1. Overview
1.1 Quest ESSO Concepts
1.2 Quest ESSO Controllers
1.3 A Multi-Domain Architecture
1.4 General Ergonomic Design
2 Authenticating to Quest ESSO Console and Managing Protection Modes
2.1 Starting/Stopping Quest ESSO Console
3 Searching the Directory Tree
4 Managing Administrators
2.1.1 Starting Quest ESSO Console
2.2 Managing Protection Modes
2.1.1.1 Starting Quest ESSO Console in Hardware Protection Mode
2.1.1.2 Starting Quest ESSO Console in Software Protection Mode
2.1.2 Stopping Quest ESSO Console
4.1 Administration Modes - Presentation
5 Managing Security Profiles
4.1.1 The Classic Administration Mode
4.1.2 The Advanced Administration Mode
4.1.3 Administration Role Inheritance
4.2 Delegating Administration Roles
4.3 Managing Administration Profiles
4.4 Transferring an Administration Role
4.5 Deleting an Administration Role
4.6 Displaying your Administration Role
4.7 Modifying the Parent Administrator
4.8 Adding/Removing Primary Administrators
5.1 Managing Time Slices
6 Managing Directory Objects
5.1.1 Creating/Modifying Time Slices
5.1.2 Configuring Time Slices
5.1.3 Displaying Timeslice Object Event Logs
5.1.4 Renaming Timeslice Objects
5.1.5 Deleting Timeslice Objects
5.2 Managing Password Format Control Policies
5.2.1 Creating/Modifying Password Format Control Policies
5.2.2 Configuring Password Format Control Policy
5.2.3 Displaying Password Format Control Policy Event Logs
5.2.4 Renaming Password Format Control Policies
5.2.5 Deleting Password Format Control Policies
5.3 Managing User Security Profiles
5.3.1 Creating/Modifying User Security Profiles
5.3.2 Configuring User Security Profiles
5.4 Managing Access Point Security Profiles
5.3.2.1 Authentication Tab
5.3.2.2 Security Tab
5.3.2.3 Unlocking Tab (Fast User Switching Feature)
5.3.2.4 Self Service Password Request Tab
5.3.2.5 Biometrics Tab
5.3.2.6 Session Delegation Tab
5.3.2.7 Audit Tab
5.3.2.8 OTP Tab
5.3.3 Displaying User Security Profile Event Logs
5.3.4 Renaming User Security Profiles
5.3.5 Deleting User Security Profiles
5.4.1 Creating/Modifying Access Point Security Profiles
5.4.2 Configuring Access Point Security Profiles
5.5 Managing Application Security Profiles
5.4.2.1 Security Services Tab
5.4.2.2 Advanced Login Tab
5.4.2.3 QESSO SSOWatch Tab
5.4.2.4 Multi-User Desktop Tab
5.4.2.5 Biometrics Tab
5.4.2.6 Self Service Password Request Tab
5.4.2.7 Active RFID Tab
5.4.2.8 Audit Tab
5.4.3 Displaying Access Point Security Profile Event Logs
5.4.4 Renaming Access Point Security Profiles
5.4.5 Deleting Access Point Security Profiles
5.5.1 Managing Password Generation Policies
5.6 Defining Security Profiles Default Values
5.7 Managing User and Access Point Security Profiles Priorities
5.5.1.1 Creating/Modifying Password Generation Policies
5.5.1.2 Configuring the Password Generation Policy
5.5.1.3 Displaying Password Generation Policy Event Logs
5.5.1.4 Renaming Password Generation Policies
5.5.1.5 Deleting Password Generation Policies
5.5.2 Creating/Modifying Application Security Profiles
5.5.3 Configuring Application Security Profiles
5.5.3.1 General Tab
5.5.3.2 Account Tab
5.5.3.3 Authentication Method Tab
5.5.3.4 Delegation Tab
5.5.3.5 IP Address Constraints Tab
5.5.4 Displaying Application Security Profile Event Logs
5.5.5 Renaming Application Security Profiles
5.5.6 Deleting Application Security Profiles
6.1 Managing Applications
7 Importing/Exporting Security Profiles and Directory Objects
8 Managing Smart Cards
6.1.1 Creating an Application
6.2 Managing Users
6.1.1.1 Creating an Application without Using a Template
6.1.1.2 Creating an Application Using Templates
6.1.2 Defining the General Properties of an Application
6.1.3 Creating the Account Properties of an Application
6.1.4 Defining the Single Sign-On Properties of an Application
6.1.5 Defining External Names
6.1.6 Assigning Users to an Application
6.1.7 Sharing the Administration of an Application
6.1.8 Generating/Importing Accounts for an Application
6.1.9 Assigning Access Points to an Application
6.1.10 Displaying Accounts Associated with the Application
6.1.11 Displaying Application Event Logs
6.1.12 Displaying/Modifying Application Information
6.1.13 Renaming Applications
6.1.14 Deleting Applications
6.2.1 Displaying User General Information
6.2.2 Defining User Connection Parameters
6.3 Managing Access Points
6.2.2.1 Suspending or Limiting Temporarily a User Access
6.2.2.2 Displaying User Authentication Information and Administering Roaming Sessions
6.2.2.3 Predefine a New User's Primary Password
6.2.2.4 Managing User SSPR
6.2.2.5 Defining an Audit Identifier
6.2.2.6 Creating a Welcome Message
6.2.3 Assigning a User Security Profile to a User
6.2.4 Declaring a User as an Administrator
6.2.5 Assigning/Forbidding Access Points to a User
6.2.6 Managing User Accounts
6.2.7 Sending SSO Account Passwords to Users
6.2.8 Defining Additional Security Policy Parameters for Groups of Users
6.2.9 Managing User Smart Cards
6.2.11 Displaying and Deleting User Biometric Data
6.2.12 Assigning Applications to a User
6.2.13 Displaying Delegated Sessions
6.2.14 Managing User RFID Tokens
6.2.15 Displaying User Event Logs
6.2.16 Deleting SSO Data of Disabled User Accounts
6.2.17 Adding or Removing a User from a Group
6.3.1 Displaying Access Point General Information
6.3.2 Defining Access Point Configuration Parameters
6.4 Managing Representative Objects
6.3.2.1 Assigning an Access Point Security Profile to an Access Point
6.3.2.2 Managing the Quest ESSO Controller Services
6.3.3 Assigning/Forbidding Users to Access Points
6.3.4 Assigning/Forbidding Applications to Access Points
6.3.5 Adding or Removing an Access Point from a Group
6.3.6 Displaying Access Point Event Logs
6.4.1 Managing Inbound Representative Objects
6.5 Managing Clusters of Access Points
6.4.1.1 Creating/Modifying an Inbound Representative Object
6.4.1.2 Defining the Set of Users to Represent
6.4.1.3 Assigning a User Security Profile to the Inbound Representative Object
6.4.1.4 Selecting the Access Points Available to the Representative
6.4.2 Managing Outbound Representative Objects
6.4.2.1 Creating/Modifying an Outbound Object
6.4.2.2 Defining the Set of Access Points to Represent
6.4.2.3 Selecting the Applications Available to the Representative
6.4.3 Displaying Representative Event Logs
6.4.4 Renaming Representative Objects
6.4.5 Deleting Representative Objects
6.5.1 Creating and Configuring a Cluster of Access Points
6.5.2 Managing Users' Permissions on a Cluster
6.6 Selecting a Domain Controller
6.5.2.1 Authorizing Users to Access Workstations of the Cluster
6.5.2.2 Displaying the Cluster Composition Made by Authorized Users
6.5.3 Displaying Cluster Event Logs
6.5.4 Renaming Clusters
6.5.5 Deleting Clusters
8.1 Assigning Smart Cards to Users
9 Managing SA Server Devices
10 Managing RFID Tokens
8.1.1 Assigning Smart Cards to Many Users
8.1.2 Assigning a Smart Card to a User
8.1.3 Assigning a new Smart Card Allowing a User to Log on a Workstation which is Disconnected from the Directory
8.2 Formatting Smart Cards
8.3 Forcing a new PIN
8.4 Disabling Temporarily Smart Cards
8.4.1 Disabling Temporarily Smart Cards from the Smart Card Panel
8.4.2 Disabling Smart Cards of a User from the Directory Panel
8.5 Unlocking Smart Cards
8.5.1 Unlocking Smart Cards from the Smart Card Panel
8.5.2 Unlocking Smart Cards from the Directory Panel
8.5.3 Defining Contact Information
8.6 Sending Smart Cards to a Blacklist
8.6.1 Sending Smart Cards to a Blacklist from the Smart Card Panel
8.6.2 Sending Smart Cards to a Blacklist from the Directory Panel
8.7 Extending the Validity of a Smart Card
8.8 Allowing Users to Renew their Smart Card Certificates
8.9 Displaying Smart Card Properties
8.10 Displaying the List of Supported Smart Cards
8.11 Managing Smart Card Configuration Profiles
8.11.1 Creating / Modifying Configuration Profiles
8.11.2 Renaming Configuration Profiles
8.11.3 Deleting Configuration Profiles
8.12 Managing Loan Cards
8.13 Managing Smart Cards' Authentication Parameters
8.14 Managing Batches of Smart Cards
10.1 Assigning an RFID Token
10.2 Locking and Unlocking an RFID Token
11 Managing Biometric Enrolment
10.2.1 Locking and Unlocking an RFID Token from the Directory Panel
10.2.2 Locking and Unlocking an RFID Token from the RFID Panel
10.3 Blacklisting and Deleting an RFID Token
10.3.1 Blacklisting and Deleting an RFID Token From the Directory Panel
10.3.2 Blacklisting and Deleting an RFID Token From the RFID Panel
10.4 Modifying the Detection Areas and the Grace Period
10.5 Exporting a List of RFID Tokens
11.1 Defining the Biometric Enrolment Policy
11.2 Defining the Biometric Workstation Parameters
11.3 Managing the User Enrolment
11.4 Displaying and Exporting the Biometric Enrolment Report
13 Enabling the Public Key Authentication Method
13.1 Configuring User and Access Point Security Profiles to Support the PKA Authentication Method
13.2 Activating the PKA Authentication Method and Defining the Set of Authorized Certification Authorities
14 Managing the Emergency Plan
15 Managing Audit Events
13.2.1 Activating the PKA Authentication Method
13.2.2 Configuring the Set of Authorized Certification Authorities
13.3 Configuring the Automatic Update of the Revocation Information
15.1 Displaying Audit Events
15.2 Defining an Audit Population
15.3 Managing and Applying Audit Filters
16 Managing Reports
15.3.1 Creating an Audit Filter
15.3.2 Saving an Audit Filter
15.3.3 Loading an Audit Filter
15.3.4 Applying an Audit Filter
15.4 Interpreting Audit Events
15.4.1 The Audit Main Window
15.4.2 The "Event Details" Window
15.4.3 Detailed Information on Administration Audit Events
15.5 Exporting Audit Events
15.6 Archiving Audit Records
15.7 Retrieving User ID from Audit ID
15.8 Retrieving Event Codes
16.1 Generating Reports
17 Customizing Configuration Files
18 Creating Scripts
Appendix A: Regular Expressions - Basic Syntax
Appendix B: Listing Audit Events and Error Codes
Appendix C: Correspondence Between Profile and Administration Rights
16.1.1 Generating Application Account Reports
16.1.2 Generating User Account Reports
16.1.3 Generating Administrators Report
16.1.4 Generating Analysis and Statistics Reports
16.2 Exporting the Generated Report
5.3.2.1 Authentication Tab
|
• |
 |
A wide range of authentication methods is supported. To add more authentication methods to the list, please contact your Quest Software representative. |
|
• |
The Session authentication method works only with Active Directory. |
|
• |
For smart card authentication methods (as Cryptoflex smart card, CyberFlex PKCS#11 or Rainbow iKey3000 for example), you can assign a specific configuration using the Select Configuration button. These configurations are defined in the Smart Card panel. For more details, see Section 8.11, "Managing Smart Card Configuration Profiles". |
|
• |
The Biometrics Store-On-Server and Biometrics Store-On-PC methods cannot be used simultaneously. You must only select one of them. For more information on available biometric methods, see section 11., "Managing Biometric Enrolment". |
|
• |
The RFID authentication method can be configured in the RFID panel: see section 10., "Managing RFID Tokens" for more details. |
|
• |
Online and offline mode: in this case, only RSA is available. Make sure the RSA Authentication server and Authentication agent are installed on each access point on which you want to use OTP. If you only select this method, Quest ESSO stores the user password in the directory. This method can be configured in the OTP tab: see 5.3.2.8 OTP Tab.
|
|
SSOWatch module supports only one activated OTP authentication method at a time. For more information, see Quest ESSO Installation Guide. |
The default Timeslice is selected by default. Click the 
button to select another existing Timeslice.
button to select another existing Timeslice.
 |
Click the  button to display and if necessary modify the selected time slice, as described in 5.1.1 Creating/Modifying Time Slices. |
|
|
|
|
Session activation time before re-authentication is required. The default value is 0: infinite time. Re-authentication is never required.
Duration of the validity of the temporary password, when granted to a user (for more information on TPA, see Section 6.2.2.3, "Predefine a New User's Primary Password".
When the duration is over, the user cannot log on anymore.
When the duration is over, the user cannot log on anymore.
|
• |
In "no-access-point-management" mode, a user can open a Quest ESSO session on an access point of his/her domain only if the Allow on all access points field is selected. |
To authorize the users to log on access points registered in external domains, see Section 6.4, "Managing Representative Objects".
|
|
|
• |
To interconnect Quest ESSO with Web Access Manager (WAM). |
If this option is selected, Quest ESSO stores the user primary password as an SSO account.
Then, SSOWatch module of Quest ESSO uses this SSO account for each application configured to use primary accounts.
|
|
In Smart Card Logon mode, if the Windows password is not yet stored as an SSO account, of if a bad password is detected by SSOWatch module of Quest ESSO upon the SSO process, SSOWatch module of Quest ESSO requests the user to re-authenticate with his/her smart card and asks for his/her primary password.
|
|
|
|
• |
User, administrators and external key: allows an external application to decipher the user's SSO primary account using a public key. For example, you must select this entry if you want to use Quest ESSO with WAM. By selecting this entry, you allow WAM to decipher the Quest ESSO SSO primary account of the user so that it can perform SSO with this account. |
|
• |
Quest ESSO must be configured in "manage-access-point" mode. |
|
• |
A Quest ESSO Controller must be available. |
|
|
As Double-Login Prevention information is stored in the directory, the directory architecture and replication time (in case several servers are replicated) must be taken into account. The Double-Login Prevention feature can only work if the time it takes for the user to change computer is longer than the time it takes to replicate data between all directory servers.
If replication time is too long, you can configure Quest ESSO Controllers to make them use a list of directory servers according to their availability. As Double-Login Prevention information is stored in the directory, the directory architecture and replication time (in case several servers are replicated) must be taken into account. The Double-Login Prevention feature can only work if the time it takes for the user to change computer is longer than the time it takes to replicate data between all directory servers.
If replication time is too long, you can configure Quest ESSO Controllers to make them use a list of directory servers according to their availability. |
5.3.2.2 Security Tab
|
• |
User authentication area |
|
Allows the user to manually change his/her primary password (whatever the authentication method used) every "n" days using the default password format control policy (PFCP) displayed in the User PFCP field.
Note: In Smart Card Logon mode, the Windows password is changed automatically every "n" days when SSOWatch module of Quest ESSO starts.
Note: If you also select the Change password on token every<n> days check box, the present option is disabled for users whose authentication method does not require to provide the primary password (smart cards, biometrics). | |||||
|
The default password format control policy (PFCP) is selected by default. This PFCP applies when the user types his/her password.
Click the  button to select another existing PFCP.Note: Click the  button to display and if necessary modify the selected PFCP, as described in 5.2.1 Creating/Modifying Password Format Control Policies. | |||||
|
Select this check box to enable the automatic change of the smart card or USB token password every <n> days. This operation has no consequence on the user authentication tasks (the user still uses his/her PIN to authenticate).
If the automatic password change policy detects expiration date of the password when the user authenticates offline, the automatic password change is not performed (it is performed upon the next authentication in connected mode of the user).
You can force the user to re-authenticate when the directory is available again in the opened session, so that the directory password can be automatically changed. For this, set the following registry key to 1: "AutoPwdChangeMandatory" (DWORD), which is located in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ Enatel\WiseGuard\Framework\Authentication.
Note: This option is unavailable if the Change password on token every <n> days check box is cleared. | |||||
|
The default password format control policy (PFCP) is selected by default. This PFCP applies when password change is performed automatically, without user intervention (e.g.: the password is stored on smart card and changes every x days).
Click the button to select another existing PFCP.Note: Click the button to display and if necessary modify the selected PFCP, as described in 5.2.1 Creating/Modifying Password Format Control Policies. | |||||
|
Select this check box to allow users to ask for their password to be sent by email through the Self Service Admin Portal. The list of passwords sent to the user is controlled by the option set on the application. For more information, see Section 6.1.3.2, "Defining Account Properties".
| |||||
If you change the duration time parameter once the roaming session has started, the new value will only be taken into account once the session in progress has expired, or has been deleted by the user (from Advanced Login) or in by the administrator from Quest ESSO Console (see Section 6.2.2.2, "Displaying User Authentication Information and Administering Roaming Sessions").
|
|
• |
Single sign On (SSO) area |
|
Defines the time of inactivity of SSOWatch module of Quest ESSO before its state switches to locked.
Note: The "0" value means infinite time: SSOWatch module of Quest ESSO never locks. | |
|
Allows you to define if the users associated with this user security profile can pause, refresh, stop and restart SSOWatch module of Quest ESSO. | |
|
When SSOWatch module of Quest ESSO is started, this check box allows you to define if the SSOWatch desktop can be opened on the application launcher. | |
|
Allow Enterprise Studio | |
|
Allows you to define if the users associated with this user security profile can select different roles in SSOWatch module of Quest ESSO. | |
5.3.2.3 Unlocking Tab (Fast User Switching Feature)
The Unlocking tab allows you to activate and use the Fast User Switching (FUS) feature.
For more information on the FUS feature, see Session Management Administrator Guide.
For more information on the FUS feature, see Session Management Administrator Guide.
|
Enter a user hierarchy level (0 is the lowest level, and 50000 is the highest). | |
Consider the following situation: you want that user 1, who is a user associated with User Security Profile 1 can unlock or close sessions of other users associated with User Security Profile 1. To do so, you must configure the Unlocking tab as follows:
|
1. |
Use Advanced Login to log on as User 1. |
|
3. |
SSOWatch module of Quest ESSO is restarted with the SSO data of User 2, and the Session Information window of Advanced Login displays the following:
|
• |
Quest ESSO user: User 2. |
|
• |
Windows user: User 1. |
5.3.2.4 Self Service Password Request Tab
The Self Service Password Request tab allows you to activate and configure the Self Service Password Reset feature (SSPR), which allows a user who has lost his/her smart card or forgotten his/her password (or PIN code) to get new credentials on his/her own (with or without the intervention of the helpdesk), in order to authenticate on his/her workstation in a brief delay.
|
|
For a complete description of the SSPR feature (installation, administration...), see Advanced Login Self Service Password Request Administrator Guide. |
|
In this mode, the user cannot reset his/her PIN code. You must set the list of the SSPR servers to be used, as detailed in 5.4.2.6 Self Service Password Request Tab. If the user runs the SSPR feature whereas he/she has locked his/her account, the account is automatically unlocked by the SSPR server upon the password reset.Always available: the user is always able to run the SSPR feature, even if the workstation is not connected to the network or if the SSPR server is not available. You can configure this mode so that the SSPR server can be used if it is available; by selecting item 10 in the SSPR Policy window (see description of the Security Services Tab below).
If Advanced Login is installed, you are advised to use this mode. You must activate the cache. For details, see Section 5.4.2.1, "Security Services Tab". If the directory is not available when the user resets his/her password, you can configure the use of a temporary new password; by selecting item 11 in the SSPR Policy window (see description of the Security Services tab below). In this case, when the workstation switches to the connected mode (directory available again), the user is prompted to re-authenticate and to change his/her password (which will then be updated in the directory).
| |||||
|
This option is only available if the Always available mode is selected.
It allows you to force the user to call the help desk to reset his/her password. For PIN reset, the check box is ignored because the help desk call is mandatory.
| |||||
|
This option is only available if the Always available mode is selected.
It allows you to set the Self Service Password Request (SSPR) feature as an authentication method:
| |||||
|
Questions area
|
This area allows you to define the number of questions to ask to the end-user and to manage a list of available questions. These questions will be displayed by the Self Service Password Request wizard (through Advanced Login) to your end users.
For details, see "Question List Management Procedures", below. | ||||
|
Security area
|
The Advanced button allows you to define other security parameters, as explained in the following table:
 | ||||
|
Security area
|
 To force the user to populate his/her questions and answers before he/she can use SSOWatch module of Quest ESSO on his/her workstation. This option is only available if you have selected the Always available mode.Select this check box to set a waiting period before allowing the user to attempt to answer questions again on his/her workstation. Note: The timeout is set only on the concerned workstation: the user can answer the questions from another workstation before the end of the timeout.
 This option is only available if you have selected the Always available mode.To try the use of the Self Service Password Request (SSPR) server before using the disconnected mode. | ||||
|
Security area
|
To force the user to change his/her answers to question at a defined frequency.
To prevent the user from giving the same answer to different questions.
To prevent the user from using the words used in the questions in his/her answers.
To set the maximum number of attempts to answer questions.
To set the answers of questions as case-insensitive.
To allow the user to connect by password (if he/she is only allowed to connect by smart card) during a defined period of time.
To allow the help desk to set the validity of the temporary password, when he provides a challenge to a user.
This option is only available if you have selected the Always available mode.
This option is only available if you have selected the Always available mode.
|
• |
To create the questions, go to Procedure 1. |
|
• |
To import the questions, go to Procedure 2. |
|
1. |
In the Questions area, click the Select button, and in the displayed window, click Manage questions. |
|
a) |
|
c) |
Set the Question Type: select either Predefined Question to specify a question that cannot be modified by the end user or User-supplied question to allow the end user to define his/her own question. |
|
d) |
|
• |
Click Translations. |
|
• |
Click Add. |
|
• |
Click OK. |
|
f) |
Set the Answer constraints: |
|
• |
Fill in Must match regular expression, to set restrictions on the string corresponding to the answer entered by the end user. For details on the syntax of regular expressions, see Appendix A. "Regular Expressions - Basic Syntax". |
|
g) |
|
3. |
|
4. |
Set a question number to an available question to define a list of available questions for each Question field of the Self Service Password Request wizard (available through Advanced Login): |
|
b) |
|
c) |
Click OK. |
|
• |
To import a set of questions, a .csv file containing the questions must have been generated with the Export button. |
|
• |
If there are more questions in the .csv file than in the Existing Questions, then the additional questions are added to the Existing Questions. |
|
• |
If there are less questions in the Existing Questions than in the csv file, the Existing Questions are kept. |
|
• |
If both the .csv file and the Existing Questions contain the same questions with a few discrepancies, then the Existing Questions are replaced by the questions of the .csv file. |
|
• |
|
1. |
In the Questions area, click the Select button, and in the displayed window, click Manage questions. |
|
2. |
|
4. |
Click Open. |
The set of questions is added to the Existing Questions area.
|
5. |
|
6. |
|
a) |
In the list of questions drop down list, select the Question number, click the Add button. |
|
b) |
|
c) |
Click OK. |