User's Guide...Logging on with a Smart Card of type SmartCard Logon 17 Primary password Collection...

One Identity Authentication Manager for Windows 9.0.2

User's Guide

Copyright 2017 One Identity LLC.

ALL RIGHTS RESERVED.This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of One Identity LLC .The information in this document is provided in connection with One Identity products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ONE IDENTITY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. One Identity do not make any commitment to update the information contained in this document.If you have any questions regarding your potential use of this material, contact:One Identity LLC.Attn: LEGAL Dept4 Polaris WayAliso Viejo, CA 92656Refer to our Web site (http://www.OneIdentity.com) for regional and international office information.

PatentsOne Identity is proud of our advanced technology. Patents and pending patents may apply to this product. For the most current information about applicable patents for this product, please visit our website at http://www.OneIdentity.com/legal/patents.aspx.

TrademarksOne Identity and the One Identity logo are trademarks and registered trademarks of One Identity LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit our website at www.OneIdentity.com/legal. All other trademarks are the property of their respective owners.

Legend

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

Authentication Manager for Windows User's GuideUpdated - November 2017Version - 9.0.2

http://www.oneidentity.com/

http://www.oneidentity.com/legal/patents.aspx

http://www.oneidentity.com/legal

Contents

Preface 7

Overview 9

Authentication Manager Usage 9

Authentication Manager Features 9

Operating Modes 10

Welcome Screen 10

Logging on to Windows 13

Logging on to Windows with you User Name and Password 13

Logging on to Windows with your Smart Card 16

Logging on with a Smart Card containing Account Data 16

Logging on with a Smart Card of type SmartCard Logon 17

Primary password Collection or Reset 17

Everyday Log on 18

Logging on with a blank Smart Card 18

Logging on through Prim'X Cryhod 20

Enrolling a new Account on a Smart Card 20

Logging on to Windows with your Fingers 21

First Log on 21

Everyday Log on 23

Store on PC mode 23

Store on server Mode 24

Logging on to Windows with your RFID Badge 25

First Log on 26

First Log on with your Smart Card 27

Everyday Log on 28

Logging on through Citrix/TSE 29

Logging out 29

Logging on to Windows with your OTP (One Time Password) 29

Logging on to Windows by answering Questions 30

Logging on with your mobile device 31

Logging On a Workstation Locked by another User 32

Authentication Manager for Windows 9.0.2 User's Guide 3

Logging on to Windows using Autologon 32

Logging on with Microsoft Autologon 32

Logging on with Authentication Manager Autologon 33

Forcing Cache Update at Logon 33

Locking/Unlocking your Windows Session 35

Locking your Session 35

Unlocking your Session 36

Standard Unlocking 36

Transparent Unlocking 37

Switching Users Without Logging Off Windows 38

Managing your Password or PIN 40

Changing your Password 40

Changing an Expired Primary Password 42

Resetting your Password by Logging on to Windows with your Mobile Device 43

Modifying your Smart Card PIN 43

Modifying your RFID badge PIN 44

Modifying an Expired PIN 45

Resetting your PIN with your Primary Password 45

Resetting Your Password or PIN with the Emergency Access 46

Reset with Questions & Answers 47

Initializing the Self Service Password Request Feature 48

Resetting Your Password Upon Session Opening 49

Resetting your PIN 51

Resetting with an OTP 52

Managing your Smart Card 54

Managing the Unblocking of your Smart Card 54

Providing the Unblocking PIN of Your Smart Card 54

Unblocking your Smart Card 55

Unblocking Your Smart Card if you have provided Your PUK 56

Unblocking Your Smart Card if you have not provided Your PUK 56

Managing Primary Accounts on your Smart Card 57

Renewing your Smart Card Certificate(s) 58

Recovering your SSO Data 60


Recovering your SSO data with your old password 60

Recovering your SSO data by answering questions 61

Managing Your Windows Session Accounts 63

Creating a Windows Session Account 63

Deleting a Windows Session Account 65

Delegating a Windows Session Account 65

Removing a Windows Session Account Delegation 66

Managing a Cluster from your Workstation 67

Creating and Configuring your Cluster 68

Managing the Cluster Composition 68

Attaching a Workstation to Your Cluster 68

Releasing a Workstation from your Cluster 70

Renaming your Workstation 71

Setting an Alias 71

Modifying an Alias 72

Deleting an Alias 72

Executing Maintenance Operations on Your cluster 72

Removing Temporarily a Workstation from the Cluster 72

Rebooting your Cluster 73

Refreshing the Displayed Data 74

Managing Session Delegation 75

Configuring Session Delegation 75

Configuring Session Delegation in a Cluster 75

Setting a Temporary Session Delegation 76

Ending a Temporary Session Delegation 77

Setting a Permanent Session Delegation 78

Ending a Permanent Session Delegation 79

Configuring Session Delegation outside a Cluster 80

Setting a Session Delegation 80

Ending a Session Delegation 81

Accessing a Colleague’s Workstation 82

Accessing a Colleague’s Workstation in a Cluster 82

Taking control over another workstation 83

Ending the control over a Workstation 84


Accessing a Colleague’s Workstation outside a Cluster 84

Taking control over another workstation 84

Ending the control over a Workstation 85

Ending a Roaming session 87

Logging on a User Session as an Administrator 88

Logging on a User Session with Your Smart Card: "Grace period" 88

Logging on as local administrator with your mobile device 89

Running a Process on a User Session 89

Running a Process Using your Smart Card 89

Running a Process Using your OTP 90

Restarting and Running Enterprise SSO with your Credentials 90

Managing Reports 91

Authentication Manager Registry Keys 94

Autologon 94

Biometrics 95

Password Management 98

RFID 102

Roaming session 103

Smart Card 106

User Access 109

Integrating Authentication Manager with Prim'X Cryhod 112

Configuring the Integration 112

Customizing the Integration 113

Cryhod Log Files 114

About us 115

Contacting us 115

Technical support resources 115


Preface

Subject This guide explains how to use Authentication Manager with the following Windows versions: 10, (8) (+Server 2012), 7 (+Server 2008).

The following sections are relevant for all Windows versions displayed above, unless specified otherwise.

Audience This guide is intended for:

l End-users

l Administrators.

Required Software EAM 9.0 evolution 2 and later versions. For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to One Identity EAM Release Notes.

Typographical Conventions

Bold Indicates:

l Interface objects, such as menu names, buttons, icons and labels.

l File, folder and path names.

l Keywords to which particular attention must be paid.

Italics - Indicates references to other guides.

Code - Indicates portions of program codes, command lines or messages displayed in command windows.

CAPITALIZATI ON Indicates specific objects within the application (in addition to standard capitalization rules).

< > Identifies parameters to be supplied by the user.

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

Documentation support

The information contained in this document is subject to change without notice. As our products are continuously enhanced, certain pieces of information in this guide can be incorrect. Send us your

Authentication Manager for Windows 9.0.2 User's Guide

Preface7

comments or suggestions regarding the documentation on the One Identity support website.


Preface8

1

Overview

Authentication Manager is the authentication module of the Enterprise Access Management (EAM) suite. It enables rapid implementation of connection procedures using authentication mechanisms with physical authentication tokens (smart cards, USB drive, RFID badges), biometrics and mobile devices, in addition to the standard authentication methods of login/password.

NOTE: The list of supported authentication devices is provided in One Identity EAM Release Notes.

Authentication Manager Usage

Authentication Manager is used to rapidly implement strong authentication in the following use cases:

l Authentication with smart card or USB drive on Windows workstations, with no need to deploy a PKI compatible with Windows Active Directory certificates.

l Authentication using non-Windows methods, such as biometrics or mobile devices.

l Authentication of users through an enterprise directory, which is not part of the Windows network.

l Authentication using an RFID badge or a Bluetooth device.

l Authentication with an OTP (One Time Password).

Authentication Manager Features

The Authentication Manager icon , displayed in the notification area, launches every time you authenticate yourself to a Windows session and displays different actions depending on which rights the administrator has given you, such as:


Overview9

l Enrolling your biometric data.

l Enrolling your mobile device.

l Managing personal notes: refer to QRentry - Guide de l’utilisateur.

l Using the Self Service Password Request feature, by answering personal questions or by using your mobile device.

l Changing your PIN or collect an unblocking PIN.

l Managing a cluster.

l Delegating a Windows session.

l Taking control over a workstation.

l Ending a Roaming session.

l Managing security questions.

l Managing reports.

Operating Modes

Authentication Manager can be configured in one of the following modes:

l With Controller: administrators are directly authenticated in EAM console, the advanced access control module.

l Without Controller: administrators are directly authenticated in Active Directory or in any other supported LDAP directories.

Welcome Screen

The initial authentication screen appears when you press Ctrl+Alt+Del at workstation startup, or when you want to switch users.

Several users can be logged at the same time on a workstation, but only one session can be active on the workstation.

Windows versions

Windows 10

With Windows 10, you must first enter you user name, then click on Sign-in options to display the available authentication methods and select one. Depending on the selected authentication method, the display will be modified as a consequence and you will be able to authenticate.


Overview10

Windows 7

With Windows 7, the initial authentication screen shows several tiles corresponding to the authentication methods which are allowed and installed on the workstation, and to the users logged on the workstation.


Overview11

Methods to authenticate

Authentication Manager provides the following authentication methods:

l User name/password authentication Several users can be logged at the same time on the workstation. The screen shows one tile for each logged user, or if no user is logged, it shows one tile with the name of the last logged user. The Other User tile allows another user to open a session. For more information, see Logging on to Windows with you User Name and Password.

l Smart card authenticationThe initial authentication screen shows as many tiles as accounts stored on the smart card.For more information, see Logging on to Windows with your Smart Card.

l Biometric authenticationSee Logging on to Windows with your Fingers.

l RFID authenticationSee Logging on to Windows with your RFID Badge.

l OTP authenticationSee Logging on to Windows with your OTP (One Time Password).

l Password forgottenSee Logging on to Windows by answering Questions.

l Mobile device authenticationSee Logging on with your mobile device.

You can also use the Windows Remote Desktop Connection to open a Windows session remotely When you authenticate yourself on a workstation, your credentials are transmitted to the remote workstation (Pass Through method) when authenticating on it.

IMPORTANT: When you open a Windows session with your smart card and then open another connection remotely, this new session is opened in password mode only. This limitation is a Microsoft limitation as Windows only sends the login and password to the remote workstation


Overview12

2

Logging on to Windows

Logging on to Windows with you User Name and Password

Subject

This section explains how to connect to Windows with your user name and password through Active Directory or any other supported LDAP directory.

For the Windows 10 procedure, go to Windows 10.

For the Windows 7 procedure, go to Windows 7.

NOTE: If you are offline and enter 5 wrong passwords in a row, you will not be able to authenticate for the next 15 minutes. If you enter another wrong password, you will have to wait for an additional 15 minutes.

Windows 10

Procedure

1. Press Ctrl+Alt+Del.

The log on screen of the last authenticated user appears.

2. Click on Other user (or press Esc) to display the welcome screen.

3. Enter your user name and click Sign-in options to display all the authorized


Logging on to Windows13

authentication methods.

4. Do one of the following operations:

l To log on to the domain displayed on screen, type your password.

l To log on to another domain than the one displayed on the screen, type: <domain name>\<user name>.

IMPORTANT: If you need to open a local session (you will not be protected by the advanced features of EAM), type <workstation name>\<user name>.

5. Click on .

The Windows session opens.



Windows 7

Procedure


The initial authentication screen appears.

2. Click the tile corresponding to your name, or if no tile shows your name, click the Other User tile.

The authentication screen appears. The following example window shows the Other User authentication tile.

3. Do one of the following operations:

l To log on to the domain displayed on screen, type you user name and password.

l To log on to another domain than the one displayed on the screen, type: <domain name>\<user name>.

IMPORTANT: If you need to open a local session (you will not be protected by the advanced features of EAM), type <workstation name>\<user name>.

4. Click on .




Logging on to Windows with your Smart Card

Logging on with a Smart Card containing Account Data

Subject

If your account data is enrolled on the smart card, you can log on to your Windows session as explained in the following procedure.

Procedure


The authentication window appears.

2. Insert your smart card in the smart card reader.

The initial authentication screen appears, displaying as many tiles as primary accounts stored on the smart card.By default, the tile corresponding to the last primary account used to log on the workstation is selected.

NOTE: If none of the listed primary accounts correspond to the last used primary account, one of the listed primary accounts is randomly selected. If there is only one primary account on the card, this primary account is selected.

3. If needed, select the account with which you want to authenticate.

4. Enter the PIN and click OK.

IMPORTANT: If you re-authenticate, enter your PIN.

NOTE: You do not need to enter your username and domain name as they are already stored on the card when it is assigned by an EAM administrator.

If you try to log on with an expired password, a new password is requested. The smart card will be updated with this new password.If you have defined a password-generation policy in Enterprise SSO, the new password can be randomly generated. In this case, this screen never appears.

5. If there are several Windows accounts corresponding to the primary account, select an account in the role selection window.




Logging on with a Smart Card of type SmartCard Logon

Subject

Authenticating with a smart card of type SmartCard Logon enables you also to manage your primary password.

Description

Indeed, EAM uses the smart card certificate to authenticate you with your primary password.

Prerequisites

Your administrator must:

l Allow you to authenticate with your password.

l Allow the encrypted storage of your primary password.

For more information, see One Identity EAM Console - Guide de l'administrateur.

Primary password Collection or Reset

Procedure




The initial authentication screen appears, displaying as many tiles as primary accounts stored on the smart card.By default, the tile corresponding to the last primary account used to log on the workstation is selected.

NOTE: If none of the listed primary accounts correspond to the last used primary account, one of the listed primary accounts is randomly selected. If there is only one primary account on the card, this primary account is selected.

3. If needed, select the account with which you want to authenticate.

4. Fill-in the Password field and click OK.

IMPORTANT:If you want to reset your password, select the Generate my password check box.



NOTE:You do not need to enter your username and domain name as they are already stored on the card when it is assigned by an EAM administrator.

5. If there are several Windows accounts corresponding to the primary account, select an account in the role selection window.


Everyday Log on

Authentication is the same as in Logging on with a Smart Card containing Account Data.

IMPORTANT:If your password has been modified (by an administrator for example), it will have to be re-collected.

Logging on with a blank Smart Card

Subject

The first time you use a multi-account smart card to logon to your workstation, your account data is not necessarily stored on the smart card yet. The following procedure explains how to enroll your own account on a smart card.

The following procedure only applies to smart cards that can handle self-enrollment and multi-accounts.

Procedure




As your account is not stored on the smart card yet (first smart card authentication), the smart card tile displays Not assigned.

3. Click the Not assigned smart card tile.

The authentication screen appears.



Windows 10 Windows 7

4. Enter the PIN and click or .

As this is the first time you authenticate with this smart card, you are asked for your log on user name and password (that are stored in the directory). The password will be stored on the smart card and will no longer be requested, unless it is changed through an external procedure (administrator forcing a change, or a change initiated from a workstation not protected by Authentication Manager).

5. Enter the requested information and click OK.

The account is created on the smart card and the session opens.



Logging on through Prim'X Cryhod

Description

l When both Cryhod and E-SSO are installed, log-on as follows.

l For more information on Prim'X Cryhod integration, see Integrating Authentication Manager with Prim'X Cryhod.

Procedure

1. Log-on to the Cryhod pre-boot with your Smart Card and PIN.



3. Select the Smart Card tile

NOTE: If your last authentication was with your Smart Card, the Smart Card tile is automatically selected.


Enrolling a new Account on a Smart Card

Subject

If your smart card can store several accounts, Authentication Manager enables you to enroll new accounts on your smart card, as explained in the following procedure.

IMPORTANT:The account you want to store on the Smart Card must exist in the users' directory.

Procedure




The tile corresponding to the last primary account used to log on the workstation is selected.

3. Enter the PIN of your Smart Card.

4. Select the Create a new account check box and click or .



The Windows Account Entry window appears.


The account is created on the smart card and the Windows session opens.

Logging on to Windows with your Fingers

Authentication Manager can work in three store modes to authenticate users using their biometric data:

l STORE ON PC mode

The biometric data is stored on the PC in the EAM cache file. The fingerprint replaces the Identifier/Password.

You must enroll yourself on each PC that you connect to.

l STORE ON SERVER mode

The biometric data is stored on a server. The fingerprint replaces the Identifier/Password.

First Log on

Subject

To log on to Windows using your finger, you must first enroll your biometric data.

Before starting

l A finger reader must be installed on the workstation.

NOTE: The workstation can support only one reader..

IMPORTANT: We strongly recommend that you download the latest:

l Drivers and license of your product.

l License for the installation.

l If you use several finger readers, just plug in the one reader you want to use, unplug all the other readers and restart the computer.



NOTE: For more information on supported biometric devices, see One Identity EAM Release Notes.

l If the administrator has configured a validation of your authentication, a second EAM user must authenticate him or herself after you.

l If the Biometric Enrollment tool does not start, modify the Authentication Manager installation by selecting the Biometric Enrollment tool option and restart the computer.

IMPORTANT: Ensure that the Controller is available to enroll in Store on Server Mode.

Procedure

1. Depending on your biometric authentication mode, do one of the following:

l Store on PC: log on using your password, as described in Logging on to Windows with you User Name and Password.

l Store on Server: log on using your finger, as described in Logging on to Windows with your Fingers.

NOTE: You can also log on by using your password and enroll your biometric data afterwards.

The EAM Biometrics Enrollment tool starts after a successful authentication.

2. If it does not start: display the Authentication Manager menu by right-clicking the Authentication Manager icon in the notification area and clicking Biometric enrollment.

3. Follow the instructions of the Biometric Enrollment tool.

4. When you have successfully completed the scan of your finger(s), log off and try to log on using the biometric reader, as described in Logging on to Windows with your Fingers.

NOTE: There can only be one set of fingers per biometric reader.



Everyday Log on

Subject

This section describes how to log on to Windows using your finger(s).

NOTE: Depending on your biometric authentication mode (STORE ON PC, STORE ON SMART CARD or STORE ON SERVER), the procedure is slightly different.

Before starting

You must have enrolled your biometric data, as described in First Log on.

NOTE:Each time you connect yourself to a new workstation in Store On PC mode, you must enroll your biometric data.

Store on PC mode

1. When the Authentication Manager welcome screen appears, place your finger on the scanner. If prompted to, enter your Password.

The following tile appears:

Depending on your configuration, you log on automatically when your finger is successfully captured Otherwise, the following window appears:



2. Make sure your Login is correct and click or to validate.

NOTE: For details on how to enable the automatic validation, see Appendix A., "Authentication Manager Registry Keys".

Store on server Mode

1. When the Authentication Manager welcome screen appears, place your finger on the scanner. If prompted to, enter your Password.

The biometrics tile appears:

Depending on your configuration, you log on automatically when your finger is successfully captured Otherwise, the following window appears:

2. Make sure your Login is correct and click or to validate.

NOTE:

l If the authentication fails, check your Identifier. If it is not the right one, enter the correct Identifier.

l For more details on how to enable the automatic validation, see Appendix A., "Authentication Manager Registry Keys".



Logging on to Windows with your RFID Badge

Subject

This section explains how to authenticate with an RFID badge or a Bluetooth device. Indeed, Bluetooth devices (mobile phones, tablets...) can also be used to authenticate when the RFID badge is not available.

IMPORTANT: For the Bluetooth device to be recognized by the EAM Console as an RFID badge, it must be paired with the workstation.

Description

There are two types of RFID authentication:

l Contact RFID: see Contact RFID hereunder.

l Zone RFID: see Zone RFID hereunder.

Contact RFID

An RFID badge can either be:

l Placed on the device, i.e. active mode: the Windows session is locked when the badge is withdrawn.

l Quickly presented to the device, i.e. passive mode: the Windows session locks itself when the badge is presented again and withdrawn.

To force RFID authentication behavior, you must set the corresponding registry keys: see RFID.

Zone RFID

When the user enters the unlock area, the RFID badge is detected by the device and the unlocking of the session is possible.

When the user leaves the unlock area, the session closes.

The following figure illustrates how EAM acts depending on the area in which it detects the RFID badge.



First Log on

Before starting

An RFID reader must be installed on the workstation.

Procedure

1. Place the RFID badge in the unlock area or on the device so that EAM detects it.

The authentication window appears and tells you that your RFID badge is not assigned.



2. Click on to validate.

The Enroll an Account window appears.

3. Enter your login and password to associate them with your RFID badge.

4. (Optional): if a PIN has to be associated with your RFID badge, enter it in the corresponding fields.

5. Click OK.

If your are authenticated, the session opens.

NOTE:

l You can have as many RFID badges as you want, this enables you to lend them to other people.

l You can delete the badge enrollment by blacklisting it in the Administration Console.

l EAM policy cannot block the auto-enrollment of a badge.

First Log on with your Smart Card

Subject

You can combine the RFID authentication method with a smart card for your first log on.

Before starting

l Authentication Manager must be installed on the workstation.

l An RFID and Smart Card reader must be installed on the workstation.



IMPORTANT:

l You must own both RFID badge and smart card to log on.

l If no RFID badge is detected, the RFID badge enrollment will not be suggested the next time you open your Windows session.

Procedure


Your smart card and your RFID badge are detected, the following window appears:

2. Click the Enroll button to enroll your RFID badge.

Your RFID badge is now enrolled.

Everyday Log on

Procedure

1. Place the RFID badge in the unlock area or on the device so that EAM detects it.


NOTE: Contact RFID method: you can withdraw your RFID badge before typing in your password.

2. In the RFID owner field, select the wanted RFID badge, type in your password or PIN and click OK.



IMPORTANT: If you have withdrawn your RFID badge, you have 30 seconds to enter your password and validate.

Your session opens.

Logging on through Citrix/TSE

If you want to log on through Citrix/TSE, you must press the SHIFT key when placing your RFID badge in the unlock area.

Logging out

There are two possibilities for logging out with a contact RFID badge:

l If you have left your RFID badge on the device, withdraw it and the session closes.

NOTE: Not relevant for HID Prox 125kHz badges.

l If you have withdrawn your RFID badge when opening the session, you must place it back in the unlock area and withdraw it again to close the session.

NOTE:

l You can configure how the session closes in the Access Point Profile.

l If an EAM authentication such as primary reauthentication, Enterprise SSO Studio launch etc. is necessary; then placing the RFID badge in the unlock area will not lock the PC.

l If you have a contact smart card, you must insert it in the RFID reader

To log out with a zone RFID badge, leave the unlock area and the session closes.

Logging on to Windows with your OTP (One Time Password)

Subject

The OTP enables you to log on to Windows with a different password each time. The OTP authentication method is considered as an emergency alternative to the other authentication methods.



Before starting

If you are in:

l Online mode: the RSA Authentication Agent must be installed on the EAM Controller.

l Online and Offline mode: the RSA Authentication Agent must be installed on the EAM Controller and on every workstation. You must have authenticated at least once in Online mode to authenticate with your OTP in Offline mode.

Procedure



2. Enter your User name and OTP with/without PIN displayed on the device in the corresponding fields.

3. Click or .

4. If:

a. You enter too many wrong OTPs in a row, the RSA security policy can require you to enter the next code from your token. A dialog box appears.

Wait for the new code to appear on your token and enter this code.

IMPORTANT: Do not enter your PIN.

b. The RSA security policy requires you to set or change your PIN, a dialog box appears. The security policy either lets you choose a PIN, or imposes a PIN which you must accept.

l Enter the new PIN and click OK

l Wait for the code on your token to change and then reconnect with an OTP that uses the new PIN.

l Click OK.

Your session opens.

Logging on to Windows by answering Questions

Subject

If your administrator has authorized it, you can log on to Windows by answering questions from the Questions and answers tile (Windows 10) or Password forgotten



(Windows 7) without changing your password. If he has not authorized it, you must reset your password as described in Resetting Your Password or PIN with the Emergency Access.

Before starting

l You must have chosen a set of questions and recorded the associated answers using the Authentication Manager Self Service Password Request Wizard. Refer to the Resetting Your Password or PIN with the Emergency Access.

l You workstation must be online.

l An EAM controller must be available.

Procedure

1. In the session opening window, depending on your Windows version, click one of the following tiles:

l Windows 10: Questions and answers.

l Windows 7: Password forgotten.

The Self Service Password Request wizard appears.

2. Follow the displayed instructions and answer the different questions.

If you have answered the questions correctly, your Windows session opens.

Logging on with your mobile device

Subject

If your administrator has authorized it, you can log on to Windows using your mobile device, from the Connect with a mobile device tile.

For more information on this authentication method, refer to the QRentry - Guide de l’utilisateur.



Logging On a Workstation Locked by another User

Procedure

1. To log on to a workstation locked by another user, press Ctrl+Alt+Del.

The authentication screen corresponding to the authentication method used by the other user to lock his/her session appears.

2. Click the Other Credentials button.

3. Click the Other User (Windows 10) or Switch User (Windows 8) button.


4. Log on to the workstation as explained in Logging on to Windows.

Logging on to Windows using Autologon

There are two ways to log on to Windows with Autologon:

l Without Authentication Manager: see Logging on with Microsoft Autologon.

l With Authentication Manager: see Logging on with Authentication Manager Autologon.

IMPORTANT: To use Autologon, you must set registry keys If you set these keys for both Microsoft and Authentication Manager Autologon at the same time, then only Microsoft Autologon is applied: no E-SSO process is started.

Logging on with Microsoft Autologon

The Microsoft Autologon opens a Windows session without starting Authentication Manager or E-SSO.

NOTE: You can use the SSO FUS method to log on.

Microsoft Autologon works only if all the following registry keys are set:AutoAdminLogon.

DefaultDomainName.

DefaultUserName.

DefaultPassword.



NOTE: To set these keys, please refer to the corresponding Microsoft documentation: http://support.microsoft.com/?scid=kb%3Ben-us%3B315231&x=10&y=13.

IMPORTANT: If you want to disable the Microsoft Autologon process, keep the Shift key pressed during authentication process.

Logging on with Authentication Manager Autologon

The Authentication Manager Autologon opens a Windows session with Authentication Manager and/or E-SSO processes being started.

Authentication Manager Autologon works only if all the registry keys in Autologon are set.

IMPORTANT: If you want to disable the Authentication Manager Autologon process, keep the Shift key pressed during authentication process

Forcing Cache Update at Logon

Subject

By default, the authentication is done on the existing cache. The following procedure explains how to force the authentication in the target directory and so to update the authentication data in the cache.

NOTE: This feature is only available if Automatic Validation is disabled by the Administrator: please refer to the One Identity EAM Console - Guide de l'administrateur

Procedure

1. After choosing the tile, click I want to modify login options.

The Login Options window appears.



2. Select the Update User Cache check box and click OK.

The authentication is done in the directory and the cache is updated.



3

Locking/Unlocking your Windows Session

Locking your Session

Subject

The Lock state enables you to prevent anybody from accessing your session when you are away.

This section describes the different means to lock a session, whether your computer is in a cluster or not.

Procedure

To lock the computer, do one of the following:

l Press the Windows+L keys. Depending on the workstation profile, this locks the:

l Workstation.

l Keyboard and mouse (transparent lock).

OR

l Keyboard and mouse with a logo displayed at the top of the screen (transparent lock):

NOTE: If you have authenticated with a smart card, remove the card from the reader (or a USB drive from its port): your session is locked automatically.

l If you have authenticated with a smart card, remove the card from the reader (or a USB drive from its port): your session is locked automatically.

NOTE: The administrator can modify the default workstation behavior when a token is removed, from EAM Console. If the session is not locked at token removal, it means that your administrator has modified this option.


Locking/Unlocking your Windows Session35

l If you have authenticated with an RFID badge, place the badge outside the visibility area (lock area).

l If you have authenticated with your mobile device, use the QRentry remote control to lock your session. For more information, see QRentry - Guide de l’utilisateur.

l Put the computer into a sleep state.

Unlocking your Session

To unlock your session, you can re-authenticate as you do for session opening. The re-authentication method does not necessarily need to be the same as for opening the main session.

l If you have authenticated yourself with an RFID badge and locked the session by placing the badge outside the unlock area, the session is automatically unlocked if you come back with your RFID badge in the unlock area before the end of the grace period (which is defined by your administrator).

l If you have authenticated with your mobile device, use the QRentry remote control to unlock your session. For more information, see QRentry - Guide de l’utilisateur.

A workstation can only be unlocked by the user who has locked it, unless it is unlocked using the Fast User Switching option.

NOTE: A user with administration rights on the workstation can force the closure of a locked administration session.

Standard Unlocking

Procedure

To unlock the session, do one of the following:

l User name and password authentication: log on as described in Logging on to Windows with you User Name and Password.

l Smart card authentication: go to step 2 of Logging on to Windows with your Smart Card. If you do not have your smart card with you, press the Ctrl+Alt+Del keys and log on using your Windows password. Refer to the One Identity EAM Installation Guide to insert the corresponding registry keys.

l Biometric authentication: log on as described in Everyday Log on.

l RFID authentication: place your RFID badge inside the unlock area. If the grace period has:



l Exceeded, log on as described in Logging on to Windows with your RFID Badge.

l Not exceeded, the session is automatically unlocked.

NOTE: The grace period is set by your administrator.

l OTP authentication: enter your OTP: see Logging on to Windows with your OTP (One Time Password).

Transparent Unlocking

Procedure

To unlock the session, do one of the following:

l User name and password authentication: depending on your Windows version, do one of the following: press the Windows+L keys and go to Logging on to Windows with you User Name and Password.

l Smart card authentication: go to step 2 of Logging on with a Smart Card containing Account Data. If you do not have your smart card with you, press the Windows+L keys and log on using your Windows password. Refer to the One Identity EAM Installation Guide to insert the corresponding registry keys.

l Biometric authentication: depending on your Windows version, do one of the following: press the Windows+L keys and go to Everyday Log on.

l RFID authentication: place your RFID badge inside the unlock area.

If the grace period has:

l Exceeded, log on as described in Logging on to Windows with your RFID Badge.

l Not exceeded, the session is automatically unlocked.

NOTE: The grace period is set by your administrator.

l OTP authentication: enter your OTP: see Logging on to Windows with your OTP (One Time Password).



4

Switching Users Without Logging Off Windows

Subject

One Identity offers two means of fast user switching: the Fast User Switching (FUS) and the Multi-User Desktop (MUD).

Fast User Switching

The Fast User Switching (FUS) feature allows a user to load his/her SSO configuration without closing the current Windows session.

When the user logs on to the workstation, all the running applications are closed and Enterprise SSO restarts with the user SSO configuration.

Multi-User Desktop

The Multi-User Desktop (MUD) is an advanced feature of the FUS. Indeed, the MUD enables a high number of users to work on a single station with simultaneous Windows sessions.

When one of the users logs on to the workstation, all the applications of the user are opened and Enterprise SSO restarts with the user SSO configuration.

NOTE:For more information on the FUS and the MUD, refer to Authentication Manager Session Management Administrator’s Guide.

Before starting

l You have rights to lock/unlock Enterprise SSO sessions.

l FUS: the workstation is configured to use the Fast User Switching feature with Authentication Manager.


Switching Users Without Logging Off Windows38

l MUD:

l Applications must support several instances working simultaneously.

l A specific configuration is required for Internet Explorer. Please contact the One Identity Expertise Center.

l MUD is configured for stations where the Windows session is opened automatically and continuously and must never be locked. Do not activate the display screensaver, however a basic screensaver with no password request can be used.

Procedure

l Log on to the workstation as explained in Logging on to Windows.


Switching Users Without Logging Off Windows39

5

Managing your Password or PIN

Changing your Password

Subject

This section explains how to modify your own password or the password of another user (if you are allowed to).

Description

If you have authenticated with your:

l Smart card or RFID badge, you can modify the password of the account that you have used to authenticate, as explained in the following procedure. The password will be modified on the smart card or RFID badge and in the directory.

l User name and password, you can modify your password as explained in the following procedure.

Procedure

1. Open a session as described in Logging on to Windows.


3. Click Change a Password.

The change password window appears.

NOTE:

l If the change password option has been disabled by your administrator, clicking on Change a Password will have no effect.

l The password change window differs depending on the authentication method used.


Managing your Password or PIN40

Windows 10 Windows 7

4. To help you enter a password consistent with the Password Format Control Policy, click Help me choose a valid password.

The following window appears:

5. Fill-in the Password field and click OK.

6. Fill in the Confirm Password field and click or .



The password is modified in the LDAP directory.

Changing an Expired Primary Password

Subject

If you authenticate with your User name and Primary Password, you can choose a new Primary Password.

Procedure

1. When your Primary Password is expired, the Security Data Collection window appears.

2. To change your Primary Password, do one of the following:

l To use your own password, type in your chosen password in the Password and Confirmation fields.

l If your administrator has authorized it, you can generate a random password by selecting the Generate automatically check box.



3. Click the OK button.

Your Primary Password has been changed.

NOTE: If you are offline when your Primary Password is about to expire, you will be asked to change it the next time you log on.

Resetting your Password by Logging on to Windows with your Mobile Device

Subject

If allowed by your security administrator, you can reset your primary password after logging on to Windows with your mobile device.


Modifying your Smart Card PIN

Subject

This section explains how to change the PIN of your smart card.

Procedure

1. Open a Windows session as described in Logging on to Windows with your Smart Card.

2. In the notification area, right click the Authentication Manager icon and select Change PIN.

The change PIN window appears.




The smart card PIN is modified.

Modifying your RFID badge PIN

Subject

This section explains how to modify the PIN of your RFID badge.

Procedure

1. Open a Windows session as described in Logging on to Windows with your RFID Badge.

2. In the notification area, right click the Authentication Manager icon and select Change PIN.

The change PIN window appears.




The RFID badge PIN is modified.

Modifying an Expired PIN

Subject

When your PIN expires, you must change it.

Procedure

1. When your PIN is expired, the change PIN window appears.

2. Enter your new PIN in the corresponding fields.

NOTE: Your new PIN must comply with the PIN control policy.


Your PIN has been modified.

NOTE: If you are offline when your PIN is about to expire, you will be asked to change it the next time you log on.

Resetting your PIN with your Primary Password

Subject

When your RFID badge is blocked because you entered too many wrong PINs, you can reset your PIN with your primary password.



Procedure

1. When your PIN is blocked, the Unblock RFID badge PIN windows appears.

2. Enter your primary password in the Password field.

3. Enter a new PIN in the corresponding fields and click OK.

Your PIN is reset.

NOTE:

l If you are offline when your PIN is blocked, you will be asked to reset it the next time you log on.

l Your PIN can also be reset by the help desk.

Resetting Your Password or PIN with the Emergency Access

The emergency access (SSPR) enables you to authenticate and reset your password or PIN, whether you are connected or not to the network. If you are:

l Connected or not to the network, you can reset your password or PIN by answering questions, as described in Reset with Questions & Answers.



l Connected to the network, you can reset your password by requesting an OTP sent to your mobile device/email, as described in Resetting with an OTP.

IMPORTANT: If you are not connected to the network, you must answer the questions if it has been configured.

Reset with Questions & Answers

The following schema illustrates the tasks you have to perform to reset your password or PIN by answering a series of personal questions. These tasks are described in this section.

NOTE: This PIN reset method is not compatible with the RFID+PIN authentication method.



Initializing the Self Service Password Request Feature

Subject

You must initialize the Self Service Password Request (SSPR) feature to save your answers to a set of questions. Then, to reset your password or PIN, you must answer the questions you have chosen.

You can perform this task every time you want to update or change your questions and answers.



When the SSPR is enabled, you can define your questions (optional) and answers the first time that your Authentication Manager is activated. Then you may need to modify this information in the following cases:

l The questions have changed, so you have to update your answers.

l You must enter your answers periodically.

l You want to change your questions/answers.

You can initialize the SSPR through the EAM portal (see One Identity EAM Portal - Guide de l’utilisateur) or through the Authentication Manager icon as detailed in the following procedure.

Procedure

1. Right-click the Authentication Manager icon in the notification area and select Manage Security Questions.


2. Enter your ID and Password and click OK


3. Follow the displayed instructions: you have to select a number of questions and record their corresponding answers.

NOTE: You may have restrictions to define your questions/answers, as for example a minimum/maximum number of characters, or words that you cannot use. If you do not know why your questions/answers are not accepted, contact your EAM administrator.

Resetting Your Password Upon Session Opening

Subject

The Reset Password feature allows you to reset your password to open your Windows session even if you have forgotten your smart card or cannot remember your password.

You can reset your password through the EAM portal (see One Identity EAM Portal - Guide de l’utilisateur) or upon session opening as detailed in the following procedure.

Before starting

l Authentication Manager must be installed on your workstation.

l You have chosen a set of questions and recorded the associated answers using the Self Service Password Request Wizard, as described in Initializing the Self Service Password Request Feature.



NOTE: If you have not initialized the Self Service Password Request feature and therefore cannot reset your password by yourself, the administrator can still modify your primary password from EAM Console.

Procedure

1. Click or (if the session is locked and the unlocking by another user is forbidden, you cannot change the user name).

2. Do one of the following, depending on your Windows version:

Windows version Action

Windows 10

Check or enter your user name.

Click the Questions and answers tile.

Windows 7

Click the Password forgotten tile.

Check or enter your user name.

IMPORTANT: Replace this text with a notation that requires the reader's attention.

3. Click or (if the session is locked and the unlocking by another user is forbidden, you cannot change the user name).

IMPORTANT: If the Questions and answers/Password forgotten option does not appear on the screen, it means that your administrator has disabled it or that you do not own the license.


4. Follow the instructions displayed in the Wizard window: answer each question, according to the answers you gave while initializing the Self Service Password Request.

5. Enter your new password twice.

NOTE: Click Help me to choose a valid password to check that your new password is in accordance with the Password Format Control Policy.



6. Depending on the SSPR configuration, you may have to enter a challenge provided by the help desk to confirm your new password. Do the following:

a. Call the help desk and give the displayed challenge.

The help desk gives you back another challenge.

NOTE: The challenge that the help desk gives you can only be used once.

7. Enter this challenge and validate.

Your password is reset and your session opens. You can then use the new password for next logons.

NOTE: If the password has been reset in disconnected mode, you will be asked to change it the next time you connect to the network.

Resetting your PIN

Subject

The Reset PIN feature allows you to reset your PIN (either being online or offline) in case you have forgotten it.

Before starting

l Authentication Manager must be installed on your workstation.

l You have chosen a set of questions and recorded the associated answers using the Self Service Password Request Wizard, as described in Initializing the Self Service Password Request Feature.

Procedure

1. Insert your Smart Card.

2. In the authentication screen, click I have forgotten my PIN.

IMPORTANT: If the I have forgotten my PIN option does not appear on the screen, it means that your administrator has disabled it or that you do not own the license.


3. Follow the instructions displayed in the Wizard window: answer each question, according to the answers you gave while initializing the Self Service Password Request and enter your new PIN twice.




4. Call the help desk and give the displayed challenge.

The help desk gives you back another challenge.

NOTE: The challenge that the help desk gives you can only be used once.

5. Enter this challenge and click Next.

When the Wizard terminates, your PIN is reset and a session opens. You can then use the new PIN for next logons.

Resetting with an OTP

Subject

The Reset Password feature allows you to reset your password to open your Windows session even if you cannot remember your password.

You can reset your password through the EAM portal (see One Identity EAM Portal - Guide de l’utilisateur) or upon session opening as detailed in the following procedure.

Before starting

Authentication Manager must be installed on your workstation.



Procedure

1. Do one of the following, depending on your Windows version:

Windows version Action

Windows 10

a. Check or enter your user name.

b. Click the Questions and answers tile.

Windows 7

a. Click the Password forgotten tile.

b. Check or enter your user name.

2. {2}. Click or (if the session is locked and the unlocking by another user is forbidden, you cannot change the user name).

IMPORTANT: If the Questions and answers/Password forgotten option does not appear on the screen, it means that your administrator has disabled it or that you do not own the license.

An OTP is sent to your mobile device/email.

3. Enter the received OTP and click or .

4. Enter your new password twice.

NOTE: Click Help me to choose a valid password to check that your new password is in accordance with the Password Format Control Policy.

Your password is reset and your session opens. You can then use the new password for next logons.



6

Managing your Smart Card

Managing the Unblocking of your Smart Card

During authentication, if you enter too many successive wrong PINs, your smart card blocks itself and the following window appears:

You are asked to enter your unblocking PIN, or PUK, to unblock your smart card.

l You can provide your PUK beforehand: see Providing the Unblocking PIN of Your Smart Card.

NOTE:

l This option is available only if your Administrator has authorized it.

l You must own a PUK to provide it.

l To unblock your smart card, see Unblocking your Smart Card.

Providing the Unblocking PIN of Your Smart Card

Subject

Providing your unblocking PIN, or PUK, enables you to unblock your smart card if you have entered too many successive wrong PINs.


Managing your Smart Card54

Procedure

1. Right-click the Authentication Manager icon in the notification area and select Collect unblocking PIN.

The Collect unblocking code window appears.

2. Enter your PUK in both fields and click OK.

IMPORTANT: If you enter too many successive wrong PUKs, your Smart Card blocks itself.

3. Enter your PIN to confirm your are the actual owner of this smart card and click the OK button.

You PUK has been provided.

Unblocking your Smart Card

Before starting

You can unblock your smart card only if it has an external CMS.

If you:

l Have already provided your PUK, see Unblocking Your Smart Card if you have provided Your PUK.

l Have not provided your PUK, see Unblocking Your Smart Card if you have not provided Your PUK.



Unblocking Your Smart Card if you have provided Your PUK

Procedure

1. In the Smart Card Blocked window, click the OK button.

The Unblock Smart Card window appears.

2. Call the Help Desk so that it can give you the Unblocking secret.

3. Enter you Unblocking secret in the Unblocking secret field.

4. Enter your new PIN in the New PIN and PIN confirmation fields.

5. Click OK.

Your smart card is now unblocked.

Unblocking Your Smart Card if you have not provided Your PUK

Procedure

1. In the Smart Card Blocked window, click the OK button.

The Unblock Smart Card window appears.



2. Enter you PUK in the Your PUK field.

3. Enter your new PIN in the New PIN and PIN confirmation fields.

4. Click OK.

Your smart card is now unblocked.

Managing Primary Accounts on your Smart Card

Before starting

The following procedure only applies to smart cards that can store several SSO accounts.

You can delete all the accounts stored on the smart card, even the one you used to log on with. In this case, after the account deletion, the session stays open.

IMPORTANT: Do not lock the session as you will not be able to unlock it. We recommend you to log off the session after the account deletion.

Procedure

1. Open a session as described in Logging on to Windows with your Smart Card.

2. In the notification area, right click the Authentication Manager icon and select Manage Primary Accounts.

The Manage Primary Accounts window appears and lists the accounts stored on the smart card.



3. Select the account you want to add or remove and click the Add or Remove button.

4. Follow the displayed instructions and click OK.

The account is created/removed on/from the smart card.

Renewing your Smart Card Certificate(s)

Subject

A set of certificates can be stored on you smart card. When these certificates are about to expire and upon a successful smart card authentication, Authentication Manager displays a warning message with the list of these certificates. To renew them, execute the following procedure.

Restriction

Compatible only with Windows Smartlogon cards.

Procedure

1. Log on with your smart card.

The Automatic Certificate Renewal window appears.



2. Enter your PIN and click Renew all.

Your certificate(s) has(have) been renewed and added to your smart card.

NOTE: If your click Not now, your certificate is not renewed and the window will appear each time you log on until your renew the certificate(s).



7

Recovering your SSO Data

Subject

If your password was forced by a directory administrator or if you have changed smart cards, you can recover your SSO data by providing your old password or by answering questions.

Recovering your SSO data with your old password

Before starting

You authenticated at least once on your workstation connected to the network or an EAM directory is available.

Procedure

l At session opening, the SSO data recovery window appears. Enter your old password and click OK.

Your SSO data has been recovered.


Recovering your SSO Data60

Recovering your SSO data by answering questions

Before starting

l Your administrator has given you the authorization (the SSPR must be configured in always available mode: see One Identity EAM Console - Guide de l'administrateur).

l You authenticated at least once on your workstation connected to the network or an EAM directory is available.

l The SSPRForSelfSSORecovery registry key (see Password Management) must be enabled.

l You must have chosen a set of questions and recorded the associated answers using the Authentication Manager Self Service Password Request Wizard. Refer to the Initializing the Self Service Password Request Feature.

Procedure

1. At session opening, the SSO data recovery window appears.

2. Click Next.


3. Follow the displayed instructions and answer the different questions.

If you answered all the questions correctly, your SSO data is recovered.



If you did not answer all the questions correctly , you can restart the procedure or enter your old password.By clicking Cancel, the Enterprise SSO - Data Migration window appears.



8

Managing Your Windows Session Accounts

The Windows Session Accounts window enables you to manage your Windows accounts. You can:

Create or delete a Windows account, see Creating a Windows Session Account and Deleting a Windows Session Account.

Delegate your Windows account(s), seeDelegating a Windows Session Account.

Remove your Windows account delegation(s), see Removing a Windows Session Account Delegation.

Creating a Windows Session Account

Before starting

Your administrator must have created a Windows account for you beforehand.

Procedure

1. Right-click the Authentication Manager icon in the notification area and select Windows Session Accounts.

2. Re-authenticate if needed.

The Manage Windows session accounts window appears.


Managing Your Windows Session Accounts63

3. Select a Windows account and click the New button.

The Windows account properties window appears.

4. Enter:

l The Role you want to give the new Windows Account in the Role field.

l Your Windows identifier in the Identifier field.

l Your corresponding Windows password in the Password field.


Your Windows session account has been created.



Deleting a Windows Session Account

Procedure




3. Select the account you want to delete and click Delete.

Your Windows session account has been deleted.

Delegating a Windows Session Account

Procedure




3. Select the account you want to delegate and click the Delegate button.

The Account Delegation window appears.

4. Type the name of the user to whom you want to delegate your Windows session account in the User name field and click the Search button.



The list of users appears.

5. Select the user in the displayed list.

6. Select the duration of the delegation by clicking the Delegation start and Delegation until drop-down lists.

7. Click the Delegate button.

Your Windows session account has been delegated. Next time the user authenticates him/herself, he/she must choose between the displayed Windows session accounts.

Removing a Windows Session Account Delegation

Procedure




3. Select the delegated Windows session account and click the Remove delegation(s) button.

Your Windows session account is not delegated anymore.



9

Managing a Cluster from your Workstation

Subject

The Cluster mode enables you to access several workstations simultaneously. When you:

l Authenticate yourself on a workstation, sessions on other workstations you are using are also unlocked.

l Lock or switch off a workstation, all other workstations you are using are also locked or switched off.

l Reboot, you can reboot one or several workstations of your choice or the whole cluster at once.

l Attach or release a workstation, you can add a workstation from an existing cluster or an entire cluster to your own cluster and then release it.

To manage your cluster, use the Cluster Wizard in the Authentication Manager dialog box.

You can customize the way the workstations of a cluster are displayed on your screen: see Authentication Manager and Enterprise SSO Customization Guide.

Before starting

l All the actions you can perform from your workstations are only available if they have previously been authorized by the EAM Console administrator: see Authentication Manager Cluster Administrator’s Guide.

l The Cluster Client license keys must be installed on all EAM workstations on which the Cluster feature is used.


Managing a Cluster from your Workstation67

Creating and Configuring your Cluster

Managing the Cluster Composition

If you are authorized to access workstations of a cluster, you can attach one or more workstations from an existing cluster to your cluster. The workstation(s) is(are) detached when you release it(them) from your cluster or if another user authenticates on the original cluster.

Attaching a Workstation to Your Cluster

Subject

Attaching a workstation to your cluster is not a permanent action, you can release a workstation whenever you want. You can attach only the workstations authorized by the administrator.

Before starting

The Windows session of the workstation you want to attach to your cluster must be closed.

Procedure

1. Right-click the Authentication Manager icon in the notification area and select Manage Cluster.


The Cluster wizard window appears.



3. Select Manage my cluster and click Next.




4. Do one of the following actions to add a workstation to your cluster:

l Type in the name of the workstation you want to attach in the corresponding field and click the Attach button.

l Click the Select button and select a workstation in the list displayed by the wizard.

IMPORTANT:Only the workstations authorized by the administrator are displayed.

5. Click Finish.

The workstation is now attached to your cluster and its session opens automatically.

Releasing a Workstation from your Cluster

Before starting

You can release a workstation/cluster only if you have added it to your cluster beforehand. The released workstation is automatically reattached to its original cluster.



Procedure





4. The Attach/Detach workstation window appears.

5. Select the workstation you want to detach from your cluster and click the Detach button.

6. Click Finish.

The workstation is now released from your cluster and its session closes automatically.

Renaming your Workstation

Subject

You can rename your workstation, i.e. give it an alias that is displayed:

1. In the cluster management windows.

2. On the desktop (if configured).

Setting an Alias

Procedure





4. The Attach/Detach workstation window appears.

5. Select one or more of the displayed workstations and click the Set alias button.

The Set alias dialog box appears.



6. In the Alias field, enter the alias you want to give to your workstation and click the OK button.

NOTE: Since the alias must be unique, a check is made to see if it does not already exist.

The alias of your workstation has been set.

Modifying an Alias

Procedure

Repeat the procedure of Setting an Alias and at step 5, modify the alias that is set.

Deleting an Alias

Procedure

Repeat the procedure of Setting an Alias and at step 5, delete the text in the Alias field.

Executing Maintenance Operations on Your cluster

Removing Temporarily a Workstation from the Cluster

Subject

From your workstation, you can temporarily remove another workstation from the cluster.



This can be useful for maintenance operations: the workstation can be rebooted independently from the others.

Procedure

1. Right-click the Authentication Manager icon in the notification area and select Deactivate cluster mode.

The workstation is excluded from the cluster. It remains excluded even when you restart it.

2. To include the computer back into the cluster, click Activate cluster mode.

Rebooting your Cluster

Subject

This action enables you to restart all the workstations in the cluster at once.

Before starting

There are two station behaviors:

l The master station can accept, decline or delay its reboot.

l The slave station can only accept or decline its reboot.

Procedure

1. Right-click the Authentication Manager icon in the notification area and select Reboot Cluster.

The following dialog box appears:

IMPORTANT: If the station is a slave station, you can only accept or decline the reboot.



2. Do one of the following:

l Click Yes to reboot the cluster except your current workstation.

The cluster is rebooted and locked: go to step 3.

l Click No to reboot the cluster including your current workstation.

The cluster is rebooted.


l Click Yes to reboot your current workstation.

Your current station is rebooted and the other workstations of the cluster stay locked.

l Click No to unlock the cluster without rebooting your current workstation.

Refreshing the Displayed Data

Subject

If you change your desktop wallpaper, the cluster data disappears from the desktop. To re-display this data, execute the following procedure.

Procedure

l Right-click the Authentication Manager icon in the notification area and select Redraw wallpaper.

The cluster data is re-displayed on the desktop.



10

Managing Session Delegation

Configuring Session Delegation

If for any reason you have to leave your workstation or cluster, you can delegate your Windows session to your delegate to monitor or intervene in any of your ongoing operations.

You can configure session delegation either:

l Inside a cluster: see Configuring Session Delegation in a Cluster.

l Outside a cluster: see Configuring Session Delegation outside a Cluster.

Configuring Session Delegation in a Cluster

In cluster mode, you can delegate your workstation to your Primary delegate or your Backup:

l The Primary delegate is the main person to whom you are delegating your session.

l If the Primary delegate is not available, the Backup is the one monitoring your workstation.

For more information on cluster configuration, go to Section 9., "Gérer une grappe à partir de votre poste de travail".

There are two types of session delegation:

l Temporary: the session is delegated only once, until the next time you re-authenticate yourself. For more details, refer to:

l Setting a Temporary Session Delegation.

l Ending a Temporary Session Delegation.

l Permanent: the session is delegated permanently, until you stop delegating the workstation. For more details, refer to:

l Setting a Permanent Session Delegation.

l Ending a Permanent Session Delegation.


Managing Session Delegation75

Setting a Temporary Session Delegation

Subject

l If the administrator has activated the approval function, your Primary delegate or your Backup must be at his workstation to accept the session delegation, i.e. with an unlocked workstation.

l Once you have delegated your session, if your Primary delegate leaves and locks his workstation, your delegated workstations are not part of his cluster anymore. If he wants to include them back into his cluster, he must follow the procedure described in Accessing a Colleague’s Workstation in a Cluster.

Procedure

1. Right-click the Authentication Manager icon in the notification area and select Set temporary session delegation.



3. Click the Manage delegates button to select your Favorite users and fill-in the Primary delegate and Backup drop-down lists. If you have already done so, go directly to step 7.

The Manage delegates window appears.



4. Select your favorite users by typing their name in the Find names starting with field and click the Search button.

A list of the names appears in the Search Results area.

5. Select your favorite users and click the Add button to add the names to your favorite users list.

6. Click Close.

7. In the Primary delegate drop-down list, select your Primary delegate.

8. If you want a Backup, select the Backup check box and select him/her in the drop-down list.

9. Click the Advanced Delegation button to delegate more than one workstation from your cluster.

10. Click the Delegate button.

Your temporary session delegation is now set and the selected workstation(s) from your cluster is(are) delegated, pending approval from the Primary delegate/Backup.

NOTE: If you retrieve your smart card, your cluster locks itself except your delegated workstations.

Ending a Temporary Session Delegation

Subject

There are different ways to end a temporary session delegation. If the master workstation is delegated, you have to end the delegation and lock the workstation by inserting your smart card and re-authenticate yourself.



Procedure

Do one of the following:

l Reauthenticate yourself.

l Use Authentication Manager:

a. Right-click the Authentication Manager icon in the notification area and select Set temporary session delegation.

b. Reauthenticate if needed.


c. Click the Remove delegation button.

The session delegation has ended.

l Ask the Primary delegate or Backup to end the delegation (see Ending the control over a Workstation).

If... Then...

the Primary delegate or Backup ends the delegation...

the delegated workstation(s) is/are locked.

you lock a cluster containing a delegated workstation...

the workstation locks itself.

you shut down a cluster containing a delegated workstation...

the workstation is released from the cluster and locks itself.

Setting a Permanent Session Delegation

Subject

You can delegate as many workstations to as many delegates as you want.

Procedure


2. Reauthenticate if needed.


3. Select Manage permanent delegations and click Next.




4. Select a delegate in the drop-down list or click the Add button to add users to your delegates list.


l In the Delegated workstations area, select the workstations you want to delegate to the selected delegate.

l Click the Select all button to select all the workstations at once.

6. Click the Submit button.

The next time you lock your workstation(s), your selected delegate will be able to take control over your selected workstation(s).

Ending a Permanent Session Delegation

Subject

There are different ways to end a permanent session delegation. If the master workstation is delegated, you have to end the delegation and lock the workstation by inserting your smart card and re-authenticate yourself.



Procedure




3. Select Manage permanent delegations and click Next.

4. The Manage your permanent delegation window appears.

5. Clear the check box(es) corresponding to the workstation(s) for which you want to end the delegation.

6. Select the delegate for whom you want to end the delegation and click the Remove button.

NOTE: Click the Remove all button to remove all the delegations at once.

7. Click the Submit button.


If... Then...

the Primary delegate or Backup ends the delegation...

the delegated workstation(s) is/are locked.

you shut down a cluster containing a delegated workstation...

the workstation is released from the cluster and locks itself.

Configuring Session Delegation outside a Cluster

There is only one type of session delegation outside a cluster: permanent delegation. For more information, refer to the following sections:

l Setting a Session Delegation

l Ending a Session Delegation.

Setting a Session Delegation

You can delegate several workstations to one of your delegates.



Procedure

1. Right-click the Authentication Manager icon in the notification area and select Manage Session Delegation.

2. Reauthenticate yourself.

The Windows session delegation window appears.

3. Select a delegate in the drop-down list or click the Add button to add users to your delegates list.


l In the Delegated workstations area, select the workstations you want to delegate to the selected delegate.

l Click the Select all button to select all the workstations at once.

5. Click Apply.

The next time you lock your workstation(s), your selected delegate will be able to take control over your selected workstation(s).

Ending a Session Delegation

Procedure

1. Right-click the Authentication Manager icon in the notification area and select Manage Session Delegation.




The Windows session delegation window appears.

3. Clear the check box(es) corresponding to the workstation(s) for which you want to end the delegation.

4. Select the delegate for whom you want to end the delegation and click the Remove button.

NOTE: Click the Remove all button to remove all the delegations at once.

5. Click Apply.


NOTE: If the delegate ends the delegation, the delegated workstation(s) is(are) locked.

Accessing a Colleague’s Workstation

Subject

If you are a delegate, you can take control over one of your colleague’s locked workstation(s) to monitor or intervene in any of his ongoing operations.

The Windows context is the one of the user who has opened the session and the SSO engine (if any) is suspended.

You can access a colleague’s workstation whether you are:

l Inside a cluster:Accessing a Colleague’s Workstation in a Cluster

l Outside a cluster: Accessing a Colleague’s Workstation outside a Cluster.

Accessing a Colleague’s Workstation in a Cluster

The delegated workstations are not attached to the delegate cluster and the operations performed on these workstations are not propagated to the cluster.

NOTE: By double-clicking the Authentication Manager icon, you directly access the Access a colleague’s workstation feature.



Taking control over another workstation

Before starting

l Your colleague must have designated you as his Primary delegate or his backup.

l Your colleague’s workstation(s) must be locked.

Procedure

1. Double-click the Authentication Manager icon in the notification area.


The following window appears with the list of workstations you are authorized to take control over.

NOTE: If you are allowed a permanent session delegation, all the workstations are displayed whether they are delegated temporarily or permanently.

3. Select the workstation(s) you want to take control over and click the Unlock button.

NOTE: Click the Select all button to select all the displayed workstations.

You now have the control over the selected workstation(s).



Ending the control over a Workstation

Subject

There are two ways to end the control over a delegated workstation.

l If you do not lock the workstation, it will be locked when you lock your cluster.

l To take back the control over your delegated workstation, the latter must be locked.

When the delegate unlocks his cluster, the previously controlled workstation does not unlock itself. To take the control back, he must follow the same procedure as described in Accessing a Colleague’s Workstation in a Cluster.

Procedure

Do one of the following operations:

l On the delegated workstation, press Windows+L to lock it.

l The delegate ends the control by following this procedure:

a. Double-click the Authentication Manager icon in the notification area.

b. Reauthenticate if needed.

The Access a colleague’s workstation window appears.

c. Select the workstation(s) you want to end control over and click the Lock button.

The workstation is not under your control anymore.

Accessing a Colleague’s Workstation outside a Cluster

Taking control over another workstation

Before starting

l Your colleague must have designated you as his delegate.

l Your colleague’s workstation(s) must be locked.

l On Windows 7 workstations, set the following key to support unlock request: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD



Procedure

1. Right-click the Authentication Manager icon in the notification area and select Access a Colleague’s Workstation.


The following window appears with the list of workstations you are authorized to take control over.

3. Select the workstation(s) you want to take control over and click the Unlock button.

NOTE: Click the Select all button to select all the displayed workstations

You now have the control over the selected workstation(s).

Ending the control over a Workstation

Subject

To take back the control over your delegated workstation, the latter must be locked.

Procedure

Do one of the following operations:



l On the delegated workstation, press Windows+L to lock it.

l The delegate ends the control by following this procedure:

a. Right-click the Authentication Manager icon in the notification area and select Access a Colleague’s Workstation.

b. Reauthenticate yourself.

The Unlock Colleague Workstation window appears.

c. Select the workstation(s) you want to end control over and click the Lock button.

The workstation is not under your control anymore.



11

Ending a Roaming session

Subject

When you authenticate yourself with a smart card, you can end your Roaming Session through the Authentication Manager icon located in the notification area.

Procedure

1. Right-click the Authentication Manager icon in the notification area and select Roaming Session.


The Roaming Session Management window appears.

3. Click the Terminate button.

Your Roaming Session has ended.


Ending a Roaming session87

12

Logging on a User Session as an Administrator

Logging on a User Session with Your Smart Card: "Grace period"Subject

An administrator can log on a user's session using his own smart card, even though the user opened his Windows session using a smart card.

Procedure

1. Press the SHIFT key during the logged user smart card withdrawal.

The user session is left unchanged. If Enterprise SSO was running, it is automatically set to a locked mode.

2. Insert your administrator smart card and enter your PIN before the end of the grace period (the default value is 60 seconds).

NOTE: The length of the grace period can be configured from EAM Console.

This authentication enables User Access to check your identification data. The user Windows session stays open: your Windows permissions do not apply.

3. Perform your administration tasks on the user workstation: if you run an EAM application (Enterprise SSO Studio, etc.), the authentication is done using your administrator smart card.

4. When you have finished with the user's workstation, withdraw your smart card.

The user session appears as it was before the smart card removal. The user is prompted to insert his smart card and provide his PIN to turn Enterprise SSO back to the unlocked mode.


Logging on a User Session as an Administrator88

Logging on as local administrator with your mobile device

Subject

If your administrator has authorized it, you can log on as local administrator on a user workstation using your mobile device, from the Connect with a mobile device tile.


Running a Process on a User Session

Subject

An administrator can log on a user's session using his own smart card or OTP, even though the user opened his Windows session using same authentication method.

Running a Process Using your Smart Card

Procedure

1. Press the Windows+R keys.

The Execute window appears:

2. Enter cmd in the Open field.


The Command Prompt window appears.

4. Insert your administrator Smart Card.

5. Enter the following command line and press the ENTER key: C:\%EAM installation folder%\AMRunAS <Command Line>

6. If you have several accounts on the smart card, type in the displayed account number and press the ENTER key.

7. Enter your PIN and press the ENTER key.

The command line has been executed with your Windows credentials.

NOTE: The AMRunAS command line is derived from the RunAS Windows command line. You can display all the different command lines and their description by entering the following command line: RunAS.exe /?



Running a Process Using your OTP

Procedure






4. Enter the following command line and press the ENTER key: C:\%EAM installation folder%\AMRunAS.exe /OTP /USER:DomainName\UserName <Command Line>

5. Enter your OTP and press the ENTER key.

You are now logged on with your Windows credentials.

Restarting and Running Enterprise SSO with your Credentials

Before starting

If the administrator needs to use Enterprise SSO or any other application, it must be installed on the user’s workstation.

Procedure






4. Enter the following command line and press the ENTER key: C:\%EAM installation folder\AMRunAS.exe /SSO <Command Line>

Enterprise SSO restarts with your credentials.



13

Managing Reports

Subject

Authentication Manager enables you to download PDF reports (generated on demand or periodically) and to save them on your workstation.

NOTE: A notification e-mail can be sent to you informing you that a report is available for download from Authentication Manager.

For more information on report generation, refer to the One Identity EAM Console - Guide de l'administrateur.

Procedure

1. Right-click the Authentication Manager icon in the notification area and select Manage reports.


The report management window appears.


Managing Reports91

3. Click Preferences to define the destination directory of the reports to download. Once you have finished, click OK to come back to the management window.

4. Click Search to display the reports that are assigned to you.

NOTE: Select the Show reports generated in the last x days check box to limit the number of reports taken into account


Managing Reports92

NOTE: The Report state column indicates if the report has been downloaded or not and displays the two following states:

l On server: the report has not been downloaded in the destination directory yet.

l Local: the report has been downloaded and is available for consultation in the destination directory.

5. When a report is ready to download, double-click it to open it or select it and click Download (the report will be available in the destination directory).

NOTE: If several reports are assigned to you, you can select them and download them all at the same time..

6. Click Close.


Managing Reports93

14

Authentication Manager Registry Keys

Subject

This appendix describes the Authentication Manager configuration settings stored in the Windows registry that you can modify.

Some registry keys are only used by EAM clients, others are reserved for EAM Controllers, and others are available either on clients and controllers. Depending on the computer where the registry keys are changed, the scope of the update is different. Indeed, if you update the configuration of a:

l EAM client, the scope is limited to the User Access client itself.

l EAM Controller, the scope is extended to all the EAM clients connected to this controller.

Before starting

IMPORTANT: The Windows registry must be modified by qualified personnel only.

Autologon

AutoLogonUserLogin

Scope EAM Client

Description

Type REG_SZ

Values User name with domain (<Domain_name>\<user_name>).


Authentication Manager Registry Keys94

Location HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

AutoLogonUserPassword

Scope EAM Client

Description

Type REG_SZ

Values User password.


AutoRelogon

Scope EAM Client

Description Configures the autologon to be executed after a closed session.

Type REG_DWORD

Values 0: the session is not automatically re-opened.

1: the session is automatically re-opened with the same user. If you keep the Shift key pressed during the logon sequence, the automatic logon is interrupted and you can authenticate yourself with a smart card or biometric data to open the Windows session as another user.You cannot authenticate yourself with a password; indeed when you press the Ctrl+Alt+Del keys, the automatic logon resumes and the session is re-opened with the user configured for autologon.


Biometrics

BioAutoValidate

Scope EAM Client



Description Store on PC mode only.

Enables/disables the automatic validation upon fingerprint authentication.

Type REG_DWORD

Values 0: disabled.

1: enabled.


BiometricFAR

Scope EAM Client

Description Biometric False Accepted Rate.

Type REG_DWORD

Values Default value: 20000.

(means that the probability of a wrong fingerprint pass is 1/20000).

Location HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

BiometricMaxEnrolledUsers

Scope EAM Client

Description Store on PC mode only.

Maximum number of users that can be enrolled on the workstation.

If the maximum number is exceeded, the oldest enrolled user is deleted.

Type REG_DWORD

Values Default value: 20.




CheckEnrollment

Scope EAM Client

Description After the biometric templates have been saved, the user is asked to perform a biometric authentication to check the biometric templates and to create the biometric authentication cache. If the user cancels the authentication, the biometric authentication cache is not created. This key is set on all workstations where the biometric enrollment tool is installed.

Type REG_DWORD

Values 0 (default): the user does not authenticate himself.

1: the user must authenticate himself to create the cache file.


DisableBeepOnBioEvent

Scope EAM Client

Description Each time a detection event is identified by the biometric middleware, a message appears and a beep occurs.

Type REG_DWORD

Values 0 (default): beep is enabled.

1: beep is disabled.


StartOnce

Scope EAM Client

Description Displays the biometric enrollment tool only once for the user. If he/she cancels the enrollment, the biometric enrollment tool is not displayed anymore.

Type REG_DWORD

Values 0 (default): the biometric enrollment tool is displayed each time the user starts his Windows session.



1: the biometric enrollment tool is displayed only once. Then, password authentication is displayed by default.

Location HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork

Password Management

CheckWhetherPasswordExpires

Scope EAM Client

Description The automatic change of the primary password defined in the user security profile does not apply to the Windows accounts which password never expires.

Note: this applies only when the primary accounts are stored in the AD.

Type REG_DWORD

Values 0 (default): disabled.

1: enabled.


ForcePasswordChangeAfterSSPR

Scope EAM Client

Description The must change password at next connection option is always enabled when users reset a password through the SSPR process.

This key must be set on the workstations where the SSPR process is running. This key has no effect if no SSPR process is installed.

Type REG_DWORD

Values 0: option disabled.

1: option enabled.




PasswordChangeForbiddenMessage

Scope EAM Client

Description Enables the administrator to display an information message to the user after he has refused to change his password from the workstation.

Type REG_SZ

Values Message displayed to the user after a password change refusal.


PasswordChangeProcessCheckList

Scope EAM Client

Description Enables the administrator to prevent the user from changing his password when certain processes are active.

Type REG_SZ

Values List of processes forbidding the password change. Processes are separated with a space. The name of the process is the one displayed in the Windows process manager.


PostChangePasswordMessage

Scope EAM Client

Description Enables the administrator to display an information message to the user after he has changed his password from the workstation.

Type REG_SZ

Values The text of the message to display after a voluntary password change from the One Identity tile.




RandomPasswordLength

Scope EAM Client

Description When the PFCP imposes a password generated randomly, the password length is also generated randomly in the limits defined by this PFCP.

Type REG_DWORD


1: enabled.


ResetPasswordAdminGroupDN

Scope EAM Controller.

Description Allows all administration group members to reset the passwords of each user.

Type REG_SZ

Values Administration group DN.


ShowPasswordFormatHelper

Scope EAM Client

Description Displays or hides the password format wizard to help the user change his password.

Type REG_DWORD


1 (default): option enabled.




ShowResetColleaguePasswordN

Scope EAM Controller and Client

Description Allows a manager or an administration group member to define a temporary password access (TPA) for a colleague. To configure the TPA, you must create the RCOptions key in the same place.

Type REG_DWORD

Values 0 (default): option disabled.

1: option enabled.


SSPRForSelfSSORecovery

Scope EAM Client

Description

Activates the SSO data recovery feature via the SSPR.

This key must be set on all workstations where the SSO Data recovery is enabled.

Type REG_DWORD


1 (default): option enabled.


WorkStationAccountRandomNPGP

Scope EAM Client

Description Available with any supported LDAP directory except Active Directory.

In this type of architecture, EAM stores user SSO data in another LDAP directory than Active Directory. But the users' accounts are stored in Active Directory and are managed by Enterprise SSO as secondary accounts. In this configuration, the Windows password must be changed manually by default. This key allows you to configure an automatic password change.



Type REG_DWORD

Values 0: manual change of the Windows password.

1: automatic change of the Windows password.


RFID

ForceRfidMode

Scope EAM Client

Description Forces the RFID authentication behavior.

Type REG_DWORD

Values 0: default behavior:

if the badge is present for less than 3 seconds, the passive mode is taken into account.

if the badge is present for more than 3 seconds, the active mode is taken into account.

1: Passive mode.

2: Active mode.


RFIDMultiSelfEnrollAllowed


Description Restricts the self-enrollment of RFID tokens to one token per user.

Type REG_DWORD

Values 0: restricted to one token per user.

1 (default): no restriction.




RFIDSelfEnrollAllowed


Description Forbids or allows the self-enrollment of RFID tokens.

Type REG_DWORD

Values 0: forbidden.

1 (default): allowed.


Roaming session

GetRoamingSessionOnlyFromRFID

Scope EAM Client

Description Restricts the opening of a roaming session to the RFID badge authentication method.

Type REG_DWORD

Values 0 (default): the roaming session is opened with any authentication method (RFID badge or smart card).

1: the roaming session is opened only upon the use of an RFID badge.


RoamingSessionMaxPINTries


Description If too many bad PINs are entered to open a roaming session with a smart card or RFID badge, the roaming session is deactivated and the user must insert his smart card.

Type REG_DWORD

Values 5 (default): the user can provide up to 5 bad PINs before the deactivation of his roaming session and having to



insert his smart card.

Notes:

The bad PIN counter is reset each time the user provides the good PIN.

The bad PIN counter cannot be displayed.

This registry key does not work for the EAM web services.


RoamingSessionProtectedByPIN


Description Opening a roaming session with a smart card or an RFID badge requires their PIN.

Type REG_DWORD

Values 0 (default): the roaming session is opened with any authentication method (RFID badge or smart card) without the PIN.

1: the roaming session is opened with an RFID badge or a smart card with the PIN (mandatory).


RoamingSessionServerList


Description To manage roaming sessions, it is recommended in some complex architectures to force controllers to connect to the same LDAP server (to avoid problems with replication delay between LDAP servers used by the controllers). In such a case, this registry key allows you to configure the LDAP servers list by order of priority.

Type REG_SZ

Values Ordered list of LDAP servers (by default, there is no value).



IMPORTANT: Do not forget to update these values when adding/deleting LDAP servers from the architecture.

Location AD: HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Directory

SetRoamingSessionOnly

Scope EAM Client

Description

When the roaming session is active and expired, if a user authenticates with an RFID badge, a card insertion is requested instead of a password.

Type REG_DWORD

Values 0 (default): a password is asked when authenticating with an RFID badge.

1: a card insertion is asked when authenticating with an RFID badge.


SetRoamingSessionOnlyFromCard

Scope EAM Client

Description Restricts the creation of a roaming session to the smart card authentication method.

Type REG_DWORD

Values 0 (default): the roaming session is created with any authentication method (smart card or RFID badge).

1: the roaming session is created only upon a smart card authentication.




Smart Card

ActionWhenTokenRemoved

Scope EAM Client

Description Default automatic action if the token is removed.

Type REG_DWORD

Values 0 (default): not configured (=lock).

1: lock the computer.

2: log off.

3: do nothing.


AllowSmartCardInactivityTimer

Scope EAM Client

Description Activates the inactivity duration of Enterprise SSO when a smart card is used.

Type REG_DWORD

Values 0 (default): not configured (=no lock).

1: Enterprise SSO is locked after the defined inactivity duration.

Location Software\Enatel\SSOWatch\CommonConfig

AutoValidationTimer

Scope EAM Client

Description Timeout before the automatic validation of the default action defined in ActionWhenTokenRemoved.

Type REG_DWORD

Values Value in seconds.




NoLdapConnection

Scope EAM Client

Description The smart card authentication is asynchronous, which improves the performances of this authentication method.

The state of the smart card connection is checked during the first 30 seconds of the session logon/logoff. If:

The smart card is removed before the asynchronous check, the session is locked and the smart card authentication will be performed asynchronously at the next authentication.

The asynchronous smart card authentication fails, the cache is updated with this information and the session is locked.

The asynchronous smart card authentication succeeds, the cache is updated with this information and the session is locked.

NOTE: This option is available only if the Always authenticate on cache check box is selected in EAM Console (see One Identity EAM Console - Guide de l'administrateur).

Type REG_DWORD


1: enabled.


NoSSOPrivateKey

Scope EAM Client

Description The private user data is disabled, therefore it is only the recoverable key that is decrypted during authentication, which improves the performances of the smart card authentication.

Type REG_DWORD

Values 0 (default): disabled: the recoverable key and the private key are used.

1: enabled: only the private key is used.



Location HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\SingleSignOn

PINMaxLength

Scope EAM Client

Description Maximum number of characters authorized in a PIN.

Type REG_DWORD

Values Value in numbers.


PINMinLength

Scope EAM Client

Description Minimum number of characters authorized in a PIN.

Type REG_DWORD

Values Value in numbers.


PINNumericOnly

Scope EAM Client

Description The PIN can contain numbers only.

Type REG_DWORD

Values 0 (default): all characters are authorized.

1: only numbers are authorized.




User Access

ByPassWGAuthForLocalAdmin

Scope EAM Client

Description Enables users that are not local administrators to bypass the Authentication Manager login window.

The users who are members of the local administrators group can bypass the Authentication Manager login window even if they cannot create the Enterprise SSO keys/objects.

Type REG_DWORD

Values 0: disabled.

non null value: enabled.


HideDomainList

Scope EAM Client

Description Displays/hides the domain list.

Type REG_DWORD

Values 0: domain list displayed.

1: domain list hidden.


HideRemoteConnection

Scope EAM Client

Description Displays/hides the Open the session over a modem connection option.

Type REG_DWORD

Values 0 (default): option displayed.

1: option hidden.




LockTimer

Scope EAM Client

Description Timeout before locking the computer. This does not end the session.

Type REG_DWORD

Values Value in seconds.


ManageUserExclusion

Scope EAM Client

Description Windows 7 and next versions only.

Enable or disable SSO for excluded users.

Type REG_DWORD

Values 0 (default): at user authentication, Authentication Manager opens a standard Windows session and then retrieves the user credentials (stored in the E-SSO directory) to start the SSO engine with them.

1: at user authentication, Authentication Manager first tries to authenticate with the provided credentials against the E-SSO directory:

l if the user belongs to an exclusion group, the Windows session is opened, but the SSO engine is not started (no SSO will be available for that session).

l if the user does not belong to any exclusion group, the opening of the Windows session is submitted to the success of the EAM authentication.




ResetPassword

Scope EAM Client

Description Makes available or unavailable the Questions and answers (Windows 10) or Password forgotten (Windows 7) tile.

Type REG_DWORD

Values 0: available.

1: unavailable.




15

Integrating Authentication Manager with Prim'X Cryhod

Subject

Prim'X Cryhod is a software product that encrypts data on computer disks running Microsoft Windows. Cryhod includes a pre-boot utility which allows the user to enter his credentials at system start-up; he is then granted or denied access to encrypted data. The integration of Authentication Manager with Cryhod is only for Smart Card Authentication.

Description

Cryhod supports authentication by Smart Card and PIN.

Authentication Manager supports integration with Cryhod on Microsoft Windows 7 and 2008 systems only.

The integration consists in an automatic transfer of a Smart Card PIN from Cryhod to Authentication Manager. This allows the user to perform Cryhod and Authentication Manager Smart Card authentication while only entering the PIN once.

The PIN transfer feature is implemented in a Windows DLL which is provided by Authentication Manager and used by the Cryhod Encryption Service according to Cryhod configuration parameters.

Configuring the Integration

Procedure

Retrieve the following elements:

Full path name of the Windows DLL. The file is called DiskEncryptionCryhod.dll and is installed in the same directory as the EAM Client.

SHA-256 hash values for DiskEncryptionCryhod.dll. They are displayed in the DiskEncryptionCryhod.txt file, located in the EAM Client installation directory.


Integrating Authentication Manager with Prim'X Cryhod112

Depending on the architecture of your Windows workstations, you may need the hash values for 32 and/or 64-bit systems.

Name the value as recommended: Authentication Manager CREDAPI Extension Vx.y (zz-bit) and use these elements to set the Cryhod policy P880 - Software Extensions with Microsoft Windows GPO.

NOTE: The required format for the value is described in the Cryhod documentation.

The HKEY_LOCAL_MACHINE\SOFTWARE\Policies\PrimX\Cryhod\Common\Extensions key is generated in the Microsoft Windows registry of each workstation.This key contains a value of type String corresponding to the version of DiskEncryptionCryhod.dll used on the local workstation. If the key contains multiple values corresponding to different versions of DiskEncryptionCryhod.dll, only the value that matches a file on the local workstation is used.

Example

Value name Value

Authentication Manager CREDAPI Extension V1.0 (32-bit)

dll32=%ProgramFiles%\One Identity\UserAccess\DiskEncryptionCryhod.dll;sha256=37 5B 06 C5 AC E6 67 59 B5 83 4B 2E B4 9D 7A AE 24 6C D3 80 95 05 15 A2 AB 3E A7 2A 70 63 7C 59;credapi=1

Customizing the Integration

Description

It is possible for an Authentication Manager Smart Card tile to be selected before Cryhod transfers the PIN to Authentication Manager. Authentication Manager waits for a few seconds for the PIN to be transfered. If the PIN is not transfered in time, the user has to provide it, thus typing the PIN twice.

To avoid this, the length of time that Authentication Manager waits for the PIN can be configured using a Windows registry value.

IMPORTANT: Only on-site testing can determine the optimum length of time.

Procedure



1. Create the DWORD value WaitForPINDuration under one of the following keys:

l HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Enatel\WiseGuard\AdvancedLogin.

l HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\AdvancedLogin

2. Set the key to the number of seconds required.

The length of time has been customized.

Cryhod Log Files

An event is recorded in the Cryhod event log each time DiskEncryptionCryhod.dll is used. The event includes a result code indicating the reason for any failure to transfer the PIN.



About us

About us

Contacting us

For sales or other inquiries, visit https://www.oneidentity.com/company/contact-us.aspx or call +1-800-306-9329.

Technical support resources

Technical support is available to One Identity customers with a valid maintenance contract and customers who have trial versions. You can access the Support Portal at https://support.oneidentity.com/.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to:

l Submit and manage a Service Request

l View Knowledge Base articles

l Sign up for product notifications

l Download software and technical documentation

l View how-to-videos

l Engage in community discussions

l Chat with support engineers online

l View services to assist you with your product


About us115

https://www.oneidentity.com/company/contact-us.aspx

https://support.oneidentity.com/

User's Guide...Logging on with a Smart Card of type SmartCard Logon 17 Primary password Collection...

Documents

Transcript of User's Guide...Logging on with a Smart Card of type SmartCard Logon 17 Primary password Collection...