Hitachi ID Systems, Inc.


Login Prompt Access To Password Reset

Password reset for on-site, locked-out users:

Password Manager can be configured with a secure kiosk account (SKA), implemented as a special user, user group and group policy object (GPO) in AD. (Configuration under NT domains and NDS environments is similar, but uses the native workstation policy mechanisms.)

Users who forget their passwords can log into AD from their own workstation with the SKA account, typically called "help" and given an easy-to-remember or blank password.

The GPO attached to this account replaces the default Windows shell with a special binary loaded from a UNC path on the Password Manager server. This binary launches a kiosk-mode web browser on the user's workstation at a URL that allows the user to perform a self-service password reset.
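The shell swap described above is done with the per-user "Custom User Interface" policy, which writes a Shell value under the user's Policies\System registry key. The following audit script is an added example, not Hitachi ID Systems code: run in the kiosk account's session, it reports whether the shell is overridden and whether the override points at the expected UNC path. The server share \\PMSERVER\ska\kiosk.exe is a constructed placeholder.

```powershell
# Added example (not Hitachi ID code): audit the per-user "Custom User Interface"
# policy that a GPO uses to replace the Windows shell for the SKA account.
# Assumption (constructed placeholder): the kiosk binary is published at
# \\PMSERVER\ska\kiosk.exe; substitute your Password Manager server's share.
$ExpectedShell = '\\PMSERVER\ska\kiosk.exe'
$PolicyKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-ShellPolicyStatus {
    param([string]$Expected)

    # Policy-set shell; absent when the user gets the default explorer.exe.
    $shell = (Get-ItemProperty -Path $PolicyKey -Name Shell -ErrorAction SilentlyContinue).Shell
    if (-not $shell) {
        return [pscustomobject]@{
            Overridden = $false; IsUnc = $false
            Shell = 'explorer.exe (default)'; Status = 'Default shell, no kiosk policy applied'
        }
    }

    # The SKA design loads the replacement shell from a UNC path, so a local
    # file path here is not the documented configuration.
    $isUnc = $shell -match '^\\\\[^\\]+\\'
    $status = if ($shell -eq $Expected) { 'Expected SKA kiosk shell' }
              elseif ($isUnc)          { 'UNC shell but not the expected path: investigate' }
              else                     { 'Local shell override: not an SKA configuration' }

    [pscustomobject]@{ Overridden = $true; IsUnc = $isUnc; Shell = $shell; Status = $status }
}

Get-ShellPolicyStatus -Expected $ExpectedShell | Format-List
```

Because the GPO is user-scoped, the check must run under the SKA account itself (or against its loaded hive); an administrator's own session will simply report the default shell.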

The GPO prevents the SKA account from being abused:

The SKA allows users of Windows / Active Directory domains with any Windows workstation to access self-service password reset without installing client software.

The SKA is easily deployed and centrally controlled and monitored.

Password reset for remote, locked-out users:

When users are off-site and not connected to the corporate network, they can use a telephony solution (IVR, interactive voice response) to reset a VPN password. This does not resolve problems users may encounter with their local workstation passwords or with cached domain passwords.

A locally deployed secure kiosk account (LSKA, local secure kiosk account) and a locally deployed GINA extension service are both available to assist mobile, off-site users who have forgotten the password they use to sign into their own workstation. The LSKA and GINA (Graphical Identification and Authentication library) solutions establish a temporary network connection, launch a locked-down web browser and let the user authenticate to Password Manager with something other than their domain or VPN password. Once authenticated, the user can reset their password(s) both on network services and locally on their workstation.

Extending the login prompt GUI:

Instead of deploying an SKA account, where users must type HELP to sign into the self-service user interface, Hitachi ID Systems customers may elect to deploy a GINA extension service on workstations. This extends the user interface of the workstation login subsystem (GINA) with a button that launches a locked-down, kiosk-mode web browser.

The GINA option has pros and cons: it is slightly more user-friendly (press a button rather than typing "help") and eliminates the password-less SKA account. On the other hand, it requires a software footprint on every workstation, which must be validated against every computer image and operating system patch to ensure interoperability.

Note that a GINA DLL is not installed on user PCs, even with this option. This is helpful, since buggy GINA DLLs or an incorrect uninstallation sequence can render a PC inoperable.