
Enterprise Single Sign-On 8.0.3
Administrator Guide
Kiosk and Cluster Modes

Copyright 1998-2009 Quest Software and/or its Licensors ALL RIGHTS RESERVED.
This publication contains proprietary information protected by copyright. The software described in this publication is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical or otherwise without the prior written permission of the publisher.

DISCLAIMER
The information in this publication is provided in connection with Quest branded products from Evidian. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE AGREEMENT FOR THIS PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO THIS PRODUCT, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN IF EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Evidian and Quest make no representations or warranties with respect to the accuracy or completeness of the contents of this publication and reserve the right to make changes to specifications and product descriptions at any time without notice. Evidian and Quest do not make any commitment to update the information contained in this publication. The information and specifications in this publication are subject to change without notice.

Trademarks
Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, InTrust, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, Stat!, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster, SSOWatch, WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks mentioned in this document are the property of their respective owners.
World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656
Website: www.quest.com
Please refer to our website for regional and international office information.
Quest Enterprise SSO
Updated January 2010
Software version 8.0.3

CONTENTS
About This Guide
  Access Management
  Conventions

1. Overview
  1.1 Kiosk and Cluster Modes Functions
    1.1.1 Kiosk Mode Functions
    1.1.2 Cluster Mode Function
  1.2 Kiosk and Cluster Mode Authentication Methods
  1.3 Required Enterprise SSO Modules

2. The Fast User Switching (FUS) Function
  2.1 Fast User Switching: Overview and Use
    2.1.1 Definition
    2.1.2 Fast User Switching Modes
  2.2 Configuring Hierarchized Access FUS
    2.2.1 Activating Hierarchized Access FUS
    2.2.2 Overriding the User "Unlocking Level" (Optional)
  2.3 Configuring Shared Access FUS
    2.3.1 Activating FUS for Shared Access FUS Users
    2.3.2 Associating Users with a Shared Windows Account
    2.3.3 Activating Shared Access FUS on Dedicated Access Points (Optional)
  2.4 Installing and Configuring Public Access FUS
  2.5 Configuring Application Closing

3. The Roaming Session Mode
  3.1 Roaming Session Mode: Overview and Use
  3.2 Configuring the Roaming Session Mode
    3.2.1 Activating the Roaming Session Mode for Users
    3.2.2 Activating the Roaming Session Mode on Computers
  3.3 Administering Users Roaming Sessions
    3.3.1 Administering Users Roaming Sessions from the Enterprise SSO Console
    3.3.2 Administering Current Roaming Session from the Users Workstation

4. The Cluster Mode
  4.1 Cluster Mode: Overview
  4.2 Creating and Configuring a Cluster of Access Points
  4.3 Displaying Cluster Event Logs (Events Tab)
  4.4 Renaming Clusters
  4.5 Deleting Clusters
  4.6 Removing Temporarily an Access Point From the Cluster

About Quest Software, Inc.
  Contacting Quest Software
  Contacting Quest Support


About This Guide


Access Management
SUBJECT
The Kiosk mode gathers the following functionalities: Fast User Switching and Roaming Session mode. This guide explains how to configure the Kiosk and Cluster mode functionalities.

INTENDED READER
Enterprise SSO Administrators who know how to use the Enterprise SSO Console.

SOFTWARE/HARDWARE REQUIRED
Enterprise SSO 8.0 evolution 3 and later versions.

SUPPORTED OPERATING SYSTEMS
For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to Quest Enterprise SSO Release Notes. Enterprise SSO controller runs only on Windows systems. Kiosk and Cluster modes are only available on Windows Enterprise SSO clients.

Quest Enterprise SSO 8.0.3 Kiosk and Cluster Modes

Conventions
In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

ELEMENT: CONVENTION
Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bolded text: Interface elements that appear in Quest products, such as menus and commands.
Italic text: Used for comments.
Bold Italic text: Introduces a series of procedures.
Blue text: Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.
Icon: Used to highlight additional information pertinent to the process being described.
Icon: Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
Icon: Used to highlight processes that should be performed with care.
+: A plus sign between two keystrokes means that you must press them at the same time.
|: A pipe sign between elements means that you must select the elements in that particular sequence.


1. Overview
Enterprise SSO Kiosk and Cluster modes speed up computer use and improve security.

1.1 Kiosk and Cluster Modes Functions


1.1.1 Kiosk Mode Functions
Fast User Switching
Fast User Switching (FUS) simplifies access to computers used by several employees. FUS modifies the Microsoft session unlocking method by allowing users to unlock or close another user's session, using one of the following methods:
- Hierarchized access FUS: users are only authorized to unlock or close the session of other users whose level is below or equal to their own level.
- Shared access FUS: several users have in their Windows account list the one that has opened the session, so they can unlock or close the session of all other users who have the same account.
- Public access FUS: the workstation session remains open and is the same for all users, but the SSO context and application opening/closing are handled individually for each user.

This function is particularly used in retail store workstations where salespersons want to check stocks or register orders before their customers change their minds. Fast User Switching can work with Roaming Session Mode or with Cluster Mode. To know how to configure and use the Fast User Switching, see Section 2, The Fast User Switching (FUS) Function.

Roaming Session
The Roaming Session mode simplifies successive authentication to several computers. When a user needs to access several computers during the day, he/she only has to authenticate once on the first computer; then he/she only needs his/her device to open the other computers' sessions.

This function is particularly used in hospital emergency desks, where nurses and doctors need immediate access to information. It can be combined with Fast User Switching, and can be used on Clusters of computers. To know how to configure and use the Roaming Session mode, see Section 3, The Roaming Session Mode.

1.1.2 Cluster Mode Function


The Cluster mode is intended for employees who have several computers on their desk and need to use them simultaneously:
- When an employee authenticates on a computer, sessions on other computers used by this employee are also unlocked.
- When an employee locks or closes a computer, all other computers used by this employee are locked or closed too.

This function is particularly used in financial institution trading rooms or control rooms. The cluster mode can be combined with Roaming Session Mode and/or Fast User Switching. To know how to configure and use the Cluster mode, see Section 4, The Cluster Mode.

1.2 Kiosk and Cluster Mode Authentication Methods


The following table lists the authentication methods that can be used for each of the Kiosk and Cluster mode functions.
Functions (columns): Hierarchized Access FUS, Shared Access FUS, Public Access FUS, Cluster Mode, Roaming Session Mode.
Authentication methods (rows): Password, Smart Card, Active RFID, Passive RFID, Biometrics. Two cells of the table are marked "Not relevant".

1.3 Required Enterprise SSO Modules


The following table lists the Enterprise SSO modules that you must install to use each of the Kiosk and Cluster mode functions.
Functions (columns): Hierarchized Access FUS, Shared Access FUS, Public Access FUS, Cluster Mode, Roaming Session Mode.
Enterprise SSO modules (rows): Enterprise SSO Client, SSOWatch, Advanced Login, Enterprise SSO Console. Three cells of the table are marked "Optional".

2. The Fast User Switching (FUS) Function


2.1 Fast User Switching: Overview and Use
2.1.1 Definition
The Enterprise SSO Fast User Switching (FUS) is a functionality that allows multiple users to easily share the same workstation, by allowing them to change the SSO context quickly, without closing the Windows session.

2.1.2 Fast User Switching Modes


The Fast User Switching function works in three modes so that it can fit your needs. These modes are detailed in the following sub-sections. In Hierarchized Access FUS and Shared Access FUS, access to the Windows session is protected: Windows session locking and unlocking are managed by Advanced Login. All authentication methods can be used, but if an authentication device is used, it ensures that when a user removes his/her device, the session is automatically locked. If the same user comes back to the same workstation, he/she will find his/her applications still open. In Public Access FUS, access to the Windows session is not protected: the workstation session is the same for all users, but each user can access his/her own applications.


2.1.2.1 Hierarchized Access FUS


In hierarchized Access FUS, users are associated with an "unlocking level" and a "closing level". They are only authorized to unlock or close the session of other users whose level is below or equal to their own level.

[Figure: Hierarchized Access FUS. On a computer with Advanced Login, the session is locked by User A. User B, whose unlocking level is higher than User A's unlocking level, unlocks User A's session. User C, whose unlocking level is lower than User A's unlocking level, cannot unlock User A's session. User A, User B and User C each have their own applications.]

In the above illustration, the Windows user is still User A, and the Enterprise SSO user is User B. To configure this FUS mode, see Section 2.2, Configuring Hierarchized Access FUS.

2.1.2.2 Shared Access FUS


In Shared Access FUS, all users who need to authenticate to the same workstation have the same Windows account. All these users have in their account list the one that has opened the session. This way, they can unlock the session opened by another user of the same group.

[Figure: Shared Access FUS. User A, User B and User C share one Windows account on a computer with Advanced Login; each user has his/her own applications.]

To configure this FUS mode, see Section 2.3, Configuring Shared Access FUS.

2.1.2.3 Public Access FUS


The Public Access FUS is adapted to computers used in public access. In this mode, the access to the Windows session is not protected: the workstation session remains open, but the SSO context and application opening/closing are handled individually for each user, as illustrated in the following figure:

[Figure: Public Access FUS. User A, User B and User C use a public access computer running a generic Windows session; each user has his/her own SSOWatch instance and applications.]

Upon detection of a smart card or active RFID device, SSOWatch prompts the user for his/her PIN (smart card) or password (RFID). Once the user is authenticated, SSOWatch starts. When the device is removed, SSOWatch is closed. The Windows session can use a generic account that has no particular right of its own. To install and configure this FUS mode, see Section 2.4, Installing and Configuring Public Access FUS.

2.2 Configuring Hierarchized Access FUS


Quest provides hierarchized access Fast User Switching with Advanced Login. The functionality is managed from Enterprise SSO Console.

2.2.1 Activating Hierarchized Access FUS


Subject
You activate hierarchized access FUS from the user security profile, as explained in the following procedure.

Before Starting
Make sure Advanced Login is installed on the workstation you want to be used for Fast User Switching.
Make sure you have the following administration role:
- In classic administration mode: "Security object administrator".
- In advanced administration mode, your role must contain the following rights: "User security profile: Creation/Modification", "Application profile: Creation/Modification" and "Access point security profile: Creation/Modification".
For more details on administration roles, see Enterprise SSO Console Administrator Guide.

Procedure
1. In the Enterprise SSO Console, from the directory panel, click the user security profile that applies to users that will use the hierarchized Fast User Switching. Click the Unlocking tab. The Unlocking tab appears.
2. Fill in the tab as explained in the following Unlocking Tab Description section.

Unlocking Tab Description

TAB ELEMENT: DESCRIPTION
User level: Enter a user hierarchy level (0 is the lowest level, and 50000 is the highest). We recommend leaving a large interval between levels (for example 10, 20, 30 and so on), so that you can add sublevels in between if needed.
User can unlock sessions of users below level: Select this check box to allow a user to unlock a session locked by another user whose level is below the specified level.
User can close sessions of users below level: Select this check box to allow a user to close a session opened by another user whose level is below the specified level.

When a user tries to perform a FUS on a workstation, Enterprise SSO refers to the unlocking level before the closing level. For example, if the user level does not allow him/her to

2.2.2 Overriding the User "Unlocking Level" (Optional)


Subject
In the application security profile, you can define a different user level than the one specified in the user security profile. In this case, when a user launches an application that is associated with this application security profile, the user "unlocking level" is overridden with the level set in the application security profile (usually set to a higher level).

Procedure
1. In the Enterprise SSO Console, from the directory panel, click the application security profile that applies to applications for which you want to override the user unlocking level.
2. Click the Configuration/General tab. The General tab appears.
3. Select the "When application is used, set users unlocking level to:" check box and set the level number.
4. Click Apply.
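The following Python model is an added illustration (not Enterprise SSO code) of how the Unlocking tab settings of Section 2.2.1 and the application override of Section 2.2.2 combine into a single unlock/close/deny decision; it also covers the Shared Access FUS case of Section 2.3, where all users share one level and one Windows account. Assumptions, labelled in the code: a session may be unlocked or closed when its owner's level is below or equal to the actor's level (the wording of Sections 1.1.1 and 2.1.2.1); "unlocking level before closing level" means unlocking is tried first and closing only if unlocking is refused; the application override replaces the unlocking level only.

```python
from dataclasses import dataclass
from typing import Optional

LEVEL_MIN, LEVEL_MAX = 0, 50000   # range given in the Unlocking tab description


@dataclass(frozen=True)
class UserSecurityProfile:
    """Unlocking tab of a user security profile (Section 2.2.1)."""
    name: str
    level: int
    can_unlock_below: bool = False   # "User can unlock sessions of users below level"
    can_close_below: bool = False    # "User can close sessions of users below level"

    def __post_init__(self) -> None:
        if not LEVEL_MIN <= self.level <= LEVEL_MAX:
            raise ValueError(f"user level must be within {LEVEL_MIN}..{LEVEL_MAX}")


@dataclass(frozen=True)
class ApplicationSecurityProfile:
    """Configuration/General tab of an application security profile (Section 2.2.2)."""
    name: str
    override_unlocking_level: Optional[int] = None   # None: override not selected


@dataclass(frozen=True)
class LockedSession:
    """A Windows session locked by its owner on a computer with Advanced Login."""
    owner: str
    owner_level: int
    windows_account: str   # account that opened the session (Shared Access FUS)


def effective_unlocking_level(actor: UserSecurityProfile,
                              running_app: Optional[ApplicationSecurityProfile]) -> int:
    """While an application with an override is used, the actor's unlocking level
    is replaced by the level set in the application security profile."""
    if running_app is not None and running_app.override_unlocking_level is not None:
        return running_app.override_unlocking_level
    return actor.level


def fus_decision(actor: UserSecurityProfile, actor_windows_account: str,
                 session: LockedSession,
                 running_app: Optional[ApplicationSecurityProfile] = None,
                 same_windows_credential_only: bool = False) -> str:
    """Decide what `actor` may do with `session`: "unlock", "close" or "deny".

    `same_windows_credential_only` models the access point option
    "Only allow unlocking with the same windows credential" (Section 2.3.3)."""
    if actor.name == session.owner:
        return "unlock"   # the owner comes back and finds his/her applications open
    if same_windows_credential_only and actor_windows_account != session.windows_account:
        return "deny"     # workstation reserved for users sharing the Windows account
    # Unlocking level is consulted before closing level (Unlocking Tab Description).
    # Assumed: "below" includes equality, as Sections 1.1.1 and 2.1.2.1 state.
    if actor.can_unlock_below and session.owner_level <= effective_unlocking_level(actor, running_app):
        return "unlock"
    # Assumed: the application override does not alter the closing level.
    if actor.can_close_below and session.owner_level <= actor.level:
        return "close"
    return "deny"


if __name__ == "__main__":
    # Constructed sample data: a retail store with a manager, a clerk and a trainee.
    manager = UserSecurityProfile("manager", 30, True, True)
    clerk = UserSecurityProfile("clerk", 20, True, True)
    trainee = UserSecurityProfile("trainee", 10, True, False)
    locked = LockedSession("clerk", 20, "STORE\\clerk")
    for who, account in ((manager, "STORE\\manager"), (trainee, "STORE\\trainee")):
        print(who.name, "->", fus_decision(who, account, locked))
    orders = ApplicationSecurityProfile("orders", override_unlocking_level=25)
    print("trainee running 'orders' ->", fus_decision(trainee, "STORE\\trainee", locked, orders))
```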

2.3 Configuring Shared Access FUS


The shared access FUS is used when no hierarchy can be set between employees that need to access a workstation.

2.3.1 Activating FUS for Shared Access FUS Users


To configure shared access FUS, you must first allow users to use the FUS function. For that, you must authorize them to unlock and close the session of other users and assign them a level (the same for all users) through the Unlocking tab of the user security profiles, as explained in Section 2.2.1, Activating Hierarchized Access FUS.


2.3.2 Associating Users with a Shared Windows Account


Subject
In shared access FUS, all users who need to access the same workstation have in their account list the one that has opened the session. The easiest way to configure this is to gather these users in a group of users. The following procedure explains how to associate a group of users with a shared Windows account.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator".
- In advanced administration mode, your role must contain the following right: "Application: Creation/Modification".

Procedure
1. In the Enterprise SSO Console, from the directory panel, right-click the Organizational Unit that must contain your Application and select New/Template-based Application/Windows. The Windows Application window appears.
2. Fill in the window by typing the application name and Windows domain.
3. In the group of users that you want to make share the same Windows account, add the application and define it as shared, as follows:
   a) Click the group of users and select the Application Access tab. The Application Access tab appears.
   b) In the Application Access tab, add the application you have just created, and set the Account type to Shared.
4. In the group of users, assign an owner for the application, as follows:
   a) Click the group of users and select the Accounts tab. The Accounts tab appears.
   b) Click the application and click the Properties button. The Account Properties window appears.
   c) In the SSO Data tab, create credentials for the account.
   d) In the Ownership tab, you can assign an owner for the account. In this case, this owner becomes the only user authorized to modify the account password.

Enterprise SSO allows you to manage password modification of a shared application account: if you do not set ownership, all users who are part of the group of users sharing the same application account are authorized to modify the shared account password. The other users automatically retrieve the new password.

2.3.3 Activating Shared Access FUS on Dedicated Access Points (Optional)


Subject
By default, FUS is authorized on all access points, without need of any configuration. This section explains how to reserve some workstations only for shared access FUS users. The configured workstations will only be accessible to shared access FUS users.

Procedure
1. In the Enterprise SSO Console, from the directory panel, click the access point security profile that applies to computers reserved for shared access FUS users.
2. Click the Configuration/Advanced Login tab. The Advanced Login tab appears.
3. Select the Only allow unlocking with the same windows credential check box.
4. Click Apply.

2.4 Installing and Configuring Public Access FUS


Subject
Quest provides Fast User Switching at the session level (SSOFUS) with SSOWatch, with the "Kiosk mode" extra license. The process listens for incoming events from activated authentication devices. These devices are:
- Smart cards managed from Quest.
- Smart cards managed externally for which the PKA authentication is activated in Quest.
- Active RFID device.

In this FUS mode, the Windows session is the same for all users: the Windows session used is the one of the first user who has opened a Windows session on the workstation, and users use their authentication device to access their own SSO context and applications. To avoid running under the first user's Windows session, you can set a generic Windows account that has no particular right of its own, to keep the Windows session open for all users, as explained in the following procedure.

Before Starting
- Make sure you have the "Kiosk mode" license key.
- If it is not already set up on your workstation, install Microsoft Redistributables: open the Administration Tools interface (see steps 1 to 4 of the following procedure) and click Install Microsoft Redistributables.
- Make sure Advanced Login is not installed on the workstation.

Procedure
1. Log on as system administrator and install the FUS option with SSOWatch as follows:
   - If you use Ready-To-Go SSO Edition or the Enterprise SSO Quick installation: during the Client installation, select the Public access authentication mode in the client module selection wizard window. For more details on Enterprise SSO quick installation, see Enterprise SSO Quick Installation and Start Guide.
   - If you use the Enterprise SSO advanced installation: during SSOWatch installation, select the Fast User Switching option in the Select Feature wizard window. For more details on E-SSO advanced installation, see Enterprise SSO Advanced Installation and Configuration Guide.
2. If you want to set a generic logon, activate AutoLogon on the workstation as explained in the following web page: http://support.microsoft.com/?scid=kb%3Ben-us%3B315231&x=10&y=13 (URL valid in September 2009).

2.5 Configuring Application Closing


Subject
When a user locks a session (for Hierarchized and Shared Access FUS) or withdraws his/her device (for Public Access FUS), SSOWatch is closed but the user's running applications remain open. To force SSOWatch to automatically close the user's applications before switching context, you must write a DLL. SSOWatch can execute the DLL code at session locking, session unlocking, SSOWatch starting and SSOWatch closing.

Functions
The functions that can be called by SSOWatch are:
- "OnSessionLocked": at session locking.
- "OnSessionUnLocked": at session unlocking.
- "EngineStarted": at SSOWatch start.
- "EngineStopped": at SSOWatch stop.

Function Format
The functions must be written according to the following format:

    /* Parameters passed by SSOWatch to each exported function */
    typedef struct _CUSTOMPARAMETERS
    {
        LPCSTR szUser;   /* user concerned by the event */
    } CUSTOMPARAMETERS, *PCUSTOMPARAMETERS;

    /* Called at session locking */
    BOOL APIENTRY OnSessionLocked(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
    {
        return TRUE;
    }

    /* Called at session unlocking */
    BOOL APIENTRY OnSessionUnLocked(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
    {
        return TRUE;
    }

    /* Called at SSOWatch start */
    BOOL APIENTRY EngineStarted(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
    {
        return TRUE;
    }

    /* Called at SSOWatch stop */
    BOOL APIENTRY EngineStopped(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
    {
        return TRUE;
    }

DLL location
Define the location in a string value of the registry under HKLM\Software\Enatel\SSOWatch\ExternalCall.
Example: CustomDllName (name of the registry key): C:\SSO\MyDll.dll

3. The Roaming Session Mode


3.1 Roaming Session Mode: Overview and Use
Definition
The roaming session mode allows users to open a session (using Enterprise SSO Advanced Login) on one or several computers with their physical authentication token, without having to type a secret, during a defined period of time.

Mechanism Description
[Figure: roaming session mechanism. The administrator configures roaming sessions from the E-SSO Console (1). The user performs a first authentication (login/password, smart card + PIN, RFID + password, or biometry + login); the E-SSO Controller creates the roaming session and stores it in the directory, in the user object. Later, the user presents the physical token only (no secret) and the roaming session is retrieved from the directory for authentication.]

1. The administrator configures the roaming session mode on appropriate access points, and for a number of users for a defined duration.
2. A user authenticates on a computer on which the roaming session mode is available, whatever the authentication method is (login/password, smart card, active or passive RFID device, and biometry). This automatically creates a roaming session in the Enterprise SSO Controller. If no Enterprise SSO Controller is available, the roaming session is not created.
3. When the computer (on which the roaming session mode is activated) detects a physical authentication token (smart card, active or passive RFID), the roaming session is retrieved from the Enterprise SSO Controller and the user is authenticated without having to type the secret associated with the token. The session duration time is displayed to the user in a task bar balloon help.

If the roaming session expires when it is open on a computer, or if the user password expires or is changed, the session remains open, but the user will have to authenticate at next session opening.

Prerequisites
Make sure you have the "Kiosk mode" license key.
If users authenticate with a smart card for the roaming session, the smart card must meet the following requirements:
- The smart card configuration must allow the owner name to be read without typing the PIN.
- The smart card contains only one account.
- No SSO account is stored on the smart card.

Restriction
In a roaming session, users cannot change their password or PIN with Advanced Login.

3.2 Configuring the Roaming Session Mode


Subject
To make the roaming session mode available, you must activate it for the concerned users, and on appropriate access points, as explained in the following sections.

Before Starting
To perform the tasks described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator".
- In advanced administration mode, your role must contain the following rights: "User security profile: Creation/Modification" and "Access point security profile: Creation/Modification".


3.2.1 Activating the Roaming Session Mode for Users


Subject
You must activate the roaming session mode in the user security profile. For users associated with this profile, a roaming session will be automatically created after they have authenticated themselves with Advanced Login on a computer that authorizes roaming sessions.

Procedure
1. In the Enterprise SSO Console, from the directory panel, click the user security profile that applies to users that will use the roaming session mode.
2. Click the Security tab. The Security tab appears.
3. Select the Roaming session duration check box and define the number of hours you want the session to be active (the roaming session is created as soon as the user authenticates on an authorized access point, and the session duration time starts from that moment).
   If you change the duration time in the Roaming session duration field once the roaming session has started, the new value will only be taken into account once the session in progress has expired.
4. Click Apply.
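As an added illustration (not Enterprise SSO code), the following Python model walks through the roaming session lifecycle described in Section 3.1 and the duration rule of Section 3.2.1: creation on a secret-based authentication, retrieval on token presentation without a secret, expiry, invalidation on password change, the "new duration only after the current session expires" rule, and deletion as in Section 3.3. Assumed simplifications, labelled in the code: the Controller keeps one in-memory session per user, and a password change is detected by comparing a `password_changed_at` timestamp that the model adds to the user profile.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass(frozen=True)
class UserSecurityProfile:
    """Security tab of a user security profile (Section 3.2.1)."""
    roaming_session_hours: Optional[int]   # None: "Roaming session duration" not selected
    password_changed_at: datetime          # assumed field, used to detect a password change


@dataclass(frozen=True)
class AccessPointSecurityProfile:
    """Advanced Login tab of an access point security profile (Section 3.2.2)."""
    allow_roaming_session: bool


@dataclass
class RoamingSession:
    user: str
    created_at: datetime
    expires_at: datetime
    password_version: datetime   # profile.password_changed_at when the session was created


class Controller:
    """Model of the roaming sessions held by the Enterprise SSO Controller (assumed in-memory)."""

    def __init__(self, available: bool = True) -> None:
        self.available = available           # "If no Enterprise SSO Controller is available..."
        self.sessions: Dict[str, RoamingSession] = {}

    def _valid(self, user: str, profile: UserSecurityProfile,
               now: datetime) -> Optional[RoamingSession]:
        """A session is usable until it expires or until the user's password changes."""
        s = self.sessions.get(user)
        if s is None or s.expires_at <= now or s.password_version != profile.password_changed_at:
            return None
        return s

    def first_authentication(self, user: str, profile: UserSecurityProfile,
                             access_point: AccessPointSecurityProfile,
                             now: datetime) -> Optional[RoamingSession]:
        """Step 2 of Section 3.1: a secret-based authentication on an access point that allows
        roaming sessions creates the session for a user whose profile defines a duration."""
        if not self.available or not access_point.allow_roaming_session:
            return None
        if profile.roaming_session_hours is None:
            return None
        existing = self._valid(user, profile, now)
        if existing is not None:
            # Section 3.2.1: a changed duration only applies once the session in progress
            # has expired, so an unexpired session is kept as it is (assumed model).
            return existing
        session = RoamingSession(user, now,
                                 now + timedelta(hours=profile.roaming_session_hours),
                                 profile.password_changed_at)
        self.sessions[user] = session
        return session

    def token_authentication(self, user: str, profile: UserSecurityProfile,
                             access_point: AccessPointSecurityProfile, now: datetime) -> str:
        """Step 3 of Section 3.1: a physical token is presented. Returns "roaming" when the
        session is retrieved and no secret is required, "secret_required" otherwise."""
        if not self.available or not access_point.allow_roaming_session:
            return "secret_required"
        return "roaming" if self._valid(user, profile, now) is not None else "secret_required"

    def time_left(self, user: str, now: datetime) -> timedelta:
        """Duration shown in the balloon help (3.1) and in the Authentication tab (3.3.1)."""
        s = self.sessions.get(user)
        if s is None or s.expires_at <= now:
            return timedelta(0)
        return s.expires_at - now

    def delete_session(self, user: str) -> bool:
        """Sections 3.3.1 and 3.3.2: the open Windows session is untouched; the next session
        opening requires the secret again. Returns False when there was nothing to delete."""
        return self.sessions.pop(user, None) is not None
```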


3.2.2 Activating the Roaming Session Mode on Computers


Subject
You must activate the roaming session mode in the access point security profile. For computers associated with this profile:
- A roaming session is automatically created when authorized users authenticate on these computers.
- The roaming session is automatically retrieved when an authorized user presents a physical authentication token; this automatically opens the user session if it exists.

To optimize the session opening time, we recommend allowing the roaming session mode only on access points that will actually use it.

Procedure
1. In the Enterprise SSO Console, from the directory panel, click the access point security profile that applies to computers on which activating the roaming session mode is necessary.
2. Click the Advanced Login tab. The Advanced Login tab appears.
3. Select the Allow roaming session check box.
4. Click Apply.

3.3 Administering Users Roaming Sessions


From the Enterprise SSO Console, you can display information on users' roaming session duration, and decide to delete it for a selected user: see Section 3.3.1, Administering Users Roaming Sessions from the Enterprise SSO Console. From his/her workstation, the user can also display information on his/her own roaming session duration, and also delete it: see Section 3.3.2, Administering Current Roaming Session from the Users Workstation.

3.3.1 Administering Users Roaming Sessions from the Enterprise SSO Console
Subject
You can see information on user roaming sessions from the Enterprise SSO Console, as explained in the following procedure. You can also decide to delete a roaming session: the current user session remains open, but the user is forced to authenticate again at the next session opening. Deleting the roaming session is the way to invalidate it when a user has lost his/her token, so that whoever finds the token cannot reopen the session with it.

Before Starting
To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Roaming: Delete users sessions".
For more information on administration modes, see Enterprise SSO Console Administrator Guide.

Procedure
1. In the Enterprise SSO Console, from the directory panel, click the user for whom you want to display the roaming session information.
2. Click the Connection/Authentication tab.
The Authentication tab appears. It displays the roaming session duration time left for the selected user.


3. To delete the displayed roaming session, click the Delete roaming session button.
The current user session remains open on the computer, but he/she will have to authenticate again at the next session opening.

3.3.2 Administering Current Roaming Session from the Users Workstation


Subject
From his/her workstation, a user can administer his/her own roaming session: he/she can decide to delete the roaming session. In this case, the current user session remains open. The functionality described in this section is not available if the user has authenticated with his/her password or with biometrics.

Procedure
1. On the workstation, in the notification area, right-click the credential manager icon and click Roaming Session.
The following window appears; it displays the roaming session duration time left.


2. To delete the roaming session, click Terminate.
The current user session remains open.


4. The Cluster Mode


4.1 Cluster Mode Overview

Definitions
A cluster of access points is a set of computers on which the Windows sessions are synchronized by Enterprise SSO. Operations that a user performs on the Windows session (opening, closing, locking, unlocking) of a computer that belongs to the cluster are automatically and simultaneously performed on all the other computers that form the cluster, as illustrated in the following figure:

[Figure: Session Opening and Session Locking. The operation performed on the Master computer is propagated to each Slave computer of the cluster.]

The number of workstations you can include in a cluster is not limited. In a cluster of access points, the computer on which the user performs an action is called the master computer. The same action is simultaneously performed on the other computers of the cluster, called slaves.
An Enterprise SSO Controller does not work in Cluster mode.


Mechanism Description
When a user performs an operation (opening, closing, locking, unlocking) on a computer, this computer becomes the master computer and periodically informs the slave computers of the operation performed. The slave computers adjust their own session state according to these notifications, as described below.

Session Opening/Session Unlocking
When a user opens a session on a computer of the cluster, sessions open on all the other computers of the cluster with the same user account.
If a slave computer is not reachable when the session is opened on the master computer, the session opening is performed on this slave computer as soon as the network is restored.
If a slave computer restarts, and the last operation performed on the master computer is a session opening, a session is opened on this slave computer as soon as it is available.
If the session of a slave computer is locked by another user, the session is unlocked (switched to the new user) only if the Fast User Switching (FUS) option is activated for the user (see Section 2, The Fast User Switching (FUS) Function). If a user performs a FUS on a computer, all the other computers of the cluster perform the FUS.
If an "Excluded Account" opens a session on a computer that is part of the cluster, this computer is automatically excluded from the cluster. For more information on excluded accounts, see Enterprise SSO Console Administrator Guide.

Session Locking
When a computer is locked, all the other computers are locked according to their defined lock mode (see Section 4.2, Creating and Configuring a Cluster of Access Points).
If a slave computer with an open session does not receive any information from the master for a period of 30 seconds, it is automatically locked according to its defined lock mode (see Section 4.2, Creating and Configuring a Cluster of Access Points). This is the safety net for a master that goes offline or is disconnected from the network: the slaves do not stay open indefinitely without a master.

Session Closing
When the user closes the session on a computer, the sessions on all the other computers of the cluster are closed.
A slave computer accepts an order from the master computer only if the order is compatible with its current session. For example, if a user locks a computer session while all the other cluster computer sessions are closed, these sessions remain closed.

Screensaver
When a computer screensaver is activated, the computer is not locked. It becomes locked at the end of the screensaver period: it then becomes the master and locks all the computers of the cluster. You must configure the screensaver according to the wanted computer behavior.
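The rules above (orders are replayed on slaves, an order is applied only if it is compatible with the slave's current session, and a slave with an open session that hears nothing from the master for 30 seconds falls back to its configured lock mode) can be written down as a small state machine. The following model is an added example for this guide, not code from Quest/Evidian or from the product: the message names (heartbeat, open, lock, close), the heartbeat mechanism and every timing other than the 30-second limit are assumptions made for illustration, and the scenario at the end uses constructed events.

```python
"""Model of a cluster slave's reaction to master orders and master silence.

Added illustration of the cluster mode rules described in the guide; not
product code. Message names and the heartbeat scheme are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

HEARTBEAT_TIMEOUT_S = 30.0  # from the guide: 30 s without news from the master


class LockMode(Enum):
    DO_NOTHING = "Do nothing"
    LOCK_INPUT = "Lock keyboard and mouse"
    LOCK_SESSION = "Lock session"  # default value in the console


class State(Enum):
    CLOSED = "closed"
    OPEN = "open"
    LOCKED = "locked"
    INPUT_LOCKED = "input locked"


@dataclass
class Slave:
    name: str
    lock_mode: LockMode = LockMode.LOCK_SESSION
    state: State = State.CLOSED
    user: Optional[str] = None
    in_cluster: bool = True
    last_heard: float = 0.0
    history: List[str] = field(default_factory=list)

    def _lock(self, reason: str) -> None:
        """Apply the configured lock mode; only an open session can be locked."""
        if self.state is not State.OPEN:
            return  # a closed session cannot be locked: order is incompatible
        if self.lock_mode is LockMode.LOCK_SESSION:
            self.state = State.LOCKED
        elif self.lock_mode is LockMode.LOCK_INPUT:
            self.state = State.INPUT_LOCKED
        self.history.append(f"{self.name}: {reason} -> {self.state.value}")

    def receive(self, order: str, now: float, user: Optional[str] = None,
                fus_allowed: bool = False) -> State:
        """Handle one message from the master (assumed names: heartbeat/open/lock/close)."""
        if not self.in_cluster:
            return self.state  # withdrawn or excluded: ignore the master
        self.last_heard = now
        if order == "open":  # covers session opening and unlocking
            if self.state is State.CLOSED:
                self.state, self.user = State.OPEN, user
            elif self.state in (State.LOCKED, State.INPUT_LOCKED):
                if self.user == user or fus_allowed:  # another user needs FUS
                    self.state, self.user = State.OPEN, user
            elif self.state is State.OPEN and self.user != user and fus_allowed:
                self.user = user  # the master performed a FUS; follow it
        elif order == "lock":
            self._lock("lock order from master")
        elif order == "close":
            self.state, self.user = State.CLOSED, None
        elif order != "heartbeat":
            raise ValueError(f"unknown order {order!r}")
        return self.state

    def tick(self, now: float) -> State:
        """Periodic timer: enforce the 30 s master-silence rule."""
        if self.state is State.OPEN and now - self.last_heard > HEARTBEAT_TIMEOUT_S:
            self._lock("no order from master for more than 30 s")
        return self.state

    def local_logon(self, user: str, excluded_accounts) -> bool:
        """A logon typed on this computer; an excluded account drops it from the cluster."""
        if user in excluded_accounts:
            self.in_cluster = False
        self.state, self.user = State.OPEN, user
        return self.in_cluster


def scenario() -> Dict[str, State]:
    """Constructed walk-through of the documented cases; returns the observed states."""
    s = Slave("kiosk-02")
    out = {}
    out["lock_while_closed"] = s.receive("lock", now=0)      # incompatible: stays closed
    out["open_alice"] = s.receive("open", now=1, user="alice")
    out["still_open_at_21s"] = s.tick(now=21)                # 20 s of silence: fine
    out["locked_at_32s"] = s.tick(now=32)                    # 31 s of silence: lock mode
    out["bob_without_fus"] = s.receive("open", now=33, user="bob")
    out["bob_with_fus"] = s.receive("open", now=34, user="bob", fus_allowed=True)
    out["closed"] = s.receive("close", now=35)
    quiet = Slave("kiosk-03", lock_mode=LockMode.DO_NOTHING)
    quiet.receive("open", now=0, user="alice")
    out["do_nothing_at_40s"] = quiet.tick(now=40)            # never locks by itself
    return out


if __name__ == "__main__":
    for step, state in scenario().items():
        print(f"{step:>20}: {state.value}")
```

The scenario shows the two points a practitioner most often misreads: a lock order sent while the slave session is closed is simply dropped, and the 30-second timeout only protects slaves whose lock mode is not "Do nothing".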


4.2 Creating and Configuring a Cluster of Access Points


Subject
You create and configure the cluster mode from the Enterprise SSO Console, as explained in the following procedure.

Before Starting
To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Cluster: Creation/Modification".
For more information on administration modes, see Enterprise SSO Console Administrator Guide.

Before creating the cluster, check the following points:
- None of the computers you want to place in the cluster is an Enterprise SSO Controller.
- All the computers you want to gather in a cluster are connected to each other, and configured according to your needs (automatic screen-saver launching, locking).
- DNS resolution works properly, so that orders sent from the master can be transmitted to the slaves.
- Port 3644 is open on all the computers you want to gather in a cluster.
- Enterprise SSO is configured in "manage-access-point" mode.
- The following license keys are installed on the Enterprise SSO Controller and on the Enterprise SSO Clients: "Cluster mode" and "Audit and advanced security".
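Three of the prerequisites above (DNS resolution, port 3644 reachable, no Enterprise SSO Controller among the members) can be verified from an administration workstation before the cluster object is created. The following script is an added example, not a tool shipped with Enterprise SSO: it uses ordinary DNS and TCP socket calls (not a product API), and the host names, the list of Controllers and the connection timeout are assumptions. The `demo()` function feeds the check with constructed fakes so that it runs offline; replace them with the real resolver and connector for a live check.

```python
"""Pre-flight check for cluster-of-access-points prerequisites.

Added example for this guide; not Quest/Evidian code. It checks, for each
candidate host: DNS resolution, TCP reachability of port 3644 and absence
from the (assumed, administrator-maintained) list of Enterprise SSO Controllers.
"""
import socket
from typing import Callable, Dict, Iterable, List

CLUSTER_PORT = 3644  # from the guide: must be open on every cluster member


def resolve(host: str) -> str:
    """Real DNS lookup; raises OSError (socket.gaierror) when the name does not resolve."""
    return socket.gethostbyname(host)


def tcp_open(addr: str, port: int, timeout: float = 2.0) -> bool:
    """Real TCP probe: True if a connection to addr:port succeeds within the timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_cluster_prereqs(hosts: Iterable[str], controllers: Iterable[str],
                          resolver: Callable[[str], str] = resolve,
                          connector: Callable[..., bool] = tcp_open) -> Dict[str, List[str]]:
    """Return {host: [problems]}; an empty problem list means the host is eligible."""
    controller_names = {c.lower() for c in controllers}
    report: Dict[str, List[str]] = {}
    for host in hosts:
        problems: List[str] = []
        if host.lower() in controller_names:
            problems.append("is an Enterprise SSO Controller; Controllers cannot be cluster members")
        try:
            addr = resolver(host)
        except OSError as exc:
            problems.append(f"DNS resolution failed: {exc}")
            report[host] = problems
            continue  # no address to probe
        if not connector(addr, CLUSTER_PORT):
            problems.append(f"TCP port {CLUSTER_PORT} is not reachable at {addr}")
        report[host] = problems
    return report


def eligible(report: Dict[str, List[str]]) -> List[str]:
    """Hosts that passed every check, sorted by name."""
    return sorted(host for host, problems in report.items() if not problems)


def demo() -> Dict[str, List[str]]:
    """Run the check against constructed fakes (assumed names and addresses) so it works offline."""
    fake_dns = {"kiosk-01": "10.0.0.11", "kiosk-02": "10.0.0.12", "esso-ctrl": "10.0.0.5"}

    def fake_resolve(host: str) -> str:
        if host in fake_dns:
            return fake_dns[host]
        raise OSError(f"no DNS record for {host}")

    def fake_connect(addr: str, port: int, timeout: float = 2.0) -> bool:
        return port == CLUSTER_PORT and addr in {"10.0.0.11", "10.0.0.5"}

    return check_cluster_prereqs(["kiosk-01", "kiosk-02", "kiosk-03", "esso-ctrl"],
                                 controllers=["esso-ctrl"],
                                 resolver=fake_resolve, connector=fake_connect)


if __name__ == "__main__":
    result = demo()
    for host, problems in result.items():
        print(host, "OK" if not problems else "; ".join(problems))
    print("eligible:", eligible(result))
```

Run it from a workstation on the same network as the candidate access points; a host that fails the port check usually has a local firewall rule blocking 3644 rather than a DNS problem, which the report distinguishes.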

Procedure
1. In the Enterprise SSO Console, in the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Cluster of access points and select New\Cluster of access points.
The Configuration tab appears.
2. Fill in the Name field.
3. Click the Add button to select the access points you want to add to the cluster. Use the Browse tab to browse the directory tree structure, or use the Search tab to find the access point by typing its name.
4. Define the cluster properties as explained in the following Configuration Tab Description section.
5. Click Apply.
The Cluster object is created and configured.


Configuration Tab Description

Allow users to temporarily withdraw a computer from the cluster check box
If this check box is selected, users allowed to access one of the cluster computers can temporarily exclude a computer from the cluster, from the SSOWatch application module: see Section 4.6, Removing Temporarily an Access Point From the Cluster for more details.

Option button
Gives access to the Cluster Lock Mode window. For each computer of the cluster, this button allows you to define its behavior as a slave in the following cases:
- When it receives a locking order from the master computer.
- When it does not receive any order from the master for more than 30 seconds.


The behavior selected here only applies when the computer is a slave.
- Do nothing: the selected computer is not locked.
- Lock keyboard and mouse: the selected computer is not locked, but the keyboard and mouse are disabled. Pressing Ctrl+Alt+Del on this computer unlocks it.
- Lock session (default value): the selected computer is locked.

Remove button
Removes the selected computer from the cluster.

Add button
Allows you to select the access points you want to add to the cluster. The Browse tab allows you to browse the directory tree structure, and the Search tab allows you to find the access point by typing its name.

4.3 Displaying Cluster Event Logs (Events Tab)


Subject
The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both user action and administration log entries.

Restriction
The Events tab appears only if you have at least the following administration role:
- In classic administration mode: "Auditor".
- In advanced administration mode: your role must contain the following right: "Audit: Visualization".
For more details on administration roles, see Enterprise SSO Console Administrator Guide.

Procedure
1. In the tree structure of the Directory panel, select the wanted Cluster.
2. Click the Events tab.
The Events tab appears.
3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Enterprise SSO Console Administrator Guide).


4.4 Renaming Clusters


Subject
This section describes how to rename a Cluster.

Before Starting
To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Cluster: Creation/Modification".
For more information on administration modes, see Enterprise SSO Console Administrator Guide.

Procedure
1. In the tree structure of the Directory panel, right-click the Cluster and select Rename.
2. In the Configuration tab, type the new name of the object and press Enter.

4.5 Deleting Clusters


Subject
This section describes how to delete Clusters.

Before Starting
To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Cluster: Deletion".
For more details on administration roles, see Enterprise SSO Console Administrator Guide.

Procedure
In the tree structure of the Directory panel, right-click the Cluster to delete and select Delete.
The Cluster is deleted.


4.6 Removing Temporarily an Access Point From the Cluster


Subject
From his/her workstation, a user can temporarily remove a computer from the cluster. This can be useful for maintenance operations: the PC can be rebooted independently from the others.

Before Starting
This functionality is only available to the user if it has been activated from the Enterprise SSO Console (see Section 4.2, Creating and Configuring a Cluster of Access Points).

Procedure
1. On the workstation, in the notification area, right-click the SSOWatch icon.
The SSOWatch pop-up menu appears.
2. Select Deactivate cluster mode.
The workstation is excluded from the cluster. It remains excluded even when you restart the computer.
3. To include the computer in the cluster again, click Activate cluster mode.


About Quest Software, Inc.


Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products, helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

Contacting Quest Software


Phone: 949.754.8000 (United States and Canada)
Email: info@quest.com
Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
Web site: www.quest.com
Please refer to our Web site for regional and international office information.

Contacting Quest Support


Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com/
From SupportLink, you can do the following:
- Retrieve thousands of solutions from our online Knowledgebase
- Download the latest releases and service packs
- Create, update and review Support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com.
