5 Configuring Strong Authenticators with Universal Authentication Manager

Oracle Enterprise Single Sign-On Universal Authentication Manager enables enterprises to replace the use of native password logon to Microsoft Windows and Active Directory networks with stronger and easier to use authentication methods. The Universal Authentication Manager system also enhances enterprise security beyond traditional password authentication by providing two-factor authentication methods. Universal Authentication Manager enables users to rapidly and securely enroll credentials that will be used to identify and authenticate them.

In this chapter, you will learn the following:

5.1 Overview of Universal Authentication Manager

At its core, Universal Authentication Manager offers a flexible, adaptable, and truly universal authentication solution, capable of integrating with a wide variety of authentication methods through its framework and APIs. Out-of-the-box, Universal Authentication Manager offers four built-in and configurable authentication methods: smart cards, passive proximity cards, biometric fingerprint, and a challenge questions quiz. Native Windows Passwords are also supported.

Universal Authentication Manager associates an easily obtainable piece of data from a smart card or proximity card with a user account, so that the card or token can be used to identify and authenticate a user.

5.1.1 Universal Authentication Manager Repository Synchronization

Universal Authentication Manager can synchronize with Microsoft Active Directory for centralized storage of Universal Authentication Manager policies. When Universal Authentication Manager is configured to utilize a repository, it periodically synchronizes logon method policies and user credential enrollment data to and from the repository.

Synchronization takes place only when a client workstation is deployed in enterprise mode to utilize a centralized repository. The repository itself must be properly configured to support Universal Authentication Manager synchronization. For information on preparing the repository, see Configuring Universal Authentication Manager for Synchronization with Microsoft Active Directory and Configuring Universal Authentication Manager for Synchronization with Microsoft AD LDS (ADAM).

How Synchronization Works

Policy synchronization is pull-down-only, meaning only the latest roaming policies published to each user are pulled down from the repository during synchronization. User credential enrollment data is reconciled by timestamp—that is, newer local data is uploaded to the repository, while newer remote data is downloaded and cached on the client computer.

Universal Authentication Manager synchronizes at a number of locations and times, depending on how you have configured your system. Data may be out-of-date at any given time; this is necessary to provide the highest level of performance for the typical cases where data does not change very often and thus no synchronization is required. By default, synchronization will occur at every authentication and enrollment event. You can customize synchronization settings as described in Section 7.5, "Universal Authentication Manager Registry Settings".

Repository Functions

  • Stores Universal Authentication Manager policies and enrollment data.

  • Leverages existing repository schemas used by other Oracle Enterprise Single Sign-On Suite products.

  • Enrollment data is secure and access to it is restricted.

Synchronization Functions

  • Retrieves Universal Authentication Manager policies from the repository to local data cache.

  • Reconciles data updated during offline operations from repository.

  • Enforces security for proper access rights to repository data.

5.1.2 Administration of Universal Authentication Manager

Universal Authentication Manager administrators can configure and apply Universal Authentication Manager policy settings from a central location using the Administrative Console. The Administrative Console contains Universal Authentication Manager settings that allow administrators to configure policies; these policies specify how various logon methods operate for different users and user groups.

A policy is simply a collection of settings that control how a user or user group authenticates to the system and is stored as an object within the repository and Universal Authentication Manager's local cache. You can create as many policies as you need in order to establish secure authentication for all users throughout your enterprise, but you can only apply one policy per user or user group.

After you create a policy, you publish it to the supported repository and select which users it will govern. See Publishing a Policy for details.

Using the Administrative Console, an administrator can perform the following tasks:

5.1.3 Fingerprints

Universal Authentication Manager enables you to enroll and use third-party USB biometric fingerprint readers and readers embedded in laptops as an authentication mechanism to Universal Authentication Manager.

Administrators can configure up to ten fingerprint samples to be enrolled. By default, one fingerprint sample is required by Universal Authentication Manager, but Oracle recommends administrators increase this number to at least two to prevent lockout in case of injury in which the primary sample becomes unusable.

This logon method requires a supported biometric reader device and the BIO-key BSP v1.12 (older versions are not supported) to be installed and configured on each user's system using this logon method. If this is not installed, users will get an error message.

To use the Fingerprint logon method, users must manually choose to log on with that method from the Logon dialog.

5.1.4 Proximity Cards

A passive proximity card or token is an identity object (such as a workplace ID badge) containing a circuit that a card-reading device can detect and decipher. When the proximity card is placed in close proximity to a reader, the reader detects the token's presence and recognizes identifying information that is associated with a specific user. This Universal Authentication Manager logon method includes the option to require a user to enroll a PIN that is associated with a proximity token. When so configured, Universal Authentication Manager prompts the user for the enrolled PIN associated with a token during logon, strengthening user authentication.

User logon and unlock can be initiated by card detection, or a user can manually choose to logon or unlock using this method. Users will insert or tap an enrolled card on an attached reader to initiate or complete a logon or an unlock.

When presenting a proximity card, users must tap-and-hold the proximity card until the software noticeably responds to the event. You can adjust the minimum token presence required before a proximity token is recognized by using the MinPresence setting in the registry. For more information, see Section 7.5, "Universal Authentication Manager Registry Settings".

Proximity cards will be enrolled by retrieving each card's unique serial number and securely associating its value with a single repository user account.

Universal Authentication Manager supports two proximity card authentication methods:

  • Proximity card only (no PIN)

  • Proximity card plus Universal Authentication Manager PIN (default value)

About Proximity Card PINs

Proximity cards can have associated PINs for stronger account security. By default users are required to create the PIN during enrollment, and supply the PIN for authentication.


Oracle strongly recommends always using PINs associated with proximity cards as a best practice for increased security.

PINs for proximity cards are created by the user and securely managed and stored (hash only) by Universal Authentication Manager. A Universal Authentication Manager PIN feature is integrated into the proximity card authenticator, enabling users to enroll an optional PIN value that is linked and stored with each enrolled card.

A policy controls whether a card's Universal Authentication Manager PIN is required for user authentication. When a Universal Authentication Manager PIN is required, a PIN prompt dialog will appear after the card is presented to and detected by a reader.

If a policy is configured to require the card and a PIN, during the card enrollment flow the user will be required to enroll a Universal Authentication Manager PIN in conjunction with the card together as one event.

5.1.5 Smart Cards

A smart card is a credit card-sized token containing a chip or embedded circuits that can store and process data securely. Information stored on a smart card can also be used for identification and authentication. Universal Authentication Manager enables enrolling and using smart cards for user logon and authentication without writing any data to the smart card. A PIN is required to enroll and use a smart card at all times.

User logon and unlock can be initiated by card detection, or a user can manually choose to logon or unlock using this method. Users will insert an enrolled card to an attached reader to initiate a logon or unlock.

About Smart Card PINs

Smart cards issued to users have an associated PIN that is stored and managed on each card. Universal Authentication Manager requires users to utilize a PIN with their smart card at all times and you may choose to require either the smart card's built in PIN or allow the user to generate and assign a custom Universal Authentication Manager PIN to the smart card. This PIN is securely stored (hash only, never the actual PIN) and managed by Universal Authentication Manager and is not written to the card. To select the desired PIN mode, see Configuring a Smart Card Policy.

Your environment must satisfy the following prerequisites in order to use a smart card with its built-in PIN:

  • Each card must have an embedded serial number.

  • Each card must have a valid digital certificate and a key pair, which can be generated either by third-party tools or Universal Authentication Manager. Oracle recommends using the method that conforms more closely to your organization's security policies. Cards without a valid certificate and key pair can only be used with a Universal Authentication Manager-generated PIN.


    To have Universal Authentication Manager generate a key pair, you must configure it to do so via Section 7.5, "Universal Authentication Manager Registry Settings". Universal Authentication Manager does not generate digital certificates, and one is not required in such a scenario.

  • Your card's middleware must conform to the Microsoft Base CSP standard or be both fully PKCS#11-compliant and provide a CSP module.

A policy setting controls whether the card's built in PIN or a user-assigned Universal Authentication Manager PIN will be used. Settings for controlling the minimum PIN length and allowed characters are also available.

During card enrollment, a user must either correctly submit a smart card's PIN value or provide a new custom PIN before a card can be enrolled as a security measure to ensure that the user knows the associated PIN value. When the card is used for authentication, the user will be prompted for the card's PIN in order to successfully authenticate.

5.1.6 Challenge Questions

The Challenge Questions method is a question-and-answer quiz that can be used as a fallback logon method when authentication via other enrolled methods fails. Challenge Questions requires the user to correctly answer enough questions to satisfy a predetermined weight requirement for successful logon.

In local mode, the questions and answers, as well as their weight requirements are preconfigured and cannot be altered. In enterprise mode, Universal Authentication Manager supports synchronization with Password Reset, which enables the use of Password Reset to store questions and answers enrolled by the user through Universal Authentication Manager (existing Password Reset enrollments cannot be used by Universal Authentication Manager) providing portability for the enrollment data. Synchronization with Password Reset also enables control over the questions that are available to different users and groups, as well as individual customization of the weight of each question, as allowed by Password Reset.


If you are deploying Universal Authentication Manager in enterprise mode and install the Challenge Questions logon method, you must configure synchronization with a Password Reset server, as described in Integrating with Password Reset. Otherwise, users will be unable to enroll with or authenticate via the Challenge Questions method across your network.

In order to synchronize with Password Reset, you must:

  • Deploy Password Reset on your network.

  • Deploy Universal Authentication Manager in enterprise mode.

  • Provide the Password Reset synchronization URL of a fully functional Password Reset server instance as described in Integrating with Password Reset.

  • Instruct users to select their questions and provide answers by enrolling the Challenge Questions logon method via Universal Authentication Manager; existing Password Reset enrollments cannot be used by Universal Authentication Manager.


    If you are using the Challenge Questions logon method on a machine that is not connected to the Internet and are experiencing long delays when enrolling in or answering a Challenge Questions quiz, disable the option Check for publisher's certificate revocation in Internet Explorer. The delay is caused by the Microsoft .NET Framework attempting to look up the server's certificate and timing out when a certificate authority cannot be reached.

5.2 Deploying Universal Authentication Manager

This section covers the following Universal Authentication Manager deployment tasks:

5.2.1 Selecting the Client Mode

During installation, you can select whether to install Universal Authentication Manager in either local mode or enterprise mode.

Local Mode

In local mode, Universal Authentication Manager securely stores policies and enrollment data on the local machine. Note that:

  • A Windows-default security policy limits the local account's use of blank passwords to workstation logon only. In consequence, local accounts with blank passwords cannot be used to authenticate to Universal Authentication Manager, even though they can still be used to authenticate to Windows. Oracle recommends that you enforce cryptographically strong passwords across your enterprise at all times.

  • If Universal Authentication Manager is switched to enterprise mode and synchronizes with a repository, any policy settings configured by the administrator will be enforced and override all local policy settings; locally stored enrollment data will be stored in the repository instead from that point forward.

  • If you have deployed Universal Authentication Manager in local mode and are planning to switch to enterprise mode, users must not enroll on multiple machines; doing so will cause an encryption key mismatch once the multiple enrollments are synchronized to the repository and result in possible loss of the enrollment data.

Enterprise Mode

In enterprise mode, Universal Authentication Manager synchronizes with a central repository in which it stores enrollment data and from which it retrieves policy settings deposited by the administrator. Note that:

  • When Universal Authentication Manager is able to connect to the repository, it synchronizes any policy and user enrollment changes as required during each authentication and enrollment operation. Various aspects of synchronization can be configured by the administrator, including recurring background synchronization.

  • When Universal Authentication Manager is unable to connect to the repository, it will continue to function and use a locally stored copy of policies and enrollments retrieved during the last successful synchronization. Any policy updates deployed to the repository will not take effect until a connection to the repository is reestablished and synchronization is completed.

  • When deploying Universal Authentication Manager in enterprise mode, users must not enroll in any logon methods until synchronization with the repository has been properly configured and tested. Otherwise, the pre-synchronization enrollment data will be lost.


If you are deploying Universal Authentication Manager in enterprise mode and install the Challenge Questions logon method, you must configure synchronization with a Password Reset server, as described in Integrating with Password Reset. Otherwise, users will be unable to enroll with or authenticate via the Challenge Questions method across your network.

Switching from Local to Enterprise Mode on an Existing Installation

If you plan to have Universal Authentication Manager synchronize with a repository, as a best practice, Oracle recommends installing Universal Authentication Manager in local mode and switching over to enterprise mode manually after the repository has been prepared and synchronization settings configured as described in Prepare the Universal Authentication Manager Repository in Oracle Enterprise Single Sign-On Suite Installation Guide.

To switch an existing Universal Authentication Manager installation from local mode to enterprise mode, set the registry key HKLM\Software\Passlogix\UAM\ClientMode to a dword value of 1 (0x00000001) and restart the machine.


When making the switch, enforce the following:

  • Users must not enroll or authenticate to Universal Authentication Manager at all (even with Windows password) prior to switching from local to enterprise mode. Otherwise, all enrollment data will be lost.

  • The switch should occur after installing Universal Authentication Manager and configuring the Universal Authentication Manager service account but before rebooting the workstation.

5.2.2 Configuring Universal Authentication Manager for Synchronization with Microsoft Active Directory


Before completing the procedures in this section, note that:

  • Oracle recommends that you install Universal Authentication Manager in local mode and switch it to enterprise (synchronization) mode as described in Selecting the Client Mode only after you have prepared the repository and configured synchronization settings. Otherwise, Universal Authentication Manager data structures may not be correctly created or permissions correctly set within the repository.

  • When deploying Universal Authentication Manager in enterprise mode, users must not enroll in any logon methods until synchronization with the repository has been properly configured and tested. Otherwise, enrollment data will be lost.

  • Only Microsoft Active Directory and Microsoft AD LDS (ADAM) are supported as repositories.

In order to allow Universal Authentication Manager to centrally store and manage policies and enrollment data, you must prepare an Active Directory-based repository and configure Universal Authentication Manager for synchronization with that repository by performing the following tasks:

When assigning user groups, keep the following in mind:

  • User groups used should be in the same domain.

  • Use security groups, not distribution groups.

  • Universal Authentication Manager will only support a single Active Directory domain.

Preparing the Repository when Logon Manager Is Already Deployed

If Logon Manager is already installed and synchronizing with your Active Directory-based repository, Universal Authentication Manager will be sharing Logon Manager's repository container to store its own policies and settings. In such cases, you do not need to extend the schema or enable data storage under user objects. Instead, complete the following steps:

Creating a Universal Authentication Manager Service Account

In order for Universal Authentication Manager to read and write data in the repository, you must give it the privileges to do so. This is accomplished by creating a service account that Universal Authentication Manager uses to interact with its repository. This account should be a standard domain account (member of Domain Users); no other permissions are necessary.

  1. On the workstation that will serve as your domain controller, launch Active Directory Users and Computers.

  2. Right-click in the Users container and select New > User. The User account is a regular member of the Domain Users group.

    [Figure: uam_create_new_user_ad.png]

  3. Enter a name for the user or group account (for this example, the name is uamservice) and click Next>.

    [Figure: uam_create_user_account.png]

  4. Enter a password, select the Password never expires box, and deselect the User must change password at next logon box.

    [Figure: uam_cop_obj_pwd_no_exp.png]

Extending the Schema


If you are not sure whether you have already extended the schema, simply complete the steps below; performing the schema extension multiple times will not harm your repository or the data it contains.

  1. Launch the Administrative Console.

  2. From the Repository menu, select Extend Schema.

    [Figure: uam_extend_schema.png]

  3. In the Connect to Repository dialog that appears, enter a Server Name (for this example, the name is DC01), select Microsoft Active Directory Server from the drop-down menu, select the Use secure channel (SSL) check box if your environment is configured for SSL connectivity, enter the Port number (this example uses port 389), and the Username/ID and Password of an administrative account with Domain and Schema Administrator permissions. Click OK when finished.

    [Figure: uam_connect_to_dc01.png]

Enabling Data Storage Under User Objects

After extending the schema, you must allow Universal Authentication Manager to store enrollment data under each respective user's user object within the repository. To do so, complete the following steps:


If Logon Manager is already installed and synchronizing with your repository, you do not need to enable this option, as it is already enabled; proceed to the next section.

  1. In the left-hand tree, right-click the Repository node and select Connect To... from the context menu.

  2. In the Connect to Repository dialog that appears, enter a Server Name (for this example, the name is DC01), select Microsoft Active Directory Server from the drop-down menu, select the Use secure channel (SSL) check box if your environment is configured for SSL connectivity, enter the Port number (this example uses port 389), and the Username/ID and Password of an administrative account with Domain and Schema Administrator permissions. Click OK when finished.

    [Figure: uam_connect_to_dc01.png]

  3. From the Repository menu, select Enable Storing Credentials Under User Object.

  4. In the prompt that appears, click OK.

  5. In the confirmation dialog that appears, click OK to dismiss it.

Initializing Universal Authentication Manager Storage

Perform these steps after successfully extending the schema.

  1. Return to the Repository menu and select Initialize UAM Storage.

    [Figure: uam_initialize_storage.png]

  2. From the drop-down menu, select the server that you just created. The other fields are filled in automatically.

    [Figure: uam_connect_to_dc01.png]

  3. Click OK.

  4. In the Select User or Group dialog, start typing the name of your service account, then click Check Names. The service account name is filled in automatically.

    [Figure: uam_sel_user_grp_for_extnd.png]

  5. Click OK and wait for the success message.

    [Figure: uam_strg_init_successful.png]

    The data structures have now been created and the required permissions set. For more information on what's done in the repository during this step, see the next section.

About The Universal Authentication Manager Repository Data Structures and Permissions

When you invoke the Initialize UAM Storage command described earlier, Universal Authentication Manager does the following within your repository:

  • Modifies the schema to ensure that vgoUser and vgoConfig classes may be placed inside Container objects.

  • Builds the default container structure Program Data/Passlogix/UAM with subcontainers Policies and Index as shown below:

    [Figure: uam_repository_structure.png]


    Never manually modify the contents of the index and policies containers.

    The containers can be named differently if your environment requires so; however, you will need to manually configure all Universal Authentication Manager client instances to point to the custom-named containers. Oracle highly recommends you leave the container names at their defaults.

  • Grants the Universal Authentication Manager service account generic read, write, modify, and delete permissions to the index container (as well as all other permissions inherited from its parent) so that the Universal Authentication Manager service can read, create, modify, and delete objects in the index container.

  • Grants the Universal Authentication Manager service account generic read permissions (as well as any permissions inherited from its parent) so that the Universal Authentication Manager service can read objects within the policies container.

  • Updates the domain root DSE object to grant the Universal Authentication Manager service account permissions to create and delete vgoConfig and vGoUser objects under User objects across the entire domain. (If the user objects have been relocated to a custom location, the permissions can be set directly at the target container instead of at the root.)

  • Updates the domain root DSE object to grant the Universal Authentication Manager service account generic read permissions to all vgoConfig objects across the domain so that the Universal Authentication Manager service can read all vgoConfig objects regardless of their location in the repository.

Configuring the Universal Authentication Manager Synchronizer

You are now ready to configure the Universal Authentication Manager synchronizer so that Universal Authentication Manager can synchronize with the repository. Complete the following steps:

  1. Launch the Administrative Console.

  2. In the left-hand tree, navigate to Global Agent Settings > [TargetSettingsSet] > Synchronization.

  3. If Logon Manager is not installed and synchronizing with the repository, add a configuration node for the Active Directory synchronizer to your settings set as follows (otherwise skip to the next step):

    1. Right-click the Synchronization node and select Manage synchronizers from the context menu.

    2. In the window that appears, click Add.

    3. In the list of available synchronizers, select Active Directory, enter ADEXT as the name, and click OK.

    4. Click OK to dismiss the dialog. The ADEXT node appears under the Synchronization node.

  4. Do one of the following:

    • If Logon Manager is installed and synchronizing with the repository, do not modify the value of the Base location(s) for configuration objects field; instead, skip to the next step.

    • If Logon Manager is not installed and synchronizing with the repository, do the following in the Base location(s) for configuration objects field:

      Select the check box.

      Click the ellipsis (...) button.

      In the window that appears, enter the fully qualified DN of the Universal Authentication Manager Policies container.

      Click OK.

  5. In the Base location(s) for UAM storage index field, select the check box, click the ellipsis (...) button, and enter the fully qualified DN of the Index container, then click OK.

  6. If it is not already set, select the check box next to the Location to store user credentials option and select Under respective directory user objects from the drop-down list.

  7. Configure other synchronization settings as desired; for more information on each setting, see the Administrative Console help.

  8. Export your settings to a .REG file for distribution to end-user workstations:

    1. From the File menu, select Export.

    2. In the dialog that appears, click HKLM Registry Format.

    3. In the Save dialog that appears, navigate to the desired location and provide a name for the .REG file, then click Save.


      The Console produces a .REG file compatible only with 32-bit systems. If you are merging the .REG file on a 64-bit system, you must include the /reg:32 switch in your import command to merge the registry data into the correct location within the registry; otherwise, Universal Authentication Manager will not function.

      For example: reg.exe import MyRegistryFile.reg /reg:32

  9. Distribute the .REG file to your Universal Authentication Manager workstations and merge it into their Windows registries.

Configuring Universal Authentication Manager Synchronization for Administrative Users

The rights necessary to store credentials under user objects are granted at the tree root and inherited down to user objects. If you are deploying Universal Authentication Manager in enterprise mode in an environment where members of protected user groups, such as Administrators, will be using it, you must grant the Universal Authentication Manager service account through the AdminSDHolder object the permissions necessary to create and delete vGOUserData and vGOSecret objects.


If Logon Manager is already installed and synchronizing with the same repository that Universal Authentication Manager is utilizing, you will also need to grant these permissions to the AdminSDHolder object itself, which was most likely done during Logon Manager deployment. This granting will appear as "SELF" in the affected administrative user's permissions list, as well as in the AdminSDHolder object's permissions list.

Without this explicit permission application, administrative users will be blocked from storing their Universal Authentication Manager data in the repository due to automatic inheritance of restrictive rights from the AdminSDHolder object. This is because the object's ACL, which governs the ACLs of all protected groups, prohibits rights inheritance by default. For more information about this issue, see Microsoft Knowledge Base Article 817433 available at the Microsoft Help and Support site: http://support.microsoft.com/kb/817433.

The following protected user groups are known to be affected by this problem:

  • Enterprise Admins

  • Schema Admins

  • Domain Admins

  • Administrators

  • Account Operators

  • Server Operators

  • Print Operators

  • Backup Operators

  • Cert Publishers

To verify that you are experiencing this particular issue, do the following:

  1. Log on to the primary domain controller as a domain administrator.

  2. Open the Active Directory Users and Computers MMC snap-in.

  3. From the View menu, select Advanced Features.

  4. Navigate to the affected user object, right-click it, and select Properties.

  5. In the dialog that appears, select the Security tab.

  6. Click Advanced. The Advanced Security Settings dialog appears:

    [Figure: uam_admin_permissions.png]

  7. In the dialog, check whether:

    • The Allow inheritable permissions… check box is not selected.

    • The permissions highlighted in the figure in step 6 are not present in the list.

      If the above conditions are true, the user object is not inheriting the necessary permissions from the directory root.

To rectify this issue, you must manually modify the ACL of the AdminSDHolder object to grant the right to create objects of type vGOConfig and vGOUserData. The steps are as follows:

  1. Log in to the primary domain controller as a domain administrator.

  2. In the Microsoft Management Console, open the Active Directory Schema snap-in.

  3. In the left-hand tree, drill down the Classes node and locate the vGOUserData node.

  4. Right-click the vGOUserData node and select Properties from the context menu.

  5. In the properties dialog that appears, select the Relationship tab.

  6. Click the Add Superior button.

  7. In the dialog that appears, select container from the drop-down list and click OK. The container class appears in the Possible Superior field.

    [Figure: uam_vgouserdata_props.png]

  8. In the Microsoft Management Console, open the Active Directory Users and Computers snap-in.

  9. From the View menu, select Advanced Features.

  10. Navigate to the AdminSDHolder container located in cn=AdminSDHolder,cn=System,dc=domainName,dc=domainSuffix

  11. Right-click the AdminSDHolder container and select Properties.

  12. In the Properties dialog, select the Security tab and click Advanced.

  13. In the Advanced Security Settings dialog, click Add…

  14. In the Select User, Computer, or Group dialog, enter the name of the Universal Authentication Manager service account and click OK.

  15. In the Permission Entry dialog, do the following:

    1. From the Apply onto: drop-down list, select This object and all child objects.


      If the create and delete permissions for vGOUserData objects do not appear in the permissions list, select User objects from the Apply on to: drop-down list instead. This variation occurs between different versions and patches of Active Directory and the underlying operating system.
    2. In the list of permissions, select the Allow check box for the permissions shown below:

      [Figure: uam_vgo_user_data_perms.png]

    3. Click OK.

  16. Trigger the SD propagator (SDPROP) process to immediately propagate the changes throughout the network. For instructions for launching the SD propagator process, see Microsoft Knowledge Base Article 251343 available at the Microsoft Help and Support site: http://support.microsoft.com/kb/251343.


If you encounter a version of this procedure that calls to apply the above permissions onto "This object only," disregard it. It is deprecated and has been superseded by the steps above.

If you are running Windows Server 2008 R2, you can trigger the SD propagator process by kicking off the RunProtectAdminGroupsTask task.
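The verification procedure and the AdminSDHolder fix above can both be confirmed from PowerShell on a domain controller. The following script is an added example, not part of the Oracle documentation; it assumes the ActiveDirectory module is available, and the service account and user names in it are placeholders.

```powershell
# Added example (not from the Oracle documentation): check whether a protected user is
# affected by the AdminSDHolder issue and whether the fix has propagated to the user object.
# Assumptions: the ActiveDirectory module is installed; the names below are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\uamservice'   # assumption: the UAM service account as DOMAIN\name
$UserToCheck    = 'jdoe'                 # assumption: a member of a protected group
$ClassName      = 'vGOUserData'          # re-run with 'vGOSecret' to check that class as well

# The ACE must be scoped to the class's schemaIDGUID, so resolve it from the schema partition.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$class = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ClassName)" `
                      -Properties schemaIDGUID
if (-not $class) { throw "$ClassName is not in the schema; extend the schema first." }
$classGuid = New-Object System.Guid (,[byte[]]$class.schemaIDGUID)

# True when the object's ACL allows $Identity to both create and delete child objects of the
# given class. The two rights may sit in one ACE or be split across two, so test each.
function Test-VgoChildObjectRights {
    param([string]$DistinguishedName, [string]$Identity, [guid]$ClassGuid)
    $create = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $delete = [int][System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
    $aces = (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        $_.ObjectType -eq $ClassGuid
    }
    $canCreate = [bool]($aces | Where-Object { ([int]$_.ActiveDirectoryRights -band $create) -ne 0 })
    $canDelete = [bool]($aces | Where-Object { ([int]$_.ActiveDirectoryRights -band $delete) -ne 0 })
    return ($canCreate -and $canDelete)
}

$user          = Get-ADUser -Identity $UserToCheck -Properties adminCount
$adminSdHolder = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
$userAcl       = Get-Acl -Path "AD:\$($user.DistinguishedName)"

$result = [pscustomobject]@{
    User                     = $user.SamAccountName
    ProtectedByAdminSDHolder = ($user.adminCount -eq 1)         # SDPROP stamps adminCount=1
    InheritanceBlocked       = $userAcl.AreAccessRulesProtected # the unticked "Allow inheritable" box
    UserHasRights            = Test-VgoChildObjectRights $user.DistinguishedName $ServiceAccount $classGuid
    AdminSDHolderHasRights   = Test-VgoChildObjectRights $adminSdHolder $ServiceAccount $classGuid
}
$result | Format-List

# Interpretation:
#  - ProtectedByAdminSDHolder and InheritanceBlocked, but not UserHasRights: the symptom the
#    verification procedure describes; apply the AdminSDHolder fix above.
#  - AdminSDHolderHasRights but not UserHasRights: the ACE is in place but SDPROP has not yet
#    copied it to the user object; trigger the SD propagator and re-run this check.
```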

5.2.3 Configuring Universal Authentication Manager for Synchronization with Microsoft AD LDS (ADAM)


Before completing the procedures in this section, note that:

  • Oracle recommends that you install Universal Authentication Manager in local mode and switch it to enterprise (synchronization) mode as described in Selecting the Client Mode only after you have prepared the repository and configured synchronization settings. Otherwise, Universal Authentication Manager data structures may not be correctly created or permissions correctly set within the repository.

  • When deploying Universal Authentication Manager in enterprise mode, users must not enroll in any logon methods until synchronization with the repository has been properly configured and tested. Otherwise, enrollment data will be lost.

  • Only Microsoft Active Directory and Microsoft AD LDS (ADAM) are supported as repositories.

In order to allow Universal Authentication Manager to centrally store and manage policies and enrollment data in Microsoft AD LDS (ADAM), you must prepare a Microsoft AD LDS (ADAM) instance and configure Universal Authentication Manager for synchronization with that repository by performing the following tasks:

  • Create the AD LDS (ADAM) Instance and Partition

  • Configure the AD LDS (ADAM) Default Naming Context

  • Create a Universal Authentication Manager Service Account

  • Extend the Schema

  • Create the People Container

  • Initialize Universal Authentication Manager Storage

  • Configure the Universal Authentication Manager Synchronizer

When assigning user groups, keep the following in mind:

  • User groups used should be in the same domain.

  • Use security groups, not distribution groups.

  • Universal Authentication Manager will only support a single Active Directory domain.

Preparing the Repository when Logon Manager Is Already Deployed

If Logon Manager is already installed and synchronizing with your AD LDS (ADAM)-based repository, Universal Authentication Manager will be sharing Logon Manager's repository container to store its own policies and settings. In such cases, you do not need to extend the schema or create the People container. Instead, complete the following steps:

Universal Authentication Manager requires that the People container is located in its default location. If you have configured Logon Manager to use a People container located elsewhere (e.g. not in the root of the AD LDS (ADAM) partition), Universal Authentication Manager will not be able to share that container with Logon Manager; you will need to create a separate People container at the root of the AD LDS (ADAM) partition for Universal Authentication Manager.

Creating the AD LDS (ADAM) Instance and Partition

If you have not already done so, create an AD LDS (ADAM) instance and partition by following the steps in the "Creating an AD LDS (ADAM) Instance" section of the guide Deploying Logon Manager with a Directory-Based Repository.

Configuring the AD LDS (ADAM) Default Naming Context

After you have created your AD LDS (ADAM) instance and partition, you must point the instance's default naming context to the target partition so that Universal Authentication Manager is able to locate its data within the repository.

  1. Launch the ADSIEdit tool (available from the Microsoft website) and connect to the "Configuration" context of the target AD LDS (ADAM) instance.

  2. In the left-hand tree, navigate to Configuration > CN=Sites > CN=SiteName > CN=InstanceName .

  3. Under the instance node, double-click the CN=NTDS Settings child node.

  4. In the properties dialog that appears, select the msDS-DefaultNamingContext attribute and click Edit.

  5. In the editor dialog that appears, enter the fully qualified distinguished name of the target AD LDS (ADAM) partition, then click OK to save your changes.

    [Figure: uam_dnc.png]

  6. Click OK to save your changes and dismiss the properties dialog.

  7. Restart the affected AD LDS (ADAM) instance by restarting the corresponding service in the Windows Services Manager.

Creating a Universal Authentication Manager Service Account

In order for Universal Authentication Manager to read and write data in the repository, you must give it the privileges to do so. This is accomplished by creating a service account that Universal Authentication Manager uses to interact with its repository. This account should be a standard domain account (member of Domain Users); no other permissions are necessary. However, you must add the account to the target AD LDS (ADAM) instance's "Readers" group.

  1. On the workstation that will serve as your domain controller, launch Active Directory Users and Computers.

  2. Right-click in the Users container and select New > User. The User account is a regular member of the Domain Users group.

    [Figure: uam_create_new_user_ad.png]

  3. Enter a name for the user or group account (for this example, the name is uamservice) and click Next>.

    [Figure: uam_create_user_account.png]

  4. Enter a password, select the Password never expires box, and deselect the User must change password at next logon box.

  5. Add the Universal Authentication Manager service account to the AD LDS (ADAM) instance's "Readers" group:

    1. Start the ADSIEdit tool (available from the Microsoft website) and connect to the data partition of the target AD LDS (ADAM) instance.

    2. In the left-hand tree, expand the target partition and select the CN=Roles node.

    3. In the right-hand pane, double-click the CN=Readers role.

    4. In the properties dialog that appears, do the following:

      Select the member attribute and click Edit.

      In the attribute editor dialog that appears, click Add Windows Account.

      In the dialog that appears, enter the name of the Universal Authentication Manager service account and click Check Names.

      Once the name validates successfully, click OK to dismiss the account selection dialog.

      Click OK to save your changes and dismiss the attribute editor dialog.

      [Figure: uam_cn_readers1.png]

    5. Click OK to save your changes and dismiss the properties dialog.

Extending the Schema


If you are not sure whether you have already extended the schema, simply complete the steps below; performing the schema extension multiple times will not harm your repository or the data it contains.

  1. Launch the Administrative Console.

  2. From the Repository menu, select Extend Schema.

    [Figure: uam_extend_schema.png]

  3. In the Connect to Repository dialog that appears, enter a Server Name, select Microsoft AD LDS (ADAM) from the drop-down menu, select the Use secure channel (SSL) check box if your environment is configured for SSL connectivity, enter the Port number, and the Username/ID and Password of an administrative account with Domain and Schema Administrator permissions. Click OK when finished.

Creating the People Container

In order to allow Universal Authentication Manager to store enrollment data in AD LDS (ADAM), you must create an OU named People at the root of your AD LDS (ADAM) partition. You must not rename or move this container or Universal Authentication Manager synchronization will not function.

If Logon Manager is already installed and synchronizing with the repository and it is using a custom People container location, you must still create the People container for Universal Authentication Manager at the root of the AD LDS (ADAM) partition.

Oracle recommends that you maintain separate People containers for Logon Manager and Universal Authentication Manager when sharing an AD LDS (ADAM) instance.

  1. In the Administrative Console, select the Repository node in the tree.

  2. Click the Click here to connect link in the right-hand pane. The Console displays the Connect to Repository dialog. Fill in the fields as explained in step 3 in the previous section and click OK to connect.

  3. In the tree, right-click the root of the target AD LDS (ADAM) instance, and select Create People Container from the context menu.

    [Figure: uam_create_ppl_cont.png]

  4. Verify that the People container now exists at the root of the AD LDS (ADAM) instance's sub-tree.

    [Figure: uam_ppl_cont_created.png]

Initializing Universal Authentication Manager Storage

Perform these steps after you have successfully extended the schema.

  1. Return to the Repository menu and select Initialize UAM Storage.

    [Figure: uam_initialize_storage.png]

  2. From the drop-down menu, select the server that you just created and click OK. (The other fields are filled in automatically.)

  3. In the Select User or Group dialog, start typing the name of your service account, then click Check Names. The service account name is filled in automatically.

    [Figure: uam_sel_user_grp_for_extnd.png]

  4. Click OK and wait for the success message.

    [Figure: uam_strg_init_successful.png]

The data structures have now been created and the required permissions set. For more information on what's done in the repository during this step, see the next section.

About The Universal Authentication Manager Repository Data Structures and Permissions

When you invoke the Initialize UAM Storage command described earlier, Universal Authentication Manager does the following within your repository:

  • Modifies the schema to ensure that vgoUser and vgoConfig classes may be placed inside Container objects.

  • Builds the default container structure "Program Data/Passlogix/UAM" with subcontainers "Policies" and "Index" as shown below:

    [Figure: uam_tree_adlds.png]


    Never manually modify the contents of the index and policies containers.

    The containers can be named differently if your environment requires so; however, you will need to manually configure all Universal Authentication Manager client instances to point to the custom-named containers. Oracle highly recommends you leave the container names at their defaults.

  • Grants the Universal Authentication Manager service account generic read, write, modify, and delete permissions to the index container (as well as all other permissions inherited from its parent) so that the Universal Authentication Manager service can read, create, modify, and delete objects in the index container.

  • Grants the Universal Authentication Manager service account generic read permissions (as well as any permissions inherited from its parent) so that the Universal Authentication Manager service can read objects within the policies container.

  • Updates the root DSE object of the AD LDS (ADAM) partition to grant the Universal Authentication Manager service account permissions to create and delete vgoConfig and vGoUser objects under User objects across the entire AD LDS (ADAM) partition. (If the user objects have been relocated to a custom location, the permissions can be set directly at the target container instead of at the root.)

  • Updates the root DSE object of the AD LDS (ADAM) partition to grant the Universal Authentication Manager service account generic read permissions to all vgoConfig objects across the AD LDS (ADAM) partition so that the Universal Authentication Manager service can read all vgoConfig objects regardless of their location in the repository.

Configuring the Universal Authentication Manager Synchronizer

You are now ready to configure the Universal Authentication Manager synchronizer so that Universal Authentication Manager can synchronize with the repository. Complete the following steps:

  1. Launch the Administrative Console.

  2. In the left-hand tree, navigate to Global Agent Settings > [TargetSettingsSet] > Synchronization.

  3. If Logon Manager is not installed and synchronizing with the repository, add a configuration node for the AD LDS (ADAM) synchronizer to your settings set as follows (otherwise skip to the next step):

    1. Right-click the Synchronization node and select Manage synchronizers from the context menu.

    2. In the window that appears, click Add.

    3. In the list of available synchronizers, select Microsoft AD LDS (ADAM), enter ADAMSyncExt as the name, and click OK.

    4. Click OK to dismiss the dialog. The ADAMSyncExt node appears under the Synchronization node.

  4. If Logon Manager is installed and synchronizing with the repository, do not modify the value of the Servers, SSL, or Base location(s) for configuration objects fields; instead, skip to the next step.

    If Logon Manager is not installed and synchronizing with the repository, do the following:

    1. In the Servers field, select the check box.

    2. Click the ellipsis ("…") button.

    3. In the window that appears, enter the full address(es) and port(s) of your AD LDS (ADAM) instances, one per line, in the format server:port.

    4. Click OK.

    5. In the Base location(s) for configuration objects field, select the check box.

    6. Click the ellipsis ("…") button.

    7. In the window that appears, enter the fully qualified DN of the Universal Authentication Manager Policies container.

    8. Click OK.

    9. If your environment is not using SSL, select the check box next to the SSL field and select No from the drop-down field. Oracle highly recommends enabling SSL in your environment for maximum security.

  5. In the Base location(s) for UAM storage index field, select the check box, click the ellipsis ("…") button, and enter the fully qualified DN of the Index container, then click OK.

  6. In the Prepend Domain field, select the check box and select Yes from the drop-down menu.

  7. Configure other synchronization settings as desired; for more information on each setting, see the Console help.

  8. Export your settings to a .REG file for distribution to end-user workstations:

    1. From the File menu, select Export.

    2. In the dialog that appears, click HKLM Registry Format.

    3. In the "Save" dialog that appears, navigate to the desired location and provide a name for the .REG file, then click Save.


    The Console produces a .REG file compatible only with 32-bit systems. If you are merging the .REG file on a 64-bit system, you must include the /reg:32 switch in your import command to merge the registry data into the correct location within the registry; otherwise, Universal Authentication Manager will not function.

    For example: reg.exe import MyRegistryFile.reg /reg:32

  9. Distribute the .REG file to your Universal Authentication Manager workstations and merge it into their Windows registries.

5.2.4 Integrating with Logon Manager

You can configure Logon Manager to use Universal Authentication Manager as its primary logon method. Universal Authentication Manager supports integration with Logon Manager version 11.1.2.

When the Universal Authentication Manager installer detects that Logon Manager is installed, the Universal Authentication Manager Authenticator custom setup option is displayed, allowing you to choose to install the authenticator to enable integration with Logon Manager. For details on installation, see the Oracle Enterprise Single Sign-On Suite Installation Guide.

5.2.5 Integrating with Password Reset

The Universal Authentication Manager Challenge Questions logon method enables the use of Password Reset to store questions and answers enrolled by the user through Universal Authentication Manager (existing Password Reset enrollments cannot be used by Universal Authentication Manager) providing portability for the enrollment data. Synchronization with Password Reset also enables control over the questions that are available to different users and groups, as well as individual customization of the weight of each question, as allowed by Password Reset.

In order to configure Universal Authentication Manager to integrate with Password Reset, you must do the following:

  1. Install the Challenge Questions logon method if it has not already been installed. For instructions, see the Oracle Enterprise Single Sign-On Suite Plus Installation Guide.

  2. Install and configure Password Reset as described in the Oracle Enterprise Single Sign-On Suite Installation Guide.

  3. Obtain the Password Reset synchronization URL. The URL will have the following format:

    https://hostname:port/vGOSelfServiceReset/WebServices/Synchronization.asmx

  4. Configure Universal Authentication Manager to synchronize with Password Reset as described in the next section.

  5. Configure the challenge questions as desired within Password Reset. For more information, see Password Reset documentation.

  6. Instruct users to select their questions and provide answers by enrolling the Challenge Questions logon method via Universal Authentication Manager; existing Password Reset enrollments cannot be used by Universal Authentication Manager.

To configure Universal Authentication Manager to leverage Password Reset questions and answers for authentication, do the following:

  1. Launch the Administrative Console.

  2. Under the Global Agent Settings node navigate to the settings set you want to modify, or load it if necessary.

  3. Navigate to the Password Reset node and select it.

  4. In the right-hand pane, select the check box next to the Password Reset Synchronization URL option and enter the appropriate URL in the following format:

    https://hostname:port/vGOSelfServiceReset/WebServices/Synchronization.asmx

    If you have not configured your Password Reset deployment for SSL connectivity, replace https:// with http://.

  5. Export your settings to a .REG file for distribution to end-user machines:

    1. From the File menu, select Export.

    2. In the dialog that appears, click HKLM Registry Format (.REG).

    3. In the Save dialog that appears, navigate to a desired target location, enter a descriptive file name and click Save.


      The Console produces a .REG file compatible only with 32-bit systems. If you are merging the .REG file on a 64-bit system, you must run the following command to move the merged registry data to the correct location within the registry (otherwise, Universal Authentication Manager will not function):

      reg.exe COPY HKLM\Software\Passlogix HKLM\Software\Wow6432Node\Passlogix /s

  6. Distribute the .REG file to end-user machines and merge it into each machine's Windows registry.
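The /reg:32 import switch in the synchronizer export procedure earlier in this chapter and the reg.exe COPY command in step 5 above address the same problem: on 64-bit Windows the Console's .REG file must end up under Wow6432Node. The following PowerShell script is an added example rather than Oracle tooling; it merges an exported .REG file into the correct view, verifies where the Passlogix key landed, and applies the page's COPY remedy if needed. The .REG file name is an assumption, and the script assumes an elevated 64-bit PowerShell session.

```powershell
# Added example (not Oracle tooling): merge a Console-exported .REG file so that the
# Passlogix settings land where Universal Authentication Manager reads them, then verify.
# Run from an elevated, 64-bit PowerShell session: a 32-bit (WOW64) host would itself be
# redirected to Wow6432Node and the checks below would report the wrong view.
$RegFile   = '.\UAMSettings.reg'                     # assumption: the file exported from the Console
$KeyPath64 = 'HKLM:\SOFTWARE\Passlogix'              # native view; the wrong place on 64-bit Windows
$KeyPath32 = 'HKLM:\SOFTWARE\Wow6432Node\Passlogix'  # 32-bit view; where UAM looks on 64-bit Windows

function Merge-ConsoleRegFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Registry file not found: $Path" }
    if ([Environment]::Is64BitOperatingSystem) {
        # The Console writes a 32-bit .REG, so redirect the import into the 32-bit view.
        & reg.exe import $Path /reg:32 | Out-Null
    } else {
        & reg.exe import $Path | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed with exit code $LASTEXITCODE" }
}

# Reports which view holds the Passlogix key and whether that is the view UAM will read.
function Test-PasslogixRegistryView {
    $is64 = [Environment]::Is64BitOperatingSystem
    $in64 = Test-Path -LiteralPath $KeyPath64
    $in32 = $is64 -and (Test-Path -LiteralPath $KeyPath32)
    $ok   = if ($is64) { $in32 } else { $in64 }
    [pscustomobject]@{
        Is64BitOS     = $is64
        InNativeView  = $in64
        InWow6432Node = $in32
        UamWillFindIt = $ok
    }
}

# Remedy for a file that was already merged without /reg:32: copy the tree into the
# 32-bit view, using the command the Password Reset procedure above gives.
function Repair-PasslogixRegistryView {
    & reg.exe COPY HKLM\Software\Passlogix HKLM\Software\Wow6432Node\Passlogix /s | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe COPY failed with exit code $LASTEXITCODE" }
}

Merge-ConsoleRegFile -Path $RegFile
$state = Test-PasslogixRegistryView
if ($state.Is64BitOS -and $state.InNativeView -and -not $state.UamWillFindIt) {
    Repair-PasslogixRegistryView
    $state = Test-PasslogixRegistryView
}
$state | Format-List
```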

5.2.6 Integrating with Kiosk Manager

Universal Authentication Manager can be used as an authentication mechanism for locking and unlocking Kiosk Manager sessions in kiosk environments.

The steps in this procedure outline only the minimal configuration required to integrate Universal Authentication Manager with Kiosk Manager; your environment might require a more comprehensive configuration of Kiosk Manager.

In order to configure Universal Authentication Manager to integrate with Kiosk Manager, you must do the following:

  1. Install and configure Logon Manager and Kiosk Manager as described in the Oracle Enterprise Single Sign-On Suite Installation Guide. When configuring Kiosk Manager, you must follow instructions for strong authentication environments, as Universal Authentication Manager is a strong authentication application.

  2. Install Universal Authentication Manager as described in the Oracle Enterprise Single Sign-On Suite Installation Guide.

  3. Set Universal Authentication Manager as the default logon method for Logon Manager as described in Integrating with Logon Manager.

  4. Configure Universal Authentication Manager for synchronization with the repository, as described in Configuring Universal Authentication Manager for Synchronization with Microsoft Active Directory.

  5. Configure Kiosk Manager as described in the next section.

To configure Kiosk Manager to allow the locking and unlocking of a session via Universal Authentication Manager, complete the following steps:

  1. Configure Kiosk Manager strong authentication behavior as follows:

    1. Launch the Administrative Console.

    2. Navigate to Global Agent Settings > [TargetSettingsSet] > Kiosk Manager.

    3. In the Cached Credentials section, select the check box next to the Use Cached Credentials option and select No from the drop-down menu.

    4. In the Strong Authentication section, select the check box next to the Monitor for device events option and select Always from the drop-down menu.

    5. Select the check box next to the Prepopulate on Startup option and select Always from the drop-down menu.

    6. (Optional) If you do not want to lock the Kiosk Manager session when a Universal Authentication Manager token is removed, select the check box next to the Lock session on ESSO-UAM token removal option and select No from the drop-down menu. (The default is to lock the session on token removal.)

  2. Configure Logon Manager to clear the user's local cache on shutdown:

    1. Navigate to Global Agent Settings > [TargetSettingsSet] > Synchronization.

    2. Select the check box next to the Delete Local Cache option and select Yes from the drop-down menu.

  3. Configure Kiosk Manager user interface behavior as follows:

    1. Navigate to Global Agent Settings > [TargetSettingsSet] > User Experience> Application Response.

    2. Select the check box next to the Respond to hidden and minimized windows option and select No from the drop-down menu.

  4. Configure the Kiosk Manager session states required by Universal Authentication Manager. In the left-hand tree, expand the Kiosk Manager (top level, not under Global Agent Settings) node.

    Configure the action and session state for the "KM Session Locked" event:

    1. Select the Session States sub-node.

    2. Click Add and enter KMS_Locked as the name.

    3. Select the Events tab.

    4. Uncheck the Session End event.

    5. Check the Session Locked event.

    6. Select the Authenticators tab.

    7. Check the Universal Authentication Manager authenticator and all its individual adapters.

    8. Select the Actions tab.

    9. Click Add.

    10. Enter KMA_Locked as the name, select the Run List option, and click OK.

    11. Select the .NET API radio button and enter the following values into the fields:

      Assembly: ESSO-LM_Install_Directory\AUI\UAMAuth\KioskSessionChange.dll

      Class: CSessionStateChangeHandler

      Method: SessionLocked

  5. Configure the action and session state for the KM Before Session Unlocked event:

    1. Select the Session States sub-node.

    2. Click Add and enter KMS_IsUnlocking as the name.

    3. Select the Events tab.

    4. Uncheck the Session End event.

    5. Check the Before Session Unlocked event.

    6. Select the Authenticators tab.

    7. Check the Universal Authentication Manager authenticator and all its individual adapters.

    8. Select the Actions tab.

    9. Click Add.

    10. Enter KMA_IsUnlocking as the name, select the Run List option, and click OK.

    11. Select the .NET API radio button and enter the following values into the fields:

      Assembly: ESSO-LM_Install_Directory\AUI\UAMAuth\KioskSessionChange.dll

      Class: CSessionStateChangeHandler

      Method: BeforeSessionUnlocked

  6. Publish your changes to the repository.

5.3 Working with Universal Authentication Manager Policies

This section describes the following tasks you can perform when working on policies:

5.3.1 Creating a Policy

To create a new Universal Authentication Manager policy, do one of the following:

  • Click Universal Authentication Manager in the left pane. In the right pane, click Add Policy at the bottom of the screen.


  • Expand Universal Authentication Manager in the left pane and select Policies. Click the Add button at the bottom of the screen.


  • Right-click Universal Authentication Manager or Policies in the left pane and select New Policy.


  • Select UAM Policy from the Insert menu.

A dialog opens, prompting you to name the policy. Enter a name for the policy and click OK. The policy you created now appears when you expand the Policies node.

The General and Assignments Tabs

When you click the name of the policy, you will see two tabs in the right pane: General and Assignments.

[Figure: uam_highlighted_policy.png]

General Tab (for a Selected Policy)

From the General tab for a selected policy, you can review how many settings have been configured for the Logon Methods for that policy. Specifically, this tab displays the following information:

  • Path. The name of each Logon Method that makes up a group of related settings.

  • Set. The number of settings that have been configured.

  • Total. The total number of settings per Logon Method.

  • Add Notes. Launches the Notes dialog should you want to make any notes about this policy.

After settings are configured, re-selecting the policy in the left pane will display a summary of settings on the General tab that were changed. The text in the columns changes its color to highlight where changes were made to the policy.

Assignments Tab (for a Selected Policy)

From the Assignments tab for a selected policy, you can assign the policy to the specific users and/or user groups to which you want the policy applied.

For more information and restrictions on policy assignments, see Assigning Users and Groups to a Policy.

5.3.2 Configuring a Policy

Universal Authentication Manager supports enrollment using a number of logon methods that permit users to enroll credentials. When you create a policy, you specify:

  • Whether the logon method is enabled.

  • Whether to require users to enroll.

    • If enrollment is required, whether there is an enrollment grace period, and how long the grace period should be.

  • Other settings specific to each logon method.

Universal Authentication Manager administrators can configure and apply Universal Authentication Manager policy settings from a central location using the Administrative Console. The Administrative Console contains Universal Authentication Manager functions that allow administrators to configure policies. Policies control the privileges, restrictions, and enforcement of enrollment and logon rules for Active Directory users who log on to workstations connected to an Active Directory domain. Each policy you create contains a unique set of conditions for using Universal Authentication Manager that you can apply to users and user groups.

Under Universal Authentication Manager in the left pane, select Policies. The right pane will display the following items:

  • Policy Name. The name you give to a policy.

  • Items Set. The number of settings, or details, that have been configured for that policy.

  • Total Items. The total number of settings available for configuration.

  • Add. Click this button to create a new policy.

  • Delete. Click this button to remove a policy from the list.

For details on configuring logon method settings, see:


As a security best practice, Oracle recommends that you configure and apply policies for users to prevent them from configuring their own settings. If you do not define policies for users, they can define and change their own settings.

Enabling Logon Methods

This section describes the policies that apply to all of the logon methods. For policies specific to a particular logon method, see the specific logon method settings section for a description.

Logon Method Enabled Policy

The Logon Method Enabled policy is a per-logon method policy that allows administrators or users to disable an installed Universal Authentication Manager logon method.

This policy applies to all logon methods individually and each logon method will have its own value.

  • In enterprise mode, the Logon Method Enabled policy setting is an Administrative policy only. This means that the policy will never appear in the Universal Authentication Manager settings.

  • In local mode, the Logon Method Enabled policy setting is an end-user policy setting. You can manage the policy setting right from the Settings tab.

Illustration: uam_logon_meth_enabled.png

Windows Password Exception

Universal Authentication Manager automatically enables Windows Password authentication if no other logon methods are enrolled.

This is a "built-in" behavior that requires no configuration. For example, if you have disabled Windows Password via the Logon Method Enabled policy, a password is still allowed for logon, re-authentication and unlock as long as the user is not enrolled in at least one other method.


If the user is enrolled in one or more other methods, but those methods (and password) are all disabled, the user will be locked out. The administrator will have to correct this by re-configuring the Logon Method Enabled policy in the Administrative Console.

Logon Method Enabled Policy Prerequisites

Before you publish the Logon Method Enabled policy:

  • You must install the Administrative Console on the system.

  • You must install Universal Authentication Manager in enterprise mode on the end-user's system.

  • You must install the enabled logon method on the end-user's system.

  • You must configure the end user's system for synchronization to the repository.

To configure the policy:

  1. Launch the Administrative Console.

  2. Either create a new Universal Authentication Manager policy or select an existing one to modify.

  3. Enable or disable each logon method by setting the Logon Method Enabled value to Yes or No.

  4. Publish the new or changed Universal Authentication Manager policy to the UAM Storage Container for your user or user group in the repository so that Universal Authentication Manager will apply the policy to the end-user.

  5. Universal Authentication Manager synchronizes the policy for the end-user at the next repository synchronization.

Logon Method Enabled Policy Rules

If the Logon Method Enabled is configured to No for a logon method:

  • The logon method is displayed in the Logon Methods tab with a status of DISABLED. The only action users are allowed to perform is a Delete, as long as they are enrolled using the logon method. No other enrollment actions (Enroll or Modify) are available.

  • In enterprise mode, the logon method appears in the Settings tab. All policy settings are disabled, and the Logon Method Enabled policy setting is not displayed.

  • In local mode, the logon method appears in the Settings tab. The Logon Method Enabled policy setting is enabled, and all other policy settings are disabled.

  • Users are not allowed to log onto or enroll on the workstation using that logon method. If they attempt to log on with a disabled logon method, they will receive an error message.

  • Users are not allowed to re-authenticate using the logon method and will not see the logon method as an authentication option. Password authentication is enabled for Logon, Unlock, and Re-authentication if they are not enrolled in any other method.

Configuring Enrollment Prompts

The Enrollment Prompt is a per-logon method policy that controls whether end-users are prompted to enroll credentials for a specific logon method and whether the enrollment is optional or required. This applies to all logon methods that support enrollment (not Windows Password), and each logon method will have its own value. The options are:

  • Never. Users will not be prompted to enroll in that logon method.

  • Optional (default). Users are prompted to enroll in the logon method each time they log on to their system as well as every time they launch Universal Authentication Manager.

  • Required. Users are prompted to enroll in this logon method. Unless a Grace Period exists or an alternative logon method, such as Windows Password, is enabled, they will not be able to log on to their systems unless they enroll in this logon method.


Be careful when using the Required option. Since the Fingerprint, Proximity Card, and Smart Card logon methods require additional hardware, users may be unable to log on if one of those methods is configured as required and the required hardware is not available or functioning at logon time. Oracle highly recommends configuring a grace period or an optional enrollment for users who can potentially be affected by such a scenario.

If multiple logon methods are set to optional or required, users will be consecutively prompted to enroll each logon method. When prompted to enroll in each logon method, they may choose from the following options:

  • Enroll. Enroll in the logon method now.

  • Not Now. Exit and ask me to enroll later. This option does not exist when an enrollment is required and a Grace Period has not been set.

  • Never. Exit and do not ask me to enroll again. This option only exists when this policy is set to Optional.

    Illustration: uam_smart_welcome.png

This policy works in tandem with the Grace Period policy. When Enrollment Prompt is set to "Required" and a Grace Period is set, you can require enrollment with a specific logon method without immediately restricting end-users' access to systems. You can configure a suitable number of days in which an end-user will be allowed to defer enrollment.

The Enrollment Prompt policy setting is an administrative enterprise policy only. You can edit the policy setting only by using the Administrative Console.


Enrollment Grace Period does not appear as a user setting in Universal Authentication Manager in either local or enterprise mode. The value defaults to zero, and may be overridden by a policy in enterprise mode.

Configuring the Enrollment Prompt Policy

Before you publish the Enrollment Prompt policy:

  • You must install the Administrative Console on the system.

  • You must install Universal Authentication Manager in enterprise mode on the end-user's system.

  • You must install the desired logon method on the end-user's system.

  • You must configure the end user's system for synchronization to the repository.

To configure the policy:

  1. Launch the Administrative Console.

  2. Either create a new Universal Authentication Manager policy or select an existing one to modify.

  3. Set the Enrollment Prompt value for each logon method to Never, Optional or Required.

  4. Assign the policy to a user or group and publish it to the repository as described in Publishing a Policy.

    Universal Authentication Manager applies the policy during the next synchronization with the repository.

Setting the Enrollment Grace Period

The Enrollment Grace Period is a per-logon method policy that allows end-users to defer a required enrollment for a configured number of days (the grace period) whenever the enrollment prompt for the logon method is configured as required. This applies to all logon methods that support enrollment (that is, not Windows Password) individually, and each logon method will have its own value.

This feature allows you to require enrollment with a specific logon method without immediately restricting end-users' access to workstations. You can configure a suitable number of days in which an end-user will be allowed to defer enrollment.

The Enrollment Grace Period policy setting is an Administrative Enterprise Client Policy only. You can edit the policy setting only by using the Administrative Console.

The grace period can be from 0 (no grace period) to 365 days long.
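The interaction between Enrollment Prompt, Enrollment Grace Period and the prompt's buttons, expressed as an added example that is not part of the Oracle documentation or the ESSO-UAM product. It also acts as a pre-publish check for the Required-without-grace-period risk described under Configuring Enrollment Prompts. The function names, the `first_prompted` date and the hardware-method list are assumptions for illustration; the product does not document how it stores these values.

```python
"""Enrollment Prompt and Enrollment Grace Period evaluation (added example).

Not code from the Oracle documentation or the ESSO-UAM product. Function names,
the `first_prompted` date and HARDWARE_METHODS are assumptions for illustration.
"""
from datetime import date

NEVER, OPTIONAL, REQUIRED = "Never", "Optional", "Required"
# Methods the text singles out as needing extra hardware at logon time.
HARDWARE_METHODS = {"Fingerprint", "Proximity Card", "Smart Card"}
MAX_GRACE_DAYS = 365


def validate_grace_period(days):
    """Grace period must be an integer from 0 (no grace period) to 365 days."""
    if not isinstance(days, int) or not 0 <= days <= MAX_GRACE_DAYS:
        raise ValueError("Enrollment Grace Period must be 0..365 days, got %r" % (days,))
    return days


def grace_period_in_effect(prompt, grace_days):
    """The grace period applies only when the prompt is Required and the value is > 0."""
    return prompt == REQUIRED and validate_grace_period(grace_days) > 0


def prompt_options(prompt, grace_days):
    """Buttons the enrollment prompt offers for one logon method."""
    if prompt == NEVER:
        return []                       # the user is never prompted
    options = ["Enroll"]
    if prompt == OPTIONAL:
        options += ["Not Now", "Never"]
    elif grace_period_in_effect(prompt, grace_days):
        options.append("Not Now")       # "Never" is only offered for Optional
    return options


def _as_date(d):
    """Accept a date or an ISO 8601 string such as '2024-01-01'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def days_remaining(prompt, grace_days, first_prompted, today):
    """Days left to defer a required enrollment; None when no grace period applies.

    `first_prompted` is assumed to be the date the user first saw the prompt."""
    if not grace_period_in_effect(prompt, grace_days):
        return None
    elapsed = (_as_date(today) - _as_date(first_prompted)).days
    return max(0, grace_days - elapsed)


def lint_policy(settings):
    """Flag the risky or ineffective combinations the text warns about.

    `settings` maps method name -> (Enrollment Prompt, Grace Period days)."""
    warnings = []
    for method, (prompt, grace) in settings.items():
        validate_grace_period(grace)
        if prompt == REQUIRED and grace == 0 and method in HARDWARE_METHODS:
            warnings.append("%s: Required with no grace period; users without working "
                            "hardware may be unable to log on" % method)
        if prompt != REQUIRED and grace > 0:
            warnings.append("%s: Grace Period is ignored unless Enrollment Prompt "
                            "is Required" % method)
    return warnings


if __name__ == "__main__":
    # Constructed sample policy, not taken from any real deployment.
    settings = {"Smart Card": (REQUIRED, 0), "Fingerprint": (REQUIRED, 14),
                "Challenge Questions": (OPTIONAL, 30)}
    for w in lint_policy(settings):
        print("WARNING:", w)
    print(prompt_options(REQUIRED, 14))
    print(days_remaining(REQUIRED, 14, "2024-01-01", "2024-01-10"))
```

Running `lint_policy` over a draft policy before publishing it surfaces the two cases the text calls out: a hardware-dependent method set to Required with no grace period (possible lockout at the logon screen) and a grace period configured on a method whose prompt is not Required (silently ignored).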


Enrollment Grace Period does not appear as a user setting in Universal Authentication Manager in either local or enterprise mode. The value defaults to zero, and may be overridden by a policy in enterprise mode.

Configuring the Grace Period Policy

Before you publish the Grace Period policy:

  • You must install the Administrative Console on the system.

  • You must install Universal Authentication Manager in enterprise mode on the end-user's system.

  • You must install the desired logon method on the end-user's system.

  • You must configure the end user's system for synchronization to the repository.

To configure the policy:

  1. Launch the Administrative Console.

  2. Either create a new Universal Authentication Manager policy or select an existing one to modify.

  3. At a minimum, enable and configure the following policies for the desired logon method:

    • Set Enrollment Grace Period to a value greater than zero.

    • Set Enrollment Prompt to "Required."

  4. Assign the policy to a user or group and publish it to the repository as described in Publishing a Policy.

    Universal Authentication Manager applies the policy during the next synchronization with the repository.

At the next system logon, users see that they have a set number of days to enroll using the desired logon method.

Illustration: uam_finger_enroll_win7.png

If the user clicks Not Now, a message box appears, stating how many days remain within the grace period.

Illustration: uam_grace_period_days.png

Conditions that Disable the Grace Period Policy

The Enrollment Grace Period will not be in effect (that is, it will be disabled) if either of the following conditions exists:

  • The Logon Method Enrollment Prompt policy setting is NOT configured to "Required."

  • The Logon Method Enrollment Grace Period policy setting is configured to zero.

Configuring a Fingerprint Policy

When you select Fingerprint for a chosen policy, you are presented with all of the available fingerprint settings. All settings will be disabled by default and set to default values; to change a setting, select the check box next to the setting and configure a value.

Illustration: uam_consolefingerprint.png

You can configure the following settings:

Logon Method Enabled. Allows you to enable or disable the logon method. This policy setting enhances security by controlling the specific logon methods that end-users are allowed to use.


  • Yes (default)

  • No

If you select No, the end-user is not allowed to log on to or enroll on the workstation using this logon method. If users attempt to log on with a disabled logon method, they will receive an error message.

Enrollment Prompt. Controls whether a user is prompted to enroll and whether enrollment is optional or required.


  • Never

  • Optional (default)

  • Required

Grace Period. Allows end-users to defer a required enrollment for a configured number of days (the grace period).

Allows administrators to require enrollment with a desired logon method without immediately restricting end-users' access to workstations. Administrators can configure a suitable number of days in which an end-user will be allowed to defer enrollment.

The Enrollment Grace Period is disabled if any of the following conditions are met:

  • The Enrollment Prompt policy setting is NOT configured to "Required."

  • This setting is configured to zero.

Default is 0. Maximum grace period is 365 days.

Number of Fingers. Specifies the number of fingers the user is required to enroll. The user must enroll exactly the specified number of finger samples during enrollment. Default is 1.

PIN Required. Specifies whether the user must submit a PIN in order to be authenticated. Options are Yes (default) or No.

PIN Minimum Length. The minimum allowed length for the PIN. Possible values are 4-16 characters (default is 4 characters).

PIN Allowed Characters. Restricts the character type(s) the user can use in the PIN. Options are numeric only, alphanumeric, or any characters (default).

Configuring a Proximity Card Policy

When you select Proximity Card for a chosen policy, you are presented with all of the available proximity card settings. All settings will be disabled by default and set to default values; to change a setting, select the check box next to the setting and configure a value.

Illustration: uam_consoleprox.png

You can configure the following settings:

Logon Method Enabled. Allows administrators to enable or disable the logon method. This policy setting enhances security by controlling the specific logon methods that end-users are allowed to use.


  • Yes (default)

  • No

If you select No, the end-user is not allowed to log on to or enroll on the workstation using this logon method. If users attempt to log on with a disabled logon method, they will receive an error message.

Removal Action. Controls how the computer responds to a proximity card event while a user is logged on.

Note: Removal Action is only enforced when the corresponding logon method was the last method used to log on to or unlock the computer.


  • No Action

  • Lock Workstation (default)

  • Force Logoff

Enrollment Prompt. Controls whether a user is prompted to enroll and whether enrollment is optional or required.


  • Never

  • Optional (default)

  • Required

Grace Period. Allows end-users to defer a required enrollment for a configured number of days (the grace period).

Allows administrators to require enrollment with a desired logon method without immediately restricting end-users' access to workstations. Administrators can configure a suitable number of days in which an end-user will be allowed to defer enrollment.

The Enrollment Grace Period is disabled if either of the following conditions are met:

  • The Enrollment Prompt policy setting is NOT configured to "Required."

  • This setting is configured to zero.

Default is 0. Maximum grace period is 365 days.

PIN Required. Controls whether a user is required to enroll a PIN associated with the card. If a PIN is required, after the proximity card is presented to the reader, the user is challenged to submit the PIN to authenticate.


  • Yes (default)

  • No

PIN Minimum Length. The minimum allowed length of the proximity card PIN.


  • Possible values 4-16 (default is 4)

PIN Allowed Characters. The character sets users may use when enrolling a PIN associated with a proximity card.


  • Any characters (default)

  • Alphanumeric only

  • Numeric only

Configuring a Smart Card Policy

When you select Smart Card for a chosen policy, you are presented with all of the available smart card settings. All settings will be disabled by default and set to default values; to change a setting, select the check box next to the setting and configure a value.

Illustration: uam_consolesmart.png

You can configure the following settings:

Logon Method Enabled. Allows administrators to enable or disable the logon method. This policy setting enhances security by controlling the specific logon methods that end-users are allowed to use.


  • Yes (default)

  • No

If you select No, the end-user is not allowed to log on to or enroll on the workstation using this logon method. If users attempt to log on with a disabled logon method, they will receive an error message.

Removal Action. Controls how the computer responds when the smart card is removed from a card reader.

Note: Removal Action is only enforced when the corresponding logon method was the last method used to log on to or unlock the computer.


  • No Action

  • Lock Workstation (default)

  • Force Logoff

Enrollment Prompt. Controls whether a user is prompted to enroll and whether enrollment is optional or required.


  • Never

  • Optional (default)

  • Required

Grace Period. Allows end-users to defer a required enrollment for a configured number of days (the grace period).

Allows administrators to require enrollment with a desired logon method without immediately restricting end-users' access to workstations. Administrators can configure a suitable number of days in which an end-user will be allowed to defer enrollment.

The Enrollment Grace Period is disabled if either of the following conditions are met:

  • The Enrollment Prompt policy setting is NOT configured to "Required."

  • This setting is configured to zero.

Default is 0. Maximum grace period is 365 days.

PIN Type. Specifies whether to use the card's internal preconfigured PIN or to create and store a PIN within Universal Authentication Manager's secure data store. Options are Smart Card PIN (default) or ESSO-UAM PIN.

PIN Minimum Length (ESSO-UAM PIN type only). The minimum allowed length for the PIN. Possible values are 4-16 characters (default is 4 characters).

PIN Allowed Characters (ESSO-UAM PIN type only). Restricts the character type(s) the user can use in the PIN. Options are numeric only, alphanumeric, and any characters (default).

Configuring a Challenge Questions Policy

When you select Challenge Questions for a chosen policy, you are presented with all of the available challenge questions settings. All settings will be disabled by default and set to default values; to change a setting, select the check box next to the setting and configure a value.


If you have configured Universal Authentication Manager to integrate with Password Reset (enterprise mode only), you must configure the enrollment questions through Password Reset. Questions and answers cannot be modified when in local mode.

Additionally, users must select their questions and provide answers by enrolling the Challenge Questions logon method via Universal Authentication Manager; existing Password Reset enrollments cannot be used by Universal Authentication Manager.

Illustration: uam_cons_chlng_quests.png

You can configure the following settings:

Logon Method Enabled. Allows administrators to enable or disable the logon method. This policy setting enhances security by controlling the specific logon methods that end-users are allowed to use.


  • Yes (default)

  • No

If you select No, the end-user is not allowed to log on to or enroll on the workstation using this logon method. If users attempt to log on with a disabled logon method, they will receive an error message.

Enrollment Prompt. Controls whether a user is prompted to enroll and whether enrollment is optional or required.


  • Never

  • Optional (default)

  • Required

Grace Period. Allows end-users to defer a required enrollment for a configured number of days (the grace period).

Allows administrators to require enrollment with a desired logon method without immediately restricting end-users' access to workstations. Administrators can configure a suitable number of days in which an end-user will be allowed to defer enrollment.

The Enrollment Grace Period is disabled if either of the following conditions are met:

  • The Enrollment Prompt policy setting is NOT configured to "Required."

  • This setting is configured to zero.

Default is 0. Maximum grace period is 365 days.

Configuring a Windows Password Policy

When you select Windows Password for a chosen policy, the page that opens displays a Windows Password setting for you to edit. The setting will be disabled by default and set to a default; to change the setting, select the check box next to it and configure a value.

Illustration: uam_consolewindows.png

Logon Method Enabled. Allows administrators to enable or disable an installed authenticator on a Universal Authentication Manager client. This policy setting enhances security by controlling the specific logon methods that end-users are allowed to use.


  • Yes (default)

  • No

If you select No, the end-user is not allowed to log on to or enroll on the workstation using this logon method. If users attempt to log on with a disabled logon method, they will receive an error message.

If you disable Windows Password and a user is not enrolled in any other methods, the password is still allowed until a user enrolls in at least one Universal Authentication Manager method.
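The Logon Method Enabled rules from the Enabling Logon Methods section and the Windows Password exception restated here, modelled as an added example that is not part of the Oracle documentation or the ESSO-UAM product. The policy and enrollment data structures and the function names are assumptions for illustration; the point of the model is the lockout case, which an administrator can check against the current enrollments before publishing a policy that sets methods to No.

```python
"""Logon Method Enabled rules and the Windows Password exception (added example).

Not code from the Oracle documentation or the ESSO-UAM product. The data
structures and function names are assumptions used for illustration only.
"""
from dataclasses import dataclass, field

WINDOWS_PASSWORD = "Windows Password"
# The four enrollable methods; the product's internal identifiers are not documented here.
ENROLLABLE_METHODS = ("Fingerprint", "Proximity Card", "Smart Card", "Challenge Questions")


@dataclass
class LogonMethodPolicy:
    """Logon Method Enabled value per method, keyed by method name.

    Methods absent from the mapping default to Yes, the documented default."""
    enabled: dict = field(default_factory=dict)

    def is_enabled(self, method):
        return self.enabled.get(method, True)


def allowed_logon_methods(policy, enrolled):
    """Methods the user may use for logon, unlock and re-authentication.

    Rules from the text:
      * a method set to No cannot be used even if the user is enrolled in it;
      * the Windows password stays usable while the user is enrolled in no
        other method, even when Windows Password itself is set to No;
      * if the user is enrolled in other methods and all of them (and the
        password) are disabled, nothing remains: the user is locked out.
    """
    enrolled_other = {m for m in enrolled if m != WINDOWS_PASSWORD}
    allowed = {m for m in enrolled_other if policy.is_enabled(m)}
    if policy.is_enabled(WINDOWS_PASSWORD) or not enrolled_other:
        allowed.add(WINDOWS_PASSWORD)
    return allowed


def is_locked_out(policy, enrolled):
    """True when the policy leaves the user with no usable logon method."""
    return not allowed_logon_methods(policy, enrolled)


def lockout_report(policy, users):
    """Given {username: set of enrolled methods}, list the users the policy would lock out."""
    return sorted(u for u, enrolled in users.items() if is_locked_out(policy, enrolled))


if __name__ == "__main__":
    # Constructed sample: password and smart card set to No, fingerprint left at Yes.
    policy = LogonMethodPolicy({WINDOWS_PASSWORD: False, "Smart Card": False})
    users = {
        "alice": {"Fingerprint"},   # fingerprint still allowed
        "bob": set(),               # not enrolled: password allowed by the exception
        "carol": {"Smart Card"},    # only enrolled method disabled: locked out
    }
    for name, enrolled in users.items():
        print(name, sorted(allowed_logon_methods(policy, enrolled)))
    print("locked out:", lockout_report(policy, users))
```

The user "carol" in the constructed sample is the case the text warns about: enrolled only in a method that the policy disables, with Windows Password also disabled, so the exception does not apply and the administrator must re-enable a method in the Administrative Console to restore access.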

5.3.3 Publishing a Policy

The procedure for publishing a Universal Authentication Manager policy is similar to that for publishing Logon Manager configuration objects.

In order to apply a policy to one or more users or user groups, you must:

  • Assign the desired users and/or groups to the target policy.

  • Publish the policy to the repository.

5.3.4 Assigning Users and Groups to a Policy

After you have created a new Universal Authentication Manager policy and configured its settings, you can apply the policy to specific users and/or groups by assigning those users or groups to the policy.


When assigning users and/or groups to a policy:

  • Ensure that the machine you are using to make the assignments can connect to the Universal Authentication Manager repository.

  • Assigning policies to the Domain Users group is not supported.

  • You must ensure that each Universal Authentication Manager-enrolled user is assigned exactly one policy, either directly or through membership in a user group. If multiple assignments are made, the results will be non-deterministic.
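A pre-publish check for the assignment rules listed above (exactly one policy per enrolled user, no assignment to Domain Users), written as an added example that is not part of the Oracle documentation or the ESSO-UAM product. The assignment and group-membership data are constructed inline; how to pull them from the repository and Active Directory is not shown, and the function names are assumptions.

```python
"""Check that each enrolled user resolves to exactly one UAM policy (added example).

Not code from the Oracle documentation or the ESSO-UAM product. Function names
are assumptions; the sample data in __main__ is constructed for illustration.
"""
from collections import defaultdict

# Assigning the built-in Domain Users group is documented as unsupported.
UNSUPPORTED_GROUPS = {"Domain Users"}


def effective_policies(assignments, memberships, users):
    """Map each user to the set of policies reaching them directly or via a group.

    assignments: {policy_name: set of user or group names assigned to it}
    memberships: {group_name: set of user names} (nested groups already flattened)
    users:       iterable of UAM-enrolled user names to check
    """
    reach = defaultdict(set)
    for policy, principals in assignments.items():
        for p in principals:
            if p in memberships:              # a group: expand to its members
                for member in memberships[p]:
                    reach[member].add(policy)
            else:                             # a direct user assignment
                reach[p].add(policy)
    return {u: reach.get(u, set()) for u in users}


def check_assignments(assignments, memberships, users):
    """Return a list of problems; an empty list means the assignments are safe to publish."""
    problems = []
    for policy, principals in assignments.items():
        for g in sorted(principals & UNSUPPORTED_GROUPS):
            problems.append("%s: assignment to %s is not supported" % (policy, g))
    for user, policies in sorted(effective_policies(assignments, memberships, users).items()):
        if not policies:
            problems.append("%s: no policy assigned; the user can define their own settings" % user)
        elif len(policies) > 1:
            problems.append("%s: %d policies apply (%s); result is non-deterministic"
                            % (user, len(policies), ", ".join(sorted(policies))))
    return problems


if __name__ == "__main__":
    # Constructed sample data, not taken from any real directory.
    assignments = {"Finance-SmartCard": {"Finance", "carol"},
                   "Default-Fingerprint": {"All-Staff"}}
    memberships = {"Finance": {"alice", "bob"},
                   "All-Staff": {"alice", "bob", "carol", "dave"}}
    for p in check_assignments(assignments, memberships,
                               ["alice", "bob", "carol", "dave", "erin"]):
        print("PROBLEM:", p)
```

In the constructed sample, "alice" and "bob" receive two policies through overlapping groups and "carol" through a direct assignment plus a group, which is exactly the non-deterministic situation the text forbids; "erin" is enrolled but assigned nothing, so she keeps control of her own settings.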

To assign users and/or groups to a policy:

  1. Launch the Administrative Console.

  2. In the left-hand tree, navigate to Universal Authentication Manager > Policies.

  3. Under the Policies node, select the target policy, then select the Assignments tab in the right-hand pane.

  4. Click Add.

  5. In the Select User or Group dialog, enter the name of the desired user or group and click Check Names to validate it against your domain controller, then click OK to assign it to the policy. The assigned user or group appears in the assignments list.

    Illustration: uam_assignment1.png

  6. Repeat step 5 for any additional users or groups you want to assign to the policy.

  7. Publish the policy to the repository.

5.3.5 Publishing a Policy to the Repository

Once you have assigned the desired users and/or user groups to your policy, you can publish it to the repository for propagation to end-user workstations.

To publish a policy to the repository:

  1. Launch the Administrative Console.

  2. In the left-hand tree, navigate to Universal Authentication Manager > Policies.

  3. Right-click the target policy and select Publish from the context menu.

  4. In the Publish to Repository dialog that appears, do the following:

    1. Ensure that the target policy appears in the Selected objects to be published list.

    2. Click Browse.

    3. In the repository connection dialog that appears, fill in the required fields and click OK to connect.

    4. In the Browse for Repository dialog that appears, navigate to and select the Universal Authentication Manager policies container, then click OK.

      Illustration: uam_browse_for_repository.png

    5. Click Publish.

5.3.6 Modifying an Existing Policy

To modify the settings for an existing policy that has been published to the repository:

  1. Launch the Administrative Console.

  2. In the left-hand tree, right-click the Repository node and select Connect To from the context menu.

  3. In the Connect to Repository dialog, enter the necessary information and click OK to connect. The contents of your repository appear in the right-hand pane.

  4. In the right-hand pane, navigate to your Universal Authentication Manager policies container. By default, the path to this container is CN=Program Data, CN=Passlogix, CN=UAM, CN=Policies.

  5. Expand your policies container, right-click the desired policy, and select Bring to Console from the context menu. The policy appears under the Universal Authentication Manager > Policies node in the left-hand tree.

  6. In the left-hand tree, navigate to Universal Authentication Manager > Policies and double-click the desired policy.

    Illustration: uam_highlighted_policy.png

  7. Make your changes in the General and Assignments tabs, as necessary. To modify the settings for a logon method, select that method in the left-hand tree and make your changes in the right-hand pane.

  8. When you have made your changes, you must publish the updated policy object to the repository in place of the old one as described in Publishing a Policy.

5.3.7 Deleting a Policy

To delete a policy from the repository, do the following:

  1. Launch the Administrative Console.

  2. In the left-hand tree, right-click the Repository node and select Connect To from the context menu.

  3. In the Connect to Repository dialog, enter the necessary information and click OK to connect. The contents of your repository appear in the right-hand pane.

  4. In the right-hand pane, navigate to your Universal Authentication Manager policies container. By default, the path to this container is CN=Program Data, CN=Passlogix, CN=UAM, CN=Policies.

  5. Expand your policies container, right-click the desired policy, and select Delete from the context menu.

  6. In the confirmation dialog that appears, click Yes. The policy is deleted from the policies container.