Advanced Login for Windows User Guide 8.0.3 Enterprise Single Sign-On

Posted 03-Apr-2018

7/29/2019 E-SSO 803 AdvancedLogin WindowsUserGuide

http://slidepdf.com/reader/full/e-sso-803-advancedlogin-windowsuserguide 1/55

Advanced Login for Windows

User Guide

8.0.3 Enterprise Single Sign-On


Copyright © 1998-2009 Quest Software and/or its Licensors. ALL RIGHTS RESERVED.

This publication contains proprietary information protected by copyright. The software described in this publication is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical or otherwise without the prior written permission of the publisher.

DISCLAIMER

The information in this publication is provided in connection with Quest branded products from Evidian. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE AGREEMENT FOR THIS PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO THIS PRODUCT, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN IF EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Evidian and Quest make no representations or warranties with respect to the accuracy or completeness of the contents of this publication and reserve the right to make changes to specifications and product descriptions at any time without notice. Evidian and Quest do not make any commitment to update the information contained in this publication. The information and specifications in this publication are subject to change without notice.

Trademarks

Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, InTrust, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, Stat!, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster, SSOWatch, WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks mentioned in this document are the property of their respective owners.

World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656
Website: www.quest.com
Please refer to our website for regional and international office information.

Quest Enterprise SSO

Updated – January 2010
Software version – 8.0.3


CONTENTS

About This Guide
  Access Management
Conventions
1. Overview
  1.1 Advanced Login Usage
  1.2 Operating Modes
2. Using Advanced Login on Windows 2000/XP Systems
  2.1 Welcome Screen
  2.2 Logging on to Windows
    2.2.1 Logging on to Windows using User Name/Password
    2.2.2 Logging on to Windows with Smart Cards
    2.2.3 Logging on to Windows using your Fingers
    2.2.4 Logging on to Windows Using Your RFID Badge
    2.2.5 Forcing Cache Update at Logon
  2.3 Displaying Session Information
  2.4 Shutting Down the Workstation
  2.5 Locking/Unlocking the Workstation
    2.5.1 Locking the Computer
    2.5.2 Unlocking the Computer
  2.6 Modifying Password or PIN
    2.6.1 Modifying Password
    2.6.2 Modifying your PIN
  2.7 Using the Emergency Access (SOS)
    2.7.1 Resetting Your Password
    2.7.2 Resetting Your PIN
  2.8 Logging on as an Administrator on a User Session ("Administrator Grace Period")
3. Using Advanced Login on Windows Vista Systems
  3.1 The Initial Authentication Screen
  3.2 Logging on to Windows Vista
    3.2.1 Authenticating on Windows Vista Using User Name/Password
    3.2.2 Authenticating on Windows Vista Using Smart Cards
    3.2.3 Logging on to Windows using your Fingers
  3.3 Locking/Unlocking the Session
    3.3.1 Locking the Session
    3.3.2 Unlocking the Session
  3.4 Switching Users
  3.5 Modifying your Password or PIN
    3.5.1 Modifying your Password
    3.5.2 Modifying your PIN
  3.6 Using the Emergency Access
    3.6.1 Resetting Your Password
    3.6.2 Resetting Your PIN
  3.7 Managing Primary Accounts on Your Smart Card
  3.8 Logging on as an Administrator on a User Session ("Administrator Grace Period")
A. Advanced Login and Biometrics Configuration
  A.1 Advanced Login Configuration Parameters
  A.2 Biometrics Configuration Parameters
  A.3 Modifying the Authentication Screen Icons (Windows Vista only)
About Quest Software, Inc.
  Contacting Quest Software
  Contacting Quest Support


About This Guide

Access Management

Subject: This guide explains how to use Enterprise SSO Advanced Login for Windows.

Intended Reader  • Advanced Login end-users.

• Advanced Login Administrators.

Software/Hardware Required

Quest Enterprise SSO Advanced Login 8.0 evolution 3 and later versions.

For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to Quest Enterprise SSO Release Notes.

Supported Operating Systems

Quest Enterprise SSO Advanced Login runs on the following systems:

• Windows.

• Linux.


Quest Enterprise SSO 8.0.3 – Advanced Login for Windows

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

ELEMENT CONVENTION

Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.

Bolded text: Interface elements that appear in Quest products, such as menus and commands.

Italic text: Used for comments.

Bold Italic text: Introduces a series of procedures.

Blue text: Indicates a cross-reference. When viewed in Adobe® Acrobat®, this format can be used as a hyperlink.

Note icon: Used to highlight additional information pertinent to the process being described.

Best practice icon: Used to provide Best Practice information. A best practice details the recommended course of action for the best result.

Caution icon: Used to highlight processes that should be performed with care.

+ : A plus sign between two keystrokes means that you must press them at the same time.

| : A pipe sign between elements means that you must select the elements in that particular sequence.


1. Overview

Enterprise SSO Advanced Login is the authentication module of the Enterprise SSO (E-SSO) suite. It enables speedy implementation of connection procedures using authentication mechanisms with physical tokens (smart cards, USB keys, RFID badges) and biometrics, in addition to the standard authentication method of login/password.

1.1 Advanced Login Usage

Enterprise SSO Advanced Login is used to implement strong authentication in the following scenarios of use:

• Authentication with smart cards or USB keys on Windows workstations, without any need to deploy a PKI compatible with Windows Active Directory certificates.

• Authentication using non-Windows methods, such as biometrics.

• Authentication of users through an enterprise directory which is not part of the Windows network.

• Authentication with RFID badges.

1.2 Operating Modes

Enterprise SSO Advanced Login can be configured in one of the following modes:

• Client/server mode: users are authenticated through Enterprise SSO Console, the advanced access control module.

• Standalone mode: users are directly authenticated in Active Directory or in any other supported LDAP directory.


2. Using Advanced Login on Windows 2000/XP Systems

This section describes the E-SSO authentication with Advanced Login on Windows 2000 or Windows XP systems.

2.1 Welcome Screen

The Enterprise SSO Advanced Login welcome screen is displayed at workstation start-up. It shows the log on methods which are allowed and installed on the workstation.

To log on to Windows, you can:

• Press Ctrl+Alt+Del to connect using your user name/password, as explained in Section 2.2.1, Logging on to Windows using User Name/Password.

• Insert your smart card or USB key (if any), as explained in Section 2.2.2, Logging on to Windows with Smart Cards.

• Place your finger on the scanner (if any), as explained in Section 2.2.3, Logging on to Windows using your Fingers.

• Use your RFID badge (if any), as explained in Section 2.2.4, Logging on to Windows Using Your RFID Badge.

Enterprise SSO Advanced Login respects the Ctrl+Alt+Del key combination setting that you can configure in Windows.


2.2 Logging on to Windows

2.2.1 Logging on to Windows using User Name/Password

Subject

This section explains how to connect to Windows with your user name and password through Active Directory or any other supported directory.

Procedure

1. In the Welcome window, press Ctrl+Alt+Del.

The authentication window appears.

If an RFID badge or a smart card is detected by the workstation, the RFID or smart card authentication window appears by default. In this case, press the Esc (Escape) key to open the login/password authentication window.

2. Enter the following information and click OK.

• User: type your user name.

• Password: type your password.

• Connected to: select your domain (Active Directory), Root (any other directory) or local session.

If you open a local session, you will not be protected by the advanced features of Enterprise SSO.

If you have a number of accounts in one or more domains, and/or if none of them is known to the Enterprise SSO services, the following window prompts you to select the account to be used.


The Windows domain definition can be done with the SSOStudio component of SSOWatch: define an application with a Windows application model. For more information on SSOWatch, see Enterprise SSO - SSOWatch Administrator Guide.

3. Select an account and click OK.

If the account is unknown, an error message appears, informing you that the system needs to collect your authentication data (login/password), and the data collection window appears.


2.2.2 Logging on to Windows with Smart Cards

2.2.2.1 Logging on With a Smart Card Containing Account Data

Subject

If your account data is enrolled on the smart card, you can log on to your Windows session as explained in the following procedure.

Procedure

1. Press Ctrl+Alt+Del.

The authentication window appears.

2. Insert your smart card in the smart card reader.

If your card can store several accounts, the User field lists all the primary accounts stored on the smart card.

If there is only one primary account in the card, this primary account is selected.

3. If needed, select the account with which you want to authenticate.

4. Enter the PIN of your smart card and click OK.

You do not need to enter your user name and domain name as they are already stored on the card when it is created by an Enterprise SSO administrator.

If your log on password has expired, a new password is requested. The new password will be stored instead of the old one.

If you have defined a password-generation policy in SSOWatch, the new password can be randomly generated. In this case, this screen never appears.

5. If there are several Windows accounts corresponding to the primary account, select an account in the role selection window that appears.

The Windows session opens.


2.2.2.2 Logging on Using a Blank Smart Card 

Subject

The first time you use a multi-account smart card to log on to your workstation, your account data is not yet stored on the smart card. The following procedure explains how to enroll your own account on a smart card.

The following procedure only applies to smart cards that support self-enrollment and multiple accounts.

Procedure

1. Press Ctrl+Alt+Del.

The authentication window appears.

2. Insert your smart card in the smart card reader.

As your account is not stored on the smart card yet (first smart card authentication), the User field displays "Smartcard empty: enroll an account".

3. Enter the PIN of your smart card and click OK.

As this is the first time you authenticate with this smart card, you are prompted for your log on user name and password (which are stored in the directory). This information will be stored on the smart card and will no longer be requested, unless it is changed through an external procedure (an administrator forcing a change, or a change initiated from a workstation not protected by Enterprise SSO Advanced Login).


4. Type the required information and click OK.

The account is created on the smart card and the session opens.

2.2.3 Logging on to Windows using your Fingers

Advanced Login can work in three modes to authenticate users using their biometric data:

• STORE ON PC Mode

In this mode, the biometric data is stored on the PC in the Enterprise SSO cache file. The finger replaces the ID/Password. You must enroll yourself on each PC that you connect to.

• STORE ON SMART CARD Mode

In this mode, the biometric data is stored on a smart card. The finger replaces the PIN.

• STORE ON SERVER Mode

In this mode, the biometric data is stored on a server. The finger replaces the ID/Password.


2.2.3.1 First Log on

Subject

To be able to log on to Windows using your finger, you must first enroll your biometric data.

Before Starting

• Make sure the Enterprise SSO finger module is installed on the workstation.

• A finger reader must be installed on the workstation. The workstation can support only one reader. If you use several finger readers, plug in only the one reader you want to use and restart the computer. For more information on supported biometric devices, see Quest Enterprise SSO Release Notes.

• We strongly recommend that you download the latest drivers and licence of your product, and the latest licence for the installation.

• If the administrator has configured a validation of your authentication, a second E-SSO user must authenticate him or herself after you.

• If the Biometric Enrollment tool is not available, modify the SSOWatch installation by selecting the Biometrics Enrollment tool option and restart the computer.

• Ensure that the Controller is available to be able to enroll in Store on Server mode.

Procedure

1. Depending on your biometric authentication mode, do one of the following:

• Store on PC: log on using your password, as described in Section 2.2.1, Logging on to Windows using User Name/Password.

• Store on Server: log on using your finger, as described in Section 2.2.3, Logging on to Windows using your Fingers.

The Enterprise SSO Biometrics Enrollment tool starts after a successful authentication.

2. If it does not start: display the SSOWatch menu by right-clicking the SSOWatch icon in the notification area and clicking Biometric enrollment.

3. Follow the instructions of the Biometric Enrollment tool.

4. When you have successfully completed the scan of your finger(s), log off and try to log on using the fingerprint reader, as described in Section 2.2.3.2, Everyday Log on.

There can only be one set of fingers per biometric reader.


2.2.3.2 Everyday Log on

Subject

This section describes how to log on to Windows using your finger.

Depending on your biometric authentication mode (STORE ON PC, STORE ON SMART CARD or STORE ON SERVER), the procedure is slightly different.

Before Starting

You must have enrolled your biometric data, as described in Section 2.2.3.1, First Log on.

Each time you connect to a new workstation in Store On PC mode, you must enroll your biometric data again.

Procedures

STORE ON PC Mode

1. When the Advanced Login welcome screen appears, place your finger on the scanner.

The following window appears:

2. Read the instructions displayed in the Fingerprint field.

3. Depending on your configuration, you log on automatically when your finger is successfully captured. If not, fill in the User field and click OK.

For details on how to enable the automatic validation, see Section A.1, Advanced Login Configuration Parameters.


STORE ON SMART CARD Mode

1. When the Advanced Login welcome screen appears, insert your smart card in the reader.

The following window appears:

2. Either enter your PIN, or place your finger on the scanner.

3. If you have entered your PIN, click OK (if your finger is successfully captured, you log on automatically).

STORE ON SERVER Mode

1. When the Advanced Login welcome screen appears, place your finger on the scanner.

The following window appears:


2. Read the instructions displayed in the Fingerprint field.

Depending on your configuration, you log on automatically when your finger is successfully captured.

3. If you are not logged on automatically, fill in the User field and click OK.

For details on how to enable the automatic validation, see Section A.1, Advanced Login Configuration Parameters.

4. If the authentication fails, you have to enter your ID to update the local cache.

2.2.4 Logging on to Windows Using Your RFID Badge

Subject

This section explains how to authenticate with an RFID badge.

The following figure illustrates how Enterprise SSO acts depending on the area in which it detects the RFID badge.

[Figure: the RFID sensor/antenna is surrounded by three concentric areas. Unlock area (within unlock range): the badge is able to open or unlock the session. Visibility area: the session is kept alive. Lock area (beyond lock range): the session is locked or closed.]


2.2.4.1 First Log on

Before Starting

 An RFID reader must be installed on the workstation.

Procedure

1. Place the RFID badge in the unlock area so that Enterprise SSO detects it.

The Advanced Login window appears and tells you that your RFID badge is not assigned.

2. Click OK to validate it.

The Enroll an Account window appears.


3. Enter your login and password to associate them with your RFID badge and click OK.

If you are authenticated, the session opens.

• You can have as many RFID badges as you want; this enables you to lend them to other people.

• You can delete the badge enrollment by blacklisting it in the Administration Console.

• E-SSO policy cannot block auto-enrollment.

2.2.4.2 First Log on with a Smart Card 

Before Starting

• E-SSO Advanced Login must be installed on the workstation.

• An RFID reader and a Smart Card reader must be installed on the workstation.

• You must have both your RFID badge and your Smart Card to log on.

• If no RFID badge is detected, the RFID badge enrollment will not be suggested the next time you open your Windows session.

Procedure

1. Insert your Smart Card in the Card reader.

Your Smart Card and your RFID badge are detected, and the following window appears:

2. Click the Enroll button to enroll your RFID badge.

Your RFID badge is now enrolled.


2.2.4.3 Everyday Log on

Procedure

1. Place the RFID badge in the unlock area so that Enterprise SSO detects it.

The authentication window appears.

• If several RFID badges are detected in the unlock area, the RFID owner field lists all the detected RFID badges.

• You can take your badge back before typing in your password.

2. In the RFID owner field, select the wanted RFID badge, type in your password and click OK.

If you have taken your RFID badge back, you have 30 seconds to enter your password and validate.

Your session opens.

2.2.4.4 Logging on through Citrix/TSE 

If you want to log on through Citrix/TSE, you must press the SHIFT key when placing your RFID badge in the unlock area.

2.2.4.5 Logging out 

There are two possibilities for logging out:

• If you have left your RFID badge in the unlock area, retrieve it and the session closes.

Not relevant for HID Prox 125kHz badges.


• If you retrieved your RFID badge when opening the session, you must place it back in the unlock area and retrieve it again to close the session.

• You can configure how the session closes in the Access Point Profile.

• If an E-SSO authentication (primary reauthentication, SSOStudio launch, etc.) is necessary, then placing the RFID badge in the unlock area will not lock the PC.

• If you have a contact chip badge, you must insert it in the RFID reader.

2.2.5 Forcing Cache Update at Logon

Subject

By default, the authentication is done against the existing cache. The following procedure explains how to force the authentication to be done in the target directory and so update the authentication data in the cache.

Procedure

1. In the authentication window (whatever the authentication token used), provide your authentication information.

2. Select the Do not use user cache check box and click OK.

The authentication is done in the directory and the cache is updated.

2.3 Displaying Session Information

Subject

You can display your session information at any time as explained in the following procedure.

Procedure

• Press Ctrl+Alt+Del.

The session information window appears, as illustrated in the following example windows.

The main session data are:

• The authenticated Enterprise SSO user.

• The Windows user account used.

• The date and time the Enterprise SSO session is opened.


Example

Active Directory Session Information

• Password Authentication

The following illustration is an example of an Enterprise SSO Session Information window that appears when authenticating with a password through Active Directory: the Enterprise SSO and Windows accounts correspond to the same user, and you can change your password.

• Smart card Authentication

The following illustration is an example of an Enterprise SSO Session Information window that appears when authenticating with a smart card through Active Directory: the Enterprise SSO and Windows accounts again correspond to the same user, and you can change your PIN.


• Finger Authentication

The following illustration is an example of an Enterprise SSO Session Information window that appears when authenticating with your finger through Active Directory: the Enterprise SSO and Windows accounts correspond to the same user, and the Change your password button is disabled.

LDAP Directories (other than Active Directory) Session Information

Session data when authenticating with any supported LDAP directory except Active Directory. The Enterprise SSO and Windows accounts are different.


2.4 Shutting Down the Workstation

Subject

The Advanced Login shutdown functionality is the same as with classical Windows sessions. It allows you to:

• Close the session.

• Shutdown the workstation.

• Reboot the workstation.

• Put the workstation into a sleep state.

• Put the workstation into a hibernate state (if activated in the system parameters).

Procedure

1. Press Ctrl+Alt+Del.

The session information window appears.

2. Click the Shutdown button.

The shutdown window appears.


2.5 Locking/Unlocking the Workstation

2.5.1 Locking the Computer 

Subject

The Lock state enables you to prevent anybody from using the workstation in your absence.

This section describes the possible means to lock a computer.

Procedure

To lock the computer, do one of the following:

• Press Ctrl+Alt+Del keys and click the Lock computer button.

• If you have authenticated with a smart card, remove the smart card from the reader (or a USB key from its port) and do not take any action for 10 seconds.

The administrator can modify the default workstation behavior when a token is removed, from the Enterprise SSO Console. If the session is not locked at token removal, it means that your administrator has modified this option.

• If you have authenticated with an RFID badge, place the RFID badge outside the visibility area (in the lock area).

• Put the computer into a sleep state.


2.5.2 Unlocking the Computer 

Subject

A computer can only be unlocked by the user who has locked it (unless it is unlocked using the "Fast-user switching" option).

To unlock the computer, you must re-authenticate as at session opening. The authentication method does not necessarily need to be the same as for opening the main session.

If you have authenticated with an RFID badge and locked the session by placing the RFID badge outside the unlock area, the session is automatically unlocked if you come back with your RFID badge in the unlock area before the grace period (which has been set by your administrator).

A user with administration rights on the workstation can force the closure of a locked administration session.

Procedure

To unlock the computer, do one of the following:

• Press Ctrl+Alt+Del keys and log on as described in Section 2.2.1, Logging on to Windows using User Name/Password.

• Insert your smart card (if any) and log on as described in Section 2.2.2, Logging on to Windows with Smart Cards.

• Place your finger on the scanner (if any) and log on as described in Section 2.2.3, Logging on to Windows using your Fingers.

• Place your RFID badge inside the unlock area:

• If the grace period is exceeded, log on as described in Section 2.2.4, Logging on to Windows Using Your RFID Badge.

• If the grace period is not exceeded, the session is automatically unlocked.

The grace period is set by your administrator.

2.6 Modifying Password or PIN

If you are allowed to by your administrator, you can change your password or PIN, as explained in the following procedure.

This section also explains how to modify the password of another user.


2.6.1 Modifying Password

Subject

This section explains how to modify your own password or the password of another user (if you are allowed to).

Procedure

1. Open your session as explained in Section 2.2.1, Logging on to Windows using User Name/Password and press Ctrl+Alt+Del.

2. Click the Change a Password button.

The change password screen appears.

If the change password option has been disabled by your administrator, clicking on Change a Password will have no effect.

3. Enter the information required and click OK.

To modify the password of another user, type the following information in the User field: <user domain>\<user name> or <user name>@<domain name>

The password is modified in the LDAP directory.


2.6.2 Modifying your PIN

Subject

This section explains how to modify the PIN of your smart card.

Procedure

1. Open your session as explained in Section 2.2.2, Logging on to Windows with Smart Cards and press Ctrl+Alt+Del.

2. Click the Change PIN button.

The change PIN screen appears.

If the change PIN option has been disabled by your administrator, clicking on Change PIN will have no effect.

3. Enter the information required and click OK.

The smart card PIN is modified.

2.7 Using the Emergency Access (SOS)

The Emergency Access feature allows you to:

• Reset your password in case you have forgotten it: see Section 2.7.1, Resetting Your Password.

• Reset your PIN in case you have forgotten it or to unlock your smart card (only accessible in disconnected mode): see Section 2.7.2, Resetting Your PIN.


2.7.1 Resetting Your Password

Subject

The Reset Password functionality allows you to reset your password in case you have forgotten it.

Before Starting

To be able to reset your primary password, SSOWatch must be installed on your workstation, and you must have chosen a set of questions (optional) and recorded the associated answers using the E-SSO Emergency Access Wizard (see Appendix Enterprise SSO - Getting Started with SSOWatch).

Procedure

1. In the session opening window, click the SOS button.

The Emergency Access wizard appears.

2. Follow the displayed instructions.

If the following window appears, call the Help Desk and give them the displayed challenge, so that they can give you back the administrator challenge.

The need to call the Help Desk to reset your password depends on the configuration set by your administrator in the Enterprise SSO Console.

You cannot use the challenge given by the Help Desk a second time.

When the Wizard terminates, your password is reset and a session opens. You can then use the new password for subsequent logon.

If the password has been reset in disconnected mode, you will be asked to change it again the next time you connect to the network.


2.7.2 Resetting Your PIN

Subject

The Reset PIN functionality allows you to:

• Reset your PIN in case you have forgotten it.

• Unlock your smartcard.

Restriction

The reset PIN feature is only available in disconnected mode (set by the administrator).

Before Starting

To be able to reset your PIN, you must have chosen a set of questions (optional) and recorded the associated answers using the E-SSO Emergency Access initialization Wizard (see Appendix Enterprise SSO - Getting Started with SSOWatch).

Procedure

1. In the session opening window, click the SOS button.

The Emergency Access wizard appears.

2. Follow the displayed instructions:

When the following window appears, call the Help Desk and give them the displayed challenge, so that they can give you back the administrator challenge.

You cannot use the challenge given by the Help Desk a second time.

When the Wizard terminates, your PIN is reset and a session opens. You can then use the new PIN for subsequent logon.


2.8 Logging on as an Administrator on a User Session ("Administrator Grace Period")

Subject

An administrator can log on a user's session using his own smart card, even though the user opened his Windows session using a smart card.

Procedure

1. Press the Shift key while the logged-on user's smart card is withdrawn.

The user session is left unchanged. If the SSOWatch engine was running, it is automatically set to a locked mode.

2. Insert your administrator smart card and enter your PIN before the end of the grace period (the default value is 60 seconds).

The length of the grace period can be configured from the Enterprise SSO Console.

This authentication allows E-SSO to verify your identification data. The user Windows session stays open, so your Windows permissions do not apply.

3. Perform your administration tasks on the user workstation: if you run an E-SSO application (Enterprise SSO Studio, …), the authentication is done using your administrator smart card.

4. When you are finished with the user's workstation, withdraw your smart card.

The user session appears as it was before the smart card removal. The user is prompted to insert his smart card and provide his PIN code to turn the SSOWatch engine back to the unlocked mode.


3. Using Advanced Login on Windows Vista Systems

This section describes the E-SSO authentication with Advanced Login on Windows Vista systems.

3.1 The Initial Authentication Screen

The initial authentication screen appears when you press Ctrl+Alt+Del at workstation startup, or when you want to switch user.

In the following example screen, two sessions are already open.

The initial authentication screen shows several tiles corresponding to the log on methods (credential providers) which are allowed and installed on the workstation, and to the users logged on the workstation.

On Windows Vista, several users can be logged at the same time on a workstation, but only one session can be active on the workstation.

Advanced Login provides the following authentication methods on Windows Vista systems:

• User name/password authentication (two middle tiles in the example screen).

Several users can be logged at the same time on the workstation. The screen shows one tile for each logged user, or if no user is logged, it shows one tile with the name of the last logged user. The "Other User" tile allows another user to open a session.

See Section 3.2.1, Authenticating on Windows Vista Using User Name/Password.


• Smart card authentication (first tile in the example screen):

The initial authentication screen shows as many tiles as accounts stored on the smart card.

See Section 3.2.2, Authenticating on Windows Vista Using Smart Cards.

• Biometric authentication (last tile in the example screen):

See Section 3.2.3, Logging on to Windows using your Fingers.

3.2 Logging on to Windows Vista

3.2.1 Authenticating on Windows Vista Using User Name/Password

Subject

This section explains how to connect to Windows with your user name and password through Active Directory or any other supported directories.

Procedure

1. Press Ctrl+Alt+Del.

The initial authentication screen appears.

2. If any, click the tile corresponding to your name, or if no tile shows your name, click the Other User tile.

The authentication screen appears. The following example window shows the "Other User" authentication tile.


3. Do one of the following:

• To log on to the domain displayed on screen, type your user name and password.

• To log on to another domain than the one displayed on the screen, type <domain name>\<user name>.

If you need to open a local session (you will not be protected by the advanced features of Enterprise SSO), type <workstation name>\<user name>.

• Click .

• The Windows session opens.

3.2.2 Authenticating on Windows Vista Using Smart Cards

3.2.2.1 Logging on With a Smart Card Containing Account Data

Subject

If your account data is enrolled on the smart card, you can log on to your Windows session as explained in the following procedure.

Procedure

1. Press Ctrl+Alt+Del.

The initial authentication screen appears.

2. Insert your smart card in the smart card reader.

The initial authentication screen appears, displaying as many tiles as primary accounts stored on the smart card.

By default, the tile corresponding to the last primary account used to log on the workstation is selected.

If none of the listed primary accounts correspond to the last used primary account, one of the listed primary accounts is randomly selected. If there is only one primary account in the card, this primary account is selected.


3. Enter the PIN of your smart card and click .

You do not need to enter your username and domain name as they are already stored on the card when it is created by an Enterprise SSO administrator.

If your log on password has expired, a new password is requested. The new password will be stored instead of the old one.

4. If there are several Windows accounts corresponding to the primary account, select an account in the role selection window that appears.

The Windows session opens.

3.2.2.2 Logging on Using a Blank Smart Card 

Subject

The first time you use a smart card to log on to your workstation, your account data is not stored on the smart card yet. The following procedure explains how to enroll your own account on the smart card.

The following procedure only applies to smart cards that can handle self-enrolment and multi-accounts.

Procedure

1. Press Ctrl+Alt+Del.

The initial authentication screen appears.

2. Insert your smart card in the smart card reader.

As your account is not stored on the smart card yet (first smart card authentication), the smart card tile displays "Not assigned".


3. Click the "Not assigned" smart card tile.

The authentication screen appears.

4. Enter the PIN of your smart card and click .

As this is the first time you authenticate with this smart card, you are prompted for your log on user name and password (which are stored in the directory). This information will be stored on the smart card and will no longer be requested, unless it is changed through an external procedure (administrator forcing a change, or a change initiated from a workstation not protected by Enterprise SSO Advanced Login).

5. Type the required information and click OK.

The account is created on the smart card and the session opens.


3.2.2.3 Enrolling a New Account on a Smart Card 

Subject

If your smart card can store several accounts, Advanced Login allows you to enroll new accounts on your smart card, as explained in the following procedure.

The account you want to store on the smart card must exist in the users' directory.

Procedure

1. Press Ctrl+Alt+Del.

The initial authentication screen appears.

2. Insert your smart card in the smart card reader.

The tile corresponding to the last primary account used to log on the workstation is selected.

3. Enter the PIN of your smart card.

4. Select the Create a new account check box and click .

The Windows Account Entry window appears.


5. Type the required information and click OK.

The account is created on the smart card and the Windows session opens.

3.2.2.4 Forcing Cache Update at Logon

Subject

By default, the authentication is done on the existing cache. The following procedure explains how to force the authentication to be done in the target directory and so to update the authentication data in the cache.

Procedure

1. Insert your smart card in the smart card reader.

2. Click I want to modify login options.

The login option window appears.

3. Select the Update User Cache check box and click OK.


3.2.3 Logging on to Windows using your Fingers

 Advanced Login can work in two modes to authenticate users using their biometric data:

• STORE ON PC Mode

In this mode, the biometric data is stored on the PC in the Enterprise SSO cache file. The finger replaces the ID/Password. You must enroll yourself on each PC that you connect to.

• STORE ON SERVER Mode

In this mode, the biometric data is stored on a server. The finger replaces the ID/Password.

3.2.3.1 First Log on

Subject

To be able to log on to Windows using your finger, you must first enroll your biometric data.

Before Starting

• Make sure the Enterprise SSO fingerprint module is installed on the workstation.

• A fingerprint reader must be installed on the workstation.

The workstation can support only one reader.

We strongly recommend that you download the latest:

• Drivers and licence of your product;

• Licence for the installation.

• If you use several fingerprint readers, just plug in the one reader you want to use and restart the computer.

For more information on supported biometric devices, see Quest Enterprise SSO Release Notes.

• If the administrator has configured a validation of your authentication, a second E-SSO user must authenticate him or herself after you.

• If the Biometric Enrollment tool is not available, modify the SSOWatch installation by selecting the Biometrics Enrollment tool option and restart the computer.

Ensure that the Controller is available to be able to enroll in Store on Server Mode.


Procedure

1. Log on using your password, as described in Section 3.2.1, Authenticating on Windows Vista Using User Name/Password.

The Enterprise SSO Biometric Enrollment tool starts after a successful authentication.

2. If it does not start: display the SSOWatch menu by right-clicking the SSOWatch icon in the notification area and clicking Biometric Enrollment.

3. Follow the instructions of the Biometric Enrollment tool.

4. When you have successfully completed the scan of your finger(s), log off and try to log on using the fingerprint reader, as described in Section 3.2.3.2, Everyday Log on.

There can only be one set of fingers per biometric reader.

3.2.3.2 Everyday Log on

Subject

This section describes how to log on to Windows using your finger.

Depending on your biometric authentication mode (STORE ON PC or STORE ONSERVER), the procedure is slightly different.

Before Starting

You must have enrolled your biometric data, as described in Section 3.2.3.2, Everyday Log on.

Each time you connect yourself to a new workstation in Store on PC mode, you must enroll your biometric data.

Procedures

STORE ON PC Mode

1. When the Advanced Login welcome screen appears, place your finger on the scanner.

The following tile appears:


Depending on your configuration, you log on automatically when your finger is successfully captured. If not, the following window appears:

2. Make sure your Login is correct and click the to validate.

For details on how to enable the automatic validation, see Section A.1, Advanced Login Configuration Parameters.

STORE ON SERVER Mode

1. When the Advanced Login welcome screen appears, place your finger on the scanner.

The following tile appears:


Depending on your configuration, you log on automatically when your finger is successfully captured. If not, the following window appears:

2. Make sure your Login is correct and click the to validate.

If the authentication fails, you have to check your ID. If it is not the right one, enter the correct ID.

For details on how to enable the automatic validation, see Section A.1, Advanced Login Configuration Parameters.

3.2.3.3 Forcing Cache Update at Logon

Subject

By default, the authentication is done on the existing cache. The following procedure explains how to force the authentication to be done in the target directory and so to update the authentication data in the cache.

This is only available if Automatic Validation is disabled by the Administrator in the Enterprise SSO Console (see the Enterprise SSO Console Administrator Guide).


Procedure

1. After choosing the tile, click I want to modify login options.

The Login Options window appears.

2. Select the Update User Cache check box and click OK.

3.3 Locking/Unlocking the Session

3.3.1 Locking the Session

Subject

The Lock state enables you to prevent anybody from accessing your session on the workstation in your absence.

This section describes the possible means to lock a computer.

Procedure

When your session is open, do one of the following to lock the computer:

• Press Ctrl+Alt+Del keys and click the Lock this computer option.

• If you have authenticated with a smart card, remove the smart card from the reader (or a USB key from its port).

The default workstation behavior when a token is removed can be modified by the administrator from the Enterprise SSO Console. If the session is not locked at token removal, it means that your administrator has modified this option.

• Put the computer into a sleep state.

The workstation gets in the lock state and the "Ctrl+Alt+Del" screen appears.


3.3.2 Unlocking the Session

Subject

To unlock the computer, you must re-authenticate as at session opening. The authentication method does not necessarily need to be the same as for opening the main session.

If a station is in the locked state, another user can unlock it by logging on with his or her own credentials, without unlocking the first user's locked session.

Procedure

Unlocking Your own Session

1. To unlock the session you have locked, press Ctrl+Alt+Del.

The authentication screen corresponding to the authentication method used appears.

The following example screen shows the unlock authentication screen for a user authenticated with a smart card.

2. Enter your PIN or password and click .

Your session is unlocked.


Procedure

Logging on a Workstation Locked by Someone Else

1. To log on a workstation locked by someone else, press Ctrl+Alt+Del.

The authentication screen corresponding to the authentication method used by the other user to lock his/her session appears.

2. Click the Other Credentials button.

3. Click the Switch User button.

The initial authentication screen appears.

4. Log on to the workstation as explained in Section 3.2, Logging on to Windows Vista.

3.4 Switching Users

Subject

This section explains how to rapidly switch users on a workstation.

Procedure

When a session is open, press Ctrl+Alt+Del and click the Switch User option.

The initial authentication screen appears and another user can log on the workstation. The first user session stays locked on the workstation.

3.5 Modifying your Password or PIN

If you are allowed to by your administrator, you can change your password or PIN, as explained in the following procedure.

3.5.1 Modifying your Password

Subject

If you have authenticated with your smart card, you can modify the password of the account that you have used to authenticate, as explained in the following procedure. The password will be modified on the smart card and in the directory.

If you have authenticated using your user name and password, you can modify your password as explained in the following procedure.


Procedure

1. Open your session as explained in Section 3.2.1, Authenticating on Windows Vista Using User Name/Password and press Ctrl+Alt+Del.

2. Click the Change a Password option.

The change password screen appears.

If the change password option has been disabled by your administrator, clicking on Change a Password will have no effect.

The following example screen shows a change password screen for a user authenticated with a smart card.

3. Enter the information required and click .

The password is modified on your smart card (if you have logged on with a smart card) and in the LDAP directory.


3.5.2 Modifying your PIN

Subject

The Advanced Login Credential Manager feature is automatically started at logon time and allows you to change your PIN.

Procedure

1. Open a Windows session as explained in Section 3.2.2, Authenticating on Windows Vista Using Smart Cards.

2. In the Notification area, right click the icon and select Change PIN.

The change PIN screen appears.

3. Enter the required information and click OK.

The smart card PIN is modified.

3.6 Using the Emergency Access

The Emergency Access feature allows you to:

• Reset your password in case you have forgotten it: see Section 3.6.1, Resetting Your Password.

• Reset your PIN in case you have forgotten it or to unlock your smart card (only accessible in disconnected mode): see Section 3.6.2, Resetting Your PIN.


3.6.1 Resetting Your Password

Subject

The Reset Password functionality allows you to reset your password in case you have forgotten it.

Before Starting

To be able to reset your primary password, SSOWatch must be installed on your workstation, and you must have chosen a set of questions (optional) and recorded the associated answers using the E-SSO Emergency Access Wizard (see Enterprise SSO - Getting Started with SSOWatch).

Procedure

1. In the authentication screen, click I have forgotten my password.

If the I have forgotten my password option does not appear on the screen, it means that your administrator has disabled it (see Section A.1, Advanced Login Configuration Parameters for more details).

The Reset password wizard appears.

2. Follow the displayed instructions.

If the following window appears, call the Help Desk before the end of the two minutes during which the Exchange with help desk window stays open. Give them the displayed challenge, so that they can give you back the administrator challenge. You cannot use the challenge given by the Help Desk a second time.

The need to call the Help Desk to reset your password depends on the configuration set by your administrator in the Enterprise SSO Console.

When the Wizard terminates, your password is reset and a session opens. You can then use the new password for subsequent logon.

If the password has been reset in disconnected mode, you will be asked to change it again the next time you connect to the network.


3.6.2 Resetting Your PIN

Subject

The Reset PIN functionality allows you to:

• Reset your PIN in case you have forgotten it.

• Unlock your smartcard.

Restriction

The reset PIN feature is only available in disconnected mode (set by the administrator).

Before Starting

To be able to reset your PIN, you must have chosen a set of questions (optional) and recorded the associated answers using the E-SSO Emergency Access initialization Wizard (see Enterprise SSO - Getting Started with SSOWatch).

Procedure

1. In the authentication screen, click I have forgotten my PIN.

If the I have forgotten my PIN option does not appear on the screen, it means that your administrator has disabled it (see Section A.1, Advanced Login Configuration Parameters for more details).

The Reset PIN wizard appears.

2. Follow the displayed instructions:

When the following window appears, call the Help Desk before the end of the 2 minutes during which the Exchange with help desk window stays open. Give them the displayed challenge, so that they can give you back the administrator challenge.

You cannot use the challenge given by the Help Desk a second time.

When the Wizard terminates, your PIN is reset and a session opens. You can then use the new PIN for subsequent logon.


3.7 Managing Primary Accounts on Your Smart Card

Subject

The Advanced Login Credential Manager feature is automatically started at logon time and allows you, among other actions, to delete or create a primary account on a smart card.

The following procedure only applies to smart cards that can store several SSO accounts.

You can delete all the accounts stored on the smart card, even the one you used to log on. In this case, after the account deletion, the session stays open. Do not lock it because you won't be able to unlock it.

Procedure

1. Open your session as explained in Section 3.2.2, Authenticating on Windows Vista Using Smart Cards.

2. In the Notification area, right click the icon and select Manage Primary Accounts.

The account management window appears and lists the accounts stored on the smart card.

If you delete the account that you have used to log on, the session will stay open: do not lock it because you won't be able to unlock it. We recommend that you log off the session after the account deletion.

• Select the account you want to add or remove and click the Add or Remove button.

• Follow the displayed instructions and click OK.

The account is created or removed on the smart card.


3.8 Logging on as an Administrator on a User Session ("Administrator Grace Period")

Subject

An administrator can log on a user's session using his own smart card, even though the user opened his Windows session using a smart card.

Procedure

1. Press the SHIFT key while the logged-on user's smart card is withdrawn.

The user session is left unchanged. If the SSOWatch engine was running, it is automatically set to a locked mode.

2. Insert your administrator smart card and enter your PIN before the end of the grace period, the default value being 60 seconds.

The length of the grace period can be configured from the Enterprise SSO Console.

This authentication enables E-SSO to check your identification data. The user Windows session stays open, so your Windows permissions do not apply.

3. Perform your administration tasks on the user workstation: if you run an E-SSO application (Enterprise SSO Studio, etc.), the authentication is done using your administrator smart card.

4. When you have finished with the user’s workstation, withdraw your smart card.

The user session appears as it was before the smart card removal. The user is prompted to insert his smart card and provide his PIN to switch the SSOWatch engine back to the unlocked mode.


VALUE: WorkStationAccountRandomNPGP
DESCRIPTION: Only used with any supported LDAP directory except Active Directory.
In this type of architecture, Enterprise SSO stores users' SSO data in another LDAP directory than Active Directory, but the users' accounts are stored in Active Directory and are managed by Enterprise SSO as secondary accounts. By default, the Windows password must be changed manually.
• 0: manual change of Windows password.
• 1: automatic change of Windows password.
LOCATION: A

VALUE: BioAutoValidate
DESCRIPTION: Store on PC mode only: enable/disable the automatic validation upon fingerprint authentication:
• 0: disabled.
• 1: enabled.
LOCATION: A

VALUE: ResetPassword
DESCRIPTION: Makes the SOS button available or unavailable:
• 0: available.
• 1: unavailable.
LOCATION: C

VALUE: ByPassWGAuthForLocalAdmin
DESCRIPTION: Enables users that are not local administrators to bypass the Advanced Login authentication: users which are members of the local "administrators" group, directly or via group membership, can bypass the Advanced Login authentication even if they cannot create the Enterprise SSO keys/objects.
• 0: disabled.
• non-null value: enabled.
LOCATION: B

VALUE: ManageUserExclusion
DESCRIPTION: Windows Vista only. Enable or disable SSO for excluded users.
• 0: At user authentication, Advanced Login opens a session, and gets the used credentials to start SSOEngine with them.
• ≠ 0: At user authentication, Advanced Login first tries to authenticate with the given credentials against the E-SSO directory. If the user belongs to an exclusion group, the Windows session is opened, but no SSO will be available for that session. If the user does not belong to any exclusion group, opening the Windows session is submitted to the success of the E-SSO authentication.
LOCATION: B


Quest Enterprise SSO 8.0.3 – Advanced Login for Windows

A.2 Biometrics Configuration Parameters

This section describes the biometrics parameters in the computer registry. These parameters are located under the following key:
HKEY_LOCAL_MACHINE\Software\Enatel\WiseGuard\FrameWork\Authentication

VALUE DESCRIPTION

BiometricFAR
FAR: False Accepted Rate. Modify this value depending on your tolerance limits.
Default value: 20000 (meaning that the probability that a wrong fingerprint passes is 1/20000).

BiometricMaxEnrolledUsers
Maximum number of users that can be enrolled on the workstation (Store on PC mode).
Default value: 20.
If the maximum number is exceeded, the oldest enrolled user is deleted.
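As an added example (not part of the guide), the following Python audit applies the value semantics documented in the A.1 and A.2 tables above to a constructed set of registry values and flags the settings that weaken the logon policy. The effective false-accept figure assumes a 1:N comparison of the presented finger against every enrolled template, which the guide does not state.

```python
"""Audit a set of Quest E-SSO Advanced Login registry parameters.

Added example, not from the guide: value names, 0/1 meanings and defaults
are those documented in Appendix A; SAMPLE_VALUES is a constructed sample,
not data read from a real workstation.
"""
from typing import Dict, List

DEFAULT_FAR = 20000          # A.2: a wrong fingerprint passes with p = 1/20000
DEFAULT_MAX_ENROLLED = 20    # A.2: Store on PC mode enrollment limit

# Constructed sample of values as they might appear under the registry key.
SAMPLE_VALUES: Dict[str, int] = {
    "ByPassWGAuthForLocalAdmin": 1,   # non-null: local admins skip Advanced Login
    "ResetPassword": 0,               # 0 means the SOS button IS available
    "BiometricFAR": 5000,             # four times more permissive than default
    "BiometricMaxEnrolledUsers": 20,
}


def effective_false_accept(far: int, enrolled_users: int) -> float:
    """Probability that one wrong finger matches at least one template.
    Assumption (ours, not the guide's): a Store on PC logon compares the
    finger against every enrolled user's template, so the chance grows
    with the number of enrolled users."""
    return 1.0 - (1.0 - 1.0 / far) ** enrolled_users


def audit(values: Dict[str, int]) -> List[str]:
    """Return one finding per parameter that weakens the logon policy."""
    findings: List[str] = []
    if values.get("ByPassWGAuthForLocalAdmin", 0) != 0:
        findings.append("ByPassWGAuthForLocalAdmin enabled: members of the "
                        "local Administrators group bypass Advanced Login")
    # Inverted meaning documented for this value: 0 = available, 1 = unavailable.
    if values.get("ResetPassword") == 0:
        findings.append("ResetPassword=0: the SOS button is available")
    far = values.get("BiometricFAR", DEFAULT_FAR)
    if far < DEFAULT_FAR:
        findings.append(f"BiometricFAR={far}: more permissive than the "
                        f"default 1/{DEFAULT_FAR}")
    enrolled = values.get("BiometricMaxEnrolledUsers", DEFAULT_MAX_ENROLLED)
    if enrolled > DEFAULT_MAX_ENROLLED:
        findings.append(f"BiometricMaxEnrolledUsers={enrolled}: above the default "
                        f"{DEFAULT_MAX_ENROLLED}; effective false accept per logon "
                        f"rises to {effective_false_accept(far, enrolled):.2e}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_VALUES):
        print(finding)
    print(f"effective false accept at defaults: "
          f"{effective_false_accept(DEFAULT_FAR, DEFAULT_MAX_ENROLLED):.2e}")
```

On a real workstation the dictionary can be filled from the key named in A.2 with the standard library's winreg module; the audit logic itself does not depend on how the values were obtained.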

A.3 Modifying the Authentication Screen Icons (Windows Vista only)

Subject

This section only applies to Windows Vista.

You can change the bitmaps displayed in the Windows Vista tiles as explained in the following procedure.

Procedure

In the Advanced Login installation folder (by default: C:\Program Files\Quest Software\E-SSO\Advanced Login), create the two following bitmaps, with a size of 96x96 pixels:

• ESSOCredProv.bmp: the icon displayed in the initial authentication screen for the smart card tile when no smart card is inserted.

• ESSOCredProvActive.bmp: the icon displayed when a smart card tile is selected or selectable.


About Quest Software, Inc.

Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products—helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

Contacting Quest Software

Phone 949.754.8000 (United States and Canada)

Email [email protected]

Mail Quest Software, Inc.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
USA

Web site www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com/

From SupportLink, you can do the following:

• Retrieve thousands of solutions from our online Knowledgebase

• Download the latest releases and service packs

• Create, update and review Support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com.