지금 지원 담당자와 채팅
지원 담당자와 채팅

Defender 6.5 - Administration Guide

Getting started Managing Defender objects in Active Directory Configuring security tokens Securing VPN access Securing Web sites Securing Windows-based computers Defender Management Portal (Web interface) Securing PAM-enabled services Delegating Defender roles, tasks, and functions Automating administrative tasks Administrative templates Integration with Active Roles Push Notifications Appendices
Appendix A: Enabling diagnostic logging Appendix B: Troubleshooting common authentication issues Appendix C: Troubleshooting DIGIPASS token issues Appendix D: Defender classes and attributes in Active Directory Appendix E: Defender Event Log messages Appendix F: Defender Client SDK Appendix G: Defender Web Service API

Performing an unattended installation of Defender Desktop Login

You can perform an unattended installation of Defender Desktop Login by using the following .msi files supplied in the Defender distribution package:

  • DefenderDesktopLogin_x86.msi  Installs Defender Desktop Login on 32-bit systems.
  • DefenderDesktopLogin_x64.msi  Installs Defender Desktop Login on 64-bit systems.

For example, you can use these files to silently install Defender Desktop Login from a command line or by using Group Policy. For instructions on how to install software by using Group Policy, refer to Microsoft’s knowledge base article 816102.

When using .msi file to install Defender Desktop Login, you can use the following command-line parameters:

 

Table 13:

Defender MSI parameters

Parameter

Description

Example

DSS

Specifies a list of Defender Security Servers (by IP address or DNS name) and ports for the Defender Desktop Login software to authenticate against.

Each IP address or DNS name must have a port which is specified using a colon. For multiple entries, use a semicolon as shown in the example (without a space).

  • DSS=10.0.0.1:1812
  • DSS=MyServer1:1812;
    MyServer2:1812

SHARED_SECRET

Specifies the shared secret which is used to securely communicate and authenticate against the Defender Security Server.

SHARED_SECRET=MySharedSecretString

EXCLUSION_MODE

Determines how Defender Desktop Login authenticates users.

This parameter can take one of the following values:

  • 0  Specifies that all users must authenticate via Defender.
  • 1  Specifies that members of groups in the EXCLUSION_GROUPS parameter are not required to authenticate via Defender.
  • 2  Specifies that only members of groups in the EXCLUSION_GROUPS parameter must authenticate via Defender.

EXCLUSION_MODE=0

EXCLUSION_GROUPS

Specifies the groups whose members must or are not required to authenticate via Defender.

Behavior of this parameter depends on the value set in the EXCLUSION_MODE parameter.

To specify multiple groups in this parameter, use a semicolon as a separator.

EXCLUSION_GROUPS=
Administrators;
DEFENDER\Domain Admins

ALWAYS_ALLOW_LOCAL_LOGON

Specifies whether to allow local users to log on to a computer that has Defender Desktop Login installed without authenticating via Defender.

This parameter can take one of the following values:

  • 0  Do not allow local users to bypass Defender authentication (default value)
  • 1  Always allow local users to bypass Defender authentication

ALWAYS_ALLOW_LOCAL_LOGON=1

ALLOW_OFFLINE_LOGON

Specifies whether users are allowed to log on if all Defender Security Servers are unavailable.

This parameter can take one of the following values:

  • 0  Specifies that users cannot log on if all Defender Security Servers are unavailable.
  • 1  Specifies that users can only log on for a specified period of time from the moment when all Defender Security Servers become unavailable. If you specify this value, use the OFFLINE_LOGON_DAYS to set the number of days you want.
  • 2  Specifies that users can only log on a specified number of times from the moment when all the Defender Security Servers become unavailable. If you specify this value, use the OFFLINE_LOGON_COUNT to set the number of times you want.

ALLOW_OFFLINE_LOGON=2

OFFLINE_LOGON_DAYS

Specifies the period of time (in days) during which users can log on. This period is counted from the moment when all Defender Security Servers become unavailable.

You can only use this parameter if you set the ALLOW_OFFLINE_LOGON parameter value to 1.

OFFLINE_LOGON_DAYS=12

OFFLINE_LOGON_COUNT

Specifies the number of times user can log on from the moment when all Defender Security Servers become unavailable.

You can only use this parameter if you set the ALLOW_OFFLINE_LOGON parameter value to 2.

OFFLINE_LOGON_COUNT=45

DISPLAY_NOTIFICATIONS

Specifies whether to provide the user with information about the remaining number of offline logons or the remaining number of days when the offline logon will be available.

This parameter can take one of the following values:

  • 0  Specifies not to display any offline logon notifications.
  • 1  Specifies to display offline logon notifications.

DISPLAY_NOTIFICATIONS=1

STORE_PASSWORDS

Specifies whether to store user’s password, so that the user is not prompted to reenter the password during each two-factor login.

This parameter can take one of the following values:

  • 0  Specifies not to store the user’s password.
  • 1  Specifies to store the user’s password.

STORE_PASSWORDS=1

MANAGE_PASSWORDS

Specifies whether Defender Desktop Login can change a user’s password when the password has expired.

This parameter can take one of the following values:

0  Specifies that Defender Desktop Login can change user’s password.

  • 1  Specifies that Defender Desktop Login cannot change user’s password.

MANAGE_PASSWORDS=1

WAIT_FOR_NETWORK

Specifies the time period (in seconds) during which Defender Desktop Login waits for the network to become available at startup. The default value is 60 seconds.

WAIT_FOR_NETWORK=60

BLOCK_CREDENTIAL_PROVIDERS

Specifies credential providers Defender Desktop Login should block.

This parameter can take one of the following values:

  • 0  Specifies to allow all credential providers.
  • 1  Specifies to block all credential providers except Defender Credential Provider.
  • 2  Specifies to block Microsoft’s credential providers.

BLOCK_CREDENTIAL_PROVIDERS=0

Configuring Defender Desktop Login by using a configuration tool

You can use the Defender Desktop Login configuration tool (GinaConfig.exe) to configure or check the configuration settings of Defender Desktop Login installed on a particular computer. You can find the GinaConfig.exe file in the Defender Desktop Login installation folder (by default, this is %ProgramFiles%\One Identity\Defender\Desktop Login).

To view and configure the Defender Desktop Login settings

  1. On the computer where Defender Desktop Login installed, run the GinaConfig.exe file.
  2. Use the dialog box that opens to view and configure the Defender Desktop Login settings.

    For more information about these settings, see Defender Desktop Login Configuration tool reference.

  3. When finished, OK to apply your changes and close the dialog box.

To add a passcode field in Desktop

Improved value parameters for desktop login and inclusion of new GINA settings. Check/Uncheck the "Enable passcode field on logon" option to hide/show the passcode field.

Configuring Defender Desktop Login by using Group Policy

You can use Group Policy to configure and provide the required settings to the computers that are governed by Group Policy and have the Desktop Login Software installed.

To configure Group Policy settings

  1. Run the DefenderDesktopLoginGroupPolicy.exe file supplied in the Defender distribution package.
  2. Complete the wizard that starts to install the Defender Desktop Login Group Policy.
  3. Open the Group Policy Management tool (gpmc.msc).
  4. In the left pane of the tool, expand the appropriate domain node to locate the Default Domain Policy.
  5. Right-click the Default Domain Policy, and then on the shortcut menu click Edit.
  6. In the left pane of the window that opens, expand Computer Configuration | Policies, and then select Defender Desktop Login.
  7. In the right-pane, double-click Desktop Login Settings and use the dialog box that opens to configure the Defender Desktop Login settings.

    For more information about these settings, see Defender Desktop Login Configuration tool reference.

  8. When finished, OK to apply your changes and close the dialog box.

    You may want to run the gpupdate command to refresh Group Policy settings in the Active Directory domain. It is also advisable to check that your Group Policy settings have been applied as described in the next steps.

To check if your Group Policy settings have been applied

  1. Open the Active Directory Users and Computers tool.
  2. In the left pane, right-click the domain for which you have configured Group Policy settings, point to All Tasks, and then click Resultant Set Of Policy (Planning).
  3. In the wizard that starts, select the Skip to the final page of this wizard without collecting additional data check box, and then click Next.
  4. In the Summary of Selections step, click Next.
  5. In the completion step, click Finish.
  6. In the left pane of the window that opens, expand Computer Configuration to select the Defender Desktop Login node.
  7. In the right pane, double-click the Desktop Login Settings object to view the current Group Policy settings.

    Alternatively, you can also run these steps against a specific computer object or organizational unit to ensure they use the correct settings.

Defender Desktop Login Configuration tool reference

You can configure a number of settings for Defender Desktop Login. For more information on how to access these settings, see Configuring Defender Desktop Login by using a configuration tool and Configuring Defender Desktop Login by using Group Policy.

 

Table 14:

Configuration settings for Defender Desktop Login

Tab

Description

DSS

Set up a list of the Defender Security Servers you want Defender Desktop Login to use; specify the shared secret that has been configured on the Access Node to be used for authentication requests.

You can use the following elements:

  • Add  Adds a new Defender Security Server entry to the list. In the dialog box that opens, type the server IP address or DNS name and communication port.
  • Edit  Allows you to edit the selected list entry.
  • Remove  Removes the selected list entry.
  • Up  Moves the selected list entry up.
  • Down  Moves the selected list entry down.
  • If Defender Desktop Login is configured by using Group Policy, this tab also provides the Group Policy Settings (read only) list that shows the Defender Security Servers used by Defender Desktop Login.

Logon Settings

Configure which users or groups are required to authenticate via Defender.

You can use the following elements:

  • Require domain users to log on using Defender. Specifies that all domain users who log on to a computer that has Defender Desktop Login installed must authenticate via Defender.
  • Allow specified users to bypass Defender authentication. Specifies that users in groups added to the Groups list do not have to authenticate via Defender when logging on to computers that have Defender Desktop Login installed.
  • Require specified users to log on using Defender. Specifies that users in groups added to the Groups list must authenticate via Defender when logging on to computers that have Defender Desktop Login installed.

If you want local users always to be able to log on to a computer that has Defender Desktop Login installed without authenticating via Defender, select the Always allow local users to bypass Defender authentication check box.

If Defender Desktop Login is configured by using Group Policy, you can click the Group Policy (read-only) tab to view a list of groups whose users must or do not have to authenticate via Defender Desktop Login.

Offline

Configure how to handle users’ logon attempts when all the Defender Security Servers installed in your environment are unavailable.

  • Logins without the Defender Security Server are disabled  Users cannot log on if all the Defender Security Servers are unavailable.
  • Users may login for a set number of days after the previous login against the Defender Security Server  Users can only log on for a specified number of days from the moment when all Defender Security Servers become unavailable.
  • Users have a set number of logins after the previous login against the Defender Security Server  Users can only log on a specified number of times from the moment when all the Defender Security Servers become unavailable
  • Notify user when offline data is downloaded  When this check box is selected, each time an offline logon occurs, the user is provided with information about the remaining number of offline logons or the remaining number of days when the offline logon will be available.

Options

Configure additional settings for Defender Desktop Login. You can use the following options:

  • Remember user's passwords  With this option selected users Active Directory (AD) passwords will be remembered and the user will not need to enter this during the logon process. Only Defender authentication is required. (The user will be prompted for the AD password on first use).
  • Automatically change user's password as required  Causes Defender to automatically change user’s password when it expires.
  • Time to wait for workstation service to be ready (seconds)  
  • Credential Provider Filter  Provides a filter that allows you to display only specific credentials providers.

Test Authentication

Allows you to test the Defender Desktop Login settings you have configured. Type the user name and passcode in the appropriate text boxes, use the Log on to list to select the domain to which you want to log on, and then click Test.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택