Subject
This guide explains how to use Authentication Manager on the following Windows versions: Windows 10, Windows 8 (and Windows Server 2012), and Windows 7 (and Windows Server 2008). Unless stated otherwise, the following sections apply to all of these versions.
Audience
This guide is intended for:
Required Software
EAM 9.0 evolution 2 and later versions. For the versions of the operating systems and software solutions referred to in this guide, see the One Identity EAM Release Notes.
Typographical Conventions
Bold - Indicates:
Italics - Indicates references to other guides.
Code - Indicates portions of program code, command lines, or messages displayed in command windows.
CAPITALIZATION - Indicates specific objects within the application (in addition to standard capitalization rules).
< > - Identifies parameters to be supplied by the user.
Documentation support
The information in this document is subject to change without notice. Because our products are continuously enhanced, some information in this guide may be out of date. Send your comments or suggestions about the documentation through the One Identity support website.
Authentication Manager is the authentication module of the Enterprise Access Management (EAM) suite. It enables rapid implementation of logon procedures that use physical authentication tokens (smart cards, USB drives, RFID badges), biometrics, and mobile devices, in addition to the standard login/password method.
NOTE: The list of supported authentication devices is provided in the One Identity EAM Release Notes.
Authentication Manager is used to rapidly implement strong authentication in the following use cases:
The Authentication Manager icon, displayed in the notification area, appears every time you authenticate to a Windows session. It offers different actions depending on the rights your administrator has granted you, such as:
Authentication Manager can be configured in one of the following modes:
The initial authentication screen appears when you press Ctrl+Alt+Del at workstation startup, or when you want to switch users.
Several users can be logged on to a workstation at the same time, but only one session can be active on it.
Windows 10
With Windows 10, you must first enter your user name, then click Sign-in options to display the available authentication methods and select one. The screen changes according to the selected method, and you can then authenticate.
Windows 7
With Windows 7, the initial authentication screen shows several tiles corresponding to the authentication methods which are allowed and installed on the workstation, and to the users logged on the workstation.
Authentication Manager provides the following authentication methods:
You can also use Windows Remote Desktop Connection to open a Windows session remotely. When you authenticate on a workstation, your credentials are transmitted to the remote workstation when you authenticate on it (Pass-Through method).
IMPORTANT: When you open a Windows session with your smart card and then open another session remotely, the new session is opened in password mode only. This is a Microsoft limitation: Windows only sends the login and password to the remote workstation.
This section explains how to connect to Windows with your user name and password through Active Directory or any other supported LDAP directory.
For the Windows 10 procedure, go to Windows 10.
For the Windows 7 procedure, go to Windows 7.
NOTE: If you are offline and enter 5 wrong passwords in a row, you cannot authenticate for the next 15 minutes. Each further wrong password adds another 15-minute wait.
The log on screen of the last authenticated user appears.
IMPORTANT: If you need to open a local session (in which you are not protected by the advanced features of EAM), type <workstation name>\<user name>.
The Windows session opens.
The initial authentication screen appears.
The authentication screen appears. The following example window shows the Other User authentication tile.
IMPORTANT: If you need to open a local session (in which you are not protected by the advanced features of EAM), type <workstation name>\<user name>.
The Windows session opens.
If your account data is enrolled on the smart card, you can log on to your Windows session as explained in the following procedure.
The authentication window appears.
The initial authentication screen appears, displaying as many tiles as primary accounts stored on the smart card.
By default, the tile corresponding to the last primary account used to log on the workstation is selected.
NOTE: If none of the listed primary accounts corresponds to the last used primary account, one of the listed primary accounts is selected at random. If there is only one primary account on the card, that account is selected.
IMPORTANT: If you re-authenticate, enter your PIN.
NOTE: You do not need to enter your user name and domain name: they are already stored on the card when it is assigned by an EAM administrator.
If you try to log on with an expired password, a new password is requested. The smart card is updated with this new password.
If a password-generation policy is defined in Enterprise SSO, the new password can be generated randomly; in that case this screen never appears.
The Windows session opens.
Authenticating with a smart card of type SmartCard Logon also enables you to manage your primary password: EAM uses the smart card certificate to authenticate you and to manage your primary password.
Your administrator must:
For more information, see One Identity EAM Console - Administrator Guide.
The authentication window appears.
The initial authentication screen appears, displaying as many tiles as primary accounts stored on the smart card.
By default, the tile corresponding to the last primary account used to log on the workstation is selected.
NOTE: If none of the listed primary accounts corresponds to the last used primary account, one of the listed primary accounts is selected at random. If there is only one primary account on the card, that account is selected.
IMPORTANT: If you want to reset your password, select the Generate my password check box.
NOTE: You do not need to enter your user name and domain name: they are already stored on the card when it is assigned by an EAM administrator.
The Windows session opens.
Authentication is the same as in Logging on with a Smart Card containing Account Data.
IMPORTANT: If your password has been modified (by an administrator, for example), it must be collected again.
The first time you use a multi-account smart card to log on to your workstation, your account data is not necessarily stored on the smart card yet. The following procedure explains how to enroll your own account on a smart card.
The following procedure only applies to smart cards that can handle self-enrollment and multi-accounts.
The initial authentication screen appears.
As your account is not stored on the smart card yet (first smart card authentication), the smart card tile displays Not assigned.
The authentication screen appears.
(Screenshots: the authentication screen on Windows 10 and on Windows 7.)
As this is the first time you authenticate with this smart card, you are asked for your log on user name and password (that are stored in the directory). The password will be stored on the smart card and will no longer be requested, unless it is changed through an external procedure (administrator forcing a change, or a change initiated from a workstation not protected by Authentication Manager).
The account is created on the smart card and the session opens.
The Windows session opens.
NOTE: If your last authentication was with your smart card, the Smart Card tile is selected automatically.
The Windows session opens.
If your smart card can store several accounts, Authentication Manager enables you to enroll new accounts on your smart card, as explained in the following procedure.
IMPORTANT: The account you want to store on the smart card must exist in the users' directory.
The initial authentication screen appears.
The tile corresponding to the last primary account used to log on the workstation is selected.
The Windows Account Entry window appears.
The account is created on the smart card and the Windows session opens.
Authentication Manager can work in three store modes to authenticate users using their biometric data:
The biometric data is stored on the PC in the EAM cache file. The fingerprint replaces the Identifier/Password.
You must enroll yourself on each PC that you connect to.
The biometric data is stored on a server. The fingerprint replaces the Identifier/Password.
To log on to Windows using your finger, you must first enroll your biometric data.
NOTE: The workstation can support only one reader.
IMPORTANT: We strongly recommend that you download the latest:
NOTE: For more information on supported biometric devices, see the One Identity EAM Release Notes.
IMPORTANT: Make sure the Controller is reachable before enrolling in Store on Server mode.
NOTE: You can also log on with your password and enroll your biometric data afterwards.
The EAM Biometrics Enrollment tool starts after a successful authentication.
NOTE: There can only be one set of fingers per biometric reader.
This section describes how to log on to Windows using your finger(s).
NOTE: Depending on your biometric authentication mode (STORE ON PC, STORE ON SMART CARD, or STORE ON SERVER), the procedure differs slightly.
You must have enrolled your biometric data, as described in First Log on.
NOTE: Each time you connect to a new workstation in Store On PC mode, you must enroll your biometric data again.
The following tile appears:
Depending on your configuration, you are logged on automatically when your finger is successfully captured. Otherwise, the following window appears:
NOTE: For details on how to enable automatic validation, see Appendix A, "Authentication Manager Registry Keys".
The biometrics tile appears:
Depending on your configuration, you are logged on automatically when your finger is successfully captured. Otherwise, the following window appears:
This section explains how to authenticate with an RFID badge or a Bluetooth device. Bluetooth devices (mobile phones, tablets, and so on) can also be used to authenticate when no RFID badge is available.
IMPORTANT: For a Bluetooth device to be recognized by the EAM Console as an RFID badge, it must be paired with the workstation.
There are two types of RFID authentication:
An RFID badge can either be:
To force RFID authentication behavior, you must set the corresponding registry keys: see RFID.
When the user enters the unlock area, the RFID badge is detected by the reader and the session can be unlocked.
When the user leaves the unlock area, the session closes.
The following figure illustrates how EAM acts depending on the area in which it detects the RFID badge.
An RFID reader must be installed on the workstation.
The authentication window appears and tells you that your RFID badge is not assigned.
The Enroll an Account window appears.
If you are authenticated, the session opens.
You can combine the RFID authentication method with a smart card for your first log on.
Once your smart card and your RFID badge are detected, the following window appears:
Your RFID badge is now enrolled.
The authentication window appears.
NOTE: Contact RFID method: you can remove your RFID badge before typing in your password.
In the RFID owner field, select the wanted RFID badge, type in your password or PIN and click OK.
IMPORTANT: If you have removed your RFID badge, you have 30 seconds to enter your password and validate.
Your session opens.
If you want to log on through Citrix/TSE, you must press the SHIFT key when placing your RFID badge in the unlock area.
There are two possibilities for logging out with a contact RFID badge:
NOTE: Not relevant for HID Prox 125kHz badges.
To log out with a zone RFID badge, leave the unlock area and the session closes.
A one-time password (OTP) lets you log on to Windows with a different password each time. OTP authentication is considered an emergency alternative to the other authentication methods.
If you are in:
The authentication window appears.
Wait for the new code to appear on your token and enter this code.
IMPORTANT: Do not enter your PIN.
If the RSA security policy requires you to set or change your PIN, a dialog box appears. The policy either lets you choose a PIN or imposes one that you must accept.
Enter the new PIN and click OK.
Your session opens.
If your administrator has authorized it, you can log on to Windows without changing your password by answering questions from the Questions and answers tile (Windows 10) or the Password forgotten tile (Windows 7). If this is not authorized, you must reset your password as described in Resetting Your Password or PIN with the Emergency Access.
The Self Service Password Request wizard appears.
If you have answered the questions correctly, your Windows session opens.
If your administrator has authorized it, you can log on to Windows using your mobile device, from the Connect with a mobile device tile.
For more information on this authentication method, refer to QRentry - User Guide.
The authentication screen corresponding to the method the other user used to lock their session appears.
The initial authentication screen appears.
There are two ways to log on to Windows with Autologon:
IMPORTANT: To use Autologon, you must set registry keys. If you set the keys for both Microsoft Autologon and Authentication Manager Autologon at the same time, only Microsoft Autologon is applied: no E-SSO process is started.
The Microsoft Autologon opens a Windows session without starting Authentication Manager or E-SSO.
NOTE: You can use the SSO FUS method to log on.
Microsoft Autologon works only if all of the following registry values are set:
AutoAdminLogon
DefaultDomainName
DefaultUserName
DefaultPassword
NOTE: To set these values, refer to the corresponding Microsoft documentation: http://support.microsoft.com/?scid=kb%3Ben-us%3B315231&x=10&y=13.
IMPORTANT: To bypass Microsoft Autologon, keep the Shift key pressed during the authentication process.
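The following PowerShell is an added example and is not part of the One Identity guide. It audits the four registry values listed above and can set or clear them. It assumes the standard Winlogon key, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, from the Microsoft article referenced in the note, and the Winlogon value IgnoreShiftOverride (not mentioned in this guide), which when set to 1 prevents the Shift key from bypassing Autologon. DefaultPassword is a clear-text REG_SZ readable by every local account, which is why the audit only reports whether it is present and why the disable function removes it rather than just turning AutoAdminLogon off (the Sysinternals Autologon tool stores the password as an LSA secret instead).

```powershell
# Added example, not from the One Identity EAM guide. Audits and configures the
# Microsoft Autologon values in the Winlogon key (path per the Microsoft article
# referenced above). Reading works for any user; writing needs an elevated session.

$WinlogonKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RequiredValues = 'AutoAdminLogon', 'DefaultDomainName', 'DefaultUserName', 'DefaultPassword'

function Get-MicrosoftAutologonState {
    # Reports whether the four values the guide requires are all set, without
    # echoing the clear-text DefaultPassword to the console or a transcript.
    $props   = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    $missing = @($RequiredValues | Where-Object { [string]::IsNullOrEmpty($props.$_) })

    [pscustomobject]@{
        AutoAdminLogon       = $props.AutoAdminLogon
        DefaultDomainName    = $props.DefaultDomainName
        DefaultUserName      = $props.DefaultUserName
        PasswordInRegistry   = -not [string]::IsNullOrEmpty($props.DefaultPassword)
        Enabled              = ($props.AutoAdminLogon -eq '1') -and ($missing.Count -eq 0)
        MissingValues        = $missing
        # IgnoreShiftOverride = '1' disables the Shift-key bypass described above.
        # Assumption: standard Winlogon value, not documented in this guide.
        ShiftOverrideIgnored = ($props.IgnoreShiftOverride -eq '1')
    }
}

function Set-MicrosoftAutologon {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]       $DomainName,
        [Parameter(Mandatory)] [string]       $UserName,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Winlogon reads DefaultPassword as clear text, so the SecureString has to be
    # decoded here; the unmanaged BSTR copy is zeroed as soon as it has been read.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    if ($PSCmdlet.ShouldProcess($WinlogonKey, "Enable Microsoft Autologon for $DomainName\$UserName")) {
        Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon    -Value '1'         -Type String
        Set-ItemProperty -Path $WinlogonKey -Name DefaultDomainName -Value $DomainName -Type String
        Set-ItemProperty -Path $WinlogonKey -Name DefaultUserName   -Value $UserName   -Type String
        Set-ItemProperty -Path $WinlogonKey -Name DefaultPassword   -Value $plain      -Type String
    }
}

function Disable-MicrosoftAutologon {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Setting AutoAdminLogon to 0 is not enough: the stored password stays
    # readable in the registry unless it is removed as well.
    if ($PSCmdlet.ShouldProcess($WinlogonKey, 'Disable Microsoft Autologon and remove DefaultPassword')) {
        Set-ItemProperty    -Path $WinlogonKey -Name AutoAdminLogon  -Value '0' -Type String
        Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword -ErrorAction SilentlyContinue
    }
}

# Usage: audit first; -WhatIf previews the registry writes without applying them.
Get-MicrosoftAutologonState | Format-List
Set-MicrosoftAutologon -DomainName 'CORP' -UserName 'kiosk' `
    -Password (Read-Host -Prompt 'Password' -AsSecureString) -WhatIf
```

Run Get-MicrosoftAutologonState again after Set-MicrosoftAutologon or Disable-MicrosoftAutologon to confirm the end state; Enabled is true only when AutoAdminLogon is 1 and all four values are present, which matches the condition stated above for Microsoft Autologon to work.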
The Authentication Manager Autologon opens a Windows session with the Authentication Manager and/or E-SSO processes started.
Authentication Manager Autologon works only if all the registry keys described in Autologon are set.
IMPORTANT: To bypass Authentication Manager Autologon, keep the Shift key pressed during the authentication process.
By default, authentication is performed against the existing cache. The following procedure explains how to force authentication against the target directory, which also updates the authentication data in the cache.
NOTE: This feature is only available if Automatic Validation has been disabled by the administrator; refer to One Identity EAM Console - Administrator Guide.
The Login Options window appears.
The authentication is done in the directory and the cache is updated.
The Lock state prevents anyone from accessing your session while you are away.
This section describes the different means to lock a session, whether your computer is in a cluster or not.
To lock the computer, do one of the following:
NOTE: If you authenticated with a smart card, remove the card from the reader (or the USB drive from its port): your session is locked automatically.
NOTE: The administrator can modify the default workstation behavior on token removal from the EAM Console. If the session is not locked when the token is removed, your administrator has modified this option.
To unlock your session, you can re-authenticate as you do for session opening. The re-authentication method does not necessarily need to be the same as for opening the main session.
A workstation can only be unlocked by the user who locked it, unless it is unlocked using the Fast User Switching option.
NOTE: A user with administrative rights on the workstation can force a locked session to close.
To unlock the session, do one of the following:
NOTE: The grace period is set by your administrator.
To unlock the session, do one of the following:
If the grace period has:
NOTE: The grace period is set by your administrator.
© 2021 One Identity LLC. ALL RIGHTS RESERVED.