Lithnet Access Manager
PricingRequest a trial or quoteDownloads
v1.0
v1.0
  • Home
  • How does Access Manager help prevent lateral movement
  • Access Manager Editions
  • Licensing
  • Change log
  • Installation
    • Downloads
    • Creating a service account for the Access Manager service
    • Choosing between the Microsoft and Lithnet agents for LAPS support
    • Installing Access Manager
      • Access Manager Agent
      • Access Manager Service
  • Configuration
    • Setting up Authentication
      • Setting up smart card authentication
      • Setting up authentication with ADFS
      • Setting up authentication with Azure AD
      • Setting up authentication with Okta
    • Deploying features
      • Setting up Microsoft LAPS
      • Setting up Bitlocker access
      • Setting up Just-in-Time access
      • Setting up password encryption and history
      • Installing in a Failover Cluster
      • Integrated Windows authentication
    • Importing authorization rules
      • Importing BitLocker permissions
      • Importing local administrators group membership
      • Importing Microsoft LAPS permissions
      • Importing mappings from a CSV file
      • Importing rules from Lithnet LAPS web app
  • Help & Support
    • Frequently asked Questions
    • Troubleshooting
    • Getting Support
  • Advanced help
    • Advanced help topics
      • Access evaluation in Access Manager Service (AMS)
      • Performing an offline discovery of local admins
      • Script-based authorization
      • Backing up Access Manager
      • Recovering from a lost encryption certificate private key
    • Application help pages
      • Active Directory
      • Audit variables
      • Auditing Page
      • Auditing scripts
      • Authentication Provider
      • Authorization Page
      • BitLocker Page
      • Effective Access Page
      • SMTP Server Settings
      • High Availability Page
      • Proxy Settings
      • Jit Access Page
      • Licensing-Page
      • Local Admin Passwords Page
      • Rate Limits Page
      • User Interface Page
      • Web Hosting Page
Powered by GitBook
On this page
  • Backing up AMS
  • Backing up the configuration
  • Backing up the encryption certificate
  • Restoring AMS from a backup
  • Restoring the configuration
  • Restoring the encryption certificate
  • Recovering from a lost encryption certificate private key

Was this helpful?

  1. Advanced help
  2. Advanced help topics

Backing up Access Manager

Backing up AMS

You should regularly backup and restore your AMS config, and always backup before version updates.

Backing up the configuration

To backup the AMS configuration, simply backup the config folder, located in the program files directory.

%ProgramFiles%\Lithnet\Access Manager Service\config

If you have custom scripts or templates located outside of this folder, then back those up as well. We recommend keeping them in this folder to keep transport simple.

Backing up the encryption certificate

If you have deployed the Access Manager Agent, and are using the encrypted password functionality, you'll need to ensure you have a backup of your password encryption certificate and it's private key. There is one encryption certificate per forest.

The easiest way to backup the encryption certificates for each forest is to use the AMS configuration tool. From the Local admin passwords page, select the forest that contains the certificate you want to backup, and click View Certificate. From the Details tab, click Copy to file, making sure to select the option to export the private key when prompted. Choose a very strong password, and store the resulting PFX somewhere very safe. Preferably in offline storage. Remember that access to this key will allow someone to decrypt all the local admin passwords in your domain.

Repeat the process for any other keys listed, in this forest, or other forests you have in your environment.

Alternatively, you can use mmc.exe to backup the certificates. Run mmc.exe and select the File menu and Add/Remove snap in.... Add the certificates snap in, and select service account followed by local computer. When prompted to select a service, choose the Lithnet Access Manager Service. All the encryption certificates are located in the Personal store of the service. Right click on each certificate and select All tasks -> Export to run the export wizard.

Restoring AMS from a backup

Restoring the configuration

To restore from backup, stop the Access Manager Service using the Windows services MMC. Close down the configuration editor if you have it open. Copy the contents of your config backup into the AMS configuration folder.

%ProgramFiles%\Lithnet\Access Manager Service\config

Open the Access Manager Configuration tool, and if you configuration is correct, you can start the AMS service.

Restoring the encryption certificate

Run mmc.exe and select the File menu and Add/Remove snap in.... Add the certificates snap in, and select service account followed by local computer. When prompted to select a service, choose the Lithnet Access Manager Service. Once the console has loaded, right click on lithnetams\Personal and select All tasks -> Import certificate. Select your exported PFX files, provide the password, and import the certificate into the services personal store.

Recovering from a lost encryption certificate private key

If you loose access to the encryption certificate's private key, any current and historical passwords encrypted with that key are not recoverable. This is why backups are so important.

PreviousScript-based authorizationNextRecovering from a lost encryption certificate private key

Last updated 2 years ago

Was this helpful?

However, you can publish a new key, and force the agents to generate a new password and encrypt it with that key. See the guide o for more details.

n Recovering from a lost encryption certificate