DigitalPersona® Pro Enterprise
Version 5
DigitalPersona and its suppliers retain all rights not expressly granted.
U.are.U® and DigitalPersona® are trademarks of DigitalPersona, Inc. registered in the United States and other countries. Windows, Windows Server 2003/2008, Windows 8, Windows 7, Windows Vista and Windows XP are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective owners.
This DigitalPersona Pro Enterprise Administrator Guide and the software it describes are furnished under license as set forth in the “License Agreement” screen that is shown during the installation process. Except as permitted by such license, no part of this document may be reproduced, stored, transmitted and translated, in any form and by any means, without the prior written consent of DigitalPersona. The contents of this manual are furnished for informational use only and are subject to change without notice. Any mention of third-party companies and products is for demonstration purposes only and constitutes neither an endorsement nor a recommendation. DigitalPersona assumes no responsibility with regard to the performance or use of these third-party products.
DigitalPersona makes every effort to ensure the accuracy of its documentation and assumes no responsibility or liability for any errors or inaccuracies that may appear in it.
Feedback
Although the information in this guide has been thoroughly reviewed and tested, we welcome your feedback on any errors, omissions, or suggestions for future improvements. You can contact us at
Crossmatch 720 Bay Road Suite 100
Table of Contents
1 Solution Overview . . . 10
Introduction . . . 11
Architecture . . . 11
Components . . . 12
Server components . . . 12
Compatible workstation clients . . . 13
DigitalPersona Pro Workstation for Enterprise . . . 13
DigitalPersona Pro Kiosk . . . 13
Client user interfaces . . . 14
Authentication and Credentials . . . 15
Security applications . . . 15
Password Manager Admin Tool . . . 15
Licensing model . . . 16
System Requirements . . . 17
Support Resources . . . 17
Changes from previous version . . . 18
Section One: Installation
2 Pro Server Installation . . . 22
Deployment Overview . . . 22
Upgrading from Previous Versions . . . 22
Compatibility . . . 23
Extending the Active Directory Schema . . . 23
Configure each domain . . . 24
Install DigitalPersona Pro Enterprise Server . . . 26
Configuring DigitalPersona Pro Server for Pro Kiosk . . . 28
Changes Made During Installation . . . 31
DNS Registration . . . 32
Uninstalling DigitalPersona Pro Server . . . 34
3 Pro Client installation . . . 35
System requirements . . . 35
Upgrading from Previous Versions . . . 35
Compatibility . . . 35
Installation . . . 36
Remote installation . . . 36
Remote installation for patches . . . 38
Client Suite installation . . . 40
Installation on Citrix Presentation Server . . . 44
About Transform files . . . 44
Uninstalling Pro Workstation . . . 45
4 Pro Kiosk installation . . . 46
System Requirements . . . 46
Recent changes . . . 46
Changes compared to version 5.2 . . . 46
Changes compared to version 4.4 . . . 46
Upgrading from Previous Versions . . . 47
Installation . . . 48
Remote Installation . . . 48
Remote installation for patches . . . 49
Local installation . . . 50
Command line installation . . . 52
Installation on Citrix Presentation Server . . . 53
About Transform files . . . 54
5 Optional installations . . . 55
Included in product package . . . 55
Suite installers . . . 55
Administration Tools . . . 55
License Activation Manager . . . 56
Users and Computers Snap-In . . . 56
Attended Enrollment Tool . . . 56
User Query Tool Snap-in . . . 57
GPMC Extensions . . . 57
Defender . . . 57
Separate product packages . . . 58
Password Manager Admin Tool . . . 58
Extended Server Policy Module (ESPM) . . . 58
Pro Cogent FR Plugin . . . 58
6 Citrix and remote installation . . . 60
Overview . . . 60
Installation on Citrix solutions . . . 60
Installation & Configuration . . . 61
Disabling automatic client updates . . . 62
Installing Citrix support after DigitalPersona Pro client installation . . . 62
License Activation Manager . . . 68
License activation . . . 69
Pro Enterprise Server activation . . . 69
Server activation from another computer . . . 71
Package or component activation (v 5.3 only) . . . 73
9 ADUC snap-ins . . . 82
Users and Computers snap-in . . . 82
User properties . . . 82
User object commands . . . 84
Computer object commands . . . 85
User Query Tool snap-in . . . 86
ActiveX control . . . 86
Interactive dialog-based application . . . 89
Command line utility . . . 92
10 Attended Enrollment . . . 94
Setting up Attended Enrollment . . . 94
To assign, or remove Register/Delete permissions . . . 95
Enrolling user credentials . . . 97
Deleting Fingerprints . . . 98
11 Policies and Settings . . . 99
Overview . . . 99
Computer Configuration/Policies/Software Settings . . . 101
DigitalPersona Pro Client . . . 101
Security/Authentication . . . 101
Security/Enrollment . . . 104
Licenses . . . 104
Kiosk Administration . . . 104
DigitalPersona Pro Enterprise Server . . . 105
Licenses . . . 105
Computer Configuration\Policies\Administrative Templates . . . 106
DigitalPersona Pro Client (Summary) . . . 106
DigitalPersona Pro Client (Details) . . . 108
Authentication Devices . . . 108
Event logging . . . 111
General Administration . . . 112
Kiosk Administration . . . 114
Managed applications . . . 115
Security/Authentication . . . 116
Security/Features . . . 116
Software Updates . . . 117
DigitalPersona Pro Enterprise Server (Summary) . . . 118
User Configuration\Policies\Software Settings . . . 125
DigitalPersona Pro Client (Summary) . . . 125
DigitalPersona Pro Client (Detail) . . . 125
Security/Authentication . . . 125
Security/Enrollment . . . 126
User Configuration\Administrative Templates . . . 127
DigitalPersona Pro Client (Summary) . . . 127
DigitalPersona Pro Client (Detail) . . . 127
12 Single Sign-On . . . 129
Configuring Single Sign-On . . . 129
Disable Session Authentication . . . 129
Create managed logons . . . 129
13 GPMC Extensions . . . 130
Overview . . . 130
Implementation Guidelines . . . 131
Install Workstation Administrative Templates Locally . . . 133
14 Recovery . . . 134
User recovery . . . 134
Computer recovery . . . 135
Account lock recovery . . . 135
15 Pro Reports . . . 136
Overview . . . 136
Setting up DigitalPersona Pro Reports . . . 137
Web console . . . 139
Creating a report . . . 140
Creating a new subscription . . . 141
Adding a report to an existing subscription . . . 143
Editing a subscription . . . 143
Bookmarking a report . . . 144
Deleting a report or subscription . . . 144
16 Pro Events . . . 145
Credential Management . . . 146
User Management . . . 146
Secret Management . . . 147
Service Management . . . 147
Password Manager . . . 148
Credential Authentication . . . 149
DNS Registration . . . 149
Deployment . . . 150
Windows Logon . . . 150
17 Extended Server Policy Module . . . 152
18 Utilities . . . 153
Cleanup Wizard . . . 153
Section Three: Pro Clients
19 Pro Workstation . . . 155
Getting Started . . . 156
Workstation setup . . . 156
Opening the dashboard . . . 157
Using the dashboard . . . 157
Managing user credentials . . . 159
Self Password Recovery . . . 159
Enrolling your fingerprints . . . 160
Enrolling a PIN . . . 160
Enrolling scenes for the Face credential . . . 162
Setting up cards and tokens . . . 164
Setting up a smart card . . . 164
Setting up a contactless or proximity card . . . 165
Enrolling a Bluetooth device . . . 165
Changing your Windows password . . . 166
Security Applications Status . . . 166
Windows authentication . . . 166
Smart card authentication . . . 167
Password Manager . . . 167
Backing up and restoring your data . . . 169
Setting your preferences . . . 170
ID Card . . . 171
Learn more . . . 172
20 Pro Kiosk . . . 173
Feature overview . . . 173
Comparing Pro Workstation and Pro Kiosk . . . 173
Logging On to Windows . . . 174
Using One Touch Logon . . . 175
Logging on to Windows without Kiosk . . . 175
Automatic logon using the Shared Kiosk Account . . . 175
Changing Your Password . . . 176
User Account Control . . . 176
Using the Password Manager Admin Tool with Pro Kiosk . . . 176
Logging On to Password-Protected Programs . . . 177
User logon . . . 177
21 Pro Administrative Console . . . 179
Opening the Administrative Console . . . 179
Using the Administrative Console . . . 180
Configuring your system . . . 180
Setting authentication policies . . . 180
Logon Policy . . . 181
Session Policy . . . 182
Specifying credentials settings . . . 182
Configuring your applications settings . . . 189
General tab . . . 189
Applications tab . . . 190
Section Four: Appendices
22 Glossary . . . 192
Concepts . . . 192
Terminology . . . 194
23 Citrix Deployment Scenarios . . . 200
Overview . . . 200
Installation and configuration . . . 200
Fast Connect with XenApp and Pro Workstation . . . 201
XenApp server configuration . . . 201
Pro Server configuration . . . 201
Maintaining local and remote Kiosk identities . . . 203
Setting up kiosks for local and remote identities . . . 204
Using kiosk local and remote identities . . . 204
IGEL Universal Desktop support . . . 205
Requirements . . . 205
Setup . . . 205
24 Policies and Settings - Alphabetical list . . . 206
25 Embedded Windows dependencies . . . 210
Required components for supported Windows Embedded platforms . . . 210
Required files for supported Windows Embedded platforms . . . 212
26 Identification List . . . 215
27 Pro Events for version 5.3 . . . 218
Credential Management . . . 219
User Management . . . 219
Secret Management . . . 221
System, Services, Settings and User Sessions . . . 221
External components . . . 222
Fingerprint Match . . . 223
DNS Registration . . . 223
License Management . . . 224
License Management, ID Server licensing . . . 225
OTP Management . . . 225
Status Notifier . . . 226
Logon . . . 227
28 Schema extension . . . 228
Introduction . . . 228
Schema extension overview . . . 228
Schema objects details . . . 235
Class details . . . 277
Standard Classes Extensions . . . 292
This chapter provides a high-level overview of the DigitalPersona Pro Enterprise solution, and includes the following major topics.
More details on specific components and modules are provided in the remainder of this Administrator Guide. Additional implementation, administration and reference-level documentation is provided through a series of Quick Start Guides and Application Guides for many of the components and modules as well as for major features. A series of integrated help files provide the finest level of detail for all user-centric features as well as many administrator features and functions.
References to procedures, UI elements and images in this guide are always made to the current version of DigitalPersona Pro products. References to, and images of, Microsoft Windows products are to Windows Server 2008 and Windows 7 unless otherwise noted.
Topics . . . Page
Introduction . . . 11
Architecture . . . 11
Components . . . 12
Authentication and Credentials . . . 15
Security applications . . . 15
Licensing model . . . 16
Chapter 1 - Solution Overview
Introduction
DigitalPersona Pro Enterprise is an enterprise-level central management solution for Endpoint Protection that enables administrators to manage security and authentication within Active Directory networks, including data protection, access management and recovery. It represents an optimal solution to multiple security needs, including:
• Strong Authentication for PC, application and RADIUS logon
• Single Sign-On (SSO) for Enterprise applications
For further information on how DigitalPersona Pro Enterprise can help you solve your security needs, we have white papers, datasheets and case studies on our website at http://www.digitalpersona.com/enterprise.
Architecture
The conceptual architecture of DigitalPersona Pro Enterprise consists of four layers.
• Management – Provides an Active Directory-based solution for the enterprise; enabling the IT Administrator to configure, deploy and administer security policies throughout the organization.
• Security Applications – Provides pluggable applications and features that are managed through the DigitalPersona Pro management infrastructure.
• Clients – Workstation software installed on notebooks, desktops and shared-user kiosks.
• Credentials – Provides support for multiple authentication credentials that may be used in specified combinations for verifying the identity of users accessing managed computers and security
Components
DigitalPersona Pro Enterprise is a client-server product. It consists of server and client components that work within an existing Active Directory environment.
Server components
DigitalPersona Pro’s server components fulfill four main purposes:
• They allow IT Administrators to manage security and authentication policies via Active Directory Group Policy Objects. For these purposes, DigitalPersona Pro includes various GPMC (Group Policy Management Console) extensions, installed under the Software Settings and Administrative Templates nodes, to link product policies and settings to Active Directory containers.
• They provide centralized, server-side authentication of various types of credentials (e.g. fingerprints, smart cards, Bluetooth, one-time passwords etc.). For these purposes, DigitalPersona Pro runs authentication services within your domain and receives authentication requests from managed computers.
• They allow centralized backup and roaming of computers’ and users’ credentials and passwords. For these purposes, DigitalPersona Pro uses Active Directory as a database of relevant data.
• They also allow other general administrative tasks, including:
  • Access recovery into locked workstations
  • Deployment of license activation codes.
The main server components of the DigitalPersona Pro Enterprise product are briefly described in the following table, and more fully described in the referenced pages.
Server component – Purpose . . . Page
Pro Enterprise Server – Provides domain-wide, centralized administration of Pro clients and enables strong authentication through various credentials, such as Bluetooth tokens, Windows passwords, fingerprints, smart cards and more. . . . 22
DigitalPersona Defender – Enables two-factor authentication in workstation clients, and works with any OATH-compliant hardware token. . . . 57
Pro Administration Tools – Provides additional tools for administration of various DigitalPersona Pro features and utilities including License Management, GPMC Extensions, Access Recovery, Attended Enrollment and the Password Manager Admin Tool.
Compatible workstation clients
The DigitalPersona Pro Enterprise solution supports the following clients:
• DigitalPersona Pro Workstation for Enterprise – This primary client enforces security and authentication policies on managed Windows computers while providing intuitive access to end-user features and functionality. It may be centrally managed by Pro Enterprise Server, or installed as a stand-alone product.
• DigitalPersona Pro Kiosk for Enterprise – This specialized kiosk client provides DigitalPersona Pro features for environments where users log on to a shared, common Windows account or kiosk. It is centrally managed by Pro Enterprise Server.
NOTE: The Pro Workstation for Enterprise and Pro Kiosk for Enterprise clients may be installed individually on computers or deployed through Active Directory GPO, SMS (Systems Management Server) or logon scripts. They cannot be installed through ghosting or imaging technologies.
DigitalPersona Pro Workstation for Enterprise
DigitalPersona Pro Workstation for Enterprise is the primary client application for end-users, providing an intuitive means for increasing both security and convenience through a variety of configurable options including enrollment and use of multiple credentials, and the use of automated logons for enterprise resources, programs and websites. For more details, see the chapter Pro Workstation on page 155.
DigitalPersona Pro Kiosk
Client user interfaces
Pro Enterprise Workstation contains two separate program interfaces: a user dashboard and an Administrative Console. Access to the Administrative Console requires local administrator privileges. The Pro Kiosk client provides the same user dashboard, but does not have an Administrative Console.
Settings that govern the features and behavior of the user dashboard are in most cases controlled through Active Directory GPO settings. However, settings that are left “Not Configured” in Active Directory may be configured by the local administrator using the Administrative Console. These local settings will then be effective for all users on the specific computer.
Whenever a setting is configured (enabled or disabled) in Active Directory, the local administrator cannot modify the setting through the Administrative Console.
Authentication and Credentials
The default, and simplest, means of authentication, i.e. making sure that you are a person authorized to access a computer or other resource, is your Windows account name and password. Authentication is generally required when logging on to Windows, accessing network applications and resources, and logging in to websites.
DigitalPersona Pro clients provide a means for the IT Administrator to easily set up and enforce strong authentication such as two-factor and multi-factor authentication using a variety of supported credentials. DigitalPersona Pro supports the use of various credentials for authentication, including Windows passwords, fingerprints, smart cards, contactless cards, proximity cards, face, PIN, Bluetooth and One-Time Passwords.
An additional Self Password Recovery credential may be used solely for recovering access to a managed client computer in place of a forgotten password.
Initial setup and enrollment of credentials is provided through a Setup wizard, or may be controlled by an administrator using Attended Enrollment.
Security applications
DigitalPersona Pro Enterprise security applications integrate with the basic functionality of the solution. Additional DigitalPersona Pro Enterprise security applications may be available. Contact your DigitalPersona partner or reseller for further information, or go to our website at: http://www.digitalpersona.com/enterprise/products/pro-enterprise.
Password Manager Admin Tool
The Password Manager Admin Tool simplifies and secures access to password-protected software programs and websites through the use of managed logons that allow users to identify themselves through the use of any supported credential or combination of credentials specified by the administrator, as defined in the Authentication and Credentials topic above.
Administrators use the DigitalPersona Password Manager Admin Tool to create managed logons specifying information for logon and change password screens for websites, programs and network resources. These managed logons are then deployed to managed workstations, where they are accessible to the user through the Password Manager application and the mini-dashboard. Managed logons always take precedence over personal logons created by users.
Licensing model
DigitalPersona Pro Enterprise features and functionality as described in this Administrator Guide are included in the core version of the product, unless otherwise indicated.
The basic licensing model is the User license, which permits enrolling of user credentials by a specified number of DigitalPersona Pro Enterprise users. The specific DigitalPersona Pro SKU and/or package you purchased may entitle you to licensing of one or more additional modules or components that are integrated with DigitalPersona Pro.
You should have received from DigitalPersona or from a DigitalPersona authorized reseller all of the license activation keys and/or files that are part of the package you purchased. Make sure you contact your DigitalPersona representative, should you have any questions. Some modules or optional components may need to be activated individually.
For information on other licensed versions of the product which may be available, and licensing for specific features, contact your DigitalPersona Account Manager or Reseller, or visit our website at: http://www.digitalpersona.com/enterprise/products/pro-enterprise.
System Requirements
Product/Component – Minimum Requirements
DigitalPersona Pro Enterprise Server
• Microsoft Windows Server 2008 R2 (32/64-bit) or Windows Server 2003 SP2 (32/64-bit) or Windows SBS 2003 SP2
• Active Directory
• 12 MB disk space plus 5K per user
DigitalPersona Pro Workstation for Enterprise
• Windows Server 2008 R2 (32/64-bit) or Windows Server 2003 SP2 (32/64-bit) or Windows 7/8/Vista (32/64-bit) or Windows XP Professional SP3 (32-bit).* Home editions of Windows 7/Vista/XP are not supported.
• 50 MB disk space, 100 MB during installation
• Microsoft Internet Explorer 6-10, Chrome 11+ or Firefox 4+ to create/use Password Manager personal† logons or use managed† logons. Microsoft Internet Explorer 6-10 to create managed† logons using the Password Manager Admin Tool
DigitalPersona Pro Kiosk for Enterprise
• Windows 7/8/Vista (32/64-bit) or Windows XP Professional SP3 (32-bit). Home editions are not supported.
• 50 MB disk space, 100 MB during installation
• Microsoft Internet Explorer 6-10, Chrome 11+ or Firefox 4+ to use
* Also supported: Windows XP Embedded SP3, Windows Embedded Standard 2009 and Windows Embedded Standard 7, with dependencies as documented on page 210.
† Personal logons allow end-users to create automated logons to programs, websites and network resources. Managed logons have the same function but are created by an administrator and deployed to end-users.
NOTE: When using Internet Explorer on Windows 8, Password Manager features are only available when the browser is launched from the legacy desktop, not from the Metro UI.
Support Resources
The following resources are provided for additional support.
• Readme files in the root directory of each product package contain late-breaking product information.
• AskPersona.com (http://askpersona.com) is a DigitalPersona knowledge portal providing answers to many frequently asked questions about our products.
• DigitalPersona Maintenance and Support customers will find additional information about technical support resources in their Maintenance and Support confirmation email.
• Online help is included with each component and application.
All DigitalPersona Pro Enterprise documentation is available on our website at:
http://www.digitalpersona.com/Support/Reference-Material/DigitalPersona-Pro-Reference-Material-Guides.
Changes from previous version
5.5 vs 5.4.1
The major differences between the 5.5 release and the previous 5.4.1 release are summarized below.
1 Support for Microsoft 2012 server.
2 Support for NetMotion.
3 Fingerprint authentication for Citrix XenDesktop.
4 Microsoft Windows Logo Certification.
5 The User Query Tool has been modified to enable reporting users who have answered the Self Password Recovery questions.
6 Support for U.are.U 5160 PIV Certified fingerprint sensor, Eikon II and Eikon Mini fingerprint readers.
7 Passwords are treated as credentials, and therefore consume a license, only when used for SSO and for authentication into the Pro Administrative Console.
8 The Delete License command has been refined so that user data from the local cache is removed during the process, and the warning (from v5.4.1) not to use DigitalPersona Pro on this account in the future is no longer necessary.
9 Enhancements to the processes for enrolling and using Card credentials (Smart Cards, Contactless Cards and Proximity Cards) to simplify their use and align the experience more closely with that of other credentials.
10 Support for two models of Dell/Wyse thin clients (D90 and Z90 running Ubuntu and SUSE) using ICA or RDP clients. Requires separate part number and download.
5.4.1 vs 5.4
The major differences between the 5.4.1 release and the previous 5.4 release are summarized below.
1 Delete License - A new feature available through the DigitalPersona Users and Computers snap-in. Note that use of this command will delete all DigitalPersona credentials and other user data stored in Active Directory. The user account should no longer be used with DigitalPersona Pro, and the product should not be reinstalled in the same user account. If use of DigitalPersona Pro is attempted on this account, an “Access Denied” error will be reported due to previously locally cached credentials. See page 84.
2 User Query Tool - Additional functionality has been added to the User Query Tool which now returns a flag indicating whether a license was taken by a specified user, and provides the ability to delete the license. See pages 86 and following.
3 Kiosk access restrictions - Note that in versions prior to 5.4.1, kiosk access restriction through an identification list (see page 215) applies only to fingerprint access, and access through other credentials, such as Windows password, is not restricted. Beginning with version 5.4.1, the restriction applies to all supported credentials.
5.4 vs 5.3
The major differences between the 5.4 release and the previous 5.3 release are summarized below.
1 DigitalPersona Reporter has a brand new interface, with dozens of reports for compliance and auditing, the ability to schedule, email and export in popular formats such as PDF, XLS, XML, and the ability to extensively filter and customize reports. Pre-canned reports support HIPAA, PCI and SOX compliance standards.
2 New simplified Client Suite Installer and Administrative Suite Installer provide a more convenient way to install related DigitalPersona Pro Enterprise components.
3 DigitalPersona Pro Workstation for Enterprise can now be installed in Evaluation mode, which does not require connection to a DigitalPersona Pro Enterprise Server.
4 Client licenses are no longer required for DigitalPersona Pro Workstation and Pro Kiosk. Pro Server User Licenses are required to cover the number of users enrolling credentials in the DigitalPersona Pro Enterprise environment. Instructions for installing the previous version (5.3) Client Package and Component licenses are included for reference beginning on page 73.
5 New Fast Connect feature allows for SSO to Citrix Published Applications and Desktops with XenApp and XenDesktop. See Citrix Deployment Scenarios on page 200.
6 Quick Actions now support the use of smart (contact, contactless and proximity) cards, and the new Fast Connect feature. See Quick Actions tab on page 170.
7 Support has been added for Windows 8, in Legacy mode only.
9 The User Query Tool now reports the dates that fingerprints were first enrolled and last enrolled. See User Query Tool snap-in on page 86.
10 Password Manager Pro has been renamed the Password Manager Admin Tool.
11 Some pages and settings in the Administrative Console have been changed. Management of DigitalPersona Pro Users is no longer available through the Administrative Console. See Pro Administrative Console on page 179.
12 The DigitalPersona Pro 5.4 package includes a new version (v5.7) of DigitalPersona Defender.
13 Support for new contactless (Felica) and proximity (Indala) cards.
14 User secrets (i.e. Password Manager logon account data) created on disconnected computers are now synchronized with the Pro Server data once reconnection is established.
15 New centrally-managed, roaming, question-and-answer-based Self Password Recovery feature allows the user to recover access to any domain computer where they have logged on at least once.
16 Support for YubiKey tokens used as RFID tokens or as OTP tokens through DigitalPersona Defender.
17 On Windows Server 2003, DigitalPersona 5.4.0 administrative templates are installed in a new location, the Windows\Inf\{language} folder. When upgrading previous versions of Pro Server to 5.4.0 on Windows Server 2003, all administrative templates have to be explicitly removed from GPOs, and the new .adm files added to Administrative Templates.
Section One: Installation
This section of the DigitalPersona Pro Enterprise Administrator Guide includes the following chapters:
Chapter Number and Title – Purpose . . . Page
2 - Pro Server Installation – Requirements and procedure for installing DigitalPersona Pro Enterprise Server. . . . 22
3 - Pro Client installation – Requirements and procedure for installing DigitalPersona Pro clients. . . . 35
4 - Pro Kiosk installation – Requirements and procedure for installing DigitalPersona Pro Kiosk clients. . . . 46
5 - Optional installations – Requirements and procedure for installing optional DigitalPersona Pro Enterprise components.
Chapter 2 - Pro Server Installation
This chapter provides instructions for the installation of DigitalPersona Pro Enterprise Server on a domain controller.
Instructions for uninstalling DigitalPersona Pro Enterprise Server are on page 31.
Deployment Overview
Here is a high-level overview of the steps required for initial deployment of DigitalPersona Pro Enterprise Server on the domain controller for a Windows 2003/2008 Server network.
Procedure . . . Page
1 Extend the Active Directory schema to include attributes and classes used by DigitalPersona Pro Enterprise Server. Requires AD Schema Administrator rights. You can view the details of the changes that will be made to the schema by opening the file “dp-schema.ldif” located in the “AD Schema Extension” folder in the product package. . . . 23
2 Configure each domain on which DigitalPersona Pro Enterprise Server will be installed by running DPDomainConfig.exe (located in the folder "AD Domain Configuration" in the product package). Requires AD Domain Administrator rights. . . . 24
3 Install the DigitalPersona Pro Enterprise Server software. Note that this will set firewall rules necessary for the operation of DigitalPersona software. . . . 26
4 (Windows Server 2003 only) Add DigitalPersona Administrative Templates to OUs. . . . 55, 133
5 (Optional) Configure Pro Enterprise Server for use with DigitalPersona Pro Kiosk, if Pro Kiosk will be used in the domain.
Upgrading from Previous Versions
Before upgrading from a previous version, it is critical that you refer to the DigitalPersona Pro Upgrade Notes available at http://www.digitalpersona.com/support/reference-material/pro-upgrade-notes/.
Direct upgrades from DigitalPersona Pro for Active Directory versions previous to 4.4.3 are not supported. If you need to upgrade from a version prior to 4.4.3, you will need to upgrade to Pro 4.4.3 and then upgrade to Pro Enterprise 5.4. A Migration Guide is available from DigitalPersona or your authorized channel partner for upgrading from DigitalPersona Pro for Active Directory 4.4.3 to DigitalPersona Pro Enterprise 5.3.
Also, make sure to review the readme.txt files included with each component in the product package that you are installing.
Compatibility
DigitalPersona Pro Enterprise Server version 5.4 is compatible with the following DigitalPersona products:
• DigitalPersona Pro Workstation for Enterprise 4.4.3 and above
• DigitalPersona Pro Kiosk for Enterprise 4.4.3 and above
• DigitalPersona Password Manager Admin Tool 5.3.0 and above
• DigitalPersona Privacy Manager Pro 5.51 or higher
• DigitalPersona Defender Server 5.7
DigitalPersona Pro Server Enterprise 5.4 should NOT be:
• installed over (or upgraded to) DigitalPersona Pro Server for Active Directory versions prior to 4.4.3.
• used in a mixed environment with Pro Server for Active Directory versions 3.x or 4.x or with Pro Workstation/Kiosk 3.x/4.x.
If any previous version of DigitalPersona Pro Server for Active Directory was installed, the administrator should uninstall it and run the DigitalPersona Cleanup wizard (located in the product package) to delete all the previous DigitalPersona Pro data.
This release is not compatible with, and requires the uninstallation of, any other DigitalPersona products on the same computer.
Extending the Active Directory Schema
Prior to installing DigitalPersona Pro Server, the Active Directory schema must be extended to create new attributes for the user object and new classes, as well as to make modifications to existing classes. The Active Directory Schema Extension Wizard automatically handles all of the necessary changes to the schema.
This schema extension is version 2. The schema extension version number is independent of the DigitalPersona Pro product version number. Each Pro product release will identify the schema extension version it requires. This schema extension is global to the Active Directory forest.
If you want to view the script that is used to extend the schema (dp-schema.ldif), it is available in the product package at the following location:
The Active Directory Schema Extension Wizard must be run from the schema master domain controller, or the data may not replicate fast enough to allow the wizard to continue. If the data is not replicated fast enough, the wizard will terminate, and you should then wait one replication cycle before running the wizard again.
After the schema extension, and again after configuring your domains, you must wait for Active Directory schema replication to be completed. The amount of time this takes will depend on the complexity of your Active Directory structure.
You must have Schema Administrator privileges to run the Schema Extension Wizard.
To run the Active Directory Schema Extension Wizard
1 Double-click DPSchemaExt.exe, which is located in the Schema Extension folder in the Server installation package, to start the Schema Extension Wizard.
2 Read the terms and conditions on the License Agreement page. If you agree with them, select I accept the license agreement and then click Next.
3 When prompted to proceed with the schema extension, click Yes.
4 Next, specify a location and name for the log file generated by the Schema Extension Wizard in the Save Log File As dialog box. Then, click Save.
5 If the schema is not writable, the wizard will inform you of the fact and will allow you to make it writable. If this dialog box displays, click Yes to make the schema writable and perform the schema extension.
6 The wizard will extend the schema and provide information such as the class and attribute names. To close the wizard, click Finish.
The name of each new attribute and class added to the Active Directory schema follows Microsoft naming conventions. The names are assigned a “dp” prefix, which is registered with Microsoft.
The OID base, generated by Microsoft, is 1.2.840.113556.1.8000.651.
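An added PowerShell check, not part of the DigitalPersona package, that lists the schema objects carrying the dp prefix, flags any whose OID falls outside the base above, and warns when it is not running on the schema master; it assumes the ActiveDirectory module (RSAT) on a domain-joined host with read access to the schema partition.

```powershell
# Added example (not DigitalPersona code): verify the schema extension from a domain-joined host.
# Assumes the ActiveDirectory module (RSAT) and permission to read the schema partition.
Import-Module ActiveDirectory

$OidBase = '1.2.840.113556.1.8000.651'   # OID base stated in the guide

function Test-DpSchemaExtension {
    # Returns the dp* attributes and classes found in the schema, with an InBase flag per object.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $objects = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=dp*)' `
        -Properties lDAPDisplayName, attributeID, governsID
    foreach ($o in $objects) {
        # attributeSchema objects carry attributeID; classSchema objects carry governsID.
        $oid = if ($o.ObjectClass -eq 'attributeSchema') { $o.attributeID } else { $o.governsID }
        [pscustomobject]@{
            Name   = $o.lDAPDisplayName
            Kind   = $o.ObjectClass
            OID    = $oid
            InBase = [bool]($oid -like "$OidBase.*")
        }
    }
}

# The wizard must run on the schema master; say so if this host is not it.
$schemaMaster = (Get-ADForest).SchemaMaster
$localFqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($schemaMaster -ne $localFqdn) {
    Write-Warning "Schema master is $schemaMaster; this host is $localFqdn. Results reflect only what has replicated here."
}

$dp = @(Test-DpSchemaExtension)
if ($dp.Count -eq 0) {
    Write-Warning 'No dp* schema objects found: the extension has not run, or has not replicated to this DC yet.'
} else {
    $dp | Sort-Object Kind, Name | Format-Table -AutoSize
    # A dp* name whose OID is outside DigitalPersona's registered base did not come from this
    # extension and is worth investigating before installing the server.
    $outside = @($dp | Where-Object { -not $_.InBase })
    if ($outside.Count -gt 0) {
        Write-Warning ("{0} dp* object(s) with OIDs outside {1}: {2}" -f $outside.Count, $OidBase, ($outside.Name -join ', '))
    }
}
```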
Configure each domain
For each domain on which you plan to install DigitalPersona Pro Server, you need to run the DigitalPersona Pro Active Directory Domain Configuration Wizard, which configures the required domain-specific data including the necessary cryptographic keys.
Running the wizard requires administrator privileges on the domain controller.
You should run this wizard only once on each domain where Pro Server will be installed.
Running the wizard a second time during a single replication period will result in corrupted Server data, and any DigitalPersona Pro Enterprise Servers in the domain will be unusable.
After running the Domain Configuration wizard, domain level permissions to enroll/delete fingerprints are reset to the default, i.e. Allow.
To run the DigitalPersona Pro Enterprise Domain Configuration Wizard
1 Double-click DPDomainConfig.exe, which is located in the Domain Configuration folder in the Server installation package.
2 Read the license agreement that displays and, if you agree to the terms and conditions, select I accept the license agreement and then click Next.
3 A warning reminds you not to run this wizard if you have an existing DigitalPersona Pro Enterprise Server installation on this domain. If you are sure there are no other DigitalPersona Pro Enterprise Server installations on the domain you are configuring, check the I accept that the domain will be configured box and click Next.
4 In the Save Log File As dialog box, specify a file name and folder path for the log file generated by the wizard and click Save.
Install DigitalPersona Pro Enterprise Server
After extending the Active Directory schema and configuring the domain where you will install Pro Server, you are ready to install the software.
Before installing DigitalPersona Pro Enterprise Server, ensure that the computer meets the minimum requirements listed on page 17.
WARNING: To avoid possible data loss, wait one data replication cycle after domain configuration before installing DigitalPersona Pro Enterprise Server.
Note also that the installation will set three inbound firewall policies necessary for the operation of DigitalPersona software as follows:
Policy Name: DigitalPersona Authentication Service (Echo Request - ICMPv4-In)
Description: Inbound rule for DigitalPersona Authentication Service to allow Echo Request messages to be sent as ping requests.
Policy Name: DigitalPersona Authentication Service (DCOM-In)
Description: Inbound rule for DigitalPersona Authentication Service to allow remote DCOM activation via the RPCSS service.
Policy Name: DigitalPersona Authentication Service (TCP-In)
To install DigitalPersona Pro Server
1 Double-click Setup.exe, located in the Pro Enterprise Server folder of the DigitalPersona Pro Enterprise Server installation package, to run the DigitalPersona Pro Enterprise Server Installation Wizard.
2 When the wizard opens, click Next.
3 Read the terms and conditions on the License Agreement page. If you agree with them, select the I accept the license agreement button and then click Next.
4 On the next page, you can specify the folder in which DigitalPersona Pro Enterprise Server will be installed. If you want to install the server in the default location, which is C:\Program Files\DigitalPersona, click Next. Or click Browse to specify a new location and then click Next to continue.
5 The wizard will install the Server software. To close the wizard, click Finish.
DigitalPersona Pro Enterprise Server and its associated workstation clients use GPMC extensions, installed under the Software Settings and Administrative Templates nodes, to link product policies and settings to Active Directory containers. These policies and settings are described in the chapter, Policies and Settings on page 99.
In releases prior to 5.2, administrative templates were automatically copied to the default folder for administrative templates during installation of DigitalPersona Pro Enterprise Server:
• On Windows Server 2003, this folder is C:\Windows\inf.
• On Windows Server 2008, the folder is X:\Windows\PolicyDefinitions.
Beginning in release 5.2, these administrative templates are no longer copied as part of the Pro Enterprise installation. They are now part of the DigitalPersona Pro Administrative Tools, GPMC Extensions component, which may be installed on any Active Directory aware computer.
Configuring DigitalPersona Pro Server for Pro Kiosk
Configuration Steps
Complete the following Pro Server and Kiosk installation and configuration steps in the order shown below. Specific instructions for configuration are described in the following sections and additional pages as referenced.
1 Install DigitalPersona Pro Server, 5.x or higher version. This includes performing Schema Extension, Domain Configuration and the Server installation as specified on pages 23 and following. If previous versions of DigitalPersona Pro Server were installed in the domain, you should run the Domain Configuration Wizard, but should not run the Schema Extension Wizard again in this case.
2 Install the DigitalPersona Pro Administration Tools. You do not need to install all of the included Administration Tools components. However, the GPMC Extensions component must be installed. See Administration Tools on page 55.
3 Create an OU for each kiosk and assign computers to the kiosk OU. See Creating the OU for the Kiosk on page 29. By default, the entire domain is considered as one kiosk. You may want to set up multiple, separate kiosks.
4 Assign kiosk permissions. By default, all domain users are allowed Kiosk permissions. You can restrict identification to specific groups or users by following the instructions in the chapter Identification List on page 215. Note that by design, AD Domain Administrator will have access even if not granted permission on an Identification List. However, you can change the permission for the Domain Administrator from Allow to Deny for any specific kiosk.
5 Create a Shared Account in Active Directory and specify the account information either by GPO or on individual kiosk computers. See Kiosk Shared Account Settings on page 29 and Adding Shared Account Settings Using GPO on page 29.
6 Install DigitalPersona Pro Kiosk on kiosk computers. See Pro Kiosk installation on page 46 for instructions.
Configuring Kiosk GPO Settings
Perform fingerprint identification on server
The GPO setting Perform fingerprint identification on server must be applied and enabled for all Pro Kiosk clients that will be using fingerprint credentials. For further details, see Perform fingerprint identification on server on page 121.
Kiosk Shared Account Settings
At the kiosk level, whether it is the domain or an OU, you must specify the kiosk Shared Account information. For more information, see Adding Shared Account Settings Using GPO on page 26.
Creating the OU for the Kiosk
When you install DigitalPersona Pro Server and Pro Kiosk, the entire domain is considered as one kiosk unless you complete further configuration.
To create multiple kiosks in a domain, or to limit the usage of the kiosk to specific computers only, you should create an organizational unit (OU) for each kiosk and then assign computers to the OU. You might create several kiosks where each kiosk is associated with its own OU. If computers in the same OU are geographically located in different sites, each OU per site is a kiosk.
Specifying a Shared Account for the Kiosk
Pro Kiosk requires an account, known as the Shared Account, that is specified on every kiosk computer. Account information includes the user name, domain name and password for an Active Directory account. You should have one Shared Account per kiosk with a Password never expires setting.
You can configure the kiosk Shared Account by supplying the kiosk Shared Account information through GPO settings, as described below.
If the kiosk Shared Account information is distributed through Group Policies settings, all computers that belong to the selected object level in Active Directory, such as OU, Domain, or Site, receive the kiosk Shared Account settings.
Pro Kiosk automatically assigns the “Impersonate a client after authentication” user right to the kiosk Shared Account. This right allows programs that run on behalf of that user to impersonate a client. This right allows Pro Kiosk to authenticate multiple users while using only one logon session for the Shared Account.
Adding Shared Account Settings Using GPO
Note that beginning with Pro Enterprise 5.3, the AD location of these settings has been changed. The settings previously found at Computer Configuration/Administrative Templates/DigitalPersona Pro Client Kiosk Administration have been replaced and are included for backward compatibility only.
The new location is Computer Configuration/Policies/Software Settings/DigitalPersona Pro Client/Kiosk Administration.
You can use the Group Policy Editor to modify DigitalPersona settings. For the Kiosk Shared Account Settings, at the OU level for the kiosk, open the Kiosk Administration node and double-click Kiosk Workstation Shared Account Settings. Specify the following values:
• Kiosk Shared Account user name
• Kiosk Shared Account NetBIOS domain name
• Kiosk Shared Account password
The Shared Account information will be enabled for all computers in the OU.
Assigning Kiosk Permissions
In situations where additional security restrictions are necessary or desirable, you can modify the default permissions to allow or deny specific groups or users from using each kiosk. The default installation permits every domain user to use all kiosks in the domain and no additional configuration is necessary. For an example of how to restrict identification, see Restricting kiosk identification on page 122.
Password Manager Admin Tool settings
If you plan on using managed logons with DigitalPersona Pro Kiosk, the templates created in the Password Manager Admin Tool must be accessible by the Shared Accounts that are used to access the kiosks. Make sure that the templates are available through GPO settings to the kiosk Shared Account rather than kiosk user accounts.
Changes Made During Installation
Running the Schema Extension Wizard adds the following data to Active Directory.
Active Directory Containers
The Schema Extension Wizard installs two subcontainers in the Active Directory System container. They contain information administrators can use to verify and administer the DigitalPersona Pro Server installation. In the ADUC (Active Directory Users and Computers) Snap-in, ensure that Advanced Features is selected from the View menu in order to view the System container.
The new containers installed are the BAS (Biometric Authentication Servers) container and the Licenses container.
Published Information
DigitalPersona Pro Server publishes its service using the following properties:
• Service Class Name, set to Authentication Service.
• Service Class GUID, set to {EFE03FEC-2A6C-4DFB-9B56-E3BC77F32D7F}.
• Vendor Name, set to DigitalPersona.
• Product Name, set to UareUPro.
• Product GUID, set to {48F74E29-1CC0-468F-A0A0-8236628A5170}.
• Authentication Server Object Name, the DNS name of the host computer.
• Service Principal Name, a unique name identifying the instance of a service for a client.
• Schema Version Number, the version of the Active Directory schema extension.
• Product Version Number, the version of DigitalPersona Pro Server software.
• Product Version High, set to [current version].
• Product Version Low, set to [current version].
• Keywords for searching the server are Service Class GUID, Vendor Name, Product Name and Product GUID. The keyword values are the same as the property values listed in this section.
The Server publishes its service in compliance with the Active Directory Service Connection Point specifications.
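An added PowerShell query, not DigitalPersona code, that enumerates the Service Connection Points carrying the GUIDs listed above and the two subcontainers under System, so you can confirm which servers clients will be directed to; it assumes the ActiveDirectory module (RSAT), that the keywords hold the GUIDs as substrings, and that the containers are named CN=BAS and CN=Licenses as given above.

```powershell
# Added example (not DigitalPersona code): list what a Pro Server published in Active Directory.
# Assumes the ActiveDirectory module (RSAT). The GUIDs are the values stated in the guide; that the
# keywords hold them as substrings, and that the containers are CN=BAS and CN=Licenses, are assumptions.
Import-Module ActiveDirectory

$ServiceClassGuid = 'EFE03FEC-2A6C-4DFB-9B56-E3BC77F32D7F'   # Service Class GUID from the guide
$ProductGuid      = '48F74E29-1CC0-468F-A0A0-8236628A5170'   # Product GUID from the guide

function Get-DpProServerScp {
    # Every Service Connection Point carrying either keyword is a Pro Server clients may be directed to.
    $domainNC = (Get-ADRootDSE).defaultNamingContext
    $filter = "(&(objectClass=serviceConnectionPoint)(|(keywords=*$ServiceClassGuid*)(keywords=*$ProductGuid*)))"
    Get-ADObject -SearchBase $domainNC -LDAPFilter $filter `
        -Properties serviceClassName, serviceDNSName, keywords, whenChanged |
      ForEach-Object {
        [pscustomobject]@{
            DistinguishedName = $_.DistinguishedName
            ServiceClass      = $_.serviceClassName   # expected: Authentication Service
            ServiceDnsName    = $_.serviceDNSName     # populated only if the product sets it (assumption)
            Keywords          = ($_.keywords -join '; ')
            WhenChanged       = $_.whenChanged
        }
      }
}

function Get-DpSystemContainer {
    # The two subcontainers the Schema Extension Wizard adds under CN=System (names as given in the guide).
    $domainNC = (Get-ADRootDSE).defaultNamingContext
    Get-ADObject -SearchBase "CN=System,$domainNC" -SearchScope OneLevel `
        -LDAPFilter '(|(cn=BAS)(cn=Licenses))' |
      Select-Object Name, ObjectClass, DistinguishedName
}

$scps = @(Get-DpProServerScp)
if ($scps.Count -eq 0) {
    Write-Warning 'No Pro Server SCP found in this domain: the server is not installed, not started, or has not replicated here.'
} else {
    $scps | Format-List
    # Each published SCP should correspond to a server you installed. The parent of the DN shows
    # where it was published; compare that list against your server inventory.
    $scps.DistinguishedName -replace '^CN=[^,]+,', '' | Sort-Object -Unique
}
Get-DpSystemContainer | Format-Table -AutoSize
```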
DNS Registration
The use of DNS registration enables DigitalPersona Pro Workstations to locate Pro Servers without needing additional local configuration to do so. If your DNS Server supports dynamic registration, DigitalPersona Pro Server registers itself with the DNS using the service name, _dpproent.
The format of the DNS resource records for DigitalPersona Pro Server is:
• _dpproent._tcp.[domain] 600 IN SRV 0 100 0 [server name]
• _dpproent._tcp.[site name]._sites.[domain] 600 IN SRV 0 100 0 [server name]
Pro Server calculates site coverage based on the availability of other Pro Servers on the domain (as well as sites configured for the domain) and then creates Service Resource Records (SRV RRs) for the domain and sites it covers.
Settings in the DigitalPersona Pro Administrative Template govern whether or not Pro Server utilizes dynamic registration. For information on this and other DNS related settings, see pages 122 and following.
Automatic Registration
By default, DigitalPersona Pro Server registers itself with DNS every time Pro Server starts, is
When DigitalPersona Pro Server unregisters itself, it removes only the records it has created during automatic registration. Records entered by the administrator will be unaffected.
Automatic Registration may be disabled through a GPO setting.
Manual DNS Registration
If your DNS Server does not support dynamic registration, or if dynamic registration is disabled through a DigitalPersona Pro GPO setting, an administrator can manually register the Pro Servers by entering the DNS resource records in the format shown above.
You can view the default values of settings created during Pro Server setup by opening the U.are.UPro.DNS file in Notepad. It is located in the Program Files\DigitalPersona\bin folder.
To manually register a Pro Server in Microsoft DNS
1 Open the DNS console and expand the Forward Lookup Zone.
2 In the left pane, select and then right-click on [domainname], and select Other New Records in the context menu.
3 In the Resource Record Type dialog box, click on Service Location, and then click the Create Record button.
4 In the New Resource Record dialog, set the following values:
• Service: _dpproent
• Weight: 100
• Port Number: 0
• Host offering this service: domaincomputername.domainname.com
5 Click OK to save the settings and return to the main DNS console window.
6 Under the same [domainname], expand the _sites key.
7 In the left pane, select and then right-click on Default-First-Site-Name and select Other New Records from the context menu.
8 Repeat steps 3 through 5 for each Pro server that you want to register.
Improving Performance
The Priority and Weight settings can be modified to achieve better response time and load-balancing in the _dpproent.Properties dialog box, which is accessible by double-clicking _dpproent in the DNS Console. The _dpproent SRV RRs can be found in the following paths in the DNS Console:
• DNS/[DNS server]/Forward Lookup Zones/[domain]/_tcp
• DNS/[DNS server]/Forward Lookup Zones/[domain]/sites/[site name]/_tcp
If your DNS does not support dynamic registration, you will have to add these SRV RRs manually. For your convenience, these entries are stored in a file, UareUPro.DNS, which is located in the folder in which you installed DigitalPersona Pro Server.
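An added PowerShell helper, not DigitalPersona code, that resolves the domain and site _dpproent SRV records, compares their targets against the Pro Servers you know you installed, and can create the records with the values shown above; it assumes the DnsClient module for Resolve-DnsName and, for record creation, the DnsServer module (Windows Server 2012 or later) against a Microsoft DNS server.

```powershell
# Added example (not DigitalPersona code): audit and create _dpproent SRV records.
# Assumes the DnsClient module (Resolve-DnsName) and, for Add-DpProSrvRecord, the DnsServer module.

function Get-DpProSrvRecord {
    # Returns the SRV records a Pro Workstation would query for the domain and, optionally, one site.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Site
    )
    $names = @("_dpproent._tcp.$Domain")
    if ($Site) { $names += "_dpproent._tcp.$Site._sites.$Domain" }
    foreach ($name in $names) {
        $answers = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' }
        foreach ($rr in $answers) {
            [pscustomobject]@{
                Query    = $name
                Target   = $rr.NameTarget.TrimEnd('.')
                Priority = $rr.Priority
                Weight   = $rr.Weight
                Port     = $rr.Port
                TTL      = $rr.TTL
            }
        }
    }
}

function Test-DpProSrvRecord {
    # Lists what DNS advertises and flags targets that are not servers you installed. Workstations
    # pick their Pro Server from these records, so an unexpected target is either a stale
    # registration or a record somebody else added, and either way deserves a look.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Site,
        [string[]]$ExpectedServers = @()
    )
    $records = @(Get-DpProSrvRecord -Domain $Domain -Site $Site)
    if ($records.Count -eq 0) {
        Write-Warning "No _dpproent SRV records found for $Domain; clients will not locate a Pro Server through DNS."
        return $records
    }
    $records | Format-Table -AutoSize | Out-String | Write-Host
    if ($ExpectedServers.Count -gt 0) {
        $unknown = $records.Target | Sort-Object -Unique |
            Where-Object { $ExpectedServers -notcontains $_ }
        if ($unknown) {
            Write-Warning "SRV targets not in the expected server list: $($unknown -join ', ')"
        }
    }
    return $records
}

function Add-DpProSrvRecord {
    # Creates records in the format the guide gives:
    #   _dpproent._tcp.[domain] 600 IN SRV 0 100 0 [server name]
    #   _dpproent._tcp.[site name]._sites.[domain] 600 IN SRV 0 100 0 [server name]
    param(
        [Parameter(Mandatory)][string]$ZoneName,     # the AD domain's forward lookup zone
        [Parameter(Mandatory)][string]$ServerFqdn,   # the Pro Server host
        [string]$Site,                               # omit to create only the domain-level record
        [string]$DnsServer = 'localhost',
        [uint16]$Priority = 0,                       # lower is preferred; adjust for load balancing
        [uint16]$Weight   = 100
    )
    $names = @('_dpproent._tcp')
    if ($Site) { $names += "_dpproent._tcp.$Site._sites" }
    foreach ($name in $names) {
        Add-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -Name $name -Srv `
            -DomainName $ServerFqdn -Priority $Priority -Weight $Weight -Port 0 `
            -TimeToLive (New-TimeSpan -Seconds 600)
    }
}

# Usage (host names constructed for illustration):
# Test-DpProSrvRecord -Domain 'corp.example.com' -Site 'Default-First-Site-Name' -ExpectedServers 'dpsrv01.corp.example.com'
# Add-DpProSrvRecord -ZoneName 'corp.example.com' -ServerFqdn 'dpsrv01.corp.example.com' -Site 'Default-First-Site-Name' -DnsServer 'dc01.corp.example.com'
```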
Configuring DNS Dynamic Registration
Additional parameters for configuring DNS registration are available in the DigitalPersona Pro Administrative Template when added to the governing GPO. These settings are described beginning on page 122.
Uninstalling DigitalPersona Pro Server
DigitalPersona Pro Server can be uninstalled from the Add/Remove Programs Control Panel in Windows if you have administrator privileges on the domain on which Pro Server is installed. The software is listed as, “DigitalPersona Pro Enterprise Server version [version number].”
When you uninstall the Server software, the published information (described in Published Information on page 29) and the DNS SRV RRs (described in DNS Registration on page 29) are removed.
3 Pro Client installation
This chapter provides instructions for installing the DigitalPersona Pro Workstation for Enterprise client. Installation of the DigitalPersona Pro Kiosk client is covered in Chapter 4, beginning on page 46.
In most environments, DigitalPersona Pro Enterprise Servers will be used for authentication. They should be installed and configured before installing DigitalPersona Pro Workstation for Enterprise.
The following topics cover the installation of DigitalPersona Pro Workstation for Enterprise:
• System requirements
• Installation
• Remote installation
• Client Suite installation
• Local installation
• Command line Installation
• Installation on Citrix Presentation Server
System requirements
Before installing DigitalPersona Pro Workstation for Enterprise on a computer, make sure it meets the system requirements listed on page 17, and that you have Administrative Rights on the computer.
Upgrading from Previous Versions
Before upgrading from a previous version, it is critical that you refer to the DigitalPersona Pro Upgrade Notes available at http://www.digitalpersona.com/support/reference-material/pro-upgrade-notes/.
Direct upgrades from DigitalPersona Pro for Active Directory versions previous to 4.4.3 are not supported. If you need to upgrade from a version prior to 4.4.3, you will need to upgrade to Pro 4.4.3 and then upgrade to Pro Enterprise 5.4. A Migration Guide is available from DigitalPersona or your authorized channel partner for upgrading from DigitalPersona Pro for Active Directory 4.4.3 to DigitalPersona Pro Enterprise 5.3. Also, make sure to review the readme.txt files included with each component in the product package that you are installing.
CAUTION: Upgrading the operating system from Windows XP to any later version of Windows will uninstall DigitalPersona Pro, and it will need to be reinstalled. Any Pro enrolled credentials will be lost as well. Before upgrading you should use the Backup and Restore feature (page 169) to back up your DigitalPersona Pro data, and then restore the data after installing DigitalPersona Pro under the new operating system.
Compatibility
• DigitalPersona Pro Enterprise Server 5.4.0 and above.
• DigitalPersona Defender 5.7 and above.
• DigitalPersona Password Manager Admin Tool 5.4.0 and above.
• DigitalPersona Privacy Manager Pro 5.51 and above.
This release is not compatible with, and requires the uninstallation of, any other DigitalPersona products on the same computer.
Installation
Remote installation
For remote installation of patches, see the next section.
The installer for Pro Workstation uses Microsoft Windows Installer (MSI) technology, which allows administrators to remotely install or uninstall the software using Active Directory administration tools, or other software deployment tools.
Note that this installer only works for computer-based policy installation, not user-based installations.
Prerequisites
Before installing your DigitalPersona Pro client, you must install the following prerequisites.
• Windows Management Framework Core package - Includes the following components: Windows PowerShell 2.0 and Windows Remote Management (WinRM) 2.0. See Windows KB article 968930.
• Microsoft .NET Framework version 2.0 or above
Chapter 3 - Pro Client installation
Installing Pro Workstation
To install Pro Workstation remotely through Active Directory use the following procedure. Some steps will vary depending on the operating system version.
For mixed 32- and 64-bit environments, follow these steps twice to create an administrative installation file for each environment.
1 Create an administrative installation package.
a. Open a command prompt session and navigate to the location where you have stored the product package. Change the directory to “Pro Enterprise Workstation\x86” for the 32-bit version or “Pro Enterprise Workstation\x64” for the 64-bit version. Note that the 32-bit version will not install on 64-bit computers.
b. Type setup.exe /a
c. The product installation wizard launches and prompts you for a location where you would like the administrative installation package to be created. Choose a network shared drive that will be accessible to the computers where you will be installing the software. For example, \\servername\InstallDir, where InstallDir is a predefined shared folder. There is no need to reboot at the end of the wizard.
2 Create a Group Policy Object (GPO) that will be used to distribute the software package.
a. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
b. In the console tree, right-click your domain, and then click Properties.
c. Click the Group Policy tab, and then click New.
d. Type a name for this new policy (for example, DigitalPersona Pro 5.5 distribution), and then press Enter.
e. Click Properties, and then click the Security tab.
f. Clear the Apply Group Policy check box for the security groups that you don't want this policy to apply to.
g. Select the Apply Group Policy check box for the groups that you want this policy to apply to.
h. When you are finished, click OK.
3 Assign the package
a. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
c. Click the Group Policy tab, select the policy that you want, and then click Edit.
d. Under Computer Configuration, expand Software Settings.
e. Right-click Software installation, point to New, and then click Package.
f. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example, \\file server\share\file name.msi. It is important that you do not use the Browse button to access the location. Make sure that you use the UNC path of the shared installer package.
g. Click Open.
h. Click Assigned, and then click OK. The package is listed in the right-pane of the Group Policy window.
i. For 32-bit installation packages only - Right-click the newly created package and select Properties. Then, on the Deployment tab, click Advanced. Deselect the checkbox Make this 32-bit X86 application available on Win64 machines. If this checkbox remains selected, the application will not install.
j. Close the Group Policy snap-in, click OK, and then close the Active Directory Users and Computers snap-in.
4 Installation will begin on each client during the first reboot after the computer obtains the deployment policy, i.e. during the next scheduled AD policy refresh or as a result of running gpupdate /force on the local computer.
Remote installation for patches
This topic addresses the remote installation of client patches through slipstreaming. For standard product installation, see the preceding topic.
The installer for Pro Workstation uses Microsoft Windows Installer (MSI) technology, which allows administrators to remotely install patches to software using Active Directory administration tools, or other software deployment tools.
For mixed 32- and 64-bit environments, follow these steps twice - patching the administrative installation files for both environments. Note that this installer only works for computer-based policy installation, not user-based.
To install a Pro Workstation patch remotely through Active Directory, use the following procedure. The following steps assume that an administrative installation package has been created as described in the previous topic. Some steps will vary depending on the operating system version.
1 Update the installation package.
msiexec.exe /p [path\name of updated MSP file] /a [path\name of administrative installation file]
2 Redeploy the application
a. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to
Administrative Tools, and then click Active Directory Users and Computers.
b. Right-click the GPO that governs the computers you want to update and select Edit.
c. Navigate to Computer Configuration/Policies/Software Settings/Software Installation.
d. Right-click the Pro client software name and select All Tasks\Redeploy application. Confirm your intent to redeploy the application.
Client Suite installation
To install
1 Launch the Client Suite installer by running setup.exe from the Client folder of the product package.
2 Click Next.
3 Select the product to install. Note that only one of these products can be installed on a computer:
• DigitalPersona Pro Workstation for Enterprise, or
• DigitalPersona Pro Kiosk for Enterprise
4 If you need to install third party drivers for fingerprint or card readers, click the Third Party Drivers button and select the appropriate drivers for your hardware and operating system. Note that DigitalPersona does not provide drivers for Authentec fingerprint readers. There is a link on the page for downloading these drivers. The suggested driver for Authentec fingerprint readers is AT9.
5 On the confirmation page you will see a list of items to be installed.
6 Click Install to begin the installation. Details of the Workstation installation are the same as described below in the Local Installation topic.
7 Successful installation requires the presence of a VeriSign Primary PCA Root Certificate (G5). If your system does not have this certificate, the installation will fail. If it does, see the next topic, “Install VeriSign Primary PCA Root Certificate”, and then restart the installation.
8 After the Workstation installation is finished, you will need to restart the computer. After the restart, installation of any third-party drivers will be started automatically.
Install VeriSign Primary PCA Root Certificate
Note that this is only required if the DigitalPersona Pro client installation fails due to the following error.
1 To install a VeriSign Primary PCA Root Certificate
3 Unzip the downloaded file and open the Generation 5 (G5) PCA folder.
4 Launch the file VeriSign Class 3 Public Primary Certification Authority - G5.cer.
5 Select Install Certificate.
6 In the Certificate Import Wizard, select Place all certificates in the following store, and browse to the Trusted Root Certification Authorities store.
7 Click Next and then click Finish.
Local installation
To install DigitalPersona Pro Workstation for Enterprise on a local computer
1 Launch the installer from the Pro Enterprise Workstation folder of the product package.
• For all supported operating systems except Windows XP Embedded and Windows Embedded Standard 2009, run Setup.exe located in the Client\Pro Enterprise Workstation root folder. Or, for silent mode, enter setup.exe /s /v"/qn" at the command line.
• On Windows XP Embedded and Windows Embedded Standard 2009 only, run DigitalPersona Pro Workstation for Enterprise.msi located in the Client\Pro Enterprise Workstation\x86 folder.
In step 5 below, select the Typical installation option.
2 When the Welcome page displays, click Next to proceed with the installation.
3 Read the License Agreement page. If you agree, select the I accept the terms in the license agreement button and click Next.
4 On the next page, you can specify the folder that DigitalPersona Pro Workstation for Enterprise will be installed in. If you want to install DigitalPersona Pro to the default location, click Next; otherwise, click Change to specify a new location and then click Next to continue.
5 On the Choose Installation Mode page, select the operational mode for this installation of the software.
• Evaluation mode - All credentials are enrolled on the local machine and do not roam. The software does not require, and will not connect to, a Pro Enterprise Server.
• Standard mode - By default, credentials cannot be enrolled without a connection to a licensed Pro Enterprise Server. This may be changed by disabling the Allow Pro client to use Pro Server GPO on the server (see page 113).
• The current operational mode is displayed in the About dialog, and a link there allows you to change the mode.
CAUTION: The choice of whether to store biometric data remotely or locally cannot be changed without uninstalling and reinstalling the client software. Switching from locally stored data to remotely stored data will also remove any biometric data and Password Manager logon data that was stored on the computer. When switching from remotely stored data to locally stored data, the local user will no longer be able to use previously stored biometric data or Password Manager logons on the local machine.
7 Choose one of the following options to indicate the type of installation you want to perform.
• Typical - Installs the most commonly used features.
• Custom - Allows selection of which features to install. Optional features include binaries necessary for developers accessing the DigitalPersona Pro API through .NET and COM interfaces.
8 Click Next and then Install, to begin installation.
After the computer restarts, and at every subsequent restart, the DigitalPersona Pro client software automatically uses the default DNS Server to locate all DigitalPersona Pro Servers for the domain and its site. If more than one Pro Server is found, the Workstation will choose the Pro Server for authentication that offers the most efficient connectivity. If no Pro Servers are found, the client will perform authentication locally.
For instructions on using DigitalPersona Pro Enterprise clients, see page 154.
Command line Installation
DigitalPersona Pro Workstation can also be installed or uninstalled using MSI at the command line. The syntax of the msiexec command is shown below and is followed by a description of the command line options, parameters and values available:
msiexec /i setup.msi INSTALLDIR=[directory] ADDLOCAL=[software] REMOVE=[software] TRANSFORMS=[Name of transform file] /qn
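An added PowerShell wrapper, not DigitalPersona code, around the msiexec syntax above: it checks the package's Authenticode signature before installing, maps each MSI property to a parameter, writes a verbose log and interprets the reboot exit codes; the function and parameter names are my own.

```powershell
# Added example (not DigitalPersona code): scripted Pro Workstation install using the msiexec
# syntax in the guide. Function and parameter names are mine; the MSI properties are the guide's.
function Install-DpProWorkstation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$MsiPath,   # setup.msi from the product package
        [string]$InstallDir,                      # INSTALLDIR=[directory]
        [string[]]$AddLocal,                      # ADDLOCAL=[software]
        [string[]]$Remove,                        # REMOVE=[software]
        [string]$Transform,                       # TRANSFORMS=[Name of transform file]
        [string]$LogPath = (Join-Path $env:TEMP 'DpProWorkstation-install.log')
    )
    # Refuse a package whose Authenticode signature does not validate. The guide already makes the
    # install depend on the vendor's root certificate chain; enforcing it here catches a tampered
    # or mis-copied package before msiexec runs it with SYSTEM rights.
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${MsiPath}: $($sig.Status) - $($sig.StatusMessage)"
    }
    Write-Verbose "Package signed by: $($sig.SignerCertificate.Subject)"

    $msiArgs = @('/i', "`"$MsiPath`"")
    if ($InstallDir) { $msiArgs += "INSTALLDIR=`"$InstallDir`"" }
    if ($AddLocal)   { $msiArgs += "ADDLOCAL=$($AddLocal -join ',')" }
    if ($Remove)     { $msiArgs += "REMOVE=$($Remove -join ',')" }
    if ($Transform)  { $msiArgs += "TRANSFORMS=`"$Transform`"" }
    $msiArgs += @('/qn', '/L*v', "`"$LogPath`"")   # silent, with a verbose log for troubleshooting

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
    switch ($proc.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'Installed; restart required' }    # ERROR_SUCCESS_REBOOT_REQUIRED
        1641    { return 'Installed; restart initiated' }   # ERROR_SUCCESS_REBOOT_INITIATED
        default { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
    }
}

# Usage (path constructed for illustration):
# Install-DpProWorkstation -MsiPath '\\fileserver\InstallDir\setup.msi' -Verbose
```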
Command line Options
Parameters
Options Description
/i (Required) Indicates that MSI will be used to install the DigitalPersona Pro software. It must be followed by the full pathname to the setup.msi file.