15.1 Prerequisites
Ensure that SecureLogin is installed in Microsoft Active Directory mode and the user is part of an Active Directory domain.
(Conditional) VC++ Redistributable - Install this component if you are on Windows 8 or Windows 2012 server. To download, go to Microsoft Download Center (http://www.microsoft.com/en-in/download/details.aspx?id=30679). While downloading, select the executable based on your platform. For instance, for a 64-bit platform, select vcredist_x64.exe.
NOTE: vcredist_arm.exe is not supported on SecureLogin.
.NET Framework version 3.5 - To download, go to Microsoft Download Center (http://www.microsoft.com/en-in/download/details.aspx?id=25150). For instructions on installing .NET Framework version 3.5, see Section 15.2.1, “Installing .NET Framework 3.5,” on page 108.
Client Login Extension 3.7.2 (CLE) - The setup utility is placed in the <CD_ROOT>/ClientLoginExtension folder. Here CD_ROOT refers to the location where the SecureLogin files are extracted. The .NET Framework 3.5 is required to proceed with the CLE 3.7.2 installation.
For instructions on installing Client Login Extension 3.7.2, see Section 15.2.2, “Installing Client Login Extension 3.7.2,” on page 108.
108 NetIQ SecureLogin Administration Guide
Ensure that SSPR is installed and the challenge-response information is set up for the user. For information on configuring challenge-response information, see Configuring Challenge Response Authentication (https://www.netiq.com/documentation/sspr3/adminguide/data/b14go6pf.html).
The user must log in in online mode at least once before attempting to connect by using the Emergency Access feature. Logging in in online mode ensures that any changes to the challenge-response questions are updated in the local cache.
15.2 Installing Dependent Components
Section 15.2.1, “Installing .NET Framework 3.5”
Section 15.2.2, “Installing Client Login Extension 3.7.2”
15.2.1 Installing .NET Framework 3.5
(Conditional) Execute this procedure if you are on a Windows 8 or Windows 2012 server. For other versions of Windows, you can download and install the .NET Framework without executing any additional steps.
1 Execute the following command:
Dism /online /enable-feature /featurename:NetFx3 /All /LimitAccess /Source:<drive>:\sources\sxs
Replace <drive> with the location of the Windows Installation media.
For example, if your Windows Installation media is in drive D, the command is:
Dism /online /enable-feature /featurename:NetFx3 /All /Source:D:\sources\sxs /LimitAccess
15.2.2 Installing Client Login Extension 3.7.2
1 Go to the <CD_ROOT>/ClientLoginExtension folder. Here CD_ROOT refers to the location where the SecureLogin files are extracted. Select the executable for your platform. For instance, if you are on a 64-bit platform, select the executable inside the win64 folder.
2 Run ClientLoginExtensionConfigurationUtilitySetup.exe as an administrator. Follow the prompts to complete the installation.
3 ClientLoginExtension 3.7.2 by default installs the IdentityManagerClientLoginExtension_en.msi in the MyDocuments folder. All the libraries are copied to the System32 folder.
The files copied to Windows 2012, Windows 7, and Windows 8 workstations are:
CLECredentialProvider.dll
CLECredentialProviderFilter.dll
RestrictedBrowser.dll
RestrictedBrowser.exe
The files copied to a Windows XP workstation are:
MSGinaExtension.dll
NCLoginExtension.dll
RestrictedBrowser.dll
RestrictedBrowser.exe
The installation process creates two shortcuts to ClientLoginExtensionConfigurationUtility.exe, one for the desktop and one for the Programs menu. The process installs the following folders and files in the installation folder:
ClientLoginExtensionConfigurationUtility.exe
Interop.WindowsInstaller.dll
license.rtf
Installer/
IdentityManagerClientLoginExtension_en.msi (English--default)
IdentityManagerClientLoginExtension_de.msi (German)
IdentityManagerClientLoginExtension_es.msi (Spanish)
IdentityManagerClientLoginExtension_fr.msi (French)
IdentityManagerClientLoginExtension_it.msi (Italian)
IdentityManagerClientLoginExtension_ja.msi (Japanese)
IdentityManagerClientLoginExtension_zh_CN.msi (Chinese Mandarin)
IdentityManagerClientLoginExtension_zh_TW.msi (Chinese Traditional)
NOTE: Folders with an “_” (underscore) in the name indicate a localized ClientLoginExtension file.
4 After ClientLoginExtension is installed, a shortcut is placed on your desktop. Double-click the shortcut icon to open the Client Login Extension Configuration Utility 3.7.2 dialog.
5 In the Link URL field, specify the URL of the SSPR Server. This is the server where the challenge-response questions are configured. Leave all other values unchanged.
6 Click Configure Installer to complete the installation.
15.3 Installing the Emergency Access Feature
1 In the Custom Setup screen, select Emergency Access and specify how to install it.
2 Specify the following details in the Client and Server configuration screen:
2a Maximum Retry Attempts: A numerical value that indicates the maximum number of attempts a user is allowed for answering the challenge-response questions before getting locked out. After the maximum number of attempts is exhausted, the Emergency Access feature is not accessible. The default number of attempts is 3.
If you have configured a higher number of challenge-response questions for the user, specify a higher number for the retry attempts. This helps in a situation where the user forgets some of the answers to the challenge-response questions.
2b Session Time Allowed: A numerical value that indicates the number of minutes the user is allowed to use the system in the Emergency Access mode. The time allocated for the session should be configured to ensure that the user does not use the system in the emergency access mode for extended durations. The default time allowed is 30 minutes.
When lockout is imminent, a warning is displayed on the system tray. After the session time is exhausted, the user is automatically locked out of the system.
2c SSPR Server URL: Indicates the URL of the SSPR server. The typical format is http://<ip address of sspr server>:<http port number of sspr webserver>/sspr/public/rest/.
2d SSPR Request Timeout: A numerical value in seconds that indicates the maximum time the Emergency Access service should wait for fetching the challenge-response information of the logged-in user. The challenge information is fetched on every successful login.
Specify a value based on the network speed and average amount of challenge information that might be present for the users. The default timeout value is 300 seconds.
Using Emergency Access 111
15.4 Verifying Emergency Access Installation
After successful installation, a new registry entry is created at HKEY_LOCAL_MACHINE\SOFTWARE\Novell\SecureLogin\EmergencyAccess and is updated with the details specified during installation. The keys included are:
AccessMethod: Verify that the value of this key is SSPR.
SSPRURL: Verify that the entry matches the URL specified while configuring Emergency Access.
LockTimeout: Verify that the value of this field indicates the Session Time Allowed value specified during installation.
WarnTimeout: This is an optional field. By default, the WarnTimeout is 30 seconds. Configure a value less than the Session Time Allowed value.
LogFilePath: This is an optional field. Specify a path to indicate where Emergency Access logs should be placed.
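The verification steps above as a script, added here as an example and not part of the NetIQ guide or product. It assumes PowerShell 3.0 or later, that the two parameters carry the values entered during installation (the defaults are constructed placeholders), and that WarnTimeout is stored in seconds while Session Time Allowed is in minutes.

```powershell
# Added example: audit the Emergency Access registry values listed in section 15.4.
param(
    # Constructed placeholder values; pass what was entered during installation.
    [string]$ExpectedSsprUrl = 'http://sspr.example.test:8080/sspr/public/rest/',
    [int]$ExpectedSessionTime = 30
)

$keyPath = 'HKLM:\SOFTWARE\Novell\SecureLogin\EmergencyAccess'
if (-not (Test-Path -Path $keyPath)) {
    Write-Error "Registry key not found: $keyPath"
    exit 1
}
$ea = Get-ItemProperty -Path $keyPath
$results = New-Object System.Collections.Generic.List[object]

function Add-Result([string]$Status, [string]$Name, [string]$Detail) {
    $results.Add([pscustomobject]@{ Status = $Status; Name = $Name; Detail = $Detail })
}
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    if ($Ok) { Add-Result 'PASS' $Name $Detail } else { Add-Result 'FAIL' $Name $Detail }
}

# AccessMethod must be SSPR.
Add-Check 'AccessMethod' ($ea.AccessMethod -eq 'SSPR') "value: '$($ea.AccessMethod)'"

# SSPRURL must match the URL given during installation (trailing slash ignored).
$actualUrl = "$($ea.SSPRURL)".TrimEnd('/')
$urlOk = ($actualUrl -ne '') -and ($actualUrl -eq $ExpectedSsprUrl.TrimEnd('/'))
Add-Check 'SSPRURL' $urlOk "value: '$actualUrl'"
# Challenge-response information is fetched from this URL, so flag plain HTTP for review.
if ($actualUrl -like 'http://*') {
    Add-Result 'WARN' 'SSPRURL' 'plain HTTP; traffic to the SSPR server is not encrypted'
}

# LockTimeout must reflect the Session Time Allowed value.
Add-Check 'LockTimeout' ("$($ea.LockTimeout)" -eq "$ExpectedSessionTime") "value: '$($ea.LockTimeout)'"

# WarnTimeout is optional. Assumption: it is stored in seconds and Session Time in minutes.
if ($null -eq $ea.WarnTimeout) {
    Add-Result 'INFO' 'WarnTimeout' 'not set; the default applies'
} else {
    $warnOk = [int]$ea.WarnTimeout -lt ($ExpectedSessionTime * 60)
    Add-Check 'WarnTimeout' $warnOk "value: '$($ea.WarnTimeout)'"
}

# LogFilePath is optional; report it so the logs can be located and access-controlled.
if ($ea.LogFilePath) { Add-Result 'INFO' 'LogFilePath' $ea.LogFilePath } else { Add-Result 'INFO' 'LogFilePath' 'not set' }

$results | Format-Table -AutoSize
if ($results.Status -contains 'FAIL') { exit 1 }
```

The script exits with code 1 when any check fails, so it can be run across workstations from a management tool and the failures collected.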
15.5 Configuring Emergency Access
1 Log in to the SSPR server using the domain username and password.
NOTE: Ensure that the URL of the SSPR server matches the URL specified while installing Emergency Access.
2 Select Setup Password Responses from the Main Menu.
3 Specify the challenge questions.
4 Save the password responses.
15.6 Using the Emergency Access Feature
1 Click Forgotten Password on the Windows logon page.
The Credential Provider checks the availability of the SSPR server. If the SSPR server is reachable, a Restricted Browser window is launched. If the SSPR server is not reachable, the challenge-response dialog is displayed.
2 If the challenge questions are answered, the user can log in using the Emergency Access feature for a specified time.
After expiry of the specified duration, the user is logged out automatically.
16 Using The slAP Tool
This section provides information on the following:
Section 16.1, “About The slAP Tool”