An administrator can log on to a user's session using his own smart card, even though the user opened his Windows session using a smart card.
The user session is left unchanged. If Enterprise SSO was running, it is automatically set to a locked mode.
NOTE: The length of the grace period can be configured from EAM Console.
This authentication enables User Access to check your identification data. The user's Windows session stays open: your Windows permissions do not apply.
The user session appears as it was before the smart card removal. The user is prompted to insert his smart card and provide his PIN to set Enterprise SSO back to the unlocked mode.
If your administrator has authorized it, you can log on as local administrator on a user workstation using your mobile device, from the Connect with a mobile device tile.
For more information on this authentication method, refer to the QRentry - Guide de l’utilisateur.
An administrator can log on to a user's session using his own smart card or OTP, even though the user opened his Windows session using the same authentication method.
The Execute window appears:
The Command Prompt window appears.
The command line has been executed with your Windows credentials.
NOTE: The AMRunAS command line is derived from the Windows RunAS command line. You can display all the available command-line options and their descriptions by entering the following command line: RunAS.exe /?
The Execute window appears:
The Command Prompt window appears.
You are now logged on with your Windows credentials.
If the administrator needs to use Enterprise SSO or any other application, it must be installed on the user’s workstation.
The Execute window appears:
The Command Prompt window appears.
Enterprise SSO restarts with your credentials.
Authentication Manager enables you to download PDF reports (generated on demand or periodically) and to save them on your workstation.
NOTE: A notification e-mail can be sent to inform you that a report is available for download from Authentication Manager.
For more information on report generation, refer to the One Identity EAM Console - Guide de l'administrateur.
The report management window appears.
NOTE: Select the Show reports generated in the last x days check box to limit the number of reports taken into account.
NOTE: The Report state column indicates whether the report has been downloaded or not and displays the following two states:
NOTE: If several reports are assigned to you, you can select them and download them all at the same time.
This appendix describes the Authentication Manager configuration settings stored in the Windows registry that you can modify.
Some registry keys are used only by EAM clients, others are reserved for EAM Controllers, and others are available on both clients and controllers. The scope of an update depends on the computer on which the registry keys are changed. If you update the configuration of a:
IMPORTANT: The Windows registry must be modified by qualified personnel only.
AutoLogonUserLogin
Scope: EAM Client
Description:
Type: REG_SZ
Values: User name with domain (<Domain_name>\<user_name>).
Location:

AutoLogonUserPassword
Scope: EAM Client
Description:
Type: REG_SZ
Values: User password.
Location:

AutoRelogon
Scope: EAM Client
Description: Configures the autologon to be executed after a session is closed.
Type: REG_DWORD
Values: 0: the session is not automatically re-opened. 1: the session is automatically re-opened with the same user. If you keep the Shift key pressed during the logon sequence, the automatic logon is interrupted and you can authenticate yourself with a smart card or biometric data to open the Windows session as another user.
Location:
BioAutoValidate
Scope: EAM Client
Description: Store on PC mode only. Enables/disables the automatic validation upon fingerprint authentication.
Type: REG_DWORD
Values: 0: disabled. 1: enabled.
Location:

BiometricFAR
Scope: EAM Client
Description: Biometric False Acceptance Rate (FAR).
Type: REG_DWORD
Values: Default value: 20000 (meaning that the probability of a wrong fingerprint being accepted is 1/20000).
Location:

BiometricMaxEnrolledUsers
Scope: EAM Client
Description: Store on PC mode only. Maximum number of users that can be enrolled on the workstation. If the maximum number is exceeded, the oldest enrolled user is deleted.
Type: REG_DWORD
Values: Default value: 20.
Location:

CheckEnrollment
Scope: EAM Client
Description: After the biometric templates have been saved, the user is asked to perform a biometric authentication to check the templates and to create the biometric authentication cache. If the user cancels the authentication, the cache is not created. This key is set on all workstations where the biometric enrollment tool is installed.
Type: REG_DWORD
Values: 0 (default): the user does not authenticate. 1: the user must authenticate to create the cache file.
Location:

DisableBeepOnBioEvent
Scope: EAM Client
Description: Each time a detection event is identified by the biometric middleware, a message appears and a beep sounds. This key disables the beep.
Type: REG_DWORD
Values: 0 (default): beep enabled. 1: beep disabled.
Location:

StartOnce
Scope: EAM Client
Description: Displays the biometric enrollment tool only once for the user. If the user cancels the enrollment, the biometric enrollment tool is not displayed again.
Type: REG_DWORD
Values: 0 (default): the biometric enrollment tool is displayed each time the user starts his Windows session. 1: the biometric enrollment tool is displayed only once; afterwards, password authentication is displayed by default.
Location:
CheckWhetherPasswordExpires
Scope: EAM Client
Description: The automatic change of the primary password defined in the user security profile does not apply to Windows accounts whose password never expires. Note: this applies only when the primary accounts are stored in Active Directory.
Type: REG_DWORD
Values: 0 (default): disabled. 1: enabled.
Location:

ForcePasswordChangeAfterSSPR
Scope: EAM Client
Description: The must change password at next connection option is always enabled when users reset a password through the SSPR process. This key must be set on the workstations where the SSPR process is running. It has no effect if no SSPR process is installed.
Type: REG_DWORD
Values: 0: option disabled. 1: option enabled.
Location:

PasswordChangeForbiddenMessage
Scope: EAM Client
Description: Enables the administrator to display an information message to the user after he has refused to change his password from the workstation.
Type: REG_SZ
Values: Message displayed to the user after a password change refusal.
Location:

PasswordChangeProcessCheckList
Scope: EAM Client
Description: Enables the administrator to prevent the user from changing his password while certain processes are running.
Type: REG_SZ
Values: List of processes that block the password change, separated by spaces. The process name is the one displayed in the Windows Task Manager.
Location:

PostChangePasswordMessage
Scope: EAM Client
Description: Enables the administrator to display an information message to the user after he has changed his password from the workstation.
Type: REG_SZ
Values: Text of the message displayed after a voluntary password change from the One Identity tile.
Location:

RandomPasswordLength
Scope: EAM Client
Description: When the PFCP imposes a randomly generated password, the password length is also generated randomly, within the limits defined by that PFCP.
Type: REG_DWORD
Values: 0 (default): disabled. 1: enabled.
Location:

ResetPasswordAdminGroupDN
Scope: EAM Controller
Description: Allows all members of the administration group to reset the password of any user.
Type: REG_SZ
Values: DN of the administration group.
Location:

ShowPasswordFormatHelper
Scope: EAM Client
Description: Displays or hides the password format wizard that helps the user change his password.
Type: REG_DWORD
Values: 0: option disabled. 1 (default): option enabled.
Location:

ShowResetColleaguePasswordN
Scope: EAM Controller and Client
Description: Allows a manager or an administration group member to define a temporary password access (TPA) for a colleague. To configure the TPA, you must create the
Type: REG_DWORD
Values: 0 (default): option disabled. 1: option enabled.
Location:

SSPRForSelfSSORecovery
Scope: EAM Client
Description: Activates the SSO data recovery feature via the SSPR. This key must be set on all workstations where SSO data recovery is enabled.
Type: REG_DWORD
Values: 0: option disabled. 1 (default): option enabled.
Location:

WorkStationAccountRandomNPGP
Scope: EAM Client
Description: Available with any supported LDAP directory except Active Directory. In this type of architecture, EAM stores user SSO data in an LDAP directory other than Active Directory, while the users' accounts are stored in Active Directory and managed by Enterprise SSO as secondary accounts. In this configuration, the Windows password must be changed manually by default; this key allows you to configure an automatic password change.
Type: REG_DWORD
Values: 0: manual change of the Windows password. 1: automatic change of the Windows password.
Location:
ForceRfidMode
Scope: EAM Client
Description: Forces the RFID authentication behavior.
Type: REG_DWORD
Values: 0 (default behavior): if the badge is present for less than 3 seconds, passive mode is used; if the badge is present for more than 3 seconds, active mode is used. 1: passive mode. 2: active mode.
Location:

RFIDMultiSelfEnrollAllowed
Scope: EAM Controller
Description: Restricts the self-enrollment of RFID tokens to one token per user.
Type: REG_DWORD
Values: 0: restricted to one token per user. 1 (default): no restriction.
Location:

RFIDSelfEnrollAllowed
Scope: EAM Controller and Client
Description: Forbids or allows the self-enrollment of RFID tokens.
Type: REG_DWORD
Values: 0: forbidden. 1 (default): allowed.
Location:

GetRoamingSessionOnlyFromRFID
Scope: EAM Client
Description: Restricts the opening of a roaming session to the RFID badge authentication method.
Type: REG_DWORD
Values: 0 (default): the roaming session is opened with any authentication method (RFID badge or smart card). 1: the roaming session is opened only with an RFID badge.
Location:

RoamingSessionMaxPINTries
Scope: EAM Controller and Client
Description: If too many wrong PINs are entered to open a roaming session with a smart card or RFID badge, the roaming session is deactivated and the user must insert his smart card.
Type: REG_DWORD
Values: 5 (default): the user can enter up to 5 wrong PINs before his roaming session is deactivated and he has to insert his smart card. Notes: the wrong-PIN counter is reset each time the user enters the correct PIN; the counter cannot be displayed; this registry key has no effect on the EAM web services.
Location:

RoamingSessionProtectedByPIN
Scope: EAM Controller and Client
Description: Opening a roaming session with a smart card or an RFID badge requires its PIN.
Type: REG_DWORD
Values: 0 (default): the roaming session is opened with any authentication method (RFID badge or smart card) without the PIN. 1: the roaming session is opened with an RFID badge or a smart card and the PIN is mandatory.
Location:

RoamingSessionServerList
Scope: EAM Controller
Description: To manage roaming sessions, in some complex architectures it is recommended to force controllers to connect to the same LDAP server (to avoid problems caused by replication delays between the LDAP servers used by the controllers). In such a case, this registry key allows you to configure the list of LDAP servers in order of priority.
Type: REG_SZ
Values: Ordered list of LDAP servers (by default, there is no value).
Location: AD:

SetRoamingSessionOnly
Scope: EAM Client
Description: When the roaming session is active and expired, if a user authenticates with an RFID badge, a card insertion is requested instead of a password.
Type: REG_DWORD
Values: 0 (default): a password is requested when authenticating with an RFID badge. 1: a card insertion is requested when authenticating with an RFID badge.
Location:

SetRoamingSessionOnlyFromCard
Scope: EAM Client
Description: Restricts the creation of a roaming session to the smart card authentication method.
Type: REG_DWORD
Values: 0 (default): the roaming session is created with any authentication method (smart card or RFID badge). 1: the roaming session is created only upon a smart card authentication.
Location:
ActionWhenTokenRemoved
Scope: EAM Client
Description: Default automatic action when the token is removed.
Type: REG_DWORD
Values: 0 (default): not configured (= lock). 1: lock the computer. 2: log off. 3: do nothing.
Location:

AllowSmartCardInactivityTimer
Scope: EAM Client
Description: Activates the Enterprise SSO inactivity timeout when a smart card is used.
Type: REG_DWORD
Values: 0 (default): not configured (= no lock). 1: Enterprise SSO is locked after the defined inactivity duration.
Location:

AutoValidationTimer
Scope: EAM Client
Description: Timeout before the automatic validation of the default action defined in ActionWhenTokenRemoved.
Type: REG_DWORD
Values: Value in seconds.
Location:

NoLdapConnection
Scope: EAM Client
Description: Smart card authentication is asynchronous, which improves the performance of this authentication method. The state of the smart card connection is checked during the first 30 seconds of the session logon/logoff. If:
- the smart card is removed before the asynchronous check, the session is locked and the smart card authentication is performed asynchronously at the next authentication;
- the asynchronous smart card authentication fails, the cache is updated with this information and the session is locked;
- the asynchronous smart card authentication succeeds, the cache is updated with this information and the session is locked.
Type: REG_DWORD
Values: 0 (default): disabled. 1: enabled.
Location:

NoSSOPrivateKey
Scope: EAM Client
Description: The private user data is disabled, so only the recoverable key is decrypted during authentication, which improves the performance of smart card authentication.
Type: REG_DWORD
Values: 0 (default): disabled: the recoverable key and the private key are used. 1: enabled: only the private key is used.
Location:

PINMaxLength
Scope: EAM Client
Description: Maximum number of characters allowed in a PIN.
Type: REG_DWORD
Values: Number of characters.
Location:

PINMinLength
Scope: EAM Client
Description: Minimum number of characters allowed in a PIN.
Type: REG_DWORD
Values: Number of characters.
Location:

PINNumericOnly
Scope: EAM Client
Description: The PIN can contain digits only.
Type: REG_DWORD
Values: 0 (default): all characters are allowed. 1: only digits are allowed.
Location:
ByPassWGAuthForLocalAdmin
Scope: EAM Client
Description: Enables users that are not local administrators to bypass the Authentication Manager login window. Users who are members of the local administrators group can bypass the Authentication Manager login window even if they cannot create the Enterprise SSO keys/objects.
Type: REG_DWORD
Values: 0: disabled. Any non-zero value: enabled.
Location:

HideDomainList
Scope: EAM Client
Description: Displays or hides the domain list.
Type: REG_DWORD
Values: 0: domain list displayed. 1: domain list hidden.
Location:

HideRemoteConnection
Scope: EAM Client
Description: Displays or hides the Open the session over a modem connection option.
Type: REG_DWORD
Values: 0 (default): option displayed. 1: option hidden.
Location:

LockTimer
Scope: EAM Client
Description: Timeout before the computer is locked. This does not end the session.
Type: REG_DWORD
Values: Value in seconds.
Location:

ManageUserExclusion
Scope: EAM Client
Description: Windows 7 and later only. Enables or disables SSO for excluded users.
Type: REG_DWORD
Values: 0 (default): at user authentication, Authentication Manager opens a standard Windows session and then retrieves the user credentials (stored in the E-SSO directory) to start the SSO engine with them. 1: at user authentication, Authentication Manager first tries to authenticate with the provided credentials against the E-SSO directory:
Location:

ResetPassword
Scope: EAM Client
Description: Makes the Questions and answers (Windows 10) or Password forgotten (Windows 7) tile available or unavailable.
Type: REG_DWORD
Values: 0: available. 1: unavailable.
Location:
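The following read-only audit script is an added example; it is not part of the One Identity documentation and not a One Identity tool. It reads the security-relevant client settings listed above (token removal action, roaming-session PIN protection and retry limit, PIN length and character policy, login-window bypass for local administrators, stored autologon password) and flags values that deserve review. The registry path is a placeholder, because this page does not give the Location of the keys and they may not all sit under one key; the thresholds are this example's own baseline, not vendor recommendations.

```powershell
# Added example; not part of the One Identity documentation.
# Read-only audit of Authentication Manager client settings described in the table above.
# PLACEHOLDER: the page does not give the registry Location of these keys. Replace
# $EamClientKey with the path from the Location row of your EAM version's documentation.
$EamClientKey = 'HKLM:\SOFTWARE\PLACEHOLDER_EAM_CLIENT_KEY'

# This example's own baseline (assumption), not a vendor value.
$MinPinLength = 6

# Each check: value name, the product default where the table states one, a predicate
# returning $true when the value is acceptable, and the reason a failing value needs review.
$Checks = @(
    @{ Name = 'ActionWhenTokenRemoved'; Default = 0; Pass = { param($v) @(0, 1, 2) -contains $v }
       Why = '3 = do nothing leaves the session open after the token is removed' }
    @{ Name = 'RoamingSessionProtectedByPIN'; Default = 0; Pass = { param($v) $v -eq 1 }
       Why = '0 opens roaming sessions with a badge or card but without the PIN' }
    @{ Name = 'RoamingSessionMaxPINTries'; Default = 5; Pass = { param($v) $v -le 5 }
       Why = 'more wrong PINs than the default 5 are tolerated before deactivation' }
    @{ Name = 'PINMinLength'; Pass = { param($v) $v -ge $MinPinLength }
       Why = "minimum PIN length is below this example's baseline of $MinPinLength" }
    @{ Name = 'PINNumericOnly'; Default = 0; Pass = { param($v) $v -eq 0 }
       Why = '1 restricts PINs to digits only, which shrinks the PIN space' }
    @{ Name = 'ByPassWGAuthForLocalAdmin'; Pass = { param($v) $v -eq 0 }
       Why = 'non-zero lets local administrators bypass the Authentication Manager login window' }
    @{ Name = 'AutoLogonUserPassword'; Pass = { param($v) [string]::IsNullOrEmpty($v) }
       Why = 'a REG_SZ autologon password is stored in the registry' }
)

function Get-EamSetting {
    param([string]$Name)
    try {
        (Get-ItemProperty -LiteralPath $EamClientKey -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value absent: the product default applies
    }
}

$report = foreach ($c in $Checks) {
    $value     = Get-EamSetting -Name $c.Name
    $effective = $value
    $note      = ''
    # A weak default is still a weakness: evaluate the documented default when the value is absent.
    if ($null -eq $value -and $c.ContainsKey('Default')) {
        $effective = $c.Default
        $note      = ' (not set; product default)'
    }
    $status = if ($null -eq $effective) { 'NOT SET' }
              elseif (& $c.Pass $effective) { "OK${note}" }
              else { "REVIEW${note}: $($c.Why)" }
    [pscustomobject]@{ Setting = $c.Name; Value = $value; Status = $status }
}

$report | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the workstation being reviewed; it only reads the registry and writes nothing. The AutoLogonUserPassword check is deliberately included because the table documents it as a plain REG_SZ value, so its presence on a workstation is worth knowing about.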
Prim'X Cryhod is a software product that encrypts data on the disks of computers running Microsoft Windows. Cryhod includes a pre-boot utility that lets the user enter his credentials at system start-up; he is then granted or denied access to the encrypted data. The integration of Authentication Manager with Cryhod covers smart card authentication only.
Cryhod supports authentication by smart card and PIN.
Authentication Manager supports integration with Cryhod on Microsoft Windows 7 and 2008 systems only.
The integration consists of an automatic transfer of the smart card PIN from Cryhod to Authentication Manager. This allows the user to perform both the Cryhod and the Authentication Manager smart card authentication while entering the PIN only once.
The PIN transfer feature is implemented in a Windows DLL that is provided by Authentication Manager and used by the Cryhod Encryption Service according to the Cryhod configuration parameters.
Retrieve the following elements:
Full path name of the Windows DLL. The file is called DiskEncryptionCryhod.dll and is installed in the same directory as the EAM Client.
SHA-256 hash values for DiskEncryptionCryhod.dll. They are listed in the DiskEncryptionCryhod.txt file, located in the EAM Client installation directory. Depending on the architecture of your Windows workstations, you may need the hash values for 32-bit and/or 64-bit systems.
Name the value as recommended, Authentication Manager CREDAPI Extension Vx.y (zz-bit), and use these elements to set the Cryhod policy P880 - Software Extensions with a Microsoft Windows GPO.
NOTE: The required format for the value is described in the Cryhod documentation.
The HKEY_LOCAL_MACHINE\SOFTWARE\Policies\PrimX\Cryhod\Common\Extensions key is generated in the Microsoft Windows registry of each workstation.
This key contains a value of type String corresponding to the version of DiskEncryptionCryhod.dll used on the local workstation. If the key contains multiple values corresponding to different versions of DiskEncryptionCryhod.dll, only the value that matches a file on the local workstation is used.
Value name: Authentication Manager CREDAPI Extension V1.0 (32-bit)
Value: dll32=%ProgramFiles%\One Identity\
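The script below is an added example, not code from One Identity or Prim'X. It performs the preparation described above from a defender's point of view: before the P880 policy is built from a DLL path and hash, it confirms that the DiskEncryptionCryhod.dll present on the workstation has a SHA-256 digest listed in the vendor's DiskEncryptionCryhod.txt, reads the PE header to determine whether the file is the 32-bit or 64-bit build, and prints the elements needed for the GPO value. The installation directory is a placeholder (the page does not give it); the parsing of DiskEncryptionCryhod.txt as plain text containing hex digests, and the use of the DLL's file version as the Vx.y part of the recommended value name, are assumptions.

```powershell
# Added example; not from the One Identity or Prim'X documentation.
# Verify DiskEncryptionCryhod.dll against the published SHA-256 before registering it
# with the Cryhod P880 - Software Extensions policy.
# ASSUMPTIONS: $EamClientDir is a PLACEHOLDER for the EAM Client installation directory;
# DiskEncryptionCryhod.txt is assumed to contain the digests as plain hex text;
# the Vx.y of the recommended value name is assumed to be the DLL's file version.
param(
    [string]$EamClientDir = 'C:\PLACEHOLDER\EAM Client'
)

$DllPath  = Join-Path $EamClientDir 'DiskEncryptionCryhod.dll'
$HashFile = Join-Path $EamClientDir 'DiskEncryptionCryhod.txt'

foreach ($p in $DllPath, $HashFile) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing file: $p" }
}

# Return '32-bit' or '64-bit' from the PE COFF header Machine field of a DLL.
function Get-PeArchitecture {
    param([string]$Path)
    $bytes    = [IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)          # e_lfanew
    if ($bytes[$peOffset] -ne 0x50 -or $bytes[$peOffset + 1] -ne 0x45) {
        throw "$Path is not a PE image"
    }
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4) # IMAGE_FILE_HEADER.Machine
    switch ($machine) {
        0x014C  { '32-bit' }
        0x8664  { '64-bit' }
        default { 'unknown (0x{0:X4})' -f $machine }
    }
}

# Hash the DLL that is actually on this workstation.
$actual = (Get-FileHash -LiteralPath $DllPath -Algorithm SHA256).Hash.ToUpperInvariant()

# Collect every 64-hex-digit token from the vendor file; it may list both the
# 32-bit and the 64-bit digest, and this page does not specify its layout.
$published = [regex]::Matches((Get-Content -LiteralPath $HashFile -Raw), '\b[0-9A-Fa-f]{64}\b') |
             ForEach-Object { $_.Value.ToUpperInvariant() }

if ($published -notcontains $actual) {
    throw "SHA-256 of $DllPath ($actual) is not listed in $HashFile; do not build the P880 value from it."
}

$arch    = Get-PeArchitecture -Path $DllPath
$vi      = (Get-Item -LiteralPath $DllPath).VersionInfo
$version = 'V{0}.{1}' -f $vi.FileMajorPart, $vi.FileMinorPart

# Elements for the GPO; the exact value syntax is defined in the Cryhod documentation.
[pscustomobject]@{
    RecommendedValueName = "Authentication Manager CREDAPI Extension $version ($arch)"
    DllPath              = $DllPath
    Sha256               = $actual
    PolicyKey            = 'HKLM\SOFTWARE\Policies\PrimX\Cryhod\Common\Extensions'
}
```

The check fails closed: a DLL whose digest is not in the vendor file, or a file that is not a PE image, stops the script before any policy material is produced, so an altered or mismatched extension cannot be registered by mistake.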
An Authentication Manager smart card tile may be selected before Cryhod has transferred the PIN to Authentication Manager. Authentication Manager waits a few seconds for the PIN to be transferred. If the PIN is not transferred in time, the user has to provide it, and therefore types the PIN twice.
To avoid this, the length of time that Authentication Manager waits for the PIN can be configured using a Windows registry value.
IMPORTANT: Only on-site testing can determine the optimum length of time.
The length of time has been customized.
An event is recorded in the Cryhod event log each time DiskEncryptionCryhod.dll is used. The event includes a result code indicating the reason for any failure to transfer the PIN.
© 2021 One Identity LLC. All rights reserved.