
Enterprise Single Sign-On 9.0.2 - Authentication Manager for Windows Users Guide

Switching Users Without Logging Off Windows

Subject

One Identity offers two means of fast user switching: the Fast User Switching (FUS) and the Multi-User Desktop (MUD).

Fast User Switching

The Fast User Switching (FUS) feature allows a user to load his/her SSO configuration without closing the current Windows session.

When the user logs on to the workstation, all the running applications are closed and Enterprise SSO restarts with the user SSO configuration.

Multi-User Desktop

The Multi-User Desktop (MUD) is an advanced feature of the FUS. The MUD enables a high number of users to work on a single station with simultaneous Windows sessions.

When one of the users logs on to the workstation, all the applications of the user are opened and Enterprise SSO restarts with the user SSO configuration.

NOTE: For more information on the FUS and the MUD, refer to Authentication Manager Session Management Administrator’s Guide.
Before starting
  • You have rights to lock/unlock Enterprise SSO sessions.
  • FUS: the workstation is configured to use the Fast User Switching feature with Authentication Manager.
  • MUD:
    • Applications must support several instances working simultaneously.
    • A specific configuration is required for Internet Explorer. Please contact the One Identity Expertise Center.
    • MUD is configured for stations where the Windows session is opened automatically and continuously and must never be locked. Do not activate the display screensaver; however, a basic screensaver with no password request can be used.
Procedure

 

Managing your Password or PIN

Changing your Password

Subject

This section explains how to modify your own password or the password of another user (if you are allowed to).

Description

If you have authenticated with your:

  • Smart card or RFID badge, you can modify the password of the account that you have used to authenticate, as explained in the following procedure. The password will be modified on the smart card or RFID badge and in the directory.
  • User name and password, you can modify your password as explained in the following procedure.
Procedure
  1. Open a session as described in Logging on to Windows.
  2. Press Ctrl+Alt+Del.
  3. Click Change a Password.

    The change password window appears.

    NOTE:

    • If the change password option has been disabled by your administrator, clicking on Change a Password will have no effect.
    • The password change window differs depending on the authentication method used.

     

    Windows 10

    Windows 7

  4. To help you enter a password consistent with the Password Format Control Policy, click Help me choose a valid password.

    The following window appears:

  5. Fill in the Password field and click OK.
  6. Fill in the Confirm Password field and click or .

    The password is modified in the LDAP directory.

 

Changing an Expired Primary Password

Subject

If you authenticate with your User name and Primary Password, you can choose a new Primary Password.

Procedure
  1. When your Primary Password is expired, the Security Data Collection window appears.

  2. To change your Primary Password, do one of the following:
    • To use your own password, type in your chosen password in the Password and Confirmation fields.
    • If your administrator has authorized it, you can generate a random password by selecting the Generate automatically check box.
  3. Click the OK button.

    Your Primary Password has been changed.

NOTE: If you are offline when your Primary Password is about to expire, you will be asked to change it the next time you log on.

 

Resetting your Password by Logging on to Windows with your Mobile Device

Subject

If allowed by your security administrator, you can reset your primary password after logging on to Windows with your mobile device.

For more information on this authentication method, refer to the QRentry - User Guide.

Modifying your Smart Card PIN

Subject

This section explains how to change the PIN of your smart card.

Procedure
  1. Open a Windows session as described in Logging on to Windows with your Smart Card.
  2. In the notification area, right-click the Authentication Manager icon and select Change PIN.

    The change PIN window appears.

  3. Enter the requested information and click OK.

    The smart card PIN is modified.

 

Modifying your RFID badge PIN

Subject

This section explains how to modify the PIN of your RFID badge.

Procedure
  1. Open a Windows session as described in Logging on to Windows with your RFID Badge.
  2. In the notification area, right-click the Authentication Manager icon and select Change PIN.

    The change PIN window appears.

  3. Enter the requested information and click OK.

    The RFID badge PIN is modified.

 

Modifying an Expired PIN

Subject

When your PIN expires, you must change it.

Procedure
  1. When your PIN is expired, the change PIN window appears.
  2. Enter your new PIN in the corresponding fields.

    NOTE: Your new PIN must comply with the PIN control policy.
  3. Click the OK button.

    Your PIN has been modified.

    NOTE: If you are offline when your PIN is about to expire, you will be asked to change it the next time you log on.

 

 

Resetting your PIN with your Primary Password

Subject

When your RFID badge is blocked because you entered too many wrong PINs, you can reset your PIN with your primary password.

Procedure
  1. When your PIN is blocked, the Unblock RFID badge PIN window appears.

  2. Enter your primary password in the Password field.
  3. Enter a new PIN in the corresponding fields and click OK.

    Your PIN is reset.

NOTE:

  • If you are offline when your PIN is blocked, you will be asked to reset it the next time you log on.
  • Your PIN can also be reset by the help desk.

 

Resetting Your Password or PIN with the Emergency Access

The emergency access (SSPR) enables you to authenticate and reset your password or PIN, whether you are connected or not to the network. If you are:

  • Connected or not to the network, you can reset your password or PIN by answering questions, as described in Reset with Questions & Answers.
  • Connected to the network, you can reset your password by requesting an OTP sent to your mobile device/email, as described in Resetting with an OTP.

    IMPORTANT: If you are not connected to the network, you must answer the questions if it has been configured.

Reset with Questions & Answers

The following schema illustrates the tasks you have to perform to reset your password or PIN by answering a series of personal questions. These tasks are described in this section.

NOTE: This PIN reset method is not compatible with the RFID+PIN authentication method.

 

 

Initializing the Self Service Password Request Feature

Subject

You must initialize the Self Service Password Request (SSPR) feature to save your answers to a set of questions. Then, to reset your password or PIN, you must answer the questions you have chosen.

You can perform this task every time you want to update or change your questions and answers.

When the SSPR is enabled, you can define your questions (optional) and answers the first time that your Authentication Manager is activated. Then you may need to modify this information in the following cases:

  • The questions have changed, so you have to update your answers.
  • You must enter your answers periodically.
  • You want to change your questions/answers.

You can initialize the SSPR through the EAM portal (see One Identity EAM Portal - User Guide) or through the Authentication Manager icon as detailed in the following procedure.

Procedure

 

  1. Right-click the Authentication Manager icon in the notification area and select Manage Security Questions.

    The authentication window appears.

  2. Enter your ID and Password and click OK.

    The Self Service Password Request wizard appears.

  3. Follow the displayed instructions: you have to select a number of questions and record their corresponding answers.

    NOTE: Restrictions may apply when you define your questions/answers, for example a minimum/maximum number of characters, or words that you cannot use. If you do not know why your questions/answers are not accepted, contact your EAM administrator.

 

Resetting Your Password Upon Session Opening

Subject

The Reset Password feature allows you to reset your password to open your Windows session even if you have forgotten your smart card or cannot remember your password.

You can reset your password through the EAM portal (see One Identity EAM Portal - User Guide) or upon session opening as detailed in the following procedure.

Before starting

NOTE: If you have not initialized the Self Service Password Request feature and therefore cannot reset your password by yourself, the administrator can still modify your primary password from EAM Console.

Procedure

 

  1. Click or (if the session is locked and the unlocking by another user is forbidden, you cannot change the user name).
  2. Do one of the following, depending on your Windows version:
    • Windows 10: Check or enter your user name. Click the Questions and answers tile.
    • Windows 7: Click the Password forgotten tile. Check or enter your user name.

    IMPORTANT: If the Questions and answers/Password forgotten option does not appear on the screen, it means that your administrator has disabled it or that you do not own the license.

    The Self Service Password Request wizard appears.

  3. Follow the instructions displayed in the Wizard window: answer each question, according to the answers you gave while initializing the Self Service Password Request.
  4. Enter your new password twice.

    NOTE: Click Help me to choose a valid password to check that your new password is in accordance with the Password Format Control Policy.

  5. Depending on the SSPR configuration, you may have to enter a challenge provided by the help desk to confirm your new password. Do the following:
    1. Call the help desk and give the displayed challenge.

      The help desk gives you back another challenge.

      NOTE: The challenge that the help desk gives you can only be used once.

  6. Enter this challenge and validate.

    Your password is reset and your session opens. You can then use the new password for next logons.

    NOTE: If the password has been reset in disconnected mode, you will be asked to change it the next time you connect to the network.

Resetting your PIN

Subject

The Reset PIN feature allows you to reset your PIN (whether you are online or offline) in case you have forgotten it.

Before starting
Procedure
  1. Insert your Smart Card.
  2. In the authentication screen, click I have forgotten my PIN.

    IMPORTANT: If the I have forgotten my PIN option does not appear on the screen, it means that your administrator has disabled it or that you do not own the license.

    The Self Service Password Request wizard appears.

  3. Follow the instructions displayed in the Wizard window: answer each question, according to the answers you gave while initializing the Self Service Password Request and enter your new PIN twice.

    The following window appears:

  4. Call the help desk and give the displayed challenge.

    The help desk gives you back another challenge.

    NOTE: The challenge that the help desk gives you can only be used once.
  5. Enter this challenge and click Next.

    When the Wizard terminates, your PIN is reset and a session opens. You can then use the new PIN for next logons.

 

Resetting with an OTP

Subject

The Reset Password feature allows you to reset your password to open your Windows session even if you cannot remember your password.

You can reset your password through the EAM portal (see One Identity EAM Portal - User Guide) or upon session opening as detailed in the following procedure.

Before starting

Authentication Manager must be installed on your workstation.

Procedure
  1. Do one of the following, depending on your Windows version:
    • Windows 10:
      1. Check or enter your user name.
      2. Click the Questions and answers tile.
    • Windows 7:
      1. Click the Password forgotten tile.
      2. Check or enter your user name.
  2. Click or (if the session is locked and the unlocking by another user is forbidden, you cannot change the user name).

    IMPORTANT: If the Questions and answers/Password forgotten option does not appear on the screen, it means that your administrator has disabled it or that you do not own the license.

    An OTP is sent to your mobile device/email.

  3. Enter the received OTP and click or .
  4. Enter your new password twice.

    NOTE: Click Help me to choose a valid password to check that your new password is in accordance with the Password Format Control Policy.

    Your password is reset and your session opens. You can then use the new password for next logons.

 

 

Managing your Smart Card

Managing the Unblocking of your Smart Card

During authentication, if you enter too many successive wrong PINs, your smart card blocks itself and the following window appears:

You are asked to enter your unblocking PIN, or PUK, to unblock your smart card.

Providing the Unblocking PIN of Your Smart Card

Subject

Providing your unblocking PIN, or PUK, enables you to unblock your smart card if you have entered too many successive wrong PINs.

Procedure
  1. Right-click the Authentication Manager icon in the notification area and select Collect unblocking PIN.

    The Collect unblocking code window appears.

  2. Enter your PUK in both fields and click OK.

    IMPORTANT: If you enter too many successive wrong PUKs, your Smart Card blocks itself.
  3. Enter your PIN to confirm you are the actual owner of this smart card and click the OK button.

    Your PUK has been provided.

 

Unblocking your Smart Card

Before starting

You can unblock your smart card only if it has an external CMS.

If you:

Unblocking Your Smart Card if you have provided Your PUK

Procedure
  1. In the Smart Card Blocked window, click the OK button.

    The Unblock Smart Card window appears.

  2. Call the Help Desk so that it can give you the Unblocking secret.
  3. Enter your Unblocking secret in the Unblocking secret field.
  4. Enter your new PIN in the New PIN and PIN confirmation fields.
  5. Click OK.

    Your smart card is now unblocked.

 

Unblocking Your Smart Card if you have not provided Your PUK

Procedure
  1. In the Smart Card Blocked window, click the OK button.

    The Unblock Smart Card window appears.

  2. Enter your PUK in the Your PUK field.
  3. Enter your new PIN in the New PIN and PIN confirmation fields.
  4. Click OK.

    Your smart card is now unblocked.

 

Managing Primary Accounts on your Smart Card

Before starting

The following procedure only applies to smart cards that can store several SSO accounts.

You can delete all the accounts stored on the smart card, even the one you used to log on with. In this case, after the account deletion, the session stays open.

IMPORTANT: Do not lock the session as you will not be able to unlock it. We recommend that you log off the session after the account deletion.
Procedure
  1. Open a session as described in Logging on to Windows with your Smart Card.
  2. In the notification area, right-click the Authentication Manager icon and select Manage Primary Accounts.

    The Manage Primary Accounts window appears and lists the accounts stored on the smart card.

  3. Select the account you want to add or remove and click the Add or Remove button.
  4. Follow the displayed instructions and click OK.

    The account is created/removed on/from the smart card.

 

Renewing your Smart Card Certificate(s)

Subject

A set of certificates can be stored on your smart card. When these certificates are about to expire and upon a successful smart card authentication, Authentication Manager displays a warning message with the list of these certificates. To renew them, execute the following procedure.

Restriction

Compatible only with Windows Smartlogon cards.

Procedure
  1. Log on with your smart card.

    The Automatic Certificate Renewal window appears.

  2. Enter your PIN and click Renew all.

    Your certificate(s) has(have) been renewed and added to your smart card.

    NOTE: If you click Not now, your certificate is not renewed and the window will appear each time you log on until you renew the certificate(s).

Recovering your SSO Data

Subject

If your password was forced by a directory administrator or if you have changed smart cards, you can recover your SSO data by providing your old password or by answering questions.

Recovering your SSO data with your old password

Before starting

You authenticated at least once on your workstation connected to the network or an EAM directory is available.

Procedure
  • At session opening, the SSO data recovery window appears. Enter your old password and click OK.

    Your SSO data has been recovered.

 

Recovering your SSO data by answering questions

Before starting
  • Your administrator has given you the authorization (the SSPR must be configured in always available mode: see One Identity EAM Console - Administrator's Guide).
  • You authenticated at least once on your workstation connected to the network or an EAM directory is available.
  • The SSPRForSelfSSORecovery registry key (see Password Management) must be enabled.
  • You must have chosen a set of questions and recorded the associated answers using the Authentication Manager Self Service Password Request Wizard. Refer to Initializing the Self Service Password Request Feature.
Procedure
  1. At session opening, the SSO data recovery window appears.

  2. Click Next.

    The Self Service Password Request wizard appears.

  3. Follow the displayed instructions and answer the different questions.

    If you answered all the questions correctly, your SSO data is recovered.

    If you did not answer all the questions correctly, you can restart the procedure or enter your old password. If you click Cancel, the Enterprise SSO - Data Migration window appears.

 

 
