
Enterprise Single Sign-On 8.0.6 - Installation Guide


8.2 Creating and Configuring Group Policy Objects Using ADMX Files (optional)

1.
UserAccess.admx and UserAccessLicenses.admx are mandatory.
Depending on your Quest ESSO solution, select one of the available configuration files (UserAccessConfiguration<config>, where <config> represents an architecture, for example MicrosoftADwithADLS).
ADML files are language-specific resource files. They are located in the language subfolder (for example EN-US for United States English). Copy the equivalent files (UserAccess.adml, UserAccessLicenses.adml, UserAccessConfiguration<config>.adml and UserAccessLicences<Licence>.adml).
2.
Store these files in the PolicyDefinitions folder on a Domain Controller:
ADMX files are stored in %systemroot%\sysvol\domain\policies\PolicyDefinitions.
ADML files are stored in %systemroot%\sysvol\domain\policies\PolicyDefinitions\<LANG>, where <LANG> represents the language identifier (for example EN-US).
3.
Click Start\Run and type gpedit.msc to launch the Local Group Policy Editor.
4.
In the console tree, expand the Computer Configuration\Administrative Templates\User Access folders.
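The copy in step 2 can be scripted so that a template set is never deployed half-complete. The following PowerShell is an added example, not part of the Quest ESSO guide; it assumes a source folder ($Source) holding the ADMX files with one subfolder per language, and a chosen <config> and <LANG> value.

```powershell
# Added example (not from the Quest ESSO guide): copy the User Access ADMX/ADML
# files to the PolicyDefinitions folder on a Domain Controller, as described in 8.2.
# Assumptions: $Source is the folder holding the ADMX files plus one subfolder per
# language (e.g. EN-US); $Config and $Lang are the values chosen for this deployment.
param(
    [string]$Source = 'C:\QuestESSO\ADMX',            # assumption: extracted package folder
    [string]$Config = 'MicrosoftADwithADLS',          # <config> example from the guide
    [string]$Lang   = 'EN-US',
    [string]$Target = "$env:SystemRoot\sysvol\domain\policies\PolicyDefinitions"
)

$srcLang    = Join-Path $Source $Lang
$langTarget = Join-Path $Target $Lang

# File names from the guide. UserAccessLicences<Licence>.adml depends on the licence,
# so it is matched with a wildcard below instead of being hard-coded.
$admx = @('UserAccess.admx', 'UserAccessLicenses.admx', "UserAccessConfiguration$Config.admx")
$adml = @('UserAccess.adml', 'UserAccessLicenses.adml', "UserAccessConfiguration$Config.adml")

# Refuse to continue if a mandatory file is missing: a partially copied template
# set does not load in the Group Policy editor and is awkward to diagnose.
foreach ($f in $admx) {
    if (-not (Test-Path (Join-Path $Source $f))) { throw "Missing ADMX file: $f" }
}
foreach ($f in $adml) {
    if (-not (Test-Path (Join-Path $srcLang $f))) { throw "Missing ADML file: $Lang\$f" }
}

New-Item -ItemType Directory -Path $langTarget -Force | Out-Null

# ADMX files go to PolicyDefinitions, ADML files to PolicyDefinitions\<LANG>.
foreach ($f in $admx) { Copy-Item (Join-Path $Source $f) $Target -Force }
foreach ($f in $adml) { Copy-Item (Join-Path $srcLang $f) $langTarget -Force }
Get-ChildItem $srcLang -Filter 'UserAccessLicences*.adml' |
    Copy-Item -Destination $langTarget -Force

# Check: every copied ADMX must have its ADML counterpart in <LANG>, otherwise
# gpedit.msc reports a resource error for that template.
foreach ($f in (Get-ChildItem $Target -Filter 'UserAccess*.admx')) {
    $res = Join-Path $langTarget ($f.BaseName + '.adml')
    if (-not (Test-Path $res)) { Write-Warning "No ADML for $($f.Name) in $Lang" }
}
```

Run it in an elevated session on the Domain Controller; writing to SYSVOL requires the appropriate domain administration rights.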

8.3 Description of the User Access Administrative Template (optional)

Quest ESSO Security Services.
SSOWatch Parameters
SSOWatch Common Parameters
0: Default.
409: English.
40C: French.
407: German.
411: Japanese.
Time in seconds before the SSOWatch module of Quest ESSO is locked.
If the value is set to 1, the SSOWatch module stores the user's primary password in the directory and uses it for SSO. In this case, the smart card logon is ignored.
Description / Default Value
Quest Enterprise SSO starts the HllAPI plug-in with several emulators, the number being given by the n value.
n: number of emulators.
0: 32-bit.
1: 16-bit (default).
0: returns Windows handles (default).
1: does not return Windows handles.
Advanced Login Parameters
Advanced Login configuration parameters.
0: disabled (default).
1: enabled.
Advanced Login configuration parameters.
0: disabled (default).
1: enabled.
0: disabled (default).
1: enabled.
Quest ESSO Security Services Parameters
Quest ESSO installation type.
0: Standalone (default).
1: Client.
This value must not be modified in the registry. To modify it, use the wgss configuration file.
0: Quest ESSO does not manage access points.
1: Quest ESSO manages access points (default).
This value must not be modified in the registry. To modify it, use the wgss configuration file.
For more information on access point management, see the Quest ESSO Console Administrator Guide.
0: Software module objects are not managed in the directory.
1: Software module objects are managed in the directory (default).
Configuration of the Quest ESSO security database.
0: off.
1: on.
0: Windows Workstation/SAM Base (default).
1: Active Directory.
2: SunONE Directory Server.
3: OpenLDAP.
4: Novell eDirectory.
6: IBM Tivoli Directory Server.
This value must not be modified in the registry. To modify it, use the wgss configuration file.
0: Authentication (default).
1: Authentication & Security Base.
This value must not be modified in the registry. To modify it, use the wgss configuration file.
By default, the Quest ESSO solution considers that all Windows domains defined on the workstation are managed by the solution. If this is not the case, the key must be set to the list of managed domains.
Quest ESSO Console displays error messages when it tries to connect to a domain that is not managed.
0: store Quest ESSO data in enterprise Directory (default).
1: store Quest ESSO data in another Directory or Naming Context.
This value must not be modified in the registry. To modify it, use the wgss configuration file.
0: SSL disabled (default).
1: SSL enabled.
This value must not be modified in the registry. To modify it, use the wgss configuration file.
0: simple clear-text authentication (default).
1: SASL/DIGEST-MD5 authentication.
2: SASL/NMAS authentication (Novell specific).
This value must not be modified in the registry. To modify it, use the wgss configuration file.
0: TLS is not activated (default).
1: TLS is always activated.
2: TLS is only activated when sensitive data is transferred on the network (during password change or account creation).
This value must not be modified in the registry. To modify it, use the wgss configuration file.
0: TLS is not mandatory: if TLS fails, the connection is established without encryption (default).
1: TLS is mandatory: if TLS fails, no connection is established.
This value must not be modified in the registry. To modify it, use the wgss configuration file.
This value must not be modified in the registry. To modify it, use the wgss configuration file.
This value must not be modified in the registry. To modify it, use the wgss configuration file.
no limit (default).
10 (min.).
0: access request not authorized.
1: access request authorized (default).
0: access request not authorized.
1: access request authorized (default).
0: access request not authorized.
1: access request authorized (default).
0: LDAP server (default).
1: MS Windows domain.
This value must not be modified in the registry. To modify it, use the wgss configuration file.
0: only standard groups using distinguished name for members.
1: support SAMBA groups using a memberUid-like attribute type for members.
This value must not be modified in the registry. To modify it, use the wgss configuration file.
0: do not use SAMBA computer entries.
1: use SAMBA computer entries (default).
This value must not be modified in the registry. To modify it, use the wgss configuration file.
Configuration of two directories to separate the Quest ESSO data from your identities repository. For more information, see 1.3.1, "Separation of the Quest ESSO Data".
2: Sun/RedHat/Fedora Directory Server.
7: Microsoft Active Directory Application Mode.
This value must not be modified in the registry. To modify it, use the wgss configuration file.
0: simple clear-text authentication (default).
1: SASL/DIGEST-MD5 authentication.
2: SASL/NMAS authentication (Novell specific).
This value must not be modified in the registry. To modify it, use the wgss configuration file.
0: TLS is not activated (default).
1: TLS is always activated.
2: TLS is only activated when sensitive data is transferred on the network (during password change or account creation).
This value must not be modified in the registry. To modify it, use the wgss configuration file.
0: TLS is not mandatory: if TLS fails, the connection is established without encryption (default).
1: TLS is mandatory: if TLS fails, no connection is established.
This value must not be modified in the registry. To modify it, use the wgss configuration file.
This value must not be modified in the registry. To modify it, use the wgss configuration file.
This value must not be modified in the registry. To modify it, use the wgss configuration file.
0: off.
1: on.
0: off.
1: on.
0 (default).
0 (default): no authentication forced in the user session. No manual password change.
1: authentication forced in the user session, so that the user can manually change his/her directory password.
Enables SSO key synchronization: if the user's AD password has been modified with a tool other than Quest ESSO, the user's SSO data cannot be deciphered with the new AD password when the user authenticates on the workstation.
50 (default).
10 (min.).
60 (default).
1 (min.).
This value must not be modified in the registry. To modify it, use the wgss configuration file.
0: off.
1: on (default).
These parameters are located in:
0: off.
1: on (default).
An exhaustive list of LDAP Directory servers potentially used by Quest ESSO. This parameter must contain a sublist of the existing LDAP Directory servers. Without this list, Quest ESSO can connect to any LDAP Directory server available in the domain.
These parameters are located in:
0: The server list is randomized before the first LDAP server is contacted (default).
1: The server list is not randomized: the first LDAP server of the list is used, then the next ones.

9 Installing Quest ESSO MSI Packages in Silent Mode

Use of the MSI properties MODULES and TRANSLATIONS of msiexec
This method is strongly recommended when available.
These properties facilitate the installation or upgrade of already installed MSI packages according to the operating system: when the MODULES and/or TRANSLATIONS properties are used when installing an MSI package, the mandatory and hidden MSI features are automatically selected according to the operating system.
Use of the MSI property ADDLOCAL of msiexec

9.1 Installing Microsoft Redistributables in Silent Mode

The installation of this MSI package is a prerequisite to the installation of any Quest ESSO software module. It must be installed once on each workstation and does not need to be updated.
In the ADDLOCAL property of the msiexec command, add the name of the required feature (see the "Feature Name" column in the following Features table):
VCRedist_x86.msi (or VCRedist_x64.msi on x64 platforms) contains the following selectable features:
Studio 2005 SP1 Redistributable.
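As an added example (not from the Quest ESSO guide), the following PowerShell installs the redistributable silently with the ADDLOCAL property, selects the x86 or x64 MSI for the platform and checks the Windows Installer exit code. The feature name from the Features table is not reproduced on this page, so $Feature is a placeholder to replace; $PackageDir is an assumed folder.

```powershell
# Added example (not from the Quest ESSO guide): silent install of the Microsoft
# redistributable package described in 9.1, using the ADDLOCAL property.
# Assumptions: $PackageDir holds VCRedist_x86.msi / VCRedist_x64.msi; $Feature is
# a placeholder for the feature name from the guide's Features table.
param(
    [string]$PackageDir = 'C:\QuestESSO\Redist',      # assumption: folder holding the MSI files
    [string]$Feature    = 'FEATURE_NAME_FROM_TABLE',  # placeholder: replace with the real name
    [string]$LogDir     = $env:TEMP
)

# Pick the package for the platform, as the guide does for x64 workstations.
$msi = if ([Environment]::Is64BitOperatingSystem) { 'VCRedist_x64.msi' } else { 'VCRedist_x86.msi' }
$msiPath = Join-Path $PackageDir $msi
if (-not (Test-Path $msiPath)) { throw "Package not found: $msiPath" }

$log = Join-Path $LogDir ($msi + '.log')

# /qn = no UI, /norestart = never reboot on its own, /l*v = verbose log
# (the log is the first thing to read when a silent install fails).
$msiArgs = @('/i', "`"$msiPath`"", "ADDLOCAL=$Feature", '/qn', '/norestart', '/l*v', "`"$log`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Windows Installer exit codes: 0 = success, 3010 = success but reboot required,
# 1641 = success and reboot initiated; anything else is a failure.
switch ($proc.ExitCode) {
    0       { Write-Host "$msi installed." }
    3010    { Write-Host "$msi installed; a reboot is required." }
    1641    { Write-Host "$msi installed; a reboot was initiated." }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $log" }
}
```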