Administrator Guide: DigitalPersona Pro for Active Directory, Version 4.0


Administrator Guide

DigitalPersona® Pro for Active Directory

DigitalPersona, Inc.

© 2006 DigitalPersona, Inc. All Rights Reserved.

All intellectual property rights in the DigitalPersona software, firmware, hardware and documentation included with or described in this guide are owned by DigitalPersona or its suppliers and are protected by United States copyright laws, other applicable copyright laws, and international treaty provisions. DigitalPersona and its suppliers retain all rights not expressly granted.

U.are.U®, DigitalPersona® and One Touch® are trademarks of DigitalPersona, Inc. registered in the United States and other countries.

Windows, Windows 2000, Windows 2003 and Windows XP are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective owners.

This DigitalPersona Pro for Active Directory Administrator Guide and the software it describes are furnished under license as set forth in the “License Agreement” screen that is shown during the installation process.

Except as permitted by such license, no part of this document may be reproduced, stored, transmitted and translated, in any form and by any means, without the prior written consent of DigitalPersona. The contents of this manual are furnished for informational use only and are subject to change without notice. Any mention of third-party companies and products is for demonstration purposes only and constitutes neither an endorsement nor a recommendation. DigitalPersona assumes no responsibility with regard to the performance or use of these third-party products. DigitalPersona makes every effort to ensure the accuracy of its documentation and assumes no responsibility or liability for any errors or inaccuracies that may appear in it. This document is subject to the DigitalPersona LIMITED WARRANTY and other general provisions set forth in the Appendix of this manual.

Should you have any questions concerning this document, or if you need to contact DigitalPersona for any other reason, write to:

DigitalPersona, Inc. 720 Bay Road Suite 100

Redwood City, CA 94063 USA


Table of Contents

Part One: Overview

1 Introduction 2

Chapter Overview 3

Conventions 5

Recommended Skill Set 7

Support Resources 8

Your Feedback is Requested 8

2 Key Concepts & Terminology 9

Concepts 9

Terminology 14

3 Product Overview 18

DigitalPersona Pro for Active Directory 18

Product Components and Modules 19

DigitalPersona Pro Server 20

DigitalPersona Pro Workstation 21

Fingerprint Readers 22

Administration Tools 23

Extended Server Policy Module 24

System Requirements 25

Product Compatibility 26

Related Products 26

Part Two: Deployment & Installation

4 Deploying DigitalPersona Pro Server 29

Deployment Overview 29

Upgrading from Previous Versions 29

Install DigitalPersona Pro Server 35

Install the Administrative Templates 36

Install Templates to Active Directory 39

Install Workstation Template Locally 41

Changes Made During Installation 42

DNS Registration 44

Uninstalling DigitalPersona Pro Server 46

5 Installing DigitalPersona Pro Workstation 47

System Requirements 47

Local installation from the product CD 48

Remote Installation 51

Command Line Installation 52

Uninstalling DigitalPersona Pro Workstation 54


Part Three: Administration

6 Configuring Policies and Settings 56

About DigitalPersona Pro Settings 56

DigitalPersona Pro Policies and Settings 58

Event Logging 59

BAS Locator DNS Records 60

Fingerprint Verification Lockout 64

Fingerprint Recognition 65

Workstation Only 67

Workstation Properties 70

One Touch SignOn 71

User Properties 71

7 User Properties 72

Basic User Properties 72

Extended User Policies 74

Unlocking Accounts after Failed Logon Attempts 75

Deleting User Credentials using the ADSI Edit Tool 76

8 DigitalPersona Pro Events 77

Auditing Using the Windows Event Viewer 77

Event Log Specifications 79

Computer Environment 79

General Secret Management 80

Fingerprint/Credentials Management 80

Fingerprint/Credentials Management 81

User Management 81

Logon/Lock 82

DNS Registration 82

One Touch SignOn 83

9 Administration Tools 84

Overview 84

License Control Manager 86

Overview 86

Connecting to a domain 86

Getting License Information 87

Reviewing and installing license files 88

Viewing license details 88

Viewing UAL Summary Information 89

Uninstalling licenses 89

Attended Fingerprint Registration 90

Assigning Registration Permissions 90

Single User 90

Organizational Unit or Domain 91

One Touch SignOn Administration Tool 92

Overview 92

Installing the OTS Administration Tool 93

Setting up OTS 93

Creating OTS Templates 97


Managing Containers 121

Managing Templates 122

One Touch SignOn Settings 127

Logging On with One Touch SignOn 129

Changing Passwords with One Touch SignOn 130

User Query Tool 131

Cleanup Wizard 136

10 DigitalPersona Pro Workstation 138

Features Overview 139

One Touch Menu 141

Reader Icon and Menu 143

Fingerprint Reader Visual Cues 145

Fingerprint Registration 147

One Touch Logon 151

Using Fingerprint PINs 155

Using Smart Cards for Logon 157

One Touch Features 158

One Touch Internet 159

Logging On to Web Sites and Programs 160

Creating Fingerprint Logons 161

DigitalPersona Pro Workstation Properties 165

Deleting Registered Fingerprints 167

Changing Your Windows Password 168

Fingerprint Reader Usage and Maintenance 169

Part Four: Appendices

11 Planning & Deployment 172

Overview 172

Planning 174

Deployment 181

Deployment Plan Checklist 185

12 DigitalPersona Pro Settings 187

13 Troubleshooting 191

Reader Troubleshooting 191

One Touch Programs Troubleshooting 194

Installation Troubleshooting 195

14 Customizing Pro Workstation 196

One Touch Menu Content 196

Quick Actions 197

15 Installing High Encryption 198

16 Warranties, Provisions & Regulatory Information 199

Warranties 199

General Provisions 201

Regulatory Information 202

17 Index 204

Part One: Overview

Part One of the DigitalPersona Pro for AD Administrator Guide includes the following chapters:

Chapter 1, Introduction (page 2): Provides an overview of each chapter in the Administrator Guide and other information that will help make your use of the guide more effective.

Chapter 2, Key Concepts & Terminology (page 9): Defines and describes important concepts and terms that you need to be familiar with to understand the features and functions of DigitalPersona Pro for AD.

Chapter 3, Product Overview (page 18): Describes each component of DigitalPersona Pro for AD and explains the authentication process.

Chapter 1 - Introduction

The DigitalPersona® Pro for Active Directory Administrator Guide is your comprehensive resource for information about DigitalPersona Pro for Active Directory.

The Guide includes a Product Overview which describes the features and functionality of each component, an explanation of Key Concepts and Terminology, specific chapters on the Installation, Configuration and

Administration of DigitalPersona Pro Server, as well as a complete guide to the features of DigitalPersona Pro Workstation.

Appendices include a Planning & Deployment Guide, List of policies and settings, Troubleshooting section and Warranty information.

See the next page for a complete chapter summary. The purpose of this chapter is to:

Give a brief overview of the chapters in the guide.

Explain the text, naming and other conventions used in the guide.

Describe the recommended skill set for users of the guide.

Let you know what additional resources are available for support.

Provide a means for you to give us feedback on any aspect of our products, service or documentation.

Chapter Overview

Part One of the Administrator Guide includes this chapter, the Product Overview, and the Key Concepts and Terminology chapters.

The purpose of this section is to provide information that will assist you in understanding the DigitalPersona Pro for Active Directory product and components, and establishing the conceptual framework for the remainder of the guide.

Chapter 1, Introduction, is described on the previous page.

Chapter 2, Key Concepts & Terminology, defines terms and concepts used in the guide, including an overview of Active Directory.

Chapter 3, Product Overview, describes DigitalPersona Pro for Active Directory Server and Workstation software and hardware components, system requirements, compatibility with previous versions and related products. It also explains the DigitalPersona Pro authentication process.

Part Two includes chapters on deploying DigitalPersona Pro for Active Directory Server and Workstation.

Chapter 4, Deploying DigitalPersona Pro Server, consists of detailed instructions for deploying (and uninstalling) DigitalPersona Pro Server.

Chapter 5, Installing DigitalPersona Pro Workstation, contains detailed instructions for installing (and uninstalling) DigitalPersona Pro Workstation.

Part Three, Administration, describes the configuration and administration of DigitalPersona Pro for Active Directory, including the policies, settings and properties used to tailor system behavior to meet the needs of your organization.

Chapter 6, Configuring Policies and Settings, explains each policy and setting available as part of DigitalPersona Pro for Active Directory and implemented through the use of Active Directory administration tools for domain-wide administration and the Microsoft Management Console for local administration.

Chapter 7, User Properties, describes the user settings available through the User Properties Snap-in and the extended settings available through the Extended Server Policy Module.


Chapter 8, DigitalPersona Pro Events, lists and describes the events generated by DigitalPersona Pro for Active Directory, which can be viewed through the Windows Event Viewer.

Chapter 9, Administration Tools, provides instructions for using each of the standalone administration tools that can be used to provide centralized or decentralized administration of DigitalPersona Pro for Active Directory. Some of the available tools are: License Control Manager, Attended Fingerprint Registration Tool, One Touch SignOn Administration Tool, User Query Tool and the CleanUp Wizard.

Chapter 10, DigitalPersona Pro Workstation, describes and explains the features of DigitalPersona Pro Workstation for the administrator.

Part Four, Appendices, provides additional information about DigitalPersona Pro for Active Directory.

Chapter 11, Planning & Deployment, provides design guidelines, assists you in selecting and planning a deployment scenario and provides tools to help you create and execute a successful Pro deployment plan.

Chapter 12, DigitalPersona Pro Settings, provides a complete alphabetical list of all DigitalPersona Pro policies and settings with references to their Active Directory location and the page number where they are described.

Chapter 13, Troubleshooting, provides solutions to situations where DigitalPersona Pro for Active Directory software or hardware may be acting in an unexpected manner.

Chapter 14, Customizing Pro Workstation, describes how to configure One Touch Menu content and Quick Actions behavior through the Windows Registry. These settings can then be pushed to all DigitalPersona Pro for Active Directory Workstations.

Chapter 15, Installing High Encryption, describes how to install 128-bit high encryption for Windows 2000 without the latest patches.

Chapter 16, Warranties, Provisions and Regulatory Information, provides legal and regulatory information about the product.

Conventions

Naming Conventions

In order to make this guide easier and quicker to read, the following naming conventions are used to describe the DigitalPersona Pro for Active Directory Server and Workstation software and hardware:

DigitalPersona Pro Server, Pro Server and Server sometimes replace the full product name, DigitalPersona Pro for Active Directory Server. In this guide, these terms always refer to the Active Directory version, and not to any other version of DigitalPersona Pro Server software.

DigitalPersona Pro Workstation, Pro Workstation and Workstation are sometimes used instead of the full name, DigitalPersona Pro for Active Directory Workstation. They always refer to the Active Directory version of DigitalPersona Pro when used in this guide.

Reader or Fingerprint Reader, used in either upper or lower case, refers to the DigitalPersona U.are.U Reader and third-party swipe readers, unless otherwise specified in the context.

Notation Conventions

The following notation conventions are used in this guide to call attention to information of special importance:

Note

A note highlights information that may help you better understand the text and its concepts.

Warning

A warning advises you that failure to take or avoid a specific action could result in your inability to complete the required tasks or cause undesirable results.


Typographic Conventions

This guide uses the following typographic conventions:

Courier indicates text that is typed by the user.

Example:

“Type http://www.digitalpersona.com/ in the Address text box.” You would only type “http://www.digitalpersona.com/” and would not type any surrounding text.

Text in Courier bold and surrounded by brackets [ ] indicates information that is always supplied by you and will vary depending on a particular circumstance.

Example:

“Type http://[your company Web site URL]/ in the Address text box.” You would type “http://”, then type your company Web site URL—not the words “[your company Web site URL]”—and then “/”.

Courier bold is also used to display information that is dynamically generated by DigitalPersona Pro.

Recommended Skill Set

To fully and effectively utilize the information contained in this guide, we recommend that you possess the minimum skills and knowledge defined below.

Domain Administrators

If you will be administering DigitalPersona Pro Server for one or more domains, you should have knowledge of and experience with the Windows 2000 or 2003 Server operating system and its administrative tools. Specifically, you should have working knowledge of key Active Directory concepts and objects, including group policy objects, containers, sites, domains and organizational units, and be able to use the standard Active Directory administration tools such as the Active Directory Users and Computers console and the Group Policy Editor.

Local Administrators

If you are administering DigitalPersona Pro Workstation on a local computer, you should understand how to use the Microsoft Management Console (MMC) to manage computer properties.

Workstation End Users

End users of DigitalPersona Pro for Active Directory Workstation should possess basic computer and network operation skills, such as logging on to a computer and using the taskbar, shortcut menus and a Web browser.

Support Resources

In addition to this guide, the following resources provide additional support to users of both DigitalPersona Pro Server and Workstation:

Readme files are provided in the root directory of the product CD for both DigitalPersona Pro Server and Workstation. These files often contain late-breaking information about the product.

The DigitalPersona Web site provides an online technical support form at http://www.digitalpersona.com/support/enterprise/chooseproduct.php, where you can ask for help with your questions. Simply describe your issue, include your contact information, and a technical support representative will contact you shortly by e-mail or phone.

Phone support is available at (877) 378-2740 in the U.S. only. Outside the U.S., call +1 650-474-4000.

Online help is included with DigitalPersona Pro Server and Workstation as well as with the Administration Tools. Workstation Help is accessible from various dialog boxes that appear during the use of the software and from the One Touch Menu, as described in “Help” on page 142.

Your Feedback is Requested

Although the information in this guide has been thoroughly reviewed and tested, we welcome your feedback on any errors, omissions or suggestions for future improvements. If you find errors or have suggestions for future publications, contact us at:

TechPubs@digitalpersona.com

or at:

DigitalPersona, Inc. 720 Bay Road, Suite 100

Redwood City, California 94063 USA (650) 474-4000

Chapter 2 - Key Concepts & Terminology

In order to fully understand and implement the features of DigitalPersona Pro for Active Directory, you will need to be familiar with the terms and concepts covered in this chapter.

If you consider yourself knowledgeable about Active Directory, you may want to skip the rest of this page and continue with the DigitalPersona Pro concepts and terminology on page 10.

Concepts

Active Directory

Active Directory is a proprietary directory service that has been included with Microsoft Windows servers since the release of Windows 2000 Server. A directory service is a software application that stores and organizes information about a computer network's users and resources, such as computers, printers and network shares. It enables network administrators to manage users' access to those resources.

The design, implementation and configuration of Active Directory can be a complex task, even for a small to medium-sized organization, and is beyond the scope of this topic. Assuming that Active Directory is set up and working correctly for your organization’s current needs, this topic provides the information that you need in order to use a working Active Directory to administer DigitalPersona Pro.

DigitalPersona Pro for Active Directory utilizes the Active Directory service for administration of policies and settings that determine the functionality and features implemented in your organization.

Through Active Directory you can assign enterprise-wide policies and settings to computers in your network as well as locate and administer objects, users and resources across the network.

Active Directory is structured as a hierarchy of objects and containers laid out in a tree format. In the Users and Computers Snap-in (Figure 2-1), which is one of the visual tools that can be used to create and administer objects, the hierarchy looks much the same as the folder structure in Windows Explorer.


Figure 2-1. Users and Computers Snap-in

Administrative Templates & Snap-ins

DigitalPersona Pro for Active Directory integrates with Active Directory through the use of the following Administrative Templates and Snap-ins.

DigitalPersonaProSvr.adm (page 36): The Active Directory Administrative Template for DigitalPersona Pro Server is applied to GPOs governing Domain Controllers running DigitalPersona Pro Server.

DigitalPersonaProWksta.adm (page 36): The Administrative Template for DigitalPersona Pro Workstation is applied to GPOs governing computers running DigitalPersona Pro Workstation, or can be applied to a local policy object for a standalone configuration of DigitalPersona Pro Workstation.

User Properties Snap-in (page 72): An Active Directory snap-in that enables DigitalPersona Pro user settings.*

Extended Server Policy Module: An optional snap-in extending DigitalPersona Pro User Properties.*

* User Properties take precedence over GPO settings.

Group Policy

Group Policy is a feature of the Active Directory service that facilitates change and configuration management.

Group Policy settings are stored in Group Policy Objects (GPOs) in the Active Directory database. These GPOs are linked to containers, which include Active Directory sites, domains, and organizational units (OUs).

Because Group Policy is so closely integrated with Active Directory, it is important to have a basic understanding of both Active Directory structure and the security implications of different design configuration options within it before you implement Group Policy.

For information about the policies and settings that DigitalPersona Pro adds to a GPO, see “Configuring Policies and Settings” on page 56. For additional information about security and DigitalPersona Pro, refer to the DigitalPersona Pro for Active Directory Security Guide.

Organizational Units (OUs)

An OU is a container within an Active Directory domain. An OU may contain users, groups, computers, and other OUs, which are known as child OUs. You can link a GPO to an OU, and the GPO settings will be applied to the users and computers that are contained within that OU and its child OUs. To facilitate administration you can delegate administrative authority to each OU. OUs provide an easy way to group users, computers, and other security principals, and they also provide an effective way to segment administrative boundaries. Users and computers are generally assigned to separate OUs, because some settings only apply to users and other settings only apply to computers. One of the primary goals of an OU structure design for any environment is to provide a foundation for a seamless Group Policy implementation that applies to all workstations in Active Directory and ensures that they meet the security standards of your organization.

The OU structure must also be designed to provide adequate security settings for specific types of users in an organization. For example, developers may need some permissions that average users do not need to have. Also, laptop users may have slightly different security requirements than desktop users.

The figure on the right shows a basic OU structure for illustration of the concept only, and is not a recommendation to create your OU structure in the same way. Your OU structure must be defined by the specific organizational requirements of your environment.

Pro Biometric Authentication Process

DigitalPersona Pro’s biometric authentication process validates the identity of a user through a scan of their fingerprint, which can also be used in combination with their password or a smart card for multi-factor authentication.

This biometric authentication process is used by DigitalPersona Pro Workstation in an enterprise deployment with DigitalPersona Pro Servers.

Prior to authentication:

1 A user registers their fingerprint(s), creating a registration template that is stored on the local workstation and also sent securely to the Pro Server.

2 Pro Workstation captures user data (such as user account or logon information), called “secrets”, and sends them securely to Pro Server for storage in Active Directory.

By default, it also caches these secrets locally on the Workstation, so that they are available if the Server cannot be reached. Caching can be disabled by the administrator through a setting in the DigitalPersona Pro Active Directory Administrative Template.

The authentication process is initiated when a Pro application (such as Pro Workstation) prompts the user to verify their identity by providing their fingerprint. This may be in order to log on to Windows using One Touch Logon, or to log on to a program or Web site using One Touch SignOn or One Touch Internet.

The authentication process is as follows:

1 The user touches the fingerprint reader with a registered finger.

2 The fingerprint is scanned and processed at the workstation, creating a verification template.

3 The verification template is compared to the registration template cached on the local workstation and then sent to the Pro Server for confirmation of the user’s identity.

4 Pro Server compares the verification template to the registration template in the user record in Active Directory. If the verification template matches the registration template, Pro Server authenticates the user and sends the “secret” requested by the application securely to the Workstation.

5 The Pro application receives the Secret and then uses the information as needed, typically to log the user on to their Windows account, a program or Web site.

Note

When a Pro Server is unavailable, such as when a laptop is disconnected from the network, the required secret is retrieved from a local cache on the Workstation. If a Pro Server is unavailable, and local caching has been disabled by the administrator, authentication is not possible.

This authentication process can be modified by the administrator using settings in the DigitalPersona Pro Administrative Templates (see “Configuring Policies and Settings” on page 56).
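The following Python model is an added illustration of the control flow just described; it is not DigitalPersona code. Fingerprint matching is stood in for by hashing a constructed scan and comparing digests (which is not how biometric matching works), so that the sequence of messages between Workstation and Server, the local-mismatch outcome, and the offline outcomes with caching enabled and disabled can be followed end to end. All names and sample values are assumptions.

```python
"""Control-flow model of the Pro authentication process (added example).

Not DigitalPersona code. Templates are stand-ins (a SHA-256 digest of a
constructed scan); what the model shows is the order of steps, the local
comparison, the server confirmation, and the cache fallback.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def make_template(scan: bytes) -> bytes:
    """Stand-in for the one-way template encoding: the scan itself is never kept."""
    return hashlib.sha256(scan).digest()


def templates_match(registration: bytes, verification: bytes) -> bool:
    # Constant-time comparison of the two stand-in templates.
    return hmac.compare_digest(registration, verification)


@dataclass
class ProServer:
    """Holds registration templates and secrets (stand-in for the AD user record)."""
    registrations: Dict[str, bytes] = field(default_factory=dict)
    secrets: Dict[Tuple[str, str], str] = field(default_factory=dict)
    reachable: bool = True

    def confirm(self, user: str, verification: bytes, app: str) -> Optional[str]:
        """Step 4: compare against the user record; release the secret on a match."""
        if not self.reachable:
            raise ConnectionError("Pro Server unreachable")
        registration = self.registrations.get(user)
        if registration is None or not templates_match(registration, verification):
            return None
        return self.secrets.get((user, app))


@dataclass
class ProWorkstation:
    server: ProServer
    cache_enabled: bool = True            # the administrative-template setting
    local_registrations: Dict[str, bytes] = field(default_factory=dict)
    secret_cache: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def register(self, user: str, scan: bytes) -> None:
        """Registration: template kept locally and sent to the server."""
        template = make_template(scan)
        self.local_registrations[user] = template
        self.server.registrations[user] = template

    def store_secret(self, user: str, app: str, secret: str) -> None:
        """Secrets go to the server for storage; cached locally only if allowed."""
        self.server.secrets[(user, app)] = secret
        if self.cache_enabled:
            self.secret_cache[(user, app)] = secret

    def authenticate(self, user: str, scan: bytes, app: str) -> Optional[str]:
        """Steps 1-5: returns the released secret, or None when authentication fails."""
        verification = make_template(scan)        # step 2
        try:
            registration = self.local_registrations.get(user)
            if registration is None or not templates_match(registration, verification):
                return None                         # step 3: local comparison failed
            try:
                return self.server.confirm(user, verification, app)   # step 4
            except ConnectionError:
                if not self.cache_enabled:
                    return None                     # no server and no cache: not possible
                return self.secret_cache.get((user, app))
        finally:
            del verification                        # verification template discarded


def run_scenarios() -> Dict[str, Optional[str]]:
    """Exercise the four outcomes with constructed scan data."""
    results: Dict[str, Optional[str]] = {}
    server = ProServer()
    ws = ProWorkstation(server)
    ws.register("alice", b"constructed-scan-alice")
    ws.store_secret("alice", "windows", "alice-windows-secret")

    results["match"] = ws.authenticate("alice", b"constructed-scan-alice", "windows")
    results["mismatch"] = ws.authenticate("alice", b"some-other-finger", "windows")

    server.reachable = False                       # laptop off the network
    results["offline_cached"] = ws.authenticate("alice", b"constructed-scan-alice", "windows")

    server.reachable = True
    ws_nocache = ProWorkstation(server, cache_enabled=False)
    ws_nocache.register("alice", b"constructed-scan-alice")
    ws_nocache.store_secret("alice", "windows", "alice-windows-secret")
    server.reachable = False
    results["offline_no_cache"] = ws_nocache.authenticate("alice", b"constructed-scan-alice", "windows")
    return results
```

Running run_scenarios() returns the secret for the matching scan and for the offline Workstation with caching on, and None for the mismatch and for the offline Workstation whose administrator disabled caching.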

Terminology

Authentication

User Authentication is the process of verifying a user’s identity by validating one or more credentials provided by the user. Examples of credentials are passwords, smart cards and biometrics.

Biometric authentication is the process of comparing a user’s previously created “registration template” with a “verification template” created from a fingerprint scan of the user at the time of authentication. See also: “Fingerprint Registration” and “Verification Template” below, as well as “Pro Biometric Authentication Process” on page 12.

Credentials

Credentials are a set of information used to gain access to your Windows account or to a password protected Web site or program. Windows credentials can include a combination of a user name, password, fingerprint, fingerprint PIN, or smart card. Web site and program credentials usually include a combination of fingerprint and password, but can sometimes require additional information.

Dynamic DNS

Dynamic DNS defines a protocol for dynamically updating a DNS server with new or changed values. DigitalPersona Pro uses Dynamic DNS to update the DNS server with changes made to DigitalPersona Pro policies and settings.

Fingerprints

Fingerprints provided through supported fingerprint readers are transformed into highly compressed and digitally encoded representations of fingerprint features called a fingerprint template. These fingerprint templates are created whenever a user places a finger on the reader (when logging on for example), and encoded with a one-way algorithm that cannot be reversed to recreate the scan of that fingerprint. The actual fingerprint scans are never stored, but are discarded after the template is created.


Fingerprint Identification

Fingerprint identification is the process of identifying a user out of a set of users by fingerprints. It is performed with only a fingerprint, and not a user name, by matching the verification template to all registration templates in the set of users.

Fingerprint PINs

The administrator may require that users type a short sequence of characters, known as a fingerprint PIN, each time they use a fingerprint to log on, unlock the computer, or change their Windows password. This provides an additional level of security. Logon settings with fingerprint PINs are supported only on Windows XP and 2000. Logon settings are managed by your administrator.

Fingerprint Registration

Fingerprint registration is the process that begins with a DigitalPersona Pro user providing one or more fingers to be scanned using a supported fingerprint reader. Once the finger is successfully scanned four times, the system then transforms the result into a highly compressed, digitally encoded representation of fingerprint features called a registration template.

This registration template is then stored in DigitalPersona Pro Server’s user database for future use during authentication and identification, or on the local workstation if DigitalPersona Pro Server has not been deployed.

A fingerprint for which a registration template was created is referred to as a registered fingerprint.

Fingerprint Template

See Fingerprints.

Fingerprint Verification

Fingerprint verification is the process of verifying that the template derived from the fingerprint scan during the authentication process, the verification template, and the original registration template are from the same finger. The verification template is deleted immediately after its use in the matching process.


Fingerprint Verification Lockout

Fingerprint Verification Lockout occurs when a user attempts to identify themselves with their fingerprint and a successful match is not made after a specified number of attempts. The user will be unable to use their fingerprint for identification until the lockout is released.

The number of attempts allowed, the amount of time the user is locked out, and the interval before the lockout is removed are configurable by the administrator. See “Fingerprint Verification Lockout” on page 64 for details.

The lockout can also be manually released by an administrator from the DigitalPersona Pro tab of the Properties dialog for the user in the Active Directory Users and Computers console.
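As an added example (not DigitalPersona code), the tracker below models the lockout policy described above. The three settings are assumptions named for illustration: max_failures (attempts allowed), lockout_seconds (how long the fingerprint is refused) and reset_seconds (how long earlier failures keep counting toward a lockout). It also shows the two points a practitioner wants to be sure of: a matching fingerprint is still refused while the lockout is in force, and an administrator's manual release clears the state.

```python
"""Fingerprint verification lockout, modelled as an added example.

Not DigitalPersona code; setting names and default values are assumptions.
Time is passed in explicitly so the behaviour is reproducible offline.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 5          # assumed defaults for illustration
    lockout_seconds: int = 900
    reset_seconds: int = 300


@dataclass
class UserLockoutState:
    failures: int = 0
    first_failure_at: Optional[float] = None
    locked_until: Optional[float] = None


class FingerprintLockoutTracker:
    """Tracks failed fingerprint verifications per user and enforces lockout."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.states: Dict[str, UserLockoutState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        st = self.states.get(user)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def record_attempt(self, user: str, matched: bool, now: float) -> str:
        """Apply one verification outcome. Returns 'ok', 'rejected' or 'locked'."""
        st = self.states.setdefault(user, UserLockoutState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"            # fingerprint refused even if it matches
            st.locked_until = None         # lockout expired: start fresh
            st.failures = 0
            st.first_failure_at = None
        if matched:
            st.failures = 0
            st.first_failure_at = None
            return "ok"
        # Failures older than reset_seconds no longer count toward the limit.
        if st.first_failure_at is None or now - st.first_failure_at > self.policy.reset_seconds:
            st.failures = 0
            st.first_failure_at = now
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            return "locked"
        return "rejected"

    def release(self, user: str) -> None:
        """Manual release by an administrator, clearing the user's lockout state."""
        self.states.pop(user, None)
```

With a policy of three attempts, a 600-second lockout and a 300-second reset interval, three consecutive failures lock the user, a correct fingerprint during the lockout is still refused, and failures spaced more than 300 seconds apart do not accumulate.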

One Touch Internet

One Touch Internet (OTI) provides the ability for the end user to create Fingerprint Logons that can be used to logon to Web sites by touching a supported fingerprint reader.

One Touch Logon

One Touch Logon provides the ability for you to log on to your Windows account by simply touching a supported fingerprint reader.

One Touch Unlock

One Touch Unlock provides the ability to lock or unlock Windows by touching a supported fingerprint reader.

One Touch SignOn

One Touch SignOn (OTS) provides the ability for you to log on to your Windows account (One Touch Logon), Web sites and password protected programs by simply touching a supported fingerprint reader. It also includes One Touch Unlock which enables you to lock and unlock your computer with your fingerprint.


Quick Actions

Quick Actions, which combine the Shift or Control Keys with use of the fingerprint to access DigitalPersona Pro features, can be created by end users in the DigitalPersona Workstation Properties dialog.

Secret

A DigitalPersona Pro Secret is application specific user data that is stored securely in Active Directory by the DigitalPersona Pro Server, or locally by the local authentication server on the workstation. The secret is released to the application upon successful identification of the user, and used to log on to programs and Web sites for which logon templates have been created.

Service Resource Records (SRV RR)

Active Directory servers publish their addresses so that clients can find them knowing only the domain name. Active Directory servers are published via Service Resource Records (SRV RRs) in DNS. The SRV RR is a DNS record used to map the name of a service to the address of a server offering that service. The name of a SRV RR is in this form:

_<service>._<protocol>.<domain>

Active Directory servers offer the LDAP service over the TCP protocol with published names in the form:

_ldap._tcp.<domain>

For example, the SRV RR for “microsoft.com” is “_ldap._tcp.microsoft.com”. Additional information on the SRV RR indicates the priority and weight for the server, allowing clients to choose the best server for their needs.

When an Active Directory server is installed, it publishes itself via Dynamic DNS. Since TCP/IP addresses are subject to change over time, servers periodically check their registrations to make sure they are correct, updating them if necessary.
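The priority and weight fields mentioned above drive a specific client selection rule, defined in RFC 2782: servers with the lowest priority are tried first, and among servers of equal priority the choice is random in proportion to weight. The following Python is an added example, not DigitalPersona code; the SRV lines are constructed sample zone data for a hypothetical example.com domain, in the _ldap._tcp.<domain> form described above, and the selection routine implements that rule for the general case of any number of priority groups.

```python
"""SRV record parsing and RFC 2782 server selection (added example).

Not DigitalPersona code. The zone lines are constructed sample data.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_line(line: str) -> SrvRecord:
    """Parse one zone-file style line: <name> <ttl> IN SRV <prio> <weight> <port> <target>."""
    fields = line.split()
    if len(fields) != 8 or fields[2] != "IN" or fields[3] != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    name, _ttl, _cls, _type, prio, weight, port, target = fields
    return SrvRecord(name, int(prio), int(weight), int(port), target.rstrip("."))


def parse_srv_records(text: str) -> List[SrvRecord]:
    """Parse a block of zone text, skipping blank and ';' comment lines."""
    return [parse_srv_line(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith(";")]


def order_targets(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Order records as a client should try them: ascending priority, and within
    a priority a weighted random order without replacement (RFC 2782)."""
    if rng is None:
        rng = random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                pick = rng.choice(group)          # all weights zero: uniform choice
            else:
                point = rng.random() * total       # in [0, total)
                acc = 0
                pick = group[-1]
                for r in group:
                    acc += r.weight
                    if point < acc:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def first_choice_counts(records: List[SrvRecord], trials: int, seed: int) -> Dict[str, int]:
    """How often each target comes out first over repeated seeded selections."""
    rng = random.Random(seed)
    counts: Dict[str, int] = {}
    for _ in range(trials):
        first = order_targets(records, rng)[0].target
        counts[first] = counts.get(first, 0) + 1
    return counts


# Constructed sample zone data: two domain controllers at priority 0 with a
# 90/10 weight split, and a backup at priority 10 used only if both fail.
SAMPLE_ZONE = """\
; constructed sample, not a real zone
_ldap._tcp.example.com. 600 IN SRV 0 90 389 dc1.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 10 389 dc2.example.com.
_ldap._tcp.example.com. 600 IN SRV 10 100 389 dc-backup.example.com.
"""
```

With the sample data, dc-backup.example.com is always last in the order returned by order_targets, and over many seeded runs dc1.example.com is chosen first roughly nine times as often as dc2.example.com.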

Verification Template

A verification template is created from a fingerprint scan whenever a user places their finger on the fingerprint reader. During authentication, this template is matched to available Registration Templates in order to identify the user. At the end of the authentication process the Verification Template is erased.

Chapter 3 - Product Overview

This chapter provides an overview of DigitalPersona Pro for Active Directory, a comprehensive biometric authentication software and hardware solution, and describes the several integrated components that can be used to create a deployment that addresses your specific organizational needs.

Additionally, you will find system requirements for each of the components, information on product compatibility and a list of related products.

DigitalPersona Pro for Active Directory

DigitalPersona Pro for Active Directory combines the security of biometric authentication with the simplicity and convenience of Single Sign-On (SSO). Workstation users can conveniently log on to Windows computers, Microsoft networks, password-protected programs and Web sites by simply touching the U.are.U® Fingerprint Reader or using one of the many supported third-party readers embedded in today’s popular notebook computers.

DigitalPersona Pro Server provides central authentication and administration for deployed Workstations and scales to over one hundred thousand users. Tightly integrated with Windows Active Directory, it can usually be deployed without the need for professional services.

Product Components and Modules

DigitalPersona Pro for Active Directory includes the following components and modules:

Component - Purpose (Page)

DigitalPersona Pro Server - For domain-wide, centralized authentication and administration of DigitalPersona Pro Workstations. (Pages 20, 172, 29)

DigitalPersona Pro Workstation - Client software providing Single Sign-On to Windows, Web sites and password-protected programs. It can also be used in a standalone installation. (Pages 21, 47, 138)

Fingerprint Reader - DigitalPersona’s U.are.U optical fingerprint reader. (Page 22)

Administration Tools - Various administrative tools that can be deployed for centralized or decentralized administration of Servers and Workstations. (Pages 23, 84)

Extended Server Policy Module - An optional module to extend DigitalPersona Pro User Properties, available from your DigitalPersona Account Manager or product Reseller.

DigitalPersona Pro Server

DigitalPersona Pro for Active Directory Server provides scalable domain-wide authentication and administration of networked DigitalPersona Pro Workstations. Server software features include:

Full integration with Active Directory Administration

DigitalPersona Pro Server, installed on either a Windows 2000 or 2003 Server domain controller, uses standard Active Directory administration tools for implementing and managing policies and settings which control the behavior of the Workstations and can be used to customize the authentication process.

For example, using the Group Policy Editor, you can create a GPO that controls the false accept rate for fingerprint recognition, specifies credential requirements for logon settings, and more. When the GPO is applied to a group of Workstations, they require no additional configuration to use the DigitalPersona Pro Server for authentication.

DigitalPersona Pro also provides fault tolerance and load balancing through Active Directory’s DNS locator service, automatically and transparently locating all available servers and then selecting one to be used for authentication.
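The locator behaviour just described, together with the SRV RR format from the "Service Resource Records" entry in Chapter 2, as an added example that is not DigitalPersona's code: a client orders the _ldap._tcp.<domain> records by priority and weight (RFC 2782) and falls back past servers that do not answer. The SRV records, host names and the reachability check are constructed sample data, not the result of a real DNS query.

```python
"""Added example, not DigitalPersona's code: how a client locates a server
through the _ldap._tcp.<domain> SRV records described in the "Service
Resource Records" entry of Chapter 2, ordering candidates by priority and
weight (RFC 2782) and failing over past unreachable servers, as the DNS
locator paragraph above describes. The SRV records below are constructed
sample data, not the result of a real DNS query."""
import random
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower values are contacted first
    weight: int    # relative share among records of equal priority
    port: int
    target: str    # host name of the server offering the service


def ldap_srv_name(domain: str) -> str:
    """Name under which Active Directory publishes its LDAP-over-TCP servers."""
    return f"_ldap._tcp.{domain.rstrip('.')}"


def order_records(records: Iterable[SrvRecord],
                  rng: Callable[[int], int]) -> List[SrvRecord]:
    """Return the records in the order a client should try them (RFC 2782).

    rng(total) must return an integer in [0, total]; it is a parameter so
    the weighted choice can be made deterministic in tests.
    """
    records = list(records)
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        # weight-0 records are placed first; the others keep their order
        pending = [r for r in group if r.weight == 0] + \
                  [r for r in group if r.weight != 0]
        while pending:
            pick = rng(sum(r.weight for r in pending))
            running = 0
            for r in pending:
                running += r.weight
                if running >= pick:  # first record whose running sum reaches the pick
                    ordered.append(r)
                    pending.remove(r)
                    break
    return ordered


def choose_server(records: Iterable[SrvRecord],
                  reachable: Callable[[SrvRecord], bool],
                  rng: Callable[[int], int]) -> Optional[SrvRecord]:
    """Fault tolerance: the first server in priority/weight order that answers."""
    for r in order_records(records, rng):
        if reachable(r):
            return r
    return None  # no server reachable: authentication cannot proceed


# Constructed records, as a query for _ldap._tcp.example.com might return them.
SAMPLE_RECORDS = [
    SrvRecord(0, 100, 389, "dc1.example.com"),
    SrvRecord(0, 0, 389, "dc2.example.com"),    # weight 0: picked only when the pick is 0
    SrvRecord(0, 50, 389, "dc3.example.com"),
    SrvRecord(10, 100, 389, "dc-backup.example.com"),  # used only if priority 0 is down
]


def random_pick(total: int) -> int:
    """The choice a real client makes: uniform over [0, total]."""
    return random.randint(0, total)


if __name__ == "__main__":
    print("query:", ldap_srv_name("example.com"))
    for rec in order_records(SAMPLE_RECORDS, random_pick):
        print(f"  priority={rec.priority} weight={rec.weight} {rec.target}:{rec.port}")
    dc1_down = lambda rec: rec.target != "dc1.example.com"  # simulate dc1 being offline
    print("selected:", choose_server(SAMPLE_RECORDS, dc1_down, random_pick))
```

Because every server with priority 0 precedes the priority-10 backup, the backup is contacted only when all three primary servers are unreachable.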

For additional information on available policies and settings for DigitalPersona Pro Server, see “Configuring Policies and Settings” on page 56.

Security architecture

DigitalPersona Pro Server builds on the trust relationship established by Windows 2000/2003 Server to provide a secure infrastructure for server-client communication.

Centralized credential and application databases

DigitalPersona Pro Server extends the Active Directory schema to enable storing DigitalPersona Pro data and replicating it throughout the network. This allows a known user to use their fingerprint on any DigitalPersona Pro Workstation that is connected to a DigitalPersona Pro Server.

DigitalPersona Pro Workstation

DigitalPersona Pro for Active Directory Workstation provides fingerprint logon functionality for Windows computers, including the following features:

One Touch Logon increases both security and convenience by adding biometric authentication to the Windows logon procedure. One Touch Logon replaces the standard Windows logon dialog box, allowing users to log on to Windows with a fingerprint in addition to, or as an alternative to, Windows credentials such as a password or a smart card.

One Touch Logon guides users through providing the required credentials to log on to Windows. It also allows users to quickly lock and unlock their computers using the credentials specified by the logon settings.

One Touch SignOn simplifies and secures access to password-protected software programs and Web sites. Users just touch the reader to automatically and securely provide data for logon fields, such as user name and password, on any Web site or program logon screen.

Administrators use the One Touch SignOn Administration Tool to create templates specifying information for the logon screens, and can use application policy settings in the GPO to deploy the One Touch SignOn templates to end users.

One Touch Internet is an option that can be deployed to provide end users with many of the capabilities of One Touch SignOn for their personal Web accounts through the easy-to-use configuration tool.

Fingerprint Readers

U.are.U Fingerprint Reader

The DigitalPersona U.are.U Fingerprint Reader is a high-quality optical scanner designed especially for reading fingerprints, and is the recommended fingerprint reader for use with DigitalPersona Pro.

DigitalPersona Pro Workstation works with the U.are.U Reader to read the fingerprint scan for authentication purposes.

You may have a U.are.U Reader or a keyboard or device with an embedded U.are.U Reader.

Third-Party Swipe readers

DigitalPersona Pro also supports the use of several third-party “swipe” fingerprint readers installed in many current models of notebook computers.

For a complete list of supported readers, visit the following page on DigitalPersona’s Web site:

Administration Tools

DigitalPersona Pro for Active Directory provides several tools for administering various aspects of your implementation as well as expanding the functionality of the product.

Some of these tools are installed automatically with the installation of DigitalPersona Pro for Active Directory Server, while others must be selected through the Custom Install option in the Administration Tools Installation wizard or run from the product CD.

The following table gives a brief description of each of the tools, and the page where they are described more fully.

Admin Tool - Purpose (Page)

License Control Manager - Used to control and manage licenses for users of DigitalPersona Pro Servers, including gathering the information necessary for requesting a license, adding and removing licenses and viewing license and user information. (Page 86)

Attended Fingerprint Registration Tool - An optional feature requiring supervision of users when registering their fingerprints. (Page 90)

One Touch SignOn - The One Touch SignOn Administration Tool enables administrators to add biometric authentication to Web sites and programs. (Page 92)

User Properties Snap-in - An Active Directory Snap-in, automatically installed with Pro Server, for administering DigitalPersona Pro users. (Page 72)

User Query Tool - Used to query the DigitalPersona Pro for Active Directory user database for information about DigitalPersona Pro users. (Page 131)

CleanUp Wizard - Removes user data (such as fingerprint credentials, secure application data and global domain data) from Active Directory.

Extended Server Policy Module

Basic Server policies are provided by the User Policies Snap-in, installed as part of DigitalPersona Pro Server, which allow an administrator to configure fingerprint logon settings and restore the use of fingerprints for a user after the account has been locked due to failed fingerprint attempts.

The optional Extended Server Policy Module adds the following user policy settings:

• User must type a PIN when providing a fingerprint to log on.

• User must provide a fingerprint to log on (in addition to other authentication specified by Windows policy setting).

The Extended Server Policy Module is available from your DigitalPersona Account Manager or product Reseller.

System Requirements

Product/Component - Minimum Requirements

DigitalPersona Pro Server

• Pentium Processor, 128 MB RAM

• Windows 2003 Server or 2000 (Standard or Enterprise) Server. Small Business Server is not supported.

• Active Directory

• 10 MB available hard disk space, plus 5K hard disk space per user

DigitalPersona Pro Workstation

• Pentium 233 MHz Processor, 128 MB RAM

• Windows 2000, XP Professional or Embedded, 2003 Server. XP Home Edition is not supported.

• 30 MB available hard disk space

• CD-ROM drive if installing locally; network connection for silent/network installation

• Microsoft Internet Explorer 6 (if using One Touch SignOn or One Touch Internet)

Product Compatibility

DigitalPersona Pro for Active Directory Server

• Can coexist with other Pro Servers that are version 3.0 or above.

• All Pro Workstations that are authenticating to the Pro Server must be version 3.0 or above.

• All Pro Kiosk workstations authenticating to the Pro Server must be version 1.0 or above.

• Is compatible with DigitalPersona Pro SDK installed on Pro Workstation 3.x.

DigitalPersona Pro for Active Directory Workstation

• Can coexist with other Pro Workstations that are version 3.0 or above.

• Is not compatible with DigitalPersona Gold, DigitalPersona Platinum or DigitalPersona Online, or with DigitalPersona Pro SDK when installed on Pro Workstation 4.x.

Supported Fingerprint Readers are:

• DigitalPersona U.are.U 4000 and 4000B series

• Many third-party swipe readers embedded in current models of notebook computers. For a list of supported swipe readers, visit our Web site at:

http://www.digitalpersona.com/products/notebooks.php.

Related Products

The following related products are also available from your DigitalPersona Account Manager or product Reseller:

DigitalPersona Pro for Active Directory SDK - Provides developers with simple, powerful tools to extend DigitalPersona Pro for Active Directory with custom applications.

Developers can fingerprint-enable access to their applications by leveraging DigitalPersona Pro security, credential management in Active Directory, user interface and deployment tools.


The DigitalPersona Pro SDK is designed to work with the DigitalPersona Pro Server and the DigitalPersona Pro Workstation Software. The DigitalPersona Pro SDK only supports the DigitalPersona U.are.U Fingerprint Readers included with Workstation packages.

DigitalPersona Online/SDK - DigitalPersona Online consists of server and client software to add fingerprint authentication to enable virtually any web application. DigitalPersona Online enables businesses to provide heightened security to customers, partners and employees, replacing cumbersome passwords with the convenience of a single touch of a finger.

DigitalPersona Kiosk - DigitalPersona Pro Kiosk for Active Directory provides fast, secure and convenient access to shared computer environments, such as healthcare, retail point of sale and manufacturing lines, where multiple users share workstations running mission- and life-critical programs.

DigitalPersona Pro Kiosk solves compliance challenges in a multi-user environment by providing comprehensive audit trails for each user.

DigitalPersona Platinum SDK - The DigitalPersona Platinum Software Development Kit (SDK) enables developers to add the power of DigitalPersona fingerprint authentication security to their Windows applications.

This toolkit exposes a set of DCOM objects and ActiveX controls which enables developers to access the functionality of the DigitalPersona Identity Engine to execute the core tasks of fingerprint capture, template creation, credential storage and template matching.

The toolkit’s Security Layer is completely transparent to the application developer. ActiveX (OCX) support allows programming in other scripting languages.

The toolkit includes sample code for Visual C, C++, Visual Basic and .NET. The DigitalPersona Platinum SDK only supports the DigitalPersona U.are.U Fingerprint Readers (sold separately, see details below).


Part Two: Deployment & Installation

Part Two of the DigitalPersona Pro for AD Administrator Guide includes the following chapters:

• Deploying DigitalPersona Pro Server - Describes the procedure for deploying DigitalPersona Pro Server. (Page 29)

• Installing DigitalPersona Pro Workstation - Describes the procedure for installing DigitalPersona Pro Workstation.

For information on planning and deployment, see “Planning & Deployment” on page 172.

Chapter 4 - Deploying DigitalPersona Pro Server

This chapter provides instructions for the deployment or upgrading of DigitalPersona Pro for Active Directory Server on a domain controller. Instructions for uninstalling DigitalPersona Pro Server are on page 46.

Deployment Overview

Here is a high-level overview of the steps required to deploy DigitalPersona Pro Server for Active Directory on the domain controller for a Windows 2000 or 2003 network:

1 Extend the Active Directory schema to include attributes and classes used by DigitalPersona Pro Server.

2 Configure each domain on which DigitalPersona Pro Server will be installed by running the Domain Configuration Wizard.

3 Install the DigitalPersona Pro Server software.

4 Install the Administrative Templates.

Detailed instructions for installation begin on page 32.

Upgrading from Previous Versions

This topic contains information that is specific to upgrading from version 3.x of DigitalPersona Pro for Active Directory to the current version which is 4.0. Upgrading to the current version has been made as straightforward and simple as possible. In most cases, it is simply a matter of removing the old software and installing the new software.

However, you should keep the following in mind.

DigitalPersona Pro for Active Directory 4.0 introduces a new licensing model for Pro Server which is based on requiring User Authentication Licenses for each user who will be registering their fingerprints.


You should contact your DigitalPersona Account Manager or product Reseller to obtain the necessary licenses prior to beginning the upgrade process.

Installation of Pro Server 4.0 prior to installing the license will not lock out your current users, but will prevent any new users from registering their fingerprints on a version 4.0 Workstation.

To upgrade from a previous version

The recommended sequence of events for upgrading from a previous version to the current version is:

1 Determine the number of User Authentication Licenses required and generate a license request file for each domain using the License Control Manager application included on the Administration Tools CD. Follow instructions in the topic “Getting License Information” on page 87 for requesting and installing license files.

2 Remove existing 3.x Pro Servers and install all 4.0 Pro Servers according to the instructions in “Deploying DigitalPersona Pro Server” on page 29. It is important to complete the upgrade of ALL Pro Servers before installing any Pro Workstations.

Warning

DO NOT run the Schema Extension wizard as part of the upgrade process. This is step 1 in the installation process for new installations, but should not be followed for upgrading your Pro Server.

3 Enter User Authentication Licenses for each domain where Pro Servers are installed.

4 Begin installation of Pro Workstation 4.0 according to the instructions in “Installing DigitalPersona Pro Workstation” on page 47.

The table on the following page will assist you in determining your upgrade path according to your specific needs.


Table 4-1. Feature Comparison

Deployment Scenario / DigitalPersona Pro Features

Feature columns: Purchase Pro 4.0 Server; Follow upgrade instructions on page 30; Secure Server Authentication; One Touch SignOn and One Touch Internet; Secure Windows Logon; One Touch Logon & One Touch UnLock; Workstation Administration

Have Pro 3.x Server(s) and want to upgrade to Pro 4.0 Server(s): X X X X X X

Have Pro 3.x Workstations and want to upgrade to Pro 4.0 Workstations: X X X X

Have Pro 4.0 Server and Pro 4.0 Workstations and want to add more Pro 4.0 Workstations


Extend the Active Directory Schema

Prior to installing DigitalPersona Pro Server, the Active Directory schema must be extended to create new attributes for the user object and new classes, as well as to make modifications to existing classes. The Active Directory Schema Extension Wizard automatically handles all of the necessary changes to the schema. This schema extension is global to the Active Directory forest. If you want to view the script that is used to extend the schema (dp-schema.ldif), it is available on the product CD at the following location:

[cd drive]\AD Schema Extension\dp-schema.ldif

Warning

The Active Directory Schema Extension Wizard must be run from the schema master domain controller, or the data may not replicate fast enough to allow the wizard to continue. If the data is not replicated fast enough, the wizard will terminate, and you should then wait one replication cycle before running the wizard again.

After the schema extension, and again after configuring your domains, you must wait for Active Directory schema replication to be completed. The amount of time this takes will depend on the complexity of your Active Directory structure.

You must have Schema Administrator privileges to run the Schema Extension Wizard.

To run the Active Directory Schema Extension Wizard

1 Double-click DPSchemaExt.exe, which is located in the AD Schema Extension folder on the Server installation CD, to start the Schema Extension Wizard.

2 Read the terms and conditions on the License Agreement page. If you agree with them, select I accept the license agreement and then click Next.

3 When prompted to proceed with the schema extension, click Yes.

4 Next, specify a location and name for the log file generated by the Schema Extension Wizard in the Save Log File As dialog box. Then, click Save.


5 If the schema is not writable, the wizard will inform you of the fact and will allow you to make it writable. If this dialog box displays, click Yes to make the schema writable and perform the schema extension.

6 The wizard will extend the schema and provide information such as the class and attribute names. To close the wizard, click Finish.

The name of each new attribute and class added to the Active Directory schema follows Microsoft naming conventions. The names are assigned a “dp” prefix, which is registered with Microsoft.


Configure each domain

For each domain on which you plan to install DigitalPersona Pro Server, you need to run the DigitalPersona Pro Active Directory Domain Configuration Wizard, which configures the required domain-specific data including the necessary cryptographic keys.

Running the wizard requires administrator privileges on the domain controller.

Warning

You should run this wizard once on each domain controller where Pro Server will be installed.

When installing multiple Pro Servers, it is critical that you run the wizard only once during any replication period, allowing full replication to be completed before going on to run the wizard on the next domain controller.

Running the wizard a second time during a replication period will result in corrupted Server data, and any DigitalPersona Pro Servers in the domain will be unusable.

To run the DigitalPersona Pro Active Directory Domain Configuration Wizard

1 Double-click DPDomainConfig.exe, which is located in the AD Domain Configuration folder on the Server installation CD.

2 Read the license agreement that displays and, if you agree to the terms and conditions, select I accept the license agreement and then click Next.

3 A warning reminds you not to run this wizard if you have an existing DigitalPersona Pro Server installation on this domain. If you are sure there are no other DigitalPersona Pro Server installations on the domain you are configuring, check the I accept that the domain will be configured box and click Next.

4 In the Save Log File As dialog box, specify a file name and folder path for the log file generated by the wizard and click Save.

5 When you click Save, the wizard performs the necessary changes on the domain.

Install DigitalPersona Pro Server

After extending the Active Directory schema and configuring the domain where you plan to install DigitalPersona Pro Server, you are ready to install the DigitalPersona Pro Server software.

In addition to the minimum hardware and software requirements specified by Microsoft for a domain controller, DigitalPersona Pro Server has the following requirements:

• Operating System: Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, or Windows 2003 Server

• Active Directory installed and configured

• High-encryption (128-bit) capability. This is built into Windows 2003 Server and the latest service packs for Windows 2000 Servers. If you need to install high encryption capability for an early Windows 2000 OS, see “Installing High Encryption” on page 198.

• 10 MB of free hard disk space

• Administrator privileges on the domain controller

• No other DigitalPersona products are installed

To install DigitalPersona Pro Server

1 Double-click Setup.exe, which is located in the Install folder on the Server installation CD, to run the DigitalPersona Pro Server Installation Wizard.

2 When the wizard opens, click Next.

3 Read the terms and conditions on the License Agreement page. If you agree with them, select the I accept the license agreement button and then click Next.

4 On the next page, you can specify the folder in which DigitalPersona Pro Server will be installed. If you want to install DigitalPersona Pro in the default location, C:\Program Files\DigitalPersona\, click Next; otherwise, click Browse to specify a new location and then click Next to continue.

Install the Administrative Templates

DigitalPersona Pro Server and Workstation use Active Directory Administrative Templates to provide access to various policies and settings used in configuring the DigitalPersona Pro environment. These policies and settings are described in the chapter, “Configuring Policies and Settings” on page 56.

During installation of DigitalPersona Pro Server, the Administrative Templates for Pro Server and Workstation are copied to the %SystemRoot%\inf\ folder, i.e. in most cases, C:\Windows\inf.

The Workstation Administrative Template is also copied to the same folder during installation of the Workstation software.

Adding the Administrative Template to a GPO makes the DigitalPersona Pro policies and settings available.

The two Administrative Templates used to configure DigitalPersona Pro policies and settings are:

DigitalPersonaProSvr.adm - Designed for DigitalPersona Pro Servers, this template should be applied to Active Directory GPOs where it can be distributed to Domain Controllers running DigitalPersona Pro Server.

DigitalPersonaProWksta.adm - Designed for DigitalPersona Pro Workstations, this template should be applied to Active Directory GPOs where it can be distributed to computers running DigitalPersona Pro Workstation. It can also be applied to a local policy object for a standalone installation of DigitalPersona Pro Workstation.

Settings provided include: Fingerprint Verification Accuracy, Number of Fingerprints, Lockout Policy, Multi-credential Logon, Local Caching, One Touch Logon and One Touch SignOn settings and more.


Implementation Guidelines

Before you add the Administrative Templates to your GPOs, give some thought to your Active Directory structure, where GPOs are placed, and which GPOs the Administrative Templates should be added to.

Policy configuration needs will vary from network to network and specific policy recommendations are beyond the scope of this guide. You may want to refer to Microsoft’s documentation on Group Policy Object configuration for more information.

Organizational Units and GPOs

Although the use and configuration of organizational units and GPOs varies widely among corporations, we have provided some general guidelines for structuring Active Directory organizational units.

There are two key factors in deciding how to structure your network:

• How you group your users and computers, and

• Where the DigitalPersona Pro GPOs are set.

For example, if users and computers can be grouped according to authentication policies, you might group them into separate organizational units and then set specific GPOs for each unit.

However, when authentication policies within an organizational unit vary, as they often do between department heads and subordinates, you may want to group those users and computers into a child organizational unit.

Structuring your organizational units based on authentication policies is the easiest way to administer DigitalPersona Pro.

1 Plan your network structure by identifying the settings you intend to configure.

2 Determine whether to apply the settings to users and computers in a site or domain, or just to users and computers in an organizational unit.

3 Create the organizational units required to implement your design.

4 Add the respective users and computers to the organizational units.


GPO behavior

Here are a few guidelines to keep in mind when configuring DigitalPersona Pro GPOs.

• If a GPO setting is not configured, the default value set in the software is used.

• If a superior (higher-level) GPO has a value for a setting and a subordinate GPO has a conflicting value for that setting, the value in the subordinate GPO is used.

• If a GPO has a value for a setting and a subordinate (lower-level) container has the GPO setting with no value, the value in the superior (higher-level) GPO is used.

• GPOs can only be applied to the three Active Directory containers: sites, domains and organizational units; not to users or computers.

• A single GPO can be applied to one or more containers.

• A GPO affects all users and computers in the container it is applied to, and in that container's subcontainers.
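The precedence rules above, worked through as an added example that is not DigitalPersona's code: a small model that resolves which value of each DigitalPersona Pro setting a computer receives along its site, domain and OU chain, and lists the settings no GPO configured. It implements only the rules on this page (no Enforced, Block Inheritance or link order); the container names, GPO names and setting values are constructed.

```python
"""Added example, not DigitalPersona's code: a small model of the GPO
behaviour rules listed above, used to work out which value of a
DigitalPersona Pro setting a computer in a given container ends up with.
It implements only the rules on this page (software default, subordinate
overrides superior, "Not Configured" inherits, one GPO may be linked to
several containers) and ignores Enforced, Block Inheritance and link order.
Container names, GPO names and setting values below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NOT_CONFIGURED = None  # a setting left "Not Configured" in a GPO


@dataclass
class GPO:
    name: str
    settings: Dict[str, Optional[object]] = field(default_factory=dict)


@dataclass
class Container:
    """A site, domain or organizational unit and the GPOs linked to it."""
    name: str
    gpos: List[GPO] = field(default_factory=list)


def effective_settings(path: List[Container],
                       defaults: Dict[str, object]) -> Dict[str, Tuple[object, str]]:
    """Resolve settings for a computer whose container chain is `path`.

    `path` runs from the superior container (site) down to the computer's
    own OU; later containers are subordinate and override earlier ones.
    Returns setting -> (value, where that value came from).
    """
    resolved = {name: (value, "software default") for name, value in defaults.items()}
    for container in path:
        for gpo in container.gpos:
            for name, value in gpo.settings.items():
                if value is NOT_CONFIGURED:
                    continue  # no value here: the superior container's value stays
                resolved[name] = (value, f"{gpo.name} linked at {container.name}")
    return resolved


def settings_left_at_default(resolved: Dict[str, Tuple[object, str]]) -> List[str]:
    """Settings no GPO in the chain configured. Worth reviewing: the software
    default applies silently to every computer in that container."""
    return sorted(name for name, (_, source) in resolved.items()
                  if source == "software default")


# Constructed defaults and GPOs. The setting names come from the template
# description in this chapter; the values are made up for the example.
DEFAULTS = {
    "Fingerprint Verification Accuracy": "medium",
    "Number of Fingerprints": 10,
    "Lockout Policy": "disabled",
    "Local Caching": "enabled",
}

baseline = GPO("Corp Baseline", {
    "Number of Fingerprints": 2,
    "Local Caching": NOT_CONFIGURED,   # inherits whatever is above (here: default)
})
domain_logon = GPO("Domain Logon", {"Local Caching": "disabled"})
finance_strict = GPO("Finance Strict", {
    "Number of Fingerprints": 4,       # conflicts with Corp Baseline: subordinate wins
    "Fingerprint Verification Accuracy": NOT_CONFIGURED,
})

SITE = Container("Site HQ", [baseline])
DOMAIN = Container("corp.example (domain)", [domain_logon])
FINANCE_OU = Container("OU=Finance", [finance_strict])
SALES_OU = Container("OU=Sales", [])  # no GPO of its own: inherits from domain and site

if __name__ == "__main__":
    for ou in (FINANCE_OU, SALES_OU):
        print(f"--- computer in {ou.name}")
        result = effective_settings([SITE, DOMAIN, ou], DEFAULTS)
        for name, (value, source) in result.items():
            print(f"{name}: {value}  ({source})")
        print("left at software default:", settings_left_at_default(result))
```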

Install Templates to Active Directory

For centralized administration of DigitalPersona Pro, both Administrative Templates need to be added to a GPO on the appropriate nodes by the domain administrator.

For local administration of a DigitalPersona Pro Workstation, see “Install Workstation Template Locally” on page 41.

In order to install the DigitalPersona Pro Administrative Templates and access their settings, you need to have domain administrator rights.

1 In the Active Directory Users and Computers tool, right-click on a node whose GPO can be distributed to Domain Controllers running DigitalPersona Pro Server and select Properties.

2 In the Properties dialog, click Edit to display the Group Policy Editor.

3 In the Group Policy Editor, right-click on the Computer Configuration/Administrative Templates folder and select Add/Remove Templates.

4 In the Add/Remove Templates dialog, select DigitalPersonaProSvr and click Add.

5 Select DigitalPersonaProWksta and click Add.

6 Click Close to exit the dialog.


7 A DigitalPersona Pro folder will then be listed under Computer Configuration/Administrative Templates.

DigitalPersonaProWksta should also be added to the Active Directory GPOs where it can be distributed to computers running DigitalPersona Pro Workstation on the Windows 2000, XP or Server 2003 operating systems.

1 In the Active Directory Users and Computers tool, right-click on a node whose GPO can be distributed to computers running DigitalPersona Pro Workstation and select Properties.

2 In the Properties dialog, click Edit to display the Group Policy Editor.

3 In the Group Policy Editor, right-click on the Computer Configuration/Administrative Templates folder and select Add/Remove Templates.

4 Select DigitalPersonaProWksta and click Add.

5 Click Close to exit the dialog.

Use the Group Policy Editor to modify DigitalPersona Pro settings by clicking Properties on the shortcut menu of each setting and then clicking the Policy tab on the Properties dialog box.

For a complete list of DigitalPersona Pro settings, see “DigitalPersona Pro Policies and Settings” on page 58.

Install Workstation Template Locally

For local administration of a DigitalPersona Pro Workstation, the Workstation Administrative Template (DigitalPersonaProWksta) can be added to the local policy object of any workstation running DigitalPersona Pro Workstation by using the Microsoft Management Console (MMC) Group Policy Editor.

To add the Workstation Administrative Template

1 On the Start menu, click Run. Type gpedit.msc and press Enter to launch the Group Policy Editor.

2 Right-click the Administrative Templates folder and select Add/Remove Templates on the shortcut menu.

3 Click the Add button on the Add/Remove Templates dialog box, and then locate and select the DigitalPersonaProWksta file in the following path:

%SystemRoot%\inf (For example, C:\Windows\inf.)

Changes Made During Installation

Running the Schema Extension Wizard adds the following data to Active Directory.

Active Directory Containers

The Schema Extension Wizard installs three subcontainers in the Active Directory System container. They contain information administrators can use to verify and administer the DigitalPersona Pro Server installation.

The three containers are the Biometric Authentication Servers container, Licenses container and the Policies container.

The Biometric Authentication Servers container provides the class name of the Server.

The Licenses container holds the license files for DigitalPersona Pro Server.

The Policies container, located under [domain name]/System/DigitalPersona/UareUPro/Policies, contains all the Policy Objects created for use with DigitalPersona Pro, as described in “DigitalPersona Pro Policies and Settings” on page 58.

In addition to these containers, the following data is added to the Service container:

Service Configuration Container Name, set to Biometric Authentication Server.

Service Version Object Name, set to <current BAS version>.

Published Information

DigitalPersona Pro Server publishes its service using the following properties:

Service Class Name, set to Biometric Authentication Service.

Service Class GUID, set to {EFE03FEC-2A6C-4DFB-9B56-E3BC77F32D7F}.

Vendor Name, set to DigitalPersona.

Product Name, set to UareUPro.

Product GUID, set to {48F74E29-1CC0-468F-A0A0-8236628A5170}.

Authentication Server Object Name, the DNS name of the host computer.

Service Principal Name, a unique name identifying the instance of a service for a client.

Schema Version Number, the version of the Active Directory schema extension.

Product Version Number, the version of DigitalPersona Pro Server software.

Product Version High, set to [current version].

Product Version Low, set to [current version].

Keywords for searching the server are Service Class GUID, Vendor Name, Product Name and Product GUID. The keyword values are the same as the property values listed in this section.

The Server publishes its service in compliance with the Active Directory Service Connection Point specifications.
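The containers described under "Active Directory Containers" and the Service Connection Point properties listed under "Published Information" can both be checked from any domain-joined machine. The following PowerShell script is an added example, not part of this guide and not DigitalPersona tooling. It confirms that the Policies container exists at the documented path and then searches the domain for Service Connection Points carrying the documented Product GUID, Service Class GUID, Vendor Name and Product Name keywords. It assumes that the published properties are stored in the standard serviceConnectionPoint attributes (serviceClassName, serviceDNSName, vendor, keywords, versionNumberHi, versionNumberLo, serviceBindingInformation); the guide lists the properties by display name only, so that attribute mapping, and the assumption that the SCP sits under the server's computer object, are the example's own.

```powershell
# Added example (not from the DigitalPersona guide): verify the Active Directory
# objects created by the Schema Extension Wizard and published by Pro Server.
# Uses only the built-in System.DirectoryServices classes; no RSAT module needed.

# Keyword values exactly as documented under "Published Information".
$ServiceClassGuid = '{EFE03FEC-2A6C-4DFB-9B56-E3BC77F32D7F}'
$ProductGuid      = '{48F74E29-1CC0-468F-A0A0-8236628A5170}'
$VendorName       = 'DigitalPersona'
$ProductName      = 'UareUPro'

# Return the first value of an attribute from a SearchResult, or '' if absent.
function Get-FirstValue($props, [string]$name) {
    if ($props.Contains($name) -and $props[$name].Count -gt 0) { return [string]$props[$name][0] }
    return ''
}

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext

# 1. The Policies container at the documented location
#    [domain name]/System/DigitalPersona/UareUPro/Policies.
$policiesDn = "CN=Policies,CN=UareUPro,CN=DigitalPersona,CN=System,$domainDn"
if ([ADSI]::Exists("LDAP://$policiesDn")) {
    Write-Host "OK      Policies container present: $policiesDn"
} else {
    Write-Warning "MISSING Policies container: $policiesDn (schema extension not run, or no read access)"
}

# 2. Service Connection Points published by Pro Server, located through the
#    documented search keywords. Requiring all four keywords avoids matching an
#    unrelated SCP that happens to reuse one of them.
$filter = "(&(objectClass=serviceConnectionPoint)" +
          "(keywords=$ServiceClassGuid)(keywords=$ProductGuid)" +
          "(keywords=$VendorName)(keywords=$ProductName))"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter     = $filter
$searcher.PageSize   = 500
# Assumed mapping of the documented properties onto standard SCP attributes.
foreach ($attr in 'distinguishedName','serviceClassName','serviceDNSName','vendor',
                  'versionNumberHi','versionNumberLo','serviceBindingInformation','keywords') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
if ($results.Count -eq 0) {
    Write-Warning 'No DigitalPersona Pro Server SCP found in this domain.'
}

foreach ($r in $results) {
    $p       = $r.Properties
    $dnsName = Get-FirstValue $p 'servicednsname'

    # 3. Cross-check: by SCP convention (an assumption; the guide does not say
    #    where the object is created) the SCP sits under the computer account
    #    of the host it names, so the parent's dNSHostName should equal the
    #    published DNS name. A mismatch, or a parent that is not a computer
    #    object, is worth a look before clients are allowed to trust that SCP.
    $parent     = $r.GetDirectoryEntry().Parent
    $parentDns  = [string]$parent.dNSHostName
    $consistent = ($parentDns -ne '') -and ($parentDns -ieq $dnsName)

    [pscustomobject]@{
        SCP              = Get-FirstValue $p 'distinguishedname'
        ServiceClass     = Get-FirstValue $p 'serviceclassname'
        ServerDnsName    = $dnsName
        ParentObject     = [string]$parent.distinguishedName
        ParentMatchesDns = $consistent
        Vendor           = Get-FirstValue $p 'vendor'
        VersionHi        = Get-FirstValue $p 'versionnumberhi'
        VersionLo        = Get-FirstValue $p 'versionnumberlo'
        Binding          = (@($p['servicebindinginformation']) -join '; ')
    }
}
```

The search needs only read access to the domain, so it can run as an ordinary domain user. A row with ParentMatchesDns set to False is not by itself an error, since the guide does not state where the SCP is created, but it is the first thing to check when workstations cannot find their server or when an unexpected host turns up carrying the DigitalPersona keywords: any principal with create-child rights on a container can publish an SCP with these keyword values, and clients that select a server purely by keyword will consider it.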
