
E-SSOM INSTALLATION GUIDE

HELP DOCUMENTATION

Copyright © 1998 - 2013 Tools4ever B.V. All rights reserved. No part of the contents of this user guide may be reproduced or transmitted in any form or by any means without the written permission of Tools4ever. DISCLAIMER - Tools4ever will not be held responsible for the outcome or consequences resulting from your actions or usage of the informational material contained in this user guide. Responsibility for the use of any and all information contained in this user guide is strictly and solely the responsibility of that of the user. All trademarks used are properties of their respective owners.

ESSOM Installation Guide

Copyright © Tools4ever 1998 - 2013 i

Contents

1. Welcome to E-SSOM 1

2. Architecture 2

3. System Requirements 4

4. Backwards compatibility 5

5. Installing the Admin Console 6

5.1. Contents of the Package ............................................................................................................. 6

6. Installing the E-SSOM Central Service 7

6.1. Step by Step Installation ............................................................................................................ 7

7. Installing the E-SSOM Client Software 13

7.1. Manual Installation ................................................................................................................... 13

7.2. GPO Installation ....................................................................................................................... 14

7.3. Citrix ....................................................................................................................................... 14

7.4. E-SSOM AppInit Client .............................................................................................................. 15

8. Installing the E-SSOM Client Extensions 16

8.1. E-SSOM GINA .......................................................................................................................... 16

8.2. E-SSOM Credential Provider ...................................................................................................... 17

9. Index 19


1. Welcome to E-SSOM

In today's complex and secure networks, passwords and usernames are needed for multiple applications. This includes web portals, email services, financial packages, CRM applications etc. Administrators must support a unique password policy for each application, in addition to the network password. E-SSOM is a software solution that allows an end user to logon to the network only once and gain access to all applications and resources with no additional logins.

How does E-SSOM work?

E-SSOM operates as an extra layer of software which processes and automatically enters all of the login dialogues for the end user. The end user only needs to remember one username and password and is no longer required to log in multiple times.

Benefits of E-SSOM

Using E-SSOM in an organization produces multiple benefits:

Convenience: Some departments require employees to log in to fifteen or more applications, ranging from normal LAN based applications to external internet applications. With E-SSOM, the end user no longer needs to log in to several applications at the start of the work day. These logon procedures are handled by E-SSOM.

Security: E-SSOM eliminates the need for users to remember multiple passwords. Instead, they can log in using only a single, strong password. Stricter rules regarding password policy mean that employee passwords are becoming increasingly complex and must be changed more frequently. As a result, end users often write down their passwords and store them in desk drawers, under keyboards, or even on their monitors. This creates a blatant security breach.

Compliance: E-SSOM works on several levels to guarantee compliance.

Central access registration: E-SSOM operates as a central gateway to all applications. This allows for multiple compliance options, such as denying an individual employee access to a specific application, instead of having to deny access to every application in the network.

Integral reporting: E-SSOM can report both user access and time of access to applications.

Access restriction: Before E-SSOM logs in to an application, it can perform several checks: Can the application be accessed from this workstation by the employee in question? Has the access card been inserted into the reader? Is the entered PIN code valid? The system link that allows access to buildings also ensures that designated employees can only launch specific applications within the correct departmental offices.

Concept

The E-SSOM concept is based on a successful and proven building block system created by Tools4ever. This concept allows new applications to be added quickly to the existing inventory of E-SSOM applications. The building blocks also allow system administrators to extend and adjust current templates.

Other E-SSOM Guides

Configuration Guide

Scripting Guide

Deployment Guide


2. Architecture

E-SSOM Architecture E-SSOM is designed as a high-level enterprise solution to support networks of any size that necessitate a reliable SSO solution. The diagram below shows an overview of the relationship between the various E-SSOM components:


E-SSOM Admin Console

The E-SSOM Admin Console is used to administer the E-SSOM Central Service. With the Admin Console you can perform several tasks including:

Install, upgrade and delete Central E-SSOM Services

Create and edit application definitions

Assign users to applications (allowing them to logon automatically)

Create and edit Logon Scripts

E-SSOM Central Service

The E-SSOM Central Service manages all requests and updates sent to the E-SSOM database. E-SSOM User Clients connect to this Central Service to get configuration and user data.

E-SSOM User Client Software

The E-SSOM User Client Software is installed on the end users' computer. It performs all of the tasks required to automatically log on to configured applications. The E-SSOM User Client Software consists of multiple components:

E-SSOM Client Service: The Client Service manages the connection with the Central Service and caches all configuration and user data.

E-SSOM User Client: The User Client allows the user to view configured applications and configure personal settings.

E-SSOM Hook: The E-SSOM hook is used to detect the windows that are displayed by an application. If the displayed window matches the configured specifications then a script can be executed to perform various tasks. These tasks may include logging in, handling bad passwords and/or changing passwords.

E-SSOM BHO: The E-SSOM BHO (Browser Helper Object) is used to detect which web pages are being loaded by Internet Explorer*. If the loaded web page matches the configured specifications, a script can be executed to perform various tasks. These tasks may include logging in, handling bad passwords and/or changing passwords.

E-SSOM CLI Monitor: The E-SSOM CLI (Command Line Interface) monitor is used to detect what is being displayed in a console window. When the text (or part of the text) being displayed matches the configured text, a script can be executed to perform various tasks. These tasks may include logging in, handling bad passwords and/or changing passwords.

E-SSOM Java Monitor: The E-SSOM Java Monitor is used to detect the windows that are displayed by a Java application. If the displayed window matches the configured specifications then a script can be executed to perform various tasks. These tasks may include logging in, handling bad passwords and/or changing passwords.

*Support for web pages loaded in FireFox will be added in a future release.


3. System Requirements

Server side:

  Windows 2000 SP4
  Windows 2003
  Windows 2008
  Windows 2012
  Internet Explorer 5 or higher
  Active Directory
    Windows 2003
    Windows 2008

Client side:

  Windows XP SP1 or higher
  Windows Vista
  Windows 7
  Windows 8
  Internet Explorer 6 or higher*
  10 to 20 Mb internal memory

*To be able to support SSO for web pages, the 'Enable Browser Extension' GPO setting must be set to 'Yes'.

Fast User Switching: the 'terminal services' must be running.

For Citrix support, the Citrix client with the 'ICA SDK' must be installed.

Supported platforms:

  Windows 2000
  Windows 2003 (win32, x64)
  Windows 2008
  Windows 2012
  Windows XP (win32, x64)
  Windows Vista (win32, x64)
  Windows 7 (win32, x64)
  Windows 8 (win32, x64)
  Windows Terminal Server
  Citrix

Supported databases: MS SQL Server 2000 or higher, or any version of MS SQL Express


4. Backwards compatibility

All versions of E-SSOM can be upgraded to the latest version. However, not all versions can communicate with each other.

Please note: Always create a full backup prior to upgrading the E-SSOM Central Service. Always perform a test upgrade in a separate test environment.

The E-SSOM Central Service and the E-SSOM Admin Console must be of the same version. If the Admin Console is of a lower version, an error will be displayed. If the Admin Console is of a higher version than the E-SSOM Central Service, the Admin Console will ask the user to upgrade the E-SSOM Central Service to the latest version.

The E-SSOM Client Software may be of a lower version than the E-SSOM Central Service. It will continue to function properly, but new features will not be available. The E-SSOM Client Software may not be of a higher version than the E-SSOM Central Service.

Version relationship                Behaviour

Admin Console > Central Service     Admin Console asks user to upgrade the Central Service

Central Service > Admin Console     Admin Console displays error -2 when connecting to the Central Service

Client Software > Central Service   Client Software displays error -2 when connecting to the Central Service

Client Software < Central Service   Client Software continues to function properly. New features will be activated when the Client Software has been upgraded.


5. Installing the Admin Console

The Admin Console can be installed on any machine in the network that meets the system requirements. The Admin Console installer can be downloaded from the Tools4ever website and contains everything that is needed to install E-SSO-M.

5.1. Contents of the Package

The package is called SetupSSO.exe and contains all of the necessary files for installation of E-SSOM in the network. It is installed by default to the 'C:\Program Files\Tools4ever\SSO\Admin Console' directory. This directory contains several sub-directories:

Applications: This directory contains pre-configured applications that can be imported into E-SSOM.

Documentation: This directory contains all of the E-SSO-M documentation. The latest versions are also available on the Tools4ever website.

Scripts: This directory contains pre-configured scripts that can be imported into E-SSOM.

SSO Client Software: This directory contains the files necessary to install the SSO Client Software.


6. Installing the E-SSOM Central Service

The E-SSOM Central Service can be installed on any machine in the network that meets the system requirements. The E-SSOM Central Service can only be installed with the Admin Console by a user who has administrative rights on the machine on which the Central Service is to be installed. It is recommended to install the E-SSOM Central Service on a member server in the domain.

6.1. Step by Step Installation

1. Start the Admin Console

2. Select 'Service Management --> Setup...' in the main menu. This will start the E-SSOM Central Service installation wizard:

3. Click on 'Next >' and enter the name of the computer on which the E-SSOM Central Service must be installed. The name may be a NetBIOS name, a DNS name, or an IP address. Click on 'Next >'.

4. Enter the name of the directory in which the E-SSOM Central Service must be installed and click on 'Next >'.


5. Enter the port number that is to be used by the E-SSOM Central Service when it communicates with the clients (Default 36785) and click on 'Next >'. This will display the service account page:

6. Enter the name of the service account that is to be used. If the service account does not exist, a new service account will be created. Please note: If the service account already exists, the password must be entered before continuing to the next page. If the password is not entered correctly the installation will fail!

7. Click on 'Next >'. This will display the service account group membership page:


8. Enter the name of the group of which the service account must become a member. Please note that the service account must have enough rights to access the Active Directory and the E-SSOM database.

9. Click on 'Next >'.

10. Enter the name of the group that will be allowed to administer the E-SSOM Central Service. Only members of this group will be allowed to use the Admin Console to change the E-SSOM Central Service configuration. Please note that the account with which you are installing the E-SSOM Central Service must be a member of this group. If you are not a member of this group, the installation will not complete and you will not be able to administer the E-SSOM Central Service.

11. Click on 'Next >' to continue to the database selection screen:

12. Currently E-SSOM supports two database types: Microsoft Jet and Microsoft SQL 2000 or higher. The Microsoft Jet engine can be used easily within a testing environment. However, Tools4ever recommends the use of Microsoft SQL when E-SSOM is utilized in an operational environment. In this example we will select the Microsoft SQL database and check the 'Create the database' option. If you select the 'Microsoft Jet' option in the wizard, you can skip ahead to step 19. Please note that the default provider used for 'Microsoft Jet' is not available on Windows 2008 core editions by default. The 'Microsoft OLE DB Provider for ODBC Drivers' may be used instead.

13. Click on 'Next >' to continue to the connection string page.


14. Click on the 'Connection String Wizard...' button. This will display the connection string wizard:

Please note: The connection string wizard displays the available providers on the machine that is running the Admin Console. It is possible that the machine running the E-SSO-M Service does not support all of the providers listed here.


15. Select 'Microsoft OLE DB Provider for SQL Server' and click on 'Next >>'.

16. Enter the name of the server running Microsoft SQL server and then select the authentication method. In this example we will use the 'Use Windows NT Integrated security' option.

17. If the database already has been created and the 'Create the database' checkbox in the wizard has not been checked, please select the database that will be used. If the database must be created, leave the 'Select the database on the server' field empty.


18. Click on 'OK'. Click on 'Next >'. This will display the email server page:

19. Enter the mail server that will be used to send notifications and click on 'Next >'.

20. Click on 'Finish' to install the E-SSO-M service. After the installation, the wizard will report if the operation was successful.


7. Installing the E-SSOM Client Software

The E-SSOM Client Software must be installed on clients that want to log onto applications automatically. The E-SSOM Client Software can be installed manually or via GPO.

7.1. Manual Installation

The E-SSOM client can be installed manually, for instance for testing purposes. This chapter will guide you through the manual installation process.

Please note: The account that is used to install the E-SSOM User Client Software must have administrative rights on the computer on which the software is installed.

1. Navigate to the directory containing the SSO Client Software installation files. These are installed by default to 'C:\Program Files\Tools4ever\SSO\Admin Console\SSO Client Software'.

2. Run the 'SSOSetClientReg.exe' executable to set the registry entries that will be used by the client software to locate the E-SSOM Central Service:

3. Enter the name of the server running the E-SSO-M Central Service as well as the port number used to communicate with the service. (Default 36785)

4. Click on 'Save'.


5. Click on 'Close' to close the 'Set Client Registry Settings' tool.

6. Install the E-SSOM client software by running the 'SSOUserClientSoftware.msi' package. After installing the package, the E-SSOM User Client can be started from the 'Start' menu. (Default location: Start --> All Programs --> Tools4ever --> E-SSOM --> User Client --> User Client)

7.2. GPO Installation

The E-SSOM Client Software can be automatically deployed by using Group Policies. The E-SSOM Deployment Guide describes in detail how to install the E-SSOM Client Software via GPO.

7.3. Citrix

The E-SSOM client software must be installed on the Citrix server(s) to provide SSO functionality for Citrix users.

Please note: To be able to support published Citrix applications, the SSOUserClientSoftwareAppInit.msi must be installed on the Citrix Server instead of the SSOUserClientSoftware.msi package. Do not install both packages on the same machine. Refer to the 'E-SSOM AppInit Client' chapter for detailed information.


7.4. E-SSOM AppInit Client

The E-SSOM client comes in two forms: the normal E-SSOM client, which is installed by the SSOUserClientSoftware.msi file, and the 'AppInit' version, which is installed using the SSOUserClientSoftwareAppInit.msi file. The AppInit Client is only used in situations where programs run without a desktop or shell, for instance when running a Citrix published application.

Warning: Do not install the SSOUserClientSoftware.msi package and the SSOUserClientSoftwareAppInit.msi package on the same machine.

The E-SSOM AppInit Client installs several components and changes registry keys. The source files can be found in the SSO Client Software installation directory.

Win32

The SSOAppI.dll is copied to the c:\windows\system32 directory.

The SSOHook.dll is copied to the c:\windows\system32 directory.

The value 'SSOAppI.dll' must be added to the 'AppInit_DLLs' registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. If the key already contains a value, separate the new value with a comma.

The 'LoadAppInit_DLLs' registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows must be set to '1'.

x64

The SSOApx64.dll is copied to the c:\windows\system32 directory.

The SSOHookx64.dll is copied to the c:\windows\system32 directory.

The value 'SSOApx64.dll' must be added to the 'AppInit_DLLs' registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. If the key already contains a value, separate the new value with a comma.

The 'LoadAppInit_DLLs' registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows must be set to '1'.

The SSOAppI.dll is copied to the c:\windows\SysWOW64 directory.

The SSOHook.dll is copied to the c:\windows\SysWOW64 directory.

The value 'SSOAppI.dll' must be added to the 'AppInit_DLLs' registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows. If the key already contains a value, separate the new value with a comma.

The 'LoadAppInit_DLLs' registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows must be set to '1'.

Please note: If files cannot be copied because they are in use, rename them by adding '.bak'. Then copy the new files. Reboot the machine after making these changes.

Windows 7 and Windows Server 2008 R2 have an additional key called 'RequireSignedAppInit_DLLs'. E-SSOM builds up to and including 1074 do not have a signed AppInit dll and require that this registry value is set to '0'. Later versions of E-SSOM do not have this requirement.
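Because AppInit_DLLs is loaded into every process that links user32.dll, an administrator will want to confirm after installation that the list contains only the DLLs this section documents, that those files are present in the directory for their registry view, and that LoadAppInit_DLLs and RequireSignedAppInit_DLLs are in the intended state. The following PowerShell script is an added example written for this page, not Tools4ever's own tooling: it reads both the native and the Wow6432Node view described above, marks each AppInit_DLLs entry as the DLL documented for that view or as something to verify, and checks the file's presence and Authenticode signature. The function name Get-ESSOMAppInitAudit and the classification labels are the example's own; it assumes PowerShell 3.0 or later run elevated from a 64-bit console.

```powershell
# Added example, not part of the E-SSOM guide: audit the AppInit_DLLs settings
# that section 7.4 describes. Run from an elevated 64-bit PowerShell on the
# machine that has the AppInit Client installed (a 32-bit PowerShell on x64 is
# redirected to the Wow6432Node view and would not see the native key).

$nativeKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$wow64Key  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
$is64      = Test-Path -Path $wow64Key   # the Wow6432Node view only exists on x64 Windows

# Registry view -> directory the DLL is copied to and the DLL name the guide
# documents for that view (section 7.4, Win32 and x64 paragraphs).
$views = @(
    @{ View = 'native'; Key = $nativeKey; Dir = "$env:SystemRoot\System32"
       Documented = $(if ($is64) { 'SSOApx64.dll' } else { 'SSOAppI.dll' }) }
)
if ($is64) {
    $views += @{ View = 'wow64'; Key = $wow64Key; Dir = "$env:SystemRoot\SysWOW64"; Documented = 'SSOAppI.dll' }
}

function Get-ESSOMAppInitAudit {
    # Function name chosen for this example; it is not a Tools4ever cmdlet.
    foreach ($v in $views) {
        $props = Get-ItemProperty -Path $v.Key -ErrorAction SilentlyContinue
        if (-not $props) { Write-Warning "$($v.View): $($v.Key) not found"; continue }

        $load   = $props.LoadAppInit_DLLs            # must be 1 for AppInit DLLs to load at all
        $signed = $props.RequireSignedAppInit_DLLs   # Win7 / 2008 R2 only; builds <= 1074 need 0

        # AppInit_DLLs is one REG_SZ. The guide separates entries with commas;
        # Windows also accepts spaces, so split on both and drop empty parts.
        $entries = @(([string]$props.AppInit_DLLs) -split '[,\s]+' | Where-Object { $_ -ne '' })

        if ($entries.Count -eq 0) {
            [PSCustomObject]@{ View = $v.View; Entry = '<empty>'; ResolvedPath = $null
                               Classification = 'no AppInit DLLs configured'; Exists = $false
                               Signature = $null; LoadAppInit_DLLs = $load; RequireSignedAppInit_DLLs = $signed }
            continue
        }

        foreach ($entry in $entries) {
            $name   = Split-Path -Path $entry -Leaf
            # A bare file name, as the guide writes it, is loaded from the view's system directory.
            $path   = if ([IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path -Path $v.Dir -ChildPath $name }
            $exists = Test-Path -LiteralPath $path
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
            [PSCustomObject]@{
                View                      = $v.View
                Entry                     = $entry
                ResolvedPath              = $path
                Classification            = if ($name -ieq $v.Documented) { 'documented E-SSOM DLL' } else { 'not documented in this guide - verify' }
                Exists                    = $exists
                Signature                 = $sig
                LoadAppInit_DLLs          = $load
                RequireSignedAppInit_DLLs = $signed
            }
        }
    }
}

Get-ESSOMAppInitAudit | Format-Table -AutoSize
```

Any entry reported as 'not documented in this guide' or with a signature status other than Valid deserves a look before the machine goes into service. A RequireSignedAppInit_DLLs value of 0 is only needed for builds up to and including 1074; on later builds it can be returned to 1 so that Windows 7 and 2008 R2 load only signed AppInit DLLs.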


8. Installing the E-SSOM Client Extensions

The E-SSOM Client Extensions package contains software that is used for 'Fast User Switching' and 'Authentication Management'. To be able to use these features, the SSOClientExtensions.msi must be installed on the machines that are using this functionality. The package contains a 32 and 64 bit 'GINA' for Windows 2003 and Windows XP. For Windows Vista, Windows 7 and Windows 2008, the package contains a 32 and 64 bit 'Credential Provider'. The package automatically detects the version of Windows and installs the correct software for the target platform. Please note: The E-SSOM Client Extensions package cannot be installed separately from the E-SSOM Client Software package. The E-SSOM Client Software package must be installed for the Client Extensions to work.

8.1. E-SSOM GINA

The Windows GINA is a dll that handles all user identification and authentication procedures. The E-SSOM GINA is designed to replace the default Windows GINA. It performs all the functions that the Windows GINA provides as well as Fast User Switching and Authentication Management.

The installation package performs the following actions:

32 bit Windows

A registry value called 'GinaDLL' is added to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. The value is set to 'SSOGINA.dll'.

A DLL called 'SSOGINA.dll' is copied to the system32 directory of Windows. (Default: C:\Windows\System32)

64 bit Windows

A registry value called 'GinaDLL' is added to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. The value is set to 'SSOGINAx64.dll'.

A DLL called 'SSOGINAx64.dll' is copied to the system32 directory of Windows. (Default: C:\Windows\System32)


8.2. E-SSOM Credential Provider

The Windows Credential Provider is a dll that handles all user identification and authentication procedures. The E-SSOM Credential Provider is designed to replace the default Windows Credential Provider. It performs all the functions that the Windows Credential Provider provides as well as Fast User Switching and Authentication Management.

The installation package performs the following actions:

32 bit Windows

A DLL called 'SSOCredProv.dll' is copied to the system32 directory of Windows. (Default: C:\Windows\System32)

The following registry keys are set/created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{8bf0340e-160c-4763-9c37-d3eae6d79934}
  Default value: SSOCredentialProviderFilter

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{4c00d5f4-6c53-46b0-923c-de2d2654d784}
  Default value: SSOCredentialProvider

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8bf0340e-160c-4763-9c37-d3eae6d79934}
  Default value: SSOCredentialProviderFilter

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8bf0340e-160c-4763-9c37-d3eae6d79934}\InprocServer32
  Default value: SSOCredProv.dll
  String value 'ThreadingModel': Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4c00d5f4-6c53-46b0-923c-de2d2654d784}
  Default value: SSOCredentialProvider

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4c00d5f4-6c53-46b0-923c-de2d2654d784}\InprocServer32
  Default value: SSOCredProv.dll
  String value 'ThreadingModel': Apartment

64 bit Windows

A DLL called 'SSOCredProvx64.dll' is copied to the system32 directory of Windows. (Default: C:\Windows\System32)

The following registry keys are set/created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{8bf0340e-160c-4763-9c37-d3eae6d79934}
  Default value: SSOCredentialProviderFilter

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{4c00d5f4-6c53-46b0-923c-de2d2654d784}
  Default value: SSOCredentialProvider

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8bf0340e-160c-4763-9c37-d3eae6d79934}
  Default value: SSOCredentialProviderFilter

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8bf0340e-160c-4763-9c37-d3eae6d79934}\InprocServer32
  Default value: SSOCredProvx64.dll
  String value 'ThreadingModel': Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4c00d5f4-6c53-46b0-923c-de2d2654d784}
  Default value: SSOCredentialProvider

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4c00d5f4-6c53-46b0-923c-de2d2654d784}\InprocServer32
  Default value: SSOCredProvx64.dll
  String value 'ThreadingModel': Apartment
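The GINA (section 8.1) and the Credential Provider (section 8.2) both sit in the logon path, so after installing SSOClientExtensions.msi an administrator will want to verify that the registrations match what this guide documents and to see every other provider registered alongside them. The PowerShell script below is an added example written for this page, not part of the Tools4ever package: it walks the Credential Providers and Credential Provider Filters keys, resolves each CLSID to its InprocServer32 DLL, checks the file's presence and Authenticode signature, marks the two E-SSOM CLSIDs from section 8.2 as matching the guide or not, and separately reports the Winlogon GinaDLL value from section 8.1. The function names Get-CredentialProviderInventory and Get-GinaDllSetting are the example's own; it assumes PowerShell 3.0 or later run elevated from a 64-bit console.

```powershell
# Added example, not part of the E-SSOM guide: inventory credential providers,
# credential provider filters (section 8.2) and the GinaDLL value (section 8.1)
# so that the E-SSOM registrations can be verified against the documented
# CLSIDs and DLL names and any other entry reviewed.

$authRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
$system32 = "$env:SystemRoot\System32"

# CLSIDs and default values documented in section 8.2 of the guide.
$documented = @{
    '{4c00d5f4-6c53-46b0-923c-de2d2654d784}' = 'SSOCredentialProvider'
    '{8bf0340e-160c-4763-9c37-d3eae6d79934}' = 'SSOCredentialProviderFilter'
}
$documentedDlls = @('SSOCredProv.dll', 'SSOCredProvx64.dll')   # 32-bit and 64-bit names from the guide

function Get-CredentialProviderInventory {
    # Example function name; not a Tools4ever or Windows cmdlet.
    foreach ($kind in 'Credential Providers', 'Credential Provider Filters') {
        $base = Join-Path -Path $authRoot -ChildPath $kind
        if (-not (Test-Path -Path $base)) { continue }   # absent on XP / 2003 and on a clean filter key

        foreach ($key in Get-ChildItem -Path $base) {
            $clsid  = $key.PSChildName
            $name   = (Get-ItemProperty -Path $key.PSPath).'(default)'
            $inproc = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            $dll    = if ($inproc) { [string]$inproc.'(default)' } else { '' }
            $leaf   = if ($dll) { Split-Path -Path $dll -Leaf } else { '' }
            # A bare file name, as the guide's install writes it, resolves from System32.
            $path   = if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { Join-Path -Path $system32 -ChildPath $dll } else { $dll }
            $sig    = if ($path -and (Test-Path -LiteralPath $path)) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }

            $status = if ($documented.ContainsKey($clsid)) {
                $dllOk  = $documentedDlls -contains $leaf
                $nameOk = $name -eq $documented[$clsid]
                if ($dllOk -and $nameOk) { 'E-SSOM, matches guide' } else { 'E-SSOM CLSID but name or DLL differs - verify' }
            } else { 'other provider - review' }

            [PSCustomObject]@{
                Kind           = $kind
                CLSID          = $clsid
                Name           = $name
                Dll            = $dll
                ThreadingModel = if ($inproc) { $inproc.ThreadingModel } else { $null }   # guide expects 'Apartment'
                Signature      = $sig
                Status         = $status
            }
        }
    }
}

function Get-GinaDllSetting {
    # Section 8.1: GinaDLL under Winlogon is honoured only by Windows XP / 2003;
    # on Vista and later a leftover value is stale and worth cleaning up.
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $gina = $winlogon.GinaDLL
    if (-not $gina) { return 'GinaDLL not set (Windows default GINA)' }
    $path    = if ([IO.Path]::IsPathRooted($gina)) { $gina } else { Join-Path -Path $system32 -ChildPath $gina }
    $isEssom = @('SSOGINA.dll', 'SSOGINAx64.dll') -contains (Split-Path -Path $gina -Leaf)
    "GinaDLL = $gina (documented E-SSOM name: $isEssom, file present: $(Test-Path -LiteralPath $path))"
}

Get-CredentialProviderInventory | Format-Table -AutoSize
Get-GinaDllSetting
```

On a correctly installed machine the two E-SSOM rows show 'E-SSOM, matches guide', a ThreadingModel of Apartment and a Valid signature; the remaining rows are the Windows built-in providers and any third-party ones, and each of those should be recognisable to whoever manages the image. Because the guide states that the Client Extensions only work on top of the Client Software package, a machine where the rows are present but the Client Software is missing is misconfigured rather than protected.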


9. Index

A
Architecture • 2

B
Backwards compatibility • 5

C
Citrix • 14
Contents of the Package • 6

E
E-SSOM AppInit Client • 15
E-SSOM Credential Provider • 17
E-SSOM GINA • 16

G
GPO Installation • 14

I
Installing the Admin Console • 6
Installing the E-SSOM Central Service • 7
Installing the E-SSOM Client Extensions • 16
Installing the E-SSOM Client Software • 13

M
Manual Installation • 13

S
Step by Step Installation • 7
System Requirements • 4

W
Welcome to E-SSOM • 1