
Enterprise Single Sign-On 8.0.3
User Guide
Advanced Login for Windows

Copyright 1998-2009 Quest Software and/or its Licensors ALL RIGHTS RESERVED.
This publication contains proprietary information protected by copyright. The software described in this publication is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical or otherwise without the prior written permission of the publisher.

DISCLAIMER
The information in this publication is provided in connection with Quest branded products from Evidian. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE AGREEMENT FOR THIS PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO THIS PRODUCT, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN IF EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Evidian and Quest make no representations or warranties with respect to the accuracy or completeness of the contents of this publication and reserve the right to make changes to specifications and product descriptions at any time without notice. Evidian and Quest do not make any commitment to update the information contained in this publication. The information and specifications in this publication are subject to change without notice.

Trademarks
Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, InTrust, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, Stat!, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster, SSOWatch, WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks mentioned in this document are the property of their respective owners.

World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656. Website: www.quest.com. Please refer to our website for regional and international office information.

Quest Enterprise SSO, updated January 2010, software version 8.0.3

CONTENTS

About This Guide .... 3
  Access Management .... 3
  Conventions .... 4

1. Overview .... 5
  1.1 Advanced Login Usage .... 5
  1.2 Operating Modes .... 5

2. Using Advanced Login on Windows 2000/XP Systems .... 6
  2.1 Welcome Screen .... 6
  2.2 Logging on to Windows .... 7
    2.2.1 Logging on to Windows using User Name/Password .... 7
    2.2.2 Logging on to Windows with Smart Cards .... 9
    2.2.3 Logging on to Windows using your Fingers .... 11
    2.2.4 Logging on to Windows Using Your RFID Badge .... 15
    2.2.5 Forcing Cache Update at Logon .... 19
  2.3 Displaying Session Information .... 19
  2.4 Shutting Down the Workstation .... 22
  2.5 Locking/Unlocking the Workstation .... 23
    2.5.1 Locking the Computer .... 23
    2.5.2 Unlocking the Computer .... 24
  2.6 Modifying Password or PIN .... 24
    2.6.1 Modifying Password .... 25
    2.6.2 Modifying your PIN .... 26
  2.7 Using the Emergency Access (SOS) .... 26
    2.7.1 Resetting Your Password .... 27
    2.7.2 Resetting Your PIN .... 28
  2.8 Logging on as an Administrator on a User Session ("Administrator Grace Period") .... 29

3. Using Advanced Login on Windows Vista Systems .... 30
  3.1 The Initial Authentication Screen .... 30
  3.2 Logging on to Windows Vista .... 31
    3.2.1 Authenticating on Windows Vista Using User Name/Password .... 31
    3.2.2 Authenticating on Windows Vista Using Smart Cards .... 32
    3.2.3 Logging on to Windows using your Fingers .... 37
  3.3 Locking/Unlocking the Session .... 41
    3.3.1 Locking the Session .... 41
    3.3.2 Unlocking the Session .... 42
  3.4 Switching Users .... 43
  3.5 Modifying your Password or PIN .... 43
    3.5.1 Modifying your Password .... 43
    3.5.2 Modifying your PIN .... 45
  3.6 Using the Emergency Access .... 45
    3.6.1 Resetting Your Password .... 46
    3.6.2 Resetting Your PIN .... 47
  3.7 Managing Primary Accounts on Your Smart Card .... 48
  3.8 Logging on as an Administrator on a User Session ("Administrator Grace Period") .... 49

A. Advanced Login and Biometrics Configuration .... 50
  A.1 Advanced Login Configuration Parameters .... 50
  A.2 Biometrics Configuration Parameters .... 52
  A.3 Modifying the Authentication Screen Icons (Windows Vista only) .... 52

About Quest Software, Inc. .... 53
  Contacting Quest Software .... 53
  Contacting Quest Support .... 53


User Guide

About This Guide

Access Management

Subject
This guide explains how to use Enterprise SSO Advanced Login for Windows.

Intended Reader
Advanced Login end-users. Advanced Login Administrators.

Software/Hardware Required
Quest Enterprise SSO Advanced Login 8.0 evolution 3 and later versions. For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to Quest Enterprise SSO Release Notes.

Supported Operating Systems
Quest Enterprise SSO Advanced Login runs on the following systems: Windows. Linux.

Quest Enterprise SSO 8.0.3 Advanced Login for Windows

Conventions
In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

ELEMENT: CONVENTION
- Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
- Bolded text: Interface elements that appear in Quest products, such as menus and commands.
- Italic text: Used for comments.
- Bold Italic text: Introduces a series of procedures.
- Blue text: Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.
- (icon): Used to highlight additional information pertinent to the process being described.
- (icon): Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
- (icon): Used to highlight processes that should be performed with care.
- +: A plus sign between two keystrokes means that you must press them at the same time.
- |: A pipe sign between elements means that you must select the elements in that particular sequence.


1. Overview
Enterprise SSO Advanced Login is the authentication module of the Enterprise SSO (E-SSO) suite. It enables speedy implementation of connection procedures using authentication mechanisms with physical tokens (smart cards, USB keys, RFID badges) and biometrics, in addition to the standard authentication methods of login/password.

1.1 Advanced Login Usage

Enterprise SSO Advanced Login is used to implement strong authentication in the following scenarios of use:
- Authentication with smart cards or USB keys with Windows workstations, without any need to deploy a PKI compatible with Windows Active Directory certificates.
- Authentication using non-Windows methods, such as biometrics.
- Authentication of users through an enterprise directory, which is not part of the Windows network.
- Authentication with RFID badges.

1.2 Operating Modes

Enterprise SSO Advanced Login can be configured in one of the following modes:
- Client/server mode: users are directly authenticated in Enterprise SSO Console, the advanced access control module.
- Standalone mode: users are directly authenticated in Active Directory or in any other supported LDAP directories.


2. Using Advanced Login on Windows 2000/XP Systems


This section describes the E-SSO authentication with Advanced Login on Windows 2000 or Windows XP systems.

2.1 Welcome Screen


The Enterprise SSO Advanced Login welcome screen is displayed at workstation startup. It shows the log on methods which are allowed and installed on the workstation.

To log on to Windows, you can:
- Press Ctrl+Alt+Del to connect using your user name/password, as explained in Section 2.2.1, Logging on to Windows using User Name/Password.
- Insert your smart card or USB key (if any), as explained in Section 2.2.2, Logging on to Windows with Smart Cards.
- Place your finger on the scanner (if any), as explained in Section 2.2.3, Logging on to Windows using your Fingers.
- Use your RFID badge (if any), as explained in Section 2.2.4, Logging on to Windows Using Your RFID Badge.
Enterprise SSO Advanced Login respects the Ctrl+Alt+Del key combination that you can configure in Windows.

2.2 Logging on to Windows


2.2.1 Logging on to Windows using User Name/Password
Subject
This section explains how to connect to Windows with your user name and password through Active Directory or any other supported directories.

Procedure
1. In the Welcome window, press Ctrl+Alt+Del. The authentication window appears.
If an RFID badge or a smart card is detected by the workstation, the RFID or smart card authentication window appears by default. In this case, press the Esc (Escape) key to open the login/password authentication window.

2. Enter the following information and click OK.
   - User: type your user name.
   - Password: type your password.
   - Connected to: select your domain (Active Directory), or Root (any other directory) or local session. If you open a local session, you will not be protected by the advanced features of Enterprise SSO.

If you have a number of accounts in one or more domains, and/or if none of them is known to the Enterprise SSO services, the following window prompts you to select the account to be used.


The Windows domain definition can be done with the SSOStudio component of SSOWatch: define an application with a Windows application model. For more information on SSOWatch, see Enterprise SSO - SSOWatch Administrator Guide.

3. Select an account and click OK. If the account is unknown, an error message appears, informing you that the system needs to collect your authentication data (login/password) and the data collection window appears.


2.2.2 Logging on to Windows with Smart Cards


2.2.2.1 Logging on With a Smart Card Containing Account Data
Subject
If your account data is enrolled on the smart card, you can log on to your Windows session as explained in the following procedure.

Procedure
1. Press Ctrl+Alt+Del. The authentication window appears.
2. Insert your smart card in the smart card reader. If your card can store several accounts, the User field lists all the primary accounts stored on the smart card. If there is only one primary account on the card, this primary account is selected.

3. If needed, select the account with which you want to authenticate.
4. Enter the PIN of your smart card and click OK.
   You do not need to enter your user name and domain name as they are already stored on the card when it is created by an Enterprise SSO administrator.
   If your log on password has expired, a new password is requested. The new password will be stored instead of the old one. If you have defined a password-generation policy in SSOWatch, the new password can be randomly generated. In this case, this screen never appears.
5. If there are several Windows accounts corresponding to the primary account, select an account in the role selection window that appears. The Windows session opens.


2.2.2.2 Logging on Using a Blank Smart Card


Subject
The first time you use a multi-account smart card to log on to your workstation, your account data is not yet stored on the smart card. The following procedure explains how to enroll your own account on a smart card. The following procedure only applies to smart cards that can handle self-enrolment and multi-accounts.

Procedure
1. Press Ctrl+Alt+Del. The authentication window appears.
2. Insert your smart card in the smart card reader. As your account is not stored on the smart card yet (first smart card authentication), the User field displays "Smartcard empty: enroll an account".

3. Enter the PIN of your smart card and click OK. As this is the first time you authenticate with this smart card, you are prompted for your log on user name and password (which are stored in the directory). This information will be stored on the smart card and will no longer be requested, unless it is changed through an external procedure (administrator forcing a change, or a change initiated from a workstation not protected by Enterprise SSO Advanced Login).


4. Type the required information and click OK. The account is created on the smart card and the session opens.

2.2.3 Logging on to Windows using your Fingers


Advanced Login can work in three modes to authenticate users using their biometric data:
- STORE ON PC Mode: In this mode, the biometric data is stored on the PC in the Enterprise SSO cache file. The finger replaces the ID/Password. You must enroll yourself on each PC that you connect to.
- STORE ON SMART CARD Mode: In this mode, the biometric data is stored on a smart card. The finger replaces the PIN.
- STORE ON SERVER Mode: In this mode, the biometric data is stored on a server. The finger replaces the ID/Password.


2.2.3.1 First Log on


Subject
To be able to log on to Windows using your finger, you must first enroll your biometric data.

Before Starting
- Make sure the Enterprise SSO finger module is installed on the workstation.
- A finger reader must be installed on the workstation. The workstation can support only one reader. We strongly recommend that you download the latest drivers and licence of your product, and the licence for the installation. If you use several finger readers, just plug in the one reader you want to use and restart the computer. For more information on supported biometric devices, see Quest Enterprise SSO Release Notes.
- If the administrator has configured a validation of your authentication, a second E-SSO user must authenticate him or herself after you.
- If the Biometric Enrollment tool is not available, modify the SSOWatch installation by selecting the Biometrics Enrollment tool option and restart the computer.
- Ensure that the Controller is available to be able to enroll in Store on Server mode.

Procedure
1. Depending on your biometric authentication mode, do one of the following:
   - Store on PC: log on using your password, as described in Section 2.2.1, Logging on to Windows using User Name/Password.
   - Store on Server: log on using your finger, as described in Section 2.2.3, Logging on to Windows using your Fingers.
   The Enterprise SSO Biometrics Enrollment tool starts after a successful authentication.
2. If it does not start: display the SSOWatch menu by right-clicking the SSOWatch icon in the notification area and clicking Biometric enrollment.
3. Follow the instructions of the Biometric Enrollment tool.
4. When you have successfully completed the scan of your finger(s), log off and try to log on using the fingerprint reader, as described in Section 2.2.3.2, Everyday Log on.
   There can only be one set of fingers per biometric reader.


2.2.3.2 Everyday Log on


Subject
This section describes how to log on to Windows using your finger. Depending on your biometric authentication mode (STORE ON PC, STORE ON SMART CARD or STORE ON SERVER), the procedure is slightly different.

Before Starting
You must have enrolled your biometric data, as described in Section 2.2.3.2, Everyday Log on.
Each time you connect yourself to a new workstation in Store On PC mode, you must enroll your biometric data.

Procedures

STORE ON PC Mode
1. When the Advanced Login welcome screen appears, place your finger on the scanner. The following window appears:
2. Read the instructions displayed in the Fingerprint field.
3. Depending on your configuration, you log on automatically when your finger is successfully captured. If not, just fill in the User field and click OK.
   For details on how to enable the automatic validation, see Section A.1, Advanced Login Configuration Parameters.


STORE ON SMART CARD Mode
1. When the Advanced Login welcome screen appears, insert your smart card in the reader. The following window appears:
2. Either enter your PIN, or place your finger on the scanner.
3. If you have entered your PIN, click OK (if your finger is successfully captured, you log on automatically).

STORE ON SERVER Mode
1. When the Advanced Login welcome screen appears, place your finger on the scanner. The following window appears:


2. Read the instructions displayed in the Fingerprint field. Depending on your configuration, you log on automatically when your finger is successfully captured. If you are not logged on automatically, just fill in the User field and click OK.
   For details on how to enable the automatic validation, see Section A.1, Advanced Login Configuration Parameters.

3.

4.

If the authentication fails, you have to enter your ID to update the local cache.

2.2.4 Logging on to Windows Using Your RFID Badge


Subject
This section explains how to authenticate with an RFID badge. The following figure illustrates how Enterprise SSO acts depending on the areas in which it detects the RFID badge.

[Figure: RFID badge detection areas around the Sensor/Antenna. Unlock Area (unlock range): able to open/unlock, session kept alive. Visibility Area: session kept alive. Lock Area (lock range, beyond the visibility area): session locked/closed.]


2.2.4.1 First Log on


Before Starting
An RFID reader must be installed on the workstation.

Procedure
1. Place the RFID badge in the unlock area so that Enterprise SSO detects it. The Advanced Login window appears and tells you that your RFID badge is not assigned.
2. Click OK to validate it. The Enroll an Account window appears.


3. Enter your login and password to associate them with your RFID badge and click OK. If you are authenticated, the session opens.
   You can have as many RFID badges as you want; this enables you to lend them to other people. You can delete the badge enrollment by blacklisting it in the Administration Console. E-SSO policy cannot block auto-enrollment.

2.2.4.2 First Log on with a Smart Card


Before Starting
- E-SSO Advanced Login must be installed on the workstation.
- An RFID and a Smart Card reader must be installed on the workstation.
- You must have both RFID badge and Smart Card to log on. If no RFID badge is detected, the RFID badge enrolment will not be suggested the next time you open your Windows session.

Procedure
1. Insert your Smart Card in the Card reader. Your Smart Card and your RFID badge are detected, and the following window appears:
2. Click the Enroll button to enroll your RFID badge. Your RFID badge is now enrolled.


2.2.4.3 Everyday Log on


Procedure
1. Place the RFID badge in the unlock area so that Enterprise SSO detects it. The authentication window appears.
   If several RFID badges are detected in the unlock area, the RFID owner field lists all the detected RFID badges. You can take your badge back before typing in your password.
2. In the RFID owner field, select the wanted RFID badge, type in your password and click OK.
   If you have taken your RFID badge back, you have 30 seconds to enter your password and validate.

Your session opens.

2.2.4.4 Logging on through Citrix/TSE


If you want to log on through Citrix/TSE, you must press the SHIFT key when placing your RFID badge in the unlock area.

2.2.4.5 Logging out


There are two possibilities for logging out:
- If you have left your RFID badge in the unlock area, retrieve it and the session closes.
  Not relevant for HID Prox 125kHz badges.
- If you retrieved your RFID badge when opening the session, you must place it back in the unlock area and retrieve it again to close the session.

You can configure how the session closes in the Access Point Profile. If an E-SSO authentication (primary reauthentication, SSOStudio launch, etc.) is necessary, then placing the RFID badge in the unlock area will not lock the PC. If you have a contact chip badge, you must insert it in the RFID reader.

2.2.5 Forcing Cache Update at Logon


Subject
By default, the authentication is done on the existing cache. The following procedure explains how to force the authentication to be done in the target directory and so to update the authentication data in the cache.

Procedure
1. In the authentication window (whatever the authentication token used), provide your authentication information.
2. Select the Do not use user cache check box and click OK. The authentication is done in the directory and the cache is updated.

2.3 Displaying Session Information


Subject
You can display your session information at any time as explained in the following procedure.

Procedure
Press Ctrl+Alt+Del. The session information window appears, as illustrated in the following example windows. The main session pieces of data are:
- The authenticated Enterprise SSO user.
- The Windows user account used.
- The date and time the Enterprise SSO session is opened.


Example: Active Directory Session Information

Password Authentication
The following illustration is an example of an Enterprise SSO Session Information window that appears when authenticating with a password through Active Directory: the Enterprise SSO and Windows accounts correspond to the same user, and you can change your password.

Smart Card Authentication
The following illustration is an example of an Enterprise SSO Session Information window that appears when authenticating with a smart card through Active Directory: the Enterprise SSO and Windows accounts again correspond to the same user, and you can change your PIN.


Finger Authentication
The following illustration is an example of an Enterprise SSO Session Information window that appears when authenticating with your finger through Active Directory: the Enterprise SSO and Windows accounts correspond to the same user, and the Change your password button is disabled.

Example: LDAP Directories (other than Active Directory) Session Information
The following illustration shows the session data when authenticating with any supported LDAP directory except Active Directory. The Enterprise SSO and Windows accounts are different.


2.4 Shutting Down the Workstation


Subject
The Advanced Login shutdown functionality is the same as with classical Windows sessions. It allows you to:
- Close the session.
- Shut down the workstation.
- Reboot the workstation.
- Put the workstation into a sleep state.
- Put the workstation into a hibernate state (if activated in the system parameters).

Procedure
1. Press Ctrl+Alt+Del. The session information window appears.
2. Click the Shutdown button. The shutdown window appears.


2.5 Locking/Unlocking the Workstation


2.5.1 Locking the Computer
Subject
The Lock state enables you to prevent anybody from using the workstation in your absence. This section describes the possible means to lock a computer.

Procedure
To lock the computer, do one of the following:
- Press Ctrl+Alt+Del keys and click the Lock computer button.
- If you have authenticated with a smart card, remove the smart card from the reader (or a USB key from its port) and do not take any action for 10 seconds.
  The administrator can modify the default workstation behavior when a token is removed, from the Enterprise SSO Console. If the session is not locked at token removal, it means that your administrator has modified this option.
- If you have authenticated with an RFID badge, place the RFID badge outside the visibility area (lock area).
- Put the computer into a sleep state.


2.5.2 Unlocking the Computer


Subject
A computer can only be unlocked by the user who has locked it (unless it is unlocked using the "Fast-user switching" option). To unlock the computer, you must re-authenticate as at session opening. The authentication method does not necessarily need to be the same as for opening the main session. If you have authenticated with an RFID badge and locked the session by placing the RFID badge outside the unlock area, the session is automatically unlocked if you come back with your RFID badge in the unlock area before the grace period (which has been set by your administrator).
A user with administration rights on the workstation can force the closure of a locked administration session.

Procedure
To unlock the computer, do one of the following:
- Press Ctrl+Alt+Del keys and log on as described in Section 2.2.1, Logging on to Windows using User Name/Password.
- Insert your smart card (if any) and log on as described in Section 2.2.2, Logging on to Windows with Smart Cards.
- Place your finger on the scanner (if any) and log on as described in Section 2.2.3, Logging on to Windows using your Fingers.
- Place your RFID badge inside the unlock area:
  - If the grace period is exceeded, log on as described in Section 2.2.4, Logging on to Windows Using Your RFID Badge.
  - If the grace period is not exceeded, the session is automatically unlocked. The grace period is set by your administrator.
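The lock and unlock rules of Sections 2.5.1 and 2.5.2 for an RFID badge (leaving the visibility area locks the session; returning to the unlock area within the grace period unlocks it automatically; returning later requires a full logon) can be checked against a small state model. The following Python is an illustrative example added to this guide, not Quest/Evidian product code; the area names, the observation interface and the 30-second grace period are assumptions, the real value being whatever the administrator sets.

```python
"""Constructed model of the RFID badge lock/unlock behaviour of Sections 2.5.1
and 2.5.2. Illustrative code added to this guide, not Quest/Evidian product
code; event names and the grace period value are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Area(Enum):
    UNLOCK = "unlock"          # badge in unlock range: able to open/unlock
    VISIBILITY = "visibility"  # badge detected, session kept alive
    LOCK = "lock"              # badge outside the visibility area


class State(Enum):
    OPEN = "open"
    LOCKED = "locked"


@dataclass
class RfidSession:
    grace_period_s: float                 # assumed value; set by the administrator
    state: State = State.OPEN
    locked_at: Optional[float] = None     # time of the badge-triggered lock
    log: List[str] = field(default_factory=list)

    def observe(self, area: Area, now: float) -> State:
        """Apply one badge-position observation taken at time `now` (seconds)."""
        if self.state is State.OPEN:
            if area is Area.LOCK:
                # 2.5.1: badge placed outside the visibility area locks the session.
                self.state = State.LOCKED
                self.locked_at = now
                self.log.append(f"{now:g}s: locked, badge left visibility area")
            # UNLOCK or VISIBILITY while open: session kept alive, nothing to do.
            return self.state

        # Locked: only the badge back in the unlock area can unlock automatically.
        if area is Area.UNLOCK:
            assert self.locked_at is not None
            elapsed = now - self.locked_at
            if elapsed <= self.grace_period_s:
                # 2.5.2: back before the grace period expires, unlocked automatically.
                self.state = State.OPEN
                self.locked_at = None
                self.log.append(f"{now:g}s: auto-unlocked after {elapsed:g}s")
            else:
                # Grace period exceeded: a full RFID logon (Section 2.2.4) is required.
                self.log.append(f"{now:g}s: grace period exceeded, log on again")
        return self.state


def run_scenario(events: List[Tuple[float, Area]],
                 grace_period_s: float = 30.0) -> List[State]:
    """Replay (time, area) observations and return the state after each one."""
    session = RfidSession(grace_period_s=grace_period_s)
    return [session.observe(area, t) for t, area in events]


if __name__ == "__main__":
    # Constructed walk-through: the user steps away for 20 s, then for 90 s.
    short_absence = [(0, Area.UNLOCK), (10, Area.LOCK), (30, Area.UNLOCK)]
    long_absence = [(0, Area.UNLOCK), (10, Area.LOCK), (100, Area.UNLOCK)]
    for name, events in (("short", short_absence), ("long", long_absence)):
        print(name, [s.value for s in run_scenario(events)])
```

The model makes one point explicit that the prose leaves implicit: while the session is locked, a badge seen only in the visibility area does nothing, so the automatic unlock requires the badge in the unlock area before the grace period runs out.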

2.6 Modifying Password or PIN


If you are allowed to by your administrator, you can change your password or PIN, as explained in the following procedure. This section also explains how to modify the password of another user.


2.6.1 Modifying Password


Subject
This section explains how to modify your own password or the password of another user (if you are allowed to).

Procedure
1. Open your session as explained in Section 2.2.1, Logging on to Windows using User Name/Password and press Ctrl+Alt+Del.
2. Click the Change a Password button. The change password screen appears.
   If the change password option has been disabled by your administrator, clicking on Change a Password will have no effect.
3. Enter the information required and click OK. To modify the password of another user, type the following information in the User field: <user domain>\<user name> or <user name>@<domain name>. The password is modified in the LDAP directory.
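The User field in step 3 accepts two account forms, the down-level name <user domain>\<user name> and the user principal name <user name>@<domain name>, and a plain name means your own account. The following Python is an illustrative example added to this guide, not Quest/Evidian product code, showing how such a field value can be split and how to tell whether it designates another user's account (the case that is only allowed when your administrator permits it); the function names and the constructed sample values are assumptions.

```python
"""Parsing of the account forms accepted in the User field of the Change a
Password screen (Section 2.6.1). Illustrative code added to this guide, not
Quest/Evidian product code; helper names and sample values are assumptions."""
from typing import NamedTuple


class UserReference(NamedTuple):
    domain: str
    user: str
    form: str   # "down-level" (<domain>\<user>), "upn" (<user>@<domain>) or "own"


def parse_user_reference(value: str, default_domain: str) -> UserReference:
    """Split a User field value into its domain and user name parts.

    A value without a separator designates the caller's own account in
    `default_domain`. Empty parts or mixed separators are rejected rather
    than guessed at, so a mistyped name cannot silently target another account.
    """
    text = value.strip()
    if not text:
        raise ValueError("empty user reference")
    if "\\" in text and "@" in text:
        raise ValueError(f"mixed forms in {value!r}")
    if "\\" in text:
        domain, _, user = text.partition("\\")
        form = "down-level"
    elif "@" in text:
        user, _, domain = text.rpartition("@")
        form = "upn"
    else:
        return UserReference(default_domain, text, "own")
    if not domain or not user or "\\" in user or "@" in user:
        raise ValueError(f"malformed user reference {value!r}")
    return UserReference(domain, user, form)


def is_valid_reference(value: str, default_domain: str) -> bool:
    """True when `value` is one of the accepted forms."""
    try:
        parse_user_reference(value, default_domain)
    except ValueError:
        return False
    return True


def targets_other_account(ref: UserReference, current_domain: str,
                          current_user: str) -> bool:
    """True when the reference names an account other than the caller's own.

    Names are compared case-insensitively, as Windows does. Caveat: a UPN
    suffix (corp.example) and a NetBIOS domain name (CORP) for the same
    domain do not compare equal here; map them through your directory if
    both forms are in use before relying on this check.
    """
    return (ref.domain.casefold(), ref.user.casefold()) != (
        current_domain.casefold(), current_user.casefold())


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    for sample in (r"CORP\alice", "alice@corp.example", "alice", r"\alice"):
        if is_valid_reference(sample, "CORP"):
            ref = parse_user_reference(sample, "CORP")
            print(sample, "->", ref, "other:", targets_other_account(ref, "CORP", "alice"))
        else:
            print(sample, "-> rejected")
```

A caller that drives the password change can use `targets_other_account` to decide whether the administrator's permission for changing other users' passwords must be checked before anything is sent to the directory.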


2.6.2 Modifying your PIN


Subject
This section explains how to modify the PIN of your smart card.

Procedure
1. Open your session as explained in Section 2.2.2, Logging on to Windows with Smart Cards and press Ctrl+Alt+Del.
2. Click the Change PIN button. The change PIN screen appears.
   If the change PIN option has been disabled by your administrator, clicking on Change PIN will have no effect.
3. Enter the information required and click OK. The smart card PIN is modified.

2.7 Using the Emergency Access (SOS)


The Emergency Access feature allows you to:
- Reset your password in case you have forgotten it: see Section 2.7.1, Resetting Your Password.
- Reset your PIN in case you have forgotten it or to unlock your smart card (only accessible in disconnected mode): see Section 2.7.2, Resetting Your PIN.


2.7.1 Resetting Your Password


Subject The Reset Password functionality allows you to reset you password in case you have forgotten it. Before Starting To be able to reset your primary password, SSOWatch must be installed on your workstation, and you must have chosen a set of questions (optional) and recorded the associated answers using the E-SSO Emergency Access Wizard (see Appendix Enterprise SSO - Getting Started with SSOWatch. Procedure 1. 2. In the session opening window, click the SOS button. The Emergency Access wizard appears. Follow the displayed instructions. If the following window appears, call the Help Desk and give them the displayed challenge, so that it can give you back the administrator challenge.
The need to call the Help Desk to reset your password depends on the configuration set by your administrator in the Enterprise SSO Console.

You cannot use the challenge given by the Help Desk a second time.

When the Wizard terminates, your password is reset and a session opens. You can then use the new password for subsequent logon.
If the password has been reset in disconnected mode, you will be asked to change it again the next time you connect to the network.


2.7.2 Resetting Your PIN


Subject
The Reset PIN functionality allows you to:
- Reset your PIN in case you have forgotten it.
- Unlock your smart card.

Restriction
The reset PIN feature is only available in disconnected mode (set by the administrator).

Before Starting
To be able to reset your PIN, you must have chosen a set of questions (optional) and recorded the associated answers using the E-SSO Emergency Access initialization Wizard (see Appendix Enterprise SSO - Getting Started with SSOWatch).

Procedure
1. In the session opening window, click the SOS button. The Emergency Access wizard appears.
2. Follow the displayed instructions. When the following window appears, call the Help Desk and give them the displayed challenge, so that they can give you back the administrator challenge.

You cannot use the challenge given by the Help Desk a second time.

When the Wizard terminates, your PIN is reset and a session opens. You can then use the new PIN for subsequent logon.


2.8 Logging on as an Administrator on a User Session ("Administrator Grace Period")


Subject
An administrator can log on to a user's session using his own smart card, even though the user opened his Windows session using a smart card.

Procedure
1. Press the Shift key while the logged-on user withdraws his smart card. The user session is left unchanged. If the SSOWatch engine was running, it is automatically set to locked mode.
2. Insert your administrator smart card and enter your PIN before the end of the grace period (the default value is 60 seconds).
The length of the grace period can be configured from the Enterprise SSO Console.

This authentication allows E-SSO to verify your identification data. The user's Windows session stays open, so your own Windows permissions do not apply.
3. Perform your administration tasks on the user workstation: if you run an E-SSO application (Enterprise SSO Studio, etc.), the authentication is done using your administrator smart card.
4. When you are finished with the user's workstation, withdraw your smart card. The user session appears as it was before the smart card removal. The user is prompted to insert his smart card and provide his PIN code to switch the SSOWatch engine back to unlocked mode.



3. Using Advanced Login on Windows Vista Systems


This section describes the E-SSO authentication with Advanced Login on Windows Vista systems.

3.1 The Initial Authentication Screen


The initial authentication screen appears when you press Ctrl+Alt+Del at workstation startup, or when you want to switch user. In the following example screen, two sessions are already open.

The initial authentication screen shows several tiles corresponding to the logon methods (credential providers) which are allowed and installed on the workstation, and to the users logged on to the workstation. On Windows Vista, several users can be logged on at the same time on a workstation, but only one session can be active. Advanced Login provides the following authentication methods on Windows Vista systems:
- User name/password authentication (two middle tiles in the example screen). Several users can be logged on at the same time on the workstation. The screen shows one tile for each logged-on user, or, if no user is logged on, one tile with the name of the last logged-on user. The "Other User" tile allows another user to open a session. See Section 3.2.1, Authenticating on Windows Vista Using User Name/Password.

- Smart card authentication (first tile in the example screen): the initial authentication screen shows as many tiles as accounts stored on the smart card. See Section 3.2.2, Authenticating on Windows Vista Using Smart Cards.

- Biometric authentication (last tile in the example screen): see Section 3.2.3, Logging on to Windows using your Fingers.

3.2 Logging on to Windows Vista


3.2.1 Authenticating on Windows Vista Using User Name/Password
Subject
This section explains how to connect to Windows with your user name and password through Active Directory or any other supported directory.

Procedure
1. Press Ctrl+Alt+Del. The initial authentication screen appears.
2. If there is a tile corresponding to your name, click it; if no tile shows your name, click the Other User tile. The authentication screen appears. The following example window shows the "Other User" authentication tile.


3. Do one of the following:
- To log on to the domain displayed on screen, type your user name and password.
- To log on to another domain than the one displayed on the screen, type <domain name>\<user name>.
- If you need to open a local session (you will not be protected by the advanced features of Enterprise SSO), type <workstation name>\<user name>.
Then click the logon button. The Windows session opens.

3.2.2 Authenticating on Windows Vista Using Smart Cards


3.2.2.1 Logging on With a Smart Card Containing Account Data
Subject
If your account data is enrolled on the smart card, you can log on to your Windows session as explained in the following procedure.

Procedure
1. Press Ctrl+Alt+Del. The initial authentication screen appears.
2. Insert your smart card in the smart card reader. The initial authentication screen appears, displaying as many tiles as primary accounts stored on the smart card. By default, the tile corresponding to the last primary account used to log on to the workstation is selected.
If none of the listed primary accounts correspond to the last used primary account, one of the listed primary accounts is randomly selected. If there is only one primary account in the card, this primary account is selected.


3. Enter the PIN of your smart card and click the logon button.

You do not need to enter your username and domain name as they are already stored on the card when it is created by an Enterprise SSO administrator.

If your logon password has expired, a new password is requested. The new password is stored instead of the old one.
4. If there are several Windows accounts corresponding to the primary account, select an account in the role selection window that appears. The Windows session opens.

3.2.2.2 Logging on Using a Blank Smart Card


Subject
The first time you use a smart card to log on to your workstation, your account data is not stored on the smart card yet. The following procedure explains how to enroll your own account on the smart card. It only applies to smart cards that can handle self-enrolment and multiple accounts.

Procedure
1. Press Ctrl+Alt+Del. The initial authentication screen appears.
2. Insert your smart card in the smart card reader. As your account is not stored on the smart card yet (first smart card authentication), the smart card tile displays "Not assigned".


3. Click the "Not assigned" smart card tile. The authentication screen appears.

4. Enter the PIN of your smart card and click the logon button.

As this is the first time you authenticate with this smart card, you are prompted for your logon user name and password (which are stored in the directory). This information will be stored on the smart card and will no longer be requested, unless it is changed through an external procedure (an administrator forcing a change, or a change initiated from a workstation not protected by Enterprise SSO Advanced Login).

5. Type the required information and click OK. The account is created on the smart card and the session opens.


3.2.2.3 Enrolling a New Account on a Smart Card


Subject
If your smart card can store several accounts, Advanced Login allows you to enroll new accounts on your smart card, as explained in the following procedure.
The account you want to store on the smart card must exist in the users' directory.

Procedure
1. Press Ctrl+Alt+Del. The initial authentication screen appears.
2. Insert your smart card in the smart card reader. The tile corresponding to the last primary account used to log on to the workstation is selected.

3. Enter the PIN of your smart card.
4. Select the Create a new account check box and click the logon button. The Windows Account Entry window appears.


5. Type the required information and click OK. The account is created on the smart card and the Windows session opens.

3.2.2.4 Forcing Cache Update at Logon


Subject
By default, the authentication is done against the existing cache. The following procedure explains how to force the authentication to be done in the target directory, and so to update the authentication data in the cache.

Procedure
1. Insert your smart card in the smart card reader.
2. Click I want to modify login options. The login options window appears.

3. Select the Update User Cache check box and click OK.


3.2.3 Logging on to Windows using your Fingers


Advanced Login can work in two modes to authenticate users using their biometric data:
- STORE ON PC mode: the biometric data is stored on the PC in the Enterprise SSO cache file. The finger replaces the ID/password. You must enroll yourself on each PC that you connect to.
- STORE ON SERVER mode: the biometric data is stored on a server. The finger replaces the ID/password.

3.2.3.1 First Log on


Subject
To be able to log on to Windows using your finger, you must first enroll your biometric data.

Before Starting
- Make sure the Enterprise SSO fingerprint module is installed on the workstation.
- A fingerprint reader must be installed on the workstation.
The workstation can support only one reader. We strongly recommend that you download the latest:
- drivers and licence of your product;
- licence for the installation.

If you use several fingerprint readers, just plug in the one reader you want to use and restart the computer.
For more information on supported biometric devices, see Quest Enterprise SSO Release Notes.

If the administrator has configured a validation of your authentication, a second E-SSO user must authenticate him or herself after you. If the Biometric Enrollment tool is not available, modify the SSOWatch installation by selecting the Biometrics Enrollment tool option and restart the computer.
Ensure that the Controller is available to be able to enroll in Store on Server Mode.


Procedure
1. Log on using your password, as described in Section 3.2.1, Authenticating on Windows Vista Using User Name/Password. The Enterprise SSO Biometric Enrollment tool starts after a successful authentication.
There can only be one set of fingers per biometric reader.
2. If the tool does not start, display the SSOWatch menu by right-clicking the SSOWatch icon in the notification area and click Biometric Enrollment.
3. Follow the instructions of the Biometric Enrollment tool.
4. When you have successfully completed the scan of your finger(s), log off and try to log on using the fingerprint reader, as described in Section 3.2.3.2, Everyday Log on.

3.2.3.2 Everyday Log on


Subject This section describes how to log on to Windows using your finger.
Depending on your biometric authentication mode (STORE ON PC or STORE ON SERVER), the procedure is slightly different.

Before Starting
You must have enrolled your biometric data, as described in Section 3.2.3.1, First Log on.
Each time you connect yourself to a new workstation in Store on PC mode, you must enroll your biometric data.

Procedures

STORE ON PC Mode
1. When the Advanced Login welcome screen appears, place your finger on the scanner. The following tile appears:


Depending on your configuration, you log on automatically when your finger is successfully captured. If not, the following window appears:

2. Make sure your Login is correct and click the validation button.

For details on how to enable the automatic validation, see Section A.1, Advanced Login Configuration Parameters.

STORE ON SERVER Mode
1. When the Advanced Login welcome screen appears, place your finger on the scanner. The following tile appears:


Depending on your configuration, you log on automatically when your finger is successfully captured. If not, the following window appears:

2. Make sure your Login is correct and click the validation button.

If the authentication fails, check your ID. If it is not the right one, enter the correct ID. For details on how to enable the automatic validation, see Section A.1, Advanced Login Configuration Parameters.

3.2.3.3 Forcing Cache Update at Logon


Subject
By default, the authentication is done against the existing cache. The following procedure explains how to force the authentication to be done in the target directory, and so to update the authentication data in the cache.
This is only available if Automatic Validation has been disabled by the administrator (see the Enterprise SSO Console Administrator Guide).


Procedure
1. After choosing the tile, click I want to modify login options. The Login Options window appears.

2. Select the Update User Cache check box and click OK.

3.3 Locking/Unlocking the Session


3.3.1 Locking the Session
Subject
The Lock state enables you to prevent anybody from accessing your session on the workstation in your absence. This section describes the possible means to lock a computer.

Procedure
When your session is open, do one of the following to lock the computer:
- Press the Ctrl+Alt+Del keys and click the Lock this computer option.
- If you have authenticated with a smart card, remove the smart card from the reader (or a USB key from its port).
The default workstation behavior when a token is removed can be modified by the administrator from the Enterprise SSO Console. If the session is not locked at token removal, it means that your administrator has modified this option.

- Put the computer into a sleep state.
The workstation goes into the locked state and the "Ctrl+Alt+Del" screen appears.


3.3.2 Unlocking the Session


Subject
To unlock the computer, you must re-authenticate as at session opening. The authentication method does not necessarily need to be the same as the one used for opening the main session. If a workstation is in the locked state, another user can unlock it by logging on with his or her own credentials, without unlocking the first user's locked session.

Procedure: Unlocking Your Own Session
1. To unlock the session you have locked, press Ctrl+Alt+Del. The authentication screen corresponding to the authentication method used appears. The following example screen shows the unlock authentication screen for a user authenticated with a smart card.

2. Enter your PIN or password and click the validation button. Your session is unlocked.


Procedure: Logging on to a Workstation Locked by Someone Else
1. To log on to a workstation locked by someone else, press Ctrl+Alt+Del. The authentication screen corresponding to the authentication method used by the other user to lock his/her session appears.
2. Click the Other Credentials button.
3. Click the Switch User button. The initial authentication screen appears.
4. Log on to the workstation as explained in Section 3.2, Logging on to Windows Vista.

3.4 Switching Users


Subject
This section explains how to rapidly switch users on a workstation.

Procedure
When a session is open, press Ctrl+Alt+Del and click the Switch User option. The initial authentication screen appears and another user can log on to the workstation. The first user's session stays locked on the workstation.

3.5 Modifying your Password or PIN


If you are allowed to by your administrator, you can change your password or PIN, as explained in the following procedure.

3.5.1 Modifying your Password


Subject
If you have authenticated with your smart card, you can modify the password of the account that you used to authenticate, as explained in the following procedure. The password will be modified on the smart card and in the directory. If you have authenticated using your user name and password, you can modify your password as explained in the same procedure.


Procedure
1. Open your session as explained in Section 3.2.1, Authenticating on Windows Vista Using User Name/Password, and press Ctrl+Alt+Del.
2. Click the Change a Password option. The change password screen appears.
If the change password option has been disabled by your administrator, clicking on Change a Password will have no effect.

The following example screen shows a change password screen for a user authenticated with a smart card.

3. Enter the information required and click the validation button. The password is modified on your smart card (if you have logged on with a smart card) and in the LDAP directory.


3.5.2 Modifying your PIN


Subject
The Advanced Login Credential Manager feature is automatically started at logon time and allows you to change your PIN.

Procedure
1. Open a Windows session as explained in Section 3.2.2, Authenticating on Windows Vista Using Smart Cards.
2. In the notification area, right-click the icon and select Change PIN. The change PIN screen appears.

3. Enter the required information and click OK. The smart card PIN is modified.

3.6 Using the Emergency Access


The Emergency Access feature allows you to:
- Reset your password in case you have forgotten it: see Section 3.6.1, Resetting Your Password.
- Reset your PIN in case you have forgotten it, or unlock your smart card (only accessible in disconnected mode): see Section 3.6.2, Resetting Your PIN.


3.6.1 Resetting Your Password


Subject
The Reset Password functionality allows you to reset your password in case you have forgotten it.

Before Starting
To be able to reset your primary password, SSOWatch must be installed on your workstation, and you must have chosen a set of questions (optional) and recorded the associated answers using the E-SSO Emergency Access Wizard (see Enterprise SSO - Getting Started with SSOWatch).

Procedure
1. In the authentication screen, click I have forgotten my password.
If the I have forgotten my password option does not appear on the screen, your administrator has disabled it (see Section A.1, Advanced Login Configuration Parameters, for more details).

The Reset password wizard appears.
2. Follow the displayed instructions. If the following window appears, call the Help Desk before the end of the two minutes during which the Exchange with help desk window stays open. Give them the displayed challenge, so that they can give you back the administrator challenge. You cannot use the challenge given by the Help Desk a second time.

The need to call the Help Desk to reset your password depends on the configuration set by your administrator in the Enterprise SSO Console.

When the Wizard terminates, your password is reset and a session opens. You can then use the new password for subsequent logon. If the password has been reset in disconnected mode, you will be asked to change it again the next time you connect to the network.

3.6.2 Resetting Your PIN


Subject
The Reset PIN functionality allows you to:
- Reset your PIN in case you have forgotten it.
- Unlock your smart card.

Restriction
The reset PIN feature is only available in disconnected mode (set by the administrator).

Before Starting
To be able to reset your PIN, you must have chosen a set of questions (optional) and recorded the associated answers using the E-SSO Emergency Access initialization Wizard (see Enterprise SSO - Getting Started with SSOWatch).

Procedure
1. In the authentication screen, click I have forgotten my PIN.
If the I have forgotten my PIN option does not appear on the screen, your administrator has disabled it (see Section A.1, Advanced Login Configuration Parameters, for more details).

The Reset PIN wizard appears.
2. Follow the displayed instructions. When the following window appears, call the Help Desk before the end of the 2 minutes during which the Exchange with help desk window stays open. Give them the displayed challenge, so that they can give you back the administrator challenge.

You cannot use the challenge given by the Help Desk a second time.

When the Wizard terminates, your PIN is reset and a session opens. You can then use the new PIN for subsequent logon.

3.7 Managing Primary Accounts on Your Smart Card


Subject
The Advanced Login Credential Manager feature is automatically started at logon time and allows you, among other actions, to delete or create a primary account on a smart card.
The following procedure only applies to smart cards that can store several SSO accounts.

You can delete all the accounts stored on the smart card, even the one you used to log on. In this case, after the account deletion, the session stays open. Do not lock it, because you will not be able to unlock it.

Procedure
1. Open your session as explained in Section 3.2.2, Authenticating on Windows Vista Using Smart Cards.
2. In the notification area, right-click the icon and select Manage Primary Accounts. The account management window appears and lists the accounts stored on the smart card.

If you delete the account that you have used to logon, the session will stay open: do not lock it because you won't be able to unlock it. We recommend you to log off the session after the account deletion.

3. Select the account you want to add or remove and click the Add or Remove button.
4. Follow the displayed instructions and click OK. The account is created or removed on the smart card.


3.8 Logging on as an Administrator on a User Session ("Administrator Grace Period")


Subject
An administrator can log on to a user's session using his own smart card, even though the user opened his Windows session using a smart card.

Procedure
1. Press the SHIFT key while the logged-on user withdraws his smart card. The user session is left unchanged. If the SSOWatch engine was running, it is automatically set to locked mode.
2. Insert your administrator smart card and enter your PIN before the end of the grace period, the default value being 60 seconds.
The length of the grace period can be configured from the Enterprise SSO Console.

This authentication enables E-SSO to check your identification data. The user's Windows session stays open, so your own Windows permissions do not apply.
3. Perform your administration tasks on the user workstation: if you run an E-SSO application (Enterprise SSO Studio, etc.), the authentication is done using your administrator smart card.
4. When you have finished with the user's workstation, withdraw your smart card. The user session appears as it was before the smart card removal. The user is prompted to insert his smart card and provide his PIN to switch the SSOWatch engine back to unlocked mode.



A. Advanced Login and Biometrics Configuration


A.1 Advanced Login Configuration Parameters
This section describes the Advanced Login parameters in the computer registry that can be used in standalone mode. These parameters are located in one of the following places:
A: HKEY_LOCAL_MACHINE\Software\Enatel\WiseGuard\AdvancedLogin or HKEY_LOCAL_MACHINE\Software\Policies\Enatel\WiseGuard\AdvancedLogin
B: HKEY_LOCAL_MACHINE\Software\Enatel\WiseGuard\FrameWork\Authentication or HKEY_LOCAL_MACHINE\Software\Policies\Enatel\WiseGuard\FrameWork\Authentication
C: HKEY_LOCAL_MACHINE\Software\Enatel\WiseGuard\FrameWork or HKEY_LOCAL_MACHINE\Software\Policies\Enatel\WiseGuard\FrameWork

The following list describes the Advanced Login parameters in the computer registry that can be used in standalone mode, with their location (A, B or C, as defined above) where the guide gives it.

LockTimer (location A)
Timeout (in seconds) before locking the computer. This does not end the session.

ActionWhenTokenRemoved (location A)
Default automatic action if the token is removed:
0: not configured (= lock).
1: lock the computer.
2: log off.
3: do nothing.

AutoValidationTimer
Timeout (in seconds) before the automatic validation of the default action defined in ActionWhenTokenRemoved.


WorkStationAccountRandomNPGP
Only used with a supported LDAP directory other than Active Directory. In this type of architecture, Enterprise SSO stores users' SSO data in an LDAP directory other than Active Directory, but the users' accounts are stored in Active Directory and are managed by Enterprise SSO as secondary accounts. By default, the Windows password must be changed manually.
0: manual change of Windows password.
1: automatic change of Windows password.

BioAutoValidate
Store on PC mode only: enables/disables the automatic validation upon fingerprint authentication.
0: disabled.
1: enabled.

ResetPassword
Makes the SOS button available or unavailable.
0: available.
1: unavailable.

ByPassWGAuthForLocalAdmin
Allows members of the local "administrators" group (directly or via group membership) to bypass the Advanced Login authentication, even if they cannot create the Enterprise SSO keys/objects.
0: disabled.
Non-null value: enabled.

ManageUserExclusion
Windows Vista only. Enables or disables SSO for excluded users.
0: At user authentication, Advanced Login opens a session and uses the supplied credentials to start SSOEngine.
0: At user authentication, Advanced Login first tries to authenticate with the given credentials against the E-SSO directory. If the user belongs to an exclusion group, the Windows session is opened, but no SSO will be available for that session. If the user does not belong to any exclusion group, opening the Windows session depends on the success of the E-SSO authentication.


A.2 Biometrics Configuration Parameters


This section describes the biometrics parameters in the computer registry. These parameters are located in HKEY_LOCAL_MACHINE\Software\Enatel\WiseGuard\FrameWork\Authentication.

BiometricFAR
FAR: False Acceptance Rate. Modify this value depending on your tolerance limits. Default value: 20000 (meaning that the probability that a wrong fingerprint passes is 1/20000).

BiometricMaxEnrolledUsers
Maximum number of users that can be enrolled on the workstation (Store on PC mode). Default value: 20. If the maximum number is exceeded, the oldest enrolled user is deleted.
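The following PowerShell script is an added example, not part of the Quest product or of this guide: it reads the values listed in A.1 and A.2 from both the normal and the Policies form of locations A and B and reports settings that weaken the logon protection (token removal that does nothing, Advanced Login bypass for local administrators, a long lock timer, a FAR looser than the default). The value names, key paths and meanings come from the guide; the thresholds that decide what counts as weak are the script's own assumptions.

```powershell
# Added example, not part of the Quest product: audit the Advanced Login and
# biometrics registry parameters from Appendix A on the local workstation.
# Key paths and value semantics are taken from the guide; the thresholds that
# decide what is reported as weak are this script's own assumptions.

$plain    = 'HKLM:\Software\Enatel\WiseGuard'
$policies = 'HKLM:\Software\Policies\Enatel\WiseGuard'

# Location A (AdvancedLogin) and location B (FrameWork\Authentication), each
# in its normal and its Policies form, as listed in Appendix A.1 and A.2.
$searchPaths = @(
    "$plain\AdvancedLogin",            "$policies\AdvancedLogin",
    "$plain\FrameWork\Authentication", "$policies\FrameWork\Authentication"
)

function Get-WiseGuardValue {
    param([string]$Name, [string[]]$Paths = $searchPaths)
    # Return the first key in which $Name is defined, or $null if none has it.
    foreach ($p in $Paths) {
        if (-not (Test-Path -Path $p)) { continue }
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = [int]($item.$Name); Key = $p }
        }
    }
    return $null
}

# Each rule names a value and a test that returns a finding string for a weak
# setting, or nothing for an acceptable one (thresholds are assumptions).
$rules = @(
    @{ Name = 'ActionWhenTokenRemoved'; Test = { param($v)
        if ($v -eq 3) { 'token removal does nothing: the session stays open and unlocked' }
        elseif ($v -eq 2) { 'token removal logs the user off (unsaved work is lost)' } } },
    @{ Name = 'LockTimer'; Test = { param($v)
        if ($v -gt 300) { "lock timer of $v s leaves an unattended session open for a long time" } } },
    @{ Name = 'ByPassWGAuthForLocalAdmin'; Test = { param($v)
        if ($v -ne 0) { 'members of the local administrators group can bypass Advanced Login' } } },
    @{ Name = 'BiometricFAR'; Test = { param($v)
        if ($v -lt 20000) { "FAR of 1/$v is looser than the documented default of 1/20000" } } }
)

function Invoke-AdvancedLoginAudit {
    # Evaluate every rule and emit one object per value: the key it was read
    # from, its current value (or "not set", meaning the product default
    # applies) and the finding.
    foreach ($r in $rules) {
        $found = Get-WiseGuardValue -Name $r.Name
        if ($null -eq $found) {
            [pscustomobject]@{ Name = $r.Name; Value = $null; Key = $null
                               Finding = 'not set (product default applies)' }
            continue
        }
        $finding = & $r.Test $found.Value
        $text = if ($finding) { "WEAK: $finding" } else { 'ok' }
        [pscustomobject]@{ Name = $found.Name; Value = $found.Value
                           Key = $found.Key; Finding = $text }
    }
}

Invoke-AdvancedLoginAudit | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on a workstation where Advanced Login is installed; values reported as not set fall back to the product default described in Appendix A.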

A.3 Modifying the Authentication Screen Icons (Windows Vista only)


Subject
This section only applies to Windows Vista. You can change the bitmaps displayed in the Windows Vista tiles as explained in the following procedure.

Procedure
In the Advanced Login installation folder (by default: C:\Program Files\Quest Software\E-SSO\Advanced Login), create the two following bitmaps, with a size of 96x96 pixels:
- ESSOCredProv.bmp: the icon displayed in the initial authentication screen for the smart card tile when no smart card is inserted.
- ESSOCredProvActive.bmp: the icon displayed when a smart card tile is selected or selectable.


About Quest Software, Inc.


Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products, helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

Contacting Quest Software


Phone: 949.754.8000 (United States and Canada)
Email: info@quest.com
Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
Web site: www.quest.com


Please refer to our Web site for regional and international office information.

Contacting Quest Support


Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com/. From SupportLink, you can do the following:
- Retrieve thousands of solutions from our online Knowledgebase
- Download the latest releases and service packs
- Create, update and review Support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com.
