All Versions of Venafi.
NOTE: At version 19.3 the location of the AD wizard changed - different instructions are provided below.
Whether because of policy or for other reasons, there may come a time when you need to change the password for the AD account used by Venafi. There are two places where Venafi depends on a reliable AD account:
- for SQL Server access
- for AD Binding ("connector" in Venafi)
This article outlines the steps necessary to make sure the password is updated everywhere it is used.
Modifying the Database connection Password
There are two ways to connect to the Database: using a SQL account or using Windows Authentication (AD Account). These steps apply to both, but the implications are slightly different.
1. Change the account password as you normally would, either in AD or directly in SQL.
2. Run the Venafi Configuration Console (VCC) with Admin rights on each Venafi server to update the database password. NOTE: This modifies how the services and IIS are configured, so it must be done on ALL TPP servers for them to be able to communicate with the database.
- Select Database, Properties, and then enter a "Local" Master-Admin account to access the DB settings.
- On the Configuration page, modify the password appropriately. Select "OK".
- Exit the Venafi Configuration Console. Be sure to restart both Venafi services and IIS. All three use this account, so this is very important!
- Repeat on all other TPP servers.
Modifying the AD/LDAP Binding Account (Connector)
For versions prior to 19.1, you should follow the steps outlined here after changing the AD password as you normally would:
For 19.2 and later, you should follow the steps outlined here after changing the AD password as you normally would:
Modifying any internal Venafi credential objects
If this AD account was used to log into any local CA or other devices, you will have to change the corresponding credential object to reflect the new password. Be sure to update all related passwords and accounts in Venafi.