• Created by Unknown User (anastasia.antonenko), last modified on Dec 26, 2023

In an emergency, if the Indeed Identity PAM components fail, you can dump the privileged account passwords from the Indeed Identity PAM database.

Location of dump utility indeed-pam-windows\MISC\Dump\Pam.Tools.Dump.exe

At first, Open the utility config file indeed-pam-windows\MISC\Dump\appsettings.json and specify the access parameters for the Core database:

Database section

  • Database — DBMS provider
    • mssql Microsoft SQL Server
    • pgsql PostgreSQL, PostgreSQL Pro

  • ConnectionStrings


  • Data Source the name of the DBMS server or named instance
  • Initial Catalog — database name
  • User ID database connection account
  • Password — account's password
  "ConnectionString": "Data Source=sql.domain.local; Initial Catalog=IPAMCore; Integrated Security=False; User ID=IPAMSQLService; Password=password"

If using a Named Instance of Microsoft SQL Server, the value of the Server parameter must be specified in the Server Name\\Named instance format.

"PamCore": "Data Source=sql\\instance; ..."
  • Host — the name of the DBMS server or named instance
  • Database database name
  • Username database connection account

  • Password — account's password

  • Other options available, see the Npgsql connection string documentation
  "ConnectionString": "Host=sql.domain.local; Database=IPAMCore; Integrated Security=False; Username=IPAMSQLService; Password=password"

Encryption section

  • AlgorithmCore database encryption algorithm
  • KeyCore database encryption key

The utility can be executed with the following arguments:

  • decrypt-ssh-key — decrypting encrypted exported ssh key of the account
  • decrypt-password — decrypting encrypted exported password of the account
  • decrypt-secrets — decrypting credentials of accounts from specified or choosen folder
  • ssh-key — dumping the SSH key of the account, you must specify the account, for example:
    Pam.Tools.Dump.exe ssh-key --name res2\administrator
  • password — dumping the password of a privileged account, you must specify an account, for example:
    Pam.Tools.Dump.exe password --name res2\administrator
  • all-secrets — dumping all credentials to the .\Results folder, or to the specified one. Passwords will be dumped to accounts.csv file, keys will be dumped to sshKeys folder in separate files. Example command:
    Pam.Tools.Dump.exe all-secrets --output c:\temp
  • help — displaying more information of a specific command
  • version — displaying version information


  • No labels