Logging on a User Session as an Administrator
Logging on a User Session as an Administrator
Logging on a User Session with Your Smart Card: "Grace period"
Subject
An administrator can log on a user's session using his own smart card, even though the user opened his Windows session using a smart card.
Procedure
- Press the SHIFT key during the logged user smart card withdrawal.
The user session is left unchanged. If Enterprise SSO was running, it is automatically set to a locked mode.
- Insert your administrator smart card and enter your PIN before the end of the grace period (the default value is 60 seconds).
NOTE: The length of the grace period can be configured from EAM Console.
This authentication enables User Access to check your identification data. The user Windows session stays open: your Windows permissions do not apply.
- Perform your administration tasks on the user workstation: if you run an EAM application (Enterprise SSO Studio, etc.), the authentication is done using your administrator smart card.
- When you have finished with the user's workstation, withdraw your smart card.
The user session appears as it was before the smart card removal. The user is prompted to insert his smart card and provide his PIN to turn Enterprise SSO back to the unlocked mode.
Logging on as local administrator with your mobile device
Subject
If your administrator has authorized it, you can log on as local administrator on a user workstation using your mobile device, from the Connect with a mobile device tile.
For more information on this authentication method, refer to the QRentry - Guide de l’utilisateur.
Running a Process on a User Session
Subject
An administrator can log on a user's session using his own smart card or OTP, even though the user opened his Windows session using same authentication method.
Running a Process Using your Smart Card
Procedure
- Press the Windows+R keys.
The Execute window appears:
- Enter cmd in the Open field.
- Click the OK button.
The Command Prompt window appears.
- Insert your administrator Smart Card.
- Enter the following command line and press the ENTER key: C:\%EAM installation folder%\AMRunAS <Command Line>
- If you have several accounts on the smart card, type in the displayed account number and press the ENTER key.
- Enter your PIN and press the ENTER key.
The command line has been executed with your Windows credentials.
NOTE: The AMRunAS command line is derived from the RunAS Windows command line. You can display all the different command lines and their description by entering the following command line: RunAS.exe /?
Running a Process Using your OTP
Procedure
- Press the Windows+R keys.
The Execute window appears:
- Enter cmd in the Open field.
- Click the OK button.
The Command Prompt window appears.
- Enter the following command line and press the ENTER key: C:\%EAM installation folder%\AMRunAS.exe /OTP /USER:DomainName\
UserName <Command Line> - Enter your OTP and press the ENTER key.
You are now logged on with your Windows credentials.
Restarting and Running Enterprise SSO with your Credentials
Before starting
If the administrator needs to use Enterprise SSO or any other application, it must be installed on the user’s workstation.
Procedure
- Press the Windows+R keys.
The Execute window appears:
- Enter cmd in the Open field.
- Click the OK button.
The Command Prompt window appears.
- Enter the following command line and press the ENTER key: C:\%EAM installation folder\AMRunAS.exe /SSO <Command Line>
Enterprise SSO restarts with your credentials.
Managing Reports
Managing Reports
Subject
Authentication Manager enables you to download PDF reports (generated on demand or periodically) and to save them on your workstation.
|
|
NOTE: A notification e-mail can be sent to you informing you that a report is available for download from Authentication Manager. |
For more information on report generation, refer to the One Identity EAM Console - Guide de l'administrateur.
Procedure
- Right-click the Authentication Manager icon in the notification area and select Manage reports.
- Re-authenticate if needed.
The report management window appears.
- Click Preferences to define the destination directory of the reports to download. Once you have finished, click OK to come back to the management window.
- Click Search to display the reports that are assigned to you.
NOTE: Select the Show reports generated in the last x days check box to limit the number of reports taken into account
NOTE: The Report state column indicates if the report has been downloaded or not and displays the two following states:
- On server: the report has not been downloaded in the destination directory yet.
- Local: the report has been downloaded and is available for consultation in the destination directory.
- When a report is ready to download, double-click it to open it or select it and click Download (the report will be available in the destination directory).
NOTE: If several reports are assigned to you, you can select them and download them all at the same time.. - Click Close.
Authentication Manager Registry Keys
Authentication Manager Registry Keys
Subject
This appendix describes the Authentication Manager configuration settings stored in the Windows registry that you can modify.
Some registry keys are only used by EAM clients, others are reserved for EAM Controllers, and others are available either on clients and controllers. Depending on the computer where the registry keys are changed, the scope of the update is different. Indeed, if you update the configuration of a:
- EAM client, the scope is limited to the User Access client itself.
- EAM Controller, the scope is extended to all the EAM clients connected to this controller.
Before starting
|
|
IMPORTANT: The Windows registry must be modified by qualified personnel only. |
Autologon
AutoLogonUserLogin
|
Scope |
EAM Client |
|
Description |
|
|
Type |
REG_SZ |
|
Values |
User name with domain (<Domain_name>\<user_name>). |
|
Location |
|
AutoLogonUserPassword
|
Scope |
EAM Client |
|
Description |
|
|
Type |
REG_SZ |
|
Values |
User password. |
|
Location |
|
AutoRelogon
|
Scope |
EAM Client |
|
Description |
Configures the autologon to be executed after a closed session. |
|
Type |
REG_DWORD |
|
Values |
0: the session is not automatically re-opened. 1: the session is automatically re-opened with the same user. If you keep the Shift key pressed during the logon sequence, the automatic logon is interrupted and you can authenticate yourself with a smart card or biometric data to open the Windows session as another user. |
|
Location |
|
Biometrics
BioAutoValidate
|
Scope |
EAM Client |
|
Description |
Store on PC mode only. Enables/disables the automatic validation upon fingerprint authentication. |
|
Type |
REG_DWORD |
|
Values |
0: disabled. 1: enabled. |
|
Location |
|
BiometricFAR
|
Scope |
EAM Client |
|
Description |
Biometric False Accepted Rate. |
|
Type |
REG_DWORD |
|
Values |
Default value: 20000. (means that the probability of a wrong fingerprint pass is 1/20000). |
|
Location |
|
BiometricMaxEnrolledUsers
|
Scope |
EAM Client |
|
Description |
Store on PC mode only. Maximum number of users that can be enrolled on the workstation. If the maximum number is exceeded, the oldest enrolled user is deleted. |
|
Type |
REG_DWORD |
|
Values |
Default value: 20. |
|
Location |
|
CheckEnrollment
|
Scope |
EAM Client |
|
Description |
After the biometric templates have been saved, the user is asked to perform a biometric authentication to check the biometric templates and to create the biometric authentication cache. If the user cancels the authentication, the biometric authentication cache is not created. This key is set on all workstations where the biometric enrollment tool is installed. |
|
Type |
REG_DWORD |
|
Values |
0 (default): the user does not authenticate himself. 1: the user must authenticate himself to create the cache file. |
|
Location |
|
DisableBeepOnBioEvent
|
Scope |
EAM Client |
|
Description |
Each time a detection event is identified by the biometric middleware, a message appears and a beep occurs. |
|
Type |
REG_DWORD |
|
Values |
0 (default): beep is enabled. 1: beep is disabled. |
|
Location |
|
StartOnce
|
Scope |
EAM Client |
|
Description |
Displays the biometric enrollment tool only once for the user. If he/she cancels the enrollment, the biometric enrollment tool is not displayed anymore. |
|
Type |
REG_DWORD |
|
Values |
0 (default): the biometric enrollment tool is displayed each time the user starts his Windows session. 1: the biometric enrollment tool is displayed only once. Then, password authentication is displayed by default. |
|
Location |
|
Password Management
CheckWhetherPasswordExpires
|
Scope |
EAM Client |
|
Description |
The automatic change of the primary password defined in the user security profile does not apply to the Windows accounts which password never expires. Note: this applies only when the primary accounts are stored in the AD. |
|
Type |
REG_DWORD |
|
Values |
0 (default): disabled. 1: enabled. |
|
Location |
|
ForcePasswordChangeAfterSSPR
|
Scope |
EAM Client |
|
Description |
The must change password at next connection option is always enabled when users reset a password through the SSPR process. This key must be set on the workstations where the SSPR process is running. This key has no effect if no SSPR process is installed. |
|
Type |
REG_DWORD |
|
Values |
0: option disabled. 1: option enabled. |
|
Location |
|
PasswordChangeForbiddenMessage
|
Scope |
EAM Client |
|
Description |
Enables the administrator to display an information message to the user after he has refused to change his password from the workstation. |
|
Type |
REG_SZ |
|
Values |
Message displayed to the user after a password change refusal. |
|
Location |
|
PasswordChangeProcessCheckList
|
Scope |
EAM Client |
|
Description |
Enables the administrator to prevent the user from changing his password when certain processes are active. |
|
Type |
REG_SZ |
|
Values |
List of processes forbidding the password change. Processes are separated with a space. The name of the process is the one displayed in the Windows process manager. |
|
Location |
|
PostChangePasswordMessage
|
Scope |
EAM Client |
|
Description |
Enables the administrator to display an information message to the user after he has changed his password from the workstation. |
|
Type |
REG_SZ |
|
Values |
The text of the message to display after a voluntary password change from the One Identity tile. |
|
Location |
|
RandomPasswordLength
|
Scope |
EAM Client |
|
Description |
When the PFCP imposes a password generated randomly, the password length is also generated randomly in the limits defined by this PFCP. |
|
Type |
REG_DWORD |
|
Values |
0 (default): disabled. 1: enabled. |
|
Location |
|
ResetPasswordAdminGroupDN
|
Scope |
EAM Controller. |
|
Description |
Allows all administration group members to reset the passwords of each user. |
|
Type |
REG_SZ |
|
Values |
Administration group DN. |
|
Location |
|
ShowPasswordFormatHelper
|
Scope |
EAM Client |
|
Description |
Displays or hides the password format wizard to help the user change his password. |
|
Type |
REG_DWORD |
|
Values |
0: option disabled. 1 (default): option enabled. |
|
Location |
|
ShowResetColleaguePasswordN
|
Scope |
EAM Controller and Client |
|
Description |
Allows a manager or an administration group member to define a temporary password access (TPA) for a colleague. To configure the TPA, you must create the |
|
Type |
REG_DWORD |
|
Values |
0 (default): option disabled. 1: option enabled. |
|
Location |
|
SSPRForSelfSSORecovery
|
Scope |
EAM Client |
|
Description |
Activates the SSO data recovery feature via the SSPR. This key must be set on all workstations where the SSO Data recovery is enabled. |
|
Type |
REG_DWORD |
|
Values |
0: option disabled. 1 (default): option enabled. |
|
Location |
|
WorkStationAccountRandomNPGP
|
Scope |
EAM Client |
|
Description |
Available with any supported LDAP directory except Active Directory. In this type of architecture, EAM stores user SSO data in another LDAP directory than Active Directory. But the users' accounts are stored in Active Directory and are managed by Enterprise SSO as secondary accounts. In this configuration, the Windows password must be changed manually by default. This key allows you to configure an automatic password change. |
|
Type |
REG_DWORD |
|
Values |
0: manual change of the Windows password. 1: automatic change of the Windows password. |
|
Location |
|
RFID
ForceRfidMode
|
Scope |
EAM Client |
|
Description |
Forces the RFID authentication behavior. |
|
Type |
REG_DWORD |
|
Values |
0: default behavior: if the badge is present for less than 3 seconds, the passive mode is taken into account. if the badge is present for more than 3 seconds, the active mode is taken into account. 1: Passive mode. 2: Active mode. |
|
Location |
|
RFIDMultiSelfEnrollAllowed
|
Scope |
EAM Controller. |
|
Description |
Restricts the self-enrollment of RFID tokens to one token per user. |
|
Type |
REG_DWORD |
|
Values |
0: restricted to one token per user. 1 (default): no restriction. |
|
Location |
|
RFIDSelfEnrollAllowed
|
Scope |
EAM Controller and Client |
|
Description |
Forbids or allows the self-enrollment of RFID tokens. |
|
Type |
REG_DWORD |
|
Values |
0: forbidden. 1 (default): allowed. |
|
Location |
|
Roaming session
GetRoamingSessionOnlyFromRFID
|
Scope |
EAM Client |
|
Description |
Restricts the opening of a roaming session to the RFID badge authentication method. |
|
Type |
REG_DWORD |
|
Values |
0 (default): the roaming session is opened with any authentication method (RFID badge or smart card). 1: the roaming session is opened only upon the use of an RFID badge. |
|
Location |
|
RoamingSessionMaxPINTries
|
Scope |
EAM Controller and Client |
|
Description |
If too many bad PINs are entered to open a roaming session with a smart card or RFID badge, the roaming session is deactivated and the user must insert his smart card. |
|
Type |
REG_DWORD |
|
Values |
5 (default): the user can provide up to 5 bad PINs before the deactivation of his roaming session and having to insert his smart card. Notes: The bad PIN counter is reset each time the user provides the good PIN. The bad PIN counter cannot be displayed. This registry key does not work for the EAM web services. |
|
Location |
|
RoamingSessionProtectedByPIN
|
Scope |
EAM Controller and Client |
|
Description |
Opening a roaming session with a smart card or an RFID badge requires their PIN. |
|
Type |
REG_DWORD |
|
Values |
0 (default): the roaming session is opened with any authentication method (RFID badge or smart card) without the PIN. 1: the roaming session is opened with an RFID badge or a smart card with the PIN (mandatory). |
|
Location |
|
RoamingSessionServerList
|
Scope |
EAM Controller. | ||
|
Description |
To manage roaming sessions, it is recommended in some complex architectures to force controllers to connect to the same LDAP server (to avoid problems with replication delay between LDAP servers used by the controllers). In such a case, this registry key allows you to configure the LDAP servers list by order of priority. | ||
|
Type |
REG_SZ | ||
|
Values |
Ordered list of LDAP servers (by default, there is no value).
| ||
|
Location |
AD: |
SetRoamingSessionOnly
|
Scope |
EAM Client |
|
Description |
When the roaming session is active and expired, if a user authenticates with an RFID badge, a card insertion is requested instead of a password. |
|
Type |
REG_DWORD |
|
Values |
0 (default): a password is asked when authenticating with an RFID badge. 1: a card insertion is asked when authenticating with an RFID badge. |
|
Location |
|
SetRoamingSessionOnlyFromCard
|
Scope |
EAM Client |
|
Description |
Restricts the creation of a roaming session to the smart card authentication method. |
|
Type |
REG_DWORD |
|
Values |
0 (default): the roaming session is created with any authentication method (smart card or RFID badge). 1: the roaming session is created only upon a smart card authentication. |
|
Location |
|
Smart Card
ActionWhenTokenRemoved
|
Scope |
EAM Client |
|
Description |
Default automatic action if the token is removed. |
|
Type |
REG_DWORD |
|
Values |
0 (default): not configured (=lock). 1: lock the computer. 2: log off. 3: do nothing. |
|
Location |
|
AllowSmartCardInactivityTimer
|
Scope |
EAM Client |
|
Description |
Activates the inactivity duration of Enterprise SSO when a smart card is used. |
|
Type |
REG_DWORD |
|
Values |
0 (default): not configured (=no lock). 1: Enterprise SSO is locked after the defined inactivity duration. |
|
Location |
|
AutoValidationTimer
|
Scope |
EAM Client |
|
Description |
Timeout before the automatic validation of the default action defined in ActionWhenTokenRemoved. |
|
Type |
REG_DWORD |
|
Values |
Value in seconds. |
|
Location |
|
NoLdapConnection
|
Scope |
EAM Client | ||
|
Description |
The smart card authentication is asynchronous, which improves the performances of this authentication method. The state of the smart card connection is checked during the first 30 seconds of the session logon/logoff. If: The smart card is removed before the asynchronous check, the session is locked and the smart card authentication will be performed asynchronously at the next authentication. The asynchronous smart card authentication fails, the cache is updated with this information and the session is locked. The asynchronous smart card authentication succeeds, the cache is updated with this information and the session is locked.
| ||
|
Type |
REG_DWORD | ||
|
Values |
0 (default): disabled. 1: enabled. | ||
|
Location |
|
NoSSOPrivateKey
|
Scope |
EAM Client |
|
Description |
The private user data is disabled, therefore it is only the recoverable key that is decrypted during authentication, which improves the performances of the smart card authentication. |
|
Type |
REG_DWORD |
|
Values |
0 (default): disabled: the recoverable key and the private key are used. 1: enabled: only the private key is used. |
|
Location |
|
PINMaxLength
|
Scope |
EAM Client |
|
Description |
Maximum number of characters authorized in a PIN. |
|
Type |
REG_DWORD |
|
Values |
Value in numbers. |
|
Location |
|
PINMinLength
|
Scope |
EAM Client |
|
Description |
Minimum number of characters authorized in a PIN. |
|
Type |
REG_DWORD |
|
Values |
Value in numbers. |
|
Location |
|
PINNumericOnly
|
Scope |
EAM Client |
|
Description |
The PIN can contain numbers only. |
|
Type |
REG_DWORD |
|
Values |
0 (default): all characters are authorized. 1: only numbers are authorized. |
|
Location |
|
User Access
ByPassWGAuthForLocalAdmin
|
Scope |
EAM Client |
|
Description |
Enables users that are not local administrators to bypass the Authentication Manager login window. The users who are members of the local administrators group can bypass the Authentication Manager login window even if they cannot create the Enterprise SSO keys/objects. |
|
Type |
REG_DWORD |
|
Values |
0: disabled. non null value: enabled. |
|
Location |
|
HideDomainList
|
Scope |
EAM Client |
|
Description |
Displays/hides the domain list. |
|
Type |
REG_DWORD |
|
Values |
0: domain list displayed. 1: domain list hidden. |
|
Location |
|
HideRemoteConnection
|
Scope |
EAM Client |
|
Description |
Displays/hides the Open the session over a modem connection option. |
|
Type |
REG_DWORD |
|
Values |
0 (default): option displayed. 1: option hidden. |
|
Location |
|
LockTimer
|
Scope |
EAM Client |
|
Description |
Timeout before locking the computer. This does not end the session. |
|
Type |
REG_DWORD |
|
Values |
Value in seconds. |
|
Location |
|
ManageUserExclusion
|
Scope |
EAM Client |
|
Description |
Windows 7 and next versions only. Enable or disable SSO for excluded users. |
|
Type |
REG_DWORD |
|
Values |
0 (default): at user authentication, Authentication Manager opens a standard Windows session and then retrieves the user credentials (stored in the E-SSO directory) to start the SSO engine with them. 1: at user authentication, Authentication Manager first tries to authenticate with the provided credentials against the E-SSO directory:
|
|
Location |
|
ResetPassword
|
Scope |
EAM Client |
|
Description |
Makes available or unavailable the Questions and answers (Windows 10) or Password forgotten (Windows 7) tile. |
|
Type |
REG_DWORD |
|
Values |
0: available. 1: unavailable. |
|
Location |
|
Integrating Authentication Manager with Prim'X Cryhod
Integrating Authentication Manager with Prim'X Cryhod
Subject
Prim'X Cryhod is a software product that encrypts data on computer disks running Microsoft Windows. Cryhod includes a pre-boot utility which allows the user to enter his credentials at system start-up; he is then granted or denied access to encrypted data. The integration of Authentication Manager with Cryhod is only for Smart Card Authentication.
Description
Cryhod supports authentication by Smart Card and PIN.
Authentication Manager supports integration with Cryhod on Microsoft Windows 7 and 2008 systems only.
The integration consists in an automatic transfer of a Smart Card PIN from Cryhod to Authentication Manager. This allows the user to perform Cryhod and Authentication Manager Smart Card authentication while only entering the PIN once.
The PIN transfer feature is implemented in a Windows DLL which is provided by Authentication Manager and used by the Cryhod Encryption Service according to Cryhod configuration parameters.
Configuring the Integration
Procedure
Retrieve the following elements:
Full path name of the Windows DLL. The file is called DiskEncryptionCryhod.dll and is installed in the same directory as the EAM Client.
SHA-256 hash values for DiskEncryptionCryhod.dll. They are displayed in the DiskEncryptionCryhod.txt file, located in the EAM Client installation directory. Depending on the architecture of your Windows workstations, you may need the hash values for 32 and/or 64-bit systems.
Name the value as recommended: Authentication Manager CREDAPI Extension Vx.y (zz-bit) and use these elements to set the Cryhod policy P880 - Software Extensions with Microsoft Windows GPO.
|
|
NOTE: The required format for the value is described in the Cryhod documentation. |
The HKEY_LOCAL_MACHINE\SOFTWARE\Policies\PrimX\Cryhod\Common\Extensions key is generated in the Microsoft Windows registry of each workstation.
This key contains a value of type String corresponding to the version of DiskEncryptionCryhod.dll used on the local workstation. If the key contains multiple values corresponding to different versions of DiskEncryptionCryhod.dll, only the value that matches a file on the local workstation is used.
Example
|
Value name |
Value |
|
Authentication Manager CREDAPI Extension V1.0 (32-bit) |
dll32=%ProgramFiles%\One Identity\ |
Customizing the Integration
Description
It is possible for an Authentication Manager Smart Card tile to be selected before Cryhod transfers the PIN to Authentication Manager. Authentication Manager waits for a few seconds for the PIN to be transfered. If the PIN is not transfered in time, the user has to provide it, thus typing the PIN twice.
To avoid this, the length of time that Authentication Manager waits for the PIN can be configured using a Windows registry value.
|
|
IMPORTANT: Only on-site testing can determine the optimum length of time. |
Procedure
- Create the DWORD value WaitForPINDuration under one of the following keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Enatel\WiseGuard\
AdvancedLogin. - HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\AdvancedLogin
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Enatel\WiseGuard\
- Set the key to the number of seconds required.
The length of time has been customized.
Cryhod Log Files
An event is recorded in the Cryhod event log each time DiskEncryptionCryhod.dll is used. The event includes a result code indicating the reason for any failure to transfer the PIN.