DigitalPersona / Windows Server Identity 2016


DigitalPersona LDS Server Installation & Setup Procedure

- Add Server roles and features
- Set up a unique instance of AD LDS
- Configure the AD LDS service
- Install DigitalPersona Pro Enterprise LDS Server
- Activate the DigitalPersona Server License
- Define the authorization store name
- Configure additional servers (Recommended)
- Command line Installation
- Published information
- Configuration for use with DigitalPersona LDS Kiosk (Optional)
- Uninstalling DigitalPersona LDS Server

DP LDS Administration Tools Include the following

- User Query Snap-in
- GPMC Extensions
- Hardware Tokens Management Utility
- DigitalPersona LDS Administration Scripts
- XML Configuration
- ADSI Edit tool

Configuration for use with DigitalPersona LDS Kiosk (Optional)

1. Optionally, create an OU for each kiosk and assign computers to the kiosk OU. See Creating the OU for the Kiosk below. By default, all computers in the AD domain are treated as a single kiosk; you may want to set up multiple, separate kiosks by using OUs.
2. Create a Shared Account in Active Directory and specify the account information either by GPO or on individual kiosk computers. See the topics Kiosk Shared Account Settings and Adding Shared Account Settings Using GPO below.
3. Install DigitalPersona LDS Kiosk on the computers. See the DigitalPersona Kiosk Installation chapter in the DigitalPersona Client Guide.
4. Enroll user credentials. By default, DigitalPersona users are not allowed to enroll their own credentials; user creation and credential enrollment are handled centrally through the DigitalPersona Attended Enrollment component. For more information, refer to the chapter DigitalPersona Attended Enrollment in the DigitalPersona Client Guide.

DigitalPersona Attended Enrollment

Allows an administrator or other delegated individuals to supervise credential enrollment for end-users from one or more centralized locations. Attended Enrollment is an optional component of DigitalPersona LDS Workstation, installed by choosing Custom during the DigitalPersona LDS Workstation installation.

DigitalPersona Password Manager

Is an optional feature of the DigitalPersona Workstation client that integrates with the DigitalPersona Console to provide automated logon to enterprise resources, programs and websites.

Group Policy Implementation Guidelines

Before you add any Administrative Templates to your GPOs, give some thought to your Active Directory structure, where GPOs are placed, and which GPOs the Administrative Templates should be added to. Policy configuration needs vary from network to network, and specific policy recommendations are beyond the scope of this guide; refer to Microsoft's documentation on Group Policy Object configuration for more information.

Organizational Units and GPOs

Although the use and configuration of organizational units and GPOs varies widely among organizations, the following are general guidelines for structuring Active Directory organizational units. There are two key factors in deciding how to structure your network:
■ How you group your users and computers, and
■ Where the DigitalPersona AD GPOs are set.

For example, if users and computers are to be grouped according to authentication policies, group them into separate OUs (Organizational Units) and then set specific GPOs for each OU. Where authentication policies vary within an organizational unit, as they often do between department heads and subordinates, group the users and/or computers into child organizational units that reflect the required authentication needs. Structuring your organizational units based on authentication policies is the easiest way to administer DigitalPersona.
1. Plan your network structure by identifying the settings you intend to configure.
2. Determine whether to apply the settings to all users and computers in a site or domain, or only to the users and computers in an organizational unit.
3. Create the organizational units required to implement your design.
4. Add the respective users and computers to the organizational units.

How GPO settings combine:
■ If a superior (higher-level) GPO has a value for a setting and a subordinate GPO has a conflicting value for that setting, the setting in the subordinate GPO is used, unless the superior GPO link is marked Enforced, in which case the superior value wins.
■ If a GPO has a value for a setting and a subordinate (lower-level) container has the GPO setting with no value (Not Configured), the setting in the superior (higher-level) GPO is used.
■ GPOs can only be linked to the three Active Directory containers: sites, domains and organizational units; not directly to users or computers.
■ A single GPO can be linked to one or more containers.
■ A GPO affects all users and computers in the container it is linked to and in its subcontainers (unless inheritance is blocked on a subcontainer).
The DigitalPersona GPO settings apply only to computers with DigitalPersona software installed on them. In very basic Active Directory deployments, you can simply create a single DigitalPersona GPO, link it at the domain, and set the DigitalPersona Server and DigitalPersona Workstation settings there for all users and computers alike.
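The kiosk OU layout from the Kiosk configuration steps and the GPO precedence rules above, as an added PowerShell example (not from the DigitalPersona guide). It creates one child OU per kiosk, moves the kiosk computers into it, creates and links a per-kiosk GPO, and then lists the links that actually apply to the OU in precedence order. The domain example.com, the parent OU "DigitalPersona", the GPO naming scheme and the computer names are assumptions for illustration; the DigitalPersona settings themselves are still configured in the GPO through the GPMC extensions.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example, not part of the DigitalPersona guide. Run from a domain-joined
# admin workstation with RSAT. Assumed names: OU=DigitalPersona,DC=example,DC=com
# as the parent OU, "DP Kiosk - <name>" as the per-kiosk GPO name.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function New-DpKioskOu {
    param(
        [Parameter(Mandatory)][string]$KioskName,    # e.g. 'Lobby'
        [Parameter(Mandatory)][string]$ParentOuDn,   # e.g. 'OU=DigitalPersona,DC=example,DC=com'
        [string[]]$ComputerNames = @()               # kiosk computers to move into the new OU
    )
    $ouDn = "OU=$KioskName,$ParentOuDn"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDn'")) {
        New-ADOrganizationalUnit -Name $KioskName -Path $ParentOuDn `
            -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    foreach ($name in $ComputerNames) {
        # Moving the computer object is what places it under the kiosk's GPOs
        Get-ADComputer -Identity $name | Move-ADObject -TargetPath $ouDn
    }
    # One GPO per kiosk, so each kiosk OU can carry its own Shared Account settings
    $gpoName = "DP Kiosk - $KioskName"
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'DigitalPersona LDS Kiosk settings' }
    $linked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null }
    return $ouDn
}

function Show-DpGpoPrecedence {
    param([Parameter(Mandatory)][string]$OuDn)
    # Order 1 is applied last and therefore wins on conflicting settings: links on the
    # OU itself come before links inherited from parent OUs and the domain, except
    # that an Enforced link higher up is moved ahead of them.
    (Get-GPInheritance -Target $OuDn).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced, Target
}

$ou = New-DpKioskOu -KioskName 'Lobby' -ParentOuDn 'OU=DigitalPersona,DC=example,DC=com' `
                    -ComputerNames 'KIOSK01', 'KIOSK02'
Show-DpGpoPrecedence -OuDn $ou
```

Run Show-DpGpoPrecedence after every link change: if a domain-level DigitalPersona GPO is Enforced, it appears ahead of the kiosk GPO in the list and its Kiosk Administration values override the per-kiosk ones, which is the situation the precedence rules above warn about.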

Add Server Roles and Features for LDS DP and LDS DP Web components

Before you can install the DigitalPersona LDS Server, a few roles and features must be added to the default installation of Windows Server.
1. In Server Manager, under Configure this local server, click Add roles and features. Verify that you have completed the prerequisite tasks, then click Next.
2. On the Select server roles page, in addition to the roles selected by default, ensure that the Active Directory Lightweight Directory Services role is included. Selecting this role opens a dialog listing the additional features required for AD LDS; click Add Features. If you also plan to install the Web Administration Console, select Web Server (IIS) and any required management features as well. Then click Next.
3. On the Select features page, in addition to the features selected by default, ensure that the following are selected, clicking Add Features when prompted:
   - .NET Framework 4.5 Features, including HTTP Activation
   Then click Next and confirm the installation.
4. The Installation Progress page displays a bar indicating the approximate progress of the installation. You can close the wizard (by clicking the Close (X) button) without interrupting the installation, and open it again to view progress by clicking Notifications and then Task Details in the Server Manager Dashboard Command Bar.
5. Upon completion of the installation, you can either run the Active Directory Lightweight Directory Services Setup Wizard from the link provided, or close the wizard and follow the instructions in the next section to run it. An automatic refresh is performed when the Add Roles and Features Wizard is closed.
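The same role and feature selection done from an elevated PowerShell prompt instead of the wizard, as an added example that is not part of the DigitalPersona guide. The feature names are those reported by Get-WindowsFeature on Windows Server 2016; the -WithWebConsole switch and the function name are this example's own, and which features a given DigitalPersona release actually requires should be taken from the guide, not from this list.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the DigitalPersona guide. Installs the roles and features
# the Add Roles and Features Wizard steps select, then reports their install state.
Import-Module ServerManager

function Install-DpLdsPrerequisites {
    [CmdletBinding()]
    param(
        # Set this only when the Web Administration Console will live on this server
        [switch]$WithWebConsole
    )
    $features = @(
        'ADLDS',                      # Active Directory Lightweight Directory Services role
        'NET-Framework-45-Features',  # .NET Framework 4.5 feature group
        'NET-WCF-HTTP-Activation45',  # HTTP Activation, needed by the web components
        'GPMC',                       # Group Policy Management (used on the additional-server steps)
        'RSAT-ADLDS'                  # AD LDS snap-ins and command-line tools
    )
    if ($WithWebConsole) {
        $features += 'Web-Server', 'Web-Mgmt-Console'   # IIS plus its management console
    }

    # Validate every name against this build before changing anything
    $known   = (Get-WindowsFeature).Name
    $missing = $features | Where-Object { $_ -notin $known }
    if ($missing) { throw "Unknown feature name(s) on this build: $($missing -join ', ')" }

    $result = Install-WindowsFeature -Name $features -IncludeManagementTools
    if (-not $result.Success) { throw "Feature installation failed, exit code $($result.ExitCode)" }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A restart is required before running the AD LDS Setup Wizard.'
    }

    # Record the resulting state; compare this with the wizard's confirmation page
    Get-WindowsFeature -Name $features | Select-Object Name, InstallState
}

Install-DpLdsPrerequisites -WithWebConsole
```

Install-WindowsFeature writes the same Server Manager task that the wizard does, so the Notifications flag and Task Details described above show its progress too.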

Configure the AD LDS service

Configure the Active Directory Lightweight Directory Service by running the DigitalPersona AD LDS Configuration Wizard. The wizard extends the instance's default AD LDS schema for use by DigitalPersona and creates the necessary DigitalPersona configuration data, including cryptographic keys. The wizard must be run by the user (or a member of the group) that was defined as the AD LDS Administrator during the AD LDS instance setup (the AD LDS Administrators page of the AD LDS Setup Wizard).

To configure the DigitalPersona AD LDS Server instance:
1. Launch the DigitalPersona AD LDS Configuration Wizard by running DPADLDSConfig.exe, located in the product package at ..\Server\DigitalPersona LDS Server\Configuration Wizard.
2. The wizard's Welcome page displays. Click Next.
3. On the License Agreement page, select I accept the license agreement. Click Next.
4. On the Confirmation page, confirm that the correct AD LDS instance appears in the Choose AD LDS instance to configure field and check the I accept that this AD LDS instance will be configured checkbox. If there is only one AD LDS instance on the computer, it is selected automatically and grayed out, since there is no other instance available for selection.
5. In the Save Log File As window, select the location where you want the DigitalPersona LDS log file saved, and enter a name for the file.
6. The Configuring the AD LDS instance page displays relevant information as the configuration progresses, as well as any errors that occur during the process.
7. The final page indicates a successful configuration or provides help in troubleshooting any issues that arise.

Authentication Combination Issue

Contactless Writable and Contactless ID cards cannot be used in the Logon Authentication Policy or Enhanced Logon Authentication Policy when either FIDO or PKI cards are used in the policy. This does not apply to the Session Authentication Policy.

DigitalPersona LDS Server components include:

DP LDS Server, DP LDS Administrative Tools

DigitalPersona LDS Client components include:

DP LDS Workstation, DP Attended Enrollment, DP LDS Kiosk, Password Manager Tool

DigitalPersona Remote Access

DP Server includes support for remotely accessing DP Workstation and DP clients through Windows Terminal Services (including Remote Desktop Connection) and through various Citrix products.
■ When DP Workstation or DP Kiosk is accessed remotely, the fingerprint reader attached to the local Workstation or Kiosk can be used to access all DP Workstation or DP Kiosk features on the remote computer. See the Redirect fingerprint data setting.
■ When using DP Workstation or DP Kiosk remotely, the remote computer is locked to prevent interruption of your session.
■ To end a Terminal Services session, use Log Off to close the session. Disconnect, Shutdown, or the Close Window icon leave your session active on the remote computer.

DP LDS Licensing Model

■ DigitalPersona Premium Employee License - Permits the enrollment of user credentials, and subsequent use, by a specified number of users. These users may be AD users or non-AD users.
■ DigitalPersona Customer Facing License - Permits the enrollment of user credentials, and subsequent use, by a specified number of non-AD users only.
■ Face authentication - Permits enrollment and use of the Face credential by licensed users.
■ Behavioral keystrokes - Permits enrollment and use of the Behavioral keystrokes feature for licensed users.

GPMC Extensions

DigitalPersona Pro Enterprise Server and its associated workstation clients use GPMC extensions, installed under the Software Settings and Administrative Templates nodes, to link product policies and settings to Active Directory containers.

GPMC/GPOE Extensions

DigitalPersona creates a number of extensions that are visible in the Group Policy Management Console (read-only) and the Group Policy Management Editor. This chapter describes these extensions from the viewpoint of the GPO Editor, since that is where they can be enabled and configured or disabled. There are three child nodes under the Computer Configuration and User Configuration parent nodes in the Group Policy Object Editor namespace:
■ Software Settings
■ Windows Settings
■ Administrative Templates
DigitalPersona settings are located in the Software Settings and Administrative Templates nodes.
■ The Software Settings node contains extension snap-ins that extend the Computer Configuration node and the User Configuration node.
■ The Administrative Templates node contains registry-based policy settings, and is extended by using administrative template (.adm/.admx) files.
The Software Settings snap-ins are installed automatically as part of the DigitalPersona LDS Server installation, but the Administrative Templates are only installed as part of the DigitalPersona LDS Administrative Tools. By default, Administrative Templates are installed only into a local PolicyDefinitions store.

DigitalPersona LDS Workstation

Enforces security and authentication policies on managed Windows computers while providing intuitive access to end-user features and functionality.

Separate Installation Options

Includes the following: DP LDS Admin Tools, Web Management Components, Password Manager Admin Tool, DP LDS Extended Server Policy Module (ESPM), Guardian Ten-Print Scanner Support, DP Large Scale ID Wrapper, DP CAC/PIV Card Module

DP PKI Smart Card

For customers who would like to use PKI Smart Cards for DigitalPersona Windows Logon, or to log in to services federated with the DigitalPersona Identity Provider (including the DigitalPersona Web Administration Console and HID DigitalPersona Enrollment), the cards must be initialized outside of the DigitalPersona platform and have a Windows Logon certificate provisioned on the card. To use PKI Smart Cards, you must have a PKI infrastructure as part of your environment. Setting up this environment is beyond the scope of this guide.

Installing the Client Administrative Templates Locally

For local administration of a DigitalPersona AD Workstation or Kiosk, the following Administrative Templates can be added to the local policy object of any computer running the client by using the Microsoft Management Console (MMC) Group Policy Editor:
■ DPCA_AD_General.admx
■ DPCA_AD_DesktopApps.admx
■ DPCA_AD_PasswordManager.admx
■ DPCA_AD_OneTouchLock.admx

To add the Administrative Templates locally
1. On the Start menu, click Run. Type gpedit.msc and press Enter to launch the Group Policy Editor.
2. Right-click the Administrative Templates folder and select Add/Remove Templates on the shortcut menu.
3. Click the Add button on the Add/Remove Templates dialog box, then locate and select the desired Administrative Templates from the default administrative templates directory.
4. Click Close.

Note: the Add/Remove Templates dialog loads classic .adm files only. The .admx files listed above are read automatically from %SystemRoot%\PolicyDefinitions (with their .adml language files in a language subfolder such as en-US) and appear under Administrative Templates without being added through the dialog; if they are missing there, copy them into that folder.
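The GPMC/GPOE Extensions section notes that the Administrative Templates are installed only into the local PolicyDefinitions store; the following added PowerShell example (not from the DigitalPersona guide) copies the four client templates listed above from that local store into the domain's central store in SYSVOL, so every administrator's GPMC sees the same version. The central-store path is the standard one; the assumption that the .adml language files sit in an en-US subfolder next to the .admx files, and the function name, are this example's own.

```powershell
# Added example, not from the DigitalPersona guide. Requires write access to SYSVOL
# (normally Domain Admins). Assumes the templates were installed into the local
# %SystemRoot%\PolicyDefinitions store with their .adml files under en-US.
function Publish-DpAdmxToCentralStore {
    param(
        [string]$Domain     = $env:USERDNSDOMAIN,
        [string]$LocalStore = "$env:SystemRoot\PolicyDefinitions",
        [string]$Language   = 'en-US',
        [string[]]$Templates = @('DPCA_AD_General', 'DPCA_AD_DesktopApps',
                                 'DPCA_AD_PasswordManager', 'DPCA_AD_OneTouchLock')
    )
    # Standard central store location; GPMC prefers it over the local store once it exists
    $central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    New-Item -ItemType Directory -Path (Join-Path $central $Language) -Force | Out-Null

    foreach ($t in $Templates) {
        $admx = Join-Path $LocalStore "$t.admx"
        $adml = Join-Path $LocalStore "$Language\$t.adml"
        # An .admx without its .adml makes GPMC report a missing resource file, so require both
        foreach ($f in $admx, $adml) {
            if (-not (Test-Path $f)) { throw "Missing template file: $f" }
        }
        Copy-Item -Path $admx -Destination $central -Force
        Copy-Item -Path $adml -Destination (Join-Path $central $Language) -Force
    }

    # Report what the central store now holds for the DigitalPersona templates
    Get-ChildItem -Path $central -Filter 'DPCA_AD_*.admx' | Select-Object Name, LastWriteTime
}

Publish-DpAdmxToCentralStore
```

Once the central store exists, GPMC reads it exclusively, so any other product's .admx files already in use locally must be copied there as well, or their settings disappear from the editor.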

DP LDS - Configure additional servers (Recommended)

HID Global recommends the use of additional DigitalPersona LDS Servers to make use of the solution's built-in load balancing and failover capabilities. Each DigitalPersona LDS Server and its associated AD LDS database must reside on a separate machine: multiple DigitalPersona LDS Servers cannot coexist on the same machine, and the associated database must be on the same machine as its DigitalPersona LDS Server.

To configure an additional DigitalPersona LDS Server for load balancing and failover, follow the steps below. The result is multiple AD LDS instances that are automatically synchronized and load balanced. Have the first AD LDS instance and DigitalPersona LDS Server completely set up, following the instructions in the first part of this chapter, before creating any additional instances, because each additional AD LDS instance requires information from the original instance when it joins the configuration set.

Add Server roles and features
Before installing DigitalPersona LDS Server, a few roles and features need to be added to the default installation of Windows Server.
1. In Windows Server, open Server Manager and select Dashboard.
2. Under Configure this local server, click Add roles and features.
3. On the Before you begin page of the Add Roles and Features Wizard, verify that you have completed the prerequisite tasks before continuing. Then click Next.
4. On the Select installation type page, select Role-based or feature-based installation. Then click Next.
5. On the Select destination server page, choose Select a server from the server pool. Then click Next.
6. On the Select server roles page, in addition to the roles selected by default, ensure that the Active Directory Lightweight Directory Services role is included. Then click Next.
7. On the Select features page, in addition to the features selected by default, ensure that the following features are selected, then click Next:
   - Group Policy Management
   - AD DS and AD LDS Tools
8. The following page explains how to create an AD LDS instance using the AD LDS Setup Wizard, and how to remove the AD LDS role through the Windows Control Panel. Click Next.
9. On the Confirm installation selections page, click Install.
10. The Installation progress page displays a bar indicating the approximate progress of the installation. You can close the wizard (by clicking the Close (X) button) without interrupting the installation, and open it again to view progress by clicking Notifications and then Task Details in the Server Manager Dashboard Command Bar.
11. Upon completion of the installation, the wizard shows the installation results, and an automatic refresh is performed.

Replicate an existing AD LDS instance
Once the AD LDS feature has been installed, use the Active Directory Lightweight Directory Services Setup Wizard to install a new AD LDS instance on this machine that is a replica of the instance created during the installation of your first DigitalPersona LDS Server.
1. In the Server Manager Dashboard Command Bar, select Tools, then Active Directory Lightweight Directory Services Setup Wizard.
2. The wizard displays. Click Next.
3. On the Setup options page, select A replica of an existing instance, then click Next. This creates a new AD LDS instance on this machine that uses the configuration and schema of the instance associated with your previously installed DigitalPersona LDS Server.
4. Enter the name for the instance you are creating. This must be the same name as the original instance that you are replicating. Optionally, enter a description.
5. Enter the LDAP and SSL port numbers for this instance. The default port numbers for this computer are shown; in most cases, accept them.
6. Enter the Server Name and LDAP port of the configuration set that you want to join.
7. If you do not have the exact Server Name and port, click Select to search for and select the server. You will be asked for your network credentials. Enter the LDAP port that was used in the installation of the original DigitalPersona LDS instance. Once the configuration set information has been entered, click Next.
8. Select an account with administrative credentials for the configuration set.
9. Select the Application Directory Partitions to copy from the configuration set to this server. If no Application Directory Partition is shown, the DigitalPersona AD LDS Configuration Wizard was probably not run on the initial AD LDS instance. Close this wizard, return to the original instance and run the configuration wizard there before continuing.
10. Specify a location for each type of file associated with this instance of AD LDS.
11. Specify the user or group that will have administrative privileges for this AD LDS instance.
12. On the Ready to Install page, click Next.
13. During the installation, a progress bar is shown along with details about the installation process.
14. When the AD LDS Setup Wizard has finished, a final dialog displays. Click Finish.
15. Closing that dialog leaves the Add Roles and Features Wizard page on the screen. Additional tasks will still be running, but you can close this page without interrupting them, and reopen it by clicking Notifications in the command bar and then Task Details.
16. Closing the Add Roles and Features page leaves the Server Manager Dashboard on the screen. An error flag is shown in the upper right of the page until the AD LDS replica setup has completed post-deployment configuration. To refresh the page, click the Refresh button to the left of the warning flag.

Configuration of the AD LDS Service
DO NOT run the DigitalPersona AD LDS Configuration Wizard when setting up a replica. Configuration and schema information for the replica is automatically set to match the unique instance, associated with your previous DigitalPersona LDS Server, that it joined.

Configuring replication frequency and availability
By default, replication of data from one instance to another within a configuration set occurs every 180 minutes (3 hours). This interval is configurable. Additionally, specified blocks of time may be designated as available or unavailable for replication in order to limit scheduled replication to certain times of day (such as outside normal business hours).

Then install DigitalPersona LDS Server on the additional server. Do not activate a DigitalPersona Server license on it.
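A check to run once the replica has joined, as an added PowerShell example (not from the DigitalPersona guide): it reads RootDSE on every member of the configuration set to confirm they share one configuration naming context and hold the same application partitions (the situation step 9 above warns about is an empty partition list), then asks repadmin for the last replication results. The server names dplds01/dplds02.example.com, the port 389 and the function names are assumptions; replace the port if the instance was created on a non-default one.

```powershell
# Added example, not from the DigitalPersona guide. Run as the AD LDS administrator
# defined during instance setup; assumes both instances listen for LDAP on 389.
function Get-DpLdsInstanceInfo {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 389)
    $rootDse = [ADSI]"LDAP://${Server}:${Port}/RootDSE"
    [pscustomobject]@{
        Server        = "${Server}:${Port}"
        Configuration = [string]$rootDse.configurationNamingContext
        # Application partitions are what a replica copies; the DigitalPersona partition
        # created by DPADLDSConfig.exe must be present on every member of the set.
        AppPartitions = @($rootDse.namingContexts) |
                        Where-Object { $_ -notmatch '^CN=(Configuration|Schema),' }
    }
}

function Test-DpLdsReplication {
    param([Parameter(Mandatory)][string[]]$Servers, [int]$Port = 389)
    $info = $Servers | ForEach-Object { Get-DpLdsInstanceInfo -Server $_ -Port $Port }

    # All members of one configuration set report the same configuration naming context
    $cfg = @($info.Configuration | Sort-Object -Unique)
    if ($cfg.Count -ne 1) { throw "Servers are not in one configuration set: $($cfg -join '; ')" }

    # No application partition on the source means the DP configuration wizard was never run
    $reference = @($info[0].AppPartitions)
    if ($reference.Count -eq 0) {
        throw "$($info[0].Server) has no application partition; run DPADLDSConfig.exe on the original instance first."
    }
    foreach ($i in $info) {
        $current = @($i.AppPartitions)
        if ($current.Count -eq 0) { Write-Warning "$($i.Server) holds no application partitions"; continue }
        $diff = Compare-Object -ReferenceObject $reference -DifferenceObject $current
        if ($diff) { Write-Warning "$($i.Server) partition mismatch: $($diff.InputObject -join ', ')" }
    }

    # repadmin accepts host:port for AD LDS; shows the last attempt and result per partner
    foreach ($s in $Servers) { & repadmin.exe /showrepl "${s}:${Port}" }
}

Test-DpLdsReplication -Servers 'dplds01.example.com', 'dplds02.example.com'
```

A partition that is present on the first server but absent on the replica means the wizard's Application Directory Partitions step was skipped or the replica has not completed its initial sync; the repadmin output shows whether that sync is still pending or failing.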

Activate the DigitalPersona Server License

In most cases, you will activate your DigitalPersona Servers over the internet through Active Directory and the DigitalPersona Activation Wizard. The following procedure assumes that license activation is performed on the DigitalPersona LDS Server machine. This is not required, but the DigitalPersona LDS Administration Tools must be installed on the computer being used to activate the license.

To activate a DigitalPersona User license
1. From the computer where the DigitalPersona Server to be licensed is installed, open the Local Group Policy Editor (gpedit.msc).
2. Navigate to Computer Configuration, Software Settings, DigitalPersona Server, Licenses.
3. Right-click Licenses and select Add Customer license or Add Employee license.
4. When the DigitalPersona Activation Wizard displays, click Next.
5. Select the option I want to activate the software over the Internet.
6. On the next page, enter the License ID and password provided with your product purchase. Or, if you have been given a License Activation (.dplic) file, click the Use license file instead of License ID link to display a page where you can activate the product with the License Activation file.
7. Click Next. Upon successful activation, a confirmation dialog displays.

DP Credentials (FIDO2 Keys)

Note that FIDO U2F keys are not supported in this version. If FIDO2 Key credentials will be used with the DigitalPersona Web Components (i.e. the Identity Provider, HID DigitalPersona Administration Console or HID DigitalPersona Enrollment), the Web Management Components module should be installed and configured before any user enrolls a FIDO2 Key credential. If a FIDO2 Key credential is enrolled through the DigitalPersona Workstation User Console prior to the successful configuration of the Web Management Components, the credential will not roam and cannot be managed through HID DigitalPersona Enrollment or used to authenticate to any DigitalPersona web-based component.

Set up a unique instance of AD LDS

Once the AD LDS feature has been installed, use the Active Directory Lightweight Directory Services Setup Wizard to install and set up a unique instance of AD LDS to be used as the data store for DigitalPersona LDS. Note that the computer must be a member of a domain before beginning this wizard; otherwise AD LDS runs under a local service account and the instance will not be able to replicate data with AD LDS instances on other computers.

To set up AD LDS:
1. In the Server Manager Dashboard Command Bar, select Tools, then Active Directory Lightweight Directory Services Setup Wizard.
2. The wizard displays. Click Next.
3. On the Setup options page, select whether to create a unique instance of AD LDS or a replica of an existing instance. Select A unique instance unless you want to replicate a previously created instance for load balancing or failover. Click Next.
4. On the Instance name page, enter a unique name that differentiates this instance of AD LDS from other AD LDS instances that may exist on this computer. Click Next.
5. On the Ports page, in most cases, use the default ports provided. The default ports will usually be 389 and 636. (If the server is also a domain controller, those ports are already used by AD DS and the wizard proposes different ones.) Click Next.
6. On the Application Directory Partitions page, accept the default not to create an application directory partition. Click Next.
7. On the File location page, accept the default. Click Next.
8. On the Service account selection page, accept the default to use the Network Service account to perform operations. Click Next.
9. On the AD LDS Administrators page, specify the user or group that will have administrative privileges for this instance of AD LDS. In most cases, accept the default, which grants administrative permissions to the currently logged-on user, i.e. the one performing this installation. Click Next.
10. On the Importing LDIF Files page, select all of the listed options by pressing Ctrl+A and then clicking any selection box. Then click Next.
11. On the Ready to install page, review and confirm your selections. Click Next.
12. The Installing AD LDS page indicates the progress as the unique instance of AD LDS is installed.
13. When the installation is completed, the final page of the wizard displays. Click Finish to close the setup wizard, and Close to close the Add Roles and Features Wizard, if it has not already been closed.
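The same unique instance created unattended, as an added PowerShell example (not from the DigitalPersona guide) for servers built by script. It writes an AD LDS answer file reproducing the wizard choices above (unique instance, default ports, no application partition, Network Service, the current user as administrator, every shipped LDIF file imported) and runs adaminstall.exe with it; the instance name DigitalPersonaLDS, the file paths and the function name are assumptions, and the answer-file keys follow the AD LDS answer-file format, so check them against the sample answer file in the AD LDS documentation for your Windows build.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the DigitalPersona guide. Creates the unique AD LDS instance
# via %SystemRoot%\ADAM\adaminstall.exe /answer:<file>. Assumed defaults below.
function New-DpLdsUniqueInstance {
    param(
        [string]$InstanceName  = 'DigitalPersonaLDS',
        [int]$LdapPort         = 389,
        [int]$SslPort          = 636,
        [string]$Administrator = "$env:USERDOMAIN\$env:USERNAME"   # AD LDS administrator
    )
    # The wizard only warns about this; a non-domain-joined instance cannot replicate later
    if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        throw 'Join this computer to a domain before creating the AD LDS instance.'
    }
    # 389/636 are already bound by AD DS on a domain controller; refuse rather than collide
    foreach ($p in $LdapPort, $SslPort) {
        if (Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue) {
            throw "TCP port $p is already in use on this host."
        }
    }
    # "Select all" on the Importing LDIF Files page: every .ldf shipped in %SystemRoot%\ADAM
    $ldif = (Get-ChildItem "$env:SystemRoot\ADAM\*.ldf" |
             ForEach-Object { '"' + $_.Name + '"' }) -join ' '
    $dataPath = "$env:ProgramFiles\Microsoft ADAM\$InstanceName\data"   # wizard's default
    $answer = @"
[ADAMInstall]
InstallType=Unique
InstanceName=$InstanceName
LocalLDAPPortToListenOn=$LdapPort
LocalSSLPortToListenOn=$SslPort
NewApplicationPartitionToCreate=
DataFilesPath=$dataPath
LogFilesPath=$dataPath
ServiceAccount=
ServicePassword=
AddPermissionsToServiceAccount=No
Administrator=$Administrator
ImportLDIFFiles=$ldif
"@
    $file = Join-Path $env:TEMP 'dplds-adaminstall.txt'
    Set-Content -Path $file -Value $answer -Encoding ASCII
    try {
        & "$env:SystemRoot\ADAM\adaminstall.exe" "/answer:$file"
        if ($LASTEXITCODE -ne 0) {
            throw "adaminstall.exe exited with $LASTEXITCODE; see $env:SystemRoot\Debug\adamsetup.log"
        }
    } finally {
        # An answer file can carry a service password; never leave it on disk
        Remove-Item -Path $file -ErrorAction SilentlyContinue
    }
    # Confirm the instance answers before handing over to DPADLDSConfig.exe
    $root = [ADSI]"LDAP://localhost:${LdapPort}/RootDSE"
    [string]$root.configurationNamingContext
}

New-DpLdsUniqueInstance
```

Blank ServiceAccount and ServicePassword entries select Network Service, matching wizard step 8; fill them in only if the instance must run under a domain account, and then keep the answer file out of version control.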

DigitalPersona LDS Administration Tools

Provides additional tools for administration of various DigitalPersona Pro Enterprise features and utilities including License Management and GPMC Extensions (with DigitalPersona Administrative Templates).

DigitalPersona LDS Server

Provides centralized administration of DigitalPersona clients and enables strong authentication through various credentials and credential combinations

SMS Configuration

SMS Configuration specifies the API values and Sender Addresses assigned by the Nexmo Gateway and is required for operation of DigitalPersona's OTP via SMS credential. A previously created Nexmo account is required.
■ If enabled, and valid values are entered in the fields provided, SMS authentication is shown on the logon screen. The API Key assigned by Nexmo is required.
■ If disabled or not configured, SMS authentication is not shown on the logon screen.

Nexmo API Key - Enter the API Key assigned by Nexmo.
Nexmo API Secret - Enter the API Secret assigned by Nexmo.
Nexmo Sender Addresses - Enter one or more semicolon-delimited alphanumeric strings to be used as Sender Addresses (also called SenderID) by the Nexmo SMS Gateway. There are country-specific limitations for sender addresses; for example, alphabetic characters are not allowed in the United States. Country-specific restrictions are described here: https://help.nexmo.com/hc/en-us/sections/200622473-Country-Specific-Features-and-Restrictions.
■ If more than one Sender Address is specified, the SMS is sent with a Sender Address selected randomly from the list.
■ If no Sender Address is specified, the default Sender Address 'NXSMS' is used.

Kiosk Administration

Settings that define DigitalPersona Kiosk policies are stored in the following location:
Computer Configuration\Policies\Software Settings\DigitalPersona Client\Kiosk Administration

Allow automatic logon using Shared Kiosk Account
Determines whether the automatic logon feature is enabled.
■ If enabled, automatic logon uses the Kiosk Shared Account to log users on to the computer when the Windows operating system starts up. The Log On to Windows dialog box is not displayed.
■ If disabled or not configured, automatic logon is disabled.
CAUTION: The automatic logon setting allows any user to access a Windows session without interactive authentication when the Kiosk computer is restarted.

Logon/Unlock with Shared Account Credentials
■ If enabled, any user who knows the user name and password for the shared account that Kiosk uses can use those credentials to log on to or unlock the computer.
■ If disabled or not configured, the shared account credentials cannot be used to log on to or unlock the computer.

Prevent users from logging on outside of a Kiosk session
■ If enabled, only those with administrator privileges are able to log on to any Kiosk workstation controlled by the GPO.
■ If disabled or not configured, users can log on to the Kiosk workstations as a local user outside of the Kiosk session.

Kiosk Workstation Shared Account Settings
In order for a DigitalPersona Kiosk workstation to function correctly, this setting must be enabled and the Windows shared account information (user name, domain and password) specified. For further details, see Specifying a Shared Account for the Kiosk.
■ If enabled, you can specify Windows shared account information for the governed kiosks.
■ If disabled or not configured, Kiosk workstations affected by the GPO will not be operable.

Kiosk Unlock Script
Specifies a script file to run whenever a Kiosk session is unlocked by a new user. By default, the script file should be located in the directory shown below on the Domain Controller, or you can specify the full path to a shared folder containing the script file.
%systemroot%\sysvol\sysvol\domain_DNS_name\scripts

SMTP Configuration

Specify the SMTP server parameters for an account to be used by the password reset and OTP through email features for sending email to the user. Note that these features are separately enabled through the additional GPO settings Allow sending OTP through email and Allow users to reset their Windows passwords. When enabled, the following fields are mandatory:
■ SMTP Server - Hostname only supported
■ Email Address - Used to log in to the SMTP server
■ Email Password - Used to log in to the SMTP server
To validate the SMTP server parameters entered, enter an Incoming Email Address and click Test Settings. A test email is sent to the specified address.
■ If enabled and valid SMTP parameters are entered, the specified SMTP server is used.

DigitalPersona LDS Administration Tools

The DigitalPersona LDS Administration Tools are a separate installation package included in the DigitalPersona Pro Enterprise product package. It includes the User Query Snap-in (used to query user data) and the GPMC/GPOE Extensions (used to manage DigitalPersona policies and settings), and can also be used to manage DigitalPersona LDS licenses. Note that Domain Admin permissions are required to manage DigitalPersona licenses, unless you grant the Manage Licenses permission to additional users in the Microsoft Authorization Manager (AzMan).

If you will be managing your DigitalPersona LDS Server directly from the computer it is installed on, install the DigitalPersona Administration Tools on that computer. You can also manage the DigitalPersona LDS Server from another domain-joined computer, in which case you install the Administration Tools there; the tools must be installed on a machine that also has either DigitalPersona LDS Server or DigitalPersona LDS Workstation. The tools may be installed on a single workstation for centralized administration of DigitalPersona; or, for larger organizations, each tool may be installed on a separate workstation in order to divide the administration of various features among several people. By default, all Administration Tools are installed. Select Custom Setup to deselect any tools you do not wish to install.

Installation
1. Locate and launch the setup.exe located in the ..\Server\DigitalPersona LDS Administration Tools folder of the product package. The DigitalPersona LDS Administration Tools Wizard displays.
2. On the Welcome page, click Next.
3. On the License Agreement page, accept the agreement and click Next.
4. On the Destination Folder page, click Next. If this is the first DigitalPersona product being installed on this machine, there is also a Change button which allows you to change the installation directory. Additional DigitalPersona product installations remove this button in order to ensure that associated products are installed to the same directory.
5. On the Setup Type page, select a Complete installation or choose Custom to control which features are installed and where they are installed.
   ■ Complete - Installs all available features: the User Query Snap-in for collecting DigitalPersona LDS user information for the AD domain, and the GPMC Extensions, used to link product policies and settings to Active Directory containers.
   ■ Custom - By default, installs all features, but allows deselecting any feature.
6. On the Ready to Install the Program page, click Install.
7. On the InstallShield Wizard Completed page, click Finish.

DP Compatibility with other versions of DP

The DigitalPersona Server is backward compatible with older clients. Any upgrade to a newer version of DigitalPersona must start with the DigitalPersona Servers and Administration Tools; then upgrade any installed clients.

User Query Snap-in

The DigitalPersona User Query Snap-in is a component of the DigitalPersona Administration Tools, a separate installation located in the DigitalPersona LDS Administration Tools folder of your product package. It lets the administrator query the DigitalPersona user database for information about DigitalPersona users, perform certain operations, and set values associated with a selected user. It has three separate implementations, described in the following topics:
■ ActiveX control (page 96)
■ Interactive dialog-based application (page 98)
■ Command line utility (page 100)
The User Query Tool can only be run successfully on the computer where DigitalPersona LDS Server is installed. Once installed, the interactive dialog-based application can be run from the Start menu by selecting DigitalPersona, User Query Tool.

To run the interactive dialog-based application:
1. On the Start menu, point to All Programs, DigitalPersona, User Query Tool.
2. In the application dialog, select the type of information you want to display.
3. Optionally, browse to the location where you want to save the resulting log file.
4. Click Run.
5. The output is saved as a .csv file with the default name DPQuery.csv, which can be opened in Notepad, Microsoft Excel or another spreadsheet program.

License activation Options

The DigitalPersona user license is issued with a unique License ID and password. The license may be activated, deactivated or refreshed through wizards launched from the Active Directory Group Policy Management Editor on the computer where the DigitalPersona Server is installed. In most cases you will activate your DigitalPersona Servers over the internet through Active Directory and the DigitalPersona Activation wizard.

If a proxy server is used for internet access, the computer that will contact the Licensing Server may need additional configuration:
■ Open the Windows Registry Editor.
■ Navigate to the HKEY_LOCAL_MACHINE\Software\DigitalPersona\Application\Licensing key.
■ Create a string value named Proxy, with the value in the form hostname:port.

If you need to activate a license for a DigitalPersona Server in an air-gapped domain, see the topic License activation from another computer later in this section.
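The proxy setting above, scripted. This is an added example, not code from the DigitalPersona documentation: it validates the hostname:port format before writing the documented Proxy value, creates the Licensing key if it is not there yet, and can read the value back or remove it. The proxy name in the usage comment is a placeholder.

```powershell
# Added example (not from the DigitalPersona documentation): manage the Proxy
# value that the DigitalPersona licensing component reads when it contacts the
# Licensing Server. Run in an elevated PowerShell on the DigitalPersona Server.
$LicensingKey = 'HKLM:\SOFTWARE\DigitalPersona\Application\Licensing'

function Get-DPLicensingProxy {
    # Returns the current Proxy value, or $null if the key or value is absent.
    if (-not (Test-Path $LicensingKey)) { return $null }
    (Get-ItemProperty -Path $LicensingKey -Name 'Proxy' -ErrorAction SilentlyContinue).Proxy
}

function Set-DPLicensingProxy {
    param(
        # Documented format is hostname:port, with no scheme prefix.
        [Parameter(Mandatory)] [string] $HostPort
    )
    # Validate before touching the registry: reject "http://host:port", bare
    # hostnames and ports outside 1-65535, rather than discovering a typo at
    # activation time. -or short-circuits, so $Matches is only read on a match.
    if ($HostPort -notmatch '^(?<host>[A-Za-z0-9][A-Za-z0-9.-]*):(?<port>\d{1,5})$' -or
        [int]$Matches['port'] -lt 1 -or [int]$Matches['port'] -gt 65535) {
        throw "Proxy must be in the form hostname:port, got '$HostPort'"
    }
    if (-not (Test-Path $LicensingKey)) {
        # The Licensing subkey may not exist before the first activation.
        New-Item -Path $LicensingKey -Force | Out-Null
    }
    # REG_SZ value named Proxy; -Force overwrites an existing value.
    New-ItemProperty -Path $LicensingKey -Name 'Proxy' -Value $HostPort `
        -PropertyType String -Force | Out-Null
    Get-DPLicensingProxy
}

function Remove-DPLicensingProxy {
    # Removing the value restores direct (no-proxy) connections.
    if (Test-Path $LicensingKey) {
        Remove-ItemProperty -Path $LicensingKey -Name 'Proxy' -ErrorAction SilentlyContinue
    }
}

# Usage (proxy.corp.example:8080 is a placeholder for your proxy):
# Set-DPLicensingProxy -HostPort 'proxy.corp.example:8080'
# Get-DPLicensingProxy
# Remove-DPLicensingProxy
```

Run it on the machine that will contact the Licensing Server, which is not necessarily every DigitalPersona Server when activation is done from another computer. Remove the value again once activation is complete if the proxy was only needed for that step.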

Enhanced Logon Authentication Policy

The Enhanced Logon Authentication Policy specifies the credentials or credential combinations used to log on to or unlock domain computers when any of the conditions specified on the Conditions tab are met. This policy has no effect on DigitalPersona Kiosk clients.
■ If enabled and credentials are defined (by clicking Add), then whenever the conditions selected on the Conditions tab are met, logon authentication requires the credentials or credential combinations specified in this policy. While those conditions are met, this policy replaces the Logon Authentication Policy in force.
■ If disabled or not configured, the standard Logon Authentication Policy remains in force.
To configure the Enhanced Logon Authentication Policy
1. Select Enabled and click the Add link to specify the required credential(s). See the previous topic Primary and Secondary credentials for details on permitted credential combinations.
Notes: Contactless Writable and Contactless ID cards cannot be used in the Logon Authentication Policy or Enhanced Logon Authentication Policy when either FIDO or PKI cards are used in the policy. This does not apply to the Session Authentication Policy. The Face credential requires a separate Face Authentication License and is not supported in web-based components.
2. Specify any conditions that must be met for this policy to be applied.

Enrollment Policy

The Enrollment Policy specifies the credentials that may be used for enrollment in the User Console, Attended Enrollment and HID DigitalPersona Enrollment applications. By default, all supported credentials are initially listed on this tab.
■ If enabled, only the specified credentials may be enrolled, and only those credentials' tiles are displayed in the UI.
■ If disabled or not configured, any installed and supported credentials may be used, except for Face. To use the Face credential, the policy must be enabled and the Face credential selected, together with every other credential you want to be available for enrollment. The Face credential requires a separate Face Authentication License and is not supported in web-based components.

Kiosk Session Authentication Policy

The Kiosk Session Authentication Policy defines the credentials that may be used to access Security applications during a DigitalPersona Kiosk session. By default, all supported credentials are listed on the tab. The Face credential requires a separate Face Authentication License and is not supported in web-based components. See the previous topic Primary and Secondary credentials on page 123 for details on permitted credential combinations.
■ If enabled, only the specified combination of credentials in the policy can be used for authentication.
■ If disabled or not configured, credentials are controlled by local GPOs.
To edit or delete a credential from the list, click the arrow that appears to the right of the credential. To add a credential to the list, click Add at the top of the list.

Password Manager Admin Tool

The Password Manager Admin Tool is a separate component included with the DigitalPersona Premium package. It simplifies and secures access to password-protected programs and websites through managed logons, which let users identify themselves with any supported DigitalPersona credential or combination of credentials specified by the administrator, as defined in the Authentication and Credentials topic above. Administrators use the Password Manager Admin Tool to create managed logons that describe the logon and change-password screens of websites, programs and network resources. These managed logons are then deployed to managed workstations, where users access them through the Password Manager application and the mini-dashboard. Managed logons always take precedence over personal logons created by users.

Session Authentication Policy

The Session Authentication Policy defines the credentials needed to access Security applications during a Windows session. By default, all supported credentials are listed on the tab. See the previous topic Primary and Secondary credentials on page 123 for details on permitted credential combinations. The Face credential requires a separate Face Authentication License and is not supported in web-based components.
■ If enabled, only the specified combination of credentials in the policy can be used for authentication.
■ If disabled, the user is not prompted to authenticate by DigitalPersona security applications during the Windows session. This provides single sign-on: the user logs on to Windows and gains access to all security applications without being prompted to authenticate for each one.
■ If not configured, credentials are controlled by local GPOs. Credential enrollment still requires authentication.
To edit or delete a credential from the list, click the arrow that appears to the right of the credential. To add a credential to the list, click Add at the top of the list.

Define the authorization store name

The administration and management of role-based permissions, tasks and operations for DigitalPersona LDS is done through the DigitalPersona Authorization Store and the Microsoft Authorization Manager. For ease of use, the Authorization Manager snap-in may be added to a new or existing Microsoft Management Console on any computer that is a member of the same domain as the DigitalPersona LDS Server. The Authorization Manager can also be run directly from the command line by entering azman.msc. A shortcut to the MMC placed on the Start screen or Windows taskbar gives immediate access to the Authorization Manager and Authorization Store. Installation and administration of the Microsoft Authorization Manager snap-in must be performed by a member of the computer's local Administrators group.

To enter the Authorization Store name for DigitalPersona LDS:
1. Launch the Microsoft Authorization Manager by typing azman.msc on the Start screen.
2. In the Microsoft Authorization Manager, select Open Authorization Store.
3. Select Active Directory or Active Directory Application Mode (ADAM).
4. Enter the authorization store name and click OK. Because the syntax of the store name is rather complex, the string defining it is provided in a file so that you can copy and paste it into the Store name field. The file name and location (for a default installation) is Program Files\DigitalPersona\Bin\AzMan.txt. The authorization store name is a string similar to the following: MSLDAP://127.0.0.1:50000/CN=Authorization Store,CN={893B81EE-7764-44FF-8561-8377580B9B03},O=DigitalPersona,C=US
5. Once the authorization store has been opened, the Authorization Manager is populated with the roles, tasks and operations defined for DigitalPersona LDS. Although the system does not ask you to reboot the computer, doing so is recommended.
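The store name from AzMan.txt can also be fed to the AzMan COM automation interface, which is useful for reviewing who holds delegated permissions such as Manage Licenses (the permission the Administration Tools topic above says is otherwise reserved to Domain Admins). The following is an added example, not code from the DigitalPersona documentation: it reads the store URL from the default AzMan.txt location, opens the store read-only and lists every application-level role with its members and tasks. The task and role names it prints are whatever the DigitalPersona store defines; the 'Licens' filter in the usage comment is only a guess at their wording.

```powershell
# Added example (not from the DigitalPersona documentation): open the
# DigitalPersona Authorization Store through the AzMan COM automation
# interface (AzRoles.AzAuthorizationStore) and list every role, its members
# and the tasks it grants, so that holders of a permission such as Manage
# Licenses can be reviewed from a script instead of the MMC snap-in. Assumes
# the default AzMan.txt location; run on a domain-joined machine as an account
# allowed to read the store.

function Get-DPAuthorizationStoreUrl {
    param([string] $AzManFile = "$env:ProgramFiles\DigitalPersona\Bin\AzMan.txt")
    if (-not (Test-Path $AzManFile)) { throw "AzMan.txt not found: $AzManFile" }
    # The file contains the single MSLDAP://... store name; strip trailing newlines.
    $url = (Get-Content -Path $AzManFile -Raw).Trim()
    if ($url -notmatch '^MSLDAP://') { throw "Unexpected store name in ${AzManFile}: $url" }
    $url
}

function Get-DPAuthorizationRoles {
    param([Parameter(Mandatory)] [string] $StoreUrl)
    $store = New-Object -ComObject AzRoles.AzAuthorizationStore
    # Flags 0 opens an existing store only. Never pass AZ_AZSTORE_FLAG_CREATE (1)
    # from an audit script: a mistyped URL could create a new store instead of
    # reporting the typo.
    $store.Initialize(0, $StoreUrl)
    foreach ($app in $store.Applications) {
        foreach ($role in $app.Roles) {
            [pscustomobject]@{
                Application = $app.Name
                Role        = $role.Name
                # Members holds SIDs; MembersName resolves them to account names.
                Members     = (@($role.MembersName) -join '; ')
                Tasks       = (@($role.Tasks) -join '; ')
            }
        }
    }
}

# Usage:
# $url = Get-DPAuthorizationStoreUrl
# Get-DPAuthorizationRoles -StoreUrl $url | Format-Table -AutoSize
# Roles whose tasks mention licensing (task names are those defined by the store):
# Get-DPAuthorizationRoles -StoreUrl $url | Where-Object { $_.Tasks -match 'Licens' }
```

Only application-level roles are listed; if the store also defines roles under scopes, enumerate `$app.Scopes` and each scope's `Roles` the same way. Anyone who can write to the store can grant themselves any role in it, so restrict write access to the store itself as tightly as the permissions it governs.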

Authentication and Credentials

The default, and simplest, means of authentication (making sure that you are a person authorized to access a computer or other resource) is your Windows account name and password. Authentication is generally required when logging on to Windows, accessing network applications and resources, and logging in to websites. DigitalPersona clients let the IT administrator easily set up and enforce strong authentication such as two-factor and multi-factor authentication using a variety of supported credentials.

DigitalPersona credentials are defined as Primary and Secondary credentials. Primary credentials are considered stronger (more secure) than Secondary credentials, and include the following:
■ Password
■ Fingerprint
■ PKI Smart cards
■ Contactless Writable cards
■ Contactless ID cards (when enabled as a single (Primary) credential by GPO; see the Allow the use of Contactless ID cards as a single (Primary) credential setting on page 136)
■ One-Time Password
■ Face (requires a separate Face Authentication License; not supported in web-based components)
■ FIDO2 Key
Secondary credentials can only be used in combination with a Primary credential. They are:
■ Contactless ID card (except when enabled as Single (Primary) by GPO; see the Allow the use of Contactless ID cards as a single (Primary) credential setting on page 136)
■ PIN
■ Bluetooth device
An additional Password Recovery credential may be used solely for recovering access to a managed client computer when other credentials fail, are forgotten or are unavailable.

Note that by default, user credentials are cached on the local DigitalPersona Workstation client and not cached on a computer running the DigitalPersona Kiosk client. This means that DigitalPersona Workstation users can be authenticated without a connection to the DigitalPersona Server, but DigitalPersona Kiosk users cannot be authenticated if there is no connection to the DigitalPersona Server (although caching can be enabled for the Kiosk client if desired). By default, initial enrollment of end-user credentials is provided through the DigitalPersona Attended Enrollment component, which requires the supervising logged-on user to have been previously assigned the role of DigitalPersona Security

Extended Server Policy Module

This chapter describes the DigitalPersona LDS Extended Server Policy Module (ESPM), an optional component for your DigitalPersona LDS Server. The ESPM is a separately purchased and installed server module that adds per-user policies configurable through the Set Policy dialog in the DigitalPersona Web Administration Console. These policies manage the credential combinations used for Windows logon only; they do not affect the use of DigitalPersona credentials with personal or managed logons to websites, applications and network resources.

Without the ESPM, the following user policies are available for DigitalPersona users:
■ Use Windows password only
■ Randomize user's Windows password
■ Use OTP and Windows password
Installing the ESPM adds the following user policy settings to the Set Policy dialog:
■ Use fingerprint - The user must verify their identity with a fingerprint credential in order to log on to Windows. No other credentials can be used, except for supported recovery options such as Self Password Recovery.
■ Use fingerprint and PIN - The user must provide a PIN whenever a fingerprint is used to log on, to unlock the computer or to change their Windows password. The fingerprint PIN adds another level of security to logging on with a fingerprint.
■ Use fingerprint and Windows Password - The user must verify their identity with their fingerprint credential in addition to Windows authentication (a PKI Smart card or password, according to the Windows policy setting).
■ Use OTP and fingerprint - The user must verify their identity with their fingerprint credential in addition to the OTP credential.
Note that some user policies (such as Use Windows password only and Use fingerprint) cause conflicting policies to be grayed out and unavailable. When several policies defining credential combinations are selected, such as Use fingerprint and PIN together with Use OTP and fingerprint, the user may authenticate with any one of the selected combinations, i.e. the selection creates an OR policy.

Install DigitalPersona Pro Enterprise LDS Server

To install the DigitalPersona LDS Server
1. Launch the DigitalPersona LDS Server - InstallShield Wizard by running Setup.exe, located in the ..\Server\DigitalPersona LDS Server folder of the product package.
2. The wizard's Welcome page displays. Click Next.
3. Read the License Agreement page. If you agree with the stated terms, select I accept the license agreement and click Next.
4. On the Destination Folder page, accept the default destination folder or click Change to install to a different folder. Click Next.
5. On the Setup Type page, choose one of the following options to indicate the type of installation you want to perform.
■ Typical - Installs the LDS Server and the DigitalPersona Fingerprint Recognition Engine.
■ Custom - Allows selection of which features to install:
■ Fingerprint Recognition Engine - Enables fingerprint matching, i.e. fingerprint enrollment, verification and identification. If you plan to install the Biometric Tokenization Engine or the optional DigitalPersona Large Scale ID Wrapper, deselect the Fingerprint Recognition Engine feature. For details on the wrapper, see the DigitalPersona Large Scale ID Wrapper: Installation Guide.
■ Biometric Tokenization Engine - Creates a tokenized, revocable representation of a fingerprint. It can be used for enrollment and verification but not for identification, and does not support deduplication. Switching from the Fingerprint Recognition Engine to the Biometric Tokenization Engine requires re-enrollment of all users' fingerprints.
It is critical that the same recognition engine is installed on all DigitalPersona Servers and clients in the AD forest.
6. On the Ready to Install page, click Install.
7. The Installing DigitalPersona LDS Server page displays the progress of the installation.
Windows Authorization Access Group - For DigitalPersona Server to provide access control, it requires access to authorization information on user account objects.
■ By default, members of the Pre-Windows 2000 Compatible Access group have access to this data. If the "Permissions compatible with pre-Windows 2000 servers" option was selected during the DCPromo process when the domain was created, Everyone was added to the Pre-Windows 2000 Compatible Access group and DigitalPersona Server is able to read the necessary user authorization information in Active Directory.
■ If that option was not selected, DigitalPersona Server does not have access to the user authorization information, and user enrollment fails with an "Access Denied" error.
■ Therefore, add the machine account of the computer running DigitalPersona Server to the Windows Authorization Access Group.
8. When the wizard completes, the InstallShield Wizard Completed page displays. Click Finish.
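The two conditions in the Windows Authorization Access Group note, checked and fixed from PowerShell. This is an added example, not code from the DigitalPersona documentation: it reports whether Everyone or Authenticated Users sits in Pre-Windows 2000 Compatible Access, tests whether the server's machine account is already in the Windows Authorization Access Group, and adds it if not. It needs the ActiveDirectory RSAT module; DPLDS01 is a placeholder server name.

```powershell
# Added example (not from the DigitalPersona documentation): check the two
# conditions the installation notes describe and apply the recommended fix.
# Needs the ActiveDirectory RSAT module and an account allowed to modify the
# Windows Authorization Access Group. DPLDS01 is a placeholder computer name.
Import-Module ActiveDirectory

function Test-PreWin2000Everyone {
    # True if Everyone (S-1-1-0) or Authenticated Users (S-1-5-11) is a member
    # of Pre-Windows 2000 Compatible Access. Read the member attribute directly:
    # Get-ADGroupMember can fail on well-known foreign security principals.
    $group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    [bool]($group.member | Where-Object { $_ -match '^CN=(S-1-1-0|S-1-5-11),' })
}

function Test-DPAuthorizationAccess {
    param([Parameter(Mandatory)] [string] $ServerName)
    $computer = Get-ADComputer -Identity $ServerName
    $members  = Get-ADGroupMember -Identity 'Windows Authorization Access Group' -Recursive
    # Compare SIDs rather than names so a renamed or moved computer object
    # still matches; -Recursive also catches membership via a nested group.
    [bool]($members | Where-Object { $_.SID -eq $computer.SID })
}

function Grant-DPAuthorizationAccess {
    param([Parameter(Mandatory)] [string] $ServerName)
    if (Test-DPAuthorizationAccess -ServerName $ServerName) {
        Write-Verbose "$ServerName is already a member of Windows Authorization Access Group"
        return
    }
    $computer = Get-ADComputer -Identity $ServerName
    Add-ADGroupMember -Identity 'Windows Authorization Access Group' -Members $computer
    # Group membership is applied when the computer's logon token is built, so
    # reboot the server (or purge its SYSTEM Kerberos tickets on the server
    # with 'klist -li 0x3e7 purge') before retrying enrollment.
}

# Usage:
# Test-PreWin2000Everyone                          # $true: enrollment works via the broad pre-2000 permissions
# Test-DPAuthorizationAccess -ServerName 'DPLDS01' # $true: machine account already has the narrow grant
# Grant-DPAuthorizationAccess -ServerName 'DPLDS01' -Verbose
```

Prefer the Windows Authorization Access Group route even when Test-PreWin2000Everyone returns true: membership in that group grants only read access to the tokenGroupsGlobalAndUniversal attribute for the one machine account, whereas Everyone in Pre-Windows 2000 Compatible Access exposes user and group attributes domain-wide, and many hardening baselines remove it.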

Installing Administrative Templates into a Central Store

Windows stores Administrative Templates either in a local store (%SystemRoot%\PolicyDefinitions) or in a Central Store (%SystemRoot%\SYSVOL\sysvol\%UserDomain%\Policies\PolicyDefinitions). Administrative Templates placed in the Central Store are automatically replicated to all Domain Controllers in the domain. For details, see the Microsoft article Create and manage central store. If your company uses a Central Store as the default place for all Administrative Templates, you may want to use it for the DigitalPersona Administrative Templates as well.

To install the DigitalPersona Administrative Templates into the Central Store, either copy the ADMX/ADML files manually, like any other ADMX/ADML files, or use the DeployTemplates.bat script located in your DigitalPersona software package at DigitalPersona [AD|LDS] Server\Server Tools\Policy Templates. Run the file As Administrator. The script attempts to detect whether you currently use the Central Store or a local store: if it finds a %SystemRoot%\SYSVOL\sysvol\%UserDomain%\Policies\PolicyDefinitions folder, it assumes the Central Store, otherwise the local store. It also asks which language(s) to install for the DigitalPersona Administrative Templates. Running the file displays a prompt:
1. Select a policy language to install by typing the two-letter abbreviation for a language, or type an asterisk (*) to install all languages.
2. Press Enter. The script installs the administrative templates and the selected language files into the detected policy definitions store. If you later switch from the local store to a Central Store, or vice versa, run DeployTemplates.bat again to install the DigitalPersona Administrative Templates to the new store.
3. Press Enter.
You can verify that the policies have been copied to the domain's Central Store by checking that the Group Policy Management Editor (GPME) shows the policy definitions as 'retrieved from the central store'.
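The same deployment in PowerShell, as an added example that is not the DeployTemplates.bat shipped in the product package. It applies the detection rule described above (Central Store if the SYSVOL PolicyDefinitions folder exists, otherwise the local store), copies the ADMX files and the requested ADML language folders, and then verifies that every ADMX has a matching ADML per language, which is the usual cause of policies showing up as raw string IDs in GPMC. Assumptions: the Central Store is addressed by its UNC path \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions (the same folder the documentation gives as a local path on a DC), the ADML files sit in culture-named subfolders such as en-US under the template folder, and the source path in the usage comment is the documented default, which may differ in your package.

```powershell
# Added example (not the DeployTemplates.bat from the product package): copy
# the DigitalPersona ADMX/ADML files into the Central Store when one exists,
# otherwise into the local PolicyDefinitions folder, using the detection rule
# the documentation describes for the script. Assumes the UNC form of the
# Central Store and culture-named ADML subfolders (en-US, de-DE, ...).
# Run elevated on a domain-joined machine with write access to SYSVOL.

function Get-PolicyDefinitionsStore {
    # Prefer the Central Store, as the script does; fall back to the local store.
    $domain = $env:USERDNSDOMAIN
    if ($domain) {
        $central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
        if (Test-Path $central) { return $central }
    }
    Join-Path $env:SystemRoot 'PolicyDefinitions'
}

function Install-DPAdmxTemplates {
    param(
        # Folder holding the .admx files and the per-language .adml folders,
        # e.g. '<package>\DigitalPersona LDS Server\Server Tools\Policy Templates'
        [Parameter(Mandatory)] [string] $SourceDir,
        # Culture folders to copy; '*' copies every language present
        [string[]] $Languages = @('en-US'),
        # Report what would be copied without writing anything
        [switch] $DryRun
    )
    if (-not (Test-Path $SourceDir)) { throw "Template folder not found: $SourceDir" }
    $target = Get-PolicyDefinitionsStore
    if (-not (Test-Path $target)) { throw "Policy definitions store not found: $target" }

    $admx = @(Get-ChildItem -Path $SourceDir -Filter '*.admx' -File)
    if ($admx.Count -eq 0) { throw "No .admx files in $SourceDir" }
    foreach ($f in $admx) {
        Copy-Item -Path $f.FullName -Destination $target -Force -WhatIf:$DryRun
    }

    # ADML files must land in a matching culture folder under the store, or
    # GPMC shows the policies with raw string IDs instead of names.
    $langDirs = @(Get-ChildItem -Path $SourceDir -Directory |
        Where-Object { $Languages -contains '*' -or $Languages -contains $_.Name })
    if ($langDirs.Count -eq 0) {
        throw "None of the requested languages ($($Languages -join ', ')) found in $SourceDir"
    }
    foreach ($d in $langDirs) {
        $dest = Join-Path $target $d.Name
        if (-not (Test-Path $dest)) {
            New-Item -ItemType Directory -Path $dest -WhatIf:$DryRun | Out-Null
        }
        Get-ChildItem -Path $d.FullName -Filter '*.adml' -File |
            Copy-Item -Destination $dest -Force -WhatIf:$DryRun
    }

    # Verify: each ADMX needs an ADML of the same base name for every language.
    if (-not $DryRun) {
        foreach ($f in $admx) {
            foreach ($d in $langDirs) {
                $adml = Join-Path (Join-Path $target $d.Name) ($f.BaseName + '.adml')
                if (-not (Test-Path $adml)) { Write-Warning "Missing language file: $adml" }
            }
        }
    }
    $target   # where the templates went, so the caller can log or inspect it
}

# Usage (source path is the documented default location; adjust to your package):
# Install-DPAdmxTemplates -SourceDir 'D:\DigitalPersona LDS Server\Server Tools\Policy Templates' -DryRun
# Install-DPAdmxTemplates -SourceDir 'D:\DigitalPersona LDS Server\Server Tools\Policy Templates' -Languages '*'
```

Writes to the Central Store replicate to every domain controller, so run with -DryRun first and keep the package's own copy of the templates; the verification loop flags an ADMX without its ADML, which is the usual cause of the GPME showing policy names as raw string IDs.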

DigitalPersona LDS Kiosk

a client application specifically designed for environments where users need fast, convenient and secure multi-factor identification on workstations shared by multiple users. Although the Kiosk application uses a single Windows account, each DigitalPersona user logs in to Kiosk with their own DigitalPersona credentials, gaining separately controlled access to resources, applications and data.

DigitalPersona LDS

is an end-to-end, MFA solution platform that provides a non-repudiable identity from enrollment to authentication, customized to your environment.

DP LDS Clients may be installed in the following ways

may be installed individually on computers or deployed through Active Directory GPO, SMS (Systems Management Server) or logon scripts. They cannot be installed through ghosting or imaging technologies.

