Digital Persona Pro Enterprise 5 Administrator Guide 20140421

Download as pdf or txt
Download as pdf or txt
You are on page 1of 296

DigitalPersona

Pro Enterprise
Version 5
Administrator Guide
1996-2014 DigitalPersona, Inc. All Rights Reserved.
All intellectual property rights in the DigitalPersona software, firmware, hardware and documentation
included with or described in this guide are owned by DigitalPersona or its suppliers and are protected by
United States copyright laws, other applicable copyright laws, and international treaty provisions.
DigitalPersona and its suppliers retain all rights not expressly granted.
U.are.U and DigitalPersona are trademarks of DigitalPersona, Inc. registered in the United States and
other countries. Windows, Windows Server 2003/2008, Windows 8, WIndows 7, Windows Vista and
Windows XP are registered trademarks of Microsoft Corporation. All other trademarks are the property of
their respective owners.
This DigitalPersona Pro Enterprise Administrator Guide and the software it describes are furnished under
license as set forth in the License Agreement screen that is shown during the installation process.
Except as permitted by such license, no part of this document may be reproduced, stored, transmitted and
translated, in any form and by any means, without the prior written consent of DigitalPersona. The
contents of this manual are furnished for informational use only and are subject to change without notice.
Any mention of third-party companies and products is for demonstration purposes only and constitutes
neither an endorsement nor a recommendation. DigitalPersona assumes no responsibility with regard to the
performance or use of these third-party products.
DigitalPersona makes every effort to ensure the accuracy of its documentation and assumes no
responsibility or liability for any errors or inaccuracies that may appear in it.
Feedback
Although the information in this guide has been thoroughly reviewed and tested, we welcome your
feedback on any errors, omissions, or suggestions for future improvements. You can contact us at
[email protected]
or DigitalPersona, Inc.
720 Bay Road
Suite 100
Redwood City, CA 94063
USA
Published: 4/21/2014 (v 5.5.1)
DigitalPersona Pro Enterprise - Administrator Guide
iii
Table of Contents
1 Solution Overview 10
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Server components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Compatible workstation clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
DigitalPersona Pro Workstation for Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
DigitalPersona Pro Kiosk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Client user interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Authentication and Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Security applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Password Manager Admin Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Licensing model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Support Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Changes from previous version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Section One: Installation
2 Pro Server Installation 22
Deployment Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Upgrading from Previous Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Extending the Active Directory Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Configure each domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Install DigitalPersona Pro Enterprise Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Configuring DigitalPersona Pro Server for Pro Kiosk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Changes Made During Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
DNS Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Uninstalling DigitalPersona Pro Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3 Pro Client installation 35
System requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Upgrading from Previous Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Remote installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Remote installation for patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Client Suite installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Local installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Command line Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
DigitalPersona Pro Enterprise - Administrator Guide
iv
Table of Contents
Installation on Citrix Presentation Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
About Transform files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Uninstalling Pro Workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
4 Pro Kiosk installation 46
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Recent changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Changes compared to version 5.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Changes compared to version 4.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Upgrading from Previous Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Remote Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Remote installation for patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Local installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Command line installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Installation on Citrix Presentation Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
About Transform files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
5 Optional installations 55
Included in product package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Suite installers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Administration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
License Activation Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Users and Computers Snap-In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Attended Enrollment Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
User Query Tool Snap-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
GPMC Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Defender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Separate product packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Password Manager Admin Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Extended Server Policy Module (ESPM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Pro Cogent FR Plugin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
6 Citrix and remote installation 60
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Installation on Citrix solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Installation & Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Disabling automatic client updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Installing Citrix support after DigitalPersona Pro client installation . . . . . . . . . . . . . . . . . . . . . . 62
Section Two: Administration
7 Administration overview 65
Administration Tools package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
8 License Activation & Management 67
DigitalPersona Pro Enterprise - Administrator Guide
v
Table of Contents
License Activation Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
License activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Pro Enterprise Server activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Server activation from another computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Package or component activation (v 5.3 only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
9 ADUC snap-ins 82
Users and Computers snap-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
User properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
User object commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Computer object commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
User Query Tool snap-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
ActiveX control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Interactive dialog-based application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Command line utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
10 Attended Enrollment 94
Setting up Attended Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
To assign, or remove Register/Delete permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Enrolling user credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Deleting Fingerprints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
11 Policies and Settings 99
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Computer Configuration/Policies/Software Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
DigitalPersona Pro Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Security/Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Security/Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Kiosk Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
DigitalPersona Pro Enterprise Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Computer Configuration\Policies\Administrative Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
DigitalPersona Pro Client (Summary) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
DigitalPersona Pro Client (Details) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Authentication Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Event logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
General Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Kiosk Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Managed applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Security/Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Security/Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
DigitalPersona Pro Enterprise Server (Summary) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
DigitalPersona Pro Enterprise - Administrator Guide
vi
Table of Contents
DigitalPersona Pro Enterprise Server (Detail) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
User Configuration\Policies\Software Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
DigitalPersona Pro Client (Summary) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
DigitalPersona Pro Client (Detail) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Security/Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Security/Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
User Configuration\Administrative Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
DigitalPersona Pro Client (Summary) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
DigitalPersona Pro Client (Detail) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
12 Single Sign-On 129
Configuring Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Disable Session Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Create managed logons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
13 GPMC Extensions 130
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Implementation Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Install Workstation Administrative Templates Locally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
14 Recovery 134
User recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Computer recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Account lock recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
15 Pro Reports 136
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Setting up DigitalPersona Pro Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Web console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Creating a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Creating a new subscription . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Adding a report to an existing subscription . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Editing a subscription . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Bookmarking a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Deleting a report or subscription . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
16 Pro Events 145
Credential Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Secret Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Service Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Password Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Credential Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
DNS Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Windows Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
DigitalPersona Pro Enterprise - Administrator Guide
vii
Table of Contents
Authentication Domain Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
17 Extended Server Policy Module 152
18 Utilities 153
Cleanup Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Section Three: Pro Clients
19 Pro Workstation 155
Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Workstation setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Opening the dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Using the dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Managing user credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Self Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Enrolling your fingerprints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Enrolling a PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Enrolling scenes for the Face credential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Setting up cards and tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Setting up a smart card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Setting up a contactless or proximity card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Enrolling a Bluetooth device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Changing your Windows password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Security Applications Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Windows authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Smart card authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Password Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Backing up and restoring your data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Setting your preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
ID Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Learn more . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
20 Pro Kiosk 173
Feature overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Comparing Pro Workstation and Pro Kiosk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Logging On to Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Using One Touch Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Logging on to Windows without Kiosk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Automatic logon using the Shared Kiosk Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Changing Your Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
User Account Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Using the Password Manager Admin Tool with Pro Kiosk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Logging On to Password-Protected Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
User logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
DigitalPersona Pro Enterprise - Administrator Guide
viii
Table of Contents
Switching Users on Pro Kiosk Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Using multiple Kiosk accounts with Citrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
21 Pro Administrative Console 179
Opening the Administrative Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Using the Administrative Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Configuring your system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Setting authentication policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Logon Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Session Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Specifying credentials settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Configuring your applications settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
General tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Applications tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Section Four: Appendices
22 Glossary 192
Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
23 Citrix Deployment Scenarios 200
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Installation and configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Fast Connect with XenApp and Pro Workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
XenApp server configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Pro Server configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Maintaining local and remote Kiosk identities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Setting up kiosks for local and remote identities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Using kiosk local and remote identities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
IGEL Universal Desktop support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
24 Policies and Settings - Alphabetical list 206
25 Embedded Windows dependencies 210
Required components for supported Windows Embedded platforms . . . . . . . . . . . . . . . . . . . . . . . 210
Required files for supported Windows Embedded platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
26 Identification List 215
27 Pro Events for version 5.3 218
Credential Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Secret Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
System, Services, Settings and User Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
DigitalPersona Pro Enterprise - Administrator Guide
ix
Table of Contents
External components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Password Manager Admin Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Fingerprint Match . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
DNS Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
License Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
License Management, ID Server licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
OTP Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Status Notifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
28 Schema extension 228
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Schema extension overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Schema objects details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Class details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Standard Classes Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
29 Index 293
DigitalPersona Pro Enterprise - Administrator Guide
10
Solution Overview 1
This chapter provides a high-level overview of the DigitalPersona Pro Enterprise solution, and
includes the following major topics.
More details on specific components and modules are provided in the remainder of this Administrator
Guide. Additional implementation, administration and reference-level documentation is provided through
a series of Quick Start Guides and Application Guides for many of the components and modules as well as
for major features. A series of integrated help files provide the finest level of detail for all user-centric
features as well as many administrator features and functions.
References to procedures, UI elements and images in this guide are always made to the current version of
DigitalPersona Pro products. References to, and images of, Microsoft Windows products are to Windows
Server 2008 and Windows 7 unless otherwise noted.
Topics Page
Introduction 11
Architecture 11
Components 12
Authentication and Credentials 15
Security applications 15
Licensing model 16
System Requirements 17
Support Resources 17
Changes from previous version 18
Chapter 1 - Solution Overview
DigitalPersona Pro Enterprise - Administrator Guide
11
Introduction
DigitalPersona Pro Enterprise is an enterprise-level central management solution for Endpoint
Protection that enables administrators to manage security and authentication within Active Directory
networks including data protection, access management and recovery. It represents an optimal
solution to multiple security needs, including:
Strong Authentication for PC, application and RADIUS logon
Single Sign-On (SSO) for Enterprise applications
For further information on how DigitalPersona Pro Enterprise can help you solve your security needs,
we have white papers, datasheets and case studies on our website at http://www.digitalpersona.com/
enterprise.
Architecture
The conceptual architecture of DigitalPersona Pro Enterprise consists of four layers.
Management Provides an Active Directory-based solution for the enterprise; enabling the IT
Administrator to configure, deploy and administer security policies throughout the organization.
Security Applications Provides pluggable applications and features that are managed through the
DigitalPersona Pro management infrastructure.
Clients - Workstation software installed on notebooks, desktops and shared-user kiosks.
Credentials Provides support for multiple authentication credentials that may be used in specified
combinations for verifying the identity of users accessing managed computers and security
applications.
Chapter 1 - Solution Overview
DigitalPersona Pro Enterprise - Administrator Guide
12
Components
DigitalPersona Pro Enterprise is a client-server product. It consists of server and client components that
work within an existing Active Directory environment.
Server components
DigitalPersona Pros server components fulfill four main purposes:
They allow IT Administrators to manage security and authentication policies via Active Directory
Group Policy Objects. For these purposes, DigitalPersona Pro includes various GPMC (Group Policy
Management Console) extensions, installed under the Software Settings and Administrative Templates
nodes, to link product policies and settings to Active Directory containers.
They provide centralized, server-side authentication of various types of credentials (e.g. fingerprints,
smart cards, bluetooth, one-time passwords etc.). For these purposes, DigitalPersona Pro runs
authentication services within your domain and receives authentication requests from managed
computers.
They allow centralized backup and roaming of computers and users credentials and passwords. For
these purposes, DigitalPersona Pro uses Active Directory as a database of relevant data.
They also allow other general administrative tasks, including:
Access recovery into locked workstations
Deployment of license activation codes.
The main server components of the DigitalPersona Pro Enterprise product are briefly described in the
following table, and more fully described in the referenced pages.
Server component Purpose Page
Pro Enterprise Server Provides domain-wide, centralized administration of Pro
clients and enables strong authentication through various
credentials, such as Bluetooth tokens, Windows passwords,
fingerprints, smart cards and more.
22
DigitalPersona Defender Enables two-factor authentication in workstation clients, and
works with any OATH-compliant hardware token.
57
Pro Administration Tools Provides additional tools for administration of various
DigitalPersona Pro features and utilities including License
Management, GPMC Extensions, Access Recovery,
Attended Enrollment and the Password Manager Admin
Tool.
55, 64
Chapter 1 - Solution Overview
DigitalPersona Pro Enterprise - Administrator Guide
13
Compatible workstation clients
The DigitalPersona Pro Enterprise solution supports the following clients:
DigitalPersona Pro Workstation for Enterprise - This primary client enforces security and
authentication policies on managed Windows computers while providing intuitive access to end-user
features and functionality. It may be centrally managed by Pro Enterprise Server, or installed as a
stand-alone product.
DigitalPersona Pro Kiosk for Enterprise - This specialized kiosk client provides DigitalPersona Pro
features for environments where users log on to a shared, common Windows account or kiosk. It is
centrally managed by Pro Enterprise Server.
NOTE: The Pro Workstation for Enterprise and Pro Kiosk for Enterprise clients may be installed
individually on computers or deployed through Active Directory GPO, SMS (Systems Management
Server) or logon scripts. They cannot be installed through ghosting or imaging technologies.
DigitalPersona Pro Workstation for Enterprise
DigitalPersona Pro Workstation for Enterprise is the primary client application for end-users, providing an
intuitive means for increasing both security and convenience through a variety of configurable options
including enrollment and use of multiple credentials, and the use of automated logons for enterprise
resources, programs and websites. For more details, see the chapter Pro Workstation on page 155.
DigitalPersona Pro Kiosk
DigitalPersona Pro Kiosk for Enterprise is a client application specifically designed for environments
where users need fast, convenient and secure multi-factor identification on workstations shared by multiple
users. Although users share a common Windows account, DigitalPersona Pro Kiosk for Enterprise
provides separately controlled access to resources, applications and data. For a full description of its
features, see the chapter Pro Kiosk on page 173.
Chapter 1 - Solution Overview
DigitalPersona Pro Enterprise - Administrator Guide
14
Client user interfaces
Pro Enterprise Workstation contains two separate program interfaces; a user dashboard and an
Administrative Console. Access to the Administrative Console requires local administrator privileges. The
Pro Kiosk client provides the same user dashboard, but does not have an Administrative Console.
Settings that govern the features and behavior of the user dashboard are in most cases controlled through
Active Directory GPO settings. However, settings that are left Not Configured in Active Directory may
be configured by the local administrator using the Administrative Console. These local settings will then
be effective for all users on the specific computer.
Whenever a setting is configured (enabled or disabled) in Active Directory, the local administrator cannot
modify the setting through the Administrative Console.
For this reason especially if the needs specific to your environment require you to provide end users with
local administrative rights DigitalPersona strongly recommends IT Administrators explicitly configure
each desired setting in Active Directory, rather than relying on default behaviors associated with the
unconfigured state.
Chapter 1 - Solution Overview
DigitalPersona Pro Enterprise - Administrator Guide
15
Authentication and Credentials
The default, and simplest, means of authentication, i.e. making sure that you are a person authorized to
access a computer or other resource, is your Windows account name and password. Authentication is
generally required in logging on to Windows, accessing network applications and resources, and logging
into to websites.
DigitalPersona Pro clients provide a means for the IT Administrator to easily setup and enforce strong
authentication such as two-factor and multi-factor authentication using a variety of supported credentials.
DigitalPersona Pro supports the use of various credentials for authentication, including Windows
passwords, fingerprints, smart cards, contactless cards, proximity cards, face, PIN, Bluetooth and One-
Time-Passwords.
An additional Self Password Recovery credential may be used solely for recovering access to a managed
client computer in place of a forgotten password.
Initial setup and enrollment of credentials is provided through a Setup wizard, or may be controlled by an
administrator using Attended Enrollment.
Security applications
DigitalPersona Pro Enterprise security applications integrate with the basic functionality of the solution.
Additional DigitalPersona Pro Enterprise security applications may be available. Contact your
DigitalPersona partner or reseller for further information, or go to our website at:
http://www.digitalpersona.com/enterprise/products/pro-enterprise.
Password Manager Admin Tool
The Password Manager Admin Tool simplifies and secures access to password-protected software
programs and websites through the use of managed logons that allow users to identify themselves through
the use of any supported credential or combination of credentials specified by the administrator, as defined
in the Authentication and Credentials topic above.
Administrators use the DigitalPersona Password Manager Admin Tool to create managed logons
specifying information for logon and change password screens for websites, programs and network
resources. These managed logons are then deployed to managed workstations, where they are accessible to
the user through the Password Manager application and the mini-dashboard. Managed logons always take
precedence over personal logons created by users.
For additional information on the Password Manager Admin Tool, see the DigitalPersona Password
Manager Admin Tool Application Guide (available on our website at http://www.digitalpersona.com/
Support), or see the help file within the program.
Chapter 1 - Solution Overview
DigitalPersona Pro Enterprise - Administrator Guide
16
Licensing model
DigitalPersona Pro Enterprise features and functionality as described in this Administrator Guide are
included in the core version of the product, unless otherwise indicated.
The basic licensing model is the User license, which permits enrolling of user credentials by a specified
number of DigitalPersona Pro Enterprise users. The specific DigitalPersona Pro SKU and/or package you
purchased may entitle you to licensing of one or more additional modules or components that are
integrated with DigitalPersona Pro.
You should have received from DigitalPersona or from a DigitalPersona authorized reseller all of the
license activation keys and/or files that are part of the package you purchased. Make sure you contact your
DigitalPersona representative, should you have any questions. Some modules or optional components may
need to be activated individually.
For information on other licensed versions of the product which may be available, and licensing for
specific features, contact your DigitalPersona Account Manager or Reseller - or visit our website at:
http://www.digitalpersona.com/enterprise/products/pro-enterprise.
Licenses may be activated through Active Directory using the License Activation Manager. For more
information about DigitalPersona Pro Enterprise license activation, see License Activation &
Management on page 67.
Chapter 1 - Solution Overview
DigitalPersona Pro Enterprise - Administrator Guide
17
System Requirements
* Also supported: Windows XP Embedded SP3, Windows Embedded Standard 2009 and Windows
Embedded Standard 7, with dependencies as documented on page 210.
Personal logons allow end-users to create automated logon to programs, websites and network resources.
Managed logons have the same function but are created by an administrator and deployed to end-users.
NOTE: When using Internet Explorer on Windows 8, Password Manager features are only available when
the browser is launched from the legacy desktop, not from the Metro UI.
Support Resources
The following resources are provided for additional support.
Readme files in the root directory of each product package contain late-breaking product information.
AskPersona.com (http://askpersona.com) is a DigitalPersona knowledge portal providing answers to
many frequently asked questions about our products.
DigitalPersona Maintenance and Support customers will find additional information about technical
support resources in their Maintenance and Support confirmation email.
Online help is included with each component and application.
Product/Component Minimum Requirements
DigitalPersona Pro
Enterprise Server
Microsoft Windows Server 2008 R2 (32/64-bit) or Windows Server
2003 SP2 (32/64 bit) or Windows SBS 2003 SP2
Active Directory
12 MB disk space plus 5Kper user
DigitalPersona Pro
Workstation for Enterprise
Windows Server 2008 R2 (32/64-bit) or Windows Server 2003 SP2
(32/64-bit) or Windows 7/8/Vista (32/64-bit) or Windows XP
Professional SP3 (32/bit).* Home editions of Windows 7/Vista/XP are
not supported.
50 MB disk space, 100 MB during installation
Microsoft Internet Explorer 6-10, Chrome 11+ or Firefox 4+ to create/
use Password Manager personal logons or use managed logons.
Microsoft Internet Explorer 6-10 to create managed logons using the
Password Manager Admin Tool
DigitalPersona Pro
Kiosk for Enterprise
Windows 7/8/Vista (32/64 bit) or Windows XP Professional SP3 (32
bit). Home editions are not supported.
50 MB disk space, 100 MB during installation
Microsoft Internet Explorer 6-10, Chrome 11+ or Firefox 4+ to use
managed logons
Chapter 1 - Solution Overview
DigitalPersona Pro Enterprise - Administrator Guide
18
All DigitalPersona Pro Enterprise documentation is available on our website at:
http://www.digitalpersona.com/Support/Reference-Material/DigitalPersona-Pro-Reference-Material-Guides.
Changes from previous version
5.5 vs 5.4.1
The major differences between the 5.5 release and the previous 5.4.1 release are summarized below.
1 Support for Microsoft 2012 server.
2 Support for NetMotion.
3 Fingerprint authentication for Citrix XenDesktop
4 Microsoft Windows Logo Certification.
5 The User Query Tool has been modified to enable reporting users who have answered the Self
Password Recovery questions.
6 Support for U.are.U 5160 PIV Certified fingerprint sensor, Eikon II and Eikon Mini fingerprint
readers.
7 Passwords are treated as credentials, and therefore consume a license, only when used for SSO and for
authentication into the Pro Administrative Console.
8 The Delete License command has been refined so that user data from the local cache is removed
during the process, and the warning (from v5.4.1) not to use DigitalPersona Pro on this account in the
future is no longer necessary.
9 Enhancements to the processes for enrolling and using Card credentials (Smart Cards, Contactless
Cards and Proximity Cards) to simplify their use and align the experience more closely with that of
other credentials.
10 Support for two models of Dell/Wyse thin clients; D90 & Z90 running Ubuntu and SUSE) using ICA
or RDP clients. Requires separate part number and download.
5.4.1 vs 5.4
The major differences between the 5.4.1 release and the previous 5.4 release are summarized below.
1 Delete License - A new feature available through the DigitalPersona Users and Computers snap-in
allows the administrator to delete the DigitalPersona user license for a selected user. This new
command on the context menu for a user in the Active Directory Users and Computers console
releases the DigitalPersona license associated with this user back to the license pool.
Chapter 1 - Solution Overview
DigitalPersona Pro Enterprise - Administrator Guide
19
Note that use of this command will delete all DigitalPersona credentials and other user data stored in
Active Directory. The user account should no longer be used with DigitalPersona Pro, and the product
should not be reinstalled in the same user account. If use of DigitalPersona Pro is attempted on this
account, an Access Denied error will be reported due to previously locally cached credentials. See
page 84.
2 User Query Tool - Additional functionality has been added to the User Query Tool which now returns
a flag indicating whether a license was taken by a specified user, and provides the ability to delete the
license. See pages 86 and following.
3 Kiosk access restrictions - Note that in versions prior to 5.4.1, kiosk access restriction through an
identification list (see page 215) applies only to fingerprint access, and access through other
credentials, such as WIndows password, is not restricted. Beginning with version 5.4.1, the restriction
applies to all supported credentials.
4
5.4 vs 5.3
The major differences between the 5.4 release and the previous 5.3 release are summarized below.
1 DigitalPersona Reporter has a brand new interface, with dozens of reports for compliance and
auditing, the ability to schedule, email and export in popular formats such as PDF, XLS, XML, and the
ability to extensively filter and customize reports. Pre-canned reports support HIPAA, PCI and Sox
compliance standards.
2 New simplified Client Suite Installer and Administrative Suite Installer provides a more convenient
way to install related Digitalpersona Pro Enterprise components.
3 DigitalPersona Pro Workstation for Enterprise can now be installed in Evaluation mode, which does
not require connection to a DigitalPersona Pro Enterprise Server.
4 Client licenses are no longer required for DigitalPersona Pro Workstation and Pro Kiosk. Pro Server
User Licenses are required to cover the number of users enrolling credentials in the DigitalPersona Pro
Enterprise environment. Instructions for installing the previous version (5.3) Client Package and
Component licenses are included for reference beginning on page 73.
5 New Fast Connect feature allows for SSO to Citrix Published Applications and Desktops with XenApp
and XenDesktop. See Citrix Deployment Scenarios on page 200.
6 Quick Actions now support the use of smart (contact, contactless and proximity) cards, and the new
Fast Connect feature. See Quick Actions tab on page 170.
7 Support has been added for Windows 8, in Legacy mode only.
8 Additional per-user policies and settings. See User properties on page 82.
Chapter 1 - Solution Overview
DigitalPersona Pro Enterprise - Administrator Guide
20
9 The User Query Tool now reports the dates that fingerprints were first enrolled and last enrolled. See
User Query Tool snap-in on page 86.
10 Password Manager Pro has been renamed the Password Manager Admin Tool.
11 Some pages and settings in the Administrative Console have been changed. Management of
DigitalPersona Pro Users is no longer available through the Administrative Console. See Pro
Administrative Console on page 179.
12 The DigitalPersona Pro 5.4 package includes a new version (v5.7) of DigitalPersona Defender.
13 Support for new contactless (Felica) and proximity (Indala) cards.
14 User secrets (i.e. Password Manager logon account data) created on disconnected computers are now
synchronized with the Pro Server data once reconnect ion is established.
15 New centrally-managed, roaming, question-and-answer-based Self Password Recovery feature allows
the user to recover access to any domain computer where they have logged on at least once.
16 Support for YubiKey tokens used as RFID tokens or as OTP tokens through DigitalPersona Defender.
17 On Windows Server 2003, DigitalPersona 5.4.0 administrative templates are installed in a new
location, the Windows\Inf\{language} folder. When upgrading previous versions of Pro Server to 5.4.0
on Windows Server 2003, all adminstrative templates have to explicitly be removed from GPOs, and
the new adm files added to Administrative Templates.
18 DigitalPersona Drive Encryption is not supported in this version.
DigitalPersona Pro Enterprise - Administrator Guide
21
Section One: Installation
This section of the DigitalPersona Pro Enterprise Administrator Guide includes the following chapters:
Chapter Number and Title Purpose Page
2 - Pro Server Installation Requirements and procedure for installing DigitalPersona
Pro Enterprise Server.
22
3 - Pro Client installation Requirements and procedure for installing DigitalPersona
Pro clients.
35
4 - Pro Kiosk installation Requirements and procedure for installing DigitalPersona
Pro Kiosk clients.
46
5 - Optional installations Requirements and procedure for installing optional
DigitalPersona Pro Enterprise components.
55
DigitalPersona Pro Enterprise - Administrator Guide
22
Pro Server Installation 2
This chapter provides instructions for the installation of DigitalPersona Pro Enterprise Server on a domain
controller.
Instructions for uninstalling DigitalPersona Pro Enterprise Server are on page 31.
Deployment Overview
Here is a high-level overview of the steps required for initial deployment of DigitalPersona Pro Enterprise
Server on the domain controller for a Windows 2003/2008 Server network.
Upgrading from Previous Versions
Before upgrading from a previous version, it is critical that you refer to the DigitalPersona Pro Upgrade
Notes available at http://www.digitalpersona.com/support/reference-material/pro-upgrade-notes/.
Direct upgrades from DigitalPersona Pro for Active Directory versions previous to 4.4.3 are not supported.
If you need to upgrade from a version prior to 4.4.3, you will need to upgrade to Pro 4.4.3 and then
upgrade to Pro Enterprise 5.4. A Migration Guide is available from DigitalPersona or your authorized
Procedure Page
1 Extend the Active Directory schema to include attributes and classes used by
DigitalPersona Pro Enterprise Server. Requires AD Schema Administrator rights.
You can view the details of the changes that will be made to the schema by opening
the file dp-schema.ldif located in the AD Schema Extension folder in the
product package.
23
2 Configure each domain on which DigitalPersona Pro Enterprise Server will be
installed by running DPDomainConfig.exe (located in the folder "AD Domain
Configuration" in the product package). Requires AD Domain Administrator
rights.
24
3 Install the DigitalPersona Pro Enterprise Server software. Note that this will set
firewall rules necessary for the operation of DigitalPersona software.
26
4 (Windows Server 2003 only) Add DigitalPersona Administrative Templates to
OUs.
55, 133
5 (Optional) Configure Pro Enterprise Server for use with DigitalPersona Pro Kiosk,
if Pro Kiosk will be used in the domain.
28
Detailed instructions for installation begin on page 22.
Chapter 2 - Pro Server Installation
DigitalPersona Pro Enterprise - Administrator Guide
23
channel partner for upgrading from DigitalPersona Pro for Active Directory 4.4.3 to DigitalPersona Pro
Enterprise 5.3.
Also, make sure to review the readme.txt files included with each component in the product package that
you are installing.
Compatibility
DigitalPersona Pro Enterprise Server version 5.4 is compatible with the following DigitalPersona
products:
DigitalPersona Pro Workstation for Enterprise 4.4.3 and above.
DigitalPersona Pro Kiosk for Enterprise 4.4.3 and above.
DigitalPersona Password Manager Admin Tool 5.3.0 and above
DigitalPersona Privacy Manager Pro 5.51 or higher
DigitalPersona Defender Server 5.7
DigitalPersona Pro Server Enterprise 5.4 should NOT be
installed over (or upgraded to) DigitalPersona Pro Server for Active Directory versions prior to 4.4.3.
used in a mixed environment with Pro Server for Active Directory versions 3.x or 4.x or with Pro
Workstation/Kiosk 3.x/4.x.
If any previous version of DigitalPersona Pro Server for Active Directory was installed, the administrator
should uninstall it and run the DigitalPersona Cleanup wizard (located in the product package) to delete all
the previous DigitalPersona Pro data.
This release is not compatible with, and requires the uninstallation of any other DigitalPersona products on
the same computer.
Extending the Active Directory Schema
Prior to installing DigitalPersona Pro Server, the Active Directory schema must be extended to create new
attributes for the user object and new classes, as well as to make modifications to existing classes. The
Active Directory Schema Extension Wizard automatically handles all of the necessary changes to the
schema.
This schema extension is version 2. The schema extension version number is independent of the
DigitalPersona Pro product version number. Each Pro product release will identify the schema extension
version it requires. This schema extension is global to the Active Directory forest.
If you want to view the script that is used to extend the schema (dp-schema.ldif), it is available in the
product package at the following location:
AD Schema Ext ensi on\ dp- schema. l di f
Chapter 2 - Pro Server Installation
DigitalPersona Pro Enterprise - Administrator Guide
24
The Active Directory Schema Extension Wizard must be run from the schema master domain controller, or
the data may not replicate fast enough to allow the wizard to continue. If the data is not replicated fast
enough, the wizard will terminate, and you should then wait one replication cycle before running the
wizard again.
After the schema extension, and again after configuring your domains, you must wait for Active Directory
schema replication to be completed. The amount of time this takes will depend on the complexity of your
Active Directory structure.
You must have Schema Administrator privileges to run the Schema Extension Wizard.
To run the Active Directory Schema Extension Wizard
1 Double-click DPSchemaExt.exe, which is located in the Schema Extension folder in the Server
installation package, to start the Schema Extension Wizard.
2 Read the terms and conditions on the License Agreement page. If you agree with them, select I accept
the license agreement and then click Next.
3 When prompted to proceed with the schema extension, click Yes.
4 Next, specify a location and name for the log file generated by the Schema Extension Wizard in the
Save Log File As dialog box. Then, click Save.
5 If the schema is not writable, the wizard will inform you of the fact and will allow you to make it
writable. If this dialog box displays, click Yes to make the schema writable and perform the schema
extension.
6 The wizard will extend the schema and provide information such as the class and attribute names. To
close the wizard, click Finish.
The name of each new attribute and class added to the Active Directory schema follows Microsoft naming
conventions. The names are assigned a dp prefix, which is registered with Microsoft.
The OID base, generated by Microsoft, is 1.2.840.113556.1.8000.651.
Configure each domain
For each domain on which you plan to install DigitalPersona Pro Server, you need to run the
DigitalPersona Pro Active Directory Domain Configuration Wizard, which configures the required
domain-specific data including the necessary cryptographic keys.
Running the wizard requires administrator privileges on the domain controller.
You should run this wizard only once on each domain where Pro Server will be installed.
When installing multiple DigitalPersona Pro Enterprise Servers, it is critical that you run the wizard only
once during any replication period, allowing full replication to be completed before going on to run the
wizard on the next domain.
Chapter 2 - Pro Server Installation
DigitalPersona Pro Enterprise - Administrator Guide
25
Running the wizard a second time during a single replication period will result in corrupted Server data,
and any DigitalPersona Pro Enterprise Servers in the domain will be unusable.
After running the Domain Configuration wizard, domain level permissions to enroll/delete fingerprints are
reset to the default, i.e. Allow.
To run the DigitalPersona Pro Enterprise Domain Configuration Wizard
1 Double-click DPDomainConfig.exe, which is located in the Domain Configuration folder in the
Server installation package.
2 Read the license agreement that displays and, if you agree to the terms and conditions, select I accept
the license agreement and then click Next.
3 A warning reminds you not to run this wizard if you have an existing DigitalPersona Pro Enterprise
Server installation on this domain. If you are sure there are no other DigitalPersona Pro Enterprise
Server installations on the domain you are configuring, check the I accept that the domain will be
configured box and click Next.
4 In the Save Log File As dialog box, specify a file name and folder path for the log file generated by the
wizard and click Save.
5 When you click Save, the wizard performs the changes on the domain.
6 To close the wizard, click Finish.
Chapter 2 - Pro Server Installation
DigitalPersona Pro Enterprise - Administrator Guide
26
Install DigitalPersona Pro Enterprise Server
After extending the Active Directory schema and configuring the domain where you will install Pro
Server, you are ready to install the software.
Before installing DigitalPersona Pro Enterprise Server, ensure that the computer meets the minimum
requirements listed on page 17.
WARNING: To avoid possible data loss, wait one data replication cycle after domain configuration before
installing DigitalPersona Pro Enterprise Server.
Note also that the installation will set three inbound firewall policies necessary for the operation of
DigitalPersona software as follows:
To install DigitalPersona Pro Server
1 Double-click Setup.exe to run the DigitalPersona Pro Enterprise Server Installation Wizard, located in
the Pro Enterprise Server folder of the DigitalPersona Pro Enterprise Server installation package.
2 When the wizard opens, click Next.
3 Read the terms and conditions on the License Agreement page. If you agree with them, select the I
accept the license agreement button and then click Next.
4 On the next page, you can specify the folder in which DigitalPersona Pro Enterprise Server will be
installed. If you want to install the server in the default location, which is C: \ Pr ogr am
Fi l es\ Di gi t al Per sona, click Next. Or click Browse to specify a new location and then click Next
to continue.
5 The wizard will install the Server software. To close the wizard, click Finish.
DigitalPersona Pro Enterprise Server and its associated workstation clients use GPMC extensions,
installed under the Software Settings and Administrative Templates nodes, to link product policies and
Policy Name Description
DigitalPersona Authentication Service
(Echo Request - ICMPv4-In)
Inbound rule for DigitalPersona
Authentication Service to allow Echo Request
messages to be sent as ping requests.
DigitalPersona Authentication Service
(DCOM-In)
Inbound rule for DigitalPersona
Authentication Service to allow remote
DCOM activation via the RPCSS service.
DigitalPersona Authentication Service
(TCP-In)
Inbound rule for DigitalPersona
Authentication Service to allow it to be
remotely connected via DCOM.
Chapter 2 - Pro Server Installation
DigitalPersona Pro Enterprise - Administrator Guide
27
settings to Active Directory containers. These policies and settings are described in the chapter, Policies
and Settings on page 99.
In releases prior to 5.2, administrative templates were automatically copied to the default folder for
administrative templates during installation of DigitalPersona Pro Enterprise Server,
On Windows Server 2003, this folder is C:\Windows\inf.
On Windows Server 2008, the folder is X:\Windows\PolicyDefinitions.
Beginning in release 5.2, these administrative templates are no longer copied as part of the Pro Enterprise
installation. They are now part of the DigitalPersona Pro Administrative Tools, GPMC Extensions
component, which may be installed on any Active Directory aware computer.
For additional information on the GPMC Extensions, see GPMC Extensions on page 130. For policies and
settings available through the GPMC extensions, see Policies and Settings on page 99.
Chapter 2 - Pro Server Installation
DigitalPersona Pro Enterprise - Administrator Guide
28
Configuring DigitalPersona Pro Server for Pro Kiosk
Configuration Steps
Complete the following Pro Server and Kiosk installation and configuration steps in the order shown
below. Specific instructions for configuration are described in the following sections and additional pages
as referenced.
Complete the following
1 Install DigitalPersona Pro Server, 5.x or higher version. This includes performing Schema
Extension, Domain Configuration and the Server installation as specified on pages 23 and following. If
previous versions of DigitalPersona Pro Server were installed in the domain, you should run the Domain
Configuration Wizard, but should not run the Schema Extension Wizard again in this case.
2 Install the DigitalPersona Pro Administration Tools. You do not need to install all of the included
Administration Tools components,. However, the GPMC Extensions component must be installed. See
Administration Tools on page 55.
3 Create an OU for each kiosk and assign computers to the kiosk OU. See Creating the OU for the
Kiosk on page 29. By default, the entire domain is considered as one kiosk. You may want to set up
multiple, separate kiosks.
4 Assign kiosk permissions. By default, all domain users are allowed Kiosk permissions. You can restrict
identification to specific groups or users by following the instructions in the chapter Identification List
on page 215. Note that by design, AD Domain Administrator will have access even if not granted
permission on an Identification List. However, you can change the permission for the Domain
Administrator from Allow to Deny for any specific kiosk.
5 Create a Shared Account in Active Directory and specify the account information either by GPO or
on individual kiosk computers. See Kiosk Shared Account Settings on page 29 and Adding Shared
Account Settings Using GPO on page 29.
6 Install DigitalPersona Pro Kiosk on kiosk computers. See Pro Kiosk installation on page 46 for
instructions.
7 Enroll user credentials. By default, all domain users are allowed to enroll their own credentials.
However, you can choose whether you want to supervise the credential enrollment process, or allow
users to enroll credentials themselves when they first log on to or unlock a kiosk computer. For more
information, refer to the topic Attended Enrollment on page 94.
Chapter 2 - Pro Server Installation
DigitalPersona Pro Enterprise - Administrator Guide
29
Configuring Kiosk GPO Settings
Perform fingerprint identification on server
The GPO setting Perform fingerprint identification on server must be applied and enabled for all Pro
Kiosk clients that will be using fingerprint credentials. For further details, see Perform fingerprint
identification on server on page 121.
Kiosk Shared Account Settings
At the kiosk level, whether it is the domain or an OU, you must specify the kiosk Shared Account
information. For more information, see Adding Shared Account Settings Using GPO on page 26.
Creating the OU for the Kiosk
When you install DigitalPersona Pro Server and Pro Kiosk, the entire domain is considered as one kiosk
unless you complete further configuration.
To create multiple kiosks in a domain, or to limit the usage of the kiosk to specific computers only, you
should create an organizational unit (OU) for each kiosk and then assign computers to the OU. You might
create several kiosks where each kiosk is associated with its own OU. If computers in the same OU are
geographically located in different sites, each OU per site is a kiosk.
Specifying a Shared Account for the Kiosk
Pro Kiosk requires an account, known as the Shared Account, that is specified on every kiosk computer.
Account information includes the user name, domain name and password for an Active Directory account.
You should have one Shared Account per kiosk with a Password never expires setting.
You can configure the kiosk Shared Account by supplying the kiosk Shared Account information through
GPO settings, as described below.
If the kiosk Shared Account information is distributed through Group Policies settings, all computers that
belong to the selected object level in Active Directory, such as OU, Domain, or Site, receive the kiosk
Shared Account settings.
Pro Kiosk automatically assigns the Impersonate a client after authentication user right to the kiosk
Shared Account. This right allows programs that run on behalf of that user to impersonate a client. This
right allows Pro Kiosk to authenticate multiple users while using only one logon session for the Shared
Account.
Adding Shared Account Settings Using GPO
The Pro Kiosk Shared Account setting is provided as part of the GPMC Extensions component of the
DigitalPersona Pro Administration Tools, a separate installation available in your Pro Enterprise product
package.
Chapter 2 - Pro Server Installation
DigitalPersona Pro Enterprise - Administrator Guide
30
Note that beginning with Pro Enterprise 5.3, the AD location of these settings have been changed. The
settings previously found at Computer Configuration/Administrative Templates/DigitalPersona Pro Client
Kiosk Administration have been replaced and are included for backward compatibility only.
The new location is Computer Configuration/Policies/Software Settings/DigitalPersona Pro Client/Kiosk
Administration.
You can use the Group Policy Editor to modify DigitalPersona settings. For the Kiosk Shared Account
Settings, at the OU level for the kiosk, open the Kiosk Administration node and double-click Kiosk
Workstation Shared Account Settings. Specify the following values:
Kiosk Shared Account user name
Kiosk Shared Account NetBIOS domain name
Kiosk Shared Account password
The Shared Account information will be enabled for all computers in the OU.
Assigning Kiosk Permissions
In situations where additional security restrictions are necessary or desirable, you can modify the default
permissions to allow or deny specific groups or users from using each kiosk. The default installation
permits every domain user to use all kiosks in the domain and no additional configuration is necessary.
For an example of how to restrict identification, see Restricting kiosk identification on page 122.
Password Manager Admin Tool settings
If you plan on using managed logons with DigitalPersona Pro Kiosk, the templates created in the Password
Manager Admin Tool must be accessible by the Shared Accounts that are used to access the kiosks. Make
sure that the templates are available through GPO settings to the kiosk Shared Account rather than kiosk
user accounts.
The Password Manager logon functionality is the same as in Pro Workstation except that kiosk users
cannot create their own personal logons, but can use managed logons created by the administrator. For
more information, on the Password Manager GPO settings, refer to Policies and Settings on page 99. For
additional information on managed logons, see the Password Manager Application Guide.
Chapter 2 - Pro Server Installation
DigitalPersona Pro Enterprise - Administrator Guide
31
Changes Made During Installation
Running the Schema Extension Wizard adds the following data to Active Directory.
Active Directory Containers
The Schema Extension Wizard installs two subcontainers in the Active Directory System container. They
contain information administrators can use to verify and administer the DigitalPersona Pro Server
installation. In the ADUC (Active Directory Users and Computers) Snap-in, ensure that Advanced
Features is selected from the View menu in order to view the System container.
The new containers installed are the BAS (Biometric Authentication Servers) container and the Licenses
container.
The Biometric Authentication Servers container provides the objectCategory and objectClass for the BAS.
The Licenses container stores the license files for DigitalPersona Pro products.
Chapter 2 - Pro Server Installation
DigitalPersona Pro Enterprise - Administrator Guide
32
Published Information
DigitalPersona Pro Server publishes its service using the following properties:
Service Class Name, set to Authentication Service.
Service Class GUID, set to {EFE03FEC-2A6C-4DFB-9B56-E3BC77F32D7F}.
Vendor Name, set to DigitalPersona.
Product Name, set to UareUPro.
Product GUID, set to {48F74E29-1CC0-468F-A0A0-8236628A5170}.
Authentication Server Object Name, the DNS name of the host computer.
Service Principal Name, a unique name identifying the instance of a service for a client.
Schema Version Number, the version of the Active Directory schema extension.
Product Version Number, the version of DigitalPersona Pro Server software.
Product Version High, set to [current version].
Product Version Low, set to [current version].
Keywords for searching the server are Service Class GUID, Vendor Name, Product Name and Product
GUID. The keyword values are the same as the property values listed in this section.
The Server publishes its service in compliance with the Active Directory Service Connection Point
specifications.
DNS Registration
The use of DNS registration enables DigitalPersona Pro Workstations to locate Pro Servers without
needing additional local configuration to do so. If your DNS Server supports dynamic registration,
DigitalPersona Pro Server registers itself with the DNS using the service name, _dpproent.
The format of the DNS resource records for DigitalPersona Pro Server is:
_dppr oent . _t cp. [ domai n] 600 I N SRV 0 100 0 [ ser ver name]
_dppr oent . _t cp. [ si t e name] . _si t es. [ domai n] 600 I N SRV 0 100 0 [ ser ver name]
Pro Server calculates site coverage based on the availability of other Pro Servers on the domain (as well as
sites configured for the domain) and then creates Service Resource Records (SRV RRs) for the domain and
sites it covers.
Settings in the DigitalPersona Pro Administrative Template govern whether or not Pro Server utilizes
dynamic registration. For information on this and other DNS related settings, see pages 122 and following.
Automatic Registration
By default, DigitalPersona Pro Server registers itself with DNS every time Pro Server starts, is
automatically refreshed at specified intervals, and unregisters itself every time DigitalPersona Pro Server
stops.
Chapter 2 - Pro Server Installation
DigitalPersona Pro Enterprise - Administrator Guide
33
When DigitalPersona Pro Server unregisters itself, it removes only the records it has created during
automatic registration. Records entered by the administrator will be unaffected.
Automatic Registration may be disabled through a GPO setting.
Manual DNS Registration
If your DNS Server does not support dynamic registration, or if dynamic registration is disabled through a
DigitalPersona Pro GPO setting, an administrator can manually register the Pro Servers by entering the
DNS resource records in the format shown above.
You can view the default values of settings created during Pro Server setup by opening the
U.are.UPro.DNS file in Notepad. It is located in the Program Files\ DigitalPersona\bin folder.
To manually register a Pro Server in Microsoft DNS
1 Open the DNS console and expand the Forward Lookup Zone.
2 In the left pane, select and then right-click on [ domai nname] , and select Other New Records in the
context menu.
3 In the Resource Record Type dialog box, click on Service Location, and then click the Create Record
button.
4 In the New Resource Record dialog, set the following values:
Service: _dppr oent
Weight: 100
Port Number: 0
Host offering this service: domai ncomput er name. domai nname. com
5 Click OK to save the settings and return to the main DNS console window.
6 Under the same [ domai nname] , expand the _sites key.
7 In the left pane, select and then right-click on Default-First-Site-Name and select Other New
Records from the context menu.
8 Repeat steps 3 through 5 for each Pro server that you want to register.
If the DP Service Resource Records (SRV RRs) are not added, either dynamically or manually, the
DigitalPersona Pro Workstation will not be able to find the Servers and will perform fingerprint enrollment
and authentication locally.
Chapter 2 - Pro Server Installation
DigitalPersona Pro Enterprise - Administrator Guide
34
Improving Performance
The Priority and Weight settings can be modified to achieve better response time and load-balancing in the
_dpproent.Properties dialog box, which is accessible by double-clicking _dpproent in the DNS Console.
The _dpproent SRV RRs can be found in the following paths in the DNS Console:
DNS/ [ DNS ser ver ] / For war d Lookup Zones/ [ domai n] / _t cp
DNS/ [ DNS ser ver ] / For war d Lookup Zones/ [ domai n] / si t es/ [ si t e name] / _t cp
If your DNS does not support dynamic registration, you will have to add these SRV RRs manually. For
your convenience, these entries are stored in a file, UareUPro.DNS, which is located in the folder in which
you installed DigitalPersona Pro Server.
Configuring DNS Dynamic Registration
Additional parameters for configuring DNS registration are available in the DigitalPersona Pro
Administrative Template when added to the governing GPO. These settings are described beginning on
page 122.
Uninstalling DigitalPersona Pro Server
DigitalPersona Pro Server can be uninstalled from the Add/Remove Programs Control Panel in Windows
if you have administrator privileges on the domain on which Pro Server is installed. The software is listed
as, DigitalPersona Pro Enterprise Server version [ ver si on number ] .
When you uninstall the Server software, the published information (described in Published Information on
page 29) and the DNS SRV RRs (described in DNS Registration on page 29) are removed.
Although the Add/Remove Programs Control Panel uninstalls DigitalPersona Pro Server software, the user
data (such as fingerprint credentials and secure application data) and global domain data remain in Active
Directory. DigitalPersona provides a DigitalPersona Pro Cleanup Wizard to remove this data. See Utilities
on page 153 for details.
DigitalPersona Pro Enterprise - Administrator Guide
35
Pro Client installation 3
This chapter provides instructions for installing the DigitalPersona Pro Workstation for Enterprise client.
Installation of the DigitalPersona Pro Kiosk client is covered in Chapter 4, beginning on page 46.
In most environments, DigitalPersona Pro Enterprise Servers will be used for authentication. They should
be installed and configured before installing DigitalPersona Pro Workstation for Enterprise.
The following topics cover the installation of DigitalPersona Pro Workstation for Enterprise:
System requirements
Installation
Remote installation
Client Suite installation
Local installation
Command line Installation
Installation on Citrix Presentation Server
System requirements
Before installing DigitalPersona Pro Workstation for Enterprise on a computer, make sure it meets the
system requirements listed on page 17, and that you have Administrative Rights on the computer.
Upgrading from Previous Versions
Before upgrading from a previous version, it is critical that you refer to the DigitalPersona Pro Upgrade
Notes available at http://www.digitalpersona.com/support/reference-material/pro-upgrade-notes/.
Direct upgrades from DigitalPersona Pro for Active Directory versions previous to 4.4.3 are not supported.
If you need to upgrade from a version prior to 4.4.3, you will need to upgrade to Pro 4.4.3 and then
upgrade to Pro Enterprise 5.4. A Migration Guide is available from DigitalPersona or your authorized
channel partner for upgrading from DigitalPersona Pro for Active Directory 4.4.3 to DigitalPersona Pro
Enterprise 5.3. Also, make sure to review the readme.txt files included with each component in the product
package that you are installing.
CAUTION: Upgrading the operating system from Windows XP to any later version of Windows will
uninstall DigitalPersona Pro, and it will need to be reinstalled. Any Pro enrolled credentials will be lost as
well. Before upgrading you should use the Backup and Restore feature (page 169) to backup your
DigitalPersona Pro data, and then restore the data after installing DigitalPersona Pro under the new
operating system.
Compatibility
DigitalPersona Pro Workstation version 5.4 is compatible with the following DigitalPersona products:
Chapter 3 - Pro Client installation
DigitalPersona Pro Enterprise - Administrator Guide
36
DigitalPersona Pro Enterprise Server 5.4.0 and above.
DigitalPersona Defender 5.7 and above.
DigitalPersona Password Manager Admin Tool 5.4.0 and above
DigitalPersona Privacy Manager Pro 5.51 and above.
This release is not compatible with, and requires the uninstall of, any other DigitalPersona products on the
same computer.
Installation
Remote installation
For remote installation of patches, see the next section.
The installer for Pro Workstation uses Microsoft Windows Installer (MSI) technology, which allows
administrators to remotely install or uninstall the software using Active Directory administration tools, or
other software deployment tools.
Note that this installer only works for computer-based policy installation, not user-based installations.
Prerequisites
Before installing your DigitalPersona Pro client, you must install the following prerequisites.
Windows Management Framework Core package - Includes the following components: Windows
PowerShell 2.0 and Windows Remote Management (WinRM) 2.0. See Windows KB article 968930.
Microsoft .NET Framework version 2.0 or above
Microsoft Visual C++ 2010 SP1 Redistributable package
Chapter 3 - Pro Client installation
DigitalPersona Pro Enterprise - Administrator Guide
37
Installing Pro Workstation
To install Pro Workstation remotely through Active Directory use the following procedure. Some steps will
vary depending on the operating system version.
For mixed 32- and 64-bit environments, follow these steps twice to create an administrative installation
file for each environment.
1 Create an administrative installation package.
a. Open a command prompt session and navigate to the location where you have stored the product
package. Change the directory to Pro Enterprise Workstation\x86 for the 32-bit version or Pro
Enterprise Workstation\x64 for the 64-bit version. Note that the 32-bit version will not install on
64-bit computers.
b. Type set up. exe / a
c. The product installation wizard launches and prompts you for a location where you would like the
administrative installation package to be created. Choose a network shared drive that will be
accessible to the computers where you will be installing the software. For example,
\ \ ser ver name\ I nst al l Di r , where InstallDir is a predefined shared folder. There is no need to
reboot at the end of the wizard.
2 Create a Group Policy Object (GPO) that will be used to distribute the software package.
a. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to
Administrative Tools, and then click Active Directory Users and Computers.
b. In the console tree, right-click your domain, and then click Properties.
c. Click the Group Policy tab, and then click New.
d. Type a name for this new policy (for example, DigitalPersona Pro 5.5 distribution), and then press
Enter.
e. Click Properties, and then click the Security tab.
f. Clear the Apply Group Policy check box for the security groups that you don't want this policy to
apply to.
g. Select the Apply Group Policy check box for the groups that you want this policy to apply to.
h. When you are finished, click OK.
3 Assign the package
a. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to
Administrative Tools, and then click Active Directory Users and Computers.
b. In the console tree, right-click your domain, and then click Properties.
Chapter 3 - Pro Client installation
DigitalPersona Pro Enterprise - Administrator Guide
38
c. Click the Group Policy tab, select the policy that you want, and then click Edit.
d. Under Computer Configuration, expand Software Settings.
e. Right-click Software installation, point to New, and then click Package.
f. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared
installer package that you want. For example, \\file server\share\file name.msi. It is important that
you do not use the Browse button to access the location. Make sure that you use the UNC path of
the shared installer package.
g. Click Open.
h. Click Assigned, and then click OK. The package is listed in the right-pane of the Group Policy
window.
i. For 32-bit installation packages only - Right-click the newly created package and select Properties.
Then, on the Deployment tab, click Advanced. Deselect the checkbox Make this 32-bit X86
application available on Win64 machines. If this checkbox remains selected, the application will
not install.
j. Close the Group Policy snap-in, click OK, and then close the Active Directory Users and
Computers snap-in.
4 Installation will begin on each client during the first reboot after the computer obtains the deployment
policy, i.e. during the next scheduled AD policy refresh or as a result of running GPUPDATE\FORCE
on the local computer.
Remote installation for patches
This topic addresses the remote installation of client patches through slipstreaming. For standard product
installation, see the preceding topic.
The installer for Pro Workstation uses Microsoft Windows Installer (MSI) technology, which allows
administrators to remotely install patches to software using Active Directory administration tools, or other
software deployment tools.
For mixed 32- and 64-bit environments, follow these steps twice - patching the administrative installation
files for both environments. Note that this installer only works for computer-based policy installation, not
user-based.
To install a Pro Workstation patch remotely through Active Directory, use the following procedure. The
following steps assume that an administrative installation package has been created as described in the
previous topic. Some steps will vary depending on the operating system version.
1 Update the installation package.
Open a command prompt session and type the following command to patch the previously created
installation package.
Chapter 3 - Pro Client installation
DigitalPersona Pro Enterprise - Administrator Guide
39
msi exec. exe / p [ pat h\ name of updat ed MSP f i l e] \ / a [ pat h\ name of admi ni st r at i ve
i nst al l at i on f i l e]
2 Redeploy the application
a. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to
Administrative Tools, and then click Active Directory Users and Computers.
b. Right-click the GPO that governs the computers you want to update and select Edit.
c. Navigate to Comput er Conf i gur at i on/ Pol i ci es/ Sof t war e Set t i ngs/ Sof t war e
I nst al l at i on.
d. Right-click the Pro client software name and select All Tasks\Redeploy application. Confirm
your intent to redeploy the application.
3 Installation will begin on each client during the first reboot after the computer obtains the deployment
policy, i.e. during the next scheduled AD policy refresh or as a result of running GPUPDATE\FORCE
on the local computer.
Chapter 3 - Pro Client installation
DigitalPersona Pro Enterprise - Administrator Guide
40
Client Suite installation
To install
1 Launch the Client Suite installer by running setup.exe from the Client folder of the product package.
2 Click Next.
3 Select the product to install. Note that only one of these product can be installed on a computer.
DigitalPersona Pro Workstation for Enterprise, or
DigitalPersona Pro Kiosk for Enterprise
4 If you need to install third party drivers for fingerprint or card readers, click the Third Party Drivers
button and select the appropriate drivers for your hardware and operating system. Note that
DigitalPersona does not provide drivers for Authentec fingerprint readers. There is a link on the page
for downloading these drivers. The suggested driver for Authentec fingerprint readers is AT9.
5 On the confirmation page you will see a list of items to be installed.
6 Click Install to begin the installation. Details of the Workstation installation are the same as described
below in the Local Installation topic.
7 Successful installation requires the presence of a VeriSign Primary PCA Root Certificate (G5). If your
system does not have this certificate, the installation will fail. If it does, see the next topic, Install
VeriSign Primary PCA Root Certificate, and then restart the installation.
8 After the Workstation installation is finished, you will need to restart the computer. After the restart,
installation of any third-party drivers will be started automatically.
Install VeriSign Primary PCA Root Certificate
Note that this is only required if the DigitalPersona Pro client installation fails due to the following error.
1 To install a VeriSign Primary PCA Root Certificate
2 Go to http://www.verisign.com/support/roots.html and click the Download a root package link.
Chapter 3 - Pro Client installation
DigitalPersona Pro Enterprise - Administrator Guide
41
3 Unzip the downloaded file and open the Generation 5 (G5) PCA folder.
4 Launch the file VeriSign Class 3 Public Primary Certification Authority - G5.cer.
5 Select Install Certificate.
6 In the Certificate Import Wizard, select Place all certificates in the following store, and browse to the
Trusted Root Certification Authorities store.
7 Click Next and then click Finish.
Local installation
To install DigitalPersona Pro Workstation for Enterprise on a local computer
1 Launch the installer from the Pro Enterprise Workstation folder of the product package.
For all supported operating systems except Windows XP Embedded and Windows Embedded
Standard 2009, run Setup.exe located in the Client\Pro Enterprise Workstation root folder. Or, for
silent mode, enter set up. exe / s / v / qn at the command line.
On Windows XP Embedded and Windows Embedded Standard 2009 only, run DigitalPersona
Pro Workstation for Enterprise.msi located in the Client\Pro Enterprise Workstation\x86 folder.
In step 5 below, select the Typical installation option.
2 When the Welcome page displays, click Next to proceed with the installation.
3 Read the License Agreement page. If you agree, select the I accept the terms in the license
agreement button and click Next.
4 On the next page, you can specify the folder that DigitalPersona Pro Workstation for Enterprise will be
installed in. If you want to install DigitalPersona Pro to the default location, click Next; otherwise,
click Change to specify a new location and then click Next to continue.
5 On the Choose Installation Mode page, select the operational mode for this installation of the software.
Evaluation mode - All credentials are enrolled on the local machine and do not roam. The
software does not require, and will not connect to, a Pro Enterprise Server.
Standard mode - By default, credentials cannot be enrolled without a connection to a licensed Pro
Enterprise Server. This may be changed by disabling the Allow Pro client to use Pro Server GPO
on the server (see page 113).
The current operational mode is displayed in the About dialog, and a link there allows you to
change the mode.
6 If Standard mode is selected, the Choose Where Biometric Data are stored page displays. This page is
not displayed when installing in Evaluation mode. Select whether to store biometric data remotely (for
use on multiple computers), or locally (for use on this computer only). If a stored locally and a secure
fingerprint reader is used to enroll fingerprints, the fingerprint data will be stored on the reader.
Chapter 3 - Pro Client installation
DigitalPersona Pro Enterprise - Administrator Guide
42
CAUTION: The choice of whether to store biometric data remotely or locally cannot be changed
without uninstalling and reinstalling the client software. Switching from locally stored data to
remotely stored data will also remove any biometric data and Password Manager logon data that
was stored on the computer. When switching from remotely stored data to locally stored data, the
local user will no longer be able to use previously stored biometric data or Password Manager
logons on the local machine.
7 Choose one the following options to indicate the type of installation you want to perform.
Typical - Installs the most commonly used features.
Custom - Allows selection of which features to install. Optional features include binaries
necessary for developers accessing the DigitalPersona Pro API through .NET and COM interfaces.
8 Click Next and then Install, to begin installation.
After the computer restarts, and at every subsequent restart, the DigitalPersona Pro client software
automatically uses the default DNS Server to locate all DigitalPersona Pro Servers for the domain and its
site. If more than one Pro Server is found, the Workstation will choose the Pro Server for authentication
that offers the most efficient connectivity. If no Pro Servers are found, the client will perform
authentication locally.
For instructions on using DigitalPersona Pro Enterprise clients, see page 154.
Command line Installation
DigitalPersona Pro Workstation can also be installed or uninstalled using MSI at the command line.
The syntax of the msi exec command is shown below and is followed by a description of the command line
options, parameters and values available:
msi exec / i set up. msi I NSTALLDI R=[ di r ect or y] ADDLOCAL=[ sof t war e] REMOVE=[ sof t war e]
TRANSFORMS=[ Name of t r ansf or mf i l e] / qn
Command line Options
Parameters
Options Description
/i (Required) Indicates that MSI will be used to install the DigitalPersona Pro
software. It must be followed by the full pathname to the setup.msi file.
/ qn (Optional) Hides the user interface when installing the software on the computer,
allowing a silent install. If used, it is placed at the end of the command line.
Chapter 3 - Pro Client installation
DigitalPersona Pro Enterprise - Administrator Guide
43
Three parameters indicate where the software should be installed on the computer, as well as what
components should be included or removed:
ADDLOCAL and REMOVE Values
The table below lists the values that may be provided with the ADDLOCAL and REMOVE parameters and
provides a description of each value:
Following are a few rules when using these parameters and their values:
If ADD LOCAL or REMOVE are not specified, msiexec will install all DigitalPersona Pro
Workstation features.
Parameters Description
I NSTALLDI R (Optional) Specifies the location where the DigitalPersona Pro Workstation software
should be installed. If a folder is not specified, defaults to:
C: \ Pr ogr amFi l es\ Di gi t al Per sona
ADDLOCAL (Optional) Indicates which DigitalPersona Pro Workstation features to install by
providing one of the values listed below.
REMOVE (Optional) Indicates which DigitalPersona Pro software features to uninstall by
providing one of the values listed below.
TRANSFORMS (Optional) Use the TRANSFORMS command line parameter to specify a UI
language other than U.S. English.You can separate multiple transforms with a
semicolon. Because of this, it is recommended that you do not use semicolons in the
name of your transform, as the Windows Installer service will interpret those
incorrectly. See page 44 for a list of the available transform files for supported
languages.
Values Description
ALL Installs all DigitalPersona Pro software components and features or removes all of
the component and features that are currently installed.
Logon Installs or removes the Windows One Touch Logon feature.
PasswordMgr Installs or removes the Password Manager application.
COM Installs or removes COM components necessary for developing DigitalPersona
client applications using the DigitalPersona Pro SDK.
dotNET Installs or removes .NET components necessary for developing DigitalPersona
client applications using the DigitalPersona Pro SDK.
Chapter 3 - Pro Client installation
DigitalPersona Pro Enterprise - Administrator Guide
44
Individual software features cannot be installed unless the Al l value was used with the ADDLOCAL
parameter first.
To install DigitalPersona Pro Workstation software for the first time while omitting one or more
software features, use ADDLOCAL=ALL, followed by the REMOVE parameter with each software
component you do not want to install separated by a comma. For example;
msi exec / i set up. msi ADDLOCAL=ALL REMOVE=Logon, Passwor dMgr
Installation on Citrix Presentation Server
DigitalPersona Pro Workstation can also be installed on supported Citrix platforms. See the chapter Citrix
and remote installation on page 60 for details.
About Transform files
DigitalPersona uses Transform (.mst) files to create an installation package for DigitalPersona Pro
components in the supported languages listed below. These files are located in the Bin directory of your
product package.
When creating a package for a GPO install, select the Advanced option and then add the transform file
from the Modifications tab. Ensure that the transform file is included in a folder that is shareable by the
Active Directory server computer and all target client computers.
Language Transform file
French 1036.mst
German 1031.mst
Italian 1040.mst
Brazilian Portuguese 1046.mst
Spanish 1034.mst
Chinese Simplified 2052.mst
Chinese Traditional 1028.mst
Japanese 1041.mst
Korean 1042.mst
Chapter 3 - Pro Client installation
DigitalPersona Pro Enterprise - Administrator Guide
45
Uninstalling Pro Workstation
You can remove the DigitalPersona Pro Workstation software using the Add or Remove Programs Control
Panel or through MSI. In the Control Panel, the Workstation software is listed as DigitalPersona Pro
Enterprise version [version number].
Note that when uninstalling through Control Panel and the Uninstallation wizard, you can select whether
or not to save user credentials and logon data. When using MSI in quiet mode, the default behavior is to
delete associated user credentials and logon data.
You must have local administrative privileges to modify installations on the computer.
DigitalPersona Pro Enterprise - Administrator Guide
46
Pro Kiosk installation 4
This chapter provides instructions for installing DigitalPersona Pro Kiosk for Enterprise.
Pro Kiosk uses DigitalPersona Pro Enterprise Servers for user identification and authentication.
DigitalPersona Pro Enterprise Server should be installed and configured before installing Pro Kiosk.
The following topics are covered in this chapter:
System Requirements
Recent changes
Upgrading from Previous Versions
Remote Installation
Local installation
Command line installation
Installation on Citrix Presentation Server
About Transform files
System Requirements
Before installing DigitalPersona Pro Workstation for Enterprise on a computer, make sure it meets the
system requirements listed on page 17.
Recent changes
Changes compared to version 5.2
The current version of Pro Kiosk provides improved functionality and scalability related to Citrix
deployment and RDP access.
Now administrators can deploy multiple kiosks from a Citrix server using different shared accounts for
each kiosk. Credentialed users can log into other kiosk computers in a different OU (using the appropriate
credentials) while retaining the local resources associated with the original kiosk. In prior versions,
logging in to another kiosk replaced any local resources with the resources of the target kiosk. This new
functionality also applies when accessing another kiosk through a Citrix client. See additional information
on page 178.
Changes compared to version 4.4
User identification capabilities were originally available in Pro Kiosk 4.4 through the DigitalPersona Pro
ID Server Add-On Module and a separate edition of the Pro ID Server Kiosk client.
Beginning with DigitalPersona Pro Enterprise 5.x, identification has been integrated into the
DigitalPersona Pro Enterprise Server and the DigitalPersona Pro Kiosk for Enterprise 5.1 client, therefore
Chapter 4 - Pro Kiosk installation
DigitalPersona Pro Enterprise - Administrator Guide
47
a separate ID Server and client are no longer required. However, the GPO setting Perform fingerprint
identification on server must be applied and enabled for any Pro Kiosk clients where fingerprint
credentials will be used.
For optimum performance, identification from a set of more than 10,000 users or 20,000 fingerprint
templates is not recommended. Above these limits, erratic results may occur.
Upgrading from Previous Versions
Before upgrading from a previous version, it is critical that you refer to the DigitalPersona Pro Upgrade
Notes available at http://www.digitalpersona.com/support/reference-material/pro-upgrade-notes/.
Direct upgrades from DigitalPersona Pro for Active Directory versions previous to 4.4.3 are not supported.
If you need to upgrade from a version prior to 4.4.3, you will need to upgrade to Pro 4.4.3 and then upgrade
to Pro Enterprise 5.4. A Migration Guide is available from DigitalPersona or your authorized channel
partner for upgrading from DigitalPersona Pro for Active Directory 4.4.3 to DigitalPersona Pro Enterprise
5.3. Also, make sure to review the readme.txt files included with each component in the product package
that you are installing.
CAUTION: Upgrading the operating system from Windows XP to any later version of Windows will
uninstall DigitalPersona Pro, and it will need to be reinstalled. Any Pro enrolled credentials will be lost as
well. Before upgrading you should use the Backup and Restore feature (page 169) to backup your
DigitalPersona Pro data, and then restore the data after installing DigitalPersona Pro under the new
operating system.
Chapter 4 - Pro Kiosk installation
DigitalPersona Pro Enterprise - Administrator Guide
48
Installation
The following sections provide instructions on installing DigitalPersona Pro Kiosk in a variety of ways.
While not technically part of the installation scenarios described below, the GPO setting Perform
fingerprint identification on server must be applied and enabled for any Pro Kiosk clients where
fingerprint credentials will be used.
Remote Installation
For remote installation of patches, see the next section.
The installer for Pro Kiosk uses Microsoft Windows Installer (MSI) technology, which allows
administrators to remotely install or uninstall the software using Active Directory administration tools, or
other software deployment tools.
Note that this installer only works for computer-based policy installation, not user-based installations.
Prerequisites
Before installing DigitalPersona Pro Kiosk, you must install the following prerequisites.
Windows Management Framework Core package - Includes the following components: Windows
PowerShell 2.0 and Windows Remote Management (WinRM) 2.0. See Windows KB article 968930.
Microsoft .NET Framework version 2.0 or above
Microsoft Visual C++ 2010 SP1 Redistributable package
Installing Pro Kiosk
To install Pro Kiosk remotely through Active Directory use the following procedure. Some steps will vary
depending on the operating system version.
For mixed 32- and 64-bit environments, follow these steps twice to create an administrative installation
file for each environment.
1 Create an administrative installation package.
a. Open a command prompt session and change the directory to DigitalPersona Pro Kiosk for
Enterprise\x86 on 32-bit operating systems or DigitalPersona Pro Kiosk for Enterprise\x64 on
64-bit operating systems.
b. Type set up. exe / a
c. A wizard displays and prompts you for a location where you would like the administrative
installation file to be created. Choose a network shared drive that will be accessible to the
computers where you will be installing the software. For example \\servername\InstallDir, where
InstallDir is a predefined shared folder. (There is no need to reboot at the end of the wizard.)
2 Create a Group Policy Object (GPO) that will be used to distribute the software package.
Chapter 4 - Pro Kiosk installation
DigitalPersona Pro Enterprise - Administrator Guide
49
a. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to
Administrative Tools, and then click Active Directory Users and Computers.
b. On the context menu of an organizational unit, click Create and link a GPO ..., right-click the
new GPO and click Edit.
c. Under Computer Configuration, expand Software Settings.
d. Right-click Software installation, point to New, and then click Package.
e. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared
installer package that you want. For example, \\servername\InstallDir\ProKiosk.msi. It is
important that you do not use the Browse button to access the location. Make sure that you use the
UNC path of the shared installer package.
f. Click Open.
g. Click Assigned, and then click OK. The package is listed in the right-pane of the Group Policy
window.
h. For 32-bit installation packages only - Right-click the newly created package and select Properties.
Then, on the Deployment tab, click Advanced. Deselect the checkbox Make this 32-bit X86
application available on Win64 machines. If this checkbox remains selected, the application will
not install.
i. Close the Group Policy snap-in, click OK, and then close the Active Directory Users and
Computers snap-in.
3 Installation will begin on each client during the first reboot after the computer obtains the deployment
policy, i.e. during the next scheduled AD policy refresh or as a result of running GPUPDATE /FORCE
on the local computer.
Remote installation for patches
This topic addresses the remote installation of client patches through slipstreaming. For standard product
installation, see the preceding topic.
The installer for Pro Kiosk uses Microsoft Windows Installer (MSI) technology, which allows
administrators to remotely install patches to software using Active Directory administration tools, or other
software deployment tools.
For mixed 32- and 64-bit environments, follow these steps twice - patching the administrative installation
files for both environments. Note that this installer only works for computer-based policy installation, not
user-based.
To install a Pro Kiosk patch remotely through Active Directory, use the following procedure. The
following steps assume that an administrative install has been created as described in the previous topic.
Some steps will vary depending on the operating system version.
Chapter 4 - Pro Kiosk installation
DigitalPersona Pro Enterprise - Administrator Guide
50
1 Update the installation package.
Open a command prompt session and type the following command to patch the previously created
installation package.
msi exec. exe / p [ pat h\ name of updat ed MSP f i l e] \ / a [ pat h\ name of admi ni st r at i ve
i nst al l at i on f i l e] .
2 Redeploy the aplication.
a. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to
Administrative Tools, and then click Active Directory Users and Computers.
b. Right-click the GPO that governs the computers you want to update and select Edit.
c. Navigate to Comput er Conf i gur at i on/ Pol i ci es/ Sof t war e Set t i ngs/ Sof t war e
I nst al l at i on.
d. Right-click the Pro client software name and select All Tasks\Redeploy application. Confirm
your intent to redeploy the application.
3 Installation will begin on each client during the first reboot after the computer obtains the deployment
policy, i.e. during the next scheduled AD policy refresh or as a result of running GPUPDATE\FORCE
on the local computer.
Local installation
To install DigitalPersona Pro Kiosk for Enterprise locally
1 Launch the installer from the Pro Enterprise Kiosk folder of the product package.
For all supported operating systems except Windows XP Embedded and Windows Embedded
Standard 2009, run Setup.exe located in the Pro Enterprise Kiosk root folder. Or, for silent mode,
enter set up. exe / s / v / qn at the command line.
On Windows XP Embedded and Windows Embedded Standard 2009 only, run DigitalPersona
Pro Kiosk for Enterprise.msi located in the Pro Enterprise Kiosk/x86 folder. In step 5 below,
select the Typical installation option.
2 When the Welcome page displays, click Next to proceed with the installation.
3 Read the License Agreement page. If you agree, select the I accept the terms in the license
agreement button and click Next.
4 On the next page, you can specify the folder that Pro Enterprise Kiosk will be installed in. If you want
to install to the default location, click Next; otherwise, click Change to specify a new location and
then click Next to continue.
5 Choose one of the following options to indicate the type of installation you want to perform.
Chapter 4 - Pro Kiosk installation
DigitalPersona Pro Enterprise - Administrator Guide
51
Typical - Installs the most commonly used features.
Custom - Allows selection of which features to install.
6 Click Next and then Install, to begin installation.
After the computer restarts, and at every subsequent restart, Pro Kiosk automatically uses the default DNS
Server to locate all DigitalPersona Pro Servers for the domain and its site. If more than one Pro Server is
found, Pro Kiosk will choose the Pro Server for authentication that offers the most efficient connectivity. If
no Pro Servers are found, the client will perform authentication locally. For instructions on using Pro
Kiosk, see page 173.
Chapter 4 - Pro Kiosk installation
DigitalPersona Pro Enterprise - Administrator Guide
52
Command line installation
DigitalPersona Pro Kiosk can also be installed or uninstalled using MSI at the command line.
The syntax of the msi exec command is shown below and is followed by a description of the command line
options, parameters and values available:
msi exec / i set up. msi I NSTALLDI R=[ di r ect or y] ADDLOCAL=[ sof t war e] REMOVE=[ sof t war e]
TRANSFORMS=[ Name of t r ansf or mf i l e] / qn
Command line Options
There are one required and one optional command line options:
Parameters
Three parameters indicate where the software should be installed on the computer, as well as what
components should be included or removed:
Options Description
/i (Required) Indicates that MSI will be used to install the DigitalPersona Pro
software.
It must be followed by the path to, and the name of, the .msi file (setup.msi) that
contains the software to install.
/ qn (Optional) Hides the user interface when installing the software on the computer,
allowing a silent install.
If used, it is placed at the end of the command line.
Parameters Description
I NSTALLDI R (Optional) Specifies the location where the software should be installed. If a folder
is not specified, defaults to:
C: \ Pr ogr amFi l es\ Di gi t al Per sona
ADDLOCAL (Optional) Indicates which Pro Kiosk features to install by providing one of the
values listed below.
REMOVE (Optional) Indicates which Pro Kiosk features to uninstall by providing one of the
values listed below.
Chapter 4 - Pro Kiosk installation
DigitalPersona Pro Enterprise - Administrator Guide
53
ADDLOCAL and REMOVE Values
The table below lists the values that may be provided with the ADDLOCAL and REMOVE parameters and
provides a description of each value:
Following are a few rules when using these parameters and their values:
If ADD LOCAL or REMOVE are not specified, msiexec will install all Pro Kiosk features.
Individual software features cannot be installed unless the Al l value was used with the ADDLOCAL
parameter first.
To install Pro Kiosk software for the first time while omitting one or more software features, use
ADDLOCAL=ALL, followed by the REMOVE parameter with each software component you do not want to
install separated by a comma. For example;
msi exec / i set up. msi ADDLOCAL=ALL REMOVE=Logon, Passwor dManager
Installation on Citrix Presentation Server
DigitalPersona Pro Kiosk for Enterprise may also be installed on Citrix Presentation Server. See the
chapter Citrix and remote installation on page 60 for details.
TRANSFORMS (Optional) Use the TRANSFORMS command line parameter to specify a UI
language other than U.S. English.You can separate multiple transforms with a
semicolon. Because of this, it is recommended that you do not use semicolons in
the name of your transform, as the Windows Installer service will interpret those
incorrectly. See page 54 for a list of the available transform files for supported
languages.
Values Description
ALL Installs all Pro Kiosk components and features or removes all of the
component and features that are currently installed.
Logon Installs or removes the Windows Logon feature.
Password Manager Installs or removes the Password Manager application.
COM Installs or removes COM components necessary for developing
DigitalPersona client applications using the DigitalPersona Pro SDK.
dotNET Installs or removes .NET components necessary for developing
DigitalPersona client applications using the DigitalPersona Pro SDK.
Parameters Description
Chapter 4 - Pro Kiosk installation
DigitalPersona Pro Enterprise - Administrator Guide
54
About Transform files
DigitalPersona uses Transform (.mst) files to create an installation package for DigitalPersona Pro
components in the supported languages listed below. These files are located in the Bin directory of your
product package.
When creating a package for a GPO install, select the Advanced option and then add the transform file
from the Modifications tab. Ensure that the transform file is included in a folder that is shareable by the
Active Directory server computer and all target client computers.
Language Transform file
French 1036.mst
German 1031.mst
Italian 1040.mst
Brazilian Portuguese 1046.mst
Spanish 1034.mst
Chinese Simplified 2052.mst
Chinese Traditional 1028.mst
Japanese 1041.mst
Korean 1042.mst
DigitalPersona Pro Enterprise - Administrator Guide
55
Optional installations 5
The following optional DigitalPersona Pro Enterprise components are not automatically installed as part of
either the DigitalPersona Pro Enterprise Server or client installations.
There are two categories of optional components, those included in the DigitalPersona Pro Enterprise
product package, and those available as a separate package.
Included in product package
Suite installers
Your product package includes two suite installers, that install more than one component through a single
installation file.
Administration suite - Installs the DigitalPersona Pro Administration Tools (see below) and the Remote
License Tool, used to activate User licenses on computers without internet access.
Client suite - Installs either DigitalPersona Pro Workstation for Enterprise or Kiosk for Enterprise, and
selected third-party drivers.
Administration Tools
Those tools shown in the following illustration are part of a separate installation package included in the
DigitalPersona Pro Enterprise product package.
These Administration Tools may be installed on a single workstation for centralized administration of
DigitalPersona Pro for Active Directory, or for larger organizations, each tool may be installed on a
separate workstation in order to divide the administration of various features among several people.
Chapter 5 - Optional installations
DigitalPersona Pro Enterprise - Administrator Guide
56
DigitalPersona Pro Workstation for Enterprise must be installed on the computer before the Administration
Tools can be installed.
By default, all Administration Tools are installed. Select Custom Setup to deselect any tools you do not
wish to install.
License Activation Manager
To install the License Activation Manager
1 Locate and launch the setup.exe located in the Pro Enterprise Server\Pro Administration Tools folder
of the DigitalPersona Pro Enterprise product package.
2 Select Complete or Custom installation. To install only the License Activation Manager, select
Custom and deselect all other administrative tools.
3 Click Next, and then click Install. Follow the onscreen instructions.
For a description of the features available through this snap-in, see page 67.
Users and Computers Snap-In
(Requires Windows Server 2008 and the Windows Server 2008 Remote Server Administration Tools, or
Windows Server 2003 and the Windows Server 2003 Administration Tools Pack.)
To install snap-in
1 Locate and launch the setup.exe located in the Pro Enterprise Server\Pro Administration Tools folder
of the DigitalPersona Pro Enterprise product package.
2 Select Complete or Custom installation. To install only the Users and Computers Snap-in, select
Custom and deselect all other administrative tools.
3 Click Next, and then click Install.
For a description of the features available through this snap-in, see page 82.
Attended Enrollment Tool
Attended Enrollment provides a means for an administrator to supervise the enrollment of user credentials
instead of allowing users to enroll the credentials themselves. This feature is automatically installed and
accessible through the ADUC snap-in as part of the DigitalPersona Pro Server installation.
The Attended Enrollment Tool provides the same functionality that is available through the Snap-in, but as
a standalone executable.
To install the Attended Enrollment Tool
1 Locate and launch the setup.exe located in the Pro Enterprise Server\Pro Administration Tools folder
of the DigitalPersona Pro Enterprise product package.
Chapter 5 - Optional installations
DigitalPersona Pro Enterprise - Administrator Guide
57
2 Select Complete or Custom installation. To install only the Attended Enrollment Tool, select Custom
and deselect all other administrative tools.
3 Click Next, and then click Install.
For a description of the features available through this tool, see page 94.
User Query Tool Snap-in
Use of the User Query Snap-in requires a licensed copy of DigitalPersona Pro Workstation, and the logged
on user must have domain administrator privileges.
To install the DigitalPersona User Query Snap-in
1 Locate and launch the setup.exe located in the Pro Enterprise Server\Pro Administration Tools folder
of the DigitalPersona Pro Enterprise product package.
2 Select Complete or Custom installation. To install only the User Query Snap-in, select Custom and
deselect all other administrative tools.
3 Click Next, and then click Install.
For a description of the features available through this tool, and additional implementations of the tool, see
page 86.
GPMC Extensions
DigitalPersona Pro Enterprise Server and its associated workstation clients use GPMC extensions,
installed under the Software Settings and Administrative Templates nodes, to link product policies and
settings to Active Directory containers. These policies and settings are described in the chapter, Policies
and Settings on page 99.
To install the DigitalPersona GPMC Extensions
1 Locate and launch the setup.exe located in the Pro Enterprise Server\Pro Administration Tools folder
of the DigitalPersona Pro Enterprise product package.
2 Select Complete or Custom installation. To install only the GPMC Extensions, select Custom and
deselect all other administrative tools.
3 Click Next, and then click Install.
For a description of the features available through this component, see page 130.
Defender
To install the Defender Server and administrator components, refer to the Defender Quick Start Guide
located in the Pro Enterprise Server\Docs folder of the DigitalPersona Pro Enterprise product package.
Additional documentation is available in the installation folder after the product is installed.
Video tutorials are also provided on our website at:
Chapter 5 - Optional installations
DigitalPersona Pro Enterprise - Administrator Guide
58
http://www.digitalpersona.com/enterprise/resources/how-to-videos/enterprise
For a description of the features made available through use of DigitalPersona Defender with
DigitalPersona Password Manager, see the Password Manager Application Guide.
Separate product packages
The following security applications and modules are separately licensed and installed.
Password Manager Admin Tool
The Password Manager Admin Tool is used by DigitalPersona Pro administrators to create automated
managed logons for websites, applications and network resources. For complete product descriptions and
installation instructions, see the associated Password Manager Application Guide on our website at:
http://www.digitalpersona.com/Support/Reference-Material/DigitalPersona-Pro-Reference-Material-Guides
Extended Server Policy Module (ESPM)
The DigitalPersona ESPM adds additional per-user policy settings to Active Directory. For a description of these
settings, see page 152.
To install the Extended Server Policy Module
1 Copy the package received from DigitalPersona, your channel partner or reseller to the computer
where DigitalPersona Pro Server is installed, or any Active Directory-aware computer that will be used
to administer the DigitalPersona Pro Server.
2 Launch the installer by clicking setup.exe, and follow the onscreen instructions.
3 Licensing is included in the product purchase. No additional entry of a license number is required.
Pro Cogent FR Plugin
The Pro Cogent FR Plugin installs Face Recognition for DigitalPersona Pro. This program adds support to
DigitalPersona Pro Enterprise Workstation for facial recognition, i.e. a Face credential, that may be used
for authentication during Windows logon, for session authentication and when using Password Manager
managed or personal logons. Note that the Face credential cannot be used as the sole credential for
authentication, but must be used in combination with another supported credential.
To install the Pro Cogent FR Plugin
1 Copy the package received from DigitalPersona, your channel partner or reseller to a computer where
DigitalPersona Pro Enterprise Workstation is already installed.
2 Launch the installer by clicking setup.exe, and follow the onscreen instructions.
Chapter 5 - Optional installations
DigitalPersona Pro Enterprise - Administrator Guide
59
3 After installation, launch the DigitalPersona Pro user dashboard. Click Credentials, Face. Then click
Start Trial to begin a 60-day trial period, or enter your user name and the license number you received
with your purchase of the product.
For instructions on enrolling your Face credential, see page 162.
DigitalPersona Pro Enterprise - Administrator Guide
60
Citrix and remote installation 6
Overview
DigitalPersona Pro Enterprise Server includes support for accessing DigitalPersona Pro Workstation for
Enterprise and Pro Kiosk clients through Windows Terminal Services (including Remote Desktop
Connection), and through the Citrix XenApp and XenDesktop solutions.
When DigitalPersona Pro Workstation for Enterprise or Pro Kiosk are accessed remotely, the
fingerprint reader attached to a local Workstation or Kiosk can be used to access all DigitalPersona Pro
Workstation for Enterprise or Pro Kiosk features on the remote computer. See Redirect fingerprint
data on page 108. Also see the NOTE below.
When using DigitalPersona Pro Workstation for Enterprise or Pro Kiosk remotely, the remote
computer is locked to prevent interruption of your session.
When completing a Terminal Services session, use "Log Off" to close the session; use "Disconnect" or
"Shutdown", or the Close Window icon to leave your session active.
Multiple installations of DigitalPersona Pro Kiosk may be served from a Citrix server, with each kiosk
using a different shared-user account.
For additional information on Citrix deployment scenarios and Citrix-specific features, see Citrix
Deployment Scenarios on page 200.
NOTE: By default, the Remote Desktop Protocol (RDP) is not enabled on any Microsoft operating system
version. The use of Microsoft Remote Desktop entails opening a port in your firewall and thus creates a
security vulnerability. For more information on this vulnerability, see the Microsoft Security Bulletin
MS05-041 (http://www.microsoft.com/technet/security/Bulletin/MS05-041.mspx).
Installation on Citrix solutions
DigitalPersona Pro Workstation for Enterprise and Kiosk for Enterprise may be installed and run on the
Citrix XenApp and XenDesktop virtualization platforms.
At the time of release, support for the Citrix platform includes
Citrix XenApp (server) 6.5
Citric XenDesktop
Citrix Receiver 3.1.0 and 3.2.0
Citrix online plug-in 11 and 12
For updated information on supported versions and clients, see the readme.txt file in the DigitalPersona
product package.
Chapter 6 - Citrix and remote installation
DigitalPersona Pro Enterprise - Administrator Guide
61
Installation & Configuration
The following instructions assume that Citrix has been installed and configured prior to installing the
DigitalPersona Pro client. For instructions on installing Citrix AFTER a Pro client has been installed, see
Installing Citrix support after DigitalPersona Pro client installation on page 62.
To configure a DigitalPersona Pro client for Citrix support:
1 Install the DigitalPersona Pro client on the Citrix XenApp server that your Citrix client connects to and
on the client computer.
2 Add or modify the following registry value on the XenApp server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
Value Name: LogoffCheckSysModules
Type: REG_SZ
String: DPAgent.exe
3 In Active Directory, apply the DigitalPersona Pro Administrative Template (DPPro5Client) to a GPO
governing the client computer (or apply it to a local policy object on the client computer).
4 In the GPO, enable the "Redirect fingerprint data" setting (page 108).
For Citrix published applications -
1 On the Citrix XenApp server, create a new file called usrlogn1.cmd.
2 Create a new file in %systemroot%\application compatibility scripts\logon with a filename such as
dplauncher.cmd.
3 Add the following line to your dplauncher.cmd file.
St ar t / d c: \ pr ogr amf i l es\ di gi t al per sona\ bi n\ dpagent . exe
4 Add the following line to your usrlogn1.cmd file.
Cal l dpl auncher . cmd
The above procedure is based on the fact that by default, usrlogon.cmd goes into the
%systemroot%\application compatibility scripts\logon directory, and executes usrlogn1.cmd first, and
when it completes, it executes usrlogn2.cmd. Neither usrlogn1.cmd nor usrlogn2.cmd exist by default, but
they are checked for and executed if found.
Also, the usrlogon.cmd exists in a plain TS/RDS environment also.
On a Win7/Win2k8R2 system, the usrlogon file is protected from modification by default, and you will
have to take ownership of it, and change the permission to edit it.
Also, very typically, usrlogon.cmd will fail at the _setpaths.cmd phase very early on, so I typically
comment out the if _setpaths == FAIL statement so that it does not take affect.
Chapter 6 - Citrix and remote installation
DigitalPersona Pro Enterprise - Administrator Guide
62
Finally, on some versions of TS the usrlogon is specified in AppSetup, and in some it is specified in
UserInit. However, the Citrix install will typically insert ctxhide.exe in front of it, which will prevent it
from running the majority of the time (it is known to have serious bugs). Just removing that ctxhide.exe is
a huge help.
Disabling automatic client updates
It is possible that a Citrix update to the client could interfere with DigitalPersona Pro Enterprise
functionality. To prevent this from happening, you may want to disable the automatic updating of clients
from either the client or server machine.
Option 1
1 From the client machine, run Remote Application Manager and deselect Allow Automatic Client
Updates.
2 From the server machine, use the ICA Client Configuration Update Utility to disable automatic client
updates for each product/client model you want to protect.
Option 2
Alternatively, you can modify the client database so that your modifications are in the updated client.
The client database is installed in the %SystemRoot%\Ica\ClientDB directory. Each product/model
combination has a separate directory.
See the MetaFrame XP Server Administrators Guide for more information about Client Auto Update.
Installing Citrix support after DigitalPersona Pro client installation
If Citrix was not present prior to installing DigitalPersona Pro Workstation, files necessary to support
Citrix will not be installed.
To install Citrix support files after installing or reinstalling a DigitalPersona Pro client, perform one of the
following steps after the Pro installation.
1 Select DigitalPersona Pro Workstation in the Windows Control Panel list of programs and run Repair.
2 Or, locate the DPICACnt.dll file in the "Misc\Citrix Support" folder of the DP Product package, and
copy it to the folder on the client computer where the Citrix client components are located (i.e. for the
Program Neighborhood client it might be the "Program Files\Citrix\ICA Client" folder). Then, in the
Run box, using the regsvr32.exe program, register the DPICACnt.dll library. Example: regsvr32
<$FilePath\DPICACnt.dll>.
3 If you have several Citrix clients installed on a computer, deploy the DPICACnt.dll library to the Citrix
client folder for each client to be used with DigitalPersona Pro software.
In all of the above cases, you must reboot the computer in order for the changes to take effect.
Chapter 6 - Citrix and remote installation
DigitalPersona Pro Enterprise - Administrator Guide
63
For additional information on typical Citrix deployment scenarios, see the chapter Citrix Deployment
Scenarios on page 200.
DigitalPersona Pro Enterprise - Administrator Guide
64
Section Two: Administration
Section Two of the DigitalPersona Pro Enterprise Administrator Guide includes the following chapters.
Chapter Title Purpose Page
7 - Administration overview Describes the types of tools and utilities available for
administration of DigitalPersona Pro Enterprise.
65
8 - License Management Describes the types of licenses available, the license
activation process, and the information provided to
administrators for managing their licenses.
67
9 - ADUC Snap-in Describes the user properties settings, user object commands
and computer object commands that are added to Active
Directory by the installation of the ADUC Users and
Computers Snap-in.
82
10 - Attended Enrollment Describes the Attended Enrollment feature, which allows the
supervised enrolling of user credentials.
94
11 - Policies and Settings Defines the policies and settings that govern Pro Enterprise
Servers and clients.
99
12 - Single Sign-On Describes how to implement a Single Sign-On (SSO) policy
in the enterprise.
129
13 - GPMC Extensions Describes use of the DigitalPersona GPMC Extensions that
enable configuration of DigitalPersona Pro Enterprise
policies and settings.
130
14 - Recovery Describes the user and computer recovery options made
available through DigitalPersona Pro Enterprise.
134
15 - DigitalPersona Reporter Describes DigitalPersona Reporter, a tool for aggregating
and reporting on Pro Enterprise events generated by Pro
Enterprise Server and clients.
136
16 - Pro Enterprise Events Lists and describes the events that DigitalPersona Pro
Enterprise writes to the Windows Event log.
145
17 - Extended Server Policy
Module
Describes a separately purchased and installed server module
that adds additional per user policies to the DigitalPersona
tab in the AD user Properties tab.
145
18 - Utilities Describes additional utilities provided within the
DigitalPersona Pro Enterprise product package.
153
DigitalPersona Pro Enterprise - Administrator Guide
65
Administration overview 7
DigitalPersona Pro for Active Directory provides a full complement of features, tools and utilities to assist
the administrator in managing various aspects of the product, as well as expanding the functionality of the
product.
Some of these tools and utilities are included in the product packages for either DigitalPersona Pro Server
or Workstation. Others are available as separate modules, which may be obtained from your
DigitalPersona Account Manager or product Reseller.
The following chapters of the Administrator Guide describe each of these administrator tools.
Administration Tools package
Those tools shown in the illustration below are part of a separate installation package included in the
DigitalPersona Pro Enterprise product package. These Administration Tools may be installed on a single
workstation for centralized administration of DigitalPersona Pro Enterprise, or for larger organizations,
each tool may be installed on a separate workstation in order to divide the administration of various
features among several people.
CAUTION: The Administration Tools should not be installed on a computer until after the DigitalPersona
Domain Active Directory Domain Configuration Wizard has been run. Also, when installing the
Chapter 7 - Administration overview
DigitalPersona Pro Enterprise - Administrator Guide
66
Administration Tools on systems where Pro 5.0x or 5.1x were previously installed, the current version of
the Domain Configuration Wizard must be run prior to installing the Administration Tools.
To install the DigitalPersona Administration Tools, do one of the following.
Locate and double-click the setup.exe file located in the Administration Tools directory of the product
package. Follow the instructions in the installer wizard. Select Custom to choose which tools to
install. Press the down arrow to select installation options for a component.
For silent installation, use the syntax shown below to install all tools or remove those you do not want
to install. For example, to install only the Attended Enrollment Tool:
msiexec /i setup.msi ADDLOCAL=ALL REMOVE=LicenseControlManager,UsersComputersSnapin,UserQuerySnapin
In the Client folder of the software package, run Setup.exe. Click Next and select the product to install
(Pro Administration Tools or the Remote License Tool). Click Install.
DigitalPersona Pro Enterprise - Administrator Guide
67
License Activation & Management 8
This chapter covers the following topics.
Activation and management of DigitalPersona Pro 5.4 and above licenses is provided through the two
license management tools described below.
Note that Client Licenses are no longer used in the current version of DigitalPersona Pro Enterprise. For
instructions on installing Client Licenses for Pro 5.3, see page 73 and following.
License Activation Manager - Used to activate Pro Enterprise User licenses through Active Directory.
Remote License Tool - Used for activating Pro Server User licenses for a computer that is not connected
to the internet through another computer that has an internet connection. This tool can be found in the
product package.
IMPORTANT: Any activation of DigitalPersona Pro User Licenses (from the Pro Server or when
activating a license through the Remote License Tool), requires access to the following URL: https://
solo.digitalpersona.com. This URL is also accessed when verifying licenses from the link in the Active
Directory GPME License Properties dialog for the DigitalPersona Pro Server.
Topics Page
License Activation Manager 68
Pro Enterprise Server activation 69
Server activation from another computer 71
Package or component activation (v 5.3 only) 73
You can release the DigitalPersona license associated with a user
back to the license pool through the Delete command in the
DigitalPersona ADUC Snap-in. See page 84 for further details.
81
Chapter 8 - License Activation & Management
DigitalPersona Pro Enterprise - Administrator Guide
68
License Activation Manager
License Activation Manager is a separately installed DigitalPersona administration tool. It provides an
Active Directory-based means of installing licenses for DigitalPersona Pro User licenses, and provides
some basic information about them. For instructions on installing this component, see page 56.
After installation of the License Activation Manager, two new License Group Policy Objects are added
to Active Directory, Computer Configuration\Policies\Software Settings. Once under DigitalPersona Pro
Client and another under DigitalPersona Pro Enterprise Server. Client licenses are only used with versions
of DigitalPersona Pro clients prior to 5.4. See page 74 for further details.
Chapter 8 - License Activation & Management
DigitalPersona Pro Enterprise - Administrator Guide
69
License activation
The Pro Server User License is issued in a single DigitalPersona License file with an extension of .dplic,
and activated by the administrator through the Active Directory Group Policy Management Editor.
If you need to activate a Pro Server that is not connected to the internet, see page 71.
Pro Enterprise Server activation
In most cases, you will activate your Pro Enterprise Servers over the internet through Active Directory and
the DigitalPersona Activation wizard.
To activate a DigitalPersona Pro Enterprise User license
1 In the Group Policy Management Editor, navigate to: Computer Configuration, Policies, Software
Settings, DigitalPersona, Licenses.
2 Right-click on Pro Enterprise Server\Licenses and select Add license.
3 When the DigitalPersona Activation wizard displays, click Next.
Chapter 8 - License Activation & Management
DigitalPersona Pro Enterprise - Administrator Guide
70
4 Select the option to I want to activate the software over the Internet.
5 On the next page, browse to the License Activation (.dplic) file provided with your purchase. Or, if you
have a License ID and password instead, click the Use License ID ... link to enter them.
6 Click Next. Upon successful activation, a confirmation dialog will display.
Chapter 8 - License Activation & Management
DigitalPersona Pro Enterprise - Administrator Guide
71
Server activation from another computer
If your Pro Enterprise Server does not have access to the internet, you can activate it remotely through the
use of any computer that has internet access.
This procedure will use the DP License (.dplic) file and associated password provided with your purchase
to generate an Activation Request (.xml) file on the Pro Server computer. This file is then copied to a
computer with internet access and used to generate an Activation Response (.xml) file. Finally, this file is
used on the original Pro Server computer to activate the Pro Enterprise Server license.
To remotely activate a DigitalPersona Pro Enterprise User license
1 In the Group Policy Management Editor, navigate to Computer Configuration, Policies, Software
Settings, DigitalPersona Pro Enterprise Server, Licenses.
2 Right-click on Licenses and select Add license.
3 When the DigitalPersona Activation wizard displays, click Next.
4 Select the option to activate the software from another computer.
Chapter 8 - License Activation & Management
DigitalPersona Pro Enterprise - Administrator Guide
72
5 On the next page, browse to the License Activation (.dplic) file provided with your purchase, and enter
the associated password. If you have a License ID and password instead, click the Use License ID ...
link to enter them.
6 Save the resulting Activation Request (.xml) file to a shared directory or device that can be accessed
from a computer with an internet connection.
7 On any internet-enabled computer, install and run the DigitalPersona Remote License Tool. The
default installation target directory is Program Files\DigitalPersona\Remote License Tool and the
filename is DP RemoteLicenseTool.exe.
8 In the Remote License Tool, enter, or Browse to, the location of the Activation Request file saved in
step 6 above.
9 Select the location where you want to save the Activation Response (.xml) file to, and click Next.
10 On the Verify Product Licenses page, click Next. Then click Next on the Product Activated page.
11 When activation is reported as successful, click Finish.
12 On the unconnected computer, select the option I want to finalize software activation ....
13 Browse to the location of the Activation Response file (specified in step 9 above).
14 On the Verify Product Licenses page, click Next. Then click Next on the Product Activated page.
15 Upon successful activation, a confirmation dialog will display.
Chapter 8 - License Activation & Management
DigitalPersona Pro Enterprise - Administrator Guide
73
Package or component activation (v 5.3 only)
In most cases, you will activate your Pro Enterprise Package or specific component licenses over the
internet through Active Directory using the License Activation Manager and the DigitalPersona Activation
wizard. On computers with no internet connection, your package or component licenses may also be
activated remotely through any internet-connected computer (see the topic beginning on page 74).
To activate a DigitalPersona Pro Enterprise Package or component license
1 In the Group Policy Management Editor, navigate to [domain, site or OU], Computer Configuration,
Policies, Software Settings, DigitalPersona Pro Client, Licenses.
2 Right-click on Licenses and select Add license.
3 When the DigitalPersona Activation wizard displays, click Next.
Chapter 8 - License Activation & Management
DigitalPersona Pro Enterprise - Administrator Guide
74
4 Select the option I want to activate the software over the Internet.
5 Browse to the DigitalPersona License (.dplic) file provided with your purchase and enter the
associated password. If instead, you have a License ID and password, click the provided link to enter
them.
6 Click Next. Upon successful activation, a confirmation dialog will display.
Client licenses for individual workstations and features will be activated when clients access the Pro
Enterprise Server. If it appears that the software has not been activated, you can run GPUPDATE/FORCE
from the command line or Run box to force updating of any changed policies (including licensing) on the
computer.
Package activation from another computer (v5.3 only)
If your Pro Enterprise client does not have access to the internet, you can activate Enterprise Packages or
component\feature licenses through any internet-enabled computer. This procedure will generate an
Activation Request (.xml) file that you take to an internet-enabled computer to activate the license. Then
you can used the generated License Activation (.dplic) file on the original client to activate client,
component or feature licenses.
Chapter 8 - License Activation & Management
DigitalPersona Pro Enterprise - Administrator Guide
75
To activate a DigitalPersona Pro Enterprise Package or component license from another computer
1 In the Group Policy Management Editor, navigate to Computer Configuration, Policies, Software
Settings, DigitalPersona Pro Client, Licenses.
2 Right-click on Licenses and select Add license.
3 When the DigitalPersona Activation wizard displays, click Next.
4 Select the option to activate the software from another computer.
Chapter 8 - License Activation & Management
DigitalPersona Pro Enterprise - Administrator Guide
76
5 On the next page, browse to the License Activation (.dplic) file provided with your purchase. Or, if you
have a License ID and password instead, click the provided link to enter them.
6 Save the resulting Activation Request (.xml) file to a shared directory or device that can be accessed
from a computer with an internet connection.
7 On any internet-enabled computer, install and run the DigitalPersona Remote License Tool.The
default installation target directory is Program Files\DigitalPersona\Remote License Tool and the
filename is DP RemoteLicenseTool.exe.
8 Browse to the location of the Activation Request file saved in step 6.
9 Select the location where you want to save the Activation Response file to, and click Next.
10 On the Verify Product Licenses page, click Next. Then click Next on the Product Activated page.
11 When activation is reported as successful, click Finish.
12 On the original unconnected computer, select the option I want to finalize software activation ....
13 Browse to the location of the Activation Response file from step 9 above.
14 On the Verify Product Licenses page, click Next. Then click Next on the Product Activated page.
15 Upon successful activation, a confirmation dialog will display.
Activation on the local workstation (v5.3 only)
In some situations, you may see the following dialog, indicating that a component or feature has not been
activated on a client workstation. This may be the case if
the number of seats in your license has been exceeded, or
your Enterprise Package license has not been activated yet on the Pro Enterprise Server, or
Chapter 8 - License Activation & Management
DigitalPersona Pro Enterprise - Administrator Guide
77
the computer has not received activation information from the Pro Enterprise Server, generally because
GPO settings have not yet been refreshed since activation on the Pro Enterprise Server.
In any of the above scenarios, you can activate the license for the computer (either a current or newly
acquired license) from this dialog, or from the About dialog in the workstation client.
1 Click the Activate product now link to enter your license information.
2 When the DigitalPersona Activation Wizard displays, click Next.
3 Select the option to I want to activate the software over the Internet.
Chapter 8 - License Activation & Management
DigitalPersona Pro Enterprise - Administrator Guide
78
4 Browse to the DigitalPersona License (.dplic) file provided with your purchase, and click Next.
Upon successful activation, a confirmation dialog will display. After activation, licensing information is
shown in the About dialog, accessible from within the client dashboard.
Chapter 8 - License Activation & Management
DigitalPersona Pro Enterprise - Administrator Guide
79
Activation of the local client from another computer (v5.3 only)
Pro Enterprise clients that are not part of the domain, or are not connected to the internet, may be
activated on another internet-enabled computer through the DigitalPersona Activation Wizard.
To remotely activate a Pro Enterprise client license
1 In the user dashboard About box or the unlicensed product warning, click the License Activation link.
2 When the DigitalPersona Activation wizard displays, click Next.
3 Select the option to activate the software from another computer.
4 On the next page, browse to the License Activation (.dplic) file provided with your purchase, and enter
the associated password. Or, if you have a License ID and password instead, click the provided link to
enter them.
Chapter 8 - License Activation & Management
DigitalPersona Pro Enterprise - Administrator Guide
80
5 Save the resulting Activation Request (.xml) file to a shared directory or device that can be accessed
from a computer with an internet connection.
6 On the internet-enabled computer, install and run the DigitalPersona Remote License Tool.The default
installation target directory is Program Files\DigitalPersona\Remote License Tool and the filename is
DP RemoteLicenseTool.exe.
7 Browse to the location of the Activation Request file from step 5.
8 On the next page, select the location where you want to save the Activation Response (.xml) file to, and
click Next.
9 On the Verify Product Licenses page, click Next. Then click Next on the Product Activated page.
10 When activation is reported as successful, click Finish.
11 On the unconnected computer, select the option I want to finalize software activation....
12 Enter, or Browse to, the location of the Activation Response file from step 8 above.
13 On the Verify Product Licenses page, click Next. Then click Next on the Product Activated page.
14 Upon successful activation, a confirmation dialog will display.
Chapter 8 - License Activation & Management
DigitalPersona Pro Enterprise - Administrator Guide
81
Releasing user licenses (v5.4.1+)
You can release the DigitalPersona license associated with a user back to the license pool through the
Delete command in the DigitalPersona ADUC Snap-in. See page 84 for further details.
Deactivating client licenses (v5.3 only)
Occasionally, you may need to deactivate a client license on a computer in order to use the license on a
different computer.
To deactivate a client license
1 In the About dialog on the client workstation, right-click on the component that you want to deactivate
and select Deactivate the product now.
2 The icon to the left of the component name will display an X, indicating that the component has been
deactivated.
3 If the computer is connected to the internet, the licenses available as shown on the Customer Service
Portal will be incremented with the newly available license (after the page is refreshed or relaunched).
If the computer cannot connect to the Pro Enterprise Server for deactivation, it will still be deactivated
locally, but you will need to follow these steps to actually regain use of the license.
1 You are asked to save a Deactivation Request file, and use the Remote License Tool to finalize
deactivation from a (proxy) computer that has an internet connection.
2 On the proxy computer, install and run the DigitalPersona Remote License Tool from the Remote
License Tool directory in the product package. The default installation target directory is Program
Files\DigitalPersona\Remote License Tool and the filename is DP RemoteLicenseTool.exe.
3 In the Remote License Tool, browse to the location of the Deactivation Request file.
4 Next, select the location where you want to save the Activation Response file (.dplic) to, and click
Next.
5 On the Product Deactivation page, verify the products that will be deactivated and click Next.
6 When deactivation is reported as successful, click Finish.
DigitalPersona Pro Enterprise - Administrator Guide
82
ADUC snap-ins 9
The DigitalPersona Pro Enterprise Administration Tools includes two snap-ins to ADUC (Active
Directory Users and Computers), the Users and Computers snap-in and the User Query Tool snap-in.
Users and Computers snap-in
The DigitalPersona Users and Computers snap-in adds a new tab to the User Properties page enabling
additional administrative functions; and adds several DigitalPersona commands to the user and computer
object context menus. For installation instructions, see page 56.
User properties
DigitalPersona provides the administrator with several Basic user properties that define settings or
behaviors that apply to a single specific user. They are located on the Properties dialog for the selected
Active Directory user. Additional user properties are available through a separate product, the Extended
Server Policy Module (ESPM) described on page 152. Note that these user properties override any
conflicting computer policies.
To access the DigitalPersona Basic user properties:
1 In the Users and Computers console, open the Users folder.
2 Right-click on a specific user name, select
Properties and click the DigitalPersona Pro tab.
3 Make any desired changes to the user properties, as
listed below.
Randomize user's Windows Password
Enable this setting to randomize a users Windows
Password. This will block them from using their
Windows Password to verify their identity, and a
fingerprint or other authorized and enrolled
credential must be used instead.
When this option is set, DigitalPersona Pro changes
the user password to a random value when you click
OK on this dialog box. This user will no longer be
able to access any domain resources unless they
have an alternative supported and enrolled
credential - even computers where DigitalPersona
Pro software is not installed.
Chapter 9 - ADUC snap-ins
DigitalPersona Pro Enterprise - Administrator Guide
83
Warning - Do not enable password randomization with incompatible logon authentication policies,
such as Fingerprint and Password, as users will be unable to log on or enroll new credentials (since
enrollment requires entering their Windows Password). Also, this property should not be used in
combination with the Active Directory policy "User must change password on next logon," since users
will be unable to change their password, and therefore unable to logon.
This option is not available for accounts with administrative privileges.
User provides only Windows credentials to log on
When this option is set, the user will not be subject to any logon policy from DigitalPersona Pro. Users
will be able to logon with password or smart card as defined by the Windows logon settings. By
default this setting is turned off.
Account is locked out from use of fingerprint credentials
This setting is only for unlocking accounts that have been locked out due to failed logon attempts using
fingerprint credentials. If the account is unlocked, the check box is disabled. For instructions on
unlocking an account, see below.
Note that this setting cannot be used by an administrator to lock an account.
Unlocking accounts after failed logon attempts
You can unlock an account that has been locked out of fingerprint authentication due to the user reaching
the threshold number for failed fingerprint attempts. You must have permissions to access the user account.
When an account is unlocked by an administrator, the account becomes immediately available for
fingerprint authentication from all computers, or after the next replication interval if there are multiple
domain controllers.
The administrator can choose to set less strict lockout settings by reducing the the lockout duration time or
reducing the counter reset time.
To unlock a locked account
1 In Active Directory for Users and Computers, right-click on the user name, and select Properties.
2 Click the DigitalPersona Pro tab.
3 Click the Account is locked out from use of fingerprint credentials check box to unselect it. This
check box is for unlocking accounts and cannot be checked by an administrator to lock an account. If
the account is unlocked, the check box is disabled.
4 Click OK to close the dialog box and save the changes.
Chapter 9 - ADUC snap-ins
DigitalPersona Pro Enterprise - Administrator Guide
84
User object commands
Installation of DigitalPersona Pro adds the following new commands to the context menu for a user in the
Active Directory Users and Computers console.
Recover User - Enables recovery of the user's access to their
Windows account through a one time access code available
through a link on the Windows logon screen.
Delete License - (Version 5.4.1+) Use this command to release
the DigitalPersona license associated with this user back to the
license pool.
The use of this command will delete all DigitalPersona
credentials and other user data stored in Active Directory.
Note that in v5.4.1, the user account should no longer be used
with DigitalPersona Pro, and the product should not be
reinstalled in the same user account. If use of DigitalPersona
Pro is attempted on this account, an Access Denied error will
be reported due to previously locally cached credentials.
In v5.5.0, this is no longer the case. However, you should note
the following behavior.
The license will be released within a few minutes after the user logs off from their computer.
The ability for a user to log on using their WIndows password is not affected by deleting the license.
Due to cached credentials on the client computer, the user will still be able to use their enrolled
credentials to log on to the computer after the license is deleted. But the cache will be cleared after the
log on with any enrolled credential (except Windows password) and the user will need to re-enroll
their credentials in order to continue to use them with DigitalPersona Pro.
The first time a user tries to save a new Password Manager logon after their license has been deleted,
they will receive an error, Data cannot be saved. If this persists, contact your administrator. The next
time they attempt to do so, the message should not appear and the data should be saved successfully.
After a license has been deleted, a users first attempt to re-enroll their credentials through the user
dashboard, or an administrators attempt to do so through the Attended Enrollment wizard, may fail.
Closing and re-opening the user dashboard or Attended Enrollment wizard should resolve the issue.
Delete Credentials - Use this command to delete specific enrolled credentials for selected users. A dialog
displays where you can select the credentials to be deleted. This does not release the DigitalPersona
license.
Chapter 9 - ADUC snap-ins
DigitalPersona Pro Enterprise - Administrator Guide
85
Computer object commands
The DigitalPersona Users and Computers Snap-in adds the following commands to the computer object
context menu.
Recover Computer (Version 5.3 only) - Enables recovery of access to a specific computer, for example
due to lockout at the BIOS or encrypted drive level.
Chapter 9 - ADUC snap-ins
DigitalPersona Pro Enterprise - Administrator Guide
86
User Query Tool snap-in
The DigitalPersona Pro User Query Tool snap-in is a component within the DigitalPersona Pro
Administration Tools. These tools are a separate installation and are located in the Pro Administration
Tools folder of your product package. This tool provides a means for the administrator to query the Pro
Enterprise user database for information about DigitalPersona Pro users and to perform certain operations
and to set values associated with a selected user.
It has three separate implementations, as described in the following topics.
ActiveX control (page 86)
Interactive dialog-based application (page 89)
Command line utility (page 92)
The User Query Tool must be installed on a computer running a licensed copy of DigitalPersona Pro
Workstation, and the logged on user must have domain administrator privileges. Once installed, the
Interactive dialog-based application can be run from the Start menu by clicking DigitalPersona, User
Query Tool.
ActiveX control
The ActiveX control provides the most functionality, including performing operations against the user
record and setting certain flags and values. The dialog-based and CLI applications are reporting tools only.
Examples of the types of query information that can be accessed by the ActiveX control are:
Number of installed licenses
Number of licenses used
Number of enrolled credentials for each user
Types of credentials enrolled for each user
Number of users accessing managed logons
Dates of first and last fingerprint enrollment
Additionally certain operations may be performed against the DigitalPersona user database through the
ActiveX control, such as:
Lock user account
Set user logon policy
Delete specific authentication credentials
Delete user Secrets
The Pro User Query Tool ActiveX control provides two interfaces that can be implemented through Visual
Basic or Java script.
Chapter 9 - ADUC snap-ins
DigitalPersona Pro Enterprise - Administrator Guide
87
IDPUserQueryControlInterface
This interface is used to return licensing information and create an instance of the DPUserControl object
described in the next section.
[
obj ect ,
uui d( 4AC9BCDA- 7C6F- 4919- A885- D533CBA447DF) ,
dual ,
nonext ensi bl e,
hel pst r i ng( "I DPUser Quer yCont r ol I nt er f ace: ") ,
poi nt er _def aul t ( uni que)
]
val uesAct i veX cont r ol
i nt er f ace I DPUser Quer yCont r ol : I Di spat ch
{
[ pr opget , i d( 1) , hel pst r i ng( "Ret ur ns number of l i censes i nst al l ed. ") ]
HRESULT Number Of Li censesI nst al l ed( [ out , r et val ] LONG* pVal ) ;
[ pr opget , i d( 2) , hel pst r i ng( "Ret ur ns number of l i censes used. ") ]
HRESULT Number Of Li censesUsed( [ out , r et val ] LONG* pVal ) ;
[ i d( 3) , hel pst r i ng( "Cr eat es an i nst ance of DPUser Cont r ol obj ect based on user
DN. ") ]
HRESULT Get User ( [ i n] BSTR User DN, [ out , r et val ] I Di spat ch** ppUser ) ;
};
IDPUserControl
The IDPUserControl is used to get or set a number of different user properties.
[
obj ect ,
uui d( C6AAB663- EA2A- 4195- 940F- 1C56C5736924) ,
dual ,
nonext ensi bl e,
hel pst r i ng( "I DPUser Cont r ol I nt er f ace: ") ,
poi nt er _def aul t ( uni que)
]
i nt er f ace I DPUser Cont r ol : I Di spat ch{
[ pr opget , i d( 1) , hel pst r i ng( "Ret ur ns a f l ag t hat i ndi cat es i f t he account
i s l ocked because of i nt r uder det ect i on. ") ]
HRESULT I sAccount Locked( [ out , r et val ] VARI ANT_BOOL* pf I sAccount Locked) ;
[ pr opput , i d( 1) , hel pst r i ng( "Set s a f l ag t hat i ndi cat es i f t he account i s
l ocked because of i nt r uder det ect i on. ") ]
HRESULT I sAccount Locked( [ i n] VARI ANT_BOOL f I sAccount Locked) ;
Chapter 9 - ADUC snap-ins
DigitalPersona Pro Enterprise - Administrator Guide
88
[ pr opget , i d( 2) , hel pst r i ng( "Ret ur ns a user account cont r ol val ue. ") ]
HRESULT Account Cont r ol ( [ out , r et val ] LONG* pVal ) ;
[ pr opput , i d( 2) , hel pst r i ng( "Set s a user account cont r ol val ue. ") ]
HRESULT Account Cont r ol ( [ i n] LONG newVal ) ;
[ pr opget , i d( 3) , hel pst r i ng( "Ret ur ns a user l ogon pol i cy val ue. ") ]
HRESULT LogonPol i cy( [ out , r et val ] LONG* pVal ) ;
[ pr opput , i d( 3) , hel pst r i ng( "Set s a user l ogon pol i cy val ue. ") ]
HRESULT LogonPol i cy( [ i n] LONG newVal ) ;
[ pr opget , i d( 4) , hel pst r i ng( "Ret ur ns a f l ag t hat i ndi cat es i f t he speci f i c
aut hent i cat i on t oken i s enr ol l ed. ") ]
HRESULT I sTokenEnr ol l ed( [ i n] BSTR TokenI D, [ out ] VARI ANT_BOOL*
pf I sTokenEnr ol l ed) ;
[ pr opget , i d( 5) , hel pst r i ng( "Ret ur ns a f l ag t hat i ndi cat es f i nger pr i nt s
enr ol l ed mask. ") ]
HRESULT Fi nger pr i nt Mask( [ out , r et val ] LONG* pVal ) ;
[ pr opget , i d( 6) , hel pst r i ng( "Ret ur ns user r ecover y passwor d. ") ]
HRESULT Recover yPasswor d( [ i n] BSTR Encr ypt edPasswor d, [ out , r et val ]
BSTR* pVal ) ;
[ i d( 7) , hel pst r i ng( "Del et es speci f i c aut hent i cat i on t oken cr edent i al s. ") ]
HRESULT Del et eToken( [ i n] BSTR TokenI D) ;
[ i d( 8) , hel pst r i ng( "Del et es enr ol l ed f i nger pr i nt s. ") ]
HRESULT Del et eFi nger pr i nt s( voi d) ;
[ i d( 9) , hel pst r i ng( "Del et es user Secr et s. ") ]
HRESULT Del et eSecr et s( voi d) ;
[ i d( 10) , hel pst r i ng( "Ret ur ns dat e and t i me of f i r st f i nger pr i nt
enr ol l ment . ") ]
HRESULT Fi nger pr i nt Fi r st Enr ol l ment Ti me( [ out , r et val ] DATE* pVal ) ;
[ i d( 11) , hel pst r i ng( "Ret ur ns dat e and t i me of l ast f i nger pr i nt
enr ol l ment . ") ]
HRESULT Fi nger pr i nt Last Enr ol l ment Ti me( [ out , r et val ] DATE* pVal ) ;
[ pr opget , i d( 12) , hel pst r i ng( "Ret ur ns a f l ag t hat i ndi cat es i f t he speci f i c
aut hent i cat i on t oken i s enr ol l ed. ") ]
HRESULT I sTokenEnr ol l edEx( [ i n] BSTR TokenI D, [ i n] BSTR Pr ef i x, [ out ]
VARI ANT_BOOL* pf I sTokenEnr ol l ed) ;
[ pr opget , i d( 13) , hel pst r i ng( "Ret ur ns a f l ag t hat i ndi cat es i f l i cense
t aken by t hi s user . ") ]
HRESULT I sLi censeTaken( [ out , r et val ] VARI ANT_BOOL* pf I sLi censeTaken) ;
[ i d( 14) , hel pst r i ng( "Cl ear l i cense by del et i ng al l Di gi t al Per sona dat a f or
t hi s user . ") ]
HRESULT Cl ear Li cense( voi d) ;
};
Chapter 9 - ADUC snap-ins
DigitalPersona Pro Enterprise - Administrator Guide
89
Sample VB Script
This is a sample of a VB script that returns the date and time of the first and last fingerprint enrollments for
a user.
Di mobj User
Set obj Quer yCont r ol = Cr eat eObj ect ( "DPUser Quer y. DPUser Quer yCont r ol ")
Set obj User = obj Quer yCont r ol . Get User ( "cn=t est user , CN=User s, DC=t est domai n, DC=COM")
wscr i pt . echo obj User . Fi nger pr i nt Fi r st Enr ol l ment Ti me
wscr i pt . echo obj User . Fi nger pr i nt Last Enr ol l ment Ti me
Interactive dialog-based application
To run the interactive dialog-based application:
1 On the Start menu, point to All Programs, DigitalPersona Pro, User Query Tool.
2 In the application dialog, select the type
of information you would like to display
and enter or browse to the location where
you want to save the resulting log file.
3 Click the Run button.
4 The file is saved as a .csv file with the
default name of DPQuery.csv, which can
be opened in Notepad or programs like
Microsoft Excel and other spreadsheet
programs.
Chapter 9 - ADUC snap-ins
DigitalPersona Pro Enterprise - Administrator Guide
90
DPQuery.csv format
The file resulting from the use of either the Interactive User Query Tool described above, or the command
line interface User Query Tool described beginning on page 92, have the format described in the table
below.
Additionally, the following totals are provided at the end of the file.
Total number of users
Total number of licenses used (Version 5.4.1+)
Total number of users with fingerprints enrolled
Total number of users with smart cards enrolled
Total number of users with contactless cards enrolled
Column Description
User Name Name of the user being reported against.
Logon Options 0 - No log on option is set.
1 - User provides only Windows credentials to log on.
2 - Randomize users Windows Password.
4 - User must provide Fingerprint and PIN to log on.
8. - Account is locked out from use of fingerprints credentials.
Fingerprints Number of fingerprints enrolled by the user.
Smart Cards Yes or No. Indicates whether this credential has been enrolled
by the specified user.
Contactless Cards Yes or No. Indicates whether this credential has been enrolled
by the specified user.
Proximity Cards Yes or No. Indicates whether this credential has been enrolled
by the specified user.
Bluetooth Yes or No. Indicates whether this credential has been enrolled
by the specified user.
PIN Yes or No. Indicates whether this credential has been enrolled
by the specified user.
Licenses (Version 5.4.1+) Yes or No. Indicates whether a DigitalPersona User license is
being utilized by the specified user.
Self Password Recovery
(Version 5.5+)
Yes or No. Indicates whether the Self Password Recovery
questions have been answered by the specified user.
Chapter 9 - ADUC snap-ins
DigitalPersona Pro Enterprise - Administrator Guide
91
Total number of users with proximity cards enrolled
Total number of users with Bluetooth enrolled
Total number of users with PIN enrolled
Total number of users with Self Password Recovery enrolled (Version 5.5+)
Chapter 9 - ADUC snap-ins
DigitalPersona Pro Enterprise - Administrator Guide
92
Command line utility
The User Query Tool command line utility must be run from an elevated command prompt.
To run the User Query Tool command line utility
1 Open an elevated command prompt by right-clicking any Command Prompt shortcut on the Windows
Start menu (located by default in the Accessories folder) and selecting Run as administrator.
2 In the Command Prompt window, enter DPQuery.exe using the following syntax and parameters.
Syntax
DPQuer y. exe [ - noui ] [ - dn=BaseDN] [ - out =Fi l eName] [ - ac] [ - f p] [ - sc] [ - cc] [ - pc] [ - bt ]
[ - pi n] [ - l i c] [ - r ec]
Parameters
Parameter Description
-noui Run utility silently with no graphical interface
-dn= BaseDN Sets the Distinguished Name of the search base for the query. If missing, the
Domain DN that the computer belongs to will be used as the search base.
-out=FileName Identifies the path and file name for the output log file. If missing, the file
DPQuery.csv will be created in the directory containing the utility.
-fp Add information about the number of fingerprints enrolled for each user in a
query.
-ac Add information about user account control flags like password randomization.
-sc Add information about smart cards enrolled for each user in a query.
-cc Add information about contactless cards enrolled for each user in a query.
-pc Add information about proximity cards enrolled for each user in a query.
-bt Add information about Bluetooth credentials enrolled for each user in a query.
-pin Add information about PINs enrolled for each user in a query.
-lic (Version 5.4.1+) Add information about licenses utilized for each user in a query.
-rec (Version 5.5+) Add information about Self Recovery Password enrolled for each
user in a query.
Chapter 9 - ADUC snap-ins
DigitalPersona Pro Enterprise - Administrator Guide
93
Examples
DPQuer y. exe noui dn=CN=User s, DN=Di gi t al Per sona, DN=com ac f p
This example query returns information about users in the Users folder of the DIGITAL_PERSONA
domain, and includes user flags (password randomization for example) and information about enrolled
fingerprints.
DPQuer y. exe noui sc cc
The example query above returns information about all users in the DIGITAL_PERSONA domain and
includes information about enrolled smart cards, contactless cards and proximity cards.
DigitalPersona Pro Enterprise - Administrator Guide
94
Attended Enrollment 10
Attended Enrollment is a feature that allows a delegated user, or a member of a delegated user group, to
attend and supervise the enrollment of DigitalPersona Pro credentials for other users. This feature is
included as part of the DigitalPersona Users and Computers Snap-in, and is also available as a separate
component (the Attended Enrollment Tool) in the DigitalPersona Pro Administration Tools package.
Attended Enrollment can add a higher level of security to the implementation and use of DigitalPersona
Pro Enterprise.
By default, the domain administrator is the only user with the permission to save changes to user
credentials to Active Directory, and therefor the only one who can use Attended Enrollment out of the box.
However, a delegated user or user group may be assigned the permission to supervise the credential
enrollment process of other users. Additionally, these users may be prohibited from enrolling or managing
their own credentials.
Attended Enrollment Feature (ADUC Snap-in)
Use of the Attended Enrollment feature within the DigitalPersona Users and Computers Snap-in requires
previous installation of the following components. Note that these are not required for use of the Attended
Enrollment Tool that is part of the Administrative Tools installation.
Attended Enrollment feature system requirements
DigitalPersona Pro Workstation for Enterprise
Windows Server 2008 - requires Microsoft Remote Server Administration Tools (available from the
Microsoft Download Center).
Windows Server 2003 - requires Windows Server 2003 Administration Tools Pack (adminpak.msi).
Attended Enrollment Tool (Standalone program)
Attended Enrollment Tool system requirements
DigitalPersona Pro Workstation for Enterprise. During the installation, you must select the option to
Remotely store Biometric data on the server.
Installation of the DigitalPersona Pro Administration Tools package.
Setting up Attended Enrollment
By default, Attended Enrollment may be performed by any user with domain administrator privileges, and
end-users may also enroll and modify their own credentials from their DigitalPersona Pro workstation. If
this is the desired behavior for your environment, no further setup is necessary.
In some scenarios, you may want to prohibit end-users from enrolling or modifying their credentials. You
may also choose to delegate authority for attended enrollment to another user or user group.
Chapter 10 - Attended Enrollment
DigitalPersona Pro Enterprise - Administrator Guide
95
To assign, or remove Register/Delete permissions
You can use the following procedure to assign permissions to a user or group to supervise attended
enrollment.
You may also Remove the permission to enroll/delete credentials from all other users. Note that in this
case, you should remove the permission, not Deny.
1 Open Active Directory Users and Computers.
2 On the View menu, select Advanced Features.
3 (Optional) If necessary, create a new object for those who will be supervising Attended Enrollment.
4 Right-click the object for which you want to assign, change, or remove permissions, and then click
Properties.
5 On the Security tab, click Advanced to view all of the permission entries that exist for the object.
6 Do one or more of the following:
To assign new permissions on an object or attribute, click Add. Type the name of the group,
computer, or user that you want to add, and then click OK. In the Permission Entry for
ObjectName dialog box, on the Object and Properties tabs, select Descendant User objects from
the Apply to drop-down menu. Then select or clear the Allow or Deny check boxes for the
Register/Delete Fingerprint permission*, as appropriate.
To remove the Register/Delete Fingerprint permissions from an object or attribute, click the
permission entry, and then click Remove.
* Although the permission is titled Register/Delete Fingerprint, it actually applies to all DigitalPersona
Pro credentials.
Chapter 10 - Attended Enrollment
DigitalPersona Pro Enterprise - Administrator Guide
96
Enrolling user credentials
See the previous section on setting up attended enrollment before you can enroll credentials for another
user.
To supervise the enrollment of user credentials:
1 Select the user, and start the Attended
Enrollment Wizard. The first step is
slightly different depending on
whether you are enrolling from the
ADUC snap-in or from the Attended
Enrollment Tool.
DigitalPersona Users and Computers
snap-in - In Active Directory, right-
click a user name. Select All tasks,
Enroll Credentials.
Attended Enrollment Tool - Launch
the tool from the Start Menu shortcut
in the DigitalPersona folder, enter the
name of the user, select the domain
and click OK.
2 The Attended Enrollment wizard
starts.
Chapter 10 - Attended Enrollment
DigitalPersona Pro Enterprise - Administrator Guide
97
3 Select the credentials that you want to enroll
for this user and click Next.
4 Follow the Attended Enrollment wizard
instructions to enroll the users credentials.
The user being enrolled must provide their
user password on the screen that follows in
order to continue through the Enrollment
Wizard.* This requirement prevents the
supervising user from enrolling the incorrect
persons credentials for the user account.
* Resetting a randomized password
If your environment includes use of the
DigitalPersona Pro setting Randomize user's
Windows Password, (see page 82), the user
cannot provide their password - since they do not
know it. During Attended Enrollment, each
credential page provides a Reset randomized password link that the administrator may use to reset the
randomized password temporarily in order to allow the authentication necessary for enrolling new
credentials.
Deleting Fingerprints
If a user does not have permission to delete their own fingerprints, a supervising user can use Pro
Enterprise Server to delete enrolled fingerprints. The enrolled user must be present to provide the password
or fingerprint.
1 In Active Directory Users and Computers, right-click a user name.
2 Select All tasks, Enroll Credentials.
3 The Attended Enrollment Wizard starts.
4 Click Next and follow the Attended Enrollment Wizard instructions.
The user must provide their user password or fingerprint to continue through the Enrollment Wizard.
This requirement prevents the supervising user from deleting the incorrect persons fingerprints for the
user account.
If the account of the supervising user does not have the Enroll/Delete Fingers permission for the user
being enrolled, an Access Denied message displays.
5 On the hand outline, click the finger for the fingerprint that you want to delete.
6 Click Yes in the confirmation dialog.
Chapter 10 - Attended Enrollment
DigitalPersona Pro Enterprise - Administrator Guide
98
7 The fingerprint will be deleted, and the corresponding finger image will no longer be green.
NOTE: An administrator can also delete all enrolled fingerprints for a user from the ADUC console by
right-clicking a user, selecting All Tasks and selecting Delete Credentials. Fingerprints and/or other
credentials may be selected and deleted for the selected user.
DigitalPersona Pro Enterprise - Administrator Guide
99
Policies and Settings 11
DigitalPersona Pro Enterprise provides a comprehensive set of Active Directory-based policies and
settings used for licensing, configuring and administering the DigitalPersona Pro Enterprise Server and its
clients. These policies and settings are implemented through DigitalPersona Pro GPMC extensions and
ADUC snap-ins, available as separate components installed through the DigitalPersona Pro
Administration Tools, which is included in your product package. See page 130 for a description of the
GPMC Extensions and page 82 for information about the ADUC snap-ins.
The Workstation administrative template, installed through the GPMC Extensions component, may also be
added to a local policy object on a standalone workstation without access to Active Directory. See Install
Workstation Administrative Templates Locally on page 133.
Overview
In Active Directory, the DigitalPersona Pro GPMC Extensions component adds Pro Enterprise policies
and settings to the DigitalPersona Pro Client and DigitalPersona Pro Enterprise Server nodes under
Computer Configuration/Policies/Software Settings and adds policies and settings for the DigitalPersona
Pro Client under the User Configuration/Policies\Software Settings and User Configuration/Policies/
Administrative Templates nodes.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
100
Installed computer policies and settings can then be accessed through the Active Directory Group Policy
Management Editor in the Microsoft Management Console.
Local administrators can access the Pro Workstation settings from the Microsoft Management Console
(MMC), after installing the workstation administrative template.
Each setting can be accessed in the Group Policy Management Editor (or MMC) by clicking Properties on
the context menu of the setting and then clicking the Policy tab on the Properties dialog box.
GPO settings have three states: enabled, disabled and not configured.
By default, all settings are not configured. To override the default settings of DigitalPersona Pro, each
setting must be changed to enabled or disabled and, in some cases, additional parameters must be supplied.
On the network, by default, changes made to existing GPOs may take as long as 90 minutes to refresh with
a 30 minute offset.
GPOs applied to computers are refreshed during this time, as well as when the computer is restarted.
GPOs applied to users are refreshed every 90 minutes and when the user logs on or off.
You can use the standard Windows methods of enforcing refresh of DigitalPersona Pro GPOs without
concern for disrupting DigitalPersona Pro functionality on a computer.
The following pages describe the policies and settings made available in Active Directory through the
DigitalPersona Pro GPMC Extensions component. The information is organized according to major Active
Directory nodes, categories and subcategories mirroring their locations in the domain policy tree. Tables
list each policy and setting, and reference the page number where a full description is provided.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
101
Computer Configuration/Policies/Software Settings
During installation of the DigitalPersona Pro Administration Tools, the following nodes are created at the
domain level under the Computer Configuration\Policies\Software Settings node.
DigitalPersona Pro Client
These client settings can be found at the following location:
Computer Configuration/Policies/Software Settings/DigitalPersona Pro Client.
These settings are used to configure and govern DigitalPersona Pro clients.
Security/Authentication
Settings that define DigitalPersona Pro Enterprise authentication policies are stored at:
Computer Configuration/Policies/Software Settings/DigitalPersona Pro Client/Security/Authentication.
Category/Subcategories Setting name Page
Security
Authentication Logon Authentication Policy 102
Session Authentication Policy 102
Kiosk Session Authentication Policy 103
Enrollment Self Enrollment Policy 104
Licenses [No setting] 104
Kiosk Administration
Allow automatic logon using Shared Kiosk Account 104
Logon/Unlock with Shared Account Credentials 104
Prevent users from logging on outside of a Kiosk session 104
Kiosk Workstation Shared Account Settings 105
Kiosk Unlock Script 105
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
102
Logon Authentication Policy
The Logon Authentication Policy defines the
credentials that may be used to log on to Windows.
By default, all supported credentials are listed on the
tab. Any of the listed credentials or credential
combinations may be used for authentication in the
Logon Authentication Policy.
1 In the Group Policy Management Editor, click
Logon Authentication Policy at the following
location: Computer Configuration/Policies/
Software Settings/DigitalPersona Pro Client/
Security/Authentication.
2 On the Logon Policy tab, make any desired
changes.
To edit or delete a Credential from the list, click
the arrow that appears to the right of the
credential.
To add a credential to the list, click Add at the
top of the list.
3 Click Apply.
Session Authentication Policy
The Session Authentication Policy defines the
credentials that may be used to access Security
applications during a Windows session. By default,
all supported credentials are listed on the tab. Any of
the listed credentials or credential combinations -
Permitted Credentials - may be used for
authentication in the Session Authentication Policy.
1 In the Group Policy Management Editor, click
Session Authentication Policy at the following
location: Computer Configuration/Policies/
Software Settings/DigitalPersona Pro Client/
Security/Authentication.
If enabled, only the specified combination of
credentials in the Policy can be used for
authentication.
If disabled, the user is not prompted to
authenticate by DigitalPersona Pro security
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
103
applications during the Windows session. This configuration provides Single Sign-On functionality.
The user logs on to Windows, and gains access to all security applications without being prompted to
authenticate for each application. However, enrollment of credentials will still require authentication.
If not configured, any of the installed authentication devices can be used for authentication.
2 On the Session Policy tab, make any desired changes.
To edit or delete a Credential from the list, click the arrow that appears to the right of the credential.
To add a credential to the list, click Add at the top of the list.
3 Click Apply.
Kiosk Session Authentication Policy
The Kiosk Session Authentication Policy defines the credentials that may be used to access Security
applications during a Pro Kiosk session. By default, all supported credentials are listed on the tab. Any of
the listed credentials or credential combinations - may be used for authentication in the Kiosk Session
Authentication Policy.
1 In the Group Policy Management Editor, click
Kiosk Session Authentication Policy at the
following location: Computer Configuration/
Policies/Software Settings/DigitalPersona Pro
Client/Security/Authentication.
If enabled, only the specified combination of
credentials in the Policy can be used for
authentication.
If disabled, the user is not prompted to
authenticate by DigitalPersona Pro security
applications during the Windows session. This
configuration provides Single Sign-On
functionality. The user logs on to Windows, and
gains access to all security applications without
being prompted to authenticate for each
application. However, enrollment of credentials
will still require authentication.
If not configured, any of the installed
authentication devices can be used for
authentication.
2 On the Kiosk Session Authentication Policy tab, make any desired changes.
To edit or delete a Credential from the list, click the arrow that appears to the right of the credential.
To add a credential to the list, click Add at the top of the list.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
104
Click Apply.
Security/Enrollment
Computer-level settings that define DigitalPersona Pro Enterprise enrollment policies are stored at:
Computer Configuration/Policies/Software Settings/DigitalPersona Pro Client/Security/Enrollment.
Self Enrollment Policy
This policy determines the credentials that may be used for self enrollment on a client workstation.
If enabled, only the specified credentials may be used for self enrollment.
If disabled or not configured, any installed and supported credentials may be used.
Note that there is also a user-level Self Enrollment Policy setting that takes precedence over this computer-
level setting.
Licenses
To add new client licenses, right-click the License node and select Add license.
Kiosk Administration
Settings that define DigitalPersona Pro Kiosk policies are stored at:
Computer Configuration/Policies/Software Settings/DigitalPersona Pro Client/Kiosk Administration.
Allow automatic logon using Shared Kiosk Account
Determines whether the automatic logon feature is enabled. Automatic logon uses the Kiosk Shared
Account to log users on to the computer when the Windows operating system starts up. The Log On to
Windows dialog box is not displayed.
If disabled or not configured, the automatic logon is disabled.
CAUTION: The automatic logon setting will allow any user to access a Windows session without
interactive authentication when the Kiosk computer is restarted.
Logon/Unlock with Shared Account Credentials
If enabled, any user who knows the user name and password for the shared account that Kiosk uses can use
those credentials to log on to or unlock the computer.
If disabled or not configured, the shared account credentials cannot be used to log on to or unlock the
computer.
Prevent users from logging on outside of a Kiosk session
When enabled, only those with administrator privileges are able to log on to any Kiosk workstation
controlled by the GPO.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
105
If disabled or not configured, users can log on to the Kiosk workstations as a local user outside of the
Kiosk session.
Kiosk Workstation Shared Account Settings
In order to use a Kiosk workstation, this setting must be enabled and the Windows shared account
information (user name, domain and password) specified. See Kiosk Shared Account Settings on page 29
for additional details.
If disabled or not configured, Kiosk workstations affected by the GPO will not be operable.
Kiosk Unlock Script
Specifies a script file to run whenever a Kiosk session is unlocked by a new user.
By default, the script file should be located in the following directory on a Domain Controller:
%systemroot%\sysvol\sysvol\domain_DNS_name\scripts
Or, you can specify the full path to a shared folder which contains the script file.
DigitalPersona Pro Enterprise Server
These server settings can be found at the following location:
Computer Configuration/Policies/Software Settings/DigitalPersona Pro Enterprise Server.
These settings are used to configure and govern DigitalPersona Pro servers.
Licenses
DigitalPersona Pro Enterprise license information for DigitalPersona Pro Enterprise Server is stored at:
Computer Configuration/Policies/Software Settings/DigitalPersona Pro Enterprise Server/Licenses.
To add a license for Pro Enterprise Server, right-click the License node and select Add license.
For complete information on adding and managing your DigitalPersona Pro Enterprise licenses, see
License Activation & Management on page 67.
Category/Subcategories Setting name Page
Licenses [No setting] 105
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
106
Computer Configuration\Policies\Administrative Templates
During installation of the DigitalPersona Pro Administration Tools, the following nodes and settings are
created at the domain level under the Computer Configuration\Policies\Administrative Templates node.
DigitalPersona Pro Client (Summary)
These settings are used to configure and govern DigitalPersona Pro clients.
Category/Subcategories Setting name Page
Authentication Devices 108
Bluetooth Lock computer when your phone is out of range 108
Silent authentication 108
Fingerprints Redirect fingerprint data 108
Cache user data on local computer 110
Fingerprint enrollment 110
Fingerprint verification 110
PIN PIN enrollment 111
Smart cards Lock the computer upon smart card removal 111
Event logging
Level of detail in event logs 111
Fast Connect Citrix Published Application Name 112
DigitalPersona Reporter DigitalPersona Reporter Event Forwarding 112
General Administration
Quick Actions 112
Do not allow users to run local administrative tools 113
Do not launch the Getting Started wizard upon logon 113
Identification Server domain 113
Allow Pro client to use Pro Server 113
Show Taskbar icon 113
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
107
Kiosk Administration
Allow automatic logon using Shared Kiosk Account 114
Logon/Unlock with Shared Account Credentials 114
Prevent users from logging on outside of a Kiosk session 114
Kiosk Workstation Shared Account Settings 114
Kiosk Unlock Script 114
Managed applications
Disable applications Prevent Password Manager from running 115
Prevent Privacy Manager from running 115
Privacy Manager
Encryption policy 115
Certificate publishing policy 115
Certificate use policy 116
Security
Authentication Logon Authentication Policy 116
Session Authentication Policy 116
Features Enable multi-factor authentication in Windows logon 116
Settings Enable One Step Logon 117
Enable Self Password Recovery 117
Software Updates Allow running auto updates on the computer 117
Enable the Central Management menu item 117
Category/Subcategories Setting name Page
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
108
DigitalPersona Pro Client (Details)
Authentication Devices
Bluetooth
Lock computer when your phone is out of range
Configure whether to lock the computer when a Bluetooth device which was connected during login
moves out of range.
If enabled, locks the computer when the device is out of range.
If disabled or not configured, does not lock the computer when the device is out of range.
The definition of out of range depends on the installed Bluetooth stack. For the Broadcom stack,
whichcan measure the signal strength of the Bluetooth device, out of range is a hardcoded threshold of 10
dB. For non-Broadcom stacks, out of range is defined as whenever the device is not visible to the software.
Silent authentication
Configure whether or not to use silent authentication for Bluetooth credentials.
If enabled, when Bluetooth credentials are allowed for authentication by the Logon or Session Policy
in force, authentication will be attempted with the previously used Bluetooth credential immediately
upon entry to a logon screen.
If disabled, selection of a specific Bluetooth credential is required for authentication.
If not configured, silent Bluetooth authentication is controlled locally by the "Allow silent
authentication" setting in the Administrative Console.
Fingerprints
Redirect fingerprint data
Configure whether or not to allow the client computer to redirect fingerprint data to a remote Terminal
Services session.
If enabled, clients can send fingerprint data to a remote computer. This configuration must be enabled
to support fingerprint authentication on a remote desktop.
If disabled or not configured, fingerprint data redirection is not allowed.
When an administrator changes this setting, only new connections display the behavior specified by the
new setting. Sessions that were initiated before the change must log off and reconnect to be affected by the
new setting.
The Do not compress fingerprint data for redirection checkbox specifies whether to compress
fingerprint data on the client computer before redirecting it to the Terminal Services session.
If checked, fingerprint data is not compressed on the client computers before sending to the Terminal
Server.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
109
If not checked, fingerprint data is compressed on the client computers before sending to the Terminal
Server.
When an administrator changes this setting, only new connections display the behavior specified by the
new setting. Sessions that were initiated before the change must log off and reconnect to be affected by the
new setting.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
110
Cache user data on local computer
Determines whether user data for domain users are cached on the local computer.
If enabled or not configured, user data (fingerprint templates and secure application data) of domain
users is cached locally on the computer. This provides domain users the ability to use their fingerprints
when a DigitalPersona Pro Server cannot be located. This is a convenient but less secure option.
If not enabled, users may only use fingerprints when DigitalPersona Pro Server is accessible.
The data of local users is always stored on the local computer.
Fingerprint enrollment
Configure settings related to fingerprint enrollment.
Set the minimum number of enrolled fingerprints
This setting requires that the user enroll at least the specified number of fingerprints.
Enrolling just one fingerprint increases probability of not being able to authenticate. Enrolling several
fingerprints will increase the probability of false acceptance.
If disabled or not configured, the minimum number of fingerprints required for enrollment is 1.
Set the maximum number of enrolled fingerprints:
This setting restricts the number of fingerprints that a user can enroll. Enrolling several fingerprints
will increase the probability of false acceptance.
If disabled or not configured, the maximum number of fingerprints allowed for enrollment is 10.
Fingerprint verification
Configure settings related to fingerprint verification.
If enabled, allows you to set the False Accept Rate for the fingerprint verification.
If disabled or not configured, a FAR setting of Medium High (1 in 100,000) is used.
Set the False Accept Rate
The False Accept Rate (FAR) is the probability of receiving a false acceptance decision when comparing
fingerprints scanned from different fingers.
When this setting is enabled, you can select one of the following FAR values:
Medium (1 in 10,000)
Medium High (1 in 100,000) - Recommended
High (1 in 1,000,000)
For example: if you select Medium High, on average, one false acceptance will occur when a fingerprint is
compared against one hundred thousand fingerprints scanned from different fingers.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
111
The higher the setting, the lower the chance of receiving a false acceptance. However, at the High setting,
the system may reject legitimate fingerprints.
NOTE: The FAR is set on a per verification basis. When matching a fingerprint against the fingerprints of
multiple users (identification), the internally used FAR is automatically adjusted to maintain the same
effective FAR that was selected for one match.
PIN
PIN enrollment
Configure settings related to enrollment of user PIN.
If enabled, enables setting the minimum length of the user PIN.
If disabled or not configured, the minimum length of the user PIN is 4.
Set the minimum length of user PIN
Use the up and down arrow keys to set the minimum length of the user PIN.
Caution: Setting a very short PIN reduces security by making it easier to try all possible combinations of
numbers comprising the PIN.
Smart cards
Lock the computer on smart card removal
Configure whether or not the computer locks upon removing the smart card from the smart card reader.
If enabled, the computer locks upon removing the smart card from the smart card reader. The computer
will lock only if the smart card was used to log on to Windows.
If disabled or not configured, the computer does not lock upon removing the smart card from the smart
card reader.
Event logging
Level of detail in event logs
Determines the level of detail and type of events written to the Windows Event Log.
If enabled, DigitalPersona Pro logs events on the specified level.
If disabled or not configured, events are logged on the Auditing level.
There are three levels of event logging:
Errors Only
Auditing
Details
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
112
Each higher level includes all previous levels. Events are logged on the computer where the event
occurred.
For most normal tasks it is enough to set the level to Auditing. This would cover all logon events,
authentication events, fingerprint management events, user management events, etc. Setting a very high
level of event logging will fill the log file quickly.
Log Status events
Note that logging of Status events is not enabled by default, and must be separately enabled by selecting
the Log Status Events checkbox. Status events provide information about the state of various policies and
components on client computers.
The interval at which status events are reported can also be configured.
Fast Connect
Citrix Published Application Name
Configures the Fast Connect feature, which provides quick connection and log on to Citrix Published
Applications and Virtual Desktops.
If enabled, specifies the application or desktop to be connected to when the Fast Connect Quick Action is
initiated. The required format is FarmName:ApplicationNameOrDesktopName.
If disabled or not configured, the Fast Connect feature is unavailable.
DigitalPersona Reporter
DigitalPersona Reporter Event Forwarding
Configures forwarding of Pro Workstation events to DigitalPersona Reporter via the Windows Event
Forwarding mechanism.
If enabled, Pro events are forwarded. If disabled or not configured, Pro events are not forwarded.
General Administration
Quick Actions
Specifies administrator-defined Quick Actions that are performed automatically when a user presents an
authorized and enrolled credential, or key+credential combination.
If enabled, the administrator can specify the Quick Action to be performed by the Pro client.
If disabled, no Quick Action will be performed for the selected credential or key+credential
combination.
If not configured, the default or user specified Quick Action will be performed.
Available Quick Actions are described below.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
113
Fast Connect Connects to a Citrix session, runs the Citrix Desktop or Published Application, fills in
specified credentials and logs into an application. If a connection is already active, disconnects from the
session.
Lock Workstation Locks the computer.
Password Manager Action Performs one of the following operations when the associated Quick Action
is initiated.
When the active window has an associated Password Manager personal logon or managed logon, fills-
in account data.
If the window is determined to be a logon screen that does not have an associated personal logon or
managed logon, and the Allow creation of personal logons setting (page 127) is enabled or not
configured, the Add Logon dialog displays.
If none of the above cases are true, the Logons Menu or user dashboard is shown.
Do not allow users to run local administrative tools
Prevents users from running the Administrative Console or the Setup wizard. Users will not be able to
configure security features on their computers.
If enabled, users are not allowed to run local administrative tools.
If disabled or not configured, users are allowed to run local administrative tools.
Do not launch the Getting Started wizard upon logon
If enabled, the DigitalPersona Pro dashboard and the Getting Started page do not start automatically
after user logon.
If disabled or not configured, the DigitalPersona Pro dashboard and the Getting Started page starts
automatically after user logon.
Identification Server domain
Specifies the name of the domain where a DigitalPersona ID Server is hosted. Computers attempting to
identify a user based on their fingerprint credentials will send the query to this domain.
If enabled, and a DNS domain name is entered, queries are sent to the specified domain.
If not configured or disabled, queries are sent to the domain that the computer belongs to.
DNS domain name
Specify the name of the domain where the DigitalPersona ID Server is hosted.
Allow Pro client to use Pro Server
If enabled or not configured, Pro clients will attempt to contact a Pro Server to obtain services.
If disabled, Pro clients will not attempt to contact a Pro Server, and will use cached data.
Show Taskbar icon
If enabled or not configured, a Taskbar icon is displayed on managed workstations.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
114
If disabled, the Taskbar icon is not shown.
Kiosk Administration
The following Kiosk Administration settings, located under the Administrative Templates node are
included for backward compatibility, but have been replaced by the settings described on page 104.
Allow automatic logon using Shared Kiosk Account
Determines whether the automatic logon feature is enabled. Automatic logon uses the Kiosk Shared
Account to log users on to the computer when the Windows operating system starts up. The Log On to
Windows dialog box is not displayed.
If disabled or not configured, the automatic logon is disabled.
CAUTION: The automatic logon setting will allow any user to access a Windows session without
interactive authentication when the Kiosk computer is restarted.
Logon/Unlock with Shared Account Credentials
If enabled, any user who knows the user name and password for the shared account that Kiosk uses can use
those credentials to log on to or unlock the computer.
If disabled or not configured, the shared account credentials cannot be used to log on to or unlock the
computer.
Prevent users from logging on outside of a Kiosk session
When enabled, only those with administrator privileges are able to log on to any Kiosk workstation
controlled by the GPO.
If disabled or not configured, users can log on to the Kiosk workstations as a local user outside of the
Kiosk session.
Kiosk Workstation Shared Account Settings
In order to use a Kiosk workstation, this setting must be enabled and the Windows shared account
information (user name, domain and password) specified. See Kiosk Shared Account Settings on page 29
for additional details.
If disabled or not configured, Kiosk workstations affected by the GPO will not be operable.
Kiosk Unlock Script
Specifies a script file to run whenever a Kiosk session is unlocked by a new user.
By default, the script file should be located in the following directory on a Domain Controller:
%systemroot%\sysvol\sysvol\domain_DNS_name\scripts
Or, you can specify the full path to a shared folder which contains the script file.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
115
Managed applications
Disable Applications
Prevent Password Manager from running
If enabled, the Password Manager application is not available.
If disabled or not configured, the Password Manager application is available.
Prevent Privacy Manager from running
If enabled, the Privacy Manager application is not available.
If disabled or not configured, the Privacy Manager application is available.
Privacy Manager
Encryption policy
Controls the encryption capabilities of Privacy Manager.
If enabled, the administrator can choose to prevent users from accessing the encryption capabilities of
Privacy Manager for
Microsoft Office documents
Microsoft Outlook
If disabled or unconfigured, encryption is allowed.
Certificate publishing policy
Controls how digital certificates are shared using Active Directory.
If enabled, administrators can select one of the following options:
Automatic - a user's certificate is automatically published in Active Directory when either acquired from
Comodo or imported from another source. Additionally, certificates for Trusted Contacts can be
downloaded from Active Directory.
Users can publish manually - users are asked whether to publish a certificate in Active Directory when
either acquired from Comodo or imported from another source. Additionally, certificates for Trusted
Contacts can be downloaded from Active Directory.
Note that when a certificate is issued directly for DigitalPersona CSP, and if a user does not need to do
anything to start using that certificate, then the certificate is not automatically published in Active
Directory but can be manually published if they desire to do so. The certificate can also be published by
other means, for example Microsoft Certificate Authority can publish certificates automatically, when
issuing them.
The ability to download the Address Book (with associated certificates) from within Microsoft Outlook is
not affected by this setting.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
116
Certificates are published in the user Certificate attribute of the user record, this is standard place for the
user certificates in Active Directory.
If disabled or unconfigured, a user's certificates are not published in Active Directory and certificates
of Trusted Contacts are not downloaded from Active Directory.
Certificate use policy
Allows the use of third-party certificates.
If enabled, any certificate having signature, encryption and email protection capabilities is allowed.
If disabled or unconfigured, only special Comodo-issued certificates can be used and only those
certificates are displayed in the Certificate Manager and Trusted Contacts Manager.
Security/Authentication
WARNING: The two authentication settings described below, located under the Policies\Administrative
Templates\DigitalPersona Pro Client\Security\Authentication node, are included for backwards
compatibility with versions prior to 5.2.
Pro Enterprise versions 5.2 and above use new authentication settings, in a new AD location, located under
the Policies\Software Settings\DigitalPersona Pro Client\Security\Authentication node (see page 101).
When upgrading your DigitalPersona Pro products, once all client workstations have been upgraded to 5.2
these two settings should be set to not configured.
Logon Authentication Policy
Defines the credentials that may be used to access the computer, decrypt the hard drive, and log on to
Windows.
If enabled, only the specified authentication devices, in the specified combination, can be used for
authentication.
If disabled or not configured, any of the installed authentication devices can be used for authentication.
Session Authentication Policy
Defines the credentials that may be used to access Security applications during a Windows
session.
If enabled, only the specified authentication devices, in the specified combination, can be used for
authentication.
If disabled or not configured, any of the installed authentication devices can be used for authentication.
Security/Features
Enable multi-factor authentication in Windows logon
Configures whether or not the multi-factor authentication feature is enabled in Windows logon.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
117
If enabled, users are allowed to log on to Windows only if they are authenticated according to the
multi-factor Logon Authentication Policy in effect.
If disabled, the multi-factor Logon Authentication Policy in effect is not enforced, and the standard
Windows logon is used.
If not configured, multi-factor authentication is enabled.
Settings
Enable One Step Logon
One Step Logon simplifies the logon process when multi-factor authentication is enabled both at pre-boot
and Windows logon.
If enabled or not configured, authentication is required at pre-boot only, and users are automatically
logged on to Windows
If disabled, authentication may be required multiple times.
Enable Self Password Recovery
Self Password Recovery is a recovery feature that allows users to gain access to the computer in the event
that they are unable to authenticate with the required credentials.
If enabled, users will be able to use Self Password Recovery to log on.
If disabled, the Self Password Recovery feature is not made available to users.
If not configured, the availability of the Self Password Recovery feature is controlled locally by the
Allow Self Password Recovery recovery setting in the clients Administrative Console.
Software Updates
Allow running auto updates on the computer
If enabled or not configured, auto updates are allowed on the client computers.
If disabled, auto updates are not allowed on the client computers.
Enable the Central Management menu item
If enabled or not configured, the Central Management menu item is shown in the user dashboard.
If disabled, the Central Management menu item is not shown in the user dashboard.aaa
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
118
DigitalPersona Pro Enterprise Server (Summary)
The policies and settings in this table are implemented through AD Administrative Templates and are used
to configure the behavior of DigitalPersona Pro Enterprise Server.
Category/Subcategories Setting name Page
Authentication Devices 119
Fingerprints 119
- Fingerprint verification lockout Account lockout duration 119
Reset account lockout counter after 119
Account lockout threshold 119
Fingerprint enrollment 119
Fingerprint verification 120
PIN PIN enrollment 120
Event logging Level of detail in event logs 121
Identification Server settings
Perform fingerprint identification on server 121
Restrict identification to a specific list of users 122
Pro Enterprise Server DNS
Automated site coverage by Pro Enterprise Server Locator
DNS SRV records
122
Refresh interval of Pro Enterprise Server DNS records 122
Sites covered by Pro Enterprise Server Locator DNS
records
123
Priority set in Pro Enterprise Server DNS records 123
Weight set in Pro Enterprise Server Locator DNS records 123
Register Pro Enterprise Server Locator DNS records for
domain
124
Dynamic registration of Pro Enterprise Server Locator
DNS records
124
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
119
DigitalPersona Pro Enterprise Server (Detail)
Authentication Devices
Fingerprints
Fingerprint verification lockout
Account lockout duration
Configure the number of minutes an account is locked out before automatically being unlocked. To specify
that the account will be locked out until the administrator explicitly unlocks it, set the value to 0. The
Account lockout duration must be greater than or equal to the reset time.
If enabled, you can set a value between 1 and 99999 minutes.
If disabled or not configured, the duration of the lockout is 30 minutes.
Reset account lockout counter after
Configure the number of minutes that must elapse after a failed fingerprint verification attempt before the
account lockout counter is reset to 0. The reset time must be less than or equal to the Account lockout
duration.
If enabled, you can set a value between 1 and 99999 minutes.
If not configured, the counter is reset after 5 minutes.
Account lockout threshold
Configure the number of failed fingerprint verification attempts that causes a user account to be locked out.
The lockout only applies to fingerprint verification. Other enrolled credentials may still be used.
A user cannot access a locked out account using their fingerprint until it is reset by an administrator or until
the account lockout duration has expired.
If enabled, you can set a value between 1 and 999 failed fingerprint verification attempts, or you can
specify that the account will never be locked out to fingerprint verification by setting the value to 0.
If disabled or not configured, the account will never be locked out due to failure of fingerprint verification.
Fingerprint enrollment
Configure settings related to fingerprint enrollment.
Set the minimum number of enrolled fingerprints
This setting requires that the user enroll at least the specified number of fingerprints.
Enrolling just one fingerprint increases probability of not being able to authenticate. Enrolling several
fingerprints will increase the probability of false acceptance.
If disabled or not configured, the minimum number of fingerprints required for enrollment is 1.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
120
Set the maximum number of enrolled fingerprints:
This setting restricts the number of fingerprints that a user can enroll. Enrolling several fingerprints
will increase the probability of false acceptance.
If disabled or not configured, the maximum number of fingerprints allowed for enrollment is 10.
Fingerprint verification
Configures the False Accept Rate (FAR), which is the probability of receiving an acceptance decision
when comparing fingerprints scanned from different fingers.
Specify the value 1 in N where one false acceptance is likely to occur in N verification attempts. For
example, if you select 1 in 10,000 it means that, on average, one false acceptance will occur when a
fingerprint is compared against ten thousand fingerprints scanned from different fingers. If you select 1 in
100,000 the probability is one in one hundred thousand.
The higher the value N specified, the lower the chance of receiving a false acceptance. If this value is too
high, the system may reject legitimate fingerprints.
If enabled, you can set the False Accept Rate for fingerprint verification.
If disabled or not configured, the value of 1 in 100,000 FAR is used.
NOTE: FAR is set on a per verification basis. When matching a fingerprint against fingerprints of multiple
users (identification), the internally used FAR is automatically adjusted to maintain the same effective FAR
as was selected for a single match.
PIN
PIN enrollment
Configure settings related to enrollment of user PIN.
If enabled, enables setting the minimum length of the user PIN.
If disabled or not configured, the minimum length of the user PIN is 4.
Set the minimum length of user PIN
Use the up and down arrow keys to set the minimum length of the user PIN.
Caution: Setting a very short PIN reduces security by making it easier to try all possible combinations of
numbers comprising the PIN.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
121
Event Logging
Level of detail in event logs
Determines whether DigitalPersona Pro logs events, such as fingerprint registration and authentication
attempts, in the Windows Event Log.
There are three levels of event logging:
Errors
Auditing
Details
Each next level includes all previous levels. Each event is logged on the computer where the event
occurred.
For most normal tasks it is enough to set the level to Auditing. This would cover all logon events,
authentication events, fingerprint management events, user management events, etc.
Setting a very high level of event logging will fill the log file quickly.
If enabled, DigitalPersona Pro logs events on the specified level. If not configured, events are logged
on the Auditing level.
If disabled, events are logged on the Auditing level.
Log Status events
Note that logging of Status events (see page 150) is not enabled by default, and must be separately enabled
by selecting the Log Status Events checkbox. Status events provide information about the state of various
policies and components on client computers.
The interval at which status events are reported can also be configured.
Identification Server settings
Perform fingerprint identification on server
Specifies whether fingerprint identification is performed on the DigitalPersona Pro Server or against the
local computer cache. The default is not configured, however this setting must be enabled for
DigitalPersona Pro Kiosk clients where fingerprint credentials will be used.
If enabled, fingerprint identification requests are directed to a DigitalPersona Pro Server, where the
provided fingerprint data is compared to the data for every user with enrolled fingerprints in the Active
Directory domain. Note that after enabling this setting, you will need to wait about 15 minutes before
identification is available - or you can restart the Pro Enterprise Server to refresh the settings.
If disabled or not configured, fingerprint identification requests are processed on the local computer,
where the provided fingerprint data is compared to the data for every user with enrolled fingerprints in
the local computer cache.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
122
Restrict identification to a specific list of users
Allow restricting identification to a specific list of users with permissions for the computer where the
identification request originates.
If enabled, you can define a list of users who can participate in identification, and then assign this list
to a specific computer or set of computers.
If disabled or not configured, identification is performed against all domain users.
For details on how to define this list of users, see the topic Identification List on page 215.
Pro Enterprise Server DNS
Automated site coverage by Pro Enterprise Server Locator DNS SRV records
Configure whether or not Pro Enterprise Server will dynamically register Pro Enterprise Server Locator
site-specific SRV records for the closest sites where no Pro Enterprise Server for the same domain exists.
These DNS records are dynamically registered by Pro Enterprise Server, and they are used by
DigitalPersona Pro Workstation to locate Pro Enterprise Server.
If enabled, the computers to which this setting is applied dynamically register Pro Enterprise Server
Locator site-specific DNS SRV records for the closest sites where no Pro Enterprise Server for the
same domain exists.
If disabled or not configured, the computers will not register site-specific Pro Enterprise Server
Locator DNS SRV records for any other sites but their own.
Refresh interval of Pro Enterprise Server DNS records
Configure the refresh interval of Pro Enterprise Server Locator DNS resource records for computers to
which this setting is applied. These DNS records are dynamically registered by Pro Enterprise Server and
are used by DigitalPersona Pro Workstation to locate Pro Enterprise Server. This setting may be applied
only to computers using dynamic update.
Computers configured to perform dynamic registration of Pro Enterprise Server Locator DNS resource
records periodically re-register their records with DNS servers, even if their records data has not changed.
If authoritative DNS servers are configured to perform scavenging of the stale records, this re-registration
is required so that the authoritative DNS servers (which are configured to automatically remove stale
records) will recognize these records as current and preserve them in the database.
Warning: If the DNS resource records are registered in zones with scavenging enabled, the value of this
setting should never be longer than the refresh interval configured for these zones. Setting the refresh
interval of Pro Enterprise Server Locator DNS records to longer than the refresh interval of the DNS zones
may result in unwanted deletion of DNS resource records.
If enabled, allows you to specify a refresh interval longer than the default value of 1800 seconds (30
minutes).
If disabled or not configured, computers use the default value.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
123
Sites covered by Pro Enterprise Server Locator DNS SRV records
Configure the sites for which the domain Pro Enterprise Server registers site-specific Pro Enterprise Server
Locator DNS SRV resource records. These records are in addition to the site-specific SRV records
registered for the site where Pro Enterprise Server resides, and in addition to the records registered by a Pro
Enterprise Server configured to register Pro Enterprise Server Locator DNS SRV records for those sites
without a Pro Enterprise Server that are closest to it.
The Pro Enterprise Server Locator DNS records are dynamically registered by Pro Enterprise Server, and
they are used by DigitalPersona Pro Enterprise clients to locate a Pro Enterprise Server. An Active
Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active
Directory access and replication.
If enabled, configures the sites covered by the Pro Enterprise Server Locator DNS SRV records.
Specify the site names in a space-delimited format. The site names have the following format, in which
the <site name> component must be present and the <priority> and <weight> components are optional.
The <priority> and <weight> components must be a numeric string value.
<site name>:<priority>:<weight>
If disabled or not configured, no site-specific SRV records will be registered.
Priority set in Pro Enterprise Server Locator DNS records
Configure the Priority field in the SRV resource records registered by Pro Enterprise Server to which this
setting is applied. These DNS records are dynamically registered by Pro Enterprise Server and are used by
DigitalPersona Pro Workstation to locate Pro Enterprise Server.
The Priority field in the SRV record sets the preference for target hosts specified in the SRV record Target
field. DNS clients that query for SRV resource records attempt to contact the first reachable host with the
lowest priority number listed.
If enabled, configures the Priority in the Pro Enterprise Server Locator DNS SRV resource records.
Specify a value between 0 and 65535.
If disabled or not configured, computers use a default priority of 0.
Weight set in Pro Enterprise Server Locator DNS records
Configure the Weight field in the SRV resource records registered by Pro Enterprise Server to which this
setting is applied. These DNS records are dynamically registered by Pro Enterprise Server, and they are
used to locate Pro Enterprise Server.
The Weight field in the SRV record can be used in addition to the Priority value to provide a load-
balancing mechanism where multiple servers are specified in the SRV record's Target field and set to the
same priority. The probability with which the DNS client randomly selects the target host to be contacted is
proportional to the Weight field value in the SRV record.
If enabled, configures the Weight in the Pro Enterprise Server Locator DNS SRV records. Specify a
value between 0 and 65535.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
124
If disabled or not configured, computers use a default weight of 100.
Register Pro Enterprise Server Locator DNS records for domain
Configure whether or not Pro Enterprise Server will dynamically register Pro Enterprise Server Locator
domain-specific SRV records for the domain it belongs to. The DNS records are dynamically registered by
Pro Enterprise Server, and they are used by DigitalPersona Pro Workstation to locate Pro Enterprise Server.
If enabled or not configured, computers dynamically register Pro Enterprise Server Locator domain-
specific DNS SRV records.
If disabled, computers will not register the domain-specific Pro Enterprise Server Locator DNS SRV
records for the domain they belong to and register only site-specific records.
Dynamic registration of Pro Enterprise Server Locator DNS records
Configure whether or not dynamic registration of Pro Enterprise Server Locator DNS resource records is
enabled. These DNS records are dynamically registered by Pro Enterprise Server and are used by
DigitalPersona Pro Workstation to locate Pro Enterprise Server.
If enabled or not configured, computers will dynamically register Pro Enterprise Server Locator DNS
resource records through dynamic DNS update-enabled network connections.
If disabled, computers will not register Pro Enterprise Server Locator DNS resource records.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
125
User Configuration\Policies\Software Settings
DigitalPersona Pro Client (Summary)
During installation, DigitalPersona Pro Enterprise places a folder under the User Configuration\ Policies \
Software Settings\DigitalPersona Pro Client folder containing policies and settings that may be applied to
users.
The policies and settings in this table only affect users on supported DigitalPersona Pro Enterprise clients.
DigitalPersona Pro Client (Detail)
Security/Authentication
Settings that define DigitalPersona Pro Enterprise authentication policies are stored at:
User Configuration/Policies/Software Settings/DigitalPersona Pro Client/Security/Authentication.
Session Authentication Policy
The Session Authentication Policy defines the
credentials that may be used to access Security
applications during a Windows session. By default,
all supported credentials are listed on the tab. Any of
the listed credentials or credential combinations -
Permitted Credentials - may be used for
authentication in the Session Authentication Policy.
1 In the Group Policy Management Editor, click
Session Authentication Policy at the following
location: Computer Configuration/Policies/
Software Settings/DigitalPersona/Security/
Authentication.
2 On the Session Policy tab, make any desired
changes.
To edit or delete a Credential from the list, click
the arrow that appears to the right of the credential.
Category/Subcategories Setting name Page
Security
Authentication Session Authentication Policy 125
Enrollment Self Enrollment Policy 126
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
126
To add a credential to the list, click Add at the top of the list.
3 Click Apply.
Security/Enrollment
Settings that define DigitalPersona Pro Enterprise
enrollment policies are stored at:
User Configuration/Policies/Software Settings/
DigitalPersona Pro Client/Security/Enrollment.
Self Enrollment Policy
This policy determines the credentials that may be
used for self enrollment on a client workstation.
If enabled, only the specified credentials may be
used for self enrollment.
If disabled or not configured, any installed and
supported credentials may be used.
Note that this setting takes precedence over the
computer-level Self Enrollment Policy setting.
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
127
User Configuration\Administrative Templates
DigitalPersona Pro Client (Summary)
During installation, DigitalPersona Pro Enterprise places a folder under User
Configuration\Administrative Templates\DigitalPersona Pro Client folder containing policies and settings
that may be applied to users.
The policies and settings in this table only affect users on supported DigitalPersona Pro Enterprise clients.
DigitalPersona Pro Client (Detail)
Managed applications
Password Manager
Allow creation of personal logons
Allows users to create and use personal logons for websites and programs.
If enabled or not configured, personal logons are available.
If disabled, personal logons are not available.
Managed logons
Configure settings for managed logons which govern the access to account data and deployment to users.
Allow users to view managed logon passwords: If enabled or not configured, users are allowed to view
their managed logon passwords after verifying their identity. If disabled, users are not allowed to view
managed logon passwords.
Allow users to edit account data: If enabled or not configured, users can edit their account data. If
disabled, users cannot edit account data.
Allow users to add account data: If enabled or not configured, users can add to their account data. If
disabled, users cannot add new account data.
Category/Subcategories Setting name Page
Managed applications
Password Manager Allow use of personal logons 127
Managed logons 127
Security
Authentication Session Authentication Policy 128
Chapter 11 - Policies and Settings
DigitalPersona Pro Enterprise - Administrator Guide
128
Allow users to delete account data: If enabled or not configured, users can delete their account data. If
disabled, users cannot delete account data.
Path(s) to the managed logons folder(s): If enabled, the logons are copied to the computers that have
this setting applied. You can specify multiple folders by separating the paths with a pipe character (|).
If disabled or not configured, no copy operation will be performed.
Security (versions previous to 5.2)
Authentication
WARNING: The authentication setting described below is included for compatibility with Pro Enterprise
versions prior to 5.2. It is located under the User Configuration\Policies\Administrative
Templates\DigitalPersona Pro Client\Security\Authentication node.
Versions of Pro Enterprise 5.2 and above use new authentication settings, in a new AD location, located
under the User Configuration\Policies\Software Settings\DigitalPersona Pro
Client\Security\Authentication node (see page 101).
Once all client workstations in your environment have been upgraded to 5.2, these setting should be set to
not configured.
Session Authentication Policy
Defines the credentials that may be used to access Pro security applications during the Windows session.
If enabled, only the specified combination of credentials in the Policy can be used for authentication.
If disabled, the user is not prompted to authenticate by DigitalPersona Pro security applications during
the Windows session. This configuration provides Single Sign-On functionality. The user logs on to
Windows, and gains access to all security applications without being prompted to authenticate for each
application.
If not configured, any of the installed authentication devices can be used for authentication.
DigitalPersona Pro Enterprise - Administrator Guide
129
Single Sign-On 12
Single Sign-On (SSO) is a feature of DigitalPersona Pro that allows IT administrators to simplify user
logon to DigitalPersona Security Applications and enterprise applications; including traditional Windows
applications, websites and web applications, terminals, and Citrix or similar software thin client solutions,
without needing to modify existing processes.
Single Sign-On supports multiple authentication credentials in configurable combinations in order to
provide the utmost flexibility in customizing the feature to your environment.
Configuring Single Sign-On
Configuration of Single Sign-On requires two steps.
1 Disable the Session Authentication Policy setting for the computers where you want to implement
SSO.
2 Create managed logons for any resources that you want users to be able to access during a WIndows
session without needing to provide additional authentication. These logons must have their Start
Authentication Immediately property set to Yes when they are created by the administrator.
Disable Session Authentication
In Active Directory, disable Session Authentication for the OU (or domain) where you want to use SSO.
1 In the Group Policy Management Editor, click Session Authentication Policy at the following
location: Computer Configuration/Policies/Software Settings/DigitalPersona/Security/Authentication.
2 On the Session Policy tab, select Disabled.
Create managed logons
The actual creation of managed logons is covered in the DigitalPersona Password Manager Application
Guide, and is beyond the scope of this topic.
However, in order to implement SSO, the managed logon for each resource that will be part of SSO must
include use of the Start Authentication Immediately setting.
When creating a managed logon for a resource,
On the Logon Screen Properties page of the Logon Screen Wizard, choose Yes for the Start
Authentication Immediately setting.
Note that this must be used in conjunction with disabling the Session Authentication Policy in order to
create a SSO experience. If the Session Authentication Policy is not disabled, authentication will start
immediately, but the user will still be prompted for additional authentication.
DigitalPersona Pro Enterprise - Administrator Guide
130
GPMC Extensions 13
Overview
DigitalPersona Pro Enterprise Server and its associated workstation clients use GPMC extensions,
installed under the Software Settings and Administrative Templates nodes, to link product policies and
settings to Active Directory containers. These policies and settings are described in the chapter, Policies
and Settings on page 99.
The GPMC Extensions component includes the Administrative Templates listed in the table below, and the
following extensions, which are not actually Administrative Templates (i.e. admx/.adm files), but provide
additional policies and settings in basically the same manner.
Authentication Policy extension- Settings for specifying the credentials that may be used to log in to
Windows and to log in to DigitalPersona security applications during the Windows session.
Kiosk Administration extension - Settings for configuring the Kiosk Shared Account and additional
kiosk-specific settings.
Additional extensions or templates may be provided as new components are released, and will be specified
in the readme file for each component. Extensions are .admx for Windows Server 2008 or Windows Vista
(and later), and .adm for all other supported versions of Windows.
Adding an administrative template to a container applies the DigitalPersona Pro Enterprise policies and
settings to the computers and users in that container.
For instructions on installing these extensions, see GPMC Extensions on page 57. For a complete listing of
the policies and settings provided by the GPMC extensions, see the topic Policies and Settings on page 99.
File Name (adm/admx) Description
DPPro5Root DigitalPersona Pro Administrative Template - Creates a root-level folder
and categories for all DigitalPersona Pro products, and if not already
present, is installed automatically with any DigitalPersona Pro product.
DPPro5Server DigitalPersona Pro Enterprise Server Administrative Template - Apply to
Active Directory GPOs where it can be distributed to Domain Controllers
running DigitalPersona Pro Enterprise Server.
DPPro5Client DigitalPersona Pro Workstation for Enterprise Administrative Template -
Apply to Active Directory GPOs where it can be distributed to computers
running DigitalPersona Pro Workstation for Enterprise.
It can also be applied to a local GPO for a standalone installation of
DigitalPersona Pro Workstation for Enterprise.
Chapter 13 - GPMC Extensions
DigitalPersona Pro Enterprise - Administrator Guide
131
Implementation Guidelines
Before you add any Administrative Templates to your GPOs, give some thought to your Active Directory
structure, where GPOs are placed, and which GPOs the Administrative Templates should be added to.
Policy configuration needs will vary from network to network and specific policy recommendations are
beyond the scope of this guide. You may want to refer to Microsofts documentation on Group Policy
Object configuration for more information.
Organizational Units and GPOs
DPPro5ClientKiosk DigitalPersona Pro Kiosk for Enterprise Administrative Template - Apply to
Active Directory GPOs where it can be distributed to computers running
DigitalPersona Pro Kiosk for Enterprise.
It can also be applied to a local GPO for a standalone installation of
DigitalPersona Pro Kiosk for Enterprise.
DPPro5IDServer DigitalPersona Pro Enterprise ID Server Administrative Template - Apply
to Active Directory GPOs where it can be distributed to Domain Controllers
running DigitalPersona Pro Enterprise Server.
DPPro5ClientAuthPol DigitalPersona Pro Enterprise Server Authentication Policies
Administrative Template - Apply to Active Directory GPOs where it can be
distributed to computers running DigitalPersona Pro Workstation for
Enterprise.
It can also be applied to a local GPO for a standalone installation of
DigitalPersona Pro Workstation for Enterprise.
DPPasswordManager DigitalPersona Password Manager Administrative Template - Apply to
Active Directory GPOs where it can be distributed to computers running
DigitalPersona Password Manager.
DPPrivacyManager DigitalPersona Privacy Manager Administrative Template - Apply to Active
Directory GPOs where it can be distributed to computers running
DigitalPersona Pro Privacy Manager.
DPPro5EvForwarding DigitalPersona Reporter Administrative Template - Apply to Active
Directory GPOs where it can be distributed to computers running
DigitalPersona Pro Enterprise clients.
DPPro5OneTouchLock DigitalPersona One Touch Unlock Administrative Template - Apply to
Active Directory GPOs where it can be distributed to computers running
DigitalPersona Pro Enterprise clients.
File Name (adm/admx) Description
Chapter 13 - GPMC Extensions
DigitalPersona Pro Enterprise - Administrator Guide
132
Although the use and configuration of organizational units and GPOs varies widely among corporations,
we have provided some general guidelines for structuring Active Directory organizational units.
There are two key factors in deciding how to structure your network:
How you group your users and computers, and
Where the DigitalPersona Pro GPOs are set.
For example, if users and computers are to be grouped according to authentication policies, you should
group them into separate OUs (Organizational Units) and then set specific GPOs for each OU.
However, when authentication policies within organizational units vary, as they often do among
department heads and subordinates, then you should group your users and/or computers into child
organization units reflecting the necessary authentication needs.
Structuring your organizational units based on authentication policies is the easiest way to administer
DigitalPersona Pro.
1 Plan your network structure by identifying the settings you intend to configure.
2 Determine whether to apply the settings to all users and computers in a site or domain, or just to the
users and computers in an organizational unit.
3 Create the organizational units required to implement your design.
4 Add the respective users and computers to the organizational units.
GPO behavior
Here are a few guidelines to keep in mind when configuring DigitalPersona Pro GPOs.
If a GPO setting is not configured, the default value set in the software is used.
If a superior (higher-level) GPO has a value for a setting and a subordinate GPO has a conflicting
value for that setting, the setting in the subordinate is used.
If a GPO has a value for a setting and a subordinate (lower-level) container has the GPO setting with
no value, the setting in the superior (high-level) GPO is used.
GPOs can only be applied to the three Active Directory containers: sites, domains and organizational
units; not to users or computers.
A single GPO can be applied to one or more containers.
A GPO affects all users and computers in the container, and subcontainers, it is applied to.
The DigitalPersona GPO settings apply only to computers with DigitalPersona software installed on them.
In very basic Active Directory deployments, one can simply make a DigitalPersona GPO, linked at the
domain, and set the DigitalPersona Pro Enterprise Server and Pro Workstation settings here for all users
and computers alike.
Chapter 13 - GPMC Extensions
DigitalPersona Pro Enterprise - Administrator Guide
133
Install Workstation Administrative Templates Locally
For local administration of a DigitalPersona Pro Workstation, the Workstation Administrative Templates
(DPPro5Client and DPPro5ClientAuth) can be added to the local policy object of any computer running
DigitalPersona Pro Workstation by using the Microsoft Management Console (MMC) Group Policy
Editor.
To add the Workstation Administrative Template locally
1 On the Start menu, click Run. Type gpedi t . msc and press Enter to launch the Group Policy Editor.
2 Right-click the Administrative Templates folder and select Add/Remove Templates on the
Administrative Templates folder shortcut menu.
3 Click the Add button on the Add/Remove Templates dialog box and then locate and select the
DPPro5Client and DPPro5ClientAuth files from the default administrative templates directory. On
Windows Server 2003, this folder is C:\Windows\inf. On Windows Server 2008, the folder is
X:\Windows\PolicyDefinitions.
4 Click Close.
DigitalPersona Pro Enterprise - Administrator Guide
134
Recovery 14
DigitalPersona Pro Enterprise provides full recovery options to administrators for enabling users
to regain access to their Windows user accounts and computers.
This chapter includes the following main topics.
User recovery
Installation of DigitalPersona Pro Enterprise or the DigitalPersona ADUC Snap-in adds the Recover User
command to Active Directorys context menu for a user in the Active Directory Users and Computers
console. This command enables recovery of the user's access to their Windows account by a one time
access code available through a link on the Windows logon screen.
To recover a user
DigitalPersona Pro Enterprise provides a means to easily recover access to a computer where a
user is unable to access their account, and needs one time access to the pre-boot environment and
their Windows account.
1. The user contacts your helpdesk and provides their Windows user account name. A Pro Enterprise
administrator assists them in recovering their user access.
2. The administrator locates the user in Active Directory, right-clicks the user and selects Recover User,
which launches the Recover access wizard.
3. The administrator transmits the displayed Recovery account name and password to the user. This will
enable them to authenticate at the pre-boot level. Upon use, this password is automatically changed.
4. The user enters the provided information, gaining access to the computer at the pre-boot level.
5. At the Windows logon screen, the user clicks their user tile. On their user tile screen, they click the One
time access link.
6. The user transmits the displayed Security Key to the administrator.
7. The administrator clicks Next, enters the Security Code and clicks Next again.
8. Pro Enterprise displays a One time access code which is transmitted to the user.
9. The user types the One time access code and clicks OK, gaining access to their Windows account.
Topic Page
User recovery 134
Computer recovery 135
Account lock recovery 135
Chapter 14 - Recovery
DigitalPersona Pro Enterprise - Administrator Guide
135
Computer recovery
In Active Directory, installation of DigitalPersona Pro Enterprise or the DigitalPersona ADUC Snap-in
adds the Recover Computer command to Active Directorys computer object context menu. This
command can be used to easily recover access to a computer where a user has been locked out during pre-
boot authentication.
To recover a computer from a pre-boot lockout
1. The user contacts your helpdesk for assistance in recovering from a pre-boot lockout. A Pro
Enterprise administrator assists them in recovering their user access.
2. The administrator locates their computer in Active Directory, right-clicks on the computer and
selects the Recover Computer command.
3. The Computer Recovery wizard launches, displaying recovery information for the computer.
4. The administrator transmits the displayed Recovery Account name and password to the user.
This will enable them to authenticate at the pre-boot level. Upon use, this password is
automatically changed.
Account lock recovery
When a user exceeds the permissible number of authentication attempts (as defined in the Windows
security policy) with a fingerprint credential, they are automatically locked out of their account. A locked
out account cannot be used until it is reset by an administrator or until the account lockout duration has
expired.
When an account is unlocked by an administrator, the account becomes immediately available for
fingerprint authentication from all computers, or after the next replication interval if there are multiple
domain controllers.
To unlock a Windows user account
1 Ensure that you have the required permissions to modify the user account.
2 In Active Directory for Users and Computers, right-click on the user name and select Properties.
3 Click the DigitalPersona Pro tab.
4 Clear the Account is locked out for fingerprint authentication checkbox.This checkbox is for unlocking
accounts and cannot be used by an administrator to lock an account. If the account is unlocked, the
checkbox is disabled.
5 Click OK to close the dialog box and save the changes.
The administrator can choose to set less strict lockout settings by reducing the lockout duration
time or reducing the counter reset time through Windows security settings.
DigitalPersona Pro Enterprise - Administrator Guide
136
Pro Reports 15
DigitalPersona Pro Reports provides a wide-variety of pre-configured template-based reports for
managers, administrators and auditors. These reports include detailed information on managed computers,
users, SSO events and specific reports addressing HIPAA, PCI and SOX compliance.
Pro Reports is an add-on component available from DigitalPersona or your authorized reseller.
Overview
DigitalPersona Pro Reports automatically forwards all events generated by Pro Enterprise clients (versions
5.4 and above) to a designated Collector computer via the Windows Event Forwarding mechanism.
The Pro Ent Report Event import task, which runs every fifteen minutes on the hour, parses the forwarded
events and populates an SQL database. Events are then available to be viewed through the DigitalPersona
Pro Reports web console (see page 139).
Activity events are logged whenever a designated activity occurs on the client. For a complete listing and
description of all events, see the chapter Pro Events beginning on page 145.
There are some events that are not automatically written to the local Windows Event log. Logging of these
events requires additional configuration through selection of the Log Status Events checkbox of the Level
of detail in event logs GPO setting (see page 111). These events provide information about the state of
various policies and components on client computers. The interval at which status events are reported can
also be configured through the GPO. Logging status events at small time intervals may consume system
resources and fill up your Forwarded Events log very quickly.
All logged DigitalPersona Pro client events are written to the local Windows Event Log with a root name
of DigitalPersona\Pro. The channel name includes the name of the component that logs the events.
Currently, the following Component names are defined:
Future components may provide their own channel names, creating a separate Component log under
DigitalPersona\Pro.
Currently, all the events are written into the Operational log under the Component folder.
Component name Description
Core A general log for all DigitalPersona
component events not assigned to a more
specific channel.
Logon User logon/logoff and lock/unlock events.
Password Manager Managed logon events created by the use of
the Password Manager application.
Chapter 15 - Pro Reports
DigitalPersona Pro Enterprise - Administrator Guide
137
Event logging happens on the client workstation whether or not event forwarding to the Collector
computer has been enabled and set up. If the DigitalPersona Reporter Event Forwarding setting (see page
112) has been enabled, then events are forwarded to the Forwarded Events Log folder on the computer
where DigitalPersona Pro Reports is installed. The events are logged in the Event Viewer\Windows
Log\Forwarded Events folder.
In order to use DigitalPersona Pro Reports, the component first needs to be set up.
Setting up DigitalPersona Pro Reports
Setting up DigitalPersona Pro Reports includes the following tasks:
1 Verify that the Pro Enterprise server is licensed.
2 Configure Active Directory GPO settings for event forwarding on the domain controller.
3 Install and configure DigitalPersona Pro Reports on the computer where the events will be collected.
This computer should not be a domain controller and should not have DigitalPersona Pro Enterprise
Server installed on it.
Verify licensing
You can verify license activation in the GPME (Group Policy Management Editor) under Computer
Configuration, Policies, Software Settings, DigitalPersona, Licenses.
Configure GPO settings
Configure the following Active Directory GPO settings.
1 Enable the DigitalPersona Pro Reports Event Forwarding setting. This setting is located in the
GPME at Administrative Templates\DigitalPersona Pro Client\Event Logging\DigitalPersona Pro
Reports.
2 Enable and configure the Level of detail in event logs setting. This setting is located at
Administrative Templates\DigitalPersona Pro Enterprise Server\Event logging.
3 Enable and configure the Configure the server address, refresh interval, and issuer certificate
authority of a target Subscription Manager setting. This setting is located in the GPME at
Administrative Templates\Windows Components\Event Forwarding.
Enable the setting
Click Show, then click Add.
Enter the following string, where <computer name> is the name of the computer where
DigitalPersona Pro Reports will be installed.
Server=HTTP://<computer name>.<domain name>:5985/WSman/SubscriptionManager/
WEC,Refresh=10
Click OK to close the dialog.
Chapter 15 - Pro Reports
DigitalPersona Pro Enterprise - Administrator Guide
138
Install and configure Pro Reports
DigitalPersona Pro Reports may be installed on any computer that is a member of the domain and meets
the following requirements.
Is running Windows Server 2008 (32/64-bit) or Microsoft Windows 7 (32/64-bit)
Should not have DigitalPersona Pro Enterprise Server installed on it
The computer name must not include underscores, for example TEST_0250.
The computer must not be a domain controller.
Installation
The installation file for DigitalPersona Pro Reports is located in the root directory of the DigitalPersona
Pro Reports product package. Be sure to check the readme.txt file for any updated information prior to
installing Pro Reports.
1 Start the installation wizard by launching setup.exe.
2 Follow the onscreen instructions.
3 You will be prompted to either use an existing SQL Server 2008 instance if no other instances of SQL
Server (RTM, R2 SP1, Express RTM or R2 SP1 Express) are detected, or to install SQL Server 2008
R2 Express Edition.
4 Internet Information Services (x86) will be installed.
5 The installation will place a shortcut to the DigitalPersona Pro Reports web console on your desktop.
Chapter 15 - Pro Reports
DigitalPersona Pro Enterprise - Administrator Guide
139
Web console
The DigitalPersona Pro Reports web console allows you to generate, view and schedule reports based on
the activity and status events generated by DigitalPersona Pro Enterprise clients.
Pro Reports provides powerful pre-configured templates for quickly and easily creating various types of
reports as shown in the illustration below.
The URL for the Pro Reports web console is: https://<hostname>/Dashboard/Reports.
The Pro Reports web console supports the following web browsers.
Internet Explorer 6-10
Google Chrome 18-22
Mozilla Firefox 4-16
Note that when creating or editing reports, you must click the Save or Run Now buttons to save any new or
modified information.
Chapter 15 - Pro Reports
DigitalPersona Pro Enterprise - Administrator Guide
140
Creating a report
To create a new report
1 On the main Pro Reports page, click a report type under one of the listed categories.
2 Within the report type, select a template.
3 By default, the report name and description are filled in with the template name and description. You
can also click on the name or description to personalize your reports.
Chapter 15 - Pro Reports
DigitalPersona Pro Enterprise - Administrator Guide
141
4 Select from the available parameters to build the query for your report. Parameters will vary for
different reports.
5 In the image on the previous page, the End Date would be the last date you want included in the report.
Select from the Limit Data by dropdown to indicate how far back you would like to report data from,
i.e. an End Date of today and a Limit Data by selection of End Date - 1 day would give you data
from the beginning of yesterday (000000) to the current time today. When scheduling a report, you
will enter the date ranges to be used for the subscriptions.
6 (Optional) To report on data for all Pro-managed computers, leave the Computer name field blank. To
report on data for a single Pro-managed computer, enter the computer name.
7 To run the report, click Run now.
Note that data entered in the fields on this form is not automatically saved as you move from field to field.
If you close a tab or browser window before Saving or Running a report your data will be lost.
Creating a new subscription
Subscriptions can be created from one or more reports scheduled to be run at regularly scheduled intervals.
They may be created either during the initial definition of the report, or later, by opening a report and
clicking one of the links available to create a new subscription or to add the report to an existing
subscription (see page 143).
To create a new subscription from a report
1 From the previously created reports page, click Create a new subscription (see the image on the
previous page).
2 Enter a name for the subscription and (optionally) a description.
3 Click Create.
4 Enter the email address that you want the report to be sent to. You can also enter multiple email
addresses, separated by semicolons.
Chapter 15 - Pro Reports
DigitalPersona Pro Enterprise - Administrator Guide
142
5 Enter a subject for the email that recipients will receive when they get the report.
6 By default, the subscription is
enabled. To disable the subscription,
i.e. stop the report from running,
deselect the Enabled checkbox.
7 Enter the beginning and ending
dates for the subscription. The
report(s) in this subscription will be
run beginning on the From date
until the To date.
8 Indicate specific parameters to be
used when determining how often
the report(s) are to be run. By
default, the report(s) will be run
daily during the selected time
period.
9 For example, to run the report for a
year (as defined in the above
image), on the first Monday of the
month, deselect the weeks and days when you do not want to run the report.
10 Enter the time when you want the report to be run.
11 Click the Reporting Tools tab to return to the main Pro Reports page. Your new subscription will be
listed under My subscriptions.
Chapter 15 - Pro Reports
DigitalPersona Pro Enterprise - Administrator Guide
143
Adding a report to an existing subscription
To add a report to an existing subscription
1 From the main Pro Reports page, click the report that you want to add.
2 Click add report to an existing subscription.
3 Select the subscription that you want to add the report to.
4 The report will be added to the selected subscription.
Editing a subscription
To edit a subscription
1 From the main Pro Reports page, click the subscription you want to revise.
2 Click one of the reports in the subscription to edit the query details.
Chapter 15 - Pro Reports
DigitalPersona Pro Enterprise - Administrator Guide
144
3 Revise subscription details as required. Changes are saved automatically.
Bookmarking a report
To bookmark a report
1 On the main Pro Reports page, hover over the name of the report.
2 Click the bookmark icon.
Deleting a report or subscription
To delete a report
On the main Pro Reports page, hover over the name of the report or subscription. Click the X that
displays to the right of the report or subscription name.
DigitalPersona Pro Enterprise - Administrator Guide
145
Pro Events 16
DigitalPersona Pro and its security applications write events to the Windows Event Log when significant
activities occur, along with a date and time stamp indicating when they occurred.
By default, all DigitalPersona Pro events are logged - except for those that report the status of applications,
components or devices. These are identified by the use of (Status event) next to the event name in the
following pages.
Activity events are classified into the following categories.
Events are listed in tables under each category in the following sections. For each event, information is
shown indicating where the event is logged (on the Pro Server or on a client workstation) and what level of
logging an event is reported at. For example, if an event is shown as logged on the workstation (Wks) at
the D (Details) level, it will not be written to the log unless the Detail level is specified in the Level of
detail in event logs GPO setting governing that computer (see page 111).
Note that error levels are inclusive, i.e. the Audit level includes all Error level messages, and the Details
level includes all Audit and Error level messages.
Description ID Page
Credential Management 256 146
User Management 512 146
Secret Management 768 147
Service Management 1024 147
Password Manager 1536 148
Credential Authentication 2048 149
DNS Registration 2304 149
Deployment 4096 150
Windows Logon 4864 150
Chapter 16 - Pro Events
DigitalPersona Pro Enterprise - Administrator Guide
146
Credential Management
Task Category: 256
These events may be generated during credentials management.
User Management
Task Category: 512
These events may be generated during user management.
Event ID
Level
Srvr ---- Wks
Failed to enroll credential 259 - A
Credential enrolled 260 - A
Failed to unenroll credential 261 - A
Credential unenrolled 262 - A
Failed to recover user record 263 - E
Failure of user credential consistency check 272 - E
Level: E = Error, A - Audit, Dt = Details
Event ID
Level
Srvr ---- Wks
Cannot update User Account Control Flags 527 - E
User Account Control Flags were updated 528 A -
User account was unlocked 529 A -
User password was randomized 530 A -
Pro User added to the database 531 A -
Cannot add Pro User to the database 532 E -
Pro User deleted from the database 533 A -
Cannot delete Pro User from the database 534 E -
User account was unlocked using Password Reset 535 A E
Level: E = Error, A - Audit, Dt = Details
Chapter 16 - Pro Events
DigitalPersona Pro Enterprise - Administrator Guide
147
Secret Management
Task Category: 768
These events may be generated during Secret management.
Service Management
Task Category: 1024
These events may be generated during the management of system operations.
Event ID
Level
Srvr ---- Wks
Failure of %1 secure application data consistency check 769 E E
Failed to delete secure application data 770 E E
Secure application data deleted 771 A A
Failure to release secure application data 772 E E
Secure application data released 773 A A
Failure of secure application data signature check 774 E E
Failed to store secure application data 775 E E
Secure application data stored 776 A A
Failed to synchronize secure application data 779 E -
Secure application data is synchronized 780 A -
Level: E = Error, A - Audit, Dt = Details
Event ID
Level
Srvr ---- Wks
Failed to start DigitalPersona Authentication Service 1029 E E
DigitalPersona Authentication Service started 1030 A A
DigitalPersona Authentication Service stopped 1031 A A
Failed to reset DigitalPersona Authentication Service configuration parameter 1032 A A
DigitalPersona Authentication Service configuration parameter reset 1033 A A
Chapter 16 - Pro Events
DigitalPersona Pro Enterprise - Administrator Guide
148
Password Manager
Task Category: 1536
These events are generated when personal or managed logons are used, or logon account data is modified.
Failed to update DigitalPersona Authentication Service configuration
parameter
1034 A A
DigitalPersona Authentication Service configuration parameter updated 1035 A A
DNS registration of the server failed - Client workstations will not be able to
locate the server.
1041 E -
Removal of DNS record failed. 1042 E -
Remote DNS server cannot be reached. 1043 E -
No remote DNS servers available. 1044 E -
Level: E = Error, A - Audit, Dt = Details
Event ID
Level (Workstation)
Personal ---- Managed
CRC check failure in %1. 1548 Dt A
Logon created 1549 Dt A
Logon modified 1550 Dt A
Logon deleted 1551 Dt A
Password change has been canceled by user 1552 Dt Dt
Fillin was performed 1553 Dt A
Account data could not be modified 1554 E E
Account data was successfully modified. 1555 Dt A
Account data was successfully entered. 1556 Dt A
Account data was successfully deleted. 1557 Dt A
Level: E = Error, A - Audit, Dt = Details
Event ID
Level
Srvr ---- Wks
Chapter 16 - Pro Events
DigitalPersona Pro Enterprise - Administrator Guide
149
Credential Authentication
Task Category: 2048
These events may be generated during the authentication of credentials.
DNS Registration
Task Category: 2304
These events may be generated during DNS registration.
Event ID
Level
Srvr ---- Wks
Account is locked for fingerprint verification. 2051 E -
User account is locked. 2053 E -
Authentication failure. 2054 A -
Authenticated successfully. 2055 Dt -
User password was reset. 2056 Dt -
Failed to identify user. 2057 A -
User identified. 2058 Dt -
Level: E = Error, A - Audit, Dt = Details
Event ID
Level
Srvr ---- Wks
Registration of the server failed. (Clients will not be able to locate the server.) 2306 E -
Removal of DNS record failed. 2307 E -
Remote server cannot be reached. 2308 - E
No remote servers available. 2309 - E
Level: E = Error, A - Audit, Dt = Details
Chapter 16 - Pro Events
DigitalPersona Pro Enterprise - Administrator Guide
150
Deployment
Task Category: 4096
These events may be generated during license management operations.
Windows Logon
Task Category: 4864
These events may be generated during Logon operations.
Event ID
Level
Srvr ---- Wks
The service is licensed for %1 users. (No more users can be registered at this
time because the license quota has been exceeded.)
4097 E -
The service is licensed for %1 users. (%2 users are already registered.%n The
license quota is nearly exceeded.)
4098 A -
License activation status 4104 - -
Computer set to Standard mode. 4105 - A
User license uninstalled. 4112 - A
User license installed. 4113 - A
Failed to install user license(s). 4114 - E
Software installed. 4130 A -
Software uninstalled. 4131 A -
List of product(s): 4145 - -
Applications enabled. 4146 - -
Level: E = Error, A - Audit, Dt = Details
Event ID
Level
Srvr ---- Wks
Credentials verified for logon 4865 - A
Credentials verified for unlock 4866 - A
Credentials verified for kiosk logon 4867 - A
Chapter 16 - Pro Events
DigitalPersona Pro Enterprise - Administrator Guide
151
Authentication Domain Management
Task Category: 2048
These Status events may be generated at specified intervals by selecting Log Status events within the Level
of detail in event logs setting (see page 111). Status events provide information about the state of various
policies on client computers.
* The logging of Status events is not enabled by default, and must be explicitly enabled by selecting the
Log Status Events checkbox.
Credentials verified for kiosk unlock 4868 - A
Computer locked 4869 - A
User (%1) logged off 4870 - A
Kiosk computer locked 4871 - A
Kiosk user logged off 4872 - A
There is a problem with the Kiosk Shared Account 4873 - E
Level: E = Error, A - Audit, Dt = Details
Event ID
Level
Srvr ---- Wks
Logon Policy for Users (Status event) 5649 * -
Logon Policy for Administrators (Status event) 5650 * -
Session Policy for Users (Status event) 5651 * -
Session Policy for Administrators (Status event) 5652 * -
Logon Policy (Status event) 5653 * -
Session Policy (Status event) 5654 * -
Level: E = Error, A - Audit, Dt = Details
Event ID
Level
Srvr ---- Wks
DigitalPersona Pro Enterprise - Administrator Guide
152
Extended Server Policy Module 17
The Extended Server Policy Module (ESPM) is a separately purchased and installed server module that
adds additional per user policies to the DigitalPersona tab in the AD user Properties dialog.
These policies specify additional requirements for authentication with biometric credentials (such as
fingerprints) when used for authentication during Windows logon and wherever administrator
authentication is requested by the software - for example when requesting access to the DigitalPersona Pro
Administrative Console.
Note that these settings do not affect the use of biometric credentials for authentication when used with
personal or managed logons to websites, applications and network resources.
Installation of the ESPM adds settings to the DigitalPersona tab in the AD user Properties dialog as shown
below.
Included settings are:
User may only log on with Fingerprint credential
The user must verify their identity with a fingerprint
credential in order to log on to Windows. No other
credentials can be used, except for supported
recovery options such as Self Password Recovery.
User must provide Fingerprint and PIN to log on
The user must provide a PIN whenever a fingerprint
is used to log on, to unlock the computer or to
change their Windows password. The fingerprint
PIN option adds another level of security to logging
on with a fingerprint.
User must provide Fingerprint and Windows
Password to log on
The user must verify their identity with their
fingerprint credential in addition to Windows
authentication (a smart card or password according
to the Windows policy setting).
DigitalPersona Pro Enterprise - Administrator Guide
153
Utilities 18
Cleanup Wizard
Although the Add/Remove Programs Control Panel uninstalls DigitalPersona Pro Server software, the user
data - such as fingerprint credentials and secure application data - and global domain data, remain in
Active Directory unless specifically deleted.
DigitalPersona provides the DigitalPersona Pro Cleanup Wizard to remove this data. However, if you are
planning to reinstall DigitalPersona Pro Server, you may want to retain the user data. The Cleanup Wizard
may be requested from DigitalPersona Technical Support.
This wizard provides full cleanup of all DigitalPersona Pro data. For removal of individual user data, see
Delete License on page 84.
To run the DigitalPersona Pro Cleanup Wizard
1 Double-click DPCleanup.exe to launch the DigitalPersona Pro Cleanup Wizard.
2 When the installer runs, you are prompted to choose the type of clean up you want to perform:
Delete DigitalPersona Pro user data. This option removes all DigitalPersona Pro data associated
with users on the domain, such as fingerprint credentials and secure application data. If you
choose to delete DigitalPersona Pro user data, all users in the domain must enroll their fingerprints
again.
Full clean up. This option removes both DigitalPersona Pro data associated with users on the
domain and global data. If you choose full clean up, you must reinstall all DigitalPersona Pro
Servers on the domain and run the Active Directory Domain Configuration Wizard again.
3 When prompted to proceed with the removal of DigitalPersona Pro data, click Yes.
4 Choose a location and name for the log file generated during the data removal process.
The wizard will then remove the data from Active Directory; however, you must manually remove any
DigitalPersona Pro Group Policy Objects.
Data changes take time to propagate in Active Directory. Do not configure a domain for DigitalPersona
Pro Server or reinstall Server software until all changes made by the removal of domain global data are
replicated throughout the domain.
Running the DigitalPersona Pro Clean Up Wizard will render all Pro Servers on the domain inoperable. To
restore the Pro Server functionality after performing a full cleanup, run the Active Directory Domain
Configuration Wizard again, as described in Configure each domain on page 24, and then reinstall Pro
Server.
DigitalPersona Pro Enterprise - Administrator Guide
154
Section Three: Pro Clients
Section Three of the DigitalPersona Pro Enterprise Administrator Guide includes the following chapters:
Chapter Title Purpose Page
19 - Pro Workstation Describes the features and functionality of the user
dashboard common to all DigitalPersona Pro Enterprise
compatible clients.
155
20 - Pro Kiosk Describes the features and functionality specific to the user
dashboard provided in the DigitalPersona Pro Kiosk client.
173
21 - Pro Administrative Console Describes the features and functionality of the optionally-
enabled administrative console common to all
DigitalPersona Pro Enterprise compatible clients except
for DigitalPersona Pro Kiosk.
179
DigitalPersona Pro Enterprise - Administrator Guide
155
Pro Workstation 19
This chapter includes the following major topics.
DigitalPersona Pro Enterprise includes support for two workstation clients; DigitalPersona Pro
Workstation for Enterprise and DigitalPersona Pro Kiosk for Enterprise.
DigitalPersona Pro Workstation for Enterprise is a robust and fully featured workstation client which
allows you to significantly and easily increase the security of computers in your enterprise, as well as
centrally manage security applications and features through Active Directory.
DigitalPersona Pro Kiosk is a workstation client specifically designed for environments where shared
access to computers and resources is a requirement. It shares most of the same features and
functionality as DigitalPersona Pro Workstation for Enterprise, with a few differences as explained in
the Pro Kiosk chapter beginning on page 173.
Both clients include a user dashboard that provides access to DigitalPersona Pro Enterprise features and
applications for the end-user. This dashboard allows use of integrated Pro Workstation or Kiosk
applications, as well as additional end-user applications that may be installed depending on the product
package purchased.
DigitalPersona Pro Workstation for Enterprise also includes an integrated Administrative Console that
allows the local administrator of a computer to set logon and session policies and other features. This
console may be enabled or disabled by the DigitalPersona Pro Enterprise administrator through an Active
Directory GPO setting. For further information on the Administrative Console, see the chapter Pro
Administrative Console on page 179.
Most of the content in this chapter is written from the end-user perspective, and is also available through
the Pro Workstation online help.
Note that the availability of some product features described in this chapter may be limited, or behave
differently, as determined by GPO policies and settings described in the Policies and Settings chapter
beginning on page 99.
Main topics in this chapter Page
Getting Started 156
Managing user credentials 159
Windows authentication 166
Backing up and restoring your data 169
Setting your preferences 170
ID Card 171
Learn more 172
Chapter 19 - Pro Workstation
DigitalPersona Pro Enterprise - Administrator Guide
156
Getting Started
The first time that you log on to your Windows account on a computer equipped with Pro
Workstation, you will be prompted to set up your authentication and recovery credentials. The
specific credentials available to you will be configured by your administrator.
If your credentials were set up through an attended enrollment process, you may click No at the
prompt and select Do not show this message again.
Click Yes at the prompt to launch the Getting Started wizard, which will guide you through the
setup process.
1 On the Welcome screen, click Next.
2 Verify your identity by typing your Windows password. Click Next. If you have not previously created
a Windows password, you will be required to create one.
3 You will be guided through the process of enrolling all credentials supported on your computer and
specified in the Logon and Session policies determined by your local or remote administrator.
Workstation setup
The Getting Started wizard is displayed automatically as the default page in the user dashboard until setup
has been completed.
To set up your workstation, follow these steps:
1 Read the Welcome screen, and then click Next.
2 Verify your identity by entering your Windows password and then click Next.
Chapter 19 - Pro Workstation
DigitalPersona Pro Enterprise - Administrator Guide
157
If you have not yet created a Windows password, you are prompted to create one. A Windows
password is required in order to protect your Windows account from access by unauthorized persons
and in order to use the workstation features.
3 Follow the onscreen instructions for enrolling the credentials authorized by the administrator. Step by
step instructions for enrolling each type of credential are also provided in the following pages.
4 On the final page of the wizard, click Finish. The Home page of the user dashboard is displayed.
Opening the dashboard
In DigitalPersona Pro Workstation and Kiosk, you can open the user dashboard in any of the following
ways:
Click Start, click All Programs, click DigitalPersona, and then click DigitalPersona Pro.
Double-click the DigitalPersona Pro icon in the notification area, at the far right of the taskbar.
Right-click the DigitalPersona Pro icon, and click Open DigitalPersona Pro.
Press the hot key combination ctrl+win+h to open the DigitalPersona Password Manager mini-
dashboard.
Using the dashboard
The user dashboard is the central location for easy access to Pro Workstation features, applications, and
settings.
The dashboard is composed of the following components:
ID Card - Displays the Windows user name and a selected picture identifying the logged on user account.
Security Applications - Displays an expanding menu of links for configuring the following categories of
security. Some of the categories shown below may not be present, and will depend on the product package
installed.
Chapter 19 - Pro Workstation
DigitalPersona Pro Enterprise - Administrator Guide
158
Home- Provides direct links to the most commonly used features.
Status- Displays the status of installed security applications.
My logons - Provides applications for managing your logons with Password Manager and your
credentials with Credential Manager.
Administration - Allows administrators to access the following options:
Administrative Console - Allows administrators to manage security and users.
Central Management - Allows administrators to access additional solutions, product updates and
messages.
Advanced - Displays commands for accessing additional features, including:
Preferences - Allows you to personalize Pro Workstation settings.
Backup and Restore - Allows you to back up or restore data.
About - Displays version information about Pro Workstation, such as the version number and
copyright notice.
Chapter 19 - Pro Workstation
DigitalPersona Pro Enterprise - Administrator Guide
159
Managing user credentials
The credentials that an end-user may use to verify their identity will either be specified through GPO
policies and settings (for managed workstations) or by the local administrator in the Administrative
Console.
Some credentials require the presence of built-in or attached hardware. The following steps will help you
to enroll or set up your credentials for use with the products features and applications.
Self Password Recovery
The Self Password Recovery credential allows you to regain lost access to your computer by
answering three security questions from a list previously defined by the administrator.
On the Self Password Recovery page, you can enroll or manage your Self Password Recovery credential;
for example, change your recovery questions or the associated answers.
In order to use this recovery credential to gain access to a computer, the user must have previously logged
on to the same computer at least once with another valid credential.
To set up Self Password Recovery
1 On the Self Password Recovery page, select three security questions, and then enter an answer for each
question.
2 Click Create.
Administrators can select different security questions or create custom questions in the Administrative
Console, on the Self Password Recovery page under Credential Manager.
After Self Password Recovery is set up, you can access your computer using your personal questions from
a Pre-Boot logon screen or the Windows Welcome screen.
This feature is optional, and must be explicitly configured through the Enable Self Password
Recovery setting (see page 117).
Chapter 19 - Pro Workstation
DigitalPersona Pro Enterprise - Administrator Guide
160
Enrolling your fingerprints
1 If your computer has a fingerprint
reader built in or connected, the Pro
Workstation Getting Started wizard
guides you through the process of
setting up or enrolling your
fingerprints.
2 To enroll fingerprints through the
dashboard, click Credentials,
Fingerprints,
3 An outline of two hands is displayed.
Fingers that have been previously
enrolled are highlighted in green.
To enroll a fingerprint, click the
image of any finger not previously
enrolled.
To delete a previously enrolled fingerprint, click a highlighted finger on the outline.
4 After selecting a finger to enroll, you are prompted to scan the finger until its fingerprint is
successfully enrolled. Upon completion, that finger image will be highlighted in green.
Index or middle fingers are preferable. Repeat steps 1 to 4 for another finger.
5 Click Next, and then follow the instructions on the screen.
6 Click Save. Note that when enrolling fingerprints through the Getting Started wizard, fingerprint
information is not saved until you click Next. If you leave the computer inactive for a while, or close
the program, the changes you made are not saved.
CAUTION: When using an unlicensed product (such as for evaluation), fingerprints are only stored on the
local computer and are not stored in Active Directory.
WARNING: Users should never enroll the same finger under multiple Windows accounts. Doing so will
cause the finger to be rejected as a valid credential in any WIndows account where it has been enrolled.
Enrolling a PIN
A PIN (Personal Identification Number) is a credential composed of a series of digits. A PIN is often used
in combination with another credential to enhance its security. This PIN should not be confused with a
Smart Card PIN which is used as part of a Smart Card credential.
On the Credential Manager, PIN page, you can create a new PIN or change your existing PIN.
To enroll a PIN
Chapter 19 - Pro Workstation
DigitalPersona Pro Enterprise - Administrator Guide
161
1 Type your Windows password. Click Authenticate.
2 Enter the number that you want to use as your PIN.
3 Enter the number again to confirm.
4 Click Enroll.
To change your PIN
1 Type your Windows password or use your current PIN. Click Authenticate.
2 Enter the number that you want to use as your new PIN.
3 Enter the number again to confirm.
4 Click Enroll.
Chapter 19 - Pro Workstation
DigitalPersona Pro Enterprise - Administrator Guide
162
Enrolling scenes for the Face credential
If your computer has a webcam built in or connected to it, and Face has been authorized as an acceptable
credential by the administrator, DigitalPersona Pro Workstation for Enterprise prompts you to enroll your
Face credential during initial setup of your workstation through the Getting Started Wizard. Enrolling
consists of capturing several snapshots of your face at slightly different angles, which then form a single
scene.You can also enroll scenes on the Face page under the Credential Manager menu item in the Pro
Workstation dashboard.
Note that your Face credential does not roam on the network, and can only be used for authentication on
the computer where it was enrolled. Also, a Face credential cannot be the only authorized credential for
authentication, and when defining logon or session policies, must be combined with an alternate credential
such as a fingerprint, smart card or Windows password.
You must enroll one or more Face scenes in order to use your Face credential. After you have enrolled
successfully, you may later enroll new scenes if you have experienced difficulty during logon because one
or more of the following conditions have changed:
Your face has changed significantly since your last enrollment.
The lighting is quite different from any of your previous enrollments.
You were wearing glasses (or not) during your last enrollment.
NOTE: If you are having difficulty enrolling scenes, try moving closer to the webcam.
To enroll a scene from the Getting Started wizard
1 On the Face page of the wizard, click Advanced, and then configure additional security. For more
information, refer to the topic Advanced User Settings on page 163.
2 Click OK.
3 Click Start, or if you have enrolled scenes previously, click Enroll a new scene.
4 If you did not select any additional security options, you are prompted to select an Anti-spoof security
option. Follow the on-screen instructions, and then click Next. For more information, refer to
Advanced User Settings.
5 Click the Camera icon, and then follow the on-screen instructions to enroll your scene. Be sure to
look at your image while the scenes are being captured.
6 Click Next and then click Finish.
To enroll a scene from the Pro Workstation dashboard
1 Open the dashboard.
2 Under My Logons, click Credential Manager, and then click Face.
3 Click Advanced, and then configure additional security. For more information, refer to Advanced
User Settings.
Chapter 19 - Pro Workstation
DigitalPersona Pro Enterprise - Administrator Guide
163
4 Click OK.
5 Click Start, or if you have enrolled scenes previously, click Enroll a new scene.
6 If you did not select any additional security options, you are prompted to select an Anti-spoof security
option. Follow the on-screen instructions, and then click Next. For more information, refer to
Advanced User Settings.
7 Click the Camera icon, and then follow the on-screen instructions to enroll your scene. It is important
that you look at your image on the screen as the scenes are being captured.
Advanced User Settings (Face)
These options are also displayed on the Anti-Spoof page if no additional security has been selected.
1 Open the Pro Workstation dashboard.
2 Under My Logons, click Credential Manager, and then click Face.
3 Click Advanced to configure the following security options:
Security tab - Select one of the following options:
No additional security - Select this option if you do not wish to configure additional security for
your face credential.
Use PIN for additional security - Select this option to require a user-specific PIN that must be
entered in addition to the Face Credential. Once a PIN is created, you can select from the following
options: Change, Reset, or Remove a PIN.
Use Bluetooth for additional security - Select this option to pair your Bluetooth-capable phone
with your Face credential. During Windows logon, once your face is authenticated, the presence of
the paired Bluetooth phone will be verified. If the phone is within range and Bluetooth is enabled
on the phone, then you are allowed to log on to Windows.
Be sure that Bluetooth is enabled on both the computer and the phone. If a Bluetooth-enabled
phone is not present, you are prompted to enable the paired Bluetooth phone and restart the
logon process. After 30 seconds, the Face Recognition logon window is paused.
To initiate the logon process, click the Camera icon. If the Bluetooth-enabled phone is not
present, you can use your normal Windows password to log on.
Click Add. When your Bluetooth device is displayed, select it, and then click Next. Click OK.
Other Settings tab - Select the check boxes to enable one or more of the following options, or clear the
check box to disable an option. These settings apply only to the current user.
Play sound on face recognition events - Plays a sound when face logon succeeds or fails.
Chapter 19 - Pro Workstation
DigitalPersona Pro Enterprise - Administrator Guide
164
Prompt to update scenes when logon fails - If face logon is unsuccessful but you enter your
password successfully, you may be prompted to save a series of images to increase the chances of
successful face logon in the future.
Prompt to enroll a new scene when logon fails - If face logon is unsuccessful but you enter your
password successfully, you may be prompted to enroll a new scene to increase the chances of
successful face logon in the future.
Setting up cards and tokens
Pro Workstation supports a wide variety of card readers, card credentials and tokens, including smart cards,
contactless cards and proximity cards. See the glossary entries for each type of card (beginning on page
194) for a list of supported manufacturers.
Instructions for setting up the various types of cards and tokens are given on the following pages.
Setting up a smart card
If a smart card reader is built-in or connected to the users computer, the Getting Started Wizard will
prompt the user to set up a smart card and enter the smart card PIN (personal identification number).
The smart card may also be set up on the Cards and tokens page under Credential Manager in the
DigitalPersona user dashboard.
NOTE: The administrator must have previously enabled smart cards as an authentication credential,
either through the Pro Administrative Console or by GPO, and initialized the card (see Smart card,
Administration tab on page 185).
To set up a smart card
1 Insert a smart card that has been previously formatted and initialized.
2 Enter the smart card PIN.
3 If you have not authenticated within this session you will need to enter your Windows password to
verify your identity.
4 Click Save.
To change your smart card PIN
1 Insert a smart card that has been previously formatted and initialized.
2 Select Change your PIN.
3 Enter your old PIN, and then enter and confirm a new PIN.
4 If you have not authenticated within this session you will need to enter your Windows password to
verify your identity.
5 Click Save.
Chapter 19 - Pro Workstation
DigitalPersona Pro Enterprise - Administrator Guide
165
Setting up a contactless or proximity card
A contactless card is a plastic card with an embedded chip that can be used as a sole authentication
credential. A proximity card is a plastic card with an embedded chip that can be used as an authentication
credential only in combination with another credential as specified in the Logon or Session Policy in force.
To set up a contactless card or proximity card
1 Place the contactless card near the reader attached to your computer.
2 If you have not authenticated within this session you will need to enter your Windows password to
verify your identity.
3 Click Save.
Enrolling a Bluetooth device
Any Bluetooth-enabled device discoverable by this software may be used as a credential for
authentication, when combined with an additional supported credential as defined by the Logon or Session
Policy in force.
All unenrolled and discoverable Bluetooth devices within range are displayed in the bottom portion of the
Device table on the Bluetooth page.
If an expected device is not displayed, ensure that the device is set to be discoverable.
To enroll a Bluetooth device as a credential
1 Enter your Windows password.
2 Select an unenrolled device from the Not enrolled list.
3 Click Enroll. If the Bluetooth device has not been paired with the computer, you will be asked to pair
it, and then the device will be enrolled as a credential. Devices previously paired with the computer
will simply be enrolled.
To delete a Bluetooth credential
1 Enter your Windows password.
2 Select a device from the Enrolled list.
3 Click Delete.
Chapter 19 - Pro Workstation
DigitalPersona Pro Enterprise - Administrator Guide
166
Changing your Windows password
Pro Workstation makes changing your Windows password simpler and quicker than doing it through the
Windows Control Panel.
To change your Windows password, follow these steps:
1 From the dashboard, click Credentials, and then click Password.
2 Enter your current password in the Current Windows password text box.
3 Type a new password in the New Windows password text box, and then type it again in the Confirm
new password text box.
4 Click Change to immediately change your current password to the new one that you entered.
Security Applications Status
The Pro Workstation Applications Status page displays the overall status of your installed security
applications. It shows the applications that are set up and the status for each.
The summary is displayed automatically when you open the dashboard and click Check the status of the
security applications or when you click Security Applications.
Windows authentication
Once your DigitalPersona Workstation client has been installed, logon to Windows is controlled by the
Logon Authentication Policy set by GPO in Active Directory or through the Administrator Console by a
user with administrator privileges on the local computer. For a complete description of logon policies, see
Logon Authentication Policy on page 102.
Credentials that may be used to authenticate for Windows logon will be limited to those specified in the
policy and supported by required hardware or software present on the workstation. Some credentials, such
as smart cards, need to be set up on the computer through the Administrator Console by someone with
Chapter 19 - Pro Workstation
DigitalPersona Pro Enterprise - Administrator Guide
167
administrative privileges on the computer. Additionally, each credential must be enrolled by the end-user,
either on the computer, or through Attended Enrollment (see page 94).
The actual process of using your DigitalPersona credentials will vary slightly depending on the type of
credential, but generally follow Microsoft usage with the following exceptions.
Smart card authentication
In order to use a contact-type smart card or a Proximity card for logging on to Windows, you must click
your user tile on the Windows Logon screen before presenting the card. Then you can insert your smart
card for authentication, or use a Proximity card in conjunction with another credential as specified by the
Logon Authentication Policy in force.
Other types of (non-Proximity) contactless cards may be presented directly from the Logon screen for
immediate logon to Windows.
Password Manager
Logging on to Windows, websites, and applications is easier and more secure when you use Password
Manager.
End-users can easily create personal logons with stronger passwords that they don't have to write down or
remember, and then log on easily and quickly with any supported credentials, such as a fingerprint, smart
card, or Windows password.
Chapter 19 - Pro Workstation
DigitalPersona Pro Enterprise - Administrator Guide
168
Administrators can create and deploy managed logons for controlled access to resources and allow or
prohibit creation of personal logons by end-users.
Password-protected resources with associated personal logons or managed logons display a Password
Manager icon, shown below, in the upper left corner of the screen (Internet Explorer and Firefox) or to the
right of the first recognized entry field (Google Chrome).
For managed logons, administrators can also add a logon for a change password screens. Users will be
prompted for their account data the first time they log on to a resource. Then, on subsequent logons, they
only need to launch the program, and submit their enrolled credential. DigitalPersona Pro automatically
enters the user name, domain and password and any other necessary account data in the appropriate logon
screen text boxes and, if so configured, submits the account data.
For further information on Password Manager, see the Password Manager Application Guide. It can be
accessed or downloaded from our website by selecting Pro Enterprise Workstation and version 5.x from
the following page.
http://www.digitalpersona.com/Support/Reference-Material/DigitalPersona-Pro-Reference-Material-Guides.
Password Manager Icon for Internet Explorer and Firefox
Password Manager Icon for Internet Explorer and Firefox
as displayed on Change Password screens
Password Manager Icon for Google Chrome
Password Manager Icon for Google Chrome
as displayed on Change Password screens
Chapter 19 - Pro Workstation
DigitalPersona Pro Enterprise - Administrator Guide
169
Backing up and restoring your data
It is recommended that you back up your workstation data on a regular basis. How often you back it up
depends on how often the data changes. For instance, if you add new logons on a daily basis, you should
probably back up your data daily.
Backups can also be used to migrate from one computer to another, also called importing and exporting.
NOTE: Only the data is backed up by this feature.
A DigitalPersona Pro compatible client must be installed on any computer that is to receive backed up data
before the data can be restored from the backup file.
To back up your data:
1 On the left panel click Advanced, and then click Backup and Restore.
2 Click Back up data.
3 Select the modules that you want to include in the backup. In most cases, you want to select them all.
Then click Next.
4 Enter a name for the storage file. By default, the file is saved to your Documents folder. Click Browse
to specify a different location. Then click Next.
5 Enter and confirm a password that will be used to protect the file.
6 Click Finish.
To restore your data:
1 On the left panel click Advanced, and then click Backup and Restore.
2 Click Restore data.
3 Select the previously created storage file. You can enter the path in the field provided, or click Browse.
4 Enter the password used to protect the file.
5 Select the modules whose data you want to restore. In most cases, this would be all of the modules
listed.
6 Click Finish.
Chapter 19 - Pro Workstation
DigitalPersona Pro Enterprise - Administrator Guide
170
Setting your preferences
Your DigitalPersona workstation client has a number of settings that you can customize.
From the dashboard, click Advanced, and then click Preferences. Available settings are displayed on
three tabs, titled General, Quick Action and Fingerprint. Note that the Fingerprint tab is only displayed
when a supported Fingerprint reader is built-in or attached to the computer.
General tab
The following settings are available on the General tab:
Appearance - Show icon in taskbar notification area
Controls whether or not the Pro Workstation icon is shown in the taskbar notification area (systray).
To enable displaying the icon on the taskbar, select the check box.
To disable displaying the icon on the taskbar, clear the check box.
Quick Actions tab
The following settings are available on the Quick Actions tab:
Chapter 19 - Pro Workstation
DigitalPersona Pro Enterprise - Administrator Guide
171
Hot Key Configuration - Permits assignment of custom key sequences for performing Password
Manager Quick Actions and configuring the associated default fingerprint or card behavior.
To change the default hot key
1 Click this option and enter a new key combination. Combinations may include one or more of the
following: Ctrl, , Alt or Shift, and any alphabetic or numeric key.
2 Click Apply to save your changes.
Quick Actions - The Quick Actions tab shows you administrator-defined Quick Actions that are performed
automatically in response to the use of the Pro Workstation Hot Key, a credential or a Key+Credential
combination. Only fingerprint and supported smart (contact, contactless and proximity) card credentials
will initiate a Quick Action. Quick Actions may also be defined through the Quick Actions GPO setting.
Fast Connect - provides SSO to Published Applications and Desktops through Citrix XenApp and
XenDesktop. See Citrix Deployment Scenarios on page 200.
Lock Computer - Locks the computer when the associated Quick Action is initiated.
Password Manager Action - Performs one of the following operations when the associated Quick Action
is initiated.
When the active window has an associated Password Manager personal logon or managed logon, fills-
in account data.
If the window is determined to be a logon screen that does not have an associated personal logon or
managed logon, and the Allow creation of personal logons setting (page 127) is enabled or not
configured, the Add Logon dialog displays.
If none of the above cases are true, the Logons Menu or user dashboard is shown.
Fingerprint tab
The following settings are available on the Fingerprint tab:
Fingerprint Scan Feedback - Displays only when a fingerprint reader is available. Use this setting to
adjust the feedback that occurs when you scan your fingerprint.
Enable sound feedback - Pro Workstation gives you audio feedback when a fingerprint has been scanned,
playing different sounds for specific program events. You may assign new sounds to these events through
the Sounds tab in the Windows Control Panel, or disable sound feedback by clearing this option.
Show scan quality feedback - To display all scans, regardless of quality, select the check box. To display
only good-quality scans, clear the check box.
ID Card
Your ID card uniquely identifies you as the owner of this Windows account, showing your name and a
picture of your choice. It is prominently displayed in the upper-left corner of Pro Workstation pages.
Chapter 19 - Pro Workstation
DigitalPersona Pro Enterprise - Administrator Guide
172
You can change the picture and the way that your name is displayed. By default, your full Windows user
name and the picture you selected during Windows setup are shown.
To change the displayed name:
1 From the Pro Workstation dashboard, click the ID Card in the upper left corner.
2 Click the box displaying the name you entered for your account in Windows. The system displays your
Windows user name for this account.
3 To change this name, type the new name, and then click the Save button.
To change the displayed picture:
1 From the Pro Workstation dashboard, click the ID Card in the upper left corner.
2 Click the Choose picture button, click an image, and then click the Save button.
Learn more
Provides a direct link to additional information about DigitalPersona products available on our website. An
active internet connection is required.
From the Pro Workstation dashboard, click Administration and then click Learn more.
If there is no [+] Learn more link in the lower-left portion of the dashboard, it has been disabled by the
administrator of this computer.

DigitalPersona Pro Enterprise - Administrator Guide
173
Pro Kiosk 20
DigitalPersona Pro Kiosk for Enterprise provides users with fast, convenient and secure multi-factor
identification and authentication in environments where users share a common Windows account yet need
separately controlled access to resources, applications and data.
Feature overview
Pro Kiosk provides these features:
Single Sign-On to Enterprise applications - Simplifies user logon to Enterprise applications, including
traditional Windows applications, web applications, Terminals, and Citrix or similar software thin client
solutions. No changes to those applications are required and setup takes only a few minutes per
application.
Multi-factor authentication - Further enhances convenience and security by providing administrators
with a choice of credentials (such as fingerprints, smart cards or Windows Passwords, etc.) that can be
required in any combination to authenticate users logging on to the PC, to enterprise applications, or for
fast user switching between users on the same workstation.
Ability to roam and share user credentials across computers - If your environment requires users to
gain access to multiple workstations or kiosks, they do not need to re-enroll their credentials at each
computer. Pro Kiosk automatically makes users' authentication credentials and other data, such as
passwords for Enterprise applications, available at each computer within the domain.
Local or attended credential enrollment - Users can enroll supported credentials from within Pro Kiosk,
or administrators can prohibit this through a GPO setting and provide centralized enrollment through one
or more supervised computers.
This chapter describes the similarities and differences between DigitalPersona Pro Workstation for
Enterprise and Pro Kiosk functionality from the point of view of the administrator. Most of the basic
functionality is common to both Pro Workstation and Pro Kiosk. Additional details on user tasks are
provided in the DigitalPersona Pro Kiosk Help file.
In the following topics, the term kiosk refers to one or more Kiosk Workstations which, due to Active
Directory Group Policies, are tied to a shared Kiosk account.
Comparing Pro Workstation and Pro Kiosk
This section describes the similarities and differences between DigitalPersona Pro Workstation and
DigitalPersona Pro Kiosk.
Both DigitalPersona Pro Kiosk and DigitalPersona Pro Workstation include the following features:
Multifactor and alternative authentication credentials
Chapter 20 - Pro Kiosk
DigitalPersona Pro Enterprise - Administrator Guide
174
Password Manager - supporting managed logons only, i.e. automatic logons with supported credentials
to resource, programs and websites that are created by an administrator. Personal logons created by the
end-user are available in Pro Workstation but not in Pro Kiosk.
Like DigitalPersona Pro Workstation, Pro Kiosk includes options for allowing users to run the
Credential Enrollment Wizard, or administrators can implement attended enrollment. Pro Kiosk
utilizes the same credential information and Password Manager logon data as DigitalPersona Pro
Workstation.
DigitalPersona Pro Kiosk for Enterprise 5.x requires DigitalPersona Pro Server Version 5.x or above
running on a domain controller.
DigitalPersona Pro Workstation Version 5.x or higher and Pro Kiosk 5.x or above are compatible, i.e.
they can be installed on computers on the same domain and use the same DigitalPersona Pro Server.
When comparing Pro Kiosk to Pro Workstation, Pro Kiosk differs in the following ways:
Use of Pro Kiosk requires that the GPO setting Perform fingerprint identification on server (see page
121) must be enabled for all Pro Kiosk clients where fingerprint credentials will be used.
A specified Shared Account is always used for Windows logon that is independent of the user account
being authenticated. This affects account profile and user preferences.
By default, all domain users are granted Kiosk access and all local (non-domain) users are prohibited
from logging into Kiosk. Further restrictions may be placed on kiosk access through a GPO setting,
Restrict identification to a specific list of users (see page 122).
Any authorized kiosk user can unlock a kiosk computer. For example, a user may log on and lock the
kiosk computer. Then, a second user can unlock it without performing log off and log on.
The name of the last user is not shown in Logon or Unlock dialogs regardless of security settings
A kiosk user can enroll credentials, regardless of which user account was logged on to the kiosk,
without logging on to Windows. The administrator must have allowed permissions for the user to
enroll and delete fingerprints.
Pro Kiosk does not provide a means for creating personal automated logons. Instead, managed logons
can be created and deployed to users by an administrator using the Password Manager Admin Tool.
Then users fill in their personal account data for the automated logons.
Logging On to Windows
One Touch Logon allows users to log on to Windows with any supported credential. Windows credentials
are information used to gain access to Windows accounts, such as a password, fingerprint or smart card.
One Touch Logon guides the user through enrolling any credentials that may be specified as required for
logging on to Windows. When their identity is verified, they are logged on to a Windows Shared Account.
All kiosk users share the same session. If the computer becomes locked, any authorized kiosk user will be
able to unlock it, view the desktop, and run programs. Users may also have the option to not log into the
kiosk session, but instead to log on to their own Windows account instead of the Shared Account, although
this is recommended for administrators only.
Chapter 20 - Pro Kiosk
DigitalPersona Pro Enterprise - Administrator Guide
175
Using One Touch Logon
One Touch Logon displays a customized Welcome dialog box or screen, which is similar to the standard
Windows dialog box. When a user is identified through their submitted credential, they are logged on to
the shared kiosk account.
Users should be advised to generally leave the Share the kiosk session check box checked to allow other
kiosk users to unlock the computer. Only administrators may need to uncheck this option. When logon is
performed with this check box cleared, Pro Kiosk features are not available.
In Windows Vista and above, upon their first logon to Pro Kiosk, users will need to click the balloon
that displays near the notification area to enroll their credentials, or click the Fingerprint Reader tile
and select Credential Enrollment to launch the Credential Enrollment Wizard.
In earlier versions of Windows, the Credential Enrollment Wizard will launch automatically after a
user logs on to Kiosk for the first time.
You must enroll fingerprints before you can log on using the fingerprint reader.
The user name for the Windows shared account that Pro Kiosk uses cannot be used to log on to a kiosk
session. All Kiosk users must use their own Windows user name to log on.
Logging on to Windows without Kiosk
To log on to a computer without using a kiosk session
Windows XP - Clear the Share the kiosk session check box. This check box is only enabled when a
kiosk computer is logging onto the domain. For local logon, it is disabled.
Windows Vista and above - Select Switch User and click Other User. Then enter your Windows user
name and password.
When logging in to a computer outside of a kiosk session, the designated Shared Account for the kiosk is
not used and therefore Pro Kiosk features are not available. Specifically, access to the Pro Kiosk user
dashboard, and the use of Password Manager logons (both managed logons and personal logons) are
disabled.
This feature is intended for administrators who might need to access a computer for administrative
purposes, and without kiosk features enabled. Non-administrators can be prohibited from logging on to the
computer outside of a kiosk session by enabling a DigitalPersona setting in the controlling GPO. See
Prevent users from logging on outside of a Kiosk session. on page 114.
CAUTION: If you lock the computer outside of a kiosk session, other kiosk users will not be able to
unlock it, so be sure to log out of a local session on any kiosk workstation.
Automatic logon using the Shared Kiosk Account
Kiosk can be configured to automatically logon to the Shared Kiosk account when Windows starts or
restarts. The Log On to Windows dialog box will not be displayed.
Chapter 20 - Pro Kiosk
DigitalPersona Pro Enterprise - Administrator Guide
176
The automatic logon setting will allow any user to access a Windows session without interactive
authentication when the Kiosk computer is restarted.
This option is controlled by the Allow automatic logon using Shared Kiosk Account setting described on
page 114.
Changing Your Password
The process of changing your Windows password on a computer with DigitalPersona Pro Kiosk installed
is the same as on a computer without Pro Kiosk installed.
To change your Windows password:
1 Press Ctrl+Alt+Delete.
2 Select Change a Password.
3 Enter your Windows user name and your old password.
4 Enter and confirm a new password.
User Account Control
On Windows Vista and later operating systems, an administrator may use any authorized and supported
credential instead of their user name and password, to give a standard user permission to perform an
activity that is restricted by User Account Control.
When the User Account Control dialog displays, a local administrator with an authorized credential can
use their credential to permit the activity.
Using the Password Manager Admin Tool with Pro Kiosk
The Password Manager Admin Tool is an administrative tool that allows an administrator to provide
automated logon to password-protected resources, programs and websites.
With Pro Kiosk, Password Manager includes the following differences when compared to Pro Workstation
implementations:
Managed logons created with the Password Manager Admin Tool must be deployed to the Shared
Account instead of to user accounts.
Kiosk users do not need to log on to Windows to use managed logons. Their identity is verified each
time they log on to the resource. For kiosk users, the Password Manager logon data is never cached
locally.
Only managed logons created using DigitalPersona Pro version 4.4.3 or higher are compatible with the
current version of Pro Kiosk.
For additional information on the Password Manager Admin Tool and the creation and use of managed
logons, see the Password Manager Application Guide.
Chapter 20 - Pro Kiosk
DigitalPersona Pro Enterprise - Administrator Guide
177
Logging On to Password-Protected Programs
DigitalPersona Pro Kiosk lets a kiosk user log on to password-protected resources, programs and websites
with any enrolled credential. As an administrator, you must enable this feature for specific programs by
creating managed logons for them. Password-protected resources with managed logons display a Password
Manager icon, shown below, in the upper left corner of the screen (Internet Explorer and Firefox) or to the
right of the first recognized entry field (Google Chrome).
You also can add a logon for a change password screen to a managed logon. Refer to the Password
Manager Application Guide for more information about creating managed logons.
Users are prompted for their account data the first time they log on to a resource. Then, on subsequent
logons, they only need to launch the program, and submit their enrolled credential. DigitalPersona Pro
Kiosk automatically enters the user name, domain and password and any other necessary account data in
the appropriate logon screen text boxes and, if so configured, submits the account data.
User logon
Users can log on to resources for which managed logons have been deployed in either of two ways.
Password Manager Icon for Internet Explorer and Firefox
Password Manager Icon for Internet Explorer and Firefox
as displayed on Change Password screens
Password Manager Icon for Google Chrome
Password Manager Icon for Google Chrome
as displayed on Change Password screens
Chapter 20 - Pro Kiosk
DigitalPersona Pro Enterprise - Administrator Guide
178
From the Password Manager menu, or the Password Manager page in the Pro Kiosk dashboard, the
user can click a logon to open the logon page for the resource and automatically submit their account
data.
Users can open the logon screen for the resource and a Password Manager icon will display indicating
that they can automatically submit required logon data using any enrolled credential.
If the system determines that account data is required (generally the first time the logon is used), the Enter
Account Data dialog box displays. Users will type their account data in the fields provided. The next time
this logon is used, the system will fill in the account data. If users have entered multiple sets of account
data for the program, they will be prompted to choose the data that they want to use to log on.
Users can add, change or remove account data for fingerprint logons for programs using the Pro Kiosk
dashboard. However, they cannot delete the fingerprint logons created by administrators.
To access the DigitalPersona Pro Kiosk dashboard
Click the DigitalPersona Pro icon in the system tray and select Open DigitalPersona Pro Kiosk.
Switching Users on Pro Kiosk Computers
You can log on, unlock or gain access to a password-protected resource on a kiosk computer by using your
enrolled credentials. After your work is finished, you can do one of the following:
Close the resource and leave the kiosk computer unlocked. The next user can approach the kiosk
computer and provide their credentials to gain access to the password-protected resource.
Close the resource and lock the kiosk computer. The next user can approach the kiosk computer and
provide their credentials to unlock the computer. They can the open any password-protected resource
with their credentials.
Close the resource and log off from the kiosk computer. The next user can approach the kiosk
computer and provide their credentials to log on to the computer. The user is logged into the Shared
Account for the kiosk.
The installation and configuration of DigitalPersona Pro Kiosk is covered in the chapter Pro Kiosk
installation on page 46.
All other functionality is the same as described in the chapter Pro Workstation on page 155.
Using multiple Kiosk accounts with Citrix
See Citrix Deployment Scenarios on page 200.
DigitalPersona Pro Enterprise - Administrator Guide
179
Pro Administrative Console 21
When desirable or necessary, local administration of a DigitalPersona Pro Enterprise client can be
accomplished through the integrated DigitalPersona Pro Administrative Console on the client workstation.
This console may also be disabled by the IT administrator through a GPO setting (see Do not allow users
to run local administrative tools on page 113).
Using the console, the local administrator can perform the following tasks.
Specifying the credentials required for authentication
Adjusting credential-specific parameters
Configuring installed Pro Workstation applications
Opening the Administrative Console
For administrative tasks, open the console as follows:
Click Start, click All Programs, click DigitalPersona, and then click DigitalPersona Pro
Administrative Console.
or
In the left panel of the DigitalPersona Pro Enterprise client, click Administration.
Chapter 21 - Pro Administrative Console
DigitalPersona Pro Enterprise - Administrator Guide
180
Using the Administrative Console
The DigitalPersona Pro Administrative Console is the central location for administering Pro Workstation
features and applications.
The console is composed of the following components:
Computer Configuration - Displays the following
categories for configuring security on your computer. Note
that categories without installed application do not display.
Home - Allows you to select the security tasks to
perform.
Authentication - Allows you to configure Logon and
Session Policies for this computer.
Credentials - Provides configuration of credential-
specific settings.
Applications/Settings - Displays general settings for
DigitalPersona Pro Workstation for Enterprise and
integrated applications.
Online Tutorial - Provides a video tutorial of the main
features and advantages of the DigitalPersona Pro
solution.
About - Displays information about Pro Workstation,
such as the version number and copyright notice.
Configuring your system
Access the System group from the Tools menu panel on the
left side of the Administrative Console.
Use these applications to manage the policies and settings for the computer, its users and devices.
The following applications are included in the System group:
Authentication - View or Manage Logon and Session Policies, governing the credentials that may be
used to authenticate during Windows Logon or within Windows sessions. Note that these policies will
be read-only on a client that is being centrally managed by a DigitalPersona Pro Enterprise Server.
Credentials - Manage credential-specific settings.
Setting authentication policies
On the authentication pages, you set Logon and Session policies governing access to the computer. You
can specify the credentials required to authenticate when logging on to Windows or logging on to websites,
programs and network resources managed by DigitalPersona Pro during a user session.
Chapter 21 - Pro Administrative Console
DigitalPersona Pro Enterprise - Administrator Guide
181
By default, all installed and supported credentials are listed on the included Logon Policy and Session
Policy tabs. Any of the credentials or credential combinations listed in the policy may be used for
authentication in the Logon or Session Policy.
To set local authentication policies on a computer
1 In the left panel of the Administrative Console, click Authentication.
2 Select the tab for the type of policy you want to create or manage, Logon Policy or Session Policy.
3 Make any desired changes.
To add a credential or credential combination to the list, click Add at the top of the list.
To edit a credential or credential combination, click the credential.
To delete a credential or credential combination, hover over it, then click the X that appears at the far
right.
4 Click Apply.
Logon Policy
The Logon Policy defines the credentials that may be used to log on to Windows. By default, all installed
and supported credentials are listed on the tab. Any of the credentials or credential combinations listed in
the Logon Policy may be used for authentication during logon.
1 In the left panel of the Administrative Console, click Authentication.
2 On the Logon Policy tab, make any desired changes.
To add a credential or credential combination to the list, click Add at the top of the list.
To edit a credential or credential combination, click the credential.
Chapter 21 - Pro Administrative Console
DigitalPersona Pro Enterprise - Administrator Guide
182
To delete a credential or credential combination, hover over it, then click the X that appears at the far
right.
3 Click Apply.
Session Policy
The Session Policy defines the credentials that may be used to access Security applications during a
Windows session. By default, all installed and supported credentials are listed on the tab. Any of the listed
credentials or credential combinations may be used for authentication in the Session Policy.
1 In the left panel of the Administrative Console, click Authentication.
2 On the Session Policy tab, make any desired changes.
To add a credential or credential combination to the list, click Add at the top of the list.
To edit a credential or credential combination, click the credential.
To delete a credential or credential combination, hover over it, then click the X that appears at the far
right.
3 Click Apply.
Specifying credentials settings
Within the Credentials application, you can specify settings that may
be available for any built-in or attached security devices recognized by
the DigitalPersona Pro Enterprise client. Not all credentials will have
settings, and unplugged peripherals will not be displayed in the list.
Self Password Recovery
On the Self Password Recovery page, you can configure whether or not
to allow Self Password Recovery for Windows logon, and manage the
security questions that will be presented to users during the enrollment
of their Self Password Recovery credential.
1 In the left panel of the Administrative Console, click Credentials,
Self Password Recovery.
2 Select the security questions that a user may choose from during their Self Password Recovery
enrollment. You may also specify up to three custom questions.
3 To disable the use of Self Password Recovery for Windows logon, click the associated checkbox.
4 Click Apply.
Chapter 21 - Pro Administrative Console
DigitalPersona Pro Enterprise - Administrator Guide
183
Fingerprints
The Fingerprints page enables you to adjust policies and settings relating to the use of a supported
fingerprint reader built-in or attached to the computer. This page includes two tabs as described below.
1 In the left panel of the Administrative Console, click Credentials, Fingerprints.
2 Make any desired changes on the included tabs.
3 Click Apply.
Enrollment tab
You can choose the minimum and maximum number of fingerprints that a user is allowed to enroll.
Recognition
On the Recognition tab, you can choose from three levels of fingerprint recognition sensitivity for just the
right balance between security and convenience that is required to address the needs of your organization.
Fingerprint recognition compares a users scanned fingerprint to their enrolled fingerprint in order to verify
their identity.
Chapter 21 - Pro Administrative Console
DigitalPersona Pro Enterprise - Administrator Guide
184
The comparison should be strict enough that unauthorized people are not given access (false acceptance),
but should not inconvenience legitimate users by rejecting their fingerprints (false rejection). Note that
some people will experience more false rejections than statistically expected due to their fingerprint
characteristics.
If user fingerprints are not recognized consistently, a lower Recognition setting may be necessary. A higher
setting increases the sensitivity to variations in fingerprint scans and therefore decreases the possibility of a
false acceptance. The Medium-High setting provides a good mix of security and convenience.
Move the slider to adjust the sensitivity used by the fingerprint reader when it scans your fingerprints.
Face
On the Face page, you can set the security level for your Face credential in order to balance the ease of use
versus the difficulty of breaching the security of the computer.
1 In the left panel of the Administrative Console, click Credentials, Face.
2 For more convenience, click the slider to move it to the left, or for more accuracy, click the slider to
move it to the right.
Convenience - To make it easier for enrolled users to gain access in marginal situations, click the
slider bar to move it to the Convenience position.
Balance - To provide a good compromise between security and usability, or if you have sensitive
information or your computer is located in an area where unauthorized logon attempts can occur,
click the slider bar to move it to the Balance position.
Accuracy - To make it more difficult for a user to gain access if enrolled scenes or current lighting
conditions are below normal and less likely that a false acceptance can occur, click the slider bar to
move it to the Accuracy position.
NOTE: The Security level applies only to the current user.
Chapter 21 - Pro Administrative Console
DigitalPersona Pro Enterprise - Administrator Guide
185
Smart card
The Smart cards page enables you to adjust policies and settings relating to the use of a supported smart
card reader built-in or attached to the computer.
This page includes two tabs as described below.
1 In the left panel of the Administrative Console, click Credentials, Smart card.
2 Make any desired changes on the included tabs.
3 Click Apply.
Settings tab
On the Smart card, Settings tab, you can administer settings specific to this credential.
Lock computer upon smart card removal
Enable this setting to lock a computer when the smart card used to log on to Windows is removed. If the
smart card was not used to log on to Windows, removal of the card does not lock the computer.
Administration tab
On the Smart Card: Administration tab, you can initialize and manage a smart card. Initialization must be
performed prior to use of the card by the end user.
Note that the following options are not displayed until a supported smart card has been inserted into the
reader.
Chapter 21 - Pro Administrative Console
DigitalPersona Pro Enterprise - Administrator Guide
186
Initialize the smart card - Select this option to set up a smart card to be used as a DigitalPersona Pro
credential for this workstation. You must also enter a PIN (Personal Identification Number) and click
Apply. See below for further details.
Change smart card PIN - Select this option to change the PIN used with the smart card. Then type the
new PIN in the provided text box and click Apply.
Erase DigitalPersona Pro Workstation data only - Select this option to erase only Pro Workstation data
on the smart card and click Apply. You may want to use this option if you are assigning this smart card
for use with a different workstation, or no longer wish the holder to have access to the workstation.
Erase all data on the smart card - Select this option to erase all data on the smart card and click Apply.
This option essentially reformats the card, and it will no longer be able to be used as a credential for
any application until re-initialized.
Initializing the smart card
DigitalPersona Pro supports a number of different smart cards. The number and type of characters used as
PIN numbers may vary. The manufacturer of the smart card should provide tools to install a security
certificate and management PIN that will use in its security algorithm.
NOTE: ActivIdentity software must be installed in addition to the driver for the specific reader. The
currently required ActivIdentity software is version 6.2 with on of the following hotfixes.
AC_6.2.0.138_FIXS1201010_x64 or
AC_6.2.0.138_FIXS1201009_x86.
1 Insert the smart card into the reader.
2 Click Start, click All Programs, and then click ActivClient PIN Initialization Tool.
3 Enter and confirm a PIN.
4 Click Next.
The smart card software will provide an unlock key. Most smart cards will lock themselves when the
PIN is entered incorrectly 5 times. The key is used to unlock the card.
5 Click Start, click All Programs, click DigitalPersona, and then click Administrative Console.
6 Click Credentials, and then click Smart Card.
7 Click the Administration tab.
8 Be sure that Initialize the smart card is selected.
9 Enter and confirm a PIN, click Apply, and then follow the on-screen instructions.
10 After the smart card has been successfully initialized, you will need to register the smart card. See
below for further details.
Chapter 21 - Pro Administrative Console
DigitalPersona Pro Enterprise - Administrator Guide
187
Setting up the smart card
After the smart card is initialized, users can set it up (or enroll it).
1 In the Pro Workstation dashboard, click Credential Manager, and then click Cards and tokens.
2 Insert the smart card. A list of options will be displayed.
3 Be sure that Set up is selected.
4 Enter your Windows password and your PIN, and then click Save.
Changing the smart card PIN
To change your smart card PIN
1 In the Pro Workstation Administrative Console, click Credentials, and then click Smart card.
2 Click Credentials, and then click Smart card.
3 Click the Administration tab.
4 Insert a smart card that has been previously formatted and initialized.
5 Select Change smart card PIN.
6 Enter your old PIN, and then enter and confirm a new PIN.
Registering the smart card
After a smart card is initialized, users can register it in the Pro Workstation dashboard:
1 In the Pro Workstation dashboard, click Start, click All Programs, click DigitalPersona, and then
click DigitalPersona Pro.
2 Click Credentials, and then click Smart card.
3 Be sure that Set up is selected.
4 Enter the Windows account password and the PIN (assigned during the initialization step above), and
then click Save.
Contactless card
To delete credential data on this card for Pro Workstation, select that option and click Apply.
Administration tab
Erase DigitalPersona Pro Workstation data
To erase credential data on this card for Pro Workstation, select that option and click Apply.
Chapter 21 - Pro Administrative Console
DigitalPersona Pro Enterprise - Administrator Guide
188
Bluetooth
A Bluetooth device may be used for authentication when combined with an additional supported credential
as defined by the Logon or Session Policy in force.
On the Credentials: Bluetooth page, you can administer settings or operations specific to this credential.
Allow silent authentication
To prevent silent authentication, and require selection of a specific Bluetooth credential, uncheck this
option.
By default, silent authentication is enabled, i.e. when Bluetooth credentials are allowed for authentication
by the Logon or Session Policy in force, authentication will be attempted with the previously used
Bluetooth credential immediately upon entry to a logon screen.
PIN
You can configure the minimum length of the DigitalPersona PIN credential. The maximum PIN length is
8 digits
1 Enter or select the minimal PIN length.
2 Click Apply.
Chapter 21 - Pro Administrative Console
DigitalPersona Pro Enterprise - Administrator Guide
189
Configuring your applications settings
The Applications, Settings page is accessed from the Applications menu panel on the left side of
DigitalPersona Pro Workstation for Enterprise Administrative Console.
You can use Settings to customize the behavior of currently installed Pro Workstation applications.
To edit your application settings:
1 In the Tools menu, under Applications, click Settings.
2 Select the check box to enable or clear the check box to disable a specific setting.
3 Click Apply to save the changes that you have made.
General tab
The following settings are available on the General tab:
Do not automatically launch the Getting Started wizard for users - Select this option to prevent user
setup from automatically opening upon logon.
Chapter 21 - Pro Administrative Console
DigitalPersona Pro Enterprise - Administrator Guide
190
Applications tab
The settings displayed here can change when new applications are added to Pro Workstation.
The minimal settings shown by default are described below. Additional settings may be available
depending on the security applications installed on the computer.
Applications status - Enables status to be displayed for all applications.
Password Manager - Enables the Password Manager application for all users of the computer.
Windows Logon Security - Enables use of DigitalPersona credentials during Windows Logon.
Enable the Central Management button - Allows all users of this computer to add applications to Pro
Workstation by clicking the Central Management button.
To return all applications to their factory settings, click the Restore Defaults button.
DigitalPersona Pro Enterprise - Administrator Guide
191
Section Four: Appendices
Part Four of the DigitalPersona Pro Enterprise Administrator Guide includes the following chapters:
Chapter Title Purpose Page
Chapter 22 - Glossary Explains key concepts and terms used
in this guide.
192
Chapter 24 - Policies and Settings - Alphabetical list Lists all DigitalPersona Pro Enterprise
policies and settings alphabetically.
206
Chapter 23 - Citrix Deployment Scenarios Describes common ways of deploying
DigitalPersona Pro clients through the
Citrix virtualization platform.
200
Chapter 25 - Embedded Windows dependencies Describes dependencies for installing
Pro Workstation on Miscrosoft
Windows Embedded operating
systems.
210
Chapter 26 - Identification List Provides instructions on creating an
identification list.
215
Chapter 27 - Pro Events for version 5.3 Describes events generated by
DigitalPersona Pro Enterprise,
version 5.3.
218
Chapter 28 - Schema extension Provides details on changes made to
the Active Directory schema by
DigitalPersona Pro Enterprise.
228
DigitalPersona Pro Enterprise - Administrator Guide
192
Glossary 22
In order to fully understand and implement the features of DigitalPersona Pro Enterprise, you will need to
be familiar with the terms and concepts covered in this chapter.
If you consider yourself knowledgeable about Active Directory, you may want to skip the rest of this page
and continue with reading about DigitalPersona Pro terminology on page 194.
Concepts
Active Directory
Active Directory is a directory service included with Microsoft Windows servers since Windows 2000
Server. A directory service is a software application that stores and organizes information about a
computer network's users and resources; such as computers, printers and network shares. It enables
network administrators to manage users' access to those resources.
DigitalPersona Pro Enterprise utilizes the Active Directory service for administration of policies and
settings that determine the functionality and features implemented in your organization.
Through Active Directory you can assign enterprise-wide policies and settings to computers in your
network as well as locate and administer objects, users and resources across the network.
Active Directory is structured as a hierarchy of objects and containers laid out in a tree format. In the
Active Directory Users and Computers (ADUC) Snap-in, which is one of the visual tools that can be used
to create and administer objects, the hierarchy looks much the same as the folder structure in Windows
Explorer.
Chapter 22 - Glossary
DigitalPersona Pro Enterprise - Administrator Guide
193
Group Policy
Group Policy is a feature of the Active Directory service that facilitates change and configuration
management.
Group Policy settings are stored in Group Policy Objects (GPOs) in the Active Directory database. These
GPOs are linked to containers, which include Active Directory sites, domains, and organizational units
(OUs).
Because Group Policy is so closely integrated with Active Directory, it is important to have a basic
understanding of both Active Directory structure and the security implications of different design
configuration options within it before you implement Group Policy.
For information about the policies and settings that DigitalPersona Pro adds to a GPO, see Policies and
Settings on page 99.
Organizational Units (OUs)
An OU is a container within an Active Directory domain. An OU may contain users, groups, computers,
and other OUs, which are known as child OUs. You can link a GPO to an OU, and the GPO settings will be
applied to the users and computers that are contained within that OU and its child OUs. To facilitate
administration you can delegate administrative authority to each OU. OUs provide an easy way to group
users, computers, and other security principals, and they also provide an effective way to segment
administrative boundaries. Users and computers are generally assigned to separate OUs, because some
settings only apply to users and other settings only apply to computers.
One of the primary goals of an OU structure design for any environment is to provide a foundation for a
seamless Group Policy implementation that applies to all workstations in Active Directory and ensures that
they meet the security standards of your organization.
The OU structure must also be designed to provide adequate security
settings for specific types of users in an organization. For example,
developers may need some permissions that average users do not need to
have. Also, laptop users may have slightly different security requirements
than desktop users.
The figure on the right shows a basic OU structure for illustration of the
concept only, and is not a recommendation to create your OU structure in
the same way. Your OU structure must be defined by the specific
organizational requirements of your environment.
The authentication process
DigitalPersona Pros authentication process validates the identity of a user
through the submission of one or more administrator-specified
credentials.
Chapter 22 - Glossary
DigitalPersona Pro Enterprise - Administrator Guide
194
This authentication process is used by DigitalPersona Pro Workstation clients in an enterprise deployment
with DigitalPersona Pro Enterprise Servers.
Prior to authentication:
1 A user enrolls or sets up the required credentials, creating an enrollment template that is stored on the
local workstation and also sent securely to the Pro Server.
2 The workstation client captures user data (such as user account or logon information), called Secrets,
and sends them securely to the DigitalPersona Pro Enterprise Server for storage in Active Directory.
By default, it also caches these Secrets locally on the workstation, so that they are available if the
Server cannot be reached. Caching can also be disabled by the administrator. See the topic Cache user
data on local computer on page 110.
The authentication process is initiated when a Pro Enterprise compatible application (such as Pro
Workstation) prompts the user to verify their identity by providing their credentials. This may be in order
to log on to Windows, specific security applications or applications, network resources or websites using
Password Manager logons.
The authentication process is as follows:
1 The user attempts to access a protected resource.
2 Verification of identity is requested through the submission of specific credentials.
3 The submitted credentials are compared to enrollment data cached on the local workstation and then
sent to the Pro Server for confirmation of the users identity.
4 Pro Server compares the presented credential(s) to the enrollment data in the user record in Active
Directory. If the credentials match the enrollment data, Pro Server authenticates the user and sends the
Secret requested by the application securely to the workstation.
5 The requesting application receives the Secret and then uses the information as needed, typically to log
the user on to their Windows account, a program or website.
When a Pro Server is unavailable, such as when a laptop is disconnected from the network, the required
Secret is retrieved from a local cache on the workstation. If a Pro Server is unavailable, and local caching
has been disabled by the administrator, authentication is not possible.
This authentication process can be modified by the administrator using settings provided through the
DigitalPersona Pro GPMC extensions (see Policies and Settings on page 99).
Terminology
Administrative Console
A central location where you can access and manage the features and settings governing a DigitalPersona
Pro Enterprise compatible client.
Chapter 22 - Glossary
DigitalPersona Pro Enterprise - Administrator Guide
195
authentication
Process of verifying that you are the person you claim to be, through the use of credentials specified by an
administrator.
back up
To save a copy of important program information to a location outside the program. It can then be used for
restoring the information at a later date to the same computer or another one.
Bluetooth
A credential that uses paired Bluetooth-enabled devices for authentication.
card reader
A hardware device used for reading smart cards, contactless cards and proximity cards. Supported readers
are listed below. Drivers included with the readers must be installed, and are not provided by DigitalPersona
Pro installations.
Contactless card readers: OMNIKEY CardMan 3321, 5321, 6321
Proximity card readers: CardMan 3325, 5325, with a firmware version of not less than 5.10.
cards
DigitalPersona supports a wide variety of identification cards, including contact smart cards, contactless
cards and proximity cards. For manufacturers and models supported, see the specific type of card as listed
above.
connected device
A hardware device that is connected to a port on the computer.
Contactless card
A plastic card with an embedded chip that can be used as a sole authentication credential. Supported
contactless cards are listed below. Drivers are provided by the card manufacturer or vendor and are not
included in DigitalPersona Pro product installations.
Contactless HID iCLASS memory cards;
Contactless MiFare Classic 1k, 4k and mini memory cards. (MiFare UltraLight cards are not
supported.)
Contact\Contactless HID Crescendo 700 PKI cards
Chapter 22 - Glossary
DigitalPersona Pro Enterprise - Administrator Guide
196
credential
A specific piece of information or hardware device used to authenticate an individual user.
dashboard
A central location where you can access and manage the features and settings in DigitalPersona Pro
Workstation for Enterprise.
dynamic DNS
Dynamic DNS defines a protocol for dynamically updating a DNS server with new or changed values.
DigitalPersona Pro uses Dynamic DNS to update the DNS server with changes made to DigitalPersona Pro
policies and settings.
enroll
The process of capturing and storing information about your fingerprints, which are then used to
authenticate you in order to access Windows, websites, and programs.
fingerprint
A digital extraction of your fingerprint image. Your actual fingerprint image is never stored by Pro
Workstation.
kiosk
A kiosk is a computer, or group of computers, that can be used by designated persons sharing a single
Windows user account and its associated programs. Each user of the kiosk can quickly and easily log on to
Windows, programs and websites using the minimum credentials (such as fingerprints) specified by the
organization.
logon
Account data for a website, program, network resource or password change screen that allows a user to
logon by using specific credentials as specified by the Pro Enterprise administrator. There are two types of
logons, personal logons and managed logons. See separate glossary entries.
managed computer
Any computer running a compatible DigitalPersona Pro client, that has been set up to be managed by a Pro
server.
Chapter 22 - Glossary
DigitalPersona Pro Enterprise - Administrator Guide
197
managed logon
A logon (see above) created using the Password Manager Admin Tool, which can then be deployed to all
managed computers. The term logon is generally used, except when specifically referring to logons created
by an administrator with the Password Manager Admin Tool (managed logons) as contrasted with those
created by an end-user (personal logons). When both managed and personal logons exist for the same
program or website, the personal logon is disabled and only the managed logon may be used for access to
the specified program or website. See also: personal logon.
Password Manager
A security application included with Pro Enterprise- compatible clients, that allows users to create their
own personal logons for programs and websites, in addition to using managed logons created through the
Password Manager Admin Tool. These logons may be used to launch the program or website and
automatically fill in required account data after verifying their identity with any of a variety of
authentication mechanisms (such as password, smart card, fingerprints or Defender-compatible VPN
tokens) as specified by the DigitalPersona Pro administrator.
Password Manager Admin Tool
An optional management application that plugs into Administrative Console of compatible workstation
clients to enable the creation, administration and management of logons for password-protected software
programs and websites. Users simply verify their identity by supplying required credentials to securely
provide data for logon fields, such as user name and password, on any website or program logon screen.
Administrators use the Password Manager Admin Tool to create managed logons specifying information
for the logon screens, and can use application policy settings in the GPO to deploy the One Touch SignOn
templates to end users.
(Requires Internet Explorer 6 or above.)
personal logon
A logon created by an end-user with the Password Manager application. The term logon is generally used,
except when contrasting logons created by an end-user (personal logons) with those created by an
administrator with the Password Manager Admin Tool (managed logons). See also: managed logons.
PIN (Personal Identification Number)
A credential composed of a series of digits. A PIN is often used in combination with another credential to
easily enhance its security. This PIN should not be confused with a Smart Card PIN which is used as part
of a Smart Card credential.
Chapter 22 - Glossary
DigitalPersona Pro Enterprise - Administrator Guide
198
Proximity card
A plastic card with an embedded chip that can be used as an authentication credential, but only in
combination with another credential as specified in the Logon or Session Policy in force.
Proximity cards supported are: Simple HID proximity cards.
Drivers are provided by the card manufacturer or vendor and are not included in DigitalPersona Pro
product installations.
Quick Actions
Quick Actions, which combine the Shift or Control Keys with use of the fingerprint to access
DigitalPersona Pro features, can be created by end users in the DigitalPersona Pro Workstation Properties
dialog.
restore
A process that copies program information from a previously saved backup file into this program.
scene
A photo of an enrolled user to be used for authentication.
Secret
A DigitalPersona Pro Secret is application specific user data that is stored securely in Active Directory by
the DigitalPersona Pro Enterprise Server, or locally by the local authentication server on the workstation.
The Secret is released to the application upon successful identification of the user, and used to log on to
programs and websites for which logon templates have been created.
Service Resource Records (SVR RR)
Active Directory servers publish their addresses so that clients can find them knowing only the domain
name. Active Directory servers are published via Service Resource Records (SRV RRs) in DNS. The SRV
RR is a DNS record used to map the name of a service to the address of a server offering that service. The
name of a SRV RR is in this form: <service>.<protocol>.<domain>
Active Directory servers offer the LDAP service over the TCP protocol with published names in the form:
ldap.tcp.<domain>
For example, the SRV RR for ``Microsoft.com'' is ``ldap.tcp.microsoft.com.'' Additional information on
the SRV RR indicates the priority and weight for the server, allowing clients to choose the best server for
their needs.
Chapter 22 - Glossary
DigitalPersona Pro Enterprise - Administrator Guide
199
When an Active Directory server is installed, it publishes itself via Dynamic DNS. Since TCP/IP addresses
are subject to change over time, servers periodically check their registrations to make sure they are correct,
updating them if necessary.
smart card
A hardware device that can be used for authentication.
Verification Template
A verification template is created from a fingerprint scan whenever a user places their finger on the
fingerprint reader. During authentication, this template is matched to available Enrollment Templates in
order to identify the user. At the end of the authentication process the Verification Template is erased.
Windows administrator
A user with full rights to modify permissions and manage other users.
Windows Logon
Windows Logon provides the ability for you to log on to your Windows account by using any of a variety
of authentication mechanisms (such as password, smart card, fingerprints or Defender-compatible VPN
tokens).
Windows Logon Security
Protects your Windows accounts by requiring the use of specific credentials for access.
Windows user account
Profile for an individual who is authorized to log on to a network or to an individual computer.
DigitalPersona Pro Enterprise - Administrator Guide
200
Citrix Deployment Scenarios 23
Overview
This chapter covers a few of the most common deployment scenarios of DigitalPersona Pro Workstation
for Enterprise and DigitalPersona Pro Kiosk for Enterprise, through the Citrix XenApp or XenDesktop
virtualization platforms.
DigitalPersona Pros Fast Connect feature works with XenApp and XenDesktop to create a streamlined
SSO connection to published applications and desktops.
You can also easily access DigitalPersona Pro Workstation through Citrix from various supported thin
clients. System requirements and setup steps for IGEL thin clients are on page 205.
All authorized and enrolled DigitalPersona Pro credentials are supported in the virtual scenarios, except
for Bluetooth and Face credentials.
Installation and configuration
Specific instructions for the installation and configuration of a DigitalPersona Pro client in the Citrix
environment are covered in the chapter Citrix and remote installation on page 60.
Note that the use of the Fast Connect feature requires a custom installation of DigitalPersona Pro
Workstation for Enterprise on the XenApp Server or in the XenDesktop image with the One Touch Logon
feature deselected.
Chapter 23 - Citrix Deployment Scenarios
DigitalPersona Pro Enterprise - Administrator Guide
201
Fast Connect with XenApp and Pro Workstation
Fast Connect works with XenApp server and the Citrix online plug-in (v12.3 and above) to enable SSO
(Single Sign-On) to published applications and desktops. When configured, you can connect to and log on
to a Citrix published application or desktop using a predefined Quick Action triggered by use of a
credential or key+credential combination.
This scenario assumes that DigitalPersona Pro Workstation has been successfully installed on the XenApp
server (see page 60), using a custom install with the One Touch Logon feature deselected, and on a separate
client computer using a typical install, i.e. including the One Touch Logon feature.
XenApp server configuration
The Login Mode on the XenApp server must be configured for Pass-through authentication. You can
verify this on the client computer running the Citrix online plug-in by right-clicking the Citrix icon,
selecting Options, and ensuring that the Login Mode is Pass-through authentication.
Pro Server configuration
Complete these steps to configure the DigitalPersona Pro Server. (Installation instructions are on page 22.)
1 Configure Group Policies
Quick Action - Choose a Quick Action setting, enable it, and select Fast Connect through the
dropdown menu. Quick Actions perform a specific operation whenever a specified credential or
key+credential combination is presented. This policy is located at: Policies/Administrative Templates/
DigitalPersona Pro Client/General Administration.
Fast Connect - Enable the setting, and specify the Citrix Farm Name and the name of the Published
Application or Desktop to be launched automatically. These are case-sensitive. The syntax is
FarmName:AppOrDesktopName. This setting is located at: Policies/Administrative Templates/
Chapter 23 - Citrix Deployment Scenarios
DigitalPersona Pro Enterprise - Administrator Guide
202
DigitalPersona Pro Client/Fast Connect. Note that Fast Connect will work without this setting enabled,
but will connect to the last accessed Citrix published application or desktop.
2 Disable the Session Authentication Policy - This is optional, but in combination with a Password
Manager managed logon, removes the requirement to log on separately to the Windows session, and is
used to create SSO functionality. This policy is located at: Policies/Administrative Templates/
DigitalPersona Pro Client/Security/Authentication.
3 In the Password Manager Admin Tool, create a managed logon for the published application. When
creating the managed logon, the Start Authentication Immediately property must be set on the Logon
Properties page. For instructions on creating a managed logon, see the Password Manager Application
Guide.
Chapter 23 - Citrix Deployment Scenarios
DigitalPersona Pro Enterprise - Administrator Guide
203
Maintaining local and remote Kiosk identities
(Pro 5.3 and above only) In this scenario, the enterprise wants to implement several local installations of
DigitalPersona Pro Kiosk, as well provide access to Pro Kiosk through the Citrix XenDesktop or a
published Pro Kiosk application.
Additionally, they want the ability for a user to log in to the XenDesktop or Pro Kiosk published
application from a local Kiosk without losing access to the resources mapped to the local Kiosk. With
versions of DigitalPersona Pro Kiosk prior to version 5.3, this was not possible, since a user logging into a
XenDesktop or XenApp published Pro Kiosk application would log into the Shared Account for the
published Kiosk and lose their Shared Account identity from the local kiosk.
In Pro Kiosk 5.3 and above, local Kiosk users logging into a published Pro Kiosk will maintain their local
identity and any resources associated with the local kiosk.
For example, a hospital wants to have a local installation of Pro Kiosk on each floor, as well as provide
access to a XenDesktop or XenApp published Pro Kiosk application in the administrative wing. When
someone needs to log into the XenDesktop published Kiosk, they still have access to local resources for the
floor, such as printers and other peripherals.
Chapter 23 - Citrix Deployment Scenarios
DigitalPersona Pro Enterprise - Administrator Guide
204
Setting up kiosks for local and remote identities
Setup is fairly simple.
1 Each local kiosk is created in a separate Active Directory OU (Organizational Unit).
2 The remote (XenDesktop or XenApp published Pro Kiosk) can be created at either the OU or domain
level.
3 Configure settings for each kiosk as shown in steps 4 through 6 below.
4 In the Group Policy Editor, navigate to Kiosk Administration, Kiosk Shared Account Settings.
5 Enable the following settings; Allow automatic logon using Shared Kiosk Account and Logon/Unlock
with Shared Account Credentials.
6 Enter required information under the Kiosk Workstation Shared Account Settings (user name, domain
and password). Additional configuration options are available. See Kiosk Administration on page 104.
7 Configure Identification Server settings. If fingerprint readers will be used, the Perform fingerprint
identification on server setting must be enabled. Additional configuration options are available, see
Identification Server settings on page 121.
Using kiosk local and remote identities
WIth the scenario described above, once setup has been completed, a local Kiosk user can log onto Pro
Kiosk with their domain credentials as usual. Once logged in, if they have a need to access the remote
XenApp published Pro Kiosk, they can log in with their domain credentials, but the actual Windows
account accessed will be the same Shared Account that they originally logged into on the local Kiosk. Any
resources associated with those credentials will now be available from the remote Kiosk.
So a user who logs into a local Kiosk, and then launches accesses a XenDesktop or XenApp published
Kiosk through a supported XenApp client, will be logged in to the published XenDesktop or published
(remote) Pro Kiosk using the Shared Account credentials from the local Kiosk and will retain access to any
resources associated with that account.
Chapter 23 - Citrix Deployment Scenarios
DigitalPersona Pro Enterprise - Administrator Guide
205
IGEL Universal Desktop support
The Citrix ICA client provided with the IGEL Universal Desktop thin client includes a DigitalPersona Pro
plug-in that provides communication between an attached DigitalPersona fingerprint reader and the
DigitalPersona software running on Citrix XenApp or XenDesktop.
Requirements
Supported IGEL hardware:
UD2-x30 LX
UD3-x31 LX
UD5-x30 LX
UD9-x30 LX
UD9-x31 LX
UDC Universal Desktop Converter
Firmware: Version 4.06.110 or above
Software: DigitalPersona Pro Workstation or Kiosk 5.4 or above running on Citrix XenApp or
XenDesktop.
Setup
To set up an individual IGEL box for use with DigitalPersona Pro
1 Run IGEL Setup.
2 Navigate to ICA/ICA Global/Mapping/Device Support.
3 Select DigitalPersona Fingerprint Channel.
4 Click Apply or OK.
To set up a group of IGEL boxes
IGEL provides a free central management tool, the Universal Management Suite (UMS), for creating and
managing configuration profiles for IGEL clients. It is bundled with every IGEL thin client product and
can also be downloaded from their website: http://igel.com.
UMS supports a variety of operating systems, databases and directory services like Microsoft Active
Directory, and can therefore be easily integrated into every environment.
Procedures for configuring profiles will vary depending on the environment. See UMS documentation for
your specific enterprise environment.
DigitalPersona Pro Enterprise - Administrator Guide
206
Policies and Settings - Alphabetical list 24
The AD nodes, policies, settings and properties included in DigitalPersona Pro Enterprise are listed
alphabetically in the following table, along with a reference to the page where they are described in detail.
Node/Policy/Setting name Page
Authentication (DigitalPersona Pro Client) 101 ff
Authentication Devices (DigitalPersona Pro Client) 108 ff
Authentication Devices (DigitalPersona Pro Enterprise Server) 119 ff
Account lockout duration 119
Account lockout threshold 119
Allow automatic logon using Shared Kiosk Account 114
Allow running auto updates on the computer 117
Allow Pro client to use Pro Server 113
Allow creation of personal logons 127
Allow users to add account data 127
Allow users to delete account data 128
Allow users to edit account data 127
Allow users to view managed logon passwords 127
Automated site coverage by Pro Enterprise Server Locator DNS SRV records 122
Bluetooth 108
Cache user data on local computer 110
Certificate publishing policy 115
Certificate use policy 116
Citrix Published Application Name 112
DigitalPersona Pro Client 101
DigitalPersona Pro Enterprise Server (Policies, Software Settings) 105
DigitalPersona Pro Enterprise Server (Administrative Templates) 118
Chapter 24 - Policies and Settings - Alphabetical list
DigitalPersona Pro Enterprise - Administrator Guide
207
DigitalPersona Reporter Event Forwarding 112
Disable applications 115
Do not allow users to run local administrative tools 113
Do not compress fingerprint data for redirection 108
Do not launch the Getting Started wizard upon logon 113
Dynamic registration of Pro Enterprise Server Locator DNS records 124
Enable multi-factor authentication in Windows logon 116
Enable One Step Logon 117
Enable Self Password Recovery 117
Enable the Central Management menu item 117
Enrollment (computer, user) 104, 126
Event logging (client, server) 111, 121
Fast Connect 112
Features 116
Fingerprint enrollment (client, server) 110, 119
Fingerprint verification (client, server) 110, 120
Fingerprint verification lockout 119
Fingerprints (client, server) 108, 119
Fingerprint verification lockout 119
General Administration 112
Identification Server domain 113
Identification Server settings 121
Kiosk Session Authentication Policy (Computer Configuration) 103
Kiosk Session Authentication Policy (User Configuration) 125
Kiosk Workstation Shared Account Settings 114
Kiosk Unlock Script 114
Node/Policy/Setting name Page
Chapter 24 - Policies and Settings - Alphabetical list
DigitalPersona Pro Enterprise - Administrator Guide
208
Level of detail in event logs (client, server) 111, 121
Licenses (client) 104
Lock the computer upon smart card removal 111
Log Status Events 112
Logon/Unlock with Shared Account Credentials 114
Logon Authentication Policy (Computer Configuration) 102
Logon Authentication Policy (User Configuration) 116
Managed applications (Computer Configuration) 115
Managed applications (User Configuration) 127
Managed logons 127
Password Manager 127
Path(s) to the managed logons folder(s) 128
Perform fingerprint authentication on server 121
PIN enrollment (DigitalPersona Pro Client) 111
PIN enrollment (DigitalPersona Pro Enterprise Server) 120
Prevent Password Manager from running 115
Prevent Privacy Manager from running 115
Prevent users from logging on outside of a Kiosk session 114
Priority set in Pro Enterprise Server Locator DNS records 123
Privacy Manager 115
Pro Enterprise Server DNS 122
Quick Actions 112
Randomize users Windows password 82
Redirect fingerprint data 108
Refresh interval of Pro Enterprise Server DNS records 122
Register Pro Enterprise Server Locator DNS records for domain 124
Node/Policy/Setting name Page
Chapter 24 - Policies and Settings - Alphabetical list
DigitalPersona Pro Enterprise - Administrator Guide
209
Reset account lockout counter after 119
Restrict identification to a specific list of users 122
Self Enrollment Policy (computer, user) 104, 126
Session Authentication Policy (computer, user) 102, 125
Session Authentication Policy (computer, user) 116, 128
Set the False Accept Rate 110
Set the maximum number of enrolled fingerprints 110
Set the minimum number of enrolled fingerprints 110
Set the minimum length of user PIN 111
Settings 117
Show Taskbar icon 113
Silent authentication 108
Sites covered by Pro Enterprise Server Locator DNS records 123
Software updates 117
Smart cards 111
User provides only Windows credentials to log on 83
Weight set in Pro Enterprise Server Locator DNS records 123
Node/Policy/Setting name Page
DigitalPersona Pro Enterprise - Administrator Guide
210
Embedded Windows dependencies 25
This version of DigitalPersona Pro for Enterprise supports several embedded Windows platforms (see
System Requirements on page 17.
However, note that the Client Suite Installer and the Setup.exe file included in the product package cannot
be used to install the DigitalPerwsona Pro client on a Windows XP Embedded OS. Use the SETUP.msi file
located in the installation folder instead.
This chapter contains two tables, documenting the files and components required in order to run the
DigitalPersona Pro Workstation on the supported embedded platforms.
Required components for supported Windows Embedded platforms
Component Name Dependency Description
Accessibility Core Dependency caused by
OLEACC.DLL of type static
Common Control Libraries Version 5 Dependency caused by
COMCTL32.DLL of type static
DigitalPersona Fingerprint Reader Dependency caused by DPCtrls
of type static
Microsoft Visual C++ Run Time Dependency caused by
MSVCRT.DLL of type rawdep
OpenGL Support Dependency caused by
OPENGL32.DLL of type static
Primitive: Crypt32 Dependency caused by
CRYPT32.DLL of type static
Primitive: Mpr Dependency caused by
MPR.DLL of type static
Primitive: Msimg32 Dependency caused by
MSIMG32.DLL of type static
Primitive: Netapi32 Dependency caused by
NETAPI32.DLL of type static
Primitive: Ntdll Dependency caused by
NTDLL.DLL of type static
Primitive: Ole32 Dependency caused by
OLE32.DLL of type static
Chapter 25 - Embedded Windows dependencies
DigitalPersona Pro Enterprise - Administrator Guide
211
Primitive: Oleaut32 Dependency caused by
OLEAUT32.DLL of type static
Primitive: Psapi Dependency caused by
PSAPI.DLL of type rawdep
Primitive: Secur32 Dependency caused by
SECUR32.DLL of type static
Primitive: Setupapi Dependency caused by
SETUPAPI.DLL of type static
Primitive: Shell32 Dependency caused by
SHELL32.DLL of type static
Primitive: Shlwapi Dependency caused by
SHLWAPI.DLL of type static
Primitive: Userenv Dependency caused by
USERENV.DLL of type static
Primitive: Winmm Dependency caused by
WINMM.DLL of type static
RPC Local Support Dependency caused by
RPCRT4.DLL of type static
RPC Server Dependency caused by
RPCSS.DLL of type rawdep
Standard Template Libraries (STL) Dependency caused by
MSVCP60.DLL of type rawdep
Windows API - Advanced Dependency caused by
ADVAPI32.DLL of type static
Windows API - GDI Dependency caused by
GDI32.DLL of type static
Windows API - Kernel Dependency caused by
KERNEL32.DLL of type static
Windows API - User Dependency caused by
USER32.DLL of type static
Windows Logon (Standard) Dependency caused by
MSGINA.DLL of type rawdep
Component Name Dependency Description
Chapter 25 - Embedded Windows dependencies
DigitalPersona Pro Enterprise - Administrator Guide
212
Required files for supported Windows Embedded platforms
File Description Location
activeds.dll ADs Router Layer DLL C:\WINDOWS\system32
adsldpc.dll ADs LDAP Provider C DLL C:\WINDOWS\system32
advapi32.dll Advanced Windows 32 Base API C:\WINDOWS\system32
atioglxx.dll ATI OpenGL driver C:\WINDOWS\system32
atl.dll ATL Module for Windows XP
(Unicode)
C:\WINDOWS\system32
clbcatq.dll Microsoft COM Services
component
C:\WINDOWS\system32
comctl32.dll Common Controls Library C:\WINDOWS\system32
comres.dll Microsoft Communications
module
C:\WINDOWS\system32
crypt32.dll Crypto API32 C:\WINDOWS\system32
dciman32.dll DCI Manager C:\WINDOWS\system32
ddraw.dll Microsoft DirectDraw C:\WINDOWS\system32
dnsapi.dll DNS Client API DLL C:\WINDOWS\system32
gdi32.dll GDI Client DLL C:\WINDOWS\system32
GdiPlus.dll Microsoft GDI+ C:\WINDOWS\WinSxS\x86_Microsoft.Wind
ows.GdiPlus_6595b64144ccf1df_1.0.2600.21
80_x-ww_522f9f82\GdiPlus.dll
glu32.dll OpenGL Utility Library DLL C:\WINDOWS\system32
hnetcfg.dll Home Networking Configuration
Manager
C:\WINDOWS\system32
imagehlp.dll Windows NT Image Helper C:\WINDOWS\system32
iphlpapi.dll IP Helper API C:\WINDOWS\system32
kernel32.dll Windows NT BASE API Client
DLL
C:\WINDOWS\system32
mpr.dll Multiple Provider Router DLL C:\WINDOWS\system32
Chapter 25 - Embedded Windows dependencies
DigitalPersona Pro Enterprise - Administrator Guide
213
msasn1.dll ASN.1 Runtime APIs C:\WINDOWS\system32
msv1_0.dll Microsoft Authentication
Package v1.0
C:\WINDOWS\system32
msvcrt.dll Windows NT CRT DLL C:\WINDOWS\system32
mswsock.dll Microsoft Windows Sockets 2.0
Service Provider
C:\WINDOWS\system32
netapi32.dll Net Win32 API DLL C:\WINDOWS\system32
ntdll.dll NT Layer DLL C:\WINDOWS\system32
ole32.dll Microsoft OLE for Windows C:\WINDOWS\system32
oleaut32.dll Microsoft OLE dll C:\WINDOWS\system32
opengl32.dll OpenGL Client DLL C:\WINDOWS\system32
rasadhlp.dll Remote Access AutoDial Helper C:\WINDOWS\system32
riched20.dll Rich Text Edit Control, v3.0 C:\WINDOWS\system32
riched32.dll Wrapper Dll for Richedit 1.0 C:\WINDOWS\system32
rpcrt4.dll Remote Procedure Call Runtime C:\WINDOWS\system32
rsaenh.dll Microsoft Enhanced
Cryptographic Provider
C:\WINDOWS\system32
secur32.dll Security Support Provider
Interface
C:\WINDOWS\system32
setupapi.dll Windows Setup API C:\WINDOWS\system32
shell32.dll Windows Shell Common Dll C:\WINDOWS\system32
shlwapi.dll Shell Light-weight Utility Library C:\WINDOWS\system32
user32.dll Windows XP USER API Client
DLL
C:\WINDOWS\system32
userenv.dll Userenv C:\WINDOWS\system32
uxtheme.dll Microsoft UxTheme Library C:\WINDOWS\system32
version.dll Version Checking and File
Installation Libraries
C:\WINDOWS\system32
File Description Location
Chapter 25 - Embedded Windows dependencies
DigitalPersona Pro Enterprise - Administrator Guide
214
winmm.dll MCI API DLL C:\WINDOWS\system32
winsta.dll Winstation Library C:\WINDOWS\system32
wintrust.dll Microsoft Trust Verification APIs C:\WINDOWS\system32
wldap32.dll Win32 LDAP API DLL C:\WINDOWS\system32
ws2_32.dll Windows Socket 2.0 32-Bit DLL C:\WINDOWS\system32
ws2help.dll Windows Socket 2.0 Helper for
Windows NT
C:\WINDOWS\system32
wshtcpip.dll Windows Sockets Helper DLL C:\WINDOWS\system32
wtsapi32.dll Windows Terminal Server SDK
APIs
C:\WINDOWS\system32
File Description Location
DigitalPersona Pro Enterprise - Administrator Guide
215
Identification List 26
By default, all domain users are granted Kiosk access. However, DigitalPersona Pro Enterprise provides
the capability to restrict identification to a specific list of users with permissions for the computer where
the identification request originates.
To restrict identification
Enable the Restrict identification to a specific list of users GPO setting (see page 122).
Remove the default domain-level permission that includes all domain users in the identification list.
Assign Allow or Deny permissions to the OU or computers.
Note that in versions prior to 5.4.1, this restriction applies only to fingerprint access, and access through
other credentials, such as a Windows password, is not restricted. Beginning with version 5.4.1, the
restriction applies to all supported credentials.
Also, since the Kiosk rights have to be read from a Pro server to see whether or not there is a restriction, if
the Kiosk can not reach a Pro server all users are assumed to be restricted and will be rejected, except for
those users who have previously logged onto the Kiosk and are therefore cached on the client.The
Example: Restricting kiosk identification
The following procedure assumes that a kiosk has already been created and that required Shared Account
information has been entered. See Kiosk Shared Account Settings on page 29.
1 In the AD Users and Computers console menu, check the View menu to make sure that Advanced
Features is on (has a check mark next to it).
2 Remove the default domain-level Kiosk Membership permission that allows everyone in the domain to
be identified through the ID Server.
Right-click on the domain and select Properties. On the Security tab, click the Advanced
button
Within the Advanced Security Settings dialog, in the list of permissions, locate the permission
Allow\Everyone\Kiosk Membership (DigitalPersona), and click Remove to delete it.
3 Locate (or create) and select the OU or container object that you want to configure the membership for.
4 Ensure that all kiosk computers that you want to use this identification list for are shown within the
container. Add kiosk computers as necessary.
5 If you are not using a previously defined user group for the identification list, create a new user group
object and add the desired users to the group.
6 Right-click on the kiosk container and select Properties. On the Security tab, click the Advanced
button.
7 Set Allow or Deny permissions as desired. On Windows Server 2003/2008, follow steps 8-12 below. On
Windows Server 2012, follow steps 13-18.
Chapter 26 - Identification List
DigitalPersona Pro Enterprise - Administrator Guide
216
8 For Windows 2003/2008, complete the
following steps.
9 In the Advanced Security Settings
dialog, click Add to display the Select
Users, Computers or Groups dialog.
10 Enter the name of the group (or specific
user) that you want to define
permissions for and click OK.
11 In the Permission Entry dialog, in the
Apply To drop-down list, select
Descendent Computer objects.
12 In the list of permissions, locate the
permission Kiosk Membership
(DigitalPersona) and then select either
Allow or Deny.
Chapter 26 - Identification List
DigitalPersona Pro Enterprise - Administrator Guide
217
13 For Windows Server 2012, complete the following steps.
14 In the Advanced Security Settings dialog, click Add to display the Permission Entry dialog.
15 Click the Select a principal link to display the Select Users, Computers or Groups dialog. Then Enter
the name of the group (or specific user) that you want to define permissions for and click OK.
16 Choose the permission type (Allow or Deny) from the Type dropdown menu.
17 In the Applies To drop-down list, select Descendent Computer objects.
18 Select Kiosk Membership (DigitalPersona). Then click OK.
In most cases, it is preferable to manage permissions at the group level rather than on a user-by-user level.
Note that a Deny permission always has precedence over any Allow permissions for a specific group or
user.
DigitalPersona Pro Enterprise - Administrator Guide
218
Pro Events for version 5.3 27
DigitalPersona Pro and its security applications write events to the Windows Event Log when significant
activities occur, along with a date and time stamp indicating when they occurred.
By default, all DigitalPersona Pro events are logged - except for those in the Status Notifier category (see
page 226).
Activity events are classified into the following categories.
Events are listed in tables under each category in the following sections. For each event, information is
shown indicating where the event is logged (on the Pro Server or on a client workstation) and what level of
logging an event is reported at. For example, if an event is shown as logged on the workstation (Wks) at
the Fd (Fine detail) level, it will not be written to the log unless the Fine detail level is specified in the
Level of detail in event logs GPO setting governing that computer (see page 111).
Description ID Page
Credential Management 256 219
User Management 512 219
Secret Management 768 221
System, Services, Settings and User Sessions 1024 221
External components 1280 222
Password Manager Admin Tool 1536 223
Fingerprint Match 2048 223
DNS Registration 2304 223
License Management 4096 224
License Management, ID Server licensing 4112 225
OTP Management 4352 225
Status Notifier 4608 226
Logon 4864 227
Chapter 27 - Pro Events for version 5.3
DigitalPersona Pro Enterprise - Administrator Guide
219
Credential Management
Task Category: 256
These events may be generated during credentials management.
User Management
Task Category: 512
These events may be generated during user management.
Event ID
Level
Srvr ---- Wks
Authentication failure 257 - A
Authenticated successfully 258 - Dt
Failed to enroll credential 259 - A
Credential enrolled 260 - A
Failed to unenroll credential 261 - A
Credential unenrolled 262 - A
Payload recovery has failed 263 - E
Failed to set payload recovery 264 - Fd
Payload recovery set 265 - Fd
Payload recovered successfully 266 - Fd
Level: E = Error, A - Audit, Dt = Details, Fd = Fine details
Event ID
Level
Srvr ---- Wks
Failed to add user to authentication domain 513 - A
User added to authentication domain 514 - Dt
Failed to remove user from authentication domain 515 - A
User removed from authentication domain 516 - Dt
Failed to set user credentials 517 - A
Chapter 27 - Pro Events for version 5.3
DigitalPersona Pro Enterprise - Administrator Guide
220
User credentials set 518 - Dt
Failed to set user policy 519 - A
User policy set 520 - Dt
Failed to update user information 521 - A
User information updated 522 - Dt
Failed to identify user 523 - A
User identified 524 - Dt
Failure of user credential consistency check 525 - E
Failure of user credential signature check 526 - E
User account was unlocked 529 Dt -
Pro User added to the database 531 A -
Cannot add Pro User to the database 532 E -
Pro User deleted from the database 533 A -
Cannot delete Pro User from the database 534 E -
Level: E = Error, A - Audit, Dt = Details, Fd = Fine details
Event ID
Level
Srvr ---- Wks
Chapter 27 - Pro Events for version 5.3
DigitalPersona Pro Enterprise - Administrator Guide
221
Secret Management
Task Category: 768
These events may be generated during Secret management.
System, Services, Settings and User Sessions
Task Category: 1024
These events may be generated during the management of system operations.
Event ID
Level
Srvr ---- Wks
Failure of %1 secure application data consistency check 769 E E
Failed to delete secure application data 770 E E
Secure application data deleted 771 A A
Failure to release secure application data 772 E E
Secure application data released 773 A A
Failure of secure application data signature check 774 E E
Failed to store secure application data 775 E E
Secure application data stored 776 A A
Failure to release secure application data 777 E -
Secure application data released 778 A -
Level: E = Error, A - Audit, Dt = Details, Fd = Fine details
Event ID
Level
Srvr ---- Wks
Failed to activate authentication domain 1025 - A
Authentication domain activated 1026 - A
Failed to deactivate authentication domain 1027 - A
Authentication domain deactivated 1028 - A
Failed to start BAS 1029 E E
Chapter 27 - Pro Events for version 5.3
DigitalPersona Pro Enterprise - Administrator Guide
222
External components
Task Category: 1280
These events may be generated during the management of external components.
BAS started 1030 A A
BAS stopped 1031 A A
Failed to reset BAS configuration parameter 1032 A A
BAS configuration parameter reset 1033 A A
Failed to update BAS configuration parameter 1034 A A
BAS configuration parameter updated 1035 A A
Fingerprint reader connected (%1 reader(s) available.) 1036 - Fd
Fingerprint reader disconnected. ( %1 reader(s) remaining.) 1037 - Fd
Level: E = Error, A - Audit, Dt = Details, Fd = Fine details
Event ID
Level
Srvr ---- Wks
Credentials verified for logon 1281 - A
Credentials verified for unlock 1282 - A
Failed to change user password 1285 - E
User password changed 1286 - A
Workstation has been unregistered 1289 - A
Software installed 1305 - Dt
Software uninstalled 1306 - Dt
Application enabled 1307 - Dt
Application disabled 1308 - Dt
Level: E = Error, A - Audit, Dt = Details, Fd = Fine details
Event ID
Level
Srvr ---- Wks
Chapter 27 - Pro Events for version 5.3
DigitalPersona Pro Enterprise - Administrator Guide
223
Password Manager Admin Tool
Task Category: 1536
These events are generated when a managed logon is used or logon account data is modified.
Fingerprint Match
Task Category: 2048
These events may be generated during fingerprint matching operations.
DNS Registration
Task Category: 2304
These events may be generated during DNS registration.
Event ID
Level
Srvr ---- Wks
Initial fillin was performed. 1544 Dt
Fillin was performed. 1545 A
Account data was successfully modified. 1547 A
Level: E = Error, A - Audit, Dt = Details, Fd = Fine details
Event ID
Level
Srvr ---- Wks
Account is locked for fingerprint verification. 2049 A -
Level: E = Error, A - Audit, Dt = Details, Fd = Fine details
Event ID
Level
Srvr ---- Wks
Registration of the server failed. (Clients will not be able to locate the server.) 2306 E -
Removal of DNS record failed. 2307 E -
Remote server cannot be reached. 2308 - E
No remote servers available. 2309 - E
Level: E = Error, A - Audit, Dt = Details, Fd = Fine details
Chapter 27 - Pro Events for version 5.3
DigitalPersona Pro Enterprise - Administrator Guide
224
License Management
Task Category: 4096
These events may be generated during license management operations.
Event ID
Level
Srvr ---- Wks
The service is licensed for %1 users. (No more users can be registered at this
time because the license quota has been exceeded.)
4097 A -
The service is licensed for %1 users. (%2 users are already registered.%n The
license quota is nearly exceeded.)
4098 A -
License is not valid. 4099 - E
License activated 4100 - A
License activation failed 4101 - E
License deactivated 4102 - A
License deactivation failed 4103 - A
Level: E = Error, A - Audit, Dt = Details, Fd = Fine details
Chapter 27 - Pro Events for version 5.3
DigitalPersona Pro Enterprise - Administrator Guide
225
License Management, ID Server licensing
Task Category: 4112
These events may be generated during license management operations for the DigitalPersona ID Server.
OTP Management
Task Category: 4352
These events may be generated during One Time Password operations.
Event ID
Level
Srvr ---- Wks
User license installed 4113 - A
Failed to install user license(s) 4114 - E
The number of licensed users has been changed: Total users allowed %t%1%n 4115 - A
Level: E = Error, A - Audit, Dt = Details, Fd = Fine details
Event ID
Level
Srvr ---- Wks
One Time Password is provisioned 4353 - A
Failed to provision the One Time Password 4344 - E
One Time Password is generated 4355 - A
Failed to generate the One Time Password 4356 - E
One Time Password is deleted 4357 - A
Failed to delete the One Time Password 4358 - E
Level: E = Error, A - Audit, Dt = Details, Fd = Fine details
Chapter 27 - Pro Events for version 5.3
DigitalPersona Pro Enterprise - Administrator Guide
226
Status Notifier
Task Category: 4608
These events are a special category of events that are used in Reports generated by DigitalPersona Pro
Enterprise. By default these events are not written to the Windows Event Log, but must be enabled using
the Level of detail in event logs setting in the GPO governing the DigitalPersona Pro clients that you desire
to report statuses on (see page 111).
Event ID
Level
Srvr ---- Wks
License Activation status 4104 - A
Logon Policy for Users 4609 - A
Session Policy for Users 4611 - A
Logon Policy 4613 - A
Session Policy 4614 - A
Authentication Domain Activation Status 4615 - A
Applications Enabling 4616 - A
Level: E = Error, A - Audit, Dt = Details, Fd = Fine details
Chapter 27 - Pro Events for version 5.3
DigitalPersona Pro Enterprise - Administrator Guide
227
Logon
Task Category: 4864
These events may be generated during Logon operations.
Event ID
Level
Srvr ---- Wks
Credentials verified for logon 4865 - Fd
Credentials verified for unlock 4866 - Fd
Credentials verified for kiosk logon 4867 - Fd
Credentials verified for kiosk unlock 4868 - Fd
Computer locked 4869 - Fd
User (%user) logged off 4870 - Fd
Kiosk computer locked 4871 - Fd
Kiosk user logged off 4872 - Fd
Level: E = Error, A - Audit, Dt = Details, Fd = Fine details
DigitalPersona Pro Enterprise - Administrator Guide
228
Schema extension 28
This chapter describes the schema extension made to the Active Directory database in order to support the
operation of DigitalPersona Pro Enterprise, version 5.x. The chapter is composed of two sections.
Introduction
This schema extension is version 2. The schema extension version number is independent of the
DigitalPersona Pro product version number. Each Pro product release will identify the schema extension
version it requires.
The schema extension creates new attributes for the user object, creates new classes and makes changes to
some existing classes (adding links), as shown in the following tables.
The Microsoft naming conventions are followed. The name prefix registered with Microsoft is dp. The
Microsoft-generated OID base is 1.2.840.113556.1.8000.651.
For the full, detailed specifications, see Technical Bulletin 1006B, Schema Extension Specifications.
This document is intended to be used for reference purposes only, and may be superseded at any time by a
new version.
Schema extension overview
Schema objects summary
The following schema objects are created in the Active Directory database.
Section Page
Schema extension overview 228
Schema objects details 235
Class details 277
Standard Classes Extensions 292
Object Description
dp-User-Credentials-Data Stores fingerprint registration templates for the user.
dp-User-Account-Control Specifies the flags to control fingerprint credentials
behavior for the user.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
229
Object structure
dp-User-Private-Data Stores the application secure data of the user.
dp-Servers-Data Stores configuration data for all authentication servers
in a particular domain.
dp-License Stores the license for all servers in the Active
Directory forest.
dp-User-Logon-Policy Stores user logon policy information.
dp-User-Public-Key Stores the users public key.
dp-User-Payload Stores the users unified key data.
dp-User-Recovery-Key Stores the users recovery key.
dp-User-Data-Type Stores the type of the user data stored in the dp-User-
Private-Data attribute.
dp-Lockout-Time Stores the date and time (UTC) that this account was
locked out. This value is stored as a large integer that
represents the number of 100 nanosecond intervals
since January 1, 1601 (UTC). A value of zero means
that the account is not currently locked out.
dp-Recovery-Password-Last-Set-Time Stores data indicating the last time that the Recovery
Password was set.
dp-Recovery-Password Stores the computers recovery password.
dp-Master-Key Stores the computers hard drive encryption key.
Attribute property Description
adminDisplayName Display name of this object for use in directory service
administrative tools.
adminDescription Description of this object for use in directory service
administrative tools
cn Common name.
Object Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
230
lDAPDisplayName The name used by LDAP clients to refer to the object's class.
attributeID A unique OID that identifies the attribute.
objectClass The class of which this object is an instance.
objectCategory Reference to an object class or one of its superclasses, which is
used when searching for this object.
schemaIDGUID A GUID that uniquely identifies this object. You can use this
string value in an ACE to control access to objects of this
object.
attributeSyntax An OID of the syntax. The combination of the attributeSyntax
and oMSyntax properties determines the syntax of an attribute.
oMSyntax Syntax of this attribute as defined by the XAPIA XOM (X/
Open Object Model) specification.
isSingleValued TRUE means that the attribute has a single value, FALSE
means that the attribute can have multiple values.
attributeSecurityGUID An optional GUID that identifies the attribute as a member of
an attribute set (also known as a property set).
isMemberOfPartialAttributeSet TRUE means that the attribute is replicated to the global
catalog.
FALSE means that the attribute is not included in the global
catalog.
searchFlags An integer value whose least significant bit indicates whether
the attribute is indexed. The four bit flags in this value are:
1 = Index over attribute only
2 = Index over container and attribute
4 = Add this attribute to the Ambiguous Name Resolution set,
used together with 0x0001
8 = Preserve this attribute in the tombstone object for deleted
objects.
Attribute property Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
231
Schema classes summary
showInAdvancedViewOnly TRUE means that the object will appear in the Advanced View
of the Users and Computers snap-in only, but not in the
Windows shell.
FALSE means that the object will appear in Normal view of
the Users and Computers snap-in and the Windows shell
systemFlags An integer value that contains flags that define additional
properties of this object. Category 1 classes or attributes have
the 0x10 bit set by the system and cannot be set by users. They
are shipped with Active Directory.
For more information, see ADS_SYSETMFLAG_ENUM
enumeration in ADSI Reference.
systemOnly TRUE means that only Active Directory can modify the class
of this object.
FALSE means users can make the modification as well.
Class Description
dp-Authentication-Servers-Container Object Class Container for Authentication Server
objects.
dp-User-Secret Object Class used to represent application secure
data of user (i.e. user encryption key).
dp-Service-Configuration Object Class used to represent global configuration
information such as schema version and license.
dp-Authentication-Service-Connection-Point Object Class used to represent Authentication
Server. The class contains information about the
Authentication Server version, service principal
name, binding information etc.
Attribute property Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
232
Class structure
Class Property Description
adminDisplayName Display name of this object for use in directory service
administrative tools.
adminDescription Description of this object for use in directory service
administrative tools.
cn Common name.
lDAPDisplayName The name used by LDAP clients to refer to the object's class.
objectClass The class of which this object is an instance.
objectCategory Reference to an object class or one of its superclasses, which is
used when searching for this object.
objectClassCategory 1 means structural classes.
2 means abstract classes.
3 means auxiliary classes
defaultObjectCategory Object-Category used in queries for objects of this class.
rDNAttID Attribute name used as the Relative Distinguished Name
(RDN) for this class.
subClassOf Immediate superclass of this class.
systemAuxiliaryClass Auxiliary classes that this class inherits from.
governsID A unique OID identifying the class.
schemaIDGUID A GUID that uniquely identifies this object. You can use this
string value in an ACE to control access to objects of this
object.
defaultSecurityDescriptor The default security descriptor for new instances of this class.
defaultHidingValue TRUE means that new object instances are hidden in the
Administrative snap-ins and the Windows shell,
FALSE covers all other situations.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
233
showInAdvancedViewOnly TRUE means that the object will appear in the Advanced View
of the Users and Computers snap-in only, but not in the
Windows shell.
FALSE means that the object will appear in the Normal View
of the Users and Computers snap-in and in the Windows shell.
systemPossSuperiors Structural classes that can be containers of instances of this
class. For the complete set of classes that can contain this
class, you must include, in addition to any values shown on the
left, those inherited from its superclasses as listed in the
subClassOf attribute above.
systemOnly TRUE means that only Active Directory can modify the class
of this object.
FALSE means users can make the modification as well.
systemMustContain Mandatory attributes that MUST be present on instances of
this class. For the complete set of mandatory attributes for this
class, you must, in addition to any values shown on the left,
include those inherited from its superclasses as listed in the
subClassOf attribute above and/or those derived from any of
its auxiliary classes as specified in the systemAuxiliary
attribute above and as inherited from its superclasses.
systemMayContain Optional attributes that may be present on instances of this
class. For the complete set of optional attributes for this class,
you must include, in addition to any values shown on the left,
those inherited from its superclasses as listed in the
subClassOf attribute above and/or those derived from any of
its auxiliary classes as specified in the systemAuxiliary
attribute above and as inherited from its superclasses.
Class Property Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
234
Standard Classes Extensions
The following Active Directory classes are extended in the Active Directory Database to support
DigitalPersona Pro.
User Class
mayContain: dp-User-Account-Control
dp-User-Credentials-Data
dpUserLogonPolicy
dpUserPublicKey
dpUserPayload
dpUserRecoveryKey
dpLockoutTime
Computer Class
mayContain: dpRecoveryPasswordLastSetTime
dpRecoveryPassword
dpMasterKey
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
235
Schema objects details
dp-User-Credentials-Data
Stores fingerprint registration templates for the user. The size of DigitalPersona fingerprint data depends
on the number of fingerprints registered to a maximum 6.5 KB.
Attribute property Value Description
adminDisplayName dp-User-Credentials-Data Display name of this object for use
in directory service administrative
tools.
AdminDescription dp-User-Credentials-Data Description of this object for use
in directory service administrative
tools.
Cn dp-User-Credentials-Data Common name.
LDAPDisplayName dpUserCredentialsData The name used by LDAP clients to
refer to the object's class.
AttributeID 1.2.840.113556.1.8000.651.1 A unique OID that identifies the
attribute.
ObjectClass Attribute-Schema The class of which this object is an
instance.
ObjectCategory Attribute-Schema Reference to an object class or one
of its superclasses, which is used
when searching for this object.
SchemaIDGUID A GUID that uniquely identifies
this object. You can use this string
value in an ACE to control access
to objects of this object.
AttributeSyntax 2.5.5.10 An OID of the syntax. The
combination of the attributeSyntax
and oMSyntax properties
determines the syntax of an
attribute.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
236
OMSyntax 4 Syntax of this attribute as defined
by the XAPIA XOM (X/Open
Object Model) specification.
IsSingleValued TRUE TRUE means that the attribute has
a single value.
FALSE means that the attribute
can have multiple values.
attributeSecurityGUID Not set An optional GUID that identifies
the attribute as a member of an
attribute set (also known as a
property set).
isMemberOfPartialAttributeSet FALSE TRUE means that the attribute is
replicated to the global catalog.
FALSE means that the attribute is
not included in the global catalog.
SearchFlags 128 An integer value whose least
significant bit indicates whether
the attribute is indexed.
The four bit flags in this value are:
1 = Index over attribute only
2 = Index over container and
attribute
4 = Add this attribute to the
Ambiguous Name Resolution
set, used together with 0x0001
8 = Preserve this attribute in the
tombstone object for deleted
objects
rangeUpper 131072 The maximum value or length of
an attribute.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
237
showInAdvancedViewOnly TRUE TRUE means that the object will
appear in the Advanced View of
the Users and Computers snap-in
only, but not in the Windows shell.
FALSE means that the object will
appear in Normal view of the
Users and Computers snap-in and
the Windows shell.
SystemFlags 0 An integer value that contains
flags that define additional
properties of this object. Category
1 classes or attributes have the
0x10 bit set by the system and
cannot be set by users. They are
shipped with Active Directory.
For more information, see
ADS_SYSETMFLAG_ENUM
enumeration in ADSI Reference.
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make the
modification as well.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
238
dp-User-Account-Control
Specifies the flags that control fingerprint credentials behavior for the user.
Size of DigitalPersona data: 4 bytes.
Attribute property Value Description
adminDisplayName dp-User-Account-Control Display name of this object for
use in directory service
administrative tools.
AdminDescription dp-User-Account-Control Description of this object for use
in directory service administrative
tools.
Cn dp-User-Account-Control Common name.
LDAPDisplayName dpUserAccountControl The name used by LDAP clients
to refer to the object's class.
AttributeID 1.2.840.113556.1.8000.651.15 A unique OID that identifies the
attribute.
ObjectClass Attribute-Schema The class of which this object is
an instance.
ObjectCategory Attribute-Schema Reference to an object class or
one of its superclasses, which is
used when searching for this
object.
SchemaIDGUID A GUID that uniquely identifies
this object. You can use this string
value in an ACE to control access
to objects of this object.
AttributeSyntax 2.5.5.9 An OID of the syntax. The
combination of the
attributeSyntax and oMSyntax
properties determines the syntax
of an attribute.
OMSyntax 2 Syntax of this attribute as defined
by the XAPIA XOM (X/Open
Object Model) specification.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
239
IsSingleValued TRUE TRUE means that the attribute
has a single value.
FALSE means that the attribute
can have multiple values.
attributeSecurityGUID Not set An optional GUID that identifies
the attribute as a member of an
attribute set (also known as a
property set).
isMemberOfPartialAttributeSet FALSE TRUE means that the attribute is
replicated to the global catalog.
FALSE means that the attribute is
not included in the global catalog.
SearchFlags 0 An integer value whose least
significant bit indicates whether
the attribute is indexed.
The four bit flags in this value
are:
1 = Index over attribute only
2 = Index over container and
attribute
4 = Add this attribute to the
Ambiguous Name Resolution
set, used together with
0x0001
8 = Preserve this attribute in the
tombstone object for deleted
objects
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
240
showInAdvancedViewOnly TRUE TRUE means that the object will
appear in the Advanced View of
the Users and Computers snap-in
only, but not in the Windows
shell.
FALSE means that the object will
appear in Normal view of the
Users and Computers snap-in and
the Windows shell.
SystemFlags 0 An integer value that contains
flags that define additional
properties of this object. Category
1 classes or attributes have the
0x10 bit set by the system and
cannot be set by users. They are
shipped with Active Directory.
For more information, see
ADS_SYSETMFLAG_ENUM
enumeration in ADSI Reference.
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make the
modification as well.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
241
dp-User-Private-Data
Stores the users secure application data.
Size of DigitalPersona data: Varies, depending on the type and size of the user Secrets saved. Potentially
there is no limit. Usually it is around 530 bytes. OTS Secrets: Approximately 520 bytes + application
logon data. Each application logon data consists of the account name + password + 18 bytes.
Attribute property Value Description
adminDisplayName dp-User-Private-Data Display name of this object for use
in directory service administrative
tools.
AdminDescription dp-User-Private-Data Description of this object for use
in directory service administrative
tools.
Cn dp-User-Private-Data Common name.
LDAPDisplayName dpUserPrivateData The name used by LDAP clients to
refer to the object's class.
AttributeID 1.2.840.113556.1.8000.651.2 A unique OID that identifies the
attribute.
ObjectClass Attribute-Schema The class of which this object is an
instance.
ObjectCategory Attribute-Schema Reference to an object class or one
of its superclasses, which is used
when searching for this object.
SchemaIDGUID A GUID that uniquely identifies
this object. You can use this string
value in an ACE to control access
to objects of this object.
AttributeSyntax 2.5.5.10 An OID of the syntax. The
combination of the attributeSyntax
and oMSyntax properties
determines the syntax of an
attribute.
OMSyntax 4 Syntax of this attribute as defined
by the XAPIA XOM (X/Open
Object Model) specification.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
242
IsSingleValued TRUE TRUE means that the attribute has
a single value.
FALSE means that the attribute
can have multiple values.
attributeSecurityGUID Not set An optional GUID that identifies
the attribute as a member of an
attribute set (also known as a
property set).
isMemberOfPartialAttributeSet FALSE TRUE means that the attribute is
replicated to the global catalog.
FALSE means that the attribute is
not included in the global catalog.
SearchFlags 0 An integer value whose least
significant bit indicates whether
the attribute is indexed.
The four bit flags in this value are:
1 = Index over attribute only
2 = Index over container and
attribute
4 = Add this attribute to the
Ambiguous Name Resolution
set, used together with 0x0001
8 = Preserve this attribute in the
tombstone object for deleted
objects
rangeUpper 131072 The maximum value or length of
an attribute.
showInAdvancedViewOnly TRUE TRUE means that the object will
appear in the Advanced View of
the Users and Computers snap-in
only, but not in the Windows shell.
FALSE means that the object will
appear in Normal view of the
Users and Computers snap-in and
the Windows shell.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
243
SystemFlags 0 An integer value that contains
flags that define additional
properties of this object. Category
1 classes or attributes have the
0x10 bit set by the system and
cannot be set by users. They are
shipped with Active Directory.
For more information, see
ADS_SYSETMFLAG_ENUM
enumeration in ADSI Reference.
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make the
modification as well.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
244
dp-Servers-Data
Stores configuration data for all authentication servers in particular domain.
Size of DigitalPersona data: 1KB.
Attribute property Value Description
adminDisplayName dp-Servers-Data Display name of this object for
use in directory service
administrative tools.
AdminDescription dp-Servers-Data Description of this object for use
in directory service administrative
tools.
Cn dp-Servers-Data Common name.
LDAPDisplayName dpServersData The name used by LDAP clients
to refer to the object's class.
AttributeID 1.2.840.113556.1.8000.651.10 A unique OID that identifies the
attribute.
ObjectClass Attribute-Schema The class of which this object is
an instance.
ObjectCategory Attribute-Schema Reference to an object class or
one of its superclasses, which is
used when searching for this
object.
SchemaIDGUID A GUID that uniquely identifies
this object. You can use this string
value in an ACE to control access
to objects of this object.
AttributeSyntax 2.5.5.10 An OID of the syntax. The
combination of the
attributeSyntax and oMSyntax
properties determines the syntax
of an attribute.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
245
OMSyntax 4 Syntax of this attribute as defined
by the XAPIA XOM (X/Open
Object Model) specification.
IsSingleValued TRUE TRUE means that the attribute
has a single value.
FALSE means that the attribute
can have multiple values.
attributeSecurityGUID Not set An optional GUID that identifies
the attribute as a member of an
attribute set (also known as a
property set).
isMemberOfPartialAttributeSet FALSE TRUE means that the attribute is
replicated to the global catalog.
FALSE means that the attribute is
not included in the global catalog.
SearchFlags 128 An integer value whose least
significant bit indicates whether
the attribute is indexed.
The four bit flags in this value
are:
1 = Index over attribute only
2 = Index over container and
attribute
4 = Add this attribute to the
Ambiguous Name Resolution
set, used together with
0x0001
8 = Preserve this attribute in the
tombstone object for deleted
objects
rangeUpper 32768 The maximum value or length of
an attribute.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
246
showInAdvancedViewOnly TRUE TRUE means that the object will
appear in the Advanced View of
the Users and Computers snap-in
only, but not in the Windows
shell.
FALSE means that the object will
appear in Normal view of the
Users and Computers snap-in and
the Windows shell.
SystemFlags 0 An integer value that contains
flags that define additional
properties of this object. Category
1 classes or attributes have the
0x10 bit set by the system and
cannot be set by users. They are
shipped with Active Directory.
For more information, see
ADS_SYSETMFLAG_ENUM
enumeration in ADSI Reference.
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make the
modification as well.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
247
dp-License
Stores license information for all DigitalPersona Pro Servers in the Active Directory forest.
Size of DigitalPersona data: 0 (Not currently used provided for future extension).
Attribute property Value Description
adminDisplayName dp-License Display name of this object for
use in directory service
administrative tools.
AdminDescription dp-License Description of this object for use
in directory service administrative
tools.
Cn dp-License Common name.
LDAPDisplayName dpLicense The name used by LDAP clients
to refer to the object's class.
AttributeID 1.2.840.113556.1.8000.651.14 A unique OID that identifies the
attribute.
ObjectClass Attribute-Schema The class of which this object is
an instance.
ObjectCategory Attribute-Schema Reference to an object class or
one of its superclasses, which is
used when searching for this
object.
SchemaIDGUID A GUID that uniquely identifies
this object. You can use this string
value in an ACE to control access
to objects of this object.
AttributeSyntax 2.5.5.10 An OID of the syntax. The
combination of the
attributeSyntax and oMSyntax
properties determines the syntax
of an attribute.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
248
OMSyntax 4 Syntax of this attribute as defined
by the XAPIA XOM (X/Open
Object Model) specification.
IsSingleValued TRUE TRUE means that the attribute
has a single value.
FALSE means that the attribute
can have multiple values.
attributeSecurityGUID Not set An optional GUID that identifies
the attribute as a member of an
attribute set (also known as a
property set).
isMemberOfPartialAttributeSet FALSE TRUE means that the attribute is
replicated to the global catalog.
FALSE means that the attribute is
not included in the global catalog.
SearchFlags 0 An integer value whose least
significant bit indicates whether
the attribute is indexed.
The four bit flags in this value
are:
1 = Index over attribute only
2 = Index over container and
attribute
4 = Add this attribute to the
Ambiguous Name Resolution
set, used together with
0x0001
8 = Preserve this attribute in the
tombstone object for deleted
objects
rangeUpper 32768 The maximum value or length of
an attribute.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
249
showInAdvancedViewOnly TRUE TRUE means that the object will
appear in the Advanced View of
the Users and Computers snap-in
only, but not in the Windows
shell.
FALSE means that the object will
appear in Normal view of the
Users and Computers snap-in and
the Windows shell.
SystemFlags 0 An integer value that contains
flags that define additional
properties of this object. Category
1 classes or attributes have the
0x10 bit set by the system and
cannot be set by users. They are
shipped with Active Directory.
For more information, see
ADS_SYSETMFLAG_ENUM
enumeration in ADSI Reference.
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make the
modification as well.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
250
dp-User-Logon-Policy
Stores the users logon policy information.
Attribute property Value Description
adminDisplayName dp-User-Logon-Policy Display name of this object for
use in directory service
administrative tools.
AdminDescription dp-User-Logon-Policy Description of this object for use
in directory service administrative
tools.
Cn dp-User-Logon-Policy Common name.
LDAPDisplayName dpUserLogonPolicy The name used by LDAP clients
to refer to the object's class.
AttributeID 1.2.840.113556.1.8000.651.16 A unique OID that identifies the
attribute.
ObjectClass Attribute-Schema The class of which this object is
an instance.
ObjectCategory Attribute-Schema Reference to an object class or
one of its superclasses, which is
used when searching for this
object.
SchemaIDGUID e667KO53BEyWMiMRqj3t4A== A GUID that uniquely identifies
this object. You can use this string
value in an ACE to control access
to objects of this object.
AttributeSyntax 2.5.5.9 An OID of the syntax. The
combination of the
attributeSyntax and oMSyntax
properties determines the syntax
of an attribute.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
251
OMSyntax 2 Syntax of this attribute as defined
by the XAPIA XOM (X/Open
Object Model) specification.
IsSingleValued TRUE TRUE means that the attribute
has a single value.
FALSE means that the attribute
can have multiple values.
attributeSecurityGUID Not set An optional GUID that identifies
the attribute as a member of an
attribute set (also known as a
property set).
isMemberOfPartialAttributeSet FALSE TRUE means that the attribute is
replicated to the global catalog.
FALSE means that the attribute is
not included in the global catalog.
SearchFlags 0 An integer value whose least
significant bit indicates whether
the attribute is indexed.
The four bit flags in this value
are:
1 = Index over attribute only
2 = Index over container and
attribute
4 = Add this attribute to the
Ambiguous Name Resolution
set, used together with
0x0001
8 = Preserve this attribute in the
tombstone object for deleted
objects
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
252
showInAdvancedViewOnly FALSE TRUE means that the object will
appear in the Advanced View of
the Users and Computers snap-in
only, but not in the Windows
shell.
FALSE means that the object will
appear in Normal view of the
Users and Computers snap-in and
the Windows shell.
SystemFlags 0 An integer value that contains
flags that define additional
properties of this object. Category
1 classes or attributes have the
0x10 bit set by the system and
cannot be set by users. They are
shipped with Active Directory.
For more information, see
ADS_SYSETMFLAG_ENUM
enumeration in ADSI Reference.
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make the
modification as well.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
253
dp-User-Public-Key
Stores the users public key.
Attribute property Value Description
adminDisplayName dp-User-Public-Key Display name of this object for
use in directory service
administrative tools.
AdminDescription dp-User-Public-Key Description of this object for use
in directory service administrative
tools.
Cn dp-User-Public-Key Common name.
LDAPDisplayName dpUserPublicKey The name used by LDAP clients
to refer to the object's class.
AttributeID 1.2.840.113556.1.8000.651.17 A unique OID that identifies the
attribute.
ObjectClass Attribute-Schema The class of which this object is
an instance.
ObjectCategory Attribute-Schema Reference to an object class or
one of its superclasses, which is
used when searching for this
object.
SchemaIDGUID A GUID that uniquely identifies
this object. You can use this string
value in an ACE to control access
to objects of this object.
AttributeSyntax 2.5.5.10 An OID of the syntax. The
combination of the
attributeSyntax and oMSyntax
properties determines the syntax
of an attribute.
OMSyntax 4 Syntax of this attribute as defined
by the XAPIA XOM (X/Open
Object Model) specification.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
254
IsSingleValued TRUE TRUE means that the attribute
has a single value.
FALSE means that the attribute
can have multiple values.
attributeSecurityGUID Not set An optional GUID that identifies
the attribute as a member of an
attribute set (also known as a
property set).
isMemberOfPartialAttributeSet FALSE TRUE means that the attribute is
replicated to the global catalog.
FALSE means that the attribute is
not included in the global catalog.
SearchFlags 0 An integer value whose least
significant bit indicates whether
the attribute is indexed.
The four bit flags in this value
are:
1 = Index over attribute only
2 = Index over container and
attribute
4 = Add this attribute to the
Ambiguous Name Resolution
set, used together with
0x0001
8 = Preserve this attribute in the
tombstone object for deleted
objects
rangeUpper 131072 The maximum value or length of
an attribute.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
255
showInAdvancedViewOnly TRUE TRUE means that the object will
appear in the Advanced View of
the Users and Computers snap-in
only, but not in the Windows
shell.
FALSE means that the object will
appear in Normal view of the
Users and Computers snap-in and
the Windows shell.
SystemFlags 0 An integer value that contains
flags that define additional
properties of this object. Category
1 classes or attributes have the
0x10 bit set by the system and
cannot be set by users. They are
shipped with Active Directory.
For more information, see
ADS_SYSETMFLAG_ENUM
enumeration in ADSI Reference.
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make the
modification as well.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
256
dp-User-Payload
Stores the users unified key data.
Attribute property Value Description
adminDisplayName dp-User-Payload Display name of this object for
use in directory service
administrative tools.
AdminDescription dp-User-Payload Description of this object for use
in directory service administrative
tools.
Cn dp-User-Payload Common name.
LDAPDisplayName dpUserPayload The name used by LDAP clients
to refer to the object's class.
AttributeID 1.2.840.113556.1.8000.651.18 A unique OID that identifies the
attribute.
ObjectClass Attribute-Schema The class of which this object is
an instance.
ObjectCategory Attribute-Schema Reference to an object class or
one of its superclasses, which is
used when searching for this
object.
SchemaIDGUID A GUID that uniquely identifies
this object. You can use this string
value in an ACE to control access
to objects of this object.
AttributeSyntax 2.5.5.10 An OID of the syntax. The
combination of the
attributeSyntax and oMSyntax
properties determines the syntax
of an attribute.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
257
OMSyntax 4 Syntax of this attribute as defined
by the XAPIA XOM (X/Open
Object Model) specification.
IsSingleValued TRUE TRUE means that the attribute
has a single value.
FALSE means that the attribute
can have multiple values.
attributeSecurityGUID Not set An optional GUID that identifies
the attribute as a member of an
attribute set (also known as a
property set).
isMemberOfPartialAttributeSet FALSE TRUE means that the attribute is
replicated to the global catalog.
FALSE means that the attribute is
not included in the global catalog.
SearchFlags 128 An integer value whose least
significant bit indicates whether
the attribute is indexed.
The four bit flags in this value
are:
1 = Index over attribute only
2 = Index over container and
attribute
4 = Add this attribute to the
Ambiguous Name Resolution
set, used together with
0x0001
8 = Preserve this attribute in the
tombstone object for deleted
objects
rangeUpper 32768 The maximum value or length of
an attribute.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
258
showInAdvancedViewOnly TRUE TRUE means that the object will
appear in the Advanced View of
the Users and Computers snap-in
only, but not in the Windows
shell.
FALSE means that the object will
appear in Normal view of the
Users and Computers snap-in and
the Windows shell.
SystemFlags 0 An integer value that contains
flags that define additional
properties of this object. Category
1 classes or attributes have the
0x10 bit set by the system and
cannot be set by users. They are
shipped with Active Directory.
For more information, see
ADS_SYSETMFLAG_ENUM
enumeration in ADSI Reference.
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make the
modification as well.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
259
dp-User-Recovery-Key
Stores the users recovery key.
Attribute property Value Description
adminDisplayName dp-User-Recovery-Key Display name of this object for
use in directory service
administrative tools.
AdminDescription dp-User-Recovery-Key Description of this object for use
in directory service administrative
tools.
Cn dp-User-Recovery-Key Common name.
LDAPDisplayName dpUserRecoveryKey The name used by LDAP clients
to refer to the object's class.
AttributeID 1.2.840.113556.1.8000.651.19 A unique OID that identifies the
attribute.
ObjectClass Attribute-Schema The class of which this object is
an instance.
ObjectCategory Attribute-Schema Reference to an object class or
one of its superclasses, which is
used when searching for this
object.
SchemaIDGUID A GUID that uniquely identifies
this object. You can use this string
value in an ACE to control access
to objects of this object.
AttributeSyntax 2.5.5.10 An OID of the syntax. The
combination of the
attributeSyntax and oMSyntax
properties determines the syntax
of an attribute.
OMSyntax 4 Syntax of this attribute as defined
by the XAPIA XOM (X/Open
Object Model) specification.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
260
IsSingleValued TRUE TRUE means that the attribute
has a single value.
FALSE means that the attribute
can have multiple values.
attributeSecurityGUID Not set An optional GUID that identifies
the attribute as a member of an
attribute set (also known as a
property set).
isMemberOfPartialAttributeSet FALSE TRUE means that the attribute is
replicated to the global catalog.
FALSE means that the attribute is
not included in the global catalog.
SearchFlags 128 An integer value whose least
significant bit indicates whether
the attribute is indexed.
The four bit flags in this value
are:
1 = Index over attribute only
2 = Index over container and
attribute
4 = Add this attribute to the
Ambiguous Name Resolution
set, used together with
0x0001
8 = Preserve this attribute in the
tombstone object for deleted
objects
rangeUpper 32768 The maximum value or length of
an attribute.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
261
showInAdvancedViewOnly TRUE TRUE means that the object will
appear in the Advanced View of
the Users and Computers snap-in
only, but not in the Windows
shell.
FALSE means that the object will
appear in Normal view of the
Users and Computers snap-in and
the Windows shell.
SystemFlags 0 An integer value that contains
flags that define additional
properties of this object. Category
1 classes or attributes have the
0x10 bit set by the system and
cannot be set by users. They are
shipped with Active Directory.
For more information, see
ADS_SYSETMFLAG_ENUM
enumeration in ADSI Reference.
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make the
modification as well.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
262
dp-User-Data-Type
Stores the type of the user data stored in the dp-User-Private-Data attribute.
Attribute property Value Description
adminDisplayName dp-User-Data-Type Display name of this object for
use in directory service
administrative tools.
AdminDescription dp-User-Data-Type Description of this object for use
in directory service administrative
tools.
Cn dp-User-Data-Type Common name.
LDAPDisplayName dpUserDataType The name used by LDAP clients
to refer to the object's class.
AttributeID 1.2.840.113556.1.8000.651.20 A unique OID that identifies the
attribute.
ObjectClass Attribute-Schema The class of which this object is
an instance.
ObjectCategory Attribute-Schema Reference to an object class or
one of its superclasses, which is
used when searching for this
object.
SchemaIDGUID A GUID that uniquely identifies
this object. You can use this string
value in an ACE to control access
to objects of this object.
AttributeSyntax 2.5.5.9 An OID of the syntax. The
combination of the
attributeSyntax and oMSyntax
properties determines the syntax
of an attribute.
OMSyntax 4 Syntax of this attribute as defined
by the XAPIA XOM (X/Open
Object Model) specification.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
263
IsSingleValued TRUE TRUE means that the attribute
has a single value.
FALSE means that the attribute
can have multiple values.
attributeSecurityGUID Not set An optional GUID that identifies
the attribute as a member of an
attribute set (also known as a
property set).
isMemberOfPartialAttributeSet FALSE TRUE means that the attribute is
replicated to the global catalog.
FALSE means that the attribute is
not included in the global catalog.
SearchFlags 0 An integer value whose least
significant bit indicates whether
the attribute is indexed.
The four bit flags in this value
are:
1 = Index over attribute only
2 = Index over container and
attribute
4 = Add this attribute to the
Ambiguous Name Resolution
set, used together with
0x0001
8 = Preserve this attribute in the
tombstone object for deleted
objects
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
264
SystemFlags 0 An integer value that contains
flags that define additional
properties of this object. Category
1 classes or attributes have the
0x10 bit set by the system and
cannot be set by users. They are
shipped with Active Directory.
For more information, see
ADS_SYSETMFLAG_ENUM
enumeration in ADSI Reference.
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make the
modification as well.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
265
dp-Lockout-Time
Stores the date and time (UTC) that this account was locked out. This value is stored as a large integer that
represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). A value of zero indicates
that the account is not currently locked out.
Attribute property Value Description
adminDisplayName dp-Lockout-Time Display name of this object for
use in directory service
administrative tools.
AdminDescription dp-Lockout-Time Description of this object for use
in directory service administrative
tools.
Cn dp-Lockout-Time Common name.
LDAPDisplayName dpLockoutTime The name used by LDAP clients
to refer to the object's class.
AttributeID 1.2.840.113556.1.8000.651.21 A unique OID that identifies the
attribute.
ObjectClass Attribute-Schema The class of which this object is
an instance.
ObjectCategory Attribute-Schema Reference to an object class or
one of its superclasses, which is
used when searching for this
object.
SchemaIDGUID A GUID that uniquely identifies
this object. You can use this string
value in an ACE to control access
to objects of this object.
AttributeSyntax 2.5.5.16 An OID of the syntax. The
combination of the
attributeSyntax and oMSyntax
properties determines the syntax
of an attribute.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
266
OMSyntax 65 Syntax of this attribute as defined
by the XAPIA XOM (X/Open
Object Model) specification.
IsSingleValued TRUE TRUE means that the attribute
has a single value.
FALSE means that the attribute
can have multiple values.
attributeSecurityGUID Not set An optional GUID that identifies
the attribute as a member of an
attribute set (also known as a
property set).
isMemberOfPartialAttributeSet FALSE TRUE means that the attribute is
replicated to the global catalog.
FALSE means that the attribute is
not included in the global catalog.
SearchFlags 0 An integer value whose least
significant bit indicates whether
the attribute is indexed.
The four bit flags in this value
are:
1 = Index over attribute only
2 = Index over container and
attribute
4 = Add this attribute to the
Ambiguous Name Resolution
set, used together with
0x0001
8 = Preserve this attribute in the
tombstone object for deleted
objects
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
267
showInAdvancedViewOnly TRUE TRUE means that the object will
appear in the Advanced View of
the Users and Computers snap-in
only, but not in the Windows
shell.
FALSE means that the object will
appear in Normal view of the
Users and Computers snap-in and
the Windows shell.
SystemFlags 0 An integer value that contains
flags that define additional
properties of this object. Category
1 classes or attributes have the
0x10 bit set by the system and
cannot be set by users. They are
shipped with Active Directory.
For more information, see
ADS_SYSETMFLAG_ENUM
enumeration in ADSI Reference.
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make the
modification as well.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
268
dp-Recovery-Password-Last-Set-Time
Stores data indicating the last time that the Recovery Password was set.
Attribute property Value Description
adminDisplayName dp-Recovery-Password-Last-
Set-Time
Display name of this object for
use in directory service
administrative tools.
AdminDescription dp-Recovery-Password-Last-
Set-Time
Description of this object for use
in directory service administrative
tools.
Cn dp-Recovery-Password-Last-
Set-Time
Common name.
LDAPDisplayName dpRecoveryPasswordLastSetT
ime
The name used by LDAP clients
to refer to the object's class.
AttributeID 1.2.840.113556.1.8000.651.22 A unique OID that identifies the
attribute.
ObjectClass Attribute-Schema The class of which this object is
an instance.
ObjectCategory Attribute-Schema Reference to an object class or
one of its superclasses, which is
used when searching for this
object.
SchemaIDGUID A GUID that uniquely identifies
this object. You can use this string
value in an ACE to control access
to objects of this object.
AttributeSyntax 2.5.5.16 An OID of the syntax. The
combination of the
attributeSyntax and oMSyntax
properties determines the syntax
of an attribute.
OMSyntax 65 Syntax of this attribute as defined
by the XAPIA XOM (X/Open
Object Model) specification.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
269
IsSingleValued TRUE TRUE means that the attribute
has a single value.
FALSE means that the attribute
can have multiple values.
attributeSecurityGUID Not set An optional GUID that identifies
the attribute as a member of an
attribute set (also known as a
property set).
isMemberOfPartialAttributeSet FALSE TRUE means that the attribute is
replicated to the global catalog.
FALSE means that the attribute is
not included in the global catalog.
SearchFlags 0 An integer value whose least
significant bit indicates whether
the attribute is indexed.
The four bit flags in this value
are:
1 = Index over attribute only
2 = Index over container and
attribute
4 = Add this attribute to the
Ambiguous Name Resolution
set, used together with
0x0001
8 = Preserve this attribute in the
tombstone object for deleted
objects
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
270
SystemFlags 0 An integer value that contains
flags that define additional
properties of this object. Category
1 classes or attributes have the
0x10 bit set by the system and
cannot be set by users. They are
shipped with Active Directory.
For more information, see
ADS_SYSETMFLAG_ENUM
enumeration in ADSI Reference.
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make the
modification as well.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
271
dp-Recovery-Password
Stores the computers recovery password.
Attribute property Value Description
adminDisplayName dp-Recovery-Password Display name of this object for
use in directory service
administrative tools.
AdminDescription dp-Recovery-Password Description of this object for use
in directory service
administrative tools.
Cn dp-Recovery-Password Common name.
LDAPDisplayName dpRecoveryPassword The name used by LDAP clients
to refer to the object's class.
AttributeID 1.2.840.113556.1.8000.651.23 A unique OID that identifies the
attribute.
ObjectClass Attribute-Schema The class of which this object is
an instance.
ObjectCategory Attribute-Schema Reference to an object class or
one of its superclasses, which is
used when searching for this
object.
SchemaIDGUID A GUID that uniquely identifies
this object. You can use this
string value in an ACE to control
access to objects of this object.
AttributeSyntax 2.5.5.10 An OID of the syntax. The
combination of the
attributeSyntax and oMSyntax
properties determines the syntax
of an attribute.
OMSyntax 4 Syntax of this attribute as
defined by the XAPIA XOM (X/
Open Object Model)
specification.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
272
IsSingleValued TRUE TRUE means that the attribute
has a single value.
FALSE means that the attribute
can have multiple values.
attributeSecurityGUID Not set An optional GUID that identifies
the attribute as a member of an
attribute set (also known as a
property set).
isMemberOfPartialAttributeSet FALSE TRUE means that the attribute is
replicated to the global catalog.
FALSE means that the attribute
is not included in the global
catalog.
SearchFlags 128 An integer value whose least
significant bit indicates whether
the attribute is indexed.
The four bit flags in this value
are:
1 = Index over attribute only
2 = Index over container and
attribute
4 = Add this attribute to the
Ambiguous Name
Resolution set, used together
with 0x0001
8 = Preserve this attribute in the
tombstone object for deleted
objects
rangeUpper 32768 The maximum value or length of
an attribute.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
273
showInAdvancedViewOnly TRUE TRUE means that the object will
appear in the Advanced View of
the Users and Computers snap-in
only, but not in the Windows
shell.
FALSE means that the object
will appear in Normal view of
the Users and Computers snap-in
and the Windows shell.
SystemFlags 0 An integer value that contains
flags that define additional
properties of this object.
Category 1 classes or attributes
have the 0x10 bit set by the
system and cannot be set by
users. They are shipped with
Active Directory.
For more information, see
ADS_SYSETMFLAG_ENUM
enumeration in ADSI Reference.
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make
the modification as well.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
274
dp-Master-Key
Stores a computers hard drive encryption key.
Attribute property Value Description
adminDisplayName dp-Master-Key Display name of this object for
use in directory service
administrative tools.
AdminDescription dp-Master-Key Description of this object for use
in directory service
administrative tools.
Cn dp-Master-Key Common name.
LDAPDisplayName dpMasterKey The name used by LDAP clients
to refer to the object's class.
AttributeID 1.2.840.113556.1.8000.651.24 A unique OID that identifies the
attribute.
ObjectClass Attribute-Schema The class of which this object is
an instance.
ObjectCategory Attribute-Schema Reference to an object class or
one of its superclasses, which is
used when searching for this
object.
SchemaIDGUID A GUID that uniquely identifies
this object. You can use this
string value in an ACE to control
access to objects of this object.
AttributeSyntax 2.5.5.10 An OID of the syntax. The
combination of the
attributeSyntax and oMSyntax
properties determines the syntax
of an attribute.
OMSyntax 4 Syntax of this attribute as
defined by the XAPIA XOM (X/
Open Object Model)
specification.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
275
IsSingleValued TRUE TRUE means that the attribute
has a single value.
FALSE means that the attribute
can have multiple values.
attributeSecurityGUID Not set An optional GUID that identifies
the attribute as a member of an
attribute set (also known as a
property set).
isMemberOfPartialAttributeSet FALSE TRUE means that the attribute is
replicated to the global catalog.
FALSE means that the attribute
is not included in the global
catalog.
SearchFlags 128 An integer value whose least
significant bit indicates whether
the attribute is indexed.
The four bit flags in this value
are:
1 = Index over attribute only
2 = Index over container and
attribute
4 = Add this attribute to the
Ambiguous Name
Resolution set, used together
with 0x0001
8 = Preserve this attribute in the
tombstone object for deleted
objects
rangeUpper 32768 The maximum value or length of
an attribute.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
276
showInAdvancedViewOnly TRUE TRUE means that the object will
appear in the Advanced View of
the Users and Computers snap-in
only, but not in the Windows
shell.
FALSE means that the object
will appear in Normal view of
the Users and Computers snap-in
and the Windows shell.
SystemFlags 0 An integer value that contains
flags that define additional
properties of this object.
Category 1 classes or attributes
have the 0x10 bit set by the
system and cannot be set by
users. They are shipped with
Active Directory.
For more information, see
ADS_SYSETMFLAG_ENUM
enumeration in ADSI Reference.
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make
the modification as well.
Attribute property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
277
Class details
dp-User-Secret
This class represents the user Secret object that stores the secure application data (i.e. encryption keys) for
the user.
Class property Value Description
adminDisplayName dp-User-Secret Display name of this object for
use in directory service
administrative tools.
AdminDescription dp-User-Secret Description of this object for use
in directory service
administrative tools.
Cn dp-User-Secret Common name.
LDAPDisplayName dpUserSecret The name used by LDAP clients
to refer to the object's class.
ObjectClass ClassSchema The class of which this object is
an instance.
ObjectCategory ClassSchema Reference to an object class or
one of its superclasses, which is
used when searching for this
object.
ObjectClassCategory 1 1 means structural classes.
2 means abstract classes.
3 means auxiliary classes.
defaultObjectCategory dp-User-Secret Object-Category used in queries
for objects of this class.
rDNAttID cn Attribute name used as the
Relative Distinguished Name
(RDN) for this class.
subClassOf Top Immediate superclass of this
class.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
278
systemAuxiliaryClass Auxiliary classes that this class
inherits from.
governsID 1.2.840.113556.1.8000.651.5 A unique OID identifying the
class.
SchemaIDGUID A GUID that uniquely identifies
this object. You can use this
string value in an ACE to control
access to objects of this object.
defaultSecurityDescriptor D:(A;;RPWPCRCCDCLCLOR
CWOWDSDDTSW;;;DA)
(A;;RPWPCRCCDCLCLORC
WOWDSDDTSW;;;SY)
(A;;RPLCLORC;;;AU)
S:(AU;SAFA;WDWOSDDTW
PCRCCDCSW;;;WD)
The default security descriptor
for new instances of this class.
defaultHidingValue TRUE TRUE means that new object
instances are hidden in the
Administrative snap-ins and the
Windows shell.
FALSE covers all other
situations.
showInAdvancedViewOnly TRUE TRUE means that the object will
appear in the Advanced View of
the Users and Computers snap-in
only, but not in the Windows
shell.
FALSE means that the object
will appear in Normal view of
the Users and Computers snap-in
and the Windows shell.
Class property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
279
systemPossSuperiors User Structural classes that can be
containers of instances of this
class.
For the complete set of classes
that can contain this class, you
must include, in addition to any
values shown on the left, those
inherited from its superclasses as
listed in the subClassOf attribute
above.
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make
the modification as well.
systemMustContain Mandatory attributes that MUST
be present on instances of this
class.
For the complete set of
mandatory attributes for this
class, you must, in addition to
any values shown on the left,
include those inherited from its
superclasses as listed in the
subClassOf attribute above and/
or those derived from any of its
auxiliary classes as specified in
the systemAuxiliary attribute
above and as inherited from its
superclasses.
Class property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
280
systemMayContain dpUserPrivateData
dpUserDataType
Optional attributes that may be
present on instances of this class.
For the complete set of optional
attributes for this class, you must
include, in addition to any values
shown on the left, those inherited
from its superclasses as listed in
the subClassOf attribute above
and/or those derived from any of
its auxiliary classes as specified
in the systemAuxiliary attribute
above and as inherited from its
superclasses.
Class property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
281
dp-Authentication-Servers-Container
Container for Authentication Server objects.
Class property Value Description
adminDisplayName dp-Authentication-Servers-
Container
Display name of this object for
use in directory service
administrative tools.
AdminDescription dp-Authentication-Servers-
Container
Description of this object for use
in directory service
administrative tools.
Cn dp-Authentication-Servers-
Container
Common name.
LDAPDisplayName dpAuthenticationServersContai
ner
The name used by LDAP clients
to refer to the object's class.
ObjectClass ClassSchema The class of which this object is
an instance.
ObjectCategory ClassSchema Reference to an object class or
one of its superclasses, which is
used when searching for this
object.
ObjectClassCategory 1 1 means structural classes.
2 means abstract classes.
3 means auxiliary classes.
defaultObjectCategory dp-Authentication-Servers-
Container
Object-Category used in queries
for objects of this class.
rDNAttID cn Attribute name used as the
Relative Distinguished Name
(RDN) for this class.
subClassOf Container Immediate superclass of this
class.
systemAuxiliaryClass Auxiliary classes that this class
inherits from.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
282
governsID 1.2.840.113556.1.8000.651.11 A unique OID identifying the
class.
SchemaIDGUID A GUID that uniquely identifies
this object. You can use this
string value in an ACE to control
access to objects of this object.
defaultSecurityDescriptor D:(A;;RPWPCRCCDCLCLOR
CWOWDSDDTSW;;;SY)
(A;;CCDCLC;;;DA)
(A;;CCDCLC;;;EA)
(A;;CCDCLC;;;BA)
(A;CIIO;RPWPCRCCDCLCL
ORCWOWDSDDTSW;;;BA)
(OA;;RP;BF9679E5-0DE6-
11D0-A285-
00AA003049E2;;AU)
(OA;;RP;26D97369-6070-
11D1-A9C6-
0000F80367C1;;AU)
(A;;LC;;;AU)
The default security descriptor
for new instances of this class.
defaultHidingValue TRUE TRUE means that new object
instances are hidden in the
Administrative snap-ins and the
Windows shell.
FALSE covers all other
situations.
showInAdvancedViewOnly TRUE TRUE means that the object will
appear in the Advanced View of
the Users and Computers snap-in
only, but not in the Windows
shell.
FALSE means that the object
will appear in Normal view of
the Users and Computers snap-in
and the Windows shell.
Class property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
283
systemPossSuperiors Container Structural classes that can be
containers of instances of this
class.
For the complete set of classes
that can contain this class, you
must include, in addition to any
values shown on the left, those
inherited from its superclasses as
listed in the subClassOf attribute
above.
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make
the modification as well.
systemMustContain Mandatory attributes that MUST
be present on instances of this
class.
For the complete set of
mandatory attributes for this
class, you must, in addition to
any values shown on the left,
include those inherited from its
superclasses as listed in the
subClassOf attribute above and/
or those derived from any of its
auxiliary classes as specified in
the systemAuxiliary attribute
above and as inherited from its
superclasses.
Class property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
284
systemMayContain dpServersData Optional attributes that may be
present on instances of this class.
For the complete set of optional
attributes for this class, you must
include, in addition to any values
shown on the left, those inherited
from its superclasses as listed in
the subClassOf attribute above
and/or those derived from any of
its auxiliary classes as specified
in the systemAuxiliary attribute
above and as inherited from its
superclasses.
Class property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
285
dp-Service-Configuration
Class that represents global configuration information (i.e. schema version, license).
Class property Value Description
adminDisplayName dp-Service-Configuration Display name of this object for
use in directory service
administrative tools.
AdminDescription dp-Service-Configuration Description of this object for use
in directory service
administrative tools.
Cn dp-Service-Configuration Common name.
LDAPDisplayName dpServiceConfiguration The name used by LDAP clients
to refer to the object's class.
ObjectClass ClassSchema The class of which this object is
an instance.
ObjectCategory ClassSchema Reference to an object class or
one of its superclasses, which is
used when searching for this
object.
ObjectClassCategory 1 1 means structural classes.
2 means abstract classes.
3 means auxiliary classes.
defaultObjectCategory dp-Service-Configuration Object-Category used in queries
for objects of this class.
rDNAttID cn Attribute name used as the
Relative Distinguished Name
(RDN) for this class.
subClassOf Top Immediate superclass of this
class.
systemAuxiliaryClass Auxiliary classes that this class
inherits from.
governsID 1.2.840.113556.1.8000.651.12 A unique OID identifying the
class.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
286
SchemaIDGUID A GUID that uniquely identifies
this object. You can use this
string value in an ACE to control
access to objects of this object.
defaultSecurityDescriptor D:(A;;RPWPCRCCDCLCLOR
CWOWDSDDTSW;;;DA)
(A;;RPWPCRCCDCLCLORC
WOWDSDDTSW;;;SY)
(A;;RPLCLORC;;;AU)
S:(AU;SAFA;WDWOSDDTW
PCRCCDCSW;;;WD)
The default security descriptor
for new instances of this class.
defaultHidingValue TRUE TRUE means that new object
instances are hidden in the
Administrative snap-ins and the
Windows shell.
FALSE covers all other
situations.
showInAdvancedViewOnly TRUE TRUE means that the object will
appear in the Advanced View of
the Users and Computers snap-in
only, but not in the Windows
shell.
FALSE means that the object
will appear in Normal view of
the Users and Computers snap-in
and the Windows shell.
systemPossSuperiors Container Structural classes that can be
containers of instances of this
class.
For the complete set of classes
that can contain this class, you
must include, in addition to any
values shown on the left, those
inherited from its superclasses as
listed in the subClassOf attribute
above.
Class property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
287
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make
the modification as well.
systemMustContain Mandatory attributes that MUST
be present on instances of this
class.
For the complete set of
mandatory attributes for this
class, you must, in addition to
any values shown on the left,
include those inherited from its
superclasses as listed in the
subClassOf attribute above and/
or those derived from any of its
auxiliary classes as specified in
the systemAuxiliary attribute
above and as inherited from its
superclasses.
systemMayContain AppSchemaVersion
dpLicense
Optional attributes that may be
present on instances of this class.
For the complete set of optional
attributes for this class, you must
include, in addition to any values
shown on the left, those inherited
from its superclasses as listed in
the subClassOf attribute above
and/or those derived from any of
its auxiliary classes as specified
in the systemAuxiliary attribute
above and as inherited from its
superclasses.
Class property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
288
dp-Authentication-Service-Connection-Point
This class represents the Authentication Server. It provides information about Authentication Server (i.e.
version, service principal name, binding information).
Class property Value Description
adminDisplayName dp-Authentication-Service-
Connection-Point
Display name of this object for
use in directory service
administrative tools.
AdminDescription dp-Authentication-Service-
Connection-Point
Description of this object for use
in directory service
administrative tools.
Cn dp-Authentication-Service-
Connection-Point
Common name.
LDAPDisplayName dpauthenticationServiceConne
ctionPoint
The name used by LDAP clients
to refer to the object's class.
ObjectClass ClassSchema The class of which this object is
an instance.
ObjectCategory ClassSchema Reference to an object class or
one of its superclasses, which is
used when searching for this
object.
ObjectClassCategory 1 1 means structural classes.
2 means abstract classes.
3 means auxiliary classes.
defaultObjectCategory dp-Authentication-Service-
Connection-Point
Object-Category used in queries
for objects of this class.
rDNAttID cn Attribute name used as the
Relative Distinguished Name
(RDN) for this class.
subClassOf ServiceConnectionPoint Immediate superclass of this
class.
systemAuxiliaryClass Auxiliary classes that this class
inherits from.
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
289
governsID 1.2.840.113556.1.8000.651.13 A unique OID identifying the
class.
SchemaIDGUID A GUID that uniquely identifies
this object. You can use this
string value in an ACE to control
access to objects of this object.
defaultSecurityDescriptor D:(A;;RPWPCRCCDCLCLOR
CWOWDSDDTSW;;;DA)
(A;;RPWPCRCCDCLCLORC
WOWDSDDTSW;;;SY)
(A;;RPLCLORC;;;AU)
S:(AU;SAFA;WDWOSDDTW
PCRCCDCSW;;;WD)
The default security descriptor
for new instances of this class.
defaultHidingValue TRUE TRUE means that new object
instances are hidden in the
Administrative snap-ins and the
Windows shell.
FALSE covers all other
situations.
showInAdvancedViewOnly TRUE TRUE means that the object will
appear in the Advanced View of
the Users and Computers snap-in
only, but not in the Windows
shell.
FALSE means that the object
will appear in Normal view of
the Users and Computers snap-in
and the Windows shell.
Class property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
290
systemPossSuperiors Container Structural classes that can be
containers of instances of this
class.
For the complete set of classes
that can contain this class, you
must include, in addition to any
values shown on the left, those
inherited from its superclasses as
listed in the subClassOf attribute
above.
SystemOnly FALSE TRUE means that only Active
Directory can modify the class of
this object.
FALSE means users can make
the modification as well.
systemMustContain Mandatory attributes that MUST
be present on instances of this
class.
For the complete set of
mandatory attributes for this
class, you must, in addition to
any values shown on the left,
include those inherited from its
superclasses as listed in the
subClassOf attribute above and/
or those derived from any of its
auxiliary classes as specified in
the systemAuxiliary attribute
above and as inherited from its
superclasses.
Class property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
291
systemMayContain AppSchemaVersion
MarshalledInterface
Vendor
VersionNumber
VersionNumberHi
VersionNumberLo
Optional attributes that may be
present on instances of this class.
For the complete set of optional
attributes for this class, you must
include, in addition to any values
shown on the left, those inherited
from its superclasses as listed in
the subClassOf attribute above
and/or those derived from any of
its auxiliary classes as specified
in the systemAuxiliary attribute
above and as inherited from its
superclasses.
Class property Value Description
Chapter 28 - Schema extension
DigitalPersona Pro Enterprise - Administrator Guide
292
Standard Classes Extensions
User Class:
mayContain: dp-User-Credentials-Data, dp-User-Account-Control.
DigitalPersona Pro Enterprise - Administrator Guide
293
Index
Symbols
_dpproent SRV RR 32
_uareupro SRV RR
DNS Console path 34
modifying Priority and Weight settings 34
.adm and .admx 130
A
account is locked out from use of fingerprint
credentials setting 83
Account lockout duration (setting) 119
Account lockout threshold (setting) 119, 135
Active Directory containers 31
Biometric Authentication Servers container 31
Active Directory Domain Configuration Wizard 24
Active Directory Schema Extension Wizard 24
Active Directory, defined 192
adding
Administrative Templates 26, 57, 58, 130
ADDLOCAL 43, 53
Administration Tools
Cleanup Wizard 153
Administrative Console 194
Administrative Templates 130
ADUC Snap-in 82
Allow Pro client to use Pro Server (setting) 113
Allow running auto updates on the computer
(setting) 117
Allow use of personal logons (setting) 127
Allow users to add account data 127
Allow users to delete account data 128
Allow users to edit account data 127
Allow users to view managed logon passwords 127
Attended Enrollment 94
Authentication Server Object Name property 32
authentication, defined 195
Automated site coverage by Pro Enterprise Server
Locator DNS SRV records (setting) 122
automatic DNS registration 32
Automatic logon using the Shared Kiosk
Account 175
B
back up 195
Biometric Authentication Servers container 31
Bluetooth 108, 195
C
Cache user data on local computer 110
card reader 195
changes made during installation 31
changing passwords 176
Chrome browser 17
Citrix Presentation Server
Workstation installation 44, 53, 60
Citrix Published Application Name 112
Cleanup Wizard 153
configure domain 24
configuring
OUs for kiosks 29
Pro Server GPO settings 29
settings for Pro Kiosk 28
configuring DNS dynamic registration 34
connected device 195
contactless cards supported 195
Credential Authentication events 149
Credential Management events 145, 218
Credentials, defined 196
D
dashboard 196
deactivate a client license 81
Delete Fingerprints command 84
DigitalPersona Pro Workstation 13
DNS Console path 34
DNS Registration 32
DNS Registration events 149, 223
Do not allow users to run local administrative tasks
(setting) 112
Do not launch the Getting Started wizard upon
logon (setting) 113
domain, configuring for Pro Server 24
Dynamic DNS, defined 196
Dynamic registration of Pro Enterprise Server
Locator DNS records (setting) 124
DigitalPersona Pro Enterprise - Administrator Guide
294
Index
E
Enable multi-factor authentication in Windows
logon (setting) 116
Enable One Step Logon (setting) 117
Enable the Discover more button (setting) 117
Encryption policy 115
enroll 196
ESPM 152
events
Credential Authentication 149
Credential Management 145, 218
DNS Registration 149, 223
External components 222
Fingerprint Match 148, 223
License Management 224
License Management, ID Server 225
OTP Management 225
Secret Management 147, 221
System 147, 221
User Management 146, 219
extend the Active Directory schema 24
Extended Server Policy Module 152
External components events 222
F
Fast Connect 112
fingerprint 196
Fingerprint Match events 148, 223
G
ghosting 13
GPMC extensions 130
GPO
implementation guidelines 131
Group Policy 193
I
identification limits 47
imaging 13
implementation guidelines 131
improving performance 34
installing
ADUC User Properties Snap-in 56
DigitalPersona Defender 57
DigitalPersona Pro Enterprise Add-on 58
Pro client software 41, 50
Pro Server 26
installing Citrix support after DigitalPersona Pro
client installation 62
K
kiosk permissions 30
Kiosk Session Authentication Policy 103
L
Level of detail in event logs (Server) 121
Level of detail in event logs (setting) 111, 121
License Management events 224
License Management, ID Server events 225
local installation of Pro Workstation 35, 46
Lock the computer on smart card removal
(setting) 111
locked account 83
Log Status Events 112, 121, 151
logging on to kiosks 175
logging on to programs 177
logon 196
M
managed computer 196
managed logons 197
Managed logons (setting) 127
manual DNS registration 33
modifying
DNS Priority setting 34
O
OMNIKEY CardMan readers 195
online help 17
Organizational Units 193
OTP Management events 225
OTS templates 30
P
Password Manager 197
Password Manager Admin Tool 197
Path(s) to the managed logons folder(s) 128
personal logon 197
DigitalPersona Pro Enterprise - Administrator Guide
295
Index
policies
DigitalPersona Pro client 101
DigitalPersona Pro Enterprise Server 118
Prevent Password Manager from running
(setting) 115
Priority set in Pro Enterprise Server Locator DNS
records (setting) 123
Pro client 196
Pro Reporter Event Forwarding 112
Pro Server
Active Directory containers 31
installation overview 22
installing software 26
published information 32
uninstalling 34
Pro Server GPO settings
OTS templates 30
Product Compatibility 18
Product GUID property 32
Product Name 32
Product Version High property 32
Product Version Low property 32
Product Version Number property 32
published information 32
Authentication Server Object Name property 32
keywords 32
Product GUID property 32
Product Name 32
Product Version High property 32
Product Version Low property 32
Product Version Number 32
Schema Version Number property 32
Service Class GUID property 32
Service Class Name property 32
Service Principal Name property 32
Vendor Name property 32
R
randomize users Windows Password 82
recover a computer 135
recovery
computer 135
from account lock 135
user 134
Refresh interval of Pro Enterprise Server DNS
records (setting) 122
Register Pro Enterprise Server Locator DNS
records for domain (setting) 124
remote activation of the local workstation 79
REMOVE 43, 53
removing Pro data 153
Reset account lockout counter after (setting) 119
restore 198
S
schema
Active Directory Schema Extension Wizard 24
details 22
extending 23
Schema extension
details 235
overview 228
Schema Version Number property 32
Secret 198
Secret Management events 147, 221
Service Class GUID property 32
Service Class Name property 32
Service Principal Name property 32
Service Resource Records 198
_dpproent SRV RR 32
adding manually 34
format 32
Session Authentication Policy 102, 125
Session Authentication Policy (setting) 128
Set the False Accept Rate 110
Set the maximum number of enrolled
fingerprints 110
Set the minimum length of user PIN 111
Set the minimum number of enrolled
fingerprints 110
settings
DigitalPersona Pro client 101
DigitalPersona Pro client (user) 124
DigitalPersona Pro Enterprise Server 118
Shared Accounts, specifying 29
silent authentication 108
Sites covered by Pro Enterprise Server Locator
DNS SRV records (setting) 123
DigitalPersona Pro Enterprise - Administrator Guide
296
Index
slipstreaming 38, 49
smart card 199
specifying Shared Accounts 29
Status Notifier events 112, 121, 136, 151
support
online help 17
readme file 17
SVR RR 198
System events 147, 221
system requirements
DigitalPersona Pro Workstation for
Enterprise 17
Pro Workstation 35, 46
T
to remove user credential data 86
to unlock a locked account 83
Transform files 44, 54
U
uninstalling
Pro Server 34
Pro software remotely 36, 38, 48, 49
unlocking locked accounts 83
upgrading from Previous Versions 23
User Context Menu commands 84, 135
User Management events 146, 219
User must provide Fingerprint and PIN to log
on 152
User must provide Fingerprint and Windows
Password to log on 152
User must provide Fingerprint to log on 152
User provides only Windows credentials to log
on 83
users, switching 178
using
One Touch Logon 175
using Pro Cleanup Wizard 153
V
Vendor Name
published information property 32
W
Weight set in Pro Enterprise Server Locator DNS
records (setting) 123

You might also like