Enterprise Single Sign-On 8.0.3
Getting Started with SSOWatch

Copyright 1998-2009 Quest Software and/or its Licensors ALL RIGHTS RESERVED.
This publication contains proprietary information protected by copyright. The software described in this publication is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical or otherwise without the prior written permission of the publisher.

DISCLAIMER
The information in this publication is provided in connection with Quest branded products from Evidian. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE AGREEMENT FOR THIS PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO THIS PRODUCT, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN IF EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Evidian and Quest make no representations or warranties with respect to the accuracy or completeness of the contents of this publication and reserve the right to make changes to specifications and product descriptions at any time without notice. Evidian and Quest do not make any commitment to update the information contained in this publication. The information and specifications in this publication are subject to change without notice.

Trademarks
Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, InTrust, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, Stat!, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster, SSOWatch, WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks mentioned in this document are the property of their respective owners.

World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656
Website: www.quest.com
Please refer to our website for regional and international office information.

Quest Enterprise SSO
Updated January 2010
Software version 8.0.3

CONTENTS

About This Guide
   Access Management
   Conventions

1. Overview

2. Installing SSOWatch
   2.1 Starting the "Administration Tools" Interface
   2.2 Configuring the Workstation
   2.3 Installing SSOWatch on the Workstation

3. Configuring SSOWatch to Enable Single Sign-On: A Step by Step Tutorial
   3.1 Enabling SSO for Yahoo! Mail Using the SSOWatch Wizard
   3.2 Enabling SSO for Lotus Notes Application Using SSOStudio
      3.2.1 Starting SSOStudio Personal
      3.2.2 Enabling SSO for Lotus Notes
      3.2.3 Saving the Configuration
   3.3 Going Further

4. Using SSOWatch Engine
   4.1 Session Opening
   4.2 SSO Data Collection
      4.2.1 First Start of an SSO enabled application
      4.2.2 Password Update Request
   4.3 Displaying the SSOWatch Engine Popup Menu
   4.4 The SSOWatch Engine Management Module
      4.4.1 Opening the SSOWatch Engine Management Module
      4.4.2 User Account Management
   4.5 Activating, Suspending, Resetting the SSOWatch Engine
   4.6 Exiting SSOWatch
   4.7 Initializing the Emergency Access
   4.8 Using the Reset Password Feature
      4.8.1 Importing the Enterprise SSO Sample Certification Authority (First-Time Use)
      4.8.2 Resetting Your Primary Password

About Quest Software, Inc.
   Contacting Quest Software
   Contacting Quest Support

About This Guide


Access Management
Subject: This guide explains how to begin with SSOWatch. It describes how to install SSOWatch, how to quickly enable SSO and perform basic SSO operations. This guide does not apply to SSOWatch used in Access Collector mode.

Intended Reader: End-users.

Software/Hardware Required: Enterprise SSO - SSOWatch 8.0 evolution 3 and later versions. For further information about the operating systems and other software solutions mentioned in this guide, please refer to the Quest Enterprise SSO Release Notes.

Supported Operating Systems: Enterprise SSO SSOWatch runs only on Windows systems.

Quest Enterprise SSO 8.0.3

Conventions
In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

ELEMENT: CONVENTION
- Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
- Bolded text: Interface elements that appear in Quest products, such as menus and commands.
- Italic text: Used for comments.
- Bold Italic text: Introduces a series of procedures.
- Blue text: Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.
- (icon): Used to highlight additional information pertinent to the process being described.
- (icon): Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
- (icon): Used to highlight processes that should be performed with care.
- + (plus sign): A plus sign between two keystrokes means that you must press them at the same time.
- | (pipe sign): A pipe sign between elements means that you must select the elements in that particular sequence.

1. Overview
Single Sign-On (SSO) is the functionality that allows users to sign in (authenticate) only once during a whole session, no matter how many applications are being accessed. They can then access their data transparently, without the constraint of retyping a new user name/password pair. SSOWatch performs the SSO functionality by interfacing itself between a security system, where the security data is stored (in the form of user name/password pairs), and the applications that require an authentication. It consists of two technical components:
- SSOWatch Engine, which performs single sign-on.
- SSOStudio, which allows you to configure SSOWatch. You will use it to "teach" SSOWatch Engine how to recognize the authentication windows of your web and Windows applications.
For more information on SSOStudio, see Enterprise SSO - SSOWatch Administrator Guide.

The present guide explains how to begin with SSOWatch. It describes how to install SSOWatch, how to quickly enable SSO and perform basic SSO operations with the SSOWatch Engine.

2. Installing SSOWatch
Subject: SSOWatch is installable on a single workstation or deployable on all the workstations of an enterprise network. This section introduces the interactive installation on a single workstation. For information on implementing the directory mode and on enterprise-wide installation, see Enterprise SSO Advanced Installation and Configuration Guide.

Before Starting
- Make sure you have a supported Windows version.
- Make sure you have a strong authentication device (smartcard, USB key, or biometrics).
  For details on the supported Windows versions and on the supported strong authentication devices, see Quest Enterprise SSO Release Notes.
- Make sure you have 25MB of available hard disk space.
- Make sure you have the license information supplied with the software.
- Close all running applications.
- Download the Enterprise SSO installation package from the Quest support website (http://www.quest.com/support).

2.1 Starting the "Administration Tools" Interface


Subject: The Enterprise SSO Administration Tools is a task-oriented interface that allows you to configure and install your Enterprise SSO solution.

Procedure
1. Log on as system administrator.
2. Once you have downloaded the Enterprise SSO Installation Package, run start.hta. The following window appears:

   If the window does not appear, do the following: in the E-SSO Installation Package, browse the Tools directory, run WGAdSetup\WGADSetup.exe, and go to Step 3 of the current procedure.

3. In the E-SSO Advanced Installation area, click one of the following, depending on your Windows system processor:
   - Enterprise SSO: for 32-bit processors.
   - Enterprise SSO - x64: for 64-bit processors.
   The Administration Tools window appears.

Each tool that you can run from the Administration Tools window is a wizard that allows you to perform a specific operation during the installation process of the Enterprise SSO databases.

2.2 Configuring the Workstation


Subject: Before installing SSOWatch, you must configure the workstation so that it runs in standalone mode.

Procedure
1. Start the Administration Tools interface (see Section 2.1, Starting the "Administration Tools" Interface).
   To open the Configuration Assistant if the Administration Tools does not work properly, browse the installation package folder, double-click TOOLS\WGConfig\WGConfig.exe and go to step 4 of the current procedure.
2. In the Select a task list, select Install software modules.
3. In the Software Installation task list, click Configure workstation. The Configuration Assistant appears.
4. Follow the instructions displayed in the wizard windows with the following guidelines:

   WHEN THIS WINDOW APPEARS: DO THE FOLLOWING
   - First window: 1. Select Standalone. 2. Click Next.
   - Second window: 1. Select Stand-alone Windows workstation. 2. Click Next.

2.3 Installing SSOWatch on the Workstation


Subject: Once you have configured the workstation so that it runs in standalone mode, you can install SSOWatch as explained in the following procedure.

Before Starting
- Configure the workstation to run in standalone mode (see Section 2.2, Configuring the Workstation).
- Install Microsoft Redistributables if they are not already set up on your workstation: in the Administration Tools interface, click Install Microsoft Redistributables.
- If you plan to install the SSOJava plug-in (which is an installation feature of SSOWatch, as shown in step 5 in the following procedure), a supported Java version must already be installed on your workstation (for more details about the supported JRE versions, see Quest Enterprise SSO Release Notes).

Procedure
1. Start the Administration Tools interface (see Section 2.1, Starting the "Administration Tools" Interface).
   To run the SSOWatch installation wizard if the Administration Tools does not work properly, browse the installation package folder, double-click INSTALL\SSOWatch.msi, and go to step 4 of the current procedure.
2. In the Select a task list, select Install software modules.
3. In the Software Installation task list, click Install E-SSO Client. The E-SSO Client installation wizard appears.
4. Follow the displayed instructions.
5. When the wizard prompts you to choose the installation type, choose Custom, click Next, and fill in the Select Features window as follows:

   - Biometrics Enrollment tool: installs the biometrics enrollment wizard on the computer, which allows a user to enroll his/her biometric data for fingerprint authentication. For more information on the Enterprise SSO biometrics feature, see Enterprise SSO Advanced Login for Windows User Guide.
   - Integration with Windows Authentication: transparently launches SSOWatch Engine at session startup using the user's Windows credentials. If this feature is not installed, SSOWatch will be launched automatically, but it will ask the user for their credentials.
   - Old IE Plugin: deprecated Internet Explorer plug-in that must only be installed for compatibility reasons with the previous WiseGuard versions.
   - Java plugin: allows SSOWatch to access Java applications.
     If you select this feature, make sure a supported Java version is already installed on your workstation before launching the installation of SSOWatch.
   - SSOStudio Personal: allows a single user to configure the applications for which he wants to enable SSO.
   - SSOStudio Enterprise: dedicated to administrators: the SSO configuration is shared by a number of users.
   - Fast User Switching: installs the Fast User Switching option, which allows authorized users to access their session from a workstation that has been locked by another user.

6. Restart the workstation. The SSOWatch Engine icon appears in your Windows system tray, which is located on the far right end of your task bar.

3. Configuring SSOWatch to Enable Single Sign-On: A Step by Step Tutorial


This section explains how to quickly enable SSO. We guide you through the steps required to configure SSO for a standard Windows application. To register an application for SSO, you can use one of the following SSOWatch tools:
- The SSOWatch Wizard, which is the easiest way to enable SSO for standard application windows. You will find a step-by-step tutorial to register the Yahoo! Mail example application in Section 3.1, Enabling SSO for Yahoo! Mail Using the SSOWatch Wizard.
- SSOStudio, which is the SSOWatch personal configuration editor for applications that cannot be configured with SSOWatch Wizard, or that require advanced settings. You will find a step-by-step tutorial to register the Lotus Notes example application in Section 3.2, Enabling SSO for Lotus Notes Application Using SSOStudio.

3.1 Enabling SSO for Yahoo! Mail Using the SSOWatch Wizard
Subject: The SSOWatch Wizard is the easiest way to enable SSO. It helps you to declare the applications' authentication windows that must be automatically filled in by SSOWatch Engine. The parameters of applications defined this way make up a configuration for SSOWatch Engine.

The SSOWatch wizard is suitable for standard authentication windows. For applications that cannot be configured through the SSOWatch wizard, you must use SSOStudio.

We use Yahoo! Mail as an example, but you can follow the same procedure for almost all web applications.

Before Starting: Start Yahoo! Mail so that the authentication window appears, as shown in the following picture:

Procedure
1. In the Windows system tray, right-click the SSOWatch icon (in the notification area) and select Add application. The SSOWatch wizard appears.
2. Fill in the wizard as follows:
   - Step 1: Select New Application.
   - Step 2: Select Windows, and type in the name of your application.
   - Step 3: Drag and drop the target button (1) onto the login field (as this is a web application) of the Yahoo! Mail authentication window (2) to fill in this window (3).
   - Step 4: Continue the drag and drop operations to fill in this window, as shown opposite.
   - Step 5: Click Finish.
   The following window appears:
3. Click Yes. The SSOWatch Security Data Collect window appears.

4. Fill in this window as follows and click OK:

   Yahoo! Mail starts automatically. SSOWatch is now configured to detect and automatically fill in your Yahoo! Mail authentication window.

   If you mistyped the user name or password in the above window, the application does not start. In this case, you need to modify the credentials for the application, as explained in Section 4.4.2.1, Change Password.

Why does the Security Data Collect window appear?
At this step of the procedure, the SSOWatch Engine is running, and your Yahoo! Mail authentication window is still displayed. Although SSOWatch can detect the window, it cannot fill it in, as you have not provided your authentication information yet. That is the reason why the Security Data Collect window appears: the first time you start a declared application, SSOWatch requests your user name and password. This data is stored in a secure way by SSOWatch, so it will be able to reuse it afterwards, without requesting any new data.

3.2 Enabling SSO for Lotus Notes Application Using SSOStudio


Subject: SSOStudio Personal is the SSOWatch personal configuration editor. It provides an easy-to-use graphical interface for declaring the applications for which you want to enable single sign-on. You need to use SSOStudio for applications that cannot be configured with SSOWatch Wizard, but you can also use it for applications that have already been configured using SSOWatch Wizard, to modify or enhance their configurations.

Restriction: The following example works only with Lotus Notes 5 and later.

3.2.1 Starting SSOStudio Personal


Subject: The following procedure explains how to start SSOStudio Personal.

Procedure
To start SSOStudio Personal, do one of the following:
- Click Start | Programs | Quest Software | Enterprise SSO | Personal SSOStudio.
- Right-click the SSOWatch icon (in the notification area) and select Open SSOStudio.
The Personal SSOStudio window appears.

The application that we shall use as an example is Lotus Notes.

3.2.2 Enabling SSO for Lotus Notes


The following sub-sections describe how to register the Lotus Notes application using SSOStudio Personal. We use Lotus Notes as an example, but you can follow the same procedure for almost all authorized applications.

3.2.2.1 Creating the Lotus Notes "Application" Object


Subject: This section describes how to quickly create the Lotus Notes Application object in your SSOStudio configuration.

Procedure
1. In the SSOStudio main window, right-click the Applications node and select New Application. The Application properties window appears.
2. In the Properties tab, type "Lotus Notes" in the Application Name field:

   You do not have to change any other options.
3. Click OK. The Lotus Notes Application object appears under the Applications node.

3.2.2.2 Creating the Lotus Notes Authentication "Window" Object


Subject: This section describes how to quickly declare the Lotus Notes logon window in your SSOStudio configuration.

Before Starting: Start Lotus Notes to display the authentication window, as shown in the following picture:

Procedure
1. In the SSOStudio main window, right-click the Lotus Notes Application object that you have just created and select New Window. The Window properties window appears.
2. Fill in the General tab as follows:
   - In the Window name field, type Notes Logon.
   - In the Window type field, select NotesLogin.

3. Fill in the Detection tab as follows:
   All the fields are already pre-configured for Lotus Notes, and you would normally not have anything further to do. However, to show you how it works, we will describe how to configure the window manually.
   a) Launch the Lotus Notes application.
   b) In the Detection tab, click the target button and drag and drop it onto the title bar of your Lotus Notes authentication window.
   c) As many authentication windows could have the same title, we are going to configure an additional text that will be looked for in one of the fields of the window, to distinguish the Lotus Notes authentication window from the other ones:
      - Select Look for text, and click the In Field sub-option.
      - Using the small target button, indicate the field containing the text Enter the password of, as you did for the title detection window.
      The content of the field Look for text is automatically updated with the content of the selected field. In our case: Enter the password of John Smith/QUEST.
      Depending on your needs, you can erase the user's name to only keep the text Enter the password of. If it is not erased, SSO will only be enabled for the user connected during this detection session.

4. Fill in the Actions tab as follows:
   All the fields are already pre-configured for Lotus Notes, and you would normally not have anything further to do. However, to show you how it works, we will describe how to configure the window manually.
   a) Using the upper small target icon, select the field containing the text Enter the password of, as you did during the detection configuration. The text in the following field is automatically updated.
   b) In this field, select the Lotus Notes identifier (First name/Last name/Unit/Organization) and click the button.
   c) Using the second small target icon, select the field where the password will have to be entered.
   d) Using the last small target icon, select the OK button.
5. Click OK. The Notes Logon Window object appears under the Lotus Notes Application object.
6. See Section 3.2.3, Saving the Configuration.

3.2.3 Saving the Configuration


Subject: Once you have saved your configuration, SSOWatch can detect the window you have just configured, as explained in the following procedure.

Procedure
1. Click the (Save) button located in the SSOStudio toolbar.
   The following window appears:
2. Click Yes. The SSOWatch Security Data Collect window appears.
3. Fill in this window as follows and click OK:

   Lotus Notes starts automatically. SSOWatch is now configured to detect and automatically fill in your Lotus Notes authentication window.

   If you mistyped the user name or password in the above window, the application does not start. In this case, you need to modify the credentials for the application, as explained in Section 4.4.2.1, Change Password.

Why does the Security Data Collect window appear?
At this step of the procedure, the SSOWatch Engine is running, and your Lotus Notes authentication window is still displayed. Although SSOWatch can detect the window, it cannot fill it in, as you have not provided your authentication information yet. That is the reason why the Security Data Collect window appears: the first time you start a declared application, SSOWatch requests your user name and password. This data is stored in a secure way by SSOWatch, so it will be able to reuse it afterwards, without requesting any new data.

3.3 Going Further


There you are! You have configured and enabled your first SSO using SSOWatch Wizard and the SSOWatch SSOStudio Configuration Editor. Using the same steps and procedures, you can configure other types of application and authentication windows.
The detection modes for other applications are different. For more details, see Enterprise SSO - SSOWatch Administrator Guide.


4. Using SSOWatch Engine


This section describes SSOWatch from the user point of view. This covers basic SSO operations: SSO data collection, and SSO engine management.

4.1 Session Opening


If you have installed SSOWatch as described in Section 2, Installing SSOWatch, the SSOWatch engine starts automatically when you open a session. Otherwise, SSOWatch may prompt you to authenticate through the following window:

Once the engine is started, an icon is displayed in the Windows notification area:

This indicates that the SSO engine is running.


4.2 SSO Data Collection


4.2.1 First Start of an SSO enabled application
During its standard utilization, SSOWatch is almost invisible to the user. However, when it starts for the first time, or when particular events occur, such as password update requests, you will have to provide some information. At the first launch of an SSO enabled application, when the application requests the user's authentication, the SSOWatch collect window appears in the foreground (the application is temporarily disabled) and requests the user name and password for the application:

Simply provide your usual user name for this application and your password (confirm it to avoid typing errors), and validate by clicking the OK button. This data is stored in a secure way by SSOWatch, so it will be able to reuse it afterwards, without requesting any new data. The Single Sign-On function is now enabled.


4.2.2 Password Update Request


When an SSO enabled application asks for a password update, this request is intercepted by SSOWatch, which displays the following window:

Simply type in a new password (confirm it to avoid typing errors) and validate it by clicking the OK button. SSOWatch updates this data and stores it securely in the security database, so that it will be able to reuse it afterwards, without requesting any new data.

4.3 Displaying the SSOWatch Engine Popup Menu


Subject: The SSOWatch Engine popup menu allows you to control the SSOWatch Engine. This popup menu is associated with the SSOWatch Engine taskbar icon:

From this popup menu, you can:
- Emergency Access: Initialize your primary password or PIN code reset (Emergency Access). This feature runs only with the LDAP configuration storage mode, as described in Section 4.7, Initializing the Emergency Access.
- Biometric Enrollment: Enroll your biometric data using the biometrics scan wizard (a biometric authentication device must be installed on your computer).
  For more information, see Enterprise SSO Advanced Login for Windows User Guide.
- Open the management module of SSOWatch: SSOEngine.
- Add application: Enable SSO applications with SSOWatch Wizard.
- Open SSOStudio to add an application with SSOStudio, as described in Section 3, Configuring SSOWatch to Enable Single Sign-On: A Step by Step Tutorial.
- Suspend and Activate the SSOWatch Engine.
- Reset the configuration.
- Exit SSOWatch: Stop the SSO Engine.

Procedure
To display this popup menu, right-click the SSOWatch Engine icon in the taskbar.
Double-clicking the SSOWatch Engine icon performs the default action (in bold): Open.

4.4 The SSOWatch Engine Management Module


The administration module of SSOEngine provides the following functions:
- Managing the SSOWatch Engine.
- Management of user accounts.

4.4.1 Opening the SSOWatch Engine Management Module


Procedure
1. To open the SSOWatch engine management module, right-click the SSOWatch icon in the taskbar, and click Open, or simply double-click the SSOWatch icon itself. The following window appears:
2. Do one of the following:
   - To manage your accounts, click the corresponding button: see Section 4.4.2, User Account Management.
   - To manage the SSO Engine, click the corresponding button: see Section 4.5, Activating, Suspending, Resetting the SSOWatch Engine.

4.4.2 User Account Management


You can see (and update) your user accounts using the User accounts option in the SSOEngine module, by clicking on the icon in the SSOWatch Engine management module.

4.4.2.1 Change Password


The button allows you to change your password for the selected account, but only in the security database: the password is not changed in the security base of the target application. This action can be used to manually deal with BadPasswords.
This option may be disabled in the configuration file or with a centralized parameter.

4.4.2.2 New Account


The button allows you to create a new account for the selected application.

When you create an account, you enter security information associated with this account. This operation will be done automatically for the first account defined in the configuration (for an application).

User Roles
If you have defined several accounts, you will have to manually create the other accounts, through the user account management interface. This is designed for those users who have a number of accounts on the same application(s). An account name designates a role. If a role is shown in the text box of the SSOEngine screen, the corresponding SSO applications will be launched using the security data associated with this role.

If no role has been selected for multiple account applications, you will be prompted to choose an account on connection.

4.4.2.3 Delete Account


The button allows you to delete security information (user name, password and optional parameters) associated with an account. If many accounts are associated with an application, the account line will be deleted. If you delete the only remaining account, <not registered> will be displayed in place of the user name.

4.4.2.4 Show Password


The button allows the owner of an account to see the password associated with the account. Using this feature always requires the user to authenticate.

4.4.2.5 Delegate Account


The icon is only available if you use SSOWatch in standalone and LDAP storage mode. It allows the owner of an account to delegate access to other users.

4.4.2.6 Hide Applications without Credentials


This option is available by right-clicking an account. It allows you to display only the applications for which you have an account.

4.4.2.7 Enable/Disable an Application or all Applications


This command is available by right-clicking an account. It allows you to deactivate (and activate again) the SSO function for the specified application.

4.5 Activating, Suspending, Resetting the SSOWatch Engine


Subject

The Suspend, Activate and Reset Configuration commands allow you to manage the SSOWatch Engine. You can use these commands either from the SSOWatch engine popup menu, or through the SSOWatch management module, using the Home button.

The Suspend command allows you to suspend the use of SSO. When suspended, the SSOWatch engine does not carry out single sign-on.
You can prevent the user from disabling the SSO engine through the configuration options. SSOWatch Engine automatically suspends itself when the smart card or USB key used for authentication is removed.

The Reset Configuration command allows you to load the modifications performed in your SSOWatch configuration file and reset the applications and windows states (those windows and applications which have been disabled will be reactivated). You can use this menu when the engine is running or when it is suspended. Once the reset action is complete, the SSO Engine will be in a running state.

The Activate command allows you to resume the SSOWatch Engine and enable again the use of SSO.

Procedure

To suspend the SSOWatch engine, right-click the SSOWatch engine icon and select Suspend. The SSOWatch engine icon changes.

To activate the SSOWatch engine, right-click the SSOWatch engine icon and select Activate. The SSOWatch engine icon changes.

To reset the SSOWatch engine configuration, right-click the SSOWatch engine icon and select Reset Configuration. If your SSOWatch engine was suspended, its icon changes.

4.6 Exiting SSOWatch


To exit SSOWatch, right-click the SSOWatch engine icon and select Exit SSOWatch. The SSOWatch engine icon disappears and single sign-on is disabled.
The Exit SSOWatch command can be disabled through the configuration file.

4.7 Initializing the Emergency Access


Subject

The Emergency Access feature allows you to reset your password or your PIN code in case you have lost or forgotten it. Initializing the Emergency Access feature consists of choosing a set of questions and recording the associated answers (if you want to reset your password or PIN code, you will have to answer the questions you have chosen).

This feature runs only with the LDAP configuration storage mode. To find out your configuration storage mode, right-click the SSOWatch Engine icon (located on the taskbar), select About SSOWatch, and in the displayed window, check the value of the Configuration storage mode field.

When the Emergency Access feature is enabled, you can define your questions (optional) and answers the first time that your SSOWatch engine is activated. Then you may need to modify this data in the following cases:

- The questions have changed, so you have to update your answers.
- You must enter your answers periodically.
- You want to change your questions/answers.

Procedure

1. Right-click the SSOWatch icon located in the notification area, and select Emergency Access. The Authentication window appears.
2. Enter your ID and Password and click OK. The Emergency Access wizard appears.
3. Follow the displayed instructions.

You may have restrictions on how you define your questions/answers, for example a minimum/maximum number of characters or words that you cannot use. If you do not know why your questions/answers are not accepted, contact your Enterprise SSO administrator.

4.8 Using the Reset Password Feature


4.8.1 Importing the Enterprise SSO Sample Certification Authority (First-Time Use)
Subject

To avoid Security Alert messages when connecting to the Reset Password portal, you must import the Sample Certification Authority (CA) in your Internet Explorer web browser, as explained in the following procedure.

Procedure

1. Start Internet Explorer and enter in the address bar the URL corresponding to the Reset Password web server followed by /ca.crt (example: http://MyResetPasswordServer/ca.crt). A window appears.
2. Click Open, and in the displayed window, click Install Certificate.
3. Follow the instructions of the Import Certificate wizard. It is recommended to keep the default selected options. Just click the Next and Finish buttons to install the file.
4. Click OK to close the Certificate window. The Sample CA is imported.
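The example URL in step 1 serves ca.crt over plain HTTP, so the file can be checked against a thumbprint obtained from your Enterprise SSO administrator before it is trusted. The following PowerShell is an added example, not part of the Quest guide: the host name is the guide's own example, while the thumbprint placeholder, the temporary file name and the function name are assumptions.

```powershell
# Added example: verify the downloaded Sample CA before trusting it.
# $ExpectedThumbprint is a placeholder for the SHA-1 thumbprint that your
# Enterprise SSO administrator communicates out of band (phone, ticket, paper).
$CaUrl              = 'http://MyResetPasswordServer/ca.crt'   # example URL from the guide
$ExpectedThumbprint = '<THUMBPRINT-FROM-ADMINISTRATOR>'       # placeholder
$CaFile             = Join-Path $env:TEMP 'esso-sample-ca.crt' # assumed file name

function Test-CaThumbprint {
    # Hypothetical helper: loads a certificate file and compares its thumbprint.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Expected
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # Accept "AB CD ..." or "ab:cd:..." notation: keep hex digits only, upper-case.
    $want = ($Expected -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        Expired    = ($cert.NotAfter -lt (Get-Date))
        # A SHA-1 thumbprint is 40 hex digits; anything else fails closed.
        Match      = ($want.Length -eq 40 -and $cert.Thumbprint -eq $want)
    }
}

# Download to a file instead of opening the certificate from the browser.
Invoke-WebRequest -Uri $CaUrl -OutFile $CaFile -UseBasicParsing
$result = Test-CaThumbprint -Path $CaFile -Expected $ExpectedThumbprint
$result | Format-List

if ($result.Match -and -not $result.Expired) {
    # Installs for the current user only; Windows still asks for confirmation.
    Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\CurrentUser\Root
} else {
    Write-Warning 'Thumbprint mismatch or expired certificate: not installed.'
    Remove-Item $CaFile -ErrorAction SilentlyContinue
}
```

With the placeholder left in place the comparison fails and nothing is installed, which is the intended default.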

4.8.2 Resetting Your Primary Password


Subject

This section describes how to securely reset your primary password from any workstation using Internet Explorer. If you can no longer log on to any workstation, reset your primary password as explained in the following procedure.

Before Starting

The Emergency Access feature must be initialized: you must have chosen a set of questions and answers (see Section 4.7, Initializing the Emergency Access).

Procedure

1. Start your Internet Explorer web browser and enter in the address bar the URL corresponding to the Reset Password web server (example: http://MyResetPasswordServer). If you do not know this URL, contact your Enterprise SSO administrator.
2. In the displayed page, click the reset your primary password link.
3. Type your identifier and click the Submit button. The Password reinitialization page appears.
4. Answer each question with the answers you gave while initializing the Password Reset functionality, and type your new primary password twice.
5. Click the Submit button.

After a certain number of wrong answers, the process may be blocked and you will not be able to try again. In this case, contact your Enterprise SSO administrator.

You can now use your new password to connect to your workstation.

About Quest Software, Inc.


Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products, helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

Contacting Quest Software


Phone: 949.754.8000 (United States and Canada)
Email: info@quest.com
Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
Web site: www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Quest Support


Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com/

From SupportLink, you can do the following:

- Retrieve thousands of solutions from our online Knowledgebase
- Download the latest releases and service packs
- Create, update and review Support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com.
