ActivIdentity SecureLogin

Single Sign-On
Administration Guide

Version 6.2 | Released | November 23, 2009

ActivIdentity SecureLogin Single Sign-On | Administration Guide

Table of Contents
Chapter 1: Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Product Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Chapter 2: Installing ActivIdentity SecureLogin Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Installing Using Installer Command-line Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Windows Installer Command-line Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Windows Installer Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
ActivIdentity SecureLogin Property Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Install Mode Values. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Install, Uninstall and Configure Feature Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Administration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Java Application Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Mozilla Firefox Plug-in. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Citrix or Terminal Services Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Group Policy Object Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Smart Card Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
ActivIdentity SecureLogin Installer Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Start-up Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Cache Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
User Interface Install Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Uninstall Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Installer Code Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Mode and Feature Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Installation with User Interface Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Feature Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Silent Citrix Command-line Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Chapter 3: Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
ActivIdentity SecureLogin Personal Management Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Start the Personal Management Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
ActivIdentity SecureLogin Administrative Management Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Start the Administrative Management Utility from the Start Menu . . . . . . . . . . . . . . . . . . . . . . . . . 22
Start the Administrative Management Utility using the Active Directory Snap-in . . . . . . . . . . . . . . 23
Chapter 4: Configuring ActivIdentity SecureLogin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Setting User Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26

External Use | November 23, 2009 | Product Version 6.2 | 2009 ActivIdentity

Change a Preference Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Prerequisite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Disable User Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
ActivIdentity SecureLogin Datastore Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Legacy Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Automatic Datastore Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Changing the Directory Datastore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Change the Organizational Unit Level Datastore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Deploying an Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Deleting or Resetting a User's Datastore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Chapter 5: Managing Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
About Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Preference Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Setting a User Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Default Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Inherited Preference Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Preferences Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
General Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Java Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
New JREs Automatically Updated at Runtime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Windows Update Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Security Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Web Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Windows Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Chapter 6: Managing Passphrases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
About Passphrases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Create a Passphrase Question . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Reset a Passphrase Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Edit a Passphrase Question . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Change the Passphrase Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Change a Passphrase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Chapter 7: Managing Passphrase Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
About Passphrase Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Passphrase Policy Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Change a Passphrase Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Enabling Passphrase Security System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Passphrases and Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
PKI Encryption and Passphrase Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Enable Passphrase Security System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Yes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Hidden. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
No . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Check Passphrase Security System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Passphrase Security System Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Scenario 1: Passphrase Security System Disabled in a Previously Enabled Environment . . . . . . 64
Scenario 2: Passphrase Security System Re-enabled in a Previously Disabled Environment . . . 65
Scenario 3: Passphrase Forgotten . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Chapter 8: Managing Password Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
About Password Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Password Policy Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Open the Password Policies Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Create a New Password Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Change a Password Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Delete a Password Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Linking a Policy to an Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Chapter 9: Managing Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
About Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Create a User Logon and Credential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Link a Logon to an Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Linking Credentials: Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Deleting Logon Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Chapter 10: Managing Security and Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
How ActivIdentity SecureLogin Uses Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Smart Card Logon to a Workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Securing ActivIdentity SecureLogin Credentials with Your Smart Card . . . . . . . . . . . . . . . . . . . . 85
Strong Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Network Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Authentication Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
One-Time Password (OTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Scripting for One-Time Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Re-Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
External Re-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Installing ActivIdentity SecureLogin for Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Client Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Server-Side Administration Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Minimum Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Supported Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Configuring ActivIdentity SecureLogin for Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
ActivIdentity SecureLogin Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Require Smart Card is present for SSO and Administration Operation . . . . . . . . . . . . . . . . . . . 91
Use AES for SSO Data Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Use Smart Card to Encrypt SSO Data: PKI or Symmetric Key. . . . . . . . . . . . . . . . . . . . . . . . . . 92
Seamless Authentication Method Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
PKI Encryption of Data Store and Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Choosing a Certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Certificate Selection Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Current Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Check Certificate Validity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Lost Card Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Lost Card Scenario Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Require Smart Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Allow Passphrase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Default. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Temporary Access Using Passphrases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Access with No Card Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Restoring a Smart Card Using a Card Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
PKI Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Card Management System (CMS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Chapter 11: Enabling Applications and Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
About Enabling Applications and Web Sites for ActivIdentity SecureLogin . . . . . . . . . . . . . . . . . . .100
Windows Server 2003/2008 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Microsoft Internet Explorer Enhanced Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Disabling Internet Explorer Enhanced Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Enabling Applications Using a Predefined Application Definition . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Enabling Applications (Windows/Java) and Web Sites Using the Application Definition Wizard . . .103
Realm Logon and Credential Sharing between Web Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Enable a Java Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Enable a Terminal Emulator Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Create and Save a Terminal Emulator Session File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Build a Terminal Emulator Application Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Run Terminal Launcher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Create a Terminal Emulator Desktop Shortcut . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Set Terminal Launcher Command-line Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
MEDITECH Predefined Application Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Applications that Cannot be Enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
Managing Application Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124
Chapter 12: Re-Authenticating Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Using the Administrative Management Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .125
Using the Application Definition Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Using Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
Chapter 13: Adding Multiple Logons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Add Multiple Logons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Chapter 14: Distributing Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
About Distributing Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Distribute Configurations Within Directory Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Set Corporate Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Stop Walking Here . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Copy a Configuration Across Organizational Units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Create an Active Directory Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Group Policy Object Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Group Policy Update Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Group Policy Management Console Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Definition of a Group Policy Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Install the GPMC Snap-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Managing GPOs via the GPMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Resultant Set of Policy (RSoP) Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Retrieving a Policy Applied to the User Object in GPMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Retrieving Policy Precedence and Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Retrieving a Policy Applied to the User Object in SLManager . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Configuring Roaming Profiles with ActivIdentity SecureLogin . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
Chapter 15: Exporting and Importing Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
About Exporting and Importing Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
Export XML Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
Import XML Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Create a Signing Key for Secure File Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
Install a Digital Signing Key Locally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Chapter 16: Using the SLAP Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
About the SecureLogin Attribute Provisioning Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
SLAP Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
SLAP Tool Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
XML File Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Chapter 17: Managing the Workstation Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
About the Workstation Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Create a Backup File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Delete the Local Workstation Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Restore the Local Cache Backup File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Chapter 18: Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
About Windows Event Log Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Default ActivIdentity SecureLogin Event Log Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Create a Windows Event Log Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171
Chapter 19: Getting Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Search the ActivIdentity Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
Additional Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
Contact ActivIdentity Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
Appendix A: Deployment Fact Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Who is Affected by this Deployment? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Deployment Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
What is ActivIdentity SecureLogin? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
How will ActivIdentity SecureLogin Benefit You? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Which Applications will be SSO-enabled? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
What do You Need to Do? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Further Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Appendix B: Schema Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Schema Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Active Directory/ADAM/ADLDS Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Protocom-SSO-Auth-Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Protocom-SSO-Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Protocom-SSO-Entries-Checksum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Protocom-SSO-Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Protocom-SSO-Security-Prefs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Protocom-SSO-Security-Prefs-Checksum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
LDAP Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
Protocom-SSO-Auth-Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Protocom-SSO-Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Protocom-SSO-Entries-Checksum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Protocom-SSO-Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Protocom-SSO-Security-Prefs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Protocom-SSO-Security-Prefs-Checksum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Security Rights Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
User-based Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Container-based Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182


List of Tables
Table 2.1: Windows Installer Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Table 2.2: ActivIdentity SecureLogin Install Mode Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Table 2.3: ActivIdentity SecureLogin Feature Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Table 2.4: ActivIdentity SecureLogin REMOVE Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Table 2.5: ActivIdentity SecureLogin User Interface Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Table 5.1: Preferences General Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Table 5.2: Preferences Java Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Table 5.3: Preferences Security Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Table 5.4: Preferences Web Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Table 5.5: Preferences Windows Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Table 7.1: Passphrase Policy Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Table 8.1: Password Policy Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Table 11.1: Terminal Launcher Command-line Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Table 11.2: Terminal Launcher Command-line Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Table 13.1: Multiple Logons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Table 14.1: ActivIdentity SecureLogin Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Table 14.2: Single Sign-on Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Table 15.1: Save ActivIdentity SecureLogin Data Configuration Options . . . . . . . . . . . . . . . . . . . . . . 150
Table 15.2: Load ActivIdentity SecureLogin Data Configuration Options . . . . . . . . . . . . . . . . . . . . . . 154
Table 16.1: SLAP Tool Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Table B.1: Protocom-SSO-Auth-Data Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Table B.2: Protocom-SSO-Entries Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Table B.3: Protocom-SSO-Entries-Checksum Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Table B.4: Protocom-SSO-Profile Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Table B.5: Protocom-SSO-Security-Prefs Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Table B.6: Protocom-SSO-Security-Prefs-Checksum Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Table B.7: Protocom-SSO-Auth-Data Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Table B.8: Protocom-SSO-Entries Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Table B.9: Protocom-SSO-Entries-Checksum Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Table B.10: Protocom-SSO-Profile Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Table B.11: Protocom-SSO-Security-Prefs Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Table B.12: Protocom-SSO-Security-Prefs-Checksum Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Table B.13: User-based Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Table B.14: Directory Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182


Chapter 1: Introduction

Chapter Contents
  Product Overview . . . . . 10

This guide provides comprehensive instructions for installing, configuring and managing ActivIdentity SecureLogin Single Sign-On in multi-user and stand-alone environments.
This includes setting passphrase and password policies, creating application definitions, and deploying the configurations to end users.
It also explains how to audit and troubleshoot ActivIdentity SecureLogin and use the security features with smart card support.

Product Overview

This document is for:

  - System and network administrators
  - System integrators
  - IT support staff with a good understanding of Windows operating systems and management tools (Active Directory, Management Console, Group Policy and LDAP).

ActivIdentity SecureLogin is the single sign-on solution that provides users with a single, secure logon for accessing corporate resources from dedicated or shared workstations.
For end users, ActivIdentity SecureLogin eliminates the need to remember multiple user name/password combinations beyond their initial network logon. It stores user credentials and automatically enters them when required.
For organizations, ActivIdentity SecureLogin helps to reduce help desk costs, and improve both network security and user productivity.
For complete product details, see the ActivIdentity SecureLogin Single Sign-On Overview.
For complete details on using the Application Definition Wizard, see the ActivIdentity SecureLogin Single Sign-On Application Definition Wizard Guide.


Chapter 2: Installing ActivIdentity SecureLogin Manually

Chapter Contents
  Installing Using Installer Command-line Options . . . . . 11
  User Interface Install Options . . . . . 18
  Uninstall Options . . . . . 19
  Installer Code Examples . . . . . 19

Installing Using Installer Command-line Options

You can install, configure and add/remove features without user intervention using Microsoft Windows Installer (msiexec.exe). Windows Installer command-line options and parameters are typed directly from the command line or supplied via a batch file.
The range of available command-line options and parameters depends on the version of the Windows Installer. The examples given below are based on Windows Installer version 3.0.

Prerequisites
ActivIdentity SecureLogin version 6.2 requires Microsoft's Windows Installer 3.0 or later. ActivIdentity recommends that you use version 3.1.
Microsoft Windows Installer 3.0 is available for download from the Microsoft web site:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=5fbc5470-b259-4733-a914a956122e08e8
Microsoft Windows Installer 3.1 is available on the ActivIdentity SecureLogin installation CD (WindowsInstaller-KB893803-v2-x86.exe in the Product\Extras\Redistributables\Windows Installer folder).
To check the current version of Windows Installer on your workstation, click Start, click Run, type msiexec at the command line, and click OK.
The Windows Installer page is displayed.


Windows Installer Command-line Options

The following are basic Windows Installer command-line options used to manually install, uninstall, and configure software and components:

TABLE 2.1: Windows Installer Commands

  Command          Description
  /i               Installs or configures a product
  /f               Repairs a product
  /a               Installs or configures a product on a network
  /x               Uninstalls a product
  /p               Applies a patch to a product
  /q               Sets the user interface level during the installation of a product
  /help            Displays the help and quick reference options
  /quiet           Installs without user interaction
  /passive         Installs with a progress bar
  /norestart       No restart after installation
  /forcerestart    Always restarts after installation
  /promptrestart   Prompts user to restart after installation
  /uninstall       Uninstalls an application
  /log             Writes a log file after installation
  /package         Installs or configures an application
  /update          Installs one or multiple patches

For example, to install ActivIdentity SecureLogin on:

32-bit platforms:
msiexec /i "C:\ActivIdentity SecureLogin x86 6.2.msi"

64-bit platforms:
msiexec /i "C:\ActivIdentity SecureLogin x64 6.2.msi"

followed by the required property values described in the following sections. (The package path contains spaces, so it must be quoted.)

Full examples of installer code for ActivIdentity SecureLogin and its features are provided in "Installer Code Examples" on page 19.
A comprehensive description of Windows Installer command-line options is outside the scope of this guide. Details of Windows Installer command-line options and parameters can be found at:
http://msdn.microsoft.com/en-us/library/aa367988.aspx
http://msdn.microsoft.com/en-us/library/aa372024.aspx

Windows Installer Properties

Windows Installer can also install and configure software installations by using property values defined within the installation package.
Windows Installer uses three categories of properties during an installation:

  - Private properties
    The Installer uses private properties internally and their values must be authored into the installation database or set to values determined by the operating environment.
  - Public properties
    Public properties can be authored into the database and changed by a user or system administrator on the command line, by applying a transform, or by interacting with an authored user interface.
  - Restricted public properties
    For security purposes, the installation package can restrict the public properties that a user can change.

A comprehensive description of Windows Installer properties is outside the scope of this guide. Details of Windows Installer properties can be found at:
http://msdn.microsoft.com/en-us/library/aa367437.aspx
http://msdn.microsoft.com/en-us/library/aa370905.aspx

ActivIdentity SecureLogin Property Values

The following property values can be used to manually install, configure, or uninstall ActivIdentity SecureLogin modes and configure components and features:

  - "Install Mode Values" on page 14
  - "Install, Uninstall and Configure Feature Values" on page 15
  - "Group Policy Object Support" on page 16
  - "Mozilla Firefox Plug-in" on page 16
  - "Administration Tools" on page 16
  - "Smart Card Support" on page 17
  - "Citrix or Terminal Services Support" on page 16

Install Mode Values

ActivIdentity SecureLogin installation modes specified from the command line must be set by defining the appropriate "X_INSTALLTYPE" property.
The possible install mode values are:

Notes
These install mode values are mutually exclusive and only one mode may be installed at one time.
If no mode is specified, then ActivIdentity SecureLogin is installed in MAD mode by default.

TABLE 2.2: ActivIdentity SecureLogin Install Mode Values

  Value         Description
  MAD           Microsoft Active Directory mode (default value)
  ADAM          Microsoft Active Directory Application mode
  LDAP          LDAP directory mode
  STANDALONE    Standalone mode

For example, to install ActivIdentity SecureLogin in Microsoft Active Directory Application mode:
X_INSTALLTYPE=ADAM

Important
The commands are case-sensitive.

Install, Uninstall and Configure Feature Values

The following property values can be used to manually install, configure, or uninstall ActivIdentity SecureLogin features:

TABLE 2.3: ActivIdentity SecureLogin Feature Values

  X_INSTALLADMIN
      The Directory administration tools are provided for corporate environments to manage users centrally at the directory. In the Microsoft Active Directory mode, ActivIdentity SecureLogin installs the Administrative Management Utility.
      See "Administration Tools" on page 16.

  X_INSTALLJAVA
      Installs SecureLogin tools against Java runtime environments. ActivIdentity SecureLogin supports:
        - Sun JRE 1.3 and later
        - Oracle JInitiator 1.3.1 and later
      If no supported JRE is detected, a notification message is displayed.
      If the Java option is selected, all permissions must be given to the jar files in the SecureLogin sub-folder ac_lib in JRE_HOME/lib/ext, where all SecureLogin binaries for Java support are stored. ActivIdentity SecureLogin needs to modify the java.policy files in order to give all permissions to the jar files in the SecureLogin sub-folder by adding a grant block as follows:

          grant codeBase "file:${{java.ext.dirs}}/ac_lib/*" {
              permission java.security.AllPermission;
          };

      Note: You must have administrative rights (write access to the JRE folder) to install this feature.
      See "Java Application Support" on page 16.

  X_INSTALLSLOMOZ
      Installs SecureLogin plug-ins against the Firefox browser. ActivIdentity SecureLogin supports Firefox 2 and later.
      See "Mozilla Firefox Plug-in" on page 16.

  X_INSTALLCITRIX
      Installs ActivIdentity SecureLogin support for Citrix and Terminal Services according to the detected configuration (client or server).
      See "Citrix or Terminal Services Support" on page 16.

  X_USEGPO
      Allows management and configuration of user settings through GPO.
      See "Group Policy Object Support" on page 16.

  X_SMARTCARD
      Enables smart card support in ActivIdentity SecureLogin either to protect ActivIdentity SecureLogin credentials or to start ActivIdentity SecureLogin seamlessly after a PKI logon.
      See "Smart Card Support" on page 17.

Administration Tools
To install the administration tools (SL Manager, SLAP tool) set:
X_INSTALLADMIN="Yes"

To install the MMC plug-in (either in the Microsoft Active Directory or Microsoft Active Directory Application mode), add one of the following conditions:

X_INSTALLTYPE="MAD"

X_INSTALLTYPE="ADAM"

Java Application Support

To install the Java application support components set:
X_INSTALLJAVA="Yes"

Mozilla Firefox Plug-in

ActivIdentity SecureLogin supports Mozilla Firefox version 2 and later using the SLoMoz version 1.5 plug-in:
X_INSTALLSLOMOZ="Yes"

Citrix or Terminal Services Support

To install Citrix or Terminal Services support set:
X_INSTALLCITRIX="Yes"

Detection of the type of Citrix or Terminal Service is automatic and the relevant installation is performed accordingly.

Group Policy Object Support
To install Group Policy Object support set:
X_USEGPO="Yes"

This option is only available if you are in Microsoft Active Directory or Microsoft Active Directory Application mode. As a consequence, it requires one of the following conditions:

X_INSTALLTYPE="MAD"

X_INSTALLTYPE="ADAM"

Smart Card Support

Note
ActivIdentity SecureLogin supports any smart card middleware compliant with Microsoft CAPI 2.0. ActivIdentity SecureLogin checks the registry key HKLM\Software\Microsoft\Cryptography\Defaults\Provider\ for CSP entries. The X_CSP property can be populated with the CSP name in the registry entry, if not done automatically.

To install smart card support set:
X_SMARTCARD="Yes"

The X_INSTALLTYPE property must NOT be STANDALONE.
This feature installation requires a Cryptographic Service Provider and a PKCS#11 provider to be configured.
ActivClient CSP and PKCS#11 provider configuration can be enforced by using the following property:
X_USEACTIVCLIENTDEFAULTS="Yes"

Alternatively the cryptographic service provider and smart card PKCS#11 encryption library (DLL file) can be set by defining the X_CSP and X_SMARTCARDLIB properties respectively.
For example:
X_CSP="ActivClient Cryptographic Service Provider"
X_SMARTCARDLIB="C:\Windows\System32\ACPKCS211.dll"

ActivIdentity SecureLogin Installer Properties

Note
For all parameters, unless otherwise specified, use =1 to enable the option or =0 to disable the option.

The following private properties are written into the ActivIdentity SecureLogin installer package (.msi file) and can be used to manually install, configure, or uninstall ActivIdentity SecureLogin:

  - "Start-up Properties" on page 17
  - "Cache Properties" on page 17
  - "Remove" on page 18

Start-up Properties
X_RUNATSTARTUP controls whether ActivIdentity SecureLogin runs at system start-up.
For example, to run ActivIdentity SecureLogin at start-up:
msiexec /i "E:\Product\ActivIdentity SecureLogin x86 6.2.msi" X_RUNATSTARTUP=Yes

Important
ActivIdentity strongly recommends that customers do not change the default installation directory setting.

Cache Properties
X_CACHEDIR controls whether ActivIdentity SecureLogin uses a non-standard cache directory.
X_CACHEDIR must be used in conjunction with X_CHANGECACHEDIR=0 to specify the custom directory option.
For example:
X_CHANGECACHEDIR="0" X_CACHEDIR="C:\My Cache"

Remove

Note
The features available using REMOVE= are the same as the options that appear in the Windows Control Panel's Add/Remove Programs (Change/Modify Programs).

REMOVE specifies the type of feature to remove from a current ActivIdentity SecureLogin installation.
The possible ActivIdentity SecureLogin REMOVE mode values are:

TABLE 2.4: ActivIdentity SecureLogin REMOVE Values

  Value        Description
  Admin        ActivIdentity SecureLogin Administration Tools
  Java         ActivIdentity SecureLogin Java application support
  Firefox      ActivIdentity SecureLogin Firefox plug-in
  Citrix       ActivIdentity SecureLogin Citrix or Terminal Services support
  Smartcard    ActivIdentity SecureLogin smart card support
  ALL          Uninstalls ActivIdentity SecureLogin

For example, to remove support for Mozilla Firefox:
REMOVE=Firefox

To remove more than one feature, separate the feature names with commas, with no spaces between them and no comma after the last feature.
For example, to remove both the Administration tools and Firefox features:
REMOVE=Admin,Firefox

User Interface Install Options

There are other options and many parameters that can be used that may better suit the corporate or enterprise environment.
If administrators prefer to keep control away from the users yet still allow them to see the product being installed, then the following installation command-line options may be relevant:

TABLE 2.5: ActivIdentity SecureLogin User Interface Values

  Value   Description
  /qn     Displays no user interface. This option installs and reboots the application and shows nothing to the user to indicate the installation is taking place. A user cannot cancel the installation.
  /qb     Displays a basic user interface. This option installs and prompts the user to reboot the application, indicating the installation has taken place. A user can cancel the installation.
  /qr     Displays a reduced user interface with a modal dialog box displayed at the end of the installation.
  /qf     Displays the full user interface with a modal dialog box displayed at the end.
  /qn+    Displays no user interface, except for a modal dialog box displayed at the end.
  /qb+    Displays a basic user interface with a modal dialog box displayed at the end.
  /qb-    Displays a basic user interface with no modal dialog boxes.

For example, to install ActivIdentity SecureLogin silently so that the process is completely invisible to the user on:

32-bit platforms:
msiexec.exe /i /qn "C:\ActivIdentity SecureLogin x86 6.2.msi"

64-bit platforms:
msiexec.exe /i /qn "C:\ActivIdentity SecureLogin x64 6.2.msi"

Uninstall Options
The Windows Installer uninstall option requires /x instead of the /i switch.
The following example uninstalls ActivIdentity SecureLogin. The process is
completely invisible to the user.

32-bit platforms:
msiexec /x /qn "ActivIdentity SecureLogin x86 6.2.msi"

64-bit platforms:
msiexec /x /qn "ActivIdentity SecureLogin x64 6.2.msi"

Installer Code Examples

Mode and Feature Installation
The following example installs ActivIdentity SecureLogin:

  - In Microsoft Active Directory mode.
  - With the Mozilla Firefox and Group Policy Objects features added.
  - Where ActivIdentity SecureLogin is not launched at the completion of the installation (default option).

msiexec /i "C:\ActivIdentity SecureLogin x86 6.2.msi" X_INSTALLTYPE="MAD" X_USEGPO="Yes" X_INSTALLSLOMOZ="Yes"

Installation with User Interface Option
The following example installs ActivIdentity SecureLogin:

  - In Microsoft Active Directory mode.
  - With the Admin tools, Smart card support (using ActivClient default settings), Mozilla Firefox and Group Policy Objects features added.
  - Where ActivIdentity SecureLogin is not launched at the completion of the installation (default option).
  - Where the user is prompted to reboot the application indicating the installation has taken place (the user can cancel the installation).

msiexec.exe /i /qb "C:\ActivIdentity SecureLogin x86 6.2.msi" X_INSTALLTYPE="MAD" X_INSTALLADMIN="Yes" X_USEGPO="Yes" X_INSTALLSLOMOZ="Yes" X_SMARTCARD="Yes" X_USEACTIVCLIENTDEFAULTS="Yes"

Feature Removal
The following example removes Mozilla Firefox support.
msiexec /i "C:\ActivIdentity SecureLogin x86 6.2.msi" REMOVE=Firefox

The following example removes the entire ActivIdentity SecureLogin product from the machine.
msiexec /i "C:\ActivIdentity SecureLogin x86 6.2.msi" REMOVE=ALL

Silent Citrix Command-line Installation
The following is an example of a successful and tested silent command-line installation of ActivIdentity SecureLogin on a Citrix client.
msiexec.exe /qn /norestart /i "ActivIdentity SecureLogin x86 6.2.msi" X_INSTALLTYPE="MAD" X_INSTALLCITRIX="Yes"
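As an added example (not from this guide or from ActivIdentity), the PowerShell below assembles a silent install line from the Chapter 2 properties, enforces the constraints the guide states (X_USEGPO only with MAD or ADAM, X_SMARTCARD never with STANDALONE, REMOVE values comma-separated with no spaces), checks the Windows Installer 3.0 prerequisite first and keeps an installer log for troubleshooting. The MSI and log paths, the function names, and reading the installer version from msi.dll's file version are assumptions.

```powershell
# Added example (not from the ActivIdentity guide): build and run a silent
# ActivIdentity SecureLogin 6.2 msiexec command line from the Chapter 2
# property values, rejecting combinations the guide forbids.
# Assumptions: the MSI/log paths below, and that the msi.dll file version
# reflects the Windows Installer version (3.0 required, 3.1 recommended).

function Get-WindowsInstallerVersion {
    $dll = Join-Path $env:windir 'System32\msi.dll'
    $raw = (Get-Item $dll).VersionInfo.FileVersion
    # FileVersion may carry a build suffix in parentheses; keep the numeric part only
    [version][regex]::Match($raw, '^\d+(\.\d+){1,3}').Value
}

function New-SecureLoginInstallCommand {
    param(
        [Parameter(Mandatory = $true)][string]$MsiPath,
        [ValidateSet('MAD', 'ADAM', 'LDAP', 'STANDALONE')][string]$InstallType = 'MAD',
        [switch]$Admin, [switch]$Java, [switch]$Firefox, [switch]$Citrix,
        [switch]$Gpo, [switch]$SmartCard, [switch]$ActivClientDefaults,
        [string]$Csp, [string]$SmartCardLib,
        [ValidateSet('Admin', 'Java', 'Firefox', 'Citrix', 'Smartcard', 'ALL')][string[]]$Remove,
        [string]$LogPath
    )
    # Constraints stated in the guide
    if ($Gpo -and ($InstallType -notin @('MAD', 'ADAM'))) {
        throw 'X_USEGPO="Yes" requires X_INSTALLTYPE MAD or ADAM.'
    }
    if ($SmartCard -and $InstallType -eq 'STANDALONE') {
        throw 'X_SMARTCARD="Yes" is not allowed with X_INSTALLTYPE STANDALONE.'
    }
    if ($SmartCard -and -not $ActivClientDefaults -and -not ($Csp -and $SmartCardLib)) {
        throw 'Smart card support needs X_USEACTIVCLIENTDEFAULTS or both X_CSP and X_SMARTCARDLIB.'
    }

    # /qn: no UI, the user cannot cancel; /norestart: the deployment tool decides
    # about the reboot; /log: keep evidence of what the installer actually did.
    $parts = @('/qn', '/norestart', '/i', "`"$MsiPath`"")
    if ($LogPath) { $parts += @('/log', "`"$LogPath`"") }

    # Property names and values are case-sensitive (see the guide's Important note)
    $parts += "X_INSTALLTYPE=`"$InstallType`""
    if ($Admin)               { $parts += 'X_INSTALLADMIN="Yes"' }
    if ($Java)                { $parts += 'X_INSTALLJAVA="Yes"' }
    if ($Firefox)             { $parts += 'X_INSTALLSLOMOZ="Yes"' }
    if ($Citrix)              { $parts += 'X_INSTALLCITRIX="Yes"' }
    if ($Gpo)                 { $parts += 'X_USEGPO="Yes"' }
    if ($SmartCard)           { $parts += 'X_SMARTCARD="Yes"' }
    if ($ActivClientDefaults) { $parts += 'X_USEACTIVCLIENTDEFAULTS="Yes"' }
    if ($Csp)                 { $parts += "X_CSP=`"$Csp`"" }
    if ($SmartCardLib)        { $parts += "X_SMARTCARDLIB=`"$SmartCardLib`"" }
    # REMOVE takes a comma-separated list: no spaces, no trailing comma
    if ($Remove)              { $parts += 'REMOVE=' + ($Remove -join ',') }

    return ($parts -join ' ')
}

function Invoke-SecureLoginInstaller {
    param([Parameter(Mandatory = $true)][string]$ArgumentLine)
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $ArgumentLine -Wait -PassThru
    # Windows Installer exit codes: 0 success, 3010 reboot required, 1641 reboot initiated
    switch ($proc.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'Installed; reboot required' }
        1641    { return 'Installed; reboot initiated' }
        default { throw "msiexec returned $($proc.ExitCode); check the /log file" }
    }
}

# Usage (assumed paths): verify the prerequisite, then install in MAD mode
# with the administration tools, the Firefox plug-in and GPO support.
$installerVersion = Get-WindowsInstallerVersion
if ($installerVersion -lt [version]'3.0') {
    throw "Windows Installer $installerVersion found; version 3.0 or later is required."
}
$cmd = New-SecureLoginInstallCommand -MsiPath 'C:\ActivIdentity SecureLogin x86 6.2.msi' `
    -InstallType MAD -Admin -Firefox -Gpo -LogPath 'C:\Temp\SecureLogin-install.log'
Write-Host "msiexec.exe $cmd"
Invoke-SecureLoginInstaller -ArgumentLine $cmd
```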


Chapter 3: Getting Started

Chapter Contents
  ActivIdentity SecureLogin Personal Management Utility . . . . . 21
  ActivIdentity SecureLogin Administrative Management Utility . . . . . 22
  Start the Administrative Management Utility using the Active Directory Snap-in . . . . . 23

This chapter explains how to access the ActivIdentity SecureLogin management tools:

  - Personal Management Utility
  - Administrative Management Utility

For a complete description of the user interface and functions of the Administrative Management Utility and the Personal Management Utility, see the ActivIdentity SecureLogin Single Sign-On Overview.

ActivIdentity SecureLogin Personal Management Utility

The Personal Management Utility is the interface that provides users with the capability to configure and troubleshoot their ActivIdentity SecureLogin environment and view their own credentials.
It can also be used to:

  - Test ActivIdentity SecureLogin configuration prior to mass deployment
  - Create and modify application definitions for testing

Start the Personal Management Utility

Important
Changes made using the Personal Management Utility on the local workstation apply only to the logged-on user and override any settings made in the directory. For example, if the ActivIdentity SecureLogin preference Allow application definitions to be modified by users is set to No at the OU the user object resides in, but Yes on the actual user object in the directory, then the user object setting applies and the user can modify application definitions. However, other users in the container cannot modify application definitions unless they have the option set on their user object.

To start the Personal Management Utility, either:

  - In the Windows notification area, double-click the ActivIdentity SecureLogin icon to open the Personal Management Utility.
  - In the Windows notification area, right-click the ActivIdentity SecureLogin icon and click Open.
  - From the Windows Start menu, point to All Programs, ActivIdentity, SecureLogin, and then click ActivIdentity SecureLogin.

The Personal Management Utility is displayed.


ActivIdentity SecureLogin Administrative Management Utility

The ActivIdentity SecureLogin Administrative Management Utility (ActivIdentity SecureLogin Manager) contains additional functionality that is not included in the Personal Management Utility.
It incorporates an LDAP browser for use with LDAP-compliant directories.

Start the Administrative Management Utility from the Start Menu

1. To start the ActivIdentity SecureLogin Manager, from the Windows Start menu, point to Programs, ActivIdentity, SecureLogin, and then click ActivIdentity SecureLogin Manager.
The ActivIdentity SecureLogin Administrative Management Utility is displayed.

2. In the Object drop-down list, select from or type the full distinguished name of the user object, container, or organizational unit for administration. Alternatively, use the browser to navigate to the appropriate object.

Important
You must press the Enter key to submit the entry typed in the Object field. Clicking OK closes the dialog box but does not accept the entry you typed.

3. Press the Enter key.
The Administrative Management Utility starts. The name of the management object appears in brackets in the title bar.

Start the Administrative Management Utility using the Active Directory Snap-in

1. From the Windows Start menu, point to Programs, Administrative Tools, and then click Active Directory Users and Computers.
The Active Directory Users and Computers snap-in is displayed.

2. In the navigation tree, right-click the appropriate container or organizational unit and then click Properties.
The Users Properties window is displayed.


Note
The Users Properties dialog box
cannot be closed while the
Administrative Management Utility
is open.

3. Click the ActivIdentity SecureLogin tab.

4. Click Manage.
The Administrative Management Utility is displayed.


5. Click OK to close the utility.


Chapter 4: Configuring ActivIdentity SecureLogin

Chapter Contents
  Setting User Preferences . . . . . 26
  Change a Preference Value . . . . . 26
  Disable User Access . . . . . 27
  ActivIdentity SecureLogin Datastore Object . . . . . 28
  Changing the Directory Datastore . . . . . 29

Setting User Preferences

You can set the ActivIdentity SecureLogin user preferences in the Preferences properties in the Administrative Management Utility, Active Directory Users and Computers snap-in, or the Personal Management Utility.
Each ActivIdentity SecureLogin preference has a default value that is implemented until an alternative value is manually configured. In directory hierarchies, preference values are inherited from higher level objects, while some lower level objects can override preferences set at higher levels. Preference values set at the user object level override all higher level object values.

  - This can be controlled for users by restricting their ability to set preferences.
  - For more information about inheriting configuration settings, see Chapter 14, "Distributing Configurations."

Change a Preference Value

Prerequisite
Administrative Management Utility is open through:

  - Active Directory Users and Computers snap-in. For more information, see "Start the Administrative Management Utility using the Active Directory Snap-in" on page 23.
  or
  - Windows Start menu. Point to Programs, point to ActivIdentity, point to SecureLogin, and then click ActivIdentity SecureLogin Manager.

Note
For more information about the Preference properties, see "Managing Preferences" on page 35.

1. In the navigation tree, click Preferences.
The Preferences properties are displayed.

Note
Some of the value settings are text fields where you type in a number and some display dialog boxes.

2. In the General column, locate the setting you want to change and then, in the Value column, click the appropriate value from the drop-down list (Yes, No, or Default).
3. Click OK.
4. Click Yes to save the setting.
The selected value is saved and the Administrative Management Utility closes.

Disable User Access

You can disable a user's access to the Personal Management Utility as part of configuration. By default, the user has permission to change application definitions and predefined applications, passwords, and functionality. You can restrict this use through the Active Directory Users and Computers snap-in or the Administrative Management Utility.
You have several options for restricting access by setting preferences at the user, group policy, container or organizational unit level, including:

  - Full access to all administration tools.
  - Access to selected administration tools.
  - ActivIdentity SecureLogin icon does not appear in the Windows notification area.
  - ActivIdentity SecureLogin icon does appear in the Windows notification area and is password-protected.

If the ActivIdentity SecureLogin icon is password-protected, anyone who attempts to access the Personal Management Utility through the ActivIdentity SecureLogin icon in the Windows notification area is prompted to enter the user's network password. This prevents anyone but the user from viewing ActivIdentity SecureLogin data. You can modify ActivIdentity SecureLogin using the administration tools.

ActivIdentity SecureLogin Datastore Object

Background
ActivIdentity SecureLogin version 6.0 introduced a range of new security features, including encryption of the datastore using Public Key Infrastructure (PKI)-based credentials and support for the Advanced Encryption Standard (AES) encryption algorithm. These features required changes to the ActivIdentity SecureLogin datastore format to support them.
ActivIdentity is acutely aware of the disruption that data format changes like this cause our customers. Consequently, features in the new datastore format are designed to minimize the disruption caused by future ActivIdentity SecureLogin upgrades.

Legacy Data
The current ActivIdentity SecureLogin client can read data created by all previous versions of ActivIdentity SecureLogin. However, older versions of ActivIdentity SecureLogin cannot read data created by version 6.0 and later. This means that in a mixed corporate environment, where some workstations are running ActivIdentity SecureLogin version 6.0 or later and others an earlier version, data compatibility issues arise when a user moves between different versions of ActivIdentity SecureLogin on different workstations. This is especially problematic in Citrix environments or in large enterprise deployments.

Automatic Datastore Detection
When ActivIdentity SecureLogin 6.2 is installed, it detects that version 3.5 data is in use and continues to function correctly. While ActivIdentity SecureLogin 6.2 is operating in this mode, all version 3.5 functions continue to be available. Any new functionality or data available in ActivIdentity SecureLogin 6.0 or later is not available. This notably includes smart card support, PKI and AES encryption of data. If this new functionality is not required, there is no impetus to upgrade the datastore format to version 6.0. However, if this new functionality is required, the following processes need to be completed:

- Choose a section of the tree to upgrade, for example:
  - Group
  - Container
  - Organization
  - User
- Ensure that all user workstations in that section of the tree have been upgraded with the ActivIdentity SecureLogin 6.2 client.
- The next time those users log on, their data will be converted to version 6.0 format and the new features will be available.

Changing the Directory Datastore

When the directory is upgraded, ActivIdentity SecureLogin version 6.0 features on the workstation will not be available until all users are upgraded to the new version.
Administrators can configure directory datastore versions at group policy, user object, container and organizational unit levels.
ActivIdentity recommends that administrators set the datastore version at the container and organizational unit levels. This should help enterprises manage the datastore base and minimize the possibility of conflicting versions.
If an administrator tries to change an ActivIdentity SecureLogin preference that requires the use of the version 6.0 datastore, for example Use AES for SSO data encryption, they are prompted with the following warning message:

"Once the datastore mode version is upgraded to v6.0, the encryption algorithm is automatically upgraded to AES, providing then a higher encryption standard to the ActivIdentity SecureLogin data."

Change the Organizational Unit Level Datastore

To set the directory datastore version at the organizational unit level:
1. On the Windows Start menu, point to Programs, point to Administrative Tools and then click Active Directory Users and Computers.
The Microsoft Management Console (MMC) is displayed.
2. Right-click the desired object (in this example, Users) and click Properties.
The Properties window is displayed.
3. Click the ActivIdentity SecureLogin tab.
The ActivIdentity SecureLogin page is displayed.
4. Click Manage.
The ActivIdentity SecureLogin Administrative Management Utility is displayed.
5. In the left navigation tree, click Advanced Settings.
6. Click the Datastore tab on the right.
7. Select the required version from the Select version drop-down list.
A Warning is displayed.
8. Click Yes.
When a user's directory data version is upgraded, the datastore information displayed in the ActivIdentity SecureLogin About box is not updated until the user right-clicks the ActivIdentity SecureLogin icon in the Windows notification area, points to Advanced and clicks Refresh Cache, or logs out and then logs in again.

Once the datastore mode version is upgraded to v6.0, the encryption algorithm is automatically upgraded to AES for all users in this container, providing a higher encryption standard to the ActivIdentity SecureLogin data.

Deploying an Upgrade
When an upgrade is deployed across a series of workstations, follow the above procedure to change the directory datastore version. The next time the directory server and the workstation caches are synchronized, ActivIdentity SecureLogin will operate in the new version mode.
Refer to the applicable ActivIdentity SecureLogin installation guide for your directory environment for specific details on upgrading datastore versions.

Deleting or Resetting a User's Datastore

Important: Deleted data is irretrievable!

If a user has forgotten their network password and their ActivIdentity SecureLogin passphrase response, or if the user's logon credentials have been corrupted, administrators must delete all the user's ActivIdentity SecureLogin data (since the user won't have access to it).
Administrators can reset the object by selecting Delete single sign-on configuration for this datastore object in the Advanced Settings panel of the Administrative Management Utility. Deleting a configuration permanently deletes all user data, including all of the following object-specific data:

- Credentials (including user names and passwords)
- Application definitions
- Predefined applications
- Password policies
- Preferences
- Passphrase questions and answers

Before an administrator deletes a user's datastore object, they must ensure they have:

- Selected the required directory object only.
  Note: The Delete single sign-on configuration for this datastore object option is available at the container, Group Policy, OU, and user object level.
- Recorded (outside SecureLogin) all user names, passwords, and other essential credential information.
  Note: If an administrator deletes an SSO-enabled application at the OU level, they may also delete the credentials for all users that reside in that container.
- Deleted the local cache on the workstation.
  Note: The object or user continues to inherit configuration from higher level objects in the directory, even though the user data in the directory cache was deleted. Administrators must first delete the local cache on the workstation to ensure it does not synchronize with the directory cache and recreate the configuration in the directory.

To delete a user's datastore:

1. Open the Administrative Management Utility. On the Windows Start menu, point to Programs, point to ActivIdentity, point to SecureLogin, and then click ActivIdentity SecureLogin Manager.
2. In the navigation tree, click Advanced Settings.
The Advanced Settings pane is displayed.
3. Click the Datastore tab.
The Datastore object details are displayed.
4. Click Delete.
A Warning message appears.
5. Click Yes.
The Datastore object data is deleted.
The next time the user logs on, they will be asked to set up the passphrase question and response previously configured and then re-enter the credentials for each SSO-enabled application.

Chapter 5: Managing Preferences

Chapter Contents
About Preferences . . . . . . . . . . 35
Preferences Properties . . . . . . . . . . 36
General Preferences . . . . . . . . . . 37
Java Preferences . . . . . . . . . . 42
Security Preferences . . . . . . . . . . 43
Web Preferences . . . . . . . . . . 47
Windows Preferences . . . . . . . . . . 48

About Preferences
ActivIdentity SecureLogin preferences are tools, options and parameters used by enterprise administrators to configure the user's ActivIdentity SecureLogin corporate environment. Administrators can restrict a user's access to their ActivIdentity SecureLogin preferences via centrally-controlled administrative preferences.
ActivIdentity SecureLogin preferences also include applications permitted to be SSO-enabled and the tools to enable users to access their own ActivIdentity SecureLogin management and administration functions.
ActivIdentity SecureLogin version 6.0 introduced several new features and preferences, including the encryption of the datastore using Public Key Infrastructure (PKI)-based credentials, and support for the Advanced Encryption Standard (AES) encryption algorithm. All these new preferences required changes to the ActivIdentity SecureLogin datastore format to support them.
Prior to configuring preferences, administrators should also read:

- "ActivIdentity SecureLogin Datastore Object" on page 28 and
- "Changing the Directory Datastore" on page 29.

Preference Categories
ActivIdentity SecureLogin preferences are divided into the following categories:

- General
- Java
- Security
- Web
- Windows

Setting a User Preference

Administrators
Administrators set ActivIdentity SecureLogin user preferences from within the Preferences properties in the Administrative Management Utility accessed via the Active Directory Users and Computers snap-in.
Users
Users can set their personal ActivIdentity SecureLogin preferences from within the Preferences properties in the Personal Management Utility accessed by right-clicking the ActivIdentity SecureLogin Windows notification area icon and clicking Open.

Default Preferences
Each ActivIdentity SecureLogin preference has a default value. An alternative preference value must be manually configured by an administrator or user.
In the following tables, default values are shown in bold.
Inherited Preference Values
In corporate directory hierarchies, preferences are inherited from higher level objects, while some lower level objects can override preferences set at higher levels. Preferences set at the user object level override all higher object values.

Preferences Properties
To access the Preferences properties, open the Administrative Management Utility through either the:

- Active Directory Users and Computers snap-in.
- Windows Start menu. Point to All Programs, point to ActivIdentity, point to SecureLogin, and then click ActivIdentity SecureLogin Manager.

The Administrative Management Utility is displayed. The Preferences properties display on the right after you select the appropriate Preferences category in the navigation tree on the left.

The following is important information for administrators about the Allow application definition to be modified by users and the Allow application definition to be viewed by users general preferences options introduced in ActivIdentity SecureLogin version 6.1.
In previous versions of ActivIdentity SecureLogin, 6.0 and earlier, the application definition preference was a single preference titled Allow users to view and modify application definitions.
When upgrading from previous versions of ActivIdentity SecureLogin to 6.1 and later using legacy directory data (versions 6.0 or 5.5), if the old Allow users to view and modify application definitions preference was set to No, the new Allow application definition to be modified by users preference for the current version will be disabled (grayed out).
To allow users to modify application definitions, administrators will need to reset:

- Allow application definition to be viewed by users to Yes
- Allow application definition to be modified by users to Yes

General Preferences
Table 5.1 describes the Preferences General properties. Each entry lists the property, its possible values, a description, and a comment stating which management utilities expose the preference.

TABLE 5.1: Preferences General Properties

Allow application definition to be modified by users
Value: Yes / No / Default
Description: Enables or disables a user's ability to modify application definitions using the Definitions tabs in the Applications pane of the Personal Management Utility. Default value is Yes.
Notes:
- If the Allow application definitions to be viewed by users preference is set to No, this option is grayed out.
- Disabling this preference does not prevent users from creating new applications through the wizards.
- For legacy datastores, see the note under "Legacy Data" on page 28.
- Requires the ActivIdentity SecureLogin version 6.0 datastore if the value is changed.
Comment: Administrative Management Utility preference only.

Allow application definition to be viewed by users
Value: Yes / No / Default
Description: Enables or disables a user's ability to view application definitions using the Definitions tabs in the Applications pane of the Personal Management Utility. Default value is Yes.
Comment: Administrative Management Utility preference only.

Allow credentials to be deleted by users through the GUI
Value: Yes / No / Default
Description: Enables or disables a user's ability to delete their credentials using the Personal Management Utility, available from Open on the ActivIdentity SecureLogin Windows notification area icon. Default value is Yes.
Notes:
- If the Allow users to modify credentials through the GUI preference is set to No, this option is automatically set to No and grayed out.
- Requires the ActivIdentity SecureLogin version 6.0 datastore if the value is changed.
Comment: Administrative Management Utility preference only.

Allow credentials to be modified by users through the GUI
Value: Yes / No / Default
Description: Enables or disables a user's ability to modify their credentials using the Personal Management Utility, available from Open on the ActivIdentity SecureLogin Windows notification area icon. Default value is Yes. When set to No, a user can only view their credentials.
Note: Requires the ActivIdentity SecureLogin version 6.0 datastore if the value is changed.
Comment: Administrative Management Utility preference only.

Allow users to (de)activate SSO via system tray
Value: Yes / No / Default
Description: Enables or disables a user's ability to activate or deactivate ActivIdentity SecureLogin through the Windows notification area (previously known as system tray) icon. Default value is Yes.
Note: Requires the ActivIdentity SecureLogin version 6.0 datastore if the value is changed.
Comment: Administrative Management Utility preference only.

Allow users to backup/restore
Value: Yes / No / Default
Description: Enables or disables a user's ability to back up and restore user information from the Advanced menu of the ActivIdentity SecureLogin Windows notification area icon. Default value is Yes.
Comment: Administrative Management Utility preference only.

Allow users to change passphrase
Value: Yes / No / Default
Description: Enables or disables a user's ability to change their passphrase question and answer. The Change Passphrase option is available from the Advanced menu of the ActivIdentity SecureLogin Windows notification area icon. Default value is Yes. When set to No, the Change Passphrase option is not displayed.
Comment: Administrative Management Utility preference only.

Allow users to close ActivIdentity SecureLogin via system tray
Value: Yes / No / Default
Description: Enables or disables the user's ability to close a SecureLogin session using the Close option from the ActivIdentity SecureLogin Windows notification area (previously known as system tray) icon. Default value is No. When set to No, the Close option is not displayed.
Note: Requires the ActivIdentity SecureLogin version 6.0 datastore if the value is changed.
Comment: Administrative Management Utility preference only.

Allow users to modify names of applications and logins
Value: Yes / No / Default
Description: Enables or disables a user's ability to edit the names of their application login credentials using the Edit function from the Details tab in the Personal Management Utility. Default value is No.
Comment: Administrative Management Utility preference only.

Allow users to refresh cache via system tray
Value: Yes / No / Default
Description: Enables or disables the user's ability to refresh the cache using the Refresh Cache option, available from the Advanced options on the ActivIdentity SecureLogin Windows notification area (previously known as system tray) icon. Default value is No. When set to No, the Refresh Cache option is not displayed.
Note: Requires the ActivIdentity SecureLogin version 6.0 datastore if the value is changed.
Comment: Administrative Management Utility preference only.

Allow users to view and change preferences
Value: Yes / No / Default
Description: Enables or disables a user's ability to view and update their preferences. Default value is Yes.
Note: ActivIdentity recommends the creation of a separate OU for administrators to ensure they are not adversely affected by general user configuration preferences at the OU level.
Comment: Administrative Management Utility preference only.

Allow users to view and modify API preferences
Value: Yes / No / Default
Description: Enables or disables a user's ability to view and modify API options using the Preferences pane of the Personal Management Utility. Default value is Yes. This API preference defines the following options for users:
- Enter an API licence key(s), and
- Provide API access.
Notes:
- This preference affects what is displayed in the Personal Management Utility using Change Preferences from the Advanced menu of the ActivIdentity SecureLogin Windows notification area icon.
- Contact ActivIdentity Support for assistance with APIs.
Comment: Administrative Management Utility preference only.

Allow users to view passwords through the GUI
Value: Yes / Yes per application / No / Default
Description: Enables or disables a user's ability to view their passwords using Show Passwords in the Details tab of the Applications pane of the Personal Management Utility. Default value is Yes.
Note: Allowing users to view their passwords gives them an opportunity to view and record passwords if they need to reset their ActivIdentity SecureLogin configuration.
Comment: Administrative Management Utility preference only.

Allow users to work offline via system tray
Value: Yes / No / Default
Description: Enables or disables the user's ability to work offline using the Work Offline option, available from the Advanced options on the ActivIdentity SecureLogin Windows notification area (previously known as system tray) icon. Default value is Yes. When set to No, the Work Offline option is not displayed.
Note: Requires the ActivIdentity SecureLogin version 6.0 datastore if the value is changed.
Comment: Administrative Management Utility preference only.

Disable ActivIdentity SecureLogin
Value: Yes / No / Default
Description: Enables or disables access to ActivIdentity SecureLogin. Default value is No.
Note: ActivIdentity recommends that you create a separate OU for administrators to ensure they are not adversely affected by general user configuration preferences at the OU level.
Comment: Administrative Management Utility preference only.

Display splash screen on startup
Value: Yes / No / Default
Description: Enables or disables the display of the ActivIdentity SecureLogin splash screen during startup. Default value is Yes.
Note: Requires the ActivIdentity SecureLogin version 6.0 datastore if the value is changed.
Comment: Administrative Management Utility preference only.

Display system tray icon
Value: Yes / No / Default
Description: Enables or disables the ActivIdentity SecureLogin icon in the Windows notification area (previously known as system tray). Default value is Yes.
Notes:
- When the ActivIdentity SecureLogin icon is active, users can double-click it to start the Personal Management Utility.
- When the ActivIdentity SecureLogin icon is inactive, users can only start the Personal Management Utility through the Windows Start, All Programs, ActivIdentity, SecureLogin menu.
Comment: Administrative Management Utility preference only.

Enable cache file
Value: Yes / No / Default
Description: Enables or disables the creation and updating of a SecureLogin cache file on the local workstation. This cache file stores all user configuration data, local and inherited. Default value is Yes. Set this value to:
- Yes for mobile users.
- No when storing files locally is not possible or conflicts with organization security policies.
Comment: Personal and Administrative Management Utilities.

Enable logging to Windows Event log
Value: Yes / No / Default
Description: Enables or disables log events being automatically sent to the Windows Event Log. Includes all user configuration data, both local and inherited. Default value is Yes. Only the following OU or user object events are logged:
- SSO client started
- SSO client exited
- SSO client activated by user
- SSO client deactivated by user
- Password provided to an application by a script
- Password changed by the user in response to a change password command
- Password changed automatically in response to a change password command
- Application script executed AuditEvent command
Note: Requires the ActivIdentity SecureLogin version 6.0 datastore if the value is changed.
Comment: Administrative Management Utility preference only.

Enable the New Login Wizard via the system tray icon
Value: Yes / No / Default
Description: Enables or disables the user's ability to create multiple ActivIdentity SecureLogin logons for different accounts on the same application or server using the Add New Login wizard or the New Login option from the ActivIdentity SecureLogin Windows notification area (previously known as system tray) icon. Default value is Yes.
Comment: Administrative Management Utility preference only.

Enforce passphrase enrollment
Value: Yes / No / Default
Description: Enforces the user definition of a passphrase question and answer the next time a user starts ActivIdentity SecureLogin. Default value is No. When set to Yes, users must complete the setup of their passphrase definition before they can proceed with any other activity on the workstation. When set to No, users can click Cancel and postpone the definition of the passphrase. Users will then be prompted with the Passphrase dialog box each time they log on to the workstation until the passphrase is set.
Note: Refer to "Managing Passphrase Policies" on page 57 for detailed passphrase information.
Comment: Administrative Management Utility preference only.

Enter API license key(s)
Description: Enter the API license key provided by ActivIdentity SecureLogin to activate API functionality for an application. Contact ActivIdentity Support for help configuring APIs.
Comment: Personal and Administrative Management Utilities.

Password protect the system tray icon
Value: Yes / No / Default
Description: Restricts users from accessing the ActivIdentity SecureLogin Windows notification area (previously known as system tray) icon menu options without re-authentication using their network password or smart card PIN. Default value is No.
Comment: Personal and Administrative Management Utilities.

Provide API access
Value: Yes / No / Default
Description: Enables or disables API functionality. Default value is No.
Note: Contact ActivIdentity Support for help configuring APIs.
Comment: Personal and Administrative Management Utilities.

Set the cache refresh interval (in minutes)
Description: Defines the time (in minutes) between synchronizations of the user data on the local workstation and the directory. The default value is 5 minutes. However, depending on the network traffic and the number of users, this interval may be set between 240 and 480 minutes (4 and 8 hours). A user can manually refresh the cache by clicking Refresh Cache from Advanced on the ActivIdentity SecureLogin Windows notification area icon menu. When the interval is set to 0, the cache and directory are only synchronized when a "force" refresh is performed (that is, when ActivIdentity SecureLogin starts, or by double-clicking the notification area icon, opening the user console, or using the refresh option from the notification area menu).
Comment: Personal and Administrative Management Utilities.

Standalone distributed settings have priority over users
Value: Yes / No / Default
Description: This preference allows or disallows the values of configuration settings made by the user to take precedence over those set after settings distribution. Default setting is No. This preference is only for use in advanced stand-alone mode for the overwriting of locally applied scripts, settings and credentials by centrally-created credentials. This preference should also be used for users who receive their encrypted and signed settings through the signed and encrypted distribution method.
Comment: Administrative Management Utility preference only.

Stop walking here
Value: Yes / No / Default
Description: Stops (Yes) or allows (No) inheritance of settings from higher level containers or organizational units at this object. Default is No.
Notes:
- Select Yes during phased upgrades in which higher levels may have a different version of ActivIdentity SecureLogin implemented. If inheritance of settings from higher levels is required, select No.
- For tips and typical settings for a corporate deployment, contact ActivIdentity Customer Support.
Comment: Administrative Management Utility preference only.

Wizard mode
Value: Administrator / User / Disabled
Description: Controls access to the Application Definition Wizard. Default setting is Administrator.
Note: ActivIdentity recommends that access to the Application Definition Wizard is restricted to administrators.
The Wizard mode preference has three settings:
- Administrator - the default setting. This setting allows users full access to the Application Definition Wizard to create or modify their own application definitions.
- User - Users are only allowed to create new logon forms or credential sets, or add pre-defined application definitions for new applications using the auto-detection settings.
- Disabled - This will disable the launching of the wizard.
For more information, see the ActivIdentity SecureLogin Single Sign-On Application Definition Wizard Guide.
Note: Requires the ActivIdentity SecureLogin version 6.0 datastore if the value is changed.
Comment: Administrative Management Utility preference only.
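The inheritance rules described under "Inherited Preference Values" and the "Stop walking here" and credential rows of Table 5.1, worked through as an added example in Python (not ActivIdentity code). It models a path of directory objects as a hypothetical in-memory structure (not the product's storage format) and resolves the effective value of a few Table 5.1 preferences: "Default" inherits from the next higher object, a user-level value overrides everything above it, and "Allow credentials to be modified" = No forces "Allow credentials to be deleted" to No. Treating "Stop walking here" as honoured only where explicitly set, and a grayed-out option as not granted, are assumptions.

```python
"""Effective-preference resolution for ActivIdentity SecureLogin directory objects.

Added example, not ActivIdentity code. It models the inheritance rules the
guide describes: "Default" inherits from the next higher object, the user
object overrides everything above it, "Stop walking here" = Yes blocks
inheritance from higher containers/OUs, and two preferences are coupled.
"""
from dataclasses import dataclass, field

DEFAULT = "Default"   # drop-down value meaning "inherit from the object above"
STOP_WALKING = "Stop walking here"
VIEW_DEFS = "Allow application definition to be viewed by users"
MODIFY_DEFS = "Allow application definition to be modified by users"
MODIFY_CREDS = "Allow credentials to be modified by users through the GUI"
DELETE_CREDS = "Allow credentials to be deleted by users through the GUI"
DISABLE_SSO = "Disable ActivIdentity SecureLogin"

# Product defaults as listed in Table 5.1.
PRODUCT_DEFAULTS = {
    VIEW_DEFS: "Yes",
    MODIFY_DEFS: "Yes",
    MODIFY_CREDS: "Yes",
    DELETE_CREDS: "Yes",
    DISABLE_SSO: "No",
    STOP_WALKING: "No",
}


@dataclass
class DirectoryObject:
    """One object on the path from the tree root to the user (hypothetical model)."""
    name: str
    prefs: dict = field(default_factory=dict)   # only explicitly set values


def resolve(pref: str, path: list) -> tuple:
    """Return (value, source) for one preference.

    `path` is ordered top-down, e.g. [container, OU, user object]. We walk
    upward from the user object; the first explicit non-Default value wins,
    so a user-level value overrides every higher object. An object whose own
    "Stop walking here" is Yes ends the walk before its parents are consulted
    (assumption: the stop preference is honoured only where explicitly set).
    """
    for obj in reversed(path):
        value = obj.prefs.get(pref, DEFAULT)
        if value != DEFAULT:
            return value, obj.name
        if obj.prefs.get(STOP_WALKING, DEFAULT) == "Yes":
            break
    return PRODUCT_DEFAULTS[pref], "product default"


def effective_preferences(path: list) -> dict:
    """Resolve every preference in PRODUCT_DEFAULTS and apply the couplings
    Table 5.1 describes between them."""
    eff = {p: resolve(p, path)[0] for p in PRODUCT_DEFAULTS}
    # Table 5.1: if modifying credentials is No, deleting them is forced to No.
    if eff[MODIFY_CREDS] == "No":
        eff[DELETE_CREDS] = "No"
    # Table 5.1: if viewing definitions is No, the modify option is grayed out;
    # a grayed-out option is treated here as not granted (assumption).
    if eff[VIEW_DEFS] == "No":
        eff[MODIFY_DEFS] = "No"
    return eff


def audit_user_rights(path: list) -> list:
    """List the preferences whose resolved value differs from the product
    default, with the object that set them: what an administrator checks
    before assuming a user is locked down (or not)."""
    report = []
    for pref, default in PRODUCT_DEFAULTS.items():
        value, source = resolve(pref, path)
        if value != default:
            report.append((pref, value, source))
    return report


if __name__ == "__main__":
    # Constructed sample tree: the corporate container restricts credential
    # editing, the Sales OU stops inheritance, and alice sits in Sales.
    corp = DirectoryObject("corp", {MODIFY_CREDS: "No"})
    sales = DirectoryObject("Sales OU", {STOP_WALKING: "Yes"})
    alice = DirectoryObject("alice", {})
    for pref, value in effective_preferences([corp, sales, alice]).items():
        print(f"{pref}: {value}")
```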


Java Preferences
Table 5.2 describes the Preferences Java properties.

TABLE 5.2: Preferences Java Properties

Add application prompts for Java applications
Value: Yes / No / Default
Description: Prompts for Java applications. Default value is Yes.
Note: SecureLogin requires Sun Java Runtime Engine (JRE) version 1.3 or later or Oracle JInitiator version 1.3.1 or later to SSO-enable Java-based logons.
Comment: Personal and Administrative Management Utilities.

Allow single sign-on to Java applications
Value: Yes / No / Default
Description: Enables or disables single sign-on to Java type applications. Default value is Yes.
Note: SecureLogin requires Sun Java Runtime Engine (JRE) version 1.3 or later or Oracle JInitiator version 1.3.1 or later to SSO-enable Java applications.
Comment: Personal and Administrative Management Utilities.

New JREs Automatically Updated at Runtime

ActivIdentity SecureLogin now checks for new JREs installed on the client at ActivIdentity SecureLogin startup. When new JREs are detected, and where allowed by the user's permissions, these new JREs are single sign-on enabled automatically, with no user prompts or intervention.
The JRE update process requires local administrative rights on the client. If the user is not logged on with the appropriate permissions, the update fails silently with no notification to the user. The update will occur automatically the next time a user with the necessary permissions starts ActivIdentity SecureLogin on the workstation.

Windows Update Rights
In User Account Control (UAC)-enabled mode, Windows Vista, Windows 7 and Windows Server 2008 require elevated privileges to perform certain runtime updates. Windows enforces elevated privileges for JRE updates, which ActivIdentity SecureLogin must honor to SSO-enable new JREs at runtime.
In general, this means that when a new JRE is installed on such a Windows version, an administrator must carry out the update after having elevated their privileges via standard Windows processes: using the Run As command and selecting the appropriate administrator account.

Note: Windows does not enforce this elevation as part of the installation process. An administrator can install ActivIdentity SecureLogin and automatically SSO-enable JREs.


Security Preferences
Table 5.3 describes the Preferences Security properties. Every property in this table is an Administrative Management Utility preference only, and none of them is available to users who have not upgraded their datastore to version 6.0 (for more information refer to "ActivIdentity SecureLogin Datastore Object" on page 28). Where a property is only offered under certain other settings, this is stated under Availability.

TABLE 5.3: Preferences Security Properties
(Columns: Property, Value, Description, Comment)

Certificate selection criteria
  Value: Text field
  Description: Allows you to enter text to uniquely identify a certificate (within searchable fields only).
  Availability: Only if Use PKI credentials from smart card to encrypt SSO data is set to Yes.
  Comment: Administrative Management Utility preference only.

Check certificate validity
  Value: Yes/No
  Description: Allows you to check the validity of the certificate used to encrypt ActivIdentity SecureLogin data. With either value, if the certificate is expired or revoked, ActivIdentity SecureLogin decrypts the data with this certificate and uses a replacement certificate to encrypt the data. If this preference is set to Yes, and the certificate is expired or revoked and no replacement certificate is found, ActivIdentity SecureLogin does not start. If this preference is set to No, and the certificate is expired or revoked and no replacement certificate is found, ActivIdentity SecureLogin starts and decrypts the data with the expired/revoked certificate.
  Availability: Only if Use PKI credentials from smart card to encrypt SSO data is set to Yes.
  Comment: Administrative Management Utility preference only.

Current certificate
  Description: Provides information about the currently selected certificate.
  Availability: Only if Use PKI credentials from smart card to encrypt SSO data is set to Yes.
  Comment: Administrative Management Utility preference only.

Enable passphrase security system
  Value: Yes/No/Hidden
  Description: Prevents a rogue administrator from accessing users' ActivIdentity SecureLogin credentials: anyone who resets a user's network password and then starts ActivIdentity SecureLogin is prompted for that user's passphrase answer. Default value is Yes. When set to Hidden, users are not prompted to set a user-defined passphrase; a user key is generated automatically without user input.
  Notes: ActivIdentity recommends either the Yes or Hidden option if key escrow or key backup is not used. The No option is only available if Use PKI credentials from smart card to encrypt SSO data is set to Yes.
  Comment: Administrative Management Utility preference only.

Lost card scenario
  Value: Allow passphrase / Require smart card
  Description: Determines how ActivIdentity SecureLogin handles a user forgetting, losing or damaging their smart card. Default value is Allow passphrase. If set to Allow passphrase, the backup mechanism relies on the Enable passphrase security system preference. If set to Require smart card, the passphrase answer is never asked for and, as a consequence, Enable passphrase security system can be set to No.
  Availability: Only if Use PKI credentials from smart card to encrypt SSO data or Use symmetric key stored on smart card to encrypt SSO data is set to Yes.
  Comment: Administrative Management Utility preference only.

Require smart card is present for SSO and administration operations
  Value: Yes/No/Default
  Description: Requires the user's smart card to be present before allowing an ActivIdentity SecureLogin session or administration function. Also checks that the user's smart card has not been removed after an ActivIdentity SecureLogin session has started, to prevent swapping of smart cards and copying of a user's credentials. Default value is No.
  Availability: Only if Use PKI credentials from smart card to encrypt SSO data or Use symmetric key stored on smart card to encrypt SSO data is set to Yes, and Lost card scenario is set to Require smart card.
  Comment: Administrative Management Utility preference only.

Seamless authentication method switch
  Value: Yes/No/Default
  Description: Enables users to change their Windows authentication method from smart card to password (and vice versa) while keeping seamless access to ActivIdentity SecureLogin. When enabled, ActivIdentity SecureLogin protects access to the ActivIdentity SecureLogin data with keys derived from both the smart card and the password, so that either credential (smart card or password) can provide access to ActivIdentity SecureLogin. When disabled, ActivIdentity SecureLogin protects access to the ActivIdentity SecureLogin data with a key derived from the last authentication method (smart card or password); in this case, a change of authentication method during a screen unlock or logon requires the passphrase (if enabled) in order to provide access to ActivIdentity SecureLogin. Default value is No.
  Availability: Only if Use PKI credentials from smart card to encrypt SSO data and Use symmetric key stored on smart card to encrypt SSO data are both set to No, and only if the smart card option was selected during ActivIdentity SecureLogin installation.
  Comment: Administrative Management Utility preference only.

Use AES for SSO data encryption
  Value: Yes/No
  Description: Allows you to use AES instead of Triple DES for encrypting ActivIdentity SecureLogin data. Default value is Yes.
  Comment: Administrative Management Utility preference only.

Use PKI credentials from smart card to encrypt SSO data
  Value: Yes/No/Default
  Description: Allows smart card-based PKI credentials as the encryption source for the ActivIdentity SecureLogin data in the directory. Default value is No. When set to No, all other smart card options are disabled (grayed out). When set to Yes, ActivIdentity SecureLogin data is encrypted using the user's PKI credentials: ActivIdentity SecureLogin data stored in the directory and in the offline cache (if enabled) is encrypted using the public key from the selected certificate, and the private key (stored on a PIN-protected smart card) is used for decryption. This preference provides access to additional smart card options:
    • Certificate selection criteria
    • Check certificate validity
    • Current certificate
    • Lost card scenario
    • Require smart card is present for SSO and administrative operations
  Comment: Administrative Management Utility preference only.

Use symmetric key stored on smart card to encrypt SSO data
  Value: Yes/No/Default
  Description: Allows a smart card-based symmetric key as the encryption source for the ActivIdentity SecureLogin data in the directory. Default value is No. When set to No, all other smart card options are disabled (grayed out). When set to Yes, ActivIdentity SecureLogin data stored in the directory and in the offline cache (if enabled) is encrypted and decrypted using a symmetric key stored on a PIN-protected smart card. This symmetric key is generated by ActivIdentity SecureLogin on a per-user basis. Storing and reading this symmetric key on the card requires the smart card middleware PKCS#11 library to be configured at installation time. This preference provides access to additional smart card options:
    • Lost card scenario
    • Require smart card is present for SSO and administrative operations
  Comment: Administrative Management Utility preference only.


Web Preferences
Table 5.4 describes the Preferences Web properties.

TABLE 5.4: Preferences Web Properties
(Columns: Property, Value, Description, Comment)

Add application prompts for Internet Explorer
  Value: Yes/No/Default
  Description: Enables or disables the display of the Web login detected wizard and confirmation dialog box when an application type is detected and recognized using Internet Explorer. Default value is Yes.
    • Selecting Yes at the dialog prompt launches the wizard to record the application definition and the associated credentials, after ActivIdentity SecureLogin prompts the user to enter them.
    • Selecting No, not this time at the dialog box stops SSO-enabling this time, but the dialog box is displayed again the next time the application type is detected.
    • Selecting No, never prompt me again for this screen ensures ActivIdentity SecureLogin will not prompt for this application type again.
  Note: Disabling the display of an ActivIdentity SecureLogin automated prompt does not restrict users from SSO-enabling the applications.
  Comment: Personal and Administrative Management Utilities.

Add application prompts for Mozilla Firefox
  Value: Yes/No/Default
  Description: Enables or disables the display of the Web login detected wizard and confirmation dialog when an application type is detected and recognized using Mozilla Firefox. Default value is Yes.
    • Selecting Yes at the dialog prompt launches the wizard to record the application definition and the associated credentials, after ActivIdentity SecureLogin prompts the user to enter them.
    • Selecting No, not this time at the dialog box stops SSO-enabling this time, but the dialog box is displayed again the next time the application type is detected.
    • Selecting No, never prompt me again for this screen ensures ActivIdentity SecureLogin will not prompt for this application type again.
  Note: Disabling the display of the ActivIdentity SecureLogin automated prompt does not restrict users from SSO-enabling the applications.
  Comment: Personal and Administrative Management Utilities.

Allow single sign-on to Internet Explorer
  Value: Yes/No/Default
  Description: Enables or disables ActivIdentity SecureLogin access to web applications using Internet Explorer. Default value is Yes.
  Comment: Personal and Administrative Management Utilities.

Allow single sign-on to Mozilla Firefox
  Value: Yes/No/Default
  Description: Enables or disables ActivIdentity SecureLogin access to web applications using Mozilla Firefox. Default value is Yes.
  Comment: Personal and Administrative Management Utilities.

Detect incorrect passwords
  Value: Yes/No/Default
  Description: Predefined applications generally include commands to respond to incorrect password dialogs; this preference additionally enables ActivIdentity SecureLogin to respond to incorrect passwords for web applications. Default value is Yes.
  Comment: Personal and Administrative Management Utilities.


Windows Preferences
Table 5.5 describes the Preferences Windows properties.

TABLE 5.5: Preferences Windows Properties
(Columns: Property, Value, Description, Comment)

Add application prompts for Windows applications
  Value: Yes/No/Default
  Description: Enables or disables the display of a Windows login detected and confirmation dialog box when a Windows application type is detected and recognized. Default value is Yes.
    • Selecting Yes at the dialog prompt launches the wizard to record the application definition and the associated credentials, after ActivIdentity SecureLogin prompts the user to enter them.
    • Selecting No, not this time at the dialog box stops SSO-enabling this time, but the dialog box is displayed again the next time the application type is detected.
    • Selecting No, never prompt me again for this screen ensures ActivIdentity SecureLogin will not prompt for this application type again.
  Note: Disabling the display of an ActivIdentity SecureLogin automated prompt does not restrict users from SSO-enabling the applications.
  Comment: Personal and Administrative Management Utilities.

Allow single sign-on to Windows applications
  Value: Yes/No/Default
  Description: Enables or disables ActivIdentity SecureLogin access to Windows applications. Default value is Yes.
  Comment: Personal and Administrative Management Utilities.


Chapter 6: Managing Passphrases

Chapter Contents
About Passphrases . . . . . . . . . . . . . . . . . . . . . 49
Create a Passphrase Question . . . . . . . . . . . . . . 50
Reset a Passphrase Response . . . . . . . . . . . . . . . 51
Edit a Passphrase Question . . . . . . . . . . . . . . . . 51
Change the Passphrase Prompt . . . . . . . . . . . . . . 52
Change a Passphrase . . . . . . . . . . . . . . . . . . . 54
About Passphrases
A passphrase is something that the user should always remember and that no other person would know. It is presented in a question-and-answer format:
Q. What was your first pet's name?
A. Fluffy
Passphrases are an important security component in an ActivIdentity SecureLogin implementation. Passphrases are a unique question-and-answer combination created to verify and authenticate the individual. In a directory environment, you can create passphrase questions for users to select and answer. You can also permit users to create their own question-and-answer combinations.
Passphrases protect user credentials from unauthorized use. For example, in a Microsoft Active Directory environment, administrators can potentially log on to the network as the user by resetting the user's network password. With ActivIdentity SecureLogin, if someone other than the user resets their network password, ActivIdentity SecureLogin triggers the passphrase question. An administrator cannot access the user's SSO-enabled applications without knowing the user's passphrase answer.
Note: You can disable the passphrase security system, but this removes the features listed.
When ActivIdentity SecureLogin starts for the first time on the user's workstation, the Passphrase Setup window is displayed.
Passphrases are used to authenticate when:
• A user is working remotely or offline in a non-Microsoft Active Directory LDAP environment.
• Someone other than the user has reset the user's network password.
• The smart card used to encrypt ActivIdentity SecureLogin data is not available or a smart card is not required (see Chapter 10, "Managing Security and Smart Cards," on page 85).
Benefits:
• Prohibits administrators from accessing a user's credentials through network password reset.
• Disables access to user credentials if the computer is stolen.
• Can be used in conjunction with the Emergency Access services (a feature of the ActivIdentity Authentication Client), enabling users to reset their own network password after answering passphrase questions (reducing help desk costs).
You can configure the passphrase settings using the Administrative Management Utility. To access the tool, either:
• Use the Active Directory Users and Computers snap-in. For more information, see "Start the Administrative Management Utility using the Active Directory Snap-in" on page 23.
• From the Windows Start menu, point to Programs, ActivIdentity, SecureLogin, and then click ActivIdentity SecureLogin Manager.

Create a Passphrase Question
Note: When you set up passphrase policies, ActivIdentity recommends you keep them simple so that users can easily remember them and retain access to their data.
You can:
• Create one or more passphrase questions for users to select from.
• Enable users to create their own passphrase questions and answers.
• Set up a combination of both.
By default, passphrase responses are required to contain a minimum of six characters. You can change the passphrase policy (see "Change a Passphrase Policy" on page 58). Applying strict policies to passphrases is not recommended, as it can make them harder to remember.
ActivIdentity recommends that you:
• Use a multi-value question.
• Design questions based on facts, and avoid prompting the user for a favorite, as the favorite can change over time. For example: "What was your first car plus your driver's license number?"
Note: The User-defined passphrase questions option is selected by default. Clear this option if you do not want users to create their own passphrase questions.
1. In the Administrative Management Utility navigation tree, click Advanced Settings.
   The Advanced Settings pane is displayed with the Passphrase tab.
   Inherited Passphrase Settings: You can configure the user object to inherit passphrase questions/policy from the directory (OU inheritance) by selecting the relevant options. If you clear the inherited options, the passphrase settings are only a local configuration (that is, specific to the object).
2. Click New.
3. In the Corporate passphrase questions field, type a question.
4. Press the Enter key.
   The question is displayed in the Corporate passphrase questions section.
   Note: This passphrase question displays to all users associated with the selected object.
5. Repeat the above steps to create additional passphrases as required.

Reset a Passphrase Response
If a user forgets their passphrase answer, to ensure that the user's data is secure, you must reset the user's ActivIdentity SecureLogin configuration. This deletes all user-specific information, including user names and passwords. For more information, see "Deleting or Resetting a User's Datastore" on page 32.

Edit a Passphrase Question
Note: You can create, edit, and delete ActivIdentity SecureLogin passphrase questions at any time.
1. In the Administrative Management Utility navigation tree, click Advanced Settings.
   The Advanced Settings pane is displayed.
2. In the Corporate passphrase questions field, right-click the passphrase you want to edit, then click Edit and make the appropriate changes.
3. Press the Enter key.
   The passphrase question is updated with the changes.

Change the Passphrase Prompt
You can change the passphrase prompt that users see in the Passphrase Setup dialog box the first time they log on.
1. In the Administrative Management Utility navigation tree, click Advanced Settings.
   The Advanced Settings pane is displayed.
2. Select the Modify the passphrase prompt window text option.
   The Customized passphrase prompt text field is now active.
3. Type the new prompt in the text field.
4. Click OK to save the changes and close the Administrative Management Utility.
5. Log on as a new test user to view the customized prompt.

Change a Passphrase
Depending on how you configure ActivIdentity SecureLogin, users can change their passphrase answer.
Users who do not have access to the ActivIdentity SecureLogin icon in the Windows notification area cannot change their passphrases. You can enable access to the icon temporarily to allow the user to change their passphrase.
1. In the Windows notification area, right-click the ActivIdentity SecureLogin icon, point to Advanced, and then click Change Passphrase.
   The passphrase dialog box is displayed.
2. Type the passphrase answer in the field.
3. Click OK.
   The Passphrase Setup dialog box is displayed.
4. In the Enter a question text field, select or type a passphrase question.
5. In the Enter the answer text field, type the new passphrase answer.
6. In the Confirm the answer text field, re-type the passphrase answer.
7. Click OK.


Chapter 7: Managing Passphrase Policies

Chapter Contents
About Passphrase Policies . . . . . . . . . . . . . . . . 57
Change a Passphrase Policy . . . . . . . . . . . . . . . . 58
Enabling Passphrase Security System . . . . . . . . . . . 60
Check Passphrase Security System Status . . . . . . . . . 63
Passphrase Security System Scenarios . . . . . . . . . . . 64

About Passphrase Policies
Administrators can set passphrase policies in the Passphrase policy properties of the ActivIdentity SecureLogin Administrative Management Utility, the Active Directory Users and Computers snap-in or the Group Policy snap-in.
Administrators can set a policy to restrict the format and content of passphrase answers. For security reasons, passphrase answers, and therefore any passphrase policy, must contain a minimum of six characters.
Since passphrase answers are case sensitive, setting the passphrase policy to require responses in a defined combination of uppercase and lowercase may help users to accurately recall the passphrase answer.
For example, by setting Begin with an uppercase character to Yes, Maximum uppercase characters to 1, and Prohibit characters to disallow spaces, administrators can force all passphrase answers to start with an uppercase character and continue in lowercase. The help desk can remind users of this fact if they forget their passphrase answer or enter it incorrectly.
If a passphrase policy is set, the policy must be applicable to all passphrase questions. Administrators cannot enforce a passphrase policy similar to the policy described above and then include a passphrase question such as "What was your first mobile phone number?", since its answer will not contain a combination of uppercase and lowercase characters.

Passphrase Policy Properties
Organizations and applications often have rules about the content of passphrases, including the required number and type of characters. The Passphrase Policy properties help to create and enforce these passphrase rules through a passphrase policy, and apply this policy to one or more application logons.

TABLE 7.1: Passphrase Policy Properties
(Columns: Property, Value, Comment)

Minimum length                   Whole number            Minimum zero, no upper limit.
Maximum length                   Whole number            Minimum zero, no upper limit.
Minimum punctuation characters   Punctuation character   Minimum zero, no upper limit.
Maximum punctuation characters   Whole number            Minimum zero, no upper limit.
Minimum uppercase characters     Whole number            Minimum zero, no upper limit.
Maximum uppercase characters     Whole number            Minimum zero, no upper limit.
Minimum lowercase characters     Whole number            Minimum zero, no upper limit.
Maximum lowercase characters     Whole number            Minimum zero, no upper limit.
Minimum numeric characters       Whole number            Minimum zero, no upper limit.
Maximum numeric characters       Whole number            Minimum zero, no upper limit.
Disallow repeat characters       No / Yes /              Yes is not case sensitive, and therefore does not
                                 Yes, case insensitive   prohibit upper/lowercase of the same character.
                                                         The default value is No.
Disallow duplicate characters    No / Yes /              Yes does not prohibit upper/lowercase of the same
                                 Yes, case insensitive   character. The default value is No.
Disallow sequential characters   No / Yes /              Yes is not case sensitive. This setting applies to
                                 Yes, case insensitive   any sequence direction, for example, 87654 and
                                                         edcba. The default value is No.
Begin with uppercase character   No / Yes                Enforces an uppercase alpha character as the first
                                                         character of the password. The default value is No.
End with uppercase character     No / Yes                Enforces an uppercase letter as the last character
                                                         of the password. The default value is No.
Prohibited characters            Any keyboard characters Defines a list of characters that cannot be used in
                                                         a password. The list is case sensitive.
Begin with any alpha character   No / Yes                Enforces the use of an alpha character as the first
                                                         character of the password. Default value is No.
Begin with any number            No / Yes                Enforces the use of a numeric character as the
                                                         first character of the password. Default value is No.
Begin with any symbol            No / Yes                Enforces the use of a symbol character as the first
                                                         character of the password. Default value is No.
End with any alpha character     No / Yes                Enforces the use of an alpha character as the last
                                                         character of the password. The default value is No.
End with any number              No / Yes                Enforces the use of a numeric character as the last
                                                         character of the password. The default value is No.
End with any symbol              No / Yes                Enforces the use of a symbol character as the last
                                                         character of the password. The default value is No.
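As an added illustration of how the rules in Table 7.1 combine against a candidate answer, here is a small checker written for this guide; it is not ActivIdentity's code and does not call the product. The rule names follow the table. The precise meaning of "repeat" (same character twice in a row), "duplicate" (same character anywhere twice) and "sequential" (three or more adjacent code points in either direction), and the use of ASCII punctuation as the symbol set, are this example's assumptions and are marked as such in the comments. The sample policy at the end is the one described under About Passphrase Policies: begin with an uppercase character, at most one uppercase character, spaces prohibited.

```python
import string
from dataclasses import dataclass
from typing import List, Optional

# Assumption: "symbol" and "punctuation" in the table both mean ASCII punctuation.
PUNCT = set(string.punctuation)


@dataclass
class PassphrasePolicy:
    """One field per row of Table 7.1. None on a maximum means 'no upper limit'."""
    minimum_length: int = 6            # the guide requires at least six characters
    maximum_length: Optional[int] = None
    minimum_punctuation: int = 0
    maximum_punctuation: Optional[int] = None
    minimum_uppercase: int = 0
    maximum_uppercase: Optional[int] = None
    minimum_lowercase: int = 0
    maximum_lowercase: Optional[int] = None
    minimum_numeric: int = 0
    maximum_numeric: Optional[int] = None
    # Tri-state rules take "No", "Yes" or "Yes, case insensitive" as in the table.
    disallow_repeat: str = "No"        # assumption: same character twice in a row
    disallow_duplicate: str = "No"     # assumption: same character anywhere twice
    disallow_sequential: str = "No"    # assumption: 3+ adjacent code points, up or down
    begin_with_uppercase: bool = False
    end_with_uppercase: bool = False
    begin_with_alpha: bool = False
    begin_with_number: bool = False
    begin_with_symbol: bool = False
    end_with_alpha: bool = False
    end_with_number: bool = False
    end_with_symbol: bool = False
    prohibited_characters: str = ""    # case sensitive, as the table states


def _has_repeat(s: str) -> bool:
    return any(a == b for a, b in zip(s, s[1:]))


def _has_duplicate(s: str) -> bool:
    return len(set(s)) != len(s)


def _has_sequential_run(s: str, run: int = 3) -> bool:
    """True if `run` adjacent characters step by exactly +1 or -1 (e.g. 87654, edcba)."""
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_passphrase(answer: str, policy: PassphrasePolicy) -> List[str]:
    """Return the Table 7.1 rules the answer violates; an empty list means it is acceptable."""
    violations: List[str] = []
    n = len(answer)
    if n < policy.minimum_length:
        violations.append("Minimum length")
    if policy.maximum_length is not None and n > policy.maximum_length:
        violations.append("Maximum length")
    counts = {
        "punctuation": sum(c in PUNCT for c in answer),
        "uppercase": sum(c.isupper() for c in answer),
        "lowercase": sum(c.islower() for c in answer),
        "numeric": sum(c.isdigit() for c in answer),
    }
    for kind, count in counts.items():
        if count < getattr(policy, f"minimum_{kind}"):
            violations.append(f"Minimum {kind} characters")
        limit = getattr(policy, f"maximum_{kind}")
        if limit is not None and count > limit:
            violations.append(f"Maximum {kind} characters")
    for rule, mode, test in (
        ("Disallow repeat characters", policy.disallow_repeat, _has_repeat),
        ("Disallow duplicate characters", policy.disallow_duplicate, _has_duplicate),
        ("Disallow sequential characters", policy.disallow_sequential, _has_sequential_run),
    ):
        if mode != "No" and test(answer.lower() if mode == "Yes, case insensitive" else answer):
            violations.append(rule)
    # Positional rules; answer[:1] / answer[-1:] are "" for an empty answer, which fails every test.
    for label, attr, test in (("uppercase character", "uppercase", str.isupper),
                              ("any alpha character", "alpha", str.isalpha),
                              ("any number", "number", str.isdigit),
                              ("any symbol", "symbol", lambda c: c in PUNCT)):
        if getattr(policy, f"begin_with_{attr}") and not test(answer[:1]):
            violations.append(f"Begin with {label}")
        if getattr(policy, f"end_with_{attr}") and not test(answer[-1:]):
            violations.append(f"End with {label}")
    bad = "".join(sorted({c for c in answer if c in policy.prohibited_characters}))
    if bad:
        violations.append(f"Prohibited characters: {bad!r}")
    return violations


# The policy from "About Passphrase Policies": starts uppercase, continues lowercase, no spaces.
EXAMPLE_POLICY = PassphrasePolicy(begin_with_uppercase=True, maximum_uppercase=1,
                                  prohibited_characters=" ")

if __name__ == "__main__":
    for candidate in ("Fluffy", "fluffy", "FluffyCat", "My cat", "Fluff"):   # constructed samples
        print(candidate, check_passphrase(candidate, EXAMPLE_POLICY) or "OK")
```

The checker reports every violated rule rather than stopping at the first, which is what a help desk needs when it explains to a user why an answer was rejected; it also shows why the guide warns against strict policies, since even the mild example policy rejects three of the five constructed candidates.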

Change a Passphrase Policy
1. In the Administrative Management Utility navigation tree, click Advanced Settings.
   The Advanced Settings pane is displayed with the Passphrase tab.
2. Select the Use a passphrase policy option.
3. Either:
   • Click Edit Policy.
   • In the navigation tree, click Passphrase policy under Advanced Settings.
   The Passphrase policy properties are displayed.
4. In the Description column, click the policy rule you want to edit, and then in the Value column, type the required value. In this example, to ensure lower-case letters are used, the rule Minimum lowercase characters is selected, and the number 6 is typed.
5. Click Apply.
   The new or selected value is added to the Value column.
6. Click OK.
Note: The passphrase policy now applies to all users inheriting configuration from the selected object. You can change or disable it at any time.

Enabling Passphrase Security System
The Enable passphrase security system preference determines whether the passphrase is used to encrypt ActivIdentity SecureLogin data. Choosing Yes, No, or Hidden depends on enterprise security requirements and determines whether ActivIdentity SecureLogin is available to users who authenticate using their smart card and PIN or a user name and password. Enable passphrase security system cannot be set to No unless Use PKI credentials from smart card to encrypt SSO data is set to Yes.
The passphrase is an integral part of the security architecture of ActivIdentity SecureLogin and secures a user's ActivIdentity SecureLogin data that is used to authenticate to applications.
If the Enable passphrase security system preference is set to Yes (default) or Hidden, the passphrase is set when ActivIdentity SecureLogin is launched by a particular user. First-time users are prompted to set a passphrase question and answer.
The following passphrase security options are available to administrators:
• The user chooses both the passphrase question and answer. The passphrase question can be anything the user decides, as can the answer.
• The administrator predefines a list of questions, and the user selects one of the questions and enters the answer.
Once the passphrase is set, a random key is generated and a one-way hash of the passphrase answer is used to encrypt this key. The new key is then encrypted using the application key and is used to protect the user's ActivIdentity SecureLogin credentials. This new user-specific key also protects the user's passwords, so even administrators with full rights to the network and access to the Microsoft Management Console are unable to view a user's passwords.
The next time (and every time after that) a user logs on to the network, ActivIdentity SecureLogin loads seamlessly. Typically, users are never prompted with the passphrase question again. However, to protect a user's ActivIdentity SecureLogin data from unauthorized use, a user is prompted for their passphrase if the user's directory or network password is reset by an administrator. The next time ActivIdentity SecureLogin loads, the passphrase question must be answered before ActivIdentity SecureLogin will continue. This prevents anyone other than the user from changing the user's directory password, logging on as them, and obtaining access to their ActivIdentity SecureLogin data and applications.
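The key layout just described (a random user key, wrapped under a one-way hash of the passphrase answer and also under an application key, and used in turn to protect the stored credentials) can be shown with a short model. This is an added example written for this guide, not ActivIdentity's implementation. Two things in it are the example's own: the cipher is a constructed HMAC-SHA256 keystream with an encrypt-then-MAC tag, standing in for the product's AES or Triple DES, and the application key is assumed to be derived from the user's current network password, so that a password reset by an administrator invalidates the silent start-up path and leaves the passphrase answer as the only way to recover the user key. The guide does not say how the product obtains its application key; all function names and sample values here are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 over a counter (constructed stand-in for AES/3DES)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Decrypt, or raise ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or corrupted data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def passphrase_kek(answer: str) -> bytes:
    """One-way hash of the passphrase answer; case sensitive, as the guide states."""
    return hashlib.sha256(b"passphrase:" + answer.encode("utf-8")).digest()


def logon_key(network_password: str) -> bytes:
    """Assumption for this example only: the 'application key' behind the seamless
    start-up path is derived from the user's current network password."""
    return hashlib.sha256(b"logon:" + network_password.encode("utf-8")).digest()


def enrol(answer: str, network_password: str) -> dict:
    """First launch: create the random user key and wrap it under both KEKs."""
    user_key = secrets.token_bytes(32)
    return {
        "by_passphrase": seal(passphrase_kek(answer), user_key),
        "by_logon": seal(logon_key(network_password), user_key),
        "credentials": {},            # application secrets, each sealed under user_key
    }


def unlock(record: dict, network_password: Optional[str] = None,
           answer: Optional[str] = None) -> bytes:
    """Recover the user key. The logon path is tried first (silent load); when the
    password no longer matches (for example after an administrator reset it), only
    the passphrase answer can unwrap the key."""
    if network_password is not None:
        try:
            return open_sealed(logon_key(network_password), record["by_logon"])
        except ValueError:
            pass
    if answer is None:
        raise PermissionError("passphrase answer required")
    return open_sealed(passphrase_kek(answer), record["by_passphrase"])


def rewrap_after_reset(record: dict, answer: str, new_password: str) -> None:
    """After the user answers the passphrase, re-wrap the key under the new password."""
    user_key = open_sealed(passphrase_kek(answer), record["by_passphrase"])
    record["by_logon"] = seal(logon_key(new_password), user_key)


def demo() -> dict:
    """Walk through enrolment, an administrator password reset and the passphrase recovery."""
    record = enrol("Fluffy", "Winter-2009")                   # constructed sample values
    user_key = unlock(record, network_password="Winter-2009")
    record["credentials"]["mail"] = seal(user_key, b"m41l-s3cr3t")
    results = {}
    try:                                                       # password reset by someone else
        unlock(record, network_password="Reset-123")
        results["reset_alone_unlocks"] = True
    except PermissionError:
        results["reset_alone_unlocks"] = False
    rewrap_after_reset(record, "Fluffy", "Reset-123")         # the user answers the passphrase
    key_again = unlock(record, network_password="Reset-123")
    results["same_user_key"] = key_again == user_key
    results["mail_secret"] = open_sealed(key_again, record["credentials"]["mail"])
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the guide makes in prose: knowing or resetting the network password yields a key that fails to unwrap the user key, so the stored credentials stay unreadable until the passphrase answer is supplied, after which the user key is re-wrapped under the new password and silent loading resumes.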

Passphrases and Smart Cards


Administrators cannot simply toggle the Enable passphrase security
system setting on the day the user forgets their smart card unless the user
has previously set a passphrase (or had it randomly generated using the
Hidden option).

PKI Encryption and Passphrase Security
In the Preferences Security properties, when the Use PKI credentials from smart card to encrypt SSO data option is set to Yes, the user's ActivIdentity SecureLogin data is encrypted using the public key from the selected certificate. It is decrypted using the private key stored in a PIN-protected container on the user's smart card. Both the user's directory datastore and local cache are protected by the PKI credentials.
With the Use PKI credentials from smart card to encrypt SSO data option set to Yes, Enable passphrase security system can optionally be set to No.

Enable Passphrase Security System


To set Enable passphrase security system in the Administration
Management Utility:
1. In the navigation tree, click Preferences.
2. Click Security.
The Preferences Security properties are displayed.


Yes
If this preference is selected, users must select a passphrase question and answer when they first log on to ActivIdentity SecureLogin. Passphrase questions can be entered either by the user or predefined by the ActivIdentity SecureLogin administrator, or a combination of both, depending on what the administrator allows. With the passphrase system enabled, users are prompted to answer their passphrase question if their password has been reset by the administrator.
If either the Use PKI credentials from smart card to encrypt SSO data or the Use symmetric key stored on smart card to encrypt SSO data option is set to Yes, the passphrase can also be used to decrypt ActivIdentity SecureLogin data if the user's smart card is lost or damaged. This setting must be used in conjunction with the Lost card scenario preference set to Allow passphrase. These preferences can be toggled by the administrator if the user's smart card is forgotten, providing the user's passphrase has already been set. The user is prompted to answer their passphrase question before ActivIdentity SecureLogin will load. Refer to Chapter 10, "Lost Card Scenarios" on page 95 for additional information.
Hidden
If this preference is selected, users are not prompted to set a user-defined passphrase. A user key is generated automatically without user input.
Important: With the passphrase security system set to Hidden, a directory administrator could potentially reset a user's directory password, log on as the user, and access their ActivIdentity SecureLogin data, as they would not be prompted to answer a passphrase question.
If users are required to authenticate to the network using passwords, Enable passphrase security system must be set to Yes or Hidden.
ActivIdentity recommends enterprises discuss their corporate security requirements with ActivIdentity Professional Services prior to deployment of their solution.
No
If this preference is selected, the user's passphrases are completely disabled and the user's smart card is always required to decrypt ActivIdentity SecureLogin data.
Note: Supported directory modes for disabling the passphrase security system are Microsoft Active Directory and LDAP-compatible.

External Use | November 23, 2009 | Product Version 6.2 | 2009 ActivIdentity


If you disable the passphrase security system:

Administrators can access a user's credentials through a network password reset.

Functionality for using passphrases in conjunction with Emergency Access services (a feature of ActivIdentity Authentication Client) is disabled. Emergency Access enables a user to access their Windows session without knowing their Windows password: the user answers a set of enrolled questions and resets their network password, which reduces calls to the help desk.

To see what the user will experience in environments where Enable passphrase security system has been set to No, see "Passphrase Security System Scenarios" on page 64.

Check Passphrase Security System Status

Prerequisite: ActivIdentity SecureLogin must be running and you must have access to the Windows notification area icon.
1. In the Windows notification area, right-click the ActivIdentity SecureLogin icon and click About.
The About window is displayed.
The status appears next to Database Mode and is listed as either PP Enabled or PP Disabled.

Passphrase Security System Scenarios

The information below describes what the user will experience in environments where the passphrase security system has been enabled and disabled.

Scenario 1: Passphrase Security System Disabled in a Previously Enabled Environment
When the passphrase security system is disabled in an environment where it was previously enabled, the following message appears to users the first time they log on after the change.

Note
The passphrase must be answered (users may have forgotten it) to prevent administrators from simply toggling this preference and providing a possible back door to start ActivIdentity SecureLogin as another user.

If the user clicks:

OK. Approves the removal of the passphrase security system. The user is prompted for the current passphrase answer, which, when provided, completes the approval.

Cancel. Delays the approval. The user is then prompted at each subsequent logon until they click OK to approve the change.

Scenario 2: Passphrase Security System Re-enabled in a Previously Disabled Environment
If the passphrase security system is re-enabled, the Passphrase Setup dialog box is displayed (just as when a user logs on for the first time after the ActivIdentity SecureLogin client is installed).
If the user clicks:

OK. After entering a passphrase question and answer, the user has set their passphrase question and answer and enabled their workstation.

Cancel. Delays enabling passphrases for the user's workstation. The user is prompted at each subsequent logon until they enter a passphrase question and answer and click OK.

Scenario 3: Passphrase Forgotten

If a user forgets their passphrase answer, the directory administrator must delete the user's existing ActivIdentity SecureLogin datastore from the Advanced Settings/Datastore tab.
When the user's ActivIdentity SecureLogin datastore is deleted, the user's corporate-enabled applications, credentials, preferences and user policies are permanently removed. The directory administrator must then reset the user's corporate password before the user can log on and reconfigure applications using ActivIdentity SecureLogin again.

Note
Directory administrators can optionally predefine a list of passphrase questions so users do not need to think of one.

The next time ActivIdentity SecureLogin starts, the user must log on manually. ActivIdentity SecureLogin detects that a passphrase has not been set and prompts the user to enter a new passphrase question and answer before continuing.
Once the user has set a new passphrase, the user is required to re-enter their application user names and passwords. If this were not the case, an unauthorized user could breach security simply by clearing the user's passphrase, entering a new one and accessing the user's secrets.
Administrators may have to reset the user's application passwords, because the user will probably have forgotten them, or because ActivIdentity SecureLogin may have substituted strong random passwords when an application requested a new password (depending on configuration).


Chapter 8: Managing Password Policies

Chapter Contents
About Password Policies (page 67)
Open the Password Policies Pane (page 70)
Create a New Password Policy (page 70)
Change a Password Policy (page 73)
Delete a Password Policy (page 73)
Linking a Policy to an Application (page 74)
About Password Policies

ActivIdentity SecureLogin provides password policy functionality to enable you to efficiently and effectively manage user passwords in order to comply with your organization's security policies.
You can create password policies at the container, organizational unit, group policy and user object levels.

Policies set at the container or organizational unit level are inherited by all associated directory objects.

Password policies set at the user object level override all higher-level policies.

Password policies are linked to application definitions through scripting. You can do this by:

Using the Application Definition Wizard to define a change password form for an application. A password policy can be created or selected through the wizard interface.

Creating a password policy in the Password Policies pane and then linking the policy to the application definition using the RestrictVariable command.

Password policies comprise one or more password rules applicable to one or more single sign-on enabled applications and to specific directory objects. You can configure password policies in the:

ActivIdentity SecureLogin management utilities

Application Definition Wizard

Microsoft Active Directory Users and Computers snap-in (MMC)

Group Policy snap-in

For more information, see the ActivIdentity SecureLogin Single Sign-On Overview.
Password policies are created by the Application Definition Wizard as part of the process of enabling an application, but you cannot edit or delete password policies from within the wizard. For more information, see the ActivIdentity SecureLogin Single Sign-On Application Definition Wizard Guide.
ActivIdentity SecureLogin remembers passwords and can also handle password changes when required by applications (every 30 days, for example) or when users decide to change their passwords. ActivIdentity SecureLogin password management functionality includes the capability to set password expiration periods and generate random passwords that comply with specified password policies. For more information, see the ActivIdentity SecureLogin Single Sign-On Application Definition Wizard Guide.

Password policies are typically created to match the password policies the applications already enforce. Consult application owners before changing an existing password policy.
To determine the requirements and parameters of a password policy and the applications it applies to, we recommend that you test complex policies on a test user account to ensure they are viable. If the policy is looser than the application's own rules, ActivIdentity SecureLogin can generate a random password that the application rejects; if it is stricter, a user's valid existing password can fail the policy check when the credentials are first saved (see "Linking a Policy to an Application" on page 74 for a way to restrict only new passwords).

Password Policy Properties

Note
In the original table, the default value setting for each password policy rule is shown in bold; where a rule has a default, the description below also states it.

Organizations and applications often have rules about the content of passwords, including the required number and type of characters. The Password Policies properties help to create and enforce these password rules through a password policy, and apply this policy to one or more applications.

TABLE 8.1: Password Policy Properties

Minimum length
  Value: Number, e.g. 7
  Defines the minimum password length in number of characters.

Maximum length
  Value: Number, e.g. 12
  Defines the maximum password length in number of characters.

Minimum special characters
  Value: Number, e.g. 1
  Defines the minimum number of special characters, namely:
  ~!@#$%^&*()_+|-=\\{}[]:\\";'<>?/,.`

Maximum special characters
  Value: Number, e.g. 3
  Defines the maximum number of special characters.

Minimum uppercase characters
  Value: Number, e.g. 1
  Defines the minimum number of uppercase characters that must be used in a password.

Maximum uppercase characters
  Value: Number, e.g. 3
  Defines the maximum number of uppercase characters that can be used in a password.

Minimum lowercase characters
  Value: Number, e.g. 3
  Defines the minimum number of lowercase characters that must be used in a password.

Maximum lowercase characters
  Value: Number, e.g. 4
  Defines the maximum number of lowercase characters that can be used in a password.

Minimum numeric characters
  Value: Number, e.g. 1
  Defines the minimum number of numeric characters that must be used in a password.

Maximum numeric characters
  Value: Number, e.g. 3
  Defines the maximum number of numeric characters that can be used in a password.

Disallow repeated characters
  Value: No / Yes / Yes, case insensitive
  Disallows the use of the same character twice in succession. By default, repeated characters are allowed.
  Note: When set to Yes, the same alpha character in a different case is considered a different character; for example, A and a are different. When set to Yes, case insensitive, the successive use of the same alpha character in a different case is also disallowed.

Disallow duplicate characters
  Value: No / Yes / Yes, case insensitive
  Disallows the use of the same character more than once in non-successive positions. By default, duplicate characters are allowed.
  Note: When set to Yes, the same alpha character in a different case is considered a different character; for example, A and a are different. When set to Yes, case insensitive, duplication of the same alpha character in a different case is also disallowed.

Disallow sequential characters
  Value: No / Yes / Yes, case insensitive
  Disallows the use of successive characters in alphabetical order. By default, sequential characters are allowed.
  Note: When set to Yes, sequential characters in a different case are considered non-sequential; for example, A and b are non-sequential. When set to Yes, case insensitive, the use of sequential characters in a different case is also disallowed.

Begin with an uppercase character
  Value: No / Yes
  Enforces an uppercase alpha character as the first character of the password. The default value is No.
  Note: Choosing Yes for this policy automatically disables all other Begin with policies, and choosing Yes for any other Begin with first character policy automatically disables this one. Only one type of character can be nominated as the first character of a password.

End with an uppercase character
  Value: No / Yes
  Enforces an uppercase letter as the last character of the password. The default value is No.
  Note: Choosing Yes for this policy automatically disables all other End with policies, and choosing Yes for any other End with policy automatically disables this one.

Prohibited characters
  Value: Any characters
  Defines a list of characters that cannot be used in a password.
  Note: No separator is needed in the list of prohibited characters, for example @#$%&*

Begin with any alpha character
  Value: No / Yes
  Enforces an alpha character as the first character of the password. The default value is No.
  Note: Choosing Yes for this policy automatically disables all other first character policies.

Begin with any number
  Value: No / Yes
  Enforces a numeric character as the first character of the password. The default value is No.
  Note: Choosing Yes for this policy automatically disables all other first character policies.

Begin with any symbol
  Value: No / Yes
  Enforces a symbol character as the first character of the password. The default value is No.
  Note: Choosing Yes for this policy automatically disables all other first character policies.

End with any alpha character
  Value: No / Yes
  Enforces an alpha character as the last character of the password. The default value is No.
  Note: Choosing Yes for this policy automatically disables the other End with character policies.

End with any number
  Value: No / Yes
  Enforces a numeric character as the last character of the password. The default value is No.
  Note: Choosing Yes for this policy automatically disables the other End with character policies.

End with any symbol
  Value: No / Yes
  Enforces a symbol character as the last character of the password. The default value is No.
  Note: Choosing Yes for this policy automatically disables the other End with character policies.
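As an added example that is not part of this guide and not ActivIdentity code, the following Python model implements the rule semantics of Table 8.1 so that a candidate policy can be checked against real passwords before it is linked to an application, and shows the random generation of a complying password that this chapter mentions. The field names, the FINANCE policy values, the "upper/alpha/number/symbol" labels for the Begin with and End with rules and the rejection-sampling generator are this example's own choices; the special-character set is taken from the table, reading each doubled backslash as one literal backslash.

```python
"""Model of an ActivIdentity SecureLogin password policy (Table 8.1).

Added example, not ActivIdentity code: field names, FINANCE values and
the generator are this example's own design.
"""
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional

# Special characters as listed for "Minimum special characters" in Table 8.1
# (assumption: the guide's doubled backslash is one literal backslash).
SPECIAL = "~!@#$%^&*()_+|-=\\{}[]:\";'<>?/,.`"

# Character classes that a "Begin with ..." / "End with ..." rule can nominate.
_CLASS = {
    "upper": str.isupper,
    "alpha": str.isalpha,
    "number": str.isdigit,
    "symbol": lambda c: c in SPECIAL,
}


@dataclass
class PasswordPolicy:
    # A maximum of 0 means "not enforced", matching the note that most rules
    # have no default value.
    min_length: int = 0
    max_length: int = 0
    min_special: int = 0
    max_special: int = 0
    min_upper: int = 0
    max_upper: int = 0
    min_lower: int = 0
    max_lower: int = 0
    min_digit: int = 0
    max_digit: int = 0
    disallow_repeated: str = "No"     # "No" / "Yes" / "Yes, case insensitive"
    disallow_duplicate: str = "No"
    disallow_sequential: str = "No"
    begin_with: Optional[str] = None  # None or one of _CLASS (only one allowed)
    end_with: Optional[str] = None
    prohibited: str = ""              # no separator, as in the table

    def violations(self, pw: str) -> List[str]:
        found = []
        counts = {
            "length": (len(pw), self.min_length, self.max_length),
            "special": (sum(c in SPECIAL for c in pw), self.min_special, self.max_special),
            "uppercase": (sum(c.isupper() for c in pw), self.min_upper, self.max_upper),
            "lowercase": (sum(c.islower() for c in pw), self.min_lower, self.max_lower),
            "numeric": (sum(c.isdigit() for c in pw), self.min_digit, self.max_digit),
        }
        for name, (n, lo, hi) in counts.items():
            if n < lo:
                found.append(f"fewer than {lo} {name}")
            if hi and n > hi:
                found.append(f"more than {hi} {name}")
        if any(c in self.prohibited for c in pw):
            found.append("prohibited character")
        # Repeated = same character twice in succession; duplicate = same
        # character again in a non-successive position; sequential = two
        # successive letters in alphabetical order. "Yes" keeps case, so A/a
        # differ and A/b are not sequential; "Yes, case insensitive" folds it.
        for rule, setting in (("repeated", self.disallow_repeated),
                              ("duplicate", self.disallow_duplicate),
                              ("sequential", self.disallow_sequential)):
            if setting == "No":
                continue
            s = pw.lower() if setting == "Yes, case insensitive" else pw
            if rule == "repeated" and any(a == b for a, b in zip(s, s[1:])):
                found.append("repeated characters")
            if rule == "duplicate" and any(c in s[i + 2:] for i, c in enumerate(s)):
                found.append("duplicate characters")
            if rule == "sequential" and any(
                    a.isalpha() and b.isalpha() and ord(b) - ord(a) == 1
                    for a, b in zip(s, s[1:])):
                found.append("sequential characters")
        if self.begin_with and not (pw and _CLASS[self.begin_with](pw[0])):
            found.append(f"must begin with {self.begin_with}")
        if self.end_with and not (pw and _CLASS[self.end_with](pw[-1])):
            found.append(f"must end with {self.end_with}")
        return found

    def complies(self, pw: str) -> bool:
        return not self.violations(pw)

    def generate(self, attempts: int = 10000) -> str:
        """Random password that satisfies the policy (rejection sampling)."""
        alphabet = [c for c in string.ascii_letters + string.digits + SPECIAL
                    if c not in self.prohibited]
        longest = self.max_length or self.min_length + 4
        for _ in range(attempts):
            length = self.min_length + secrets.randbelow(longest - self.min_length + 1)
            candidate = "".join(secrets.choice(alphabet) for _ in range(length))
            if self.complies(candidate):
                return candidate
        raise ValueError("policy is not satisfiable within the attempt budget")


# Constructed policy standing in for the FinancePwdPolicy used later in this
# chapter; the values are assumptions, not taken from the guide.
FINANCE = PasswordPolicy(min_length=8, max_length=12, min_special=1, max_special=3,
                         min_upper=1, min_lower=3, min_digit=1,
                         disallow_repeated="Yes",
                         disallow_sequential="Yes, case insensitive",
                         begin_with="alpha", prohibited="@")
```

FINANCE.violations("Summer2009") reports the missing special character and the "mm" repeat, while FINANCE.generate() returns a password the same policy accepts; a policy whose constraints cannot all be met (for example a maximum length below the minimum) raises instead of looping forever, which is the case to catch on a test account before the policy is linked to a ChangePassword command.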

Open the Password Policies Pane

You can create, change and delete password policies using the Password Policies pane of the ActivIdentity SecureLogin Administrative Management Utility.
1. To open the Administrative Management Utility, either:
Use the Active Directory Users and Computers snap-in. For more information, see "Start the Administrative Management Utility using the Active Directory Snap-in" on page 23.
On the Windows Start menu, point to All Programs, ActivIdentity, SecureLogin, and then click ActivIdentity SecureLogin Manager.
2. In the navigation tree, click Password Policies.

Create a New Password Policy

Note
You can also create, but not edit or delete, a password policy as part of the process of enabling an application using the Application Definition Wizard. See the ActivIdentity SecureLogin Single Sign-On Application Definition Wizard Guide for more information.

You design a password policy by selecting a set of policy rules and adjusting the parameters of each one.
External Use | November 23, 2009 | Product Version 6.2 | 2009 ActivIdentity

ActivIdentity SecureLogin Single Sign-On | Administration Guide

P 71

1. In the Administrative Management Utility, select Password Policies.

Note
Use a unique name for every logon, application and password policy. A password policy cannot have the same name as any other ActivIdentity SecureLogin attribute. Organizations typically employ the naming convention ApplicationName PwdPolicy (for example, LotusNotesPwdPolicy).

2. Click New.
The New password policy dialog box is displayed.
3. In the Enter a name for the new password policy field, type a name for the policy (in this example, RestrictServerPwdPolicy).
4. Click OK.
The new policy is added under Password Policies in the navigation tree.
5. Click the new password policy.
The Password Policy RestrictServerPwdPolicy properties are displayed on the right. The table lists properties and corresponding values.

Note
Most policy rules are not enforced and do not have a default value.

6. Select the rule you want to change and then either type in a value or click the appropriate value in the drop-down list.
Values are No, Yes, Yes, case insensitive, or a whole number:
Yes treats B and b as different characters.
Yes, case insensitive treats B and b as the same character.
7. Click Apply.
8. Click OK.


Change a Password Policy

You can change a password policy by adjusting the parameters of each rule, or by clearing a rule's parameters so that it is no longer enforced.
1. In the Administrative Management Utility, open Password Policies.
2. In the navigation tree, under Password Policies, click the policy you want to change (in this example, RestrictServerPwdPolicy).
3. Locate the rule you want to change in the list, and then click the appropriate value from the drop-down list or type a value on the right.
4. Click Apply.
5. Click OK.

Delete a Password Policy

Before you delete a password policy, make sure that it is not used by any application (that is, no application definition refers to it in a RestrictVariable command and no wizard-defined change password form selects it).
1. In the Administrative Management Utility navigation tree, select Password Policies.
2. In the Password Policies pane, click the policy you want to delete.
3. Click Delete. Alternatively, right-click the policy and click Delete.
4. Click Apply.
5. Click OK.

Linking a Policy to an Application

You can set or select a password policy while defining an application definition to handle a change password screen using the Application Definition Wizard. For more information, see the ActivIdentity SecureLogin Single Sign-On Application Definition Wizard Guide.

Alternatively, password policies are linked to applications using the ActivIdentity SecureLogin application definition command RestrictVariable. With RestrictVariable, a password policy can be applied to one or more applications. For more information, see the ActivIdentity SecureLogin Single Sign-On Application Definition Guide.
The following application definition restricts the $Password variable to the Finance password policy. The user's existing password must match the policy when they first save their credentials. When the password requires changing, the application definition generates a new password that satisfies the policy randomly (no user intervention required), because Random is included in the ChangePassword command.
# Set the Password to use the Finance Password Policy
RestrictVariable $Password FinancePwdPolicy
# Logon dialog box
Dialog
Class #32770
Title Logon
EndDialog
Type $Username #1001
Type $Password #1002
# Change password dialog box
Dialog
Class #32770
Title Change Password
EndDialog
Type $Username #1015
Type $Password #1004
ChangePassword $Password Random
Type $Password #1005
Type $Password #1006
Click #1

The following example uses an application definition to restrict the ?NewPwd variable to the Finance password policy. When the application starts for the first time and prompts the user to enter their credentials, their current password ($Password) is saved and used as-is, without being checked against the policy.
When the password expires, the password policy is enforced on the new password only. This is a way to enforce a tougher password policy than is currently in place when you cannot guarantee that all existing passwords meet the new policy.
# Set the password to use the Finance Password Policy
RestrictVariable ?NewPwd FinancePwdPolicy
# Logon dialog box
Dialog
Class #32770
Title "Log on"
EndDialog
Type $Username #1001
Type $Password #1002
Click #1
# Change password dialog box
Dialog
Class #32770
Title "Change password"
EndDialog
Type $Username #1015
Type $Password #1004
ChangePassword ?NewPwd Random
Type ?NewPwd #1005
Type ?NewPwd #1006
Set $Password ?NewPwd
Click #1


Chapter 9: Managing Credentials

Chapter Contents
About Credentials (page 77)
Create a User Logon and Credential (page 77)
Link a Logon to an Application (page 80)

About Credentials
After you have created an application definition and activated it for ActivIdentity SecureLogin, the first time a user logs on they are prompted to enter their credentials in an ActivIdentity SecureLogin dialog box. ActivIdentity SecureLogin then stores these credentials and associates them with the application definition, which uses them in subsequent logons.
You can display and manage these credentials in the Logins pane of the Administrative Management Utility or the My Logins pane of the Personal Management Utility.
Because individual application requirements determine the credentials that users must enter when logging on manually, only those credentials are stored and remembered by ActivIdentity SecureLogin. For example, if a user has an application that requires only their user name and password, ActivIdentity SecureLogin encrypts and stores just that information for subsequent logons. Other applications require users to enter domain and database names or IP addresses, or to select check boxes on web pages; ActivIdentity SecureLogin can accommodate and manage these credentials on behalf of the user.
Credentials stored in a directory environment apply to all associated objects. For example, if users access an application located on a specific domain, and they are required to manually select or type the domain address, you can configure the domain as a credential in the Logins pane at the organizational unit level. This removes the requirement for users to enter the domain location manually when they log on, and you can then change the domain at any time without notifying users.
Application credentials such as those for email, finance, HR and travel systems are typically stored for user objects and apply only to (and can be used only by) that particular user. For example, John's application credentials are encrypted and stored against John's user object and are available only to him. When he starts an application, ActivIdentity SecureLogin retrieves, decrypts, and enters the credentials on his behalf.

Create a User Logon and Credential

Prerequisite: The Personal Management Utility is open. For more information, see "ActivIdentity SecureLogin Personal Management Utility" on page 21.
Logons and credentials are typically created automatically as part of the application definition, but you can create and edit them manually if required.
1. In the navigation tree, click My Logins.
The My Logins pane is displayed.
2. Click New.
The Create Login dialog box is displayed.
3. In the Name/Id field, type a name or ID for the logon (for example, ActivIdentity Server).
4. Click OK.
The logon name or ID is added to the navigation tree under My Logins and to the My Logins pane.
5. In the navigation tree, click your new credential set (in this example, ActivIdentity Server).
6. Click New.
The Create Credential dialog box is displayed.
7. In the Name field, type a name for the new credential (for example, Server Location).
8. Click OK.
The new credential is added to the Login - ActivIdentity Server pane.
9. In the right column, type a value for the credential (for example, the server IP address).
10. Click Apply.
The credential variable and its value are displayed in the Login - ActivIdentity Server pane.


Link a Logon to an Application

Prerequisite: The Personal Management Utility is open. For more information, see "ActivIdentity SecureLogin Personal Management Utility" on page 21.
You can link a logon to an application in the appropriate Login pane.
For example, if users log on to a Microsoft Outlook email client using a set of credentials and also log on to Outlook Web Access, they can share the credentials by linking them to the web logon application definition.

Linking Credentials: Example

In the following example, we link the server IP address credential set to an ActivIdentity SecureLogin application on the server.
1. In the navigation tree, click My Logins.
The My Logins pane is displayed.
2. Double-click the logon that you want to link an application to (in this example, ActivIdentity Server).
The Login - ActivIdentity Server pane is displayed.
3. Click Link.
The Applications List window is displayed. This lists the enabled predefined applications and application definitions.
4. Click the application you want to link (in this example, Internet Explorer).
5. Click OK.
The linked application is added to the Login - ActivIdentity Server pane under Application.
6. Click OK.

Deleting Logon Credentials

To delete a logon credential:
1. Open the Administrative Management Utility or the Personal Management Utility.
The Management Utility is displayed.
2. In the navigation tree, select My Logins.
3. Select the login credential to be deleted.
4. In the right-hand Login Properties pane, select Username.
5. Click Delete.
6. Select Password and click Delete.

External Use | November 23, 2009 | Product Version 6.2 | 2009 ActivIdentity

ActivIdentity SecureLogin Single Sign-On | Administration Guide

P 85

Chapter 10: Managing Security and Smart Cards

Chapter Contents
How ActivIdentity SecureLogin Uses Smart Cards (page 85)
Prerequisites (page 85)
Installing ActivIdentity SecureLogin for Smart Cards (page 89)
Configuring ActivIdentity SecureLogin for Smart Cards (page 91)
Lost Card Scenarios (page 95)
Card Management System (CMS) (page 99)

How ActivIdentity SecureLogin Uses Smart Cards

The use of a smart card with ActivIdentity SecureLogin is based on the enterprise preference to have users use a smart card to log on, or to encrypt their directory data using a Public Key Infrastructure (PKI) token.
To enable smart card support with ActivIdentity SecureLogin, the Smart card support option must be selected during installation, regardless of the administrator's intended settings for any of the ActivIdentity SecureLogin smart card security preferences.
Administrators should refer to the ActivIdentity SecureLogin installation guide for their directory environment and to "Installing ActivIdentity SecureLogin for Smart Cards" on page 89 for more information on enabling smart card support during installation and deployment.

Smart Card Logon to a Workstation

ActivIdentity SecureLogin allows a user to alternate between two logon methods: a smart card, and their logon credentials (user name and password). However, a user can log on with either method and still access their ActivIdentity SecureLogin credentials only if the Use smart card or cryptographic token option was selected during ActivIdentity SecureLogin installation. (See "Prerequisites" on page 85 for details.) If the Use smart card or cryptographic token option is not selected during installation, any user attempting to access ActivIdentity SecureLogin on the workstation is forced to log on with their user name and password.

Securing ActivIdentity SecureLogin Credentials with Your Smart Card

Important
To use smart card-specific features such as encryption of the datastore using PKI-based credentials, and AES encryption algorithm support, the datastore mode must be version 6.0. See Chapter 4, "ActivIdentity SecureLogin Datastore Object" on page 28.

ActivIdentity SecureLogin uses a store-and-forward approach to single sign-on credentials and records user IDs and passwords in a local store. It is likely that many, if not all, of an individual user's passwords will be stored in this credential store. Given this architecture, the security controlling the ActivIdentity SecureLogin credential store is extremely important: whoever can decrypt it holds every application password it contains.
When a smart card is used in conjunction with ActivIdentity SecureLogin, a number of optional features can be implemented, including using the smart card to encrypt ActivIdentity SecureLogin data, and tying ActivIdentity SecureLogin availability to the smart card so that only users who log on using a smart card are able to start (and administer) ActivIdentity SecureLogin.
ActivIdentity SecureLogin uses a two-tier encryption process to secure sensitive user credentials and information. All user passwords are encrypted using the user key, and all user data, including the password fields, is then encrypted using the master key.
The result is a two-tier encryption process in which password values are encrypted twice (once with the user key and once with the master key), while all other data is encrypted once with the master key.

Note
Once the datastore mode version is
upgraded to v6.0, the encryption
algorithm is automatically upgraded
to AES for all users in this
container, providing a higher
encryption standard to the
ActivIdentity SecureLogin data.

Using ActivIdentity SecureLogin in conjunction with a smart card provides an additional level of security, since the key used to decrypt data is stored on the smart card and authentication is two-factor: something you have (the smart card) and something you know (the PIN). If the administrator selects the Use PKI credentials from smart card to encrypt SSO data or Use symmetric key stored on smart card to encrypt SSO data option, the user must insert their smart card and enter their PIN before ActivIdentity SecureLogin will start.
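The following Python model is added here as an illustration of the two-tier layout described above and of why the source of the user key matters (the Important note under the Enable passphrase security system preference in Chapter 7). It is not ActivIdentity code and not the product's actual algorithm: it assumes a passphrase-derived user key (PBKDF2) for the Yes mode and a random master key, and it uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag in place of the AES the product uses. The sample logins and salt are constructed for the demo.

```python
"""Model of the two-tier user-key / master-key layout described above.

Added example, not ActivIdentity code. The cipher, the key derivation and
the record format are this example's assumptions, not the product's.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

_NONCE = 16
_TAG = 32  # HMAC-SHA256 tag length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; stands in for the AES the product uses.
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(_NONCE)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:_NONCE], blob[_NONCE:-_TAG], blob[-_TAG:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def user_key_from_passphrase(answer: str, salt: bytes) -> bytes:
    """'Yes' mode: the user key is derived from a secret only the user knows
    (PBKDF2 here; the product's own derivation is not documented on this page)."""
    return hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, 100_000)


def encrypt_datastore(master_key: bytes, user_key: bytes,
                      logins: Dict[str, Tuple[str, str]]) -> bytes:
    """Tier 1 seals every password field with the user key; tier 2 seals the
    whole record, sealed passwords included, with the master key."""
    tier1 = {app: {"username": user, "password": seal(user_key, pw.encode()).hex()}
             for app, (user, pw) in logins.items()}
    return seal(master_key, json.dumps(tier1).encode())


def read_datastore(master_key: bytes, blob: bytes,
                   user_key: Optional[bytes] = None) -> Dict[str, Dict[str, Optional[str]]]:
    """The master key alone yields user names and other fields; password
    fields stay sealed until the user key is supplied."""
    record = json.loads(unseal(master_key, blob))
    view = {}
    for app, fields in record.items():
        password = None
        if user_key is not None:
            password = unseal(user_key, bytes.fromhex(fields["password"])).decode()
        view[app] = {"username": fields["username"], "password": password}
    return view


# Constructed sample data for the demo.
LOGINS = {"Finance": ("jsmith", "Pa$s-Word7"), "HR": ("jsmith", "Tr4vel!ok")}
SALT = b"constructed-per-user-salt"


def demo():
    master = os.urandom(32)
    user_key = user_key_from_passphrase("first school", SALT)
    blob = encrypt_datastore(master, user_key, LOGINS)
    admin_view = read_datastore(master, blob)             # master key only
    user_view = read_datastore(master, blob, user_key)    # passphrase answered
    try:
        read_datastore(master, blob, user_key_from_passphrase("wrong answer", SALT))
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return admin_view, user_view, wrong_rejected
```

Reading the store with the master key alone returns the user names but no passwords; only the user key opens the password fields, and a wrong passphrase answer is refused by the tag check rather than yielding garbage. In the Hidden mode the user key is generated without user input and becomes available to whoever can log on as the user, which is why a directory password reset followed by a logon as the user exposes the store in that mode; in the Yes mode the reset triggers the passphrase prompt, which the administrator cannot answer.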

Strong Authentication Methods

Network Authentication
Network authentication is the verification of a user's logon credentials before granting access to a network or operating system. Users typically authenticate to a network using one of the following methods:

Password

Biometric device (fingerprint or iris scan)

Smart card and PIN

Token

Once the user authenticates successfully and the operating system has loaded, ActivIdentity SecureLogin starts and manages the logon credentials for all of the user's single sign-on enabled applications.
If you wish to enforce biometric, smart card or token authentication, including at the application (or even transaction) level, the ActivIdentity SecureLogin re-authentication features, or a third-party authentication module integrated with ActivIdentity SecureLogin, can prompt the user to re-authenticate before ActivIdentity SecureLogin retrieves their credentials and logs on to single sign-on enabled applications.

Authentication Client
ActivIdentity Authentication Client (AAC) provides a Smart Card Password Login (SCPL) feature, enabling a user to log on to Windows with a username and password stored on a PIN-protected smart card. This is designed for customers that have not yet deployed a Public Key Infrastructure (PKI), and is specifically designed to simplify a user's Windows, network and single sign-on experience.
ActivIdentity Authentication Client is available as part of the ActivClient
Advanced license.
For more information about installing, using and managing SCPL, see the
ActivIdentity Authentication Client documentation.


One-Time Password (OTP)

The use of multiple passwords places a high maintenance overhead on large enterprises. Requiring users to use and manage multiple passwords can result in significant cost, particularly in help desk calls to reset forgotten passwords, and in ensuring that all passwords are provisioned when a new user starts and removed when a user leaves the organization.
A one-time password (OTP) is an authentication method specifically designed to avoid the security risks inherent in traditional fixed and static passwords. OTPs rely upon a pre-defined relationship between the user and an authenticating server. A secret key is shared between the user's token generator (a token or OTP-enabled smart card) and the server, and each side performs the same pseudo-random code calculation at user logon. If the codes match, the user is authenticated.
The main benefit of OTP systems is that a code captured on the wire cannot be replayed to the server, because each code is valid only once (or only within a short time window). This is particularly important if a system does not encrypt the password when it is sent to the server, as is the case with many mainframe systems.
ActivIdentity SecureLogin integrates with ActivIdentity's one-time password (OTP) authentication functionality to provide administrators with the application definition command GenerateOTP, which can generate synchronous or asynchronous OTPs from the user's smart card. The GenerateOTP command is integrated in the Application Definition Wizard, and an OTP can be generated and entered in a logon form as a password.
For further information, see the ActivIdentity SecureLogin Single Sign-On Application Definition Wizard Guide for re-authentication details using OTP, and the ActivIdentity SecureLogin Single Sign-On Application Definition Guide for GenerateOTP details.
Scripting for One-Time Passwords
The ActivIdentity SecureLogin application definition command GenerateOTP incorporates one-time password (OTP) generation into its ActivClient smart card functionality.
This OTP functionality can only be used with ActivClient and smart cards that have been set up using a card management system to include an OTP applet on the smart card.
This option is available in the Application Definition Wizard as well as through scripting.

Synchronous mode
Synchronous authentication, or ActivIdentity's patented time-plus-event authentication, replaces static alphanumeric passwords with a pseudo-random code that is dynamically generated from a shared secret key and the current time.
In Synchronous mode the GenerateOTP command requires the administrator to pass a mode variable to the GenerateOTP command.

Asynchronous mode
Asynchronous authentication, or challenge/response authentication, replaces static alphanumeric passwords with a pseudo-random code (the response) that is dynamically generated from a shared secret key and a challenge.
If you use the Wizard, you first configure where the challenge is read from, and then where the newly generated password is entered.
In Asynchronous mode the challenge is passed to the GenerateOTP command as an argument.
For more information on OTP functionality and specific examples of application definitions incorporating the GenerateOTP command, see the ActivIdentity SecureLogin Single Sign-On Application Definition Guide.
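The following is an added illustration, not ActivIdentity code: it models the two GenerateOTP modes with a generic HMAC-based construction (the HOTP/TOTP truncation from RFC 4226 and RFC 6238) rather than ActivIdentity's patented time-plus-event algorithm, which is not reproduced here. The shared key (the RFC 4226 test-vector key), the 30-second time step, the six-digit code length and the server's one-slot tolerance window are all assumptions chosen for the example. Both sides of the exchange are shown: the card-side generator and the server-side verifier, which also shows why a captured code cannot be replayed, because the server refuses a code for a time slot it has already accepted and a response to a challenge it has already consumed.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo secret shared by the OTP applet on the card and the server.
# In a real deployment the CMS provisions this key and it never leaves the card.
SHARED_KEY = b"12345678901234567890"   # assumption: RFC 4226 test-vector key
TIME_STEP = 30                         # assumption: seconds per synchronous slot
DIGITS = 6                             # assumption: code length


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation (RFC 4226 section 5.3): 31-bit window, then modulo 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otp_from_counter(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """Counter-based OTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def synchronous_otp(key: bytes, now: float, step: int = TIME_STEP) -> str:
    """Card side, Synchronous mode: the counter is the current time slot."""
    return otp_from_counter(key, int(now // step))


def asynchronous_otp(key: bytes, challenge: str) -> str:
    """Card side, Asynchronous mode: the response is a MAC over the server's challenge."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha1).digest()
    return _truncate(mac, DIGITS)


class OtpServer:
    """Server side: verifies codes and refuses to accept any code twice."""

    def __init__(self, key: bytes, window: int = 1):
        self.key = key
        self.window = window            # accept +/- this many slots of clock drift
        self.last_accepted_slot = -1    # replay guard for synchronous mode
        self.outstanding = set()        # challenges issued but not yet answered

    def check_synchronous(self, candidate: str, now: float) -> bool:
        slot = int(now // TIME_STEP)
        for s in range(slot - self.window, slot + self.window + 1):
            if s <= self.last_accepted_slot:
                continue   # slot already consumed (or older): a replayed code is rejected
            if hmac.compare_digest(otp_from_counter(self.key, s), candidate):
                self.last_accepted_slot = s
                return True
        return False

    def issue_challenge(self) -> str:
        challenge = secrets.token_hex(8)
        self.outstanding.add(challenge)
        return challenge

    def check_asynchronous(self, challenge: str, candidate: str) -> bool:
        if challenge not in self.outstanding:
            return False   # unknown, expired or already-answered challenge
        self.outstanding.discard(challenge)   # each challenge is answerable once
        return hmac.compare_digest(asynchronous_otp(self.key, challenge), candidate)
```

With the test key above, otp_from_counter(SHARED_KEY, 0) returns 755224 and the synchronous code at second 59 (slot 1) is 287082; presenting 287082 a second time within the same window is rejected. The replay guard is what makes the claim in the text hold: an OTP typed into a logon form that carries the password in the clear protects the account only if the server remembers what it has already accepted.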

Re-Authentication
As part of the ActivIdentity SecureLogin advanced authentication features, you can choose whether users are prompted to re-authenticate (with their network credentials or authentication device) before using an application's credentials. This second strong authentication can provide an extra layer of security around certain applications.

If you select No, ActivIdentity SecureLogin will not re-authenticate users before supplying credentials to the application or web page.

If you select Yes. Enforce re-authentication before accessing this application, you must specify which credentials ActivIdentity SecureLogin should use to re-authenticate the user's identity.

For further information, see the ActivIdentity SecureLogin Single Sign-On Application Definition Wizard Guide.

External Re-authentication
ActivIdentity SecureLogin offers the ability to re-authenticate the user in
conjunction with a third-party authentication module, offering support for
methods such as biometrics. For further information, see the ActivIdentity
SecureLogin Single Sign-On Application Definition Guide.

Installing ActivIdentity SecureLogin for Smart Cards
Client Setup
During the installation of ActivIdentity SecureLogin, the administrator must select the Smart card support option to enable an ActivIdentity SecureLogin user to use configurations such as smart card-based Windows logon, or more advanced features such as SecureLogin leveraging the smart card to encrypt the user credentials.
Existing ActivClient smart card settings will be used by ActivIdentity SecureLogin if they are detected (highly recommended), unless the administrator chooses otherwise.
The administrator can optionally select an alternative cryptographic service provider (Microsoft CryptoAPI CSP) from a drop-down list.


If you intend to use the Use symmetric key stored on smart card to encrypt SSO data option, you need to select a smart card PKCS#11 library during ActivIdentity SecureLogin installation. In all other configurations, selecting a cryptographic service provider (CSP) is sufficient.

Server-Side Administration Preferences

ActivIdentity SecureLogin is a highly configurable and flexible product, and numerous preferences and options are available to the system administrator to implement and enforce corporate directory policy across an enterprise. Corporate policies may include, but are not limited to, enabling strong application security, how ActivIdentity SecureLogin data is encrypted and stored, how password and passphrase policies are implemented and enforced, and management procedures for lost smart card scenarios.
In the case of strong security requirements, administrators should be fully
aware of the implications of linking the use of ActivIdentity SecureLogin to a
smart card and disabling the passphrase functionality.
Various combinations and permutations of configuring ActivIdentity
SecureLogin for use with smart cards are covered in following sections.
ActivIdentity recommends organizations discuss their requirements with
ActivIdentity Professional Services prior to deployment of their solution.

Minimum Requirements
For general information about the minimum requirements for using smart
cards with ActivIdentity SecureLogin, see the ActivIdentity SecureLogin
installation guide for your directory environment.

Supported Configurations
ActivIdentity SecureLogin currently supports any smart card middleware with
a CAPI 2.0 compliant CSP (Cryptographic Service Provider).
For the Use symmetric key stored on smart card to encrypt SSO data
preference, ActivIdentity SecureLogin currently supports any smart card
middleware with a PKCS#11 compliant library. It has been tested with
ActivClient, Aladdin, AET SafeSign and Gemalto (formerly Axalto) smart card
middleware.
When deployed with ActivClient, ActivIdentity SecureLogin will automatically
configure the cryptographic service provider and PKCS#11 dynamic link
library file during installation.
If ActivClient is installed after ActivIdentity SecureLogin, the registry settings that activate smart card support must be changed, or ActivIdentity SecureLogin must be uninstalled and re-installed. ActivIdentity recommends that you instead modify the ActivIdentity SecureLogin installation using the Add/Remove Programs tool: in the setup wizard, select the smart card option and configure the CSP and PKCS#11 libraries.


Configuring ActivIdentity SecureLogin for Smart Cards

ActivIdentity SecureLogin Preferences

Important
To use smart card features such as encryption of the datastore using PKI-based credentials, and AES encryption algorithm support, the data store mode must be version 6.0. See Chapter 4, "ActivIdentity SecureLogin Datastore Object" on page 28.

Because no two organizations have the same environment and requirements, ActivIdentity SecureLogin has a number of preferences that control its behavior, such as how ActivIdentity SecureLogin data is encrypted (using the smart card, a passphrase, or both) and how to handle scenarios such as lost cards. These preferences are explained in this section. Contact ActivIdentity Professional Services for recommendations based on your requirements.

To configure the preferences, use the Microsoft Management Console snap-in within Active Directory environments, and ActivIdentity SecureLogin Manager in LDAP-compliant directories such as Sun, Oracle and IBM.

Require Smart Card is present for SSO and Administration Operation

This preference determines whether a user's smart card must be present before an ActivIdentity SecureLogin session or administration function is allowed. It also checks that the user's smart card has not been removed after a session has started, and prevents the swapping of smart cards during a session to copy credentials.

Notes
There is no message given when the smart card is removed, only when the next ActivIdentity SecureLogin operation occurs.
If the smart card is removed while the MMC management console, SLmanager or the Personal Management Utility is open, the console closes.

If the smart card is removed after the ActivIdentity SecureLogin session has started, on re-insertion of the smart card the card serial number is checked to validate that the card now being used is the same card used to initiate the session.
If the Lost card scenario preference is set to:

Allow passphrase, then the Require smart card is present for SSO and administration operations preference is not available (grayed out).

Require smart card, then the Require smart card is present for SSO and administration operations preference is available and defaults to No.

If the No option is selected, then the user's smart card is not required for ActivIdentity SecureLogin and administration operations.

If the Yes option is selected, then the user's smart card is required for ActivIdentity SecureLogin and administration operations.

If the Default option is selected, then the user's credentials will inherit the Require smart card for SSO and administration operations preference set on a higher-level container. If that preference is not set, this option is set to No.

Note
Administrators can manually disable inheritance of higher level preferences by selecting the Yes option for Stop walking here in the ActivIdentity SecureLogin Administrative Management Utility, Preferences General options.

You must restart ActivIdentity SecureLogin on the client for any changes to the Require smart card for SSO and administrative operations preference to take effect.
Use AES for SSO Data Encryption
This preference determines the level and standard of encryption used to encrypt ActivIdentity SecureLogin data by allowing the use of AES encryption instead of triple DES encryption.

If the No option is selected, then a 168-bit key used with triple DES (EDE) in cipher-block chaining (CBC) mode is used to encrypt the user's credentials.

If the Yes option is selected, then a 256-bit key used with AES in CBC mode is used to encrypt the user's credentials.

Notes
The input key for DES is 64 bits long and includes 8 parity bits. These 8 parity bits are not used during the encryption process, so the effective DES key length is 56 bits and the three-key triple DES key used here is 3 x 56 = 168 bits. Because of meet-in-the-middle attacks, the effective security of three-key triple DES is about 112 bits, which is one reason to prefer the AES option.
If an earlier version of ActivIdentity SecureLogin has been implemented with passphrase security enabled, users will need to answer their passphrase question before data can be re-encrypted using AES when this preference is set to Yes.

Use Smart Card to Encrypt SSO Data: PKI or Symmetric Key

There are a number of encryption options in ActivIdentity SecureLogin. By default, ActivIdentity SecureLogin encrypts your SSO data using:

A key generated automatically based on your password (when you log in to Windows with username/password).

A key generated automatically based on your smart card (when you log in to Windows with a smart card-based certificate).

A key generated automatically based on your user-defined passphrase (if passphrase is enabled).

Note
Some preferences become available and the default values may vary based on the SSO data encryption mode. ActivIdentity therefore recommends setting the security preferences in the following order:
Use symmetric key stored on smart card to encrypt SSO data
Use PKI credentials from smart card to encrypt SSO data
Seamless authentication method switch
Enable passphrase security system
Lost card scenario
Require Smart Card is present for SSO and administration operations
And then the other smart card related preferences

ActivIdentity SecureLogin offers two preferences to leverage your smart card to encrypt the user's ActivIdentity SecureLogin data.

If you set Use PKI credentials from smart card to encrypt SSO data to Yes, ActivIdentity SecureLogin data is encrypted using the user's PKI credentials. ActivIdentity SecureLogin data stored in the directory and in the offline cache (if enabled) is encrypted using the public key from the selected certificate, and the private key (stored on a PIN-protected smart card) is used for decryption. In this configuration, additional smart card options are enabled, and are described in the following section.

If you set Use symmetric key stored on smart card to encrypt SSO data to Yes, ActivIdentity SecureLogin data stored in the directory and in the offline cache (if enabled) is encrypted using a symmetric key (stored on a PIN-protected smart card). This symmetric key is generated by ActivIdentity SecureLogin on a per-user basis. Storing and reading this symmetric key on the card requires the smart card middleware PKCS#11 library to be configured at installation time.
Seamless Authentication Method Switch

Note
This preference is only available if you set Use PKI credentials from smart card to encrypt SSO data and Use symmetric key stored on smart card to encrypt SSO data to No.

In configurations where users alternate their Windows logon method between username/password and smart card-based PKI, you might want to ensure that users have access to ActivIdentity SecureLogin in all configurations, without having to rely on passphrase authentication (which can be disruptive if too frequent).
To do so, set the Seamless Authentication Method Switch preference to Yes.

When enabled, ActivIdentity SecureLogin protects access to the ActivIdentity SecureLogin data with keys derived from both the smart card and the password, so that either credential (smart card or password) can provide access to ActivIdentity SecureLogin.

When disabled, ActivIdentity SecureLogin protects access to the ActivIdentity SecureLogin data with a key derived from the last authentication method used (smart card or password). In this case, a change of authentication method during a screen unlock or logon will require the use of the passphrase (if enabled) in order to provide access to ActivIdentity SecureLogin.
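To make the key hierarchy concrete, here is an added example in Python; it is not ActivIdentity code and does not use the product's ciphers (triple DES or AES in CBC mode), because the Python standard library has no block cipher: in their place it uses an HMAC-SHA256 keystream with an HMAC tag, which is enough to show the structure but is not a substitute for a vetted cipher. It models the two-tier datastore from the start of this section (password fields under the user key, the whole record under the master key) and the Seamless Authentication Method Switch: the master key is wrapped once per logon method, so with the switch on there is a password-derived and a smart card-derived wrapping, and with it off only the last method's wrapping exists and another method cannot open the store without a passphrase slot. The random user key stored inside the master-encrypted body, the PBKDF2 derivation, and a byte string standing in for a key held on the card are assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets


def derive_key(secret: bytes, salt: bytes) -> bytes:
    """Turn a logon secret (password, card-held secret, passphrase) into a 256-bit key."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for the product's 3DES/AES-CBC.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce(16) || ciphertext || tag(32)."""
    k_enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or modified blob raises ValueError."""
    k_enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(k_mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered datastore")
    return bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, nonce, len(ct))))


def create_datastore(credentials: list, unlock_secrets: dict) -> dict:
    """Build the two-tier store.

    credentials:    [{"application": ..., "username": ..., "password": ...}, ...]
    unlock_secrets: {"password": b"...", "smartcard": b"...", "passphrase": b"..."}
                    one entry per logon method that must be able to open the store
                    (password and smartcard together = Seamless switch enabled).
    """
    salt = secrets.token_bytes(16)
    master_key = secrets.token_bytes(32)
    user_key = secrets.token_bytes(32)   # assumption: random per-user key kept inside the store
    # Tier 1: only the password fields, under the user key.
    records = [dict(c, password=encrypt(user_key, c["password"].encode()).hex())
               for c in credentials]
    # Tier 2: everything (records and the user key), under the master key.
    body = json.dumps({"user_key": user_key.hex(), "records": records}).encode()
    return {
        "salt": salt.hex(),
        "data": encrypt(master_key, body).hex(),
        # One wrapping of the master key per logon method that may open the store.
        "wrapped": {method: encrypt(derive_key(secret, salt), master_key).hex()
                    for method, secret in unlock_secrets.items()},
    }


def open_datastore(store: dict, method: str, secret: bytes) -> list:
    """Unlock with one logon method; LookupError means a passphrase (or re-keying) is needed."""
    if method not in store["wrapped"]:
        raise LookupError(f"no key slot for '{method}': authentication method changed")
    salt = bytes.fromhex(store["salt"])
    master_key = decrypt(derive_key(secret, salt), bytes.fromhex(store["wrapped"][method]))
    body = json.loads(decrypt(master_key, bytes.fromhex(store["data"])))
    user_key = bytes.fromhex(body["user_key"])
    return [dict(r, password=decrypt(user_key, bytes.fromhex(r["password"])).decode())
            for r in body["records"]]
```

With the switch enabled (both a password and a smartcard entry in unlock_secrets) either credential opens the store; with only a smartcard entry, a password logon raises LookupError, which is the point at which the product falls back to the passphrase. A wrong secret or a modified record fails the tag check, so the store never yields a plaintext under the wrong key, and the application passwords never appear in the clear in the stored structure.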

PKI Encryption of Data Store and Cache

Important
When a smart card is deployed with a user's PKI credentials, consider using key escrow/archiving/backup via an enterprise card management system (CMS) so that the user's private key can be recovered in a lost card scenario. If no escrow is used, then Enable passphrase security system should be set to Yes or Hidden to prevent the loss of the user's ActivIdentity SecureLogin credentials should they lose their card.

Note
ActivIdentity recommends that you consider the impact (e.g. a user forgets their passphrase or loses a smart card) and your requirements before implementing smart card related preferences.

Without private key recovery, the ActivIdentity SecureLogin administrator would have to clear the user's ActivIdentity SecureLogin data store and reset their application passwords before they are able to use ActivIdentity SecureLogin again. This is a high security solution but is inconvenient to end users, as they will not have ActivIdentity SecureLogin access without the smart card.

The following preferences are only available if Use PKI credentials from smart card to encrypt SSO data is set to Yes.
If PKI credentials are used to encrypt ActivIdentity SecureLogin data with the passphrase security system off (set to No), you should consider implementing key archive/backup and recovery. If key archive/backup and recovery is not implemented and the passphrase security system is not enabled, the user will never be able to decrypt their ActivIdentity SecureLogin data if they lose their smart card, because the private key is stored on the lost smart card.

Choosing a Certificate
When a smart card is configured to use PKI credentials to encrypt ActivIdentity SecureLogin data, ActivIdentity SecureLogin will retrieve the serial number of the current certificate and locate the certificate in the certificate store specified in the relevant ActivIdentity SecureLogin preference. ActivIdentity SecureLogin then loads the associated private key (which may cause a PIN prompt) and attempts to decrypt the user key with the private key.
If the decryption fails or the certificate cannot be located, and a smart card is present and a certificate that matches the selection criteria can be located, then ActivIdentity SecureLogin assumes that a recovered smart card is in use. It then attempts to decrypt the user key with each key pair stored on the card.
Certificate Selection Criteria
Allows administrators to select an encryption or authentication certificate to encrypt the user's ActivIdentity SecureLogin information in the directory.
The certificate selection criteria determine which certificate to select if multiple certificates are in use (for example, if an enterprise has configured an Entrust certificate for ActivIdentity SecureLogin encryption and a Microsoft certificate for logon or authentication).

Note
If the certificate selection criteria rely on the certificate's friendly name, and if you use ActivClient, you should disable Microsoft certificate propagation in order to rely on ActivClient certificate propagation to set the expected friendly name. For further information, see the ActivIdentity ActivClient documentation.

If only one certificate is used, then the field should be left blank; the certificate will be detected automatically and set to User certificate.
When entering certificate selection criteria, no special formatting is required and the search string is not case sensitive. Wild cards are not used, and a search will match if the search text is a substring of the certificate subject field. ActivIdentity SecureLogin will attempt to match against the certificate Subject, then Issuer and finally Friendly Name, in that order.
For example, if the certificate subject is:
CN=Neil Moffat,OU=Users,OU=Accounts,OU=APAC,DC=Protocom,DC=Int
then Moffat would be a valid search value, as would Accounts, APAC and Int. The prefixes CN=, OU= or DC= are not required.
Similarly, if the certificate issuer is:
CN=IssuingCA1,OU=AD,DC=undiscovered,DC=com
then IssuingCA1 would be a valid search value, as would AD, undiscovered and com.
If several certificates match the selection criteria, then the most recent one will be selected by ActivIdentity SecureLogin. Because matching is by substring, choose a value that is distinctive for the intended certificate; a short value such as Int or com will match any certificate whose subject or issuer contains it.
Current Certificate
This preference displays the certificate that is currently being used by ActivIdentity SecureLogin to encrypt a user's ActivIdentity SecureLogin data.


Check Certificate Validity
Allows you to check the validity of the certificate used to encrypt SSO data. Whatever the value of this preference, if the certificate is expired or revoked, ActivIdentity SecureLogin decrypts the data with this certificate and tries to use a replacement certificate to encrypt the data.

If this preference is set to Yes, and the certificate is expired or revoked, and no replacement certificate is found, ActivIdentity SecureLogin does not start.

If this preference is set to No, and the certificate is expired or revoked, and no replacement certificate is found, ActivIdentity SecureLogin starts and decrypts the data with the expired/revoked certificate.
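The selection rules from Certificate Selection Criteria and the replacement behaviour of Check Certificate Validity are illustrated by this added example. It is not ActivIdentity code; it operates on constructed certificate records rather than on the Windows certificate store, and its reading of "Subject, then Issuer and finally Friendly Name" as "use the first of those fields that yields any match" is an assumption, as is taking "most recent" to mean the latest not-before date. Revocation cannot be checked offline, so only expiry is modelled; the sample Entrust issuer names and validity dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Certificate:
    serial: str
    subject: str
    issuer: str
    friendly_name: str
    not_before: datetime
    not_after: datetime


def select_certificate(certs: list, criteria: str) -> Optional[Certificate]:
    """Apply the selection criteria: case-insensitive substring, no wildcards,
    Subject first, then Issuer, then Friendly Name; the newest match wins."""
    if not criteria.strip():
        # Blank criteria: the single certificate is used automatically.
        if len(certs) == 1:
            return certs[0]
        raise ValueError("blank criteria need exactly one certificate")  # assumption
    needle = criteria.casefold()
    for field in ("subject", "issuer", "friendly_name"):
        matches = [c for c in certs if needle in getattr(c, field).casefold()]
        if matches:
            return max(matches, key=lambda c: c.not_before)
    return None


def is_valid(cert: Certificate, now: datetime) -> bool:
    """Expiry only; revocation (CRL/OCSP) needs network access and is not modelled."""
    return cert.not_before <= now <= cert.not_after


def certificate_to_use(certs: list, criteria: str, current: Certificate,
                       now: datetime) -> Optional[Certificate]:
    """Mirror Check Certificate Validity: keep the current certificate while it is
    valid; otherwise pick a different, currently valid certificate matching the
    same criteria for re-encryption, or None if there is none."""
    if is_valid(current, now):
        return current
    candidates = [c for c in certs if c.serial != current.serial and is_valid(c, now)]
    return select_certificate(candidates, criteria) if candidates else None


# Constructed sample store: two Entrust encryption certificates (one renewed)
# and one Microsoft smart card logon certificate, all for the subject from the text.
SUBJECT = "CN=Neil Moffat,OU=Users,OU=Accounts,OU=APAC,DC=Protocom,DC=Int"
ENTRUST_2008 = Certificate("01", SUBJECT, "CN=Entrust Encryption CA,O=Entrust",
                           "Encryption", datetime(2008, 1, 1), datetime(2010, 1, 1))
ENTRUST_2009 = Certificate("02", SUBJECT, "CN=Entrust Encryption CA,O=Entrust",
                           "Encryption", datetime(2009, 6, 1), datetime(2011, 6, 1))
MS_LOGON = Certificate("03", SUBJECT, "CN=IssuingCA1,OU=AD,DC=undiscovered,DC=com",
                       "Smart Card Logon", datetime(2009, 3, 1), datetime(2011, 3, 1))
CERTS = [ENTRUST_2008, MS_LOGON, ENTRUST_2009]

# Constructed check dates used to exercise the validity logic.
MID_2010 = datetime(2010, 6, 1)
EARLY_2012 = datetime(2012, 1, 1)
```

With these records, the criterion Entrust selects the renewed Entrust certificate (issuer match, newest first), IssuingCA1 selects the Microsoft logon certificate, and Moffat matches all three subjects and therefore returns the newest one, which may not be the certificate intended for encryption: the reason the text advises distinctive criteria. When the 2008 certificate has expired, certificate_to_use finds the renewed one for re-encryption; once every matching certificate has expired it returns None, the case in which the Yes setting stops ActivIdentity SecureLogin from starting.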

Lost Card Scenarios

Lost Card Scenario Preference
The Lost card scenario preference determines how ActivIdentity SecureLogin handles a user forgetting, losing or damaging their smart card. The Lost card scenario can only be used if the passphrase security system has been enabled (Enable passphrase security system set to Yes or Hidden).

Note
For users upgrading from ActivIdentity SecureLogin version 5.5, setting Enable passphrase security system to Hidden is equivalent to setting the old Disable passphrase security system to Off.

If a smart card is being used to encrypt ActivIdentity SecureLogin data and the card is lost, stolen or damaged and key escrow/recovery is not used, the user will not have access to their ActivIdentity SecureLogin data unless Enable passphrase security system is set to Yes or Hidden:

If Enable passphrase security system is set to Yes and the user has set a passphrase, and Lost card scenario is set to Allow passphrase, the user will be prompted to answer their passphrase question before ActivIdentity SecureLogin continues.

If Enable passphrase security system is set to Hidden, the user is not prompted for their answer and ActivIdentity SecureLogin loads seamlessly.

Important
If the Lost card scenario preference is changed to Require Smartcard while the user is logged on, refreshing the cache using the Advanced/Refresh Cache function from the Windows notification area will not refresh the preference. The user will need to log off and on again, or restart ActivIdentity SecureLogin, for the new preference to take effect.

Important
For the user to decrypt data using their passphrase, the passphrase must already have been set. Administrators cannot simply toggle the Enable passphrase security system preference on the day the user forgets their smart card unless the user has previously set a passphrase (or had it randomly generated using Hidden).

For other lost or damaged card scenarios, refer to "Card Management System
(CMS)" on page 99.
Require Smart Card
This option will not allow a user to start ActivIdentity SecureLogin without their smart card. It is for high security implementations where organizations wish to tie the use of a user's ActivIdentity SecureLogin credentials to the user's smart card. This means that the user cannot access ActivIdentity SecureLogin by any method (such as user name and password) other than the smart card.
Allow Passphrase
This option allows the user to start ActivIdentity SecureLogin using their passphrase if their smart card is not available. The Enable passphrase security system preference must be set to Yes or Hidden for this to work. Hidden replaces a user-generated passphrase with a system-generated passphrase, effectively removing the need for the user to remember the passphrase answer.
Default
The default is to allow the user to start ActivIdentity SecureLogin using their passphrase, unless a Lost card scenario preference is inherited from a higher-level container.

Note
Administrators can manually disable inheritance of higher level preferences by selecting the Yes option for Stop walking here in the ActivIdentity SecureLogin Administrative Management Utility, Preferences General options.

Temporary Access Using Passphrases

There are a number of options available that permit access if a user loses or forgets their smart card. However, users should not be made aware of any back doors into the system (such as Enable passphrase security system set to Hidden). The perception by users should be that a strong and secure solution has been implemented and that they are responsible for looking after the smart card (similar to their passport or credit card).
If a user loses or forgets their smart card and the Lost card scenario preference is set to Require smart card, temporary access to systems can be granted by the system administrator resetting the user's password. The user is then required to log on and enter their passphrase, if and only if Enable passphrase security system is turned on.

Access with No Card Management System

If an enterprise opts to deploy corporate smart cards without a suitable card management system (CMS) providing key escrow, archiving and backup, and combines this with a very high level of security by setting Enable passphrase security system to No and Use PKI credentials from smart card to encrypt SSO data to Yes, then in the event of a lost or damaged smart card the user will never be able to decrypt their ActivIdentity SecureLogin data, because the key stored on the smart card is not recoverable.
The administrator will need to delete the user's existing ActivIdentity SecureLogin configuration data store from the Advanced Settings/Datastore tab.

Warning
Deleting the user's ActivIdentity SecureLogin data store will permanently delete all the user's enabled applications, credentials, preferences and user policies.

The procedure to reset a user's data store is described in "Deleting or Resetting a User's Datastore" on page 32.
The administrator must then reset the user's corporate passwords and issue a new smart card (with a new key pair) before the user can log on and reconfigure their single sign-on enabled applications using ActivIdentity SecureLogin again.
The user will have to re-enter all their application credentials into ActivIdentity SecureLogin the first time it is used after they have been deleted from the directory.

Restoring a Smart Card Using a Card Management System

Notes
The smart card restoration techniques described in this section have been extensively tested using the functionality of ActivIdentity's Card Management System version 4.1. Other server or web-based CMS applications might not work as described in this section.
ActivIdentity recommends administrators extensively test their ActivIdentity ActivID CMS and smart card restoration techniques before selecting the high security preferences that tie ActivIdentity SecureLogin to the user's smart card.

ActivIdentity recommends that enterprises consider implementing key escrow, archiving and backup using a suitable card management system (CMS) that will allow a user's encryption key to be recovered in the event of a lost or damaged smart card.
The use of a CMS is crucial if an enterprise opts to deploy corporate smart cards with a very high level of security by setting Enable passphrase security system to No and Use PKI credentials to encrypt SSO data to Yes. In the event of a lost or damaged smart card the user will never be able to decrypt their ActivIdentity SecureLogin data, because the key stored on the smart card is not recoverable.
PKI Credentials
If the Use PKI credentials to encrypt SSO data preference is set to Yes to encrypt a user's ActivIdentity SecureLogin data and Enable passphrase security system is set to No, in the event of a lost or damaged smart card the user will never be able to decrypt their ActivIdentity SecureLogin data, because the key stored on the smart card is the only key that can be used for decryption and is not recoverable unless key archive and recovery is implemented.

If a CMS-based key archive is used, then the encryption key needs to be recovered to the new smart card, the ActivIdentity SecureLogin data decrypted, and the administrator needs to choose a new certificate to encrypt the user's data.
Using a CMS-based recovery system, the administrator must issue the user a replacement smart card based on a CMS backup of the user's original key.

Card Management System (CMS)

Enterprise server or web-based card management system (CMS) software
enables corporations to implement and easily manage smart card-based
identity management, provisioning, and authentication devices and enforce
policy across geographically-dispersed locations.
ActivIdentity CMS provides a complete and flexible solution to manage the
issuance, administration and configuration required for a successful and
seamless smart card integration with ActivIdentity SecureLogin and
ActivIdentity ActivClient. It can be configured to perform key escrow, archive
and recovery as described throughout this document. See the ActivIdentity
web site www.actividentity.com or contact ActivIdentity for further information.


Chapter 11: Enabling Applications and Web Sites

Chapter Contents
About Enabling Applications and Web Sites for ActivIdentity SecureLogin
Enabling Applications Using a Predefined Application Definition
Enabling Applications (Windows/Java) and Web Sites Using the Application Definition Wizard
Windows Server 2003/2008 Requirements
Enable a Java Application
Enable a Terminal Emulator Application
Applications that Cannot be Enabled
Managing Application Definitions

About Enabling Applications and Web Sites for ActivIdentity SecureLogin

ActivIdentity SecureLogin:

Has predefined application definitions for access to a wide range of commercially available applications. For more information, see the ActivIdentity SecureLogin Single Sign-On Overview.

Provides wizards and application definition editors to facilitate single sign-on (SSO) to almost any new or proprietary application. This helps you build an application definition for almost any application.

Has additional ActivIdentity SecureLogin tools, such as the Application Definition Wizard, LoginWatch and Window Finder, which help you SSO-enable even the most difficult applications. For more information, see the ActivIdentity SecureLogin Single Sign-On Application Definition Wizard Guide and ActivIdentity SecureLogin Single Sign-On Application Definition Guide.

Supports ActivIdentity SecureLogin-enabling of most standard terminal emulator applications.

Stores the logon information requirements for applications including:

Credentials including but not limited to:
User name
User ID
Logon ID
Password
PINs
Domain
Database names
Server IP addresses

Responses to dialog boxes, messages and events, for example:
Logon
Incorrect credentials
Password expiration and reset
Error messages, including non-compliance to password rules
Account locked
Database unavailable

Note
You can SSO-enable terminal emulators using the Terminal Launcher tool.
Before ActivIdentity SecureLogin can SSO-enable an application for a
particular user, it must learn the user's application credentials so it can
encrypt and store them for future logons (unless it is used in conjunction
with an identity management solution such as IBM Tivoli).
When a user starts an application for the first time after it has been
SSO-enabled, ActivIdentity SecureLogin prompts the user for the application
credentials, and then encrypts and stores them in the directory against the
user object. The credentials are passed automatically to the application for
subsequent logons.


Automated single sign-on with ActivIdentity SecureLogin is achieved using
proprietary application definitions. Application definitions are managed in
directory environments through the ActivIdentity SecureLogin management
utilities, including the Administrative Management Utility and the Active
Directory MMC snap-ins. Locally and in stand-alone deployments, application
definitions are managed in the Personal Management Utility or distributed
using the advanced offline signed and encrypted method.
There is a wide range of options in ActivIdentity SecureLogin to enable
applications. You can easily create application definitions with the
ActivIdentity SecureLogin Application Definition Wizard. SSO-enabled
application definitions may also be created, modified or deleted in the
Applications pane of the management utilities. Regardless of the origin of
the application definition, when an application is SSO-enabled, it is added to
and maintained in the Applications properties.

Windows Server 2003/2008 Requirements

The following information applies to the configuration of a server in a
Windows Server 2003 or Windows Server 2008 environment.

Microsoft Internet Explorer Enhanced Security

By default, Windows Server 2003 and 2008 install Internet Explorer Enhanced
Security Configuration, which is designed to decrease the exposure of
enterprise servers to potential attacks that can occur through web content and
application scripts.
As a result, some web sites accessed directly from a Windows Server 2003 or
2008 server may not display or perform as expected with ActivIdentity
SecureLogin installed. Add-ons and other Browser Helper Objects (BHOs), such
as ActivIdentity SecureLogin, will not be fully functional.
For information on Internet Explorer Enhanced Security, refer to Microsoft's
Knowledge Base article (ID) 815141 or go to:
http://support.microsoft.com/kb/815141/en-us

Disabling Internet Explorer Enhanced Security

If you are experiencing difficulty accessing single sign-on enabled web pages
from a Windows Server 2003 or 2008 server, you can disable the enhanced
security feature. Because this removes a hardening control for every user of
that server, do it only on servers where users actually browse (for example,
terminal servers); where only a few SSO-enabled sites are involved, adding
them to Internet Explorer's Trusted sites zone is the narrower change.

On both Windows Server 2003 and 2008:

    Go to Internet Options, click the Advanced tab and, under the Browsing
    heading, select the Enable third-party browser extensions (requires
    restart) option.

On Windows Server 2003 only:

    Disable Microsoft's Internet Explorer Enhanced Security Configuration
    through the Control Panel using Add/Remove Windows Components.


On Windows Server 2008 only:

    From the Start menu, point to Server Manager, Security Information, and
    then click Configure IE ESC.

Enabling Applications Using a Predefined Application Definition

The following example demonstrates SSO-enabling a Windows application using
an ActivIdentity SecureLogin predefined application definition. This process
assumes you have an existing user account for the application.

1. Start your Windows application.
ActivIdentity SecureLogin automatically detects whether a predefined
application definition exists for that application. The ActivIdentity
SecureLogin page is displayed.

Notes
If a Windows application is already up and running before ActivIdentity
SecureLogin starts, the wizard proposes to enable the application, or directly
runs the script if the application is already defined.
Auto-detection applies only to logon forms. If you want to define other forms
(such as notifications or change password), you need to start the wizard
manually.
The resulting application definition can be edited or tested using the wizard
if you have been granted permissions.

Citrix Applications
The wizard cannot detect Citrix published applications. Run the application
on your workstation to create an application definition.

Either:

    Click Yes to have ActivIdentity SecureLogin automatically create an
    application definition using the default settings.
    An application definition is created to handle the user name and password
    fields and submit button automatically identified by the wizard.
    Follow the wizard instructions to enable the application for single
    sign-on. All the steps are pre-filled by the wizard's default selection
    and you can accept the definition as it is. If the dialog contains several
    controls that require your input, the wizard asks you to check the
    different steps to ensure that no action is forgotten in the definition.

    Click No, not this time to cancel the use of the wizard this time.


    The next time ActivIdentity SecureLogin detects the application logon
    dialog box, you are prompted again.

    Click No, never prompt me to single sign this screen to stop
    ActivIdentity SecureLogin prompting to enable this application again.

If you click Yes, the Enter your credentials dialog box is displayed.

2. In the Username field, enter your user name.
3. In the Password field, enter your password.
4. Click OK.
ActivIdentity SecureLogin saves your credentials and uses them to log on
to the application in the future.
5. To test that SSO-enabling your application has been successful, sign out
of the application and log on again.

Note for Users
System administrators may choose to restrict user access to the Application
Definition Wizard by setting the Wizard Mode preference. This guide generally
assumes you have full access, the default setting. However, you may only be
allowed to create new logons for new applications, or you may have no access.
See the ActivIdentity SecureLogin Single Sign-On Application Definition
Wizard Guide for more detail.

Enabling Applications (Windows/Java) and Web Sites Using the Application
Definition Wizard

In most instances the Application Definition Wizard will open automatically
when it detects a new logon screen, but you can also choose to create or
modify application definitions using the wizard to automate the handling of
notification screens, including prompts to change your password and error
messages.
You can learn more about using the Application Definition Wizard to create or
modify application definitions in the ActivIdentity SecureLogin Single Sign-On
Application Definition Wizard Guide.

Either:

    If the wizard is enabled, ActivIdentity SecureLogin will automatically
    prompt you to open the wizard when it detects a new logon screen.

        Click Yes to have ActivIdentity SecureLogin automatically create an
        application definition using the default settings.
        An application definition is created to handle the user name and
        password fields and submit button automatically identified by the
        wizard. When you have typed your logon credentials, click OK and
        ActivIdentity SecureLogin will store those credentials and
        automatically log on to that application when it is opened in the
        future.

        Click No, not at this time to cancel the use of the wizard this time.

        Click No, never prompt me to single sign this screen to stop
        ActivIdentity SecureLogin asking about this application again.

    Note
    ActivIdentity SecureLogin identifies the Java web page by its URL or web
    address. You can change the application description; however, it is
    important not to change the application name, as this uniquely identifies
    the web page.

    Note
    The resultant application definition can be edited or tested using the
    wizard if you have been granted permissions.

    Note
    This option may be disabled by your system administrators.

    If the prompt does not display, right-click the ActivIdentity SecureLogin
    icon in the Windows notification area and select New Application to
    create a new application definition.

        To choose the application, drag the Choose icon to the relevant logon
        window.

        If you have already created an application definition for this
        application but not for the form that you pointed to with the
        drag-and-choose arrow, ActivIdentity SecureLogin will ask whether you
        want to add this form to the existing definition.

        If you have already created an application definition for this
        application and this specific form, ActivIdentity SecureLogin will ask
        you whether you want to edit the existing definition. If you click
        Yes, the Application Definition Wizard will open the application
        definition. If you click No, ActivIdentity SecureLogin will proceed
        using the existing application definition.

    Right-click the ActivIdentity SecureLogin icon in the Windows
    notification area and select Open to modify an existing application
    definition. When the ActivIdentity SecureLogin Personal Management Utility
    opens:

        a. Select the application definition you want to edit from the list
           on the left.
        b. Select the Definition tab on the right.
        c. Click Edit Wizard or double-click the form you want to edit.

Realm Logon and Credential Sharing between Web Browsers

Microsoft Internet Explorer versions 6 and 7 and Mozilla Firefox version 2 and
later all support multiple credentials per domain by appending the credential
request name to the credential to make it unique, for example, the user name
and password for "IE Login - Normal" at http://actividentity.com.

Figure: Microsoft Internet Explorer Connect to <domain name> page.

Figure: Mozilla Firefox Authentication Required page.

Contact ActivIdentity Support for more information on realm logon and
credential sharing if required.

Enable a Java Application

ActivIdentity SecureLogin supports SSO access to Java applets and
applications implementing AWT and Swing Java GUI components, as well as
JavaScript. Both Java and JavaScript are included in the functionality labeled
Java throughout the ActivIdentity SecureLogin user interface. Java
applications are recognized and handled by the wizard like any other web or
Windows application.

Note
If the Java application support option is selected at installation,
ActivIdentity SecureLogin automatically detects whether Java is installed and
adds the required component if permissions are set (write access to the Java
directory).


Enable a Terminal Emulator Application

You can configure terminal emulators for ActivIdentity SecureLogin in the
application definition editor in the Administrative Management Utility and
Personal Management Utility, and in the Terminal Launcher tool.

Note
Instructions for enabling specific terminal emulators, documentation, and
assistance with customization are available from ActivIdentity Support.

To SSO-enable a terminal emulator, you must run TLaunch.exe, which you
configure in Terminal Launcher, and link to the configuration in an
application definition. For more information, see the ActivIdentity
SecureLogin Single Sign-On Application Definition Guide.
Terminal Launcher helps you configure terminal emulator applications for
ActivIdentity SecureLogin. Follow the steps below:
1. "Create and Save a Terminal Emulator Session File" on page 109.
2. "Build a Terminal Emulator Application Definition" on page 110.
3. "Run Terminal Launcher" on page 114.
4. "Create a Terminal Emulator Desktop Shortcut" on page 117.
5. "Set Terminal Launcher Command-line Parameters" on page 119.
The example application in the above steps is Eicon Aviva. Although these
procedures apply to most terminal emulators, the application definition and
other configuration information may differ for each emulator application.
Contact ActivIdentity Support for information.
Prior to SSO-enabling any terminal emulator, you must identify or create a
session file that includes all the required settings for the server connection
and any other parameters required for deployment to users. Terminal
Launcher is configured to run this session file when launching the emulator.
Any modifications to the session must be saved to this file. The session file
can be saved locally or on the server. Typically, the session file already
exists and you just need to configure Terminal Launcher to point to the
relevant file.

Create and Save a Terminal Emulator Session File

1. Start the terminal emulator application.
2. Connect to the required host.
3. Change the terminal emulator settings as required.
4. Save the session (default is usually the applications installation
directory).
5. On the Connection menu, click Disconnect.

The session file remains loaded but you have disconnected from the host.
6. On the File menu, click Save [session name] to save changes to the
session file.
7. Exit the terminal emulator application.

Build a Terminal Emulator Application Definition

Prerequisite: the Personal Management Utility is open. For more information,
see "ActivIdentity SecureLogin Personal Management Utility" on page 21.
In the following example, we are building a terminal emulator application
definition on the local workstation for Eicon Aviva. For more information
about application definitions, see the ActivIdentity SecureLogin Single
Sign-On Overview.
1. On the File menu, point to New, and then click Application.
The New Application dialog box is displayed.
2. Select Use SecureLogin script editor.


3. From the Type drop-down list, click Terminal Emulator.
4. Enter a name for the application definition.
5. If necessary, enter a description and click Yes to proceed with the
application definition creation.
The new application definition is added to the Applications pane.


6. Double-click the new application definition.
The Details tab is displayed.

7. Click the Definition tab.


The application definition editor is displayed.
8. Delete the placeholder text displayed in the text field:

# place your application definition here

Note
You must type the screen syntax accurately in the application definition
editor; otherwise it will fail to operate. Where possible, cut and paste the
text directly from the emulator screen into the editor.

9. In this example, for Eicon Aviva, type the following into the text field:

# Wait for the host banner, then press Enter (@E) to reach the logon prompt
WaitForText "WELCOME TO THE EICON TECHNOLOGY DATA CENTER"
Type @E
# $Username and $Password are the credentials stored for this definition
WaitForText "ENTER USERID -"
Type $Username
Type @E
WaitForText "Password ===>"
Type $Password
Type @E
# Step past the post-logon screens
WaitForText "Welcome to Eicon Technology"
WaitForText "***"
Delay 1000
Type @E

10. Click the Details tab and make sure the Enabled option is selected.
11. Click OK.


Run Terminal Launcher

Terminal applications require Terminal Launcher to execute for ActivIdentity
SecureLogin. After you create the application definition in the management
utility, you must configure it to start Terminal Launcher. A shortcut is created
to enable the user to run Terminal Launcher and the terminal emulator from
the desktop with ActivIdentity SecureLogin to the application or server.
1. On the Windows Start menu, point to Programs, point to SecureLogin,
and then click ActivIdentity Terminal Launcher.
The Terminal Launcher window is displayed.
2. In the Available applications list, click the required application definition
(in this example, Eicon Aviva).
3. Click Add to move the selected application to the Login to list.


4. Click Edit Available Emulators.
The Available Emulators dialog box is displayed.
5. In the Available Emulators list, click Eicon Aviva.
6. Click Edit.
The HLLAPI Emulator Configuration dialog box is displayed.


7. In the Emulator Path field, type the location of the emulator executable.
8. In the Home Directory field, type the emulator's home directory.
9. In the HLLAPI DLL field, type the file name and path. Because the logon
credentials are typed into the emulator through this HLLAPI session, point
this field at the emulator vendor's DLL in a location that standard users
cannot write to.
10. In the Session Files field, select and delete the current session files.
11. Click Add.
The Emulator Session File dialog box is displayed.
12. Click Browse to select the configured session file (for more information,
see "Create and Save a Terminal Emulator Session File" on page 109).
13. Click OK to close the Emulator Session File dialog box.
14. Click OK to close the HLLAPI Emulator Configuration dialog box.
15. Click Done to close the Available Emulators dialog box.
16. In the Terminal Launcher dialog box, ensure Eicon Aviva is selected in
the Emulator drop-down list.


17. Under Options, select the Save Settings On Exit option.
18. Click Close.
Stand-alone users or administrators can choose to start emulator applications
in Terminal Launcher; however, users may not have access to Terminal
Launcher. To simplify logon for users, a desktop shortcut is created.
Since Terminal Launcher must start before the terminal emulator application
to successfully SSO, the desktop shortcut includes the command to run
Terminal Launcher first and then the emulator application.

Note
Record the exact name given to the terminal emulator in the Terminal
Launcher dialog box, since it will be referred to in the desktop shortcut.

Create a Terminal Emulator Desktop Shortcut

1. On the Windows Start menu, point to Programs, point to ActivIdentity,
point to SecureLogin, and then click ActivIdentity Terminal Launcher.
The Terminal Launcher window is displayed.
2. Click Create Shortcut.
The Terminal Launcher Shortcut Options dialog box is displayed.


3. Under Location, select Desktop.
4. Under Options, select the appropriate options as required (Quiet mode
and Suppress errors are the default options).
5. In the Command Line field, ensure the following parameters are included
(in this example, /auto /e"Eicon Aviva" /pEicon Aviva /q /s):

TABLE 11.1: Terminal Launcher Command-line Options

/auto
    Indicates to Terminal Launcher that the following will be a parameter
    requesting the execution of a Terminal Launcher SSO-configured terminal
    emulator application.
    Note: This parameter is mandatory.

/e[emulator name]
    Initiates the execution of the terminal emulator.

/p[Terminal Launcher config name]
    Initiates execution of the application created in Terminal Launcher.

/q
    Quiet mode (no cancel dialog box).

/s
    Suppress errors.

6. Add any additional parameters as required (for more information, see "Set
Terminal Launcher Command-line Parameters" on page 119).
7. Click Create.


The shortcut is created on the desktop and you can deploy it to users in the
preferred mode for your organization.
8. Click Close to close the Terminal Launcher dialog box.
9. Double-click the shortcut.
The terminal emulator application is executed with Terminal Launcher and
the Enter your credentials dialog box is displayed.
10. In the Enter login credentials boxes, type your user name and
password.
11. Click OK.
ActivIdentity SecureLogin has stored the logon credentials and uses them to
log on to the application or server. Subsequently, double-clicking the desktop
shortcut logs the user directly on to the application or server.

Set Terminal Launcher Command-line Parameters

To run the required terminal emulator, Terminal Launcher command-line
parameters are included in the desktop shortcut command. For more
information, see "Create a Terminal Emulator Desktop Shortcut" on
page 117. The following table lists the parameters (also referred to as
switches) you can set in conjunction with commands.
TABLE 11.2: Terminal Launcher Command-line Parameters

/auto
    Indicates to Terminal Launcher that the following will be a parameter
    requesting the execution of a Terminal Launcher SSO-configured terminal
    emulator application.
    For example: C:\<....>\TLaunch.exe /auto /pApplication1
    Note: This parameter is mandatory.

/p[platform/application/application definition name]
    Runs the application definition as listed in the Terminal Launcher Login
    to list. To run multiple applications from the same command, add a
    further /p[TL application/Application Definition name] for each one. You
    can run up to 15 applications simultaneously from the shortcut command
    line.
    For example: C:\<....>\TLaunch.exe /auto /eEicon Aviva /pApplication1 /pApplication2
    Note: You must type the emulator name exactly as it appears in the
    Terminal Launcher Available Emulators drop-down list.

/b
    Specifies the background authentication mode.

/e[emulator name]
    Initiates the execution of the terminal emulator as listed in the
    Terminal Launcher Available Emulators drop-down list.
    Note: You must type the emulator name exactly as it appears in the
    Terminal Launcher Available Emulators drop-down list.

/h[hllapi short name]
    Commands TLaunch.exe to connect to the specified HLLAPI session.

/k[executable name]
    Quits (kills) the specified executable prior to launching the terminal
    emulator.

/m
    Enables multiple concurrent connections to specified sessions. This
    parameter is required for background authentication.

/n
    Starts the selected terminal emulator without executing an ActivIdentity
    SecureLogin application definition.
    For example: C:\<....>\TLaunch.exe /auto /n
    Note: This parameter does not function with VBA emulators.

/n[number 1-15]
    Starts the specified number of terminal emulator sessions without
    executing an ActivIdentity SecureLogin application definition.
    For example: C:\<....>\TLaunch.exe /auto /n3
    Note: This parameter does not function with VBA emulators.

/q
    Quiet mode (no cancel dialog box).
    For example: C:\<....>\TLaunch.exe /auto /q

/s
    Suppress errors.

/t
    Unlimited timeout during connection.
    For example: C:\<....>\TLaunch.exe /auto /eEicon Aviva /pBackground /b /t /m /hA /s /q
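The switch rules in Tables 11.1 and 11.2 can be checked mechanically before a shortcut is deployed to users. The following Python script is an added example for this guide, not ActivIdentity code: it parses a TLaunch.exe command line into its switches, reports the constraints the tables state (/auto mandatory, at most 15 /p entries, /b only together with /m, /n between 1 and 15) and builds a command line of the same shape as the shortcut example above. How TLaunch.exe itself tokenises its arguments is not documented here; the script assumes a value runs until the next switch, which is what the guide's unquoted /pEicon Aviva implies, and that a value may also be wrapped in double quotes as in /e"Eicon Aviva".

```python
"""Parse, validate and build Terminal Launcher (TLaunch.exe) command lines.

Added example for this guide, not ActivIdentity code. Only the rules stated in
Tables 11.1 and 11.2 are encoded. Assumptions: a switch value runs until the
next switch (so it may contain spaces) and may optionally be double-quoted.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

MAX_APPS = 15  # "You can run up to 15 applications simultaneously"


@dataclass
class TLaunchArgs:
    auto: bool = False
    emulator: Optional[str] = None             # /e
    apps: list = field(default_factory=list)   # /p, one entry per application
    hllapi_session: Optional[str] = None       # /h
    kill: Optional[str] = None                 # /k
    background: bool = False                   # /b
    multi: bool = False                        # /m
    no_script: Optional[int] = None            # /n -> 1, /n3 -> 3
    quiet: bool = False                        # /q
    suppress_errors: bool = False              # /s
    unlimited_timeout: bool = False            # /t


def _switch_tokens(cmdline: str) -> list:
    """Split at whitespace that precedes a '/', dropping the leading
    TLaunch.exe path (which does not start with '/')."""
    parts = re.split(r"\s+(?=/)", cmdline.strip())
    return parts[1:] if parts and not parts[0].startswith("/") else parts


def parse_tlaunch(cmdline: str) -> TLaunchArgs:
    args = TLaunchArgs()
    flags = {"b": "background", "m": "multi", "q": "quiet",
             "s": "suppress_errors", "t": "unlimited_timeout"}
    for tok in _switch_tokens(cmdline):
        if tok.lower() == "/auto":
            args.auto = True
            continue
        sw, val = tok[1:2].lower(), tok[2:].strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]                      # /e"Eicon Aviva" form
        if sw in "ehkp" and not val:
            raise ValueError(f"switch {tok!r} needs a value")
        if sw == "e":
            args.emulator = val
        elif sw == "p":
            args.apps.append(val)
        elif sw == "h":
            args.hllapi_session = val
        elif sw == "k":
            args.kill = val
        elif sw == "n":
            args.no_script = int(val) if val else 1
        elif sw in flags and not val:
            setattr(args, flags[sw], True)
        else:
            raise ValueError(f"unrecognised switch {tok!r}")
    return args


def validate(args: TLaunchArgs) -> list:
    """Return the problems a shortcut with these switches has, per the tables."""
    problems = []
    if not args.auto:
        problems.append("/auto is mandatory")
    if len(args.apps) > MAX_APPS:
        problems.append(f"{len(args.apps)} /p switches; at most {MAX_APPS} "
                        "applications can run from one command line")
    if args.background and not args.multi:
        problems.append("/b (background authentication) requires /m")
    if args.no_script is not None and not 1 <= args.no_script <= MAX_APPS:
        problems.append("/n takes a session count from 1 to 15")
    return problems


def build_tlaunch(exe: str, emulator: str, apps, *, background: bool = False,
                  hllapi_session: Optional[str] = None, quiet: bool = True,
                  suppress_errors: bool = True) -> str:
    """Build a shortcut command line; /m is added automatically with /b."""
    args = TLaunchArgs(auto=True, emulator=emulator, apps=list(apps),
                       hllapi_session=hllapi_session, background=background,
                       multi=background, quiet=quiet,
                       suppress_errors=suppress_errors)
    problems = validate(args)
    if problems:
        raise ValueError("; ".join(problems))
    parts = [f'"{exe}"' if " " in exe else exe, "/auto",
             f'/e"{emulator}"' if " " in emulator else f"/e{emulator}"]
    parts += [f"/p{app}" for app in apps]   # the guide writes /pEicon Aviva unquoted
    if background:
        parts += ["/b", "/m"]
    if hllapi_session:
        parts.append(f"/h{hllapi_session}")
    if quiet:
        parts.append("/q")
    if suppress_errors:
        parts.append("/s")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample lines: the guide's shortcut example and a broken one.
    for line in (r'C:\<....>\TLaunch.exe /auto /e"Eicon Aviva" /pEicon Aviva /q /s',
                 r"C:\<....>\TLaunch.exe /eEicon Aviva /pApplication1 /b"):
        print(line, "->", validate(parse_tlaunch(line)) or "OK")
```

Run the script directly to check the two sample lines; the second is rejected because it lacks /auto and uses /b without /m. Whether an emulator or application name actually exists in Terminal Launcher cannot be checked offline: the name must still match the Available Emulators and Login to lists exactly, as the tables require.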

MEDITECH Predefined Application Definition

ActivIdentity SecureLogin supports MEDITECH (versions 3 and 4) and is
dependent on the mandatory presence of the MEDITECH mrwscript.dll. The
.dll file is provided by MEDITECH and must be installed during the installation
of the MEDITECH application on the workstation.
Existing MEDITECH customers can obtain the mrwscript.dll file as part of
their MEDITECH support agreement.
When you SSO-enable MEDITECH using the predefined application definition,
ActivIdentity SecureLogin checks for the presence of mrwscript.dll and
displays a warning immediately if it cannot be located.

Applications that Cannot be Enabled

By default, ActivIdentity SecureLogin cannot single sign-on enable certain
applications. The applications that cannot be enabled include certain
installers, ActivIdentity SecureLogin dialogs and Windows system files.
Enabling these applications could affect your computer's performance or
create a security risk.
The list of excluded applications can be modified by creating an exclude.ini
file that you store in the ActivIdentity SecureLogin folder.
The default list of applications that cannot be enabled is:

_isdel.exe
aac_winsso.exe
ac.aac.run.exe
ac.sharedstore.exe
acachsrv.exe
acadvcfm.exe
acautoup.exe
accertutil.exe
accoca.exe
accomacomx.exe
accombsi21.exe
accomcsp.exe
accompiv.exe
accrdsub.exe
acdiagwz.exe
acevents.exe
acnstool.exe
acregcrt.exe
acsagent.exe
acsrcfg.exe
actsinit.exe
actswzdg.exe
acuscons.exe
adamconfig.exe
aicommapi.exe
aipinch.exe
aipinit.exe
ConsoleOne.exe
devenv.exe
loginw32.exe
loginw95.exe
MMC.exe
modutil.exe
MSDEV.exe
msiexec.exe
nswebsso.exe
Nwadmn32.exe
Nwadmn95.exe
Nwadmnnt.exe
NWTray.exe
ProtocomSysTray.exe
rdbgwiz.exe
scrnlock.scr
setup.exe
SLBroker.exe
SLBroker64.exe
SLLauncher.exe
sllock.scr
SLManager.exe
SLManager64.exe
SLProto.exe
SLProto64.exe
slwinsso.exe
slwinsso64.exe
tlaunch.exe
tlaunch64.exe

Note
If you include an application in exclude.ini that is already in the default
list, it has no effect; the application is still excluded.

To extend the list, create the file exclude.ini in the ActivIdentity SecureLogin
folder and list the other application executables that you do not want enabled:
testlogon.exe
trillian.exe
vmware.exe

To ignore the default list, use the command NoDefault in exclude.ini. Only the
applications you list will be excluded. For example, to disable enabling of the
application Trillian only, exclude.ini would read:
NoDefault
trillian.exe

Because NoDefault discards the default list, it also makes the installers,
ActivIdentity SecureLogin dialogs and Windows system files listed above
eligible for SSO-enabling again; use it only after reviewing that list.

To reverse the exclude list and use it to define the list of applications that can
be enabled, use the Include command. For example, to allow enabling of the
application Trillian only, exclude.ini would read:
Include
trillian.exe
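The three forms of exclude.ini shown above are easy to confuse, and the difference between extending the list, NoDefault and Include decides which executables the product will capture credentials for. The following Python class is an added example for this guide, not product code: it reads the body of an exclude.ini, answers whether a given executable may be SSO-enabled, and lists which of the default exclusions a given file would make enabled again. It assumes case-insensitive matching on the base file name (Windows behaviour), ignores blank lines, recognises the two keywords in any case, and lets Include govern if both keywords appear; DEFAULT_EXCLUDES holds only a subset of the default list above, chosen for the example.

```python
"""Evaluate an ActivIdentity SecureLogin exclude.ini against executable names.

Added example for this guide, not product code. Implements the three
behaviours the section describes: the default list extended by the file's
entries (listing a default again has no effect), NoDefault (only the listed
executables are excluded) and Include (the file becomes the list of
executables that may be enabled).
"""
from __future__ import annotations

import ntpath

# Subset of the guide's default exclusion list, constructed for the example.
DEFAULT_EXCLUDES = frozenset(name.lower() for name in (
    "_isdel.exe", "msiexec.exe", "setup.exe", "MMC.exe", "devenv.exe",
    "SLBroker.exe", "SLManager.exe", "SLProto.exe", "tlaunch.exe", "sllock.scr",
))


class ExclusionPolicy:
    """The SSO-enabling decision that one exclude.ini expresses."""

    def __init__(self, ini_text: str, defaults: frozenset = DEFAULT_EXCLUDES):
        self.defaults = defaults
        self.include_mode = False   # Include: file is an allow-list
        self.use_defaults = True    # NoDefault clears this
        listed = set()
        for raw in ini_text.splitlines():
            line = raw.strip()
            if not line:
                continue            # assumption: blank lines are ignored
            key = line.lower()      # assumption: keywords and names are case-insensitive
            if key == "nodefault":
                self.use_defaults = False
            elif key == "include":
                self.include_mode = True
            else:
                listed.add(key)
        self.listed = frozenset(listed)

    def can_enable(self, exe: str) -> bool:
        """True if SecureLogin may SSO-enable this executable under the policy."""
        name = ntpath.basename(exe).lower()   # assumption: matched by file name only
        if self.include_mode:
            return name in self.listed
        blocked = self.listed | (self.defaults if self.use_defaults else frozenset())
        return name not in blocked

    def reenabled_defaults(self) -> set:
        """Default exclusions this policy makes eligible for SSO-enabling again.
        Review these before deployment: the guide says enabling them could
        affect performance or create a security risk."""
        return {name for name in self.defaults if self.can_enable(name)}


if __name__ == "__main__":
    # The three sample files from this section, constructed inline.
    samples = {
        "extend": "testlogon.exe\ntrillian.exe\nvmware.exe\n",
        "nodefault": "NoDefault\ntrillian.exe\n",
        "include": "Include\ntrillian.exe\n",
    }
    for label, text in samples.items():
        policy = ExclusionPolicy(text)
        print(label, "trillian.exe:", policy.can_enable("trillian.exe"),
              "msiexec.exe:", policy.can_enable("msiexec.exe"),
              "re-enabled defaults:", sorted(policy.reenabled_defaults()))
```

reenabled_defaults() is the check to run on any exclude.ini that uses NoDefault: with the sample file it reports every default executable, which is exactly the situation the note about installers and system files warns about, while the Include form reports none because it only ever widens access to the names it lists.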

Managing Application Definitions

ActivIdentity SecureLogin is designed to handle different types of application
dialogs and messages. It first requires that the logon page of an application is
defined. From that point, all the messages and dialogs that relate to the
credentials defined in the logon form should be defined in the application
definition. This enables ActivIdentity SecureLogin to respond and adapt the
credentials according to the application requirements.
When building an ActivIdentity SecureLogin application definition for an
application, it is important to respond to any messages that the application
generates, such as logon notifications, change password prompts or change
password notifications. Actions for each of these messages should be included
in the application definition to ensure ActivIdentity SecureLogin responds
appropriately.


Chapter 12: Re-Authenticating Applications

Chapter Contents
    Using the Administrative Management Utility . . . 125
    Using the Application Definition Wizard . . . 126
    Using Scripting . . . 127
With ActivIdentity SecureLogin, a user normally runs an application and


ActivIdentity SecureLogin seamlessly retrieves the user's application
credentials (user name, password, database name) and authenticates in the
background so that the user is not prompted to enter a password. ActivIdentity
SecureLogin can also be configured to prompt the user for stronger
authentication to all or specific applications.
Individual applications can be re-authenticated against an advanced
authentication device where ActivIdentity SecureLogin is used in conjunction
with ActivIdentity SecureLogin re-authentication or third party compatible reauthentication module.
ActivIdentity SecureLogin can be configured to request application
re-authentication by using either the:

• Re-authentication option in the Application Definition Wizard logon form
settings (you can fully define either the synchronous or asynchronous
modes).
This option is only available with ActivIdentity SecureLogin re-authentication.
For further information, see the ActivIdentity SecureLogin Single Sign-On
Application Definition Wizard Guide.

• Re-authentication settings in the Administrative Management Utility.
This option is only available with ActivIdentity SecureLogin re-authentication.

• AAVerify command in an application definition.
This command can be configured to use either the ActivIdentity SecureLogin
re-authentication method or a third-party compatible module. See the
AAVerify command description in the ActivIdentity SecureLogin Single
Sign-On Application Definition Guide.

Administrators can configure which applications require re-authentication and
which do not. The application itself is not changed and no additional modules
are required on the application servers if the re-authentication is performed
against ActivIdentity SecureLogin methods.

Using the Administrative Management Utility


Note: This option is available only if the application was NOT defined
through the wizard.

To configure ActivIdentity SecureLogin to re-authenticate an application using
the ActivIdentity SecureLogin Administrative Management Utility, you can set
the re-authentication method for a user's individual applications using the
Settings preference for that application.

1. Open the Administrative Management Utility.
2. In the navigation tree, click Applications.
The Application pane is displayed.


3. Double-click the application that you want to use for re-authentication.
4. Click the Settings tab.
The Settings properties are displayed.
5. From the Prompt for device reauthentication for this application
drop-down list, click Yes.
6. From the Reauthentication Method drop-down list, select either
Password or Smartcard as the method.

Using the Application Definition Wizard


Re-authentication can be configured by the Application Definition Wizard
during creation of an application definition to handle a logon screen.

• If you select No, ActivIdentity SecureLogin will not re-authenticate users
before supplying credentials to the application or web page.

• If you select Yes. Enforce re-authentication before accessing this
application, you must specify which credentials ActivIdentity SecureLogin
should use to re-authenticate the user's identity.


You can select the method ActivIdentity SecureLogin should use to
re-authenticate from the drop-down list:

• Use same credentials as network logon

• Password
The network password. (Only available in Active Directory and ADAM
modes.)

• Smart card
A smart card that ActivIdentity SecureLogin checks as belonging to the
user after the PIN has been checked.

For further information, see the ActivIdentity SecureLogin Single Sign-On
Application Definition Wizard Guide.

Using Scripting
ActivIdentity offers some scripting capability to support re-authentication with
either password, smart card, or other third-party authentication method such
as biometrics. For further information, see the ActivIdentity SecureLogin
Single Sign-On Application Definition Guide.


Chapter 13: Adding Multiple Logons


Chapter Contents
Add Multiple Logons . . . 128

To begin, SSO-enable the application using any account.

Add Multiple Logons

To create additional logons, make a list of user names and passwords with a
name to uniquely identify the logon. The following is an example. When the
list is completed, SSO-enable the first logon in the list following the relevant
procedure.
TABLE 13.1: Multiple Logons

Name            User name   Password
Administrator   admin       123456
Support         help        abcdef
User            test1       xyz123

In this example, we have enabled the Yahoo! Mail account with the
ActivIdentity SecureLogin Application Definition Wizard.
1. SSO-enable the first account. For more information, see "About Enabling
Applications and Web Sites for ActivIdentity SecureLogin" on page 100 or
the ActivIdentity SecureLogin Single Sign-On Application Definition
Wizard Guide.
2. In the Windows notification area, right-click the ActivIdentity SecureLogin
icon, and then click Open.
The Personal Management Utility is displayed.
3. In the navigation tree, under either Applications or My Logins,
double-click the existing definition.


4. In the Application pane, under Credentials, click New and select Login.
Alternatively, in the Login pane, click New.
5. Right-click the new login and select Rename Login.

6. Modify the login name and click OK.


7. Enter the username and password for the additional login and click
Apply.
8. Click OK to close the Personal Management Utility.
9. Start the application (in this example, the Yahoo Mail web site).
The [application] login selection dialog box is displayed.


10. Select the required credential set and click OK.
ActivIdentity SecureLogin enters the credentials, and you are
automatically logged on to the application.


Chapter 14: Distributing Configurations


Chapter Contents
About Distributing Configurations . . . 132
Distribute Configurations Within Directory Domains . . . 132
Create an Active Directory Group Policy . . . 138
Configuring Roaming Profiles with ActivIdentity SecureLogin . . . 147

About Distributing Configurations


ActivIdentity SecureLogin preferences, application definitions, password rules
and credentials are collectively the ActivIdentity SecureLogin configured user
environment. You can deploy and maintain this environment at all object
levels, including by file import, backup of stand-alone users, and through
group policies in Active Directory networks.
An ActivIdentity SecureLogin environment that is configured at the container,
organizational unit, or group policy level is inherited by all associated directory
objects in the hierarchy.
ActivIdentity recommends that you first SSO-enable applications locally in a
test user account, then copy to the container, organizational unit, or group
policy for mass deployment. This applies to all ActivIdentity SecureLogin
configurations including password policies and preferences. Lower-level
settings that you manually configure always override higher-level settings;
therefore, configuration at the user object level overrides all higher-level
configuration settings. You can manually disable inheritance by setting Stop
walking here to Yes in the Preferences properties.
For more information about configuring ActivIdentity SecureLogin for
deployment to specific directories, refer to the ActivIdentity SecureLogin
installation guide for your directory environment.

Distribute Configurations Within Directory Domains


There are two options for distributing an SSO-configured environment within a
domain:

• Corporate redirection. Specifies the object from which the selected
object will inherit its ActivIdentity SecureLogin configuration settings.
These settings are redirected and inherited by the object. For more
information, see "Set Corporate Redirection" on page 133.

• Copy ActivIdentity SecureLogin configuration. This option replicates
and stores the ActivIdentity SecureLogin environment from one directory
object to another. For more information, see "Copy a Configuration Across
Organizational Units" on page 135.


Choose the appropriate option based on the additional information in the
following table.
TABLE 14.1: ActivIdentity SecureLogin Configuration Options

If...
• Multiple containers or organizational units require the same ActivIdentity
SecureLogin environment, and you want to manage configuration from one
directory object, or
• Inheritance from a higher level than the object selected for Corporate
redirection is not required, or
• The containers or OUs are on the same directory tree.
Note: ActivIdentity does not recommend using Corporate redirection across a
LAN or WAN.
Then... Click Corporate redirection.

If you want to:
• Distribute configurations within the same domain across a LAN or WAN.
• Quickly replicate a complete SecureLogin configuration environment from
one object to another in the directory.
Note: Do not use XML files to distribute ActivIdentity SecureLogin
configuration data.
Then... Click Copy SecureLogin configuration.

Set Corporate Redirection


Prerequisite: Active Directory Users and Computers snap-in is open.
Corporate redirection functionality bypasses native directory inheritance by
specifying, in the Corporate redirection tab of the Advanced Settings pane,
the object from which the object will inherit its ActivIdentity SecureLogin
configuration. Although inheritance is redirected to a specific object, such as a
container or organizational unit, local user object settings continue to override
the inherited settings.
Note: Corporate redirection cannot be applied to a group object because
groups are not part of the hierarchy but linked to it.

The Corporate redirection preference can only be configured to redirect to a
specific organizational unit or container:

• When set on a user, the user does not inherit any ActivIdentity
SecureLogin preferences from their nominal hierarchy but from the other
organizational unit or container.

• When applied to an organizational unit or container, any user in that
object does not inherit ActivIdentity SecureLogin preferences from its
container settings but from the other organizational unit or container.

To get the correct inheritance, users must be granted the correct rights to
inherit from the other object.
The inheritance process stops at the redirected container. There is no
inheritance from the redirected object's hierarchy.


In the following example, the Finance organizational unit is redirected to
inherit the ActivIdentity SecureLogin configuration from the Development
organizational unit.
1. In the navigation tree, right-click the appropriate container or
organizational unit and then click Properties.
The Properties dialog box is displayed.
2. Click the ActivIdentity SecureLogin tab.
3. Click Manage.
The Administrative Management Utility is displayed.
4. In the navigation tree, click Advanced Settings.
The Advanced Settings pane is displayed.
5. Click the Corporate redirection tab and in the Corporate redirection
field, type the full distinguished name of the object, in this example, the
Development organizational unit: (ou=development,dc=training7,dc=com).

6. Press the Enter key.

Important: To uniquely identify the container or organizational unit, the
full distinguished name is required.

7. In the navigation tree, click Applications to view the application
definitions inherited from the object, and then click Preferences to view
inherited preferences (in this example, inherited from the Development
organizational unit).
8. Click OK.

Note: You can delete Corporate redirection at any time by clicking Remove.

Important: Ensure you do not overwrite administrator settings when
distributing ActivIdentity SecureLogin configuration environments. For
example, if you set the preference Allow users to view and change settings
to No and then copy this as part of an ActivIdentity SecureLogin environment
to the container or organizational unit, including the Administrator user
object, the administrator cannot view or change ActivIdentity SecureLogin
settings since they reside in that organizational unit. To prevent this from
happening, ActivIdentity recommends that all administrator user objects are
located in a separate organizational unit, and administrator preferences are
manually configured.

Stop Walking Here


The Stop walking here preference can be applied to a user, container, or
organizational unit in the domain tree. Once the Stop walking here
preference is set and encountered while collecting the inherited preferences
for a specific user, the tree analysis process stops.
If the Stop walking here preference is set on a user object, then all the
ActivIdentity SecureLogin settings are the settings defined on the user object
only.
Stop walking here cannot be applied to a group. This setting is not read when
defined on a group, as groups are not part of the hierarchy tree but linked
to it.

Copy a Configuration Across Organizational Units


Prerequisite: Active Directory Users and Computers snap-in is open.
You can copy an object's ActivIdentity SecureLogin configuration to another
object from the Distribution pane in the Administrative Management Utility.
This functionality replicates the ActivIdentity SecureLogin configuration
internally in the same directory tree.
In the following example, the Development organizational unit ActivIdentity
SecureLogin environment is copied to the Finance organizational unit.
1. In the navigation tree, right-click the appropriate container/organizational
unit (in this example, the Development organizational unit), and then
click Properties.
The Development Properties dialog box is displayed.

2. Click the ActivIdentity SecureLogin tab.


3. Click Manage.
The Administrative Management Utility is displayed.
4. In the navigation tree, click Distribution.
The Distribution pane is displayed.

5. Click Copy.
The Copy dialog box is displayed.


6. Under Select Single Sign-on Configuration, select or clear the
appropriate options (in this example, all the options are selected except
for Passphrase Question).
The following table describes each option.
TABLE 14.2: Single Sign-on Configuration Options

Configuration         Function
Applications          Copies/exports/imports all configured application definitions, as displayed in the Applications pane.
Credentials           Copies/exports/imports all credentials as displayed in the Logins pane, excluding passwords for copy settings and unencrypted export/import.
Password Policies     Copies/exports/imports password policies as displayed in the Password Policies properties.
Preferences           Copies/exports/imports all preferences manually set in the Preferences pane.
Passphrase Question   Provides users with a selection of passphrase questions. This option copies/exports/imports only the passphrase question the user has responded to.

7. In the Destination Object drop-down list, click the name of the object or
type the full distinguished name in the field (in this example, the Finance
organizational unit).
8. Click OK.
If a predefined application or an application definition currently exists in
the destination object, a confirmation message is displayed. It confirms or
rejects the overwriting of the imported data. For more information on
predefined applications, see the ActivIdentity SecureLogin Single Sign-On
Overview.
9. Click Yes or No as required.
The selected ActivIdentity SecureLogin configuration is copied across to
the destination user object, organizational unit or container. A
confirmation message appears, advising what information has been
loaded to the destination object.
10. Click OK.

Create an Active Directory Group Policy


Group Policy Object Support
Prerequisites:

• ActivIdentity SecureLogin was installed with support for group policies.
See the ActivIdentity SecureLogin Single Sign-On Installation and
Deployment Guide for Microsoft Active Directory.

• Active Directory Users and Computers snap-in or Group Policy
Management Console is open.

Administrators can manage ActivIdentity SecureLogin users in Active
Directory at the container (CN), organizational unit (OU), and user object
levels using Group Policy Object (GPO) support.
Group Policy Object support is useful for organizations with flat directory
structures (few organizational units with many users in each), where a more
granular approach is required when applying settings, policies and application
definitions for users, such as when applying a group policy for a global
marketing group in a worldwide organization. Several group policies can be
defined and applied to any user, group or container at the directory level.
These different policies then apply to a specific user object, container or
organizational unit through the inheritance process.

Group Policy Update Interval


In order to limit network traffic during Group Policy Object synchronization,
ActivIdentity SecureLogin leverages an existing Microsoft Windows feature to
specify that policy settings are only updated when the Group Policy Object
changes.
The NoGPOListChanges key is set to 1 under the ActivIdentity SecureLogin GP
extension in the Windows registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{2893059c-1175-11d9-8088-00e018f97d4d}


For more information on Microsoft Windows group policy configuration
policies go to:
http://www.microsoft.com/windows/windows2000/en/advanced/help/ComputerADM.htm
For information on the Registry NoGPOListChanges setting go to:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93807.mspx?mfr=true

Group Policy Management Console Support


In ActivIdentity SecureLogin, an administrator has the ability to see the set of
ActivIdentity SecureLogin policy settings that apply to a particular user object
when multiple ActivIdentity SecureLogin group policies, organizational unit, or
user object settings are applied via Microsoft's Group Policy Management
Console (GPMC), which now includes support for Resultant Set of Policy
(RSoP).

Important: Group policy functionality is enabled during the installation of
ActivIdentity SecureLogin in Microsoft Active Directory mode. For more
information, see the ActivIdentity SecureLogin Single Sign-On Installation and
Deployment Guide for Microsoft Active Directory.

Definition of a Group Policy Object

For more information about Group Policy Objects (GPOs), go to:
http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx
Policy settings are stored in Group Policy Objects (GPOs). Settings for each
GPO can be edited using the GPO Editor from within Microsoft's Group Policy
Management Console (GPMC).
When an administrator defines an ActivIdentity SecureLogin GPO, they can
now use the GPMC to add this group policy or edit and configure the
SecureLogin settings.

Install the GPMC Snap-in

Note: The GPMC snap-in must be available on the workstation where the
administrator is required to see the resultant set of policies.

Note: After installation, the Group Policy tab that previously appeared on
the Property pages of sites, domains, and organizational units (OUs) in the
Active Directory snap-in is updated to provide a direct link to GPMC. The
functionality that existed on the original Group Policy tab is no longer
available because all functionality for managing group policy is available
through the GPMC snap-in.

• For Windows XP and Windows Server 2003, ActivIdentity recommends
using Microsoft's Group Policy Management Console (GPMC) snap-in for
managing core aspects of group policy across enterprises.
For existing Windows XP and Windows Server users, the GPMC installer
package (gpmc.msi) can be downloaded from:
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
Run the gpmc.msi installer package to install the GPMC snap-in.

• For Windows Vista SP1 or SP2, install the Microsoft Remote Server
Administration Tools snap-in. It can be downloaded from:
For 32-bit platforms:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en
For 64-bit platforms:
http://www.microsoft.com/downloads/details.aspx?FamilyID=D647A60B-63FD-4AC5-9243-BD3C497D2BC5&displaylang=en
It is installed by default on Windows Vista without a service pack.
To make it accessible, customize the System Administration Tools to
display the Remote Server Administration Tools.

• For Windows 7, install the Remote Server Administration Tools snap-in. It
can be downloaded (both 32-bit and 64-bit versions) from:
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en#filelist
To make it accessible, customize the System Administration Tools to
display the Remote Server Administration Tools.

• For Windows Server 2008, install the Group Policy Management snap-in
from the Administrative Tools in Server Manager.
Alternatively, if your server is running the Active Directory Domain
Services (AD DS) role, the Group Policy Management snap-in is installed
by default.

Managing GPOs via the GPMC


To open the GPMC snap-in, use one of the following methods:

• Click Start, point to All Programs, point to Administrative Tools, and then
click Active Directory Users and Computers.
The Active Directory Users and Computers page is displayed.
a. In the navigation tree, right-click the appropriate organizational unit (in
this example, the EMEA organizational unit), and then click
Properties.
The properties page is displayed.


b. Click the Group Policy tab.


c. Click Open.

• Click Start, point to Administrative Tools, and then click Group Policy
Management.

• Click Start, click Run.
The Run dialog box is displayed.
a. At Open, type mmc and click OK.
The Management Console is displayed.


b. Click File, then Add/Remove Snap-in.
c. Click Add.


d. Select Group Policy Management and click Add, and then Close.


e. Click OK.
The Group Policy Management page is displayed.


Note: The first time GPMC is started it loads the forest and domain
containing the user object logged on to the computer. Administrators can
then specify which forests and domains to display. When the GPMC is closed
it automatically saves the last view and returns to that view the next time a
user opens the console.

Resultant Set of Policy (RSoP) Settings


Resultant set of policy (RSoP) is a feature of group policy that makes the
implementation, troubleshooting, and planning of group policies easier and
allows administrators to plan how group policy changes may affect a targeted
user or remotely verify the policies currently in effect for a specific user.
When multiple Group Policy Objects (GPOs) apply to a given user, the
policies may contain conflicting settings. For most policy settings, the final
value is set only by the highest-precedence GPO that contains that setting.
RSoP assists directory administrators to understand and identify the final set
of policies that are applied, as well as settings that did not apply as a result of
policy inheritance.
An administrator can see the final ActivIdentity SecureLogin settings that
apply to a user when they start ActivIdentity SecureLogin. Administrators
have the ability to:

• Retrieve the policy applied to the User object in MMC.

• Retrieve the policy applied to the User object in SLManager.

• Retrieve from which policy the setting is inherited.

Retrieving a Policy Applied to the User Object in GPMC

Because GPOs are defined by the administrator at the directory level,
changes can now be seen immediately at the user, container, or
organizational unit level, depending on the level where the group policies and
ActivIdentity SecureLogin preferences have been applied.


Retrieving Policy Precedence and Rules


Note: The retrieval of all ActivIdentity SecureLogin configuration
information is subject to both ActivIdentity SecureLogin and native directory
access controls. In the unlikely circumstance that the user has rights to read
a GPO but the administrator does not, this system will display incorrect RSoP
information. This is because the administrator cannot access the same
information as the user, and any mechanism for allowing this would introduce
a security problem. In this specific circumstance, if ActivIdentity SecureLogin
has no way to retrieve the exact policy applied to the user object, then the
message RSoP not available is displayed at the bottom-left of the
Administration Management console.

The resulting settings follow the inheritance and precedence rules already
defined:

• Check of the Stop walking here preference.

• Check of the Corporate redirection setting.

• Check of the GPO settings and their priorities.

• Check of the directory hierarchy settings.

The precedence rules are respected and follow the rules already defined:

• The deepest object in the tree has precedence over any higher-level
object.

• The group policies have lower precedence than all User and OU objects.

As a consequence of all these processes, the administrator is now able to see
the resultant set of the policies in the user object either through MMC or
SLManager.
The resultant set of the policies is displayed in the bottom-left corner of the
SecureLogin Administration Management Console and shows from which
group policy the current setting has been inherited.
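The following added example (not ActivIdentity code) models the inheritance walk and precedence rules described above, together with the Corporate redirection and Stop walking here behaviour from the Set Corporate Redirection section, on a constructed directory in which Finance is redirected to Development. The object names and preference values are constructed, and ordering GPOs linked to the same object by a priority number is an assumption of the model.

```python
"""Model of ActivIdentity SecureLogin preference inheritance (added example, not product code).

Implements the rules the guide states: the tree is walked from the user object upwards,
"Stop walking here" ends the walk, "Corporate redirection" replaces the rest of the
nominal hierarchy with one target container (and nothing above it), the deepest object
wins, and group policies rank below every user, OU and container setting.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class GroupPolicy:
    name: str
    priority: int  # assumption: among GPOs linked to one object, the lower number wins
    prefs: Dict[str, str]


@dataclass
class DirObject:
    dn: str
    parent: Optional["DirObject"] = None
    prefs: Dict[str, str] = field(default_factory=dict)  # set directly on this object
    stop_walking_here: bool = False
    corporate_redirection: Optional["DirObject"] = None  # target OU or container
    gpos: List[GroupPolicy] = field(default_factory=list)  # GPOs linked here


def inheritance_chain(obj: DirObject) -> List[DirObject]:
    """Objects consulted when collecting preferences for obj, deepest first."""
    chain: List[DirObject] = []
    node: Optional[DirObject] = obj
    while node is not None:
        chain.append(node)
        if node.stop_walking_here:
            break  # tree analysis stops at this object
        if node.corporate_redirection is not None:
            # Inheritance is redirected to the target; the target's own hierarchy
            # is not walked, so nothing above it can contribute.
            chain.append(node.corporate_redirection)
            break
        node = node.parent
    return chain


def resolve(obj: DirObject, pref: str) -> Optional[Tuple[str, str]]:
    """Return (value, source) for one preference, or None when nothing sets it."""
    chain = inheritance_chain(obj)
    # Settings placed directly on a user, OU or container: the deepest object wins.
    for node in chain:
        if pref in node.prefs:
            return node.prefs[pref], node.dn
    # Group policies rank below every object setting. A GPO linked deeper in the
    # chain beats one linked higher up; link priority decides ties (assumption).
    linked = [(depth, gpo.priority, gpo)
              for depth, node in enumerate(chain) for gpo in node.gpos]
    for _, _, gpo in sorted(linked, key=lambda t: (t[0], t[1])):
        if pref in gpo.prefs:
            return gpo.prefs[pref], f"GPO {gpo.name}"
    return None


def rsop(obj: DirObject) -> Dict[str, Optional[Tuple[str, str]]]:
    """Resultant set of policy: every preference reachable from obj, with its source."""
    names = set()
    for node in inheritance_chain(obj):
        names.update(node.prefs)
        for gpo in node.gpos:
            names.update(gpo.prefs)
    return {name: resolve(obj, name) for name in sorted(names)}


def build_sample_tree() -> Dict[str, DirObject]:
    """Constructed directory: Finance is redirected to Development, as in the guide."""
    base = "dc=training7,dc=com"
    domain = DirObject(base, prefs={"Allow users to view and change settings": "Yes"},
                       gpos=[GroupPolicy("SSO baseline", 1,
                                         {"Password policy": "corp-8char",
                                          "Enable single sign-on": "Yes"}),
                             GroupPolicy("Legacy SSO", 2,
                                         {"Password policy": "legacy-6char",
                                          "Enable single sign-on": "No"})])
    development = DirObject(f"ou=development,{base}", domain,
                            prefs={"Allow users to view and change settings": "No"},
                            gpos=[GroupPolicy("Dev policy", 1,
                                              {"Password policy": "dev-12char"})])
    finance = DirObject(f"ou=finance,{base}", domain,
                        corporate_redirection=development)
    alice = DirObject(f"cn=alice,ou=finance,{base}", finance,
                      prefs={"Prompt for device reauthentication": "Yes"})
    bob = DirObject(f"cn=bob,ou=development,{base}", development,
                    prefs={"Password policy": "bob-own"}, stop_walking_here=True)
    carol = DirObject(f"cn=carol,ou=development,{base}", development)
    return {"domain": domain, "development": development, "finance": finance,
            "alice": alice, "bob": bob, "carol": carol}


if __name__ == "__main__":
    tree = build_sample_tree()
    for who in ("alice", "bob", "carol"):
        print(tree[who].dn)
        for name, result in rsop(tree[who]).items():
            print(f"  {name}: {result}")
```

Running it shows that alice, in the redirected Finance OU, never sees the domain's "Yes" or the domain-linked GPOs, while bob's Stop walking here leaves him with only his own setting.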

Retrieving a Policy Applied to the User Object in SLManager


Because GPOs are defined by the administrator at the directory level, any
changes can now be seen immediately at the user, container, or
organizational unit level, depending on the levels where the group policy and
ActivIdentity SecureLogin preferences have been applied.

Configuring Roaming Profiles with ActivIdentity SecureLogin

Enterprises often create roaming profiles for specific groups of users as
defined by their organizational function or role, for example, field engineers
connecting from remote locations or accounting staff who work at different
sites.
Configuring ActivIdentity SecureLogin for use with a roaming profile requires
additional support for successful deployment. Administrators should contact
ActivIdentity Support for assistance.


Chapter 15: Exporting and Importing Configurations

Chapter Contents
About Exporting and Importing Configurations . . . 148
Export XML Settings . . . 148
Import XML Settings . . . 152
Create a Signing Key for Secure File Distribution . . . 155
Install a Digital Signing Key Locally . . . 158

About Exporting and Importing Configurations


ActivIdentity SecureLogin provides a range of options for backing up and
distributing any or all components of the ActivIdentity SecureLogin
configuration environment, including backing up and restoring the local
configuration on the workstation.
The export and import functionality creates an XML file, internal or external to
the directory. You can distribute and back up this file across directory types,
servers, domains, containers, group policies, organizational objects, and user
objects.
You can also encrypt and password-protect or digitally sign the exported file to
ensure the information is secure. Alternatively an unencrypted file can be
created for unrestricted distribution.
You can export or import the following XML file types:

• Unencrypted.

• Encrypted and password-protected.

• Digitally signed and encrypted. (For stand-alone mode. This type of file is
useful for users who do not regularly connect to the corporate directory.
The XML file can be distributed via email or downloaded from a web site.)

From the Distribution pane, you can:

• Export XML settings (see page 148)

• Import XML settings (see page 152)

• Create a signing key for secure file distribution (see page 155)

• Install a digital signing key locally (see page 158)

Export XML Settings


In the following example, ActivIdentity SecureLogin settings are exported from
the Finance organizational unit and imported to the Development
organizational unit.
1. Navigate the Administrative Management Utility directory tree to the
Finance organizational unit and open its ActivIdentity SecureLogin
properties.
2. In the navigation tree, click Distribution.
The Distribution pane is displayed.


3. Click Save.
The Save dialog box is displayed.


4. Select or clear the appropriate check boxes. The following table describes
each option.
TABLE 15.1: Save ActivIdentity SecureLogin Data Configuration Options

Configuration         Function
Applications          Copies/exports/imports all configured application definitions, as displayed in the Applications pane.
Credentials           Copies/exports/imports all credentials as displayed in the Logins pane, excluding passwords for copy settings and unencrypted export/import.
Password Policies     Copies/exports/imports password policies as displayed in the Password Policies properties.
Preferences           Copies/exports/imports all preferences manually set in the Preferences properties.
Passphrase Question   Provides users with a selection of passphrase questions. This option copies/exports/imports only the passphrase question the user has responded to.


5. Under Select File Protection, select either:

   Not encrypted.

   Password protected and encrypted, and then enter and confirm a password in the relevant fields. The password must be at least eight characters.

Important
Credentials cannot be saved to an unencrypted XML file. If you are saving credentials, you must select either the Password-protected and encrypted or Digitally signed and encrypted option for file protection.

6. Click OK.
The Select applications to export page is displayed.

7. From the Applications List, expand the nodes and select the individual
applications to export and move to the Applications to export list using
the right arrow. If a node is selected, then all applications under that node
are selected.
8. Click OK.
The Save file as dialog box is displayed.
9. Select the file location.
10. In the File name field, enter a file name.
11. Click Save.
The following confirmation message appears listing ActivIdentity
SecureLogin data saved to the XML file.


The file is exported as either an:

Unencrypted XML document (.xml).

Encrypted XML document (.esx).

12. Click OK.

Import XML Settings


In the following example, the Finance organizational unit settings are
imported to the Development organizational unit.
1. Navigate the Administrative Management Utility directory tree to the
Development organizational unit and open its ActivIdentity SecureLogin
properties.
2. In the navigation tree, click Distribution.
The Distribution pane is displayed.


3. Click Load.
The Load dialog box is displayed.


4. Select or clear the appropriate options. The following table describes each option.

TABLE 15.2: Load ActivIdentity SecureLogin Data Configuration Options

Applications
    Copies/exports/imports all configured application definitions, as displayed in the Applications pane.

Credentials
    Copies/exports/imports all credentials as displayed in the Logins pane, excluding passwords for copy settings and unencrypted export/import.

Password Policies
    Copies/exports/imports password policies as displayed in the Password Policies properties.

Preferences
    Copies/exports/imports all preferences manually set in the Preferences properties.

Passphrase Question
    Provides users with a selection of passphrase questions. This option copies/exports/imports only the passphrase question the user has responded to.

5. Click OK.
The Open file to load dialog box is displayed.
6. Select the exported XML file (in this example, finance.esx on the
Desktop).
7. Click Open.
If the file is encrypted, the Password dialog box is displayed.
8. Enter the password and click OK.
If a predefined application or an application definition currently exists in
the destination object that is also contained in the import file, a
confirmation prompt is displayed.


Click either:

Yes if you are sure that the imported application definition is preferred over the application definition currently stored, as the application definition cannot be retrieved.

No to prohibit importing of the application definition and to retain the application definition currently stored in the user cache.

The selected ActivIdentity SecureLogin configuration is copied across to the destination user object, organizational unit, or container.
A confirmation message is displayed stating the information that has been loaded to the destination object.

9. Click OK.

Create a Signing Key for Secure File Distribution

Note
When a digital signing key is created, the key pair is randomly generated by ActivIdentity SecureLogin to increase security.

After you have configured and tested an ActivIdentity SecureLogin user environment, you can create a digital signing key which will be embedded in the distribution file (.msi file). Then you can distribute the file as a web download or email attachment. When users receive the file, they double-click it to load the configuration to their local workstation. This will update their:

Preferences

Application definitions

Password rules

Credentials

This is collectively known as the ActivIdentity SecureLogin configured user environment and is designed for users who use ActivIdentity SecureLogin in stand-alone mode (such as mobile or remote users) and those who infrequently connect to the corporate network.


1. In the Administrative Management Utility navigation tree, click Distribution.
2. Click Save.
The Save dialog box is displayed.

3. Select or clear the required options.
4. Under Select File Protection, select Digitally signed and encrypted.
5. Select or clear the Administrative data will overwrite users data without notification option as required.

Important
Selecting Administrative data will overwrite users data without notification results in user data being overwritten with settings saved in the .msi file for any items which are present in both the user's local configuration and the administrative configuration (.msi file).
For example, if a user has a locally configured Yahoo! Mail application definition and a Yahoo! Mail application definition is supplied in the .msi file, the .msi file application definition will overwrite the user's without notification. If the user has a locally configured application definition, and there is no matching application definition in the .msi file, the user's application definition remains unchanged.
Clearing the option results in users being prompted by ActivIdentity SecureLogin before any data is overwritten with settings saved in the .msi file. Users can then choose to accept the administrative configuration or retain their existing settings.
6. Click Manage Keys.
The Manage signing keys for secure file distribution dialog box is
displayed.


7. In the Generate Digital Signing Key field, enter a name.
8. Click Create.
9. In the Key List field, select the newly created key.
10. Under Install, click Install package.
The Load Settings dialog box is displayed.


11. Locate the distribution file (.msi file) in which you want to embed the key.
12. Click Open.
The key is embedded in the .msi file and a confirmation message appears.
13. Click OK.
You can now distribute and install the .msi file on the users' machines. This allows them to import files that are signed and encrypted.

Note
Once keys have been created, they must not be deleted, as they are randomly generated. The key used must correspond to the key that has been previously packaged with the distributed installer.

Install a Digital Signing Key Locally


The Manage signing keys for secure file distribution dialog box provides a
tool to install a digital signing key locally, enabling loading of XML files
generated using this key.
1. In the Administrative Management Utility navigation tree, click
Distribution.
2. Click Manage Keys.
The Manage signing keys for secure file distribution dialog box is
displayed.


3. In the Key List field, select the new key.


4. Under Install, click Install locally.
A confirmation message is displayed.

5. Click OK.


Chapter 16: Using the SLAP Tool

Chapter Contents
About the SecureLogin Attribute Provisioning Tool (page 160)
SLAP Syntax (page 161)

About the SecureLogin Attribute Provisioning Tool

The ActivIdentity SecureLogin Attribute Provisioning (SLAP) tool allows ActivIdentity SecureLogin to leverage user data from an organization's provisioning system. You can use SLAP to import data in XML format from third-party applications into the ActivIdentity SecureLogin user's data store, as well as export information (except users' passphrases and application passwords).
Data that can be manipulated includes:

User variables

Application definitions

Organizational settings

Password policies

Logons

Passphrase questions and answers

The slaptool command operates as a provisioning tool between ActivIdentity SecureLogin data in a directory and in an XML file. The XML schema used is the same as the Copy Settings GUI importer/exporter. In addition to Copy Settings, the SLAP tool can extract user names. The SLAP tool cannot export sensitive data such as passphrases and passwords.
For example, an organization with 10,000 users in a SAP system implementing ActivIdentity SecureLogin can speed deployment significantly by automating the initial user logon with the SLAP tool. You can take a file containing multiple users' user name and password combinations from SAP, and import the file into the ActivIdentity SecureLogin data store as a bulk process using the SLAP tool. The SLAP tool removes the requirement for each user to enter credentials on first logon to ActivIdentity SecureLogin.

Notes
The SLAP Tool is located in the ActivIdentity SecureLogin installation folder.
When the SLAP tool is used for initial provisioning of ActivIdentity SecureLogin user accounts, before any ActivIdentity SecureLogin data has been stored for users, the XML file must include a passphrase question and response. This question and answer can be the same for each user and changed by the user after deployment.

If the SLAP tool is used to import data into ActivIdentity SecureLogin from
either an encrypted or an unencrypted file, and any preferences are set that
require the ActivIdentity SecureLogin version 6.0 data store format, then the
datastore version must be specified in the file. Preferences that require the
version 6.0 format are:

EncryptionType

NRKeySource

UseEnhancedProtectionByDefault

The datastore version is set as:

<preference>
<name>AppliedSSODataStoreVersion</name>
<value>600000</value>
<isdatastore/>
</preference>

If the value of this preference is not set to 6, 6.0 or 600000 then an error message is returned from the SLAP tool: "Cannot import version 6.0 datastore preferences into a lower versioned datastore."

SLAP Syntax

slaptool [-hlaspcPef] -r object_name_file | -o "object" [file ...]

The following table describes the command options.

TABLE 16.1: SLAP Tool Command Options

-h
    Displays help message and exit (all other options are ignored).

-l
    Excludes user IDs.

-v
    Excludes variables (passwords will not be exported in current version).

-a
    Excludes applications.

-s
    Excludes settings.

-p
    Excludes password policies.

-c
    Excludes credential sets.

-P
    Excludes passphrase (affects import only).

-e
    Performs export rather than import.

-r object_name_file
    Specifies a file containing line-delimited object names on which to perform the operation.

-o object
    Specifies a particular object on which to operate.

-f
    Uses the cache file, rather than accessing a directory (cannot be used with -r or -o, and ActivIdentity SecureLogin must be set to use Dummy mode; the user will be selected interactively at run time).

[file...]
    Specifies one or more XML files from which to read data (or to write to in the case of exporting). No file specification reads/writes data from/to stdin/stdout.
    For example:

        ./slaptool.exe -o "CN=bernie.O=actividentity.T=DEVTEST" initial_setup.xml

    This reads user IDs, applications, settings and password policies from the file initial_setup.xml and writes them out to the object CN=bernie.O=actividentity.T=DEVTEST.

-k [password]
    Enables the creation of a passphrase answer for individual users in LDAP and Microsoft Active Directory environments.
    It is mandatory for users to save a passphrase answer on first logon to ActivIdentity SecureLogin. The SLAP tool requires password authorization to save user data. The -k switch provides the user password, enabling automated creation of the passphrase answer. This answer can be manually changed by users after provisioning.
    For example, the following command is used to import user data and a passphrase question/response combination:

        slaptool.exe -k password -o context filename.xml

SLAP Tool Example


The following Perl script, created for the example organization discussed
previously, assumes user names and passwords are stored in a text file
named listofnames.txt. There is one space between each user name and
password pair per line.
An XML file (see the following example) is required to run this script,
containing the data for import. Where the data is customized on an individual
user name basis, the string to be substituted is replaced with
*usernamegoeshere*.
For example:

Note
The example Perl script does not include error handling.

******************************************************
use strict;
use warnings;

# Read "user password" pairs, one pair per line, from listofnames.txt
open(my $names, '<', 'listofnames.txt');
while (my $line = <$names>) {
    chomp $line;                                  # Clean string
    next if $line =~ /^\s*$/;                     # Skip blank lines
    my ($name, $pass) = split(/\s/, $line, 2);    # Split up string: name, then password

    # Write a data file specific to this user from the source.xml template
    open(my $datafile, '<', 'source.xml');
    open(my $outfile,  '>', 'data.xml');
    while (my $row = <$datafile>) {
        $row =~ s/\*usernamegoeshere\*/$name/g;
        $row =~ s/\*passwordgoeshere\*/$pass/g;
        # Any other variable substitution can be done here
        print $outfile $row;
    }
    close $datafile;
    close $outfile;

    # Import this user's file; the list form of system passes the password
    # as a single argument without shell quoting
    system('slaptool.exe', '-k', $pass, '-o', "CN=$name.O=myorg.T=OURCOMPANY", 'data.xml');
}
close $names;
unlink 'data.xml';
****************************************************

Using an XML file called source.xml, run the script with the data that is to be
imported. For example, you can manually export data from a single user
setup with the value for the user name replaced with the string
"*usernamegoeshere*".

XML File Example


<?xml version="1.0"?>
<SecureLogin>
<passphrasequestions>
<question>Please enter a passphrase for SLAP testing.</question>
</passphrasequestions>
<passphrase>
<activequestion>Please enter a passphrase for SLAP testing.</activequestion>
<answer>passphrase</answer>
</passphrase>
<logins>
<login>
<name>ford</name>
<symbol>
<name>username</name>
<value>bob</value>
</symbol>
<symbol>
<name>Password</name>
<value>test</value>
</symbol>
</login>
<login>
<name>notepad.exe</name>
<symbol>
<name>username</name>
<value>asdf</value>
</symbol>
<symbol>
<name>Password</name>
<value>test</value>
</symbol>
</login>
<login>
<name>testlogin</name>
<symbol>
<name>username</name>
<value>ActivIdentity</value>
</symbol>
<symbol>
<name>Password</name>
<value>test</value>
</symbol>
</login>
</logins>
</SecureLogin>
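The Perl script above substitutes the user name and password into source.xml with a plain regular expression, and the SLAP tool rejects a file that lacks a passphrase question/answer or, when a version 6.0 preference is present, the AppliedSSODataStoreVersion preference. The following Python script is an added example, not code from the guide or from the product: it performs the same per-user generation in an XML-aware way (so a password containing & or < is escaped rather than corrupting the file), checks both conditions the guide states before slaptool would be called, and builds the slaptool command as an argument vector. The <preferences> wrapper element, the placeholder preference value and the constructed listofnames.txt content are assumptions.

```python
"""Pre-flight checks and per-user file generation for slaptool imports.

Added example, not the ActivIdentity guide's code. It mirrors the guide's Perl
script (placeholder substitution in source.xml, one slaptool call per user)
but keeps the output well-formed XML and refuses files slaptool would reject.
"""
import copy
import xml.etree.ElementTree as ET

USERNAME_PLACEHOLDER = "*usernamegoeshere*"
PASSWORD_PLACEHOLDER = "*passwordgoeshere*"
# Preferences the guide lists as requiring the version 6.0 datastore format.
V6_PREFERENCES = {"EncryptionType", "NRKeySource", "UseEnhancedProtectionByDefault"}
V6_VERSION_VALUES = {"6", "6.0", "600000"}

# Constructed source.xml, modelled on the guide's XML File Example, with one
# version 6.0 preference added (EXAMPLE_VALUE is a placeholder, not a real value).
# The <preferences> wrapper element is an assumption; the guide shows only <preference>.
SOURCE_XML = """<?xml version="1.0"?>
<SecureLogin>
  <preferences>
    <preference><name>EncryptionType</name><value>EXAMPLE_VALUE</value></preference>
  </preferences>
  <passphrasequestions>
    <question>Please enter a passphrase for SLAP testing.</question>
  </passphrasequestions>
  <passphrase>
    <activequestion>Please enter a passphrase for SLAP testing.</activequestion>
    <answer>passphrase</answer>
  </passphrase>
  <logins>
    <login>
      <name>notepad.exe</name>
      <symbol><name>username</name><value>*usernamegoeshere*</value></symbol>
      <symbol><name>Password</name><value>*passwordgoeshere*</value></symbol>
    </login>
  </logins>
</SecureLogin>
"""


def load_source(xml_text):
    """Parse the template file into an element tree root."""
    return ET.fromstring(xml_text)


def preflight_errors(root):
    """Return the conditions, stated in the guide, under which slaptool rejects the file."""
    errors = []
    if not (root.findtext("passphrase/activequestion") and root.findtext("passphrase/answer")):
        errors.append("initial provisioning needs a passphrase question and answer")
    prefs = {p.findtext("name"): p.findtext("value") for p in root.iter("preference")}
    needs_v6 = sorted(V6_PREFERENCES.intersection(prefs))
    if needs_v6 and prefs.get("AppliedSSODataStoreVersion") not in V6_VERSION_VALUES:
        errors.append("%s require AppliedSSODataStoreVersion of 6, 6.0 or 600000 "
                      "(slaptool otherwise reports: Cannot import version 6.0 "
                      "datastore preferences into a lower versioned datastore)"
                      % ", ".join(needs_v6))
    return errors


def add_datastore_version(root, value="600000"):
    """Insert the datastore version preference in the form the guide shows."""
    prefs = root.find("preferences")
    if prefs is None:
        prefs = ET.SubElement(root, "preferences")
    pref = ET.SubElement(prefs, "preference")
    ET.SubElement(pref, "name").text = "AppliedSSODataStoreVersion"
    ET.SubElement(pref, "value").text = value
    ET.SubElement(pref, "isdatastore")
    return root


def render_user_file(root, username, password):
    """Copy the tree, replace placeholders in text nodes; serialisation escapes & < >."""
    tree = copy.deepcopy(root)
    for elem in tree.iter():
        if elem.text and "*" in elem.text:
            elem.text = (elem.text.replace(USERNAME_PLACEHOLDER, username)
                                  .replace(PASSWORD_PLACEHOLDER, password))
    return '<?xml version="1.0"?>\n' + ET.tostring(tree, encoding="unicode")


def slaptool_argv(username, password, xml_path, org="myorg", tree="OURCOMPANY"):
    """The guide's slaptool call as an argv list (run with subprocess, no shell)."""
    return ["slaptool.exe", "-k", password, "-o",
            "CN=%s.O=%s.T=%s" % (username, org, tree), xml_path]


def provision_plan(root, listofnames_text):
    """One (user, argv, xml) triple per 'name password' line of listofnames.txt."""
    errors = preflight_errors(root)
    if errors:
        raise ValueError("; ".join(errors))
    plan = []
    for line in listofnames_text.splitlines():
        if " " not in line.strip():
            continue                      # blank or malformed line
        name, password = line.strip().split(" ", 1)
        plan.append((name, slaptool_argv(name, password, "data.xml"),
                     render_user_file(root, name, password)))
    return plan


def symbol_values(xml_text, login_name):
    """Read a login's symbol name/value pairs back from a generated file."""
    root = ET.fromstring(xml_text)
    for login in root.iter("login"):
        if login.findtext("name") == login_name:
            return {s.findtext("name"): s.findtext("value") for s in login.iter("symbol")}
    return {}
```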


Chapter 17: Managing the Workstation Cache

Chapter Contents
About the Workstation Cache (page 165)
Create a Backup File (page 166)
Delete the Local Workstation Cache (page 167)
Restore the Local Cache Backup File (page 168)

About the Workstation Cache


The ActivIdentity SecureLogin cache is an encrypted local copy of SSO-enabled data. It allows users who are not connected to the network (or working offline using a laptop) to continue to use ActivIdentity SecureLogin even if the directory becomes unavailable.
User data includes credentials, preferences, policies, and ActivIdentity SecureLogin application definitions. By default, a cache file is created on the workstation as part of ActivIdentity SecureLogin installation. The cache file stores user data locally and is synchronized regularly with the user's data in the directory. You can set this in the Administrative Management Utility. You can also disable cache synchronization, storing all user data in the directory.
Depending on the type of installation, the cache is stored under either <file path to ActivIdentity SecureLogin>\Cache, for example:
C:\Program Files\ActivIdentity\SecureLogin\Cache

Or in the user's profile, for example:

On Windows XP:
C:\Documents and Settings\<Username>\Application
Data\SecureLogin\Cache

On Windows Vista:
C:\Users\<Username>\AppData\Roaming\SecureLogin\Cache

Note
The default ActivIdentity SecureLogin cache refresh interval is five minutes. You can change this in the Preferences General properties.

Directory and workstation caches are synchronized regularly, by default every five minutes, and whenever the user logs off or on to the workstation. When changes are made, either by the user on the workstation or the administrator in the directory, ActivIdentity SecureLogin user data is compared and updated during synchronization. Any settings configured by the user on the local workstation take precedence over those made in the directory.
If you require full administrative control of a user's ActivIdentity SecureLogin environment, you can disable the user's access to administration tools through the settings in the Preferences properties. This prohibits users from overriding your changes while configuring changes on the workstation.
Since ActivIdentity SecureLogin data is stored in the directory, existing directory backups also back up ActivIdentity SecureLogin data. In addition, the local cache synchronizes with the directory for further redundancy of data.
Backup or restore using the ActivIdentity SecureLogin menu options is typically performed by users who have been disconnected from the network for long periods of time, such as weeks or months.
Using workstation backup or restore, users can securely back up their ActivIdentity SecureLogin cache in stand-alone or directory deployments. All user data, including passwords and passphrases, is saved in a password-protected encrypted XML file.

Note
The General preference Allow users to backup/restore must be set to Yes. For further information, see "General Preferences" on page 37.

Create a Backup File

1. In the Windows notification area, right-click the ActivIdentity SecureLogin icon, point to Advanced, and then click Backup User Information.
The Save As dialog box is displayed.


2. Select a folder to store the backup file. The file can be stored in any
location.
3. In the File name field, type a name for the backup file.
4. Click Save.
The Password dialog box is displayed.

5. In the Password fields, type a password and confirm the password.
6. Click OK.
ActivIdentity SecureLogin checks the password for errors:

If the password length is less than 8 characters, the following Error message is displayed.

If the confirmation password is inconsistent, the following Error message is displayed.

The following confirmation message is displayed listing and confirming the ActivIdentity SecureLogin data that has been saved to a password-protected backup file.

7. Click OK.

Delete the Local Workstation Cache


Before restoring the backup file, you must delete the cache file on the workstation and, in directory environments, delete the user object data in the directory (see "Changing the Directory Datastore" on page 29). This is important in cases of data corruption locally or in the directory.
For more information about the ActivIdentity SecureLogin cache file, see the ActivIdentity SecureLogin Single Sign-On Overview.

Note
Be sure you have selected Show hidden files and folders in the Windows Folder Options dialog box.

1. Right-click the Windows Start button and then click Explore.
2. Browse to the user's cache directory as described on page 165.
3. Delete the cache directory.
4. Close Windows Explorer.


Restore the Local Cache Backup File


1. In the Windows notification area, right-click the SecureLogin icon, point to Advanced, and then click Restore User Information.
The Open dialog box is displayed.
2. Select the backup file and click Open.
The Password dialog box is displayed.
3. Type the Password.
4. Click OK.
If the password is incorrect the following Error message is displayed. Click OK and retype the correct password.
ActivIdentity SecureLogin processes the file to restore the user's data. If one or more applications are already defined, a series of messages are displayed. Click Yes to overwrite the workstation cache or click No.
At the completion of the restoration process the following message is displayed. It confirms cache data has been loaded to the local workstation cache.
5. Click OK.


Chapter 18: Auditing

Chapter Contents
About Windows Event Log Alerts (page 170)
Default ActivIdentity SecureLogin Event Log Alerts (page 170)
Create a Windows Event Log Alert (page 171)

ActivIdentity SecureLogin provides monitoring functionality with Windows event logging. Event alerts are activated through ActivIdentity SecureLogin application definitions. An understanding of application definitions is useful to enable event monitoring.
For additional information about auditing Windows Events or log files, contact
ActivIdentity Customer Support.

About Windows Event Log Alerts


Windows event log application, logevent.exe, is activated through the Run
command in an application definition.
Windows event logging from ActivIdentity SecureLogin requires that the
Windows Event Log system is active on the computer receiving the alerts,
along with the executable logevent.exe on each audited client workstation to
generate the alerts.

Note
Logevent.exe is included in the
Windows 2000 Resource Kit.
Microsoft licensing regulations
apply.

For more information about the use and configuration of logevent.exe, go to:
http://support.microsoft.com

Default ActivIdentity SecureLogin Event Log Alerts


ActivIdentity SecureLogin can be configured to log some events to the
Windows Event log.
To do so, set the Enable logging to Windows Event log preference to Yes.

The following events are then audited and tracked in the Windows Event log:

SecureLogin client started

SecureLogin client shutdown


SecureLogin client activated by user

SecureLogin client deactivated by user

Password provided to an application script

Password changed by the user in response to a Change password command

Password changed automatically in response to a Change password command

Application script executed AuditEvent command

For further information about the AuditEvent command, see the ActivIdentity
SecureLogin Single Sign-On Application Definition Guide.

Create a Windows Event Log Alert


In addition to the AuditEvent command, you may create customized events in
the Windows Event log.
The following procedure uses the Windows Notepad application as an
example.
1. In the Windows notification area, double-click the ActivIdentity SecureLogin icon to open the Personal Management Utility.
2. In the navigation tree, click Applications.
3. On the right, double-click the application description (in this example, Untitled - Notepad).
The Application pane is displayed.


4. Click the Definition tab.


The application definition editor is displayed.

Note
Details of the command parameters
and event IDs are available on the
Microsoft web site.

The command syntax to run logevent.exe is:

logevent -m \\computername -s severity -c categorynumber -r source -e eventID -t timeout "event text"

5. After EndDialog, type the LogEvent command for the required alert. For example:

Run "C:\Program Files\Resource Kit\LogEvent.exe" -m SecureLogin -s W -e 99 "Notepad has started"

This command requests an alert be sent to the console with a severity level of W (warning) and event ID number 99.
6. Click OK to close the Personal Management Utility.
7. Start Notepad.
The alert is sent to the Windows Event Log system.


Chapter 19: Getting Help

Chapter Contents
Search the ActivIdentity Knowledge Base (page 174)
Additional Documentation (page 174)
Contact ActivIdentity Support (page 174)

If you have trouble with any aspect of ActivIdentity SecureLogin you have several options for help.

Search the ActivIdentity Knowledge Base


The ActivIdentity Knowledge Base provides detailed instructions for resolving
issues that may arise in specific environments. It is constantly updated with
new information and is a valuable resource. Contact ActivIdentity Customer
Support to obtain access to the knowledge base.

Additional Documentation
Additional documents such as instructional guides and terminal emulation
configuration guides are available on request.

Contact ActivIdentity Support


If your question requires one-on-one help from an expert, ActivIdentity
Support is available to help.
For contact details, go to http://www.actividentity.com/support/contact/.


Appendix A: Deployment Fact Sheet

Appendix Contents
Who is Affected by this Deployment? (page 175)
Deployment Date (page 175)
What is ActivIdentity SecureLogin? (page 175)
How will ActivIdentity SecureLogin Benefit You? (page 175)
Which Applications will be SSO-enabled? (page 175)
What do You Need to Do? (page 175)
Further Information (page 176)

Use this deployment fact sheet as the basis for creating your own information document for users.

Who is Affected by this Deployment?

List the users or groups affected by the deployment. If it will be a phased roll out, list who will be affected in date order.

Deployment Date

The ActivIdentity SecureLogin software will be deployed to your computer when you next log on after <date>.

What is ActivIdentity SecureLogin?


ActivIdentity SecureLogin is password management software that stores your
logons so that you need to remember only one user name and password
combination to access all systems that previously required different user
names and passwords. This is called single sign-on (SSO).

How will ActivIdentity SecureLogin Benefit You?


ActivIdentity SecureLogin will save you time by reducing the number of
applications you need to spend time logging on to. As you have less to
remember, you will not need to contact the help desk as often for assistance
with logging on, which saves both you and the help desk time.

Which Applications will be SSO-enabled?

<List SSO-enabled applications>

<Application 1>

<Application 2>

<Application 3>

<Application 4>

What do You Need to Do?


The ActivIdentity SecureLogin software will be installed on your workstation
by <an administrator? or downloaded automatically?> on the deployment date
specified above.
1. Switch on or restart your computer
2. Log on to the network as usual.
The Passphrase Setup dialog box is displayed.
Passphrases are used to uniquely identify you when confirming a
password change.


3. Select a passphrase from the drop-down list or enter a question. <Or type in a passphrase question?>
4. Type in a response to the passphrase question that is easy for you to
remember.
5. Open <Application 1>.
The Enter Your User ID Information dialog box is displayed.
6. In the Username field, type your user name or logon ID.
7. In the Password field, type your password.
Repeat for each of your SSO-enabled applications. ActivIdentity SecureLogin
will store your logon details so that the next time you start these applications,
ActivIdentity SecureLogin will enter your details on your behalf. Additional
applications will be SSO-enabled in the future.
You will be kept informed regarding any ActivIdentity SecureLogin news
through email or newsletter.

Further Information
If you require any further information, see the company intranet:
<http://intranet.company.com/secureloginhelp>
or contact <IT Support> on <123456>.


Appendix B: Schema Updates

Appendix Contents
Schema Attributes (page 177)
Active Directory/ADAM/ADLDS Environments (page 177)
LDAP Environments (page 180)
Security Rights Assignments (page 181)

Schema Attributes
ActivIdentity SecureLogin adds six schema attributes to the directory. The
attributes are added during installation using the appropriate schema
extension tool, depending on your choice of directory for ActivIdentity
SecureLogin data storage.

In Active Directory environments, use adsschema.exe.

In ADAM/ADLDS environments, use AdamConfig.exe.

In LDAP environments, use LDAPSchema.exe.

Note: Each tool is available for both 32-bit and 64-bit platforms.
If you are upgrading from an ActivIdentity SecureLogin version older than 3.5, you need to extend your schemas.
These attributes are required for the encryption and storage of ActivIdentity SecureLogin data against directory objects such as user objects and organizational units. The following descriptions include the type of data stored for each attribute and the security rights required to save the data for the ActivIdentity SecureLogin client.
Before installing ActivIdentity SecureLogin, you need to extend the directory schema. This process is described in:

ActivIdentity SecureLogin Single Sign-On Installation and Deployment Guide for Microsoft Active Directory

ActivIdentity SecureLogin Single Sign-On Installation and Deployment Guide for Citrix and Terminal Services

ActivIdentity SecureLogin Single Sign-On Installation and Deployment Guide for Microsoft Active Directory Application Mode (ADAM)

ActivIdentity SecureLogin Single Sign-On Installation and Deployment Guide for Lightweight Directory Access Protocol (LDAP)

Active Directory/ADAM/ADLDS Environments

Protocom-SSO-Auth-Data
This attribute contains all user-specific authentication data, such as the
passphrase.

TABLE B.1: Protocom-SSO-Auth-Data Attributes
Attribute name       Protocom-SSO-Auth-Data
Classes assigned to  User
Syntax               Octet string
Optional flags       Synchronize
X.500 OID            1.2.840.113556.1.8000.60.2

Protocom-SSO-Entries
This attribute contains the following:

• All the user's logon credentials, including passwords.
• Specific preferences and application definitions at the user object.
• Corporate application definitions and preferences at the container and
  organizational unit objects.

TABLE B.2: Protocom-SSO-Entries Attributes
Attribute name       Protocom-SSO-Entries
Classes assigned to  Container, Organizational unit, User
Syntax               Octet string
Optional flags       Synchronize
X.500 OID            1.2.840.113556.1.8000.60.1

Protocom-SSO-Entries-Checksum
This attribute stores a checksum so that the ActivIdentity SecureLogin client
can easily determine whether a complete reload of ActivIdentity SecureLogin
adapter information is required.

TABLE B.3: Protocom-SSO-Entries-Checksum Attributes
Attribute name       Protocom-SSO-Entries-Checksum
Classes assigned to  Container, Organizational unit, User
Syntax               Octet string
Optional flags       Synchronize
X.500 OID            1.2.840.113556.1.8000.60.5


Protocom-SSO-Profile
This attribute stores the address of the organizational unit to be redirected to.

TABLE B.4: Protocom-SSO-Profile Attributes
Attribute name       Protocom-SSO-Profile
Classes assigned to  Container, Organizational unit, User
Syntax               Distinguished name
Optional flags       Synchronize
X.500 OID            1.2.840.113556.1.8000.60.7

Protocom-SSO-Security-Prefs
This attribute stores the data required for advanced passphrase policies. This
data includes administrator-set passphrase questions, passphrase help
information, and settings.

TABLE B.5: Protocom-SSO-Security-Prefs Attributes
Attribute name       Protocom-SSO-Security-Prefs
Classes assigned to  Container, Organizational unit, User
Syntax               Octet string
Optional flags       Synchronize
X.500 OID            1.2.840.113556.1.8000.60.3

Protocom-SSO-Security-Prefs-Checksum
A checksum used to optimize reading of the security preferences attribute.

TABLE B.6: Protocom-SSO-Security-Prefs-Checksum Attributes
Attribute name       Protocom-SSO-Security-Prefs-Checksum
Classes assigned to  Container, Organizational unit, User
Syntax               Octet string
Optional flags       Synchronize
X.500 OID            1.2.840.113556.1.8000.60.6


LDAP Environments

Protocom-SSO-Auth-Data
This attribute contains all user-specific authentication data, such as the
passphrase.

TABLE B.7: Protocom-SSO-Auth-Data Attributes
Attribute name       Protocom-SSO-Auth-Data
Classes assigned to  User
OID                  2.16.840.1.113719.2.26.4.1.1

Protocom-SSO-Entries
This attribute contains the following:

• All the user's logon credentials, including passwords.
• Specific preferences and application definitions at the user object.
• Corporate application definitions and preferences at the container and
  organizational unit objects.

TABLE B.8: Protocom-SSO-Entries Attributes
Attribute name       Protocom-SSO-Entries
Classes assigned to  Container, Organizational unit, User
OID                  2.16.840.1.113719.2.26.4.2.1

Protocom-SSO-Entries-Checksum
This attribute stores a checksum so that the ActivIdentity SecureLogin client
can easily determine whether a complete reload of ActivIdentity SecureLogin
adapter information is required.

TABLE B.9: Protocom-SSO-Entries-Checksum Attributes
Attribute name       Protocom-SSO-Entries-Checksum
Classes assigned to  Container, Organizational unit, User
OID                  2.16.840.1.113719.2.26.4.5.1


Protocom-SSO-Profile
This attribute stores the address of the organizational unit to be redirected to.

TABLE B.10: Protocom-SSO-Profile Attributes
Attribute name       Protocom-SSO-Profile
Classes assigned to  Container, Organizational unit, User
OID                  2.16.840.1.113719.2.26.4.17.1

Protocom-SSO-Security-Prefs
This attribute stores the data required for advanced passphrase policies. This
data includes administrator-set passphrase questions, passphrase help
information, and settings.

TABLE B.11: Protocom-SSO-Security-Prefs Attributes
Attribute name       Protocom-SSO-Security-Prefs
Classes assigned to  Container, Organizational unit, User
OID                  2.16.840.1.113719.2.26.4.4.1

Protocom-SSO-Security-Prefs-Checksum
A checksum used to optimize reading of the security preferences attribute.

TABLE B.12: Protocom-SSO-Security-Prefs-Checksum Attributes
Attribute name       Protocom-SSO-Security-Prefs-Checksum
Classes assigned to  Container, Organizational unit, User
OID                  2.16.840.1.113719.2.26.4.6.1

Security Rights Assignments

User-based Attributes
The directory user objects for people using the ActivIdentity SecureLogin
software require the following attribute rights against their own objects.

TABLE B.13: User-based Attributes
Attribute name                        Rights required
Protocom-SSO-Auth-Data                Read/Write
Protocom-SSO-Entries                  Read/Write
Protocom-SSO-Entries-Checksum         Read/Write
Protocom-SSO-Profile                  Read/Write
Protocom-SSO-Security-Prefs           Read/Write
Protocom-SSO-Security-Prefs-Checksum  Read/Write

Container-based Attributes
In addition, users require the following directory attribute rights against all
container objects.

TABLE B.14: Directory Attributes
Attribute name                        Rights required
Protocom-SSO-Entries                  Read
Protocom-SSO-Entries-Checksum         Read
Protocom-SSO-Profile                  Read
Protocom-SSO-Security-Prefs           Read
Protocom-SSO-Security-Prefs-Checksum  Read
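As an added example (not part of this guide and not ActivIdentity's own tooling), the following PowerShell verifies that the six attributes above are present in an Active Directory schema, locating them by the X.500 OIDs given in Tables B.1 to B.6, and then lists which identities hold write access to those attributes on a container, where Table B.14 calls for Read only. It assumes the RSAT ActiveDirectory module on a domain-joined host; the container DN is a placeholder.

```powershell
# Added example (not from the ActivIdentity guide): check that the six
# SecureLogin schema attributes from Tables B.1-B.6 exist in Active Directory,
# found by their documented X.500 OIDs, then list who holds WriteProperty on
# them at a container, where Table B.14 says users should hold Read only.
# Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# Attribute name -> X.500 OID, as documented for AD/ADAM/ADLDS environments.
$Expected = @{
    'Protocom-SSO-Auth-Data'               = '1.2.840.113556.1.8000.60.2'
    'Protocom-SSO-Entries'                 = '1.2.840.113556.1.8000.60.1'
    'Protocom-SSO-Entries-Checksum'        = '1.2.840.113556.1.8000.60.5'
    'Protocom-SSO-Profile'                 = '1.2.840.113556.1.8000.60.7'
    'Protocom-SSO-Security-Prefs'          = '1.2.840.113556.1.8000.60.3'
    'Protocom-SSO-Security-Prefs-Checksum' = '1.2.840.113556.1.8000.60.6'
}

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$Found = @{}   # attribute name -> schemaIDGUID, used to match ACEs below
foreach ($name in $Expected.Keys) {
    $oid  = $Expected[$name]
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(attributeID=$oid))" `
        -Properties lDAPDisplayName, schemaIDGUID
    if ($null -eq $attr) {
        Write-Warning "$name ($oid) not found: schema has not been extended"
        continue
    }
    $Found[$name] = [guid]$attr.schemaIDGUID
    Write-Output "OK    $name (lDAPDisplayName: $($attr.lDAPDisplayName))"
}

# Container to audit. Placeholder DN: replace with a real OU or container.
$ContainerDN = 'OU=PLACEHOLDER,DC=example,DC=com'
$acl = Get-Acl -Path "AD:\$ContainerDN"
$writeBit = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
foreach ($name in $Found.Keys) {
    $guid = $Found[$name]
    # An ACE covers this attribute if its ObjectType is the attribute's
    # schemaIDGUID or the empty GUID (all properties). GenericWrite and
    # GenericAll both include the WriteProperty bit, so one mask test suffices.
    $writers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty) -and
        (([int]$_.ActiveDirectoryRights -band $writeBit) -ne 0)
    }
    foreach ($ace in $writers) {
        Write-Output "WRITE $name at $ContainerDN : $($ace.IdentityReference)"
    }
}
```

Administrative groups are expected in the WRITE output; any end-user principal or broad group such as Authenticated Users appearing there exceeds the Read-only rights the table specifies and deserves review.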


Legal Disclaimer

Americas       +1 510.574.0100
US Federal     +1 571.522.1000
Europe         +33 (0) 1.42.04.84.00
Asia Pacific   +61 (0) 2.6208.4888
Email          info@actividentity.com
Web            www.actividentity.com

Trademarks: ActivIdentity, ActivIdentity (logo), and/or other ActivIdentity products or marks
referenced herein are either registered trademarks or trademarks of ActivIdentity in the United
States and/or other countries. The absence of a mark, product, service name or logo from this
list does not constitute a waiver of the ActivIdentity trademark or other intellectual property
rights concerning that name or logo. The names of actual companies, trademarks, trade
names, service marks, images and/or products mentioned herein may be the trademarks of
their respective owners. Any rights not expressly granted herein are reserved.
