Description

Indeed AM Windows® Logon features

The Indeed AM Windows® Logon product provides users with the following capabilities:

  • Logging in to the system with account password
  • Logging in to the system with Indeed AM authentication technology
  • Access to remote desktop with Indeed AM authentication technology
  • Logging in to the system with cached authenticator when connection to Indeed server cannot be established.

To protect user data when the user is away from the workplace, Indeed AM Windows® Logon supports both manual and automatic workstation locking. Automatic locking is triggered when the authentication device is removed or when the screen saver becomes active. To unlock the workstation, the user must always confirm their identity again with an authenticator, regardless of the locking method.

Advanced features

Indeed AM Windows® Logon provides the following advanced features:

  • Registration of an authenticator by the user and authenticator management using the Indeed AM – Authenticator management application.
  • The Indeed AM Paste function, which pastes the user password in hidden form into the required field when the configured hotkey combination is pressed.

Supported authentication technologies

The Indeed AM Windows® Logon product supports more than 20 modern authentication technologies. These are: two-factor authentication, biometric authentication, certificates, proximity cards, one-time passwords, SMS technologies etc.
You can define the most suitable authentication technology for each category of Indeed AM Windows® Logon users. The users can also be allowed to use several technologies:

  • authentication technology, adapted for remote use;
  • combination of authentication technologies (multi-factor authentication).

Operation of Indeed AM Windows® Logon

This section describes the main Indeed AM Windows® Logon operation scenarios:

  • The first authenticator registration
  • Access to system using an authenticator
  • User authenticator caching
  • Password changing by user

Installation

To install the Indeed AM Windows® Logon component, run the IndeedID.WindowsLogon.msi installer and follow the instructions of the installation wizard.
After the installation is complete, the system has to be restarted. Click Yes to restart the system immediately, or No if you plan to do this manually later.


The installation files for Indeed AM Windows Logon are located in: indeed AM\Indeed AM Windows Logon\<version number>\

  • IndeedID.WindowsLogon.msi - installation package for Indeed AM Windows Logon on a 32-bit OS.
  • IndeedID.WindowsLogon.x64.msi - installation package for Indeed AM Windows Logon on a 64-bit OS.



To deploy Indeed AM Windows® Logon to user workstations in automatic mode, the Microsoft Group Policy mechanism can be used. Alternatively, you can use any other tool that allows batch copying and installation of msi packages to user workstations (for example, Microsoft System Center Configuration Manager).
The methods of Indeed AM system component deployment in automatic mode are detailed in the Indeed AM. System Deployment manual.pdf.

Update and removal of Indeed AM Windows® Logon

The product is removed or restored using the standard procedure for the supported operating systems, via the Control Panel.


Local Administrator privileges are required for the Indeed AM Windows® Logon removal. After the Indeed AM Windows® Logon package is removed, the system has to be restarted.

You don’t have to remove the current version of the software to update it. In the course of update, the installed components are replaced by newer ones.


To update the Indeed AM Windows® Logon at user workstations in automatic mode, the group policy mechanism (Microsoft Group Policy) can be used. You can also use the deployed Microsoft System Center Configuration Manager for this purpose.

The methods of Indeed AM system component update in automatic mode are detailed in the Indeed AM. System Deployment manual.pdf.

Configuration

Configuration from regedit

  1. Open the Windows Registry Editor (regedit).
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Indeed-ID\SrvLocator2.
  3. Edit the string parameter ServerUrlBase and set it to the URL of your Indeed Access Manager Server (example http(s)://dc.indeed-id.local/easerver/).
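
One way to audit the value set in step 3 on a workstation, as an added PowerShell example that is not part of the Indeed AM documentation. The function names and sample values are constructed for illustration, and the https check is a hardening check applied here, not a requirement stated on this page.

```powershell
# Added example: audit the ServerUrlBase value set in the steps above.
# Key path and value name come from this page; function names are hypothetical.
$KeyPath   = 'HKLM:\SOFTWARE\Indeed-ID\SrvLocator2'
$ValueName = 'ServerUrlBase'

function Test-ServerUrlBase {
    param([string]$Url)
    $findings = @()
    $uri = $null
    if ([string]::IsNullOrWhiteSpace($Url)) {
        $findings += 'ServerUrlBase is missing or empty'
    } elseif (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) {
        # Also catches the literal "http(s)://" placeholder copied from the docs.
        $findings += "Not an absolute URL: $Url"
    } else {
        if ($uri.Scheme -ne 'https') {
            $findings += "Scheme is '$($uri.Scheme)': logon traffic to the server is not protected by TLS"
        }
        if ($uri.UserInfo) { $findings += 'URL embeds a user name or password' }
        if ($uri.Query -or $uri.Fragment) { $findings += 'Base URL carries a query string or fragment' }
    }
    return ,$findings
}

function Get-ServerUrlBaseAudit {
    # Read the live value; a missing key or value is reported, not thrown.
    $value = $null
    try {
        $value = Get-ItemPropertyValue -Path $KeyPath -Name $ValueName -ErrorAction Stop
    } catch { }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Value = $value; Findings = Test-ServerUrlBase $value }
}

# Constructed sample values (host name taken from the page's example) for an offline run.
$samples = 'https://dc.indeed-id.local/easerver/',
           'http://dc.indeed-id.local/easerver/',
           'http(s)://dc.indeed-id.local/easerver/',
           ''
foreach ($s in $samples) {
    $f = Test-ServerUrlBase $s
    $status = if ($f.Count) { $f -join '; ' } else { 'OK' }
    '{0,-45} {1}' -f "'$s'", $status
}
```

Run `Get-ServerUrlBaseAudit` on a workstation with the component installed to check the live registry value.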

Configuration from GPO



Group Policy templates are located in: indeed AM\Misc\GroupPolicyTemplates

Add the IndeedID.ServerUrl.admx policy template on the workstation where Indeed AM Windows Logon is installed.

Open gpedit.msc and go to Computer Configuration - Administrative Templates - Indeed ID ClientConnection - Server connection settings. Enable the policy.

In the "AM server URL" field, specify the URL of your Indeed Access Manager Server (for example http(s)://dc.indeed-id.local/easerver/).

Using the Indeed AM Windows® Logon

The following must be installed on your workstation to provide access to the system using the Indeed AM authentication technology:

  • Indeed AM Windows® Logon module, which provides access to the system using an authenticator.
  • Indeed AM Provider module that corresponds to the selected authentication technology.
  • Hardware authentication device (if required).



Logging in with authenticator and authenticator management are only available if permitted by the system administrator.

The first login to the system

After the necessary software is installed onto your workstation, the first login to the system is performed with the user domain password.
After the operating system is loaded, the Windows welcome screen is displayed. Press Ctrl+Alt+Del and select your account. If you need to log in under another account, click Other user.
The opened Windows Logon window displays the last username used to login and the authentication method used. Do one of the following:

  1. In the Windows Logon window select the Password login method, then enter your password and click Login.
  2. If the user account name has to be changed, click Switch user, then select the account you want, enter the password and click Log in.
  3. If authenticator registration is allowed for your account, the “First Login Wizard” runs upon logging into operating system and prompts to register an authenticator.


    This Wizard is only displayed if you are a licensed Indeed AM user and are permitted to use Indeed AM authentication technology. For more information, please contact your system administrator.

You can register an authenticator at once or at any moment later.

  • To continue with authenticator registration, select one of the authentication methods available in the Authenticator management window (for example, “One-time matrix”).
  • To log in to the operating system without authenticator registration, click Exit. In this case, the First Login Wizard is displayed at each subsequent system login until the first authenticator is registered.

If the necessary Indeed AM providers are not found on the user workstation, authenticator registration is not possible.

If this message appears, please contact your system administrator. See also: The first authenticator registration.

The first authenticator registration

If the user is permitted to use Indeed AM authentication technology, then he or she is prompted to register the first authenticator after logging in to the workstation with the domain account password. To do so, select the authentication method you need and follow the instructions of the Authenticator registration wizard. The window appearance and hint text depend on the selected authentication method.
Perform the required actions, following the hints in the Authenticator management window.

If you want to return to the previous page and select another authentication method, click Back.

After all the necessary actions are complete, the Authenticator management window shows the following message: “New authenticator has been successfully enrolled”.

You can add an arbitrary text comment to the registered authenticator (if allowed by the system administrator). To finish authenticator registration, click Save.
The type of registered authenticator and comment to it, if any, are displayed in the Authenticator management window. If the user account is allowed to have several authenticators, then you can proceed to registration of those by clicking Add login method. You can also modify, verify or remove a registered authenticator (if allowed by the system administrator).


When using certain models of biometric authentication devices (for example, Digent IZZIX FD 2000, FD/FM 1000 fingerprint scanners), errors are possible during registration and recognition of an authenticator. These errors are related to the scanner sensitivity level and individual features of the human body (body temperature, skin moisture, the way the finger is presented). To avoid such errors, it is recommended to verify the authenticator immediately after registration.

Logging in with authenticator shall be available upon the next login attempt.

If random password generation is allowed for your account, the following message is displayed in the Authenticator management window after registration of the first authenticator:


Random password for your account shall be generated upon expiration of the current one. If a random password was generated for your account, the next login is possible with the authenticator only.
If authenticator caching is allowed for the user account, then the authenticator shall be stored in the local cache upon the next login to the operating system. This makes it possible to log in with a cached authenticator even if Indeed servers are unavailable.

