Administrator Guide
Kiosk and Cluster Modes
Copyright 1998-2009 Quest Software and/or its Licensors ALL RIGHTS RESERVED.
This publication contains proprietary information protected by copyright. The software described in this publication is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical or otherwise without the prior written permission of the publisher.
DISCLAIMER
The information in this publication is provided in connection with Quest branded products from Evidian. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE AGREEMENT FOR THIS PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO THIS PRODUCT, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN IF EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Evidian and Quest make no representations or warranties with respect to the accuracy or completeness of the contents of this publication and reserve the right to make changes to specifications and product descriptions at any time without notice. Evidian and Quest do not make any commitment to update the information contained in this publication. The information and specifications in this publication are subject to change without notice.
Trademarks
Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, InTrust, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, Stat!, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster, SSOWatch, WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks mentioned in this document are the propriety of their respective owners. World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656 Website: www.quest.com Please refer to our website for regional and international office information. Quest Enterprise SSO Updated January 2010 Software version 8.0.3
CONTENTS
About This Guide ... 3
Access Management ... 3
Conventions ... 4
1. Overview ... 5
1.1 Kiosk and Cluster Modes Functions ... 5
1.1.1 Kiosk Mode Functions ... 5
1.1.2 Cluster Mode Function ... 6
1.2 Kiosk and Cluster Mode Authentication Methods ... 6
1.3 Required Enterprise SSO Modules ... 7
The Kiosk mode groups the following functions: Fast User Switching and Roaming Session mode. This guide explains how to configure the Kiosk and Cluster mode functions.
Enterprise SSO Administrators who know how to use the Enterprise SSO Console. Enterprise SSO 8.0 evolution 3 and later versions. For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to Quest Enterprise SSO Release Notes. Enterprise SSO controller runs only on Windows systems. Kiosk and Cluster modes are only available on Windows Enterprise SSO clients.
Conventions
In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.
ELEMENT: CONVENTION
Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bolded text: Interface elements that appear in Quest products, such as menus and commands.
Italic text: Used for comments.
Bold Italic text: Introduces a series of procedures.
Blue text: Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.
Used to highlight additional information pertinent to the process being described.
Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
Used to highlight processes that should be performed with care.
+: A plus sign between two keystrokes means that you must press them at the same time.
|: A pipe sign between elements means that you must select the elements in that particular sequence.
1. Overview
Enterprise SSO Kiosk and Cluster modes speed up computer use and improve security.
This function is particularly used in retail store workstations where salespersons want to check stocks or register orders before their customers change their minds. Fast User Switching can work with Roaming Session Mode or with Cluster Mode. To know how to configure and use the Fast User Switching, see Section 2, The Fast User Switching (FUS) Function.
Roaming Session
The Roaming Session mode simplifies successive authentication to several computers. When a user needs to access several computers during the day, he/she only has to authenticate once on the first computer; then he/she only needs his/her device to open sessions on the other computers.
This function is particularly used in hospitals emergency desks, where nurses and doctors need immediate access to information. It can be combined with Fast User Switching, and can be used on Clusters of computers. To know how to configure and use the Roaming Session mode, see Section 3, The Roaming Session Mode.
This function is particularly used in financial institution trading rooms or control rooms. The cluster mode can be combined with Roaming Session Mode and/or Fast User Switching. To know how to configure and use the Cluster mode, see Section 4, The Cluster Mode.
[Illustration: Hierarchized Access FUS. User B, whose unlocking level is higher than User A's, unlocks User A's session; User C, whose unlocking level is lower than User A's, cannot. Each user has his/her own applications.]
In the above illustration, the Windows user is still User A, and the Enterprise SSO user is User B. To configure this FUS mode, see Section 2.2, Configuring Hierarchized Access FUS.
[Illustration: Shared Access FUS. Users A, B and C each access their own applications.]
To configure this FUS mode, see Section 2.3, Configuring Shared Access FUS.
[Illustration: Public Access FUS. Users A, B and C each start SSOWatch to access their own applications.]
Upon detection of a smart card or active RFID device, SSOWatch starts and prompts the user for his/her PIN (smart card) or password (RFID). Once the user is authenticated, SSOWatch starts. When the device is removed, SSOWatch is closed. The Windows session can use a generic account that has no particular right of its own. To install and configure this FUS mode, see Section 2.4, Installing and Configuring Public Access FUS.
For more details on administration roles, see Enterprise SSO Console Administrator Guide.
Procedure
1. In the Enterprise SSO Console, from the directory panel, click the user security profile that applies to users that will use the hierarchized Fast User Switching. Click the Unlocking tab.
The Unlocking tab appears.
2. Fill in the tab as explained in the following Unlocking Tab Description section.
TAB ELEMENT: DESCRIPTION
User level: Enter a user hierarchy level (0 is the lowest level, and 50000 is the highest). We recommend leaving a large interval between levels (for example 10, 20, 30 and so on), so that you can add sublevels in between if needed.
User can unlock sessions of users below level: Select this check box to allow a user to unlock a session locked by another user whose level is below the specified level.
User can close sessions of users below level: Select this check box to allow a user to close a session opened by another user whose level is below the specified level.
When a user tries to perform a FUS on a workstation, Enterprise SSO refers to the unlocking level before the closing level. For example, if the user level does not allow him/her to
Procedure
1. In the Enterprise SSO Console, from the directory panel, click the application security profile that applies to applications for which you want to override the user unlocking level. Click the Configuration/General tab.
The General tab appears.
2. Select the When application is used, set users "unlocking level" to: check box.
3. Set the level number.
4. Click Apply.
Procedure
1. In the Enterprise SSO Console, from the directory panel, right-click the Organizational Unit that must contain your Application and select New/Template-based Application/Windows.
The Windows Application window appears.
2. Fill in the window by typing the application name and Windows domain.
3. In the group of users that you want to share the same Windows account, add the application and define it as shared, as follows:
a) Click the group of users and select the Application Access tab.
The Application Access tab appears.
b) In the Application Access tab, add the application you have just created, and set the Account type to Shared.
4. Click the group of users and select the Accounts tab.
The Accounts tab appears.
b)
c)
d)
In the Ownership tab, you can assign an owner for the account. In this case, this owner becomes the only user authorized to modify the account password.
Enterprise SSO allows you to manage password modification of a shared application account: if you do not set ownership, all users who are part of the group of users sharing the same application account are authorized to modify the shared account password. The other users automatically retrieve the new password.
2.
3. Select the Only allow unlocking with the same Windows credential check box.
4. Click Apply.
In this FUS mode, the Windows session is the same for all users. The Windows session used is the one of the first user who opened a Windows session on the workstation.
Users use their authentication device to access their own SSO context and applications. To avoid this, you can set a generic Windows account that has no particular right of its own, to keep the Windows session open for all users, as explained in the following procedure.
Before Starting
Make sure you have the "Kiosk mode" license key.
If it is not already set up on your workstation, install Microsoft Redistributables: open the Administration Tools interface (see steps 1 to 4 of the following procedure) and click Install Microsoft Redistributables.
Make sure Advanced Login is not installed on the workstation.
Procedure
1. Log on as system administrator and install the FUS option with SSOWatch as follows:
If you use Ready-To-Go SSO Edition or the Enterprise SSO Quick installation: during the Client installation, select the Public access authentication mode in the client module selection wizard window. For more details on Enterprise SSO quick installation, see Enterprise SSO Quick Installation and Start Guide.
If you use the Enterprise SSO advanced installation: during SSOWatch installation, select the Fast User Switching option in the Select Feature wizard window. For more details on E-SSO advanced installation, see Enterprise SSO Advanced Installation and Configuration Guide.
2. If you want to set a generic logon, activate AutoLogon on the workstation as explained in the following web page: http://support.microsoft.com/?scid=kb%3Ben-us%3B315231&x=10&y=13 (URL valid in September 2009).
Functions
The functions that can be called by SSOWatch are:
"OnSessionLocked": at session locking.
"OnSessionUnLocked": at session unlocking.
"EngineStarted": at SSOWatch start.
"EngineStopped": at SSOWatch stop.
Function Format
The functions must be written according to the following format:

    /* Parameter block passed by SSOWatch to each function */
    typedef struct _CUSTOMPARAMETERS
    {
        LPCSTR szUser;   /* name of the user concerned by the event */
    } CUSTOMPARAMETERS, *PCUSTOMPARAMETERS;

    /* Called at session locking */
    BOOL APIENTRY OnSessionLocked(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
    {
        return TRUE;
    }

    /* Called at session unlocking */
    BOOL APIENTRY OnSessionUnLocked(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
    {
        return TRUE;
    }

    /* Called at SSOWatch start */
    BOOL APIENTRY EngineStarted(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
    {
        return TRUE;
    }

    /* Called at SSOWatch stop */
    BOOL APIENTRY EngineStopped(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
    {
        return TRUE;
    }

DLL location
Define the location in a string value of the registry under HKLM\Software\Enatel\SSOWatch\ExternalCall
Example: CustomDllName (name of the registry key) C:\SSO\MyDll.dll
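As an added example (not code from the guide or from Quest/Evidian), the following complete external-call DLL records each of the four SSOWatch events in an audit file, using the parameter structure and function names documented above. The log path, the EXPORT macro and the non-Windows type fallbacks are assumptions of this example; the guide does not say how the functions must be exported, so a .def file would work equally well.

```c
/* Added example, not from the guide: an SSOWatch external-call DLL that appends
   an audit record for each of the four events. Log path, the EXPORT macro and
   the non-Windows type fallbacks are assumptions made for this example. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#ifdef _WIN32
#include <windows.h>
#define EXPORT __declspec(dllexport)  /* assumption: export by name, no .def file */
#else
/* Stand-ins for the Win32 types in the SSOWatch callback signature, so the
   record formatting can be compiled and tested on any platform */
typedef int BOOL;
typedef void *HWND;
typedef const char *LPCSTR;
#define APIENTRY
#define EXPORT
#define TRUE 1
#define FALSE 0
#endif

/* Parameter block passed by SSOWatch, as documented in the guide */
typedef struct _CUSTOMPARAMETERS {
    LPCSTR szUser;
} CUSTOMPARAMETERS, *PCUSTOMPARAMETERS;

#define AUDIT_LOG_PATH "C:\\SSO\\fus_audit.log"   /* constructed example path */

/* Build one record "<UTC time> event=<name> user=<name>\n" into out. Returns the
   record length, or -1 if it does not fit in cap bytes. A missing user name is
   recorded as <unknown> and one containing a line break as <invalid>, so an odd
   parameter can neither drop the event nor forge a second record. */
static int format_audit_record(char *out, size_t cap, const char *event,
                               const PCUSTOMPARAMETERS p, time_t when)
{
    const char *user = (p != NULL && p->szUser != NULL && p->szUser[0] != '\0')
                       ? p->szUser : "<unknown>";
    if (strpbrk(user, "\r\n") != NULL)
        user = "<invalid>";
    char stamp[32];   /* gmtime() assumed safe: the hooks are not expected to run concurrently */
    strftime(stamp, sizeof stamp, "%Y-%m-%dT%H:%M:%SZ", gmtime(&when));
    int n = snprintf(out, cap, "%s event=%s user=%s\n", stamp, event, user);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Append one record; a logging failure is reported but never stops SSOWatch */
static BOOL log_event(const char *event, const PCUSTOMPARAMETERS p)
{
    char line[256];
    if (format_audit_record(line, sizeof line, event, p, time(NULL)) < 0)
        return FALSE;
    FILE *f = fopen(AUDIT_LOG_PATH, "a");
    if (f == NULL)
        return FALSE;
    fputs(line, f);
    fclose(f);
    return TRUE;
}

/* The four entry points SSOWatch calls; names and signature as in the guide.
   They always return TRUE because the guide does not define the return value. */
EXPORT BOOL APIENTRY OnSessionLocked(HWND hParent, const PCUSTOMPARAMETERS p)
{ (void)hParent; log_event("OnSessionLocked", p); return TRUE; }
EXPORT BOOL APIENTRY OnSessionUnLocked(HWND hParent, const PCUSTOMPARAMETERS p)
{ (void)hParent; log_event("OnSessionUnLocked", p); return TRUE; }
EXPORT BOOL APIENTRY EngineStarted(HWND hParent, const PCUSTOMPARAMETERS p)
{ (void)hParent; log_event("EngineStarted", p); return TRUE; }
EXPORT BOOL APIENTRY EngineStopped(HWND hParent, const PCUSTOMPARAMETERS p)
{ (void)hParent; log_event("EngineStopped", p); return TRUE; }
```

Build it as a DLL and point the CustomDllName string value under HKLM\Software\Enatel\SSOWatch\ExternalCall at its path, as described above.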
[Illustration: roaming session principle, showing the administrator, the E-SSO Console, the user's first authentication, the directory and later authentications without a secret.]
3. The administrator configures the roaming session mode on appropriate access points, and for a number of users for a defined duration.
4. A user authenticates on a computer on which the roaming session mode is available, whatever the authentication method is (login/password, smart card, active or passive RFID device, and biometry).
This automatically creates a roaming session in the Enterprise SSO Controller. If no Enterprise SSO Controller is available, the roaming session is not created.
5. When the computer (on which the roaming session mode is activated) detects a physical authentication token (smart card, active or passive RFID), the roaming session is retrieved from the Enterprise SSO Controller and the user is authenticated without having to type the secret associated with the token.
The session duration time is displayed to the user in a task bar balloon help. If the roaming session expires while it is open on a computer, or if the user password expires or is changed, the session remains open, but the user will have to authenticate at next session opening.
Prerequisites
Make sure you have the "Kiosk mode" license key.
If users authenticate with a smart card for the roaming session, the smart card must meet the following requirements:
The smart card configuration must allow the owner name to be read without typing the PIN.
The smart card contains only one account.
No SSO account is stored on the smart card.
Restriction
In a roaming session, users cannot change their password or PIN with Advanced Login.
3. Select the Roaming session duration check box and define the number of hours you want the session to be active (the roaming session is created as soon as the user authenticates on an authorized access point, and the session duration time starts from that moment).
If you change the duration time in the Roaming session duration field once the roaming session has started, the new value will only be taken into account once the session in progress has expired.
4. Click Apply.
To optimize the session opening time, we recommend allowing the roaming session mode only on access points that will actually use it.
Procedure
1. In the Enterprise SSO Console, from the directory panel, click the access point security profile that applies to computers on which activating the roaming session mode is necessary. Click the Advanced Login tab.
The Advanced Login tab appears.
2.
3. 4.
3.3.1 Administering Users Roaming Sessions from the Enterprise SSO Console
Subject
You can see information on user roaming sessions from the Enterprise SSO Console, as explained in the following procedure. You can decide to delete a roaming session. In this case, the current user session remains open, but this forces the user to authenticate again at next session opening. This also allows you to disable the roaming session in case a user has lost his/her token.
Before Starting
To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Roaming: Delete users sessions".
For more information on administration modes, see Enterprise SSO Console Administrator Guide.
Procedure
1. In the Enterprise SSO Console, from the directory panel, click the user for whom you want to display the roaming session information.
2. Click the Connection/Authentication tab.
The Authentication tab appears. It displays the roaming session duration time left for the selected user.
3. To delete the displayed roaming session, click the Delete roaming session button.
The current user session remains open on the computer, but he/she will have to authenticate again at next session opening.
2.
[Illustration: cluster of access points. A session opening or session locking performed on the master computer is replicated on the slave computers.]
The number of workstations you can include in a cluster is not limited. In a cluster of access points, the computer on which the user performs an action is called the master computer. The same action is simultaneously performed on the other computers of the cluster, called slaves.
An Enterprise SSO Controller does not work in Cluster mode.
Mechanism Description
When a user performs an operation (opening, closing, locking, unlocking) on a computer, this computer becomes the master computer and periodically informs the slave computers of the operation performed. This allows the management of slave computer behaviors.
Session Opening/Session Unlocking
When a user opens a session on a computer of the cluster, all the sessions of other computers of the cluster open with the same user account.
If a slave computer is not reachable at session opening on the master computer, the session opening operation on this slave computer will be performed as soon as the network is restored.
If a slave computer restarts, and if the last operation performed on the master computer is a session opening, a session will be opened on this slave computer as soon as it is available.
If the session of a slave computer is locked by another user, the session is unlocked only if the Fast User Switching (FUS) option is activated for the user (see Section 2, The Fast User Switching (FUS) Function). If a user performs a FUS on a computer, all the other computers of the cluster perform the FUS.
If an "Excluded Account" opens a session on a computer that is part of the cluster, this computer is automatically excluded from the cluster. For more information on excluded accounts, see Enterprise SSO Console Administrator Guide.
Session Locking
When a computer is locked, all the other computers are locked according to their defined lock mode (see Section 4.2, Creating and Configuring a Cluster of Access Points). If a slave computer with an open session does not receive any information from the master for a period of 30 seconds, it is automatically locked according to its defined lock mode (see Section 4.2, Creating and Configuring a Cluster of Access Points).
Session Closing
When the user closes a computer, all the other computers of the cluster are closed.
A slave computer can only accept orders from the master computer if they are compatible with its current session. For example, if a user locks a computer session while all the other cluster computer sessions are closed, these sessions will remain closed.
Screensaver
When a computer screensaver is activated, the computer is not locked. It becomes locked at the end of the screensaver period: it then becomes the master and locks all computers of the cluster. You must configure the screensaver according to the wanted computer behavior.
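As an added example that is not part of the guide, the following C model encodes the slave behavior described above: orders incompatible with the current session are ignored, a session locked by another user is only unlocked when FUS is allowed, and an open session is locked according to its lock mode after more than 30 seconds without news from the master. It makes visible, for instance, that a slave configured with "Do nothing" keeps its session open when the master disappears. The type and function names are this example's own; the 30-second limit and the three lock modes are taken from the text.

```c
/* Added example, not from the guide: a model of how a slave access point in a
   cluster handles master orders and loss of contact with the master. */
#include <string.h>

#define MASTER_SILENCE_LIMIT 30   /* seconds without news from the master */

typedef enum { SESSION_CLOSED, SESSION_OPEN, SESSION_LOCKED } SessionState;
typedef enum { LOCK_DO_NOTHING, LOCK_KEYBOARD_MOUSE, LOCK_SESSION } LockMode;
typedef enum { ORDER_OPEN, ORDER_LOCK, ORDER_UNLOCK, ORDER_CLOSE } Order;

typedef struct {
    SessionState state;
    LockMode     lock_mode;       /* set in the Cluster Lock Mode window */
    int          input_locked;    /* keyboard and mouse disabled */
    long         last_master_ts;  /* time of the last order from the master */
    char         user[64];        /* Windows account owning the open session */
} Slave;

/* Apply the configured lock mode to an open session. Returns 1 if anything
   changed; with "Do nothing" the session simply stays open. */
static int apply_lock_mode(Slave *s)
{
    if (s->state != SESSION_OPEN)
        return 0;                 /* nothing to lock on a closed or locked session */
    switch (s->lock_mode) {
    case LOCK_KEYBOARD_MOUSE: s->input_locked = 1;        return 1;
    case LOCK_SESSION:        s->state = SESSION_LOCKED;  return 1;
    default:                  return 0;
    }
}

/* Handle an order from the master. Orders incompatible with the current session
   are ignored (a lock order on a closed session leaves it closed). A session
   locked by another user is only unlocked when FUS is allowed for the user.
   Returns 1 if the slave changed state. */
static int apply_order(Slave *s, Order o, const char *user, int fus_allowed, long now)
{
    SessionState before = s->state;
    int input_before = s->input_locked;
    s->last_master_ts = now;      /* any order counts as news from the master */
    switch (o) {
    case ORDER_OPEN:
        if (s->state == SESSION_CLOSED) {
            s->state = SESSION_OPEN;
            strncpy(s->user, user, sizeof s->user - 1);
            s->user[sizeof s->user - 1] = '\0';
        }
        break;
    case ORDER_LOCK:
        apply_lock_mode(s);
        break;
    case ORDER_UNLOCK:
        if (s->state == SESSION_LOCKED && (fus_allowed || strcmp(s->user, user) == 0))
            s->state = SESSION_OPEN;   /* the Windows session owner is unchanged */
        if (s->state == SESSION_OPEN)
            s->input_locked = 0;       /* Ctrl+Alt+Del releases keyboard and mouse */
        break;
    case ORDER_CLOSE:
        s->state = SESSION_CLOSED;
        s->input_locked = 0;
        s->user[0] = '\0';
        break;
    }
    return before != s->state || input_before != s->input_locked;
}

/* Periodic check on the slave: after more than 30 s without news from the
   master, an open session is locked according to its lock mode. */
static int check_master_timeout(Slave *s, long now)
{
    if (s->state == SESSION_OPEN && now - s->last_master_ts > MASTER_SILENCE_LIMIT)
        return apply_lock_mode(s);
    return 0;
}
```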
Make sure that none of the computers you want to place in the cluster is an Enterprise SSO Controller.
Make sure all the computers you want to gather in a cluster are connected to each other, and configured according to your needs (automatic screen-saver launching, locking).
DNS resolution must work properly so that orders sent from the master can be transmitted to the slaves.
Port 3644 must be open on all computers you want to gather in a cluster.
Enterprise SSO must be configured in "manage-access-point" mode.
The following license keys must be installed on the Enterprise SSO Controller and Enterprise SSO Clients: "Cluster mode" and "Audit and advanced security".
Procedure
1. In Enterprise SSO Console, in the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Cluster of access points and select New\Cluster of access points.
The Configuration tab appears.
2. Fill in the Name field.
3. Click the Add button to select the access points you want to add to the cluster. Use the Browse tab to browse the directory tree structure or use the Search tab to find the access point by typing its name.
4. Define the cluster properties as explained in the following Configuration Tab Description section.
5. Click Apply.
The Cluster object is created and configured.
Allow users to temporarily withdraw a computer from the cluster check box: If this check box is selected, users allowed to access one of the cluster computers will be able to temporarily exclude a computer from the cluster, from the SSOWatch application module: see Section 4.6, Removing Temporarily an Access Point From the Cluster for more details.
Option button: Gives access to the Cluster Lock Mode window.
For each computer of the cluster, this button allows you to define its behavior as a slave in the following cases:
When it receives a locking order from the master computer.
When it does not receive any order from the master for more than 30 seconds.
The behavior selected here only applies when the computer is a slave.
Do nothing: The selected computer is not locked.
Lock keyboard and mouse: The selected computer is not locked, but keyboard and mouse are disabled. Pressing Ctrl+Alt+Del on this computer unlocks it.
Lock session (default value): The selected computer is locked.
Remove button: Removes the selected computer from the cluster.
Add button: Allows you to select the access points you want to add to the cluster. The Browse tab allows you to browse the directory tree structure and the Search tab allows you to find the access point by typing its name.
Procedure
1. In the tree structure of the Directory panel, select the wanted Cluster.
2. Click the Events tab.
The Events tab appears.
3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Enterprise SSO Console Administrator Guide).
Procedure
1. In the tree structure of the Directory panel, right-click the Cluster and select Rename.
2. In the Configuration tab, type the new name of the object and press Enter.
Procedure
In the tree structure of the Directory panel, right-click the Cluster to delete and select Delete.
The Cluster is deleted.
3. To include the computer in the cluster again, click Activate cluster mode.
Web site
Please refer to our Web site for regional and international office information.
View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com.