FASTPASS PASSWORD MANAGER · WINDOWS CLIENT INSTALLATION GUIDE 3 /51 FastPassCorp A/S is a public...

½

FastPassCorp A/S is a public company registered on Nasdaq/Copenhagen/FirstNorth. Distribution and implementation is done through strong and professional partners internationally We improve productivity and compliance for passwords and other authentication models

FASTPASS PASSWORD MANAGER Version 3.6

WINDOWS CLIENT INSTALLATION GUIDE

http://FastPassCorp.com









2/51


Document Title Windows Client Installation Guide

Document Classification Public

Document Revision A

Document Status Final

Document Date December 12, 2018

The specifications and information in this document are subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. This document may not be copied or distributed by any means, in whole or in part, for any reason, without the express written permission of FastPassCorp A/S.

© 2004 - 2018 FastPassCorp A/S. All rights reserved. Lyngby Hovedgade 98, 2800 Kongens Lyngby, Denmark. http://www.fastpasscorp.com FastPass Password Manager is a trademark of FastPassCorp A/S. All further trademarks are the property of their respective owners. Limited Warranty No guarantee is given for the correctness of the information contained in this document. Please send any comments or corrections to [email protected]











mailto:[email protected]


3/51


Table of Contents

1 Introduction .......................................................................................................................... 5 1.1 Purpose ............................................................................................................................... 5 1.2 Audience ............................................................................................................................. 5 1.3 References .......................................................................................................................... 5 1.4 Terms .................................................................................................................................. 5

2 About FastPass Password Manager .................................................................................... 6 2.1 The architecture of FastPass Password Manager ................................................................ 7

3 About the Password Manager Windows Client .................................................................. 10 3.1 Vital changes since version 3.5. ......................................................................................... 10 3.2 The architecture of Password Manager Windows Client ...................................................... 11 3.2.1 Windows 7/8/8.1/10 ........................................................................................................... 11

3.3 Functional description of the FastPass Windows Client ...................................................... 12 3.4 Enrollment Enforcement feature ......................................................................................... 12 3.4.1 Flow of information ............................................................................................................ 13 3.4.2 User Interfaces of the Enrollment Enforcement Client ........................................................ 13 3.4.3 Parameter tweaking ........................................................................................................... 15 3.4.4 Controlling server load caused by the Enforcement Client ................................................. 15 3.4.5 Silencing the client ............................................................................................................ 16

3.5 Using Wi-Fi with FastPass Windows Client ......................................................................... 16

4 Windows Client only access ............................................................................................... 17

5 Security measures inside Windows Client ......................................................................... 18 5.1 Url restrictions .................................................................................................................... 18

6 Installing the Password Manager Windows Client ............................................................. 19 6.1 Supported Platforms ........................................................................................................... 19 6.2 Pre-requirements ................................................................................................................ 19 6.3 Administrative privileges required ....................................................................................... 19 6.4 Installation using GUI ......................................................................................................... 20 6.5 Installation using Command Line options ............................................................................ 23 6.6 Installation using XML Configuration file ............................................................................. 25 6.7 Working with multiple servers ............................................................................................. 25 6.8 Running the Windows Client in a Terminal Services/Citrix environment .............................. 27

7 Upgrading the Windows Client ........................................................................................... 28

8 Setting up the for Remote Password Reset ....................................................................... 29 8.1 How it works ....................................................................................................................... 29 8.2 Partial VPN ......................................................................................................................... 29 8.2.1 Partial VPN flow ................................................................................................................ 29












4/51


8.2.2 Preparing the Server for Partial VPN ................................................................................. 29 8.2.3 Preparing the Client ........................................................................................................... 31

8.3 Full VPN ............................................................................................................................. 32 8.3.1 Full VPN flow ..................................................................................................................... 32 8.3.2 Preparing the Client ........................................................................................................... 32

9 Password Manager Windows Client Customization ........................................................... 34 9.1 Customizing the Launch Panel login component ................................................................. 34 9.1.1 Using built-in designs ........................................................................................................ 34 9.1.2 Customizing Colour, logo and texts for the Launch Panel. ................................................. 35 9.1.3 Customizing Colour, logo and texts for the Splash Screen. ................................................ 42

9.2 Text Changes ..................................................................................................................... 43 9.3 Customizing the EEC Client ................................................................................................ 44

10 Customizing the log settings for the FastPass Windows Client ....................................... 48 10.1 Customizing log settings for the Logon component ............................................................. 48 10.1.1 Setting the log file Level .................................................................................................... 48 10.1.2 Setting the log file Path for the PMWindowsClientKiosk.log ............................................... 48 10.1.3 Setting the log file number of days ..................................................................................... 48

10.2 Customizing log settings for the enrolment enforcement client. ........................................... 49 10.2.1 FastPass Windows Client EEC has a various of different log levels that can be set. .......... 49

11 Uninstalling the Password Manager Windows Client ........................................................ 50 11.1 Uninstalling from a Windows 7/8/8.1/10 machine ................................................................ 50












5/51


1 INTRODUCTION

This document is covering FastPass Password Manager Windows Client Version 3.6

1.1 PURPOSE

The purpose of this document is to describe how to install the Password Manager Windows Client in a

FastPass Password Manager implementation including all configuration aspects.

1.2 AUDIENCE

The intended audience of this document is personnel responsible for administration of the Password

Manager solution.

1.3 REFERENCES

This document references the following documents:

None.

1.4 TERMS

The following technical and product specific terms are used without further explanation throughout the

document.












6/51


2 ABOUT FASTPASS PASSWORD MANAGER

FastPass is a solution for large organizations focused on self -service of passwords and compliance for

password issues.

Users are required to remember many more complex passwords on more systems than ever before.

Research (Gartner) suggests that 20-50% of all calls to Help Desks are related to forgotten passwords. Self -

service of passwords is the obvious answer to increase productivity and security.

Built to use Active Directory as the authoritative repository, FastPass can deliver almost instant ROI by

deploying in just a few hours utilizing your existing Microsoft Windows Server environment.

Introduce Self-Service

Users only need a web browser to access FastPass whether on the corporate intranet or across the internet.

Even from a Windows PC and the log-in screen users can benefit from FastPass from an otherwise locked

PC!

Success with self-service requires a clear plan for implementation. FastPass Best Practices help customers

reach 80-95% self-service success. The best practices focus on enrollment , Access anywhere, Flexible and

individual authentication and user-friendly assistance!

Introduce Compliance

Companies now more than ever understand the cost of data breaches. According to research 63% of data

breaches are caused by password issues.

Compliance and security requires a combination of secure self -service and a secure process for the assisted

password reset.

FastPass has the components to secure customers’ compliance!

FastPass helps reducing the workload in the Help Desk, increase end-user productivity and Strengthen

Security

A Password Management solution from FastPassCorp will save you both time and money and at the same

time increase end-user productivity enhance service to a 24/7/365 password self -service and strengthen

security through a secure password reset process and enable stronger password policies to be enforced

with no additional support cost in the Help-desk.

For Executives:

• Reduce service desk cost

• Increase employee productivity

• Avoid data breaches and related costs

• Leverage past investments in Windows Server and Active Directory

• Typically, ROI within 3-6 months

For service desk managers:

• Remove 20-50% of calls to help desk

• Enhanced logging and reporting

• Significantly reduce total cost per forgotten password












7/51


• Increase employee satisfaction

• Easy implementation

• Best practices guidelines

For compliance and IT-security managers

• Reduce risk for data breaches

• Make and monitor a compliant manual process

• Implement strong password policies with user acceptance

• Keep cost of compliance and security down

For employees:

• Extremely fast solution to a forgotten password situation

• Access to systems 24/7/365

• No need to involve other people (service desk, colleagues etc.)

• No barrier to comply with strict password security policies

• Simple to use

2.1 THE ARCHITECTURE OF FASTPASS PASSWORD MANAGER

The following describes and illustrates the architecture of FastPass Password Manager.

From a user perspective FastPass should be available everytime the user needs to user the credentials.

FastPass delivers a client that enables the user to access FastPass even when the user cannot login at the

Windows Login prompt. Basically, Password Manager is offering a web based self-service features to

maintain passwords in the enterprise. This is what is illustrated below.












8/51


Databases

Directories Servers

Password Manager

Server

Enterprise

Applications

Microsoft

Active Directory

ADAM

Logically the Password Manager Server is built of multiple sub components each offering its own set of

functions for the total solution. The main components are listed in the table below:

Component Description

Backend Server Implement the control of all end-user transactions, communication to

the Gateway Server, scheduled discovery of users in the domain

infrastructure, control and coordination of password synchronizations,

invitations of users etc.

Client Server Implements the Web-interface for the end-users and communicates

with the Backend Server.

Gateway Server Implements access to the domain infrastructure and other Password

Sync target systems.

All three main components are by default installed on the Password Manager Server and are directly

configured to operate together. A full implementation can be built on additional Client Servers and Gateway

Servers. This is shown in the illustration:












9/51


Databases

Directories Servers

Password Manager

Backend Server

Enterprise

Applications

Microsoft

Active Directory

ADAM

Password Manager

Client Server

Password Manager

Gateway Server

Password Manager

Gateway Server

The solution is designed in a Service Oriented Architecture. All main components are implemented as web

services running on Microsoft Internet Information Server (IIS) and communications are using SOAP over

HTTPS.












10/51


3 ABOUT THE PASSWORD MANAGER WINDOWS CLIENT

The Password Manager Windows Client is a component that integrates with the login interfaces on different

Windows workstation platforms and makes it possible for users to access the Password Manager solution to

reset their password or to unlock their account without being authenticated to the dom ain. Furthermore, the

installation package holds the Enforcement Enrollment Client (EEC) which will notify the end-user to enroll

into the solution. Term wise the Windows Client installation package holds both the Windows Client itself

and the EEC client.

Windows 7/8/8.1/10 default integration is shown in Figure 1. Please note that the graphics in the upper right

corner can be moved/customized on the Windows Login Screen.

Figure 1 The Password Manager Windows Client login integration on Windows 7/8/8.1/10

The tight integration into the login interfaces helps eliminate the need for end-user education. The solution

to a “forgotten password problem” sits directly in front of the end-user.

3.1 VITAL CHANGES SINCE VERSION 3.5.

Version 3.5.2 is much faster than prior versions. Please note that version 3.5.2 and later is built on new

technology, configuration etc. has changed. The main change is that the local account – fpkioskuser is no

longer needed.












11/51


3.2 THE ARCHITECTURE OF PASSWORD MANAGER WINDOWS CLIENT

The Password Manager Windows Client integration to the login interface is implemented in the best possible

way allowed by the client operating systems.

3.2.1 WINDOWS 7/8/8.1/10

The FastPass Windows Client is implemented as a Credential Provider that allows the opening of the

Windows Client Internet Browser style interface that connects to the Password Manager Server.

The overall design of the Windows logon system is shown in the below figure. The extension provided to

allow kiosk-mode access is a Credential Provider (CP).

Figure 2 Overall Design of the Windows Logon System

The Credential Provider architecture requires each provider to enumerate its UI elements. For example, in

each scenario, a provider might indicate to LogonUI that it requires two edit boxes, two captions, a

checkbox, and a bitmap. In turn, LogonUI renders those controls on behalf of the credential provider.

A consequence of the change to the Credential Provider model is that absolutely no unintended relation

exists between the different credential providers, meaning that the rate of occurrence of problems caused by

conflicting products has gone significantly down.

Usability on Windows 7/8/8.1/10

In Windows 7/8/8.1/10 systems the integration accessible to the end-user is as shown in Figure 3.












12/51


Figure 3 The default Windows 7/8/8.1/10 login screen

3.3 FUNCTIONAL DESCRIPTION OF THE FASTPASS WINDOWS CLIENT

The Windows Client displays itself after installation on the login window on the PC. The design can be

customized to a large extend, explained later in this document. When clicked, the Windows Client can probe

all sever sites to determine what FastPass Server to connect to. After probing, a locked down browser is

started. The Browser is compiled and controlled by FastPass Windows Client.

The Browser is, by default, only allowed to contact the FastPass Client, only URLs specifically allowed will

be contacted, only certain file extensions and operations will be allowed. After getting a successful

connection to the server the browser will allow the user to commence the operations in FastPass. After

finishing the operations, the interface is shut down and the user can again use the Windows login interface.

In Windows 7 the user needs to be already connected by either wired network or fixed wifi. In Windows 10

the end-user will have the ability to use the Windows 10 build in feature to connect to a wifi at the login

page, if necessary.

3.4 ENROLLMENT ENFORCEMENT FEATURE

The feature is installed together with and shares both configuration and code with the Password Manager

Windows Client.

The feature runs on PC’s in the user session and is primarily visible by an icon in the Notification area

(typically the lower right corner). The icon represents the Enrollment Enforcement Client which is












13/51


automatically started when a user logs on to the PC. The client is responsible of checking the enrollment

status in Password Manager and for executing configured actions if required.

The client prompts the FastPass server for Enrollment status and stores that information in the user registry.

Behavior and prompt intervals etc. can be adjusted as described in the below.

3.4.1 FLOW OF INFORMATION

When a user logs on to Windows using a domain account the Enrollment Enforcement Client tries to get hold

of the user’s enrollment status by sending a web service request to the FastPass Client which forwards this

to the FastPass Server.

The FastPass Server uses the following logic to determine the enrollment status:

1. Is the domain information contained in the request unknown then return “UserRepositoryNotFound” 2. Is the user account for the request unknown then return “UserNotFound” 3. Is the user account enrolled then return “UserIsEnrolled” 4. Is the user account locked in Password Manager then return “UserIsLocked” 5. Isn’t the user allowed to enroll then return “UserCannotEnroll” . The checking of whether the user is

allowed to enroll is based on the configuration of Authentication Profiles for the “Enroll User” operation.

6. Isn’t the user invited to enroll then return “UserCanEnroll”. The checking of whether the user is invited is based on the configuration of Enroll Profiles

7. If the user is invited to enroll then return “UserMustEnroll”

The enrollment status isn’t the only information returned to the Enrollment Enforcement Client. The following

data is delivered together with the enrollment status:

• OperationStatus Contains information of whether the request executed successfully (or failed).

• OperationStatusDetail optionally contains error details.

• UserEnrollmentStatus The enrollment status

• UserEnrollmentEnforcementMethod Contains information about which method that shall be executed by the Enrollment Enforcement Client as result of the operation. Possible values: None, Window, Hide, Exit and Full Screen.

• UserEnrollmentStatusCheckInterval Contains information about at which interval to check the enrollment status.

• UserEnrollmentEnforcementGracePeriod Contains information about for how long time the user can postpone when the enrollment status is “UserMustEnroll”. Various customizations can be made on the server side to manipu late the above flow but before looking into this lets first take a look at the user interfaces for the Enrollment Enforcement Client.

3.4.2 USER INTERFACES OF THE ENROLLMENT ENFORCEMENT CLIENT

The screenshots shown in the following section is what can be shown t o the user if the

UserEnrollmentEnforcementMethod returned by the server is “Window”.

Notice that some of the screenshots contains a “Close” button. This button is only shown if the screenshot is

taken from a window shown after clicking the icon in the notification area.












14/51


The text shown in the screenshot below is as in all other screenshots the default text delivered with the

product but everything is fully customizable so any description can be shown.

Clicking the “Postpone” button will cause the window to close and not be re-displayed before the selected

time value expires.

Clicking the “Enroll Now” button will cause the “Full Screen” method to be called which is the same interface

as also available directly from the Windows login interface.

The screenshot illustrates the interface shown to an end user if the enrollment status returned by the server

is “UserCanEnroll”.

Figure 4 UserCanEnroll is shown like this

As the status, here is “UserCanEnroll” the window does not contain a “Close” button. The reason is that

although the user isn’t forced to enroll we still want him/her to enroll so the provided options are to postpone

and to enroll now.












15/51


Figure 5 UserMustEnroll showes like this

The next screenshot illustrates the interface shown to an end user if the enrollment status returned by the

server is “UserMustEnroll”.

As the status is “UserMustEnroll” no other options them enroll now is given.

If the returned enrollment status is “UserRepositoryNotFound”, “UserNotFound” or “UserCannotEnroll” then

the icon in the notification area is hidden but checking continues at configured intervals.

If the user isn’t logged on with a domain account, the application closes.

3.4.3 PARAMETER TWEAKING

The behavior can be changed in the administration client by opening the Enrollment Service ->Enforcement Settings.

3.4.4 CONTROLLING SERVER LOAD CAUSED BY THE ENFORCEMENT CLIENT

There are a few ways to make sure the server is not working too hard. First of all the server will by default

not handle more than 1 request per second, secondly there is an option to postpone the user requests by a

random time period.

3.4.4.1 CONTROLLING THE SERVER SIDE LOAD

As the enforcement client adds a significant amount of load, especially when the client initially is introduced,

some parameters are available for controlling the load amount on the server caused by the Enforcement

Client. By default, the settings are disabled, meaning that the server will handle all requests, which is

normally not a problem with environments hosting less than 20.000 users.

HKLM\SOFTWARE\FastPassCorp\Password Manager

OpenService_AlwaysHandleRequest_GetUserInformation = False (Default false)

The defaults for throttling are:

OpenService_MaximumRequestCountSecond_GetUserInformation =1

OpenService_MaximumRequestCountMinute_GetUserInformation =60

OpenService_MaximumRequestCountHour_GetUserInformation =3660

These can be changed by creating the values in the registry and setting them to the desired values. When

the server rejects a request a warning note in the log is made: eg.: “Rejecting to serve the

'GetUserInformation' request as one or more maximum counters has been reached.”

These settings will limit the Enforcement client requests (If a user tries to Enroll that operation will not be

affected). So, with the defaults settings, if 2 clients request status information in the same second the

second one will be told to try again later (default 2 hours). The same is true for the per minute and hour

settings above.

The client itself will of course be silent and will not trouble the user in that scenario, instead it will wait for 6

hour and retry. These settings should be considered with regards to the number of users and hardware

setup.

3.4.4.2 DISTRUBUTING CLIENT SIDE REQUESTS












16/51


In the Enrollment Enforcement Client config file the following has been added in version 3.6

<?xml version="1.0" encoding="utf-8" ?>

<Config>

<UseWindowsClientConfig>1</UseWindowsClientConfig>

<DefaultCheckInterval>90</DefaultCheckInterval>

<PostponedCheckInterval>5</PostponedCheckInterval>

<StartupDelay>30</StartupDelay>

<MinimumRandomTimingVariance>0</MinimumRandomTimingVariance>

<MaximumRandomTimingVariance>40</MaximumRandomTimingVariance>

<MinimumRandomTimingVarianceAfterPostpone>0</MinimumRandomTimingVarianceAfterPostpone>

<MaximumRandomTimingVarianceAfterPostpone>40</MaximumRandomTimingVarianceAfterPostpone>

DefaultCheckInterval(Minutes) determines how long FastPass will wait if a connection fails in minutes

PostPonedCheckinterval(Minutes) determines how long FastPass will wait if a connection fails in minutes

if the connection to FastPass fails after the Postpone has ended.

StartupDelay(Seconds) is the time the client will wait before attempting anything

MinimumRandomTimingVariance and MaximumRandomTimingVariance(Seconds) allows to system to

wait a random number of minutes until attempting to connect to the server. The random time is between

Minimum and Maximum value – hence if the Minimum value is set to 60 the system will wait at least 60

seconds before attempting a connection.

MinimumRandomTimingVarianceAfterPostpone and MaximumRandomTimingVarianceAfterPostpone

(Seconds) allows to system to wait a random number of minutes until attempting to connect to the server

after a PostPone period has ended. The random time is between Minimum and Maximum value – hence if

the Minimum value is set to 60 the system wil l wait at least 60 seconds before attempting a connection.

3.4.5 SILENCING THE CLIENT

When deploying the client in an environment where the server is already in operation, it can be necessary to

control the operation of all clients in a period of time, e.g. to all clients are deployed. And in the meanwhile,

you still want the Enrollment Service to work. To do that you can disable the Enforcement Client on the

server in the administration client under Enrollement Service->Enforcement Settings

3.5 USING WI-FI WITH FASTPASS WINDOWS CLIENT

In the older Windows Client Wi-Fi support was built into the client FastPass. From version 3.5.2 the native

Windows 10 support at the login prompt can be used. Please consult the docum entation for version 3.5.1.5

regarding the Wi-Fi support in FastPass.












17/51


4 WINDOWS CLIENT ONLY ACCESS

NOTE: this behavior is not yet implemented in Version 3.6, but is expected to be available soon.

To avoid browser/mobile clients to access the FastPass solution the client can be setup to limit the access

to the site. This feature is normally used to limit the access to the FastPass Client when accessing the

solution from the Internet. To limit the access, add the following REG_SZ value to the registry:

HKLM\Software\FastPassCorp\Password Manager\SelfServiceClientRestrictionClientType

Value data: WindowsClient;Browser;MobileClient

The above value data will restrict all clients, ; is the delimiter.

When setting this value, the Client restricts access for all other clients than the one mentioned. E.g. Setting

the value to Windows Client will only permit Windows Client to access the website. If it is set the feature will

send a 404-http status code to all other clients.

Furthermore, it is possible to limit access to the client by domain, this feature only targets the Windows

Client – pre-req is that the SelfServiceClientRestrictionClienType setting must be set to WindowsClient.

Limiting by domain is easy simply add the REG_SZ value:

HKLM\Software\FastPassCorp\Password Manager\SelfServiceClientRestrictionClientDomain

Setting the NetBIOS name of the domain, multiple can be added, separating by; e.g.

DomainA; domainB












18/51


5 SECURITY MEASURES INSIDE WINDOWS CLIENT

5.1 URL RESTRICTIONS

By default, Windows Client will only let the web-part get web pages from pages that hold the

/FastPassClient/ part amongst other. The intention is to prevent any visits on malicious web pages. The

Pages allowed in the Windows Client are controlled in the PMWindowsClient -config.xml file in the following

section.

<urlrestrictions>

<urlrestriction enabled="true" type="allow" behavior="visible" scope="*" matchmethod="regexp"

matchvalue="(.*\/FastPassClient\/.*)|(.*\/FastPassCorp\/skins\/.*)|(.*\/FastPassCorp\/javascript\/.*)|(^https:\/\/appletk.danid.dk\/.*)"

/>

</urlrestrictions>

Figure 6

Use the rules to customize the usage in the specific environment. eg. allowing access to help pages or the

like.












19/51


6 INSTALLING THE PASSWORD MANAGER WINDOWS CLIENT

The Password Manager Windows Client is distributed in 2 MSI installer packages, one for 32-bit OS and one

for 64-bit. For all the supported platforms, it can be installed silently by specifying options on the command

line or in a configuration file. After the installation, the client will immediately start working at the next login .

Reboot is not required.

6.1 SUPPORTED PLATFORMS

The Password Manager Windows Client is supported on the following Windows Operating Systems.

Operating Systems Limitations

Windows 7 32 bit None




Windows 8.1 32 bit None

Windows 8.1 64 bit None



6.2 PRE-REQUIREMENTS

The Password Manager Windows Client has the following pre-requirements for installation on any of the

supported platforms.

Operating Systems Comments

Microsoft .NET v4.5.1 Or higher

6.3 ADMINISTRATIVE PRIVILEGES REQUIRED

Figure 7

When trying to install FastPass Windows Client sometimes you might run into the above message. What is needed is to run this the installer from a command prompt with Administrative privileges. Please follow these steps: Click on the start menu on the PC and in the search menu type cmd.exe → right click the cmd.exe and choose to Run as Administrator. You might be prompted to give credentials and password. You will now have to place the command line where the FastPass Windows Client.msi is residing.












20/51


6.4 INSTALLATION USING GUI

The Password Manager Windows Client can be installed in GUI mode which is described and illustrated in

the following.

To start the installation, you must be logged on as a user with administrative privileges and the start the

installer program, by default named as “FastPassWindowsClient.msi” . This will bring up the Install Shield

Wizard program.

Figure 8

Click the “Next” button to continue and the “End User License Agreement” screen will be shown.












21/51


Figure 9

Click the “Next” button to accept and to continue and the user specification screen will be shown.

Figure 10

Type in User and Organization information and click the “Next” button to continue and the Installation

destination selection screen will be shown.

Figure 11

In the Server name type in the FastPass server name.












22/51


Figure 12

Click the “Browse” button to specify an alternative installation destination and eventually click the “Next”

button to proceed. This will bring you to the “Installation Confirmation” screen, which is the last chance to

cancel before the actual installation will be performed.

Figure 13

Click the “Install” button to proceed. This will initiate the installation process and bring up the “Installation

Progress” screen.












23/51


Figure 14

On successful completion, the wizard automatically shifts to the “Finish” screen.

Figure 15

Click the “Finish” button. This will close the Install Shield Wizard.

6.5 INSTALLATION USING COMMAND LINE OPTIONS

The Password Manager Windows Client can be installed in silent mode and configured to access a specific

Password Manager server using command line options. Supported options:












24/51


• SERVER=”servername” Server to be accessed.

• SERVERURL=”https://servername/FastPassClient/Default.aspx ” Full specification of the URL to be accessed.

• LANGUAGE= [da|cy-GB|de|en|es|fr|it|ja|lt|lv|nl|no|pl|pt-BR|pt-PT|sv|zh] Default Language to be used if the system language settings isn’t supported by the Windows Client.

Value(Missing languages) Language

da Danish

cy-GB Welsh

cs Czech

de German

el Greek

en English

es Spanish

et Estonia

fr French

he Hebrew

hu Hungarian

id Indonesian

it Italian

ja Japanese

lt Lithuanian

lv Latvian

nl Dutch

no Norwegian

pl Polish

pt-BR Portuguese (Brazil)

pt-PT Portuguese (Portugal)

th Thai

tr Turkish

sv Swedish

zh Chinese

• FORCELANGUAGE=[0|1] Forces the use of a specific language (value of LANGUAGE or “en”) instead of defaulting to the system settings.

• ECC=[0|1] Whether the Enforcement Client should also be installed, this is enabled (1) by default.











https://servername/FastPassClient/Default.aspx


25/51


The syntax for this is as shown in the following.

<MSIFILE> /quiet SERVERURL=” https://<server>/FastPassClient/Default.aspx”

Where <MSIFILE> shall be replaced with the filename of the installer which by default is

FastPassWindowsClient.msi.

Please Notice!

The number of supported languages is continuously expanding and furthermore this can be

controlled by the Password Manager Server configuration. Read the Installation Guide for the

Password Manager Server to see the newest list of supported languages and read the

Administrators Guide for information on how to customize language behavior.

Please Notice!

When installing using the “/quiet” option the installation is done into the path

%ProgramFiles%\FastPassCorp, so typically “C: \Program Files\FastPassCorp”.

6.6 INSTALLATION USING XML CONFIGURATION FILE

The Password Manager Windows Client can be installed in silent mode and fully configured using a

command line option where a XML configuration file is pointed to.

The syntax for this is as shown in the following.

<MSIFILE> /quiet CONFIGFILE="PMWindowsClient-config.xml"

or

<MSIFILE> /quiet CONFIGFILE="\\ComputerName\SharedFolder\PMWindowsClient-config.xml"

Please Notice!

When installing using the “/quiet” option the installation is done into the path

%ProgramFiles%\FastPassCorp, so typically “C: \Program Files\FastPassCorp”.

6.7 ADDING A PROXY SERVER

In most installations, the proxy settings are not needed since this is already available from the machine

default settings and then this whole section can be left out but if you have the same proxy all over then you

can also enter it in in the config file like this:

<service>

<conditions>

<webprobes>

<webprobe proxyconfigstring="http://PROXY:PORT"

url="https://SERVER/FastPassClient/Default.aspx" timeout="30" />

</webprobes>











https://webmail.itintergroup.com/owa/redir.aspx?C=a0e5c92025244c0da21e4625db7ab0d8&URL=file%3a%2f%2f%5c%5cComputerName%5cSharedFolder%5cFPWindowsClient-config.xml


26/51


</conditions>

<servers>

<server proxyconfigstring="http://PROXY:PORT" url="https://SERVER/FastPassClient/Default.aspx"

timeout="60" />

</servers>

</service>

Working with multiple servers

There are settings to be managed. If you look at the main configuration file after the installation placed here:

<INSTALLDIR>\FastPassCorp\Configuration\FastPassWindowsClient\PMWindowsClient-config.xml

Where <INSTALLDIR> shall be replaced with the selected installation directory typically “C:\Program Files

(X86)”

The XML config file names a service as a section where access to one or more FastPass servers are to be

contacted. The service entity can host webprobe or server entities. An XML file can host multiple services,

each service can host multiple servers.

An example where you have 3 web-servers in use could be:

<?xml version="1.0" ?>

<config>

<options>

<UpdatePasswordCache value="true" />

<UpdatePasswordCacheForAnyDomain value="false" />

<EnrollmentEnforcementIsEnabled value="true" />

<EnrollmentEnforcementConfigFilename value="C:\Program Files

(x86)\FastPassCorp\Configuration\PMEnrollmentEnforcementClient\PMEnrollmentEnforcementClient.confi

g.xml" />

</options>

<displayoptions>

<DisplayOptionsProfile value="" />

</displayoptions>

<urlrestrictions>


matchvalue="(.*\/FastPassClient\/.*)|(.*\/FastPassCorp\/skins\/.*)|(.*\/FastPassCorp\/javascript\/

.*)|(^https:\/\/appletk.danid.dk\/.*)" />

</urlrestrictions>

<configurationservers>

<configurationserver

url="https://server01.domain2016.local/FastPassClient/ConfigurationService.asmx"

updatefrequency="10" timeout="60" />

</configurationservers>

<services>

<service>

<conditions>

<webprobes>

<webprobe url="https://server01.domain2016.local/FastPassClient/ " timeout="30" />

</webprobes>

</conditions>

<servers>












27/51


<server url="https://server01.domain2016.local/FastPassClient/Default.aspx" timeout="60"

/>

</servers>

</service>

<service>

<conditions>

<webprobes>


</webprobes>

</conditions>

<servers>


/>

</servers>

</service>

<service>

<conditions>

<webprobes>


</webprobes>

</conditions>

<servers>


/>

</servers>

</service>

</services>

</config>

If you are having multiple servers in the infrastructure the client can decide what server to access by using

webprobes. A webprobe is a simply a request to a webserver, if a code 200 or 302 is returned from the

server within the timeout specified the service is chosen. If the probe fails, the client jumps to the next

service.

6.8 RUNNING THE WINDOWS CLIENT IN A TERMINAL SERVICES/CITRIX ENVIRONMENT

Windows Client is fully compatible running in a Terminal Service/Citrix environment.

The windows client supports operating in a Terminal Services and/or Citrix environment.












28/51


7 UPGRADING THE WINDOWS CLIENT

To upgrade from prior versions the old version needs to be uninstalled.












29/51


8 SETTING UP THE FOR REMOTE PASSWORD RESET

With this feature a user can reset the password, and get the local machines cached password updated, from

anywhere. This means that the user can login on a local machine, even while working from home and

resetting the password using FastPass.

8.1 HOW IT WORKS

To use this feature, a VPN connection and script must be setup for use with Windows Client. What FastPass

does is that it started a VPN and forces the client machine to update the locally cached password, hereby

enabling the end-user to login after having reset the password. The VPN connection needs to allow a

connection to a domain controller and to the FastPass server.

Basically, the VPN feature can act in two ways:

1. As soon as the Windows Client starts (Full VPN)

2. Right after the user has reset the password (VPN)

8.2 PARTIAL VPN

8.2.1 PARTIAL VPN FLOW

Here are the overall steps in the communication when the Partial VPN is in use:

1. When the Windows Client starts, it will open the web-page and display it to the user.

2. Once the user activates the Exit button, and the feature is enabled in the PMWindowsClient-

config.XML file, the credentials are attempted to be fetched from Password Manager.

3. The VPN feature also needs to be enabled on the server, from there the client will get details like the

script names etc.

4. If and only if a password reset has been successfully carried out the VPN script specified in the

config will be called

5. If the connection succeeds and Windows Client can connect to a domain controller the Password

Cache is updated

6. The close VPN script is called

7. Windows Client exits

Windows Client will call the script – the script itself needs to be changed to fit the customer’s VPN software.

Example scripts are found in the VPN folder under the FastPassWindowsClient folder.

8.2.2 PREPARING THE SERVER FOR PARTIAL VPN

On the server side the VPN setup can be enabled by opening the administration client and clicking the

Feature settings->Windows Client icon (if not present the feature might be missing in your License). When

opening, the following screen appears:












30/51


Figure 16

By default, the “settings for local Connections” is enabled. This will let Windows Client update the locally

cached password on the LAN and not wait for the user to login manually.

To enable the VPN feature we need to adjust the settings for “Settings for Remote Connections”

Basic settings:

• Profile Name: this name is relayed to the Windows Client and will be available in the VPNScript as

an environment variable

• Credential mode












31/51


o User Credentials (The user’s username and password) (cannot be used with the Full VPN

feature)

o Specific Password (The user’s username and the specified password)

o Specific Credentials (The specified username and password)

• Username: Is only used when the specific credentials are used

• Password: Is only used when the “specific credentials” or “specific password” is used

VPN Opening Settings

• VPN Open Script: The name of the script/executable to be called - must be residing in the

FastPassWindowsClient\VPN folder

• Delay before open: Sets the number of seconds to wait before calling the script

• Open operation timeout: Specifies how long time to wait the vpn open operation to complete

• Delays after open: Specifies how long to wait before moving to the Update operation.

Update Operation Settings

• Delay before update: Sets the number of seconds to wait before attempting the operation

• Number of update retries: How many times to retry the operation if it fails

• Delay between retires: Specifies how long time to wait before making a retry operation

• Delays after update: Specifies how long to wait before moving to the close operation.

VPN Closing Settings

• VPN Close Script: The name of the script/executable to be called - has to be residing in the

PMWindowsClient\VPN folder

• Delay before close: Sets the number of seconds to wait before calling the script

• Close operation timeout: Specifies how long time to wait for the vpn close operation to complete

• Delays after Close: Specifies how long to wait before exiting.

8.2.3 PREPARING THE CLIENT

8.2.3.1 CONFIG CHANGES

There are a few things to prepare on the Windows Client. In the PMWindowsClient -config.xml file you need

to have enable the vpn feature by setting the UsePartialVpnConnection to true like this:

<config>

<options>



<usepartialvpnconnection value="true" />

<usefullvpnconnection value="false" />

8.2.3.2 CREATING A SCRIPT

You can use the examples placed on the folder, if present, or ask support for examples if needed.












32/51


The Windows Client will make the credential information available to the Windows Client selected vpn script

by creating the following environment variables:

• VpnProfile

• VpnUsername

• VpnPassword

8.3 FULL VPN

8.3.1 FULL VPN FLOW

Here are overall steps in the communication when the normal FULL VPN is in use:

1. As soon as the Windows Client is activated the client will try to determine if at domain controller is -

contactable. If no domain controller can be reached, and the settings in the config are set for Full

VPN the VPN open script is executed

2. After having launched the VPN the FastPass server is contacted, the user carries out the reset

3. When the user exits the client the client checks if the user did reset a password, if so the local

password cache is updated.

4. The VPN closes

8.3.1.1 PREPARING THE SERVER FOR FULL VPN

There are no steps needed to prepare the server as the server by default allow the client to update the

cached password. This can be checked here: Feature settings->Windows Client

8.3.2 PREPARING THE CLIENT

8.3.2.1 CONFIG CHANGES

There are a few things to prepare on the Windows Client. In the PMWindowsClient-config.xml file you need

to have enable the vpn feature by setting the usefullvpnconnection to true like this

This is also the place to add the connection details in an encrypted manner. To generate the value in the

vpnconfiguration entity please download the Full VPN configuration Tool from the download site.

Open the configuration tool and put in the credentials and VPN profile if needed for the VPN to establish a

connection. Review the other two tabs which is similar to the settings above for the partial vpn configuration.

When done, click Generate to get the encrypted string. Add the encrypted string as in the example below.

The the basic credential information entered will be available in the VPN scripts as the following

environment variables; VpnProfile, VpnUsernameand and VpnPassword.

The variables are the same












33/51


<config>

<options>



<usepartialvpnconnection value="true" />

<vpnconfiguration value="M34C5wuzRP……………………………………………………… =" />

8.3.2.2 CREATING A SCRIPT

You can use the examples placed on the PMWindowsClient\vpn folder, if present, or ask support for

examples if needed.

The Windows Client will make the credential information available to the Windows Client selected vpn script

by creating the following environment variables:

• VpnProfile

• VpnUsername

• VpnPassword

8.4 SIGNING SCRIPTS

By default, the scripts opening the VPN are executed as is. It is however possible to demand that the scripts

are signed, which will also ensure that no one has tampered with the scrip ts. To enable signing the following

key needs to be created in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client\Security\

Under this key the following REG_SZ entry needs to be created:

VerifyFileSigningOfCommandLineScripts

With the value True.

This key need only to be readable by the local system account, hence it is advised to not allow others to

read the key.

Please note that signing will only work if the signers public key is instal led at the machines “Trusted

Publishers” certificate store.












34/51


9 PASSWORD MANAGER WINDOWS CLIENT CUSTOMIZATION

9.1 CUSTOMIZING THE LAUNCH PANEL LOGIN COMPONENT

In this section, you will be guided to customize different layouts the below applies to Windows Client version

3.5.2 or later. Customization wise both color, size, text, fonts, location can be changed.

Customizations is done directly in the PMWindowsClient.Config.xml config file. The file and images used for

customizations needs to be distributed to all clients, either by editing the msi . file or using the package

deployment too to add the files after installation.

In the config, the design is controlled in the displayoptions entity. Example of how the

PMWindowsClient.Config.xml looks like in the FastPass Window Client when setting new layout.

The display option is the part of the PMWindowsClient.Config.xml, where yo u can control the layout of the

Launch Panel and the Splash Screen.

9.1.1 USING BUILT-IN DESIGNS

There are a few built-in, predefined designs. The below shows how to set the design.

<DisplayOptions>

<DisplayOptionsProfile value="SmallLightBlue" />

</DisplayOptions>

The values are predefined by FastPass. Options are SmallLightBlue, SmallLightBlue2, SmallDarkBlue and

SmallDarkBlue2. More to come.

SmallLightBlue, is the default, and it looks like this in the Launch Panel:

And like this in the Splash Screen












35/51


For the FastPass Windows Client Splash Screen

9.1.2 CUSTOMIZING COLOUR, LOGO AND TEXTS FOR THE LAUNCH PANEL.

As noted there are many different elements the XML allows to be customized. To get an overall

understanding of the elements and what they cover please take a look at the figure below.

Decoration Image

Header Text

Detailed Text

Background

In this section the detailed settings are defined and explained. Lets take the below config as example:

<?xml version="1.0" ?>

<config>

<options>

<UsePartialVpnConnection value="false" />

<UseFullVpnConnection value="false" />

<VpnConfiguration value="" />




















36/51


<UpdatePasswordCache value="false" />


<EnrollmEntenforcementIsEnabled value="true" />

</options>

<urlrestrictions>


matchvalue="(.*\/FastPassClient\/.*)|(.*\/FastPassCorp\/skins\/.*)|(.*\/FastPassCorp\/javascript\/.*)|(^https:\

/\/appletk.danid.dk\/.*)" />

</urlrestrictions>

<configurationservers>

<configurationserver url="https://server100.fp.local/FastPassClien t/ConfigurationService.asmx"

updatefrequency="10" timeout="60" />

</configurationservers>

<services>

<service>

<conditions>

<webprobes>

<webprobe url="https://server100.fp.local/FastPassClient/Default.aspx" timeout="15" />

</webprobes>

</conditions>

<servers>

<server url="https://server100.fp.local/FastPassClient/Default.aspx" timeout="60" />

</servers>

</service>

</services>

<DisplayOptions>


<LaunchPanelWindowWidth value="600" />

<LaunchPanelWindowHeight value="110" />

<LaunchPanelWindowVerticalOffset value="Screenbottom" />

<LaunchPanelWindowHorizontalOffset value="Right" />

<LaunchPanelWindowVerticalPositioning value="20" />

<LaunchPanelWindowHorizontalPositioning value="20" />

<LaunchPanelContentAreaBackgroundColorR value="128" />

<LaunchPanelContentAreaBackgroundColorG value="148" />

<LaunchPanelContentAreaBackgroundColorB value="148" />

<LaunchPanelDecorationImage1Enabled value="True" />

<LaunchPanelDecorationImage1Type value="FILE" />

<LaunchPanelDecorationImage1Id value="" />

<LaunchPanelDecorationImage1Path value="c:\\Program Files

(x86)\\FastPassCorp\\Configuration\\PMWindowsClient\\tools64.bmp" />












37/51


<LaunchPanelDecorationImage1PositionX value="10" />

<LaunchPanelDecorationImage1PositionY value="10" />

<LaunchPanelDecorationImage1Width value="64" />

<LaunchPanelDecorationImage1Height value="64" />

<LaunchPanelDecorationImage1TransparencyColorEnabled value="True" />

<LaunchPanelDecorationImage1TransparencyColorR value="0" />

<LaunchPanelDecorationImage1TransparencyColorG value="0" />

<LaunchPanelDecorationImage1TransparencyColorB value="0" />

<LaunchPanelHeaderTextFontQuality value="ANTIALIASED_QUALITY" />

<LaunchPanelDetailTextFontQuality value="ANTIALIASED_QUALITY" />

<LaunchPanelHeaderTextEnabled value="True" />

<LaunchPanelHeaderTextFontSize value="32" />

<LaunchPanelHeaderTextPositionY value="15" />

<LaunchPanelHeaderTextPositionX value="84" />

<LaunchPanelHeaderTextFontWeight value="900" />

<LaunchPanelHeaderTextFontUnderline value="false" />

<LaunchPanelHeaderTextFontItalic value="false" />

<LaunchPanelDetailTextPositionY value="50" />

<LaunchPanelDetailTextPositionX value="84" />

<LaunchPanelDetailTextFontSize value="22" />

<LaunchPanelDetailTextEnabled value="True" />

<LaunchPanelDetailTextFontUnderline value="True" />

<LaunchPanelDetailTextFontItalic value="True" />

<LaunchPanelDetailTextEnabled value="True" />



<LaunchPanelDetailTextColorR value="0" />

<LaunchPanelDetailTextColorG value="0" />

<LaunchPanelDetailTextColorB value="255" />

<LaunchPanelHeaderTextColorR value="0" />

<LaunchPanelHeaderTextColorG value="0" />

<LaunchPanelHeaderTextColorB value="255" />

</DisplayOptions>

</config>

This config results in this layout:












38/51


Please Note!!!

The DisplayOptionsProfile value must be set to empty to allow overriding settings.

Eg:


These are the different options:

9.1.2.1 CONTROLLING THE SIZE OF THE LAUNCH PANEL.

These setting will change the Size of the Launch Panel . Measurements are in pixels.

<LaunchPanelWindowWidth value="600" />

<LaunchPanelWindowHeight value="110" />

Note! Beware that the size of the Launch Panel needs to be large enough to have all text in the Launch

Panel.

9.1.2.2 CONTROLLING THE BACKGROUND COLOR OF THE LAUNCH PANEL

These setting will change the color of the Launch Panel

<LaunchPanelContentAreaBackgroundColorR value="128" />

<LaunchPanelContentAreaBackgroundColorG value="148" />

<LaunchPanelContentAreaBackgroundColorB value="148" />

If the color in Launch Panel is eg. white the text needs to be changed to an appropriate color to see it in the

Launch Panel.

9.1.2.3 CONTROLLING THE COLOR OF THE HEADER TEXT

These setting will change the color of the Header Text

<LaunchPanelHeaderTextColorR value="0" />

<LaunchPanelHeaderTextColorG value="0" />

<LaunchPanelHeaderTextColorB value="255" />












39/51


9.1.2.4 CONTROLLING THE COLOR OF THE DETAIL TEXT

These setting will change the color of the Detail Text

<LaunchPanelDetailTextColorR value="0" />

<LaunchPanelDetailTextColorG value="0" />

<LaunchPanelDetailTextColorB value="255" />

9.1.2.5 CONTROLLING THE DECORATION IMAGE OF THE LAUNCH PANEL

These setting will change the decoration image in the Launch Panel. Download an appropriate BMP file for

the organization and copy it in the FastPassCorp\Configuration\PMWindowsClient folder on the local PC.

The only format supported is BMP.

<LaunchPanelDecorationImage1Enabled value="True" />

<LaunchPanelDecorationImage1Type value="FILE" />

<LaunchPanelDecorationImage1Id value="" />

<LaunchPanelDecorationImage1Path

value="C:\\Program Files\\FastPassCorp\\Configuration\\PMWindowsClient\\tools64.bmp" />

Please note that the path may be different for 32 and 64 bit machines.

9.1.2.6 CONTROLLING TRANSPARENCY IN IMAGES

These setting will change the Transparency Color around Decoration Image in the Launch Panel. Making the

specified color transparent.

<LaunchPanelDecorationImage1TransparencyColorEnabled value="True" />

<LaunchPanelDecorationImage1TransparencyColorR value="0" />

<LaunchPanelDecorationImage1TransparencyColorG value="0" />

<LaunchPanelDecorationImage1TransparencyColorB value="0" />

Please Note!!!

Transparency settings does only applies to Windows 8/8.1 and 10.

9.1.2.7 CONTROLLING THE DECORATION IMAGE POSITION IN THE LAUNCH PANEL

These setting will change the position of the Decoration Image measured in pixels from upper line and from

left side.

<LaunchPanelDecorationImage1PositionX value="20" />

<LaunchPanelDecorationImage1PositionY value="20" />

9.1.2.8 CONTROLLING THE DECORATION IMAGE SIZE OF THE LAUNCH PANEL












40/51


<LaunchPanelDecorationImage1Width value="74" />

<LaunchPanelDecorationImage1Height value="74" />

9.1.2.9 CONTROLLING THE FONTS, SIZE, FORMAT OF THE TEXTS IN THE LAUNCH PANEL.

Changing fonts

<LaunchPanelHeaderTextFontQuality value="ANTIALIASED_QUALITY" />

<LaunchPanelDetailTextFontQuality value="ANTIALIASED_QUALITY" />

The above is the default setting.

Possible values are:

DEFAULT_QUALITY

DRAFT_QUALITY

PROOF_QUALITY

NONANTIALIASED_QUALITY

ANTIALIASED_QUALITY

CLEARTYPE_QUALITY

CLEARTYPE_NATURAL_QUALITY

Change the font size for Header Text and Detailed Text

<LaunchPanelHeaderTextFontSize value="34" />

<LaunchPanelDetailTextFontSize value="28" />

These settings are dependents on the size of Launch Panel and each other. The fonts size can be too big

and overlap each other.

Extending the space for the for header text and detailed text

As the texts are in capsuled in a bounding box, the box may need to be larger. Controlled by the below.

<LaunchPanelHeaderTextWidth value="500" />

<LaunchPanelDetailTextWidth value="500" />

Example of a header text using the Times New Roman font (Valid fonts names can be found at

%WINDIR%/Fonts)












41/51


Not all fonts are supported but the most common are.

If you choose a font that is not supported in (%WINDIR%/Fonts) the font reverts back to default.

<LaunchPanelHeaderTextFontFaceName value="Times New Roman" />

<LaunchPanelDetailTextFontFaceName value="Times New Roman" />

Other font settings

<LaunchPanelHeaderTextFontWeight value="900" />

<LaunchPanelHeaderTextFontUnderline value="false" />

<LaunchPanelHeaderTextFontItalic value="false" />

The weight values from 100- 900, it controls how bold the text is.

Example detailed text



Shows underline & Italic in the detailed text

Controlling the border background color and thickness.

<LaunchPanelBorderOuterBackgroundColorR value="0" />

<LaunchPanelBorderOuterBackgroundColorG value="0" />

<LaunchPanelBorderOuterBackgroundColorB value="0" />

<LaunchPanelBorderOuterThickness value="5" />

RGB controls the color, and outer border background thickness controls how thick the border will be.

Thickness is measured in pixels.

Example changing the inner border background color and thickness.

<LaunchPanelBorderInnerBackgroundColorR value="70" />

<LaunchPanelBorderInnerBackgroundColorG value="255" />

<LaunchPanelBorderInnerBackgroundColorB value="220" />

<LaunchPanelBorderInnerThickness value="5" />

RGB controls the color and Inner border thickness controls how thick the border will be.


Example changing the main border background color and thickness.

<LaunchPanelBorderMainBackgroundColorR value="255" />

<LaunchPanelBorderMainBackgroundColorG value="242" />

<LaunchPanelBorderMainBackgroundColorB value="100" />

<LaunchPanelBorderMainThickness value="5" />












42/51


RGB controls the color and main border thickness controls how thick the border will be.


9.1.3 CUSTOMIZING COLOUR, LOGO AND TEXTS FOR THE SPLASH SCREEN.

This section will explain the details of customizing the splash screen, showed when the Launch Panel is

activated.

Here you can see the different elements in the Splash Screen.

Decoration Image

Status Text

Status Text Background Color Bar

Background

9.1.3.1 CONTROLLING THE SIZE OF THE SPLASH SCREEN

<SplashScreenWindowWidth value="800" />

<SplashScreenWindowHeight value="400" />

9.1.3.2 CONTROLLING THE DECORATION IMAGE OF THE SPLASH PANEL

These setting will change the decoration image in the Splash Panel. Download an appropriate BMP file for

the organization and copy it in the FastPassCorp\Configuration\PMWindowsClient folder on the local PC.

The only format that is supported is BMP.




















43/51


<SplashScreenDecorationImagePath value="c:\\Program

Files\\FastPassCorp\\Configuration\\PMWindowsClient\\Sec.bmp" />

<SplashScreenDecorationImageEnabled value="True" />

<SplashScreenDecorationImageId value="" />

<SplashScreenDecorationImageType value="FILE" />

9.1.3.3 CONTROLLING THE SPLASH SCREEN POSITION OF THE DECORATION IMAGE

<SplashScreenDecorationImagePositionX value="50" />

<SplashScreenDecorationImagePositionY value="50" />

9.1.3.4 CONTROLLING THE SPLASH SCREEN DECORATION IMAGE SIZE

<SplashScreenDecorationImageWidth value="200" />

<SplashScreenDecorationImageHeight value="150" />

9.1.3.5 CONTROLLING THE SPLASH SCREEN STATUS TEXT BAR COLOR

<SplashScreenStatusBarTextColorR value="255" />

<SplashScreenStatusBarTextColorG value="255" />

<SplashScreenStatusBarTextColorB value="255" />

9.1.3.6 CONTROLLING THE SPLASH SCREEN STATUS BACKGROUND COLOR BAR

<SplashScreenStatusBarBackgroundColorR value="0" />

<SplashScreenStatusBarBackgroundColorG value="0" />

<SplashScreenStatusBarBackgroundColorB value="0" />

9.1.3.7 CONTROLLING THE SPLASH SCREEN BACKGROUND COLOR

<SplashScreenContentAreaBackgroundColorR value="148" />

<SplashScreenContentAreaBackgroundColorG value="148" />

<SplashScreenContentAreaBackgroundColorB value="148" />

9.2 TEXT CHANGES

The Organization might want to have customized the messages in the Launch Panel and Splash Screen.

Here is an option to do that in the following file.: PMWindowsClient.TextLibrary.xml the file is placed in the

<Installpath>FastPassCorp\Configuration\PMWindowsClient folder on the local PC.

Find the appropriate language/ languages for your organization and simply change the default text

messages to the texts that is wanted your organization. Mostly changes are made in this section.:












44/51


Example in english

<locale name="en">

.

.

<KioskLaunchWindowHeaderText str="Company name Password Reset" />

<KioskLaunchWindowDetailText1 str="Forgot your password." />

9.3 CUSTOMIZING THE EEC CLIENT

The Enrollment Enforcement Client supports display of custom header image in the displayed window and

custom tray icon in the notification area.

Header image

Logo

System Tray Icon















45/51


How to change the System Tray Icon:

<enrollmentenforcementclienttrayicontype value="FILE" />

<enrollmentenforcementclienttrayiconspec value="C: \favicon32.ico" />

- enrollmentenforcementclienttrayicontype

Icon source type. The value can be: RESOURCE or FILE.

- enrollmentenforcementclienttrayiconspec

Path to the location of the icon file. Please note that tray icon only supports *.ico file.

.

How to change the Header Image:

It is possible to change, resize, reposition the Header image.

<enrollmentenforcementclientheaderbackgroundimagetype value="FILE" />

<enrollmentenforcementclientheaderbackgroundimagespec value="C: \HeaderBackgroundImage3.png" />

<enrollmentenforcementclientheaderbackgroundimagepositionx value="0" />

<enrollmentenforcementclientheaderbackgroundimagepositiony value="0" />

<enrollmentenforcementclientheaderbackgroundimagewidth value="600" />

<enrollmentenforcementclientheaderbackgroundimageheight value="114" />

- enrollmentenforcementclientheaderbackgroundimagetype

Image source type. The value can be: RESOURCE or FILE.

- enrollmentenforcementclientheaderbackgroundimagespec

If image source type is set to FILE, then this is the path to the location of the image file.

If image source type is set to RESOURCE, then value refers to an internal resource key. There are

two resources available:

1. WindowsClient_HeaderBackgroundImage1

2. WindowsClient_HeaderBackgroundImage2

- enrollmentenforcementclientheaderbackgroundimagepositionx

X-axis position of image in Enforcement Client form.

- enrollmentenforcementclientheaderbackgroundimagepositiony

Y-axis position of image in Enforcement Client form.

- enrollmentenforcementclientheaderbackgroundimagewidth

Width of image in pixels.

- enrollmentenforcementclientheaderbackgroundimageheight

Height of image in pixels.

How to change the logo image:

<enrollmentenforcementclientlogoimagetype value="RESOURCE" />












46/51


<enrollmentenforcementclientlogoimagespec value="WindowsClient_LogoImage" />

<enrollmentenforcementclientlogoimagepositionx value="20" />

<enrollmentenforcementclientlogoimagepositiony value="32" />

<enrollmentenforcementclientlogoimagewidth value="80" />

<enrollmentenforcementclientlogoimageheight value="60" />

<enrollmentenforcementclientlogoimagetransparencyenabled value="true" />

<enrollmentenforcementclientlogoimagetransparencycolorr value="255" />

<enrollmentenforcementclientlogoimagetransparencycolorg value="255" />

<enrollmentenforcementclientlogoimagetransparencycolorb value="255" />

- enrollmentenforcementclientlogoimagetype

Image source type. The value can be: RESOURCE or FILE.

- enrollmentenforcementclientlogoimagespec

If logo image source type is set to FILE, then this is the path to the location of the image file.

If logo image source type is set to RESOURCE, then value is a resource already present in the

system. There is one resource available:

1. WindowsClient_LogoImage

- enrollmentenforcementclientlogoimagepositionx

X-axis position of image in Enforcement Client form.

- enrollmentenforcementclientlogoimagepositiony

Y-axis position of image in Enforcement Client form.

- enrollmentenforcementclientlogoimagewidth

Width of image in pixels.

- enrollmentenforcementclientlogoimageheight

Height of image in pixels.

- enrollmentenforcementclientlogoimagetransparencyenabled

For transparent images, the background color will be transparent.

- enrollmentenforcementclientlogoimagetransparencycolorr

From RGB color palette, R need to define here.

- enrollmentenforcementclientlogoimagetransparencycolorg

From RGB color palette, G need to define here.

- enrollmentenforcementclientlogoimagetransparencycolorb

From RGB color palette, B need to define here.

Please Note !!












47/51


- To show an image from a file, the image type must be set as 'FILE'.

- All position and size related values are in pixel units. As the system expects numeric values only, no

need to add 'px' as postfix.

- According to the provided image width and height, the system auto resize the physical size of image

proportionately.

- In logo image, to get background color to be visible, set

'enrollmentenforcementclientlogoimagetransparencyenabled' as 'false'.

- The EEC writes log for every step to show image. It is recommended to refer the log for any

abnormalities.












48/51


10 CUSTOMIZING THE LOG SETTINGS FOR THE FASTPASS WINDOWS CLIENT

This section describes how to change the settings for the different logs. This will affect the numbers of logs

on the PC, the size, the level of logging and where to place the log files. This can overall be configured to

limit and location the log data on the PC. To enforce custom settings the XML files will need to either be

overwritten post install or replaced in the msi package.

By default The logon and Com Components, logs in the System TEMP folder – usually c:\windows\temp\.

The log file for the EEC client is placed in the users TEMP folder

10.1 CUSTOMIZING LOG SETTINGS FOR THE LOGON COMPONENT

The log settings can be customized in the following file: PMWindowsClient.log4cpp.config, and can be found

at.: <Installpath>FastPassCorp\Configuration\PMWindowsClient

This is how the files looks like by default.:

log4cpp.rootCategory=All, fileLog

log4cpp.appender.fileLog=DailyRollingFileAppender

log4cpp.appender.fileLog.maxDaysKeep=7

log4cpp.appender.fileLog.fileName=PMWindowsClientKiosk.log

log4cpp.appender.fileLog.layout=PatternLayout

log4cpp.appender.fileLog.layout.ConversionPattern=%d{%Y/%m/%d %H:%M:%S.%l} [%-10u] [%-8t] [%-

12p] %m%n

10.1.1 SETTING THE LOG FILE LEVEL

FastPass Windows Client has various different loglevels that can be set.

log4cpp.rootCategory=VERBOSE, fileLog

Valid log levels are:

• VERBOSE

• DEBUG

• INFO

• WARNING

• ERROR

• FATAL

Please Note !! the valid log levels are Case Sensitive.

10.1.2 SETTING THE LOG FILE PATH FOR THE PMWINDOWSCLIENTKIOSK.LOG

FastPass Windows Client log can be configured to log in another place that the default.

log4cpp.appender.fileLog.fileName=PMWindowsClientKiosk.log

By default, this is placed in the systems temp folder, usually c: \Windows\Temp.

By changing the log4cpp.appender.fileLog.fileName attribute can be pointed to any folder.

10.1.3 SETTING THE LOG FILE NUMBER OF DAYS

FastPass Windows Client has now a new way to keep logs on the PC’s.

By default, the FastPass Windows Client will keep logs for 7 days.












49/51


The setting: log4cpp.appender.fileLog.maxDaysKeep=7 describes how many days the log should be stored

for.

10.2 CUSTOMIZING LOG SETTINGS FOR THE ENROLMENT ENFORCEMENT CLIENT.

In FastPass Password Manager, if enrollment profile with a security group i s created, and the user is

member of that group. Also, enrollment profile settings are setup and actions are also configured. The

FastPass Windows Client is installed on the PC. The user will be meet with a popup that tells the user to

enroll in FastPass Password Manager. The logging on the PC can be customized.

The log settings can be customized in the following file.: PMWindowsClient.log4cpp.config, and can be

found at.: <Installpath>FastPassCorp\Configuration\PMEnrollmentEnforcementClient

10.2.1 FASTPASS WINDOWS CLIENT EEC HAS A VARIOUS OF DIFFERENT LOG LEVELS THAT CAN

BE SET.

<level value="INFO" />

Valid log levels are:

• OFF

• EMERGENCY

• FATAL

• ALERT

• CRITICAL

• SEVERE

• ERROR

• WARN

• NOTICE

• INFO

• DEBUG

• FINE

• TRACE

• FINER

• VERBOSE

• FINEST

• ALL












50/51


11 UNINSTALLING THE PASSWORD MANAGER WINDOWS CLIENT

The Password Manager Windows Client is uninstalled from the Control Panel. The following sections

describe how this is done in Windows 7/8/8.1/10 uninstalling.

To uninstall the Password Manager Windows Client from a Windows machine you must be logged in as a

user with administrative rights.

Open the “Add/Remove Programs” from the “Control Panel”.

Select the “FastPass Windows Client” and select the “Uninstall” button at the top of the program list.

The uninstall will be performed and the “Programs and Features” program will be shown again.

11.1 UNINSTALLING FROM A WINDOWS 7/8/8.1/10 MACHINE

To uninstall the Password Manager Windows Client from a Windows Vista machine you must be logged in as

a user with administrative rights.

Open the “Programs and Features” program from the “Control Panel”.

Figure 17

Select the “FastPass Windows Client” and select the “Uninstall” button at the top of the program list.

Figure 18

Click the “Yes” button to accept that uninstall shall be performed.












51/51


Windows UAC will prompt you to warn about the action and you must select ”Allow” for the uninstall to be

performed.

The uninstall will be performed and the “Programs and Features” program will be shown again.

You can also read this article in the FastPass Portal how to remove it manually:

https://helpdesk.fastpasscorp.com/solution/articles/9000102358-manually-uninstalling-fastpass-windows-

client

Please note you need to be activated and login to the portal to access this article.











https://helpdesk.fastpasscorp.com/solution/articles/9000102358-manually-uninstalling-fastpass-windows-client

https://helpdesk.fastpasscorp.com/solution/articles/9000102358-manually-uninstalling-fastpass-windows-client

FASTPASS PASSWORD MANAGER · WINDOWS CLIENT INSTALLATION GUIDE 3 /51 FastPassCorp A/S is a public...

Documents

Transcript of FASTPASS PASSWORD MANAGER · WINDOWS CLIENT INSTALLATION GUIDE 3 /51 FastPassCorp A/S is a public...