Enterprise Single Sign-On User Guide

Copyright © 1998-2009 Quest Software and/or its Licensors

ALL RIGHTS RESERVED.

This publication contains proprietary information protected by copyright. The software described in this publication is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical or otherwise without the prior written permission of the publisher.

DISCLAIMER

The information in this publication is provided in connection with Quest branded products from Evidian. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE AGREEMENT FOR THIS PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY

WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY

RELATING TO THIS PRODUCT, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY DIRECT, INDIRECT,

CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN IF EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Evidian and Quest make no representations or warranties with respect to the accuracy or completeness of the contents of this publication and reserve the right to make changes to

specifications and product descriptions at any time without notice. Evidian and Quest do not make any commitment to update the information contained in this publication. The information and specifications in this publication are subject to change without notice.

Trademarks

Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, InTrust, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, Stat!,

StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster, SSOWatch, WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks mentioned in this document are the propriety of their respective owners.

World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656 Website: www.quest.com

Please refer to our website for regional and international office information. Quest Enterprise SSO


CONTENTS

About This Guide ... 3

Access Management ... 3

Conventions ... 4

1. Overview... 5

1.1 Advanced Login Usage ... 5

1.2 Operating Modes ... 5

2. Using Advanced Login on Windows 2000/XP Systems ... 6

2.1 Welcome Screen ... 6

2.2 Logging on to Windows ... 7

2.2.1 Logging on to Windows using User Name/Password ... 7

2.2.2 Logging on to Windows with Smart Cards ... 9

2.2.3 Logging on to Windows using your Fingers ... 11

2.2.4 Logging on to Windows Using Your RFID Badge ... 15

2.2.5 Forcing Cache Update at Logon ... 19

2.3 Displaying Session Information ... 19

2.4 Shutting Down the Workstation ... 22

2.5 Locking/Unlocking the Workstation ... 23

2.5.1 Locking the Computer ... 23

2.5.2 Unlocking the Computer ... 24

2.6 Modifying Password or PIN ... 24

2.6.1 Modifying Password ... 25

2.6.2 Modifying your PIN ... 26

2.7 Using the Emergency Access (SOS) ... 26

2.7.1 Resetting Your Password ... 27

2.7.2 Resetting Your PIN ... 28

2.8 Logging on as an Administrator on a User Session ("Administrator Grace Period") ... 29

3. Using Advanced Login on Windows Vista Systems ... 30

3.1 The Initial Authentication Screen... 30

3.2 Logging on to Windows Vista ... 31

3.2.1 Authenticating on Windows Vista Using User Name/Password ... 31

3.2.2 Authenticating on Windows Vista Using Smart Cards ... 32

3.2.3 Logging on to Windows using your Fingers ... 37

3.3 Locking/Unlocking the Session ... 41

3.3.1 Locking the Session ... 41

3.3.2 Unlocking the Session ... 42

3.4 Switching Users ... 43

3.5 Modifying your Password or PIN ... 43

3.5.1 Modifying your Password ... 43

3.5.2 Modifying your PIN ... 45

3.6 Using the Emergency Access ... 45

3.6.1 Resetting Your Password ... 46


3.7 Managing Primary Accounts on Your Smart Card ... 48

3.8 Logging on as an Administrator on a User Session ("Administrator Grace Period") ... 49

A. Advanced Login and Biometrics Configuration ... 50

A.1 Advanced Login Configuration Parameters ... 50

A.2 Biometrics Configuration Parameters ... 52

A.3 Modifying the Authentication Screen Icons (Windows Vista only) ... 52

About Quest Software, Inc. ... 53

Contacting Quest Software... 53


About This Guide

Access Management

Subject: This guide explains how to use Enterprise SSO Advanced Login for Windows.

Intended Reader:

• Advanced Login end-users.

• Advanced Login Administrators.

Software/Hardware Required: Quest Enterprise SSO Advanced Login 8.0 evolution 3 and later versions. For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to Quest Enterprise SSO Release Notes.

Supported Operating Systems: Quest Enterprise SSO Advanced Login runs on the following systems:

• Windows.

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

ELEMENT: CONVENTION

Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.

Bolded text: Interface elements that appear in Quest products, such as menus and commands.

Italic text: Used for comments.

Bold Italic text: Introduces a series of procedures.

Blue text: Indicates a cross-reference. When viewed in Adobe® Acrobat®, this format can be used as a hyperlink.

(icon): Used to highlight additional information pertinent to the process being described.

(icon): Used to provide Best Practice information. A best practice details the recommended course of action for the best result.

(icon): Used to highlight processes that should be performed with care.

+: A plus sign between two keystrokes means that you must press them at the same time.

1. Overview

Enterprise SSO Advanced Login is the authentication module of the Enterprise SSO (E-SSO) suite. It enables speedy implementation of connection procedures using authentication mechanisms with physical tokens (smart cards, USB keys, RFID badges) and biometrics, in addition to the standard authentication methods of login/password.

1.1 Advanced Login Usage

Enterprise SSO Advanced Login is used to implement strong authentication in the following scenarios of use:

• Authentication with smart cards or USB keys with Windows workstations, without any need to deploy a PKI compatible with Windows Active Directory certificates.

• Authentication using non-Windows methods, such as biometrics.

• Authentication of users through an enterprise directory, which is not part of the Windows network.

• Authentication with RFID badges.

1.2 Operating Modes

Enterprise SSO Advanced Login can be configured in one of the following modes:

• Client/server mode: users are directly authenticated in Enterprise SSO Console, the advanced access control module.

2. Using Advanced Login on Windows 2000/XP Systems

This section describes the E-SSO authentication with Advanced Login on Windows 2000 or Windows XP systems.

2.1 Welcome Screen

The Enterprise SSO Advanced Login welcome screen is displayed at workstation start-up. It shows the log on methods which are allowed and installed on the workstation.

To log on to Windows, you can:

• Press Ctrl+Alt+Del to connect using your user name/password, as explained in Section 2.2.1, Logging on to Windows using User Name/Password.

• Insert your smart card or USB key (if any), as explained in Section 2.2.2, Logging on to Windows with Smart Cards.

• Place your finger on the scanner (if any), as explained in Section 2.2.3, Logging on to Windows using your Fingers.

• Use your RFID badge (if any), as explained in Section 2.2.4, Logging on to Windows Using Your RFID Badge.


2.2 Logging on to Windows

2.2.1 Logging on to Windows using User Name/Password

Subject

This section explains how to connect to Windows with your user name and password through Active Directory or any other supported directories.

Procedure

1. In the Welcome window, press Ctrl+Alt+Del. The authentication window appears.

If an RFID badge or a smart card is detected by the workstation, the RFID or smart card authentication window appears by default. In this case, press the Esc (Escape) key to open the login/password authentication window.

2. Enter the following information and click OK.

• User: type your user name.

• Password: type your password.

• Connected to: select your domain (Active Directory), or Root (any other directory) or local session.

If you open a local session, you will not be protected by the advanced features of Enterprise SSO.

The Windows domain definition can be done with the SSOStudio component of SSOWatch: define an application with a Windows application model. For more information on SSOWatch, see Enterprise SSO - SSOWatch Administrator Guide.

3. Select an account and click OK.

2.2.2 Logging on to Windows with Smart Cards

2.2.2.1 Logging on With a Smart Card Containing Account Data

Subject

If your account data is enrolled on the smart card, you can log on to your windows session as explained in the following procedure.

Procedure

1. Press Ctrl+Alt+Del.

The authentication window appears.

2. Insert your smart card in the smart card reader.

If your card can store several accounts, the User field lists all the primary accounts stored on the smart card.

If there is only one primary account in the card, this primary account is selected.

3. If needed, select the account with which you want to authenticate.

4. Enter the PIN of your smart card and click OK.

You do not need to enter your username and domain name as they are already stored on the card when it is created by an Enterprise SSO administrator.

If your log on password has expired, a new password is requested. The new password will be stored instead of the old one.

If you have defined a password-generation policy in SSOWatch, the new password can be randomly generated. In this case, this screen never appears.

5. If there are several Windows accounts corresponding to the primary account,

2.2.2.2 Logging on Using a Blank Smart Card

Subject

The first time you use a multi-account smart card to log on to your workstation, your account data is not yet stored on the smart card. The following procedure explains how to enroll your own account on a smart card.

The following procedure only applies to smart cards that can handle self-enrolment and multi-accounts.

Procedure

1. Press Ctrl+Alt+Del.

The authentication window appears.

2. Insert your smart card in the smart card reader.

As your account is not stored on the smart card yet (first smart card authentication), the User field displays "Smartcard empty: enroll an account".

3. Enter the PIN of your smart card and click OK.

As this is the first time you authenticate with this smart card, you are prompted for your log on user name and password (which are stored in the directory). This information will be stored on the smart card and will no longer be


4. Type the required information and click OK.

The account is created on the smart card and the session opens.

2.2.3 Logging on to Windows using your Fingers

Advanced Login can work in three modes to authenticate users using their biometric data:

• STORE ON PC Mode: in this mode, the biometric data is stored on the PC in the Enterprise SSO cache file. The finger replaces the ID/Password. You must enroll yourself on each PC that you connect to.

• STORE ON SMART CARD Mode: in this mode, the biometric data is stored on a smart card. The finger replaces the PIN.

• STORE ON SERVER Mode

2.2.3.1 First Log on

Subject

To be able to log on to Windows using your finger, you must first enroll your biometric data.

Before Starting

• Make sure the Enterprise SSO finger module is installed on the workstation.

• A finger reader must be installed on the workstation. The workstation can support only one reader. We strongly recommend that you download the latest:

  • Drivers and licence of your product.

  • Licence for the installation.

• If you use several finger readers, just plug in the one reader you want to use and restart the computer.

For more information on supported biometric devices, see Quest Enterprise SSO Release Notes.

• If the administrator has configured a validation of your authentication, a second E-SSO user must authenticate him or herself after you.

• If the Biometric Enrollment tool is not available, modify the SSOWatch installation by selecting the Biometrics Enrollment tool option and restart the computer.

Ensure that the Controller is available to be able to enroll in Store on Server Mode.

Procedure

1. Depending on your biometric authentication mode, do one of the following:

• Store on PC: log on using your password, as described in Section 2.2.1, Logging on to Windows using User Name/Password.

• Store on Server: log on using your finger, as described in Section 2.2.3, Logging on to Windows using your Fingers.

The Enterprise SSO Biometrics Enrollment tool starts after a successful authentication.

2. If it does not start: display the SSOWatch menu by right-clicking the SSOWatch icon in the notification area and clicking Biometric enrollment.

3. Follow the instructions of the Biometric Enrollment tool.

4. When you have successfully completed the scan of your finger(s), log off and try to log on using the finger print reader, as described in Section 2.2.3.2, Everyday Log on.


2.2.3.2 Everyday Log on

Subject

This section describes how to log on to Windows using your finger.

Depending on your biometric authentication mode (STORE ON PC, STORE ON SMART CARD or STORE ON SERVER), the procedure is slightly different.

Before Starting

You must have enrolled your biometric data, as described in Section 2.2.3.2, Everyday Log on.

Each time you connect yourself to a new workstation in Store On PC mode, you must enroll your biometric data.

Procedures

STORE ON PC Mode

1. When the Advanced Login welcome screen appears, place your finger on the scanner.

The following window appears:

2. Read the instructions displayed in the Fingerprint field.

3. Depending on your configuration, you log on automatically when your finger is successfully captured. If not, just fill in the User field and click OK.

For details on how to enable the automatic validation, see Section A.1, Advanced


STORE ON SMART CARD Mode

1. When the Advanced Login welcome screen appears, insert your smart card in the reader.

The following window appears:

2. Either enter your PIN, or place your finger on the scanner.

3. If you have entered your PIN, click OK (if your finger is successfully captured, you log on automatically).

STORE ON SERVER Mode

1. When the Advanced Login welcome screen appears, place your finger on the scanner.


2. Read the instructions displayed in the Fingerprint field.

Depending on your configuration, you log on automatically when your finger is successfully captured.

3. If you are not logged on automatically, just fill in the User field and click OK. For details on how to enable the automatic validation, see Section A.1, Advanced Login Configuration Parameters.

4. If the authentication fails, you have to enter your ID to update the local cache.

2.2.4 Logging on to Windows Using Your RFID Badge

Subject

This section explains how to authenticate with an RFID badge.

The following figure illustrates how Enterprise SSO acts depending on the areas in which it detects the RFID badge.

[Figure: the sensor/antenna with its unlock range and lock range; the areas are labelled Unlock Area, Visibility Area and Lock Area, and the session states Session Kept Alive and Session Locked/Closed.]

2.2.4.1 First Log on

Before Starting

An RFID reader must be installed on the workstation.

Procedure

1. Place the RFID badge in the unlock area so that Enterprise SSO detects it. The Advanced Login window appears and tells you that your RFID badge is not assigned.

2. Click OK to validate it.


3. Enter your login and password to associate them with your RFID badge and click OK.

If you are authenticated, the session opens.

• You can have as many RFID badges as you want; this enables you to lend them to other people.

• You can delete the badge enrollment by blacklisting it in the Administration Console.

• E-SSO policy cannot block auto-enrollment.

2.2.4.2 First Log on with a Smart Card

Before Starting

• E-SSO Advanced Login must be installed on the workstation.

• An RFID and a Smart Card reader must be installed on the workstation.

• You must have both RFID badge and Smart Card to log on.

• If no RFID badge is detected, the RFID badge enrolment will not be suggested the next time you open your Windows session.

Procedure

1. Insert your Smart Card in the Card reader.

Your Smart Card and your RFID badge are detected, the following window appears:


2.2.4.3 Everyday Log on

Procedure

1. Place the RFID badge in the unlock area so that Enterprise SSO detects it. The authentication window appears.

• If several RFID badges are detected in the unlock area, the RFID owner field lists all the detected RFID badges.

• You can take your badge back before typing in your password.

2. In the RFID owner field, select the wanted RFID badge, type in your password and click OK.

If you have taken your RFID badge back, you have 30 seconds to enter your password and validate.

Your session opens.

2.2.4.4 Logging on through Citrix/TSE

If you want to log on through Citrix/TSE, you must press the SHIFT key when placing your RFID badge in the unlock area.

2.2.4.5 Logging out

There are two possibilities for logging out:

• If you have left your RFID badge in the unlock area, retrieve it and the session closes.


• If you retrieved your RFID badge when opening the session, you must place it back in the unlock area and retrieve it again to close the session.

• You can configure how the session closes in the Access Point Profile.

• If an E-SSO authentication (primary reauthentication, SSOStudio launch, etc.) is necessary, then placing the RFID badge in the unlock area will not lock the PC.

• If you have a contact chip badge, you must insert it in the RFID reader.

2.2.5 Forcing Cache Update at Logon

Subject

By default, the authentication is done on the existing cache. The following procedure explains how to force the authentication to be done in the target directory and so to update the authentication data in the cache.

Procedure

1. In the authentication window (whatever the authentication token used), provide your authentication information.

2. Select the Do not use user cache check box and click OK.

The authentication is done in the directory and the cache is updated.
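The following added example (not part of the original guide or of the Quest product) models the two logon paths this section describes: the default decision made from the workstation's local cache, and the forced directory logon that refreshes the cache. The directory, the cache layout, the PBKDF2 verifiers and the sample account are all assumptions made for the example; they show why a stale cache keeps accepting a password that has already been changed in the directory until a cache update is forced.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# PBKDF2 work factor for the constructed verifiers (kept moderate so the example runs quickly).
ITERATIONS = 50_000


def make_verifier(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 verifier; the clear-text password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def check_verifier(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class Directory:
    """Constructed stand-in for the target directory (Active Directory or another LDAP server)."""

    def __init__(self, accounts: dict[str, str]) -> None:
        self._verifiers = {user: make_verifier(pw) for user, pw in accounts.items()}
        self.reachable = True

    def set_password(self, user: str, new_password: str) -> None:
        # A change made directly in the directory: the workstation cache knows nothing about it.
        self._verifiers[user] = make_verifier(new_password)

    def bind(self, user: str, password: str) -> bool:
        if not self.reachable:
            raise ConnectionError("directory unreachable")
        entry = self._verifiers.get(user)
        return entry is not None and check_verifier(password, *entry)


class LocalCache:
    """Per-workstation authentication cache holding only verifiers, never passwords."""

    def __init__(self) -> None:
        self._entries: dict[str, tuple[bytes, bytes]] = {}

    def has(self, user: str) -> bool:
        return user in self._entries

    def verify(self, user: str, password: str) -> bool:
        entry = self._entries.get(user)
        return entry is not None and check_verifier(password, *entry)

    def update(self, user: str, password: str) -> None:
        self._entries[user] = make_verifier(password)


def logon(user: str, password: str, directory: Directory, cache: LocalCache,
          use_cache: bool = True) -> str:
    """Authenticate one logon. use_cache=False models the 'Do not use user cache' check box:
    the directory is always consulted and, on success, the cached verifier is refreshed."""
    if use_cache and cache.has(user):
        # Default path (assumed): decide from the local cache alone, even if the directory is reachable.
        return "cache-ok" if cache.verify(user, password) else "cache-denied"
    try:
        accepted = directory.bind(user, password)
    except ConnectionError:
        return "directory-unreachable"
    if accepted:
        cache.update(user, password)  # the cache now reflects the directory's current secret
        return "directory-ok"
    return "directory-denied"


def demo() -> list[str]:
    """Walk through a password change the cache has not seen; returns the decision trail."""
    directory = Directory({"alice": "Winter2009!"})  # constructed sample account
    cache = LocalCache()
    trail = [
        logon("alice", "Winter2009!", directory, cache),                   # no cache entry yet
        logon("alice", "Winter2009!", directory, cache),                   # now answered from the cache
    ]
    directory.set_password("alice", "Spring2010!")
    trail += [
        logon("alice", "Winter2009!", directory, cache),                   # stale cache still accepts
        logon("alice", "Spring2010!", directory, cache),                   # new password unknown to cache
        logon("alice", "Spring2010!", directory, cache, use_cache=False),  # forced directory logon
        logon("alice", "Winter2009!", directory, cache),                   # old password now rejected
    ]
    return trail


if __name__ == "__main__":
    print(demo())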

2.3 Displaying Session Information

Subject

You can display your session information at any time as explained in the following procedure.

Procedure

• Press Ctrl+Alt+Del.

The session information window appears, as illustrated in the following example windows.

The main session pieces of data are:

• The authenticated Enterprise SSO user.

• The Windows user account used.

Example

Active Directory Session Information

• Password Authentication

The following illustration is an example of an Enterprise SSO Session Information window that appears when authenticating with a password through Active Directory: the Enterprise SSO and Windows accounts correspond to the same user, and you can change your password.

• Smart card Authentication


• Finger Authentication

The following illustration is an example of an Enterprise SSO Session Information window that appears when authenticating with your finger through Active Directory: the Enterprise SSO and Windows accounts correspond to the same user, and the Change your password button is disabled.

LDAP Directories (other than Active Directory) Session Information


2.4 Shutting Down the Workstation

Subject

The Advanced Login shutdown functionality is the same as with classical Windows sessions. It allows you to:

• Close the session.

• Shut down the workstation.

• Reboot the workstation.

• Put the workstation into a sleep state.

• Put the workstation into a hibernate state (if activated in the system parameters).

Procedure

1. Press Ctrl+Alt+Del.

The session information window appears.

2. Click the Shutdown button.

2.5 Locking/Unlocking the Workstation

2.5.1 Locking the Computer

Subject

The Lock state enables you to prevent anybody from using the workstation in your absence.

This section describes the possible means to lock a computer.

Procedure

To lock the computer, do one of the following:

• Press Ctrl+Alt+Del keys and click the Lock computer button.

• If you have authenticated with a smart card, remove the smart card from the reader (or a USB key from its port) and do not take any action for 10 seconds.

The administrator can modify the default workstation behavior when a token is removed, from the Enterprise SSO Console. If the session is not locked at token removal, it means that your administrator has modified this option.

• If you have authenticated with an RFID badge, place the RFID badge outside the visibility area (lock area).


2.5.2 Unlocking the Computer

Subject

A computer can only be unlocked by the user who has locked it (unless it is unlocked using the "Fast-user switching" option).

To unlock the computer, you must re-authenticate as at session opening. The authentication method does not necessarily need to be the same as for opening the main session.

If you have authenticated with an RFID badge and locked the session by placing the RFID badge outside the unlock area, the session is automatically unlocked if you come back with your RFID badge in the unlock area before the grace period (which has been set by your administrator).

A user with administration rights on the workstation can force the closure of a locked administration session.

Procedure

To unlock the computer, do one of the following:

• Press Ctrl+Alt+Del keys and log on as described in Section 2.2.1, Logging on to Windows using User Name/Password.

• Insert your smart card (if any) and log on as described in Section 2.2.2, Logging on to Windows with Smart Cards.

• Place your finger on the scanner (if any) and log on as described in Section 2.2.3, Logging on to Windows using your Fingers.

• Place your RFID badge inside the unlock area:

• If the grace period is exceeded, log on as described in Section 2.2.4, Logging on to Windows Using Your RFID Badge.

• If the grace period is not exceeded, the session is automatically unlocked. The grace period is set by your administrator.
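The lock and unlock behaviour of Sections 2.2.4, 2.5.1 and 2.5.2 can be summarised as a small state machine. The following is an added example written for this guide, not code from the Quest product: the zone names follow the RFID figure, the 60-second default grace period, the "close instead of lock" switch (standing in for the Access Point Profile setting) and the badge identifiers are assumptions, and the rule that only the badge which locked the session can unlock it follows Section 2.5.2.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Zone(Enum):
    """Where the sensor/antenna sees the badge (areas of the figure in Section 2.2.4)."""
    UNLOCK = "unlock area"          # innermost range: session opened, kept alive or auto-unlocked
    VISIBILITY = "visibility area"  # badge still seen: session kept alive but not unlocked
    LOCK = "lock area"              # outside the visibility area: session locked or closed


class State(Enum):
    OPEN = "open"
    LOCKED = "locked"
    CLOSED = "closed"


@dataclass
class RfidPolicy:
    grace_period_s: float = 60.0   # assumed default; the real value is set by the administrator
    close_on_leave: bool = False   # assumed Access Point Profile choice: lock (False) or close (True)


@dataclass
class RfidSession:
    """Session of one Windows user, bound to the badge that opened it."""
    policy: RfidPolicy
    owner_badge: str
    state: State = State.OPEN
    locked_at: float | None = None
    log: list[str] = field(default_factory=list)

    def badge_seen(self, badge_id: str, zone: Zone, now: float) -> str:
        """Apply one detection event (badge id, zone, time in seconds) and return the action taken."""
        if badge_id != self.owner_badge:
            # Only the user who locked the workstation can unlock it; other badges never touch it.
            action = "ignored: not the session owner"
        elif self.state is State.OPEN:
            if zone is Zone.LOCK:
                self.state = State.CLOSED if self.policy.close_on_leave else State.LOCKED
                self.locked_at = now
                action = "closed" if self.state is State.CLOSED else "locked"
            else:
                action = "kept alive"
        elif self.state is State.LOCKED:
            if zone is Zone.UNLOCK:
                if now - self.locked_at <= self.policy.grace_period_s:
                    self.state = State.OPEN
                    self.locked_at = None
                    action = "auto-unlocked"
                else:
                    action = "reauthentication required"   # full RFID logon, as in Section 2.2.4
            else:
                action = "still locked"
        else:  # CLOSED: a badge in the unlock area starts a fresh logon, never a silent reopen
            action = "new logon required" if zone is Zone.UNLOCK else "no session"
        self.log.append(f"t={now:g} {badge_id} in {zone.value}: {action}")
        return action


def replay(events: list[tuple[str, Zone, float]], policy: RfidPolicy,
           owner: str = "badge-A") -> list[str]:
    """Feed a constructed sequence of detections through one session and return the actions."""
    session = RfidSession(policy=policy, owner_badge=owner)
    return [session.badge_seen(badge, zone, t) for badge, zone, t in events]


# Constructed walk-through with a 30-second grace period: the owner leaves the desk twice.
SAMPLE_EVENTS = [
    ("badge-A", Zone.VISIBILITY, 10.0),   # still visible: session kept alive
    ("badge-A", Zone.LOCK, 100.0),        # walked away: locked
    ("badge-B", Zone.UNLOCK, 110.0),      # a colleague's badge cannot unlock it
    ("badge-A", Zone.UNLOCK, 120.0),      # back within 20 s: auto-unlocked
    ("badge-A", Zone.LOCK, 200.0),        # walked away again
    ("badge-A", Zone.UNLOCK, 240.0),      # back after 40 s: grace period exceeded
]

if __name__ == "__main__":
    for action in replay(SAMPLE_EVENTS, RfidPolicy(grace_period_s=30.0)):
        print(action)
```

The grace period is the security-relevant knob: the longer it is, the longer a badge left unattended near the workstation can silently reopen a locked session, so an administrator tuning it trades convenience against that exposure.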

2.6 Modifying Password or PIN

If you are allowed to by your administrator, you can change your password or PIN, as explained in the following procedure.


2.6.1 Modifying Password

Subject

This section explains how to modify your own password or the password of another user (if you are allowed to).

Procedure

1. Open your session as explained in Section 2.2.1, Logging on to Windows using User Name/Password and press Ctrl+Alt+Del.

2. Click the Change a Password button. The change password screen appears.

If the change password option has been disabled by your administrator, clicking on Change a Password will have no effect.

3. Enter the information required and click OK.


2.6.2 Modifying your PIN

Subject

This section explains how to modify the PIN of your smart card.

Procedure

1. Open your session as explained in Section 2.2.2, Logging on to Windows with Smart Cards and press Ctrl+Alt+Del.

2. Click the Change PIN button. The change PIN screen appears.

If the change PIN option has been disabled by your administrator, clicking on Change PIN will have no effect.

3. Enter the information required and click OK. The smart card PIN is modified.

2.7 Using the Emergency Access (SOS)

The Emergency Access feature allows you to:

• Reset your password in case you have forgotten it: see Section 2.7.1, Resetting Your Password.


2.7.1 Resetting Your Password

Subject

The Reset Password functionality allows you to reset your password in case you have forgotten it.

Before Starting

To be able to reset your primary password, SSOWatch must be installed on your workstation, and you must have chosen a set of questions (optional) and recorded the associated answers using the E-SSO Emergency Access Wizard (see Appendix Enterprise SSO - Getting Started with SSOWatch).

Procedure

1. In the session opening window, click the SOS button. The Emergency Access wizard appears.

2. Follow the displayed instructions.

If the following window appears, call the Help Desk and give them the displayed challenge, so that it can give you back the administrator challenge. The need to call the Help Desk to reset your password depends on the configuration set by your administrator in the Enterprise SSO Console.

You cannot use the challenge given by the Help Desk a second time.

When the Wizard terminates, your password is reset and a session opens. You can then use the new password for subsequent logon.

2.7.2 Resetting Your PIN

Subject

The Reset PIN functionality allows you to:

• Reset your PIN in case you have forgotten it.

• Unlock your smartcard.

Restriction

The reset PIN feature is only available in disconnected mode (set by the administrator).

Before Starting

To be able to reset your PIN, you must have chosen a set of questions (optional) and recorded the associated answers using the E-SSO Emergency Access initialization Wizard (see Appendix Enterprise SSO - Getting Started with SSOWatch).

Procedure

1. In the session opening window, click the SOS button. The Emergency Access wizard appears.

2. Follow the displayed instructions:

When the following window appears, call the Help Desk and give it the displayed challenge, so that it can give you back the administrator challenge.

You cannot use the challenge given by the Help Desk a second time.

2.8 Logging on as an Administrator on a User Session ("Administrator Grace Period")

Subject

An administrator can log on to a user's session using his own smart card, even though the user opened his Windows session using a smart card.

Procedure

1. Press the Shift key while the logged-on user's smart card is being withdrawn.

The user session is left unchanged. If the SSOWatch engine was running, it is automatically set to a locked mode.

2. Insert your administrator smartcard and enter your PIN before the end of the grace period (the default value is 60 seconds).

The length of the grace period can be configured from the Enterprise SSO Console. This authentication allows E-SSO to verify your identification data. The user Windows session stays open, so your Windows permissions do not apply.

3. Perform your administration tasks on the user workstation: if you run an E-SSO application (Enterprise E-SSO Studio, …), the authentication is done using your administrator smart card.

4. When you are finished with the user's workstation, withdraw your smart card. The user session appears as it was before the smart card removal. The user is prompted to insert his smart card and provide his PIN code to turn the

3. Using Advanced Login on Windows Vista Systems

This section describes the E-SSO authentication with Advanced Login on Windows Vista systems.

3.1 The Initial Authentication Screen

The initial authentication screen appears when you press Ctrl+Alt+Del at workstation startup, or when you want to switch user.

In the following example screen, two sessions are already open.

The initial authentication screen shows several tiles corresponding to the log on methods (credential providers) which are allowed and installed on the workstation, and to the users logged on the workstation.

On Windows Vista, several users can be logged at the same time on a workstation, but only one session can be active on the workstation.

Advanced Login provides the following authentication methods on Windows Vista systems:

• User name/password authentication (two middle tiles in the example screen). Several users can be logged at the same time on the workstation. The screen shows one tile for each logged user, or if no user is logged, it shows one tile with the name of the last logged user. The "Other User" tile allows another user to open a session.


• Smart card authentication (first tile in the example screen):

The initial authentication screen shows as many tiles as accounts stored on the smart card.

See Section 3.2.2, Authenticating on Windows Vista Using Smart Cards.

• Biometric authentication (last tile in the example screen):

See Section 3.2.3, Logging on to Windows using your Fingers.

3.2 Logging on to Windows Vista

3.2.1 Authenticating on Windows Vista Using User Name/Password

Subject

This section explains how to connect to Windows with your user name and password through Active Directory or any other supported directories.

Procedure

1. Press Ctrl+Alt+Del.

The initial authentication screen appears.

2. If any, click the tile corresponding to your name, or if no tile shows your name, click the Other User tile.


3. Do one of the following:

• To log on to the domain displayed on screen, type your user name and password.

• To log on to another domain than the one displayed on the screen, type <domain name>\<user name>.

If you need to open a local session (you will not be protected by the advanced features of Enterprise SSO), type <workstation name>\<user name>.

4. Click .

The Windows session opens.

3.2.2 Authenticating on Windows Vista Using Smart Cards

3.2.2.1 Logging on With a Smart Card Containing Account Data

Subject

If your account data is enrolled on the smart card, you can log on to your windows session as explained in the following procedure.

Procedure

1. Press Ctrl+Alt+Del.

The initial authentication screen appears.

2. Insert your smart card in the smart card reader.

The initial authentication screen appears, displaying as many tiles as primary accounts stored on the smart card.

By default, the tile corresponding to the last primary account used to log on the workstation is selected.


3. Enter the PIN of your smart card and click .

You do not need to enter your username and domain name as they are already stored on the card when it is created by an Enterprise SSO administrator.

If your log on password has expired, a new password is requested. The new password will be stored instead of the old one.

4. If there are several Windows accounts corresponding to the primary account, select an account in the role selection window that appears.

The Windows session opens.

3.2.2.2 Logging on Using a Blank Smart Card

Subject

The first time you use a smart card to logon to your workstation, your account data is not stored on the smart card yet. The following procedure explains how to enroll your own account on the smart card.

The following procedure only applies to smart cards that can handle self-enrolment and multi-accounts.

Procedure

1. Press Ctrl+Alt+Del.

The initial authentication screen appears.

2. Insert your smart card in the smart card reader.


3. Click the "Not assigned" smart card tile. The authentication screen appears.

4. Enter the PIN of your smart card and click .

As this is the first time you authenticate with this smart card, you are prompted for your logon user name and password (which are stored in the directory). This information is stored on the smart card and is no longer requested, unless it is changed through an external procedure (an administrator forcing a change, or a change initiated from a workstation not protected by Enterprise SSO Advanced Login).

5. Type the required information and click OK.


3.2.2.3 Enrolling a New Account on a Smart Card

Subject

If your smart card can store several accounts, Advanced Login allows you to enroll new accounts on your smart card, as explained in the following procedure.

The account you want to store on the smart card must exist in the users' directory.

Procedure

1. Press Ctrl+Alt+Del.

The initial authentication screen appears.

2. Insert your smart card in the smart card reader.

The tile corresponding to the last primary account used to log on the workstation is selected.

3. Enter the PIN of your smart card.


5. Type the required information and click OK.

The account is created on the smart card and the Windows session opens.

3.2.2.4 Forcing Cache Update at Logon

Subject

By default, authentication is performed against the existing cache. The following procedure explains how to force authentication against the target directory, which also updates the authentication data in the cache.

Procedure

1. Insert your smart card in the smart card reader.

2. Click I want to modify login options.

The login option window appears.


3.2.3 Logging on to Windows using your Fingers

Advanced Login can work in two modes to authenticate users using their biometric data:

• STORE ON PC Mode

In this mode, the biometric data is stored on the PC in the Enterprise SSO cache file. The finger replaces the ID/Password. You must enroll yourself on each PC that you connect to.

• STORE ON SERVER Mode

In this mode, the biometric data is stored on a server. The finger replaces the ID/Password.

3.2.3.1 First Log on

Subject

To be able to log on to Windows using your finger, you must first enroll your biometric data.

Before Starting

• Make sure the Enterprise SSO fingerprint module is installed on the workstation.

• A fingerprint reader must be installed on the workstation. The workstation can support only one reader.

We strongly recommend that you download the latest:

• Drivers and licence of your product;

• Licence for the installation.

• If you use several fingerprint readers, just plug in the one reader you want to use and restart the computer.

For more information on supported biometric devices, see Quest Enterprise SSO Release Notes.

• If the administrator has configured a validation of your authentication, a second E-SSO user must authenticate him or herself after you.

• If the Biometric Enrollment tool is not available, modify the SSOWatch installation by selecting the Biometrics Enrollment tool option and restart the computer.


Procedure

1. Log on using your password, as described in Section 3.2.1, Authenticating on Windows Vista Using User Name/Password.

The Enterprise SSO Biometric Enrollment tool starts after a successful authentication.

2. If it does not start, display the SSOWatch menu by right-clicking the SSOWatch icon in the notification area and click Biometric Enrollment.

3. Follow the instructions of the Biometric Enrollment tool.

4. When you have successfully completed the scan of your finger(s), log off and try to log on using the fingerprint reader, as described in Section 3.2.3.2, Everyday Log on.

There can only be one set of fingers per biometric reader.

3.2.3.2 Everyday Log on

Subject

This section describes how to log on to Windows using your finger.

Depending on your biometric authentication mode (STORE ON PC or STORE ON SERVER), the procedure is slightly different.

Before Starting

You must have enrolled your biometric data, as described in Section 3.2.3.1, First Log on.

Each time you connect yourself to a new workstation in Store on PC mode, you must enroll your biometric data.

Procedures

STORE ON PC Mode

1. When the Advanced Login welcome screen appears, place your finger on the scanner.


Depending on your configuration, you log on automatically when your finger is successfully captured. If not, the following window appears:

2. Make sure your Login is correct and click the to validate.

For details on how to enable the automatic validation, see Section A.1, Advanced Login Configuration Parameters.

STORE ON SERVER Mode

1. When the Advanced Login welcome screen appears, place your finger on the scanner.


Depending on your configuration, you log on automatically when your finger is successfully captured. If not, the following window appears:

2. Make sure your Login is correct and click the to validate.

If the authentication fails, check your ID. If it is not the right one, enter the correct ID.

For details on how to enable the automatic validation, see Section A.1, Advanced Login Configuration Parameters.

3.2.3.3 Forcing Cache Update at Logon

Subject

By default, authentication is performed against the existing cache. The following procedure explains how to force authentication against the target directory, which also updates the authentication data in the cache.

This is only available if Automatic Validation is disabled by the Administrator in the


Procedure

1. After choosing the tile, click I want to modify login options. The Login Options window appears.

2. Select the Update User Cache check box and click OK.

3.3 Locking/Unlocking the Session

3.3.1 Locking the Session

Subject

The Lock state enables you to prevent anybody from accessing your session on the workstation in your absence.

This section describes the possible means to lock a computer.

Procedure

When your session is open, do one of the following to lock the computer:

• Press the Ctrl+Alt+Del keys and click the Lock this computer option.

• If you have authenticated with a smart card, remove the smart card from the reader (or a USB key from its port).

The default workstation behavior when a token is removed can be modified by the administrator from the Enterprise SSO Console. If the session is not locked at token removal, it means that your administrator has modified this option.

• Put the computer into a sleep state.


3.3.2 Unlocking the Session

Subject

To unlock the computer, you must re-authenticate as at session opening. The authentication method does not necessarily need to be the same as for opening the main session.

If a station is in the locked state, another user can unlock it by logging on with his or her own credentials, without unlocking the first user's locked session.

Procedure

Unlocking Your own Session

1. To unlock the session you have locked, press Ctrl+Alt+Del.

The authentication screen corresponding to the authentication method used appears.

The following example screen shows the unlock authentication screen for a user authenticated with a smart card.


Procedure

Logging on a Workstation Locked by Someone Else

1. To log on a workstation locked by someone else, press Ctrl+Alt+Del.

The authentication screen corresponding to the authentication method used by the other user to lock his/her session appears.

2. Click the Other Credentials button.

3. Click the Switch User button.

The initial authentication screen appears.

4. Log on to the workstation as explained in Section 3.2, Logging on to Windows Vista.

3.4 Switching Users

Subject

This section explains how to rapidly switch users on a workstation.

Procedure

When a session is open, press Ctrl+Alt+Del and click the Switch User option. The initial authentication screen appears and another user can log on to the workstation. The first user's session stays locked on the workstation.

3.5 Modifying your Password or PIN

If you are allowed to by your administrator, you can change your password or PIN, as explained in the following procedure.

3.5.1 Modifying your Password

Subject

If you have authenticated with your smart card, you can modify the password of the account that you have used to authenticate, as explained in the following procedure. The password will be modified on the smart card and in the directory.


Procedure

1. Open your session as explained in Section 3.2.1, Authenticating on Windows Vista Using User Name/Password and press Ctrl+Alt+Del.

2. Click the Change a Password option. The change password screen appears.

If the change password option has been disabled by your administrator, clicking Change a Password has no effect.

The following example screen shows a change password screen for a user authenticated with a smart card.

3. Enter the information required and click .


3.5.2 Modifying your PIN

Subject

The Advanced Login Credential Manager feature is automatically started at logon time and allows you to change your PIN.

Procedure

1. Open a Windows session as explained in Section 3.2.2, Authenticating on Windows Vista Using Smart Cards.

2. In the Notification area, right click the icon and select Change PIN. The change PIN screen appears.

3. Enter the required information and click OK. The smart card PIN is modified.

3.6 Using the Emergency Access

The Emergency Access feature allows you to:

• Reset your password in case you have forgotten it: see Section 3.6.1, Resetting Your Password.


3.6.1 Resetting Your Password

Subject

The Reset Password functionality allows you to reset your password in case you have forgotten it.

Before Starting

To be able to reset your primary password, SSOWatch must be installed on your workstation, and you must have chosen a set of questions (optional) and recorded the associated answers using the E-SSO Emergency Access Wizard (see Enterprise SSO - Getting Started with SSOWatch).

Procedure

1. In the authentication screen, click I have forgotten my password.

If the I have forgotten my password option does not appear on the screen, it means that your administrator has disabled it (see Section A.1, Advanced Login Configuration Parameters for more details).

The Reset password wizard appears.

2. Follow the displayed instructions.

If the following window appears, call the Help Desk before the end of the two minutes during which the Exchange with help desk window stays open. Give them the displayed challenge so that they can give you back the administrator challenge. The challenge given by the Help Desk cannot be used a second time.

The need to call the Help Desk to reset your password depends on the configuration set by your administrator in the Enterprise SSO Console.

When the Wizard terminates, your password is reset and a session opens. You can then use the new password for subsequent logon.


3.6.2 Resetting Your PIN

Subject

The Reset PIN functionality allows you to:

• Reset your PIN in case you have forgotten it.

• Unlock your smart card.

Restriction

The reset PIN feature is only available in disconnected mode (set by the administrator).

Before Starting

To be able to reset your PIN, you must have chosen a set of questions (optional) and recorded the associated answers using the E-SSO Emergency Access initialization Wizard (see Enterprise SSO - Getting Started with SSOWatch).

Procedure

1. In the authentication screen, click I have forgotten my PIN.

If the I have forgotten my PIN option does not appear on the screen, it means that your administrator has disabled it (see Section A.1, Advanced Login Configuration Parameters for more details).

The Reset PIN wizard appears.

2. Follow the displayed instructions.

When the following window appears, call the Help Desk before the end of the 2 minutes during which the Exchange with help desk window stays open. Give them the displayed challenge so that they can give you back the administrator challenge.


3.7 Managing Primary Accounts on Your Smart Card

Subject

The Advanced Login Credential Manager feature is automatically started at logon time and allows you, among other actions, to delete or create a primary account on a smart card.

The following procedure only applies to smart cards that can store several SSO accounts.

You can delete all the accounts stored on the smart card, even the one you used to logon. In this case, after the account deletion, the session stays open. Do not lock it because you won't be able to unlock it.

Procedure

1. Open your session as explained in Section 3.2.2, Authenticating on Windows Vista Using Smart Cards.

2. In the Notification area, right click the icon and select Manage Primary Accounts.

The account management window appears and lists the accounts stored on the smart card.

If you delete the account that you have used to log on, the session stays open: do not lock it because you will not be able to unlock it. We recommend that you log off the session after the account deletion.

• Select the account you want to add or remove and click the Add or Remove button.

• Follow the displayed instructions and click OK.


3.8 Logging on as an Administrator on a User Session ("Administrator Grace Period")

Subject

An administrator can log on to a user's session using his own smart card, even though the user opened his Windows session using a smart card.

Procedure

1. Hold down the SHIFT key while the logged-on user's smart card is withdrawn.

The user session is left unchanged. If the SSOWatch engine was running, it is automatically set to a locked mode.

2. Insert your administrator smart card and enter your PIN before the end of the grace period, the default value being 60 seconds.

The length of the grace period can be configured from the Enterprise SSO Console.

This authentication enables E-SSO to check your identification data. The user's Windows session stays open, so your Windows permissions do not apply.

3. Perform your administration tasks on the user workstation: if you run an E-SSO application (Enterprise E-SSO Studio, etc.), the authentication is done using your administrator smart card.


A. Advanced Login and Biometrics Configuration

A.1 Advanced Login Configuration Parameters

This section describes the Advanced Login parameters in the computer registry that can be used in standalone mode. These parameters are located in one of the following keys:

A: HKEY_LOCAL_MACHINE\Software\Enatel\WiseGuard\AdvancedLogin or HKEY_LOCAL_MACHINE\Software\Policies\Enatel\WiseGuard\AdvancedLogin

B: HKEY_LOCAL_MACHINE\Software\Enatel\WiseGuard\FrameWork\Authentication or HKEY_LOCAL_MACHINE\Software\Policies\Enatel\WiseGuard\FrameWork\Authentication

C: HKEY_LOCAL_MACHINE\Software\Enatel\WiseGuard\FrameWork or HKEY_LOCAL_MACHINE\Software\Policies\Enatel\WiseGuard\FrameWork

The following table lists and describes the Advanced Login parameters in the computer registry that can be used in standalone mode. For each value, the LOCATION letter refers to one of the keys above.

VALUE: LockTimer
LOCATION: A
DESCRIPTION: Timeout (in seconds) before locking the computer. This does not end the session.

VALUE: ActionWhenTokenRemoved
LOCATION: A
DESCRIPTION: Default automatic action if the token is removed:
• 0: not configured (=lock).
• 1: lock the computer.
• 2: log off.
• 3: do nothing.

VALUE: AutoValidationTimer
DESCRIPTION: Timeout (in seconds) before the automatic validation of the default action defined in ActionWhenTokenRemoved.

VALUE: WorkStationAccountRandomNPGP
LOCATION: A
DESCRIPTION: Only used with any supported LDAP directory except Active Directory. In this type of architecture, Enterprise SSO stores users' SSO data in an LDAP directory other than Active Directory, but the users' accounts are stored in Active Directory and are managed by Enterprise SSO as secondary accounts. By default, the Windows password must be changed manually.
• 0: manual change of Windows password.
• 1: automatic change of Windows password.

VALUE: BioAutoValidate
LOCATION: A
DESCRIPTION: Store on PC mode only: enable/disable the automatic validation upon fingerprint authentication:
• 0: disabled.
• 1: enabled.

VALUE: ResetPassword
LOCATION: C
DESCRIPTION: Makes the SOS button available or unavailable:
• 0: available.
• 1: unavailable.

VALUE: ByPassWGAuthForLocalAdmin
LOCATION: B
DESCRIPTION: Enables users that are not local administrators to bypass the Advanced Login authentication: users who are members of the local "administrators" group, directly or via group membership, can bypass the Advanced Login authentication even if they cannot create the Enterprise SSO keys/objects.
• 0: disabled.
• non-null value: enabled.

VALUE: ManageUserExclusion
DESCRIPTION: Windows Vista only. Enable or disable SSO for excluded users.
• 0: At user authentication, Advanced Login opens a session and uses the credentials entered to start SSOEngine.
• ≠ 0: At user authentication, Advanced Login first tries to authenticate with the given credentials against the E-SSO directory. If the user belongs to an exclusion group, the Windows session is opened, but no SSO is available for that session. If the user does not belong to any exclusion group, opening the Windows session depends on the success of the E-SSO authentication.


A.2 Biometrics Configuration Parameters

This section describes the biometrics parameters in the computer registry. These parameters are located in HKEY_LOCAL_MACHINE\Software\Enatel\WiseGuard\FrameWork\Authentication.

VALUE: BiometricFAR
DESCRIPTION: FAR: False Accept Rate. Modify this value depending on your tolerance limits. Default value: 20000 (meaning that the probability that a wrong fingerprint passes is 1/20000).

VALUE: BiometricMaxEnrolledUsers
DESCRIPTION: Maximum number of users that can be enrolled on the workstation (Store on PC mode). Default value: 20. If the maximum number is exceeded, the oldest enrolled user is deleted.
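The parameters in tables A.1 and A.2 can be inventoried on a workstation with a short script. The following PowerShell is an added example and is not part of the Quest documentation or product; it assumes an elevated session on a workstation where Enterprise SSO is installed, and the function names Get-EssoRegistrySettings and Test-EssoRegistrySettings are its own.

```powershell
# Added example, not Quest/Evidian code: collect the Advanced Login (A.1) and
# Biometrics (A.2) registry values from both the per-machine and the Policies
# locations and flag the settings a security reviewer would want to confirm.
# The guide lists both locations but does not state which one takes precedence,
# so conflicting data is reported rather than resolved here.

$RootKeys = @{
    Machine = 'HKLM:\Software\Enatel\WiseGuard'
    Policy  = 'HKLM:\Software\Policies\Enatel\WiseGuard'
}
# Subkeys A, B and C from Section A.1 (the A.2 key is the same as B).
$SubKeys = @('AdvancedLogin', 'FrameWork\Authentication', 'FrameWork')

# Value names taken from tables A.1 and A.2.
$ValueNames = @(
    'LockTimer', 'ActionWhenTokenRemoved', 'AutoValidationTimer',
    'WorkStationAccountRandomNPGP', 'BioAutoValidate', 'ResetPassword',
    'ByPassWGAuthForLocalAdmin', 'ManageUserExclusion',
    'BiometricFAR', 'BiometricMaxEnrolledUsers'
)

function Get-EssoRegistrySettings {
    # Probe every documented value in every location; an absent value simply
    # produces no record, so the output lists only what is actually configured.
    foreach ($name in $ValueNames) {
        foreach ($root in $RootKeys.GetEnumerator()) {
            foreach ($sub in $SubKeys) {
                $key  = Join-Path $root.Value $sub
                $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
                if ($null -ne $item) {
                    [pscustomobject]@{
                        Name   = $name
                        Source = $root.Key
                        Key    = $key
                        Value  = [int]$item.$name   # all documented values are numeric
                    }
                }
            }
        }
    }
}

function Test-EssoRegistrySettings {
    param([Parameter(Mandatory)][object[]]$Settings)
    $findings = [System.Collections.Generic.List[string]]::new()
    foreach ($s in $Settings) {
        switch ($s.Name) {
            'ByPassWGAuthForLocalAdmin' {
                # Table A.1: any non-null value lets local administrators skip Advanced Login.
                if ($s.Value -ne 0) { $findings.Add("$($s.Key): local administrators bypass Advanced Login (ByPassWGAuthForLocalAdmin=$($s.Value))") }
            }
            'ActionWhenTokenRemoved' {
                # 3 = do nothing: removing the smart card leaves the session open (Section 3.3.1).
                if ($s.Value -eq 3) { $findings.Add("$($s.Key): session stays open when the token is removed (ActionWhenTokenRemoved=3)") }
            }
            'BiometricFAR' {
                # A lower value means a higher false-accept probability (1/value); default is 20000.
                if ($s.Value -lt 20000) { $findings.Add("$($s.Key): BiometricFAR=$($s.Value) is weaker than the default 1/20000") }
            }
        }
    }
    # The same value set differently in the Machine and Policies keys.
    foreach ($group in ($Settings | Group-Object Name)) {
        if (@($group.Group.Value | Select-Object -Unique).Count -gt 1) {
            $findings.Add("$($group.Name) differs between the Machine and Policies keys; confirm which one applies")
        }
    }
    return $findings
}

$settings = @(Get-EssoRegistrySettings)
$settings | Format-Table Name, Source, Value, Key -AutoSize
if ($settings.Count -gt 0) { Test-EssoRegistrySettings -Settings $settings }
```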

A.3 Modifying the Authentication Screen Icons (Windows Vista only)

Subject

This section only applies to Windows Vista.

You can change the bitmaps displayed in the Windows Vista tiles as explained in the following procedure.

Procedure

In the Advanced Login installation folder (by default: C:\Program Files\Quest Software\E-SSO\Advanced Login), create the two following bitmaps, with a size of 96x96 pixels:

• ESSOCredProv.bmp: the icon displayed in the initial authentication screen for the smart card tile when no smart card is inserted.


About Quest Software, Inc.

Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products—helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

Contacting Quest Software

Phone 949.754.8000 (United States and Canada)

Email [email protected]

Mail Quest Software, Inc.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656 USA

Web site www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at

http://support.quest.com/

From SupportLink, you can do the following:

• Retrieve thousands of solutions from our online Knowledgebase

• Download the latest releases and service packs

• Create, update and review Support cases
