FastPass Password Manager Version 3.4.2
Windows Client Installation Guide
Status: Final Page 2 of 46
Date: October 05, 2012
Document Title: Windows Client Installation Guide
Document Classification: Public
Document Revision: H
Document Status: Final
Document Date: October 05, 2012
The specifications and information in this document are subject to change without notice. Companies, names, and data
used in examples herein are fictitious unless otherwise noted. This document may not be copied or distributed by any
means, in whole or in part, for any reason, without the express written permission of FastPassCorp A/S.
© 2004 - 2012 FastPassCorp A/S. All rights reserved. Lyngby Hovedgade 98, 2800 Kongens Lyngby, Denmark.
http://www.fastpasscorp.com/.
FastPass Password Manager is a trademark of FastPassCorp A/S. All further trademarks are the property of their respective
owners.
Limited Warranty
No guarantee is given for the correctness of the information contained in this document. Please send any comments or
corrections to [email protected].
Table of Contents
1. Introduction
  1.1 Purpose
  1.2 Audience
  1.3 References
  1.4 Terms
2. About FastPass Password Manager
  2.1 The architecture of FastPass Password Manager
3. About the Password Manager Windows Client
  3.1 Vital changes in version 3.4.2.1
  3.2 Vital changes in 3.4.2.4
  3.3 The architecture of Password Manager Windows Client
    3.3.1 Windows XP
    3.3.2 Windows Vista and Windows 7
  3.4 Launch Window
  3.5 Launch Link
  3.6 Functional description
  3.7 Enrollment Enforcement feature
    3.7.1 Flow of information
    3.7.2 User Interfaces of the Enrollment Enforcement Client
    3.7.3 Parameter tweaking
4. Displaying Custom messages after password reset – HelpPanel Feature
5. Using Windows Client with IIS Client Certificate Mapping
  5.1 Configuring the Windows Client
6. Windows Client only access
7. Security measures inside Windows Client
  7.1 Url restrictions
  7.2 Keyboard restrictions
  7.3 Process restrictions
8. Installing the Password Manager Windows Client
  8.1 Supported Platforms
  8.2 Pre-requirements
  8.3 Administrative privileges required
  8.4 Installation using GUI
  8.5 Installation using Command Line options
  8.6 Installation using XML Configuration file
  8.7 Post installation configuration
  8.8 Running the Windows Client in a Terminal Services/Citrix environment
    8.8.1 Installing
    8.8.2 Setting up Citrix GINA component
9. Upgrading the Windows Client
10. Setting up the for Remote Password Reset
  10.1 How it works
  10.2 Preparing the Server
  10.3 Preparing the Client
    10.3.1 Config changes
    10.3.2 Creating a script
11. Customizing the splash screen
12. Uninstalling the Password Manager Windows Client
  12.1 Uninstalling from a Windows XP machine
  12.2 Uninstalling from a Windows 7/Windows Vista machine
13. Appendices
  13.1 Appendix A: Custom Windows Client Layout Settings for Launch Panel
  13.2 Appendix B: Custom Windows Client Layout Settings for Launch Text
1. Introduction
This document covers FastPass Password Manager version 3.4.2.3. Please note that the installer parameters changed in
version 3.4.1. This document also describes the changes in behavior introduced in version 3.4.2.1 of
the Windows Client.
1.1 Purpose
The purpose of this document is to describe how to install the Password Manager Windows Client in a FastPass Password
Manager implementation including all configuration aspects.
1.2 Audience
The intended audience of this document is personnel responsible for administration of the Password Manager solution.
1.3 References
This document references the following documents:
None.
1.4 Terms
The following technical and product specific terms are used without further explanation throughout the document.
2. About FastPass Password Manager
FastPass Password Manager is a secure web-based solution offering self-service password operations to end-users.
Users are required to remember many more complex passwords on more systems than ever before. Research (Gartner)
suggests that 20-50% of all calls to Help Desks are related to forgotten passwords.
Built to use Active Directory as the authoritative repository, FastPass is capable of delivering almost instant ROI by
deploying in just a few hours utilizing your existing Microsoft Windows Server environment.
Introduce Self-Service
Users only need a web browser to access FastPass whether on the corporate intranet or across the internet. In addition an
easily integrated deployment via SharePoint Portal or the SAP Portal gives a secure single point of entry to all applications
and supports anonymous access for users who have forgotten their passwords.
FastPass enables self-service enrollment and password resets utilizing the same Web UI and saving directly into Active
Directory technology. Captured password resets can be synchronized across multiple platforms using either FastPassCorp
connector technology or other synchronization tools available in your organization (for instance Microsoft ILM2007/2).
FastPass helps reduce the workload in the Help Desk, increase end-user productivity and strengthen security
A Password Management solution from FastPassCorp will save you both time and money and at the same time increase
end-user productivity (fast password retrieval), enhance service to a 24/7/365 password self-service and strengthen
security through a secure password reset process and enable stronger password policies to be enforced with no additional
support cost in the Help-desk.
For Executives:
• Reduce workload in Help-desk
• Make it possible for your employees to access systems even when the Help Desk is closed
• Enhance security
• Leverage past investments in Windows Server and Active Directory
• Typically ROI within 3-6 months
For Help Desk Managers:
• Remove 20-50% of calls to help desk
• Enhance logging and reporting
• Significantly lower total cost per forgotten password
• Increase employee satisfaction
• Easy implementation (from few hours to few days depending on complexity)
• Easy roll-out using automated enrollment services
For Employees:
• Extremely fast solution to a forgotten password situation
• Access to systems 24/7/365
• No need to involve other people (Help-desk, colleagues etc.)
• No barrier to comply with strict password security policies
• Simple to use
2.1 The architecture of FastPass Password Manager
The following describes and illustrates the architecture of FastPass Password Manager.
From a user perspective, the Password Manager offers web-based self-service features for maintaining passwords in the
enterprise. This is illustrated below.
Logically the Password Manager Server is built of multiple sub components each offering its own set of functions for the
total solution. The main components are listed in the table below:
Component: Description
Backend Server: Implements the control of all end-user transactions, communication to the Gateway Server, scheduled discovery of users in the domain infrastructure, control and coordination of password synchronizations, invitations of users etc.
Client Server: Implements the Web-interface for the end-users and communicates with the Backend Server.
Gateway Server: Implements access to the domain infrastructure and other Password Sync target systems.
All three main components are by default installed on the Password Manager Server and are directly configured to operate
together. A full implementation can be built on additional Client Servers and Gateway Servers. This is shown in the
illustration:
The solution is designed in a Service Oriented Architecture. All main components are implemented as web services running
on Microsoft Internet Information Server (IIS) and communications are using SOAP over HTTPS.
3. About the Password Manager Windows Client
The Password Manager Windows Client is a component that integrates with the login interfaces on different Windows
Workstation platforms and makes it possible for users to access the Password Manager solution to reset their password or
to unlock their account without being authenticated to the domain.
Windows XP integration is shown in Figure 1.
Figure 1 The Password Manager Windows Client login integration on Windows XP
Windows Vista/Windows 7 default integration is shown in Figure 2. Please note that the graphics in the upper right corner
can be removed, leaving only the text under the password field.
Figure 2 The Password Manager Windows Client login integration on Windows Vista/Windows 7
The tight integration into the login interfaces helps eliminate the need for end-user education. The solution to a “forgotten
password problem” sits directly in front of the end-user.
3.1 Vital changes in version 3.4.2.1
The “Login Integration” feature from older versions has been removed and a new one has been created instead, offering better
functionality and nearly the same design.
3.2 Vital changes in 3.4.2.4
The FastPass Windows Client now works even if the user has locked the computer; however, this integration differs between
Windows XP and Vista/Windows 7.
• Win 7: The end user simply activates FastPass. The Windows Client GUI starts, and the user can reset the
password, return to the login screen, log on and continue working.
• XP: If the machine is in the locked state and the user clicks the Forgotten Password button, the user will be asked whether
the current logon should be terminated. (By default, members of the Administrators group cannot be unlocked. This
can be changed; see the configuration description later in this document.)
A change has been made in this version to the way the credential provider integration is done. The new way ensures easier
integration with other credential providers such as Novell. In previous versions an icon was displayed on the Switch user
screen; this has now been removed by default. Instead, a clickable bitmap is placed in the upper right corner of the desktop;
details and screenshots can be seen below.
3.3 The architecture of Password Manager Windows Client
The Password Manager Windows Client integrations to the login interfaces are implemented in the best possible way
allowed by the client operating systems.
3.3.1 Windows XP
On Windows XP systems the Password Manager Windows Client is implemented as a GINA extension.
What is a GINA?
When you initially press Ctrl+Alt+Del on a Windows NT system, a logon screen appears. This module is called a GINA
(Graphical Identification and Authentication). GINA is designed for securing your IT environment, so you must log on before
you can do anything else.
The two types of GINAs
• GINA filter: Adds some additional capabilities to Windows XP, but it does not authenticate the user. You can have
multiple GINA filters, as long as each GINA filter can chain to the next GINA filter. There are a number of GINA
filters, such as the Password Manager Windows Client FastPassGINA.DLL, that are available.
• GINA authenticator: Handles the user authentication. It must be the last GINA called. Most people use one of two
GINA authenticators - the Microsoft MSGINA.DLL or the Novell NWGINA.DLL.
Chaining GINAs
Unfortunately, Microsoft does not have a standard for where to store the name of the next GINA in the chain. Most third-party
chaining GINAs store the next GINA to chain to in the registry. This means that if another third-party GINA is
installed, it can potentially break the GINA chain.
• Windows XP loads the GINA that is indicated by this Registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
• If this value is not present, Windows NT loads Microsoft's GINA, MSGINA.DLL.
• If the Password Manager Windows Client is in use, the value will be:
<SystemRootDrive>:\WINDOWS\System32\FastPassGINA.dll
• Password Manager Windows Client FastPassGINA.DLL loads the next GINA from the registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client\HookGINA.
• If this registry value does not exist, then it loads Microsoft's MSGINA.DLL.
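The load order described above can be checked from collected `reg query` output. The following is an added example, not FastPassCorp code: it resolves the two hops the guide documents (GinaDLL, then HookGINA, each falling back to MSGINA.DLL) and reports deviations. The function names, the allowlist and `othergina.dll` are assumptions made for illustration, and both captures are constructed.

```python
import ntpath
import re

# Registry keys named in the guide, lower-cased for case-insensitive lookup.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
FASTPASS = r"hkey_local_machine\software\fastpasscorp\windows client"
AUTHENTICATORS = {"msgina.dll", "nwgina.dll"}  # the two authenticators the guide names
FILTER = "fastpassgina.dll"


def parse_reg_query(text):
    """Parse `reg query` output into {key: {value_name: data}}, names lower-cased."""
    reg, key = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.upper().startswith("HKEY_"):
            key = stripped.lower()
            reg[key] = {}
        elif key is not None:
            parts = re.split(r"\t| {4}", stripped, maxsplit=2)  # name, type, data
            if len(parts) == 3:
                reg[key][parts[0].lower()] = parts[2].strip()
    return reg


def audit_gina_chain(reg):
    """Return (chain, findings) for the two hops the guide documents."""
    findings = []
    first = reg.get(WINLOGON, {}).get("ginadll")
    fastpass_key = reg.get(FASTPASS)  # None when the client's key is absent
    if first is None:
        # No GinaDLL value: Windows loads Microsoft's MSGINA.DLL.
        if fastpass_key is not None:
            findings.append("FastPass key exists but GinaDLL is unset; FastPassGINA is not loaded")
        return ["msgina.dll"], findings

    chain = [first]
    name = ntpath.basename(first).lower()
    if name != FILTER:
        if name not in AUTHENTICATORS:
            findings.append(f"first GINA {name} is not on the allowlist")
        if fastpass_key is not None:
            findings.append("FastPass key exists but FastPassGINA is not first; GinaDLL was replaced")
        return chain, findings

    if not ntpath.dirname(first).lower().endswith(r"\windows\system32"):
        findings.append(f"FastPassGINA loaded from unexpected path {first}")
    # FastPassGINA chains to HookGINA, or to MSGINA.DLL when the value is missing.
    nxt = (fastpass_key or {}).get("hookgina", "msgina.dll")
    chain.append(nxt)
    nxt_name = ntpath.basename(nxt).lower()
    if nxt_name == FILTER:
        findings.append("HookGINA points back at FastPassGINA; the chain never reaches an authenticator")
    elif nxt_name not in AUTHENTICATORS:
        findings.append(f"next GINA {nxt_name} is not a known authenticator; verify it chains onward")
    return chain, findings


# Constructed `reg query` captures (not taken from a real host).
HEALTHY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    GinaDLL    REG_SZ    C:\WINDOWS\System32\FastPassGINA.dll

HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client
    LaunchPanelFeatureEnabled    REG_DWORD    0x1
"""

# Another installer overwrote GinaDLL; othergina.dll is a hypothetical name.
REPLACED = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    GinaDLL    REG_SZ    C:\WINDOWS\System32\othergina.dll

HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client
    HookGINA    REG_SZ    msgina.dll
"""

if __name__ == "__main__":
    for label, capture in (("healthy", HEALTHY), ("replaced", REPLACED)):
        chain, findings = audit_gina_chain(parse_reg_query(capture))
        print(label, chain, findings)
```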
Unlock functionality
If a user is locked on an XP machine and the user activates the Forgot Password Button, FastPass will need to force a logoff of
the current user before being able to run. After activating the button FastPass will present the following dialog to the end
user.
Figure 3 Asking the user whether the current user should be logged off under Windows XP
By default the end user can unlock a user who is not in the Administrators group on the machine. A different group can be
specified in the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client\ProtectGroup (String)
FastPass will then check whether the logged-in user is a member of that group and only allow the forced logoff of users
who are not members of it.
What does the Password Manager Windows Client GINA do?
The Password Manager Windows Client FastPassGINA.DLL provides the following functions:
1. Supports the Ctrl+Alt+Del handling by a Password Manager Windows Client host
Security and FastPassGINA.DLL
Some customers have expressed concern that FastPassGINA.DLL opens a security hole into Windows XP. This is not the
case. FastPassGINA.DLL does not authenticate the user. FastPassGINA is present only to provide its listed capabilities.
Logging on and authenticating the users is the responsibility of the GINA that FPGINA chains to. If FastPassGINA does not
chain to a GINA that can authenticate you with Windows XP, it is impossible to log on to Windows XP.
Third-party GINAs
FastPassCorp has tested Password Manager Windows Client with a number of third-party GINAs that support GINA chaining
correctly. If any conflict occurs between Password Manager Windows Client and any third-party GINA, please report this to
FastPassCorp technical support and the third party company's technical support.
If the Password Manager Windows Client GINA is not loading
If you can boot into Windows XP, but the Password Manager Windows Client GINA is not loading, it is recommended that
you re-install Password Manager Windows Client. If you are loading several different programs that provide GINA
extensions, you may need to load the applications in a particular order so that the various GINAs chain properly.
Please Notice!
The GINA extension is implemented using GINA chaining, meaning that it will respect other GINA extensions. During
installation the Password Manager Windows Client hooks itself into the first position and chains the previously first GINA
extension as the next.
3.3.2 Windows Vista and Windows 7
On Windows Vista and 7 systems the Password Manager Windows Client is implemented as a Credential Provider that
allows the opening of the Windows Client Internet Browser style interface that connects to the Password Manager Server.
The overall design of the Vista logon system is shown in Figure 3. The extension provided to allow kiosk-mode access is a
Credential Provider (CP).
Figure 4 Overall Design of the Vista Logon System
Unlike the old-style GINA extension method used on Windows XP, the Credential Provider
method offers per-provider user prompting behavior. The Credential Provider architecture requires each provider to
enumerate its UI elements. For example, in a given scenario, a provider might indicate to LogonUI that it requires two edit
boxes, two captions, a checkbox, and a bitmap. In turn, LogonUI renders those controls on behalf of the credential provider.
A consequence of the change to the Credential Provider model is that absolutely no unintended relation exists between the
different credential providers, meaning that the rate of occurrence of problems caused by conflicting products has gone
significantly down.
Usability on Windows Vista and Windows 7
In Windows Vista systems the integration accessible to the end-user is as shown in Figure 5.
Figure 5 The default Windows Vista/Windows 7 login screen
3.4 Launch Window
The launch window is shown by default in Windows 7/Vista and can be disabled. By default the window is displayed in the
login and Switch user windows.
Figure 6 The “Launch window”
The window can be disabled by setting the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client\LaunchPanelFeatureEnabled
DWORD32 value data= 1|0 (0 will disable it)
Or by choosing another LI value when installing.
Disabling that functionality will enable an icon to appear in the Switch user window.
3.5 Launch Link
The launch Link can be used instead of the Launch window; however both cannot be enabled at the same time. The Link
works as the Launch Window.
Figure 7 The “Launch Link”
You can enable the Launch Link by setting the following registry value to 1 (and disabling the LaunchPanelFeatureEnabled
value above):
HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client\LaunchLinkFeatureEnabled
DWORD32 value data= 1|0 (0 will disable it)
For how to customize the different layouts, see Appendix A, page 31.
Please Notice!
On the Windows Vista platform there is no problem chaining to other Vista UI integrations. Every authentication
provider runs entirely in its own environment.
3.6 Functional description
During installation of the Windows Client, the installer creates a local user called FPKioskUser, initializes it and
disables the account. When a user activates the Windows Client from the login screen, the following happens:
• The FPKioskUser will be enabled
• The UserInit setting in the registry will be set to FPKioskInit
• A Login as the local user will be started
• FPKioskInit.exe will be started
• PMWindowsClient.exe will be started
When the session is over this will happen:
• PMWindowsClient will exit, starting the logoff process
• FPKioskInit will exit
• The FPKioskUser will be disabled
• The session will end displaying the login picture again
3.7 Enrollment Enforcement feature
As of version 3.4.2 (patch 5) the Password Manager Windows Client contains a new Enrollment Enforcement feature which
is designed to help get more users registered into the FastPass solution.
The feature is installed together with and shares both configuration and code with the Password Manager Windows Client.
The feature runs on PCs in the user session and is primarily visible as an icon in the Notification area (typically the lower
right corner). The icon represents the Enrollment Enforcement Client which is automatically started when a user logs on to
the PC. The client is responsible for checking the enrollment status in Password Manager and for executing configured
actions if required.
3.7.1 Flow of information
When a user logs on to Windows using a domain account the Enrollment Enforcement Client tries to get hold of the user's
enrollment status by sending a web service request to the FastPass Client which forwards this to the FastPass Server.
The FastPass Server uses the following logic to determine the enrollment status:
1. If the domain information contained in the request is unknown, return “UserRepositoryNotFound”.
2. If the user account for the request is unknown, return “UserNotFound”.
3. If the user account is enrolled, return “UserIsEnrolled”.
4. If the user account is locked in Password Manager, return “UserIsLocked”.
5. If the user is not allowed to enroll, return “UserCannotEnroll”. The check of whether the user is allowed to
enroll is based on the configuration of Authentication Profiles for the “Enroll User” operation.
6. If the user is not invited to enroll, return “UserCanEnroll”. The check of whether the user is invited is based on
the configuration of Enroll Profiles.
7. If the user is invited to enroll, return “UserMustEnroll”.
The enrollment status isn’t the only information returned to the Enrollment Enforcement Client. The following data is
delivered together with the enrollment status:
• OperationStatus
Indicates whether the request executed successfully (or failed).
• OperationStatusDetail
Optionally contains error details.
• UserEnrollmentStatus
The enrollment status.
• UserEnrollmentEnforcementMethod
Indicates which method the Enrollment Enforcement Client shall execute as a result of
the operation.
Possible values: None, Window and FullScreen.
• UserEnrollmentStatusCheckInterval
Indicates the interval at which to check the enrollment status.
• UserEnrollmentEnforcementGracePeriod
Indicates for how long the user can postpone when the enrollment status is
“UserMustEnroll”.
Various customizations can be made on the server side to manipulate the above flow, but before looking into this let's first
take a look at the user interfaces for the Enrollment Enforcement Client.
3.7.2 User Interfaces of the Enrollment Enforcement Client
The screenshots in the following section are what can be shown to the user if the UserEnrollmentEnforcementMethod
returned by the server is “Window”.
Notice that some of the screenshots contain a “Close” button. This button is only shown if the screenshot is taken from a
window shown after clicking the icon in the notification area.
The first screenshot illustrates the interface shown to an end user if the enrollment status returned by the server is
“UserIsEnrolled”.
The text shown in the screenshot is, as in all other screenshots, the default text delivered with the product, but everything is
fully customizable so any description can be shown.
As the identified enrollment status is “UserIsEnrolled” all options are shown, along with a button that simply closes the
window.
Clicking the “Postpone” button will cause the window to close and not be redisplayed before the selected time value
expires.
Clicking the “Enroll Now” button will cause the “FullScreen” method to be called which is the same interface as also
available directly from the Windows login interface.
The next screenshot illustrates the interface shown to an end user if the enrollment status returned by the server is
“UserCanEnroll”.
As the status here is “UserCanEnroll” the window does not contain a “Close” button. The reason is that although the user
isn’t forced to enroll we still want him/her to enroll so the provided options are to postpone and to enroll now.
The next screenshot illustrates the interface shown to an end user if the enrollment status returned by the server is
“UserMustEnroll”.
As the status is “UserMustEnroll” no option other than enroll now is given.
If the returned enrollment status is “UserRepositoryNotFound”, “UserNotFound” or “UserCannotEnroll” then the icon in the
notification area is hidden but checking continues at configured intervals.
If the user isn’t logged on with a domain account the application closes.
3.7.3 Parameter tweaking
As mentioned earlier the FastPass Server offers some options for tweaking the flow. In the current version all tweaking
parameters are global (the same for all organizations defined on a server and the same for all users). This will be changed in
future versions.
All parameters can be defined in the Registry under “HKLM\SOFTWARE\FastPassCorp\Password Manager”.
The following list contains the tweaking parameters related to the “UserEnrollmentStatusCheckInterval” return value:
• UserEnrollmentStatusCheckInterval_Default
• UserEnrollmentStatusCheckInterval_UserCanEnroll
• UserEnrollmentStatusCheckInterval_UserCannotEnroll
• UserEnrollmentStatusCheckInterval_UserIsEnrolled
• UserEnrollmentStatusCheckInterval_UserIsLocked
• UserEnrollmentStatusCheckInterval_UserMustEnroll
• UserEnrollmentStatusCheckInterval_UserNotFound
• UserEnrollmentStatusCheckInterval_UserRepositoryNotFound
The timing variables are used to limit the number of server requests. The default value of all parameters is 1440 which
refers to the number of minutes between checks. The values can be customized by creating a REG_DWORD value named
as listed. Be careful not to lower the value too much, as this will increase the traffic against your FastPass environment.
To allow for a more flexible enforcement the parameter “UserEnrollmentEnforcementGracePeriod_UserMustEnroll” can be
used to define the number of days that a user can be allowed to postpone before she/he is eventually forced to enroll. The
value is only returned to the Enrollment Enforcement Client if the FastPass Server identifies the enrollment status as
“UserMustEnroll”. The Enrollment Enforcement Client stores the time when it first sees this status for the
specific user, and from then on it only allows the user to postpone her/his enrollment until the grace period expires. Notice
that the timestamp is only stored on the PC, so if the user logs on to different PCs, each of them will allow her/him a
separate grace period.
By default the FastPass Server returns “FullScreen” as the value of the “UserEnrollmentEnforcementMethod” return value
when the enrollment status is “UserMustEnroll” and “Window” when the enrollment status is “UserCanEnroll”. To tweak
this behavior the following parameters can be defined as REG_SZ:
• UserEnrollmentEnforcementMethod_UserCanEnroll
• UserEnrollmentEnforcementMethod_UserCannotEnroll
• UserEnrollmentEnforcementMethod_UserIsEnrolled
• UserEnrollmentEnforcementMethod_UserIsLocked
• UserEnrollmentEnforcementMethod_UserMustEnroll
By default the FastPass Server uses Authentication Profiles and Enrollment Profiles as described earlier. If this logic isn’t
desired the following parameters can be used.
• UserEnrollmentEnforcementAllowPostpone_UserCanEnroll
If set to “False” the returned enrollment status will be switched to “UserMustEnroll”.
• UserEnrollmentEnforcementAllowPostpone_UserMustEnroll
If set to “True” the returned enrollment status will be switched to “UserCanEnroll”.
4. Displaying Custom messages after password reset – HelpPanel Feature
In some cases there is a need for displaying certain information after a user has done a password reset in the Windows
Client. This feature will display such a message as a bitmap. This feature is only available on Windows 7 machines.
To enable this feature a registry value must be set on the client machine, and a folder with the images must be created.
Create a 32 bit DWORD registry value named:
HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client\HelpPanelFeatureEnabled
Set the value data to 1.
The folder called HelpImages must be created under <INSTALLPATH>\FastPassWindowsClient\. The folder must contain
images for the possible languages the installation has. The naming convention is <LANG>.bmp; the <LANG> key value can be
seen in the LANGUAGE parameter for the installer.
The default language is English (EN.bmp), which has to be present.
The dimensions of the bmp images must be 250 x 500 pixels (W x H).
5. Using Windows Client with IIS Client Certificate Mapping
Using Windows Client with Client Certificates tightens the security of the FastPass solution by permitting only clients with a
proper certificate to access the solution. The certificate handling is all done by IIS on the server side. Please refer to the
following documentation:
http://www.iis.net/configreference/system.webserver/security/authentication/iisclientcertificatemappingauthentication
The Certificate mapping needs to be assigned on the website FastPass client resides on (Standalone/DMZ Client).
5.1 Configuring the Windows Client
The Windows Client must be able to send the client license to the server in order to get access. The client will load the
license from a password-protected PFX certificate file and also add it to the current user’s certificate store, if not already
present. This is configured in the PMWindowsClient-config.xml file like this:
<url target="https://<TARGETSERVER>/FastPassClient/Default.aspx" timeout="60" clientcertificatepath="c:\certificates\UserCert.pfx" clientcertificatepassword="M3x1AaUFJjmszSJ0gf9sv8pw==" />
The clientcertificatepath tells the client the path and filename of the pfx certificate file.
The clientcertificatepassword tells the client the password to the pfx file. Please notice that the password is encrypted. To
encrypt your password please contact FastPass support to get the application that will let you encrypt your password, or
even create your own encryption (this can be done using .NET).
When using this feature it is also necessary to set the
HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client\DisableLowercaseConfig (REG_SZ) registry value on the client
machine. The value data must be True.
The website address the clients access must reside in the user’s (and the local fpkioskuser account’s) Intranet or Trusted
Zone. This can be achieved using GPO to distribute the settings.
If the client has more than one certificate suited to be sent to the server, Windows presents a choice between certificates.
This must be avoided. To avoid this, limit the trusted CAs on the web server (as the client will only find certificates the server
trusts as suitable).
6. Windows Client only access
To prevent browser/mobile clients from accessing the FastPass solution, the client can be set up to limit the access to the site.
This feature is normally used to limit the access to the FastPass Client when accessing the solution from the Internet. To limit
the access add the following REG_SZ value to the registry:
HKLM\Software\FastPassCorp\Password Manager\SelfServiceClientRestrictionClientType
Value data: WindowsClient;Browser;MobileClient
The above value data will restrict all clients; “;” is the delimiter.
When set, the Client restricts access for all clients other than the ones mentioned. E.g. setting the value to WindowsClient will
only permit the Windows Client to access the website. If it is set, the feature will send a 404 HTTP status code to all other
clients.
Furthermore it is possible to limit access to the client by domain. This feature only targets the Windows Client; the
prerequisite is that the SelfServiceClientRestrictionClientType setting is set to WindowsClient. To limit by domain, simply add
the REG_SZ value:
HKLM\Software\FastPassCorp\Password Manager\SelfServiceClientRestrictionClientDomain
Set the value data to the NetBIOS name of the domain. Multiple domains can be added, separated by “;”, e.g.:
DomainA;domainB
7. Security measures inside Windows Client
7.1 Url restrictions
By default the Windows Client will only let its web part load pages whose URL holds the /FastPassClient/ part, amongst
others. The intention is to prevent any visits to malicious web pages. The pages allowed in the Windows Client are controlled
in the PMWindowsClient-config.xml file in the following section.
<urlrestrictions>
  <!-- BUILD-IN <urlrestriction type="allow" behavior="hidden" matchmethod="regexp" url="^https://.+/FastPassClient/" /> -->
  <!-- BUILD-IN <urlrestriction type="allow" behavior="hidden" matchmethod="regexp" url="^javascript:__doPostBack\('ctl00\$butMenu" /> -->
  <!-- BUILD-IN <urlrestriction type="deny" behavior="hidden" matchmethod="regexp" url="^about:" /> -->
  <!-- BUILD-IN <urlrestriction type="deny" behavior="visible" matchmethod="regexp" url="^http://" /> -->
  <!-- SAMPLE <urlrestriction type="allow" behavior="visible" matchmethod="regexp" url="^https://demo.fastpasscorp.com/" /> -->
  <!-- SAMPLE <urlrestriction type="allow" behavior="visible" matchmethod="startwith" url="https://demo.fastpasscorp.com/" /> -->
  <!-- SAMPLE <urlrestriction type="allow" behavior="visible" matchmethod="endswith" url=".aspx" /> -->
  <!-- SAMPLE <urlrestriction type="allow" behavior="visible" matchmethod="contains" url="//demo.fastpasscorp.com/" /> -->
  <!-- SAMPLE <urlrestriction type="deny" behavior="visible" matchmethod="regexp" url="^javascript:__doPostBack\('ctl00\$butMenuChangePwd" /> -->
  <!-- SAMPLE <urlrestriction type="deny" behavior="visible" matchmethod="nregexp" url="(^https://.+/FastPassClient/)|(^javascript:__doPostBack\('ctl00\$butMenu)" /> -->
  <!-- SAMPLE <urlrestriction type="deny" behavior="visible" matchmethod="regexp" url="^javascript:__doPostBack\('ctl00\$butMenuChangePwd" /> -->
</urlrestrictions>
Use the rules to customize the usage in the specific environment.
7.2 Keyboard restrictions
The Windows Key and the Print Screen keys will not work while the Windows Client is open. Normally no further
modifications of the key restrictions are needed; however, if you expect to change these settings please contact FastPass
support for further documentation regarding this.
7.3 Process restrictions
To make sure that no other processes are launched while the Windows Client is open, process restrictions are in place.
The way this works depends on the architecture.
• XP: The FastPassGina.dll controls the processes run until the Windows Client itself has started. When the client has
started it takes over the monitoring while the Gina part controls that the Windows Client is still running. If the Gina
detects that the Windows Client is not alive (it will monitor heartbeats sent by the process) it will terminate the
session and log off.
• Vista/Windows 7: The FPKioskInit controls the processes run until the Windows Client itself has started. When the
client has started it takes over the monitoring while the FPKioskInit part controls that the Windows Client is still
running. If the FPKioskInit detects that the Windows Client is not alive (it will monitor heartbeats sent by the
process) it will terminate the session and log off.
When the VPN feature is enabled other processes have to be allowed to run – this can be specified in a special section so the
process names are only allowed in the specific state of the Windows Client. Process restrictions can also be customized using
the configuration parameters below. There might be certain processes that have to be allowed in a specific environment.
<processrestrictions>
  <processrestriction type="allow" state="always" action="log" matchmethod="equals" executable="C:\Program Files (x86)\FastPassCorp\FastPassWindowsClient\PMWindowsClient.exe" />
  <processrestriction type="allow" state="always" action="log" matchmethod="equals" executable="C:\Program Files\FastPassCorp\FastPassWindowsClient\PMWindowsClient.exe" />
  <processrestriction type="allow" state="always" action="log" matchmethod="equals" executable="C:\Windows\System32\FastPassKioskInit.exe" />
  <processrestriction type="allow" state="always" action="log" matchmethod="regexp" executable="^.:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\" />
  <processrestriction type="allow" state="always" action="log" matchmethod="regexp" executable="^.:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\" />
  <processrestriction type="allow" state="always" action="log" matchmethod="regexp" executable="^.:\\Windows\\System32\\conhost.exe$" />
  <processrestriction type="allow" state="always" action="log" matchmethod="regexp" executable="^.:\\windows\\System32\\taskhost.exe$" />
  <processrestriction type="allow" state="always" action="log" matchmethod="equals" executable="C:\Program Files\FastPassCorp\FastPassWindowsClient\PMWindowsClient.exe" />
  <processrestriction type="allow" state="vpnopening" action="log" matchmethod="endswith" executable="cmd.exe" />
  <processrestriction type="allow" state="vpnclosing" action="log" matchmethod="endswith" executable="cmd.exe" />
</processrestrictions>
<processrestrictionactionstartupchecks>10</processrestrictionactionstartupchecks>
<processrestrictionactionstartup>log</processrestrictionactionstartup>
<processrestrictionaction>kill</processrestrictionaction>
<processrestrictioncheckinterval>500</processrestrictioncheckinterval>
Processes not listed as allowed will be killed within 500ms by default.
Please Notice!
The C level part (Gina on XP and Credential Provider on Windows 7/Vista) can only accept “EQUALS” rules. You will
need to add different paths to make sure that the C level part will not kill and exit the session itself.
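The URL rules in section 7.1 and the process rules in section 7.3 can be reviewed offline before a configuration is rolled out. The following Python script is an added example, not part of the FastPass product or its documentation: it loads rules in the format shown above and reports which allow rules also match constructed URLs and paths outside the intended server and binaries. The meaning given to each matchmethod, the case-insensitive comparison, the probe values and the tightened rule are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: rule strings copied from the page's BUILD-IN/SAMPLE comments
# and its <processrestrictions> listing, uncommented so they can be audited.
SAMPLE_CONFIG = r"""<config>
 <urlrestrictions>
  <urlrestriction type="allow" behavior="hidden" matchmethod="regexp" url="^https://.+/FastPassClient/" />
  <urlrestriction type="allow" behavior="visible" matchmethod="regexp" url="^https://demo.fastpasscorp.com/" />
  <urlrestriction type="allow" behavior="visible" matchmethod="startwith" url="https://demo.fastpasscorp.com/" />
  <urlrestriction type="allow" behavior="visible" matchmethod="endswith" url=".aspx" />
  <urlrestriction type="allow" behavior="visible" matchmethod="contains" url="//demo.fastpasscorp.com/" />
  <urlrestriction type="deny" behavior="visible" matchmethod="regexp" url="^http://" />
 </urlrestrictions>
 <processrestrictions>
  <processrestriction type="allow" state="always" action="log" matchmethod="equals" executable="C:\Windows\System32\FastPassKioskInit.exe" />
  <processrestriction type="allow" state="always" action="log" matchmethod="regexp" executable="^.:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\" />
  <processrestriction type="allow" state="always" action="log" matchmethod="regexp" executable="^.:\\Windows\\System32\\conhost.exe$" />
  <processrestriction type="allow" state="vpnopening" action="log" matchmethod="endswith" executable="cmd.exe" />
 </processrestrictions>
</config>"""

# Hypothetical tightened form of the first URL rule: host pinned, dots escaped.
TIGHTENED_CONFIG = r"""<config><urlrestrictions>
  <urlrestriction type="allow" behavior="hidden" matchmethod="regexp" url="^https://demo\.fastpasscorp\.com/FastPassClient/" />
</urlrestrictions></config>"""

# Constructed process paths that are not the binaries the sample rules name.
PROCESS_PROBES = [
    r"D:\Temp\othercmd.exe",
    r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\unexpected.exe",
    r"X:\Windows\System32\conhost.exe",
]


def rule_matches(method, pattern, value):
    """Assumed semantics of each matchmethod (the page names the methods but does
    not define them); comparison is case-insensitive, which is also an assumption."""
    method = method.lower()
    if method in ("regexp", "nregexp"):
        found = re.search(pattern, value, re.IGNORECASE) is not None
        return found if method == "regexp" else not found
    p, v = pattern.lower(), value.lower()
    checks = {"equals": v == p, "startwith": v.startswith(p),
              "endswith": v.endswith(p), "contains": p in v}
    if method not in checks:
        raise ValueError("unknown matchmethod: %r" % method)
    return checks[method]


def url_probes(host):
    """Constructed URLs that are not on `host`; a tight allow rule matches none."""
    return [
        "https://unrelated.example/FastPassClient/Default.aspx",  # other host, same path
        "https://unrelated.example/?next=//%s/" % host,           # host only in the query
        "https://%s/FastPassClient/Default.aspx" % host.replace(".", "X"),  # '.' as wildcard
    ]


def audit_url_rules(config_xml, host):
    """Return (matchmethod, url, hits) for every allow rule that matches a probe."""
    findings = []
    for rule in ET.fromstring(config_xml).iter("urlrestriction"):
        if rule.get("type") != "allow":
            continue
        method, pattern = rule.get("matchmethod"), rule.get("url")
        hits = [u for u in url_probes(host) if rule_matches(method, pattern, u)]
        if hits:
            findings.append((method, pattern, hits))
    return findings


def audit_process_rules(config_xml, probes=PROCESS_PROBES):
    """Return (state, matchmethod, executable, c_level_usable, hits) per allow rule.
    c_level_usable reflects the page's note that the C level part only accepts
    EQUALS rules."""
    report = []
    for rule in ET.fromstring(config_xml).iter("processrestriction"):
        if rule.get("type") != "allow":
            continue
        method, pattern = rule.get("matchmethod"), rule.get("executable")
        hits = [p for p in probes if rule_matches(method, pattern, p)]
        report.append((rule.get("state"), method, pattern, method.lower() == "equals", hits))
    return report


if __name__ == "__main__":
    host = "demo.fastpasscorp.com"
    for method, pattern, hits in audit_url_rules(SAMPLE_CONFIG, host):
        print("URL allow rule %s %r also matches: %s" % (method, pattern, hits))
    print("tightened rule findings:", audit_url_rules(TIGHTENED_CONFIG, host))
    for row in audit_process_rules(SAMPLE_CONFIG):
        print("process rule [%s] %s %r  C-level usable: %s  extra matches: %s" % row)
```

A rule that appears in the URL findings, or a process rule with extra matches, is a candidate for a pinned host name, escaped dots or a full path with matchmethod "equals".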
8. Installing the Password Manager Windows Client
The Password Manager Windows Client is distributed in a single MSI installer package for all the supported platforms and it
can be installed silently by specifying options on the command line or in a configuration file.
On Windows XP a reboot of the machine is needed after the installation before the “Forgot Password” button will be
displayed in the Login dialog but there is no other reason to perform the reboot directly after the installation so typically
this reboot can be postponed.
In Windows Vista/Windows 7 reboot is not required.
8.1 Supported Platforms
The Password Manager Windows Client is supported on the following Windows Operating Systems.
Operating Systems                    Limitations
Windows XP Professional 32 bit       None
Windows XP Professional 64 bit       None
Windows Vista Business 32 bit        None
Windows Vista Business 64 bit        None
Windows Vista Enterprise 32 bit      None
Windows Vista Enterprise 64 bit      None
Windows Vista Ultimate 32 bit        None
Windows Vista Ultimate 64 bit        None
Windows 7 32 bit                     None
Windows 7 64 bit                     None
For operation in Terminal Services environment the following platforms are supported:
Operating Systems                    Limitations
Windows Server 2003 family 32 bit    None
Windows Server 2003 family 64 bit    None
Windows Server 2008 family 32 bit    Versions 3.4.1.0 and before: None / 3.4.2.0 version with the “Launch Window disabled”
Windows Server 2008 family 64 bit    Versions 3.4.1.0 and before: None / 3.4.2.0 version with the “Launch Window disabled”
8.2 Pre-requirements
The Password Manager Windows Client has the following pre-requirements for installation on any of the supported
platforms.
Operating Systems          Comments
Microsoft .NET v3.5 SP1    Higher versions like v4.0 include v3.5 SP1, and installation of these as alternatives is
                           therefore also supported.
8.3 Administrative privileges required
When you are trying to install FastPass Windows Client you will sometimes meet this message.
What you need to do is to run the installer from a command prompt with Administrative privileges.
To achieve this:
Click on your start menu on the PC and in the search menu type cmd.exe, then right-click cmd.exe and choose Run as
Administrator. You might be prompted to give credentials and password.
You will now have to change the command line to the folder where the FastPass Windows Client.msi resides.
8.4 Installation using GUI
The Password Manager Windows Client can be installed in GUI mode which is described and illustrated in the following.
To start the installation you must be logged on as a user with administrative privileges and then start the installer program,
by default named “FastPassWindowsClient.msi”. This will bring up the InstallShield Wizard program.
Click the “Next” button to continue and the “End User License Agreement” screen will be shown.
Click the “Next” button to accept and to continue and the user specification screen will be shown.
Type in User and Organization information and click the “Next” button to continue and the Installation destination selection
screen will be shown.
Click the “Browse” button to specify an alternative installation destination and eventually click the “Next” button to
proceed. This will bring you to the “Installation Confirmation” screen, which is the last chance to cancel before the actual
installation will be performed.
Click the “Install” button to proceed. This will initiate the installation process and bring up the “Installation Progress”
screen.
On successful completion the wizard automatically shifts to the “Finish” screen.
Click the “Finish” button. This will close the InstallShield Wizard.
8.5 Installation using Command Line options
The Password Manager Windows Client can be installed in silent mode and configured to access a specific Password
Manager server using command line options. Supported options:
• KIOSKACCOUNT="fpkioskuser" (Default)
Unprivileged account used by the solution.
• LI=[2|1|0] (Default setting is 1)
o 2 – Launch Link
o 1 – Launch Window
o 0 – Only the icon at the “Switch User” panel is shown
o Note: the LI feature is only present on Windows Vista, Windows 7 and Windows Server 2008, but
causes no issues when the parameter is used under XP
• IE=[1|0] (Default setting is 0)
Internet Explorer initialization for the KIOSKACCOUNT. (If a proxy is specified in the configuration file for Fa then
this setting must be set to one when installing)
• SERVER="selfservice.mydomain.local"
Server to be accessed.
• SERVERURL="https://selfservice.mydomain.local/FastPassClient/Default.aspx"
Full specification of the URL to be accessed.
• LANGUAGE=[da|de|en|es|fr|nl|no|sv|pt|it]
Default language to be used if the system language setting isn’t supported by the Windows Client.
Value   Language
da      Danish
de      German
en      English
fr      French
nl      Dutch
no      Norwegian
sp      Spanish
sv      Swedish
pt      Portuguese
it      Italian
• FORCELANGUAGE=[0|1]
Forces the use of a specific language (value of LANGUAGE or “en”) instead of defaulting to the system settings.
• ID=[GUID]
Sets the design of the Windows Client. (Please take a look at the appendix regarding the different designs and the
corresponding ID values.)
• ECC=[0|1]
Whether the Enforcement Client should also be installed; this is enabled (1) by default.
The syntax for this is as shown in the following.
<MSIFILE> /quiet SERVERURL="https://<server>/FastPassClient/Default.aspx" IE=1
Where <MSIFILE> shall be replaced with the filename of the installer, which by default is FastPassWindowsClient.msi.
Supported MSI parameters for control of booting:
• /forcerestart
• /norestart
If no boot parameters are specified UI installations will prompt the user to restart and silent installations will complete
without prompting or booting.
Please Notice!
When installing using the “/quiet” option the installation is done into the path %ProgramFiles%\FastPassCorp, so
typically “C:\Program Files\FastPassCorp”.
8.6 Installation using XML Configuration file
The Password Manager Windows Client can be installed in silent mode and fully configured using a command line option
that points to an XML configuration file.
The syntax for this is as shown in the following.
<MSIFILE> /quiet CONFIGFILE="PMWindowsClient-config.xml"
Or
<MSIFILE> /quiet CONFIGFILE="\\ComputerName\SharedFolder\PMWindowsClient-config.xml"
In most installations the proxy settings are not needed, since they are already available from the machine default settings,
and then this whole section can be left out. If you have the same proxy everywhere you can also enter it here.
Please Notice!
When installing using the “/quiet” option the installation is done into the path %ProgramFiles%\FastPassCorp, so
typically “C:\Program Files\FastPassCorp”.
8.7 Post installation configuration
The Password Manager Windows Client can also be configured after installation.
This is done by editing the configuration file found under the following path.
<INSTALLDIR>\FastPassCorp\Configuration\FastPassWindowsClient\PMWindowsClient-config.xml
Where <INSTALLDIR> shall be replaced with the selected installation directory typically “C:\Program Files”.
The configuration file could look similar to what is shown in the following.
<?xml version="1.0" encoding="utf-8" ?>
<config>
  <formTitle>Password Manager Client</formTitle>
  <buttonTitle>Exit</buttonTitle>
  <language>en</language>
  <records>
    <record>
      <!-- section one -->
      <conditions>
        <pings>
          <!-- ping each reference until one responds -->
          <!--<ping host="10.0.0.249"/>-->
          <!--<ping host="server400.fastpasscorp.com"/>-->
        </pings>
        <networks>
          <!-- at least one active network card must be within one of these networks -->
          <!--<network lowrange="10.0.0.2" highrange="10.0.0.254" />-->
        </networks>
        <defaultGateways>
          <!-- at least one of these gateways must match current default gateway -->
          <!--<defaultGateway ip="10.0.0.250" />-->
        </defaultGateways>
        <dnsSuffixes>
          <!-- at least one of these dns names must match current dns name -->
          <!--<dnsSuffix name="fastpasscorp.com" />-->
        </dnsSuffixes>
        <dnsServers>
          <!-- at least one of these dns names must match current dns name -->
          <!--<dnsServer ip="10.0.0.212" />-->
        </dnsServers>
        <dhcpServers>
          <!--<DhcpServer ip="10.0.0.213" />-->
        </dhcpServers>
      </conditions>
      <urls timeout="20">
        <!-- Syntax: <url target="URI" [timeout="seconds"] [proxy="URI"] [pacFile="URI"] -->
        <!-- URI syntax: [scheme://]hostname-or-IP[:port]/page -->
        <!-- scheme ::= {http://|https://} -->
        <!-- hostname ::= {www.google.com} -->
        <!-- IP ::= {74.125.77.103}-->
        <!-- Port ::= {8080}-->
        <!-- page ::= {FastPassClient/Default.aspx}-->
        <!--<url target="https://passwordmanager/FastPassClient/Default.aspx" timeout="5" proxy="10.0.0.249:8080"/>-->
        <!--<url target="https://passwordmanager/FastPassClient/Default.aspx" pacFile="http://servername/aa.pac"/>-->
        <url target="https://passwordmanager/FastPassClient/Default.aspx"/>
      </urls>
    </record>
  </records>
</config>
Please Notice!
The number of supported languages is continuously expanding, and furthermore this can be controlled by the Password
Manager Server configuration. Read the Installation Guide for the Password Manager Server to see the newest list of
supported languages and read the Administrators Guide for information on how to customize language behavior.
8.8 Running the Windows Client in a Terminal Services/Citrix environment
Windows Client is fully compatible with running in a Terminal Services/Citrix environment. From version 3.4.2.0, running with
Terminal Services/Citrix under Windows Server 2008 is only advised when the Launch Window feature is not used. Disabling
it is done by setting a registry parameter – please check the Windows 7 section where this is described in detail.
The Windows Client supports operating in a Terminal Services and/or Citrix environment; however, there are some limitations
and settings that need to be set to ensure secure operation.
8.8.1 Installing
Please install the Windows client as described above but after the installation the following has to be done.
1. Edit the local user on the Terminal Services server called FPKioskUser and allow the user to log on to Terminal
Services (validate this by logging in as the user)
2. Change the user settings
This will ensure that the FPKioskUser is able to login and that sessions will not pile up. (The Windows Client itself will also
detect lost sessions and end the session on detect)
8.8.2 Setting up Citrix GINA component
The following refers to a system where there are no third-party GINAs other than Citrix.
If the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ctxGINADLL
is set, please contact FastPass Support to analyze the Ginas before installing the Windows Client. If the Windows Client is
installed before Citrix Presentation Server the software should work without changes – but if the Windows Client is installed
on a system where the Citrix installation is already present, changes will have to be made to the registry.
Before installing:
Validate that the key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GINADLL is either set to ctxGINA.dll or MSGina.dll.
After installing:
After installing the Windows Client, do not reboot until the following Registry changes are done. Set the following values:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GINADLL = ctxGINA.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ctxGINADLL = FastPassGina.dll
Then set the FastPass Keys:
HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client\HookGINA=msgina.dll
Now reboot the system.
NOTE: If Ctxgina.dll is not the primary GinaDll set in
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GINADLL, the following Citrix-specific functionality is unavailable:
1. Users cannot log on with UPN user names; for example, [email protected].
2. Users cannot log on with a password that is longer than 15 characters.
3. Citrix Auto Client Reconnect fails.
4. Clients configured with "User Specified Credentials" fail
After the steps above have been completed, test that the Gina is shown correctly on the Console and via RDP (NOT ICA).
Finally there is an option on the ICA-tcp connection in the ‘Terminal Service Configuration’ Management Console that is set
by default to ‘Use standard Windows logon interface’. Make sure that this option is not selected.
9. Upgrading the Windows Client
From version 3.4.2.3 the FastPass Windows Client can be updated by installing over the current version. But there are some
things to pay attention to.
1. The configuration file will not be updated by FastPass. Some versions add important features and defaults to
FastPass, therefore we recommend creating a new configuration file and installing using the CONFIGFILE
parameter. This will ensure that the current config file gets overwritten.
2. On Windows 7 the integration has changed – please check the section regarding this in this document.
3. Reinstalling on XP will not destroy chaining to other Ginas, FastPass will leave the chain as it was found.
4. FastPass will from now on have a new Product Code for each version – which will let you install over a previous
version without uninstalling and rebooting.
5. When using this option uninstalling the old version is not advised unless the application is not to be used at all.
10. Setting up for Remote Password Reset
With this feature a user is able to reset the password, and get the local machine’s cached password updated, from
anywhere. To use this feature a VPN connection and script must be set up for use with Windows Client.
10.1 How it works
Basically the VPN can be started up either:
1. As soon as the Windows Client starts (FullVPN)
2. Right after the user has reset the password (VPN)
Here are overall steps in the communication:
1. When the Windows Client starts it will open up the web-page and display it to the user
2. Once the user activates the Exit button, and the feature is enabled in the PMWindowsClient config file, the
credentials are fetched from Password Manager.
3. When the user activates the exit button, Windows Client will contact the Password Manager server if the
usevpnconnection feature is set to true in Windows Client config.
4. If and only if a password reset has been successfully carried out the VPN script specified in the config is called
5. If the connection succeeds and Windows Client can connect to a domain controller the Password Cache is updated
6. The close VPN script is called
7. Windows Client exits
Windows Client will call the script – the script itself will have to be changed to fit the customer’s VPN software. Example
scripts are found in the VPN folder under the FastPassWindowsClient folder.
10.2 Preparing the Server
On the server side the VPN setup can be enabled by opening the administration client and clicking the Feature
settings->Windows Client icon (if not present, the feature might be missing in your License). When it is opened the following
screen appears:
By default the “settings for local Connections” is enabled. This will let Windows Client update the locally cached password
on the Lan and not wait for the user to login manually.
To enable the VPN feature we will have to adjust the settings for “Settings for Remote Connections”
Basic settings:
• Profile Name: this name is relayed to the Windows Client and will be available in the VPNScript as an environment
variable
• Credential mode
o User Credentials (The users username and password) (cannot be used with the FullVPN feature)
o Specific Password (The users username and the specified password)
o Specific Credentials(The specified username and password)
• UserName: Is only used when the specific credentials are used
• Password: Is only used when the “specific credentials” or “specific password” is used
VPN Opening Settings
• VPN Open Script: The name of the script/executable to be called - has to be residing in the
FastPassWindowsClient\VPN folder
• Delay before open: Sets the number of seconds to wait before calling the script
• Open operation timeout: Specifies how long to wait for the VPN open operation to complete
• Delays after open: Specifies how long to wait before moving to the Update operation.
Update Operation Settings
• Delay before update: Sets the number of seconds to wait before attempting the operation
• Number of update retries: How many times to retry the operation if it fails
• Delay between retries: Specifies how long to wait before making a retry operation
• Delays after update: Specifies how long to wait before moving to the close operation.
VPN Closing Settings
• VPN Close Script: The name of the script/executable to be called - has to be residing in the
FastPassWindowsClient\VPN folder
• Delay before close: Sets the number of seconds to wait before calling the script
• Close operation timeout: Specifies how long to wait for the VPN close operation to complete
• Delays after Close: Specifies how long to wait before exiting.
10.3 Preparing the Client
10.3.1 Config changes
There are a few things to prepare on the Windows Client. In the PMWindowsClient-config.xml file you will have to enable the
VPN feature by setting usevpnconnection to true like this:
<usevpnconnection>true</usevpnconnection>
10.3.2 Creating a script
You can use the examples placed in the FastPassClient\vpn folder.
The Windows Client will make the credential information available to the selected VPN script by creating the
following environment variables:
• VpnProfile
• VpnUsername
• VpnPassword
11. Customizing the splash screen
It is possible to customize some of the images in the Windows Client, providing a known look and feel to the users.
The background color can be set using the following registry key:
HKLM\SOFTWARE\FastPassCorp\Windows Client\CustomBackgroundColor (String)
Colors are defined as in HTML, so e.g. #FFFFFF or White are valid values.
The splash image can be set using this key: HKLM\SOFTWARE\FastPassCorp\Windows Client\CustomImage (String)
The value should be the complete path to a jpg file (please ensure that the jpg file is readable for the fpkioskuser).
12. Uninstalling the Password Manager Windows Client
The Password Manager Windows Client is uninstalled from the Control Panel. The following sections describe how this is
done in Windows XP and in Windows Vista.
12.1 Uninstalling from a Windows XP machine
To uninstall the Password Manager Windows Client from a Windows XP machine you must be logged in as a user with
administrative rights.
Open the “Add/Remove Programs” from the “Control Panel”.
Select the “FastPass Windows Client” and select the “Uninstall” button at the top of the program list.
The uninstall will be performed and the “Programs and Features” program will be shown again.
12.2 Uninstalling from a Windows 7/Windows Vista machine
To uninstall the Password Manager Windows Client from a Windows Vista machine you must be logged in as a user with
administrative rights.
Open the “Programs and Features” program from the “Control Panel”.
Select the “FastPass Windows Client” and select the “Uninstall” button at the top of the program list.
Click the “Yes” button to confirm that the uninstall should be performed.
Windows UAC will prompt you to warn about the action; select “Allow” for the uninstall to be performed.
The uninstall will be performed and the “Programs and Features” program will be shown again.
13. Appendices
13.1 Appendix A: Custom Windows Client Layout Settings for Launch Panel
In FastPass Windows Client you can choose between different FastPass Windows Client layouts. The layout affects how
the icons displayed on the login screen look. The different designs can be seen below along with their design IDs.
The design can be chosen either by setting the design ID at installation time (as described in the installation parameter
section) or by setting the design ID in a registry key as described below.
Go to your Windows Client PC and open the Run menu.
Type Regedit and navigate to the following position:
HKLM\Software\FastPassCorp\Windows Client\ProductID
Create a new String Value and name it ProductID, then right-click the new String Value and choose Modify.
Design ID: 03BC0A20-9BB9-4464-96D3-29FA163D3EF0
Design ID: 03BC0A20-9BB9-4464-96D3-29FA163D3EF1
Design ID: 03BC0A20-9BB9-4464-96D3-29FA163D3EF2
Design ID: 03BC0A20-9BB9-4464-96D3-29FA163D3EF3
Design ID: 03BC0A20-9BB9-4464-96D3-29FA163D3EF4
Design ID: 03BC0A20-9BB9-4464-96D3-29FA163D3EF5
Design ID: 03BC0A20-9BB9-4464-96D3-29FA163D3EF6
Design ID: 03BC0A20-9BB9-4464-96D3-29FA163D3EF7
You can also set the layout to show a Link Text instead of an Icon in the right corner.
See section 3.5 for how to configure this.
13.2 Appendix B: Custom Windows Client Layout Settings for Launch Text
Like the Launch Panel, the Launch Text can also be customized, as described below.
To change the Text Link color, go to HKLM\Software\FastPassCorp\Windows Client
Insert the following 3 REG_DWORD values:
• LaunchLinkTextColorB: Insert value between 1 and 255
• LaunchLinkTextColorG: Insert value between 1 and 255
• LaunchLinkTextColorR: Insert value between 1 and 255
Open a paint program, choose your color, and insert its values.
Example
• LaunchLinkTextColorB: 40
• LaunchLinkTextColorG: 225
• LaunchLinkTextColorR: 50
The Text Link will have the same color as in the paint program shown above: green