DigitalPersona Pro Enterprise Version 5 Administrator Guide
DigitalPersona, Inc. All Rights Reserved.

All intellectual property rights in the DigitalPersona software, firmware, hardware and documentation included with or described in this guide are owned by DigitalPersona or its suppliers and are protected by United States copyright laws, other applicable copyright laws, and international treaty provisions. DigitalPersona and its suppliers retain all rights not expressly granted.

U.are.U and DigitalPersona are trademarks of DigitalPersona, Inc. registered in the United States and other countries. Windows, Windows Server 2003/2008, Windows 8, Windows 7, Windows Vista and Windows XP are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective owners.

This DigitalPersona Pro Enterprise Administrator Guide and the software it describes are furnished under license as set forth in the License Agreement screen that is shown during the installation process. Except as permitted by such license, no part of this document may be reproduced, stored, transmitted and translated, in any form and by any means, without the prior written consent of DigitalPersona.

The contents of this manual are furnished for informational use only and are subject to change without notice. Any mention of third-party companies and products is for demonstration purposes only and constitutes neither an endorsement nor a recommendation. DigitalPersona assumes no responsibility with regard to the performance or use of these third-party products. DigitalPersona makes every effort to ensure the accuracy of its documentation and assumes no responsibility or liability for any errors or inaccuracies that may appear in it.

Feedback

Although the information in this guide has been thoroughly reviewed and tested, we welcome your feedback on any errors, omissions, or suggestions for future improvements. You can contact us at:

Crossmatch
720 Bay Road, Suite 100
Redwood City, CA USA

Published: 1/27/2015 (v 5.5.1)
Table of Contents

1 Solution Overview ... 10
    Introduction
    Architecture
    Components
    Server components
    Compatible workstation clients
    DigitalPersona Pro Workstation for Enterprise
    DigitalPersona Pro Kiosk
    Client user interfaces
    Authentication and Credentials
    Security applications
    Password Manager Admin Tool
    Licensing model
    System Requirements
    Support Resources
    Changes from previous version

Section One: Installation

2 Pro Server Installation ... 22
    Deployment Overview
    Upgrading from Previous Versions
    Compatibility
    Extending the Active Directory Schema
    Configure each domain
    Install DigitalPersona Pro Enterprise Server
    Configuring DigitalPersona Pro Server for Pro Kiosk
    Changes Made During Installation
    DNS Registration
    Uninstalling DigitalPersona Pro Server

3 Pro Client installation ... 35
    System requirements
    Upgrading from Previous Versions
    Compatibility
    Installation
    Remote installation
    Remote installation for patches
    Client Suite installation
    Local installation
    Command line Installation

DigitalPersona Pro Enterprise - Administrator Guide iii
    Installation on Citrix Presentation Server
    About Transform files
    Uninstalling Pro Workstation

4 Pro Kiosk installation ... 46
    System Requirements
    Recent changes
    Changes compared to version
    Changes compared to version
    Upgrading from Previous Versions
    Installation
    Remote Installation
    Remote installation for patches
    Local installation
    Command line installation
    Installation on Citrix Presentation Server
    About Transform files

5 Optional installations ... 55
    Included in product package
    Suite installers
    Administration Tools
    License Activation Manager
    Users and Computers Snap-In
    Attended Enrollment Tool
    User Query Tool Snap-in
    GPMC Extensions
    Defender
    Separate product packages
    Password Manager Admin Tool
    Extended Server Policy Module (ESPM)
    Pro Cogent FR Plugin

Citrix and remote installation ... 60
    Overview
    Installation on Citrix solutions
    Installation & Configuration
    Disabling automatic client updates
    Installing Citrix support after DigitalPersona Pro client installation

Section Two: Administration

7 Administration overview ... 65
    Administration Tools package

License Activation & Management ... 67
    License Activation Manager
    License activation
    Pro Enterprise Server activation
    Server activation from another computer
    Package or component activation (v 5.3 only)

ADUC snap-ins ... 82
    Users and Computers snap-in
    User properties
    User object commands
    Computer object commands
    User Query Tool snap-in
    ActiveX control
    Interactive dialog-based application
    Command line utility

Attended Enrollment ... 94
    Setting up Attended Enrollment
    To assign, or remove Register/Delete permissions
    Enrolling user credentials
    Deleting Fingerprints

Policies and Settings ... 99
    Overview
    Computer Configuration/Policies/Software Settings
    DigitalPersona Pro Client
    Security/Authentication
    Security/Enrollment
    Licenses
    Kiosk Administration
    DigitalPersona Pro Enterprise Server
    Licenses
    Computer Configuration\Policies\Administrative Templates
    DigitalPersona Pro Client (Summary)
    DigitalPersona Pro Client (Details)
    Authentication Devices
    Event logging
    General Administration
    Kiosk Administration
    Managed applications
    Security/Authentication
    Security/Features
    Software Updates
    DigitalPersona Pro Enterprise Server (Summary)
    DigitalPersona Pro Enterprise Server (Detail)
    User Configuration\Policies\Software Settings
    DigitalPersona Pro Client (Summary)
    DigitalPersona Pro Client (Detail)
    Security/Authentication
    Security/Enrollment
    User Configuration\Administrative Templates
    DigitalPersona Pro Client (Summary)
    DigitalPersona Pro Client (Detail)

Single Sign-On ... 129
    Configuring Single Sign-On
    Disable Session Authentication
    Create managed logons

GPMC Extensions ... 130
    Overview
    Implementation Guidelines
    Install Workstation Administrative Templates Locally

Recovery ... 134
    User recovery
    Computer recovery
    Account lock recovery

Pro Reports ... 136
    Overview
    Setting up DigitalPersona Pro Reports
    Web console
    Creating a report
    Creating a new subscription
    Adding a report to an existing subscription
    Editing a subscription
    Bookmarking a report
    Deleting a report or subscription

Pro Events ... 145
    Credential Management
    User Management
    Secret Management
    Service Management
    Password Manager
    Credential Authentication
    DNS Registration
    Deployment
    Windows Logon Authentication
    Domain Management
17 Extended Server Policy Module

Utilities ... 153
    Cleanup Wizard

Section Three: Pro Clients

19 Pro Workstation ... 155
    Getting Started
    Workstation setup
    Opening the dashboard
    Using the dashboard
    Managing user credentials
    Self Password Recovery
    Enrolling your fingerprints
    Enrolling a PIN
    Enrolling scenes for the Face credential
    Setting up cards and tokens
    Setting up a smart card
    Setting up a contactless or proximity card
    Enrolling a Bluetooth device
    Changing your Windows password
    Security Applications
    Status
    Windows authentication
    Smart card authentication
    Password Manager
    Backing up and restoring your data
    Setting your preferences
    ID Card
    Learn more

Pro Kiosk ... 173
    Feature overview
    Comparing Pro Workstation and Pro Kiosk
    Logging On to Windows
    Using One Touch Logon
    Logging on to Windows without Kiosk
    Automatic logon using the Shared Kiosk Account
    Changing Your Password
    User Account Control
    Using the Password Manager Admin Tool with Pro Kiosk
    Logging On to Password-Protected Programs
    User logon
    Switching Users on Pro Kiosk Computers
    Using multiple Kiosk accounts with Citrix
21 Pro Administrative Console ... 179
    Opening the Administrative Console
    Using the Administrative Console
    Configuring your system
    Setting authentication policies
    Logon Policy
    Session Policy
    Specifying credentials settings
    Configuring your applications settings
    General tab
    Applications tab

Section Four: Appendices

22 Glossary ... 192
    Concepts
    Terminology

Citrix Deployment Scenarios ... 200
    Overview
    Installation and configuration
    Fast Connect with XenApp and Pro Workstation
    XenApp server configuration
    Pro Server configuration
    Maintaining local and remote Kiosk identities
    Setting up kiosks for local and remote identities
    Using kiosk local and remote identities
    IGEL Universal Desktop support
    Requirements
    Setup

Policies and Settings - Alphabetical list

Embedded Windows dependencies ... 210
    Required components for supported Windows Embedded platforms
    Required files for supported Windows Embedded platforms

Identification List

Pro Events for version
    Credential Management
    User Management
    Secret Management
    System, Services, Settings and User Sessions
    External components
    Password Manager Admin Tool
    Fingerprint Match
    DNS Registration
    License Management
    License Management, ID Server licensing
    OTP Management
    Status Notifier
    Logon

Schema extension ... 228
    Introduction
    Schema extension overview
    Schema objects details
    Class details
    Standard Classes
    Extensions

Index ... 293
Chapter 1 - Solution Overview

This chapter provides a high-level overview of the DigitalPersona Pro Enterprise solution, and includes the following major topics.

Topics                              Page
Introduction                        11
Architecture                        11
Components                          12
Authentication and Credentials      15
Security applications               15
Licensing model                     16
System Requirements                 17
Support Resources                   17
Changes from previous version       18

More details on specific components and modules are provided in the remainder of this Administrator Guide. Additional implementation, administration and reference-level documentation is provided through a series of Quick Start Guides and Application Guides for many of the components and modules, as well as for major features. A series of integrated help files provide the finest level of detail for all user-centric features as well as many administrator features and functions.

References to procedures, UI elements and images in this guide are always made to the current version of DigitalPersona Pro products. References to, and images of, Microsoft Windows products are to Windows Server 2008 and Windows 7 unless otherwise noted.
Introduction

DigitalPersona Pro Enterprise is an enterprise-level central management solution for Endpoint Protection that enables administrators to manage security and authentication within Active Directory networks, including data protection, access management and recovery. It represents an optimal solution to multiple security needs, including:

- Strong Authentication for PC, application and RADIUS logon
- Single Sign-On (SSO) for Enterprise applications

For further information on how DigitalPersona Pro Enterprise can help you solve your security needs, we have white papers, datasheets and case studies on our website at enterprise.

Architecture

The conceptual architecture of DigitalPersona Pro Enterprise consists of four layers.

Management - Provides an Active Directory-based solution for the enterprise, enabling the IT Administrator to configure, deploy and administer security policies throughout the organization.

Security Applications - Provides pluggable applications and features that are managed through the DigitalPersona Pro management infrastructure.

Clients - Workstation software installed on notebooks, desktops and shared-user kiosks.

Credentials - Provides support for multiple authentication credentials that may be used in specified combinations for verifying the identity of users accessing managed computers and security applications.
Components

DigitalPersona Pro Enterprise is a client-server product. It consists of server and client components that work within an existing Active Directory environment.

Server components

DigitalPersona Pro's server components fulfill four main purposes:

- They allow IT Administrators to manage security and authentication policies via Active Directory Group Policy Objects. For these purposes, DigitalPersona Pro includes various GPMC (Group Policy Management Console) extensions, installed under the Software Settings and Administrative Templates nodes, to link product policies and settings to Active Directory containers.

- They provide centralized, server-side authentication of various types of credentials (e.g. fingerprints, smart cards, Bluetooth, one-time passwords, etc.). For these purposes, DigitalPersona Pro runs authentication services within your domain and receives authentication requests from managed computers.

- They allow centralized backup and roaming of computers' and users' credentials and passwords. For these purposes, DigitalPersona Pro uses Active Directory as a database of relevant data.

- They also allow other general administrative tasks, including:
    - Access recovery into locked workstations
    - Deployment of license activation codes.

The main server components of the DigitalPersona Pro Enterprise product are briefly described in the following table, and more fully described in the referenced pages.

Server component            Purpose
Pro Enterprise Server       Provides domain-wide, centralized administration of Pro clients and enables strong authentication through various credentials, such as Bluetooth tokens, Windows passwords, fingerprints, smart cards and more.
DigitalPersona Defender     Enables two-factor authentication in workstation clients, and works with any OATH-compliant hardware token.
Pro Administration Tools    Provides additional tools for administration of various DigitalPersona Pro features and utilities, including License Management, GPMC Extensions, Access Recovery, Attended Enrollment and the Password Manager Admin Tool. (page 64)
Compatible workstation clients

The DigitalPersona Pro Enterprise solution supports the following clients:

DigitalPersona Pro Workstation for Enterprise - This primary client enforces security and authentication policies on managed Windows computers while providing intuitive access to end-user features and functionality. It may be centrally managed by Pro Enterprise Server, or installed as a stand-alone product.

DigitalPersona Pro Kiosk for Enterprise - This specialized kiosk client provides DigitalPersona Pro features for environments where users log on to a shared, common Windows account or kiosk. It is centrally managed by Pro Enterprise Server.

NOTE: The Pro Workstation for Enterprise and Pro Kiosk for Enterprise clients may be installed individually on computers or deployed through Active Directory GPO, SMS (Systems Management Server) or logon scripts. They cannot be installed through ghosting or imaging technologies.

DigitalPersona Pro Workstation for Enterprise

DigitalPersona Pro Workstation for Enterprise is the primary client application for end-users, providing an intuitive means for increasing both security and convenience through a variety of configurable options, including enrollment and use of multiple credentials, and the use of automated logons for enterprise resources, programs and websites. For more details, see the chapter Pro Workstation on page 155.

DigitalPersona Pro Kiosk

DigitalPersona Pro Kiosk for Enterprise is a client application specifically designed for environments where users need fast, convenient and secure multi-factor identification on workstations shared by multiple users. Although users share a common Windows account, DigitalPersona Pro Kiosk for Enterprise provides separately controlled access to resources, applications and data. For a full description of its features, see the chapter Pro Kiosk on page 173.
Client user interfaces

Pro Enterprise Workstation contains two separate program interfaces: a user dashboard and an Administrative Console. Access to the Administrative Console requires local administrator privileges. The Pro Kiosk client provides the same user dashboard, but does not have an Administrative Console.

Settings that govern the features and behavior of the user dashboard are in most cases controlled through Active Directory GPO settings. However, settings that are left Not Configured in Active Directory may be configured by the local administrator using the Administrative Console. These local settings will then be effective for all users on the specific computer. Whenever a setting is configured (enabled or disabled) in Active Directory, the local administrator cannot modify the setting through the Administrative Console.

For this reason (especially if the needs specific to your environment require you to provide end users with local administrative rights), DigitalPersona strongly recommends that IT Administrators explicitly configure each desired setting in Active Directory, rather than relying on the default behaviors associated with the unconfigured state.
Authentication and Credentials

The default, and simplest, means of authentication, i.e. making sure that you are a person authorized to access a computer or other resource, is your Windows account name and password. Authentication is generally required when logging on to Windows, accessing network applications and resources, and logging in to websites.

DigitalPersona Pro clients provide a means for the IT Administrator to easily set up and enforce strong authentication, such as two-factor and multi-factor authentication, using a variety of supported credentials. DigitalPersona Pro supports the use of various credentials for authentication, including Windows passwords, fingerprints, smart cards, contactless cards, proximity cards, face, PIN, Bluetooth and One-Time Passwords. An additional Self Password Recovery credential may be used solely for recovering access to a managed client computer in place of a forgotten password.

Initial setup and enrollment of credentials is provided through a Setup wizard, or may be controlled by an administrator using Attended Enrollment.

Security applications

DigitalPersona Pro Enterprise security applications integrate with the basic functionality of the solution. Additional DigitalPersona Pro Enterprise security applications may be available. Contact your DigitalPersona partner or reseller for further information, or go to our website at:

Password Manager Admin Tool

The Password Manager Admin Tool simplifies and secures access to password-protected software programs and websites through the use of managed logons, which allow users to identify themselves through any supported credential or combination of credentials specified by the administrator, as defined in the Authentication and Credentials topic above.

Administrators use the DigitalPersona Password Manager Admin Tool to create managed logons specifying information for logon and change-password screens for websites, programs and network resources. These managed logons are then deployed to managed workstations, where they are accessible to the user through the Password Manager application and the mini-dashboard. Managed logons always take precedence over personal logons created by users.

For additional information on the Password Manager Admin Tool, see the DigitalPersona Password Manager Admin Tool Application Guide (available on our website at Support), or see the help file within the program.
Licensing model

DigitalPersona Pro Enterprise features and functionality as described in this Administrator Guide are included in the core version of the product, unless otherwise indicated. The basic licensing model is the User license, which permits enrolling of user credentials by a specified number of DigitalPersona Pro Enterprise users.

The specific DigitalPersona Pro SKU and/or package you purchased may entitle you to licensing of one or more additional modules or components that are integrated with DigitalPersona Pro. You should have received from DigitalPersona or from a DigitalPersona authorized reseller all of the license activation keys and/or files that are part of the package you purchased. Make sure you contact your DigitalPersona representative should you have any questions. Some modules or optional components may need to be activated individually.

For information on other licensed versions of the product which may be available, and licensing for specific features, contact your DigitalPersona Account Manager or Reseller, or visit our website at:

Licenses may be activated through Active Directory using the License Activation Manager. For more information about DigitalPersona Pro Enterprise license activation, see License Activation & Management on page 67.
System Requirements

Product/Component: DigitalPersona Pro Enterprise Server
Minimum Requirements:
- Microsoft Windows Server 2008 R2 (32/64-bit) or Windows Server 2003 SP2 (32/64-bit) or Windows SBS 2003 SP2
- Active Directory
- 12 MB disk space plus 5K per user

Product/Component: DigitalPersona Pro Workstation for Enterprise
Minimum Requirements:
- Windows Server 2008 R2 (32/64-bit) or Windows Server 2003 SP2 (32/64-bit) or Windows 7/8/Vista (32/64-bit) or Windows XP Professional SP3 (32-bit).* Home editions of Windows 7/Vista/XP are not supported.
- 50 MB disk space, 100 MB during installation
- Microsoft Internet Explorer 6-10, Chrome 11+ or Firefox 4+ to create/use Password Manager personal logons or use managed logons
- Microsoft Internet Explorer 6-10 to create managed logons using the Password Manager Admin Tool

Product/Component: DigitalPersona Pro Kiosk for Enterprise
Minimum Requirements:
- Windows 7/8/Vista (32/64-bit) or Windows XP Professional SP3 (32-bit). Home editions are not supported.
- 50 MB disk space, 100 MB during installation
- Microsoft Internet Explorer 6-10, Chrome 11+ or Firefox 4+ to use managed logons

* Also supported: Windows XP Embedded SP3, Windows Embedded Standard 2009 and Windows Embedded Standard 7, with dependencies as documented on page 210.

Personal logons allow end-users to create automated logons to programs, websites and network resources. Managed logons have the same function but are created by an administrator and deployed to end-users.

NOTE: When using Internet Explorer on Windows 8, Password Manager features are only available when the browser is launched from the legacy desktop, not from the Metro UI.

Support Resources

The following resources are provided for additional support.

- Readme files in the root directory of each product package contain late-breaking product information.
- AskPersona.com is a DigitalPersona knowledge portal providing answers to many frequently asked questions about our products.
- DigitalPersona Maintenance and Support customers will find additional information about technical support resources in their Maintenance and Support confirmation.
- Online help is included with each component and application.
- All DigitalPersona Pro Enterprise documentation is available on our website at:

Changes from previous version

5.5 vs

The major differences between the 5.5 release and the previous release are summarized below.

1 Support for Microsoft 2012 server.
2 Support for NetMotion.
3 Fingerprint authentication for Citrix XenDesktop.
4 Microsoft Windows Logo Certification.
5 The User Query Tool has been modified to enable reporting users who have answered the Self Password Recovery questions.
6 Support for the U.are.U 5160 PIV Certified fingerprint sensor, Eikon II and Eikon Mini fingerprint readers.
7 Passwords are treated as credentials, and therefore consume a license, only when used for SSO and for authentication into the Pro Administrative Console.
8 The Delete License command has been refined so that user data from the local cache is removed during the process, and the warning (from v5.4.1) not to use DigitalPersona Pro on this account in the future is no longer necessary.
9 Enhancements to the processes for enrolling and using Card credentials (Smart Cards, Contactless Cards and Proximity Cards) to simplify their use and align the experience more closely with that of other credentials.
10 Support for two models of Dell/Wyse thin clients (D90 and Z90, running Ubuntu and SUSE) using ICA or RDP clients. Requires a separate part number and download.

vs 5.4

The major differences between the release and the previous 5.4 release are summarized below.

1 Delete License - A new feature available through the DigitalPersona Users and Computers snap-in allows the administrator to delete the DigitalPersona user license for a selected user. This new command on the context menu for a user in the Active Directory Users and Computers console releases the DigitalPersona license associated with this user back to the license pool. Note that use of this command will delete all DigitalPersona credentials and other user data stored in Active Directory. The user account should no longer be used with DigitalPersona Pro, and the product should not be reinstalled in the same user account. If use of DigitalPersona Pro is attempted on this account, an Access Denied error will be reported due to previously locally cached credentials. See page .
2 User Query Tool - Additional functionality has been added to the User Query Tool, which now returns a flag indicating whether a license was taken by a specified user, and provides the ability to delete the license. See pages 86 and following.
3 Kiosk access restrictions - Note that in versions prior to 5.4.1, kiosk access restriction through an identification list (see page 215) applies only to fingerprint access, and access through other credentials, such as Windows password, is not restricted. Beginning with version 5.4.1, the restriction applies to all supported credentials.

5.4 vs 5.3

The major differences between the 5.4 release and the previous 5.3 release are summarized below.

1 DigitalPersona Reporter has a brand new interface, with dozens of reports for compliance and auditing, the ability to schedule and export in popular formats such as PDF, XLS and XML, and the ability to extensively filter and customize reports. Pre-canned reports support HIPAA, PCI and SOX compliance standards.
2 The new simplified Client Suite Installer and Administrative Suite Installer provide a more convenient way to install related DigitalPersona Pro Enterprise components.
3 DigitalPersona Pro Workstation for Enterprise can now be installed in Evaluation mode, which does not require connection to a DigitalPersona Pro Enterprise Server.
4 Client licenses are no longer required for DigitalPersona Pro Workstation and Pro Kiosk. Pro Server User Licenses are required to cover the number of users enrolling credentials in the DigitalPersona Pro Enterprise environment. Instructions for installing the previous version (5.3) Client Package and Component licenses are included for reference beginning on page .
5 The new Fast Connect feature allows for SSO to Citrix Published Applications and Desktops with XenApp and XenDesktop. See Citrix Deployment Scenarios on page .
6 Quick Actions now support the use of smart (contact, contactless and proximity) cards, and the new Fast Connect feature. See Quick Actions tab on page .
7 Support has been added for Windows 8, in Legacy mode only.
8 Additional per-user policies and settings. See User properties on page 82.
9 The User Query Tool now reports the dates that fingerprints were first enrolled and last enrolled. See User Query Tool snap-in on page .
10 Password Manager Pro has been renamed the Password Manager Admin Tool.
11 Some pages and settings in the Administrative Console have been changed. Management of DigitalPersona Pro Users is no longer available through the Administrative Console. See Pro Administrative Console on page .
12 The DigitalPersona Pro 5.4 package includes a new version (v5.7) of DigitalPersona Defender.
13 Support for new contactless (FeliCa) and proximity (Indala) cards.
14 User secrets (i.e. Password Manager logon account data) created on disconnected computers are now synchronized with the Pro Server data once reconnection is established.
15 A new centrally-managed, roaming, question-and-answer-based Self Password Recovery feature allows the user to recover access to any domain computer where they have logged on at least once.
16 Support for YubiKey tokens used as RFID tokens or as OTP tokens through DigitalPersona Defender.
17 On Windows Server 2003, DigitalPersona administrative templates are installed in a new location, the Windows\Inf\{language} folder. When upgrading previous versions of Pro Server to on Windows Server 2003, all administrative templates have to be explicitly removed from GPOs, and the new adm files added to Administrative Templates.
18 DigitalPersona Drive Encryption is not supported in this version.
Section One: Installation

This section of the DigitalPersona Pro Enterprise Administrator Guide includes the following chapters:

Chapter Number and Title        Purpose
2 - Pro Server Installation     Requirements and procedure for installing DigitalPersona Pro Enterprise Server.
3 - Pro Client installation     Requirements and procedure for installing DigitalPersona Pro clients.
4 - Pro Kiosk installation      Requirements and procedure for installing DigitalPersona Pro Kiosk clients.
5 - Optional installations      Requirements and procedure for installing optional DigitalPersona Pro Enterprise components.
22 Pro Server Installation 2 This chapter provides instructions for the installation of DigitalPersona Pro Enterprise Server on a domain controller. Instructions for uninstalling DigitalPersona Pro Enterprise Server are on page 31. Deployment Overview Here is a high-level overview of the steps required for initial deployment of DigitalPersona Pro Enterprise Server on the domain controller for a Windows 2003/2008 Server network. Procedure 1 Extend the Active Directory schema to include attributes and classes used by DigitalPersona Pro Enterprise Server. Requires AD Schema Administrator rights. You can view the details of the changes that will be made to the schema by opening the file dp-schema.ldif located in the AD Schema Extension folder in the product package. 2 Configure each domain on which DigitalPersona Pro Enterprise Server will be installed by running DPDomainConfig.exe (located in the folder "AD Domain Configuration" in the product package). Requires AD Domain Administrator rights. 3 Install the DigitalPersona Pro Enterprise Server software. Note that this will set firewall rules necessary for the operation of DigitalPersona software. 4 (Windows Server 2003 only) Add DigitalPersona Administrative Templates to OUs. 5 (Optional) Configure Pro Enterprise Server for use with DigitalPersona Pro Kiosk, if Pro Kiosk will be used in the domain. Detailed instructions for installation begin on page 22. Page , Upgrading from Previous Versions Before upgrading from a previous version, it is critical that you refer to the DigitalPersona Pro Upgrade Notes available at Direct upgrades from DigitalPersona Pro for Active Directory versions previous to are not supported. If you need to upgrade from a version prior to 4.4.3, you will need to upgrade to Pro and then upgrade to Pro Enterprise 5.4. A Migration Guide is available from DigitalPersona or your authorized DigitalPersona Pro Enterprise - Administrator Guide 22
channel partner for upgrading from DigitalPersona Pro for Active Directory to DigitalPersona Pro Enterprise 5.3. Also, make sure to review the readme.txt file included with each component in the product package that you are installing.
Compatibility
DigitalPersona Pro Enterprise Server version 5.4 is compatible with the following DigitalPersona products:
DigitalPersona Pro Workstation for Enterprise and above.
DigitalPersona Pro Kiosk for Enterprise and above.
DigitalPersona Password Manager Admin Tool and above.
DigitalPersona Privacy Manager Pro 5.51 or higher.
DigitalPersona Defender Server 5.7.
DigitalPersona Pro Server Enterprise 5.4 should NOT be installed over, or upgraded from, versions of DigitalPersona Pro Server for Active Directory that are not supported for direct upgrade (see Upgrading from Previous Versions above), nor used in a mixed environment with Pro Server for Active Directory versions 3.x or 4.x or with Pro Workstation/Kiosk 3.x/4.x. If any previous version of DigitalPersona Pro Server for Active Directory was installed, the administrator should uninstall it and run the DigitalPersona Cleanup wizard (located in the product package) to delete all of the previous DigitalPersona Pro data.
This release is not compatible with, and requires the uninstallation of, any other DigitalPersona products on the same computer.
Extending the Active Directory Schema
Prior to installing DigitalPersona Pro Server, the Active Directory schema must be extended to create new attributes for the user object and new classes, as well as to make modifications to existing classes. The Active Directory Schema Extension Wizard automatically handles all of the necessary changes to the schema.
This schema extension is version 2. The schema extension version number is independent of the DigitalPersona Pro product version number; each Pro product release identifies the schema extension version it requires. The schema extension is global to the Active Directory forest.
If you want to view the script that is used to extend the schema (dp-schema.ldif), it is available in the product package at the following location: AD Schema Extension\dp-schema.ldif
The Active Directory Schema Extension Wizard must be run from the schema master domain controller, or the data may not replicate fast enough to allow the wizard to continue. If the data is not replicated fast enough, the wizard terminates; wait one replication cycle before running the wizard again.
After the schema extension, and again after configuring your domains, you must wait for Active Directory replication to complete. The amount of time this takes depends on the complexity of your Active Directory structure.
You must have Schema Administrator privileges to run the Schema Extension Wizard.
To run the Active Directory Schema Extension Wizard
1 Double-click DPSchemaExt.exe, which is located in the Schema Extension folder in the Server installation package, to start the Schema Extension Wizard.
2 Read the terms and conditions on the License Agreement page. If you agree with them, select I accept the license agreement and then click Next.
3 When prompted to proceed with the schema extension, click Yes.
4 Specify a location and name for the log file generated by the Schema Extension Wizard in the Save Log File As dialog box. Then click Save.
5 If the schema is not writable, the wizard informs you of this and offers to make it writable. If this dialog box displays, click Yes to make the schema writable and perform the schema extension.
6 The wizard extends the schema and reports information such as the class and attribute names. To close the wizard, click Finish.
The name of each new attribute and class added to the Active Directory schema follows Microsoft naming conventions. The names are assigned a dp prefix, which is registered with Microsoft. The OID base, generated by Microsoft, is
Configure each domain
For each domain on which you plan to install DigitalPersona Pro Server, you need to run the DigitalPersona Pro Active Directory Domain Configuration Wizard, which configures the required domain-specific data, including the necessary cryptographic keys. Running the wizard requires administrator privileges on the domain controller.
You should run this wizard only once on each domain where Pro Server will be installed. When installing multiple DigitalPersona Pro Enterprise Servers, it is critical that you run the wizard only once during any replication period, allowing full replication to complete before going on to run the wizard on the next domain.
Running the wizard a second time during a single replication period will result in corrupted Server data, and any DigitalPersona Pro Enterprise Servers in the domain will be unusable.
After running the Domain Configuration Wizard, domain-level permissions to enroll/delete fingerprints are reset to the default, i.e. Allow.
To run the DigitalPersona Pro Enterprise Domain Configuration Wizard
1 Double-click DPDomainConfig.exe, which is located in the Domain Configuration folder in the Server installation package.
2 Read the license agreement that displays and, if you agree to the terms and conditions, select I accept the license agreement and then click Next.
3 A warning reminds you not to run this wizard if you have an existing DigitalPersona Pro Enterprise Server installation on this domain. If you are sure there are no other DigitalPersona Pro Enterprise Server installations on the domain you are configuring, check the I accept that the domain will be configured box and click Next.
4 In the Save Log File As dialog box, specify a file name and folder path for the log file generated by the wizard and click Save.
5 When you click Save, the wizard performs the changes on the domain.
6 To close the wizard, click Finish.
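The two wizards above impose three conditions that are easy to get wrong: the schema wizard must run on the schema master as a Schema Admin, and each wizard must be followed by a full replication cycle before the next step. The PowerShell below is an added example for checking those conditions; it is not part of the DigitalPersona guide or product. It assumes the ActiveDirectory RSAT module on the domain controller, and Get-ADReplicationPartnerMetadata needs the Windows Server 2012 or later module (on older tooling, read the output of repadmin /showrepl instead). The "dp" attribute prefix is the only naming detail the guide gives, so the schema check is a prefix match, not a list of exact names.

```powershell
# Added example (not part of the DigitalPersona guide): pre-flight and post-run checks
# around DPSchemaExt.exe and DPDomainConfig.exe. Assumes the ActiveDirectory RSAT module;
# Get-ADReplicationPartnerMetadata requires the Windows Server 2012 or later module.
Import-Module ActiveDirectory

function Test-SchemaPreflight {
    # DPSchemaExt.exe must run on the schema master, by a member of Schema Admins.
    $forest    = Get-ADForest
    $localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $onMaster  = ($forest.SchemaMaster -ieq $localFqdn)
    # Read groups from the logon token: Schema Admins lives in the forest root domain,
    # so a directory lookup from a child domain may not show it.
    $tokenGroups   = (whoami /groups /fo csv | ConvertFrom-Csv).'Group Name'
    $isSchemaAdmin = [bool]($tokenGroups | Where-Object { $_ -like '*\Schema Admins' })
    [pscustomobject]@{
        SchemaMaster    = $forest.SchemaMaster
        RunningOnMaster = $onMaster
        IsSchemaAdmin   = $isSchemaAdmin
        ReadyToRun      = ($onMaster -and $isSchemaAdmin)
    }
}

function Get-DpSchemaObjects {
    # After DPSchemaExt.exe: list the attributes and classes it added. The guide documents
    # only the "dp" prefix, so this is a prefix match (assumption: no other dp* objects exist).
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -Properties lDAPDisplayName, objectClass `
        -LDAPFilter '(&(|(objectClass=attributeSchema)(objectClass=classSchema))(lDAPDisplayName=dp*))' |
        Select-Object lDAPDisplayName, objectClass |
        Sort-Object objectClass, lDAPDisplayName
}

function Test-ReplicationSettled {
    # The guide requires a full replication cycle after the schema extension and again after
    # each domain configuration. Pass the time you ran the wizard and the partition it
    # touched: 'Schema' for DPSchemaExt.exe (checked on every DC in the forest),
    # 'Default' for DPDomainConfig.exe (checked on every DC of the current domain).
    param(
        [Parameter(Mandatory)][datetime]$Since,
        [ValidateSet('Schema', 'Default')][string]$Partition = 'Schema'
    )
    $dcs = if ($Partition -eq 'Schema') {
        (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
    } else {
        Get-ADDomainController -Filter *
    }
    $lagging = foreach ($dc in $dcs) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition $Partition |
            Where-Object { $_.LastReplicationSuccess -lt $Since -or $_.ConsecutiveReplicationFailures -gt 0 } |
            Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures
    }
    if ($lagging) {
        Write-Warning ($lagging | Format-Table -AutoSize | Out-String)
        return $false
    }
    return $true
}

# Typical use on the schema master:
#   Test-SchemaPreflight                       # ReadyToRun must be True before starting DPSchemaExt.exe
#   $ran = Get-Date                            # then run DPSchemaExt.exe
#   Get-DpSchemaObjects                        # the dp* attributes and classes should now be listed
#   Test-ReplicationSettled -Since $ran        # wait until True before running DPDomainConfig.exe
#   $ran = Get-Date                            # then run DPDomainConfig.exe
#   Test-ReplicationSettled -Since $ran -Partition Default   # wait until True before Setup.exe or the next domain
```

Test-ReplicationSettled is deliberately conservative: it reports any domain controller whose last successful inbound replication of the partition predates the wizard run, so you wait on the slowest link rather than on the schema master's own view.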
Install DigitalPersona Pro Enterprise Server
After extending the Active Directory schema and configuring the domain where you will install Pro Server, you are ready to install the software. Before installing DigitalPersona Pro Enterprise Server, ensure that the computer meets the minimum requirements listed on page 17.
WARNING: To avoid possible data loss, wait one data replication cycle after domain configuration before installing DigitalPersona Pro Enterprise Server.
Note also that the installation sets three inbound firewall policies necessary for the operation of DigitalPersona software:
DigitalPersona Authentication Service (Echo Request - ICMPv4-In): Inbound rule for DigitalPersona Authentication Service to allow Echo Request messages to be sent as ping requests.
DigitalPersona Authentication Service (DCOM-In): Inbound rule for DigitalPersona Authentication Service to allow remote DCOM activation via the RPCSS service.
DigitalPersona Authentication Service (TCP-In): Inbound rule for DigitalPersona Authentication Service to allow it to be remotely connected to via DCOM.
To install DigitalPersona Pro Server
1 Double-click Setup.exe, located in the Pro Enterprise Server folder of the DigitalPersona Pro Enterprise Server installation package, to run the DigitalPersona Pro Enterprise Server Installation Wizard.
2 When the wizard opens, click Next.
3 Read the terms and conditions on the License Agreement page. If you agree with them, select the I accept the license agreement button and then click Next.
4 On the next page, you can specify the folder in which DigitalPersona Pro Enterprise Server will be installed. If you want to install the server in the default location, which is C:\Program Files\DigitalPersona, click Next. Or click Browse to specify a new location and then click Next to continue.
5 The wizard installs the Server software. To close the wizard, click Finish.
DigitalPersona Pro Enterprise Server and its associated workstation clients use GPMC extensions, installed under the Software Settings and Administrative Templates nodes, to link product policies and settings to Active Directory containers. These policies and settings are described in the chapter Policies and Settings on page 99.
In releases prior to 5.2, administrative templates were automatically copied to the default folder for administrative templates during installation of DigitalPersona Pro Enterprise Server. On Windows Server 2003, this folder is C:\Windows\inf. On Windows Server 2008, the folder is X:\Windows\PolicyDefinitions.
Beginning in release 5.2, these administrative templates are no longer copied as part of the Pro Enterprise installation. They are now part of the GPMC Extensions component of the DigitalPersona Pro Administrative Tools, which may be installed on any Active Directory-aware computer. For additional information on the GPMC Extensions, see GPMC Extensions on page 130. For policies and settings available through the GPMC extensions, see Policies and Settings on page 99.
Configuring DigitalPersona Pro Server for Pro Kiosk
Configuration Steps
Complete the following Pro Server and Kiosk installation and configuration steps in the order shown below. Specific instructions for configuration are described in the following sections and on the additional pages referenced.
1 Install DigitalPersona Pro Server, version 5.x or higher. This includes performing the Schema Extension, Domain Configuration and Server installation as specified on pages 23 and following. If previous versions of DigitalPersona Pro Server were installed in the domain, run the Domain Configuration Wizard but do not run the Schema Extension Wizard again.
2 Install the DigitalPersona Pro Administration Tools. You do not need to install all of the included Administration Tools components; however, the GPMC Extensions component must be installed. See Administration Tools.
3 Create an OU for each kiosk and assign computers to the kiosk OU. See Creating the OU for the Kiosk on page 29. By default, the entire domain is considered one kiosk. You may want to set up multiple, separate kiosks.
4 Assign kiosk permissions. By default, all domain users are allowed Kiosk permissions. You can restrict identification to specific groups or users by following the instructions in the chapter Identification List on page 215. Note that by design, the AD Domain Administrator has access even if not granted permission on an Identification List. However, you can change the permission for the Domain Administrator from Allow to Deny for any specific kiosk.
5 Create a Shared Account in Active Directory and specify the account information either by GPO or on individual kiosk computers. See Kiosk Shared Account Settings on page 29 and Adding Shared Account Settings Using GPO.
6 Install DigitalPersona Pro Kiosk on the kiosk computers. See Pro Kiosk installation on page 46 for instructions.
7 Enroll user credentials. By default, all domain users are allowed to enroll their own credentials. However, you can choose whether you want to supervise the credential enrollment process, or allow users to enroll credentials themselves when they first log on to or unlock a kiosk computer. For more information, refer to the topic Attended Enrollment on page 94.
Configuring Kiosk GPO Settings
Perform fingerprint identification on server
The GPO setting Perform fingerprint identification on server must be applied and enabled for all Pro Kiosk clients that will be using fingerprint credentials. For further details, see Perform fingerprint identification on server on page 121.
Kiosk Shared Account Settings
At the kiosk level, whether it is the domain or an OU, you must specify the kiosk Shared Account information. For more information, see Adding Shared Account Settings Using GPO on page 29.
Creating the OU for the Kiosk
When you install DigitalPersona Pro Server and Pro Kiosk, the entire domain is considered one kiosk unless you complete further configuration. To create multiple kiosks in a domain, or to limit the usage of the kiosk to specific computers only, create an organizational unit (OU) for each kiosk and then assign computers to the OU. You might create several kiosks where each kiosk is associated with its own OU. If computers in the same OU are geographically located in different sites, each OU per site is a kiosk.
Specifying a Shared Account for the Kiosk
Pro Kiosk requires an account, known as the Shared Account, that is specified on every kiosk computer. Account information includes the user name, domain name and password for an Active Directory account. You should have one Shared Account per kiosk, with the Password never expires setting enabled.
You can configure the kiosk Shared Account by supplying the kiosk Shared Account information through GPO settings, as described below. If the kiosk Shared Account information is distributed through Group Policy settings, all computers that belong to the selected object level in Active Directory, such as OU, Domain, or Site, receive the kiosk Shared Account settings.
Pro Kiosk automatically assigns the Impersonate a client after authentication user right to the kiosk Shared Account. This right allows programs that run on behalf of that user to impersonate a client, which is what lets Pro Kiosk authenticate multiple users while using only one logon session for the Shared Account.
Adding Shared Account Settings Using GPO
The Pro Kiosk Shared Account setting is provided as part of the GPMC Extensions component of the DigitalPersona Pro Administration Tools, a separate installation available in your Pro Enterprise product package.
Note that beginning with Pro Enterprise 5.3, the AD location of these settings has changed. The settings previously found at Computer Configuration/Administrative Templates/DigitalPersona Pro Client/Kiosk Administration have been replaced and are included for backward compatibility only. The new location is Computer Configuration/Policies/Software Settings/DigitalPersona Pro Client/Kiosk Administration.
You can use the Group Policy Editor to modify DigitalPersona settings. For the Kiosk Shared Account Settings, at the OU level for the kiosk, open the Kiosk Administration node and double-click Kiosk Workstation Shared Account Settings. Specify the following values:
Kiosk Shared Account user name
Kiosk Shared Account NetBIOS domain name
Kiosk Shared Account password
The Shared Account information is then enabled for all computers in the OU.
Assigning Kiosk Permissions
In situations where additional security restrictions are necessary or desirable, you can modify the default permissions to allow or deny specific groups or users the use of each kiosk. The default installation permits every domain user to use all kiosks in the domain, and no additional configuration is necessary. For an example of how to restrict identification, see Restricting kiosk identification on page 122.
Password Manager Admin Tool settings
If you plan on using managed logons with DigitalPersona Pro Kiosk, the templates created in the Password Manager Admin Tool must be accessible by the Shared Accounts that are used to access the kiosks. Make sure that the templates are made available through GPO settings to the kiosk Shared Account rather than to kiosk user accounts. The Password Manager logon functionality is the same as in Pro Workstation, except that kiosk users cannot create their own personal logons but can use managed logons created by the administrator.
For more information on the Password Manager GPO settings, refer to Policies and Settings on page 99. For additional information on managed logons, see the Password Manager Application Guide.
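The Shared Account is a long-lived credential with a non-expiring password that is pushed to every computer in the kiosk OU, so it deserves the treatment of a service account: created for one kiosk only, a member of no administrative group, and holding no user right beyond the one Pro Kiosk assigns. The PowerShell below is an added example for creating and auditing such an account; it is not part of the DigitalPersona guide or product. It assumes the ActiveDirectory RSAT module, and the account name, OU and group list are placeholders. The final check runs on a kiosk computer and reads the local user-rights assignment with secedit, which is where the Impersonate a client after authentication right (SeImpersonatePrivilege) that the guide mentions will appear.

```powershell
# Added example (not part of the DigitalPersona guide): create a kiosk Shared Account with
# the properties the guide calls for and verify it holds no rights beyond what Pro Kiosk needs.
# Assumes the ActiveDirectory RSAT module; names and OU are placeholders.
Import-Module ActiveDirectory

function New-KioskSharedAccount {
    param(
        [Parameter(Mandatory)][string]$Name,          # e.g. svc-kiosk-lobby (one per kiosk)
        [Parameter(Mandatory)][string]$Path,          # e.g. OU=Service Accounts,DC=corp,DC=example,DC=com
        [Parameter(Mandatory)][securestring]$Password
    )
    # "Password never expires" is required by the guide; CannotChangePassword keeps a kiosk
    # session from rotating the password the GPO distributes.
    New-ADUser -Name $Name -SamAccountName $Name -Path $Path -AccountPassword $Password `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'DigitalPersona Pro Kiosk shared account' -PassThru
}

function Test-KioskSharedAccount {
    param([Parameter(Mandatory)][string]$Name)
    $u = Get-ADUser $Name -Properties PasswordNeverExpires
    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership, so an account placed in a
    # group that is itself in Domain Admins is still caught.
    $groups = (Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($u.DistinguishedName))").Name
    $privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators')
    $hits = @($groups | Where-Object { $_ -in $privileged })
    [pscustomobject]@{
        Account              = $u.SamAccountName
        Sid                  = $u.SID.Value
        PasswordNeverExpires = $u.PasswordNeverExpires
        PrivilegedGroups     = $hits
        LeastPrivilege       = ($hits.Count -eq 0)
    }
}

function Test-ImpersonateRight {
    # Run on a kiosk computer after Pro Kiosk is installed: confirms the Shared Account's SID
    # appears on SeImpersonatePrivilege, the right the guide says Pro Kiosk assigns.
    param([Parameter(Mandatory)][string]$AccountSid)
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeImpersonatePrivilege*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    # secedit writes SIDs with a leading asterisk: SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,...
    [bool]($line -like "*$AccountSid*")
}

# Typical use (the password prompt keeps the secret out of the script and shell history):
#   New-KioskSharedAccount -Name svc-kiosk-lobby -Path 'OU=Service Accounts,DC=corp,DC=example,DC=com' -Password (Read-Host -AsSecureString 'Password')
#   $check = Test-KioskSharedAccount -Name svc-kiosk-lobby      # LeastPrivilege should be True
#   Test-ImpersonateRight -AccountSid $check.Sid                 # on a kiosk computer, should be True
```

If Test-ImpersonateRight returns False on a kiosk that otherwise works, check whether a domain GPO defines the Impersonate a client after authentication right explicitly; a policy-defined list replaces the local assignment that Pro Kiosk makes rather than adding to it.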
Changes Made During Installation
Running the Schema Extension Wizard adds the following data to Active Directory.
Active Directory Containers
The Schema Extension Wizard installs two subcontainers in the Active Directory System container. They contain information administrators can use to verify and administer the DigitalPersona Pro Server installation. In the ADUC (Active Directory Users and Computers) snap-in, ensure that Advanced Features is selected from the View menu in order to view the System container.
The new containers installed are the BAS (Biometric Authentication Servers) container and the Licenses container. The Biometric Authentication Servers container provides the objectCategory and objectClass for the BAS. The Licenses container stores the license files for DigitalPersona Pro products.
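The containers above, the Service Connection Point published under Published Information below, and the three firewall rules the installer creates are the observable evidence that an installation completed. The PowerShell below is an added example that checks all three; it is not part of the DigitalPersona guide or product. It assumes the ActiveDirectory RSAT module and, for the firewall part, the NetSecurity module of Windows Server 2012 or later. The guide gives the BAS container's long and short names but not its exact CN, so both are tried, and the SCP lookup keys on the Vendor Name and Product Name keywords the guide lists (DigitalPersona and UareUPro) rather than on the GUIDs.

```powershell
# Added example (not part of the DigitalPersona guide): verify what the Schema Extension
# Wizard and the Pro Server installer created. Assumes the ActiveDirectory module and,
# for firewall checks, the NetSecurity module (Windows Server 2012 and later).
Import-Module ActiveDirectory

function Test-DpSystemContainers {
    # The guide names two subcontainers under CN=System; the BAS container's exact CN is
    # not given, so both the short and long forms are accepted (assumption).
    $systemDN = "CN=System,$((Get-ADDomain).DistinguishedName)"
    $found = Get-ADObject -SearchBase $systemDN -SearchScope OneLevel `
        -LDAPFilter '(|(name=BAS)(name=Biometric Authentication Servers)(name=Licenses))'
    [pscustomobject]@{
        BasContainer      = ($found | Where-Object { $_.Name -ne 'Licenses' }).DistinguishedName
        LicensesContainer = ($found | Where-Object { $_.Name -eq 'Licenses' }).DistinguishedName
    }
}

function Get-DpServiceConnectionPoints {
    # Pro Server publishes an SCP whose keywords include the Vendor Name and Product Name
    # from the guide. serviceDNSName should be the DNS name of the Pro Server host.
    Get-ADObject -LDAPFilter '(&(objectClass=serviceConnectionPoint)(keywords=DigitalPersona)(keywords=UareUPro))' `
        -Properties serviceClassName, serviceDNSName, servicePrincipalName, keywords |
        Select-Object DistinguishedName, serviceClassName, serviceDNSName, servicePrincipalName, keywords
}

function Test-DpFirewallRules {
    # The three inbound rules the installer creates, by the display names in the guide.
    $expected = 'DigitalPersona Authentication Service (Echo Request - ICMPv4-In)',
                'DigitalPersona Authentication Service (DCOM-In)',
                'DigitalPersona Authentication Service (TCP-In)'
    foreach ($name in $expected) {
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Rule          = $name
            Present       = [bool]$rule
            Enabled       = if ($rule) { [string]$rule.Enabled -eq 'True' } else { $false }
            # 'Any' means every remote address may reach the DCOM endpoint.
            RemoteAddress = if ($rule) { (($rule | Get-NetFirewallAddressFilter).RemoteAddress) -join ',' } else { '' }
        }
    }
}

# Typical use on the Pro Server:
#   Test-DpSystemContainers          # both DistinguishedNames populated
#   Get-DpServiceConnectionPoints    # one SCP per installed Pro Server
#   Test-DpFirewallRules             # Present and Enabled True for all three rules
#
# If RemoteAddress is 'Any' for the DCOM and TCP rules, scope them to the subnets that host
# Pro clients (placeholder subnets):
#   Get-NetFirewallRule -DisplayName 'DigitalPersona Authentication Service (DCOM-In)', 'DigitalPersona Authentication Service (TCP-In)' |
#       Set-NetFirewallRule -RemoteAddress '10.10.0.0/16', '10.20.0.0/16'
```

The SCP and the DNS SRV records are what clients use to locate a Pro Server, so a missing or stale SCP usually explains a client that falls back to local enrollment even though the service is running.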
Published Information
DigitalPersona Pro Server publishes its service using the following properties:
Service Class Name, set to Authentication Service.
Service Class GUID, set to {EFE03FEC-2A6C-4DFB-9B56-E3BC77F32D7F}.
Vendor Name, set to DigitalPersona.
Product Name, set to UareUPro.
Product GUID, set to {48F74E29-1CC0-468F-A0A A5170}.
Authentication Server Object Name, the DNS name of the host computer.
Service Principal Name, a unique name identifying the instance of a service for a client.
Schema Version Number, the version of the Active Directory schema extension.
Product Version Number, the version of the DigitalPersona Pro Server software.
Product Version High, set to [current version].
Product Version Low, set to [current version].
The keywords for searching for the server are Service Class GUID, Vendor Name, Product Name and Product GUID. The keyword values are the same as the property values listed in this section. The Server publishes its service in compliance with the Active Directory Service Connection Point specifications.
DNS Registration
DNS registration enables DigitalPersona Pro Workstations to locate Pro Servers without additional local configuration. If your DNS Server supports dynamic registration, DigitalPersona Pro Server registers itself with DNS using the service name _dpproent. The format of the DNS resource records for DigitalPersona Pro Server is:
_dpproent._tcp.[domain] 600 IN SRV [server name]
_dpproent._tcp.[site name]._sites.[domain] 600 IN SRV [server name]
Pro Server calculates site coverage based on the availability of other Pro Servers in the domain (as well as the sites configured for the domain) and then creates Service Resource Records (SRV RRs) for the domain and the sites it covers. Settings in the DigitalPersona Pro Administrative Template govern whether or not Pro Server uses dynamic registration. For information on this and other DNS-related settings, see pages 122 and following.
Automatic Registration
By default, DigitalPersona Pro Server registers itself with DNS every time Pro Server starts, refreshes the registration automatically at specified intervals, and unregisters itself every time DigitalPersona Pro Server stops.
When DigitalPersona Pro Server unregisters itself, it removes only the records it created during automatic registration. Records entered by the administrator are unaffected. Automatic Registration may be disabled through a GPO setting.
Manual DNS Registration
If your DNS Server does not support dynamic registration, or if dynamic registration is disabled through a DigitalPersona Pro GPO setting, an administrator can manually register the Pro Servers by entering the DNS resource records in the format shown above. You can view the default values of the settings created during Pro Server setup by opening the U.are.UPro.DNS file in Notepad. It is located in the Program Files\DigitalPersona\bin folder.
To manually register a Pro Server in Microsoft DNS
1 Open the DNS console and expand the Forward Lookup Zone.
2 In the left pane, select and then right-click [domainname], and select Other New Records in the context menu.
3 In the Resource Record Type dialog box, click Service Location, and then click the Create Record button.
4 In the New Resource Record dialog box, set the following values:
Service: _dpproent
Weight: 100
Port Number: 0
Host offering this service: domaincomputername.domainname.com
5 Click OK to save the settings and return to the main DNS console window.
6 Under the same [domainname], expand the _sites key.
7 In the left pane, select and then right-click Default-First-Site-Name and select Other New Records from the context menu.
8 Repeat steps 3 through 5 for each Pro Server that you want to register.
If the DP Service Resource Records (SRV RRs) are not added, either dynamically or manually, DigitalPersona Pro Workstation will not be able to find the Servers and will perform fingerprint enrollment and authentication locally.
Improving Performance
The Priority and Weight settings can be modified to achieve better response time and load balancing in the _dpproent Properties dialog box, which is accessible by double-clicking _dpproent in the DNS console. The _dpproent SRV RRs can be found in the following paths in the DNS console:
DNS/[DNS server]/Forward Lookup Zones/[domain]/_tcp
DNS/[DNS server]/Forward Lookup Zones/[domain]/_sites/[site name]/_tcp
If your DNS does not support dynamic registration, you will have to add these SRV RRs manually. For your convenience, these entries are stored in a file, UareUPro.DNS, which is located in the folder in which you installed DigitalPersona Pro Server.
Configuring DNS Dynamic Registration
Additional parameters for configuring DNS registration are available in the DigitalPersona Pro Administrative Template when it is added to the governing GPO. These settings are described beginning on page 122.
Uninstalling DigitalPersona Pro Server
DigitalPersona Pro Server can be uninstalled from the Add/Remove Programs Control Panel in Windows if you have administrator privileges on the domain on which Pro Server is installed. The software is listed as DigitalPersona Pro Enterprise Server version [version number].
When you uninstall the Server software, the published information (described in Published Information on page 32) and the DNS SRV RRs (described in DNS Registration on page 32) are removed.
Although the Add/Remove Programs Control Panel uninstalls the DigitalPersona Pro Server software, the user data (such as fingerprint credentials and secure application data) and global domain data remain in Active Directory. DigitalPersona provides a DigitalPersona Pro Cleanup Wizard to remove this data. See Utilities on page 153 for details.
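The manual registration procedure and the Priority/Weight tuning above are quicker to do, and easier to repeat across several servers, by script. The PowerShell below is an added example that registers the domain and site records in the format the guide gives (TTL 600, port 0, weight 100), checks that the zone only accepts secure dynamic updates, and resolves the records the way a Pro Workstation would; it is not part of the DigitalPersona guide or product. It assumes the DnsServer module (Windows Server 2012 or later RSAT), and the zone, site and host names are placeholders. The secure-update check matters because clients trust whatever _dpproent record DNS returns to find their authentication server: a zone that accepts unauthenticated dynamic updates lets any host on the network register itself as a Pro Server.

```powershell
# Added example (not part of the DigitalPersona guide): register _dpproent SRV records by
# script, check the zone's dynamic-update setting, and resolve the records as a client would.
# Assumes the DnsServer module; zone, site and host names are placeholders.
Import-Module DnsServer

function Register-DpProServer {
    param(
        [Parameter(Mandatory)][string]$Zone,         # e.g. corp.example.com (the AD domain zone)
        [Parameter(Mandatory)][string]$Site,         # e.g. Default-First-Site-Name
        [Parameter(Mandatory)][string]$ServerFqdn,   # e.g. dc1.corp.example.com
        [int]$Priority = 0,                          # lower is preferred; equal priorities share by Weight
        [int]$Weight   = 100                         # the guide's value for manual registration
    )
    # One record for the domain and one for the site, matching the two formats in the guide:
    #   _dpproent._tcp.<zone>                 600 IN SRV ...
    #   _dpproent._tcp.<site>._sites.<zone>   600 IN SRV ...
    foreach ($name in '_dpproent._tcp', "_dpproent._tcp.$Site._sites") {
        Add-DnsServerResourceRecord -ZoneName $Zone -Srv -Name $name -DomainName $ServerFqdn `
            -Priority $Priority -Weight $Weight -Port 0 -TimeToLive (New-TimeSpan -Seconds 600)
    }
}

function Test-DpProDnsZone {
    param([Parameter(Mandatory)][string]$Zone)
    # DynamicUpdate is None, NonsecureAndSecure or Secure. Only Secure limits who can
    # create or overwrite the _dpproent records that clients use to find a server.
    $z = Get-DnsServerZone -Name $Zone
    [pscustomobject]@{
        Zone          = $Zone
        DynamicUpdate = $z.DynamicUpdate
        SecureOnly    = ([string]$z.DynamicUpdate -eq 'Secure')
    }
}

function Get-DpProServers {
    param([Parameter(Mandatory)][string]$Zone, [string]$Site)
    # The lookups a Pro Workstation performs. If both return nothing, the guide notes the
    # client falls back to local enrollment and authentication.
    $names = @("_dpproent._tcp.$Zone")
    if ($Site) { $names += "_dpproent._tcp.$Site._sites.$Zone" }
    foreach ($n in $names) {
        Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object Name, NameTarget, Priority, Weight, Port, TTL
    }
}

# Typical use on the DNS server (two servers, second one carrying half the load):
#   Register-DpProServer -Zone corp.example.com -Site Default-First-Site-Name -ServerFqdn dc1.corp.example.com -Weight 100
#   Register-DpProServer -Zone corp.example.com -Site Default-First-Site-Name -ServerFqdn dc2.corp.example.com -Weight 50
#   Test-DpProDnsZone  -Zone corp.example.com                          # SecureOnly should be True
#   Get-DpProServers   -Zone corp.example.com -Site Default-First-Site-Name
```

Records created this way are administrator-entered, so Pro Server's automatic unregistration leaves them in place, as the guide states; remove them with Remove-DnsServerResourceRecord when a server is decommissioned.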
Chapter 3 - Pro Client installation
This chapter provides instructions for installing the DigitalPersona Pro Workstation for Enterprise client. Installation of the DigitalPersona Pro Kiosk client is covered in Chapter 4, beginning on page 46.
In most environments, DigitalPersona Pro Enterprise Servers will be used for authentication. They should be installed and configured before installing DigitalPersona Pro Workstation for Enterprise.
The following topics cover the installation of DigitalPersona Pro Workstation for Enterprise:
System requirements
Installation
Remote installation
Client Suite installation
Local installation
Command line installation
Installation on Citrix Presentation Server
System requirements
Before installing DigitalPersona Pro Workstation for Enterprise on a computer, make sure it meets the system requirements listed on page 17, and that you have Administrative Rights on the computer.
Upgrading from Previous Versions
Before upgrading from a previous version, it is critical that you refer to the DigitalPersona Pro Upgrade Notes available at
Direct upgrades from DigitalPersona Pro for Active Directory versions previous to are not supported. If you need to upgrade from a version prior to 4.4.3, you will need to upgrade to Pro and then upgrade to Pro Enterprise 5.4. A Migration Guide is available from DigitalPersona or your authorized channel partner for upgrading from DigitalPersona Pro for Active Directory to DigitalPersona Pro Enterprise 5.3. Also, make sure to review the readme.txt file included with each component in the product package that you are installing.
CAUTION: Upgrading the operating system from Windows XP to any later version of Windows will uninstall DigitalPersona Pro, and it will need to be reinstalled. Any Pro enrolled credentials will be lost as well. Before upgrading, use the Backup and Restore feature (page 169) to back up your DigitalPersona Pro data, and then restore the data after installing DigitalPersona Pro under the new operating system.
Compatibility
DigitalPersona Pro Workstation version 5.4 is compatible with the following DigitalPersona products:
DigitalPersona Pro Enterprise Server and above.
DigitalPersona Defender 5.7 and above.
DigitalPersona Password Manager Admin Tool and above.
DigitalPersona Privacy Manager Pro 5.51 and above.
This release is not compatible with, and requires the uninstallation of, any other DigitalPersona products on the same computer.
Installation
Remote installation
For remote installation of patches, see the next section.
The installer for Pro Workstation uses Microsoft Windows Installer (MSI) technology, which allows administrators to remotely install or uninstall the software using Active Directory administration tools or other software deployment tools. Note that this installer only works for computer-based policy installation, not user-based installation.
Prerequisites
Before installing your DigitalPersona Pro client, you must install the following prerequisites:
Windows Management Framework Core package, which includes Windows PowerShell 2.0 and Windows Remote Management (WinRM) 2.0. See the Windows KB article.
Microsoft .NET Framework version 2.0 or above.
Microsoft Visual C SP1 Redistributable package.
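Before pushing the package to an OU, it is worth checking each prerequisite on a sample client, together with two conditions stated elsewhere in this chapter: the 32-bit package will not install on a 64-bit computer, and the Client Suite installer fails when the VeriSign Class 3 Public Primary Certification Authority - G5 root certificate is absent from the machine store. The PowerShell below is an added example of such a check; it is not part of the DigitalPersona guide or product. It assumes PowerShell 3.0 or later on the machine running the check and a placeholder path for the administrative installation share; the guide does not give the Visual C++ redistributable version, so that part only reports what is installed.

```powershell
# Added example (not part of the DigitalPersona guide): pre-deployment check of a Pro
# Workstation client. Assumes PowerShell 3.0+; the package share path is a placeholder.
function Test-ProClientPrerequisites {
    param([string]$PackageRoot = '\\servername\InstallDir\Pro Enterprise Workstation')

    # Pick the package folder the guide names for this architecture.
    $is64    = [Environment]::Is64BitOperatingSystem
    $package = Join-Path $PackageRoot $(if ($is64) { 'x64' } else { 'x86' })

    # .NET Framework 2.0 or above: any of these NDP keys with Install = 1 satisfies it.
    $ndp    = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    $dotnet = @('v2.0.50727', 'v3.0', 'v3.5', 'v4\Client', 'v4\Full') | Where-Object {
        (Get-ItemProperty "$ndp\$_" -Name Install -ErrorAction SilentlyContinue).Install -eq 1
    }

    # Windows Management Framework Core: PowerShell 2.0 and the WinRM service.
    $psOk   = $PSVersionTable.PSVersion.Major -ge 2
    $winrm  = Get-Service WinRM -ErrorAction SilentlyContinue

    # Visual C++ redistributables present (version required is not stated in the guide).
    $uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
              'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $vcredist = Get-ItemProperty $uninst -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Visual C++*Redistributable*' } |
        Select-Object -ExpandProperty DisplayName -Unique

    # VeriSign G5 root in the machine's Trusted Root store (matched by subject; verify the
    # thumbprint against the CA's published value before trusting a copy from elsewhere).
    $g5 = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*VeriSign Class 3 Public Primary Certification Authority - G5*' }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Is64Bit          = $is64
        PackageFolder    = $package
        PackageReachable = Test-Path $package
        DotNet2Plus      = @($dotnet).Count -gt 0
        PowerShell2Plus  = $psOk
        WinRMPresent     = [bool]$winrm
        VCRedist         = @($vcredist)
        VeriSignG5Root   = [bool]$g5
        G5Thumbprint     = if ($g5) { ($g5 | Select-Object -First 1).Thumbprint } else { $null }
        ReadyToDeploy    = (@($dotnet).Count -gt 0) -and $psOk -and [bool]$winrm -and [bool]$g5 -and (Test-Path $package)
    }
}

# Typical use: run on a representative client from each OU before assigning the package.
#   Test-ProClientPrerequisites
#   Test-ProClientPrerequisites -PackageRoot '\\fileserver\DPShare\Pro Enterprise Workstation'
```

When running this remotely (for example through Invoke-Command), note that Cert:\LocalMachine\Root and the NDP registry keys require local administrator rights to read reliably, which is the same right the guide requires for the installation itself.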
Installing Pro Workstation
To install Pro Workstation remotely through Active Directory, use the following procedure. Some steps will vary depending on the operating system version. For mixed 32- and 64-bit environments, follow these steps twice to create an administrative installation file for each environment.
1 Create an administrative installation package.
a. Open a command prompt session and navigate to the location where you have stored the product package. Change the directory to Pro Enterprise Workstation\x86 for the 32-bit version or Pro Enterprise Workstation\x64 for the 64-bit version. Note that the 32-bit version will not install on 64-bit computers.
b. Type setup.exe /a
c. The product installation wizard launches and prompts you for the location where the administrative installation package should be created. Choose a network share that will be accessible to the computers where you will be installing the software, for example \\servername\InstallDir, where InstallDir is a predefined shared folder. There is no need to reboot at the end of the wizard.
2 Create a Group Policy Object (GPO) that will be used to distribute the software package.
a. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
b. In the console tree, right-click your domain, and then click Properties.
c. Click the Group Policy tab, and then click New.
d. Type a name for this new policy (for example, DigitalPersona Pro 5.5 distribution), and then press Enter.
e. Click Properties, and then click the Security tab.
f. Clear the Apply Group Policy check box for the security groups that you don't want this policy to apply to.
g. Select the Apply Group Policy check box for the groups that you want this policy to apply to.
h. When you are finished, click OK.
3 Assign the package.
a. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
b. In the console tree, right-click your domain, and then click Properties.
c. Click the Group Policy tab, select the policy that you want, and then click Edit.
d. Under Computer Configuration, expand Software Settings.
e. Right-click Software installation, point to New, and then click Package.
f. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want, for example \\file server\share\file name.msi. It is important that you do not use the Browse button to access the location. Make sure that you use the UNC path of the shared installer package; a local path would be resolved on each client, where it does not exist.
g. Click Open.
h. Click Assigned, and then click OK. The package is listed in the right pane of the Group Policy window.
i. For 32-bit installation packages only: right-click the newly created package and select Properties. Then, on the Deployment tab, click Advanced and clear the check box Make this 32-bit X86 application available on Win64 machines. If this check box remains selected, the application will not install.
j. Close the Group Policy snap-in, click OK, and then close the Active Directory Users and Computers snap-in.
4 Installation begins on each client during the first reboot after the computer obtains the deployment policy, i.e. after the next scheduled AD policy refresh or after running gpupdate /force on the local computer.
Remote installation for patches
This topic addresses the remote installation of client patches through slipstreaming. For standard product installation, see the preceding topic.
The installer for Pro Workstation uses Microsoft Windows Installer (MSI) technology, which allows administrators to remotely install patches to the software using Active Directory administration tools or other software deployment tools. For mixed 32- and 64-bit environments, follow these steps twice, patching the administrative installation files for both environments. Note that this installer only works for computer-based policy installation, not user-based installation.
To install a Pro Workstation patch remotely through Active Directory, use the following procedure. The steps assume that an administrative installation package has been created as described in the previous topic. Some steps will vary depending on the operating system version.
1 Update the installation package. Open a command prompt session and type the following command to patch the previously created installation package:
msiexec.exe /p [path\name of updated MSP file] /a [path\name of administrative installation file]
2 Redeploy the application.
a. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
b. Right-click the GPO that governs the computers you want to update and select Edit.
c. Navigate to Computer Configuration/Policies/Software Settings/Software Installation.
d. Right-click the Pro client software name and select All Tasks\Redeploy application. Confirm your intent to redeploy the application.
3 Installation begins on each client during the first reboot after the computer obtains the deployment policy, i.e. after the next scheduled AD policy refresh or after running gpupdate /force on the local computer.
Client Suite installation

To install

1 Launch the Client Suite installer by running setup.exe from the Client folder of the product package.
2 Click Next.
3 Select the product to install. Note that only one of these products can be installed on a computer.
- DigitalPersona Pro Workstation for Enterprise, or
- DigitalPersona Pro Kiosk for Enterprise
4 If you need to install third-party drivers for fingerprint or card readers, click the Third Party Drivers button and select the appropriate drivers for your hardware and operating system. Note that DigitalPersona does not provide drivers for Authentec fingerprint readers. There is a link on the page for downloading these drivers. The suggested driver for Authentec fingerprint readers is AT9.
5 On the confirmation page you will see a list of items to be installed.
6 Click Install to begin the installation. Details of the Workstation installation are the same as described below in the Local installation topic.
7 Successful installation requires the presence of a VeriSign Primary PCA Root Certificate (G5). If your system does not have this certificate, the installation will fail. If the installation fails for this reason, see the next topic, Install VeriSign Primary PCA Root Certificate, and then restart the installation.
8 After the Workstation installation is finished, you will need to restart the computer. After the restart, installation of any third-party drivers will be started automatically.

Install VeriSign Primary PCA Root Certificate

Note that this is only required if the DigitalPersona Pro client installation fails due to the following error.

To install a VeriSign Primary PCA Root Certificate

1 Go to and click the Download a root package link.
2 Unzip the downloaded file and open the Generation 5 (G5) PCA folder.
3 Launch the file VeriSign Class 3 Public Primary Certification Authority - G5.cer.
4 Select Install Certificate.
5 In the Certificate Import Wizard, select Place all certificates in the following store, and browse to the Trusted Root Certification Authorities store.
6 Click Next and then click Finish.

Local installation

To install DigitalPersona Pro Workstation for Enterprise on a local computer

1 Launch the installer from the Pro Enterprise Workstation folder of the product package.
- For all supported operating systems except Windows XP Embedded and Windows Embedded Standard 2009, run Setup.exe located in the Client\Pro Enterprise Workstation root folder. Or, for silent mode, enter setup.exe /s /v /qn at the command line.
- On Windows XP Embedded and Windows Embedded Standard 2009 only, run DigitalPersona Pro Workstation for Enterprise.msi located in the Client\Pro Enterprise Workstation\x86 folder. In step 5 below, select the Typical installation option.
2 When the Welcome page displays, click Next to proceed with the installation.
3 Read the License Agreement page. If you agree, select the I accept the terms in the license agreement button and click Next.
4 On the next page, you can specify the folder that DigitalPersona Pro Workstation for Enterprise will be installed in. If you want to install DigitalPersona Pro to the default location, click Next; otherwise, click Change to specify a new location and then click Next to continue.
5 On the Choose Installation Mode page, select the operational mode for this installation of the software.
- Evaluation mode - All credentials are enrolled on the local machine and do not roam. The software does not require, and will not connect to, a Pro Enterprise Server.
- Standard mode - By default, credentials cannot be enrolled without a connection to a licensed Pro Enterprise Server. This may be changed by disabling the Allow Pro client to use Pro Server GPO on the server (see page 113).
The current operational mode is displayed in the About dialog, and a link there allows you to change the mode.
6 If Standard mode is selected, the Choose Where Biometric Data are stored page displays. This page is not displayed when installing in Evaluation mode. Select whether to store biometric data remotely (for use on multiple computers), or locally (for use on this computer only). If stored locally and a secure fingerprint reader is used to enroll fingerprints, the fingerprint data will be stored on the reader.

CAUTION: The choice of whether to store biometric data remotely or locally cannot be changed without uninstalling and reinstalling the client software. Switching from locally stored data to remotely stored data will also remove any biometric data and Password Manager logon data that was stored on the computer. When switching from remotely stored data to locally stored data, the local user will no longer be able to use previously stored biometric data or Password Manager logons on the local machine.

7 Choose one of the following options to indicate the type of installation you want to perform.
- Typical - Installs the most commonly used features.
- Custom - Allows selection of which features to install. Optional features include binaries necessary for developers accessing the DigitalPersona Pro API through .NET and COM interfaces.
8 Click Next and then Install, to begin installation.

After the computer restarts, and at every subsequent restart, the DigitalPersona Pro client software automatically uses the default DNS Server to locate all DigitalPersona Pro Servers for the domain and its site. If more than one Pro Server is found, the Workstation will choose the Pro Server for authentication that offers the most efficient connectivity. If no Pro Servers are found, the client will perform authentication locally.

For instructions on using DigitalPersona Pro Enterprise clients, see page 154.

Command line Installation

DigitalPersona Pro Workstation can also be installed or uninstalled using MSI at the command line. The syntax of the msiexec command is shown below and is followed by a description of the command line options, parameters and values available:

msiexec /i setup.msi INSTALLDIR=[directory] ADDLOCAL=[software] REMOVE=[software] TRANSFORMS=[Name of transform file] /qn

Command line Options

/i (Required) - Indicates that MSI will be used to install the DigitalPersona Pro software.
It must be followed by the full pathname to the setup.msi file.

/qn (Optional) - Hides the user interface when installing the software on the computer, allowing a silent install. If used, it is placed at the end of the command line.

Parameters

Three parameters indicate where the software should be installed on the computer, as well as what components should be included or removed:

INSTALLDIR (Optional) - Specifies the location where the DigitalPersona Pro Workstation software should be installed. If a folder is not specified, defaults to: C:\Program Files\DigitalPersona

ADDLOCAL (Optional) - Indicates which DigitalPersona Pro Workstation features to install by providing one of the values listed below.

REMOVE (Optional) - Indicates which DigitalPersona Pro software features to uninstall by providing one of the values listed below.

TRANSFORMS (Optional) - Use the TRANSFORMS command line parameter to specify a UI language other than U.S. English. You can separate multiple transforms with a semicolon. Because of this, it is recommended that you do not use semicolons in the name of your transform, as the Windows Installer service will interpret those incorrectly. See page 44 for a list of the available transform files for supported languages.

ADDLOCAL and REMOVE Values

The table below lists the values that may be provided with the ADDLOCAL and REMOVE parameters and provides a description of each value:

ALL - Installs all DigitalPersona Pro software components and features, or removes all of the components and features that are currently installed.
Logon - Installs or removes the Windows One Touch Logon feature.
PasswordMgr - Installs or removes the Password Manager application.
COM - Installs or removes COM components necessary for developing DigitalPersona client applications using the DigitalPersona Pro SDK.
dotnet - Installs or removes .NET components necessary for developing DigitalPersona client applications using the DigitalPersona Pro SDK.

Following are a few rules when using these parameters and their values:

- If ADDLOCAL or REMOVE are not specified, msiexec will install all DigitalPersona Pro Workstation features.
- Individual software features cannot be installed unless the ALL value was used with the ADDLOCAL parameter first.
- To install DigitalPersona Pro Workstation software for the first time while omitting one or more software features, use ADDLOCAL=ALL, followed by the REMOVE parameter with each software component you do not want to install separated by a comma. For example:

msiexec /i setup.msi ADDLOCAL=ALL REMOVE=Logon,PasswordMgr

Installation on Citrix Presentation Server

DigitalPersona Pro Workstation can also be installed on supported Citrix platforms. See the chapter Citrix and remote installation on page 60 for details.

About Transform files

DigitalPersona uses Transform (.mst) files to create an installation package for DigitalPersona Pro components in the supported languages listed below. These files are located in the Bin directory of your product package.

When creating a package for a GPO install, select the Advanced option and then add the transform file from the Modifications tab. Ensure that the transform file is included in a folder that is shareable by the Active Directory server computer and all target client computers.

Language - Transform file
French - 1036.mst
German - 1031.mst
Italian - 1040.mst
Brazilian Portuguese - 1046.mst
Spanish - 1034.mst
Chinese Simplified - 2052.mst
Chinese Traditional - 1028.mst
Japanese - 1041.mst
Korean - 1042.mst
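The Install VeriSign Primary PCA Root Certificate topic above describes a manual wizard-driven import. The following PowerShell script is an added example, not part of the DigitalPersona guide or product: it checks the local machine's Trusted Root Certification Authorities store for the G5 root before the Client Suite installer is run, and, if the root is missing, imports it from the .cer file named in the guide after confirming that the file's subject really is the expected G5 root. The .cer file path is an assumption; the certificate subject is taken from the file name in the guide.

```powershell
# Added example (not from the DigitalPersona guide): verify that the VeriSign
# Class 3 Public Primary CA - G5 root is present in the machine's Trusted Root
# store before starting the Client Suite installer, and install it from the
# downloaded .cer file if it is missing. Run from an elevated PowerShell prompt.

# The subject common name matches the .cer file name given in the guide; the
# file location below is an assumption for this example.
$G5Subject = 'VeriSign Class 3 Public Primary Certification Authority - G5'
$CerFile   = 'C:\Temp\VeriSign Class 3 Public Primary Certification Authority - G5.cer'

function Get-VeriSignG5Root {
    # Returns the certificate(s) in LocalMachine\Root whose subject carries the
    # G5 common name, or nothing if the root is not installed.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*CN=$G5Subject*" }
}

function Test-VeriSignG5Root {
    # True when at least one matching root exists and has not expired.
    $certs = @(Get-VeriSignG5Root | Where-Object { $_.NotAfter -gt (Get-Date) })
    return ($certs.Count -gt 0)
}

function Install-VeriSignG5Root {
    param([string]$Path = $CerFile)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Certificate file not found: $Path (download the root package as described in the guide)"
    }
    # Check the file before trusting it: only the expected G5 root goes into
    # the machine's root store.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    if ($cert.Subject -notlike "*CN=$G5Subject*") {
        throw "File subject does not match the expected G5 root: $($cert.Subject)"
    }
    # certutil.exe exists on every Windows version the guide supports; the
    # Import-Certificate cmdlet only appeared with Windows 8 / Server 2012.
    & certutil.exe -addstore -f Root $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
}

if (Test-VeriSignG5Root) {
    Write-Host 'VeriSign G5 root present; Client Suite installation can proceed.'
} else {
    Write-Warning 'VeriSign G5 root missing; importing it from the downloaded .cer file.'
    Install-VeriSignG5Root
    Get-VeriSignG5Root | Format-List Subject, Thumbprint, NotAfter
}
```

The script targets the LocalMachine store rather than the current user's store because the client installer runs as a machine-wide setup; the wizard steps in the guide achieve the same result when run from an administrative account. Comparing the file's subject before importing guards against placing an unrelated certificate into the root store by mistake.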
Uninstalling Pro Workstation

You can remove the DigitalPersona Pro Workstation software using the Add or Remove Programs Control Panel or through MSI. In the Control Panel, the Workstation software is listed as DigitalPersona Pro Enterprise version [version number].

Note that when uninstalling through Control Panel and the Uninstallation wizard, you can select whether or not to save user credentials and logon data. When using MSI in quiet mode, the default behavior is to delete associated user credentials and logon data.

You must have local administrative privileges to modify installations on the computer.
4 Pro Kiosk installation

This chapter provides instructions for installing DigitalPersona Pro Kiosk for Enterprise. Pro Kiosk uses DigitalPersona Pro Enterprise Servers for user identification and authentication. DigitalPersona Pro Enterprise Server should be installed and configured before installing Pro Kiosk.

The following topics are covered in this chapter:
- System Requirements
- Recent changes
- Upgrading from Previous Versions
- Remote Installation
- Local installation
- Command line installation
- Installation on Citrix Presentation Server
- About Transform files

System Requirements

Before installing DigitalPersona Pro Workstation for Enterprise on a computer, make sure it meets the system requirements listed on page 17.

Recent changes

Changes compared to version 5.2

The current version of Pro Kiosk provides improved functionality and scalability related to Citrix deployment and RDP access. Now administrators can deploy multiple kiosks from a Citrix server using different shared accounts for each kiosk.

Credentialed users can log into other kiosk computers in a different OU (using the appropriate credentials) while retaining the local resources associated with the original kiosk. In prior versions, logging in to another kiosk replaced any local resources with the resources of the target kiosk. This new functionality also applies when accessing another kiosk through a Citrix client. See additional information on page 178.

Changes compared to version 4.4

User identification capabilities were originally available in Pro Kiosk 4.4 through the DigitalPersona Pro ID Server Add-On Module and a separate edition of the Pro ID Server Kiosk client. Beginning with DigitalPersona Pro Enterprise 5.x, identification has been integrated into the DigitalPersona Pro Enterprise Server and the DigitalPersona Pro Kiosk for Enterprise 5.1 client, therefore a separate ID Server and client are no longer required. However, the GPO setting Perform fingerprint identification on server must be applied and enabled for any Pro Kiosk clients where fingerprint credentials will be used.

For optimum performance, identification from a set of more than 10,000 users or 20,000 fingerprint templates is not recommended. Above these limits, erratic results may occur.

Upgrading from Previous Versions

Before upgrading from a previous version, it is critical that you refer to the DigitalPersona Pro Upgrade Notes available at

Direct upgrades from DigitalPersona Pro for Active Directory versions previous to are not supported. If you need to upgrade from a version prior to 4.4.3, you will need to upgrade to Pro and then upgrade to Pro Enterprise 5.4.

A Migration Guide is available from DigitalPersona or your authorized channel partner for upgrading from DigitalPersona Pro for Active Directory to DigitalPersona Pro Enterprise 5.3.

Also, make sure to review the readme.txt files included with each component in the product package that you are installing.

CAUTION: Upgrading the operating system from Windows XP to any later version of Windows will uninstall DigitalPersona Pro, and it will need to be reinstalled. Any Pro enrolled credentials will be lost as well. Before upgrading you should use the Backup and Restore feature (page 169) to back up your DigitalPersona Pro data, and then restore the data after installing DigitalPersona Pro under the new operating system.
Installation

The following sections provide instructions on installing DigitalPersona Pro Kiosk in a variety of ways. While not technically part of the installation scenarios described below, the GPO setting Perform fingerprint identification on server must be applied and enabled for any Pro Kiosk clients where fingerprint credentials will be used.

Remote Installation

For remote installation of patches, see the next section.

The installer for Pro Kiosk uses Microsoft Windows Installer (MSI) technology, which allows administrators to remotely install or uninstall the software using Active Directory administration tools, or other software deployment tools. Note that this installer only works for computer-based policy installation, not user-based installations.

Prerequisites

Before installing DigitalPersona Pro Kiosk, you must install the following prerequisites.
- Windows Management Framework Core package - Includes the following components: Windows PowerShell 2.0 and Windows Remote Management (WinRM) 2.0. See Windows KB article
- Microsoft .NET Framework version 2.0 or above
- Microsoft Visual C++ SP1 Redistributable package

Installing Pro Kiosk

To install Pro Kiosk remotely through Active Directory use the following procedure. Some steps will vary depending on the operating system version. For mixed 32- and 64-bit environments, follow these steps twice to create an administrative installation file for each environment.

1 Create an administrative installation package.
a. Open a command prompt session and change the directory to DigitalPersona Pro Kiosk for Enterprise\x86 on 32-bit operating systems or DigitalPersona Pro Kiosk for Enterprise\x64 on 64-bit operating systems.
b. Type setup.exe /a
c. A wizard displays and prompts you for a location where you would like the administrative installation file to be created. Choose a network shared drive that will be accessible to the computers where you will be installing the software. For example \\servername\installdir, where InstallDir is a predefined shared folder. (There is no need to reboot at the end of the wizard.)

2 Create a Group Policy Object (GPO) that will be used to distribute the software package.
a. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
b. On the context menu of an organizational unit, click Create and link a GPO..., right-click the new GPO and click Edit.
c. Under Computer Configuration, expand Software Settings.
d. Right-click Software installation, point to New, and then click Package.
e. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example, \\servername\installdir\prokiosk.msi. It is important that you do not use the Browse button to access the location. Make sure that you use the UNC path of the shared installer package.
f. Click Open.
g. Click Assigned, and then click OK. The package is listed in the right pane of the Group Policy window.
h. For 32-bit installation packages only - Right-click the newly created package and select Properties. Then, on the Deployment tab, click Advanced. Deselect the checkbox Make this 32-bit X86 application available on Win64 machines. If this checkbox remains selected, the application will not install.
i. Close the Group Policy snap-in, click OK, and then close the Active Directory Users and Computers snap-in.

3 Installation will begin on each client during the first reboot after the computer obtains the deployment policy, i.e. during the next scheduled AD policy refresh or as a result of running GPUPDATE /FORCE on the local computer.

Remote installation for patches

This topic addresses the remote installation of client patches through slipstreaming. For standard product installation, see the preceding topic.

The installer for Pro Kiosk uses Microsoft Windows Installer (MSI) technology, which allows administrators to remotely install patches to software using Active Directory administration tools, or other software deployment tools. For mixed 32- and 64-bit environments, follow these steps twice, patching the administrative installation files for both environments. Note that this installer only works for computer-based policy installation, not user-based.

To install a Pro Kiosk patch remotely through Active Directory, use the following procedure. The following steps assume that an administrative install has been created as described in the previous topic. Some steps will vary depending on the operating system version.
1 Update the installation package. Open a command prompt session and type the following command to patch the previously created installation package.

msiexec.exe /p [path\name of updated MSP file] /a [path\name of administrative installation file]

2 Redeploy the application.
a. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
b. Right-click the GPO that governs the computers you want to update and select Edit.
c. Navigate to Computer Configuration/Policies/Software Settings/Software Installation.
d. Right-click the Pro client software name and select All Tasks\Redeploy application. Confirm your intent to redeploy the application.

3 Installation will begin on each client during the first reboot after the computer obtains the deployment policy, i.e. during the next scheduled AD policy refresh or as a result of running GPUPDATE /FORCE on the local computer.

Local installation

To install DigitalPersona Pro Kiosk for Enterprise locally

1 Launch the installer from the Pro Enterprise Kiosk folder of the product package.
- For all supported operating systems except Windows XP Embedded and Windows Embedded Standard 2009, run Setup.exe located in the Pro Enterprise Kiosk root folder. Or, for silent mode, enter setup.exe /s /v /qn at the command line.
- On Windows XP Embedded and Windows Embedded Standard 2009 only, run DigitalPersona Pro Kiosk for Enterprise.msi located in the Pro Enterprise Kiosk/x86 folder. In step 5 below, select the Typical installation option.
2 When the Welcome page displays, click Next to proceed with the installation.
3 Read the License Agreement page. If you agree, select the I accept the terms in the license agreement button and click Next.
4 On the next page, you can specify the folder that Pro Enterprise Kiosk will be installed in. If you want to install to the default location, click Next; otherwise, click Change to specify a new location and then click Next to continue.
5 Choose one of the following options to indicate the type of installation you want to perform.
- Typical - Installs the most commonly used features.
- Custom - Allows selection of which features to install.
6 Click Next and then Install, to begin installation.

After the computer restarts, and at every subsequent restart, Pro Kiosk automatically uses the default DNS Server to locate all DigitalPersona Pro Servers for the domain and its site. If more than one Pro Server is found, Pro Kiosk will choose the Pro Server for authentication that offers the most efficient connectivity. If no Pro Servers are found, the client will perform authentication locally.

For instructions on using Pro Kiosk, see page 173.
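The remote installation and patch-slipstreaming procedures above (for Pro Kiosk here, and the identical Pro Workstation procedures in Chapter 3) run setup.exe /a and then msiexec /p ... /a ... by hand. The following PowerShell script is an added example, not part of the DigitalPersona guide or product: it creates the administrative installation point on a share, refuses anything that is not a UNC path (the GPO must reference the package by UNC), applies a patch to that point, and checks the Windows Installer exit code. It also includes a prerequisite check to run on the kiosk computers themselves for the PowerShell, WinRM and .NET items listed under Prerequisites. All file names, share names and the package layout below are assumptions; the Visual C++ redistributable is not checked because the guide does not state its exact version.

```powershell
# Added example (not from the DigitalPersona guide): create and patch the
# administrative installation point used by the GPO deployment procedure.
# Paths are assumptions; run on the administrative workstation that can reach
# both the product package and the file share.

$PackageDir = 'D:\DigitalPersonaPro\Client\DigitalPersona Pro Kiosk for Enterprise\x64'
$AdminShare = '\\fileserver\installdir\ProKiosk-x64'   # must be a UNC path
$AdminMsi   = Join-Path $AdminShare 'prokiosk.msi'     # created by setup.exe /a
$PatchFile  = 'D:\Patches\ProKiosk-update.msp'          # patch supplied by the vendor

function Test-KioskPrerequisites {
    # Run this on a target kiosk computer. Returns a list of missing items from
    # the guide's Prerequisites list (empty list = nothing missing).
    $problems = @()
    if ($PSVersionTable.PSVersion.Major -lt 2) {
        $problems += 'Windows PowerShell 2.0 or later (Windows Management Framework Core) is required'
    }
    if (-not (Get-Service -Name WinRM -ErrorAction SilentlyContinue)) {
        $problems += 'WinRM service not found (Windows Management Framework Core)'
    }
    # .NET Framework setup registry keys: Install=1 marks an installed version.
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    $netKeys = 'v2.0.50727', 'v3.0', 'v3.5', 'v4\Client', 'v4\Full'
    $hasNet = $false
    foreach ($k in $netKeys) {
        $p = Get-ItemProperty -Path (Join-Path $ndp $k) -ErrorAction SilentlyContinue
        if ($p -and $p.Install -eq 1) { $hasNet = $true }
    }
    if (-not $hasNet) { $problems += '.NET Framework 2.0 or above not installed' }
    return $problems
}

function Assert-UncPath {
    param([string]$Path)
    # A mapped drive letter would not resolve on the target computers; the
    # guide requires the UNC form for the shared package.
    if ($Path -notmatch '^\\\\[^\\]+\\[^\\]+') { throw "Not a UNC path: $Path" }
}

function Invoke-Installer {
    param([string]$FilePath, [string[]]$ArgumentList)
    $p = Start-Process -FilePath $FilePath -ArgumentList $ArgumentList -Wait -PassThru
    # Standard Windows Installer codes: 0 = success, 3010 = success, reboot required.
    if (@(0, 3010) -notcontains $p.ExitCode) {
        throw "$FilePath exited with code $($p.ExitCode)"
    }
    return $p.ExitCode
}

function New-AdminInstallPoint {
    # Step 1 of the remote installation procedure: setup.exe /a. The wizard
    # still prompts for the network location, as described in the guide.
    Assert-UncPath $AdminShare
    if (-not (Test-Path -LiteralPath $AdminShare)) {
        New-Item -ItemType Directory -Path $AdminShare | Out-Null
    }
    Invoke-Installer -FilePath (Join-Path $PackageDir 'setup.exe') -ArgumentList @('/a') | Out-Null
}

function Update-AdminInstallPoint {
    # Step 1 of the patch procedure: msiexec /p <msp> /a <administrative .msi>.
    foreach ($f in $PatchFile, $AdminMsi) {
        if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
    }
    Invoke-Installer -FilePath 'msiexec.exe' -ArgumentList @('/p', "`"$PatchFile`"", '/a', "`"$AdminMsi`"")
}

New-AdminInstallPoint
Update-AdminInstallPoint
Write-Host 'Administrative install point patched. Redeploy the package from the GPO (step 2 of the patch procedure).'
```

Step 2 of the patch procedure (All Tasks\Redeploy application) has no scripted equivalent in the Group Policy tools the guide uses, so it remains a console action; the script stops after the administrative image is updated. Checking the exit code matters because a failed msiexec /p leaves the old image in place, and clients would silently receive the unpatched package at their next policy refresh.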
Command line installation

DigitalPersona Pro Kiosk can also be installed or uninstalled using MSI at the command line. The syntax of the msiexec command is shown below and is followed by a description of the command line options, parameters and values available:

msiexec /i setup.msi INSTALLDIR=[directory] ADDLOCAL=[software] REMOVE=[software] TRANSFORMS=[Name of transform file] /qn

Command line Options

There is one required and one optional command line option:

/i (Required) - Indicates that MSI will be used to install the DigitalPersona Pro software. It must be followed by the path to, and the name of, the .msi file (setup.msi) that contains the software to install.

/qn (Optional) - Hides the user interface when installing the software on the computer, allowing a silent install. If used, it is placed at the end of the command line.

Parameters

Three parameters indicate where the software should be installed on the computer, as well as what components should be included or removed:

INSTALLDIR (Optional) - Specifies the location where the software should be installed. If a folder is not specified, defaults to: C:\Program Files\DigitalPersona

ADDLOCAL (Optional) - Indicates which Pro Kiosk features to install by providing one of the values listed below.

REMOVE (Optional) - Indicates which Pro Kiosk features to uninstall by providing one of the values listed below.

TRANSFORMS (Optional) - Use the TRANSFORMS command line parameter to specify a UI language other than U.S. English. You can separate multiple transforms with a semicolon. Because of this, it is recommended that you do not use semicolons in the name of your transform, as the Windows Installer service will interpret those incorrectly. See page 54 for a list of the available transform files for supported languages.

ADDLOCAL and REMOVE Values

The table below lists the values that may be provided with the ADDLOCAL and REMOVE parameters and provides a description of each value:

ALL - Installs all Pro Kiosk components and features, or removes all of the components and features that are currently installed.
Logon - Installs or removes the Windows Logon feature.
Password Manager - Installs or removes the Password Manager application.
COM - Installs or removes COM components necessary for developing DigitalPersona client applications using the DigitalPersona Pro SDK.
dotnet - Installs or removes .NET components necessary for developing DigitalPersona client applications using the DigitalPersona Pro SDK.

Following are a few rules when using these parameters and their values:

- If ADDLOCAL or REMOVE are not specified, msiexec will install all Pro Kiosk features.
- Individual software features cannot be installed unless the ALL value was used with the ADDLOCAL parameter first.
- To install Pro Kiosk software for the first time while omitting one or more software features, use ADDLOCAL=ALL, followed by the REMOVE parameter with each software component you do not want to install separated by a comma. For example:

msiexec /i setup.msi ADDLOCAL=ALL REMOVE=Logon,PasswordManager

Installation on Citrix Presentation Server

DigitalPersona Pro Kiosk for Enterprise may also be installed on Citrix Presentation Server. See the chapter Citrix and remote installation on page 60 for details.
About Transform files

DigitalPersona uses Transform (.mst) files to create an installation package for DigitalPersona Pro components in the supported languages listed below. These files are located in the Bin directory of your product package.

When creating a package for a GPO install, select the Advanced option and then add the transform file from the Modifications tab. Ensure that the transform file is included in a folder that is shareable by the Active Directory server computer and all target client computers.

Language - Transform file
French - 1036.mst
German - 1031.mst
Italian - 1040.mst
Brazilian Portuguese - 1046.mst
Spanish - 1034.mst
Chinese Simplified - 2052.mst
Chinese Traditional - 1028.mst
Japanese - 1041.mst
Korean - 1042.mst
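The Command line installation and About Transform files topics above (and their Pro Workstation counterparts in Chapter 3) give the msiexec syntax, the ADDLOCAL/REMOVE values, the rule that a first install must use ADDLOCAL=ALL followed by REMOVE, and the language-to-.mst table. The following PowerShell function is an added example, not part of the DigitalPersona guide or product: it assembles that command line and enforces those rules before anything is run, rejecting feature values that are not in the product's table, refusing a transform path that contains a semicolon, and always placing /qn last. The feature lists and transform table are copied from the guide; the Kiosk table prints the Password Manager value with a space while the guide's own Kiosk example uses PasswordManager, and the example follows the latter. Package and share paths are assumptions.

```powershell
# Added example (not from the DigitalPersona guide): build and validate an
# msiexec command line for Pro Workstation or Pro Kiosk from the INSTALLDIR,
# ADDLOCAL, REMOVE and TRANSFORMS parameters documented in the guide.

# Feature values accepted by each product's ADDLOCAL/REMOVE parameters.
# Assumption: the Kiosk Password Manager value is spelled PasswordManager,
# as in the guide's own Kiosk example.
$FeatureValues = @{
    Workstation = @('ALL', 'Logon', 'PasswordMgr', 'COM', 'dotnet')
    Kiosk       = @('ALL', 'Logon', 'PasswordManager', 'COM', 'dotnet')
}

# Language transform files from the "About Transform files" table.
$Transforms = @{
    'French' = '1036.mst'; 'German' = '1031.mst'; 'Italian' = '1040.mst'
    'Brazilian Portuguese' = '1046.mst'; 'Spanish' = '1034.mst'
    'Chinese Simplified' = '2052.mst'; 'Chinese Traditional' = '1028.mst'
    'Japanese' = '1041.mst'; 'Korean' = '1042.mst'
}

function New-ProInstallCommand {
    param(
        [ValidateSet('Workstation', 'Kiosk')] [string]$Product,
        [string]$MsiPath,               # path to setup.msi (UNC when deploying from a share)
        [string]$InstallDir,            # optional; the installer defaults to C:\Program Files\DigitalPersona
        [string[]]$Remove = @(),        # features to leave out on a first install
        [string]$Language,              # optional UI language from the transform table
        [string]$TransformDir = '.',    # folder holding the .mst files (Bin in the product package)
        [switch]$Silent                 # append /qn for an unattended install
    )
    $valid = $FeatureValues[$Product]
    foreach ($f in $Remove) {
        if ($valid -notcontains $f) {
            throw "'$f' is not a valid $Product feature value (expected one of: $($valid -join ', '))"
        }
        if ($f -eq 'ALL') { throw 'REMOVE=ALL would remove every feature; uninstall with msiexec /x instead' }
    }
    # Rule from the guide: features cannot be chosen individually on a first
    # install. Always request ADDLOCAL=ALL and subtract the unwanted ones.
    $parts = @('/i', "`"$MsiPath`"", 'ADDLOCAL=ALL')
    if ($InstallDir) { $parts += "INSTALLDIR=`"$InstallDir`"" }
    if ($Remove.Count -gt 0) { $parts += 'REMOVE=' + ($Remove -join ',') }
    if ($Language) {
        if (-not $Transforms.ContainsKey($Language)) { throw "No transform listed for language '$Language'" }
        $mst = Join-Path $TransformDir $Transforms[$Language]
        # Windows Installer splits TRANSFORMS on ';', so a semicolon anywhere in
        # the path would be read as a second transform name.
        if ($mst -match ';') { throw "Transform path must not contain ';': $mst" }
        $parts += "TRANSFORMS=`"$mst`""
    }
    if ($Silent) { $parts += '/qn' }   # /qn goes at the end, as the guide specifies
    return 'msiexec ' + ($parts -join ' ')
}

# Workstation without One Touch Logon and Password Manager (the guide's example):
#   msiexec /i "setup.msi" ADDLOCAL=ALL REMOVE=Logon,PasswordMgr
New-ProInstallCommand -Product Workstation -MsiPath 'setup.msi' -Remove Logon, PasswordMgr

# Kiosk, German UI, custom folder, silent, transforms read from the package's Bin folder on a share:
New-ProInstallCommand -Product Kiosk -MsiPath '\\fileserver\installdir\setup.msi' `
    -InstallDir 'D:\DigitalPersona' -Language German `
    -TransformDir '\\fileserver\installdir\Bin' -Silent
```

The function only returns the command string; run it through Start-Process or paste it into an elevated command prompt once it has been reviewed. Validating the feature names up front is useful because msiexec rejects an unknown ADDLOCAL or REMOVE value only at install time, and with /qn that failure would be visible solely in the exit code or the installer log.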
5 Optional installations

The following optional DigitalPersona Pro Enterprise components are not automatically installed as part of either the DigitalPersona Pro Enterprise Server or client installations. There are two categories of optional components: those included in the DigitalPersona Pro Enterprise product package, and those available as a separate package.

Included in product package

Suite installers

Your product package includes two suite installers, each of which installs more than one component through a single installation file.

- Administration suite - Installs the DigitalPersona Pro Administration Tools (see below) and the Remote License Tool, used to activate User licenses on computers without internet access.
- Client suite - Installs either DigitalPersona Pro Workstation for Enterprise or Kiosk for Enterprise, and selected third-party drivers.

Administration Tools

Those tools shown in the following illustration are part of a separate installation package included in the DigitalPersona Pro Enterprise product package. These Administration Tools may be installed on a single workstation for centralized administration of DigitalPersona Pro for Active Directory, or, for larger organizations, each tool may be installed on a separate workstation in order to divide the administration of various features among several people.

DigitalPersona Pro Workstation for Enterprise must be installed on the computer before the Administration Tools can be installed.

By default, all Administration Tools are installed. Select Custom Setup to deselect any tools you do not wish to install.

License Activation Manager

To install the License Activation Manager

1 Locate and launch the setup.exe located in the Pro Enterprise Server\Pro Administration Tools folder of the DigitalPersona Pro Enterprise product package.
2 Select Complete or Custom installation. To install only the License Activation Manager, select Custom and deselect all other administrative tools.
3 Click Next, and then click Install. Follow the onscreen instructions.

For a description of the features available through this snap-in, see page 67.

Users and Computers Snap-In

(Requires Windows Server 2008 and the Windows Server 2008 Remote Server Administration Tools, or Windows Server 2003 and the Windows Server 2003 Administration Tools Pack.)

To install the snap-in

1 Locate and launch the setup.exe located in the Pro Enterprise Server\Pro Administration Tools folder of the DigitalPersona Pro Enterprise product package.
2 Select Complete or Custom installation. To install only the Users and Computers Snap-in, select Custom and deselect all other administrative tools.
3 Click Next, and then click Install.

For a description of the features available through this snap-in, see page 82.

Attended Enrollment Tool

Attended Enrollment provides a means for an administrator to supervise the enrollment of user credentials instead of allowing users to enroll the credentials themselves. This feature is automatically installed and accessible through the ADUC snap-in as part of the DigitalPersona Pro Server installation. The Attended Enrollment Tool provides the same functionality that is available through the Snap-in, but as a standalone executable.

To install the Attended Enrollment Tool

1 Locate and launch the setup.exe located in the Pro Enterprise Server\Pro Administration Tools folder of the DigitalPersona Pro Enterprise product package.
2 Select Complete or Custom installation. To install only the Attended Enrollment Tool, select Custom and deselect all other administrative tools.
3 Click Next, and then click Install.

For a description of the features available through this tool, see page 94.

User Query Tool Snap-in

Use of the User Query Snap-in requires a licensed copy of DigitalPersona Pro Workstation, and the logged on user must have domain administrator privileges.

To install the DigitalPersona User Query Snap-in

1 Locate and launch the setup.exe located in the Pro Enterprise Server\Pro Administration Tools folder of the DigitalPersona Pro Enterprise product package.
2 Select Complete or Custom installation. To install only the User Query Snap-in, select Custom and deselect all other administrative tools.
3 Click Next, and then click Install.

For a description of the features available through this tool, and additional implementations of the tool, see page 86.

GPMC Extensions

DigitalPersona Pro Enterprise Server and its associated workstation clients use GPMC extensions, installed under the Software Settings and Administrative Templates nodes, to link product policies and settings to Active Directory containers. These policies and settings are described in the chapter Policies and Settings on page 99.

To install the DigitalPersona GPMC Extensions

1 Locate and launch the setup.exe located in the Pro Enterprise Server\Pro Administration Tools folder of the DigitalPersona Pro Enterprise product package.
2 Select Complete or Custom installation. To install only the GPMC Extensions, select Custom and deselect all other administrative tools.
3 Click Next, and then click Install.

For a description of the features available through this component, see page 130.
Defender To install the Defender Server and administrator components, refer to the Defender Quick Start Guide located in the Pro Enterprise Server\Docs folder of the DigitalPersona Pro Enterprise product package. Additional documentation is available in the installation folder after the product is installed. Video tutorials are also provided on our website at: DigitalPersona Pro Enterprise - Administrator Guide 57
For a description of the features made available through use of DigitalPersona Defender with DigitalPersona Password Manager, see the Password Manager Application Guide.

Separate product packages
The following security applications and modules are separately licensed and installed.

Password Manager Admin Tool
The Password Manager Admin Tool is used by DigitalPersona Pro administrators to create automated managed logons for websites, applications and network resources. For complete product descriptions and installation instructions, see the associated Password Manager Application Guide on our website at:

Extended Server Policy Module (ESPM)
The DigitalPersona ESPM adds per-user policy settings to Active Directory. For a description of these settings, see page 152.

To install the Extended Server Policy Module
1 Copy the package received from DigitalPersona, your channel partner or reseller to the computer where DigitalPersona Pro Server is installed, or to any Active Directory-aware computer that will be used to administer the DigitalPersona Pro Server.
2 Launch the installer by clicking setup.exe, and follow the onscreen instructions.
3 Licensing is included in the product purchase. No additional entry of a license number is required.

Pro Cogent FR Plugin
The Pro Cogent FR Plugin installs Face Recognition for DigitalPersona Pro. It adds support to DigitalPersona Pro Enterprise Workstation for facial recognition, i.e. a Face credential, that may be used for authentication during Windows logon, for session authentication and when using Password Manager managed or personal logons. Note that the Face credential cannot be used as the sole credential for authentication; it must be used in combination with another supported credential.
To install the Pro Cogent FR Plugin
1 Copy the package received from DigitalPersona, your channel partner or reseller to a computer where DigitalPersona Pro Enterprise Workstation is already installed.
2 Launch the installer by clicking setup.exe, and follow the onscreen instructions.
3 After installation, launch the DigitalPersona Pro user dashboard. Click Credentials, then Face. Then click Start Trial to begin a 60-day trial period, or enter your user name and the license number you received with your purchase of the product.
For instructions on enrolling your Face credential, see page 162.
Chapter 6 - Citrix and remote installation

Overview
DigitalPersona Pro Enterprise Server includes support for accessing DigitalPersona Pro Workstation for Enterprise and Pro Kiosk clients through Windows Terminal Services (including Remote Desktop Connection), and through the Citrix XenApp and XenDesktop solutions.
When DigitalPersona Pro Workstation for Enterprise or Pro Kiosk is accessed remotely, the fingerprint reader attached to the local Workstation or Kiosk can be used to access all DigitalPersona Pro Workstation for Enterprise or Pro Kiosk features on the remote computer. See Redirect fingerprint data on page 108. Also see the NOTE below.
When using DigitalPersona Pro Workstation for Enterprise or Pro Kiosk remotely, the remote computer is locked to prevent interruption of your session. When completing a Terminal Services session, use "Log Off" to close the session; "Disconnect", "Shutdown" and the Close Window icon leave your session active.
Multiple installations of DigitalPersona Pro Kiosk may be served from a Citrix server, with each kiosk using a different shared-user account. For additional information on Citrix deployment scenarios and Citrix-specific features, see Citrix Deployment Scenarios on page 200.
NOTE: By default, the Remote Desktop Protocol (RDP) is not enabled on any Microsoft operating system version. Using Microsoft Remote Desktop entails opening a port in your firewall and thus creates a security vulnerability. For more information on this vulnerability, see the Microsoft Security Bulletin MS (

Installation on Citrix solutions
DigitalPersona Pro Workstation for Enterprise and Kiosk for Enterprise may be installed and run on the Citrix XenApp and XenDesktop virtualization platforms.
At the time of release, support for the Citrix platform includes:
Citrix XenApp (server) 6.5
Citrix XenDesktop
Citrix Receiver and Citrix online plug-in 11 and 12
For updated information on supported versions and clients, see the readme.txt file in the DigitalPersona product package.
Installation & Configuration
The following instructions assume that Citrix has been installed and configured prior to installing the DigitalPersona Pro client. For instructions on installing Citrix AFTER a Pro client has been installed, see Installing Citrix support after DigitalPersona Pro client installation on page 62.

To configure a DigitalPersona Pro client for Citrix support:
1 Install the DigitalPersona Pro client on the Citrix XenApp server that your Citrix client connects to, and on the client computer.
2 Add or modify the following registry value on the XenApp server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
Value Name: LogoffCheckSysModules
Type: REG_SZ
String: DPAgent.exe
3 In Active Directory, apply the DigitalPersona Pro Administrative Template (DPPro5Client) to a GPO governing the client computer (or apply it to a local policy object on the client computer).
4 In the GPO, enable the "Redirect fingerprint data" setting (page 108).

For Citrix published applications:
1 On the Citrix XenApp server, create a new file called usrlogn1.cmd.
2 Create a new file in %systemroot%\application compatibility scripts\logon with a filename such as dplauncher.cmd.
3 Add the following line to your dplauncher.cmd file. The directory is quoted because the path contains spaces, and the empty "" supplies the window title that START would otherwise take the first quoted argument to be:
start "" /d "c:\program files\digitalpersona\bin" dpagent.exe
4 Add the following line to your usrlogn1.cmd file:
call dplauncher.cmd

The above procedure relies on the fact that, by default, usrlogon.cmd changes to the %systemroot%\application compatibility scripts\logon directory, executes usrlogn1.cmd first and, when that completes, executes usrlogn2.cmd. Neither usrlogn1.cmd nor usrlogn2.cmd exists by default, but they are checked for and executed if found. usrlogon.cmd also exists in a plain TS/RDS environment.
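The following PowerShell script is an added example, not part of the DigitalPersona guide: it applies the XenApp server settings from the two procedures above (the LogoffCheckSysModules value and the two logon scripts) in a re-runnable way and reports the result. It assumes an elevated session on the XenApp server, that DPAgent.exe is installed under C:\Program Files\DigitalPersona\bin (the path used in dplauncher.cmd above), and that Citrix reads LogoffCheckSysModules as a comma-separated list of executable names.

```powershell
# Added example, not part of the DigitalPersona guide: apply and verify the
# XenApp server settings from this section with PowerShell.
# Assumptions (labelled as such): elevated session on the XenApp server;
# DPAgent.exe lives in $dpBinDir below; Citrix reads LogoffCheckSysModules as a
# comma-separated list of executable names.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# --- 1. LogoffCheckSysModules: tell wfshell that DPAgent.exe is a helper
#        process, so a still-running agent does not keep the session logged on
#        after the published application has closed. ---
$twiKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI'
$valueName = 'LogoffCheckSysModules'
$agentExe  = 'DPAgent.exe'

if (-not (Test-Path $twiKey)) {
    # The key is created by the XenApp installation. Refuse rather than create
    # it silently, which would hide a mistyped path or a missing Citrix install.
    throw "Citrix key $twiKey not found - is XenApp installed on this server?"
}

$current = (Get-ItemProperty -Path $twiKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ([string]::IsNullOrWhiteSpace($current)) {
    New-ItemProperty -Path $twiKey -Name $valueName -PropertyType String -Value $agentExe | Out-Null
} elseif (($current -split ',' | ForEach-Object { $_.Trim() }) -notcontains $agentExe) {
    # Append instead of overwrite so modules registered by other products survive.
    Set-ItemProperty -Path $twiKey -Name $valueName -Value "$current,$agentExe"
}

# --- 2. Logon scripts for published applications. usrlogon.cmd runs
#        usrlogn1.cmd from this directory when the file exists. ---
$logonDir = Join-Path $env:SystemRoot 'Application Compatibility Scripts\Logon'
$dpBinDir = 'C:\Program Files\DigitalPersona\bin'      # assumption, see lead-in
$launcher = Join-Path $logonDir 'dplauncher.cmd'
$usrlogn1 = Join-Path $logonDir 'usrlogn1.cmd'

if (-not (Test-Path (Join-Path $dpBinDir 'dpagent.exe'))) {
    throw "dpagent.exe not found in $dpBinDir - set `$dpBinDir to the DigitalPersona bin folder"
}
if (-not (Test-Path (Join-Path $logonDir 'usrlogon.cmd'))) {
    Write-Warning "usrlogon.cmd is missing from $logonDir; usrlogn1.cmd will never be called"
}

# The directory is quoted because the path contains spaces; the empty "" is the
# window title START would otherwise take the first quoted argument to be.
$launcherBody = "@echo off`r`nstart """" /d ""$dpBinDir"" dpagent.exe`r`n"
Set-Content -Path $launcher -Value $launcherBody -Encoding Ascii -NoNewline

# Call the launcher by full path so the script does not depend on whatever
# current directory usrlogon.cmd happens to leave behind.
$callLine = "call ""$launcher"""
if (-not (Test-Path $usrlogn1)) {
    Set-Content -Path $usrlogn1 -Value "@echo off`r`n$callLine`r`n" -Encoding Ascii -NoNewline
} elseif (-not (Select-String -Path $usrlogn1 -Pattern 'dplauncher.cmd' -SimpleMatch -Quiet)) {
    Add-Content -Path $usrlogn1 -Value $callLine -Encoding Ascii   # safe on re-run
}

# --- 3. Report what is now in place so the change can be reviewed. ---
[pscustomobject]@{
    LogoffCheckSysModules = (Get-ItemProperty -Path $twiKey -Name $valueName).$valueName
    'dplauncher.cmd'      = (Get-Content -Path $launcher -Raw).Trim()
    'usrlogn1.cmd'        = (Get-Content -Path $usrlogn1 -Raw).Trim()
} | Format-List
```

The script does not touch usrlogon.cmd itself; the ownership and ctxhide.exe caveats that follow still have to be handled by hand.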
On a Windows 7 or Windows Server 2008 R2 system, usrlogon.cmd is protected from modification by default; you will have to take ownership of it and change its permissions before you can edit it. Also, usrlogon.cmd very typically fails at the _setpaths.cmd phase early on, so the "if _setpaths == FAIL" statement is commonly commented out so that it does not take effect.
Finally, on some versions of TS the usrlogon script is specified in AppSetup, and on others it is specified in UserInit. However, the Citrix install will typically insert ctxhide.exe in front of it, which will prevent it from running most of the time (ctxhide.exe is known to have serious bugs). Simply removing ctxhide.exe from that entry is a huge help.

Disabling automatic client updates
It is possible that a Citrix update to the client could interfere with DigitalPersona Pro Enterprise functionality. To prevent this, you may want to disable the automatic updating of clients from either the client or the server machine.

Option 1
1 From the client machine, run Remote Application Manager and deselect Allow Automatic Client Updates.
2 From the server machine, use the ICA Client Configuration Update Utility to disable automatic client updates for each product/client model you want to protect.

Option 2
Alternatively, you can modify the client database so that your modifications are carried into the updated client. The client database is installed in the %SystemRoot%\Ica\ClientDB directory. Each product/model combination has a separate directory. See the MetaFrame XP Server Administrator's Guide for more information about Client Auto Update.

Installing Citrix support after DigitalPersona Pro client installation
If Citrix was not present prior to installing DigitalPersona Pro Workstation, the files necessary to support Citrix will not be installed. To install the Citrix support files after installing or reinstalling a DigitalPersona Pro client, perform one of the following steps after the Pro installation.
1 Select DigitalPersona Pro Workstation in the Windows Control Panel list of programs and run Repair.
2 Or, locate the DPICACnt.dll file in the "Misc\Citrix Support" folder of the DP product package and copy it to the folder on the client computer where the Citrix client components are located (i.e. for the Program Neighborhood client it might be the "Program Files\Citrix\ICA Client" folder). Then, from the Run box, register the DPICACnt.dll library with regsvr32.exe. Example: regsvr32 <$FilePath\DPICACnt.dll>.
3 If you have several Citrix clients installed on a computer, deploy the DPICACnt.dll library to the Citrix client folder for each client to be used with DigitalPersona Pro software.
In all of the above cases, you must reboot the computer for the changes to take effect.
For additional information on typical Citrix deployment scenarios, see the chapter Citrix Deployment Scenarios on page 200.
Section Two: Administration
Section Two of the DigitalPersona Pro Enterprise Administrator Guide includes the following chapters.

Chapter - Title: Purpose
7 - Administration overview: Describes the types of tools and utilities available for administration of DigitalPersona Pro Enterprise.
8 - License Management: Describes the types of licenses available, the license activation process, and the information provided to administrators for managing their licenses.
9 - ADUC Snap-in: Describes the user properties settings, user object commands and computer object commands that are added to Active Directory by the installation of the ADUC Users and Computers Snap-in.
10 - Attended Enrollment: Describes the Attended Enrollment feature, which allows the supervised enrolling of user credentials.
11 - Policies and Settings: Defines the policies and settings that govern Pro Enterprise Servers and clients.
12 - Single Sign-On: Describes how to implement a Single Sign-On (SSO) policy in the enterprise.
13 - GPMC Extensions: Describes use of the DigitalPersona GPMC Extensions that enable configuration of DigitalPersona Pro Enterprise policies and settings.
14 - Recovery: Describes the user and computer recovery options made available through DigitalPersona Pro Enterprise.
15 - DigitalPersona Reporter: Describes DigitalPersona Reporter, a tool for aggregating and reporting on Pro Enterprise events generated by Pro Enterprise Server and clients.
16 - Pro Enterprise Events: Lists and describes the events that DigitalPersona Pro Enterprise writes to the Windows Event log.
17 - Extended Server Policy Module: Describes a separately purchased and installed server module that adds per-user policies to the DigitalPersona tab in the AD user Properties dialog.
18 - Utilities: Describes additional utilities provided within the DigitalPersona Pro Enterprise product package.
Chapter 7 - Administration overview

DigitalPersona Pro for Active Directory provides a full complement of features, tools and utilities to assist the administrator in managing various aspects of the product, as well as expanding the functionality of the product. Some of these tools and utilities are included in the product packages for either DigitalPersona Pro Server or Workstation. Others are available as separate modules, which may be obtained from your DigitalPersona Account Manager or product Reseller. The following chapters of the Administrator Guide describe each of these administrator tools.

Administration Tools package
The tools shown in the illustration below are part of a separate installation package included in the DigitalPersona Pro Enterprise product package. These Administration Tools may be installed on a single workstation for centralized administration of DigitalPersona Pro Enterprise, or, for larger organizations, each tool may be installed on a separate workstation in order to divide the administration of various features among several people.
CAUTION: The Administration Tools should not be installed on a computer until after the DigitalPersona Active Directory Domain Configuration Wizard has been run. Also, when installing the Administration Tools on systems where Pro 5.0x or 5.1x were previously installed, the current version of the Domain Configuration Wizard must be run prior to installing the Administration Tools.

To install the DigitalPersona Administration Tools, do one of the following.
Locate and double-click the setup.exe file located in the Administration Tools directory of the product package. Follow the instructions in the installer wizard. Select Custom to choose which tools to install. Press the down arrow to select installation options for a component. For silent installation, use the syntax shown below to install all tools, or to remove those you do not want to install. For example, to install only the Attended Enrollment Tool:
msiexec /i setup.msi ADDLOCAL=ALL REMOVE=LicenseControlManager,UsersComputersSnapin,UserQuerySnapin
Or, in the Client folder of the software package, run Setup.exe. Click Next and select the product to install (Pro Administration Tools or the Remote License Tool). Click Install.
Chapter 8 - License Activation & Management

This chapter covers the following topics.
Topic: Page
License Activation Manager: 68
Pro Enterprise Server activation: 69
Server activation from another computer: 71
Package or component activation (v 5.3 only): 73
Releasing user licenses (v5.4.1+): 81

You can release the DigitalPersona license associated with a user back to the license pool through the Delete command in the DigitalPersona ADUC Snap-in. See page 84 for further details.
Activation and management of DigitalPersona Pro 5.4 and above licenses is provided through the two license management tools described below. Note that Client Licenses are no longer used in the current version of DigitalPersona Pro Enterprise. For instructions on installing Client Licenses for Pro 5.3, see page 73 and following.
License Activation Manager - Used to activate Pro Enterprise User licenses through Active Directory.
Remote License Tool - Used for activating Pro Server User licenses for a computer that is not connected to the internet, through another computer that has an internet connection. This tool can be found in the product package.
IMPORTANT: Any activation of DigitalPersona Pro User Licenses (from the Pro Server or when activating a license through the Remote License Tool) requires access to the following URL: solo.digitalpersona.com. This URL is also accessed when verifying licenses from the link in the Active Directory GPME License Properties dialog for the DigitalPersona Pro Server.
License Activation Manager
License Activation Manager is a separately installed DigitalPersona administration tool. It provides an Active Directory-based means of installing DigitalPersona Pro User licenses, and provides some basic information about them. For instructions on installing this component, see page 56.
After installation of the License Activation Manager, two new License Group Policy Objects are added to Active Directory under Computer Configuration\Policies\Software Settings: one under DigitalPersona Pro Client and another under DigitalPersona Pro Enterprise Server. Client licenses are only used with versions of DigitalPersona Pro clients prior to 5.4. See page 74 for further details.
License activation
The Pro Server User License is issued in a single DigitalPersona License file with the extension .dplic, and is activated by the administrator through the Active Directory Group Policy Management Editor. If you need to activate a Pro Server that is not connected to the internet, see page 71.

Pro Enterprise Server activation
In most cases, you will activate your Pro Enterprise Servers over the internet through Active Directory and the DigitalPersona Activation wizard.

To activate a DigitalPersona Pro Enterprise User license
1 In the Group Policy Management Editor, navigate to: Computer Configuration, Policies, Software Settings, DigitalPersona, Licenses.
2 Right-click on Pro Enterprise Server\Licenses and select Add license.
3 When the DigitalPersona Activation wizard displays, click Next.
4 Select the option I want to activate the software over the Internet.
5 On the next page, browse to the License Activation (.dplic) file provided with your purchase. Or, if you have a License ID and password instead, click the Use License ID... link to enter them.
6 Click Next. Upon successful activation, a confirmation dialog will display.
Server activation from another computer
If your Pro Enterprise Server does not have access to the internet, you can activate it remotely through the use of any computer that has internet access. This procedure uses the DP License (.dplic) file and associated password provided with your purchase to generate an Activation Request (.xml) file on the Pro Server computer. This file is then copied to a computer with internet access and used to generate an Activation Response (.xml) file. Finally, this file is used on the original Pro Server computer to activate the Pro Enterprise Server license.

To remotely activate a DigitalPersona Pro Enterprise User license
1 In the Group Policy Management Editor, navigate to Computer Configuration, Policies, Software Settings, DigitalPersona Pro Enterprise Server, Licenses.
2 Right-click on Licenses and select Add license.
3 When the DigitalPersona Activation wizard displays, click Next.
4 Select the option to activate the software from another computer.
5 On the next page, browse to the License Activation (.dplic) file provided with your purchase, and enter the associated password. If you have a License ID and password instead, click the Use License ID... link to enter them.
6 Save the resulting Activation Request (.xml) file to a shared directory or device that can be accessed from a computer with an internet connection.
7 On any internet-enabled computer, install and run the DigitalPersona Remote License Tool. The default installation target directory is Program Files\DigitalPersona\Remote License Tool and the filename is DP RemoteLicenseTool.exe.
8 In the Remote License Tool, enter, or Browse to, the location of the Activation Request file saved in step 6 above.
9 Select the location where you want to save the Activation Response (.xml) file to, and click Next.
10 On the Verify Product Licenses page, click Next. Then click Next on the Product Activated page.
11 When activation is reported as successful, click Finish.
12 On the unconnected computer, select the option I want to finalize software activation.
13 Browse to the location of the Activation Response file (specified in step 9 above).
14 On the Verify Product Licenses page, click Next. Then click Next on the Product Activated page.
15 Upon successful activation, a confirmation dialog will display.
Package or component activation (v 5.3 only)
In most cases, you will activate your Pro Enterprise Package or specific component licenses over the internet through Active Directory using the License Activation Manager and the DigitalPersona Activation wizard. On computers with no internet connection, your package or component licenses may also be activated remotely through any internet-connected computer (see the topic beginning on page 74).

To activate a DigitalPersona Pro Enterprise Package or component license
1 In the Group Policy Management Editor, navigate to [domain, site or OU], Computer Configuration, Policies, Software Settings, DigitalPersona Pro Client, Licenses.
2 Right-click on Licenses and select Add license.
3 When the DigitalPersona Activation wizard displays, click Next.
4 Select the option I want to activate the software over the Internet.
5 Browse to the DigitalPersona License (.dplic) file provided with your purchase and enter the associated password. If instead you have a License ID and password, click the provided link to enter them.
6 Click Next. Upon successful activation, a confirmation dialog will display.
Client licenses for individual workstations and features will be activated when clients access the Pro Enterprise Server. If it appears that the software has not been activated, you can run gpupdate /force from the command line or Run box to force updating of any changed policies (including licensing) on the computer.

Package activation from another computer (v5.3 only)
If your Pro Enterprise client does not have access to the internet, you can activate Enterprise Packages or component\feature licenses through any internet-enabled computer. This procedure generates an Activation Request (.xml) file that you take to an internet-enabled computer to activate the license. Then you can use the generated License Activation (.dplic) file on the original client to activate client, component or feature licenses.
To activate a DigitalPersona Pro Enterprise Package or component license from another computer
1 In the Group Policy Management Editor, navigate to Computer Configuration, Policies, Software Settings, DigitalPersona Pro Client, Licenses.
2 Right-click on Licenses and select Add license.
3 When the DigitalPersona Activation wizard displays, click Next.
4 Select the option to activate the software from another computer.
5 On the next page, browse to the License Activation (.dplic) file provided with your purchase. Or, if you have a License ID and password instead, click the provided link to enter them.
6 Save the resulting Activation Request (.xml) file to a shared directory or device that can be accessed from a computer with an internet connection.
7 On any internet-enabled computer, install and run the DigitalPersona Remote License Tool. The default installation target directory is Program Files\DigitalPersona\Remote License Tool and the filename is DP RemoteLicenseTool.exe.
8 Browse to the location of the Activation Request file saved in step 6.
9 Select the location where you want to save the Activation Response file to, and click Next.
10 On the Verify Product Licenses page, click Next. Then click Next on the Product Activated page.
11 When activation is reported as successful, click Finish.
12 On the original unconnected computer, select the option I want to finalize software activation.
13 Browse to the location of the Activation Response file from step 9 above.
14 On the Verify Product Licenses page, click Next. Then click Next on the Product Activated page.
15 Upon successful activation, a confirmation dialog will display.

Activation on the local workstation (v5.3 only)
In some situations, you may see the following dialog, indicating that a component or feature has not been activated on a client workstation. This may be the case if the number of seats in your license has been exceeded, or your Enterprise Package license has not been activated yet on the Pro Enterprise Server, or the computer has not received activation information from the Pro Enterprise Server, generally because GPO settings have not yet been refreshed since activation on the Pro Enterprise Server.
In any of the above scenarios, you can activate the license for the computer (either a current or newly acquired license) from this dialog, or from the About dialog in the workstation client.
1 Click the Activate product now link to enter your license information.
2 When the DigitalPersona Activation Wizard displays, click Next.
3 Select the option I want to activate the software over the Internet.
4 Browse to the DigitalPersona License (.dplic) file provided with your purchase, and click Next. Upon successful activation, a confirmation dialog will display.
After activation, licensing information is shown in the About dialog, accessible from within the client dashboard.
Activation of the local client from another computer (v5.3 only)
Pro Enterprise clients that are not part of the domain, or are not connected to the internet, may be activated on another internet-enabled computer through the DigitalPersona Activation Wizard.

To remotely activate a Pro Enterprise client license
1 In the user dashboard About box or the unlicensed product warning, click the License Activation link.
2 When the DigitalPersona Activation wizard displays, click Next.
3 Select the option to activate the software from another computer.
4 On the next page, browse to the License Activation (.dplic) file provided with your purchase, and enter the associated password. Or, if you have a License ID and password instead, click the provided link to enter them.
5 Save the resulting Activation Request (.xml) file to a shared directory or device that can be accessed from a computer with an internet connection.
6 On the internet-enabled computer, install and run the DigitalPersona Remote License Tool. The default installation target directory is Program Files\DigitalPersona\Remote License Tool and the filename is DP RemoteLicenseTool.exe.
7 Browse to the location of the Activation Request file from step 5.
8 On the next page, select the location where you want to save the Activation Response (.xml) file to, and click Next.
9 On the Verify Product Licenses page, click Next. Then click Next on the Product Activated page.
10 When activation is reported as successful, click Finish.
11 On the unconnected computer, select the option I want to finalize software activation.
12 Enter, or Browse to, the location of the Activation Response file from step 8 above.
13 On the Verify Product Licenses page, click Next. Then click Next on the Product Activated page.
14 Upon successful activation, a confirmation dialog will display.
Releasing user licenses (v5.4.1+)
You can release the DigitalPersona license associated with a user back to the license pool through the Delete command in the DigitalPersona ADUC Snap-in. See page 84 for further details.

Deactivating client licenses (v5.3 only)
Occasionally, you may need to deactivate a client license on a computer in order to use the license on a different computer.

To deactivate a client license
1 In the About dialog on the client workstation, right-click on the component that you want to deactivate and select Deactivate the product now.
2 The icon to the left of the component name will display an X, indicating that the component has been deactivated.
3 If the computer is connected to the internet, the licenses available as shown on the Customer Service Portal will be incremented with the newly available license (after the page is refreshed or relaunched).
If the computer cannot connect to the Pro Enterprise Server for deactivation, it will still be deactivated locally, but you will need to follow these steps to actually regain use of the license.
1 You are asked to save a Deactivation Request file, and to use the Remote License Tool to finalize deactivation from a (proxy) computer that has an internet connection.
2 On the proxy computer, install and run the DigitalPersona Remote License Tool from the Remote License Tool directory in the product package. The default installation target directory is Program Files\DigitalPersona\Remote License Tool and the filename is DP RemoteLicenseTool.exe.
3 In the Remote License Tool, browse to the location of the Deactivation Request file.
4 Next, select the location where you want to save the Activation Response file (.dplic) to, and click Next.
5 On the Product Deactivation page, verify the products that will be deactivated and click Next.
6 When deactivation is reported as successful, click Finish.
Chapter 9 - ADUC snap-ins

The DigitalPersona Pro Enterprise Administration Tools include two snap-ins to ADUC (Active Directory Users and Computers): the Users and Computers snap-in and the User Query Tool snap-in.

Users and Computers snap-in
The DigitalPersona Users and Computers snap-in adds a new tab to the User Properties page enabling additional administrative functions, and adds several DigitalPersona commands to the user and computer object context menus. For installation instructions, see page 56.

User properties
DigitalPersona provides the administrator with several Basic user properties that define settings or behaviors that apply to a single specific user. They are located on the Properties dialog for the selected Active Directory user. Additional user properties are available through a separate product, the Extended Server Policy Module (ESPM) described on page 152. Note that these user properties override any conflicting computer policies.

To access the DigitalPersona Basic user properties:
1 In the Users and Computers console, open the Users folder.
2 Right-click on a specific user name, select Properties and click the DigitalPersona Pro tab.
3 Make any desired changes to the user properties, as listed below.

Randomize user's Windows Password
Enable this setting to randomize a user's Windows Password. This blocks them from using their Windows Password to verify their identity; a fingerprint or other authorized and enrolled credential must be used instead. When this option is set, DigitalPersona Pro changes the user password to a random value when you click OK on this dialog box. This user will no longer be able to access any domain resources unless they have an alternative supported and enrolled credential, even on computers where DigitalPersona Pro software is not installed.
Warning - Do not enable password randomization with incompatible logon authentication policies, such as Fingerprint and Password, as users will be unable to log on or enroll new credentials (since enrollment requires entering their Windows Password). Also, this property should not be used in combination with the Active Directory policy "User must change password on next logon," since users will be unable to change their password, and therefore unable to log on. This option is not available for accounts with administrative privileges.

User provides only Windows credentials to log on
When this option is set, the user will not be subject to any logon policy from DigitalPersona Pro. Users will be able to log on with password or smart card as defined by the Windows logon settings. By default this setting is turned off.

Account is locked out from use of fingerprint credentials
This setting is only for unlocking accounts that have been locked out due to failed logon attempts using fingerprint credentials. If the account is unlocked, the check box is disabled. For instructions on unlocking an account, see below. Note that this setting cannot be used by an administrator to lock an account.

Unlocking accounts after failed logon attempts
You can unlock an account that has been locked out of fingerprint authentication because the user reached the threshold number of failed fingerprint attempts. You must have permissions to access the user account. When an account is unlocked by an administrator, the account becomes immediately available for fingerprint authentication from all computers, or after the next replication interval if there are multiple domain controllers. The administrator can choose to set less strict lockout settings by reducing the lockout duration time or reducing the counter reset time.

To unlock a locked account
1 In Active Directory Users and Computers, right-click on the user name, and select Properties.
2 Click the DigitalPersona Pro tab. 3 Click the Account is locked out from use of fingerprint credentials check box to unselect it. This check box is for unlocking accounts and cannot be checked by an administrator to lock an account. If the account is unlocked, the check box is disabled. 4 Click OK to close the dialog box and save the changes. DigitalPersona Pro Enterprise - Administrator Guide 83
User object commands

Installation of DigitalPersona Pro adds the following new commands to the context menu for a user in the Active Directory Users and Computers console.

Recover User - Enables recovery of the user's access to their Windows account through a one-time access code available through a link on the Windows logon screen.

Delete License - (Version ) Use this command to release the DigitalPersona license associated with this user back to the license pool. This command deletes all DigitalPersona credentials and other user data stored in Active Directory.

Note that in v5.4.1, the user account should no longer be used with DigitalPersona Pro, and the product should not be reinstalled in the same user account. If use of DigitalPersona Pro is attempted on this account, an Access Denied error is reported due to previously locally cached credentials.

In v5.5.0, this is no longer the case. However, you should note the following behavior.

- The license is released within a few minutes after the user logs off from their computer.
- The ability for a user to log on using their Windows password is not affected by deleting the license.
- Due to cached credentials on the client computer, the user will still be able to use their enrolled credentials to log on to the computer after the license is deleted. But the cache is cleared after the logon with any enrolled credential (except Windows password), and the user will need to re-enroll their credentials in order to continue to use them with DigitalPersona Pro.
- The first time a user tries to save a new Password Manager logon after their license has been deleted, they will receive an error, "Data cannot be saved. If this persists, contact your administrator." The next time they attempt to do so, the message should not appear and the data should be saved successfully.
- After a license has been deleted, a user's first attempt to re-enroll their credentials through the user dashboard, or an administrator's attempt to do so through the Attended Enrollment wizard, may fail. Closing and re-opening the user dashboard or Attended Enrollment wizard should resolve the issue.

Delete Credentials - Use this command to delete specific enrolled credentials for selected users. A dialog displays where you can select the credentials to be deleted. This does not release the DigitalPersona license.
Computer object commands

The DigitalPersona Users and Computers snap-in adds the following commands to the computer object context menu.

Recover Computer (Version 5.3 only) - Enables recovery of access to a specific computer, for example due to lockout at the BIOS or encrypted drive level.
User Query Tool snap-in

The DigitalPersona Pro User Query Tool snap-in is a component within the DigitalPersona Pro Administration Tools. These tools are a separate installation and are located in the Pro Administration Tools folder of your product package.

This tool provides a means for the administrator to query the Pro Enterprise user database for information about DigitalPersona Pro users, to perform certain operations, and to set values associated with a selected user. It has three separate implementations, as described in the following topics.

- ActiveX control (page 86)
- Interactive dialog-based application (page 89)
- Command line utility (page 92)

The User Query Tool must be installed on a computer running a licensed copy of DigitalPersona Pro Workstation, and the logged-on user must have domain administrator privileges. Once installed, the Interactive dialog-based application can be run from the Start menu by clicking DigitalPersona, User Query Tool.

ActiveX control

The ActiveX control provides the most functionality, including performing operations against the user record and setting certain flags and values. The dialog-based and CLI applications are reporting tools only.

Examples of the types of query information that can be accessed by the ActiveX control are:

- Number of installed licenses
- Number of licenses used
- Number of enrolled credentials for each user
- Types of credentials enrolled for each user
- Number of users accessing managed logons
- Dates of first and last fingerprint enrollment

Additionally, certain operations may be performed against the DigitalPersona user database through the ActiveX control, such as:

- Lock user account
- Set user logon policy
- Delete specific authentication credentials
- Delete user Secrets

The Pro User Query Tool ActiveX control provides two interfaces that can be used from Visual Basic or JavaScript.
IDPUserQueryControl interface

This interface is used to return licensing information and create an instance of the DPUserControl object described in the next section.

    [
        object,
        uuid(4ac9bcda-7c6f-4919-a885-d533cba447df),
        dual,
        nonextensible,
        helpstring("IDPUserQueryControl Interface"),
        pointer_default(unique)
    ]
    interface IDPUserQueryControl : IDispatch
    {
        [propget, id(1), helpstring("Returns number of licenses installed.")]
        HRESULT NumberOfLicensesInstalled([out, retval] LONG* pVal);

        [propget, id(2), helpstring("Returns number of licenses used.")]
        HRESULT NumberOfLicensesUsed([out, retval] LONG* pVal);

        [id(3), helpstring("Creates an instance of DPUserControl object based on user DN.")]
        HRESULT GetUser([in] BSTR UserDN, [out, retval] IDispatch** ppUser);
    };

IDPUserControl interface

The IDPUserControl interface is used to get or set a number of different user properties.

    [
        object,
        uuid(c6aab663-ea2a f-1c56c),
        dual,
        nonextensible,
        helpstring("IDPUserControl Interface"),
        pointer_default(unique)
    ]
    interface IDPUserControl : IDispatch
    {
        [propget, id(1), helpstring("Returns a flag that indicates if the account is locked because of intruder detection.")]
        HRESULT IsAccountLocked([out, retval] VARIANT_BOOL* pfIsAccountLocked);

        [propput, id(1), helpstring("Sets a flag that indicates if the account is locked because of intruder detection.")]
        HRESULT IsAccountLocked([in] VARIANT_BOOL fIsAccountLocked);

        [propget, id(2), helpstring("Returns a user account control value.")]
        HRESULT AccountControl([out, retval] LONG* pVal);

        [propput, id(2), helpstring("Sets a user account control value.")]
        HRESULT AccountControl([in] LONG newVal);

        [propget, id(3), helpstring("Returns a user logon policy value.")]
        HRESULT LogonPolicy([out, retval] LONG* pVal);

        [propput, id(3), helpstring("Sets a user logon policy value.")]
        HRESULT LogonPolicy([in] LONG newVal);

        [propget, id(4), helpstring("Returns a flag that indicates if the specific authentication token is enrolled.")]
        HRESULT IsTokenEnrolled([in] BSTR TokenID, [out] VARIANT_BOOL* pfIsTokenEnrolled);

        [propget, id(5), helpstring("Returns a flag that indicates fingerprints enrolled mask.")]
        HRESULT FingerprintMask([out, retval] LONG* pVal);

        [propget, id(6), helpstring("Returns user recovery password.")]
        HRESULT RecoveryPassword([in] BSTR EncryptedPassword, [out, retval] BSTR* pVal);

        [id(7), helpstring("Deletes specific authentication token credentials.")]
        HRESULT DeleteToken([in] BSTR TokenID);

        [id(8), helpstring("Deletes enrolled fingerprints.")]
        HRESULT DeleteFingerprints(void);

        [id(9), helpstring("Deletes user Secrets.")]
        HRESULT DeleteSecrets(void);

        [id(10), helpstring("Returns date and time of first fingerprint enrollment.")]
        HRESULT FingerprintFirstEnrollmentTime([out, retval] DATE* pVal);

        [id(11), helpstring("Returns date and time of last fingerprint enrollment.")]
        HRESULT FingerprintLastEnrollmentTime([out, retval] DATE* pVal);

        [propget, id(12), helpstring("Returns a flag that indicates if the specific authentication token is enrolled.")]
        HRESULT IsTokenEnrolledEx([in] BSTR TokenID, [in] BSTR Prefix, [out] VARIANT_BOOL* pfIsTokenEnrolled);

        [propget, id(13), helpstring("Returns a flag that indicates if license taken by this user.")]
        HRESULT IsLicenseTaken([out, retval] VARIANT_BOOL* pfIsLicenseTaken);

        [id(14), helpstring("Clear license by deleting all DigitalPersona data for this user.")]
        HRESULT ClearLicense(void);
    };
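The two interfaces above can be driven from PowerShell as well as from VBScript. The following is an added example, not code from the guide or from DigitalPersona, that audits every user under a search base and reports which accounts are locked out of fingerprint logon by intruder detection and which hold a license. It assumes the ProgID DPUserQuery.DPUserQueryControl from the guide's VB sample is registered on the computer (a licensed DigitalPersona Pro Workstation) and that the session runs as a domain administrator; the search base and report path are placeholders.

```powershell
# Added example (not from the DigitalPersona guide): audit users through the
# User Query Tool ActiveX control. Assumptions: ProgID from the guide's VB
# sample; licensed Pro Workstation; domain administrator session; placeholder
# search base and output path.

param(
    [string]$SearchBase = 'CN=Users,DC=example,DC=com',   # placeholder, not a real domain
    [string]$ReportPath = "$PWD\DPUserAudit.csv"
)

# IDPUserQueryControl: licence counters plus the GetUser factory method.
$control = New-Object -ComObject 'DPUserQuery.DPUserQueryControl'
Write-Host ("Licenses installed: {0}  used: {1}" -f
    $control.NumberOfLicensesInstalled, $control.NumberOfLicensesUsed)

# Enumerate user DNs with the built-in ADSI searcher (no extra modules needed).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
$searcher.Filter     = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

$rows = foreach ($result in $searcher.FindAll()) {
    $dn = [string]$result.Properties['distinguishedname'][0]

    # IDPUserControl for this user: lock state, licence use, fingerprint mask.
    $user = $control.GetUser($dn)

    # FingerprintMask is a bitmask of enrolled fingers; the guide does not
    # document the bit layout, so only the number of set bits is reported.
    $mask = [int]$user.FingerprintMask
    $fingerCount = 0
    for ($bit = 0; $bit -lt 32; $bit++) {
        if ($mask -band (1 -shl $bit)) { $fingerCount++ }
    }

    [pscustomobject]@{
        DistinguishedName = $dn
        IsAccountLocked   = [bool]$user.IsAccountLocked   # intruder-detection lockout
        IsLicenseTaken    = [bool]$user.IsLicenseTaken
        FingerprintCount  = $fingerCount
        LogonPolicy       = [int]$user.LogonPolicy
    }
}

$rows | Export-Csv -Path $ReportPath -NoTypeInformation

# Accounts locked out of fingerprint logon are the ones to review and, where
# appropriate, unlock from the DigitalPersona Pro tab in ADUC.
$rows | Where-Object IsAccountLocked | Format-Table DistinguishedName, FingerprintCount
```

Only read-only members of IDPUserControl are used; the setters (IsAccountLocked, AccountControl, LogonPolicy) and the delete methods change user state and are deliberately left out of a reporting script. FingerprintFirstEnrollmentTime and FingerprintLastEnrollmentTime are declared as methods rather than properties in the IDL, so from PowerShell they must be invoked with parentheses.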
Sample VB script

This is a sample of a VB script that returns the date and time of the first and last fingerprint enrollments for a user.

    Dim objQueryControl, objUser
    Set objQueryControl = CreateObject("DPUserQuery.DPUserQueryControl")
    Set objUser = objQueryControl.GetUser("cn=testuser,cn=users,dc=testdomain,dc=com")
    WScript.Echo objUser.FingerprintFirstEnrollmentTime
    WScript.Echo objUser.FingerprintLastEnrollmentTime

Interactive dialog-based application

To run the interactive dialog-based application:

1 On the Start menu, point to All Programs, DigitalPersona Pro, User Query Tool.
2 In the application dialog, select the type of information you would like to display and enter or browse to the location where you want to save the resulting log file.
3 Click the Run button.
4 The file is saved as a .csv file with the default name of DPQuery.csv, which can be opened in Notepad or in Microsoft Excel and other spreadsheet programs.
DPQuery.csv format

The file produced by either the Interactive User Query Tool described above or the command line User Query Tool described beginning on page 92 has the format described below.

User Name - Name of the user being reported against.
Logon Options - Logon option value for the user:
    0 - No logon option is set.
    1 - User provides only Windows credentials to log on.
    2 - Randomize user's Windows Password.
    4 - User must provide Fingerprint and PIN to log on.
    Account is locked out from use of fingerprint credentials.
Fingerprints - Number of fingerprints enrolled by the user.
Smart Cards - Yes or No. Indicates whether this credential has been enrolled by the specified user.
Contactless Cards - Yes or No. Indicates whether this credential has been enrolled by the specified user.
Proximity Cards - Yes or No. Indicates whether this credential has been enrolled by the specified user.
Bluetooth - Yes or No. Indicates whether this credential has been enrolled by the specified user.
PIN - Yes or No. Indicates whether this credential has been enrolled by the specified user.
Licenses (Version ) - Yes or No. Indicates whether a DigitalPersona User license is being utilized by the specified user.
Self Password Recovery (Version 5.5+) - Yes or No. Indicates whether the Self Password Recovery questions have been answered by the specified user.

Additionally, the following totals are provided at the end of the file.

- Total number of users
- Total number of licenses used (Version )
- Total number of users with fingerprints enrolled
- Total number of users with smart cards enrolled
- Total number of users with contactless cards enrolled
- Total number of users with proximity cards enrolled
- Total number of users with Bluetooth enrolled
- Total number of users with PIN enrolled
- Total number of users with Self Password Recovery enrolled (Version 5.5+)
Command line utility

The User Query Tool command line utility must be run from an elevated command prompt.

To run the User Query Tool command line utility

1 Open an elevated command prompt by right-clicking any Command Prompt shortcut on the Windows Start menu (located by default in the Accessories folder) and selecting Run as administrator.
2 In the Command Prompt window, enter DPQuery.exe using the following syntax and parameters.

Syntax

    DPQuery.exe [-noui] [-dn="BaseDN"] [-out="FileName"] [-ac] [-fp] [-sc] [-cc] [-pc] [-bt] [-pin] [-lic] [-rec]

Parameters

-noui - Run the utility silently with no graphical interface.
-dn="BaseDN" - Sets the Distinguished Name of the search base for the query. If missing, the DN of the domain that the computer belongs to is used as the search base.
-out="FileName" - Identifies the path and file name for the output log file. If missing, the file DPQuery.csv is created in the directory containing the utility.
-fp - Add information about the number of fingerprints enrolled for each user in a query.
-ac - Add information about user account control flags, such as password randomization.
-sc - Add information about smart cards enrolled for each user in a query.
-cc - Add information about contactless cards enrolled for each user in a query.
-pc - Add information about proximity cards enrolled for each user in a query.
-bt - Add information about Bluetooth credentials enrolled for each user in a query.
-pin - Add information about PINs enrolled for each user in a query.
-lic - (Version ) Add information about licenses utilized for each user in a query.
-rec - (Version 5.5+) Add information about Self Recovery Password enrolled for each user in a query.
Examples

    DPQuery.exe -noui -dn="CN=Users,DC=DigitalPersona,DC=com" -ac -fp

This example query returns information about users in the Users folder of the DIGITAL_PERSONA domain, and includes user flags (password randomization, for example) and information about enrolled fingerprints.

    DPQuery.exe -noui -sc -cc -pc

The example query above returns information about all users in the DIGITAL_PERSONA domain and includes information about enrolled smart cards, contactless cards and proximity cards.
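The command line utility and the DPQuery.csv format described on page 90 fit together naturally in a scheduled check. The script below is an added example, not part of the guide, that runs DPQuery.exe silently and then reads the resulting file to find the condition the Randomize user's Windows Password warning describes: a user whose password has been randomized but who has no fingerprint or other enrolled credential, and who therefore cannot reach any domain resource. It assumes DPQuery.exe is in the current directory and the prompt is elevated, as the guide requires; the CSV header names are taken from the column table on page 90; treating Logon Options as a bitmask of the documented values 1, 2 and 4 is an assumption drawn from those values being powers of two; and the search base is a placeholder.

```powershell
# Added example (not from the DigitalPersona guide): run DPQuery.exe silently
# and check the CSV for users locked out by a randomized password with no
# alternative credential. Assumptions: DPQuery.exe in the current directory,
# elevated session, column names from the guide's table, Logon Options treated
# as a bitmask of the documented values, placeholder search base.

$searchBase = 'CN=Users,DC=example,DC=com'      # placeholder, not a real domain
$outFile    = Join-Path $env:TEMP 'DPQuery.csv'

# -ac supplies the Logon Options column; the credential switches supply the
# per-credential columns the risk check below relies on.
& .\DPQuery.exe -noui "-dn=$searchBase" "-out=$outFile" -ac -fp -sc -cc -pc -bt -pin
if ($LASTEXITCODE -ne 0) { throw "DPQuery.exe exited with code $LASTEXITCODE" }

# Documented Logon Options values (page 90).
$opt = @{ WindowsOnly = 1; Randomized = 2; FingerprintAndPin = 4 }

# Keep only per-user rows: the trailing "Total ..." summary lines are skipped
# (assumption: they appear in the first column, as the guide's list suggests).
$users = Import-Csv -Path $outFile |
    Where-Object { $_.'User Name' -and
                   $_.'User Name' -notlike 'Total *' -and
                   $_.'Logon Options' -match '^\d+$' }

$credentialColumns = 'Smart Cards', 'Contactless Cards', 'Proximity Cards', 'Bluetooth', 'PIN'

$report = foreach ($u in $users) {
    $flags            = [int]$u.'Logon Options'
    $fingerprints     = [int]$u.Fingerprints
    $otherCredentials = @($credentialColumns | Where-Object { $u.$_ -eq 'Yes' }).Count
    $randomized       = [bool]($flags -band $opt.Randomized)

    [pscustomobject]@{
        User             = $u.'User Name'
        Randomized       = $randomized
        WindowsOnly      = [bool]($flags -band $opt.WindowsOnly)
        Fingerprints     = $fingerprints
        OtherCredentials = $otherCredentials
        # Randomized password plus nothing else enrolled: the guide states such
        # a user can no longer access any domain resource.
        LockedOutRisk    = ($randomized -and $fingerprints -eq 0 -and $otherCredentials -eq 0)
    }
}

$report | Where-Object LockedOutRisk | Format-Table -AutoSize

"{0} users, {1} with randomized passwords, {2} at risk of total lockout" -f
    @($report).Count,
    @($report | Where-Object Randomized).Count,
    @($report | Where-Object LockedOutRisk).Count
```

Run it from the elevated prompt the guide calls for; the only new file it writes is the CSV under %TEMP%. Users flagged LockedOutRisk are the ones to enroll a credential for, through Attended Enrollment, before the randomization takes effect on every resource they use.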
Chapter 10 - Attended Enrollment

Attended Enrollment is a feature that allows a delegated user, or a member of a delegated user group, to attend and supervise the enrollment of DigitalPersona Pro credentials for other users. This feature is included as part of the DigitalPersona Users and Computers snap-in, and is also available as a separate component (the Attended Enrollment Tool) in the DigitalPersona Pro Administration Tools package.

Attended Enrollment can add a higher level of security to the implementation and use of DigitalPersona Pro Enterprise. By default, the domain administrator is the only user with permission to save changes to user credentials to Active Directory, and therefore the only one who can use Attended Enrollment out of the box. However, a delegated user or user group may be assigned the permission to supervise the credential enrollment process of other users. Additionally, these users may be prohibited from enrolling or managing their own credentials.

Attended Enrollment feature (ADUC snap-in)

Use of the Attended Enrollment feature within the DigitalPersona Users and Computers snap-in requires previous installation of the following components. Note that these are not required for use of the Attended Enrollment Tool that is part of the Administrative Tools installation.

Attended Enrollment feature system requirements

- DigitalPersona Pro Workstation for Enterprise
- Windows Server requires Microsoft Remote Server Administration Tools (available from the Microsoft Download Center).
- Windows Server requires Windows Server 2003 Administration Tools Pack (adminpak.msi).

Attended Enrollment Tool (standalone program)

Attended Enrollment Tool system requirements

- DigitalPersona Pro Workstation for Enterprise. During the installation, you must select the option to Remotely store Biometric data on the server.
- Installation of the DigitalPersona Pro Administration Tools package.

Setting up Attended Enrollment

By default, Attended Enrollment may be performed by any user with domain administrator privileges, and end users may also enroll and modify their own credentials from their DigitalPersona Pro workstation. If this is the desired behavior for your environment, no further setup is necessary.

In some scenarios, you may want to prohibit end users from enrolling or modifying their credentials. You may also choose to delegate authority for attended enrollment to another user or user group.
To assign or remove Register/Delete permissions

You can use the following procedure to:

- Assign the enroll/delete credentials permission to a user or group so that they may supervise Attended Enrollment.
- Remove the enroll/delete credentials permission from all users. Note that in this case, you should remove the permission, not Deny it.
- Add a user or group that will supervise Attended Enrollment.

Steps:

1 Open Active Directory Users and Computers.
2 On the View menu, select Advanced Features.
3 As necessary, create a new AD Security Group for those who will be supervising Attended Enrollment.
4 Right-click the AD Domain Root and then click Properties.
5 On the Security tab, click Advanced to view all of the permission entries.
6 Do one or more of the following:
   To assign new permissions, click Add. Then type the name of the group, computer, or user that you wish to assign the permission to, and click OK. In the Permission Entry for ObjectName dialog box, on the Object and Properties tabs, select Descendant User objects from the Apply to drop-down menu. Then select or clear the Allow or Deny check boxes for the Register/Delete Fingerprint permission*, as appropriate.
   To remove the Register/Delete Fingerprint permissions from an object or attribute, click the permission entry, and then click Remove.

* Although the permission is titled Register/Delete Fingerprint, it actually applies to all DigitalPersona Pro credentials.
Enrolling user credentials

See the previous section on setting up attended enrollment before you enroll credentials for another user.

To supervise the enrollment of user credentials:

1 Select the user, and start the Attended Enrollment Wizard. The first step is slightly different depending on whether you are enrolling from the ADUC snap-in or from the Attended Enrollment Tool.
   DigitalPersona Users and Computers snap-in - In Active Directory, right-click a user name. Select All Tasks, Enroll Credentials.
   Attended Enrollment Tool - Launch the tool from the Start Menu shortcut in the DigitalPersona folder, enter the name of the user, select the domain and click OK.
2 The Attended Enrollment wizard starts.
3 Select the credentials that you want to enroll for this user and click Next.
4 Follow the Attended Enrollment wizard instructions to enroll the user's credentials. The user being enrolled must provide their user password on the screen that follows in order to continue through the Enrollment Wizard.* This requirement prevents the supervising user from enrolling the wrong person's credentials for the user account.

* Resetting a randomized password

If your environment includes use of the DigitalPersona Pro setting Randomize user's Windows Password (see page 82), the user cannot provide their password, since they do not know it. During Attended Enrollment, each credential page provides a Reset randomized password link that the administrator may use to reset the randomized password temporarily in order to allow the authentication necessary for enrolling new credentials.

Deleting fingerprints

If a user does not have permission to delete their own fingerprints, a supervising user can use Pro Enterprise Server to delete enrolled fingerprints. The enrolled user must be present to provide the password or fingerprint.

1 In Active Directory Users and Computers, right-click a user name.
2 Select All Tasks, Enroll Credentials.
3 The Attended Enrollment Wizard starts.
4 Click Next and follow the Attended Enrollment Wizard instructions. The user must provide their user password or fingerprint to continue through the Enrollment Wizard. This requirement prevents the supervising user from deleting the wrong person's fingerprints for the user account. If the account of the supervising user does not have the Enroll/Delete Fingers permission for the user being enrolled, an Access Denied message displays.
5 On the hand outline, click the finger for the fingerprint that you want to delete.
6 Click Yes in the confirmation dialog.
7 The fingerprint is deleted, and the corresponding finger image is no longer green.

NOTE: An administrator can also delete all enrolled fingerprints for a user from the ADUC console by right-clicking a user, selecting All Tasks and selecting Delete Credentials. Fingerprints and/or other credentials may be selected and deleted for the selected user.
Chapter 11 - Policies and Settings

DigitalPersona Pro Enterprise provides a comprehensive set of Active Directory-based policies and settings used for licensing, configuring and administering the DigitalPersona Pro Enterprise Server and its clients.

These policies and settings are implemented through DigitalPersona Pro GPMC extensions and ADUC snap-ins, available as separate components installed through the DigitalPersona Pro Administration Tools, which is included in your product package. See page 130 for a description of the GPMC Extensions and page 82 for information about the ADUC snap-ins.

The Workstation administrative template, installed through the GPMC Extensions component, may also be added to a local policy object on a standalone workstation without access to Active Directory. See Install Workstation Administrative Templates Locally on page 133.

Overview

In Active Directory, the DigitalPersona Pro GPMC Extensions component adds Pro Enterprise policies and settings to the DigitalPersona Pro Client and DigitalPersona Pro Enterprise Server nodes under Computer Configuration/Policies/Software Settings, and adds policies and settings for the DigitalPersona Pro Client under the User Configuration/Policies/Software Settings and User Configuration/Policies/Administrative Templates nodes.
Installed computer policies and settings can then be accessed through the Active Directory Group Policy Management Editor in the Microsoft Management Console. Local administrators can access the Pro Workstation settings from the Microsoft Management Console (MMC) after installing the workstation administrative template.

Each setting can be accessed in the Group Policy Management Editor (or MMC) by clicking Properties on the context menu of the setting and then clicking the Policy tab on the Properties dialog box.

GPO settings have three states: enabled, disabled and not configured. By default, all settings are not configured. To override the default settings of DigitalPersona Pro, each setting must be changed to enabled or disabled and, in some cases, additional parameters must be supplied.

On the network, by default, changes made to existing GPOs may take as long as 90 minutes to refresh, with a 30 minute offset. GPOs applied to computers are refreshed during this time, as well as when the computer is restarted. GPOs applied to users are refreshed every 90 minutes and when the user logs on or off. You can use the standard Windows methods of enforcing refresh of DigitalPersona Pro GPOs without concern for disrupting DigitalPersona Pro functionality on a computer.

The following pages describe the policies and settings made available in Active Directory through the DigitalPersona Pro GPMC Extensions component. The information is organized according to major Active Directory nodes, categories and subcategories, mirroring their locations in the domain policy tree. Tables list each policy and setting and reference the page number where a full description is provided.
Computer Configuration/Policies/Software Settings

During installation of the DigitalPersona Pro Administration Tools, the following nodes are created at the domain level under the Computer Configuration/Policies/Software Settings node.

DigitalPersona Pro Client

These client settings can be found at the following location: Computer Configuration/Policies/Software Settings/DigitalPersona Pro Client. These settings are used to configure and govern DigitalPersona Pro clients.

Category/Subcategories    Setting name                                               Page
Security/Authentication   Logon Authentication Policy                                102
                          Session Authentication Policy                              102
                          Kiosk Session Authentication Policy                        103
Security/Enrollment       Self Enrollment Policy                                     104
Licenses                  [No setting]                                               104
Kiosk Administration      Allow automatic logon using Shared Kiosk Account           104
                          Logon/Unlock with Shared Account Credentials               104
                          Prevent users from logging on outside of a Kiosk session   104
                          Kiosk Workstation Shared Account Settings                  105
                          Kiosk Unlock Script                                        105

Security/Authentication

Settings that define DigitalPersona Pro Enterprise authentication policies are stored at: Computer Configuration/Policies/Software Settings/DigitalPersona Pro Client/Security/Authentication.
Logon Authentication Policy

The Logon Authentication Policy defines the credentials that may be used to log on to Windows. By default, all supported credentials are listed on the tab. Any of the listed credentials or credential combinations may be used for authentication in the Logon Authentication Policy.

1 In the Group Policy Management Editor, click Logon Authentication Policy at the following location: Computer Configuration/Policies/Software Settings/DigitalPersona Pro Client/Security/Authentication.
2 On the Logon Policy tab, make any desired changes. To edit or delete a credential in the list, click the arrow that appears to the right of the credential. To add a credential to the list, click Add at the top of the list.
3 Click Apply.

Session Authentication Policy

The Session Authentication Policy defines the credentials that may be used to access Security applications during a Windows session. By default, all supported credentials are listed on the tab. Any of the listed credentials or credential combinations (Permitted Credentials) may be used for authentication in the Session Authentication Policy.

1 In the Group Policy Management Editor, click Session Authentication Policy at the following location: Computer Configuration/Policies/Software Settings/DigitalPersona Pro Client/Security/Authentication.
   If enabled, only the specified combination of credentials in the policy can be used for authentication.
   If disabled, the user is not prompted to authenticate by DigitalPersona Pro security applications during the Windows session. This configuration provides Single Sign-On functionality: the user logs on to Windows and gains access to all security applications without being prompted to authenticate for each application. However, enrollment of credentials still requires authentication.
   If not configured, any of the installed authentication devices can be used for authentication.
2 On the Session Policy tab, make any desired changes. To edit or delete a credential in the list, click the arrow that appears to the right of the credential. To add a credential to the list, click Add at the top of the list.
3 Click Apply.

Kiosk Session Authentication Policy

The Kiosk Session Authentication Policy defines the credentials that may be used to access Security applications during a Pro Kiosk session. By default, all supported credentials are listed on the tab. Any of the listed credentials or credential combinations may be used for authentication in the Kiosk Session Authentication Policy.

1 In the Group Policy Management Editor, click Kiosk Session Authentication Policy at the following location: Computer Configuration/Policies/Software Settings/DigitalPersona Pro Client/Security/Authentication.
   If enabled, only the specified combination of credentials in the policy can be used for authentication.
   If disabled, the user is not prompted to authenticate by DigitalPersona Pro security applications during the Windows session. This configuration provides Single Sign-On functionality: the user logs on to Windows and gains access to all security applications without being prompted to authenticate for each application. However, enrollment of credentials still requires authentication.
   If not configured, any of the installed authentication devices can be used for authentication.
2 On the Kiosk Session Authentication Policy tab, make any desired changes. To edit or delete a credential in the list, click the arrow that appears to the right of the credential. To add a credential to the list, click Add at the top of the list.
3 Click Apply.

Security/Enrollment

Computer-level settings that define DigitalPersona Pro Enterprise enrollment policies are stored at: Computer Configuration/Policies/Software Settings/DigitalPersona Pro Client/Security/Enrollment.

Self Enrollment Policy

This policy determines the credentials that may be used for self enrollment on a client workstation. If enabled, only the specified credentials may be used for self enrollment. If disabled or not configured, any installed and supported credentials may be used. Note that there is also a user-level Self Enrollment Policy setting that takes precedence over this computer-level setting.

Licenses

To add new client licenses, right-click the License node and select Add license.

Kiosk Administration

Settings that define DigitalPersona Pro Kiosk policies are stored at: Computer Configuration/Policies/Software Settings/DigitalPersona Pro Client/Kiosk Administration.

Allow automatic logon using Shared Kiosk Account

Determines whether the automatic logon feature is enabled. Automatic logon uses the Kiosk Shared Account to log users on to the computer when the Windows operating system starts up. The Log On to Windows dialog box is not displayed. If disabled or not configured, automatic logon is disabled.

CAUTION: The automatic logon setting allows any user to access a Windows session without interactive authentication when the Kiosk computer is restarted.

Logon/Unlock with Shared Account Credentials

If enabled, any user who knows the user name and password for the shared account that Kiosk uses can use those credentials to log on to or unlock the computer. If disabled or not configured, the shared account credentials cannot be used to log on to or unlock the computer.

Prevent users from logging on outside of a Kiosk session

When enabled, only those with administrator privileges are able to log on to any Kiosk workstation controlled by the GPO.
If disabled or not configured, users can log on to the Kiosk workstations as a local user outside of the Kiosk session.

Kiosk Workstation Shared Account Settings

In order to use a Kiosk workstation, this setting must be enabled and the Windows shared account information (user name, domain and password) specified. See Kiosk Shared Account Settings on page 29 for additional details. If disabled or not configured, Kiosk workstations affected by the GPO will not be operable.

Kiosk Unlock Script

Specifies a script file to run whenever a Kiosk session is unlocked by a new user. By default, the script file should be located in the following directory on a domain controller:

    %systemroot%\sysvol\sysvol\domain_dns_name\scripts

Or, you can specify the full path to a shared folder which contains the script file.

DigitalPersona Pro Enterprise Server

These server settings can be found at the following location: Computer Configuration/Policies/Software Settings/DigitalPersona Pro Enterprise Server. These settings are used to configure and govern DigitalPersona Pro servers.

Category/Subcategories    Setting name    Page
Licenses                  [No setting]    105

Licenses

DigitalPersona Pro Enterprise license information for DigitalPersona Pro Enterprise Server is stored at: Computer Configuration/Policies/Software Settings/DigitalPersona Pro Enterprise Server/Licenses.

To add a license for Pro Enterprise Server, right-click the License node and select Add license. For complete information on adding and managing your DigitalPersona Pro Enterprise licenses, see License Activation & Management on page 67.
Computer Configuration\Policies\Administrative Templates

During installation of the DigitalPersona Pro Administration Tools, the following nodes and settings are created at the domain level under the Computer Configuration\Policies\Administrative Templates node.

DigitalPersona Pro Client (Summary)

These settings are used to configure and govern DigitalPersona Pro clients.

Category/Subcategories                Setting name                                              Page
Authentication Devices                                                                          108
    Bluetooth                         Lock computer when your phone is out of range             108
                                      Silent authentication                                     108
    Fingerprints                      Redirect fingerprint data                                 108
                                      Cache user data on local computer                         110
                                      Fingerprint enrollment                                    110
                                      Fingerprint verification                                  110
    PIN                               PIN enrollment                                            111
    Smart cards                       Lock the computer upon smart card removal                 111
Event logging                         Level of detail in event logs                             111
Fast Connect                          Citrix Published Application Name                         112
DigitalPersona Reporter               DigitalPersona Reporter Event Forwarding                  112
General Administration                Quick Actions                                             112
                                      Do not allow users to run local administrative tools      113
                                      Do not launch the Getting Started wizard upon logon       113
                                      Identification Server domain                              113
                                      Allow Pro client to use Pro Server                        113
                                      Show Taskbar icon                                         113
Kiosk Administration                  Allow automatic logon using Shared Kiosk Account          114
                                      Logon/Unlock with Shared Account Credentials              114
                                      Prevent users from logging on outside of a Kiosk session  114
                                      Kiosk Workstation Shared Account Settings                 114
                                      Kiosk Unlock Script                                       114
Managed applications
    Disable applications              Prevent Password Manager from running                     115
                                      Prevent Privacy Manager from running                      115
    Privacy Manager                   Encryption policy                                         115
                                      Certificate publishing policy                             115
                                      Certificate use policy                                    116
Security
    Authentication                    Logon Authentication Policy                               116
                                      Session Authentication Policy                             116
    Features                          Enable multi-factor authentication in Windows logon       116
    Settings                          Enable One Step Logon                                     117
                                      Enable Self Password Recovery                             117
Software Updates                      Allow running auto updates on the computer                117
                                      Enable the Central Management menu item                   117
DigitalPersona Pro Client (Details)

Authentication Devices

Bluetooth

Lock computer when your phone is out of range

Configure whether to lock the computer when a Bluetooth device which was connected during login moves out of range. If enabled, locks the computer when the device is out of range. If disabled or not configured, does not lock the computer when the device is out of range.

The definition of out of range depends on the installed Bluetooth stack. For the Broadcom stack, which can measure the signal strength of the Bluetooth device, out of range is a hard-coded threshold of 10 dB. For non-Broadcom stacks, out of range is defined as whenever the device is not visible to the software.

Silent authentication

Configure whether or not to use silent authentication for Bluetooth credentials. If enabled, when Bluetooth credentials are allowed for authentication by the Logon or Session Policy in force, authentication will be attempted with the previously used Bluetooth credential immediately upon entry to a logon screen. If disabled, selection of a specific Bluetooth credential is required for authentication. If not configured, silent Bluetooth authentication is controlled locally by the "Allow silent authentication" setting in the Administrative Console.

Fingerprints

Redirect fingerprint data

Configure whether or not to allow the client computer to redirect fingerprint data to a remote Terminal Services session. If enabled, clients can send fingerprint data to a remote computer. This configuration must be enabled to support fingerprint authentication on a remote desktop. If disabled or not configured, fingerprint data redirection is not allowed.

When an administrator changes this setting, only new connections display the behavior specified by the new setting. Sessions that were initiated before the change must log off and reconnect to be affected by the new setting.

The "Do not compress fingerprint data for redirection" checkbox specifies whether to compress fingerprint data on the client computer before redirecting it to the Terminal Services session. If checked, fingerprint data is not compressed on the client computers before sending to the Terminal Server. If not checked, fingerprint data is compressed on the client computers before sending to the Terminal Server.

When an administrator changes this setting, only new connections display the behavior specified by the new setting. Sessions that were initiated before the change must log off and reconnect to be affected by the new setting.
Cache user data on local computer

Determines whether user data for domain users is cached on the local computer. If enabled or not configured, user data (fingerprint templates and secure application data) of domain users is cached locally on the computer. This provides domain users the ability to use their fingerprints when a DigitalPersona Pro Server cannot be located. This is a convenient but less secure option. If not enabled, users may only use fingerprints when DigitalPersona Pro Server is accessible. The data of local users is always stored on the local computer.

Fingerprint enrollment

Configure settings related to fingerprint enrollment.

Set the minimum number of enrolled fingerprints: This setting requires that the user enroll at least the specified number of fingerprints. Enrolling just one fingerprint increases the probability of not being able to authenticate. Enrolling several fingerprints will increase the probability of false acceptance. If disabled or not configured, the minimum number of fingerprints required for enrollment is 1.

Set the maximum number of enrolled fingerprints: This setting restricts the number of fingerprints that a user can enroll. Enrolling several fingerprints will increase the probability of false acceptance. If disabled or not configured, the maximum number of fingerprints allowed for enrollment is 10.

Fingerprint verification

Configure settings related to fingerprint verification. If enabled, allows you to set the False Accept Rate for fingerprint verification. If disabled or not configured, a FAR setting of Medium High (1 in 100,000) is used.

Set the False Accept Rate: The False Accept Rate (FAR) is the probability of receiving a false acceptance decision when comparing fingerprints scanned from different fingers. When this setting is enabled, you can select one of the following FAR values:
    Medium (1 in 10,000)
    Medium High (1 in 100,000) - Recommended
    High (1 in 1,000,000)

For example: if you select Medium High, on average, one false acceptance will occur when a fingerprint is compared against one hundred thousand fingerprints scanned from different fingers. The higher the setting, the lower the chance of receiving a false acceptance. However, at the High setting, the system may reject legitimate fingerprints.

NOTE: The FAR is set on a per-verification basis. When matching a fingerprint against the fingerprints of multiple users (identification), the internally used FAR is automatically adjusted to maintain the same effective FAR that was selected for one match.

PIN

PIN enrollment

Configure settings related to enrollment of the user PIN. If enabled, enables setting the minimum length of the user PIN. If disabled or not configured, the minimum length of the user PIN is 4.

Set the minimum length of user PIN: Use the up and down arrow keys to set the minimum length of the user PIN.

Caution: Setting a very short PIN reduces security by making it easier to try all possible combinations of numbers comprising the PIN.

Smart cards

Lock the computer on smart card removal

Configure whether or not the computer locks upon removing the smart card from the smart card reader. If enabled, the computer locks upon removing the smart card from the smart card reader. The computer will lock only if the smart card was used to log on to Windows. If disabled or not configured, the computer does not lock upon removing the smart card from the smart card reader.

Event logging

Level of detail in event logs

Determines the level of detail and type of events written to the Windows Event Log. If enabled, DigitalPersona Pro logs events on the specified level. If disabled or not configured, events are logged on the Auditing level. There are three levels of event logging:
    Errors Only
    Auditing
    Details
Each higher level includes all previous levels. Events are logged on the computer where the event occurred. For most normal tasks it is enough to set the level to Auditing. This would cover all logon events, authentication events, fingerprint management events, user management events, etc. Setting a very high level of event logging will fill the log file quickly.

Log Status events: Note that logging of Status events is not enabled by default, and must be separately enabled by selecting the Log Status Events checkbox. Status events provide information about the state of various policies and components on client computers. The interval at which status events are reported can also be configured.

Fast Connect

Citrix Published Application Name

Configures the Fast Connect feature, which provides quick connection and log on to Citrix Published Applications and Virtual Desktops. If enabled, specifies the application or desktop to be connected to when the Fast Connect Quick Action is initiated. The required format is FarmName:ApplicationNameOrDesktopName. If disabled or not configured, the Fast Connect feature is unavailable.

DigitalPersona Reporter

DigitalPersona Reporter Event Forwarding

Configures forwarding of Pro Workstation events to DigitalPersona Reporter via the Windows Event Forwarding mechanism. If enabled, Pro events are forwarded. If disabled or not configured, Pro events are not forwarded.

General Administration

Quick Actions

Specifies administrator-defined Quick Actions that are performed automatically when a user presents an authorized and enrolled credential, or key+credential combination. If enabled, the administrator can specify the Quick Action to be performed by the Pro client. If disabled, no Quick Action will be performed for the selected credential or key+credential combination. If not configured, the default or user-specified Quick Action will be performed. Available Quick Actions are described below.

Fast Connect: Connects to a Citrix session, runs the Citrix Desktop or Published Application, fills in specified credentials and logs into an application. If a connection is already active, disconnects from the session.

Lock Workstation: Locks the computer.

Password Manager Action: Performs one of the following operations when the associated Quick Action is initiated. When the active window has an associated Password Manager personal logon or managed logon, fills in account data. If the window is determined to be a logon screen that does not have an associated personal logon or managed logon, and the Allow creation of personal logons setting (page 127) is enabled or not configured, the Add Logon dialog displays. If none of the above cases are true, the Logons Menu or user dashboard is shown.

Do not allow users to run local administrative tools

Prevents users from running the Administrative Console or the Setup wizard. Users will not be able to configure security features on their computers. If enabled, users are not allowed to run local administrative tools. If disabled or not configured, users are allowed to run local administrative tools.

Do not launch the Getting Started wizard upon logon

If enabled, the DigitalPersona Pro dashboard and the Getting Started page do not start automatically after user logon. If disabled or not configured, the DigitalPersona Pro dashboard and the Getting Started page start automatically after user logon.

Identification Server domain

Specifies the name of the domain where a DigitalPersona ID Server is hosted. Computers attempting to identify a user based on their fingerprint credentials will send the query to this domain. If enabled, and a DNS domain name is entered, queries are sent to the specified domain. If not configured or disabled, queries are sent to the domain that the computer belongs to.

DNS domain name: Specify the name of the domain where the DigitalPersona ID Server is hosted.

Allow Pro client to use Pro Server

If enabled or not configured, Pro clients will attempt to contact a Pro Server to obtain services. If disabled, Pro clients will not attempt to contact a Pro Server, and will use cached data.

Show Taskbar icon

If enabled or not configured, a Taskbar icon is displayed on managed workstations.
If disabled, the Taskbar icon is not shown.

Kiosk Administration

The following Kiosk Administration settings, located under the Administrative Templates node, are included for backward compatibility, but have been replaced by the settings described on page 104.

Allow automatic logon using Shared Kiosk Account

Determines whether the automatic logon feature is enabled. Automatic logon uses the Kiosk Shared Account to log users on to the computer when the Windows operating system starts up. The Log On to Windows dialog box is not displayed. If disabled or not configured, automatic logon is disabled.

CAUTION: The automatic logon setting will allow any user to access a Windows session without interactive authentication when the Kiosk computer is restarted.

Logon/Unlock with Shared Account Credentials

If enabled, any user who knows the user name and password for the shared account that Kiosk uses can use those credentials to log on to or unlock the computer. If disabled or not configured, the shared account credentials cannot be used to log on to or unlock the computer.

Prevent users from logging on outside of a Kiosk session

When enabled, only those with administrator privileges are able to log on to any Kiosk workstation controlled by the GPO. If disabled or not configured, users can log on to the Kiosk workstations as a local user outside of the Kiosk session.

Kiosk Workstation Shared Account Settings

In order to use a Kiosk workstation, this setting must be enabled and the Windows shared account information (user name, domain and password) specified. See Kiosk Shared Account Settings on page 29 for additional details. If disabled or not configured, Kiosk workstations affected by the GPO will not be operable.

Kiosk Unlock Script

Specifies a script file to run whenever a Kiosk session is unlocked by a new user. By default, the script file should be located in the following directory on a Domain Controller:
%systemroot%\sysvol\sysvol\domain_dns_name\scripts
Or, you can specify the full path to a shared folder which contains the script file.
Managed applications

Disable Applications

Prevent Password Manager from running

If enabled, the Password Manager application is not available. If disabled or not configured, the Password Manager application is available.

Prevent Privacy Manager from running

If enabled, the Privacy Manager application is not available. If disabled or not configured, the Privacy Manager application is available.

Privacy Manager

Encryption policy

Controls the encryption capabilities of Privacy Manager. If enabled, the administrator can choose to prevent users from accessing the encryption capabilities of Privacy Manager for:
    Microsoft Office documents
    Microsoft Outlook
If disabled or unconfigured, encryption is allowed.

Certificate publishing policy

Controls how digital certificates are shared using Active Directory. If enabled, administrators can select one of the following options:

Automatic - a user's certificate is automatically published in Active Directory when either acquired from Comodo or imported from another source. Additionally, certificates for Trusted Contacts can be downloaded from Active Directory.

Users can publish manually - users are asked whether to publish a certificate in Active Directory when either acquired from Comodo or imported from another source. Additionally, certificates for Trusted Contacts can be downloaded from Active Directory.

Note that when a certificate is issued directly for the DigitalPersona CSP, and the user does not need to do anything to start using that certificate, the certificate is not automatically published in Active Directory but can be manually published if they desire to do so. The certificate can also be published by other means; for example, a Microsoft Certificate Authority can publish certificates automatically when issuing them. The ability to download the Address Book (with associated certificates) from within Microsoft Outlook is not affected by this setting.

Certificates are published in the userCertificate attribute of the user record, which is the standard place for user certificates in Active Directory.

If disabled or unconfigured, a user's certificates are not published in Active Directory and certificates of Trusted Contacts are not downloaded from Active Directory.

Certificate use policy

Allows the use of third-party certificates. If enabled, any certificate having signature, encryption and protection capabilities is allowed. If disabled or unconfigured, only special Comodo-issued certificates can be used, and only those certificates are displayed in the Certificate Manager and Trusted Contacts Manager.

Security/Authentication

WARNING: The two authentication settings described below, located under the Policies\Administrative Templates\DigitalPersona Pro Client\Security\Authentication node, are included for backwards compatibility with versions prior to 5.2. Pro Enterprise versions 5.2 and above use new authentication settings, in a new AD location, located under the Policies\Software Settings\DigitalPersona Pro Client\Security\Authentication node (see page 101). When upgrading your DigitalPersona Pro products, once all client workstations have been upgraded to 5.2 these two settings should be set to not configured.

Logon Authentication Policy

Defines the credentials that may be used to access the computer, decrypt the hard drive, and log on to Windows. If enabled, only the specified authentication devices, in the specified combination, can be used for authentication. If disabled or not configured, any of the installed authentication devices can be used for authentication.

Session Authentication Policy

Defines the credentials that may be used to access Security applications during a Windows session. If enabled, only the specified authentication devices, in the specified combination, can be used for authentication. If disabled or not configured, any of the installed authentication devices can be used for authentication.

Security/Features

Enable multi-factor authentication in Windows logon

Configures whether or not the multi-factor authentication feature is enabled in Windows logon. If enabled, users are allowed to log on to Windows only if they are authenticated according to the multi-factor Logon Authentication Policy in effect. If disabled, the multi-factor Logon Authentication Policy in effect is not enforced, and the standard Windows logon is used. If not configured, multi-factor authentication is enabled.

Settings

Enable One Step Logon

One Step Logon simplifies the logon process when multi-factor authentication is enabled both at pre-boot and Windows logon. If enabled or not configured, authentication is required at pre-boot only, and users are automatically logged on to Windows. If disabled, authentication may be required multiple times.

Enable Self Password Recovery

Self Password Recovery is a recovery feature that allows users to gain access to the computer in the event that they are unable to authenticate with the required credentials. If enabled, users will be able to use Self Password Recovery to log on. If disabled, the Self Password Recovery feature is not made available to users. If not configured, the availability of the Self Password Recovery feature is controlled locally by the Allow Self Password Recovery setting in the client's Administrative Console.

Software Updates

Allow running auto updates on the computer

If enabled or not configured, auto updates are allowed on the client computers. If disabled, auto updates are not allowed on the client computers.

Enable the Central Management menu item

If enabled or not configured, the Central Management menu item is shown in the user dashboard. If disabled, the Central Management menu item is not shown in the user dashboard.
DigitalPersona Pro Enterprise Server (Summary)

The policies and settings in this table are implemented through AD Administrative Templates and are used to configure the behavior of DigitalPersona Pro Enterprise Server.

Category/Subcategories            Setting name                                                          Page
Authentication Devices                                                                                  119
    Fingerprints
        Fingerprint verification lockout
                                  Account lockout duration                                              119
                                  Reset account lockout counter after                                   119
                                  Account lockout threshold                                             119
                                  Fingerprint enrollment                                                119
                                  Fingerprint verification                                              120
    PIN                           PIN enrollment                                                        120
Event logging                     Level of detail in event logs                                         121
Identification Server settings    Perform fingerprint identification on server                          121
                                  Restrict identification to a specific list of users                   122
Pro Enterprise Server DNS         Automated site coverage by Pro Enterprise Server Locator DNS SRV records  122
                                  Refresh interval of Pro Enterprise Server DNS records                 122
                                  Sites covered by Pro Enterprise Server Locator DNS records            123
                                  Priority set in Pro Enterprise Server DNS records                     123
                                  Weight set in Pro Enterprise Server Locator DNS records               123
                                  Register Pro Enterprise Server Locator DNS records for domain
                                  Dynamic registration of Pro Enterprise Server Locator DNS records
DigitalPersona Pro Enterprise Server (Detail)

Authentication Devices

Fingerprints

Fingerprint verification lockout

Account lockout duration

Configure the number of minutes an account is locked out before automatically being unlocked. To specify that the account will be locked out until the administrator explicitly unlocks it, set the value to 0. The Account lockout duration must be greater than or equal to the reset time. If enabled, you can set a value between 1 and minutes. If disabled or not configured, the duration of the lockout is 30 minutes.

Reset account lockout counter after

Configure the number of minutes that must elapse after a failed fingerprint verification attempt before the account lockout counter is reset to 0. The reset time must be less than or equal to the Account lockout duration. If enabled, you can set a value between 1 and minutes. If not configured, the counter is reset after 5 minutes.

Account lockout threshold

Configure the number of failed fingerprint verification attempts that causes a user account to be locked out. The lockout only applies to fingerprint verification. Other enrolled credentials may still be used. A user cannot access a locked out account using their fingerprint until it is reset by an administrator or until the account lockout duration has expired. If enabled, you can set a value between 1 and 999 failed fingerprint verification attempts, or you can specify that the account will never be locked out to fingerprint verification by setting the value to 0. If disabled or not configured, the account will never be locked out due to failure of fingerprint verification.

Fingerprint enrollment

Configure settings related to fingerprint enrollment.

Set the minimum number of enrolled fingerprints: This setting requires that the user enroll at least the specified number of fingerprints. Enrolling just one fingerprint increases the probability of not being able to authenticate. Enrolling several fingerprints will increase the probability of false acceptance. If disabled or not configured, the minimum number of fingerprints required for enrollment is 1.
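The three lockout settings above interact (threshold, reset window, duration) and the guide states constraints between them but no worked sequence of events. The following is an added illustration of that interaction, not DigitalPersona code: it models the state machine those settings describe and checks the stated constraints. The exact transitions (for example that a successful verification clears the counter) and the use of seconds since an arbitrary epoch are assumptions made for the example.

```python
"""Fingerprint verification lockout modelled on Account lockout threshold,
Reset account lockout counter after, and Account lockout duration.
Added example, not DigitalPersona code; transitions are assumptions read from
the guide's text.  Times are seconds since an arbitrary epoch (offline test)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 0          # failed attempts before lockout; 0 = never lock out (default)
    duration_min: int = 30      # minutes locked out; 0 = until an administrator unlocks
    reset_after_min: int = 5    # quiet minutes after a failure before the counter resets

    def validate(self) -> bool:
        """Enforce the ranges and the duration >= reset-time rule the guide states."""
        if not 0 <= self.threshold <= 999:
            raise ValueError("threshold must be between 0 and 999")
        if self.duration_min < 0 or self.reset_after_min < 1:
            raise ValueError("duration must be >= 0 and reset window >= 1 minute")
        if self.duration_min != 0 and self.reset_after_min > self.duration_min:
            raise ValueError("reset window must not exceed the lockout duration")
        return True


@dataclass
class AccountState:
    failures: int = 0
    last_failure_at: Optional[float] = None
    locked_at: Optional[float] = None


class FingerprintLockout:
    """Per-user failed-verification tracking.  The lockout applies only to
    fingerprint verification; other enrolled credentials are unaffected."""

    def __init__(self, policy: LockoutPolicy) -> None:
        policy.validate()
        self.policy = policy
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.policy.duration_min == 0:
            return True                      # locked until admin_unlock()
        if now - st.locked_at >= self.policy.duration_min * 60:
            self._accounts[user] = AccountState()   # duration expired, counter cleared
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed fingerprint verification; True if it locks the account."""
        if self.policy.threshold == 0 or self.is_locked(user, now):
            return False
        st = self._state(user)
        # The counter resets once the reset window has elapsed since the last failure.
        if (st.last_failure_at is not None
                and now - st.last_failure_at >= self.policy.reset_after_min * 60):
            st.failures = 0
        st.failures += 1
        st.last_failure_at = now
        if st.failures >= self.policy.threshold:
            st.locked_at = now
            return True
        return False

    def record_success(self, user: str) -> None:
        """Assumption: a successful verification clears the failure counter."""
        self._accounts[user] = AccountState()

    def admin_unlock(self, user: str) -> None:
        """Explicit administrator reset, the only way out of a duration-0 lockout."""
        self._accounts[user] = AccountState()
```

With the defaults (threshold 0) nothing is ever locked, which is why the guide's "If disabled or not configured" text describes an account that never locks; a threshold of 1 with duration 0 is the strictest combination and requires an administrator to intervene after a single failure.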
Set the maximum number of enrolled fingerprints: This setting restricts the number of fingerprints that a user can enroll. Enrolling several fingerprints will increase the probability of false acceptance. If disabled or not configured, the maximum number of fingerprints allowed for enrollment is 10.

Fingerprint verification

Configures the False Accept Rate (FAR), which is the probability of receiving a false acceptance decision when comparing fingerprints scanned from different fingers. Specify the value 1 in N, where one false acceptance is likely to occur in N verification attempts. For example, if you select 1 in 10,000 it means that, on average, one false acceptance will occur when a fingerprint is compared against ten thousand fingerprints scanned from different fingers. If you select 1 in 100,000 the probability is one in one hundred thousand. The higher the value N specified, the lower the chance of receiving a false acceptance. If this value is too high, the system may reject legitimate fingerprints.

If enabled, you can set the False Accept Rate for fingerprint verification. If disabled or not configured, the value of 1 in 100,000 FAR is used.

NOTE: FAR is set on a per-verification basis. When matching a fingerprint against fingerprints of multiple users (identification), the internally used FAR is automatically adjusted to maintain the same effective FAR as was selected for a single match.

PIN

PIN enrollment

Configure settings related to enrollment of the user PIN. If enabled, enables setting the minimum length of the user PIN. If disabled or not configured, the minimum length of the user PIN is 4.

Set the minimum length of user PIN: Use the up and down arrow keys to set the minimum length of the user PIN.

Caution: Setting a very short PIN reduces security by making it easier to try all possible combinations of numbers comprising the PIN.
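The NOTE above (and the matching NOTE on the client-side Fingerprint verification setting) says the per-match FAR is adjusted during identification so that the effective FAR stays at the selected value, but it does not show why that is necessary. The following added example, which is not DigitalPersona code, works the arithmetic through under the assumption that each comparison against a non-matching template is an independent trial; it shows how far an unadjusted 1:N identification drifts from the chosen 1-in-N value and what per-match FAR restores it.

```python
"""FAR arithmetic for 1:1 verification versus 1:N identification.
Added example, not DigitalPersona code.  Assumes independent comparisons;
log1p/expm1 keep the small probabilities numerically accurate."""
import math

# FAR values offered by the policy setting, expressed as 1 in N.
FAR_CHOICES = {
    "Medium": 10_000,
    "Medium High": 100_000,   # default and recommended value
    "High": 1_000_000,
}


def far_from_choice(name: str) -> float:
    """Probability of a false acceptance on a single comparison for a policy value."""
    return 1.0 / FAR_CHOICES[name]


def identification_far(per_match_far: float, population: int) -> float:
    """Effective FAR of a 1:N identification: the chance that at least one of
    `population` non-matching templates is falsely accepted."""
    if population < 1:
        raise ValueError("population must be at least 1")
    return -math.expm1(population * math.log1p(-per_match_far))


def per_match_far_for_target(target_far: float, population: int) -> float:
    """Per-comparison FAR the matcher must use so that a 1:N identification keeps
    the effective FAR the administrator selected (the NOTE's 'automatic adjustment')."""
    if population < 1:
        raise ValueError("population must be at least 1")
    return -math.expm1(math.log1p(-target_far) / population)


def far_report(choice: str, population: int) -> dict:
    """Unadjusted versus adjusted 1:N identification for one policy value."""
    target = far_from_choice(choice)
    adjusted = per_match_far_for_target(target, population)
    return {
        "target_far": target,
        "unadjusted_identification_far": identification_far(target, population),
        "adjusted_per_match_far": adjusted,
        "adjusted_identification_far": identification_far(adjusted, population),
    }


if __name__ == "__main__":
    for users in (1, 1_000, 10_000):
        r = far_report("Medium High", users)
        print(f"{users:>6} users: unadjusted 1:N FAR {r['unadjusted_identification_far']:.2e}, "
              f"per-match FAR needed {r['adjusted_per_match_far']:.2e}")
```

For a domain of 10,000 enrolled users the unadjusted figure is roughly 9.5% per identification at the Medium High setting, which is why the server lowers the internal threshold; the same arithmetic explains the enrollment text's warning that every additional enrolled finger raises the population a stranger's finger is compared against.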
Event Logging

Level of detail in event logs

Determines whether DigitalPersona Pro logs events, such as fingerprint registration and authentication attempts, in the Windows Event Log. There are three levels of event logging:
    Errors
    Auditing
    Details

Each higher level includes all previous levels. Each event is logged on the computer where the event occurred. For most normal tasks it is enough to set the level to Auditing. This would cover all logon events, authentication events, fingerprint management events, user management events, etc. Setting a very high level of event logging will fill the log file quickly.

If enabled, DigitalPersona Pro logs events on the specified level. If not configured, events are logged on the Auditing level. If disabled, events are logged on the Auditing level.

Log Status events: Note that logging of Status events (see page 150) is not enabled by default, and must be separately enabled by selecting the Log Status Events checkbox. Status events provide information about the state of various policies and components on client computers. The interval at which status events are reported can also be configured.

Identification Server settings

Perform fingerprint identification on server

Specifies whether fingerprint identification is performed on the DigitalPersona Pro Server or against the local computer cache. The default is not configured; however, this setting must be enabled for DigitalPersona Pro Kiosk clients where fingerprint credentials will be used.

If enabled, fingerprint identification requests are directed to a DigitalPersona Pro Server, where the provided fingerprint data is compared to the data for every user with enrolled fingerprints in the Active Directory domain. Note that after enabling this setting, you will need to wait about 15 minutes before identification is available, or you can restart the Pro Enterprise Server to refresh the settings.

If disabled or not configured, fingerprint identification requests are processed on the local computer, where the provided fingerprint data is compared to the data for every user with enrolled fingerprints in the local computer cache.
122 Chapter 11 - Policies and Settings Restrict identification to a specific list of users Allow restricting identification to a specific list of users with permissions for the computer where the identification request originates. If enabled, you can define a list of users who can participate in identification, and then assign this list to a specific computer or set of computers. If disabled or not configured, identification is performed against all domain users. For details on how to define this list of users, see the topic Identification List on page 215. Pro Enterprise Server DNS Automated site coverage by Pro Enterprise Server Locator DNS SRV records Configure whether or not Pro Enterprise Server will dynamically register Pro Enterprise Server Locator site-specific SRV records for the closest sites where no Pro Enterprise Server for the same domain exists. These DNS records are dynamically registered by Pro Enterprise Server, and they are used by DigitalPersona Pro Workstation to locate Pro Enterprise Server. If enabled, the computers to which this setting is applied dynamically register Pro Enterprise Server Locator site-specific DNS SRV records for the closest sites where no Pro Enterprise Server for the same domain exists. If disabled or not configured, the computers will not register site-specific Pro Enterprise Server Locator DNS SRV records for any other sites but their own. Refresh interval of Pro Enterprise Server DNS records Configure the refresh interval of Pro Enterprise Server Locator DNS resource records for computers to which this setting is applied. These DNS records are dynamically registered by Pro Enterprise Server and are used by DigitalPersona Pro Workstation to locate Pro Enterprise Server. This setting may be applied only to computers using dynamic update. 
Computers configured to perform dynamic registration of Pro Enterprise Server Locator DNS resource records periodically re-register their records with DNS servers, even if their records data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this re-registration is required so that the authoritative DNS servers (which are configured to automatically remove stale records) will recognize these records as current and preserve them in the database. Warning: If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the refresh interval configured for these zones. Setting the refresh interval of Pro Enterprise Server Locator DNS records to longer than the refresh interval of the DNS zones may result in unwanted deletion of DNS resource records. If enabled, allows you to specify a refresh interval longer than the default value of 1800 seconds (30 minutes). If disabled or not configured, computers use the default value. DigitalPersona Pro Enterprise - Administrator Guide 122
Sites covered by Pro Enterprise Server Locator DNS SRV records

Configure the sites for which the domain Pro Enterprise Server registers site-specific Pro Enterprise Server Locator DNS SRV resource records. These records are in addition to the site-specific SRV records registered for the site where Pro Enterprise Server resides, and in addition to the records registered by a Pro Enterprise Server configured to register Pro Enterprise Server Locator DNS SRV records for the closest sites that have no Pro Enterprise Server. The Pro Enterprise Server Locator DNS records are dynamically registered by Pro Enterprise Server, and they are used by DigitalPersona Pro Enterprise clients to locate a Pro Enterprise Server.

An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.

If enabled, configures the sites covered by the Pro Enterprise Server Locator DNS SRV records. Specify the site names in a space-delimited format. The site names have the following format, in which the <site name> component must be present and the <priority> and <weight> components are optional. The <priority> and <weight> components must be numeric string values.

<site name>:<priority>:<weight>

If disabled or not configured, no site-specific SRV records will be registered.

Priority set in Pro Enterprise Server Locator DNS records

Configure the Priority field in the SRV resource records registered by Pro Enterprise Server to which this setting is applied. These DNS records are dynamically registered by Pro Enterprise Server and are used by DigitalPersona Pro Workstation to locate Pro Enterprise Server. The Priority field in the SRV record sets the preference for target hosts specified in the SRV record Target field. DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed.
If enabled, configures the Priority in the Pro Enterprise Server Locator DNS SRV resource records. Specify a value between 0 and
If disabled or not configured, computers use a default priority of 0.

Weight set in Pro Enterprise Server Locator DNS records

Configure the Weight field in the SRV resource records registered by Pro Enterprise Server to which this setting is applied. These DNS records are dynamically registered by Pro Enterprise Server, and they are used to locate Pro Enterprise Server. The Weight field in the SRV record can be used in addition to the Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV record's Target field and set to the same priority. The probability with which the DNS client randomly selects the target host to be contacted is proportional to the Weight field value in the SRV record.

If enabled, configures the Weight in the Pro Enterprise Server Locator DNS SRV records. Specify a value between 0 and
If disabled or not configured, computers use a default weight of 100.

Register Pro Enterprise Server Locator DNS records for domain

Configure whether or not Pro Enterprise Server will dynamically register Pro Enterprise Server Locator domain-specific SRV records for the domain it belongs to. The DNS records are dynamically registered by Pro Enterprise Server, and they are used by DigitalPersona Pro Workstation to locate Pro Enterprise Server.

If enabled or not configured, computers dynamically register Pro Enterprise Server Locator domain-specific DNS SRV records. If disabled, computers will not register the domain-specific Pro Enterprise Server Locator DNS SRV records for the domain they belong to, and register only site-specific records.

Dynamic registration of Pro Enterprise Server Locator DNS records

Configure whether or not dynamic registration of Pro Enterprise Server Locator DNS resource records is enabled. These DNS records are dynamically registered by Pro Enterprise Server and are used by DigitalPersona Pro Workstation to locate Pro Enterprise Server.

If enabled or not configured, computers will dynamically register Pro Enterprise Server Locator DNS resource records through dynamic DNS update-enabled network connections. If disabled, computers will not register Pro Enterprise Server Locator DNS resource records.
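The site-list format and the Priority/Weight selection rule described above, modelled in an added Python example (this is not code from the guide or from DigitalPersona). It assumes that an entry omitting its priority or weight falls back to the defaults the guide gives for the separate Priority and Weight settings (0 and 100); the site names are constructed sample values.

```python
"""Model of the Pro Enterprise Server Locator SRV settings: parse the
space-delimited '<site name>:<priority>:<weight>' list and apply the
DNS-client rule (lowest Priority first, then Weight-proportional random
choice among targets sharing that priority)."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional

# Defaults the guide gives for the separate Priority and Weight settings.
# ASSUMPTION: an entry that omits a component falls back to these values.
DEFAULT_PRIORITY = 0
DEFAULT_WEIGHT = 100


@dataclass(frozen=True)
class SrvTarget:
    name: str        # site name from the setting (or a host from an SRV record)
    priority: int    # lower number = preferred
    weight: int      # relative share among targets with equal priority


def parse_site_entry(entry: str) -> SrvTarget:
    """Parse one entry of the form <site name>[:<priority>[:<weight>]]."""
    parts = entry.split(":")
    if not 1 <= len(parts) <= 3 or not parts[0]:
        raise ValueError(f"malformed site entry: {entry!r}")
    numeric = parts[1:]
    for field in numeric:
        # The guide requires numeric string values for priority and weight.
        if not field.isdigit():
            raise ValueError(f"non-numeric value {field!r} in entry {entry!r}")
    priority = int(numeric[0]) if len(numeric) >= 1 else DEFAULT_PRIORITY
    weight = int(numeric[1]) if len(numeric) >= 2 else DEFAULT_WEIGHT
    return SrvTarget(parts[0], priority, weight)


def parse_site_list(setting: str) -> List[SrvTarget]:
    """Parse the whole space-delimited value of the 'Sites covered' setting."""
    return [parse_site_entry(entry) for entry in setting.split()]


def select_target(targets: List[SrvTarget], rng: random.Random) -> Optional[SrvTarget]:
    """Choose the target a DNS client would contact first.

    Only targets with the lowest priority number are candidates; among them
    the pick is random with probability proportional to Weight.
    """
    if not targets:
        return None
    lowest = min(t.priority for t in targets)
    candidates = [t for t in targets if t.priority == lowest]
    total = sum(t.weight for t in candidates)
    if total == 0:
        return rng.choice(candidates)  # all weights zero: uniform choice
    pick = rng.randrange(total)        # integer in [0, total)
    running = 0
    for candidate in candidates:
        running += candidate.weight
        if pick < running:
            return candidate
    return candidates[-1]              # not reachable; satisfies the return type


def contact_order(targets: List[SrvTarget], seed: int = 0) -> List[SrvTarget]:
    """Order in which a client would try targets if earlier ones are unreachable."""
    rng = random.Random(seed)
    remaining = list(targets)
    order: List[SrvTarget] = []
    while remaining:
        chosen = select_target(remaining, rng)
        order.append(chosen)
        remaining.remove(chosen)
    return order


def selection_frequencies(targets: List[SrvTarget], trials: int = 10000,
                          seed: int = 1) -> Dict[str, float]:
    """Empirical share of first-contact picks per target (seeded, reproducible)."""
    rng = random.Random(seed)
    counts = {t.name: 0 for t in targets}
    for _ in range(trials):
        counts[select_target(targets, rng).name] += 1
    return {name: count / trials for name, count in counts.items()}


if __name__ == "__main__":
    # Constructed sample value for the setting: HQ with defaults, plus two
    # branch sites at priority 10 where Branch1 should get twice Branch2's share.
    sites = parse_site_list("HQ Branch1:10 Branch2:10:50")
    for site in sites:
        print(site)
    print("first-contact shares:", selection_frequencies(sites))
    # Drop HQ to see how load splits among the equal-priority branch sites.
    print("branch shares:", selection_frequencies(sites[1:]))
```

With HQ present it is always contacted first; only when every priority-0 target is unreachable does the weighted split between the branch sites come into play.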
User Configuration\Policies\Software Settings

DigitalPersona Pro Client (Summary)

During installation, DigitalPersona Pro Enterprise places a folder under the User Configuration\Policies\Software Settings\DigitalPersona Pro Client folder containing policies and settings that may be applied to users. The policies and settings in this table only affect users on supported DigitalPersona Pro Enterprise clients.

Category/Subcategories    Setting name                    Page
Security/Authentication   Session Authentication Policy   125
Security/Enrollment       Self Enrollment Policy          126

DigitalPersona Pro Client (Detail)

Security/Authentication

Settings that define DigitalPersona Pro Enterprise authentication policies are stored at: User Configuration/Policies/Software Settings/DigitalPersona Pro Client/Security/Authentication.

Session Authentication Policy

The Session Authentication Policy defines the credentials that may be used to access Security applications during a Windows session. By default, all supported credentials are listed on the tab. Any of the listed credentials or credential combinations (Permitted Credentials) may be used for authentication in the Session Authentication Policy.

1 In the Group Policy Management Editor, click Session Authentication Policy at the following location: Computer Configuration/Policies/Software Settings/DigitalPersona/Security/Authentication.

2 On the Session Policy tab, make any desired changes. To edit or delete a credential from the list, click the arrow that appears to the right of the credential.
To add a credential to the list, click Add at the top of the list.

3 Click Apply.

Security/Enrollment

Settings that define DigitalPersona Pro Enterprise enrollment policies are stored at: User Configuration/Policies/Software Settings/DigitalPersona Pro Client/Security/Enrollment.

Self Enrollment Policy

This policy determines the credentials that may be used for self enrollment on a client workstation. If enabled, only the specified credentials may be used for self enrollment. If disabled or not configured, any installed and supported credentials may be used. Note that this setting takes precedence over the computer-level Self Enrollment Policy setting.
User Configuration\Administrative Templates

DigitalPersona Pro Client (Summary)

During installation, DigitalPersona Pro Enterprise places a folder under the User Configuration\Administrative Templates\DigitalPersona Pro Client folder containing policies and settings that may be applied to users. The policies and settings in this table only affect users on supported DigitalPersona Pro Enterprise clients.

Category/Subcategories                  Setting name                    Page
Managed applications/Password Manager   Allow use of personal logons    127
                                        Managed logons                  127
Security/Authentication                 Session Authentication Policy   128

DigitalPersona Pro Client (Detail)

Managed applications

Password Manager

Allow creation of personal logons

Allows users to create and use personal logons for websites and programs. If enabled or not configured, personal logons are available. If disabled, personal logons are not available.

Managed logons

Configure settings for managed logons, which govern access to account data and deployment to users.

Allow users to view managed logon passwords: If enabled or not configured, users are allowed to view their managed logon passwords after verifying their identity. If disabled, users are not allowed to view managed logon passwords.

Allow users to edit account data: If enabled or not configured, users can edit their account data. If disabled, users cannot edit account data.

Allow users to add account data: If enabled or not configured, users can add to their account data. If disabled, users cannot add new account data.
Allow users to delete account data: If enabled or not configured, users can delete their account data. If disabled, users cannot delete account data.

Path(s) to the managed logons folder(s): If enabled, the logons are copied to the computers that have this setting applied. You can specify multiple folders by separating the paths with a pipe character ( | ). If disabled or not configured, no copy operation will be performed.

Security (versions previous to 5.2)

Authentication

WARNING: The authentication setting described below is included for compatibility with Pro Enterprise versions prior to 5.2. It is located under the User Configuration\Policies\Administrative Templates\DigitalPersona Pro Client\Security\Authentication node. Versions of Pro Enterprise 5.2 and above use new authentication settings, in a new AD location, located under the User Configuration\Policies\Software Settings\DigitalPersona Pro Client\Security\Authentication node (see page 101). Once all client workstations in your environment have been upgraded to 5.2, this setting should be set to Not Configured.

Session Authentication Policy

Defines the credentials that may be used to access Pro security applications during the Windows session. If enabled, only the specified combination of credentials in the Policy can be used for authentication. If disabled, the user is not prompted to authenticate by DigitalPersona Pro security applications during the Windows session. This configuration provides Single Sign-On functionality: the user logs on to Windows and gains access to all security applications without being prompted to authenticate for each application. If not configured, any of the installed authentication devices can be used for authentication.
Chapter 12 - Single Sign-On

Single Sign-On (SSO) is a feature of DigitalPersona Pro that allows IT administrators to simplify user logon to DigitalPersona Security Applications and enterprise applications, including traditional Windows applications, websites and web applications, terminals, and Citrix or similar thin client solutions, without needing to modify existing processes. Single Sign-On supports multiple authentication credentials in configurable combinations in order to provide the utmost flexibility in customizing the feature to your environment.

Configuring Single Sign-On

Configuration of Single Sign-On requires two steps.

1 Disable the Session Authentication Policy setting for the computers where you want to implement SSO.

2 Create managed logons for any resources that you want users to be able to access during a Windows session without needing to provide additional authentication. These logons must have their Start Authentication Immediately property set to Yes when they are created by the administrator.

Disable Session Authentication

In Active Directory, disable Session Authentication for the OU (or domain) where you want to use SSO.

1 In the Group Policy Management Editor, click Session Authentication Policy at the following location: Computer Configuration/Policies/Software Settings/DigitalPersona/Security/Authentication.

2 On the Session Policy tab, select Disabled.

Create managed logons

The actual creation of managed logons is covered in the DigitalPersona Password Manager Application Guide, and is beyond the scope of this topic. However, in order to implement SSO, the managed logon for each resource that will be part of SSO must use the Start Authentication Immediately setting. When creating a managed logon for a resource, on the Logon Screen Properties page of the Logon Screen Wizard, choose Yes for the Start Authentication Immediately setting.
Note that this must be used in conjunction with disabling the Session Authentication Policy in order to create an SSO experience. If the Session Authentication Policy is not disabled, authentication will start immediately, but the user will still be prompted for additional authentication.
Chapter 13 - GPMC Extensions

Overview

DigitalPersona Pro Enterprise Server and its associated workstation clients use GPMC extensions, installed under the Software Settings and Administrative Templates nodes, to link product policies and settings to Active Directory containers. These policies and settings are described in the chapter Policies and Settings on page 99.

The GPMC Extensions component includes the Administrative Templates listed in the table below, and the following extensions, which are not actually Administrative Templates (i.e. .admx/.adm files) but provide additional policies and settings in basically the same manner.

Authentication Policy extension - Settings for specifying the credentials that may be used to log in to Windows and to log in to DigitalPersona security applications during the Windows session.

Kiosk Administration extension - Settings for configuring the Kiosk Shared Account and additional kiosk-specific settings.

Additional extensions or templates may be provided as new components are released, and will be specified in the readme file for each component.

Extensions are .admx for Windows Server 2008 or Windows Vista (and later), and .adm for all other supported versions of Windows. Adding an administrative template to a container applies the DigitalPersona Pro Enterprise policies and settings to the computers and users in that container.

For instructions on installing these extensions, see GPMC Extensions on page 57. For a complete listing of the policies and settings provided by the GPMC extensions, see the topic Policies and Settings on page 99.

File Name (adm/admx)   Description

DPPro5Root             DigitalPersona Pro Administrative Template - Creates a root-level folder and categories for all DigitalPersona Pro products, and if not already present, is installed automatically with any DigitalPersona Pro product.

DPPro5Server           DigitalPersona Pro Enterprise Server Administrative Template - Apply to Active Directory GPOs where it can be distributed to Domain Controllers running DigitalPersona Pro Enterprise Server.

DPPro5Client           DigitalPersona Pro Workstation for Enterprise Administrative Template - Apply to Active Directory GPOs where it can be distributed to computers running DigitalPersona Pro Workstation for Enterprise. It can also be applied to a local GPO for a standalone installation of DigitalPersona Pro Workstation for Enterprise.

DPPro5ClientKiosk      DigitalPersona Pro Kiosk for Enterprise Administrative Template - Apply to Active Directory GPOs where it can be distributed to computers running DigitalPersona Pro Kiosk for Enterprise. It can also be applied to a local GPO for a standalone installation of DigitalPersona Pro Kiosk for Enterprise.

DPPro5IDServer         DigitalPersona Pro Enterprise ID Server Administrative Template - Apply to Active Directory GPOs where it can be distributed to Domain Controllers running DigitalPersona Pro Enterprise Server.

DPPro5ClientAuthPol    DigitalPersona Pro Enterprise Server Authentication Policies Administrative Template - Apply to Active Directory GPOs where it can be distributed to computers running DigitalPersona Pro Workstation for Enterprise. It can also be applied to a local GPO for a standalone installation of DigitalPersona Pro Workstation for Enterprise.

DPPasswordManager      DigitalPersona Password Manager Administrative Template - Apply to Active Directory GPOs where it can be distributed to computers running DigitalPersona Password Manager.

DPPrivacyManager       DigitalPersona Privacy Manager Administrative Template - Apply to Active Directory GPOs where it can be distributed to computers running DigitalPersona Pro Privacy Manager.

DPPro5EvForwarding     DigitalPersona Reporter Administrative Template - Apply to Active Directory GPOs where it can be distributed to computers running DigitalPersona Pro Enterprise clients.

DPPro5OneTouchLock     DigitalPersona One Touch Unlock Administrative Template - Apply to Active Directory GPOs where it can be distributed to computers running DigitalPersona Pro Enterprise clients.

Implementation Guidelines

Before you add any Administrative Templates to your GPOs, give some thought to your Active Directory structure, where GPOs are placed, and which GPOs the Administrative Templates should be added to.
Policy configuration needs will vary from network to network, and specific policy recommendations are beyond the scope of this guide. You may want to refer to Microsoft's documentation on Group Policy Object configuration for more information.

Organizational Units and GPOs
Although the use and configuration of organizational units and GPOs varies widely among corporations, we have provided some general guidelines for structuring Active Directory organizational units. There are two key factors in deciding how to structure your network:

How you group your users and computers, and
Where the DigitalPersona Pro GPOs are set.

For example, if users and computers are to be grouped according to authentication policies, you should group them into separate OUs (Organizational Units) and then set specific GPOs for each OU. However, when authentication policies within organizational units vary, as they often do between department heads and subordinates, you should group your users and/or computers into child organizational units reflecting the necessary authentication needs. Structuring your organizational units based on authentication policies is the easiest way to administer DigitalPersona Pro.

1 Plan your network structure by identifying the settings you intend to configure.
2 Determine whether to apply the settings to all users and computers in a site or domain, or just to the users and computers in an organizational unit.
3 Create the organizational units required to implement your design.
4 Add the respective users and computers to the organizational units.

GPO behavior

Here are a few guidelines to keep in mind when configuring DigitalPersona Pro GPOs.

If a GPO setting is not configured, the default value set in the software is used.
If a superior (higher-level) GPO has a value for a setting and a subordinate GPO has a conflicting value for that setting, the setting in the subordinate GPO is used.
If a GPO has a value for a setting and a subordinate (lower-level) container has the GPO setting with no value, the setting in the superior (higher-level) GPO is used.
GPOs can only be applied to the three Active Directory containers: sites, domains and organizational units; not to users or computers.
A single GPO can be applied to one or more containers.
A GPO affects all users and computers in the container it is applied to, and in its subcontainers.
The DigitalPersona GPO settings apply only to computers with DigitalPersona software installed on them.

In very basic Active Directory deployments, you can simply create a DigitalPersona GPO, linked at the domain, and set the DigitalPersona Pro Enterprise Server and Pro Workstation settings there for all users and computers alike.
Install Workstation Administrative Templates Locally

For local administration of a DigitalPersona Pro Workstation, the Workstation Administrative Templates (DPPro5Client and DPPro5ClientAuth) can be added to the local policy object of any computer running DigitalPersona Pro Workstation by using the Microsoft Management Console (MMC) Group Policy Editor.

To add the Workstation Administrative Template locally

1 On the Start menu, click Run. Type gpedit.msc and press Enter to launch the Group Policy Editor.
2 Right-click the Administrative Templates folder and select Add/Remove Templates on the Administrative Templates folder shortcut menu.
3 Click the Add button on the Add/Remove Templates dialog box, and then locate and select the DPPro5Client and DPPro5ClientAuth files from the default administrative templates directory. On Windows Server 2003, this folder is C:\Windows\inf. On Windows Server 2008, the folder is X:\Windows\PolicyDefinitions.
4 Click Close.
Chapter 14 - Recovery

DigitalPersona Pro Enterprise provides full recovery options to administrators for enabling users to regain access to their Windows user accounts and computers. This chapter includes the following main topics.

Topic                    Page
User recovery            134
Computer recovery        135
Account lock recovery    135

User recovery

Installation of DigitalPersona Pro Enterprise or the DigitalPersona ADUC Snap-in adds the Recover User command to Active Directory's context menu for a user in the Active Directory Users and Computers console. This command enables recovery of the user's access to their Windows account by a one time access code available through a link on the Windows logon screen.

To recover a user

DigitalPersona Pro Enterprise provides a means to easily recover access to a computer where a user is unable to access their account, and needs one time access to the pre-boot environment and their Windows account.

1. The user contacts your helpdesk and provides their Windows user account name. A Pro Enterprise administrator assists them in recovering their user access.
2. The administrator locates the user in Active Directory, right-clicks the user and selects Recover User, which launches the Recover access wizard.
3. The administrator transmits the displayed Recovery account name and password to the user. This will enable them to authenticate at the pre-boot level. Upon use, this password is automatically changed.
4. The user enters the provided information, gaining access to the computer at the pre-boot level.
5. At the Windows logon screen, the user clicks their user tile. On their user tile screen, they click the One time access link.
6. The user transmits the displayed Security Key to the administrator.
7. The administrator clicks Next, enters the Security Code and clicks Next again.
8. Pro Enterprise displays a One time access code, which is transmitted to the user.
9. The user types the One time access code and clicks OK, gaining access to their Windows account.
Computer recovery

In Active Directory, installation of DigitalPersona Pro Enterprise or the DigitalPersona ADUC Snap-in adds the Recover Computer command to Active Directory's computer object context menu. This command can be used to easily recover access to a computer where a user has been locked out during pre-boot authentication.

To recover a computer from a pre-boot lockout

1. The user contacts your helpdesk for assistance in recovering from a pre-boot lockout. A Pro Enterprise administrator assists them in recovering their user access.
2. The administrator locates their computer in Active Directory, right-clicks on the computer and selects the Recover Computer command.
3. The Computer Recovery wizard launches, displaying recovery information for the computer.
4. The administrator transmits the displayed Recovery Account name and password to the user. This will enable them to authenticate at the pre-boot level. Upon use, this password is automatically changed.

Account lock recovery

When a user exceeds the permissible number of authentication attempts (as defined in the Windows security policy) with a fingerprint credential, they are automatically locked out of their account. A locked out account cannot be used until it is reset by an administrator or until the account lockout duration has expired. When an account is unlocked by an administrator, the account becomes immediately available for fingerprint authentication from all computers, or after the next replication interval if there are multiple domain controllers.

To unlock a Windows user account

1 Ensure that you have the required permissions to modify the user account.
2 In Active Directory Users and Computers, right-click on the user name and select Properties.
3 Click the DigitalPersona Pro tab.
4 Clear the Account is locked out for fingerprint authentication checkbox. This checkbox is for unlocking accounts and cannot be used by an administrator to lock an account.
If the account is unlocked, the checkbox is disabled.
5 Click OK to close the dialog box and save the changes.

The administrator can choose to set less strict lockout settings by reducing the lockout duration or the counter reset time through Windows security settings.
Chapter 15 - Pro Reports

DigitalPersona Pro Reports provides a wide variety of pre-configured, template-based reports for managers, administrators and auditors. These reports include detailed information on managed computers, users, SSO events and specific reports addressing HIPAA, PCI and SOX compliance. Pro Reports is an add-on component available from DigitalPersona or your authorized reseller.

Overview

DigitalPersona Pro Reports automatically forwards all events generated by Pro Enterprise clients (versions 5.4 and above) to a designated Collector computer via the Windows Event Forwarding mechanism. The Pro Ent Report Event import task, which runs every fifteen minutes starting on the hour, parses the forwarded events and populates an SQL database. Events are then available to be viewed through the DigitalPersona Pro Reports web console (see page 139).

Activity events are logged whenever a designated activity occurs on the client. For a complete listing and description of all events, see the chapter Pro Events beginning on page 145.

There are some events that are not automatically written to the local Windows Event log. Logging of these events requires additional configuration through selection of the Log Status Events checkbox of the Level of detail in event logs GPO setting (see page 111). These events provide information about the state of various policies and components on client computers. The interval at which status events are reported can also be configured through the GPO. Logging status events at small time intervals may consume system resources and fill up your Forwarded Events log very quickly.

All logged DigitalPersona Pro client events are written to the local Windows Event Log with a root name of DigitalPersona\Pro. The channel name includes the name of the component that logs the events.
Currently, the following Component names are defined:

Component name      Description
Core                A general log for all DigitalPersona component events not assigned to a more specific channel.
Logon               User logon/logoff and lock/unlock events.
Password Manager    Managed logon events created by the use of the Password Manager application.

Future components may provide their own channel names, creating a separate Component log under DigitalPersona\Pro. Currently, all the events are written into the Operational log under the Component folder.
Event logging happens on the client workstation whether or not event forwarding to the Collector computer has been enabled and set up. If the DigitalPersona Reporter Event Forwarding setting (see page 112) has been enabled, then events are forwarded to the Forwarded Events log folder on the computer where DigitalPersona Pro Reports is installed. The events are logged in the Event Viewer\Windows Log\Forwarded Events folder.

In order to use DigitalPersona Pro Reports, the component first needs to be set up.

Setting up DigitalPersona Pro Reports

Setting up DigitalPersona Pro Reports includes the following tasks:

1 Verify that the Pro Enterprise server is licensed.
2 Configure Active Directory GPO settings for event forwarding on the domain controller.
3 Install and configure DigitalPersona Pro Reports on the computer where the events will be collected. This computer should not be a domain controller and should not have DigitalPersona Pro Enterprise Server installed on it.

Verify licensing

You can verify license activation in the GPME (Group Policy Management Editor) under Computer Configuration, Policies, Software Settings, DigitalPersona, Licenses.

Configure GPO settings

Configure the following Active Directory GPO settings.

1 Enable the DigitalPersona Pro Reports Event Forwarding setting. This setting is located in the GPME at Administrative Templates\DigitalPersona Pro Client\Event Logging\DigitalPersona Pro Reports.
2 Enable and configure the Level of detail in event logs setting. This setting is located at Administrative Templates\DigitalPersona Pro Enterprise Server\Event logging.
3 Enable and configure the Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager setting. This setting is located in the GPME at Administrative Templates\Windows Components\Event Forwarding.
   Enable the setting.
   Click Show, then click Add.
   Enter the following string, where <computer name> is the name of the computer where DigitalPersona Pro Reports will be installed.

   Server=http://<computer name>.<domain name>:5985/wsman/subscriptionmanager/WEC,Refresh=10

   Click OK to close the dialog.
Install and configure Pro Reports

DigitalPersona Pro Reports may be installed on any computer that is a member of the domain and meets the following requirements.

Is running Windows Server 2008 (32/64-bit) or Microsoft Windows 7 (32/64-bit)
Does not have DigitalPersona Pro Enterprise Server installed on it
The computer name must not include underscores, for example TEST_0250.
The computer must not be a domain controller.

Installation

The installation file for DigitalPersona Pro Reports is located in the root directory of the DigitalPersona Pro Reports product package. Be sure to check the readme.txt file for any updated information prior to installing Pro Reports.

1 Start the installation wizard by launching setup.exe.
2 Follow the onscreen instructions.
3 You will be prompted either to use an existing SQL Server 2008 instance (RTM, R2 SP1, Express RTM or R2 SP1 Express) or, if no such instance is detected, to install SQL Server 2008 R2 Express Edition.
4 Internet Information Services (x86) will be installed.
5 The installation will place a shortcut to the DigitalPersona Pro Reports web console on your desktop.
Web console

The DigitalPersona Pro Reports web console allows you to generate, view and schedule reports based on the activity and status events generated by DigitalPersona Pro Enterprise clients. Pro Reports provides powerful pre-configured templates for quickly and easily creating various types of reports, as shown in the illustration below.

The URL for the Pro Reports web console is:

The Pro Reports web console supports the following web browsers.

Internet Explorer 6-10
Google Chrome
Mozilla Firefox 4-16

Note that when creating or editing reports, you must click the Save or Run Now buttons to save any new or modified information.
Creating a report

To create a new report

1 On the main Pro Reports page, click a report type under one of the listed categories.
2 Within the report type, select a template.
3 By default, the report name and description are filled in with the template name and description. You can also click on the name or description to personalize your reports.
4 Select from the available parameters to build the query for your report. Parameters will vary for different reports.
5 In the image on the previous page, the End Date would be the last date you want included in the report. Select from the Limit Data by dropdown to indicate how far back you would like to report data from; for example, an End Date of today and a Limit Data by selection of End Date - 1 day would give you data from the beginning of yesterday ( ) to the current time today. When scheduling a report, you will enter the date ranges to be used for the subscriptions.
6 (Optional) To report on data for all Pro-managed computers, leave the Computer name field blank. To report on data for a single Pro-managed computer, enter the computer name.
7 To run the report, click Run now.

Note that data entered in the fields on this form is not automatically saved as you move from field to field. If you close a tab or browser window before saving or running a report, your data will be lost.

Creating a new subscription

Subscriptions can be created from one or more reports scheduled to be run at regular intervals. They may be created either during the initial definition of the report, or later, by opening a report and clicking one of the links available to create a new subscription or to add the report to an existing subscription (see page 143).

To create a new subscription from a report

1 From the previously created report's page, click Create a new subscription (see the image on the previous page).
2 Enter a name for the subscription and (optionally) a description.
3 Click Create.
4 Enter the e-mail address that you want the report to be sent to. You can also enter multiple e-mail addresses, separated by semicolons.
5 Enter a subject for the e-mail that recipients will receive when they get the report.
6 By default, the subscription is enabled. To disable the subscription, i.e. stop the report from running, deselect the Enabled checkbox.
7 Enter the beginning and ending dates for the subscription. The report(s) in this subscription will be run beginning on the From date until the To date.
8 Indicate specific parameters to be used when determining how often the report(s) are to be run. By default, the report(s) will be run daily during the selected time period.
9 For example, to run the report for a year (as defined in the above image) on the first Monday of the month, deselect the weeks and days when you do not want to run the report.
10 Enter the time when you want the report to be run.
11 Click the Reporting Tools tab to return to the main Pro Reports page. Your new subscription will be listed under My subscriptions.
Adding a report to an existing subscription

To add a report to an existing subscription

1 From the main Pro Reports page, click the report that you want to add.
2 Click add report to an existing subscription.
3 Select the subscription that you want to add the report to.
4 The report will be added to the selected subscription.

Editing a subscription

To edit a subscription

1 From the main Pro Reports page, click the subscription you want to revise.
2 Click one of the reports in the subscription to edit the query details.
3 Revise subscription details as required. Changes are saved automatically.

Bookmarking a report

To bookmark a report

1 On the main Pro Reports page, hover over the name of the report.
2 Click the bookmark icon.

Deleting a report or subscription

To delete a report or subscription

1 On the main Pro Reports page, hover over the name of the report or subscription.
2 Click the X that displays to the right of the report or subscription name.
Chapter 16 - Pro Events

DigitalPersona Pro and its security applications write events to the Windows Event Log when significant activities occur, along with a date and time stamp indicating when they occurred.

By default, all DigitalPersona Pro events are logged, except for those that report the status of applications, components or devices. These are identified by "(Status event)" next to the event name in the following pages.

Activity events are classified into the following categories (the Task Category number of each is given in its section below):

  Credential Management (Task Category 256)
  User Management (Task Category 512)
  Secret Management (Task Category 768)
  Service Management (Task Category 1024)
  Password Manager (Task Category 1536)
  Credential Authentication (Task Category 2048)
  DNS Registration (Task Category 2304)
  Deployment (Task Category 4096)
  Windows Logon (Task Category 4864)

Events are listed in tables under each category in the following sections. For each event, information is shown indicating where the event is logged (on the Pro Server, Srvr, or on a client workstation, Wks) and at what level of logging the event is reported. For example, if an event is shown as logged on the workstation (Wks) at the Dt (Details) level, it will not be written to the log unless the Details level is specified in the Level of detail in event logs GPO setting governing that computer (see page 111).

Note that logging levels are inclusive, i.e. the Audit level includes all Error level messages, and the Details level includes all Audit and Error level messages.
Credential Management

Task Category: 256

These events may be generated during credentials management.

Event                                           Level
-------------------------------------------------------
Failed to enroll credential                     A
Credential enrolled                             A
Failed to unenroll credential                   A
Credential unenrolled                           A
Failed to recover user record                   E
Failure of user credential consistency check    E

Level: E = Error, A = Audit, Dt = Details

User Management

Task Category: 512

These events may be generated during user management.

Event                                               ID    Srvr  Wks
--------------------------------------------------------------------
Cannot update User Account Control Flags                  E
User Account Control Flags were updated             528   A     -
User account was unlocked                           529   A     -
User password was randomized                        530   A     -
Pro User added to the database                      531   A     -
Cannot add Pro User to the database                 532   E     -
Pro User deleted from the database                  533   A     -
Cannot delete Pro User from the database            534   E     -
User account was unlocked using Password Reset      535   A     E

Level: E = Error, A = Audit, Dt = Details
Secret Management

Task Category: 768

These events may be generated during Secret management.

Event                                                      ID    Srvr  Wks
---------------------------------------------------------------------------
Failure of %1 secure application data consistency check    769   E     E
Failed to delete secure application data                   770   E     E
Secure application data deleted                            771   A     A
Failure to release secure application data                 772   E     E
Secure application data released                           773   A     A
Failure of secure application data signature check         774   E     E
Failed to store secure application data                    775   E     E
Secure application data stored                             776   A     A
Failed to synchronize secure application data              779   E     -
Secure application data is synchronized                    780   A     -

Level: E = Error, A = Audit, Dt = Details

Service Management

Task Category: 1024

These events may be generated during the management of system operations.

Event                                                                        ID     Srvr  Wks
----------------------------------------------------------------------------------------------
Failed to start DigitalPersona Authentication Service                        1029   E     E
DigitalPersona Authentication Service started                                1030   A     A
DigitalPersona Authentication Service stopped                                1031   A     A
Failed to reset DigitalPersona Authentication Service configuration parameter 1032  A     A
DigitalPersona Authentication Service configuration parameter reset          1033   A     A
Event                                                                        ID     Srvr  Wks
----------------------------------------------------------------------------------------------
Failed to update DigitalPersona Authentication Service configuration parameter 1034 A     A
DigitalPersona Authentication Service configuration parameter updated        1035   A     A
DNS registration of the server failed - Client workstations will not be
  able to locate the server                                                         E     -
Removal of DNS record failed                                                        E     -
Remote DNS server cannot be reached                                                 E     -
No remote DNS servers available                                                     E     -

Level: E = Error, A = Audit, Dt = Details

Password Manager

Task Category: 1536

These events are generated when personal or managed logons are used, or logon account data is modified. The two level columns refer to personal and managed logons on the workstation.

Event                                           ID     Personal  Managed
--------------------------------------------------------------------------
CRC check failure in %                                 Dt        A
Logon created                                   1549   Dt        A
Logon modified                                  1550   Dt        A
Logon deleted                                   1551   Dt        A
Password change has been canceled by user       1552   Dt        Dt
Fillin was performed                            1553   Dt        A
Account data could not be modified              1554   E         E
Account data was successfully modified                 Dt        A
Account data was successfully entered                  Dt        A
Account data was successfully deleted                  Dt        A

Level: E = Error, A = Audit, Dt = Details
Credential Authentication

Task Category: 2048

These events may be generated during the authentication of credentials.

Event                                              Srvr  Wks
-------------------------------------------------------------
Account is locked for fingerprint verification     E     -
User account is locked                             E     -
Authentication failure                             A     -
Authenticated successfully                         Dt    -
User password was reset                            Dt    -
Failed to identify user                            A     -
User identified                                    Dt    -

Level: E = Error, A = Audit, Dt = Details

DNS Registration

Task Category: 2304

These events may be generated during DNS registration.

Event                                                                       ID     Srvr  Wks
---------------------------------------------------------------------------------------------
Registration of the server failed. (Clients will not be able to locate
  the server.)                                                              2306   E     -
Removal of DNS record failed                                                       E     -
Remote server cannot be reached                                                    E
No remote servers available                                                        E

Level: E = Error, A = Audit, Dt = Details
Deployment

Task Category: 4096

These events may be generated during license management operations.

Event                                                                  ID     Srvr  Wks
----------------------------------------------------------------------------------------
The service is licensed for %1 users. (No more users can be registered
  at this time because the license quota has been exceeded.)           4097   E
The service is licensed for %1 users. (%2 users are already
  registered.%n The license quota is nearly exceeded.)                        A     -
License activation status
Computer set to Standard mode                                                 A
User license uninstalled                                                      A
User license installed                                                        A
Failed to install user license(s)                                             E
Software installed                                                            A     -
Software uninstalled                                                          A     -
List of product(s): Applications enabled

Level: E = Error, A = Audit, Dt = Details

Windows Logon

Task Category: 4864

These events may be generated during Logon operations.

Event                                        Level
---------------------------------------------------
Credentials verified for logon               A
Credentials verified for unlock              A
Credentials verified for kiosk logon         A
Event                                                Level
-----------------------------------------------------------
Credentials verified for kiosk unlock                A
Computer locked                                      A
User (%1) logged off                                 A
Kiosk computer locked                                A
Kiosk user logged off                                A
There is a problem with the Kiosk Shared Account     E

Level: E = Error, A = Audit, Dt = Details

Authentication Domain Management

Task Category: 2048

These Status events may be generated at specified intervals by selecting Log Status events within the Level of detail in event logs setting (see page 111). Status events provide information about the state of various policies on client computers.

Event                                               ID     Srvr  Wks
---------------------------------------------------------------------
Logon Policy for Users (Status event)               5649   *     -
Logon Policy for Administrators (Status event)      5650   *     -
Session Policy for Users (Status event)             5651   *     -
Session Policy for Administrators (Status event)    5652   *     -
Logon Policy (Status event)                         5653   *     -
Session Policy (Status event)                       5654   *     -

Level: E = Error, A = Audit, Dt = Details

* The logging of Status events is not enabled by default, and must be explicitly enabled by selecting the Log Status Events checkbox.
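The tables above give an administrator what is needed to monitor these events rather than just collect them. The following Python script is an added example, not part of this guide or of the DigitalPersona product: it applies the inclusive logging-level rule described at the start of this chapter and triages a few of the events listed in the tables (repeated account unlocks, secure application data integrity failures, the authentication service failing to start, and the license quota being exceeded). The CSV columns, the sample rows, the time window and the unlock threshold are all constructed for this example; the product does not document an export format here, and only the event IDs and level letters are taken from the tables.

```python
"""Triage of DigitalPersona Pro events exported from the Windows Event Log.

Added example. It assumes the events were exported to a CSV with the
columns TimeCreated, Id and User (constructed format, not documented by
the product). Event IDs and level letters come from the Pro Events tables.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Level letters as used in the guide's tables. Levels are inclusive:
# Audit includes Error, Details includes Audit and Error.
LEVEL_RANK = {"E": 0, "A": 1, "Dt": 2}

# Event IDs and server-side levels listed in the Pro Events chapter.
EVENTS = {
    529: ("User account was unlocked", "A"),
    530: ("User password was randomized", "A"),
    535: ("User account was unlocked using Password Reset", "A"),
    769: ("Failure of secure application data consistency check", "E"),
    774: ("Failure of secure application data signature check", "E"),
    1029: ("Failed to start DigitalPersona Authentication Service", "E"),
    4097: ("License quota exceeded; no more users can be registered", "E"),
}

# Constructed export for the example; not a real DigitalPersona log.
SAMPLE_CSV = """TimeCreated,Id,User
2015-01-27T08:00:00,529,alice
2015-01-27T08:10:00,535,alice
2015-01-27T08:20:00,529,alice
2015-01-27T09:30:00,529,bob
2015-01-27T10:00:00,774,bob
2015-01-27T10:05:00,4097,-
2015-01-27T11:00:00,530,alice
"""


def is_logged(event_level, configured_level):
    """True if an event reported at event_level is written to the log when
    the 'Level of detail in event logs' GPO setting is configured_level."""
    return LEVEL_RANK[event_level] <= LEVEL_RANK[configured_level]


def parse_export(text):
    """Parse the constructed CSV export into rows sorted by time."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.fromisoformat(rec["TimeCreated"]),
            "id": int(rec["Id"]),
            "user": rec["User"],
        })
    return sorted(rows, key=lambda r: r["time"])


def visible_at(rows, configured_level):
    """Keep only rows that would actually have been written at the given
    GPO level; IDs not in EVENTS are kept because they cannot be judged."""
    out = []
    for r in rows:
        info = EVENTS.get(r["id"])
        if info is None or is_logged(info[1], configured_level):
            out.append(r)
    return out


def triage(rows, window=timedelta(hours=1), unlock_threshold=3):
    """Return (kind, user, time) findings worth an administrator's look.
    Window and threshold are illustrative choices, not product defaults."""
    findings = []
    recent_unlocks = defaultdict(deque)  # user -> times of 529/535 events
    for r in rows:
        eid = r["id"]
        if eid in (529, 535):
            q = recent_unlocks[r["user"]]
            q.append(r["time"])
            while q and r["time"] - q[0] > window:   # drop old entries
                q.popleft()
            if len(q) == unlock_threshold:           # fire once on reaching it
                findings.append(("repeated_unlock", r["user"], r["time"]))
        elif eid in (769, 774):
            findings.append(("secure_data_integrity", r["user"], r["time"]))
        elif eid == 1029:
            findings.append(("auth_service_down", r["user"], r["time"]))
        elif eid == 4097:
            findings.append(("license_quota_exceeded", r["user"], r["time"]))
    return findings


if __name__ == "__main__":
    for kind, user, when in triage(parse_export(SAMPLE_CSV)):
        print(f"{when:%Y-%m-%d %H:%M}  {kind:<24}  {user}")
```

Run against the constructed sample, the script reports one repeated-unlock finding for alice, one integrity failure for bob and the license quota event. Note that `visible_at` matters when reading a workstation or server whose GPO level is Error only: Audit-level events such as 529 and 535 will simply not be in that log, so an absence of unlock events there is not evidence that none occurred.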
Chapter 17 - Extended Server Policy Module

The Extended Server Policy Module (ESPM) is a separately purchased and installed server module that adds additional per-user policies to the DigitalPersona tab in the AD user Properties dialog.

These policies specify additional requirements for authentication with biometric credentials (such as fingerprints) when used for authentication during Windows logon and wherever administrator authentication is requested by the software, for example when requesting access to the DigitalPersona Pro Administrative Console.

Note that these settings do not affect the use of biometric credentials for authentication when used with personal or managed logons to websites, applications and network resources.

Installation of the ESPM adds settings to the DigitalPersona tab in the AD user Properties dialog as shown below. Included settings are:

User may only log on with Fingerprint credential
  The user must verify their identity with a fingerprint credential in order to log on to Windows. No other credentials can be used, except for supported recovery options such as Self Password Recovery.

User must provide Fingerprint and PIN to log on
  The user must provide a PIN whenever a fingerprint is used to log on, to unlock the computer or to change their Windows password. The fingerprint PIN option adds another level of security to logging on with a fingerprint.

User must provide Fingerprint and Windows Password to log on
  The user must verify their identity with their fingerprint credential in addition to Windows authentication (a smart card or password according to the Windows policy setting).
Chapter 18 - Utilities

Cleanup Wizard

Although the Add/Remove Programs Control Panel uninstalls DigitalPersona Pro Server software, the user data (such as fingerprint credentials and secure application data) and global domain data remain in Active Directory unless specifically deleted. DigitalPersona provides the DigitalPersona Pro Cleanup Wizard to remove this data. However, if you are planning to reinstall DigitalPersona Pro Server, you may want to retain the user data.

The Cleanup Wizard may be requested from DigitalPersona Technical Support. This wizard provides full cleanup of all DigitalPersona Pro data. For removal of individual user data, see Delete License on page 84.

To run the DigitalPersona Pro Cleanup Wizard

1 Double-click DPCleanup.exe to launch the DigitalPersona Pro Cleanup Wizard.
2 When the installer runs, you are prompted to choose the type of clean up you want to perform:
  Delete DigitalPersona Pro user data. This option removes all DigitalPersona Pro data associated with users on the domain, such as fingerprint credentials and secure application data. If you choose to delete DigitalPersona Pro user data, all users in the domain must enroll their fingerprints again.
  Full clean up. This option removes both DigitalPersona Pro data associated with users on the domain and global data. If you choose full clean up, you must reinstall all DigitalPersona Pro Servers on the domain and run the Active Directory Domain Configuration Wizard again.
3 When prompted to proceed with the removal of DigitalPersona Pro data, click Yes.
4 Choose a location and name for the log file generated during the data removal process.

The wizard will then remove the data from Active Directory; however, you must manually remove any DigitalPersona Pro Group Policy Objects.

Data changes take time to propagate in Active Directory. Do not configure a domain for DigitalPersona Pro Server or reinstall Server software until all changes made by the removal of domain global data are replicated throughout the domain.

Running the DigitalPersona Pro Clean Up Wizard will render all Pro Servers on the domain inoperable. To restore the Pro Server functionality after performing a full cleanup, run the Active Directory Domain Configuration Wizard again, as described in Configure each domain on page 24, and then reinstall Pro Server.
Section Three: Pro Clients

Section Three of the DigitalPersona Pro Enterprise Administrator Guide includes the following chapters:

Chapter                        Purpose
-------------------------------------------------------------------------------------------
19 - Pro Workstation           Describes the features and functionality of the user dashboard common to all DigitalPersona Pro Enterprise compatible clients
Pro Kiosk                      Describes the features and functionality specific to the user dashboard provided in the DigitalPersona Pro Kiosk client
Pro Administrative Console     Describes the features and functionality of the optionally-enabled administrative console common to all DigitalPersona Pro Enterprise compatible clients except for DigitalPersona Pro Kiosk
Chapter 19 - Pro Workstation

This chapter includes the following major topics.

Main topics in this chapter            Page
--------------------------------------------
Getting Started                        156
Managing user credentials              159
Windows authentication                 166
Backing up and restoring your data     169
Setting your preferences               170
ID Card                                171
Learn more                             172

DigitalPersona Pro Enterprise includes support for two workstation clients: DigitalPersona Pro Workstation for Enterprise and DigitalPersona Pro Kiosk for Enterprise.

DigitalPersona Pro Workstation for Enterprise is a robust and fully featured workstation client which allows you to significantly and easily increase the security of computers in your enterprise, as well as centrally manage security applications and features through Active Directory.

DigitalPersona Pro Kiosk is a workstation client specifically designed for environments where shared access to computers and resources is a requirement. It shares most of the same features and functionality as DigitalPersona Pro Workstation for Enterprise, with a few differences as explained in the Pro Kiosk chapter beginning on page 173.

Both clients include a user dashboard that provides access to DigitalPersona Pro Enterprise features and applications for the end-user. This dashboard allows use of integrated Pro Workstation or Kiosk applications, as well as additional end-user applications that may be installed depending on the product package purchased.

DigitalPersona Pro Workstation for Enterprise also includes an integrated Administrative Console that allows the local administrator of a computer to set logon and session policies and other features. This console may be enabled or disabled by the DigitalPersona Pro Enterprise administrator through an Active Directory GPO setting. For further information on the Administrative Console, see the chapter Pro Administrative Console on page 179.

Most of the content in this chapter is written from the end-user perspective, and is also available through the Pro Workstation online help.

Note that the availability of some product features described in this chapter may be limited, or behave differently, as determined by GPO policies and settings described in the Policies and Settings chapter beginning on page 99.
Getting Started

The first time that you log on to your Windows account on a computer equipped with Pro Workstation, you will be prompted to set up your authentication and recovery credentials. The specific credentials available to you will be configured by your administrator.

If your credentials were set up through an attended enrollment process, you may click No at the prompt and select Do not show this message again.

Click Yes at the prompt to launch the Getting Started wizard, which will guide you through the setup process.

1 On the Welcome screen, click Next.
2 Verify your identity by typing your Windows password. Click Next. If you have not previously created a Windows password, you will be required to create one.
3 You will be guided through the process of enrolling all credentials supported on your computer and specified in the Logon and Session policies determined by your local or remote administrator.

Workstation setup

The Getting Started wizard is displayed automatically as the default page in the user dashboard until setup has been completed. To set up your workstation, follow these steps:

1 Read the Welcome screen, and then click Next.
2 Verify your identity by entering your Windows password and then click Next.
  If you have not yet created a Windows password, you are prompted to create one. A Windows password is required in order to protect your Windows account from access by unauthorized persons and in order to use the workstation features.
3 Follow the onscreen instructions for enrolling the credentials authorized by the administrator. Step by step instructions for enrolling each type of credential are also provided in the following pages.
4 On the final page of the wizard, click Finish. The Home page of the user dashboard is displayed.

Opening the dashboard

In DigitalPersona Pro Workstation and Kiosk, you can open the user dashboard in any of the following ways:

  Click Start, click All Programs, click DigitalPersona, and then click DigitalPersona Pro.
  Double-click the DigitalPersona Pro icon in the notification area, at the far right of the taskbar.
  Right-click the DigitalPersona Pro icon, and click Open DigitalPersona Pro.
  Press the hot key combination ctrl+win+h to open the DigitalPersona Password Manager minidashboard.

Using the dashboard

The user dashboard is the central location for easy access to Pro Workstation features, applications, and settings. The dashboard is composed of the following components:

ID Card - Displays the Windows user name and a selected picture identifying the logged on user account.

Security Applications - Displays an expanding menu of links for configuring the following categories of security. Some of the categories shown below may not be present, and will depend on the product package installed.
Home - Provides direct links to the most commonly used features.

Status - Displays the status of installed security applications.

My logons - Provides applications for managing your logons with Password Manager and your credentials with Credential Manager.

Administration - Allows administrators to access the following options:
  Administrative Console - Allows administrators to manage security and users.
  Central Management - Allows administrators to access additional solutions, product updates and messages.

Advanced - Displays commands for accessing additional features, including:
  Preferences - Allows you to personalize Pro Workstation settings.
  Backup and Restore - Allows you to back up or restore data.
  About - Displays version information about Pro Workstation, such as the version number and copyright notice.
Managing user credentials

The credentials that an end-user may use to verify their identity will either be specified through GPO policies and settings (for managed workstations) or by the local administrator in the Administrative Console. Some credentials require the presence of built-in or attached hardware. The following steps will help you to enroll or set up your credentials for use with the product's features and applications.

Self Password Recovery

The Self Password Recovery credential allows you to regain lost access to your computer by answering three security questions from a list previously defined by the administrator. On the Self Password Recovery page, you can enroll or manage your Self Password Recovery credential; for example, change your recovery questions or the associated answers.

In order to use this recovery credential to gain access to a computer, the user must have previously logged on to the same computer at least once with another valid credential.

To set up Self Password Recovery

1 On the Self Password Recovery page, select three security questions, and then enter an answer for each question.
2 Click Create.

Administrators can select different security questions or create custom questions in the Administrative Console, on the Self Password Recovery page under Credential Manager.

After Self Password Recovery is set up, you can access your computer using your personal questions from a Pre-Boot logon screen or the Windows Welcome screen.

This feature is optional, and must be explicitly configured through the Enable Self Password Recovery setting (see page 117).
Enrolling your fingerprints

1 If your computer has a fingerprint reader built in or connected, the Pro Workstation Getting Started wizard guides you through the process of setting up or enrolling your fingerprints.
2 To enroll fingerprints through the dashboard, click Credentials, then Fingerprints.
3 An outline of two hands is displayed. Fingers that have been previously enrolled are highlighted in green. To enroll a fingerprint, click the image of any finger not previously enrolled. To delete a previously enrolled fingerprint, click a highlighted finger on the outline.
4 After selecting a finger to enroll, you are prompted to scan the finger until its fingerprint is successfully enrolled. Upon completion, that finger image will be highlighted in green. Index or middle fingers are preferable. Repeat steps 1 to 4 for another finger.
5 Click Next, and then follow the instructions on the screen.
6 Click Save.

Note that when enrolling fingerprints through the Getting Started wizard, fingerprint information is not saved until you click Next. If you leave the computer inactive for a while, or close the program, the changes you made are not saved.

CAUTION: When using an unlicensed product (such as for evaluation), fingerprints are only stored on the local computer and are not stored in Active Directory.

WARNING: Users should never enroll the same finger under multiple Windows accounts. Doing so will cause the finger to be rejected as a valid credential in any Windows account where it has been enrolled.

Enrolling a PIN

A PIN (Personal Identification Number) is a credential composed of a series of digits. A PIN is often used in combination with another credential to enhance its security. This PIN should not be confused with a Smart Card PIN, which is used as part of a Smart Card credential.

On the Credential Manager, PIN page, you can create a new PIN or change your existing PIN.

To enroll a PIN

1 Type your Windows password. Click Authenticate.
2 Enter the number that you want to use as your PIN.
3 Enter the number again to confirm.
4 Click Enroll.

To change your PIN

1 Type your Windows password or use your current PIN. Click Authenticate.
2 Enter the number that you want to use as your new PIN.
3 Enter the number again to confirm.
4 Click Enroll.
Enrolling scenes for the Face credential

If your computer has a webcam built in or connected to it, and Face has been authorized as an acceptable credential by the administrator, DigitalPersona Pro Workstation for Enterprise prompts you to enroll your Face credential during initial setup of your workstation through the Getting Started Wizard. Enrolling consists of capturing several snapshots of your face at slightly different angles, which then form a single scene. You can also enroll scenes on the Face page under the Credential Manager menu item in the Pro Workstation dashboard.

Note that your Face credential does not roam on the network, and can only be used for authentication on the computer where it was enrolled. Also, a Face credential cannot be the only authorized credential for authentication, and when defining logon or session policies, must be combined with an alternate credential such as a fingerprint, smart card or Windows password.

You must enroll one or more Face scenes in order to use your Face credential. After you have enrolled successfully, you may later enroll new scenes if you have experienced difficulty during logon because one or more of the following conditions have changed:

  Your face has changed significantly since your last enrollment.
  The lighting is quite different from any of your previous enrollments.
  You were wearing glasses (or not) during your last enrollment.

NOTE: If you are having difficulty enrolling scenes, try moving closer to the webcam.

To enroll a scene from the Getting Started wizard

1 On the Face page of the wizard, click Advanced, and then configure additional security. For more information, refer to the topic Advanced User Settings (Face).
2 Click OK.
3 Click Start, or if you have enrolled scenes previously, click Enroll a new scene.
4 If you did not select any additional security options, you are prompted to select an Anti-spoof security option. Follow the on-screen instructions, and then click Next. For more information, refer to Advanced User Settings (Face).
5 Click the Camera icon, and then follow the on-screen instructions to enroll your scene. Be sure to look at your image while the scenes are being captured.
6 Click Next and then click Finish.

To enroll a scene from the Pro Workstation dashboard

1 Open the dashboard.
2 Under My Logons, click Credential Manager, and then click Face.
3 Click Advanced, and then configure additional security. For more information, refer to Advanced User Settings (Face).
4 Click OK.
5 Click Start, or if you have enrolled scenes previously, click Enroll a new scene.
6 If you did not select any additional security options, you are prompted to select an Anti-spoof security option. Follow the on-screen instructions, and then click Next. For more information, refer to Advanced User Settings (Face).
7 Click the Camera icon, and then follow the on-screen instructions to enroll your scene. It is important that you look at your image on the screen as the scenes are being captured.

Advanced User Settings (Face)

These options are also displayed on the Anti-Spoof page if no additional security has been selected.

1 Open the Pro Workstation dashboard.
2 Under My Logons, click Credential Manager, and then click Face.
3 Click Advanced to configure the following security options:

Security tab - Select one of the following options:

  No additional security - Select this option if you do not wish to configure additional security for your face credential.

  Use PIN for additional security - Select this option to require a user-specific PIN that must be entered in addition to the Face Credential. Once a PIN is created, you can select from the following options: Change, Reset, or Remove a PIN.

  Use Bluetooth for additional security - Select this option to pair your Bluetooth-capable phone with your Face credential. During Windows logon, once your face is authenticated, the presence of the paired Bluetooth phone will be verified. If the phone is within range and Bluetooth is enabled on the phone, then you are allowed to log on to Windows. Be sure that Bluetooth is enabled on both the computer and the phone.

  If a Bluetooth-enabled phone is not present, you are prompted to enable the paired Bluetooth phone and restart the logon process. After 30 seconds, the Face Recognition logon window is paused. To initiate the logon process, click the Camera icon. If the Bluetooth-enabled phone is not present, you can use your normal Windows password to log on.

  To pair a phone, click Add. When your Bluetooth device is displayed, select it, and then click Next. Click OK.

Other Settings tab - Select the check boxes to enable one or more of the following options, or clear the check box to disable an option. These settings apply only to the current user.

  Play sound on face recognition events - Plays a sound when face logon succeeds or fails.
164 Chapter 19 - Pro Workstation Prompt to update scenes when logon fails - If face logon is unsuccessful but you enter your password successfully, you may be prompted to save a series of images to increase the chances of successful face logon in the future. Prompt to enroll a new scene when logon fails - If face logon is unsuccessful but you enter your password successfully, you may be prompted to enroll a new scene to increase the chances of successful face logon in the future. Setting up cards and tokens Pro Workstation supports a wide variety of card readers, card credentials and tokens, including smart cards, contactless cards and proximity cards. See the glossary entries for each type of card (beginning on page 194) for a list of supported manufacturers. Instructions for setting up the various types of cards and tokens are given on the following pages. Setting up a smart card If a smart card reader is built-in or connected to the user s computer, the Getting Started Wizard will prompt the user to set up a smart card and enter the smart card PIN (personal identification number). The smart card may also be set up on the Cards and tokens page under Credential Manager in the DigitalPersona user dashboard. NOTE: The administrator must have previously enabled smart cards as an authentication credential, either through the Pro Administrative Console or by GPO, and initialized the card (see Smart card, Administration tab on page 185). To set up a smart card 1 Insert a smart card that has been previously formatted and initialized. 2 Enter the smart card PIN. 3 If you have not authenticated within this session you will need to enter your Windows password to verify your identity. 4 Click Save. To change your smart card PIN 1 Insert a smart card that has been previously formatted and initialized. 2 Select Change your PIN. 3 Enter your old PIN, and then enter and confirm a new PIN. 
4 If you have not authenticated within this session, you will need to enter your Windows password to verify your identity.
5 Click Save.
Setting up a contactless or proximity card

A contactless card is a plastic card with an embedded chip that can be used as a sole authentication credential. A proximity card is a plastic card with an embedded chip that can be used as an authentication credential only in combination with another credential, as specified in the Logon or Session Policy in force.

To set up a contactless card or proximity card
1 Place the contactless card near the reader attached to your computer.
2 If you have not authenticated within this session, you will need to enter your Windows password to verify your identity.
3 Click Save.

Enrolling a Bluetooth device

Any Bluetooth-enabled device discoverable by this software may be used as a credential for authentication when combined with an additional supported credential, as defined by the Logon or Session Policy in force.

All unenrolled and discoverable Bluetooth devices within range are displayed in the bottom portion of the Device table on the Bluetooth page. If an expected device is not displayed, ensure that the device is set to be discoverable.

To enroll a Bluetooth device as a credential
1 Enter your Windows password.
2 Select an unenrolled device from the Not enrolled list.
3 Click Enroll. If the Bluetooth device has not been paired with the computer, you will be asked to pair it, and then the device will be enrolled as a credential. Devices previously paired with the computer will simply be enrolled.

To delete a Bluetooth credential
1 Enter your Windows password.
2 Select a device from the Enrolled list.
3 Click Delete.
Changing your Windows password

Pro Workstation makes changing your Windows password simpler and quicker than doing it through the Windows Control Panel.

To change your Windows password, follow these steps:
1 From the dashboard, click Credentials, and then click Password.
2 Enter your current password in the Current Windows password text box.
3 Type a new password in the New Windows password text box, and then type it again in the Confirm new password text box.
4 Click Change to immediately change your current password to the new one that you entered.

Security Applications Status

The Pro Workstation Applications Status page displays the overall status of your installed security applications. It shows the applications that are set up and the status for each. The summary is displayed automatically when you open the dashboard and click Check the status of the security applications, or when you click Security Applications.

Windows authentication

Once your DigitalPersona Workstation client has been installed, logon to Windows is controlled by the Logon Authentication Policy, set by GPO in Active Directory or through the Administrator Console by a user with administrator privileges on the local computer. For a complete description of logon policies, see Logon Authentication Policy on page 102.

Credentials that may be used to authenticate for Windows logon will be limited to those specified in the policy and supported by the required hardware or software present on the workstation. Some credentials, such as smart cards, need to be set up on the computer through the Administrator Console by someone with
administrative privileges on the computer. Additionally, each credential must be enrolled by the end-user, either on the computer or through Attended Enrollment (see page 94).

The actual process of using your DigitalPersona credentials will vary slightly depending on the type of credential, but generally follows Microsoft usage with the following exceptions.

Smart card authentication

In order to use a contact-type smart card or a Proximity card for logging on to Windows, you must click your user tile on the Windows Logon screen before presenting the card. Then you can insert your smart card for authentication, or use a Proximity card in conjunction with another credential as specified by the Logon Authentication Policy in force. Other types of (non-proximity) contactless cards may be presented directly from the Logon screen for immediate logon to Windows.

Password Manager

Logging on to Windows, websites, and applications is easier and more secure when you use Password Manager. End-users can easily create personal logons with stronger passwords that they don't have to write down or remember, and then log on easily and quickly with any supported credential, such as a fingerprint, smart card, or Windows password.
Administrators can create and deploy managed logons for controlled access to resources and allow or prohibit creation of personal logons by end-users.

Password-protected resources with associated personal logons or managed logons display a Password Manager icon, shown below, in the upper left corner of the screen (Internet Explorer and Firefox) or to the right of the first recognized entry field (Google Chrome).

[Figure: Password Manager Icon for Internet Explorer and Firefox]
[Figure: Password Manager Icon for Internet Explorer and Firefox as displayed on Change Password screens]
[Figure: Password Manager Icon for Google Chrome]
[Figure: Password Manager Icon for Google Chrome as displayed on Change Password screens]

For managed logons, administrators can also add a logon for a change password screen.

Users will be prompted for their account data the first time they log on to a resource. Then, on subsequent logons, they only need to launch the program and submit their enrolled credential. DigitalPersona Pro automatically enters the user name, domain and password and any other necessary account data in the appropriate logon screen text boxes and, if so configured, submits the account data.

For further information on Password Manager, see the Password Manager Application Guide. It can be accessed or downloaded from our website by selecting Pro Enterprise Workstation and version 5.x from the following page.
Backing up and restoring your data

It is recommended that you back up your workstation data on a regular basis. How often you back it up depends on how often the data changes. For instance, if you add new logons on a daily basis, you should probably back up your data daily. Backups can also be used to migrate from one computer to another, also called importing and exporting.

NOTE: Only the data is backed up by this feature. A DigitalPersona Pro compatible client must be installed on any computer that is to receive backed up data before the data can be restored from the backup file.

To back up your data:
1 On the left panel click Advanced, and then click Backup and Restore.
2 Click Back up data.
3 Select the modules that you want to include in the backup. In most cases, you want to select them all. Then click Next.
4 Enter a name for the storage file. By default, the file is saved to your Documents folder. Click Browse to specify a different location. Then click Next.
5 Enter and confirm a password that will be used to protect the file.
6 Click Finish.

To restore your data:
1 On the left panel click Advanced, and then click Backup and Restore.
2 Click Restore data.
3 Select the previously created storage file. You can enter the path in the field provided, or click Browse.
4 Enter the password used to protect the file.
5 Select the modules whose data you want to restore. In most cases, this would be all of the modules listed.
6 Click Finish.
Setting your preferences

Your DigitalPersona workstation client has a number of settings that you can customize. From the dashboard, click Advanced, and then click Preferences. Available settings are displayed on three tabs, titled General, Quick Action and Fingerprint. Note that the Fingerprint tab is only displayed when a supported fingerprint reader is built in or attached to the computer.

General tab

The following settings are available on the General tab:

Appearance - Show icon in taskbar notification area. Controls whether or not the Pro Workstation icon is shown in the taskbar notification area (systray). To enable displaying the icon on the taskbar, select the check box. To disable displaying the icon on the taskbar, clear the check box.

Quick Actions tab

The following settings are available on the Quick Actions tab:
Hot Key Configuration - Permits assignment of custom key sequences for performing Password Manager Quick Actions and configuring the associated default fingerprint or card behavior.

To change the default hot key
1 Click this option and enter a new key combination. Combinations may include one or more of the following: Ctrl, Alt or Shift, and any alphabetic or numeric key.
2 Click Apply to save your changes.

Quick Actions - The Quick Actions tab shows you administrator-defined Quick Actions that are performed automatically in response to the use of the Pro Workstation Hot Key, a credential or a Key+Credential combination. Only fingerprint and supported smart (contact, contactless and proximity) card credentials will initiate a Quick Action. Quick Actions may also be defined through the Quick Actions GPO setting.

Fast Connect - Provides SSO to Published Applications and Desktops through Citrix XenApp and XenDesktop. See Citrix Deployment Scenarios on page 200.

Lock Computer - Locks the computer when the associated Quick Action is initiated.

Password Manager Action - Performs one of the following operations when the associated Quick Action is initiated. When the active window has an associated Password Manager personal logon or managed logon, fills in account data. If the window is determined to be a logon screen that does not have an associated personal logon or managed logon, and the Allow creation of personal logons setting (page 127) is enabled or not configured, the Add Logon dialog displays. If none of the above cases are true, the Logons Menu or user dashboard is shown.

Fingerprint tab

The following settings are available on the Fingerprint tab:

Fingerprint Scan Feedback - Displays only when a fingerprint reader is available. Use this setting to adjust the feedback that occurs when you scan your fingerprint.
Enable sound feedback - Pro Workstation gives you audio feedback when a fingerprint has been scanned, playing different sounds for specific program events. You may assign new sounds to these events through the Sounds tab in the Windows Control Panel, or disable sound feedback by clearing this option.

Show scan quality feedback - To display all scans, regardless of quality, select the check box. To display only good-quality scans, clear the check box.

ID Card

Your ID card uniquely identifies you as the owner of this Windows account, showing your name and a picture of your choice. It is prominently displayed in the upper-left corner of Pro Workstation pages.
You can change the picture and the way that your name is displayed. By default, your full Windows user name and the picture you selected during Windows setup are shown.

To change the displayed name:
1 From the Pro Workstation dashboard, click the ID Card in the upper left corner.
2 Click the box displaying the name you entered for your account in Windows. The system displays your Windows user name for this account.
3 To change this name, type the new name, and then click the Save button.

To change the displayed picture:
1 From the Pro Workstation dashboard, click the ID Card in the upper left corner.
2 Click the Choose picture button, click an image, and then click the Save button.

Learn more

Provides a direct link to additional information about DigitalPersona products available on our website. An active internet connection is required. From the Pro Workstation dashboard, click Administration and then click Learn more. If there is no [+] Learn more link in the lower-left portion of the dashboard, it has been disabled by the administrator of this computer.
Chapter 20 - Pro Kiosk

DigitalPersona Pro Kiosk for Enterprise provides users with fast, convenient and secure multi-factor identification and authentication in environments where users share a common Windows account yet need separately controlled access to resources, applications and data.

Feature overview

Pro Kiosk provides these features:

Single Sign-On to Enterprise applications - Simplifies user logon to Enterprise applications, including traditional Windows applications, web applications, Terminals, and Citrix or similar thin client solutions. No changes to those applications are required, and setup takes only a few minutes per application.

Multi-factor authentication - Further enhances convenience and security by providing administrators with a choice of credentials (such as fingerprints, smart cards or Windows passwords) that can be required in any combination to authenticate users logging on to the PC, to enterprise applications, or for fast user switching between users on the same workstation.

Ability to roam and share user credentials across computers - If your environment requires users to gain access to multiple workstations or kiosks, they do not need to re-enroll their credentials at each computer. Pro Kiosk automatically makes users' authentication credentials and other data, such as passwords for Enterprise applications, available at each computer within the domain.

Local or attended credential enrollment - Users can enroll supported credentials from within Pro Kiosk, or administrators can prohibit this through a GPO setting and provide centralized enrollment through one or more supervised computers.

This chapter describes the similarities and differences between DigitalPersona Pro Workstation for Enterprise and Pro Kiosk functionality from the point of view of the administrator. Most of the basic functionality is common to both Pro Workstation and Pro Kiosk.
Additional details on user tasks are provided in the DigitalPersona Pro Kiosk Help file.

In the following topics, the term kiosk refers to one or more Kiosk Workstations which, due to Active Directory Group Policies, are tied to a shared Kiosk account.

Comparing Pro Workstation and Pro Kiosk

This section describes the similarities and differences between DigitalPersona Pro Workstation and DigitalPersona Pro Kiosk.

Both DigitalPersona Pro Kiosk and DigitalPersona Pro Workstation include the following features:

Multifactor and alternative authentication credentials
174 Chapter 20 - Pro Kiosk

Password Manager - supporting managed logons only, i.e. automatic logons with supported credentials to resources, programs and websites that are created by an administrator. Personal logons created by the end-user are available in Pro Workstation but not in Pro Kiosk.

Like DigitalPersona Pro Workstation, Pro Kiosk includes options for allowing users to run the Credential Enrollment Wizard, or administrators can implement attended enrollment. Pro Kiosk utilizes the same credential information and Password Manager logon data as DigitalPersona Pro Workstation.

DigitalPersona Pro Kiosk for Enterprise 5.x requires DigitalPersona Pro Server Version 5.x or above running on a domain controller. DigitalPersona Pro Workstation Version 5.x or higher and Pro Kiosk 5.x or above are compatible, i.e. they can be installed on computers on the same domain and use the same DigitalPersona Pro Server.

When comparing Pro Kiosk to Pro Workstation, Pro Kiosk differs in the following ways:

Use of Pro Kiosk requires that the GPO setting Perform fingerprint identification on server (see page 121) be enabled for all Pro Kiosk clients where fingerprint credentials will be used.

A specified Shared Account is always used for Windows logon, independent of the user account being authenticated. This affects the account profile and user preferences.

By default, all domain users are granted Kiosk access and all local (non-domain) users are prohibited from logging into Kiosk. Further restrictions may be placed on kiosk access through a GPO setting, Restrict identification to a specific list of users (see page 122).

Any authorized kiosk user can unlock a kiosk computer. For example, a user may log on and lock the kiosk computer. Then, a second user can unlock it without performing log off and log on.
The name of the last user is not shown in Logon or Unlock dialogs, regardless of security settings.

A kiosk user can enroll credentials, regardless of which user account was logged on to the kiosk, without logging on to Windows. The administrator must have allowed permissions for the user to enroll and delete fingerprints.

Pro Kiosk does not provide a means for creating personal automated logons. Instead, managed logons can be created and deployed to users by an administrator using the Password Manager Admin Tool. Then users fill in their personal account data for the automated logons.

Logging On to Windows

One Touch Logon allows users to log on to Windows with any supported credential. Windows credentials are information used to gain access to Windows accounts, such as a password, fingerprint or smart card.

One Touch Logon guides the user through enrolling any credentials that may be specified as required for logging on to Windows. When their identity is verified, they are logged on to a Windows Shared Account.

All kiosk users share the same session. If the computer becomes locked, any authorized kiosk user will be able to unlock it, view the desktop, and run programs.

Users may also have the option of not logging into the kiosk session, and instead logging on to their own Windows account rather than the Shared Account, although this is recommended for administrators only.
Using One Touch Logon

One Touch Logon displays a customized Welcome dialog box or screen, which is similar to the standard Windows dialog box. When a user is identified through their submitted credential, they are logged on to the shared kiosk account.

Users should be advised to generally leave the Share the kiosk session check box checked to allow other kiosk users to unlock the computer. Only administrators may need to uncheck this option. When logon is performed with this check box cleared, Pro Kiosk features are not available.

In Windows Vista and above, upon their first logon to Pro Kiosk, users will need to click the balloon that displays near the notification area to enroll their credentials, or click the Fingerprint Reader tile and select Credential Enrollment to launch the Credential Enrollment Wizard. In earlier versions of Windows, the Credential Enrollment Wizard will launch automatically after a user logs on to Kiosk for the first time. You must enroll fingerprints before you can log on using the fingerprint reader.

The user name for the Windows shared account that Pro Kiosk uses cannot be used to log on to a kiosk session. All Kiosk users must use their own Windows user name to log on.

Logging on to Windows without Kiosk

To log on to a computer without using a kiosk session:

Windows XP - Clear the Share the kiosk session check box. This check box is only enabled when a kiosk computer is logging onto the domain. For local logon, it is disabled.

Windows Vista and above - Select Switch User and click Other User. Then enter your Windows user name and password.

When logging in to a computer outside of a kiosk session, the designated Shared Account for the kiosk is not used and therefore Pro Kiosk features are not available. Specifically, access to the Pro Kiosk user dashboard and the use of Password Manager logons (both managed logons and personal logons) are disabled.
This feature is intended for administrators who might need to access a computer for administrative purposes, without kiosk features enabled. Non-administrators can be prohibited from logging on to the computer outside of a kiosk session by enabling a DigitalPersona setting in the controlling GPO. See Prevent users from logging on outside of a Kiosk session on page 114.

CAUTION: If you lock the computer outside of a kiosk session, other kiosk users will not be able to unlock it, so be sure to log out of a local session on any kiosk workstation.

Automatic logon using the Shared Kiosk Account

Kiosk can be configured to automatically log on to the Shared Kiosk account when Windows starts or restarts. The Log On to Windows dialog box will not be displayed.
The automatic logon setting will allow any user to access a Windows session without interactive authentication when the Kiosk computer is restarted. This option is controlled by the Allow automatic logon using Shared Kiosk Account setting described on page 114.

Changing Your Password

The process of changing your Windows password on a computer with DigitalPersona Pro Kiosk installed is the same as on a computer without Pro Kiosk installed.

To change your Windows password:
1 Press Ctrl+Alt+Delete.
2 Select Change a Password.
3 Enter your Windows user name and your old password.
4 Enter and confirm a new password.

User Account Control

On Windows Vista and later operating systems, an administrator may use any authorized and supported credential instead of their user name and password to give a standard user permission to perform an activity that is restricted by User Account Control. When the User Account Control dialog displays, a local administrator with an authorized credential can use their credential to permit the activity.

Using the Password Manager Admin Tool with Pro Kiosk

The Password Manager Admin Tool is an administrative tool that allows an administrator to provide automated logon to password-protected resources, programs and websites. With Pro Kiosk, Password Manager includes the following differences when compared to Pro Workstation implementations:

Managed logons created with the Password Manager Admin Tool must be deployed to the Shared Account instead of to user accounts.

Kiosk users do not need to log on to Windows to use managed logons. Their identity is verified each time they log on to the resource.

For kiosk users, the Password Manager logon data is never cached locally.

Only managed logons created using DigitalPersona Pro version or higher are compatible with the current version of Pro Kiosk.
For additional information on the Password Manager Admin Tool and the creation and use of managed logons, see the Password Manager Application Guide.
Logging On to Password-Protected Programs

DigitalPersona Pro Kiosk lets a kiosk user log on to password-protected resources, programs and websites with any enrolled credential. As an administrator, you must enable this feature for specific programs by creating managed logons for them.

Password-protected resources with managed logons display a Password Manager icon, shown below, in the upper left corner of the screen (Internet Explorer and Firefox) or to the right of the first recognized entry field (Google Chrome).

[Figure: Password Manager Icon for Internet Explorer and Firefox]
[Figure: Password Manager Icon for Internet Explorer and Firefox as displayed on Change Password screens]
[Figure: Password Manager Icon for Google Chrome]
[Figure: Password Manager Icon for Google Chrome as displayed on Change Password screens]

You also can add a logon for a change password screen to a managed logon. Refer to the Password Manager Application Guide for more information about creating managed logons.

Users are prompted for their account data the first time they log on to a resource. Then, on subsequent logons, they only need to launch the program and submit their enrolled credential. DigitalPersona Pro Kiosk automatically enters the user name, domain and password and any other necessary account data in the appropriate logon screen text boxes and, if so configured, submits the account data.

User logon

Users can log on to resources for which managed logons have been deployed in either of two ways.
From the Password Manager menu, or the Password Manager page in the Pro Kiosk dashboard, the user can click a logon to open the logon page for the resource and automatically submit their account data.

Users can open the logon screen for the resource, and a Password Manager icon will display indicating that they can automatically submit the required logon data using any enrolled credential.

If the system determines that account data is required (generally the first time the logon is used), the Enter Account Data dialog box displays. Users will type their account data in the fields provided. The next time this logon is used, the system will fill in the account data. If users have entered multiple sets of account data for the program, they will be prompted to choose the data that they want to use to log on.

Users can add, change or remove account data for fingerprint logons for programs using the Pro Kiosk dashboard. However, they cannot delete the fingerprint logons created by administrators.

To access the DigitalPersona Pro Kiosk dashboard
Click the DigitalPersona Pro icon in the system tray and select Open DigitalPersona Pro Kiosk.

Switching Users on Pro Kiosk Computers

You can log on, unlock or gain access to a password-protected resource on a kiosk computer by using your enrolled credentials. After your work is finished, you can do one of the following:

Close the resource and leave the kiosk computer unlocked. The next user can approach the kiosk computer and provide their credentials to gain access to the password-protected resource.

Close the resource and lock the kiosk computer. The next user can approach the kiosk computer and provide their credentials to unlock the computer. They can then open any password-protected resource with their credentials.

Close the resource and log off from the kiosk computer. The next user can approach the kiosk computer and provide their credentials to log on to the computer.
The user is logged into the Shared Account for the kiosk.

The installation and configuration of DigitalPersona Pro Kiosk is covered in the chapter Pro Kiosk installation on page 46. All other functionality is the same as described in the chapter Pro Workstation on page 155.

Using multiple Kiosk accounts with Citrix

See Citrix Deployment Scenarios on page 200.
Chapter 21 - Pro Administrative Console

When desirable or necessary, local administration of a DigitalPersona Pro Enterprise client can be accomplished through the integrated DigitalPersona Pro Administrative Console on the client workstation. This console may also be disabled by the IT administrator through a GPO setting (see Do not allow users to run local administrative tools on page 113).

Using the console, the local administrator can perform the following tasks:

Specifying the credentials required for authentication

Adjusting credential-specific parameters

Configuring installed Pro Workstation applications

Opening the Administrative Console

For administrative tasks, open the console as follows:

Click Start, click All Programs, click DigitalPersona, and then click DigitalPersona Pro Administrative Console.

or

In the left panel of the DigitalPersona Pro Enterprise client, click Administration.
Using the Administrative Console

The DigitalPersona Pro Administrative Console is the central location for administering Pro Workstation features and applications. The console is composed of the following components:

Computer Configuration - Displays the following categories for configuring security on your computer. Note that categories without an installed application are not displayed.

Home - Allows you to select the security tasks to perform.

Authentication - Allows you to configure Logon and Session Policies for this computer.

Credentials - Provides configuration of credential-specific settings.

Applications/Settings - Displays general settings for DigitalPersona Pro Workstation for Enterprise and integrated applications.

Online Tutorial - Provides a video tutorial of the main features and advantages of the DigitalPersona Pro solution.

About - Displays information about Pro Workstation, such as the version number and copyright notice.

Configuring your system

Access the System group from the Tools menu panel on the left side of the Administrative Console. Use these applications to manage the policies and settings for the computer, its users and devices. The following applications are included in the System group:

Authentication - View or manage Logon and Session Policies, governing the credentials that may be used to authenticate during Windows Logon or within Windows sessions. Note that these policies will be read-only on a client that is being centrally managed by a DigitalPersona Pro Enterprise Server.

Credentials - Manage credential-specific settings.

Setting authentication policies

On the authentication pages, you set Logon and Session policies governing access to the computer. You can specify the credentials required to authenticate when logging on to Windows or when logging on to websites, programs and network resources managed by DigitalPersona Pro during a user session.
By default, all installed and supported credentials are listed on the included Logon Policy and Session Policy tabs. Any of the credentials or credential combinations listed in the policy may be used for authentication in the Logon or Session Policy.

To set local authentication policies on a computer
1 In the left panel of the Administrative Console, click Authentication.
2 Select the tab for the type of policy you want to create or manage, Logon Policy or Session Policy.
3 Make any desired changes. To add a credential or credential combination to the list, click Add at the top of the list. To edit a credential or credential combination, click the credential. To delete a credential or credential combination, hover over it, then click the X that appears at the far right.
4 Click Apply.

Logon Policy

The Logon Policy defines the credentials that may be used to log on to Windows. By default, all installed and supported credentials are listed on the tab. Any of the credentials or credential combinations listed in the Logon Policy may be used for authentication during logon.

1 In the left panel of the Administrative Console, click Authentication.
2 On the Logon Policy tab, make any desired changes. To add a credential or credential combination to the list, click Add at the top of the list. To edit a credential or credential combination, click the credential.
To delete a credential or credential combination, hover over it, then click the X that appears at the far right.
3 Click Apply.

Session Policy

The Session Policy defines the credentials that may be used to access Security applications during a Windows session. By default, all installed and supported credentials are listed on the tab. Any of the listed credentials or credential combinations may be used for authentication in the Session Policy.

1 In the left panel of the Administrative Console, click Authentication.
2 On the Session Policy tab, make any desired changes. To add a credential or credential combination to the list, click Add at the top of the list. To edit a credential or credential combination, click the credential. To delete a credential or credential combination, hover over it, then click the X that appears at the far right.
3 Click Apply.

Specifying credentials settings

Within the Credentials application, you can specify settings that may be available for any built-in or attached security devices recognized by the DigitalPersona Pro Enterprise client. Not all credentials will have settings, and unplugged peripherals will not be displayed in the list.

Self Password Recovery

On the Self Password Recovery page, you can configure whether or not to allow Self Password Recovery for Windows logon, and manage the security questions that will be presented to users during the enrollment of their Self Password Recovery credential.

1 In the left panel of the Administrative Console, click Credentials, Self Password Recovery.
2 Select the security questions that a user may choose from during their Self Password Recovery enrollment. You may also specify up to three custom questions.
3 To disable the use of Self Password Recovery for Windows logon, click the associated checkbox.
4 Click Apply.
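The Logon and Session Policy described above is a list of credentials and credential combinations, and the Chapter 19 card and Bluetooth sections add two rules an administrator should keep in mind when building one: a proximity card or a Bluetooth device is never sufficient on its own, and a combination can only be used on a workstation whose installed hardware or software supports every credential in it. The following Python model, added here as an illustration and not DigitalPersona's code, evaluates a policy under those rules. The credential names, the COMBINATION_ONLY set and all function names are assumptions; the product's internal representation is not documented on this page.

```python
"""Added example (not DigitalPersona's code): a model of how a Logon or
Session Policy made of credential combinations is evaluated. Credential
names, COMBINATION_ONLY and the function names are assumptions for
illustration only."""
from typing import FrozenSet, Iterable, List, Optional, Set

Combination = FrozenSet[str]

# Credentials the guide describes as usable only together with another
# credential (assumption: modelled here as a fixed set of names).
COMBINATION_ONLY: Set[str] = {"proximity_card", "bluetooth"}


def make_policy(combos: Iterable[Iterable[str]]) -> List[Combination]:
    """Normalise combinations to lower-case frozensets, dropping empties and duplicates."""
    policy: List[Combination] = []
    for combo in combos:
        fs = frozenset(c.strip().lower() for c in combo)
        if fs and fs not in policy:
            policy.append(fs)
    return policy


def invalid_combinations(policy: List[Combination]) -> List[Combination]:
    """Combinations that would let a combination-only credential stand alone.
    An administrator should reject a policy for which this list is non-empty."""
    return [c for c in policy if c <= COMBINATION_ONLY]


def usable_policy(policy: List[Combination], available: Iterable[str]) -> List[Combination]:
    """Keep only the combinations the workstation's installed hardware/software
    can satisfy (e.g. no card combinations without a card reader)."""
    have = {a.strip().lower() for a in available}
    return [c for c in policy if c <= have]


def satisfied_by(policy: List[Combination], presented: Iterable[str]) -> Optional[Combination]:
    """Return the first listed combination fully covered by the presented
    (already verified) credentials, or None if authentication must be refused."""
    have = {p.strip().lower() for p in presented}
    for combo in policy:
        if combo <= have:
            return combo
    return None


# Constructed sample policy: password alone, contactless card alone,
# proximity card only with a fingerprint, Bluetooth device only with the password.
SAMPLE_POLICY = make_policy([
    ["password"],
    ["contactless_card"],
    ["proximity_card", "fingerprint"],
    ["bluetooth", "password"],
])

if __name__ == "__main__":
    print("invalid:", invalid_combinations(make_policy([["proximity_card"]])))
    print("no card reader:", usable_policy(SAMPLE_POLICY, ["password", "fingerprint", "bluetooth"]))
    print("proximity alone:", satisfied_by(SAMPLE_POLICY, ["proximity_card"]))
    print("proximity+fingerprint:", satisfied_by(SAMPLE_POLICY, ["Proximity_Card", "fingerprint"]))
```

Note that satisfied_by assumes each presented credential has already been verified by its own mechanism (PIN, fingerprint match, password check); the policy only decides whether the verified set is an acceptable combination. A policy whose usable_policy on a given workstation is empty would lock every user out of that machine, which is the first thing to check before deploying a restrictive policy by GPO.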
Fingerprints
The Fingerprints page enables you to adjust policies and settings relating to the use of a supported fingerprint reader built in or attached to the computer. This page includes two tabs as described below.
1 In the left panel of the Administrative Console, click Credentials, Fingerprints.
2 Make any desired changes on the included tabs.
3 Click Apply.

Enrollment tab
You can choose the minimum and maximum number of fingerprints that a user is allowed to enroll.

Recognition tab
On the Recognition tab, you can choose from three levels of fingerprint recognition sensitivity, for the balance between security and convenience required to address the needs of your organization. Fingerprint recognition compares a user's scanned fingerprint to their enrolled fingerprint in order to verify their identity.
The comparison should be strict enough that unauthorized people are not given access (false acceptance), but should not inconvenience legitimate users by rejecting their fingerprints (false rejection). Note that some people will experience more false rejections than statistically expected due to their fingerprint characteristics. If user fingerprints are not recognized consistently, a lower Recognition setting may be necessary. A higher setting increases the sensitivity to variations in fingerprint scans and therefore decreases the possibility of a false acceptance. The Medium-High setting provides a good mix of security and convenience.
Move the slider to adjust the sensitivity used by the fingerprint reader when it scans your fingerprints.

Face
On the Face page, you can set the security level for your Face credential in order to balance ease of use against the difficulty of breaching the security of the computer.
1 In the left panel of the Administrative Console, click Credentials, Face.
2 For more convenience, click the slider to move it to the left; for more accuracy, click the slider to move it to the right.
  Convenience - To make it easier for enrolled users to gain access in marginal situations, click the slider bar to move it to the Convenience position.
  Balance - To provide a good compromise between security and usability, or if you have sensitive information or your computer is located in an area where unauthorized logon attempts can occur, click the slider bar to move it to the Balance position.
  Accuracy - To make it more difficult for a user to gain access if enrolled scenes or current lighting conditions are below normal, and less likely that a false acceptance can occur, click the slider bar to move it to the Accuracy position.
NOTE: The Security level applies only to the current user.
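The Recognition tab discussion above describes the sensitivity setting as a trade-off between false acceptance and false rejection without showing numbers. The following is an added example, not code from the guide or from DigitalPersona: it uses constructed matcher scores and three hypothetical thresholds standing in for the Low, Medium-High and High settings, and computes the false acceptance rate (FAR) and false rejection rate (FRR) at each, plus a check for the individual users who are rejected more often than the population estimate.

```python
"""Added example (not from the DigitalPersona guide): how a recognition
threshold trades false acceptance against false rejection.

Match scores and the three thresholds are constructed for illustration;
they are not the product's real scores or settings."""
from dataclasses import dataclass

# Constructed similarity scores (0-100) from a fingerprint matcher.
# Genuine: the enrolled user presenting their own finger.
# Impostor: someone else presenting their finger against that template.
GENUINE_SCORES = [92, 88, 76, 95, 81, 69, 90, 85, 52, 93]
IMPOSTOR_SCORES = [12, 30, 45, 22, 61, 18, 35, 27, 50, 40]

# Hypothetical thresholds standing in for the three sensitivity levels.
# A scan is accepted when its score is at or above the threshold.
SENSITIVITY_THRESHOLDS = {"low": 40, "medium-high": 55, "high": 70}


@dataclass(frozen=True)
class ErrorRates:
    far: float  # false acceptance rate: impostors wrongly accepted
    frr: float  # false rejection rate: genuine users wrongly rejected


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Compute FAR and FRR for one threshold over the sample scores."""
    accepted_impostors = sum(1 for s in impostor if s >= threshold)
    rejected_genuine = sum(1 for s in genuine if s < threshold)
    return ErrorRates(far=accepted_impostors / len(impostor),
                      frr=rejected_genuine / len(genuine))


def compare_settings(thresholds=SENSITIVITY_THRESHOLDS):
    """Error rates per setting; raising the threshold lowers FAR and raises FRR."""
    return {name: error_rates(t) for name, t in thresholds.items()}


def least_strict_setting(max_far, thresholds=SENSITIVITY_THRESHOLDS):
    """Return the most convenient setting whose FAR does not exceed max_far,
    or None if even the strictest setting is above the ceiling."""
    for name, t in sorted(thresholds.items(), key=lambda kv: kv[1]):
        if error_rates(t).far <= max_far:
            return name
    return None


def users_with_high_rejection(per_user_scores, threshold, expected_frr):
    """Flag users whose own rejection rate exceeds the population estimate:
    the 'more false rejections than statistically expected' case."""
    flagged = []
    for user, scores in per_user_scores.items():
        frr = sum(1 for s in scores if s < threshold) / len(scores)
        if frr > expected_frr:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    for name, rates in compare_settings().items():
        print(f"{name:12s} FAR={rates.far:.2f} FRR={rates.frr:.2f}")
    print("least strict setting with FAR <= 0.1:", least_strict_setting(0.1))
```

On the constructed data the hypothetical Medium-High threshold is the least strict one holding FAR to 10%, which mirrors the guide's description of it as the balanced choice; a user flagged by users_with_high_rejection is the case where the text suggests a lower Recognition setting may be needed.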
Smart card
The Smart cards page enables you to adjust policies and settings relating to the use of a supported smart card reader built in or attached to the computer. This page includes two tabs as described below.
1 In the left panel of the Administrative Console, click Credentials, Smart card.
2 Make any desired changes on the included tabs.
3 Click Apply.

Settings tab
On the Smart card, Settings tab, you can administer settings specific to this credential.
Lock computer upon smart card removal - Enable this setting to lock a computer when the smart card used to log on to Windows is removed. If the smart card was not used to log on to Windows, removal of the card does not lock the computer.

Administration tab
On the Smart Card: Administration tab, you can initialize and manage a smart card. Initialization must be performed prior to use of the card by the end user. Note that the following options are not displayed until a supported smart card has been inserted into the reader.
Initialize the smart card - Select this option to set up a smart card to be used as a DigitalPersona Pro credential for this workstation. You must also enter a PIN (Personal Identification Number) and click Apply. See below for further details.
Change smart card PIN - Select this option to change the PIN used with the smart card. Then type the new PIN in the provided text box and click Apply.
Erase DigitalPersona Pro Workstation data only - Select this option to erase only Pro Workstation data on the smart card and click Apply. You may want to use this option if you are assigning this smart card for use with a different workstation, or no longer wish the holder to have access to the workstation.
Erase all data on the smart card - Select this option to erase all data on the smart card and click Apply. This option essentially reformats the card, and it will no longer be usable as a credential for any application until re-initialized.

Initializing the smart card
DigitalPersona Pro supports a number of different smart cards. The number and type of characters used as PINs may vary. The manufacturer of the smart card should provide tools to install a security certificate and a management PIN that it will use in its security algorithm.
NOTE: ActivIdentity software must be installed in addition to the driver for the specific reader. The currently required ActivIdentity software is version 6.2 with one of the following hotfixes: AC_ _FIXS _x64 or AC_ _FIXS _x86.
1 Insert the smart card into the reader.
2 Click Start, click All Programs, and then click ActivClient PIN Initialization Tool.
3 Enter and confirm a PIN.
4 Click Next. The smart card software will provide an unlock key. Most smart cards will lock themselves when the PIN is entered incorrectly 5 times; the key is used to unlock the card.
5 Click Start, click All Programs, click DigitalPersona, and then click Administrative Console.
6 Click Credentials, and then click Smart Card.
7 Click the Administration tab.
8 Be sure that Initialize the smart card is selected.
9 Enter and confirm a PIN, click Apply, and then follow the on-screen instructions.
10 After the smart card has been successfully initialized, you will need to register the smart card. See below for further details.
Setting up the smart card
After the smart card is initialized, users can set it up (or enroll it).
1 In the Pro Workstation dashboard, click Credential Manager, and then click Cards and tokens.
2 Insert the smart card. A list of options will be displayed.
3 Be sure that Set up is selected.
4 Enter your Windows password and your PIN, and then click Save.

Changing the smart card PIN
To change your smart card PIN
1 In the Pro Workstation Administrative Console, click Credentials, and then click Smart card.
2 Click Credentials, and then click Smart card.
3 Click the Administration tab.
4 Insert a smart card that has been previously formatted and initialized.
5 Select Change smart card PIN.
6 Enter your old PIN, and then enter and confirm a new PIN.

Registering the smart card
After a smart card is initialized, users can register it in the Pro Workstation dashboard:
1 In the Pro Workstation dashboard, click Start, click All Programs, click DigitalPersona, and then click DigitalPersona Pro.
2 Click Credentials, and then click Smart card.
3 Be sure that Set up is selected.
4 Enter the Windows account password and the PIN (assigned during the initialization step above), and then click Save.

Contactless card
To delete credential data on this card for Pro Workstation, select that option and click Apply.

Administration tab
Erase DigitalPersona Pro Workstation data - To erase credential data on this card for Pro Workstation, select that option and click Apply.
Bluetooth
A Bluetooth device may be used for authentication when combined with an additional supported credential as defined by the Logon or Session Policy in force. On the Credentials: Bluetooth page, you can administer settings or operations specific to this credential.
Allow silent authentication - To prevent silent authentication, and require selection of a specific Bluetooth credential, uncheck this option. By default, silent authentication is enabled, i.e. when Bluetooth credentials are allowed for authentication by the Logon or Session Policy in force, authentication will be attempted with the previously used Bluetooth credential immediately upon entry to a logon screen.

PIN
You can configure the minimum length of the DigitalPersona PIN credential. The maximum PIN length is 8 digits.
1 Enter or select the minimum PIN length.
2 Click Apply.
Configuring your applications settings
The Applications, Settings page is accessed from the Applications menu panel on the left side of the DigitalPersona Pro Workstation for Enterprise Administrative Console. You can use Settings to customize the behavior of currently installed Pro Workstation applications.
To edit your application settings:
1 In the Tools menu, under Applications, click Settings.
2 Select the check box to enable, or clear the check box to disable, a specific setting.
3 Click Apply to save the changes that you have made.

General tab
The following settings are available on the General tab:
Do not automatically launch the Getting Started wizard for users - Select this option to prevent user setup from automatically opening upon logon.

Applications tab
The settings displayed here can change when new applications are added to Pro Workstation. The minimal settings shown by default are described below. Additional settings may be available depending on the security applications installed on the computer.
Applications status - Enables status to be displayed for all applications.
Password Manager - Enables the Password Manager application for all users of the computer.
Windows Logon Security - Enables use of DigitalPersona credentials during Windows Logon.
Enable the Central Management button - Allows all users of this computer to add applications to Pro Workstation by clicking the Central Management button.
To return all applications to their factory settings, click the Restore Defaults button.
Section Four: Appendices
Part Four of the DigitalPersona Pro Enterprise Administrator Guide includes the following chapters:

Chapter Title | Purpose
Chapter 22 - Glossary | Explains key concepts and terms used in this guide.
Chapter 24 - Policies and Settings - Alphabetical list | Lists all DigitalPersona Pro Enterprise policies and settings alphabetically.
Chapter 23 - Citrix Deployment Scenarios | Describes common ways of deploying DigitalPersona Pro clients through the Citrix virtualization platform.
Chapter 25 - Embedded Windows dependencies | Describes dependencies for installing Pro Workstation on Microsoft Windows Embedded operating systems.
Chapter 26 - Identification List | Provides instructions on creating an identification list.
Chapter 27 - Pro Events for version 5.3 | Describes events generated by DigitalPersona Pro Enterprise, version 5.3.
Chapter 28 - Schema extension | Provides details on changes made to the Active Directory schema by DigitalPersona Pro Enterprise.
Chapter 22 - Glossary
In order to fully understand and implement the features of DigitalPersona Pro Enterprise, you will need to be familiar with the terms and concepts covered in this chapter. If you consider yourself knowledgeable about Active Directory, you may want to skip the rest of this page and continue with reading about DigitalPersona Pro terminology on page 194.

Concepts

Active Directory
Active Directory is a directory service included with Microsoft Windows servers since Windows 2000 Server. A directory service is a software application that stores and organizes information about a computer network's users and resources, such as computers, printers and network shares. It enables network administrators to manage users' access to those resources.
DigitalPersona Pro Enterprise utilizes the Active Directory service for administration of the policies and settings that determine the functionality and features implemented in your organization. Through Active Directory you can assign enterprise-wide policies and settings to computers in your network as well as locate and administer objects, users and resources across the network.
Active Directory is structured as a hierarchy of objects and containers laid out in a tree format. In the Active Directory Users and Computers (ADUC) snap-in, which is one of the visual tools that can be used to create and administer objects, the hierarchy looks much the same as the folder structure in Windows Explorer.

Group Policy
Group Policy is a feature of the Active Directory service that facilitates change and configuration management. Group Policy settings are stored in Group Policy Objects (GPOs) in the Active Directory database. These GPOs are linked to containers, which include Active Directory sites, domains, and organizational units (OUs).
Because Group Policy is so closely integrated with Active Directory, it is important to have a basic understanding of both Active Directory structure and the security implications of different design configuration options within it before you implement Group Policy.
For information about the policies and settings that DigitalPersona Pro adds to a GPO, see Policies and Settings on page 99.

Organizational Units (OUs)
An OU is a container within an Active Directory domain. An OU may contain users, groups, computers, and other OUs, which are known as child OUs. You can link a GPO to an OU, and the GPO settings will be applied to the users and computers that are contained within that OU and its child OUs. To facilitate administration you can delegate administrative authority to each OU.
OUs provide an easy way to group users, computers, and other security principals, and they also provide an effective way to segment administrative boundaries. Users and computers are generally assigned to separate OUs, because some settings only apply to users and other settings only apply to computers.
One of the primary goals of an OU structure design for any environment is to provide a foundation for a seamless Group Policy implementation that applies to all workstations in Active Directory and ensures that they meet the security standards of your organization. The OU structure must also be designed to provide adequate security settings for specific types of users in an organization. For example, developers may need some permissions that average users do not need to have. Also, laptop users may have slightly different security requirements than desktop users.
The figure on the right shows a basic OU structure for illustration of the concept only, and is not a recommendation to create your OU structure in the same way. Your OU structure must be defined by the specific organizational requirements of your environment.

The authentication process
DigitalPersona Pro's authentication process validates the identity of a user through the submission of one or more administrator-specified credentials.
This authentication process is used by DigitalPersona Pro Workstation clients in an enterprise deployment with DigitalPersona Pro Enterprise Servers.
Prior to authentication:
1 A user enrolls or sets up the required credentials, creating an enrollment template that is stored on the local workstation and also sent securely to the Pro Server.
2 The workstation client captures user data (such as user account or logon information), called Secrets, and sends them securely to the DigitalPersona Pro Enterprise Server for storage in Active Directory. By default, it also caches these Secrets locally on the workstation, so that they are available if the Server cannot be reached. Caching can also be disabled by the administrator. See the topic Cache user data on local computer on page 110.
The authentication process is initiated when a Pro Enterprise compatible application (such as Pro Workstation) prompts the user to verify their identity by providing their credentials. This may be in order to log on to Windows, specific security applications or applications, network resources or websites using Password Manager logons.
The authentication process is as follows:
1 The user attempts to access a protected resource.
2 Verification of identity is requested through the submission of specific credentials.
3 The submitted credentials are compared to enrollment data cached on the local workstation and then sent to the Pro Server for confirmation of the user's identity.
4 Pro Server compares the presented credential(s) to the enrollment data in the user record in Active Directory. If the credentials match the enrollment data, Pro Server authenticates the user and sends the Secret requested by the application securely to the workstation.
5 The requesting application receives the Secret and then uses the information as needed, typically to log the user on to their Windows account, a program or website.
When a Pro Server is unavailable, such as when a laptop is disconnected from the network, the required Secret is retrieved from a local cache on the workstation. If a Pro Server is unavailable, and local caching has been disabled by the administrator, authentication is not possible.
This authentication process can be modified by the administrator using settings provided through the DigitalPersona Pro GPMC extensions (see Policies and Settings on page 99).

Terminology

Administrative Console
A central location where you can access and manage the features and settings governing a DigitalPersona Pro Enterprise compatible client.
authentication
Process of verifying that you are the person you claim to be, through the use of credentials specified by an administrator.

back up
To save a copy of important program information to a location outside the program. It can then be used for restoring the information at a later date to the same computer or another one.

Bluetooth
A credential that uses paired Bluetooth-enabled devices for authentication.

card reader
A hardware device used for reading smart cards, contactless cards and proximity cards. Supported readers are listed below. Drivers included with the readers must be installed, and are not provided by DigitalPersona Pro installations.
Contactless card readers: OMNIKEY CardMan 3321, 5321, 6321
Proximity card readers: CardMan 3325, 5325, with a firmware version of not less than

cards
DigitalPersona supports a wide variety of identification cards, including contact smart cards, contactless cards and proximity cards. For manufacturers and models supported, see the specific type of card as listed above.

connected device
A hardware device that is connected to a port on the computer.

Contactless card
A plastic card with an embedded chip that can be used as a sole authentication credential. Supported contactless cards are listed below. Drivers are provided by the card manufacturer or vendor and are not included in DigitalPersona Pro product installations.
Contactless HID iCLASS memory cards;
Contactless MiFare Classic 1k, 4k and mini memory cards. (MiFare UltraLight cards are not supported.)
Contact/Contactless HID Crescendo C700 PKI cards

credential
A specific piece of information or hardware device used to authenticate an individual user.

dashboard
A central location where you can access and manage the features and settings in DigitalPersona Pro Workstation for Enterprise.

dynamic DNS
Dynamic DNS defines a protocol for dynamically updating a DNS server with new or changed values. DigitalPersona Pro uses Dynamic DNS to update the DNS server with changes made to DigitalPersona Pro policies and settings.

enroll
The process of capturing and storing information about your fingerprints, which are then used to authenticate you in order to access Windows, websites, and programs.

fingerprint
A digital extraction of your fingerprint image. Your actual fingerprint image is never stored by Pro Workstation.

kiosk
A kiosk is a computer, or group of computers, that can be used by designated persons sharing a single Windows user account and its associated programs. Each user of the kiosk can quickly and easily log on to Windows, programs and websites using the minimum credentials (such as fingerprints) specified by the organization.

logon
Account data for a website, program, network resource or password change screen that allows a user to log on by using specific credentials as specified by the Pro Enterprise administrator. There are two types of logons, personal logons and managed logons. See separate glossary entries.

managed computer
Any computer running a compatible DigitalPersona Pro client that has been set up to be managed by a Pro server.
managed logon
A logon (see above) created using the Password Manager Admin Tool, which can then be deployed to all managed computers. The term logon is generally used, except when specifically referring to logons created by an administrator with the Password Manager Admin Tool (managed logons) as contrasted with those created by an end-user (personal logons). When both managed and personal logons exist for the same program or website, the personal logon is disabled and only the managed logon may be used for access to the specified program or website. See also: personal logon.

Password Manager
A security application included with Pro Enterprise-compatible clients that allows users to create their own personal logons for programs and websites, in addition to using managed logons created through the Password Manager Admin Tool. These logons may be used to launch the program or website and automatically fill in required account data after verifying the user's identity with any of a variety of authentication mechanisms (such as password, smart card, fingerprints or Defender-compatible VPN tokens) as specified by the DigitalPersona Pro administrator.

Password Manager Admin Tool
An optional management application that plugs into the Administrative Console of compatible workstation clients to enable the creation, administration and management of logons for password-protected software programs and websites. Users simply verify their identity by supplying required credentials to securely provide data for logon fields, such as user name and password, on any website or program logon screen. Administrators use the Password Manager Admin Tool to create managed logons specifying information for the logon screens, and can use application policy settings in the GPO to deploy the One Touch SignOn templates to end users. (Requires Internet Explorer 6 or above.)

personal logon
A logon created by an end-user with the Password Manager application. The term logon is generally used, except when contrasting logons created by an end-user (personal logons) with those created by an administrator with the Password Manager Admin Tool (managed logons). See also: managed logon.

PIN (Personal Identification Number)
A credential composed of a series of digits. A PIN is often used in combination with another credential to easily enhance its security. This PIN should not be confused with a Smart Card PIN, which is used as part of a Smart Card credential.
Proximity card
A plastic card with an embedded chip that can be used as an authentication credential, but only in combination with another credential as specified in the Logon or Session Policy in force. Proximity cards supported are: Simple HID proximity cards. Drivers are provided by the card manufacturer or vendor and are not included in DigitalPersona Pro product installations.

Quick Actions
Quick Actions, which combine the Shift or Control keys with use of the fingerprint to access DigitalPersona Pro features, can be created by end users in the DigitalPersona Pro Workstation Properties dialog.

restore
A process that copies program information from a previously saved backup file into this program.

scene
A photo of an enrolled user to be used for authentication.

Secret
A DigitalPersona Pro Secret is application-specific user data that is stored securely in Active Directory by the DigitalPersona Pro Enterprise Server, or locally by the local authentication server on the workstation. The Secret is released to the application upon successful identification of the user, and used to log on to programs and websites for which logon templates have been created.

Service Resource Records (SRV RR)
Active Directory servers publish their addresses so that clients can find them knowing only the domain name. Active Directory servers are published via Service Resource Records (SRV RRs) in DNS. The SRV RR is a DNS record used to map the name of a service to the address of a server offering that service. The name of an SRV RR is in this form: _<service>._<protocol>.<domain>
Active Directory servers offer the LDAP service over the TCP protocol with published names in the form: _ldap._tcp.<domain>
For example, the SRV RR for "Microsoft.com" is "_ldap._tcp.microsoft.com". Additional information on the SRV RR indicates the priority and weight for the server, allowing clients to choose the best server for their needs.
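The glossary entry above says that priority and weight let a client choose the best server but does not show the selection rule. The following is an added example, not code from the guide or from DigitalPersona: it builds the _ldap._tcp.<domain> name and applies the RFC 2782 rules (lowest priority first, weighted random choice within a priority, remaining records as failover) to a constructed SRV answer; no DNS query is performed and the server names are invented.

```python
"""Added example (not from the DigitalPersona guide): building the
_ldap._tcp.<domain> SRV name and choosing a server from the answer using
the priority/weight rules of RFC 2782.

The records below are constructed; no DNS query is performed."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower is preferred
    weight: int    # relative share among records of equal priority
    port: int
    target: str


def srv_name(domain, service="ldap", proto="tcp"):
    """Name under which Active Directory publishes its LDAP servers."""
    return f"_{service}._{proto}.{domain}"


# Constructed answer for _ldap._tcp.example.com: two primaries sharing
# load 2:1, plus a lower-priority fallback (hypothetical hosts).
EXAMPLE_ANSWER = [
    SrvRecord(priority=0, weight=100, port=389, target="dc1.example.com"),
    SrvRecord(priority=0, weight=50, port=389, target="dc2.example.com"),
    SrvRecord(priority=10, weight=100, port=389, target="dc-backup.example.com"),
]


def choose_target(records, rng=random.random):
    """Pick one record: only the lowest priority is eligible, and within it
    the choice is random in proportion to weight. rng returns a float in [0, 1)."""
    if not records:
        raise ValueError("empty SRV answer")
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:
        # All weights zero: RFC 2782 gives no preference; simplified to first.
        return candidates[0]
    pick = rng() * total
    running = 0
    for r in candidates:
        running += r.weight
        if pick < running:
            return r
    return candidates[-1]


def failover_order(records, rng=random.random):
    """Full order in which a client should try servers: repeatedly choose
    and remove, so lower-numbered priorities are exhausted before higher ones."""
    remaining = list(records)
    order = []
    while remaining:
        chosen = choose_target(remaining, rng)
        order.append(chosen)
        remaining.remove(chosen)
    return order


if __name__ == "__main__":
    print(srv_name("microsoft.com"))
    for r in failover_order(EXAMPLE_ANSWER):
        print(f"{r.target}:{r.port} (priority {r.priority}, weight {r.weight})")
```

The rng parameter exists so the weighted choice can be made deterministic in a test; in production the default random.random is what spreads load across dc1 and dc2 in a 2:1 ratio while dc-backup is only tried once both primaries have been exhausted.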
When an Active Directory server is installed, it publishes itself via Dynamic DNS. Since TCP/IP addresses are subject to change over time, servers periodically check their registrations to make sure they are correct, updating them if necessary.

smart card
A hardware device that can be used for authentication.

Verification Template
A verification template is created from a fingerprint scan whenever a user places their finger on the fingerprint reader. During authentication, this template is matched to available Enrollment Templates in order to identify the user. At the end of the authentication process the Verification Template is erased.

Windows administrator
A user with full rights to modify permissions and manage other users.

Windows Logon
Windows Logon provides the ability for you to log on to your Windows account by using any of a variety of authentication mechanisms (such as password, smart card, fingerprints or Defender-compatible VPN tokens).

Windows Logon Security
Protects your Windows accounts by requiring the use of specific credentials for access.

Windows user account
Profile for an individual who is authorized to log on to a network or to an individual computer.
Chapter 23 - Citrix Deployment Scenarios

Overview
This chapter covers a few of the most common deployment scenarios of DigitalPersona Pro Workstation for Enterprise and DigitalPersona Pro Kiosk for Enterprise through the Citrix XenApp or XenDesktop virtualization platforms. DigitalPersona Pro's Fast Connect feature works with XenApp and XenDesktop to create a streamlined SSO connection to published applications and desktops.
You can also easily access DigitalPersona Pro Workstation through Citrix from various supported thin clients. System requirements and setup steps for IGEL thin clients are on page 205.
All authorized and enrolled DigitalPersona Pro credentials are supported in the virtual scenarios, except for Bluetooth and Face credentials.

Installation and configuration
Specific instructions for the installation and configuration of a DigitalPersona Pro client in the Citrix environment are covered in the chapter Citrix and remote installation on page 60. Note that the use of the Fast Connect feature requires a custom installation of DigitalPersona Pro Workstation for Enterprise on the XenApp Server or in the XenDesktop image with the One Touch Logon feature deselected.

Fast Connect with XenApp and Pro Workstation
Fast Connect works with XenApp server and the Citrix online plug-in (v12.3 and above) to enable SSO (Single Sign-On) to published applications and desktops. When configured, you can connect to and log on to a Citrix published application or desktop using a predefined Quick Action triggered by use of a credential or key+credential combination.
This scenario assumes that DigitalPersona Pro Workstation has been successfully installed on the XenApp server (see page 60), using a custom install with the One Touch Logon feature deselected, and on a separate client computer using a typical install, i.e. including the One Touch Logon feature.

XenApp server configuration
The Login Mode on the XenApp server must be configured for Pass-through authentication. You can verify this on the client computer running the Citrix online plug-in by right-clicking the Citrix icon, selecting Options, and ensuring that the Login Mode is Pass-through authentication.

Pro Server configuration
Complete these steps to configure the DigitalPersona Pro Server. (Installation instructions are on page 22.)
1 Configure Group Policies
  Quick Action - Choose a Quick Action setting, enable it, and select Fast Connect through the dropdown menu. Quick Actions perform a specific operation whenever a specified credential or key+credential combination is presented. This policy is located at: Policies/Administrative Templates/DigitalPersona Pro Client/General Administration.
  Fast Connect - Enable the setting, and specify the Citrix Farm Name and the name of the Published Application or Desktop to be launched automatically. These are case-sensitive. The syntax is FarmName:AppOrDesktopName. This setting is located at: Policies/Administrative Templates/DigitalPersona Pro Client/Fast Connect. Note that Fast Connect will work without this setting enabled, but will connect to the last accessed Citrix published application or desktop.
2 Disable the Session Authentication Policy - This is optional, but in combination with a Password Manager managed logon, removes the requirement to log on separately to the Windows session, and is used to create SSO functionality. This policy is located at: Policies/Administrative Templates/DigitalPersona Pro Client/Security/Authentication.
3 In the Password Manager Admin Tool, create a managed logon for the published application. When creating the managed logon, the Start Authentication Immediately property must be set on the Logon Properties page. For instructions on creating a managed logon, see the Password Manager Application Guide.
203 Chapter 23 - Citrix Deployment Scenarios Maintaining local and remote Kiosk identities (Pro 5.3 and above only) In this scenario, the enterprise wants to implement several local installations of DigitalPersona Pro Kiosk, as well provide access to Pro Kiosk through the Citrix XenDesktop or a published Pro Kiosk application. Additionally, they want the ability for a user to log in to the XenDesktop or Pro Kiosk published application from a local Kiosk without losing access to the resources mapped to the local Kiosk. With versions of DigitalPersona Pro Kiosk prior to version 5.3, this was not possible, since a user logging into a XenDesktop or XenApp published Pro Kiosk application would log into the Shared Account for the published Kiosk and lose their Shared Account identity from the local kiosk. In Pro Kiosk 5.3 and above, local Kiosk users logging into a published Pro Kiosk will maintain their local identity and any resources associated with the local kiosk. For example, a hospital wants to have a local installation of Pro Kiosk on each floor, as well as provide access to a XenDesktop or XenApp published Pro Kiosk application in the administrative wing. When someone needs to log into the XenDesktop published Kiosk, they still have access to local resources for the floor, such as printers and other peripherals. DigitalPersona Pro Enterprise - Administrator Guide 203
Setting up kiosks for local and remote identities

Setup is fairly simple.

1 Each local kiosk is created in a separate Active Directory OU (Organizational Unit).
2 The remote (XenDesktop or XenApp published Pro Kiosk) can be created at either the OU or domain level.
3 Configure settings for each kiosk as shown in steps 4 through 6 below.
4 In the Group Policy Editor, navigate to Kiosk Administration, Kiosk Shared Account Settings.
5 Enable the following settings: Allow automatic logon using Shared Kiosk Account and Logon/Unlock with Shared Account Credentials.
6 Enter the required information under Kiosk Workstation Shared Account Settings (user name, domain and password). Additional configuration options are available; see Kiosk Administration on page [page number omitted in source].
7 Configure Identification Server settings. If fingerprint readers will be used, the Perform fingerprint identification on server setting must be enabled. Additional configuration options are available; see Identification Server settings on page 121.

Using kiosk local and remote identities

With the scenario described above, once setup has been completed, a local Kiosk user can log onto Pro Kiosk with their domain credentials as usual. Once logged in, if they need to access the remote XenApp published Pro Kiosk, they can log in with their domain credentials, but the actual Windows account accessed will be the same Shared Account that they originally logged into on the local Kiosk. Any resources associated with those credentials will now be available from the remote Kiosk.

So a user who logs into a local Kiosk, and then accesses a XenDesktop or XenApp published Kiosk through a supported XenApp client, will be logged in to the published XenDesktop or published (remote) Pro Kiosk using the Shared Account credentials from the local Kiosk and will retain access to any resources associated with that account.
IGEL Universal Desktop support

The Citrix ICA client provided with the IGEL Universal Desktop thin client includes a DigitalPersona Pro plug-in that provides communication between an attached DigitalPersona fingerprint reader and the DigitalPersona software running on Citrix XenApp or XenDesktop.

Requirements

Supported IGEL hardware:
UD2-x30 LX
UD3-x31 LX
UD5-x30 LX
UD9-x30 LX
UD9-x31 LX
UDC Universal Desktop Converter

Firmware: Version [number omitted in source] or above

Software: DigitalPersona Pro Workstation or Kiosk 5.4 or above running on Citrix XenApp or XenDesktop.

Setup

To set up an individual IGEL box for use with DigitalPersona Pro
1 Run IGEL Setup.
2 Navigate to ICA/ICA Global/Mapping/Device Support.
3 Select DigitalPersona Fingerprint Channel.
4 Click Apply or OK.

To set up a group of IGEL boxes
IGEL provides a free central management tool, the Universal Management Suite (UMS), for creating and managing configuration profiles for IGEL clients. It is bundled with every IGEL thin client product and can also be downloaded from their website [URL omitted in source]. UMS supports a variety of operating systems, databases and directory services like Microsoft Active Directory, and can therefore be easily integrated into every environment. Procedures for configuring profiles will vary depending on the environment. See the UMS documentation for your specific enterprise environment.
Chapter 24 - Policies and Settings - Alphabetical list

The AD nodes, policies, settings and properties included in DigitalPersona Pro Enterprise are listed alphabetically in the following table, along with a reference to the page where they are described in detail.

Node/Policy/Setting name | Page
Authentication (DigitalPersona Pro Client) | 101 ff
Authentication Devices (DigitalPersona Pro Client) | 108 ff
Authentication Devices (DigitalPersona Pro Enterprise Server) | 119 ff
Account lockout duration | 119
Account lockout threshold | 119
Allow automatic logon using Shared Kiosk Account | 114
Allow running auto updates on the computer | 117
Allow Pro client to use Pro Server | 113
Allow creation of personal logons | 127
Allow users to add account data | 127
Allow users to delete account data | 128
Allow users to edit account data | 127
Allow users to view managed logon passwords | 127
Automated site coverage by Pro Enterprise Server Locator DNS SRV records | 122
Bluetooth | 108
Cache user data on local computer | 110
Certificate publishing policy | 115
Certificate use policy | 116
Citrix Published Application Name | 112
DigitalPersona Pro Client | 101
DigitalPersona Pro Enterprise Server (Policies, Software Settings) | 105
DigitalPersona Pro Enterprise Server (Administrative Templates) | 118
DigitalPersona Reporter Event Forwarding | 112
Disable applications | 115
Do not allow users to run local administrative tools | 113
Do not compress fingerprint data for redirection | 108
Do not launch the Getting Started wizard upon logon | 113
Dynamic registration of Pro Enterprise Server Locator DNS records | 124
Enable multi-factor authentication in Windows logon | 116
Enable One Step Logon | 117
Enable Self Password Recovery | 117
Enable the Central Management menu item | 117
Enrollment (computer, user) | 104, 126
Event logging (client, server) | 111, 121
Fast Connect | 112
Features | 116
Fingerprint enrollment (client, server) | 110, 119
Fingerprint verification (client, server) | 110, 120
Fingerprint verification lockout | 119
Fingerprints (client, server) | 108, 119
General Administration | 112
Identification Server domain | 113
Identification Server settings | 121
Kiosk Session Authentication Policy (Computer Configuration) | 103
Kiosk Session Authentication Policy (User Configuration) | 125
Kiosk Workstation Shared Account Settings | 114
Kiosk Unlock Script | 114
Level of detail in event logs (client, server) | 111, 121
Licenses (client) | 104
Lock the computer upon smart card removal | 111
Log Status Events | 112
Logon/Unlock with Shared Account Credentials | 114
Logon Authentication Policy (Computer Configuration) | 102
Logon Authentication Policy (User Configuration) | 116
Managed applications (Computer Configuration) | 115
Managed applications (User Configuration) | 127
Managed logons | 127
Password Manager | 127
Path(s) to the managed logons folder(s) | 128
Perform fingerprint authentication on server | 121
PIN enrollment (DigitalPersona Pro Client) | 111
PIN enrollment (DigitalPersona Pro Enterprise Server) | 120
Prevent Password Manager from running | 115
Prevent Privacy Manager from running | 115
Prevent users from logging on outside of a Kiosk session | 114
Priority set in Pro Enterprise Server Locator DNS records | 123
Privacy Manager | 115
Pro Enterprise Server DNS | 122
Quick Actions | 112
Randomize user's Windows password | 82
Redirect fingerprint data | 108
Refresh interval of Pro Enterprise Server DNS records | 122
Register Pro Enterprise Server Locator DNS records for domain | 124
Reset account lockout counter after | 119
Restrict identification to a specific list of users | 122
Self Enrollment Policy (computer, user) | 104, 126
Session Authentication Policy (computer, user) | 102, 125
Session Authentication Policy (computer, user) | 116, 128
Set the False Accept Rate | 110
Set the maximum number of enrolled fingerprints | 110
Set the minimum number of enrolled fingerprints | 110
Set the minimum length of user PIN | 111
Settings | 117
Show Taskbar icon | 113
Silent authentication | 108
Sites covered by Pro Enterprise Server Locator DNS records | 123
Software updates | 117
Smart cards | 111
User provides only Windows credentials to log on | 83
Weight set in Pro Enterprise Server Locator DNS records | 123
Chapter 25 - Embedded Windows dependencies

This version of DigitalPersona Pro for Enterprise supports several embedded Windows platforms (see System Requirements on page 17). However, note that the Client Suite Installer and the Setup.exe file included in the product package cannot be used to install the DigitalPersona Pro client on a Windows XP Embedded OS. Use the SETUP.msi file located in the installation folder instead.

This chapter contains two tables, documenting the files and components required in order to run the DigitalPersona Pro Workstation on the supported embedded platforms.

Required components for supported Windows Embedded platforms

Component Name | Dependency Description
Accessibility Core | Dependency caused by OLEACC.DLL of type static
Common Control Libraries Version 5 | Dependency caused by COMCTL32.DLL of type static
DigitalPersona Fingerprint Reader | Dependency caused by DPCtrls of type static
Microsoft Visual C++ Run Time | Dependency caused by MSVCRT.DLL of type rawdep
OpenGL Support | Dependency caused by OPENGL32.DLL of type static
Primitive: Crypt32 | Dependency caused by CRYPT32.DLL of type static
Primitive: Mpr | Dependency caused by MPR.DLL of type static
Primitive: Msimg32 | Dependency caused by MSIMG32.DLL of type static
Primitive: Netapi32 | Dependency caused by NETAPI32.DLL of type static
Primitive: Ntdll | Dependency caused by NTDLL.DLL of type static
Primitive: Ole32 | Dependency caused by OLE32.DLL of type static
Primitive: Oleaut32 | Dependency caused by OLEAUT32.DLL of type static
Primitive: Psapi | Dependency caused by PSAPI.DLL of type rawdep
Primitive: Secur32 | Dependency caused by SECUR32.DLL of type static
Primitive: Setupapi | Dependency caused by SETUPAPI.DLL of type static
Primitive: Shell32 | Dependency caused by SHELL32.DLL of type static
Primitive: Shlwapi | Dependency caused by SHLWAPI.DLL of type static
Primitive: Userenv | Dependency caused by USERENV.DLL of type static
Primitive: Winmm | Dependency caused by WINMM.DLL of type static
RPC Local Support | Dependency caused by RPCRT4.DLL of type static
RPC Server | Dependency caused by RPCSS.DLL of type rawdep
Standard Template Libraries (STL) | Dependency caused by MSVCP60.DLL of type rawdep
Windows API - Advanced | Dependency caused by ADVAPI32.DLL of type static
Windows API - GDI | Dependency caused by GDI32.DLL of type static
Windows API - Kernel | Dependency caused by KERNEL32.DLL of type static
Windows API - User | Dependency caused by USER32.DLL of type static
Windows Logon (Standard) | Dependency caused by MSGINA.DLL of type rawdep
Required files for supported Windows Embedded platforms

File | Description | Location
activeds.dll | ADs Router Layer DLL | C:\WINDOWS\system32
adsldpc.dll | ADs LDAP Provider C DLL | C:\WINDOWS\system32
advapi32.dll | Advanced Windows 32 Base API | C:\WINDOWS\system32
atioglxx.dll | ATI OpenGL driver | C:\WINDOWS\system32
atl.dll | ATL Module for Windows XP (Unicode) | C:\WINDOWS\system32
clbcatq.dll | Microsoft COM Services component | C:\WINDOWS\system32
comctl32.dll | Common Controls Library | C:\WINDOWS\system32
comres.dll | Microsoft Communications module | C:\WINDOWS\system32
crypt32.dll | Crypto API32 | C:\WINDOWS\system32
dciman32.dll | DCI Manager | C:\WINDOWS\system32
ddraw.dll | Microsoft DirectDraw | C:\WINDOWS\system32
dnsapi.dll | DNS Client API DLL | C:\WINDOWS\system32
gdi32.dll | GDI Client DLL | C:\WINDOWS\system32
GdiPlus.dll | Microsoft GDI+ | C:\WINDOWS\WinSxS\x86_Microsoft.Windows.gdiplus_6595b64144ccf1df_ _x-ww_522f9f82\GdiPlus.dll
glu32.dll | OpenGL Utility Library DLL | C:\WINDOWS\system32
hnetcfg.dll | Home Networking Configuration Manager | C:\WINDOWS\system32
imagehlp.dll | Windows NT Image Helper | C:\WINDOWS\system32
iphlpapi.dll | IP Helper API | C:\WINDOWS\system32
kernel32.dll | Windows NT BASE API Client DLL | C:\WINDOWS\system32
mpr.dll | Multiple Provider Router DLL | C:\WINDOWS\system32
msasn1.dll | ASN.1 Runtime APIs | C:\WINDOWS\system32
msv1_0.dll | Microsoft Authentication Package v1.0 | C:\WINDOWS\system32
msvcrt.dll | Windows NT CRT DLL | C:\WINDOWS\system32
mswsock.dll | Microsoft Windows Sockets 2.0 Service Provider | C:\WINDOWS\system32
netapi32.dll | Net Win32 API DLL | C:\WINDOWS\system32
ntdll.dll | NT Layer DLL | C:\WINDOWS\system32
ole32.dll | Microsoft OLE for Windows | C:\WINDOWS\system32
oleaut32.dll | Microsoft OLE dll | C:\WINDOWS\system32
opengl32.dll | OpenGL Client DLL | C:\WINDOWS\system32
rasadhlp.dll | Remote Access AutoDial Helper | C:\WINDOWS\system32
riched20.dll | Rich Text Edit Control, v3.0 | C:\WINDOWS\system32
riched32.dll | Wrapper Dll for Richedit 1.0 | C:\WINDOWS\system32
rpcrt4.dll | Remote Procedure Call Runtime | C:\WINDOWS\system32
rsaenh.dll | Microsoft Enhanced Cryptographic Provider | C:\WINDOWS\system32
secur32.dll | Security Support Provider Interface | C:\WINDOWS\system32
setupapi.dll | Windows Setup API | C:\WINDOWS\system32
shell32.dll | Windows Shell Common Dll | C:\WINDOWS\system32
shlwapi.dll | Shell Light-weight Utility Library | C:\WINDOWS\system32
user32.dll | Windows XP USER API Client DLL | C:\WINDOWS\system32
userenv.dll | Userenv | C:\WINDOWS\system32
uxtheme.dll | Microsoft UxTheme Library | C:\WINDOWS\system32
version.dll | Version Checking and File Installation Libraries | C:\WINDOWS\system32
winmm.dll | MCI API DLL | C:\WINDOWS\system32
winsta.dll | Winstation Library | C:\WINDOWS\system32
wintrust.dll | Microsoft Trust Verification APIs | C:\WINDOWS\system32
wldap32.dll | Win32 LDAP API DLL | C:\WINDOWS\system32
ws2_32.dll | Windows Socket Bit DLL | C:\WINDOWS\system32
ws2help.dll | Windows Socket 2.0 Helper for Windows NT | C:\WINDOWS\system32
wshtcpip.dll | Windows Sockets Helper DLL | C:\WINDOWS\system32
wtsapi32.dll | Windows Terminal Server SDK APIs | C:\WINDOWS\system32
Chapter 26 - Identification List

By default, all domain users are granted Kiosk access. However, DigitalPersona Pro Enterprise provides the capability to restrict identification to a specific list of users with permissions for the computer where the identification request originates.

To restrict identification
Enable the Restrict identification to a specific list of users GPO setting (see page 122).
Remove the default domain-level permission that includes all domain users in the identification list.
Assign Allow or Deny permissions to the OU or computers.

Note that in versions prior to 5.4.1, this restriction applies only to fingerprint access; access through other credentials, such as a Windows password, is not restricted. Beginning with version 5.4.1, the restriction applies to all supported credentials.

Also, since the Kiosk rights have to be read from a Pro server to see whether or not there is a restriction, if the Kiosk cannot reach a Pro server all users are assumed to be restricted and will be rejected, except for those users who have previously logged onto the Kiosk and are therefore cached on the client.

Example: Restricting kiosk identification

The following procedure assumes that a kiosk has already been created and that the required Shared Account information has been entered. See Kiosk Shared Account Settings on page [page number omitted in source].

1 In the AD Users and Computers console, check the View menu to make sure that Advanced Features is on (has a check mark next to it).
2 Remove the default domain-level Kiosk Membership permission that allows everyone in the domain to be identified through the ID Server. Right-click on the domain and select Properties. On the Security tab, click the Advanced button. Within the Advanced Security Settings dialog, in the list of permissions, locate the permission Allow\Everyone\Kiosk Membership (DigitalPersona), and click Remove to delete it.
3 Locate (or create) and select the OU or container object that you want to configure the membership for.
4 Ensure that all kiosk computers that you want to use this identification list for are shown within the container. Add kiosk computers as necessary.
5 If you are not using a previously defined user group for the identification list, create a new user group object and add the desired users to the group.
6 Right-click on the kiosk container and select Properties. On the Security tab, click the Advanced button.
7 Set Allow or Deny permissions as desired. On Windows Server 2003/2008, follow steps 8-12 below. On Windows Server 2012, follow steps 13-18.
8 For Windows 2003/2008, complete the following steps.
9 In the Advanced Security Settings dialog, click Add to display the Select Users, Computers or Groups dialog.
10 Enter the name of the group (or specific user) that you want to define permissions for and click OK.
11 In the Permission Entry dialog, in the Apply To drop-down list, select Descendent Computer objects.
12 In the list of permissions, locate the permission Kiosk Membership (DigitalPersona) and then select either Allow or Deny.
13 For Windows Server 2012, complete the following steps.
14 In the Advanced Security Settings dialog, click Add to display the Permission Entry dialog.
15 Click the Select a principal link to display the Select Users, Computers or Groups dialog. Then enter the name of the group (or specific user) that you want to define permissions for and click OK.
16 Choose the permission type (Allow or Deny) from the Type drop-down menu.
17 In the Applies To drop-down list, select Descendent Computer objects.
18 Select Kiosk Membership (DigitalPersona). Then click OK.

In most cases, it is preferable to manage permissions at the group level rather than on a user-by-user basis. Note that a Deny permission always takes precedence over any Allow permissions for a specific group or user.
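The same Kiosk Membership permission can be audited and set from PowerShell instead of the dialogs above. This is an added example, not code from the DigitalPersona guide; it assumes the RSAT ActiveDirectory module (which provides the AD: drive) and that the extension registered the permission as a control access right under CN=Extended-Rights in the configuration partition.

```powershell
# Added example (not from the DigitalPersona guide): audit and set the
# "Kiosk Membership (DigitalPersona)" permission managed by the procedure above.
Import-Module ActiveDirectory

$KioskRightName = 'Kiosk Membership (DigitalPersona)'
# schemaIDGUID of the "computer" class: an ACE that inherits to this class is what
# the GUI shows as "Descendant Computer objects".
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Get-KioskMembershipRightGuid {
    # Resolve the rightsGuid of the control access right from its display name.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
        -Filter "objectClass -eq 'controlAccessRight' -and displayName -eq '$KioskRightName'" `
        -Properties rightsGuid
    if (-not $right) { throw "Control access right '$KioskRightName' not found; is the schema extension installed?" }
    [Guid]$right.rightsGuid
}

function Get-KioskMembershipAce {
    # List every ACE on an object that allows or denies the Kiosk Membership right.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $rightGuid = Get-KioskMembershipRightGuid
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object {
            $_.ObjectType -eq $rightGuid -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $_.IdentityReference.Value
                Type      = $_.AccessControlType      # a Deny entry wins over any Allow
                Inherited = $_.IsInherited
                AppliesTo = if ($_.InheritedObjectType -eq $ComputerClassGuid) {
                                'Descendant Computer objects'
                            } else { "$($_.InheritanceType) ($($_.InheritedObjectType))" }
            }
        }
}

function Test-DomainWideKioskAccess {
    # $true while the default Allow\Everyone\Kiosk Membership ACE is still present on the
    # domain object, i.e. step 2 of the procedure above has not been completed.
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)
    $everyone = Get-KioskMembershipAce -DistinguishedName $DomainDn |
        Where-Object { $_.Principal -eq 'Everyone' -and $_.Type -eq 'Allow' -and -not $_.Inherited }
    [bool]$everyone
}

function Set-KioskMembershipAce {
    # Add an Allow or Deny Kiosk Membership ACE on a kiosk OU, applied to descendant computers.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,  # e.g. the floor's kiosk OU
        [Parameter(Mandatory)][string]$Principal,          # 'DOMAIN\GroupName' (hypothetical)
        [ValidateSet('Allow', 'Deny')][string]$Type = 'Allow'
    )
    $identity = New-Object System.Security.Principal.NTAccount($Principal)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]$Type,
        (Get-KioskMembershipRightGuid),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ComputerClassGuid)
    $path = "AD:\$DistinguishedName"
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Usage (OU and group names are placeholders):
# Test-DomainWideKioskAccess
# Set-KioskMembershipAce -DistinguishedName 'OU=Floor2 Kiosks,DC=example,DC=com' -Principal 'EXAMPLE\Floor2-Kiosk-Users'
# Get-KioskMembershipAce -DistinguishedName 'OU=Floor2 Kiosks,DC=example,DC=com' | Format-Table -AutoSize
```

Run Test-DomainWideKioskAccess after step 2; it should return False once the Everyone entry is gone, and Get-KioskMembershipAce on each kiosk OU shows the resulting Allow and Deny entries together, which is the quickest way to spot a Deny that overrides an intended Allow.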
Chapter 27 - Pro Events for version 5.3

DigitalPersona Pro and its security applications write events to the Windows Event Log when significant activities occur, along with a date and time stamp indicating when they occurred. By default, all DigitalPersona Pro events are logged, except for those in the Status Notifier category (see page 226).

Activity events are classified into the following categories (the Task Category ID is the one shown in each category's section below; the page references of the original table did not survive).

Description | ID
Credential Management | 256
User Management | 512
Secret Management | 768
System, Services, Settings and User Sessions | 1024
External components | 1280
Password Manager Admin Tool | 1536
Fingerprint Match | 2048
DNS Registration | 2304
License Management | 4096
License Management, ID Server licensing | 4112
OTP Management | 4352
Status Notifier | 4608
Logon | 4864

Events are listed in tables under each category in the following sections. For each event, information is shown indicating where the event is logged (on the Pro Server or on a client workstation) and what level of logging an event is reported at. For example, if an event is shown as logged on the workstation (Wks) at the Fd (Fine detail) level, it will not be written to the log unless the Fine detail level is specified in the Level of detail in event logs GPO setting governing that computer (see page 111).
Credential Management

Task Category: 256

These events may be generated during credentials management. (Event IDs and the server/workstation split of the level column did not survive for most rows of this table.)

Event | ID | Level (Srvr / Wks)
Authentication failure | | A
Authenticated successfully | | Dt
Failed to enroll credential | | A
Credential enrolled | | A
Failed to unenroll credential | | A
Credential unenrolled | | A
Payload recovery has failed | | E
Failed to set payload recovery | | Fd
Payload recovery set | | Fd
Payload recovered successfully | | Fd

Level: E = Error, A = Audit, Dt = Details, Fd = Fine details

User Management

Task Category: 512

These events may be generated during user management.

Event | ID | Level (Srvr / Wks)
Failed to add user to authentication domain | | A
User added to authentication domain | | Dt
Failed to remove user from authentication domain | | A
User removed from authentication domain | | Dt
Failed to set user credentials | | A
User credentials set | | Dt
Failed to set user policy | | A
User policy set | | Dt
Failed to update user information | | A
User information updated | | Dt
Failed to identify user | | A
User identified | | Dt
Failure of user credential consistency check | | E
Failure of user credential signature check | | E
User account was unlocked | 529 | Dt / -
Pro User added to the database | 531 | A / -
Cannot add Pro User to the database | 532 | E / -
Pro User deleted from the database | 533 | A / -
Cannot delete Pro User from the database | 534 | E / -

Level: E = Error, A = Audit, Dt = Details, Fd = Fine details
Secret Management

Task Category: 768

These events may be generated during Secret management.

Event | ID | Level (Srvr / Wks)
Failure of %1 secure application data consistency check | 769 | E / E
Failed to delete secure application data | 770 | E / E
Secure application data deleted | 771 | A / A
Failure to release secure application data | 772 | E / E
Secure application data released | 773 | A / A
Failure of secure application data signature check | 774 | E / E
Failed to store secure application data | 775 | E / E
Secure application data stored | 776 | A / A
Failure to release secure application data | 777 | E / -
Secure application data released | 778 | A / -

Level: E = Error, A = Audit, Dt = Details, Fd = Fine details

System, Services, Settings and User Sessions

Task Category: 1024

These events may be generated during the management of system operations.

Event | ID | Level (Srvr / Wks)
Failed to activate authentication domain | | A
Authentication domain activated | | A
Failed to deactivate authentication domain | | A
Authentication domain deactivated | | A
Failed to start BAS | 1029 | E / E
BAS started | 1030 | A / A
BAS stopped | 1031 | A / A
Failed to reset BAS configuration parameter | 1032 | A / A
BAS configuration parameter reset | 1033 | A / A
Failed to update BAS configuration parameter | 1034 | A / A
BAS configuration parameter updated | 1035 | A / A
Fingerprint reader connected (%1 reader(s) available.) | | Fd
Fingerprint reader disconnected. (%1 reader(s) remaining.) | | Fd

Level: E = Error, A = Audit, Dt = Details, Fd = Fine details

External components

Task Category: 1280

These events may be generated during the management of external components.

Event | ID | Level (Srvr / Wks)
Credentials verified for logon | | A
Credentials verified for unlock | | A
Failed to change user password | | E
User password changed | | A
Workstation has been unregistered | | A
Software installed | | Dt
Software uninstalled | | Dt
Application enabled | | Dt
Application disabled | | Dt

Level: E = Error, A = Audit, Dt = Details, Fd = Fine details
Password Manager Admin Tool

Task Category: 1536

These events are generated when a managed logon is used or logon account data is modified.

Event | ID | Level (Srvr / Wks)
Initial fillin was performed | | Dt
Fillin was performed | | A
Account data was successfully modified | | A

Level: E = Error, A = Audit, Dt = Details, Fd = Fine details

Fingerprint Match

Task Category: 2048

These events may be generated during fingerprint matching operations.

Event | ID | Level (Srvr / Wks)
Account is locked for fingerprint verification | | A / -

Level: E = Error, A = Audit, Dt = Details, Fd = Fine details

DNS Registration

Task Category: 2304

These events may be generated during DNS registration.

Event | ID | Level (Srvr / Wks)
Registration of the server failed. (Clients will not be able to locate the server.) | 2306 | E / -
Removal of DNS record failed | | E / -
Remote server cannot be reached | | E
No remote servers available | | E

Level: E = Error, A = Audit, Dt = Details, Fd = Fine details
License Management

Task Category: 4096

These events may be generated during license management operations.

Event | ID | Level (Srvr / Wks)
The service is licensed for %1 users. (No more users can be registered at this time because the license quota has been exceeded.) | 4097 | A / A
The service is licensed for %1 users. (%2 users are already registered.%n The license quota is nearly exceeded.) | | -
License is not valid | | E
License activated | | A
License activation failed | | E
License deactivated | | A
License deactivation failed | | A

Level: E = Error, A = Audit, Dt = Details, Fd = Fine details
License Management, ID Server licensing

Task Category: 4112

These events may be generated during license management operations for the DigitalPersona ID Server.

Event | ID | Level (Srvr / Wks)
User license installed | | A
Failed to install user license(s) | | E
The number of licensed users has been changed: Total users allowed %t%1%n | | A

Level: E = Error, A = Audit, Dt = Details, Fd = Fine details

OTP Management

Task Category: 4352

These events may be generated during One Time Password operations.

Event | ID | Level (Srvr / Wks)
One Time Password is provisioned | | A
Failed to provision the One Time Password | | E
One Time Password is generated | | A
Failed to generate the One Time Password | | E
One Time Password is deleted | | A
Failed to delete the One Time Password | | E

Level: E = Error, A = Audit, Dt = Details, Fd = Fine details
Status Notifier

Task Category: 4608

These events are a special category of events that are used in Reports generated by DigitalPersona Pro Enterprise. By default these events are not written to the Windows Event Log, but must be enabled using the Level of detail in event logs setting in the GPO governing the DigitalPersona Pro clients that you want to report statuses on (see page 111).

Event | ID | Level (Srvr / Wks)
License Activation status | | A
Logon Policy for Users | | A
Session Policy for Users | | A
Logon Policy | | A
Session Policy | | A
Authentication Domain Activation Status | | A
Applications Enabling | | A

Level: E = Error, A = Audit, Dt = Details, Fd = Fine details
Logon

Task Category: 4864

These events may be generated during Logon operations.

Event | ID | Level (Srvr / Wks)
Credentials verified for logon | | Fd
Credentials verified for unlock | | Fd
Credentials verified for kiosk logon | | Fd
Credentials verified for kiosk unlock | | Fd
Computer locked | | Fd
User (%user) logged off | | Fd
Kiosk computer locked | | Fd
Kiosk user logged off | | Fd

Level: E = Error, A = Audit, Dt = Details, Fd = Fine details
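The Task Category numbers and the failure events with surviving IDs in this chapter can drive a simple monitoring query. This is an added example, not code from the DigitalPersona guide; the Event Log name and provider name are placeholders, since the guide does not give them, and must be confirmed in Event Viewer on a Pro Server or client.

```powershell
# Added example (not from the DigitalPersona guide): summarise DigitalPersona Pro
# events by Task Category and surface the documented failure events.

# Task Category number -> category name, as listed in this chapter.
$DpTaskCategory = @{
    256  = 'Credential Management'
    512  = 'User Management'
    768  = 'Secret Management'
    1024 = 'System, Services, Settings and User Sessions'
    1280 = 'External components'
    1536 = 'Password Manager Admin Tool'
    2048 = 'Fingerprint Match'
    2304 = 'DNS Registration'
    4096 = 'License Management'
    4112 = 'License Management, ID Server licensing'
    4352 = 'OTP Management'
    4608 = 'Status Notifier'
    4864 = 'Logon'
}

# Events worth alerting on whose IDs the chapter gives, with the guide's event text.
$DpWatchedEventId = @{
    532  = 'Cannot add Pro User to the database'
    534  = 'Cannot delete Pro User from the database'
    769  = 'Failure of %1 secure application data consistency check'
    774  = 'Failure of secure application data signature check'
    1029 = 'Failed to start BAS'
    2306 = 'Registration of the server failed. (Clients will not be able to locate the server.)'
    4097 = 'License quota exceeded; no more users can be registered'
}

function Get-DpEvent {
    # Read DigitalPersona Pro events written since $Since. LogName and ProviderName
    # are placeholders (ASSUMPTION), not values from the guide.
    param(
        [string]$LogName = 'Application',
        [string]$ProviderName = 'DigitalPersona Pro',
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = $LogName; ProviderName = $ProviderName; StartTime = $Since }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
}

function Get-DpEventSummary {
    # One row per Task Category: total events and how many at Windows Error level.
    param($Events)
    $Events | Group-Object -Property Task | ForEach-Object {
        $task = if ($_.Name) { [int]$_.Name } else { 0 }
        [pscustomobject]@{
            Task     = $task
            Category = if ($DpTaskCategory.ContainsKey($task)) { $DpTaskCategory[$task] } else { 'Unknown' }
            Count    = $_.Count
            Errors   = @($_.Group | Where-Object { $_.Level -eq 2 }).Count   # Windows level 2 = Error
        }
    } | Sort-Object Task
}

function Get-DpWatchedEvent {
    # Only the events on the watch list, with the meaning documented in this chapter.
    param($Events)
    $Events | Where-Object { $DpWatchedEventId.ContainsKey($_.Id) } | ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            Category = $DpTaskCategory[[int]$_.Task]
            Meaning  = $DpWatchedEventId[$_.Id]
            Machine  = $_.MachineName
            Message  = $_.Message
        }
    }
}

# Usage:
$events = Get-DpEvent
Get-DpEventSummary -Events $events | Format-Table -AutoSize
Get-DpWatchedEvent -Events $events | Format-Table -AutoSize
```

Status Notifier (4608) rows will only appear once the Level of detail in event logs setting has been raised on the clients concerned, as the section above notes, so an empty 4608 count is not by itself a fault.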
Chapter 28 - Schema extension

This chapter describes the schema extension made to the Active Directory database in order to support the operation of DigitalPersona Pro Enterprise, version 5.x. The chapter is composed of two sections.

Introduction

This schema extension is version 2. The schema extension version number is independent of the DigitalPersona Pro product version number. Each Pro product release will identify the schema extension version it requires.

The schema extension creates new attributes for the user object, creates new classes and makes changes to some existing classes (adding links), as shown in the following tables. The Microsoft naming conventions are followed. The name prefix registered with Microsoft is dp. The Microsoft-generated OID base is [value omitted in source].

For the full, detailed specifications, see Technical Bulletin 1006B, Schema Extension Specifications. This document is intended to be used for reference purposes only, and may be superseded at any time by a new version.

Section | Page
Schema extension overview | 228
Schema objects details | 235
Class details | 277
Standard Classes Extensions | 292

Schema extension overview

Schema objects summary

The following schema objects are created in the Active Directory database.

Object | Description
dp-user-credentials-data | Stores fingerprint registration templates for the user.
dp-user-account-control | Specifies the flags to control fingerprint credentials behavior for the user.
dp-user-private-data | Stores the application secure data of the user.
dp-servers-data | Stores configuration data for all authentication servers in a particular domain.
dp-license | Stores the license for all servers in the Active Directory forest.
dp-user-logon-policy | Stores user logon policy information.
dp-user-public-key | Stores the user's public key.
dp-user-payload | Stores the user's unified key data.
dp-user-recovery-key | Stores the user's recovery key.
dp-user-data-type | Stores the type of the user data stored in the dp-user-private-data attribute.
dp-lockout-time | Stores the date and time (UTC) that this account was locked out. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the account is not currently locked out.
dp-recovery-password-last-set-time | Stores data indicating the last time that the Recovery Password was set.
dp-recovery-password | Stores the computer's recovery password.
dp-master-key | Stores the computer's hard drive encryption key.

Object structure

Attribute property | Description
admindisplayname | Display name of this object for use in directory service administrative tools.
admindescription | Description of this object for use in directory service administrative tools.
cn | Common name.
ldapdisplayname | The name used by LDAP clients to refer to the object's class.
attributeid | A unique OID that identifies the attribute.
objectclass | The class of which this object is an instance.
objectcategory | Reference to an object class or one of its superclasses, which is used when searching for this object.
schemaidguid | A GUID that uniquely identifies this object. You can use this string value in an ACE to control access to objects of this class.
attributesyntax | An OID of the syntax. The combination of the attributesyntax and omsyntax properties determines the syntax of an attribute.
omsyntax | Syntax of this attribute as defined by the XAPIA XOM (X/Open Object Model) specification.
issinglevalued | TRUE means that the attribute has a single value; FALSE means that the attribute can have multiple values.
attributesecurityguid | An optional GUID that identifies the attribute as a member of an attribute set (also known as a property set).
ismemberofpartialattributeset | TRUE means that the attribute is replicated to the global catalog; FALSE means that the attribute is not included in the global catalog.
searchflags | An integer value whose least significant bit indicates whether the attribute is indexed. The four bit flags in this value are: 1 = Index over attribute only; 2 = Index over container and attribute; 4 = Add this attribute to the Ambiguous Name Resolution set, used together with 0x[value omitted in source]; [value omitted in source] = Preserve this attribute in the tombstone object for deleted objects.
showinadvancedviewonly | TRUE means that the object will appear in the Advanced View of the Users and Computers snap-in only, but not in the Windows shell. FALSE means that the object will appear in the Normal view of the Users and Computers snap-in and the Windows shell.
systemflags | An integer value that contains flags that define additional properties of this object. Category 1 classes or attributes have the 0x10 bit set by the system and cannot be set by users. They are shipped with Active Directory. For more information, see the ADS_SYSTEMFLAG_ENUM enumeration in the ADSI Reference.
systemonly | TRUE means that only Active Directory can modify the class of this object. FALSE means users can make the modification as well.

Schema classes summary

Class | Description
dp-authentication-servers-container | Object Class Container for Authentication Server objects.
dp-user-secret | Object Class used to represent application secure data of a user (i.e. the user encryption key).
dp-service-configuration | Object Class used to represent global configuration information such as schema version and license.
dp-authentication-service-connection-point | Object Class used to represent an Authentication Server. The class contains information about the Authentication Server version, service principal name, binding information etc.
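The attribute properties in the Object structure table above can be read back from a live forest to confirm how the dp-* attributes were actually created. This is an added example, not code from the DigitalPersona guide; it assumes the RSAT ActiveDirectory module, a reachable domain controller and read access to the schema partition.

```powershell
# Added example (not from the DigitalPersona guide): inventory the dp-* attributes
# and decode the properties described in the Object structure table.
Import-Module ActiveDirectory

# searchFlags bits. 1, 2 and 4 are the values described in the table above;
# 8 (preserve in tombstone) and 128 (confidential attribute) are the
# Microsoft-documented values for the remaining bits of interest.
$SearchFlagBit = @{
    1   = 'IndexAttribute'
    2   = 'IndexContainerAndAttribute'
    4   = 'AmbiguousNameResolution'
    8   = 'PreserveInTombstone'
    128 = 'Confidential'
}

function ConvertFrom-SearchFlags {
    # Turn the integer searchFlags value into a comma-separated list of flag names.
    param([int]$Value)
    $names = foreach ($bit in ($SearchFlagBit.Keys | Sort-Object)) {
        if ($Value -band $bit) { $SearchFlagBit[$bit] }
    }
    if ($names) { $names -join ',' } else { 'None' }
}

function Get-DpSchemaAttribute {
    # Enumerate attributeSchema objects whose LDAP display name carries the registered
    # "dp-" prefix and report the properties from the table above.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNc `
        -Filter "objectClass -eq 'attributeSchema' -and lDAPDisplayName -like 'dp-*'" `
        -Properties lDAPDisplayName, attributeID, attributeSyntax, oMSyntax, isSingleValued,
                    isMemberOfPartialAttributeSet, searchFlags, attributeSecurityGUID |
    ForEach-Object {
        # attributeSecurityGUID is returned as a byte array; show it as a GUID string.
        $propertySet = if ($_.attributeSecurityGUID) {
            (New-Object Guid -ArgumentList (,[byte[]]$_.attributeSecurityGUID)).ToString()
        } else { '(none)' }
        [pscustomobject]@{
            Name            = $_.lDAPDisplayName
            OID             = $_.attributeID
            Syntax          = "$($_.attributeSyntax)/$($_.oMSyntax)"   # attributesyntax/omsyntax pair
            SingleValued    = [bool]$_.isSingleValued
            InGlobalCatalog = [bool]$_.isMemberOfPartialAttributeSet
            SearchFlags     = ConvertFrom-SearchFlags ([int]$_.searchFlags)
            PropertySet     = $propertySet
        }
    } | Sort-Object Name
}

# Usage:
Get-DpSchemaAttribute | Format-Table -AutoSize
```

The InGlobalCatalog and SearchFlags columns are the ones to review for the credential-bearing attributes listed in the Schema objects summary (for example dp-user-credentials-data), since they determine where the values replicate and who can read them.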
Class structure

Class property meanings, in the order used for class definitions:

admindisplayname
    Display name of this class for use in directory service administrative tools.
admindescription
    Description of this class for use in directory service administrative tools.
cn
    Common name.
ldapdisplayname
    The name used by LDAP clients to refer to the class.
objectclass
    The class of which this object is an instance.
objectcategory
    Reference to an object class or one of its superclasses, used when searching for this object.
objectclasscategory
    1 = structural class, 2 = abstract class, 3 = auxiliary class.
defaultobjectcategory
    Object-Category used in queries for objects of this class.
rdnattid
    Attribute used as the Relative Distinguished Name (RDN) for this class.
subclassof
    Immediate superclass of this class.
systemauxiliaryclass
    Auxiliary classes that this class inherits from.
governsid
    A unique OID identifying the class.
schemaidguid
    A GUID that uniquely identifies this object. You can use this value as the ObjectType of an ACE to control access to objects of this class.
defaultsecuritydescriptor
    The default security descriptor for new instances of this class.
defaulthidingvalue
    TRUE means new instances are hidden in the administrative snap-ins and the Windows shell; FALSE means they are shown.
showinadvancedviewonly
    TRUE means the object appears only in the Advanced View of the Users and Computers snap-in, not in the Windows shell; FALSE means it appears in the Normal View of the snap-in and in the Windows shell.
systemposssuperiors
    Structural classes that can contain instances of this class. The complete set of possible containers also includes those inherited from the superclasses listed in subclassof.
systemonly
    TRUE means only Active Directory can modify this object; FALSE means users can modify it as well.
systemmustcontain
    Mandatory attributes that must be present on instances of this class. The complete set also includes attributes inherited from the superclasses listed in subclassof and those contributed by the auxiliary classes listed in systemauxiliaryclass (and by their superclasses).
systemmaycontain
    Optional attributes that may be present on instances of this class. The complete set also includes attributes inherited from the superclasses listed in subclassof and those contributed by the auxiliary classes listed in systemauxiliaryclass (and by their superclasses).
Standard Classes Extensions

The following Active Directory classes are extended in the Active Directory database to support DigitalPersona Pro.

User class, maycontain:
    dp-user-account-control
    dp-user-credentials-data
    dpuserlogonpolicy
    dpuserpublickey
    dpuserpayload
    dpuserrecoverykey
    dplockouttime

Computer class, maycontain:
    dprecoverypasswordlastsettime
    dprecoverypassword
    dpmasterkey
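The following PowerShell is an added example, not code from the DigitalPersona guide or product, showing how to read back the attributes the User class extension above adds and turn them into something an operator can act on: whether a user has fingerprint templates enrolled, how large they are against the 6.5 KB maximum the chapter documents for dp-user-credentials-data, and whether the account is currently locked out by the fingerprint lockout policy (dplockouttime is documented later in this chapter as a FILETIME, 100 ns ticks since 1 January 1601 UTC, with 0 meaning not locked out). Assumptions: the RSAT ActiveDirectory module is installed, the LDAP display names are exactly those in the maycontain list, "6.5 KB" is read as 6.5 x 1024 bytes, and the function names and the hexadecimal rendering of dpUserAccountControl are mine (the chapter does not define its flag values).

```powershell
# Added example; not part of the DigitalPersona guide or product.
Import-Module ActiveDirectory

# The attributes the User class "maycontain" list above adds (LDAP display names).
$DpUserAttributes = 'dpUserAccountControl','dpUserCredentialsData','dpUserLogonPolicy',
                    'dpUserPublicKey','dpUserPayload','dpUserRecoveryKey','dpLockoutTime'

# Documented maximum for fingerprint templates ("6.5 KB"; assumed to mean 6.5 * 1024 bytes).
$TemplateMaxBytes = 6656

# Byte length of an attribute value, treating an absent attribute as 0 bytes.
function Get-ByteLength {
    param($Value)
    if ($null -eq $Value) { return 0 }
    if ($Value -is [byte[]]) { return $Value.Length }
    return [System.Text.Encoding]::UTF8.GetByteCount([string]$Value)
}

function Get-DpUserState {
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties $DpUserAttributes

    # dpLockoutTime is a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 or absent = not locked out.
    $ticks = if ($null -ne $u.dpLockoutTime) { [long]$u.dpLockoutTime } else { 0L }
    $lockedSince = if ($ticks -gt 0) { [DateTime]::FromFileTimeUtc($ticks) } else { $null }

    $templateBytes = Get-ByteLength $u.dpUserCredentialsData

    # dpUserAccountControl is a 4-byte integer (omsyntax 2); the flag bits are not documented here,
    # so it is only rendered as hex for comparison between accounts.
    $acctCtl = if ($null -ne $u.dpUserAccountControl) { '0x{0:X8}' -f [int]$u.dpUserAccountControl } else { $null }

    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        AccountControlFlags = $acctCtl
        LogonPolicy         = $u.dpUserLogonPolicy
        FingerprintEnrolled = $templateBytes -gt 0
        TemplateBytes       = $templateBytes
        TemplateOverMax     = $templateBytes -gt $TemplateMaxBytes
        PublicKeyBytes      = Get-ByteLength $u.dpUserPublicKey
        PayloadBytes        = Get-ByteLength $u.dpUserPayload
        RecoveryKeyBytes    = Get-ByteLength $u.dpUserRecoveryKey
        DpLockedOutSinceUtc = $lockedSince
    }
}

# Usage: list every enabled user currently locked out by the fingerprint lockout policy.
# Get-ADUser -Filter 'Enabled -eq $true' |
#     ForEach-Object { Get-DpUserState -Identity $_.DistinguishedName } |
#     Where-Object DpLockedOutSinceUtc |
#     Format-Table SamAccountName, DpLockedOutSinceUtc, AccountControlFlags
```

One caveat when reading the results: Active Directory silently omits confidential attributes (searchflags 128, which in this chapter includes dp-user-credentials-data, dp-user-payload and dp-user-recovery-key) from callers that lack the CONTROL_ACCESS right, with no error. A TemplateBytes of 0 therefore means "not enrolled" only when the script runs as a principal that is allowed to read the attribute; run it as such a principal, or treat 0 as "unknown" otherwise.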
Schema objects details

Property meanings are given in the attribute property table at the start of this chapter. Of the attributes below, dp-user-credentials-data, dp-servers-data, dp-user-payload and dp-user-recovery-key carry searchflags 128 (confidential); the remaining attributes, including dp-user-private-data, carry searchflags 0 and are protected only by the ordinary read permissions on the object that holds them. None of them is replicated to the global catalog.

dp-user-credentials-data

Stores fingerprint registration templates for the user. The size of the DigitalPersona fingerprint data depends on the number of fingerprints registered, up to a maximum of 6.5 KB.

Attribute property              Value
admindisplayname                dp-user-credentials-data
admindescription                dp-user-credentials-data
cn                              dp-user-credentials-data
ldapdisplayname                 dpusercredentialsdata
attributeid
objectclass                     Attribute-Schema
objectcategory                  Attribute-Schema
schemaidguid
attributesyntax
omsyntax                        4
issinglevalued                  TRUE
attributesecurityguid           Not set
ismemberofpartialattributeset   FALSE
searchflags                     128
rangeupper
showinadvancedviewonly          TRUE
systemflags                     0
systemonly                      FALSE
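Because the fingerprint templates above (and, further down, the server data, payload and recovery key) are the attributes DigitalPersona marks confidential with searchflags 128, the practical question for an administrator is which principals can actually read them. The PowerShell below is an added example, not code from the DigitalPersona guide or product: it pulls every attributeSchema object whose LDAP display name starts with "dp" from the schema partition, decodes searchFlags using the bit names from MS-ADTS (the chapter lists only the low four bits), and then, for one user object, reports the allow ACEs that grant the CONTROL_ACCESS right (which .NET exposes as ExtendedRight) on each confidential attribute. Assumptions: the RSAT ActiveDirectory module is installed and the caller can read the schema and the user's security descriptor; the "dp*" filter, the function names, and the user DN in the usage comment are mine. Property-set ACEs are deliberately ignored because the chapter shows attributesecurityguid as "Not set" for every DigitalPersona attribute.

```powershell
# Added example; not part of the DigitalPersona guide or product.
# Requires the RSAT ActiveDirectory module and read access to the schema partition.
Import-Module ActiveDirectory

# searchFlags bits per MS-ADTS section 2.2.9. The guide documents only the low
# four; 0x80 (fCONFIDENTIAL) is the one behind the values of 128 in this chapter.
$SearchFlagNames = [ordered]@{
    0x0001 = 'INDEX'                  # index over attribute only
    0x0002 = 'CONTAINER_INDEX'        # index over container and attribute
    0x0004 = 'ANR'                    # ambiguous name resolution (requires 0x0001 too)
    0x0008 = 'PRESERVE_ON_DELETE'     # keep on the tombstone
    0x0010 = 'COPY'
    0x0020 = 'TUPLE_INDEX'
    0x0040 = 'SUBTREE_INDEX'
    0x0080 = 'CONFIDENTIAL'           # read requires CONTROL_ACCESS, not just READ_PROP
    0x0100 = 'NEVER_VALUE_AUDIT'
    0x0200 = 'RODC_FILTERED'
    0x0400 = 'EXTENDED_LINK_TRACKING'
    0x0800 = 'BASE_ONLY'
    0x1000 = 'PARTITION_SECRET'
}

function ConvertTo-SearchFlagNames {
    param([int]$Flags)
    $names = foreach ($bit in $SearchFlagNames.Keys) {
        if ($Flags -band $bit) { $SearchFlagNames[$bit] }
    }
    if ($names) { $names -join '|' } else { 'NONE' }
}

# Every attributeSchema object whose lDAPDisplayName starts with "dp", with the
# properties this chapter tabulates for each attribute.
function Get-DpSchemaAttribute {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $props = 'lDAPDisplayName','attributeID','schemaIDGUID','attributeSyntax','oMSyntax',
             'isSingleValued','isMemberOfPartialAttributeSet','searchFlags','rangeUpper'
    Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=dp*))' -Properties $props |
    ForEach-Object {
        [pscustomobject]@{
            Name         = $_.lDAPDisplayName
            OID          = $_.attributeID
            SchemaIDGUID = [guid]$_.schemaIDGUID
            Syntax       = '{0} / {1}' -f $_.attributeSyntax, $_.oMSyntax
            SingleValued = [bool]$_.isSingleValued
            RangeUpper   = $_.rangeUpper
            InGC         = [bool]$_.isMemberOfPartialAttributeSet
            SearchFlags  = ConvertTo-SearchFlagNames $_.searchFlags
            Confidential = [bool]($_.searchFlags -band 0x80)
        }
    }
}

# For one user object: the allow ACEs that grant CONTROL_ACCESS (ExtendedRight in .NET)
# on each confidential dp* attribute. GenericAll implies it, and an ExtendedRight ACE
# whose ObjectType is the empty GUID covers every extended right on the object.
function Get-DpConfidentialReaders {
    param([Parameter(Mandatory)][string]$UserDistinguishedName)
    $acl = Get-Acl -Path "AD:\$UserDistinguishedName"
    $confidential = Get-DpSchemaAttribute | Where-Object Confidential
    foreach ($attr in $confidential) {
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $grants = $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -or
                      $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
            $covers = ($ace.ObjectType -eq $attr.SchemaIDGUID) -or ($ace.ObjectType -eq [guid]::Empty)
            if ($grants -and $covers) {
                [pscustomobject]@{
                    Attribute = $attr.Name
                    Trustee   = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage (the DN is a placeholder):
# Get-DpSchemaAttribute | Format-Table Name, SearchFlags, Confidential, InGC, Syntax
# Get-DpConfidentialReaders -UserDistinguishedName 'CN=Jane Doe,OU=Staff,DC=example,DC=com' | Format-Table
```

Read the second report as "who can pull this user's fingerprint templates or recovery key out of the directory": trustees that appear only because of an inherited, empty-GUID ExtendedRight or GenericAll ACE (typically Domain Admins, Enterprise Admins, SYSTEM and the Administrators group) are expected; anything else, in particular a wide group, is worth explaining. The first report also confirms the chapter's values for searchflags and ismemberofpartialattributeset against the live schema, which is the quickest way to detect a schema extension that was applied from a different version or edited afterwards.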
dp-user-account-control

Specifies the flags that control fingerprint credential behavior for the user. Size of DigitalPersona data: 4 bytes.

Attribute property              Value
admindisplayname                dp-user-account-control
admindescription                dp-user-account-control
cn                              dp-user-account-control
ldapdisplayname                 dpuseraccountcontrol
attributeid
objectclass                     Attribute-Schema
objectcategory                  Attribute-Schema
schemaidguid
attributesyntax
omsyntax                        2
issinglevalued                  TRUE
attributesecurityguid           Not set
ismemberofpartialattributeset   FALSE
searchflags                     0
showinadvancedviewonly          TRUE
systemflags                     0
systemonly                      FALSE
dp-user-private-data

Stores the user's secure application data. Size of DigitalPersona data: varies with the type and size of the user Secrets saved; there is no fixed upper limit, and it is usually around 530 bytes. OTS Secrets: approximately 520 bytes plus application logon data, where each application logon entry consists of the account name + password + 18 bytes.

Note that searchflags is 0 for this attribute: unlike dp-user-credentials-data it is not marked confidential, so any principal with read-property access to the user object can read it.

Attribute property              Value
admindisplayname                dp-user-private-data
admindescription                dp-user-private-data
cn                              dp-user-private-data
ldapdisplayname                 dpuserprivatedata
attributeid
objectclass                     Attribute-Schema
objectcategory                  Attribute-Schema
schemaidguid
attributesyntax
omsyntax                        4
issinglevalued                  TRUE
attributesecurityguid           Not set
ismemberofpartialattributeset   FALSE
searchflags                     0
rangeupper
showinadvancedviewonly          TRUE
systemflags                     0
systemonly                      FALSE
dp-servers-data

Stores configuration data for all authentication servers in a particular domain. Size of DigitalPersona data: 1 KB.

Attribute property              Value
admindisplayname                dp-servers-data
admindescription                dp-servers-data
cn                              dp-servers-data
ldapdisplayname                 dpserversdata
attributeid
objectclass                     Attribute-Schema
objectcategory                  Attribute-Schema
schemaidguid
attributesyntax
omsyntax                        4
issinglevalued                  TRUE
attributesecurityguid           Not set
ismemberofpartialattributeset   FALSE
searchflags                     128
rangeupper
showinadvancedviewonly          TRUE
systemflags                     0
systemonly                      FALSE
dp-license

Stores license information for all DigitalPersona Pro Servers in the Active Directory forest. Size of DigitalPersona data: 0 (not currently used; provided for future extension).

Attribute property              Value
admindisplayname                dp-license
admindescription                dp-license
cn                              dp-license
ldapdisplayname                 dplicense
attributeid
objectclass                     Attribute-Schema
objectcategory                  Attribute-Schema
schemaidguid
attributesyntax
omsyntax                        4
issinglevalued                  TRUE
attributesecurityguid           Not set
ismemberofpartialattributeset   FALSE
searchflags                     0
rangeupper
showinadvancedviewonly          TRUE
systemflags                     0
systemonly                      FALSE
dp-user-logon-policy

Stores the user's logon policy information.

Attribute property              Value
admindisplayname                dp-user-logon-policy
admindescription                dp-user-logon-policy
cn                              dp-user-logon-policy
ldapdisplayname                 dpuserlogonpolicy
attributeid
objectclass                     Attribute-Schema
objectcategory                  Attribute-Schema
schemaidguid                    e667ko53beywmimrqj3t4a==
attributesyntax
omsyntax                        2
issinglevalued                  TRUE
attributesecurityguid           Not set
ismemberofpartialattributeset   FALSE
searchflags                     0
showinadvancedviewonly          FALSE
systemflags                     0
systemonly                      FALSE
dp-user-public-key

Stores the user's public key.

Attribute property              Value
admindisplayname                dp-user-public-key
admindescription                dp-user-public-key
cn                              dp-user-public-key
ldapdisplayname                 dpuserpublickey
attributeid
objectclass                     Attribute-Schema
objectcategory                  Attribute-Schema
schemaidguid
attributesyntax
omsyntax                        4
issinglevalued                  TRUE
attributesecurityguid           Not set
ismemberofpartialattributeset   FALSE
searchflags                     0
rangeupper
showinadvancedviewonly          TRUE
systemflags                     0
systemonly                      FALSE
dp-user-payload

Stores the user's unified key data.

Attribute property              Value
admindisplayname                dp-user-payload
admindescription                dp-user-payload
cn                              dp-user-payload
ldapdisplayname                 dpuserpayload
attributeid
objectclass                     Attribute-Schema
objectcategory                  Attribute-Schema
schemaidguid
attributesyntax
omsyntax                        4
issinglevalued                  TRUE
attributesecurityguid           Not set
ismemberofpartialattributeset   FALSE
searchflags                     128
rangeupper
showinadvancedviewonly          TRUE
systemflags                     0
systemonly                      FALSE
dp-user-recovery-key

Stores the user's recovery key.

Attribute property              Value
admindisplayname                dp-user-recovery-key
admindescription                dp-user-recovery-key
cn                              dp-user-recovery-key
ldapdisplayname                 dpuserrecoverykey
attributeid
objectclass                     Attribute-Schema
objectcategory                  Attribute-Schema
schemaidguid
attributesyntax
omsyntax                        4
issinglevalued                  TRUE
attributesecurityguid           Not set
ismemberofpartialattributeset   FALSE
searchflags                     128
rangeupper
showinadvancedviewonly          TRUE
systemflags                     0
systemonly                      FALSE
dp-user-data-type

Stores the type of the user data held in the dp-user-private-data attribute.

Attribute property              Value
admindisplayname                dp-user-data-type
admindescription                dp-user-data-type
cn                              dp-user-data-type
ldapdisplayname                 dpuserdatatype
attributeid
objectclass                     Attribute-Schema
objectcategory                  Attribute-Schema
schemaidguid
attributesyntax
omsyntax                        4
issinglevalued                  TRUE
attributesecurityguid           Not set
ismemberofpartialattributeset   FALSE
searchflags                     0
systemflags                     0
systemonly                      FALSE
dp-lockout-time

Stores the date and time (UTC) that this account was locked out. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero indicates that the account is not currently locked out.

Attribute property | Value | Description
admindisplayname | dp-lockout-time | Display name of this object for use in directory service administrative tools.
AdminDescription | dp-lockout-time | Description of this object for use in directory service administrative tools.
Cn | dp-lockout-time | Common name.
LDAPDisplayName | dplockouttime | The name used by LDAP clients to refer to the object's class.
AttributeID | | A unique OID that identifies the attribute.
ObjectClass | Attribute-Schema | The class of which this object is an instance.
ObjectCategory | Attribute-Schema | Reference to an object class or one of its superclasses, which is used when searching for this object.
SchemaIDGUID | | A GUID that uniquely identifies this object. You can use this string value in an ACE to control access to objects of this class.
AttributeSyntax | | An OID of the syntax. The combination of the attributeSyntax and oMSyntax properties determines the syntax of an attribute.
OMSyntax | 65 | Syntax of this attribute as defined by the XAPIA XOM (X/Open Object Model) specification.
IsSingleValued | TRUE | TRUE means that the attribute has a single value. FALSE means that the attribute can have multiple values.
attributesecurityguid | Not set | An optional GUID that identifies the attribute as a member of an attribute set (also known as a property set).
ismemberofpartialattributeset | FALSE | TRUE means that the attribute is replicated to the global catalog. FALSE means that the attribute is not included in the global catalog.
SearchFlags | 0 | An integer value whose least significant bit indicates whether the attribute is indexed. The four bit flags in this value are: 1 = Index over attribute only; 2 = Index over container and attribute; 4 = Add this attribute to the Ambiguous Name Resolution set, used together with 0x1; 8 = Preserve this attribute in the tombstone object for deleted objects.
showinadvancedviewonly | TRUE | TRUE means that the object will appear in the Advanced View of the Users and Computers snap-in only, but not in the Windows shell. FALSE means that the object will appear in Normal view of the Users and Computers snap-in and the Windows shell.
SystemFlags | 0 | An integer value that contains flags that define additional properties of this object. Category 1 classes or attributes have the 0x10 bit set by the system and cannot be set by users. They are shipped with Active Directory. For more information, see the ADS_SYSTEMFLAG_ENUM enumeration in the ADSI Reference.
SystemOnly | FALSE | TRUE means that only Active Directory can modify the class of this object. FALSE means users can make the modification as well.
dp-recovery-password-last-set-time

Stores data indicating the last time that the Recovery Password was set.

Attribute property | Value | Description
admindisplayname | dp-recovery-password-last-set-time | Display name of this object for use in directory service administrative tools.
AdminDescription | dp-recovery-password-last-set-time | Description of this object for use in directory service administrative tools.
Cn | dp-recovery-password-last-set-time | Common name.
LDAPDisplayName | dprecoverypasswordlastsettime | The name used by LDAP clients to refer to the object's class.
AttributeID | | A unique OID that identifies the attribute.
ObjectClass | Attribute-Schema | The class of which this object is an instance.
ObjectCategory | Attribute-Schema | Reference to an object class or one of its superclasses, which is used when searching for this object.
SchemaIDGUID | | A GUID that uniquely identifies this object. You can use this string value in an ACE to control access to objects of this class.
AttributeSyntax | | An OID of the syntax. The combination of the attributeSyntax and oMSyntax properties determines the syntax of an attribute.
OMSyntax | 65 | Syntax of this attribute as defined by the XAPIA XOM (X/Open Object Model) specification.
IsSingleValued | TRUE | TRUE means that the attribute has a single value. FALSE means that the attribute can have multiple values.
attributesecurityguid | Not set | An optional GUID that identifies the attribute as a member of an attribute set (also known as a property set).
ismemberofpartialattributeset | FALSE | TRUE means that the attribute is replicated to the global catalog. FALSE means that the attribute is not included in the global catalog.
SearchFlags | 0 | An integer value whose least significant bit indicates whether the attribute is indexed. The four bit flags in this value are: 1 = Index over attribute only; 2 = Index over container and attribute; 4 = Add this attribute to the Ambiguous Name Resolution set, used together with 0x1; 8 = Preserve this attribute in the tombstone object for deleted objects.
SystemFlags | 0 | An integer value that contains flags that define additional properties of this object. Category 1 classes or attributes have the 0x10 bit set by the system and cannot be set by users. They are shipped with Active Directory. For more information, see the ADS_SYSTEMFLAG_ENUM enumeration in the ADSI Reference.
SystemOnly | FALSE | TRUE means that only Active Directory can modify the class of this object. FALSE means users can make the modification as well.
dp-recovery-password

Stores the computer's recovery password.

Attribute property | Value | Description
admindisplayname | dp-recovery-password | Display name of this object for use in directory service administrative tools.
AdminDescription | dp-recovery-password | Description of this object for use in directory service administrative tools.
Cn | dp-recovery-password | Common name.
LDAPDisplayName | dprecoverypassword | The name used by LDAP clients to refer to the object's class.
AttributeID | | A unique OID that identifies the attribute.
ObjectClass | Attribute-Schema | The class of which this object is an instance.
ObjectCategory | Attribute-Schema | Reference to an object class or one of its superclasses, which is used when searching for this object.
SchemaIDGUID | | A GUID that uniquely identifies this object. You can use this string value in an ACE to control access to objects of this class.
AttributeSyntax | | An OID of the syntax. The combination of the attributeSyntax and oMSyntax properties determines the syntax of an attribute.
OMSyntax | 4 | Syntax of this attribute as defined by the XAPIA XOM (X/Open Object Model) specification.
IsSingleValued | TRUE | TRUE means that the attribute has a single value. FALSE means that the attribute can have multiple values.
attributesecurityguid | Not set | An optional GUID that identifies the attribute as a member of an attribute set (also known as a property set).
ismemberofpartialattributeset | FALSE | TRUE means that the attribute is replicated to the global catalog. FALSE means that the attribute is not included in the global catalog.
SearchFlags | 128 | An integer value whose least significant bit indicates whether the attribute is indexed. The four bit flags in this value are: 1 = Index over attribute only; 2 = Index over container and attribute; 4 = Add this attribute to the Ambiguous Name Resolution set, used together with 0x1; 8 = Preserve this attribute in the tombstone object for deleted objects. The value 128 (0x80) is the confidential-attribute flag: in addition to the read property right, reading this attribute requires the control access right on it, which restricts it to administrators and principals explicitly granted that right.
rangeupper | | The maximum value or length of an attribute.
showinadvancedviewonly | TRUE | TRUE means that the object will appear in the Advanced View of the Users and Computers snap-in only, but not in the Windows shell. FALSE means that the object will appear in Normal view of the Users and Computers snap-in and the Windows shell.
SystemFlags | 0 | An integer value that contains flags that define additional properties of this object. Category 1 classes or attributes have the 0x10 bit set by the system and cannot be set by users. They are shipped with Active Directory. For more information, see the ADS_SYSTEMFLAG_ENUM enumeration in the ADSI Reference.
SystemOnly | FALSE | TRUE means that only Active Directory can modify the class of this object. FALSE means users can make the modification as well.
dp-master-key

Stores a computer's hard drive encryption key.

Attribute property | Value | Description
admindisplayname | dp-master-key | Display name of this object for use in directory service administrative tools.
AdminDescription | dp-master-key | Description of this object for use in directory service administrative tools.
Cn | dp-master-key | Common name.
LDAPDisplayName | dpmasterkey | The name used by LDAP clients to refer to the object's class.
AttributeID | | A unique OID that identifies the attribute.
ObjectClass | Attribute-Schema | The class of which this object is an instance.
ObjectCategory | Attribute-Schema | Reference to an object class or one of its superclasses, which is used when searching for this object.
SchemaIDGUID | | A GUID that uniquely identifies this object. You can use this string value in an ACE to control access to objects of this class.
AttributeSyntax | | An OID of the syntax. The combination of the attributeSyntax and oMSyntax properties determines the syntax of an attribute.
OMSyntax | 4 | Syntax of this attribute as defined by the XAPIA XOM (X/Open Object Model) specification.
IsSingleValued | TRUE | TRUE means that the attribute has a single value. FALSE means that the attribute can have multiple values.
attributesecurityguid | Not set | An optional GUID that identifies the attribute as a member of an attribute set (also known as a property set).
ismemberofpartialattributeset | FALSE | TRUE means that the attribute is replicated to the global catalog. FALSE means that the attribute is not included in the global catalog.
SearchFlags | 128 | An integer value whose least significant bit indicates whether the attribute is indexed. The four bit flags in this value are: 1 = Index over attribute only; 2 = Index over container and attribute; 4 = Add this attribute to the Ambiguous Name Resolution set, used together with 0x1; 8 = Preserve this attribute in the tombstone object for deleted objects. The value 128 (0x80) is the confidential-attribute flag: in addition to the read property right, reading this attribute requires the control access right on it, which restricts it to administrators and principals explicitly granted that right.
rangeupper | | The maximum value or length of an attribute.
showinadvancedviewonly | TRUE | TRUE means that the object will appear in the Advanced View of the Users and Computers snap-in only, but not in the Windows shell. FALSE means that the object will appear in Normal view of the Users and Computers snap-in and the Windows shell.
SystemFlags | 0 | An integer value that contains flags that define additional properties of this object. Category 1 classes or attributes have the 0x10 bit set by the system and cannot be set by users. They are shipped with Active Directory. For more information, see the ADS_SYSTEMFLAG_ENUM enumeration in the ADSI Reference.
SystemOnly | FALSE | TRUE means that only Active Directory can modify the class of this object. FALSE means users can make the modification as well.
Class details

dp-user-secret

This class represents the user Secret object that stores the secure application data (i.e. encryption keys) for the user.

Class property | Value | Description
admindisplayname | dp-user-secret | Display name of this object for use in directory service administrative tools.
AdminDescription | dp-user-secret | Description of this object for use in directory service administrative tools.
Cn | dp-user-secret | Common name.
LDAPDisplayName | dpusersecret | The name used by LDAP clients to refer to the object's class.
ObjectClass | ClassSchema | The class of which this object is an instance.
ObjectCategory | ClassSchema | Reference to an object class or one of its superclasses, which is used when searching for this object.
ObjectClassCategory | 1 | 1 means structural classes. 2 means abstract classes. 3 means auxiliary classes.
defaultobjectcategory | dp-user-secret | Object-Category used in queries for objects of this class.
rdnattid | cn | Attribute name used as the Relative Distinguished Name (RDN) for this class.
subclassof | Top | Immediate superclass of this class.
systemauxiliaryclass | | Auxiliary classes that this class inherits from.
governsid | | A unique OID identifying the class.
SchemaIDGUID | | A GUID that uniquely identifies this object. You can use this string value in an ACE to control access to objects of this class.
defaultsecuritydescriptor | D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)S:(AU;SAFA;WDWOSDDTWPCRCCDCSW;;;WD) | The default security descriptor for new instances of this class.
defaulthidingvalue | TRUE | TRUE means that new object instances are hidden in the Administrative snap-ins and the Windows shell. FALSE covers all other situations.
showinadvancedviewonly | TRUE | TRUE means that the object will appear in the Advanced View of the Users and Computers snap-in only, but not in the Windows shell. FALSE means that the object will appear in Normal view of the Users and Computers snap-in and the Windows shell.
systemposssuperiors | User | Structural classes that can be containers of instances of this class. For the complete set of classes that can contain this class, you must include, in addition to any values shown in the Value column, those inherited from its superclasses as listed in the subclassof attribute above.
SystemOnly | FALSE | TRUE means that only Active Directory can modify the class of this object. FALSE means users can make the modification as well.
systemmustcontain | | Mandatory attributes that MUST be present on instances of this class. For the complete set of mandatory attributes for this class, you must include, in addition to any values shown in the Value column, those inherited from its superclasses as listed in the subclassof attribute above and/or those derived from any of its auxiliary classes as specified in the systemauxiliaryclass attribute above and as inherited from its superclasses.
systemmaycontain | dpuserprivatedata, dpuserdatatype | Optional attributes that may be present on instances of this class. For the complete set of optional attributes for this class, you must include, in addition to any values shown in the Value column, those inherited from its superclasses as listed in the subclassof attribute above and/or those derived from any of its auxiliary classes as specified in the systemauxiliaryclass attribute above and as inherited from its superclasses.
dp-authentication-servers-container

Container for Authentication Server objects.

Class property | Value | Description
admindisplayname | dp-authentication-servers-container | Display name of this object for use in directory service administrative tools.
AdminDescription | dp-authentication-servers-container | Description of this object for use in directory service administrative tools.
Cn | dp-authentication-servers-container | Common name.
LDAPDisplayName | dpauthenticationserverscontainer | The name used by LDAP clients to refer to the object's class.
ObjectClass | ClassSchema | The class of which this object is an instance.
ObjectCategory | ClassSchema | Reference to an object class or one of its superclasses, which is used when searching for this object.
ObjectClassCategory | 1 | 1 means structural classes. 2 means abstract classes. 3 means auxiliary classes.
defaultobjectcategory | dp-authentication-servers-container | Object-Category used in queries for objects of this class.
rdnattid | cn | Attribute name used as the Relative Distinguished Name (RDN) for this class.
subclassof | Container | Immediate superclass of this class.
systemauxiliaryclass | | Auxiliary classes that this class inherits from.
governsid | | A unique OID identifying the class.
SchemaIDGUID | | A GUID that uniquely identifies this object. You can use this string value in an ACE to control access to objects of this class.
defaultsecuritydescriptor | D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;CCDCLC;;;DA)(A;;CCDCLC;;;EA)(A;;CCDCLC;;;BA)(A;CIIO;RPWPCRCCDCLCLORCWOWDSDDTSW;;;BA)(OA;;RP;BF9679E5-0DE6-11D0-A285-00AA003049E2;;AU)(OA;;RP;26D D1-A9C6-0000F80367C1;;AU)(A;;LC;;;AU) | The default security descriptor for new instances of this class.
defaulthidingvalue | TRUE | TRUE means that new object instances are hidden in the Administrative snap-ins and the Windows shell. FALSE covers all other situations.
showinadvancedviewonly | TRUE | TRUE means that the object will appear in the Advanced View of the Users and Computers snap-in only, but not in the Windows shell. FALSE means that the object will appear in Normal view of the Users and Computers snap-in and the Windows shell.
systemposssuperiors | Container | Structural classes that can be containers of instances of this class. For the complete set of classes that can contain this class, you must include, in addition to any values shown in the Value column, those inherited from its superclasses as listed in the subclassof attribute above.
SystemOnly | FALSE | TRUE means that only Active Directory can modify the class of this object. FALSE means users can make the modification as well.
systemmustcontain | | Mandatory attributes that MUST be present on instances of this class. For the complete set of mandatory attributes for this class, you must include, in addition to any values shown in the Value column, those inherited from its superclasses as listed in the subclassof attribute above and/or those derived from any of its auxiliary classes as specified in the systemauxiliaryclass attribute above and as inherited from its superclasses.
systemmaycontain | dpserversdata | Optional attributes that may be present on instances of this class. For the complete set of optional attributes for this class, you must include, in addition to any values shown in the Value column, those inherited from its superclasses as listed in the subclassof attribute above and/or those derived from any of its auxiliary classes as specified in the systemauxiliaryclass attribute above and as inherited from its superclasses.
dp-service-configuration

Class that represents global configuration information (i.e. schema version, license).

Class property | Value | Description
admindisplayname | dp-service-configuration | Display name of this object for use in directory service administrative tools.
AdminDescription | dp-service-configuration | Description of this object for use in directory service administrative tools.
Cn | dp-service-configuration | Common name.
LDAPDisplayName | dpserviceconfiguration | The name used by LDAP clients to refer to the object's class.
ObjectClass | ClassSchema | The class of which this object is an instance.
ObjectCategory | ClassSchema | Reference to an object class or one of its superclasses, which is used when searching for this object.
ObjectClassCategory | 1 | 1 means structural classes. 2 means abstract classes. 3 means auxiliary classes.
defaultobjectcategory | dp-service-configuration | Object-Category used in queries for objects of this class.
rdnattid | cn | Attribute name used as the Relative Distinguished Name (RDN) for this class.
subclassof | Top | Immediate superclass of this class.
systemauxiliaryclass | | Auxiliary classes that this class inherits from.
governsid | | A unique OID identifying the class.
SchemaIDGUID | | A GUID that uniquely identifies this object. You can use this string value in an ACE to control access to objects of this class.
defaultsecuritydescriptor | D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)S:(AU;SAFA;WDWOSDDTWPCRCCDCSW;;;WD) | The default security descriptor for new instances of this class.
defaulthidingvalue | TRUE | TRUE means that new object instances are hidden in the Administrative snap-ins and the Windows shell. FALSE covers all other situations.
showinadvancedviewonly | TRUE | TRUE means that the object will appear in the Advanced View of the Users and Computers snap-in only, but not in the Windows shell. FALSE means that the object will appear in Normal view of the Users and Computers snap-in and the Windows shell.
systemposssuperiors | Container | Structural classes that can be containers of instances of this class. For the complete set of classes that can contain this class, you must include, in addition to any values shown in the Value column, those inherited from its superclasses as listed in the subclassof attribute above.
SystemOnly | FALSE | TRUE means that only Active Directory can modify the class of this object. FALSE means users can make the modification as well.
systemmustcontain | | Mandatory attributes that MUST be present on instances of this class. For the complete set of mandatory attributes for this class, you must include, in addition to any values shown in the Value column, those inherited from its superclasses as listed in the subclassof attribute above and/or those derived from any of its auxiliary classes as specified in the systemauxiliaryclass attribute above and as inherited from its superclasses.
systemmaycontain | AppSchemaVersion, dplicense | Optional attributes that may be present on instances of this class. For the complete set of optional attributes for this class, you must include, in addition to any values shown in the Value column, those inherited from its superclasses as listed in the subclassof attribute above and/or those derived from any of its auxiliary classes as specified in the systemauxiliaryclass attribute above and as inherited from its superclasses.
dp-authentication-service-connection-point

This class represents the Authentication Server. It provides information about the Authentication Server (i.e. version, service principal name, binding information).

Class property | Value | Description
admindisplayname | dp-authentication-service-connection-point | Display name of this object for use in directory service administrative tools.
AdminDescription | dp-authentication-service-connection-point | Description of this object for use in directory service administrative tools.
Cn | dp-authentication-service-connection-point | Common name.
LDAPDisplayName | dpauthenticationserviceconnectionpoint | The name used by LDAP clients to refer to the object's class.
ObjectClass | ClassSchema | The class of which this object is an instance.
ObjectCategory | ClassSchema | Reference to an object class or one of its superclasses, which is used when searching for this object.
ObjectClassCategory | 1 | 1 means structural classes. 2 means abstract classes. 3 means auxiliary classes.
defaultobjectcategory | dp-authentication-service-connection-point | Object-Category used in queries for objects of this class.
rdnattid | cn | Attribute name used as the Relative Distinguished Name (RDN) for this class.
subclassof | ServiceConnectionPoint | Immediate superclass of this class.
systemauxiliaryclass | | Auxiliary classes that this class inherits from.
governsid | | A unique OID identifying the class.
SchemaIDGUID | | A GUID that uniquely identifies this object. You can use this string value in an ACE to control access to objects of this class.
defaultsecuritydescriptor | D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)S:(AU;SAFA;WDWOSDDTWPCRCCDCSW;;;WD) | The default security descriptor for new instances of this class.
defaulthidingvalue | TRUE | TRUE means that new object instances are hidden in the Administrative snap-ins and the Windows shell. FALSE covers all other situations.
showinadvancedviewonly | TRUE | TRUE means that the object will appear in the Advanced View of the Users and Computers snap-in only, but not in the Windows shell. FALSE means that the object will appear in Normal view of the Users and Computers snap-in and the Windows shell.
systemposssuperiors | Container | Structural classes that can be containers of instances of this class. For the complete set of classes that can contain this class, you must include, in addition to any values shown in the Value column, those inherited from its superclasses as listed in the subclassof attribute above.
SystemOnly | FALSE | TRUE means that only Active Directory can modify the class of this object. FALSE means users can make the modification as well.
systemmustcontain | | Mandatory attributes that MUST be present on instances of this class. For the complete set of mandatory attributes for this class, you must include, in addition to any values shown in the Value column, those inherited from its superclasses as listed in the subclassof attribute above and/or those derived from any of its auxiliary classes as specified in the systemauxiliaryclass attribute above and as inherited from its superclasses.
systemmaycontain | AppSchemaVersion, MarshalledInterface, Vendor, VersionNumber, VersionNumberHi, VersionNumberLo | Optional attributes that may be present on instances of this class. For the complete set of optional attributes for this class, you must include, in addition to any values shown in the Value column, those inherited from its superclasses as listed in the subclassof attribute above and/or those derived from any of its auxiliary classes as specified in the systemauxiliaryclass attribute above and as inherited from its superclasses.
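The SearchFlags values and defaultsecuritydescriptor SDDL strings in these tables are compact and easy to misread during a schema review. The following Python decoder is an added example, not code from DigitalPersona or this guide: it expands the searchFlags bits (including the 128 set on dp-recovery-password and dp-master-key, which the four-flag list above does not cover) and parses the ACEs of the dp-user-secret default descriptor, copied from its class table with the line wraps removed. The bit names beyond the four listed in the guide follow the Active Directory schema documentation for searchFlags.

```python
from __future__ import annotations
import re

# Added example for the schema tables above; offline, standard library only.

# searchFlags bits. The guide lists 1, 2, 4 and 8; the higher bits explain
# values such as 128 (confidential attribute) on the key-holding attributes.
SEARCH_FLAG_BITS = {
    0x001: "index over attribute only",
    0x002: "index over container and attribute",
    0x004: "ambiguous name resolution (ANR) set",
    0x008: "preserve on tombstone",
    0x010: "copy when duplicating a user",
    0x020: "tuple index",
    0x040: "subtree (VLV) index",
    0x080: "confidential (read requires the control access right)",
    0x100: "never audit value changes",
    0x200: "filtered from read-only domain controllers",
}

ACE_TYPES = {"A": "allow", "D": "deny", "OA": "object allow",
             "OD": "object deny", "AU": "audit"}
ACE_FLAGS = {"CI": "container inherit", "OI": "object inherit",
             "IO": "inherit only", "NP": "no propagate", "ID": "inherited",
             "SA": "audit success", "FA": "audit failure"}
RIGHTS = {"RP": "read property", "WP": "write property", "CR": "control access",
          "CC": "create child", "DC": "delete child", "LC": "list children",
          "LO": "list object", "RC": "read control", "WO": "write owner",
          "WD": "write DACL", "SD": "delete", "DT": "delete tree",
          "SW": "self write", "GA": "generic all", "GR": "generic read",
          "GW": "generic write", "GX": "generic execute"}
TRUSTEES = {"DA": "Domain Admins", "EA": "Enterprise Admins",
            "BA": "Builtin Administrators", "SY": "Local System",
            "AU": "Authenticated Users", "WD": "Everyone"}

# defaultsecuritydescriptor of dp-user-secret, taken from the class table.
DP_USER_SECRET_SDDL = (
    "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPLCLORC;;;AU)"
    "S:(AU;SAFA;WDWOSDDTWPCRCCDCSW;;;WD)"
)


def decode_search_flags(value: int) -> list[str]:
    """Return the names of every searchFlags bit set in value."""
    return [name for bit, name in SEARCH_FLAG_BITS.items() if value & bit]


def _pairs(token: str, table: dict) -> list[str]:
    """Split a run of two-letter SDDL abbreviations and translate each."""
    if token.startswith("0x"):          # rights may also be a raw hex mask
        return [token]
    codes = [token[i:i + 2] for i in range(0, len(token), 2)]
    return [table.get(c, c) for c in codes]


def parse_ace(ace: str) -> dict:
    """Parse one ACE body: type;flags;rights;object;inherit_object;trustee."""
    ace_type, flags, rights, obj, inh_obj, trustee = ace.split(";")[:6]
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": _pairs(flags, ACE_FLAGS),
        "rights": _pairs(rights, RIGHTS),
        "object": obj,                  # GUID of a property or property set
        "inherit_object": inh_obj,
        "trustee": TRUSTEES.get(trustee, trustee),
    }


def parse_sddl(sddl: str) -> dict:
    """Return {'dacl': [...], 'sacl': [...]} for an SDDL string."""
    out = {"dacl": [], "sacl": []}
    # "D:" or "S:", optional control flags, then a run of "(...)" ACEs
    for section, body in re.findall(r"([DS]):[A-Z]*((?:\([^)]*\))*)", sddl):
        aces = re.findall(r"\(([^)]*)\)", body)
        out["dacl" if section == "D" else "sacl"] = [parse_ace(a) for a in aces]
    return out


def principals_with_right(sddl: str, right: str) -> list[str]:
    """Trustees granted `right` (e.g. 'write property') by allow ACEs."""
    return [ace["trustee"] for ace in parse_sddl(sddl)["dacl"]
            if ace["type"].endswith("allow") and right in ace["rights"]]


if __name__ == "__main__":
    print("searchFlags 128:", decode_search_flags(128))
    for ace in parse_sddl(DP_USER_SECRET_SDDL)["dacl"]:
        print(ace["trustee"], "->", ", ".join(ace["rights"]))
    print("write property:", principals_with_right(DP_USER_SECRET_SDDL, "write property"))
```

Run against the other descriptors in this chapter, the same functions show which principals can create children in the servers container and which can only read properties on the connection point, which is the check to make before granting any additional rights on these objects.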
Standard Classes Extensions

User Class: maycontain: dp-user-credentials-data, dp-user-account-control.
Index

Symbols
_dpproent SRV RR 32
_uareupro SRV RR
  DNS Console path 34
  modifying Priority and Weight settings 34
.adm and .admx 130

A
account is locked out from use of fingerprint credentials setting 83
Account lockout duration (setting) 119
Account lockout threshold (setting) 119, 135
Active Directory containers 31
  Biometric Authentication Servers container 31
Active Directory Domain Configuration Wizard 24
Active Directory Schema Extension Wizard 24
Active Directory, defined 192
adding Administrative Templates 26, 57, 58, 130
ADDLOCAL 43, 53
Administration Tools Cleanup Wizard 153
Administrative Console 194
Administrative Templates 130
ADUC Snap-in 82
Allow Pro client to use Pro Server (setting) 113
Allow running auto updates on the computer (setting) 117
Allow use of personal logons (setting) 127
Allow users to add account data 127
Allow users to delete account data 128
Allow users to edit account data 127
Allow users to view managed logon passwords 127
Attended Enrollment 94
Authentication Server Object Name property 32
authentication, defined 195
Automated site coverage by Pro Enterprise Server Locator DNS SRV records (setting) 122
automatic DNS registration 32
Automatic logon using the Shared Kiosk Account 175

B
back up 195
Biometric Authentication Servers container 31
Bluetooth 108, 195

C
Cache user data on local computer 110
card reader 195
changes made during installation 31
changing passwords 176
Chrome browser 17
Citrix Presentation Server Workstation installation 44, 53, 60
Citrix Published Application Name 112
Cleanup Wizard 153
configure domain 24
configuring
  OUs for kiosks 29
  Pro Server GPO settings 29
  settings for Pro Kiosk 28
configuring DNS dynamic registration 34
connected device 195
contactless cards supported 195
Credential Authentication events 149
Credential Management events 145, 218
Credentials, defined 196

D
dashboard 196
deactivate a client license 81
Delete Fingerprints command 84
DigitalPersona Pro Workstation 13
DNS Console path 34
DNS Registration 32
DNS Registration events 149, 223
Do not allow users to run local administrative tasks (setting) 112
Do not launch the Getting Started wizard upon logon (setting) 113
domain, configuring for Pro Server 24
Dynamic DNS, defined 196
Dynamic registration of Pro Enterprise Server Locator DNS records (setting) 124
E
Enable multi-factor authentication in Windows logon (setting) 116
Enable One Step Logon (setting) 117
Enable the Discover more button (setting) 117
Encryption policy 115
enroll 196
ESPM 152
events
  Credential Authentication 149
  Credential Management 145, 218
  DNS Registration 149, 223
  External components 222
  Fingerprint Match 148, 223
  License Management 224
  License Management, ID Server 225
  OTP Management 225
  Secret Management 147, 221
  System 147, 221
  User Management 146, 219
extend the Active Directory schema 24
Extended Server Policy Module 152
External components events 222

F
Fast Connect 112
fingerprint 196
Fingerprint Match events 148, 223

G
ghosting 13
GPMC extensions 130
GPO implementation guidelines 131
Group Policy 193

I
identification limits 47
imaging 13
implementation guidelines 131
improving performance 34
installing
  ADUC User Properties Snap-in 56
  DigitalPersona Defender 57
  DigitalPersona Pro Enterprise Add-on 58
  Pro client software 41, 50
  Pro Server 26
installing Citrix support after DigitalPersona Pro client installation 62

K
kiosk permissions 30
Kiosk Session Authentication Policy 103

L
Level of detail in event logs (Server) 121
Level of detail in event logs (setting) 111, 121
License Management events 224
License Management, ID Server events 225
local installation of Pro Workstation 35, 46
Lock the computer on smart card removal (setting) 111
locked account 83
Log Status Events 112, 121, 151
logging on to kiosks 175
logging on to programs 177
logon 196

M
managed computer 196
managed logons 197
Managed logons (setting) 127
manual DNS registration 33
modifying DNS Priority setting 34

O
OMNIKEY CardMan readers 195
online help 17
Organizational Units 193
OTP Management events 225
OTS templates 30

P
Password Manager 197
Password Manager Admin Tool 197
Path(s) to the managed logons folder(s) 128
personal logon 197
295 Index policies DigitalPersona Pro client 101 DigitalPersona Pro Enterprise Server 118 Prevent Password Manager from running (setting) 115 Priority set in Pro Enterprise Server Locator DNS records (setting) 123 Pro client 196 Pro Reporter Event Forwarding 112 Pro Server Active Directory containers 31 installation overview 22 installing software 26 published information 32 uninstalling 34 Pro Server GPO settings OTS templates 30 Product Compatibility 18 Product GUID property 32 Product Name 32 Product Version High property 32 Product Version Low property 32 Product Version Number property 32 published information 32 Authentication Server Object Name property 32 keywords 32 Product GUID property 32 Product Name 32 Product Version High property 32 Product Version Low property 32 Product Version Number 32 Schema Version Number property 32 Service Class GUID property 32 Service Class Name property 32 Service Principal Name property 32 Vendor Name property 32 R randomize user s Windows Password 82 recover a computer 135 recovery computer 135 from account lock 135 user 134 Refresh interval of Pro Enterprise Server DNS records (setting) 122 Register Pro Enterprise Server Locator DNS records for domain (setting) 124 remote activation of the local workstation 79 REMOVE 43, 53 removing Pro data 153 Reset account lockout counter after (setting) 119 restore 198 S schema Active Directory Schema Extension Wizard 24 details 22 extending 23 Schema extension details 235 overview 228 Schema Version Number property 32 Secret 198 Secret Management events 147, 221 Service Class GUID property 32 Service Class Name property 32 Service Principal Name property 32 Service Resource Records 198 _dpproent SRV RR 32 adding manually 34 format 32 Session Authentication Policy 102, 125 Session Authentication Policy (setting) 128 Set the False Accept Rate 110 Set the maximum number of enrolled fingerprints 110 Set the minimum length of user PIN 111 Set the minimum number of enrolled fingerprints 
110 settings DigitalPersona Pro client 101 DigitalPersona Pro client (user) 124 DigitalPersona Pro Enterprise Server 118 Shared Accounts, specifying 29 silent authentication 108 Sites covered by Pro Enterprise Server Locator DNS SRV records (setting) 123 DigitalPersona Pro Enterprise - Administrator Guide 295
296 Index slipstreaming 38, 49 smart card 199 specifying Shared Accounts 29 Status Notifier events 112, 121, 136, 151 support online help 17 readme file 17 SVR RR 198 System events 147, 221 system requirements DigitalPersona Pro Workstation for Enterprise 17 Pro Workstation 35, 46 W Weight set in Pro Enterprise Server Locator DNS records (setting) 123 T to remove user credential data 86 to unlock a locked account 83 Transform files 44, 54 U uninstalling Pro Server 34 Pro software remotely 36, 38, 48, 49 unlocking locked accounts 83 upgrading from Previous Versions 23 User Context Menu commands 84, 135 User Management events 146, 219 User must provide Fingerprint and PIN to log on 152 User must provide Fingerprint and Windows Password to log on 152 User must provide Fingerprint to log on 152 User provides only Windows credentials to log on 83 users, switching 178 using One Touch Logon 175 using Pro Cleanup Wizard 153 V Vendor Name published information property 32 DigitalPersona Pro Enterprise - Administrator Guide 296