
Enterprise Single Sign-On 8.0.6 - Installation Guide

1. Overview
2. Preparing the Storage of Security Data in the LDAP Directory
   2.1 Active Directory
   2.2 Active Directory + ADAM or AD LDS
   2.3 OpenLDAP
   2.4 Netscape iPlanet / Sun Java System / Red Hat / Fedora Directory Server
   2.5 Novell eDirectory
   2.6 IBM Tivoli Directory Server
   2.7 Deploying a Workstation LDAP User Account
3. Installing Quest ESSO Controllers and Audit Databases
4. Installing and Configuring the Software Modules on the Workstations
5. Enabling the Self Service Password Request (SSPR) Capability
6. Enabling OTP Authentication
7. Enabling the Group Membership Modification Feature
8. Centralizing Parameters Using Group Policy Objects (GPO)
9. Installing Quest ESSO MSI Packages in Silent Mode
Appendix A: Advanced Configuration: Audit
Appendix B: Activating Traces
Appendix C: Retrieving the Serial Number on a MiFARE RFID Badge

2.1 Active Directory

2.1.1 Global Installation Process within an Active Directory Infrastructure

Depending on your Active Directory infrastructure, you may have to install several types of Quest ESSO Controller. This section describes a multi-domain architecture example, which may help you define your own software architecture according to your requirements.
The illustration for this example (not reproduced here) shows a multi-domain software architecture that uses four Quest ESSO Controllers (two controllers per domain) and a Master Audit Database:
The primary controller, which corresponds to the first Quest ESSO Controller, installed in Domain 1.
An associated controller, which corresponds to the Quest ESSO Controller installed in Domain 2.
The Audit Master Database, which contains the log entries of every individual Quest ESSO Controller. This covers both user action log entries and administration action log entries. In this example, the local SQL Server databases of the individual Quest ESSO Controllers are only used to store audit events temporarily before sending them to the Master database.
To set the Quest ESSO software architecture described above, do the following:

2.1.2 Extending the Schema and Setting ACLs

For Active Directory, Quest ESSO provides a schema management tool that allows you to:
Install or repair the Active Directory schema extension for Quest ESSO. These operations will be applied to the Active Directory domain controller that holds the role of Schema Master. This server must be made accessible for these operations.
Add or repair the ACLs specific to Quest ESSO on the existing user objects in the different domains of the forest.
The modifications to the Active Directory schema for Quest ESSO have been designed to be as minimally intrusive as possible:
In the Start menu, click Run and type regedt32.
Open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key.
If necessary, set the Schema Update Allowed value to 1.
Quest ESSO requires at least one dedicated user account to extend the Active Directory schema and to apply ACLs on the domain. This account must exist before starting the installation procedure, as the wizard will prompt you for account credentials.
Modify the Active Directory schema (members of the Schema Admins group have this right).
Apply Quest ESSO ACLs on your domain (members of the Domain Admins group have this right).
You are advised to use a single account that is a member of both the Schema Admins and the Domain Admins groups. If this is not possible (depending on your Active Directory design), you can use two different accounts.
Each Quest ESSO Controller requires one dedicated user account to perform operations on the directory (such as the execution of administration requests, read and save operations on audit events, modifications on Quest ESSO objects). To simplify the configuration and the use of the solution, it is strongly recommended to gather these dedicated user accounts in Local groups, as detailed in the following procedure.
Depending on your Active Directory design, you may create and use the same user account for all the Quest ESSO Controllers. Note that this is not possible in multi-domain infrastructures.
Start Active Directory Users and Computers.
Create one Local Group for each domain of the forest.
Create one technical account for each Quest ESSO Controller that you will install on the domain, and define it as a member of the Local Group just created.
For each technical account, enable the Password never expires option.
Each technical account must have the SE_RESTORE_NAME privilege. To ensure this, add the technical account to the Backup Operators group of each domain.
Each technical account must have the right to force users to change their password. To assign this right, using Active Directory Users and Computers, start the Delegation of Control wizard (right-click the container(s) where the users whose passwords will be reset are located and select Delegate control), and delegate control of the following common task: Reset user passwords and force password change at next logon. Repeat the same operation on the AdminSDHolder container.
Start Active Directory Sites and Services and, for each domain controller of your forest, select NTDS Settings, then, in the right pane, right-click the connection objects and select Replicate now.
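The following PowerShell pre-flight check is an added example, not part of the Quest ESSO guide or product: it verifies the prerequisites listed above (Schema Update Allowed, the installation account's Schema Admins and Domain Admins membership, and each technical account's Password never expires setting, Backup Operators membership and controller group membership) before the schema tool is run. It assumes the RSAT ActiveDirectory module on a domain controller; the account and group names are placeholders to replace with your own.

```powershell
# Added pre-flight check (not from the Quest ESSO guide). Assumes the RSAT ActiveDirectory
# module on a domain controller; account and group names below are placeholders.
Import-Module ActiveDirectory

$InstallAccount    = 'ESSOSchemaAdmin'                        # placeholder: account used to extend the schema and set ACLs
$TechnicalAccounts = @('svc-esso-ctrl1', 'svc-esso-ctrl2')    # placeholders: one technical account per Controller
$ControllerGroup   = 'ESSO-Controllers'                       # placeholder: the Local Group created for the domain
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Schema updates must be allowed on the Schema Master (Schema Update Allowed = 1 in NTDS\Parameters).
$ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
if (-not $ntds -or $ntds.'Schema Update Allowed' -ne 1) {
    $Findings.Add('Schema Update Allowed is not set to 1 in NTDS\Parameters')
}

# Helper: direct group memberships of a principal by SamAccountName.
# Nested membership is not resolved, so a membership inherited through another group is reported as missing.
function Get-DirectGroupNames([string]$Sam) {
    Get-ADPrincipalGroupMembership -Identity $Sam | Select-Object -ExpandProperty Name
}

# 2. The installation account needs Schema Admins (schema extension) and Domain Admins (ACLs).
#    Schema Admins exists only in the forest root domain, so run this check there.
$installGroups = Get-DirectGroupNames $InstallAccount
foreach ($g in 'Schema Admins', 'Domain Admins') {
    if ($installGroups -notcontains $g) { $Findings.Add("$InstallAccount is not a member of $g") }
}

# 3. Each technical account: Password never expires, Backup Operators (SE_RESTORE_NAME), controller Local Group.
foreach ($sam in $TechnicalAccounts) {
    $u = Get-ADUser -Identity $sam -Properties PasswordNeverExpires -ErrorAction SilentlyContinue
    if (-not $u) { $Findings.Add("technical account $sam does not exist"); continue }
    if (-not $u.PasswordNeverExpires) { $Findings.Add("${sam}: Password never expires is not enabled") }
    $groups = Get-DirectGroupNames $sam
    if ($groups -notcontains 'Backup Operators') { $Findings.Add("$sam is not in Backup Operators (SE_RESTORE_NAME)") }
    if ($groups -notcontains $ControllerGroup)  { $Findings.Add("$sam is not in $ControllerGroup") }
}

# Report: an empty findings list means the accounts are ready for the schema tool.
if ($Findings.Count -eq 0) { 'All prerequisites satisfied' } else { $Findings | ForEach-Object { "MISSING: $_" } }
```

The password-reset delegation on the user containers and on AdminSDHolder is not covered by this check and still has to be verified with the Delegation of Control wizard.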
Windows 2000 Service Pack 2 servers only: if the Schema Master (which is the domain controller on which the schema extension operation is performed) is a Windows 2000 Service Pack 2 server, you must define, on each of your workstation clients, the UseCustomApplicationClass registry variable (DWORD) with value 1, in HKLM\Software\Enatel\Framework\Directory or HKLM\Software\Policies\Enatel\Framework\Directory.
If you are installing Quest ESSO in multi-domain mode, read the following:
On the domain controller where you want to install the primary or the associated Quest ESSO Controller, open the root folder of the Quest ESSO installation package and run start.hta.
Browse to the TOOLS directory, run WGAdSetup\WGADSetup.exe, and go to Step 4 of this procedure.
In the Advanced Installation area, click one of the following, depending on your Windows system processor:
Quest Software E-SSO: for 32-bit processors.
Quest Software E-SSO - x64: for 64-bit processors.
The Administration Tools interface appears:
Click Extend Active Directory Schema.
If you are installing the Quest ESSO primary controller, enter the dedicated user account that is a member of the Schema Admins group (for more information, see Before Starting above).
If you are installing an associated controller:
Enter the user account of a Quest ESSO user who is an administrator of the domain. This user must have full rights on the domain.
Select Skip schema checking and jump directly to the domains setup.
Click Next.
Click Next.
Click Next.
Click Yes.
If the user account declared at Step 1 is also a member of the Domain Admins group, click Next and see Step 8.
Enter a user account that is a member of the Domain Admins group (for more information, see Before Starting above).
Select Skip schema checking and jump directly to the domains setup.
Click Next.
Click Next.
If you do not want to store the configuration data in Program Data\IAM, click Choose another location and select the desired location in the displayed tree.
Click Next.
Select With controller.
Click Next.
Select Enable the use of software.
Click Next.
Read the displayed instructions carefully. As explained there, it is strongly recommended to select Enable (or Keep, in the case of an update) the access control for members of protected groups.
Click Next.
1. Select the mandatory container Program Data\IAM or the location where you store the configuration data.
2. Select the following containers:
The computers where Quest ESSO is installed.
3. Click Apply changes.
If you have created a Local Group to gather the technical accounts used by the Quest ESSO Controller (for more information, see Before Starting above), select Give some administration profiles to a group of the domain and enter the Group name. Then, select the Controller Server Account check box and click Next.
1. In System, select AdminSDHolder (this container allows you to administer the Active Directory administrators. Moreover, it enables any user to delegate accounts to Active Directory administrators).
2. Select the container(s) storing the Users, Groups, Computers and Domain Controllers that will be administered by the Administration Group entered at Step 14.
3. Click Apply Changes.
1. Select the following mandatory containers:
Program Data\IAM or the location where you store the configuration data.
2. Select the container(s) storing the Quest ESSO configuration data that will be administered by the Administration Group entered at Step 14 (the containers storing the configuration data were defined at Step 9).
3. Click Apply Changes.
Otherwise, select Finished for the selected domain, and click Next.
Otherwise, select Exit this program and click Exit.
During the existing schema validation phase, objects that use Quest ESSO object identifiers may be detected. If this is the case, software from other suppliers that does not adhere to Microsoft's recommendations for extending the Active Directory schema may have been installed. In these circumstances, contact Quest Support.

2.1.3 Setting Indexes on Active Directory Attributes (Optional)
