Recovering from a lost encryption certificate
If you lose access to the encryption certificate's private key, any current and historical passwords encrypted with that key cannot be recovered. This is why backing up the certificate is so important.
To restore local admin password access to your environment, you need to publish a new key and force the agents to generate a new password and encrypt it with that key.
Recovery steps for passwords stored in Access Manager
Step 1: Generate a new certificate
From the Access Manager Service configuration tool, visit the Access Manager Agent/Password settings page and click Generate new... to create a new certificate.
Step 2: Backup the new certificate
Once the certificate has been generated, click Export... to back up the certificate. Choose a strong password, and keep this file safe, preferably in an offline location.
Step 3: Publish the new certificate
Once you've secured your backup key, click Set Active to activate the new certificate.
Step 4: Expire all computer passwords
On the Access Manager Agent/Devices page, select all the appropriate devices and click Expire password. Within 60 minutes, the agents that are online will generate new passwords and store them in the directory.
Unfortunately, password history is not recoverable.
Recovery steps for Lithnet LAPS passwords stored in Active Directory (deprecated)
These steps only apply where you have the v2 agent configured on Active Directory-managed devices, storing passwords in Active Directory.
Step 1: Generate a new certificate
From the Access Manager Service configuration tool, visit the Directory Configuration/Active Directory/Lithnet LAPS (deprecated) page, select the forest you need to recover from the drop-down list, and click Generate new....
Step 2: Backup the new certificate
Once the certificate has been generated, click Export... to back up the certificate. Choose a strong password, and keep this file safe, preferably in an offline location.
Step 3: Publish the new certificate
Once you've secured your backup key, click Publish to generate a new script that publishes this certificate to AD. Run the script as a domain admin of the root forest.
Step 4: Force expire all computer passwords
To force clients to immediately generate a new password, set the lithnetPasswordExpiry attribute on each computer to 0.
You can use the following script to do this. Set the $ou variable to the DN of the container where the computers are located, or leave it as-is to expire the passwords of all computers in the domain.
When the agent next runs (by default, every 60 minutes) it will detect that its password has expired, generate a new password, and encrypt it using the newly published certificate in the directory.
If you are using the password history feature, those previously used passwords can no longer be decrypted. You should delete them from the directory using the following script, to avoid users being presented with "Password could not be decrypted" warnings in the web app.
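The expiry and history clean-up that Step 4 describes, written here as an added example rather than the project's own script. It assumes the RSAT ActiveDirectory PowerShell module and rights to modify the computer objects; the page does not name the attribute that holds the password history, so $historyAttribute is a placeholder you must fill in from your schema.

```powershell
# Added example, not the Lithnet project's script. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# DN of the container holding the computers; leave as the domain root to
# expire the passwords of every computer in the domain.
$ou = (Get-ADDomain).DistinguishedName

# Placeholder: set this to the schema attribute that stores the password history
# (the page does not name it). Leave $null to skip history clean-up.
$historyAttribute = $null

# Set to $true to preview the changes without writing anything.
$whatIf = $false

$properties = @('lithnetPasswordExpiry')
if ($historyAttribute) { $properties += $historyAttribute }

$computers = Get-ADComputer -Filter * -SearchBase $ou -Properties $properties

foreach ($computer in $computers) {
    # 0 marks the password as expired; on its next run (every 60 minutes by default)
    # the agent generates a new password and encrypts it with the newly published certificate.
    Set-ADObject -Identity $computer.DistinguishedName `
        -Replace @{ lithnetPasswordExpiry = 0 } -WhatIf:$whatIf

    # History entries were encrypted with the lost key and can never be decrypted,
    # so clear them to avoid "Password could not be decrypted" warnings in the web app.
    if ($historyAttribute -and $computer.$historyAttribute) {
        Set-ADObject -Identity $computer.DistinguishedName `
            -Clear $historyAttribute -WhatIf:$whatIf
    }
}
```

Run it with $whatIf = $true first to confirm the set of computers matched by $ou before expiring anything.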