SELF SERVICE RESET PASSWORD MANAGEMENT ARCHITECTURE GUIDE

Similar documents
Copyright Tools4ever B.V. All rights reserved.

SELF SERVICE RESET PASSWORD MANAGEMENT COM OBJECT GUIDE

VERSION 6.78 BUILD 1180, SEPTEMBER 1, 2017

Copyright Tools4ever B.V. All rights reserved.

User Management Resource Administrator. UMRA Example Projects. Printer Queue Management

The PCM rule dialog now adjust the size of the window and rules if the font size is enlarged.

ENHANCEMENTS The PCM rule dialog now adjust the size of the window and rules if the font size is enlarged.

McAfee File and Removable Media Protection Product Guide

Sphinx Feature List. Summary. Windows Logon Features. Card-secured logon to Windows. End-user managed Windows logon data

IBM IBM Tivoli Access Manager for Enterprise Single Sign-On V8.0.1 Implementation.

ANIXIS Password Reset

Security in Confirmit Software - Individual User Settings

NetIQ SecureLogin 8.7 enhances the product capability and resolves several previous issues.

Sophos Central Device Encryption. Administrator Guide

FAQ. General Information: Online Support:

Safe AutoLogon Password Server

SecuRemote for Windows 32-bit/64-bit

EMC Clariion SAN storage system

Cloud FastPath: Highly Secure Data Transfer

Endpoint Protection with DigitalPersona Pro

Sophos Mobile. startup guide. Product Version: 8.1

March 2011

Salesforce1 Mobile Security White Paper. Revised: April 2014

81 -key The Power of a Touch. ID DIRECTOR for Windows. Microsoft Partner. Adress 3349 Highway 138 BLDG A STE E Wall, NJ 07719

Active Directory Attacks and Detection

FRAMEWORK VERSION 3.0 NETWORK INSTALLATION INSTALLING MICROSOFT STEP BY STEP INTERACTIVE TRAINING SOFTWARE

Equitrac Embedded for Ricoh Basic. Setup Guide Equitrac Corporation

MultiConnect rcell 100 Series Cellular Routers

EAM Portal User's Guide

Oracle Enterprise Single Sign-on Kiosk Manager. User Guide Release E

Getting Started with OmniVista Security

Copyright 2017 Softerra, Ltd. All rights reserved

NetScaler Radius Authentication. Integration Guide

NetIQ Advanced Authentication Framework - Group Policy Templates. Administrator's Guide. Version 5.1.0

Oracle Enterprise Single Sign-on Kiosk Manager

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1810

Symantec Managed PKI. Integration Guide for ActiveSync

HIPAA Faxing Checklist

Sophos Mobile Control startup guide. Product version: 7

Authentication Manager Self Service Password Request Administrator s Guide

citrix MetaFrame Password Manager2.0:Adminsitration

DELL EMC OPENMANAGE ESSENTIALS (OME) SNMPV3 SUPPORT

Security Service tools user IDs and passwords

USER GUIDELINES. Q 2. Is it necessary to configure password retrieval question and answer? How can I do that? Q 3. How can I change password?

User Guide. Version R94. English

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide

MANAGING LOCAL AUTHENTICATION IN WINDOWS

YubiKey Smart Card Minidriver User Guide. Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n

SOA Software Platform 7.x: Configuring a Standalone Container

Partner Information. Integration Overview Authentication Methods Supported

Citrix Access Gateway Implementation Guide

Integration Guide. SafeNet Authentication Manager. SAM using RADIUS Protocol with SonicWALL E-Class Secure Remote Access

Securing VMware NSX MAY 2014

OmniAccess 3500 Nonstop Laptop Guardian Release 1.2 Administrator Release Notes

Encrypted Phone Configuration File Setup

Security Guide Release 4.0

One Identity Password Manager User Guide

Guide to your CGIAR Network account Self Service tool

FORUM Business Online Banking

Getting Started with. Management Portal. Version

Indeed Card Management Smart card lifecycle management system

Integration Guide. SafeNet Authentication Manager. Using RADIUS Protocol for Citrix NetScaler 10.5

Upgrading the Cisco APIC-EM Deployment

Installation & Administration Guide

Aegis Padlock DT. User s Manual

YubiKey Smart Card Minidriver User Guide. Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n

Monitoring NetApp Products

Oracle Hospitality Simphony Post-Installation or Upgrade Guide. Release 18.2

User Guide. Version R92. English

Configuring Remote Access using the RDS Gateway

Symantec PGP Viewer for ios

Sophos Mobile. startup guide. Product Version: 8.5

PROXY Pro v10 RAS Security Layer Overview

BIG-IP System: Migrating Devices and Configurations Between Different Platforms. Version

Unified Security Platform. Security Center 5.4 Hardening Guide Version: 1.0. Innovative Solutions

DUO Two Factor Authentication (DUO 2FA) User Guide for O365 Applications Login

Veritas SaaS Backup for Office 365

At present, PABP is a voluntary compliance process for software vendors but will soon be mandatory.

Polycom CMA System Upgrade Guide

SecurEnvoy Windows Logon Agent Installation and Admin Guide v9.3 Including support for SecurPassword

Parallels Mac Management for Microsoft SCCM

Microsoft Intune App Protection Policies Integration. VMware Workspace ONE UEM 1811

VMware AirWatch Certificate Authentication for EAS with ADCS

NetIQ Advanced Authentication Framework. Deployment Guide. Version 5.1.0

Oracle Enterprise Single Sign-on Provisioning Gateway

Avaya Converged Platform 130 Series. idrac9 Best Practices

Quest One Password Manager

INSTALLATION GUIDE Spring 2017

Microsoft Exchange Proxy Settings Outlook 2010 Gpo

Instructions for connecting to the FDIBA Wireless Network (Windows Vista)

Sophos Mobile in Central

Workspace ONE UEM Certificate Authority Integration with Microsoft ADCS Using DCOM. VMware Workspace ONE UEM 1811

Application of Cryptography in.net Framework

Legal Notes. Regarding Trademarks. Models supported by the KX printer driver KYOCERA Document Solutions Inc.

Instant HR Auditor Installation Guide

Moxa Remote Connect Server Software User s Manual

G/On. G/On is available for Windows, MacOS and Linux (selected distributions).

User Directories. Overview, Pros and Cons

System Administrator s Guide Login. Updated: May 2018 Version: 2.4

Clay Tablet Connector for Adobe Experience Manager. User Guide. Version 2.3.0

Transcription:

SELF SERVICE RESET PASSWORD MANAGEMENT ARCHITECTURE GUIDE

Copyright 1998-2017 Tools4ever B.V. All rights reserved. No part of the contents of this user guide may be reproduced or transmitted in any form or by any means without the written permission of Tools4ever. DISCLAIMER - Tools4ever will not be held responsible for the outcome or consequences resulting from your actions or usage of the informational material contained in this user guide. Responsibility for the use of any and all information contained in this user guide is strictly and solely the responsibility of that of the user. All trademarks used are properties of their respective owners. www.tools4ever.com

Contents 1. Introduction 1 2. Architecture 1 2.1. SSRPM Service... 2 2.1.1. Fail Over / Redundancy... 3 2.2. Admin console... 4 2.3. Client software... 4 2.3.1. Enrollment Wizard... 4 2.3.2. Reset Wizard... 4 2.3.3. GINA/Credential Provider... 5 2.4. COM Object... 5 2.5. Webinterface... 5 2.6. Helpdesk Caller Identification... 5 2.7. Complete overview... 6 3. Index 7 Copyright Tools4ever 1998-2017 i

1. Introduction SSRPM consists of many components that communicate with one another. Some of these components also store (encrypted) information in a database or in files. This document describes all of the components of SSRPM, what kind of data is stored, the encryption used and the communication methods. 2. Architecture SSRPM consists of multiple components. This chapter describes these components and their relation to other components. Overview of components and their relation. Copyright Tools4ever 1998-2017 1

2.1. SSRPM Service The main component of SSRPM is the SSRPM Service. This service manages all of the connections with the clients as well as the connection with the SSRPM Database. The SSRPM Service may be installed on any server in the network. The MSSQL database does not need be be installed on the same machine. Communication The SSRPM Service communicates with the SMS Gateway over an HTTPS connection. By default the SSRPM service communicates over port 39746 with the clients. The most important data stored by SSRPM service are the user answers. In order to store the data safely and to support certain functionality, the SSRPM service supports the following mechanisms to store the user answers in the database: Clear text MD5 SHA 256 (Default) Reversible encryption Clear text The answers are stored in the database as plain text. This option is not recommended. MD5 and SHA 256 hash The answers are stored in the database as a hash. It is not possible to reconstruct the original answer from a hash. It is recommended to use SHA 256 hashing as it is the most secure method. Reversible encryption The reversible encryption is based on the credentials of the SSRPM service account and uses 256-bit AES encryption. This option is required for the helpdesk caller identification functionality. Copyright Tools4ever 1998-2017 2

2.1.1. Fail Over / Redundancy SSPRM is designed so that it can be configured in a high availability situation.there are several mechanisms that may be used to achieve high availability. Offline mode The user clients can be configured so that they cache user and configuration data locally on the client machine. This allows users to logon using SSRPM even if the SSRPM service is not available. The functionality provided by the user client offline mode can also be used to service laptops that are not always connected to the company network. When the laptops connect to the network, they communicate with the SSRPM service to exchange data. This data is then stored locally so that the user can continue to use SSRPM when he/she works at home or another location. Multiple SSRPM Services Multiple SSRPM services may be installed to provide high availability in case of hardware failure on one of the servers that is running the SSRPM service. The clients will automatically connect to another server if the connection to the SSRPM service fails, assuming the server names are pushed to the clients. Multiple SSRPM databases In combination with multiple SSRPM services multiple Databases may be used. The databases must run on a MSSQL server and replicate the data stored in the database to the other SSRPM databases. The configuration guide contains a step by step guide on how to configure an MSSQL server for replication. Copyright Tools4ever 1998-2017 3

2.2. Admin console Administrators can use the admin console to install and manage the SSRPM service. The admin console communicates with the SSRPM Service using secure RPC connection. The encryption method used by the secure RPC connection depend on the security settings of the domain. The minimal encryption used is 128 bit RC4 encryption. 2.3. Client software The client software consists of three components: 1. Enrollment wizard 2. Reset Wizard 3. GINA/Credential Provider 2.3.1. Enrollment Wizard The enrollment wizard is installed on the workstations. The end user can use this application to enroll in SSRPM. It also checks periodically if a user is enrolled, if the user should re-enroll and (if applicable) if the data in the local cache is up-to-date. The local cache is only used for the offline logon functionality. If this functionality is not enabled, no data stored in the local cache. Local Cache The local cache contains all the information required to perform a offline logon. This includes profile and user data. The data stored in the local cache is stored as binary data and is encrypted using the local system account using Windows Data Protection which use 256 bit AES encryption. On top of that, the answers are additionally encrypted with the unencrypted answer or hash as salt. This means that the answers can only be decrypted if you already have the answer. The enrollment wizard communicates with the SSRPM Service using secure RPC connection. The encryption method used by the secure RPC connection depend on the security settings of the domain. The minimal encryption used is 128 bit RC4 encryption. 2.3.2. Reset Wizard The reset wizard is installed on the workstations. The end user can use this application to reset his/her password or unlock his/her account. Local Cache The local cache contains all the information required to perform a offline logon. If the reset wizard can't connect to the SSRPM service it will look in the local cache if it can perform an offline logon. The reset wizard communicates with the SSRPM Service using secure RPC connection. The encryption method used by the secure RPC connection depend on the security settings of the domain. The minimal encryption used is 128 bit RC4 encryption. Offline SMS If the SMS authentication is enabled and required during the offline logon procedure, the reset wizard will try to connect to the SMS Gateway over an HTTPS connection and the transmitted data will be encrypted using 128 bit RC4 encryption. Copyright Tools4ever 1998-2017 4

2.3.3. GINA/Credential Provider SSRPM includes two types of GINA's/Credential providers, the standard GINA/Credential provider and the offline GINA/Credential provider. Standard The standard GINA/Credential provider is installed on the workstation with the enrollment- and reset wizard. It doesn't use the local cache nor does it communicate with the SSRPM service. Offline The offline GINA/Credential provider needs to be installed on the workstation separately, in addition to the client software. It also doesn't communicate with the SSRPM service, but it does cache credentials for the offline logon procedure. The cached credentials are encrypted using 256 bit AES encryption. 2.4. COM Object The COM object is typically used by the web interfaces of SSRPM. The COM object communicates with the SSRPM Service using secure RPC connection. The encryption method used by the secure RPC connection depend on the security settings of the domain. The minimal encryption used is 128 bit RC4 encryption. 2.5. Webinterface It is recommended to install the web interface on a separate server, especially if it can be accessed from outside the network. The end user can use the webinterface to enroll in SSRPM, to reset his password or to unlock his account. The end user communicates with the webinterface using HTTPS. The webinterface uses the COM-object to communicate with the SSRM Service. 2.6. Helpdesk Caller Identification The administrator can use this web interface to determine if the end users knows the answers to his challenge questions without finding out the whole answer. This functionality requires that the SSRPM service stores the user's answers using reversible encryption. However the answers are only decrypted by the SSRPM service and never leave the SSRPM service. The end user communicates with the webinterface using HTTPS. The webinterface uses the COM-object to communicate with the SSRM Service. Copyright Tools4ever 1998-2017 5

2.7. Complete overview Copyright Tools4ever 1998-2017 6

3. Index A Admin console 4 Architecture 1 C Client software 4 COM Object 5 Complete overview 6 E Enrollment Wizard 4 F Fail Over / Redundancy 3 G GINA/Credential Provider 5 H Helpdesk Caller Identification 5 I Introduction 1 R Reset Wizard 4 S SSRPM Service 2 W Webinterface 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback