Oracle® Fusion Middleware Enterprise Single Sign-On Suite Administrator's Guide 11g Release 2 (11.1.2.2)
Part Number E37692-06
Contents
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
1 Introduction to Oracle Enterprise Single Sign-On Suite
1.1 Suite Components
1.1.1 Logon Manager
1.1.2 Password Reset
1.1.3 Provisioning Gateway
1.1.4 Anywhere
1.1.5 Universal Authentication Manager
1.1.6 Reporting
1.2 Suite Administration
1.3 Overview of the Administrative Console
1.4 Administrative Console Menu Commands for Logon Manager
1.5 Administrative Console Menu Commands for Password Reset
2 Using the Administrative Console to Configure Logon Manager
2.1 Overview
2.1.1 Architecture/Modules
2.1.1.1 Authentication
2.1.1.2 Encryption
2.1.1.3 Intelligent Agent Response
2.1.1.4 Core (Including Storage)
2.1.1.5 Credential Synchronization
2.1.1.6 Event Logging
2.1.1.7 Miscellaneous Components
2.1.2 Common Scenarios
2.1.3 Resources
2.2 Logon Manager Features
2.3 Considerations Before Deploying Logon Manager
2.3.1 User Work Modes
2.3.1.1 One Workstation, One User
2.3.1.2 Frequent Movement Among Few Workstations
2.3.1.3 Frequent Movement Among Many Workstations
2.3.1.4 One Workstation, Many Users
2.3.1.5 Disconnected
2.3.1.6 Security Locked Down vs. User Freedom
2.3.1.7 Usability: User Flexibility vs. Simplicity
2.3.1.8 Other Settings
2.3.2 System Configuration
2.3.2.1 Application Configurations
2.3.3 Software Rollout Basics
2.3.4 Administration and Management
2.4 Configuring the Server for Logon Manager
2.4.1 LDAP Directory Server Configuration
2.4.2 File Systems Configuration
2.4.2.1 Creating the Container Object
2.4.3 Database Synchronization Configuration
2.4.4 IBM DB2 Configuration
2.4.4.1 IBM DB2 Setup Requirements
2.4.4.2 Extending the Database Schema
2.4.4.3 Publishing to the Repository
2.4.4.4 Required Settings for Connecting to IBM DB2 Database
2.4.5 Repositories
2.4.5.1 Displaying and Connecting to a Repository
2.4.5.2 Repository Actions and Options
2.4.5.3 Add User or Group (for Active Directory Role/Group Support)
2.4.5.4 Viewing Global Group Membership (for AD Role/Group Support)
2.4.5.5 Searching for Specific Users or Groups (for AD Role/Group Support)
2.4.5.6 Adding Users or Groups (for LDAP Role/Group Support)
2.4.5.7 Selecting a Search Base (for LDAP Role/Group Support)
2.4.5.8 Browsing for a Repository
2.4.5.9 Connecting to the Repository
2.4.5.10 Connection Controls
2.4.5.11 Creating a New Container
2.4.5.12 Editing a Server List
2.4.5.13 Editing a Repository List
2.4.5.14 Subnodes Filtering Options
2.4.5.15 Working with Filtered Subnodes
2.4.5.16 Importing Multiple Objects to the Administrative Console
2.4.5.17 Publish to Repository
2.4.5.18 Publishing to the Repository from the Administrative Console
2.4.5.19 Exporting Administrative Overrides from the Administrative Console
2.4.5.20 Displaying the Publish to Repository Window
2.4.5.21 Publishing to the Repository from a Data File
2.4.5.22 Exporting Administrative Overrides from Data Files
2.4.5.23 Displaying the Wizard Page
2.4.6 Configuring Logon Manager Support
2.4.7 Exporting Administrative Overrides to a Synchronizer Container
2.4.8 Select Applications, Password Policies, and Session Lists to Publish to Repository
2.4.9 Selecting Global Agent Settings to Publish to Repository
2.4.10 Including Passphrase Questions to Publish to the Repository
2.4.10.1 Publish to Repository Summary Page
2.4.11 Selecting Role/Group Support Mode When Publishing to a Repository
2.4.12 Configuring Applications for an EntList
2.4.13 Adding a Locator Object
2.4.14 View Object
2.5 Synchronization
2.5.1 Supported Synchronizers
2.5.2 Directory Server Synchronization Support
2.5.3 Directory Structure
2.5.4 Finding and Creating User Objects
2.5.4.1 Method 1: Logon Manager Looks for the User Object
2.5.4.2 Method 2: Logon Manager Looks for a User Pointer
2.5.4.3 Method 3: Logon Manager Looks for a Default Pointer
2.5.5 File System Synchronization Support
2.5.5.1 File System Structure
2.5.6 Database Synchronization Support
2.5.7 Multiple Synchronizer Support
2.5.8 Multiple Synchronizer Extensions
2.5.9 Multiple Configurations of the Same Synchronizer Extension
2.5.10 Overriding Configuration Objects
2.5.11 Working with Multiple Sets of Overriding Settings
2.5.11.1 Sample Scenarios
2.5.12 Selective Backup/Restore
2.5.13 Command-Line Synchronization
2.6 Setting Password Policies
2.6.1 Creating Password Generation Policies
2.6.2 Adding a Password Policy
2.6.3 Working with a Selected Password Policy
2.6.4 Managing Policy Subscribers
2.6.5 The Password Constraints Tab
2.6.5.1 Password Constraint Options
2.6.6 Testing a Password Policy
2.6.6.1 Generating a Test Password
2.7 Using Passphrase Sets
2.7.1 Adding a Passphrase Set
2.7.2 Deleting a Passphrase Set
2.7.3 Modifying a Passphrase Set
2.7.4 Setting the Default Passphrase Set
2.7.5 Working with the Questions Tab
2.8 Working with Credential Sharing Groups
2.8.1 Adding Predefined Applications to a Credential Sharing Group
2.8.2 Creating Credential Sharing Groups
2.8.3 Viewing or Editing a Sharing Group
2.8.4 Deleting a Credential Sharing Group
2.8.5 The Domain Sharing Group
2.8.6 The LDAP Sharing Group
2.8.7 Settings for a Selected Credential Sharing Group
2.8.8 Adding Applications to a Credential Sharing Group
2.8.9 Editing Applications in a Credential Sharing Group
2.8.10 Removing Applications from a Credential Sharing Group
2.9 Working with User Exclusions
2.9.1 Creating an Exclusion List
2.9.2 Publishing an Exclusion List
2.9.2.1 Special Considerations for Active Directory Users
2.9.2.2 Publishing Exclusion Lists with Configuration Files
2.9.3 Add Exclusion List Dialog
2.9.4 Working with a Selected Exclusion List
2.9.4.1 Selecting an Exclusion List for Viewing or Editing
2.9.4.2 Exclusion Subscribers
2.9.4.3 Excluded Usernames
2.10 Using Shared Accounts
2.11 Storing User Data
2.11.1 Storing Credentials in the User Object
2.11.2 File-Based Backup/Restore
2.11.2.1 Automatic Backup
2.11.2.2 Command-Line Backup
2.11.2.3 Event-Driven Automatic Backup
2.11.2.4 Forced Restore
2.11.2.5 Command-Line Forced Restore
2.11.2.6 Event-Driven Forced Restore
2.12 Creating and Using Templates
2.12.1 Managing Templates
2.12.1.1 Creating a Template for a Running Application
2.12.1.2 Creating a New Template for Applications That Are Not Running on Your Workstation
2.12.1.3 Modifying an Existing Template
2.12.1.4 Deleting a Template
2.12.1.5 Adding Application Templates to Logon Manager
2.12.2 General Guidelines for Setting Up Applications
2.12.3 Adding Windows Applications
2.12.3.1 Special Issues and Settings
2.12.4 Adding Web Applications
2.12.5 Adding Host/Mainframe Applications
2.12.5.1 Configuring a Host/Mainframe Application Manually
2.12.5.2 Adding Java Applications and Applets
2.12.5.3 Adding Telnet Applications
2.12.5.4 Adding a Telnet Application Logon
2.12.5.5 Configuring a Telnet Application Logon Manually
2.12.6 Bulk-Adding Applications for First-Time Use
2.12.6.1 Specifying Applications to Bulk-Add
2.13 Creating New Applications
2.13.1 The Applications List
2.13.2 Adding an Application
2.13.2.1 Adding an Application from a Template
2.13.3 Creating a New Windows or Java Application Template
2.13.3.1 Creating a Template Using the Administrative Console
2.13.3.2 Configuring a Template Manually
2.13.3.3 Creating a Template Using an Open Application
2.13.4 The Windows Form Wizard
2.13.4.1 Selecting the Window Title
2.13.4.2 The Windows Form Wizard Application Tab
2.13.4.3 The Windows Form Wizard Credential Field Tab
2.13.4.4 Windows Form Wizard for RSA SecurID Applications
2.13.4.5 The Windows Form Wizard Identification Tab
2.13.4.6 The Windows Form Wizard Fields Tab
2.13.4.7 SendKeys for a Windows Application Logon
2.13.4.8 Kiosk Manager SendKeys (for a Windows Application)
2.13.4.9 Matching Tab for Configuring a Windows Application
2.13.4.10 The Windows Form Wizard Matching Dialog
2.13.4.11 Creating Match Criteria Using the Wizard
2.13.4.12 Creating or Modifying Match Criteria Manually
2.13.4.13 Add or Edit a Title on the Windows Matching Tab
2.13.4.14 Control Matching
2.13.4.15 Control ID Dialog (Windows Fields Tab)
2.13.4.16 Control Match Wizard
2.13.4.17 Ignore App Window
2.13.4.18 Ignore Match Fields
2.13.4.19 Logon App Window
2.13.4.20 Logon Match Fields
2.13.4.21 Logon Credential
2.13.4.22 Password Change App Window
2.13.4.23 Password Change Match Fields
2.13.4.24 Password Change Credential
2.13.4.25 Password Confirm App Window
2.13.4.26 Password Confirm Match Fields
2.13.4.27 Password Confirm Credential
2.13.4.28 Options Tab for Configuring a Windows Application
2.13.5 Creating a New Web Application Template
2.13.5.1 Creating a Template Using the Administrative Console
2.13.5.2 Creating a Template Using an Open Application
2.13.5.3 Web Form Wizard
2.13.5.4 Configuring a Web Application Using the Wizard
2.13.5.5 Web Form Wizard (for RSA SecurID Applications)
2.13.5.6 Identification Tab for Configuring a Web Application
2.13.5.7 Fields Tab for Configuring a Web Application
2.13.5.8 Dynamic and Ordinal Control IDs
2.13.5.9 Choose Control ID
2.13.5.10 SendKeys Settings for a Web Application
2.13.5.11 Matching Tab for Configuring a Web Application
2.13.5.12 Creating or Modifying Detection-Matching Criteria
2.13.5.13 Offset Matching
2.13.5.14 Edit Match Criteria for a Web Application
2.13.5.15 Add/Edit URL
2.13.5.16 Matching Expressions
2.13.5.17 Matching Environment Variables
2.13.5.18 Adding and Editing Web Fields
2.13.5.19 Field Identification Dialog
2.13.5.20 Options Tab for Configuring a Web Application
2.13.5.21 Proxy Tab for Configuring a Web Application
2.13.6 Creating a New Host/Mainframe Application
2.13.6.1 Host/Mainframe Form Wizard
2.13.6.2 Configuring a Host/Mainframe Application
2.13.6.3 Host/Mainframe Form Wizard for RSA SecurID
2.13.6.4 Configuring a Host/Mainframe Application for RSA SecurID
2.13.6.5 Identification Tab for Configuring a Host or Mainframe Application
2.13.6.6 Text Matching (on a Host/Mainframe Logon Form)
2.13.6.7 Edit SendKeys Fields and Actions for a Host/Mainframe Application
2.13.6.8 Fields Tab for Configuring a Host or Mainframe Application
2.13.6.9 Matching Tab for Configuring a Host or Mainframe Application
2.13.6.10 Options Tab for Configuring a Host or Mainframe Application
2.14 Configuring a Specific Application
2.14.1 General Tab (for a Selected Application)
2.14.2 Bulk Add Tab (for a Selected Application)
2.14.3 Authentication Tab (for a Selected Application)
2.14.4 Error Loop Tab (for a Selected Application)
2.14.5 Password Change Tab (for a Selected Application)
2.14.6 Events Tab (for a Selected Application)
2.14.7 Miscellaneous Tab (for a Selected Application)
2.14.8 Security Tab-Role/Group Support (for a Selected Application)
2.14.9 Provisioning Tab-Role/Group Support (for a Selected Application)
2.14.9.1 Add User or Group Dialog
2.14.10 Privileged Accounts Tab (for a Selected Application)
2.14.11 Delegated Credentials Tab (for a Selected Application)
2.14.11.1 Setting Up Delegated Credentials with Oracle Repositories
2.14.11.2 Export to INI File
2.14.11.3 Export EntList File
2.14.11.4 Export First-Time Use
2.14.11.5 Import Merge Conflict
2.14.11.6 Override Settings Tab (Edit Template Dialog)
2.14.11.7 Supply Info Tab (Edit Template Dialog)
2.14.11.8 Update Applications (from Template)
2.14.11.9 Launch Tab (for a Selected Application)
2.14.12 Launch Tab (for a Selected Application)
2.14.12.1 Manage Launch URI
2.14.13 Testing Templates
2.15 SSO Applications Node
2.16 Configuring Logon Manager for Specific Environments
2.16.1 Configuring the Agent for Windows Authentication
2.16.1.1 Confirming 128-bit Encryption
2.16.2 Configuring the Agent for Directory Server Synchronization
2.16.2.1 Using Role/Group Support with Directory-Server Synchronization
2.16.3 Configuring the Agent for Database Synchronization
2.16.4 Configuring the Agent for File System Synchronization
2.16.5 Configuring the Agent in a Citrix Environment
2.16.5.1 Installing Logon Manager on Citrix Server
2.16.5.2 Controlling Logon Manager for Specific Applications in Citrix
2.16.5.3 SSOLauncher for Citrix Servers
2.17 Configuring the Agent with Global Agent Settings
2.17.1 Global Agent Settings vs. Administrative Overrides
2.17.1.1 Recommended Global Agent Settings
2.17.1.2 Recommended Administrative Overrides
2.17.2 Working with a Set of Global Agent Settings
2.17.2.1 Creating and Importing Global Agent Settings
2.17.2.2 Adding a Set of Global Agent Settings
2.17.2.3 Exporting a Set of Global Agent Settings
2.17.2.4 Export Format
2.17.3 Global Agent Settings in Depth
2.17.3.1 User Experience
2.17.3.2 Application Response
2.17.3.3 Initial Credential Capture
2.17.3.4 Web Application Response
2.17.3.5 Windows Application Response
2.17.3.6 Java Application Response
2.17.3.7 Host/Mainframe Application Response
2.17.3.8 Password Change
2.17.3.9 User Interface
2.17.3.10 Setup Wizard
2.17.3.11 Authentication
2.17.3.12 Authentication Manager
2.17.3.13 Windows v2 Authenticator Settings
2.17.3.14 Windows v2 Authenticator Passphrase Settings
2.17.3.15 Windows Authenticator Settings
2.17.3.16 LDAP v2 Authenticator Settings
2.17.3.17 LDAP v2 Authenticator Special Purpose Settings
2.17.3.18 LDAP Authenticator Settings
2.17.3.19 LDAP Authenticator Special Purpose Settings
2.17.4 Using Strong Authenticators
2.17.5 Strong Authenticator Configuration Settings
2.17.5.1 Smart Cards
2.17.5.2 Integrating with Kiosk Manager
2.17.5.3 Smart Card Middleware
2.17.5.4 Smart Card Authenticator Settings
2.17.5.5 Read-Only Smart Cards
2.17.5.6 Integrating with Kiosk Manager
2.17.5.7 Read-Only Smart Card Authenticator Settings
2.17.5.8 Proximity Cards
2.17.5.9 Integrating with Kiosk Manager
2.17.5.10 Active Directory Technical Notes
2.17.5.11 AD LDS (ADAM) Technical Notes
2.17.5.12 OmniKey Proximity Card Reader Technical Note
2.17.5.13 Proximity Card Authenticator Settings
2.17.5.14 RSA SecurID
2.17.5.15 Configuring the SoftID Helper
2.17.5.16 First-Time-Use Scenarios
2.17.5.17 Integrating with Kiosk Manager
2.17.5.18 Microsoft Visual C++ Technical Note
2.17.5.19 PIN Mode Support Technical Note
2.17.5.20 Secure Data Storage
2.17.5.21 Enabling Secure Data Storage
2.17.5.22 Secure Data Storage Authenticator Settings
2.17.5.23 Kiosk Manager Integration Notes
2.17.6 Provisioning Gateway Server Locations
2.17.6.1 Delegated Credentials Settings
2.17.6.2 Privileged Accounts Settings
2.17.7 Synchronization Settings
2.17.7.1 Manage Synchronizers Dialog
2.17.7.2 Add Synchronizer Dialog
2.17.7.3 Using the Edit List Dialog for Synchronizer Settings
2.17.7.4 General Synchronization Options
2.17.7.5 Active Directory Synchronization Settings
2.17.7.6 AD LDS (ADAM) Synchronization Settings
2.17.7.7 Database Synchronization Settings
2.17.7.8 File System Synchronization Settings
2.17.7.9 LDAP Synchronization Settings
2.17.7.10 LDAP Special Purpose Synchronization Settings
2.17.7.11 Roaming Profile Synchronization Extension Settings
2.17.8 Security Settings
2.17.8.1 Security Options
2.17.8.2 Masked Fields
2.17.9 Custom Actions Settings
2.17.10 Windows Event Log-Based Reporting
2.17.10.1 Technical Prerequisites
2.17.11 Audit Logging Settings
2.17.11.1 Configuring the Windows Event Logging Server
2.17.11.2 Configuring the Reporting Server
2.17.11.3 Configuring Windows Event Viewer
2.17.11.4 Configuring the Syslog Server
2.17.11.5 XML File Event Logging
2.17.11.6 Database Event Logging
2.17.11.7 Kiosk Manager Settings
2.17.11.8 Kiosk Manager User Interface
2.17.12 Oracle Access Manager Support
2.17.12.1 Access Manager Settings
2.17.13 Integrating with Password Reset
2.17.13.1 Password Reset Settings
2.17.14 Using the Configuration Test Manager
2.17.14.1 Categories
2.17.14.2 Parameters
2.17.14.3 Execution and Results
2.18 Deploying Logon Manager
2.18.1 Default MSI Deployment Options
2.18.1.1 Performing an Installation with the Shipped MSI Package
2.18.1.2 Installing from the Command Line
2.18.1.3 Installing the MSI Package Remotely
2.18.1.4 Microsoft Windows Installer (MSI) Package
2.18.2 Deploying the Agent with Anywhere
2.18.3 Using the MSI Generator
2.18.3.1 Base MSI Selection
2.18.3.2 Selecting MSI Features
2.18.3.3 Selecting a Set of Global Agent Settings and Generating a New MSI
2.18.3.4 Testing and Deploying to End-Users
2.18.4 Using Other Deployment Tools
2.19 Using Kiosk Manager
2.19.1 Events and Actions
2.19.1.1 Types of Events
2.19.1.2 Configuring Events and Action Lists
2.19.1.3 Creating an Action List
2.19.1.4 Creating and Using Terminate Lists
2.19.1.5 Configuring Kiosk Manager to Terminate an Application
2.19.1.6 Specifying a Window Title for Matching
2.19.1.7 Using SendKeys with Kiosk Manager
2.19.1.8 Creating and Using Run Lists
2.19.1.9 Creating and Using Special Actions Lists
2.19.1.10 Adding Applications with Process Path Keys
2.19.1.11 Selecting Default Applications to Leave Running
2.19.2 Session States
2.19.2.1 Creating a Session State
2.19.2.2 Copying a Session State
2.19.2.3 Deleting a Session State
2.19.2.4 Selecting Session State Events
2.19.2.5 Selecting a Predefined Event
2.19.2.6 Adding a Custom Event
2.19.2.7 Selecting a Session State Authenticator
2.19.2.8 Adding a Custom Authenticator
2.19.2.9 Using the Actions Tab to Add Session States
2.19.2.10 Associating Actions to a Session State
2.19.2.11 Configuring Session State Security
2.19.3 About Desktop Manager
2.19.3.1 Administration Menu
2.19.3.2 Session Termination
2.19.3.3 Open Sessions (Multi-Sessions)
2.19.3.4 Transparent Screen Lock
2.19.3.5 Terminating Sessions
2.19.3.6 Customizing the Desktop Manager
2.19.3.7 Desktop Status Window
2.19.4 Event and Audit Logs
2.19.4.1 Event Log Messages
2.19.4.2 Bypassing the Kiosk Manager Agent
2.19.4.3 Closing the Kiosk Manager Agent
2.19.4.4 Setting Up a Trust
2.19.4.5 Using the MacListener Utility to Enable Caregiver Mobility and Oracle VDI Session Support
2.19.5 Configuring Strong Authentication Options
2.19.6 Linking to Password Reset
2.19.7 Command Line Options
2.19.8 The .NET API
2.19.8.1 .NET API Sample Code
2.19.9 Kiosk Manager Best Practices
2.19.9.1 Deploying Kiosk Manager Settings
2.19.9.2 SendKeys
2.19.9.3 Disable Task Manager and Run
2.20 Provisioning Gateway Overview
2.20.1 Managing Provisioning
2.20.1.1 Provisioning Default Rights Tab
2.20.1.2 Add User or Group Dialog
2.20.1.3 Provisioning Admin Rights Tab
2.20.2 Oracle Privileged Accounts Manager (OPAM)
3 Configuring an Agent Deployment with Anywhere
3.1 Overview of Creating a Deployment Package
3.1.1 A Few Notes About Anywhere Prerequisites and Deployment Limitations
3.1.2 Creating a Deployment Package
3.2 The General Tab
3.3 The Options Tab
3.3.1 Install Settings
3.3.2 Updates Settings
3.3.2.1 Localized Deployments
3.3.3 Agent Settings
3.4 The Generate Tab
4 Using the Administrative Console to Configure Password Reset
4.1 First-Time Setup
4.1.1 Configuring Service Storage
4.1.1.1 Adding a Server
4.1.1.2 Adding a Connection String
4.1.2 Configuring the Reset Service Account
4.1.2.1 Setting or Changing the Anonymous Logon
4.2 Setting Up the Enrollment Interview
4.2.1 Enrollment Level Settings
4.2.2 National Language Support
4.2.3 Questions Tab
4.2.4 Creating System Questions
4.2.4.1 Assigning Point Values to Questions
4.2.5 Editing System Questions
4.2.5.1 Selecting Users and Groups for Question Assignment
4.2.5.2 Modifying or Disabling a System Question
4.2.5.3 Changing Question Weights
4.2.6 Question Examples
4.2.6.1 Required Questions
4.2.6.2 Eliminators
4.2.6.3 Optional Questions
4.2.7 Excluding Users from Forced Enrollment
4.3 Configuring Reset Authentication
4.3.1 Score Thresholds
4.3.2 Editing Reset Service Settings
4.3.3 Multi-Domain Support
4.4 Password Complexity
4.5 Alerts
4.6 Logging
4.7 Reporting
4.8 Configuring the Enrollment User Interface
4.9 Configuring the Reset User Interface
4.9.1 Changing the Reset User Interface Through the Registry
4.9.2 Customizing Reset Messages
4.9.3 Role/Group Support
4.10 Managing Users
4.10.1 User Details General Tab
4.10.2 User Details Enrollments Tab
4.10.3 User Details Resets Tab
4.10.4 Managing Enrollments
4.10.4.1 Viewing Enrollment Search Results
4.11 Managing Resets
4.11.1 Viewing Resets
4.11.1.1 Viewing Reset Search Results
4.11.1.2 Viewing User Search Results
4.12 Working with External Validators
4.12.1 Writing the External Validator Interface
4.12.2 Installing the External Validator
4.12.3 Directing Password Reset to the External Validator
4.12.3.1 User Enrollment with External Validators
4.12.3.2 Password Reset with External Validators
4.12.4 Deleting the External Validator
5 Configuring Strong Authenticators with Universal Authentication Manager
5.1 Overview of Universal Authentication Manager
5.1.1 Universal Authentication Manager Repository Synchronization
5.1.1.1 How Synchronization Works
5.1.1.2 Repository Functions
5.1.1.3 Synchronization Functions
5.1.2 Administration of Universal Authentication Manager
5.1.3 Fingerprints
5.1.4 Proximity Cards
5.1.4.1 About Proximity Card PINs
5.1.5 Smart Cards
5.1.5.1 About Smart Card PINs
5.1.6 Challenge Questions
5.2 Deploying Universal Authentication Manager
5.2.1 Selecting the Client Mode
5.2.1.1 Local Mode
5.2.1.2 Enterprise Mode
5.2.1.3 Switching from Local to Enterprise Mode on an Existing Installation
5.2.2 Configuring Universal Authentication Manager for Synchronization with Microsoft Active Directory
5.2.2.1 Preparing the Repository When Logon Manager Is Already Deployed
5.2.2.2 Creating a Universal Authentication Manager Service Account
5.2.2.3 Extending the Schema
5.2.2.4 Enabling Data Storage Under User Objects
5.2.2.5 Initializing Universal Authentication Manager Storage
5.2.2.6 Configuring the Universal Authentication Manager Synchronizer
5.2.2.7 Configuring Universal Authentication Manager Synchronization for Administrative Users
5.2.3 Configuring Universal Authentication Manager for Synchronization with Microsoft AD LDS (ADAM)
5.2.3.1 Preparing the Repository When Logon Manager Is Already Deployed
5.2.3.2 Creating the AD LDS (ADAM) Instance and Partition
5.2.3.3 Configuring the AD LDS (ADAM) Default Naming Context
5.2.3.4 Creating a Universal Authentication Manager Service Account
5.2.3.5 Extending the Schema
5.2.3.6 Creating the People Container
5.2.3.7 Initializing Universal Authentication Manager Storage
5.2.3.8 Configuring the Universal Authentication Manager Synchronizer
5.2.4 Integrating with Logon Manager
5.2.5 Integrating with Password Reset
5.2.6 Integrating with Kiosk Manager
5.3 Working with Universal Authentication Manager Policies
5.3.1 Creating a Policy
5.3.1.1 The General and Assignments Tabs
5.3.2 Configuring a Policy
5.3.2.1 Enabling Logon Methods
5.3.2.2 Configuring Enrollment Prompts
5.3.2.3 Setting the Enrollment Grace Period
5.3.2.4 Configuring a Fingerprint Policy
5.3.2.5 Configuring a Proximity Card Policy
5.3.2.6 Configuring a Smart Card Policy
5.3.2.7 Configuring a Challenge Questions Policy
5.3.2.8 Configuring a Windows Password Policy
5.3.3 Publishing a Policy
5.3.4 Assigning Users and Groups to a Policy
5.3.5 Publishing a Policy to the Repository
5.3.6 Modifying an Existing Policy
5.3.7 Deleting a Policy
6 Using the Administrative Console to Configure the Reporting Client
6.1 Installing the Administrative Console and Reporting Client
6.2 Installing the Reporting Extension
6.2.1 Configuring Reporting Settings
6.3 Setting Up the Reporting Service as a Domain User
6.3.1 Overview of the Process to Set Up Reporting as a Domain User
6.4 Oracle Database Configuration Overview
6.4.1 Creating the Oracle Database User
6.4.2 Creating the Database Table and Setting Up Stored Procedures
6.4.3 Creating a Connection String
6.4.4 Configuring Oracle Database on Client Machines
6.4.5 Setting Up Oracle Database to Use Reporting with Windows Integrated Authentication
6.4.5.1 Creating an Active Directory Domain User That Will Write Events to the Database
6.4.5.2 Modifying the Default Domain Policy to Allow the Reporting Domain User to Log On as a Service
6.4.5.3 Verifying Publication of the Active Directory Permission on the Client Machine
6.4.5.4 Configuring the ESSO Reporting Service on the Client Machine to Run as This Domain User
6.4.6 Setting Up the Server for Integrated Authentication
6.4.6.1 Verify the Windows Authentication Protocol
6.4.6.2 Create the External Oracle User for the Domain User
6.5 Setting Up the Oracle Database for Reporting
6.5.1 Upgrading an Existing Oracle Database Setup
6.5.1.1 Upgrading an Existing Oracle Database Setup
6.5.1.2 Providing the Required Permissions to the New Reporting Domain User
6.5.1.3 Creating a Public Synonym for SP_WRITEEVENTS
6.5.2 Setting Up a New Oracle Database for the ESSO Reporting Service
6.5.3 Creating the Connection String for Integrated Login
6.5.4 Configuring the Oracle Database on Client Machines
6.5.5 Next Steps
6.6 Microsoft SQL Server Configuration Overview
6.6.1 Creating the Database Table and Setting Up Stored Procedures
6.6.2 Creating the Reporting Database User
6.6.3 Setting Up the Domain Computer
6.6.4 Setting Permissions to Log On to the Reporting Administrative Console
6.6.5 Enabling TCP/IP Protocol on SQL 2008 Server R2
6.6.6 Setting Up Microsoft SQL Server to Use Reporting with Windows Integrated Authentication
6.6.6.1 Creating an Active Directory Domain User That Will Write Events to the Database
6.6.6.2 Modifying the Default Domain Policy to Allow the Reporting Domain User to Log On as a Service
6.6.7 Verifying Publication of the Active Directory Permission on the Client Machine
6.6.8 Configuring the ESSO Reporting Service on the Client Machine to Run as This Domain User
6.6.9 Setting Up Microsoft SQL Server for Integrated Authentication
6.6.9.1 Configuring a Login and Role for the New Reporting Domain User in the Microsoft SQL Database
6.6.10 Setting Permissions for the Reporting Domain User
6.6.11 Next Steps
6.7 Using Oracle Business Intelligence Publisher for Deployment with Reporting
6.7.1 Configuring Oracle Business Intelligence Publisher
6.7.2 Deploying Reporting
7 Reference
7.1 General Suite Information
7.1.1 Installing an AD LDS (ADAM) Instance
7.1.2 Obtaining a Certificate for SSL Connectivity
7.1.2.1 Considerations When Deciding to Use SSL
7.2 Logon Manager
7.2.1 Understanding the Application Configuration Files
7.2.1.1 How the Agent Uses entlist.ini
7.2.1.2 How the Agent Uses aelist.ini
7.2.2 Best Practices for Deploying the Agent in a Citrix Environment
7.2.2.1 Installation
7.2.2.2 Deploying Logon Manager Per User
7.2.2.3 Deploying Logon Manager Per Application
7.2.2.4 Deploying Logon Manager Per Server
7.2.2.5 Global Agent Settings Specific to Citrix Servers
7.2.2.6 Publishing Applications
7.2.3 Logon Manager Application Compatibility Considerations
7.2.4 Configuring Host Emulators
7.2.4.1 Attachmate EXTRA!/myExtra!
7.2.4.2 BlueZone Web-to-Host Emulator
7.2.4.3 BOSaNOVA
7.2.4.4 Ericom PowerTerm
7.2.4.5 G&R Glink
7.2.4.6 Hummingbird Host Explorer
7.2.4.7 IBM Client Access
7.2.4.8 IBM Client Access Express
7.2.4.9 IBM Host On-Demand
7.2.4.10 IBM Personal Communications
7.2.4.11 Jolly Giant QWS3270 PLUS
7.2.4.12 NetManage Rumba
7.2.4.13 Net Soft NS/Elite
7.2.4.14 Newhart Systems BLUES 2000
7.2.4.15 Novell LAN Workplace
7.2.4.16 PuTTY
7.2.4.17 Scanpak Aviva for Desktops
7.2.4.18 Seagull BlueZone
7.2.4.19 WRQ Reflection
7.2.4.20 Zephyr PC to Host
7.2.4.21 Zephyr Web to Host
7.2.5 SAP Configuration
7.2.5.1 Border Values for Web Logon Credential Fields
7.2.6 Understanding the Logon Manager Secondary Authentication API
7.2.6.1 The SecondaryAuthKey Method
7.2.6.2 The FreeSecondaryAuthKey Method
7.2.6.3 Driver Code for Testing a Custom Secondary Authenticator
7.2.6.4 Switching Secondary Authentication Methods
7.2.6.5 Switching from Built-In Secondary Authentication to External Secondary Authentication
7.2.6.6 Switching from External Secondary Authentication to Built-In Secondary Authentication
7.2.6.7 Switching from One External Secondary Authentication Library to Another
7.2.7 Configuring Windows Authenticator Version 2
7.2.7.1 Migrating a WinAuth v1 Installation to WinAuth v2
7.2.7.2 Configuring WinAuth v2 for Authenticator Key Management via Windows DPAPI
7.2.7.3 Configuring WinAuth v2 for Recovery via Interactive Passphrase Prompt
7.2.7.4 Configuring WinAuth v2 for Recovery via Logon Manager Secondary Authentication API
7.2.7.5 Configuring WinAuth v2 for Kiosk Environments
7.2.7.6 Resetting the User-Provided Passphrase Answer
7.2.7.7 Enabling WinAuth v2 Strong Authentication Device Support
7.2.8 Configuring LDAP Authenticator Version 2
7.2.8.1 Migrating an LDAPAuth v1 Installation to LDAPAuth v2
7.2.8.2 Configuring LDAPAuth v2 for Recovery via Interactive Passphrase Prompt
7.2.8.3 Configuring LDAPAuth v2 for Recovery via Logon Manager Secondary Authentication API
7.2.8.4 Resetting the User-Provided Passphrase Answer
7.2.8.5 Enabling LDAPAuth v2 Strong Authentication Device Support
7.2.9 Smart Card Monitor Utility (ssoSCDetect.exe)
7.2.10 Global Agent Settings
7.2.10.1 Recommended Global Agent Settings for SSO Kiosk Operation
7.2.11 Configuring Registry Settings and Administrative Overrides
7.2.12 Directory Server Schema Definition
7.2.12.1 vGOSecret
7.2.12.2 vGOUserData Object
7.2.12.3 vGOConfig Object
7.2.12.4 vGOLocatorClass
7.2.13 Error Loop Quick Reference
7.2.14 Configuring Logon Manager Event Logging for IBM DB2 Database Support
7.2.14.1 Installing and Configuring the IBM DB2 Database
7.2.14.2 Setting Up the Event Log Data Table
7.2.14.3 Installing the Database Event Extension Component for Logon Manager
7.2.14.4 Configuring Logon Manager Event Logging for Database Support
7.2.14.5 Testing Your Event Logging Configuration
7.2.15 Configuring Logon Manager Event Logging with MS SQL Server 2005
7.2.15.1 Install and Configure MS SQL Server 2005
7.2.15.2 Set Up the Event Log Data Table
7.2.15.3 Install the Database Event Extension Component for Logon Manager
7.2.15.4 Configure Logon Manager Event Logging for Database Support
7.2.15.5 Test Your Event Logging Configuration
7.2.16 Understanding the Logon Manager Event Notification API
7.2.16.1 Event Handling Tasks
7.2.16.2 The SSONotificationService Co-Class
7.2.16.3 Sending Data (Producer)
7.2.16.4 Receiving Data (Consumer)
7.2.17 Using the Trace Controller Utility
7.2.17.1 Using the Trace Controller Utility in Graphical Mode
7.2.17.2 Viewing Logged Events
7.2.17.3 Customizing the Event List View
7.2.17.4 Configuring Event Capture Hot Keys
7.2.17.5 Using the Trace Controller Utility in Command Line Mode
7.2.18 Authentication Manager Error Messages
7.2.18.1 Warning Level Messages
7.2.18.2 Error Level Messages
7.2.19 Regular Expression Syntax
7.2.20 Command-Line Options
7.2.21 Character Codes and Keys
7.2.21.1 Codes for VTabKeyN (Windows)
7.2.21.2 Codes for VirtualKeyCode and VKEY (Windows)
7.2.21.3 Codes for PreKey and TabKey (Host/HLLAPI)
7.2.21.4 ftulist.ini Keys
7.2.21.5 entlist.ini Keys
7.2.22 Kiosk Manager .NET API Sample
7.3 Password Reset
7.3.1 Understanding Password Reset Data Structures
7.3.1.1 Main Configuration Data (SYSTEMPARAMETERS Table)
7.3.1.2 Logging Configuration Data (SYSTEMPARAMETERS Table)
7.3.1.3 System Challenge Question Data (SYSTEMPARAMETERS Table)
7.3.1.4 User Enrollment Data (ENROLLMENTINFORMATION, USERQUESTIONS, and USER Tables)
7.3.1.5 Password Reset Data (RESETINFORMATION Table)
7.3.1.6 Log Message Data (SYSLOG)
7.3.2 Schema Diagram
7.3.2.1 Rights and Security
7.3.2.2 Object Classes
7.3.2.3 Attributes
7.3.3 Configuring Password Reset for Data Storage in an Oracle Database
7.3.3.1 Configuring the Database Schema for Password Reset Data
7.3.3.2 Configuring Password Reset to Store Data in the Database
7.3.4 Password Reset Client-Side Registry Settings
7.3.4.1 Under HKLM\Software\Passlogix\SSPR
7.3.4.2 Language Codes for WindowsInterface\xx
7.3.5 Password Reset Server-Side Registry Settings
7.3.5.1 Under HKLM\Software\Passlogix\SSPR
7.3.5.2 Under HKLM\Software\Passlogix\SSPR\Storage\Extensions\
7.3.5.3 Under HKLM\Software\Passlogix\SSPR\Storage\Extensions\ADAM\
7.3.5.4 Under HKLM\Software\Passlogix\SSPR\Storage\Extensions\
7.3.5.5 Under HKLM\Software\Passlogix\SSPR\Storage\Extensions\AD\
7.4 Reporting
7.4.1 Reporting Event Definition Table
7.4.1.1 Definitions
7.5 Universal Authentication Manager Registry Settings
7.5.1 Setting Logon Method Display Order
7.5.2 Re-Enabling the Windows 7 Password Credential Provider
7.5.3 Re-Enabling the Windows 7 PKI SmartCard Credential Provider
7.5.4 Disabling the Windows 7 Fingerprint Credential Provider
7.5.5 Global Universal Authentication Manager Settings
7.5.6 Global Brand Settings
8 Troubleshooting
8.1 Installation
8.1.1 Authenticators
8.1.2 Synchronizer Extensions
8.1.3 Uninstalling
8.1.4 Agent Performance/Application Response
8.1.5 Authentication
8.1.5.1 Initial Authentication
8.1.5.2 Reauthentication
8.1.6 Application Configuration
8.1.6.1 All Applications
8.1.6.2 Predefined Windows Applications
8.1.6.3 All Web Applications
8.1.6.4 Web Applications That Are Predefined
8.1.6.5 Web Applications That Are Not Predefined
8.1.7 Host Applications
8.1.7.1 Responding to All Host Applications
8.1.7.2 Responding to a Specific Host Application
8.1.8 Event Logging
8.1.8.1 All Extensions
8.1.8.2 Windows Event Viewer
8.1.9 Credential Sharing Groups
8.1.10 All Synchronizer Extensions
8.1.10.1 All Directory Extensions User Connections
8.1.10.2 Admin Objects
8.1.10.3 File System Server User Connections
8.1.10.4 OpenLDAP Directory Server Repository
8.2 Troubleshooting a Universal Authentication Manager Deployment
8.2.1 Recovery from Deletion of the Service Account
8.2.2 Authentication Service Repair Error
8.2.3 AutoLogon Condition Is Incorrectly Configured
8.2.4 Avoid Using Dual-Purpose Cards with Dual-Purpose Readers
8.2.5 Ensuring Compatibility with Windows Domain Policies
8.2.6 AutoLogon Behavior
8.2.7 Windows Password Logon and Unlock
8.2.7.1 Windows Password Logon and Unlock Errors
8.2.8 Microsoft Active Directory Security Policies
8.2.9 Active Directory Password Policies
8.2.10 Universal Authentication Manager Authentication Methods and Lockout
8.2.11 Changing User Passwords As the Administrator