
Enterprise Single Sign-On 9.0.2 - Enterprise Access Management Installation Guide

Centralizing Parameters Using Group Policy Objects (GPO)

Subject

This section describes how to apply registry-based policy settings to servers and user computers running EAM using the Group Policy Management Console. It is intended for system administrators who want to use Group Policy to manage EAM workstations.

NOTE: If you are new to Group Policy, it is strongly recommended that you read the following documentation before going further:

You will add the administrative template files provided by Evidian to the Administrative Templates extension.

These files allow you to define registry-based EAM policy settings and distribute them to EAM workstations, in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Enatel registry key.

IMPORTANT: These parameters supersede the local parameters, which are located in HKEY_LOCAL_MACHINE\SOFTWARE\Enatel.

Windows Server 2008 introduced a new format for displaying registry-based policy settings, based on a standards-based XML file format known as ADMX files. These files replace ADM files, which used their own markup language.

This section covers the procedures for creating GPOs using ADMX files.

Restrictions
  • The following procedures apply only to EAM workstations that are members of a Windows domain.
  • When an IAM server is in the same domain as the E-SSO controller (the most common case) and GPOs are applied to all the workstations of this domain, the middleware configuration of the IAM workstation is modified as well. Since this middleware configuration differs from the E-SSO one, you must restrict the application of the E-SSO GPOs so that they do not apply to the IAM workstations.

Creating and Configuring Group Policy Objects Using ADMX Files

Restriction

ADMX files are XML-based administrative template files that were introduced in Windows Vista and Windows Server 2008. They are not compatible with earlier versions of the operating system.

Before Starting
  • Check that the administrative template files are available. These files are located in the Authentication Manager or Enterprise SSO installation package, in TOOLS\ADMX.
  • If you need more details on the following procedure, see http://technet.microsoft.com/en-us/library/cc748955
Procedure
  1. Select the ADMX and ADML files that you need according to the following guidelines:
    • UserAccess.admx and UserAccessLicenses.admx are mandatory.
    • Depending on your Evidian solution, select one of the available configuration files (UserAccessConfiguration<config>.admx, where <config> represents an architecture; example: MicrosoftADwithADLS).
    • Select one of the available license files according to your EAM license (example: copy UserAccessLicencesX.admx if you have the Evidian X License).
    • ADML files are language-specific resource files. They are located in the language subfolder (example: EN-US for United States English). Copy the equivalent files (UserAccess.adml, UserAccessLicenses.adml, UserAccessConfiguration<config>.adml and UserAccessLicences<Licence>.adml).
  2. Store these files in the PolicyDefinitions folder on a domain controller:

    NOTE:

    • You must be a member of the Domain Administrator group in Active Directory.
    • It is recommended that you create this folder on the primary domain controller, so that the files become available sooner.
    • ADMX files are stored in %systemroot%\SYSVOL\domain\policies\PolicyDefinitions.
    • ADML files are stored in %systemroot%\sysvol\domain\policies\PolicyDefinitions\<LANG>, where <LANG> represents the language identifier (example: EN-US).

      NOTE: As the Domain Controllers are replicated, the files are automatically copied to the other servers.
  3. Click Start, select Run, and type gpmc.msc to launch the Group Policy Management Console (GPMC).

    NOTE: If the GPMC is not installed on your domain controller, open an elevated command prompt and type ServerManagercmd -install gpmc to install it.
  4. From the GPMC, right-click the Group Policy Objects node and create a new GPO.
  5. Right-click the GPO you created and select Edit.

    All the ADMX files located in the PolicyDefinitions folder are automatically read.

  6. Select a subfolder and double-click a policy setting to edit it as appropriate.
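Steps 1 and 2 above, scripted as an added example (not part of the guide or of Evidian's tools): the script copies the two mandatory templates plus the selected configuration and licence templates, with their ADML resources, from the package's TOOLS\ADMX folder into the Central Store paths given in step 2, and refuses any file that is not well-formed XML. The package path, the <config> and <Licence> suffixes and the language folder are placeholder parameters to adapt.

```powershell
# Added example: stage the Evidian ADMX/ADML templates into the Central Store.
# Not part of the guide. Adapt the placeholder parameter values to your site.
param(
    [string]$PackageRoot = 'D:\ESSO\TOOLS\ADMX',   # TOOLS\ADMX folder of the installation package (placeholder)
    [string]$Config      = 'MicrosoftADwithADLS',  # <config> suffix of UserAccessConfiguration<config>
    [string]$License     = 'X',                    # <Licence> suffix of UserAccessLicences<Licence> (placeholder)
    [string]$Lang        = 'EN-US'                 # language subfolder holding the ADML files
)

# Central Store locations from step 2 of the procedure
$store   = Join-Path $env:SystemRoot 'SYSVOL\domain\policies\PolicyDefinitions'
$langDir = Join-Path $store $Lang

# The two mandatory templates plus the configuration and licence templates chosen in step 1
$baseNames = @(
    'UserAccess',
    'UserAccessLicenses',
    "UserAccessConfiguration$Config",
    "UserAccessLicences$License"
)

foreach ($dir in @($store, $langDir)) {
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
}

foreach ($name in $baseNames) {
    $admx = Join-Path $PackageRoot "$name.admx"
    $adml = Join-Path (Join-Path $PackageRoot $Lang) "$name.adml"

    foreach ($src in @($admx, $adml)) {
        if (-not (Test-Path -LiteralPath $src)) { throw "Missing template file: $src" }
        # A malformed file placed in SYSVOL replicates to every domain controller and
        # breaks template loading in the GPMC, so parse it before copying.
        try   { [xml](Get-Content -LiteralPath $src -Raw) | Out-Null }
        catch { throw "Not well-formed XML, refusing to copy: $src" }
    }

    Copy-Item -LiteralPath $admx -Destination $store   -Force
    Copy-Item -LiteralPath $adml -Destination $langDir -Force
    Write-Host "Staged $name.admx and $Lang\$name.adml in the Central Store"
}
```

Run it in an elevated PowerShell session on the domain controller where the PolicyDefinitions folder is created; replication distributes the files to the other controllers.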

 

Description of the EAM Administrative Template

The EAM administrative template allows you to configure registry entries that act on the following modules:

  • Enterprise SSO.
  • Authentication Manager.
  • EAM Security Services.

The following tables briefly describe each parameter of the ADMX file.

NOTE: The following tables list all the parameters, regardless of the file extension (ADMX). Some entries are not relevant to ADMX files.
Enterprise SSO Parameters

  • Enterprise SSO Common Parameters

    These parameters are located in:

    HKLM\SOFTWARE\Policies\Enatel\SSOWatch\CommonConfig

    Value name (value type): description / default value

    • LCID (DWORD): User interface language (hexadecimal LCID).
      • 0: Default.
      • 409: English.
      • 40C: French.
      • 407: German.
      • 411: Japanese.
    • AllowSmartCardInactivityTimer (DWORD): Time in seconds before Enterprise SSO is locked. Applies only to smart card authentication.
    • DontUseSmartCardInOTP (DWORD): If the value is set to 1, Enterprise SSO stores the user's primary password in the directory and uses it for SSO. This way, the smart card logon is ignored.

  • Enterprise SSO HLLAPI Parameters

    These parameters are located in:

    HKLM\SOFTWARE\Policies\Enatel\SSOWatch\HllAPI

    Value name (value type): description / default value

    • EnableMultiEmulator (DWORD): Enterprise SSO starts the HLLAPI plug-in with several emulators; the value n is the number of emulators.
    • HllEntryPoint (String): DLL entry point.
    • HLLAPI-32bit (DWORD): Specifies whether the application using HLLAPI is a 32-bit or a 16-bit application.
      • 0: 32-bit.
      • 1: 16-bit (default).
    • HllLibrary (String): Name of the .dll file that corresponds to the HLLAPI plug-in. Default: PCSHLL32.dll.
    • IgnoreWindowsHandle (DWORD): Whether the HLLAPI library returns Windows handles.
      • 0: returns Windows handles (default).
      • 1: does not return Windows handles.

    NOTE: The HLLAPI plug-in also exists in a 64-bit version. To make it interact with 32-bit applications, install the ESSOHLLAPI.msi and VCRedist_x86.msi packages.

Authentication Manager Parameters

  • Authentication Manager configuration parameters

    This parameter is located in:

    HKLM\SOFTWARE\Policies\Enatel\WiseGuard\AdvancedLogin

    Value name (value type): description / default value

    • BioAutoValidate (DWORD): Automatic validation upon fingerprint authentication.
      • 0: disabled (default).
      • 1: enabled.

  • Authentication Manager configuration parameters

    These parameters are located in:

    • HKLM\SOFTWARE\Enatel\WiseGuard: to be set manually.
    • HKLM\SOFTWARE\Policies\Enatel\Wise\Guard: to be set with the GPOs.

    Value name (value type): description / default value

    • UnlockWithWindowsAccount (DWORD): Unlocking a smart card session with Windows credentials.
      • 0: disabled (default).
      • 1: enabled.
    • DisplayAuthMethodIcon (DWORD): Displaying the authentication method icon in the Session Unlocking window.
      • 0: disabled (default).
      • 1: enabled.
EAM Security Services Parameters

  • Installation Type

    EAM installation type.

    These parameters are located in:

    HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\Config

    Value name (value type): description / default value

    • ManageAccessPoints (DWORD): Access point management.
      • 0: EAM does not manage access points.
      • 1: EAM manages access points (default).

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.

      For more information on access point management, see One Identity EAM Console - Administrator's Guide.
    • RegisterSoftwareModules (DWORD): Management of software module objects in the directory.
      • 0: Software module objects are not managed in the directory.
      • 1: Software module objects are managed in the directory (default).


  • WGSS Parameters

    Parameters to deploy a domain account for EAM to perform LDAP requests. For more information, see Deploying a Workstation LDAP User Account.

    This parameter is located in:

    HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\FmkServer

    Value name (value type): description / default value

    • AccessPointLdapCredentials (String): Access Point LDAP account. This value is ciphered.


  • Security Directory

    Configuration of the EAM security database.

    These parameters are located in:

    HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\Directory

    Value name (value type): description / default value

    • BlobCompression (DWORD): Enables binary data compression.
      • 0: off.
      • 1: on.
    • DirectoryType (DWORD): User database or directory.
      • 0: Windows Workstation/SAM Base (default).
      • 1: Active Directory.
      • 2: SunONE Directory Server.
      • 3: OpenLDAP.
      • 4: Novell eDirectory.
      • 6: IBM Tivoli Directory Server.

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
    • DirectoryUsage (DWORD): Security database storage mode.
      • 0: Authentication (default).
      • 1: Authentication & Security Base.

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
    • PossibleDomainsList (String): Space-separated list of authorized NetBIOS Windows domains. Only for Active Directory and AD LDS. By default, the EAM solution considers that all Windows domains defined on the workstation are managed by the solution. If this is not the case, the key must be set to the list of the configured domains.

      NOTE: EAM Console displays error messages when it tries to connect to a domain that is not managed.
    • EnterpriseUserAuthentication (DWORD): Security data location.
      • 0: store EAM data in the enterprise directory (default).
      • 1: store EAM data in another directory or naming context.

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
    • SSL (DWORD): SSL.
      • 0: SSL disabled (default).
      • 1: SSL enabled.

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
    • LdapAuthMethod (DWORD): Authentication method.
      • 0: simple clear-text authentication (default).
      • 1: SASL/DIGEST-MD5 authentication.
      • 2: SASL/NMAS authentication (Novell specific).

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
    • TLS (DWORD): TLS.
      • 0: TLS is not activated (default).
      • 1: TLS is always activated.
      • 2: TLS is only activated when sensitive data is transferred on the network (during password change or account creation).

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
    • TLSDemand (DWORD): TLS demand.
      • 0: TLS is not mandatory: if TLS fails, the connection is established without encryption (default).
      • 1: TLS is mandatory: if TLS fails, no connection is established.

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
    • ServerList (String): List of servers.

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
    • RootLdapDN (String): Root object DN.

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
    • SearchResultSizeLimit (DWORD): Maximum number of elements returned by a request.
      • no limit (default).
      • 10 (min.).
    • UserSearchFilter (String): Attributes used by the search request for the delegation, in the form ldapAttName=Label,… Example: UserPrincipalName=Label,...
    • AccessResolutionByGroups (DWORD): Authorization of access requests on groups.
      • 0: access request not authorized.
      • 1: access request authorized (default).
    • AccessResolutionByUO (DWORD): Authorization of access requests on organizational units.
      • 0: access request not authorized.
      • 1: access request authorized (default).
    • AccessResolutionByGroupOfGroups (DWORD): Authorization of access requests on groups of groups.
      • 0: access request not authorized.
      • 1: access request authorized (default).
    • LdapAPIDir (String): LDAP library binaries location path.
    • MustChangePasswordOnWindows (DWORD): Where the password must be changed (useful if a synchronization takes place).
      • 0: LDAP server (default).
      • 1: MS Windows domain.

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
    • ExtendedGroupIntegration (DWORD): Support of a special type of groups for SAMBA integration.
      • 0: only standard groups using distinguished names for members.
      • 1: support SAMBA groups using a memberUid-like attribute type for members.

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
    • CorporateComputerIntegration (DWORD): Integration of corporate computer objects as SAMBA computers.
      • 0: do not use SAMBA computer entries.
      • 1: use SAMBA computer entries (default).

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.

  • Secondary Security Directory or Naming Context

    Configuration of two directories to separate the EAM data from your identities repository. For more information, see Separation of the EAM Data.

    These parameters are located in:

    HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\WGDirectory

    Value name (value type): description / default value

    • DirectoryType (DWORD): Secondary security directory or LDAP naming context, used when security data is not stored in the user directory.
      • 2: Sun/RedHat/Fedora Directory Server.
      • 7: Microsoft Active Directory Application Mode.

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
    • LdapAuthMethod (DWORD): Authentication method.
      • 0: simple clear-text authentication (default).
      • 1: SASL/DIGEST-MD5 authentication.
      • 2: SASL/NMAS authentication (Novell specific).

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
    • TLS (DWORD): TLS.
      • 0: TLS is not activated (default).
      • 1: TLS is always activated.
      • 2: TLS is only activated when sensitive data is transferred on the network (during password change or account creation).

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
    • TLSDemand (DWORD): TLS demand.
      • 0: TLS is not mandatory: if TLS fails, the connection is established without encryption (default).
      • 1: TLS is mandatory: if TLS fails, no connection is established.

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
    • ServerList (String): List of servers.

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
    • RootLdapDN (String): Root object DN.

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
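As an added example (not part of the guide), the following read-only PowerShell script reports the effective LDAP transport settings of the Security Directory and of the Secondary Security Directory described in the two tables above. It applies the precedence stated at the start of this section (the policy key under HKLM\SOFTWARE\Policies\Enatel supersedes HKLM\SOFTWARE\Enatel), falls back to the documented defaults when a value is absent from both keys, and flags the combinations under which the LDAP bind password or security data cross the network without encryption. It changes nothing: per the notes above, these values are changed through the wgss configuration file.

```powershell
# Added example: read-only audit of the EAM LDAP transport settings.
# Not part of the guide. Policy values supersede local ones, so the policy key is
# consulted first; a value absent from both keys takes the documented default.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Enatel'
$localRoot  = 'HKLM:\SOFTWARE\Enatel'
$subKeys    = @(
    'WiseGuard\FrameWork\Directory',    # security directory
    'WiseGuard\FrameWork\WGDirectory'   # secondary security directory or naming context
)

function Get-EffectiveEamValue {
    param([string]$SubKey, [string]$Name, [int]$Default)
    foreach ($root in @($policyRoot, $localRoot)) {
        $path = Join-Path $root $SubKey
        if (Test-Path -LiteralPath $path) {
            $item = Get-ItemProperty -LiteralPath $path -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { return [int]$item.$Name }
        }
    }
    return $Default
}

function Test-EamLdapTransport {
    param([string]$SubKey)
    # Defaults are the ones documented in the parameter tables
    $tls    = Get-EffectiveEamValue $SubKey 'TLS'            0
    $demand = Get-EffectiveEamValue $SubKey 'TLSDemand'      0
    $ssl    = Get-EffectiveEamValue $SubKey 'SSL'            0
    $auth   = Get-EffectiveEamValue $SubKey 'LdapAuthMethod' 0

    $findings = @()
    if ($auth -eq 0 -and $ssl -eq 0 -and $tls -eq 0) {
        $findings += 'LdapAuthMethod=0 with neither SSL nor TLS: the bind password is sent in clear text'
    }
    if ($tls -ne 0 -and $demand -eq 0) {
        $findings += 'TLSDemand=0: if TLS negotiation fails, the connection falls back to no encryption'
    }
    if ($tls -eq 2 -and $ssl -eq 0) {
        $findings += 'TLS=2: only password changes and account creation are protected'
    }
    $summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'none' }

    [pscustomobject]@{
        Key            = $SubKey
        LdapAuthMethod = $auth
        SSL            = $ssl
        TLS            = $tls
        TLSDemand      = $demand
        Findings       = $summary
    }
}

$subKeys | ForEach-Object { Test-EamLdapTransport $_ } | Format-List
```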

  • Authentication

    List of the authorized authentication methods.

    These parameters are located in:

    HKLM\SOFTWARE\Policies\Enatel\WiseGuard\Framework\Authentication

    Value name (value type): description / default value

    • LogonIntegrated (DWORD): Integrated Windows authentication.
      • 0: off.
      • 1: on.
    • CacheSynchroWithAuth (DWORD): SSO account synchronization after login.
      • 0: off.
      • 1: on.
    • WaitBeforeLogonScript (DWORD): Time to wait before activating the user shell (only in "stub" mode).
      • 0 (default).
      • -1
    • ManualPwdChangeMandatory (DWORD): When the manual password change policy detects that the password has expired while the user authenticates offline, this option can force the user to authenticate again once the directory is available, so that he/she can manually change his/her directory password.
      • 0 (default): no authentication forced in the user session. No manual password change.
      • 1: authentication forced in the user session, so that he/she can manually change his/her directory password.

  • Single Sign-On

    These parameters are located in:

    HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\SingleSignOn

    Value name (value type): description / default value

    • SyncTokenAndSessionKeys (DWORD): Enables SSO key synchronization. If the user's AD password has been modified with a tool other than EAM, the user's SSO data cannot be deciphered with the new AD password when the user authenticates on the workstation.
      • 1: when the user authenticates on the workstation, SSO data is deciphered with the session key.
      • 0 (default): no synchronization is performed.

  • Audit / Log

    Tuning and customizing of the EAM log.

    These parameters are located in:

    HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\Audit

    Value name (value type): description / default value

    • QueueSize (DWORD): Audit buffer size.
      • Default: 50 events.
      • Minimum: 10.
    • QueueFlushTimeOut (DWORD): Time interval between buffer flushes (in minutes).
      • Default: 60.
      • Minimum: 1.
    • CustomExtension (String): DLL of the audit extension.

  • Network Cache

    Activation and performance tuning of the EAM network cache.

    These parameters are located in:

    HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\Cache

    Value name (value type): description / default value

    • CacheDir (String): Cache files location.

      NOTE: this value must not be modified in the registry. To modify it, use the wgss configuration file.
    • SynchronizeOnLDAPConnectionBack (DWORD): Synchronization of the SSO accounts cache when the directory becomes available.
      • 0: off.
      • 1: on (default).

  • Directory Network Services (DNS)

    Deactivation of reverse DNS resolution. If the DNS server is slow, retrieving the name of a connecting workstation can take a few seconds, which slows down authentication.

    This parameter is located in:

    HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\Network

    Value name (value type): description / default value

    • DisableReverseDns (DWORD): Disable reverse DNS usage.
      • 0: off.
      • 1: on (default).

  • LDAP Directory Server List

    An exhaustive list of the LDAP directory servers potentially used by EAM. This parameter must contain a subset of the existing LDAP directory servers. Without this list, EAM can connect to any LDAP directory server available in the domain.

    This parameter is located in one of the following registry keys:

    • HKLM\SOFTWARE\Enatel\WiseGuard\FrameWork\Directory
    • HKLM\SOFTWARE\Enatel\WiseGuard\FrameWork\WGDirectory

    Value name (value type): description / default value

    • ServerList (REG_SZ): Comma-separated list of LDAP directory servers.

  • LDAP Directory Server List Ordering

    Successively try to connect to the LDAP directory servers in the order of the above list, or in a random order.

    This parameter is located in:

    HKLM\SOFTWARE\Enatel\WiseGuard\FrameWork\Directory

    Value name (value type): description / default value

    • FollowServerListOrder (DWORD): Disable LDAP server list randomization.
      • 0: The server list is randomized before the first LDAP server is contacted (default).
      • 1: The server list is not randomized: the first LDAP server of the list is used, then the next ones.

Installing EAM MSI Packages in Silent Mode

Subject

This section describes the parameters that can be used when installing EAM MSI packages in silent mode.

IMPORTANT: The (silent) installation of MSI packages does not include the configuration of the computer.

Silent installation can be performed through the msiexec command, which is part of the Microsoft Windows Installer. For more details, refer to Windows Installer Microsoft documentation.

This section explains how to silently install the following elements:

Silent Installation Methods

To perform a silent installation of an MSI package, you can use one of the following methods:

  • Use of the MSI properties MODULES and TRANSLATIONS of msiexec

    This method is strongly recommended, when available.
    These properties facilitate the installation or upgrade of already installed MSI packages according to the operating system: when the MODULES and/or TRANSLATIONS properties are used when installing an MSI package, the mandatory and hidden MSI features are automatically selected according to the operating system.

    These properties must be used with the INSTALLMODE=Custom parameter and must not be used with the ADDLOCAL parameter.

  • Use of the MSI property ADDLOCAL of msiexec

    Each feature is added as a value of this property.

Before Starting

Make sure you have the Microsoft Windows Installer version 3.0 (or later version).

Installing Microsoft Redistributable in Silent Mode

Subject

The Microsoft Visual C++ 2012 Update 4 runtime libraries are delivered as a separate MSI package: VCRedist_x86.msi (or VCRedist_x64.msi for x64 platforms).

The installation of this MSI package is a prerequisite to the installation of any EAM software module. It must be installed once on each workstation and does not need to be updated.

Procedure

In the ADDLOCAL property of the msiexec command, add the wanted feature name (see the "Feature Name" column in the following Features table):

Use the ADDLOCAL=CRT_WinSXS or ADDLOCAL=ALL msiexec parameter.

Features

VCRedist_x86.msi (or VCRedist_x64.msi for x64 platforms) contains the following selectable feature:

Feature name: description

  • CRT_WinSXS: Microsoft Visual Studio 2012 Update 4 Redistributable.

Installing EAM Controller in Silent Mode

Subject

The ESSOController.msi gathers all software modules required to install an EAM Controller.

IMPORTANT: This package does not include the configuration of the computer.
Procedure

Installation using the ADDLOCAL property of msiexec

In the ADDLOCAL property of the msiexec command, add the wanted feature names (see the "Feature Name" column in the following Features table).

IMPORTANT: It is mandatory to select the parent feature in order to select a sub-feature. For example, it is necessary to select the Translations feature to select the german feature.

Installation using the MODULES and TRANSLATIONS properties of msiexec

In the MODULES property of the msiexec command, add the short names of the wanted features (see the "Short Name" column in the following Features table).

In the TRANSLATIONS property of the msiexec command, add the short names of the wanted languages.

IMPORTANT: In this case, the ADDLOCAL parameter must not be used.

Example

The following command line installs the EAM Controller with EAM Console without RFID, with all required hidden/mandatory MSI features:

msiexec /qn /l*v <pathToLogFile> /i <pathToESSOController.MSI> /norestart INSTALLMODE=Custom /PASSIVE MODULES=CSL TRANSLATIONS=DE

Features

The following table gives the list of features that can be selected to perform a silent installation of EAM Controller.

NOTE: Feature and short names are case sensitive.

Feature/Sub-feature name (short name): description

  • WGSS (-): Mandatory feature. EAM middleware.
    • WGSSServer (-): Mandatory feature.
  • ESSO_Console (CSL): EAM administration Console.
  • Translations (-): Localized resources of EAM software modules. English resources are always installed.
    • german (DE): The German translated resources for EAM Controller software.
    • arabic (AR): The Arabic translated resources for EAM Controller software.
    • japanese (JP): Needs a specific license. The Japanese translated resources for EAM Controller software.
    • french (FR): The French translated resources for EAM Controller software.
    • italian (IT): The Italian translated resources for EAM Controller software.
    • spanish (ES): The Spanish translated resources for EAM Controller software.
    • dutch (NL): The Dutch translated resources for EAM Controller software.
    • russian (RU): The Russian translated resources for EAM Controller software.
    • finnish (FI): The Finnish translated resources for EAM Controller software.
    • swedish (SV): The Swedish translated resources for EAM Controller software.

Installing EAM Client in Silent Mode

Subject

The ESSOAgent.msi gathers all software modules that may be installed on a user’s workstation.

IMPORTANT: This package does not include the configuration of the workstation.

 

Procedure

Installation using the ADDLOCAL property of msiexec

In the ADDLOCAL property of the msiexec command, add the wanted feature names (see the "Feature Name" column in the following Features table).

IMPORTANT: It is mandatory to select the parent feature in order to select a sub-feature. Examples:

  • To select the SSOJava feature, it is necessary to select the SSOWatch feature.
  • To select the GinaStub feature, it is necessary to select both the WindowsStub and SSOWatch features.

Example

The following command line installs the EAM Client with Authentication Manager, EAM Console without RFID management, Enterprise SSO with Personal SSO Studio and Enterprise SSO Studio and the Java plug-in, along with German resources (with all required hidden/mandatory MSI features):

  • On a Windows XP system:

    msiexec /qn /l*v <pathToLogFile> /i <pathToESSOAgent.MSI> /norestart /PASSIVE ADDLOCAL=WGSS,EssoErrors,Advanced_Login,Gina_NT,WG_Gina,WG_Safe_Gina,ESSO_Console,SSOWatch,SSOJava,Studio_Enterprise,Studio_Personal,translations,german

  • On Windows 7 systems and above:

    msiexec /qn /l*v <pathToLogFile> /i <pathToESSOAgent.MSI> /norestart /PASSIVE ADDLOCAL=WGSS,EssoErrors,Sens,Advanced_Login,VistaCP,WGSens,ESSO_Console,SSOWatch,SSOJava,Studio_Enterprise,Studio_Personal,translations,german,devista

Installation using the MODULES and TRANSLATIONS properties of msiexec
  • In the MODULES property of the msiexec command, add the short name of the wanted features (see "Short Name" column in the following Features table).
  • In the TRANSLATIONS property of the msiexec command, add the short name of the wanted languages.

IMPORTANT: In this case, the ADDLOCAL parameter must not be used.
Example

The following command line installs the EAM Client with Authentication Manager, EAM Console without RFID management, Enterprise SSO with Personal SSO Studio and Enterprise SSO Studio and the Java plug-in, along with German resources (with all required hidden/mandatory MSI features):

msiexec /qn /l*v <pathToLogFile> /i <pathToESSOAgent.MSI> /norestart INSTALLMODE=Custom /PASSIVE MODULES=ADL,CSL,SSO,SSOJAVA,SSOENT,SSOPER TRANSLATIONS=DE

Features

The following table gives the list of features that can be selected to perform a silent installation of EAM Client.

IMPORTANT: It is mandatory to select the parent feature in order to select a sub-feature. Example: to select the SSOJava feature, it is necessary to select the SSOWatch feature.

NOTE: Feature and short names are case sensitive.

Feature/Sub-feature name (short name): description

  • WGSS (-): Mandatory feature. Select all its sub-features.
    • EssoErrors (-): Mandatory feature.
    • Sens (-): Mandatory feature on Windows 7 (and above), Windows Server 2008 (and above).
    • UAVC (-): Mandatory feature.
    • WGSSServer (-): Mandatory feature when installing on an EAM Controller.
  • Advanced_Login (ADL): Authentication Manager, which secures access to the workstation.
    • Gina_NT (-): Required up to Windows XP and 2003. Select all its sub-features.
      • WG_Gina (-): Required up to Windows XP and 2003.
      • WG_Safe_Gina (-): Required up to Windows XP and 2003.
    • VistaCP (-): Required on Windows 7 (and above), Windows Server 2008 (and above). Select its sub-feature.
      • WGSens (-): Required on Windows 7 (and above), Windows Server 2008 (and above).
      • PwdTile (PWD): Allows password authentication. Valid for Windows 7 (and above), Windows Server 2008 (and above).
      • TokenTile (TOKEN): Allows smart card authentication. Valid for Windows 7 (and above), Windows Server 2008 (and above).
      • RfidTile (RFIDTILE): Allows contactless badge authentication. Valid for Windows 7 (and above), Windows Server 2008 (and above).
      • BioTile (BIO): Allows biometric authentication. Valid for Windows 7 (and above), Windows Server 2008 (and above).
      • MobileTile (MOBILE): Allows mobile phone authentication. Valid for Windows 7 (and above), Windows Server 2008 (and above).
      • SsprTile (SSPR): Allows SSPR and Q&A authentication. Valid for Windows 7 (and above), Windows Server 2008 (and above).
      • ClusterTile (CLUSTER): Allows transparent locking and Cluster automatic logging. Valid for Windows 7 (and above), Windows Server 2008 (and above).
  • SSOWatch (SSO): Evidian Enterprise SSO, which provides Single Sign On to applications.
    • BioEnroll (SSOBIO): Enables users to enroll their biometric authentication data.
    • WindowsStub (SSOWIN): Automatically opens Enterprise SSO with the user's Windows credentials if Authentication Manager is not installed.
      • GinaStub (-): Required up to Windows XP and 2003.
      • VistaWrapper (-): Required on Windows 7 (and above), Windows Server 2008 (and above).
    • IEPLUGIN (SSOIE): Obsolete Internet Explorer plug-in (with BHO).
    • SSOJava (SSOJAVA): Provides Single Sign On to Java applications and applets.
    • Studio_Personal (SSOPER): Personal SSO Studio, which allows end users to enable SSO on their applications.
    • Studio_Enterprise (SSOENT): Enterprise SSO Studio, which is the SSO configuration management tool.
    • SSOFUS (SSOFUS): Public Access Fast User Switching, for free access to Windows sessions if neither Authentication Manager nor WindowsStub is installed.
    • BIOFUS (BIOFUS): Multi-User Desktop, if neither Authentication Manager nor WindowsStub is installed.
    • FUS_sessionmgr (-): A customizable extension DLL dedicated to Fast User Switching.
  • ESSO_Console (CSL): EAM administration Console. Mandatory feature when installing on an EAM Controller.
  • translations (-): Localized resources of EAM software modules. English resources are always installed.
    • german (DE): The German translated resources for EAM Client software.
      • devista (-): Additional German resources for Windows 7 (and above), Windows Server 2008 (and above).
    • arabic (AR): The Arabic translated resources for EAM Client software.
      • arvista (-): Additional Arabic resources for Windows 7 (and above), Windows Server 2008 (and above).
    • japanese (JP): Needs a specific license. The Japanese translated resources for EAM Client software.
      • jpvista (-): Additional Japanese resources for Windows 7 (and above), Windows Server 2008 (and above).
    • french (FR): The French translated resources for EAM Client software.
      • frvista (-): Additional French resources for Windows 7 (and above), Windows Server 2008 (and above).
    • italian (IT): The Italian translated resources for EAM Client software.
      • itvista (-): Additional Italian resources for Windows 7 (and above), Windows Server 2008 (and above).
    • spanish (ES): The Spanish translated resources for EAM Client software.
      • esvista (-): Additional Spanish resources for Windows 7 (and above), Windows Server 2008 (and above).
    • russian (RU): The Russian translated resources for EAM Client software.
      • ruvista (-): Additional Russian resources for Windows 7 (and above), Windows Server 2008 (and above).
    • dutch (NL): The Dutch translated resources for EAM Client software.
      • nlvista (-): Additional Dutch resources for Windows 7 (and above), Windows Server 2008 (and above).
    • finnish (FI): The Finnish translated resources for EAM Client software.
      • fivista (-): Additional Finnish resources for Windows 7 (and above), Windows Server 2008 (and above).
    • swedish (SV): The Swedish translated resources for EAM Client software.
      • svvista (-): Additional Swedish resources for Windows 7 (and above), Windows Server 2008 (and above).

Installing Cloud E-SSO in Silent Mode

Description

To install the Cloud Enterprise SSO Engine package in silent mode, you need to install all the related features, by setting ADDLOCAL=ALL.

To initialize the Cloud Enterprise SSO Engine with a:

  • Default Cloud server, the URL must be set in the CLOUDSERVER property: CLOUDSERVER="https://my.esso.cloud.server:9765/"
  • Set of trusted CA certificates, the path of the trusted CA Certificate file must be set in the CLOUDCAFILE property: CLOUDCAFILE="c:\\TrustedCA\\CloudCA.pem"
Example

Windows Installer command line:

MSIEXEC.EXE /I ESSOCloud.msi ADDLOCAL="ALL" CLOUDSERVER="https://my.esso.cloud.server:9765/" CLOUDCAFILE="c:\\TrustedCA\\CloudCA.pem" /qn
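The same installation wrapped in a PowerShell function, as an added example that is not part of this guide or of the Evidian package. CLOUDCAFILE is the set of trust anchors the engine will use for its connection to the Cloud server, so the function parses the PEM file and refuses any certificate that is not a valid, unexpired CA before msiexec runs, and it refuses a CLOUDSERVER URL that is not https. The MSI location, the log path and the exit-code handling are generic msiexec conventions, not product-specific.

```powershell
# Added example (not Evidian's code): silent Cloud E-SSO install with checks on the two
# security-relevant properties, CLOUDSERVER and CLOUDCAFILE, before msiexec is started.

function Test-CloudCaFile {
    # Parse every PEM certificate in the file; each one must be an unexpired CA certificate.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "CLOUDCAFILE not found: $Path" }
    $pem    = Get-Content -LiteralPath $Path -Raw
    $blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
    if ($blocks.Count -eq 0) { throw "No PEM certificate found in $Path" }
    foreach ($m in $blocks) {
        $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        $bc   = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        if (-not ($bc -and $bc.CertificateAuthority)) { throw "Not a CA certificate (BasicConstraints): $($cert.Subject)" }
        if ($cert.NotAfter -lt (Get-Date)) { throw "Expired CA certificate: $($cert.Subject) (expired $($cert.NotAfter))" }
        Write-Verbose "Trusted CA accepted: $($cert.Subject), valid until $($cert.NotAfter)"
    }
    return $blocks.Count
}

function Install-CloudEsso {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$CloudServer,
        [Parameter(Mandatory)][string]$CloudCaFile,
        [string]$LogPath = (Join-Path $env:TEMP 'ESSOCloud-install.log')   # assumed location
    )
    # A plain http:// server URL would leave the engine's traffic to the Cloud server unprotected.
    $uri = [Uri]$CloudServer
    if ($uri.Scheme -ne 'https') { throw "CLOUDSERVER must be an https:// URL, got '$CloudServer'" }
    $caCount = Test-CloudCaFile -Path $CloudCaFile
    Write-Verbose "$caCount CA certificate(s) accepted from $CloudCaFile"

    # ADDLOCAL=ALL is required by this package; /l*v keeps a verbose log for troubleshooting.
    $msiArgs = @(
        '/i', "`"$MsiPath`"",
        'ADDLOCAL=ALL',
        "CLOUDSERVER=`"$CloudServer`"",
        "CLOUDCAFILE=`"$CloudCaFile`"",
        '/qn', '/norestart', '/l*v', "`"$LogPath`""
    )
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'Installed, reboot required' }
        default { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
    }
}

# Usage, with the values from the command line above (MSI path assumed):
# Install-CloudEsso -MsiPath 'C:\Install\ESSOCloud.msi' `
#     -CloudServer 'https://my.esso.cloud.server:9765/' `
#     -CloudCaFile 'c:\\TrustedCA\\CloudCA.pem' -Verbose
```

Run it from an elevated PowerShell session; exit code 3010 means the installation succeeded but a reboot is pending, which /norestart has deliberately not triggered.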

Installing EAM Web Server in Silent Mode

Subject

The ESSOWebServer.msi package gathers all the software modules that may be installed on a web server.
Silent installation can only be used to update the web server: the MSI does not include the Apache server, which is a prerequisite for the Self-Service Password Reset and the EAM API.

IMPORTANT: This package does not configure the computer.
Procedure
Installation using the ADDLOCAL property of msiexec

In the ADDLOCAL property of the msiexec command, list the names of the features you want to install (see the "Feature name" column of the Features table below).

IMPORTANT: To select a subfeature, you must also select its parent feature.

Installation using the MODULES and TRANSLATIONS properties of msiexec
Procedure

In the MODULES property of the msiexec command, list the short names of the features you want to install (see the "Short Name" column of the Features table below).

In the TRANSLATIONS property of the msiexec command, list the short names of the languages you want to install.

IMPORTANT: In this case, the ADDLOCAL property must not be used.
Example

The following command line installs the EAM Self-Service Password Reset, together with the hidden/mandatory MSI features it requires:

msiexec /qn /norestart /l*v <pathToLogFile> /i <pathToESSOWebServer.MSI> INSTALLMODE=Custom MODULES=SSPR
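The two installation styles above (ADDLOCAL, or MODULES/TRANSLATIONS) in one PowerShell function, as an added example that is not part of this guide or of the Evidian package. Parameter sets make the two styles mutually exclusive, as the IMPORTANT note requires, and the verbose MSI log is parsed afterwards to confirm which features were actually actioned and the final status, since a silent install shows nothing on screen. Assumptions: feature and short names as in the Features table below; several MODULES or TRANSLATIONS values are comma-separated like ADDLOCAL (the page only shows a single value); the sample log excerpt is constructed for the offline check and is not a real installation log.

```powershell
# Added example (not Evidian's code): silent EAM Web Server install plus verification
# from the verbose msiexec log.

function Get-MsiInstallResult {
    # Extract the per-feature action lines and the final status from verbose msiexec log lines.
    param([Parameter(Mandatory)][string[]]$LogLines)
    $featureRx = 'Feature: (?<name>[^;]+); Installed: (?<inst>[^;]+);\s+Request: (?<req>[^;]+);\s+Action: (?<act>\S+)'
    $features = foreach ($line in $LogLines) {
        if ($line -match $featureRx) {
            [pscustomobject]@{ Feature = $Matches.name; Installed = $Matches.inst; Request = $Matches.req; Action = $Matches.act }
        }
    }
    $status = $null
    foreach ($line in $LogLines) {
        if ($line -match 'Installation success or error status: (\d+)') { $status = [int]$Matches[1] }
    }
    [pscustomobject]@{
        Status    = $status
        Succeeded = ($status -eq 0)
        Installed = @($features | Where-Object Action -eq 'Local' | ForEach-Object Feature)
        Features  = $features
    }
}

function Install-EamWebServer {
    [CmdletBinding(DefaultParameterSetName = 'Modules')]
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(ParameterSetName = 'Modules', Mandatory)][string[]]$Modules,       # short names, e.g. SSPR
        [Parameter(ParameterSetName = 'Modules')][string[]]$Translations = @(),       # language short names
        [Parameter(ParameterSetName = 'AddLocal', Mandatory)][string[]]$AddLocal,     # feature names
        [string]$LogPath = (Join-Path $env:TEMP 'ESSOWebServer-install.log')          # assumed location
    )
    # Either ADDLOCAL or MODULES/TRANSLATIONS: the parameter sets prevent mixing them.
    $props = if ($PSCmdlet.ParameterSetName -eq 'AddLocal') {
        @("ADDLOCAL=$($AddLocal -join ',')")
    } else {
        $p = @('INSTALLMODE=Custom', "MODULES=$($Modules -join ',')")
        if ($Translations.Count -gt 0) { $p += "TRANSLATIONS=$($Translations -join ',')" }
        $p
    }
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$LogPath`"") + $props
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    $result = Get-MsiInstallResult -LogLines (Get-Content -LiteralPath $LogPath)
    $result | Add-Member -NotePropertyName ExitCode -NotePropertyValue $proc.ExitCode -PassThru
}

# Offline check of the log parser on a constructed excerpt (not a real Evidian log):
$sampleLog = @'
MSI (s) (6C:10) [10:21:05:123]: Feature: ESSO_WGAPI; Installed: Absent;   Request: Local;   Action: Local
MSI (s) (6C:10) [10:21:05:123]: Feature: APACHE_WEB; Installed: Absent;   Request: Local;   Action: Local
MSI (s) (6C:10) [10:21:05:123]: Feature: ESSO_SSPR; Installed: Absent;   Request: Local;   Action: Local
MSI (s) (6C:10) [10:21:05:123]: Feature: ESSO_WSAPI; Installed: Absent;   Request: Null;   Action: Null
MSI (s) (6C:10) [10:21:40:456]: Windows Installer installed the product. Installation success or error status: 0.
'@ -split "`r?`n"
Get-MsiInstallResult -LogLines $sampleLog   # Succeeded = True, Installed = ESSO_WGAPI, APACHE_WEB, ESSO_SSPR

# Real use, equivalent to the command line above:
# Install-EamWebServer -MsiPath 'C:\Install\ESSOWebServer.msi' -Modules SSPR
```

The Installed list is the practical check: it shows the hidden/mandatory features the package pulled in alongside SSPR, which is what you would otherwise have to infer from the log by hand.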

Features

The following table lists the features that can be selected to perform a silent installation of EAM Web Server.

NOTE: Feature and short names are case sensitive.

Feature name   Short Name   Description
WEB            -            Optional feature.
WGSSSERVER     -            Mandatory feature when installing on an EAM Controller.
ESSO_WGAPI     -            Mandatory feature.
APACHE_WEB     -            Installs the EAM Web Portal in the Apache Web Server.
ESSO_SSPR      SSPR         EAM Self-Service Password Reset.
ESSO_SSAP      SSAP         EAM Self-Service Administration Portal.
ESSO_WSAPI     WSAPI        EAM API Web Service.
IIS_Web        -            Installs EAM as an IIS site.

Installing HLLAPI Wrapper in Silent Mode (64-bit clients only)

Subject

The HLLAPI Wrapper is delivered as a separate MSI package: ESSOHllAPI.msi, located in the ESSO.x64\Install folder of the installation packages.

IMPORTANT: This procedure is required only to run the HLLAPI plugin with 32-bit emulators on 64-bit clients.
Procedure

In the ADDLOCAL property of the msiexec command, add the HllAPIWrapper feature (the package's single, mandatory feature).

NOTE: The MODULES property of the msiexec command is not supported by this package.

Enhancing EAM

Enhancing Security

Subject

You can customize EAM security to fit your security needs by reading the following sections.

Encrypting the LDAP Connection

By default, the connection to the Active Directory is not encrypted, because the sensitive data that EAM sends over this channel is already encrypted.

However, you can encrypt the LDAP connection by setting the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\FrameWork\Directory\GSSEncryption DWORD 1

Deactivating the Web Service Role on a Controller

By default, all the services are activated on an EAM controller, including the Web Service.

If you are not using this Web Service, deactivate it by clearing the corresponding check box (Directory Panel > Access Point (EAM Controller) > Configuration tab).

Encrypting the Client Workstation/Controller Connection

Subject

By default, the connection between the client workstation and the controller is SSPI-encrypted. To use the alternate encryption method, set the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\FrameWork\FmkServer\DontUseSSPIWithServer DWORD 1

Once this value is set, the connection is encrypted with AES 128 instead of SSPI.
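A PowerShell check for the two encryption settings of this section, added here as an example that is not part of this guide or of the Evidian product. The point it makes is the precedence rule: values distributed by GPO under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Enatel supersede the local values under HKEY_LOCAL_MACHINE\SOFTWARE\Enatel, so a local registry edit is silently ineffective when a policy value exists, and an audit must read both. Assumption: the Policies key mirrors the WiseGuard\FrameWork layout of the local key; the function names and the Get-/Set- helpers are this example's own.

```powershell
# Added example (not Evidian's code): effective LDAP and client/controller encryption settings,
# taking into account that the GPO-delivered Policies key supersedes the local key.

$LocalRoot  = 'HKLM:\SOFTWARE\Enatel\WiseGuard\FrameWork'
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork'   # assumed to mirror the local layout

function Get-EamEffectiveValue {
    # Effective DWORD value of FrameWork\<SubKey>\<Name>, and where it comes from.
    param(
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][string]$Name,
        [int]$Default = 0     # both values on this page are off when absent
    )
    $policy = Get-ItemProperty -Path (Join-Path $PolicyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path (Join-Path $LocalRoot  $SubKey) -Name $Name -ErrorAction SilentlyContinue
    if ($policy)    { $value = [int]$policy.$Name; $source = 'GPO (Policies key)' }
    elseif ($local) { $value = [int]$local.$Name;  $source = 'local key' }
    else            { $value = $Default;           $source = 'default (value absent)' }
    [pscustomobject]@{ Setting = "$SubKey\$Name"; Value = $value; Source = $source }
}

function Get-EamConnectionSecurity {
    $gss  = Get-EamEffectiveValue -SubKey 'Directory' -Name 'GSSEncryption'
    $sspi = Get-EamEffectiveValue -SubKey 'FmkServer' -Name 'DontUseSSPIWithServer'
    [pscustomobject]@{
        LdapConnection       = if ($gss.Value -eq 1)  { 'encrypted (GSSEncryption=1)' } else { 'not encrypted (default)' }
        LdapSource           = $gss.Source
        ControllerConnection = if ($sspi.Value -eq 1) { 'AES 128 (DontUseSSPIWithServer=1)' } else { 'SSPI (default)' }
        ControllerSource     = $sspi.Source
    }
}

function Set-EamLocalValue {
    # Write a local DWORD; warn when a GPO value exists, because the local value is then ignored.
    param(
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    $key = Join-Path $LocalRoot $SubKey
    if (-not (Test-Path -Path $key)) { $null = New-Item -Path $key -Force }
    New-ItemProperty -Path $key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    if (Get-ItemProperty -Path (Join-Path $PolicyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue) {
        Write-Warning "$SubKey\$Name is also set under $PolicyRoot; that GPO value supersedes the local one"
    }
}

# Usage (elevated session):
# Set-EamLocalValue -SubKey 'Directory' -Name 'GSSEncryption' -Value 1   # encrypt the LDAP connection
# Get-EamConnectionSecurity
```

Where the GPO value is in force, change the setting in the ADMX-based policy rather than locally; the warning above tells you which case you are in.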

Enhancing Performance

Subject

You can customize EAM to fit your performance needs by reading the following section.

Saving Directory Space
Description

When the primary account is stored, the following additional parameters are stored with it:

  • Short name (john)
  • NT4 name (WINDOMAIN\john)
  • User principal name (john@windomain.win.dom)

You can save space in the Active Directory by setting the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\FrameWork\SingleSignOn\CleanWindowsParam REG_DWORD 1

When this value is set, the additional parameters are no longer stored, except when delegation using the primary account has been activated.

Activating Traces

Subject

To diagnose unexpected results from an installation program, you can activate traces as described in the following procedure.

Before Starting
  • Create the folder that will store your trace files (C:\Traces for example).
  • If you want to trace Password Reset, create a specific folder (C:\TracesRP for example).
Procedure
  1. Start Registry Editor.
  2. Create the HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\Debug key.
  3. Create the following values:

Value Type   Value Name           Value
String       TraceDir             Location of the trace files (C:\Traces for example).
DWORD        TraceLevel           A value between 0 and 5: 0 = no trace; 5 = highly detailed traces.
DWORD        MaxFileSize          Maximum size in KB of each trace file.
DWORD        LimitedLogFiles      Maximum number of trace files, between 2 and 10 (2 by default).
DWORD        TraceDurationHours   Number of hours that the trace files must cover: 0 (default) = disabled; any non-null value = enabled.

When the current trace file of a given process reaches MaxFileSize, EAM looks for the first trace file of that process whose last modification is older than TraceDurationHours hours:

  • If no existing file matches this criterion, a new trace file is created with the current index + 1.
  • If an existing file matches this criterion, its content is erased and it is reused as the next trace file; any file with a greater index is deleted.

IMPORTANT: When TraceDurationHours is set to a non-null value, the LimitedLogFiles registry value is ignored.

NOTE: When TraceDurationHours is enabled, the number of trace files used by a given active process can be very high. This number decreases when the process is no longer active.

  4. If you want to trace Password Reset, create the HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\Framework\ResetPassword key with the following value:

Value Type   Value Name   Value
String       TraceDir     Location of the Password Reset trace files (C:\TracesRP for example).

  5. Restart your workstation.

     When the user logs on to the workstation, the following trace files are created in the specified directory:

     • WGSSxxxx.log: traces of the EAM Security Services service.
     • ssoenginexxxx.log: traces of the Enterprise SSO engine.
     • winlogonxxxx.log: Authentication Manager traces.
     • WGConfigxxxx.log: traces of WGConfig.exe, which allows you to configure the EAM Security Services on the EAM workstations.
     • SSOBuilderxxxx.log: traces of Enterprise SSO Studio.
     • SENSxxxx.log: traces of the EAM Session Manager service.
     • BIOFUSxxxx.log: traces of the Multi-User Desktop.
     • LogonUIxxxx.log: traces of Authentication Manager (Windows 7 and above), with the method as a suffix (for example LogonUI(Pwd), LogonUI(Bio)).
     • UAPnAgentxxxx.log: traces of the XenApp session management by the Enterprise SSO Engine.
     • Credentialmanagerxxxx.log: traces of the Credential Manager.
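The trace procedure above as a pair of PowerShell functions, added as an example that is not part of this guide or of the Evidian product. Enable-EamTraces writes the Debug key values and, optionally, the Password Reset TraceDir value; Disable-EamTraces is the step the procedure does not spell out: at level 5 the logon components (Security Services, SSO engine, Authentication Manager, Credential Manager) write highly detailed traces, so once the files have been collected, tracing should be turned off and the directories emptied. Key and value names are those of the procedure; the MaxFileSize default of 10240 KB is an assumption, since the page gives none.

```powershell
# Added example (not Evidian's code): turn EAM tracing on for a diagnosis and off afterwards.

$DebugKey = 'HKLM:\SOFTWARE\Enatel\WiseGuard\Debug'
$ResetKey = 'HKLM:\SOFTWARE\Enatel\WiseGuard\Framework\ResetPassword'

function Enable-EamTraces {
    param(
        [string]$TraceDir = 'C:\Traces',
        [string]$ResetPasswordTraceDir = 'C:\TracesRP',   # empty string = do not trace Password Reset
        [ValidateRange(0, 5)][int]$TraceLevel = 5,
        [int]$MaxFileSizeKB = 10240,                      # assumed default; the page gives none
        [ValidateRange(2, 10)][int]$LimitedLogFiles = 2,
        [int]$TraceDurationHours = 0
    )
    if (-not (Test-Path -LiteralPath $TraceDir)) { $null = New-Item -ItemType Directory -Path $TraceDir }
    if (-not (Test-Path -Path $DebugKey)) { $null = New-Item -Path $DebugKey -Force }
    New-ItemProperty -Path $DebugKey -Name 'TraceDir' -PropertyType String -Value $TraceDir -Force | Out-Null
    $dwords = @{
        TraceLevel         = $TraceLevel
        MaxFileSize        = $MaxFileSizeKB
        LimitedLogFiles    = $LimitedLogFiles
        TraceDurationHours = $TraceDurationHours
    }
    foreach ($entry in $dwords.GetEnumerator()) {
        New-ItemProperty -Path $DebugKey -Name $entry.Key -PropertyType DWord -Value $entry.Value -Force | Out-Null
    }
    if ($TraceDurationHours -gt 0) {
        # Per the IMPORTANT note: LimitedLogFiles no longer bounds the file count.
        Write-Warning 'TraceDurationHours is non-null: LimitedLogFiles is ignored and an active process may produce many trace files'
    }
    if ($ResetPasswordTraceDir) {
        if (-not (Test-Path -LiteralPath $ResetPasswordTraceDir)) { $null = New-Item -ItemType Directory -Path $ResetPasswordTraceDir }
        if (-not (Test-Path -Path $ResetKey)) { $null = New-Item -Path $ResetKey -Force }
        New-ItemProperty -Path $ResetKey -Name 'TraceDir' -PropertyType String -Value $ResetPasswordTraceDir -Force | Out-Null
    }
    Write-Output 'Trace settings written; restart the workstation for them to take effect.'
}

function Disable-EamTraces {
    # Set TraceLevel back to 0 (no trace), drop the Password Reset TraceDir value and,
    # with -RemoveTraceFiles, delete the collected *.log files from both directories.
    param([switch]$RemoveTraceFiles)
    $dirs = @()
    foreach ($key in $DebugKey, $ResetKey) {
        $item = Get-ItemProperty -Path $key -Name 'TraceDir' -ErrorAction SilentlyContinue
        if ($item) { $dirs += $item.TraceDir }
    }
    if (Test-Path -Path $DebugKey) {
        New-ItemProperty -Path $DebugKey -Name 'TraceLevel' -PropertyType DWord -Value 0 -Force | Out-Null
    }
    Remove-ItemProperty -Path $ResetKey -Name 'TraceDir' -ErrorAction SilentlyContinue
    if ($RemoveTraceFiles) {
        foreach ($dir in ($dirs | Select-Object -Unique)) {
            Get-ChildItem -LiteralPath $dir -Filter '*.log' -ErrorAction SilentlyContinue | Remove-Item -Force
        }
    }
    Write-Output 'Tracing disabled; restart the workstation as for activation.'
}

# Usage (elevated session):
# Enable-EamTraces -TraceLevel 5 -LimitedLogFiles 4
# ... reproduce the problem, collect C:\Traces and C:\TracesRP ...
# Disable-EamTraces -RemoveTraceFiles
```

Keep the collected trace files with the same care as any other file that records a user's logon session, and do not leave TraceLevel above 0 on a production workstation once the diagnosis is done.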

 

 

Related Documents