3 Installing Logon Manager

This section describes the steps necessary for installing Logon Manager. It covers the following topics:

3.1 Prerequisites for Installing Logon Manager

Before you install Logon Manager, ensure the prerequisites listed in this section have been satisfied.


Please refer to the latest release notes to find out about last-minute requirements or changes that might affect your installation.

3.1.1 Prerequisites for Installing Logon Manager

If you are installing Logon Manager on a 64-bit (x64) system, you must use the 64-bit installer files marked with the _x64 suffix. While the installers have been compiled for the 64-bit platform, Logon Manager itself is a 32-bit application that runs via the Windows-on-Windows 64-bit (WoW64) emulation engine and is installed into the "Program Files (x86)" parent directory. The 32-bit version of Logon Manager is fully compatible with the supported 64-bit operating systems listed below.

Oracle supports the installation of Logon Manager on the following 64-bit platforms:

  • Windows Server 2008

  • Windows Server 2008 R2

  • Windows Server 2012

  • Windows XP

  • Windows 7

If you plan to synchronize with a database, or have the Reporting Service store application events in a database, you must install the appropriate database client in order to allow Logon Manager to connect to the database instance. Additionally, if you are installing Logon Manager on a 64-bit system and plan to connect to an Oracle database, you must install the 32-bit version of the Oracle database client on the target end-user machine; otherwise, the Reporting Service will not be able to connect to the Oracle database.


When installing on Windows XP, you must install the latest root certificate update from Microsoft, otherwise the installation will fail.

For details and instructions, see the following Microsoft Knowledge Base article: http://support.microsoft.com/kb/931125

3.1.2 Prerequisites for Unattended ("Silent") Installations

In order to successfully install Logon Manager in unattended ("silent") mode, the Windows Management Instrumentation (WMI) service must be running before the installer is executed.

To check whether the WMI service is running, and start it if necessary, do the following on each target machine:

  1. Open the System Management Console.

  2. Open the Services snap-in.

  3. Navigate to the Windows Management Instrumentation service and check its status and startup mode.

Depending on the status, do one of the following:

  • If the status is Started, the WMI service is running; proceed to the next section.

  • If the status is blank, check the service's startup type and start it as follows:

    1. Double-click the service.

    2. In the properties box that appears, set the startup type to Manual or Automatic, as dictated by your environment and click Apply.

    3. Click Start. The status changes to Started.

    4. Click OK to close the service properties dialog box.
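The same check can be scripted for machines that receive an unattended installation. The following PowerShell function is an added example, not part of the Oracle documentation; the function name `Confirm-WmiServiceRunning` is hypothetical, `Winmgmt` is the service name of Windows Management Instrumentation, and the script is assumed to run from an elevated prompt.

```powershell
# Added example: pre-flight check before a silent Logon Manager installation.
function Confirm-WmiServiceRunning {
    param(
        # 'demand' = Manual, 'auto' = Automatic; choose as dictated by your environment.
        [ValidateSet('demand', 'auto')]
        [string]$StartMode = 'demand'
    )

    $svc = Get-Service -Name Winmgmt -ErrorAction Stop
    if ($svc.Status -eq 'Running') { return 'AlreadyRunning' }

    # Read the startup type from the service's registry key instead of Win32_Service:
    # WMI cannot be queried while its own service is stopped.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Winmgmt'
    $start = (Get-ItemProperty -Path $key -Name Start).Start   # 2 = Automatic, 3 = Manual, 4 = Disabled

    if ($start -eq 4) {
        # A disabled service cannot be started; change the startup type first.
        # Call sc.exe by its full name, because "sc" is a PowerShell alias for Set-Content.
        & sc.exe config Winmgmt start= $StartMode | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "Could not change the Winmgmt startup type (sc.exe exit code $LASTEXITCODE)."
        }
    }

    Start-Service -Name Winmgmt -ErrorAction Stop
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    return 'Started'
}

# Run the check, then launch the installer only if no exception was thrown.
Confirm-WmiServiceRunning
```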

3.2 Upgrading an Existing Logon Manager Installation

This section provides information on upgrading an existing Logon Manager installation to the latest version.

Upgrading to Logon Manager 11.1.2 is supported for the following versions of Logon Manager:



Oracle fully supports installing version 11.1.2 of Logon Manager on top of existing installations of Logon Manager as listed above. The installer will uninstall the previous version automatically, and then proceed with installation of the new version. Refer to the sections in this guide for more information on installing both the Logon Manager Administrative Console and the Logon Manager Agent.


If the original installer was customized using the Logon Manager Administrative Console, you must customize the new installer in the same manner before performing the upgrade, otherwise your current Logon Manager settings will be overwritten by the defaults in the unmodified installer.

Oracle recommends that you do not change the primary logon method during an upgrade, as such a change introduces unneeded complexity to the process. Changes to the primary logon method should be undertaken as a separate project.

The following are the basic recommended steps to upgrade to Logon Manager 11.1.2.

  1. Perform a backup of your existing credentials.

  2. Run your installation as outlined in the sections, Installing the Oracle Enterprise Single Sign-On Administrative Console and Installing the Logon Manager Client-Side Software.

  3. If deploying on Microsoft Active Directory, set the Use secure location for storing user settings option under Global Agent Settings > [TargetSettingsSet] > ADEXT to Yes and publish this setting to the repository as an administrative override.


    Only deploy this override once all instances of Logon Manager have been upgraded to version or above; otherwise, once Logon Manager or above synchronizes with the repository, all previous versions will no longer be able to synchronize with the repository for that user. For more information on this setting, see the guide Securing Oracle Enterprise Single Sign-On Suite.
  4. Update all of your repository objects (policies, templates, and so on) to the latest data schema used by the latest version of Logon Manager as follows:

    1. Connect to your repository with the latest version of the Oracle Enterprise Single Sign-On Administrative Console.

    2. Retrieve all of your templates, policies, and any other data from the repository and into the Console.

    3. (Optional) Make any configuration changes in your templates and policies as desired.

    4. Publish all of the retrieved objects back to your repository.


    This procedure is mandatory and must be performed in a test environment before deploying Logon Manager to end-users. This is because the latest version of Logon Manager introduces a new data schema to its configuration objects, such as templates and policies, which is incompatible with objects created with previous versions of Logon Manager. Attempting to synchronize Logon Manager with a repository that has not been updated will result in data corruption. Oracle highly recommends that you create a separate OU in your repository to test your new configuration objects before deploying them enterprise-wide.
  5. Restore your backed up credentials to the new installation.


    The Passphrase Suppression setting is, as of the release, configurable under Global Agent Settings > [TargetSettingsSet] > Authentication > Windows v2 > Recovery Method. The default is to display the passphrase. If you want to suppress the passphrase, you must change this setting.

    Note that if you have a custom passphrase suppression (a DLL that implements the Secondary Authentication API), this DLL must return a unique GUID from its GetID function. Also, you must set the:


    registry value to that GUID.

    See the guide Administering Oracle Enterprise Single Sign-On Suite for more details.

  6. After the installer has finished and your credentials are restored, the upgrade is complete. Refer to the Oracle Enterprise Single Sign-On Suite Release Notes to learn about the new product features.

3.3 Installing the Logon Manager Client-Side Software


If you have a previous version of Kiosk Manager installed and are updating it during this installation, you must first uninstall the previous Kiosk Manager using the Control Panel Add/Remove Programs or the Uninstall option of the earlier software installer.

For additional considerations with regard to Kiosk Manager, see the guide Administering Oracle Enterprise Single Sign-On Suite.

To install and configure Logon Manager:

  1. Close all programs.

  2. Execute one of the following files to begin the installation:

    • ESSO-LM.msi for 32-bit installations.

    • ESSO-LMx64.msi for 64-bit installations.


    If you are installing in a language other than English and would like to launch the installer in the desired language, execute the following command:

    msiexec /I <packagename>.msi TRANSFORMS=<language>.mst

    where <packagename> is the name of the Logon Manager installer MSI package, and <language>.mst is the name of the corresponding language transform file (included in the installer archive).

  3. On the Welcome Panel, click Next>.

  4. Select a setup type. Typical provides a path to select commonly used program features easily. Advanced provides a detailed tree view of all the program features available for installation. If you select a typical setup, go to step 6; for an advanced setup, go to step 7.

    Click Next.

  5. The "Typical Setup" screen appears. Select your authentication methods and indicate whether you want to use multiple authenticators.

    Authentication methods. In order to authenticate a user and grant access to stored credentials, Logon Manager offers a number of authentication methods implemented as authenticator plug-ins, with the most common method being a user name and password. In Active Directory environments, Logon Manager supports this authentication method through its Windows Logon (WinAuth) v2 plug-in.

    If you are using a strong authentication method, refer to the Oracle Enterprise Single Sign-On Suite Administrator's Guide which describes specific settings that must be enabled within an authenticator to work with Logon Manager. It also describes all the Logon Manager Administrative Console settings and any steps that must be taken to integrate with Kiosk Manager.

    Multiple Authenticators. The Authentication Manager feature adds the capability to enable multiple logon methods to authenticate the user. These logon methods can be the standard Logon Manager supported logon methods such as LDAP and Windows Logon v2, or the strong authenticators such as smart cards, proximity devices, and RSA SecurID tokens.

    Click Next.

  6. Select your repositories and indicate which audit logging capabilities should be installed. If you install the Oracle Enterprise Single Sign-On Reporting Server, refer to the Oracle Enterprise Single Sign-On Suite Administrator's Guide for configuration information. Click Next> and continue to the next step.

  7. If you are performing an advanced setup, choose from the following installation options:

    Application Support
    This option installs all necessary files and settings that serve as the core of the application, and allows you to select the application types for Logon Manager to interact with.
    Web Integration: Helper objects that allow integration with Web browsers and external Web services.
    Mozilla Firefox: Helper object that adds Logon Manager support for Mozilla-based browsers.
    OAM Support: Helper object that adds Logon Manager support for Oracle Access Manager-protected browser applications.
    Google Chrome: Helper object that adds Logon Manager support for the Google Chrome browser.
    Windows: Support for Windows desktop applications. Windows support files are installed by default. These files cannot be deselected.
    Microsoft Internet Explorer: Helper object that adds Logon Manager support for Internet Explorer. Installed by default.
    Host/Mainframe Emulators: Helper object that adds Logon Manager support for HLLAPI-based emulators.
    Console Windows: Support for Console windows (command prompt) within the Logon Manager mainframe plug-in.
    PuTTY: Support for PuTTY windows within the Logon Manager mainframe plug-in.
    Java: Helper object that adds native Logon Manager support for Java applications.
    SAP: Helper object that adds SAP application support to Logon Manager.
    SoftID: Helper object that adds Logon Manager support for SoftID applications. See the Oracle Enterprise Single Sign-On Suite Administrator's Guide for more information on using this feature.

    To use this helper object, the Authentication Manager authenticator must be installed and selected as your Primary Logon Method.

    The authenticators are plug-ins that provide different methods for logging on to Logon Manager. By default, Windows Logon v2 is installed.

    If you are installing Proximity Card, Read-Only Smart Card, RSA SecurID, Secure Data Storage, or Smart Cards, see the Oracle Enterprise Single Sign-On Suite Administrator's Guide.

    Windows Logon (deprecated): Deprecated plug-in that enables logging on to Logon Manager by logon to Windows. Note: Do not install this component unless explicitly instructed to do so by Oracle support. It is being provided for legacy purposes only.
    Windows Logon v2: Plug-in that enables logging on to Logon Manager by logon to Windows with secure passphrase support. This authenticator is installed by default.
    GINA: Module that works with the Windows Logon v2 method. The GINA option is available only for Windows XP.

    You must select between GINA and Network Provider. It is not possible to install both methods.

    LDAP: Plug-in that enables logging on to Logon Manager by logon to an LDAP directory.
    LDAP v2: Plug-in that enables logging on to Logon Manager by logon to an LDAP directory. This plug-in also includes secure passphrase support.
    Network Provider: Eliminates double authentication by utilizing the Network Provider mechanism to log on to Logon Manager. Supports all current Microsoft Windows operating systems.

    This feature has been moved to its own node, and is no longer a sub-feature of Windows Logon v2, as of version

    Proximity Card: Authenticator plug-in that supports authentication with HID Proximity Cards.
    Smart Card: Plug-in that enables logging on to Logon Manager using MS-CAPI-capable smart cards.
    Smart Card (Read-Only): Plug-in that enables logging on to Logon Manager using a Read-Only Smart Card.
    RSA SecurID: Plug-in that enables logging on to Logon Manager using one-time passwords generated by RSA SecurID tokens.
    Local Authentication Toolkit: Components needed to perform RSA SecurID authentication.
    Authentication Manager: This feature adds the capability to allow multiple logon methods to authenticate the user. If you want to use the Enrollment, Grade, and Order functionality, you must install this feature.

    This plug-in provides for the management of synchronization extensions to the application.

    The available synchronization plug-ins are:

    Microsoft Active Directory: Synchronization plug-in that supports storage and retrieval of credentials and settings from an Active Directory server.
    Microsoft AD LDS (ADAM): Synchronization plug-in that supports storage and retrieval of credentials and settings from an AD LDS (ADAM) server.
    LDAP: Plug-in that supports storage and retrieval of credentials and settings from an LDAP-compliant directory, such as Oracle Identity Manager.
    Database: Synchronization plug-in that supports storage and retrieval of credentials and settings from a database.
    Roaming Profile (deprecated): Synchronization plug-in that supports roaming profiles.

    Do not install this component unless explicitly instructed to do so by Oracle support. It is being provided for legacy purposes only.

    File System: Synchronization plug-in that supports storage and retrieval of credentials and settings from a file share.

    Kiosk Manager
    Kiosk Manager: Plug-in that is available to support kiosk scenarios.

    To use Kiosk Manager, you must install the LDAP Authenticator and a synchronizer. You must also ensure that Windows Authenticator v2 is not installed.

    Refer to the Oracle Enterprise Single Sign-On Suite Administrator's Guide for more information.

    Session Locking Support: Installs the Kiosk Manager session locking component to support kiosk scenarios. This component is not installed by default.

    If you install this component, the Kiosk Manager Agent (SMAgent) starts automatically.

    If you do not install the Kiosk Manager GINA, the Kiosk Manager Agent (SMAgent) does not start automatically, but events can be triggered through the command line from other applications. Using this scenario, you can install Kiosk Manager on a workstation and have it run only when executed.

    See the Oracle Enterprise Single Sign-On Suite Administrator's Guide for more information on using the command-line options.

    Password Reset
    Password Reset Client: Installs the client-side component of Password Reset which provides knowledge-based authentication and password reset functionality.

    You must install the Password Reset server-side component before you install the client-side component. Password reset is not installed as part of the Typical installation option. For more information on installing Password Reset, see Installing Password Reset.

    Provisioning Options
    Provisioning Gateway Client: Installs the Provisioning Gateway client-side software that provides remote credential provisioning functionality as well as credential delegation.

    You must install the Provisioning Gateway server component (as described in Installing Provisioning Gateway) before you install the client-side software.

    Credential Delegation: Installs the Provisioning Gateway credential delegation component, allowing a user to temporarily delegate one or more credentials to another user.

    Requires Provisioning Gateway to be installed and functional on the target machine.

    Privileged Accounts: Installs the Provisioning Gateway privileged accounts component, allowing a user to temporarily check out one or more credentials from an Oracle Privileged Account Manager server, temporarily enable single sign-on functionality for applications associated with that credential, and check the credential back in when it is no longer needed.

    Requires Provisioning Gateway to be installed and functional on the target machine.

    Audit Logging Methods
    This plug-in provides for the management of event logging extensions to the application.

    The available plug-ins are:

    ESSO Reporting Server: Event Management plug-in that supports logging of events to the reporting service.
    Windows Event Manager: Event Management plug-in that supports logging of events to the Windows Event Manager.
    Syslog Server: Event Management plug-in that supports logging of events to a Syslog server.
    XML File: Event Management plug-in that supports logging of events to a local XML file.
    Database: Event Management plug-in that supports logging of events to a Database.

    This plug-in provides a simple file-based backup and restore mechanism via a wizard interface.

    The localized language support packages that allow the Agent to be displayed in the displayed languages.


    To change the destination folder, click Change, navigate to the desired path, and click OK.
  8. The InstallShield Wizard is ready to begin the installation. Click Install.

  9. Wait for the installation to complete. When the "Completed" screen appears, click Finish.

  10. The Logon Manager installation does not require restarting, except in the following scenarios:

    • If you installed the Windows Authentication v2 authenticator with the GINA or Network Provider components (Windows XP only), you will be prompted to restart your workstation after you click Finish. Continue with step 11 after restart.

    • If you installed Kiosk Manager, you must configure Logon Manager to synchronize with one of the synchronizers that you selected during installation. Refer to the Oracle Enterprise Single Sign-On Suite Administrator's Guide for instructions. Additionally, on Windows XP, do not install any other GINAs if you install the Kiosk Manager GINA. Restart your workstation after setting up synchronization, then continue with step 11.

  11. After your workstation or server restarts, log on to Windows. The Logon Manager Welcome Screen/First Time Use (FTU) Wizard launches. Follow the instructions on the screen to complete the FTU Wizard. After the FTU is complete, an icon appears in the tool tray.


    Refer to the Oracle Enterprise Single Sign-On Suite User's Guide and online help for information on completing the FTU Wizard and using Logon Manager.

3.4 MSI Package Components

This section describes the contents of the Logon Manager MSI installer. The feature names listed in this section are as they appear in the "Advanced Setup" section of the Logon Manager installer.

The following are mandatory core components - omitting them during command-line installation or when creating a customized MSI package will result in a non-functional installation:

  • Application Support (Core)

  • Provisioning Gateway Client (Provisioning)

  • At least one authenticator

  • At least one language pack

Oracle also recommends including the Internet Explorer support component in all Logon Manager deployments.

Additionally, note the following:

  • Feature names are case-sensitive.

  • The following features are mutually exclusive (i.e., only one can be installed at a time): SSOGINA, SSOGINA.x64, SMGina, SMAgent, Locking, SSONP, SSONP.x64

  • The MSI package contains critical components that are not listed in this section and should not be tampered with in any way, as they are essential to the proper functioning of Logon Manager and other Enterprise Single Sign-On Suite features. Only install/include, or uninstall/remove components listed in this section.

  • The ADDLOCAL command only installs components that are explicitly specified, plus their parent components and child components required by the parent. If you do not explicitly specify a component to be installed, it will not be installed. Omission of any of the mandatory core components listed above will result in a non-functional installation.

    For example, specifying Chrome will also install its parent component Core, as well as Core_Support6 which is required by the Core component, but it will not install any language packs.

Example installation command:

msiexec /i <my.msi> ADDLOCAL="Core,Provisioning,MSauth,English_Pack,InternetExplorer"

Additional information on using the msiexec command-line tool can be found at the following URLs:

  • http://support.microsoft.com/kb/230781

  • http://technet.microsoft.com/en-us/library/cc759262(v=ws.10).aspx
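The ADDLOCAL rules above (case-sensitive names, implied parent features, mandatory components, mutually exclusive features) can be checked before a command line is rolled out. The following PowerShell script is an added example, not part of the Oracle documentation; `Test-AddLocal` is a hypothetical helper, its feature map is transcribed from the tables later in this section, and the mutually exclusive set is written with the spelling those tables use, which is an assumption.

```powershell
# Added example. Entries are "FeatureName=FeatureParent"; an empty parent means top level.
$FeatureTable = @'
Core= WebIntegration=Core Mozilla=WebIntegration OAMSupport=WebIntegration Chrome=WebIntegration
Core_Support6=Core InternetExplorer=Core MainframeEmulators=Core DOSHelper=MainframeEmulators
PuttySupport=MainframeEmulators JavaHelper.x86=Core JavaHelper.x64=Core SAP=Core SoftIdHO=Core
Authenticators= SLA=Authenticators MSauth=Authenticators SSOGina=MSauth SSOGina.x64=MSauth
LDAP=Authenticators LDAPauth=Authenticators SSONP=Authenticators SSONP.x64=Authenticators
ProxCardAuth=Authenticators SCAuth=Authenticators ROSCAuth=Authenticators SecurID=Authenticators
LocalAuthToolkit=SecurID MultiAuth=Authenticators Synchronizers= AD_Sync=Synchronizers
ADAM_sync=Synchronizers LDAP_Sync=Synchronizers DB_Sync=Synchronizers Roam_Sync=Synchronizers
File_Sync=Synchronizers SMAgent_Files= SMGina=SMAgent_Files SMAgent_Locking=SMAgent_Files
PR_Components= Provisioning= DelegateMgr=Provisioning OpamMgr=Provisioning EventMgr=
ReportingExt_Release=EventMgr WindowsEventExt=EventMgr SyslogEventExt=EventMgr
LocalFileExt=EventMgr DatabaseEventExt=EventMgr BackupMgr= Languages=
'@
$Languages = @'
English Chinese_Simplified Chinese_Traditional Czech Danish Dutch Finnish French German Greek
Hungarian Italian Japanese Norwegian Korean Polish Portuguese_Brazilian Portuguese_Portugal
Romanian Russian Slovak Spanish Swedish Thai Turkish
'@

# Case-sensitive map: feature name -> parent feature.
$Parent = New-Object System.Collections.Hashtable ([System.StringComparer]::Ordinal)
foreach ($pair in ($FeatureTable -split '\s+' | Where-Object { $_ })) {
    $name, $up = $pair -split '=', 2
    $Parent[$name] = $up
}
foreach ($lang in ($Languages -split '\s+' | Where-Object { $_ })) {
    $Parent["${lang}_Pack"] = 'Languages'
}

# Assumption: the page's mutually exclusive list, spelled as in the feature tables.
$Exclusive = 'SSOGina', 'SSOGina.x64', 'SMGina', 'SMAgent_Locking', 'SSONP', 'SSONP.x64'

function Test-AddLocal {
    param([Parameter(Mandatory = $true)][string]$AddLocal)

    $problems  = @()
    $effective = New-Object System.Collections.Hashtable ([System.StringComparer]::Ordinal)

    foreach ($raw in ($AddLocal -split ',')) {
        $feature = $raw.Trim()
        if ($feature -cne $raw) { $problems += "Remove the whitespace around '$feature'." }
        if (-not $Parent.ContainsKey($feature)) {
            # Look for the same name in a different case to give a useful hint.
            $hint = @($Parent.Keys | Where-Object { $_ -ieq $feature })
            if ($hint.Count) {
                $problems += "'$feature' is not a feature name (case-sensitive); the table lists '$($hint[0])'."
            } else {
                $problems += "'$feature' is not a feature name listed in the tables."
            }
            continue
        }
        # ADDLOCAL also installs the parent chain of every listed feature.
        for ($n = $feature; $n; $n = $Parent[$n]) { $effective[$n] = $true }
    }

    foreach ($must in 'Core', 'Provisioning') {
        if (-not $effective.ContainsKey($must)) { $problems += "Mandatory feature '$must' is missing." }
    }
    # A parent node alone installs nothing beneath it, so look for an actual child feature.
    if (-not ($effective.Keys | Where-Object { $Parent[$_] -ceq 'Authenticators' })) {
        $problems += 'No authenticator is selected.'
    }
    if (-not ($effective.Keys | Where-Object { $Parent[$_] -ceq 'Languages' })) {
        $problems += 'No language pack is selected.'
    }
    $clash = @($Exclusive | Where-Object { $effective.ContainsKey($_) })
    if ($clash.Count -gt 1) { $problems += "Mutually exclusive features selected: $($clash -join ', ')." }

    return $problems
}

# Constructed inputs: the example command's list, then a list that breaks several rules.
foreach ($list in 'Core,Provisioning,MSauth,English_Pack,InternetExplorer',
                  'Chrome,msauth,SSONP,SMGina, English_Pack') {
    $found = @(Test-AddLocal $list)
    "ADDLOCAL=$list -> $($found.Count) problem(s)"
    $found | ForEach-Object { "  - $_" }
}
```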

Application Support
| Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
| --- | --- | --- | --- |
| Application Support | Core | N/A | Mandatory for a functional installation. |
| Web Integration | WebIntegration | Core | |
| Mozilla Firefox | Mozilla | WebIntegration | |
| OAM Support | OAMSupport | WebIntegration | |
| Google Chrome | Chrome | WebIntegration | |
| Windows | Core_Support6 | Core | |
| Microsoft Internet Explorer | InternetExplorer | Core | Recommended. |
| Host/Mainframe Emulators | MainframeEmulators | Core | |
| Console Windows | DOSHelper | MainframeEmulators | |
| PuTTY | PuttySupport | MainframeEmulators | |
| Java | JavaHelper.x86 | Core | 32-bit OS only. |
| Java | JavaHelper.x64 | Core | 64-bit OS only. |
| SAP | SAP | Core | |
| SoftID | SoftIdHO | Core | |

| Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
| --- | --- | --- | --- |
| Authenticators | Authenticators | N/A | At least one authenticator is mandatory for a functional installation. |
| Windows Logon | SLA | Authenticators | |
| Windows Logon v2 | MSauth | Authenticators | |
| GINA | SSOGina | MSauth | Windows XP 32-bit only. |
| GINA | SSOGina.x64 | MSauth | Windows XP 64-bit only. |
| LDAP | LDAP | Authenticators | |
| LDAP v2 | LDAPauth | Authenticators | |
| Network Provider | SSONP | Authenticators | 32-bit OS only |
| Network Provider | SSONP.x64 | Authenticators | 64-bit OS only |
| Proximity Card | ProxCardAuth | Authenticators | |
| Smart Card | SCAuth | Authenticators | |
| Smart Card (Read-Only) | ROSCAuth | Authenticators | |
| RSA SecurID | SecurID | Authenticators | |
| Local Authentication Toolkit (LAT) | LocalAuthToolkit | SecurID | |
| Authentication Manager | MultiAuth | Authenticators | |

| Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
| --- | --- | --- | --- |
| Synchronizers | Synchronizers | N/A | |
| Microsoft Active Directory | AD_Sync | Synchronizers | |
| Microsoft AD LDS (ADAM) | ADAM_sync | Synchronizers | |
| LDAP | LDAP_Sync | Synchronizers | |
| Database | DB_Sync | Synchronizers | |
| Roaming Profile (deprecated) | Roam_Sync | Synchronizers | |
| File System | File_Sync | Synchronizers | |

Kiosk Manager
| Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
| --- | --- | --- | --- |
| Kiosk Manager | SMAgent_Files | N/A | |
| Session Locking Support | SMGina | SMAgent_Files | Windows XP only. |
| Session Locking Support | SMAgent_Locking | SMAgent_Files | Windows 7 and above |

Password Reset Client
| Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
| --- | --- | --- | --- |
| Password Reset Client | PR_Components | N/A | |

Provisioning Gateway Client
| Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
| --- | --- | --- | --- |
| Provisioning Gateway Client | Provisioning | N/A | |
| Credential Delegation | DelegateMgr | Provisioning | |
| Privileged Accounts | OpamMgr | Provisioning | |

Audit Logging Methods
| Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
| --- | --- | --- | --- |
| Audit Logging Methods | EventMgr | N/A | |
| ESSO Reporting Server | ReportingExt_Release | EventMgr | |
| Windows Event Manager | WindowsEventExt | EventMgr | |
| Syslog Server | SyslogEventExt | EventMgr | |
| XML File | LocalFileExt | EventMgr | |
| Database | DatabaseEventExt | EventMgr | |

| Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
| --- | --- | --- | --- |
| Backup/Restore | BackupMgr | N/A | |


| Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
| --- | --- | --- | --- |
| Languages | Languages | _TopLevel Feature | |
| English | English_Pack | Languages | Mandatory. Automatically selected if any other language is selected with ADDLOCAL |
| Chinese (Simplified) | Chinese_Simplified_Pack | Languages | |
| Traditional Chinese | Chinese_Traditional_Pack | Languages | |
| Czech | Czech_Pack | Languages | |
| Danish | Danish_Pack | Languages | |
| Dutch | Dutch_Pack | Languages | |
| Finnish | Finnish_Pack | Languages | |
| French | French_Pack | Languages | |
| German | German_Pack | Languages | |
| Greek | Greek_Pack | Languages | |
| Hungarian | Hungarian_Pack | Languages | |
| Italian | Italian_Pack | Languages | |
| Japanese | Japanese_Pack | Languages | |
| Norwegian | Norwegian_Pack | Languages | |
| Korean | Korean_Pack | Languages | |
| Polish | Polish_Pack | Languages | |
| Portuguese (Brazil) | Portuguese_Brazilian_Pack | Languages | |
| Portuguese (Portugal) | Portuguese_Portugal_Pack | Languages | |
| Romanian | Romanian_Pack | Languages | |
| Russian | Russian_Pack | Languages | |
| Slovak | Slovak_Pack | Languages | |
| Spanish | Spanish_Pack | Languages | |
| Swedish | Swedish_Pack | Languages | |
| Thai | Thai_Pack | Languages | |
| Turkish | Turkish_Pack | Languages | |

3.5 Completing the Installation of Logon Manager

This section describes the steps necessary to complete the installation of Logon Manager.

3.5.1 Completing the Installation of the Mozilla Firefox Support Component

In order to complete the installation of the Mozilla Firefox Support component of Logon Manager, you must do the following after installing Logon Manager:

  • If Mozilla Firefox was running during the installation, close all of its instances and re-launch it,

  • Ensure that the component is enabled in the "Extensions" list in the "Add-Ons" panel in Mozilla Firefox,

  • Restart Logon Manager.

In the online documentation center, you will find the complete set of product-specific guides for the Oracle Enterprise Single Sign-On Suite. The following table lists the high-level tasks you will need to perform to complete your installation and deployment, and the documents associated with each task.

For This Task… Refer to…
Configuring a repository Deploying Logon Manager with a Directory-Based Repository
Configuring the Agent Oracle Enterprise Single Sign-On Suite Administrator's Guide
Configuring authenticators Oracle Enterprise Single Sign-On Suite Administrator's Guide
Configuring application templates Configuring and Diagnosing Logon Manager Application Templates