Frequently Asked Questions

1. General

  1. Do I need to install any prerequisite software before using Access Manager Plus?
  2. Can others view the connections added by me?
  3. What happens if a user leaves the organization without sharing their sensitive passwords with anyone?
  4. How do I troubleshoot if importing users/connections from AD fails?
  5. Does domain SSO work across firewalls/VPNs?
  6. Does Access Manager Plus record Password viewing attempts and retrievals by users?
  7. Why does the size of PostgreSQL wal_archive file increase at a rapid pace?
  8. Does Access Manager Plus support High Availability?
  9. What are the various syslog formats followed by Access Manager Plus?
  10. Does Access Manager Plus alter the number of Windows CAL licenses?
  11. How do I fix the PostgreSQL server start-up failure?

2. Web Interface and Authentication

  1. Can I change the default port 9292 where Access Manager Plus is listening?
  2. How do I change the Access Manager Plus web portal access URL?
  3. Access Manager Plus is a web-based application that can be accessed via a web browser. Does that mean I can access it from anywhere?
  4. What if my users are not notified of their Access Manager Plus accounts?
  5. What are the user roles available in Access Manager Plus? What are their access levels?
  6. What if I forget my Access Manager Plus login password?
  7. Why do I sometimes see a security warning while accessing the Access Manager Plus console via the browser?

3. Licensing

  1. What is the Licensing Policy for Access Manager Plus?
  2. Can I buy a permanent license for Access Manager Plus? What are the options available?
  3. How can I apply my license file?
  4. Can Access Manager Plus support more than 1000 administrators?
  5. Can I extend my evaluation to include more administrator users or for more number of days?

1. General

1. Do I need to install any prerequisite software before using Access Manager Plus?

Although there are no prerequisite software required to install and start Access Manager Plus, you will need the following components in order to use Privileged account discovery features:

  • Microsoft .NET framework 4.5.2 or above must be installed in the server where Access Manager Plus is installed.
  • Microsoft Visual C++ 2015 redistributable must be installed.

To check if these software requirements are configured:

  • Go to Support » Software Requirements and click Check Configuration.

In the pop-up box that opens, the configuration status will be displayed.

2. Can others view the connections added by me?

No one including admin users, will be able to see the private connections added by you. However, if you share your connections, the entire Access Manager Plus user base will be able to view the connections.

3. What happens if a user leaves the organization without sharing their sensitive passwords with anyone?

If an administrative user leaves the organization, they can transfer the connections they own to other administrators. By doing so, they'll have no access to those connections themselves, unless they transfer the connections to themselves. Refer to this document for more details.

4. How do I troubleshoot if importing users/connections from AD fails?

Verify the following:

  • Check if the user credentials are correct.
  • If you are trying with an admin user and it fails, try entering the credentials of a non-admin user. This is just to verify if connection could be established properly.

If the above verifications fail, please contact amp-support@manageengine.com.

5. Does domain SSO work across firewalls / VPNs?

The domain Single Sign On (Windows-integrated authentication) is achieved in the Windows environment by setting non-standard parameters in the HTTP header, which are usually stripped off by devices like firewalls / VPNs. Access Manager Plus is designed for use within the network. So, if you have users connecting from outside the network, you cannot have SSO enabled.

6. Does Access Manager Plus record Password viewing attempts and retrievals by users?

Yes, Access Manager Plus records all operations that can be possibly performed by an user- including password viewing and copying operations. From audit trails, you can get a comprehensive list of all the actions and attempts by the users with password retrieval. Click here to know more.

7. Why does the size of PostgreSQL wal_archive file increase at a rapid pace?

This issue occurs when the backup location specified in Access Manager Plus is no longer accessible to save the backup file. In simple terms, whenever the PostgreSQL database backup fails, wal_archive folder size will start increasing.

Solution:

  1. Check if there is enough disk space available on the Access Manager Plus drive.
  2. If not, remove the logs directory and a few files present inside the directory.
  3. You need to have only one or two backups to be present here.
  4. Login to Access Manager Plus and navigate to Admin >> Configuration >> Database Backup.
  5. Click on the 'Backup Now' button.

This will trigger an instant backup and automatically purge the wal_archive directory.

8. Does Access Manager Plus support High Availability?

No, Access Manager Plus does not support High Availability.

9. What are the various Syslog formats followed by Access Manager Plus?

The following are three different types of syslog formats that Access Manager Plus uses to send syslog messages to your syslog collector host:

i. Resource Audit

operatedName+":"+operatedIp operationType operatedDate statusMess resourceName+":"+accName+":"+reason

ii. User Audit

operatedName+":"+operatedIp operationType operatedDate statusMess auditUserName+":"+reason

10. Does Access Manager Plus alter the number of Windows CAL licenses?

Generally, RDP sessions are invoked from the Access Manager Plus server and relayed to the end user's browser through a third-party component called Spark Gateway. This component comes bundled with Access Manager Plus and does not have any relation to Windows CAL licenses. Hence, Access Manager Plus does not affect the number of Windows CAL licenses in any way. Users need to purchase as many CAL licenses, as suggested by Microsoft.

11. How do I fix the PostgreSQL server start-up failure?

Error Scenarios:

  • During Upgrade:

'Trying to start PostgresSQL server failed' error in the command prompt after choosing the PPM file.

  • While setting up HA:

'Trying to start PostgresSQL server failed' error in the command prompt after executing the HASetup.bat command.

  • During Service Start up:
    1. Access Manager Plus service start failure after the upgrade.
    2. Access Manager Plus service start failure after updating the Access Manager Plus service account in Services console.
  • For the above two cases, do the following:
    Open the <AMP-HOME>\logs\wrapper file with notepad/Notepad++ and move to the very bottom of the file (i.e. most recent time frame) and check if we get the 'Trying to start PostgresSQL server failed' error.

Possible Causes:   

The following causes are explained with respect to the above error scenarios:

The 'Trying to start PostgresSQL server failed' error occurs when,

  1. Access Manager Plus is unable to access a few sub-folders inside Access Manager Plus (i.e appropriate permission not given).
  2. The PostgreSQL DB fails to start because of a background process that was not terminated properly.
  3. The instant DB port might be occupied by a different process.

Solution:  

The solution given below applies to all the above error scenarios. To fix this issue, follow the below steps to provide permission,

  1. Start the Task Manager and kill all Postgres process (make sure "show process from all users" is selected - For Access Manager Plus).  
  2. Update the Access Manager Plus service with a privileged account in the services console.
  3. Open command prompt using administrator and execute the below query:
    1. icacls "installation path" /q /c /t /grant Users:F
      • installation path - Provide the Manage_Engine folder location.
      • Users - Provide the Access Manager Plus service account in the following format:  <DomainName\user name> or <username@domainname>.
      • Example:  icacls "C:\ProgramFiles\ManageEngine\AMP" /q /c /t /grant ManageEngine\svcamp:F
    2. If the key is placed outside the Access Manager Plus folder, kindly provide permission for the key's locations using icacls command.
    3. In the same way, provide full control permission for <AMP>\pgsql\data folder.
    4. Check the <AMP_Installation_Directory>/pgsql/data folder and ensure if it has inherited that permission.
  4. Navigate to <AMP_Installation_Directory>/pgsql/data and open pg_hba.conf and search NULL. If you find any, remove the entire line that contains NULL.
  5. Rename the logs folder present inside the <AMP_Installation_Directory> as logs.old and create a new folder as logs.
  6. Rename the Patch folder present inside the <AMP_Installation_Directory> as Patch.old and create a new folder as Patch.
  7. Navigate to <AMP_Installation_Directory>/bin directory and look for files named .lock or lockfile. If present, move both these files to any other directory.
  8. Go to <AMP_Installation_Directory>/pgsql/data directory and look for files named recovery.conf and postmaster.pid. If present, move this file to any other directory.
  9. Now, try to apply the PPM or configure HA or try starting the service.

If the issue still persists, zip and send us the logs from the <AMP_HOME> and also the <AMP-HOME>\pgsql\data\pg_log folder along with the above screen shots to accessmanagerplus-support@manageengine.com.

2. Web Interface and Authentication

1. Can I change the default port 9292 where Access Manager Plus is listening?

Yes, you can change the default port as explained below:

  1. Login to Access Manager Plus as an Administrator. Navigate to Admin >> Server Settings >> Access Manager Plus Server
  2. Enter the required port beside the Server Port field, and click Save.
  3. Restart Access Manager Plus for this configuration to take effect.

2. How do I change the Access Manager Plus web portal access URL?

  1. Login as an administrator. Navigate to Admin >> Server Settings and click Mail Server Settings.
  2. Fill in the required URL in the Access URL field and save the settings.

This will serve as your custom web URL for Access Manager Plus from now on.

3. Access Manager Plus is a web-based application that can be accessed via a web browser. Does that mean I can access it from anywhere?

Access Manager Plus is an on-premise tool installed in a physical server or virtual machines (VM). You can access Access Manager Plus's web interface from any machine on the network connected to the same LAN network using the web browsers.

4. What if my users are not notified of their Access Manager Plus accounts?

In general, users are notified of their Access Manager Plus accounts only through emails.  If a user does not get the notification emails, verify:

  • If you have configured the mail server settings properly, with the details of the SMTP server in your environment.
  • If you have provided valid credentials as a part of mail server settings, as some mail servers require the same for mails to be received.
  • If the 'Sender E-Mail ID' is properly configured, as some mail servers reject emails sent without the From address or mails originating from unknown domains.

5. What are the user roles available in Access Manager Plus? What are their access levels?

Access Manage Plus comes with two pre-defined user roles:

  1. Administrator
  2. Standard User

Licensing restricts the number of users as a whole, which includes Administrators and User. To get more details on the user roles, click here.

6. What if I forget my Access Manager Plus login password?

Note: Show 'Forgot Password' option in the login screen should be enabled under Admin >> General Settings >> User Management.

If you were already given a valid Access Manager Plus account for Local Authentication,

  1. Click the Forgot Password? link available in the login page to reset your password.
  2. In the pop-up that appears,
    1. Enter the Username and the corresponding Email Id.
    2. Click Reset to send a password reset link to the configure Email.
  3. Open your email and find the email containing the password reset link and click on the link.
  4. Now, Access Manager Plus will send a One Time Password (OTP) to the configured email.
  5. Use this One Time Password along with the Username and choose Local Authentication in the Domain name drop down menu to login.
  6. Access Manager Plus will prompt you to reset your password. Mention the One Time Password under Old Password and enter the New Password.
  7. Click Save.

You have successfully reset your Access Manager Plus password.

7. Why do I sometimes see a security warning while accessing the Access Manager Plus console via the browser?

The Access Manager Plus web console always uses the HTTPS protocol to communicate with the Access Manager Plus server. The Access Manager Plus server comes with a default self-signed SSL certificate, which the standard web browsers will not recognize, thereby issuing a warning. You can ignore this warning while you're testing or evaluating the product. However, if you're rolling it out in production, we recommend that you install an SSL certificate bought from an authorized Certificate Authority (CA) that is recognized by all standard web browsers.

3. Licensing

1. What is the Licensing Policy for Access Manager Plus?

There are two license types:

  1. Free Edition: Licensed software that allows you to have 2 users with limited set of features. Valid forever.
  2. Standard Edition: The registered version with licensing is based on the number of users, irrespective of roles. It comes with additional enterprise-class features such as TFA, Landing Servers for RDP/SSH, Session Collaboration, etc.

For more information on licensing or to procure a license, get in touch with our sales team sales@manageengine.com.

2. Can I buy a permanent license for Access Manager Plus? What are the options available?

Though Access Manager Plus follows an annual subscription model for pricing, we also provide perpetual licensing option. The perpetual license will cost three times the annual subscription price, with 20% AMS from the second year. Contact sales@manageengine.com for more details.

3. How can I apply my license file?

  1. Login as an administrator in the Access Manager Plus web interface. Click the 'My Account' icon at the top right corner and select License.
  2. Browse to add the license file and click on Upgrade. Your new license file is added.
  3. Now, restart the Access Manager Plus service for the license to take effect. You can check to see if the license is applied and other details under the same section.

4. Can Access Manager Plus support more than 1000 administrators?

Yes. If you want a license with more than 1000 administrator users, please contact sales@manageengine.com for more details.

5. Can I extend my evaluation to include more administrator users or for more number of days?

Yes. Fill in the required details in the website and we will send you the license keys.
Top