DigitalPersona Pro for Active Directory
Administrator Guide
DigitalPersona®Pro
for Active Directory
Version 4.0
DigitalPersona, Inc.
© 2006 DigitalPersona, Inc. All Rights Reserved.
All intellectual property rights in the DigitalPersona software, firmware,
hardware and documentation included with or described in this guide are owned
by DigitalPersona or its suppliers and are protected by United States copyright
laws, other applicable copyright laws, and international treaty provisions.
DigitalPersona and its suppliers retain all rights not expressly granted.
U.are.U®, DigitalPersona® and One Touch® are trademarks of DigitalPersona,
Inc. registered in the United States and other countries.
Windows, Windows 2000, Windows 2003 and Windows XP are registered
trademarks of Microsoft Corporation. All other trademarks are the property of
their respective owners.
This DigitalPersona Pro for Active Directory Administrator Guide and the
software it describes are furnished under license as set forth in the “License
Agreement” screen that is shown during the installation process.
Except as permitted by such license, no part of this document may be
reproduced, stored, transmitted and translated, in any form and by any means,
without the prior written consent of DigitalPersona. The contents of this manual
are furnished for informational use only and are subject to change without
notice. Any mention of third-party companies and products is for demonstration
purposes only and constitutes neither an endorsement nor a recommendation.
DigitalPersona assumes no responsibility with regard to the performance or use
of these third-party products. DigitalPersona makes every effort to ensure the
accuracy of its documentation and assumes no responsibility or liability for any
errors or inaccuracies that may appear in it. This document is subject to the
DigitalPersona LIMITED WARRANTY and other general provisions set forth
in the Appendix of this manual.
Should you have any questions concerning this document, or if you need to
contact DigitalPersona for any other reason, write to:
DigitalPersona, Inc.
720 Bay Road
Suite 100
Redwood City, CA 94063
USA
Table of Contents

Part One: Overview
1 Introduction ... 2
  Chapter Overview ... 3
  Conventions ... 5
  Recommended Skill Set ... 7
  Support Resources ... 8
  Your Feedback is Requested ... 8
2 Key Concepts & Terminology ... 9
  Concepts ... 9
  Terminology ... 14
3 Product Overview ... 18
  DigitalPersona Pro for Active Directory ... 18
  Product Components and Modules ... 19
  DigitalPersona Pro Server ... 20
  DigitalPersona Pro Workstation ... 21
  Fingerprint Readers ... 22
  Administration Tools ... 23
  Extended Server Policy Module ... 24
  System Requirements ... 25
  Product Compatibility ... 26
  Related Products ... 26

Part Two: Deployment & Installation
4 Deploying DigitalPersona Pro Server ... 29
  Deployment Overview ... 29
  Upgrading from Previous Versions ... 29
  Install DigitalPersona Pro Server ... 35
  Install the Administrative Templates ... 36
  Install Templates to Active Directory ... 39
  Install Workstation Template Locally ... 41
  Changes Made During Installation ... 42
  DNS Registration ... 44
  Uninstalling DigitalPersona Pro Server ... 46
5 Installing DigitalPersona Pro Workstation ... 47
  System Requirements ... 47
  Local installation from the product CD ... 48
  Remote Installation ... 51
  Command Line Installation ... 52
  Uninstalling DigitalPersona Pro Workstation ... 54
  Customizing a DigitalPersona Pro Workstation Installation ... 54
DigitalPersona Pro for Active Directory Administrator Guide
iii
Table of Contents
Part Three: Administration
6 Configuring Policies and Settings ... 56
  About DigitalPersona Pro Settings ... 56
  DigitalPersona Pro Policies and Settings ... 58
  Event Logging ... 59
  BAS Locator DNS Records ... 60
  Fingerprint Verification Lockout ... 64
  Fingerprint Recognition ... 65
  Workstation Only ... 67
  Workstation Properties ... 70
  One Touch SignOn ... 71
  User Properties ... 71
7 User Properties ... 72
  Basic User Properties ... 72
  Extended User Policies ... 74
  Unlocking Accounts after Failed Logon Attempts ... 75
  Deleting User Credentials using the ADSI Edit Tool ... 76
8 DigitalPersona Pro Events ... 77
  Auditing Using the Windows Event Viewer ... 77
  Event Log Specifications ... 79
  Computer Environment ... 79
  General Secret Management ... 80
  Fingerprint/Credentials Management ... 80
  Fingerprint/Credentials Management ... 81
  User Management ... 81
  Logon/Lock ... 82
  DNS Registration ... 82
  One Touch SignOn ... 83
9 Administration Tools ... 84
  Overview ... 84
  License Control Manager ... 86
  Overview ... 86
  Connecting to a domain ... 86
  Getting License Information ... 87
  Reviewing and installing license files ... 88
  Viewing license details ... 88
  Viewing UAL Summary Information ... 89
  Uninstalling licenses ... 89
  Attended Fingerprint Registration ... 90
  Assigning Registration Permissions ... 90
  Single User ... 90
  Organizational Unit or Domain ... 91
  One Touch SignOn Administration Tool ... 92
  Overview ... 92
  Installing the OTS Administration Tool ... 93
  Setting up OTS ... 93
  Creating OTS Templates ... 97
  Creating Change Password Screen Templates ... 111
  Managing Containers ... 121
  Managing Templates ... 122
  One Touch SignOn Settings ... 127
  Logging On with One Touch SignOn ... 129
  Changing Passwords with One Touch SignOn ... 130
  User Query Tool ... 131
  Cleanup Wizard ... 136
10 DigitalPersona Pro Workstation ... 138
  Features Overview ... 139
  One Touch Menu ... 141
  Reader Icon and Menu ... 143
  Fingerprint Reader Visual Cues ... 145
  Fingerprint Registration ... 147
  One Touch Logon ... 151
  Using Fingerprint PINs ... 155
  Using Smart Cards for Logon ... 157
  One Touch Features ... 158
  One Touch Internet ... 159
  Logging On to Web Sites and Programs ... 160
  Creating Fingerprint Logons ... 161
  DigitalPersona Pro Workstation Properties ... 165
  Deleting Registered Fingerprints ... 167
  Changing Your Windows Password ... 168
  Fingerprint Reader Usage and Maintenance ... 169

Part Four: Appendices
11 Planning & Deployment ... 172
  Overview ... 172
  Planning ... 174
  Deployment ... 181
  Deployment Plan Checklist ... 185
12 DigitalPersona Pro Settings ... 187
13 Troubleshooting ... 191
  Reader Troubleshooting ... 191
  One Touch Programs Troubleshooting ... 194
  Installation Troubleshooting ... 195
14 Customizing Pro Workstation ... 196
  One Touch Menu Content ... 196
  Quick Actions ... 197
15 Installing High Encryption ... 198
16 Warranties, Provisions & Regulatory Information ... 199
  Warranties ... 199
  General Provisions ... 201
  Regulatory Information ... 202
17 Index ... 204
Part One: Overview
Part One of the DigitalPersona Pro for AD Administrator Guide includes the
following chapters:
Introduction (page 2): Provides an overview of each chapter in the
Administrator Guide and other information that will help make your use of the
guide more effective.
Key Concepts & Terminology (page 9): Defines and describes important concepts
and terms that you need to be familiar with to understand the features and
functions of DigitalPersona Pro for AD.
Product Overview (page 18): Describes each component of DigitalPersona Pro for
AD and explains the authentication process.
1 Introduction
The DigitalPersona® Pro for Active Directory Administrator Guide is your
comprehensive resource for information about DigitalPersona Pro for Active
Directory.
The Guide includes a Product Overview which describes the features and
functionality of each component, an explanation of Key Concepts and
Terminology, specific chapters on the Installation, Configuration and
Administration of DigitalPersona Pro Server, as well as a complete guide to the
features of DigitalPersona Pro Workstation.
Appendices include a Planning & Deployment Guide, List of policies and
settings, Troubleshooting section and Warranty information.
See the next page for a complete chapter summary.
The purpose of this chapter is to:
• Give a brief overview of the chapters in the guide.
• Explain the text, naming and other conventions used in the guide.
• Describe the recommended skill set for users of the guide.
• Let you know what additional resources are available for support.
• Provide a means for you to give us feedback on any aspect of our products,
service or documentation.
Chapter Overview
Part One of the Administrator Guide includes this chapter, the Product
Overview, and the Key Concepts and Terminology chapters.
The purpose of this section is to provide information that will assist you in
understanding the DigitalPersona Pro for Active Directory product and
components, and establishing the conceptual framework for the remainder of the
guide.
Chapter 1, Introduction, is described on the previous page.
Chapter 2, Key Concepts & Terminology, defines terms and concepts used in the
guide, including an overview of Active Directory.
Chapter 3, Product Overview, describes DigitalPersona Pro for Active Directory
Server and Workstation software and hardware components, system
requirements, compatibility with previous versions and related products. It also
explains the DigitalPersona Pro authentication process.
Part Two includes chapters on deploying DigitalPersona Pro for Active
Directory Server and Workstation.
Chapter 4, Deploying DigitalPersona Pro Server, consists of detailed
instructions for deploying (and uninstalling) DigitalPersona Pro Server.
Chapter 5, Installing DigitalPersona Pro Workstation, contains detailed
instructions for installing (and uninstalling) DigitalPersona Pro Workstation.
Part Three, Administration, describes the configuration and administration of
DigitalPersona Pro for Active Directory, including the policies, settings and
properties used to tailor system behavior to meet the needs of your organization.
Chapter 6, Configuring Policies and Settings, explains each policy and setting
available as part of DigitalPersona Pro for Active Directory and implemented
through the use of Active Directory administration tools for domain-wide
administration and the Microsoft Management Console for local administration.
Chapter 7, User Properties, describes the user settings available through the
User Properties Snap-in and the extended settings available through the
Extended Server Policy Module.
Chapter 8, DigitalPersona Pro Events, lists and describes the events generated
by DigitalPersona Pro for Active Directory, which can be viewed through the
Windows Event Viewer.
Chapter 9, Administration Tools, provides instructions for using each of the
standalone administration tools that can be used to provide centralized or
decentralized administration of DigitalPersona Pro for Active Directory. Some
of the available tools are: License Control Manager, Attended Fingerprint
Registration Tool, One Touch SignOn Administration Tool, User Query Tool
and the CleanUp Wizard.
Chapter 10, DigitalPersona Pro Workstation, describes and explains the features
of DigitalPersona Pro Workstation for the administrator.
Part Four, Appendices, provides additional information about DigitalPersona
Pro for Active Directory.
Chapter 11, Planning & Deployment, provides design guidelines, assists you in
selecting and planning a deployment scenario and provides tools to help you
create and execute a successful Pro deployment plan.
Chapter 12, DigitalPersona Pro Settings, provides a complete alphabetical list of
all DigitalPersona Pro policies and settings with references to their Active
Directory location and the page number where they are described.
Chapter 13, Troubleshooting, provides solutions to situations where
DigitalPersona Pro for Active Directory software or hardware may be acting in
an unexpected manner.
Chapter 14, Customizing Pro Workstation, describes how to configure One
Touch Menu content and Quick Actions behavior through the Windows
Registry. These settings can then be pushed to all DigitalPersona Pro for Active
Directory Workstations.
Chapter 15, Installing High Encryption, describes how to install 128-bit high
encryption for Windows 2000 without the latest patches.
Chapter 16, Warranties, Provisions and Regulatory Information, provides legal
and regulatory information about the product.
Conventions
Naming Conventions
In order to make this guide easier and quicker to read, the following naming
conventions are used to describe the DigitalPersona Pro for Active Directory
Server and Workstation software and hardware:
• DigitalPersona Pro Server, Pro Server and Server sometimes replace the full
product name, DigitalPersona Pro for Active Directory Server. In this guide,
these terms always refer to the Active Directory version, and not to any other
version of DigitalPersona Pro Server software.
• DigitalPersona Pro Workstation, Pro Workstation and Workstation are
sometimes used instead of the full name, DigitalPersona Pro for Active
Directory Workstation. They always refer to the Active Directory version of
DigitalPersona Pro when used in this guide.
• Reader or Fingerprint Reader, used in either upper or lower case, refers to the
DigitalPersona U.are.U Reader and third-party swipe readers, unless
otherwise specified in the context.
Notation Conventions
The following notation conventions are used in this guide to call attention to
information of special importance:
Note
A note highlights information that may help you better understand the text and
its concepts.
Warning
A warning advises you that failure to take or avoid a specific action could result
in your inability to complete the required tasks or cause undesirable results.
Typographic Conventions
This guide uses the following typographic conventions:
• Courier indicates text that is typed by the user.
Example:
“Type http://www.digitalpersona.com/ in the Address text box.”
You would only type “http://www.digitalpersona.com/” and would not type
any surrounding text.
• Text in Courier bold and surrounded by brackets [ ] indicates information
that is always supplied by you and will vary depending on a particular
circumstance.
Example:
“Type http://[your company Web site URL]/ in the Address text box.”
You would type “http://”, then type your company Web site URL—not the
words “[your company Web site URL]”—and then “/”.
Courier bold is also used to display information that is dynamically
generated by DigitalPersona Pro.
Recommended Skill Set
To fully and effectively utilize the information contained in this guide, we
recommend that you possess the minimum skills and knowledge defined below.
Domain Administrators
If you will be administering DigitalPersona Pro Server for one or more domains,
you should have knowledge of and experience with the Windows 2000 or 2003
Server operating system and its administrative tools. Specifically, you should
have working knowledge of key Active Directory concepts and objects
including group policy objects, containers, sites, domains and organizational
units and be able to use the standard Active Directory administration tools such
as the Active Directory for Users and Computers console and the Group Policy
Editor.
Local Administrators
If you are administering DigitalPersona Pro Workstation on a local computer,
you should understand how to use the Microsoft Management Console (MMC)
to manage computer properties.
Workstation End Users
End users of DigitalPersona Pro for Active Directory Workstation should
possess basic computer and network operation skills, such as logging on to a
computer and using the taskbar, shortcut menus and a Web browser.
Support Resources
In addition to this guide, the following resources are provided for additional
support to both users of DigitalPersona Pro Server and Workstation:
• Readme files are provided in the root directory of the product CD for both
DigitalPersona Pro Server and Workstation. These files often contain
late-breaking information about the product.
• The DigitalPersona Web site provides an online technical support form at
http://www.digitalpersona.com/support/enterprise/chooseproduct.php, where
you can ask for help with your questions. Simply describe your issue, include
your contact information, and a technical support representative will contact
you shortly by e-mail or phone.
• Phone support is available at (877) 378-2740 in the U.S. only.
Outside the U.S., call +1 650-474-4000.
• Online help is included with DigitalPersona Pro Server and Workstation as
well as with the Administration Tools. Workstation Help is accessible from
various dialog boxes that appear during the use of the software and from the
One Touch Menu, as described in “Help” on page 142.
Your Feedback is Requested
Although the information in this guide has been thoroughly reviewed and tested,
we welcome your feedback on any errors, omissions or suggestions for future
improvements. If you find errors or have suggestions for future publications,
contact us at:
[email protected]
Or at:
DigitalPersona, Inc.
720 Bay Road, Suite 100
Redwood City, California 94063 USA
(650) 474-4000
(650) 298-8313 FAX
2 Key Concepts & Terminology
In order to fully understand and implement the features of DigitalPersona Pro
for Active Directory, you will need to be familiar with the terms and concepts
covered in this chapter.
If you consider yourself knowledgeable about Active Directory, you may want
to skip the rest of this page and continue with reading about DigitalPersona Pro
concepts and terminology on page 10.
Concepts
Active Directory
Active Directory is a proprietary directory service that has been included with
Microsoft Windows servers since the release of Windows 2000 Server.
A directory service is a software application that stores and organizes
information about a computer network's users and resources; such as computers,
printers and network shares. It enables network administrators to manage users'
access to those resources.
The design, implementation and configuration of Active Directory can be a
complex task, even for a small to medium-sized organization, and is beyond the
scope of this topic. Assuming that Active Directory is set up and working
correctly for your organization’s current needs, this topic will provide the
information that you need in order to utilize a working Active Directory to
administer DigitalPersona Pro.
DigitalPersona Pro for Active Directory utilizes the Active Directory service for
administration of policies and settings that determine the functionality and
features implemented in your organization.
Through Active Directory you can assign enterprise-wide policies and settings
to computers in your network as well as locate and administer objects, users and
resources across the network.
Active Directory is structured as a hierarchy of objects and containers laid out in
a tree format. In the Users and Computers Snap-in (Figure 2-1), which is one of
the visual tools that can be used to create and administer objects, the hierarchy
looks much the same as the folder structure in Windows Explorer.
Figure 2-1. Users and Computers Snap-in
Administrative Templates & Snap-ins
DigitalPersona Pro for Active Directory integrates with Active Directory
through the use of the following Administrative Templates and Snap-ins.
DigitalPersonaProSvr.adm (page 36): The Active Directory Administrative
Template for DigitalPersona Pro Server is applied to GPOs governing Domain
Controllers running DigitalPersona Pro Server.
DigitalPersonaProWksta.adm (page 36): The Administrative Template for
DigitalPersona Pro Workstation is applied to GPOs governing computers running
DigitalPersona Pro Workstation, or can be applied to a local policy object for
a standalone configuration of DigitalPersona Pro Workstation.
User Properties Snap-in (page 72): An Active Directory snap-in that enables
DigitalPersona Pro user settings.*
Extended Server Policy Module (page 74): An optional snap-in extending
DigitalPersona Pro User Properties.*
* User Properties take precedence over GPO settings.
Group Policy
Group Policy is a feature of the Active Directory service that facilitates change
and configuration management.
Group Policy settings are stored in Group Policy Objects (GPOs) in the Active
Directory database. These GPOs are linked to containers, which include Active
Directory sites, domains, and organizational units (OUs).
Because Group Policy is so closely integrated with Active Directory, it is
important to have a basic understanding of both Active Directory structure and
the security implications of different design configuration options within it
before you implement Group Policy.
For information about the policies and settings that DigitalPersona Pro adds to a
GPO, see “Configuring Policies and Settings” on page 56. For additional
information about security and DigitalPersona Pro, refer to the DigitalPersona
Pro for Active Directory Security Guide.
Organizational Units (OUs)
An OU is a container within an Active Directory domain. An OU may contain
users, groups, computers, and other OUs, which are known as child OUs. You
can link a GPO to an OU, and the GPO settings will be applied to the users and
computers that are contained within that OU and its child OUs. To facilitate
administration you can delegate administrative authority to each OU. OUs
provide an easy way to group users, computers, and other security principals,
and they also provide an effective way to segment administrative boundaries.
Users and computers are generally assigned to separate OUs, because some
settings only apply to users and other settings only apply to computers.
One of the primary goals of an OU structure design for any environment is to
provide a foundation for a seamless Group Policy implementation that applies to
all workstations in Active Directory and ensures that they meet the security
standards of your organization.
The OU structure must also be designed to provide adequate security settings
for specific types of users in an organization. For example, developers may
need some permissions that average users do not need to have. Also, laptop
users may have slightly different security requirements than desktop users.
The figure on the right shows a basic OU structure for illustration of the
concept only, and is not a recommendation to create your OU structure in the
same way. Your OU structure must be defined by the specific organizational
requirements of your environment.
Pro Biometric Authentication Process
DigitalPersona Pro’s biometric authentication process validates the identity of a
user through a scan of their fingerprint, which can also be used in combination
with their password or a smart card for multi-factor authentication.
This biometric authentication process is used by DigitalPersona Pro Workstation
in an enterprise deployment with DigitalPersona Pro Servers.
Prior to authentication:
1 A user registers their fingerprint(s), creating a registration template that is
stored on the local workstation and also sent securely to the Pro Server.
2 Pro Workstation captures user data (such as user account or logon
information), called “secrets” and sends them securely to Pro Server for
storage in Active Directory.
By default, it also caches these secrets locally on the Workstation, so that
they are available if the Server cannot be reached. Caching can be disabled
by the administrator through a setting in the DigitalPersona Pro Active
Directory Administrative Template.
The authentication process is initiated when a Pro application (such as Pro
Workstation) prompts the user to verify their identity by providing their
fingerprint. This may be in order to logon to Windows using One Touch Logon,
or to logon to a program or Web site using One Touch SignOn or One Touch
Internet.
The authentication process is as follows:
1 The user touches the fingerprint reader with a registered finger.
2 The fingerprint is scanned and processed at the workstation, creating a
verification template.
3 The verification template is compared to the registration template cached on
the local workstation and then sent to the Pro Server for confirmation of the
user’s identity.
4 Pro Server compares the verification template to the registration template in
the user record in Active Directory. If the verification template matches the
registration template, Pro Server authenticates the user and sends the “secret”
requested by the application securely to the Workstation.
5 The Pro application receives the Secret and then uses the information as
needed, typically to log the user on to their Windows account, a program or
Web site.
Note
When a Pro Server is unavailable, such as when a laptop is disconnected from
the network, the required secret is retrieved from a local cache on the
Workstation. If a Pro Server is unavailable, and local caching has been disabled
by the administrator, authentication is not possible.
This authentication process can be modified by the administrator using settings
in the DigitalPersona Pro Administrative Templates (see “Configuring Policies
and Settings” on page 56).
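The registration and authentication exchange above, modelled end to end as an added example that is not part of the guide or of DigitalPersona's software: make_template() is a SHA-256 digest of a constructed "minutiae" string standing in for the product's one-way template transform, and the attempt limit and lockout duration are assumed values standing in for the configurable Fingerprint Verification Lockout settings. demo() walks the online case, three misses that trip the lockout, the lockout expiring, and the offline laptop with caching enabled and with caching disabled (the situation covered by the Note).

```python
"""Toy model of the Pro Workstation / Pro Server exchange described above. Constructed for
illustration: make_template() stands in for the one-way transform and the lockout is a
simplified attempt counter with assumed settings; nothing here is DigitalPersona's code."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Outcome = Tuple[Optional[str], str]   # (released secret or None, status text)


def make_template(minutiae: str) -> str:
    """Stand-in one-way transform; the constructed 'scan' is discarded, only the digest kept."""
    return hashlib.sha256(minutiae.encode("utf-8")).hexdigest()


@dataclass
class ProServer:
    """Server side: registration templates, secrets and a simplified verification lockout."""
    max_attempts: int = 3            # assumed value for the configurable attempt limit
    lockout_seconds: float = 600.0   # assumed value for the configurable lockout time
    templates: Dict[str, str] = field(default_factory=dict)
    secrets: Dict[Tuple[str, str], str] = field(default_factory=dict)   # (user, app) -> secret
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def register(self, user: str, reg_template: str) -> None:
        self.templates[user] = reg_template

    def store_secret(self, user: str, app: str, secret: str) -> None:
        self.secrets[(user, app)] = secret

    def verify(self, user: str, ver_template: str, app: str, now: float) -> Outcome:
        """Step 4: match against the registration template; release the secret or count the miss."""
        if now < self.locked_until.get(user, 0.0):
            return None, "locked out"
        if self.templates.get(user) == ver_template:
            self.failures.pop(user, None)
            return self.secrets.get((user, app)), "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures.pop(user, None)
            return None, "locked out"
        return None, "no match"


@dataclass
class ProWorkstation:
    """Workstation side; server=None models a Pro Server that cannot be reached."""
    server: Optional[ProServer]
    cache_enabled: bool = True       # the administrator can disable caching by policy
    local_templates: Dict[str, str] = field(default_factory=dict)
    cache: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def register_finger(self, user: str, minutiae: str) -> None:
        """Registration: the template is kept locally and sent to the server."""
        template = make_template(minutiae)
        self.local_templates[user] = template
        if self.server is not None:
            self.server.register(user, template)

    def store_secret(self, user: str, app: str, secret: str) -> None:
        """Secrets go to the server and, unless caching is disabled, to the local cache."""
        if self.server is not None:
            self.server.store_secret(user, app, secret)
        if self.cache_enabled:
            self.cache[(user, app)] = secret

    def authenticate(self, user: str, minutiae: str, app: str, now: float = 0.0) -> Outcome:
        """Steps 1-5: verification template, local comparison, server confirmation or cache."""
        ver_template = make_template(minutiae)                          # step 2
        local_match = self.local_templates.get(user) == ver_template    # step 3
        if self.server is not None:
            # modelling assumption: a reachable server is the authority and also
            # sees (and counts) attempts the local comparison rejected
            return self.server.verify(user, ver_template, app, now)     # steps 4-5
        if not local_match:
            return None, "no match"
        if not self.cache_enabled:                                      # the Note above
            return None, "server unavailable and caching disabled"
        return self.cache.get((user, app)), "cached secret"


def demo() -> Dict[str, Outcome]:
    """Walk the flow with constructed data and return each outcome by case name."""
    server = ProServer()
    ws = ProWorkstation(server)
    ws.register_finger("alice", "constructed-minutiae-alice")
    ws.store_secret("alice", "windows-logon", "alice-logon-secret")
    out: Dict[str, Outcome] = {}
    out["online ok"] = ws.authenticate("alice", "constructed-minutiae-alice", "windows-logon")
    for n in (1, 2, 3):   # three misses in a row trip the lockout
        out[f"wrong finger {n}"] = ws.authenticate("alice", "constructed-minutiae-bob", "windows-logon")
    out["locked, correct finger"] = ws.authenticate("alice", "constructed-minutiae-alice", "windows-logon")
    out["after lockout expires"] = ws.authenticate(
        "alice", "constructed-minutiae-alice", "windows-logon", now=server.lockout_seconds + 1)
    for name, cache_on in (("offline cached", True), ("offline, no cache", False)):
        laptop = ProWorkstation(server=None, cache_enabled=cache_on)   # laptop off the network
        laptop.register_finger("alice", "constructed-minutiae-alice")
        laptop.store_secret("alice", "windows-logon", "alice-logon-secret")
        out[name] = laptop.authenticate("alice", "constructed-minutiae-alice", "windows-logon")
    return out
```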
Terminology
Authentication
User Authentication is the process of verifying a user’s identity by validating
one or more credentials provided by the user. Examples of credentials are
passwords, smart cards and biometrics.
Biometric authentication is the process of comparing a user’s previously created
“registration template” with a “verification template” created from a fingerprint
scan of the user at the time of authentication. See also: “Fingerprint
Registration” and “Verification Template” below, as well as “Pro Biometric
Authentication Process” on page 12.
Credentials
Credentials are a set of information used to gain access to your Windows
account or to a password protected Web site or program. Windows credentials
can include a combination of a user name, password, fingerprint, fingerprint
PIN, or smart card. Web site and program credentials usually include a
combination of fingerprint and password, but can sometimes require additional
information.
Dynamic DNS
Dynamic DNS defines a protocol for dynamically updating a DNS server with
new or changed values. DigitalPersona Pro uses Dynamic DNS to update the
DNS server with changes made to DigitalPersona Pro policies and settings.
Fingerprints
Fingerprints provided through supported fingerprint readers are transformed
into highly compressed and digitally encoded representations of fingerprint
features called a fingerprint template. These fingerprint templates are created
whenever a user places a finger on the reader (when logging on for example),
and encoded with a one-way algorithm that cannot be reversed to recreate the
scan of that fingerprint. The actual fingerprint scans are never stored, but are
discarded after the template is created.
Fingerprint Identification
Fingerprint identification is the process of identifying a user out of a set of users
by fingerprints. It is performed with only a fingerprint, and not a user name, by
matching the verification template to all registration templates in the set of
users.
Fingerprint PINs
The administrator may require that users type a short sequence of characters,
known as a fingerprint PIN, each time they use a fingerprint to log on, unlock
the computer, or change their Windows password. This provides an additional
level of security. Logon settings with fingerprint PINs are supported only on
Windows XP and 2000. Logon settings are managed by your administrator.
Fingerprint Registration
Fingerprint registration is the process that begins with a DigitalPersona Pro user
providing one or more fingers to be scanned using a supported fingerprint
reader. Once the finger is successfully scanned four times, the system then
transforms the result into a highly compressed, digitally encoded representation
of fingerprint features called a registration template.
This registration template is then stored in DigitalPersona Pro Server’s user
database for future use during authentication and identification, or on the local
workstation if DigitalPersona Pro Server has not been deployed.
A fingerprint for which a registration template was created is referred to as a
registered fingerprint.
Fingerprint Template
See Fingerprints.
Fingerprint Verification
Fingerprint verification is the process of verifying that the template derived
from the fingerprint scan during the authentication process, the verification
template, and the original registration template are from the same finger. The
verification template is deleted immediately after its use in the matching
process.
Fingerprint Verification Lockout
Fingerprint Verification Lockout occurs when a user attempts to identify
themselves with their fingerprint and a successful match is not made after a
specified number of attempts. The user will be unable to use their fingerprint for
identification until the lockout is released.
The number of attempts allowed, the amount of time the user is locked out, and
the interval before the lockout is removed are configurable by the administrator.
See “Fingerprint Verification Lockout” on page 64 for details.
The lockout can also be manually released by an administrator from the
DigitalPersona Pro tab of the Properties dialog for the user in the Active
Directory Users and Computers console.
One Touch Internet
One Touch Internet (OTI) provides the ability for the end user to create
Fingerprint Logons that can be used to logon to Web sites by touching a
supported fingerprint reader.
One Touch Logon
One Touch Logon provides the ability for you to log on to your Windows
account by simply touching a supported fingerprint reader.
One Touch Unlock
One Touch Unlock provides the ability to lock or unlock Windows by touching a
supported fingerprint reader.
One Touch SignOn
One Touch SignOn (OTS) provides the ability for you to log on to your
Windows account (One Touch Logon), Web sites and password protected
programs by simply touching a supported fingerprint reader. It also includes
One Touch Unlock which enables you to lock and unlock your computer with
your fingerprint.
Quick Actions
Quick Actions, which combine the Shift or Control Keys with use of the
fingerprint to access DigitalPersona Pro features, can be created by end users in
the DigitalPersona Workstation Properties dialog.
Secret
A DigitalPersona Pro Secret is application specific user data that is stored
securely in Active Directory by the DigitalPersona Pro Server, or locally by the
local authentication server on the workstation. The secret is released to the
application upon successful identification of the user, and used to log on to
programs and Web sites for which logon templates have been created.
Service Resource Records (SRV RR)
Active Directory servers publish their addresses so that clients can find them
knowing only the domain name. Active Directory servers are published via
Service Resource Records (SRV RRs) in DNS. The SRV RR is a DNS record
used to map the name of a service to the address of a server offering that service.
The name of an SRV RR has the form: _<service>._<protocol>.<domain>
Active Directory servers offer the LDAP service over the TCP protocol with
published names in the form:
_ldap._tcp.<domain>
For example, the SRV RR for "microsoft.com" is "_ldap._tcp.microsoft.com".
Additional information on the SRV RR indicates the priority and weight for the
server, allowing clients to choose the best server for their needs.
When an Active Directory server is installed, it publishes itself via Dynamic
DNS. Since TCP/IP addresses are subject to change over time, servers
periodically check their registrations to make sure they are correct, updating
them if necessary.
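The priority/weight ordering that a client applies to the published SRV records is what lets the DNS locator service described above pick a server transparently. The following is an added example, not code from the DigitalPersona product or this guide; it uses constructed records for a hypothetical domain "example.com" and performs no DNS query.

```python
"""Choose an Active Directory LDAP server from _ldap._tcp.<domain> SRV records.

Added example, not part of the DigitalPersona guide: it shows the
priority/weight ordering (RFC 2782) a client applies to the published SRV
records before picking a server.  The records below are constructed sample
data for a hypothetical domain "example.com"; no DNS query is made.
"""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str       # owner name, e.g. "_ldap._tcp.example.com"
    priority: int   # lower values are tried first
    weight: int     # relative share of load within one priority level
    port: int       # 389 for LDAP
    target: str     # host that offers the service


def srv_name(domain: str, service: str = "ldap", protocol: str = "tcp") -> str:
    """Build the _<service>._<protocol>.<domain> owner name of an SRV record."""
    return f"_{service}._{protocol}.{domain.strip('.').lower()}"


def order_by_priority_and_weight(records, rng=None):
    """Return the records in the order a client should try them.

    Every record of the lowest priority comes before any record of a higher
    priority (fault tolerance: the next level is only reached when the
    preferred servers fail).  Inside one priority level the order is a
    weighted random draw without replacement, so a target with a larger
    weight is tried first more often (load balancing).
    """
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = group[0]               # used when all remaining weights are 0
            if total > 0:
                point = rng.uniform(0, total)
                running = 0
                for r in group:
                    running += r.weight
                    if point <= running:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def first_choice_counts(records, trials: int, seed: int) -> Counter:
    """How often each target is the first server tried, over `trials`
    orderings drawn from a seeded generator (shows the effect of weight)."""
    rng = random.Random(seed)
    return Counter(order_by_priority_and_weight(records, rng)[0].target
                   for _ in range(trials))


# Constructed sample: two preferred DCs sharing load 80/20, plus a backup DC
# that is only reached when both preferred ones are unavailable.
SAMPLE_RECORDS = [
    SrvRecord(srv_name("example.com"), 0, 80, 389, "dc1.example.com"),
    SrvRecord(srv_name("example.com"), 0, 20, 389, "dc2.example.com"),
    SrvRecord(srv_name("example.com"), 10, 100, 389, "dc3.example.com"),
]

if __name__ == "__main__":
    for rec in order_by_priority_and_weight(SAMPLE_RECORDS, random.Random(1)):
        print(f"{rec.priority:>3} {rec.weight:>4}  {rec.target}:{rec.port}")
    print(first_choice_counts(SAMPLE_RECORDS, 1000, 7))
```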
Verification Template
A verification template is created from a fingerprint scan whenever a user places
their finger on the fingerprint reader. During authentication, this template is
matched to available Registration Templates in order to identify the user. At the
end of the authentication process the Verification Template is erased.
Chapter 3 - Product Overview
This chapter provides an overview of DigitalPersona Pro for Active Directory, a
comprehensive biometric authentication software and hardware solution, and
describes the several integrated components that can be used to create a
deployment that addresses your specific organizational needs.
Additionally, you will find system requirements for each of the components,
information on product compatibility and a list of related products.
DigitalPersona Pro for Active Directory
DigitalPersona Pro for Active Directory combines the security of biometric
authentication with the simplicity and convenience of Single Sign-On (SSO).
Workstation users can conveniently log on to Windows computers, Microsoft
networks, password-protected programs and Web sites by simply touching the
U.are.U® Fingerprint Reader or using one of the many supported third-party
readers embedded in today’s popular notebook computers.
DigitalPersona Pro Server provides central authentication and administration for
deployed Workstations and scales to over one hundred thousand users. Tightly
integrated with Windows Active Directory, it can usually be deployed without
the need for professional services.
Product Components and Modules
DigitalPersona Pro for Active Directory includes the following components and
modules:
• DigitalPersona Pro Server - For domain-wide, centralized authentication and
administration of DigitalPersona Pro Workstations. (Pages 20, 172, 29)
• DigitalPersona Pro Workstation - Client software providing Single Source
SignOn to Windows, Web sites and password protected programs. It can also be
used in a standalone installation. (Pages 21, 47, 138)
• Fingerprint Reader - DigitalPersona’s U.are.U optical fingerprint reader.
(Page 22)
• Administration Tools - Various administrative tools that can be deployed for
centralized or decentralized administration of Servers and Workstations.
(Pages 23, 84)
• Extended Server Policy Module - An optional module to extend DigitalPersona
Pro User Properties, available from your DigitalPersona Account Manager or
product Reseller. (Pages 24, 72)
DigitalPersona Pro Server
DigitalPersona Pro for Active Directory Server provides scalable domain-wide
authentication and administration of networked DigitalPersona Pro
Workstations. Server software features include:
• Full integration with Active Directory Administration
DigitalPersona Pro Server, installed on either a Windows 2000 or 2003
Server domain controller, uses standard Active Directory administration
tools for implementing and managing policies and settings which control the
behavior of the Workstations and can be used to customize the authentication
process.
For example, using the Group Policy Editor, you can create a GPO that
controls the false accept rate for fingerprint recognition, as well as specifies
credential requirements for logon settings and more. When the GPO is
applied to a group of Workstations, they require no additional configuration
to use the DigitalPersona Pro Server for authentication.
DigitalPersona Pro also provides fault tolerance and load balancing through
Active Directory’s DNS locator service, automatically and transparently
locating all available servers and then selecting one to be used for
authentication.
For additional information on available policies and settings for
DigitalPersona Pro Server, see “Configuring Policies and Settings” on page
56.
• Security architecture
DigitalPersona Pro Server builds on the trust relationship established by
Windows 2000/2003 Server to provide a secure infrastructure for server-client
communication.
• Centralized credential and application databases
DigitalPersona Pro Server extends the Active Directory schema to enable
storing DigitalPersona Pro data and replicating it throughout the network.
This allows a known user to use their fingerprint on any DigitalPersona Pro
Workstation that is connected to a DigitalPersona Pro Server.
DigitalPersona Pro Workstation
DigitalPersona Pro for Active Directory Workstation provides fingerprint logon
functionality for Windows computers, including the following features:
• One Touch Logon increases both security and convenience by adding
biometric authentication to the Windows logon procedure. One Touch Logon
replaces the standard Windows logon dialog box, allowing users to log on to
Windows with a fingerprint in addition to, or as an alternative to, Windows
credentials such as a password or a smart card.
One Touch Logon guides users through providing the required credentials to
log on to Windows. It also allows users to quickly lock and unlock their
computers using the credentials specified by the logon settings.
• One Touch SignOn simplifies and secures access to password-protected
software programs and Web sites. Users just touch the reader to
automatically and securely provide data for logon fields, such as user name
and password, on any Web site or program logon screen.
Administrators use the One Touch SignOn Administration Tool to create
templates specifying information for the logon screens, and can use
application policy settings in the GPO to deploy the One Touch SignOn
templates to end users.
• One Touch Internet is an option that can be deployed to provide end users
with many of the capabilities of One Touch SignOn for their personal Web
accounts through the easy-to-use configuration tool.
Fingerprint Readers
U.are.U Fingerprint Reader
The DigitalPersona U.are.U Fingerprint Reader is a high-quality optical scanner
designed especially for reading fingerprints, and is the recommended fingerprint
reader for use with DigitalPersona Pro.
DigitalPersona Pro Workstation works with the U.are.U Reader to read the
fingerprint scan for authentication purposes.
You may have a U.are.U Reader or a keyboard or device with an embedded
U.are.U Reader.
Third-Party Swipe readers
DigitalPersona Pro also supports the use of several third-party “swipe”
fingerprint readers installed in many current models of notebook computers.
For a complete list of supported readers, visit the following page on
DigitalPersona’s Web site:
http://www.digitalpersona.com/products/notebooks.php
Administration Tools
DigitalPersona Pro for Active Directory provides several tools for administering
various aspects of your implementation as well as expanding the functionality of
the product.
Some of these tools are installed automatically with the installation of
DigitalPersona Pro for Active Directory Server, while others must be selected
through the Custom Install option in the Administration Tools Installation
wizard or run from the product CD.
The following table gives a brief description of each of the tools, and the page
where they are described more fully.
• License Control Manager - Used to control and manage licenses for users of
DigitalPersona Pro Servers, including gathering the information necessary for
requesting a license, adding and removing licenses and viewing license and
user information. (Page 86)
• Attended Fingerprint Registration Tool - An optional feature requiring
supervision of users when registering their fingerprints. (Page 90)
• One Touch SignOn - The One Touch SignOn Administration Tool enables
administrators to add biometric authentication to Web sites and programs.
(Page 92)
• User Properties Snap-in - An Active Directory Snap-in, automatically
installed with Pro Server for administering DigitalPersona Pro users. (Page 72)
• User Query Tool - Used to query the DigitalPersona Pro for Active Directory
user database for information about DigitalPersona Pro users. (Page 131)
• CleanUp Wizard - Removes user data (such as fingerprint credentials, secure
application data and global domain data) from Active Directory. (Page 136)
Extended Server Policy Module
Basic Server policies are provided by the User Policies Snap-in, installed as part
of DigitalPersona Pro Server, which allow an administrator to configure
fingerprint logon settings and restore the use of fingerprints for a user after the
account has been locked due to failed fingerprint attempts.
The optional Extended Server Policy Module adds the following additional user
policies settings:
• User must type a PIN when providing a fingerprint to log on.
• User must provide a fingerprint to log on (in addition to other authentication
specified by Windows policy setting).
The Extended Server Policy Module is available from your DigitalPersona
Account Manager or product Reseller.
For further details, see “Extended User Policies” on page 74.
System Requirements
DigitalPersona Pro Server - Minimum Requirements:
• Pentium Processor, 128 MB RAM
• Windows 2003 Server or 2000 (Standard or Enterprise) Server. Small Business
Server is not supported.
• Active Directory
• 10 MB available hard disk space
• 5K hard disk space per user
DigitalPersona Pro Workstation - Minimum Requirements:
• Pentium 233 MHz Processor, 128 MB RAM
• Windows 2000, XP Professional or Embedded, 2003 Server. XP Home Edition is
not supported.
• 30 MB available hard disk space
• CD-ROM drive if installing locally, Network connection for silent/network
installation
• Microsoft Internet Explorer 6 (if using One Touch SignOn or One Touch
Internet)
Product Compatibility
DigitalPersona Pro for Active Directory Server
• Can coexist with other Pro Servers that are version 3.0 or later.
• All Pro Workstations that authenticate to the Pro Server must be version 3.0
or later.
• All Pro Kiosk workstations that authenticate to the Pro Server must be version
1.0 or later.
• Is compatible with DigitalPersona Pro SDK installed on Pro Workstation 3.x.
DigitalPersona Pro for Active Directory Workstation
• Can coexist with other Pro Workstations that are version 3.0 or later.
• Is not compatible with DigitalPersona Gold, DigitalPersona Platinum or
DigitalPersona Online, or with DigitalPersona Pro SDK when installed on
Pro Workstation 4.x.
Supported Fingerprint Readers are:
• DigitalPersona U.are.U 4000 and 4000B series
• Many third-party swipe readers embedded in current models of notebook
computers. For a list of supported swipe readers, visit our Web site at:
http://www.digitalpersona.com/products/notebooks.php.
Related Products
The following related products are also available from your DigitalPersona
Account Manager or product Reseller:
DigitalPersona Pro for Active Directory SDK - Provides developers with
simple, powerful tools to extend DigitalPersona Pro for Active Directory with
custom applications.
Developers can fingerprint enable access to their applications by leveraging
DigitalPersona Pro security, credential management in Active Directory, user
interface and deployment tools.
The DigitalPersona Pro SDK is designed to work with the DigitalPersona Pro
Server and the DigitalPersona Pro Workstation Software. The DigitalPersona
Pro SDK only supports the DigitalPersona U.are.U Fingerprint Readers
included with Workstation packages.
DigitalPersona Online/SDK - DigitalPersona Online consists of server and
client software to add fingerprint authentication to enable virtually any web
application. DigitalPersona Online enables businesses to provide heightened
security to customers, partners and employees, replacing cumbersome
passwords with the convenience of a single touch of a finger.
DigitalPersona Kiosk - DigitalPersona Pro Kiosk for Active Directory provides
fast, secure and convenient access to shared computer environments, such as
healthcare, retail point of sale and manufacturing lines, where multiple users
share workstations running mission- and life-critical programs.
DigitalPersona Pro Kiosk solves compliance challenges in a multi-user
environment by providing comprehensive audit trails for each user.
DigitalPersona Platinum SDK - DigitalPersona Platinum Software
Development Kit (SDK) enables developers to add the power of DigitalPersona
fingerprint authentication security to their Windows applications.
This toolkit exposes a set of DCOM objects and ActiveX controls which enables
developers to access the functionality of the DigitalPersona Identity Engine to
execute the core tasks of fingerprint capture, template creation, credential
storage and template matching.
The toolkit’s Security Layer is completely transparent to the application
developer. ActiveX (OCX) support allows programming in other scripting
languages.
The toolkit includes sample code for Visual C, C++, Visual Basic and .NET. The
DigitalPersona Platinum SDK only supports the DigitalPersona U.are.U
Fingerprint Readers (sold separately, see details below).
Part Two: Deployment & Installation
Part Two of the DigitalPersona Pro for AD Administrator Guide includes the
following chapters:
• Deploying DigitalPersona Pro Server - Describes the procedure for deploying
DigitalPersona Pro Server. (Page 29)
• Installing DigitalPersona Pro Workstation - Describes the procedure for
installing DigitalPersona Pro Workstation. (Page 48)
For information on planning and deployment, see “Planning & Deployment” on
page 172.
Chapter 4 - Deploying DigitalPersona Pro Server
This chapter provides instructions for the deployment or upgrading of
DigitalPersona Pro for Active Directory Server on a domain controller.
Instructions for uninstalling DigitalPersona Pro Server are on page 46.
Deployment Overview
Here is a high-level overview of the steps required to deploy DigitalPersona Pro
Server for Active Directory on the domain controller for a Windows 2000 or
2003 network:
1 Extend the Active Directory schema to include attributes and classes used by
DigitalPersona Pro Server.
2 Configure each domain on which DigitalPersona Pro Server will be installed
by running the Domain Configuration Wizard.
3 Install the DigitalPersona Pro Server software.
4 Install the Administrative Templates.
Detailed instructions for installation begin on page 32.
Upgrading from Previous Versions
This topic contains information that is specific to upgrading from version 3.x of
DigitalPersona Pro for Active Directory to the current version which is 4.0.
Upgrading to the current version has been made as straightforward and simple
as possible. In most cases, it is simply a matter of removing the old software and
installing the new software.
However, you should keep the following in mind.
• DigitalPersona Pro for Active Directory 4.0 introduces a new licensing
model for Pro Server which is based on requiring User Authentication
Licenses for each user who will be registering their fingerprints.
You should contact your DigitalPersona Account Manager or product
Reseller to obtain the necessary licenses prior to beginning the upgrade
process.
• Installation of Pro Server 4.0 prior to installing the license will not lock out
your current users, but will prevent any new users from registering their
fingerprints on a version 4.0 Workstation.
To upgrade from a previous version
The recommended sequence of events for upgrading from a previous version to
the current version is:
1 Determine the number of User Authentication Licenses required and
generate a license request file for each domain using the License Control
Manager application included on the Administration Tools CD. Follow
instructions in the topic “Getting License Information” on page 87 for
requesting and installing license files.
2 Remove existing 3.x Pro Servers and install all 4.0 Pro Servers according to
the instructions in “Deploying DigitalPersona Pro Server” on page 29. It is
important to complete the upgrade of ALL Pro Servers before installing any
Pro Workstations.
Warning
DO NOT run the Schema Extension wizard as part of the upgrade process.
This is step 1 in the installation process for new installations, but should not
be followed for upgrading your Pro Server.
3 Enter User Authentication Licenses for each domain where Pro Servers are
installed.
4 Begin installation of Pro Workstation 4.0 according to the instructions in
“Installing DigitalPersona Pro Workstation” on page 47.
The table on the following page will assist you in determining your upgrade path
according to your specific needs.
Table 4-1. Feature Comparison
(This table is a matrix of deployment scenarios against DigitalPersona Pro
features; only its row and column labels survived extraction, so the
individual cell marks are not reproduced here.)
Deployment Scenario (rows):
• Have Pro 3.x Workstations and want to upgrade to Pro 4.0 Workstations
• Have Pro 3.x Server(s) and want to upgrade to Pro 4.0 Server(s)
• Have Pro 4.0 Server and Pro 4.0 Workstations and want to add more Pro 4.0
Workstations
DigitalPersona Pro Features (columns):
• Workstation Administration
• Secure Server Authentication
• Secure Windows Logon
• One Touch Logon & One Touch UnLock
• One Touch SignOn and One Touch Internet
Other cell text in the table: “Purchase Pro 4.0 Server”; “Follow upgrade
instructions on page 30.”
Extend the Active Directory Schema
Prior to installing DigitalPersona Pro Server, the Active Directory schema must
be extended to create new attributes for the user object and new classes, as well
as to make modifications to existing classes. The Active Directory Schema
Extension Wizard automatically handles all of the necessary changes to the
schema. This schema extension is global to the Active Directory forest.
If you want to view the script that is used to extend the schema (dp-schema.ldif),
it is available on the product CD at the following location:
[cd drive]\AD Schema Extension\dp-schema.ldif
Warning
The Active Directory Schema Extension Wizard must be run from the schema
master domain controller, or the data may not replicate fast enough to allow the
wizard to continue. If the data is not replicated fast enough, the wizard will
terminate, and you should then wait one replication cycle before running the
wizard again.
After the schema extension, and again after configuring your domains, you must
wait for Active Directory schema replication to be completed. The amount of
time this takes will depend on the complexity of your Active Directory
structure.
You must have Schema Administrator privileges to run the Schema Extension
Wizard.
To run the Active Directory Schema Extension Wizard
1 Double-click DPSchemaExt.exe, which is located in the AD Schema
Extension folder on the Server installation CD, to start the Schema Extension
Wizard.
2 Read the terms and conditions on the License Agreement page. If you agree
with them, select I accept the license agreement and then click Next.
3 When prompted to proceed with the schema extension, click Yes.
4 Next, specify a location and name for the log file generated by the Schema
Extension Wizard in the Save Log File As dialog box. Then, click Save.
5 If the schema is not writable, the wizard will inform you of the fact and will
allow you to make it writable. If this dialog box displays, click Yes to make
the schema writable and perform the schema extension.
6 The wizard will extend the schema and provide information such as the class
and attribute names. To close the wizard, click Finish.
The name of each new attribute and class added to the Active Directory schema
follows Microsoft naming conventions. The names are assigned a “dp” prefix,
which is registered with Microsoft.
The OID base, generated by Microsoft, is 1.2.840.113556.1.8000.651.
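Because the schema extension is forest-wide and hard to undo, it is worth checking the LDIF file against the stated naming rules before running the wizard. The following is an added example, not the guide's or the product's code; it parses a constructed sample LDIF with hypothetical attribute and class names (not the real dp-schema.ldif) and flags entries that lack the “dp” prefix or fall outside the OID base quoted above.

```python
"""Sanity-check a schema extension LDIF before it is applied to the forest.

Added example, not part of the DigitalPersona guide or its dp-schema.ldif.
It parses LDIF records and verifies that every attributeSchema / classSchema
entry carries the registered "dp" name prefix and an OID below the base
1.2.840.113556.1.8000.651 quoted in the guide.  SAMPLE_LDIF is a constructed
sample with hypothetical attribute and class names and made-up sub-arcs.
"""
DP_OID_BASE = "1.2.840.113556.1.8000.651"
DP_NAME_PREFIX = "dp"


def parse_ldif(text: str):
    """Return a list of records, each a dict of lowercased attribute -> [values].

    Folded lines (continuation lines starting with a space) are joined and
    comment lines are skipped; base64 (::) values are not needed for this check.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    return records


def check_schema_entry(rec) -> list:
    """Problems found in one record (empty list means the entry looks right).

    Only attributeSchema and classSchema entries are inspected; other records,
    such as the schemaUpdateNow modify at the end, are ignored.
    """
    classes = {c.lower() for c in rec.get("objectclass", [])}
    if "attributeschema" in classes:
        oid_attr = "attributeid"
    elif "classschema" in classes:
        oid_attr = "governsid"
    else:
        return []
    name = (rec.get("ldapdisplayname") or rec.get("cn") or ["<unnamed>"])[0]
    problems = []
    if not name.lower().startswith(DP_NAME_PREFIX):
        problems.append(f"{name}: missing the registered '{DP_NAME_PREFIX}' prefix")
    for oid in rec.get(oid_attr, ["<missing>"]):
        if not oid.startswith(DP_OID_BASE + "."):
            problems.append(f"{name}: {oid_attr} {oid} is outside {DP_OID_BASE}")
    return problems


def check_schema_ldif(text: str) -> list:
    """All problems across the file; an empty list means the file passes."""
    return [p for rec in parse_ldif(text) for p in check_schema_entry(rec)]


# Constructed sample: two well-formed entries, two that should be flagged, and
# the usual schema-cache refresh at the end.  Names and sub-arcs are made up.
SAMPLE_LDIF = """\
dn: CN=dpSampleAttr,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
cn: dpSampleAttr
lDAPDisplayName: dpSampleAttr
attributeID: 1.2.840.113556.1.8000.651.1.1
attributeSyntax: 2.5.5.10
oMSyntax: 4

dn: CN=dpSampleClass,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: classSchema
cn: dpSampleClass
lDAPDisplayName: dpSampleClass
governsID: 1.2.840.113556.1.8000.651.2.1

dn: CN=sampleNoPrefix,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
lDAPDisplayName: sampleNoPrefix
attributeID: 1.2.840.113556.1.8000.651.1.2

dn: CN=dpForeignArc,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
lDAPDisplayName: dpForeignArc
attributeID: 1.3.6.1.4.1.99999.1

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
"""

if __name__ == "__main__":
    for problem in check_schema_ldif(SAMPLE_LDIF):
        print("FAIL", problem)
```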
Configure each domain
For each domain on which you plan to install DigitalPersona Pro Server, you
need to run the DigitalPersona Pro Active Directory Domain Configuration
Wizard, which configures the required domain-specific data including the
necessary cryptographic keys.
Running the wizard requires administrator privileges on the domain controller.
Warning
You should run this wizard once on each domain controller where Pro Server
will be installed.
When installing multiple Pro Servers, it is critical that you run the wizard only
once during any replication period, allowing full replication to be completed
before going on to run the wizard on the next domain controller.
Running the wizard a second time during a replication period will result in
corrupted Server data, and any DigitalPersona Pro Servers in the domain will
be unusable.
To run the DigitalPersona Pro Active Directory Domain Configuration Wizard
1 Double-click DPDomainConfig.exe, which is located in the AD Domain
Configuration folder on the Server installation CD.
2 Read the license agreement that displays and, if you agree to the terms and
conditions, select I accept the license agreement and then click Next.
3 A warning reminds you not to run this wizard if you have an existing
DigitalPersona Pro Server installation on this domain. If you are sure there
are no other DigitalPersona Pro Server installations on the domain you are
configuring, check the I accept that the domain will be configured box and
click Next.
4 In the Save Log File As dialog box, specify a file name and folder path for
the log file generated by the wizard and click Save.
5 When you click Save, the wizard performs the necessary changes on the
domain.
6 To close the wizard, click Finish.
Install DigitalPersona Pro Server
After extending the Active Directory schema and configuring the domain where
you plan to install DigitalPersona Pro Server, you are ready to install the
DigitalPersona Pro Server software.
In addition to the minimum hardware and software requirements specified by
Microsoft for a domain controller, DigitalPersona Pro Server has the following
requirements:
• Operating System: Windows 2000 Server, Windows 2000 Advanced Server,
Windows 2000 Datacenter Server, or Windows 2003 Server
• Active Directory installed and configured
• High-encryption (128-bit) capability. This is built into Windows 2003 Server
and the latest service packs for Windows 2000 Servers. If you need to install
high encryption capability for an early Windows 2000 OS, see “Installing
High Encryption” on page 198.
• 10 MB of free hard disk space
• Administrator privileges on the domain controller
• No other DigitalPersona products are installed
To install DigitalPersona Pro Server
1 Double-click Setup.exe, which is located in the Install folder on the Server
installation CD, to run the DigitalPersona Pro Server Installation Wizard.
2 When the wizard opens, click Next.
3 Read the terms and conditions on the License Agreement page. If you agree
with them, select the I accept the license agreement button and then click
Next.
4 On the next page, you can specify the folder in which DigitalPersona Pro
Server will be installed. If you want to install DigitalPersona Pro in the
default location, C:\Program Files\DigitalPersona\, click Next;
otherwise, click Browse to specify a new location and then click Next to
continue.
5 The wizard will install the Server software. To close the wizard, click Finish.
Install the Administrative Templates
DigitalPersona Pro Server and Workstation use Active Directory Administrative
Templates to provide access to various policies and settings used in configuring
the DigitalPersona Pro environment. These policies and settings are described in
the chapter, “Configuring Policies and Settings” on page 56.
During installation of DigitalPersona Pro Server, the Administrative Templates
for Pro Server and Workstation are copied to the %system root%\inf\
folder, i.e. in most cases, C:\Windows\inf.
The Workstation Administrative Template is also copied to the same folder
during installation of the Workstation software.
Adding the Administrative Template to a GPO makes the DigitalPersona Pro
policies and settings available.
The two Administrative Templates used to configure DigitalPersona Pro
policies and settings are:
• DigitalPersonaProSvr.adm - Designed for DigitalPersona Pro Servers, this
template should be applied to Active Directory GPOs where it can be
distributed to Domain Controllers running DigitalPersona Pro Server.
• DigitalPersonaProWksta.adm - Designed for DigitalPersona Pro
Workstations, this template should be applied to Active Directory GPOs
where it can be distributed to computers running DigitalPersona Pro
Workstation. It can also be applied to a local policy object for a standalone
installation of DigitalPersona Pro Workstation.
Settings provided include: Fingerprint Verification Accuracy, Number of
Fingerprints, Lockout Policy, Multi-credential Logon, Local Caching, One
Touch Logon and One Touch SignOn settings and more.
Implementation Guidelines
Before you add the Administrative Templates to your GPOs, give some thought
to your Active Directory structure, where GPOs are placed, and which GPOs the
Administrative Templates should be added to.
Policy configuration needs will vary from network to network and specific
policy recommendations are beyond the scope of this guide. You may want to
refer to Microsoft’s documentation on Group Policy Object configuration for
more information.
Organizational Units and GPOs
Although the use and configuration of organizational units and GPOs varies
widely among corporations, we have provided some general guidelines for
structuring Active Directory organizational units.
• There are two key factors in deciding how to structure your network:
  • How you group your users and computers, and
  • Where the DigitalPersona Pro GPOs are set.
  For example, if users and computers can be grouped according to
  authentication policies, you might group them into separate organizational
  units and then set specific GPOs for each unit.
• However, when authentication policies within organizational units vary, as
they often do among department heads and subordinates, then you may want
to group those users and computers into a child organizational unit.
Structuring your organizational units based on authentication policies is the
easiest way to administer DigitalPersona Pro.
1 Plan your network structure by identifying the settings you intend to
configure.
2 Determine whether to apply the settings to users and computers in a site or
domain, or just to users and computers in an organizational unit.
3 Create the organizational units required to implement your design.
4 Add the respective users and computers to the organizational units.
GPO behavior
Here are a few guidelines to keep in mind when configuring DigitalPersona Pro
GPOs.
• If a GPO setting is not configured, the default value set in the software is
used.
• If a superior (higher-level) GPO has a value for a setting and a subordinate
GPO has a conflicting value for that setting, the setting in the subordinate is
used.
• If a GPO has a value for a setting and a subordinate (lower-level) container
has the GPO setting with no value, the setting in the superior (high-level)
GPO is used.
• GPOs can only be applied to the three Active Directory containers: sites,
domains and organizational units; not to users or computers.
• A single GPO can be applied to one or more containers.
• A GPO affects all users and computers in the container, and subcontainers, it
is applied to.
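The inheritance rules above determine which value a Workstation actually receives when several GPOs in its container chain carry DigitalPersona Pro settings. The following is an added example, not the guide's or the product's code; its setting names and defaults are placeholders rather than the real Administrative Template's entries, it assumes the site sits at the top of the chain (site GPOs are processed before domain GPOs), and it assumes GPOs linked to the same container apply in link order.

```python
"""Resolve the effective DigitalPersona Pro settings under GPO inheritance.

Added example, not part of the guide: it models the rules listed under "GPO
behavior".  Containers (site, domain, OU, child OU) form a chain; a GPO linked
to a container affects it and all of its subcontainers; a subordinate GPO's
configured value overrides a superior one; a setting left not configured falls
through to the superior GPO; and when no GPO configures it, the software
default applies.  Setting names and defaults are illustrative placeholders,
not the real Administrative Template's names.  GPOs linked to the same
container are assumed to apply in link order (later overrides earlier).
"""
NOT_CONFIGURED = None

# Placeholder defaults standing in for the values built into the software.
SOFTWARE_DEFAULTS = {
    "fingerprint_verification_accuracy": "medium",
    "number_of_fingerprints": 2,
    "lockout_policy": "disabled",
}


class Container:
    """A site, domain or organizational unit; `gpos` holds (name, settings)."""

    def __init__(self, name, parent=None):
        self.name, self.parent, self.gpos = name, parent, []

    def link_gpo(self, gpo_name, settings):
        self.gpos.append((gpo_name, settings))
        return self

    def chain(self):
        """Containers from the top (superior) down to this one."""
        node, path = self, []
        while node is not None:
            path.append(node)
            node = node.parent
        return list(reversed(path))


def effective_settings(container, defaults=SOFTWARE_DEFAULTS):
    """Map of setting -> (value, source) for users/computers in `container`."""
    result = {name: (value, "software default") for name, value in defaults.items()}
    for node in container.chain():               # superior first ...
        for gpo_name, settings in node.gpos:     # ... so the subordinate wins
            for name, value in settings.items():
                if value is NOT_CONFIGURED:
                    continue                     # inherited value stays in force
                result[name] = (value, gpo_name)
    return result


def build_sample_tree():
    """Constructed sample hierarchy used for the demonstration and the checks."""
    site = Container("Site-HQ")
    domain = Container("example.com", site).link_gpo(
        "Domain-Default",
        {"lockout_policy": "enabled", "number_of_fingerprints": 4})
    ou = Container("OU=Finance", domain).link_gpo(
        "Finance",
        {"number_of_fingerprints": NOT_CONFIGURED,   # falls through to 4
         "fingerprint_verification_accuracy": "high"})
    child = Container("OU=Managers", ou).link_gpo(
        "Finance-Managers", {"number_of_fingerprints": 6})
    return {"site": site, "domain": domain, "ou": ou, "child": child}


if __name__ == "__main__":
    tree = build_sample_tree()
    for key in ("site", "domain", "ou", "child"):
        print(tree[key].name)
        for name, (value, source) in sorted(effective_settings(tree[key]).items()):
            print(f"  {name} = {value!r}  (from {source})")
```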
Install Templates to Active Directory
• For centralized administration of DigitalPersona Pro, both Administrative
Templates need to be added to a GPO on the appropriate nodes by the
domain administrator.
• For local administration of a DigitalPersona Pro Workstation, see “Install
Workstation Template Locally” on page 41.
In order to install the DigitalPersona Pro Administrative Templates and access
their settings, you need to have domain administrator rights.
1 In the Active Directory Users and Computers tool, right click on a node
whose GPO can be distributed to Domain Controllers running DigitalPersona
Pro Server and select Properties.
2 In the Properties dialog, click Edit to display the Group Policy Editor.
3 In the Group Policy Editor, right-click on the Computer Configuration/
Administrative Templates folder and select Add/Remove Templates.
4 In the Add/Remove Templates dialog, select DigitalPersonaProSvr and
click Add.
5 Select DigitalPersonaProWksta and click Add.
6 Click Close to exit the dialog.
7 A DigitalPersona Pro folder will then be listed under Computer
Configuration/Administrative Templates.
DigitalPersonaProWksta should also be added to the Active Directory GPOs
where it can be distributed to computers running DigitalPersona Pro
Workstation on the Windows 2000, XP or Server 2003 operating systems.
1 In the Active Directory Users and Computers tool, right click on a node
whose GPO can be distributed to computers running DigitalPersona Pro
Workstation and select Properties.
2 In the Properties dialog, click Edit to display the Group Policy Editor.
3 In the Group Policy Editor, right-click on the Computer Configuration/
Administrative Templates folder and select Add/Remove Templates.
4 Select DigitalPersonaProWksta and click Add.
5 Click Close to exit the dialog.
Use the Group Policy Editor to modify DigitalPersona Pro settings by clicking
Properties on the shortcut menu of each setting and then clicking the Policy tab
on the Properties dialog box.
For a complete list of DigitalPersona Pro settings, see “DigitalPersona Pro
Policies and Settings” on page 58.
Install Workstation Template Locally
For local administration of a DigitalPersona Pro Workstation, the Workstation
Administrative Template (DigitalPersonaProWksta) can be added to the local
policy object of any workstation running DigitalPersona Pro Workstation by
using the Microsoft Management Console (MMC) Group Policy Editor.
To add the Workstation Administrative Template
1 On the Start menu, click Run. Type gpedit.msc and press Enter to launch
the Group Policy Editor.
2 Right-click the Administrative Templates folder and select Add/Remove
Templates on the Administrative Templates folder shortcut menu.
3 Click the Add button on the Add/Remove Templates dialog box and then
locate and select DigitalPersonaProWksta file located in the following
path:
%systemroot%\inf (for example, c:\Windows\inf).
4 Click Close.
Changes Made During Installation
Running the Schema Extension Wizard adds the following data to Active
Directory.
Active Directory Containers
The Schema Extension Wizard installs three subcontainers in the Active
Directory System container. They contain information administrators can use to
verify and administer the DigitalPersona Pro Server installation.
The three containers are the Biometric Authentication Servers container,
Licenses container and the Policies container.
The Biometric Authentication Servers container provides the class name of the
Server.
The Licenses container holds the license files for DigitalPersona Pro Server.
The Policies container—located under [domain name]/System/
DigitalPersona/UareUPro/Policies—contains all the Policy Objects created
for use with DigitalPersona Pro, as described in “DigitalPersona Pro Policies
and Settings” on page 58.
In addition to these containers, the following data is added to the Service
container:
• Service Configuration Container Name, set to Biometric Authentication
Server.
• Service Version Object Name, set to <current BAS version>.
Published Information
DigitalPersona Pro Server publishes its service using the following properties:
• Service Class Name, set to Biometric Authentication Service.
• Service Class GUID, set to {EFE03FEC-2A6C-4DFB-9B56E3BC77F32D7F}.
• Vendor Name, set to DigitalPersona.
• Product Name, set to UareUPro.
• Product GUID, set to {48F74E29-1CC0-468F-A0A0-8236628A5170}.
• Authentication Server Object Name, the DNS name of the host computer.
• Service Principal Name, a unique name identifying the instance of a service
for a client.
• Schema Version Number, the version of the Active Directory schema
extension.
• Product Version Number, the version of DigitalPersona Pro Server software.
• Product Version High, set to [current version].
• Product Version Low, set to [current version].
• Keywords for searching the server are Service Class GUID, Vendor Name,
Product Name and Product GUID. The keyword values are the same as the
property values listed in this section.
The Server publishes its service in compliance with the Active Directory
Service Connection Point specifications.
DNS Registration
The use of DNS registration enables DigitalPersona Pro Workstations to locate
Pro Servers without needing additional local configuration to do so. If your
DNS Server supports dynamic registration, DigitalPersona Pro Server registers
itself with the DNS using the service name, _uareupro.
The format of the DNS resource records for DigitalPersona Pro Server is:
• _uareupro._tcp.[domain] 600 IN SRV 0 100 0 [server name]
• _uareupro._tcp.[site name]._sites.[domain] 600 IN SRV 0 100 0 [server name]
Pro Server calculates site coverage based on the availability of other Pro Servers
on the domain (as well as sites configured for the domain) and then creates
Service Resource Records (SRV RRs) for the domain and sites it covers.
Settings in the DigitalPersona Pro Administrative Template govern whether or
not Pro Server utilizes dynamic registration. For information on this and other
DNS related settings, see “BAS Locator DNS Records” on page 60.
Automatic Registration
If automatic registration is not disabled in the governing GPO, DigitalPersona
Pro Server registers itself with DNS every time it starts, refreshes its
registration automatically at the specified interval, and unregisters itself
every time it stops.
When DigitalPersona Pro Server unregisters itself, it removes only the records it
has created during automatic registration. Records entered by the administrator
will be unaffected.
Warning
When DigitalPersona Pro Server refreshes (updates the DNS records), it
removes all of its records and registers again according to the current GPO
settings. If there is only one Pro Server covering a site for load-balancing, there
are a few milliseconds when there are no Pro Server records in the DNS server.
If a DigitalPersona Pro Workstation attempts to locate a Pro Server during that
period, it will not find the server, and the Workstation will perform the
Fingerprint registration and authentication locally. The Workstation will attempt
to automatically refresh its Pro Server cached information the next time it
performs registration or authentication, or every two hours, whichever comes
first.
Manual DNS Registration
If your DNS Server does not support dynamic registration, or if dynamic
registration is disabled through a DigitalPersona Pro GPO setting, an
administrator can manually register the Pro Servers by entering the DNS
resource records in the format shown above.
Note
You can view the default values of settings created during Pro Server setup by
opening the U.are.UPro.DNS file in Notepad. It is located in the Program Files\
DigitalPersona\bin folder.
To manually register a Pro Server
1 Open the DNS console and click on the Forward Lookup Zone.
2 Right-click on [domainname], and select Other New Records in the context
menu.
3 In the Resource Record Type dialog box, click on Service Location, and
then click the Create Record button.
4 In the New Resource Record dialog, apply the following values:
• Service: _uareupro
• Weight: 100
• Port Number: 0
• Host offering this service: domaincomputername.domainname.com
5 Click OK to save the settings and return to the main DNS console window.
6 Under the same [domainname], click on the _sites key.
7 Right-click on Default-First-Site-Name and select Other New Records
from the context menu.
8 Repeat steps 3 through 5 for each Pro server that you want to register.
Warning
If the SRV RRs are not added, either dynamically or manually, the
DigitalPersona Pro Workstation will not be able to find the Servers and will
perform fingerprint registration and authentication locally.
Improving Performance
The Priority and Weight settings can be modified to achieve better response time
and load-balancing in the _uareupro Properties dialog box, which is accessible
by double-clicking _uareupro in the DNS Console.
The _uareupro SRV RRs (Service Resource Records) can be found in the
following paths in the DNS Console:
• DNS/[DNS server]/Forward Lookup Zones/[domain]/_tcp
• DNS/[DNS server]/Forward Lookup Zones/[domain]/_sites/[site
name]/_tcp
If your DNS does not support dynamic registration, you will have to add these
SRV RRs manually. For your convenience, these entries are stored in a file,
UareUPro.DNS, which is located in the folder in which you installed
DigitalPersona Pro Server.
Configuring DNS Dynamic Registration
Additional parameters for configuring DNS registration are available in the
DigitalPersona Pro Administrative Template when added to the governing GPO.
For information on these settings, see “BAS Locator DNS Records” on page 60.
Uninstalling DigitalPersona Pro Server
DigitalPersona Pro Server can be uninstalled from the Add/Remove Programs
Control Panel in Windows if you have administrator privileges on the domain
on which Pro Server is installed. The software is listed as, “DigitalPersona Pro
Server for Active Directory version [version number].”
When you uninstall the Server software, the published information (described in
“Published Information” on page 43) and the DNS SRV RRs (described in
“DNS Registration” on page 44) are removed.
Although the Add/Remove Programs Control Panel uninstalls DigitalPersona
Pro Server software, the user data—such as fingerprint credentials and secure
application data—and global domain data remain in Active Directory.
DigitalPersona provides a DigitalPersona Pro Cleanup Wizard to remove this
data. See “Cleanup Wizard” on page 136 for details.
Chapter 5 - Installing DigitalPersona Pro Workstation
This chapter defines the hardware and software requirements for DigitalPersona
Pro Workstation, and provides instructions on the three types of installation that
can be used.
• Local installation from the product CD
• Remote Installation
• Command Line Installation
If DigitalPersona Pro Servers will be used for authentication, they should be
installed and configured before installing DigitalPersona Pro Workstation.
System Requirements
Before installing DigitalPersona Pro Workstation, make sure your system meets
the following minimum requirements:
• Windows 2000, XP Professional or 2003 Server
• 30 MB of free hard disk space
• High-encryption (128-bit) capability. This is built in to Windows XP
Professional, 2003 Server and the latest service packs for Windows 2000
Servers. If you need to install high encryption capability for an early
Windows 2000 OS, see the instructions on page 198.
• U.are.U 4000 and 4000B Fingerprint Reader or other supported third-party
swipe readers. For a list of supported readers, visit our Web site at:
http://www.digitalpersona.com/products/notebooks.php
Note
Some supported third-party fingerprint readers require the installation of their
drivers prior to installing DigitalPersona Pro Workstation. If your reader
requires this, you will find the driver on the product CD in the Redistr folder.
Local installation from the product CD
To install DigitalPersona Pro Workstation for Active Directory
1 Insert the DigitalPersona Pro Workstation for Active Directory CD in your
CD-ROM drive. If the installation wizard does not start automatically, locate
and double-click the Setup.exe file on the product CD.
2 When the Welcome page displays, click Next to proceed with the installation.
3 Read the License Agreement page. If you agree, select the I accept the
terms in the license agreement button and click Next.
4 On the next page, you can specify the folder that DigitalPersona Pro will be
installed in. If you want to install DigitalPersona Pro to the default location,
C:\Program Files\DigitalPersona\, click Next; otherwise, click
Browse to specify a new location and then click Next to continue.
5 Choose one of the following options to indicate the type of installation you
want to perform:
• Complete. Select Complete and click Next; the Complete installation installs
the One Touch Applications. Then click Next again.
• Custom. Select Custom and then click Next to specify the options to
install. Use the drop-down menu next to an installation option to exclude it
if you do not want to install it. You can also check how much disk space a
particular installation will require by clicking Disk Cost. To return the
installation option settings to the default settings, click Reset. When you
are finished, click Next to proceed.
6 When you click Next, the installer begins installing DigitalPersona Pro on
your computer.
7 If prompted to do so, plug the USB cable from the fingerprint reader into
your computer’s USB port.
8 When installation is finished, click Finish to close the installer. Click Yes
when prompted to restart the computer.
After the computer restarts, and at every subsequent restart, the Workstation
software automatically uses the default DNS Server to locate all DigitalPersona
Pro Servers for the domain and its site. If more than one Pro Server is found, the
Workstation will choose the Pro Server for authentication that offers the most
efficient connectivity. If no Pro Servers are found, DigitalPersona Pro
Workstation will perform authentication locally.
For instructions on using DigitalPersona Pro Workstation, see “DigitalPersona
Pro Workstation” on page 138.
Remote Installation
The installer for DigitalPersona Pro Workstation uses Microsoft Windows
Installer (MSI) technology, which allows administrators to remotely install or
uninstall the software using Active Directory administration tools, or other
software deployment tools.
To install Pro Workstation remotely through Active Directory
1 Launch the Active Directory Users and Computers administration tool.
2 On the context menu of a site, domain or Organizational Unit, click
Properties and then click the Group Policy tab.
3 Create a new Group Policy Object, or select an existing one, and click Edit
to launch the Group Policy Editor.
4 In the tree, select one of the following folders:
• For a computer-based policy, select Computer Configuration/
Software Settings/Software Installation.
• For a user-based policy, select User Configuration/Software
Settings/Software Installation.
5 Click Properties on the context menu of the Software Installation folder to
open the Software Installation Properties dialog box.
6 On the General tab, specify the default software distribution location in the
Default package location text box.
This must be a location on the network that is accessible by the domain
controller or computer on which you want to install the DigitalPersona Pro
Workstation software.
Also, specify the settings for all other options, such as new package and
installation user interface options. Click OK.
7 Right-click the right pane on the Group Policy Editor, point to New and then
click Package.
8 On the Deploy Software dialog box, select the appropriate deployment
option and click OK.
9 After setup is complete, assign the appropriate computers and users to Active
Directory containers that the installation GPO is associated with.
Command Line Installation
DigitalPersona Pro Workstation software can also be installed and uninstalled
using MSI via the command prompt.
The format of the msiexec command is shown below and is followed by a
description of the command line options, parameters and values it uses:
msiexec /i setup.msi INSTALLDIR=[directory] ADDLOCAL=[software]
REMOVE=[software] /qn
Command Line Options
There is one required and one optional command line option:
• /i indicates that MSI will be used to install DigitalPersona Pro software. It
must be immediately followed by the folder path and name of the .msi file
(setup.msi for DigitalPersona Pro Workstations and Servers) that contains the
software to install.
• /qn hides the user interface when installing the software on the computer,
allowing a “silent install.” If used, it is placed at the end of the command
line. This command line option is not required; however, it is recommended
by DigitalPersona for deploying software in the enterprise.
Parameters
Three parameters indicate where the software should be installed on the
computer, as well as what components should be included or removed:
• INSTALLDIR is an optional parameter that indicates where the DigitalPersona
Pro software components should be installed on the target computer. If a
folder is not specified, it defaults to:
C:\Program Files\DigitalPersona
• ADDLOCAL and/or REMOVE indicate which DigitalPersona Pro software
components to install or uninstall. They can be used together or
interchangeably; only one is required. Each parameter is followed by values
specified in the next section.
ADDLOCAL and REMOVE Parameter Values
The table below lists the ADDLOCAL and REMOVE parameter values and provides
a description of each:
Parameter Value    Description
All                Installs all DigitalPersona Pro software components or
                   removes all of the components that are currently installed.
Logon              Installs or removes the One Touch Logon application.
OTI                Installs or removes the One Touch Internet application.
Following are a few rules when using these parameters and their values:
• Individual software components cannot be installed unless the All value was
used with the ADDLOCAL parameter first.
• To install DigitalPersona Pro Workstation software for the first time while
omitting one or more software components, use ADDLOCAL=ALL, followed
by the REMOVE parameter with each software component you do not want to
install separated by a comma.
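The following Python function is an added example, not part of this guide or of the DigitalPersona installer: it assembles an msiexec command line from the options and parameters described above and enforces the rules in this section. The component values All, Logon and OTI are taken from the table; the value-quoting helper for paths with spaces is an assumption.

```python
# Added example (constructed, not DigitalPersona's tooling): build and check an
# msiexec command line for DigitalPersona Pro Workstation from the documented
# options (/i, /qn), parameters (INSTALLDIR, ADDLOCAL, REMOVE) and values.
from typing import Iterable, List, Optional

# Component values from the ADDLOCAL/REMOVE table; matched case-insensitively
# and passed through as written, since the guide uses both "All" and "ALL".
COMPONENTS = {"All", "Logon", "OTI"}
DEFAULT_INSTALLDIR = r"C:\Program Files\DigitalPersona"


def build_msiexec_command(
    msi_path: str,
    addlocal: Iterable[str] = (),
    remove: Iterable[str] = (),
    installdir: Optional[str] = None,
    silent: bool = True,
    first_install: bool = True,
) -> List[str]:
    """Return the msiexec command as an argument list, in the documented order.

    Rules enforced (from this section of the guide):
    - ADDLOCAL and/or REMOVE is required; only documented values are accepted.
    - Individual components cannot be installed until ADDLOCAL=All has been
      used, so a first install that omits components is ADDLOCAL=All plus
      REMOVE=<comma-separated list>.
    - /qn, when used, is placed at the end of the command line.
    """
    add = list(addlocal)
    rem = list(remove)
    if not add and not rem:
        raise ValueError("ADDLOCAL and/or REMOVE is required")
    known = {c.lower() for c in COMPONENTS}
    unknown = {v for v in add + rem if v.lower() not in known}
    if unknown:
        raise ValueError(f"unknown component value(s): {sorted(unknown)}")
    if first_install and add and "all" not in {v.lower() for v in add}:
        raise ValueError("components cannot be installed until ADDLOCAL=All is used")
    if add and "all" in {v.lower() for v in rem}:
        raise ValueError("REMOVE=All cannot be combined with ADDLOCAL")

    cmd = ["msiexec", "/i", msi_path]
    if installdir:
        cmd.append(f"INSTALLDIR={installdir}")
    if add:
        cmd.append("ADDLOCAL=" + ",".join(add))
    if rem:
        cmd.append("REMOVE=" + ",".join(rem))
    if silent:
        cmd.append("/qn")  # silent install, recommended for enterprise deployment
    return cmd


def format_command(args: List[str]) -> str:
    """Join the argument list into one line, quoting property values that
    contain spaces in the PROPERTY="value" form (assumed quoting convention)."""
    out = []
    for arg in args:
        if " " in arg:
            key, sep, val = arg.partition("=")
            arg = f'{key}="{val}"' if sep else f'"{arg}"'
        out.append(arg)
    return " ".join(out)


if __name__ == "__main__":
    # First-time install that omits One Touch Internet, to the default folder.
    print(format_command(build_msiexec_command(
        "setup.msi", addlocal=["All"], remove=["OTI"], installdir=DEFAULT_INSTALLDIR)))
```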
Uninstalling DigitalPersona Pro Workstation
You can remove the DigitalPersona Pro Workstation software using the Add or
Remove Programs Control Panel. The Workstation software is listed as
“DigitalPersona Pro Workstation for Active Directory version [version
number].”
You must have local administrative privileges to modify installations on the
computer.
Customizing a DigitalPersona Pro Workstation Installation
To customize an existing installation of DigitalPersona Pro Workstation, you
can add or remove One Touch Applications using the Add or Remove Programs
Control Panel. Follow the on-screen instructions in the Control Panel for adding
the One Touch Applications. By default, all applications are installed.
Part Three: Administration
Part Three of the DigitalPersona Pro for AD Administrator Guide includes the
following chapters:
Chapter Title / Purpose / Page
Configuring Policies & Settings (page 56)
  Defines the policies and settings that may be applied to Pro Servers and
  Workstations through installation of the DigitalPersona Pro Administrative
  Templates to an Active Directory GPO (Group Policy Object).
User Properties (page 72)
  Describes the Basic and Extended user settings that are available on the
  DigitalPersona Pro tab in the User Properties dialog of the Active Directory
  Users and Computers console.
DigitalPersona Pro Events (page 77)
  Lists and explains the events that DigitalPersona Pro writes to the Windows
  Event log.
Administration Tools (page 84)
  Provides complete instructions for using the Administration Tools provided
  with DigitalPersona Pro Server and Workstation.
DigitalPersona Pro Workstation (page 138)
  A guide for the administrator to the features of DigitalPersona Pro
  Workstation.
Chapter 6 - Configuring Policies and Settings
DigitalPersona Pro for AD provides a comprehensive set of policies and settings
that may be accessed through Active Directory.
These policies and settings are contained in two Administrative Templates
(DigitalPersonaProSvr.adm and DigitalPersonaProWksta.adm).
During deployment, the templates are added to specific Active Directory GPOs
(Group Policy Objects) according to instructions on page 36.
The Workstation template may also be added to a local policy object on a
standalone workstation that does not have access to Active Directory. See
“Install Workstation Template Locally” on page 41.
About DigitalPersona Pro Settings
The DigitalPersona Pro Administrative Template is added to both
Administrative Templates folders in the Computer Configuration and User
Configuration trees, and the settings are accessible from the Setting table.
All computer policies and settings can be accessed in the Group Policy Editor
tree from the path: Computer Configuration/Administrative Templates/
DigitalPersona Pro.
For local administrators of DigitalPersona Pro Workstation, the path is the same,
but the GPO is accessed from the Microsoft Management Console (MMC).
Each setting can be accessed in the Group Policy Editor (or MMC) by clicking
Properties on the context menu of the setting and then clicking the Policy tab on
the Properties dialog box.
GPO settings have three states: enabled, disabled and not configured.
By default, all settings are not configured. To override the default settings of
DigitalPersona Pro, each setting must be changed to enabled or disabled and, in
some cases, additional parameters must be supplied.
On the network, by default, changes made to existing GPOs may take as long as
90 minutes to refresh, plus a random offset of up to 30 minutes.
• GPOs applied to computers are refreshed during this time, as well as when
the computer is restarted.
• GPOs applied to users are refreshed every 90 minutes and when the user logs
on or off.
You can use the standard Windows methods of enforcing refresh of
DigitalPersona Pro GPOs without concern for disrupting DigitalPersona Pro
functionality on a computer.
For a description of each setting, click the Explain tab for a setting in the GPO
Properties dialog box, or refer to “DigitalPersona Pro Policies and Settings” on
page 58.
DigitalPersona Pro Policies and Settings
The following pages describe the policies and settings made available in Active
Directory through the DigitalPersonaPro Administrative Templates.
Settings in the following list are divided into the following categories:
Category / Svr-Wks / Description / Page
Event Logging (Both; page 59)
  Separate Event Logging settings are available for Pro Server and
  Workstation.
BAS Locator DNS Records (Svr; page 60)
  Contains settings that affect DNS registration, which is used to enable Pro
  Workstations to locate Pro Servers for authentication.
Fingerprint Verification Lockout (Svr; page 64)
  Used to unlock a user that has been locked out due to unsuccessful attempts
  at fingerprint authentication.
Fingerprint Recognition (Both; page 65)
  Contains settings concerning how fingerprint recognition is accomplished.
Workstation Only (Wks; page 67)
  Contains settings that affect the authorization and logon processes.
Workstation Properties (Wks; page 70)
  These settings determine the behavior and appearance of DigitalPersona Pro
  Workstation.
One Touch SignOn (Wks; page 71)
  These settings determine the behavior and appearance of the One Touch SignOn
  feature in DigitalPersona Pro Workstation.
For a complete alphabetical list of the policies and settings with references to
their Active Directory locations, see “DigitalPersona Pro Settings” on page 187.
Event Logging
This setting is included in both the server and workstation Administrative
Templates.
The Event Logging setting defines the level of detail for DigitalPersona Pro
Server and Workstation event logging in the Windows Event Log.
Logged events are accessible from the Windows Event Viewer. If this setting is
not configured, DigitalPersona Pro events are logged at the “Auditing” level.
Event logging must also be enabled in the Windows operating system to use this
setting.
For information on how events are logged and a detailed description of each
event, refer to “DigitalPersona Pro Events” on page 77.
BAS Locator DNS Records
BAS (Biometric Authentication Service) Locator DNS Records settings allow
registration of Biometric Authentication Service Locator DNS records. These
DNS records are dynamically registered by BAS and are used by DigitalPersona
Pro Workstation to locate BAS. The following BAS Locator settings are
included in the server Administrative Template.
Dynamic Registration of BAS Locator DNS Records
This setting determines if BAS performs dynamic registration of Biometric
Authentication Service (BAS) Locator DNS resource records.
• When enabled or not configured, computers to which this setting is applied
dynamically register BAS Locator DNS resource records through dynamic
DNS update-enabled network connections.
• When disabled, computers will not register BAS Locator DNS resource
records.
Refresh Interval of BAS Locator DNS Records
This setting specifies the Refresh interval of Biometric Authentication Service
(BAS) Locator DNS resource records for computers to which this setting is
applied. These DNS records are dynamically registered by BAS and are used by
DigitalPersona Pro Workstation to locate BAS.
• To specify the Refresh interval of BAS records, select Enabled, and then
specify a value in seconds (minimum is 1800).
• When disabled or not configured, computers will use a default value of 1800
seconds (30 minutes).
This setting may be applied only to computers using dynamic update.
Computers configured to perform dynamic registration of BAS Locator DNS
resource records periodically reregister their records with DNS servers, even if
their records’ data has not changed.
If authoritative DNS servers are configured to perform scavenging of the stale
records, this reregistration informs the DNS servers that these records are
current and should be preserved in the database.
If the DNS resource records are registered in zones with scavenging enabled, the
value of this setting should never be longer than the Refresh Interval configured
for these zones. Setting the Refresh interval of BAS Locator DNS records to
longer than the Refresh interval of the DNS zones may result in unwanted
deletion of DNS resource records.
Weight Set in BAS Locator DNS SRV Records
This setting specifies the Weight field in the SRV resource records registered by
Biometric Authentication Service (BAS) to which this setting is applied. These
DNS records are dynamically registered by BAS, and they are used to locate
BAS. The Weight field in the SRV record can be used in addition to the Priority
value to provide a load-balancing mechanism where multiple servers are
specified in the SRV records Target field and set to the same priority. The
probability with which the DNS client randomly selects the target host to be
contacted is proportional to the Weight field value in the SRV record.
• To specify the Weight in the BAS Locator DNS SRV records, select Enabled,
and then specify a value. The range of values is 0 to 65535.
• When disabled or not configured, computers use a default weight of 100.
Priority Set in BAS Locator DNS SRV Records
This setting specifies the Priority field in the SRV resource records registered by
Biometric Authentication Service (BAS) to which this setting is applied. These
DNS records are dynamically registered by BAS and are used by DigitalPersona
Pro Workstation to locate BAS. The Priority field in the SRV record sets the
preference for target hosts specified in the SRV record Target field. DNS clients
that query for SRV resource records attempt to contact the first reachable host
with the lowest priority number listed.
• To specify the Priority in the BAS Locator DNS SRV resource records, select
Enabled, and then specify a value. The range of values is 0 to 65535.
• When disabled or not configured, computers use a default value of 0.
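The Python below is an added example, not code from this guide or from DigitalPersona: it shows how a DNS client orders _uareupro SRV records using the Priority and Weight fields set by the two settings above (lowest priority first, then a random pick proportional to weight, the RFC 2782 rule the text describes), and what happens when no record answers. The record values and host names are constructed; the `reachable` callback stands in for the Workstation's connectivity check.

```python
# Added example (constructed, not DigitalPersona's client code): SRV target
# selection by Priority, then Weight, as a DigitalPersona Pro Workstation's
# DNS client would apply it to the _uareupro records.
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence


@dataclass(frozen=True)
class SrvRecord:
    """One _uareupro SRV record as the client sees it (owner and TTL omitted)."""
    priority: int  # lower values are tried first (policy default 0)
    weight: int    # share of picks among equal-priority records (default 100)
    port: int
    target: str    # DNS name of the Pro Server


def _order_with_rng(records: Sequence[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    remaining = list(records)
    ordered: List[SrvRecord] = []
    while remaining:
        lowest = min(r.priority for r in remaining)
        group = [r for r in remaining if r.priority == lowest]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                pick = rng.choice(group)  # all weights 0: no preference
            else:
                # Probability of a pick is proportional to its weight, so a
                # weight-0 record is never chosen while a weighted one remains.
                point = rng.randrange(total)
                acc = 0
                pick = group[-1]
                for r in group:
                    acc += r.weight
                    if point < acc:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
            remaining.remove(pick)
    return ordered


def order_targets(records: Sequence[SrvRecord], seed: Optional[int] = None) -> List[SrvRecord]:
    """Return the records in the order a client should try them."""
    return _order_with_rng(records, random.Random(seed))


def locate_pro_server(records: Sequence[SrvRecord], reachable: Callable[[str], bool],
                      seed: Optional[int] = None) -> Optional[str]:
    """First reachable target in preference order; None means no Pro Server
    could be located, the case in which the Workstation authenticates locally."""
    for r in order_targets(records, seed):
        if reachable(r.target):
            return r.target
    return None


def selection_shares(records: Sequence[SrvRecord], trials: int = 10000,
                     seed: int = 1) -> Dict[str, float]:
    """Empirical share of first picks per target, to see the Weight setting act."""
    rng = random.Random(seed)
    counts = {r.target: 0 for r in records}
    for _ in range(trials):
        counts[_order_with_rng(records, rng)[0].target] += 1
    return {t: c / trials for t, c in counts.items()}


if __name__ == "__main__":
    # Constructed records: two servers at priority 0 with weights 75 and 25,
    # and a backup at priority 10 that is only tried if both are unreachable.
    recs = [SrvRecord(0, 75, 0, "bas1.corp.example.com"),
            SrvRecord(0, 25, 0, "bas2.corp.example.com"),
            SrvRecord(10, 100, 0, "bas-backup.corp.example.com")]
    print(selection_shares(recs[:2]))
    print(locate_pro_server(recs, lambda host: host.startswith("bas-backup")))
```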
Automated Site Coverage by BAS Locator DNS SRV Records
This setting determines whether Biometric Authentication Service (BAS) will
dynamically register BAS Locator site-specific SRV records for the closest sites
where no BAS for the same domain exists.
These DNS records are dynamically registered by BAS, and used by
DigitalPersona Pro Workstation to locate BAS.
• When enabled, the computers to which this setting is applied dynamically
register BAS Locator site-specific DNS SRV records for the closest sites
where no BAS for the same domain exists.
• When disabled or not configured, the computers will not register site-specific
BAS Locator DNS SRV records for any other sites but their own.
Sites Covered by BAS Locator DNS SRV Records
This setting specifies the sites for which the domain Biometric Authentication
Service (BAS) registers the site-specific BAS Locator DNS SRV resource
records.
These records are registered in addition to the site-specific SRV records
registered for the site where BAS resides, and records registered by a BAS
configured to register BAS Locator DNS SRV records for those sites without a
BAS that are closest to it. The BAS Locator DNS records are dynamically
registered by BAS, and they are used to locate BAS. An Active Directory site is
one or more well-connected TCP/IP subnets that allow administrators to
configure Active Directory access and replication.
• To specify the sites covered by the BAS Locator DNS SRV records, select
Enabled, and then specify the sites names in a space-delimited format. The
site names have the following format, in which the <site name> component
must be present and the <priority> and <weight> components are optional.
The <priority> and <weight> components must be a numeric string value.
<site name>:<priority>:<weight>
• When disabled or not configured, no site-specific SRV records will be
registered.
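The following Python is an added example and not DigitalPersona's code: it parses a Sites Covered value in the space-delimited <site name>:<priority>:<weight> format above and emits the records one Pro Server would register, in the zone-file layout given under "DNS Registration" (TTL 600, port 0). It also serves the manual registration procedure in that section, since it produces the exact records an administrator would enter. Assumptions: a covered site whose entry omits priority or weight inherits the server's own Priority and Weight settings (defaults 0 and 100); domain and host names are constructed.

```python
# Added example (constructed, not DigitalPersona's code): parse "Sites Covered"
# entries and generate the _uareupro SRV records in the guide's zone layout.
import re
from dataclasses import dataclass
from typing import List

SERVICE = "_uareupro._tcp"
TTL = 600          # TTL shown in the guide's record format
PORT = 0           # port field shown in the guide's record format
DEFAULT_PRIORITY = 0
DEFAULT_WEIGHT = 100
_NUMERIC = re.compile(r"[0-9]+")


@dataclass(frozen=True)
class SiteEntry:
    name: str
    priority: int
    weight: int


def _parse_field(text: str, field: str, default: int) -> int:
    """Parse an optional numeric SRV field, enforcing the 0..65535 range."""
    if text == "":
        return default
    if not _NUMERIC.fullmatch(text):
        raise ValueError(f"{field} must be a numeric string, got {text!r}")
    value = int(text)
    if value > 65535:
        raise ValueError(f"{field} {value} is outside 0..65535")
    return value


def parse_sites_covered(value: str, default_priority: int = DEFAULT_PRIORITY,
                        default_weight: int = DEFAULT_WEIGHT) -> List[SiteEntry]:
    """Parse e.g. 'Boston Dallas:10 Seattle:10:50' into SiteEntry objects.

    Entries are space-delimited; <site name> is required, <priority> and
    <weight> are optional ('Site::50' keeps the default priority, sets weight).
    """
    entries: List[SiteEntry] = []
    for token in value.split():
        parts = token.split(":")
        if len(parts) > 3 or parts[0] == "":
            raise ValueError(f"malformed site entry {token!r}")
        parts += [""] * (3 - len(parts))
        entries.append(SiteEntry(
            parts[0],
            _parse_field(parts[1], "priority", default_priority),
            _parse_field(parts[2], "weight", default_weight),
        ))
    return entries


def srv_record(owner: str, priority: int, weight: int, target: str) -> str:
    """One record in the layout the guide gives for the _uareupro SRV RRs."""
    return f"{owner} {TTL} IN SRV {priority} {weight} {PORT} {target}"


def bas_locator_records(domain: str, server: str, own_site: str, sites_covered: str = "",
                        register_domain: bool = True, priority: int = DEFAULT_PRIORITY,
                        weight: int = DEFAULT_WEIGHT) -> List[str]:
    """Records one Pro Server registers: the domain-wide record (unless the
    domain setting is disabled), its own site, and each Sites Covered entry.
    Duplicate owners (a covered site equal to the server's own) are skipped."""
    records: List[str] = []
    seen = set()

    def add(owner: str, prio: int, wt: int) -> None:
        if owner.lower() not in seen:
            seen.add(owner.lower())
            records.append(srv_record(owner, prio, wt, server))

    if register_domain:
        add(f"{SERVICE}.{domain}", priority, weight)
    add(f"{SERVICE}.{own_site}._sites.{domain}", priority, weight)
    for site in parse_sites_covered(sites_covered, priority, weight):
        add(f"{SERVICE}.{site.name}._sites.{domain}", site.priority, site.weight)
    return records


if __name__ == "__main__":
    # Constructed domain, server and site names.
    for line in bas_locator_records("corp.example.com", "bas1.corp.example.com",
                                    "Default-First-Site-Name", "Boston:5 Dallas::50"):
        print(line)
```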
Register BAS Locator DNS SRV Record for Domain
This setting determines whether the Biometric Authentication Service (BAS)
dynamically registers the BAS Locator domain-specific SRV record for the domain
it belongs to.
The DNS records are dynamically registered by BAS and are used by
DigitalPersona Pro Workstation to locate BAS.
• When enabled or not configured, the computers to which this setting is
applied dynamically register BAS Locator domain-specific DNS SRV records.
• When disabled, computers do not register the domain-specific BAS Locator
DNS SRV record for the domain they belong to and register only site-specific
records.
Fingerprint Verification Lockout
These settings are installed with the Server Administrative Template, and are
located in Computer Configuration/Administrative Templates/
DigitalPersonaPro/DigitalPersonaPro Server/Fingerprint Verification Lockout.
The DigitalPersona Pro account lockout is separate from, and does not affect,
the Microsoft account lockout; the two are managed independently. For a user to
log on by fingerprint, the account must not be locked under either mechanism.
A user who is locked out of fingerprint logon only can still log on to Windows
by typing their password.
To unlock a locked user account, see page 75.
The following table describes the setting options.

Setting                               Description                                            Default Value
Account lockout threshold             Number of failed attempts allowed before the           0 (Do not lock out.)
                                      account is locked
Reset account lockout counter after   Length of time the counter tracks the number of        5 minutes
                                      failed attempts
Account lockout duration              Length of time the account is locked before the user   30 minutes
                                      can attempt to log on again
Each Authentication Server in the domain maintains its own lockout counters
per user account. When an account is locked out due to failed fingerprint
attempts, the following occurs:
• The Logon dialog displays the account locked out message.
• The locked account information is replicated during the next replication
interval in Active Directory.
• A record is added to the DigitalPersona Pro event log.
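The following Python, added here as an illustration and not part of the guide or the product, models one Authentication Server's lockout counter driven by the three settings in the table. Two points the table leaves open are modelled as assumptions: the counter is reset once the reset time has elapsed since the most recent failure (as Windows account lockout does), and the attempt that reaches the threshold is the one that locks the account. The account name and timeline in the demonstration are constructed.

```python
"""Per-server model of the fingerprint verification lockout described above.
Added example, not DigitalPersona code. Times are seconds on one clock."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int = 0           # failed attempts before lock; 0 = never lock (default)
    reset_after: int = 5 * 60    # counter reset time (default 5 minutes)
    duration: int = 30 * 60      # lockout duration (default 30 minutes)


@dataclass
class _Counter:
    failures: int = 0
    last_failure: Optional[int] = None
    locked_until: Optional[int] = None


class FingerprintLockout:
    """The counters of one Authentication Server. The guide says each server
    keeps its own counters, so a lock reached on one server is seen by the
    others only after the locked state replicates through Active Directory."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._counters: Dict[str, _Counter] = {}

    def _counter(self, account: str) -> _Counter:
        return self._counters.setdefault(account.lower(), _Counter())

    def is_locked(self, account: str, now: int) -> bool:
        c = self._counter(account)
        if c.locked_until is not None and now >= c.locked_until:
            # Lockout duration elapsed: fingerprint logon is possible again and
            # the failure counter starts from zero.
            self._counters[account.lower()] = _Counter()
            return False
        return c.locked_until is not None

    def verify(self, account: str, matched: bool, now: int) -> str:
        """Outcome of one verification attempt: 'locked' (refused without being
        counted), 'accepted', 'rejected', or 'locked_out_now' (this failure
        reached the threshold)."""
        if self.is_locked(account, now):
            return "locked"
        c = self._counter(account)
        if matched:
            c.failures, c.last_failure = 0, None
            return "accepted"
        # Assumption (as in Windows account lockout): the counter is reset once
        # the reset time has passed since the most recent failure.
        if c.last_failure is not None and now - c.last_failure >= self.policy.reset_after:
            c.failures = 0
        c.failures += 1
        c.last_failure = now
        # Assumption: the attempt that reaches the threshold locks the account.
        if self.policy.threshold and c.failures >= self.policy.threshold:
            c.locked_until = now + self.policy.duration
            return "locked_out_now"
        return "rejected"

    def admin_unlock(self, account: str) -> None:
        """Effect, for this server's view, of clearing 'Account is locked out
        from use of fingerprint credentials' in User Properties."""
        self._counters.pop(account.lower(), None)


if __name__ == "__main__":
    server = FingerprintLockout(LockoutPolicy(threshold=3))
    for t in (0, 10, 20, 30):                   # constructed timeline, seconds
        print(t, server.verify("CORP\\alice", matched=False, now=t))
    print(1820, server.is_locked("CORP\\alice", now=1820))
```

Because counters are per server, a user (or an attacker presenting impostor samples) can reach threshold minus one failures against each server separately before any lock is replicated; the lockout threshold should be read with the number of Authentication Servers in mind.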
Fingerprint Recognition
There are three Fingerprint Recognition settings, located in the Computer
Configuration/Administrative Templates/DigitalPersonaPro folder under either
DigitalPersonaPro Server/Fingerprint Registration or DigitalPersonaPro
Workstation/Fingerprint Registration.
Two of the settings are installed through either the Server or Workstation
Administrative Template:
• False accept rate used in fingerprint verification
• Maximum number of registered fingerprints per user
A third setting is installed as part of the Workstation Administrative
Template only:
• Use Basic Template Format
In the Active Directory Users and Computers tool, the settings are:
False Accept Rate Used in Fingerprint Verification
This setting specifies the False Accept Rate for fingerprint verification. The
False Accept Rate (FAR) is the mathematical probability (1:n) of two different
fingerprints being falsely matched.
The value of n, specified in the Value: (one in) text box, sets how strict
verification is. The higher the value of n, the less likely it is that a
fingerprint from a different finger is falsely accepted. For example, setting
n to 10,000 means that, on average, one impostor comparison in every 10,000 is
expected to be falsely accepted; setting n to 100,000 lowers that to one in
100,000.
Particularly high values of n make false rejection of the genuine finger more
likely, because the matcher demands a closer match.
If this setting is not configured, the default value of one in 100,000 is used. The
maximum value for n is one in 1,000,000; the minimum is one in 1,000.
Note
False Reject Rates and False Accept Rates are only probabilistic estimates and
not indicators of actual performance in a given deployment. Visit the
DigitalPersona Web site (http://www.digitalpersona.com) for more information.
To estimate the likelihood of false rejects and false accepts, DigitalPersona
recommends following the guidelines described in “Best Practices in Testing
and Reporting Performance of Biometric Devices: Version 2.01,” by A. J.
Mansfield and J. L. Wayman, NPL Report CMSC 14/02, 2002, defining a
transaction as three verification attempts and assuming a single comparison of a
verification template against a single registration template.
Maximum Number of Registered Fingerprints Per User
This setting determines the maximum number of fingers that a user can register.
The value for this setting specified in the Maximum Number of Fingerprints Per
User text box influences both the speed of authentication and the probability of
false accepts. For example, the more fingerprints a user registers, the more time
it takes to authenticate or identify the user. Also, more comparisons increase the
likelihood of false acceptance of the fingerprint. To increase security and
maximize server efficiency, users should be allowed to register a maximum of
two fingers.
The maximum and default value is ten registered fingers. The minimum value is
zero.
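The arithmetic behind the two preceding settings, as an added example that is not part of the guide: the FAR setting gives the probability of a false accept per single comparison, and the number of registered fingerprints (and the three attempts per transaction in the NPL guidance cited above) multiplies the number of comparisons an impostor gets. The model assumes each comparison is an independent trial with probability 1/n, which is a back-of-envelope estimate and not a measured figure; the bounds 1:1,000 to 1:1,000,000 and the maximum of ten fingers are taken from the settings.

```python
"""Back-of-envelope False Accept Rate arithmetic for the FAR and maximum
registered fingerprints settings. Added example, not from the guide.
Assumption: every template comparison is an independent trial that falsely
accepts an impostor with probability 1/n."""
import math

FAR_MIN_N, FAR_MAX_N, FAR_DEFAULT_N = 1_000, 1_000_000, 100_000  # setting bounds/default
MAX_FINGERS = 10                                                  # setting maximum/default


def _check_n(one_in_n: int) -> None:
    if not FAR_MIN_N <= one_in_n <= FAR_MAX_N:
        raise ValueError(f"FAR must be between 1:{FAR_MIN_N} and 1:{FAR_MAX_N}")


def transaction_far(one_in_n: int, templates: int, attempts: int = 3) -> float:
    """Probability that an impostor transaction is falsely accepted at least once.
    templates: registration templates the live sample is compared against
               (at most 'Maximum Number of Registered Fingerprints Per User')
    attempts : verification attempts per transaction; the NPL best-practice
               report the guide cites defines a transaction as three."""
    _check_n(one_in_n)
    if not 1 <= templates <= MAX_FINGERS or attempts < 1:
        raise ValueError("templates must be 1..10 and attempts >= 1")
    comparisons = templates * attempts
    # 1 - (1 - p)^k, via log1p/expm1 so tiny p keeps its precision
    return -math.expm1(comparisons * math.log1p(-1.0 / one_in_n))


def as_one_in(probability: float) -> int:
    """Express a probability as the n of '1 in n', rounded."""
    return round(1.0 / probability)


def required_n(target_one_in: int, templates: int, attempts: int = 3) -> int:
    """Smallest per-comparison n that keeps the transaction-level FAR at or
    below 1:target_one_in. A result above FAR_MAX_N means the setting cannot
    reach that target for this many comparisons."""
    comparisons = templates * attempts
    per_comparison = -math.expm1(math.log1p(-1.0 / target_one_in) / comparisons)
    return math.ceil(1.0 / per_comparison)


if __name__ == "__main__":
    for fingers in (1, 2, MAX_FINGERS):
        far = transaction_far(FAR_DEFAULT_N, fingers)
        print(f"{fingers:2d} finger(s), 3 attempts at 1:{FAR_DEFAULT_N}: "
              f"about 1 in {as_one_in(far)}")
    print("n for 1:100,000 per transaction with 2 fingers:", required_n(100_000, 2))
    print("n for 1:100,000 with 10 fingers (exceeds 1:1,000,000):", required_n(100_000, 10))
```

At the default 1:100,000, two registered fingers and three attempts give a transaction-level FAR near 1:16,700, and ten fingers near 1:3,300; holding 1:100,000 per transaction with ten fingers would need a per-comparison setting beyond the 1:1,000,000 maximum, which is the quantitative reason behind the guide's two-finger recommendation.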
Use Basic Template Format
This setting determines whether the Basic Template Format (BTF) or Extended
Template Format (XTF) is used for fingerprint registration templates.
XTF is the default template format, providing optimal recognition performance,
especially for users with poor quality fingerprints. If you have space constraints,
you may want to consider using the BTF template since the size of each
template (550 bytes) is about 1/3 the size of the XTF template (1.5 kb). If not
configured, XTF is used.
Workstation Only
The following settings are included in the Workstation Administrative Template.
Warning
When setting the logon policy for Pro Workstations, be aware of the following:
• Certain combinations of policy settings, in particular the “Fingerprint
only” and “Fingerprint and Password” logon policies, may temporarily prevent
a user from logging on to their computer.
• Do not select a logon authentication policy requiring the user to type a
password if password randomization has been enabled for that user.
• If cached credentials are disabled and the logon policy is “Fingerprint only”
or “Fingerprint and Password,” the user will not be able to log on to the
computer if it is disconnected from the network or Pro Server is unavailable.
Refer to “Cached Credentials” on page 154 for more information on cached
credentials.
Use DigitalPersona Pro Server for authentication
This setting determines whether DigitalPersona Pro Workstation will use
DigitalPersona Pro Server for fingerprint registration and authentication or
perform these operations locally instead.
• When enabled (the default) or not configured, Pro Workstation will look for
an available Pro Server for authentication, and if not found, will perform
authentication locally.
• When disabled, Pro Workstation will always perform authentication locally,
whether a Pro Server is accessible or not.
Cache Domain User Data on Local Computer
This setting determines if domain user credentials are cached on DigitalPersona
Pro Workstations.
• When enabled (the default) or not configured, user data (fingerprint
templates and secure application data) of domain users is cached locally on
the computer, meaning that domain users are still able to use fingerprints if
the DigitalPersona Pro Server cannot be located. This is a convenient but less
secure option.
• When disabled, users may only use fingerprints when DigitalPersona Pro
Server is accessible. Data of local users is always stored on the local
computer.
Maximum Size of Identification List
The identification list contains an administrator-specified number of user
accounts. It is used in conjunction with cached credentials to identify a user by
their fingerprint and, as an added convenience, frees them from typing their user
name and domain at Windows logon.
• Enable this setting to specify the maximum number of users the
identification list can hold on a particular computer. Type the number of
users in the Maximum size of identification list text box. While the number
of credentials that can be cached is virtually unlimited, the maximum number
of users that can be added to the identification list is 20; the minimum is 0.
• When disabled or not configured, the default value of 5 is used.
Users are added to the identification list in the order they log on. The most
recent user to log on is added to the top of the list. If the list has exceeded its
capacity, the least recent user to log on is removed from the list when another
user logs on. If a user is already on the list and logs on again, they are moved
from their original position on the list and placed on top.
Once removed, a user can still use their cached credentials (if enabled), but they
must type their user name and domain manually.
If DigitalPersona Pro is deployed in a networked environment with Pro Server
support, it performs identification locally out of the set of users in the
identification list and then, for added security, confirms the user identity using
the DigitalPersona Pro Server.
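The list behaviour described above is a most-recently-used list with a capped size, shown here in Python as an added example (not DigitalPersona code): a logon moves the user to the top, a new user past capacity evicts the least recent one, and a size of 0 retains nobody. Account names are compared case-insensitively because Windows account names are; the DOMAIN\user strings in the demonstration are constructed.

```python
"""Model of the Pro Workstation identification list described above.
Added example, not DigitalPersona code."""
from collections import OrderedDict
from typing import List, Optional

MIN_SIZE, MAX_SIZE, DEFAULT_SIZE = 0, 20, 5   # bounds and default of the setting


class IdentificationList:
    """Users who can be identified by fingerprint alone at logon, without
    typing user name and domain, on one computer."""

    def __init__(self, max_size: Optional[int] = None) -> None:
        if max_size is None:              # setting disabled or not configured
            max_size = DEFAULT_SIZE
        if not MIN_SIZE <= max_size <= MAX_SIZE:
            raise ValueError(f"maximum size must be {MIN_SIZE}..{MAX_SIZE}")
        self.max_size = max_size
        self._users: "OrderedDict[str, str]" = OrderedDict()  # least recent first

    def record_logon(self, account: str) -> Optional[str]:
        """Apply one successful logon. Returns the account evicted, if any."""
        if self.max_size == 0:
            return account                # a zero-sized list never retains anyone
        key = account.lower()             # Windows account names are case-insensitive
        if key in self._users:
            self._users.move_to_end(key)  # already listed: moved to the top
            self._users[key] = account
            return None
        self._users[key] = account
        if len(self._users) > self.max_size:
            _, evicted = self._users.popitem(last=False)  # least recent logon
            return evicted
        return None

    def members(self) -> List[str]:
        """Accounts from most to least recent logon."""
        return list(self._users.values())[::-1]

    def can_identify(self, account: str) -> bool:
        """True if a touch alone identifies this account here. An evicted user
        must type user name and domain again; cached credentials, if enabled,
        still let them log on."""
        return account.lower() in self._users


if __name__ == "__main__":
    idl = IdentificationList(3)
    for who in ("CORP\\alice", "CORP\\bob", "CORP\\carol", "CORP\\alice", "CORP\\dave"):
        print(f"{who:12s} evicts {idl.record_logon(who)!r:14s} -> {idl.members()}")
```

Keeping the list small is not only a usability choice: local identification compares the sample against every cached template in the list (one-to-many), so the list size multiplies the false-accept exposure in the same way extra registered fingers do, before the server confirms the match one-to-one.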
Multi-credential Logon to Windows
These logon settings determine the credentials required to log on to Windows.
The default settings allow a fingerprint or a password or a smart card for logon.
The following is the list of settings in DigitalPersona Pro for logon to Windows
XP and 2000:
• User must provide a fingerprint to log on
When checked, the user must provide the fingerprint in addition to the
Windows logon credentials (smart card or password according to the
Windows policy setting).
• Password is not allowed for logon
When checked, users are not allowed to use their Windows password to log
on to computers with DigitalPersona Pro installed, and must use a fingerprint
or smart card instead. They can still log on with their password to
workstations where DigitalPersona Pro is not installed.
To prevent a user from logging on to any workstation, regardless of whether
or not DigitalPersona Pro is installed, see the “Randomize user’s Windows
password” setting in the User Properties chapter (page 73).
• PIN is required when a fingerprint is provided
When checked, the user must provide a PIN code whenever the fingerprint is
used to log on, to unlock the computer or to change the Windows password.
The fingerprint PIN option provides additional security. See “One Touch
Features” on page 158.
• Fingerprint is allowed to unlock the smart card
When checked, the user can use the fingerprint to unlock the smart card
instead of typing the PIN for the smart card.
Workstation Properties
The following settings are installed as part of the DigitalPersona Pro
Workstation Administrative Template, and are enabled by default. They can be
found in the User Configuration/Administrative Templates/DigitalPersona Pro/
DigitalPersona Pro Workstation/Workstation Properties folder.
These settings determine certain properties of DigitalPersona Pro that affect the
usability of DigitalPersona Pro Workstation.
Show One Touch Menu upon fingerprint validation. Controls whether or not
the One Touch Menu appears when users touch the fingerprint reader with a
registered finger.
• When enabled, the One Touch Menu is always displayed upon fingerprint
validation, and cannot be overridden by the end user. Fingerprint validation
refers specifically to authentication of a registered fingerprint, and not to
Quick Actions (see page 17 for the definition).
• If you disable this policy, the One Touch Menu is not displayed upon
fingerprint authentication and cannot be assigned to a Quick Action. This
cannot be overridden by the end user.
• If this policy is not configured, the One Touch Menu is displayed upon
fingerprint validation, but end users can override the behavior through the
DigitalPersona Workstation Properties dialog.
Allow OneTouch Internet. One Touch Internet allows users to create their own
fingerprint logons for Web sites and programs.
• When enabled or not configured, the One Touch Internet feature is available
to users.
• When disabled, this setting prevents use of One Touch Internet.
Show fingerprint icon on the taskbar. When the fingerprint icon is shown on
the taskbar, users can right-click on the icon to access various properties of
DigitalPersona Pro.
• When enabled, the fingerprint icon is shown on the taskbar.
• When disabled, the fingerprint icon does not display on the taskbar.
• When not configured, the fingerprint icon is shown on the taskbar, but end
users can change this in the DigitalPersona Pro Properties dialog.
One Touch SignOn
One Touch SignOn settings are included in the Workstation Administrative
Template.
These settings are enabled by default, and configure the way that end users
interact with the One Touch SignOn feature.
• Show clear text passwords. Enable this option to show password field
values to the end user when they are prompted to provide a password.
• Allow users to edit account data. When enabled, this option permits end
users to change the values of logon screen fields by clicking the reader icon
located in the title bar of the logon screen.
• Allow users to add account data. This option allows end users to add
account data fields for Web sites and applications from their computers.
• Allow users to delete account data. Allows end users to remove account
data from a template.
Path to the container of templates. Specify the path to the container in the
Container Path field to provide access to the templates it contains for
DigitalPersona Pro Workstation users. The container path is determined when
creating a new container, as described in “Create an OTS Container” on page 95.
You can add multiple paths by separating them with the pipe (|) character.
User Properties
In addition to the settings available through the Administrative Templates,
installation of DigitalPersona Pro Server automatically adds the DigitalPersona
Pro tab to the User Properties settings in the Active Directory Users and
Computers console.
User Properties can also be enabled on a standalone DigitalPersona Pro
Workstation by adding the User Properties snap-in to the local policy object.
For complete details on DigitalPersona Pro User Properties, see “User
Properties” on page 72.
Chapter 7 - User Properties
Installation of DigitalPersona Pro Server automatically adds the DigitalPersona
Pro tab to the User Properties settings in the Active Directory Users and
Computers console.
You can apply user properties in order to increase the overall level of security
for your network while at the same time maintaining flexible options for
individual users.
For example, you can set a stricter multi-credential requirement for all users in
an organization, but then, for a particular user who may be having difficulties
with fingerprint registration, you can lower the requirements. User Properties
override any computer policies that have been set.
User properties allow you to configure fingerprint logon settings and restore the
use of fingerprints for a user after the account has been locked due to failed
fingerprint attempts.
To access User Properties:
1 Launch the Active Directory Users and Computers console and open the Users
folder.
2 Right-click on a specific user name, select Properties and click the
DigitalPersona Pro tab.
Basic User Properties
User-level settings are available in two varieties, Basic and Extended. The
Basic User Policies are included with the DigitalPersona Pro Server. The
Extended Server Policy Module is available from your DigitalPersona Account
Manager or product Reseller.
The Basic User Policies are:
• User provides only Windows credentials to log on
When this option is set, the user will not be subject to any logon policy from
DigitalPersona Pro. Users will be able to logon with password or smart card
as defined by the Windows logon settings. By default this setting is turned
off.
• Randomize user’s Windows password
When this option is set, DigitalPersona Pro replaces the user’s Windows
password with a random value as soon as you click OK on this dialog box. Since
the user no longer knows the password, they are effectively blocked from
logging on to the network with a password from any computer, including those
where the Pro software is not installed; the fingerprint or the smart card, if
available, must be used instead.
By default this setting is turned off.
• Account is locked out from use of fingerprint credentials
This setting is only for unlocking accounts that have been locked out due to
failed logon attempts. If the account is unlocked, the check box is disabled.
For instructions on unlocking an account, see page 75.
Note that this setting cannot be used by an administrator to lock an account.
Warning
Do not enable password randomization with incompatible logon authentication
policies, such as “Fingerprint and Password,” as users will be unable to log on.
Extended User Policies
The Extended User-level policies are included in a separate product module,
the DigitalPersona Pro Extended Server Policy Module, available as a separately
purchased product from your DigitalPersona Account Manager or product Reseller.
Extended policies allow additional biometrically-enabled logon policies at the
user level, adding the following settings to the DigitalPersona Pro tab in the
Active Directory Users and Computers console, in addition to those described in
the previous topic.
• User must type a PIN when providing a fingerprint to log on
When this option is enabled, the user must provide a PIN code whenever the
fingerprint is used to log on, to unlock the computer or to change Windows
password. The fingerprint PIN option provides additional security to the
logon with the fingerprint.
• User must provide a fingerprint to log on
The user must verify the fingerprint credential in addition to the Windows
authentication (smart card or password according to the Windows policy
setting).
In order to install the Extended Server Policy Module, the User Properties
Snap-in must already be installed.
Note
If the Extended Server Policy Module is uninstalled, only the original Basic
User Policy settings will be displayed. If the Administration Tools package is
uninstalled, the Extended Server Policy Module will be uninstalled as well.
Unlocking Accounts after Failed Logon Attempts
You can unlock an account that has been locked out of fingerprint authentication
due to the user reaching the threshold number for failed fingerprint attempts.
You must have permissions to access the user account. When an account is
unlocked by an administrator, the account becomes immediately available for
fingerprint authentication from all computers, or after the next replication
interval if there are multiple domain controllers.
The administrator can also make the lockout policy less strict by shortening
the lockout duration or the counter reset time.
To unlock a locked account
1 In Active Directory Users and Computers, right-click on the user name,
and select Properties.
2 Click the DigitalPersona Pro tab.
3 Click the Account is locked out from use of fingerprint credentials check
box to unselect it. This check box is for unlocking accounts and cannot be
checked by an administrator to lock an account. If the account is unlocked,
the check box is disabled.
4 Click OK to close the dialog box and save the changes.
Deleting User Credentials using the ADSI Edit Tool
You can remove Pro user credential data for a specified user from Active
Directory by using the ADSI Edit tool included with Windows 2000 and 2003
Server.
To remove user credential data
1 On the Start menu, point to Programs, then Windows 2000 Support Tools, then
Tools, and click ADSI Edit.
2 In the tree on the ADSI Edit tool, locate the user account and, on its shortcut
menu, click Properties.
3 On the Select a property to view drop-down menu, click
dpUserCredentialsData.
4 Click the Clear button to remove the user credential data.
Chapter 8 - DigitalPersona Pro Events
DigitalPersona Pro for AD writes all authentication and user record
modification events to the Windows Event Log with a date and time stamp.
You can view when users have attempted to access networked computers,
password-protected applications and Web sites using Pro authentication, as well
as whether the attempt succeeded or failed.
For a list of events and the logs that the events are stored in, see “Event Log
Specifications” on page 79.
Auditing Using the Windows Event Viewer
Administrators can view, filter, sort, and export all log events from the Event
Viewer. This aids administrators in securing data and networks for meeting
compliance requirements for Sarbanes-Oxley, Gramm-Leach-Bliley, and
HIPAA.
Filtering DigitalPersona Pro Events in Event Viewer
You can specify a filter that limits the type of information the Event Viewer
displays to only DigitalPersona Pro events.
To filter DigitalPersona Pro events in the Event Viewer
1 To launch the Event Viewer, click Start, point to Programs, point to
Administrative Tools and then click Event Viewer.
2 In the console tree, right-click the log containing the specific DigitalPersona
Pro events you want to view and then click Properties.
3 Click the Filter tab.
4 Use the Filter tab to specify the criteria, such as the event ID or category, that
you want to filter on. Use “DigitalPersona Pro audit” as the event source.
5 Click OK to display the DigitalPersona Pro events matching the criteria you
specified in the Event Viewer.
Finding DigitalPersona Pro Events with Event Viewer
You can use the Event Viewer to search for DigitalPersona Pro events. This may
be useful when you are viewing large logs.
To find a specific DigitalPersona Pro event
1 Click Start, point to Programs, point to Administrative Tools and then
click Event Viewer to launch it.
2 On the View menu, click Find.
3 Type the search criteria (specifying, “DigitalPersona Pro Audit,” as the event
source) in the dialog box and click Find Next.
The events matching the search criteria you specified are displayed in the
Event Viewer.
4 Click Close when you are finished.
Event Log Specifications
There are several categories of DigitalPersona Pro events, which are logged in
the Windows Event Log.
• Computer Environment
• General Secret Management
• Fingerprint/Credentials Management
• User Management
• Logon/Lock
• DNS Registration
• One Touch SignOn
The following tables give the Event name, type, error level, and whether the
event is logged on the Server or Workstation or both.
Computer Environment
The following events relate to the general computer environment.

Event                            Type   Srv level   Wks level
Reader connected                 I      ?           Dbg
Reader disconnected              I      ?           Dbg
DPHost started                   I      Dt          Dt
DPHost stopped                   I      Dt          Dt
DPHost cannot start              F      E           E
Connection to server succeeded   S      ?           Dt
Connection to server failed      W      ?           Dt
Server busy                      E      E           E

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details
? = no server-side level is given in the source for this row; the four server
entries the source does give (Dt, Dt, E, E) are placed on the DPHost and Server
busy rows, the events a server itself raises.
General Secret Management
The following events may be generated during the management of secrets.

Event                                           Type   Srv level   Wks level
Add secret (Success)                            S      A           A
Add secret (Failure)                            F      A           A
Delete secret (Success)                         S      A           A
Delete secret (Failure)                         F      A           A
Replace secret (Success)                        S      A           A
Replace secret (Failure)                        F      A           A
Secret content released (Logon & OTS secrets)   S      A           A
Secret consistency check failed                 E      A           A
Secret signature check failed                   E      A           A

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details
Fingerprint/Credentials Management
The following events may be generated during fingerprint/credentials
management.

Event                               Type   Srv level   Wks level
Register fingerprint (Success)      S      A           A
Register fingerprint (Failure)      F      A           A
Delete fingerprint(s) (Success)     S      Dt          Dt
Delete fingerprint(s) (Failure)     F      Dt          Dt
Replace fingerprint(s) (Failure)    F      A           A
Delete All fingerprints (Success)   S      Dt          Dt
Delete All fingerprints (Failure)   F      Dt          Dt

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details
Fingerprint/Credentials Management
The following events may be generated during the fingerprint credentials
management process.

Event                      Type   Srv level   Wks level
Match one-to-one failed    F      A           A
Match one-to-many failed   F      ?           A
Account locked out         F      Dt          Dt
DPHost stopped             I      ?           ?

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details
? = no level is given in the source for this row. The source lists two server
entries (A, Dt) and three workstation entries (A, A, Dt); they are placed on
the match-failure and lockout rows, one-to-many identification being performed
on the workstation.
User Management
The following events may be logged during the management of users.

Event                                   Type   Srv level   Wks level
Add user record (Success)               S      Dt          Dt
Add user record (Failure)               F      A           A
Delete user record (Success)            S      Dbg         Dbg
Delete user record (Failure)            F      Dbg         Dbg
Change account ctrl flags (Success)     F      Dt          Dt
Change account ctrl flags (Failure)     F      Dt          Dt
Unlock user account                     S      Dt          Dt?
Password randomized                     S      Dt          Dt?
User record consistency check failed    E      A           A
User record signature check failed      E      A           A

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details
Dt? = the source gives a single workstation entry (Dt) for the Unlock user
account and Password randomized rows together, so only one of the two is logged
on the workstation; which one cannot be recovered from the source.
Logon/Lock
The following events are logged during the logon, lock and unlock processes.

Event                    Type   Srv level   Wks level
Logon                    S      -           A
Kiosk Logon              S      -           A
Logoff                   S      -           Dt
Kiosk Logoff             S      -           Dt
Lock                     S      -           Dt
Kiosk Lock               S      -           Dt
Unlock                   S      -           A
Kiosk Unlock             S      -           A
Registered PIN           S      -           Dt
Change PIN               S      -           Dt
FP used to unlock SC     S      -           Dt
Shared account problem   E      -           E
Shared account missing   E      -           E

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details
- = not logged on that side
DNS Registration
DNS Registration events are logged when the Pro Server software fails to
register or remove DigitalPersona Pro registration records from the Active
Directory DNS server.

Event                       Type   Srv level   Wks level
DNS update disabled         W      A           -
DNS registration failed     E      E           -
DNS unregistration failed   E      E           -

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details
- = not logged on that side
One Touch SignOn
One Touch SignOn settings are included in the Workstation Administrative
Template, and are described in the section “One Touch SignOn Settings” on
page 127.
Chapter 9 - Administration Tools
DigitalPersona Pro for Active Directory provides several tools for administering
various aspects of your deployment as well as expanding the functionality of the
product.
These Administration Tools are included on the product CD for both
DigitalPersona Pro Server and Workstation. Some of these tools are installed
automatically with the installation of DigitalPersona Pro for Active Directory
Server or Workstation, while others must be selected through the Custom Install
option in the Administration Tools Installation wizard or run from the product
CD.
Overview
The following table lists each of the Administration Tools, their purpose, how
they are installed or used and the page where the tool is explained.
Table 9-1. List of Administration Tools

License Control Manager
  Purpose: Used to control and manage licenses for DigitalPersona Pro Servers,
  including gathering the information necessary for requesting a license,
  adding and removing licenses and viewing license and user information.
  Installation/Reference: Automatically installed as part of the Administration
  Tools installation. See page 86.

Attended Fingerprint Registration Tool
  Purpose: Allows supervision of users when registering their fingerprints.
  Installation/Reference: Automatically installed as part of the Administration
  Tools installation, but needs to be set up before use. See page 90.

One Touch SignOn Administration Tool
  Purpose: Enables administrators to add biometric authentication to Web sites
  and programs.
  Installation/Reference: Automatically installed as part of the Administration
  Tools installation. See page 92.

User Query Tool
  Purpose: Used to query the DigitalPersona Pro for Active Directory user
  database for information about DigitalPersona Pro users; can be run as an
  Interactive Query, from the command line, or from within a script.
  Installation/Reference: Automatically installed as part of the Administration
  Tools installation. See page 131.

CleanUp Wizard
  Purpose: Removes Pro user data (such as fingerprint credentials, secure
  application data and global domain data) from Active Directory which is not
  removed when uninstalling DigitalPersona Pro Server.
  Installation/Reference: Not automatically installed as part of the
  Administration Tools. It is run from the product CD or copied to a hard drive
  and run. See page 136.
All of the tools may be installed on a single workstation for centralized
administration of DigitalPersona Pro for Active Directory, or, for larger
organizations, each tool may be installed on a separate workstation in order to
divide the administration of various features among several people.
To install the Administration Tools
• Locate and double-click the setup.exe file located in the Administration
Tools/Install directory on the product CD.
License Control Manager
The DigitalPersona Pro License Control Manager is used by an administrator to
manage User Authentication Licenses (UALs) for users authenticating to
DigitalPersona Pro Servers.
It is used to gather information necessary for requesting a license from
DigitalPersona, for adding and removing licenses, and for viewing license and
user information.
It is automatically installed as part of the DigitalPersona Pro Administration
Tools, but can also be installed separately on a workstation that has access to the
domains that are to be licensed and/or managed.
Overview
The licensing model for DigitalPersona Pro for Active Directory Server requires
that each domain be licensed for the number of users who will register their
fingerprints within that domain.
License Control Manager provides the following features for managing licenses
for DigitalPersona Pro Servers:
• Connecting to a domain (page 86)
• Getting License Information (page 87)
• Reviewing and installing license files (page 88)
• Viewing license details (page 88)
• Viewing UAL Summary Information (page 89)
• Uninstalling licenses (page 89)
Connecting to a domain
By default, when License Control Manager is launched it will connect to the
domain to which the currently logged on user belongs.
If that domain is not the domain that you want to administer at this time, you can
select a different domain.
To change the domain:
1 Click the Change Domain button to display the Connect to Domain dialog
box.
2 Type the domain name that you want to connect to, or click Browse to
navigate to the domain.
3 If you want to connect to this domain the next time that License Control
Manager runs, select Connect to this domain the next time you run
License Control Manager.
4 Click OK to connect to the domain and close the dialog box.
After successfully connecting to the domain, License Control Manager will
locate all licenses in the License container and display them in the list view. If
duplicate or incorrect licenses are found during this process, they will be deleted
and you will be notified of the fact.
Getting License Information
Each license for DigitalPersona Pro for Active Directory is tied to a specific
customer domain.
Note
When upgrading from Pro 3.5, User Authentication Licenses must be obtained
for all registered and prospective users.
In order for DigitalPersona to issue a requested license, certain domain
information necessary to bind the license to the domain must be collected and
sent to DigitalPersona, Inc. This step needs to be done once for each domain.
To collect the required domain information:
1 Launch License Control Manager.
2 Click the Get License Info button.
3 License Control Manager will collect the domain information that it needs
and display a Save As dialog box.
4 Type a file name that will identify the file as belonging to your company and
what domain it refers to. The file must have a .dplif extension. Click Save to
save the file.
5 Request a license for the domain by sending the file as an attachment in an
email containing your Purchase Order # for the number of User
Authentication Licenses needed and address it to [email protected];
or contact your DigitalPersona Sales Account Manager.
Reviewing and installing license files
After sending the required domain information to DigitalPersona, Inc., you will
receive a license file for that domain. Keep a copy of the license file in a secure
place for backup purposes.
To install the license:
1 In License Control Manager, click the Add button.
2 In the Open dialog box, navigate to the license file (.dplic extension) and
click the Open button.
3 In the License Details dialog box, you can review information about the
license before it is added.
4 Click the Add License button to add the license to License Control Manager.
5 The license, along with summary information about the license is added to
the License list.
Viewing license details
License Details are available for each installed license.
To view license details:
1 In the Licenses list, select a license.
2 Click the Details button.
3 License Control Manager displays license details for the selected license.
4 Click Close to close the License Details dialog box.
Note
License Details are only available for issued User Authentication Licenses, not
for the licenses shipped with DigitalPersona Pro Server for evaluation.
Viewing UAL Summary Information
License Control Manager does not display the summary information for User
Authentication Licenses (UALs) when launched, since in large organizations it
may take a while to collect the information.
To display the User Authentication License summary information:
• Click the Refresh button.
License Control Manager displays the following summary information:
• Total number of licenses Issued
• Number of licenses Used
• Number of licenses Remaining
• Percent of Issued licenses that have been Used
The amount of time that it takes to refresh user information will depend on the
number of users.
Uninstalling licenses
To uninstall a license:
1 In the License list, select a license.
2 Click the Delete button.
3 In the Confirmation dialog box, click Yes to delete the license, or No to
close the dialog box without deleting the license.
When you uninstall the last license in the License list, the Evaluation license
will appear on the list.
Attended Fingerprint Registration
The Attended Fingerprint Registration Tool is an administrative tool that can be
used to add an additional level of security to the implementation and use of
DigitalPersona Pro for Active Directory.
With attended registration, a designated user (or member of a designated user
group) must be logged in to supervise the fingerprint registration process of
other users. Users can also be prevented from registering other fingerprints or
deleting fingerprints from their own account.
The Attended Fingerprint Registration Tool is automatically installed as part of
the DigitalPersona Pro Administration Tools, but needs to be set up before use.
It can also be installed separately on a workstation.
Assigning Registration Permissions
The user designated to supervise the fingerprint registration of other users can
be an individual user or belong to a user group and must have permission to
register and delete user fingerprints.
The Register/Delete Fingerprint permission can be granted at the single user,
organizational unit or domain level, but not at the user group level.
Single User
You can assign a user or group to supervise a single user’s fingerprint
registration. In most cases, however, you will want to make the assignment at the
organizational unit or domain level, as shown in the next topic.
To assign a user or group permission to supervise fingerprint registration for a
single user:
1 In Active Directory Users and Computers, select the user name to be
registered through attended registration.
2 Right-click and select Properties.
3 Click the Security tab.
4 Click the Add button.
5 Select the supervising user or group who will have register and delete
fingerprints permission to this account.
6 Click Add and then OK.
7 In the Permissions list, select the Allow check box for the Register/Delete
Fingerprint (DigitalPersona) permission.
8 Click OK.
Organizational Unit or Domain
To assign attended fingerprint registration permissions for an organizational unit
or domain to a supervising user:
1 In Active Directory Users and Computers, select the domain or
organizational unit to be registered through attended fingerprint registration
by the supervising user.
2 Right-click and select Properties.
3 Click the Security tab.
4 Click the Advanced button.
5 Click Add and add the supervising user or group to the users who have
permissions to this account. Then click OK.
6 Click the Edit/View button.
7 Select User Objects from the Apply onto drop down list.
8 In the Permissions list, select the Allow check box for the Register/Delete
Fingerprint (DigitalPersona) permission.
9 Click OK to close the dialog and save your changes.
One Touch SignOn Administration Tool
Overview
One Touch SignOn (OTS) enables administrators to provide controlled access to
Web sites or programs by adding biometric authentication to their logon and
change password screens, simplifying the logon process for end users and
reducing the administrative overhead involved in password maintenance.
The OTS Administration Tool manages access to password-protected Web sites
and programs through the creation and administration of templates that contain
the specifications for:
• Logon screen template - This template specifies attributes that are used
during logon, such as a user name, password, and Submit button.
• Password Change screen template - This template defines how a password
for an OTS-enabled program or Web site is changed, specifying details such
as whether the password can be changed by the user at will, or must be
changed at prescribed intervals, and any format restrictions that are enabled.
These OTS templates are created in the One Touch SignOn Administration Tool,
and then deployed to end users through a setting in the Active Directory GPO
governing the workstations. (For further information, see “Deploying
Templates” on page 125 and following.)
After the templates are created and deployed, the One Touch SignOn application
uses the templates to recognize which logon and change password screens are
fingerprint-enabled, displaying the DigitalPersona icon on the Web site or
program title bar to indicate that the user can log on by fingerprint.
For a description of the end user experience, see “Logging On with One Touch
SignOn” on page 129.
Installing the OTS Administration Tool
The OTS Administration Tool is installed as part of the DigitalPersona Pro
Administration Tools.
To install the Administration Tools, navigate to the Administration Tools folder
on the product CD and click the setup.exe file.
Setting up OTS
Before using the OTS Administration Tool to create OTS templates, you will
need to set it up for your network.
Create a shared network folder
Create a shared folder on the network
drive to store OTS templates and assign
appropriate permissions to the users.
1 Create a folder on the server/computer
where you will store the OTS
templates.
2 Share the folder that you just created to
allow users to access it.
3 Right-click on the folder and click on
Properties in the context menu.
4 Click on the Sharing tab.
5 Verify the permissions by clicking on
the Permissions button.
Set up the GPO policy for OTS
1 The Workstation Administrative Template, DigitalPersonaProWksta.adm, must
be added to the Active Directory Computer Configuration folder in the
Administrative Templates folder of the Group Policy editor. The ADM file is
located in the inf directory on the hard drive where DigitalPersona Pro AD
Server or Workstation was installed.
For further details, see “Install the Administrative Templates” on page 36.
2 Open the GPO where the DigitalPersona template was added.
3 Go to User Configuration\Administrative Templates\DigitalPersonaPro.
4 Double-click on One Touch SignOn Configuration policy (in the right pane).
The default setting is "Not Configured". Click on Enable to enable this policy,
and then type in the path to the shared folder that you previously created.
5 The new setting will be applied to all DigitalPersona Pro Workstations during
the usual refresh interval or the next time they restart Windows.
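The "Create a shared network folder" steps above, as an added PowerShell example that is not part of this guide or the product: it creates the template folder, shares it, and verifies the permissions. Workstations only download templates, so end users get read access and only the group that edits templates with the OTS Administration Tool gets write access. The folder path, share name and group names are assumptions, and the SmbShare cmdlets need Windows Server 2012 or later (they did not exist on the Windows 2003 systems this guide describes).

```powershell
# Added example: create and share the OTS template folder with least-privilege permissions.
# Assumed values; adjust the path and group names for your domain. Run in an elevated
# PowerShell session on the file server (Windows Server 2012 or later for New-SmbShare).
$TemplatePath   = 'D:\OTSTemplates'                 # assumed local folder for the templates
$ShareName      = 'OTSTemplates'                    # assumed share name
$Domain         = $env:USERDOMAIN
$TemplateAdmins = "$Domain\OTS Template Admins"     # assumed group that edits templates with the OTS Administration Tool
$TemplateUsers  = "$Domain\Domain Users"            # workstations only download templates, so read access is enough

function New-FolderRule([string]$Identity, [string]$Rights) {
    # Allow rule, inherited by subfolders and files
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
}

# Step 1: create the folder that will store the templates.
New-Item -Path $TemplatePath -ItemType Directory -Force | Out-Null

# NTFS permissions: stop inheriting from the parent, then grant only what each group needs.
$acl = Get-Acl -Path $TemplatePath
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-FolderRule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-FolderRule $TemplateAdmins 'Modify'))
$acl.AddAccessRule((New-FolderRule $TemplateUsers 'ReadAndExecute'))
Set-Acl -Path $TemplatePath -AclObject $acl

# Step 2: share the folder; share permissions mirror the NTFS ones (the more restrictive of the two applies).
New-SmbShare -Name $ShareName -Path $TemplatePath -ReadAccess $TemplateUsers `
    -ChangeAccess $TemplateAdmins -FullAccess 'BUILTIN\Administrators' | Out-Null

# Step 5: verify the permissions, as the guide does through the Permissions button.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight, AccessControlType -AutoSize
(Get-Acl -Path $TemplatePath).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# UNC path to type into the One Touch SignOn Configuration policy (GPO step 4 above).
"\\$env:COMPUTERNAME\$ShareName"
```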
Create an OTS Container
1 Open the OTS Administration Tool from Start/Programs/DigitalPersona Pro.
2 On the toolbar, click the New Container icon.
3 In the Create New Container dialog box, type a name for the container in the
Name text box.
4 Specify the path of the container in the Path field. To browse for a path using
the standard Windows file browser dialog box, click the Browse button.
5 Click OK to create the container.
Using Field Catalogs
The Field Catalog for a container is used to store logon field values and
attributes that can then be reused in creating templates for logon screens that
share common fields. By storing frequently used logon fields in the catalog
once, you can add the same field to several templates without entering its value
or attributes each time.
In addition, changes made to fields in the Field Catalog are propagated to all
templates that use the field. Each container has only one Field Catalog.
To add a field to a field catalog for a container:
1 In the OTS Administration Tool, select a container and select Field Catalog
on the Tools menu.
2 On the Field Catalog Editor, click Add to create a new field in the table.
3 In the Field text box, type a name for the field you are adding to the catalog.
4 Specify the type of the field by selecting Password or Text in the Type drop-down list.
5 Specify the value of the field on the Value drop-down menu. See “Logon
Fields options” on page 99 for a description of each value.
6 Add any comments related to this field in the Description text box, and then
click OK to close the Field Catalog Editor.
Creating OTS Templates
Logon screen templates enable DigitalPersona Pro administrators to set policy
about how much, and what kind of, user information can be sent to an
application via fingerprint logon.
OTS includes a wizard that can create logon screen templates automatically for
most logon screens. For more complex logon screens, there is a ‘manual’ mode
that provides more sophisticated options for matching the logon process to nonstandard logon screens.
• Automatically -- Open the logon screen for a Web site or program, and then
click Create template in the OTS Administration Tool. The Logon Screen
Wizard detects the fields on the logon screen. You can specify which fields
are required for logon and what type of information should be provided in the
fields.
• Manually -- For logon screens that are difficult for the wizard to detect
automatically, you can create a template manually. When you create a
template manually, you have additional controls for specifying fields and
keystrokes required for logon. For a discussion of the trade-offs involved in
manual template creation, see “Creating a Logon Screen Template
Manually” on page 103.
DigitalPersona recommends you attempt to create a logon template
automatically before you try to create it manually.
Creating a Logon Screen Template automatically
To create a logon screen template automatically:
1 Launch the password-protected application (or browse to a web site) that
contains the logon screen for which you want to create a template.
2 Launch the OTS Administration Tool and on the shortcut menu of the
container for which you want to create a template, click New Template.
3 When the OTS Template Wizard launches, confirm that the title of the logon
screen is displayed on the first page and then click Next.
4 The Logon Fields page displays each field on the logon screen, using the
nearest associated label to identify the field. For each field, you can specify
several attributes. See the table “Logon Fields options” on page 99.
5 Click Next after selecting the Logon Fields.
6 On the Submit Option page, choose the button from the list that submits the
logon data for the application. To prevent automatic logon, click Do not
submit. Click Next to continue.
7 On the Logon Screen Properties page, enter the name for this logon screen/
template, and the name for the Quicklink. For more details on this screen see
the table “Logon Screen Properties options” on page 101.
8 Click Next after entering the appropriate data and then click Finish to save
the new template.
If the OTS templates are stored on a shared network drive, log off and log
back in to automatically download the newly created templates on your
workstation.
9 Enter Account Data.
You can now go to the web page/application for which you created the
template. You will be prompted to touch the sensor to log on. Once you touch
the sensor with your registered finger, you will be prompted to enter your
account data. You will need to provide this data only when you log on using
OTS for the first time. During subsequent logons, you can log on simply by
touching the sensor with your registered finger!
Table 9-2. Logon Fields options
(See step 4 above.)
Option
Description
Use
Specifies the fields that are used during logon. If a listed field is
not used for logon, leave the field unchecked.
Label
Describes the type and use of the field, as displayed to the user
during logon. These labels represent the Wizard’s best guess. If
the label for a field is not intuitively related to the corresponding
field on the logon screen, enter a new label name in this field.
Type
Specifies the type of field, either text or password. This value is
not editable.
Catalog
For added convenience, you can create specifications for
frequently used fields using the Field Catalog Editor, a
collection of frequently-used fields and their specifications (see
“Using Field Catalogs” on page 95). If the field is in the Field
Catalog, you can right-click it, then choose it from the drop-down list. Its
specifications will be provided automatically by OTS.
Value
Alphanumeric data to be supplied by either the user or
DigitalPersona Pro. Type a value for the logon field or use the
Value drop-down menu to indicate a value.
Ask-Reuse prompts the user to enter a value for a logon field
the first time they use the template for logon. This value is
automatically submitted for them on each subsequent logon
without prompting the user again.
Ask-Confirm also prompts the user to enter a value for a logon
field the first time they use it. However, on subsequent logons,
the value is automatically entered and they are then prompted to
confirm this value or change it.
Ask Always prompts the user to enter a value for a logon field
each time they log on.
Specify whether you want the field to be stored in the template
in clear (unencrypted) text or protected (encrypted) text.
If the field is a text field, choose any of the following options to
specify values to be provided by OTS:
Windows User Name
Windows User Principal Name -- the user name and domain
values in the format: [user name]@[domain]
Windows Domain\User Name -- the domain of the user,
followed by a backslash and the user name
Windows Domain -- the name of the user’s domain
Windows E-mail Address -- the user’s email address, as stored
in Active Directory
If the field is a password field, choose Windows User
Password to specify that OTS will provide password
information.
Table 9-3. Logon Screen Properties options
(See step 7 above.)
Option
Description
General
Template is the name of the template.
Description contains information about the template and is
viewable in the OTS Administration Tool.
User Hint enables you to provide a message that is displayed
when a user uses the template for logon, such as when users are
prompted to type values for logon fields. For example, if you
want to direct a user to a Web page with custom instructions for
logon, you can enter a URL in the User Hint field.
Show Balloon specifies the number of times a balloon will be
displayed on the fingerprint-enabled logon screen to inform the
user they can touch the reader to log on.
Quick Link
Quick Link Name is the name of the Quick Link, if the
template was created for a Web site, and appears in the One
Touch Menu for accessing Web sites set up for fingerprint
logon. Users touch the reader to display the One Touch Menu,
point to Quick Links and then click the fingerprint logon title
that corresponds to the Web site they want to access. Internet
Explorer is launched automatically and is pointed to the Web
site.
Quick Link URL is the target URL of the Quick Link.
Screen Detection
Window Caption is the title of the logon screen as detected by
the Wizard. The caption information in the template is used by
OTS to recognize the logon screen by matching the window
caption in the logon screen.
If portions of the window caption change, specify the portion
of the window caption to match and represent the changing
portion of the caption with special characters, such as *.
The invariant portion of the string will be used to recognize the
logon screen.
URL is used by One Touch SignOn to recognize a Web site
logon screen. The URL information in the template is matched
to the URL in the logon screen. If multiple Web sites have the
same title or if portions of the URL change, which can be the
case for Web sites that redirect traffic for load balancing, then
specify the portion of the URL to match. The drop-down menu
allows you to specify the type of matching to perform on the
URL.
Extended Match. If you are creating a template for a program,
and not a Web site, you can click the button next to the
Extended Match field. Select labels that should be used for
matching when recognizing the screen. Click the check box
next to labels to use. After making selections and clicking OK,
you can select the type of matching to perform by selecting it
from the drop-down list.
Authentication
Start Authentication Immediately. If set to Yes, the user is
prompted for a fingerprint logon immediately after the logon
screen displays. The default setting is No.
Lock out logon fields. If set to Yes, the user is prevented from
typing data in the logon fields. The default setting is No.
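An added PowerShell example, not from this guide or the product, of the Screen Detection rules in Table 9-3 applied to constructed window records: the window caption is matched with * standing for the changing portion, and for a Web site template the URL must match as well. It shows the check a defender wants to see: a caption-only template fires on every window that shares the title, while adding a URL rule restricts the match to the intended site. The template field names, the URL match types (Exact, Prefix, Wildcard) and the sample windows are assumptions, not the product's template format.

```powershell
# Added example: Table 9-3 style screen detection against constructed window records.
# Template fields and URL match types are assumptions, not the product's file format.
function Test-OtsScreenMatch {
    param(
        [Parameter(Mandatory)][hashtable]$Template,   # Caption, Url, UrlMatch
        [Parameter(Mandatory)][hashtable]$Window      # Caption, Url (empty for a program window)
    )
    # Window caption: * stands for the changing part; the invariant part must match (-like ignores case).
    if ($Window.Caption -notlike $Template.Caption) { return $false }

    # A program template carries no URL rule, so the caption alone decides.
    if (-not $Template.Url) { return $true }

    # Web site template: the URL must match too, using the chosen match type.
    switch ($Template.UrlMatch) {
        'Exact'    { return $Window.Url -eq $Template.Url }
        'Prefix'   { return $Window.Url.StartsWith($Template.Url, [System.StringComparison]::OrdinalIgnoreCase) }
        'Wildcard' { return $Window.Url -like $Template.Url }
        default    { throw "Unknown UrlMatch '$($Template.UrlMatch)'" }
    }
}

# Constructed window records (not captured from a real system).
$mailInbox    = @{ Caption = 'Inbox (3) - Example Webmail'; Url = 'https://mail.example.com/login?session=abc' }
$mailLogin    = @{ Caption = 'Sign In - Example Webmail';   Url = 'https://mail.example.com/login' }
$otherSite    = @{ Caption = 'Sign In - Example Webmail';   Url = 'https://mail.example.net/login' }  # same title, other host
$localProgram = @{ Caption = 'Sign In - Example Webmail';   Url = '' }                                 # a program window

# Caption-only template: the changing "Inbox (3)" / "Sign In" part is wildcarded, nothing else is checked.
$captionOnly   = @{ Caption = '* - Example Webmail'; Url = ''; UrlMatch = '' }
# Caption plus URL prefix: the changing session part of the URL is ignored, other hosts are not matched.
$captionAndUrl = @{ Caption = '* - Example Webmail'; Url = 'https://mail.example.com/login'; UrlMatch = 'Prefix' }

$templates = [ordered]@{ 'caption only' = $captionOnly; 'caption + URL' = $captionAndUrl }
foreach ($t in $templates.GetEnumerator()) {
    foreach ($w in $mailInbox, $mailLogin, $otherSite, $localProgram) {
        '{0,-14} {1,-28} {2,-45} -> {3}' -f $t.Key, $w.Caption, $w.Url, (Test-OtsScreenMatch -Template $t.Value -Window $w)
    }
}
```

With the caption-only template all four windows match; with the caption-plus-URL template only the two windows on mail.example.com match.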
Creating a Logon Screen Template Manually
If One Touch SignOn does not detect fields automatically in your Web site and
program logon screens, OR if you want to specify additional controls to be used
during logon (such as adding keystrokes, forcing delays between actions, and
specifying positions of fields), you can create a template for a logon screen
manually.
When you create a template manually, you have additional controls for
specifying fields and keystrokes required for logon; essentially you specify a
“script” to manage the interaction completely. This is much more powerful than
accepting the typical field-to-field navigation supported by the Logon Screen
Wizard in Automatic mode, but it requires much closer study of the logon screen
itself to establish the precise actions required. For example:
• Exactly how many, and what kind of, keystrokes are needed to enter the
data?
• Where should the initial focus of the screen be? (physical location)
• How many tabs are required to navigate the input screen?
To create a logon template manually:
1 Launch the password-protected Web site or program for which you want to
create a template.
Study the logon screen carefully to determine what actions are necessary, and
where the initial focus of the screen should be. (If the screen cursor is already
in the initial field of the logon screen when the screen is displayed, there is
no need to worry about initial focus.)
2 In the OTS Administration Tool, select the container to which you want to
add the new template.
3 Click Create template. OTS Administration Tool launches the Logon
Screen Wizard.
4 Confirm that the title of the logon screen is accurately displayed on the first
page.
5 Select Set up a template manually.
6 Click Next. The wizard displays an empty Fill In Actions list, as shown
below.
7 Click Add and select an action from the drop-down menu, as described on
the next page in Table 9-4. Add as many actions to the list as are required, in
the order that they are required. This builds the “script” that governs
interaction between the user and DigitalPersona Pro, and the program.
For example, to create a logon screen template for the Yahoo! Mail logon
page, you might study the page and find that focus on the page is always
automatically in the logon field, that you need input fields for Yahoo ID and
Password, and that you then submit the data with the Sign In button.
Your logon fields would look like this:
Table 9-4. Logon Screen Actions: manual selections
Option
Description
Keystroke
This key sequence of one or more keys will be placed in the
keyboard buffer.
Key. You can select keys such as Tab, Enter, Left arrow,
Spacebar or Page Up. The Tab key is the default.
Repeat. Specify a number of times the key sequence is
entered.
Shift, Control, Alt. You can check Generic, Left or Right to
simulate pressing one or more of these keys in addition to the
key you selected. You can specify if the key is from the left or
right side of the keyboard if necessary.
Field
You can define a field and its type.
Label. Type a label name for the corresponding field on the
logon screen. The labels are displayed when users are
prompted to type a value for a logon field.
Type. Select the type of field, either text or password, in the
Type text box. Choosing password as the type hides the
password on the logon screen so it cannot be viewed.
Choosing text displays readable text.
Reference. Specifications for frequently used fields can be
created using the Field Catalog Editor (see “Using Field
Catalogs” on page 95).
If the field is in the Field Catalog, you can click and then
choose it from the drop-down list. Its specifications will be
provided automatically by One Touch SignOn.
Value. Type a value for the logon field or use the Value drop-down menu to
indicate a value specified by the user or provided by One Touch SignOn.
Value
There are several options on the Value drop-down menu,
which allow you to specify values that must be provided by the
user or by One Touch SignOn.
The first three options can be used if you require the user to
provide information at logon:
Ask-Reuse prompts the user to enter a value for a logon field
the first time they use the template for logon. This value is
automatically submitted for them on each subsequent logon
without prompting the user again.
Ask-Confirm also prompts the user to enter a value for a
logon field the first time they use it. However, on subsequent
logons, the value is automatically entered and they are then
prompted to confirm this value or change it.
Ask Always prompts the user to enter a value for a logon field
each time they use the template.
Value (Text fields)
For a text field, the next group of options allows you to specify
values which are provided by One Touch SignOn:
Windows User Name provides the Windows user name.
Windows User Principal Name provides the user name and
domain values in UPN format: [user name]@[domain]
Windows Domain\User Name provides the domain of the
user, followed by a backslash and the user name.
Windows Domain provides the user domain name.
Windows E-mail Address provides the email address stored
in Active Directory for the user.
Value (Passwords)
For a password field, you can specify the following value
which is provided by One Touch SignOn:
Windows User Password provides the password used for
Windows logon.
Delay
You can specify how many seconds to wait before the next
action in the list is performed.
Position
Using this action, you can specify a location where One Touch
SignOn will perform a mouse click. Position is measured from
the top left corner of the client window area.
Client X. Type a number of pixels for the X axis position for
the action.
Client Y. Type a number of pixels for the Y axis position for
the action.
Target icon. You can click and drag the target icon
to the actual logon screen field to specify the
position. Drop the target icon on the location you
want to specify. When you drop the target icon, the Client X
and Y positions are updated with the target location.
8 To continue, click Next. The OTS Administration Tool displays the Logon
Screen Template Properties page.
9 The Logon Screen Template Properties page allows you to view and
modify the properties of the logon screen template. Details about
the options on this page are described in
Table 9-5. Logon Screen Template: manual options
(See step 9 above.)
Option
Description
General
Template is the name of the template. Choose a name for the
template that is easy to remember, such as YahooEmail.
Description contains information about the template and is
viewable in the OTS Administration Tool.
User Hint allows you to type a message that is displayed
when a user uses the template for logon, such as when users
are prompted to type values for logon fields. For additional
user assistance, if you type a URL in the User Hint field, a
user can click it to be directed to a Web page that you created
to provide custom instructions for logon.
Show Balloon is the number of times a balloon will be
displayed on the fingerprint-enabled logon screen to inform
the user they can touch the reader to log on.
Quick Link
Quick Link Name is the name of the Quick Link, if the
template was created for a Web site, and appears in the One
Touch Menu for accessing Web sites set up for fingerprint
logon.
Users touch the reader to display the One Touch Menu, point
to Quick Links and then click the fingerprint logon title that
corresponds to the Web site they want to access. Internet
Explorer is launched automatically and is pointed to the Web
site.
Quick Link URL is the target URL of the Quick Link.
Screen Detection
If portions of the window caption change, specify the portion of the window
caption to match and represent the changing portion of the caption with
special characters, such as *. The invariant portion of the string will be
used to recognize the logon screen.
URL is used by One Touch SignOn to recognize a Web site logon screen. The
URL information in the template is matched to the URL in the logon screen.
If multiple Web sites have the same title or if portions of the URL change,
which can be the case for Web sites that redirect traffic for load
balancing, then specify the portion of the URL to match. The drop-down menu
allows you to specify the type of matching to perform on the URL.

Authentication
Start Authentication Immediately. If set to Yes, the user is prompted for a
fingerprint logon immediately after the logon screen displays. The default
setting is No.
You can specify additional logon screen matching to help OTS recognize the
screen.
10 When done configuring the Logon Screen Properties, click Next.
11 On the Setup Complete page, click Finish to save the changes and exit the
wizard.
Creating Change Password Screen Templates
In addition to templates for logon screens, templates can also be created for
most Change Password screens.
To set up a change password screen with One Touch SignOn, use the One Touch
SignOn Change Password Screen Wizard. Using the wizard, you can specify the
fields required by the application for changing passwords, implement password
policies and even automate the entire process for the end user.
The Change Password Screen Wizard provides administrators with two different
ways to create change password screen templates:
• Automatically -- Open the change password screen for a Web site or
program that already has a logon screen template created by the OTS
Administration Tool and stored in DigitalPersona Pro. Find the logon screen
template, then right-click to display that template’s context menu. Choose
Add Change Password Screen.
The Wizard detects the fields on the change password screen. You can
specify which fields are required for logon and what type of information
should be provided in the fields.
• Manually -- For change password screens that are difficult for the wizard to
detect automatically, you can create a template manually. When you create a
template manually, you have additional controls for specifying fields and
keystrokes required for logon. For a discussion of the trade-offs involved in
manual template creation, see “Creating a Logon Screen Template
Manually” on page 103.
Creating a Change Password Screen Template Automatically
To create a change password screen template automatically:
1 Launch the password-protected Web site or program for which you want to
automate the change password operation and then navigate to the Change
Password screen.
2 In the OTS Administration Tool, select the template which was created for
that Web site or program.
3 Right-click to display that template’s context menu, then click Add Change
Password Screen. OTS launches the Change Password Screen wizard.
4 Click Next. The wizard displays the Change Password Screen Field page.
5 Select all fields relevant to the change password process, as described in
Table 9-6.
Table 9-6. Password Screen Template options
Option
Description
Use
Check the Use check box for each field needed in changing the
password.
Type
Specify the type of control on the Change Password screen, such as text
or password field.
Label
The label is displayed next to a field when the user is prompted to type a
value for a field on the change password screen. If the label is not
intuitively related to the corresponding field on the change password
screen, you can enter a new label.
Catalog
Cross-references the fields of the Change Password Screen with the
fields in the Logon Screen. For example, the password used at logon is
re-used during the Change Password process.
The automatically detected value is shown in this field by default, but
you should verify it.
Value
For Old Password, the value type should be Ask-Reuse. For New
Password, the value type should be Write Only.
6 Click Next. The wizard displays the Password Policy page.
7 If desired, specify the password policy for a protected field. Select the
corresponding Field Policy item, and then click the button shown on the
right side.
8 In the Password Policy dialog box, the following options are available:
• Password is provided by user - Allows the user to specify the new
password for the Web site or program.
• Password is generated automatically - Generates a randomized password for
the user. By selecting this option, you can ensure that the user can only
log on using a fingerprint.
To specify constraints on the password format, length and uniqueness, check
the Use password policy checkbox. These requirements will be followed when
the password is generated, and verified when the password is provided by the
user.
The following options are available for the password length:
• Minimum password length - Specifies the minimum number of characters
allowed in the password.
• Maximum password length - Specifies the maximum number of characters
allowed in the password.
The following options are available for the password contents:
• Letters and numbers - Allows any combination of letters and/or numbers.
• Letters only - Allows letters only.
• Numbers only - Allows numbers only.
• Letters and numbers with special characters - Allows passwords that
contain at least one letter or number, and requires at least one special
character. Special characters include symbols such as
!"#$%&'()*+,-./:;<=>?[\]^_`{|}~@. Spaces are not allowed.
• Letters and numbers with at least one number - Allows passwords with
any combination of letters and numbers, but both types must be present.
The following additional password constraints are available:
• None - No other constraints are applied to the password.
• Different from Windows password - The new password must be
different from the current Windows password.
• Different from any password registered with OTS - The new password
must be different from all passwords registered for fingerprint-enabled
Web sites or programs by the current Windows user.
• Different from current password - The new password must be different
from the current password for this Web site or program.
9 Click OK to save the changes in the Password Policy dialog box.
Note
The password policy applied in the wizard should be synchronized with that of
the Web site or program.
10 On the Password Policy page, click Next.
11 On the Submit Selection page, choose the button from the list of detected
buttons, which submits the data on the Change Password screen, and then
click Next.
12 On the Change Password Screen Properties page, you can customize the
behavior of the system during the change password operation. The following
settings are available:
• User Hint - Allows customizing the text that will be shown when the user
is prompted to type data into input fields for the Change Password screen.
• Windows Caption - Specifies the title of the change password screen as
detected by the wizard. The caption is used by One Touch SignOn to
recognize a fingerprint enabled screen. You may use wildcards to specify
the changeable portion of the caption.
• Monitor Screen Changes - Enables the fingerprint software to recognize
the previously trained screen when the screen content changes over time
due to system or user activity, for example when the screen contains
complex, long-loading content such as ActiveX or Flash. Since most Web
pages do not fall into this category, this setting is turned off by
default.
• URL - Uniform Resource Locator is a unique, identifying address of any
particular page on the Web. URL can be used by One Touch SignOn to
recognize the previously trained screen. The drop-down menu allows you
to specify the type of matching performed on the URL. By default, the
URL is not used to recognize a fingerprint enabled screen.
When done configuring the Change Password Screen Properties, click Next.
13 On the Setup Complete page, click Finish to save the changes and exit the
wizard.
Change password screens set up with One Touch SignOn display a
DigitalPersona icon in the title bar, as well as a balloon prompting the user to
touch the reader to begin the change password process.
Creating a Change Password Screen Template Manually
If you want to specify additional controls to be used during password change
(such as adding keystrokes or forcing delays between actions), you can create a
change password screen template manually.
When you create a template manually, you have additional controls for
specifying fields and keystrokes required for password change; essentially you
specify a “script” to manage the interaction completely. This is much more
powerful than accepting the typical field-to-field navigation supported by the
Change Password Screen Wizard in Automatic mode, but it requires much
closer study of the change password screen itself to establish the precise actions
required. For example:
• Exactly how many, and what kind of, keystrokes are needed to enter the
data?
• Where should the initial focus of the screen be? (physical location)
• How many tabs are required to navigate the input screen?
To create a change password screen template manually:
1 Launch the password-protected Web site or program for which you want to
create a template. Move to that site’s or program’s Change Password screen.
2 In the OTS Administration Tool, select the template for that Web site or
program.
3 Right-click to display that template’s context menu, then click Add Change
Password Screen. OTS launches the Change Password Screen wizard.
4 Select Set up a template manually, then click Next. The wizard displays the
Logon Fields page with an empty Fill in Actions list.
5 Click the Add button and then select an action from the drop-down menu.
Add as many actions to the list as are required, in the order that they are
performed. This builds the “script” that emulates interaction between the
user and the program. Later, this script will be used to play the prerecorded
actions.
The following actions are available in the Fill in Actions list:
• Keystroke - Provides navigation to the first field to be filled in or between
fields. It also may be used to submit the data on the Change Password
screen. The list of supported keystrokes is available in the Key drop-down
menu.
• Field - Specifies the field to be filled in on the Change Password screen,
its type (text or password), reference (for example, relationship to the
password field on logon screen) and value, i.e. how the field value is
obtained.
• Delay - Specifies a delay during navigation or prior to submitting data.
This setting is useful when the system performs some actions between the
screen loading and data submitting events. For some terminal applications,
a delay may be required even when moving between neighboring fields on the
screen.
Note
It is recommended to estimate the required delay and then test it prior to
using the script.
• Position - Moves the cursor to a specified area of the Change Password
screen, such as a field for data input, without using keystrokes. To use the
Position feature, select Position in the drop-down menu, then, using the
mouse, click and drag the Target icon until the cross is located over the
desired area on the screen. When the mouse button is released, the chosen
coordinates are shown in the right panel of the wizard page.
Be aware that the Position action may be sensitive to screen resolution,
because the system works with coordinates in pixels. This feature also may
not be useful when the user needs to scroll the window in order to move the
cursor to the desired area.
6 Repeat step 5 until all the required actions (i.e. fields, cursor movements,
delays, and submission action) are specified.
7 Click Next. The wizard displays the Password Policy page.
8 If desired, specify the password policy for a protected field.
Select the corresponding Field Policy item, and then click the button which is
shown on the right side.
9 In the Password Policy dialog box, the following options are available:
• Password is provided by user - Allows the user to specify the new
password for the Web site or program.
• Password is generated automatically - Generates a randomized password for
the user. By selecting this option, you can ensure that the user can only
log on using a fingerprint.
To specify constraints on the password format, length and uniqueness, check
the Use password policy checkbox. These requirements will be followed when
the password is generated, and verified when the password is provided by the
user.
The following options are available for the password length:
• Minimum password length - Specifies the minimum number of characters
allowed in the password.
• Maximum password length - Specifies the maximum number of characters
allowed in the password.
The following options are available for the password contents:
• Letters and numbers - Allows any combination of letters and/or numbers.
• Letters only - Allows letters only.
• Numbers only - Allows numbers only.
• Letters and numbers with special characters - Allows passwords that
contain at least one letter or number, and requires at least one special
character. Special characters include symbols such as
!"#$%&'()*+,-./:;<=>?[\]^_`{|}~@. Spaces are not allowed.
• Letters and numbers with at least one number - Allows passwords with
any combination of letters and numbers, but both types must be present.
The following additional password constraints are available:
• None - No other constraints are applied to the password.
• Different from Windows password - The new password must be
different from the current Windows password.
• Different from any password registered with OTS - The new password
must be different from all passwords registered for fingerprint-enabled
Web sites or programs by the current Windows user.
• Different from current password - The new password must be different
from the current password for this Web site or program.
10 Click OK to save the changes in the Password Policy dialog box.
Note
The password policy applied in the wizard should be synchronized with that of
the Web site or program.
11 On the Password Policy page, click Next.
12 On the Submit Selection page, choose the button from the list of detected
buttons, which submits the data on the Change Password screen, and then
click Next.
13 On the Change Password Screen Properties page, you can customize the
behavior of the system during the change password operation. The following
settings are available:
• User Hint - Allows customizing the text that will be shown when the user
is prompted to type data into input fields for the Change Password screen.
• Windows Caption - Specifies the title of the change password screen as
detected by the wizard. The caption is used by One Touch SignOn to
recognize a fingerprint enabled screen. You may use wildcards to specify
the changeable portion of the caption.
• Monitor Screen Changes - Enables the fingerprint software to recognize
the previously trained screen when the screen content changes over time
due to system or user activity, for example when the screen contains
complex, long-loading content such as ActiveX or Flash. Since most Web
pages do not fall into this category, this setting is turned off by
default.
• URL - Uniform Resource Locator is a unique, identifying address of any
particular page on the Web. URL can be used by One Touch SignOn to
recognize the previously trained screen. The drop-down menu allows you
to specify the type of matching performed on the URL. By default, the
URL is not used to recognize a fingerprint enabled screen.
When done configuring the Change Password Screen Properties, click Next.
14 On the Setup Complete page, click Finish to save the changes and exit the
wizard.
Change password screens set up with One Touch SignOn display a
DigitalPersona icon in the title bar, as well as a balloon telling the user to touch
the reader to begin the change password process.
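The Password Policy dialog options listed above, in both the automatic wizard (step 8) and the manual wizard (step 9), can be modelled in code. The following Python example is added here; it is not DigitalPersona's code. The class, option names and rule messages are this example's own, and string.punctuation stands in for the special-character list the guide gives (the same 32 symbols). It validates a user-provided password against a policy and generates a random password that satisfies the same policy, including the three "different from" constraints.

```python
import secrets
import string
from dataclasses import dataclass

# Same 32 symbols the guide lists for "Letters and numbers with special
# characters"; the guide also notes that spaces are not allowed.
SPECIAL = string.punctuation

# Password content options of the Password Policy dialog (names are this
# example's own, chosen to mirror the dialog text).
CONTENT_OPTIONS = (
    "letters_and_numbers",         # any combination of letters and/or numbers
    "letters_only",
    "numbers_only",
    "letters_numbers_special",     # letters/numbers plus at least one special
    "letters_numbers_one_number",  # letters and numbers, both must be present
)


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 32
    contents: str = "letters_numbers_one_number"
    # "Additional password constraints" from the dialog
    different_from_windows: bool = False
    different_from_registered: bool = False
    different_from_current: bool = False

    def allowed_alphabet(self) -> str:
        """Characters a password may contain under the selected contents rule."""
        if self.contents == "letters_only":
            return string.ascii_letters
        if self.contents == "numbers_only":
            return string.digits
        if self.contents == "letters_numbers_special":
            return string.ascii_letters + string.digits + SPECIAL
        return string.ascii_letters + string.digits

    def violations(self, candidate, *, windows_pw=None, registered=(), current=None):
        """Rules the candidate breaks; an empty list means it is accepted."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append("too short")
        if len(candidate) > self.max_length:
            problems.append("too long")
        alphabet = self.allowed_alphabet()
        if any(ch not in alphabet for ch in candidate):
            problems.append("disallowed character")  # spaces end up here
        has_letter = any(ch in string.ascii_letters for ch in candidate)
        has_digit = any(ch in string.digits for ch in candidate)
        has_special = any(ch in SPECIAL for ch in candidate)
        if self.contents == "letters_numbers_special":
            if not (has_letter or has_digit):
                problems.append("letter or number required")
            if not has_special:
                problems.append("special character required")
        if self.contents == "letters_numbers_one_number" and not (has_letter and has_digit):
            problems.append("both letters and numbers required")
        # Uniqueness constraints: compare with the other secrets the dialog names
        if self.different_from_windows and candidate == windows_pw:
            problems.append("same as Windows password")
        if self.different_from_registered and candidate in registered:
            problems.append("same as a password registered with OTS")
        if self.different_from_current and candidate == current:
            problems.append("same as current password")
        return problems

    def generate(self, **context) -> str:
        """Random password satisfying the policy, drawn with a CSPRNG.
        context takes the same keyword arguments as violations()."""
        if self.min_length > self.max_length:
            raise ValueError("minimum length exceeds maximum length")
        length = min(max(self.min_length, 12), self.max_length)
        alphabet = self.allowed_alphabet()
        for _ in range(1000):  # rejection sampling until every rule holds
            candidate = "".join(secrets.choice(alphabet) for _ in range(length))
            if not self.violations(candidate, **context):
                return candidate
        raise ValueError("could not generate a password satisfying the policy")


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8, max_length=16,
                            contents="letters_numbers_special",
                            different_from_current=True)
    print(policy.violations("Correct 1!", current="old"))
    print(policy.generate(current="old"))
```

The generator draws from the secrets module, a cryptographically secure source, because a generated password that only a fingerprint ever unlocks is exactly the case where predictability would matter. Using one policy object both to generate and to verify is the practical form of the Note above: the rules the wizard enforces have to be the same rules the Web site or program enforces, or generated passwords will be rejected at submission.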
Managing Containers
This section describes how to edit and delete containers. For instructions on
creating a container, see “Create an OTS Container” on page 95.
Editing Containers
You cannot change the location of a folder associated with a container, but you
can rename it.
To edit the name of a container:
1 Select the container whose name you wish to edit.
2 Right-click the container to display its context menu.
3 Click Properties.
4 Enter a new name for the container and click OK.
Deleting Containers
When you delete a container, you can choose whether or not to delete the
template files in the folder.
To delete a container:
1 Select the container you wish to delete.
2 Right-click the container to display its context menu, then select Delete
Container OR press the Delete key. A confirmation message is displayed.
3 If you are not sure you want to delete the container, click No.
If you are sure you want to delete the container and you also want to delete
all the templates contained in the container folder, select Delete all
templates in the selected container, then click Yes.
Note
If you delete a container and its templates, you must either update the
corresponding OTS GPO to point to a new container, or delete the GPO itself.
For detailed information about how to work with the DigitalPersona GPOs, refer
to “Configuring Policies and Settings” on page 56.
Managing Templates
This section describes various ways to search for templates, as well as how to
edit, delete and deploy templates. It consists of the following topics.
• “Finding Templates” on page 122
• “Finding Fields in Templates” on page 123
• “Finding Redundant Templates” on page 123
• “Editing Templates” on page 124
• “Deploying Templates” on page 125
• “Deploying OTS Templates on a Local Computer” on page 125
For instructions on creating a template see one of the following topics:
• “Creating a Logon Screen Template automatically” on page 97
• “Creating a Logon Screen Template Manually” on page 103
• “Creating a Change Password Screen Template Automatically” on page 112
• “Creating a Change Password Screen Template Manually” on page 116
Finding Templates
You can search for templates in specific containers.
To find templates in the OTS Administration Tool:
1 Select Find Template on the Tools menu.
2 The name, caption and URL fields are available for a pattern-matching
search. Select the containers to search in from the list and click Find.
3 The search results display in the dialog.
4 You can save the results of the search by clicking Save. Specify a location
and file name to save the results.
The results are saved as an HTML table that includes the template name, file
name and container.
Finding Fields in Templates
You can search for templates that contain certain fields defined in the Field
Catalog of a container. You can select fields from a Field Catalog.
To search for templates that contain certain fields:
1 Select the container that uses the Field Catalog you want to use.
2 Select Field Usage from the Tools menu.
3 Select the fields from the Field Catalog and click Find.
The search results display in the dialog.
4 You can save the results of the search by clicking Save. Specify a location
and file name to save the results.
The results are saved as an HTML table that includes the caption, template
name, created date, modified date and file name.
Finding Redundant Templates
You can search for redundant templates, which are multiple templates created
for a single logon or change password screen.
To search for redundant templates:
1 Click Check redundancy on the toolbar.
2 In the displayed containers list, select the containers to search in and click
Check.
The search results display in the dialog.
3 You can save the results of the search by clicking Save. Specify a location
and file name to save the results.
The results are saved as an HTML table that includes the container, template
name, caption, screen type, created date, modified date and file name.
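The caption and URL matching described in Table 9-5 under Screen Detection, and the redundancy check above, can be illustrated together. The following Python example is added here and is not DigitalPersona's code; the template fields, the URL match types (none, exact, prefix, host) and the sample templates are this example's own assumptions, with fnmatch-style wildcards standing in for the special characters allowed in a caption. It decides which templates would recognize a given screen and lists pairs of templates that cover the same screen, which is what makes them redundant.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Template:
    name: str
    container: str
    screen_type: str          # "logon" or "change password"
    caption: str              # window caption; '*' stands for the changing part
    url: str = ""             # URL recorded in the template, if any
    url_match: str = "none"   # assumed match types: none, exact, prefix, host


def caption_matches(template, caption):
    """Wildcard match of the live window caption against the template's
    caption ('*' is the wildcard the guide mentions; fnmatch semantics)."""
    return fnmatchcase(caption, template.caption)


def url_matches(template, url):
    """Apply the template's URL match type to the live URL."""
    kind = template.url_match
    if kind == "none":      # URL not used for recognition (the default)
        return True
    if kind == "exact":
        return url == template.url
    if kind == "prefix":    # tolerates changing paths or query strings
        return url.startswith(template.url)
    if kind == "host":      # tolerates load-balancer redirects on one host
        return urlsplit(url).hostname == urlsplit(template.url).hostname
    raise ValueError(f"unknown URL match type: {kind}")


def find_matching(templates, caption, url, screen_type="logon"):
    """Templates that would recognize a screen with this caption and URL."""
    return [t for t in templates
            if t.screen_type == screen_type
            and caption_matches(t, caption) and url_matches(t, url)]


def overlap(a, b):
    """True when one template would recognize the screen the other was
    trained on, i.e. the two are redundant templates for a single screen."""
    if a.screen_type != b.screen_type:
        return False
    captions = caption_matches(a, b.caption) or caption_matches(b, a.caption)
    urls = url_matches(a, b.url) or url_matches(b, a.url)
    return captions and urls


def find_redundant(templates):
    """Pairs of redundant templates, the content of a Check redundancy report."""
    return [(a, b) for i, a in enumerate(templates)
            for b in templates[i + 1:] if overlap(a, b)]


# Constructed sample templates (not real deployment data).
TEMPLATES = [
    Template("Webmail", r"\\files\ots\web", "logon",
             "Sign in - Webmail - *", "https://mail.example.com/login", "host"),
    Template("Webmail-old", r"\\files\ots\web", "logon",
             "Sign in - Webmail - Internet Explorer", "https://mail.example.com/", "prefix"),
    Template("Webmail-pwchange", r"\\files\ots\web", "change password",
             "Change password - Webmail - *", "https://mail.example.com/", "prefix"),
    Template("HR Portal", r"\\files\ots\apps", "logon",
             "HR Portal Login", "https://hr.example.com/", "exact"),
    # An over-broad caption with no URL check matches every logon window, so
    # stored account data would be offered on screens it was never meant for.
    Template("Catch-all", r"\\files\ots\apps", "logon", "*"),
]

if __name__ == "__main__":
    for a, b in find_redundant(TEMPLATES):
        print(f"{a.container}: {a.name!r} and {b.name!r} cover the same "
              f"{a.screen_type} screen")
```

The Catch-all template shows why a caption pattern should keep as much invariant text as possible: a caption of * with no URL check matches every logon window, so the user's stored account data is offered on screens the template was never trained on, and the redundancy check flags it against every other logon template. Conversely, the HR Portal template with exact URL matching stops recognizing its own screen as soon as a session parameter is appended to the URL, which is the changing-URL case that a prefix or host style of matching is meant for.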
Editing Templates
Any logon or change password screen template can be edited in the OTS
Administration Tool.
To edit a template:
1 Select the container that includes the template.
2 Select a template to edit.
3 Right-click the template to display its context menu, then click Edit. OTS
Administration Tool launches the Logon Screen Wizard.
4 Edit the template as described in “Creating a Logon Screen Template
Manually” on page 103 or “Creating Change Password Screen Templates”
on page 111.
5 Click Next to continue with the wizard. Click Finish to exit the wizard.
Deleting Templates
Logon screen setups cannot be deleted without deleting the entire template,
including any change password screen setup.
To delete a template:
1 In the OTS Administration Tool, select the container that includes the
template.
2 Select the template to be deleted.
3 Right-click the template to display its context menu, then click Delete.
4 To delete the entire template, specify All Screens.
To delete only the Change Password Screen, specify Change Password
Screen.
Deploying Templates
OTS templates are automatically deployed to all DigitalPersona Pro
Workstation users. However, newly created templates will not be available to a
user until they either log out and log in again, or until a local template is
created or edited using either the One Touch Internet or One Touch SignOn tools.
Automatic deployment requires that the path to the container(s) where the
templates are stored has been entered in the GPO governing the specified
workstation, and that the designated folder is accessible to the workstation. See
“Setting up OTS” on page 93 for specific instructions.
Deploying OTS Templates on a Local Computer
Administrators may want to deploy OTS templates on a local computer:
• To test OTS templates on a Pro Workstation before distributing them to other
computers on a network or
• When a specific computer does not have access to the container the template
is stored in.
Note
In order to deploy OTS templates on a local computer, you must first add the
Workstation Administrative Template to the computer. The default
DigitalPersona Pro Workstation installation copies the Workstation
Administrative Template to the computer, but does not install it.
This template can be added to the Local Policy Object on a workstation to
enable GPO settings on the local computer, including the OTS settings. For
instructions on adding the Administrative Template, see “Install Workstation
Template Locally” on page 41.
To set the container path for OTS templates
The following procedure requires that the Workstation Administrative Template
has already been added to the Local Policy object.
1 Create a folder on the local hard drive to use as a container for the OTS
templates.
2 Copy the OTS templates into the folder that you just created.
3 In MMC, navigate to the User Configuration/Administrative Templates/DigitalPersonaPro/DigitalPersona Pro Workstation/OTS node.
4 Double-click the One Touch SignOn configuration setting to open its
Properties dialog.
5 On the Setting tab, select Enable.
6 In the Path to the container of templates box, enter the name of the local
folder that you created in step 1.
7 Click OK to close the dialog box.
One Touch SignOn Settings
Two-Factor Authentication and Other Policies
Various authentication policies, specifically, fingerprint and password,
fingerprint or password, and fingerprint only, can be applied to the logon
process with the One Touch SignOn Logon Screen Setup Wizard. Following is a
list of each authentication policy, with instructions for implementing them when
setting up a logon screen with the One Touch SignOn Logon Screen Setup
Wizard:
• Fingerprint and password. Choose Ask Always as the value of the
password field on the Logon Fields page and enable the Start Authentication
Immediately and Lock Out logon fields options on the Logon Screen
Templates Properties page. When a user accesses the logon screen, they are
immediately presented with a fingerprint authentication screen and are
unable to bypass it because the logon fields are locked out. Once they submit
a registered fingerprint, they are prompted by One Touch SignOn to type
their password.
• Fingerprint only. Enable the Start Authentication Immediately and Lock
Out logon fields options on the Logon Screen Templates Properties page.
When a user accesses the logon screen, they are required to touch the reader
with a registered finger and are unable to bypass fingerprint authentication
until they do. Once they submit a registered fingerprint, they are logged on,
assuming that the password value has already been specified in the template
or by the user the first time they logged on via use of the Ask-Reuse option
on the Logon Fields page.
Password only is the default authentication policy for all password-protected
Web sites and applications that do not use One Touch SignOn. A fingerprint or
password policy applies to OTS-enabled logon screens that allow a user to either
type their password manually or touch the reader to automatically provide it.
GPO Settings
Settings in the One Touch SignOn GPO can impact the way users can use
templates for a password-protected Web site or program. Each GPO setting and
a description is provided below. By default, all options are enabled.
One Touch SignOn GPOs can be configured using the Group Policy Editor. The
policy settings are found in the following path:
User Configuration/Administrative Templates/DigitalPersona Pro
Note
If you are upgrading an existing installation of DigitalPersona Pro to include
support for One Touch SignOn, you must add the DigitalPersona Pro ADM file
again, as described in “Install the Administrative Templates” on page 36, to
access One Touch SignOn settings.
With the DigitalPersona Pro folder selected, double-click One Touch SignOn
Configuration to access these GPO settings:
• Show clear text passwords. Enable this option to show password field
values to the end user when they are prompted to provide a password.
• Allow users to edit account data. When enabled, this option permits end
users to change the values of logon screen fields by clicking the reader icon
located in the title bar of the logon screen.
• Allow users to add account data. This option allows end users to add
account data fields for Web sites and applications from their computers.
• Allow users to delete account data. Allows end users to remove account
data from a template.
• Path to the container of templates. Specify the path to the container in the
Container Path field to provide access to the templates it contains for
DigitalPersona Pro Workstation users. The container path is determined
when creating a new container, as described in “Create an OTS Container”
on page 95. You can add multiple paths by separating them with the pipe (|)
character.
Logging On with One Touch SignOn
After templates have been created and deployed, end users can launch a logon
screen and touch the fingerprint reader with a registered finger to log on. If a
Quick Link was defined in the template, users can select the Quick Link from
the One Touch Menu to launch the Web site logon screen. Quick Links only
display in the One Touch Menu after the user has visited them and used their
fingerprint to log on.
Logon screens that have a template created for them display a DigitalPersona
icon in the title bar and a balloon informing the user to log on with a fingerprint.
A balloon indicates that the Web site or program is set up for fingerprint logon.
Depending on the template attributes, the logon process may vary. For example,
the user can be automatically logged on by touching the reader, i.e. the fields can
be automatically populated and submitted.
In other cases, the user is prompted to choose a set of account data or provide
logon field values. If there are multiple accounts for the same logon screen, the
user is prompted to select an account in the Select Account Data dialog box. The
user must click the name of the account to use and click OK to log on.
When the user is prompted to type values for logon fields, the Enter Account
Data dialog box displays. This dialog box displays when the user has required
fields where the values are not yet specified. In the dialog box, the user can
provide the appropriate values for the fields and click OK to log on.
Providing Logon Field Values
If the template contains logon field values that are provided by the end user,
the Logon Field Values dialog box opens, listing each field needing a value and
allowing the user to enter them before logging on.
The appearance of this dialog box is dependent on the Value attribute, such as
Ask-Reuse, Ask-Confirm or Ask Always, for fields in a template.
If the Show Password Values in Fields option in the GPO is enabled or not
configured, the user can click the “Show passwords during editing” button to
display the password as they edit it. Otherwise, the characters in the password
are replaced with a bullet.
Choosing an Account
If a logon screen is set up for multiple accounts, the Select Account Data
dialog box is displayed, prompting the user to select the set of account data
they want to use.
When the user selects the set of account data, they can click OK to log on.
Providing Multiple Credentials
Two-factor authentication, as well as other authentication policies, can be
applied to logon screens, which may require the user to first provide a registered
fingerprint and then a password, for example. Two-factor authentication and
implementing authentication policies with One Touch SignOn is described in
“Two-Factor Authentication and Other Policies” on page 127.
Changing Passwords with One Touch SignOn
Change password screens that have a template created for them display a
DigitalPersona icon in the title bar and a balloon informing the user to provide a
fingerprint. The user is asked to provide the old password, a new password and
to confirm the new password. Depending on the template attributes, the change
password process may vary. For example, the user can be allowed to choose a
new password with or without constraints on the password complexity.
In other cases, the new password is generated automatically by the system. In
this case, the user must log on with a fingerprint.
User Query Tool
The DigitalPersona Pro User Query Tool is used to query the DigitalPersona Pro
for Active Directory user database for information about DigitalPersona Pro
users.
It can provide information such as:
• Total users
• Total registered users
• Users registered between certain dates
• Number of fingerprints and more
The User Query Tool can be run as an Interactive Query, from the command
line, or from within a script. It can be installed through the Custom option
during installation of the Administration Tools.
Whether a query is run as an interactive query, from the command line, or from
within a script, the results of the query will contain the following information:
• Total users
• Total registered users
• Found users
• Registered between [Begin Date] and [End Date]
• Number of fingerprints
• Application data
• Containers searched [configurable]
• Recursive [Yes|No]
For each user that matches the query, the following information is displayed:
• User Full name (if available)
• User NT name
• User UPN name
• Number of fingerprints registered
• Date/Time when user record was created
• Date/Time user record was last updated
• Total number of secrets in user record (If a specific secret was queried,
reports Yes or No.)
Query results are shown in the Results window, and can be copied to the
clipboard from there. They may also be saved to a tab-delimited file.
Running an Interactive Query
To run an interactive query:
1 On the Start menu, point to All Programs, point to DigitalPersona Pro and
click User Query Tool.
2 In the console, click on the node that you want to query.
3 Select the parameters that you want to use for the query.
4 In order to capture the full detailed results of the query, you must enter a path
and file name to save the results of the query to.
The results of the query will be saved as a tab-delimited file, which can then
be imported into Microsoft Excel or other spreadsheet programs.
5 Click the Run button.
When the query finishes, a brief summary of the results is displayed in the
lower portion of the window. The summary can be copied from the panel to the
Windows clipboard by selecting the summary information and pressing CTRL-A,
then CTRL-C.
Note
To add your own Secrets to the Query, click the Add button and enter the name
of the Secret.
Running from the Command Line
To run the User Query Tool from the command line:
1 On the Start menu, click Run to open the Run dialog.
2 Type your user query.
3 Click OK to run the query.
Example:
RunDll32.exe [Full Path]DPUserQuery.dll, CmdQuery /o "CN=Users;DC=mycompany;DC=com" /d1 "01/23/2006" /d2 "12/31/2006" /f1 2 /f2 3 /s /s LogonSystemInfo /r /f "C:\dpusers.log"
This query will find all users in the mycompany.com domain whose
fingerprints were either created or modified between January 23rd, 2006 and
December 31st, 2006, and who have registered at least 2 but no more than 3
fingerprints. Additionally, it will display the number of secrets each of those
users has, and whether or not they have the "LogonSystemInfo" secret.
Finally, it will write the results to the file "C:\dpusers.log".
All parameters are optional except for /o.
The available parameters for the user query are:
/o
    Required. CN=[common name];DC=[domain component]
    Example: /o "CN=Users;DC=mycompany;DC=com"

/d1
    Earliest creation or modification date to include in the query.
    Format: mm/dd/yyyy.
    Example: /d1 "01/23/2006"

/d2
    Latest creation or modification date to include in the query.
    Format: mm/dd/yyyy.
    Example: /d2 "12/31/2006"

/f1
    Minimum number of fingerprints. Value = 1-10
    Example: /f1 1

/f2
    Maximum number of fingerprints. Value = 1-10
    Example: /f2 2

/s
    Secrets - Display number of Secrets for each user. If followed by the
    name of a Secret, reports Yes or No indicating whether the Secret exists
    for the specified user.
    Examples: /s
              /s LogonSystemInfo
              /s LogonSystemInfo /s "OTS Protected Storage"

/r
    If present, the query will be recursive, i.e. will query any nested
    containers.
    Example: /r

/f
    Enter the path and file name where you would like to store the results
    of the query. If omitted, results are sent to stdout.
    Example: /f "C:\dpusers.log"

@
    Specifies the name of a .cmd file where parameters for the query are
    stored. If used:
    • include the full path and filename.
    • specify the parameters exactly the same as you would on the command
      line, with no extra characters or lines.
    • do not include any other parameters on the command line.
    Example: @"c:\scripts\myquery.cmd"

/? or /h
    Displays command line help for the User Query Tool when used as the only
    parameter. Help will also be displayed if the tool is called with no
    parameters.
    Examples: RunDll32.exe DPSrvQuery.dll, CmdQuery /?
              RunDll32.exe DPSrvQuery.dll, CmdQuery /h
              RunDll32.exe DPSrvQuery.dll, CmdQuery
Note
Omitting the /d1, /d2, /f1 and /f2 parameters will report all users with registered
fingerprints.
Setting both /f1 and /f2 to 0 will return all users who have no registered
fingerprints.
Script Use
The DigitalPersona Pro User Query Tool may be run from within a script.
See the previous pages for a description of the syntax to use.
Example
RunDll32.exe [Full Path]DPUserQuery.dll, CmdQuery /o "CN=Users;DC=com;DC=mycompany" /d1 "06/09/2006" /d2 "06/09/2006" /f1 2 /f2 3 /s LogonSystemInfo /s "OTS Protected Storage" /r /f "C:\dpusers.log"
To specify the query parameters in a text file
• Include the full path and filename.
• Specify parameters the same as on the command line, with no extra
characters or lines.
• Do not include any other parameters on the command line.
Example
RunDll32.exe [Full Path]DPSrvQuery.dll, CmdQuery @[path/filename].cmd
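The switch syntax described above, assembled and checked by a small Python helper. This is an added example, not code from the guide or from DigitalPersona: the function names are this example's own, it only builds the argument string and the parameter-file text (it never runs RunDll32), it accepts 0 for /f1 and /f2 because the note above uses /f1 0 /f2 0 for users without registered fingerprints, and it uses DPUserQuery.dll throughout even though the guide's help examples also name DPSrvQuery.dll.

```python
"""Build and validate User Query Tool command lines (added example, not code
from the guide or from DigitalPersona). It assembles the RunDll32 argument
string from the documented switches and checks the constraints the guide
states; it never runs the tool. Function names are this example's own."""
from datetime import datetime
from typing import Iterable, List, Optional

DLL_NAME = "DPUserQuery.dll"   # name used in the guide's query examples
ENTRY_POINT = "CmdQuery"

def _quote(value: str) -> str:
    """Double-quote a value, as the guide does for DNs, dates and paths."""
    if '"' in value:
        raise ValueError("double quotes are not allowed inside a value")
    return f'"{value}"'

def _parse_date(switch: str, value: str) -> datetime:
    """/d1 and /d2 take mm/dd/yyyy, e.g. 01/23/2006."""
    try:
        return datetime.strptime(value, "%m/%d/%Y")
    except ValueError as exc:
        raise ValueError(f"{switch} must be mm/dd/yyyy, got {value!r}") from exc

def _check_finger_count(switch: str, value: int) -> None:
    # Documented range is 1-10; 0 is accepted because /f1 0 /f2 0 is the
    # guide's way of selecting users with no registered fingerprints.
    if not 0 <= value <= 10:
        raise ValueError(f"{switch} must be between 0 and 10, got {value}")

def build_query_args(container: str, date_from: Optional[str] = None,
                     date_to: Optional[str] = None, min_fingers: Optional[int] = None,
                     max_fingers: Optional[int] = None, count_secrets: bool = False,
                     secrets: Iterable[str] = (), recursive: bool = False,
                     output_file: Optional[str] = None) -> List[str]:
    """Switch tokens in the order the guide's examples use; container is /o."""
    if not container.startswith("CN="):
        raise ValueError("/o is required: CN=[common name];DC=[domain component]")
    args = ["/o", _quote(container)]
    start = _parse_date("/d1", date_from) if date_from is not None else None
    end = _parse_date("/d2", date_to) if date_to is not None else None
    if start is not None and end is not None and start > end:
        raise ValueError("/d1 must not be later than /d2")
    if date_from is not None:
        args += ["/d1", _quote(date_from)]
    if date_to is not None:
        args += ["/d2", _quote(date_to)]
    if min_fingers is not None:
        _check_finger_count("/f1", min_fingers)
        args += ["/f1", str(min_fingers)]
    if max_fingers is not None:
        _check_finger_count("/f2", max_fingers)
        args += ["/f2", str(max_fingers)]
    if (min_fingers is not None and max_fingers is not None
            and min_fingers > max_fingers):
        raise ValueError("/f1 must not exceed /f2")
    if count_secrets:
        args.append("/s")                     # bare /s: number of secrets
    for name in secrets:                      # /s <name>: Yes/No per secret
        args += ["/s", _quote(name) if any(c.isspace() for c in name) else name]
    if recursive:
        args.append("/r")
    if output_file is not None:
        args += ["/f", _quote(output_file)]
    return args

def validate(container: str, **options) -> Optional[str]:
    """None when the combination is valid, otherwise the error message."""
    try:
        build_query_args(container, **options)
    except ValueError as exc:
        return str(exc)
    return None

def unenrolled_users_args(container: str, recursive: bool = True) -> List[str]:
    """The note above as a query: /f1 0 /f2 0 lists users with no fingerprints."""
    return build_query_args(container, min_fingers=0, max_fingers=0, recursive=recursive)

def command_line(args: List[str], dll_path: str = "") -> str:
    """Full Run-dialog command; dll_path is the guide's [Full Path] prefix."""
    return f"RunDll32.exe {dll_path}{DLL_NAME}, {ENTRY_POINT} " + " ".join(args)

def param_file_text(args: List[str]) -> str:
    """Content for an @ parameter file: the switches on one line, nothing else."""
    return " ".join(args)

def param_file_command(param_file: str, dll_path: str = "") -> str:
    """Invocation that reads its switches from a .cmd file via @."""
    return f'RunDll32.exe {dll_path}{DLL_NAME}, {ENTRY_POINT} @"{param_file}"'
```

Calling build_query_args with the container, dates, finger range, secret and output file from the first example above reproduces that command line token for token. unenrolled_users_args is the enrollment audit the note describes (who has no registered fingerprints), and param_file_text is deliberately a single line with no trailing newline, which is what the @ switch requires.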
Cleanup Wizard
Although the Add/Remove Programs Control Panel uninstalls DigitalPersona
Pro Server software, the user data—such as fingerprint credentials and secure
application data—and global domain data remain in Active Directory.
DigitalPersona provides the DigitalPersona Pro Cleanup Wizard to remove this
data. However, if you are planning to reinstall DigitalPersona Pro Server, you
may want to retain the user data.
Note
This wizard provides full cleanup of all DigitalPersona Pro data. For removal of
individual user data, see “Deleting User Credentials using the ADSI Edit Tool”
on page 76.
To run the DigitalPersona Pro Cleanup Wizard
1 Double-click DPCleanup.exe to launch the DigitalPersona Pro Cleanup
Wizard, which is located on the Server installation CD in the AD Clean Up
folder in the Administration Tools folder.
2 When the installer runs, you are prompted to choose the type of clean up you
want to perform:
• Delete DigitalPersona Pro user data. This option removes all
DigitalPersona Pro data associated with users on the domain, such as
fingerprint credentials and secure application data. If you choose to delete
DigitalPersona Pro user data, all users in the domain must register their
fingerprints again.
• Full clean up. This option removes both DigitalPersona Pro data
associated with users on the domain and global data. If you choose full
clean up, you must reinstall all DigitalPersona Pro Servers on the domain
and run the Active Directory Domain Configuration Wizard again.
3 When prompted to proceed with the removal of DigitalPersona Pro data,
click Yes.
4 Choose a location and name for the log file generated during the data
removal process.
The wizard will then remove the data from Active Directory; however, you must
manually remove any DigitalPersona Pro Group Policy Objects.
Warning
Data changes take time to propagate in Active Directory. Do not configure a
domain for DigitalPersona Pro Server or reinstall Server software until all
changes made by the removal of domain global data are replicated throughout
the domain.
Running the DigitalPersona Pro Clean Up Wizard will render all Pro Servers on
the domain inoperable. To restore the Pro Server functionality after performing a
full cleanup, run the Active Directory Domain Configuration Wizard again, as
described in “Configure each domain” on page 34, and then reinstall Pro Server.
Chapter 10 - DigitalPersona Pro Workstation
DigitalPersona Pro Workstation provides several features that incorporate
biometric authentication for secure sign-on to Windows, applications and Web
sites, as well as for locking and unlocking the computer.
This chapter describes the features of DigitalPersona Pro Workstation, and the
procedures for performing common tasks on the Workstation, through the
following topics:
• “Features Overview” on page 139
• “One Touch Menu” on page 141
• “Reader Icon and Menu” on page 143
• “Fingerprint Reader Visual Cues” on page 145
• “Fingerprint Registration” on page 147
• “One Touch Logon” on page 151
• “One Touch Features” on page 158
• “One Touch Internet” on page 159
• “DigitalPersona Pro Workstation Properties” on page 165
• “Deleting Registered Fingerprints” on page 167
• “Changing Your Windows Password” on page 168
• “Fingerprint Reader Usage and Maintenance” on page 169
Features Overview
DigitalPersona Pro Workstation includes the following features. The availability
of particular features, and the behavior of some features can be configured by
the administrator.
This topic provides a brief description of each feature, in the same order as they
are introduced in the rest of the chapter.
One Touch Menu
The One Touch Menu provides convenient one touch access to many of the
features of the DigitalPersona Pro Workstation. The administrator can control
which features are listed on the menu through modifying the registry keys for
the One Touch Menu, exporting the new settings in a .reg file and importing
those settings on the target machines (see “One Touch Menu Content” on page
196).
Reader Icon and Menu
The Reader Icon, displayed in the taskbar notification area, indicates whether or
not a fingerprint reader is connected, and provides single-click access to many
of the features of DigitalPersona Pro Workstation.
Fingerprint Reader Visual Cues
During the processes of Fingerprint Registration and Authentication (explained
below), an attached or embedded fingerprint reader is used to scan the user’s
fingerprints. Visual cues let the user know the status of the reader, the result of
fingerprint scans, and the success or failure of authentication.
Fingerprint Registration
In order to access the main features of DigitalPersona Pro Workstation, the end
user must first register their fingerprints. Templates of their registered
fingerprints are used in the authentication process that provides the convenience
and security of One Touch Logon, One Touch Internet and One Touch Lock/
Unlock.
One Touch Logon
One Touch Logon provides the ability to log on to a Windows account by simply
touching a fingerprint reader.
One Touch Unlock
One Touch Unlock provides the ability to lock or unlock your computer by
touching a fingerprint reader.
One Touch Internet
One Touch Internet allows the end user to create Fingerprint Logons that can be
used to log on to Web sites by touching a fingerprint reader.
DigitalPersona Pro Workstation Properties
Certain behaviors of DigitalPersona Pro Workstation can be configured by the
end user through the Workstation Properties dialog.
Changing Your Windows password
This topic provides instructions for changing your Windows password. The
procedure for changing your Windows password is slightly different after
DigitalPersona Pro is installed.
Managing Registered Fingerprints
This topic provides instructions for editing and deleting your registered
fingerprints.
Fingerprint Reader Usage and Maintenance
This topic provides instructions on the use and care of the fingerprint reader.
One Touch Menu
The One Touch Menu provides fast and convenient access to the One Touch
applications, settings and help. To enable and configure the One Touch Menu,
refer to “Quick Actions” on page 165. To display the One Touch Menu, place a
registered finger on the reader.
[Figure: the One Touch Menu, with callouts for creating fingerprint logons for Web sites and programs, quick access to fingerprint-enabled Web sites, launching Online Help for Pro Workstation, and configuring Pro Workstation properties]
The One Touch Menu provides the following commands:
Create Fingerprint Logon
The Create Fingerprint Logon menu item launches the Fingerprint Logon
Wizard, which guides the user through the process of setting up their personal
Web site logon screens, as described in “One Touch Internet” on page 159.
This item appears on the One Touch Menu if One Touch Internet is installed.
Quick Links
Point to Quick Links to display the One Touch SignOn and One Touch Internet
Quick Links for Web sites. Click a Quick Link to launch the associated
password-protected Web site. The appropriate account data will also be
submitted.
For more information on One Touch SignOn and creating templates for
programs and Web sites, refer to “One Touch SignOn Administration Tool” on
page 92.
Help
Clicking Help launches the Online Help file for DigitalPersona Pro Workstation
for Active Directory. It contains step-by-step instructions for using various
product features, including use of the One Touch applications.
Properties
Click Properties to configure DigitalPersona Pro on the Workstation, as
described in “DigitalPersona Pro Workstation Properties” on page 165.
Reader Icon and Menu
When DigitalPersona Pro Workstation is installed on a workstation, a reader
icon is placed in the taskbar notification area. It displays the connectivity status
of the reader and provides convenient access to various functions.
• When the reader is connected and the driver is installed, the reader icon
appears.
• If the reader is not connected, a red X is displayed over the reader icon.
[Figure: the two reader icons. One indicates the reader is connected and the driver is installed; the other indicates the reader is disconnected or the driver is not installed]
The reader icon also provides a shortcut menu to the features described below:
Lock Computer
Lock Computer immediately locks your computer so that others cannot use it.
The procedure for unlocking the computer will depend on the logon policy
applied to the computer. You can also double-click the reader icon to lock your
computer.
Properties
Click Properties to configure DigitalPersona Pro on your computer, as described
in “DigitalPersona Pro Workstation Properties” on page 165.
Help
Clicking Help launches the Online Help for DigitalPersona Pro Workstation.
About
Click About to get the version number for DigitalPersona Pro Workstation.
Hide Icon
To hide the reader icon, click the Hide Icon. To display the icon again, use the
DigitalPersona Pro Properties dialog box, as described in “Show Fingerprint
Reader Icon on Taskbar” on page 166.
Fingerprint Reader Visual Cues
DigitalPersona Pro Workstation provides several visual cues related to the
process of scanning your fingerprints.
Fingerprint Prompt Feedback
Pro Workstation displays a stylized fingerprint to prompt the user
to place their finger on the fingerprint reader.
If the reader is connected, but not yet available for use, an
hourglass is shown on top of the fingerprint.
When the hourglass disappears, you may place a registered finger
on the reader.
Fingerprint Scan Acquisition Feedback
When your fingerprint has been scanned, the fingerprint image
has a darker background.
You can also specify that a sound plays, and/or disable display of
the feedback icons. See “Enable Sound Feedback” on page 166
and “Enable Visual Feedback” on page 166.
Fingerprint Recognition Feedback
Pro Workstation uses these images to indicate whether the scanned fingerprint is
recognized as a registered fingerprint.
If the fingerprint scan is recognized, it displays a checkmark over
the fingerprint image.
If the fingerprint scan is not recognized, it displays a question
mark over the fingerprint image.
If the account is locked out or fingerprint authentication is not
allowed, a circle with a diagonal line through it is placed over the
fingerprint image.
Reader Not Found Feedback
An image that consists of a reader with a red X over it displays on the logon
screen, desktop and notification area on the taskbar if a reader is not connected
or installed.
[Figure: the reader-not-found icon as shown in the logon screen and in the notification area]
The fingerprint reader may not be available due to the following reasons:
• The fingerprint reader is not connected.
• The fingerprint reader driver is either not installed or requires updating.
Swipe Readers
The user experience is the same with either the DigitalPersona U.are.U
Fingerprint Reader or supported swipe readers embedded in many popular
notebooks.
The user may register their fingerprints with either the DigitalPersona U.are.U
Fingerprint Reader or the embedded swipe reader.
Note
You may only use one fingerprint reader during the fingerprint registration
process. If you use the DigitalPersona Fingerprint Reader, then switch to a swipe
reader, or vice versa, the registration process will fail.
Fingerprint Registration
The Fingerprint Registration Wizard guides the end user through the process of
registering their fingerprints.
• A user must have a Windows user account and be logged on to that account
to register their fingerprints.
• If the user has not registered fingerprints yet, and One Touch Logon is
installed, the Fingerprint Registration Wizard launches automatically after
their first subsequent logon.
• Fingerprints should be registered the first time that the Fingerprint
Registration Wizard displays, since logon settings may require the user to
provide a fingerprint the next time they log on.
In order to successfully register a fingerprint, the fingerprint must be scanned
four times by the fingerprint reader. “Fingerprint Reader Usage and
Maintenance” on page 169 contains guidelines on how to correctly place the
finger on the fingerprint reader.
Note
When using Attended Fingerprint Registration (see page 90), the Fingerprint
Registration Wizard is disabled.
To register fingerprints using the Fingerprint Registration Wizard
1 If the Fingerprint Registration Wizard does not start automatically, launch
the Fingerprint Registration Wizard by doing one of the following:
• Press Ctrl-Alt-Delete and click Manage Fingerprints. Select
Fingerprint Registration from the drop-down menu and click OK.
• If One Touch Logon is not installed: on the Start menu, point to All
Programs, point to DigitalPersona Pro and then click Fingerprint
Registration Wizard.
2 Click Next. If the Fingerprint Registration Wizard cannot locate a
DigitalPersona Pro Server, your registered fingerprints will be saved on this
computer instead of in Active Directory. You are prompted to confirm that
you want to save your fingerprints locally only. This prevents you from using
your registered fingerprints from another computer. Click Yes to confirm, or
click No, troubleshoot to determine why a DigitalPersona Pro Server was not
found, and rerun the wizard when the problem is resolved.
3 When prompted, verify your identity, either by typing your Windows
password if you do not have any registered fingerprints yet, or by touching
the reader with any registered finger.
4 An outline of two hands is displayed. Fingers that are already registered are
highlighted in green. Click the finger you want to register on the outline.
Note
Clicking a green highlighted finger deletes the associated registered
fingerprint.
[Figure: the Fingerprint Registration Wizard. The title bar indicates local or server storage of fingerprint credentials; fingers highlighted in green are already registered]
5 When you have selected a finger to register, you are prompted to place that
finger on the reader four times. The Fingerprint Registration Wizard provides
feedback indicating the quality of each fingerprint scan. If the fingerprint
scan is not of an acceptable quality, you are prompted to touch the reader
again.
When you have provided four good fingerprint scans, the fingerprint is
successfully registered and is highlighted in green on the outline.
[Figure: scan feedback for a successful fingerprint scan and for an unsuccessful fingerprint scan]
6 Click Next or select another finger to register by clicking a finger that is not
highlighted on the outline.
The number of fingers you are allowed to register is determined by the value
of the Maximum Number of Fingers setting, as described on page 66.
If the settings allow, it is recommended that you register two fingers,
preferably the index finger of both hands. Registering two or more fingers
ensures that in the event you cannot use one registered finger, you can use the
other.
7 If you only registered one fingerprint, you may be prompted to register
another. Click Yes to register another fingerprint or click No to close the
prompt.
8 Click Finish to exit the wizard and save your changes.
Your registered fingerprint can now be used to log on to your Windows account
as well as programs and Web sites that have been set up for fingerprint logon.
One Touch Logon
One Touch Logon provides the ability for the user to log on to their Windows
account by simply touching a supported fingerprint reader.
After DigitalPersona Pro Workstation has been installed on a computer:
• If the One Touch Logon feature has been enabled, the standard Windows
logon dialog box is replaced with the One Touch Logon dialog box.
• If the One Touch Logon feature has not been enabled, the user’s logon
procedure will not change. However, they will still need to register their
fingerprints in order to use other DigitalPersona Pro features. See
“Fingerprint Registration” on page 147.
Before a user can use One Touch Logon, they must first log on as usual and
register their fingerprints.
Logging on to Windows
One Touch Logon supports logging on to Windows user accounts by using any
registered fingerprint, a fingerprint and a PIN (Personal Identification Number),
a fingerprint and the Windows password, or a smart card.
One Touch Logon prompts users for their credentials according to the logon
policy, cached credentials, and identification list settings implemented by the
administrator.
Logon Policy
One Touch Logon first uses the logon policy applied to the computer through
the Workstation Administrative Template (as described in “Multi-credential
Logon to Windows” on page 69) to determine which credentials are needed to
log on.
• If a logon policy requires a registered fingerprint, One Touch Logon will
prompt the user to place a registered finger on the reader. The user can place
a registered finger on the reader or press Ctrl-Alt-Delete.
[Figure: the One Touch Logon prompt. Touch the reader with a registered finger or press Ctrl-Alt-Delete to use a password]
• If required, they are also prompted for their Windows logon password.
[Figure: the logon dialog box. Type your standard logon credentials, if required]
This dialog box is similar to the standard Windows logon dialog box, on
which a user types their user name, password and domain to authenticate.
Depending on the Windows local security policy applied to the computer,
this may be the only screen a user sees when logging on. If cached
credentials and identification list settings permit, the user name and domain
may be automatically provided, requiring the user to provide only a
password.
• When a Password is not allowed for logon setting is applied to the
computer, then the user is only prompted for a registered fingerprint.
• A password only policy prompts the user for their standard logon credentials.
• If either a fingerprint or password is required, the user is prompted for a
registered fingerprint. They can press Ctrl-Alt-Delete and enter their
password, however, if the user provides a registered fingerprint, they are not
prompted for their password and are logged on.
Cached Credentials and the Identification List
On the Welcome screen, if cached credentials and the identification list are
enabled, One Touch Logon identifies the user through the identification list.
• If the credentials are cached and the user is on the identification list, they are
immediately logged on if the policy requires a fingerprint only or either a
fingerprint or password. If required, they are also prompted for a password
before logging on; the user name and domain are automatically provided for
them.
• If the credentials are cached, but the user is not on the identification list, they
are prompted to press Ctrl-Alt-Delete and provide their user name and
domain before they can log on, regardless of the logon policy.
• If the user is still not identified, they may attempt to use their registered
fingerprint two more times before they are advised to log on by typing their
account information manually.
The Identification List
Each Workstation has an identification list which contains an
administrator-specified number of user accounts. It is used in conjunction with
cached credentials to identify a user by their fingerprint and, as an added
convenience, frees them from typing their user name and domain at Windows logon.
Users are added to the identification list in the order they log on. The most
recent user to log on is added to the top of the list. If the list has exceeded its
capacity, the least recent user to log on is removed from the list when another
user logs on. If a user is already on the list and logs on again, they are moved
from their original position on the list and placed on top.
Once removed, a user cannot be automatically identified, and must type their
user name and domain at Windows logon. If DigitalPersona Pro is deployed in a
networked environment with Pro Server support, it performs identification
locally out of the set of users in the identification list and then, for added
security, confirms the user identity using the DigitalPersona Pro Server.
The number of users stored in the identification list is determined by the value of
the “Maximum Size of Identification List” GPO setting, as described on
page 68.
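The ordering rules for the identification list, as an added Python model that is not DigitalPersona's code and not taken from the guide. It reproduces only what the text states (most recent logon at the top, a repeat logon moves the account to the top, the least recent account is dropped when the list is full, and identification is attempted only among listed users). The account names and template ids are constructed, and an exact string compare stands in for biometric matching; the confirmation against the Pro Server that follows a local match is outside the model.

```python
"""Model of a workstation's identification list (added example, not
DigitalPersona's code). Reproduces only the ordering rules the guide states;
template ids are constructed strings and an exact compare stands in for
biometric matching."""
from typing import List, Optional, Tuple


class IdentificationList:
    def __init__(self, max_size: int) -> None:
        # max_size plays the role of the "Maximum Size of Identification
        # List" GPO setting.
        if max_size < 1:
            raise ValueError("max_size must be at least 1")
        self.max_size = max_size
        # (account, template_id) pairs; index 0 is the most recent logon.
        self._entries: List[Tuple[str, str]] = []

    def record_logon(self, account: str, template_id: str) -> Optional[str]:
        """Apply the rules after a successful logon: move or add the account
        to the top and drop the least recent entry if the list overflows.
        Returns the evicted account, if any."""
        self._entries = [e for e in self._entries if e[0] != account]
        self._entries.insert(0, (account, template_id))
        if len(self._entries) > self.max_size:
            return self._entries.pop()[0]
        return None

    def identify(self, template_id: str) -> Optional[str]:
        """Local identification among listed users only. None means the user
        is not on the list and must press Ctrl-Alt-Delete and type their
        user name and domain."""
        for account, stored in self._entries:
            if stored == template_id:
                return account
        return None

    def accounts(self) -> List[str]:
        """Accounts from most to least recent logon."""
        return [account for account, _ in self._entries]


def walkthrough() -> Tuple[List[str], List[Optional[str]]]:
    """Constructed sequence of logons on a list of size 3; returns the final
    order and the eviction reported after each logon."""
    ilist = IdentificationList(max_size=3)
    evicted = [ilist.record_logon("MYCO\\alice", "tpl-alice"),
               ilist.record_logon("MYCO\\bob", "tpl-bob"),
               ilist.record_logon("MYCO\\carol", "tpl-carol"),
               ilist.record_logon("MYCO\\alice", "tpl-alice"),  # back to top
               ilist.record_logon("MYCO\\dave", "tpl-dave")]    # bob drops
    return ilist.accounts(), evicted
```

walkthrough ends with dave, alice and carol on the list and bob evicted, so a later touch from bob is not identified locally and he has to type his user name and domain, exactly the behaviour the paragraph above describes for a user who has been removed from the list.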
Cached Credentials
DigitalPersona Pro user data can be cached on any computer where a user logs
on. The cached user data is used for local authentication when a DigitalPersona
Pro Server is unavailable. Refer to “Cache Domain User Data on Local
Computer” on page 67.
For example, if a user wants to log on to a domain and the computer is either
disconnected from the network or the network is down, then the authentication
can be performed locally using the cached credentials.
All DigitalPersona Pro cached credentials are encrypted for security and privacy
with the local key of the DigitalPersona Pro Workstation.
Using Fingerprint PINs
Administrative Template settings may be used to provide an additional level of
security by requiring that users type a short sequence of characters, known as a
fingerprint PIN, each time they use a fingerprint to log on, unlock the computer,
or change their Windows password.
Users must register a fingerprint before they can register a fingerprint PIN. If
logon settings require a fingerprint PIN, they will be prompted to register a
fingerprint PIN the first time they log on using a registered fingerprint.
Fingerprint PINs are only used with fingerprints to log on, unlock the computer,
or change the Windows password. They are not used for fingerprint logons to
Web sites and programs or to unlock smart cards.
Registering Fingerprint PINs
When you create a fingerprint PIN, you can choose any sequence of four to
eight numbers or letters. Make sure that you remember this code, or you may not
be able to log on. The Register Fingerprint PIN dialog box displays
automatically after you log on to Windows using a fingerprint if your logon
settings require you to provide a fingerprint PIN in addition to a fingerprint.
You must register a fingerprint PIN when the Register Fingerprint PIN dialog
box displays. If you click Cancel, you will be prevented from logging in with a
fingerprint.
To register a fingerprint PIN
1 In the New fingerprint PIN text box, type from 4 to 8 characters and then
type it again in the Confirm fingerprint PIN text box.
2 Click OK to save the fingerprint PIN.
3 After you register your fingerprint PIN, you can change your fingerprint PIN
at any time.
Using Fingerprint PINs
After you register a fingerprint PIN, you will be prompted to type the fingerprint
PIN after each time you use a fingerprint to log on, unlock the computer, or
change the Windows password. The Verify Fingerprint PIN dialog box displays
each time the fingerprint PIN is required.
To use a fingerprint PIN
1 When the Verify Fingerprint PIN dialog box displays, type your fingerprint
PIN and click OK.
The fingerprint PIN is not required when you use fingerprint logons to Web
sites or programs, or when you unlock a smart card with a fingerprint.
Changing Fingerprint PINs
You can change your fingerprint PIN at any time during your Windows session.
You must type the current PIN and then type a new code of four to eight
characters.
To change a fingerprint PIN
1 Press Ctrl-Alt-Delete to display the Windows Security dialog box.
2 Click the Manage Fingerprints button and then select Change Fingerprint
PIN from the drop-down box.
3 On the Change Fingerprint PIN dialog box, type your current fingerprint PIN
in the Old Fingerprint PIN text box.
4 Type a new fingerprint PIN in the New Fingerprint PIN text box and then
type it again in the Confirm New Fingerprint PIN text box.
5 Touch the reader with a registered fingerprint for verification.
A green check mark displays on the reader icon in the dialog box when the
fingerprint is successfully verified.
6 Click OK to change your current fingerprint PIN to the new one you
specified.
Using Smart Cards for Logon
If the user has a smart card reader connected to their computer, the Welcome
screen includes instructions for using the smart card. If the user is required to
log on with a smart card, they must insert the smart card into the smart card
reader first, before providing any other credentials, such as a fingerprint.
Settings cannot require the user to provide both a smart card and a password for
logon.
Smart card users are required to type a user PIN (Personal Identification
Number) to access the smart card. This PIN is provided with the smart card
package, and is not the same as the Fingerprint PIN discussed in the previous
topic.
To use a smart card to log on
1 Insert the smart card into the smart card reader first, even if you must provide
a fingerprint as one of your credentials. The PIN dialog box displays,
requesting the PIN to access the smart card.
2 Type the user PIN for the smart card and click OK. If the logon settings allow
it, you can touch the fingerprint reader with a registered finger instead of
typing the PIN for the smart card.
One Touch Features
In addition to One Touch Logon and One Touch SignOn, DigitalPersona Pro
Workstation includes One Touch Unlock and One Touch Internet. This chapter
provides instructions for using them.
One Touch Unlock
To lock your computer, double-click the fingerprint reader icon or click Lock
Computer on the fingerprint reader icon context menu. The reader icon is
located in the notification area on the taskbar.
When your computer becomes locked, One Touch Unlock replaces the standard
Windows Computer Locked dialog box. One Touch Unlock guides you through
providing the required credentials to unlock your computer. The required
credentials depend on the logon settings implemented by your administrator.
You can also press Ctrl-Alt-Delete to type your account information and provide
the required credentials.
Note
This feature is only available if One Touch Logon is installed.
One Touch Internet
One Touch Internet (OTI) provides end users with the ability to create
fingerprint logons to password-protected programs and Web sites for their
personal use.
In creating a fingerprint logon, you provide your logon data to OTI once, and
then on subsequent logons you just launch the Web site and touch the reader
with a registered finger. OTI automatically enters your user name and password
in the logon screen text boxes. It can also be configured to submit your
credentials for you by clicking the Submit button, or another equivalent button.
Fingerprint logons can also be created with the One Touch SignOn
Administration Tool and deployed to DigitalPersona Pro Workstations through
Active Directory or other means. See “One Touch SignOn Administration Tool”
on page 92 for details on the One Touch SignOn Administration Tool.
The difference between One Touch Internet (OTI) and One Touch SignOn (OTS)
is:
• OTI is an end-user feature that users can use to create their own fingerprint
logons.
• OTS is an administrator tool for creating and deploying templates that
provide fingerprint logons to end users for one touch access to program and
Web sites. It also provides more advanced options for manually creating
fingerprint logons to non-standard application logon screens, Web sites and
Password Change screens.
If fingerprint logons created by both OTI and OTS exist on the same computer,
for the same logon screen, the OTS fingerprint logon will be used.
Internet Explorer and MSN Explorer users can access fingerprint-enabled Web
accounts from the One Touch Menu. Just touch the reader to display the menu,
point to Quick Links and then click the fingerprint logon for the Web site you
want to access. The browser that was used in setting up the fingerprint logon
will be launched automatically and your logon data will be submitted for you.
Logging On to Web Sites and Programs
You can log on to a fingerprint-enabled logon screen by doing one of the
following:
• Type the URL in a Web browser or launch the program that contains the
logon screen for which you have created a fingerprint logon. The logon
screen will display a DigitalPersona icon in the title bar of the Web browser
or program, indicating that you can touch the reader with any registered
finger to log on to the specific Web site or program.
(Figure callout: a balloon indicates that the Web site or program is set up for
fingerprint logon.)
Note
If you created more than one account for the Web site or program, you are
prompted to choose the account data you want to use to log on.
• If you have a Quick Link for a Web site, point to Quick Links on the One
Touch Menu, and then click the fingerprint logon title that corresponds to the
Web site you want to access. If you configured the fingerprint logon to
submit your account information automatically, you are immediately logged
on.
• If required fields were left blank in the account data when the fingerprint
logon was created, the Enter Account Data dialog box displays. Type the
required data in the fields and click OK to log on.
Creating Fingerprint Logons
Creating a fingerprint logon requires you to enter your account data with
DigitalPersona Pro once. Then, on subsequent logons, you only need to browse
to the Web site, or launch the program, and touch the reader with any registered
finger. DigitalPersona Pro automatically enters your user name and password
and any other necessary account data in the appropriate logon screen text boxes
and, if configured, submits your account data.
Your administrator may have already created fingerprint logons for you. If so,
you should use the fingerprint logons from your administrator instead of
creating your own.
To create a fingerprint logon for a Web site or program
1 Open the logon screen of the Web site or program.
2 Touch the reader with any registered finger and click Create Fingerprint
Logon on the One Touch Menu.
Note
If Create Fingerprint Logon is not on the One Touch Menu, the administrator
has not installed this feature on your computer.
3 The title of the logon screen displays on the Create Fingerprint Logon dialog
box. Click Continue.
4 In the Logon Title text box, the title of the Web site uniquely identifies the
logon screen in the Fingerprint Logon Manager and the Quick Links
submenu on the One Touch Menu. You can type a different title in the text
box.
5 Check Display in Quick Link list to add the fingerprint logon to the Quick
Links submenu on the One Touch Menu.
Note
Quick Links are for Web sites only and not for programs.
6 DigitalPersona Pro determines logon fields and displays them in the Logon
Information area. Type the appropriate account data in the corresponding text
box for each field required for logon. For example, in the Password text box,
you would type the password you use to access the Web site or program. If a
field required for logon is not displayed in the Logon Information area, click
Choose Fields to select the additional fields.
Note
As you point to each logon field in the Logon Information area, the
corresponding field on the logon screen is highlighted, such as a text box and
drop-down menu.
7 Select the button from the logon screen that is used to submit the account
data. DigitalPersona Pro may recognize multiple buttons on some Web sites
or programs. You may choose to submit your account data yourself each time
you log on to the Web site or program by selecting Do Not Submit.
8 Click OK to create the fingerprint logon.
The DigitalPersona icon on the logon screen title bar of the Web site or program
indicates that touching the reader with any registered finger will log you on to
the Web site or program. You may add more than one account for a Web site or
program.
Managing Fingerprint Logons
You can add, change or remove fingerprint logons for Web sites and programs
using the Fingerprint Logon Manager. To access it, browse to the Web site or
launch the program and click the DigitalPersona icon, which is located in the
title bar.
Note
When you want to make changes to a fingerprint logon for a Web site, do not use
a Quick Link to browse to the Web site logon screen if the fingerprint logon is
set up to automatically submit your logon information. Instead, browse to the
Web site manually and click the DigitalPersona icon on the title bar.
If a fingerprint logon was created by your administrator, you are only allowed to
add and delete account data. You cannot delete the fingerprint logon.
(Figure callout: select the set of account data to edit.)
The following describes the Fingerprint Logon Manager functions:
• Change. To modify the account data entered by a fingerprint logon, select
the account and then click Change. On the Edit Fingerprint Logon dialog
box, edit your existing account data in the appropriate text boxes and click
OK. You can also change the fingerprint logon title and Quick Link settings.
• Add. To add another set of account data to the fingerprint logon for a Web site
or program, click the Add button on the Fingerprint Logon Manager. This
launches the Create Fingerprint Logon dialog box. Specify the additional
account data for the logon screen as described in "Creating Fingerprint
Logons".
Note
Once a logon screen has more than one set of account data, you are prompted
to choose the set you want to use each time you log on to the Web site or
program using DigitalPersona Pro.
• Remove. To remove a fingerprint logon, select the title of the fingerprint
logon in the list on the Fingerprint Logon Manager and click Remove. If you
remove the last account for a fingerprint logon, the fingerprint logon is
deleted. You can delete the account data of a fingerprint logon created by
your administrator, but you cannot delete the actual fingerprint logon.
Note
If there are multiple sets of account data for a logon screen, other logon
screen data, such as the Submit button, is not deleted until you delete all sets.
DigitalPersona Pro Workstation Properties
You can edit various Workstation properties using the DigitalPersona Pro
Properties dialog box.
To change Workstation Properties
1 Click the reader icon in the notification area and select Properties.
2 Modify the desired properties and click OK to implement the new settings
and close the dialog box.
The DigitalPersona Pro Properties dialog box contains several folders as
described below.
Quick Actions
In the Quick Actions folder, you can
assign actions to be performed when
touching the fingerprint reader, and when touching the reader in combination
with certain keys. The actions that you can assign are:
• None
• Create a fingerprint logon
• Display the Help file
• View the One Touch Menu
• Open the Properties dialog box
• View the Quick Links submenu
You can assign actions to:
• Fingerprint. The default setting is to view the One Touch Menu.
• Ctrl + Fingerprint. The default setting is None.
• Shift + Fingerprint. The default setting is None.
Show Fingerprint Reader Icon on Taskbar
When checked, the fingerprint reader icon is displayed in the notification area
on the taskbar, which is described in “Reader Icon and Menu” on page 143.
Enable Visual Feedback
This option enables or disables display of the feedback icons used to show the
status of a fingerprint scan.
For more information about visual and audio feedback when a fingerprint scan
is acquired, refer to “Fingerprint Reader Visual Cues” on page 145.
Enable Sound Feedback
Check Enable Sound Feedback to play a sound when the reader acquires a
fingerprint scan, indicating that you may lift your finger from the reader.
Different sounds are played for successful and unsuccessful scans. You may
select different sounds from Control Panel.
Refer to “Fingerprint Scan Acquisition Feedback” on page 145 for more
information about visual and audio feedback when a fingerprint scan is acquired
by the reader.
One Touch Menu
In the One Touch Menu folder, the following menu items are added to the One
Touch Menu if the check box is selected:
• Create Fingerprint Logon. Displays the Create Fingerprint Logon dialog
box.
• Quick Links. Displays the list of Quick Links.
• Help. Displays this Help file.
• Properties. Displays the Properties dialog box.
Deleting Registered Fingerprints
You can use the Fingerprint Registration Wizard to delete any fingerprints that
you have previously registered. If you are not permitted to delete fingerprints,
this may be because of settings implemented by your administrator.
To delete registered fingerprints using the Fingerprint Registration Wizard
1 Launch the Fingerprint Registration Wizard by doing one of the following:
• Press Ctrl-Alt-Delete and click Manage Fingerprints. Select
Fingerprint Registration from the drop-down menu and click OK.
• On the Start menu, point to All Programs, point to DigitalPersona Pro
and then click Fingerprint Registration Wizard.
2 Click Next. If changes to registered fingerprints will be saved in the user
database on your computer instead of in Active Directory, you are prompted
to confirm that you want to make changes to your fingerprints locally only.
These changes will not be applied to Active Directory. Click Yes to confirm,
or click No and contact your administrator for guidance.
3 When prompted to verify your identity, touch the reader with any registered
finger.
4 An outline of two hands is displayed with your registered fingers highlighted
in green. Click the highlighted finger that represents the registered
fingerprint you want to delete.
Note
Clicking a finger which is not highlighted starts the registration of that finger.
5 When prompted, click Yes to delete the registered fingerprint. Otherwise,
click No if you do not want to delete that fingerprint.
6 Click Next or select another finger to delete.
7 Click Finish to exit the wizard and save your changes. Canceling or closing
the dialog box does not save your changes.
Changing Your Windows Password
The process of changing your Windows password on Windows XP and
Windows 2000 is very similar to the process on computers without
DigitalPersona Pro.
To change your Windows password
1 Press Ctrl-Alt-Delete to display the Windows Security dialog box.
2 Click the Change Password button.
3 On the Change Windows Password dialog box, type your current password
in the Old Password text box. You can also touch the reader with a registered
fingerprint. If your identity is verified, One Touch Logon provides the
current password in the Old Password text box.
4 Type a new password in the New Password text box and then type it again in
the Confirm New Password text box.
5 Click OK to change your current password to the new one you specified.
Fingerprint Reader Usage and Maintenance
This section provides reader usage and maintenance guidelines intended to
maximize fingerprint registration and authentication performance. Correct use
of the reader during registration and authentication, together with a
well-maintained reader, is crucial to optimal fingerprint recognition
performance.
The next section, “Proper Fingerprint Reader Usage” describes the proper way
to use the reader to register fingerprints and authenticate using them. It is
followed by reader maintenance instructions, provided in “Cleaning the Reader”
on page 169.
Proper Fingerprint Reader Usage
To reduce the number of false rejects, you must place a finger on the reader
correctly when registering fingerprints and authenticating.
During both processes, you must place the pad of your finger—not the tip or the
side—in the center of the oval window of the reader in order to maximize the
area of the finger that touches the reader window.
Apply even pressure. Pressing too hard will distort the scan; pressing too lightly
will produce a faint, unusable scan. Do not “roll” your finger.
To complete the fingerprint scan, hold your finger on the reader until you see the
reader light blink. This may take longer if the skin is dry. When the light blinks
and, if configured, a sound plays, you may lift your finger.
If the reader is capturing your fingerprint scan as indicated by the reader blink,
but DigitalPersona Pro consistently rejects it, you may need to reregister that
finger by first deleting it and then registering it again.
Cleaning the Reader
The condition of the reader window has a large impact on the ability of the
reader to obtain a good quality scan of a fingerprint. Depending on the amount
of use, the reader window may need to be cleaned periodically.
To clean it, apply the sticky side of a piece of adhesive cellophane tape on the
window and peel it away.
Under heavy usage, the window coating on some readers may turn cloudy from
the salt in perspiration. In this case, gently wipe the window with a cloth (not
paper) dampened with a mild ammonia-based glass cleaner.
Reader Maintenance Warnings
There are several things you should never do when cleaning or using the reader:
• Do not pour the glass cleaner directly on the reader window.
• Do not use alcohol-based cleaners.
• Never submerge the reader in liquid.
• Never rub the window with an abrasive material, including paper.
• Do not poke the window coating with your fingernail or any other item, such
as a pen.
The fingerprint reader is for indoor home or office use only.
Part Four: Appendices
Part Four of the DigitalPersona Pro for AD Administrator Guide includes the
following appendices:
Chapter Title: Purpose (Page)
• Planning & Deployment: Provides guidelines for planning and implementing
the deployment of DigitalPersona Pro. (172)
• DigitalPersona Pro Settings: An alphabetical list of all DigitalPersona Pro
settings with references to Active Directory location and page number where
they are described. (187)
• Troubleshooting: Provides assistance in troubleshooting software and
hardware issues. (191)
• Customizing Workstation: Details registry settings that can be used to
customize DigitalPersona Pro Workstation. (198)
• Installing High Encryption: Instructions for installing 128-bit High
Encryption for older Windows 2000 machines. (198)
• Warranties, Provisions & Regulatory Information: Defines product warranties,
general provisions and regulatory information. (199)
Chapter 11 - Planning & Deployment
Overview
DigitalPersona Pro for Active Directory is a scalable solution that can provide
biometric authentication and Single SignOn for a large enterprise, with multiple
domains and a hundred thousand geographically dispersed workstations, a
medium-sized local network, or a small office network.
Whatever the size of the deployment, it is critical to spend some time designing
an implementation that will meet your organization’s needs, provide a
straightforward deployment plan, and allow you to allocate the necessary
hardware and personnel resources.
In designing your DigitalPersona Pro system, you will want to take into account
many factors, including your security needs, performance requirements, levels
of administration, and the amount of control that you want to allow the end user
to have with certain features like One Touch SignOn, One Touch Internet and
fingerprint registration.
While we have made deploying DigitalPersona Pro as simple and
straightforward as possible, a comprehensive design, a well-formed deployment
plan, and a deployment staff with solid Active Directory experience will help to
ensure a successful implementation.
Deploying DigitalPersona Pro includes settings to configure the way that
authentication operates in your specific environment. From various
combinations of multi-factor authentication to fingerprint-only logon, the level
of security that you require is configurable, and quite easily implemented
through standard Active Directory administration tools.
Administrative controls and utilities are also available through a complete set of
DigitalPersona Pro Administrative Tools included with DigitalPersona Pro
Server.
In the following text, the term "users" refers to those who will be registering
and authenticating their fingerprints through DigitalPersona Pro Server; the
number of such users is not necessarily the same as the number of Active
Directory users.
The information provided in this chapter is not intended to take the place of the
services of a professional systems architect or analyst, and should not be
construed as advice or recommendations addressing your specific situation.
Evaluation Support
During evaluation of DigitalPersona Pro for Active Directory, support is
available through our Sales Engineering Team at:
1-650-474-5316
Technical Support
If you have purchased DigitalPersona Pro for Active Directory, Technical
Support is available through our Technical Support Request form at:
http://www.digitalpersona.com/support/enterprise/chooseproduct.php
Professional Services
DigitalPersona Professional Services can discuss options ranging from initial
onsite consulting to completely outsourcing all or part of the design, deployment
and installation process as well as customizing the software.
For Professional Services, please contact your DigitalPersona Account Manager
or product Reseller.
Planning
Although the actual steps in a design process will vary from company to
company, the design for your DigitalPersona Pro solution should take into
account at least the elements described in this chapter. Additional steps and
considerations may be required for your specific organization.
Planning Overview
1 Select an Installation Scenario.
2 Determine Required Software & Hardware.
3 Identify Needed Licenses.
4 Select Configuration Options.
5 List OTS Templates.
6 Create Deployment Plan.
Select an Installation Scenario
DigitalPersona Pro for Active Directory is designed with built-in flexibility to
enable delivery of biometric authentication and Single SignOn in the following
scenarios:
• Enterprise level, server supported authentication
• Workstation Only installation
It is also possible to create a solution utilizing a combination of both scenarios.
Enterprise level with Pro Server Support
For optimal enterprise-wide deployment, DigitalPersona Pro Workstation is
installed on domain-joined computers whose domain controller has
DigitalPersona Pro Server installed. Computers such as laptops can be
periodically connected to, and disconnected from, the network.
DigitalPersona Pro Server offers the following capabilities:
• Installed on a secure Active Directory Domain Controller
• Centralized User Administration
• Centralized Credential & Application Data Storage
• Secure Server Authentication
DigitalPersona Pro Workstation offers:
• One Touch Logon
• One Touch SignOn Applications
• One Touch Internet
• One Touch Menu
Using a DigitalPersona Pro Workstation with Pro Server support is the most
comprehensive deployment of DigitalPersona Pro because you can take
advantage of both the Workstation and Server features of DigitalPersona Pro for
Active Directory.
In addition to the One Touch applications for the Workstation, this deployment
allows you to manage DigitalPersona Pro with Active Directory administration
tools, and provides secure data storage and user roaming features.
Workstation Only Installation
DigitalPersona Pro Workstation can be installed on computers connected to an
Active Directory domain without DigitalPersona Pro Server support or on a
standalone computer configured to perform authentication locally. With either
of these configurations, you have all the features provided by the DigitalPersona
Pro Workstation software as described in “DigitalPersona Pro Workstation” on
page 21.
The table below compares the features available for DigitalPersona Pro
Workstations with and without Pro Server support:
Table 11-1. Feature Comparison

DigitalPersona Pro Features                 Workstation with      Workstation without
                                            Pro Server support    Pro Server support
Centralized User Administration             X
Centralized User Credential Data Storage    X
Secure Server Authentication                X
Secure Windows Logon                        X                     X
One Touch Logon & One Touch UnLock          X                     X
One Touch SignOn and One Touch Internet     X                     X
Workstation Administration                  X                     X

Deployment Scenario
DigitalPersona Pro Workstation can be installed on a computer that is not
connected to an Active Directory domain, or not administered with an Active
Directory GPO. The Workstation can then be administered locally through the
Microsoft Management Console (MMC), providing the same functionality as
listed above for Workstations without Pro Server support.
Determine Required Software & Hardware
Server software
DigitalPersona Pro Server has been fully performance tested and shown to be
able to support the authentication of up to 3,000 users within a 10 minute period,
per Server processor.
DigitalPersona Pro Server must be installed on a domain controller serving the
users that will be using it for authentication. Additionally, a Failover/Backup
Pro Server is recommended for each Pro Server installed. Also, if you have
multiple sites, we recommend a Pro Server and a Failover/Backup server at each
site.
After analyzing your network configuration and bandwidth limitations, you may
want to add additional servers for backup/failover, or arrange for additional
servers on a domain or site basis to compensate for potential bandwidth
bottlenecks.
Use the worksheet below to assist you in determining the number of
DigitalPersona Pro servers that you will require.
A. Total number of users _____ /3,000 = Base Minimum Server/Processors _________
B. Backup/Failover Servers (Recommended) _______
C. Additional Servers per network analysis ________
Total Servers (A + B + C) = _______
Workstation software
You will need a copy of DigitalPersona Pro Workstation software for each
computer that will be using biometric authentication and authorization. This
includes laptops and notebooks that will be connected to the network as well as
any offsite computers that may connect to the network.
Total Workstations = _______
Fingerprint Readers
For each workstation, you will need one U.are.U Fingerprint Reader.
Certain notebooks with a supported built-in swipe reader can be used with
DigitalPersona Pro. A list of supported third-party swipe readers can be found
at:
http://www.digitalpersona.com/products/notebooks.php.
Total U.are.U Fingerprint Readers = _______
Identify Needed Licenses
When deploying DigitalPersona Pro Server, a User Authentication License
(UAL) is required covering each user that will be registering their fingerprints
and using them for authentication through the server.
Licenses are bound to a domain: each UAL covers the users in one specific
domain only. Additional UALs can be purchased for a domain as the number of
users expands.
Use the following table to identify the number of users to include in each
requested UAL.
Number of user licenses needed

Domain Name                  Number of Users
___________________________  _______________
___________________________  _______________

Total Number of user licenses needed = _______
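The server, workstation, reader and license worksheets above reduce to a few rules: at each site, enough Pro Servers that every user can authenticate within the 10-minute window at 3,000 users per Server processor, one Failover/Backup Server per Pro Server, any extra servers from the network analysis, one Workstation copy per computer, one U.are.U reader per computer that lacks a supported built-in swipe reader, and one UAL per domain sized to that domain's users. The following calculator is an added example written for these worksheets; it is not DigitalPersona code, and the site names, domain names and counts it uses are constructed sample data. The processors_per_server and extra_servers fields are assumptions that mirror the worksheet's "per Server processor" figure and line C.

```python
"""Sizing calculator for the Planning & Deployment worksheets (added example,
not part of the DigitalPersona product). All sample data is constructed."""
import math
from dataclasses import dataclass

USERS_PER_PROCESSOR_PER_10_MIN = 3000   # figure stated in the guide


@dataclass
class Site:
    name: str
    domain: str
    users: int                      # users who register/authenticate fingerprints here
    workstations: int               # computers that get Pro Workstation, laptops included
    builtin_swipe_readers: int = 0  # notebooks with a supported built-in reader (no U.are.U needed)
    processors_per_server: int = 1  # assumption: CPUs in the DC hosting Pro Server
    extra_servers: int = 0          # worksheet line C: added after bandwidth analysis


def base_servers(users: int, processors_per_server: int = 1) -> int:
    """Worksheet line A: minimum Pro Servers so that every user at a site can
    authenticate within the 10-minute window. A site with any users gets at
    least one Server, matching the recommendation of a Pro Server per site."""
    if users <= 0:
        return 0
    if processors_per_server < 1:
        raise ValueError("processors_per_server must be >= 1")
    return math.ceil(users / (USERS_PER_PROCESSOR_PER_10_MIN * processors_per_server))


def size_site(site: Site) -> dict:
    """Lines A, B and C for one site plus its workstation and reader counts."""
    a = base_servers(site.users, site.processors_per_server)
    b = a                      # line B: one Failover/Backup per Pro Server (recommended)
    c = site.extra_servers     # line C
    readers = max(site.workstations - site.builtin_swipe_readers, 0)
    return {
        "site": site.name,
        "base_servers": a,
        "failover_servers": b,
        "additional_servers": c,
        "total_servers": a + b + c,
        "workstation_licenses": site.workstations,
        "uareu_readers": readers,
    }


def size_deployment(sites):
    """Per-site rows plus the 'Total Servers (A + B + C)', 'Total Workstations'
    and 'Total U.are.U Fingerprint Readers' lines of the worksheet."""
    rows = [size_site(s) for s in sites]
    keys = ("total_servers", "workstation_licenses", "uareu_readers")
    totals = {k: sum(r[k] for r in rows) for k in keys}
    return rows, totals


def ual_plan(sites):
    """UALs are bound to a domain: one license request per domain, sized to the
    users in that domain no matter how many sites the domain spans."""
    per_domain = {}
    for s in sites:
        per_domain[s.domain] = per_domain.get(s.domain, 0) + s.users
    return per_domain, sum(per_domain.values())


if __name__ == "__main__":
    sample = [  # constructed sample data
        Site("HQ", "corp.example", users=7000, workstations=7500,
             builtin_swipe_readers=500, processors_per_server=2),
        Site("Branch", "corp.example", users=400, workstations=420),
        Site("Lab", "lab.example", users=50, workstations=60, extra_servers=1),
    ]
    rows, totals = size_deployment(sample)
    for row in rows:
        print(row)
    print("totals:", totals)
    print("UALs per domain, total:", ual_plan(sample))
```

With the sample data, HQ needs 2 Pro Servers (7,000 users over two-processor servers) plus 2 failovers, the 400-user branch still gets a Server and a failover because the guide recommends one of each at every site, and the two corp.example sites roll up into a single 7,400-user UAL request.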
Select Configuration Options
While many of the configuration options can be determined as part of your
initial testing or pilot, and may be adjusted during and after rollout, there are
a few options that should definitely be part of your planning.
Windows Logon Policies - DigitalPersona Pro policies work in conjunction
with standard Windows policies.
Logon policies can be configured at the Server level or the Workstation level by
adding the appropriate DigitalPersona Pro Administrative Template to the
controlling GPO.
Attended Fingerprint Registration - When implemented, all users must
register their fingerprint in the presence of a designated person or group.
Custom Workstation Installation
The default “Complete” Workstation installation includes the One Touch
SignOn, One Touch Logon and One Touch Internet features.
By using a “Custom” installation, you can choose not to install One Touch Logon
and/or One Touch Internet. They can also be added to, or removed from, a
particular workstation through the Add or Remove Programs tool in the Control
Panel.
• One Touch SignOn - One Touch SignOn is a major feature of
DigitalPersona Pro, providing users with the ability to access
administrator-deployed templates for One Touch SignOn to password-protected
programs and Web sites.
• One Touch Logon - One Touch Logon provides the ability for a user to log
on to their Windows account by simply touching a supported fingerprint
reader.
• One Touch Internet - This feature allows end users to create their own
fingerprint logons for programs and Web sites.
Other policies and settings - See “Configuring Policies and Settings” on page
56 for other policies and settings that you may want to consider as part of your
design.
List OTS Templates
For each program or Web site that you want to allow users to sign on to with
One Touch SignOn, you will need to create an OTS template using the One
Touch SignOn Administration Tool. Time and resources to create these
templates should be part of your deployment plan.
Create Deployment Plan
Based on your system design, create a deployment plan. You can use the
checklist at the end of this chapter to make sure that you have covered the basics
that have been discussed.
Deployment
Factors to Consider
There are a number of factors that you will want to make sure are considered as
you develop your Deployment Plan.
Evaluation & Testing
You will probably want to test your proposed design on a single standalone
workstation and/or in a small server-based pilot program before rolling out the
full implementation.
DigitalPersona Pro Server includes a 10-user license which can be used for
deployment in your test environment.
Note that when moving from a standalone Workstation installation to a Pro
Server based environment, all Pro domain user data on the standalone computer
is lost when it first connects to a DigitalPersona Pro Server. Fingerprints must be
registered again and user account data for fingerprint logons must be provided
again.
Multi-credential Logon Settings
You can configure logon settings that require more than one type of credential to
log on. Possible credentials for Windows logon include fingerprint, password or
smart card. The multi-credential logon settings are configured using the
Multi-credential Logon to Windows settings in the DigitalPersona Pro Administrative
Template, but can also be overridden on a per-user basis in the Active Directory
Users and Computers tool.
Note that DigitalPersona Pro does not provide any setting to control the use of
the smart card for the Windows logon and will apply whatever Windows
policies are in place for smart cards.
For local area network users, allowing either the fingerprint or the password to be
used is recommended as a starting Windows logon setting. A simple way to
require two-factor authentication and increase security without compromising
user convenience is to require a fingerprint PIN in addition to a fingerprint. This
is the recommended setting for remote users. For more information on
fingerprint PINs, see “One Touch Features” on page 158.
While users adapt to the new fingerprint policies, you might want to begin with
more flexible logon settings. For example, a policy may be set at the beginning
of deployment that requires the user to use a fingerprint. If the user cancels out
of the Fingerprint Registration Wizard, then the next time the user tries to log on
to Windows, the user will be unable to log on. If users have not registered their
fingerprints, they will need to contact an administrator to register their
fingerprints. However, if you allow a fingerprint or a password to log on as part
of an initial phase, users can continue working as they learn to adopt the new
policies.
If smart cards are deployed, in order to provide a more convenient logon
process for multi-credential logons, you can choose to allow the fingerprint to
unlock the smart card instead of requiring users to type the PIN for the smart
card.
All Multi-credential Logon to Windows settings are available as GPO settings.
User-level settings are also available, which will override GPO settings, except
for the Fingerprint is allowed to unlock the smart card option, which is only
available through the GPO.
See also “Multi-credential Logon to Windows” on page 69 and “User
Properties” on page 72.
Fingerprint Registration Options
You can allow users to register their own fingerprints from their computers or
you can require that fingerprint registration is attended by a designated
administrator or supervisor.
With attended fingerprint registration, a designated user must be logged on to
supervise the fingerprint registration process of other users. You can also set
permissions so that the users cannot modify the registered fingerprints.
For more information on using attended fingerprint registration, see “Attended
Fingerprint Registration” on page 90.
Fingerprint Registration statistics can be viewed and monitored with the User
Query Tool, described in the topic “User Query Tool” on page 131.
Implementing Stronger Security Settings in Stages
For large enterprise deployments, you might want to implement less strict
security settings while users adopt the new process of registering fingerprints
and using fingerprints to log on. During this time, you can configure a setting
allowing a fingerprint or a password for logon to Windows. This allows users to
register their fingerprints and to start using them, for example, over a two week
period.
Afterwards, you can transition to more strict settings to make fingerprints
required for logon. You can increase security by changing the settings in the
DigitalPersona Pro GPO. You may also randomize user passwords which
effectively blocks users from being able to use a password to log on to the
network and forces the use of fingerprints for logon.
If you find that users have not registered fingerprints, you can either complete
attended fingerprint registration with the users, or you can choose to extend the
open registration period. In this case, continue to inform the users that they will
not be able to log on if they do not register their fingerprints before a specific
date.
All users should take additional measures to decrease the likelihood of
unauthorized access to their computers. Suggestions in this manual are specific
to DigitalPersona Pro only and do not represent a complete list of security
measures. All users should create secure passwords for Windows accounts and
applications.
Refer to the Microsoft Web site for more information about securing your
computer from unauthorized access. The Microsoft Web site also contains more
information on creating secure passwords.
Deploying One Touch SignOn Templates
The administrator for One Touch SignOn can decide how much control to
maintain over OTS templates for One Touch SignOn to Web sites and programs.
• Templates can be created by an administrator and then deployed to
Workstations using DigitalPersona GPO settings.
• The ability for users to make changes to OTS account data or create their
own OTS templates can be limited or completely disabled.
You can also choose to allow some, or all, users to use the OTS Administration
Tool to create their own templates which can be stored on their workstation.
Workstation Installation and Connecting the Reader
Smaller companies may want users to install the hardware. Larger companies
may use a representative from the IT department to install the hardware. To
install software locally, the user must have administrative privileges on the local
computer.
End-User Education
Deployment will be most effective and flow more smoothly if you inform your
users about the new user experience before DigitalPersona Pro Workstation is
actually installed on their computers.
• Users need instructions on what to do when they view the DigitalPersona Pro
Welcome screen to log on to Windows and when the Fingerprint Registration
Wizard launches. (See “One Touch Logon” on page 151 and “Fingerprint
Registration” on page 147.)
• Encourage users to read the online help that is available in the DigitalPersona
Pro folder on the Start/Programs menu, or by clicking the reader icon in the
taskbar notification area.
• Let users know that their fingerprint images will not be stored. Instead, only
specific features of the fingerprints are obtained and stored. This data cannot
be reverted to actual fingerprint images.
Warning
Make sure that you do not enable restrictive logon settings based on fingerprints
until users have successfully registered fingerprints.
Deployment Plan Checklist
This checklist provides you with a series of basic steps relating specifically to
DigitalPersona Pro which should be included in your overall deployment plan.
1 Plan for the number of Pro Servers and Pro Workstations to be installed in
your deployment. In larger deployments, it is recommended to have enough
servers installed to provide service to the first set of users. Evaluate response
time for user authentication to ensure that enough servers are installed as
each set of users is added. Smaller organizations may decide to deploy all
users at the same time.
2 Determine the number of Pro Servers, Workstations and User Authentication
Licenses (UALs) that you will need. Use the License Control Manager
application (see page 86) to generate a license request file and send it to
DigitalPersona along with your purchase order.
3 Deploy Pro Servers, which includes performing an Active Directory schema
extension, domain configuration and installation of the DigitalPersona Pro
Server software to support the first set of users.
4 Test the DigitalPersona Pro Workstation deployment on a single computer
and set the options that the end users will use. Test the GPO settings set in
Active Directory and confirm the intended effects for users.
5 Inform and educate end users on the deployment process and the tasks that
you want them to complete.
6 If using Attended Fingerprint Registration, register user fingerprints from the
test DigitalPersona Pro Workstation. Attended registration requires a
supervising user and the end user to be present to register the user’s
fingerprints. See “Attended Fingerprint Registration” on page 90 for more
information.
7 Create and deploy One Touch SignOn templates for fingerprint logon to Web
sites and programs.
8 For the initial installation of DigitalPersona Pro Workstation, keep the group
size manageable. Users should be separated into sets either by department or
geography or some other grouping. The first set of users should be a small
test group to make sure you have implemented settings as intended. Later,
other sets of users can be added in stages.
9 Connect fingerprint readers to computers. Instruct users on which order to
complete install, hardware connection, and fingerprint registration as needed.
Chapter 12 - DigitalPersona Pro Settings
This chapter provides an alphabetical listing of the policies and settings
available in DigitalPersona Pro and Workstation, describes where they are
located in Active Directory, and gives the page number in this guide where they
are defined.
Setting Name | Location | Page
Account lockout duration | Computer Configuration/Administrative Templates/DigitalPersona Pro Server/Fingerprint Verification Lockout | 64
Account lockout threshold | Computer Configuration/Administrative Templates/DigitalPersona Pro Server/Fingerprint Verification Lockout | 64
Account is locked out from use of fingerprint credentials | Users and Computers tool/[user name]/User Properties/DigitalPersona Pro tab (Basic Property) | 73
Allow OneTouch Internet | User Configuration/Administrative Templates/DigitalPersona Pro Workstation/Workstation Properties | 70
Allow users to add account data | User Configuration/Administrative Templates/DigitalPersona Pro Workstation/OTS/One Touch SignOn configuration | 71
Allow users to delete account data | User Configuration/Administrative Templates/DigitalPersona Pro Workstation/OTS/One Touch SignOn configuration | 71
Allow users to edit account data | User Configuration/Administrative Templates/DigitalPersona Pro Workstation/OTS/One Touch SignOn configuration | 71
Automated Site Coverage by BAS Locator DNS SRV Records | Computer Configuration/Administrative Templates/DigitalPersona Pro Server/BAS Locator DNS Records | 62
Cache Domain User Data on Local Computer | User Configuration/Administrative Templates/DigitalPersona Pro Workstation/ | 67
Dynamic Registration of BAS Locator DNS Records | Computer Configuration/Administrative Templates/DigitalPersona Pro Server/BAS Locator DNS Records | 60
Event Logging | Computer Configuration/Administrative Templates/DigitalPersona Pro [Server or Workstation]/BAS Locator DNS Records | 59
False Accept Rate Used in Fingerprint Verification | Computer Configuration/Administrative Templates/DigitalPersona Pro [Server or Workstation]/Fingerprint Recognition | 65
Fingerprint is allowed to unlock the smart card | User Configuration/Administrative Templates/DigitalPersona Pro Workstation/Multi-credential logon to Windows | 69
Fingerprint Recognition | Computer Configuration/Administrative Templates/DigitalPersona Pro Workstation | 65
Maximum Number of Registered Fingerprints Per User | Computer Configuration/Administrative Templates/DigitalPersona Pro [Server or Workstation]/Fingerprint Recognition | 66
Maximum Size of Identification List | User Configuration/Administrative Templates/DigitalPersona Pro Workstation/ | 68
Multi-credential logon to Windows | User Configuration/Administrative Templates/DigitalPersona Pro Workstation/ | 69
Password is not allowed for logon | User Configuration/Administrative Templates/DigitalPersona Pro Workstation/Multi-credential logon to Windows | 69
Path to the container of templates | User Configuration/Administrative Templates/DigitalPersona Pro Workstation/OTS/One Touch SignOn configuration | 71
PIN is required when a fingerprint is provided | User Configuration/Administrative Templates/DigitalPersona Pro Workstation/Multi-credential logon to Windows | 69
Priority Set in BAS Locator DNS SRV Records | Computer Configuration/Administrative Templates/DigitalPersona Pro Server/BAS Locator DNS Records | 61
Randomize user’s Windows password | Users and Computers tool/[user name]/User Properties/DigitalPersona Pro tab (Basic Property) | 73
Refresh Interval of BAS Locator DNS Records | Computer Configuration/Administrative Templates/DigitalPersona Pro Server/BAS Locator DNS Records | 60
Register BAS Locator DNS SRV Record for Domain | Computer Configuration/Administrative Templates/DigitalPersona Pro Server/BAS Locator DNS Records | 63
Reset account lockout counter after | Computer Configuration/Administrative Templates/DigitalPersona Pro Server/Fingerprint Verification Lockout | 64
Show clear text passwords | User Configuration/Administrative Templates/DigitalPersona Pro Workstation/OTS/One Touch SignOn configuration | 71
Show fingerprint icon on the taskbar | User Configuration/Administrative Templates/DigitalPersona Pro Workstation/Workstation Properties | 70
Show One Touch Menu upon fingerprint validation | User Configuration/Administrative Templates/DigitalPersona Pro Workstation/Workstation Properties | 70
Sites Covered by BAS Locator DNS SRV Records | Computer Configuration/Administrative Templates/DigitalPersona Pro Server/BAS Locator DNS Records | 62
Use Basic Template Format | Computer Configuration/Administrative Templates/DigitalPersona Pro Workstation/Fingerprint Recognition | 66
Use DigitalPersona Pro Server for authentication | User Configuration/Administrative Templates/DigitalPersona Pro Workstation/ | 67
User must provide a fingerprint to log on | User Configuration/Administrative Templates/DigitalPersona Pro Workstation/Multi-credential logon to Windows | 69
User must provide a fingerprint to log on | Users and Computers tool/[user name]/User Properties/DigitalPersona Pro tab (Extended Property) | 74
User must type a PIN when providing a fingerprint to log on | Users and Computers tool/[user name]/User Properties/DigitalPersona Pro tab (Extended Property) | 74
User provides only Windows credentials to log on | Users and Computers tool/[user name]/User Properties/DigitalPersona Pro tab (Basic Property) | 73
Weight Set in BAS Locator DNS SRV Records | Computer Configuration/Administrative Templates/DigitalPersona Pro Server/BAS Locator DNS Records | 61
Chapter 13 - Troubleshooting
This chapter provides assistance to users having difficulty using the One Touch
programs, being authenticated by their fingerprint, or using the U.are.U Reader.
Reader Troubleshooting
This section contains reader troubleshooting tips for a variety of symptoms.
Reader Does Not Light Up During Installation or Restart
If the reader does not light up during installation or restart after installation of
DigitalPersona Pro, try the following:
• Ensure the reader is connected directly to a USB port on the computer—not a
USB hub.
• Connect the reader to another USB port on the same computer.
If neither step resolves the issue, try any of the options in the following three
sections:
Reinstall the USB Driver
Reinstalling the USB driver for the reader sometimes corrects the problem.
To reinstall the USB driver for the reader
1 Log on using your Windows password.
2 On the Start menu, point to Settings and click the Control Panel. Click the
Hardware tab and then the Device Manager button.
3 Expand the Biometric item in the table and click Uninstall on the context
menu of the U.are.U 4000 Fingerprint Device listing.
4 Unplug the reader.
5 Locate the UsbDPFp.sys file (C:\Windows\System32\drivers) and delete it.
6 Plug the reader in again. The installation wizard should automatically launch,
locate the reader driver software and install it. If the wizard prompts you to
locate the driver, point to the DpDrv folder in the Windows root folder.
7 Restart the computer.
Test Ports with Second Reader
If available, take a working reader from another computer and plug it into your
computer. If it works, the original reader may be faulty; if not, the USB
controller may be configured improperly (see “Check USB Controller
Configuration” on page 192).
In addition, you can also try plugging the original reader into a USB port on
another computer to verify whether the fault lies with the reader or with the
computer on which you are trying to install it.
Check USB Controller Configuration
Your computer must be configured to use USB devices. This section guides you
through the process of verifying this functionality.
To check the USB controller configuration on your computer
1 On the Start menu, point to Settings and click Control Panel. Then, click
System.
2 Click the Hardware tab and then the Device Manager button to verify that
“Universal Serial Bus controller” is listed as an entry.
3 If the entry exists, click the plus sign (+) next to Universal Serial Bus
controller and verify that icons for USB Root Hub and USB Port are present.
4 If none of the entries or icons are visible or if they have exclamation marks or
red X’s through them, you must contact the manufacturer of your computer
to acquire the necessary software to support USB devices.
Reader Light Went Out When In Use
If the reader light is no longer lit after the reader has been in use for some time,
try these steps to determine the source of the problem:
• Unplug the reader and then plug it in again. Check the USB cable connection
to ensure a secure fit.
• Connect the reader to a different USB port on your computer to verify that
the first USB port is working properly.
• Connect the reader to a different computer to see if the reader is
malfunctioning.
If the reader functions on another USB port or computer, the first USB port is
faulty. If the reader works on another computer—but not on the first one—check
the USB controller configuration, as described in “Check USB Controller
Configuration” on page 192.
Reader Does Not Blink When Touched
If the reader light is on, but does not blink when touched, unplug the reader and
then plug it in again.
If this does not correct the problem, clean the reader window.
To clean the reader window, apply the sticky side of a piece of adhesive
cellophane tape on the window and peel it away.
Under heavy usage, the window coating on some readers may turn cloudy from
the salt in perspiration. In this case, gently wipe the window with a cloth (not
paper) dampened with a mild ammonia-based glass cleaner.
Software Does Not Respond When Reader Is Touched
If the reader light is on and it blinks when touched but the fingerprint is not
scanned, unplug the reader and then plug it in again. If this does not correct the
problem, try cleaning the reader, as described in “Cleaning the Reader” on page
169. If these steps do not correct the problem, try restarting your computer.
Reader Blinks Constantly
If the reader light blinks constantly, the reader window may need cleaning. To
clean the reader window, apply the sticky side of a piece of adhesive cellophane
tape on the window and peel it away.
Under heavy usage, the window coating on some readers may turn cloudy from
the salt in perspiration. In this case, gently wipe the window with a cloth (not
paper) dampened with a mild ammonia-based glass cleaner.
One Touch Programs Troubleshooting
The following sections describe remedies for issues you may encounter with the
One Touch programs of DigitalPersona Pro Workstation.
One Touch Logon Troubleshooting
If logon seems particularly slow, it may be because the computer is spending
excess time looking for the DNS server. In this case, you can speed up
authentication by manually specifying the preferred DNS IP address.
To manually specify the preferred DNS IP address on a DigitalPersona Pro Workstation
1 Locate the My Network Places icon on the desktop and click Properties on its
context menu.
2 On the Network Connections dialog box, locate the Local Area Connection
icon and click Properties on its context menu.
3 Select Internet Protocol (TCP/IP) on the Local Area Connection Properties
dialog box and then click the Properties button.
4 Select the Use the following DNS server addresses radio button and type the
IP address of the DNS server in the Preferred DNS server text box.
[Figure callout: Specify the IP address of the preferred DNS Server(s) to speed up logon.]
5 Close all dialog boxes to save your changes.
One Touch Internet and OTS Troubleshooting
Following are issues you may encounter when using One Touch SignOn and
One Touch Internet:
• Due to the design of a particular Web site or program, One Touch Internet or
One Touch SignOn may not be able to automatically create a fingerprint
logon.
In the One Touch SignOn Administration Tool, use the Create Logon
Template Manually or Create Change Password Screen Template Manually
feature for access to more powerful options in designing Logon or Change
Password Screen templates.
• A submit button may not be found when setting up a logon screen that uses a
non-standard method for submitting forms. In this case, you will have to
manually submit logon data by clicking the submit button on the Web page
after One Touch SignOn or One Touch Internet fills in the field values.
• If a Quick Link is not working properly, ensure you have entered the Web
page title in the logon screen setup exactly as it appears on the Web page.
Also, verify that the URL specified in the logon screen setup is correct. Some
Web pages redirect users to a temporary URL that expires after one-time use.
If the logon screen you set up with One Touch SignOn or One Touch Internet
redirects users to temporary and unique URLs, for example, with Microsoft’s
Hotmail, you will have to manually type the URL in the logon profile instead
of using the URL One Touch SignOn assigns by default.
Installation Troubleshooting
For additional troubleshooting information see:
http://www.digitalpersona.com/support.
Chapter 14 - Customizing Pro Workstation
After installation of DigitalPersona Pro, administrators can override the default
DigitalPersona Pro Properties settings in the Windows Registry for One Touch
Menu content and Quick Actions.
Warning
Editing registry settings may damage your system. Before making changes,
back up your data. Use the Last Known Good Configuration startup option if
you encounter problems after making changes to the registry.
Instructions in the next two sections are provided to configure the One Touch
Menu and Quick Actions using the Windows Registry.
Note
Changes made to the settings in the registry do not take precedence over local
configuration by end users.
One Touch Menu Content
The MenuContent registry key determines which items are displayed in the One
Touch Menu. You can use the Windows Registry Editor to modify its values,
export the new settings to a .reg file, and import those settings on the target
machines.
To configure the One Touch Menu menu content
1 Launch the Windows Registry Editor.
2 In the Registry Editor, navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\DigitalPersona\
Applications\OTAppSettings\MenuContent
The following keys—all with a default value of 1—are listed:
• Help. Launches the online help for DigitalPersona Pro.
• OTI. Displays the menu item, “Create Fingerprint Logon,” in the One
Touch Menu and launches the Fingerprint Logon Wizard.
• Properties. Opens the DigitalPersona Pro Properties dialog box. See
“DigitalPersona Pro Workstation Properties” on page 140.
• QuickLinks. Allows end users to access fingerprint-enabled Web sites
and applications from the One Touch Menu, as described in “One Touch
Internet” on page 159.
• Registration. Launches the Fingerprint Registration Wizard, which is
described in “The user experience is the same with either the
DigitalPersona U.are.U Fingerprint Reader or supported swipe readers
embedded in many popular notebooks.” on page 146. The One Touch
Menu item displays as “Fingerprint Registration Wizard” only if One
Touch Logon is installed.
3 To remove an item from the One Touch Menu, set the corresponding key
value to 0. To add an item, set the key to 1.
Quick Actions
The procedure for modifying Quick Actions settings is similar to the One Touch
Menu registry configuration. Using the Windows Registry Editor, you can
specify the Quick Actions that correspond with a DigitalPersona Pro feature.
To configure Quick Actions in the Windows Registry
1 Launch the Windows Registry Editor.
2 In Registry Editor, navigate to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\DigitalPersona\
Applications\OTAppSettings\QuickActions
The value named finger has a default value of None.
3 Select a Quick Action feature by setting the value to one of the following
strings:
• Help
• Lock Workstation
• OTI (to access One Touch Internet)
• OTMenu (to access One Touch Menu)
• Properties
• QuickLinks
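The two registry procedures above (One Touch Menu content and Quick Actions) can also be applied and verified from PowerShell rather than by hand in the Registry Editor. The script below is an added example, not code from the guide or from DigitalPersona; it assumes the MenuContent values are REG_DWORD and the finger value is REG_SZ (the guide gives only names and defaults, not value types) and that the keys already exist because Pro Workstation is installed.

```powershell
# Added example, not from the DigitalPersona guide: sets the One Touch Menu
# content and the Quick Action described above with PowerShell instead of the
# Registry Editor, then reads the result back. Assumptions (the guide states
# only value names and defaults, not types): MenuContent entries are REG_DWORD
# and the QuickActions value "finger" is REG_SZ. Run in an elevated session,
# since both keys live under HKEY_LOCAL_MACHINE.

$basePath = 'HKLM:\SOFTWARE\DigitalPersona\Applications\OTAppSettings'
$menuKey  = Join-Path $basePath 'MenuContent'
$quickKey = Join-Path $basePath 'QuickActions'

# Value names the guide lists under MenuContent; each defaults to 1 (shown).
$menuItems = @('Help', 'OTI', 'Properties', 'QuickLinks', 'Registration')
# Strings the guide lists as Quick Action choices, plus the default "None".
$quickActions = @('None', 'Help', 'Lock Workstation', 'OTI', 'OTMenu',
                  'Properties', 'QuickLinks')

function Set-OneTouchMenuContent {
    # $Visibility maps a menu item name to 1 (show) or 0 (remove),
    # for example @{ OTI = 0; Registration = 0 }.
    param([Parameter(Mandatory)] [hashtable] $Visibility)

    if (-not (Test-Path $menuKey)) {
        throw "Key $menuKey not found; is DigitalPersona Pro Workstation installed?"
    }
    foreach ($name in $Visibility.Keys) {
        if ($menuItems -notcontains $name) {
            throw "Unknown One Touch Menu item '$name'"
        }
        $value = [int]$Visibility[$name]
        if ($value -ne 0 -and $value -ne 1) {
            throw "Value for '$name' must be 0 (remove) or 1 (show)"
        }
        Set-ItemProperty -Path $menuKey -Name $name -Value $value -Type DWord
    }
}

function Set-OneTouchQuickAction {
    # Chooses which feature a finger touch triggers by writing one of the
    # strings the guide lists into the "finger" value.
    param([Parameter(Mandatory)] [string] $Action)

    if ($quickActions -notcontains $Action) {
        throw "Unsupported Quick Action '$Action'; expected one of: $($quickActions -join ', ')"
    }
    if (-not (Test-Path $quickKey)) {
        throw "Key $quickKey not found; is DigitalPersona Pro Workstation installed?"
    }
    Set-ItemProperty -Path $quickKey -Name 'finger' -Value $Action -Type String
}

function Get-OneTouchCustomization {
    # Reads both keys back so the change can be checked before the keys are
    # exported to a .reg file for import on other workstations.
    $menu  = Get-ItemProperty -Path $menuKey  -ErrorAction Stop
    $quick = Get-ItemProperty -Path $quickKey -ErrorAction Stop
    $shown = foreach ($item in $menuItems) {
        # A missing value is treated as 0 (not shown).
        [pscustomobject]@{ Item = $item; Shown = ([int]$menu.$item -eq 1) }
    }
    [pscustomobject]@{ MenuContent = $shown; QuickAction = $quick.finger }
}

# Remove "Create Fingerprint Logon" (OTI) and the Registration Wizard entry
# from the One Touch Menu, and make a finger touch lock the workstation.
Set-OneTouchMenuContent -Visibility @{ OTI = 0; Registration = 0 }
Set-OneTouchQuickAction -Action 'Lock Workstation'
$result = Get-OneTouchCustomization
$result.MenuContent | Format-Table -AutoSize
"Quick Action: $($result.QuickAction)"

# Export the customized keys for import on target machines (reg.exe ships
# with Windows). Per the guide's note, end users' local configuration still
# takes precedence over these registry settings.
reg.exe export 'HKLM\SOFTWARE\DigitalPersona\Applications\OTAppSettings' `
    "$env:TEMP\OTAppSettings.reg" /y
```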
Chapter 15 - Installing High Encryption
If your domain controller is not high-encryption (128-bit) capable, install
Microsoft Windows 2000 High Encryption (128-bit) Capability, which is
available for download from Microsoft. Because high encryption capability is
built into Windows XP, Windows 2003 and the latest service packs for Windows 2000,
you do not need to install the high encryption pack on those operating systems.
To install Microsoft Windows 2000 High Encryption (128-bit) Capability on your
domain controller
1 Double-click ENCPACK.exe to launch the installer.
2 When prompted to continue with the installation of Microsoft Windows 2000
high-encryption (128-bit) capability, click Yes.
3 To finish the installation, restart the computer.
Chapter 16 - Warranties, Provisions & Regulatory Information
The DigitalPersona Pro for Active Directory System (the “SYSTEM”) you
acquired may include: the U.are.U Fingerprint Reader, (the “READER”); and
the DigitalPersona Pro for Active Directory Workstation and DigitalPersona Pro
for Active Directory Server software, the software embedded in the READER
and their associated media, printed material and “online” or electronic
documentation (the “SOFTWARE PRODUCT”). The SOFTWARE PRODUCT
is licensed, not sold, as set forth in the “License Agreement” screen that is
shown during the installation process.
Warranties
LIMITED WARRANTIES; LIMITATION OF REMEDIES
The warranties provided by DigitalPersona in this statement of limited warranty
apply only to SYSTEMS you originally purchased from DigitalPersona or an
authorized reseller for your personal or business use, and not for resale.
DigitalPersona warrants that the SOFTWARE PRODUCT will perform
substantially in accordance with the applicable documentation and that its media
will be free from defects in material and workmanship for a period of ninety
(90) days from the date of original purchase. DigitalPersona does not warrant
that use of the SOFTWARE PRODUCT will be uninterrupted or error-free.
DigitalPersona warrants that the READER will be free from defects in materials
and workmanship for a period of one (1) year from the original date of purchase.
If you discover an error or defect covered under these limited warranties,
DigitalPersona’s sole obligation, and your exclusive remedy, shall be, at
DigitalPersona’s option, either (a) to return the price paid, if any; or (b) to
replace the SOFTWARE PRODUCT or the READER using new or
remanufactured components. Any replacement SOFTWARE PRODUCT will be
warranted for the remainder of the original warranty period or thirty (30) days,
whichever is longer. Any replacement of the READER will be warranted for the
remainder of the original warranty period.
Warranty Service. To obtain your remedy under this warranty you must deliver
the defective product and the original sales receipt to the place of purchase. For
purchases made directly from DigitalPersona, you must first contact
DigitalPersona Customer Service and obtain a Return Merchandise
Authorization (RMA) number before returning the product to DigitalPersona.
You must pre-pay shipping charges to return the product to DigitalPersona and
insure the shipment or accept the risk of loss or damage during shipment.
DigitalPersona shall not be responsible for any returned product that is not
packaged properly or is returned without a valid and visible RMA number.
Product Failures Not Covered By This Warranty. These warranties cover
defects in manufacturing that arise during normal use and proper care in an
office environment. The warranties do not cover damage caused by any misuse,
improper maintenance, including physical abuse to the SOFTWARE
PRODUCT or to the READER (for example, but not limited to, cuts or
scratches to the READER window), or use of corrosive, abrasive, or improper
cleaning materials, or any misapplication, improper modifications or repair,
activity intended to circumvent the security devices incorporated into the
READER or SOFTWARE PRODUCT, criminal activity, moisture, shipping, or
high voltage surges from external sources such as power lines or other
connected equipment. This warranty also does not apply to any product with an
altered or defaced serial number. Opening the READER automatically voids
this warranty.
Disclaimer of Warranties. EXCEPT FOR THE FOREGOING LIMITED
WARRANTIES, DIGITALPERSONA MAKES NO OTHER EXPRESS OR
IMPLIED WARRANTIES TO THE MAXIMUM EXTENT PERMITTED BY
LAW AND SPECIFICALLY DISCLAIMS THE WARRANTIES OF
QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE, AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS
WITH REGARDS TO THE SYSTEM AS WELL AS ANY PROVISION OF
OR FAILURE TO PROVIDE SUPPORT SERVICES. IF SUCH DISCLAIMER
OF ANY IMPLIED WARRANTY IS NOT PERMITTED BY LAW, THE
DURATION OF ANY SUCH IMPLIED WARRANTY IS LIMITED TO 90
DAYS FROM THE DATE OF DELIVERY. SOME JURISDICTIONS DO NOT
ALLOW SUCH EXCLUSIONS OR LIMITATIONS, SO THEY MAY NOT
APPLY TO YOU. THESE LIMITED WARRANTIES GIVE YOU SPECIFIC
LEGAL RIGHTS AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH
VARY FROM JURISDICTION TO JURISDICTION.
General Provisions
Limitation on Liability. TO THE MAXIMUM EXTENT PERMITTED BY
APPLICABLE LAW, IN NO EVENT SHALL DIGITALPERSONA BE
LIABLE TO YOU OR ANY THIRD PARTY FOR ANY SPECIAL,
INCIDENTAL, INDIRECT, PUNITIVE OR CONSEQUENTIAL DAMAGES
WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR
LOSS OF BUSINESS PROFITS, GOODWILL, BUSINESS INTERRUPTION,
LOSS OF BUSINESS INFORMATION, BREACH OF COMPUTER
SECURITY SYSTEMS OR ANY OTHER PECUNIARY LOSS) ARISING
OUT OF THE USE OF OR INABILITY TO USE THE SYSTEM EVEN IF
DIGITALPERSONA HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. DIGITALPERSONA DOES NOT GUARANTEE THAT
THE SYSTEM WILL MEET ALL YOUR REQUIREMENTS OR ALL
REQUIREMENTS OF THE SOFTWARE OR HARDWARE WITH WHICH IT
INTERACTS. IN NO EVENT WILL DIGITALPERSONA’S LIABILITY FOR
ANY CLAIM, WHETHER IN CONTRACT, TORT OR ANY OTHER
THEORY OF LIABILITY, EXCEED THE PURCHASE PRICE OF THE
SYSTEM PAID BY YOU. Some jurisdictions do not allow these exclusions or
limitations, so such exclusions or limitations may not apply to you. The above
limitations will not apply in case of personal injury in countries other than the
U.S.A. and Canada only if and to the extent that such limitations are expressly
prohibited by applicable law.
Reverse Engineering. You may not reverse engineer, decompile, or disassemble the SYSTEM in whole or in part; nor shall you attempt to recreate the
source code from the object code of the SOFTWARE PRODUCT. Any other
activity regarding the form or substance of the SYSTEM will be allowed only to
the extent such activity is expressly permitted by applicable law.
Hazardous Use. The SYSTEM is not designed, made, or intended for use in any
application where failure, malfunction or inaccuracy of the SYSTEM may cause
death or serious bodily injury, including, without limitation, medical equipment,
nuclear facilities, aircraft operation, air traffic control and life support. Any such
use is prohibited without the prior written consent of DigitalPersona. You agree
that neither DigitalPersona nor its suppliers, distributors or resellers will be
liable, in whole or in part, for any claims, losses, costs or damages arising out of
or in connection with the use and performance of the SYSTEM in such
applications. If you use the SYSTEM for such applications without
DigitalPersona’s consent, you agree to indemnify, defend and hold
DigitalPersona harmless from all claims, actions, losses, liabilities, damages,
costs and expenses (including attorney's fees) arising out of or relating to such
prohibited uses.
Export Controls. You agree that you will not directly or indirectly export the
SYSTEM and related technical data in violation of Export Administration
regulations of the U.S. Department of Commerce and other applicable laws. You
further agree that you will not export, re-export, divert or transfer the SYSTEM
(a) into, or to a national or resident of, any country to which the United States has
embargoed goods, (b) to anyone included in the U.S. government List of
Specially Designated Nationals, the Table of Denial Orders or the Entity List, or
(c) to anyone involved in the manufacture and proliferation of weapons in
violation of applicable U.S. laws. By using the SYSTEM you are representing
and warranting that you are not located in, or under the control of, or a national
or resident of any such country, are not on any such list, and are not involved in
any such activity.
U.S. Government Rights. If you are an agency or instrumentality of the United
States Government, the software and documentation included in the
SOFTWARE PRODUCT are “commercial computer software” and
“commercial computer software documentation,” and pursuant to FAR 12.212
or DFARS 227.7202, and their successors, as applicable, use, reproduction and
disclosure of the software and documentation are governed by the terms of the
End User License Agreement.
Regulatory Information
Any changes or modifications not expressly approved by DigitalPersona could
void your authority to operate this equipment.
The U.are.U Fingerprint Reader has been tested and found to comply with the
limits for a Class B digital device under Part 15 of the Federal Communications
Commission (FCC) rules, and it is subject to the following conditions: a) It may
not cause harmful interference, and b) It must accept any interference received,
including interference that may cause undesired operation.
This device conforms to emission product standards EN55022(B) and
EN50082-1 of the European Economic Community and AS/NZS 3548 Class B
of Australia and New Zealand.
This digital apparatus does not exceed the Class B limits for radio noise
emission from digital apparatus as set out in the radio interference regulations of
the Canadian Department of Communications.
Le présent appareil numérique n'émet pas de bruits radioélectriques dépassant
les limites applicables aux appareils numériques de Classe B prescrites dans le
règlement sur le brouillage radioélectrique édicté par le Ministère des
Communications du Canada.
Index
Symbols
.dplif extension 87
_uareupro SRV RR 44
DNS Console path 46
modifying Priority and Weight settings 46
A
About menu item 144
Account is locked out from use of fingerprint
credentials setting 73, 75
Account lockout duration 64
Account lockout threshold 64
Active Directory containers 42
Biometric Authentication Servers
container 42
Policies container 42
Active Directory Domain Configuration
Wizard 34
Active Directory Schema Extension
Wizard 32
Active Directory, defined 9
add license 88
Administration Tools 23
Cleanup Wizard 136
installation 85
License Control Manager 86
overview 84
User Query Tool 131
Administrative Templates & Snap-ins 10
ADSI Edit Tool 76
Allow OneTouch Internet setting 70
Allow users to add account data setting 128
Allow users to delete account data
setting 71, 128
Allow users to edit account data setting 128
attended registration
using 90
Authentication Server Object Name
property 43
authentication, defined 14
Automated Site Coverage ... setting 62
automatic DNS registration 44
B
BAS Locator settings 60
Basic Template Format 66
Basic User Properties 72
Biometric Authentication Servers
container 42
Server Version Object Name 43
Service Configuration Container Name 43
BTF 66
C
Cache Domain User Data on Local Computer
setting 67
Cache User Credentials setting 67
cached credentials
defined 154
in One Touch Logon 153
Change Password Screen Template 111
Change Password Screen Templates
automatic 112
manual 116
changes made during installation 42
changing your Windows password 168
chapter overview 3
checklist, deployment plan 185
choosing an account 130
cleaning the reader 169
Cleanup Wizard 136
command line install, Workstation 51
configuration options 179
configure domain 34
configuring DNS dynamic registration 46
Connect to this domain the next time you run
License Control Manager 87
connecting to a domain 86
containers
deleting 121
editing 121
managing 121
conventions
naming 5
notation 5
typographic 6
Creating Change Password Screen
Templates 111
Creating OTS Templates 97
Credentials Management 81
Credentials, defined 14
custom installation of Pro Workstation 49
Custom Workstation installation 179
D
delete user credential data 76
deleting registered fingerprints 167
Deploying DigitalPersona Pro Server 29
deploying OTS templates 125
deployment factors 181
Deployment Plan 180
Deployment Plan Checklist 185
deployment planning 172
DigitalPersona icon 92, 129
DigitalPersona Kiosk 27
DigitalPersona Platinum SDK 27
DigitalPersona Pro for Active Directory
SDK 26
DigitalPersona Pro Server 20
DigitalPersona Pro Workstation 21
DigitalPersonaProSvr.adm 36
DigitalPersonaProWksta.adm 36
DNS Console path 46
DNS Registration 44
domain, configuring for Pro Server 34
Dynamic DNS, defined 14
Dynamic Registration of BAS Locator DNS
Records setting 60
E
Enable sound feedback 166
Enable visual feedback 166
End-User education 184
event feedback
fingerprint prompt feedback 145
fingerprint recognition feedback 145
fingerprint scan acquisition feedback 145
Event Logging setting 59
event logs specifications 79
extend the Active Directory schema 32
Extended Server Policy Module 24, 74
Extended Template Format 66
Extended User Properties 74
F
Failed logon attempt lockout settings 64
False Accept Rate policy setting 65
FAR 65
feature comparison 31, 176
feedback requested 8
Field Catalog 95
filtering Pro events 77
finding Pro events 78
fingerprint credentials
deleting 167
registering 147
fingerprint identification, defined 15
Fingerprint is allowed to unlock the smart
card 69
fingerprint PINs, using 15, 155
fingerprint prompt feedback 145
Fingerprint readers 22
fingerprint recognition feedback 145
Fingerprint Recognition settings 65
fingerprint registration, defined 15
fingerprint scan acquisition feedback 145
fingerprint template, defined 15
fingerprint templates
defined 14
registration template 15
Fingerprint Verification Lockout setting 64
fingerprint verification, defined 15
Fingerprint/Credentials Management 81
G
getting license information 87
GPO
implementation guidelines 37
Group Policy 11
H
Help menu item 142, 144
Hide Icon menu item 144
High Encryption, installing 198
I
identification list 153
implementation guidelines 37
improving performance 46
installation scenario 174
installing
Administrative Templates 36, 39
Microsoft Windows 2000 High Encryption
(128-bit) Capability 198
Pro Server 35
Pro Workstation software 48
Workstation Template locally 39
installing High Encryption 198
installing license files 88
K
key concepts
authentication 14
cached credentials 154
fingerprint identification 15
fingerprint registration 15
fingerprint templates 14
fingerprint verification 15
identification list 153
L
license
installing 88
UALs 89
uninstalling 89
view details 88
License Control Manager 86
licensing model 86
list of Administration Tools 84
local installation of Pro Workstation 47
Lock Computer menu item 143
locked account 75
locking a computer 158
Log Events policy setting 59
Logon Screen Actions, manual selections 105
Logon Screen Properties options 101
Logon Screen Template, manual options 109
M
manual DNS registration 45
Max Size of Identification List setting 68
Maximum Number of Fingers ... setting 66
Microsoft Windows 2000 High Encryption
(128-bit) Capability
installing 198
modifying
DNS Priority setting 46
Multi-credential Logon ... setting 69
Multi-credential logon settings 181
O
One Touch Internet 16, 21
One Touch Internet, defined 16
One Touch Logon 21
Cached Credentials 153
changing Windows password with 168
Identification List 153
overview 21
One Touch Menu
Help 142
Properties 142
Quick Links 141
One Touch SignOn 21
changing passwords 130
creating templates manually 103
deploying templates 125
logging on 129
overview 21, 92
settings 71, 127
One Touch Unlock 158
online help 8
Organizational Units 11
OTS Administration Tool
containers 95
Field Catalogs 95
installing 93
setup 93
OTS Templates
creating automatic 97
creating manual 103
P
Password is not allowed for logon 69
Path to the container of templates
setting 71, 128
PIN is required when a fingerprint is
provided 69
Planning & Deployment 172
planning overview 174
Policies container 42
policy settings
Account Lockout 64
False Accept Rate 65
Log Events 59
Max Size of Ident. List 68
Maximum Number of Fingers... 66
Multi-credential Logon 69
Use Remote Authentication Server 67
Priority Set in BAS Locator DNS SRV Records
setting 61
Pro Server
Active Directory containers 42
installation overview 29
installing software 35
overview 20
published information 43
system requirements 35
uninstalling 46
Pro Workstation
custom installation 54
installing 54
locking 158
system requirements 47
Product Compatibility 26
product components and modules 19
Product GUID property 43
Product Name 43
Product Version High property 43
Product Version Low property 43
Product Version Number property 43
Properties menu item 142
property settings
Cache User Credentials on the
Workstation 67
providing multiple credentials 130
provisions, warranties & regulatory
information 199
published information 43
Authentication Server Object Name
property 43
keywords 43
Product GUID property 43
Product Name 43
Product Version High property 43
Product Version Low property 43
Product Version Number 43
Schema Version Number property 43
Service Class GUID property 43
Service Class Name property 43
Service Principal Name property 43
Vendor Name property 43
Q
query users 131
Quick Link 101
Quick Links menu item 141
R
reader
cleaning 169
touching 169
troubleshooting 191
reader icon, indicating connectivity status 143
reader menu
About 144
Help 144
Hide Icon 144
Lock Computer 143
Properties 143
recommended skill set 7
Refresh Interval of BAS Locator DNS Records
setting 60
Register BAS Locator ... setting 63
registering fingers 147
registration template, defined 15
registry settings, workstation 196
regulatory information 199
Related Products 26
remote installation of Pro Workstation 51
removing Pro data 136
required software & hardware 177
requisite knowledge 7
Reset account lockout counter after 64
running an interactive query 132
Running User Query Tool from the command
line 132
S
schema
Active Directory Schema Extension
Wizard 32
extending 32
Schema Version Number property 43
SDK 26
Service Class GUID property 43
Service Class Name property 43
Service Configuration Container Name 43
Service Principal Name property 43
Service Resource Records 17
_uareupro SRV RR 44
adding manually 46
format 44
Service Version Object Name 43
settings
categories 56
location 56
Show clear text passwords setting 71, 128
Show fingerprint icon setting 70
Show One Touch Menu ... setting 70
Show Reader icon on the taskbar property 166
Sites Covered by BAS Locator ... setting 62
smart cards, using for logon 157
SRV RR 17
stronger security settings 183
support 8
DigitalPersona Web site 8
during evaluation 173
online help 8
phone support 8
Professional Services 173
readme file 8
technical 173
supported readers 22
swipe readers 22
System Requirements 25
system requirements
Pro Server software 35
Pro Workstation 47
T
Templates
finding 122
templates
deleting 124
deploying 125
editing 123
finding fields in 123
finding redundant 123
managing 122
setting container path to 125
to remove user credential data 76
to unlock a locked account 75
touching the reader 169
two-factor authentication 130
typographic conventions 6
U
U.are.U Fingerprint Reader 178
uninstalling
Pro Server 46
Pro software remotely 51
Pro Workstation 54
unlocking locked accounts 75
upgrading from Previous Versions 29
Use Basic Template Format setting 66
Use DigitalPersona Pro Server for
authentication setting 67
Use Remote Authentication Server policy
setting 67
User Authentication Licenses 89
user credential data, remove 76
User must provide a fingerprint to log on 69
User must provide a fingerprint to log on
setting 74
User must type a PIN when providing a
fingerprint to log on setting 74
User Policies
Basic 72
User Properties 71, 72
Extended 74
User Query Tool 131
parameters 132
run from script 134
users, attended registration 90
using
attended registration 90
fingerprint PINs 15, 155
smart cards 157
Windows Event Viewer 77
using Pro Cleanup Wizard 136
V
Vendor Name
published information property 43
view license details 88
W
warranties, provisions & regulatory
information 199
Weight Set in BAS Locator DNS SRV Records
setting 61
Windows Event Viewer 59
filtering Pro events 77
finding Pro events 78
using 77
Windows Logon Policies 179
Windows Registry 196
workstation only installation 175
Workstation Properties settings 70
X
XTF 66