
Enterprise Single Sign-On 9.0.2 - Authentication Manager for Windows Users Guide

Preface

Subject

This guide explains how to use Authentication Manager with the following Windows versions: Windows 10, Windows 8 (and Server 2012), and Windows 7 (and Server 2008).

The following sections apply to all the Windows versions listed above, unless specified otherwise.

Audience

This guide is intended for:

  • End-users
  • Administrators.

Required Software

EAM 9.0 evolution 2 and later versions. For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to One Identity EAM Release Notes.

Typographical Conventions

Bold - Indicates:

  • Interface objects, such as menu names, buttons, icons and labels.
  • File, folder and path names.
  • Keywords to which particular attention must be paid.

Italics - Indicates references to other guides.

Code - Indicates portions of program code, command lines or messages displayed in command windows.

CAPITALIZATION - Indicates specific objects within the application (in addition to standard capitalization rules).

< > - Identifies parameters to be supplied by the user.

Warning: A WARNING icon indicates a potential for property damage, personal injury, or death.

Caution: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

Documentation support

The information contained in this document is subject to change without notice. As our products are continuously enhanced, certain pieces of information in this guide can be incorrect. Send us your comments or suggestions regarding the documentation on the One Identity support website.

Overview

Authentication Manager is the authentication module of the Enterprise Access Management (EAM) suite. It enables rapid implementation of connection procedures using authentication mechanisms with physical authentication tokens (smart cards, USB drive, RFID badges), biometrics and mobile devices, in addition to the standard authentication methods of login/password.

NOTE: The list of supported authentication devices is provided in One Identity EAM Release Notes.

Authentication Manager Usage

Authentication Manager is used to rapidly implement strong authentication in the following use cases:

  • Authentication with smart card or USB drive on Windows workstations, with no need to deploy a PKI compatible with Windows Active Directory certificates.
  • Authentication using non-Windows methods, such as biometrics or mobile devices.
  • Authentication of users through an enterprise directory, which is not part of the Windows network.
  • Authentication using an RFID badge or a Bluetooth device.
  • Authentication with an OTP (One Time Password).

Authentication Manager Features

The Authentication Manager icon, displayed in the notification area, is launched every time you authenticate yourself to a Windows session. It offers different actions depending on the rights the administrator has given you, such as:

  • Enrolling your biometric data.
  • Enrolling your mobile device.
  • Managing personal notes: refer to QRentry - Guide de l’utilisateur.
  • Using the Self Service Password Request feature, by answering personal questions or by using your mobile device.
  • Changing your PIN or collecting an unblocking PIN.
  • Managing a cluster.
  • Delegating a Windows session.
  • Taking control over a workstation.
  • Ending a Roaming session.
  • Managing security questions.
  • Managing reports.

Operating Modes

Authentication Manager can be configured in one of the following modes:

  • With Controller: administrators are directly authenticated in EAM console, the advanced access control module.
  • Without Controller: administrators are directly authenticated in Active Directory or in any other supported LDAP directories.

Welcome Screen

The initial authentication screen appears when you press Ctrl+Alt+Del at workstation startup, or when you want to switch users.

Several users can be logged on at the same time on a workstation, but only one session can be active on the workstation.

Windows versions

Windows 10

With Windows 10, you must first enter your user name, then click Sign-in options to display the available authentication methods and select one. The display changes according to the selected authentication method, and you can then authenticate.

Windows 7

With Windows 7, the initial authentication screen shows several tiles corresponding to the authentication methods that are allowed and installed on the workstation, and to the users logged on to the workstation.

Methods to authenticate

Authentication Manager provides the following authentication methods:

You can also use the Windows Remote Desktop Connection to open a Windows session remotely. When you authenticate yourself on a workstation and then authenticate on a remote workstation, your credentials are transmitted to the remote workstation (Pass Through method).

IMPORTANT: When you open a Windows session with your smart card and then open another connection remotely, this new session is opened in password mode only. This is a Microsoft limitation, as Windows only sends the login and password to the remote workstation.

Logging on to Windows

Logging on to Windows with your User Name and Password

Subject

This section explains how to connect to Windows with your user name and password through Active Directory or any other supported LDAP directory.

For the Windows 10 procedure, go to Windows 10.

For the Windows 7 procedure, go to Windows 7.

NOTE: If you are offline and enter 5 wrong passwords in a row, you will not be able to authenticate for the next 15 minutes. If you enter another wrong password, you will have to wait for an additional 15 minutes.

Windows 10

Procedure
  1. Press Ctrl+Alt+Del.

    The log on screen of the last authenticated user appears.

  2. Click on Other user (or press Esc) to display the welcome screen.
  3. Enter your user name and click Sign-in options to display all the authorized authentication methods.
  4. Do one of the following operations:
    • To log on to the domain displayed on screen, type your password.
    • To log on to another domain than the one displayed on the screen, type:
      <domain name>\<user name>.

      IMPORTANT: If you need to open a local session (you will not be protected by the advanced features of EAM), type <workstation name>\<user name>.
  5. Click on .

    The Windows session opens.


Windows 7

Procedure
  1. Press Ctrl+Alt+Del.

    The initial authentication screen appears.

  2. Click the tile corresponding to your name, or if no tile shows your name, click the Other User tile.

    The authentication screen appears. The following example window shows the Other User authentication tile.

  3. Do one of the following operations:
    • To log on to the domain displayed on screen, type your user name and password.
    • To log on to another domain than the one displayed on the screen, type:
      <domain name>\<user name>.

      IMPORTANT: If you need to open a local session (you will not be protected by the advanced features of EAM), type <workstation name>\<user name>.
  4. Click on .

    The Windows session opens.


Logging on to Windows with your Smart Card

Logging on with a Smart Card containing Account Data

Subject

If your account data is enrolled on the smart card, you can log on to your Windows session as explained in the following procedure.

Procedure
  1. Press Ctrl+Alt+Del.

    The authentication window appears.

  2. Insert your smart card in the smart card reader.

    The initial authentication screen appears, displaying as many tiles as primary accounts stored on the smart card.
    By default, the tile corresponding to the last primary account used to log on the workstation is selected.

    NOTE: If none of the listed primary accounts corresponds to the last used primary account, one of the listed primary accounts is randomly selected. If there is only one primary account on the card, this primary account is selected.
  3. If needed, select the account with which you want to authenticate.
  4. Enter the PIN and click OK.

    IMPORTANT: If you re-authenticate, enter your PIN.

    NOTE: You do not need to enter your username and domain name as they are already stored on the card when it is assigned by an EAM administrator.

    If you try to log on with an expired password, a new password is requested. The smart card will be updated with this new password.
    If you have defined a password-generation policy in Enterprise SSO, the new password can be randomly generated. In this case, this screen never appears.

  5. If there are several Windows accounts corresponding to the primary account, select an account in the role selection window.

    The Windows session opens.

 

Logging on with a Smart Card of type SmartCard Logon

Subject

Authenticating with a smart card of type SmartCard Logon also enables you to manage your primary password.

Description

Indeed, EAM uses the smart card certificate to authenticate you with your primary password.

Prerequisites

Your administrator must:

  • Allow you to authenticate with your password.
  • Allow the encrypted storage of your primary password.

For more information, see One Identity EAM Console - Guide de l'administrateur.

Primary password Collection or Reset

Procedure
  1. Press Ctrl+Alt+Del.

    The authentication window appears.

  2. Insert your smart card in the smart card reader.

    The initial authentication screen appears, displaying as many tiles as primary accounts stored on the smart card.
    By default, the tile corresponding to the last primary account used to log on the workstation is selected.

    NOTE: If none of the listed primary accounts corresponds to the last used primary account, one of the listed primary accounts is randomly selected. If there is only one primary account on the card, this primary account is selected.

  3. If needed, select the account with which you want to authenticate.
  4. Fill in the Password field and click OK.

    IMPORTANT: If you want to reset your password, select the Generate my password check box.

    NOTE: You do not need to enter your username and domain name as they are already stored on the card when it is assigned by an EAM administrator.
  5. If there are several Windows accounts corresponding to the primary account, select an account in the role selection window.

    The Windows session opens.

 

Everyday Log on

Authentication is the same as in Logging on with a Smart Card containing Account Data.

IMPORTANT: If your password has been modified (by an administrator for example), it will have to be re-collected.

Logging on with a blank Smart Card

Subject

The first time you use a multi-account smart card to log on to your workstation, your account data is not necessarily stored on the smart card yet. The following procedure explains how to enroll your own account on a smart card.

The following procedure only applies to smart cards that can handle self-enrollment and multi-accounts.

Procedure
  1. Press Ctrl+Alt+Del.

    The initial authentication screen appears.

  2. Insert your smart card in the smart card reader.

    As your account is not stored on the smart card yet (first smart card authentication), the smart card tile displays Not assigned.

  3. Click the Not assigned smart card tile.

    The authentication screen appears (Windows 10 and Windows 7 screens).

  4. Enter the PIN and click or .

    As this is the first time you authenticate with this smart card, you are asked for your log on user name and password (that are stored in the directory). The password will be stored on the smart card and will no longer be requested, unless it is changed through an external procedure (administrator forcing a change, or a change initiated from a workstation not protected by Authentication Manager).

  5. Enter the requested information and click OK.

    The account is created on the smart card and the session opens.


Logging on through Prim'X Cryhod

Procedure
  1. Log on to the Cryhod pre-boot with your Smart Card and PIN.

    The Windows session opens.

  2. Press Ctrl+Alt+Del.
  3. Select the Smart Card tile.

    NOTE: If your last authentication was with your Smart Card, the Smart Card tile is automatically selected.

    The Windows session opens.


Enrolling a new Account on a Smart Card

Subject

If your smart card can store several accounts, Authentication Manager enables you to enroll new accounts on your smart card, as explained in the following procedure.

IMPORTANT: The account you want to store on the Smart Card must exist in the users' directory.
Procedure
  1. Press Ctrl+Alt+Del.

    The initial authentication screen appears.

  2. Insert your smart card in the smart card reader.

    The tile corresponding to the last primary account used to log on the workstation is selected.

  3. Enter the PIN of your Smart Card.
  4. Select the Create a new account check box and click or .

    The Windows Account Entry window appears.

  5. Enter the requested information and click OK.

    The account is created on the smart card and the Windows session opens.

 

Logging on to Windows with your Fingers

Authentication Manager can work in three store modes to authenticate users using their biometric data:

  • STORE ON PC mode

    The biometric data is stored on the PC in the EAM cache file. The fingerprint replaces the Identifier/Password.

    You must enroll yourself on each PC that you connect to.

  • STORE ON SERVER mode

    The biometric data is stored on a server. The fingerprint replaces the Identifier/Password.

First Log on

Subject

To log on to Windows using your finger, you must first enroll your biometric data.

Before starting
  • A finger reader must be installed on the workstation.

    NOTE: The workstation can support only one reader.

    IMPORTANT: We strongly recommend that you download the latest:

    • Drivers and license of your product.
    • License for the installation.

  • If you use several finger readers, just plug in the one reader you want to use, unplug all the other readers and restart the computer.

    NOTE: For more information on supported biometric devices, see One Identity EAM Release Notes.
  • If the administrator has configured a validation of your authentication, a second EAM user must authenticate after you.
  • If the Biometric Enrollment tool does not start, modify the Authentication Manager installation by selecting the Biometric Enrollment tool option and restart the computer.

    IMPORTANT: Ensure that the Controller is available to enroll in Store on Server mode.


Procedure
  1. Depending on your biometric authentication mode, do one of the following:

    NOTE: You can also log on by using your password and enroll your biometric data afterwards.

    The EAM Biometrics Enrollment tool starts after a successful authentication.

  2. If it does not start, display the Authentication Manager menu by right-clicking the Authentication Manager icon in the notification area and click Biometric enrollment.
  3. Follow the instructions of the Biometric Enrollment tool.
  4. When you have successfully completed the scan of your finger(s), log off and try to log on using the biometric reader, as described in Logging on to Windows with your Fingers.

    NOTE: There can only be one set of fingers per biometric reader.

 

 

Everyday Log on

Subject

This section describes how to log on to Windows using your finger(s).

NOTE: Depending on your biometric authentication mode (STORE ON PC, STORE ON SMART CARD or STORE ON SERVER), the procedure is slightly different.

Before starting

You must have enrolled your biometric data, as described in First Log on.

NOTE: Each time you connect to a new workstation in Store On PC mode, you must enroll your biometric data.

Store on PC mode

  1. When the Authentication Manager welcome screen appears, place your finger on the scanner. If prompted to, enter your Password.

    The following tile appears:

    Depending on your configuration, you log on automatically when your finger is successfully captured. Otherwise, the following window appears:

  2. Make sure your Login is correct and click or to validate.

NOTE: For details on how to enable the automatic validation, see Appendix A., "Authentication Manager Registry Keys".

 

Store on server Mode

 

  1. When the Authentication Manager welcome screen appears, place your finger on the scanner. If prompted to, enter your Password.

    The biometrics tile appears:

    Depending on your configuration, you log on automatically when your finger is successfully captured. Otherwise, the following window appears:

  2. Make sure your Login is correct and click or to validate.

NOTE:

  • If the authentication fails, check your Identifier. If it is not the right one, enter the correct Identifier.
  • For more details on how to enable the automatic validation, see Appendix A., "Authentication Manager Registry Keys".

 

Logging on to Windows with your RFID Badge

Subject

This section explains how to authenticate with an RFID badge or a Bluetooth device. Bluetooth devices (mobile phones, tablets, etc.) can also be used to authenticate when the RFID badge is not available.

IMPORTANT: For the Bluetooth device to be recognized by the EAM Console as an RFID badge, it must be paired with the workstation.

Description

There are two types of RFID authentication:

Contact RFID

An RFID badge can either be:

  • Placed on the device, i.e. active mode: the Windows session is locked when the badge is withdrawn.
  • Quickly presented to the device, i.e. passive mode: the Windows session locks itself when the badge is presented again and withdrawn.

To force RFID authentication behavior, you must set the corresponding registry keys: see RFID.

Zone RFID

When the user enters the unlock area, the RFID badge is detected by the device and the unlocking of the session is possible.

When the user leaves the unlock area, the session closes.

The following figure illustrates how EAM acts depending on the area in which it detects the RFID badge.

First Log on

Before starting

An RFID reader must be installed on the workstation.

Procedure
  1. Place the RFID badge in the unlock area or on the device so that EAM detects it.

    The authentication window appears and tells you that your RFID badge is not assigned.

  2. Click on to validate.

    The Enroll an Account window appears.

  3. Enter your login and password to associate them with your RFID badge.
  4. (Optional): if a PIN has to be associated with your RFID badge, enter it in the corresponding fields.
  5. Click OK.

    If you are authenticated, the session opens.

NOTE:

  • You can have as many RFID badges as you want; this enables you to lend them to other people.
  • You can delete the badge enrollment by blacklisting it in the Administration Console.
  • EAM policy cannot block the auto-enrollment of a badge.


First Log on with your Smart Card

Subject

You can combine the RFID authentication method with a smart card for your first log on.

Before starting
  • Authentication Manager must be installed on the workstation.
  • An RFID and Smart Card reader must be installed on the workstation.

IMPORTANT:

  • You must own both an RFID badge and a smart card to log on.
  • If no RFID badge is detected, the RFID badge enrollment will not be suggested the next time you open your Windows session.

Procedure
  1. Insert your smart card in the smart card reader.

    Your smart card and your RFID badge are detected, and the following window appears:

  2. Click the Enroll button to enroll your RFID badge.

    Your RFID badge is now enrolled.

 

Everyday Log on

Procedure
  1. Place the RFID badge in the unlock area or on the device so that EAM detects it.

    The authentication window appears.

    NOTE: Contact RFID method: you can withdraw your RFID badge before typing in your password.
  2. In the RFID owner field, select the wanted RFID badge, type in your password or PIN and click OK.

    IMPORTANT: If you have withdrawn your RFID badge, you have 30 seconds to enter your password and validate.

    Your session opens.

 

Logging on through Citrix/TSE

If you want to log on through Citrix/TSE, you must press the SHIFT key when placing your RFID badge in the unlock area.

Logging out

There are two possibilities for logging out with a contact RFID badge:

  • If you have left your RFID badge on the device, withdraw it and the session closes.

    NOTE: Not relevant for HID Prox 125kHz badges.

  • If you have withdrawn your RFID badge when opening the session, you must place it back in the unlock area and withdraw it again to close the session.

    NOTE:

    • You can configure how the session closes in the Access Point Profile.
    • If an EAM authentication (such as a primary re-authentication, an Enterprise SSO Studio launch, etc.) is necessary, placing the RFID badge in the unlock area will not lock the PC.
    • If you have a contact smart card, you must insert it in the RFID reader.

To log out with a zone RFID badge, leave the unlock area and the session closes.

Logging on to Windows with your OTP (One Time Password)

Subject

The OTP enables you to log on to Windows with a different password each time. The OTP authentication method is considered as an emergency alternative to the other authentication methods.

Before starting

If you are in:

  • Online mode: the RSA Authentication Agent must be installed on the EAM Controller.
  • Online and Offline mode: the RSA Authentication Agent must be installed on the EAM Controller and on every workstation. You must have authenticated at least once in Online mode to authenticate with your OTP in Offline mode.
Procedure
  1. Press Ctrl+Alt+Del.

    The authentication window appears.

  2. Enter your User name and the OTP (with or without PIN) displayed on the device in the corresponding fields.
  3. Click or .
  4. Depending on the RSA security policy, one of the following may then happen:
    • If you enter too many wrong OTPs in a row, the RSA security policy can require you to enter the next code from your token. A dialog box appears.

      Wait for the new code to appear on your token and enter this code.

    • If the RSA security policy requires you to set or change your PIN, a dialog box appears. The security policy either lets you choose a PIN, or imposes a PIN which you must accept.

      IMPORTANT: Do not enter your PIN.

      • Enter the new PIN and click OK.
      • Wait for the code on your token to change and then reconnect with an OTP that uses the new PIN.
      • Click OK.

    Your session opens.


Logging on to Windows by answering Questions

Subject

If your administrator has authorized it, you can log on to Windows by answering questions from the Questions and answers tile (Windows 10) or Password forgotten (Windows 7) without changing your password. If the administrator has not authorized it, you must reset your password as described in Resetting Your Password or PIN with the Emergency Access.

Before starting
  • You must have chosen a set of questions and recorded the associated answers using the Authentication Manager Self Service Password Request Wizard. Refer to Resetting Your Password or PIN with the Emergency Access.
  • Your workstation must be online.
  • An EAM controller must be available.
Procedure
  1. In the session opening window, depending on your Windows version, click one of the following tiles:
    • Windows 10: Questions and answers.
    • Windows 7: Password forgotten.

    The Self Service Password Request wizard appears.

  2. Follow the displayed instructions and answer the different questions.

    If you have answered the questions correctly, your Windows session opens.


Logging on with your mobile device

Subject

If your administrator has authorized it, you can log on to Windows using your mobile device, from the Connect with a mobile device tile.

For more information on this authentication method, refer to the QRentry - Guide de l’utilisateur.

Logging On a Workstation Locked by another User

Procedure
  1. To log on to a workstation locked by another user, press Ctrl+Alt+Del.

    The authentication screen corresponding to the authentication method used by the other user to lock his/her session appears.

  2. Click the Other Credentials button.
  3. Click the Other User (Windows 10) or Switch User (Windows 8) button.

    The initial authentication screen appears.

  4. Log on to the workstation as explained in Logging on to Windows.


Logging on to Windows using Autologon

There are two ways to log on to Windows with Autologon:

IMPORTANT: To use Autologon, you must set registry keys. If you set the keys for both Microsoft and Authentication Manager Autologon at the same time, only Microsoft Autologon is applied: no E-SSO process is started.

Logging on with Microsoft Autologon

The Microsoft Autologon opens a Windows session without starting Authentication Manager or E-SSO.

NOTE: You can use the SSO FUS method to log on.

Microsoft Autologon works only if all the following registry keys are set:

  • AutoAdminLogon
  • DefaultDomainName
  • DefaultUserName
  • DefaultPassword

NOTE: To set these keys, please refer to the corresponding Microsoft documentation: http://support.microsoft.com/?scid=kb%3Ben-us%3B315231&x=10&y=13.
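The following PowerShell script is an added example, not part of this guide or of the Authentication Manager product: it audits the four Microsoft Autologon values listed above on the local workstation, so an administrator can see whether Microsoft Autologon is active (and therefore taking precedence over Authentication Manager and E-SSO). It assumes the standard Winlogon location documented by Microsoft, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and it reports only whether DefaultPassword is present, never its value.

```powershell
# Added example (not from the One Identity guide): audit the Microsoft Autologon
# values named in the guide. The Winlogon path is the standard Microsoft location;
# it is an assumption of this example and is not stated in the guide itself.
$WinlogonPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$AutologonKeys = 'AutoAdminLogon', 'DefaultDomainName', 'DefaultUserName', 'DefaultPassword'

function Get-MicrosoftAutologonStatus {
    param([string]$Path = $WinlogonPath)

    # Read every value under the Winlogon key in one call.
    $props   = Get-ItemProperty -Path $Path -ErrorAction Stop
    $status  = [ordered]@{}
    $missing = @()

    foreach ($name in $AutologonKeys) {
        $value = $props.PSObject.Properties[$name].Value
        if ([string]::IsNullOrEmpty($value)) {
            $status[$name] = 'not set'
            $missing += $name
        } elseif ($name -eq 'DefaultPassword') {
            # Report presence only: this value is a cleartext password.
            $status[$name] = 'SET (cleartext in registry)'
        } else {
            $status[$name] = $value
        }
    }

    # The guide states Microsoft Autologon works only when all four values are set;
    # Winlogon additionally requires AutoAdminLogon to be the string '1'.
    $status['MicrosoftAutologonActive'] = ($missing.Count -eq 0) -and ($props.AutoAdminLogon -eq '1')
    [pscustomobject]$status
}

$result = Get-MicrosoftAutologonStatus
$result | Format-List

if ($result.MicrosoftAutologonActive) {
    Write-Warning ('Microsoft Autologon is active: the session opens without Authentication Manager ' +
                   'or E-SSO, and it takes precedence over Authentication Manager Autologon.')
} elseif ($result.DefaultPassword -ne 'not set') {
    Write-Warning 'DefaultPassword is present in the registry although Autologon is not fully configured.'
}
```

Run it in an elevated PowerShell session on the workstation to audit; the only side effect is the printed report.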

     

IMPORTANT: If you want to disable the Microsoft Autologon process, keep the Shift key pressed during the authentication process.

Logging on with Authentication Manager Autologon

The Authentication Manager Autologon opens a Windows session with the Authentication Manager and/or E-SSO processes started.

Authentication Manager Autologon works only if all the registry keys in Autologon are set.

IMPORTANT: If you want to disable the Authentication Manager Autologon process, keep the Shift key pressed during the authentication process.

Forcing Cache Update at Logon

Subject

By default, the authentication is done against the existing cache. The following procedure explains how to force the authentication in the target directory and thereby update the authentication data in the cache.

NOTE: This feature is only available if Automatic Validation is disabled by the Administrator: please refer to the One Identity EAM Console - Guide de l'administrateur.

Procedure
  1. After choosing the tile, click I want to modify login options.

    The Login Options window appears.

  2. Select the Update User Cache check box and click OK.

    The authentication is done in the directory and the cache is updated.


Locking/Unlocking your Windows Session

Locking your Session

Subject

The Lock state enables you to prevent anybody from accessing your session when you are away.

This section describes the different means to lock a session, whether your computer is in a cluster or not.

Procedure

To lock the computer, do one of the following:

  • Press the Windows+L keys. Depending on the workstation profile, this locks:
    • The workstation.
    • The keyboard and mouse (transparent lock).

      OR

    • The keyboard and mouse, with a logo displayed at the top of the screen (transparent lock).
  • If you have authenticated with a smart card, remove the card from the reader (or a USB drive from its port): your session is locked automatically.

    NOTE: The administrator can modify the default workstation behavior when a token is removed, from EAM Console. If the session is not locked at token removal, it means that your administrator has modified this option.
  • If you have authenticated with an RFID badge, place the badge outside the visibility area (lock area).
  • If you have authenticated with your mobile device, use the QRentry remote control to lock your session. For more information, see QRentry - Guide de l’utilisateur.
  • Put the computer into a sleep state.

Unlocking your Session

To unlock your session, re-authenticate as you do for session opening. The re-authentication method does not necessarily need to be the same as the one used for opening the main session.

  • If you have authenticated yourself with an RFID badge and locked the session by placing the badge outside the unlock area, the session is automatically unlocked if you come back with your RFID badge in the unlock area before the end of the grace period (which is defined by your administrator).
  • If you have authenticated with your mobile device, use the QRentry remote control to unlock your session. For more information, see QRentry - Guide de l’utilisateur.

A workstation can only be unlocked by the user who has locked it, unless it is unlocked using the Fast User Switching option.

NOTE: A user with administration rights on the workstation can force the closure of a locked administration session.

Standard Unlocking

Procedure

To unlock the session, do one of the following:

Transparent Unlocking

Procedure

To unlock the session, do one of the following:
