Whether through policy or for other reasons, there may come a time when you need to change the password for the AD account used by Venafi. This article outlines the steps necessary to make sure the password gets updated everywhere the AD account is used by Venafi.
1. Change the AD password as you normally would.
2. Run VCC on each Venafi server to update the database password
NOTE: This step is only necessary if the AD account is used to give Venafi access to the database.
On each server running Venafi, run the Venafi Configuration Console (VCC). It must be run on every server: running it on one server updates only that server's stored database credentials, and the other servers will still be unable to communicate with the database.
Choose "Change database password".
On the "Database Configuration" page, enter your new password and click "Verify".
On the next page, provide the credentials of a local master admin. At this stage the AD identity used by Venafi has not yet been updated with the new password, so any attempt to log in with an AD account will fail.
Finish the wizard.
3. Run WinAdmin to change the password for the binding account
NOTE: This step is only necessary if the AD account whose password you changed is the binding account.
NOTE: This step does not need to be run on each Venafi server; running it on one is enough.
Select the AD identity and take note of the Username in the settings panel. If it does not match the AD account whose password you changed, stop here: your AD binding was not affected by the password change.
Select the Active Directory Identity Wizard from the top of the page. Do not select the wizard from the menu as that will create a new AD identity and not update the current one.
On the "Active Directory Authentication Credentials" screen, enter the new password for the binding account.
Finish the rest of the wizard. If the AD configuration itself did not change, you should only need to update the password.
More information about updating the AD identity can be found in this article.
The Venafi and IIS services will then need to be restarted on each Venafi server so that the change propagates through the environment.
4. Update the identity for each Venafi site
NOTE: This step is only necessary if the AD account whose password you changed is the one used as the identity of the Venafi application pools. If you are unsure, follow the steps below and check the Identity before clicking on it: if it does not match the account you changed, there is nothing to update.
NOTE: This will need to be done on each machine running any Venafi web service.
Open IIS Manager.
Click on Application Pools.
For each Venafi application pool (Aperture, VAcme, VEDAdmin, VEDClient, VEDScep, VEDWebSDK):
- Click on the application pool.
- On the right, click "Advanced Settings" in the "Actions" bar.
- In the window that opens, find the Identity under the Process Model header.
- Click on the Identity to change it. If this identity is not the AD account whose password you changed, leave it as it is.
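The check-then-update described in step 4 can be scripted rather than clicked through in IIS Manager, which is useful when several web servers must be updated consistently. The following PowerShell is an added example and is not part of the Venafi article or product; it assumes the account name `CONTOSO\svc-venafi` as the changed AD account (a placeholder), that it runs elevated on each Venafi web server, and that the WebAdministration module is present (it is installed with IIS Manager).

```powershell
# Added example (not from the Venafi article): update the IIS application pool
# password only on the pools that actually run as the AD account whose password
# was changed. Pools running as any other identity are left untouched, which is
# the same check the article tells you to make before clicking on the Identity.
# Assumptions: $ChangedAccount is a placeholder; run elevated on each web server.
Import-Module WebAdministration

$ChangedAccount = 'CONTOSO\svc-venafi'    # assumed: the AD account that was changed
$NewPassword    = Read-Host -AsSecureString -Prompt "New password for $ChangedAccount"
$VenafiPools    = 'Aperture', 'VAcme', 'VEDAdmin', 'VEDClient', 'VEDScep', 'VEDWebSDK'

# processModel.password stores a plain string, so decrypt the SecureString once here
# rather than keeping the password in a script file or command history.
$Plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password

foreach ($Pool in $VenafiPools) {
    $Path = "IIS:\AppPools\$Pool"
    if (-not (Test-Path $Path)) {
        Write-Warning "$Pool is not present on this server, skipping"
        continue
    }

    $Model = Get-ItemProperty -Path $Path -Name processModel

    # Only identityType SpecificUser carries a stored password; built-in identities
    # (ApplicationPoolIdentity, NetworkService, ...) have nothing to update.
    if ("$($Model.identityType)" -ne 'SpecificUser' -or
        "$($Model.userName)" -ne $ChangedAccount) {
        Write-Host "$Pool runs as $($Model.identityType) $($Model.userName); not affected"
        continue
    }

    # Store the new password and recycle so the worker process restarts with it.
    Set-ItemProperty -Path $Path -Name processModel.password -Value $Plain
    Restart-WebAppPool -Name $Pool
    Write-Host "$Pool password updated and recycled"
}
```

`Restart-WebAppPool` recycles only the pool it is given; the full restart of the Venafi and IIS services called for in step 3 is a separate action. Because the script compares the stored `userName` against the changed account before writing anything, it can be run safely on a server where some pools use a different identity.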
5. Change credential objects
If this AD account was used to log in to any local CA, you will have to change the credential object to reflect the new password. Even if multiple CAs log in with this identity, as long as they all share the same credential object you only need to change the password on that one credential object.