ScriptLogic® Desktop Authority Password Self-Service version 4.6

Quick Start Guide

© 2010 Quest Software, Inc. ALL RIGHTS RESERVED. Licensed to ScriptLogic Corporation

This guide contains proprietary information protected by copyright. The software
described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc.

TRADEMARKS

Quest, Quest Software, the Quest Software logo, ScriptLogic, ScriptLogic Software, the ScriptLogic Software logo, Aelita, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Fastlane, Final, Foglight, Funnel Web, I/Watch, Imceda, InLook, InTrust, IT Dad, JClass, JProbe, LeccoTech, LiveReorg, NBSpool, NetBase, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Speed Change Manager, Speed Coefficient, Spotlight, SQL Firewall, SQL Impact, SQL LiteSpeed, SQL Navigator, SQLab, SQLab Tuner, SQLab Xpert, SQLGuardian, SQLProtector, SQL Watch, Stat, Stat!, Toad, T.O.A.D., Tag and Follow, Vintela, Virtual DBA, and XRT are trademarks and registered trademarks of Quest Software, Inc. Other trademarks and registered trademarks used in this guide are property of their respective owners.

DISCLAIMER

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any

DOCUMENTATION CONVENTIONS

In order to help you get the most out of this guide, we have used specific formatting conventions, which apply to procedures, icons, keystrokes and cross-references.

Element        Convention
Bolded text    Interface elements that appear in ScriptLogic products, such as menus and commands.
Italic text    Used for comments.
+              A plus sign between two keystrokes means that you must press them at the same time.
|              A pipe sign between elements means that you must select the elements in that particular sequence.

CONTACTING SCRIPTLOGIC

Contact ScriptLogic about any questions, problems or concerns.

ScriptLogic Corporation
6000 Broken Sound Parkway NW
Boca Raton, Florida 33487-2742
561.886.2400 Sales and General Inquiries
561.886.2450 Technical Support
561.886.2499 Fax
www.scriptlogic.com

SCRIPTLOGIC ON THE WEB

ScriptLogic can be found on the web at www.scriptlogic.com. Our web site offers customers a variety of information:

• Download product updates, patches and/or evaluation products.
• Locate product information and technical details.
• Find out about Product Pricing.
• Search the Knowledge Base for Technical Notes containing an extensive collection of technical articles, troubleshooting tips and white papers.
• Search Frequently Asked Questions, for the answers to the most common non-technical issues.
• Participate in Discussion Forums to discuss problems or ideas with other

Contents

PRODUCT OVERVIEW
LICENSING
  Installing the License
  Updating the License
PASSWORD SELF-SERVICE COMPONENTS
INSTALLING PASSWORD SELF-SERVICE
CONFIGURING THE PASSWORD SELF-SERVICE APPLICATION ACCOUNT
STEPS TO INSTALL PASSWORD SELF-SERVICE
INSTALLING MULTIPLE INSTANCES OF PASSWORD SELF-SERVICE
  Understanding Farms
SELECTING CRYPTOGRAPHIC AND HASHING ALGORITHMS
INSTALLING PASSWORD POLICY MANAGER
DEPLOYING AND CONFIGURING SECURE PASSWORD EXTENSION
  Self-Service Site Location and Service Connection Points
  Password Manager Farm Affinity
  Overriding Automatic Self-Site Location
  Customizing the Logo for Secure Password Extension
  Customizing Position of the Secure Password Extension Window
  Managing Secure Password Extension Using Administrative Templates
  Generic Settings
  Pre-Windows Vista Settings
  Windows Vista Settings
ENABLING HTTPS
UPGRADING PASSWORD SELF-SERVICE
UPGRADE RECOMMENDATIONS
UPGRADE REQUIREMENTS
UPGRADE FROM PASSWORD SELF-SERVICE VERSION 3.X
  Single Server Upgrade
  Multiple Server Upgrade
  Upgrading Password Policy Manager
UPGRADING SECURE PASSWORD EXTENSION
UPGRADE FROM PASSWORD SELF-SERVICE VERSION 4.X
  Single Server Upgrade
  Multiple Server Upgrade
UPGRADING PASSWORD POLICY MANAGER
UPGRADING GINAEXTENSION TO SECURE PASSWORD EXTENSION
MANAGING DOMAINS
CONFIGURING PERMISSIONS TO ACCESS A DOMAIN
ADDING A MANAGED DOMAIN
CONFIGURING PASSWORD POLICIES
  About Password Policies
  Installing Password Policy Manager
  Creating and Configuring a Password Policy
  Configuring Password Policy Rules
    Complexity Rule
    Required Characters Rule
    Disallowed Characters Rule
    Sequence Rule
    User Properties Rule
    Dictionary Rule
    Symmetry Rule
  Managing Password Policy Links
  Deleting a Password Policy
MANAGING QUESTIONS AND ANSWERS PROFILES
  Creating and Configuring Question Lists
    Configuring Questions and Answers Policy
  Performing Bulk Profile Updates
    Changing the Attribute Used for Storing Questions and Answers Profiles
    Bulk Creation of Questions and Answers Profiles
CONFIGURING REGISTRATION NOTIFICATION AND ENFORCEMENT
DELEGATING HELP DESK AND ADMINISTRATIVE TASKS
  Delegating Help Desk Tasks
  Delegating Administrative Tasks
CONFIGURING ACCESS TO SELF-SERVICE SITE

Product Overview

ScriptLogic Desktop Authority Password Self-Service provides users and help desk support personnel with the ability to easily and securely manage their passwords, thus eliminating the need for assistance from high-level
administrators, and reducing help desk workload. This solution offers a powerful and flexible password policy control mechanism that allows the administrator to ensure that all passwords in the organization comply with the established policies.

ScriptLogic Desktop Authority Password Self-Service works with Windows 2000, 2003, and 2008 domains, including domains operating in mixed mode.

LICENSING

The Password Self-Service license specifies the maximum number of enabled user accounts in all managed domains. When launching the Administration site, Password Self-Service counts the actual number of enabled user accounts, and compares it with the maximum number specified by the license. If the actual number exceeds the maximum licensed number, a license violation occurs. A warning message is displayed on every connection to the Administration site of Password Self-Service.

In the event of a license violation, you have the following options:

• Exclude a number of user accounts from the user accounts managed by Password Self-Service to bring your license count in line with the licensed value, and then reconnect to the Administration site to recalculate the license number.
• Remove one or more managed domains to decrease the number of managed user accounts.
• Purchase a new license with a greater number of user accounts, and then update your license using the instructions provided later in this section.

Note: The following items are not limited by the license:

• The number of computers connected to the Administration, Self-Service, and Help Desk sites of Password Self-Service.
• The number of Password Self-Service instances. In a large enterprise, Password Self-Service can be installed on multiple computers for enhanced performance and fault tolerance.

Installing the License

The license is initially installed when you install Password Self-Service:

1. In the Installation Wizard, click Licenses to display the License status dialog box.
2. Click Browse License, locate and open your license key file using the Select License File dialog box, and then click Close.

Updating the License

If you have purchased a new license, you need to update the license by installing the new license key file. You can use the About section of the Administration site to install the file.

To update the license

1. On the menu bar, select About, and then select Update License.
2. On the Update License page, click Browse, and then use the Choose file dialog box to locate and open your license key file.

PASSWORD SELF-SERVICE COMPONENTS

Password Self-Service includes the following components:

Component: Password Self-Service x86
Description: The suite of role-based sites that expose the functionality of Password Manager to end users. Must be installed on a 32-bit machine.
Importance: Required

Component: Password Self-Service x64
Description: The suite of role-based sites that expose the functionality of Password Manager to end users. Must be installed on a 64-bit machine.
Importance: Required

Component: Password Policy Manager x86
Description: Password Policy Manager is designed to enforce domain password policies set with Password Self-Service. If you choose to install this component, you must install it on all domain controllers running a 32-bit Microsoft Windows Server operating system.
Importance: Optional

Component: Password Policy Manager x64
Description: Password Policy Manager is designed to enforce domain password policies set with Password Self-Service. If you choose to install this component, you must install it on all domain controllers running a 64-bit Microsoft Windows Server operating system.
Importance: Optional

Component: Secure Password Extension x86
Description: Secure Password Extension x86 facilitates access to the Self-service site from the Windows logon screen. Secure Password Extension x86 is intended to be deployed on computers running 32-bit versions of Microsoft Windows operating systems.

Component: Secure Password Extension x64
Description: The Secure Password Extension facilitates access to the Self-service site from the Windows logon screen. Secure Password Extension x64 is intended to be deployed on computers running 64-bit versions of Microsoft Windows Vista.

Installing Password Self-Service

This section describes how to install ScriptLogic Desktop Authority Password Self-Service. You will learn how to configure an account to use it as Password Self-Service Application Account. A separate section will guide you through the steps required to install Password Self-Service.

CONFIGURING THE PASSWORD SELF-SERVICE APPLICATION ACCOUNT

When installing Password Self-Service, you are prompted for the name and password of the Password Self-Service application account. For Password Self-Service to run successfully, the Password Self-Service application account must meet the following requirements:

• You need to add the Password Self-Service application account to the Administrators group on the Web server where Password Self-Service is installed.
• The Password Self-Service application account must be a member of the IIS_WPG local group on the Web server.

Before you install Password Self-Service, make sure that the Password Self-Service application account has the rights listed above.

STEPS TO INSTALL PASSWORD SELF-SERVICE

When installing a new Password Self-Service instance, you can either upgrade in place the existing instance, install a new instance, or add a new instance to a Password Self-Service farm.

• An in-place upgrade allows you to upgrade an existing instance of Password Self-Service, provided it supports in-place upgrade.
• A new instance of Password Self-Service is normally installed to enable the Password Self-Service functionality in a new environment or to create a new Password Self-Service farm managing the same environment.
• A Password Self-Service farm is a group of Password Self-Service instances sharing common configuration and collectively serving client requests to ensure high availability and load balancing. To add a new member to a Password Self-Service farm, you use the "A replica of an existing instance" option.

Normally, you install Password Self-Service using the Password Self-Service installation wizard. Before starting the wizard, ensure that the account you use to install Password Self-Service is a member of the following groups and roles:

• The local Administrators group on the computer where you plan to install Password Self-Service.
• The database creators (db_creator) fixed role on the SQL Server used to store the Password Self-Service configuration database.

To install Password Self-Service

1. Remove any previous versions of Password Self-Service by using Add or Remove Programs in Control Panel.
2. Run the autorun.exe file located in the root folder of the installation CD.
3. Install the redistributable packages required by Password Self-Service. The installation CD includes all the required redistributable packages; they are listed below.

   Application           How to Install
   .NET Framework 3.5    1. Select Redistributables from the menu bar.
                         2. Click .NET Framework 3.5.
                         3. When the installation completes, restart the computer.

4. On the Password Self-Service tab, click Password Self-Service (x86) (for 32-bit system) or Password Self-Service (x64) (for 64-bit system) to start the ScriptLogic Desktop Authority Password Self-Service installation wizard.
5. Click Next.
6. Specify the following options, and then click Next:

   Option          Action
   Full name       Type your name
   Organization    Type the name of your organization
   Licenses        Click this button, and then specify the path to the license file. Note: A license file is the file with the .ASC extension that you have obtained from your ScriptLogic representative.

   You can define whether to install the application only for the current user or for all users on the computer.

7. Read the license agreement, select I accept the license agreement, and then click Next.
8. On the Select Features page, select the features that you want to install

9. Select the type of instance you want to install and click Next. You can choose from the following options:

   Option: A unique instance
   Description: This option automatically creates a new instance of Password Self-Service. Installer will generate encryption keys to encrypt the configuration data. If you select this option, you will be prompted to specify the file name and location to store the encryption keys.

   Option: A replica of an existing instance
   Description: This option creates a new instance of Password Self-Service that uses the configuration of an existing instance. The Password Self-Service instances sharing the same configuration are collectively referred to as a Password Self-Service farm. If you select this option, you will be prompted to specify the path to the encryption keys generated when installing the existing instance of Password Self-Service.

   Option: Upgrade the existing instance
   Description: This option is available only if you are upgrading from a previous version of Password Self-Service.

10. On the Password Self-Service Account Information page, specify the name and password for the Password Self-Service application account, and then click Next. Use the following user name format: DOMAIN\Username.
11. On the Specify Web Site Root Directory page, enter the Web site name and the virtual directory name, and then click Next.
12. Click Install.
13. When installation is complete, click Finish, and then restart the computer when prompted.

Important: During installation, Setup creates the 'Desktop Authority Password Self-Service' and 'Desktop Authority Password Self-Service Publisher' scheduled tasks on the local computer. Do not delete these scheduled tasks; otherwise Password Self-Service may not operate properly.

INSTALLING MULTIPLE INSTANCES OF PASSWORD SELF-SERVICE

Normally, you install multiple instances of Password Self-Service to provide for:

• Enhanced availability and fault tolerance, by installing additional replicas of the Password Self-Service instance which is already available in a domain. You do this by using the "A replica of an existing instance" option in Password Service Install Wizard. Several Password Self-Service instances sharing common configuration are referred to as a farm. For more information on farms, see the next section.
• Maintaining more than one Password Manager configuration in a single domain. This may be required when a domain in an organization spans several locations which require different Password Self-Service configurations, for instance different Q&A policies. You do this by using the "A unique instance" option in Password Manager Install Wizard.

Understanding Farms

For the ease of management, you can group several Password Self-Service instances into a farm. A farm is a group of Password Self-Service instances using common configuration settings, including but not limited to Questions and Answers profiles, Self-Service and Help-Desk sites settings.

The members of a Password Self-Service farm do not necessarily manage the same set of domains, i.e., individual farm members may manage different domains. However, if several members of a Password Self-Service farm manage the same server, they use the same settings, and any updates to the settings made on one member are effectively propagated to other members of the farm managing that domain. Also, several members of a Password Self-Service farm managing the same domain can be used interchangeably for serving user requests.

By using Group Policy, you can bind users from a domain managed by several Password Self-Service farms to specific farms. You can use this feature to implement different Password Self-Service policies in a single domain. For instance, if a domain in your organization spans two offices located in New York (USA) and Paris (France) and you want Password Self-Service to use different Q&A policies in the offices, you can implement two Password Self-Service farms and bind users of the NY office to one of the farms and the users from the French office to the other farm. You bind users to specific farms by using the Password Self-Service affinity feature. For more information about Password Self-Service affinity, see “Password Manager Farm Affinity”.

SELECTING CRYPTOGRAPHIC AND HASHING ALGORITHMS

By default, Password Self-Service uses 192-bit TripleDES algorithm to encrypt configuration data such as Questions and Answers profiles, and the MD5 algorithm for hashing users' authentication answers. Alternatively, you can select the combination of the AES-256 data encryption algorithm and the SHA-256 hashing algorithm, both being NSA-approved cryptographic algorithms intended to protect both classified and unclassified national security systems and information.

To enable Password Self-Service to use the AES-256 and the SHA-256 algorithms, you can use one of the following methods:

• If Password Self-Service is being installed for the first time on a server, install the solution from the command line using Msiexec.exe and specifying AES_SHA_256="yes" as a command-line parameter.
• If you have already installed Password Self-Service on a server, manually modify the local.spr file to specify the encryption algorithms.

To install Password Self-Service from the command line using Msiexec.exe

1. Launch the Setup program from the command line by adding AES_SHA_256="yes" as a command-line parameter. For example:

   msiexec /i "C:\ScriptLogic Desktop Authority Password Self-Service.msi" AES_SHA_256="yes" /l*v "%TEMP%\PRMSetup.log"

2. Follow the instructions in the Installation Wizard.

To manually modify the local.spr file

1. Open the local.spr file with Notepad (or any text editor) at the following location: '<install location>\PrmDll\'. If the file does not exist, create it with Notepad.
2. Under '[Options]', type the following strings on separate lines:

   csp=AES
   klen=256
   calg=AES256
   halg=SHA256

   The strings are case sensitive.

3. Save the file.

The existing Password Self-Service configuration data is then re-encrypted with the specified algorithms.

Note: Once you have enabled Password Self-Service to use the stronger encryption algorithms (the combination of AES-256 and SHA-256), you cannot change back to the default algorithms (the combination of 192-bit TripleDES and MD5).

To have Password Self-Service use the default encryption and hashing algorithms (the combination of 192-bit TripleDES and MD5), install the solution by following the procedure outlined in Installing Password Self-Service.
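
The following check is an added example, not part of the original guide and not ScriptLogic code: it audits the text of a local.spr file for the four strings listed above, matched exactly because the guide says they are case sensitive. It assumes the file is INI-like (one key=value pair per line under a '[Options]' header) and UTF-8 or ASCII encoded; the sample file contents are constructed.

```python
"""Audit a Password Self-Service local.spr file for the AES-256/SHA-256 strings."""
import sys

# The four strings the guide lists under [Options]. Comparison is exact
# because the guide states that the strings are case sensitive.
REQUIRED = {"csp": "AES", "klen": "256", "calg": "AES256", "halg": "SHA256"}

# Constructed sample contents (not taken from a real installation).
GOOD = "[Options]\ncsp=AES\nklen=256\ncalg=AES256\nhalg=SHA256\n"
ONE_LINE = "[Options]\ncsp=AES klen=256 calg=AES256 halg=SHA256\n"
MIXED_CASE = "[Options]\ncsp=AES\nklen=256\ncalg=aes256\nHalg=SHA256\n"
WRONG_SECTION = "[Other]\ncsp=AES\nklen=256\ncalg=AES256\nhalg=SHA256\n"


def parse_options(text):
    """Return the key=value pairs found under the [Options] header.

    Assumption (not stated in the guide): local.spr is INI-like, with one
    key=value pair per line and '[Name]' lines starting a new section.
    """
    text = text.lstrip("\ufeff")  # Notepad may save a UTF-8 byte order mark
    options = {}
    in_options = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_options = line == "[Options]"  # exact, case-sensitive header
            continue
        if in_options and "=" in line:
            key, _, value = line.partition("=")
            options[key] = value  # kept verbatim so stray spaces stay visible
    return options


def audit(text):
    """Return a list of findings; an empty list means all four strings match."""
    options = parse_options(text)
    findings = []
    for key, wanted in REQUIRED.items():
        if key in options:
            if options[key] != wanted:
                findings.append("%s: found %r, expected %r"
                                % (key, options[key], wanted))
            continue
        # Near miss: the key is there but with wrong case or padding.
        near = [k for k in options if k.strip().lower() == key]
        if near:
            findings.append("%s: written as %r, must be exactly %r"
                            % (key, near[0], key))
        else:
            findings.append("%s: not present under [Options]" % key)
    return findings


def main(argv):
    """Audit the file named on the command line, or the constructed samples."""
    if len(argv) > 1:
        # utf-8-sig also reads plain ASCII and drops a leading BOM.
        with open(argv[1], encoding="utf-8-sig") as handle:
            samples = {argv[1]: handle.read()}
    else:
        samples = {"GOOD": GOOD, "ONE_LINE": ONE_LINE,
                   "MIXED_CASE": MIXED_CASE, "WRONG_SECTION": WRONG_SECTION}
    failed = False
    for name, text in samples.items():
        findings = audit(text)
        failed = failed or bool(findings)
        print("%s: %s" % (name, "OK" if not findings else "NOT COMPLIANT"))
        for finding in findings:
            print("  - " + finding)
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to local.spr as the only argument; with no argument it audits the constructed samples, including the case where all four strings were typed on one line.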

INSTALLING PASSWORD POLICY MANAGER

Password Policy Manager is an independently deployed component of Password Self-Service intended to enforce the Password Self-Service policies. Password Policy Manager must be installed on all domain controllers in a managed domain. This section describes how to deploy Password Policy Manager in a managed domain.

Password Policy Manager is deployed on all domain controllers through Group Policy. You can create a new Group Policy object (GPO) or use an existing one to assign the installation package with the Password Policy Manager to the destination computers. Password Policy Manager is then installed on computers on which the GPO applies. Depending on the operating system running on the destination computers, you apply either of the following installation packages included on the installation CD:

• Desktop Authority Password Policy Manager x86.msi - Installs the Password Policy Manager on domain controllers running an x86 Microsoft Windows Server operating system.
• Desktop Authority Password Policy Manager x64.msi - Installs the Password Policy Manager on domain controllers running an x64 Microsoft Windows Server operating system.

The installation packages are located in the \Setup\program files\ScriptLogic\Desktop Authority Password Self-Service\Deployment\PPM folder on the installation CD.

Note: Depending on whether a domain controller is running an x86 or x64 version of Microsoft Windows Server operating system, the appropriate version of the Password Policy Manager must be installed.

To install Password Policy Manager on a single domain controller

1. Run the appropriate Password Policy Manager .MSI package located in the \Setup\program files\ScriptLogic\Desktop Authority Password Self-Service\Deployment\PPM folder on the installation CD.
2. Restart the computer once the installation completes.

To deploy Password Policy Manager on multiple domain controllers

1. Copy the appropriate Password Policy Manager .MSI package from the installation CD to a network share accessible from all domain controllers in a managed domain.
2. Create a GPO and apply it to all domain controllers in a managed domain. You may also choose an existing GPO to deploy the Password Policy Manager.
3. Open the Computer Configuration folder under the selected GPO, and then open the Software Settings folder.
4. Right-click Software installation, and then select New | Package.
5. Select the .MSI package you have copied in step 1.
6. Click Open.
7. Select the deployment method and click OK.

DEPLOYING AND CONFIGURING SECURE PASSWORD EXTENSION

This section describes the prerequisites and steps for deploying and configuring ScriptLogic Secure Password Extension to provide access to the Self-Service site from the Windows logon screen on end-user computers.

The Secure Password Extension is deployed on client computers through Group Policy. You can create a new Group Policy object (GPO) or use an existing one to assign the installation package with the Secure Password Extension to the destination computers. The Secure Password Extension is then installed on computers on which the GPO applies. Depending on the operating system running on the destination computers, you must apply either of the following installation packages included on the installation CD:

• Desktop Authority Secure Password Extension x86.msi - Installs the Secure Password Extension on computers running x86 versions of pre-Windows Vista, pre-Windows Vista, and pre-Windows 7 operating systems.
• Desktop Authority Secure Password Extension x64.msi - Installs the Secure Password Extension on computers running x64 versions of Windows Vista and Windows 7.

You can modify the behavior and on-screen appearance of the Secure Password Extension components by configuring the prm_gina.adm Administrative Template's settings, and then applying the template to the target computers through Group Policy.

Follow the steps below to configure and deploy the Secure Password Extension on end-user computers.

To deploy and configure the Secure Password Extension

1. Copy the prm_gina.adm administrative template file from the \Setup\program files\ScriptLogic\Desktop Authority Password Self-Service\Deployment\SPE\Administrative Template\ folder of the installation CD. The recommended target location is the \inf subfolder of the Windows folder on a domain controller.
2. Copy the required installation package (Desktop Authority Secure Password Extension.msi or Desktop Authority Secure Password Extension x64.msi) from the installation CD to a network share accessible from all domain controllers where you want to install the Secure Password Extension. The .MSI packages are located in the \Setup\program files\ScriptLogic\Desktop Authority Password Self-Service\Deployment\SPE\ folder of the installation CD.
3. Create a GPO and link it to all computers, sites, domains, or organizational units where you want to use the Secure Password Extension. You may also choose an existing GPO to use with the Secure Password Extension.
4. Open the GPO in the Group Policy Object Editor, and then do the following:
   • Under the Computer Configuration node, right-click Administrative Templates, and then click Add/Remove Templates.
   • Click Add, and then browse for the prm_gina.adm file that you have
   • Expand Computer Configuration/Administrative Templates and then click the ScriptLogic Desktop Authority Password Self-Service node.
   • Configure the prm_gina.adm Administrative Template settings, as required. For the complete reference to the policy settings included in this administrative template, including their brief descriptions, see Managing Secure Password Extension Using Administrative Templates.
   • Expand Computer Configuration/Software Settings, right-click Software installation, and then select New | Package.
   • Browse for the .MSI package you have copied in step 2, and then click Open.
   • In the Deploy Software window, select a deployment method and click OK.
   • Verify and configure the properties of the installation, if needed.
5. To complete Secure Password Extension installation, you must reboot all the client computers affected by the Group policy.

Self-Service Site Location and Service Connection Points

To enable users to open the Self-Service site by clicking the Forgot My Password or the Manage My Password buttons on the Windows logon screen, you no longer need to configure the URL path that points to a specific server where the Self-Service site is deployed because Password Self-Service automatically locates the nearest Self-Service site.

Secure Password Extension locates the Self-Service site using the service
connection points mechanism available in Active Directory. Service connection points are used in Active Directory to publish information that applications can use to bind to a service. To locate the server where the Self-Service site is deployed, Secure Password Extension uses the service connection points published by Password Self-Service instances in Active Directory.

When an instance of Password Self-Service is installed, Password Self-Service publishes its service connection points in Active Directory. Password Self-Service regularly updates its service connection points using the ScriptLogic Password Self-Service Publisher scheduled task. Every 10 minutes, the task publishes the service connection points in all the domains managed by the underlying Password Self-Service instance.


Password Manager Farm Affinity

In some instances, you may want Secure Password Extension to contact only specific Password Self-Service instances when locating a Self-Service site. You can force Secure Password Extension to use only Password Self-Service instances that belong to a specific Password Self-Service farm.

A Password Self-Service farm is one or more Password Self-Service instances sharing common configuration and the same encryption key. Normally, you add a member to a Password Self-Service farm by installing a new Password Self-Service instance using the "A replica of an existing instance" option. To force Secure Password Extension to use only Password Self-Service from a specific farm, you must set the Secure Password Extension affinity for that farm.

To set Secure Password Extension affinity for a Password Self-Service farm:

1. Open the Administration site of the Password Self-Service instance that

belongs to the target farm.

2. On the Administration site home page, click Managed Domains, and on the

Managed Domains page, click the domain, to which belongs the computer running the Secure Password Extension instance you want to bind.

3. On the General tab, select the contents of the Password Self-Service

Farm Affinity ID box, right-click the selection and select Copy.

4. Open Administrative Tools (located at Start Menu | Settings |

Control Panel).

5. Open Active Directory Users and Computers.

6. Right-click the managed domain name on the left pane and select Properties.

7. Select the domain policy that is configured to work with Secure

Password Extension on the Group Policy tab and click Edit.

8. Expand Default Domain Policy | Computer Configuration on the

Group Policy Object Editor left pane, then right click Administrative Templates node, and select Add/Remove Templates.

9. Click Add, browse for the prm_gina.adm file, select it, and then click Open.

10.Click Close to close the Add/Remove Templates dialog box.

11.Select Administrative Templates node, and then double-click the

ScriptLogic Password Self-Service template on the right pane.

12.Click Generic Settings in the left pane.

13.In the right pane, double-click Password Self-Service Farm Affinity.

14.Select the Enabled option on the Settings tab, and then right-click the

Farm Affinity ID text box and select Paste.

15.Click OK.

16.Apply the updated policy to the computers in the managed domain.

Note: Application of the updated policy to the computers in the managed domain may take some time to complete.


Overriding Automatic Self-Service Site Location

In some instances, you may not want Secure Password Extension to automatically locate the nearest Self-Service site using the Password Self-Service connection points published in Active Directory. To override the default behavior and force Secure Password Extension to use a specific Self-Service site, you must explicitly specify the URL path to that site by following the steps below.

To override automatic Self-Service site location:

1. Open Administrative Tools (located at Start Menu | Settings | Control Panel).

2. Open Active Directory Users and Computers.

3. Right-click the managed domain name on the left pane and select Properties.

4. Select the domain policy that is configured to work with Secure Password Extension on the Group Policy tab and click Edit.

5. Expand Default Domain Policy | Computer Configuration on the Group Policy Object Editor left pane, then right-click the Administrative Templates node, and select Add / Remove Templates.

6. Click Add, browse for the prm_gina.adm file, select it, and then click Open.

7. Click Close to close the Add / Remove Templates dialog box.

8. Select the Administrative Templates node, then double-click the Desktop Authority Password Self-Service template on the right pane.

9. Double-click Generic Settings.

10. Double-click Specify URL to the Self-service site.

11. Click the Enabled radio button on the Settings tab and then enter the URL path to the Self-service site into the entry field using the following format: https://COMPUTER_NAME/VIRTUAL_DIRECTORY_NAME/User/, where COMPUTER_NAME is the name of the server where Password Self-Service resides, and VIRTUAL_DIRECTORY_NAME is a virtual directory name that was configured during Desktop Authority Password Self-Service Setup (by default, the virtual directory name is DAPSS). Substitute https:// with http:// if you don’t use HTTPS.

Note: It is strongly recommended that you enable HTTPS on the Password Self-Service server.

12. Click OK.

13. Double-click Override URL path to Self-Service site.

14. Select the Enabled option on the Settings tab.

15. Click OK.

16. Apply the updated policy to the computers in the managed domain.

Note: The application of the updated policy to the computers in the managed domain may take some time to complete.
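
A check you can run on a value before entering it in the Specify URL to the Self-service site setting, shown here as an added example that is not part of the ScriptLogic guide. It enforces the documented https://COMPUTER_NAME/VIRTUAL_DIRECTORY_NAME/User/ format and rejects http:// unless explicitly allowed; the function name Test-SelfServiceUrl and the host name pss01.example.com are hypothetical.

```powershell
# Added example: validates a candidate value for the
# "Specify URL to the Self-service site" policy against the documented format.
# Test-SelfServiceUrl and the sample host pss01.example.com are hypothetical.
function Test-SelfServiceUrl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Url,
        # Use only when the server really has no HTTPS binding.
        [switch] $AllowHttp
    )

    $problems = New-Object 'System.Collections.Generic.List[string]'
    $uri = $null

    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref] $uri)) {
        $problems.Add('not an absolute URL')
    }
    else {
        # Scheme: HTTPS is expected; HTTP only when the caller opts in.
        if ($uri.Scheme -eq 'http') {
            if (-not $AllowHttp) {
                $problems.Add('uses http://, so the logon-screen traffic is not encrypted')
            }
        }
        elseif ($uri.Scheme -ne 'https') {
            $problems.Add("unsupported scheme '$($uri.Scheme)'")
        }

        # Nothing but host and path belongs in a machine-wide policy value.
        if ($uri.UserInfo) { $problems.Add('contains embedded credentials') }
        if ($uri.Query -or $uri.Fragment) { $problems.Add('contains a query string or fragment') }

        # Path must be exactly /<virtual directory>/User/ with the trailing slash.
        $path = $uri.AbsolutePath
        $segments = @($path.Trim('/').Split('/'))
        if ($segments.Count -ne 2 -or $segments[0] -eq '' -or
            $segments[1] -ne 'User' -or -not $path.EndsWith('/')) {
            $problems.Add('path is not /VIRTUAL_DIRECTORY_NAME/User/')
        }
    }

    [pscustomobject]@{
        Url      = $Url
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Constructed sample values (not taken from any real deployment).
$samples = @(
    'https://pss01.example.com/DAPSS/User/',
    'http://pss01.example.com/DAPSS/User/',
    'https://pss01.example.com/DAPSS/',
    'https://pss01.example.com/DAPSS/User/?next=x',
    'pss01/DAPSS/User/'
)
$samples | ForEach-Object { Test-SelfServiceUrl -Url $_ } | Format-List
```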


Customizing the Logo for Secure Password Extension

You can replace the Secure Password Extension's default logo that is displayed on the Windows logon screen. Depending on the operating system running on the target computers, the image must meet the following requirements:

• For pre-Windows Vista operating systems, the logo must be a 417-by-58-pixel .bmp file.

• For Windows Vista and Windows 7, you can use the following image types: .bmp, .gif, .jpg, or .png. The logo image may have any size suitable for your requirements. The recommended size is 128 by 128 pixels.

To deploy a custom logo for Secure Password Extension to end-user computers:

1. Create a startup script to deploy your logo image. See a sample script below this procedure.

2. Create your logo image and place it on a network share accessible to all network hosts against which the script is run.

3. In the Group Policy Object Editor, open the GPO which includes the prm_gina.adm Administrative Template.

4. Expand Computer Configuration/Administrative Templates and then click ScriptLogic Desktop Authority Password Self-Service.

5. Under ScriptLogic Desktop Authority Password Self-Service, do the following:

• Expand Pre-Windows Vista Settings/Secure Password Extension Logo, and enable the Set dialogue background image policy setting by specifying a local path to the logo image file on end-user computers.

• Expand Windows Vista Settings/Secure Password Extension Logo, and enable the Set tile image policy setting by specifying a local path to the logo image file on end-user computers.

The local path you specify in these policy settings must be the same as in the startup script specified later in this section.

6. Expand Computer configuration/Windows Settings/Scripts (Startup/Shutdown) and double-click the Startup policy setting in the right pane.

7. In the Startup Properties window, click Add, then browse for the script file you have created in step 1, and specify the script parameters. The script file must be located in the directory opened by clicking Show Files in the Startup Properties window.

8. Click OK.

The following startup script is a batch file that runs on end-user computers during system startup, and copies the custom logo image from the network share to a local folder:

@echo off
rem "SPE startup script"
rem *Check target directory existence*
if exist "c:\Program Files\ScriptLogic\Desktop Authority Secure Password Extension" goto :COPY_FILE
md "c:\Program Files\ScriptLogic\Desktop Authority Secure Password Extension"
rem *Copy BMP image - %1*
:COPY_FILE
copy %LOGONSERVER%\share\logos\%1 "c:\Program Files\ScriptLogic\Desktop Authority Secure Password Extension\*.*"
rem pause
:out
Exit

Note: The script lines containing target path should be typed as a single line. The lines are wrapped in this article only for readability purposes. You can modify the sample target path in the script as you need.
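
Before the image is placed on the share, it can be checked against the requirements listed at the start of this section. The following is an added example, not part of the ScriptLogic guide: it reads the file signature and, for .bmp files, the dimensions from the bitmap header. The signature check goes beyond what the guide states, and the names Test-SpeLogo and New-SampleBmp and the sample files are hypothetical.

```powershell
# Added example: checks a logo file against the requirements in this section.
# Test-SpeLogo and New-SampleBmp are hypothetical names; sample files are constructed.
function Test-SpeLogo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [ValidateSet('PreVista', 'Vista')] [string] $Target
    )

    $file     = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes    = [System.IO.File]::ReadAllBytes($file)
    $ext      = [System.IO.Path]::GetExtension($file).ToLowerInvariant()
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # Identify the real format from the file signature, not from the extension.
    $sig = ''
    if ($bytes.Length -ge 4) { $sig = [System.BitConverter]::ToString($bytes, 0, 4) }
    $detected = $null
    if     ($sig.StartsWith('42-4D'))    { $detected = '.bmp' }   # "BM"
    elseif ($sig -eq '47-49-46-38')      { $detected = '.gif' }   # "GIF8"
    elseif ($sig.StartsWith('FF-D8-FF')) { $detected = '.jpg' }
    elseif ($sig -eq '89-50-4E-47')      { $detected = '.png' }

    # Pre-Vista accepts .bmp only; Vista and Windows 7 accept four types.
    $allowed = @('.bmp')
    if ($Target -eq 'Vista') { $allowed = @('.bmp', '.gif', '.jpg', '.png') }
    if ($allowed -notcontains $ext) {
        $problems.Add("extension '$ext' is not allowed for $Target")
    }
    if ($detected -ne $ext) {
        $shown = if ($detected) { $detected } else { 'unrecognised' }
        $problems.Add("file content is $shown but the extension is '$ext'")
    }

    # BMP dimensions: DIB header size at offset 14, 32-bit width/height at 18/22
    # (little-endian, which matches BitConverter on Windows).
    $width = $null; $height = $null
    if ($detected -eq '.bmp') {
        if ($bytes.Length -ge 26 -and [System.BitConverter]::ToInt32($bytes, 14) -ge 40) {
            $width  = [System.BitConverter]::ToInt32($bytes, 18)
            # Height is stored as a negative number for top-down bitmaps.
            $height = [Math]::Abs([System.BitConverter]::ToInt32($bytes, 22))
        }
        else {
            $problems.Add('BMP header is truncated or uses the legacy 12-byte core header')
        }
    }
    if ($Target -eq 'PreVista' -and $null -ne $width -and
        ($width -ne 417 -or $height -ne 58)) {
        $problems.Add("size is ${width}x${height}, expected 417x58")
    }

    [pscustomobject]@{
        File     = [System.IO.Path]::GetFileName($file)
        Target   = $Target
        Width    = $width
        Height   = $height
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Builds a 54-byte BMP header (no pixel data) as constructed sample input.
function New-SampleBmp([string] $Path, [int] $Width, [int] $Height) {
    $b = New-Object byte[] 54
    $b[0] = 0x42; $b[1] = 0x4D
    [System.BitConverter]::GetBytes([int] 40).CopyTo($b, 14)
    [System.BitConverter]::GetBytes($Width).CopyTo($b, 18)
    [System.BitConverter]::GetBytes($Height).CopyTo($b, 22)
    [System.IO.File]::WriteAllBytes($Path, $b)
}

$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'spe-logo-check'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
New-SampleBmp (Join-Path $dir 'logo417.bmp') 417 58
New-SampleBmp (Join-Path $dir 'tile128.bmp') 128 128
Copy-Item (Join-Path $dir 'tile128.bmp') (Join-Path $dir 'renamed.png') -Force

Test-SpeLogo -Path (Join-Path $dir 'logo417.bmp') -Target PreVista
Test-SpeLogo -Path (Join-Path $dir 'tile128.bmp') -Target PreVista
Test-SpeLogo -Path (Join-Path $dir 'tile128.bmp') -Target Vista
Test-SpeLogo -Path (Join-Path $dir 'renamed.png') -Target Vista
```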

Customizing Position of the Secure Password Extension Window

You can specify the position of the Secure Password Extension window on the logon screen of user computers.

To change the position of Secure Password Extension window on end-user computers:

1. In the Group Policy Object Editor, open the GPO which includes the prm_gina.adm Administrative Template.

2. Expand Computer Configuration/Administrative Templates and then click ScriptLogic Desktop Authority Password Self-Service.

3. Under ScriptLogic Desktop Authority Password Self-Service, expand Pre-Windows Vista Settings/Secure Password Extension Window Settings, and enable the Set Secure Password Extension Window Position policy by specifying the position of the Secure Password Extension window on the Windows logon screen of user computers.


Managing Secure Password Extension Using Administrative Templates

The prm_gina.adm Administrative Template features a powerful set of options that allow you to customize the behavior and appearance of the Secure Password Extension according to your requirements.

The Administrative Template layout includes the following folders:

• Generic Settings - includes policy settings that can be applied to computers running both pre-Windows Vista and Windows Vista operating systems.

• Pre-Windows Vista Settings - includes policy settings that can be applied to computers running only pre-Windows Vista operating systems.

• Windows Vista Settings - includes policy settings that can be applied to computers running only Windows Vista operating systems and later.

Brief descriptions of the Administrative Template policy settings are outlined in the tables below. For more information about policy settings, see the Explain tab on the Properties page of each policy.

Generic Settings

The following table outlines generic Administrative Template policy settings you can use to customize the behavior of Secure Password Extension.

| Policy Name | Description |
| --- | --- |
| Specify URL path to the Self-service site | This policy lets you specify the link for access to the Self-service site from the Windows logon screen. This link is opened when users click the Forgot My Password or the Manage My Password buttons on the Windows logon screen in pre-Vista operating systems, and the Manage My Password command link in Windows Vista. Use the following URL path format: https://COMPUTER_NAME/VIRTUAL_DIRECTORY/User/, where COMPUTER_NAME is the name of the server where Password Self-Service resides, and VIRTUAL_DIRECTORY is a virtual directory name that was configured during Desktop Authority Password Self-Service Setup (by default, the virtual directory name is DAPSS). Substitute https:// with http:// if you don’t use HTTPS. |
| Override URL path to Self-Service site | By default, Secure Password Extension automatically locates the Self-Service site in its domain. This policy setting lets you override the default behavior and force Secure Password Extension to use the Self-Service site specified in the Specify URL path to the Self-service site setting. |
| Maximum number of attempts to connect to the Self-Service site | This setting specifies the maximum number of attempts to connect to the Self-Service site from Secure Password Extension. If this setting is disabled or not configured, the default number of attempts is 5. |
| Force HTTPS | This policy setting lets you enforce HTTPS for connections with the Self-service site established using the Secure Password Extension. |
| Password Self-Service Farm Affinity | This policy setting lets you force Secure Password Extension to use only Password Self-Service instances that belong to a specific Password Self-Service farm. |
| Enable proxy server access | This policy setting determines whether connections to the Self-service site from the Windows logon screen are established through the specified proxy server. |
| Configure required proxy settings | Specifies the settings required to enable proxy server access to the Self-service site from the Windows logon screen. |
| Configure optional proxy settings | Specifies optional settings for the proxy server access. |
| Restore desktop shortcuts for the Self-service site | This policy setting lets you define whether the desktop shortcut to the Self-service site on a user's computer should be re-created by the Secure Password Extension if the user deletes the desktop shortcut. |
| Do not create desktop shortcuts for the Self-service site | This policy setting lets you define whether the desktop shortcuts to the Self-service site on users' computers should not be created by the Secure Password Extension. |
| Do not create any shortcuts for the Self-service site | This policy setting lets you define whether any shortcuts to the Self-service site on users' computers (on the desktop and in the Start menu) should not be created by the Secure Password Extension. |
| Display custom names for the Secure Password Extension window title | This policy setting lets you define whether to replace the default language-specific names of the Secure Password Extension window title with the names that you specify for the required logon languages. |
| Set custom name for the Secure Password Extension window title in <Language> | This group of policy settings allows you to specify a custom name for the Secure Password Extension window title. You can specify the title for each of the required logon languages. 36 language-specific policy settings are available out-of-the-box. Note: The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited to 14 characters because of the hieroglyph width. The URL length must not exceed 256 characters. |
| Display the usage policy button (command link) | Defines whether to display the usage policy buttons and command links for which you have specified the logon language-specific names and URLs. The usage policy button on pre-Windows Vista operating systems, and the usage policy command link on Windows Vista operating systems, are displayed on the Windows logon screen, and are intended to open an HTML document that describes the enterprise usage policy or contains any information that you may want to make available to end-users. |
| Set default URL | This policy lets you specify a URL to the usage policy document that will be opened by clicking the usage policy button (command link) if no logon language-specific URLs are set. The default URL may refer to an HTML file. |
| Set name and URL for the usage policy button (command link) in <Language> | This group of policy settings allows you to specify the name of the usage policy button (command link) and set the link to the usage policy document that will be opened by clicking the usage policy button or command link. You can specify the name and a URL for each of the required logon languages. 36 language-specific policy settings are available. Note: The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited to 14 characters because of the hieroglyph width. The URL length must not exceed 256 characters. |
| Display custom names for the Manage My Password button (command link) | This policy setting lets you define whether to replace the default language-specific names of the Manage My Password button and command link with the names that you specify for the required logon languages. The Manage My Password button (command link) is intended to open the Self-service site from the Windows logon screen. On pre-Windows Vista operating systems, the Manage My Password button is displayed if you are already logged on to the system. On Windows Vista operating systems, the Manage My Password command link is displayed under the ScriptLogic Secure Password Extension tile on the Windows logon screen, irrespective of whether you are logged on to the system or not. |
| Set custom name for the Manage My Password button (command link) in <Language> | This group of policy settings allows you to specify names of the Manage My Password button and command link individually for each of the required logon languages. 36 language-specific policy settings are available. |
| Balloon notification period | If the registration notification is turned on, users will be notified of the necessity to register with Password Self-Service through a balloon briefly displayed in the notification area of the Windows taskbar. This setting lets you specify how often you want registration notifications to be displayed on the desktop of user computers where the Secure Password Extension is running. |
| Enable customization of notification texts | This policy setting allows you to define whether you want to replace the default text on language-specific registration notifications and message boxes with your custom text. |
| Specify notification texts in <Language> | This group of policy settings allows you to specify notification texts individually for each of the required logon languages. 36 language-specific policy settings are available out-of-the-box. |


Pre-Windows Vista Settings

The following table outlines Administrative Template policy settings for Secure Password Extension in pre-Windows Vista operating systems.

| Policy Name | Description |
| --- | --- |
| Set dialog background image | This policy setting lets you choose a picture to replace the default background image on the Secure Password Extension dialog that appears on the Windows logon screen. |
| Set the Secure Password Extension Window Position | This policy setting lets you specify the position of the Secure Password window on the Windows logon screen of user computers. |
| Display custom names of the Forgot My Password button | This policy setting lets you define whether to replace the default language-specific names of the Forgot My Password button with the names that you specify for the required logon languages. The Forgot My Password button is intended to open the Self-service site on pre-Windows Vista operating systems, and is displayed on the Windows logon screen, provided that you are not logged on to the system. |
| Set custom name of the Forgot My Password button in <Language> | This group of policy settings allows you to specify the name of the Forgot My Password button individually for each of the required logon languages. 36 language-specific policy settings are available. |

Windows Vista Settings

The following table outlines Administrative Template policy settings for Secure Password Extension in Windows Vista operating systems.

| Policy Name | Description |
| --- | --- |
| Set tile image | This policy setting lets you choose a picture that will be associated with the ScriptLogic Secure Password Extension tile on the Windows Vista logon screen. |
| Display custom names of the tile | This policy specifies whether the custom names of the Secure Password Extension tile will be displayed on the Windows logon screen. |
| Set custom tile name in <Language> | This group of policy settings allows you to modify the name of the Manage My Password credential tile on the Windows Vista logon screen individually for each of the required logon languages. 36 language-specific policy settings are available. |

ENABLING HTTPS

We strongly recommend that you use HTTPS with ScriptLogic Desktop Authority Password Self-Service Manager.

The secure hypertext transfer protocol (HTTPS) is a communications protocol designed to transfer encrypted information between computers over the World Wide Web.

To enable HTTPS for your Web server you may need to obtain a Server Certificate. For step-by-step instructions on how to configure a Web server for SSL in order to support HTTPS connections from client applications, see the MSDN article "How To: Set Up SSL on a Web Server" at


Upgrading Password Self-Service

This section provides instructions on how to upgrade Password Self-Service and its components. The following topics are covered:

• Upgrade recommendations and requirements.

• Single server upgrade from Password Self-Service version 3.x.

• Multiple server upgrade from Password Self-Service version 3.x.

• Password Self-Service components (PPM version 3.x and GINA Extension version 3.x [later on renamed to SPE]) upgrade.

• Single server upgrade from Password Self-Service version 4.x.

• Multiple server upgrade from Password Self-Service version 4.x.

• Password Self-Service components (PPM version 4.x and GINA Extension version 4.x [later on renamed to SPE]) upgrade.

UPGRADE RECOMMENDATIONS

It is recommended that you perform a preliminary test upgrade in a test environment before upgrading Password Self-Service in the production environment of your enterprise.

The recommended Password Self-Service upgrade sequence is the following:

1. Upgrade of Password Self-Service.

2. Upgrade of Password Policy Manager (PPM).

3. Upgrade of GINA Extension to Secure Password Extension (SPE).

The detailed steps that implement the above sequence are provided later in this document.

UPGRADE REQUIREMENTS

Before you start the upgrade process, follow this checklist to ensure you have made the necessary preparations and met the essential upgrade requirements.

| Step | Comment |
| --- | --- |
| Ensure that you installed or upgraded the third-party redistributable packages required for the latest version of Password Self-Service. | |
| Ensure that you know Password Self-Service application account credentials (user name and password) for each domain managed by Password Self-Service. | For more information on what permissions are required for an account under which Password Self-Service will access the domain, refer to the User Guide. |
| Ensure that Password Self-Service application account is a member of the Administrators group on the Web server where Password Self-Service is installed. | |
| Ensure that Password Self-Service application account is a member of the IIS_WPG local group on the Web server. | |
| Ensure that you know SQL database account credentials (user name and password). | That is needed only if Password Self-Service is configured to use a special SQL account (different from Password Self-Service application account) to work with the SQL database. |
| Ensure that the account that is used to upgrade Password Self-Service is a member of the local Administrators group on the server where you upgrade the product. | |
| Ensure that the account that is used to upgrade Password Self-Service is a member of the database creators (db_creator) fixed role on the SQL server hosting the Password Self-Service configuration database. | |

Depending on the Password Self-Service version you are upgrading from, refer to one of the sections below: “Upgrade from Password Self-Service version 3.x” or “Upgrade from Password Self-Service version 4.x”.

UPGRADE FROM PASSWORD SELF-SERVICE VERSION 3.X

Please note that Password Self-Service features and settings listed below are not transferred from Password Self-Service version 3.x to version 4.x.

| Feature | Issue |
| --- | --- |
| Password Self-Service license file | Password Self-Service version 3.x license file is not compatible with Password Self-Service version 4.x. You will not be able to upgrade Password Self-Service without a valid license file that matches your product version. |
| Password Self-Service log | Starting from Desktop Authority Password Self-Service version 4.0.1, the application Log feature has been replaced with the Reports feature. Please note that Password Self-Service version 4.0.0 supports neither the Log feature nor the Reports feature. |
| Domain password policies | The domain password policies created in Password Self-Service version 3.x are no longer available in version 4.x. You cannot transfer the password policies from version 3.x to version 4.x because of incompatible policies format. |

Single Server Upgrade

Single server upgrade is applied in the following environments:

• One Password Self-Service instance manages one domain.

• One Password Self-Service instance manages several domains.

Proceed to the “Multiple Server Upgrade” section below if you have several instances of Password Self-Service to manage for the same managed domain(s).

To upgrade from Password Self-Service version 3.x on a single server:

1. Write down the details of domain password policies assigned in Password Self-Service version 3.x for all managed domains.

2. Uninstall Password Self-Service version 3.x.

3. Install or upgrade the required third-party redistributables.

4. Install the new version of Password Self-Service with the A unique instance option selected.

5. Export the encryption keys to a .BIN file when prompted.

6. Manually re-assign password policies settings for all managed domains.

7. Make a backup copy of the encryption keys file.

Important: After you have upgraded from Password Self-Service version 3.x with the A unique instance option selected, the encrypted data will no longer be available for use with Password Self-Service version 3.x.


Multiple Server Upgrade

Multiple server upgrade should be used in environments where several instances of Password Self-Service manage the same managed domain(s). Multiple server upgrade is applied in the following environments:

• Several Password Self-Service instances simultaneously manage one domain.

• Several Password Self-Service instances simultaneously manage several domains.

All the Password Self-Service 3.x instances for the specific domain become unusable once you upgrade the first server in that domain to the latest version of Password Self-Service. Do not use the previous version instances during the upgrade.

Upgrading multiple version 3.x instances breaks down into two distinct steps and upgrade procedures:

1. Upgrading the first Password Self-Service instance.

2. Upgrading each of the rest of the Password Self-Service instances.

The following steps should be performed to upgrade the first Password Self-Service instance.

To upgrade from Password Self-Service version 3.x on the first server:

1. Write down the details of domain password policies assigned in Password Self-Service version 3.x for all managed domains.

2. Stop the PRMAppPool Application Pool in the IIS Manager on all Password Self-Service version 3.x servers.

This step makes the Password Self-Service service temporarily unavailable for users.

3. Uninstall Password Self-Service version 3.x from the first server.

4. Install or upgrade the required third-party redistributable packages on that server.

5. Install the new version of Password Self-Service on that server with the A unique instance option selected.

6. Export the encryption keys to a .BIN file when prompted.

7. Ensure that the PRMAppPool Application Pool is running in the IIS Manager on the server you have upgraded. If it is not running, start it manually.

This step makes the Password Self-Service service available.

8. Manually re-assign password policies settings for all managed domains.

9. Make a backup copy of the encryption keys file.

Important: After you have upgraded from Password Self-Service version 3.x with the A unique instance option selected, the encrypted data will no longer be available for use with Password Self-Service version 3.x.


The following steps should be performed to upgrade each of the rest of the Password Self-Service instances. The steps should be performed only after you have upgraded the first Password Self-Service instance as described above.

To upgrade from Password Self-Service version 3.x on the other servers:

1. Uninstall Password Self-Service version 3.x from a server.

2. Install or upgrade the required third-party redistributable packages on that server.

3. Install the new version of Password Self-Service on that server with the A replica of an existing instance option selected. When prompted, specify the path to the encryption keys .BIN file saved during the first server upgrade.

4. Once the server is upgraded, ensure that the PRMAppPool Application Pool is running in the IIS Manager on that server. If it is not running, start it manually.

5. Repeat steps 1 through 4 for each Password Self-Service version 3.x instance.

Important: Do not select the A unique instance option when upgrading the other instances of Password Self-Service; otherwise, the encrypted data will be lost.

Upgrading Password Policy Manager

Password Policy Manager ensures that all the passwords in the organization comply with the password policies established by the Password Self-Service administrator. Skip this section if you do not use domain password policies assigned in Password Self-Service.

Domain password policies assigned in Password Self-Service version 3.x are valid until Password Policy Manager (PPM) version 3.x is removed from the last domain controller (DC). During the upgrade period, the previous and the new versions of PPM can run simultaneously on different DCs within the same domain. Therefore, it is very important to keep the password policy settings synchronized for both the previous and the new versions of PPM. To achieve this, ensure you have re-assigned password policies for all managed domains after the first single-server upgrade from Password Self-Service version 3.x, as described in the previous section.

Both removal and installation of Password Policy Manager require a computer restart. Upgrade PPM on all domain controllers in sequential order. Perform the upgrade during off-peak hours to cause minimal impact to your organization’s operations.

To upgrade from Password Policy Manager version 3.x:

1. Make sure you have upgraded Password Self-Service and re-assigned password policies settings for all managed domains as described in the previous section.

2. Remove the previous version of Password Policy Manager from a domain controller and restart the computer when prompted.

3. Install the new version of Password Policy Manager on that domain controller and restart the computer when prompted.

4. Repeat steps 2 and 3 for each domain controller in the managed domain.

If the previous version of Password Policy Manager has been deployed through Group Policy, it should be uninstalled by removing the previously assigned .MSI package from the Software installation list. After the previous version is removed from the domain controllers, the new version may be deployed to those DCs through Group Policy.

To guarantee that all the passwords in your organization comply with the defined policies, Password Policy Manager must be deployed on all domain controllers in the managed domain.

UPGRADING SECURE PASSWORD EXTENSION

Secure Password Extension (previously GINA Extension) is an application that provides access to the complete functionality of the Self-service site from the Windows logon screen.

Note: Starting from Desktop Authority Password Self-Service version 4.1.0 GINA Extension was renamed to Secure Password Extension (SPE).

We do our best to provide the compatibility between different versions of SPE and Password Self-Service. Nevertheless, it is strongly recommended that you use SPE and Password Self-Service of the same version.

SPE may be deployed on different workstations by applying different GPOs. This allows you to not upgrade GINA Extension to Secure Password Extension on all the workstations at one time, but do it in several steps depending on your needs and preferences.

You can centrally upgrade workstations to the latest version of the Secure Password Extension by assigning the software for deployment using Group Policy. Depending on your environment, you can remove the existing .MSI package from the Software installation list, and then assign the latest-version package, or you can add the latest-version package, and then specify it as an upgrade for the existing one.

To remove the existing and assign a latest-version package:

1. Remove the assigned package (Desktop Authority Secure Password Extension.msi or Desktop Authority Secure Password Extension x64.msi) from the list of software to be installed.

2. Add the latest-version .MSI packages to the list of software to be installed.

3. To complete Secure Password Extension installation, you must reboot all


To specify an upgrade for the Secure Password Extension package:

1. Add the required latest-version package (Desktop Authority Secure Password Extension.msi or Desktop Authority Secure Password Extension x64.msi, or both) to the list of software to be installed.

2. Open the installation properties and select the Upgrade tab.

3. Click Add.

4. Select the previously assigned package.

5. Click Uninstall the existing package, then install the upgrade package, and then click OK.

6. Click OK.

7. To complete Secure Password Extension installation, you must reboot all the client computers affected by the Group policy.

Starting with version 4.6.0, Secure Password Extension by default automatically discovers the Self-Service site. If you upgrade from an earlier version, this functionality may be overridden by a policy that explicitly specifies the URL for the Self-Service site. To enable Secure Password Extension to automatically discover the nearest Self-Service site, you must disable the Specify URL to the Self-Service site setting in Group Policy.

To enable Secure Password Extension to automatically discover the Self-Service site:

1. Open Active Directory Users and Computers.

2. Right-click the managed domain name on the left pane and select Properties.

3. Select the domain policy that is configured to work with Secure Password Extension on the Group Policy tab and click Edit.

4. Expand Default Domain Policy | Computer Configuration on the Group Policy Object Editor left pane, then right-click the Administrative Templates node, and select Add / Remove Templates.

5. Click Add, browse for the prm_gina.adm file, select it, and then click Open.

6. Click Close to close the Add / Remove Templates dialog box.

7. Select the Administrative Templates node, then double-click the Quest Password Manager template on the right pane.

8. Double-click Generic Settings.

9. Double-click Specify URL to the Self-Service site.

10. Select the Disabled option on the Settings tab, and then click OK.

When upgrading GINA Extension to Secure Password Extension, do not forget to upgrade the prm_gina.adm administrative template with the one located in the \ScriptLogic Desktop Authority Password Self-Service\Setup\Administrative Template\ folder of the installation CD.

During upgrade of the prm_gina.adm administrative template, the previously made template settings are preserved and picked up by newer versions. For more information on how to upgrade Secure Password Extension and the administrative template, please refer to the User Guide.

UPGRADE FROM PASSWORD SELF-SERVICE VERSION 4.X

This section describes how to upgrade Password Manager, if you are using a 4.x version.

Password Manager 4.6 comes with a Reports feature that is incompatible with the Report feature in previous 4.x versions. The new Password Self-Service version creates a new reporting database and a new set of reports. New reports are installed on SQL Server alongside the old database and reports; the old ones are neither deleted nor overwritten. When upgrading Password Self-Service, you cannot upgrade the reports or append the usage data to the existing database. You cannot see the old reports using Password Self-Service, although you can always access them using native Report Server tools.

When upgrading Password Self-Service 4.x, you may face either or both of two scenarios: a single Password Self-Service instance manages one domain, or a single Password Self-Service instance manages several domains. The upgrade procedure differs depending on the scenario. This also applies to Password Manager farms managing a single domain or multiple domains.

If Password Self-Service manages only one domain in your environment, proceed to the next section. If you use several instances of Password Service to manage the same domain(s), proceed to Multiple Server Upgrade.

Single Server Upgrade

Single Server Upgrade may be used in the following environments:

• One Password Self-Service instance (or a farm) manages one domain.

• One Password Self-Service instance (or a farm) manages several domains.

Follow the instructions below to upgrade a single instance of Password Self-Service or a Password Self-Service farm.

Important: If you have previously changed the name of the default Password Self-Service service account (__PRM_svc_user001__), before adding managed domains to Password Self-Service, you must rename it back to __PRM_svc_user001__ as described below.

To upgrade Password Self-Service version 4.x on a single server:

1. Write down the list of the Managed Domains managed by the Password Self-Service instance you are going to upgrade.

Important: When upgrading to the new version of Password Self-Service, all the existing settings are migrated except for the list of the Managed Domains. All the Managed Domains will be disconnected from Password Self-Service, though the configuration for the Managed Domains will be preserved.

2. Delete all Password Self-Service scheduled tasks from the server.

3. Uninstall the previous version of Password Self-Service.
