User Guide
Advanced Login for Windows
Copyright 1998-2009 Quest Software and/or its Licensors ALL RIGHTS RESERVED.
This publication contains proprietary information protected by copyright. The software described in this publication is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical or otherwise without the prior written permission of the publisher.
DISCLAIMER
The information in this publication is provided in connection with Quest branded products from Evidian. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE AGREEMENT FOR THIS PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO THIS PRODUCT, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN IF EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Evidian and Quest make no representations or warranties with respect to the accuracy or completeness of the contents of this publication and reserve the right to make changes to specifications and product descriptions at any time without notice. Evidian and Quest do not make any commitment to update the information contained in this publication. The information and specifications in this publication are subject to change without notice.
Trademarks
Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, InTrust, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, Stat!, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster, SSOWatch, WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks mentioned in this document are the property of their respective owners.
World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656. Website: www.quest.com. Please refer to our website for regional and international office information.
Quest Enterprise SSO, updated January 2010, software version 8.0.3
CONTENTS
About This Guide 3
Access Management 3
Conventions 4
1. Overview 5
1.1 Advanced Login Usage 5
1.2 Operating Modes 5
3.7 Managing Primary Accounts on Your Smart Card 48
3.8 Logging on as an Administrator on a User Session ("Administrator Grace Period") 49
Conventions
In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.
ELEMENT: CONVENTION
Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bolded text: Interface elements that appear in Quest products, such as menus and commands.
Italic text: Used for comments.
Bold Italic text: Introduces a series of procedures.
Blue text: Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.
Note icon: Used to highlight additional information pertinent to the process being described.
Best Practice icon: Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
Caution icon: Used to highlight processes that should be performed with care.
+ : A plus sign between two keystrokes means that you must press them at the same time.
| : A pipe sign between elements means that you must select the elements in that particular sequence.
1. Overview
Enterprise SSO Advanced Login is the authentication module of the Enterprise SSO (E-SSO) suite. It enables speedy implementation of connection procedures using authentication mechanisms with physical tokens (smart cards, USB keys, RFID badges) and biometrics, in addition to the standard authentication methods of login/password.
To log on to Windows, you can:
Press Ctrl+Alt+Del to connect using your user name/password, as explained in Section 2.2.1, Logging on to Windows using User Name/Password.
Insert your smart card or USB key (if any), as explained in Section 2.2.2, Logging on to Windows with Smart Cards.
Place your finger on the scanner (if any), as explained in Section 2.2.3, Logging on to Windows using your Fingers.
Use your RFID badge (if any), as explained in Section 2.2.4, Logging on to Windows Using Your RFID Badge.
Enterprise SSO Advanced Login respects the Ctrl+Alt+Del key combination that you can configure in Windows.
2. If you have a number of accounts in one or more domains, and/or if none of them is known to the Enterprise SSO services, the following window prompts you to select the account to be used.
The Windows domain definition can be done with the SSOStudio component of SSOWatch: define an application with a Windows application model. For more information on SSOWatch, see Enterprise SSO - SSOWatch Administrator Guide.
3. Select an account and click OK. If the account is unknown, an error message appears, informing you that the system needs to collect your authentication data (login/password), and the data collection window appears.
3. If needed, select the account with which you want to authenticate.
4. Enter the PIN of your smart card and click OK.
You do not need to enter your username and domain name as they are already stored on the card when it is created by an Enterprise SSO administrator.
If your log on password has expired, a new password is requested. The new password will be stored instead of the old one. If you have defined a password-generation policy in SSOWatch, the new password can be randomly generated. In this case, this screen never appears.
5. If there are several Windows accounts corresponding to the primary account, select an account in the role selection window that appears. The Windows session opens.
3. Enter the PIN of your smart card and click OK. As this is the first time you authenticate with this smart card, you are prompted for your log on user name and password (which are stored in the directory). This information will be stored on the smart card and will no longer be requested, unless it is changed through an external procedure (administrator forcing a change, or a change initiated from a workstation not protected by Enterprise SSO Advanced Login).
4. Type the required information and click OK. The account is created on the smart card and the session opens.
If you use several fingerprint readers, just plug in the one reader you want to use and restart the computer.
For more information on supported biometric devices, see Quest Enterprise SSO Release Notes.
If the administrator has configured a validation of your authentication, a second E-SSO user must authenticate him or herself after you. If the Biometric Enrollment tool is not available, modify the SSOWatch installation by selecting the Biometrics Enrollment tool option and restart the computer.
Ensure that the Controller is available to be able to enroll in Store on Server Mode.
2. If it does not start: display the SSOWatch menu by right-clicking the SSOWatch icon in the notification area and clicking Biometric enrollment.
3. Follow the instructions of the Biometric Enrollment tool.
4. When you have successfully completed the scan of your finger(s), log off and try to log on using the fingerprint reader, as described in Section 2.2.3.2, Everyday Log on.
There can only be one set of fingers per biometric reader.
Before Starting
You must have enrolled your biometric data, as described in Section 2.2.3.2, Everyday Log on.
Each time you connect to a new workstation in Store On PC mode, you must enroll your biometric data.
Procedures
STORE ON PC Mode
1. When the Advanced Login welcome screen appears, place your finger on the scanner. The following window appears:
2. Read the instructions displayed in the Fingerprint field.
3. Depending on your configuration, you log on automatically when your finger is successfully captured. If not, just fill in the User field and click OK.
For details on how to enable the automatic validation, see Section A.1, Advanced Login Configuration Parameters.
STORE ON SMART CARD Mode
1. When the Advanced Login welcome screen appears, insert your smart card in the reader. The following window appears:
2. Either enter your PIN, or place your finger on the scanner.
3. If you have entered your PIN, click OK (if your finger is successfully captured, you log on automatically).
STORE ON SERVER Mode
1. When the Advanced Login welcome screen appears, place your finger on the scanner. The following window appears:
2. Read the instructions displayed in the Fingerprint field.
3. Depending on your configuration, you log on automatically when your finger is successfully captured. If you are not logged on automatically, just fill in the User field and click OK.
For details on how to enable the automatic validation, see Section A.1, Advanced Login Configuration Parameters.
4. If the authentication fails, you have to enter your ID to update the local cache.
[Figure: RFID reader zones around the Sensor/Antenna: Unlock Area (unlock range), Visibility Area, Lock Area (lock range).]
3. Enter your login and password to associate them with your RFID badge and click OK. If you are authenticated, the session opens.
You can have as many RFID badges as you want, which enables you to lend them to other people. You can delete the badge enrollment by blacklisting it in the Administration Console. E-SSO policy cannot block auto-enrollment.
Procedure
1. Insert your Smart Card in the card reader. Your Smart Card and your RFID badge are detected, and the following window appears:
2. Click the Enroll button to enroll your RFID badge. Your RFID badge is now enrolled.
If several RFID badges are detected in the unlock area, the RFID owner field lists all the detected RFID badges. You can take your badge back before typing in your password.
2. In the RFID owner field, select the wanted RFID badge, type in your password and click OK.
If you have taken your RFID badge back, you have 30 seconds to enter your password and validate.
If you retrieved your RFID badge when opening the session, you must place it back in the unlock area and retrieve it again to close the session.
You can configure how the session closes in the Access Point Profile. If an E-SSO authentication (primary re-authentication, SSOStudio launch, etc.) is necessary, then placing the RFID badge in the unlock area will not lock the PC. If you have a contact chip badge, you must insert it in the RFID reader.
Example
Active Directory Session Information
Password Authentication
The following illustration is an example of an Enterprise SSO Session Information window that appears when authenticating with a password through Active Directory: the Enterprise SSO and Windows accounts correspond to the same user, and you can change your password.
Smart Card Authentication
The following illustration is an example of an Enterprise SSO Session Information window that appears when authenticating with a smart card through Active Directory: the Enterprise SSO and Windows accounts again correspond to the same user, and you can change your PIN.
Finger Authentication
The following illustration is an example of an Enterprise SSO Session Information window that appears when authenticating with your finger through Active Directory: the Enterprise SSO and Windows accounts correspond to the same user, and the Change your password button is disabled.
LDAP Directories (other than Active Directory) Session Information
Session data when authenticating with any supported LDAP directory except Active Directory. The Enterprise SSO and Windows accounts are different.
Procedure
1. Press Ctrl+Alt+Del. The session information window appears.
2. Click the Shutdown button. The shutdown window appears.
If you have authenticated with an RFID badge, place the RFID badge outside the visibility area (lock area).
Put the computer into a sleep state.
Procedure
To unlock the computer, do one of the following:
Press the Ctrl+Alt+Del keys and log on as described in Section 2.2.1, Logging on to Windows using User Name/Password.
Insert your smart card (if any) and log on as described in Section 2.2.2, Logging on to Windows with Smart Cards.
Place your finger on the scanner (if any) and log on as described in Section 2.2.3, Logging on to Windows using your Fingers.
Place your RFID badge inside the unlock area:
If the grace period is exceeded, log on as described in Section 2.2.4, Logging on to Windows Using Your RFID Badge.
If the grace period is not exceeded, the session is automatically unlocked.
The grace period is set by your administrator.
3. Enter the information required and click OK. To modify the password of another user, type the following information in the User field: <user domain>\<user name> or <user name>@<domain name>. The password is modified in the LDAP directory.
3. Enter the information required and click OK. The smart card PIN is modified.
You cannot use the challenge given by the Help Desk a second time.
When the Wizard terminates, your password is reset and a session opens. You can then use the new password for subsequent logon.
If the password has been reset in disconnected mode, you will be asked to change it again the next time you connect to the network.
Restriction
The reset PIN feature is only available in disconnected mode (set by the administrator).
Before Starting
To be able to reset your PIN, you must have chosen a set of questions (optional) and recorded the associated answers using the E-SSO Emergency Access initialization Wizard (see Appendix Enterprise SSO - Getting Started with SSOWatch).
Procedure
1. In the session opening window, click the SOS button. The Emergency Access wizard appears.
2. Follow the displayed instructions: when the following window appears, call the Help Desk and give it the displayed challenge, so that it can give you back the administrator challenge.
You cannot use the challenge given by the Help Desk a second time.
When the Wizard terminates, your PIN is reset and a session opens. You can then use the new PIN for subsequent logon.
2. This authentication allows E-SSO to verify your identification data. The user Windows session stays open, so your Windows permissions do not apply.
3. Perform your administration tasks on the user workstation: if you run an E-SSO application (Enterprise SSO Studio, etc.), the authentication is done using your administrator smart card.
4. When you are finished with the user's workstation, withdraw your smart card. The user session appears as it was before the smart card removal. The user is prompted to insert his smart card and provide his PIN code to turn the SSOWatch engine back to the unlocked mode.
The initial authentication screen shows several tiles corresponding to the logon methods (credential providers) that are allowed and installed on the workstation, and to the users logged on to the workstation. On Windows Vista, several users can be logged on to a workstation at the same time, but only one session can be active on the workstation. Advanced Login provides the following authentication methods on Windows Vista systems:
User name/password authentication (two middle tiles in the example screen): Several users can be logged on to the workstation at the same time. The screen shows one tile for each logged-on user or, if no user is logged on, one tile with the name of the last logged-on user. The "Other User" tile allows another user to open a session. See Section 3.2.1, Authenticating on Windows Vista Using User Name/Password.
Smart card authentication (first tile in the example screen): The initial authentication screen shows as many tiles as accounts stored on the smart card. See Section 3.2.2, Authenticating on Windows Vista Using Smart Cards.
Biometric authentication (last tile in the example screen): See Section 3.2.3, Logging on to Windows using your Fingers.
3. Click the validation button. The Windows session opens.
3. Enter the PIN of your smart card. You do not need to enter your username and domain name as they are already stored on the card when it is created by an Enterprise SSO administrator.
If your log on password has expired, a new password is requested. The new password will be stored instead of the old one.
4. If there are several Windows accounts corresponding to the primary account, select an account in the role selection window that appears. The Windows session opens.
3. Click the "Not assigned" smart card tile. The authentication screen appears.
4. As this is the first time you authenticate with this smart card, you are prompted for your log on user name and password (which are stored in the directory). This information will be stored on the smart card and will no longer be requested, unless it is changed through an external procedure (administrator forcing a change, or a change initiated from a workstation not protected by Enterprise SSO Advanced Login).
5. Type the required information and click OK. The account is created on the smart card and the session opens.
Procedure
1. Press Ctrl+Alt+Del. The initial authentication screen appears.
2. Insert your smart card in the smart card reader. The tile corresponding to the last primary account used to log on to the workstation is selected.
3. Enter the PIN of your smart card.
4. Select the Create a new account check box and click the validation button. The Windows Account Entry window appears.
5. Type the required information and click OK. The account is created on the smart card and the Windows session opens.
3. Select the Update User Cache check box and click OK.
If you use several fingerprint readers, just plug in the one reader you want to use and restart the computer.
For more information on supported biometric devices, see Quest Enterprise SSO Release Notes.
If the administrator has configured a validation of your authentication, a second E-SSO user must authenticate him or herself after you. If the Biometric Enrollment tool is not available, modify the SSOWatch installation by selecting the Biometrics Enrollment tool option and restart the computer.
Ensure that the Controller is available to be able to enroll in Store on Server Mode.
Procedure
1. Log on using your password, as described in Section 3.2.1, Authenticating on Windows Vista Using User Name/Password. The Enterprise SSO Biometric Enrollment tool starts after a successful authentication.
2. If it does not start: display the SSOWatch menu by right-clicking the SSOWatch icon in the notification area and clicking Biometric Enrollment.
3. Follow the instructions of the Biometric Enrollment tool.
4. When you have successfully completed the scan of your finger(s), log off and try to log on using the fingerprint reader, as described in Section 3.2.3.2, Everyday Log on.
There can only be one set of fingers per biometric reader.
Before Starting
You must have enrolled your biometric data, as described in Section 3.2.3.2, Everyday Log on.
Each time you connect to a new workstation in Store on PC mode, you must enroll your biometric data.
Procedures
STORE ON PC Mode
1. When the Advanced Login welcome screen appears, place your finger on the scanner. The following tile appears:
Depending on your configuration, you log on automatically when your finger is successfully captured. If not, the following window appears:
2. Click the button to validate.
For details on how to enable the automatic validation, see Section A.1, Advanced Login Configuration Parameters.
STORE ON SERVER Mode
1. When the Advanced Login welcome screen appears, place your finger on the scanner. The following tile appears:
Depending on your configuration, you log on automatically when your finger is successfully captured. If not, the following window appears:
2. Click the button to validate.
If the authentication fails, you have to check your ID. If it is not the right one, enter the correct ID. For details on how to enable the automatic validation, see Section A.1, Advanced Login Configuration Parameters.
Procedure
1. After choosing the tile, click I want to modify login options. The Login Options window appears.
2. Select the Update User Cache check box and click OK.
Put the computer into a sleep state.
The workstation enters the locked state and the "Ctrl+Alt+Del" screen appears.
Procedure
Logging on a Workstation Locked by Someone Else
1. To log on to a workstation locked by someone else, press Ctrl+Alt+Del. The authentication screen corresponding to the authentication method used by the other user to lock his/her session appears.
2. Click the Other Credentials button.
3. Click the Switch User button. The initial authentication screen appears.
4. Log on to the workstation as explained in Section 3.2, Logging on to Windows Vista.
Procedure
1. Open your session as explained in Section 3.2.1, Authenticating on Windows Vista Using User Name/Password and press Ctrl+Alt+Del.
2. Click the Change a Password option. The change password screen appears.
If the change password option has been disabled by your administrator, clicking on Change a Password will have no effect.
The following example screen shows a change password screen for a user authenticated with a smart card.
3. Enter the required information and click OK. The password is modified on your smart card (if you have logged on with a smart card) and in the LDAP directory.
3. Enter the required information and click OK. The smart card PIN is modified.
The Reset password wizard appears.
2. Follow the displayed instructions. If the following window appears, call the Help Desk before the end of the two minutes during which the Exchange with help desk window stays open. Give them the displayed challenge, so that they can give you back the administrator challenge. You cannot use the challenge given by the Help Desk a second time.
The need to call the Help Desk to reset your password depends on the configuration set by your administrator in the Enterprise SSO Console.
When the Wizard terminates, your password is reset and a session opens. You can then use the new password for subsequent logon. If the password has been reset in disconnected mode, you will be asked to change it again the next time you connect to the network.
Restriction
The reset PIN feature is only available in disconnected mode (set by the administrator).
Before Starting
To be able to reset your PIN, you must have chosen a set of questions (optional) and recorded the associated answers using the E-SSO Emergency Access initialization Wizard (see Enterprise SSO - Getting Started with SSOWatch).
Procedure
1. In the authentication screen, click I have forgotten my PIN.
If the I have forgotten my PIN option does not appear on the screen, your administrator has disabled it (see Section A.1, Advanced Login Configuration Parameters for more details).
The Reset PIN wizard appears.
2. Follow the displayed instructions: when the following window appears, call the Help Desk before the end of the 2 minutes during which the Exchange with help desk window stays open. Give them the displayed challenge, so that they can give you back the administrator challenge.
You cannot use the challenge given by the Help Desk a second time.
When the Wizard terminates, your PIN is reset and a session opens. You can then use the new PIN for subsequent logon.
You can delete all the accounts stored on the smart card, even the one you used to log on. In this case, after the account deletion, the session stays open. Do not lock it because you won't be able to unlock it.
Procedure
1. Open your session as explained in Section 3.2.2, Authenticating on Windows Vista Using Smart Cards.
2. In the Notification area, right-click the icon and select Manage Primary Accounts. The account management window appears and lists the accounts stored on the smart card.
If you delete the account that you have used to log on, the session will stay open: do not lock it because you won't be able to unlock it. We recommend that you log off the session after the account deletion.
3. Select the account you want to add or remove and click the Add or Remove button.
4. Follow the displayed instructions and click OK. The account is created or removed on the smart card.
2. This authentication enables E-SSO to check your identification data. The user Windows session stays open, so your Windows permissions do not apply.
3. Perform your administration tasks on the user workstation: if you run an E-SSO application (Enterprise SSO Studio, etc.), the authentication is done using your administrator smart card.
4. When you have finished with the user's workstation, withdraw your smart card. The user session appears as it was before the smart card removal. The user is prompted to insert his smart card and provide his PIN to switch the SSOWatch engine back to the unlocked mode.
The following table lists and describes the Advanced Login parameters in the computer registry that can be used in standalone mode.
VALUE: DESCRIPTION
LockTimer: Timeout (in seconds) before locking the computer. This does not end the session.
ActionWhenTokenRemoved: Default automatic action if the token is removed: 0: not configured (=lock). 1: lock the computer. 2: log off. 3: do nothing.
AutoValidationTimer: Timeout (in seconds) before the automatic validation of the default action defined in ActionWhenTokenRemoved.
WorkStationAccount, RandomNPGP: Only used with any supported LDAP directory except Active Directory. In this type of architecture, Enterprise SSO stores users' SSO data in an LDAP directory other than Active Directory, but the users' accounts are stored in Active Directory and are managed by Enterprise SSO as secondary accounts. By default, the Windows password must be changed manually. 0: manual change of Windows password. 1: automatic change of Windows password.
BioAutoValidate: Store on PC mode only: enable/disable the automatic validation upon fingerprint authentication: 0: disabled. 1: enabled.
ResetPassword:
ByPassWGAuthForLocalAdmin: Enables users who are members of the local "administrators" group (directly or via group membership) to bypass the Advanced Login authentication, even if they cannot create the Enterprise SSO keys/objects: 0: disabled. Non-null value: enabled.
ManageUserExclusion: Windows Vista only. Enable or disable SSO for excluded users. 0: At user authentication, Advanced Login opens a session and uses the supplied credentials to start SSOEngine. 1: At user authentication, Advanced Login first tries to authenticate with the given credentials against the E-SSO directory. If the user belongs to an exclusion group, the Windows session is opened, but no SSO will be available for that session. If the user does not belong to any exclusion group, opening the Windows session depends on the success of the E-SSO authentication.
BiometricFAR: False Acceptance Rate (FAR). Modify this value depending on your tolerance limits. Default value: 20000 (meaning that the probability that a wrong fingerprint passes is 1/20000).
BiometricMaxEnrolledUsers: Maximum number of users that can be enrolled on the workstation (Store on PC mode). Default value: 20. If the maximum number is exceeded, the oldest enrolled user is deleted.
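The following PowerShell script is an added example, not Quest's own tooling: it reads the standalone-mode values listed above and reports the settings that loosen the token-removal, administrator-bypass and fingerprint-matching protections. The registry key path is a placeholder (the guide does not give it), and the LockTimer limit is a locally chosen policy value, not one from the guide.

```powershell
# Added example, not part of the Quest documentation: audit the Advanced Login
# standalone-mode registry values described in the table above.
# ASSUMPTION: the guide does not give the key path; replace this placeholder
# with the real location on an installed workstation.
$AdvancedLoginKey = 'HKLM:\SOFTWARE\PLACEHOLDER_VENDOR\AdvancedLogin'

# Read one value; $null means the value (or the whole key) is absent, so the default applies.
function Get-AdvancedLoginValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-AdvancedLoginConfig {
    param(
        [string]$Key = $AdvancedLoginKey,
        # Local policy choice (assumption, not from the guide): longest acceptable LockTimer.
        [int]$MaxLockTimerSeconds = 300
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Name, $Value, $Severity, $Note) {
        $findings.Add([pscustomobject]@{ Name = $Name; Value = $Value; Severity = $Severity; Note = $Note })
    }

    # ActionWhenTokenRemoved: 0 = not configured (=lock), 1 = lock, 2 = log off, 3 = do nothing.
    $actionLabel = @{ 0 = 'not configured (=lock)'; 1 = 'lock the computer'; 2 = 'log off'; 3 = 'do nothing' }
    $action = Get-AdvancedLoginValue -Key $Key -Name 'ActionWhenTokenRemoved'
    if ($null -eq $action) { $action = 0 }
    if ([int]$action -eq 3) {
        Add-Finding 'ActionWhenTokenRemoved' $action 'High' 'Removing the smart card or USB key leaves the session open; use 1 (lock) or 2 (log off).'
    } else {
        $label = $actionLabel[[int]$action]
        if (-not $label) { $label = "unknown code $action" }
        Add-Finding 'ActionWhenTokenRemoved' $action 'Info' "Token removal action: $label"
    }

    # LockTimer: seconds before the computer locks; a long delay widens the unattended window.
    $lockTimer = Get-AdvancedLoginValue -Key $Key -Name 'LockTimer'
    if ($null -ne $lockTimer -and [int]$lockTimer -gt $MaxLockTimerSeconds) {
        Add-Finding 'LockTimer' $lockTimer 'Medium' "Computer locks only after $lockTimer s, above the local limit of $MaxLockTimerSeconds s."
    }

    # ByPassWGAuthForLocalAdmin: any non-null value lets local Administrators skip Advanced Login.
    $bypass = Get-AdvancedLoginValue -Key $Key -Name 'ByPassWGAuthForLocalAdmin'
    if ($null -ne $bypass -and [int]$bypass -ne 0) {
        Add-Finding 'ByPassWGAuthForLocalAdmin' $bypass 'High' 'Members of the local Administrators group can bypass Advanced Login authentication.'
    }

    # BiometricFAR: default 20000 means a false accept probability of 1/20000; lower is looser.
    $far = Get-AdvancedLoginValue -Key $Key -Name 'BiometricFAR'
    if ($null -ne $far -and [int]$far -lt 20000) {
        Add-Finding 'BiometricFAR' $far 'Medium' "False accept probability is 1/$far, looser than the default 1/20000."
    }

    # ManageUserExclusion (Vista): 0 opens the Windows session before any E-SSO directory check.
    $exclusion = Get-AdvancedLoginValue -Key $Key -Name 'ManageUserExclusion'
    if ($null -ne $exclusion -and [int]$exclusion -eq 0) {
        Add-Finding 'ManageUserExclusion' $exclusion 'Info' 'Windows session opens without first authenticating against the E-SSO directory.'
    }

    # BioAutoValidate (Store on PC): 1 means a matched fingerprint alone opens the session.
    $auto = Get-AdvancedLoginValue -Key $Key -Name 'BioAutoValidate'
    if ($null -ne $auto -and [int]$auto -eq 1) {
        Add-Finding 'BioAutoValidate' $auto 'Info' 'Store on PC mode: fingerprint capture logs the user on without an OK click.'
    }

    return $findings.ToArray()
}

Test-AdvancedLoginConfig | Format-Table -AutoSize
```

Run it from an elevated prompt on a workstation where the key path has been corrected; an empty result with only the Info row for ActionWhenTokenRemoved means none of the audited values weaken the defaults.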
Web site
Please refer to our Web site for regional and international office information.
View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com.