
Enterprise Single Sign-On 9.0.2 - Enterprise Access Management Installation Guide

Installing and Configuring the Software Modules on the Workstations

Subject

After the initialization of the EAM security database, you must install and configure the software modules on all the workstations that will run in the EAM environment. All these workstations must at least run the Enterprise SSO software module. Depending on your needs, you can also install the Authentication Manager and/or the EAM Console modules.

Interactive/Silent Mode

The EAM software suite is delivered as installation packages using the Microsoft Windows Installer 2.0 (MSI) format. You can install these packages either in interactive mode (following the instructions of the installation wizard), or in silent mode using any software distribution tool. Command line options allow you to specify installation options for each of the software suite package.

Because they are in MSI format, you can also install these packages on many workstations at once, provided the workstations are members of a Windows domain, using the MSI distribution functionality of Windows Server operating systems (Group Policy Objects (GPO)). This section describes how to install and configure the software modules workstation by workstation. For more information on how to:

Localization

The EAM software suite applications support several languages and use the language defined in the regional settings of the users' workstations without any further installation. Nevertheless, depending on your installation package, you may find several installation packages in several languages for one application. The language of the selected installation package is the language of the installation wizard and of the labels of the Windows Start menu.

Configuring Workstations

Subject

Before or after installing the software modules, you must configure the workstation, except for the Authentication Manager module for which you must configure the workstation before its installation.

Procedure
  1. Start the Administration Tools window (see Starting the Administration Tools window).
  2. In the Select a task list, select Install software modules.
  3. In the Software Installation task list, click Configure workstation.

    The Configuration Assistant appears.

  4. Follow the displayed instructions in the wizard windows with the following guidelines:

EAM Configuration with Active Directory

The following table explains how to configure an EAM workstation to work with Active Directory.

Step 1

If you have been supplied with a license key file:

  1. In the Customer ID field, type your Customer ID provided by your Evidian representative.
  2. Click Import to select your license key file.

    The license keys are saved and appear in the table.

  3. Click Next.

If you have been supplied with license keys:

  1. In the Customer ID field, type your Customer ID.
  2. For each license key you have, select the license name in the Select license list.
  3. Type the license keys in the corresponding field and click Add.

    The license keys are saved and appear in the table.

  4. Click Next.

To delete a license key, double-click it.

Step 2

  1. Select with a Controller.
  2. Click Next.

Step 3

  1. Select Microsoft Active Directory.
  2. Click Next.

Step 4

  1. Select where the security database is stored:
    • In the domain directory: then go to step 6.
    • In an AD LDS server: then go to step 5.
  2. Click Next.

Step 5

  1. Configure the parameters to access the LDAP server.
  2. Click Next.

Step 6

  1. Clear Manage access-points if you do not want EAM to manage access points (for more information on access point management, see One Identity EAM Console - Guide de l'administrateur).

    Default: Manage access-points selected.

  2. Click Next.

EAM Configuration with a User Database or Directory other than Microsoft Active Directory

The following table explains how to configure an EAM workstation to work with a User Database or Directory other than Microsoft Active Directory.

Step 1

If you have been supplied with a license key file:

  1. In the Customer ID field, type your Customer ID provided by your One Identity representative.
  2. Click Import to select your license key file.

    The license keys are saved and appear in the table.

  3. Click Next.

If you have been supplied with license keys:

  1. In the Customer ID field, type your Customer ID.
  2. For each license key you have, select the license name in the Select license list.
  3. Type the license keys in the corresponding field and click Add.

    The license keys are saved and appear in the table.

  4. Click Next.

Note: to delete a license key, double-click it.

Step 2

  1. Select with a Controller.
  2. Click Next.

Step 3

  1. Select one of the user authentication databases other than Microsoft Active Directory.
  2. Click Next.

Step 4

  1. Configure the parameters to access the LDAP server.
  2. Click Next.

Step 5

  1. Configure LDAP security options.
  2. Click Next.

Step 6

  1. Configure your network environment.
    • To synchronize passwords from the SAMBA controller to the OpenLDAP server, select Passwords are synchronized only from MS Windows domain to LDAP server and fill in the NetBIOS names of the SAMBA domain and the SAMBA controller.
    • To manage SAMBA computer objects, select Integrate with SAMBA computer objects.
    • To manage SAMBA group objects, select Support SAMBA group.
  2. Click Next.

For more information, see Integrating SAMBA.

Step 7

  1. Clear Manage access-points if you do not want EAM to manage access points (for more information on access point management, see One Identity EAM Console - Guide de l'administrateur).

    Default: Manage access-points selected.

  2. Click Next.

Installing Microsoft Redistributable

Subject

Before installing an EAM Client or Controller, you must install Microsoft Visual C++ 2012 Redistributable as explained in the following procedure.

Interactive/Silent Mode Installation

The Microsoft Visual C++ 2012 Redistributable is delivered as an installation package using the Microsoft Windows Installer (MSI) format.

You can install this package:

  • In interactive mode: follow the instructions of the installation wizard, as described in the following procedure.
  • In silent mode: command line options allow you to specify installation options for each installation package: see Installing EAM MSI Packages in Silent Mode.
Procedure
  1. Start the Administration Tools window (see Starting the Administration Tools window).
  2. In the Select a task list, select Install software modules.
  3. In the Software Installation task list, click Install Microsoft Redistribuables and follow the displayed instructions.

    IMPORTANT: If Microsoft Redistributable is already installed on the workstation, the Install Microsoft Redistribuables link does not appear.

    The installation starts.

Installing an EAM Client

Subject

The EAM Client installation wizard allows you to install all the EAM software modules on a workstation at the same time.

The EAM software modules are:

  • Authentication Manager

    Authentication Manager is the authentication software module.

  • Enterprise SSO

    Enterprise SSO is the secure single sign-on (SSO) software module. You can install it on a single workstation or deploy it on all the workstations of an enterprise network. This section explains how to install it on a workstation.

    To install Cloud E-SSO, see Installing Cloud E-SSO.

    For information on enterprise-wide installation, see Centralizing Parameters Using Group Policy Objects (GPO), and Enterprise SSO - Guide de l'administrateur.

  • Enterprise Access Management Console

    EAM Console is the administration console. This module can be installed on any client workstation.

Interactive/Silent Mode Installation

The EAM Client is delivered as installation packages using the Microsoft Windows Installer (MSI) format.

You can install this package:

  • In interactive mode: follow the instructions of the installation wizard, as described in the following procedure.
  • In silent mode: command line options allow you to specify installation options for each installation package: see Installing EAM MSI Packages in Silent Mode.
Before Starting

Make sure you have installed the Microsoft Redistributable as explained in Installing Microsoft Redistributable.

Make sure you have enough available hard disk space.

NOTE: For more information on versions and hardware requirements, see One Identity EAM Release Notes.

If you want to install the SSOJava plug-in (which is an installation feature of Enterprise SSO), a supported Java version must already be installed on your workstation (for more details about the supported JRE versions, see One Identity EAM Release Notes).

Close all running applications.

Procedure
  1. Start the Administration Tools window (see Starting the Administration Tools window).
  2. In the Select a task list, select Install software modules.
  3. In the Software Installation task list, click Install EAM Client.

NOTE: If the Client installation wizard does not appear: from the downloaded installation package browse the INSTALL directory and double-click ESSOAgent.msi.

The EAM Client installation wizard appears.

  4. Follow the displayed instructions and the guidelines given in the following Client Wizard Window Description section.
  5. Restart the workstation.

    If you have installed Authentication Manager, the Authentication Manager authentication window appears.

Client Wizard Window Description
"Select Installation Type" and "Select Features" Window Description

To choose the components to install, click Custom in the Select Installation type window.

The feature selection window appears:

  • Authentication Manager: Authentication Manager software module installation, which includes the following selectable features:

    IMPORTANT:

    • For performance reasons, you are advised to select only the required features.
    • The selection of the Authentication Manager features is available only for Windows systems from Windows 7 and above.

    • Password and OTP authentication.
    • Smart card authentication.
    • RFID authentication.
    • Biometrics authentication.

      NOTE: For details on the supported authentication devices, see One Identity EAM Release Notes.

    • Mobile authentication: users who forgot their password can use their mobile phone to log on to Windows. Administrators can use their mobile phone to log on as local administrators. For more information, see QRentry - Guide de l’utilisateur.
    • SSPR authentication: users who forgot their password must answer security questions to open a session. For more information, see Authentication Manager Self Service Password Request Administrator's Guide.

      NOTE:
      • You can select only this option (without any other listed under the Authentication Manager node) to enable SSPR while keeping the standard Windows authentication.
      • On Windows 7/2008 (and above) clients, this option can be combined with Integration with Windows Authentication (see below) to add the SSPR option to the Smart Card Logon mode.

    • Cluster and transparent locking: this feature must be installed to enable the cluster mode and the transparent locking. For more information, see Authentication Manager Cluster Administrator’s Guide.
    • Biometrics Enrollment tool: installs the biometrics enrollment wizard on the workstation, which allows a user to enroll his/her biometric data for fingerprint authentication. For more information on the EAM biometrics feature, see Authentication Manager pour Windows - Guide de l'utilisateur.

  • Enterprise SSO: Enterprise SSO software module installation, which includes the following selectable features:

    • Integration with Windows Authentication: transparently launches Enterprise SSO at session startup using the user's Windows credentials. If this feature is not installed, Enterprise SSO is still launched automatically, but it asks the user for his/her credentials.

      IMPORTANT: If you select this option to implement the Smart Card Logon mode, by default this feature supports only the Microsoft Credential Provider tile. On Windows 7/2008 (and above) systems, you can extend smart card logon to non-Microsoft credential providers by creating the following value under HKLM\Software\Enatel\WiseGuard\FrameWork\Authentication:

      • Value name: AltSmartCardCredentialProviders
      • Value type: REG_SZ (String value).
      • Data: the credential provider GUID (example: {6012D512-EEBB-41E2-8842-28611CD7FE9E}). For information on the credential provider GUID, see the vendor documentation.

    • Old IE Plugin: this deprecated Internet Explorer plug-in must only be installed for compatibility with previous EAM versions.
    • Java plugin: allows Enterprise SSO to access Java applications. If you select this feature, make sure a supported Java version is already installed on your workstation.

      IMPORTANT:

      • If you update your Java version, Enterprise SSO must be reinstalled.
      • The configuration of SSO for Java requires advanced skills. To deliver SSO access to Java applications, an integration service is required. Please contact Evidian services at srv-expertise@evidian.com.

    • Personal SSO Studio: allows a single user to configure the applications for which he/she wants to enable SSO.
    • Enterprise SSO Studio: this feature is dedicated to administrators: the SSO configuration is shared by a number of users.
    • Multi User Desktop: provides a single Windows Desktop to display all the user applications and launches a single instance of the Enterprise SSO engine. For more information, please refer to Authentication Manager Session Management Administrator’s Guide.

      IMPORTANT: This option is incompatible with Authentication Manager and Integration with Windows Authentication.

    • Public Access FUS: allows authorized users to share a workstation without having to restart a Windows session. On smart card, RFID badge or fingerprint detection, Enterprise SSO prompts the user to type his/her PIN code or password and starts the SSO engine. The engine stops at smart card or RFID badge withdrawal, or at fingerprint detection.

      IMPORTANT: This option is incompatible with Authentication Manager and Integration with Windows Authentication.

    • FUS extension DLL: the FUS Extension DLL feature is designed to help you configure automated actions on running applications when Enterprise SSO starts or stops on a workstation configured for Fast User Switching without Authentication Manager installed. For details, see Authentication Manager Session Management Administrator’s Guide.

      To install Cloud E-SSO, see Installing Cloud E-SSO.

  • EAM Console: EAM Console software module installation.

    If EAM Console has already been installed on the machine (with the EAM Controller), the EAM Console feature does not appear in the window.

  • Supported languages.

    You need a specific license to install the Japanese Resources.

Installing Cloud E-SSO

Before Starting
  • Make sure you have installed the Microsoft Redistributable as explained in Installing Microsoft Redistributable.
  • Make sure you have enough available hard disk space.

    For more information on versions and hardware requirements, see One Identity EAM Release Notes.

  • If you want to install the SSOJava plug-in (which is an installation feature of Enterprise SSO), a supported Java version must already be installed on your workstation (for more details about the supported JRE versions, see One Identity EAM Release Notes).
  • Close all running applications.
Procedure
  1. From the EAM installation package browse the INSTALL directory and double-click ESSOCloud.msi.

    The Cloud E-SSO Engine installation wizard appears.

  2. Click Next to start the installation and follow the displayed instructions with the following guidelines:
    1. Click I accept the license agreement and click Next.
    2. Select the folder where you want to install Enterprise SSO and click Next.

      Note: we recommend that you do not modify the destination folder.

    3. Select the Typical installation and click Next.

      NOTE: for Cloud E-SSO to work correctly, we recommend that you select the Typical installation to install all the necessary components.

    4. Provide the following elements and click Next:
      • Server URL: the Cloud server URL (DNS name).

        IMPORTANT: the server URL must be reachable from the user's workstation; check the DNS and that port 9765 is open in the firewall.

      • Trusted CA file: if the company directory is not part of the same domain as the Cloud server, you can define the location of your trusted CA file.

      NOTE: if you do not provide any of these elements, the user will be asked to provide them when Cloud E-SSO is launched.

    5. Click Finish to close the wizard.

Installing French Healthcare Smart Cards (CPS)

Subject

If you are using CPS smart cards, you must install the CPS smart card middleware on every client workstation that will be using it.

Procedure
  1. Start the Administration Tools window (see Starting the Administration Tools window).
  2. In the Select a task list, select Install software modules.
  3. In the Software Installation task list, click Install French Healthcare (CPS) smart cards.

    NOTE: If the CPS installation wizard does not appear: from the downloaded installation package browse the INSTALL directory and double-click ESSOCPS.msi.

    The CPS installation wizard appears.

  4. Follow the displayed instructions.

    The CPS smart card middleware is installed as a Windows service.

Activating Smart Card Readers and PCSC on Remote Workstations

Subject

Some environments such as Citrix or VMware are not able to display smart card readers or PCSC when they are used remotely. Therefore, a local workstation connecting to one of these remote environments cannot use the smart card authentication method.

Description

EAM solves this with remote PCSC over a virtual channel between the remote EAM workstation and the local EAM workstation: all smart card accesses are performed by EAM on the local workstation, on demand from EAM on the remote workstation.

Pre-requisite

On the local workstation (client side), the smart card authentication method must be activated.

The Dynamic Virtual Channel Client plugin is a Windows DLL that is installed by the EAM Client installation package.

Procedure

On the remote workstation (server side), set the following registry value to activate the remote smart card reader:

HKEY_LOCAL_MACHINE\SOFTWARE\[policies]\Enatel\WiseGuard\FrameWork\Authentication\

  • Name: VirtualChannelRemoteToken
  • Type: REG_DWORD
  • Values:
    • 0 (default): disabled.
    • 1: enabled.

IMPORTANT: For VMware remote workstations, the virtual channel implementation is specific. You must set an additional registry value to configure it on the VMware remote workstation:

  • Name: VMWareVirtualChannel
  • Type: REG_DWORD
  • Values:
    • 0 (default): disabled.
    • 1: enabled.

Installing Finger Vein Biometric Drivers

Subject

If you are using Hitachi finger vein biometrics, you must install finger vein biometric drivers on every client workstation that will be using it.

Restriction

This feature is not available in Japan.

Procedure

  1. Start the Administration Tools window (see Starting the Administration Tools window).
  2. In the Select a task list, select Install software modules.
  3. In the Software Installation task list, click Install finger vein biometric drivers.

NOTE: If the installation does not start: from the downloaded installation package browse the DRIVERS directory and double-click BioHitachi_Install.exe.

The installation proceeds.

Modifying the Possible Domains List

Subject

When EAM is installed in multi-domain mode, you may need to modify the list of possible domains displayed by the authentication windows of EAM workstation clients. The following procedure describes how to modify the possible domains list.

Restrictions

Only for EAM in multi-domain mode with Active Directory or Active Directory/AD LDS architectures.

Procedure
  1. On the wanted EAM Controller, start Registry Editor.
  2. In the HKLM\Software\Enatel\WiseGuard\FrameWork\Directory key, add the following value:
    • Value type: String
    • Value name: PossibleDomainsList
    • Value: Domain1 [...] DomainN

Enabling the Self Service Password Request (SSPR) Feature

Subject

The Self Service Password Request feature allows users to unlock their Windows access by themselves. For example, they can reset their primary password by answering a series of questions, either through the Questions answers tile of Authentication Manager (if installed on the workstations) or through the Evidian EAM Web portal.

This section describes how to install and activate the Self Service Password Request (SSPR) feature, from downloaded Enterprise SSO or Authentication Manager installation packages. You can install these components on any supported Windows systems.

Installing the Self Service Password Request

The SSPR feature can be installed on the following servers:

Installing on an Apache server

Interactive/Silent Mode Installation

The SSPR feature is delivered as installation packages using the Microsoft Windows Installer (MSI) format.

You can install this package:

  • In interactive mode: follow the instructions of the installation wizard, as described in the following procedure.
  • In silent mode: command line options allow you to specify installation options for each of the installation package: see Installing EAM MSI Packages in Silent Mode.
    The silent installation can only be used for updating the web server: the MSI does not include the Apache server installation, which is a prerequisite for the Self-Service Password Request and the EAM API.
Before Starting

The SSPR feature requires a dedicated user account to perform operations in the directory. This account must exist before starting the installation procedure, as the wizard will prompt you for account credentials. The following procedure details how to create and configure this account:

From a workstation where EAM Console is installed, do the following:

  • Create or select in your directory a user account that will be used exclusively for the Self Service Password Request (SSPR) feature.

IMPORTANT: Enable the Password never expires option for this account.
  • If you start EAM Console in hardware protection mode, assign a smart card to this user account using EAM Console, with the following guidelines (this card will be used by the EAM Security Services to enable the SSPR feature):
    • The assigned smart card must not expire.
    • The owner of this token must have the Delegate the right to retrieve SSO data administration right.

    IMPORTANT: The smart card must be permanently connected to the SSPR server, to allow users to reset their password.
  • The user must have authenticated at least once on EAM, so that the specific administration rights to manage SSPR can be delegated to him/her:
    • In classic administration mode: SSO Data Recoverer administration role.
    • In advanced administration mode:
      • Self Service Password Request: Answer deletion
      • Self Service Password Request: Challenge generation
      • Self Service Password Request: Reset attempt counter
      • User: password modification.
Restrictions
  • If you have downloaded the installation packages, do not start the following procedure from a network drive: copy the installation packages locally before starting the installation.
  • Check that ports 80 and 443 are not used.
Procedure
  1. If you have chosen the Hardware protection mode at EAM primary controller initialization (see Initializing the Primary Controller), install the driver for your smart card reader.
  2. Start the Administration Tools interface, as described in Starting the Administration Tools window.
  3. In the Administration Tools window, click Define administrator credentials for Self Service Password Request.

    The following window appears:

  4. Do one of the following, depending on the protection mode you have selected in Initializing the Primary Controller:
    • If you have chosen the Software protection mode, select Software credentials and fill in the Software credentials area with the credentials of the dedicated user account allowed to manage SSPR (see Before Starting above).
    • If you have chosen the Hardware protection mode, select Hardware credentials, insert the SSPR smart card previously created in the smart card reader and provide the PIN for the smart card.

    IMPORTANT: You must leave the smart card permanently connected to the SSPR server, so that the user password can be modified.
  5. Click OK to register the administrator’s credentials.
  6. In the Select a task drop-down list, click Install Self Service Password Request:

  7. If you are installing SSPR on a workstation where no other EAM software module is running, click Configure workstation and follow the displayed instructions (for details, see Configuring Workstations).
  8. Click Install EAM Web Server.

    You can also start the installation wizard by double-clicking TOOLS\APACHE\WGInstaller.exe.

    The following window appears.

    If a previous version of the SSPR is already installed, the wizard prompts you to select the features to be updated.

  9. Do the following:
    1. Select the Self Service Password Request check box.
    2. To use the SSPR server with Authentication Manager, select the Web Service check box. The IIS check box is automatically disabled.

      In case of update:

      • The Apache component is not updated automatically: to do so, you must uninstall it as well as the EAM Web Server component, clear the corresponding directories and registry entries, and re-install the EAM Web Server. The latter detects the absence of the Apache component and reinstalls the latest version.
      • You can also start the setup wizard by double-clicking ESSOWebServer.msi. For a 32-bit environment, run the 32-bit package located in E-SSO\INSTALL. For a 64-bit environment, you can either run the 64-bit package located in E‑SSO.X64\INSTALL, or the 32-bit package, depending on your configuration. For more details, see the Important note above.

    3. To use the Reveal application password and Account delegation features in the EAM Portal, select the Self Admin. portal check box.

  10. Click the Install (or Update) button to launch the installation.

    During the installation process, the Apache web server icon appears on the task bar.

    NOTE: This Apache web server runs with the Apache mod_ssl module, PHP (used by the EAM web portal) and the gSOAP module (used by Authentication Manager in connected mode).

    IMPORTANT:

    • The Apache web server listens on ports 80 and 443 (SSL). These port numbers cannot be changed.
    • The Web Server is configured in SSL mode by default.

  11. Declare the server and the users allowed to use the SSPR feature. For more information, see Authentication Manager Self Service Password Request Administrator's Guide.

Installing on an IIS server

Installing the IIS Server

Procedure
  1. From the Windows Control Panel, select Programs and Features.
  2. Click Turn Windows features on or off.

    Depending on your platform, you must either:

    • Add a Role.

    OR

    • Select the IIS Feature.

  3. Select the following check boxes:
    • .NET Framework (later than version 4), including ASP.NET.
    • Internet Information Services including .Net Extensibility and HTTP Redirection.
  4. Click OK.

    The IIS Server installation starts.

Registering the .Net Framework to IIS

Procedure

From a command prompt, execute the following command line:

%windir%\Microsoft.NET\FrameWork\v4.0.30319\aspnet_regiis.exe -ir

Providing Registry Access to IIS

The EAM Web Portal must have read access to the HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets registry key and all its sub-keys and values. You can either:

  • Add read access to the local IIS_IUSRS user,

    OR

  • Check that the EAM Web Portal IIS application runs as Local System user.

Checking the .NET Application and Rights

Procedures
Checking the .NET 4 Application Pool
  1. Open the Server Manager window and browse down in the Connections panel to the IIS Web Server.
  2. In the Actions panel, click Add Application Pool.

    The Add Application Pool window appears.

  3. Enter a pool name. Example: .NET 4 Syst Integrated.
  4. In the drop down lists, check that .Net Framework 4 version and classic pipeline mode are selected.
  5. Select the Start application pool immediately check box.
  6. Click OK.
  7. If the IIS application is to run as local system, select your application pool and in the Actions panel, click Advanced Settings.

    The Advanced Settings window appears.

  8. In the Process Model area, check that the Identity element is set to LocalSystem.

    Click OK.

Checking .NET Framework Rights on the IIS Server
  1. In the Server Manager, click the IIS Server host to display the associated features in the main panel.
  2. Double-click ISAPI and CGI Restrictions.
  3. Make sure ASP.NET version 4 is allowed for 32-bit applications, for both the 32-bit and 64-bit DLLs.

Executing the SSPR Installation with IIS

Procedure
  1. Start the Administration Tools interface, as described in Starting the Administration Tools window.
  2. In the Administration Tools window > Select a task drop-down list, click Install Self Service Password Request:

  3. If you are installing SSPR on a workstation where no other EAM software module is running, click Configure workstation and follow the displayed instructions (for details, see Configuring Workstations).
  4. Click Install EAM Web Server.

    The following window appears.

    If a previous version of the SSPR is already installed, the wizard prompts you to select the features to be updated.

  5. Do the following:
    1. Select the Self Service Password Request check box.
    2. To use the IIS server with Authentication Manager, select the Install Enterprise Access Management Web Server for integration in IIS check box. The Web service check box is automatically disabled.
    3. To use the Reveal application password and Account delegation features in the EAM Portal, select the Self Admin. portal check box.
  6. Click the Install (or Update) button to launch installation.
  7. Declare the server and the users allowed to use the SSPR feature. For more information, see Authentication Manager Self Service Password Request Administrator's Guide.

Configuring the IIS Web Site

Creating the Web Site application
  1. In the Server Manager, browse down in the Connections panel to the Default Web Site element.
  2. Right-click it and select Add Application.

    The Add Application window appears.

  3. Enter the Web site Alias. Example: EAM.

    The alias is part of the Web Portal URL, such as:
    https://host.dns.name/Alias/

  4. Select the Application Pool described above (.NET 4 Syst Integrated).
  5. Browse your server to select the Physical Path.

    The default UAS Web Portal folder is %CommonProgramFiles%\Evidian\WGIISRoot.

  6. Click OK.

Checking the link from the Application Pool to the Default Web Site and Web Site application
  1. In the Server Manager, browse down in the Connections panel to the Default Web Site element.
  2. Select it and, in the Actions panel, click Advanced Settings.

    The Advanced Settings window appears.

  3. In the General area, check that the Application Pool element is set to the application pool you have created (.NET 4 Syst Integrated).
  4. Click OK.
  5. In the Connections panel > Default Web Site element, select the Web site application you have created (EAM).
  6. In the Actions panel, click Advanced Settings.

    The Advanced Settings window appears.

  7. In the General area, check that the Application Pool element is set to the application pool you have created (.NET 4 Syst Integrated).
  8. Click OK.


Setting the Web Site Default Page
  1. In the Server Manager, browse down in the Connections panel to the Web site application you have created (EAM).
  2. Select it and, in the main panel, double-click Default Document.

    If default.aspx is not in the list, you must add it.

  3. In the Actions panel, click Add.
  4. Enter default.aspx and click OK.
  5. Select default.aspx and, in the Actions panel, click Move Up until it is in first position in the list.


Securing the Web Site
  1. In the Server Manager, browse down in the Connections panel to the Web site application you have just created.
  2. Select it and, in the Actions panel, click Bindings.

    The Site Bindings window appears.

  3. Click Add.

    The Add Site Binding window appears.

  4. In the Type drop-down list, select https.
  5. In the Port field, enter 443.
  6. In the SSL certificate drop-down list, select the host SSL certificate.

    Refer to Microsoft Windows documentation to install a host certificate on your IIS Server machine.

  7. Click OK twice to close the Bindings windows.
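The four IIS procedures above (application, application pool link, default document, HTTPS binding) can be applied and then re-checked from an elevated PowerShell prompt on the IIS server. The following script is an added example, not code from the One Identity/Evidian documentation. It assumes the ".NET 4 Syst Integrated" application pool already exists (it is created earlier in the guide), that the WebAdministration module shipped with IIS is available, and that the host certificate is already installed in the LocalMachine\My store; $CertThumbprint is a placeholder you must replace with that certificate's thumbprint. Bindings are set on the site itself, which is what IIS Manager edits when you click Bindings.

```powershell
# Added example (not part of the EAM documentation): configure and verify the EAM
# web site application as described in "Configuring the IIS Web Site".
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName       = 'Default Web Site'
$Alias          = 'EAM'
$AppPool        = '.NET 4 Syst Integrated'
$PhysicalPath   = Join-Path $env:CommonProgramFiles 'Evidian\WGIISRoot'
$CertThumbprint = 'REPLACE_WITH_HOST_CERTIFICATE_THUMBPRINT'   # placeholder, not a real value

if (-not (Test-Path "IIS:\AppPools\$AppPool")) {
    throw "Application pool '$AppPool' does not exist; create it first as described earlier in the guide."
}

# Creating the Web Site application (equivalent of Add Application).
if (-not (Get-WebApplication -Site $SiteName -Name $Alias)) {
    New-WebApplication -Site $SiteName -Name $Alias -PhysicalPath $PhysicalPath -ApplicationPool $AppPool | Out-Null
}

# Checking the link from the Application Pool to the site and to the application.
Set-ItemProperty -Path "IIS:\Sites\$SiteName"        -Name applicationPool -Value $AppPool
Set-ItemProperty -Path "IIS:\Sites\$SiteName\$Alias" -Name applicationPool -Value $AppPool

# Setting the Web Site Default Page: default.aspx must be first in the list.
$AppPsPath = "IIS:\Sites\$SiteName\$Alias"
$Filter    = 'system.webServer/defaultDocument/files'
$current   = @((Get-WebConfigurationProperty -PSPath $AppPsPath -Filter $Filter -Name Collection).value)
if ($current -contains 'default.aspx') {
    # Remove it first so that re-adding at index 0 moves it to the top instead of failing as a duplicate.
    Remove-WebConfigurationProperty -PSPath $AppPsPath -Filter $Filter -Name Collection -AtElement @{ value = 'default.aspx' }
}
Add-WebConfigurationProperty -PSPath $AppPsPath -Filter $Filter -Name Collection -Value @{ value = 'default.aspx' } -AtIndex 0

# Securing the Web Site: https binding on port 443 with the host certificate.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 | Out-Null
}
$cert = Get-Item -Path "Cert:\LocalMachine\My\$CertThumbprint"
(Get-WebBinding -Name $SiteName -Protocol https -Port 443).AddSslCertificate($cert.Thumbprint, 'My')

# Verification: re-read every setting and report anything that does not match the guide.
$failures = @()
if ((Get-Item "IIS:\Sites\$SiteName").applicationPool -ne $AppPool)        { $failures += 'site is not on the expected application pool' }
if ((Get-Item "IIS:\Sites\$SiteName\$Alias").applicationPool -ne $AppPool) { $failures += 'application is not on the expected application pool' }
$docs = @((Get-WebConfigurationProperty -PSPath $AppPsPath -Filter $Filter -Name Collection).value)
if ($docs[0] -ne 'default.aspx') { $failures += "first default document is '$($docs[0])', not default.aspx" }
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) { $failures += 'no https binding on port 443' }
if (-not (Get-ChildItem IIS:\SslBindings | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })) {
    $failures += 'host certificate is not bound to any https binding'
}

if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
"EAM web application ready at https://$env:COMPUTERNAME/$Alias/"
```

Run it once after the application pool exists; it is idempotent, so it can be re-run to confirm that a later change in IIS Manager has not moved the application to another pool or dropped the https binding.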


Replacing the private key and certificate of the SSPR server

Subject

The SSPR server runs as an Apache 2.4 Web server with mod_ssl installed. Upon installation, a temporary set of certificates is generated to enable secure user authentication. It is recommended that you replace these temporary certificates with certificates generated using your own PKI.

The company certificate used for the SSPR server must comply with the following certificate content requirements.

NOTE: For more information about Apache 2.4 SSL configuration, refer to: http://httpd.apache.org/docs/2.4/en/mod/mod_ssl.html.

To replace the private key and certificate of the SSPR server with your own company certificate, execute the following procedure.

Requirements
  • The public key certificate must contain the DNS host name of the Reset Password server:
    • in the CN part of the certificate subject,
    • and/or in a Netscape SSL server name extension,
    • and/or as a DNS name in a subjectAltName extension.

    If the SSPR server has several DNS names and aliases, they must all appear as a DNS name in a subjectAltName.

  • To avoid users getting a warning message, the public key certificate must be signed by a company Certificate Authority with its certificate already deployed on the users' workstations.
  • To enable an automatic start of the SSPR server without entering a password, place the private key in its unencrypted form within the private key file.
Procedure
  1. Set the private key in the %ProgramFiles%\Evidian\WebSrv\Apache2.4\conf\server.key file.
  2. Set the public key certificate in the %ProgramFiles%\Evidian\WebSrv\Apache2.4\conf\server.crt file.
  3. Make sure the paths to the above files are properly set in the %ProgramFiles%\Evidian\WebSrv\Apache2.4\conf\extra\httpd-ssl.conf file, as follows:
    1. The SSLCertificateKeyFile directive must contain the full path name of the private key file.
    2. The SSLCertificateFile directive must contain the full path name of the public key certificate file.

IMPORTANT: Both files must be in PEM format.
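Before restarting the SSPR server, the files put in place by this procedure can be checked against the requirements listed above. The script below is an added example, not code from the One Identity/Evidian documentation. It assumes the default installation paths given in the procedure and that $HostNames lists every DNS name and alias of the SSPR server (the values shown are constructed samples). The subjectAltName check relies on the "DNS Name=" label that Windows uses on an English system; adjust the pattern on a localized OS.

```powershell
# Added example (not part of the EAM documentation): verify server.key, server.crt and
# httpd-ssl.conf against the SSPR certificate requirements.
$ConfDir   = Join-Path $env:ProgramFiles 'Evidian\WebSrv\Apache2.4\conf'
$KeyFile   = Join-Path $ConfDir 'server.key'
$CertFile  = Join-Path $ConfDir 'server.crt'
$SslConf   = Join-Path $ConfDir 'extra\httpd-ssl.conf'
$HostNames = @('sspr.example.com', 'password.example.com')   # constructed sample values

$problems = New-Object 'System.Collections.Generic.List[string]'

# Requirement: both files in PEM format.
$keyText  = Get-Content -Path $KeyFile  -Raw
$certText = Get-Content -Path $CertFile -Raw
if ($keyText  -notmatch '-----BEGIN [A-Z ]*PRIVATE KEY-----') { $problems.Add("$KeyFile is not a PEM private key") }
if ($certText -notmatch '-----BEGIN CERTIFICATE-----')         { $problems.Add("$CertFile is not a PEM certificate") }

# Requirement: unencrypted private key, so the service starts without a passphrase prompt.
# PKCS#8 encrypted keys say "ENCRYPTED PRIVATE KEY"; legacy PEM keys carry a Proc-Type header.
if ($keyText -match 'BEGIN ENCRYPTED PRIVATE KEY' -or $keyText -match 'Proc-Type: 4,ENCRYPTED') {
    $problems.Add('server.key is passphrase-protected; Apache will not start unattended')
}

# Requirement: host name(s) in the subject CN and/or as subjectAltName DNS entries.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertFile)
$cn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = @()
if ($san) {
    # Format() renders the extension as "DNS Name=a.example.com, DNS Name=b.example.com".
    $sanNames = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })
}
foreach ($h in $HostNames) {
    if ($cn -ne $h -and $sanNames -notcontains $h) { $problems.Add("$h is neither the subject CN nor a subjectAltName DNS entry") }
    # With several names and aliases, every one of them must be a subjectAltName DNS entry.
    if ($HostNames.Count -gt 1 -and $sanNames -notcontains $h) { $problems.Add("$h missing from subjectAltName (required when the server has several names)") }
}
if ($cert.NotAfter -lt (Get-Date)) { $problems.Add("certificate expired on $($cert.NotAfter)") }

# Requirement: issuing CA trusted. This only tells you about the machine running the check;
# the CA certificate must also be deployed on the users' workstations.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $problems.Add("issuer chain not trusted on this machine ($status)")
}

# Requirement: httpd-ssl.conf directives point to the two files (Apache accepts / or \ on Windows).
$conf = Get-Content -Path $SslConf
foreach ($d in @(@{ Name = 'SSLCertificateFile'; Expected = $CertFile }, @{ Name = 'SSLCertificateKeyFile'; Expected = $KeyFile })) {
    $line = $conf | Where-Object { $_ -match ('^\s*' + $d.Name + '\s+') } | Select-Object -Last 1
    if (-not $line) { $problems.Add("$($d.Name) is not set in $SslConf"); continue }
    $path = ($line -replace ('^\s*' + $d.Name + '\s+'), '').Trim().Trim('"')
    if (($path -replace '/', '\') -ne $d.Expected) { $problems.Add("$($d.Name) points to $path, expected $($d.Expected)") }
}

if ($problems.Count -eq 0) { 'server.key, server.crt and httpd-ssl.conf satisfy the SSPR requirements.' }
else { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
```

Because the private key is stored unencrypted, restrict NTFS read access on server.key to administrators and the account the Apache service runs under; whether the key actually matches the certificate is verified by Apache itself at start-up.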

Enabling the "unlocking of a user primary account" feature

Subject

The unlocking of a user primary account is one of the features provided with the Self-Service Password Reset feature. It is only available through the EAM Web portal. It is intended for users who have locked their primary accounts by typing a wrong password several times in a row.

The following procedure details how to enable this feature, which consists of delegating the following tasks to the dedicated technical account(s) used by the EAM controllers:

  • Reset user passwords and force password change at next logon.
  • Write permission on the lockoutTime property, on User objects only.
Restriction

The following procedure must be performed only if EAM is used with Active Directory or AD LDS directories.

NOTE: If you are using another supported LDAP directory, the feature is automatically enabled upon EAM installation. Refer to Evidian EAM Portal - Guide de l’utilisateur to test it.
Procedure
  1. From the Active Directory domain controller, launch Active Directory Users and Computers.
  2. Right-click the Organization (organizational unit) containing the users for which you want to enable the feature, and select Delegate Control.

    The Delegation of Control Wizard starts.

  3. Select the group containing the technical accounts of the EAM controllers (Active Directory only), or each technical account individually if necessary.
  4. Follow the wizard's instructions to delegate the following common task to the selected technical account(s): Reset user passwords and force password change at next logon.
  5. Start the Delegation of Control wizard again (repeat steps 2 and 3 with the same technical account(s)).
  6. On the Tasks to Delegate page, select Create a custom task to delegate and click Next.
  7. On the Active Directory Object Type page, click Only the following objects in the folder and select User objects. Click Next.
  8. On the Permissions page, select Property-specific and select Write lockoutTime. Click Next then Finish.
  9. Repeat the previous steps to grant the same rights on the System\AdminSDHolder container.

    IMPORTANT:

    • The AdminSDHolder container is protected and may be hidden. To display it, in the View menu of the Active Directory Users and Computers snap-in, click Advanced Features.
    • Any modification of the AdminSDHolder container takes about one hour to become effective.
  10. For AD LDS, to give the super user the rights to unlock a user primary account, proceed as follows:
    1. From the Active Directory domain controller, launch the command prompt as an administrator.
    2. Execute the following command:
      dsacls CN=AdminSDHolder,CN=System,DC=[domain-name] /G "[super-user]:RPWP;lockouttime;"

Enabling One-Time Password (OTP) Authentication

The OTP authentication method is a two-factor authentication method that allows users to authenticate by giving a login name and a password that is valid only once (in contrast to static passwords). OTPs are dynamically generated by a token owned by the user.

To enable the OTP authentication in EAM, you must have one of the following products:

  • RSA Authentication Manager software. When this software is installed and configured to run with EAM, users can authenticate even if they are not connected to the EAM controller (offline mode).
  • A RADIUS plugin (which authenticates against a RADIUS server): this configuration supports only the online mode.

IMPORTANT: EAM supports only one activated OTP authentication method at a time.

RSA Authentication Manager

Subject

The RSA Authentication Manager software consists of the following main components:

  • Authentication Server, which manages authentication operations.
  • Internal database, required for policy data.
  • RSA Security Console, to administer the system.

These components are configured differently depending on which type of installation you choose. The "primary instance" installation type is mandatory. Then, depending on the installation process you have planned to deploy the RSA software, you may also need one or more "replica instances" (for failover) and one or more "server nodes" for improved performance.

To enable authentication operations, your system must also include RSA authentication agents. These components are installed on the user workstations. The RSA authentication agent sends the OTP entered by the user to RSA Authentication Manager for validation. If the OTP is correct, the Windows session opens.

To enable the EAM one-time password authentication method within an RSA architecture, you must install an RSA authentication agent on each of your EAM controllers. To enable the offline mode, you must also install an RSA authentication agent on each EAM workstation that may support this mode.

Before Starting

The RSA primary instance is installed on a dedicated server, as detailed in the RSA Authentication Manager documentation, available at the following URL:
https://knowledge.rsasecurity.com (registration required).

Procedure
  1. Import the system configuration file (sdconf.rec). This file is required by the RSA authentication agent to communicate with the RSA authentication server.

    You may also need the server certificate file (server.cer) to enable the automatic registration of the users’ computers in the internal database of the RSA primary instance and/or to allow users to authenticate with a SecurID 800 authenticator connected to the USB port.

    Depending on the RSA Authentication Manager version, these files can be generated from the RSA Security Console (version 7.1 and later), or are located in the ACEDATA directory on the RSA primary instance (version 6.1 and later).

  2. Install an RSA authentication agent on each one of your EAM controllers, with the following guidelines:
    • To install the software on a single computer, run the MSI file on the local computer. For a large-scale deployment, use the configuration wizard.
    • If you need to import sdconf.rec only, select the Typical installation type. To import sdconf.rec and server.cer, you must select the Custom installation.
    • Select Challenge all users except administrators to allow the local administrator to authenticate using the standard authentication method (password or smart card).
  3. From the RSA administration console, do the following:
    • Register the authentication agent(s) you have installed.
    • Create your organizational hierarchy and access users from the EAM directory.
    • Enable users for authentication and assign them RSA SecurID tokens.

      NOTE: For detailed information on how to use RSA Security Console and RSA Operations Console, please refer to the RSA Authentication Manager Administrator's Guide.
  4. Test authentication to secure the communication between the authentication agent(s) and RSA Authentication Manager:
    • Log on to the EAM Controller using an administrator account.
    • Start the RSA Control Center, and in the Advanced Tools panel, click Test Authentication.

    Upon a successful authentication test, RSA Authentication Manager creates a node secret for the agent and stores it in the internal database. A copy of this node secret is encrypted and stored on the agent.

  5. Repeat step 4 for each EAM Controller.

    IMPORTANT: At the end of this step, the OTP authentication in online mode is available. If you do not need to enable the offline mode, you must now configure EAM to enable the OTP authentication method, as detailed in One Identity EAM Console - Guide de l'administrateur.
  6. To prepare EAM for the offline mode, install RSA authentication agents on the wanted EAM workstations.
  7. From the RSA administration console, register the authentication agent(s) you have installed, enable users for authentication in offline mode and assign them RSA SecurID tokens.
  8. Copy the acednt.dll, sdmsg.dll, sdconf.rec and securid.exe files to the Windows\System32 folder of your EAM controller.

    IMPORTANT: To authenticate with RSA OTP in cache mode, you must also copy these files to the same folder on the user workstation.
  9. You must now configure EAM to enable the OTP authentication method in offline mode, as detailed in One Identity EAM Console - Guide de l'administrateur.
Hiding the RSA authentication tile

If you install the RSA authentication agent on a computer where EAM Authentication Manager is already installed, the RSA authentication tile appears among the Authentication Manager tiles.
To hide the RSA authentication tile, set the GinaDLL value of the following registry key to WGSafeGina.dll: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

RADIUS plugin


  • Copy and paste the following XML code:

<token_class id="OTP" display_name="OTP">
  <token_config>
    <custom_otp_dll>CustomOTPExtensionRadius.dll</custom_otp_dll>
    <ldap_attribute>sAMAccountName</ldap_attribute>
  </token_config>
  <data_structure>
    <module id="0x0100">
    </module>
    <module id="0x0200">
    </module>
  </data_structure>
</token_class>

NOTE:
  • custom_otp_dll indicates the name of the .dll file to associate with the OTP method.
  • ldap_attribute is the LDAP attribute whose value is used as the RADIUS login for the E-SSO user.
  • Enter the following keys in the registry:

IMPORTANT: These registry keys must be set on all controllers.

Value                  Type     Key
Radius Server          String   HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\FrameWork\Radius\Server
Port                   DWORD    HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\FrameWork\Radius\Port
Radius Server Secret   String   HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\FrameWork\Radius\Secret
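Since the three values have to be identical on every controller, it is worth setting them from one place and reading them back. The script below is an added example, not code from the One Identity/Evidian documentation. It assumes PowerShell remoting is enabled on the controllers, that the Server, Port and Secret value names are those of the table above, and that $Controllers, $RadiusServer and $RadiusPort are your own values (the ones shown are constructed samples). The shared secret is prompted for rather than written in the script, and the controllers return only a hash of it, so it never appears in the console or in a transcript.

```powershell
# Added example (not part of the EAM documentation): set the RADIUS plugin registry
# values on every EAM controller and verify that they are consistent.
$Controllers  = @('eamctl1.example.com', 'eamctl2.example.com')   # constructed sample values
$RadiusServer = 'radius.example.com'                              # constructed sample value
$RadiusPort   = 1812
$KeyPath      = 'HKLM:\SOFTWARE\Enatel\WiseGuard\FrameWork\Radius'

# Read the shared secret without echoing it; it only travels inside the encrypted remoting session.
$secure = Read-Host -Prompt 'RADIUS shared secret' -AsSecureString
$bstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $secret = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$results = Invoke-Command -ComputerName $Controllers -ArgumentList $KeyPath, $RadiusServer, $RadiusPort, $secret -ScriptBlock {
    param($KeyPath, $Server, $Port, $Secret)
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name 'Server' -Value $Server -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name 'Port'   -Value $Port   -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name 'Secret' -Value $Secret -PropertyType String -Force | Out-Null

    # Read back what was written; return a fingerprint of the secret instead of the secret itself.
    $v    = Get-ItemProperty -Path $KeyPath
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes([string]$v.Secret)) | ForEach-Object { $_.ToString('x2') }) -join ''
    [pscustomobject]@{
        Controller        = $env:COMPUTERNAME
        Server            = $v.Server
        Port              = $v.Port
        SecretFingerprint = $hash.Substring(0, 12)
    }
}
$secret = $null

$results | Format-Table Controller, Server, Port, SecretFingerprint -AutoSize
foreach ($r in $results) {
    if ($r.Server -ne $RadiusServer -or $r.Port -ne $RadiusPort) {
        Write-Warning "$($r.Controller): Server or Port does not match the intended values"
    }
}
$distinct = @($results | ForEach-Object { "$($_.Server)|$($_.Port)|$($_.SecretFingerprint)" } | Sort-Object -Unique)
if ($distinct.Count -ne 1) { Write-Warning 'RADIUS settings differ between controllers; authentication will not behave consistently' }
```

The secret is stored as a plain string under HKLM, so restrict read access on the Radius key to administrators and the account the EAM controller service runs under, and treat the controllers' registry backups as sensitive.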


Enabling the Group Membership Modification Feature

Subject

You can add or remove Users and Access Points from groups directly through the EAM console, without using a third-party group management console. To enable this feature, you must enable the EAM Controllers to modify group memberships, by delegating the Modify the membership of a group task to their dedicated technical accounts.

Restriction

IMPORTANT: The following procedure must be performed only if EAM is used with Active Directory or AD LDS directories.


NOTE: If you are using another supported LDAP directory, the feature is automatically enabled.
Procedure
  1. Launch the Active Directory Users and Computers tool on the Active Directory domain controller.
  2. Right-click the Organization of the users or machines you want to modify and select Delegate Control.

    The Delegation of Control Wizard starts.

  3. Press the Next button and then the Add button.
  4. Select the group containing the technical accounts of the EAM Controllers (Active Directory only), or each technical account individually if necessary.

  5. Click the Next button and select the Modify the membership of a group check box.

  6. Click the Next button and then the Finish button to close the Wizard.

    The delegation of control is complete.

For details on how to use this feature, refer to One Identity EAM Console - Guide de l'administrateur.
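Both Delegation of Control procedures in this chapter (the account-unlocking delegation on the users' Organization and on AdminSDHolder, and the group membership delegation above) leave access control entries in Active Directory that can be verified afterwards. The script below is an added example, not code from the One Identity/Evidian documentation; it lists, for the technical account or group, whether each expected entry is present. It assumes the ActiveDirectory PowerShell module (RSAT) on a machine joined to the domain, and that $Principal and $UserOU are your own values (the ones shown are constructed samples). The GUIDs that identify the rights are resolved from the forest's schema and Extended-Rights container rather than hard-coded.

```powershell
# Added example (not part of the EAM documentation): verify the delegations made with
# the Delegation of Control wizard for the EAM controllers' technical account(s).
Import-Module ActiveDirectory

$Principal = 'EXAMPLE\EAM-Controllers'        # constructed: group holding the technical accounts (or one account)
$UserOU    = 'OU=Users,DC=example,DC=com'      # constructed: the Organization chosen in the wizards
$rootDse   = Get-ADRootDSE
$AdminSDHolder = "CN=AdminSDHolder,CN=System,$($rootDse.defaultNamingContext)"

# An ACE identifies a delegated attribute, class or extended right by GUID; resolve them from this forest.
function Get-SchemaGuid([string]$LdapDisplayName) {
    [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID).schemaIDGUID
}
$resetPwd = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid
$lockout  = Get-SchemaGuid 'lockoutTime'
$member   = Get-SchemaGuid 'member'
$userCls  = Get-SchemaGuid 'user'
$groupCls = Get-SchemaGuid 'group'

$Ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$Wrt = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# What the wizard runs described in this chapter should have left behind.
$Expected = @(
    @{ Dn = $UserOU;        Right = 'Reset user passwords (common task)';  Guid = $resetPwd; Class = $userCls;  Rights = $Ext },
    @{ Dn = $UserOU;        Right = 'Write lockoutTime on User objects';   Guid = $lockout;  Class = $userCls;  Rights = $Wrt },
    @{ Dn = $AdminSDHolder; Right = 'Reset user passwords (common task)';  Guid = $resetPwd; Class = $userCls;  Rights = $Ext },
    @{ Dn = $AdminSDHolder; Right = 'Write lockoutTime on User objects';   Guid = $lockout;  Class = $userCls;  Rights = $Wrt },
    @{ Dn = $UserOU;        Right = 'Modify the membership of a group';    Guid = $member;   Class = $groupCls; Rights = $Wrt }
)

function Test-DelegatedRight($Dn, $Guid, $Class, $Rights) {
    $acl = Get-Acl -Path "AD:\$Dn"
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Principal -and
        $_.ObjectType -eq $Guid -and
        (($_.ActiveDirectoryRights -band $Rights) -ne 0) -and
        # The wizard scopes the ACE to the chosen object class; an ACE for all classes also qualifies.
        ($_.InheritedObjectType -eq $Class -or $_.InheritedObjectType -eq [guid]::Empty)
    }
    return [bool]$hit
}

$report = foreach ($e in $Expected) {
    [pscustomobject]@{ Object = $e.Dn; Right = $e.Right; Delegated = (Test-DelegatedRight $e.Dn $e.Guid $e.Class $e.Rights) }
}
$report | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.Delegated })
if ($missing.Count -gt 0) { Write-Warning "$($missing.Count) expected delegation(s) not found for $Principal" }
```

The script only looks at entries granted directly to $Principal, so if you delegated to the technical accounts individually rather than to a group, run it once per account. Entries on AdminSDHolder are copied to protected accounts by Active Directory roughly once an hour, as noted above; a delegation that shows as present here but does not yet unlock an administrator's account is usually just waiting for that propagation.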

Related Documents