One Identity Authentication Manager for Windows User's Guide

Transcription

1 One Identity Authentication Manager for Windows User's Guide

2 Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser s personal use without the written permission of One Identity LLC. The information in this document is provided in connection with One Identity products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON- INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ONE IDENTITY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. One Identity do not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: One Identity LLC. Attn: LEGAL Dept 4 Polaris Way Aliso Viejo, CA Refer to our Web site ( for regional and international office information. Patents One Identity is proud of our advanced technology. Patents and pending patents may apply to this product. For the most current information about applicable patents for this product, please visit our website at Trademarks One Identity and the One Identity logo are trademarks and registered trademarks of One Identity LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit our website at All other trademarks are the property of their respective owners. Legend WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death. CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed. IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information. Authentication Manager for Windows User's Guide Updated - November 2017 Version

3 Contents Preface 7 Overview 9 Authentication Manager Usage 9 Authentication Manager Features 9 Operating Modes 10 Welcome Screen 10 Logging on to Windows 13 Logging on to Windows with you User Name and Password 13 Logging on to Windows with your Smart Card 16 Logging on with a Smart Card containing Account Data 16 Logging on with a Smart Card of type SmartCard Logon 17 Primary password Collection or Reset 17 Everyday Log on 18 Logging on with a blank Smart Card 18 Logging on through Prim'X Cryhod 20 Enrolling a new Account on a Smart Card 20 Logging on to Windows with your Fingers 21 First Log on 21 Everyday Log on 23 Store on PC mode 23 Store on server Mode 24 Logging on to Windows with your RFID Badge 25 First Log on 26 First Log on with your Smart Card 27 Everyday Log on 28 Logging on through Citrix/TSE 29 Logging out 29 Logging on to Windows with your OTP (One Time Password) 29 Logging on to Windows by answering Questions 30 Logging on with your mobile device 31 Logging On a Workstation Locked by another User 32 3

4 Logging on to Windows using Autologon 32 Logging on with Microsoft Autologon 32 Logging on with Authentication Manager Autologon 33 Forcing Cache Update at Logon 33 Locking/Unlocking your Windows Session 35 Locking your Session 35 Unlocking your Session 36 Standard Unlocking 36 Transparent Unlocking 37 Switching Users Without Logging Off Windows 38 Managing your Password or PIN 40 Changing your Password 40 Changing an Expired Primary Password 42 Resetting your Password by Logging on to Windows with your Mobile Device 43 Modifying your Smart Card PIN 43 Modifying your RFID badge PIN 44 Modifying an Expired PIN 45 Resetting your PIN with your Primary Password 45 Resetting Your Password or PIN with the Emergency Access 46 Reset with Questions & Answers 47 Initializing the Self Service Password Request Feature 48 Resetting Your Password Upon Session Opening 49 Resetting your PIN 51 Resetting with an OTP 52 Managing your Smart Card 54 Managing the Unblocking of your Smart Card 54 Providing the Unblocking PIN of Your Smart Card 54 Unblocking your Smart Card 55 Unblocking Your Smart Card if you have provided Your PUK 56 Unblocking Your Smart Card if you have not provided Your PUK 56 Managing Primary Accounts on your Smart Card 57 Renewing your Smart Card Certificate(s) 58 Recovering your SSO Data 60 4

5 Recovering your SSO data with your old password 60 Recovering your SSO data by answering questions 61 Managing Your Windows Session Accounts 63 Creating a Windows Session Account 63 Deleting a Windows Session Account 65 Delegating a Windows Session Account 65 Removing a Windows Session Account Delegation 66 Managing a Cluster from your Workstation 67 Creating and Configuring your Cluster 68 Managing the Cluster Composition 68 Attaching a Workstation to Your Cluster 68 Releasing a Workstation from your Cluster 70 Renaming your Workstation 71 Setting an Alias 71 Modifying an Alias 72 Deleting an Alias 72 Executing Maintenance Operations on Your cluster 72 Removing Temporarily a Workstation from the Cluster 72 Rebooting your Cluster 73 Refreshing the Displayed Data 74 Managing Session Delegation 75 Configuring Session Delegation 75 Configuring Session Delegation in a Cluster 75 Setting a Temporary Session Delegation 76 Ending a Temporary Session Delegation 77 Setting a Permanent Session Delegation 78 Ending a Permanent Session Delegation 79 Configuring Session Delegation outside a Cluster 80 Setting a Session Delegation 80 Ending a Session Delegation 81 Accessing a Colleague s Workstation 82 Accessing a Colleague s Workstation in a Cluster 82 Taking control over another workstation 83 Ending the control over a Workstation 84 5

6 Accessing a Colleague s Workstation outside a Cluster 84 Taking control over another workstation 84 Ending the control over a Workstation 85 Ending a Roaming session 87 Logging on a User Session as an Administrator 88 Logging on a User Session with Your Smart Card: "Grace period" 88 Logging on as local administrator with your mobile device 89 Running a Process on a User Session 89 Running a Process Using your Smart Card 89 Running a Process Using your OTP 90 Restarting and Running Enterprise SSO with your Credentials 90 Managing Reports 91 Authentication Manager Registry Keys 94 Autologon 94 Biometrics 95 Password Management 98 RFID 102 Roaming session 103 Smart Card 106 User Access 109 Integrating Authentication Manager with Prim'X Cryhod 112 Configuring the Integration 112 Customizing the Integration 113 Cryhod Log Files 114 About us 115 Contacting us 115 Technical support resources 115 6

7 Preface Subject Audience This guide explains how to use Authentication Manager with the following Windows versions: 10, (8) (+Server 2012), 7 (+Server 2008). The following sections are relevant for all Windows versions displayed above, unless specified otherwise. This guide is intended for: End-users Administrators. Required Software Typographical Conventions EAM 9.0 evolution 2 and later versions. For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to One Identity EAM Release Notes. Bold Indicates: Interface objects, such as menu names, buttons, icons and labels. File, folder and path names. Keywords to which particular attention must be paid. Italics - Indicates references to other guides. Code - Indicates portions of program codes, command lines or messages displayed in command windows. CAPITALIZATI ON Indicates specific objects within the application (in addition to standard capitalization rules). < > Identifies parameters to be supplied by the user. WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death. CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed. IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information. Documentation support The information contained in this document is subject to change without notice. As our products are continuously enhanced, certain pieces of information in this guide can be incorrect. Send us your Preface 7

8 comments or suggestions regarding the documentation on the One Identity support website. Preface 8

9 1 Overview Authentication Manager is the authentication module of the Enterprise Access Management (EAM) suite. It enables rapid implementation of connection procedures using authentication mechanisms with physical authentication tokens (smart cards, USB drive, RFID badges), biometrics and mobile devices, in addition to the standard authentication methods of login/password. NOTE: The list of supported authentication devices is provided in One Identity EAM Release Notes. Authentication Manager Usage Authentication Manager is used to rapidly implement strong authentication in the following use cases: Authentication with smart card or USB drive on Windows workstations, with no need to deploy a PKI compatible with Windows Active Directory certificates. Authentication using non-windows methods, such as biometrics or mobile devices. Authentication of users through an enterprise directory, which is not part of the Windows network. Authentication using an RFID badge or a Bluetooth device. Authentication with an OTP (One Time Password). Authentication Manager Features The Authentication Manager icon, displayed in the notification area, launches every time you authenticate yourself to a Windows session and displays different actions depending on which rights the administrator has given you, such as: Overview 9

10 Enrolling your biometric data. Enrolling your mobile device. Managing personal notes: refer to QRentry - Guide de l utilisateur. Using the Self Service Password Request feature, by answering personal questions or by using your mobile device. Changing your PIN or collect an unblocking PIN. Managing a cluster. Delegating a Windows session. Taking control over a workstation. Ending a Roaming session. Managing security questions. Managing reports. Operating Modes Authentication Manager can be configured in one of the following modes: With Controller: administrators are directly authenticated in EAM console, the advanced access control module. Without Controller: administrators are directly authenticated in Active Directory or in any other supported LDAP directories. Welcome Screen The initial authentication screen appears when you press Ctrl+Alt+Del at workstation startup, or when you want to switch users. Several users can be logged at the same time on a workstation, but only one session can be active on the workstation. Windows versions Windows 10 With Windows 10, you must first enter you user name, then click on Sign-in options to display the available authentication methods and select one. Depending on the selected authentication method, the display will be modified as a consequence and you will be able to authenticate. Overview 10

11 Windows 7 With Windows 7, the initial authentication screen shows several tiles corresponding to the authentication methods which are allowed and installed on the workstation, and to the users logged on the workstation. Overview 11

12 Methods to authenticate Authentication Manager provides the following authentication methods: User name/password authentication Several users can be logged at the same time on the workstation. The screen shows one tile for each logged user, or if no user is logged, it shows one tile with the name of the last logged user. The Other User tile allows another user to open a session. For more information, see Logging on to Windows with you User Name and Password. Smart card authentication The initial authentication screen shows as many tiles as accounts stored on the smart card. For more information, see Logging on to Windows with your Smart Card. Biometric authentication See Logging on to Windows with your Fingers. RFID authentication See Logging on to Windows with your RFID Badge. OTP authentication See Logging on to Windows with your OTP (One Time Password). Password forgotten See Logging on to Windows by answering Questions. Mobile device authentication See Logging on with your mobile device. You can also use the Windows Remote Desktop Connection to open a Windows session remotely When you authenticate yourself on a workstation, your credentials are transmitted to the remote workstation (Pass Through method) when authenticating on it. IMPORTANT: When you open a Windows session with your smart card and then open another connection remotely, this new session is opened in password mode only. This limitation is a Microsoft limitation as Windows only sends the login and password to the remote workstation Overview 12

13 2 Logging on to Windows Logging on to Windows with you User Name and Password Subject This section explains how to connect to Windows with your user name and password through Active Directory or any other supported LDAP directory. For the Windows 10 procedure, go to Windows 10. For the Windows 7 procedure, go to Windows 7. NOTE: If you are offline and enter 5 wrong passwords in a row, you will not be able to authenticate for the next 15 minutes. If you enter another wrong password, you will have to wait for an additional 15 minutes. Windows Press Ctrl+Alt+Del. The log on screen of the last authenticated user appears. 2. Click on Other user (or press Esc) to display the welcome screen. 3. Enter your user name and click Sign-in options to display all the authorized Logging on to Windows 13

14 authentication methods. 4. Do one of the following operations: To log on to the domain displayed on screen, type your password. To log on to another domain than the one displayed on the screen, type: <domain name>\<user name>. IMPORTANT: If you need to open a local session (you will not be protected by the advanced features of EAM), type <workstation name>\<user name>. 5. Click on. The Windows session opens. Logging on to Windows 14

15 Windows 7 1. Press Ctrl+Alt+Del. The initial authentication screen appears. 2. Click the tile corresponding to your name, or if no tile shows your name, click the Other User tile. The authentication screen appears. The following example window shows the Other User authentication tile. 3. Do one of the following operations: To log on to the domain displayed on screen, type you user name and password. To log on to another domain than the one displayed on the screen, type: <domain name>\<user name>. IMPORTANT: If you need to open a local session (you will not be protected by the advanced features of EAM), type <workstation name>\<user name>. 4. Click on. The Windows session opens. Logging on to Windows 15

16 Logging on to Windows with your Smart Card Logging on with a Smart Card containing Account Data Subject If your account data is enrolled on the smart card, you can log on to your Windows session as explained in the following procedure. 1. Press Ctrl+Alt+Del. The authentication window appears. 2. Insert your smart card in the smart card reader. The initial authentication screen appears, displaying as many tiles as primary accounts stored on the smart card. By default, the tile corresponding to the last primary account used to log on the workstation is selected. NOTE: If none of the listed primary accounts correspond to the last used primary account, one of the listed primary accounts is randomly selected. If there is only one primary account on the card, this primary account is selected. 3. If needed, select the account with which you want to authenticate. 4. Enter the PIN and click OK. IMPORTANT: If you re-authenticate, enter your PIN. NOTE: You do not need to enter your username and domain name as they are already stored on the card when it is assigned by an EAM administrator. If you try to log on with an expired password, a new password is requested. The smart card will be updated with this new password. If you have defined a password-generation policy in Enterprise SSO, the new password can be randomly generated. In this case, this screen never appears. 5. If there are several Windows accounts corresponding to the primary account, select an account in the role selection window. The Windows session opens. Logging on to Windows 16

17 Logging on with a Smart Card of type SmartCard Logon Subject Authenticating with a smart card of type SmartCard Logon enables you also to manage your primary password. Description Indeed, EAM uses the smart card certificate to authenticate you with your primary password. Prerequisites Your administrator must: Allow you to authenticate with your password. Allow the encrypted storage of your primary password. For more information, see One Identity EAM Console - Guide de l'administrateur. Primary password Collection or Reset 1. Press Ctrl+Alt+Del. The authentication window appears. 2. Insert your smart card in the smart card reader. The initial authentication screen appears, displaying as many tiles as primary accounts stored on the smart card. By default, the tile corresponding to the last primary account used to log on the workstation is selected. NOTE: If none of the listed primary accounts correspond to the last used primary account, one of the listed primary accounts is randomly selected. If there is only one primary account on the card, this primary account is selected. 3. If needed, select the account with which you want to authenticate. 4. Fill-in the Password field and click OK. IMPORTANT:If you want to reset your password, select the Generate my password check box. Logging on to Windows 17

18 NOTE:You do not need to enter your username and domain name as they are already stored on the card when it is assigned by an EAM administrator. 5. If there are several Windows accounts corresponding to the primary account, select an account in the role selection window. The Windows session opens. Everyday Log on Authentication is the same as in Logging on with a Smart Card containing Account Data. IMPORTANT:If your password has been modified (by an administrator for example), it will have to be re-collected. Logging on with a blank Smart Card Subject The first time you use a multi-account smart card to logon to your workstation, your account data is not necessarily stored on the smart card yet. The following procedure explains how to enroll your own account on a smart card. The following procedure only applies to smart cards that can handle self-enrollment and multi-accounts. 1. Press Ctrl+Alt+Del. The initial authentication screen appears. 2. Insert your smart card in the smart card reader. As your account is not stored on the smart card yet (first smart card authentication), the smart card tile displays Not assigned. 3. Click the Not assigned smart card tile. The authentication screen appears. Logging on to Windows 18

19 Windows 10 Windows 7 4. Enter the PIN and click or. As this is the first time you authenticate with this smart card, you are asked for your log on user name and password (that are stored in the directory). The password will be stored on the smart card and will no longer be requested, unless it is changed through an external procedure (administrator forcing a change, or a change initiated from a workstation not protected by Authentication Manager). 5. Enter the requested information and click OK. The account is created on the smart card and the session opens. Logging on to Windows 19

20 Logging on through Prim'X Cryhod Description When both Cryhod and E-SSO are installed, log-on as follows. For more information on Prim'X Cryhod integration, see Integrating Authentication Manager with Prim'X Cryhod. 1. Log-on to the Cryhod pre-boot with your Smart Card and PIN. The Windows session opens. 2. Press Ctrl+Alt+Del. 3. Select the Smart Card tile NOTE: If your last authentication was with your Smart Card, the Smart Card tile is automatically selected. The Windows session opens. Enrolling a new Account on a Smart Card Subject If your smart card can store several accounts, Authentication Manager enables you to enroll new accounts on your smart card, as explained in the following procedure. IMPORTANT:The account you want to store on the Smart Card must exist in the users' directory. 1. Press Ctrl+Alt+Del. The initial authentication screen appears. 2. Insert your smart card in the smart card reader. The tile corresponding to the last primary account used to log on the workstation is selected. 3. Enter the PIN of your Smart Card. 4. Select the Create a new account check box and click or. Logging on to Windows 20

21 The Windows Account Entry window appears. 5. Enter the requested information and click OK. The account is created on the smart card and the Windows session opens. Logging on to Windows with your Fingers Authentication Manager can work in three store modes to authenticate users using their biometric data: STORE ON PC mode The biometric data is stored on the PC in the EAM cache file. The fingerprint replaces the Identifier/Password. You must enroll yourself on each PC that you connect to. STORE ON SERVER mode The biometric data is stored on a server. The fingerprint replaces the Identifier/Password. First Log on Subject To log on to Windows using your finger, you must first enroll your biometric data. Before starting A finger reader must be installed on the workstation. NOTE: The workstation can support only one reader.. IMPORTANT: We strongly recommend that you download the latest: Drivers and license of your product. License for the installation. If you use several finger readers, just plug in the one reader you want to use, unplug all the other readers and restart the computer. Logging on to Windows 21

22 NOTE: For more information on supported biometric devices, see One Identity EAM Release Notes. If the administrator has configured a validation of your authentication, a second EAM user must authenticate him or herself after you. If the Biometric Enrollment tool does not start, modify the Authentication Manager installation by selecting the Biometric Enrollment tool option and restart the computer. IMPORTANT: Ensure that the Controller is available to enroll in Store on Server Mode. 1. Depending on your biometric authentication mode, do one of the following: Store on PC: log on using your password, as described in Logging on to Windows with you User Name and Password. Store on Server: log on using your finger, as described in Logging on to Windows with your Fingers. NOTE: You can also log on by using your password and enroll your biometric data afterwards. The EAM Biometrics Enrollment tool starts after a successful authentication. 2. If it does not start: display the Authentication Manager menu by right-clicking the Authentication Manager icon in the notification area and clicking Biometric enrollment. 3. Follow the instructions of the Biometric Enrollment tool. 4. When you have successfully completed the scan of your finger(s), log off and try to log on using the biometric reader, as described in Logging on to Windows with your Fingers. NOTE: There can only be one set of fingers per biometric reader. Logging on to Windows 22

23 Everyday Log on Subject This section describes how to log on to Windows using your finger(s). NOTE: Depending on your biometric authentication mode (STORE ON PC, STORE ON SMART CARD or STORE ON SERVER), the procedure is slightly different. Before starting You must have enrolled your biometric data, as described in First Log on. NOTE:Each time you connect yourself to a new workstation in Store On PC mode, you must enroll your biometric data. Store on PC mode 1. When the Authentication Manager welcome screen appears, place your finger on the scanner. If prompted to, enter your Password. The following tile appears: Depending on your configuration, you log on automatically when your finger is successfully captured Otherwise, the following window appears: Logging on to Windows 23

24 2. Make sure your Login is correct and click or to validate. NOTE: For details on how to enable the automatic validation, see Appendix A., "Authentication Manager Registry Keys". Store on server Mode 1. When the Authentication Manager welcome screen appears, place your finger on the scanner. If prompted to, enter your Password. The biometrics tile appears: Depending on your configuration, you log on automatically when your finger is successfully captured Otherwise, the following window appears: 2. Make sure your Login is correct and click or to validate. NOTE: l l If the authentication fails, check your Identifier. If it is not the right one, enter the correct Identifier. For more details on how to enable the automatic validation, see Appendix A., "Authentication Manager Registry Keys". Logging on to Windows 24

25 Logging on to Windows with your RFID Badge Subject This section explains how to authenticate with an RFID badge or a Bluetooth device. Indeed, Bluetooth devices (mobile phones, tablets...) can also be used to authenticate when the RFID badge is not available. IMPORTANT: For the Bluetooth device to be recognized by the EAM Console as an RFID badge, it must be paired with the workstation. Description There are two types of RFID authentication: Contact RFID: see Contact RFID hereunder. Zone RFID: see Zone RFID hereunder. Contact RFID An RFID badge can either be: Placed on the device, i.e. active mode: the Windows session is locked when the badge is withdrawn. Quickly presented to the device, i.e. passive mode: the Windows session locks itself when the badge is presented again and withdrawn. To force RFID authentication behavior, you must set the corresponding registry keys: see RFID. Zone RFID When the user enters the unlock area, the RFID badge is detected by the device and the unlocking of the session is possible. When the user leaves the unlock area, the session closes. The following figure illustrates how EAM acts depending on the area in which it detects the RFID badge. Logging on to Windows 25

26 First Log on Before starting An RFID reader must be installed on the workstation. 1. Place the RFID badge in the unlock area or on the device so that EAM detects it. The authentication window appears and tells you that your RFID badge is not assigned. Logging on to Windows 26

27 2. Click on to validate. The Enroll an Account window appears. 3. Enter your login and password to associate them with your RFID badge. 4. (Optional): if a PIN has to be associated with your RFID badge, enter it in the corresponding fields. 5. Click OK. If your are authenticated, the session opens. NOTE: You can have as many RFID badges as you want, this enables you to lend them to other people. You can delete the badge enrollment by blacklisting it in the Administration Console. EAM policy cannot block the auto-enrollment of a badge. First Log on with your Smart Card Subject You can combine the RFID authentication method with a smart card for your first log on. Before starting Authentication Manager must be installed on the workstation. An RFID and Smart Card reader must be installed on the workstation. Logging on to Windows 27

28 IMPORTANT: You must own both RFID badge and smart card to log on. If no RFID badge is detected, the RFID badge enrollment will not be suggested the next time you open your Windows session. 1. Insert your smart card in the smart card reader. Your smart card and your RFID badge are detected, the following window appears: 2. Click the Enroll button to enroll your RFID badge. Your RFID badge is now enrolled. Everyday Log on 1. Place the RFID badge in the unlock area or on the device so that EAM detects it. The authentication window appears. NOTE: Contact RFID method: you can withdraw your RFID badge before typing in your password. 2. In the RFID owner field, select the wanted RFID badge, type in your password or PIN and click OK. Logging on to Windows 28

29 IMPORTANT: If you have withdrawn your RFID badge, you have 30 seconds to enter your password and validate. Your session opens. Logging on through Citrix/TSE If you want to log on through Citrix/TSE, you must press the SHIFT key when placing your RFID badge in the unlock area. Logging out There are two possibilities for logging out with a contact RFID badge: If you have left your RFID badge on the device, withdraw it and the session closes. NOTE: Not relevant for HID Prox 125kHz badges. If you have withdrawn your RFID badge when opening the session, you must place it back in the unlock area and withdraw it again to close the session. NOTE: You can configure how the session closes in the Access Point Profile. If an EAM authentication such as primary reauthentication, Enterprise SSO Studio launch etc. is necessary; then placing the RFID badge in the unlock area will not lock the PC. If you have a contact smart card, you must insert it in the RFID reader To log out with a zone RFID badge, leave the unlock area and the session closes. Logging on to Windows with your OTP (One Time Password) Subject The OTP enables you to log on to Windows with a different password each time. The OTP authentication method is considered as an emergency alternative to the other authentication methods. Logging on to Windows 29

30 Before starting If you are in: Online mode: the RSA Authentication Agent must be installed on the EAM Controller. Online and Offline mode: the RSA Authentication Agent must be installed on the EAM Controller and on every workstation. You must have authenticated at least once in Online mode to authenticate with your OTP in Offline mode. 1. Press Ctrl+Alt+Del. The authentication window appears. 2. Enter your User name and OTP with/without PIN displayed on the device in the corresponding fields. 3. Click or. 4. If: a. You enter too many wrong OTPs in a row, the RSA security policy can require you to enter the next code from your token. A dialog box appears. Wait for the new code to appear on your token and enter this code. IMPORTANT: Do not enter your PIN. b. The RSA security policy requires you to set or change your PIN, a dialog box appears. The security policy either lets you choose a PIN, or imposes a PIN which you must accept. Enter the new PIN and click OK Wait for the code on your token to change and then reconnect with an OTP that uses the new PIN. Click OK. Your session opens. Logging on to Windows by answering Questions Subject If your administrator has authorized it, you can log on to Windows by answering questions from the Questions and answers tile (Windows 10) or Password forgotten Logging on to Windows 30

31 (Windows 7) without changing your password. If he has not authorized it, you must reset your password as described in Resetting Your Password or PIN with the Emergency Access. Before starting You must have chosen a set of questions and recorded the associated answers using the Authentication Manager Self Service Password Request Wizard. Refer to the Resetting Your Password or PIN with the Emergency Access. You workstation must be online. An EAM controller must be available. 1. In the session opening window, depending on your Windows version, click one of the following tiles: Windows 10: Questions and answers. Windows 7: Password forgotten. The Self Service Password Request wizard appears. 2. Follow the displayed instructions and answer the different questions. If you have answered the questions correctly, your Windows session opens. Logging on with your mobile device Subject If your administrator has authorized it, you can log on to Windows using your mobile device, from the Connect with a mobile device tile. For more information on this authentication method, refer to the QRentry - Guide de l utilisateur. Logging on to Windows 31

32 Logging On a Workstation Locked by another User 1. To log on to a workstation locked by another user, press Ctrl+Alt+Del. The authentication screen corresponding to the authentication method used by the other user to lock his/her session appears. 2. Click the Other Credentials button. 3. Click the Other User (Windows 10) or Switch User (Windows 8) button. The initial authentication screen appears. 4. Log on to the workstation as explained in Logging on to Windows. Logging on to Windows using Autologon There are two ways to log on to Windows with Autologon: Without Authentication Manager: see Logging on with Microsoft Autologon. With Authentication Manager: see Logging on with Authentication Manager Autologon. IMPORTANT: To use Autologon, you must set registry keys If you set these keys for both Microsoft and Authentication Manager Autologon at the same time, then only Microsoft Autologon is applied: no E-SSO process is started. Logging on with Microsoft Autologon The Microsoft Autologon opens a Windows session without starting Authentication Manager or E-SSO. NOTE: You can use the SSO FUS method to log on. Microsoft Autologon works only if all the following registry keys are set: AutoAdminLogon. DefaultDomainName. DefaultUserName. DefaultPassword. Logging on to Windows 32

33 NOTE: To set these keys, please refer to the corresponding Microsoft documentation: IMPORTANT: If you want to disable the Microsoft Autologon process, keep the Shift key pressed during authentication process. Logging on with Authentication Manager Autologon The Authentication Manager Autologon opens a Windows session with Authentication Manager and/or E-SSO processes being started. Authentication Manager Autologon works only if all the registry keys in Autologon are set. IMPORTANT: If you want to disable the Authentication Manager Autologon process, keep the Shift key pressed during authentication process Forcing Cache Update at Logon Subject By default, the authentication is done on the existing cache. The following procedure explains how to force the authentication in the target directory and so to update the authentication data in the cache. NOTE: This feature is only available if Automatic Validation is disabled by the Administrator: please refer to the One Identity EAM Console - Guide de l'administrateur 1. After choosing the tile, click I want to modify login options. The Login Options window appears. Logging on to Windows 33

34 2. Select the Update User Cache check box and click OK. The authentication is done in the directory and the cache is updated. Logging on to Windows 34

35 3 Locking/Unlocking your Windows Session Locking your Session Subject The Lock state enables you to prevent anybody from accessing your session when you are away. This section describes the different means to lock a session, whether your computer is in a cluster or not. To lock the computer, do one of the following: Press the Windows+L keys. Depending on the workstation profile, this locks the: Workstation. Keyboard and mouse (transparent lock). OR Keyboard and mouse with a logo displayed at the top of the screen (transparent lock): NOTE: If you have authenticated with a smart card, remove the card from the reader (or a USB drive from its port): your session is locked automatically. If you have authenticated with a smart card, remove the card from the reader (or a USB drive from its port): your session is locked automatically. NOTE: The administrator can modify the default workstation behavior when a token is removed, from EAM Console. If the session is not locked at token removal, it means that your administrator has modified this option. Locking/Unlocking your Windows Session 35

36 If you have authenticated with an RFID badge, place the badge outside the visibility area (lock area). If you have authenticated with your mobile device, use the QRentry remote control to lock your session. For more information, see QRentry - Guide de l utilisateur. Put the computer into a sleep state. Unlocking your Session To unlock your session, you can re-authenticate as you do for session opening. The reauthentication method does not necessarily need to be the same as for opening the main session. If you have authenticated yourself with an RFID badge and locked the session by placing the badge outside the unlock area, the session is automatically unlocked if you come back with your RFID badge in the unlock area before the end of the grace period (which is defined by your administrator). If you have authenticated with your mobile device, use the QRentry remote control to unlock your session. For more information, see QRentry - Guide de l utilisateur. A workstation can only be unlocked by the user who has locked it, unless it is unlocked using the Fast User Switching option. NOTE: A user with administration rights on the workstation can force the closure of a locked administration session. Standard Unlocking To unlock the session, do one of the following: User name and password authentication: log on as described in Logging on to Windows with you User Name and Password. Smart card authentication: go to step 2 of Logging on to Windows with your Smart Card. If you do not have your smart card with you, press the Ctrl+Alt+Del keys and log on using your Windows password. Refer to the One Identity EAM Installation Guide to insert the corresponding registry keys. Biometric authentication: log on as described in Everyday Log on. RFID authentication: place your RFID badge inside the unlock area. If the grace period has: Locking/Unlocking your Windows Session 36

37 Exceeded, log on as described in Logging on to Windows with your RFID Badge. Not exceeded, the session is automatically unlocked. NOTE: The grace period is set by your administrator. OTP authentication: enter your OTP: see Logging on to Windows with your OTP (One Time Password). Transparent Unlocking To unlock the session, do one of the following: User name and password authentication: depending on your Windows version, do one of the following: press the Windows+L keys and go to Logging on to Windows with you User Name and Password. Smart card authentication: go to step 2 of Logging on with a Smart Card containing Account Data. If you do not have your smart card with you, press the Windows+L keys and log on using your Windows password. Refer to the One Identity EAM Installation Guide to insert the corresponding registry keys. Biometric authentication: depending on your Windows version, do one of the following: press the Windows+L keys and go to Everyday Log on. RFID authentication: place your RFID badge inside the unlock area. If the grace period has: Exceeded, log on as described in Logging on to Windows with your RFID Badge. Not exceeded, the session is automatically unlocked. NOTE: The grace period is set by your administrator. OTP authentication: enter your OTP: see Logging on to Windows with your OTP (One Time Password). Locking/Unlocking your Windows Session 37

38 4 Switching Users Without Logging Off Windows Subject One Identity offers two means of fast user switching: the Fast User Switching (FUS) and the Multi-User Desktop (MUD). Fast User Switching The Fast User Switching (FUS) feature allows a user to load his/her SSO configuration without closing the current Windows session. When the user logs on to the workstation, all the running applications are closed and Enterprise SSO restarts with the user SSO configuration. Multi-User Desktop The Multi-User Desktop (MUD) is an advanced feature of the FUS. Indeed, the MUD enables a high number of users to work on a single station with simultaneous Windows sessions. When one of the users logs on to the workstation, all the applications of the user are opened and Enterprise SSO restarts with the user SSO configuration. NOTE:For more information on the FUS and the MUD, refer to Authentication Manager Session Management Administrator s Guide. Before starting You have rights to lock/unlock Enterprise SSO sessions. FUS: the workstation is configured to use the Fast User Switching feature with Authentication Manager. Switching Users Without Logging Off Windows 38

39 MUD: Applications must support several instances working simultaneously. A specific configuration is required for Internet Explorer. Please contact the One Identity Expertise Center. MUD is configured for stations where the Windows session is opened automatically and continuously and must never be locked. Do not activate the display screensaver, however a basic screensaver with no password request can be used. Log on to the workstation as explained in Logging on to Windows. Switching Users Without Logging Off Windows 39

40 5 Managing your Password or PIN Changing your Password Subject This section explains how to modify your own password or the password of another user (if you are allowed to). Description If you have authenticated with your: Smart card or RFID badge, you can modify the password of the account that you have used to authenticate, as explained in the following procedure. The password will be modified on the smart card or RFID badge and in the directory. User name and password, you can modify your password as explained in the following procedure. 1. Open a session as described in Logging on to Windows. 2. Press Ctrl+Alt+Del. 3. Click Change a Password. The change password window appears. NOTE: If the change password option has been disabled by your administrator, clicking on Change a Password will have no effect. The password change window differs depending on the authentication method used. Managing your Password or PIN 40

41 Windows 10 Windows 7 4. To help you enter a password consistent with the Password Format Control Policy, click Help me choose a valid password. The following window appears: 5. Fill-in the Password field and click OK. 6. Fill in the Confirm Password field and click or. Managing your Password or PIN 41

42 The password is modified in the LDAP directory. Changing an Expired Primary Password Subject If you authenticate with your User name and Primary Password, you can choose a new Primary Password. 1. When your Primary Password is expired, the Security Data Collection window appears. 2. To change your Primary Password, do one of the following: To use your own password, type in your chosen password in the Password and Confirmation fields. If your administrator has authorized it, you can generate a random password by selecting the Generate automatically check box. Managing your Password or PIN 42

43 3. Click the OK button. Your Primary Password has been changed. NOTE: If you are offline when your Primary Password is about to expire, you will be asked to change it the next time you log on. Resetting your Password by Logging on to Windows with your Mobile Device Subject If allowed by your security administrator, you can reset your primary password after logging on to Windows with your mobile device. For more information on this authentication method, refer to the QRentry - Guide de l utilisateur. Modifying your Smart Card PIN Subject This section explains how to change the PIN of your smart card. 1. Open a Windows session as described in Logging on to Windows with your Smart Card. 2. In the notification area, right click the Authentication Manager icon and select Change PIN. The change PIN window appears. Managing your Password or PIN 43

44 3. Enter the requested information and click OK. The smart card PIN is modified. Modifying your RFID badge PIN Subject This section explains how to modify the PIN of your RFID badge. 1. Open a Windows session as described in Logging on to Windows with your RFID Badge. 2. In the notification area, right click the Authentication Manager icon and select Change PIN. The change PIN window appears. Managing your Password or PIN 44

45 3. Enter the requested information and click OK. The RFID badge PIN is modified. Modifying an Expired PIN Subject When your PIN expires, you must change it. 1. When your PIN is expired, the change PIN window appears. 2. Enter your new PIN in the corresponding fields. NOTE: Your new PIN must comply with the PIN control policy. 3. Click the OK button. Your PIN has been modified. NOTE: If you are offline when your PIN is about to expire, you will be asked to change it the next time you log on. Resetting your PIN with your Primary Password Subject When your RFID badge is blocked because you entered too many wrong PINs, you can reset your PIN with your primary password. Managing your Password or PIN 45

46 1. When your PIN is blocked, the Unblock RFID badge PIN windows appears. 2. Enter your primary password in the Password field. 3. Enter a new PIN in the corresponding fields and click OK. Your PIN is reset. NOTE: If you are offline when your PIN is blocked, you will be asked to reset it the next time you log on. Your PIN can also be reset by the help desk. Resetting Your Password or PIN with the Emergency Access The emergency access (SSPR) enables you to authenticate and reset your password or PIN, whether you are connected or not to the network. If you are: Connected or not to the network, you can reset your password or PIN by answering questions, as described in Reset with Questions & Answers. Managing your Password or PIN 46

47 Connected to the network, you can reset your password by requesting an OTP sent to your mobile device/ , as described in Resetting with an OTP. IMPORTANT: If you are not connected to the network, you must answer the questions if it has been configured. Reset with Questions & Answers The following schema illustrates the tasks you have to perform to reset your password or PIN by answering a series of personal questions. These tasks are described in this section. NOTE: This PIN reset method is not compatible with the RFID+PIN authentication method. Managing your Password or PIN 47

48 Initializing the Self Service Password Request Feature Subject You must initialize the Self Service Password Request (SSPR) feature to save your answers to a set of questions. Then, to reset your password or PIN, you must answer the questions you have chosen. You can perform this task every time you want to update or change your questions and answers. Managing your Password or PIN 48

49 When the SSPR is enabled, you can define your questions (optional) and answers the first time that your Authentication Manager is activated. Then you may need to modify this information in the following cases: The questions have changed, so you have to update your answers. You must enter your answers periodically. You want to change your questions/answers. You can initialize the SSPR through the EAM portal (see One Identity EAM Portal - Guide de l utilisateur) or through the Authentication Manager icon as detailed in the following procedure. 1. Right-click the Authentication Manager icon in the notification area and select Manage Security Questions. The authentication window appears. 2. Enter your ID and Password and click OK The Self Service Password Request wizard appears. 3. Follow the displayed instructions: you have to select a number of questions and record their corresponding answers. NOTE: You may have restrictions to define your questions/answers, as for example a minimum/maximum number of characters, or words that you cannot use. If you do not know why your questions/answers are not accepted, contact your EAM administrator. Resetting Your Password Upon Session Opening Subject The Reset Password feature allows you to reset your password to open your Windows session even if you have forgotten your smart card or cannot remember your password. You can reset your password through the EAM portal (see One Identity EAM Portal - Guide de l utilisateur) or upon session opening as detailed in the following procedure. Before starting Authentication Manager must be installed on your workstation. You have chosen a set of questions and recorded the associated answers using the Self Service Password Request Wizard, as described in Initializing the Self Service Password Request Feature. Managing your Password or PIN 49

50 NOTE: If you have not initialized the Self Service Password Request feature and therefore cannot reset your password by yourself, the administrator can still modify your primary password from EAM Console. 1. Click or (if the session is locked and the unlocking by another user is forbidden, you cannot change the user name). 2. Do one of the following, depending on your Windows version: Windows version Windows 10 Action Check or enter your user name. Click the Questions and answers tile. Windows 7 Click the Password forgotten tile. Check or enter your user name. IMPORTANT: Replace this text with a notation that requires the reader's attention. 3. Click or (if the session is locked and the unlocking by another user is forbidden, you cannot change the user name). IMPORTANT: If the Questions and answers/password forgotten option does not appear on the screen, it means that your administrator has disabled it or that you do not own the license. The Self Service Password Request wizard appears. 4. Follow the instructions displayed in the Wizard window: answer each question, according to the answers you gave while initializing the Self Service Password Request. 5. Enter your new password twice. NOTE: Click Help me to choose a valid password to check that your new password is in accordance with the Password Format Control Policy. Managing your Password or PIN 50

51 6. Depending on the SSPR configuration, you may have to enter a challenge provided by the help desk to confirm your new password. Do the following: a. Call the help desk and give the displayed challenge. The help desk gives you back another challenge. NOTE: The challenge that the help desk gives you can only be used once. 7. Enter this challenge and validate. Your password is reset and your session opens. You can then use the new password for next logons. NOTE: If the password has been reset in disconnected mode, you will be asked to change it the next time you connect to the network. Resetting your PIN Subject The Reset PIN feature allows you to reset your PIN (either being online or offline) in case you have forgotten it. Before starting Authentication Manager must be installed on your workstation. You have chosen a set of questions and recorded the associated answers using the Self Service Password Request Wizard, as described in Initializing the Self Service Password Request Feature. 1. Insert your Smart Card. 2. In the authentication screen, click I have forgotten my PIN. IMPORTANT: If the I have forgotten my PIN option does not appear on the screen, it means that your administrator has disabled it or that you do not own the license. The Self Service Password Request wizard appears. 3. Follow the instructions displayed in the Wizard window: answer each question, according to the answers you gave while initializing the Self Service Password Request and enter your new PIN twice. The following window appears: Managing your Password or PIN 51

52 4. Call the help desk and give the displayed challenge. The help desk gives you back another challenge. NOTE: The challenge that the help desk gives you can only be used once. 5. Enter this challenge and click Next. When the Wizard terminates, your PIN is reset and a session opens. You can then use the new PIN for next logons. Resetting with an OTP Subject The Reset Password feature allows you to reset your password to open your Windows session even if you cannot remember your password. You can reset your password through the EAM portal (see One Identity EAM Portal - Guide de l utilisateur) or upon session opening as detailed in the following procedure. Before starting Authentication Manager must be installed on your workstation. Managing your Password or PIN 52

53 1. Do one of the following, depending on your Windows version: Windows version Windows 10 Windows 7 Action a. Check or enter your user name. b. Click the Questions and answers tile. a. Click the Password forgotten tile. b. Check or enter your user name. 2. {2}. Click or (if the session is locked and the unlocking by another user is forbidden, you cannot change the user name). IMPORTANT: If the Questions and answers/password forgotten option does not appear on the screen, it means that your administrator has disabled it or that you do not own the license. An OTP is sent to your mobile device/ . 3. Enter the received OTP and click or. 4. Enter your new password twice. NOTE: Click Help me to choose a valid password to check that your new password is in accordance with the Password Format Control Policy. Your password is reset and your session opens. You can then use the new password for next logons. Managing your Password or PIN 53

54 6 Managing your Smart Card Managing the Unblocking of your Smart Card During authentication, if you enter too many successive wrong PINs, your smart card blocks itself and the following window appears: You are asked to enter your unblocking PIN, or PUK, to unblock your smart card. You can provide your PUK beforehand: see Providing the Unblocking PIN of Your Smart Card. NOTE: This option is available only if your Administrator has authorized it. You must own a PUK to provide it. To unblock your smart card, see Unblocking your Smart Card. Providing the Unblocking PIN of Your Smart Card Subject Providing your unblocking PIN, or PUK, enables you to unblock your smart card if you have entered too many successive wrong PINs. Managing your Smart Card 54

55 1. Right-click the Authentication Manager icon in the notification area and select Collect unblocking PIN. The Collect unblocking code window appears. 2. Enter your PUK in both fields and click OK. IMPORTANT: If you enter too many successive wrong PUKs, your Smart Card blocks itself. 3. Enter your PIN to confirm your are the actual owner of this smart card and click the OK button. You PUK has been provided. Unblocking your Smart Card Before starting You can unblock your smart card only if it has an external CMS. If you: Have already provided your PUK, see Unblocking Your Smart Card if you have provided Your PUK. Have not provided your PUK, see Unblocking Your Smart Card if you have not provided Your PUK. Managing your Smart Card 55

56 Unblocking Your Smart Card if you have provided Your PUK 1. In the Smart Card Blocked window, click the OK button. The Unblock Smart Card window appears. 2. Call the Help Desk so that it can give you the Unblocking secret. 3. Enter you Unblocking secret in the Unblocking secret field. 4. Enter your new PIN in the New PIN and PIN confirmation fields. 5. Click OK. Your smart card is now unblocked. Unblocking Your Smart Card if you have not provided Your PUK 1. In the Smart Card Blocked window, click the OK button. The Unblock Smart Card window appears. Managing your Smart Card 56

57 2. Enter you PUK in the Your PUK field. 3. Enter your new PIN in the New PIN and PIN confirmation fields. 4. Click OK. Your smart card is now unblocked. Managing Primary Accounts on your Smart Card Before starting The following procedure only applies to smart cards that can store several SSO accounts. You can delete all the accounts stored on the smart card, even the one you used to log on with. In this case, after the account deletion, the session stays open. IMPORTANT: Do not lock the session as you will not be able to unlock it. We recommend you to log off the session after the account deletion. 1. Open a session as described in Logging on to Windows with your Smart Card. 2. In the notification area, right click the Authentication Manager icon and select Manage Primary Accounts. The Manage Primary Accounts window appears and lists the accounts stored on the smart card. Managing your Smart Card 57

58 3. Select the account you want to add or remove and click the Add or Remove button. 4. Follow the displayed instructions and click OK. The account is created/removed on/from the smart card. Renewing your Smart Card Certificate (s) Subject A set of certificates can be stored on you smart card. When these certificates are about to expire and upon a successful smart card authentication, Authentication Manager displays a warning message with the list of these certificates. To renew them, execute the following procedure. Restriction Compatible only with Windows Smartlogon cards. 1. Log on with your smart card. The Automatic Certificate Renewal window appears. Managing your Smart Card 58

59 2. Enter your PIN and click Renew all. Your certificate(s) has(have) been renewed and added to your smart card. NOTE: If your click Not now, your certificate is not renewed and the window will appear each time you log on until your renew the certificate(s). Managing your Smart Card 59

60 7 Recovering your SSO Data Subject If your password was forced by a directory administrator or if you have changed smart cards, you can recover your SSO data by providing your old password or by answering questions. Recovering your SSO data with your old password Before starting You authenticated at least once on your workstation connected to the network or an EAM directory is available. At session opening, the SSO data recovery window appears. Enter your old password and click OK. Your SSO data has been recovered. Recovering your SSO Data 60

61 Recovering your SSO data by answering questions Before starting Your administrator has given you the authorization (the SSPR must be configured in always available mode: see One Identity EAM Console - Guide de l'administrateur). You authenticated at least once on your workstation connected to the network or an EAM directory is available. The SSPRForSelfSSORecovery registry key (see Password Management) must be enabled. You must have chosen a set of questions and recorded the associated answers using the Authentication Manager Self Service Password Request Wizard. Refer to the Initializing the Self Service Password Request Feature. 1. At session opening, the SSO data recovery window appears. 2. Click Next. The Self Service Password Request wizard appears. 3. Follow the displayed instructions and answer the different questions. If you answered all the questions correctly, your SSO data is recovered. Recovering your SSO Data 61

62 If you did not answer all the questions correctly, you can restart the procedure or enter your old password. By clicking Cancel, the Enterprise SSO - Data Migration window appears. Recovering your SSO Data 62

63 8 Managing Your Windows Session Accounts The Windows Session Accounts window enables you to manage your Windows accounts. You can: Create or delete a Windows account, see Creating a Windows Session Account and Deleting a Windows Session Account. Delegate your Windows account(s), seedelegating a Windows Session Account. Remove your Windows account delegation(s), see Removing a Windows Session Account Delegation. Creating a Windows Session Account Before starting Your administrator must have created a Windows account for you beforehand. 1. Right-click the Authentication Manager icon in the notification area and select Windows Session Accounts. 2. Re-authenticate if needed. The Manage Windows session accounts window appears. Managing Your Windows Session Accounts 63

64 3. Select a Windows account and click the New button. The Windows account properties window appears. 4. Enter: The Role you want to give the new Windows Account in the Role field. Your Windows identifier in the Identifier field. Your corresponding Windows password in the Password field. 5. Click the OK button. Your Windows session account has been created. Managing Your Windows Session Accounts 64

65 Deleting a Windows Session Account 1. Right-click the Authentication Manager icon in the notification area and select Windows Session Accounts. 2. Re-authenticate if needed. The Manage Windows session accounts window appears. 3. Select the account you want to delete and click Delete. Your Windows session account has been deleted. Delegating a Windows Session Account 1. Right-click the Authentication Manager icon in the notification area and select Windows Session Accounts. 2. Re-authenticate if needed. The Manage Windows session accounts window appears. 3. Select the account you want to delegate and click the Delegate button. The Account Delegation window appears. 4. Type the name of the user to whom you want to delegate your Windows session account in the User name field and click the Search button. Managing Your Windows Session Accounts 65

66 The list of users appears. 5. Select the user in the displayed list. 6. Select the duration of the delegation by clicking the Delegation start and Delegation until drop-down lists. 7. Click the Delegate button. Your Windows session account has been delegated. Next time the user authenticates him/herself, he/she must choose between the displayed Windows session accounts. Removing a Windows Session Account Delegation 1. Right-click the Authentication Manager icon in the notification area and select Windows Session Accounts. 2. Re-authenticate if needed. The Manage Windows session accounts window appears. 3. Select the delegated Windows session account and click the Remove delegation(s) button. Your Windows session account is not delegated anymore. Managing Your Windows Session Accounts 66

67 9 Managing a Cluster from your Workstation Subject The Cluster mode enables you to access several workstations simultaneously. When you: Authenticate yourself on a workstation, sessions on other workstations you are using are also unlocked. Lock or switch off a workstation, all other workstations you are using are also locked or switched off. Reboot, you can reboot one or several workstations of your choice or the whole cluster at once. Attach or release a workstation, you can add a workstation from an existing cluster or an entire cluster to your own cluster and then release it. To manage your cluster, use the Cluster Wizard in the Authentication Manager dialog box. You can customize the way the workstations of a cluster are displayed on your screen: see Authentication Manager and Enterprise SSO Customization Guide. Before starting All the actions you can perform from your workstations are only available if they have previously been authorized by the EAM Console administrator: see Authentication Manager Cluster Administrator s Guide. The Cluster Client license keys must be installed on all EAM workstations on which the Cluster feature is used. Managing a Cluster from your Workstation 67

68 Creating and Configuring your Cluster Managing the Cluster Composition If you are authorized to access workstations of a cluster, you can attach one or more workstations from an existing cluster to your cluster. The workstation(s) is(are) detached when you release it(them) from your cluster or if another user authenticates on the original cluster. Attaching a Workstation to Your Cluster Subject Attaching a workstation to your cluster is not a permanent action, you can release a workstation whenever you want. You can attach only the workstations authorized by the administrator. Before starting The Windows session of the workstation you want to attach to your cluster must be closed. 1. Right-click the Authentication Manager icon in the notification area and select Manage Cluster. 2. Re-authenticate if needed. The Cluster wizard window appears. Managing a Cluster from your Workstation 68

69 3. Select Manage my cluster and click Next. The following window appears: Managing a Cluster from your Workstation 69

70 4. Do one of the following actions to add a workstation to your cluster: Type in the name of the workstation you want to attach in the corresponding field and click the Attach button. Click the Select button and select a workstation in the list displayed by the wizard. IMPORTANT:Only the workstations authorized by the administrator are displayed. 5. Click Finish. The workstation is now attached to your cluster and its session opens automatically. Releasing a Workstation from your Cluster Before starting You can release a workstation/cluster only if you have added it to your cluster beforehand. The released workstation is automatically reattached to its original cluster. Managing a Cluster from your Workstation 70

71 1. Right-click the Authentication Manager icon in the notification area and select Manage Cluster. 2. Re-authenticate if needed. The Cluster wizard window appears. 3. Select Manage my cluster and click Next. 4. The Attach/Detach workstation window appears. 5. Select the workstation you want to detach from your cluster and click the Detach button. 6. Click Finish. The workstation is now released from your cluster and its session closes automatically. Renaming your Workstation Subject You can rename your workstation, i.e. give it an alias that is displayed: 1. In the cluster management windows. 2. On the desktop (if configured). Setting an Alias 1. Right-click the Authentication Manager icon in the notification area and select Manage Cluster. 2. Re-authenticate if needed. The Cluster wizard window appears. 3. Select Manage my cluster and click Next. 4. The Attach/Detach workstation window appears. 5. Select one or more of the displayed workstations and click the Set alias button. The Set alias dialog box appears. Managing a Cluster from your Workstation 71

72 6. In the Alias field, enter the alias you want to give to your workstation and click the OK button. NOTE: Since the alias must be unique, a check is made to see if it does not already exist. The alias of your workstation has been set. Modifying an Alias Repeat the procedure of Setting an Alias and at step 5, modify the alias that is set. Deleting an Alias Repeat the procedure of Setting an Alias and at step 5, delete the text in the Alias field. Executing Maintenance Operations on Your cluster Removing Temporarily a Workstation from the Cluster Subject From your workstation, you can temporarily remove another workstation from the cluster. Managing a Cluster from your Workstation 72

73 This can be useful for maintenance operations: the workstation can be rebooted independently from the others. 1. Right-click the Authentication Manager icon in the notification area and select Deactivate cluster mode. The workstation is excluded from the cluster. It remains excluded even when you restart it. 2. To include the computer back into the cluster, click Activate cluster mode. Rebooting your Cluster Subject This action enables you to restart all the workstations in the cluster at once. Before starting There are two station behaviors: The master station can accept, decline or delay its reboot. The slave station can only accept or decline its reboot. 1. Right-click the Authentication Manager icon in the notification area and select Reboot Cluster. The following dialog box appears: IMPORTANT: If the station is a slave station, you can only accept or decline the reboot. Managing a Cluster from your Workstation 73

74 2. Do one of the following: Click Yes to reboot the cluster except your current workstation. The cluster is rebooted and locked: go to step 3. Click No to reboot the cluster including your current workstation. The cluster is rebooted. 3. Do one of the following: Click Yes to reboot your current workstation. Your current station is rebooted and the other workstations of the cluster stay locked. Click No to unlock the cluster without rebooting your current workstation. Refreshing the Displayed Data Subject If you change your desktop wallpaper, the cluster data disappears from the desktop. To redisplay this data, execute the following procedure. Right-click the Authentication Manager icon in the notification area and select Redraw wallpaper. The cluster data is re-displayed on the desktop. Managing a Cluster from your Workstation 74

75 10 Managing Session Delegation Configuring Session Delegation If for any reason you have to leave your workstation or cluster, you can delegate your Windows session to your delegate to monitor or intervene in any of your ongoing operations. You can configure session delegation either: Inside a cluster: see Configuring Session Delegation in a Cluster. Outside a cluster: see Configuring Session Delegation outside a Cluster. Configuring Session Delegation in a Cluster In cluster mode, you can delegate your workstation to your Primary delegate or your Backup: The Primary delegate is the main person to whom you are delegating your session. If the Primary delegate is not available, the Backup is the one monitoring your workstation. For more information on cluster configuration, go to Section 9., "Gérer une grappe à partir de votre poste de travail". There are two types of session delegation: Temporary: the session is delegated only once, until the next time you reauthenticate yourself. For more details, refer to: Setting a Temporary Session Delegation. Ending a Temporary Session Delegation. Permanent: the session is delegated permanently, until you stop delegating the workstation. For more details, refer to: Setting a Permanent Session Delegation. Ending a Permanent Session Delegation. Managing Session Delegation 75

76 Setting a Temporary Session Delegation Subject If the administrator has activated the approval function, your Primary delegate or your Backup must be at his workstation to accept the session delegation, i.e. with an unlocked workstation. Once you have delegated your session, if your Primary delegate leaves and locks his workstation, your delegated workstations are not part of his cluster anymore. If he wants to include them back into his cluster, he must follow the procedure described in Accessing a Colleague s Workstation in a Cluster. 1. Right-click the Authentication Manager icon in the notification area and select Set temporary session delegation. 2. Re-authenticate if needed. The Cluster wizard window appears. 3. Click the Manage delegates button to select your Favorite users and fill-in the Primary delegate and Backup drop-down lists. If you have already done so, go directly to step 7. The Manage delegates window appears. Managing Session Delegation 76

77 4. Select your favorite users by typing their name in the Find names starting with field and click the Search button. A list of the names appears in the Search Results area. 5. Select your favorite users and click the Add button to add the names to your favorite users list. 6. Click Close. 7. In the Primary delegate drop-down list, select your Primary delegate. 8. If you want a Backup, select the Backup check box and select him/her in the drop-down list. 9. Click the Advanced Delegation button to delegate more than one workstation from your cluster. 10. Click the Delegate button. Your temporary session delegation is now set and the selected workstation(s) from your cluster is(are) delegated, pending approval from the Primary delegate/backup. NOTE: If you retrieve your smart card, your cluster locks itself except your delegated workstations. Ending a Temporary Session Delegation Subject There are different ways to end a temporary session delegation. If the master workstation is delegated, you have to end the delegation and lock the workstation by inserting your smart card and re-authenticate yourself. Managing Session Delegation 77

78 Do one of the following: Reauthenticate yourself. Use Authentication Manager: a. Right-click the Authentication Manager icon in the notification area and select Set temporary session delegation. b. Reauthenticate if needed. The Cluster wizard window appears. c. Click the Remove delegation button. The session delegation has ended. Ask the Primary delegate or Backup to end the delegation (see Ending the control over a Workstation). If... the Primary delegate or Backup ends the delegation... you lock a cluster containing a delegated workstation... you shut down a cluster containing a delegated workstation... Then... the delegated workstation(s) is/are locked. the workstation locks itself. the workstation is released from the cluster and locks itself. Setting a Permanent Session Delegation Subject You can delegate as many workstations to as many delegates as you want. 1. Right-click the Authentication Manager icon in the notification area and select Manage Cluster. 2. Reauthenticate if needed. The Cluster wizard window appears. 3. Select Manage permanent delegations and click Next. The following window appears: Managing Session Delegation 78

79 4. Select a delegate in the drop-down list or click the Add button to add users to your delegates list. 5. Do one of the following: In the Delegated workstations area, select the workstations you want to delegate to the selected delegate. Click the Select all button to select all the workstations at once. 6. Click the Submit button. The next time you lock your workstation(s), your selected delegate will be able to take control over your selected workstation(s). Ending a Permanent Session Delegation Subject There are different ways to end a permanent session delegation. If the master workstation is delegated, you have to end the delegation and lock the workstation by inserting your smart card and re-authenticate yourself. Managing Session Delegation 79

80 1. Right-click the Authentication Manager icon in the notification area and select Manage Cluster. 2. Reauthenticate if needed. The Cluster wizard window appears. 3. Select Manage permanent delegations and click Next. 4. The Manage your permanent delegation window appears. 5. Clear the check box(es) corresponding to the workstation(s) for which you want to end the delegation. 6. Select the delegate for whom you want to end the delegation and click the Remove button. NOTE: Click the Remove all button to remove all the delegations at once. 7. Click the Submit button. The session delegation has ended. If... the Primary delegate or Backup ends the delegation... you shut down a cluster containing a delegated workstation... Then... the delegated workstation(s) is/are locked. the workstation is released from the cluster and locks itself. Configuring Session Delegation outside a Cluster There is only one type of session delegation outside a cluster: permanent delegation. For more information, refer to the following sections: Setting a Session Delegation Ending a Session Delegation. Setting a Session Delegation You can delegate several workstations to one of your delegates. Managing Session Delegation 80

81 1. Right-click the Authentication Manager icon in the notification area and select Manage Session Delegation. 2. Reauthenticate yourself. The Windows session delegation window appears. 3. Select a delegate in the drop-down list or click the Add button to add users to your delegates list. 4. Do one of the following: In the Delegated workstations area, select the workstations you want to delegate to the selected delegate. Click the Select all button to select all the workstations at once. 5. Click Apply. The next time you lock your workstation(s), your selected delegate will be able to take control over your selected workstation(s). Ending a Session Delegation 1. Right-click the Authentication Manager icon in the notification area and select Manage Session Delegation. 2. Reauthenticate yourself. Managing Session Delegation 81

82 The Windows session delegation window appears. 3. Clear the check box(es) corresponding to the workstation(s) for which you want to end the delegation. 4. Select the delegate for whom you want to end the delegation and click the Remove button. 5. Click Apply. NOTE: Click the Remove all button to remove all the delegations at once. The session delegation has ended. NOTE: If the delegate ends the delegation, the delegated workstation(s) is(are) locked. Accessing a Colleague s Workstation Subject If you are a delegate, you can take control over one of your colleague s locked workstation (s) to monitor or intervene in any of his ongoing operations. The Windows context is the one of the user who has opened the session and the SSO engine (if any) is suspended. You can access a colleague s workstation whether you are: Inside a cluster:accessing a Colleague s Workstation in a Cluster Outside a cluster: Accessing a Colleague s Workstation outside a Cluster. Accessing a Colleague s Workstation in a Cluster The delegated workstations are not attached to the delegate cluster and the operations performed on these workstations are not propagated to the cluster. NOTE: By double-clicking the Authentication Manager icon, you directly access the Access a colleague s workstation feature. Managing Session Delegation 82

83 Taking control over another workstation Before starting Your colleague must have designated you as his Primary delegate or his backup. Your colleague s workstation(s) must be locked. 1. Double-click the Authentication Manager icon in the notification area. 2. Reauthenticate if needed. The following window appears with the list of workstations you are authorized to take control over. NOTE: If you are allowed a permanent session delegation, all the workstations are displayed whether they are delegated temporarily or permanently. 3. Select the workstation(s) you want to take control over and click the Unlock button. NOTE: Click the Select all button to select all the displayed workstations. You now have the control over the selected workstation(s). Managing Session Delegation 83

84 Ending the control over a Workstation Subject There are two ways to end the control over a delegated workstation. If you do not lock the workstation, it will be locked when you lock your cluster. To take back the control over your delegated workstation, the latter must be locked. When the delegate unlocks his cluster, the previously controlled workstation does not unlock itself. To take the control back, he must follow the same procedure as described in Accessing a Colleague s Workstation in a Cluster. Do one of the following operations: On the delegated workstation, press Windows+L to lock it. The delegate ends the control by following this procedure: a. Double-click the Authentication Manager icon in the notification area. b. Reauthenticate if needed. The Access a colleague s workstation window appears. c. Select the workstation(s) you want to end control over and click the Lock button. The workstation is not under your control anymore. Accessing a Colleague s Workstation outside a Cluster Taking control over another workstation Before starting Your colleague must have designated you as his delegate. Your colleague s workstation(s) must be locked. On Windows 7 workstations, set the following key to support unlock request: HKEY_ LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\Winlogon\DisableCAD Managing Session Delegation 84

85 1. Right-click the Authentication Manager icon in the notification area and select Access a Colleague s Workstation. 2. Reauthenticate yourself. The following window appears with the list of workstations you are authorized to take control over. 3. Select the workstation(s) you want to take control over and click the Unlock button. NOTE: Click the Select all button to select all the displayed workstations You now have the control over the selected workstation(s). Ending the control over a Workstation Subject To take back the control over your delegated workstation, the latter must be locked. Do one of the following operations: Managing Session Delegation 85

86 On the delegated workstation, press Windows+L to lock it. The delegate ends the control by following this procedure: a. Right-click the Authentication Manager icon in the notification area and select Access a Colleague s Workstation. b. Reauthenticate yourself. The Unlock Colleague Workstation window appears. c. Select the workstation(s) you want to end control over and click the Lock button. The workstation is not under your control anymore. Managing Session Delegation 86

87 11 Ending a Roaming session Subject When you authenticate yourself with a smart card, you can end your Roaming Session through the Authentication Manager icon located in the notification area. 1. Right-click the Authentication Manager icon in the notification area and select Roaming Session. 2. Reauthenticate if needed. The Roaming Session Management window appears. 3. Click the Terminate button. Your Roaming Session has ended. Ending a Roaming session 87

88 12 Logging on a User Session as an Administrator Logging on a User Session with Your Smart Card: "Grace period" Subject An administrator can log on a user's session using his own smart card, even though the user opened his Windows session using a smart card. 1. Press the SHIFT key during the logged user smart card withdrawal. The user session is left unchanged. If Enterprise SSO was running, it is automatically set to a locked mode. 2. Insert your administrator smart card and enter your PIN before the end of the grace period (the default value is 60 seconds). NOTE: The length of the grace period can be configured from EAM Console. This authentication enables User Access to check your identification data. The user Windows session stays open: your Windows permissions do not apply. 3. Perform your administration tasks on the user workstation: if you run an EAM application (Enterprise SSO Studio, etc.), the authentication is done using your administrator smart card. 4. When you have finished with the user's workstation, withdraw your smart card. The user session appears as it was before the smart card removal. The user is prompted to insert his smart card and provide his PIN to turn Enterprise SSO back to the unlocked mode. Logging on a User Session as an Administrator 88

89 Logging on as local administrator with your mobile device Subject If your administrator has authorized it, you can log on as local administrator on a user workstation using your mobile device, from the Connect with a mobile device tile. For more information on this authentication method, refer to the QRentry - Guide de l utilisateur. Running a Process on a User Session Subject An administrator can log on a user's session using his own smart card or OTP, even though the user opened his Windows session using same authentication method. Running a Process Using your Smart Card 1. Press the Windows+R keys. The Execute window appears: 2. Enter cmd in the Open field. 3. Click the OK button. The Command Prompt window appears. 4. Insert your administrator Smart Card. 5. Enter the following command line and press the ENTER key: C:\%EAM installation folder%\amrunas <Command Line> 6. If you have several accounts on the smart card, type in the displayed account number and press the ENTER key. 7. Enter your PIN and press the ENTER key. The command line has been executed with your Windows credentials. NOTE: The AMRunAS command line is derived from the RunAS Windows command line. You can display all the different command lines and their description by entering the following command line: RunAS.exe /? Logging on a User Session as an Administrator 89

90 Running a Process Using your OTP 1. Press the Windows+R keys. The Execute window appears: 2. Enter cmd in the Open field. 3. Click the OK button. The Command Prompt window appears. 4. Enter the following command line and press the ENTER key: C:\%EAM installation folder%\amrunas.exe /OTP /USER:DomainName\ UserName <Command Line> 5. Enter your OTP and press the ENTER key. You are now logged on with your Windows credentials. Restarting and Running Enterprise SSO with your Credentials Before starting If the administrator needs to use Enterprise SSO or any other application, it must be installed on the user s workstation. 1. Press the Windows+R keys. The Execute window appears: 2. Enter cmd in the Open field. 3. Click the OK button. The Command Prompt window appears. 4. Enter the following command line and press the ENTER key: C:\%EAM installation folder\amrunas.exe /SSO <Command Line> Enterprise SSO restarts with your credentials. Logging on a User Session as an Administrator 90

91 13 Managing Reports Subject Authentication Manager enables you to download PDF reports (generated on demand or periodically) and to save them on your workstation. NOTE: A notification can be sent to you informing you that a report is available for download from Authentication Manager. For more information on report generation, refer to the One Identity EAM Console - Guide de l'administrateur. 1. Right-click the Authentication Manager icon in the notification area and select Manage reports. 2. Re-authenticate if needed. The report management window appears. Managing Reports 91

92 3. Click Preferences to define the destination directory of the reports to download. Once you have finished, click OK to come back to the management window. 4. Click Search to display the reports that are assigned to you. NOTE: Select the Show reports generated in the last x days check box to limit the number of reports taken into account Managing Reports 92