How to Access Passwordstate During A DR Event

You get the phone call you’ve been dreading, “We’ve lost our network and Active Directory.  We’re unsure of the status of most systems but do have successful backups that we can recover from if required.  When can you get in to the office as we’re calling a DR Event.”. 

Great!  You’ve been asking for the budget to establish High Availability for critical systems for a while but nobody’s interested.  And having good backups is all well and good but not much use if you don’t have access to your privileged accounts!  And you can’t access your Passwordstate instance as the network is down.  Looks like you’re out of luck… or are you?

Is Passwordstate Self Contained on the One Server?

The scenario we’re using in this blog (based on there being no network, high availability for critical systems or AD), will only work for those systems that have their Passwordstate database and website (Microsoft Internet Information Services) installed on the same server.  If your instance is split between 2 servers, one for the webserver and a separate server for your database you’re out of luck (…because you don’t have a network).

Create a HTTPS Binding

The first thing you’re going to need to do is bypass your production server’s HTTPS binding.  To do this you’re going to need to be able to login via the console on your Passwordstate Server (again… no network).  Hopefully you have a Local Login and access to the password for this.  If you haven’t, then the first thing you’re doing once you’re out of the DR event, is to download our native iOS and Android Apps and sync these to your Passwordstate instance.  This’ll give you a secure encrypted cache containing all of all the credentials you’ve been granted access to.

Next, you need to perform the following steps;

  1. Start Microsoft IIS,
  2. Select the passwordstate website,
  3. On the left hand side of the IIS console, under Edit Site click on Bindings…,
  4. Click on the Add button,
  5. In the Add Site Binding dialog select the Type as HTTPS, set the Port as 443. Type a Host name of localhost, and select Require Server Name Indication if you have other servers using the same port number,
  6. Select your SSL certificate from the drop down box,
  7. Then click the OK button.

And finally click on the Close button.

Browse to your Passwordstate URL

Now you potentially have 2 options available to you.  If you have a Local Login with appropriate Security Administrator roles and permissions to the required Password Lists etc. you can logon with that account.  You can then access all the required credentials as appropriate.  Simply browse to https://localhost and click on the indicated buttons and links,

However, if you don’t have a Local Login then you’ll need to login via the Emergency Access Account.  This can be accessed via browsing to https://localhost/emergency,

In the example above we have 2FA enabled for the Emergency Access Account.  The limitation with using the Emergency Access Account is that you won’t have easy access to the credentials you’ll need.  Instead, you’ll need to Export All Passwords to a password protected .ZIP file and then copy this to a USB drive if required. 

Note this will only export Shared Password Lists, you have no access to user’s Private Password Lists.  To export all passwords, navigate to Administration->Export All Passwords and select the Export Option you want and click on Export,

As long as you have console access to your Passwordstate server, and have the webserver and database installed on the same server, you can access your credentials via one of the 2 options outlined above.

If you’d like to share your feedback please send it through to