Centralizing Parameters Using Group Policy Objects (GPO)
Subject
This section describes how to apply registry-based policy settings to servers and user computers running EAM using the Group Policy Management Console. It is intended to system administrators who want to use Group Policy to manage EAM workstations.
|
|
NOTE: If you are new to Group Policy, it is strongly recommended to read the following documentation before going further: |
You will add to the Administrative Templates extension administrative template files provided by Evidian.
These files allow you to set EAM policy settings pertaining to the registry and distribute them to EAM workstations, in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Enatel registry key.
|
|
IMPORTANT: These parameters supersede the local parameters, which are located in HKEY_LOCAL_MACHINE\SOFTWARE\Enatel. |
Windows Server 2008 introduces a new format for displaying registry-based policy settings and uses a new standard-based, XML file format known as ADMX files. These new files replace ADM files; which used their own markup language.
This section covers the procedures for creating GPO using ADMX files.
Restrictions
- The following procedures apply only to EAM workstations that are members of a Windows domain.
- When an IAM server is in the same domain as the E-SSO controller (which is the most common) and GPOs are applied to all the workstations of this domain, the middleware configuration of the IAM workstation is modified. However, since this middleware configuration is different than the E-SSO one, you must add a restriction for the application of E-SSO GPOs on the IAM workstations.
Creating and Configuring Group Policy Objects Using ADMX Files
Restriction
ADMX files are XML-based administrative template files that were introduced in Windows Vista and Windows Server 2008. They are not compatible with earlier versions of the operating system.
Before Starting
- Check that the administrative template files are available. These files are located in the Authentication Manager or Enterprise SSO installation package, in TOOLS\ADMX
- If you need more details on the following procedure, see
http://technet.microsoft.com/en-us/library/cc748955
Procedure
- Select the ADMX and ADML files that you need according to the following guidelines:
- UserAccess.admx and UserAccessLicenses.admx are mandatory.
- Depending on your Evidian solution, select one of the available configuration file (UserAccessConfiguration<config>,where <config> represents an architecture (example: MicrosoftADwithADLS).
- Select one of the available license file according to your EAM license (example: copy UserAccessLicencesX.admx if you have the Evidian X License).
- ADML files are language-specific resource files. They are located in the language subfolder (example: EN-US for United States English). Copy the equivalent files (UserAccess.adml, UserAccessLicenses.adml, UserAccessConfiguration<config>.adml and UserAccessLicences<Licence>.adml).
- Store these files in the PolicyDefinitions folder on a domain controller:
NOTE:
- You must be a member of the Domain Administrator group in Active Directory.
- It is recommended that you create this folder on the primary domain controller, in order to use these files more quickly
- ADMX files are stored in %systemroot%\SYSVOL\domain\policies\
PolicyDefinitions. - ADML files are stored in %systemroot%\sysvol\domain\policies\
PolicyDefinitions\<LANG>, where <LANG> represents the language identifier (example: EN-US).NOTE: As the Domain Controllers are replicated, the files are automatically copied to the other servers.
- Click Start\Run and type gpmc.msc to launch the Group Policy Management Console (GPMC).
NOTE: If the GPMC is not installed on your domain controller, open an elevated command prompt and type ServerManagercmd -install gpmc to install it. - From the GPMC, right-click the Group Policy Objects node and create a new GPO.
- Right-click the GPO you created and select Edit.
All the ADMX files located in the PolicyDefinitions folder are automatically read.
- Select a subfolder and double-click a GPO to edit settings as appropriate.
Description of the EAM Administrative Template
The EAM administrative template allows you to configure registry entries taking action on the following modules:
- Enterprise SSO.
- Authentication Manager.
- EAM Security Services.
The following tables describe briefly each parameter of the ADMX file.
|
|
NOTE: The following tables list the entirety of the parameters, regardless of the file extension (ADMX). Entries are not relevant to admx files. |
Enterprise SSO Parameters
- Enterprise SSO Common Parameters
These parameters are located in:
HKLM\SOFTWARE\Policies\Enatel\SSOWatch\CommonConfig
|
Value Name |
Value Type |
Description/ Default Value |
|
LCID |
DWORD |
User interface language.
|
|
AllowSmartCard |
DWORD |
Time in second before locking Enterprise SSO. It concerns only smart card authentication. |
|
DontUseSmartCard |
DWORD |
If the value is set to 1, Enterprise SSO stores the user primary password in the directory to use it for SSO. This way, the smart card logon is ignored. |
- HLL API Parameters
HLL API plug-in global configuration parameters. For more information, see Enterprise SSO - Guide de l'administrateur).
These parameters are located in:
HKLM\SOFTWARE\Policies\Enatel\SSOWatch\HllAPI
|
Value Name |
Value Type |
Description/ Default Value |
|
EnableMultiEmulator |
DWORD |
Enterprise SSO starts the HllAPI plug-in with several emulators, specified in the n value. n: number of emulators. |
|
HllEntryPoint |
String |
DLL entry point. |
|
HLLAPI-32bit |
DWORD |
Specifies that the application using HLLAPI is a 32-bit or a 16-bit application.
|
|
HllLibrary |
String |
Name of the .dll file that corresponds to the HLLAPI plug-in. Default: PCSHLL32.dll |
|
IgnoreWindows |
DWORD |
The HLLAPI library returns or not Windows handles.
|
|
|
NOTE: The HLLAPI plugin also exists in 64-bit version. To make it interact with 32-bit applications, install the ESSOHLLAPI.msi and VCRedist_x86.msi packages. |
Authentication Manager Parameters
- Authentication Manager configuration parameters.
This parameter is located in:
HKLM\SOFTWARE\Policies\Enatel\WiseGuard\AdvancedLogin
|
Value Name |
Value Type |
Description/ Default Value |
|
BioAutoValidate |
DWORD |
Automatic validation upon fingerprint authentication:
|
- Authentication Manager configuration parameters.
This parameter is located in:
- HKLM\SOFTWARE\Enatel\WiseGuard: to be positioned manually.
- HKLM\SOFTWARE\Policies\Enatel\Wise\Guard: to be positioned with the GPOs.
|
Value Name |
Value Type |
Description/ Default Value |
|
UnlockWithWindowsAccount |
DWORD |
Unlocking a Smart Card session with Windows credentials.
|
|
DisplayAuthMethodIcon |
DWORD |
Displaying authentication method icon in the Session Unlocking window.
|
EAM Security Services Parameters
- Installation Type
EAM installation type.
These parameters are located in:
HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\Config
|
Value Name |
Value Type |
Description/ Default Value | ||
|
ManageAccessPoints |
DWORD |
Access point management:
For more information on access point management see One Identity EAM Console - Guide de l'administrateur). | ||
|
RegisterSoftware |
DWORD |
Management of software module objects in the directory:
|
WGSS Parameters
Parameters to deploy a domain account for EAM to do LDAP requests. For more information, see Deploying a Workstation LDAP User Account.
This parameter is located in:
HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\FmkServer
|
Value Name |
Value Type |
Description/ Default Value |
|
AccessPointLdap |
String |
Access Point LDAP account. This value is ciphered. |
Security Directory
Configuration of the EAM security database.
These parameters are located in:
HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\Directory
|
Value Name |
Value Type |
Description/ Default Value | ||
|
BlobCompression |
DWORD |
Enables binary data compression:
| ||
|
DirectoryType |
DWORD |
User database or directory:
| ||
|
DirectoryUsage |
DWORD |
Security database storage mode:
| ||
|
PossibleDomains |
String |
Authorized NetBios windows domains list separated by space. Only for Active Directory and AD LDS. By default the EAM solution considers that all Windows domains defined on the station are managed by the solution. If it is not the case, the key must be set to indicate the list of the configured domains.
| ||
|
EnterpriseUser |
DWORD |
Security data location: 0: store EAM data in enterprise Directory (default). 1: store EAM data in another Directory or Naming Context.
| ||
|
SSL |
DWORD |
SSL:
| ||
|
LdapAuthMethod |
DWORD |
Authentication method:
| ||
|
TLS |
DWORD |
TLS:
| ||
|
TLSDemand |
DWORD |
TLS demand:
| ||
|
ServerList |
String |
List of servers.
| ||
|
RootLdapDN |
String |
Root object DN.
| ||
|
SearchResultSize |
DWORD |
Maximum number of elements returned by request:
| ||
|
UserSearchFilter |
String |
Attributes used by search request for the delegation. ldapAttName=Label,… Example: UserPrincipalName=Label,... | ||
|
AccessResolutionByGroups |
DWORD |
Authorization of access request on groups:
| ||
|
AccessResolutionByUO |
DWORD |
Authorization of access request on organizational units:
| ||
|
AccessResolutionByGroupOfGroups |
DWORD |
Authorization access request on groups of groups:
| ||
|
LdapAPIDir |
String |
LDAP library binaries location path. | ||
|
MustChange |
DWORD |
Password must be changed on Windows (useful if a synchronization takes place):
| ||
|
ExtendedGroup |
DWORD |
Support of special type of groups for SAMBA integration:
| ||
|
CorporateComputer |
DWORD |
Integration of corporate computer objects as SAMBA computers:
|
Secondary Security Directory or Naming Context
Configuration of two directories to separate the EAM data from your identities repository. For more information, see Separation of the EAM Data.
These parameters are located in:
HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\WGDirectory
|
Value Name |
Value Type |
Description/ Default Value | ||
|
DirectoryType |
DWORD |
Secondary security directory or LDAP naming context where security data are not stored in the user Directory:
| ||
|
LdapAuthMethod |
DWORD |
Authentication method:
| ||
|
TLS |
DWORD |
TLS:
| ||
|
TLSDemand |
DWORD |
TLS demand:
| ||
|
ServerList |
String |
List of servers.
| ||
|
RootLdapDN |
String |
Root object DN.
|
Authentication
List of the authorized authentication methods.
These parameters are located in:
HKLM\SOFTWARE\Policies\Enatel\WiseGuard\Framework\Authentication
|
Value Name |
Value Type |
Description/ Default Value |
|
LogonIntegrated |
DWORD |
Integrated Windows authentication:
|
|
CacheSynchro |
DWORD |
SSO account synchronization after login:
|
|
WaitBeforeLogon |
DWORD |
Time to wait before activation user shell (only in "stub" mode):
|
|
ManualPwdChangeMandatory |
DWORD |
In case the manual password change policy detects expiration date of the password when the user authenticates offline, this option can force the user to authenticate when the directory is available again, so that he/she can manually change his/her directory password.
|
Single Sign-On
These parameters are located in:
HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\SingleSignOn
|
Value Name |
Value Type |
Description/ Default Value |
|
SyncTokenAnd |
DWORD |
Enables the SSO keys synchronization: if the user AD password has been modified with another tool than EAM, the user SSO data cannot be deciphered with the new AD password when the user authenticates on the workstation.
|
Audit / Log
Tuning and customizing of the EAM log.
These parameters are located in:
HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\Audit
|
Value Name |
Value Type |
Description/ Default Value |
|
QueueSize |
DWORD |
Audit buffer size:
|
|
QueueFlushTimeOut |
DWORD |
Time interval between buffer flush (in minutes):
|
|
CustomExtension |
String |
DLL of audit extension. |
Network Cache
Activation and performance tuning of the EAM network cache.
These parameters are located in:
HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\Cache
|
Value Name |
Value Type |
Description/ Default Value | ||
|
CacheDir |
String |
Cache files location.
| ||
|
SynchronizeOnLDAP |
DWORD |
Synchronization of SSO accounts cache when directory is available:
|
Directory Network Services (DNS)
Deactivation of the reverse DNS resolution. If the DNS server is slow, retrieving the name of a connection workstation can take a few seconds. This will slow down authentication.
This parameters is located in:
HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\Network
|
Value Name |
Value Type |
Description/ Default Value |
|
DisableReverseDns |
DWORD |
Disable reverse DNS usage:
|
LDAP Directory Server List
An exhaustive list of LDAP Directory servers potentially used by EAM. This parameter must contain a sublist of the existing LDAP Directory servers. Without this list, EAM can connect to any LDAP Directory server available in the domain.
This parameter is located in one of the following directories:
- HKLM\SOFTWARE\Enatel\WiseGuard\FrameWork\Directory
- HKLM\SOFTWARE\Enatel\WiseGuard\FrameWork\WGDirectory
|
Value Name |
Value Type |
Description/ Default Value |
|
ServerList |
REG_SZ |
Comma separated list of LDAP directory servers. |
LDAP Directory Server List Ordering
Successively try to connect to the LDAP Directory servers according to the above list, or in a random order.
This parameters is located in:
HKLM\SOFTWARE\Enatel\WiseGuard\FrameWork\Directory
|
Value Name |
Value Type |
Description/ Default Value |
|
FollowServerListOrder |
DWORD |
Disable LDAP Server list randomization:
|
Installing EAM MSI Packages in Silent Mode
Subject
This section describes the parameters that can be used when installing EAM MSI packages in silent mode.
|
|
IMPORTANT: The (silent) installation of MSI packages does not include the configuration of the computer. |
Silent installation can be performed through the msiexec command, which is part of the Microsoft Windows Installer. For more details, refer to Windows Installer Microsoft documentation.
This section explains how to silently install the following elements:
- Microsoft Visual C++ 2012 Redistributable: see Installing Microsoft Redistributable in Silent Mode.
- EAM Controller: see Installing EAM Controller in Silent Mode.
- EAM Client: see Installing EAM Client in Silent Mode.
- EAM Web Server: see Installing EAM Web Server in Silent Mode.
- HLLAPI Wrapper: see Installing HLLAPI Wrapper in Silent Mode (64-bit clients only).
Silent Installation Methods
To perform a silent installation of an MSI package, you can use one of the following method:
- Use of the MSI properties MODULES and TRANSLATIONS of msiexec
This method is strongly recommended, when available.
These properties facilitate the installation or upgrade of already installed MSI packages, according to the operating system: when MODULES and/or TRANSLATIONS properties are used when installing MSI package, the mandatory and hidden MSI features are automatically selected according to the operating system.These properties must be used with INSTALLMODE=Custom parameter and must not be used with ADDLOCAL parameter.
- Use of the MSI property ADDLOCAL of msiexec
Each feature can be added as values of this property.
Before Starting
Make sure you have the Microsoft Windows Installer version 3.0 (or later version).
Installing Microsoft Redistributable in Silent Mode
Subject
The Microsoft Visual Microsoft Visual C++ 2012 Update 4 runtime libraries are delivered as a separate MSI package: the VCRedist_x86.msi (or the VCRedist_x64.msi for x64 platforms).
The installation of this MSI package is a prerequisite to the installation of any EAM software module. It must be installed once on each workstation and does not need to be updated.
Procedure
In the ADDLOCAL property of the msiexec command, add the wanted feature name (see "Feature Name" column in the following Features table):
Use ADDLOCAL=CRT_WinSXS or ADDLOCAL=ALL msiexec parameters
Features
The VCRedist_x86.msi (or the VCRedist_x64.msi for x64 platforms) contains the following selectable features:
|
Feature Name |
Description |
|
CRT_WinSXS |
Studio 2012 Update 4 Redistributable. |
Installing EAM Controller in Silent Mode
Subject
The ESSOController.msi gathers all software modules required to install an EAM Controller.
|
|
IMPORTANT: This package does not include the configuration of the computer. |
Procedure
Installation using the ADDLOCAL property of msiexec
In the ADDLOCAL property of the msiexec command, add the wanted feature names (see "Feature Name" column in the following Features table).
|
|
IMPORTANT: It is mandatory to select the parent feature in order to select a sub-feature. For example, it is necessary to select the Translation feature to select the german feature. |
Installation using the MODULES and TRANSLATIONS properties of msiexec
In the MODULES property of the msiexec command, add the short name of the wanted features (see "Short Name" column in the following Features table).
In the TRANSLATIONS property of the msiexec command, add the short name of the wanted languages.
|
|
IMPORTANT: In this case, the ADDLOCAL parameter must not be used. |
Example
The following command line installs the EAM Controller with EAM Console without RFID, with all required hidden/mandatory MSI features:
msiexec /qn /l*v <pathToLogFile> /i <pathToESSOController.MSI> /qn /norestart INSTALLMODE=Custom /PASSIVE MODULES=CSL TRANSLATIONS=DE
Features
The following table gives the list of features that can be selected to perform a silent installation of EAM Controller.
|
|
NOTE: Feature and short names are case sensitive. |
|
Feature/Sub-feature Name |
Short Name |
Description | ||
|
WGSS |
- |
Mandatory feature. EAM middleware. | ||
|
WGSSServer |
- |
Mandatory feature. | ||
|
|
ESSO_Console |
CSL |
EAM administration Console. | |
|
Translations |
- |
Localized resources of EAM software modules. English resources are always installed. | ||
|
|
german |
DE |
The German translated resources for EAM Controller software. | |
|
arabic |
AR |
The Arabic translated resources for EAM Controller software. | ||
|
japanese |
JP |
Needs a specific license. | ||
|
french |
FR |
The French translated resources for EAM Controller software. | ||
|
italian |
IT |
The Italian translated resources for EAM Controller software. | ||
|
spanish |
ES |
The Spanish translated resources for EAM Controller software. | ||
|
dutch |
NL |
The Dutch translated resources for EAM Controller software. | ||
|
russian |
RU |
The Russian translated resources for EAM Controller software. | ||
|
finnish |
FI |
The Finnish translated resources for EAM Controller software. | ||
|
swedish |
SV |
The Swedish translated resources for EAM Controller software. | ||
Installing EAM Client in Silent Mode
Subject
The ESSOAgent.msi gathers all software modules that may be installed on a user’s workstation.
|
|
IMPORTANT: This package does not include the configuration of the workstation. |
Procedure
Installation using the ADDLOCAL property of msiexec
In the ADDLOCAL property of the msiexec command, add the wanted feature names (see "Feature Name" column in the following Features table).
|
|
IMPORTANT: It is mandatory to select the parent feature in order to select a sub-feature. To select the SSOJava feature it is necessary to select the SSOWatch feature. |
Example
The following command line installs the EAM Client with Authentication Manager, EAM Console without RFID management, Enterprise SSO with Personal SSO Studio and Enterprise SSO Studio and the Java plug-in, along with German resources (with all required hidden/mandatory MSI features):
- On a Windows XP system:
msiexec /qn /l*v <pathToLogFile> /i <pathToESSOAgent.MSI> /norestart /PASSIVE ADDLOCAL=WGSS,EssoErrors,Advanced_Login,Gina_NTWG_Gina,WG_Safe_Gina,ESSO_Console,SSOWatch,SSOJava,Studio_Enterprise,Studio_Personal,translations,german
- On Windows 7 systems and above:
msiexec /qn /l*v <pathToLogFile> /i <pathToESSOAgent.MSI> /norestart /PASSIVE ADDLOCAL=WGSS,EssoErrors,Sens,Advanced_Login,
VistaCP,WGSens,ESSO_Console,SSOWatch,SSOJava,
Studio_Enterprise,Studio_Personal,translations,german,
devista
Installation using the MODULES and TRANSLATIONS properties of msiexec
- In the MODULES property of the msiexec command, add the short name of the wanted features (see "Short Name" column in the following Features table).
- In the TRANSLATIONS property of the msiexec command, add the short name of the wanted languages.
|
|
IMPORTANT: In this case, the ADDLOCAL parameter must not be used. |
Example
The following command line installs the EAM Client with Authentication Manager, EAM Console without RFID management, Enterprise SSO with Personal SSO Studio and Enterprise SSO Studio and the Java plug-in, along with German resources (with all required hidden/mandatory MSI features):
msiexec /qn /l*v <pathToLogFile> /i <pathToESSOAgent.MSI> /norestart INSTALLMODE=Custom /PASSIVE MODULES=ADL,CSL,SSO,SSOJAVA,SSOENT,SSOPER TRANSLATIONS=DE
Features
The following table gives the list of features that can be selected to perform a silent installation of EAM Client.
|
|
IMPORTANT: It is mandatory to select the parent feature in order to select a sub-feature. Examples: To select the SSOJava feature it is necessary to select the SSOWatch feature. |
|
|
NOTE: Feature and short names are case sensitive. |
|
Feature/Sub-feature Name |
Short Name |
Description | ||
|
WGSS |
- |
Mandatory feature. | ||
|
|
EssoErrors |
- |
Mandatory feature. | |
|
Sens |
- |
Mandatory feature on Windows 7 (and above), Windows Server 2008 (and above). | ||
|
UAVC |
- |
Mandatory feature. | ||
|
WGSSServer |
- |
Mandatory feature when installing on an EAM Controller. | ||
|
Advanced_Login |
ADL |
Authentication Manager, which secures access to the workstation. | ||
|
|
Gina_NT |
- |
Required up to Windows XP and 2003. | |
|
|
WG_Gina |
- |
Required up to Windows XP and 2003. | |
|
WG_Safe_Gina |
- |
Required up to Windows XP and 2003. | ||
|
VistaCP |
- |
Required on Windows 7 (and above), Windows Server 2008 (and above). Select its sub-feature. | ||
|
|
WGSens |
|
Required on Windows 7 (and above), Windows Server 2008 (and above). | |
|
|
PwdTile |
PWD |
Allow password authentication. Valid for Windows 7 (and above), Windows Server 2008 (and above). | |
|
|
TokenTile |
TOKEN |
Allow smart card authentication. Valid for Windows 7 (and above), Windows Server 2008 (and above). | |
|
|
RfidTile |
RFIDTILE |
Allow contact-less badge authentication. Valid for Windows 7 (and above), Windows Server 2008 (and above). | |
|
|
BioTile |
BIO |
Allow biometrics authentication. Valid for Windows 7 (and above), Windows Server 2008 (and above). | |
|
|
MobileTile |
MOBILE |
Allow mobile phone authentication. Valid for Windows 7 (and above), Windows Server 2008 (and above). | |
|
|
SsprTile |
SSPR |
Allow SSPR and Q&A authentication. Valid for Windows 7 (and above), Windows Server 2008 (and above). | |
|
|
ClusterTile |
CLUSTER |
Allow transparent locking and Cluster automatic logging. Valid for Windows 7 (and above), Windows Server 2008 (and above). | |
|
SSOWatch |
SSO |
Evidian Enterprise SSO, which provides Single Sign On to applications. | ||
|
|
BioEnroll |
SSOBIO |
Enables users to enroll their biometrics authentication data. | |
|
WindowsStub |
SSOWIN |
Automatically opens Enterprise SSO with user's Windows credentials if Authentication Manager is not installed. | ||
|
|
GinaStub |
- |
Required up to Windows XP and 2003. | |
|
VistaWrapper |
- |
Required on Windows 7 (and above), Windows Server 2008 (and above). | ||
|
IEPLUGIN |
SSOIE |
Obsolete Internet Explorer plug-in (with BHO). | ||
|
SSOJava |
SSOJAVA |
Provides Single Sign On to Java applications and applets. | ||
|
Studio_Personal |
SSOPER |
Personal SSO Studio, which allows end-users to enable SSO on their applications. | ||
|
Studio_Enterprise |
SSOENT |
Enterprise SSO Studio, which is the SSO configuration management tool. | ||
|
SSOFUS |
SSOFUS |
Public Access Fast User Switching for the free-access to Windows sessions if neither Authentication Manager nor WindowsStub are installed. | ||
|
|
BIOFUS |
BIOFUS |
Multi-User Desktop, if neither Authentication Manager nor WindowsStub are installed. | |
|
|
FUS_sessionmgr |
|
A customizable extension DLL dedicated to Fast User Switching. | |
|
ESSO_Console |
CSL |
EAM administration Console. | ||
|
translations |
- |
Localized resources of EAM software modules. English resources are always installed. | ||
|
|
german |
DE |
The German translated resources for EAM Client software. | |
|
|
devista |
- |
Additional German resources for Windows 7 (and above), Windows Server 2008 (and above). | |
|
arabic |
AR |
The Arabic translated resources for EAM Client software. | ||
|
|
arvista |
- |
Additional Arabic resources for Windows 7 (and above), Windows Server 2008 (and above). | |
|
japanese |
JP |
Needs a specific license. | ||
|
|
jpvista |
- |
Additional Japanese resources for Windows 7 (and above), Windows Server 2008 (and above). | |
|
french |
FR |
The French translated resources for EAM Client software. | ||
|
|
frvista |
- |
Additional French resources for Windows 7 (and above), Windows Server 2008 (and above). | |
|
italian |
IT |
The Italian translated resources for EAM Client software. | ||
|
|
itvista |
- |
Additional Italian resources for Windows 7 (and above), Windows Server 2008 (and above). | |
|
spanish |
ES |
The Spanish translated resources for EAM Client software. | ||
|
|
esvista |
- |
Additional Spanish resources for Windows 7 (and above), Windows Server 2008 (and above). | |
|
russian |
RU |
The Russian translated resources for EAM Client software. | ||
|
|
ruvista |
- |
Additional Russian resources for Windows 7 (and above), Windows Server 2008 (and above). | |
|
dutch |
NL |
The Dutch translated resources for EAM Client software. | ||
|
|
nlvista |
- |
Additional Dutch resources for Windows 7 (and above), Windows Server 2008 (and above). | |
|
|
finnish |
FI |
The Finnish translated resources for EAM Client software. | |
|
|
fivista |
- |
Additional Finnish resources for Windows 7 (and above), Windows Server 2008 (and above). | |
|
swedish |
SV |
The Swedish translated resources for EAM Client software. | ||
|
|
svvista |
- |
Additional Swedish resources for Windows 7 (and above), Windows Server 2008 (and above). | |
Installing Cloud E-SSO in Silent Mode
Description
To install the Cloud Enterprise SSO Engine package in silent mode, you need to install all the related features, such as: ADDLOCAL=ALL
To initialize the Cloud Enterprise SSO Engine with a:
- Default Cloud server, the URL must be set in the CLOUDSERVER property: CLOUDSERVER="https://my.esso.cloud.server:9765/"
- Set of trusted CA certificates, the path of the trusted CA Certificate file must be set in the CLOUDCAFILE property: CLOUDCAFILE="c:\\TrustedCA\\CloudCA.pem"
Example
Windows Installer command line:
MSIEXEC.EXE /I ESSOCloud.msi ADDLOCAL="ALL" CLOUDSERVER="https://my.esso.cloud.server:9765/" CLOUDCAFILE="c:\\TrustedCA\\CloudCA.pem" /qn
Installing EAM Web Server in Silent Mode
Subject
The ESSOWebServer.msi gathers all software modules that may be installed on a web server.
The silent installation can only be used for updating the web server: the MSI does not include the Apache server installation, which is a prerequisite for the Self-Service Password Reset and the EAM API.
|
|
IMPORTANT: This package does not include the configuration of the computer. |
Procedure
Installation using the ADDLOCAL property of msiexec
In the ADDLOCAL property of the msiexec command, add the wanted feature names (see "Feature Name" column in the following Features table).
|
|
IMPORTANT: It is mandatory to select the parent feature in order to select a subfeature. |
Installation using the MODULES and TRANSLATIONS properties of msiexec
Procedure
In the MODULES property of the msiexec command, add the short name of the wanted features (see "Short Name" column in the following Features table).
In the TRANSLATIONS property of the msiexec command, add the short name of the wanted languages.
|
|
IMPORTANT:In this case, the ADDLOCAL parameter must not be used. |
Example
The following command line installs the EAM Self-Service for Password Reset (with all required hidden/mandatory MSI features):
msiexec /qn /l*v <pathToLogFile> /i <pathToESSOWebServer.MSI> /qn /norestart INSTALLMODE=Custom /PASSIVE MODULES=SSPR
Features
The following table gives the list of features that can be selected to perform a silent installation of EAM Client.
|
|
NOTE: Feature and short names are case sensitive. |
|
Feature name |
Short Name |
Description | ||
|
WEB |
- |
Optional feature. | ||
|
WGSSSERVER |
- |
Mandatory feature when installing on an EAM Controller. | ||
|
ESSO_WGAPI |
- |
Mandatory feature. | ||
|
APACHE_WEB |
- |
Installs EAM Web Portal in Apache Web Server. | ||
|
|
ESSO_SSPR |
SSPR |
EAM Self Service for Password Request. | |
|
ESSO_SSAP |
SSAP |
EAM Self-Service for Administration Portal. | ||
|
ESSO_WSAPI |
WSAPI |
EAM API Web Service. | ||
|
IIS_Web |
- |
Installs EAM as an IIS site. | ||
Installing HLLAPI Wrapper in Silent Mode (64-bit clients only)
Subject
The HLLAPI Wrapper is delivered as a separate MSI package: ESSOHllAPI.msi, located in the ESSO.x64\Install folder of the installation packages.
|
|
IMPORTANT:The following procedure must be performed to run the HLLAPI plugin with 32-bit emulators only. |
Procedure
In the ADDLOCAL property of the msiexec command, add the feature HllAPIWrapper feature (single and mandatory feature).
|
|
NOTE: The MODULES property of the msiexec command is not supported. |
Enhancing EAM
Enhancing Security
Subject
You can customize EAM security to fit your security needs by reading the following sections.
Encrypting the LDAP Connection
By default, the connection to the Active Directory is not encrypted as the sensitive data transmitted through this channel is already encrypted.
However, you can activate the encryption of the LDAP connection by setting the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\FrameWork\
Directory\GSSEncryption DWORD 1
Deactivating the Web Service Role on a Controller
By default, all the services are activated on a EAM controller, including the Web Service:
If you are not using this Web Service, you should deactivate it by clearing the corresponding check box (Directory Panel > Access Point (EAM Controller) > Configuration tab).
Encrypting the Client Workstation/Controller Connection
Subject
By default, the connection between the client workstation and the controller is SSPI-encrypted. However, you can use an alternate encryption method by setting the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\FrameWork\
FmkServer\DontUseSSPIWithServer DWORD 1
Once it is set, you can obtain an AES 128 encryption.
Enhancing Performance
Subject
You can customize EAM to fit your performance needs by reading the following section.
Saving Directory Space
Description
When the primary account is stored, the following additional parameters are also stored:
- Short name (john)
- NT4 name (WINDOMAIN\john)
- User principal name (john@windomain.win.dom)
You can save some space in the Active Directory by setting the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\FrameWork\
SingleSignOn\CleanWindowsParam REG_DWORD 1
This value deletes the additional parameters which are now stored only when a delegation using the primary account has been activated.
Activating Traces
Subject
To diagnose unexpected results from an installation program, you can activate traces as described in the following procedure.
Before Starting
- Create the folder that will store your trace files (C:\Traces for example).
- If you want to trace Password Reset, create a specific folder (C:\TracesRP for example).
Procedure
- Start Registry Editor.
- Create the HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\Debug key.
- Create the following values:
|
Value Type |
Value Name |
Value | ||||
|
String |
TraceDir |
Location of the trace files (C:\Traces for example) | ||||
|
DWORD |
TraceLevel |
Enter a value between 0 and 5:
| ||||
|
DWORD |
MaxFileSize |
Maximum size in KB of the trace files. | ||||
|
DWORD |
LimitedLogFiles |
2 by default. Maximum number of trace files (enter a value between 2 and 10). | ||||
|
DWORD |
TraceDurationHours |
The number of hours that must be covered by the trace files. 0 (default): disabled. non-null value: enabled. When the current trace file for a given process reaches the MaxFileSize, the first trace file is identified for this process that was the last to be modified before the last TraceDurationHours hours:
|
- If you want to trace Password Reset, create the HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\
Framework\ResetPassword key, with the following value:
|
Value Type |
Value Name |
Value |
|
String |
TraceDir |
Location of the trace files (C:\TracesRP for example) |
- Restart your workstation.
When the user log on his/her workstation, the following trace files are created in the specified directory:
- WGSSxxxx.log: traces of the EAM Security Services service.
- ssoenginexxxx.log: traces of the Enterprise SSO engine.
- ssoenginexxxx.log: traces of the Enterprise SSO engine.
- winlogonxxxx.log: Authentication Manager traces.
- WGConfigxxxx.log: traces of WGConfig.exe, which allows you to configure the EAM Security Services on the EAM workstations.
- SSOBuilderxxxx.log: traces of Enterprise SSO Studio.
- SENSxxxx.log: traces of the EAM Session Manager service.
- BIOFUSxxxx.log: traces of the Multi-User Desktop.
- LogonUIxxxx.log: traces of Authentication Manager (Windows 7 and above) with the method as a suffix (eg. LogonUI(Pwd), LogonUI(Bio)).
- UAPnAgentxxxx.log: traces of the XenApp session management by Enterprise SSO Engine.
- Credentialmanagerxxxx.log: traces of the Credential Manager.