Lithnet Access Manager
v3.0

Considerations for migrating from Access Manager v2


Last updated 10 months ago


Upgrading your environment from version 2 to version 3 of Access Manager requires some careful planning as things have changed.

Access Manager Server

Enterprise edition license key update required

If you are an Access Manager enterprise edition customer, you will require a new license key to support AMSv3.

Existing enterprise edition customers should contact Lithnet support to obtain an AMSv3 license prior to upgrading if they have not already done so.

Community edition no longer allows web app customization

Access Manager v2 allowed community edition users to customize some elements of the web app such as branding and custom logo use.

In Access Manager v3, customization of the web app is now an enterprise edition feature.

Community edition users upgrading from v2 to v3 will revert to the default settings of the web app.

Audit template updates

In order to support accurate logging of audit events in line with new features such as RapidLAPS, the event log template has been replaced with a new version. If you have customized the event log template, you'll need to reapply your customizations after the upgrade. The old event log template will be backed up to the Access Manager app path under the migration-backups folder.

Updated versions of the Slack, Teams, and email templates are provided in the templates folder of the application install directory. These are not applied by default.

Agent policies

Agent policies from Access Manager v2 will be imported as "Legacy agent v2 policies". They will continue to work as they do today.

However, before deploying v3 agents, you'll need to create v3 agent policies, as the legacy v2 agent policies are not used by the new agent.

This will allow you to leverage new features such as RapidLAPS, passphrases, and BitLocker recovery key backup.

Policies are now set per operating system type, as each operating system has different feature sets available to it.

See the guide for configuring Lithnet LAPS to set up new password policies that are compatible with v3 agents.

You can also set up new features that the v3 agent unlocks by following the configuring RapidLAPS and configuring BitLocker backup guides.

SPN migration required when using Windows authentication for users

When user authentication was configured to use integrated Windows authentication, Access Manager v2 used kernel-mode authentication. This required that the SPN for the web site be registered against the AMS computer object.

In AMSv3, the Access Manager service uses user-mode authentication, and as such, the SPN must be moved to the AMS service account. The migration guide provides the steps required to do this.

Access Manager Agent

Upgrade the AMS server before upgrading the AMS agents

The v3 agent can only communicate with a v3 server. Ensure that you upgrade the server to v3 before upgrading the agents to v3.

The v3 server can host both v2 and v3 agents.

Access Manager Agent no longer supports writing passwords to the Active Directory custom schema

When a v2 agent is installed on a host that was joined to an Active Directory domain, it writes LAPS passwords to a set of custom schema attributes in Active Directory. The v3 agent no longer writes to these Active Directory attributes, and instead stores its password directly in the AMS server.

When upgrading these agents to v3, you must now specify the server name as part of the installation.

For more information, read the guide on installing the Access Manager agent on Windows.

Group policy is no longer used to configure password management of Windows-based agents

The password policy settings configured for the v2 agent via group policy are no longer used by the v3 agent. The v3 agent uses policies configured on the AMS server.

See the guide for configuring Lithnet LAPS to set up new password policies that are compatible with v3 agents.

The package name for the Linux agent has changed

The Access Manager agent package has been renamed from LithnetAccessManagerAgent to LithnetAccessManagerAgent3 to prevent auto updates to v3 before the server has been upgraded to v3.

The LithnetAccessManagerAgent3 package supersedes the previous agent and migrates the config, so the upgrade process should be seamless.

Please read the Linux installation guide for full details.

ARM32 packages are no longer available

Due to an incompatibility with .NET 8 and ARM32, Lithnet is currently unable to provide an ARM32 agent for Access Manager v3. You can continue to use the v2 agent on these devices, and upgrade your server to v3. Advanced features, such as passphrases, will not be available on these devices, and they will remain managed by legacy AMSv2 policies.
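
One way to check and carry out the SPN move described under "SPN migration required when using Windows authentication for users", as an added example rather than Lithnet's own procedure (the migration guide remains the reference). It assumes a single domain, the ActiveDirectory PowerShell module, and placeholder values for the SPN and the service account's distinguished name.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the Lithnet documentation. Function name and all
# values passed to it are hypothetical placeholders.

function Move-WebSpnToServiceAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # SPN of the AMS web site, e.g. 'HTTP/ams.example.com' (placeholder)
        [Parameter(Mandatory)][string]$Spn,
        # Distinguished name of the AMS service account (placeholder)
        [Parameter(Mandatory)][string]$ServiceAccountDn
    )

    # Find every object holding the SPN. In v2 this is the AMS computer object.
    # More than one holder is a duplicate SPN, which breaks Kerberos for the site.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")

    # Remove the SPN from anything that is not the service account.
    foreach ($obj in $holders) {
        if ($obj.DistinguishedName -ne $ServiceAccountDn -and
            $PSCmdlet.ShouldProcess($obj.DistinguishedName, "Remove SPN $Spn")) {
            Set-ADObject -Identity $obj -Remove @{ servicePrincipalName = $Spn }
        }
    }

    # Register the SPN on the service account if it is not there already.
    if ($holders.DistinguishedName -notcontains $ServiceAccountDn -and
        $PSCmdlet.ShouldProcess($ServiceAccountDn, "Add SPN $Spn")) {
        Set-ADObject -Identity $ServiceAccountDn -Add @{ servicePrincipalName = $Spn }
    }

    # Re-query and report: the only holder must be the service account.
    $after = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")
    [pscustomobject]@{
        Spn     = $Spn
        Holders = $after.DistinguishedName
        Ok      = ($after.Count -eq 1 -and
                   $after[0].DistinguishedName -eq $ServiceAccountDn)
    }
}

# Dry run first: -WhatIf lists the objects that would change without writing to AD.
# Move-WebSpnToServiceAccount -Spn 'HTTP/ams.example.com' `
#     -ServiceAccountDn 'CN=svc-ams,OU=Service Accounts,DC=example,DC=com' -WhatIf
```

With `-WhatIf` nothing is written, so `Ok` reflects the current state of the directory; after a real run it should be `True` with a single entry in `Holders`.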