DigitalPersona Pro Administrator Guide
Administrator Guide DigitalPersona®Pro for Active Directory Version 4.2 DigitalPersona, Inc. © 2007 DigitalPersona, Inc. All Rights Reserved. All intellectual property rights in the DigitalPersona software, firmware, hardware and documentation included with or described in this guide are owned by DigitalPersona or its suppliers and are protected by United States copyright laws, other applicable copyright laws, and international treaty provisions. DigitalPersona and its suppliers retain all rights not expressly granted. U.are.U®, DigitalPersona® and One Touch® are trademarks of DigitalPersona, Inc. registered in the United States and other countries. Windows, Windows 2000, Windows 2003 and Windows XP are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective owners. This DigitalPersona Pro for Active Directory Administrator Guide and the software it describes are furnished under license as set forth in the “License Agreement” screen that is shown during the installation process. Except as permitted by such license, no part of this document may be reproduced, stored, transmitted and translated, in any form and by any means, without the prior written consent of DigitalPersona. The contents of this manual are furnished for informational use only and are subject to change without notice. Any mention of third-party companies and products is for demonstration purposes only and constitutes neither an endorsement nor a recommendation. DigitalPersona assumes no responsibility with regard to the performance or use of these third-party products. DigitalPersona makes every effort to ensure the accuracy of its documentation and assumes no responsibility or liability for any errors or inaccuracies that may appear in it. Should you have any questions concerning this document, or if you need to contact DigitalPersona for any other reason, write to: DigitalPersona, Inc. 
720 Bay Road, Suite 100
Redwood City, CA 94063 USA

Document Publication Date: 06/22/07

Table of Contents

Part One: Overview

1 Introduction (2)
    Chapter Overview (3)
    Conventions (6)
    Recommended Skill Set (8)
    Support Resources (9)
    Your Feedback is Requested (9)

2 Key Concepts & Terminology (10)
    Concepts (10)
    Terminology (15)

3 Product Overview (20)
    DigitalPersona Pro for Active Directory (20)
    Product Components and Modules (21)
    DigitalPersona Pro Server (22)
    DigitalPersona Pro Workstation (23)
    DigitalPersona Pro Kiosk (24)
    Fingerprint Readers (26)
    Administration Tools (27)
    Extended Server Policy Module (28)
    System Requirements (29)
    Product Compatibility (30)
    Related Products (31)

Part Two: Deployment & Installation

4 Deploying DigitalPersona Pro Server (33)
    Deployment Overview (33)
    Upgrading from Previous Versions (33)
    Install DigitalPersona Pro Server (39)
    Install the Administrative Templates (40)
    Install Templates to Active Directory (43)
    Server Template (43)
    Workstation and Kiosk Templates (44)
    Configuring DigitalPersona Pro Server for Pro Kiosk (46)
    Configuration Steps (46)
    Configuring DigitalPersona Pro Server GPO Settings (47)
    Changes Made During Installation (51)
    DNS Registration (53)
    Uninstalling DigitalPersona Pro Server (55)

5 Installing DigitalPersona Pro Workstation (56)
    System Requirements (56)
    Local installation from the product CD (57)
    Remote Installation (60)
    Command Line Installation (61)
    Installation on Citrix Presentation Server (62)
    Uninstalling DigitalPersona Pro Workstation (64)
    Customizing a DigitalPersona Pro Workstation Installation (64)

6 Installing Pro Kiosk (65)
    System Requirements (65)
    Installing DigitalPersona Pro Kiosk (66)
    Installation on Citrix Presentation Server (67)
    Uninstalling DigitalPersona Pro Kiosk (68)

Part Three: Administration

7 Configuring Policies and Settings (70)
    About DigitalPersona Pro Settings (70)
    DigitalPersona Pro Policies and Settings (72)
    Event Logging (74)
    BAS Locator DNS Records (75)
    Fingerprint Verification Lockout (79)
    Kiosk Server Settings (79)
    Fingerprint Recognition (80)
    Allow Fingerprint Data Redirection (82)
    Workstation Only (83)
    Workstation Properties (86)
    One Touch SignOn (87)
    Kiosk Workstation Only (88)
    User Properties (89)

8 User Properties & Commands (90)
    User Properties (90)
    Basic User Properties (91)
    Extended User Policies (92)
    Unlocking Accounts after Failed Logon Attempts (93)
    User Context Menu Commands (94)
    Deleting User Credentials using the ADSI Edit Tool (94)

9 Administration Tools (96)
    Overview (96)
    License Control Manager (98)
    Overview (98)
    Connecting to a domain (98)
    Getting License Information (99)
    Reviewing and installing license files (100)
    Viewing license details (100)
    Viewing UAL Summary Information (101)
    Uninstalling licenses (101)
    Attended Fingerprint Registration (102)
    Assigning Registration Permissions (102)
    Single User (102)
    Organizational Unit or Domain (103)
    One Touch SignOn Administration Tool (104)
    Overview (104)
    Installing the OTS Administration Tool (105)
    Setting up OTS (105)
    Creating OTS Templates (109)
    Creating Change Password Screen Templates (123)
    Managing Containers (133)
    Managing Templates (134)
    One Touch SignOn Settings (139)
    Logging On with One Touch SignOn (141)
    Changing Passwords with One Touch SignOn (142)
    User Query Tool (144)
    Cleanup Wizard (149)

10 DigitalPersona Pro Events (151)
    Auditing Using the Windows Event Viewer (151)
    Event Log Specifications (153)
    Computer Environment (153)
    General (154)
    Secret Management (154)
    Fingerprint/Credentials Management (155)
    User Management (155)
    Logon/Lock (156)
    DNS Registration (156)
    Kiosk Core Events (157)
    Kiosk User Management Events (157)
    Kiosk User Authentication Events (158)

Part Four: Clients

11 DigitalPersona Pro Workstation (160)
    Features Overview (161)
    One Touch Menu (163)
    Reader Icon and Menu (165)
    Fingerprint Reader Visual Cues (167)
    Fingerprint Registration (169)
    One Touch Logon (172)
    Using Fingerprint PINs (176)
    Using Smart Cards for Logon (178)
    User Account Control (178)
    One Touch Features (179)
    One Touch Internet (180)
    Logging On to Web Sites and Programs (181)
    Creating Fingerprint Logons (182)
    DigitalPersona Pro Workstation Properties (186)
    Deleting Registered Fingerprints (188)
    Changing Your Windows Password (189)
    Fingerprint Reader Usage and Maintenance (190)

12 DigitalPersona Pro Kiosk (192)
    Overview (192)
    Identification List (192)
    How Pro Kiosk Works (193)
    Comparing Pro Workstation and Pro Kiosk (195)
    Using One Touch SignOn with Pro Kiosk (196)
    Logging On to Windows (197)
    Using One Touch Logon (197)
    Logging on to Windows without Kiosk (198)
    Using One Touch Unlock (199)
    Changing Your Password (199)
    User Account Control (200)
    Logging On to Password-Protected Programs (201)
    Using Fingerprint Logons for Programs (201)
    Adding Account Data (202)
    Changing Account Data (203)
    Removing Account Data (203)
    Switching Users on Pro Kiosk Computers (204)
    Fingerprint Reader Icon and Menu (204)
    Fingerprint Reader Status (204)
    Fingerprint Reader Icon Context Menu (204)
    Using the Start Menu (205)

Part Five: Appendices

13 Planning & Deployment (207)
    Overview (207)
    Planning (209)
    Deployment (216)
    Deployment Plan Checklist (220)

14 DigitalPersona Pro Settings (222)

15 Troubleshooting (228)
    Reader Troubleshooting (228)
    One Touch Programs Troubleshooting (231)
    Installation Troubleshooting (232)

16 Customizing Pro Workstation (233)
    One Touch Menu Content (233)
    Quick Actions (234)

17 Installing High Encryption (236)

18 Regulatory Information (237)

19 Index (239)

Part One: Overview

Part One of the DigitalPersona Pro for Active Directory Administrator Guide includes the following chapters:

1 - Introduction: Provides an overview of each chapter in the Administrator Guide and other information that will help make your use of the guide more effective. (page 2)
2 - Key Concepts & Terminology: Defines and describes important concepts and terms that you need to be familiar with to understand the features and functions of DigitalPersona Pro. (page 10)

3 - Product Overview: Describes each component of DigitalPersona Pro and explains the authentication process. (page 20)

1 Introduction

The DigitalPersona® Pro for Active Directory Administrator Guide is your comprehensive resource for information about DigitalPersona Pro for Active Directory. The guide includes a Product Overview which describes the features and functionality of each component, an explanation of Key Concepts and Terminology, specific chapters on the Installation, Configuration and Administration of DigitalPersona Pro Server, as well as a complete guide to the features of DigitalPersona Pro Workstation and Kiosk. Appendices include a Planning & Deployment Guide, a list of policies and settings, a Troubleshooting section, instructions for customizing Workstation through Registry settings and instructions on installing High Encryption on Windows 2000 computers. See the next page for a complete chapter summary.

The purpose of this chapter is to:

• Give a brief overview of the chapters in the guide.
• Explain the text, naming and other conventions used in the guide.
• Describe the recommended skill set for users of the guide.
• Let you know what additional resources are available for support.
• Provide a means for you to give us feedback on any aspect of our products, service or documentation.

Chapter Overview

Part One of the Administrator Guide includes this chapter, the Key Concepts and Terminology and Product Overview chapters.
The purpose of this section is to provide information that will assist you in understanding the DigitalPersona Pro for Active Directory product and components, and in establishing the conceptual framework for the remainder of the guide.

Chapter 1, Introduction, is described on the previous page.

Chapter 2, Key Concepts & Terminology, defines terms and concepts used in the guide, including an overview of Active Directory and the DigitalPersona Pro authentication process.

Chapter 3, Product Overview, describes DigitalPersona Pro for Active Directory Server, Workstation and Kiosk software, hardware components, system requirements and compatibility with previous versions and related products.

Part Two includes chapters on the deployment of DigitalPersona Pro for Active Directory Server, Pro Workstation and Pro Kiosk.

Chapter 4, Deploying DigitalPersona Pro Server, consists of detailed instructions for deploying (and uninstalling) DigitalPersona Pro Server, including configuration of Pro Server for the Kiosk environment.

Chapter 5, Installing DigitalPersona Pro Workstation, contains detailed instructions for installing (and uninstalling) DigitalPersona Pro Workstation.

Chapter 6, Installing DigitalPersona Pro Kiosk, contains detailed instructions for installing (and uninstalling) DigitalPersona Pro Kiosk.

Part Three, Administration, describes the configuration and administration of DigitalPersona Pro for Active Directory, including the policies, settings and properties used to tailor system behavior to meet the needs of your organization, as well as descriptions of the events generated by the system.

Chapter 7, Configuring Policies and Settings, explains each policy and setting available as part of DigitalPersona Pro for Active Directory. These are implemented through the Active Directory administration tools for domain-wide administration and through the Microsoft Management Console for local administration.
Chapter 8, User Properties, describes the user settings available through the User Properties Snap-in and the extended settings available through the Extended Server Policy Module.

Chapter 9, Administration Tools, provides instructions for using each of the standalone administration tools that can be used to provide centralized or decentralized administration of DigitalPersona Pro for Active Directory. Some of the available tools are: License Control Manager, Attended Fingerprint Registration Tool, One Touch SignOn Administration Tool, User Query Tool and the CleanUp Wizard.

Chapter 10, DigitalPersona Pro Events, lists and describes the events generated by DigitalPersona Pro for Active Directory, which can be viewed through the Windows Event Viewer.

Part Four, DigitalPersona Pro Clients, describes the features and functionality of the DigitalPersona Pro Workstation and Kiosk clients from the administrator’s perspective.

Chapter 11, DigitalPersona Pro Workstation, describes and explains the features of DigitalPersona Pro Workstation for the administrator.

Chapter 12, DigitalPersona Pro Kiosk, describes and explains the features of DigitalPersona Pro Kiosk for the administrator.

Part Five, Appendices, provides additional information about DigitalPersona Pro for Active Directory.

Chapter 13, Planning & Deployment, provides design guidelines, assists you in selecting and planning a deployment scenario and provides tools to help you create and execute a successful Pro deployment plan.

Chapter 14, DigitalPersona Pro Settings, provides a complete alphabetical list of all DigitalPersona Pro policies and settings with references to their Active Directory location and the page number where they are described.
Chapter 15, Troubleshooting, provides solutions to situations where DigitalPersona Pro for Active Directory software or hardware may be acting in an unexpected manner.

Chapter 16, Customizing Pro Workstation, describes how to configure One Touch Menu content and Quick Actions behavior through the Windows Registry. These settings can then be pushed to all DigitalPersona Pro for Active Directory Workstations.

Chapter 17, Installing High Encryption, describes how to install 128-bit high encryption for an installation of Windows 2000 that does not have the latest patches.

Conventions

Naming Conventions

In order to make this guide easier and quicker to read, the following naming conventions are used to describe the DigitalPersona Pro for Active Directory Server and Workstation software and hardware:

• DigitalPersona Pro Server, Pro Server and Server sometimes replace the full product name, DigitalPersona Pro for Active Directory Server. In this guide, these terms always refer to the Active Directory version, and not to any other version of DigitalPersona Pro Server software.

• DigitalPersona Pro Workstation, Pro Workstation and Workstation are sometimes used instead of the full name, DigitalPersona Pro for Active Directory Workstation. They always refer to the Active Directory version of DigitalPersona Pro Workstation when used in this guide.

• DigitalPersona Pro Kiosk, Pro Kiosk and Kiosk are sometimes used instead of the full name, DigitalPersona Pro for Active Directory Kiosk. They always refer to the Active Directory version of DigitalPersona Pro Kiosk when used in this guide.

• Reader or Fingerprint Reader, used in either upper or lower case, refers to the DigitalPersona U.are.U Reader and third-party swipe readers, unless otherwise specified in the context.
Notation Conventions

The following notation conventions are used in this guide to call attention to information of special importance:

Note: A note highlights information that may help you better understand the text and its concepts.

Warning: A warning advises you that failure to take or avoid a specific action could result in your inability to complete the required tasks or cause undesirable results.

Typographic Conventions

This guide uses the following typographic conventions:

• Courier indicates text that is typed by the user. Example: “Type http://www.digitalpersona.com/ in the Address text box.” You would only type “http://www.digitalpersona.com/” and would not type any surrounding text.

• Text in Courier bold and surrounded by brackets [ ] indicates information that is always supplied by you and will vary depending on a particular circumstance. Example: “Type http://[your company Web site URL]/ in the Address text box.” You would type “http://”, then type your company Web site URL—not the words “[your company Web site URL]”—and then “/”. Courier bold is also used to display information that is dynamically generated by DigitalPersona Pro.

Recommended Skill Set

To fully and effectively utilize the information contained in this guide, we recommend that you possess the minimum skills and knowledge defined below.

Domain Administrators

If you will be administering DigitalPersona Pro Server for one or more domains, you should have knowledge of and experience with the Windows 2000 or 2003 Server operating system and its administrative tools.
Specifically, you should have working knowledge of key Active Directory concepts and objects, including group policy objects, containers, sites, domains and organizational units, and be able to use the standard Active Directory administration tools such as the Active Directory Users and Computers console and the Group Policy Editor.

Local Administrators

If you are administering DigitalPersona Pro Workstation on a local computer, you should understand how to use the Microsoft Management Console (MMC) to manage computer properties.

Workstation End Users

End users of DigitalPersona Pro for Active Directory Workstation should possess basic computer and network operation skills, such as logging on to a computer and using the taskbar, shortcut menus and a Web browser.

Support Resources

In addition to this guide, the following resources are provided for additional support to users of DigitalPersona Pro Server, Workstation and Kiosk:

• Readme files are provided in the root directory of the product CD for each product. These files often contain late-breaking information about the product.

• The DigitalPersona Web site provides an online technical support form at http://www.digitalpersona.com/support/enterprise/chooseproduct.php, where you can ask for help with your questions. Simply describe your issue, include your contact information, and a technical support representative will contact you shortly by e-mail or phone.

• Phone support is available at (877) 378-2740 in the U.S. only. Outside the U.S., call +1 650-474-4000.

• Online help is included with each product as well as with the Administration Tools. Online Help is accessible from various dialog boxes that appear during the use of the software and from the One Touch Menu, as described in “Help” on page 164.
Your Feedback is Requested

Although the information in this guide has been thoroughly reviewed and tested, we welcome your feedback on any errors, omissions or suggestions for future improvements. If you find errors or have suggestions for future publications, contact us at: [email protected]

Or at:

DigitalPersona, Inc.
720 Bay Road, Suite 100
Redwood City, California 94063 USA
(650) 474-4000
(650) 298-8313 FAX

2 Key Concepts & Terminology

In order to fully understand and implement the features of DigitalPersona Pro for Active Directory, you will need to be familiar with the terms and concepts covered in this chapter. If you consider yourself knowledgeable about Active Directory, you may want to skip the rest of this page and continue with reading about DigitalPersona Pro concepts and terminology on page 10.

Concepts

Active Directory

Active Directory is a proprietary directory service that has been included with Microsoft Windows servers since the release of Windows 2000 Server. A directory service is a software application that stores and organizes information about a computer network's users and resources, such as computers, printers and network shares. It enables network administrators to manage users' access to those resources.

The design, implementation and configuration of Active Directory can be a complex task, even for a small to medium-sized organization, and is beyond the scope of this topic. Assuming that Active Directory is set up and working correctly for your organization’s current needs, this topic will provide the information that you need in order to use a working Active Directory to administer DigitalPersona Pro.

DigitalPersona Pro for Active Directory uses the Active Directory service for administration of the policies and settings that determine the functionality and features implemented in your organization.
Through Active Directory you can assign enterprise-wide policies and settings to computers in your network as well as locate and administer objects, users and resources across the network.

Active Directory is structured as a hierarchy of objects and containers laid out in a tree format. In the Users and Computers Snap-in (Figure 2-1), which is one of the visual tools that can be used to create and administer objects, the hierarchy looks much the same as the folder structure in Windows Explorer.

Figure 2-1. Users and Computers Snap-in

Administrative Templates & Snap-ins

DigitalPersona Pro for Active Directory integrates with Active Directory through the use of the following Administrative Templates and Snap-ins.

DigitalPersonaProSvr.adm (page 40)
    The Active Directory Administrative Template for DigitalPersona Pro Server is applied to GPOs governing Domain Controllers running DigitalPersona Pro Server.

DigitalPersonaProWksta.adm (page 40)
    The Administrative Template for DigitalPersona Pro Workstation is applied to GPOs governing computers running DigitalPersona Pro Workstation, or can be applied to a local policy object for a standalone configuration of DigitalPersona Pro Workstation.

DigitalPersonaProKioskWks.adm (page 40)
    The Administrative Template for DigitalPersona Pro Kiosk is applied to GPOs governing computers running DigitalPersona Pro Kiosk.

User Properties Snap-in (page 90)
    An Active Directory snap-in that enables DigitalPersona Pro user settings.*

Extended Server Policy Module (page 92)
    An optional snap-in extending DigitalPersona Pro User Properties.*

* User Properties take precedence over GPO settings.
Group Policy

Group Policy is a feature of the Active Directory service that facilitates change and configuration management. Group Policy settings are stored in Group Policy Objects (GPOs) in the Active Directory database. These GPOs are linked to containers, which include Active Directory sites, domains, and organizational units (OUs).

Because Group Policy is so closely integrated with Active Directory, it is important to have a basic understanding of both Active Directory structure and the security implications of different design configuration options within it before you implement Group Policy.

For information about the policies and settings that DigitalPersona Pro adds to a GPO, see “Configuring Policies and Settings” on page 70. For additional information about security and DigitalPersona Pro, refer to the DigitalPersona Pro for Active Directory Security Guide.

Organizational Units (OUs)

An OU is a container within an Active Directory domain. An OU may contain users, groups, computers, and other OUs, which are known as child OUs. You can link a GPO to an OU, and the GPO settings will be applied to the users and computers that are contained within that OU and its child OUs. To facilitate administration you can delegate administrative authority to each OU.

OUs provide an easy way to group users, computers, and other security principals, and they also provide an effective way to segment administrative boundaries. Users and computers are generally assigned to separate OUs, because some settings only apply to users and other settings only apply to computers.

One of the primary goals of an OU structure design for any environment is to provide a foundation for a seamless Group Policy implementation that applies to all workstations in Active Directory and ensures that they meet the security standards of your organization.
The OU structure must also be designed to provide adequate security settings for specific types of users in an organization. For example, developers may need some permissions that average users do not need to have. Also, laptop users may have slightly different security requirements than desktop users.

The figure on the right shows a basic OU structure for illustration of the concept only, and is not a recommendation to create your OU structure in the same way. Your OU structure must be defined by the specific organizational requirements of your environment.

Pro Biometric Authentication Process

DigitalPersona Pro’s biometric authentication process validates the identity of a user through a scan of their fingerprint, which can also be used in combination with their password or a smart card for multi-factor authentication. This biometric authentication process is used by DigitalPersona Pro Workstation in an enterprise deployment with DigitalPersona Pro Servers.

Prior to authentication:

1 A user registers their fingerprint(s), creating a registration template that is stored on the local workstation and also sent securely to the Pro Server.

2 Pro Workstation captures user data (such as user account or logon information), called “secrets”, and sends them securely to Pro Server for storage in Active Directory. By default, it also caches these secrets locally on the Workstation, so that they are available if the Server cannot be reached. Caching can be disabled by the administrator through a setting in the DigitalPersona Pro Active Directory Administrative Template.

The authentication process is initiated when a Pro application (such as Pro Workstation) prompts the user to verify their identity by providing their fingerprint.
This may be in order to log on to Windows using One Touch Logon, or to log on to a program or Web site using One Touch SignOn or One Touch Internet. The authentication process is as follows:

1 The user touches the fingerprint reader with a registered finger.

2 The fingerprint is scanned and processed at the workstation, creating a verification template.

3 The verification template is compared to the registration template cached on the local workstation and then sent to the Pro Server for confirmation of the user’s identity.

4 Pro Server compares the verification template to the registration template in the user record in Active Directory. If the verification template matches the registration template, Pro Server authenticates the user and sends the “secret” requested by the application securely to the Workstation.

5 The Pro application receives the secret and then uses the information as needed, typically to log the user on to their Windows account, a program or a Web site.

Note: When a Pro Server is unavailable, such as when a laptop is disconnected from the network, the required secret is retrieved from a local cache on the Workstation. If a Pro Server is unavailable and local caching has been disabled by the administrator, authentication is not possible.

This authentication process can be modified by the administrator using settings in the DigitalPersona Pro Administrative Templates (see “Configuring Policies and Settings” on page 70).

Terminology

Authentication

User Authentication is the process of verifying a user’s identity by validating one or more credentials provided by the user. Examples of credentials are passwords, smart cards and biometrics.
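The registration and authentication steps above, including the offline fallback described in the note, as an added example that is not code from this guide or from DigitalPersona: a small Python model of a Pro Workstation talking to a Pro Server. The class and method names, the sample scan bytes and the matcher are assumptions for illustration; in particular, the matcher here compares digests of the scan bytes, whereas a real fingerprint matcher scores minutiae and tolerates scan-to-scan variation.

```python
"""Model of the DigitalPersona Pro registration and authentication flow.
Added illustration, not DigitalPersona code. Matching is simulated by
comparing digests of the scan bytes (a real matcher scores minutiae)."""
import hashlib
import hmac
from typing import Dict, Optional


def make_template(scan: bytes) -> bytes:
    """One-way encoding of a scan: the raw scan is discarded, only the template is kept."""
    return hashlib.sha256(scan).digest()


class ProServer:
    """Stand-in for Pro Server and the user records it keeps in Active Directory."""

    def __init__(self) -> None:
        self.online = True
        # user -> {"template": registration template, "secrets": {app: secret}}
        self.records: Dict[str, dict] = {}

    def register(self, user: str, template: bytes) -> None:
        self.records.setdefault(user, {"template": None, "secrets": {}})["template"] = template

    def store_secret(self, user: str, app: str, secret: str) -> None:
        self.records[user]["secrets"][app] = secret

    def authenticate(self, user: str, verification: bytes, app: str) -> Optional[str]:
        """Step 4: match against the registration template in the user record
        and release the requested secret only on a match."""
        if not self.online:
            raise ConnectionError("Pro Server unreachable")
        rec = self.records.get(user)
        if rec is None or rec["template"] is None:
            return None
        if hmac.compare_digest(rec["template"], verification):
            return rec["secrets"].get(app)
        return None


class ProWorkstation:
    """Stand-in for Pro Workstation with its local template and secret caches."""

    def __init__(self, server: ProServer, cache_secrets: bool = True) -> None:
        self.server = server
        self.cache_secrets = cache_secrets   # the template setting that disables local caching
        self.local_templates: Dict[str, bytes] = {}
        self.local_secrets: Dict[str, Dict[str, str]] = {}

    def register(self, user: str, scan: bytes) -> None:
        """Prior step 1: keep the registration template locally and send it to the server."""
        template = make_template(scan)
        self.local_templates[user] = template
        self.server.register(user, template)

    def capture_secret(self, user: str, app: str, secret: str) -> None:
        """Prior step 2: secrets go to the server and, by default, into the local cache."""
        self.server.store_secret(user, app, secret)
        if self.cache_secrets:
            self.local_secrets.setdefault(user, {})[app] = secret

    def authenticate(self, user: str, scan: bytes, app: str) -> Optional[str]:
        """Steps 1-5: returns the secret for `app`, or None if authentication fails."""
        verification = make_template(scan)                  # step 2: verification template
        registered = self.local_templates.get(user)
        if registered is None or not hmac.compare_digest(registered, verification):
            return None                                     # step 3: local comparison failed
        try:
            return self.server.authenticate(user, verification, app)   # steps 4 and 5
        except ConnectionError:
            if not self.cache_secrets:
                return None                                 # server down, caching disabled
            return self.local_secrets.get(user, {}).get(app)
```

The point worth checking in the model is the failure-mode ordering: a non-matching finger is rejected at the workstation before anything reaches the server, the server alone decides whether a secret is released when it is reachable, and the local cache only answers when the server cannot be reached and the administrator has left caching enabled.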
Biometric authentication is the process of comparing a user’s previously created “registration template” with a “verification template” created from a fingerprint scan of the user at the time of authentication. See also: “Fingerprint Registration” and “Verification Template” below, as well as “Pro Biometric Authentication Process” on page 13.

Credentials

Credentials are a set of information used to gain access to your Windows account or to a password protected Web site or program. Windows credentials can include a combination of a user name, password, fingerprint, fingerprint PIN, or smart card. Web site and program credentials usually include a combination of fingerprint and password, but can sometimes require additional information.

Dynamic DNS

Dynamic DNS defines a protocol for dynamically updating a DNS server with new or changed values. DigitalPersona Pro uses Dynamic DNS to update the DNS server with changes made to DigitalPersona Pro policies and settings.

Fingerprints

Fingerprints provided through supported fingerprint readers are transformed into highly compressed and digitally encoded representations of fingerprint features called a fingerprint template. These fingerprint templates are created whenever a user places a finger on the reader (when logging on, for example), and encoded with a one-way algorithm that cannot be reversed to recreate the scan of that fingerprint. The actual fingerprint scans are never stored, but are discarded after the template is created.

Fingerprint Identification

Fingerprint identification is the process of identifying a user out of a set of users by fingerprints. It is performed with only a fingerprint, and not a user name, by matching the verification template to all registration templates in the set of users.
Fingerprint PINs

The administrator may require that users type a short sequence of characters, known as a fingerprint PIN, each time they use a fingerprint to log on, unlock the computer, or change their Windows password. This provides an additional level of security. Logon settings are managed by your administrator.

Fingerprint Registration

Fingerprint registration is the process that begins with a DigitalPersona Pro user providing one or more fingers to be scanned using a supported fingerprint reader. Once the finger is successfully scanned four times, the system then transforms the result into a highly compressed, digitally encoded representation of fingerprint features called a registration template. This registration template is then stored in DigitalPersona Pro Server’s user database for future use during authentication and identification, or on the local workstation if DigitalPersona Pro Server has not been deployed. A fingerprint for which a registration template was created is referred to as a registered fingerprint.

Fingerprint Template

See Fingerprints.

Fingerprint Verification

Fingerprint verification is the process of verifying that the template derived from the fingerprint scan during the authentication process, the verification template, and the original registration template are from the same finger. The verification template is deleted immediately after its use in the matching process.

Fingerprint Verification Lockout

Fingerprint Verification Lockout occurs when a user attempts to identify themselves with their fingerprint and a successful match is not made after a specified number of attempts. The user will be unable to use their fingerprint for identification until the lockout is released.
The number of attempts allowed, the amount of time the user is locked out, and the interval before the lockout is removed are configurable by the administrator. See “Fingerprint Verification Lockout” on page 79 for details. The lockout can also be manually released by an administrator from the DigitalPersona Pro tab of the Properties dialog for the user in the Active Directory Users and Computers console.

Kiosk
A kiosk is an environment that allows eligible users to share a Windows session and programs on the computer while still tracking the individual user’s access for logging purposes. A kiosk consists of a group of computers organized into an Organizational Unit (OU) in Active Directory and an associated kiosk identification list. If computers in the same OU are geographically located in different sites, each OU per site is a kiosk. Pro Kiosk validates users’ identities against the kiosk identification list using their registered fingerprints.

Kiosk Computer
A kiosk computer has DigitalPersona Pro Kiosk installed and is a member of a specific kiosk, designated by the OU to which the computer belongs.

Kiosk Identification List
The identification list is a file with the kiosk OU-based name and predefined location which contains the list of recent users authenticated on the kiosk computers. This file is located on the hard drive of the server and is replicated by file replication services to other domain controllers.

Kiosk User
A user in the Active Directory who is allowed to be in the identification list due to extended rights granted by the administrator. An active kiosk user is a kiosk user who was added to the identification list after successful authentication occurred.
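The Fingerprint Verification Lockout entry above names three tunable values: the number of attempts allowed, how long the user stays locked out, and the interval after which the lockout (here read as the failed-attempt count) is removed. The Python model below is an added illustration, not DigitalPersona's code, showing how those values interact and the cases an operator cares about: a correct fingerprint is still refused while the lockout is in force, failures spread wider than the reset interval never accumulate, and an administrator's manual release clears the state. The policy values, user names and audit event strings are assumptions chosen for the example.

```python
"""Added example (not DigitalPersona's code): a model of fingerprint verification
lockout. Policy values below are assumptions, not product defaults."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LockoutPolicy:
    max_attempts: int = 5        # failed matches tolerated before lockout (assumed)
    lockout_seconds: int = 300   # how long the fingerprint is unusable (assumed)
    reset_seconds: int = 60      # failures older than this no longer count (assumed)


@dataclass
class UserState:
    failures: list = field(default_factory=list)   # timestamps of recent failed matches
    locked_until: Optional[float] = None


class LockoutTracker:
    """Tracks failed fingerprint matches per user and enforces the lockout policy.
    Every decision is appended to an audit list so it can be fed to logging."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.users = {}
        self.audit = []   # (time, user, event)

    def _state(self, user):
        return self.users.setdefault(user, UserState())

    def is_locked(self, user, now):
        st = self._state(user)
        return st.locked_until is not None and now < st.locked_until

    def attempt(self, user, matched, now):
        """Process one verification attempt; True only when the user is authenticated."""
        st = self._state(user)
        if self.is_locked(user, now):
            # Even a correct finger is refused while the lockout is in force
            self.audit.append((now, user, "denied: fingerprint locked out"))
            return False
        if st.locked_until is not None:
            # Lockout period has elapsed: start with a clean slate
            st.locked_until = None
            st.failures.clear()
        if matched:
            st.failures.clear()
            self.audit.append((now, user, "verified"))
            return True
        # Count only failures inside the reset interval, then add this one
        st.failures = [t for t in st.failures if now - t < self.policy.reset_seconds]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_attempts:
            st.locked_until = now + self.policy.lockout_seconds
            self.audit.append((now, user, "locked out"))
        else:
            self.audit.append((now, user, "failed match"))
        return False

    def release(self, user, admin, now):
        """Manual release, as an administrator does from the user's DigitalPersona Pro tab."""
        st = self._state(user)
        st.locked_until = None
        st.failures.clear()
        self.audit.append((now, user, f"lockout released by {admin}"))


def lockout_events(tracker):
    """Rows an operations team would alert on: every lockout and manual release."""
    return [e for e in tracker.audit
            if e[2] == "locked out" or e[2].startswith("lockout released")]


def demo():
    """Constructed scenario: three quick failures lock alice; bob's failures are spread
    wider than the reset interval; carol is released by an administrator."""
    tracker = LockoutTracker(LockoutPolicy(max_attempts=3, lockout_seconds=300, reset_seconds=60))
    for ts in (0, 10, 20):
        tracker.attempt("alice", False, ts)
    tracker.attempt("alice", True, 100)    # still locked: denied
    tracker.attempt("alice", True, 321)    # lockout expired: verified
    for ts in (1000, 1070, 1140):
        tracker.attempt("bob", False, ts)  # never reaches the threshold
    for ts in (2000, 2001, 2002):
        tracker.attempt("carol", False, ts)
    tracker.release("carol", "admin", 2003)
    tracker.attempt("carol", True, 2004)
    return tracker


if __name__ == "__main__":
    for row in demo().audit:
        print(row)
```

The audit list is the part worth keeping in a real deployment: a burst of "locked out" events across many users on one kiosk is a reader or enrollment problem, while repeated lockouts of a single account are what a security team wants to see.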
One Touch Internet
One Touch Internet (OTI) provides the ability for the end user to create Fingerprint Logons that can be used to log on to Web sites by touching a supported fingerprint reader.

One Touch Logon
One Touch Logon provides the ability for you to log on to your Windows account by simply touching a supported fingerprint reader.

One Touch Unlock
One Touch Unlock provides the ability to lock or unlock Windows by touching a supported fingerprint reader.

One Touch SignOn
One Touch SignOn (OTS) provides the ability for you to log on to your Windows account (One Touch Logon), Web sites and password protected programs by simply touching a supported fingerprint reader.

Quick Actions
Quick Actions, which combine the Shift or Control keys with use of the fingerprint to access DigitalPersona Pro features, can be created by end users in the DigitalPersona Workstation Properties dialog.

Secret
A DigitalPersona Pro Secret is application-specific user data that is stored securely in Active Directory by the DigitalPersona Pro Server, or locally by the local authentication server on the workstation. The secret is released to the application upon successful identification of the user, and used to log on to programs and Web sites for which logon templates have been created.

Service Resource Records (SRV RR)
Active Directory servers publish their addresses so that clients can find them knowing only the domain name. Active Directory servers are published via Service Resource Records (SRV RRs) in DNS. The SRV RR is a DNS record used to map the name of a service to the address of a server offering that service.
The name of an SRV RR is in this form:
_<service>._<protocol>.<domain>
Active Directory servers offer the LDAP service over the TCP protocol with published names in the form:
_ldap._tcp.<domain>
For example, the SRV RR for “Microsoft.com” is “_ldap._tcp.microsoft.com”. Additional information in the SRV RR indicates the priority and weight for the server, allowing clients to choose the best server for their needs. When an Active Directory server is installed, it publishes itself via Dynamic DNS. Since TCP/IP addresses are subject to change over time, servers periodically check their registrations to make sure they are correct, updating them if necessary.

Verification Template
A verification template is created from a fingerprint scan whenever a user places their finger on the fingerprint reader. During authentication, this template is matched to available registration templates in order to identify the user. At the end of the authentication process the verification template is erased.

3 Product Overview
This chapter provides an overview of DigitalPersona Pro for Active Directory, a comprehensive biometric authentication software and hardware solution, and describes the several integrated components that can be used to create a deployment that addresses your specific organizational needs. Additionally, you will find system requirements for each of the components, information on product compatibility and a list of related products.

DigitalPersona Pro for Active Directory
DigitalPersona Pro for Active Directory combines the security of biometric authentication with the simplicity and convenience of Single Sign-On (SSO). Pro Workstation users can conveniently log on to Windows computers, Microsoft networks, password-protected programs and Web sites by simply touching the U.are.U® Fingerprint Reader or using one of the many supported third-party readers embedded in today’s popular notebook computers.
Pro Kiosk allows a designated set of Windows users to use their fingerprints to log on to Windows, unlock the computer, and log on to programs.
Pro Server provides central authentication and administration for deployed Workstations and Kiosks, scaling to over one hundred thousand users. Tightly integrated with Windows Active Directory, it can usually be deployed without the need for professional services.

Product Components and Modules
DigitalPersona Pro for Active Directory includes the following components and modules (with the pages where each is described):
DigitalPersona Pro Server: For domain-wide, centralized authentication and administration of DigitalPersona Pro Workstations. Pages 22, 207, 33.
DigitalPersona Pro Workstation: Client software providing single source signon to Windows, Web sites and password protected programs. It can also be used in a standalone installation. Pages 23, 56, 160.
DigitalPersona Pro Kiosk: Client software providing single source signon to Windows and password protected programs for kiosk computers using a single shared account. Pages 24, 66, 192.
Fingerprint Reader: DigitalPersona’s U.are.U optical fingerprint reader. Many other third-party readers are supported. Page 26.
Administration Tools: Various administrative tools that can be deployed for centralized or decentralized administration of Servers and Workstations. Pages 27, 96.
Extended Server Policy Module: An optional module to extend DigitalPersona Pro User Properties, available from your DigitalPersona Account Manager or product Reseller. Pages 28, 90.

DigitalPersona Pro Server
DigitalPersona Pro for Active Directory Server provides scalable domain-wide authentication and administration of networked DigitalPersona Pro Workstations.
Server software features include:
• Full integration with Active Directory Administration. DigitalPersona Pro Server, installed on either a Windows 2000 or 2003 Server domain controller, uses standard Active Directory administration tools for implementing and managing policies and settings which control the behavior of the Workstations and can be used to customize the authentication process. For example, using the Group Policy Editor, you can create a GPO that controls the false accept rate for fingerprint recognition, as well as specifies credential requirements for logon settings and more. When the GPO is applied to a group of Workstations, they require no additional configuration to use the DigitalPersona Pro Server for authentication. DigitalPersona Pro also provides fault tolerance and load balancing through Active Directory’s DNS locator service, automatically and transparently locating all available servers and then selecting one to be used for authentication. For additional information on available policies and settings for DigitalPersona Pro Server, see “Configuring Policies and Settings” on page 70.
• Security architecture. DigitalPersona Pro Server builds on the trust relationship established by Windows 2000/2003 Server to provide a secure infrastructure for server-client communication.
• Centralized credential and application databases. DigitalPersona Pro Server extends the Active Directory schema to enable storing DigitalPersona Pro data and replicating it throughout the network. This allows a known user to use their fingerprint on any DigitalPersona Pro Workstation that is connected to a DigitalPersona Pro Server.
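The Service Resource Records entry in the terminology chapter and the DNS locator paragraph above describe the same mechanism: the _ldap._tcp.<domain> SRV records carry a priority and a weight for each server, and the client picks among the servers they list. The Python below is an added example, not DigitalPersona's or Microsoft's locator code; it implements the RFC 2782 ordering those two fields define over a constructed record set (example.com and the dc* host names are placeholders), so that equal-priority servers share load in proportion to weight and lower-priority servers are tried only when the higher-priority ones are unreachable.

```python
"""Added example (not DigitalPersona's code): RFC 2782 ordering of _ldap._tcp.<domain>
SRV records, as a DNS-locator client would use it for load balancing and fail-over.
All records are constructed; example.com is a placeholder domain."""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is preferred
    weight: int     # relative share among records of the same priority
    port: int
    target: str


# Constructed records for _ldap._tcp.example.com
SAMPLE_RECORDS = [
    SrvRecord(0, 100, 389, "dc1.example.com"),
    SrvRecord(0, 50, 389, "dc2.example.com"),
    SrvRecord(10, 100, 389, "dc-branch.example.com"),   # fallback site
]


def order_srv_records(records, seed=None):
    """Return the records in the order a client should try them (RFC 2782):
    ascending priority, and within one priority a weighted random order."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        # Weight-0 records are moved to the front so they are picked only rarely
        pool.sort(key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def choose_server(records, is_reachable, seed=None):
    """Fault tolerance: the first reachable server in RFC 2782 order, or None."""
    for r in order_srv_records(records, seed):
        if is_reachable(r):
            return r
    return None


def first_choice_counts(records, trials, seed):
    """Load balancing: how often each target is tried first over many lookups."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(trials):
        counts[order_srv_records(records, rng.random())[0].target] += 1
    return counts


if __name__ == "__main__":
    print(order_srv_records(SAMPLE_RECORDS, seed=1))
    print(first_choice_counts(SAMPLE_RECORDS, 1000, seed=7))
```

With the constructed weights, dc1 is tried first roughly twice as often as dc2, and dc-branch is never tried first while a priority-0 server answers; that is the behaviour to expect from any client that honours the records the domain controllers register via Dynamic DNS.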
DigitalPersona Pro Workstation
DigitalPersona Pro for Active Directory Workstation provides fingerprint logon functionality for Windows computers, including the following features:
• One Touch Logon increases both security and convenience by adding biometric authentication to the Windows logon procedure. One Touch Logon replaces the standard Windows logon dialog box, allowing users to log on to Windows with a fingerprint in addition to, or as an alternative to, Windows credentials such as a password or a smart card. One Touch Logon guides users through providing the required credentials to log on to Windows. It also allows users to quickly lock and unlock their computers using the credentials specified by the logon settings.
• One Touch SignOn simplifies and secures access to password-protected software programs and Web sites. Users just touch the reader to automatically and securely provide data for logon fields, such as user name and password, on any Web site or program logon screen. (Requires Internet Explorer 6 or above.) Administrators use the One Touch SignOn Administration Tool to create templates specifying information for the logon screens, and can use application policy settings in the GPO to deploy the One Touch SignOn templates to end users.
• One Touch Internet is an option that can be deployed to provide end users with many of the capabilities of One Touch SignOn for their personal Web accounts through the easy-to-use configuration tool.
• Remote Access - If you enable the feature, Pro Workstation can be accessed remotely through Windows Terminal Services (including Remote Desktop Connection) and through Citrix clients such as the Metaframe Presentation Server Client and the Citrix Java Web based client. Pro Workstation can also be run on Citrix Metaframe Presentation Server.
For the specific versions supported, see the readme.txt file on the product CD. For instructions on enabling or disabling this feature, see “Allow Fingerprint Data Redirection” on page 82. Additional installation steps for use of Pro Kiosk or Pro Workstation with Citrix are located in the chapters (5 and 6) describing installation of the products.

DigitalPersona Pro Kiosk
DigitalPersona Pro Kiosk for Active Directory provides fast, secure and convenient access to shared computer environments, such as healthcare, retail point of sale and manufacturing lines, where multiple users share workstations running mission- and life-critical programs. In environments where many users share the same computer, fast and secure access in quick succession is important. Pro Kiosk does not require Windows log on and off between users.
Pro Kiosk allows a designated set of Windows users to use their fingerprints to log on to Windows, unlock the computer, and log on to programs. Users are uniquely identified by their fingerprints without requiring them to type account information to log on. Although each user provides unique credentials that can be used for logging and auditing purposes, a Shared Account is used to log on to Windows.
• One Touch Logon increases both security and convenience by adding biometric authentication to the Windows logon procedure. One Touch Logon replaces the standard Windows logon dialog box, allowing users to log on to Windows with a fingerprint in addition to, or as an alternative to, Windows credentials such as a password or a smart card. One Touch Logon guides users through providing the required credentials to log on to Windows. It also allows users to quickly lock and unlock their computers using the credentials specified by the logon settings.
• One Touch SignOn simplifies and secures access to password-protected software programs and Web sites. Users just touch the reader to automatically and securely provide data for logon fields, such as user name and password, on any Web site or program logon screen. (Requires Internet Explorer 6 or above.) Administrators use the One Touch SignOn Administration Tool to create templates specifying information for the logon screens, and can use application policy settings in the GPO to deploy the One Touch SignOn templates to end users.
• One Touch Unlock means that any kiosk user can unlock a kiosk computer. For example, a user may log on and lock the kiosk computer. Then, a second user can unlock it without performing log off and log on.
• Remote Access - If you enable the feature, Pro Kiosk can be accessed remotely through Windows Terminal Services (including Remote Desktop Connection) and through Citrix clients such as the Metaframe Presentation Server Client and the Citrix Java Web based client. Pro Kiosk can also be run on Citrix Metaframe Presentation Server. For the specific versions supported, see the readme.txt file on the product CD. For instructions on enabling or disabling this feature, see “Allow Fingerprint Data Redirection” on page 82. Additional installation steps for use of Pro Kiosk or Pro Workstation with Citrix are located in the chapters (5 and 6) describing installation of the products.

Fingerprint Readers

U.are.U Fingerprint Reader
The DigitalPersona U.are.U Fingerprint Reader is a high-quality optical scanner designed especially for reading fingerprints, and is the recommended fingerprint reader for use with DigitalPersona Pro.
DigitalPersona Pro Workstation works with the U.are.U Reader to read the fingerprint scan for authentication purposes. You may have a U.are.U Reader or a keyboard or device with an embedded U.are.U Reader.

Third-Party Swipe Readers
DigitalPersona Pro also supports the use of several third-party “swipe” fingerprint readers embedded in selected models of notebook computers. Note that the DigitalPersona Pro installation does not install any drivers or other software for third-party readers. Install necessary drivers/support files for the reader and verify that it works as expected prior to DigitalPersona Pro installation. Some redistributable packages for third-party fingerprint readers are located on the product CD in the "Redistr\Third party reader support\" folder along with a Readme file which contains additional details. Refer to the DigitalPersona Web site at http://www.digitalpersona.com/products/notebooks.php for the most recent list of supported models.

Administration Tools
DigitalPersona Pro for Active Directory provides several tools for administering various aspects of your implementation as well as expanding the functionality of the product. Some of these tools are installed automatically with the installation of DigitalPersona Pro for Active Directory Server, while others must be selected through the Custom Install option in the Administration Tools Installation wizard or run from the product CD. The following table gives a brief description of each of the tools, and the page where they are described more fully.
License Control Manager: Used to control and manage licenses for users of DigitalPersona Pro Servers, including gathering the information necessary for requesting a license, adding and removing licenses and viewing license and user information. Page 98.
Attended Fingerprint Registration Tool: An optional feature requiring supervision of users when registering their fingerprints. Page 102.
One Touch SignOn: The One Touch SignOn Administration Tool enables administrators to add biometric authentication to Web sites and programs. Page 104.
User Properties Snap-in: An Active Directory Snap-in, automatically installed with Pro Server for administering DigitalPersona Pro users. Can also be installed on Pro Workstation. Page 90.
User Query Tool: Used to query the DigitalPersona Pro for Active Directory user database for information about DigitalPersona Pro users. Page 144.
CleanUp Wizard: Removes user data (such as fingerprint credentials, secure application data and global domain data) from Active Directory. Page 149.

Extended Server Policy Module
Basic Server policies are provided by the User Policies Snap-in, installed as part of DigitalPersona Pro Server, which allow an administrator to configure fingerprint logon settings and restore the use of fingerprints for a user after the account has been locked due to failed fingerprint attempts. The optional Extended Server Policy Module adds the following additional user policy settings:
• User must type a PIN when providing a fingerprint to log on.
• User must provide a fingerprint to log on (in addition to other authentication specified by Windows policy setting).
The Extended Server Policy Module is available from your DigitalPersona Account Manager or product Reseller. For further details, see “Extended User Policies” on page 92.

System Requirements
Minimum requirements for each product/component:
DigitalPersona Pro Server: Pentium processor, 128 MB RAM; Windows 2003 Server/SBS or 2000 (Standard or Enterprise) Server; Active Directory; 10 MB available hard disk space; 5K hard disk space per user.
DigitalPersona Pro Workstation: Pentium 233 MHz processor, 128 MB RAM; Windows 2000, XP Professional or Embedded, Vista (Business, Ultimate or Enterprise) or 2003 Server (XP Home Edition is not supported); 30 MB available hard disk space; CD-ROM drive if installing locally, network connection for silent/network installation; Microsoft Internet Explorer 6 or above (required for One Touch SignOn or One Touch Internet features).
DigitalPersona Pro Kiosk: Pentium 233 MHz processor, 128 MB RAM; Windows 2000, XP Professional, Vista (Business, Ultimate or Enterprise) or 2003 Server (XP Home Edition is not supported); DigitalPersona Pro Server; 30 MB available hard disk space; CD-ROM drive if installing locally, network connection for silent/network installation; Microsoft Internet Explorer 6 or above (required for One Touch SignOn feature).

Product Compatibility
DigitalPersona Pro for Active Directory Server 4.x
• Can coexist with other Pro Servers that are version 3.0 or above.
• Requires that all Pro Workstations authenticating to the Pro Server are version 3.0 or above. However, we recommend that all workstations in the domain are version 4.0 or above.
• Requires that all Pro Kiosk workstations authenticating to the Pro Server are version 1.0 or above.
• Is compatible with DigitalPersona Pro SDK installed on Pro Workstation 3.x.
DigitalPersona Pro Workstation for Active Directory
• Can coexist with other Pro Workstations that are version 3.0 or above. However, especially for those using One Touch SignOn templates, we recommend that all workstations in the domain are version 4.0 or above.
• Is not compatible with DigitalPersona Gold, DigitalPersona Platinum or DigitalPersona Online, or with DigitalPersona Pro SDK when installed on Pro Workstation 4.x.
DigitalPersona Pro for Active Directory Kiosk
• Can coexist with other Pro Kiosks that are version 1.0 or above.
• Is not compatible with DigitalPersona Gold, DigitalPersona Platinum or DigitalPersona Online, or with DigitalPersona Pro SDK when installed on Pro Kiosk 4.x.
Supported Fingerprint Readers are:
• DigitalPersona U.are.U 4000 and 4000B series
• Many third-party swipe readers embedded in current models of notebook computers. For a list of supported swipe readers, visit our Web site at: http://www.digitalpersona.com/products/notebooks.php.

Related Products
The following related products are also available from your DigitalPersona Account Manager or product Reseller:
DigitalPersona Pro for Active Directory SDK - Provides developers with simple, powerful tools to extend DigitalPersona Pro for Active Directory with custom applications. Developers can fingerprint-enable access to their applications by leveraging DigitalPersona Pro security, credential management in Active Directory, user interface and deployment tools. The DigitalPersona Pro SDK is designed to work with the DigitalPersona Pro Server and the DigitalPersona Pro Workstation software. The DigitalPersona Pro SDK only supports the DigitalPersona U.are.U Fingerprint Readers included with Workstation packages.
DigitalPersona Online SDK - DigitalPersona Online consists of server and client software to add fingerprint authentication to virtually any web application. DigitalPersona Online enables businesses to provide heightened security to customers, partners and employees, replacing cumbersome passwords with the convenience of a single touch of a finger.
DigitalPersona Platinum SDK - The DigitalPersona Platinum Software Development Kit (SDK) enables developers to add the power of DigitalPersona fingerprint authentication security to their Windows applications. This toolkit exposes a set of DCOM objects and ActiveX controls which enables developers to access the functionality of the DigitalPersona Identity Engine to execute the core tasks of fingerprint capture, template creation, credential storage and template matching. The toolkit’s Security Layer is completely transparent to the application developer. ActiveX (OCX) support allows programming in other scripting languages. The toolkit includes sample code for Visual C, C++, Visual Basic and .NET. The DigitalPersona Platinum SDK only supports the DigitalPersona U.are.U Fingerprint Readers (sold separately).

Part Two: Deployment & Installation
Part Two of the DigitalPersona Pro for AD Administrator Guide includes the following chapters:
Chapter 4 - Deploying DigitalPersona Pro Server: Describes the procedure for deploying DigitalPersona Pro Server. Page 33.
Chapter 5 - Installing DigitalPersona Pro Workstation: Describes the procedure for installing DigitalPersona Pro Workstation. Page 57.
Chapter 6 - Installing DigitalPersona Pro Kiosk: Describes the procedure for installing DigitalPersona Pro Kiosk. Page 66.
For information on planning and deployment, see “Planning & Deployment” on page 207.

4 Deploying DigitalPersona Pro Server
This chapter provides instructions for the deployment or upgrading of DigitalPersona Pro for Active Directory Server on a domain controller. Instructions for uninstalling DigitalPersona Pro Server are on page 55.

Deployment Overview
Here is a high-level overview of the steps required to deploy DigitalPersona Pro Server for Active Directory on the domain controller for a Windows 2000 or Windows Server 2003 network.
1 Extend the Active Directory schema to include attributes and classes used by DigitalPersona Pro Server.
2 Configure each domain on which DigitalPersona Pro Server will be installed by running the Domain Configuration Wizard.
3 Install the DigitalPersona Pro Server software.
4 Install the Administrative Templates.
Detailed instructions for installation begin on page 36.

Upgrading from Previous Versions
This topic contains information that is specific to upgrading from version 3.x of DigitalPersona Pro for Active Directory to a 4.x version. Upgrading to the current version has been made as straightforward and simple as possible. In most cases, it is simply a matter of removing the old software and installing the new software. However, you should keep the following in mind.
• DigitalPersona Pro for Active Directory 4.0 introduced a new licensing model for Pro Server which is based on requiring User Authentication Licenses for each user who will be registering their fingerprints. You should contact your DigitalPersona Account Manager or product Reseller to obtain the necessary licenses prior to beginning the upgrade process.
• Installation of Pro Server 4.x prior to installing the license will not lock out your current users, but will prevent any new users from registering their fingerprints on a version 4.x Workstation or Kiosk.
To upgrade from a previous version
The recommended sequence of events for upgrading from a previous version to the current version is:
1 Determine the number of User Authentication Licenses required and generate a license request file for each domain using the License Control Manager application included on the Administration Tools CD. Follow instructions in the topic “Getting License Information” on page 99 for requesting and installing license files.
2 Remove existing 3.x Pro Servers and install all 4.x Pro Servers according to the instructions in “Deploying DigitalPersona Pro Server” on page 33. It is important to complete the upgrade of ALL Pro Servers before upgrading any Pro Workstations.
Warning: DO NOT run the Schema Extension Wizard as part of the upgrade process. This is step 1 in the installation process for new installations, but should not be followed for upgrading your Pro Server.
3 Enter User Authentication Licenses for each domain where Pro Servers are installed.
4 Begin installation of Pro Workstation or Kiosk 4.x according to the instructions in “Installing DigitalPersona Pro Workstation” on page 56, or “Installing Pro Kiosk” on page 65.
The table on the following page will assist you in determining your upgrade path according to your specific needs.

Table 4-1. Feature Comparison
[Matrix of deployment scenarios against DigitalPersona Pro features; the check marks of the table are not reproduced here. Deployment scenarios: Have Pro 3.x Workstations and want to upgrade to Pro 4.x Workstations; Have Pro 3.x Server(s) and want to upgrade to Pro 4.x Server(s) (follow upgrade instructions on page 34); Have Pro 4.x Server and Pro 4.x Workstations and want to add more Pro 4.x Workstations; Purchase Pro 4.x Server. Features compared: Secure Server Authentication; Secure Windows Logon; One Touch Logon & One Touch UnLock; One Touch SignOn and One Touch Internet; Workstation Administration.]

Extend the Active Directory Schema
Prior to installing DigitalPersona Pro Server, the Active Directory schema must be extended to create new attributes for the user object and new classes, as well as to make modifications to existing classes. The Active Directory Schema Extension Wizard automatically handles all of the necessary changes to the schema. This schema extension is global to the Active Directory forest.
If you want to view the script that is used to extend the schema (dp-schema.ldif), it is available on the product CD at the following location:
[cd drive]\AD Schema Extension\dp-schema.ldif
Warning: The Active Directory Schema Extension Wizard must be run from the schema master domain controller, or the data may not replicate fast enough to allow the wizard to continue. If the data is not replicated fast enough, the wizard will terminate, and you should then wait one replication cycle before running the wizard again.
After the schema extension, and again after configuring your domains, you must wait for Active Directory schema replication to be completed. The amount of time this takes will depend on the complexity of your Active Directory structure.
You must have Schema Administrator privileges to run the Schema Extension Wizard.
To run the Active Directory Schema Extension Wizard
1 Double-click DPSchemaExt.exe, which is located in the AD Schema Extension folder on the Server installation CD, to start the Schema Extension Wizard.
2 Read the terms and conditions on the License Agreement page. If you agree with them, select I accept the license agreement and then click Next.
3 When prompted to proceed with the schema extension, click Yes.
4 Next, specify a location and name for the log file generated by the Schema Extension Wizard in the Save Log File As dialog box. Then, click Save.
5 If the schema is not writable, the wizard will inform you of the fact and will allow you to make it writable. If this dialog box displays, click Yes to make the schema writable and perform the schema extension.
6 The wizard will extend the schema and provide information such as the class and attribute names. To close the wizard, click Finish.
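Because the schema extension is global to the Active Directory forest, an administrator will usually want to review dp-schema.ldif from the CD path above before running the wizard. The Python below is an added example, not DigitalPersona's tooling: it parses a schema-extension LDIF (folded lines, comments, base64 values and changetype: modify records) and reports each attribute or class the file adds, flagging any whose lDAPDisplayName lacks the "dp" prefix or whose OID falls outside the base 1.2.840.113556.1.8000.651 that this guide gives for DigitalPersona's schema objects. The embedded LDIF is a constructed sample with placeholder names, not the contents of dp-schema.ldif; the DC=X placeholder is the usual convention for the forest root in schema LDIF files.

```python
"""Added example (not DigitalPersona's tooling): audit a schema-extension LDIF in the
format of dp-schema.ldif before it is applied to the forest. The sample LDIF below is
constructed; its attribute and class names are placeholders, not the real ones."""
import base64

OID_BASE = "1.2.840.113556.1.8000.651"   # OID base the guide gives for the dp objects
NAME_PREFIX = "dp"                        # prefix the guide says is registered with Microsoft

SAMPLE_LDIF = """\
# constructed sample in the style of an AD schema-extension LDIF
dn: CN=dp-Example-Attr,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: dpExampleAttr
attributeID: 1.2.840.113556.1.8000.651.1.1
attributeSyntax: 2.5.5.10
isSingleValued: TRUE

dn: CN=dp-Example-Class,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
lDAPDisplayName: dpExampleClass
governsID: 1.2.840.113556.1.8000.651.2.1
mayContain: dpExampleAttr

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: dpExampleAttr
-

dn: CN=Foreign-Attr,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: foreignAttr
attributeID: 1.2.840.113556.1.8000.999.1
"""


def parse_ldif(text):
    """LDIF -> list of records (dict: lower-cased attribute -> list of values).
    Handles folded lines (continuation starts with one space), '#' comments,
    base64 values ('attr:: ...') and the '-' separator inside modify records."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    records, current = [], {}
    for line in logical:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or line == "-":
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        records.append(current)
    return records


def audit_ldif(text, oid_base=OID_BASE, prefix=NAME_PREFIX):
    """One finding per record: kind (attribute/class/modify/other), name, OID, issues."""
    findings = []
    for rec in parse_ldif(text):
        dn = rec.get("dn", ["?"])[0]
        changetype = rec.get("changetype", ["add"])[0].lower()
        if changetype != "add":
            # Modification of an existing class, e.g. adding mayContain to User
            findings.append({"dn": dn, "kind": changetype, "name": None, "oid": None, "issues": []})
            continue
        classes = {c.lower() for c in rec.get("objectclass", [])}
        if "attributeschema" in classes:
            kind, oid = "attribute", rec.get("attributeid", [None])[0]
        elif "classschema" in classes:
            kind, oid = "class", rec.get("governsid", [None])[0]
        else:
            kind, oid = "other", None
        name = rec.get("ldapdisplayname", [None])[0]
        issues = []
        if kind in ("attribute", "class"):
            if not name or not name.startswith(prefix):
                issues.append(f"lDAPDisplayName {name!r} lacks the {prefix!r} prefix")
            if not oid or not oid.startswith(oid_base + "."):
                issues.append(f"OID {oid!r} is outside {oid_base}")
        findings.append({"dn": dn, "kind": kind, "name": name, "oid": oid, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_ldif(SAMPLE_LDIF):
        print(f["kind"], f["name"] or f["dn"], f["oid"] or "", "; ".join(f["issues"]))
```

To inspect the real file, pass the contents of dp-schema.ldif to audit_ldif instead of SAMPLE_LDIF. Modify records are listed as well, so the changes to existing classes that the guide mentions are visible alongside the new attributes and classes; anything flagged outside the dp prefix or OID base deserves a question to the vendor before the forest-wide change is committed.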
The name of each new attribute and class added to the Active Directory schema follows Microsoft naming conventions. The names are assigned a “dp” prefix, which is registered with Microsoft. The OID base, generated by Microsoft, is 1.2.840.113556.1.8000.651. DigitalPersona Pro for Active Directory Administrator Guide 37 Chapter 4 - Deploying DigitalPersona Pro Server Upgrading from Previous Versions Configure each domain For each domain on which you plan to install DigitalPersona Pro Server, you need to run the DigitalPersona Pro Active Directory Domain Configuration Wizard, which configures the required domain-specific data including the necessary cryptographic keys. Running the wizard requires administrator privileges on the domain controller. Warning You should run this wizard only once on each domain where Pro Server will be installed. When installing multiple Pro Servers, it is critical that you run the wizard only once during any replication period, allowing full replication to be completed before going on to run the wizard on the next domain. Running the wizard a second time during a single replication period, will result in corrupted Server data, and any DigitalPersona Pro Servers in the domain will be unusable. After running the Domain Configuration wizard, permissions to register/delete fingerprints are reset to the default, i.e. Allow. To run the DigitalPersona Pro Active Directory Domain Configuration Wizard 1 Double-click DPDomainConfig.exe, which is located in the AD Domain Configuration folder on the Server installation CD. 2 Read the license agreement that displays and, if you agree to the terms and conditions, select I accept the license agreement and then click Next. 3 A warning reminds you not to run this wizard if you have an existing DigitalPersona Pro Server installation on this domain. 
If you are sure there are no other DigitalPersona Pro Server installations on the domain you are configuring, check the I accept that the domain will be configured box and click Next.
4 In the Save Log File As dialog box, specify a file name and folder path for the log file generated by the wizard and click Save.
5 When you click Save, the wizard performs the necessary changes on the domain.
6 To close the wizard, click Finish.

Install DigitalPersona Pro Server
After extending the Active Directory schema and configuring the domain where you plan to install DigitalPersona Pro Server, you are ready to install the DigitalPersona Pro Server software.

In addition to the minimum hardware and software requirements specified by Microsoft for a domain controller, DigitalPersona Pro Server has the following requirements:
• Operating System: Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, or Windows 2003 Server/SBS
• Active Directory installed and configured
• High-encryption (128-bit) capability. This is built into Windows 2003 Server and the latest service packs for Windows 2000 Servers. If you need to install high encryption capability for an earlier Windows 2000 OS, see “Installing High Encryption” on page 236.
• 10 MB of free hard disk space
• Administrator privileges on the domain controller
• No other DigitalPersona products are installed

To install DigitalPersona Pro Server
1 Double-click Setup.exe, which is located in the Install folder on the Server installation CD, to run the DigitalPersona Pro Server Installation Wizard.
2 When the wizard opens, click Next.
3 Read the terms and conditions on the License Agreement page. If you agree with them, select the I accept the license agreement button and then click Next.
4 On the next page, you can specify the folder in which DigitalPersona Pro Server will be installed. If you want to install DigitalPersona Pro in the default location, C:\Program Files\DigitalPersona\, click Next; otherwise, click Browse to specify a new location and then click Next to continue.
5 The wizard will install the Server software. To close the wizard, click Finish.

Install the Administrative Templates
DigitalPersona Pro Server and Workstation use Active Directory Administrative Templates to provide access to various policies and settings used in configuring the DigitalPersona Pro environment. These policies and settings are described in the chapter “Configuring Policies and Settings” on page 70.

During installation of DigitalPersona Pro Server, the Administrative Templates for Pro Server, Workstation and Kiosk are copied to the %system root%\inf\ folder, i.e. in most cases, C:\Windows\inf. The Workstation Administrative Template is also copied to the same folder during installation of the Workstation software. Adding the Administrative Template to a GPO makes the DigitalPersona Pro policies and settings available.

There are three Administrative Templates used to configure DigitalPersona Pro policies and settings:
• DigitalPersonaProSvr.adm - Designed for DigitalPersona Pro Servers, this template should be applied to Active Directory GPOs where it can be distributed to Domain Controllers running DigitalPersona Pro Server.
• DigitalPersonaProWksta.adm - Designed for DigitalPersona Pro Workstations, this template should be applied to Active Directory GPOs where it can be distributed to computers running DigitalPersona Pro Workstation. It can also be applied to a local policy object for a standalone installation of DigitalPersona Pro Workstation.
• DigitalPersonaProKioskWks.adm - Designed for DigitalPersona Pro Kiosk. It should be applied to Active Directory GPOs where it can be distributed to computers running DigitalPersona Pro Kiosk. Settings provided include: Fingerprint Verification Accuracy, Number of Fingerprints, Lockout Policy, Multi-credential Logon, Local Caching, One Touch Logon and One Touch SignOn settings and more.

Implementation Guidelines
Before you add the Administrative Templates to your GPOs, give some thought to your Active Directory structure, where GPOs are placed, and which GPOs the Administrative Templates should be added to. Policy configuration needs will vary from network to network, and specific policy recommendations are beyond the scope of this guide. You may want to refer to Microsoft’s documentation on Group Policy Object configuration for more information.

Organizational Units and GPOs
Although the use and configuration of organizational units and GPOs varies widely among corporations, we have provided some general guidelines for structuring Active Directory organizational units.
• There are two key factors in deciding how to structure your network:
  • How you group your users and computers, and
  • Where the DigitalPersona Pro GPOs are set.
  For example, if users and computers can be grouped according to authentication policies, you might group them into separate organizational units and then set specific GPOs for each unit.
• However, when authentication policies within organizational units vary, as they often do among department heads and subordinates, then you may want to group those users and computers into a child organizational unit.
Structuring your organizational units based on authentication policies is the easiest way to administer DigitalPersona Pro.
1 Plan your network structure by identifying the settings you intend to configure.
2 Determine whether to apply the settings to users and computers in a site or domain, or just to users and computers in an organizational unit.
3 Create the organizational units required to implement your design.
4 Add the respective users and computers to the organizational units.

GPO behavior
Here are a few guidelines to keep in mind when configuring DigitalPersona Pro GPOs.
• If a GPO setting is not configured, the default value set in the software is used.
• If a superior (higher-level) GPO has a value for a setting and a subordinate GPO has a conflicting value for that setting, the setting in the subordinate is used.
• If a GPO has a value for a setting and a subordinate (lower-level) container has the GPO setting with no value, the setting in the superior (higher-level) GPO is used.
• GPOs can only be applied to the three Active Directory containers: sites, domains and organizational units; not to users or computers.
• A single GPO can be applied to one or more containers.
• A GPO affects all users and computers in the container, and subcontainers, it is applied to.

Install Templates to Active Directory
• For centralized administration of DigitalPersona Pro Workstations, both Server and Workstation Administrative Templates need to be added to GPO(s) on the appropriate node(s) by the domain administrator.
• For local administration of a DigitalPersona Pro Workstation, see “Install Workstation Template Locally” on page 45.
• For Kiosk installations, the Kiosk Administrative Template needs to be added to the GPO for the Kiosk OU.
See page 46 for additional instructions on setting up Pro Server for a Kiosk environment.
• For mixed (Workstation and Kiosk) installations, the appropriate Administrative Template needs to be added to the GPO(s) for the Server, Workstations and Kiosks.

In order to install the DigitalPersona Pro Administrative Templates and access their settings, you need to have domain administrator rights.

Server Template
1 In the Active Directory Users and Computers tool, right-click on a node whose GPO can be distributed to Domain Controllers running DigitalPersona Pro Server and select Properties.
2 In the Properties dialog, click Edit to display the Group Policy Editor.
3 In the Group Policy Editor, right-click on the Computer Configuration/Administrative Templates folder and select Add/Remove Templates.
4 In the Add/Remove Templates dialog, select DigitalPersonaProSvr and click Add.

Workstation and Kiosk Templates
5 Add the Administrative Templates for your intended environment.
• If Pro Workstations are part of your environment, select DigitalPersonaProWksta and click Add.
• If Pro Kiosks are part of your environment, select DigitalPersonaProKioskWks.adm and click Add.
6 Click Close to exit the dialog.
7 A DigitalPersona Pro folder will then be listed under Computer Configuration/Administrative Templates.

DigitalPersonaProWksta and/or DigitalPersonaProKioskWks.adm should also be added to the Active Directory GPOs where they can be distributed to computers running DigitalPersona Pro Workstation or Kiosk.
1 In the Active Directory Users and Computers tool, right-click on a node whose GPO can be distributed to computers running DigitalPersona Pro Workstation or Kiosk and select Properties.
2 In the Properties dialog, click Edit to display the Group Policy Editor.
3 In the Group Policy Editor, right-click on the Computer Configuration/Administrative Templates folder and select Add/Remove Templates.
4 Select DigitalPersonaProWksta or DigitalPersonaProKioskWks.adm and click Add.
5 Click Close to exit the dialog.

Use the Group Policy Editor to modify DigitalPersona Pro settings by clicking Properties on the shortcut menu of each setting and then clicking the Policy tab on the Properties dialog box. For a complete list of DigitalPersona Pro settings, see “DigitalPersona Pro Policies and Settings” on page 72.

Install Workstation Template Locally
For local administration of a DigitalPersona Pro Workstation, the Workstation Administrative Template (DigitalPersonaProWksta) can be added to the local policy object of any workstation running DigitalPersona Pro Workstation by using the Microsoft Management Console (MMC) Group Policy Editor.

To add the Workstation Administrative Template
1 On the Start menu, click Run. Type gpedit.msc and press Enter to launch the Group Policy Editor.
2 Right-click the Administrative Templates folder and select Add/Remove Templates on the Administrative Templates folder shortcut menu.
3 Click the Add button on the Add/Remove Templates dialog box and then locate and select the DigitalPersonaProWksta file located in the following path: %system root%\inf (for example, C:\Windows\inf).
4 Click Close.

Configuring DigitalPersona Pro Server for Pro Kiosk
Configuration Steps
Complete the following Pro Server and Kiosk installation and configuration steps in the order shown below. Specific instructions for configuration are described in the following sections or referred to in the previous pages.
Complete the following
1 Install DigitalPersona Pro Server, 4.x or higher version. This includes performing Schema Extension, Domain Configuration and the Server installation as specified on pages 36 and following. If previous versions of DigitalPersona Pro Server were installed in the domain, you should run the Domain Configuration Wizard, but you do not need to run the Schema Extension Wizard again in this case.
2 Add and configure settings for DigitalPersona Pro Server administrative templates for GPO in Active Directory. See “Install the Administrative Templates” on page 40. For DigitalPersona Pro Server GPO settings that are specific to Pro Kiosk, see “Configuring DigitalPersona Pro Server GPO Settings” on page 47.
3 Create an OU for each kiosk and assign computers to the kiosk OU. See “Creating the OU for the Kiosk” on page 47. By default, the entire domain is considered as one kiosk. You may want to set up multiple, separate kiosks.
4 Assign kiosk permissions. To change permissions for specific groups or users, see “Assigning Kiosk Permissions” on page 48.
5 Create a Shared Account in Active Directory and specify the account information either by GPO or on individual kiosk computers. See “Specifying a Shared Account for the Kiosk” on page 48, “Adding Shared Account Settings Using GPO” on page 49 and “Adding Shared Account Settings into the Registry” on page 50.
6 Install DigitalPersona Pro Kiosk on kiosk computers. See “Installing DigitalPersona Pro Kiosk” on page 66 for instructions.
7 Register user fingerprints. You can choose whether you want to supervise the fingerprint registration process, or allow users to register fingerprints by themselves when they first log on to or unlock a kiosk computer. For more information, refer to the topic “Attended Fingerprint Registration” on page 102.
Configuring DigitalPersona Pro Server GPO Settings
Size of the Identification List for Kiosks
This setting specifies the maximum number of user accounts that the identification list can contain. The identification list is shared among all kiosk computers in each kiosk. The default setting for the list size is 50 users. You can specify any number between 1 and 50 users.

Log Kiosk Events
The Log Events setting allows you to specify whether Pro Kiosk events are logged. In the Log Events setting, you can enable kiosk event logging and enable Log Success Audit events and Log Failure Audit events. For more information on kiosk event IDs, see “DigitalPersona Pro Events” on page 151.

OTS Template Settings
The One Touch SignOn templates must be accessible by the Shared Accounts that are used to access the kiosks. Make sure that the OTS templates are available through GPO settings to the kiosk Shared Account rather than kiosk user accounts. The OTS functionality is the same as in Pro Workstation. For more information on the OTS GPO settings, refer to “GPO Settings” on page 139.

Kiosk Shared Account Settings
At the kiosk level, whether it is the domain or an OU, you must specify the kiosk Shared Account information. For more information, see “Adding Shared Account Settings Using GPO” on page 49.

Creating the OU for the Kiosk
When you install DigitalPersona Pro and Pro Kiosk, the entire domain is considered as one kiosk unless you complete further configuration. To create several kiosks in the domain or to limit the usage of the kiosk to specific computers only, it is recommended to create an organizational unit (OU) for each kiosk and then assign computers to the OU.
You might create several kiosks where each kiosk is associated with its own OU. If computers in the same OU are geographically located in different sites, each OU per site is a kiosk.

Assigning Kiosk Permissions
For further security, you may assign permissions to allow or deny specific groups or users from using each kiosk. Without further configuration, every domain user is allowed to use all the kiosks created in this domain.

To configure kiosk membership for a group or user
1 Locate the kiosk object in the Active Directory (OU or domain).
2 At the object level, open Properties > Security > Advanced.
3 The Access Control Properties dialog box for the selected kiosk displays.
4 To add a permission entry, click Add, and then select the group or user.
5 The Permission Entry dialog box for the selected kiosk displays.
6 In the Apply Onto drop-down list, select This object and all child objects.
7 In the list of permissions, locate the permission Kiosk Membership (Digital Persona) and then select either Allow or Deny.

Note
Deny has precedence over Allow for the specific group or user.

By default, the group “Everyone” is configured as Allowed. Depending on your security requirements, you may apply Allow permissions to specific groups only. Then you may delete the Allow permission for Everyone from kiosk membership. To delete a permission entry from the Access Control Properties dialog box, select the required permission and then click Remove. It is recommended to manage permissions on the group level rather than the user level.

Specifying a Shared Account for the Kiosk
In order to work, Pro Kiosk requires an account, known as the Shared Account, that is specified on every kiosk computer. The account information includes the user name, the domain name and the password for an Active Directory account.
It is recommended to have only one Shared Account per kiosk and to select the Password never expires setting for the Shared Account.

You can configure the kiosk Shared Account either by applying kiosk Shared Account settings through GPO settings for the entire kiosk or by applying the settings manually in the Registry on individual Pro Kiosk computers. If the kiosk Shared Account information is distributed through Group Policy settings, all computers that belong to the selected object level in Active Directory, such as OU, Domain, or Site, receive the kiosk Shared Account settings.

Pro Kiosk automatically assigns the “Impersonate a client after authentication” user right to the kiosk Shared Account. This right allows programs that run on behalf of that user to impersonate a client, which lets Pro Kiosk authenticate multiple users while using only one logon session for the Shared Account.

Adding Shared Account Settings Using GPO
To specify the Shared Account setting using GPO, you must add the administrative template named DigitalPersonaProKioskWks.adm to the Computer Configuration folder, located in the Administrative Templates folder in the Group Policy Editor tree. You can use the Group Policy Editor to modify DigitalPersona settings.

For the Kiosk Shared Account Settings, at the OU level for the kiosk, open Computer Configuration/Administrative Templates/DigitalPersona/Kiosk Settings in the Group Policy Editor. Double-click Kiosk Workstation Shared Account Settings and specify the following values:
• Kiosk Shared Account user name
• Kiosk Shared Account domain name
• Kiosk Shared Account password
The Shared Account information will be enabled for all computers in the OU. The password information is in clear text.
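Because the Shared Account password is held in clear text whether it is delivered by GPO or written to the registry, an administrator will want to know which exported files carry it. The following added audit script (not part of this guide or of the DigitalPersona software) parses the text of a .reg export of the kiosk logon key described in the next section, HKLM\Software\DigitalPersona\Kiosk\Logon, and reports which of the three Shared Account values it contains; the sample export and its domain, account name and password are constructed.

```python
"""Audit a .reg export of the kiosk Shared Account key for clear-text credentials.

Added example, not part of the DigitalPersona guide. The export text, domain,
account name and password below are constructed placeholders.
"""
import re

KIOSK_LOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\DigitalPersona\Kiosk\Logon"
SHARED_ACCOUNT_VALUES = ("DefaultDomain", "DefaultUsername", "DefaultPassword")

# Constructed sample of what a .reg export of the kiosk logon key looks like.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\DigitalPersona\Kiosk\Logon]
"DefaultDomain"="CORP"
"DefaultUsername"="kiosk-shared"
"DefaultPassword"="Sample-Password-1"
"""

_SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# REG_SZ lines: "name"="value", where \\ and \" are the only escapes used.
_STRING_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')


def _unescape(text: str) -> str:
    """Undo the two escapes .reg string values use: \\ and \"."""
    return re.sub(r'\\(["\\])', r"\1", text)


def parse_reg_export(text: str) -> dict:
    """Return {key path: {value name: string}} for the REG_SZ values in a .reg export.

    Non-string values (dword:, hex:) and the default value (@=) are skipped;
    the three Shared Account values the guide documents are all strings.
    """
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        section = _SECTION_RE.match(line)
        if section:
            current = section["key"]
            keys.setdefault(current, {})
            continue
        value = _STRING_VALUE_RE.match(line)
        if value and current is not None:
            keys[current][_unescape(value["name"])] = _unescape(value["value"])
    return keys


def audit_shared_account(text: str) -> dict:
    """Report which kiosk Shared Account values an export contains."""
    keys = parse_reg_export(text)
    # Accept both the long and the abbreviated hive name used in the guide.
    wanted = {KIOSK_LOGON_KEY.lower(),
              KIOSK_LOGON_KEY.lower().replace("hkey_local_machine", "hklm")}
    values = next((v for k, v in keys.items() if k.lower() in wanted), {})
    present = [n for n in SHARED_ACCOUNT_VALUES if n in values]
    missing = [n for n in SHARED_ACCOUNT_VALUES if n not in values]
    account = None
    if "DefaultDomain" in values and "DefaultUsername" in values:
        account = f"{values['DefaultDomain']}\\{values['DefaultUsername']}"
    return {
        "key_present": bool(values),
        "present": present,
        "missing": missing,
        "account": account,
        # The guide states the password is stored in clear text; flag it so the
        # exported file is handled as a credential rather than as plain configuration.
        "clear_text_password": values.get("DefaultPassword", "") != "",
    }


if __name__ == "__main__":
    result = audit_shared_account(SAMPLE_EXPORT)
    print(f"Shared Account: {result['account']}")
    if result["clear_text_password"]:
        print("DefaultPassword is set: this export contains a clear-text password")
    if result["missing"]:
        print("missing values: " + ", ".join(result["missing"]))
```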
Adding Shared Account Settings into the Registry
You can choose to specify the Shared Account information manually on each kiosk computer. To do so, you must specify the credentials of the Shared Account used for Windows logon by adding the values in the Registry of the kiosk computer. You can use the Registry Editor or a .reg file.

In the Registry key HKLM\Software\DigitalPersona\Kiosk\Logon, specify the following string values:
• DefaultDomain - kiosk shared user account domain
• DefaultUsername - kiosk shared user account name
• DefaultPassword - kiosk shared user account password

Note
In a situation where several kiosks are configured in the domain using several Shared Accounts, it can be useful to work with one group of Shared Accounts rather than with each account individually.

Changes Made During Installation
Running the Schema Extension Wizard adds the following data to Active Directory.

Active Directory Containers
The Schema Extension Wizard installs three subcontainers in the Active Directory System container. They contain information administrators can use to verify and administer the DigitalPersona Pro Server installation. The three containers are the Biometric Authentication Servers container, the Licenses container and the Policies container.

The Biometric Authentication Servers container provides the class name of the Server. The Licenses container holds the license files for DigitalPersona Pro Server. The Policies container—located under [domain name]/System/DigitalPersona/UareUPro/Policies—contains all the Policy Objects created for use with DigitalPersona Pro, as described in “DigitalPersona Pro Policies and Settings” on page 72.
In addition to these containers, the following data is added to the Service container:
• Service Configuration Container Name, set to Biometric Authentication Server.
• Service Version Object Name, set to <current BAS version>.

Published Information
DigitalPersona Pro Server publishes its service using the following properties:
• Service Class Name, set to Biometric Authentication Service.
• Service Class GUID, set to {EFE03FEC-2A6C-4DFB-9B56E3BC77F32D7F}.
• Vendor Name, set to DigitalPersona.
• Product Name, set to UareUPro.
• Product GUID, set to {48F74E29-1CC0-468F-A0A0-8236628A5170}.
• Authentication Server Object Name, the DNS name of the host computer.
• Service Principal Name, a unique name identifying the instance of a service for a client.
• Schema Version Number, the version of the Active Directory schema extension.
• Product Version Number, the version of DigitalPersona Pro Server software.
• Product Version High, set to [current version].
• Product Version Low, set to [current version].
• Keywords for searching the server are Service Class GUID, Vendor Name, Product Name and Product GUID. The keyword values are the same as the property values listed in this section.
The Server publishes its service in compliance with the Active Directory Service Connection Point specifications.

DNS Registration
The use of DNS registration enables DigitalPersona Pro Workstations to locate Pro Servers without needing additional local configuration to do so. If your DNS Server supports dynamic registration, DigitalPersona Pro Server registers itself with the DNS using the service name _uareupro.
The format of the DNS resource records for DigitalPersona Pro Server is:
• _uareupro._tcp.[domain] 600 IN SRV 0 100 0 [server name]
• _uareupro._tcp.[site name]._sites.[domain] 600 IN SRV 0 100 0 [server name]

Pro Server calculates site coverage based on the availability of other Pro Servers on the domain (as well as sites configured for the domain) and then creates Service Resource Records (SRV RRs) for the domain and sites it covers. Settings in the DigitalPersona Pro Administrative Template govern whether or not Pro Server utilizes dynamic registration. For information on this and other DNS related settings, see “BAS Locator DNS Records” on page 75.

Automatic Registration
If automatic registration is not disabled in the governing GPO, DigitalPersona Pro Server registers itself with DNS every time Pro Server starts, refreshes the registration automatically at specified intervals, and unregisters itself every time DigitalPersona Pro Server stops. When DigitalPersona Pro Server unregisters itself, it removes only the records it has created during automatic registration. Records entered by the administrator will be unaffected.

Warning
When DigitalPersona Pro Server refreshes (updates the DNS records), it removes all of its records and registers again according to the current GPO settings. If there is only one Pro Server covering a site for load-balancing, there are a few milliseconds when there are no Pro Server records in the DNS server. If a DigitalPersona Pro Workstation attempts to locate a Pro Server during that period, it will not find the server, and the Workstation will perform the fingerprint registration and authentication locally. The Workstation will attempt to automatically refresh its cached Pro Server information the next time it performs registration or authentication, or every two hours, whichever comes first.
Manual DNS Registration
If your DNS Server does not support dynamic registration, or if dynamic registration is disabled through a DigitalPersona Pro GPO setting, an administrator can manually register the Pro Servers by entering the DNS resource records in the format shown above.

Note
You can view the default values of settings created during Pro Server setup by opening the U.are.UPro.DNS file in Notepad. It is located in the Program Files\DigitalPersona\bin folder.

To manually register a Pro Server
1 Open the DNS console and click on the Forward Lookup Zone.
2 Right-click on [domainname], and select Other New Records in the context menu.
3 In the Resource Record Type dialog box, click on Service Location, and then click the Create Record button.
4 In the New Resource Record dialog, apply the following values:
• Service: _uareupro
• Weight: 100
• Port Number: 0
• Host offering this service: domaincomputername.domainname.com
5 Click OK to save the settings and return to the main DNS console window.
6 Under the same [domainname], click on the _sites key.
7 Right-click on Default-First-Site-Name and select Other New Records from the context menu.
8 Repeat steps 3 through 5 for each Pro server that you want to register.

Warning
If the SRV RRs are not added, either dynamically or manually, the DigitalPersona Pro Workstation will not be able to find the Servers and will perform fingerprint registration and authentication locally.

Improving Performance
The Priority and Weight settings can be modified to achieve better response time and load-balancing on the _uareupro Properties dialog box, which is accessible by double-clicking _uareupro in the DNS Console.
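The following added example (not part of this guide or of the DigitalPersona software) parses SRV records in the format given above for the U.are.UPro.DNS file and shows how the Priority and Weight values distribute lookups among Pro Servers; it applies the general RFC 2782 client rule (lowest Priority first, then a Weight-proportional random choice), which goes beyond what the guide states about the Workstation locator. It also lists sites served by a single Pro Server, the case the refresh warning above describes; the zone lines and their domain, site and host names are constructed.

```python
"""Parse _uareupro SRV records and show how Priority and Weight steer lookups.

Added example, not part of the DigitalPersona guide. Server selection uses the
general RFC 2782 client rule (lowest Priority first, then a Weight-proportional
random choice); the zone lines, domain, site and host names are constructed.
"""
import random
import re
from dataclasses import dataclass

SAMPLE_ZONE = """\
; constructed sample in the format the guide gives for U.are.UPro.DNS
_uareupro._tcp.corp.example 600 IN SRV 0 100 0 dc1.corp.example
_uareupro._tcp.corp.example 600 IN SRV 0 50 0 dc2.corp.example
_uareupro._tcp.corp.example 600 IN SRV 10 100 0 dc3.corp.example
_uareupro._tcp.Default-First-Site-Name._sites.corp.example 600 IN SRV 0 100 0 dc1.corp.example
_uareupro._tcp.Branch._sites.corp.example 600 IN SRV 0 100 0 dc3.corp.example
"""

_SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


@dataclass(frozen=True)
class SrvRecord:
    owner: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_records(text):
    """Parse zone-file style SRV lines; blank lines and ';' comments are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SRV_RE.match(line)
        if m is None:
            raise ValueError(f"not an SRV record: {line!r}")
        records.append(SrvRecord(m["owner"], int(m["ttl"]), int(m["priority"]),
                                 int(m["weight"]), int(m["port"]), m["target"]))
    return records


def locator_name(domain, site=None):
    """Owner name a Workstation would query: the site-specific one when a site is known."""
    return f"_uareupro._tcp.{site}._sites.{domain}" if site else f"_uareupro._tcp.{domain}"


def candidates(records, domain, site=None):
    """Records for the locator name, grouped into tiers by ascending Priority."""
    name = locator_name(domain, site).lower()
    tiers = {}
    for r in records:
        if r.owner.lower() == name:
            tiers.setdefault(r.priority, []).append(r)
    return [tiers[p] for p in sorted(tiers)]


def expected_share(records, domain, site=None):
    """Fraction of lookups each server gets while the lowest-Priority tier is reachable."""
    tiers = candidates(records, domain, site)
    if not tiers:
        return {}
    total = sum(r.weight for r in tiers[0])
    if total == 0:  # all weights 0: RFC 2782 says choose uniformly
        return {r.target: 1 / len(tiers[0]) for r in tiers[0]}
    return {r.target: r.weight / total for r in tiers[0]}


def pick_server(records, domain, site=None, rng=random):
    """One RFC 2782 style selection from the lowest tier that has records."""
    tiers = candidates(records, domain, site)
    if not tiers:
        return None  # no SRV RRs: the Workstation falls back to local authentication
    first = tiers[0]
    total = sum(r.weight for r in first)
    if total == 0:
        return rng.choice(first).target
    point = rng.uniform(0, total)
    running = 0
    for r in first:
        running += r.weight
        if point <= running:
            return r.target
    return first[-1].target


def single_server_sites(records, domain, sites):
    """Sites whose lowest tier holds one server: the refresh gap the guide warns about."""
    exposed = []
    for site in sites:
        tiers = candidates(records, domain, site)
        if tiers and len(tiers[0]) == 1:
            exposed.append(site)
    return exposed
```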
The _uareupro SRV RRs (Service Resource Records) can be found in the following paths in the DNS Console:
• DNS/[DNS server]/Forward Lookup Zones/[domain]/_tcp
• DNS/[DNS server]/Forward Lookup Zones/[domain]/sites/[site name]/_tcp

If your DNS does not support dynamic registration, you will have to add these SRV RRs manually. For your convenience, these entries are stored in a file, UareUPro.DNS, which is located in the folder in which you installed DigitalPersona Pro Server.

Configuring DNS Dynamic Registration
Additional parameters for configuring DNS registration are available in the DigitalPersona Pro Administrative Template when added to the governing GPO. For information on these settings, see “BAS Locator DNS Records” on page 75.

Uninstalling DigitalPersona Pro Server
DigitalPersona Pro Server can be uninstalled from the Add/Remove Programs Control Panel in Windows if you have administrator privileges on the domain on which Pro Server is installed. The software is listed as “DigitalPersona Pro Server for Active Directory version [version number].”

When you uninstall the Server software, the published information (described in “Published Information” on page 52) and the DNS SRV RRs (described in “DNS Registration” on page 53) are removed. Although the Add/Remove Programs Control Panel uninstalls the DigitalPersona Pro Server software, the user data—such as fingerprint credentials and secure application data—and global domain data remain in Active Directory. DigitalPersona provides a DigitalPersona Pro Cleanup Wizard to remove this data. See “Cleanup Wizard” on page 149 for details.

5 Installing DigitalPersona Pro Workstation
This chapter defines hardware and software requirements for DigitalPersona Pro Workstation, and provides instructions on the various installation scenarios.
• Local installation from the product CD
• Remote Installation
• Command Line Installation
• Citrix Installation

If DigitalPersona Pro Servers will be used for authentication, they should be installed and configured before installing DigitalPersona Pro Workstation.

System Requirements
Before installing DigitalPersona Pro Workstation, make sure your system meets the following minimum requirements:
• Windows 2000, Windows XP Professional, Windows Vista (Business, Ultimate and Enterprise) or Windows 2003 Server
• Microsoft Internet Explorer 6 or above (required for One Touch SignOn or One Touch Internet features)
• 30 MB of free hard disk space
• High-encryption (128-bit) capability. This is built in to Windows beginning with Windows 2000 SP2. If you need to install high encryption capability for an earlier Windows 2000 OS, see the instructions on page 236.
• U.are.U 4000 and 4000B Fingerprint Reader or other supported third-party swipe reader embedded in selected models of notebooks. Note that the DigitalPersona Pro installation does not install any drivers or other software for third-party readers. Install the necessary drivers/support files for the reader and verify that it works as expected prior to DigitalPersona Pro installation. Some redistributable packages for third-party fingerprint readers are located on the product CD in the "Redistr\Third party reader support\" folder along with a Readme file which contains additional details. Refer to the DigitalPersona Web site at http://www.digitalpersona.com/products/notebooks.php for the most recent list of supported models.

Note
Either the embedded reader or a DigitalPersona U.are.U reader may be used for fingerprint registration and authentication, i.e. a user can register with the embedded reader and authenticate using the DigitalPersona U.are.U reader, and vice versa.
Local installation from the product CD
To install DigitalPersona Pro Workstation for Active Directory
1 Insert the DigitalPersona Pro Workstation for Active Directory CD in your CD-ROM drive. If the installation wizard does not start automatically, locate and double-click the Setup.exe file on the product CD.
2 When the Welcome page displays, click Next to proceed with the installation.
3 Read the License Agreement page. If you agree, select the I accept the terms in the license agreement button and click Next.
4 On the next page, you can specify the folder that DigitalPersona Pro will be installed in. If you want to install DigitalPersona Pro to the default location, C:\Program Files\DigitalPersona\, click Next; otherwise, click Browse to specify a new location and then click Next to continue.
5 Choose one of the following options to indicate the type of installation you want to perform:
• Complete. Click Next for the Complete installation, which installs the One Touch Applications. Then, click Next.
• Custom. Click Custom and then click Next to specify the options to install. Select an installation option on the drop-down menu if you do not want to install it. You can also check how much disk space a particular installation will require by clicking Disk Cost. To return the installation option settings to the default settings, click Reset. When you are finished, click Next to proceed.
6 When you click Next, the installer begins installing DigitalPersona Pro on your computer.
7 If prompted to do so, plug the USB cable from the fingerprint reader into your computer’s USB port.
8 When installation is finished, click Finish to close the installer.
Click Yes when prompted to restart the computer.

After the computer restarts, and at every subsequent restart, the Workstation software automatically uses the default DNS server to locate all DigitalPersona Pro Servers for the domain and its site. If more than one Pro Server is found, the Workstation chooses the Pro Server that offers the most efficient connectivity for authentication. If no Pro Servers are found, DigitalPersona Pro Workstation performs authentication locally. For instructions on using DigitalPersona Pro Workstation, see page 160.

Remote Installation

The installer for DigitalPersona Pro Workstation uses Microsoft Windows Installer (MSI) technology, which allows administrators to remotely install or uninstall the software using Active Directory administration tools or other software deployment tools.

To install Pro Workstation remotely through Active Directory
1 Launch the Active Directory Users and Computers administration tool.
2 On the context menu of a site, domain or Organizational Unit, click Properties and then click the Group Policy tab.
3 Create a new Group Policy Object, or select an existing one, and click Edit to launch the Group Policy Editor.
4 In the tree, select one of the following folders:
• For a computer-based policy, select Computer Configuration/Software Settings/Software Installation.
• For a user-based policy, select User Configuration/Software Settings/Software Installation.
5 Click Properties on the context menu of the Software Installation folder to open the Software Installation Properties dialog box.
6 On the General tab, specify the default software distribution location in the Default package location text box.
This must be a network location that is accessible from the domain controller and from the computers on which you want to install the DigitalPersona Pro Workstation software (the path is stored in the GPO, so use a UNC path rather than a mapped drive letter). Also specify the settings for the other options, such as the new package and installation user interface options. Click OK.
7 Right-click the right pane of the Group Policy Editor, point to New and then click Package.
8 In the Deploy Software dialog box, select the appropriate deployment option and click OK.
9 After setup is complete, assign the appropriate computers and users to the Active Directory containers that the installation GPO is linked to.

Command Line Installation

DigitalPersona Pro Workstation software can also be installed and uninstalled with MSI from the command prompt. The format of the msiexec command is shown below, followed by a description of the command line options, parameters and values it uses:

    msiexec /i setup.msi INSTALLDIR=[directory] ADDLOCAL=[software] REMOVE=[software] /qn

Command Line Options

There is one required and one optional command line option:
• /i indicates that MSI will be used to install DigitalPersona Pro software. It must be immediately followed by the folder path and name of the .msi file (setup.msi for both DigitalPersona Pro Workstation and Server) that contains the software to install.
• /qn hides the user interface while the software is installed, allowing a "silent install." If used, it is placed at the end of the command line. This option is not required, but DigitalPersona recommends it for deploying software in the enterprise.
Parameters

Three parameters indicate where the software should be installed on the computer and which components should be included or removed:
• INSTALLDIR is an optional parameter that indicates where the DigitalPersona Pro software components are installed on the target computer. If no folder is specified, it defaults to C:\Program Files\DigitalPersona.
• ADDLOCAL and REMOVE indicate which DigitalPersona Pro software components to install or uninstall. They can be used together or separately; at least one is required. Each is followed by one or more of the values listed in the next section.

ADDLOCAL and REMOVE Parameter Values

The table below lists the ADDLOCAL and REMOVE parameter values and describes each:

Value   Description
All     Installs all DigitalPersona Pro software components, or removes all of the components that are currently installed.
Logon   Installs or removes the One Touch Logon application.
OTI     Installs or removes the One Touch Internet application.

Rules for using these parameters and their values:
• Individual software components cannot be installed unless the All value was used with the ADDLOCAL parameter first.
• To install DigitalPersona Pro Workstation software for the first time while omitting one or more components, use ADDLOCAL=ALL followed by the REMOVE parameter listing each component you do not want, separated by commas. For example, ADDLOCAL=ALL REMOVE=OTI installs everything except One Touch Internet.

Installation on Citrix Presentation Server

Citrix Presentation Server is a remote access and application publishing product that allows users to connect remotely to applications hosted on central servers. DigitalPersona Pro clients (Workstation and Kiosk) support fingerprint authentication through the Citrix communication channel.
The following types of Citrix clients are supported:
• Program Neighborhood
• Program Neighborhood Agent
• Web Client

To configure DigitalPersona Pro Workstation for Citrix support:
1 Install the DigitalPersona Pro client on the Citrix Presentation Server computer that your Citrix client connects to, and on the client computer.
2 In Active Directory, apply the DigitalPersona Pro Administrative Template (DigitalPersonaProWksta.adm) to a GPO governing the client computer (or apply it to a local policy object on the client computer).
3 In the GPO, enable the "Allow Fingerprint Data Redirection" setting.
4 Deploy the DigitalPersona library for Citrix support into the Citrix client folder on the client computer:
• Locate the DPICACnt.dll file on the product CD in the "Misc\Citrix Support" folder and copy it to the folder on the client computer where the Citrix client components are located (for the Program Neighborhood client this is typically the "Program Files\Citrix\ICA Client" folder).
• Register the DPICACnt.dll library with the regsvr32.exe program.
• If several Citrix clients are installed on the computer, deploy DPICACnt.dll to the Citrix client folder of each client that will be used with DigitalPersona Pro software.
5 For Citrix published applications:
• To use One Touch SignOn with a logon dialog displayed by a Citrix published application, the DPAgent process must be started in the same session as the published application and be running before the dialog appears on the screen. The easiest way to do this is to run a script on the Citrix Presentation Server at the same time the published application launches.
• On the Citrix Presentation Server, make sure that UsrLogon.cmd is specified in the Registry in the following value: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup.
• Locate the UsrLogon.cmd file on the hard drive. By default it is in the %systemroot%\system32 folder.
• At the beginning of UsrLogon.cmd, insert a command that launches the DPAgent process, followed by a delay that lets the process start before the published application's dialog appears. Five seconds should be adequate even for a slower computer. For example:

    start /D"C:\Program Files\DigitalPersona\Bin" DpAgent.exe
    "C:\WINDOWS\SYSTEM32\CHOICE.EXE" /C:AB /T:A,5 > NUL

The /D switch of start sets the working directory before DpAgent.exe is launched; the CHOICE command waits up to five seconds (/T:A,5 selects A automatically after 5 seconds) and its prompt is discarded. Choice.exe and sleep.exe (an alternative) were not installed with Windows 2000 but are included in the Windows 2000 Resource Kit, which is no longer available from Microsoft but can still be obtained through third-party retailers and downloaded from the web.

Uninstalling DigitalPersona Pro Workstation

You can remove the DigitalPersona Pro Workstation software with the Add or Remove Programs Control Panel, where it is listed as "DigitalPersona Pro Workstation for Active Directory version [version number]." You must have local administrative privileges to modify installations on the computer.

Customizing a DigitalPersona Pro Workstation Installation

To customize an existing installation of DigitalPersona Pro Workstation, you can add or remove One Touch Applications from the Add or Remove Programs Control Panel. Follow the on-screen instructions for adding or removing the One Touch Applications. By default, all applications are installed.
6 Installing Pro Kiosk

This chapter defines the hardware and software requirements for DigitalPersona Pro Kiosk and provides instructions for its installation. DigitalPersona Pro Servers to be used for authentication should be installed and configured before installing DigitalPersona Pro Kiosk.

System Requirements

Before installing DigitalPersona Pro Kiosk, make sure that the computer meets the following hardware and software requirements:
• Hardware: Pentium 233 MHz processor, 128 MB RAM, 30 MB available hard disk space, and a CD-ROM drive for a local install or a network connection for a silent/network install
• Microsoft Internet Explorer 6 or above (required for the One Touch SignOn feature)
• DigitalPersona Pro Server version 4.0 or above, installed and configured on a domain server with Active Directory before Kiosk installation
• Supported operating systems: Windows 2000 Professional, Windows XP Professional, Windows Vista (Business, Ultimate and Enterprise) and Windows 2000/2003 Server. (DigitalPersona Pro Kiosk cannot be installed on the same computer as DigitalPersona Pro Server.)
• U.are.U 4000 or 4000B Fingerprint Reader, or a supported third-party swipe reader embedded in selected notebook models. The DigitalPersona Pro installation does not install drivers or other software for third-party readers: install the reader's drivers and support files and verify that the reader works as expected before installing DigitalPersona Pro. Redistributable packages for some third-party readers are on the product CD in the "Redistr\Third party reader support\" folder, together with a Readme file that gives additional details. Refer to the DigitalPersona Web site at http://www.digitalpersona.com/products/notebooks.php for the most recent list of supported models.
Note: Either the embedded reader or a DigitalPersona U.are.U reader may be used for fingerprint registration and authentication; a user can register with the embedded reader and authenticate with the U.are.U reader, and vice versa.

Installing DigitalPersona Pro Kiosk

To install DigitalPersona Pro Kiosk for Active Directory
1 Insert the DigitalPersona Pro Kiosk for Active Directory CD in your CD-ROM drive.
2 If the installation wizard does not start automatically, locate and double-click the Setup.exe file to run the DigitalPersona Pro Kiosk for Active Directory Installation Wizard.
3 When the installer runs, click Next to proceed with the installation.
4 Read the terms and conditions on the License Agreement page. If you agree with them, select I accept the license agreement and then click Next.
5 On the next page, you may specify the folder that DigitalPersona Pro Kiosk will be installed in. To install in the default location, C:\Program Files\DigitalPersona\, click Next; otherwise, click Browse to specify a new location and then click Next to continue.
6 Click Next again and the installer begins to install DigitalPersona Pro Kiosk on your computer.
7 Connect the fingerprint reader when prompted to do so. The installer places the driver files needed to use the reader with DigitalPersona Pro Kiosk on your hard drive.
8 When installation is finished, click Finish to close the installer. Click Yes when prompted to restart the computer.

After the computer restarts, and at every subsequent restart, the Pro Kiosk software automatically uses the default DNS server to locate all DigitalPersona Pro Servers for the domain and its site.
If more than one Pro Server is found, Pro Kiosk chooses the Pro Server that offers the most efficient connectivity for authentication. If no Pro Servers are found, DigitalPersona Pro Kiosk cannot perform fingerprint authentication at all; unlike Pro Workstation, Kiosk has no local fallback.

Installation on Citrix Presentation Server

Citrix Presentation Server is a remote access and application publishing product that allows users to connect remotely to applications hosted on central servers. DigitalPersona Pro clients (Workstation and Kiosk) support fingerprint authentication through the Citrix communication channel. The following types of Citrix clients are supported:
• Program Neighborhood
• Program Neighborhood Agent
• Web Client

To configure DigitalPersona Pro Kiosk for Citrix support:
1 Install the DigitalPersona Pro client on the Citrix Presentation Server computer that your Citrix client connects to, and on the client computer.
2 In Active Directory, apply the DigitalPersona Pro Administrative Template (DigitalPersonaProKioskWks.adm) to a GPO governing the client computer (or apply it to a local policy object on the client computer).
3 In the GPO, enable the "Allow Fingerprint Data Redirection" setting.
4 Deploy the DigitalPersona library for Citrix support into the Citrix client folder on the client computer:
• Locate the DPICACnt.dll file on the product CD in the "Misc\Citrix Support" folder and copy it to the folder on the client computer where the Citrix client components are located (for the Program Neighborhood client this is typically the "Program Files\Citrix\ICA Client" folder).
• Register the DPICACnt.dll library with the regsvr32.exe program.
• If several Citrix clients are installed on the computer, deploy DPICACnt.dll to the Citrix client folder of each client that will be used with DigitalPersona Pro software.
5 For Citrix published applications:
• To use One Touch SignOn with a logon dialog displayed by a Citrix published application, the DPAgent process must be started in the same session as the published application and be running before the dialog appears on the screen. The easiest way to do this is to run a script on the Citrix Presentation Server at the same time the published application launches.
• On the Citrix Presentation Server, make sure that UsrLogon.cmd is specified in the Registry in the following value: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup.
• Locate the UsrLogon.cmd file on the hard drive. By default it is in the %systemroot%\system32 folder.
• At the beginning of UsrLogon.cmd, insert a command that launches the DPAgent process, followed by a delay that lets the process start before the published application's dialog appears. Five seconds should be adequate even for a slower computer. For example:

    start /D"C:\Program Files\DigitalPersona\Bin" DpAgent.exe
    "C:\WINDOWS\SYSTEM32\CHOICE.EXE" /C:AB /T:A,5 > NUL

The /D switch of start sets the working directory before DpAgent.exe is launched; the CHOICE command waits up to five seconds (/T:A,5 selects A automatically after 5 seconds) and its prompt is discarded. Choice.exe and sleep.exe (an alternative) were not installed with Windows 2000 but are included in the Windows 2000 Resource Kit, which is no longer available from Microsoft but can still be obtained through third-party retailers and downloaded from the web.

Uninstalling DigitalPersona Pro Kiosk

The DigitalPersona Pro Kiosk software is removed with the Add or Remove Programs Control Panel, where it is listed as "DigitalPersona Pro Kiosk for Active Directory version [version number]." You must have local administrative privileges to modify installations on the computer.
Part Three: Administration

Part Three of the DigitalPersona Pro for AD Administrator Guide includes the following chapters:

Chapter 7 - Configuring Policies & Settings (page 70): Defines the policies and settings that may be applied to Pro Servers and Workstations through installation of the DigitalPersona Pro Administrative Templates to an Active Directory GPO (Group Policy Object).
Chapter 8 - User Properties (page 90): Describes the Basic and Extended user settings that are available on the DigitalPersona Pro tab of the User Properties dialog in the Active Directory Users and Computers console.
Chapter 9 - Administration Tools (page 96): Provides complete instructions for using the Administration Tools provided with DigitalPersona Pro Server and Workstation.
Chapter 10 - DigitalPersona Pro Events (page 151): Lists and explains the events that DigitalPersona Pro writes to the Windows Event Log.

7 Configuring Policies and Settings

DigitalPersona Pro for AD provides a comprehensive set of policies and settings that may be accessed through Active Directory. These policies and settings are contained in three Administrative Templates (DigitalPersonProSvr.adm, DigitalPersonaProWksta.adm and DigitalPersonaProKioskWkst.adm). During deployment, the templates are added to specific Active Directory GPOs (Group Policy Objects) according to the instructions on page 40. The Workstation template may also be added to a local policy object on a standalone workstation that does not have access to Active Directory. See "Install Workstation Template Locally" on page 45.

About DigitalPersona Pro Settings

The DigitalPersona Pro Administrative Template is added to the Administrative Templates folders in both the Computer Configuration and User Configuration trees, and the settings are accessible from the Setting table.
All computer policies and settings can be accessed in the Group Policy Editor tree from the path Computer Configuration/Administrative Templates/DigitalPersona Pro.

For local administrators of DigitalPersona Pro Workstation, the path is the same, but the local GPO is opened from the Microsoft Management Console (MMC). Each setting can be accessed in the Group Policy Editor (or MMC) by clicking Properties on the context menu of the setting and then clicking the Policy tab of the Properties dialog box.

GPO settings have three states: enabled, disabled and not configured. By default, all settings are not configured. To override the default behavior of DigitalPersona Pro, change a setting to enabled or disabled and, where required, supply its additional parameters.

On the network, by default, changes to existing GPOs may take up to 90 minutes, plus a random offset of up to 30 minutes, to be applied:
• GPOs applied to computers are refreshed on this schedule and when the computer restarts.
• GPOs applied to users are refreshed every 90 minutes and when the user logs on or off.
You can use the standard Windows methods of forcing a refresh of DigitalPersona Pro GPOs without disrupting DigitalPersona Pro functionality on a computer.

For a description of each setting, click the Explain tab for the setting in the GPO Properties dialog box, or refer to "DigitalPersona Pro Policies and Settings" on page 72.

DigitalPersona Pro Policies and Settings

The following pages describe the policies and settings made available in Active Directory through the DigitalPersona Pro Administrative Templates.
Settings in the list are divided into general categories indicating the type of setting. Each entry below gives the category, the template it applies to (Svr, Wks or Kiosk), the page where it is described, and a summary.

Event Logging (All, page 74): Separate Event Logging settings are available for Pro Server, Workstation and Kiosk.
BAS Locator DNS Records (Svr, page 75): Settings that affect the DNS registration used by Pro Workstations to locate Pro Servers for authentication.
Fingerprint Verification Lockout (Svr, page 79): Settings that determine when a user is locked out after unsuccessful fingerprint authentication attempts and for how long.
Kiosk Server Settings (Svr, page 79): Sets the size of the Kiosk Identification List.
Fingerprint Recognition (All, page 80): Settings that control how fingerprint recognition is performed.
Allow Fingerprint Data Redirection (Wks/Kiosk, page 82): Determines whether the client computer may redirect fingerprint data into a Terminal Services (RDP or Remote Access) session.
Workstation Only (Wks, page 83): Settings that affect the authorization and logon processes.
Workstation Properties (Wks, page 86): Settings that determine the behavior and appearance of DigitalPersona Pro Workstation.
One Touch SignOn (Wks/Kiosk, page 87): Settings that determine the behavior and appearance of the One Touch SignOn feature in DigitalPersona Pro Workstation or Kiosk.
Kiosk Workstation Only (Kiosk, page 88): Settings that determine the behavior and appearance of DigitalPersona Pro Kiosk.

For a complete alphabetical list of the policies and settings with references to their Active Directory locations, see "DigitalPersona Pro Settings" on page 222.
Event Logging

This setting is included in both the server and workstation Administrative Templates. The Event Logging setting defines the level of detail for DigitalPersona Pro Server and Workstation event logging in the Windows Event Log. Logged events are accessible from the Windows Event Viewer. If this setting is not configured, DigitalPersona Pro events are logged at the "Auditing" level. Event logging must also be enabled in the Windows operating system for this setting to take effect. For information on how events are logged and a detailed description of each event, refer to "DigitalPersona Pro Events" on page 151.

BAS Locator DNS Records

The BAS (Biometric Authentication Service) Locator DNS Records settings control the registration of BAS Locator DNS records. These records are registered dynamically by BAS and are used by DigitalPersona Pro Workstation to locate BAS. The following BAS Locator settings are included in the server Administrative Template.

Dynamic Registration of BAS Locator DNS Records

This setting determines whether BAS performs dynamic registration of BAS Locator DNS resource records.
• When enabled or not configured, computers to which this setting is applied dynamically register BAS Locator DNS resource records over network connections that have dynamic DNS update enabled.
• When disabled, computers do not register BAS Locator DNS resource records.

Refresh Interval of BAS Locator DNS Records

This setting specifies the refresh interval of BAS Locator DNS resource records for computers to which this setting is applied.
These DNS records are registered dynamically by BAS and are used by DigitalPersona Pro Workstation to locate BAS.
• To specify the refresh interval, select Enabled and then specify a value in seconds (the minimum is 1800).
• When disabled or not configured, computers use the default of 1800 seconds (30 minutes).

This setting applies only to computers that use dynamic update. Computers configured to register BAS Locator DNS resource records dynamically periodically re-register their records with the DNS servers, even if the record data has not changed. If the authoritative DNS servers are configured to scavenge stale records, this re-registration tells the DNS servers that the records are current and should be preserved.

If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the refresh interval configured for those zones. Setting the refresh interval of BAS Locator DNS records longer than the zone refresh interval may cause the scavenger to delete the records, after which Pro Workstations can no longer locate the server through DNS.

Weight Set in BAS Locator DNS SRV Records

This setting specifies the Weight field in the SRV resource records registered by the BAS to which it is applied. These DNS records are registered dynamically by BAS and are used to locate BAS. The Weight field of an SRV record can be used, in addition to the Priority value, as a load-balancing mechanism when several servers are listed in the SRV records' Target fields with the same priority: the probability that a DNS client randomly selects a given target host is proportional to the Weight value of its SRV record.
• To specify the Weight in the BAS Locator DNS SRV records, select Enabled and then specify a value in the range 0 to 65535.
• When disabled or not configured, computers use the default weight of 100.

Priority Set in BAS Locator DNS SRV Records

This setting specifies the Priority field in the SRV resource records registered by the BAS to which it is applied. These DNS records are registered dynamically by BAS and are used by DigitalPersona Pro Workstation to locate BAS. The Priority field sets the preference among the target hosts listed in the SRV records' Target fields: DNS clients that query for SRV resource records attempt to contact the reachable host with the lowest priority number first.
• To specify the Priority in the BAS Locator DNS SRV resource records, select Enabled and then specify a value in the range 0 to 65535.
• When disabled or not configured, computers use the default priority of 0.

Automated Site Coverage by BAS Locator DNS SRV Records

This setting determines whether BAS dynamically registers site-specific BAS Locator SRV records for the closest sites that have no BAS for the same domain. These DNS records are registered dynamically by BAS and are used by DigitalPersona Pro Workstation to locate BAS.
• When enabled, the computers to which this setting is applied dynamically register site-specific BAS Locator DNS SRV records for the closest sites that have no BAS for the same domain.
• When disabled or not configured, the computers register site-specific BAS Locator DNS SRV records only for their own site.
Sites Covered by BAS Locator DNS SRV Records

This setting specifies the sites for which the domain's BAS registers site-specific BAS Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records for the site where the BAS resides, and in addition to any records registered by a BAS configured for automated coverage of the closest sites without a BAS. The BAS Locator DNS records are registered dynamically by BAS and are used to locate BAS. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.
• To specify the sites covered, select Enabled and then enter the site names as a space-delimited list. Each entry has the following format, in which <site name> is required and <priority> and <weight> are optional numeric values:

    <site name>:<priority>:<weight>

• When disabled or not configured, no additional site-specific SRV records are registered.

Register BAS Locator DNS SRV Record for Domain

This setting determines whether BAS dynamically registers the domain-wide BAS Locator SRV record for the domain it belongs to. The DNS records are registered dynamically by BAS and are used by DigitalPersona Pro Workstation to locate BAS.
• When enabled or not configured, the computers to which this setting is applied dynamically register the domain-wide BAS Locator DNS SRV record.
• When disabled, computers do not register the domain-wide BAS Locator DNS SRV record for their domain and register only site-specific records.
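The Priority and Weight settings above only matter through the way an SRV-aware client applies them, and the Sites Covered list is easy to get wrong by hand. The following script is an added example, not code from the guide or from the DigitalPersona product: it parses a "<site name>:<priority>:<weight>" list into the per-site SRV data a BAS host would register (filling in the guide's defaults of priority 0 and weight 100, and rejecting a missing site name, a non-numeric field or a value above 65535) and then shows how a client selects a target: lowest priority number first, then a random choice among equal-priority records in proportion to Weight. The host name bas1.example.com and the site names HQ, Branch and DR are constructed for illustration; the DNS owner name of the BAS Locator record is not modelled because the guide does not state it, and treating an empty field as "use the default" is an assumption.

```python
"""
Added example (not from the DigitalPersona guide): parse the
"Sites Covered by BAS Locator DNS SRV Records" value and simulate
SRV target selection by priority and weight.
"""
import random

DEFAULT_PRIORITY = 0    # guide: default Priority when not configured
DEFAULT_WEIGHT = 100    # guide: default Weight when not configured
MAX_FIELD = 65535       # guide: upper bound of Priority and Weight


def parse_sites(setting, target):
    """Parse 'site[:priority[:weight]] ...' into SRV-like records.

    Each record is a dict with site, priority, weight and target.
    An empty priority/weight field falls back to the default
    (assumption: the guide only says the fields are optional).
    Raises ValueError on input the GPO would not accept.
    """
    records = []
    for entry in setting.split():
        fields = entry.split(":")
        if fields[0] == "":
            raise ValueError(f"missing site name in {entry!r}")
        if len(fields) > 3:
            raise ValueError(f"too many fields in {entry!r}")
        values = [DEFAULT_PRIORITY, DEFAULT_WEIGHT]
        for i, text in enumerate(fields[1:]):
            if text == "":
                continue
            if not text.isdecimal() or int(text) > MAX_FIELD:
                raise ValueError(f"bad numeric field {text!r} in {entry!r}")
            values[i] = int(text)
        records.append({"site": fields[0], "priority": values[0],
                        "weight": values[1], "target": target})
    return records


def is_valid_site_list(setting):
    """True when the whole setting string parses, False otherwise."""
    try:
        parse_sites(setting, "unused")
    except ValueError:
        return False
    return True


def select_target(records, rng=None):
    """Pick one record the way an SRV-aware client does.

    Only records sharing the lowest priority number are eligible.
    Among them each record is chosen with probability
    weight / total weight, so a weight-0 record is never chosen
    while a sibling has non-zero weight.
    """
    if not records:
        return None
    if rng is None:
        rng = random.Random()
    lowest = min(r["priority"] for r in records)
    pool = [r for r in records if r["priority"] == lowest]
    total = sum(r["weight"] for r in pool)
    if total == 0:
        return rng.choice(pool)
    point = rng.randrange(total)      # 0 .. total-1
    running = 0
    for rec in pool:
        running += rec["weight"]      # each record owns `weight` points
        if point < running:
            return rec
    return pool[-1]                   # not reachable; keeps the function total


def selection_frequencies(records, trials=10000, seed=0):
    """Fraction of `trials` in which each site's record was selected."""
    rng = random.Random(seed)
    counts = {r["site"]: 0 for r in records}
    for _ in range(trials):
        counts[select_target(records, rng)["site"]] += 1
    return {site: n / trials for site, n in counts.items()}


if __name__ == "__main__":
    # Constructed setting value: HQ takes the defaults (0:100); Branch
    # and DR share priority 10 and split the load 25 % / 75 %.
    recs = parse_sites("HQ Branch:10:50 DR:10:150", "bas1.example.com")
    for r in recs:
        print(f"{r['site']:7} priority={r['priority']:<3} weight={r['weight']}")
    print("preferred while reachable:", select_target(recs)["site"])
    print("HQ unreachable ->", selection_frequencies(recs[1:], seed=7))
```

Because weight only breaks ties within one priority level, setting a second BAS to a higher priority number makes it a pure standby; to share load between two servers they must carry the same priority and differing weights.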
Fingerprint Verification Lockout

These settings are installed with the Server Administrative Template and are located in Computer Configuration/Administrative Templates/DigitalPersonaPro/DigitalPersonaPro Server/Fingerprint Verification Lockout.

The DigitalPersona Pro fingerprint lockout is independent of the Microsoft account lockout and is managed separately. For a user to log on by fingerprint, neither lockout may be in effect. A user who is locked out only from fingerprint authentication can still log on to Windows by typing a password, so the fingerprint lockout limits guessing against the fingerprint path but does not by itself lock the Windows account. To unlock a locked user account, see page 93.

The following table describes the setting options.

Setting                               Description                                                            Default value
Account lockout threshold             Number of failed attempts allowed before the account is locked         0 (do not lock out)
Reset account lockout counter after   Length of time the counter keeps tracking failed attempts              5 minutes
Account lockout duration              Length of time the account stays locked before the user can try again  30 minutes

With the default threshold of 0, failed fingerprint attempts never lock the account; set a non-zero threshold to bound guessing. Each Authentication Server in the domain maintains its own lockout counter per user account, so failed attempts are not pooled across servers. When an account is locked out because of failed fingerprint attempts:
• The Logon dialog displays the account locked out message.
• The locked account information is replicated at the next Active Directory replication interval.
• A record is added to the DigitalPersona Pro event log.

Kiosk Server Settings

The single Kiosk Server setting is "Size of the Identification List for Kiosks." The default is 50 users; valid values are 1 to 50.

Fingerprint Recognition

There are three settings related to Fingerprint Recognition.
The first two:

• False accept rate used in fingerprint verification
• Maximum number of registered fingerprints per user

are located in the Computer Configuration/Administrative Templates/DigitalPersonaPro folder under each of the following folders:

• DigitalPersonaPro Server/Fingerprint Registration
• DigitalPersonaPro Workstation/Fingerprint Registration
• DigitalPersonaPro Kiosk Workstation/Fingerprint Registration

A third setting is installed as part of the Workstation and Kiosk Administrative Templates only:

• Use Basic Template Format

Each of the settings is described below.

False Accept Rate Used in Fingerprint Verification

This setting specifies the False Accept Rate for fingerprint verification. The False Accept Rate (FAR) is the mathematical probability (1:n) of two different fingerprints being falsely matched.

The value of n, which is specified in the Value: (one in) text box, indicates the likelihood of false fingerprint verification. The higher the value of n, the less likely a fingerprint will be falsely accepted as verified. For example, setting n to 10,000 indicates that it is probable that one in every 10,000 fingers will be falsely accepted as verified; setting n to 100,000 sets the probability to one in 100,000. Particularly high values of n may cause false rejection of fingerprints from the same finger.

If this setting is not configured, the default value of one in 100,000 is used. The maximum value for n is one in 1,000,000; the minimum is one in 1,000.

False Reject Rates and False Accept Rates are only probabilistic estimates and not indicators of actual performance in a given deployment. Visit the DigitalPersona Web site (http://www.digitalpersona.com) for more information.
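An added Python example (not DigitalPersona code) that turns the configured n into an effective false-accept probability when a transaction involves more than one comparison: several registered fingers per user, several attempts, or identification against a list of users. It generalises beyond the single-comparison case described above and assumes that comparisons are independent trials.

```python
"""Effective false-accept probability for the "False Accept Rate Used in
Fingerprint Verification" setting, where a configured n means one false match
in n comparisons (1:n).  Added example, not DigitalPersona code.  Assumption:
every comparison is an independent trial, so the chance that at least one of
k comparisons falsely matches is 1 - (1 - 1/n)**k.  Several registered fingers,
several attempts per transaction, or identification against a list of users
all raise k."""
import math
from typing import List, Optional, Tuple

FAR_MIN_N, FAR_MAX_N, FAR_DEFAULT_N = 1_000, 1_000_000, 100_000  # per the guide
MAX_FINGERS_PER_USER = 10                                        # per the guide


def is_valid_n(n: Optional[int]) -> bool:
    """True if n is 'not configured' (None) or within the allowed 1:n range."""
    return n is None or (isinstance(n, int) and FAR_MIN_N <= n <= FAR_MAX_N)


def far_per_comparison(n: Optional[int]) -> float:
    """Probability of a false match in one comparison; None means the default."""
    if not is_valid_n(n):
        raise ValueError(f"n must be an integer from {FAR_MIN_N} to {FAR_MAX_N}")
    return 1.0 / (FAR_DEFAULT_N if n is None else n)


def _check_fingers(fingers: int) -> None:
    if not 0 <= fingers <= MAX_FINGERS_PER_USER:
        raise ValueError(f"fingers must be 0..{MAX_FINGERS_PER_USER}")


def false_accept_probability(n: Optional[int], comparisons: int) -> float:
    """P(at least one false match) over `comparisons` independent comparisons,
    i.e. 1 - (1 - 1/n)**comparisons, evaluated without cancellation error."""
    if comparisons < 0:
        raise ValueError("comparisons must not be negative")
    return -math.expm1(comparisons * math.log1p(-far_per_comparison(n)))


def verification_far(n: Optional[int], fingers: int, attempts: int = 1) -> float:
    """Verification of a claimed identity: the presented finger is compared
    with each of that user's registered templates, once per attempt."""
    _check_fingers(fingers)
    return false_accept_probability(n, fingers * attempts)


def identification_far(n: Optional[int], fingers: int, list_size: int,
                       attempts: int = 1) -> float:
    """Identification against an identification list: the presented finger is
    compared with every listed user's templates, once per attempt."""
    _check_fingers(fingers)
    return false_accept_probability(n, fingers * list_size * attempts)


def required_n(target_far: float, comparisons: int) -> Optional[int]:
    """Smallest allowed n whose effective FAR over `comparisons` comparisons
    stays at or below target_far; None if even n = 1,000,000 is not enough.
    From 1 - (1 - 1/n)**k <= t it follows that 1/n <= 1 - (1 - t)**(1/k)."""
    per_comparison = -math.expm1(math.log1p(-target_far) / comparisons)
    n = max(FAR_MIN_N, math.ceil(1.0 / per_comparison))
    return n if n <= FAR_MAX_N else None


def far_table(n: Optional[int] = None, attempts: int = 3,
              list_size: int = 50) -> List[Tuple[int, float, float]]:
    """Rows of (fingers, verification FAR, identification FAR) for a
    transaction of `attempts` attempts; three attempts and a 50-user list are
    the example's own choices, not values the setting fixes."""
    return [(f, verification_far(n, f, attempts),
             identification_far(n, f, list_size, attempts))
            for f in (1, 2, 5, MAX_FINGERS_PER_USER)]


if __name__ == "__main__":
    print("fingers  verification   identification (50 users)")
    for fingers, v, i in far_table():
        print(f"{fingers:>7}  1 in {1 / v:>10,.0f}  1 in {1 / i:>10,.0f}")
    print("n needed for <= 1:10,000 with 2 fingers x 50 listed users:",
          required_n(1e-4, 2 * 50))
```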
Note
To estimate the likelihood of false rejects and false accepts, DigitalPersona recommends following the guidelines described in “Best Practices in Testing and Reporting Performance of Biometric Devices: Version 2.01,” by A. J. Mansfield and J. L. Wayman, NPL Report CMSC 14/02, 2002, defining a transaction as three verification attempts and assuming a single comparison of a verification template against a single registration template.

Maximum Number of Registered Fingerprints Per User

This setting determines the maximum number of fingers that a user can register. The value for this setting, specified in the Maximum Number of Fingerprints Per User text box, influences both the speed of authentication and the probability of false accepts. For example, the more fingerprints a user registers, the more time it takes to authenticate or identify the user. Also, more comparisons increase the likelihood of false acceptance of the fingerprint. To increase security and maximize server efficiency, users should be allowed to register a maximum of two fingers.

The maximum and default value is ten registered fingers. The minimum value is zero.

Use Basic Template Format

This setting determines whether the Basic Template Format (BTF) or Extended Template Format (XTF) is used for fingerprint registration templates created by Pro Workstation or Kiosk. XTF is the default template format, providing optimal recognition performance, especially for users with poor quality fingerprints. If you have space constraints, you may want to consider using the BTF template, since the size of each template (550 bytes) is about 1/3 the size of the XTF template (1.5 kb). If not configured, XTF is used.

Allow Fingerprint Data Redirection

This setting is available separately for either Pro Workstation or Pro Kiosk.
The setting determines whether or not to allow the client computer to redirect fingerprint data to the Terminal Services (i.e. RDP or Remote Access) session.

• If the status is set to Enabled, clients that are capable of fingerprint data redirection send their fingerprint data to the server. The server then uses the fingerprint data for the usual tasks, such as logon and OTS.
• If the status is set to Disabled or Not Configured, fingerprint data redirection is not possible.

When this setting is changed, only new connections are affected. Sessions that were initiated before the change must log off and reconnect to be affected by the new setting.

NOTES
By default, the Remote Desktop Protocol (RDP) is not enabled on any Microsoft operating system version. The use of Microsoft Remote Desktop entails opening a port in your firewall and thus creates a security vulnerability. For more information on this vulnerability, see the Microsoft Security Bulletin MS05-041.

The Remote Access capability is a feature of DigitalPersona Pro 4.01 and above. To use Remote Access with Workstation or Kiosk 4.01 and above and Pro Server 4.x, apply the appropriate template (DigitalPersonaProWksta.adm or DigitalPersonaProKioskWkst.adm) to the GPO governing the DigitalPersona Pro clients and enable the Allow Fingerprint Data Redirection setting.

Workstation Only

The following settings are specific to the DigitalPersona Pro Workstation, and are included in the Workstation Administrative Template.

Warning
When setting the logon policy for Pro Workstations, be aware of the following:

• Certain combinations of policy settings may temporarily prevent a user from logging on to their computer if the “Fingerprint only” and “Fingerprint and Password” policies are applied.
• Do not select a logon authentication policy requiring the user to type a password if password randomization has been enabled for that user.
• If cached credentials are disabled and the logon policy is “Fingerprint only” or “Fingerprint and Password,” the user will not be able to log on to the computer if it is disconnected from the network or Pro Server is unavailable. Refer to “Cached Credentials and the Identification List” on page 174 for more information on cached credentials.

Use DigitalPersona Pro Server for authentication

This setting determines whether DigitalPersona Pro Workstation will use DigitalPersona Pro Server for fingerprint registration and authentication or perform these operations locally instead.

• When enabled (the default) or not configured, Pro Workstation will look for an available Pro Server for authentication, and if none is found, will perform authentication locally.
• When disabled, Pro Workstation will always perform authentication locally, whether a Pro Server is accessible or not.

Cache Domain User Data on Local Computer

This setting determines if domain user credentials are cached on DigitalPersona Pro Workstations.

• When enabled (the default) or not configured, user data (fingerprint templates and secure application data) of domain users is cached locally on the computer, meaning that domain users are still able to use fingerprints if the DigitalPersona Pro Server cannot be located. This is a convenient but less secure option.
• When disabled, users may only use fingerprints when DigitalPersona Pro Server is accessible.

Data of local users is always stored on the local computer.

Maximum Size of Identification List

The identification list contains an administrator-specified number of user accounts.
It is used in conjunction with cached credentials to identify a user by their fingerprint and, as an added convenience, frees them from typing their user name and domain at Windows logon.

• Enable this setting to specify the maximum number of users the identification list can hold on a particular computer. Type the number of users in the Maximum size of identification list text box. While the number of credentials that can be cached is virtually unlimited, the maximum number of users that can be added to the identification list is 20; the minimum is 0.
• When disabled or not configured, the default value of 5 is used.

Users are added to the identification list in the order they log on. The most recent user to log on is added to the top of the list. If the list has exceeded its capacity, the least recent user to log on is removed from the list when another user logs on. If a user is already on the list and logs on again, they are moved from their original position on the list and placed on top. Once removed, a user can still use their cached credentials (if enabled), but they must type their user name and domain manually.

If DigitalPersona Pro is deployed in a networked environment with Pro Server support, it performs identification locally out of the set of users in the identification list and then, for added security, confirms the user identity using the DigitalPersona Pro Server.

Multi-credential Logon to Windows

These logon settings determine the credentials required to log on to Windows. The default settings allow a fingerprint or a password or a smart card for logon.
The following is the list of settings in DigitalPersona Pro for logon to Windows XP and 2000:

• User must provide a fingerprint to log on
  When checked, the user must provide the fingerprint in addition to the Windows logon credentials (smart card or password according to the Windows policy setting).
• Password is not allowed for logon
  When checked, users are not allowed to use their Windows password to log on to computers with DigitalPersona Pro installed, and must use a fingerprint or smart card instead. They can still log on with their password to workstations where DigitalPersona Pro is not installed. To prevent a user from logging on to any workstation, regardless of whether or not DigitalPersona Pro is installed, see the “Randomize user’s Windows password” setting in the User Properties chapter (page 91).
• PIN is required when a fingerprint is provided
  When checked, the user must provide a PIN code whenever the fingerprint is used to log on, to unlock the computer or to change the Windows password. The fingerprint PIN option provides additional security. See “One Touch Features” on page 179.
• Fingerprint is allowed to unlock the smart card
  When checked, the user can use the fingerprint to unlock the smart card instead of typing the PIN for the smart card.

Workstation Properties

The following settings are installed as part of the DigitalPersona Pro Workstation Administrative Template, and are enabled by default. They can be found in the User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Workstation/Workstation Properties folder. These settings determine certain properties of DigitalPersona Pro that affect the usability of DigitalPersona Pro Workstation.

Show One Touch Menu upon fingerprint validation.
Controls whether or not the One Touch Menu appears when users touch the fingerprint reader with a registered finger.

• When enabled, the One Touch Menu is always displayed upon fingerprint validation, and cannot be overridden by the end user. Fingerprint validation refers specifically to authentication of a registered fingerprint, and not to Quick Actions (see page 18 for the definition).
• If you disable this policy, the One Touch Menu is not displayed upon fingerprint authentication and cannot be assigned to a Quick Action. This cannot be overridden by the end user.
• If this policy is not configured, the One Touch Menu is displayed upon fingerprint validation, but end users can override the behavior through the DigitalPersona Workstation Properties dialog.

Allow One Touch Internet.

One Touch Internet allows users to create their own fingerprint logons for Web sites and programs.

• When enabled or not configured, the One Touch Internet feature is available to users.
• When disabled, this setting prevents use of One Touch Internet.

Show fingerprint icon on the taskbar.

When the fingerprint icon is shown on the taskbar, users can right-click on the icon to access various properties of DigitalPersona Pro.

• When enabled, the fingerprint icon is shown on the taskbar.
• When disabled, the fingerprint icon does not display on the taskbar.
• When not configured, the fingerprint icon is shown on the taskbar, but end users can change this in the DigitalPersona Pro Properties dialog.

One Touch SignOn

One Touch SignOn settings are included in the Workstation and Kiosk Administrative Templates. These settings are enabled by default, and configure the way that end users interact with the One Touch SignOn feature.

• Show clear text passwords.
  Enable this option to show password field values to the end user when they are prompted to provide a password.
• Allow users to edit account data.
  When enabled, this option permits end users to change the values of logon screen fields by clicking the arrow on the fingerprint logon icon and selecting Edit an account from the shortcut menu.
• Allow users to add account data.
  This option allows end users to add account data fields for Web sites and applications by clicking the arrow on the fingerprint logon icon and selecting Add a new account from the shortcut menu.
• Allow users to delete account data.
  Allows end users to remove account data from a template from within the Fingerprint Logon Manager.

Path to the container of templates.

Specify the path to the container in the Container Path field to provide access to the templates it contains for DigitalPersona Pro Workstation or Kiosk users. The container path is determined when creating a new container, as described in “Create an OTS Container” on page 107. You can add multiple paths by separating them with the pipe (|) character.

Kiosk Workstation Only

The following settings are specific to DigitalPersona Pro Kiosk, and are included in the Kiosk Administrative Template. They are located in the Kiosk Workstation Settings folder. These settings affect the operation of all Kiosk workstations in the domain, site or OU to which the GPO is applied. By default, they are not configured.

• Allow automatic logon using Shared Kiosk Account.
  Determines whether the automatic logon feature is enabled. Automatic logon uses the Kiosk Shared Account to log users on to the computer when the Windows operating system starts up. The Log On to Windows dialog box is not displayed. When this policy is Disabled or Not Configured, automatic logon is disabled.
  Warning
  Use of this setting will allow any user to access a Windows session without interactive authentication when the Kiosk computer is restarted.
• Kiosk Workstation Shared Account Settings.
  In order to use a Kiosk workstation, this setting must be enabled and the Windows shared account information (user name, domain and password) specified. See “Configuring DigitalPersona Pro Server for Pro Kiosk” on page 46 for additional details. If not configured or disabled, Kiosk workstations affected by the GPO will not be operable.
• Prevent users from logging on outside of a Kiosk session.
  When enabled, only those with administrator privileges are able to log on to any Kiosk workstation controlled by the GPO. If not configured or disabled, users can log on to the Kiosk workstations as a local user outside of the Kiosk session.
• Force Authentication on Server.
  When enabled, authentication is performed on the server in addition to local authentication using the Identification List. If the server cannot be connected to, users will not be able to use the Kiosk. If not configured or disabled, users are authenticated using the Identification List cached on the local Kiosk workstation.

User Properties

In addition to the settings available through the Administrative Templates, installation of DigitalPersona Pro Server automatically adds the DigitalPersona Pro tab to the User Properties settings in the Active Directory Users and Computers console.

User Properties can also be enabled on a DigitalPersona Pro Workstation by adding the User Properties snap-in to the Active Directory Users and Computers component.

• The appropriate Windows Administration Pack for your OS must be installed on the computer.
• Install the DigitalPersona Administration Tools and select to install the optional component, User Properties Snap-in.
For complete details on DigitalPersona Pro User Properties, see “User Properties & Commands” on page 90.

8 User Properties & Commands

Installation of DigitalPersona Pro Server automatically adds the DigitalPersona Pro tab to the User Properties settings in the Active Directory Users and Computers console. It also adds a few commands to the user context menu.

User Properties can also be enabled on a standalone DigitalPersona Pro Workstation by adding the User Properties snap-in to the local policy object. (See page 89.)

User Properties

You can apply user properties in order to increase the overall level of security for your network while at the same time maintaining flexible options for individual users. For example, you can set a stricter multi-credential requirement for all users in an organization, but then, for a particular user who may be having difficulties with fingerprint registration, you can lower the requirements. User Properties override any computer policies that have been set.

User properties allow you to configure fingerprint logon settings and restore the use of fingerprints for a user after the account has been locked due to failed fingerprint attempts.

To access User Properties:

1 Launch the Active Directory Users and Computers console and open the Users folder.
2 Right-click on a specific user name, select Properties and click the DigitalPersona Pro tab.

Basic User Properties

User-level settings are available in two varieties, Basic and Extended. The Basic User Policies are included with the DigitalPersona Pro Server. The Extended Server Policy Module is available from your DigitalPersona Account Manager or product Reseller.
The Basic User Policies are:

• User provides only Windows credentials to log on
  When this option is set, the user will not be subject to any logon policy from DigitalPersona Pro. Users will be able to log on with a password or smart card as defined by the Windows logon settings. By default this setting is turned off.
• Randomize user’s Windows password
  Upon application of this setting, the user’s Windows password is randomized by DigitalPersona Pro. This has the consequence that the user is effectively blocked from being able to use a password to log on to the network. In this case, the fingerprint or the smart card, if available, must be used instead. Without knowledge of their password, the user is prevented from logging on with a password from any computer on the network, even those where the Pro software is not installed. When this option is set, DigitalPersona Pro changes the user password to a random value when you click OK on this dialog box. By default this setting is turned off.
• Account is locked out from use of fingerprint credentials
  This setting is only for unlocking accounts that have been locked out due to failed logon attempts. If the account is unlocked, the check box is disabled. For instructions on unlocking an account, see page 93. Note that this setting cannot be used by an administrator to lock an account.

Warning
Do not enable password randomization with incompatible logon authentication policies, such as “Fingerprint and Password,” as users will be unable to log on.

Extended User Policies

The Extended User-level policies are included in a separate product module, the DigitalPersona Pro Extended Server Policy Module, available as a separately purchased product from your DigitalPersona Account Manager or product Reseller.
Extended policies allow additional biometrically-enabled logon policies at the user level, adding the following settings to the DigitalPersona Pro tab in the Active Directory Users and Computers console, in addition to those described in the previous topic.

• User must type a PIN when providing a fingerprint to log on
  When this option is enabled, the user must provide a PIN code whenever the fingerprint is used to log on, to unlock the computer or to change the Windows password. The fingerprint PIN option provides additional security to the logon with the fingerprint.
• User must provide a fingerprint to log on
  The user must verify the fingerprint credential in addition to the Windows authentication (smart card or password according to the Windows policy setting).

In order to install the Extended Server Policy Module, the User Properties Snap-in must already be installed.

Note
If the Extended Server Policy Module is uninstalled, only the original Basic User Policy settings will be displayed. If the Administration Tools package is uninstalled, the Extended Server Policy Module will be uninstalled as well.

Unlocking Accounts after Failed Logon Attempts

You can unlock an account that has been locked out of fingerprint authentication due to the user reaching the threshold number for failed fingerprint attempts. You must have permissions to access the user account.

When an account is unlocked by an administrator, the account becomes immediately available for fingerprint authentication from all computers, or after the next replication interval if there are multiple domain controllers. The administrator can choose to set less strict lockout settings by reducing the lockout duration time or reducing the counter reset time.

To unlock a locked account

1 In Active Directory for Users and Computers, right-click on the user name, and select Properties.
2 Click the DigitalPersona Pro tab.
3 Click the Account is locked out from use of fingerprint credentials check box to unselect it. This check box is for unlocking accounts and cannot be checked by an administrator to lock an account. If the account is unlocked, the check box is disabled.
4 Click OK to close the dialog box and save the changes.

User Context Menu Commands

Installation of DigitalPersona Pro adds the following commands to the context menu for a user in the Active Directory Users and Computers console.

Delete fingerprint PIN - Use this command to delete the fingerprint PIN for a selected user. They will be prompted to enter a new fingerprint PIN the next time that they log on.

Delete fingerprints - Use this command to delete all the registered fingerprints for a selected user.

Register fingerprints - Displays only when DigitalPersona Pro Workstation is also installed on a computer used to administer Active Directory, such as when the Windows Server Administration Tools Pack is installed on a Pro Workstation client computer. Use this command to start the Fingerprint Registration Wizard and register fingerprints for a selected user. To delegate fingerprint registration of users to someone without their needing to access the Active Directory Users and Computers console, use the Attended Fingerprint Registration Tool described on page 102.

Deleting User Credentials using the ADSI Edit Tool

You can remove Pro user credential data for a specified user from Active Directory by using the ADSI Edit tool included with Windows 2000 and 2003 Server.

To remove user credential data

1 On the Start menu, point to Programs, Windows 2000 Support Tools\Tools and then click ADSI Edit.
2 In the tree of the ADSI Edit tool, locate the user account and, on its shortcut menu, click Properties.
3 On the Select a property to view drop-down menu, click dpUserCredentialsData.
4 Click the Clear button to remove the user credential data.

9 Administration Tools

DigitalPersona Pro for Active Directory provides several tools for administering various aspects of your deployment as well as expanding the functionality of the product. These Administration Tools are included on the product CD for both DigitalPersona Pro Server and Workstation. Some of these tools are installed automatically with the installation of DigitalPersona Pro for Active Directory Server or Workstation, while others must be selected through the Custom Install option in the Administration Tools Installation wizard or run from the product CD.

Overview

The following table lists each of the Administration Tools, their purpose, how they are installed or used and the page where the tool is explained.

Table 9-1. List of Administration Tools

Admin Tool: License Control Manager
Purpose: Used to control and manage licenses for DigitalPersona Pro Servers, including gathering the information necessary for requesting a license, adding and removing licenses and viewing license and user information.
Installation/Reference: Automatically installed as part of the Administration Tools installation. See page 98.

Admin Tool: Attended Fingerprint Registration Tool
Purpose: Allows supervision of users when registering their fingerprints.
Installation/Reference: Automatically installed as part of the Administration Tools installation, but needs to be set up before use. See page 102.

Admin Tool: One Touch SignOn Administration Tool
Purpose: Enables administrators to add biometric authentication to Web sites and programs.
Installation/Reference: Automatically installed as part of the Administration Tools installation. See page 104.
Admin Tool: User Query Tool
Purpose: Used to query the DigitalPersona Pro for Active Directory user database for information about DigitalPersona Pro users; can be run as an Interactive Query, from the command line, or from within a script.
Installation/Reference: Automatically installed as part of the Administration Tools installation. See page 144.

Admin Tool: CleanUp Wizard
Purpose: Removes Pro user data (such as fingerprint credentials, secure application data and global domain data) from Active Directory which is not removed when uninstalling DigitalPersona Pro Server.
Installation/Reference: Not automatically installed as part of the Administration Tools. It is run from the product CD or copied to a hard drive and run. See page 149.

All of the tools may be installed on a single workstation for centralized administration of DigitalPersona Pro for Active Directory, or, for larger organizations, each tool may be installed on a separate workstation in order to divide the administration of various features among several people.

To install the Administration Tools

• Locate and double-click the setup.exe file located in the Administration Tools/Install directory on the product CD.

License Control Manager

The DigitalPersona Pro License Control Manager is used by an administrator to manage User Authentication Licenses (UALs) for users authenticating to DigitalPersona Pro Servers. It is used to gather information necessary for requesting a license from DigitalPersona, for adding and removing licenses, and for viewing license and user information. It is automatically installed as part of the DigitalPersona Pro Administration Tools, but can also be installed separately on a workstation that has access to the domains that are to be licensed and/or managed.
Overview

The licensing model for DigitalPersona Pro for Active Directory Server requires that each domain be licensed for the number of users who will register their fingerprints within that domain.

License Control Manager provides the following features for managing licenses for DigitalPersona Pro Servers:

• Connecting to a domain (page 98)
• Getting License Information (page 99)
• Reviewing and installing license files (page 100)
• Viewing license details (page 100)
• Viewing UAL Summary Information (page 101)
• Uninstalling licenses (page 101)

Connecting to a domain

By default, when License Control Manager is launched it will connect to the domain to which the currently logged on user belongs. If that domain is not the domain that you want to administer at this time, you can select a different domain.

To change the domain:

1 Click the Change Domain button to display the Connect to Domain dialog box.
2 Type the domain name that you want to connect to, or click Browse to navigate to the domain.
3 If you want to connect to this domain the next time that License Control Manager runs, select Connect to this domain the next time you run License Control Manager.
4 Click OK to connect to the domain and close the dialog box.

After successfully connecting to the domain, License Control Manager will locate all licenses in the License container and display them in the list view. If duplicate or incorrect licenses are found during this process, they will be deleted and you will be notified of the fact.

Getting License Information

Each license for DigitalPersona Pro for Active Directory is tied to a specific customer domain.

Note
When upgrading from Pro 3.5, User Authentication Licenses must be obtained for all registered and prospective users.
In order for DigitalPersona to issue a requested license, certain domain information necessary to bind the license to the domain must be collected and sent to DigitalPersona, Inc. This step needs to be done once for each domain.

To collect the required domain information:

1 Launch License Control Manager.
2 Click the Get License Info button.
3 License Control Manager will collect the domain information that it needs and display a Save As dialog box.
4 Type a file name that will identify the file as belonging to your company and what domain it refers to. The file must have a .dplif extension. Click Save to save the file.
5 Request a license for the domain by sending the file as an attachment in an email containing your Purchase Order # for the number of User Authentication Licenses needed and address it to [email protected]; or contact your DigitalPersona Sales Account Manager.

Reviewing and installing license files

After sending the required domain information to DigitalPersona, Inc., you will receive a license file for that domain. Keep a copy of the license file in a secure place for backup purposes.

To install the license:

1 In License Control Manager, click the Add button.
2 In the Open dialog box, navigate to the license file (.dplic extension) and click the Open button.
3 In the License Details dialog box, you can review information about the license before it is added.
4 Click the Add License button to add the license to License Control Manager.
5 The license, along with summary information about the license, is added to the License list.

Viewing license details

License Details are available for each installed license.

To view license details:

1 In the Licenses list, select a license.
2 Click the Details button.
3 License Control Manager displays license details for the selected license.
4 Click Close to close the License Details dialog box.
Note: License Details are only available for issued User Authentication Licenses, not for the licenses shipped with DigitalPersona Pro Server for evaluation.

Viewing UAL Summary Information

License Control Manager does not display the summary information for User Authentication Licenses (UALs) when launched, since in large organizations it may take a while to collect the information.

To display the User Authentication License summary information:

• Click the Refresh button.

License Control Manager displays the following summary information:

• Total number of licenses Issued
• Number of licenses Used
• Number of licenses Remaining
• Percent of Issued licenses that have been Used

The amount of time that it takes to refresh user information depends on the number of users.

Uninstalling licenses

To uninstall a license:

1 In the License list, select a license.
2 Click the Delete button.
3 In the Confirmation dialog box, click Yes to delete the license, or No to close the dialog box without deleting the license.

When you uninstall the last license in the License list, the Evaluation license appears on the list.

Attended Fingerprint Registration

The Attended Fingerprint Registration Tool is an administrative tool that can be used to add an additional level of security to the implementation and use of DigitalPersona Pro for Active Directory. With attended registration, a designated user (or member of a designated user group) must be logged in to supervise the fingerprint registration process of other users. Users can also be prevented from registering other fingerprints or deleting fingerprints from their own account.
The Attended Fingerprint Registration Tool is automatically installed as part of the DigitalPersona Pro Administration Tools, but needs to be set up before use. It can also be installed separately on a workstation.

Assigning Registration Permissions

The user designated to supervise the fingerprint registration of other users can be an individual user or belong to a user group, and must have permission to register and delete user fingerprints. The Register/Delete Fingerprint permission can be granted at the single user, organizational unit or domain level, but not at the user group level.

Single User

You can assign a user or group to supervise a single user’s fingerprint registration. In most cases, however, you will want to make the assignment at the organizational unit or domain level, as shown in the next topic.

To assign a user or group permission to supervise fingerprint registration for a single user:

1 In Active Directory for Users and Computers, select the user name to be registered through attended registration.
2 Right-click and select Properties.
3 Click the Security tab.
4 Click the Add button.
5 Select the supervising user or group who will have register and delete fingerprints permission to this account.
6 Click Add and then OK.
7 In the Permissions list, select the Allow check box for the Register/Delete Fingerprint (DigitalPersona) permission.
8 Click OK.

Organizational Unit or Domain

To assign attended fingerprint registration permissions for an organizational unit or domain to a supervising user:

1 In Active Directory for Users and Computers, select the domain or organizational unit to be registered through attended fingerprint registration by the supervising user.
2 Right-click and select Properties.
3 Click the Security tab.
4 Click the Advanced button.
5 Click Add and add the supervising user or group to the users who have permissions to this account. Then click OK.
6 Click the Edit/View button.
7 Select User Objects from the Apply onto drop-down list.
8 In the Permissions list, select the Allow check box for the Register/Delete Fingerprint (DigitalPersona) permission.
9 Click OK to close the dialog and save your changes.

One Touch SignOn Administration Tool

Overview

One Touch SignOn (OTS) enables administrators to provide controlled access to Web sites or programs by adding biometric authentication to their logon and change password screens, simplifying the logon process for end users and reducing the administrative overhead involved in password maintenance. The OTS Administration Tool manages access to password-protected Web sites and programs through the creation and administration of templates that contain the specifications for:

• Logon screen templates - This template specifies attributes that are used during the logon, such as a user name, password, and Submit button.
• Password Change screen template - This template defines how a password for an OTS-enabled program or Web site is changed, specifying details such as whether the password can be changed by the user at will or must be changed at prescribed intervals, and any format restrictions that are enabled.

These OTS templates are created in the One Touch SignOn Administration Tool, and then deployed to end users through a setting in the Active Directory GPO governing the workstations. (For further information, see “Deploying Templates” on page 137 and following.)
After the templates are created and deployed, the One Touch SignOn application uses the templates to recognize which logon and change password screens are fingerprint-enabled. It displays the DigitalPersona fingerprint logon icon in the upper left corner of the Web site or program window to indicate that the user can log on with their fingerprint, as well as a balloon prompting the user to touch the reader to log on. For a description of the end user experience, see “Logging On with One Touch SignOn” on page 141.

Installing the OTS Administration Tool

The OTS Administration Tool is installed as part of the DigitalPersona Pro Administration Tools. To install the Administration Tools, navigate to the Administration Tools folder on the product CD and click the setup.exe file.

Setting up OTS

Before using the OTS Administration Tool to create OTS templates, you will need to set it up for your network.

Create a shared network folder

Create a shared folder on the network drive to store OTS templates and assign appropriate permissions to the users.

1 Create a folder on the server/computer where you will store the OTS templates.
2 Share the folder that you just created to allow users to access it.
3 Right-click on the folder and click on Properties in the context menu.
4 Click on the Sharing tab.
5 Verify the permissions by clicking on the Permissions button.

Set up the GPO policy for OTS

1 The Workstation Administrative Template, the DigitalPersonaProWksta.adm file, must be added to the Active Directory Computer Configuration folder in the Administrative Templates folder of the Group Policy editor.
The ADM file is located in the inf directory on the hard drive where DigitalPersona Pro AD Server or Workstation was installed. For further details, see “Install the Administrative Templates” on page 40.
2 Open the GPO where the DigitalPersona template was added.
3 Go to User Configuration\Administrative Templates\DigitalPersonaPro.
4 Double-click the One Touch SignOn Configuration policy (in the right pane). The default setting is "Not Configured". Click Enable to enable this policy, and then type in the path to the shared folder that you previously created.
5 The new setting is applied to all DigitalPersona Pro Workstations during the usual refresh interval or the next time they restart Windows.

Create an OTS Container

1 Open the OTS Administration Tool from Start/Programs/DigitalPersona Pro.
2 On the toolbar, click the New Container icon.
3 In the Create New Container dialog box, type a name for the container in the Name text box.
4 Specify the path of the container in the Path field. To browse for a path using the standard Windows file browser dialog box, click the Browse button.
5 Click OK to create the container.

Using Field Catalogs

The Field Catalog for a container is used to store logon field values and attributes that can then be reused when creating templates for logon screens that share common fields. By storing frequently used logon fields in the catalog once, you can add the same field to several templates without entering its value or attributes each time. In addition, changes made to fields in the Field Catalog are propagated to all templates that use the field. Each container has only one Field Catalog.
To add a field to a field catalog for a container:

1 In the OTS Administration Tool, select a container and select Field Catalog on the Tools menu.
2 In the Field Catalog Editor, click Add to create a new field in the table.
3 In the Field text box, type a name for the field you are adding to the catalog.
4 Specify the type of the field by selecting Password or Text in the Type drop-down list.
5 Specify the value of the field on the Value drop-down menu. See “Logon Fields options” on page 111 for a description of each value.
6 Add any comments related to this field in the Description text box, and then click OK to close the Field Catalog Editor.

Creating OTS Templates

Logon screen templates enable DigitalPersona Pro administrators to set policy about how much, and what kind of, user information can be sent to an application via fingerprint logon. OTS includes a wizard that can create logon screen templates automatically for most logon screens. For more complex logon screens, there is a ‘manual’ mode that provides more sophisticated options for matching the logon process to nonstandard logon screens.

• Automatically -- Open the logon screen for a Web site or program, and then click Create template in the OTS Administration Tool. The Logon Screen Wizard detects the fields on the logon screen. You can specify which fields are required for logon and what type of information should be provided in the fields.
• Manually -- For logon screens that are difficult for the wizard to detect automatically, you can create a template manually. When you create a template manually, you have additional controls for specifying fields and keystrokes required for logon.
For a discussion of the trade-offs involved in manual template creation, see “Creating a Logon Screen Template Manually” on page 115. DigitalPersona recommends that you attempt to create a logon template automatically before you try to create it manually.

Creating a Logon Screen Template automatically

To create a logon screen template automatically:

1 Launch the password-protected application (or browse to a Web site) that contains the logon screen for which you want to create a template.
2 Launch the OTS Administration Tool and, on the shortcut menu of the container for which you want to create a template, click New Template.
3 When the OTS Template Wizard launches, confirm that the title of the logon screen is displayed on the first page and then click Next.
4 The Logon Fields page displays each field on the logon screen, using the nearest associated label to identify the field. For each field, you can specify several attributes. See the table “Logon Fields options” on page 111.
5 Click Next after selecting the Logon Fields.
6 On the Submit Option page, choose the button from the list that submits the logon data for the application. To prevent automatic logon, click Do not submit. Click Next to continue.
7 On the Logon Screen Properties page, enter the name for this logon screen/template, and the name for the Quicklink. For more details on this screen, see the table “Logon Screen Properties options” on page 113.
8 Click Next after entering the appropriate data and then click Finish to save the new template. If the OTS templates are stored on a shared network drive, log off and log back in to automatically download the newly created templates to your workstation.
9 Enter Account Data.
You can now go to the Web page/application for which you created the template. You are prompted to touch the sensor to log on. Once you touch the sensor with your registered finger, you are prompted to enter your account data. You need to provide this data only when you log on using OTS for the first time. During subsequent logons, you can log on simply by touching the sensor with your registered finger!

Table 9-2. Logon Fields options (See step 4 above.)

Use: Specifies the fields that are used during logon. If a listed field is not used for logon, leave the field unchecked.

Label: Describes the type and use of the field, as displayed to the user during logon. These labels represent the Wizard’s best guess. If the label for a field is not intuitively related to the corresponding field on the logon screen, enter a new label name in this field.

Type: Specifies the type of field, either text or password. This value is not editable.

Catalog: For added convenience, you can create specifications for frequently used fields using the Field Catalog Editor, a collection of frequently used fields and their specifications (see “Using Field Catalogs” on page 107). If the field is in the Field Catalog, you can right-click it, then choose it from the drop-down list. Its specifications are then provided automatically by OTS.

Value: Alphanumeric data to be supplied by either the user or DigitalPersona Pro. Type a value for the logon field or use the Value drop-down menu to indicate a value.
Ask-Reuse prompts the user to enter a value for a logon field the first time they use the template for logon. This value is automatically submitted for them on each subsequent logon without prompting the user again.
Ask-Confirm also prompts the user to enter a value for a logon field the first time they use it.
However, on subsequent logons, the value is automatically entered and they are then prompted to confirm this value or change it.
Ask Always prompts the user to enter a value for a logon field each time they log on.
Specify whether you want the field to be stored in the template as clear (unencrypted) text or protected (encrypted) text.
If the field is a text field, choose any of the following options to specify values to be provided by OTS:
  Windows User Name
  Windows User Principal Name -- the user name and domain values in the format: [user name]@[domain]
  Windows Domain\User Name -- the domain of the user, followed by a backslash and the user name
  Windows Domain -- the name of the user’s domain
  Windows E-mail Address -- the user’s email address, as stored in Active Directory
If the field is a password field, choose Windows User Password to specify that OTS will provide password information.

Table 9-3. Logon Screen Properties options (See step 7 above.)

General:
Template is the name of the template.
Description contains information about the template and is viewable in the OTS Administration Tool.
User Hint enables you to provide a message that is displayed when a user uses the template for logon, such as when users are prompted to type values for logon fields. For example, if you want to direct a user to a Web page with custom instructions for logon, you can enter a URL in the User Hint field.
Show Balloon specifies the number of times a balloon will be displayed on the fingerprint-enabled logon screen to inform the user they can touch the reader to log on.

Quick Link:
Quick Link Name is the name of the Quick Link, if the template was created for a Web site, and appears in the One Touch Menu for accessing Web sites set up for fingerprint logon.
Users touch the reader to display the One Touch Menu, point to Quick Links and then click the fingerprint logon title that corresponds to the Web site they want to access. Internet Explorer is launched automatically and is pointed to the Web site.
Quick Link URL is the target URL of the Quick Link.

Screen Detection:
Window Caption is the title of the logon screen as detected by the Wizard. The caption information in the template is used by OTS to recognize the logon screen by matching the window caption in the logon screen. If portions of the window caption change, specify the portion of the window caption to match and represent the changing portion of the caption with special characters, such as *. The invariant portion of the string is used to recognize the logon screen.
URL is used by One Touch SignOn to recognize a Web site logon screen. The URL information in the template is matched to the URL in the logon screen. If multiple Web sites have the same title or if portions of the URL change, which can be the case for Web sites that redirect traffic for load balancing, then specify the portion of the URL to match. The drop-down menu allows you to specify the type of matching to perform on the URL.
Extended Match: If you are creating a template for a program, and not a Web site, you can click the button next to the Extended Match field. Select labels that should be used for matching when recognizing the screen. Click the check box next to labels to use. After making selections and clicking OK, you can select the type of matching to perform by selecting it from the drop-down list.

Authentication:
Start Authentication Immediately. If set to Yes, the user is prompted for a fingerprint logon immediately after the logon screen displays. The default setting is No.
Lock out logon fields.
If set to Yes, the user is prevented from typing data in the logon fields. The default setting is No.

Creating a Logon Screen Template Manually

If One Touch SignOn does not detect fields automatically in your Web site and program logon screens, or if you want to specify additional controls to be used during logon (such as adding keystrokes, forcing delays between actions, and specifying positions of fields), you can create a template for a logon screen manually.

When you create a template manually, you have additional controls for specifying fields and keystrokes required for logon; essentially you specify a “script” to manage the interaction completely. This is much more powerful than accepting the typical field-to-field navigation supported by the Logon Screen Wizard in Automatic mode, but it requires much closer study of the logon screen itself to establish the precise actions required. For example:

• Exactly how many, and what kind of, keystrokes are needed to enter the data?
• Where should the initial focus of the screen be? (physical location)
• How many tabs are required to navigate the input screen?

To create a logon template manually:

1 Launch the password-protected Web site or program for which you want to create a template. Study the logon screen carefully to determine what actions are necessary, and where the initial focus of the screen should be. (If the screen cursor is already in the initial field of the logon screen when the screen is displayed, there is no need to worry about initial focus.)
2 In the OTS Administration Tool, select the container to which you want to add the new template.
3 Click Create template. The OTS Administration Tool launches the Logon Screen Wizard.
4 Confirm that the title of the logon screen is accurately displayed on the first page.
5 Select Set up a template manually.
6 Click Next. The wizard displays an empty Fill In Actions list, as shown below.
7 Click Add and select an action from the drop-down menu, as described in Table 9-4. Add as many actions to the list as are required, in the order that they are required. This builds the “script” that governs interaction between the user, DigitalPersona Pro, and the program. For example, to create a logon screen template for the Yahoo! Mail logon page, you might study the page and find that focus on the page is always automatically in the logon field; that you need input fields for Yahoo ID and Password; and that you then submit the data with the Sign In button. Your logon fields would look like this:

Table 9-4. Logon Screen Actions: manual selections

Keystroke: This key sequence of one or more keys is placed in the keyboard buffer.
Key. You can select keys such as Tab, Enter, Left arrow, Spacebar or Page Up. The Tab key is the default.
Repeat. Specify the number of times the key sequence is entered.
Shift, Control, Alt. You can check Generic, Left or Right to simulate pressing one or more of these keys in addition to the key you selected. You can specify whether the key is from the left or right side of the keyboard if necessary.

Field: You can define a field and its type.
Label. Type a label name for the corresponding field on the logon screen. The labels are displayed when users are prompted to type a value for a logon field.
Type. Select the type of field, either text or password, in the Type text box. Choosing password as the type hides the password on the logon screen so it cannot be viewed. Choosing text displays readable text.
Reference.
Specifications for frequently used fields can be created using the Field Catalog Editor (see “Using Field Catalogs” on page 107). If the field is in the Field Catalog, you can click and then choose it from the drop-down list. Its specifications are then provided automatically by One Touch SignOn.
Value. Type a value for the logon field or use the Value drop-down menu to indicate a value specified by the user or provided by One Touch SignOn.

Value: There are several options on the Value drop-down menu, which allow you to specify values that must be provided by the user or by One Touch SignOn. The first three options can be used if you require the user to provide information at logon:
Ask-Reuse prompts the user to enter a value for a logon field the first time they use the template for logon. This value is automatically submitted for them on each subsequent logon without prompting the user again.
Ask-Confirm also prompts the user to enter a value for a logon field the first time they use it. However, on subsequent logons, the value is automatically entered and they are then prompted to confirm this value or change it.
Ask Always prompts the user to enter a value for a logon field each time they use the template.

Value (Text fields): For a text field, the next group of options allows you to specify values which are provided by One Touch SignOn:
Windows User Name provides the Windows user name.
Windows User Principal Name provides the user name and domain values in UPN format: [user name]@[domain]
Windows Domain\User Name provides the domain of the user, followed by a backslash and the user name.
Windows Domain provides the user domain name.
Windows E-mail Address provides the email address stored in Active Directory for the user.
Value (Passwords): For a password field, you can specify the following value, which is provided by One Touch SignOn:
Windows User Password provides the password used for Windows logon.

Delay: You can specify how many seconds to wait before the next action in the list is performed.

Position: Using this action, you can specify a location where One Touch SignOn will perform a mouse click. Position is measured from the top left corner of the client window area.
Client X. Type a number of pixels for the X axis position for the action.
Client Y. Type a number of pixels for the Y axis position for the action.
Target icon. You can click and drag the target icon to the actual logon screen field to specify the position. Drop the target icon on the location you want to specify. When you drop the target icon, the Client X and Y positions are updated with the target location.

8 To continue, click Next. The OTS Administration Tool displays the Logon Screen Template Properties page.
9 The Logon Screen Template Properties page allows you to view and modify the properties of the logon screen template. Details about the options on this page are described in Table 9-5.

Table 9-5. Logon Screen Template: manual options (See step 9 above.)

General:
Template is the name of the template. Choose a name for the template that is easy to remember, such as YahooEmail.
Description contains information about the template and is viewable in the OTS Administration Tool.
User Hint allows you to type a message that is displayed when a user uses the template for logon, such as when users are prompted to type values for logon fields. For additional user assistance, if you type a URL in the User Hint field, a user can click it to be directed to a Web page that you created to provide custom instructions for logon.
Show Balloon is the number of times a balloon will be displayed on the fingerprint-enabled logon screen to inform the user they can touch the reader to log on.

Quick Link:
Quick Link Name is the name of the Quick Link, if the template was created for a Web site, and appears in the One Touch Menu for accessing Web sites set up for fingerprint logon. Users touch the reader to display the One Touch Menu, point to Quick Links and then click the fingerprint logon title that corresponds to the Web site they want to access. Internet Explorer is launched automatically and is pointed to the Web site.
Quick Link URL is the target URL of the Quick Link.

Screen Detection:
If portions of the window caption change, specify the portion of the window caption to match and represent the changing portion of the caption with special characters, such as *. The invariant portion of the string is used to recognize the logon screen.
URL is used by One Touch SignOn to recognize a Web site logon screen. The URL information in the template is matched to the URL in the logon screen. If multiple Web sites have the same title or if portions of the URL change, which can be the case for Web sites that redirect traffic for load balancing, then specify the portion of the URL to match. The drop-down menu allows you to specify the type of matching to perform on the URL.

Authentication:
Start Authentication Immediately.
If set to Yes, the user is prompted for a fingerprint logon immediately after the logon screen displays. The default setting is No. You can specify additional logon screen matching to help OTS recognize the screen.

10 When done configuring the Logon Screen Properties, click Next.
11 On the Setup Complete page, click Finish to save the changes and exit the wizard.

Creating Change Password Screen Templates

In addition to templates for logon screens, templates can also be created for most Change Password screens. To set up a change password screen with One Touch SignOn, use the One Touch SignOn Change Password Screen Wizard. Using the wizard, you can specify the fields required by the application for changing passwords, implement password policies and even automate the entire process for the end user.

The Change Password Screen Wizard provides administrators with two different ways to create change password screen templates:

• Automatically -- Open the change password screen for a Web site or program that already has a logon screen template created by the OTS Administration Tool and stored in DigitalPersona Pro. Find the logon screen template, then right-click to display that template’s context menu. Choose Add Change Password Screen. The Wizard detects the fields on the change password screen. You can specify which fields are required for logon and what type of information should be provided in the fields.
• Manually -- For change password screens that are difficult for the wizard to detect automatically, you can create a template manually. When you create a template manually, you have additional controls for specifying fields and keystrokes required for logon.

For a discussion of the trade-offs involved in manual template creation, see “Creating a Logon Screen Template Manually” on page 115.
Creating a Change Password Screen Template Automatically

To create a change password screen template automatically:

1 Launch the password-protected Web site or program for which you want to automate the change password operation and then navigate to the Change Password screen.
2 In the OTS Administration Tool, select the template which was created for that Web site or program.
3 Right-click to display that template’s context menu, then click Add Change Password Screen. OTS launches the Change Password Screen wizard.
4 Click Next. The wizard displays the Change Password Screen Field page.
5 Select all fields relevant to the change password process, as described in Table 9-6.

Table 9-6. Password Screen Template options

Use: Check the Use check box for each field needed in changing the password.
Type: Specify the type of control on the Change Password screen, such as text or password field.
Label: The label is displayed next to a field when the user is prompted to type a value for a field on the change password screen. If the label is not intuitively related to the corresponding field on the change password screen, you can enter a new label.
Catalog: Cross-references the fields of the Change Password Screen with the fields in the Logon Screen. For example, the password used at logon is re-used during the Change Password process. The automatically detected value is shown in this field by default, but you should verify it.
Value: For Old Password, the value type should be Ask-Reuse. For New Password, the value type should be Write Only.

6 Click Next. The wizard displays the Password Policy page.
7 If desired, specify the password policy for a protected field.
Select the corresponding Field Policy item, and then click the button shown on the right side.
8 In the Password Policy dialog box, the following options are available:
• Password is provided by user - Allows the user to specify the new password for the Web site or program.
• Password is generated automatically - Generates a randomized password for the user. By selecting this option, you ensure that the user can only log on using a fingerprint.
To specify constraints on the password format, length and uniqueness, check the Use password policy check box. These requirements are followed when the password is generated, and verified when the password is provided by the user.
The following options are available for the password length:
• Minimum password length - Specifies the minimum number of characters allowed in the password.
• Maximum password length - Specifies the maximum number of characters allowed in the password.
The following options are available for the password contents:
• Letters and numbers - Allows any combination of letters and/or numbers.
• Letters only - Allows letters only.
• Numbers only - Allows numbers only.
• Letters and numbers with special characters - Allows passwords that contain at least one letter or at least one number; at least one special character is required. Special characters include symbols such as !"#$%&'()*+,-./:;<=>?[\]^_`{|}~@. Spaces are not allowed.
• Letters and numbers with at least one number - Allows passwords with any combination of letters and numbers, but both types must be present.
The following additional password constraints are available:
• None - No other constraints are applied to the password.
• Different from Windows password - The new password must be different from the current Windows password.
• Different from any password registered with OTS - The new password must be different from all passwords registered for fingerprint-enabled Web sites or programs by the current Windows user.
• Different from current password - The new password must be different from the current password for this Web site or program.
9 Click OK to save the changes in the Password Policy dialog box.
Note: The password policy applied in the wizard must be consistent with that of the Web site or program; otherwise OTS may generate, or accept from the user, a password that the Web site or program then rejects.
10 On the Password Policy page, click Next.
11 On the Submit Selection page, choose from the list of detected buttons the button that submits the data on the Change Password screen, and then click Next.
12 On the Change Password Screen Properties page, you can customize the behavior of the system during the change password operation. The following settings are available:
• User Hint - Allows customizing the text shown when the user is prompted to type data into input fields on the Change Password screen.
• Windows Caption - Specifies the title of the change password screen as detected by the wizard. This caption is used by One Touch SignOn to recognize a fingerprint-enabled screen. You may use an asterisk (*) as a wildcard at the beginning, inside or at the end of the caption to define which portion of the caption must match literally. You cannot use more than one asterisk in the caption. For example:
*Some Application Login
Some Company*Login
My Bank Login*
• Monitor Screen Changes - Enables the fingerprint software to recognize the previously trained screen when the screen content changes over time due to system or user activity, for example when the screen contains a complex, slow-loading element such as an ActiveX control or Flash. Since most Web pages do not fall into this category, this setting is turned off by default.
• URL - The Uniform Resource Locator is the unique, identifying address of a particular page on the Web. The URL can be used by One Touch SignOn to recognize the previously trained screen. The drop-down menu lets you specify the type of matching performed on the URL. You may use an asterisk (*) as a wildcard at the beginning, inside or at the end of the URL to specify which portion of the URL must match literally. You cannot use more than one asterisk in the URL. For example:
*mycompany.com/login.html
http://www.*.mycompany.com
http://www.mycompany.com/login.*
By default, the URL is not used to recognize a fingerprint-enabled screen.
13 When done configuring the Change Password Screen Properties, click Next.
14 Click Finish to save the changes and exit the wizard.
Change password screens set up with One Touch SignOn display the DigitalPersona fingerprint logon icon in the upper left corner of the Web site or program window to indicate that the user can log on with their fingerprint, together with a balloon prompting the user to touch the reader to begin the change password process.

Creating a Change Password Screen Template Manually
If you want to specify additional controls to be used during the password change (such as adding keystrokes or forcing delays between actions), you can create a change password screen template manually. When you create a template manually, you have additional controls for specifying the fields and keystrokes required for the password change; essentially you specify a "script" that manages the interaction completely. This is much more powerful than the field-to-field navigation supported by the Change Password Screen Wizard in Automatic mode, but it requires much closer study of the change password screen itself to establish the precise actions required.
For example:
• Exactly how many, and what kind of, keystrokes are needed to enter the data?
• Where should the initial focus of the screen be (physical location)?
• How many tabs are required to navigate the input screen?
To create a change password screen template manually:
1 Launch the password-protected Web site or program for which you want to create a template, and move to that site's or program's Change Password screen.
2 In the OTS Administration Tool, select the template for that Web site or program.
3 Right-click to display the template's context menu, then click Add Change Password Screen. OTS launches the Change Password Screen wizard.
4 Select Set up a template manually, then click Next. The wizard displays the Logon Fields page with an empty Fill in Actions list.
5 Click the Add button and then select an action from the drop-down menu. Add as many actions to the list as are required, in the order in which they are performed. This builds the "script" that emulates the interaction between the user and the program; later, this script is used to play back the prerecorded actions.
The following actions are available in the Fill in Actions list:
• Keystroke - Provides navigation to the first field to be filled in, or between fields. It may also be used to submit the data on the Change Password screen. The list of supported keystrokes is available in the Key drop-down menu.
• Field - Specifies a field to be filled in on the Change Password screen: its type (text or password), its reference (for example, its relationship to the password field on the logon screen) and its value, i.e. how the field value is obtained.
• Delay - Specifies a delay during navigation or prior to submitting data. This setting is useful when the system performs some actions between the screen loading and the data submission.
For some terminal applications, a delay may be required even when moving between neighboring fields on the screen.
Note: Estimate the required delay and then test it before putting the script into use.
• Position - Moves the cursor to a specified area of the Change Password screen, such as a field for data input, without using keystrokes. To use the Position feature, select Position in the drop-down menu, then, using the mouse, click and drag the Target icon until the cross is located over the desired area of the screen. When the mouse button is released, the chosen coordinates are shown in the right panel of the wizard page. Be aware that the Position action may be sensitive to screen resolution, because the system deals with coordinates in pixels. This feature also may not be useful when the user needs to scroll the window in order to move the cursor to the desired area.
6 Repeat step 5 until all the required actions (i.e. fields, cursor movements, delays and the submission action) are specified.
7 Click Next. The wizard displays the Password Policy page.
8 If desired, specify the password policy for a protected field. Select the corresponding Field Policy item, and then click the button shown on the right side.
9 In the Password Policy dialog box, the following options are available:
• Password is provided by user - Allows the user to specify the new password for the Web site or program.
• Password is generated automatically - Generates a randomized password for the user. By selecting this option, you ensure that the user can only log on using a fingerprint.
To specify constraints on the password format, length and uniqueness, check the Use password policy check box. These requirements are followed when the password is generated, and verified when the password is provided by the user.
The following options are available for the password length:
• Minimum password length - Specifies the minimum number of characters allowed in the password.
• Maximum password length - Specifies the maximum number of characters allowed in the password.
The following options are available for the password contents:
• Letters and numbers - Allows any combination of letters and/or numbers.
• Letters only - Allows letters only.
• Numbers only - Allows numbers only.
• Letters and numbers with special characters - Allows passwords that contain at least one letter or at least one number; at least one special character is required. Special characters include symbols such as !"#$%&'()*+,-./:;<=>?[\]^_`{|}~@. Spaces are not allowed.
• Letters and numbers with at least one number - Allows passwords with any combination of letters and numbers, but both types must be present.
The following additional password constraints are available:
• None - No other constraints are applied to the password.
• Different from Windows password - The new password must be different from the current Windows password.
• Different from any password registered with OTS - The new password must be different from all passwords registered for fingerprint-enabled Web sites or programs by the current Windows user.
• Different from current password - The new password must be different from the current password for this Web site or program.
10 Click OK to save the changes in the Password Policy dialog box.
Note: The password policy applied in the wizard must be consistent with that of the Web site or program; otherwise OTS may generate, or accept from the user, a password that the Web site or program then rejects.
11 On the Password Policy page, click Next.
12 On the Submit Selection page, choose from the list of detected buttons the button that submits the data on the Change Password screen, and then click Next.
13 On the Change Password Screen Properties page, you can customize the behavior of the system during the change password operation. The following settings are available:
• User Hint - Allows customizing the text shown when the user is prompted to type data into input fields on the Change Password screen.
• Windows Caption - Specifies the title of the change password screen as detected by the wizard. This caption is used by One Touch SignOn to recognize a fingerprint-enabled screen. You may use an asterisk (*) as a wildcard at the beginning, inside or at the end of the caption to define which portion of the caption must match literally. You cannot use more than one asterisk in the caption. For example:
*Some Application Login
Some Company*Login
My Bank Login*
• Monitor Screen Changes - Enables the fingerprint software to recognize the previously trained screen when the screen content changes over time due to system or user activity, for example when the screen contains a complex, slow-loading element such as an ActiveX control or Flash. Since most Web pages do not fall into this category, this setting is turned off by default.
• URL - The Uniform Resource Locator is the unique, identifying address of a particular page on the Web. The URL can be used by One Touch SignOn to recognize the previously trained screen. The drop-down menu lets you specify the type of matching performed on the URL. You may use an asterisk (*) as a wildcard at the beginning, inside or at the end of the URL to specify which portion of the URL must match literally. You cannot use more than one asterisk in the URL. For example:
*mycompany.com/login.html
http://www.*.mycompany.com
http://www.mycompany.com/login.*
By default, the URL is not used to recognize a fingerprint-enabled screen.
14 When done configuring the Change Password Screen Properties, click Next.
15 On the Setup Complete page, click Finish to save the changes and exit the wizard.
Change password screens set up with One Touch SignOn display the DigitalPersona fingerprint logon icon in the upper left corner of the Web site or program window to indicate that the user can log on with their fingerprint, together with a balloon telling the user to touch the reader to begin the change password process.

Managing Containers
This section describes how to edit and delete containers. For instructions on creating a container, see "Create an OTS Container" on page 107.
Editing Containers
You cannot change the location of the folder associated with a container, but you can rename the container. To edit the name of a container:
1 Select the container whose name you wish to edit.
2 Right-click the container to display its context menu.
3 Click Properties.
4 Enter a new name for the container and click OK.
Deleting Containers
When you delete a container, you can choose whether or not to delete the template files in its folder. To delete a container:
1 Select the container you wish to delete.
2 Right-click the container to display its context menu, then select Delete Container, or press the Delete key. A confirmation message is displayed.
3 If you are not sure you want to delete the container, click No. If you are sure you want to delete the container and also want to delete all the templates in the container folder, select Delete all templates in the selected container, then click Yes.
Note: If you delete a container and its templates, you must either update the corresponding OTS GPO to point to a new container, or delete the GPO itself. For detailed information about how to work with the DigitalPersona GPOs, refer to "Configuring Policies and Settings" on page 70.
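The Password Policy dialog box described in both change password procedures above (length limits, a content option, and the "different from" constraints) is easiest to reason about as code. The following is an added example written for this page; it is not DigitalPersona code and says nothing about how OTS stores or evaluates a policy internally. It encodes the documented rules as a checker (the "verified when the password is provided by the user" path) and a generator (the "Password is generated automatically" path), so an administrator can confirm before deploying a template that the chosen policy is satisfiable and matches the target application's own rules, as the Note in the procedure requires. The option names, the PasswordPolicy field names, and the use of the wizard's listed special-character set verbatim are this example's own assumptions.

```python
"""Checker and generator for the OTS-style password policy options.
Added example for this page; not DigitalPersona code. Option names,
field names and the exact special-character set are assumptions."""
import secrets
import string
from dataclasses import dataclass

LETTERS = string.ascii_letters
DIGITS = string.digits
# The special characters listed by the wizard; a space is never allowed.
SPECIAL = "!\"#$%&'()*+,-./:;<=>?[\\]^_`{|}~@"

# One entry per "password contents" option, mapped to the characters it permits.
ALLOWED = {
    "letters_and_numbers": LETTERS + DIGITS,            # any mix of letters and/or digits
    "letters_only": LETTERS,
    "numbers_only": DIGITS,
    "letters_numbers_special": LETTERS + DIGITS + SPECIAL,
    "letters_numbers_one_number": LETTERS + DIGITS,     # both classes must be present
}


@dataclass
class PasswordPolicy:
    min_length: int
    max_length: int
    content: str = "letters_and_numbers"
    # The "additional constraints"; any combination may be switched on.
    different_from_windows: bool = False
    different_from_any_ots: bool = False
    different_from_current: bool = False

    def __post_init__(self):
        if self.content not in ALLOWED:
            raise ValueError(f"unknown content option {self.content!r}")
        if not 1 <= self.min_length <= self.max_length:
            raise ValueError("need 1 <= min_length <= max_length")


def violations(policy, pw, windows_pw=None, ots_pws=(), current_pw=None):
    """Return the rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if not policy.min_length <= len(pw) <= policy.max_length:
        problems.append("length")
    allowed = set(ALLOWED[policy.content])
    if any(c not in allowed for c in pw):      # also rejects spaces
        problems.append("disallowed character")
    has_letter = any(c in LETTERS for c in pw)
    has_digit = any(c in DIGITS for c in pw)
    has_special = any(c in SPECIAL for c in pw)
    if policy.content == "letters_numbers_special" and not (
            (has_letter or has_digit) and has_special):
        problems.append("needs a letter or digit plus a special character")
    if policy.content == "letters_numbers_one_number" and not (has_letter and has_digit):
        problems.append("needs both a letter and a digit")
    if policy.different_from_windows and pw == windows_pw:
        problems.append("same as Windows password")
    if policy.different_from_any_ots and pw in ots_pws:
        problems.append("same as a password registered with OTS")
    if policy.different_from_current and pw == current_pw:
        problems.append("same as current password")
    return problems


def generate(policy, windows_pw=None, ots_pws=(), current_pw=None, attempts=1000):
    """Draw candidates from the CSPRNG until one passes every rule.
    Rejection sampling, rather than patching a required character in,
    keeps each length's candidates uniformly distributed."""
    alphabet = ALLOWED[policy.content]
    span = policy.max_length - policy.min_length + 1
    for _ in range(attempts):
        length = policy.min_length + secrets.randbelow(span)
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not violations(policy, pw, windows_pw, ots_pws, current_pw):
            return pw
    # e.g. min_length 1 with a two-class requirement can never be satisfied
    raise RuntimeError("policy could not be satisfied; check length vs content rules")
```

Note that "Letters and numbers with special characters" only requires one letter or digit plus one special character, so a password such as !!!!!!!a passes it; if the target application demands more, the wizard's policy has to be tightened to match, or the application will reject what OTS produces.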
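The Windows Caption and URL settings on the Change Password Screen Properties page both use a single-asterisk wildcard to decide whether a live window is the trained screen. The following is an added example, not DigitalPersona code, that implements the rules as documented above: at most one asterisk, standing for any run of characters wherever it appears, with the caption always checked and the URL consulted only when the template enables it. Whether OTS compares captions case-sensitively is not stated on this page, so the ignore_case switch, and the dictionary layout used for a template, are this example's assumptions. The last assertions show the practical caveat: a URL pattern that starts with an asterisk, such as *mycompany.com/login.html, also matches a page on a different host whose path merely ends in that text, so for Web sites the scheme and host are best spelled out literally.

```python
"""Single-asterisk caption/URL matching as documented for OTS templates.
Added example for this page, not DigitalPersona code. Case handling and
the template dictionary layout are assumptions."""
import re


def wildcard_to_regex(pattern, ignore_case=False):
    """Compile an OTS-style pattern: literal text with at most one '*',
    which stands for any run of characters (including none)."""
    if pattern.count("*") > 1:
        raise ValueError("at most one asterisk is allowed in a caption or URL pattern")
    head, star, tail = pattern.partition("*")
    body = re.escape(head) + (".*" if star else "") + re.escape(tail)
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.compile(body, flags)


def matches(pattern, text, ignore_case=False):
    """True when the whole text matches the pattern (no implicit wildcards)."""
    return wildcard_to_regex(pattern, ignore_case).fullmatch(text) is not None


def recognise_screen(template, caption, url=None, ignore_case=False):
    """Decide whether a live window is the trained screen.
    The caption must always match; the URL is consulted only when the
    template carries one ("by default, the URL is not used")."""
    if not matches(template["caption"], caption, ignore_case):
        return False
    url_pattern = template.get("url")
    if url_pattern:
        return url is not None and matches(url_pattern, url, ignore_case)
    return True
```

With caption-only matching (the default), any window whose title fits the caption pattern is treated as the trained screen; adding a URL pattern with the host spelled out narrows recognition to the intended page.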
Managing Templates
This section describes various ways to search for templates, as well as how to edit, delete and deploy templates. It consists of the following topics:
• "Finding Templates" on page 134
• "Finding Fields in Templates" on page 135
• "Finding Redundant Templates" on page 135
• "Editing Templates" on page 136
• "Deploying Templates" on page 137
• "Deploying OTS Templates on a Local Computer" on page 137
For instructions on creating a template, see one of the following topics:
• "Creating a Logon Screen Template Automatically" on page 109
• "Creating a Logon Screen Template Manually" on page 115
• "Creating a Change Password Screen Template Automatically" on page 124
• "Creating a Change Password Screen Template Manually" on page 128
Finding Templates
You can search for templates in specific containers. To find templates in the OTS Administration Tool:
1 Select Find Template on the Tools menu.
2 The name, caption and URL fields are available for a pattern-matching search. Select the containers to search from the list and click Find.
3 The search results are displayed in the dialog.
4 You can save the results of the search by clicking Save. Specify a location and file name for the results. The results are saved as an HTML table that includes the template name, file name and container.
Finding Fields in Templates
You can search for templates that contain certain fields defined in the Field Catalog of a container. To search for templates that contain certain fields:
1 Select the container that uses the Field Catalog you want to use.
2 Select Field Usage from the Tools menu.
3 Select the fields from the Field Catalog and click Find.
The search results are displayed in the dialog.
4 You can save the results of the search by clicking Save. Specify a location and file name for the results. The results are saved as an HTML table that includes the caption, template name, created date, modified date and file name.
Finding Redundant Templates
You can search for redundant templates, that is, multiple templates created for a single logon or change password screen. To search for redundant templates:
1 Click Check redundancy on the toolbar.
2 In the displayed containers list, select the containers to search and click Check. The search results are displayed in the dialog.
3 You can save the results of the search by clicking Save. Specify a location and file name for the results. The results are saved as an HTML table that includes the container, template name, caption, screen type, created date, modified date and file name.
Editing Templates
Any logon or change password screen template can be edited in the OTS Administration Tool. To edit a template:
1 Select the container that includes the template.
2 Select the template to edit.
3 Right-click the template to display its context menu, then click Edit. The OTS Administration Tool launches the Logon Screen Wizard.
4 Edit the template as described in "Creating a Logon Screen Template Manually" on page 115 or "Creating Change Password Screen Templates" on page 123.
5 Click Next to continue with the wizard. Click Finish to exit the wizard.
Deleting Templates
A logon screen setup cannot be deleted without deleting the entire template, including any change password screen setup. To delete a template:
1 In the OTS Administration Tool, select the container that includes the template.
2 Select the template to be deleted.
3 Right-click the template to display its context menu, then click Delete.
4 To delete the entire template, specify All Screens. To delete only the change password screen setup, specify Change Password Screen.

Deploying Templates
OTS templates are automatically deployed to all DigitalPersona Pro Workstation users. However, newly created templates are not available to a user until they either log off and log on again, or until a local template is created or edited using either the One Touch Internet or One Touch SignOn tools.
Automatic deployment requires that the path to the container(s) where the templates are stored has been entered in the GPO governing the workstation, and that the designated folder is accessible to the workstation. See "Setting up OTS" on page 105 for specific instructions. Because templates script where and how stored credentials are entered, the container folder should be writable only by OTS administrators and read-only for workstations.
Deploying OTS Templates on a Local Computer
Administrators may want to deploy OTS templates on a local computer:
• To test OTS templates on a Pro Workstation before distributing them to other computers on a network, or
• When a specific computer does not have access to the container in which the template is stored.
Note: In order to deploy OTS templates on a local computer, you must first add the Workstation Administrative Template to the computer. The default DigitalPersona Pro Workstation installation copies the Workstation Administrative Template to the computer but does not install it. This template can be added to the Local Policy Object on a workstation to enable GPO settings on the local computer, including the OTS settings. For instructions on adding the Administrative Template, see "Install Workstation Template Locally" on page 45.
To set the container path for OTS templates
The following procedure requires that the Workstation Administrative Template has already been added to the Local Policy Object.
1 Create a folder on the local hard drive to use as a container for the OTS templates.
2 Copy the OTS templates into the folder that you just created.
3 In MMC, navigate to the User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Workstation/OTS node.
4 Double-click the One Touch SignOn configuration setting to open its Properties dialog.
5 On the Setting tab, select Enable.
6 In the Path to the container of templates box, enter the path of the local folder that you created in step 1.
7 Click OK to close the dialog box.

One Touch SignOn Settings
Two-Factor Authentication and Other Policies
Various authentication policies, specifically fingerprint and password, fingerprint or password, and fingerprint only, can be applied to the logon process with the One Touch SignOn Logon Screen Setup Wizard. Following is a list of each authentication policy, with instructions for implementing it when setting up a logon screen with the wizard:
• Fingerprint and password. Choose Ask Always as the value of the password field on the Logon Fields page, and enable the Start Authentication Immediately and Lock Out logon fields options on the Logon Screen Templates Properties page. When a user accesses the logon screen, they are immediately presented with a fingerprint authentication screen and are unable to bypass it because the logon fields are locked out. Once they submit a registered fingerprint, they are prompted by One Touch SignOn to type their password.
• Fingerprint only. Enable the Start Authentication Immediately and Lock Out logon fields options on the Logon Screen Templates Properties page.
When a user accesses the logon screen, they are required to touch the reader with a registered finger and are unable to bypass fingerprint authentication until they do. Once they submit a registered fingerprint, they are logged on, assuming that the password value has already been specified in the template, or by the user the first time they logged on via the Ask-Reuse option on the Logon Fields page.
Password only is the default authentication policy for all password-protected Web sites and applications that do not use One Touch SignOn. A fingerprint or password policy applies to OTS-enabled logon screens that allow a user either to type their password manually or to touch the reader to provide it automatically.
GPO Settings
Settings in the One Touch SignOn GPO affect the way users can use templates for a password-protected Web site or program. Each GPO setting is described below. By default, all options are enabled, so review each one rather than assuming a restrictive default.
One Touch SignOn GPOs can be configured using the Group Policy Editor. The policy settings are found in the following path: User Configuration/Administrative Templates/DigitalPersona Pro
Note: If you are upgrading an existing installation of DigitalPersona Pro to include support for One Touch SignOn, you must add the DigitalPersona Pro ADM file again, as described in "Install the Administrative Templates" on page 40, to access the One Touch SignOn settings.
With the DigitalPersona Pro folder selected, double-click One Touch SignOn Configuration to access these GPO settings:
• Show clear text passwords. Enable this option to show password field values to the end user when they are prompted to provide a password. Consider disabling it where screens may be observed by others.
• Allow users to edit account data. When enabled, this option permits end users to change the values of logon screen fields through the Fingerprint Logon Manager.
• Allow users to add account data. Allows end users to add account data for Web sites and applications from their computers.
• Allow users to delete account data. Allows end users to remove account data from a template.
• Path to the container of templates. Specify the path to the container in the Container Path field to give DigitalPersona Pro Workstation users access to the templates it contains. The container path is determined when creating a new container, as described in "Create an OTS Container" on page 107. You can add multiple paths by separating them with the pipe (|) character.

Logging On with One Touch SignOn
After templates have been created and deployed, end users can launch a logon screen and touch the fingerprint reader with a registered finger to log on. If a Quick Link was defined in the template, users can select the Quick Link from the One Touch Menu to launch the Web site logon screen. Quick Links are displayed in the One Touch Menu only after the user has visited the site and used their fingerprint to log on.
Logon screens that have a template display a fingerprint logon icon in the upper left corner of the screen and a balloon informing the user that they can log on with a fingerprint. Depending on the template attributes, the logon process may vary. For example, the user can be logged on automatically by touching the reader, i.e. the fields are populated and submitted automatically. In other cases, the user is prompted to choose a set of account data or to provide logon field values.
If there are multiple accounts for the same logon screen, the user is prompted to select an account in the Select Account Data dialog box. The user must click the name of the account to use and click OK to log on.
When the user is prompted to type values for logon fields, the Enter Account Data dialog box is displayed. This dialog box appears when the template has required fields whose values are not yet specified. In the dialog box, the user can provide the appropriate values for the fields and click OK to log on.
Providing Logon Field Values
If the template contains logon field values that are provided by the end user, the Logon Field Values dialog box opens, listing each field that needs a value and allowing the user to enter them before logging on. The appearance of this dialog box depends on the Value attribute (such as Ask-Reuse, Ask-Confirm or Ask Always) of the fields in the template. If the Show Password Values in Fields option in the GPO is enabled or not configured, the user can click the "Show passwords during editing" button to display the password as they edit it. Otherwise, the characters in the password are replaced with bullets.
Choosing an Account
If a logon screen is set up for multiple accounts, the Select Account Data dialog box is displayed, prompting the user to select the set of account data they want to use. When the user has selected the set of account data, they click OK to log on.
Providing Multiple Credentials
Two-factor authentication, as well as other authentication policies, can be applied to logon screens; these may require the user to first provide a registered fingerprint and then a password, for example. Two-factor authentication and the implementation of authentication policies with One Touch SignOn are described in "Two-Factor Authentication and Other Policies" on page 139.
Changing Passwords with One Touch SignOn
Change password screens that have a template display a fingerprint logon icon in the upper left corner of the screen and a balloon informing the user to provide a fingerprint.
The user is asked to provide the old password, a new password and a confirmation of the new password. Depending on the template attributes, the change password process may vary. For example, the user can be allowed to choose a new password with or without constraints on the password complexity. In other cases, the new password is generated automatically by the system; in this case, the user must log on with a fingerprint.

User Query Tool
The DigitalPersona Pro User Query Tool is used to query the DigitalPersona Pro for Active Directory user database for information about DigitalPersona Pro users. It can provide information such as:
• Total users
• Total registered users
• Users registered between certain dates
• Number of fingerprints
and more.
The User Query Tool can be run as an interactive query, from the command line, or from within a script. It can be installed through the Custom option during installation of the Administration Tools.
Whether a query is run interactively, from the command line, or from within a script, the results of the query contain the following information:
• Total users
• Total registered users
• Found users
• Registered between [Begin Date] and [End Date]
• Number of fingerprints
• Application data
• Containers searched [configurable]
• Recursive [Yes|No]
For each user that matches the query, the following information is displayed:
• User full name (if available)
• User NT name
• User UPN name
• Number of fingerprints registered
• Date/time when the user record was created
• Date/time the user record was last updated
• Total number of secrets in the user record (if a specific secret was queried, reports Yes or No)
Query results are shown in the Results window, and can be copied to the clipboard from there. They may also be saved to a tab-delimited file.
Running an Interactive Query
To run an interactive query:
1 On the Start menu, point to All Programs, point to DigitalPersona Pro and click User Query Tool.
2 In the console, click the node that you want to query.
3 Select the parameters that you want to use for the query.
4 In order to capture the full detailed results of the query, you must enter a path and file name to save the results to. The results are saved as a tab-delimited file, which can then be imported into Microsoft Excel or another spreadsheet program. The saved file lists user names, UPNs and secret names, so store it with the same care as any other directory export.
5 Click the Run button. When the query finishes, a brief summary of the results is displayed in the lower portion of the window. The summary can be copied from the panel to the Windows clipboard by selecting the summary information and pressing CTRL-A, then CTRL-C.
Note: To add your own Secrets to the query, click the Add button and enter the name of the Secret.
Running from the Command Line
To run the User Query Tool from the command line:
1 On the Start menu, click Run to open the Run dialog.
2 Type your user query.
3 Click OK to run the query.
Example:
RunDll32.exe [Full Path]DPUserQuery.dll, CmdQuery /o "CN=Users;DC=mycompany;DC=com" /d1 "01/23/2006" /d2 "12/31/2006" /f1 2 /f2 3 /s /s LogonSystemInfo /r /f "C:\dpusers.log"
This query finds all users in the Users container of the mycompany.com domain (and, because of /r, in any nested containers) whose records were created or modified between January 23, 2006 and December 31, 2006, and who have registered at least 2 but no more than 3 fingerprints.
Additionally, it will display the number of secrets each of those users has, and whether or not they have the ‘LogonSystemInfo’ secret. Finally, it will write the results to the file ‘C:\dpusers.log’.

All parameters are optional except for /o. The available parameters for the user query are:

/o
  Required. CN=[common name];DC=[domain component]
  Example: /o "CN=Users;DC=mycompany;DC=com"

/d1
  Earliest creation or modification date to include in the query. Format: mm/dd/yyyy.
  Example: /d1 "01/23/2006"

/d2
  Latest creation or modification date to include in the query. Format: mm/dd/yyyy.
  Example: /d2 "12/31/2006"

/f1
  Minimum number of fingerprints. Value = 1-10
  Example: /f1 1

/f2
  Maximum number of fingerprints. Value = 1-10
  Example: /f2 2

/s
  Secrets - Display number of Secrets for each user. If followed by the name of a Secret, reports Yes or No indicating whether the Secret exists for the specified user.
  Examples: /s
            /s LogonSystemInfo
            /s "OTS Protected Storage"

/r
  If present, the query will be recursive, i.e. will query any nested containers.
  Example: /r

/f
  Enter the path and file name where you would like to store the results of the query. If omitted, results are sent to stdout.
  Example: /f "C:\dpusers.log"

@
  Specifies the name of a .cmd file where parameters for the query are stored. If used:
  • include the full path and filename.
  • specify the parameters exactly the same as you would on the command line, with no extra characters or lines.
  • do not include any other parameters on the command line.
  Example: @"c:\scripts\myquery.cmd"

/? or /h
  Displays command line help for the User Query Tool when used as the only parameter. Help will also be displayed if the tool is called with no parameters.
  Examples: RunDll32.exe DPSrvQuery.dll, CmdQuery /?
            RunDll32.exe DPSrvQuery.dll, CmdQuery /h
            RunDll32.exe DPSrvQuery.dll, CmdQuery

Note: Omitting the /d1, /d2, /f1 and /f2 parameters will report all users with registered fingerprints. Setting both /f1 and /f2 to 0 will return all users who have no registered fingerprints.

Script Use

The DigitalPersona Pro User Query Tool may be run from within a script. See the previous pages for a description of the syntax to use.

Example:
RunDll32.exe [Full Path]DPUserQuery.dll, CmdQuery /o "CN=Users;DC=mycompany;DC=com" /d1 "06/09/2006" /d2 "06/09/2006" /f1 2 /f2 3 /s LogonSystemInfo /s "OTS Protected Storage" /r /f "C:\dpusers.log"

To specify the query parameters in a text file
• Include the full path and filename.
• Specify parameters the same as on the command line, with no extra characters or lines.
• Do not include any other parameters on the command line.

Example:
RunDll32.exe [Full Path]DPSrvQuery.dll, CmdQuery @[path/filename].cmd

Cleanup Wizard

Although the Add/Remove Programs Control Panel uninstalls DigitalPersona Pro Server software, the user data (such as fingerprint credentials and secure application data) and global domain data remain in Active Directory. DigitalPersona provides the DigitalPersona Pro Cleanup Wizard to remove this data. However, if you are planning to reinstall DigitalPersona Pro Server, you may want to retain the user data.

Note: This wizard provides full cleanup of all DigitalPersona Pro data. For removal of individual user data, see “Deleting User Credentials using the ADSI Edit Tool” on page 94.

To run the DigitalPersona Pro Cleanup Wizard
1 Double-click DPCleanup.exe to launch the DigitalPersona Pro Cleanup Wizard. It is located on the Server installation CD, in the AD Clean Up folder inside the Administration Tools folder.
2 When the installer runs, you are prompted to choose the type of clean up you want to perform:
• Delete DigitalPersona Pro user data. This option removes all DigitalPersona Pro data associated with users on the domain, such as fingerprint credentials and secure application data. If you choose to delete DigitalPersona Pro user data, all users in the domain must register their fingerprints again.
• Full clean up. This option removes both DigitalPersona Pro data associated with users on the domain and global data. If you choose full clean up, you must reinstall all DigitalPersona Pro Servers on the domain and run the Active Directory Domain Configuration Wizard again.
3 When prompted to proceed with the removal of DigitalPersona Pro data, click Yes.
4 Choose a location and name for the log file generated during the data removal process.

The wizard will then remove the data from Active Directory; however, you must manually remove any DigitalPersona Pro Group Policy Objects.

Warning: Data changes take time to propagate in Active Directory. Do not configure a domain for DigitalPersona Pro Server or reinstall Server software until all changes made by the removal of domain global data are replicated throughout the domain.

Running the DigitalPersona Pro Clean Up Wizard will render all Pro Servers on the domain inoperable. To restore the Pro Server functionality after performing a full cleanup, run the Active Directory Domain Configuration Wizard again, as described in “Configure each domain” on page 38, and then reinstall Pro Server.

10 DigitalPersona Pro Events

DigitalPersona Pro for AD writes all authentication and user record modification events to the Windows Event Log with a date and time stamp.
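The Event Viewer procedures and the event tables in this chapter filter on the event source “DigitalPersona Pro audit” and list, among other events, “Match one-to-one failed” and “Account locked out”. As an added example (not code from the guide or from DigitalPersona), the Python below applies the same source filter to a text export of the log and summarizes failures per user, flagging anyone with repeated one-to-one match failures in a short window or a lockout. It assumes the export is tab-delimited with the columns Date, Time, Type, User, Computer, Source, Category, Event, Description, that the Description begins with the event name as written in the tables, and it uses placeholder event ID numbers; the sample export is constructed.

```python
"""Triage a tab-delimited Event Viewer export for DigitalPersona Pro audit events.

Added example (not DigitalPersona code). Assumptions: column order as in
COLUMNS, the Description field carries the event name used in the guide's
tables, and the timestamp format in parse_export. Event ID numbers in the
sample are placeholders; the guide does not list IDs.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

AUDIT_SOURCE = "DigitalPersona Pro audit"   # the source the guide filters on
COLUMNS = ["Date", "Time", "Type", "User", "Computer",
           "Source", "Category", "Event", "Description"]
TS_FMT = "%m/%d/%Y %H:%M:%S"                # assumed export timestamp format

# Constructed sample export (not a real log). One unrelated Service Control
# Manager line is included to show the source filter discarding it.
SAMPLE_EXPORT = "\n".join([
    "3/2/2006\t08:01:10\tFailure Audit\tMYCOMPANY\\bob\tWKS01\tDigitalPersona Pro audit\tLogon\t1001\tMatch one-to-one failed",
    "3/2/2006\t08:01:25\tFailure Audit\tMYCOMPANY\\bob\tWKS01\tDigitalPersona Pro audit\tLogon\t1001\tMatch one-to-one failed",
    "3/2/2006\t08:01:40\tFailure Audit\tMYCOMPANY\\bob\tWKS01\tDigitalPersona Pro audit\tLogon\t1001\tMatch one-to-one failed",
    "3/2/2006\t08:01:41\tFailure Audit\tMYCOMPANY\\bob\tWKS01\tDigitalPersona Pro audit\tLogon\t1003\tAccount locked out",
    "3/2/2006\t08:05:00\tSuccess Audit\tMYCOMPANY\\alice\tWKS02\tDigitalPersona Pro audit\tLogon\t1000\tLogon",
    "3/2/2006\t08:06:00\tInformation\tN/A\tWKS02\tService Control Manager\tNone\t7036\tThe Print Spooler service entered the running state.",
    "3/2/2006\t09:30:00\tSuccess Audit\tMYCOMPANY\\carol\tSRV01\tDigitalPersona Pro audit\tUser Management\t2001\tPassword randomized",
    "3/3/2006\t07:00:00\tFailure Audit\tMYCOMPANY\\alice\tWKS02\tDigitalPersona Pro audit\tLogon\t1001\tMatch one-to-one failed",
])


def parse_export(text):
    """Return the DigitalPersona Pro audit events from an export, oldest first.

    Rows from any other source are dropped, which is the same selection the
    guide makes with the Event Viewer filter.
    """
    reader = csv.DictReader(io.StringIO(text), fieldnames=COLUMNS, delimiter="\t")
    events = []
    for row in reader:
        if row["Source"] != AUDIT_SOURCE:
            continue
        when = datetime.strptime(row["Date"] + " " + row["Time"], TS_FMT)
        events.append({"when": when, "type": row["Type"], "user": row["User"],
                       "computer": row["Computer"], "name": row["Description"]})
    events.sort(key=lambda e: e["when"])
    return events


def failures_per_user(events):
    """Count of Failure Audit events per user."""
    counts = defaultdict(int)
    for e in events:
        if e["type"] == "Failure Audit":
            counts[e["user"]] += 1
    return dict(counts)


def repeated_match_failures(events, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` one-to-one match failures inside any `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["name"] == "Match one-to-one failed":
            by_user[e["user"]].append(e["when"])
    flagged = []
    for user, times in by_user.items():
        times.sort()
        # sliding window over the sorted timestamps
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(user)
                break
    return sorted(flagged)


def lockouts(events):
    """(user, computer) pairs for every 'Account locked out' event."""
    return [(e["user"], e["computer"]) for e in events if e["name"] == "Account locked out"]


if __name__ == "__main__":
    audit = parse_export(SAMPLE_EXPORT)
    print("failures per user:", failures_per_user(audit))
    print("repeated match failures:", repeated_match_failures(audit))
    print("lockouts:", lockouts(audit))
```

The threshold and window are tuning knobs; in practice they should be set from the lockout policy applied to the workstations, so that the script flags the same condition the product itself reports with its “Account locked out” event.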
You can view when users have attempted to access networked computers, password-protected applications and Web sites using Pro authentication, as well as whether the attempt succeeded or failed. For a list of events and the logs that the events are stored in, see “Event Log Specifications” on page 153.

Auditing Using the Windows Event Viewer

Administrators can view, filter, sort, and export all log events from the Event Viewer. This aids administrators in securing data and networks for meeting compliance requirements for Sarbanes-Oxley, Gramm-Leach-Bliley, and HIPAA.

Filtering DigitalPersona Pro Events in Event Viewer

You can specify a filter that limits the type of information the Event Viewer displays to only DigitalPersona Pro events.

To filter DigitalPersona Pro events in the Event Viewer
1 To launch the Event Viewer, click Start, point to Programs, point to Administrative Tools and then click Event Viewer.
2 In the console tree, right-click the log containing the specific DigitalPersona Pro events you want to view and then click Properties.
3 Click the Filter tab.
4 Use the Filter tab to specify the criteria, such as the event ID or category, that you want to filter on. Use “DigitalPersona Pro audit” as the event source.
5 Click OK to display the DigitalPersona Pro events matching the criteria you specified in the Event Viewer.

Finding DigitalPersona Pro Events with Event Viewer

You can use the Event Viewer to search for DigitalPersona Pro events. This may be useful when you are viewing large logs.

To find a specific DigitalPersona Pro event
1 Click Start, point to Programs, point to Administrative Tools and then click Event Viewer to launch it.
2 On the View menu, click Find.
3 Type the search criteria (specifying “DigitalPersona Pro Audit” as the event source) in the dialog box and click Find Next.
The events matching the search criteria you specified are displayed in the Event Viewer.
4 Click Close when you are finished.

Event Log Specifications

There are several categories of DigitalPersona Pro events, which are logged in the Windows Event Log.
• Computer Environment
• General Secret Management
• Fingerprint/Credentials Management
• User Management
• Logon/Lock
• DNS Registration

The following tables give the Event name, type, error level, and whether the event is logged on the Server (Srv), Workstation (Wks), Kiosk or some combination of the three. The legend below applies to every table.

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details

Computer Environment

The following events relate to the general computer environment.

Event                           Type  Srv  Wks
Reader connected                I     -    Dbg
Reader disconnected             I     -    Dbg
DPHost started                  I     Dt   Dt
DPHost stopped                  I     Dt   Dt
DPHost cannot start             F     E    E
Connection to server succeeded  S     -    Dt
Connection to server failed     W     -    Dt
Server busy                     E     E    E

General Secret Management

The following events may be generated during the management of secrets.

Event                                           Type  Srv  Wks
Add secret (Success)                            S     A    A
Add secret (Failure)                            F     A    A
Delete secret (Success)                         S     A    A
Delete secret (Failure)                         F     A    A
Replace secret (Success)                        S     A    A
Replace secret (Failure)                        F     A    A
Secret content released (Logon & OTS secrets)   S     A    A
Secret consistency check failed                 E     A    A
Secret signature check failed                   E     A    A

Fingerprint/Credentials Management

The following events may be generated during fingerprint/credentials management.
Event                              Type  Srv  Wks
Register fingerprint (Success)     S     A    A
Register fingerprint (Failure)     F     A    A
Delete fingerprint(s) (Success)    S     Dt   Dt
Delete fingerprint(s) (Failure)    F     Dt   Dt
Replace fingerprint(s) (Failure)   F     A    A
Delete All fingerprints (Success)  S     Dt   Dt
Delete All fingerprints (Failure)  F     Dt   Dt

Fingerprint/Credentials Management

The following events may be generated during the fingerprint credentials management process.

Event                     Type  Srv  Wks
Match one-to-one failed   F     A    A
Match one-to-many failed  F     -    A
Account locked out        F     Dt   Dt
DPHost stopped            I     -    -

User Management

The following events may be logged during the management of users.

Event                                 Type  Srv  Wks
Add user record (Success)             S     Dt   Dt
Add user record (Failure)             F     A    A
Delete user record (Success)          S     Dbg  Dbg
Delete user record (Failure)          F     Dbg  Dbg
Change account ctrl flags (Success)   F     Dt   Dt
Change account ctrl flags (Failure)   F     Dt   Dt
Unlock user account                   S     Dt   Dt
Password randomized                   S     Dt   -
User record consistency check failed  E     A    A
User record signature check failed    E     A    A

Logon/Lock

The following events are logged during the logon, lock and unlock processes.
Event                   Type  Srv  Wks
Logon                   S     -    A
Kiosk Logon             S     -    A
Logoff                  S     -    Dt
Kiosk Logoff            S     -    Dt
Lock                    S     -    Dt
Kiosk Lock              S     -    Dt
Unlock                  S     -    A
Kiosk Unlock            S     -    A
Registered PIN          S     -    Dt
Change PIN              S     -    Dt
FP used to unlock SC    S     -    Dt
Shared account problem  E     -    E
Shared account missing  E     -    E

DNS Registration

DNS Registration events are logged when the Pro Server software fails to register or remove DigitalPersona Pro registration records from the Active Directory DNS server.

Event                      Type  Srv  Wks
DNS update disabled        W     A    -
DNS registration failed    E     E    -
DNS unregistration failed  E     E    -

Kiosk Core Events

Kiosk Core Events are logged when Identification Lists are created or deleted.

Event                  Type  Srv  Kiosk
Kiosk ID List created  S,F   A    Dt
Kiosk ID List deleted  S,F   A    Dt

Kiosk User Management Events

Kiosk User Events are logged when a user record is created, updated or deleted.

Event                                 Type  Srv  Kiosk
User added to kiosk ID List           S,F   A    Dt
User deleted from kiosk ID List       S,F   A    Dt
User pushed out of the kiosk ID List  S     A    Dt

Kiosk User Authentication Events

Kiosk User Authentication Events are logged when DigitalPersona Pro Kiosk software requests secure application data for a particular user.
Event                                         Type  Srv  Kiosk
Kiosk Account logon failed                    F     A    Dt
The kiosk account is not configured properly  S,F   A    Dt

Part Four: Clients

Part Four of the DigitalPersona Pro for AD Administrator Guide includes the following chapters:

Chapter 11 - DigitalPersona Pro Workstation (page 160)
  Provides full instructions on the use of DigitalPersona Pro Workstation software, including information for administrators.
Chapter 12 - DigitalPersona Pro Kiosk (page 192)
  Provides full instructions on the use of DigitalPersona Pro Kiosk software, including information for administrators.

11 DigitalPersona Pro Workstation

DigitalPersona Pro Workstation provides several features that incorporate biometric authentication for secured sign-on to Windows, applications and Web sites, as well as locking/unlocking the computer. This chapter describes the features of DigitalPersona Pro Workstation, and the procedures for performing common tasks on the Workstation, through the following topics:
• Features Overview on page 161
• One Touch Menu on page 163
• Reader Icon and Menu on page 165
• Fingerprint Reader Visual Cues on page 167
• Fingerprint Registration on page 169
• One Touch Logon on page 172
• One Touch Features on page 179
• One Touch Internet on page 180
• Managing Fingerprint Logons on page 184
• DigitalPersona Pro Workstation Properties on page 186
• Deleting Registered Fingerprints on page 188
• Changing Your Windows Password on page 189
• Fingerprint Reader Usage and Maintenance on page 190

Features Overview

DigitalPersona Pro Workstation includes the following features.
The availability of particular features, and the behavior of some features, can be configured by the administrator. This topic provides a brief description of each feature, in the same order as they are introduced in the rest of the chapter.

One Touch Menu

The One Touch Menu provides convenient one touch access to many of the features of the DigitalPersona Pro Workstation. The administrator can control which features are listed on the menu by modifying the registry keys for the One Touch Menu, exporting the new settings in a .reg file and importing those settings on the target machines (see “One Touch Menu Content” on page 233).

Reader Icon and Menu

The Reader Icon, displayed in the taskbar notification area, indicates whether or not a fingerprint reader is connected, and provides single-click access to many of the features of DigitalPersona Pro Workstation.

Fingerprint Reader Visual Cues

During the processes of Fingerprint Registration and Authentication (explained below), an attached or embedded fingerprint reader is used to scan the user’s fingerprints. Visual cues let the user know the status of the reader, the result of fingerprint scans, and the success or failure of authentication.

Fingerprint Registration

In order to access the main features of DigitalPersona Pro Workstation, the end user must first register their fingerprints. Templates of their registered fingerprints are used in the authentication process that provides the convenience and security of One Touch Logon, One Touch Internet and One Touch Lock/Unlock.

One Touch Logon

One Touch Logon provides the ability to log on to a Windows account by simply touching a fingerprint reader.

One Touch Unlock

One Touch Unlock provides the ability to lock or unlock your computer by touching a fingerprint reader.
One Touch Internet

One Touch Internet allows the end user to create Fingerprint Logons that can be used to log on to Web sites by touching a fingerprint reader.

DigitalPersona Pro Workstation Properties

Certain behaviors of DigitalPersona Pro Workstation can be configured by the end user through the Workstation Properties dialog.

Changing Your Windows Password

This topic provides instructions for changing your Windows password. The procedure for changing your Windows password is slightly different after DigitalPersona Pro is installed.

Managing Registered Fingerprints

This topic provides instructions for editing and deleting your registered fingerprints.

Fingerprint Reader Usage and Maintenance

This topic provides instructions on the use and care of the fingerprint reader.

One Touch Menu

The One Touch Menu provides fast and convenient access to the One Touch applications, settings and help. To enable and configure the One Touch Menu, refer to “Quick Actions” on page 186. To display the One Touch Menu, place a registered finger on the reader.

[Figure: the One Touch Menu, with callouts: Create fingerprint logons for Web sites and programs; Quick access to Web sites that are fingerprint-enabled; Launch Online Help for Pro Workstation; Configure Pro Workstation properties]

The One Touch Menu provides the following commands:

Create Fingerprint Logon

The Create Fingerprint Logon menu item launches the Fingerprint Logon Wizard, which guides the user through the process of setting up their personal Web site logon screens, as described in “One Touch Internet” on page 180. This item appears on the One Touch Menu if One Touch Internet is installed.

Quick Links

Point to Quick Links to display the One Touch SignOn and One Touch Internet Quick Links for Web sites. Click a Quick Link to launch the associated password-protected Web site. The appropriate account data will also be submitted.
For more information on One Touch SignOn and creating templates for programs and Web sites, refer to “One Touch SignOn Administration Tool” on page 104.

Help

Clicking Help launches the Online Help file for DigitalPersona Pro Workstation for Active Directory. It contains step-by-step instructions for using various product features, including use of the One Touch applications.

Properties

Click Properties to configure DigitalPersona Pro on the Workstation, as described in “DigitalPersona Pro Workstation Properties” on page 186.

Reader Icon and Menu

When DigitalPersona Pro Workstation is installed on a workstation, a reader icon is placed in the taskbar notification area. It displays the connectivity status of the reader and provides convenient access to various functions.
• When the reader is connected and the driver is installed, the reader icon appears.
• If the reader is not connected, a red X is displayed over the reader icon.

[Figure: the two reader icons; one indicates the reader is connected and the driver is installed, the other indicates the reader is disconnected or the driver is not installed]

The reader icon also provides a shortcut menu containing the features described below:

Lock Computer

Lock Computer immediately locks your computer so that others cannot use it. The procedure for unlocking the computer will depend on the logon policy applied to the computer. You can also double-click the reader icon to lock your computer.

Fingerprint Registration

Launches the Fingerprint Registration Wizard, which guides you through the process of registering your fingerprints. (See page 161.)
Fingerprint Logon Manager

Opens the Fingerprint Logon Manager, described on page 184.

Properties

Click Properties to configure DigitalPersona Pro on your computer, as described in “DigitalPersona Pro Workstation Properties” on page 186.

Help

Clicking Help launches the Online Help for DigitalPersona Pro Workstation.

About

Click About to get the version number for DigitalPersona Pro Workstation.

Hide Icon

To hide the reader icon, click Hide Icon. To display the icon again, use the DigitalPersona Pro Properties dialog box, as described in “Show Fingerprint Reader Icon on Taskbar” on page 187.

Fingerprint Reader Visual Cues

DigitalPersona Pro Workstation provides several visual cues related to the process of scanning your fingerprints.

Fingerprint Prompt Feedback

Pro Workstation displays a stylized fingerprint to prompt the user to place their finger on the fingerprint reader. If the reader is connected, but not yet available for use, an hourglass is shown on top of the fingerprint. When the hourglass disappears, you may place a registered finger on the reader.

Fingerprint Scan Acquisition Feedback

When your fingerprint has been scanned, the fingerprint image has a darker background. You can also specify that a sound plays, and/or disable display of the feedback icons. See “Enable Sound Feedback” on page 187 and “Enable Visual Feedback” on page 187.

Fingerprint Recognition Feedback

Pro Workstation uses these images to indicate whether the scanned fingerprint is recognized as a registered fingerprint. If the fingerprint scan is recognized, it displays a checkmark over the fingerprint image. If the fingerprint scan is not recognized, it displays a question mark over the fingerprint image.
If the account is locked out or fingerprint authentication is not allowed, a circle with a diagonal line through it is placed over the fingerprint image.

Reader Not Found Feedback

An image that consists of a reader with a red X over it displays on the logon screen, desktop and notification area on the taskbar if a reader is not connected or installed.

[Figure: the reader-not-found icon as shown in the logon screen and in the notification area]

The fingerprint reader may not be available due to the following reasons:
• The fingerprint reader is not connected.
• The fingerprint reader driver is either not installed or requires updating.

Swipe Readers

The user experience is the same with either the DigitalPersona U.are.U Fingerprint Reader or supported swipe readers embedded in many popular notebooks. The user may register their fingerprints with either the DigitalPersona U.are.U Fingerprint Reader or the embedded swipe reader.

Note: You may only use one fingerprint reader during the fingerprint registration process. If you use the DigitalPersona Fingerprint Reader, then switch to a swipe reader, or vice versa, the registration process will fail.

Fingerprint Registration

The Fingerprint Registration Wizard guides the end user through the process of registering their fingerprints. If you are not permitted to register fingerprints, it may be because of settings implemented by your administrator.
• If you have not registered fingerprints yet, and One Touch Logon is installed, the Fingerprint Registration Wizard launches automatically after logging on.
• On Windows Vista, click the balloon that displays near the notification area to register your fingerprints, or click the Fingerprint Reader icon and select Fingerprint Registration to launch the Fingerprint Registration Wizard. You should register your fingerprints the first time that the Fingerprint Registration Wizard displays because your administrator may have implemented logon settings that require you to provide a fingerprint the next time you log on.
• You must have a Windows user account and be logged on to that account to register your fingerprints.
• In order to successfully register one fingerprint, that fingerprint must be scanned four times by the fingerprint reader. “Fingerprint Reader Usage and Maintenance” on page 190 contains guidelines on how to correctly place the finger on the fingerprint reader.

Note: When using Attended Fingerprint Registration (see page 102), the Fingerprint Registration Wizard is disabled.

To register fingerprints using the Fingerprint Registration Wizard
1 Launch the Fingerprint Registration Wizard by clicking the reader icon in the notification area, and selecting Fingerprint Registration.
2 Click Next. If the Fingerprint Registration Wizard cannot locate a DigitalPersona Pro Server, your registered fingerprints will be saved on this computer instead of in Active Directory. You are prompted to confirm that you want to save your fingerprints locally only. This prevents you from using your registered fingerprints from another computer. Click Yes to confirm, or click No, troubleshoot to determine why a DigitalPersona Pro Server was not found, and rerun the wizard when the problem is resolved.
If the licensed number of users has been exceeded, you will receive an error message and cannot register your fingerprints. Contact your administrator for guidance.
3 When prompted, verify your identity, either by typing your Windows password if you do not have any registered fingerprints yet, or by touching the reader with any registered finger. If you have more than one fingerprint reader attached to your computer, you will be prompted to select one of them to use for fingerprint registration.
4 An outline of two hands is displayed. Fingers that are already registered are highlighted in green. Click the finger you want to register on the outline.

Note: Clicking a green highlighted finger deletes the associated registered fingerprint.

[Figure: the finger-selection page of the wizard; the title bar indicates local or server storage of fingerprint credentials, and fingers highlighted in green are already registered]

5 When you have selected a finger to register, you are prompted to place that finger on the reader four times. The Fingerprint Registration Wizard provides feedback indicating the quality of each fingerprint scan. If the fingerprint scan is not of an acceptable quality, you are prompted to touch the reader again. When you have provided four good fingerprint scans, the fingerprint is successfully registered and is highlighted in green on the outline.

[Figure: scan feedback images, one for a successful fingerprint scan and one for an unsuccessful fingerprint scan]

6 Click Next or select another finger to register by clicking a finger that is not highlighted on the outline. The number of fingers you are allowed to register is determined by the value of the Maximum Number of Fingers setting, as described on page 81. If the settings allow, it is recommended that you register two fingers, preferably the index finger of both hands. Registering two or more fingers ensures that in the event you cannot use one registered finger, you can use the other.
7 If you only registered one fingerprint, you may be prompted to register another.
Click Yes to register another fingerprint or click No to close the prompt.
8 Click Finish to exit the wizard and save your changes. Your registered fingerprint can now be used to log on to your Windows account as well as programs and Web sites that have been set up for fingerprint logon.

One Touch Logon

One Touch Logon provides the ability for the user to log on to their Windows account by simply touching a supported fingerprint reader. If the One Touch Logon feature has been enabled:
• Under most versions of Windows, One Touch Logon modifies the standard Windows logon dialog box, prompting you for your credentials according to the logon settings implemented by your administrator. For example, you may need to provide both a smart card and a fingerprint to log on. One Touch Logon guides you through providing the required credentials so that you can log on to Windows.
• In Windows Vista, the logon dialog has been replaced with the Welcome screen, where One Touch Logon adds an additional tile with the title Place finger to log on to the screen.

If the One Touch Logon feature has not been enabled, the user’s logon procedure will not change. However, they will still need to register their fingerprints in order to use other DigitalPersona Pro features. See “Fingerprint Registration” on page 169.

Before a user can use One Touch Logon, they must first log on as usual and register their fingerprints.

Logging on to Windows

One Touch Logon supports logging on to Windows user accounts by using any registered fingerprint, a fingerprint and a PIN (Personal Identification Number), a fingerprint and the Windows password, or a smart card.
One Touch Logon prompts users for their credentials according to the logon policy, cached credentials, and identification list settings implemented by the administrator.

Logon Policy

One Touch Logon first uses the logon policy applied to the computer through the Workstation Administrative Template (as described in “Multi-credential Logon to Windows” on page 85) to determine which credentials are needed to log on.
• If a logon policy requires a registered fingerprint, One Touch Logon will prompt the user to place a registered finger on the reader. The user can place a registered finger on the reader or press Ctrl+Alt+Delete.
• If required, they are also prompted for their Windows logon password. If cached credentials and identification list settings permit, the user name and domain may be automatically provided, requiring the user to provide only a password.
• When a Password is not allowed for logon setting is applied to the computer, then the user is only prompted for a registered fingerprint.
• A password only policy prompts the user for their standard logon credentials.
• If either a fingerprint or password is required, the user is prompted for a registered fingerprint. They can press Ctrl+Alt+Delete and enter their password; however, if the user provides a registered fingerprint, they are not prompted for their password and are logged on.

Cached Credentials and the Identification List

On the Welcome screen, if cached credentials and the identification list are enabled, One Touch Logon identifies the user through the identification list.
• If the credentials are cached and the user is on the identification list, they are immediately logged on if the policy requires a fingerprint only or either a fingerprint or password.
If required, they are also prompted for a password before logging on; the user name and domain are automatically provided for them.
• If the credentials are cached, but the user is not on the identification list, they are prompted to press Ctrl+Alt+Delete and provide their user name and domain before they can log on, regardless of the logon policy.
• If the user is still not identified, they may attempt to use their registered fingerprint two more times before they are advised to log on by typing their account information manually.

The Identification List
Each Workstation has an identification list which contains an administrator-specified number of user accounts. It is used in conjunction with cached credentials to identify a user by their fingerprint and, as an added convenience, frees them from typing their user name and domain at Windows logon.
Users are added to the identification list in the order they log on. The most recent user to log on is added to the top of the list. If the list has exceeded its capacity, the least recent user to log on is removed from the list when another user logs on. If a user is already on the list and logs on again, they are moved from their original position on the list and placed on top. Once removed, a user cannot be automatically identified, and must type their user name and domain at Windows logon.
If DigitalPersona Pro is deployed in a networked environment with Pro Server support, it performs identification locally out of the set of users in the identification list and then, for added security, confirms the user identity using the DigitalPersona Pro Server.
The number of users stored in the identification list is determined by the value of the “Maximum Size of Identification List” GPO setting, as described on page 84.
Cached Credentials
DigitalPersona Pro user data can be cached on any computer where a user logs on. The cached user data is used for local authentication when a DigitalPersona Pro Server is unavailable. Refer to “Cache Domain User Data on Local Computer” on page 83.
For example, if a user wants to log on to a domain and the computer is either disconnected from the network or the network is down, then the authentication can be performed locally using the cached credentials.
All DigitalPersona Pro cached credentials are encrypted for security and privacy with the local key of the DigitalPersona Pro Workstation.

Fast User Switching
Fast User Switching is a feature in Windows that allows you to switch to a different computer user account without closing programs and files first. With One Touch Logon, you can use your fingerprint to switch to your Windows account on a computer with multiple users. Domain users can also use their registered fingerprint to switch to their account if they have recently used the computer and are on the identification list.

Using Fingerprint PINs
Administrative Template settings may be used to provide an additional level of security by requiring that users type a short sequence of characters, known as a fingerprint PIN, each time they use a fingerprint to log on, unlock the computer, or change their Windows password.
Users must register a fingerprint before they can register a fingerprint PIN. If logon settings require a fingerprint PIN, they will be prompted to register a fingerprint PIN the first time they log on using a registered fingerprint.
Fingerprint PINs are only used with fingerprints to log on, unlock the computer, or change the Windows password.
They are not used for fingerprint logons to Web sites and programs or to unlock smart cards.

Registering Fingerprint PINs
When you create a fingerprint PIN, you can choose any sequence of four to eight numbers or letters. Make sure that you remember this code, or you may not be able to log on.
The Register Fingerprint PIN dialog box displays automatically after you log on to Windows using a fingerprint if your logon settings require you to provide a fingerprint PIN in addition to a fingerprint. You must register a fingerprint PIN when the Register Fingerprint PIN dialog box displays. If you click Cancel, you will be prevented from logging in with a fingerprint.
To register a fingerprint PIN
1 In the New fingerprint PIN text box, type from 4 to 8 characters and then type it again in the Confirm fingerprint PIN text box.
2 Click OK to save the fingerprint PIN.
3 After you register your fingerprint PIN, you can change your fingerprint PIN at any time.

Using Fingerprint PINs
After you register a fingerprint PIN, you will be prompted to type the fingerprint PIN each time you use a fingerprint to log on, unlock the computer, or change the Windows password. The Verify Fingerprint PIN dialog box displays each time the fingerprint PIN is required.
To use a fingerprint PIN:
1 When the Verify Fingerprint PIN dialog box displays, type your fingerprint PIN and click OK.
The fingerprint PIN is not required when you use fingerprint logons to Web sites or programs, or when you unlock a smart card with a fingerprint.

Changing Fingerprint PINs
You can change your fingerprint PIN at any time during your Windows session. You must type the current PIN and then type a new code of four to eight characters.
To change a fingerprint PIN
1 Press Ctrl+Alt+Delete.
2 Click the Manage Fingerprints button and then select Change Fingerprint PIN from the drop-down box.
In Windows Vista, click Change a password, then select Change fingerprint PIN.
3 On the Change Fingerprint PIN dialog box, type your current fingerprint PIN in the Old Fingerprint PIN text box.
4 Type a new fingerprint PIN in the New Fingerprint PIN text box and then type it again in the Confirm New Fingerprint PIN text box.
5 Touch the reader with a registered fingerprint for verification. A green check mark displays on the reader icon in the dialog box when the fingerprint is successfully verified.
6 Click OK to change your current fingerprint PIN to the new one you specified.

Using Smart Cards for Logon
If the user has a smart card reader connected to their computer, the Welcome screen includes instructions for using the smart card. If the user is required to log on with a smart card, they must insert the smart card into the smart card reader first, before providing any other credentials, such as a fingerprint. Settings cannot require the user to provide both a smart card and a password for logon.
Smart card users are required to type a user PIN (Personal Identification Number) to access the smart card. This PIN is provided with the smart card package, and is not the same as the fingerprint PIN discussed in the previous topic.
To use a smart card to log on
1 Insert the smart card into the smart card reader first, even if you must provide a fingerprint as one of your credentials. The PIN dialog box displays, requesting the PIN to access the smart card.
2 Type the user PIN for the smart card and click OK. If the logon settings allow it, you can touch the fingerprint reader with a registered finger instead of typing the PIN for the smart card.

User Account Control
On Windows Vista, you can also use your fingerprint to give your permission to proceed whenever you are presented with a User Account Control dialog box.
One Touch Features
In addition to One Touch Logon and One Touch SignOn, DigitalPersona Pro Workstation includes One Touch Unlock and One Touch Internet.

One Touch Unlock
To lock your computer, double-click the fingerprint reader icon or click Lock Computer on the fingerprint reader icon context menu. The reader icon is located in the notification area on the taskbar.
• On most versions of Windows, when your computer becomes locked, One Touch Unlock replaces the standard Windows Computer Locked dialog box. One Touch Unlock guides you through providing the required credentials to unlock your computer. The required credentials depend on the logon settings implemented by your administrator. You can also press Ctrl+Alt+Delete to type your account information and provide the required credentials.
• On Windows Vista, the Locked screen is displayed. Press Ctrl+Alt+Delete to display the Computer Locked screen and click the fingerprint icon to unlock the computer, or press Ctrl+Alt+Delete to type your account information and provide the required credentials.
Note: This feature is only available if One Touch Logon is installed.

One Touch Internet
One Touch Internet (OTI) provides end users with the ability to create fingerprint logons to password-protected programs and Web sites for their personal use. In creating a fingerprint logon, you provide your logon data to OTI once, and then on subsequent logons you just launch the Web site and touch the reader with a registered finger. OTI automatically enters your user name and password in the logon screen text boxes. It can also be configured to submit your credentials for you by clicking the Submit button, or another equivalent button.
Fingerprint logons can also be created with the One Touch SignOn Administration Tool and deployed to DigitalPersona Pro Workstations through Active Directory or other means. See “One Touch SignOn Administration Tool” on page 104 for details on the One Touch SignOn Administration Tool.
The differences between One Touch Internet and One Touch SignOn are:
• OTI allows end users to easily create their own fingerprint logons to Web sites and programs.
• OTS is an administrator tool for creating and deploying templates that provide fingerprint logons to end users for one touch access to programs and Web sites. It also provides more advanced options for manually creating fingerprint logons to non-standard application logon screens, Web sites and Password Change screens.
If fingerprint logons created by both OTI and OTS exist on the same computer for the same logon screen, the OTS fingerprint logon will be used.
Internet Explorer and MSN Explorer users can access fingerprint-enabled Web accounts from the One Touch Menu. Just touch the reader to display the menu, point to Quick Links and then click the fingerprint logon for the Web site you want to access. The browser that was used in setting up the fingerprint logon will be launched automatically and your logon data will be submitted for you.

Logging On to Web Sites and Programs
You can log on to a fingerprint-enabled logon screen by doing one of the following:
• Type the URL in a Web browser or launch the program that contains the logon screen for which you have created a fingerprint logon. The logon screen will display a fingerprint logon icon in the upper left corner of the screen, indicating that you can touch the reader with any registered finger to log on to the specific Web site or program.
Note: If you created more than one account for the Web site or program, you are prompted to choose the account data you want to use to log on.
• If you have a Quick Link for a Web site, point to Quick Links on the One Touch Menu, and then click the fingerprint logon title that corresponds to the Web site you want to access. If you configured the fingerprint logon to submit your account information automatically, you are immediately logged on.
• If required fields were left blank in the account data when the fingerprint logon was created, the Enter Account Data dialog box displays. Type the required data in the fields and click OK to log on.

Creating Fingerprint Logons
Creating a fingerprint logon requires you to enter your account data with DigitalPersona Pro once. Then, on subsequent logons, you only need to browse to the Web site, or launch the program, and touch the reader with any registered finger. DigitalPersona Pro automatically enters your user name and password and any other necessary account data in the appropriate logon screen text boxes and, if configured, submits your account data.
Your administrator may have already created fingerprint logons for you. If so, you should use the fingerprint logons from your administrator instead of creating your own.
To create a fingerprint logon for a Web site or program
1 Open the logon screen of the Web site or program.
2 Touch the reader with any registered finger and click Create Fingerprint Logon on the One Touch Menu.
Note: If Create Fingerprint Logon is not on the One Touch Menu, the administrator has not installed this feature on your computer.
3 The title of the logon screen displays on the Create Fingerprint Logon dialog box. Click Continue.
4 In the Logon Title text box, the title of the Web site uniquely identifies the logon screen in the Fingerprint Logon Manager and the Quick Links submenu on the One Touch Menu. You can type a different title in the text box.
5 Check Display in Quick Link list to add the fingerprint logon to the Quick Links submenu on the One Touch Menu.
Note: Quick Links are for Web sites only and not for programs.
6 DigitalPersona Pro determines the logon fields and displays them in the Logon Information area. Type the appropriate account data in the corresponding text box for each field required for logon. For example, in the Password text box, you would type the password you use to access the Web site or program. If a field required for logon is not displayed in the Logon Information area, click Choose Fields to select the additional fields.
Note: As you point to each logon field in the Logon Information area, the corresponding field on the logon screen, such as a text box or drop-down menu, is highlighted.
7 Select the button from the logon screen that is used to submit the account data. DigitalPersona Pro may recognize multiple buttons on some Web sites or programs. You may choose to submit your account data yourself each time you log on to the Web site or program by selecting Do Not Submit.
8 Click OK to create the fingerprint logon.
On subsequent visits to the Web site or program the fingerprint logon icon displays, indicating that touching the reader with any registered finger will log you on to the Web site or program. You may add more than one account for a Web site or program.

Managing Fingerprint Logons
You can add, change or remove fingerprint logons for Web sites and programs using the Fingerprint Logon Manager.
To access it, click the fingerprint reader icon and select Fingerprint Logon Manager from the shortcut menu.
Note: When you want to make changes to a fingerprint logon for a Web site, do not use a Quick Link to browse to the Web site logon screen if the fingerprint logon is set up to automatically submit your logon information. Instead, browse to the Web site manually and click the white arrow on the fingerprint logon icon, then select Fingerprint Logon Manager from the shortcut menu.
If a fingerprint logon was created by your administrator, you are only allowed to add and delete account data. You cannot delete the fingerprint logon.
The following describes the Fingerprint Logon Manager functions:
• Add Logon. To add a new fingerprint logon, display the logon screen for the Web site or program and then click Add Logon.
• Remove Logon. To remove a fingerprint logon, select the fingerprint logon and click Remove Logon.
• Edit. To modify the account data entered by a fingerprint logon, select the account and then click Edit. On the Edit Account dialog box, edit your existing account data in the appropriate text boxes and click OK. You can also change the fingerprint logon title and Quick Link settings.
• Add. To add additional account data to the fingerprint logon for a Web site or program, click the Add button. This will launch the Add New Account dialog box. Specify the additional account data for the logon screen as described in Creating a Fingerprint Logon. When logging on to a Web site or program that has more than one set of account data, you will be prompted to choose the account data you want to use.
• Remove. To remove a set of account data, select the title of the account in the Accounts list and click Remove. If you remove the last account for a fingerprint logon, the fingerprint logon is deleted.
You can delete the account data of a fingerprint logon created by your administrator, but you cannot delete the actual fingerprint logon.

DigitalPersona Pro Workstation Properties
You can edit various Workstation properties using the DigitalPersona Pro Properties dialog box.
To change Workstation Properties:
1 Click the reader icon in the notification area and select Properties.
2 Modify the desired properties and click OK to implement the new settings and close the dialog box.
The DigitalPersona Pro Properties dialog box contains several folders, as described below.

Quick Actions
In the Quick Actions folder, you can assign actions to be performed when touching the fingerprint reader, and when touching the reader in combination with certain keys. The actions that you can assign are:
• None
• Create a fingerprint logon
• Display the Help file
• View the One Touch Menu
• Open the Properties dialog box
• View the Quick Links submenu
You can assign actions to:
• Fingerprint. The default setting is to view the One Touch Menu.
• Ctrl + Fingerprint. The default setting is None.
• Shift + Fingerprint. The default setting is None.

Show Fingerprint Reader Icon on Taskbar
When checked, the fingerprint reader icon is displayed in the notification area on the taskbar, which is described in “Reader Icon and Menu” on page 165.

Enable Visual Feedback
This option enables or disables display of the feedback icons used to show the status of a fingerprint scan. For more information about visual and audio feedback when a fingerprint scan is acquired, refer to “Fingerprint Reader Visual Cues” on page 167.
Enable Sound Feedback
Check Enable Sound Feedback to play a sound when the reader acquires a fingerprint scan, indicating that you may lift your finger from the reader. Different sounds are played for successful and unsuccessful scans. You may select different sounds from Control Panel. Refer to “Fingerprint Scan Acquisition Feedback” on page 167 for more information about visual and audio feedback when a fingerprint scan is acquired by the reader.

One Touch Menu
In the One Touch Menu folder, the following menu items are added to the One Touch Menu if the check box is selected:
• Help. Displays this Help file.
• Properties. Displays the Properties dialog box.
• Quick Links. Displays the list of Quick Links.
• Create Fingerprint Logon. Displays the Create Fingerprint Logon dialog box.

Deleting Registered Fingerprints
You can use the Fingerprint Registration Wizard to delete any fingerprints that you have previously registered. If you are not permitted to delete fingerprints, it may be because of settings implemented by your administrator.
To delete registered fingerprints using the Fingerprint Registration Wizard
1 Launch the Fingerprint Registration Wizard by clicking the reader icon in the notification area and selecting Fingerprint Registration.
2 Click Next. If changes to registered fingerprints will be saved in the user database on your computer instead of in Active Directory, you are prompted to confirm that you want to make changes to your fingerprints locally only. These changes will not be applied to Active Directory. Click Yes to confirm, or click No and contact your administrator for guidance.
3 When prompted to verify your identity, touch the reader with any registered finger.
4 An outline of two hands is displayed with your registered fingers highlighted in green.
Click the highlighted finger that represents the registered fingerprint you want to delete.
Note: Clicking a finger which is not highlighted starts the registration of that finger.
5 When prompted, click Yes to delete the registered fingerprint. Otherwise, click No if you do not want to delete that fingerprint.
6 Click Next or select another finger to delete.
7 Click Finish to exit the wizard and save your changes. Canceling or closing the dialog box does not save your changes.

Changing Your Windows Password
The process of changing your Windows password on Windows XP and Windows 2000 is very similar to that on computers without DigitalPersona Pro.
To change your Windows password
1 Press Ctrl+Alt+Delete.
2 Click Change Password. In Windows Vista, click Change a password and select your tile.
3 Touch the reader with a registered fingerprint. If your identity is verified, One Touch Logon provides the current password in the Old Password text box. Otherwise, type your current password in the Old Password text box.
4 Type a new password in the New Password text box and then type it again in the Confirm New Password text box.
5 Click OK to change your current password to the new one you specified.

Fingerprint Reader Usage and Maintenance
This section provides reader usage and maintenance guidelines, which are intended to maximize fingerprint registration and authentication performance. Proper usage of the reader during fingerprint registration and authentication, as well as a well-maintained reader, is crucial to achieving optimal fingerprint recognition performance.
The next section, “Proper Fingerprint Reader Usage”, describes the proper way to use the reader to register fingerprints and authenticate using them. It is followed by reader maintenance instructions, provided in “Cleaning the Reader” on page 190.

Proper Fingerprint Reader Usage
To reduce the number of false rejects, you must place a finger on the reader correctly when registering fingerprints and authenticating. During both processes, you must place the pad of your finger—not the tip or the side—in the center of the oval window of the reader in order to maximize the area of the finger that touches the reader window.
Apply even pressure. Pressing too hard will distort the scan; pressing too lightly will produce a faint, unusable scan. Do not “roll” your finger.
To complete the fingerprint scan, hold your finger on the reader until you see the reader light blink. This may take longer if the skin is dry. When the light blinks and, if configured, a sound plays, you may lift your finger.
If the reader is capturing your fingerprint scan, as indicated by the reader blink, but DigitalPersona Pro consistently rejects it, you may need to reregister that finger by first deleting it and then registering it again.

Cleaning the Reader
The condition of the reader window has a large impact on the ability of the reader to obtain a good quality scan of a fingerprint. Depending on the amount of use, the reader window may need to be cleaned periodically. To clean it, apply the sticky side of a piece of adhesive cellophane tape to the window and peel it away.
Under heavy usage, the window coating on some readers may turn cloudy from the salt in perspiration. In this case, gently wipe the window with a cloth (not paper) dampened with a mild ammonia-based glass cleaner.
Reader Maintenance Warnings
There are several things you should never do when cleaning or using the reader:
• Do not pour the glass cleaner directly on the reader window.
• Do not use alcohol-based cleaners.
• Never submerge the reader in liquid.
• Never rub the window with an abrasive material, including paper.
• Do not poke the window coating with your fingernail or any other item, such as a pen.
The fingerprint reader is for indoor home or office use only.

12 DigitalPersona Pro Kiosk
This chapter provides an in-depth examination of DigitalPersona Pro Kiosk, describing the similarities and differences between it and Pro Workstation, and explaining how to use Kiosk features. Additional details on user tasks are provided in the DigitalPersona Pro Kiosk Help file.

Overview
DigitalPersona Pro Kiosk provides fast, convenient and secure fingerprint logon access for multiple users of shared Windows computers. In environments where many users share the same computer, fast and secure access in quick succession is important.
• Pro Kiosk does not require Windows log on and off between users.
• Pro Kiosk allows a designated set of Windows users to use their fingerprints to log on to Windows, unlock the computer, and log on to programs.
• Users are uniquely identified by their fingerprints without requiring them to type account information to log on. Although each user provides unique credentials that can be used for logging and auditing purposes, a Shared Account is used to log on to Windows.
You can configure several kiosk computers to share the same identification list. In this case, users can work at several kiosk computers and gain access with their fingerprints.
Users accessing the same kiosk computer in quick succession can also securely log on to password-protected programs by providing their fingerprints.
For example, users can provide fingerprints to log on to the program and, when finished, close the program. Immediately afterwards, another user can provide a fingerprint to gain access to that program.
All of the Pro Kiosk actions that are initiated with a fingerprint are logged for purposes of compliance with legal regulations or policy requirements.

Identification List
A key security component in the recognition of users solely by their fingerprint is the identification list. This is the list of users who have recently accessed a kiosk computer and who can be identified and authenticated only by their fingerprints. This provides fast access to a shared kiosk computer.
Kiosk users in the identification list can log on or unlock a computer and log on to a program with fingerprints only. They do not need to specify their user names and domain names. DigitalPersona Pro Kiosk determines a user’s identity by comparing the fingerprint to the fingerprints of the users in the identification list.
For security and performance reasons, the identification list contains a limited number of user accounts. The number of users kept in the identification list is controlled by the administrator and can be up to fifty users. Once the identification list is full, the least recently used user name is removed from the list when another new user is added.
When there are several DigitalPersona Pro Servers on a domain, the identification list is replicated among the domain controllers. Pro Servers keep the identification list current. The identification list is replicated by Windows and made available to other Pro Servers on the domain. Pro Kiosk caches the identification list and requests an updated file from Pro Server. This is how users can move to other kiosk computers and be identified while they are on the kiosk identification list.
If the user name is not in the identification list, the user must provide a user name, domain and fingerprint. After the user provides the account information and successfully accesses the kiosk, the user is added to the identification list. Users might not be identified because they are new users, because they are not recent users of a kiosk computer, or because the administrator has not allowed them to access the kiosk.

How Pro Kiosk Works
Before a user can begin using a kiosk computer, DigitalPersona Pro Kiosk checks for the following requirements:
• Is the user name on the identification list?
• Does the user have a registered fingerprint on file?
To access the kiosk, either to log on, unlock or access a password-protected program, a user does the following:
1 The user provides a fingerprint. Pro Kiosk checks if the fingerprint belongs to a user in the identification list. If yes, the fingerprint authentication process is performed and the user is granted access. If no, Pro Kiosk prompts the user for the account information.
2 When the user provides a user name, domain name and a fingerprint, the fingerprint authentication process is performed and, if successful, the user is granted access to the kiosk and added to the identification list. The administrator can determine the group of users that are eligible to be added to a kiosk’s identification list.
The next time the user provides a fingerprint to access a kiosk computer or program, the user name is in the identification list, and the user is authenticated by a fingerprint only and granted access. In environments where many users access the same computer in a short amount of time, users may be pushed out of the list more often.
If a user does not have registered fingerprints, the user is prompted for a password.
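The identification list described for Pro Workstation (in "The Identification List" above) and for Pro Kiosk here is, in data-structure terms, a fixed-capacity most-recently-used list: a logon puts the user on top, a repeat logon moves them back to the top, and the least recent user is evicted when a new user arrives after the list is full. Identification is a one-to-many search restricted to listed users, which is why a user who has been pushed out must type their user name and domain again. The following Python model is an added illustration written for this guide, not DigitalPersona code: the User, IdentificationList and Kiosk names, the eligibility set, the in-memory directory that stands in for the Pro Server lookup, and the template strings are all constructed assumptions, and a real product matches biometric samples approximately rather than by string equality.

```python
"""Added illustration (not DigitalPersona code) of the identification list the guide describes
for Pro Workstation and Pro Kiosk: a capacity-limited list of recent users, most recent first,
least recent evicted when full, and the Pro Kiosk access decision built on it. Fingerprints
are stood in for by opaque template strings; real matching is biometric and approximate."""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_KIOSK_LIST_SIZE = 50  # upper bound the guide states for a kiosk identification list


@dataclass
class User:
    name: str      # user name, e.g. "alice" (constructed)
    domain: str    # e.g. "CORP" (constructed)
    templates: Set[str] = field(default_factory=set)  # constructed stand-ins for fingerprints

    @property
    def key(self) -> str:
        return f"{self.domain}\\{self.name}"


class IdentificationList:
    """Most recent user at the front; least recent user evicted when the list is full."""

    def __init__(self, capacity: int) -> None:
        if not 1 <= capacity <= MAX_KIOSK_LIST_SIZE:
            raise ValueError("capacity must be between 1 and 50")
        self.capacity = capacity
        self._users: "OrderedDict[str, User]" = OrderedDict()

    def touch(self, user: User) -> Optional[str]:
        """Put user on top (a re-logon moves them up); return the evicted key, if any."""
        if user.key in self._users:
            self._users.move_to_end(user.key, last=False)
            return None
        evicted = None
        if len(self._users) >= self.capacity:
            evicted, _ = self._users.popitem(last=True)  # least recent user falls off
        self._users[user.key] = user
        self._users.move_to_end(user.key, last=False)
        return evicted

    def members(self) -> List[str]:
        return list(self._users)

    def identify(self, template: str) -> Optional[User]:
        """1:N identification restricted to listed users; anyone else is not identified."""
        for user in self._users.values():
            if template in user.templates:
                return user
        return None


class Kiosk:
    """Pro Kiosk access flow: fingerprint only for listed users, account info otherwise."""

    def __init__(self, ident_list: IdentificationList, eligible: Set[str],
                 directory: Dict[str, User]) -> None:
        self.ident_list = ident_list
        self.eligible = eligible    # users the administrator allows onto the list
        self.directory = directory  # stands in for the Pro Server lookup of registered data
        self.audit: List[Tuple[str, str]] = []  # fingerprint-initiated actions are logged

    def access(self, template: str, account: Optional[Tuple[str, str]] = None) -> dict:
        """Decide one access attempt; account is the (name, domain) typed after a prompt."""
        user = self.ident_list.identify(template)
        if user is not None:
            self.audit.append(("fingerprint-only", user.key))
            self.ident_list.touch(user)
            return {"granted": True, "prompted_for_account": False, "user": user.key}
        if account is None:
            return {"granted": False, "prompted_for_account": True, "user": None}
        key = f"{account[1]}\\{account[0]}"
        user = self.directory.get(key)
        if user is None or template not in user.templates:
            self.audit.append(("fingerprint-verify-failed", key))
            return {"granted": False, "prompted_for_account": True, "user": None}
        self.audit.append(("fingerprint+account", key))
        if key in self.eligible:  # only eligible users are added to the list
            self.ident_list.touch(user)
        return {"granted": True, "prompted_for_account": True, "user": key}


def demo() -> dict:
    """Walk four constructed users through a two-slot kiosk list; return the decisions."""
    alice = User("alice", "CORP", {"tpl-alice-1"})
    bob = User("bob", "CORP", {"tpl-bob-1"})
    carol = User("carol", "CORP", {"tpl-carol-1"})
    dave = User("dave", "CORP", {"tpl-dave-1"})  # not allowed onto the identification list
    directory = {u.key: u for u in (alice, bob, carol, dave)}
    kiosk = Kiosk(IdentificationList(2), {alice.key, bob.key, carol.key}, directory)
    first = kiosk.access("tpl-alice-1")                      # not listed yet: prompted
    second = kiosk.access("tpl-alice-1", ("alice", "CORP"))  # verified, added to the list
    third = kiosk.access("tpl-alice-1")                      # fingerprint only
    kiosk.access("tpl-bob-1", ("bob", "CORP"))
    kiosk.access("tpl-carol-1", ("carol", "CORP"))           # list full: alice pushed out
    fourth = kiosk.access("tpl-alice-1")                     # must type account info again
    dave_result = kiosk.access("tpl-dave-1", ("dave", "CORP"))  # granted but never listed
    return {"first": first, "second": second, "third": third, "fourth": fourth,
            "dave": dave_result, "members": kiosk.ident_list.members(), "audit": kiosk.audit}
```

The two-slot list in demo() is deliberately small so that the eviction the guide warns about ("users may be pushed out of the list more often") is visible in a handful of logons; the same structure with a capacity of up to fifty is what the kiosk setting controls. Note that every fingerprint-initiated decision, including a failed verification against typed account data, lands in the audit list, which mirrors the guide's statement that kiosk actions started with a fingerprint are logged.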
After password authentication is successfully completed, Pro Kiosk checks if the user is eligible for the identification list. If yes, the user is added to the identification list and the Fingerprint Registration Wizard launches.
• On most versions of Windows, if you have not registered fingerprints yet, the Fingerprint Registration Wizard launches automatically after logging on or unlocking the computer.
• On Windows Vista, click the balloon that displays near the notification area to register your fingerprints, or click the Fingerprint Reader icon and select Fingerprint Registration to launch the Fingerprint Registration Wizard.
Administrators can require attended fingerprint registration (see “Attended Fingerprint Registration” on page 102) so that users’ fingerprints are registered before accessing the kiosk for the first time.

Comparing Pro Workstation and Pro Kiosk
This section describes the similarities and differences between DigitalPersona Pro Workstation and DigitalPersona Pro Kiosk.
Both DigitalPersona Pro Kiosk and DigitalPersona Pro Workstation include the following One Touch applications:
• One Touch Logon
• One Touch Unlock
• One Touch SignOn
Like DigitalPersona Pro Workstation, Pro Kiosk also includes options for allowing users to run the Fingerprint Registration Wizard, or administrators can implement attended fingerprint registration. Pro Kiosk uses the same fingerprint information and One Touch SignOn logon data as DigitalPersona Pro.
DigitalPersona Pro Kiosk requires DigitalPersona Pro Server Version 4.0 or higher running on a domain controller. DigitalPersona Pro Workstation Version 4.0 or higher and Pro Kiosk are compatible, i.e. they can be installed on computers on the same domain and use the same DigitalPersona Pro Server.
When comparing Pro Kiosk to Pro Workstation, Pro Kiosk differs in the following ways:

• One Touch Logon is always installed when Pro Kiosk is installed on a computer. In the Pro Workstation installation, One Touch Logon is an option when performing custom installations.
• The identification list is shared among designated kiosk computers on the domain or in the same Organizational Unit (OU). This enables recent users to move from computer to computer in a kiosk and use their fingerprints for logon. For Pro Workstation, the user identification list is cached locally and not shared with any other computer.
• Multi-credential logon is not available on kiosk computers even if it is configured in the DigitalPersona Pro GPO in Active Directory.
• A specified Shared Account is always used for Windows logon, independent of the user account being authenticated. This affects the account profile and user preferences.
• Any kiosk user can unlock a kiosk computer. For example, a user may log on and lock the kiosk computer. Then, a second user can unlock it without logging off and logging on.
• The name of the last user is not shown in the Logon or Unlock dialogs, regardless of security settings.
• A kiosk user can register fingerprints, regardless of which user account was logged on to the kiosk, without logging on to Windows. The administrator must have allowed permissions for the user to register and delete fingerprints.
• Pro Kiosk does not include Quick Links, One Touch Internet or the One Touch Menu.

Using One Touch SignOn with Pro Kiosk

One Touch SignOn (OTS) provides fingerprint logon to password-protected programs. If you created OTS templates using DigitalPersona Pro Version 3.2 or higher, they are compatible with Pro Kiosk and can be used for kiosk users.
If you have OTS templates from versions earlier than DigitalPersona Pro Version 3.2, you can use the OTS Administration Tool to convert them. With Pro Kiosk, One Touch SignOn differs from Pro Workstation implementations in the following ways:

• OTS templates must be deployed to the Shared Account instead of to user accounts.
• Kiosk users do not need to log on to Windows to use fingerprint-enabled programs. Their identity is verified each time they log on to the program. For kiosk users, the OTS logon data is never cached locally.

Logging On to Windows

One Touch Logon allows you to log on to Windows with any registered fingerprint as an alternative to your Windows credentials. Windows credentials are the information used to gain access to Windows accounts, such as a password. One Touch Logon guides you through providing the credentials required for logging on to Windows.

When your identity is verified by your fingerprint or Windows credentials, you are logged on to a Shared Account, which has been configured by your administrator. All kiosk users share the same session. If your computer becomes locked, any kiosk user will be able to unlock it, view the desktop, and run programs. You also have the option not to share the kiosk session and to log on to your own account instead of the Shared Account, although this is recommended for administrators only.

To log on using only your fingerprint, you must have a registered fingerprint and must have recently used a kiosk computer. If your identity cannot be verified, you will be prompted to provide your user name and domain as well as a fingerprint to log on.

Using One Touch Logon

One Touch Logon displays a customized Welcome dialog box or screen, which is similar to the standard Windows dialog box.
When you touch the fingerprint reader, One Touch Logon attempts to identify you using your fingerprint. If you are not identified, touch the fingerprint reader again to provide a better quality scan. Refer to “Proper Fingerprint Reader Usage” on page 190 for details.

You will not be identified if you are a new user, and you may not be identified if you are not a recent user of the kiosk. In this case, press Ctrl+Alt+Delete and specify your user name and domain, and then touch the fingerprint reader or type your password. You will be added to the identification list after successful authentication.

Leave the Share the kiosk session check box checked to allow other kiosk users to unlock the computer. Only administrators may need to uncheck this option. When this check box is not checked, Pro Kiosk features are not available.

If you are a new user without any registered fingerprints, you can log on by providing your name, domain and password.

• In most versions of Windows, the Fingerprint Registration Wizard will launch automatically after you log on.
• In Windows Vista, click the balloon that displays near the notification area to register your fingerprints, or click the Fingerprint Reader icon and select Fingerprint Registration to launch the Fingerprint Registration Wizard.

You must register fingerprints before you can log on using the fingerprint reader.

Note The user name for the Windows shared account that Pro Kiosk uses cannot be used to log on to a kiosk session. All kiosk users must use their own Windows user name to log on.

Logging on to Windows without Kiosk

To log on to a computer without using a kiosk session, uncheck the Share the kiosk session check box. This check box is only enabled when the kiosk computer is logging on to the domain. For local logon, it is disabled.
The designated Shared Account for the kiosk is not used and several Pro Kiosk features are not available. In this case, the user name is not added to the kiosk identification list and One Touch SignOn to programs is disabled. This feature is intended for administrators who might need to access a computer without kiosk features enabled, for administrative purposes. Non-administrators can be prohibited from logging on to the computer outside of a kiosk session by enabling the appropriate setting in the controlling GPO. See “Prevent users from logging on outside of a Kiosk session.” on page 88.

Note If you lock the computer outside of a kiosk session, other kiosk users will not be able to unlock it, so be sure to log out of a local session on any kiosk workstation.

Using One Touch Unlock

To lock your computer, double-click the fingerprint reader icon or click Lock Computer on the fingerprint reader icon context menu. The reader icon is located in the notification area on the taskbar. When your computer is locked, One Touch Unlock replaces the standard Windows Computer Locked dialog box. One Touch Unlock guides you through providing the required credentials to unlock your computer.

Recent users of a kiosk can unlock any kiosk computer by providing a registered fingerprint. To unlock the computer, touch the reader with a registered fingerprint. If you are not identified, touch the fingerprint reader again to provide a better quality scan.

You cannot be identified if you are a new user or if you are not a recent user of the kiosk. In this case, press Ctrl+Alt+Delete and specify your user name and domain, and then touch the fingerprint reader or type your password. The previous user account name is not displayed in the One Touch Unlock dialog box. You will be added to the identification list after successful authentication.
If you do not have any registered fingerprints, you can unlock the computer by providing your name, domain and password, and then the Fingerprint Registration Wizard will launch. You must register fingerprints before you can unlock the kiosk computer with your fingerprint.

Changing Your Password

The process of changing your Windows password on a computer with DigitalPersona Pro Kiosk installed is similar to doing so on a computer without Pro Kiosk installed.

To change your Windows password

1 Press Ctrl+Alt+Delete to display the Windows Security dialog box.
2 Click the Change Password button.
3 On the Change Windows Password dialog box, type your user name and touch the reader with a registered finger. If your identity is verified, One Touch Logon provides the current password in the Old Password text box. You can also type your current password in the Old Password text box.
4 Type a new password in the New Password text box and then type it again in the Confirm New Password text box.
5 Click OK to change your current password to the new one you specified.

User Account Control

On Windows Vista, you can also use your fingerprint to give your permission to proceed whenever you are presented with a User Account Control dialog box.

Logging On to Password-Protected Programs

DigitalPersona Pro Kiosk lets a kiosk user log on to password-protected programs, either Windows or Web-based programs, with any registered fingerprint. As an administrator, you must enable this feature for specific programs by configuring fingerprint logons for them. Password-protected programs that are fingerprint-enabled display a fingerprint logon icon in the upper left corner of the screen.
You can also create fingerprint logons that include fingerprint-enabled screens for changing your password. Refer to the topic “One Touch SignOn Administration Tool” on page 104 for more information about creating fingerprint logons using OTS templates.

Users are prompted for account data the first time they log on. On subsequent logons, they only need to launch the program and touch the reader with any registered finger. DigitalPersona Pro Kiosk automatically enters the user name, domain, password and any other necessary account data in the appropriate logon screen text boxes and, if configured, submits the account data. Fingerprint logons may also be used to prevent users from typing their user name and password, so that they must always provide a fingerprint to log on to the program.

Using Fingerprint Logons for Programs

To log on to a fingerprint-enabled logon screen

1 Open the logon screen of the program.
2 The logon screen displays a fingerprint logon icon in the upper left corner of the screen, indicating that you can touch the reader with any registered finger to log on.
3 Touch the fingerprint reader. You must be a recent user of the kiosk to log on with a fingerprint. If required, type your user name and domain and then touch the fingerprint reader again to log on.
4 If the system determines that account data is required, the Enter Account Data dialog box displays. Type the required data in the fields. Then click OK to log on. The next time you log on, the system will provide this account data for you.

Note If you specified additional account data for the program, you are prompted to choose the data that you want to use to log on.

Users can add, change or remove account data for fingerprint logons for programs using the Fingerprint Logon Manager.
However, they cannot delete the fingerprint logons created by administrators. To access the Fingerprint Logon Manager, click the fingerprint reader icon and select Fingerprint Logon Manager.

Adding Account Data

Users may add additional sets of account data for a program. In this case, when logging on to the program using DigitalPersona Pro Kiosk, users will be prompted to choose the account data to use.

To add additional account data to the fingerprint logon for a program

1 Click the fingerprint reader icon and select Fingerprint Logon Manager.
2 In the Verify Your Identity dialog box, touch the reader with a registered finger. If your identity is not verified, type your user name and touch the reader again.
3 In the Fingerprint Logon Manager, click the Add button to display the Add Fingerprint Logon dialog box.
4 The title in the Logon Title text box uniquely identifies the logon screen in the Fingerprint Logon Manager. You can type a different title in the text box.
5 DigitalPersona Pro Kiosk determines the logon fields and displays them in the Logon Information area. Type the appropriate account data in the corresponding text box for each field required for logon. For example, in the Password text box, you would type the password used to access the program.
6 Click OK to save the account data.
7 The Verify Your Identity dialog box displays. Touch the fingerprint reader to verify your identity.

Changing Account Data

To modify the account data entered by a fingerprint logon

1 Click the fingerprint reader icon and select Fingerprint Logon Manager.
2 In the Verify Your Identity dialog box, touch the reader with a registered finger. If your identity is not verified, type your user name and touch the reader again.
3 In the Fingerprint Logon Manager, select the account and then click Change.
4 In the Edit Fingerprint Logon dialog box, edit your existing account data in the text boxes and click OK. You can also change the fingerprint logon title.
5 The Verify Your Identity dialog box displays. Touch the fingerprint reader to verify your identity.

Removing Account Data

To remove the account data of a fingerprint logon

1 Click the fingerprint reader icon and select Fingerprint Logon Manager.
2 Touch the reader with a registered finger. If your identity is not verified, click the Provide your account information hyperlink. In the next dialog box, type your Windows user name and domain and touch the reader again.
3 Select the title of the fingerprint logon in the list on the Fingerprint Logon Manager and click Remove.
4 The Verify Your Identity dialog box displays. Touch the fingerprint reader to verify your identity.

You can delete the account data of a fingerprint logon created by your administrator, but you cannot delete the fingerprint logon itself.

Switching Users on Pro Kiosk Computers

You can log on, unlock or gain access to a fingerprint-enabled program on a kiosk computer by using your fingerprint. After your work is finished, you can do one of the following:

• Close the fingerprint-enabled programs and leave the kiosk computer unlocked. The next user can approach the kiosk computer and provide a registered fingerprint to gain access to the password-protected program.
• Close the programs and lock the kiosk computer. The next user can approach the kiosk computer and provide a registered fingerprint to unlock the computer. Then the user can launch a fingerprint-enabled program and touch the reader again to access the program.
• Close the programs and log off from the kiosk computer. The next user can approach the kiosk computer and provide a registered fingerprint to log on to the computer. The user is logged on to the Shared Account for the kiosk.

Fingerprint Reader Icon and Menu

DigitalPersona Pro Kiosk displays a fingerprint reader icon in the notification area on the taskbar that shows whether the reader is ready for use. In addition, it provides convenient access to various functions on its context menu.

Fingerprint Reader Status

When the reader is ready to scan fingerprints, the reader icon appears normally. Otherwise, a red X displays over the reader icon.

Fingerprint Reader Icon Context Menu

Click the fingerprint reader icon to open its context menu. On it, several features are available:

Lock Computer. Locks your computer. Double-clicking the reader icon also locks your computer.
Fingerprint Registration. Launches the Fingerprint Registration Wizard, which guides you through the process of registering your fingerprints.
Fingerprint Logon Manager. Opens the Fingerprint Logon Manager.
Help. Launches DigitalPersona Pro Kiosk Help.
About. Displays the DigitalPersona Pro Kiosk software version number.

Using the Start Menu

• You can access DigitalPersona Pro Kiosk and Kiosk Help from the Start menu. On the Start menu, point to All Programs, point to DigitalPersona Pro Kiosk and then click the menu item that corresponds to the task you want to perform.

Part Five: Appendices

Part Five of the DigitalPersona Pro for AD Administrator Guide includes the following appendices:

Chapter - Title | Purpose | Page
13 - Planning & Deployment | Provides guidelines for planning and implementing the deployment of DigitalPersona Pro. | 207
14 - DigitalPersona Pro Settings | An alphabetical list of all DigitalPersona Pro settings with references to the Active Directory location and the page number where they are described. | 222
15 - Troubleshooting | Provides assistance in troubleshooting software and hardware issues. | 228
16 - Customizing Workstation | Details registry settings that can be used to customize DigitalPersona Pro Workstation. | 233
17 - Installing High Encryption | Instructions for installing 128-bit High Encryption for older Windows 2000 machines. | 236
18 - Fingerprint Reader Regulatory Information | Includes regulatory information for the DigitalPersona U.are.U Fingerprint Reader. | 237

13 Planning & Deployment

Overview

DigitalPersona Pro for Active Directory is a scalable solution that can provide biometric authentication and Single SignOn for a large enterprise with multiple domains and a hundred thousand geographically dispersed workstations, a medium-sized local network, or a small office network. Whatever the size of the deployment, it is critical to spend some time designing an implementation that will meet your organization’s needs, provide a straightforward deployment plan, and allow you to allocate the necessary hardware and personnel resources.

In designing your DigitalPersona Pro system, you will want to take into account many factors, including your security needs, performance requirements, levels of administration, and the amount of control that you want to allow the end user to have over certain features like One Touch SignOn, One Touch Internet and fingerprint registration. While we have made deploying DigitalPersona Pro as simple and straightforward as possible, a comprehensive design, a well-formed deployment plan, and a deployment staff with solid Active Directory experience will help to ensure a successful implementation.

Deploying DigitalPersona Pro includes settings to configure the way that authentication operates in your specific environment.
From various combinations of multi-factor authentication to fingerprint-only logon, the level of security that you require is configurable, and quite easily implemented through standard Active Directory administration tools. Administrative controls and utilities are also available through a complete set of DigitalPersona Pro Administrative Tools included with DigitalPersona Pro Server.

In the following text, the term “users” refers to those who will be registering and authenticating their fingerprints through DigitalPersona Pro Server; their number is not necessarily the same as the number of Active Directory users.

The information provided in this chapter is not intended to take the place of the services of a professional systems architect or analyst, and should not be construed as advice or recommendations addressing your specific situation.

Evaluation Support

During evaluation of DigitalPersona Pro for Active Directory, support is available through our Sales Engineering Team at: 1-650-474-5316

Technical Support

If you have purchased DigitalPersona Pro for Active Directory, Technical Support is available through our Technical Support Request form at: http://www.digitalpersona.com/support/enterprise/chooseproduct.php

Professional Services

DigitalPersona Professional Services can discuss options ranging from initial onsite consulting to completely outsourcing all or part of the design, deployment and installation process, as well as customizing the software. For Professional Services, please contact your DigitalPersona Account Manager or product Reseller.

Planning

Although the actual steps in a design process will vary from company to company, the design for your DigitalPersona Pro solution should take into account at least the elements described in this chapter.
Additional steps and considerations may be required for your specific organization.

Planning Overview

1 Select an Installation Scenario.
2 Determine Required Software & Hardware.
3 Identify Needed Licenses.
4 Select Configuration Options.
5 List OTS Templates.
6 Create Deployment Plan.

Select an Installation Scenario

DigitalPersona Pro for Active Directory is designed with built-in flexibility to enable delivery of biometric authentication and Single SignOn in the following scenarios:

• Enterprise level, server supported authentication
• Workstation Only installation

It is also possible to create a solution utilizing a combination of both scenarios.

Enterprise level with Pro Server Support

For optimal enterprise-wide deployment, DigitalPersona Pro Workstation and/or Kiosk are installed on network computers connected to a domain controller that has DigitalPersona Pro Server installed. Computers such as laptops can be periodically connected to, and disconnected from, the network.

DigitalPersona Pro Server offers the following capabilities:

• Installed on a secure Active Directory Domain Controller
• Centralized User Administration
• Centralized Credential & Application Data Storage
• Secure Server Authentication

DigitalPersona Pro Workstation/Kiosk:

• One Touch Logon
• One Touch SignOn Applications
• One Touch Internet (Workstation only)
• One Touch Menu (Workstation only)

Using a DigitalPersona Pro Workstation with Pro Server support is the most comprehensive deployment of DigitalPersona Pro because you can take advantage of both the Workstation and Server features of DigitalPersona Pro for Active Directory. In addition to the One Touch applications for the Workstation, this deployment allows you to manage DigitalPersona Pro with Active Directory administration tools, and provides secure data storage and user roaming features.
DigitalPersona Pro Kiosk requires the availability of a DigitalPersona Pro Server in order to function.

Workstation Only Installation

DigitalPersona Pro Workstation can be installed on computers connected to an Active Directory domain without DigitalPersona Pro Server support, or on a standalone computer configured to perform authentication locally. With either of these configurations, you have all the features provided by the DigitalPersona Pro Workstation software as described in “DigitalPersona Pro Workstation” on page 23.

The table below compares the features available for DigitalPersona Pro Workstations with and without Pro Server support:

Table 13-1. Feature Comparison

DigitalPersona Pro Features | Deployment Scenario: Workstation without Pro Server support | Deployment Scenario: Workstation with Pro Server support
Secure Windows Logon | X | X
One Touch Logon & One Touch UnLock | X | X
One Touch SignOn and One Touch Internet | X | X
Workstation Administration | X | X
Secure Server Authentication | | X
Centralized User Administration | | X
Centralized User Credential Data Storage | | X

DigitalPersona Pro Workstation can also be installed on a computer that is not connected to an Active Directory domain, or not administered with an Active Directory GPO. The Workstation can then be administered locally through the Microsoft Management Console (MMC), providing the same functionality as listed above for Workstations without Pro Server support.

Determine Required Software & Hardware

Server software

DigitalPersona Pro Server has been fully performance tested and shown to be able to support the authentication of up to 3,000 users within a 10 minute period, per Server processor. DigitalPersona Pro Server must be installed on a domain controller serving the users that will be using it for authentication.
Additionally, a Failover/Backup Pro Server is recommended for each Pro Server installed. Also, if you have multiple sites, we recommend a Pro Server and a Failover/Backup server at each site. After analyzing your network configuration and bandwidth limitations, you may want to add additional servers for backup/failover, or arrange for additional servers on a domain or site basis to compensate for potential bandwidth bottlenecks.

Use the worksheet below to assist you in determining the number of DigitalPersona Pro servers that you will require.

A. Total number of users _____ / 3,000 = Base Minimum Server/Processors _________
B. Backup/Failover Servers (Recommended) _______
C. Additional Servers per network analysis ________
Total Servers (A + B + C) = _______

Workstation software

You will need a copy of DigitalPersona Pro Workstation software for each computer that will be using biometric authentication and authorization. This includes laptops and notebooks that will be connected to the network, as well as any offsite computers that may connect to the network.

Total Workstations = _______

Kiosk software

You will need a copy of DigitalPersona Pro Kiosk software for each computer that will be used as a kiosk.

Total Kiosks = _______

Fingerprint Readers

For each workstation, you will need one U.are.U Fingerprint Reader. Certain notebooks with a supported built-in swipe reader can be used with DigitalPersona Pro. A list of supported third-party swipe readers can be found at: http://www.digitalpersona.com/products/notebooks.php.

Total U.are.U Fingerprint Readers = _______

Identify Needed Licenses

When deploying DigitalPersona Pro Server, a User Authentication License (UAL) is required covering each user that will be registering their fingerprints and using them for authentication through the server.
The licenses are bound to the domain, so each license issued covers the users for that specific domain. In other words, a DigitalPersona Pro User Authentication License licenses the users in a single domain. Additional UALs can be purchased for a domain as the number of users expands. Use the following table to identify the number of users to include in each requested UAL.

Domain Name | Number of Users | Number of user licenses needed
Total Number of user licenses needed = _______

Select Configuration Options

While many of the configuration options can be determined as part of your initial testing or pilot and may be adjusted during and after rollout, there are a few options that should definitely be part of your planning.

Windows Logon Policies - DigitalPersona Pro policies work in conjunction with standard Windows policies. Logon policies can be configured at the Server level or the Workstation level by adding the appropriate DigitalPersona Pro Administrative Template to the controlling GPO.

Attended Fingerprint Registration - When implemented, all users must register their fingerprints in the presence of a designated person or group.

Custom Workstation Installation - The default “Complete” Workstation installation includes the One Touch SignOn, One Touch Logon and One Touch Internet features. By using a “Custom” installation, you can select not to install One Touch Logon and/or One Touch Internet. They can also be added to, or removed from, a particular workstation through the Add or Remove Programs tool in the Control Panel.

• One Touch SignOn - One Touch SignOn is a major feature of DigitalPersona Pro, providing users with the ability to access administrator-deployed templates for One Touch SignOn to password-protected programs and Web sites.
• One Touch Logon - One Touch Logon provides the ability for a user to log on to their Windows account by simply touching a supported fingerprint reader.
• One Touch Internet - This feature allows end users to create their own fingerprint logons for programs and Web sites.

Other policies and settings - See “Configuring Policies and Settings” on page 70 for other policies and settings that you may want to consider as part of your design.

List OTS Templates

For each program or Web site that you want to allow users to sign on to with One Touch SignOn, you will need to create an OTS template using the One Touch SignOn Administration Tool. Time and resources to create these templates should be part of your deployment plan.

Create Deployment Plan

Based on your system design, create a deployment plan. You can use the checklist at the end of this chapter to make sure that you have covered the basics that have been discussed.

Deployment

Factors to Consider

There are a number of factors that you will want to make sure are considered as you develop your Deployment Plan.

Evaluation & Testing

You will probably want to test your proposed design on a single standalone workstation and/or in a small server-based pilot program before rolling out the full implementation. DigitalPersona Pro Server includes a 10-user license which can be used for deployment in your test environment.

Note that when moving from a standalone Workstation installation to a Pro Server based environment, all Pro domain user data on the standalone computer is lost when it first connects to a DigitalPersona Pro Server. Fingerprints must be registered again and user account data for fingerprint logons must be provided again.
Multi-credential Logon Settings

You can configure logon settings that require more than one type of credential to log on. Possible credentials for Windows logon include fingerprint, password or smart card. The multi-credential logon settings are configured using the Multi-credential Logon to Windows settings in the DigitalPersona Pro Administrative Template, but can also be overridden on a per-user basis in the Active Directory Users and Computers tool. Note that DigitalPersona Pro does not provide any setting to control the use of the smart card for the Windows logon and will apply whatever Windows policies are in place for smart cards.

For local area network users, allowing either the fingerprint or password to be used is recommended as a starting Windows logon setting. A simple way to require two-factor authentication and increase security without compromising user convenience is to require a fingerprint PIN in addition to a fingerprint. This is the recommended setting for remote users. For more information on fingerprint PINs, see “One Touch Features” on page 179.

While users adapt to the new fingerprint policies, you might want to begin with more flexible logon settings. For example, a policy may be set at the beginning of deployment that requires the user to use a fingerprint. If the user cancels out of the Fingerprint Registration Wizard, then the next time the user tries to log on to Windows, the user will be unable to log on. If users have not registered their fingerprints, they will need to contact an administrator to register their fingerprints. However, if you allow a fingerprint or a password to log on as part of an initial phase, users can continue working as they learn to adopt the new policies.
If smart cards are deployed, in order to provide a more convenient logon process for multi-credential logons, you can choose to allow the fingerprint to unlock the smart card instead of requiring users to type the PIN for the smart card.

All Multi-credential Logon to Windows settings are available as GPO settings. User-level settings are also available, which will override GPO settings, except for the Fingerprint is allowed to unlock the smart card option, which is only available through the GPO. See also “Multi-credential Logon to Windows” on page 85 and “User Properties & Commands” on page 90.

Fingerprint Registration Options
You can allow users to register their own fingerprints from their computers, or you can require that fingerprint registration be attended by a designated administrator or supervisor. With attended fingerprint registration, a designated user must be logged on to supervise the fingerprint registration process of other users. You can also set permissions so that the users cannot modify the registered fingerprints. For more information on using attended fingerprint registration, see “Attended Fingerprint Registration” on page 102.

Fingerprint Registration statistics can be viewed and monitored with the User Query Tool, described in the topic “User Query Tool” on page 144.

Implementing Stronger Security Settings in Stages
For large enterprise deployments, you might want to implement less strict security settings while users adopt the new process of registering fingerprints and using fingerprints to log on. During this time, you can configure a setting allowing either a fingerprint or a password for logon to Windows. This allows users to register their fingerprints and to start using them, for example, over a two-week period.
Afterwards, you can transition to more strict settings such as making fingerprints required for logon, or randomizing user passwords, which effectively blocks users from being able to use a password to log on to the network and forces the use of fingerprints for logon. These and other security-related settings can be found in the DigitalPersona Pro Administrative Templates.

If you find that users have not registered fingerprints, you can either complete attended fingerprint registration with the users, or you can choose to extend the open registration period. In this case, continue to inform the users that they will not be able to log on if they do not register their fingerprints before a specific date.

All users should take additional measures to decrease the likelihood of unauthorized access to their computers. Suggestions in this manual are specific to DigitalPersona Pro only and do not represent a complete list of security measures. All users should create secure passwords for Windows accounts and applications. Refer to the Microsoft Web site for more information about securing your computer from unauthorized access. The Microsoft Web site also contains more information on creating secure passwords.

Deploying One Touch SignOn Templates
The administrator for One Touch SignOn can decide how much control to maintain over OTS templates for One Touch SignOn to Web sites and programs.
• Templates can be created by an administrator and then deployed to Workstations using DigitalPersona GPO settings.
• The ability for users to make changes to OTS account data or create their own OTS templates can be limited or completely disabled. You can also choose to allow some, or all, users to use the OTS Administration Tool to create their own templates, which can be stored on their workstation.
Workstation Installation and Connecting the Reader
Smaller companies may want users to install the hardware. Larger companies may use a representative from the IT department to install the hardware. To install software locally, the user must have administrative privileges on the local computer.

End-User Education
Deployment will be most effective and flow more smoothly if you inform your users about the new user experience before DigitalPersona Pro Workstation or Kiosk is actually installed on their computers.
• Users need instructions on what to do when they view the DigitalPersona Pro Welcome screen to log on to Windows and when the Fingerprint Registration Wizard launches. (See “One Touch Logon” on page 172 and “Fingerprint Registration” on page 169.)
• Encourage users to read the online help that is available in the DigitalPersona Pro folder on the Start/Programs menu, or by clicking the reader icon in the taskbar notification area.
• Let users know that their fingerprint images will not be stored. Instead, only specific features of the fingerprints are obtained and stored. This data cannot be reverted to actual fingerprint images.

Warning: Make sure that you do not enable restrictive logon settings based on fingerprints until users have successfully registered fingerprints.

Note: Let users know that their fingerprint images will not be stored. Instead, fingerprints are converted into binary data and then stored. This data cannot be reverted to actual fingerprint images.

Deployment Plan Checklist
This checklist provides you with a series of basic steps relating specifically to DigitalPersona Pro which should be included in your overall deployment plan.

1 Plan for the number of Pro Servers, Pro Workstations and Pro Kiosks to be installed in your deployment.
In larger deployments, it is recommended to have enough servers installed to provide service to the first set of users. Evaluate response time for user authentication to ensure that enough servers are installed as each set of users is added. Smaller organizations may decide to deploy all users at the same time.

2 Determine the number of Pro Servers, Workstations, Kiosks and User Authentication Licenses (UALs) that you will need. Use the License Control Manager application (see page 98) to generate a license request file and send it to DigitalPersona along with your purchase order.

3 Deploy Pro Servers, which includes performing an Active Directory schema extension, domain configuration and installation of the DigitalPersona Pro Server software to support the first set of users. If your deployment includes Pro Kiosk, see the Administrator’s Guide for additional Kiosk-related Pro Server setup instructions.

4 Test the DigitalPersona Pro Workstation deployment on a single computer and set the options that the end users will use. Test the GPO settings in Active Directory and confirm the intended effects for users.

5 Inform and educate end users on the deployment process and the tasks that you want them to complete.

6 If using Attended Fingerprint Registration, register user fingerprints from the test DigitalPersona Pro Workstation and/or Kiosk. Attended registration requires a supervising user and the end user to be present to register the user’s fingerprints. See “Attended Fingerprint Registration” on page 102 for more information.

7 Create and deploy One Touch SignOn templates for fingerprint logon to Web sites and programs.

8 For the initial installation of DigitalPersona Pro Workstations or Kiosks, keep the group size manageable. Users should be separated into sets either by department or geography or some other grouping.
The first set of users should be a small test group to make sure you have implemented settings as intended. Later, other sets of users can be added in stages.

9 Connect fingerprint readers to computers. Instruct users on which order to complete install, hardware connection, and fingerprint registration as needed.

Chapter 14 - DigitalPersona Pro Settings

This chapter provides an alphabetical listing of the policies and settings available in DigitalPersona Pro Server and Workstation, describes where they are located in Active Directory, and gives the page number in this guide where they are defined. Where the original table gave no page number for a setting, the Page column is left empty.

Setting Name | Location | Page
Account lockout duration | Computer Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Server/Fingerprint Verification Lockout | 79
Account lockout threshold | Computer Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Server/Fingerprint Verification Lockout | 79
Account is locked out from use of fingerprint credentials | Users and Computers tool/[user name]/User Properties/DigitalPersona Pro tab (Basic Property) | 92
Allow Fingerprint Data Redirection | Computer Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona [Workstation and Kiosk] | 82
Allow OneTouch Internet | User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Workstation/Workstation Properties | 86
Allow users to add account data | User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro [Workstation and Kiosk]/OTS/One Touch SignOn configuration | 87
Allow users to delete account data | User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro [Workstation and Kiosk]/OTS/One Touch SignOn configuration | 87
Allow users to edit account data | User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro [Workstation and Kiosk]/OTS/One Touch SignOn configuration | 87
Automated Site Coverage by BAS Locator DNS SRV Records | Computer Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Server/BAS Locator DNS Records | 77
Cache Domain User Data on Local Computer | User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Workstation/ |
Dynamic Registration of BAS Locator DNS Records | Computer Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Server/BAS Locator DNS Records | 75
Event Logging | Computer Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro [Server, Workstation and Kiosk] | 74
False Accept Rate Used in Fingerprint Verification | Computer Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro [Server, Workstation and Kiosk]/Fingerprint Recognition | 80
Fingerprint is allowed to unlock the smart card | User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Workstation/Multicredential logon to Windows | 85
Fingerprint Recognition | Computer Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro [Workstation and Kiosk] | 80
Kiosk Workstation Shared Account Settings | Computer Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Kiosk Workstation | 83
Maximum Number of Registered Fingerprints Per User | Computer Configuration/Administrative Templates/DigitalPersona Pro [Server, Workstation and Kiosk]/Fingerprint Recognition | 81
Maximum Size of Identification List | User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Workstation | 84
Multi-credential logon to Windows | User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Workstation/ | 85
Password is not allowed for logon | User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Workstation/Multicredential logon to Windows | 85
Path to the container of templates | User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro [Workstation and Kiosk]/OTS/One Touch SignOn configuration | 87
PIN is required when a fingerprint is provided | User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Workstation/Multicredential logon to Windows | 85
Priority Set in BAS Locator DNS SRV Records | Computer Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Server/BAS Locator DNS Records | 76
Randomize user’s Windows password | Users and Computers tool/[user name]/User Properties/DigitalPersona Pro tab (Basic Property) | 91
Refresh Interval of BAS Locator DNS Records | Computer Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Server/BAS Locator DNS Records | 75
Register BAS Locator DNS SRV Record for Domain | Computer Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Server/BAS Locator DNS Records | 78
Reset account lockout counter after | Computer Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Server/Fingerprint Verification Lockout | 79
Show clear text passwords | User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro [Workstation and Kiosk]/OTS/One Touch SignOn configuration | 87
Show fingerprint icon on the taskbar | User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Workstation/Workstation Properties | 86
Show One Touch Menu upon fingerprint validation | User Configuration/Administrative Templates/DigitalPersona Pro [Workstation and Kiosk]/Workstation Properties | 86
Sites Covered by BAS Locator DNS SRV Records | Computer Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Server/BAS Locator DNS Records | 77
Size of the Identification List for Kiosks | Computer Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Kiosk Workstation/ | 79
Use Basic Template Format | Computer Configuration/Administrative Templates/DigitalPersona Pro [Workstation and Kiosk]/Fingerprint Recognition | 82
Use DigitalPersona Pro Server for authentication | User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Workstation/ | 83
User must provide a fingerprint to log on | User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Workstation/Multicredential logon to Windows | 85
User must provide a fingerprint to log on | Users and Computers tool/[user name]/User Properties/DigitalPersona Pro tab (Extended Property) | 93
User must type a PIN when providing a fingerprint to log on | Users and Computers tool/[user name]/User Properties/DigitalPersona Pro tab (Extended Property) | 93
User provides only Windows credentials to log on | Users and Computers tool/[user name]/User Properties/DigitalPersona Pro tab (Basic Property) | 91
Weight Set in BAS Locator DNS SRV Records | Computer Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Server/BAS Locator DNS Records | 76

Kiosk-Specific Settings

Setting Name | Location | Page
Allow automatic logon using Shared Kiosk Account | Computer Configuration/Administrative Templates/DigitalPersona Pro Kiosk Workstation |
Force Authentication On Server | Computer Configuration/Administrative Templates/DigitalPersona Pro Kiosk Workstation | 88
Kiosk Workstation Shared Account Settings | Computer Configuration/Administrative Templates/DigitalPersona Pro Kiosk Workstation | 88
Prevent users from logging on outside of a Kiosk session | Computer Configuration/Administrative Templates/DigitalPersona Pro Kiosk Workstation | 88
Size of the identification list for Kiosks | Computer Configuration/Administrative Templates/Kiosk Server Settings | 79
Unlock with Shared Account Credentials | Computer Configuration/Administrative Templates/DigitalPersona Pro Kiosk Workstation |

Chapter 15 - Troubleshooting

This chapter provides assistance to users having difficulty using the One Touch programs, being authenticated by their fingerprint, or using the U.are.U Reader.

Reader Troubleshooting
This section contains reader troubleshooting tips for a variety of symptoms.

Reader Does Not Light Up During Installation or Restart
If the reader does not light up during installation or restart after installation of DigitalPersona Pro, try the following:
• Ensure the reader is connected directly to a USB port on the computer, not a USB hub.
• Connect the reader to another USB port on the same computer.

If neither step resolves the issue, try any of the options in the following three sections.

Reinstall the USB Driver
Reinstalling the USB driver for the reader sometimes corrects the problem.

To reinstall the USB driver for the reader
1 Log on using your Windows password.
2 On the Start menu, point to Settings and click the Control Panel. Click the Hardware tab and then the Device Manager button.
3 Expand the Biometric item in the table and click Uninstall on the context menu of the U.are.U 4000 Fingerprint Device listing.
4 Unplug the reader.
5 Locate the UsbDPFp.sys file (C:\Windows\System32\drivers) and delete it.
6 Plug the reader in again. The installation wizard should automatically launch, locate the reader driver software and install it. If the wizard prompts you to locate the driver, point to the DpDrv folder in the Windows root folder.
7 Restart the computer.

Test Ports with Second Reader
If available, take a working reader from another computer and plug it into your computer. If it works, the original reader may be faulty; if not, the USB controller may be configured improperly (see “Check USB Controller Configuration” on page 229). In addition, you can also try plugging the original reader into a USB port on another computer to verify whether the fault lies with the reader or with the computer on which you are trying to install it.

Check USB Controller Configuration
Your computer must be configured to use USB devices. This section guides you through the process of verifying this functionality.

To check the USB controller configuration on your computer
1 On the Start menu, point to Settings and click Control Panel. Then, click System.
2 Click the Hardware tab and then the Device Manager button to verify that “Universal Serial Bus controller” is listed as an entry.
3 If the entry exists, click the plus sign (+) next to Universal Serial Bus controller and verify that icons for USB Root Hub and USB Port are present.
4 If none of the entries or icons are visible, or if they have exclamation marks or red X’s through them, you must contact the manufacturer of your computer to acquire the necessary software to support USB devices.

Reader Light Went Out When In Use
If the reader light is no longer lit after the reader has been in use for some time, try these steps to determine the source of the problem:
• Unplug the reader and then plug it in again. Check the USB cable connection to ensure a secure fit.
• Connect the reader to a different USB port on your computer to verify that the first USB port is working properly.
• Connect the reader to a different computer to see if the reader is malfunctioning.

If the reader functions on another USB port or computer, the first USB port is faulty. If the reader works on another computer, but not on the first one, check the USB controller configuration, as described in “Check USB Controller Configuration” on page 229.

Reader Does Not Blink When Touched
If the reader light is on, but does not blink when touched, unplug the reader and then plug it in again. If this does not correct the problem, clean the reader window. To clean the reader window, apply the sticky side of a piece of adhesive cellophane tape on the window and peel it away. Under heavy usage, the window coating on some readers may turn cloudy from the salt in perspiration. In this case, gently wipe the window with a cloth (not paper) dampened with a mild ammonia-based glass cleaner.

Software Does Not Respond When Reader Is Touched
If the reader light is on and it blinks when touched but the fingerprint is not scanned, unplug the reader and then plug it in again. If this does not correct the problem, try cleaning the reader, as described in “Cleaning the Reader” on page 190. If these steps do not correct the problem, try restarting your computer.

Reader Blinks Constantly
If the reader light blinks constantly, the reader window may need cleaning. To clean the reader window, apply the sticky side of a piece of adhesive cellophane tape on the window and peel it away. Under heavy usage, the window coating on some readers may turn cloudy from the salt in perspiration. In this case, gently wipe the window with a cloth (not paper) dampened with a mild ammonia-based glass cleaner.
One Touch Programs Troubleshooting
The following sections describe remedies for issues you may encounter with the One Touch programs of DigitalPersona Pro Workstation.

One Touch Logon Troubleshooting
If logon seems particularly slow, it may be because the computer is spending excess time looking for the DNS server. In this case, you can speed up authentication by manually specifying the preferred DNS IP address.

To manually specify the preferred DNS IP address on a DigitalPersona Pro Workstation
1 Locate the My Network Places icon on the desktop and click Properties on its context menu.
2 On the Network Connections dialog box, locate the Local Area Connection icon and click Properties on its context menu.
3 Select Internet Protocol (TCP/IP) on the Local Area Connection Properties dialog box and then click the Properties button.
4 Select the Use the following DNS server addresses radio button and type the IP address of the DNS server in the Preferred DNS server text box. Specify the IP address of the preferred DNS Server(s) to speed up logon.
5 Close all dialog boxes to save your changes.

One Touch Internet and OTS Troubleshooting
Following are issues you may encounter when using One Touch SignOn and One Touch Internet:
• Due to the design of a particular Web site or program, One Touch Internet or One Touch SignOn may not be able to automatically create a fingerprint logon. In the One Touch SignOn Administration Tool, use the Create Logon Template Manually or Create Change Password Screen Template Manually feature for access to more powerful options in designing Logon or Change Password Screen templates.
• A submit button may not be found when setting up a logon screen that uses a non-standard method for submitting forms. In this case, you will have to manually submit logon data by clicking the submit button on the Web page after One Touch SignOn or One Touch Internet fills in the field values.
• If a Quick Link is not working properly, ensure you have entered the Web page title in the logon screen setup exactly as it appears on the Web page. Also, verify that the URL specified in the logon screen setup is correct. Some Web pages redirect users to a temporary URL that expires after one-time use. If the logon screen you set up with One Touch SignOn or One Touch Internet redirects users to temporary and unique URLs, for example, with Microsoft’s Hotmail, you will have to manually type the URL in the logon profile instead of using the URL One Touch SignOn assigns by default.

Installation Troubleshooting
For additional troubleshooting information see: http://www.digitalpersona.com/support.

Chapter 16 - Customizing Pro Workstation

After installation of DigitalPersona Pro, administrators can override the default DigitalPersona Pro Properties settings in the Windows Registry for One Touch Menu content and Quick Actions.

Warning: Editing registry settings may damage your system. Before making changes, back up your data. Use the Last Known Good Configuration startup option if you encounter problems after making changes to the registry.

Instructions in the next two sections are provided to configure the One Touch Menu and Quick Actions using the Windows Registry.

Note: Changes made to the settings in the registry do not take precedence over local configuration by end users.

One Touch Menu Content
The One Touch Menu registry values determine which menu items are displayed. You can use the Windows Registry Editor to modify them, export the new settings to a .reg file, and import those settings on the target machines.
To configure the One Touch Menu content
1 Launch the Windows Registry Editor.
2 In the Registry Editor, navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\DigitalPersona\Applications\OTAppSettings\MenuContent

The following string values, all with a default value of 1, are listed:

String Value Name | Result of One Touch Menu command
Help | Displays the online Help file.
OTI (Create Fingerprint Logon) | Displays the Create Fingerprint Logon dialog when clicked.
Properties | Displays the Properties dialog.
QuickLinks | Displays Quick Links that you have created.

3 To remove an item from the One Touch Menu, set the corresponding value to 0. To add an item, set the value to 1.

Quick Actions
The procedure for modifying Quick Actions settings is similar to the One Touch Menu registry configuration. Using the Windows Registry Editor, you can specify the Quick Actions that correspond with a DigitalPersona Pro feature.

To configure Quick Actions in the Windows Registry
1 Launch the Windows Registry Editor.
2 In the Registry Editor, navigate to the following registry key:
HKEY_CURRENT_USER\SOFTWARE\DigitalPersona\Applications\OTAppSettings\QuickActions

During program installation, a single String Value (Default) is created. If any of the Quick Link settings in the Properties dialog box have been changed, three more String Values will exist:

Name | Definition | Type
F+Ctrl | Defines the action to perform when the Control key is pressed in conjunction with use of a registered fingerprint. | REG_SZ
F+Shift | Defines the action to perform when the Shift key is pressed in conjunction with use of a registered fingerprint. | REG_SZ
Finger | Defines the action to perform when no key is pressed in conjunction with use of a registered fingerprint. | REG_SZ

3 You can assign a Quick Action to any of the three String Values by setting the Value data to any of the following values.

Value | Result
None | Validates fingerprint, but does not perform any additional action.
OTI | Displays the Create Fingerprint Logon dialog.
Help | Displays the online Help file.
LockWorkstation | Locks the workstation.
OTMenu | Displays the One Touch Menu.
Properties | Displays the Properties dialog.
QuickLinks | Displays Quick Links that you have created.

Chapter 17 - Installing High Encryption

If your domain controller is not high-encryption (128-bit) capable, install Microsoft Windows 2000 High Encryption (128-bit) Capability, which is available for download from Microsoft. Because high encryption capability is built into Windows XP, 2003 and the latest service packs for Windows 2000, you do not need to install the high encryption pack on these operating systems.

To install Microsoft Windows 2000 High Encryption (128-bit) Capability on your domain controller
1 Double-click ENCPACK.exe to launch the installer.
2 When prompted to continue with the installation of Microsoft Windows 2000 high-encryption (128-bit) capability, click Yes.
3 To finish the installation, restart the computer.

Chapter 18 - Regulatory Information

DigitalPersona U.are.U® Fingerprint Reader Regulatory Information

Warning: To protect against risk of fire, bodily injury, electric shock or damage to the equipment:
• Do not immerse any part of this product in water or other liquid.
• Do not spray liquid on this product or allow excess liquid to drip inside.
• Do not use this product if it has sustained damage, such as a damaged cord or plug.
• Disconnect this product before cleaning.

Tested to comply with FCC Standards. For home or office use. Any changes or modifications not expressly approved by Digital Persona, Inc. could void your authority to operate this equipment.
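The One Touch Menu and Quick Actions registry configuration described in Chapter 16 above, as an added PowerShell example that is not part of this guide or DigitalPersona's software: it writes a baseline to the two keys the guide names and then audits them, which matters because the guide notes that registry changes do not take precedence over end users' local configuration. The key paths, value names and the set of valid Quick Action values are the ones the guide lists; the chosen baseline values (which menu items to hide, which Quick Action to assign) are assumptions for illustration, not settings the guide recommends.

```powershell
# Added example, not from the DigitalPersona guide. Key paths and value names
# come from Chapter 16; the baseline values below are assumptions chosen to
# illustrate a locked-down workstation.

# MenuContent is machine-wide under HKLM (needs local administrator rights);
# QuickActions is per user under HKCU, so that part must run as the target user.
$MenuContentKey  = 'HKLM:\SOFTWARE\DigitalPersona\Applications\OTAppSettings\MenuContent'
$QuickActionsKey = 'HKCU:\SOFTWARE\DigitalPersona\Applications\OTAppSettings\QuickActions'

# Assumed baseline: keep Help and Create Fingerprint Logon, hide the Properties
# dialog and Quick Links. Values are REG_SZ "1"/"0" as the guide describes.
$MenuBaseline = @{ 'Help' = '1'; 'OTI' = '1'; 'Properties' = '0'; 'QuickLinks' = '0' }

# Assumed baseline: a plain touch locks the workstation, Ctrl+touch opens the
# One Touch Menu, Shift+touch only validates the fingerprint.
$QuickActionBaseline = @{ 'Finger' = 'LockWorkstation'; 'F+Ctrl' = 'OTMenu'; 'F+Shift' = 'None' }

# The complete set of Quick Action values documented in the guide.
$ValidQuickActions = @('None', 'OTI', 'Help', 'LockWorkstation', 'OTMenu', 'Properties', 'QuickLinks')

$Targets = @(
    @{ Key = $MenuContentKey;  Values = $MenuBaseline }
    @{ Key = $QuickActionsKey; Values = $QuickActionBaseline }
)

function Get-RegistryString {
    # Returns the REG_SZ data, or $null when the key or the value is missing
    # (the guide says the three QuickActions values only exist once a user
    # has changed Quick Link settings, so "missing" is a normal state).
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$Name
}

function Set-OneTouchBaseline {
    # Creates the keys if needed and writes every baseline value as REG_SZ.
    # Supports -WhatIf so the writes can be previewed before they are applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($target in $Targets) {
        if (-not (Test-Path -Path $target.Key)) { New-Item -Path $target.Key -Force | Out-Null }
        foreach ($name in $target.Values.Keys) {
            $data = $target.Values[$name]
            if ($PSCmdlet.ShouldProcess("$($target.Key)\$name", "Set to '$data'")) {
                Set-ItemProperty -Path $target.Key -Name $name -Value $data -Type String
            }
        }
    }
}

function Test-OneTouchBaseline {
    # Compares the live registry with the baselines and returns one object per
    # deviation; an empty result means the workstation matches. Quick Action
    # data outside the documented set is reported even if it is not drift.
    $findings = @()
    foreach ($target in $Targets) {
        foreach ($name in $target.Values.Keys) {
            $expected = $target.Values[$name]
            $actual   = Get-RegistryString -Key $target.Key -Name $name
            $invalid  = ($target.Key -eq $QuickActionsKey) -and ($ValidQuickActions -notcontains $actual)
            if (($actual -ne $expected) -or $invalid) {
                $findings += [pscustomobject]@{
                    Key      = $target.Key
                    Name     = $name
                    Expected = $expected
                    Actual   = $actual
                }
            }
        }
    }
    return $findings
}

# Usage: preview, apply, then audit (for example from a logon script that
# writes the findings to a log for review).
Set-OneTouchBaseline -WhatIf
Set-OneTouchBaseline
Test-OneTouchBaseline | Format-Table -AutoSize
```

Run the audit part on its own to detect workstations where a user has locally changed the Quick Actions back; the script does not enforce the values on a schedule, it only reports drift.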
This device is rated as a commercial product for operation at +32°F (+0°C) to +104°F (+40°C).

The U.are.U Fingerprint Reader has been tested and found to comply with the limits for a Class B digital device under Part 15 of the Federal Communications Commission (FCC) rules, and it is subject to the following conditions: a) It may not cause harmful interference, and b) It must accept any interference received, including interference that may cause undesired operation.

This device conforms to emission product standards EN55022(B) and EN50082-1 of the European Economic Community and AS/NZS 3548 Class B of Australia and New Zealand.

This digital apparatus does not exceed the Class B limits for radio noise emission from digital apparatus as set out in the radio interference regulations of the Canadian Department of Communications. The same notice is given in French.

This product has been tested to comply with International Standard IEC 60825-1:1993, A1:1997, A2:2001; IEC 60825-2:2000.

CAUTION - USE OF CONTROLS OR ADJUSTMENTS OR PERFORMANCE OF PROCEDURES OTHER THAN THOSE SPECIFIED HEREIN MAY RESULT IN HAZARDOUS RADIATION EXPOSURE.
The same caution is given in French, German, Spanish and Italian.

This product uses LEDs that are inherently Class 1.

Index

Symbols
.dplif extension 99
_uareupro SRV RR 53
    DNS Console path 55
    modifying Priority and Weight settings 55

A
About menu item 166
Account is locked out from use of fingerprint credentials setting 92
account is locked out from use of fingerprint credentials setting 93
Account lockout duration 79
Account lockout threshold 79
Active Directory containers 51
    Biometric Authentication Servers container 51
    Policies container 51
Active Directory Domain Configuration Wizard 38
Active Directory Schema Extension Wizard 36
Active Directory, defined 10
add license 100
Administration Tools 27
    Cleanup Wizard 149
    installation 97
    License Control Manager 98
    overview 96
    User Query Tool 144
Administrative Templates & Snap-ins 11
ADSI Edit Tool 94
Allow automatic logon using Shared Kiosk Account 226
Allow Fingerprint Data Redirection 72
Allow Fingerprint Data Redirection setting 82
Allow OneTouch Internet setting 86
Allow users to add account data setting 140
Allow users to delete account data setting 87, 140
Allow users to edit account data setting 140
attended registration
    using 102
Authentication Server Object Name property 52
authentication, defined 15
Automated Site Coverage ... setting 77
automatic DNS registration 53
Automatic logon 226

B
BAS Locator settings 75
Basic Template Format 82
Basic User Properties 91
Biometric Authentication Servers container 51
    Server Version Object Name 52
    Service Configuration Container Name 52
BTF 82

C
Cache Domain User Data on Local Computer setting 83
Cache User Credentials setting 83
cached credentials
    defined 175
    in One Touch Logon 174
Change Password Screen Template 123
Change Password Screen Templates
    automatic 124
    manual 128
changes made during installation 51
changing passwords 199
changing your Windows password 189
chapter overview 3
checklist, deployment plan 220
choosing an account 142
Citrix 23, 25
Citrix Presentation Server
    Kiosk installation 67
    Workstation installation 62
cleaning the reader 190
Cleanup Wizard 149
command line install, Workstation 60
configuration options 214
configure domain 38
configuring
    OUs for kiosks 47
    Pro Server GPO settings 47
    settings for Pro Kiosk 46
configuring DNS dynamic registration 55
Connect to this domain the next time you run License Control Manager 99
connecting to a domain 98
Containers
    deleting 133
    editing 133
containers
    managing 133
conventions
    naming 6
    notation 6
    typographic 7
Creating Change Password Screen Templates 123
Creating OTS Templates 109
Credentials Management 155
Credentials, defined 15
custom installation of Pro Workstation 58
Custom Workstation installation 214

D
Delete fingerprint PIN 94
Delete Fingerprints 94
delete user credential data 94
deleting registered fingerprints 188
Deploying DigitalPersona Pro Server 33
deploying OTS templates 137
deployment factors 216
Deployment Plan 215
Deployment Plan Checklist 220
deployment planning 207
DigitalPersona icon 104, 127, 132, 141
DigitalPersona Platinum SDK 31
DigitalPersona Pro for Active Directory SDK 31
DigitalPersona Pro Kiosk 24
DigitalPersona Pro Server 22
DigitalPersona Pro Workstation 23
DigitalPersonaProKioskWkst.adm 70 DigitalPersonaProSvr.adm 40 DigitalPersonaProWksta.adm 40 DNS Console path 55 DNS Registration 53 domain, configuring for Pro Server 38 Dynamic DNS, defined 15 Dynamic Registration of BAS Locator DNS Records setting 75 E Enable sound feedback 187 Enable visual feedback 187 End-User education 219 event feedback fingerprint prompt feedback 167 fingerprint recognition feedback 167 fingerprint scan acquisition feedback 167 event logging 47 Event Logging setting 74 event logs specifications 153 extend the Active Directory schema 36 Extended Server Policy Module 28, 93 Extended Template Format 82 Extended User Properties 92 F Failed logon attempt lockout settings 79 False Accept Rate policy setting 80 FAR 80 FCC Standards 237 feature comparison 35, 211 feedback requested 9 Field Catalog 107 filtering Pro events 151 finding Pro events 152 fingerprint credentials deleting 188 registering 169 DigitalPersona Pro for Active Directory Administrator Guide 240 Index G-L fingerprint identification, defined 16 Fingerprint is allowed to unlock the smart card 85 fingerprint PINs, using 16, 176 fingerprint prompt feedback 167 Fingerprint readers 26 fingerprint recognition feedback 167 Fingerprint Recognition settings 80 fingerprint registration, defined 16 fingerprint scan acquisition feedback 167 fingerprint template, defined 16 fingerprint templates defined 15 registration template 16 Fingerprint Verification Lockout setting 79 fingerprint verification, defined 16 Fingerprint/Credentials Management 155 Force Authentication On Server setting 226 Force Authentication on Server setting 88 G getting license information 99 GPO implementation guidelines 41 Group Policy 12 H Help menu item 164, 166 Hide Icon menu item 166 High Encryption, installing 236 I identification list 174 defined 17 overview 192 identification list size 47 implementation guidelines 41 improving performance 55 installation scenario 209 installing Administrative Templates 40, 43 
Microsoft Windows 2000 High Encryption (128-bit) Capability 236 Pro Server 39 Pro Workstation software 57 Workstation Template locally 43 installing High Encryption 236 installing license files 100 Installing Pro Kiosk 65 installing Pro Kiosk 66 K key concepts authentication 15 cached credentials 175 fingerprint identification 16 fingerprint registration 16 fingerprint templates 15 fingerprint verification 16 identification list 174 Kiosk 24 kiosk computer, defined 17 Kiosk Installation on Citrix Presentation Server 67 kiosk permissions 48 Kiosk Server Settings 72, 79 Kiosk settings 88 kiosk user, defined 18 Kiosk Workstation Shared Account Settings 88 Kiosk Workstation Shared Account Settings setting 226 kiosk, defined 17 Kiosk-Specific Settings 226 L license installing 100 UALs 101 uninstalling 101 view details 100 License Control Manager 98 licensing model 98 list of Administration Tools 96 local installation of Pro Workstation 56 DigitalPersona Pro for Active Directory Administrator Guide 241 Index M-P Lock Computer menu item 165 locked account 93 locking a computer 179 Log Events policy setting 74 logging events 47 logging on to kiosks 197 logging on to programs 201 Logon Screen Actions, manual selections 117 Logon Screen Properties options 113 Logon Screen Template, manual options 121 M manual DNS registration 54 Maxi Size of Identification List setting 84 Maximum Number of Fingers ... setting 81 Microsoft Windows 2000 High Encryption (128-bit) Capability installing 236 modifying DNS Priority setting 55 Multi-credential Logon ... 
setting 85 Multi-credential logon settings 216 O One Touch Internet 18, 23, 25 One Touch Internet, defined 18 One Touch Logon 23, 24 Cached Credentials 174 changing Windows password with 189 Identification List 174 overview 23, 24 One Touch Menu Help 164 Properties 164 Quick Links 163 One Touch SignOn 23, 24 changing passwords 142 creating templates manually 115 deploying templates 137 logging on 141 overview 23, 24, 104 settings 87, 139 One Touch Unlock 179 online help 9 Organizational Units 12 OTS Administration Tool containers 107 Field Catalogs 107 installing 105 setup 105 OTS Templates creating automatic 109 creating manual 115 OTS templates 47 P Password is not allowed for logon 85 Path to the container of templates setting 87, 140 PIN is required when a fingerprint is provided 85 Planning & Deployment 207 planning overview 209 Policies container 51 policy settings Account Lockout 79 False Accept Rate 80 Log Events 74 Max Size of Ident. List 84 Maximum Number of Fingers... 81 Multi-credential Logon 85 Use Remote Authentication Server 83 Prevent users from logging on outside of a Kiosk session. 
88, 226 Priority Set in BAS Locator DNS SRV Records setting 76 Pro Kiosk, installing 68 Pro Server Active Directory containers 51 installation overview 33 installing software 39 overview 22 published information 52 system requirements 39 DigitalPersona Pro for Active Directory Administrator Guide 242 Index uninstalling 55 Pro Server GPO settings identification list size for kiosks 47 logging kiosk events 47 OTS templates 47 Pro Workstation custom installation 64 installing 64 locking 179 system requirements 56 Product Compatibility 30 product components and modules 21 Product GUID property 52 Product Name 52 Product Version High property 52 Product Version Low property 52 Product Version Number property 52 Properties menu item 164 property settings Cache User Credentials on the Workstation 83 providing multiple credentials 142 published information 52 Authentication Server Object Name property 52 keywords 52 Product GUID property 52 Product Name 52 Product Version High property 52 Product Version Low property 52 Product Version Number 52 Schema Version Number property 52 Service Class GUID property 52 Service Class Name property 52 Service Principal Name property 52 Vendor Name property 52 Q query users 144 Quick Link 113 Quick Links menu item 163 Q-S R RDP 82 reader cleaning 190 touching 190 troubleshooting 228 reader icon, indicating connectivity status 165 reader menu About 166 Help 166 Hide Icon 166 Lock Computer 165 Properties 166 recommended skill set 8 Refresh Interval of BAS Locator DNS Records setting 75 Register BAS Locator ... 
setting 78 Register fingerprints 94 registering fingers 169 registration template, defined 16 registry settings, workstation 233 Regulatory Information 237 Related Products 31 Remote Access 25 remote access 23, 82 remote installation of Pro Workstation 60 removing Pro data 149 required software & hardware 212 requisite knowledge 8 Reset account lockout counter after 79 running an interactive query 145 Running User Query Tool from the command line 145 S schema Active Directory Schema Extension Wizard 36 extending 36 Schema Version Number property 52 SDK 31 Service Class GUID property 52 DigitalPersona Pro for Active Directory Administrator Guide 243 Index T-U Service Class Name property 52 Service Configuration Container Name 52 Service Principal Name property 52 Service Resource Records 19 _uareupro SRV RR 53 adding manually 55 format 53 Service Version Object Name 52 settings categories 70 settings, location 70 Shared Accounts, specifying 48 Show clear text passwords setting 87, 140 Show fingerprint icon setting 86 Show One Touch Menu ... setting 86 Show Reader icon on the taskbar property 187 Sites Covered by BAS Locator ... 
setting 77 Size of the Identification List for Kiosks setting 79 Size of the identification list for Kiosks setting 226 smart cards, using for logon 178 specifying Shared Accounts 48 start menu 205 stronger security settings 218 support 9 DigitalPersona Web site 9 during evaluation 208 online help 9 phone support 9 Professional Services 208 readme file 9 technical 208 SVR RR 19 swipe readers 26 System Requirements 29 system requirements Pro Server software 39 Pro Workstation 56 T Templates finding 134 templates deleting 136 deploying 137 editing 135 finding fields in 135 finding redundant 135 managing 134 setting container path to 137 Terminal Services 82 to remove user credential data 94 to unlock a locked account 93 touching the reader 190 two-factor authentication 142 typographic conventions 7 U U.are.U Fingerprint Reader 213 uninstalling Pro Server 55 Pro software remotely 60 Pro Workstation 64 uninstalling Pro Kiosk 68 Unlock with Shared Account Credentials setting 227 unlocking kiosks 199 unlocking locked accounts 93 upgrading from Previous Versions 33 Use Basic Template Format setting 82 Use DigitalPersona Pro Server for authentication setting 83 Use Remote Authentication Server policy setting 83 User Authentication Licenses 101 User Context Menu commands 94 user credential data, remove 94 User must provide a fingerprint to log on 85 User must provide a fingerprint to log on setting 93 User must type a PIN when providing a fingerprint to log on setting 93 User Policies DigitalPersona Pro for Active Directory Administrator Guide 244 Index V-X Basic 91 User Properties 89, 90 Extended 92 User Query Tool 144 parameters 145 run from script 147 users, attended registration 102 users, switching 204 using attended registration 102 fingerprint PINs 16, 176 One Touch Logon 197 One Touch Unlock 199 smart cards 178 Windows Event Viewer 151 using Pro Cleanup Wizard 149 V Vendor Name published information property 52 view license details 100 W Weight Set in BAS Locator 
DNS SRV Records setting 76 Windows Administration Pack 89 Windows Event Viewer 74 filtering Pro events 151 finding Pro events 152 using 151 Windows Logon Policies 214 Windows Registry 233 workstation only installation 210 Workstation Properties settings 86 Workstation User Properties 89, 90 X XTF 82 DigitalPersona Pro for Active Directory Administrator Guide 245