ADSelfService Plus: 3rd party Winlogon Client Software Support


Contents

ADSelfService Plus - Introduction
ADSelfService Plus Client Software
Support for 3rd party GINA/Credential Provider agents
    For Credential Providers
    For GINA
        Cisco VPN client
        Sophos safeguard disk encryption
        Checkpoint Full Disk Encryption (pre-boot authentication is not supported)
    Other 3rd Party GINA clients
    VPN GINA Clients
Steps for Bulk Configuration via Group Policy
    Step 1: Create Group Policy Objects
    Step 2: Configure Script settings
    Step 3: Important Settings
    Step 4: Applying the GPO
Troubleshooting Tips

ADSelfService Plus - Introduction:

ADSelfService Plus is a secure, web-based, end-user password reset management program. With ADSelfService Plus, end-users can:

- Self-service Reset Password
- Self-service Unlock Account
- Receive Password/Account Expiry Notification
- Self-service Update directory information
- Search Corporate/Employee directory
- Winlogon (Ctrl+Alt+Del) Password Reset

It helps administrators to delegate the task of password reset and account unlock to end-users, while minimizing the cost and effort involved with help desk calls.

ADSelfService Plus Client Software:

With web-based self-service software, end-users no longer need to rely on helpdesk personnel for password reset and account unlock operations. But there is still a small element of dependency involved: a user who has forgotten the password needs a neighbor's machine or a dedicated kiosk to carry out the required self-service operations.

ADSelfService Plus, with the help of its Client Software, eliminates such dependencies by adding a button labeled "Reset Password/Unlock Account" to the native Windows logon prompt.

ADSelfService Plus Client Software is an extension of the standard GINA/Credential Provider from Microsoft. Such GINA/Credential Provider extensions are now widely used by 3rd party software providers to offer a wide range of functionality like Secure VPN access and Full Disk Encryption. But some of these extensions may not be compatible with others, which limits the features that can be added to the Windows logon screen.

Fear not! ADSelfService Plus Client Software can be configured to work with your 3rd party GINA/Credential Provider extension. Some of the 3rd party GINA/Credential Provider agents supported by ADSelfService Plus are:

CREDENTIAL PROVIDER AGENTS

- Zenworks Endpoint Security agent
- 2X agent
- Toshiba Logon Provider
- Cisco NAC agent
- OneX Credential Provider

Note: You need to configure the Windows registry settings to make ADSelfService Plus Client Software compatible with the above mentioned Credential Provider agents. See "For Credential Providers" below for the configuration steps.

GINA AGENTS

- Sophos Safeguard Disk Encryption
- Cisco VPN client
- Checkpoint Full Disk Encryption

Note: ADSelfService Plus has built-in support for the above mentioned GINA agents. Hence, no configuration is required from your side.

Additionally, by editing the Windows registry settings, more 3rd party GINA/Credential Provider agents can be made compatible with ADSelfService Plus Client Software. This document provides the information you need to integrate ADSelfService Plus Client Software with your 3rd party GINA/Credential Provider extension.

Support for 3rd party GINA/Credential Provider agents:

Important Note: Care must be taken before making any changes to the Windows registry. Make sure that you have backed up your registry settings before proceeding further.

For Credential Providers:

1) Open Registry Editor (open Run, type regedit, press OK).
2) Get the unique GUID (Globally Unique Identifier) of your 3rd party Credential Provider from the registry key given below:
3) Use that GUID in the command shown below during installation of ADSelfService Plus Client Software:

Open Registry Editor (open Run, type regedit, press OK). Create a new String Value called WrappingProvider in the following registry key:

Provide the unique GUID of your 3rd party Credential Provider as its value.

For GINA:

Note: ADSelfService Plus has built-in support for the following GINA agents:

- Cisco VPN client
- Sophos safeguard disk encryption
- Checkpoint Full Disk Encryption (pre-boot authentication is not supported)

No configuration is required from your side for the above mentioned GINA agents.

Other 3rd Party GINA clients

To configure other 3rd party GINA agents, try the steps given below:

1) Open Registry Editor (open Run, type regedit, press OK).
2) Create a String Value called GinaDLL in the following registry key:
3) Provide <install_dir>\ZOHO Corp\ADSelfService Plus Client Software\ADSSPGina.dll (for 32-bit machine) or <install_dir>\ZOHO Corp\ADSelfService Plus Client Software\ADSSPGina64.dll (for 64-bit machine) as its value.
   E.g.: C:\Program Files\ZOHO Corp\ADSelfService Plus Client Software\ADSSPGina.dll
4) Now, create a String Value called OrigGina.dll in the following registry entry:
5) Provide XYZ.dll as its value, where XYZ is the name of your 3rd party GINA. Please contact your 3rd party GINA provider for information on the exact GINA file.
6) Reboot the machine.

VPN GINA Clients

If you are using a 3rd party VPN GINA client, it must be loaded before any other GINA agent. In such cases, follow the steps given below:

1) Open Registry Editor (open Run, type regedit, press OK).
2) Create a String Value called GinaDLL in the following registry key:
3) Provide XYZ.dll as its value, where XYZ is the name of your 3rd party GINA.
4) Now, create a String Value that points to the ADSelfService Plus GINA in your 3rd party's registry key.

   For example: Let's assume that you are using the Sophos Safeguard Disk Encryption GINA component in your environment. Open the registry editor and make the registry changes as shown below:

   1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      "GinaDLL"="SGGINA.DLL"
   2) HKEY_LOCAL_MACHINE\SOFTWARE\Utimaco\SGLogon (3rd party registry key)
      "Original Gina"="ADSSPGina.dll"

5) Provide <install_dir>\ZOHO Corp\ADSelfService Plus Client Software\ADSSPGina.dll (for 32-bit machine) or <install_dir>\ZOHO Corp\ADSelfService Plus Client Software\ADSSPGina64.dll (for 64-bit machine) as its value.
6) Reboot the machine.
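Every DLL named in this chain is loaded by Winlogon, so after the reboot it is worth confirming that each registry value points at the file you intended. The script below is an added example, not part of the vendor guide: it reads the two values from the Sophos SafeGuard example above, resolves each to a file and reports its Authenticode status. The function names are hypothetical, and the System32 lookup for bare file names is an assumption.

```powershell
# Added example, not vendor code. Audits the GINA chain on Windows XP /
# Server 2003. The entries below are taken from the Sophos SafeGuard example
# in this guide; replace them with the keys of your own 3rd party GINA.
$Chain = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'GinaDLL' },
    @{ Key = 'HKLM:\SOFTWARE\Utimaco\SGLogon'; Name = 'Original Gina' }
)

function Resolve-GinaPath {
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Value.Trim('"'))
    # A full path is used as given. A bare file name such as SGGINA.DLL is
    # looked up in System32 (assumption: that is where the vendor installs it).
    if (Split-Path -Path $expanded -Parent) { return $expanded }
    return Join-Path -Path $env:SystemRoot -ChildPath (Join-Path 'System32' $expanded)
}

function Get-GinaEntry {
    param([string]$Key, [string]$Name)
    $item  = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    $value = $null
    if ($item) { $value = $item.$Name }
    $path   = Resolve-GinaPath $value
    # With no GinaDLL value present, Windows loads its default msgina.dll.
    $status = 'not configured'
    $signer = ''
    if ($path) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = [string]$sig.Status   # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        } else {
            $status = 'file missing'
        }
    }
    New-Object PSObject -Property @{
        Key = $Key; Name = $Name; Value = $value
        Path = $path; Status = $status; Signer = $signer
    }
}

function Get-GinaChainReport {
    param([hashtable[]]$Entries)
    foreach ($e in $Entries) { Get-GinaEntry -Key $e.Key -Name $e.Name }
}

Get-GinaChainReport -Entries $Chain |
    Select-Object Name, Value, Path, Status, Signer | Format-List
```

A status of "file missing" on either entry means the chain is broken and the logon screen may not load; fix the value before rebooting again.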

Steps for Bulk Configuration via Group Policy:

In a large IT environment, configuring GINA/Credential Provider agents individually for each machine is not feasible. In such cases, you can follow the bulk configuration steps given below to make your 3rd party GINA/Credential Provider agents compatible with ADSelfService Plus Client Software.

Important: Before starting with the process, download the ConfigureGINA.bat and ConfigureCP.bat files (download and extract from the zipped folder) and place them in a network shared folder of the server.

Best Practice: For GINA, add all the computers running Windows Server 2003/XP to one group. For Credential Provider, add all the computers running Windows Server 2008/R2/Vista/7 to another group.

Step 1: Create Group Policy Objects

First, you have to create two new Group Policy Objects (GPOs). One GPO will be configured to run ConfigureGINA.bat and will be applied to the group containing Windows Server 2003/XP machines. The other GPO will be configured to run ConfigureCP.bat and will be applied to the group containing Windows Server 2008/R2/Vista/7 machines. Follow the steps given below to create a GPO:

FOR WINDOWS SERVER 2003

1) Open the Active Directory Users and Computers console.
2) Right-click the parent container of all the computer objects (which are added to a group; refer to Best Practice above) and select Properties.
3) In the properties dialog box that appears, select the Group Policy tab. In this tab, click New to create a Group Policy Object.

FOR WINDOWS SERVER 2008 AND LATER

1) Open the Group Policy Management console.
2) In the left pane, right-click the Group Policy Objects container and select New.
3) Give a descriptive name to the Group Policy Object and click OK.

Step 2: Configure Script settings

After creating the two GPOs, you have to configure the script settings in each of these GPOs to run the respective batch files. Follow the steps given below:

1) Right-click the Group Policy Object that you have just created and click Edit to open the GPO Editor.
2) In the GPO editor, on the right pane, double-click Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Startup. (In Windows Server 2008 and later: Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup.)
3) Right-click Startup and select Properties.
   a. In the Startup Properties dialog box, click Show Files.
   b. Paste the ConfigureGINA.bat and ConfigureCP.bat files in the Startup folder window that opens, and then close the window.
   c. Click Add in the Startup Properties dialog box.
   d. In the Add a Script dialog box, do the following:
      i. Under Script Name, click Browse and select ConfigureGINA.bat or ConfigureCP.bat, depending on the GPO you are working on.
      ii. For the GINA GPO, you have to provide XYZ.dll as the Script Parameter, where XYZ is the name of your third party GINA (please refer to your 3rd party GINA provider).
      iii. For the Credential Provider GPO, you have to enter the GUID of your third party Credential Provider as the Script Parameter. For example, let's say the GUID of your 3rd party Credential Provider is 6f45dc1e-5384-457a-bc13-2cd81b0d28ed; then the syntax for the parameter is:
           WINDOWS SERVER 2003: "{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}"
           WINDOWS SERVER 2008 AND LATER: {6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
      iv. Once set, click OK to return to the Startup Properties dialog box.
   e. Click Apply first and then click OK to complete the procedure.

Important: Before setting the parameter, check the accessibility of ConfigureGINA.bat and ConfigureCP.bat.
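Computer startup scripts run in the Local System context on every machine the GPO applies to, so the accessibility check should cover who can modify the two batch files as well as whether they can be reached. The script below is an added example, not part of the vendor guide; the share path, the domain name and the list of trusted writers are assumptions to replace with your own.

```powershell
# Added example, not vendor code. Paths and identities are placeholders.
$ScriptPaths = @(
    '\\fileserver\adssp\ConfigureGINA.bat',   # hypothetical share
    '\\fileserver\adssp\ConfigureCP.bat'
)
$TrustedWriters = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
    'CONTOSO\Domain Admins'                   # hypothetical domain
)

# Rights that allow a file to be changed or replaced, plus the generic
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits that some
# ACEs carry instead of the specific file rights.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000

function Get-StartupScriptFinding {
    param([string]$Path, [string[]]$Trusted, [int]$Mask)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return New-Object PSObject -Property @{
            Path = $Path; Reachable = $false; UnexpectedWriters = @()
        }
    }
    $acl = Get-Acl -Path $Path
    # Allow ACEs with any write-type right, held by an identity that is not
    # on the trusted list (-notcontains compares case-insensitively).
    $writers = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $Mask) -ne 0) -and
            ($Trusted -notcontains $_.IdentityReference.Value)
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    New-Object PSObject -Property @{
        Path = $Path; Reachable = $true; UnexpectedWriters = $writers
    }
}

$ScriptPaths |
    ForEach-Object { Get-StartupScriptFinding -Path $_ -Trusted $TrustedWriters -Mask $WriteMask } |
    Format-Table Path, Reachable,
        @{ Name = 'UnexpectedWriters'; Expression = { $_.UnexpectedWriters -join ', ' } } -AutoSize
```

Get-Acl reports NTFS permissions only, so review the share-level permissions separately, and run the same check against the copies pasted into the GPO's Startup folder.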

Step 3: Important Settings:

Once you have completed the above mentioned steps, configure the Administrative Template Settings as shown below:

Administrative Template Settings

1) On the left pane of the GPO Editor window, go to Computer Configuration > Administrative Templates > System.
2) Under System, configure the following settings:
   i. Scripts
      In the right pane of the GPO editor, double-click "Run logon scripts synchronously" and Enable it. Click Apply, and then OK.
      Double-click "Maximum wait time for Group Policy scripts" and Enable it. Click Apply, and then OK.
   ii. Logon
      Double-click "Always wait for the network at startup and logon" and Enable it. Click Apply, and then OK.
   iii. Group Policy
      Double-click "Group Policy slow link detection" and Enable it. Click Apply, and then OK.

Step 4: Applying the GPO

Once the Administrative Template settings are configured, apply the GPOs to the desired computers in the network.

1) On the left pane of the GPO editor, right-click the GPO you are working on (available on the top left corner of the GPO editor), and select Properties.
2) Click the Security tab in the properties dialog box that appears.

   IMPORTANT NOTE: In the Security tab, remember to uncheck the Apply Group Policy permission for Authenticated Users before proceeding further.

3) Now, click Add to open the Select Users, Computers or Groups dialog box. There, click the Object Types button and make sure Groups is checked, and then click OK.
4) Enter the name of the group (that contains all the Windows Server 2003/XP computers or all the Windows Server 2008/R2/Vista/7 computers, based on the GPO you are working on) and click Check Names. Highlight the desired group and click OK to return to the Security tab.
5) The group will now be added to the list of Group or User Names under the Security tab.
6) With the newly added group highlighted, apply the following permissions:
   - Read: Allow
   - Apply Group Policy: Allow
   Click Apply, and then OK.
7) Reboot the computers to apply the GPO and wait till the next startup for the settings to take effect.

To apply the GPO directly to Computers:

In case you prefer to apply the GPO directly to computers instead of the group, please follow the steps given below:

a. Follow steps 1 and 2 shown above.
b. Click the Object Types button. Make sure Computers is checked. Click OK.
c. Use Check Names to find the necessary computers. Highlight the desired computers you want to add and click OK to return to the Security tab.
d. Set Read and Apply Group Policy permissions to Allow for each and every computer that you just added.

IMPORTANT NOTE: After completing all these steps, remember to uncheck the Apply Group Policy permission for Authenticated Users.

f. Reboot all the client machines.

Troubleshooting Tips:

If you are experiencing any problems in the Windows logon screen after installing ADSelfService Plus Client software and making the registry changes, try the following steps to solve the problem:

- Restart your machine in Safe Mode.
- In case of Windows Vista and later, remove the registry key "{B80B099C-62EA-43cd-9540-3DD26AF3B2B0}" found under
- In case of Windows XP, remove the registry entry "GinaDLL" found under