ScriptLogic Desktop Authority Password Self-Service version 4.6 Quick Start Guide

Transcription

1 ScriptLogic Desktop Authority Password Self-Service version 4.6 Quick Start Guide

2 Password Self-Service 4 ii 2010 Quest Software, Inc. ALL RIGHTS RESERVED. Licensed to ScriptLogic Corporation This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser s personal use without the written permission of Quest Software, Inc. TRADEMARKS Quest, Quest Software, the Quest Software logo, ScriptLogic, ScriptLogic Software, the ScriptLogic Software logo, Aelita, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Fastlane, Final, Foglight, Funnel Web, I/Watch, Imceda, InLook, InTrust, IT Dad, JClass, JProbe, LeccoTech, LiveReorg, NBSpool, NetBase, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Speed Change Manager, Speed Coefficient, Spotlight, SQL Firewall, SQL Impact, SQL LiteSpeed, SQL Navigator, SQLab, SQLab Tuner, SQLab Xpert, SQLGuardian, SQLProtector, SQL Watch, Stat, Stat!, Toad, T.O.A.D., Tag and Follow, Vintela, Virtual DBA, and XRT are trademarks and registered trademarks of Quest Software, Inc. Other trademarks and registered trademarks used in this guide are property of their respective owners. DISCLAIMER The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. Updated 24 May 2010 ii

3 Password Self-Service 4 iii DOCUMENTATION CONVENTIONS In order to help you get the most out of this guide, we have used specific formatting conventions, which apply to procedures, icons, keystrokes and cross-references. Element Bolded text Italic text Convention Interface elements that appear in ScriptLogic products, such as menus and commands. Used for comments. + A plus sign between two keystrokes means that you must press them at the same time. A pipe sign between elements means that you must select the elements in that particular sequence. CONTACTING SCRIPTLOGIC Contact ScriptLogic about any questions, problems or concerns. ScriptLogic Corporation 6000 Broken Sound Parkway NW Boca Raton, Florida Sales and General Inquiries Technical Support Fax SCRIPTLOGIC ON THE WEB ScriptLogic can be found on the web at Our web site offers customers a variety of information: Download product updates, patches and/or evaluation products. Locate product information and technical details. Find out about Product Pricing. Search the Knowledge Base for Technical Notes containing an extensive collection of technical articles, troubleshooting tips and white papers. Search Frequently Asked Questions, for the answers to the most common non-technical issues. Participate in Discussion Forums to discuss problems or ideas with other users and ScriptLogic representatives. Updated 24 May 2010 iii

4 Password Self-Service 4 iv Contents PRODUCT OVERVIEW...1 LICENSING...1 Installing the License...2 Updating the License...2 PASSWORD SELF-SERVICE COMPONENTS...2 INSTALLING PASSWORD SELF-SERVICE...4 CONFIGURING THE PASSWORD SELF-SERVICE APPLICATION ACCOUNT...4 STEPS TO INSTALL PASSWORD SELF-SERVICE...4 INSTALLING MULTIPLE INSTANCES OF PASSWORD SELF-SERVICE...7 Understanding Farms...7 SELECTING CRYPTOGRAPHIC AND HASHING ALGORITHMS...8 INSTALLING PASSWORD POLICY MANAGER...9 DEPLOYING AND CONFIGURING SECURE PASSWORD EXTENSION...10 Self-Service Site Location and Service Connection Points...11 Password Manager Farm Affinity...12 Overriding Automatic Self-Site Location...13 Customizing the Logo for Secure Password Extension...14 Customizing Position of the Secure Password Extension Window...15 Managing Secure Password Extension Using Administrative Templates...16 Generic Settings...16 Pre-Windows Vista Settings...19 Windows Vista Settings...19 ENABLING HTTPS...20 UPGRADING PASSWORD SELF-SERVICE...21 UPGRADE RECOMMENDATIONS...21 UPGRADE REQUIREMENTS...22 UPGRADE FROM PASSWORD SELF-SERVICE VERSION 3.X...23 Single Server Upgrade...23 Multiple Server Upgrade...24 Upgrading Password Policy Manager...25 UPGRADING SECURE PASSWORD EXTENSION...26 UPGRADE FROM PASSWORD SELF-SERVICE VERSION 4.X...28 Single Server Upgrade...28 Multiple Server Upgrade...29 UPGRADING PASSWORD POLICY MANAGER...31 UPGRADING GINA EXTENSION TO SECURE PASSWORD EXTENSION...31 MANAGING DOMAINS...33 CONFIGURING PERMISSIONS TO ACCESS A DOMAIN...33 ADDING A MANAGED DOMAIN...34 CONFIGURING PASSWORD POLICIES...35 About Password Policies...35 Installing Password Policy Manager...36 Creating and Configuring a Password Policy...37 Configuring Password Policy Rules...38 Password Age Rule Updated 24 May 2010 iv

5 Password Self-Service 4 v Complexity Rule Required Characters Rule Disallowed Characters Rule Sequence Rule User Properties Rule Dictionary Rule Symmetry Rule Managing Password Policy Links...45 Deleting a Password Policy...46 MANAGING QUESTIONS AND ANSWERS PROFILES...47 Creating and Configuring Question Lists...47 Configuring Questions and Answers Policy Performing Bulk Profile Updates...50 Changing the Attribute Used for Storing Questions and Answers Profiles Bulk Creation of Questions and Answers Profiles CONFIGURING REGISTRATION NOTIFICATION AND ENFORCEMENT...51 DELEGATING HELP DESK AND ADMINISTRATIVE TASKS...55 Delegating Help Desk Tasks...55 Delegating Administrative Tasks...55 CONFIGURING ACCESS TO SELF-SERVICE SITE...56 GLOSSARY...57 Updated 24 May 2010 v

6 Password Self-Service 4 1 Product Overview ScriptLogic Desktop Authority Password Self-Service provides users and help desk support personnel with the ability to easily and securely manage their passwords, thus eliminating the need for assistance from high-level administrators, and reducing help desk workload. This solution offers a powerful and flexible password policy control mechanism that allows the administrator to ensure that all passwords in the organization comply with the established policies. ScriptLogic Desktop Authority Password Self-Service works with Windows 2000, and 2003, and Windows 2008 domains, including domains operating in mixed mode. LICENSING The Password Self-Service license specifies the maximum number of enabled user accounts in all managed domains. When launching the Administration site, Password Self-Service counts the actual number of enabled user accounts, and compares it with the maximum number specified by the license. If the actual number exceeds the maximum licensed number, a license violation occurs. A warning message is displayed on every connection to the Administration site of Password Self-Service. In the event of a license violation, you have the following options: Exclude a number of user accounts from the user accounts managed by Password Self-Service to bring your license count in line with the licensed value and reconnect to the Administration site to recalculate the license number. Remove one or more managed domain to decrease the number of managed user accounts. Purchase a new license with a greater number of user accounts, and then update your license using the instructions provided later in this section. Note: The following items are not limited by the license: The number of computers connected to the Administration, Self-Service, and Help Desk sites of Password Self-Service. The number of Password Self-Service instances in a large enterprise, Password Self-Service can be installed on multiple computers for enhanced performance and fault tolerance. Updated 24 May

7 Password Self-Service 4 2 Installing the License The license is initially installed when you install the Password Self-Service: 1. In the Installation Wizard, click Licenses to display the License status dialog box. 2. Click Browse License, locate and open your license key file using the Select License File dialog box, and then click Close. Updating the License If you have purchased a new license, you need to update the license by installing the new license key file. You can use the About section of the Administration site to install the file. To update the license 1. On the menu bar, select About, and then select Update License. 2. On the Update License page, click Browse, and then use the Choose file dialog box to locate and open your license key file. PASSWORD SELF-SERVICE COMPONENTS Password Self-Service includes the following components: Component Description Importance Password Self- Service x86 Password Self- Service x64 Password Policy Manager x86 Password Policy Manager x64 Secure Password Extension x86 The suite of role-based sites that expose the functionality of Password Manager to end users. Must be installed on a 32-bit machine. The suite of role-based sites that expose the functionality of Password Manager to end users. Must be installed on a 64-bit machine. Password Policy Manager is designed to enforce domain password policies set with Password Self-Service. If you choose to install this component, you must install it on all domain controllers running a 32-bit Microsoft Windows Server operating system. Password Policy Manager is designed to enforce domain password policies set with Password Self-Service. If you choose to install this component, you must install it on all domain controllers running a 64-bit Microsoft Windows Server operating system. Secure Password Extension x86 facilitates access to the Self-service site from the Windows logon screen. Secure Password Extension x86 is intended to be deployed on computers running 32-bit versions of Microsoft Windows operating systems. Required Required Optional Optional Optional Updated 24 May

8 Password Self-Service 4 3 Component Description Importance Secure Password Extension x64 The Secure Password Extension facilitates access to the Self-service site from the Windows logon screen. Secure Password Extension x64 is intended to be deployed on computers running 64-bit versions of Microsoft Windows Vista. Optional Updated 24 May

9 Password Self-Service 4 4 Installing Password Self-Service This section describes how to install ScriptLogic Desktop Authority Password Self-Service. You will learn how to configure an account to use it as Password Self-Service Application Account. A separate section will guide you through the steps required to install Password Self-Service. CONFIGURING THE PASSWORD SELF-SERVICE APPLICATION ACCOUNT When installing Password Self-Service, you are prompted for the name and password of the Password Self-Service application account. For Password Self-Service to run successfully, the Password Self-Service application account must meet the following requirements: You need to add the Password Self-Service application account to the Administrators group on the Web server where Password Self-Service is installed. Password Self-Service application account must be a member of the IIS_WPG local group on the Web server. Before you install Password Self-Service, make sure that the Password Self- Service application account has the rights listed above. STEPS TO INSTALL PASSWORD SELF-SERVICE When installing a new Password Self-Service instance, you can either upgrade in place the existing instance, install a new instance, or add a new instance to a Password Self-Service farm. In place upgrade allows you to upgrade an existing instance of Password Self-Service provided it supports in-place upgrade. New instance of Password Self-Service you normally install to enable the Password Self-Service functionality in a new environment or to create a new Password Self-Service farm managing the same environment. Password Self-Service farm is a group of Password Self-Service instances sharing common configuration and collectively serving client requests to ensure high availability and load balancing. To add a new member to a a Password Self-Service farm, you use the "A replica of an existing instance" option. Normally, you install Password Self-Service using the Password Self-Service installation wizard. Before starting the wizard, ensure that the account you use to install Password Self-Service is the member of the following groups and roles: Updated 24 May

10 Password Self-Service 4 5 The local Administrators group on the computer where you plan to install Password Self-Service. The database creators (db_creator) fixed role on the SQL Server used to store the Password Self-Service configuration database. To install Password Self-Service 1. Remove any previous versions of Password Self-Service by using Add or Remove Programs in Control Panel. 2. Run the autorun.exe file located in the root folder of the installation CD. 3. Install the redistributable packages required by Password Self-Service. The installation CD includes all the required redistributable packages; they are listed below Application.NET Framework 3.5 How to Install 1. Select Redistributables from the menu bar. 2. Click.NET Framework When the installation completes, restart the computer. 4..On the Password Self-Service tab, click Password Self-Service (x86) (for 32-bit system) or Password Self-Service (x64) (for 64-bit system) to start the ScriptLogic Desktop Authority Password Self-Service installation wizard. 5. Click Next. 6. Specify the following options, and then click Next: Option Full name Organization Licenses Action Type your name Type the name of your organization Click this button, and then specify the path to the license file. Note: A license file is the file with the.asc extension that you have obtained from your ScriptLogic representative. You can define whether to install the application only for the current user or for all users on the computer. 7. Read the license agreement, select I accept the license agreement, and then click Next. 8. On the Select Features page, select the features that you want to install and the installation path, and then click Next. Updated 24 May

11 Password Self-Service Select the type of instance you want to install and click Next. You can choose from the following options: Option A unique instance A replica of an existing instance Upgrade the existing instance Description This option automatically creates a new instance of Password Self-Service. Installer will generate encryption keys to encrypt the configuration data. If you select this option, you will be prompted to specify the file name and location to store the encryption keys. This option creates a new instance of Password Self-Service that uses the configuration of an existing instance. The Password Self-Service instances sharing the same configuration are collectively referred to as Password Self-Service farm. If you select this option, you will be prompted to specify the path to the encryption keys generated when installing the existing instance of Password Self-Service. This option is available only if you are upgrading from a previous version of Password Self-Service. 10. On the Password Self-Service Account Information page, specify the name and password for the Password Self-Service application account, and then click Next. Use the following user name format: DOMAIN\Username. 11. On the Specify Web Site Root Directory page, enter the Web site name and the virtual directory name, and then click Next. 12. Click Install. 13. When installation is complete, click Finish, and then restart the computer when prompted. Important: During installation, Setup creates the 'Desktop Authority Password Self-Service' and Desktop Authority Password Self-Service Publisher scheduled tasks on the local computer. Do not delete these scheduled tasks, otherwise Password Self-Service may not operate properly. Updated 24 May

12 Password Self-Service 4 7 INSTALLING MULTIPLE INSTANCES OF PASSWORD SELF-SERVICE Normally, you install multiple instances of Password Self-Service to provide for: enhanced availability and fault tolerance by installing additional replicas of the Password Self-Service instance which is already available in a domain. You do this by using the "A replica of an existing instance" option in Password Self-Service Install Wizard. Several Password Self- Service instances sharing common configuration are referred to as farm. For more information on farms, see the next section. maintaining more than one Password Manager configuration in a single domain. This may be required when a domain in an organization spans several locations which requiring different Password Self-Service configurations, for instance different Q&A policies. You do this by using the "A unique instance" option in Password Manager Install Wizard. Understanding Farms For the ease of management, you can group several Password Self-Service instances into a farm. A farm is a group of Password Self-Service instances using common configuration settings, including but not limited to Questions and Answers profiles, Self-Service and Help-Desk sites settings. The members of a Password Self-Service farm do not necessarily manage the same set of domains, i.e., individual farm members may manage different domains. Although, if several members of a Password Self-Service farm manage the same server, they use the same settings and any updates to the settings made on one member are effectively propagated to other members of the farm managing that domain. Also, several members of a Password Self-Service farm managing the same domain can be used interchangeably for serving user requests. By using Group Policy, you can bind users from a domain managed by several Password Self-Service farms to specific. You can use this feature to implement different Password Self-Service policies in a single domain. For instance, if a domain in your organization spans two offices located in New York (USA) and Paris (France) and you want Password Self-Service to use different Q&A policies in the offices, you can implement two Password Self- Service farms and bind users of the NY office to one of the farms and the users from the French office bind to the other farm. You bind users to specific farms by using the Password Self-Service affinity feature. For more information about Password Self-Service affinity, see Password Manager Farm Affinity. Updated 24 May

13 Password Self-Service 4 8 SELECTING CRYPTOGRAPHIC AND HASHING ALGORITHMS By default, Password Self-Service uses 192-bit TripleDES algorithm to encrypt configuration data such as Questions and Answers profiles, and the MD5 algorithm for hashing users' authentication answers. Alternatively, you can select the combination of the AES-256 data encryption algorithm and the SHA-256 hashing algorithm, both being NSA-approved cryptographic algorithms intended to protect both classified and unclassified national security systems and information. To enable Password Self-Service to use the AES-256 and the SHA-256 algorithms, you can use one of the following methods: If Password Self-Service is being installed for the first time on a server, install the solution from the command line using Msiexec.exe and specifying the AES_SHA_256="yes" as a command-line parameter. If you have already installed Password Self-Service on a server, manually modify the local.spr file to specify the encryption algorithms. To install Password Self-Service from the command line using Msiexec.exe 1. Launch the Setup program from the command line by adding the AES_SHA_256="yes" as a command-line parameter. For example: msiexec /i "C:\ScriptLogic Desktop Authority Password Self- Service.msi" AES_SHA_256="yes" /l*v "%TEMP%PRMSetup.log" 2. Follow the instructions in the Installation Wizard. To manually modify the local.spr file 1. Open the local.spr file with Notepad (or any text editor) at the following location: '<install location>\prmdll\'. If the file does not exist, create it with Notepad. 2. Under '[Options]', type the following strings on separate lines: csp=aes klen=256 calg=aes256 halg=sha256 The strings are case sensitive. 3. Save the file. The existing Password Self-Service configuration data is then re-encrypted with the specified algorithms. Note: Once you have enabled Password Self-Service to use the stronger encryption algorithms (the combination of AES-256 and SHA-256), you cannot change back to the default algorithms (the combination of 192-bit TripleDES and MD5). To have Password Self-Service use the default encryption and hashing algorithms (the combination of 192-bit TripleDES and MD5), install the solution by following the procedure outlined in Installing Password Self-Service. Updated 24 May

14 Password Self-Service 4 9 INSTALLING PASSWORD POLICY MANAGER Password Policy Manager is an independently deployed component of Password Self-Service intended to enforce the Password Self-Service policies. Password Policy Manager must be installed on all domain controllers in a managed domain This section describes how to deploy Password Policy Manager in a managed domain. Password Policy Manager is deployed on all domain controllers through Group Policy. You can create a new Group Policy object (GPO) or use an existing one to assign the installation package with the Password Policy Manager to the destination computers. Password Policy Manager is then installed on computers on which the GPO applies. Depending on the operating system running on the destination computers, you apply either of the following installation packages included on the installation CD: Desktop Authority Password Policy Manager x86.msi - Installs the Password Policy Manager on domain controllers running an x86 Microsoft Windows Server operating system. Desktop Authority Password Policy Manager x64.msi - Installs the Password Policy Manager on domain controllers running an x64 Microsoft Windows Server operating system. The installation packages are located in the \Setup\program files\scriptlogic\desktop Authority Password Self-Service\Deployment\PPM folder on the installation CD. Note: Depending on whether a domain controller is running an x86 or x64 version of Microsoft Windows Server operating system, the appropriate version of the Password Policy Manager must be installed. To install Password Policy Manager on a single domain controller 1. Run the appropriate Password Policy Manager.MSI package located in the \Setup\program files\scriptlogic\desktop Authority Password Self- Service\Deployment\PPM folder on the installation CD. 2. Restart the computer once the installation completes. To deploy Password Policy Manager on multiple domain controllers 1. Copy the appropriate Password Policy Manager.MSI package from the installation CD to a network share accessible from all domain controllers in a managed domain. 2. Create a GPO and apply it to all domain controllers in a managed domain. You may also choose an existing GPO to deploy the Password Policy Manager. 3. Open the Computer Configuration folder under the selected GPO, and then open the Software Settings folder. 4. Right-click Software installation, and then select New Package. 5. Select the.msi package you have copied in step Click Open. 7. Select the deployment method and click OK. 8. Verify and configure the installation properties if needed. Updated 24 May

15 Password Self-Service 4 10 DEPLOYING AND CONFIGURING SECURE PASSWORD EXTENSION This section describes the prerequisites and steps for deploying and configuring ScriptLogic Secure Password Extension to provide access to the Self-Service site from the Windows logon screen on end-user computers. The Secure Password Extension is deployed on client computers through Group Policy. You can create a new Group Policy object (GPO) or use an existing one to assign the installation package with the Secure Password Extension to the destination computers. The Secure Password Extension is then installed on computers on which the GPO applies. Depending on the operating system running on the destination computers, you must apply either of the following installation packages included on the installation CD: Desktop Authority Secure Password Extension x86.msi - Installs the Secure Password Extension on computers running x86 versions of pre- Windows Vista, Windows Vista, and Windows 7 operating systems. Desktop Authority Secure Password Extension x64.msi - Installs the Secure Password Extension on computers running x64 versions of Windows Vista and Windows 7. You can modify the behavior and on-screen appearance of the Secure Password Extension components by configuring the prm_gina.adm Administrative Template's settings, and then applying the template to the target computers through Group Policy. Follow the steps below to configure and deploy the Secure Password Extension on end-user computers. To deploy and configure the Secure Password Extension 1. Copy the prm_gina.adm administrative template file from the \Setup\program files\scriptlogic\desktop Authority Password Self- Service\Deployment\SPE\Administrative Template\ folder of the installation CD. The recommended target location is the \inf subfolder of the Windows folder on a domain controller. 2. Copy the required installation package (Desktop Authority Secure Password Extension.msi or Desktop Authority Secure Password Extension x64.msi) from the installation CD to a network share accessible from all domain controllers where you want to install the Secure Password Extension. The.MSI packages are located in the \Setup\program files\scriptlogic\desktop Authority Password Self-Service\Deployment\SPE\ folder of the installation CD. 3. Create a GPO and link it to all computers, sites, domains, or organizational units where you want to use the Secure Password Extension. You may also choose an existing GPO to use with the Secure Password Extension. 4. Open the GPO in the Group Policy Object Editor, and then do the following: Under the Computer Configuration node, right-click Administrative Templates, and then click Add/Remove Templates. Click Add, and then browse for the prm_gina.adm file that you have copied in step 1. Updated 24 May

16 Password Self-Service 4 11 Expand Computer Configuration/Administrative Templates and then click the ScriptLogic Desktop Authority Password Self- Service node. Configure the prm_gina.adm Administrative Template settings, as required. For the complete reference to the policy settings included in this administrative template, including their brief descriptions, see Managing Secure Password Extension Using Administrative Templates. Expand Computer Configuration/Software Settings, right-click Software installation, and then select New Package. Browse for the.msi package you have copied in step 2, and then click Open. In the Deploy Software window, select a deployment method and click OK. Verify and configure the properties of the installation, if needed. 5. To complete Secure Password Extension installation, you must reboot all the client computers affected by the Group policy. Self-Service Site Location and Service Connection Points To enable users to open the Self-Service site by clicking the Forgot My Password or the Manage My Password buttons on the Windows logon screen, you no longer need to configure the URL path that points to a specific server where the Self-Service site is deployed because Password Self-Service automatically locates the nearest Self-Service site. Secure Password Extension locates the Self-Service site using service connection points mechanism available in Active Directory. Service connection points are used in Active Directory to publish information that applications can use to bind to a service. To locate the server where the Self-Service site is deployed, Secure Password Extension uses the service connection points published by Password Self-Service instances in Active Directory. When an instance of Password Self-Service is installed, Password Self-Service publishes its service connection points in Active Directory. Password Self- Service regularly updates its service connection points using the ScriptLogic Password Self-Service Publisher scheduled task. Every 10 minutes, the task publishes the service connection points in all the domains managed by the underlying Password Self-Service instance. Updated 24 May

17 Password Self-Service 4 12 Password Manager Farm Affinity In some instances, you may want Secure Password Extension to contact only specific Password Self-Service instances when locating a Self-Service site. You can force Secure Password Extension to use only Password Self-Service instances that belong to specific Password Self-Service farm. Password Self-Service farm is one or more Password Self-Service instances sharing common configuration and the same encryption key. Normally, you add a member to a Password Self-Service farm by installing a new Password Self-Service instance using the "A replica of an existing instance" option. To force Secure Password Extension to use only Password Self-Service from a specific farm, you must set the Secure Password Extension affinity for that farm. To set Secure Password Extension affinity for a Password Self-Service farm: 1. Open the Administration site of the Password Self-Service instance that belongs to the target farm. 2. On the Administration site home page, click Managed Domains, and on the Managed Domains page, click the domain, to which belongs the computer running the Secure Password Extension instance you want to bind. 3. On the General tab, select the contents of the Password Self-Service Farm Affinity ID box, right-click the selection and select Copy. 4. Open Administrative Tools (located at Start Menu Settings Control Panel). 5. Open Active Directory Users and Computers. 6. Right-click the managed domain name on the left pane and select Properties. 7. Select the domain policy that is configured to work with Secure Password Extension on the Group Policy tab and click Edit. 8. Expand Default Domain Policy Computer Configuration on the Group Policy Object Editor left pane, then right click Administrative Templates node, and select Add/Remove Templates. 9. Click Add, browse for the prm_gina.adm file, select it, and then click Open. 10. Click Close to close the Add/Remove Templates dialog box. 11. Select Administrative Templates node, and then double-click the ScriptLogic Password Self-Service template on the right pane. 12. Click Generic Settings in the left pane. 13. In the right pane, double-click Password Self-Service Farm Affinity. 14. Select the Enabled option on the Settings tab, and then right-click the Farm Affinity ID text box and select Paste. 15. Click OK. 16. Apply the updated policy to the computers in the managed domain. Note: Application of the updated policy to the computers in the managed domain may take some time to complete. Updated 24 May

18 Password Self-Service 4 13 Overriding Automatic Self-Site Location In some instances, you may not want Secure Password Extension to automatically locate the nearest Self-Service site using the Password Self- Service connection points published in Active Directory. If you need to override the default behavior and force a Secure Password Extension to use specific Self-Service site, you must explicitly manually specify the URL path and override the default behavior of Secure Password extension by following the steps below. To override automatic Self-Service site location: 1. Open Administrative Tools (located at Start Menu Settings Control Panel). 2. Open Active Directory Users and Computers. 3. Right-click the managed domain name on the left pane and select Properties. 4. Select the domain policy that is configured to work with Secure Password Extension on the Group Policy tab and click Edit. 5. Expand Default Domain Policy Computer Configuration on the Group Policy Object Editor left pane, then right click Administrative Templates node, and select Add / Remove Templates. 6. Click Add, browse for the prm_gina.adm file, select it, and then click Open. 7. Click Close to close Add / Remove Templates dialog box. 8. Select Administrative Templates node, then double-click Desktop Authority Password Self-Service template on the right pane. 9. Double-click Generic Settings. 10. Double-click Specify URL to the Self-service site. 11. Click the Enabled radio button on the Settings tab and then enter the URL path to the Self-service site into the entry field using the following format: where COMPUTER_NAME is the name of the server where Password Self- Service resides, and VIRTUAL_DIRECTORY_NAME is a virtual directory name that was configured during Desktop Authority Password Self-Service Setup (by default, the virtual directory name is DAPSS). Substitute with if you don t use HTTPS. Note: It is strongly recommended that you enable HTTPS on the Password Self-Service server. 12. Click OK. 13. Double-click Override URL path to Self-Service site. 14. Select the Enabled option on the Settings tab. 15. Click OK. 16. Apply the updated policy to the computers in the managed domain. Note: The application of the updated policy to the computers in the managed domain may take some time to complete. Updated 24 May

19 Password Self-Service 4 14 Customizing the Logo for Secure Password Extension You can replace the Secure Password Extension's default logo that is displayed on the Windows logon screen. Depending on the operating system, running on the target computers, the image must meet the following requirements: For pre-windows Vista operating systems, the logo must be a 417-by-58- pixel.bmp file. For Windows Vista and Windows 7, you can use the following image types:.bmp,.gif,.jpg, or.png. The logo image may have any size suitable for your requirements. The recommended size is 128 by 128 pixels. To deploy a custom logo for Secure Password Extension to end-user computers 1. Create a startup script to deploy your logo image. See a sample script below this procedure. 2. Create your logo image and place it on a network share accessible to all network hosts against which the script is run. 3. In the Group Policy Object Editor, open the GPO which includes the prm_gina.adm Administrative Template. 4. Expand Computer Configuration/Administrative Templates and then click ScriptLogic Desktop Authority Password Self-Service. 5. Under ScriptLogic Desktop Authority Password Self-Service, do the following: Expand Pre-Windows Vista Settings/Secure Password Extension Logo, and enable the Set dialogue background image policy setting by specifying a local path to the logo image file on end-user computers. Expand Windows Vista Settings/Secure Password Extension Logo, and enable the Set tile image policy setting by specifying a local path to the logo image file on end-user computers. The local path you specify in these policy settings must be the same as in the startup script specified later in this section. 6. Expand Computer configuration/windows Settings/Scripts (Startup/Shutdown) and double-click the Startup policy setting in the right pane. 7. In the Startup Properties window, click Add, then browse for the script file you have created in step 1, and specify the script parameters. The script file must be located in the directory opened by clicking Show Files in the Startup Properties window. 8. Click OK. The following startup script is a batch file that runs on end-user computers during system startup, and copies the custom logo image from the network share to a local folder: Updated 24 May

20 Password Self-Service 4 off rem "SPE startup script" rem *Check target directory existence* if exist "c:\program Files\ScriptLogic\Desktop Authority Secure Password Extension" goto :COPY_FILE md "c:\program Files\ScriptLogic\Desktop Authority Secure Password Extension" rem *Copy BMP image - %1* :COPY_FILE copy %LOGONSERVER%\share\logos\%1 "c:\program Files\ScriptLogic\ Desktop Authority Secure Password Extension\*.*" rem pause :out Exit Note: The script lines containing target path should be typed as a single line. The lines are wrapped in this article only for readability purposes. You can modify the sample target path in the script as you need. Customizing Position of the Secure Password Extension Window You can specify the position of the Secure Password Extension window on the logon screen of user computers. To change the position of Secure Password Extension window on enduser computers 1. In the Group Policy Object Editor, open the GPO which includes the prm_gina.adm Administrative Template. 2. Expand Computer Configuration/Administrative Templates and then click ScriptLogic Desktop Authority Password Self-Service. 3. Under ScriptLogic Desktop Authority Password Self-Service, expand Pre-Windows Vista Settings/Secure Password Extension Window Settings, and enable the Set Secure Password Extension Window Position policy by specifying the position of the Secure Password Extension window on the Windows logon screen of user computers. 4. Click OK. Updated 24 May

21 Password Self-Service 4 16 Managing Secure Password Extension Using Administrative Templates The prm_gina.adm Administrative Template features a powerful set of options that allow you to customize the behavior and appearance of the Secure Password Extension according to your requirements. The Administrative Template layout includes the following folders: Generic Settings - includes policy settings that can be applied to computers running both pre- and Windows Vista Microsoft operating systems. Pre-Windows Vista Settings - includes policy settings that can be applied to computers running only pre-windows Vista operating systems. Windows Vista Settings - includes policy settings that can be applied to computers running only Windows Vista operating systems and later. Brief descriptions of the Administrative Template policy settings are outlined in the tables below. For more information about policy settings, see the Explain tab on the Properties page of each policy. Generic Settings The following table outlines generic Administrative Template policy settings you can use to customize the behavior of Secure Password Extension. Policy Name Specify URL path to the Self-service site Override URL path to Self-Service site Maximum number of attempts to connect to the Self-Service site Description This policy lets you specify the link for the access to the Self-service site from the Windows logon screen. This link is opened when users click the Forgot My Password or the Manage My Password buttons on the Windows logon screen in pre-vista operating systems, and the Manage My Password command link in Windows Vista. Use the following URL path format: User/, where COMPUTER_NAME is the name of the server where Password Self-Service resides, and VIRTUAL_DIRECTORY is a virtual directory name that was configured during Desktop Authority Password Self- Service Setup (by default, the virtual directory name is DAPSS). Substitute with if you don t use HTTPS. By default, Secure Password Extension automatically locates the Self-Service site in its domain. This policy setting lets you override the default behavior and force Secure Password Extension to use the Self-Service site specified in the Specify URL path to the Self-service site setting. This setting specifies the maximum number of attempts to connect to the Self-Service site from Secure Password Extension. If this setting is disabled or not configured, the default number of attempts is 5. Updated 24 May

22 Password Self-Service 4 17 Policy Name Force HTTPS Password Self-Service Farm Affinity Enable proxy server access Configure required proxy settings Configure optional proxy settings Restore desktop shortcuts for the Selfservice site Do not create desktop shortcuts for the Selfservice site Do not create any shortcuts for the Selfservice site Display custom names for the Secure Password Extension window title Set custom name for the Secure Password Extension window title in <Language> Description This policy setting lets you enforce HTTPS for connections with the Self-service site established using the Secure Password Extension. This policy setting lets you force Secure Password Extension to use only Password Self-Service instances that belong to specific Password Self-Service farm. This policy setting determines whether connections to the Self-service from the Windows logon screen are established through the specified proxy server. Specifies the settings required to enable proxy server access to the Self-service site from the Windows logon screen. Specifies optional settings for the proxy server access. This policy setting lets you define whether the desktop shortcut to the Self-service site on a user's computer should be re-created by the Secure Password Extension if the user deletes the desktop shortcut. This policy setting lets you define whether the desktop shortcuts to the Self-service site on users' computers should not be created by the Secure Password Extension. This policy setting lets you define whether any shortcuts to the Self-service site on users' computers (on the desktop and in the Start menu) should not be created by the Secure Password Extension. This policy setting lets you define whether to replace the default language-specific names of the Secure Password Extension window title with the names that you specify for the required logon languages. This group of policy setting allows you to specify custom name for the Secure Password Extension window title. You can specify the title for each of the required logon languages. 36 language-specific policy settings are available out-of-the-box. Note: The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited by 14 characters because of the hieroglyphs width. The URL length must not exceed 256 characters. Display the usage policy button (command link) Defines whether to display the usage policy buttons and command links for which you have specified the logon language-specific names and URLs. The usage policy button on pre-windows Vista operating systems, and the usage policy command link on Windows Vista operating systems, are displayed on the Windows logon screen, and are intended to open a HTML document that describes the enterprise usage policy or contains any information that you may want to make available to endusers. Updated 24 May

23 Password Self-Service 4 18 Policy Name Set default URL Set name and URL for the usage policy button (command link) in <Language> Display custom names for the Manage My Password button (command link) Set custom name for the Manage My Password button (command link) in <Language> Balloon notification period Enable customization of notification texts Specify notification texts in <Language> Description This policy lets you specify an URL to the usage policy document that will be opened by clicking the usage policy button (command link) if no logon language-specific URLs are set. The default URL may refer to an HTML file. This group of policy setting allows you to specify the name of the usage policy button (command link) and set the link to the usage policy document that will be opened by clicking the usage policy button or command link. You can specify the name and an URL for each of the required logon languages. 36 language-specific policy settings are available. Note: The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited by 14 characters because of the hieroglyphs width. The URL length must not exceed 256 characters. This policy setting lets you define whether to replace the default language-specific names of the Manage My Password button and command link with the names that you specify for the required logon languages. The Manage My Password button (command link) is intended to open the Self-service site from the Windows logon screen. On pre-windows Vista operating systems, the Manage My Password button is displayed if you are already logged on to the system. On Windows Vista operating systems, the Manage My Password command link is displayed under the ScriptLogic Secure Password Extension tile on the Windows logon screen, irrespective of whether you are logged on to the system or not. This group of policy settings allows you to specify names of the Manage My Password button and command link individually for each of the required logon languages. 36 language-specific policy settings are available. If the registration notification is turned on, users will be notified of the necessity to register with Password Self- Service through a balloon briefly displayed in the notification are of the Windows taskbar. This setting lets you specify how often you want registration notifications to be displayed on the desktop of user computers where the Secure Password Extension is running. This policy setting allows you to define whether you want to replace the default text on language-specific registration notifications and message boxes with your custom text. This group of policy settings allows you to specify notification texts individually for each of the required logon languages. 36 language-specific policy settings are available out-of-the-box. Updated 24 May

24 Password Self-Service 4 19 Pre-Windows Vista Settings The following table outlines Administrative Template policy settings for Secure Password Extension in pre-windows Vista operating systems. Policy Name Set dialog background image Set the Secure Password Extension Window Position Display custom names of the Forgot My Password button Set custom name of the Forgot My Password button in <Language> Description This policy setting lets you choose a picture to replace the default background image on the Secure Password Extension dialog that appears on the Windows logon screen. This policy setting lets you specify the position of the Secure Password window on the Windows logon screen of user computers. This policy setting lets you define whether to replace the default language-specific names of the Forgot My Password button with the names that you specify for the required logon languages. The Forgot My Password button is intended to open the Self-service site on pre-windows Vista operating systems, and is displayed on the Windows logon screen, provided that you are not logged on to the system. This group of policy settings allows you to specify the name of the Forgot My Password button individually for each of the required logon languages. 36 language-specific policy settings are available. Windows Vista Settings The following table outlines Administrative Template policy settings for Secure Password Extension in Windows Vista operating system. Policy Name Set tile image Display custom names of the tile Set custom tile name in <Language> Description This policy setting lets you choose a picture that will be associated with the ScriptLogic Secure Password Extension tile on the Windows Vista logon screen. This policy specifies whether the custom names of the Secure Password Extension tile will be displayed on the Windows logon screen. This group of policy settings allows you to modify the name of the Manage My Password credential tile on the Windows Vista logon screen individually for each of the required logon languages. 36 languagespecific policy settings are available. Updated 24 May

25 Password Self-Service 4 20 ENABLING HTTPS We strongly recommend that you use HTTPS with ScriptLogic Desktop Authority Password Self-Service Manager. The secure hypertext transfer protocol (HTTPS) is a communications protocol designed to transfer encrypted information between computers over the World Wide Web. To enable HTTPS for your Web server you may need to obtain a Server Certificate. For step-by-step instructions on how to configure a Web server for SSL in order to support https connections from client applications, see the MSDN article "How To: Set Up SSL on a Web Server" at Updated 24 May

26 Password Self-Service 4 21 Upgrading Password Self-Service This section provides instructions on how to upgrade Password Self-Service and its components. The following topics are covered: Upgrade recommendations and requirements. Single server upgrade from Password Self-Service version 3.x. Multiple server upgrade from Password Self-Service version 3.x Password Self-Service components (PPM version 3.x and GINA Extension version 3.x [later on renamed to SPE]) upgrade. Single server upgrade from Password Self-Service version 4.x. Multiple server upgrade from Password Self-Service version 4.x Password Self-Service components (PPM version 4.x and GINA Extension version 4.x [later on renamed to SPE]) upgrade. UPGRADE RECOMMENDATIONS It is recommended to perform preliminary test upgrade using a test environment before upgrading Password Self-Service in the production environment of your enterprise. The recommended Password Self-Service upgrade sequence is the following: 1. Upgrade of Password Self-Service. 2. Upgrade of Password Policy Manager (PPM). 3. Upgrade of GINA Extension to Secure Password Extension (SPE). The detailed steps that implement the above sequence are provided later in this document. Updated 24 May