
Enterprise Single Sign-On 9.0.2 - Authentication Manager for Windows Users Guide

Logging on a User Session as an Administrator

Logging on a User Session with Your Smart Card: "Grace period"

Subject

An administrator can log on a user's session using his own smart card, even though the user opened his Windows session using a smart card.

Procedure
  1. Hold down the SHIFT key while the logged-on user's smart card is withdrawn.

    The user session is left unchanged. If Enterprise SSO was running, it is automatically set to a locked mode.

  2. Insert your administrator smart card and enter your PIN before the end of the grace period (the default value is 60 seconds).

    NOTE: The length of the grace period can be configured from EAM Console.

    This authentication enables User Access to check your identification data. The user's Windows session stays open: your Windows permissions do not apply.

  3. Perform your administration tasks on the user workstation: if you run an EAM application (Enterprise SSO Studio, etc.), the authentication is done using your administrator smart card.
  4. When you have finished with the user's workstation, withdraw your smart card.

    The user session appears as it was before the smart card removal. The user is prompted to insert his smart card and provide his PIN to turn Enterprise SSO back to the unlocked mode.

Logging on as local administrator with your mobile device

Subject

If your administrator has authorized it, you can log on as local administrator on a user workstation using your mobile device, from the Connect with a mobile device tile.

For more information on this authentication method, refer to the QRentry - Guide de l’utilisateur.

Running a Process on a User Session

Subject

An administrator can log on a user's session using his own smart card or OTP, even though the user opened his Windows session using the same authentication method.

Running a Process Using your Smart Card

Procedure
  1. Press the Windows+R keys.

    The Execute window appears.

  2. Enter cmd in the Open field.
  3. Click the OK button.

    The Command Prompt window appears.

  4. Insert your administrator Smart Card.
  5. Enter the following command line and press the ENTER key: C:\%EAM installation folder%\AMRunAS <Command Line>
  6. If you have several accounts on the smart card, type in the displayed account number and press the ENTER key.
  7. Enter your PIN and press the ENTER key.

    The command line has been executed with your Windows credentials.

    NOTE: The AMRunAS command line is derived from the RunAS Windows command line. You can display all the different command lines and their description by entering the following command line: RunAS.exe /?

 

Running a Process Using your OTP

Procedure
  1. Press the Windows+R keys.

    The Execute window appears.

  2. Enter cmd in the Open field.
  3. Click the OK button.

    The Command Prompt window appears.

  4. Enter the following command line and press the ENTER key: C:\%EAM installation folder%\AMRunAS.exe /OTP /USER:DomainName\UserName <Command Line>
  5. Enter your OTP and press the ENTER key.

    You are now logged on with your Windows credentials.

 

Restarting and Running Enterprise SSO with your Credentials

Before starting

If the administrator needs to use Enterprise SSO or any other application, it must be installed on the user’s workstation.

Procedure
  1. Press the Windows+R keys.

    The Execute window appears.

  2. Enter cmd in the Open field.
  3. Click the OK button.

    The Command Prompt window appears.

  4. Enter the following command line and press the ENTER key: C:\%EAM installation folder%\AMRunAS.exe /SSO <Command Line>

    Enterprise SSO restarts with your credentials.

 

Managing Reports

Subject

Authentication Manager enables you to download PDF reports (generated on demand or periodically) and to save them on your workstation.

NOTE: A notification e-mail can be sent to you informing you that a report is available for download from Authentication Manager.

For more information on report generation, refer to the One Identity EAM Console - Guide de l'administrateur.

Procedure
  1. Right-click the Authentication Manager icon in the notification area and select Manage reports.
  2. Re-authenticate if needed.

    The report management window appears.

  3. Click Preferences to define the destination directory of the reports to download. Once you have finished, click OK to come back to the management window.
  4. Click Search to display the reports that are assigned to you.

    NOTE: Select the Show reports generated in the last x days check box to limit the number of reports taken into account.

    NOTE: The Report state column indicates if the report has been downloaded or not and displays the two following states:

    • On server: the report has not been downloaded in the destination directory yet.
    • Local: the report has been downloaded and is available for consultation in the destination directory.
  5. When a report is ready to download, double-click it to open it or select it and click Download (the report will be available in the destination directory).

    NOTE: If several reports are assigned to you, you can select them and download them all at the same time.
  6. Click Close.

 

Authentication Manager Registry Keys

Subject

This appendix describes the Authentication Manager configuration settings stored in the Windows registry that you can modify.

Some registry keys are used only by EAM clients, others are reserved for EAM Controllers, and others are available on both clients and controllers. The scope of an update depends on the computer where the registry keys are changed. If you update the configuration of an:

  • EAM client, the scope is limited to the User Access client itself.
  • EAM Controller, the scope is extended to all the EAM clients connected to this controller.
Before starting

IMPORTANT: The Windows registry must be modified by qualified personnel only.

 

Autologon

AutoLogonUserLogin

Scope

EAM Client

Description

 

Type

REG_SZ

Values

User name with domain (<Domain_name>\<user_name>).

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

AutoLogonUserPassword

Scope

EAM Client

Description

 

Type

REG_SZ

Values

User password.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

AutoRelogon

Scope

EAM Client

Description

Configures the autologon to be executed after a closed session.

Type

REG_DWORD

Values

0: the session is not automatically re-opened.

1: the session is automatically re-opened with the same user. If you keep the Shift key pressed during the logon sequence, the automatic logon is interrupted and you can authenticate yourself with a smart card or biometric data to open the Windows session as another user. You cannot authenticate yourself with a password: when you press the Ctrl+Alt+Del keys, the automatic logon resumes and the session is re-opened with the user configured for autologon.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

Biometrics

BioAutoValidate

Scope

EAM Client

Description

Store on PC mode only.

Enables/disables the automatic validation upon fingerprint authentication.

Type

REG_DWORD

Values

0: disabled.

1: enabled.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

BiometricFAR

Scope

EAM Client

Description

Biometric False Acceptance Rate (FAR).

Type

REG_DWORD

Values

Default value: 20000.

(This means that the probability of a wrong fingerprint being accepted is 1/20000.)

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

BiometricMaxEnrolledUsers

Scope

EAM Client

Description

Store on PC mode only.

Maximum number of users that can be enrolled on the workstation.

If the maximum number is exceeded, the oldest enrolled user is deleted.

Type

REG_DWORD

Values

Default value: 20.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

CheckEnrollment

Scope

EAM Client

Description

After the biometric templates have been saved, the user is asked to perform a biometric authentication to check the biometric templates and to create the biometric authentication cache. If the user cancels the authentication, the biometric authentication cache is not created. This key is set on all workstations where the biometric enrollment tool is installed.

Type

REG_DWORD

Values

0 (default): the user does not authenticate himself.

1: the user must authenticate himself to create the cache file.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

DisableBeepOnBioEvent

Scope

EAM Client

Description

Each time a detection event is identified by the biometric middleware, a message appears and a beep occurs.

Type

REG_DWORD

Values

0 (default): beep is enabled.

1: beep is disabled.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

StartOnce

Scope

EAM Client

Description

Displays the biometric enrollment tool only once for the user. If he/she cancels the enrollment, the biometric enrollment tool is not displayed anymore.

Type

REG_DWORD

Values

0 (default): the biometric enrollment tool is displayed each time the user starts his Windows session.

1: the biometric enrollment tool is displayed only once. Then, password authentication is displayed by default.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork

Password Management

CheckWhetherPasswordExpires

Scope

EAM Client

Description

The automatic change of the primary password defined in the user security profile does not apply to the Windows accounts whose password never expires.

Note: this applies only when the primary accounts are stored in the AD.

Type

REG_DWORD

Values

0 (default): disabled.

1: enabled.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

ForcePasswordChangeAfterSSPR

Scope

EAM Client

Description

The must change password at next connection option is always enabled when users reset a password through the SSPR process.

This key must be set on the workstations where the SSPR process is running. This key has no effect if no SSPR process is installed.

Type

REG_DWORD

Values

0: option disabled.

1: option enabled.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork

PasswordChangeForbiddenMessage

Scope

EAM Client

Description

Enables the administrator to display an information message to the user after he has refused to change his password from the workstation.

Type

REG_SZ

Values

Message displayed to the user after a password change refusal.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

PasswordChangeProcessCheckList

Scope

EAM Client

Description

Enables the administrator to prevent the user from changing his password when certain processes are active.

Type

REG_SZ

Values

List of processes forbidding the password change. Processes are separated with a space. The name of the process is the one displayed in the Windows process manager.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

PostChangePasswordMessage

Scope

EAM Client

Description

Enables the administrator to display an information message to the user after he has changed his password from the workstation.

Type

REG_SZ

Values

The text of the message to display after a voluntary password change from the One Identity tile.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

RandomPasswordLength

Scope

EAM Client

Description

When the PFCP imposes a password generated randomly, the password length is also generated randomly in the limits defined by this PFCP.

Type

REG_DWORD

Values

0 (default): disabled.

1: enabled.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

ResetPasswordAdminGroupDN

Scope

EAM Controller.

Description

Allows all administration group members to reset the passwords of each user.

Type

REG_SZ

Values

Administration group DN.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

ShowPasswordFormatHelper

Scope

EAM Client

Description

Displays or hides the password format wizard to help the user change his password.

Type

REG_DWORD

Values

0: option disabled.

1 (default): option enabled.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

ShowResetColleaguePasswordN

Scope

EAM Controller and Client

Description

Allows a manager or an administration group member to define a temporary password access (TPA) for a colleague. To configure the TPA, you must create the RCOptions key in the same place.

Type

REG_DWORD

Values

0 (default): option disabled.

1: option enabled.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

SSPRForSelfSSORecovery

Scope

EAM Client

Description

Activates the SSO data recovery feature via the SSPR.

This key must be set on all workstations where the SSO Data recovery is enabled.

Type

REG_DWORD

Values

0: option disabled.

1 (default): option enabled.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

WorkStationAccountRandomNPGP

Scope

EAM Client

Description

Available with any supported LDAP directory except Active Directory.

In this type of architecture, EAM stores user SSO data in another LDAP directory than Active Directory. But the users' accounts are stored in Active Directory and are managed by Enterprise SSO as secondary accounts. In this configuration, the Windows password must be changed manually by default. This key allows you to configure an automatic password change.

Type

REG_DWORD

Values

0: manual change of the Windows password.

1: automatic change of the Windows password.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

RFID

ForceRfidMode

Scope

EAM Client

Description

Forces the RFID authentication behavior.

Type

REG_DWORD

Values

0: default behavior:

  • if the badge is present for less than 3 seconds, the passive mode is taken into account.
  • if the badge is present for more than 3 seconds, the active mode is taken into account.

1: Passive mode.

2: Active mode.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

RFIDMultiSelfEnrollAllowed

Scope

EAM Controller.

Description

Restricts the self-enrollment of RFID tokens to one token per user.

Type

REG_DWORD

Values

0: restricted to one token per user.

1 (default): no restriction.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

RFIDSelfEnrollAllowed

Scope

EAM Controller and Client

Description

Forbids or allows the self-enrollment of RFID tokens.

Type

REG_DWORD

Values

0: forbidden.

1 (default): allowed.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

Roaming session

GetRoamingSessionOnlyFromRFID

Scope

EAM Client

Description

Restricts the opening of a roaming session to the RFID badge authentication method.

Type

REG_DWORD

Values

0 (default): the roaming session is opened with any authentication method (RFID badge or smart card).

1: the roaming session is opened only upon the use of an RFID badge.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

RoamingSessionMaxPINTries

Scope

EAM Controller and Client

Description

If too many bad PINs are entered to open a roaming session with a smart card or RFID badge, the roaming session is deactivated and the user must insert his smart card.

Type

REG_DWORD

Values

5 (default): the user can provide up to 5 bad PINs before the deactivation of his roaming session and having to insert his smart card.

Notes:

The bad PIN counter is reset each time the user provides the good PIN.

The bad PIN counter cannot be displayed.

This registry key does not work for the EAM web services.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

RoamingSessionProtectedByPIN

Scope

EAM Controller and Client

Description

Opening a roaming session with a smart card or an RFID badge requires their PIN.

Type

REG_DWORD

Values

0 (default): the roaming session is opened with any authentication method (RFID badge or smart card) without the PIN.

1: the roaming session is opened with an RFID badge or a smart card with the PIN (mandatory).

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

RoamingSessionServerList

Scope

EAM Controller.

Description

To manage roaming sessions, it is recommended in some complex architectures to force controllers to connect to the same LDAP server (to avoid problems with replication delay between LDAP servers used by the controllers). In such a case, this registry key allows you to configure the LDAP servers list by order of priority.

Type

REG_SZ

Values

Ordered list of LDAP servers (by default, there is no value).

IMPORTANT: Do not forget to update these values when adding/deleting LDAP servers from the architecture.

Location

AD: HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Directory

SetRoamingSessionOnly

Scope

EAM Client

Description

When the roaming session is active and expired, if a user authenticates with an RFID badge, a card insertion is requested instead of a password.

Type

REG_DWORD

Values

0 (default): a password is asked when authenticating with an RFID badge.

1: a card insertion is asked when authenticating with an RFID badge.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

SetRoamingSessionOnlyFromCard

Scope

EAM Client

Description

Restricts the creation of a roaming session to the smart card authentication method.

Type

REG_DWORD

Values

0 (default): the roaming session is created with any authentication method (smart card or RFID badge).

1: the roaming session is created only upon a smart card authentication.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

Smart Card

ActionWhenTokenRemoved

Scope

EAM Client

Description

Default automatic action if the token is removed.

Type

REG_DWORD

Values

0 (default): not configured (=lock).

1: lock the computer.

2: log off.

3: do nothing.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

AllowSmartCardInactivityTimer

Scope

EAM Client

Description

Activates the inactivity duration of Enterprise SSO when a smart card is used.

Type

REG_DWORD

Values

0 (default): not configured (=no lock).

1: Enterprise SSO is locked after the defined inactivity duration.

Location

Software\Enatel\SSOWatch\CommonConfig

AutoValidationTimer

Scope

EAM Client

Description

Timeout before the automatic validation of the default action defined in ActionWhenTokenRemoved.

Type

REG_DWORD

Values

Value in seconds.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

NoLdapConnection

Scope

EAM Client

Description

The smart card authentication is asynchronous, which improves the performance of this authentication method.

The state of the smart card connection is checked during the first 30 seconds of the session logon/logoff. If:

  • The smart card is removed before the asynchronous check, the session is locked and the smart card authentication will be performed asynchronously at the next authentication.
  • The asynchronous smart card authentication fails, the cache is updated with this information and the session is locked.
  • The asynchronous smart card authentication succeeds, the cache is updated with this information and the session is locked.

NOTE: This option is available only if the Always authenticate on cache check box is selected in EAM Console (see One Identity EAM Console - Guide de l'administrateur).

Type

REG_DWORD

Values

0 (default): disabled.

1: enabled.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

NoSSOPrivateKey

Scope

EAM Client

Description

The private user data is disabled; therefore, only the recoverable key is decrypted during authentication, which improves the performance of the smart card authentication.

Type

REG_DWORD

Values

0 (default): disabled: the recoverable key and the private key are used.

1: enabled: only the private key is used.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\SingleSignOn

PINMaxLength

Scope

EAM Client

Description

Maximum number of characters authorized in a PIN.

Type

REG_DWORD

Values

Value in numbers.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

PINMinLength

Scope

EAM Client

Description

Minimum number of characters authorized in a PIN.

Type

REG_DWORD

Values

Value in numbers.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

PINNumericOnly

Scope

EAM Client

Description

The PIN can contain numbers only.

Type

REG_DWORD

Values

0 (default): all characters are authorized.

1: only numbers are authorized.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

User Access

ByPassWGAuthForLocalAdmin

Scope

EAM Client

Description

Enables users that are not local administrators to bypass the Authentication Manager login window.

The users who are members of the local administrators group can bypass the Authentication Manager login window even if they cannot create the Enterprise SSO keys/objects.

Type

REG_DWORD

Values

0: disabled.

non null value: enabled.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

HideDomainList

Scope

EAM Client

Description

Displays/hides the domain list.

Type

REG_DWORD

Values

0: domain list displayed.

1: domain list hidden.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

HideRemoteConnection

Scope

EAM Client

Description

Displays/hides the Open the session over a modem connection option.

Type

REG_DWORD

Values

0 (default): option displayed.

1: option hidden.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

LockTimer

Scope

EAM Client

Description

Timeout before locking the computer. This does not end the session.

Type

REG_DWORD

Values

Value in seconds.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\AdvancedLogin

ManageUserExclusion

Scope

EAM Client

Description

Windows 7 and later versions only.

Enable or disable SSO for excluded users.

Type

REG_DWORD

Values

0 (default): at user authentication, Authentication Manager opens a standard Windows session and then retrieves the user credentials (stored in the E-SSO directory) to start the SSO engine with them.

1: at user authentication, Authentication Manager first tries to authenticate with the provided credentials against the E-SSO directory:

  • if the user belongs to an exclusion group, the Windows session is opened, but the SSO engine is not started (no SSO will be available for that session).
  • if the user does not belong to any exclusion group, the opening of the Windows session is subject to the success of the EAM authentication.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork\Authentication

ResetPassword

Scope

EAM Client

Description

Makes the Questions and answers (Windows 10) or Password forgotten (Windows 7) tile available or unavailable.

Type

REG_DWORD

Values

0: available.

1: unavailable.

Location

HKEY_LOCAL_MACHINE\Software\[Policies\]Enatel\WiseGuard\FrameWork
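
A read-only review of the values in this appendix whose non-default settings weaken the logon path, written in PowerShell as an added example (not One Identity code). Which states are flagged is an assumption of this example, built from the value descriptions above; the [Policies\] notation is read here as "with or without the Policies segment", since the WaitForPINDuration procedure in this guide lists both variants.

```powershell
# Added example, not vendor code. Which states count as "risky" is an
# assumption of this example, derived from the value descriptions above.
$EamChecks = @(
    @{ Name = 'AutoLogonUserPassword'; SubKey = 'AdvancedLogin'
       Risky = { param($v) "$v" -ne '' }
       Why   = 'a user password is stored in a REG_SZ value' }
    @{ Name = 'ActionWhenTokenRemoved'; SubKey = 'AdvancedLogin'
       Risky = { param($v) $v -eq 3 }
       Why   = '3 = do nothing when the token is removed' }
    @{ Name = 'ByPassWGAuthForLocalAdmin'; SubKey = 'FrameWork\Authentication'
       Risky = { param($v) $v -ne 0 }
       Why   = 'non-null = the Authentication Manager login window can be bypassed' }
    @{ Name = 'BiometricFAR'; SubKey = 'FrameWork\Authentication'
       Risky = { param($v) $v -lt 20000 }
       Why   = 'false acceptance is more likely than the default 1/20000' }
    @{ Name = 'RoamingSessionMaxPINTries'; SubKey = 'FrameWork\Authentication'
       Risky = { param($v) $v -gt 5 }
       Why   = 'more bad PINs are tolerated than the default of 5' }
)

function Get-EamConfiguredSetting {
    # Emits one record per checked value that is actually present under $Root.
    # Values that are absent fall back to the documented defaults and are skipped.
    param([Parameter(Mandatory)][string]$Root)
    foreach ($check in $EamChecks) {
        $path = "$Root\$($check.SubKey)"
        $item = Get-ItemProperty -LiteralPath $path -Name $check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            [pscustomobject]@{ Path = $path; Name = $check.Name; Value = $item.($check.Name) }
        }
    }
}

function Find-EamRiskySetting {
    # Filters records down to those whose value meets the "risky" condition.
    param([Parameter(ValueFromPipeline = $true)]$Setting)
    process {
        $check = $EamChecks | Where-Object { $_.Name -eq $Setting.Name }
        if ($check -and (& $check.Risky $Setting.Value)) {
            [pscustomobject]@{
                Name  = $Setting.Name
                Path  = $Setting.Path
                # Never echo a stored password into a report.
                Value = if ($Setting.Name -like '*Password') { '<redacted>' } else { $Setting.Value }
                Why   = $check.Why
            }
        }
    }
}

# Constructed sample records (not real data) to exercise the logic offline:
# the first and third are reported, the second (default FAR) is not.
$sample = @(
    [pscustomobject]@{ Path = 'constructed'; Name = 'ActionWhenTokenRemoved'; Value = 3 }
    [pscustomobject]@{ Path = 'constructed'; Name = 'BiometricFAR'; Value = 20000 }
    [pscustomobject]@{ Path = 'constructed'; Name = 'AutoLogonUserPassword'; Value = 'constructed-value' }
)
$sample | Find-EamRiskySetting

# Live check of both key variants on the local workstation (read-only).
'HKLM:\SOFTWARE\Policies\Enatel\WiseGuard', 'HKLM:\SOFTWARE\Enatel\WiseGuard' |
    ForEach-Object { Get-EamConfiguredSetting -Root $_ } |
    Find-EamRiskySetting
```

Run on an EAM Controller, the same check covers settings whose scope extends to all connected clients.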

 

Integrating Authentication Manager with Prim'X Cryhod

Subject

Prim'X Cryhod is a software product that encrypts data on computer disks running Microsoft Windows. Cryhod includes a pre-boot utility which allows the user to enter his credentials at system start-up; he is then granted or denied access to encrypted data. The integration of Authentication Manager with Cryhod is only for Smart Card Authentication.

Description

Cryhod supports authentication by Smart Card and PIN.

Authentication Manager supports integration with Cryhod on Microsoft Windows 7 and 2008 systems only.

The integration consists in an automatic transfer of a Smart Card PIN from Cryhod to Authentication Manager. This allows the user to perform Cryhod and Authentication Manager Smart Card authentication while only entering the PIN once.

The PIN transfer feature is implemented in a Windows DLL which is provided by Authentication Manager and used by the Cryhod Encryption Service according to Cryhod configuration parameters.

Configuring the Integration

Procedure

 

  1. Retrieve the following elements:
    • Full path name of the Windows DLL. The file is called DiskEncryptionCryhod.dll and is installed in the same directory as the EAM Client.
    • SHA-256 hash values for DiskEncryptionCryhod.dll. They are displayed in the DiskEncryptionCryhod.txt file, located in the EAM Client installation directory. Depending on the architecture of your Windows workstations, you may need the hash values for 32 and/or 64-bit systems.
  2. Name the value as recommended: Authentication Manager CREDAPI Extension Vx.y (zz-bit) and use these elements to set the Cryhod policy P880 - Software Extensions with Microsoft Windows GPO.

    NOTE: The required format for the value is described in the Cryhod documentation.

 

The HKEY_LOCAL_MACHINE\SOFTWARE\Policies\PrimX\Cryhod\Common\Extensions key is generated in the Microsoft Windows registry of each workstation. This key contains a value of type String corresponding to the version of DiskEncryptionCryhod.dll used on the local workstation. If the key contains multiple values corresponding to different versions of DiskEncryptionCryhod.dll, only the value that matches a file on the local workstation is used.

 

Example

 

Value name: Authentication Manager CREDAPI Extension V1.0 (32-bit)

Value: dll32=%ProgramFiles%\One Identity\UserAccess\DiskEncryptionCryhod.dll;sha256=37 5B 06 C5 AC E6 67 59 B5 83 4B 2E B4 9D 7A AE 24 6C D3 80 95 05 15 A2 AB 3E A7 2A 70 63 7C 59;credapi=1
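
The policy value pairs the DLL path with its SHA-256 hash, so a workstation can be checked for a value that no longer matches the installed file. The following PowerShell is an added example, not One Identity or Prim'X code: it parses values shaped like the example above and compares the stated hash with the file on disk. The field names dll32, sha256 and credapi come from that example; treating any field that begins with dll as the DLL path is an assumption, and the authoritative format is in the Cryhod documentation.

```powershell
# Added example, not vendor code. Field names are taken from the example value
# on this page; "any field starting with dll is the path" is an assumption.

function ConvertFrom-CryhodExtensionValue {
    # Splits "name=data;name=data;..." into a hashtable with lower-case keys.
    param([Parameter(Mandatory)][string]$Value)
    $fields = @{}
    foreach ($part in ($Value -split ';')) {
        $part = $part.Trim()
        if (-not $part) { continue }
        $name, $data = $part -split '=', 2
        $fields[$name.Trim().ToLowerInvariant()] = "$data".Trim()
    }
    return $fields
}

function Test-CryhodExtensionValue {
    # Status is Match, HashMismatch, FileMissing or Malformed.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value
    )
    $fields   = ConvertFrom-CryhodExtensionValue -Value $Value
    $dllKey   = $fields.Keys | Where-Object { $_ -like 'dll*' } | Select-Object -First 1
    $status   = 'Malformed'
    $path     = $null
    $expected = $null
    $actual   = $null
    if ($dllKey -and $fields.ContainsKey('sha256')) {
        $path     = [Environment]::ExpandEnvironmentVariables($fields[$dllKey])
        $expected = ($fields['sha256'] -replace '\s', '').ToUpperInvariant()
        if ($expected -match '^[0-9A-F]{64}$') {
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                $status = if ($actual -eq $expected) { 'Match' } else { 'HashMismatch' }
            } else {
                $status = 'FileMissing'
            }
        }
    }
    [pscustomobject]@{
        Name = $Name; Path = $path; Status = $status
        Expected = $expected; Actual = $actual
    }
}

function Get-CryhodExtensionStatus {
    # Checks every value under the Extensions key named on this page.
    param([string]$KeyPath = 'HKLM:\SOFTWARE\Policies\PrimX\Cryhod\Common\Extensions')
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $key = Get-Item -LiteralPath $KeyPath
    foreach ($valueName in $key.GetValueNames()) {
        Test-CryhodExtensionValue -Name $valueName -Value ([string]$key.GetValue($valueName))
    }
}

# The example value from this page; on a machine without the DLL the
# status is FileMissing.
$sample = 'dll32=%ProgramFiles%\One Identity\UserAccess\DiskEncryptionCryhod.dll;' +
          'sha256=37 5B 06 C5 AC E6 67 59 B5 83 4B 2E B4 9D 7A AE ' +
          '24 6C D3 80 95 05 15 A2 AB 3E A7 2A 70 63 7C 59;credapi=1'
Test-CryhodExtensionValue -Name 'Authentication Manager CREDAPI Extension V1.0 (32-bit)' -Value $sample

# Live check of the local workstation (read-only).
Get-CryhodExtensionStatus
```

A HashMismatch on a workstation means the installed DLL is not the build the policy was written for; with several values under the key, at most one is expected to report Match.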

Customizing the Integration

Description

It is possible for an Authentication Manager Smart Card tile to be selected before Cryhod transfers the PIN to Authentication Manager. Authentication Manager waits for a few seconds for the PIN to be transferred. If the PIN is not transferred in time, the user has to provide it, thus typing the PIN twice.

To avoid this, the length of time that Authentication Manager waits for the PIN can be configured using a Windows registry value.

IMPORTANT: Only on-site testing can determine the optimum length of time.
Procedure

 

  1. Create the DWORD value WaitForPINDuration under one of the following keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Enatel\WiseGuard\AdvancedLogin
    • HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\AdvancedLogin
  2. Set the value to the number of seconds required.

    The length of time has been customized.

Cryhod Log Files

An event is recorded in the Cryhod event log each time DiskEncryptionCryhod.dll is used. The event includes a result code indicating the reason for any failure to transfer the PIN.
