify connection information for your Active Directory environment. Enter the username and password for a domain administrator account and click Next.

Figure A

AD credentials

Nervepoint will now begin discovering your directory and return any domain controllers it finds. Select one of the found domain controllers (or select Manually Configure) and click Next.

After you specify the domain controller information, the system verifies and tests these settings. Once that is complete, you will be asked to specify the security questions used to identify users. These questions are configured once and cannot be changed afterwards. Default questions are filled in and can be modified during the initial configuration.

Figure B

Challenge Question configuration

On the next page of configuration you can specify your organization's email settings. The email notification information includes the following:

  • Email server hostname
  • User name and password (if needed)
  • Sender address for notifications
  • Recipient address for notifications

On the bottom of this screen you will also see a template for the initial email. This template is used to alert your users of the new service and prompt them to configure their profile and complete security questions. Also, you can select the checkbox to send this notice to users as soon as the configuration is complete.

Once these screens are completed, click Finish to save the settings. The next time you visit the service, you will see the options screen shown in Figure C.

Figure C

Service options

There are three user options available within Nervepoint: you can reset your password if you have forgotten it, update the answers to your challenge questions, or unlock a locked account. Select the option you wish to use.

For the account management option, which accesses your challenge questions, you will need to provide your username and password. For the other options, you specify your username and then answer challenge questions to proceed.

At the very bottom of the list is an administrative option; selecting it prompts you to log in with the administrator account, which is "admin", and the password you specified during configuration. The admin options are shown below in Figure D.

Figure D

Administrator options

On this screen you can see usage reports and other management options including:

  • A list of manageable accounts
  • A dashboard displaying system usage
  • Email template configuration
  • Active Directory configuration options
  • Nervepoint system configuration

If you access the administrative URL for the virtual appliance, which defaults to port 10000, you can reach information related to the appliance and the Linux configuration for the service. The main screen for this is shown in Figure E. Note: when you first power on the virtual appliance, you are presented with the system administrative credentials, which default to the username Administrator and the password administrator; these should be changed as soon as possible.

Figure E

System administrative pages

Who should consider it?

Organizations wishing to implement some type of password and account self-service would be good candidates for this application. Because no hardware is needed specifically for the account management tools, the startup costs are minimal.

What is the cost to implement?

The identity management features provided by Nervepoint are free and will always be available at no cost. Other features are coming which may incur costs, but the password management application is completely free.

Bottom Line

For organizations just starting out with self-service options, this is a great place to start given the cost and ease of implementation. The virtual appliance is a breeze to configure, and the extremely minimal requirements to run it make it a good fit for organizations of any size looking to evaluate an easy-to-use solution. For small organizations where budget may be a factor, the Nervepoint solution is definitely ahead of the game.

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

19 comments
jeorgebook

Well, thanks for this information. I would certainly love to know whether the tool has the authority to authorize co-workers to unlock the account if the present user is unavailable. Like, I had tested the Lepide Self Service product, in which there's a facility to authorize a co-worker if the present user is unavailable for the day. This in turn saves time for the organization. Thus please update this information also. Thanks

Khayne

This looks like a godsend for my organisation, but since most of my colleagues have Norwegian as their first language it would only work well if it could support other languages than English, or have the option to change the text on the web pages to Norwegian. Does this application come with language support for other languages than English, or give the administrator access to change the text on the web pages? Thanks!

Craig_B

I tried to run the VM on VMware ESX 3.5 and VMPlayer and both came up with an error about it being invalid. I simply copied the .vmx and .vmdk to the host and imported the VM, but no go.

orcsattheg8

Have you found a way to put this on an existing Linux server as opposed to a VM? I've got several offices with both Linux and Microsoft in the same environment.

SgtPappy

...that big of an issue that someone has to write a full blown app to have end users reset it themselves? I've been a network admin for a very very long time and I don't think I've ever had to reset someone's password because they forgot it. If someone can't remember their login password they probably should find a job that doesn't require the use of a computer.

cgrace70

I figured as much. Unfortunately, the group of people I have in mind are our mobile workforce, as there is no other system on the internal network that they can use. I hesitate to put the service on the 'net.

Derek Schauland

You can simply have the user access the site on another system. They will be prompted for their logon info when they hit the site.

cgrace70

In a corporate environment I would love to have a self assist interface. However, if a user has locked out their account or forgotten their password, how do they access the interface to do the reset when they cannot log in to the computer?

Derek Schauland

that I am certainly no Linux admin, it was pretty easy. The setup was all handled in the browser after the VM powered up. In testing it seemed to perform quite well. I wouldn't imagine Linux admin capabilities are needed at all.

mario.aguirre

Figure E shows it's simply a customized Webmin running on Ubuntu 11.04. Given that Microsoft-oriented companies do not have Linux admins, is this solution really "start, config, run & forget"? How is compatibility guaranteed between Ubuntu and Webmin? I remember some versions not being fully compatible... BTW, I use Ubuntu. I'm not begging against this solution. It's just because although I love it, I had some troubles with Webmin before, and when it comes to something AD related, my fears start to rise...

majid

Khayne, this is the first release; additional language support is something we will look at adding in a later release. It would be worth adding this to the forums so we can continue any further dialog with you on this when this feature goes in.

majid

Craig, if you send this to the forums we can help out. This article isn't really the place.

majid

We can certainly add it as a potential feature in a later release if the demand is there. It would be worth posting this to the forums for consideration.

corcorac

@SgtPappy, how long is a long time? You must be working with the perfect staff! I have worked in IT since punch cards (yes, I'm about to retire) and have worked my way up through all the flavors of Novell and MS servers and am still changing and resetting passwords for users. This includes financial and administrative people. With our 60-day change requirement on all passwords, at least 1 or 2 out of the 5000 users will forget a password on any given day. I am going to give this a try.

cgrace70

I get at least a call a week from a user pool of 200 people. The worst are sales/marketing people and yes, most of them shouldn't be using a computer. :)

trippledes

SgtPappy, I worked in a mid-sized business that spanned several timezones; in fact we had a big engineering office in India, US, Michigan and then satellite offices in various other parts of the world. IT support was based in the US and looked after the main network, which is where key resources were, such as SVN servers, file servers, support systems etc. Forgetting passwords after coming back off holiday was not unusual, and new employees forgetting their password was also not unusual. We had to raise support tickets, and being based in the UK it meant having to wait 8 hours before support came in to reset passwords. Again, not everyone was engineering either; some were sales, marketing and not necessarily mindful of remembering their passwords. You then got to also remember some of these guys were in India too, with a 12 hour time difference.

jpb

Unfortunately, Sarge, more and more jobs require the use of a computer, and apps like this are very much in demand. I remember paying out big bucks for this kind of thing in 1999/2000 when we put PCs out on the production floor. I also remember wondering what took them so long to get something like that to market, and I've been officially employed as a network admin or manager since the days when Novell was king.

Derek Schauland

Since each user has different answers to the challenge questions and you could use an SSL certificate to secure the site, exposing it to the web should be ok in most cases, but before doing so, I would take stock of your security requirements.

majid

Mario, Webmin itself is not involved at all in the integration with Active Directory. It is simply there to provide a way of changing some of the basic configuration of the VM. Nervepoint itself is not tied to Webmin or indeed Linux (the application itself is cross-platform). We simply felt this was the best way to distribute Nervepoint, at least initially. Also, the functions we expose in Webmin will gradually be removed or moved to the Nervepoint application itself (stuff like retrieving logs, certificate management).