e-sso 803 kioskclusteradminguide

Upload: wolalo

Post on 03-Apr-2018


  • 7/29/2019 E-SSO 803 KioskClusterAdminGuide

    Kiosk and Cluster Modes

    Administrator Guide

    Enterprise Single Sign-On 8.0.3

    Copyright 1998-2009 Quest Software and/or its Licensors. ALL RIGHTS RESERVED.

    This publication contains proprietary information protected by copyright. The software described in this publication is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical or otherwise without the prior written permission of the publisher.

    DISCLAIMER

    The information in this publication is provided in connection with Quest branded products from Evidian. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE AGREEMENT FOR THIS PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO THIS PRODUCT, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN IF EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Evidian and Quest make no representations or warranties with respect to the accuracy or completeness of the contents of this publication and reserve the right to make changes to specifications and product descriptions at any time without notice. Evidian and Quest do not make any commitment to update the information contained in this publication. The information and specifications in this publication are subject to change without notice.

    Trademarks

    Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, InTrust, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, Stat!, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster, SSOWatch, WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks mentioned in this document are the property of their respective owners.

    World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656. Website: www.quest.com. Please refer to our website for regional and international office information.

    Quest Enterprise SSO

    Updated January 2010. Software version 8.0.3

    http://www.quest.com/
    CONTENTS

    About This Guide
        Access Management
        Conventions
    1. Overview
        1.1 Kiosk and Cluster Modes Functions
            1.1.1 Kiosk Mode Functions
            1.1.2 Cluster Mode Function
        1.2 Kiosk and Cluster Mode Authentication Methods
        1.3 Required Enterprise SSO Modules
    2. The Fast User Switching (FUS) Function
        2.1 Fast User Switching: Overview and Use
            2.1.1 Definition
            2.1.2 Fast User Switching Modes
        2.2 Configuring Hierarchized Access FUS
            2.2.1 Activating Hierarchized Access FUS
            2.2.2 Overriding the User "Unlocking Level" (Optional)
        2.3 Configuring Shared Access FUS
            2.3.1 Activating FUS for Shared Access FUS Users
            2.3.2 Associating Users with a Shared Windows Account
            2.3.3 Activating Shared Access FUS on Dedicated Access Points (Optional)
        2.4 Installing and Configuring Public Access FUS
        2.5 Configuring Application Closing
    3. The Roaming Session Mode
        3.1 Roaming Session Mode: Overview and Use
        3.2 Configuring the Roaming Session Mode
            3.2.1 Activating the Roaming Session Mode for Users
            3.2.2 Activating the Roaming Session Mode on Computers
        3.3 Administering Users Roaming Sessions
            3.3.1 Administering Users Roaming Sessions from the Enterprise SSO Console
            3.3.2 Administering Current Roaming Session from the Users Workstation
    4. The Cluster Mode
        4.1 Cluster Mode Overview
        4.2 Creating and Configuring a Cluster of Access Points
        4.3 Displaying Cluster Event Logs (Events Tab)
        4.4 Renaming Clusters
        4.5 Deleting Clusters
        4.6 Removing Temporarily an Access Point From the Cluster
    About Quest Software, Inc.
        Contacting Quest Software
        Contacting Quest Support

    About This Guide

    Access Management

    SUBJECT

    The Kiosk mode gathers the following functionalities: Fast User Switching and Roaming Session mode.

    This guide explains how to configure the Kiosk and Cluster mode functionalities.

    INTENDED READER

    Enterprise SSO Administrators who know how to use the Enterprise SSO Console.

    SOFTWARE/HARDWARE REQUIRED

    Enterprise SSO 8.0 evolution 3 and later versions.

    For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to Quest Enterprise SSO Release Notes.

    SUPPORTED OPERATING SYSTEMS

    Enterprise SSO controller runs only on Windows systems.

    Kiosk and Cluster modes are only available on Windows Enterprise SSO clients.

    Conventions

    In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

    ELEMENT              CONVENTION
    Select               This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
    Bolded text          Interface elements that appear in Quest products, such as menus and commands.
    Italic text          Used for comments.
    Bold Italic text     Introduces a series of procedures.
    Blue text            Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.
    (note icon)          Used to highlight additional information pertinent to the process being described.
    (best practice icon) Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
    (caution icon)       Used to highlight processes that should be performed with care.
    +                    A plus sign between two keystrokes means that you must press them at the same time.
    |                    A pipe sign between elements means that you must select the elements in that particular sequence.

    1. Overview

    Enterprise SSO Kiosk and Cluster modes speed up computer use and improve security.

    1.1 Kiosk and Cluster Modes Functions

    1.1.1 Kiosk Mode Functions

    Fast User Switching

    Fast User Switching (FUS) simplifies the access to computers used by several employees.

    FUS modifies the Microsoft session unlocking method by allowing users to unlock or close another user's session, by using one of the following methods:

    • Hierarchized access FUS: users are only authorized to unlock or close the session of other users whose level is below or equal to their own level.

    • Shared access FUS: several users have in their Windows account list the one that has opened the session, so they can unlock or close the session of all other users who have the same account.

    • Public access FUS: the workstation session remains open and is the same for all users, but the SSO context and application opening/closing are handled individually for each user.

    This function is particularly used in retail store workstations where salespersons want to check stocks or register orders before their customers change their minds.

    Fast User Switching can work with Roaming Session Mode or with Cluster Mode.

    To know how to configure and use the Fast User Switching, see Section 2, The Fast User Switching (FUS) Function.

    Roaming Session

    The Roaming Session mode simplifies the successive authentication to several computers.

    When a user needs to access several computers during the day, he/she only has to authenticate once on the first computer; then he/she only needs his/her device to open the other computers' sessions.

    This function is particularly used in hospital emergency desks, where nurses and doctors need immediate access to information. It can be combined with Fast User Switching, and can be used on Clusters of computers.

    To know how to configure and use the Roaming Session mode, see Section 3, The Roaming Session Mode.

    1.1.2 Cluster Mode Function

    The Cluster mode is intended for employees who have several computers on their desk and need to use them simultaneously:

    • When an employee authenticates on a computer, sessions on other computers used by this employee are also unlocked.

    • When an employee locks or closes a computer, all other computers used by this employee are locked or closed too.

    This function is particularly used in financial institution trading rooms or control rooms. The cluster mode can be combined with Roaming Session Mode and/or Fast User Switching.

    To know how to configure and use the Cluster mode, see Section 4, The Cluster Mode.

    1.2 Kiosk and Cluster Mode Authentication Methods

    The following table lists the authentication methods that can be used for each of the Kiosk and Cluster mode functions.

    [Table: authentication methods per function. Columns (Authentication Method): Password, Smart Card, Active RFID, Passive RFID, Biometrics. Rows (Function): Hierarchized Access FUS, Shared Access FUS, Public Access FUS, Cluster Mode, Roaming Session Mode. The per-cell marks are not reproduced in this transcript; the Roaming Session Mode row carries two cells marked "Not relevant".]


    1.3 Required Enterprise SSO Modules

    The following table lists the Enterprise SSO modules that you must install to use each of the Kiosk and Cluster mode functions.

    [Table: required modules per function. Columns: Enterprise SSO Client (SSOWatch, Advanced Login) and Enterprise SSO Module (Enterprise SSO Console). Rows (Function): Hierarchized Access FUS, Shared Access FUS, Public Access FUS, Cluster Mode, Roaming Session Mode. The per-cell marks are not reproduced in this transcript; the Hierarchized Access FUS, Shared Access FUS and Roaming Session Mode rows each carry one cell marked "Optional".]

    2. The Fast User Switching (FUS) Function

    2.1 Fast User Switching: Overview and Use

    2.1.1 Definition

    The Enterprise SSO Fast User Switching (FUS) is a functionality that allows multiple users to easily share the same workstation, by allowing them to change the SSO context quickly, without closing the Windows session.

    2.1.2 Fast User Switching Modes

    The Fast User Switching function works in three modes so that it can perfectly fit your needs. These modes are detailed in the following sub-sections.

    In Hierarchized Access FUS and Shared Access FUS, the access to the Windows session is protected: the Windows session locking and unlocking is managed by Advanced Login. All authentication methods can be used, but if an authentication device is used, it ensures that when a user removes his/her device, the session is automatically locked. If the same user comes back to the same workstation, he/she will find his/her applications still open.

    In Public Access FUS, the access to the Windows session is not protected: the workstation session is the same for all users, but each user can access his/her own applications.

    2.1.2.1 Hierarchized Access FUS

    In hierarchized Access FUS, users are associated with an "unlocking level" and a "closing level". They are only authorized to unlock or close the session of other users whose level is below or equal to their own level.

    [Figure: User A's session with User A's applications and User C's applications; User A unlocking level and User C unlocking level.]

    In the above illustration, the Windows user is still User A, and the Enterprise SSO user is User B.

    To configure this FUS mode, see Section 2.2, Configuring Hierarchized Access FUS.

    2.1.2.2 Shared Access FUS

    In Shared Access FUS, all users who need to authenticate to the same workstation have the same Windows account. All these users have in their account list the one that has opened the session. This way, they can unlock the session opened by another user of the same group.

    [Figure: Users A, B and C, each with their own applications, authenticating through one shared Windows account on a computer with Advanced Login.]

    To configure this FUS mode, see Section 2.3, Configuring Shared Access FUS.

    2.2 Configuring Hierarchized Access FUS

    Quest provides hierarchized access Fast User Switching with Advanced Login. The functionality is managed from Enterprise SSO Console.

    2.2.1 Activating Hierarchized Access FUS

    Subject

    You activate hierarchized access FUS from the user security profile, as explained in the following procedure.

    Before Starting

    • Make sure Advanced Login is installed on the workstation you want to be used for Fast User Switching.

    • Make sure you have the following administration role:
      - In classic administration mode: "Security object administrator".
      - In advanced administration mode, your role must contain the following rights: "User security profile: Creation/Modification", "Application profile: Creation/Modification" and "Access point security profile: Creation/Modification".

    For more details on administration roles, see Enterprise SSO Console Administrator Guide.

    Procedure

    1. In the Enterprise SSO Console, from the directory panel, click the user security profile that applies to users that will use the hierarchized Fast User Switching.

    2. Click the Unlocking tab. The Unlocking tab appears. Fill in the tab as explained in the following Unlocking Tab Description section.

    Unlocking Tab Description

    TAB ELEMENT                                    DESCRIPTION
    User level                                     Enter a user hierarchy level (0 is the lowest level, and 50000 is the highest). We recommend leaving a large interval between levels (for example 10; 20; 30 and so on), so that you can add sub-levels in between if needed.
    User can unlock sessions of users below level  Select this check box to allow a user to unlock a session locked by another user whose level is below the specified level.
    User can close sessions of users below level   Select this check box to allow a user to close a session opened by another user whose level is below the specified level.

    When a user tries to perform a FUS on a workstation, Enterprise SSO refers to the unlocking level before the closing level. For example, if the user level does not allow him/her to

    2.2.2 Overriding the User "Unlocking Level" (Optional)

    Subject

    In the application security profile, you can define a different user level than the one specified in the user security profile.

    In this case, when a user launches an application that is associated with this application security profile, the user "unlocking level" is overridden with the level set in the application security profile (usually set to a higher level).

    Procedure

    1. In the Enterprise SSO Console, from the directory panel, click the application security profile that applies to applications for which you want to override the user unlocking level.

    2. Click the Configuration/General tab. The General tab appears.

    3. Select the When application is used, set users "unlocking level" to: check box and set the level number.

    4. Click Apply.

    2.3 Configuring Shared Access FUS

    The shared access FUS is used when no hierarchy can be set between employees that need to access a workstation.

    2.3.1 Activating FUS for Shared Access FUS Users

    To configure shared access FUS, you must first allow users to use the FUS function. For that, you must authorize them to unlock and close the session of other users and assign them a level (the same for all users) through the Unlocking tab of the user security profiles, as explained in Section 2.2.1, Activating Hierarchized Access FUS.

    2.3.2 Associating Users with a Shared Windows Account

    Subject

    In shared access FUS, all users who need to access the same workstation have in their account list the one that has opened the session. The easiest way to configure this is to gather these users in a group of users. The following procedure explains how to associate a group of users with a shared Windows account.

    Before Starting

    To perform the task described in this section, you must have at least the following administration role:

    • In classic administration mode: "Security object administrator".
    • In advanced administration mode, your role must contain the following right: "Application: Creation/Modification".

    Procedure

    1. In the Enterprise SSO Console, from the directory panel, right-click the Organizational Unit that must contain your Application and select New / Template-based Application / Windows. The Windows Application window appears.

    2. Fill in the window by typing the application name and Windows domain.

    3. In the group of users that you want to make share the same Windows account, add the application and define it as shared, as follows:

       a) Click the group of users and select the Application Access tab. The Application Access tab appears.

       b) In the Application Access tab, add the application you have just created, and set the Account type to Shared.

    4. In the group of users, assign an owner for the application, as follows:

       a) Click the group of users and select the Accounts tab. The Accounts tab appears.

       b) Click the application and click the Properties button. The Account Properties window appears.

       c) In the SSO Data tab, create credentials for the account.

       d) In the Ownership tab, you can assign an owner for the account. In this case, this owner becomes the only user authorized to modify the account password.

    Enterprise SSO allows you to manage password modification of a shared application account: if you do not set ownership, all users who are part of the group of users sharing the same application account are authorized to modify the shared account password. The other users automatically retrieve the new password.

    2.3.3 Activating Shared Access FUS on Dedicated Access Points (Optional)

    Subject

    By default, FUS is authorized on all access points, without need of any configuration.

    This section explains how to reserve some workstations only for shared access FUS users. The configured workstations will only be accessible to shared access FUS users.

    Procedure

    1. In the Enterprise SSO Console, from the directory panel, click the access point security profile that applies to computers reserved for shared access FUS users.

    2. Click the Configuration/Advanced Login tab. The Advanced Login tab appears.

    3. Select the Only allow unlocking with the same windows credential check box.

    4. Click Apply.

    2.4 Installing and Configuring Public Access FUS

    Subject

    Quest provides Fast User Switching at the session level (SSOFUS) with SSOWatch, with the "Kiosk mode" extra license.

    The process listens for incoming events from activated authentication devices. These devices are:

    • Smart cards managed from Quest.
    • Smart cards managed externally for which the PKA authentication is activated in Quest.
    • Active RFID device.

    In this FUS mode, the Windows session is the same for all users. The Windows session used is the one of the first user who has opened a Windows session on the workstation.

    Users use their authentication device to access their own SSO context and applications.

    To avoid this, you can set a generic Windows account that has no particular right on its own, to keep the Windows session open for all users, as explained in the following procedure.

    Before Starting

    • Make sure you have the "Kiosk mode" license key.

    • If it is not already set up on your workstation, install Microsoft Redistributables: open the Administration Tools interface (see steps 1 to 4 of the following procedure) and click Install Microsoft Redistributables.

    • Make sure Advanced Login is not installed on the workstation.

    Procedure

    1. Log on as system administrator and install the FUS option with SSOWatch as follows:

       • If you use Ready-To-Go SSO Edition or the Enterprise SSO Quick installation: during the Client installation, select the Public access authentication mode in the client module selection wizard window. For more details on Enterprise SSO quick installation, see Enterprise SSO Quick Installation and Start Guide.

       • If you use the Enterprise SSO advanced installation: during SSOWatch installation, select the Fast User Switching option in the Select Feature wizard window. For more details on E-SSO advanced installation, see Enterprise SSO Advanced Installation and Configuration Guide.

    2. If you want to set a generic logon, activate AutoLogon on the workstation as explained in the following web page: http://support.microsoft.com/?scid=kb%3Ben-us%3B315231&x=10&y=13 (URL valid in September 2009).

    2.5 Configuring Application Closing

    Subject

    When a user locks a session (for Hierarchized and Shared Access FUS) or withdraws his/her device (for Public Access FUS), SSOWatch is closed but the user's running applications remain open.

    To force SSOWatch to automatically close the user's applications before switching context, you must write a DLL. SSOWatch can execute the DLL code at session locking, session unlocking, SSOWatch starting and SSOWatch closing.
    Functions

    The functions that can be called by SSOWatch are:

    • "OnSessionLocked": at session locking.
    • "OnSessionUnLocked": at session unlocking.
    • "EngineStarted": at SSOWatch start.
    • "EngineStopped": at SSOWatch stop.

    Function Format

    The functions must be written according to the following format (the include line and the comments are editorial additions to the guide's skeleton; the type and function signatures are the guide's):

        #include <windows.h>

        /* Parameters passed by SSOWatch to each callback. */
        typedef struct _CUSTOMPARAMETERS {
            LPCSTR szUser;    /* Enterprise SSO user whose context is concerned */
        } CUSTOMPARAMETERS, *PCUSTOMPARAMETERS;

        /* Each callback returns TRUE on success. The four functions must be exported
           by name from the DLL (for example through a .def file) so that SSOWatch can
           resolve them. */

        /* Called at session locking: the place to close the user's applications. */
        BOOL APIENTRY OnSessionLocked(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
        {
            return TRUE;
        }

        /* Called at session unlocking. */
        BOOL APIENTRY OnSessionUnLocked(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
        {
            return TRUE;
        }

        /* Called when SSOWatch starts. */
        BOOL APIENTRY EngineStarted(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
        {
            return TRUE;
        }

        /* Called when SSOWatch stops. */
        BOOL APIENTRY EngineStopped(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
        {
            return TRUE;
        }

    DLL location

    Define the location in a string value of the registry under HKLM\Software\Enatel\SSOWatch\ExternalCall.

    Example: CustomDllName (name of the string value) = C:\SSO\MyDll.dll
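    Because SSOWatch loads whatever DLL this registry value names, at every session lock and unlock, a DLL or folder that non-administrators can modify lets any workstation user run code in SSOWatch's context. The following script is an added example, not part of the Quest guide: it registers the DLL path only after checking that the file and its folder are modifiable by administrative principals alone. The registry key, the CustomDllName value and the C:\SSO\MyDll.dll path come from the section above; the trusted-principal list is this example's assumption.

```powershell
# Added example (not from the Quest guide): register the SSOWatch external-call DLL
# only if the file and its folder are modifiable by administrative principals alone.
# Registry key, value name and default DLL path are the guide's; the trusted list is
# an assumption of this example.
param(
    [string]$DllPath = 'C:\SSO\MyDll.dll'
)

$RegKey    = 'HKLM:\Software\Enatel\SSOWatch\ExternalCall'
$ValueName = 'CustomDllName'

# Principals that may legitimately hold write/delete/permission-change rights.
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Rights that would let a principal replace the DLL or change who can.
$TamperRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                [System.Security.AccessControl.FileSystemRights]::Delete -bor
                [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-UntrustedWriters {
    # Returns the identities granted tamper rights on $Path (inherited ACEs included)
    # that are not in $TrustedPrincipals.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $untrusted = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (([int]$ace.FileSystemRights -band [int]$TamperRights) -eq 0) { continue }
        if ($TrustedPrincipals -notcontains $ace.IdentityReference.Value) {
            $ace.IdentityReference.Value
        }
    }
    return @($untrusted | Sort-Object -Unique)
}

# A relative path would be resolved against SSOWatch's working directory; insist on absolute.
if (-not [System.IO.Path]::IsPathRooted($DllPath)) { throw "DLL path must be absolute: $DllPath" }
if (-not (Test-Path -LiteralPath $DllPath -PathType Leaf)) { throw "DLL not found: $DllPath" }

# Check the file and its parent folder: a writable folder allows delete-and-replace.
$problems = @()
foreach ($item in @($DllPath, (Split-Path -Parent $DllPath))) {
    $writers = Get-UntrustedWriters -Path $item
    if ($writers.Count -gt 0) {
        $problems += "$item is modifiable by: $($writers -join ', ')"
    }
}
if ($problems.Count -gt 0) {
    throw ("Refusing to register the DLL until its ACLs are tightened:`n" + ($problems -join "`n"))
}

# Register the DLL for SSOWatch (string value under the ExternalCall key).
if (-not (Test-Path -LiteralPath $RegKey)) {
    New-Item -Path $RegKey -Force | Out-Null
}
New-ItemProperty -Path $RegKey -Name $ValueName -Value $DllPath -PropertyType String -Force | Out-Null

# Read the value back so the script fails loudly if the write did not take effect.
$stored = (Get-ItemProperty -LiteralPath $RegKey -Name $ValueName).$ValueName
if ($stored -ne $DllPath) { throw "Registry value $ValueName does not hold $DllPath" }
Write-Output "SSOWatch will load $stored at session lock/unlock and at engine start/stop."
```

    Run it from an elevated PowerShell session; a folder created directly under C:\ usually inherits a Modify entry for Authenticated Users, which this check reports so that the inheritance can be broken before the DLL is registered.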

    3. The Roaming Session Mode

    3.1 Roaming Session Mode: Overview and Use

    Definition

    The roaming session mode allows users to open a session (using Enterprise SSO Advanced Login) on one or several computer(s) with their physical authentication token, without having to type a secret, during a defined period of time.

    Mechanism Description

    [Figure: roaming session mechanism. Elements: Admin, User, User object, E-SSO Console, Roaming Session Administration; First Authentication (Login / Password, Smart card + PIN, RFID + Password, Biometry + login); Authentication with Roaming Session (Physical token, NO Secret); Roaming Session Creation, Storage in the Directory, Roaming Session Retrieval; Directory; E-SSO Controller; steps numbered 1, 2 and 3.]

    3.2.1 Activating the Roaming Session Mode for Users

    Subject

    You must activate the roaming session mode in the user security profile. For users associated with this profile, a roaming session will be automatically created after they have authenticated themselves with Advanced Login on a computer that authorizes roaming sessions.

    Procedure

    1. In the Enterprise SSO Console, from the directory panel, click the user security profile that applies to users that will use the roaming session mode.

    2. Click the Security tab. The Security tab appears.

    3. Select the Roaming session duration check box and define the number of hours you want the session to be active (the roaming session is created as soon as the user authenticates on an authorized access point, and the session duration time starts from that moment).

    If you change the duration time in the Roaming session duration field once the roaming session has started, the new value will only be taken into account once the session in progress has expired.

    4. Click Apply.

    3.2.2 Activating the Roaming Session Mode on Computers

    Subject

    You must activate the roaming session mode in the access point security profile. For computers associated with this profile:

    • A roaming session is automatically created when authorized users authenticate on these computers.

    • The roaming session is automatically retrieved when an authorized user presents a physical authentication token; this automatically opens the user session if it exists.

    To optimize the session opening time, we recommend allowing the roaming session mode only on access points that will actually use it.

    Procedure

    1. In the Enterprise SSO Console, from the directory panel, click the access point security profile that applies to computers on which activating the roaming session mode is necessary.

    2. Click the Advanced Login tab. The Advanced Login tab appears.

    3. Select the Allow roaming session check box.

    4. Click Apply.

  • 7/29/2019 E-SSO 803 KioskClusterAdminGuide

    27/37

    Administrator Guide

    3.3 Administering Users Roaming SessionsFrom the Enterprise SSO Console, you can display information on users' roamingsession duration, and decide to delete it for a selected user: see Section 3.3.1,

    Administering Users Roaming Sessions from the Enterprise SSO Console.

    From his/her workstation, the user can also display information on his/her own roamingsession duration, and also delete it: see Section 3.3.2, Administering Current Roaming Session from the Users Workstation .

    3.3.1 Administering Users Roaming Sessions from theEnterprise SSO Console

    Subject

    You can see information on user roaming sessions from the Enterprise SSO Console,as explained in the following procedure.

    You can decide to delete a roaming session. In this case, the current user sessionremains open, but this forces the user to authenticate again at next session opening.This also allows you to disable the roaming session in case a user has lost his/her token.

    Before Starting

    To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Roaming: Delete users sessions".

    For more information on administration modes, see Enterprise SSO Console Administrator Guide.

    Procedure

    1. In the Enterprise SSO Console, from the directory panel, click the user for whom you want to display the roaming session information.

    2. Click the Connection/Authentication tab. The Authentication tab appears. It displays the roaming session duration time left for the selected user.


    3. To delete the displayed roaming session, click the Delete roaming session button.

    The current user session remains open on the computer, but he/she will have to authenticate again at the next session opening.

    3.3.2 Administering Current Roaming Session from the User's Workstation

    Subject

    From his/her workstation, a user can administer his/her own roaming session: he/she can decide to delete a roaming session. In this case, the current user session remains open.

    The functionality described in this section is not available if the user has authenticated with his/her password, or with Biometrics.

    Procedure

    1. On the workstation, in the notification area, right-click the credential manager icon and click Roaming Session.

    The Roaming Session window appears; it displays the roaming session duration time left.


    2. To delete the roaming session, click Terminate. The current user session remains open.


    4. The Cluster Mode

    4.1 Cluster Mode Overview

    Definitions

    A cluster of access points is a set of computers on which the Windows sessions are synchronized by Enterprise SSO. Operations that a user performs on the Windows session (opening, closing, locking, unlocking) of a computer that belongs to the cluster are automatically and simultaneously performed on all the other computers that form the cluster, as illustrated in the following figure:

    [Figure: a Master computer and four Slave computers; a Session Opening or a Session Locking performed on the Master is replicated on every Slave.]

    The number of workstations you can include in a cluster is not limited.

    In a cluster of access points, the computer on which the user performs an action is called the master computer. The same action is simultaneously performed on the other computers of the cluster, called slaves.

    An Enterprise SSO Controller does not work in Cluster mode.


    Mechanism Description

    When a user performs an operation (opening, closing, locking, unlocking) on a computer, this computer becomes the master computer and periodically informs the slave computers of the operation performed. This allows the management of slave computer behaviors.

    Session Opening/Session Unlocking

    When a user opens a session on a computer of the cluster, all the sessions of the other computers of the cluster open with the same user account.

    If a slave computer is not reachable at session opening on the master computer, the session opening operation on this slave computer will be performed as soon as the network is restored.

    If a slave computer restarts, and if the last operation performed on the master computer is a session opening, a session will be opened on this slave computer as soon as it is available.

    If the session of a slave computer is locked by another user, the session is unlocked only if the Fast User Switching (FUS) option is activated for the user (see Section 2, The Fast User Switching (FUS) Function). If a user performs a FUS on a computer, all the other computers of the cluster perform the FUS.

    If an "Excluded Account" opens a session on a computer that is part of the cluster, this computer is automatically excluded from the cluster. For more information on excluded accounts, see Enterprise SSO Console Administrator Guide.

    Session Locking

    When a computer is locked, all the other computers are locked according to their defined lock mode (see Section 4.2, Creating and Configuring a Cluster of Access Points).

    If a slave computer with an open session does not receive any information from the master for a period of 30 seconds, it is automatically locked according to its defined lock mode (see Section 4.2, Creating and Configuring a Cluster of Access Points).

    Session Closing

    When the user closes a computer, all the other computers of the cluster are closed.

    A slave computer can only accept orders from the master computer if they are compatible with its current session. For example, if a user locks a computer session while all the other cluster computer sessions are closed, these sessions will remain closed.

    Screensaver

    When a computer screensaver is activated, the computer is not locked. It becomes locked at the end of the screensaver period: it then becomes the master and locks all computers of the cluster. You must configure the screensaver according to the wanted computer behavior.


    4.2 Creating and Configuring a Cluster of Access Points

    Subject

    You create and configure the cluster mode from the Enterprise SSO Console, as explained in the following procedure.

    Before Starting

    To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Cluster: Creation/Modification".

    For more information on administration modes, see Enterprise SSO Console Administrator Guide.

    Make sure that none of the computers you want to place in the cluster is an Enterprise SSO Controller.

    Make sure all the computers you want to gather in a cluster are connected to each other, and configured according to your needs (automatic screen-saver launching, locking).

    DNS resolution must work properly so that orders sent from the master can be transmitted to the slaves.

    Port 3644 must be open on all computers you want to gather in a cluster.

    Enterprise SSO must be configured in "manage-access-point" mode.

    The following license keys must be installed on the Enterprise SSO Controller and Enterprise SSO Clients: "Cluster mode" and "Audit and advanced security".

    Procedure

    1. In the Enterprise SSO Console, in the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Cluster of access points and select New\Cluster of access points.

    The Configuration tab appears.

    2. Fill in the Name field.

    3. Click the Add button to select the access points you want to add to the cluster.

    Use the Browse tab to browse the directory tree structure or use the Search tab to find the access point by typing its name.

    4. Define the cluster properties as explained in the following Configuration Tab Description section.

    5. Click Apply. The Cluster object is created and configured.


    Configuration Tab Description

    Allow users to temporarily withdraw a computer from the cluster check box

    If this check box is selected, users allowed to access one of the cluster computers will be able to temporarily exclude a computer from the cluster, from the SSOWatch application module: see Section 4.6, Removing Temporarily an Access Point From the Cluster for more details.

    Option button

    Gives access to the Cluster Lock Mode window.

    For each computer of the cluster, this button allows you to define its behavior as a slave in the following cases:

    When it receives a locking order from the master computer.

    When it does not receive any order from the master for more than 30 seconds.


    The behavior selected here only applies when the computer is a slave.

    Do nothing

    The selected computer is not locked.

    Lock keyboard and mouse

    The selected computer is not locked, but keyboard and mouse are disabled. Pressing Ctrl+Alt+Del on this computer unlocks it.

    Lock session (default value)

    The selected computer is locked.

    Remove button

    Removes the selected computer from the cluster.

    Add button

    Allows you to select the access points you want to add to the cluster. The Browse tab allows you to browse the directory tree structure and the Search tab allows you to find the access point by typing its name.
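    As an added illustration (not part of this guide or of the product itself), the following Python model encodes the slave-side rules described in the Mechanism Description and in the Cluster Lock Mode window above: an order is applied only if it is compatible with the current session, a session held by another user yields only when FUS is enabled, the three lock modes, and the 30-second watchdog. The class, state names and the `receive`/`tick` calls are assumptions of this model; the product exposes no such interface.

```python
from dataclasses import dataclass
from typing import Optional

# Slave session states; INPUT_LOCKED is the "Lock keyboard and mouse" mode (session
# stays open, input disabled until Ctrl+Alt+Del is pressed on the slave itself).
CLOSED, OPEN, LOCKED, INPUT_LOCKED = "closed", "open", "locked", "input_locked"
HEARTBEAT_TIMEOUT = 30.0  # seconds without news from the master before a slave locks

@dataclass
class Slave:  # assumed model of one slave computer, not a product API
    lock_mode: str = "lock_session"  # or "do_nothing" / "lock_keyboard_mouse"
    state: str = CLOSED
    user: Optional[str] = None
    last_master_contact: float = 0.0

    def _apply_lock_mode(self):
        if self.lock_mode == "lock_session":
            self.state = LOCKED
        elif self.lock_mode == "lock_keyboard_mouse":
            self.state = INPUT_LOCKED  # "do_nothing" leaves the slave as it is

    def receive(self, order, user, now, fus_enabled=False):
        # A master order is applied only if compatible with the current session.
        self.last_master_contact = now
        if order in ("open", "unlock"):
            # A session held by another user yields only when FUS is enabled.
            if self.state == CLOSED or self.user == user or fus_enabled:
                self.state, self.user = OPEN, user
        elif order == "lock" and self.state == OPEN:
            self._apply_lock_mode()  # a closed session has nothing to lock
        elif order == "close":
            self.state, self.user = CLOSED, None
        return self.state

    def tick(self, now):
        # Watchdog: an open session silent for more than 30 s locks itself.
        if self.state == OPEN and now - self.last_master_contact > HEARTBEAT_TIMEOUT:
            self._apply_lock_mode()
        return self.state

    def ctrl_alt_del(self):
        # Local Ctrl+Alt+Del re-enables input after a keyboard/mouse lock.
        if self.state == INPUT_LOCKED:
            self.state = OPEN
        return self.state
```

    A "lock" order sent while the slave session is closed leaves it closed, which is the example the guide gives for an incompatible order.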

    4.3 Displaying Cluster Event Logs (Events Tab)

    Subject

    The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

    Restriction

    The Events tab appears only if you have at least the following administration role:

    In classic administration mode: "Auditor".

    In advanced administration mode, your role must contain the following right: "Audit: Visualization".

    For more details on administration roles, see Enterprise SSO Console Administrator Guide.

    Procedure

    1. In the tree structure of the Directory panel, select the wanted Cluster.

    2. Click the Events tab.

    The Events tab appears.

    3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Enterprise SSO Console Administrator Guide).


    4.4 Renaming Clusters

    Subject

    This section describes how to rename a Cluster.

    Before Starting

    To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Cluster: Creation/Modification".

    For more information on administration modes, see Enterprise SSO Console Administrator Guide.

    Procedure

    1. In the tree structure of the Directory panel, right-click the Cluster and select Rename.

    2. In the Configuration tab, type the new name of the object and press Enter.

    4.5 Deleting Clusters

    Subject

    This section describes how to delete Clusters.

    Before Starting

    To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Cluster: Deletion".

    For more details on administration roles, see Enterprise SSO Console Administrator Guide.

    Procedure

    In the tree structure of the Directory panel, right-click the Cluster to delete and select Delete.

    The Cluster is deleted.


    4.6 Removing Temporarily an Access Point From the Cluster

    Subject

    From his/her workstation, a user can temporarily remove a computer from the cluster. This can be useful for maintenance operations: the PC can be rebooted independently from the others.

    Before Starting

    This functionality is only available to the user if it has been activated from the Enterprise SSO Console (see Section 4.2, Creating and Configuring a Cluster of Access Points).

    Procedure

    1. On the workstation, in the notification area, right-click the SSOWatch icon. The SSOWatch pop-up menu appears.

    2. Select Deactivate cluster mode. The workstation is excluded from the cluster. It remains excluded even when you restart the computer.

    3. To include the computer in the cluster again, click Activate cluster mode.


    About Quest Software, Inc.

    Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products, helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

    Contacting Quest Software

    Phone     949.754.8000 (United States and Canada)

    Email     [email protected]

    Mail      Quest Software, Inc.
              World Headquarters
              5 Polaris Way
              Aliso Viejo, CA 92656
              USA

    Web site  www.quest.com

    Please refer to our Web site for regional and international office information.

    Contacting Quest Support

    Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com/

    From SupportLink, you can do the following:

    Retrieve thousands of solutions from our online Knowledgebase

    Download the latest releases and service packs

    Create, update and review Support cases

    View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com.
