Contents

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Conventions

1 Introduction to Oracle Enterprise Single Sign-On Suite

• 1.1 Suite Components
  • 1.1.1 Logon Manager
  • 1.1.2 Password Reset
  • 1.1.3 Provisioning Gateway
  • 1.1.4 Anywhere
  • 1.1.5 Universal Authentication Manager
  • 1.1.6 Reporting
• 1.2 Suite Administration
• 1.3 Overview of the Administrative Console
• 1.4 Administrative Console Menu Commands for Logon Manager
• 1.5 Administrative Console Menu Commands for Password Reset

2 Using the Administrative Console to Configure Logon Manager

• 2.1 Overview
  • 2.1.1 Architecture/Modules
    • 2.1.1.1 Authentication
    • 2.1.1.2 Encryption
    • 2.1.1.3 Intelligent Agent Response
    • 2.1.1.4 Core (Including Storage)
    • 2.1.1.5 Credential Synchronization
    • 2.1.1.6 Event Logging
    • 2.1.1.7 Miscellaneous Components
  • 2.1.2 Common Scenarios
  • 2.1.3 Resources
• 2.2 Logon Manager Features
• 2.3 Considerations Before Deploying Logon Manager
  • 2.3.1 User Work Modes
    • 2.3.1.1 One Workstation, One User
    • 2.3.1.2 Frequent Movement Among Few Workstations
    • 2.3.1.3 Frequent Movement Among Many Workstations
    • 2.3.1.4 One Workstation, Many Users
    • 2.3.1.5 Disconnected
    • 2.3.1.6 Security Locked Down vs. User Freedom
    • 2.3.1.7 Usability: User Flexibility vs. Simplicity
    • 2.3.1.8 Other Settings
  • 2.3.2 System Configuration
    • 2.3.2.1 Application Configurations
  • 2.3.3 Software Rollout Basics
  • 2.3.4 Administration and Management
• 2.4 Configuring the Server for Logon Manager
  • 2.4.1 LDAP Directory Server Configuration
  • 2.4.2 File Systems Configuration
    • 2.4.2.1 Creating the Container Object
  • 2.4.3 Database Synchronization Configuration
  • 2.4.4 IBM DB2 Configuration
    • 2.4.4.1 IBM DB2 Setup Requirements
    • 2.4.4.2 Extending the Database Schema
    • 2.4.4.3 Publishing to the Repository
    • 2.4.4.4 Required Settings for Connecting to IBM DB2 Database
  • 2.4.5 Repositories
    • 2.4.5.1 Displaying and Connecting to a Repository
    • 2.4.5.2 Repository Actions and Options
    • 2.4.5.3 Add User or Group (for Active Directory Role/Group Support)
    • 2.4.5.4 Viewing Global Group Membership (for AD Role/Group Support)
    • 2.4.5.5 Searching for Specific Users or Groups (for AD Role/Group Support)
    • 2.4.5.6 Adding Users or Groups (for LDAP Role/Group Support)
    • 2.4.5.7 Selecting a Search Base (for LDAP Role/Group Support)
    • 2.4.5.8 Browsing for a Repository
    • 2.4.5.9 Connecting to the Repository
    • 2.4.5.10 Connection Controls
    • 2.4.5.11 Creating a New Container
    • 2.4.5.12 Editing a Server List
    • 2.4.5.13 Editing a Repository List
    • 2.4.5.14 Subnodes Filtering Options
    • 2.4.5.15 Working with Filtered Subnodes
    • 2.4.5.16 Importing Multiple Objects to the Administrative Console
    • 2.4.5.17 Publish to Repository
    • 2.4.5.18 Publishing to the Repository from the Administrative Console
    • 2.4.5.19 Exporting Administrative Overrides from the Administrative Console
    • 2.4.5.20 Displaying the Publish to Repository Window
    • 2.4.5.21 Publishing to the Repository from a Data File
    • 2.4.5.22 Exporting Administrative Overrides from Data Files
    • 2.4.5.23 Displaying the Wizard Page
  • 2.4.6 Configuring Logon Manager Support
  • 2.4.7 Exporting Administrative Overrides to a Synchronizer Container
  • 2.4.8 Select Applications, Password Policies, and Session Lists to Publish to Repository
  • 2.4.9 Selecting Global Agent Settings to Publish to Repository
  • 2.4.10 Including Passphrase Questions to Publish to the Repository
    • 2.4.10.1 Publish to Repository Summary Page
  • 2.4.11 Selecting Role/Group Support Mode When Publishing to a Repository
  • 2.4.12 Configuring Applications for an EntList
  • 2.4.13 Adding a Locator Object
  • 2.4.14 View Object
• 2.5 Synchronization
  • 2.5.1 Supported Synchronizers
  • 2.5.2 Directory Server Synchronization Support
  • 2.5.3 Directory Structure
  • 2.5.4 Finding and Creating User Objects
    • 2.5.4.1 Method 1: Logon Manager Looks for the User Object
    • 2.5.4.2 Method 2: Logon Manager Looks for a User Pointer
    • 2.5.4.3 Method 3: Logon Manager Looks for a Default Pointer
  • 2.5.5 File System Synchronization Support
    • 2.5.5.1 File System Structure
  • 2.5.6 Database Synchronization Support
  • 2.5.7 Multiple Synchronizer Support
  • 2.5.8 Multiple Synchronizer Extensions
  • 2.5.9 Multiple Configurations of the Same Synchronizer Extension
  • 2.5.10 Overriding Configuration Objects
  • 2.5.11 Working with Multiple Sets of Overriding Settings
    • 2.5.11.1 Sample Scenarios
  • 2.5.12 Selective Backup/Restore
  • 2.5.13 Command-Line Synchronization
• 2.6 Setting Password Policies
  • 2.6.1 Creating Password Generation Policies
  • 2.6.2 Adding a Password Policy
  • 2.6.3 Working with a Selected Password Policy
  • 2.6.4 Managing Policy Subscribers
  • 2.6.5 The Password Constraints Tab
    • 2.6.5.1 Password Constraint Options
  • 2.6.6 Testing a Password Policy
    • 2.6.6.1 Generating a Test Password
• 2.7 Using Passphrase Sets
  • 2.7.1 Adding a Passphrase Set
  • 2.7.2 Deleting a Passphrase Set
  • 2.7.3 Modifying a Passphrase Set
  • 2.7.4 Setting the Default Passphrase Set
  • 2.7.5 Working with the Questions Tab
• 2.8 Working with Credential Sharing Groups
  • 2.8.1 Adding Predefined Applications to a Credential Sharing Group
  • 2.8.2 Creating Credential Sharing Groups
  • 2.8.3 Viewing or Editing a Sharing Group
  • 2.8.4 Deleting a Credential Sharing Group
  • 2.8.5 The Domain Sharing Group
  • 2.8.6 The LDAP Sharing Group
  • 2.8.7 Settings for a Selected Credential Sharing Group
  • 2.8.8 Adding Applications to a Credential Sharing Group
  • 2.8.9 Editing Applications in a Credential Sharing Group
  • 2.8.10 Removing Applications from a Credential Sharing Group
• 2.9 Working with User Exclusions
  • 2.9.1 Creating an Exclusion List
  • 2.9.2 Publishing an Exclusion List
    • 2.9.2.1 Special Considerations for Active Directory Users
    • 2.9.2.2 Publishing Exclusion Lists with Configuration Files
  • 2.9.3 Add Exclusion List Dialog
  • 2.9.4 Working with a Selected Exclusion List
    • 2.9.4.1 Selecting an Exclusion List for Viewing or Editing
    • 2.9.4.2 Exclusion Subscribers
    • 2.9.4.3 Excluded Usernames
• 2.10 Using Shared Accounts
• 2.11 Storing User Data
  • 2.11.1 Storing Credentials in the User Object
  • 2.11.2 File-Based Backup/Restore
    • 2.11.2.1 Automatic Backup
    • 2.11.2.2 Command-Line Backup
    • 2.11.2.3 Event-Driven Automatic Backup
    • 2.11.2.4 Forced Restore
    • 2.11.2.5 Command-Line Forced Restore
    • 2.11.2.6 Event-Driven Forced Restore
• 2.12 Creating and Using Templates
  • 2.12.1 Managing Templates
    • 2.12.1.1 Creating a Template for a Running Application
    • 2.12.1.2 Creating a New Template for Applications That Are Not Running on Your Workstation
    • 2.12.1.3 Modifying an Existing Template
    • 2.12.1.4 Deleting a Template
    • 2.12.1.5 Adding Application Templates to Logon Manager
  • 2.12.2 General Guidelines for Setting Up Applications
  • 2.12.3 Adding Windows Applications
    • 2.12.3.1 Special Issues and Settings
  • 2.12.4 Adding Web Applications
  • 2.12.5 Adding Host/Mainframe Applications
    • 2.12.5.1 Configuring a Host/Mainframe Application Manually
    • 2.12.5.2 Adding Java Applications and Applets
    • 2.12.5.3 Adding Telnet Applications
    • 2.12.5.4 Adding a Telnet Application Logon
    • 2.12.5.5 Configuring a Telnet Application Logon Manually
  • 2.12.6 Bulk-Adding Applications for First-Time Use
    • 2.12.6.1 Specifying Applications to Bulk-Add
• 2.13 Creating New Applications
  • 2.13.1 The Applications List
  • 2.13.2 Adding an Application
    • 2.13.2.1 Adding an Application from a Template
  • 2.13.3 Creating a New Windows or Java Application Template
    • 2.13.3.1 Creating a Template Using the Administrative Console
    • 2.13.3.2 Configuring a Template Manually
    • 2.13.3.3 Creating a Template Using an Open Application
  • 2.13.4 The Windows Form Wizard
    • 2.13.4.1 Selecting the Window Title
    • 2.13.4.2 The Windows Form Wizard Application Tab
    • 2.13.4.3 The Windows Form Wizard Credential Field Tab
    • 2.13.4.4 Windows Form Wizard for RSA SecurID Applications
    • 2.13.4.5 The Windows Form Wizard Identification Tab
    • 2.13.4.6 The Windows Form Wizard Fields Tab
    • 2.13.4.7 SendKeys for a Windows Application Logon
    • 2.13.4.8 Kiosk Manager SendKeys (for a Windows Application)
    • 2.13.4.9 Matching Tab for Configuring a Windows Application
    • 2.13.4.10 The Windows Form Wizard Matching Dialog
    • 2.13.4.11 Creating Match Criteria Using the Wizard
    • 2.13.4.12 Creating or Modfiying Match Criteria Manually
    • 2.13.4.13 Add or Edit a Title on the Windows Matching Tab
    • 2.13.4.14 Control Matching
    • 2.13.4.15 Control ID Dialog (Windows Fields Tab)
    • 2.13.4.16 Control Match Wizard
    • 2.13.4.17 Ignore App Window
    • 2.13.4.18 Ignore Match Fields
    • 2.13.4.19 Logon App Window
    • 2.13.4.20 Logon Match Fields
    • 2.13.4.21 Logon Credential
    • 2.13.4.22 Password Change App Window
    • 2.13.4.23 Password Change Match Fields
    • 2.13.4.24 Password Change Credential
    • 2.13.4.25 Password Confirm App Window
    • 2.13.4.26 Password Confirm Match Fields
    • 2.13.4.27 Password Confirm Credential
    • 2.13.4.28 Options Tab for Configuring a Windows Application
  • 2.13.5 Creating a New Web Application Template
    • 2.13.5.1 Creating a Template Using the Administrative Console
    • 2.13.5.2 Creating a Template Using an Open Application
    • 2.13.5.3 Web Form Wizard
    • 2.13.5.4 Configuring a Web Application Using the Wizard
    • 2.13.5.5 Web Form Wizard (for RSA SecurID Applications)
    • 2.13.5.6 Identification Tab for Configuring a Web Application
    • 2.13.5.7 Fields Tab for Configuring a Web Application
    • 2.13.5.8 Dynamic and Ordinal Control IDs
    • 2.13.5.9 Choose Control ID
    • 2.13.5.10 SendKeys Settings for a Web Application
    • 2.13.5.11 Matching Tab for Configuring a Web Application
    • 2.13.5.12 Creating or Modifying Detection-Matching Criteria
    • 2.13.5.13 Offset Matching
    • 2.13.5.14 Edit Match Criteria for a Web Application
    • 2.13.5.15 Add/Edit URL
    • 2.13.5.16 Matching Expressions
    • 2.13.5.17 Matching Environment Variables
    • 2.13.5.18 Adding and Editing Web Fields
    • 2.13.5.19 Field Identification Dialog
    • 2.13.5.20 Options Tab for Configuring for a Web Application
    • 2.13.5.21 Proxy Tab for Configuring a Web Application
  • 2.13.6 Creating a New Host/Mainframe Application
    • 2.13.6.1 Host/Mainframe Form Wizard
    • 2.13.6.2 Configuring a Host/Mainframe Application
    • 2.13.6.3 Host/Mainframe Form Wizard for RSA SecurID
    • 2.13.6.4 Configuring a Host/Mainframe Application for RSA SecurID
    • 2.13.6.5 Identification Tab for Configuring a Host or Mainframe Application
    • 2.13.6.6 Text Matching (on a Host/Mainframe Logon Form)
    • 2.13.6.7 Edit SendKeys Fields and Actions for a Host/Mainframe Application
    • 2.13.6.8 Fields Tab for Configuring a Host or Mainframe Application
    • 2.13.6.9 Matching Tab for Configuring a Host or Mainframe Application
    • 2.13.6.10 Options Tab for Configuring a Host or Mainframe Application
• 2.14 Configuring a Specific Application
  • 2.14.1 General Tab (for a Selected Application
  • 2.14.2 Bulk Add Tab (for a Selected Application)
  • 2.14.3 Authentication Tab (for a Selected Application)
  • 2.14.4 Error Loop Tab (for a Selected Application)
  • 2.14.5 Password Change Tab (for a Selected Application)
  • 2.14.6 Events Tab (for a Selected Application)
  • 2.14.7 Miscellaneous Tab (for a Selected Application)
  • 2.14.8 Security Tab-Role/Group Support (for a Selected Application)
  • 2.14.9 Provisioning Tab-Role/Group Support (for a Selected Application)
    • 2.14.9.1 Add User or Group Dialog
  • 2.14.10 Privileged Accounts Tab (for a Selected Application)
  • 2.14.11 Delegated Credentials Tab (for a Selected Application)
    • 2.14.11.1 Setting Up Delegated Credentials with Oracle Repositories
    • 2.14.11.2 Export to INI File
    • 2.14.11.3 Export EntList File
    • 2.14.11.4 Export First-Time Use
    • 2.14.11.5 Import Merge Conflict
    • 2.14.11.6 Override Settings Tab (Edit Template Dialog)
    • 2.14.11.7 Supply Info Tab (Edit Template Dialog)
    • 2.14.11.8 Update Applications (from Template)
    • 2.14.11.9 Launch Tab (for a Selected Application)
  • 2.14.12 Launch Tab (for a Selected Application)
    • 2.14.12.1 Manage Launch URI
  • 2.14.13 Testing Templates
• 2.15 SSO Applications Node
• 2.16 Configuring Logon Manager for Specific Environments
  • 2.16.1 Configuring the Agent for Windows Authentication
    • 2.16.1.1 Confirming 128-bit Encryption
  • 2.16.2 Configuring the Agent for Directory Server Synchronization
    • 2.16.2.1 Using Role/Group Support with Directory-Server Synchronization
  • 2.16.3 Configuring the Agent for Database Synchronization
  • 2.16.4 Configuring the Agent for File System Synchronization
  • 2.16.5 Configuring the Agent in a Citrix Environment
    • 2.16.5.1 Installing Logon Manager on Citrix Server
    • 2.16.5.2 Controlling Logon Manager for Specific Applications in Citrix
    • 2.16.5.3 SSOLauncher for Citrix Servers
• 2.17 Configuring the Agent with Global Agent Settings
  • 2.17.1 Global Agent Settings vs. Administrative Overrides
    • 2.17.1.1 Recommended Global Agent Settings
    • 2.17.1.2 Recommended Administrative Overrides
  • 2.17.2 Working with a Set of Global Agent Settings
    • 2.17.2.1 Creating and Importing Global Agent Settings
    • 2.17.2.2 Adding a Set of Global Agent Settings
    • 2.17.2.3 Exporting a Set of Global Agent Settings
    • 2.17.2.4 Export Format
  • 2.17.3 Global Agent Settings in Depth
    • 2.17.3.1 User Experience
    • 2.17.3.2 Application Response
    • 2.17.3.3 Initial Credential Capture
    • 2.17.3.4 Web Application Response
    • 2.17.3.5 Windows Application Response
    • 2.17.3.6 Java Application Response
    • 2.17.3.7 Host/Mainframe Application Response
    • 2.17.3.8 Password Change
    • 2.17.3.9 User Interface
    • 2.17.3.10 Setup Wizard
    • 2.17.3.11 Authentication
    • 2.17.3.12 Authentication Manager
    • 2.17.3.13 Windows v2 Authenticator Settings
    • 2.17.3.14 Windows v2 Authenticator Passphrase Settings
    • 2.17.3.15 Windows Authenticator Settings
    • 2.17.3.16 LDAP v2 Authenticator Settings
    • 2.17.3.17 LDAP v2 Authenticator Special Purpose Settings
    • 2.17.3.18 LDAP Authenticator Settings
    • 2.17.3.19 LDAP Authenticator Special Purpose Settings
  • 2.17.4 Using Strong Authenticators
  • 2.17.5 Strong Authenticator Configuration Settings
    • 2.17.5.1 Smart Cards
    • 2.17.5.2 Integrating with Kiosk Manager
    • 2.17.5.3 Smart Card Middleware
    • 2.17.5.4 Smart Card Authenticator Settings
    • 2.17.5.5 Read-Only Smart Cards
    • 2.17.5.6 Integrating with Kiosk Manager
    • 2.17.5.7 Read-Only Smart Card Authenticator Settings
    • 2.17.5.8 Proximity Cards
    • 2.17.5.9 Integrating with Kiosk Manager
    • 2.17.5.10 Active Directory Technical Notes
    • 2.17.5.11 AD LDS (ADAM) Technical Notes
    • 2.17.5.12 OmniKey Proximity Card Reader Technical Note
    • 2.17.5.13 Proximity Card Authenticator Settings
    • 2.17.5.14 RSA SecurID
    • 2.17.5.15 Configuring the SoftID Helper
    • 2.17.5.16 First-Time-Use Scenarios
    • 2.17.5.17 Integrating with Kiosk Manager
    • 2.17.5.18 Microsoft Visual C++ Technical Note
    • 2.17.5.19 PIN Mode Support Technical Note
    • 2.17.5.20 Secure Data Storage
    • 2.17.5.21 Enabling Secure Data Storage
    • 2.17.5.22 Secure Data Storage Authenticator Settings
    • 2.17.5.23 Kiosk Manager Integration Notes
  • 2.17.6 Provisioning Gateway Server Locations
    • 2.17.6.1 Delegated Credentials Settings
    • 2.17.6.2 Privileged Accounts Settings
  • 2.17.7 Synchronization Settings
    • 2.17.7.1 Manage Synchronizers Dialog
    • 2.17.7.2 Add Synchronizer Dialog
    • 2.17.7.3 Using the Edit List Dialog for Synchronizer Settings
    • 2.17.7.4 General Synchronization Options
    • 2.17.7.5 Active Directory Synchronization Settings
    • 2.17.7.6 AD LDS (ADAM) Synchronization Settings
    • 2.17.7.7 Database Synchronization Settings
    • 2.17.7.8 File System Synchronization Settings
    • 2.17.7.9 LDAP Synchronization Settings
    • 2.17.7.10 LDAP Special Purpose Synchronization Settings
    • 2.17.7.11 Roaming Profile Synchronization Extension Settings
  • 2.17.8 Security Settings
    • 2.17.8.1 Security Options
    • 2.17.8.2 Masked fields
  • 2.17.9 Custom Actions Settings
  • 2.17.10 Windows Event Log-Based Reporting
    • 2.17.10.1 Technical Prerequisites
  • 2.17.11 Audit Logging Settings
    • 2.17.11.1 Configuring the Windows Event Logging Server
    • 2.17.11.2 Configuring the Reporting Server
    • 2.17.11.3 Configuring Windows Event Viewer
    • 2.17.11.4 Configuring the Syslog Server
    • 2.17.11.5 XML File Event Logging
    • 2.17.11.6 Database Event Logging
    • 2.17.11.7 Kiosk Manager Settings
    • 2.17.11.8 Kiosk Manager User Interface
  • 2.17.12 Oracle Access Manager Support
    • 2.17.12.1 Access Manager Settings
  • 2.17.13 Integrating with Password Reset
    • 2.17.13.1 Password Reset Settings
  • 2.17.14 Using the Configuration Test Manager
    • 2.17.14.1 Categories
    • 2.17.14.2 Parameters
    • 2.17.14.3 Execution and Results
• 2.18 Deploying Logon Manager
  • 2.18.1 Default MSI Deployment Options
    • 2.18.1.1 Performing an Installation with the Shipped MSI Package
    • 2.18.1.2 Installing from the Command Line
    • 2.18.1.3 Installing the MSI Package Remotely
    • 2.18.1.4 Microsoft Windows Installer (MSI) Package
  • 2.18.2 Deploying the Agent with Anywhere
  • 2.18.3 Using the MSI Generator
    • 2.18.3.1 Base MSI Selection
    • 2.18.3.2 Selecting MSI Features
    • 2.18.3.3 Selecting a Set of Global Agent Settings and Generating a New MSI
    • 2.18.3.4 Testing and Deploying to End-Users
  • 2.18.4 Using Other Deployment Tools
• 2.19 Using Kiosk Manager
  • 2.19.1 Events and Actions
    • 2.19.1.1 Types of Events
    • 2.19.1.2 Configuring Events and Action Lists
    • 2.19.1.3 Creating an Action List
    • 2.19.1.4 Creating and Using Terminate Lists
    • 2.19.1.5 Configuring Kiosk Manager to Terminate an Application
    • 2.19.1.6 Specifying a Window Title for Matching
    • 2.19.1.7 Using SendKeys with Kiosk Manager
    • 2.19.1.8 Creating and Using Run Lists
    • 2.19.1.9 Creating and Using Special Actions Lists
    • 2.19.1.10 Adding Applications with Process Path Keys
    • 2.19.1.11 Selecting Default Applications to Leave Running
  • 2.19.2 Session States
    • 2.19.2.1 Creating a Session State
    • 2.19.2.2 Copying a Session State
    • 2.19.2.3 Deleting a Session State
    • 2.19.2.4 Selecting Session State Events
    • 2.19.2.5 Selecting a Predefined Event
    • 2.19.2.6 Adding a Custom Event
    • 2.19.2.7 Selecting a Session State Authenticator
    • 2.19.2.8 Adding a Custom Authenticator
    • 2.19.2.9 Using the Actions Tab to Add Session States
    • 2.19.2.10 Associating Actions to a Session State
    • 2.19.2.11 Configuring Session State Security
  • 2.19.3 About Desktop Manager
    • 2.19.3.1 Administration Menu
    • 2.19.3.2 Session Termination
    • 2.19.3.3 Open Sessions (Multi-Sessions)
    • 2.19.3.4 Transparent Screen Lock
    • 2.19.3.5 Terminating Sessions
    • 2.19.3.6 Customizing the Desktop Manager
    • 2.19.3.7 Desktop Status Window
  • 2.19.4 Event and Audit Logs
    • 2.19.4.1 Event Log Messages
    • 2.19.4.2 Bypassing the Kiosk Manager Agent
    • 2.19.4.3 Closing the Kiosk Manager Agent
    • 2.19.4.4 Setting Up a Trust
    • 2.19.4.5 Using the MacListener Utility to Enable Caregiver Mobility and Oracle VDI Session Support
  • 2.19.5 Configuring Strong Authentication Options
  • 2.19.6 Linking to Password Reset
  • 2.19.7 Command Line Options
  • 2.19.8 The .NET API
    • 2.19.8.1 .NET API Sample Code
  • 2.19.9 Kiosk Manager Best Practices
    • 2.19.9.1 Deploying Kiosk Manager Settings
    • 2.19.9.2 SendKeys
    • 2.19.9.3 Disable Task Manager and Run
• 2.20 Provisioning Gateway Overview
  • 2.20.1 Managing Provisioning
    • 2.20.1.1 Provisioning Default Rights Tab
    • 2.20.1.2 Add User or Group Dialog
    • 2.20.1.3 Provisioning Admin Rights Tab
  • 2.20.2 Oracle Privileged Accounts Manager (OPAM)

3 Configuring an Agent Deployment with Anywhere

• 3.1 Overview of Creating a Deployment Package
  • 3.1.1 A Few Notes About Anywhere Prerequisites and Deployment Limitations
  • 3.1.2 Creating a Deployment Package
• 3.2 The General Tab
• 3.3 The Options Tab
  • 3.3.1 Install Settings
  • 3.3.2 Updates Settings
    • 3.3.2.1 Localized Deployments
  • 3.3.3 Agent Settings
• 3.4 The Generate Tab

4 Using the Administrative Console to Configure Password Reset

• 4.1 First-Time Setup
  • 4.1.1 Configuring Service Storage
    • 4.1.1.1 Adding a Server
    • 4.1.1.2 Adding a Connection String
  • 4.1.2 Configuring the Reset Service Account
    • 4.1.2.1 Setting or Changing the Anonymous Logon
• 4.2 Setting Up the Enrollment Interview
  • 4.2.1 Enrollment Level Settings
  • 4.2.2 National Language Support
  • 4.2.3 Questions Tab
  • 4.2.4 Creating System Questions
    • 4.2.4.1 Assigning Point Values to Questions
  • 4.2.5 Editing System Questions
    • 4.2.5.1 Selecting Users and Groups for Question Assignment
    • 4.2.5.2 Modifying or Disabling a System Question
    • 4.2.5.3 Changing Question Weights
  • 4.2.6 Question Examples
    • 4.2.6.1 Required Questions
    • 4.2.6.2 Eliminators
    • 4.2.6.3 Optional Questions
  • 4.2.7 Excluding Users from Forced Enrollment
• 4.3 Configuring Reset Authentication
  • 4.3.1 Score Thresholds
  • 4.3.2 Editing Reset Service Settings
  • 4.3.3 Multi-Domain Support
• 4.4 Password Complexity
• 4.5 Alerts
• 4.6 Logging
• 4.7 Reporting
• 4.8 Configuring the Enrollment User Interface
• 4.9 Configuring the Reset User Interface
  • 4.9.1 Changing the Reset User Interface Through the Registry
  • 4.9.2 Customizing Reset Messages
  • 4.9.3 Role/Group Support
• 4.10 Managing Users
  • 4.10.1 User Details General Tab
  • 4.10.2 User Details Enrollments Tab
  • 4.10.3 User Details Resets Tab
  • 4.10.4 Managing Enrollments
    • 4.10.4.1 Viewing Enrollment Search Results
• 4.11 Managing Resets
  • 4.11.1 Viewing Resets
    • 4.11.1.1 Viewing Reset Search Results
    • 4.11.1.2 Viewing User Search Results
• 4.12 Working with External Validators
  • 4.12.1 Writing the External Validator Interface
  • 4.12.2 Installing the External Validator
  • 4.12.3 Directing Password Reset to the External Validator
    • 4.12.3.1 User Enrollment with External Validators
    • 4.12.3.2 Password Reset with External Validators
  • 4.12.4 Deleting the External Validator

5 Configuring Strong Authenticators with Universal Authentication Manager

• 5.1 Overview of Universal Authentication Manager
  • 5.1.1 Universal Authentication Manager Repository Synchronization
    • 5.1.1.1 How Synchronization Works
    • 5.1.1.2 Repository Functions
    • 5.1.1.3 Synchronization Functions
  • 5.1.2 Administration of Universal Authentication Manager
  • 5.1.3 Fingerprints
  • 5.1.4 Proximity Cards
    • 5.1.4.1 About Proximity Card PINs
  • 5.1.5 Smart Cards
    • 5.1.5.1 About Smart Card PINs
  • 5.1.6 Challenge Questions
• 5.2 Deploying Universal Authentication Manager
  • 5.2.1 Selecting the Client Mode
    • 5.2.1.1 Local Mode
    • 5.2.1.2 Enterprise Mode
    • 5.2.1.3 Switching from Local to Enterprise Mode on an Existing Installation
  • 5.2.2 Configuring Universal Authentication Manager for Synchronization with Microsoft Active Directory
    • 5.2.2.1 Preparing the Repository when Logon Manager Is Already Deployed
    • 5.2.2.2 Creating a Universal Authentication Manager Service Account
    • 5.2.2.3 Extending the Schema
    • 5.2.2.4 Enabling Data Storage Under User Objects
    • 5.2.2.5 Initializing Universal Authentication Manager Storage
    • 5.2.2.6 Configuring the Universal Authentication Manager Synchronizer
    • 5.2.2.7 Configuring Universal Authentication Manager Synchronization for Administrative Users
  • 5.2.3 Configuring Universal Authentication Manager for Synchronization with Microsoft AD LDS (ADAM)
    • 5.2.3.1 Preparing the Repository when Logon Manager Is Already Deployed
    • 5.2.3.2 Creating the AD LDS (ADAM) Instance and Partition
    • 5.2.3.3 Configuring the AD LDS (ADAM) Default Naming Context
    • 5.2.3.4 Creating a Universal Authentication Manager Service Account
    • 5.2.3.5 Extending the Schema
    • 5.2.3.6 Creating the People Container
    • 5.2.3.7 Initializing Universal Authentication Manager Storage
    • 5.2.3.8 Configuring the Universal Authentication Manager Synchronizer
  • 5.2.4 Integrating with Logon Manager
  • 5.2.5 Integrating with Password Reset
  • 5.2.6 Integrating with Kiosk Manager
• 5.3 Working with Universal Authentication Manager Policies
  • 5.3.1 Creating a Policy
    • 5.3.1.1 The General and Assignments Tabs
  • 5.3.2 Configuring a Policy
    • 5.3.2.1 Enabling Logon Methods
    • 5.3.2.2 Configuring Enrollment Prompts
    • 5.3.2.3 Setting the Enrollment Grace Period
    • 5.3.2.4 Configuring a Fingerprint Policy
    • 5.3.2.5 Configuring a Proximity Card Policy
    • 5.3.2.6 Configuring a Smart Card Policy
    • 5.3.2.7 Configuring a Challenge Questions Policy
    • 5.3.2.8 Configuring a Windows Password Policy
  • 5.3.3 Publishing a Policy
  • 5.3.4 Assigning Users and Groups to a Policy
  • 5.3.5 Publishing a Policy to the Repository
  • 5.3.6 Modifying an Existing Policy
  • 5.3.7 Deleting a Policy

6 Using the Administrative Console to Configure the Reporting Client

• 6.1 Installing the Administrative Console and Reporting Client
• 6.2 Installing the Reporting Extension
  • 6.2.1 Configuring Reporting Settings
• 6.3 Setting Up the Reporting Service as a Domain User
  • 6.3.1 Overview of the Process to Set Up Reporting as a Domain User
• 6.4 Oracle Database Configuration Overview
  • 6.4.1 Creating the Oracle Database User
  • 6.4.2 Creating the Database Table and Setting Up Stored Procedures
  • 6.4.3 Creating a Connection String
  • 6.4.4 Configuring Oracle Database on Client Machines
  • 6.4.5 Setting Up Oracle Database to Use Reporting with Windows Integrated Authentication
    • 6.4.5.1 Creating an Active Directory domain user that will write events to the database
    • 6.4.5.2 Modifying the Default domain policy to allow the Reporting Domain User to Log on as a service
    • 6.4.5.3 Verifying Publication of the Active Directory Permission on the Client Machine
    • 6.4.5.4 Configuring the ESSO Reporting Service on the Client Machine to run as this domain user
  • 6.4.6 Setting Up the Server for Integrated Authentication
    • 6.4.6.1 Verify the Windows Authentication Protocol
    • 6.4.6.2 Create the External Oracle User for the Domain User
• 6.5 Setting Up the Oracle Database for Reporting
  • 6.5.1 Upgrading an Existing Oracle Database Setup
    • 6.5.1.1 Upgrading an Existing Oracle Database Setup
    • 6.5.1.2 Providing the Required Permissions to the New Reporting Domain User
    • 6.5.1.3 Creating a Public Synonym for SP_WRITEEVENTS
  • 6.5.2 Setting Up a New Oracle Database for the ESSO Reporting Service
  • 6.5.3 Creating the Connection String for Integrated Login
  • 6.5.4 Configuring the Oracle Database on Client Machines
  • 6.5.5 Next Steps
• 6.6 Microsoft SQL Server Configuration Overview
  • 6.6.1 Creating the Database Table and Setting Up Stored Procedures
  • 6.6.2 Creating the Reporting Database User
  • 6.6.3 Setting Up the Domain Computer
  • 6.6.4 Setting Permissions to Log On to the Reporting Administrative Console
  • 6.6.5 Enabling TCP/IP Protocol on SQL 2008 Server R2
  • 6.6.6 Setting Up Microsoft SQL Server to Use Reporting with Windows Integrated Authentication
    • 6.6.6.1 Creating an Active Directory domain user that will write events to the database
    • 6.6.6.2 Modifying the Default domain policy to allow the Reporting Domain User to Log on as a service
  • 6.6.7 Verifying Publication of the Active Directory Permission on the Client Machine
  • 6.6.8 Configuring the ESSO Reporting Service on the Client Machine to run as this domain user
  • 6.6.9 Setting Up Microsoft SQL Server for Integrated Authentication
    • 6.6.9.1 Configuring a Login and Role for the New Reporting Domain User in the Microsoft SQL Database
  • 6.6.10 Setting Permissions for the Reporting Domain User
  • 6.6.11 Next Steps
• 6.7 Using Oracle Business Intelligence Publisher for Deployment with Reporting
  • 6.7.1 Configuring Oracle Business Intelligence Publisher
  • 6.7.2 Deploying Reporting

7 Reference

• 7.1 General Suite Information
  • 7.1.1 Installing an AD LDS (ADAM) Instance
  • 7.1.2 Obtaining a Certificate for SSL Connectivity
    • 7.1.2.1 Considerations When Deciding to Use SSL
• 7.2 Logon Manager
  • 7.2.1 Understanding the Application Configuration Files
    • 7.2.1.1 How the Agent Uses entlist.ini
    • 7.2.1.2 How the Agent Uses aelist.ini
  • 7.2.2 Best Practices for Deploying the Agent in a Citrix Environment
    • 7.2.2.1 Installation
    • 7.2.2.2 Deploying Logon Manager Per User
    • 7.2.2.3 Deploying Logon Manager Per Application
    • 7.2.2.4 Deploying Logon Manager Per Server
    • 7.2.2.5 Global Agent Settings Specific to Citrix Servers
    • 7.2.2.6 Publishing Applications
  • 7.2.3 Logon Manager Application Compatibility Considerations
  • 7.2.4 Configuring Host Emulators
    • 7.2.4.1 Attachmate EXTRA!/ myExtra!
    • 7.2.4.2 BlueZone Web-to-Host Emulator
    • 7.2.4.3 BOSaNOVA
    • 7.2.4.4 Ericom PowerTerm
    • 7.2.4.5 G&R Glink
    • 7.2.4.6 Hummingbird Host Explorer
    • 7.2.4.7 IBM Client Access
    • 7.2.4.8 IBM Client Access Express
    • 7.2.4.9 IBM Host On-Demand
    • 7.2.4.10 IBM Personal Communications
    • 7.2.4.11 Jolly Giant QWS3270 PLUS
    • 7.2.4.12 NetManage Rumba
    • 7.2.4.13 Net Soft NS/Elite
    • 7.2.4.14 Newhart Systems BLUES 2000
    • 7.2.4.15 Novell LAN Workplace
    • 7.2.4.16 PuTTY
    • 7.2.4.17 Scanpak Aviva for Desktops
    • 7.2.4.18 Seagull BlueZone
    • 7.2.4.19 WRQ Reflection
    • 7.2.4.20 Zephyr PC to Host
    • 7.2.4.21 Zephyr Web to Host
  • 7.2.5 SAP Configuration
    • 7.2.5.1 Border Values for Web Logon Credential Fields
  • 7.2.6 Understanding the Logon Manager Secondary Authentication API
    • 7.2.6.1 The SecondaryAuthKey Method
    • 7.2.6.2 The FreeSecondaryAuthKey Method
    • 7.2.6.3 Driver Code for Testing a Custom Secondary Authenticator
    • 7.2.6.4 Switching Secondary Authentication Methods
    • 7.2.6.5 Switching from Built-In Secondary Authentication to External Secondary Authentication
    • 7.2.6.6 Switching from External Secondary Authentication to Built-In Secondary Authentication
    • 7.2.6.7 Switching from One External Secondary Authentication Library to Another
  • 7.2.7 Configuring Windows Authenticator Version 2
    • 7.2.7.1 Migrating a WinAuth v1 Installation to WinAuth v2
    • 7.2.7.2 Configuring WinAuth v2 for Authenticator Key Management via Windows DPAPI
    • 7.2.7.3 Configuring WinAuth v2 for Recovery via Interactive Passphrase Prompt
    • 7.2.7.4 Configuring WinAuth v2 for Recovery via Logon Manager Secondary Authentication API
    • 7.2.7.5 Configuring WinAuth v2 for Kiosk Environments
    • 7.2.7.6 Resetting the User-Provided Passphrase Answer
    • 7.2.7.7 Enabling WinAuth v2 Strong Authentication Device Support
  • 7.2.8 Configuring LDAP Authenticator Version 2
    • 7.2.8.1 Migrating an LDAPAuth v1 Installation to LDAPAuth v2
    • 7.2.8.2 Configuring LDAPAuth v2 for Recovery via Interactive Passphrase Prompt
    • 7.2.8.3 Configuring LDAPAuth v2 for Recovery via Logon Manager Secondary Authentication API
    • 7.2.8.4 Resetting the User-Provided Passphrase Answer
    • 7.2.8.5 Enabling LDAPAuth v2 Strong Authentication Device Support
  • 7.2.9 Smart Card Monitor Utility (ssoSCDetect.exe)
  • 7.2.10 Global Agent Settings
    • 7.2.10.1 Recommended Global Agent Settings for SSO Kiosk Operation
  • 7.2.11 Configuring Registry Settings and Administrative Overrides
  • 7.2.12 Directory Server Schema Definition
    • 7.2.12.1 vGOSecret
    • 7.2.12.2 vGOUserData Object
    • 7.2.12.3 vGOConfig Object
    • 7.2.12.4 vGOLocatorClass
  • 7.2.13 Error Loop Quick Reference
  • 7.2.14 Configuring Logon Manager Event Logging for IBM DB2 Database Support
    • 7.2.14.1 Installing and Configuring the IBM DB2 Database
    • 7.2.14.2 Setting Up the Event Log Data Table
    • 7.2.14.3 Installing the Database Event Extension Component for Logon Manager
    • 7.2.14.4 Configuring Logon Manager Event Logging for Database Support
    • 7.2.14.5 Testing Your Event Logging Configuration
  • 7.2.15 Configuring Logon Manager Event Logging with MS SQL Server 2005
    • 7.2.15.1 Install and Configure MS SQL Server 2005
    • 7.2.15.2 Set Up the Event Log Data Table
    • 7.2.15.3 Install the Database Event Extension Component for Logon Manager
    • 7.2.15.4 Configure Logon Manager Event Logging for Database Support
    • 7.2.15.5 Test Your Event Logging Configuration
  • 7.2.16 Understanding the Logon Manager Event Notification API
    • 7.2.16.1 Event Handling Tasks
    • 7.2.16.2 The SSONotificationService Co-Class
    • 7.2.16.3 Sending Data (Producer)
    • 7.2.16.4 Receiving Data (Consumer)
  • 7.2.17 Using the Trace Controller Utility
    • 7.2.17.1 Using the Trace Controller Utility in Graphical Mode
    • 7.2.17.2 Viewing Logged Events
    • 7.2.17.3 Customizing the Event List View
    • 7.2.17.4 Configuring Event Capture Hot Keys
    • 7.2.17.5 Using the Trace Controller Utility in Command Line Mode
  • 7.2.18 Authentication Manager Error Messages
    • 7.2.18.1 Warning Level Messages
    • 7.2.18.2 Error Level Messages
  • 7.2.19 Regular Expression Syntax
  • 7.2.20 Command-Line Options
  • 7.2.21 Character Codes and Keys
    • 7.2.21.1 Codes for VTabKeyN (Windows)
    • 7.2.21.2 Codes for VirtualKeyCode and VKEY (Windows)
    • 7.2.21.3 Codes for PreKey and TabKey (Host/HLLAPI)
    • 7.2.21.4 ftulist.ini Keys
    • 7.2.21.5 entlist.ini Keys
  • 7.2.22 Kiosk Manager .NET API Sample
• 7.3 Password Reset
  • 7.3.1 Understanding Password Reset Data Structures
    • 7.3.1.1 Main Configuration Data (SYSTEMPARAMETERS Table)
    • 7.3.1.2 Logging Configuration Data (SYSTEMPARAMETERS Table)
    • 7.3.1.3 System Challenge Question Data (SYSTEMPARAMETERS Table)
    • 7.3.1.4 User Enrollment Data (ENROLLMENTINFORMATION, USERQUESTIONS, and USER Tables)
    • 7.3.1.5 Password Reset Data (RESETINFORMATION Table)
    • 7.3.1.6 Log Message Data (SYSLOG)
  • 7.3.2 Schema Diagram
    • 7.3.2.1 Rights and Security
    • 7.3.2.2 Object Classes
    • 7.3.2.3 Attributes
  • 7.3.3 Configuring Password Reset for Data Storage in an Oracle Database
    • 7.3.3.1 Configuring the Database Schema for Password Reset Data
    • 7.3.3.2 Configuring Password Reset to Store Data in the Database
  • 7.3.4 Password Reset Client-Side Registry Settings
    • 7.3.4.1 Under HKLM\Software\Passlogix\SSPR
    • 7.3.4.2 Language Codes for WindowsInterface\xx
  • 7.3.5 Password Reset Server-Side Registry Settings
    • 7.3.5.1 Under HKLM\Software\Passlogix\SSPR
    • 7.3.5.2 Under HKLM\Software\Passlogix\SSPR\Storage\Extensions\
    • 7.3.5.3 Under HKLM\Software\Passlogix\SSPR\Storage\Extensions\ADAM\
    • 7.3.5.4 Under HKLM\Software\Passlogix\SSPR\Storage\Extensions\
    • 7.3.5.5 Under HKLM\Software\Passlogix\SSPR\Storage\Extensions\AD\
• 7.4 Reporting
  • 7.4.1 Reporting Event Definition Table
    • 7.4.1.1 Definitions
• 7.5 Universal Authentication Manager Registry Settings
  • 7.5.1 Setting Logon Method Display Order
  • 7.5.2 Re-Enabling the Windows 7 Password Credential Provider
  • 7.5.3 Re-Enabling the Windows 7 PKI SmartCard Credential Provider
  • 7.5.4 Disabling the Windows 7 Fingerprint Credential Provider
  • 7.5.5 Global Universal Authentication Manager Settings
  • 7.5.6 Global Brand Settings

8 Troubleshooting

• 8.1 Installation
  • 8.1.1 Authenticators
  • 8.1.2 Synchronizer Extensions
  • 8.1.3 Uninstalling
  • 8.1.4 Agent Performance/Application Response
  • 8.1.5 Authentication
    • 8.1.5.1 Initial Authentication
    • 8.1.5.2 Reauthentication
  • 8.1.6 Application Configuration
    • 8.1.6.1 All Applications
    • 8.1.6.2 Predefined Windows Applications
    • 8.1.6.3 All Web Applications
    • 8.1.6.4 Web Applications That Are Predefined
    • 8.1.6.5 Web Applications That Are Not Predefined
  • 8.1.7 Host Applications
    • 8.1.7.1 Responding to All Host Applications
    • 8.1.7.2 Responding to a Specific Host Application
  • 8.1.8 Event Logging
    • 8.1.8.1 All Extensions
    • 8.1.8.2 Windows Event Viewer
  • 8.1.9 Credential Sharing Groups
  • 8.1.10 All Synchronizer Extensions
    • 8.1.10.1 All Directory Extensions User Connections
    • 8.1.10.2 Admin Objects
    • 8.1.10.3 File System Server User Connections
    • 8.1.10.4 OpenLDAP Directory Server Repository
• 8.2 Troubleshooting a Universal Authentication Manager Deployment
  • 8.2.1 Recovery from Deletion of the Service Account
  • 8.2.2 Authentication Service Repair Error
  • 8.2.3 AutoLogon Condition Is Incorrectly Configured
  • 8.2.4 Avoid Using Dual-Purpose Cards with Dual-Purpose Readers
  • 8.2.5 Ensuring Compatibility with Windows Domain Policies
  • 8.2.6 AutoLogon Behavior
  • 8.2.7 Windows Password Logon and Unlock
    • 8.2.7.1 Windows Password Logon and Unlock Errors
  • 8.2.8 Microsoft Active Directory Security Policies
  • 8.2.9 Active Directory Password Policies
  • 8.2.10 Universal Authentication Manager Authentication Methods and Lockout
  • 8.2.11 Changing User Passwords As the Administrator