Introduction

Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides

Contents

Chapter 1. Introduction . . . . . . . . 1

Introduction . . . . . . . . . . . . . . 1

Introduction . . . . . . . . . . . . . . 2

Product Overview . . . . . . . . . . . . 2

About the Console . . . . . . . . . . . . 3

What’s New in TAM E-SSO . . . . . . . . . 4

Chapter 2. Administrative Procedures . . 7

Considerations Before Deploying TAM E-SSO . . . 7

User Work Modes . . . . . . . . . . . 7

Mobility Configuration . . . . . . . . . . 9

Rollout . . . . . . . . . . . . . . . 10

Administration and Management . . . . . . 10

Configuring TAM E-SSO . . . . . . . . . . 10

Configuring for Windows Authentication . . . 11

Directory Servers: Configuring the Agent . . . 11

File Systems: Configuring the Agent . . . . . 12

Database Synchronization: Configuring the Agent 12

Configuring TAM E-SSO in a Citrix Environment 13

Configuring the Server for TAM E-SSO . . . . . 15

Directory Servers: Configuring the server . . . 15

File Systems: Configuring the Server . . . . . 16

Database Synchronization: Configuring the server 17

Distributing Predefined Application Logons . . . 17

Understanding the Application Configuration Files . . . . . . . . 18

General Guidelines for Setting Up Applications 22

Adding Windows applications . . . . . . . 22

Adding Web Applications . . . . . . . . 23

Adding Host/Mainframe Applications . . . . 24

Adding Java applications and applets . . . . 25

Adding Telnet Applications . . . . . . . . 25

First Time Use (Bulk-Add) . . . . . . . . 28

Using and Creating Templates . . . . . . . 28

Managing User Data . . . . . . . . . . . 29

Setting Password Policies . . . . . . . . . 29

Creating password sharing groups . . . . . . 30

User Credentials and Settings . . . . . . . 31

File-Based Backup/Restore . . . . . . . . 31

Synchronization . . . . . . . . . . . . . 32

Directory Server Synchronization Support . . . 33

File System Synchronization Support . . . . . 34

Database Synchronization Support . . . . . . 35

Multiple Synchronizer Support . . . . . . . 36

Configuration Objects . . . . . . . . . . 36

Event Logging . . . . . . . . . . . . . 37

Event Logging: Agent Configuration . . . . . 38

Event Logging: Server Configuration . . . . . 39

Distributing TAM E-SSO . . . . . . . . . . 39

Microsoft Windows Installer (MSI) Package . . . 39

Deployment Options . . . . . . . . . . 40

Glossary . . . . . . . . . . . . . . . 41

Chapter 3. Using the Console . . . . . 47

Console Main Menu Commands . . . . . . . 47

Applications . . . . . . . . . . . . . . 52

Applications List . . . . . . . . . . . 52

Add Application dialog box . . . . . . . . 53

New Windows/Java application . . . . . . 55

New Web application . . . . . . . . . . 69

New Host/Mainframe application . . . . . . 73

Bulk Add tab . . . . . . . . . . . . . 77

Selected application . . . . . . . . . . 78

Import/Export . . . . . . . . . . . . 84

Manage Templates . . . . . . . . . . . 86

Kiosk Adapter . . . . . . . . . . . . . 88

Applications to Leave Running on Session End 88

Applications to Close on Session End . . . . . 89

Provisioning Adapter . . . . . . . . . . . 90

Provisioning Adapter (for role/group support) 90

Password Generation Policy . . . . . . . . . 90

Add Password Policy . . . . . . . . . . 91

Selected Password Policy . . . . . . . . 91

Password Sharing Groups . . . . . . . . . 93

Add Sharing Group . . . . . . . . . . 93

Domain password group . . . . . . . . . 94

LDAP Password Group . . . . . . . . . 94

Selected Password Sharing Group . . . . . 95

Global Agent Settings . . . . . . . . . . . 95

Add Set of Settings . . . . . . . . . . . 96

Selected Set of Global Agent Settings . . . . . 97

Repository . . . . . . . . . . . . . . 151

Connect to Repository . . . . . . . . . 151

Configure SSO Support . . . . . . . . . 152

Add Locator Object . . . . . . . . . . 153

Chapter 4. SSO Administrative Console Reference Topics . . . . . . 155

Pre-configured Applications and Templates . . . 159

Directory Server Schema Definition . . . . . . 161

Directory Server Schema Definition . . . . . 161

Directory Server Schema Definition . . . . . 161

Directory Server Schema Definition . . . . . 161

Directory Server Schema Definition . . . . . 162

Configuring Host Emulators to Enable HLLAPI Short Session Names . . . 162

Attachmate EXTRA! / myExtra! . . . . . . 163

G&R Glink . . . . . . . . . . . . . 163

Ericom PowerTerm . . . . . . . . . . 164

Hummingbird HostExplorer . . . . . . . 164

IBM Client Access . . . . . . . . . . . 164

IBM Client Access Express . . . . . . . . 165

IBM Host On-Demand . . . . . . . . . 165

IBM Personal Communications . . . . . . 167

NetManage Rumba . . . . . . . . . . 168

NetManage ViewNow / Chameleon Hostlink 97 168

Novell LAN Workplace . . . . . . . . . 168

Scanpak Aviva for Desktops . . . . . . . 169

WRQ Reflection . . . . . . . . . . . 169

Zephyr PC to Host . . . . . . . . . . 169


Zephyr Web to Host . . . . . . . . . . 169

Command-Line Options . . . . . . . . . . 169

Smartcard Monitor Utility ( ssoSCDetect.exe) . . . 171

Configuring the Windows Event Logging Server 172

Configuring the Windows Event Logging Server 172

Error Loop Quick Reference . . . . . . . . 172

MSI Package Contents . . . . . . . . . . 174

ftulist.ini Keys . . . . . . . . . . . . . 176

Root Keys . . . . . . . . . . . . . 176

Password Windows Section Keys . . . . . . 177

My Logons Section Keys . . . . . . . . 178

Bulk Add Logon Section Keys . . . . . . . 178

Keys for entlist.ini . . . . . . . . . . . . 180

Root Keys . . . . . . . . . . . . . 181

Windows Application Keys . . . . . . . . 186

Host/Mainframe Application Keys . . . . . 214

Web Application Keys . . . . . . . . . 224

Password Policy Keys . . . . . . . . . 233

Global Agent Settings . . . . . . . . . . 235

Global Agent Settings . . . . . . . . . 236

Troubleshooting . . . . . . . . . . . . 299

Regular Expression Syntax . . . . . . . . 301

Installation . . . . . . . . . . . . . 302

Agent Performance . . . . . . . . . . 305

Authentication . . . . . . . . . . . . 306

Application Configuration . . . . . . . . 308

Event Logging . . . . . . . . . . . . 312

Password Sharing Groups . . . . . . . . 312

Synchronizer Extensions . . . . . . . . . 312

Chapter 5. TAM E-SSO Add-On Modules . . . . . . . . . . . . . 315

Authentication Adapter . . . . . . . . . . 315

TAM E-SSO: Authentication Adapter . . . . 315

TAM E-SSO: Authentication Adapter . . . . 317

Graded Authentication . . . . . . . . . 318

Kiosk Adapter . . . . . . . . . . . . . 320

TAM E-SSO: Kiosk Adapter . . . . . . . 320

TAM E-SSO: Kiosk Adapter - SendKeys Format 321


Chapter 1. Introduction

IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides users with one password to log on to every application on both the company network and the Internet. It works ″out-of-the-box″ (without programming or additional network infrastructure) with virtually any Windows, Web, proprietary, and host-based application, lowering IT and Help Desk costs without the expense and burden of integration.

TAM E-SSO is intelligent agent software that works by responding to logon requests on behalf of the user, directly from their desktop. The agent responds to each software application's logon request by providing the correct credentials (that is, username/ID, password, and other fields) directly and automatically. A strong authentication mechanism controls access to the agent, ensuring access by only the designated user.


Product Overview

IBM Tivoli Access Manager for Enterprise Single Sign-On uses a patented process for detecting requests for credentials, analyzing the response necessary, responding reliably, logging events, and administering settings.

Architecture/Modules

The TAM E-SSO component architecture provides maximum flexibility to meet your organization's needs.

[ view diagram ]

The TAM E-SSO architecture consists of seven areas: Authentication; Encryption; Intelligent Agent Response; Core (including Storage); Credential Synchronization; Event Logging; and Miscellaneous components. In addition, Administration is facilitated by the Administrative Console.

Resources

TAM E-SSO stores all program files, settings, and data in the following places:

• The %ProgramFiles%\Passlogix\v-GO SSO directory contains TAM E-SSO program files. (Default: C:\Program Files\Passlogix\v-GO SSO)
• The %ProgramFiles%\Passlogix\v-GO SSO\Console directory contains Administrative Console program files. (Default: C:\Program Files\Passlogix\v-GO SSO\Console)
• The %ProgramFiles%\Passlogix\SSO File Sync Service directory contains SSO File Sync Service program files. (Default: C:\Program Files\Passlogix\SSO File Sync Service)
• The %AppData%\Passlogix directory contains user data files. (Default: depends on OS; Windows 2000: C:\Documents and Settings\%UserName%\%AppData%\Passlogix)
• The HKCU registry tree stores user default settings.
• The HKLM registry tree stores overriding settings (settings that override user settings) and TAM E-SSO defaults.
• The SSOLocator objects on a directory server direct TAM E-SSO to where each user's credentials are stored (an SSOConfig object).
• The SSOConfig objects on directory servers and similar objects on File Systems store overriding settings and user data. Note: Settings in SSOConfig objects override registry settings. Note: SSOConfig is the default name, but the object can be named anything.


About the Console

The Administrative Console enables both agent and server configuration of most agent options. Specifically, the Administrative Console enables:

• Easy creation, management, and deployment of:
  – Application configurations and application configuration lists
  – Password-Sharing Groups
  – Password Policies
  – Bulk-add lists
  – Agent configuration settings (through registry settings)
• Easy setup and management of synchronizer extensions:
  – LDAP Directory Servers, including Tivoli Directory Server, Novell eDirectory, Oracle Directory Server, Sun Java System Directory Server 5.1, Critical Path Directory Server, and OpenLDAP Directory Server.
  – Microsoft Active Directory Server systems (including Application Mode)
  – Relational database systems, including Microsoft SQL Server, IBM DB2, and Oracle 9i/10g.
  – File systems

The Administrative Console removes the need to edit configuration files or the registry by hand, with the associated risks of errors such as ″fat-fingering″ or providing invalid parameters.

The Administrative Console functionality is divided into the areas listed below, with their associated topics.

Action                                              Console Feature               See topic
Creating and managing application configurations    Applications                  Configuring Application Logons
Creating and managing password generation policies  Password Generation Policies  Setting Password Policies
Creating and managing password sharing groups       Password Sharing Groups       Creating password sharing groups
Creating and managing bulk-add lists                Applications, Bulk Add tab    First time use
Agent configuration settings                        Global Agent Settings         Configuring Global Agent Settings
Setting up and managing synchronizer extensions     Synchronization               Synchronization


What’s New in TAM E-SSO

TAM E-SSO version 5.0 is the latest edition of the TAM E-SSO Agent and the TAM E-SSO Administrative Console. It includes new enhancements and options for using, deploying, and managing TAM E-SSO.


Chapter 2. Administrative Procedures

Considerations Before Deploying TAM E-SSO

The topics in this section discuss important concepts and considerations regarding the deployment and administration of TAM E-SSO.

User Work Modes: Understanding the different ways to set up the agent side of supporting users working in different configurations, and how to optimize your configuration for each set of scenarios.

Configuration: Understanding the different ways to set up the server side of supporting users working in different configurations, and how to optimize your configuration for each set of scenarios.

Rollout: Understanding the process and issues surrounding rolling out TAM E-SSO to an organization.

Administration and Management: Understanding the post-rollout issues for TAM E-SSO deployments.


User Work Modes

Users access their computers in a variety of work modes:

• Some users are always at a given workstation and are its sole user.
• Some users move frequently among a limited number of workstations (for example, nurses in a department) or move to a different workstation every day or every few hours (for example, in a call center).
• Multiple users may share a single workstation, for example, in shifts. Such a workstation may be used as a kiosk, that is, by multiple users who log on using a smartcard or other token.
• Some users are not always connected to the network.

TAM E-SSO supports all these scenarios and can be optimized for each user's most common scenario. (Default: Users are always at a given workstation, but share it with others.)


One Workstation, One User

When users are always at a given workstation, their credentials can be backed up to a remote location using an SSO synchronizer extension. See Synchronization for more information.

Alternatively, the Backup/Restore facility module can store credentials on the workstation without the use of a remote repository. The Backup/Restore module is not installed by default. Users can perform backups manually, or the backup can be automated. See File-Based Backup/Restore for more information.

Frequent Movement Among Few Workstations

When users move frequently among a few workstations, but are always on those few workstations, you have two basic options for supporting their TAM E-SSO credentials.

The recommended option is to utilize a remote SSO repository. Both starting the agent and any change to credentials forces a record-level comparison (synchronization) of all records, ensuring that the user always has the most current credentials possible.

The other option is to configure automated silent backup to a network file share. With proper configuration, the agent will perform a silent backup to a remote store (network drive) with each change of credentials (Refresh Task). When the agent first starts, it will check whether the remote store is newer than the local store; if so, it will perform a silent restore; either way, the user will have his current credentials. Because this is a file-level (as opposed to record-level) comparison, this option is not safe if the user might ever be logged into more than one computer at the same time.

Frequent Movement Among Many Workstations

When users move frequently among many workstations, you have two basic options for supporting their credentials.

The recommended option is to utilize a remote SSO synchronization repository. Both starting the agent and any change to credentials forces a record-level comparison (synchronization) of all records, ensuring that the user always has the most current credentials possible. In addition, to increase security and to reduce disk space use, enable the Delete Local Cache (on Shutdown) option.

Alternatively, if your Windows environment is already set up with Windows Roaming Profiles, user data is automatically available to the user since it is included in the %AppData% file directory. However, due to the bandwidth-intensive nature of Windows Roaming Profiles, this approach is not recommended for use with SSO credentials.

One Workstation, Many Users

A single workstation may be accessed by a number of users, such as a kiosk. A smart card (or other token) and a PIN can be used to log on to a kiosk (TAM E-SSO: Authentication Adapter only). To enable these users' access to the remote SSO repository, the ssoSCDetect utility can be used to start the TAM E-SSO agent and prompt for primary logon whenever a smart card is inserted in the reader. When the card is removed, the user is automatically logged out of the agent. See ssoSCDetect (smartcard monitor utility) for more information.

Disconnected

When users use laptops or are in remote locations, they often stay disconnected from the network for long periods of time.

The TAM E-SSO agent stores credentials locally, providing full independence for mobile users who cannot rely on a network connection. TAM E-SSO modules like Storing User Credentials and Settings and Event Logging support occasional reconnecting, ensuring reliability.

With File-Based Backup/Restore, users can save their own data to a floppy or zip drive. With TAM E-SSO: Authentication Adapter, users can save their own data to a smart card.

The TAM E-SSO synchronizer extensions are configured for offline users using Synchronization options, including Disconnected Operation (see Settings Controlling Mobility).

Usability and Security

Other Settings

You can customize TAM E-SSO in many ways, and you can enforce these settings at the user, computer, or group level. (The ″group″ level can include the entire enterprise.) See Global Agent Settings for details.


Mobility Configuration

Some organizations configure their SSO repository (e.g., directory servers, relational databases, file system share) in a very centralized fashion (for example, all user data store objects under one parent object). Other organizations use a decentralized structure (for example, a parent object for each department, location, level of employee, and so on). Each has its advantages and disadvantages, depending on your specific current and future network topology. Below are some general advantages and disadvantages.


Rollout


Administration and Management

After the initial deployment, you can continue to manage how TAM E-SSO modules are deployed for updates and upgrades. You can do this using the Console or your own current deployment method.

Configuring TAM E-SSO

These topics describe how to configure TAM E-SSO to support specific environments:

• For Windows authentication
• For directory servers
• For databases
• For file systems
• For Citrix MetaFrame


Configuring for Windows Authentication

TAM E-SSO supports Windows Authentication as the Primary Logon Method (Authenticator). This offers a true single sign-on user experience. The agent can use the Windows logon credentials as its authentication. In order for TAM E-SSO to support this, the Administrator needs to be aware of two issues. First, the OS must have 128-bit encryption installed. Second, user-level profiles need to be enabled. For Microsoft Windows 2000/XP, user-level profile support is part of the base feature set when installed.

Confirming 128-bit Encryption

To check the encryption strength of the OS, start Microsoft Internet Explorer, and select Help | About. Cipher Strength should be 128-bit.

If the OS is not 128-bit, you can download the update from Microsoft at this address: http://www.microsoft.com/windows/ie/download/128bit/default.asp.


Directory Servers: Configuring the Agent

This topic describes the settings needed to configure TAM E-SSO to use a directory server as a repository. The configuration is essentially similar for all supported directory servers, with explanations of any differences.

• See Directory Server Synchronization Support for more information about how TAM E-SSO makes use of directory server resources.
• See Overriding Settings for detailed descriptions of the associated registry entries.

Note: Where the LDAP AUI and LDAP Directory Server extension are both installed, values must exist in both AUI\LDAP and Extensions\SyncManager\Syncs\%LDAP%.


File Systems: Configuring the Agent

This topic describes the settings needed to initially configure the TAM E-SSO Agent to synchronize application logons, global agent settings, and user credentials with a network file share.

The configuration settings described below can be distributed to the client workstations either as part of the general deployment of the Agent software (by modifying the MSI installer file) or, after Agent deployment, by distributing a registry-entries (.REG) file that can be merged with the client workstation's registry.

• See Deployment Options for topics about TAM E-SSO Agent rollout.
• See File System Synchronization Support for more information about how TAM E-SSO makes use of file system resources.
• See Overriding Settings for detailed descriptions of the associated registry entries.


Database Synchronization: Configuring the Agent

This topic describes the settings needed to configure the TAM E-SSO Agent to use a database server for synchronization.

The configuration settings described below can be distributed to the client workstations either as part of the general deployment of the Agent software (by modifying the MSI installer file) or, after Agent deployment, by distributing a registry-entries (.REG) file that can be merged with the client workstation's registry.

• See Deployment Options for topics about TAM E-SSO Agent rollout.
• See Database Synchronization Support for more information about how TAM E-SSO makes use of database server resources.
• See Overriding Settings for detailed descriptions of the associated registry entries.


Configuring TAM E-SSO in a Citrix Environment

Default installation of TAM E-SSO in Citrix MetaFrame:

The TAM E-SSO default installation process automatically detects and installs the components necessary for TAM E-SSO to function in a Citrix environment. The installation process enables TAM E-SSO support for every application published on that Citrix server.

Controlling TAM E-SSO for specific applications in Citrix:

The following section explains how to change from the default installation of TAM E-SSO and enable TAM E-SSO for only specific applications in a Citrix environment. There are two steps in this process. The first step is to remove the global TAM E-SSO support. The second is to specify which applications are going to be SSO-enabled through their Published Application configuration.

Enabling MetaFrame Monitoring

To enable TAM E-SSO to be monitored by Citrix MetaFrame, so that TAM E-SSO will not keep otherwise-ended sessions alive, go to the following registry tree:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\Wfshell\TWI

If an entry named LogoffCheckSysModules exists, append ,ssoshell.exe to it. For example, change app1.exe,app2.exe to app1.exe,app2.exe,ssoshell.exe.

If the entry does not exist, create LogoffCheckSysModules as type STRING and set it to ssoshell.exe.
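The following PowerShell script is an added example, not part of the IBM documentation: it applies the LogoffCheckSysModules change described above on a Citrix server, covering both the "entry exists" and "entry missing" cases. The check that skips the edit when ssoshell.exe is already listed is an assumption added here to keep the script safe to rerun; the documented step only says to append.

```powershell
# Added example, not part of the IBM documentation. Registers ssoshell.exe in the
# Citrix WFShell LogoffCheckSysModules value so MetaFrame can end sessions in which
# only the TAM E-SSO shell is still running. Run in an elevated PowerShell session
# on the Citrix MetaFrame server.

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Citrix\Wfshell\TWI'
$valueName = 'LogoffCheckSysModules'
$module    = 'ssoshell.exe'

if (-not (Test-Path -Path $keyPath)) {
    throw "Registry key $keyPath was not found; is Citrix MetaFrame installed on this host?"
}

# Read the current value; $null if the entry does not exist.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ([string]::IsNullOrEmpty($current)) {
    # Entry missing (or empty): create it as a STRING (REG_SZ) value holding only ssoshell.exe.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType String -Value $module -Force | Out-Null
    Write-Output "Created $valueName = $module"
}
else {
    # Entry exists: split the comma-separated module list and check whether
    # ssoshell.exe is already present. This guard is an assumption added here
    # (the documented step only says to append); it keeps the script idempotent.
    $modules = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    if ($modules -contains $module) {
        Write-Output "$valueName already lists $module; nothing to do"
    }
    else {
        # Append, preserving the existing entries exactly as the text shows
        # (app1.exe,app2.exe becomes app1.exe,app2.exe,ssoshell.exe).
        $updated = ($modules + $module) -join ','
        Set-ItemProperty -Path $keyPath -Name $valueName -Value $updated
        Write-Output "Updated $valueName from '$current' to '$updated'"
    }
}

# Show the resulting value so the change can be verified.
(Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
```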


SSOLauncher for MetaFrame XP Servers

This utility lets you control the delivery of TAM E-SSO with published applications in a Citrix MetaFrame XP environment.

1. Copy the ssolauncher utility into the WINNT\system32 folder; otherwise you must include the full path to where ssolauncher resides.

2. You can now manage the applications you want TAM E-SSO to run with by utilizing the ssolauncher utility. By accessing the Citrix Published Application Management console and applying the ssolauncher command through the Application Definition command line, you can make TAM E-SSO run on an application-by-application basis.

Note: The ssolauncher command is applied in front of the command line.

Example:

ssolauncher.exe /application ″C:\Program Files\Internet Explorer\EXPLORER.EXE″

The following are the commands for ssolauncher:

Command             Use *
/application        The full path of the application to execute. This is required.
/command            Used to supply command parameters to an application. This is optional.
/directory          Used to supply a working directory to an application. This is optional.
/wait               The number of milliseconds to wait for an application to shut down. This is optional. If not specified, ssolauncher will wait forever for the application to terminate.
/verbose            Displays dialog boxes with error messages if ssolauncher has any failures.
/nossoshutdown      Prevents shutting down SSO when the application completes.
/SSOCOMMAND LOGON   Used to initiate a command to the ″Logon Using TAM E-SSO″ trigger, located in the system tray icon.

Sample command line to launch AIM:

ssolauncher.exe /verbose /application ″C:\Program Files\AIM95\aim.exe″ /directory ″C:\Program Files\AIM95″

* The command should begin and end in a quote if it contains \ characters.


Configuring the Server for TAM E-SSO

The topics below describe how to configure your server for TAM E-SSO deployment and support for synchronization and event logging:

- Directory server configuration: for LDAP services, including
  – IBM Tivoli Directory Server
  – Microsoft Active Directory and ADAM
  – Novell eDirectory
  – Oracle Directory Server
  – Sun Java System Directory Server 5.1
  – Critical Path Directory Server
  – OpenLDAP Directory Server
- Database system configuration: for Microsoft SQL Server, IBM DB2, and Oracle database systems.
- File system configuration: for any UNC (Universal Naming Convention)-compliant network drive or device.
- Event logging: to configure a Microsoft Windows 2000 or XP server to receive TAM E-SSO Event Log messages.


Directory Servers: Configuring the server

This topic describes how to extend directory servers to work with TAM E-SSO. Although this process simplifies some directory-related tasks, it assumes that the Administrator has knowledge of the planning and deployment of directory services. This guide only covers concepts specific to TAM E-SSO deployments.

- See Directory Server Synchronization Support for more information about how TAM E-SSO makes use of directory server resources.

Configuring a directory server for TAM E-SSO entails using the Console to extend the schema and set up objects in the directory structure.

When you connect to a directory server, you must provide Administrator-privileged authentication information. This information includes the directory type, the server's name or IP address (an IP address may not be valid for Microsoft Active Directory Server), port, whether to use SSL, user ID and password. Select SSL wherever the directory supports it: a DN-and-password logon is an LDAP simple bind, and without SSL the administrator password crosses the network in clear text.


Your user ID should be in DN format; for example,

uid=yourname,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot

Directory operations must be performed from Microsoft Windows 2000 or XP.

- The ADAM server instance must be installed and running before you begin the following procedure.
- The naming context for the Application Directory Partition (step 2, below) must be an organizational unit (ou). The example given in the ADAM Setup Wizard panel shows a cn (container name).


File Systems: Configuring the Server

This topic describes how to extend file systems to work with TAM E-SSO. Although this process simplifies some tasks, it assumes that the Administrator has knowledge of the planning and deployment of file system shares. This guide only covers concepts specific to TAM E-SSO deployments.

- See File System Synchronization Support for more information about how TAM E-SSO makes use of file system resources.

Configuring a file system share for TAM E-SSO entails using the Administrative Console to set up objects in the directory structure.

Note: When you connect to a file system, you may need to provide Administrator-privileged authentication information. This information includes the synchronizer extension type, UNC path, user ID, and password.

Your user ID should be in domain name format, for example,

yourdomain\yourname


Database Synchronization: Configuring the server

This topic describes how to configure a relational database server to work with TAM E-SSO. It assumes that you have basic knowledge of relational database administration and operation. This guide only covers concepts specific to TAM E-SSO deployments.

- See Database Synchronization Support for more information about how TAM E-SSO makes use of database resources.

Configuring TAM E-SSO for database synchronization entails using the Administrative Console to extend the database schema and to create the container objects.


Distributing Predefined Application Logons

TAM E-SSO can recognize and respond to a wide array of logon scenarios. Users can configure each logon in advance or as they encounter it. When a user configures a logon, the agent displays a list of predefined applications. Users can select an application from this list or create a logon for an unlisted application.

Predefined applications simplify configuration for the user and increase the reliability of both recognizing and responding to logon and password-change requests.

Preconfigured application logons for many popular Windows applications are included with the Administrative Console in the form of templates that contain all or part of the logon's configuration. Predefined logons for network and web pop-up logon dialogs and for many online service providers are provided in the applist.ini file (located in the Plugin\LogonMgr directory under the installation directory).


Understanding the Application Configuration Files

TAM E-SSO stores its application logon instructions in a file named aelist.ini that typically resides in each user's %AppData%\Passlogix directory (C:\Documents and Settings\username\Application Data\Passlogix). The Agent creates aelist.ini by merging two component files:

- entlist.ini, which you create using the Administrative Console to provide your organization with customized logons for Windows, Web site, and mainframe/host applications. The Agent's synchronizer extension places entlist.ini in the %AppData%\Passlogix directory.
- applist.ini, which is included in the Agent installation package and contains predefined logons for network and web pop-up logon dialogs and for many online service providers. The applist.ini file resides in the Agent's installation directory.

Notes:

- Beginning with TAM E-SSO version 5.0, preconfigured logons for Windows and Web applications are provided in Console templates, rather than in the Agent's applist.ini.
- All TAM E-SSO configuration files (including entlist.ini and ftulist.ini) can only be created and edited using the Administrative Console.

How the Agent uses entlist.ini

The agent merges entlist.ini with applist.ini to create aelist.ini in the %AppData%\Passlogix directory. The agent overwrites aelist.ini periodically, including at agent startup, so any hand edits to aelist.ini are lost. The agent then uses aelist.ini to detect "known" applications.

If a synchronizer extension (for example, Directory Server or File System) is in use, the remote object overrides any local entlist.ini file and is then merged with applist.ini.

If there is neither a remote object nor a local entlist.ini file, the agent uses applist.ini without creating the aelist.ini file.

Note: While the agent is running, you can modify entlist.ini or the SSOentlist object. To force the agent to re-merge and create a new aelist.ini, select Refresh in Logon Manager.

See the following topics for more information about creating and distributing application logons:

Creating logons from templates: Adding Windows Applications; Adding Web Applications; Adding Host/Mainframe Applications; Add Application dialog box

Distributing logons: Distributing Predefined Application Logons; Administration and Management; Overriding Settings Objects


How the Agent uses aelist.ini

The file that results from the merge, aelist.ini, contains all the information necessary to identify and respond to logon and password change events for all configured applications. This information comprises:

- Application-type settings, such as Error Loop settings, for example, how many times the agent will retry a logon within the specified time period.
- Application-specific configuration information, for example, application executable name or Web site URL, password change behavior, Password Policies, Error Loop settings, and data file extension.
- Scenario-specific configuration information for the Logon and Password Change scenarios, for example, window dialog title strings, form names, and locations for credentials.
- Dialog-specific matching settings (for example, that a string or control is or is not present).
- Other settings (for example, the name of a third or fourth field).

The merged file, aelist.ini, has a hierarchical structure, containing all the information necessary for the agent to uniquely identify and respond to logon and password change events for each configured application. It organizes logons in sections and subsections as follows:

[*Other Apps]
Section1=Application logon 1
Section2=Application logon 2
...
    This section references two administrator-defined Windows applications defined later in the file. See Adding Windows Applications for details.

[*Mainframe]
Section1=Host logon 1
Section2=Host logon 2
...
    This section references two host/mainframe applications defined later in the file. See Adding Mainframe applications for details.

[*Shared Groups]
Section1=Shared Group 1
Section2=Shared Group 2
...
SectionN=Shared Group N
...
    This section references the groups used for password sharing. See Creating password sharing groups for details.

[*PasswordPolicies]
...
    This section enables Password Policies. See Setting Password Policies for details.

The application configurations in entlist.ini allow the agent to automatically recognize and respond to logon and password-change requests from applications specific to your organization.

The agent downloads the entlist object from the remote repository (if one is available) to an entlist.ini file, and then combines that downloaded or local entlist.ini with the logons IBM supplies in applist.ini to create aelist.ini, the complete list of predefined applications available to users. (If entlist.ini is not present, the agent uses applist.ini.)

Note: Because IBM provides updates to applist.ini, it is strongly recommended that you make no changes to applist.ini: future TAM E-SSO releases may overwrite your applist.ini changes, and IBM provides no guarantees that future releases will support changes you make to applist.ini. Put organization-specific logons in entlist.ini instead.
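The merge described in the two sections above (entlist.ini, or the remote SSOentlist object that overrides it, combined with applist.ini into aelist.ini; applist.ini used alone when neither exists), as an added example. This is not IBM's code and not the Agent's real implementation: the page says the files are combined but does not say which side wins when both define the same application, so taking the organization's entlist definition (the same precedence the page describes for administrator configurations over user logons) is an assumption, as is renumbering the SectionN entries of index sections after the merge. The three INI texts are constructed samples with made-up field identifiers. One consequence worth keeping in mind: entlist.ini decides which windows and URLs the Agent will type credentials into, so write access to the SSOentlist object, the share that carries it, and the local file is an administrative privilege.

```python
"""Added example, not IBM's code and not the Agent's real implementation: a model of
how aelist.ini is produced from applist.ini plus entlist.ini (or the remote
SSOentlist object), as described in the sections above.

Assumptions (not stated on the page): both files parse as plain INI; a section
defined in both files is taken from the organization's entlist side; index
sections such as [*Other Apps] are renumbered after the merge. The INI contents
below are constructed samples with made-up field identifiers."""
import configparser
import io

# Constructed sample: IBM-supplied predefined logons (treat as read-only).
APPLIST_INI = """\
[*Other Apps]
Section1=Network Logon

[Network Logon]
WindowTitle=Connect to Server
Username=1001
Password=1002
"""

# Constructed sample: logons exported from the Administrative Console.
ENTLIST_INI = """\
[*Other Apps]
Section1=Siebel Sales

[Siebel Sales]
WindowTitle=Siebel Sales Logon
Username=101
Password=102
"""

# Constructed sample: a newer SSOentlist object from the directory or file share.
REMOTE_SSOENTLIST = """\
[*Other Apps]
Section1=Siebel Sales
Section2=Network Logon

[Siebel Sales]
WindowTitle=Siebel Sales 7 Logon
Username=201
Password=202

[Network Logon]
WindowTitle=Connect to Corp Server
Username=1001
Password=1002
"""


def parse_ini(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. WindowTitle
    cp.read_string(text)
    return cp


def ordered_unique(items):
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def choose_entlist(remote_object, local_entlist):
    """The remote SSOentlist object overrides any local entlist.ini; both may be absent."""
    return remote_object if remote_object is not None else local_entlist


def merge_aelist(applist_text, entlist_text):
    """Return the merged configuration, or None when there is no entlist at all
    (the Agent then uses applist.ini directly and writes no aelist.ini)."""
    if entlist_text is None:
        return None
    applist, entlist = parse_ini(applist_text), parse_ini(entlist_text)
    merged = parse_ini("")
    all_sections = entlist.sections() + applist.sections()
    # Index sections ([*Other Apps], [*Mainframe], ...) list logon section names as
    # Section1..SectionN; rebuild them so each logon is referenced once,
    # organization-defined logons first.
    for index in ordered_unique(s for s in all_sections if s.startswith("*")):
        names = []
        for src in (entlist, applist):
            if src.has_section(index):
                names.extend(src[index].values())
        merged.add_section(index)
        for n, name in enumerate(ordered_unique(names), start=1):
            merged[index][f"Section{n}"] = name
    # Logon sections: the organization's definition wins on a name clash (assumption).
    for section in ordered_unique(s for s in all_sections if not s.startswith("*")):
        src = entlist if entlist.has_section(section) else applist
        merged.add_section(section)
        for key, value in src[section].items():
            merged[section][key] = value
    return merged


def render(merged):
    """Serialize like an INI file (key=value, no spaces around '=')."""
    buf = io.StringIO()
    merged.write(buf, space_around_delimiters=False)
    return buf.getvalue()


if __name__ == "__main__":
    # Synchronizer present: the remote object wins over the local entlist.ini.
    print(render(merge_aelist(APPLIST_INI, choose_entlist(REMOTE_SSOENTLIST, ENTLIST_INI))))
```

With the remote object present, the merged [Network Logon] carries the remote WindowTitle rather than the one from applist.ini; with no synchronizer, the local entlist.ini is used; with neither, merge_aelist returns None, mirroring the case in which the Agent falls back to applist.ini and writes no aelist.ini.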

Preconfigured Application Templates with TAM E-SSO 5.0

The following table lists the preconfigured application logons that are included with the Administrative Console and any information that the administrator must supply before deploying the logons to the Agent.

Application                                        Logon Forms
Microsoft Word                                     Microsoft Word Logon; Microsoft Word 2000 Logon; Microsoft Word 2003 Logon
MS Dial-Up Networking                              MS Dial-Up Networking Logon (admin supplies WindowTitle)
Netscape Mail                                      Netscape Mail Logon; Netscape Mail 7.1 Logon
PKZIP                                              PKZIP Logon; PKZIP v8 Logon
Siebel Sales                                       Siebel Sales Logon; Siebel Sales Change Password
Adobe Acrobat Reader                               Adobe Acrobat Unlock
ICQ                                                ICQ Logon - Registration; ICQ Logon
Meeting Maker                                      MM 7.3 Logon; MM 5.5.2 Logon; MM 8.0 Logon
WinZip                                             WinZip Set Password Confirm; WinZip Set/Use Password; WinZip 9.0 Decrypt File(s) Password
Yahoo! Messenger                                   Yahoo! Messenger Logon
Oracle                                             Oracle Logon; Oracle 10g SQL*Plus Logon
MS SQL                                             MS SQL Logon
Novell GroupWise                                   Novell GroupWise Logon; Novell GroupWise 6.5 Logon
Microsoft FrontPage                                Microsoft FrontPage Logon
Visual SourceSafe                                  VSS Logon; VSS Change Password
OpenNetwork Directory Smart                        OpenNetwork Directory Smart Logon (admin supplies URL)
Oblix NetPoint                                     Oblix NetPoint Logon (admin supplies URL)
Citrix ICA Client/Program Neighborhood (2-field)   CICA2 Logon (admin supplies WindowTitle)
Citrix NFuse Classic (2-field)                     CNFC2 Logon (admin supplies URL)
Act                                                Act Logon (admin supplies WindowTitle); Act Set Password
QuickBooks Pro                                     QBP Change Password; QBP Logon
QuickBooks Pro (Password-Only)                     QBPPO Change Password; QBPPO Logon
Lotus Organizer                                    Lotus Organizer Logon (admin supplies WindowTitle)
Citrix Program Neighborhood Agent (3-field)        CPN3 Logon
GoldMine                                           GoldMine Logon; GoldMine Change Password
Citrix NFuse Classic (3-field)                     CNFC3 Logon (admin supplies URL)
Citrix Program Neighborhood Agent (2-field)        CPN2 Logon
Citrix ICA Client/Program Neighborhood (3-field)   CICA3 Logon (admin supplies WindowTitle)
AIM                                                AIM Logon
Eudora                                             Eudora Logon; Eudora Change; Eudora Confirm
Lotus Notes                                        Lotus Notes
Microsoft Outlook                                  Logon; Change Password
Microsoft Outlook 2003                             Logon; Change Password
MSN Messenger                                      MSN Messenger Logon
Windows Logon                                      WL MPR Logon; WL MPR Change Password; WL WinLogon Logon; WL WinLogon Change Password
ICQ 4.0                                            ICQ 4.0 Logon (Password Only)


General Guidelines for Setting Up Applications

Setting up and configuring applications is easiest under the following conditions:

- Have the target applications on the same computer as the Administrative Console.
- Minimize the number of other applications running during configuration.
- To facilitate creating and testing application configurations:
  – Configure your computer not to use a synchronizer extension.
  – When the application logon request causes the Agent to respond, tell the Agent to ignore it.
  – In the Administrative Console, create the application configuration and then use Export Apps to Agent (on the Tools menu) to overwrite the local entlist.ini file.
  – Keep Logon Manager visible, and select Refresh whenever you finish exporting from the Console.
  – Bring up the application logon dialog to see if your new configuration works properly within the agent.

Adding Windows applications

The easiest, and most precise, way to configure Windows applications is by using the Windows Form Wizard.

Before you begin Windows logon configuration, refer to the General Guidelines for configuring applications.


Adding Web Applications

TAM E-SSO detects and responds to logon and password-change requests for predefined Web applications. Much like Windows and host/mainframe applications, administrators define Web applications by including a section in entlist.ini.

The agent recognizes specific strings of data at specified locations within the HTML code of a Web page. This data tells the agent how to detect the Web site's logon and password-change screens, where to enter the user credentials, and how to submit those credentials.

The easiest, and most precise, way to configure Web applications is by using the Web Form Wizard. Before you begin this procedure, refer to the General Guidelines for configuring applications.

Notes:

- Web applications can have the logon and password change forms on the same page, on different pages within the same URL, or at different URLs. Furthermore, logons can be in the same form at different URLs or on different forms at different URLs.
- If you add a configuration for a site where the user has already added a logon to their local store, your new configuration overrides the user's. The user will need to re-enter credentials for this application. The user can still view the old logon in Logon Manager.


Adding Host/Mainframe Applications

TAM E-SSO provides single sign-on functionality to host/mainframe applications through host emulators that

- implement HLLAPI (high-level language application programming interface), or
- have a built-in scripting language that can display a dialog.

The host emulator enables an end user to connect the Windows workstation to a mainframe, AS/400, OS/390, Unix, or other host-based session. TAM E-SSO recognizes a terminal screen by looking for specific strings of data at specific screen locations.

In order for host emulators to be recognized by TAM E-SSO, mainframe support must be enabled:

- The Administrator can enable mainframe support as an administrative override by selecting MFEnable in the Host/Mainframe Apps dialog in the Console.
- If the Administrator has not enabled (or disabled) mainframe support as an override, the end user can enable support within the TAM E-SSO agent by selecting Enable Mainframe Support on the Mainframe tab of the Settings dialog box. Refer to the TAM E-SSO User Guide for more information.

All host/mainframe applications must be predefined by the Administrator: the TAM E-SSO end user has no means to define host/mainframe applications. The Administrator must also configure the host emulators themselves in order for TAM E-SSO to recognize them. An application logon created using one host emulator is usable by any host emulator. See Configuring Host Emulators for information on configuring TAM E-SSO-supported emulators.

Notes:

- For multi-screen logons, you must create an application form for each screen.
- Logon creation is easiest using a host emulator that allows you to select text and displays the row and column coordinates of your selection.
- For information on how to configure an emulator that does not support HLLAPI but does have a scripting language, contact IBM.
- For emulators that neither implement HLLAPI nor have a scripting language, you can, in some cases, configure the host/mainframe application as a Windows application (to detect the form by its window title) and use SendKeys to supply user credentials. See Adding Windows Applications: Special Issues for more information.


Adding Java applications and applets

You can configure Java application logons and Java applet logons (in Web pages) by using the Windows Form Wizard. The procedures for creating and deploying logons are generally identical for Java and Windows applications.

Before you begin Java logon configuration, refer to the General Guidelines for configuring applications.

Important Note: In order for the Agent to detect and use Java application logons, the Java Runtime Environment (JRE), version 1.3 or later, must be installed on the workstation before installing TAM E-SSO. If the JRE is not already present when TAM E-SSO is installed, the Agent's Java Helper component is not available for installation.


Adding Telnet Applications

TAM E-SSO supports Telnet sessions using HLLAPI (high-level language application programming interface) implemented by a mainframe/host emulator. The emulators TAM E-SSO currently supports for Telnet with HLLAPI are ScanPak Aviva and NetManage Rumba.

Configuring a logon for a Telnet application is essentially identical to adding host/mainframe applications generally, but with these exceptions:

- Host applications generally display text captions and data fields in fixed positions, which lets TAM E-SSO detect a screen as a logon form using text matching and absolute row/column coordinates. By contrast, a Telnet application, including its logon screen, appears in a scrolling text window. The screen position of the text caption for TAM E-SSO to match (and begin the logon) should be set as a row number relative to the cursor (negative for above, positive for below) and an absolute column number; see the example below. If one or both of the caption's coordinates are unpredictable, you can use an asterisk (*) for the row setting to match text in any row (and a fixed column), for the column setting to match text in any column (and a row relative to the cursor), or for both settings to match text anywhere on screen. Wildcards widen the match, so pair a wildcarded caption with at least one other caption; otherwise any screen that happens to contain the text is treated as the logon form and receives the credentials.
- When it supplies credentials for a Telnet logon, TAM E-SSO ignores the row and column coordinate settings for field matching. However, the settings must be present in the logon configuration. Use 1 as the value for both row and column coordinates for all credential fields in a Telnet logon.
- To ensure that the Telnet logon credentials are filled in properly, TAM E-SSO has timing logic. The Delay Field setting (on the Options tab for configuring a host/mainframe logon form) indicates the time in milliseconds that the Agent should pause between each action, for example, when entering a value into a field.

See Configuring Host Emulators for additional information on HLLAPI configuration.

To add a new Telnet application logon

The easiest, and most precise, way to configure Telnet applications is by using the Host/Mainframe Form Wizard. Before you begin this procedure, refer to the General Guidelines for configuring applications.

To configure a Telnet application logon manually

The following procedure describes the steps for manually configuring or modifying a Telnet logon. Refer to the specific dialogs and controls for more information. Before you begin this procedure, refer to the General Guidelines for configuring applications.

1. Start the application and configure the host emulator.
2. In the Console, do one of the following:
   - Create a new host/mainframe application logon.
   or
   a. In the left pane, click Applications and select a host/mainframe application.
   b. Click the General tab in the right pane.
   c. Select a logon form from the list and click Edit.
   The Host/Mainframe form-configuration dialog appears, displaying the General tab.
3. In the General tab:
   a. Specify one or more Text Matching captions, so that this page can be identified uniquely from other pages. Specify the identifying Text string of the caption and its starting Row and Column numbers.
      - The row numbers should be relative to the current cursor position and can be negative integers. See the example below.
      - The column number is an absolute position.
      - You can also use an asterisk (*) for the row or column as a wildcard.
   b. Specify the Fields for credentials. Click Edit (under Fields) to display the SendKeys (Host/Mainframe) dialog box. Select each field, and set the Row and Column for each field to 1. If needed, specify any additional keystrokes that should follow each field entry.
4. If the terminal response time requires a pause between credential field entries, select the Options tab and type the number of milliseconds to pause in Delay Field.
5. Repeat the steps above for each additional logon form.
6. To add Password Change information, repeat the process with the Password Change tab and the password change dialog(s) in the target application.


Text matching example

Since the text in a Telnet application scrolls, the row positioning must be set relative to the cursor's row, which is always row 1. Therefore the row coordinate for a caption ("Welcome to VAX/VMS V6.1") that is two rows above the cursor is -2. The column setting of the start of the caption text is an absolute coordinate; in the example here, 9.

Row#   Screen text (column ruler above; _ marks a space)
                1         2         3
       123456789012345678901234567890123
-4
-3
-2     ________Welcome_to_VAX/VMS_V6.1_
-1
 1     Username:_
 2
 3
 4

For TAM E-SSO to identify this sample screen, you could set these text matching criteria (using the Text Matching dialog box):

Match 1
  Text    Welcome to VAX/VMS V6.1
  Row     -2
  Column  9

Match 2
  Text    Username:
  Row     1
  Column  1
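The matching rule from the Telnet section and the example above (rows relative to the cursor with the cursor row as row 1 and no row 0, absolute 1-based columns, * as a wildcard for either coordinate, all captions required), as an added example that is not IBM's code and not the Agent's implementation. It assumes the emulator screen is already available as a list of text rows plus the cursor row's index, which is what HLLAPI screen capture would supply; the VAX/VMS screen is constructed from the page's sample, and the second screen is constructed to show why a single "Username:" caption is too weak a match.

```python
"""Added example, not IBM's code: a model of the Telnet text-matching rule from the
page. A screen is a list of text rows; the cursor row is row 1, rows above it are
-1, -2, ... and rows below it 2, 3, ...; columns are absolute and 1-based; '*'
matches any row or any column. Screens below are constructed samples."""

# Constructed sample screen from the page: the caption starts at column 9 of the
# row two lines above the cursor; "Username:" starts at column 1 of the cursor row.
SAMPLE_SCREEN = [
    "",
    "",
    "        Welcome to VAX/VMS V6.1 ",
    "",
    "Username: ",
    "",
    "",
    "",
]
SAMPLE_CURSOR_INDEX = 4  # 0-based index of the cursor row in SAMPLE_SCREEN

# Constructed sample of a different screen that also shows a "Username:" prompt.
OTHER_SCREEN = ["Username: ", ""]
OTHER_CURSOR_INDEX = 0

# The two criteria from the page's Text Matching example.
MATCH_CRITERIA = [
    {"text": "Welcome to VAX/VMS V6.1", "row": -2, "column": 9},
    {"text": "Username:", "row": 1, "column": 1},
]


def relative_row_to_index(row, cursor_index):
    """Map a page-style row number to a 0-based list index.

    Row 1 is the cursor row and there is no row 0: rows 2, 3, ... are below
    the cursor, rows -1, -2, ... above it."""
    if row == 0:
        raise ValueError("row 0 does not exist; the cursor row is row 1")
    return cursor_index + (row - 1 if row > 0 else row)


def caption_matches(screen, cursor_index, text, row, column):
    """True if `text` starts at the given row/column of `screen`.

    row and column may each be '*', meaning any row / any column."""
    if row == "*":
        candidates = range(len(screen))
    else:
        idx = relative_row_to_index(int(row), cursor_index)
        if not 0 <= idx < len(screen):
            return False  # caption would lie outside the captured screen
        candidates = [idx]
    for idx in candidates:
        line = screen[idx]
        if column == "*":
            if text in line:
                return True
        else:
            start = int(column) - 1
            if start >= 0 and line[start:start + len(text)] == text:
                return True
    return False


def screen_is_logon_form(screen, cursor_index, criteria=MATCH_CRITERIA):
    """Every configured caption must match before the screen is treated as the
    logon form (and credentials are sent)."""
    return all(caption_matches(screen, cursor_index, c["text"], c["row"], c["column"])
               for c in criteria)


if __name__ == "__main__":
    print("sample screen matches:", screen_is_logon_form(SAMPLE_SCREEN, SAMPLE_CURSOR_INDEX))
    print("other screen matches :", screen_is_logon_form(OTHER_SCREEN, OTHER_CURSOR_INDEX))
```

Shifting the cursor index by one (the window has scrolled) makes the relative-row match fail, which is the behaviour the page's relative coordinates are designed to survive; the OTHER_SCREEN case shows that a criteria list reduced to the "Username:" caption alone would accept a screen that is not the VAX/VMS logon.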


First Time Use (Bulk-Add)

After the initial product installation, the First-Time Use Wizard requests various items of information to complete the setup process. If multiple authenticators are installed, the user is prompted to choose a Primary Logon Method. In addition, TAM E-SSO can also prompt the user for application usernames/IDs and passwords to quickly populate the user's store.

The configuration settings for the First-Time Use Wizard are specified in the ftulist.ini file. End users can be prompted to provide credentials (username/ID, password, third field) for their existing logons. Combining first-time use configuration with predefined logons ensures that users reap the benefits of single sign-on immediately after installation. Alternatively, users can configure their individual logons as they encounter each application.

Note: All TAM E-SSO configuration files (including entlist.ini and ftulist.ini) can only be created and edited using the Administrative Console.


Using and Creating Templates


Preconfigured application logons for many popular Windows applications are included with Administrative Console in the form of templates that contain all or part of the logon's configuration. You can also convert the application logons that you create with Administrative Console into templates.

Templates provide two practical benefits for creating and managing pre-configured logons:

• You can store, share, and reuse a group of specific logon settings as a "starter set" for creating new logons based on the template. Your templates appear as options in the Add Application dialog box.

• If you make changes to a template's source logon, you can easily apply your changes to any logons based on that template, by using the Update Applications command on the Tools menu.

You create a template by:

• Selecting an existing application logon with the Manage Templates dialog box (from the Tools menu).

• Choosing the logon settings (for the application and for individual forms) that you want to be able to override later; use the Overriding Settings tab in the Edit Template dialog box (click Edit in the Manage Templates dialog). For Web and Windows applications, you can also choose a setting that the template user must provide in order to complete the logon configuration (on the Supply Info tab).

• Saving the current file to the Templates folder under the Console's program directory (typically, this is C:\Program Files\Passlogix\Administrative Console\Templates).

You use a template to create a logon by selecting it from the Applications drop-down list in the Add Application dialog box. You are prompted if additional information is needed to complete the configuration.

You can update application logons with any changes made in their originating template. Open the Console XML file containing the applications and choose the Update Applications command from the Tools menu.


Managing User Data

Setting Password Policies


TAM E-SSO allows administrators to set policies that control automatic password generation. Password policies simplify user logons while ensuring the organization's security.

Most applications have constraints for passwords: how long they can or must be, whether you can use numbers or symbols, and so on. TAM E-SSO's password-generation feature improves application logon security by automatically creating passwords made up of random characters according to predefined sets of constraints, stored as password policies. Each policy can apply to multiple applications, or subscribers.

Using predefined password policies, you can completely automate password changes and implement sophisticated security schemes, including complex passwords, frequent password changes, and application-specific passwords unknown to users.

Note: If the policy you create makes a password difficult or impossible, TAM E-SSO will try to create a password for up to five seconds and then notify the user that it was unable to generate a password. You can preview the passwords a particular policy generates using the Test Password Policy dialog box.

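An added Python example (not from the IBM documentation) modelling what a policy-driven generator has to do: draw random candidates from a CSPRNG, check them against the constraints, and return a failure signal after the five-second limit the note describes, plus a preview function in the spirit of the Test Password Policy dialog. The constraint field names are assumptions for the example, not TAM E-SSO's actual policy settings.

```python
import secrets
import string
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordPolicy:
    """A set of constraints of the kind a TAM E-SSO password policy holds.

    The field names are assumptions for this example, not the product's settings."""
    min_length: int = 8
    max_length: int = 12
    min_uppercase: int = 1
    min_lowercase: int = 1
    min_digits: int = 1
    min_special: int = 0
    allowed_special: str = "!@#$%^&*"
    excluded: str = ""       # characters the application rejects anywhere
    max_repeat: int = 2      # longest run of one repeated character (0 = unlimited)


def alphabet(policy: PasswordPolicy) -> str:
    """Characters a generated password may be drawn from."""
    chars = string.ascii_letters + string.digits + policy.allowed_special
    return "".join(c for c in chars if c not in policy.excluded)


def complies(password: str, policy: PasswordPolicy) -> bool:
    """True if the password satisfies every constraint of the policy."""
    if not policy.min_length <= len(password) <= policy.max_length:
        return False
    if any(c in policy.excluded for c in password):
        return False
    if sum(c.isupper() for c in password) < policy.min_uppercase:
        return False
    if sum(c.islower() for c in password) < policy.min_lowercase:
        return False
    if sum(c.isdigit() for c in password) < policy.min_digits:
        return False
    if sum(c in policy.allowed_special for c in password) < policy.min_special:
        return False
    if policy.max_repeat:
        run = 1
        for prev, cur in zip(password, password[1:]):
            run = run + 1 if cur == prev else 1
            if run > policy.max_repeat:
                return False
    return True


def generate(policy: PasswordPolicy, timeout_s: float = 5.0) -> Optional[str]:
    """Draw random candidates until one complies.

    Returns None once timeout_s has elapsed, mirroring the agent giving up after
    five seconds and telling the user it could not generate a password."""
    pool = alphabet(policy)
    if not pool or policy.min_length > policy.max_length:
        return None
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        length = policy.min_length + secrets.randbelow(policy.max_length - policy.min_length + 1)
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if complies(candidate, policy):
            return candidate
    return None


def preview_policy(policy: PasswordPolicy, count: int = 5) -> List[str]:
    """Preview passwords a policy produces, as the Test Password Policy dialog does."""
    previews = []
    for _ in range(count):
        candidate = generate(policy, timeout_s=1.0)
        if candidate is not None:
            previews.append(candidate)
    return previews
```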


Creating password sharing groups

Password sharing groups let users automatically apply a password change made in one application to other specified applications.

When TAM E-SSO handles a password change for any application that is a member of the sharing group, it automatically applies the password change to all other group members. Any number or combination of Windows, mainframe/host, and Web applications can share a single password. If the Windows (Domain) or Directory Server (LDAP) authenticator is used, selected applications can share a single password with the authenticator as well.

For example, an enterprise might have a new web interface to an old mainframe application. One way to share the password between these two is to use a password sharing group. Some applications share a common password (for example, an Intranet application and an E-Mail application). These applications should be in the same password sharing group.

See Password Sharing Groups for the procedures for creating and managing sharing groups.

Notes:

• The Windows authenticator password is in a predefined group named Domain.

• The LDAP Directory Server authenticator is in a predefined group named LDAP.

The Administrative Console does not currently support adding predefined applications (those included in the default configuration file applist.ini) to password sharing groups. You will need to do this manually by creating identically-named sections in entlist.ini (the custom-application configuration file) that identify the sharing group. The following example adds Microsoft Outlook to the password sharing group OurServer.

Example:

[Microsoft Outlook]
Group=OurServer
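The manual step above done programmatically, as an added Python example that is not from the IBM documentation: the entlist.ini section must be named exactly like the predefined application's applist.ini section, so the helper checks that before writing the Group= key, and a second function models how a change in one group member is applied to the others. The applist.ini and entlist.ini samples and their Description key are constructed.

```python
import configparser
from typing import Dict, List

# Constructed sample of the IBM-supplied applist.ini (predefined applications; never edited).
APPLIST_INI = """
[Microsoft Outlook]
Description=Outlook logon

[Intranet Portal]
Description=Intranet web logon
"""

# Constructed sample of the enterprise's own entlist.ini before the change.
ENTLIST_INI = """
[Legacy Mainframe]
Group=HostPwd
"""


def _load(ini_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep key spelling such as "Group" as written
    cp.read_string(ini_text)
    return cp


def add_to_sharing_group(applist_text: str, entlist_text: str, app: str, group: str) -> str:
    """Return entlist.ini text with an identically-named section placing app in group.

    The section name must match the applist.ini section exactly; a misspelt name
    would create a section the agent never associates with the predefined logon."""
    applist = _load(applist_text)
    if not applist.has_section(app):
        raise KeyError(f"{app!r} is not a predefined application in applist.ini")
    entlist = _load(entlist_text)
    if not entlist.has_section(app):
        entlist.add_section(app)
    entlist.set(app, "Group", group)
    lines = []
    for section in entlist.sections():      # write Key=Value without spaces, as on the page
        lines.append(f"[{section}]")
        for key, value in entlist.items(section):
            lines.append(f"{key}={value}")
        lines.append("")
    return "\n".join(lines)


def sharing_groups(entlist_text: str) -> Dict[str, str]:
    """Map application -> sharing group for every entlist.ini section with a Group= key."""
    cp = _load(entlist_text)
    return {s: cp.get(s, "Group") for s in cp.sections() if cp.has_option(s, "Group")}


def propagate_password_change(store: Dict[str, str], groups: Dict[str, str],
                              changed_app: str, new_password: str) -> List[str]:
    """Model the agent's behaviour: one member's change is applied to every member of its group.

    Returns the applications whose stored password was updated."""
    group = groups.get(changed_app)
    members = [a for a, g in groups.items() if g == group] if group else [changed_app]
    for app in members:
        store[app] = new_password
    return sorted(members)
```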



User Credentials and Settings

TAM E-SSO stores user credentials locally in the ...\Application Data\Passlogix folder. Global agent settings are stored in the Local Machine registry key (HKLM); settings modified by the user are stored in the Current User registry key (HKCU).

TAM E-SSO can also perform a complete backup of credentials and settings to a file (.bkv). The backup can be performed manually by the user, or automatically by administrative configuration. For details on this feature, see File-Based Backup/Restore.

TAM E-SSO can also synchronize individual user credentials with remote sources, including file systems, databases, and directory servers. These remote sources can provide the agent with application logons, first-time-use (setup) information and administrative overrides (global agent settings). For details on this feature, see Synchronization.


File-Based Backup/Restore


If the backup/restore module is installed, the Administrative Console can perform a complete backup/restore of user credentials and settings to/from another location. The backup/restore can be performed manually (by the user) or automatically (by administrative configuration). Also, a selective backup/restore (writing the newer information over the older information) can be performed automatically (by administrative configuration).

Note: If the Backup/Restore module is installed, the user can perform a manual backup, store to any location (even a floppy drive), and select any password (even a one-character password).


Synchronization

TAM E-SSO synchronizer extensions let you synchronize credentials between an end user's local store (on a workstation) and a store in a remote SSO repository (file system share, relational database or directory server). You can also use these extensions to deploy Administrative Overrides of local Agent settings, application logon configurations (overriding entlist.ini and to be merged with applist.ini), and bulk-add lists (overriding ftulist.ini). See Overriding Settings for more information.

Synchronizer extensions can communicate with directory servers, database servers, file systems, and other storage devices. Each type of extension has its own configuration issues. The extensions included with TAM E-SSO support:

• Microsoft Active Directory server, including Application Mode.

• An LDAP-compliant directory server, including IBM Tivoli Directory Server, Novell eDirectory, Oracle Directory Server, Sun Java System Directory Server 5.1, Critical Path Directory Server, and OpenLDAP Directory Server.

• Relational databases, including Microsoft SQL Server, IBM DB2 and Oracle 9i/10g.

• Network file systems.

The synchronizer extensions are capable of performing the following tasks:

• Connecting to (or binding with) a destination device/resource/store

• Retrieving any overriding settings (Administrative Overrides, application configuration information, and first-time use configuration information)

• Synchronizing the local user store (credentials) with the remote store


TAM E-SSO supports using each extension multiple times, which allows you to support multiple configurations. For example, if the LDAP Directory Server and File System synchronizer extensions are installed, the agent will synchronize credentials with, and download overriding settings from, both an LDAP Directory Server and a File System. See Multiple Synchronizer Extensions for more information about the procedures.


Directory Server Synchronization Support

Administrative Console supports any LDAP directory server, including:

• IBM Tivoli Directory Server

• Microsoft Active Directory (including Application Mode)

• Novell eDirectory

• Oracle Directory Server

• Sun Java System Directory Server 5.1

• Critical Path Directory Server

• OpenLDAP Directory Server

TAM E-SSO uses directory server resources for administrative configuration, mobility, and backup. Administrators can deploy configuration overrides to provide new registry, entlist.ini, and ftulist.ini (bulk-add) settings or to update existing settings. Users can store credentials (for backup) and move among multiple computers (for mobility). When TAM E-SSO connects to a directory server, it utilizes a specific directory structure to determine where the user's credentials and overriding settings reside.

Note: Each Directory Server presents platform-specific configuration issues. These are addressed in the individual configuration topics.


Directory Structure

Within each directory, TAM E-SSO utilizes the following object structure:

[Diagram: directory object structure]

When a user first connects to a directory server, the computer is configured to locate a specific path on the directory tree. Using the process described below, the Agent is able to find the SSOConfig object, which contains overriding settings, and a People object, which contains the user's settings, preferences, and credentials.


File System Synchronization Support

Administrative Console supports file system synchronization with any network drive/device that can be addressed by UNC (Universal Naming Convention). File system synchronization can also be used to support a kiosk user scenario, where multiple users share a single workstation.

File System Structure

Within each file system, TAM E-SSO utilizes the following object structure:

[Diagram: file system object structure]

When a user first connects to the file system, the computer is configured to locate a specific path. The Agent is then directed to find the SSOConfig object, which contains overriding settings, and a People object, which contains the user's settings, preferences, and credentials.


Database Synchronization Support

Administrative Console supports synchronization of user credentials, application logons, and global agent settings between client workstations and a relational database server. Supported servers include Microsoft SQL Server 2000, IBM DB2, and Oracle 9i/10g.

In this type of synchronization, TAM E-SSO configuration objects and user data containers are stored on the server as database records in TAM E-SSO-specific tables:

SSO_ADMIN stores, as records, the configuration objects you create in the Console: EntList (application logons), FTUList (Setup Wizard configurations), and AdminOverride (Global Agent Settings). During synchronization, all workstation users read their logons and overrides from this table; only the administrator (using the Console) can write to it. These configuration objects are depicted in the Console in the same hierarchical layout as for file system and directory server synchronizers.

SSO_USERS stores user credentials, preferences, and synchronization states as records. During synchronization, users read and write to their own records; only the record for the user currently logged in can be accessed. In the Console, the records for each user are depicted within the user container.

When TAM E-SSO connects to the database server, it reads the configuration objects and overriding settings (from SSO_ADMIN) and synchronizes the user data (in SSO_USERS).

The procedure for configuring database synchronization is similar to that for other synchronization methods.

• The first step is to extend the database schema to create the two tables described above.

• The second step is to create the container objects: an SSOConfig object, which contains overriding settings, and a People object, which holds the user containers for each user's settings, preferences, and credentials.


Multiple Synchronizer Support

TAM E-SSO supports synchronizing to multiple synchronizer extensions and multiple configurations of the same extension. In either scenario, the Agent attempts to complete synchronization with the first extension and then with each subsequent extension.

Overriding settings can exist on each extension. See Handling Multiple Sets of Overriding Settings for an explanation of how the agent handles multiple extensions with overriding settings.

Note: References to %AD%, %LDAP%, and %File% refer to the respective extensions, and %Extension% refers to any of those extensions.


Configuration Objects


Synchronizer extensions can download overriding configurations for global agent settings (Administrative Overrides), application configuration information (EntList), and first-time use scenarios (FTUlist). Each of these objects has a local equivalent:

| Settings type | Local equivalent | Directory Server/Database object name | File System object name |
|---|---|---|---|
| Administrative Overrides | Registry entries under HKLM | SSOAdminOverride | AdminOverride |
| Application logon configuration information | The entlist.ini file | SSOentlist | entlist |
| First-time-use configuration information (including bulk-add information) | The ftulist.ini file | SSOftulist | ftulist |

The latter two types of objects are similar in format/layout to their local equivalents, entlist.ini and ftulist.ini. The first type of object has the following syntax:

[HKLM\Software\Passlogix]
REQUIRED: RegistryPath\RegistryPath:KeyName=TYPE:Value

This format is exported by TAM E-SSO Console.

Example:

[HKLM\Software\Passlogix]
Shell:AutoBackupPath=STRING:\\FS\Home
Shell:ShowAccessBtn=DWORD:1
Extensions\AccessManager:ReauthOnReveal=DWORD:0

Note: In directory server installations, this configuration information can be enabled with support for role group-based access.

Handling Multiple Sets of Overriding Settings

The Agent attempts to retrieve each type of overriding settings from each extension until it finds an extension that has at least one of each; once an overriding setting is downloaded, the agent does not query other extensions for that overriding setting.
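The AdminOverride syntax shown above and the first-hit rule just described, as one added Python example that is not part of the IBM documentation: it parses AdminOverride text into typed HKLM entries and picks each object type (AdminOverride, entlist, ftulist) from the first extension in sync order that offers it, so a later extension's differing copy is never fetched. The sync order, the objects each extension holds and the LDAP/File sample contents are constructed.

```python
import re
from typing import Dict, List, Tuple

# One override line: RegistryPath\RegistryPath:KeyName=TYPE:Value
_OVERRIDE_LINE = re.compile(r"^(?P<path>[^:=]+):(?P<key>[^=]+)=(?P<type>[A-Z]+):(?P<value>.*)$")

# Sample AdminOverride object, built from the page's example lines.
ADMIN_OVERRIDE_AD = r"""[HKLM\Software\Passlogix]
Shell:AutoBackupPath=STRING:\\FS\Home
Shell:ShowAccessBtn=DWORD:1
Extensions\AccessManager:ReauthOnReveal=DWORD:0
"""

# Constructed sync order: which override objects each extension happens to hold.
# %LDAP% carries a conflicting ShowAccessBtn value; the first-hit rule means it is never used.
SYNC_ORDER = [
    ("%AD%", {"AdminOverride": ADMIN_OVERRIDE_AD}),
    ("%LDAP%", {"AdminOverride": "[HKLM\\Software\\Passlogix]\nShell:ShowAccessBtn=DWORD:0\n",
                "entlist": "[Intranet Portal]\nGroup=OurServer\n"}),
    ("%File%", {"ftulist": "; constructed placeholder ftulist content\n"}),
]

OBJECT_TYPES = ("AdminOverride", "entlist", "ftulist")


def parse_admin_override(text: str) -> List[Tuple[str, str, object]]:
    """Turn AdminOverride text into (full HKLM path, value name, typed value) entries."""
    entries = []
    root = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            root = line[1:-1].replace("\\ ", "\\")   # tolerate "[HKLM\Software\ Passlogix]" spacing
            continue
        m = _OVERRIDE_LINE.match(line)
        if m is None or root is None:
            raise ValueError(f"unparseable override line: {raw!r}")
        if m["type"] == "DWORD":
            value = int(m["value"], 0)               # decimal or 0x-prefixed hex
        elif m["type"] == "STRING":
            value = m["value"]
        else:
            raise ValueError(f"unsupported TYPE {m['type']!r} in {raw!r}")
        entries.append((root + "\\" + m["path"], m["key"], value))
    return entries


def resolve_overrides(sync_order) -> Dict[str, Tuple[str, str]]:
    """Apply the first-hit rule: each object type comes from the first extension that has it.

    Once a type has been downloaded, later extensions are not queried for it."""
    chosen: Dict[str, Tuple[str, str]] = {}
    for ext_name, objects in sync_order:
        for obj_type in OBJECT_TYPES:
            if obj_type not in chosen and obj_type in objects:
                chosen[obj_type] = (ext_name, objects[obj_type])
    return chosen


def effective_registry(sync_order) -> Dict[Tuple[str, str], object]:
    """Registry values the agent would end up applying under HKLM."""
    chosen = resolve_overrides(sync_order)
    if "AdminOverride" not in chosen:
        return {}
    _, text = chosen["AdminOverride"]
    return {(path, key): value for path, key, value in parse_admin_override(text)}
```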

Event Logging

The topics in this section describe the Administrative Console Event Logging feature and the associated setup process. Event Logging monitors a variety of user events including:

• Agent startup/shutdown

• logon

• password changes

• credential addition, change, and deletion

• authenticator changes

• backup and restore

• credential synchronization

• settings changes

• help-system use

The Console lets you control what events are logged, where and when they are logged, and whether to maintain a local copy of the log. The addition of extensions allows for various log destinations and formats.


Event Logging: Agent Configuration

Event Logging is an optional feature of TAM E-SSO. It does not install by default.

To install Event Logging, choose Custom Install and enable the Event Manager and any Event Logging extensions you wish to use within the Extensions selection. After installation, certain parameters should be set up for Event Logging and any installed extensions.

Notes:

• Global settings are set in HKLM\...\Extensions\EventManager.

• Extension-specific settings are set in HKLM\...\Extensions\EventManager\%Extension%.

• TAM E-SSO ships with the Local (XML) File extension (LocalStorage) and the Windows Event Logging extension (WindowsEvent).


Event Logging: Server Configuration


Distributing TAM E-SSO

The topics in this section describe the options for packaging, deploying, and managing TAM E-SSO in a networked environment:

• Microsoft Windows Installer (MSI) Package

• Deployment Options

• Administration and Management

• Storing User Credentials and Settings

• File-Based Backup/Restore


Microsoft Windows Installer (MSI) Package

TAM E-SSO ships as an MSI package, a standard format used by installers from Microsoft and other vendors, and many other installers can read MSI files. For information on the contents of the TAM E-SSO Setup MSI, see MSI Package Contents.

The Microsoft Windows Installer exists as a service (Windows Installer) on all Microsoft Windows 2000/XP computers (refer to Microsoft Knowledgebase article #q255905). You can customize the MSI package to meet special requirements, such as:

• Providing custom applications and TAM E-SSO agent configurations.

• Deactivating some options or components (for example, different authenticators) before the end users install the Agent themselves.

• Adding options or components to accommodate a complex environment, for example, one using biometric security devices or having an unusual network topology.

To meet these needs, there are these options:

• Use a command-line installation

• Customize the installer package

• Include Console-created logons and Global Agent Settings in the installer

• Deploy using third-party deployment tools


Deployment Options

This section describes using the default MSI package from the following perspectives:

• Performing an installation with the shipped MSI package

• Launching the MSI package from the command line

• Remote installation

• Editing the MSI package

• Adding Console-created logons and settings to the MSI package

• Alternate tools and methods


Glossary

*nix: A common reference to all operating systems that are similar to Unix. This includes Linux, NetBSD, FreeBSD, and many others.

Access icon menu: Near the minimize button on each application, the agent can display its logo with a drop-down menu that offers access to selected menu entries (for example, logon, add application, and so on).

Access Manager: A TAM E-SSO feature, whereby the agent handles identifying applications and responding with credentials.

Active Directory (AD): Microsoft Active Directory, a Directory Server similar to LDAP Directory Servers.

applist.ini: A file containing configuration information for various online services and Web/network pop-up logon dialogs. These configurations are supplied by IBM and should not be changed.

AUI (Authentication User Interface): See "authenticator".

authenticator: An authenticator is the primary logon method to the system and/or to the agent. If the user uses the Windows, RSA Keon (TAM E-SSO: Authentication Adapter only), or Entrust authenticators (TAM E-SSO: Authentication Adapter only), logging onto the system unlocks the agent.

auto-enter: A TAM E-SSO feature, whereby the agent performs a logon after the user adds the application's credentials to the agent. This feature can be enabled/disabled on a per-user basis.

auto-recognize: A TAM E-SSO feature, whereby the agent automatically performs a logon when it recognizes an application. The user can turn this feature off for selected credentials as needed.

Backup/Restore Wizard: A TAM E-SSO feature, whereby the agent can save and restore all user data to a file.

Bulk Add: A TAM E-SSO feature, whereby the agent helps the user select a primary logon method (authenticator) and (optionally) starts the Bulk Add Wizard. Part of the FTU scenario, where a user can enter application credentials into the agent en masse. Also see "FTU".

credentials: A set of credentials consists of the user-specific information the agent needs to perform a logon. This consists of a password and one or more of: username/ID, third field, fourth field.

DAMA dialog: A TAM E-SSO feature, "Don't Ask Me Again", whereby a user can tell the agent to not prompt the user to add a Web application.

DAP ("Directory Access Protocol"): See "LDAP".


Directory Server schema: Structure/definition of objects/classes/attributes.

Directory Server: A specialized kind of database supporting a "tree" structure rather than tables. The semantic equivalents to database records are objects and the equivalents to database fields are attributes.

Disconnected mode: When a user is not connected to the network or is otherwise unable to connect to a server.

DN ("Distinguished Name"): An LDAP Directory Server notation. See "LDAP."

entlist.ini: A file containing configuration information for applications specific to an enterprise. This includes logon, password change, Password Sharing Groups, Password Policies, and other information.

Error-Loop dialog: A TAM E-SSO feature, to help prevent the user from being locked out of an application. When an application prompts the user repeatedly for logon credentials, the agent detects this and asks the user whether to keep providing credentials, to try a different set of credentials, or to stop all actions.

Event Logging: When the agent performs any action ("event"), such as starting up or providing logon credentials, that event can be recorded ("logged").

Event Viewer: A Microsoft tool that views the Windows Event Log. Start by running eventvwr.exe.

Fourth field: See "Other fields."

FTU ("First-time use"): The scenario when a user first uses the agent. Also see "Bulk Add."

ftulist.ini: A file containing the steps that are to occur when a user first uses the agent.

HKCU: HKEY_CURRENT_USER\Software\Passlogix: the primary key for storing user-specific settings.

HKLM: HKEY_LOCAL_MACHINE\Software\Passlogix: the primary key for storing computer-specific settings.

HLLAPI ("High Level Language API"): The emulator-provided standard API for an application (such as TAM E-SSO) to communicate with host emulators. See "Host emulator."

Host emulator: A program that enables a user to interact with a host. See "Host."

Host: In the context of TAM E-SSO, a host is either a Mainframe or Unix computer. The agent provides credentials to a "host emulator" that connects to the host. See "Host emulator."

LDAP ("Lightweight Directory Access Protocol"): A Directory Server protocol/standard. A TCP/IP-compatible subset of "DAP", the "Directory Access Protocol." Refer to RFC 1777 and others.

Logon Chooser: A TAM E-SSO feature, whereby the user can select from two or more sets of credentials for a given logon or password change request.

Logon Manager: A TAM E-SSO feature, whereby the user can manage (add/delete/modify/copy/review) sets of credentials.

Mainframe: High-end computer, running applications on multi-user operating systems such as AS/400 and OS/390.


mfrmlist.ini: A file containing configuration information for host emulators. These configurations are supplied by IBM and should not be changed.

mobility: The ability for the agent to access credentials from multiple desktops, whether via Windows Roaming Profiles, access to a network drive, use of a floppy, use of a directory or database, and so on.

Other fields: Applications sometimes ask for a password, a username/ID, and one or two additional fields. These fields are referred to as the "Other fields", or "Third field" and "Fourth field." The most common uses of the third field are for "Domain" or "Database."

Password Policies: A TAM E-SSO feature, whereby the user or administrator can define criteria that the agent will use to define a new, random password when performing an automatic password change. There can be multiple policies, as many as one for each predefined application. For example, one policy might generate a "PIN" (a 4-8 character password consisting of just numbers), and another policy might generate a Windows Domain password (6-127 characters, including uppercase, lowercase, numeric, and special characters).

Password Sharing Groups: When two or more applications are linked at the back end, such that changing the password for one changes the password for all, the agent needs to be configured to know this.

PKI: "Public Key Infrastructure."

Predefined Applications: Applications with configuration information listed in applist.ini and/or entlist.ini.

Primary Logon Manager: A TAM E-SSO feature, whereby the user can select a different Primary Logon Method.

reauthentication: After using the agent for a period of time, or upon certain "important" events (for example, backup/restore), the agent will ask the authenticator to confirm the same user is still using the system. At this time, the authenticator will prompt the user to authenticate again, or reauthenticate.

RFC ("Request For Comment"): Documents that define Internet standards such as LDAP, SNMP, SMTP, POP3, and HTTP.

schema: See "Directory Server schema".

SendKeys: The agent has several methods for sending credentials to applications. The first, safest, most secure, and most reliable method is directly (via Windows Events, an embedded COM object, or HLLAPI). The second method is to send the credential field in a block. The third method is to send one character at a time (if a DelayKey is specified). Specifying UseSendKeys (Windows) or AltTabKey (Host) forces the agent to use the latter methods.

Settings dialog: A TAM E-SSO feature, whereby the user can alter agent settings.



SLA (Single Logon Authentication): The Windows authenticator, where the user logs onto Windows to authenticate to the agent.

SSL "Secure Sockets Layer": Protocol for securing and encrypting data over a TCP/IP connection. TAM E-SSO uses SSL for data exchange with Directory Servers.

teaching tool: If a user wishes to add a Windows application that is not predefined, the agent provides a wizard-based tool so the user can "teach" the agent where to submit credentials. This tool is referred to generically as the "teaching tool." It functions similarly to the "Finder Tool" in Microsoft Spy++.

Template: A stored specification for a preconfigured application logon. Some templates require the administrator to supply application-specific information before the logons can be distributed to end users. Templates for many popular Windows and Web applications are provided with TAM E-SSO, and administrators can create templates from existing application logons.

Telnet: A protocol for connecting to nix computers. See "Host" and "nix."

Third field: See "Other field."

UNC "Universal Naming Convention": The Windows format for defining the full path to a file, including File System share information.

Share example: "\\Server\Share"

Path example: "\\Server\Share\Program Files\Passlogix\v-GO SSO"

Filename example: "\\Server\Share\Path\Long Filename.ext"

URL (Universal Resource Locator): The basic address of anything on the World Wide Web. A URL can consist of up to seven parts, as in https://johns:abc123@www.site.com:32/cgi-bin/path/whatever.bin?param1=123&param2istrue, where:

- https is the case-insensitive protocol name
- johns is the usually-case-sensitive username
- abc123 is the usually-case-sensitive password
- www.site.com is the case-insensitive name (or IP address) of the computer to connect to
- 32 is the port to connect to
- cgi-bin/path/whatever.bin is the path/filename of the program/page to execute/load (OS determines case-sensitivity)
- param1 and param2istrue are parameters (program determines case-sensitivity of both parameter names and values), with the first parameter having a value of 123.
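As an added example (not part of the IBM documentation), the following Python decomposes the seven-part URL from the glossary entry above using only the standard library, applies the case-sensitivity rules just listed (protocol and host folded to lower case; username, password and path kept as typed), and produces a copy with the embedded username and password removed, which is the only form that should reach event logs. The URL values are the page's own; the function names are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# The seven-part example URL from the glossary entry above.
EXAMPLE_URL = ("https://johns:abc123@www.site.com:32"
               "/cgi-bin/path/whatever.bin?param1=123&param2istrue")


def split_url(url):
    """Break a URL into the seven parts named in the glossary.

    Protocol and host are case-insensitive, so they are normalised to
    lower case; username, password and path keep their case because the
    server (or its OS) decides how to compare them.  A parameter given
    without a value (such as param2istrue) is kept with an empty value.
    """
    parts = urlsplit(url)
    return {
        "protocol": parts.scheme.lower(),
        "username": parts.username,        # None when no userinfo present
        "password": parts.password,
        "host": (parts.hostname or "").lower(),
        "port": parts.port,                # int, or None when omitted
        "path": parts.path,
        "params": parse_qs(parts.query, keep_blank_values=True),
    }


def redact_credentials(url):
    """Return the URL with any embedded username:password dropped.

    A URL carrying credentials must not be written to logs or event
    records as-is (the password would be stored in clear text); this
    returns the form that is safe to record.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if ":" in host:                        # bare IPv6 literal: restore brackets
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme.lower(), netloc, parts.path,
                       parts.query, parts.fragment))


if __name__ == "__main__":
    for name, value in split_url(EXAMPLE_URL).items():
        print(f"{name:>9}: {value}")
    print("safe to log:", redact_credentials(EXAMPLE_URL))
```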

User work modes: Users can work in several work modes, including "one workstation, one or multiple users," "frequent movement among few workstations," "frequent movement among many workstations," and "disconnected." The work mode drives how TAM E-SSO needs to be configured.

Windows Event Viewer: See Event Viewer.


XML "eXtensible Markup Language": A text formatting standard like HTML. XML documents can be viewed with Microsoft Internet Explorer. TAM E-SSO ships with an XML extension to the Event Logging API that writes to a UNC-specified file.


Chapter 3. Using the Console

Console Main Menu Commands

The table below describes the commands available on the Console main menu and the corresponding keyboard and mouse shortcuts.

When you use Administrative Console as a snap-in to Microsoft Management Console, you can access these commands by right-clicking an item in the left pane and choosing a command from the shortcut menu.

- For File menu commands, right-click TAM E-SSO (the top-level item) and point to File.
- For Edit menu commands, right-click a specific item (application logon, policy, group, or set of Settings).
- For Insert menu commands, right-click TAM E-SSO (the top-level item) and point to New.
- For Repository menu commands, right-click Repository.
- For Tools menu commands, right-click TAM E-SSO (the top-level item) and point to Tools.

File menu commands

New: Start a new configuration. Shortcut: Ctrl+N.

Open: Open a Console configuration file (XML). Shortcut: Ctrl+O.

Merge: Merge the current configuration (applications, password generation policies, password sharing groups) with a configuration file. If the merged file contains items with the same names as those in the current configuration, the Import/Merge Conflict dialog box appears; select the items to import and click OK.

Save: Save the current configuration to a file (XML). Shortcut: Ctrl+S.

Save As: Save a copy of the current configuration to a different file.

Import: Import configuration from an Administrative override object (INI) file or a registration-entries (REG) file as a new set of Global Agent Settings. Notes: If the imported file contains items (applications, policies, groups) with the same names as those in the current configuration, the Import/Merge Conflict dialog box appears. If the imported file contains a set of Global Agent Settings with the same name as an existing set in the current configuration, the imported set is named "Copy of existing settings." Shortcut: right-click Applications and choose Import, or Ctrl+I. Note: Choose Import from HKLM to import Global Agent Settings from the local-machine registry to the Console as a set named "Live."

Export: Export selected applications and all password policies and groups to an entlist.ini file (a store of application logons). Shortcut: right-click Applications and choose Export, or Ctrl+E.

Edit menu commands

Delete: Delete the item selected in the left pane. Notes: If a password policy or sharing group with subscribing applications is selected, a delete-confirmation prompt appears; click Yes to confirm or No to cancel. There is no delete-confirmation prompt for applications, global agent settings, or for unsubscribed policies or groups. Shortcut: Del.

Insert menu commands

Application: Add a new application configuration; displays the Add Application dialog box. Shortcut: right-click Applications and choose New Windows App, New Web App or New Host App.

Password Generation Policy: Add a new password generation policy; displays the Add Password Policy dialog box. Type the Policy Name and click OK. Shortcut: right-click Password Generation Policy and choose New Policy.

Password Sharing Group: Add a new password sharing group; displays the Add Sharing Group dialog box. Type the Group Name and click OK. Shortcut: right-click Password Sharing Group and choose New Group.

Global Agent Settings: Add a new group of Global Agent Settings; displays the Add Set of Settings dialog box. Type the Set of Settings Name and click OK. Shortcut: right-click Global Agent Settings and choose New Settings.

Synchronizer: Add synchronizers or change the search order; displays the Synchronizers dialog box. Shortcut: right-click Synchronizers and choose Manage Synchronizers.

Repository menu commands

Extend Schema: Connect to the synchronization repository and create a new synchronization schema (for LDAP and database sync support). Displays the Connect to Repository dialog box.

Enable Storing Credentials under User Object (AD only): (Active Directory only) Allow users' TAM E-SSO credential containers to be stored under their respective User objects. This command updates the directory schema to allow user-credential containers as children of user objects, and it modifies the directory-root security settings to grant users the rights to create the credential containers. Note: If you enable this option, do not enable the Prepend Domain global agent setting option (under Synchronization\Active Directory\Advanced). If both this option and Prepend Domain are enabled, no synchronization will occur.

Show User Credential Containers: Display/hide TAM E-SSO user-credential containers in the Repository window tree view.

Show Users (AD only): (Active Directory only) Display/hide user objects in the Repository window tree view.

Tools menu commands

Export Apps to Agent: Add the application logons in the current console session to the list of pre-configured logons for the locally-installed Agent. This option updates the local entlist.ini file and, optionally, the ftulist.ini (first time use) file.

Write Global Agent Settings to HKLM: Export Global Agent Settings to the local-machine registry; displays a confirmation message.

Edit Passphrase Questions: Add or edit the passphrase questions that appear during First-Time Use; displays the Edit Passphrase Questions dialog box.

Generate Customized MSI: Create an .msi file for distributing an Agent configuration as a Windows Installer package; displays the Generate MSI dialog box.

Manage Templates: Create, modify, and remove templates for application logons; displays the Manage Templates dialog box.

Update Applications: Update applications based on templates that have been modified since the application's creation; displays the Update Applications dialog box.

Modify Configuration: View or edit the configuration (INI) files for the locally-installed TAM E-SSO Agent. Choose Applist, EntList, FTUlist or MfrmList, or open any other INI file by name.


Applications

Displays application configuration information and provides access to logon settings.

- Click Applications in the left pane to display these tabs in the right pane:
  - the Application List, displaying currently configured logons.
  - the Bulk Add (multiple logon deployment) controls.
- Right-click Applications in the left pane to display a shortcut menu with these options:

New Windows App: Configure a new Windows application. Displays the Add Application dialog box.

New Web App: Configure a new Website application. Displays the Add Application dialog box.

New Host App: Configure a new mainframe application. Displays the Add Application dialog box.

Import: Open stored application configurations in a .REG or .INI file.

Export: Save one or more application configurations in an INI file.

When Administrative Console is used as a snap-in to Microsoft Management Console, point to New on the shortcut menu, then click the item to create.

[Related Topics]

Configuring Application Logons


Applications List

Displays a list of applications with logons configured for use with TAM E-SSO.

- To add new applications, click Add.
- To modify a listed application's logon configuration, click an application, then click Edit.
- To delete one or more logon configurations, click an application (use Ctrl+click or Shift+click to select multiple entries), then click Delete.

To display this tab:

- Click Applications in the left pane, then click the Applications List tab in the right pane.

[Related Topics]

Configuring Application Logons


Add Application dialog box

Use the Add Application dialog to begin configuring a new application logon. You can define an application logon from scratch or you can use a stored template that provides pre-configured values for some or all logon settings.

1. Type a Name for the new logon.

2. Select an Application Type:
   - Windows
   - Web
   - Host/Mainframe

3. Do one of the following:
   - Select a template from the Application drop-down list and click Next to provide any additional information needed to complete the logon.
   - Leave the Application selection as New [type] Application and click Finish to create the logon from scratch.

4. Windows applications only: If this application requires authentication by RSA (SecurID/SoftID) token, select the RSA secured? check box.

5. Click Finish.

The Form Wizard for the selected Application Type begins. See Windows Form Wizard, Web Form Wizard or Host/Mainframe Form Wizard for more information.

To display the Add Application dialog, do one of the following:

- Right-click Applications in the left pane, then choose the application type (Windows, Web or Host/Mainframe) from the shortcut menu.

or

- Click Add in the Applications List.


Add Application from Template

Use this wizard page to supply application logon configuration settings that are not provided by the application logon template. Settings that must be supplied to complete the logon are marked in the left pane of the page with a red X.

1. In the left pane of the dialog, click a logon setting item that is marked by a red X. The corresponding dialog box for supplying the setting appears in the right pane.

2. Enter or choose the requested setting. A green checkmark replaces the red X when the setting is completed.

3. Click Finish to close the wizard and add the new application.

To display this page:

1. Do one of the following:
   - Right-click Applications in the left pane, then choose the application type (Windows, Web or Host/Mainframe) from the shortcut menu.

   or

   - Click Add in the Applications List.

2. In the New Applications dialog box, select a template from the Application drop-down list and click Next.


Windows Form Wizard

Use the Windows Form Wizard to perform any of these tasks:

- configure new logons for Windows applications or for Java applets and applications.
- add new forms to existing logons.
- create forms for automatic password changes.

The Windows Form Wizard lets you use the application itself to identify its logon/password-change forms, the individual fields, and the submit (OK) button.

Before you begin this procedure, refer to the General Guidelines for configuring applications. Also see Adding Windows Applications for specific information about configuring Windows application logons.

To display the Windows Form Wizard, do one of the following:

- Create a new Windows or Java application logon.

or

- In the General tab (Windows), click Wizard.


Application window (Windows Form Wizard):

Use this Form Wizard page to select the application's logon or password/PIN change window.

See Windows Form Wizard for details of the procedure for configuring Windows applications.


Credential field (Windows Form Wizard):

Use this Form Wizard page to select the fields of the application's logon or password change window.

See Windows Form Wizard for details of the procedure for configuring Windows applications.

Credential Fields: Displays the fields of the currently selected application window. Click on the headers (Class, ID or Text) to sort the list. Right-click a field in the list to display a shortcut menu of field types and the submit control:

- UserID
- Password
- Third Field
- Fourth Field
- OK (submit control)

Refresh: Updates the field list.

Use "Send Keys" for this form, do not use Control IDs: Indicates that the Agent should transmit logon data to this form as a series of keystrokes, rather than by addressing individual fields by Control ID. See SendKeys for more information.

Detect Fields: Scans the field list and attempts to match the fields with field types. Note that although Detect Fields is usually accurate with typical applications, the fields should be checked for proper field types.

Back: Go back to the previous Wizard page.

Next: Go forward to the next Wizard page.


Summary:

Displays the results of the Wizard. Do one of the following:

- Click Finish to save your settings and close the Wizard.

or

- Click Back to return to a previous page and modify your settings.

General tab (for configuring a Windows logon form)

Use the General (Windows) tab to modify program and window information about a Windows application logon configuration.

- You can configure a logon manually by adding, editing or deleting entries in the AppPathKeys and Window Titles lists, or
- You can use the Windows Form Wizard to define windows, titles and fields by pointing and clicking.

To display this tab, do one of the following:

- Create a new Windows application logon.

or

1. In the left pane, click Applications and select a Windows application.

2. Click the General tab in the right pane.

3. Select a logon form from the list and click Edit.

The Windows form-configuration dialog appears, displaying the General tab.


Select Window Title:

Use the Select Window dialog to choose the title of an application's logon or password change window.

- Select the logon or password change window and click OK.

Fields tab (for configuring a Windows logon form)

Use the Fields (Windows) tab to define how the Agent interacts with the fields of the logon form. You can identify one of the following for the currently-selected application form:

- Up to four logon fields (user ID, password, etc.), using Control IDs.
- A series of keystrokes (with optional timings) that fill in and submit the logon form, using SendKeys.

To display this tab, do one of the following:

- Create a new Windows application logon.

or

1. In the left pane, click Applications and select a Windows application.

2. Click the General tab in the right pane.

3. Select a logon form from the list and click Edit.

The Windows form-configuration dialog appears, displaying the General tab. Click the Fields tab.


ControlID:

Use the Control ID dialog box to identify the fields and the submit button of a logon form in order to configure TAM E-SSO's response.


SendKeys (for a Windows application logon):

Use the SendKeys dialog box to specify a series of keystrokes that TAM E-SSO should transfer to the logon form.

Use the SendKeys option for Windows applications that:

- cannot receive credentials from the Windows message queue or by other techniques the Agent normally uses to send credentials.
- do not use standard Windows controls that have Control IDs.
- dynamically generate controls or do not use Windows controls at all (for example, Flash applications).

The tabs in the right pane of the SendKeys dialog provide the keystroke options. Select or type the options you need on each tab. Click the Insert button to add the key or action to the series.

Your selections appear in the list in the left pane. To change the order of the series, select an item and click the up or down arrows to move it. To delete an item, select it and click Remove.


Matching tab (for configuring a Windows logon form)

Use the Matching (Windows) tab to map user credentials of the currently selected logon to other logon, password-change or password-confirmation forms (referred to here as target forms) within the same application. The Agent uses the match criteria you supply to distinguish among similar forms that use the same credential data. This lets the Agent apply a single set of user credentials appropriately to these multiple forms. You can also use matching to identify forms that the Agent should ignore.

Do one of the following:

- Click Add to create a new matching criterion.

or

- Select a Match and click Edit.

The Matching dialog box appears.

Note: The easiest and most efficient way to create match criteria is by using the Control Match Wizard. The Wizard lets you specify match criteria by selecting elements from the target form itself. You can also create and modify match criteria manually.

To display this tab, do one of the following:

- Create a new Windows application logon.

or

1. In the left pane, click Applications and select a Windows application.

2. Click the General tab in the right pane.

3. Select a logon form from the list and click Edit.

The Windows form-configuration dialog appears, displaying the General tab. Click the Matching tab.


Matching dialog box:

Use this dialog box to create match criteria that the Agent can use to distinguish among similar target forms that use the same credential data. This lets the Agent apply a single set of user credentials appropriately to these multiple forms.

The easiest and most efficient way to create match criteria is by using the Control Match Wizard. The Wizard lets you specify match criteria by selecting elements from the target form itself. You can also create and modify match criteria manually.


Add/Edit Window Title:

Use this dialog box to add or modify the text string that the Agent uses to detect specific application windows (e.g., for logon entry or password change) by their window title.


Control Matching:

Use the Control Matching dialog box to specify a match criterion based on the properties of a target-form control (such as a text caption, or a control style).

Control ID dialog box (Windows Fields tab):

Use the Control ID dialog box to identify the fields and the submit button of a logon form in order to configure the Agent's response.


Control Match Wizard:

Use the Control Match Wizard to define match criteria by choosing from the windows and controls of the target application. Match criteria let the Agent identify a target form, such as a password-change dialog, that is similar to the currently-selected logon. The Agent can then supply data to the matched target form using the same credentials as the original logon. You can also use match criteria to specify target forms similar to the current logon that the Agent should ignore.


Ignore:

Ignore App Window:

Use this Wizard page to choose the application window that the Agent should recognize.

1. Select the application window that the Agent should ignore from the Window List.

2. Click Next to display the Match Fields page.


Ignore Match Fields:

Use this Wizard page to choose a set of match fields: one or more window objects that uniquely identify the application window that the Agent should recognize. You can identify a match field by its Class (the type of control, such as Edit or Static), its Style (the aggregate of its properties identified by a number), or its Text.

1. In the field list, right-click a field and select the match criteria.

2. Click Next to display the Summary page.


Logon:

Logon App Window:

Use this Wizard page to choose the application window that the Agent should recognize.

1. Select the application window that the Agent should recognize as a logon form from the Window List.

2. Click Next to display the Match Fields page.

Window List: Displays the windows of currently running applications. Click on the column heads to sort the list.

Show hidden window: Select to include hidden windows in the Window List.

Refresh: Updates the list.

Back: Go back to the previous Wizard page.

Next: Go forward to the next Wizard page.

[Related Topics]

Control Match Wizard


Logon Match Fields:

Use this Wizard page to choose a set of match fields: one or more window objects that uniquely identify the application window that the Agent should recognize. You can identify a match field by its Class (the type of control, such as Edit or Static), its Style (the aggregate of its properties identified by a number), or its Text.

1. In the field list, right-click a field and select the match criteria.

2. Click Next to display the Credentials page.


Logon Credential:

Use this Wizard page to identify the field in which the Agent should supply credential data.

1. In the field list, right-click a field and select the credentials.

2. Click Next to display the Summary page.

Credential Fields: Displays the fields of the currently selected application window. Click on the headers (Class, ID, Text or Style) to sort the list. Right-click a field in the list to display a shortcut menu of field types:

- None (deselect field)
- UserID
- Password
- Third Field
- Fourth Field

Refresh: Updates the list.

Back: Go back to the previous Wizard page.

Next: Go forward to the next Wizard page.

[Related Topics]

Control Match Wizard


Password Change:

Password Change App Window:

Use this Wizard page to choose the application window that the Agent should recognize.

1. Select the application window that the Agent should recognize as a password-change form from the Window List.

2. Click Next to display the Match Fields page.

Window List: Displays the windows of currently running applications. Click on the column heads to sort the list.

Show hidden window: Select to include hidden windows in the Window List.

Refresh: Updates the list.

Back: Go back to the previous Wizard page.

Next: Go forward to the next Wizard page.


Password Change Match Fields:

Use this Wizard page to choose a set of match fields: one or more window objects that uniquely identify the application window that the Agent should recognize. You can identify a match field by its Class (the type of control, such as Edit or Static), its Style (the aggregate of its properties identified by a number), or its Text.

1. In the field list, right-click a field and select the match criteria.

2. Click Next to display the Credentials page.


Password Change Credential:

540/wizard

Use this Wizard page to identify the field in which the Agent should supply credential data.

1. In the field list, right-click a field and select the credentials.

2. Click Next to display the Summary page.


Password Confirm:


Password Confirm App Window:

545/wizard

Use this Wizard page to choose the application window that the Agent should recognize.

1. Select the application window that the Agent should recognize as a password-confirmation form from the Window List.

2. Click Next to display the Match Fields page.

Window List: Displays the windows of currently running applications. Click on the column heads to sort the list.

Show hidden window: Select to include hidden windows in the Window List

Refresh: Updates the list

Back: Go back to the previous Wizard page

Next: Go forward to the next Wizard page


Password Confirm Match Fields:

550/wizard

Use this Wizard page to choose a set of match fields: one or more window objects that uniquely identify the application window that the Agent should recognize. You can identify a match field by its Class (the type of control, such as Edit or Static), its Style (the aggregate of its properties, identified by a number), or its Text.

1. In the field list, right-click a field and select the match criteria.

2. Click Next to display the Credentials page.

Match Fields: Displays the fields of the currently selected application window. Click on the headers (Class, ID, Text or Style) to sort the list. Right-click a field in the list to display a shortcut menu of match criteria:

- None (deselect field)

- Class

- Style

- Text

Refresh: Updates the list

Back: Go back to the previous Wizard page

Next: Go forward to the next Wizard page


Password Confirm Credential:

555/wizard

Use this Wizard page to identify the field in which the Agent should supply credential data.

1. In the field list, right-click a field and select the credentials.

2. Click Next to display the Summary page.

Credential Fields: Displays the fields of the currently selected application window. Click on the headers (Class, ID, Text or Style) to sort the list. Right-click a field in the list to display a shortcut menu of field types:

- None (deselect field)

- UserID

- Old Password

- New Password

- Confirm Password

Refresh: Updates the list

Back: Go back to the previous Wizard page

Next: Go forward to the next Wizard page


Miscellaneous tab (for configuring a Windows logon form)


600/tab property sheet

Use the Miscellaneous (Windows) tab to refine properties of the currently-selected application logon form for special configurations.

To display this tab, do one of the following:

- Create a new Windows application logon.

or

1. In the left pane, click Applications and select a Windows application.

2. Click the General tab in the right pane.

3. Select a logon form from the list and click Edit.

The Windows form-configuration dialog appears, displaying the General tab. Click the Miscellaneous tab.


New Web application

700/dialog


Web Form Wizard


720

The Web Form Wizard lets you browse the Web application itself to capture the identifiers for its logon/password-change windows, the individual fields, and the submit (OK) button. To display the Web Form Wizard:

- Create a New Web application.

- In the New Web Application configuration dialog, click Wizard. The Web Form Wizard appears.


General tab (for configuring a Web logon form)

710

Use the General (Web) dialog to modify program and window information for a Web application logon configuration.

- You can configure a logon manually by adding, editing or deleting entries in the URL and Fields list, or

- You can use the Web Form Wizard to define URLs, forms and fields by pointing and clicking.

To display this tab, do one of the following:

- Create a new Web application logon.

or

1. In the left pane, click Applications and select a Web application.

2. Click the General tab in the right pane.

3. Select a form from the list and click Edit.

The Web form-configuration dialog appears, displaying the General tab.


Matching tab (for configuring a Web application)

750

Use the Web Matching tab to distinguish among logon, password-change or password-confirmation forms (referred to here as target forms) within the same Web application, typically a multi-form portal page. The Agent uses the matching criteria you supply here to distinguish among similar forms.

This tab is typically used to refine the detection match criteria: the set of HTML tags and values you use to identify a specific page. You can then create an offset match that uses a subset of the detection match to identify the desired logon or password-change form on the page.

To display this tab:

- Create a new Web application logon.

or

1. In the left pane, click Applications and select a Web application.

2. Click the General tab in the right pane.

3. Select a form from the list and click Edit.

The Web form-configuration dialog appears, displaying the General tab. Click the Matching tab.


Edit Match (for a Web Form):

760

Use this dialog box to create or modify matching criteria for the selected Web form.

Tag: Type an HTML tag type; for example, "<TD>" for a table cell.

Match Tag Instance: Select to match a specific instance of the Tag and select the instance number; for example, 3 for the third table cell on the page.

Criteria: Select one criteria type:

- Text: the plain-text (InnerText) content of the tag element (for example, "Enter your password").

- HTML: the rich-text (InnerHTML) content of the tag element (for example, "<b>Enter your password</b>").

- Property: an HTML attribute of the tag element (for example, "id=password").

Value: Type the text of the Criteria to match.

Match Whole Value: Select to enforce strict matching of Value (that is, any additional text in the tag element will cause the match to fail).

Operation: Select the relationship of this match to any others:

And: This match is one of multiple matches that identify the form.

Or: This match alone identifies the form.
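As an added illustration of how the Tag, Match Tag Instance, Criteria, Value, Match Whole Value and Operation entries combine to identify a form, here is example code written for this page, not TAM E-SSO's own matching engine. The small HTML tree builder, the constructed sample page, and the exact way the And/Or rules are combined are assumptions made for the example.

```python
from dataclasses import dataclass, field
from html.parser import HTMLParser
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr"}   # elements that have no closing tag
@dataclass
class Node:
    tag: str
    attrs: dict
    children: list = field(default_factory=list)   # child Nodes or text strings

    def inner_text(self) -> str:   # InnerText: descendant text, whitespace collapsed
        parts = [c if isinstance(c, str) else c.inner_text() for c in self.children]
        return " ".join("".join(parts).split())

    def inner_html(self) -> str:   # InnerHTML: the children serialized back to markup
        return "".join(c if isinstance(c, str) else c.outer_html() for c in self.children)

    def outer_html(self) -> str:
        attrs = "".join(f' {k}="{v}"' for k, v in self.attrs.items())
        if self.tag in VOID_TAGS:
            return f"<{self.tag}{attrs}>"
        return f"<{self.tag}{attrs}>{self.inner_html()}</{self.tag}>"

class TreeBuilder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = [Node("#document", {})]
        self.elements = []   # every element in document order, for Match Tag Instance numbering

    def handle_starttag(self, tag, attrs):
        node = Node(tag, {k: (v or "") for k, v in attrs})
        self.stack[-1].children.append(node)
        self.elements.append(node)
        if tag not in VOID_TAGS:
            self.stack.append(node)

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, 0, -1):   # pop back to the matching open tag
            if self.stack[i].tag == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        self.stack[-1].children.append(data)

def parse(html: str) -> list:
    tb = TreeBuilder()
    tb.feed(html)
    tb.close()
    return tb.elements

@dataclass
class MatchRule:               # one entry of the Edit Match dialog
    tag: str                   # Tag, e.g. "<TD>"
    criteria: str              # Criteria: "Text", "HTML" or "Property"
    value: str                 # Value
    instance: int = 0          # Match Tag Instance (1-based); 0 = any instance
    whole: bool = False        # Match Whole Value
    operation: str = "And"     # Operation: "And" or "Or"

def _candidates(elem: Node, criteria: str) -> list:
    if criteria == "Text":
        return [elem.inner_text()]
    if criteria == "HTML":
        return [elem.inner_html()]
    return [f"{k}={v}" for k, v in elem.attrs.items()]   # Property: each attribute as name=value

def rule_matches(rule: MatchRule, elements: list) -> bool:
    """True if an element of the rule's tag (or the chosen instance of it) satisfies Value."""
    tag = rule.tag.strip("<> ").lower()
    same_tag = [e for e in elements if e.tag == tag]
    if rule.instance:
        same_tag = same_tag[rule.instance - 1:rule.instance]   # empty if that instance does not exist
    value = rule.value
    if rule.criteria == "Property" and "=" in value:   # normalize "id =password" to "id=password"
        k, v = value.split("=", 1)
        value = f"{k.strip()}={v.strip()}"
    for elem in same_tag:
        # Match Whole Value: any additional text in the element makes the match fail
        if any((c == value) if rule.whole else (value in c) for c in _candidates(elem, rule.criteria)):
            return True
    return False

def form_identified(rules: list, html: str) -> bool:
    """An 'Or' rule identifies the form by itself; 'And' rules identify it only when all of them match."""
    elements = parse(html)
    if any(rule_matches(r, elements) for r in rules if r.operation == "Or"):
        return True
    and_rules = [r for r in rules if r.operation == "And"]
    return bool(and_rules) and all(rule_matches(r, elements) for r in and_rules)

SAMPLE_PAGE = (   # constructed sample portal page (not from the docs); the logon caption is in the third cell
    '<html><body><table><tr><td>Welcome</td><td>Please sign in</td>'
    '<td><b>Enter your password</b></td></tr></table><form name="login"><input type="text" '
    'name="user" id="username"><input type="password" name="pwd" id="password"></form></body></html>'
)
LOGON_RULES = [   # detection match: the third <TD> carries exactly this caption AND some <INPUT> has id=password
    MatchRule("<TD>", "Text", "Enter your password", instance=3, whole=True),
    MatchRule("<INPUT>", "Property", "id = password"),
]
```

Note how Match Whole Value rejects "password" against "Enter your password" while a partial match accepts it, and how an instance number that does not exist on the page simply fails the match.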

[Related Topics]

Web Matching tab


Add/Edit URL:

730/prompt

Use this prompt to specify the URL (or Uniform Resource Locator, commonly called a Web address) of the logon or password-change form to configure.

- Type the Web address, then click OK.

Web Field:

740/dialog


Use this dialog box to specify a credential field or submit button on a Web form.

Function: Select a credential type:

- UserID

- Password

- Third Field

- Fourth Field

- New Password

- Confirm New Password

- Submit

Frame: Type the target name of the browser frame in which the field appears (specified by the NAME attribute in a <frame> element in the target page's parent frameset).

Form: Type the name of the form in which the field appears (specified by the NAME attribute in the <form> element in the target page).

Field Name: Type the field name (the NAME attribute of the field's <input> element).

Field Type: Select the field type (corresponding to the type attribute of the field's <input> element) or a hyperlink anchor tag (<A HREF=...>) used as a "submit" button.

Credential Type and the <INPUT TYPE=...> options allowed for it:

UserID, Password, Third Field, Fourth Field, New Password, Confirm New Password: Text, Password, Select-One, Select-Multiple

Submit: Submit, Image, Button, Anchor (<A HREF...> tag)

New Host/Mainframe application

800/dialog

Use this dialog box to configure a new logon for a host/mainframe application.


See Adding Mainframe Applications for the full procedure.


Host/Mainframe Form Wizard

855

Use the Host/Mainframe Form Wizard to perform any of these tasks:

- configure new logons for a host/mainframe emulator or Telnet (scrolling-screen) applications

- add new forms to existing logons

- create forms for automatic password changes

The Host/Mainframe Form Wizard lets you use the application itself to identify its logon/password-change windows and the individual username/ID, password, and other fields. The general steps for creating a logon are as follows:

1. Start the target emulator or Telnet application.

2. Select the Form Type and Screen Type.

3. Copy the text of the application's logon/password-change screen and paste it to the Console.

4. Indicate the text and position of onscreen captions that identify the screen as a logon/password-change form.

5. Indicate the position (or, for Telnet applications, the sequence) of the individual username/ID, password, and other fields.

6. Review the configuration and make changes as needed, using the Back and Next buttons.

To modify a host/mainframe logon's settings manually, use the General tab (for configuring a host/mainframe logon form).

Before you begin this procedure, refer to the General Guidelines for configuring applications. Also see Adding Host/Mainframe Applications for specific information about creating and configuring host/mainframe logons.


General tab (for configuring a host/mainframe logon form)

810/tab list

Use this dialog to modify information about a Host/Mainframe application logon form.

Note: See Adding Telnet Applications for information about configuring logons for Telnet applications.

To display this tab, do one of the following:

- Create a new host/mainframe application logon.

or

1. In the left pane, click Applications and select a host/mainframe application.

2. Click the General tab in the right pane.

3. Select a logon form from the list and click Edit.

The Host/Mainframe form-configuration dialog appears, displaying the General tab.


Text Matching (on a host/mainframe logon form):

820/dialog

Use the Text Matching dialog box to specify the text and position of an onscreen caption that identifies the screen as a logon/password-change form.

You must also specify the location (row and column number) of the first character of the text. Use the cursor-position indicator in the status bar at the bottom of the session window to find the row and column numbers of the text.

Note: For Telnet applications, use row coordinates relative to the cursor position. See Adding Telnet Applications for an example. You can also use an asterisk for wildcard matching of a row, column or both.

When you have completed your entries for a match, click OK.
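The row/column matching described above, including the asterisk wildcard and the Telnet relative-row rule, as an added example that is not part of the product. The captured screens are constructed, and the rule that every configured caption must be found before the screen counts as the form is an assumption of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

Coord = Union[int, str]   # a 1-based row/column number, or "*" to wildcard it

@dataclass
class TextMatch:             # one Text Matching entry
    text: str                # the onscreen caption
    row: Coord               # row of its first character
    col: Coord               # column of its first character
    relative: bool = False   # Telnet: row is an offset from the cursor row

def caption_at(screen: List[str], m: TextMatch, cursor_row: Optional[int] = None) -> bool:
    """True if m.text begins at the configured row/column of the captured screen."""
    if m.row == "*":
        rows = range(1, len(screen) + 1)
    else:
        r = int(m.row)
        if m.relative:
            if cursor_row is None:
                raise ValueError("a Telnet (relative) match needs the current cursor row")
            r += cursor_row
        rows = [r] if 1 <= r <= len(screen) else []
    for r in rows:
        line = screen[r - 1]
        if m.col == "*":
            if m.text in line:
                return True
        elif int(m.col) >= 1 and line[int(m.col) - 1:].startswith(m.text):
            return True
    return False

def screen_identified(screen: List[str], matches: List[TextMatch], cursor_row: Optional[int] = None) -> bool:
    """All configured captions must be found (an assumption of this example) for the screen to count."""
    return bool(matches) and all(caption_at(screen, m, cursor_row) for m in matches)

# Constructed 3270-style fixed screen (not from the docs), five rows.
SIGNON_SCREEN = [
    " " * 20 + "SYSTEM SIGNON",   # caption starts at row 1, column 21
    "",
    "Userid   ===>",
    "Password ===>",
    "",
]

# Constructed scrolling Telnet session; the cursor sits on the last line (row 3).
TELNET_SCREEN = ["Connected to host.", "", "login:"]

SIGNON_MATCHES = [
    TextMatch("SYSTEM SIGNON", 1, 21),
    TextMatch("Password", "*", 1),   # any row, column 1
]
TELNET_MATCHES = [TextMatch("login:", 0, 1, relative=True)]   # row 0 = the cursor row itself
```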


Edit Fields/Actions (for a Host Mainframe application logon):

850/dialog

Use the Edit Fields/Actions dialog box to specify a series of keystrokes that TAM E-SSO should transfer to the host application's logon form.

The tabs in the right pane of the Edit Fields/Actions dialog provide the keystroke options. Select or type the options you need on each tab. Click the Insert button to add the key or action to the series.

Your selections appear in the list in the left pane. To change the order of the series, select an item and click the up or down arrows to move it. To modify an item, select it and click Edit to display the Fields dialog. To delete an item, select it and click Delete.


Options tab (for configuring a host/mainframe logon form)

840/tab property sheet

Use the Host/Mainframe Options tab to set emulator options for a host/mainframe logon.

To display this tab, do one of the following:

- Create a new host/mainframe application logon.

or

1. In the left pane, click Applications and select a host/mainframe application.

2. Click the General tab in the right pane.

3. Select a logon form from the list and click Edit.

The Host/Mainframe form-configuration dialog appears, displaying the General tab. Click the Options tab.


Bulk Add tab

910/tab list

See First Time Use (Bulk-Add) for more information.


Selected application

1000

Represents a configured application. You can use the tabs in the right pane to view or modify this logon's properties.


General tab (for a selected Application)

1010

Use the General tab to add or modify form or field configuration for the selected application.

Description: Type an optional text comment to appear in the Description field of the Agent Logon Manager.

Add: Add a new form for the selected application. The corresponding configuration dialog for the selected application type appears.

Edit: Modify an existing logon form. Select a form from the Forms window, then click Edit. The corresponding configuration dialog for the selected application type appears.

Delete: Remove a form. Select a form from the Forms window, then click Delete. If only one form is listed, deleting it will remove the application entirely.

Add [Edit] Notes: Type or modify optional comments or documentation.

To display this tab:

1. Do one of the following:

- Select an application

or

- Configure a new application.

2. Click the General tab in the right pane.

[Related Topics]

Configuring Application Logons


Password Change (for a selected logon)

1020

Use the Password Change tab to set or modify options that control how the Agent manages password changes.


Authentication tab (for selected application)

Note: This tab only appears if you have TAM E-SSO: Authentication Adapter installed. TAM E-SSO: Authentication Adapter is an add-on module to TAM E-SSO available separately from IBM.

Use this tab to set the minimum authentication grade for the selected application. The Primary Logon Method used must have an Authentication Grade equal to or higher than this value in order for TAM E-SSO to log on to the selected application.

If the end user's Primary Logon Method has an authentication grade lower than the minimum set for this application, a message appears when the application is requested, asking the user to authenticate at a higher grade; the user gains access only if that authentication succeeds.


To set the authenticator grade for primary logon methods, use the Authenticator Grade setting.

Minimum Authentication Grade: Select or type the numeric value of the lowest Authentication Grade the end user's Primary Logon Method must have. The default is 1.

To display this tab:

1. Do one of the following:

- Select an application

or

- Configure a new application.

2. Click the Authentication tab in the right pane.

[Related Topics]

Primary Logon Methods\LDAP\Advanced

Primary Logon Methods\LDAP v2\Advanced

Primary Logon Methods\Windows\Advanced

Primary Logon Methods\Windows v2\Advanced

Primary Logon Methods\Smart Card\Advanced


Error Loop (for a selected logon)

1030/tab property sheet

Use the Error Loop tab (under a selected application) to control the appearance and behavior of the Logon Error (Error Loop) dialog for individual applications.

- To set Error Loop globally, for all applications, use the Error Loop global agent settings (see Error Loop (End-User Experience - Response)).

- To set Error Loop by application type, use the Error Loop global agent settings for each type (Windows, Web, Host/Mainframe).

Note: These application-specific Error Loop settings override the global Agent and application-type settings, except where the Mask Password setting (in any scope) is set to Yes.


See Settings Controlling Repeated Logon Attempts for more information.
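The precedence stated in the note above, as an added example that is not product code: the three scopes are merged with the most specific scope last, and a Mask Password value of Yes in any scope wins regardless of what a narrower scope says. The scope contents and the setting name Max Attempts are constructed placeholders; only Mask Password is a setting the text names.

```python
from typing import Dict, Optional, Tuple

Scope = Dict[str, str]   # setting name -> value, as shown on one Error Loop tab

def effective_error_loop(global_scope: Scope, type_scope: Optional[Scope] = None,
                         app_scope: Optional[Scope] = None) -> Dict[str, Tuple[str, str]]:
    """Return each effective setting as (value, scope it came from).

    Application-specific settings override application-type settings, which
    override the global Agent settings, except Mask Password: if any scope
    sets it to Yes, the effective value is Yes."""
    layers = [("global", global_scope), ("type", type_scope or {}), ("application", app_scope or {})]
    result: Dict[str, Tuple[str, str]] = {}
    for name, scope in layers:            # least specific first, so later layers win
        for key, value in scope.items():
            result[key] = (value, name)
    for name, scope in layers:            # Mask Password = Yes anywhere cannot be overridden
        if scope.get("Mask Password") == "Yes":
            result["Mask Password"] = ("Yes", name)
            break
    return result

# Constructed scopes (not from the docs). "Max Attempts" is a placeholder setting name used
# only to show ordinary override behaviour; Mask Password is the setting the note above names.
GLOBAL_SCOPE = {"Mask Password": "Yes", "Max Attempts": "3"}
WEB_SCOPE = {"Max Attempts": "5"}
PORTAL_APP_SCOPE = {"Mask Password": "No", "Max Attempts": "2"}
```

The source tag in each result makes it easy to audit why an application still masks passwords even though its own tab says No.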


Miscellaneous tab (for a selected application)

1040/tab property sheet

Use this tab for special configurations of the currently-selected application.

Miscellaneous Settings

Allow Reveal Password: Select to enable the Reveal button for passwords in Wizards and property pages.

Force Reauthentication: Select to require the user to reauthenticate before providing credentials to this application.

Auto Submit: Select to have the Agent automatically select OK for this application logon after providing credentials.

Service Logon: Select to let the Agent detect an application that runs as a Windows service (that is, in the System space, rather than the User space).

ConfigName: Click Choose to select the window and control that contains the text to use to create the new logon's initial configuration name (Windows applications only).

UserID Field Label: Type a text label to be used by the Agent for the username/ID field.

Password Field Label: Type a text label to be used by the Agent for the password field.

Third Field Label: Type a text label to be used by the Agent when displaying a third logon field.

Fourth Field Label: Type a text label to be used by the Agent when displaying a fourth logon field.

File extension for Icon: Type a Windows file extension associated with a logon; lets the Agent map an icon to the configuration.

Add Logon Event

Run this command when a logon for this application is added: This setting allows you to define a process (for example, an .exe, a Web page, or a script) to be run immediately after the Add Logon Wizard is completed for an application. For example, this setting could be used to launch a password change application right after credentials are entered into TAM E-SSO, thus allowing TAM E-SSO to immediately change the application password. Click the Browse button to locate a command to be entered.

To display this tab:

1. Do one of the following:

- Select an application

or

- Configure a new application.

2. Click the Miscellaneous tab in the right pane.


ConfigName:

620/wizard

Use the ConfigName wizard to select a logon window's text control to use as the initial name of the application logon. You can use this feature to name a logon (when it is added to the Agent) with a variable text item (such as an account name) that appears on the logon window.

1. Select the window that contains the text control you want to use, then click Next.

2. Select the control that contains the text item to use as the logon's initial configuration name. Click Finish.

Bulk Add tab (for a selected application)

1050/tab property sheet

Use this tab for special configurations of the currently-selected application. Also see Bulk-Add tab (general) for more information.

Enable Bulk-Add capability for this application: Select to enable this application to be included in a bulk-add.

Confirm UserID during Bulk-Add: Select to require the user to confirm the username in order to perform a bulk-add.

Confirm Password during Bulk-Add: Select to require the user to confirm the password in order to perform a bulk-add.

Confirm Other Field during Bulk-Add: Select to require the user to confirm additional field information in order to perform a bulk-add.

To display this tab:

1. Do one of the following:

- Select an application

or

- Configure a new application.

2. Click the Bulk Add tab in the right pane.


Security tab (for role/group support)

2450

Use this tab to set the access rights for the currently-selected configuration item. You can assign access rights to these items:

- Application logons (including associated password sharing groups)

- Password generation policies

- Global agent settings

- Passphrase question sets.


Import/Export

Generate MSI

2000/dialog

Create a new .MSI file (a Windows Installer package) from an existing MSI package, in order to add configured application logons and/or Agent configuration settings.

Generate MSI is typically used to modify the TAM E-SSO installation package (\Full\setup.msi on the TAM E-SSO distribution disk) to include logons or settings in the initial desktop installation of TAM E-SSO. The MSI file you create can include:

- Selected application logons from an entlist.ini file or from the current Console configuration.

- Agent settings from an Administrative Overrides (.ini) file or from the current Console configuration.


Export to INI file

140/dialog

Export selected applications and all password policies and groups to an entlist.ini file, a store of application logons.

1. Do one of the following:

- Select applications to export (use Ctrl+click or Shift+click to select multiple entries), then click OK

or

- Click Export All to export all listed applications.

2. If any applications you have selected are enabled for Bulk-Add, you can select Create First-Time-Use file to generate a bulk-add (ftulist.ini) file.

3. Click OK. The Export EntList file dialog box appears.

a. Locate and open the folder for the file, name the file, and click Save.

b. If you chose to create a First-Time Use file, the Export First-Time Use dialog appears. Locate and open the folder for the file (rename the file if desired), and click Save.

To display this dialog:

- Right-click Applications and choose Export from the shortcut menu.

or

- Choose Export from the File menu.


Export EntList file

150/dialog

Save an exported application configuration file (entlist.ini) to disk. The Export EntList file dialog displays when you export application logon information using the Export to INI file dialog.

1. Locate and open the folder for the file, name the file, and click Save.

2. If you chose to create a First-Time Use file, the Export First-Time Use dialog appears. Locate and open the folder for the file (rename the file if desired), and click Save.


Export First-Time Use

160/dialog

Save a first-time-use file (ftulist.ini) to disk. The Export First-Time Use dialog appears when you choose to create a First-Time Use file while exporting application logon information to an entlist.ini file.

- Locate and open the folder for the file (rename the file if desired), and click Save.


Import Merge Conflict

130/dialog

The Import/Merge Conflict dialog box appears if the merged file contains items with the same names as those in the current configuration.

- Select the items to import and click OK.

The items you select overwrite the current like-named items.


Manage Templates

2100

Use this dialog to create, modify, and remove templates for application logons.

Do one of the following:


Override Settings tab (Edit Template dialog box)

2120

Use this tab to select the settings that the template updates in all logons that are based on it. You can choose global overrides that apply to all of the forms in the application logon configuration, and you can also select specific overrides for individual forms.

The left pane displays the hierarchy of the application and its component forms:

- The global override Settings for applications correspond to the general configuration settings for each application type.

- The form-specific Settings correspond to the configuration controls for individual logons.

Both Setting types are listed in the right pane with a Category that corresponds to the application-configuration dialog in which you make the setting. Refer to the dialog or tab for information on each setting.

Applications: General, Error Loop, Password Change, Miscellaneous

Windows forms: General, Fields, Matching, Miscellaneous

Web forms: General, Matching

Mainframe/Host forms: General, Options

To display this tab:

1. Choose Manage Templates from the Tools menu.

2. Do one of the following:

- Add a new template.

or

- Select an existing template and click Edit.

3. In the Edit Templates dialog box, click the Overriding Settings tab.


Supply Info tab (Edit Template dialog box)


Use this tab to specify what information an Administrator must provide in order to complete an

application logon based on this template.


You can choose all items or choose individual items by selecting checkboxes.

Update Applications (from template)


Use this dialog box to update application logons that are based on a template that has been modified since the logons were created. Only logons whose templates have been modified appear in the list.

Select the applications to update (use Shift-click or Ctrl-click to select several), then click Update.


Kiosk Adapter

Applications to Leave Running on Session End


Note: This topic applies to TAM E-SSO: Kiosk Adapter only.

Use this dialog to define the list of applications that can be left running when a session ends. A default set of process names is also available to be added to this list.


Applications to Leave Running on Session End - Advanced


Note: This topic applies to TAM E-SSO: Kiosk Adapter only.

Use this dialog to create an advanced list of applications that can be left running on session end.


Applications to Close on Session End


Note: This topic applies to TAM E-SSO: Kiosk Adapter only.

Use this dialog to create a list of applications to be closed by TAM E-SSO: Kiosk Adapter on session end.


Applications to Close on Session End - Advanced


Note: This topic applies to TAM E-SSO: Kiosk Adapter only.

Use this dialog to create an advanced list of applications to be closed by TAM E-SSO: Kiosk Adapter on session end.

Note: If an application is added to the Applications to Close on Session End list, and is also added to the

Advanced list, the Advanced List takes priority.


Provisioning Adapter

Provisioning Adapter (for role/group support)


Use this node to manage provisioning rights for users. There are two tabs to set the rights:

v Default Rights

v Delete SSO User Right

Default Rights

Use this tab to define the default provisioning rights that are applied to each newly created application. After an application has been created, change its rights as needed.

Add User or Group Dialog Box

The Select User or Group dialog varies based on the directory server being used:

v LDAP

v Active Directory/ADAM

LDAP

Use this dialog to select the individual users or user groups that are to be added to the access list for the

current configuration item (Add Logon, Modify Logon, or Delete Logon).

Delete SSO User Right

Use this tab to define the users who are granted the Delete SSO User function in the TAM E-SSO: Provisioning Adapter Administrative Console.

The controls function the same as on the Default Rights tab.

Password Generation Policy


Displays the currently available password generation policies and provides access to policy settings. Click

Password Generation Policy in the left pane to display the current password policies in the right pane.

See Setting Password Policies for more information.


Add Password Policy


Use this dialog to add and name a new password generation policy.

v Type a Policy Name and click OK.

To display this dialog:

v Right-click Password Generation Policy and choose New Policy from the shortcut menu.

or

v Choose Password Generation Policy from the Insert menu.


Selected Password Policy


Represents a configured password generation policy. You can use the tabs in the right pane to view or

modify this policy’s properties and add or remove applications that use this policy.

See Setting Password Policies for more information.


Policy Subscribers tab


Use the Policy Subscribers tab to add or manage the applications that use the selected password

generation policy.

See Setting Password Policies for more information.


Password Constraints tab


Use the Password Constraints tab to set or modify the allowed type, number, position, and repetition of

characters in passwords. These constraints apply to new passwords that TAM E-SSO automatically

generates for applications that subscribe to the selected policy.

To view a set of test passwords generated under the password constraints of this policy, click the Test Policy button.

See Setting Password Policies for more information.


Security tab (for role/group support)


Use this tab to set the access rights for the currently-selected configuration item. You can assign access

rights to these items:

v Application logons (including associated password sharing groups)

v Password generation policies

v Global agent settings

v Passphrase question sets.


Password Sharing Groups


Displays the currently available password sharing groups and provides access to group settings.

See Creating password sharing groups for more information.


Add Sharing Group


Use this dialog to add and name a new password sharing group.

v Type a Group Name and click OK.


To display this dialog:

v Right-click Password Sharing Group and choose New Group from the shortcut menu.

or

v Choose Password Sharing Group from the Insert menu.


Domain password group


The predefined password sharing group for the Windows authenticator.

See To add applications to a password group for more information.

To select the Domain password sharing group:

1. Click Password Sharing Groups in the left pane.

2. Select Domain from the list in the right pane, then click Edit.

or

1. In the left pane, click the plus sign (+) next to the Password Sharing Groups icon (or double-click

Password Sharing Groups) to display the configured groups.

2. Click Domain.


LDAP Password Group


The predefined password sharing group for the Directory Service authenticator.

See To add applications to a password group for more information.


To select the LDAP password sharing group:

1. Click Password Sharing Groups in the left pane.

2. Select LDAP from the list in the right pane, then click Edit.

or

1. In the left pane, click the plus sign (+) next to the Password Sharing Groups icon (or double-click

Password Sharing Groups) to display the configured groups.

2. Click LDAP.


Selected Password Sharing Group


Represents a configured password sharing group. Use the list in the right pane to add or remove

applications from the selected group.

Click Add Notes to type notes.

See Creating password sharing groups for more information.


Global Agent Settings


Displays agent configuration information and provides access to stored sets of Global Agent Settings.


v Click Global Agent Settings in the left pane to display a list of sets of Global Agent Settings in the right pane.

v Right-click Global Agent Settings in the left pane to display a shortcut menu with these options:

New Settings
    Create a new set of Global Agent Settings. Displays the Add Set of Settings dialog box.

Import
    Import a set of Global Agent Settings from an external source:

    From File
        Import a set of settings from an administrative override object (INI) file or a registration-entries (REG) file. Navigate to the file and click Open.

    From Live HKLM
        Import the current Agent configuration from the local-machine registry (HKLM) as a set of settings named Live.

Notes:

v If the imported settings have the same name as an existing set in the current configuration, the imported set is named "Copy of existing settings."

v Global Agent Settings can also be imported from an Administrative Overrides object in a synchronizer Repository; see the Repository topic.

v If this version of the Console is installed on a non-English operating system, do not use the New Settings option; use the Import option instead. If New Settings is used, the path for the synchronization extension points to an invalid location, which results in a synchronization failure.
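Because a set of Global Agent Settings can travel as an ordinary REG export, it can also be audited outside the Console. The following Python script is an added example, not code from the IBM product or its documentation: it parses a constructed .reg export into the "Node:Value" form that the Reg Node entries in this chapter use, then compares a few settings against a baseline. The base key HKEY_LOCAL_MACHINE\SOFTWARE\Example\ESSO, the sample export, the baseline values and the reading of dword 1 as "enabled" are the example's own assumptions; the setting names (Shell:AllowShutdown, Shell:UseActiveLogin, Extensions\AccessManager:AllowUnknown, Extensions\AccessManager\Dlg:MaskPW, Extensions\StorageManager\InMemShr:LocalStorage) are the ones documented under End-User Experience later in this chapter.

```python
"""Parse a .reg export of Agent settings and audit a few security-relevant values.

Added example, not IBM code. BASE_KEY is a placeholder; the real installation
key is not given on this page. Setting names follow the Reg Node notation used in
this chapter (subkey, colon, value name), so a value stored directly under the
base key appears as ':Name'.
"""
import re
from typing import Dict, List, Tuple, Union

Value = Union[int, str, bytes]

BASE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Example\ESSO"  # assumed placeholder path

# Constructed sample export (not captured from a real system).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\ESSO]
"Language"="ENG"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\ESSO\Shell]
"ShowTrayIcon"=dword:00000001
"AllowShutdown"=dword:00000000
"AutoBackupPath"="C:\\Backups\\ESSO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\ESSO\Extensions\AccessManager]
"AllowUnknown"=dword:00000001
"QuietGenerator"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\ESSO\Extensions\AccessManager\Dlg]
"MaskPW"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\ESSO\Extensions\StorageManager\InMemShr]
"LocalStorage"=dword:00000001
"""

# Baseline the audit checks against. Assumption of this example (dword 1 = enabled),
# not an IBM recommendation.
BASELINE: Dict[str, Tuple[int, str]] = {
    r"Extensions\AccessManager:AllowUnknown": (0, "users may not add credentials for unknown applications"),
    r"Extensions\AccessManager\Dlg:MaskPW": (1, "password is masked in the Logon Error dialog"),
    r"Shell:AllowShutdown": (0, "end user cannot shut the Agent down from the tray menu"),
    r"Extensions\StorageManager\InMemShr:LocalStorage": (0, "no encrypted copy of credentials kept on disk"),
    r"Shell:UseActiveLogin": (1, "Agent supplies credentials automatically"),
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(text: str) -> str:
    # .reg string escaping: a backslash before a quote or another backslash is removed.
    return re.sub(r'\\(["\\])', r"\1", text)


def _parse_value(raw: str) -> Value:
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("hex"):  # hex: or hex(N): comma-separated bytes
        data = raw.split(":", 1)[1]
        return bytes(int(b, 16) for b in data.split(",") if b.strip())
    raise ValueError(f"unsupported .reg value syntax: {raw!r}")


def parse_reg(text: str, base_key: str) -> Dict[str, Value]:
    """Return a dict keyed 'Subkey:ValueName' for every value stored under base_key."""
    # Join continuation lines: binary values end a line with a backslash.
    lines: List[str] = []
    pending = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""

    settings: Dict[str, Value] = {}
    node = None  # subkey relative to base_key, or None while outside it
    for line in lines:
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            if key.lower() == base_key.lower():
                node = ""
            elif key.lower().startswith(base_key.lower() + "\\"):
                node = key[len(base_key) + 1:]
            else:
                node = None  # another product's key: ignore its values
            continue
        value_match = _VAL_RE.match(line)
        if value_match and node is not None:
            name = _unescape(value_match.group(1))
            settings[f"{node}:{name}"] = _parse_value(value_match.group(2))
    return settings


def audit(settings: Dict[str, Value], baseline: Dict[str, Tuple[int, str]]):
    """Return (mismatches, unset). An unset node falls back to the Agent default,
    so it is reported separately instead of being counted as a violation."""
    mismatches = []
    unset = []
    for node, (expected, reason) in baseline.items():
        if node not in settings:
            unset.append(node)
        elif settings[node] != expected:
            mismatches.append((node, settings[node], expected, reason))
    return mismatches, unset


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG, BASE_KEY)
    bad, missing = audit(parsed, BASELINE)
    for node, actual, expected, reason in bad:
        print(f"MISMATCH {node}: is {actual!r}, want {expected!r} ({reason})")
    for node in missing:
        print(f"UNSET    {node}: Agent default applies")
```

Values under keys outside the base key are ignored, so the same parser can be pointed at a full HKLM export. Run against the sample, the audit flags AllowUnknown, MaskPW and LocalStorage and reports UseActiveLogin as unset.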


Add Set of Settings


Use this dialog to add and name a new set of Global Agent Settings.

v Type a name for the set of settings and click OK.


To display this dialog:

v Right-click Global Agent Settings and choose New Settings from the shortcut menu.

or

v Choose Global Agent Settings from the Insert menu.

When Administrative Console is used as a snap-in to Microsoft Management Console, point to New

on the shortcut menu, then click the item to create.


Selected Set of Global Agent Settings


Represents a stored set of Global Agent Settings: defaults, switches, and other configuration information

that modify the behavior of TAM E-SSO on the desktop. Double-click items in the list in the right pane

to view or modify the individual settings. Click Add Notes to type notes about this set of settings.


End-User Experience


Node path: End-User Experience


The End-User Experience settings control the Agent as a Windows application, including its interactions

with the end-user and with other programs.

Show the Tray Icon
    Determines whether to show the TAM E-SSO Tray Icon in the System Tray.
    Options:
    v Do not show
    v Show (default)
    Reg Node: Shell:ShowTrayIcon

Title Bar Button
    Determines whether to show the TAM E-SSO Title Bar Button on all window and dialog title bars.
    Options:
    v Do not show (default)
    v Show
    Reg Node: Shell:ShowAccessBtn

Title Bar Button Menu
    Determines whether to show the TAM E-SSO Title Bar Button menu from the Title Bar Button.
    Options:
    v Do not show
    v Show (default, if the Title Bar Button setting is enabled)
    Reg Node: Shell:ShowAccessBtnMenu

Tray Icon Tooltip
    Text to provide in the Tray Icon label. Recommended use: labeling each Citrix MetaFrame Server session. (default: "IBM Tivoli Access Manager for Enterprise Single Sign-On")
    Reg Node: Shell:TrayIconName

Tray Icon Tooltip: Show System Name
    Show the computer name after the Tray Icon name. A space-dash-space separator is inserted before the computer name if TrayIconName is not set, or if it is set and not empty.
    Options:
    v Do not show (default)
    v Show
    Reg Node: Shell:TrayIconDisplaySysName

Tray Icon: Use which icon
    Determines whether to show the standard TAM E-SSO icon or the alternate server icon in the system tray.
    Options:
    v Standard (default)
    v Server

Use strict window detection
    Enable this setting to control strict window detection. If it is enabled, TAM E-SSO does not respond to hidden and minimized windows.
    Options:
    v No (default)
    v Yes
    Note: This entry is not required.

Advanced (End-User Experience):


Node path: End-User Experience > Advanced

The Advanced End-User Experience settings control the appearance of the Agent when performing a

logon and of the information presented in the Logon Manager and Logon Chooser dialogs.

Logon Manager Refresh button Display the Logon Manager Refresh button.

Options:

v Disable the Refresh button.

v Enable the Refresh button (default).

Reg Node: Extensions\AccessManager:AllowRefresh

Logon Animation’s duration Duration (in milliseconds) the animated spinner appears

(pausing response). A value of 0 (the default) disables the

spinner.

Reg Node: Shell:AutoLogonAnimationTime


Logon Chooser Columns Click ... to display the Edit Columns dialog box to

choose the appearance and order of columns in the

Agent’s Logon Chooser dialog box. The default is

Username/ID, Application Name, Description.

v Username/ID

v Application Name

v Description

Reg Node: Extensions\AccessManager\LogonChooser:Columns

Logon Manager "Details" Columns Click ... to display the Edit Columns dialog box to choose the appearance and order of columns in the Agent's Logon Manager.

v Application Name

v URL/Module

v Username/ID

v Password

v Modified

v Last Used

v Description

v Group

v Third Field

v Fourth Field

The default is all columns, except Third Field and Fourth

Field, in the preceding order.

Reg Node: Extensions\AccessManager\LogonManager:Columns

User can shut down from the System Tray Icon Menu When enabled (the default), the end user can shut down the Agent by selecting "Shut Down" from the System Tray Icon menu. When disabled, this menu item is unavailable (greyed out).

Options:

v Do not allow shutdown from menu.

v Allow shutdown from menu (default).

Reg Node: Shell:AllowShutdown


Special Tasks (End-User Experience Advanced):


Node path: End-User Experience > Advanced > Special Tasks

The Special Tasks settings control the tasks (lists of commands) that are executed when specific Agent actions occur. For each set of tasks, select the checkbox and click ... to open the Edit List dialog box. Type one command on each line and end each line by pressing Enter. Do not use any other delimiter characters.

When logons change (add, delete, copy, modify) Command(s) that will run every time credentials and

user configurations are modified.

Reg Node: Shell\Tasks:RefreshTask

When logons are deleted Command(s) that will run every time a user deletes an

application configuration.

Reg Node: Shell\Tasks:DeletionTask

After Agent starts up Command(s) that will run every time the background

task starts (the taskbar tray icon).

Reg Node: Shell\Tasks:StartupTask

Before Agent starts Command(s) that will run before any agent process

starts. The agent will not continue if any of these tasks

fail (as indicated by the resultant registry value located

at License:PreCheck).

Reg Node: Shell\Tasks:PreTask

Performance (End-User Experience Advanced ):


Node path: End-User Experience > Advanced > Performance

The Advanced Performance settings fine-tune how and when the Agent stores user credentials and other data. The first three settings apply only if Store user data on disk in encrypted file is set to "Do not store," which gives the best Agent performance. This setting defaults to "Store user data in disk file" for compatibility with previous versions of TAM E-SSO.

Increase user data storage priority Sets processing priority for storing changes to user data

(e.g., credentials). Set to ″Increase processing priority″

only if the workstation’s CPU typically runs at 100%

usage.

Options:

v Increase processing priority

v Do not increase processing priority (default).

Reg Node: Extensions\StorageManager\InMemShr:ThreadPriority


Set delay for updating stored user data (ms) Set an interval to wait (in milliseconds) before writing

changes in user data (e.g., credentials) to the internal

database (default 500ms).

Reg Node: Extensions\StorageManager\InMemShr:ThreadDelay

Set delay for first update (after startup) to stored user

data (ms)

Set an interval (in milliseconds) to wait after TAM E-SSO

starts up before writing changes in user data (e.g.,

credentials) to the internal database (default 5000ms).

Reg Node: Extensions\StorageManager\InMemShr:IntitialThreadDelay

Store user data on disk in encrypted file Store a copy of user data (e.g., credentials) locally in an

encrypted database file in each user’s Application Data

folder.

Options:

v Store user data in a disk file.

v Do not store user data in disk file (default)

Reg Node: Extensions\StorageManager\InMemShr:LocalStorage

Environment (End-User Experience):


Node path: End-User Experience > Environment

The End-User Experience Environment settings control important directory paths used by the Agent and

its language support.

Default Backup path Default backup path for silent backup. If this is not

specified here (and is not specified within the command

line), then the default is the user’s application data

directory, %AppData%\Passlogix.

Reg Node: Shell:AutoBackupPath

Location of entlist.ini file Fully qualified path and filename of the entlist.ini file.

This setting should be set only if synchronization is not

used to deploy pre-configured application logons created

with the Console. See Configuring Application Logons

for more information.

Reg Node: Extensions\AccessManager:EntList


Language Language to be used. Other values may be acceptable in localized versions. The display font should support the characters of the specified language. (default: ENG)

Options:

v ENG English

Reg Node: :Language

SubLanguage Language settings for the language set by Language. Other values may be acceptable in localized versions. The display font should support the characters of the specified language. (default: ENG)

Options:

v ENG Default support

v DBL Extended support

Reg Node: :SubLanguage


Password Change:

Common (End-User Experience - Password Change):


Node path: End-User Experience > Password Change > Common

The Common Password Change setting controls the user interface of the Agent’s Password Change

Wizard.


Default Change Password Wizard behavior Sets the behavior of the Password Change Wizard when

a user encounters a password-change request.

Options:

v Prompt: Prompts user with the Password Change

Wizard (default).

v Manual, offer auto: Prompts user to select a new

password, but also allows the Password Change

Wizard to offer to automatically generate the

password.

v Auto, offer manual: Generates the new password

automatically, but also allows the user to select the

new password.

v Manual only: Prompts user to select a new password,

does not allow Password Change Wizard to

automatically generate the password.

v Auto only: Generates the new password automatically,

does not allow the user to select the new password.

Reg Node: Extensions\AccessManager:CPWFlag

Required (End-User Experience - Password Change):


Node path: End-User Experience > Password Change > Required

The Required Password Change setting controls the sharing of credentials among logons in password

sharing groups. There is one setting that is required for password sharing. See Creating Password Sharing

Groups for more information.

Password Groups Enables password sharing between credentials in a

group.

Notes:

v If you are using the Domain group and the Windows Authenticator v2 is to be included in the group, do not disable Include in "Domain" Password Sharing Group in Primary Logon Methods\Windows v2\Advanced.

v If you are using the LDAP group and the LDAP Authenticator v2 is to be included in the group, do not disable Include in "LDAP" Password Sharing Group in Primary Logon Methods\LDAP2\Advanced.

Options:

v Inform the user about a password change (default).

v Do not inform the user about a password change.

Reg Node: Extensions\AccessManager:PWSEnable


Change Policies (End-User Experience - Password Change):


Node path: End-User Experience > Password Change > Change Policies

The Password Change Policies settings control the sets of characters that are used to define password-change policies, and the administrator-defined policy that is used as the default password-change policy.

Characters: Numeric List of characters allowed as "Numeric" characters in password policies. (default: 1234567890)

Reg Node: Extensions\AccessManager:NumericChars

Characters: Special List of non-alphanumeric (special) characters allowed for passwords. (default: !@#$^&*()_-+=[]\|,?)

Reg Node: Extensions\AccessManager:SpecialChars

Characters: Uppercase List of characters allowed as "Uppercase Alphabet" characters in password policies. (default: ABCDEFGHIJKLMNOPQRSTUVWXYZ)

Reg Node: Extensions\AccessManager:UppercaseAlphabetChars

Characters: Lowercase List of characters allowed as "Lowercase Alphabet" characters in password policies. (default: abcdefghijklmnopqrstuvwxyz)

Reg Node: Extensions\AccessManager:LowercaseAlphabetChars

Default Policy Name of section in entlist.ini that contains the default

password policy. (If no policy is specified in entlist.ini,

the default policy in applist.ini is used.)

Reg Node: Extensions\AccessManager:DefaultPolicy


Advanced (End-User Experience - Password Change):


Node path: End-User Experience > Password Change > Advanced

The Advanced Password Change settings control special-case functions for password-sharing and

automatic password generation.

Allow user to exclude logons from password groups Allows the TAM E-SSO user to exclude an application

logon from the administrator-assigned password sharing

group.

Options:

v Do not allow (default)

v Allow

Reg Node: Extensions\AccessManager:AllowExcludePWSG

Notify Primary Logon Method Apply password sharing to the current authenticator

when credentials in its password-sharing group are

changed.

Options:

v Do not notify the authenticator (default)

v Notify the authenticator

Notes:

v Password sharing is currently supported only for

Windows Authenticator version 2 and LDAP

Authenticator version 2.

v Because the end-user is not notified of the new

password, you should not use automatic password

generation to change the passwords of applications in

the sharing group.

Reg Node: AUI:ShareToAuth

Quietly Change Passwords Quietly generate a random password for a password

change.

Options:

v Inform the user about a password change (default).

v Do not inform the user about a password change.

Reg Node: Extensions\AccessManager:QuietGenerator

Response (End-User Experience):


Node path: End-User Experience > Response

The general Response settings control the behavior of the Agent when the end-user provides credentials

for new logons and when detecting applications requiring logons. You can also control whether end-users

can create logons for applications not created by the administrator.

Automatically logon to applications Automatically provide credentials to applications.

Options:

v Do not automatically provide credentials.

v Automatically provide credentials (default).

Reg Node: Shell:UseActiveLogin

Delay after Java runtime startup Amount of time (in milliseconds) the JHO should wait

before listening to window events at Java startup.

Adding a delay can resolve timing conflicts during Java

runtime initialization.

Display "Add another logon" checkbox Enable or disable display of the "Add another logon" checkbox in the Add Wizard.

Options:

v Disable (default)

v Enable

Reg Node: Extensions\AccessManager:ShowAddAdditionalLogon

Limit user to predefined applications Allow user to add credentials for applications that are

not predefined.

Options:

v Do not allow the user to add credentials for unknown

applications (default).

v Allow the user to add credentials for unknown

applications.

Reg Node: Extensions\AccessManager:AllowUnknown

Logon to waiting applications upon agent startup Enable the agent, at startup, to submit credentials to a

Windows or Java application that has already presented

its logon form. Note: The agent always submits

credentials to Web applications and to host/mainframe

application logons that use polling to elicit logon entry.

These applications are not affected by this setting.

Options:

v Do not logon (default)

v Logon at startup

Reg Node: Shell:LogonOnStartup


Prompt user to add new logons Recognize new applications and ask if the user wants to

add a logon.

Options:

v Do not prompt the user to add new applications.

v Prompt the user to add new applications (default).

Reg Node: Shell:UseAutoSense

Time allowed for Java applets to load Maximum time (in seconds) that the Agent waits for a

Java applet to be fully loaded in the browser (default: 6

seconds).

Reg Node: Shell:UseAutoSense

Utilize the just-added Logon Logon to an application after configuring it (adding its

credentials).

Options:

v Do not logon to an application after adding its

credentials.

v Logon to an application after adding its credentials

(default).

Reg Node: Extensions\AccessManager:LogonAfterConfig

Error Loop (End-User Experience - Response):


Node path: End-User Experience > Response > Error Loop

The Error Loop settings control the Agent's default behavior when it supplies incorrect credentials. A logon error usually occurs when a user enters the wrong password when creating a logon, or changes the application password from another computer. When a logon error occurs, the Agent displays the Logon Error dialog box to let the user enter and store the correct credentials.

Notes

v Use the Error Loop controls to set the Error Loop for specific application types:

– Windows

– Web

– Host/Mainframev Application-type, and application-specific Error Loop settings override these global settings, except

where the Mask password field setting is set here (i.e., globally) to Mask.

v To set the Error Loop for a specific application, select the application (under Applications), then select the

Error Loop tab. Application-specific Error Loop settings override the global Agent and application type

settings, except where the Mask password field setting (in any scope) is set to Mask.

108 Introduction

Page 113: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides

Mask password field(s): Indicate whether to mask the password in the Logon Error dialog; default is Mask.

Note: If this setting, the application-type setting, or the application-specific setting is set to Mask, then the password is masked.

Reg Node: Extensions\AccessManager\Dlg:MaskPW

Maximum retries before prompting: Maximum number of retries (after the first try) allowed before the Logon Error dialog appears; default is 1. This setting applies for each set of credentials.

Reg Node: Extensions\AccessManager\Dlg:MaxRetry

Maximum time for retries before prompting: Maximum time in seconds between successive logon attempts before the Logon Error dialog appears; default is 30. This setting applies for each set of credentials.

Reg Node: Extensions\AccessManager\Dlg:Timeout

Require password confirmation when modifying password: Indicate whether to display the Confirm Password field in the Logon Error dialog; the default is to require password confirmation.

Reg Node: Extensions\AccessManager\Dlg:HideConfirmPW

Collected links: Windows; Web; Host/Mainframe; Error Loop tab

Host/Mainframe Applications (End-User Experience - Response):

2512

Node path: End-User Experience > Response > Host/Mainframe Apps

The Host/Mainframe Response settings control the behavior of the Agent with host/mainframe applications.

Host/Mainframe support: Enable host/mainframe support. See Adding Mainframe applications for more information.

Options:

- Host/mainframe support disabled (default).
- Host/mainframe support enabled.

Reg Node: Extensions\AccessManager:MFEnable

Polling Interval: Interval (in milliseconds) between the agent’s checks of the host emulator for changes. Lower values can use more CPU time; higher values can increase the time between when a screen appears and when the agent provides credentials (default: 700).

Reg Node: Extensions\AccessManager\MHO:CycleInterval

Collected links: Adding Mainframe applications

Web Applications (End-User Experience - Response):

2513

Node path: End-User Experience > Response > Web Apps

The Web Applications Response settings control the behavior of the Agent with Web applications.

Applications to ignore: Comma-delimited list of applications that the BHO should skip when searching for logons.

Border Appearance: Set the default border color, size, and style of Web credential fields (default setting: red 6px solid). See Border Appearance for more information.

Reg Node: Extensions\AccessManager:DNLevelsToMatch

Enable disable button: Indicates whether or not to enable the "Disable" button on the "Would you like the Agent to remember your logon information for this web application?" dialog.

Reg Node: Extensions\AccessManager\BHO:FeedbackColor

Show Border: Display a highlighted border around the credential fields of a Web form during logon.

Options:

- Do not enable the border around fields.
- Enable the border around fields (default).

URL Matching Precision: Number of levels of the URL to use as the matching criteria.

Options (for the Web URL http://mail.passlogix.com):

- Match to *passlogix.com (default)
- Match to *mail.passlogix.com

Collected links: Border Appearance
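The URL Matching Precision setting decides how many trailing labels of a site’s host name the Agent compares when deciding that a stored Web credential belongs to a page. The following added example (not code from IBM or from this help) models that rule so an administrator can see which hosts a credential would be submitted to before widening the match; the `*` prefix follows the page’s own option text, while the IP-literal handling and the label-boundary check in `host_matches` are assumptions about sensible behaviour, not documented product behaviour.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit


def _host_of(url: str) -> str:
    """Lower-cased host name of a URL without a trailing dot."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host


def url_match_key(url: str, levels: int = 2) -> str:
    """Return the host pattern the Agent would treat as 'the same application'.

    ``levels`` mirrors URL Matching Precision: the number of trailing labels of
    the host that are compared.  With the page's default of 2, both
    http://mail.passlogix.com and http://intranet.passlogix.com reduce to
    '*passlogix.com' and therefore share one stored credential; with 3 the key
    is '*mail.passlogix.com'.
    """
    if levels < 1:
        raise ValueError("levels must be >= 1")
    host = _host_of(url)
    try:
        ip_address(host)  # assumption: an IP literal has no labels to widen, match it exactly
        return host
    except ValueError:
        pass
    labels = host.split(".")
    return "*" + ".".join(labels[-levels:])  # capped at the full host when levels is larger


def host_matches(pattern: str, url: str) -> bool:
    """True if ``url`` falls under ``pattern`` as produced by url_match_key.

    Assumption: the suffix test is anchored at a label boundary, so
    '*passlogix.com' covers 'intranet.passlogix.com' but not 'notpasslogix.com'.
    """
    host = _host_of(url)
    if not pattern.startswith("*"):
        return host == pattern
    suffix = pattern[1:]
    return host == suffix or host.endswith("." + suffix)


def hosts_sharing_credential(url: str, candidates: list, levels: int = 2) -> list:
    """Candidate URLs that would receive the credential stored for ``url``.

    This is the review question to ask before lowering the precision: a coarser
    match means the Agent also fills the credential into these other hosts.
    """
    key = url_match_key(url, levels)
    return [c for c in candidates if host_matches(key, c)]
```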

Windows Applications (End-User Experience - Response):

2514

Node path: End-User Experience > Response > Windows Apps

The Windows Applications Response settings control the behavior of the Agent with Windows applications.

Supported Window Classes for Applications: The list of window class names that the Agent recognizes as applications. This setting is provided to improve performance by restricting the Agent to this list. To enable support for dynamic window classes, delete the default settings to set this value to null.

Reg Node: Extensions\AccessManager:AppClasses

Supported Window Classes for Services: The list of window class names that the Agent recognizes as Windows services. This setting is provided to improve performance by restricting the Agent to this list. To enable support for dynamic window classes, delete the default settings to set this value to null. (default: #32770;Dialog;ThunderRT5FormDC;ThunderRT6FormDC)

Reg Node: Extensions\AccessManager:ServiceClasses

Wait for a Window Title: For slow-appearing dialogs/applications, this setting determines how long (in half-seconds) the Agent should wait for a window title to appear. If the window title does not appear in this interval, the dialog is ignored. A higher value uses more CPU cycles. (default: 6)

Reg Node: Extensions\AccessManager:EmptyTitleRetryCount

Setup Wizard (End-User Experience):

2515

Node path: End-User Experience > Setup Wizard

The Setup Wizard settings control the behavior of the Setup Wizard, which is displayed during first-time use. See First Time Use for more information.

Enable/disable First-Time-Use (FTU) wizard: Controls whether the Setup Wizard is displayed when first-time use is invoked.

Options:

- Do not hide (default).
- Hide.

Note: If more than one authenticator (primary logon method) is installed, then the first authenticator in the list is automatically selected as the end user’s primary logon method.

Reg Node: Extensions\SetUpManager:HideWizard

Selected Primary Logon: Enables the selected logon method as the primary logon method and hides all other installed logon methods. The default is no selection (i.e., end users select their own primary logon method).

Note: To hide the primary logon method selection menu, use the Enable/disable First-Time-Use (FTU) wizard setting. If the primary logon method selection page is hidden, and this setting is blank, then the first installed logon method in the list is automatically selected.

Reg Node: AUI:Selected

Skip "selection" page if only one Primary Logon Method installed: Hide the "Select Primary Logon Method" step in the Setup Wizard if only one authenticator (primary logon method) is installed.

Options:

- Do not hide/skip the Select step of the Setup Wizard (default).
- Hide/skip the Select step of the Setup Wizard.

Reg Node: AUI:HideSingleSelection

Collected links: First Time Use

Event Logging

2516

Node path: Event Logging

The Event Logging settings control how the Agent records program events.

- Use the XML File (Event Logging) settings to set different options for local logging.
- Use the Advanced (Event Logging - Windows Event Viewer) settings to set different options for Windows Event logging.

Select events to log: Displays the Event Logging Filter to specify which events to log. Click ... to display a checklist of events.

Reg Node: Extensions\EventManager:Filter

Collected links: Event Logging Filter

Advanced (Event Logging):

2517

Node path: Event Logging > Advanced

The Advanced Event Logging settings let you change the default paths to the logging extension and event message components. You can also modify the retry interval and size of the logging cache.

Event Server Message Library location: Path/filename to the event message library, SSOeventmessage.dll, used for viewing events in Windows Event Viewer. (Default path: C:\Program Files\Passlogix\v-GO SSO\Plugin\EventMgr\SSOeventmessage.dll)

Reg Node: Extensions\EventManager:EventMessagePath

Extension location: The path/filename to the event logging extension, eventmgr.dll. (Default path: C:\Program Files\Passlogix\v-GO SSO\Plugin\EventMgr\eventmgr.dll)

Reg Node: Extensions\EventManager:Path

Cache Retry Interval: Interval (in minutes) between retries for all Event Logging extensions. The default is 30 minutes.

Reg Node: Extensions\EventManager:Retry

Cache Limit: Maximum number of event log entries to be cached; the default is 200 entries.

Reg Node: Extensions\EventManager:CacheLimit

Windows Event Viewer (Event Logging):

2518

Node path: Event Logging > Windows Event Viewer

The Windows Event Viewer settings enable event logging to be performed on a remote server.

Windows Event Logging Server: Server name for the Windows Event Logging extension (do not provide leading "\\" characters). If not provided, logging is performed on the local computer.

The server should have a trusted relationship with the user’s account and the user’s computer, depending on access rights and restrictions.

Reg Node: Extensions\EventManager\WindowsEvent:EventServer

Advanced (Event Logging - Windows Event Viewer):

2519

Node path: Event Logging > Windows Event Viewer > Advanced

The Advanced Windows Event Viewer settings let you specify which events should be logged. You can also change the default path to the Windows Event logging extension and Windows event message components, and you can modify the retry interval of the logging cache.

Cache Retry Interval: Interval (in minutes) between retries for Windows Event Logging; the default is 30 minutes.

Reg Node: Extensions\EventManager\WindowsEvent:Retry

Extension location: Path/filename to the Windows Event Logging extension, WindowsEvent.dll. (Default path: C:\Program Files\Passlogix\v-GO SSO\Plugin\EventMgr\WindowsEvent.dll)

Reg Node: Extensions\EventManager\Logs:WindowsEvent

Of logged events, limit for Windows server to: Displays the Event Logging Filter to specify which events to log to the Windows Event Server. Click ... to display a checklist of events.

Reg Node: Extensions\EventManager\WindowsEvent:Filter

Collected links: Event Logging Filter

XML File (Event Logging):

2520

Node path: Event Logging > XML File

The XML File Event Logging settings let you specify which events should be logged locally. You can also change the default path to the local logging extension, and you can modify the retry interval of the logging cache.

Cache Retry Interval: Interval (in minutes) between retries for Local (XML) File Logging; the default is 30 minutes.

Reg Node: Extensions\EventManager\LocalStorage:Retry

Extension location: The path/filename to the Local (XML) File Logging extension, XMLEvent.dll. (Default path: C:\Program Files\Passlogix\v-GO SSO\Plugin\EventMgr\XMLEvent.dll)

Reg Node: Extensions\EventManager\Logs:LocalStorage

Of logged events, limit for XML file to: Displays the Event Logging Filter to specify which events to log to the Local (XML) File Logging extension. Click ... to display a checklist of events.

Reg Node: Extensions\EventManager\LocalStorage:Filter

Collected links: Event Logging Filter

Kiosk Adapter

TAM E-SSO: Kiosk Adapter:

3000

The TAM E-SSO: Kiosk Adapter settings let you control the operation of the Kiosk Adapter.

Note: These settings apply to TAM E-SSO: Kiosk Adapter only. TAM E-SSO: Kiosk Adapter is an add-on module to TAM E-SSO available separately from IBM.

Close suspended session after how many seconds: Enter the amount of time (in seconds) of inactivity after which a session should be closed.

Reg Node: SM\Agent:ExpireTerm

Event Log Machine Name: Enter the name of the local machine where events should be logged.

Reg Node: SM\Agent:EventLogMachine

Event Log Name: Enter the name of the Windows event log where events should be logged.

Reg Node: SM\Agent:EventLogName

How should we determine which applications to close: This setting controls how applications should be closed.

Options:

- Do not close any applications
- Only close applications configured to be closed on session end
- Close all applications except those configured to be left running on session end

Note: If the last option (close all applications except those configured to be left running) is selected, a list of applications to be left running on session end must be defined and must include all the mandatory default processes. The list of the default processes can be found on the Applications to Leave Running on Session End panel by clicking the Default button. Please note that this list only contains some suggested default processes; the actual processes may vary from machine to machine. If this list is not defined, "ALL" running processes will try to be closed and a crash may occur.

Reg Node: SM\Agent:TermOpType

Lock session when only configured applications are running: This setting determines whether a session should be locked (after a specified period of time) if the only applications open are those configured to be left running on session end. Set the amount of time in the next setting, Lock the session after how many seconds.

Note: If Yes is selected, at least one application must be configured to be left running on session end. These applications are configured in the Kiosk Adapter\Applications to Leave Running on Session End list.

Options:

- No
- Yes

Reg Node: SM\Agent:LockonWhite

Lock the session after how many seconds: This setting determines the amount of time (in seconds) after which TAM E-SSO: Kiosk Adapter should check for applications which are configured to be left running on session end. If only those applications are running, the session will be locked after the amount of time specified in this setting. The default is three minutes.

Note: This setting is only needed if Yes is selected on the above setting, Lock session when only configured applications are running.

Reg Node: SM\Agent:LockonWhiteTimer

Number of times to process termination: Enter the number of times that the termination of an application should be processed. This setting instructs the termination process to loop a certain number of times (or until it is done), whichever comes first. This allows TAM E-SSO: Kiosk Adapter to react to an application if it displays multiple screens during the termination process. The default is one.

Reg Node: SM\Agent:TerminationIteration

Restart computer: This setting determines whether the restart computer option is enabled on the Desktop Manager.

Note: Even if this setting is enabled, the option may still be disabled if the Kiosk account does not have sufficient privileges.

Options:

- Disable
- Enable

Reg Node: SM\Agent:AllowRestart

Show the tray icon: This setting determines whether or not to show the Tray Icon.

Options:

- Show (default)
- Do not show

Reg Node: SM\Agent:ShowTrayIcon

Shutdown computer: This setting determines whether the shutdown computer option is enabled on the Desktop Manager.

Note: Even if this setting is enabled, the option may still be disabled if the Kiosk account does not have sufficient privileges.

Options:

- Disable
- Enable

Reg Node: SM\Agent:AllowShutdown

Collected links: TAM E-SSO: Kiosk Adapter; Applications to Leave Running on Session End

Advanced:

Advanced (Kiosk Adapter):

3000

The TAM E-SSO: Kiosk Adapter advanced settings let you control the confirmation messages presented.

Note: These settings apply to TAM E-SSO: Kiosk Adapter only. TAM E-SSO: Kiosk Adapter is an add-on module to TAM E-SSO available separately from IBM.

Show confirmation message when restarting kiosk: This setting determines whether a user should be prompted with a confirmation message after choosing to restart the kiosk.

Reg Node: SM\Agent:ConfirmRestart

Show confirmation message when shutting down kiosk: This setting determines whether a user should be prompted with a confirmation message after choosing to shut down the kiosk.

Reg Node: SM\Agent:ConfirmShutdown

Show confirmation message when starting a new session: This setting determines whether a user should be prompted with a confirmation message after choosing to start a new session. This message appears only if there is an existing session open.

Reg Node: SM\Agent:ConfirmNewSession

Special Tasks (Kiosk Adapter\Advanced):

2503

Node path: End-User Experience > Advanced > Special Tasks

The Special Tasks settings control the tasks (lists of commands) that should be executed when TAM E-SSO: Kiosk Adapter actions occur. For each set of tasks, select the checkbox and click ... to open the Edit List dialog box. Type one command on each line; end each line by pressing Enter. Do not use any other delimiter characters.

Note: These settings apply to TAM E-SSO: Kiosk Adapter only. TAM E-SSO: Kiosk Adapter is an add-on module to TAM E-SSO available separately from IBM.

After session is closed: Command(s) that will run after a session is closed.

Reg Node: SM\Agent\Tasks:PostTermSessTaskN
Reg Node: Shell\Tasks:RefreshTask

After starting a new session: Command(s) that will run after a new session is started.

Reg Node: SM\Agent\Tasks:PostSyncTaskN
Reg Node: Shell\Tasks:StartupTask

Before starting a new session: Command(s) that will run before a new session is started.

Reg Node: SM\Agent\Tasks:PreSyncTaskN
Reg Node: Shell\Tasks:PreTask

Primary Logon Method

TAM E-SSO: Authentication Manager (Primary Logon Methods):

2547

Node path: Primary Logon Methods > Authentication Manager

The TAM E-SSO: Authentication Manager settings specify the primary logon methods (authenticators) that are to be used by the Multi-Authenticator primary logon.

Allowed number of logon methods: This setting allows you to set the maximum number of logon methods that will be presented to a user. Once this number of logon methods have been presented to (and skipped by) the user, a "Choose Logon" dialog is displayed. Defaults to 1. This setting is only used for the Multi-Authenticator primary logon.

Reg Node: AUI\MultiAuth:MaxPreferred

Allow user to change order of primary logon methods?: This setting allows you to choose whether a user will have the ability to change the order in which logon methods are presented to them. If this is set to Yes, the user can create a preferred order list. Defaults to No. This setting is only used for the Multi-Authenticator primary logon.

Reg Node: AUI\MultiAuth:ChangeAuthOrder

Collected links: TAM E-SSO: Authentication Manager

Enrollment (Primary Logon Methods\Authentication Manager):

2549

Node path: Primary Logon Methods > Authentication Manager > Enrollment

The Authentication Manager\Enrollment settings specify the primary logon methods (authenticators) that can be used by the Multi-Authenticator primary logon.

The settings on this page determine whether a user will be required to set up a specific logon method during the First Time Use Wizard, if Authentication Manager is chosen as the primary logon method.

For each primary logon method, select Optional, Required, or Disabled.

Note: These settings are used in TAM E-SSO: Authentication Adapter only.

Entrust: Select whether a user will be required to set up Entrust as a primary logon method.

Reg Node: AUI\Entrust:AuthState

LDAP: Select whether a user will be required to set up LDAP as a primary logon method.

Reg Node: AUI\LDAP:AuthState

LDAP v2: Select whether a user will be required to set up LDAP v2 as a primary logon method.

Reg Node: AUI\LDAPauth:AuthState

Smart Card: Select whether a user will be required to set up Smart Card as a primary logon method.

Reg Node: AUI\SCauth:AuthState

Windows: Select whether a user will be required to set up Windows as a primary logon method.

Reg Node: AUI\WinAuth:AuthState

Windows v2: Select whether a user will be required to set up Windows v2 as a primary logon method.

Reg Node: AUI\MSAuth:AuthState

Collected links: First Time Use Wizard; TAM E-SSO: Authentication Adapter

Grade (Primary Logon Methods\Authentication Manager):

2550

Node path: Primary Logon Methods > Authentication Manager > Grade

The Authentication Manager\Grade settings specify an authentication grade for each primary logon method.

Authentication Grades are numeric values. An authentication grade will automatically default to grade level 1 if authentication grading is turned on and no grade level is specified. The higher the grade level specified, the stronger the authentication level that is being requested.

The grading scale can be arbitrarily configured. For example, an expected normal scenario would be a scale of 1-3, but you have the flexibility to make this 1-5 or 1-n, as required. Any grade less than 1 will be converted to 1.

The Multi-Authenticator primary logon supports the authentication grades by mapping the grades to the authentication methods used.

If a user tries to access credentials with a grade level that is too low, they will be asked to authenticate at a higher grade and only gain access if successful.

Lockouts occur as per normal TAM E-SSO authentication lockout policy. Since graded authentication uses the core TAM E-SSO authentication process, this will happen naturally.

Set a number grade value (>=1) for each logon method.

Note: These settings are used in TAM E-SSO: Authentication Adapter only.

Entrust: This setting assigns an authentication grade to Entrust. This value is used for Multi-Authenticator primary logon. Set a number grade value (>=1).

Reg Node: AUI\Entrust:AuthGrade

LDAP: This setting assigns an authentication grade to LDAP. This value is used for Multi-Authenticator primary logon. Set a number grade value (>=1).

Reg Node: AUI\LDAP:AuthGrade

LDAP v2: This setting assigns an authentication grade to LDAP v2. This value is used for Multi-Authenticator primary logon. Set a number grade value (>=1).

Reg Node: AUI\LDAPauth:AuthGrade

Smart Card: This setting assigns an authentication grade to Smart Card. This value is used for Multi-Authenticator primary logon. Set a number grade value (>=1).

Reg Node: AUI\SCauth:AuthGrade

Windows: This setting assigns an authentication grade to Windows. This value is used for Multi-Authenticator primary logon. Set a number grade value (>=1).

Reg Node: AUI\WinAuth:AuthGrade

Windows v2: This setting assigns an authentication grade to Windows v2. This value is used for Multi-Authenticator primary logon. Set a number grade value (>=1).

Reg Node: AUI\MSAuth:AuthGrade

Collected links: Authentication Grades; TAM E-SSO: Authentication Adapter

Order (Primary Logon Methods\Authentication Manager):

2551

Node path: Primary Logon Methods > Authentication Manager > Order

The Authentication Manager\Order settings specify the sequence in which the installed logon methods will be presented to the end user during the First Time Use Wizard and the application logon, if Authentication Manager is chosen as the primary logon method.

For each primary logon method, select or type a number to indicate the logon method’s position in the FTU/logon order.

Note: These settings are used in TAM E-SSO: Authentication Adapter only.

Allowed number of logon methods: This setting allows you to set the maximum number of logon methods that will be presented to a user. Once this number of logon methods have been presented to (and skipped by) the user, a "Choose Logon" dialog is displayed. Defaults to 1. This setting is only used for the Multi-Authenticator primary logon.

Reg Node: AUI\MultiAuth:MaxPreferred

Entrust: This setting sets the ordered position for Entrust. This will be the order in which Entrust will be presented to the end user during the First-Time-Use Wizard and application logons. This setting is only used for Multi-Authenticator logons. Defaults to 4.

Reg Node: AUI\Entrust:AuthOrder

LDAP: This setting sets the ordered position for LDAP. This will be the order in which LDAP will be presented to the end user during the First-Time-Use Wizard and application logons. This setting is only used for Multi-Authenticator logons. Defaults to 3.

Reg Node: AUI\LDAP:AuthOrder

LDAP v2: This setting sets the ordered position for LDAP v2. This will be the order in which LDAP v2 will be presented to the end user during the First-Time-Use Wizard and application logons. This setting is only used for Multi-Authenticator logons. Defaults to 3.

Reg Node: AUI\LDAPauth:AuthOrder

Smart Card: This setting sets the ordered position for Smart Card. This will be the order in which Smart Card will be presented to the end user during the First-Time-Use Wizard and application logons. This setting is only used for Multi-Authenticator logons. Defaults to 1.

Reg Node: AUI\SCauth:AuthOrder

Windows: This setting sets the ordered position for Windows. This will be the order in which Windows will be presented to the end user during the First-Time-Use Wizard and application logons. This setting is only used for Multi-Authenticator logons. Defaults to 2.

Reg Node: AUI\WinAuth:AuthOrder

Windows v2: This setting sets the ordered position for Windows v2. This will be the order in which Windows v2 will be presented to the end user during the First-Time-Use Wizard and application logons. This setting is only used for Multi-Authenticator logons. Defaults to 2.

Reg Node: AUI\MSAuth:AuthOrder

Collected links: First Time Use Wizard; TAM E-SSO: Authentication Adapter
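The Grade and Order settings above interact: Order and MaxPreferred decide which authenticators a user is offered, and Grade decides whether the authenticator that succeeded is strong enough for the credential being requested. The following added example (not IBM’s code) replays both rules with the default AuthOrder values and MaxPreferred quoted on this page; the grade values, the tie-breaking between equal AuthOrder values, and the exact moment the "Choose Logon" dialog replaces the next prompt are assumptions, since the page does not specify them.

```python
from typing import Dict, List, Optional, Set

# Defaults quoted in the Order settings (AuthOrder per method, MaxPreferred).
DEFAULT_AUTH_ORDER: Dict[str, int] = {
    "Smart Card": 1, "Windows": 2, "Windows v2": 2,
    "LDAP": 3, "LDAP v2": 3, "Entrust": 4,
}
DEFAULT_MAX_PREFERRED = 1


def normalize_grade(grade: Optional[int]) -> int:
    """Apply the Grade rules: an unset grade defaults to 1 and any grade below 1 is converted to 1."""
    if grade is None:
        return 1
    return max(1, int(grade))


def grade_satisfies(method_grade: Optional[int], required_grade: Optional[int]) -> bool:
    """True when the authenticator's grade meets the minimum an application requires.

    When it does not, the page says the user is asked to authenticate at a higher
    grade and only gains access if that succeeds.
    """
    return normalize_grade(method_grade) >= normalize_grade(required_grade)


def methods_meeting_grade(auth_grades: Dict[str, Optional[int]], required_grade: int,
                          installed: List[str]) -> List[str]:
    """Installed methods whose AuthGrade would unlock a credential of the given grade."""
    return [m for m in installed if grade_satisfies(auth_grades.get(m), required_grade)]


def presentation_order(installed: List[str], auth_order: Dict[str, int],
                       enrollment: Dict[str, str]) -> List[str]:
    """Sort installed methods by AuthOrder, dropping those whose Enrollment state is Disabled.

    Assumption: ties (Windows and Windows v2 both default to 2) keep the order in
    which the methods were listed; methods with no AuthOrder value sort last.
    """
    active = [m for m in installed if enrollment.get(m, "Optional") != "Disabled"]
    return sorted(active, key=lambda m: auth_order.get(m, len(auth_order) + 1))


def walk_logon(order: List[str], max_preferred: int, skipped: Set[str]) -> List[str]:
    """Replay the Multi-Authenticator prompt sequence.

    Methods are offered in ``order``; once MaxPreferred of them have been presented
    and skipped, the "Choose Logon" dialog is shown instead of the next method.
    ``skipped`` models which prompts the user dismisses (constructed input); the first
    method that is not skipped authenticates and ends the sequence.
    """
    events: List[str] = []
    presented = 0
    for method in order:
        if presented >= max_preferred:
            break
        events.append(f"present {method}")
        presented += 1
        if method not in skipped:
            events.append(f"authenticate {method}")
            return events
    events.append("Choose Logon dialog")
    return events
```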

LDAP:

Advanced (Primary Logon Methods - LDAP version 2 - Advanced):

2521

Node path: Primary Logon Methods > LDAP v2 > Advanced

The Advanced LDAP Primary Logon Methods settings control special-case options for enabling LDAP version 2 authentication.

Alternate User ID location: Indicates where to locate a user object when the user validates against an attribute other than the username.

Example: If users authenticate with an employee ID # for logon (validation against the empid attribute) and the user object is in ou=people,dc=computer, then set this location to

empid=%user,ou=people,dc=computer

instead of to

uid=user,ou=people,dc=computer

Notes:

- For Novell eDirectory, Alternate User ID location should be: uid=%user,path to the object%.
- If you use Alternate User ID location, do not use Naming Attribute string or User Paths.

Authenticator Grade: Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication in which applications may be assigned a minimum grade that the primary logon method must have in order for the Agent to log on. See Authentication tab (for selected application).

BIND Timeout: The time (in milliseconds) to time out of the LDAP BIND call (default depends on the operating system).

Reg Node: AUI\LDAPauth:PWSEnable

Include in "LDAP" Password Sharing group: Share password changes from the LDAP authenticator to credentials in the LDAP Password Group. This setting requires that password sharing be enabled; see the Password Groups setting.

Options:

- Do not share password changes from the LDAPauth authenticator to credentials in the Group LDAP.
- Share password changes from the LDAPauth authenticator to credentials in the Group LDAP (default).

Reg Node: AUI\LDAPauth:UserLocation

Naming Attribute string: String to prepend to UserPaths. This is required when the domain name for a user is in the form:

cn=%UserName%,ou=people,dc=computer

instead of the form:

namingattribute=%UserName%,ou=people,dc=computer

(where namingattribute can be any string). If needed, set to cn.

Reg Node: AUI\LDAPauth:UserPrepend

Passphrase: Enables the passphrase challenge for additional security. Users must provide a passphrase answer during First Time Use; this is the default setting.

Options:

- Disable
- Enable (default)

Reg Node: AUI\LDAPauth:ResetEnable

When SSL fails
Fall back to an insecure connection when an SSL connection fails.
Options:
v Do not connect if the SSL connection fails (default).
v Connect without SSL (insecure) if the SSL connection fails.
Note: If you select SSLFallback and any of the servers listed in Servers includes a port specification, the fallback port must also be specified as an additional Servers entry.
Example: If the SSL connection is to mycomputer.com:1272, then an additional entry must point to the fallback port, such as:
Server1=mycomputer.com:1272 ;My secure SSL Port
Server2=mycomputer.com:389 ;My fallback port
Reg Node: AUI\LDAPauth:SSLFallback

Windows Title Name
Use this setting to customize the Window title name for this authenticator.
Note: This entry is not required.

Collected links
User Paths
Authentication tab (for selected application)
LDAP Password Group
Password Groups
Servers

Required (Primary Logon Methods - LDAP version 2 - Required):
Node path: Primary Logon Methods > LDAP v2 > Required
The Required LDAP v2 Primary Logon Methods settings are the primary controls for enabling LDAP version 2 authentication. These settings must be used in order for the Agent to use LDAP v2 as a primary logon method.


Servers
Servers to try, in the format "computer[:port]" (one server per line), where computer is the server name or IP address, and port is assumed to be the default (636 for SSL, 389 for no SSL) if not specified.
Example:
127.0.0.1
127.0.0.1:456
somewhereelse.com:8080
anotherplace.com
Notes:
v At least one server must be specified for this extension to work.
v If specifying a port value, see When SSL fails (Reg Node AUI\LDAPauth:SSLFallback).
Reg Node: AUI\LDAPauth\Servers:Server

SSL
Select to connect via SSL.
Options:
v Connect without SSL (insecure) (default port 389).
v Connect via SSL (default port 636) (default setting).
Reg Node: AUI\LDAPauth:UseSSL

SSL CertDB location
Path\filename of the cert7.db certificate database file. (Do not change the name of the file from cert7.db.)
Reg Node: AUI\LDAPauth:CertDBPath

User Paths
Fully qualified path of where the user account is located. There can be unlimited paths to search. The extension searches these in order, looking for the user account. If not found, the extension will search the directory tree.
Notes:
v A value for either Naming Attribute string or at least one value for User Paths must be specified for this extension to work.
v If using User Paths, do not use Alternate User ID location.
Reg Node: AUI\LDAPauth:UserPath

Collected links
Naming Attribute string
Alternate User ID location

Advanced (Primary Logon Methods - LDAP - Advanced):
Node path: Primary Logon Methods > LDAP > Advanced
The Advanced LDAP Primary Logon Methods settings control special-case options for enabling standard LDAP authentication.


Active Directory: Domain name support enabled
Enables Active Directory domain-name support. End users can specify the domain name (e.g., domainname\username) at primary logon. Alternatively, the administrator can specify a default domain name (see Active Directory: Set domain name) to let end users log on by username alone. If no domain is specified, then the local workstation's domain is used.
Options:
v Do not use AD domain names (default)
v Use AD domain names
Reg Node: AUI\LDAP:UsingAD

Active Directory: Set domain name
The Active Directory domain name to use for primary logon if no domain is specified for the username/ID credential (e.g., domainname\username). This setting is used only if Active Directory: Domain name support enabled is set to "Use AD domain names." If domain-name support is enabled and this setting is blank (and the end user does not specify a domain), then the local workstation's domain is used.
Reg Node: AUI\LDAP:ADDomain

Alternate User ID location
Indicates where to locate a user object when the user validates against an attribute other than the username.
Example: If users authenticate with an employee ID number for logon (validation against the empid attribute) and the user object is in ou=people,dc=computer, then set this location to
empid=%user,ou=people,dc=computer
instead of to
uid=user,ou=people,dc=computer
Notes:
v For Novell eDirectory, Alternate User ID location should be: uid=%user, path to the object%.
v If you use Alternate User ID location, do not use Naming Attribute string or User Paths.
Reg Node: AUI\LDAP:UserLocation

Authenticator Grade
Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication, in which applications may be assigned a minimum grade that the primary logon method must have in order for the Agent to log on. See Authentication tab (for selected application).

BIND Timeout
The time (in milliseconds) after which the LDAP BIND call times out (default depends on the operating system).


SSL Fallback
Fall back to an insecure connection when an SSL connection fails.
Options:
v Do not connect if the SSL connection fails (default).
v Connect without SSL (insecure) if the SSL connection fails.
Note: If you select SSLFallback and any of the servers listed in Servers includes a port specification, the fallback port must also be specified as an additional Servers entry.
Example: If the SSL connection is to mycomputer.com:1272, then an additional entry must point to the fallback port, such as:
Server1=mycomputer.com:1272 ;My secure SSL Port
Server2=mycomputer.com:389 ;My fallback port
Reg Node: AUI\LDAP:SSLFallback

Naming Attribute string
String to prepend to User Paths. This is required when the distinguished name (DN) for a user is in the form
cn=%UserName%,ou=people,dc=computer
instead of the form
namingattribute=%UserName%,ou=people,dc=computer
(where namingattribute can be any string). If needed, set to cn.
Notes:
v This value usually needs to be set to cn for Novell eDirectory.
v If you use Naming Attribute string, you must use User Paths and not use Alternate User ID location.

Window Title Name
Use this setting to customize the Window title name for this authenticator.
Note: This entry is not required.
Reg Node: AUI\LDAP:WindowTitle

Collected links
User Paths
Authentication tab (for selected application)
Servers


Required (Primary Logon Methods - LDAP - Required):
Node path: Primary Logon Methods > LDAP > Required
The Required LDAP Primary Logon Methods settings are the primary controls for enabling standard LDAP authentication. These settings must be used in order for the Agent to use LDAP as a primary logon method.

Servers
Servers to try, in the format "computer[:port]" (one server per line), where computer is the server name or IP address, and port is assumed to be the default (636 for SSL, 389 for no SSL) if not specified.
Example:
127.0.0.1
127.0.0.1:456
somewhereelse.com:8080
anotherplace.com
Notes:
v At least one server must be specified for this extension to work.
v If specifying a port value, see SSL Fallback (Reg Node AUI\LDAP:SSLFallback).
Reg Node: AUI\LDAP\Servers:Server

SSL
Select to connect via SSL.
Options:
v Connect without SSL (insecure) (default port 389).
v Connect via SSL (default port 636) (default setting).
Reg Node: AUI\LDAP:UseSSL

SSL CertDB location
Path\filename of the cert7.db certificate database file. (Do not change the name of the file from cert7.db.)
Reg Node: AUI\LDAP:CertDBPath

User Paths
Fully qualified path where the user account is located. There can be unlimited paths to search. The extension searches these in order, looking for the user account. If not found, the extension will search the directory tree.
Notes:
v A value for either Naming Attribute string or at least one value for User Paths must be specified for this extension to work.
v If using User Paths, do not use Alternate User ID location.
Reg Node: AUI\LDAP:UserPath

Collected links
Naming Attribute string
Alternate User ID location


Advanced (Primary Logon Methods - Smart Card):
Node path: Primary Logon Methods > Smart Card > Advanced
The Smart Card Primary Logon Methods settings control special-case options for smart card authentication.

Authentication Grade
Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication, in which applications may be assigned a minimum grade that the primary logon method must have in order for the Agent to log on. See Authentication tab (for selected application).

Passphrase
Enables the passphrase challenge for additional security. The passphrase can be supplied either by the user entering the passphrase in a dialog box (the default setting), or by the newest non-default encryption certificate on the card itself.
Note: The default setting requires users to provide a passphrase answer during First Time Use.
Options:
v Disable
v Enable using a dialog box (default)
v Enable using the card's certificate
Allow the Reset passphrase to be used (default: 1).
Options:
0 Disable
1 Enable
Reg Node: AUI\SCauth:ResetEnable

Use the default certificate for authentication
Use the default logon certificate (provided by the administrator) on the card for authentication. If not enabled (the default), use (and create if necessary) the public/private keys in the SSO container on the card.
Options:
v Use SSO-generated keys (default)
v Use the default logon certificate
Reg Node: AUI\SCauth:UseCertOnCard

Windows Subtitle Name
Use this setting to customize the Window subtitle name for this authenticator.
Note: This entry is not required.


Windows Title Name
Use this setting to customize the Window title name for this authenticator.
Note: This entry is not required.

Whether to store the PIN
Whether to store the smart card PIN (in which case the Agent may prompt for the PIN), or to let the smart card drivers handle requesting the PIN.
Options:
v Do not store PIN (default)
v Store PIN
Reg Node: AUI\SCauth:AuthOptions

Collected links
Authentication tab (for selected application)

Windows (Primary Logon Methods):
Node path: Primary Logon Methods > Windows
The Windows Primary Logon Methods settings control standard Windows authentication.

When user's Windows password changes...
Require the user to enter the old Windows password when a new one is in use. This setting is disabled by default.
Options:
v Do not require the old Windows password (default).
v Require the old Windows password.
Reg Node: AUI\WinAuth:PWEnable

Advanced (Primary Logon Methods - Windows):
Node path: Primary Logon Methods > Windows > Advanced


Authenticator Grade
Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication, in which applications may be assigned a minimum grade that the primary logon method must have in order for the Agent to log on. See Authentication tab (for selected application).

Window Subtitle Name
Use this setting to customize the Window subtitle name for this authenticator.
Note: This entry is not required.

Window Title Name
Use this setting to customize the Window title name for this authenticator.
Note: This entry is not required.

Collected links
Authentication tab (for selected application)

Windows v2 (Primary Logon Methods):
Node path: Primary Logon Methods > Windows v2
The Windows v2 Primary Logon Methods settings are the primary controls for the Windows Authenticator version 2.

Include in "Domain" Password Sharing Group
Share password changes between the MS Windows authenticator and credentials in the Domain password-sharing group. This setting requires that password sharing be enabled; see the Password Groups in Required Password Change settings.
Options:
v Password sharing between this authenticator and group Domain is disabled.
v Password sharing between this authenticator and group Domain is enabled (default).
Reg Node: AUI\MSauth:PWSEnable


Reauthentication dialog
Select which method to use when TAM E-SSO requires the end user to reauthenticate.
Options:
v Use TAM E-SSO dialog: reauthenticate using the Agent's own dialog; TAM E-SSO functionality is suspended until authentication is successful (default).
v Use GINA: reauthenticate using the Windows GINA authenticator dialog; the workstation is locked until authentication is successful.
Reg Node: AUI\MSauth:AuthOptions

Collected links
Domain
Password Groups
Required Password Change

Advanced (Primary Logon Methods - Windows version 2):
Node path: Primary Logon Methods > Windows v2 > Advanced
The Advanced Windows v2 Primary Logon Methods settings control special-case options for the Windows Authenticator version 2.

Authentication Grade
Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication, in which applications may be assigned a minimum grade that the primary logon method must have in order for the Agent to log on. See Authentication tab (for selected application).

MultiAuth: Require setup for multi-authentication
Determines whether to require the user to set up this logon method during First Time Use if "MultiAuth" is selected as the primary logon method. This setting is only used for multi-authenticator primary logon.

Passphrase
Enables the passphrase challenge for additional security. Users must provide a passphrase answer during First Time Use; this is the default setting.
Options:
v Disable
v Enable (default)


Passphrase Checkbox Message
Use this setting to customize the checkbox of the user-agreement-style dialog.
Note: This checkbox must be checked before the dialog can be dismissed. The OK button is disabled until this checkbox is checked. (Default: I have read and understand the provisions listed above.)

Passphrase Message
Use this setting to display a user-agreement-style dialog where the user must check a checkbox to continue. This is typically used to stress the importance of the passphrase that the user enters.
Note: This message may contain multiple lines, 180 characters maximum. The character sequence "\n" will be replaced with carriage return and newline characters. If this setting is not set, the dialog is skipped.

Passphrase Message Dialog Title
Use this setting to customize the title of the user-agreement-style dialog.

Passphrase Minimum Length
Default required length of a passphrase. This setting can be overridden by setting the required length for a specific question. Default is 8.

Window Subtitle Name
Use this setting to customize the Window subtitle name for this authenticator.
Note: This entry is not required.

Window Title Name
Use this setting to customize the Window title name for this authenticator.
Note: This entry is not required.
Reg Node: AUI\MSauth:ResetEnable

Collected links
Authentication tab (for selected application)

Security

Common (Security):
Node path: Security > Common
The Common Security setting controls the frequency with which end users must re-enter their primary logon passwords.


Reauthentication timer
Time between reauthentication requests (in milliseconds). If set to 4,294,967,295 (0xFFFFFFFF), the timer never expires and the user never needs to reauthenticate, except in forced authentication scenarios.
Notes:
v Default value for a client-side installation is 900000 (15 minutes).
v Default value in a Terminal Services environment is 4,294,967,295 (disabled).
Reg Node: Extensions\AccessManager:AutoLogin

Advanced (Security):
Node path: Security > Advanced
The Advanced Security settings control end users' access to view their application logon passwords. You can also set the preferred encryption provider and strength.

Allow Password Revealing
Allow the user to reveal passwords in Wizards and on property pages.
Options:
v Do not allow the user to reveal passwords.
v Allow the user to reveal passwords (default).
Reg Node: Extensions\AccessManager:AllowReveal

Default encryption
Select an encryption algorithm and strength.
Options:
v Cobra 128-bit
v Blowfish 448-bit
v Triple-DES 168-bit
v AES 256-bit
v Triple-DES (MS CAPI) (All OSs) (default)
v Triple-DES (MS CAPI) (XP only)
v RC-4 (MS CAPI) (All OSs)
v RC-4 (MS CAPI) (XP only)
v AES (MS CAPI) (XP only)
Note: Setting PreferredCSP to an option that is supported only on Windows XP/2003 disables a TAM E-SSO Agent running on another operating system.
Note: Of the listed algorithms, RC-4 is a stream cipher that is no longer considered secure; prefer an AES option that every Agent platform in the deployment supports.
Reg Node: CSP:PreferredCSP


Require reauthentication to Reveal passwords
Require reauthentication if the user selects Reveal or Reveal All in Logon Manager and in dialogs.
Options:
v Do not require reauthentication.
v Require reauthentication (default).
Reg Node: Extensions\AccessManager:ReauthOnReveal
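The Security entries above, together with the SSL entries of the authenticators and synchronizer extensions, are the values an auditor checks first on a deployed Agent. The following is an added example, not code from the IBM help or from the product: it parses the text that a registry export of the Agent's settings produces and reports the combinations this reference documents as insecure (a reauthentication timer of 0xFFFFFFFF, password revealing allowed without reauthentication, UseSSL off or SSLFallback on, and a synchronizer DLL loaded from outside the install directory). Assumptions the page does not state: the settings live under HKEY_LOCAL_MACHINE\SOFTWARE\Passlogix with each Reg Node path appended to that root, yes/no settings are REG_DWORD 0/1 (the page shows that encoding only for SSLFallback and ResetEnable), and the sample export is constructed.

```python
"""Audit a .reg export of TAM E-SSO Agent settings for weak choices.

Added example, not from the IBM help. Assumptions (not on the page): keys sit
under HKEY_LOCAL_MACHINE\\SOFTWARE\\Passlogix, yes/no values are REG_DWORD 0/1,
and the sample export below is constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

RegValue = Tuple[str, object]            # ("dword", int) or ("sz", str)
RegKeys = Dict[str, Dict[str, RegValue]]

# Constructed sample of what `reg export HKLM\SOFTWARE\Passlogix agent.reg` might
# give on a workstation with several weak choices (UseSSL is absent for the
# synchronizer on purpose: the page's default for synchronizers is no SSL).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Passlogix\Extensions\AccessManager]
"AutoLogin"=dword:ffffffff
"AllowReveal"=dword:00000001
"ReauthOnReveal"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Passlogix\AUI\LDAPauth]
"UseSSL"=dword:00000001
"SSLFallback"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Passlogix\Extensions\SyncManager\Syncs\LDAP]
"SSLFallback"=dword:00000000
"Path"="C:\\Users\\Public\\ldapsync.dll"
"""

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# the page's default install location for synchronizer extensions
INSTALL_PLUGIN_DIR = "c:\\program files\\passlogix\\v-go sso\\plugin\\syncmgr\\"


def _unescape(s: str) -> str:
    """Undo the .reg escaping of backslash and double quote."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> RegKeys:
    """Parse [key] headers and "name"=dword:/"string" lines of a .reg export."""
    keys: RegKeys = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue                       # file header, blank line, "@=" default value
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = ("dword", int(data[6:], 16))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = ("sz", _unescape(data[1:-1]))
    return keys


def _dword(vals: Dict[str, RegValue], name: str, default: int) -> int:
    kind, value = vals.get(name, ("dword", default))
    return value if kind == "dword" else default


def audit(keys: RegKeys) -> List[str]:
    """Findings, one line each, named by the page's Reg Node notation."""
    findings: List[str] = []
    for path, vals in keys.items():
        node = path.split("\\Passlogix\\", 1)[-1]          # the "Reg Node" part
        parts = node.lower().split("\\")
        is_auth = len(parts) == 2 and parts[0] == "aui"
        is_sync = len(parts) == 4 and parts[:3] == ["extensions", "syncmanager", "syncs"]
        if parts == ["extensions", "accessmanager"]:
            if _dword(vals, "AutoLogin", 900000) == 0xFFFFFFFF:
                findings.append(f"{node}:AutoLogin=0xFFFFFFFF: reauthentication timer never expires")
            if _dword(vals, "AllowReveal", 1) == 1 and _dword(vals, "ReauthOnReveal", 1) == 0:
                findings.append(f"{node}: passwords can be revealed without reauthentication")
        if is_auth or is_sync:
            # page defaults: authenticators default to SSL, synchronizers to no SSL
            if _dword(vals, "UseSSL", 1 if is_auth else 0) == 0:
                findings.append(f"{node}:UseSSL=0: cleartext LDAP")
            if _dword(vals, "SSLFallback", 0) == 1:
                findings.append(f"{node}:SSLFallback=1: silent downgrade to cleartext on SSL failure")
        if is_sync:
            kind, dll = vals.get("Path", ("sz", ""))
            if dll and not str(dll).lower().startswith(INSTALL_PLUGIN_DIR):
                findings.append(f"{node}:Path={dll}: synchronizer DLL outside the install directory")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

The synchronizer DLL check matters because Extension location is an absolute path the Agent loads at start: a path in a user-writable directory lets anyone on the workstation replace the code that handles every synchronized credential.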

Synchronization
Node path: Synchronization
The Synchronization settings are the general options for credential synchronization for all synchronizer extensions. Use these settings to control the following functions and features:

LDAP:

Required (Synchronization - LDAP):
Node path: Synchronization > %LDAP% > Required
The Required LDAP Synchronization settings must be set for all LDAP synchronizer extensions.

Directory Type
The specific type of directory server. If the directory server is not listed, select "Unspecified LDAP Directory" (the default) for backwards compatibility in upgrade scenarios; otherwise select "Generic LDAP Directory".
Options:
v Unspecified LDAP Directory (default)
v Novell eDirectory
v Novell NDS
v Generic LDAP Directory
v Sun Java System Directory
v IBM Tivoli Directory Server
v Oracle Directory Server
Reg Node: Extensions\SyncManager\Syncs\%LDAP%:DirectoryType


User Paths
Fully qualified path where the user account is located. There can be unlimited paths to search. The extension searches these in order, looking for the user account. If not found, the extension will search the directory tree.
Notes:
v A value for either Naming Attribute string or at least one value for User Paths must be specified for this extension to work.
v If using User Paths, do not use Alternate User ID location.
Reg Node: Extensions\SyncManager\Syncs\%LDAP%:UserPath

Extension location
Path\filename of the LDAP Directory Server synchronizer extension.
(Default path: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\LDAPEXT\ldapsync.dll)
Reg Node: Extensions\SyncManager\Syncs\%LDAP%:Path

Servers
Specify the servers and the order in which to attempt connection for synchronization. Select the checkbox and click ... to open the Edit List dialog box. Type one server on each line; end each line by pressing Enter. Do not use any other delimiter characters.
The format is computer[:port], where computer is the server name or IP address, and port is assumed to be the default (636 for SSL, 389 for no SSL) if not specified.
Example:
127.0.0.1
127.0.0.1:456
somewhereelse.com:8080
anotherplace.com
Notes:
v At least one server must be specified for the extension to work.
v If you specify a port, see SSLFallback.
Reg Node: Extensions\SyncManager\Syncs\%LDAP%\Servers:Server


SSL
Select to connect via SSL.
Options:
v Connect without SSL (insecure; default port 389) (default setting).
v Connect via SSL (default port 636).
Note: Unlike the LDAP primary logon methods, which default to SSL, this extension defaults to an unencrypted connection; the credentials it synchronizes cross the network in the clear unless you select SSL.
Reg Node: Extensions\SyncManager\Syncs\%LDAP%:UseSSL

SSL CertDB location
Path\filename of the cert7.db certificate database file. (Do not change the name of the file from cert7.db.)
Reg Node: Extensions\SyncManager\Syncs\%LDAP%:CertDBPath

Collected links
Naming Attribute string
Alternate User ID location
SSLFallback

Advanced (Synchronization - LDAP):
Node path: Synchronization > %LDAP% > Advanced
The Advanced LDAP Synchronization settings control special-case options for all LDAP synchronizer extensions.

Logon attempts
Number of times to present the retry dialog to the user (default: 3).
Reg Node: Extensions\SyncManager\Syncs\%LDAP%:RetryLockCount


When SSL fails
Fall back to an insecure connection when an SSL connection fails.
Options:
v Do not connect if the SSL connection fails (default).
v Connect without SSL (insecure) if the SSL connection fails.
Note: If you select SSLFallback and any of the servers listed in Servers includes a port specification, the fallback port must also be specified as an additional Servers entry.
Example: If the SSL connection is to mycomputer.com:1272, then an additional entry must point to the fallback port, such as:
Server1=mycomputer.com:1272 ;My secure SSL Port
Server2=mycomputer.com:389 ;My fallback port
Reg Node: Extensions\SyncManager\Syncs\%LDAP%:SSLFallback

Security Version
Update the ACI with a new AdminGroup value when this value is higher than SecurityUpgrade.
Reg Node: Extensions\SyncManager\Syncs\%LDAP%:SecurityVersion

Admin Group DN
DN of the administrative group. This value is placed in the ACI. Example: cn=configuration administrators,ou=groups,ou=topologymanagement,o=netscaperoot
Reg Node: Extensions\SyncManager\Syncs\%LDAP%:AdminGroup

Naming Attribute string
String to prepend to User Paths. This is required when the distinguished name (DN) for a user is in the form
cn=%UserName%,ou=people,dc=computer
instead of the form
namingattribute=%UserName%,ou=people,dc=computer
(where namingattribute can be any string). If needed, set to cn.
Notes:
v This value usually needs to be set to cn for Novell eDirectory.
v If you use Naming Attribute string, you must use User Paths and not use Alternate User ID location.
Reg Node: Extensions\SyncManager\Syncs\%LDAP%:UserPrepend


DSAME disabled-account support
Recognize disabled accounts on Sun Java System Directory Server 5.1/6.0, formerly known as iPlanet Directory Server Access Management Edition (DSAME).
Options:
v The server is not a Sun Java System Directory Server 5.1 (default).
v The server is a Sun Java System Directory Server 5.1.
Reg Node: Extensions\SyncManager\Syncs\%LDAP%:UsingDSAME

Descriptive name
Logon dialog title, to help differentiate between multiple synchronizer extensions having the same name.
Note: This entry is not required.
Reg Node: Extensions\SyncManager\Syncs\%LDAP%:DisplayName

Configuration Objects Base Locations
Where to begin the search for role/group-enabled configuration objects. The search is from the specified location(s) downward. If there are no entries for this setting, the search is from the base location.
Reg Node: Extensions\SyncManager\Syncs\%LDAP%\COBaseLocations:Location

BIND Timeout
The time (in milliseconds) after which the LDAP BIND call times out (default depends on the operating system).
Reg Node: Extensions\SyncManager\Syncs\%LDAP%:Timeout

Alternate User ID location
Indicates where to locate a user object when the user validates against an attribute other than the username.
Example: If users authenticate with an employee ID number for logon (validation against the empid attribute) and the user object is in ou=people,dc=computer, then set this location to
empid=%user,ou=people,dc=computer
instead of to
uid=user,ou=people,dc=computer
Notes:
v For Novell eDirectory, Alternate User ID location should be: uid=%user, path to the object%.
v If you use Alternate User ID location, do not use Naming Attribute string or User Paths.
Reg Node: Extensions\SyncManager\Syncs\%LDAP%:UserLocation


Prompt when disconnected
Allow the user to work offline without prompting/notification if a synchronization event fails.
Options:
v Prompt/notify the user (default).
v Do not prompt.
Reg Node: Extensions\SyncManager\Syncs\%LDAP%:AllowOffline

Collected links
Servers
User Paths

Active Directory:

Required (Synchronization - Active Directory):
Node path: Synchronization > %AD% > Required
The Required Active Directory Synchronization settings must be set for all Active Directory synchronizer extensions.

Extension location
Path\filename of the Active Directory synchronizer extension.
(Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\ADEXT\adsync.dll)
Reg Node: Extensions\SyncManager\Syncs\%AD%:Path

SSL
Connect via SSL.
Options:
v Connect without SSL (insecure), default port 389 (default).
v Connect via SSL, default port 636.
Reg Node: Extensions\SyncManager\Syncs\%AD%:UseSSL

Advanced (Synchronization - Active Directory):


Node path: Synchronization > %AD% > Advanced
The Advanced Active Directory Synchronization settings control special-case options for all Active Directory synchronizer extensions.

Search for locator and override objects
Controls how the Agent searches for locator and override objects.
Options:
v Search all servers for locator/override.
v Limit locator/override search to the server root (default).
Reg Node: Extensions\SyncManager\Syncs\%AD%:StopAtRoot

Configuration Objects Base Locations
Where to begin the search for role/group-enabled configuration objects. The search is from the specified location(s) downward. If there are no entries, the search is from the base location.
Reg Node: Extensions\SyncManager\Syncs\%AD%\COBaseLocations:Location

User Paths
Fully qualified path of where the user account is located. There can be unlimited paths to search. The extension searches these in order, looking for the user account. If not found, the extension will search the directory tree.
Note: This entry is not required for this extension.
Reg Node: Extensions\SyncManager\Syncs\%AD%:UserPath

When SSL fails
Fall back to an insecure connection when an SSL connection fails.
Options:
v Do not connect if the SSL connection fails.
v Connect without SSL (insecure) if the SSL connection fails.
Note: If SSLFallback=1 and any of the Servers entries includes a port specification, the fallback port must also be specified as an additional Servers entry. For example, if the SSL connection is to mycomputer.com:1272, then an additional entry must point to the fallback port, for example:
mycomputer.com:1272 ;My secure SSL Port
mycomputer.com:389 ;My fallback port
Reg Node: Extensions\SyncManager\Syncs\%AD%:SSLFallback


Servers
Specify the servers and the order in which to attempt connection for synchronization. Select the checkbox and click ... to open the Edit List dialog box. Type one server name on each line; end each line by pressing Enter. Do not use any other delimiter characters.
Valid formats are determined by your network's DNS configuration:
computername[:port]
or
[host.]domainname.[tld][:port]
Examples:
sales
sales:389
ourdomain.net
sales.ourdomain.net
sales.ourdomain.net:389
Notes:
v If no Servers are entered for the Active Directory extension, and the user account is in an Active Directory domain, TAM E-SSO uses AD domain resources to discover the server. If one or more Servers are provided, TAM E-SSO uses the Servers list to locate the server.
v Unless otherwise configured, TAM E-SSO queries the domain name server (DNS) for the name of the preferred domain controller assigned to the local subnet.
v In Active Directory networks with multiple servers, be sure to enable replication in order to include the SSO schema extension and related objects. This assures that TAM E-SSO will always find SSO information on every server it connects with.
v Active Directory requires use of computer names (not IP addresses).
v If specifying a port value, see SSLFallback.
Reg Node: Extensions\SyncManager\Syncs\%AD%\Servers:Server
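The Servers, SSL and SSL-fallback entries above, and the matching Servers, SSL and SSL Fallback entries of the LDAP primary logon methods earlier in this chapter, share one rule that is easy to get wrong: with fallback enabled, an entry that names an explicit SSL port needs a second entry for the same host that names the cleartext port. The following is an added example, not code from the IBM help or from the product: it parses a Servers list in either the one-per-line form or the Server1=host:port ;comment form the page's example uses, computes the order of connection attempts, and reports the configurations this reference calls out (an explicit port with no fallback entry, an IP address in an Active Directory list, and, as a security warning, any setting that lets the bind happen in cleartext). The retry order with fallback on (SSL on the entry's port, then no SSL on the same port or on 389 when none was given) is this example's assumption, since the page states only the resulting requirement.

```python
"""Connection-attempt planner for a TAM E-SSO "Servers" list.

Added example, not code from the IBM help or from the product. Assumptions
not stated on the page: with SSL fallback on, each entry is retried without
SSL on its own port (or on 389 when no port was given), which is why an
explicit SSL port needs a separate fallback-port entry; ";" starts a comment
and an optional "ServerN=" prefix (the registry form in the page's example)
is ignored.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SSL_PORT, PLAIN_PORT = 636, 389          # the page's defaults


@dataclass(frozen=True)
class Attempt:
    host: str
    port: int
    ssl: bool


def parse_servers(text: str) -> List[Tuple[str, Optional[int]]]:
    """One "computer[:port]" per line; returns (host, explicit port or None)."""
    entries: List[Tuple[str, Optional[int]]] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ";comment"
        if not line:
            continue
        if "=" in line:                               # "Server1=host:port" form
            line = line.split("=", 1)[1].strip()
        m = re.fullmatch(r"([A-Za-z0-9.-]+)(?::(\d{1,5}))?", line)
        if not m:
            raise ValueError(f"bad Servers entry: {raw!r}")
        port = int(m.group(2)) if m.group(2) else None
        if port is not None and not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {raw!r}")
        entries.append((m.group(1), port))
    return entries


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def plan(servers: str, use_ssl: bool, ssl_fallback: bool,
         active_directory: bool = False) -> Tuple[List[Attempt], List[str]]:
    """Return (ordered connection attempts, configuration warnings)."""
    entries = parse_servers(servers)
    attempts: List[Attempt] = []
    warnings: List[str] = []
    if not entries:
        warnings.append("Servers is empty: the extension will not work")
    if not use_ssl:
        warnings.append("UseSSL=0: the bind, and the user's password, go over cleartext LDAP")
    elif ssl_fallback:
        warnings.append("SSLFallback=1: a failed SSL connection silently downgrades to cleartext")
    for host, port in entries:
        if active_directory and _is_ip_literal(host):
            warnings.append(f"{host}: Active Directory requires a computer name, not an IP address")
        if not use_ssl:
            attempts.append(Attempt(host, port or PLAIN_PORT, False))
            continue
        attempts.append(Attempt(host, port or SSL_PORT, True))
        if ssl_fallback:
            attempts.append(Attempt(host, port or PLAIN_PORT, False))
            # the page's rule: an entry with an explicit port needs another entry
            # for the same host that names the fallback port
            if port is not None and not any(h == host and p != port for h, p in entries):
                warnings.append(f"{host}:{port}: SSLFallback is on but no fallback-port "
                                f"entry for {host} is listed")
    return attempts, warnings


# Constructed inputs: the page's own fallback example and an incomplete variant.
PAGE_EXAMPLE = ("Server1=mycomputer.com:1272 ;My secure SSL Port\n"
                "Server2=mycomputer.com:389 ;My fallback port\n")
MISSING_FALLBACK = "Server1=mycomputer.com:1272 ;My secure SSL Port\n"

if __name__ == "__main__":
    for label, text in (("complete", PAGE_EXAMPLE), ("incomplete", MISSING_FALLBACK)):
        attempts, warnings = plan(text, use_ssl=True, ssl_fallback=True)
        print(label, [(a.host, a.port, "ssl" if a.ssl else "plain") for a in attempts], warnings)
```

The downgrade warning is emitted even for a complete configuration: a fallback entry makes the agent work when the SSL listener is down, but it also means a network attacker who can block port 636 (or 1272 here) gets the bind in cleartext on 389.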

Prepend Domain when naming objects
Enable/disable prepending of the user's domain to the username in naming the user's container. Example: For the domain "passlogix" and user "jamesk", the container is named "jamesk" with this flag disabled and "passlogix.jamesk" with this flag enabled.
Note: If you enable Prepend Domain, do not enable Enable Storing Credentials under User Object (in the Repository menu). If you do enable credential storage in User Objects, this option must be disabled (the default setting). If both options are enabled, no synchronization will occur.
Reg Node: Extensions\SyncManager\Syncs\%AD%:AppendDomain


Logon attempts
Number of times to present the retry dialog to the user (default: 3).
Reg Node: Extensions\SyncManager\Syncs\%AD%:RetryLockCount

Credentials to use
Which credentials to use when authenticating to the Active Directory Server.
Options:
v Use local computer credentials only
v Use Active Directory server account only (recommended that User Paths be set)
v Try local computer credentials; if it fails, use Active Directory server account (default).
Reg Node: Extensions\SyncManager\Syncs\%AD%:AuthType

Descriptive name
Logon dialog title, to help differentiate between multiple synchronizer extensions having the same name.
Note: This entry is not required.
Reg Node: Extensions\SyncManager\Syncs\%AD%:DisplayName

Prompt when disconnected
Allow the user to work offline without prompting/notification if a synchronization event fails.
Options:
v Prompt/notify the user (default).
v Do not prompt.
Reg Node: Extensions\SyncManager\Syncs\%AD%:AllowOffline

Location for storing user credentials
Enables storage of user-credential containers under their respective directory User objects; no locator object is used. When disabled (the default), credentials are stored as specified by the locator object.
Note: This setting requires updating the directory schema and modifying the directory-root security settings. To do this, use the Enable Storing Credentials under User Object command on the Repository menu.
Options:
v Store user credentials as specified by locator object (default)
v Store user credentials under respective directory user objects
Reg Node: Extensions\SyncManager\Syncs\%AD%:LocateInUser


Required (Synchronization - ADAM):


Node path: Synchronization > %ADAM% > Required

The Required ADAM Synchronization settings must be set for all ADAM synchronizer extensions.

Extension location
Path\filename of the ADAM synchronizer extension.
(default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\ADAMext\ADAMsyncExt.dll)
Reg Node: Extensions\SyncManager\Syncs\%ADAM%:Path

Servers
Specify the servers (and ports) and the order to attempt connection for synchronization. Select the checkbox and click ... to open the Edit List dialog box. Type one server name on each line; end each line by pressing Enter. Do not use any other delimiter characters.

Valid formats are determined by your network's DNS configuration. Use the port parameter to specify a particular instance of ADAM on a target server.

computername [: port ]

or

[ host. ] domainname. [ tld ][: port ]

Examples:

sales
sales:389
ourdomain.net
sales.ourdomain.net
sales.ourdomain.net:389

Notes:

v At least one server must be specified for the extension to work.

v ADAM requires use of computer names (not IP addresses).

Reg Node: Extensions\SyncManager\Syncs\%ADAM%\Servers:Server
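The entry formats above are shared by the Active Directory and ADAM Servers lists, and both extensions reject IP addresses and stray delimiters. The following Python validator is an added example, not code from TAM E-SSO: it parses one entry into a host and optional port, rejects IP literals, checks the DNS-label syntax, and applies the one rule that differs between the two extensions (ADAM needs at least one server; AD may leave the list empty and discover a domain controller through DNS). The function names and the sample entries are constructed for this illustration.

```python
import ipaddress
import re

# One DNS/NetBIOS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


class ServerEntryError(ValueError):
    """An entry the AD or ADAM Servers list should not contain."""


def parse_server_entry(entry):
    """Parse one line of the Servers list, in either documented form:
        computername[:port]   or   [host.]domainname.[tld][:port]
    Returns (hostname, port), with port None when it is omitted."""
    entry = entry.strip()
    if not entry:
        raise ServerEntryError("empty entry")
    # The Edit List dialog wants one server per line and no other delimiters,
    # so a comma, semicolon or embedded whitespace means two names were typed
    # on one line (the whole line would then be treated as one bad name).
    if re.search(r"[,;\s]", entry):
        raise ServerEntryError(f"{entry!r}: one server per line, no other delimiters")
    host, sep, port_text = entry.partition(":")
    port = None
    if sep:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ServerEntryError(f"{entry!r}: port must be a number from 1 to 65535")
        port = int(port_text)
    # Both AD and ADAM require computer names; an IP literal is rejected outright.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise ServerEntryError(f"{entry!r}: IP addresses are not allowed, use a computer name")
    if not all(_LABEL.match(label) for label in host.split(".")):
        raise ServerEntryError(f"{entry!r}: not a valid computer or DNS name")
    return host, port


def check_entry(entry):
    """Return None when the entry is acceptable, otherwise the reason it is not."""
    try:
        parse_server_entry(entry)
    except ServerEntryError as exc:
        return str(exc)
    return None


def validate_server_list(lines, require_entry):
    """Validate a whole Servers list (blank lines ignored) and return the parsed
    (host, port) tuples in connection-attempt order. The ADAM extension needs
    at least one server (require_entry=True); for the AD extension an empty list
    is legal because the Agent then discovers a domain controller through DNS."""
    parsed = [parse_server_entry(line) for line in lines if line.strip()]
    if require_entry and not parsed:
        raise ServerEntryError("at least one server must be specified for this extension")
    return parsed


def check_list(lines, require_entry):
    """Non-raising wrapper around validate_server_list: None if OK, else the problem."""
    try:
        validate_server_list(lines, require_entry)
    except ServerEntryError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample list: the manual's examples plus two entries that must fail.
    sample = ["sales", "sales:389", "ourdomain.net", "sales.ourdomain.net:389",
              "10.0.0.5", "sales,ourdomain.net"]
    for line in sample:
        print(f"{line:25} -> {check_entry(line) or 'ok'}")
```

Run the list through check_list before pasting it into the Edit List dialog; a rejected line is reported with the reason, and the parsed order is the order in which the Agent will try the servers.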

Advanced (Synchronization - ADAM):


Node path: Synchronization > %ADAM% > Advanced

The Advanced ADAM Synchronization settings control special-case options for all ADAM synchronizer extensions.

Configuration Objects Base Locations
Where to begin the search for role/group-enabled configuration objects. The search is from the specified location(s) downward. If no entries, the search is from the base location.
Reg Node: Extensions\SyncManager\Syncs\%ADAM%\COBaseLocations:Location

Credentials to use
Which credentials to use when authenticating to the ADAM server.
Options:
v Connect to ADAM with current user name
v Use ADAM server account only
v Try local computer credentials; if it fails, use ADAM server account (default)
Reg Node: Extensions\SyncManager\Syncs\%ADAM%:AuthType

Descriptive Name
Logon dialog title, to help differentiate between multiple synchronizer extensions having the same name.
Note: This entry is not required.

Prepend Domain when naming objects
Enables prepending of the user's domain to the username in naming the user's container. Example: For the domain "passlogix" and user "jamesk", the container is named "jamesk" with this flag disabled and "passlogix.jamesk" with this flag enabled.
Options:
v Disable (default)
v Enable
Reg Node: Extensions\SyncManager\Syncs\%ADAM%:AppendDomain

Prompt when disconnected
Allow the user to work offline without prompting/notification if a synchronization event fails.
Options:
v Prompt/notify the user (default).
v Do not prompt.
Reg Node: Extensions\SyncManager\Syncs\%ADAM%:AllowOffline


User domain name to use
Domain name to use in the container name (e.g., "DomainName.UserName") when Prepend Domain when naming objects is enabled. The user can specify another domain in the logon dialog.
Example: If User domain is "MyDomain" (with Prepend Domain enabled) and the user logs on as "jamesk", the container name used is MyDomain.jamesk. If the user logs on as "AltDomain\jamesk", the container name used is AltDomain.jamesk.
Reg Node: Extensions\SyncManager\Syncs\%ADAM%:UserDomain

File System:

Required (Synchronization - File System):


Node path: Synchronization > %File% > Required

The Required File System Synchronization settings must be set for all file system synchronizer

extensions.

Extension location
Path\filename of the File System synchronizer extension.
(Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\FileSyncExt\filesync.dll)
Reg Node: Extensions\SyncManager\Syncs\%File%:Path

Server
This is a list of UNC paths to try for synchronization. At least one server must be specified for this extension to work.
Examples:
\\FS1\Users
\\FS2\Extras
D:\Backup
Notes:
v The File System extension requires use of proper UNC paths.
v As of TAM E-SSO 4.0, only one path is supported.
Reg Node: Extensions\SyncManager\Syncs\%File%\Servers:Server1


Advanced (Synchronization - File System):


Node path: Synchronization > %File% > Advanced

The Advanced File System Synchronization settings control special-case options for all file-system

synchronizer extensions.

Descriptive name
Logon dialog title, to help differentiate between multiple synchronizer extensions having the same name.
Note: This entry is not required.
Reg Node: Extensions\SyncManager\Syncs\%File%:DisplayName

Logon attempts
Number of times to present the retry dialog to the user (default: 3).
Reg Node: Extensions\SyncManager\Syncs\%File%:RetryLockCount

Prompt when disconnected
Allow the user to work offline without prompting/notification if a synchronization event fails.
Options:
v Prompt/notify the user (default).
v Do not prompt.
Reg Node: Extensions\SyncManager\Syncs\%File%:AllowOffline

Prepend Domain when naming user folders
Enable/disable prepending of the user's domain to the username in naming the user's container. Example: For the domain "passlogix" and user "jamesk", the container is named "jamesk" with this flag disabled and "passlogix.jamesk" with this flag enabled.
Reg Node: Extensions\SyncManager\Syncs\%File%:AppendDomain

Database:

Required (Synchronization - Database):


Node path: Synchronization > %DB% > Required

The Required Database Synchronization settings must be set for all database synchronizer extensions.

Extension location
Path\filename of the database synchronizer extension.
(Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\DBEXT\DBExt.dll)
Reg Node: Extensions\SyncManager\Syncs\%DB%:Path

Servers
Specify the database servers and the order to attempt connection for synchronization. Select the checkbox and click ... to open the Edit List dialog box. Type the full connection address (computerName.dbServerName) for one database server on each line; end each line by pressing Enter. Do not use any other delimiter characters.
Note: At least one server must be specified for the extension to work.
Reg Node: Extensions\SyncManager\Syncs\%DB%\Servers:Server

Note for SQL Server: To connect to a SQL Server that is hosting multiple instances, use the following connection string (with no manual line break):

Provider=SQLOLEDB; Data Source="ServerName\Instance"; Initial Catalog="DatabaseName"; Trusted_Connection=Yes
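The connection string above relies on Trusted_Connection=Yes, so the Agent authenticates to SQL Server with the user's Windows identity and no database password is stored in the synchronizer configuration. The Python below is an added example, not part of the product: it builds the string for a named instance in the form the note shows, parses a stored string back into its fields, and flags the two things a practitioner should not find in it, a cleartext Password/PWD field or a connection that is not trusted. The function names and the sample strings are constructed for this illustration.

```python
def parse_connection_string(conn):
    """Split an OLE DB style 'Key=Value; Key=Value' string into a dict.
    Keys are lower-cased for case-insensitive lookup; the optional double
    quotes around a value (as in Data Source="Server\\Instance") are stripped."""
    pairs = {}
    for fragment in conn.split(";"):
        fragment = fragment.strip()
        if not fragment:
            continue
        key, sep, value = fragment.partition("=")
        if not sep:
            raise ValueError(f"malformed fragment: {fragment!r}")
        pairs[key.strip().lower()] = value.strip().strip('"')
    return pairs


def build_sqlserver_connection_string(server, instance, database):
    """Build the string the manual shows for a SQL Server hosting multiple
    instances, always with integrated Windows authentication."""
    for name, value in (("server", server), ("instance", instance), ("database", database)):
        # A separator or quote inside a value would let it spill into the next field.
        if not value or any(ch in value for ch in ';="'):
            raise ValueError(f"{name} is empty or contains ';', '=' or '\"'")
    return (f'Provider=SQLOLEDB; Data Source="{server}\\{instance}"; '
            f'Initial Catalog="{database}"; Trusted_Connection=Yes')


def audit_connection_string(conn):
    """Return a list of findings for a stored connection string. An empty list
    means: SQLOLEDB provider, integrated authentication, no embedded secret."""
    pairs = parse_connection_string(conn)
    findings = []
    if pairs.get("provider", "").upper() != "SQLOLEDB":
        findings.append("provider is not SQLOLEDB")
    trusted = (pairs.get("trusted_connection", "").lower() in ("yes", "true")
               or pairs.get("integrated security", "").lower() == "sspi")
    if not trusted:
        findings.append("Trusted_Connection is not enabled")
    for secret_key in ("password", "pwd"):
        if secret_key in pairs:
            findings.append(f"cleartext credential in '{secret_key}' field")
    return findings


if __name__ == "__main__":
    # Constructed server, instance and database names.
    good = build_sqlserver_connection_string("SQL01", "SSO", "vGOSSO")
    bad = "Provider=SQLOLEDB; Data Source=SQL01; Initial Catalog=vGOSSO; User ID=sa; Password=hunter2"
    print(good, "->", audit_connection_string(good) or "ok")
    print(bad, "->", audit_connection_string(bad))
```

Run audit_connection_string over the Servers entries you export from the Console; any string that names a Password or PWD field means database credentials are sitting in the Agent configuration rather than being supplied by Windows at connection time.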

Advanced (Synchronization - Database):


Node path: Synchronization > %DB% > Advanced

The Advanced Database Synchronization settings control special-case options for all database

synchronizer extensions.

Append Domain when naming objects
Enables appending of the user's domain to the username in naming the user's container. Example: For the domain "passlogix" and user "jamesk", the container is named "jamesk" with this flag disabled and "jamesk.passlogix" with this flag enabled. (default: 0)
Options:
v Disable
v Enable
Reg Node: Extensions\SyncManager\Syncs\%DB%:AppendDomain
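The container-naming rules described for the four synchronizers differ in one detail that matters when users move between them: the AD, ADAM and File System extensions put the domain in front of the user name (passlogix.jamesk), the Database extension puts it after (jamesk.passlogix), and the ADAM User domain name setting supplies a default domain that a DOMAIN\user logon overrides. The Active Directory section also warns that enabling Prepend Domain together with Enable Storing Credentials under User Object stops synchronization altogether. The Python below is an added example, not code from the product: it models those settings as plain fields (not read from the registry), derives the container name and reports the AD conflict. The SyncSettings class, the function names and the sample values are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Where each extension places the domain once its AppendDomain flag is set.
# AD, ADAM and File System prepend ("domain.user"); the Database extension appends.
_DOMAIN_POSITION = {"AD": "prepend", "ADAM": "prepend", "File": "prepend", "DB": "append"}


@dataclass
class SyncSettings:
    extension: str                 # "AD", "ADAM", "File" or "DB"
    append_domain: bool = False    # ...:AppendDomain (Prepend/Append Domain when naming objects)
    locate_in_user: bool = False   # %AD%:LocateInUser (Enable Storing Credentials under User Object)
    user_domain: str = ""          # %ADAM%:UserDomain (default domain for the container name)


def container_name(settings, logon_name, logon_domain=""):
    """Derive the name of the user's credential container.

    logon_name may carry a domain in DOMAIN\\user form, as typed in the ADAM
    logon dialog; that domain wins over settings.user_domain. logon_domain is
    the domain the environment already knows (e.g. the account's AD domain) and
    is used only when neither of the other two supplies one."""
    if settings.extension not in _DOMAIN_POSITION:
        raise ValueError(f"unknown extension {settings.extension!r}")
    domain, sep, user = logon_name.rpartition("\\")
    if not sep:
        user = logon_name
        domain = settings.user_domain or logon_domain
    if not user:
        raise ValueError("empty user name")
    if not settings.append_domain:
        return user
    if not domain:
        raise ValueError("AppendDomain is enabled but no domain is known for the container name")
    if _DOMAIN_POSITION[settings.extension] == "prepend":
        return f"{domain}.{user}"
    return f"{user}.{domain}"


def conflicting_ad_settings(settings):
    """The AD extension performs no synchronization when both Prepend Domain and
    Enable Storing Credentials under User Object are on. Return a description
    of the conflict, or None when the combination is acceptable."""
    if settings.extension == "AD" and settings.append_domain and settings.locate_in_user:
        return ("%AD%:AppendDomain and %AD%:LocateInUser are both enabled; "
                "no synchronization will occur. Leave AppendDomain disabled (the default).")
    return None


if __name__ == "__main__":
    # Constructed sample settings, one per extension.
    print(container_name(SyncSettings("AD", append_domain=True), "jamesk", "passlogix"))
    print(container_name(SyncSettings("ADAM", append_domain=True, user_domain="MyDomain"), "jamesk"))
    print(container_name(SyncSettings("ADAM", append_domain=True, user_domain="MyDomain"), "AltDomain\\jamesk"))
    print(container_name(SyncSettings("DB", append_domain=True), "jamesk", "passlogix"))
    print(conflicting_ad_settings(SyncSettings("AD", append_domain=True, locate_in_user=True)))
```

The practical use is to predict the container a given user will land in before changing AppendDomain on a deployed synchronizer: flipping the flag renames every container, so existing credentials are no longer found until the objects are renamed to match.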


Repository


Displays and provides connection to a synchronization repository.

v Click Repository in the left pane to display the current SSO synchronization repository.

Or, if no connection is active:

v Right-click Repository in the left pane and choose Connect to... from the short cut menu.


Connect to Repository


Connects Administrative Console to a synchronization repository.


Configure SSO Support

Use the Configure SSO Support wizard to deploy Administrative Overrides and application

configurations to end users using file-system, database or directory-service synchronizers. The objects you

can export can include:

v one or more application logons

v a first-time use ( bulk-add) object

v a set of Global Agent Settings

The Configure SSO Support wizard helps you export the overrides, from current Console settings or

from one or more data files, to a selected synchronizer container object.

See Synchronization for more information.


Configure SSO Support (from Console)


Use this wizard page to export an Agent configuration to a selected synchronizer container using the

current Console settings as the source. You can export:

v one or more application logons

v a first-time use (bulk-add) object

v a set of Global Agent Settings


Configure SSO Support from Data File


Use this wizard page to export an Agent configuration to a selected synchronizer container using one or

more data files as the source. You can export:

v one or more application logons

v a first-time use (bulk-add) object

v a set of Global Agent Settings (from an .ini or .reg file)


Add Locator Object


Use the Add Locator Object dialog to create a locator, a directory object that points the Agent to the

container in which user credentials are (or can be) stored. You can create a default locator for all end

users or a locator for a specific end user.

See Directory Servers: Create Locator Objects for more information.


Chapter 4. SSO Administrative Console Reference Topics

Global Agent Settings

Setting Registry Settings and Admin Overrides

Overriding Settings

Configuring Host Emulators

Telnet Support

Attachmate EXTRA!

G&R Glink

Hummingbird HostExplorer

IBM Client Access

IBM Client Access Express

IBM Host On-Demand

In Microsoft Internet Explorer

In Host On-Demand

IBM Personal Communications

NetManage Rumba

NetManage ViewNow

Scanpak Aviva for Desktops

WRQ Reflection

Command-Line Options

Configuring the Windows Event Logging Server

Windows Event Logging extension

Directory Server Schema Definition

SSOSecret


SSOUserData Object

SSOConfig Object

SSOLocatorClass

entlist.ini Keys

Root Keys

Application Type Section Keys

Windows Application Keys

Windows Application Keys for Section N subsection

Windows Application Keys for Match N subsection

Host/Mainframe Application Keys

Host Application Keys for Page N subsection

Web Application Keys

Web Application Keys for Section N subsection

Password Policy Keys

Error Loop

ftulist.ini Keys

Root Keys

Password Windows Section Keys

My Logons Section Keys

Bulk Add Logon Section Keys

MSI Package Contents

Pre-configured Applications and Templates

Troubleshooting

Installation

Authenticators

Synchronizer Extensions

Uninstall

Agent Performance

156 Introduction

Page 161: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides

Application Response

Authentication

Reauthentication.

Application Configuration

All Applications

Windows Applications

Web Applications

Host Applications

Password Sharing Groups

Synchronizer Extensions

Directory Extensions

File System Server

Event Logging


Pre-configured Applications and Templates

Preconfigured logons for Windows and Web applications are provided in Console templates.

Configurations for common network/web pop-up logons and for online service logons are stored in the configuration file applist.ini, which is located in the installation directory.

Note: Predefined application logons that had been stored in applist.ini on the client in previous TAM E-SSO versions are now stored as templates in the Administrative Console. See Compatibility with Previous Product Versions for more information.

The following applications are included in TAM E-SSO, either as Templates with the Administrative Console or in applist.ini.

The following applications are configured to work, but need to be added to user configurations. Some of

these require customization to meet your environment (e.g., specifying internal URLs or application

Window Titles).

Application: Logon Forms

Microsoft Word:
v Microsoft Word Logon
v Microsoft Word 2000 Logon
v Microsoft Word 2003 Logon

MS Dial-Up Networking:
v MS Dial-Up Networking Logon (admin supplies WindowTitle)

Netscape Mail:
v Netscape Mail Logon
v Netscape Mail 7.1 Logon

PKZIP:
v PKZIP Logon
v PKZIP v8 Logon

Siebel Sales:
v Siebel Sales Logon
v Siebel Sales Change Password

Adobe Acrobat Reader:
v Adobe Acrobat Unlock

ICQ:
v ICQ Logon - Registration
v ICQ Logon

Meeting Maker:
v MM 7.3 Logon
v MM 5.5.2 Logon
v MM 8.0 Logon

WinZip:
v WinZip Set Password Confirm
v WinZip Set/Use Password
v WinZip 9.0 Decrypt File(s) Password

Yahoo! Messenger:
v Yahoo! Messenger Logon

Oracle:
v Oracle Logon
v Oracle 10g SQL*Plus Logon

MS SQL:
v MS SQL Logon


Novell GroupWise:
v Novell GroupWise Logon
v Novell GroupWise 6.5 Logon

Microsoft FrontPage:
v Microsoft FrontPage Logon

Visual SourceSafe:
v VSS Logon
v VSS Change Password

OpenNetwork Directory Smart:
v OpenNetwork Directory Smart Logon (admin supplies URL)

Oblix NetPoint:
v Oblix NetPoint Logon (admin supplies URL)

Citrix ICA Client/Program Neighborhood (2-field):
v CICA2 Logon (admin supplies WindowTitle)

Citrix NFuse Classic (2-field):
v CNFC2 Logon (admin supplies URL)

Act:
v Act Logon (admin supplies WindowTitle)
v Act Set Password

QuickBooks Pro:
v QBP Change Password
v QBP Logon

QuickBooks Pro (Password-Only):
v QBPPO Change Password
v QBPPO Logon

Lotus Organizer:
v Lotus Organizer Logon (admin supplies WindowTitle)

Citrix Program Neighborhood Agent (3-field):
v CPN3 Logon

GoldMine:
v GoldMine Logon
v GoldMine Change Password

Citrix NFuse Classic (3-field):
v CNFC3 Logon (admin supplies URL)

Citrix Program Neighborhood Agent (2-field):
v CPN2 Logon

Citrix ICA Client/Program Neighborhood (3-field):
v CICA3 Logon (admin supplies WindowTitle)

AIM:
v AIM Logon

Eudora:
v Eudora Logon
v Eudora Change
v Eudora Confirm

Lotus Notes:
v Lotus Notes

Microsoft Outlook:
v Logon
v Change Password

Microsoft Outlook 2003:
v Logon
v Change Password

MSN Messenger:
v MSN Messenger Logon

Windows Logon:
v WL MPR Logon
v WL MPR Change Password
v WL WinLogon Logon
v WL WinLogon Change Password

ICQ 4.0:
v ICQ 4.0 Logon (Password Only)


Online Services

v AOL

v Compuserve

v Earthlink

v MSN

v Prodigy

v ATT WorldNet

Internet Explorer logons


Directory Server Schema Definition

The following are Directory Server Container and Class Objects, their rights, and their attributes.


Configuring Host Emulators to Enable HLLAPI Short Session Names

TAM E-SSO provides single sign-on functionality for the following host/terminal emulators using built-in

HLLAPI support (high-level language application programming interface). The topics listed here outline

how to enable HLLAPI support in each emulator.

v Telnet Support

v Attachmate Extra! / myExtra! / Xtra! X-Treme

v Ericom PowerTerm

v G&R Glink

v Hummingbird HostExplorer

v IBM Client Access

v IBM Client Access Express

v IBM Host on-Demand

v IBM Personal Communications

v NetManage Rumba

v NetManage ViewNow / Chameleon Hostlink 97

v Novell LAN Workplace

v Scanpak Aviva for Desktops

v WRQ Reflection

v Zephyr PC to Host

v Zephyr Web to Host

Note: For emulators that do not implement HLLAPI support, you can configure a host/mainframe application as a Windows application (to detect the form by its window title) and use SendKeys (to supply user credentials). See Adding Windows Applications: Special Issues for more information.


Attachmate EXTRA! / myExtra!

TAM E-SSO supports Attachmate EXTRA! 6.3/6.4/6.5/2000 and myExtra! 7.0/7.1. To set up each session of Attachmate EXTRA! 6.3, 6.4, 6.5, 2000, myExtra!, and Extra! X-treme to work with TAM E-SSO:

1. Open the session.

2. Select Global Preferences from the Options menu.

3. Select Advanced, select the Short name (for example, A), select Browse, select the session document,

and click OK.

Notes:

v This setting needs to be saved with each session configuration file.

v Background processes sometimes remain running after a mainframe or host session has ended. This

may disrupt the Auto-Logon process and prevent the session from restarting.

G&R Glink


TAM E-SSO supports G&R Glink. To set up G&R Glink to work with TAM E-SSO:

Configure short names in the glHLLAPI.ini file, which is found in the GLWin\WHLLAPI directory

within the G&R Glink installation path. This file must be copied to the user’s %WinDir% directory to

take effect. It is recommended that the default values be left as they are, except for those values that

refer to the short names, which take the form of:

[A]

Name=HLLAPI long name

Config=config file name

where ’A’ represents the short name.
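Because the short-name sections are the only part of glHLLAPI.ini you are meant to change, and a malformed section is not noticed until the copy in %WinDir% fails to match a session, it is worth checking the file before copying it. The Python below is an added example, not code from G&R Glink or TAM E-SSO: it reads every single-letter section of the INI text into a dictionary, verifies that each has a Name and a Config value, and adds or replaces a short-name section while leaving the other sections untouched. The sample INI text, its [Glink] section and the .gwc file names are constructed for the illustration; only the [A]/Name/Config layout comes from the page.

```python
import configparser
import io
import re

# HLLAPI short session names are single letters, one [X] section per session.
_SHORT_NAME = re.compile(r"^[A-Z]$")

# Constructed sample of a glHLLAPI.ini with one default section and one session.
SAMPLE_INI = """[Glink]
Version=1

[A]
Name=Sales 3270 session
Config=sales.gwc
"""


def _parser(text):
    # interpolation=None so a '%' in a path is not treated as a substitution;
    # optionxform=str keeps "Name"/"Config" exactly as written in the file.
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)   # raises DuplicateSectionError if [A] appears twice
    return parser


def short_name_sessions(text):
    """Return {short_name: {"Name": ..., "Config": ...}} for every single-letter
    section. Non-letter sections (Glink's own defaults) are left alone and not
    reported. Raises ValueError when a session section lacks Name or Config."""
    parser = _parser(text)
    sessions = {}
    for section in parser.sections():
        if not _SHORT_NAME.match(section):
            continue
        values = dict(parser.items(section))
        missing = [key for key in ("Name", "Config") if not values.get(key)]
        if missing:
            raise ValueError(f"[{section}] is missing {', '.join(missing)}")
        sessions[section] = {"Name": values["Name"], "Config": values["Config"]}
    return sessions


def set_short_name(text, short_name, hllapi_name, config_file):
    """Return the INI text with [short_name] set to the given HLLAPI long name
    and config file, replacing any existing section for that letter."""
    if not _SHORT_NAME.match(short_name):
        raise ValueError("short name must be a single letter A-Z")
    parser = _parser(text)
    if parser.has_section(short_name):
        parser.remove_section(short_name)
    parser.add_section(short_name)
    parser.set(short_name, "Name", hllapi_name)
    parser.set(short_name, "Config", config_file)
    out = io.StringIO()
    # No spaces around '=' so the output matches the Name=value form shown above.
    parser.write(out, space_around_delimiters=False)
    return out.getvalue()


if __name__ == "__main__":
    updated = set_short_name(SAMPLE_INI, "B", "Inventory 3270 session", "inv.gwc")
    print(updated)
    print(short_name_sessions(updated))
```

Run short_name_sessions on the copy destined for %WinDir% before deploying it; a missing Config line is reported by section letter rather than showing up later as a session the Agent cannot attach to.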

Ericom PowerTerm

TAM E-SSO supports the following versions of Ericom PowerTerm:

v PowerTerm InterConnect (see Note below)

v PowerTerm Plus (see Note below)

v PowerTerm Lite (see Note below)

v PowerTerm Pro

v PowerTerm Pro Enterprise

To set up Ericom PowerTerm to work with TAM E-SSO:

Hummingbird HostExplorer

TAM E-SSO supports Hummingbird HostExplorer. To set up Hummingbird HostExplorer 8.0/9.0/10.0 to

work with TAM E-SSO:

1. Select API Settings from the Options menu.

2. Under HLLAPI Options, select Update screen after PS update.

3. Under EHLLAPI Compatibility, select Attachmate

4. Click OK.

IBM Client Access


TAM E-SSO supports IBM Client Access. No steps are necessary to set up IBM Client Access to work

with TAM E-SSO.

IBM Client Access Express

TAM E-SSO supports IBM Client Access Express. No steps are necessary to set up IBM Client Access

Express to work with TAM E-SSO.

IBM Host On-Demand

TAM E-SSO supports IBM Host On-Demand 4/5. TAM E-SSO support for IBM Host On-Demand is

tested with Microsoft Windows XP/2000/2003 and Microsoft Internet Explorer 5.5 (SP2) and the updated

JVM (Java Virtual Machine). If Microsoft Internet Explorer 5.x is installed, the JVM should not have to

be updated.

Note: One issue with these methods is that clients may not be able to save configured sessions, and

entering the auto-start name each time a session is used is quite tedious. Alternatively, administrators

can replicate the existing sessions that are available to the client, and HLLAPI-enable these sessions as

explained below. Clients can then be offered both standard and HLLAPI-enabled sessions.

To set up IBM Host On-Demand 4 to work with TAM E-SSO:

In Microsoft Internet Explorer

1. Start Microsoft Internet Explorer.

2. Go to http://www-4.ibm.com/software/webservers/hostondemand/downloads.html and download

the Host On-Demand EHLLAPI Bridge Download for the particular version of IBM Host On-Demand.

3. Unzip the downloaded file to the TAM E-SSO installation directory (default: %ProgramFiles%\Passlogix\v-GO SSO).

4. Select Internet Options from the Tools menu.

5. Select the Advanced tab.

6. Under Microsoft VM, select Java console enabled (requires restart).

7. Click Apply, then OK. If needed, exit Microsoft Internet Explorer.

8. Restart the computer.

In Host On-Demand

1. Configure each individual session to run the HLLAPI enabler through the Host On-Demand applet.

2. Select Properties from the menu.

Chapter 4. SSO Administrative Console Reference Topics 165

Page 170: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides

3. Select the Advanced tab.

4. Select Applet from the Auto-Start drop-down list box.

5. Type com.ibm.eNetwork.hllbridge.HLLAPIEnabler in the Auto-Start Name text box.

6. Alternatively, the administrator may run this applet after the session has been started by selecting

Assist then Run applet.


IBM Personal Communications

TAM E-SSO supports IBM Personal Communications 4.3. To set up IBM Personal Communications 4.3 to work with TAM E-SSO:

NetManage Rumba

TAM E-SSO supports NetManage Rumba 2000 (formerly WallData Rumba 6.0). To set up NetManage Rumba 2000 to work with TAM E-SSO:

NetManage ViewNow / Chameleon Hostlink 97

TAM E-SSO supports NetManage ViewNow 1.0.5 and Chameleon Hostlink 97. To set up NetManage ViewNow 1.0.5 to work with TAM E-SSO:

1. Open the Host Access Manager.

2. Select Workspace, then New. Select 3270 Display, 5250 Display, or Telnet from the menu to start a new session of the specified type.

3. Select Object, then Properties from the menu.

4. Select the Session tab and set the Short name to Any.

5. Select the Advanced tab and set Host graphics display type to PS Graphics, and verify that no HLLAPI Options are selected.

6. Click OK.

Novell LAN Workplace

In order to enable TAM E-SSO support for Novell LAN Workplace Pro 5.2, the complete and exact path to the emulator must be specified in the Agent's host/mainframe-configuration file, MfrmList.ini. The default path in the mainframe configuration is c:\Program Files\Novell\LAN Workplace Pro 5.2\Terminals\Bin.

If the Novell LAN Workplace emulator is installed in any other directory or on any other drive, you must modify this default path in MfrmList.ini. This file can only be edited using the Administrative Console.

1. On the Tools menu, point to Modify Configuration, then click MfrmList.

2. In the INI editor, select Novell LAN Workplace Pro 5.2 from the Section dropdown list.

3. For ValueName=, edit the path to the emulator as needed.

4. Click Save (click OK to restart the Agent if prompted), then Close.

Scanpak Aviva for Desktops

TAM E-SSO supports Scanpak Aviva for Desktops (formerly Eicon Aviva). To set up Scanpak Aviva for Desktops to work with TAM E-SSO:

WRQ Reflection

TAM E-SSO supports WRQ Reflection 7/8/9/10. To set up WRQ Reflection 8 to work with TAM E-SSO:

Zephyr PC to Host

TAM E-SSO supports Zephyr PC to Host. To set up Passport to work with TAM E-SSO:

Zephyr Web to Host

TAM E-SSO supports Passport Web to Host. No steps are necessary to set up Web to Host to work with TAM E-SSO.

Command-Line Options


TAM E-SSO can be invoked from the command line to perform certain tasks.

Note: Items in [brackets] are optional in this section only.

Backup: ssoshell.exe /mobility /backup [path] /silent [confirm]

  [path]: The actual path to the directory where the backup file is placed. (Default: the last directory in which a command-line backup file was stored, or where Shell:AutoBackupPath points.)

  /silent: Do not show the Backup/Restore Wizard when performing the backup.

  [confirm]: Show all dialog boxes. When doing a silent backup where the confirm switch is not present, the user will not see the Yes/No dialog and the agent will default to Yes. (Example of a confirm dialog: "Overwrite backup file?")

Logon Manager: ssoshell.exe

  Show Logon Manager.

No FTU: ssoshell.exe /background /noftu

  Prevents the agent from starting twice when logging on to the computer. This should be enabled in the Userinit registry key, which is located in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

  The /noftu command should be preceded by the /background command, as follows:

  "c:\winnt\system32\userinit.exe,C:\Program Files\Passlogix\v-GO SSO\ssoshell.exe /background /noftu"

  Using /noftu ensures that the agent does not run for users who do not have it in their Windows Startup folder. This allows the administrator to roll out TAM E-SSO to only specific (not all) users of a particular computer.

  Note: This command applies only to Microsoft Windows 2000/XP.

Options: ssoshell.exe /options

  Show the Settings property page.

Restore: ssoshell.exe /mobility /restore [path] /silent [confirm]

  [path]: The actual path to the directory where the backup file exists. (Default: the last directory in which a command-line backup file was stored, or where Shell:AutoBackupPath points.)

  /silent: Do not show the Backup/Restore Wizard when performing the restore.

  [confirm]: Show all dialog boxes. When doing a silent restore and the confirm switch is not present, the user will not see the Yes/No dialog and the agent will default to Yes. (Example of a confirm dialog: "Backup file has been restored")

  Notes: The restore password submitted by default is the Windows password. The Restore command is executed with a Startup task (see Shell\Tasks:StartupTaskN).

Setup: ssoshell.exe /setupmgr

  Show the Setup Wizard.

Shutdown: ssoshell.exe /shutdown

Startup: ssoshell.exe /background

Synchronize: ssoshell.exe /syncmgr /sync

  Execute synchronization with the first synchronizer in the Sync Order list (see Synchronization in Global Agent Settings); displays a logon to connect to the first-listed synchronizer.


Smartcard Monitor Utility (ssoSCDetect.exe)

The utility program ssoSCDetect monitors a workstation's smartcard reader, making it possible to use the workstation as a multiple-user "kiosk" that can access and synchronize the remote SSO credential store of any user authenticated by a smartcard.

When a user inserts a card into the reader, the ssoSCDetect utility starts the Agent and prompts for the user's primary logon credentials. It then synchronizes the user's credentials with the remote repository. When the user logs out of the workstation (e.g., by removing the card from the reader), ssoSCDetect shuts down the Agent.

To run the utility, copy the executable file ssoSCDetect.exe from the Utilities directory of the TAM E-SSO CD to the TAM E-SSO installation directory (%ProgramFiles%\Passlogix\v-GO SSO), then launch the program.

Recommended global agent settings for SSO kiosk operation

For best performance and security, the following global agent settings should be applied to the TAM E-SSO agent running on a workstation configured as a kiosk:

User Paths (Active Directory only): For best performance, specify one or more fully-qualified paths to begin searching for user accounts. See the Advanced options, under Synchronization\Active Directory.


Error Loop Quick Reference

This section serves as a quick reference to the basic Error Loop settings. Note: Configure these settings in the Administrative Console. The table is provided only for reference.

The settings are inherited downward from Global to Application Type to Application. More-specific settings override more-general ones (Application overrides Application Type, which overrides Global). Note: For security settings (for example, MaskPW), the most-secure setting is used, regardless of whether it is set Globally, for an Application Type, or for an Application.

Place the application-type settings in the entlist.ini [*Root] section.

Example

[*Root]
AppsTimeout=8
WebMaxRetry=3

Place the Application settings in the specific application's entlist.ini section.

Example

[Payroll]
WindowTitle1=Payroll
MaxRetry=3
Timeout=30
IDCtrl=203
...

For each parameter, the table gives the key name at each level and the default. Global settings are registry values under Extensions\AccessManager\Dlg; Application Type settings are the prefixed keys in the entlist.ini [*Root] section (Windows, Web, and Host/Mainframe); Application settings are the unprefixed keys in the application's own section.

Maximum number of retries (after the first try) before the Error Loop dialog appears
  Global (Registry): MaxRetry
  Application Type ([*Root]): AppsMaxRetry (Windows), WebMaxRetry (Web), MainframeMaxRetry (Host/Mainframe)
  Application: MaxRetry
  Default: 1

Maximum time between successive logon attempts before the Error Loop dialog appears
  Global (Registry): Timeout
  Application Type ([*Root]): AppsTimeout (Windows), WebTimeout (Web), MainframeTimeout (Host/Mainframe)
  Application: Timeout
  Default: 30

Setting to indicate whether to hide the password confirmation field in the Error Loop dialog
  Global (Registry): HideConfirmPW
  Application Type ([*Root]): AppsHideConfirmPW (Windows), WebHideConfirmPW (Web), MainframeHideConfirmPW (Host/Mainframe)
  Application: HideConfirmPW
  Default: 0 (do not hide)

Setting to indicate whether to mask the password in the Error Loop dialog
  Global (Registry): MaskPW
  Application Type ([*Root]): AppsMaskPW (Windows), WebMaskPW (Web), MainframeMaskPW (Host/Mainframe)
  Application: MaskPW
  Default: 1 (mask)
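As an added example (not code from the IBM documentation or the product), the following Python resolves the effective Error Loop settings for an application section by applying the inheritance rules above: the most specific tier wins, except that a security setting takes the most secure value set at any tier. The registry tier is modelled as a plain dict, the sample entlist.ini is constructed, and two points are assumptions of the example: the most-secure rule is applied to HideConfirmPW as well as MaskPW, and the documented default is used only when no tier sets the key at all.

```python
"""Effective Error Loop settings for TAM E-SSO application sections.

Added example, not from the IBM documentation. Tiers, least to most specific:
Global (registry Extensions\\AccessManager\\Dlg) -> Application Type
([*Root] keys with the Apps/Web/Mainframe prefix) -> Application section.
"""
import configparser

DEFAULTS = {"MaxRetry": 1, "Timeout": 30, "HideConfirmPW": 0, "MaskPW": 1}
TYPE_PREFIX = {"windows": "Apps", "web": "Web", "mainframe": "Mainframe"}
# For these keys the most secure value (1 = mask / hide) wins at any tier.
# The page states this for MaskPW; extending it to HideConfirmPW is an assumption.
SECURITY_KEYS = {"MaskPW", "HideConfirmPW"}

# Constructed sample entlist.ini, modelled on the page's [*Root]/[Payroll] examples.
ENTLIST = """
[*Root]
AppsTimeout=8
AppsMaskPW=1
WebMaxRetry=3
WebMaskPW=0

[Payroll]
WindowTitle1=Payroll
MaxRetry=3
Timeout=30
IDCtrl=203
MaskPW=0

[Corporate Intranet]
MaxRetry=5
"""


def parse_entlist(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: entlist.ini names are case-significant
    cp.read_string(text)
    return cp


def resolve(cp, section, app_type, registry=None):
    """Return {setting: effective value} for one application section.

    registry models the Global tier (values under Extensions\\AccessManager\\Dlg).
    """
    registry = registry or {}
    prefix = TYPE_PREFIX[app_type]
    effective = {}
    for key, default in DEFAULTS.items():
        tiers = []  # explicitly set values, least to most specific
        if key in registry:
            tiers.append(int(registry[key]))
        if cp.has_option("*Root", prefix + key):
            tiers.append(cp.getint("*Root", prefix + key))
        if cp.has_option(section, key):
            tiers.append(cp.getint(section, key))
        if not tiers:
            effective[key] = default        # nothing set anywhere: documented default
        elif key in SECURITY_KEYS:
            effective[key] = max(tiers)     # most secure wins, whatever the tier
        else:
            effective[key] = tiers[-1]      # most specific tier wins
    return effective


def relaxed_security(cp):
    """List (section, key) pairs that set a security key to 0.

    Handy when reviewing a deployed entlist.ini: such an entry only takes
    effect if no other tier sets the same key to 1.
    """
    hits = []
    for sec in cp.sections():
        for key in cp.options(sec):
            base = key
            if sec == "*Root":  # strip the application-type prefix
                for prefix in TYPE_PREFIX.values():
                    if key.startswith(prefix):
                        base = key[len(prefix):]
            if base in SECURITY_KEYS and cp.getint(sec, key) == 0:
                hits.append((sec, key))
    return hits


if __name__ == "__main__":
    cp = parse_entlist(ENTLIST)
    print("Payroll:", resolve(cp, "Payroll", "windows"))
    print("Corporate Intranet:", resolve(cp, "Corporate Intranet", "web"))
    print("relaxed security keys:", relaxed_security(cp))
```

Note that [Payroll] sets MaskPW=0 but the effective value is 1, because [*Root] sets AppsMaskPW=1 and the most secure value wins.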

MSI Package Contents

This section documents the basic contents of each package feature. The Display Name and Description are as in the Custom display of the Installer. For the exact feature details, review the package.

Note: Any "child" package requires all parent packages. For example, LDAP_Sync requires SyncMgr.

Note: Required features are in bold. In addition, at least one authenticator must be installed, though it need not be one of the shipped authenticators. All other features are optional; however, IBM recommends installation of the InternetExplorer component.

Each entry below gives the Display Name, the Feature Name in parentheses, and the Description.

Application (feature name: Core): Required files and settings

Authenticators (feature name: Authenticators): SSO authentication support

Windows Domain (feature name: SLA): The Microsoft Windows Authenticator

LDAP Authenticator (feature name: LDAP): The LDAP Authenticator

Windows Authenticator v2 (feature name: MSauth): The Microsoft Windows Authenticator version 2

GINA authenticator (feature name: SSOGina): Passlogix GINA (required with Windows Authenticator v2)

LDAP Authenticator v2 (feature name: LDAPauth): The LDAP Authenticator version 2

Authentication Manager (feature name: MultiAuth): Multiple authentication support (AM only)

Smart Card (feature name: SCAuth): Smart Card (MS CAPI-compliant) authenticator (AM only)

Entrust (feature name: Entrust): Entrust PKI authentication support (AM only)

SecurID (feature name: SecurID): RSA PKI authentication support (AM only)

SecureTec (feature name: STAuth): I/O Software PKI authentication support (AM only)

Extensions (feature name: Extensions): SSO Plug-ins

Setup Manager (feature name: SetupMgr): Plug-in for initial SSO experience setup

Logon Manager (feature name: LogonMgr): Plug-in for logon/credential request events

Internet Explorer Helper (feature name: InternetExplorer): Internet Explorer credential request integration

Mainframe Emulator Helper (feature name: MainframeEmulators): Mainframe session credential request emulator integration

DOS Helper (feature name: DOSHelper): Console window support (for mainframe emulators)

Java Helper (feature name: JavaHelper): Java virtual machine session credential request integration

SSO Terminal Services Support (feature name: vGOwts): SSO Terminal Services Support

Backup/Restore Manager (feature name: BackupMgr): Plug-in for backup/restore of SSO credentials and settings

Synchronization Manager (feature name: SyncMgr): Plug-in for synchronization of credentials and settings to/from additional data sources

Active Directory Synchronizer (feature name: AD_Sync): Active Directory synchronization support

ADAM Synchronizer (feature name: ADAM_Sync): Active Directory/Application Mode synchronization support

LDAP Synchronizer (feature name: LDAP_Sync): LDAP directory synchronization support

DB Synchronizer (feature name: DB_Sync): SQL relational database synchronization support

File System Synchronizer (feature name: File_Sync): File System synchronization support

Event Manager (feature name: EventMgr): Plug-in for Event Manager

XML (feature name: LocalFileExt): Plug-in for the Local File Extension

Windows Event Extension (feature name: WindowsEventExt): Plug-in for the Windows Event Extension

Languages (feature name: Languages): Localized language support files

English (feature name: English_Pack): English


ftulist.ini Keys

ftulist.ini determines special actions the agent will take the first time a user starts it. The file can exist as a local file or as a directory-server or database object. If it is deployed using synchronization, ftulist.ini is placed in the %AppData%\Passlogix directory.

Note: All TAM E-SSO configuration files (including entlist.ini and ftulist.ini) can only be created and edited using the Administrative Console. The information in the topics listed below is provided only for reference.

The tables in the following topics list the keys and acceptable values for each section of ftulist.ini:

- Root Keys for ftulist.ini
- Password Windows Section Keys
- My Logons Section Keys
- Bulk Add Logon Section Keys


Root Keys

These settings are used strictly within the [FTU] section and are required.

Example

[FTU]
Ver=20020523
Step1=Password Windows
Step2=My Logons

First-Time Use Keys, with description and acceptable values:

Ver = %s
  Required. String of the date of the last ftulist.ini file. If the value of this key is higher (newer) than the decimal value in the user's registry (in HKCU\...\Extensions\SetupManager:Completed), then the user will see the bulk add list the next time the user starts up the agent. Example: 20020523
  %s = string representing the decimal equivalent of a date in yyyymmdd (year-month-day) format, as in 20020523 for May 23, 2002.

Step1 = %s
  Required, do not alter. Calls the section that launches Primary Logon Method. This module forces the user to select an authenticator.
  %s = "Password Windows"

Step2 = %s
  Required, do not alter. Calls the section that launches Access Manager. This module enables bulk adding of credentials.
  %s = "My Logons"

Password Windows Section Keys

These settings are required and used strictly within the [Password Windows] section.

Example

[Password Windows]
ExtensionName=<core>
Action1=Password Window

First-Time Use Keys, with description and acceptable values:

ExtensionName = %s
  Required, do not alter. Internal name of the extension module.
  %s = "<core>"

Action1 = %s
  Required, do not alter. Launches Primary Logon Method. This module forces the user to select an authenticator.
  %s = "Password Window"

My Logons Section Keys

These settings are required and used strictly within the [My Logons] section.

Example

[My Logons]
ExtensionName=AccessManager
Section1=Corporate Win App
Section2=Intranet
...

First-Time Use Keys, with description and acceptable values:

ExtensionName = %s
  Required, do not alter. Internal name of the extension module.
  %s = "AccessManager"

Section%d = %s
  Required, do not alter. Specifies logons to include in the bulk add wizard.
  %d = consecutive integers
  %s = application logon section name; link to relevant logon class section

Bulk Add Logon Section Keys

These settings are required and used in each bulk add logon section.

Example

[My Logons]
ExtensionName=AccessManager
Section1=Corporate Win App
Section2=Intranet

[Intranet]
ConfigKey=*Other Webs
ConfigName=Corporate Intranet
FTU_NeedID=0
FTU_NeedOther=0
FTU_NeedPwd=1
FTU_CONFIRMID=0
FTU_CONFIRMOTHER=0
FTU_CONFIRMPASSWORD=1
URL=Corp Intranet

First-Time Use Keys, with description and acceptable values:

ConfigKey = %s
  Link to logon configuration in entlist.ini.
  %s = application logon section name in entlist.ini or applist.ini. Use [*Mainframe] for host/mainframe logons, [*Other Webs] for Web logons, [*Online Services] for Online service logons, and [*Other Apps] for other Windows application logons.

ConfigName = %s
  The name to use in the First-Time Use Wizard to describe the logon.
  %s = application logon name

Description = %s
  The name to use in Logon Manager to describe the logon.
  %s = application logon name

FTU_CONFIRMID = %b
  Flag indicating if the First-Time Use Wizard will require the user to confirm their username/ID (optional).
  %b = 0, user will not have to confirm username/ID (default)
  %b = 1, user will have to confirm username/ID

FTU_CONFIRMOTHER = %b
  Flag indicating if the First-Time Use Wizard will require the user to confirm a third field, if one exists (optional).
  %b = 0, user will not have to confirm third field (default)
  %b = 1, user will have to confirm third field

FTU_CONFIRMPASSWORD = %b
  Flag indicating if the First-Time Use Wizard will require the user to confirm their password (optional).
  %b = 0, user will not have to confirm password (default)
  %b = 1, user will have to confirm password

FTU_NeedID = %b
  Flag to indicate whether the application requires a username/ID.
  %b = 0, application does not require a username/ID
  %b = 1, logon requires a username/ID (default)

FTU_NeedOther = %b
  Flag to indicate whether the application requires a third field (optional).
  %b = 0, application does not require a third field (default)
  %b = 1, application requires a third field

FTU_NeedPwd = %b
  Flag to indicate whether the application requires a password.
  %b = 0, application does not require a password
  %b = 1, logon requires a password (default)

URL = %s
  Section name in entlist.ini for a Web or Host application, or URL for a Web site that is not predefined in entlist.ini.
  %s = Web/Host section name or Web URL
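As an added example (not code from the IBM documentation or the product), this Python checks a ftulist.ini against the rules in the ftulist.ini key tables above: the fixed "do not alter" values, consecutive Section%d numbering in [My Logons], 0/1 values for the FTU_* flags, the yyyymmdd form of Ver, and the Ver-versus-Completed comparison that decides whether the bulk add list appears. The sample file is constructed; treating URL as required for Web and Host bulk add sections is an assumption of the example.

```python
"""Validate a ftulist.ini against the key rules in this reference.
Added example, not from the IBM documentation or product."""
import configparser
import re

# Constructed sample, modelled on the page's examples.
FTULIST = """
[FTU]
Ver=20020523
Step1=Password Windows
Step2=My Logons

[Password Windows]
ExtensionName=<core>
Action1=Password Window

[My Logons]
ExtensionName=AccessManager
Section1=Intranet

[Intranet]
ConfigKey=*Other Webs
ConfigName=Corporate Intranet
FTU_NeedID=0
FTU_NeedOther=0
FTU_NeedPwd=1
FTU_CONFIRMID=0
FTU_CONFIRMOTHER=0
FTU_CONFIRMPASSWORD=1
URL=Corp Intranet
"""

# (section, key) -> the only acceptable value, per the "do not alter" rows.
FIXED_KEYS = {
    ("FTU", "Step1"): "Password Windows",
    ("FTU", "Step2"): "My Logons",
    ("Password Windows", "ExtensionName"): "<core>",
    ("Password Windows", "Action1"): "Password Window",
    ("My Logons", "ExtensionName"): "AccessManager",
}
FLAG_KEYS = ("FTU_NeedID", "FTU_NeedOther", "FTU_NeedPwd",
             "FTU_CONFIRMID", "FTU_CONFIRMOTHER", "FTU_CONFIRMPASSWORD")
# Web and Host bulk add sections carry a URL key; treating it as required
# for these two logon classes is an assumption of this example.
URL_CLASSES = ("*Other Webs", "*Mainframe")


def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: FTU_CONFIRMID vs FTU_NeedID
    cp.read_string(text)
    return cp


def numbered_values(cp, section, stem):
    """Values of stem1, stem2, ... in order; None if missing or not consecutive."""
    if not cp.has_section(section):
        return None
    nums = sorted(int(k[len(stem):]) for k in cp.options(section)
                  if k.startswith(stem) and k[len(stem):].isdigit())
    if nums != list(range(1, len(nums) + 1)):
        return None
    return [cp.get(section, f"{stem}{n}") for n in nums]


def validate(cp):
    """Return a list of problems; an empty list means the file passes."""
    errors = []
    ver = cp.get("FTU", "Ver", fallback=None)
    if ver is None:
        errors.append("[FTU] Ver is required")
    elif not re.fullmatch(r"\d{8}", ver):  # yyyymmdd decimal
        errors.append(f"[FTU] Ver={ver} is not in yyyymmdd form")
    for (sec, key), want in FIXED_KEYS.items():
        got = cp.get(sec, key, fallback=None)
        if got != want:
            errors.append(f"[{sec}] {key} must be {want!r}, found {got!r}")
    names = numbered_values(cp, "My Logons", "Section")
    if names is None:
        errors.append("[My Logons] Section%d keys must be consecutive integers from 1")
    for name in names or []:
        if not cp.has_section(name):
            errors.append(f"[My Logons] names missing section [{name}]")
            continue
        for req in ("ConfigKey", "ConfigName"):
            if not cp.has_option(name, req):
                errors.append(f"[{name}] {req} is required")
        for flag in FLAG_KEYS:
            if cp.has_option(name, flag) and cp.get(name, flag) not in ("0", "1"):
                errors.append(f"[{name}] {flag} must be 0 or 1")
        if cp.get(name, "ConfigKey", fallback="") in URL_CLASSES and not cp.has_option(name, "URL"):
            errors.append(f"[{name}] Web/Host logon needs a URL key")
    return errors


def bulk_add_due(ver, completed):
    """True when Ver is newer than the user's SetupManager:Completed value."""
    return int(ver) > int(completed)
```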

Keys for entlist.ini

The entlist.ini file is located in the directory the administrator designates. In most instances, this should be a subdirectory under the TAM E-SSO program directory.

Note: All TAM E-SSO configuration files (including entlist.ini and ftulist.ini) can only be created and edited using the Administrative Console. The information in the topics listed below is provided only for reference.

This is also the format used for synchronizer objects that override local entlist.ini files. Note: A directory-based object causes the agent to ignore any local entlist.ini file. The remote object (if it exists) is downloaded over a local entlist.ini file.

Then, entlist.ini is merged with applist.ini to create a new file (aelist.ini) in the %AppData%\Passlogix directory. The aelist.ini file is overwritten periodically, including when TAM E-SSO starts, when it re-merges applist.ini and entlist.ini. The agent then uses aelist.ini to detect "known" applications.

The tables in the following topics list the keys and acceptable values for each section of entlist.ini:

- Root Keys for entlist.ini
- Windows Application Keys
- Web Application Keys
- Host/Mainframe Application Keys
- Password Policy Keys


Root Keys

These settings are used strictly within the [*Root] section.

Example

[*Root]
Section1=*Other Apps
Section2=*Other Webs
Section3=*Mainframe
AppsMaxRetry=1
WebMaxRetry=3
HostMaxRetry=2
WebTimeout=90
...

Global Application Keys, with description and acceptable values:

[*Root]
  Root section, from which application types (logon classes) are derived.
  N/A

AppsHideConfirmPW = %b
  Indicates whether to hide the password confirmation field in the Logon Error dialog for all Windows applications.
  %b = 0; do not hide confirmation field (default)
  %b = 1; hide confirmation field

AppsMaskPW = %b
  Indicates whether to mask the password field(s) in the Logon Error dialog for all Windows applications.
  %b = 0; do not mask password
  %b = 1; mask password (default)

AppsMaxRetry = %d
  Indicates the number of logon retries for all Windows applications the agent makes before displaying the Logon Error dialog.
  %d = the number of retries (default: 1)

AppsTimeout = %d
  Indicates the maximum time between successive logon attempts that will trigger Error Loop detection for all Windows applications.
  %d = amount of time in seconds (default: 30)

MainframeHideConfirmPW = %b
  Indicates whether to hide the password confirmation field in the Logon Error dialog for all Host applications.
  %b = 0; do not hide confirmation field (default)
  %b = 1; hide confirmation field

MainframeMaskPW = %b
  Indicates whether to mask the password field(s) in the Logon Error dialog for all Host applications.
  %b = 0; do not mask password
  %b = 1; mask password (default)

MainframeMaxRetry = %d
  Indicates the number of logon retries for all Host applications the agent makes before displaying the Logon Error dialog.
  %d = the number of retries (default: 1)

MainframeTimeout = %d
  Indicates the maximum time between successive logon attempts that will trigger Error Loop detection for all Host applications.
  %d = amount of time in seconds (default: 30)

Section%d = %s
  Declaration of supported subsections. Note: Because *Other Webs, *Online Services, and *Other Apps are defined in applist.ini, they need not be defined in [*Root] in entlist.ini.
  %d = consecutive integers
  %s = *Other Apps (Windows applications)
  %s = *Mainframe (Host/Mainframe applications)
  %s = *Other Webs (Predefined Web applications)
  %s = *Online Services

WebHideConfirmPW = %b
  Indicates whether to hide the password confirmation field in the Logon Error dialog for all Web applications.
  %b = 0; do not hide confirmation field (default)
  %b = 1; hide confirmation field

WebMaskPW = %b
  Indicates whether to mask the password field(s) in the Logon Error dialog for all Web applications.
  %b = 0; do not mask password
  %b = 1; mask password (default)

WebMaxRetry = %d
  Indicates the number of logon retries for all Web applications the agent makes before displaying the Logon Error dialog.
  %d = the number of retries (default: 1)

WebTimeout = %d
  Indicates the maximum time between successive logon attempts that will trigger Error Loop detection for all Web applications.
  %d = amount of time in seconds (default: 30)

Application Type Section Keys

These settings are used for the Windows, Web, and Host application sections that delineate the list of predefined applications.

Example

[*Other Apps]
Section1=Corporate WinApp
...

[*Other Webs]
Section1=Corporate Intranet
...

[*Mainframe]
Section1=Corporate Mainframe

Global Application Keys, with description and acceptable values:

[%s]
  Section heading that identifies an application category section.
  %s = [*Other Apps] (Windows applications)
  %s = [*Mainframe] (Host/Mainframe applications)
  %s = [*Other Webs] (Predefined Web applications)

Section%d = %s
  Declaration of application sections.
  %d = consecutive integers
  %s = section name


Windows Application Keys

These settings are used within applications delineated in the [*Other Apps] section.

Example

[*Other Apps]

Section1=Corporate WinApp

&

[Corporate WinApp]

(the keys below)

Windows Application Keys Description Acceptable values

AllowReveal = %b Flag that enables or disables the

Reveal button for password in

Wizards and property pages.

%b = 0; disabled

%b = 1; enabled (default)

186 Introduction

Page 191: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides

AppPathKey%d = %s
Windows registry key identifying the application associated with a logon, matched against running processes. Used in combination with WindowTitle for exact matching of logon requests. %d is replaced with a number, starting at 1, so that multiple registry keys can be associated with a single logon.
%d = consecutive integers
%s = application name string used in the Windows registry (typically corresponds to the executable name)

AutoOK = %b
Flag that instructs the agent to automatically select OK for this application logon after inserting the logon data.
%b = 0; disabled
%b = 1; enabled (default)

ChangeTitle%d = %s
Text matched against password-change window titles to identify password-change requests. %d is replaced with a number, starting at 1, so that multiple windows can be identified for a single password-change request. There must be a duplicate WindowTitle entry for each ChangeTitle entry.
%d = consecutive integers
%s = window title string

ChgCtrl0 = %d
Control ID used to identify the username/ID field in a password-change request window.
%d = -1; change request does not require a username/ID
%d = 1; change request requires a username/ID, but it will be sent to the application using Send Keys. If this value is 1, all other control IDs (IDCtrl, PassKeyCtrl, OtherCtrl1, OtherCtrl2, OKCtrl, ChgCtrl1, ChgCtrl2, and ChgCtrl3) must also be 1 or -1.
%d = 2 - 99,999; control ID value

ChgCtrl1 = %d
Control ID used to identify the old password field in a password-change request window.
%d = -1; change request does not require an old password
%d = 1; change request requires a password, but it will be sent to the application using Send Keys. If this value is 1, all other control IDs must also be 1 or -1.
%d = 2 - 99,999; control ID value

ChgCtrl2 = %d
Control ID used to identify the new password field in a password-change request window.
%d = -1; change request does not require a new password
%d = 1; change request requires a password, but it will be sent to the application using Send Keys. If this value is 1, all other control IDs must also be 1 or -1.
%d = 2 - 99,999; control ID value

ChgCtrl3 = %d
Control ID used to identify the password confirmation field in a password-change request window.
%d = -1; change request does not require a "confirm new password" entry
%d = 1; change request requires a "confirm new password" entry, but it will be sent to the application using Send Keys. If this value is 1, all other control IDs must also be 1 or -1.
%d = 2 - 99,999; control ID value

ConfigName = %d
Control ID identifying the control that contains the text used to create the initial configuration name when the user adds this logon.
%d = 1 - 99,999; control ID value

CPWFlag = %d
Determines the behavior of the Password Change Wizard for specific applications when a user encounters a password-change request. This key is specified in the application's root section, not in a password-change subsection.
Note: This setting can also be set globally, for all applications, through the Registry (see the Registry settings reference for instructions).
%d = 1; prompts the user with the Password Change Wizard (default)
%d = 2; prompts the user to manually enter a new password, but also offers the option of having the agent generate the password automatically
%d = 4; generates the new password automatically, but also offers the option of creating the new password manually
%d = 10; prompts the user to manually enter a new password, without offering the option of having the agent generate it
%d = 12; generates the new password automatically, without offering the option of creating it manually

CtrlOrder = %s1, %s2, %s3...
Determines the order in which fields are sent when UseSendKeys is enabled. For example, CtrlOrder = OtherCtrl1, IDCtrl, PassKeyCtrl tells the agent that the tab order in the dialog box is OtherCtrl1, then IDCtrl, followed by PassKeyCtrl.
For logons, the default order is IDCtrl, PassKeyCtrl, OtherCtrl1, OtherCtrl2. For password changes, the default order is ChgCtrl0, ChgCtrl1, ChgCtrl2, ChgCtrl3.
Note: This setting applies only when UseSendKeys is enabled and works only with Windows applications.
%s1 = the first field sent
%s2 = the second field sent
%s3 = the third field sent, and so on

Description = %s
Text describing this application, also stored in the Description field in Logon Manager.
%s = any string

ExtMap = %s
Windows file extension associated with a logon. Allows the agent to map an icon to the configuration.
%s = three-character file extension string

ForceReauth = %b
Forces the user to reauthenticate before the agent provides credentials to this application.
Note: Applies to all subsections; the user would have to reauthenticate multiple times in a multiple-section password-change scenario.
%b = 0; do not require reauthentication (default)
%b = 1; require reauthentication

Group = %s
Name of the group section that this application is a part of. Used when configuring Password Sharing Groups. Special values:
LDAP: the application uses the LDAP Directory Server authenticator password.
Domain: the application uses the Windows authenticator password.
Refer to the Password Sharing Groups instructions for details.
Note: The Windows Registry entry PWSEnable=1 must be set to enable groups.
%s = the section name of the application group that the application belongs to

HideConfirmPW = %b
Determines whether to hide the password confirmation field in the Logon Error dialog.
%b = 0; do not hide the confirmation field (default)
%b = 1; hide the confirmation field

IDCtrl = %d
Identifies the username/ID control field and/or the mechanism used to provide the username/ID data to the appropriate username/ID control.
%d = 0; the user must use the agent's "teaching tool" mechanism during application setup (default)
%d = -1; application does not require a username/ID
%d = 1; application requires a username/ID, but it will be sent to the application using Send Keys. If this value is set to 1, all other control IDs (PassKeyCtrl, OtherCtrl1, OtherCtrl2, OKCtrl, ChgCtrl0, ChgCtrl1, ChgCtrl2, and ChgCtrl3) must also be 1 or -1.
%d = 2 - 99,999; username/ID control ID value

IDCtrlType = %d
Identifies the control type of the username/ID control field.
%d = 0; edit control (default)
%d = 1; combobox control
%d = 2; listbox control

IgnoreClassName = %s
Identifies the class name of a logon or password-change window that should be ignored when submitting credentials. Used in cases where an application contains a second, hidden logon or password-change window.
%s = class name string

InteractionMode = %b
Prevents the agent from attaching to the message queue of the application's window.
%b = 0; disabled (default)
%b = 1; enabled

MaskPW = %b
Determines whether to mask the password in the Logon Error dialog.
%b = 0; do not mask password
%b = 1; mask password (default)

Match%d = %s
Maps to a matching section for the application. Use this method if the same application has multiple logon and password-change screens. It is most useful when one set of user credentials is used for multiple screens within an application. With this method, the matching sections can be set up for logons, password changes (pick and manual), and ignores.
%d = consecutive integers
%s = application logon name (logon definition sections)

MaxRetry = %d
Determines the number of logon retries the agent makes before displaying the Logon Error dialog.
%d = the number of retries (default: 1)

ModuleName%d = %s
Application module name associated with a logon, matched against running processes. Used in conjunction with the WindowTitle key to identify a specific application logon or password-change request. %d is replaced with a number, starting at 1, so that multiple application modules can be associated with a single logon.
%d = consecutive integers
%s = application name string (typically corresponds to the executable name)

OKCtrl = %d
Identifies the control ID of the OK button for this application.
%d = 1; use the agent's internal logic (default)
%d = 2 - 99,999; OK button control ID
%d = -1; requires the user to manually select OK

OtherCtrl1 = %d
Identifies the control ID of a third logon field and/or the mechanism used to provide the additional field data to the appropriate control.
%d = -1; application does not require a third field
%d = 1; application requires a third field, but it will be sent to the application using Send Keys. If this value is set to 1, all other control IDs must also be 1 or -1.
%d = 2 - 99,999; third field control ID value; can be any value if Send Keys is used

OtherCtrl1Type = %d
Identifies the control type of a third logon field.
%d = 0; edit control (default)
%d = 1; combobox control
%d = 2; listbox control

OtherCtrl2 = %d
Identifies the control ID of a fourth logon field and/or the mechanism used to provide the additional field data to the appropriate control.
%d = -1; application does not require a fourth field
%d = 1; application requires a fourth field, but it will be sent to the application using Send Keys. If this value is set to 1, all other control IDs must also be 1 or -1.
%d = 2 - 99,999; fourth field control ID value; can be any value if Send Keys is used

OtherCtrl2Type = %d
Identifies the control type of a fourth logon field.
%d = 0; edit control (default)
%d = 1; combobox control
%d = 2; listbox control

OtherLabel1 = %s
The text label used by the agent when displaying a third logon field.
%s = the text the agent will display

OtherLabel2 = %s
The text label used by the agent when displaying a fourth logon field.
%s = the text the agent will display

ParentKey1 = %s
Maps a subsection to its parent section.
%s = parent application/section name

PassKeyCtrl = %d
Identifies the password control field and/or the mechanism used to provide the password data to the appropriate password control.
%d = 0; the user must use the agent's "teaching tool" mechanism during application setup
%d = -1; application does not require a password
%d = 1; application requires a password, but it will be sent to the application using Send Keys. If this value is set to 1, all other control IDs must also be 1 or -1.
%d = 2 - 99,999; password control ID value; can be any value if Send Keys is used

PassKeyCtrlType = %d
Identifies the control type of the password control field.
%d = 0; edit control (default)
%d = 1; combobox control
%d = 2; listbox control

PassPolicy = %s
Identifies which password policy section to associate with this application logon configuration.
%s = policy section name

PresetFocusAll = %b
Specifies whether to set the focus to a logon field before the agent actually places data in that field.
%b = 0; disabled (default)
%b = 1; enabled

QuietGenerator = %b
When set, this flag instructs the agent to handle password-change requests automatically and not to inform the user that a password-change request has been handled.
%b = 0; do not use the quiet generator; use the standard password-change process with user intervention (default)
%b = 1; use the quiet generator

Section%d = %s
Declaration of application subsections.
%d = consecutive integers
%s = subsection name

SystemLogon = %b
RESERVED. Flag identifying whether a logon section is a system logon section.
%b = 0; not a system logon section (default)
%b = 1; system logon section

Timeout = %d
Determines the maximum time period between successive logon attempts that will trigger Error Loop detection.
%d = amount of time in seconds (default: 30)

UseSendKeys = %b
Sends fields to the application as keystrokes. If UseSendKeys is selected, then IDCtrl, PassKeyCtrl, OtherCtrl1, OtherCtrl2, and (if present) ChgCtrl0, ChgCtrl1, ChgCtrl2, and ChgCtrl3 must all be set to 1, if needed.
%b = 0; do not use Send Keys; use control IDs (default)
%b = 1; use Send Keys

VTabKey%d0 = %d1
Specifies the character/delay sequence to send before/after each credential field.
Note: Fields are sent in the order specified by CtrlOrder.
Note: UseSendKeys must also be enabled.
Note: To send nothing for the specified value, specify a value of `` (two back-quotes in a row).
%d0 = 1; sequence to send before the first credential field
%d0 = 2; sequence to send after the first field, before the second; and so on (%d0 is not bounded)
%d1 = code sequence to send (see the code sequence reference) (default: standard Tab key)

VTabKeyPWC%d0 = %d1
Same description, notes, and acceptable values as VTabKey%d0.

WindowTitle%d = %s
Text matched against logon window titles to identify logon requests. %d is replaced with a number, starting at 1, so that multiple windows can be identified for a single logon.
%d = consecutive integers
%s = window title string

Windows Application Keys for Section N subsection

These settings are used within subsections delineated by SectionN.

Example

[Corporate WinApp]
Section1=~Corporate WinApp Logon
Section2=~Corporate WinApp Password Change
...

[~Corporate WinApp Logon]
(the keys below)

The following keys take the same description and acceptable values as in the parent section, above:
AppPathKey%d = %s
ChangeTitle%d = %s
ChgCtrl0 = %d
ChgCtrl1 = %d
ChgCtrl2 = %d
ChgCtrl3 = %d
CtrlOrder = %s1, %s2, %s3...
IDCtrl = %d
IDCtrlType = %d
IgnoreClassName = %s
InteractionMode = %b
Match%d = %s
ModuleName%d = %s
OKCtrl = %d
OtherCtrl1 = %d
OtherCtrl1Type = %d
OtherCtrl2 = %d
OtherCtrl2Type = %d
ParentKey1 = %s
PassKeyCtrl = %d
PassKeyCtrlType = %d
VTabKey%d0 = %d1
VTabKeyPWC%d0 = %d1
UseSendKeys = %b
WindowTitle%d = %s

Windows Application Keys for Match N subsection

These settings are used within subsections delineated by MatchN.

Example

[Corporate WinApp]
Section1=~Whatever subsection
Match1=~Corporate WinApp Logon Match
Match2=~Corporate WinApp Ignore Match
...

[~Corporate WinApp Ignore Match]
(the keys below)

Match Section Keys

The following keys take the same description and acceptable values as in the parent section, above:
ChangeTitle%d = %s
ChgCtrl0 = %d
ChgCtrl1 = %d
ChgCtrl2 = %d
ChgCtrl3 = %d

Field%d0 = %d1,%s1,%s2,%s3
The match criteria for the fields. %d0 is replaced with a number, starting at 1, so that multiple matching criteria can be set up for one screen. %d1 is replaced with the control ID of the matching criteria, %s1 with the control type, %s2 with the comparison operator, and %s3 with the compare value.
%d0 = consecutive integers
%d1 = control ID of the matching criteria
%s1 = the control type, one of the following, with the appropriate value in %s3:
text: actual text from the control
style: numeric value for the style of the control
class: the class of the control, usually Edit (edit or combobox controls) or Static (static controls, for example text labels)
%s2 = the comparison operator, one of the following:
EQ: equals
NE: not equal
%s3 = compared value

A match section is also typed by the event it handles; the acceptable values are:
Logon: logon events
Change: password-change events
Confirm: confirm the new password
Ignore: bypass all events for the application
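The following Python script is an added example; it is not code from IBM or from this manual. It reads application definitions in the INI layout used in the examples above (an assumption: the script parses them with Python's standard configparser) and checks four rules stated in the key reference: the Send Keys consistency rule for the control ID keys, the requirement that every ChangeTitle entry has a matching WindowTitle entry, that every SectionN and MatchN reference names a section that exists, and the four-part FieldN syntax of match sections. Every section name, window title and control ID in SAMPLE is constructed for illustration.

```python
"""Consistency lint for TAM E-SSO application definition sections.

Added example, not IBM code. Rules come from the key reference above: a control
key set to 1 (Send Keys) forbids control IDs in the other control keys (OKCtrl=1
is not a trigger, it means "use the agent's internal logic"); every ChangeTitleN
needs a WindowTitleN; every SectionN/MatchN target must exist; FieldN is
"controlID,type,op,value". SAMPLE is constructed; its names and IDs are made up.
"""
import configparser
import re

CONTROL_KEYS = ("IDCtrl", "PassKeyCtrl", "OtherCtrl1", "OtherCtrl2", "OKCtrl",
                "ChgCtrl0", "ChgCtrl1", "ChgCtrl2", "ChgCtrl3")
CATEGORIES = ("*Other Apps", "*Other Webs", "*Mainframe")

SAMPLE = """\
[*Other Apps]
Section1=Corporate WinApp
Section2=Legacy Tool

[Corporate WinApp]
Section1=~Corporate WinApp Logon
Section2=~Corporate WinApp Password Change
Match1=~Corporate WinApp Ignore Match

[~Corporate WinApp Logon]
ParentKey1=Corporate WinApp
WindowTitle1=Corporate WinApp - Logon
IDCtrl=1001
PassKeyCtrl=1002
OKCtrl=1

[~Corporate WinApp Password Change]
WindowTitle1=Corporate WinApp - Change Password
ChangeTitle1=Corporate WinApp - Change Password
ChgCtrl1=2001
ChgCtrl2=2002
ChgCtrl3=2003

[~Corporate WinApp Ignore Match]
Field1=1005,text,EQ,Session locked

[Legacy Tool]
Section1=~Legacy Tool Logon
Match1=~Legacy Tool Missing Match

[~Legacy Tool Logon]
WindowTitle1=Legacy Tool Login
ChangeTitle2=Legacy Tool Change Password
UseSendKeys=1
IDCtrl=1
PassKeyCtrl=1002
"""

def numbered(sec, prefix):
    """{n: value} for keys named <prefix><n>, e.g. WindowTitle1, WindowTitle2."""
    pat = re.compile(r"^%s(\d+)$" % re.escape(prefix))
    return {int(m.group(1)): v for k, v in sec.items() for m in [pat.match(k)] if m}

def parse_field(value):
    """Split a FieldN value into (control_id, type, op, compare_value)."""
    parts = [p.strip() for p in value.split(",", 3)]  # compare value may hold commas
    if len(parts) != 4 or parts[1] not in ("text", "style", "class") or parts[2] not in ("EQ", "NE"):
        raise ValueError("bad Field value %r" % value)
    return int(parts[0]), parts[1], parts[2], parts[3]

def check_send_keys(name, sec):
    vals = {k: int(sec[k]) for k in CONTROL_KEYS if k in sec}
    triggers = [k + "=1" for k, v in vals.items() if v == 1 and k != "OKCtrl"]
    if sec.get("UseSendKeys", "0") == "1":
        triggers.append("UseSendKeys=1")
    return ["%s: %s=%d is a control ID, yet Send Keys is selected by %s"
            % (name, k, v, ", ".join(triggers))
            for k, v in vals.items() if triggers and v not in (1, -1)]

def check_titles(name, sec):
    win = numbered(sec, "WindowTitle")
    return ["%s: ChangeTitle%d has no matching WindowTitle%d" % (name, n, n)
            for n in numbered(sec, "ChangeTitle") if n not in win]

def lint(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: IDCtrl, not idctrl
    cp.read_string(text)
    problems = []
    for name in cp.sections():
        sec = cp[name]
        for prefix in ("Section", "Match"):
            problems += ["%s: %s%d points at missing section [%s]" % (name, prefix, n, t)
                         for n, t in numbered(sec, prefix).items() if not cp.has_section(t)]
        for n, value in numbered(sec, "Field").items():
            try:
                parse_field(value)
            except ValueError as exc:
                problems.append("%s: Field%d: %s" % (name, n, exc))
        if name not in CATEGORIES:
            problems += check_send_keys(name, sec) + check_titles(name, sec)
    return problems

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no problems found")
```

Run the script directly to lint SAMPLE, or call lint() on the text of an exported definition file; it returns one line per problem. The Corporate WinApp sections pass, while the Legacy Tool sections produce three findings: a MatchN reference to a section that does not exist, a PassKeyCtrl control ID in a subsection that IDCtrl=1 and UseSendKeys=1 have put into Send Keys mode, and a ChangeTitle2 without a WindowTitle2. Because OKCtrl = 1 means the agent's internal logic rather than Send Keys, the script deliberately does not treat it as a trigger.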

Windows Application Keys

Chapter 4. SSO Administrative Console Reference Topics 195

Page 200: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides

These settings are used within applications delineated in the [*Other Apps] section.

Example

[*Other Apps]

Section1=Corporate WinApp

&

[Corporate WinApp]

(the keys below)

Windows Application Keys Description Acceptable values

AllowReveal = %b Flag that enables or disables the

Reveal button for password in

Wizards and property pages.

%b = 0; disabled

%b = 1; enabled (default)

AppPathKey%d = %s Windows registry key identifying the

application associated with a logon to

match against running processes.

Used in combination with the

WindowTitle for exact matching of

logon requests. %d is replaced with

a number, starting at 1, so that

multiple registry keys can be

associated with a single logon.

%d = consecutive integers

%s = application name string used in

Windows registry (typically

corresponds to executable name)

AutoOK = %b Flag instructs the agent to

automatically select OK for this

application logon after insertion of

logon data.

%b = 0; disabled

%b = 1; enabled (default)

ChangeTitle%d = %s Text matched against password

change window titles to identify

password change requests. %d is

replaced with a number, starting at 1,

so that multiple windows can be

identified for a single password

change request.

There must be a duplicate

WindowTitle entry for each

ChangeTitle entry.

%d = consecutive integers

%s = window title string

196 Introduction

Page 201: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides

ChgCtrl0 = %d Control ID used to identify the

username/ID field in a

password-change request window.

%d = -1; change request does not

require a username/ID

%d = 1; change request requires a

username/ID, but it will be sent to

the application using Send Keys. If

this value is 1, all other Control IDs (

IDCtrl, PassKeyCtrl, OtherCtrl1,

OtherCtrl2, OKCtrl, ChgCtrl1,

ChgCtrl2, and ChgCtrl3) must also be

1 or -1.

%d = 2 - 99,999; control ID value

ChgCtrl1 = %d Control ID used to identify the old

password field in a password change

request window.

%d = -1; change request does not

require an old password

%d = 1; change request requires a

password, but it will be sent to the

application using Send Keys. If this

value is 1, all other Control IDs must

also be 1 or -1.

%d = 2 - 99,999; control ID value

ChgCtrl2 = %d Control ID used to identify the new

password field in a password change

request window.

%d = -1; change request does not

require a new password.

%d = 1; change request requires a

password, but it will be sent to the

application using Send Keys. If this

value is 1, all other Control IDs must

also be 1 or -1.

%d = 2 - 99,999; control ID value

ChgCtrl3 = %d Control ID used to identify the

password confirmation field in a

password change request window.

%d = -1; change request does not

require a ″confirm new password″

entry.

%d = 1; change request requires a

″confirm new password″ entry, but it

will be sent to the application using

SendKeys. If this value is 1, all other

Control IDs must also be 1 or -1.

%d = 2 - 99,999; control ID value

ConfigName = %d Control ID identifying the control

that contains the text used to create

the initial configuration name when

the user adds this logon.

%d = 1 - 99,999; control ID value

Chapter 4. SSO Administrative Console Reference Topics 197

Page 202: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides

CPWFlag = %d Determines the behavior of the

Password Change Wizard, for specific

applications, when a user encounters

a password-change request. This key

is specified in the application’s root

section, not in a password-change

subsection.

Note: This setting can also be set

globally, for all applications, via the

Registry. See for instructions.

%d = 1; Prompts user with Password

Change Wizard (default).

%d = 2; Prompts user to manually

enter a new password, but also

provides the option of having the

agent automatically generate the

password.

%d = 4; Generates the new password

automatically, but also provides the

option of manually creating the new

password.

%d = 10; Prompts user to manually

enter a new password, without

providing the option of having the

agent automatically generate the

password.

%d = 12; Generates the new

password automatically, without

providing the option of manually

creating the new password.

CtrlOrder = %s1, %s2, %s3& Determines the order in which fields

are sent when UseSendKeys is

enabled. For example, specifying

CtrlOrder = OtherCtrl1, IDCtrl,

PassKeyCtrl tells the agent that the

tab order in the dialog box should be

OtherCtrl1, then IDCtrl, followed by

PassKeyCtrl.

For logons, the default order is

IDCtrl, PassKeyCtrl, OtherCtrl1,

OtherCtrl2.

Tony/Drew: What is CtrlOrder

default for password change

scenario?

For password changes, the default

order is ChgCtrl0, ChgCtrl1,

ChgCtrl2, ChgCtrl3.

Note: This setting applies only when

UseSendKeys is enabled and works

only with Windows applications.

%s1 = The first field sent

%s2 = The second field sent

%s3 = The third field sent

etc.

Description = %s Text describing this application, also

stored in the Description field in

Logon Manager.

%s = any string

ExtMap = %s Windows file extension associated

with a logon. Allows the agent to

map an icon to the configuration.

%s = three-character string for file

extension

198 Introduction

Page 203: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides

ForceReauth = %b Force the user to reauthenticate

before providing credentials to this

application.

Note: Applies to all subsections; the

user would have to reauthenticate

multiple times in a multiple-section

password change scenario .

%b = 0; do not require

reauthentication (default)

%b = 1; require reauthentication

Group = %s Group section name that this

application is a part of. Used when

configuring for Password Sharing

Groups. Special values include:

LDAP: Application uses LDAP

Directory Server authenticator

password.

Domain: Application uses the

Windows authenticator password.

Refer to for detailed instructions.

Note: Must set Windows Registry

entry PWSEnable=1 to enable

Groups.

%s = the section name of the

application group that the application

belongs to.

HideConfirmPW = %b Determines whether to hide the

password confirmation field in the

Logon Error dialog.

%b = 0; do not hide confirmation

field (default)

%b = 1; hide confirmation field

IDCtrl = %d Identifies the username/ID control

field and/or the mechanism to

provide the username/ID data to the

appropriate username/ID control.

%d = 0; the user must use the the

agent’s ″teaching tool″ mechanism

during application setup (default)

%d = -1; application does not require

a username/ID

%d = 1; application requires a

username/ID, but it will be sent to

the application using Send Keys. If

this value is set to 1, all other Control

IDs ( PassKeyCtrl, OtherCtrl1,

OtherCtrl2, OKCtrl, ChgCtrl0,

ChgCtrl1, ChgCtrl2, and ChgCtrl3)

must also be 1 or -1.

%d = 2 - 99,999; username/ID control

ID value

IDCtrlType = %d Identifies the control type of the

username/ID control field.

%d = 0; edit control (default)

%d = 1; combobox control

%d = 2; listbox control

IgnoreClassName = %s Identifies the class name of the logon

or password-change window that

should be ignored when submitting

credentials. Used in cases where an

application contains a second, hidden

logon or password-change window.

%s = class name string

Chapter 4. SSO Administrative Console Reference Topics 199

Page 204: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides

InteractionMode = %b Prevents the agent from attaching to

the application’s window’s message

queue.

%b = 0; disabled (default)

%b = 1; enabled

MaskPW = %b Determines whether to mask the

password in the Logon Error dialog.

%b = 0; do not mask password

%b = 1; mask password (default)

Match%d = %s Maps to a matching section for the

application. Use this method if the

same application has multiple logon

and password change screens. This

is most useful when one set of user

credentials is for multiple screens

within an application. By using this

method, the matching sections could

be set up for logons, password

change (pick and manual), and

ignores.

%d = consecutive integers

%s = application logon name (logon

definition sections)

MaxRetry = %d Determines the number of logon

retries the agent makes before

displaying the Logon Error dialog.

%d = the number of retries (default:

1)

ModuleName%d = %s Application module name associated

with a logon to match against

running processes. Used in

conjunction with WindowTitle key to

identify a specific application logon

or password-change request. %d is

replaced with a number, starting at 1,

so that multiple application modules

can be associated with a single logon.

%d = consecutive integers

%s = application name string

(typically corresponds to executable

name)

OKCtrl = %d Identifies the control ID of the OK

button for this application.

%d = 1; use the agent’s internal logic

(default)

%d = 2 - 99,999; OK button control

ID

%d = -1; requires the user to

manually select OK

OtherCtrl1 = %d Identifies the control ID of a third

logon field and/or the mechanism to

provide the additional field data to

the appropriate control.

%d = -1; application does not require

a third field

%d = 1; application requires a third

field, but it will be sent to the

application using Send Keys. If this

value is set to 1, all other Control IDs

must also be 1 or -1.

%d = 2 - 99,999; third field control ID

value; can be any value if Send Keys

is used

OtherCtrl1Type = %d Identifies the control type of a third

logon field.

%d = 0; edit control (default)

%d = 1; combobox control

%d = 2; listbox control

200 Introduction

Page 205: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides

OtherCtrl2 = %d
  Identifies the control ID of a fourth logon field and/or the mechanism used to provide the additional field data to the appropriate control.
  Acceptable values:
    %d = -1; application does not require a fourth field
    %d = 1; application requires a fourth field, but it will be sent to the application using Send Keys. If this value is set to 1, all other Control IDs must also be 1 or -1.
    %d = 2 - 99,999; fourth field control ID value; can be any value if Send Keys is used

OtherCtrl2Type = %d
  Identifies the control type of a fourth logon field.
  Acceptable values:
    %d = 0; edit control (default)
    %d = 1; combobox control
    %d = 2; listbox control

OtherLabel1 = %s
  The text label used by the agent when displaying a third logon field.
  Acceptable values:
    %s = the text the agent will display

OtherLabel2 = %s
  The text label used by the agent when displaying a fourth logon field.
  Acceptable values:
    %s = the text the agent will display

ParentKey1 = %s
  Maps a subsection to its parent section.
  Acceptable values:
    %s = parent application/section name

PassKeyCtrl = %d
  Identifies the password control field and/or the mechanism used to provide the password data to the appropriate password control.
  Acceptable values:
    %d = 0; the user must use the agent's "teaching tool" mechanism during application setup
    %d = -1; application does not require a password
    %d = 1; application requires a password, but it will be sent to the application using Send Keys. If this value is set to 1, all other Control IDs must also be 1 or -1.
    %d = 2 - 99,999; password control ID value; can be any value if Send Keys is used

PassKeyCtrlType = %d
  Identifies the control type of the password control field.
  Acceptable values:
    %d = 0; edit control (default)
    %d = 1; combobox control
    %d = 2; listbox control

PassPolicy = %s
  Identifies which password policy section to associate with this application logon configuration.
  Acceptable values:
    %s = policy section name

PresetFocusAll = %b
  Specifies whether to set the focus to a logon field before the agent actually places data in that field.
  Acceptable values:
    %b = 0; disabled (default)
    %b = 1; enabled

QuietGenerator = %b
  When set, this flag instructs the agent to handle password change requests automatically and not inform the user that a password change request has been handled.
  Acceptable values:
    %b = 0; do not use the quiet generator; use the standard password change process with user intervention (default)
    %b = 1; use the quiet generator


Section%d = %s
  Declaration of application subsections.
  Acceptable values:
    %d = consecutive integers
    %s = subsection name

SystemLogon = %b
  RESERVED. Flag identifying whether a logon section is a system logon section.
  Acceptable values:
    %b = 0; not a system logon section (default)
    %b = 1; system logon section

Timeout = %d
  Determines the maximum time period between successive logon attempts that will trigger Error Loop detection.
  Acceptable values:
    %d = amount of time in seconds (default: 30)

UseSendKeys = %b
  Send the credential fields to the application as keystrokes rather than by writing them into the controls identified by control ID.
  If UseSendKeys is enabled, then IDCtrl, PassKeyCtrl, OtherCtrl1, OtherCtrl2, and (if present) ChgCtrl0, ChgCtrl1, ChgCtrl2, and ChgCtrl3 must all be set to 1 (or -1 for fields the application does not need).
  Acceptable values:
    %b = 0; do not use Send Keys; use control IDs (default)
    %b = 1; use Send Keys

VTabKey%d0 = %d1
  Specifies the character/delay sequence to send before/after each credential field.
  Note: Fields are sent in the order specified by CtrlOrder.
  Note: UseSendKeys must also be enabled.
  Note: To send nothing for the specified value, specify a value of `` (two back-quotes in a row).
  Acceptable values:
    %d0 = 1; sequence to send before the first credential field
    %d0 = 2; sequence to send after the first field, before the second; and so on. %d0 is not bounded.
    %d1 = code sequence to send (see the related reference topic) (default: standard Tab key)

VTabKeyPWC%d0 = %d1
  Specifies the character/delay sequence to send before/after each credential field of a password-change request (the password-change counterpart of VTabKey).
  Note: Fields are sent in the order specified by CtrlOrder.
  Note: UseSendKeys must also be enabled.
  Note: To send nothing for the specified value, specify a value of `` (two back-quotes in a row).
  Acceptable values:
    %d0 = 1; sequence to send before the first credential field
    %d0 = 2; sequence to send after the first field, before the second; and so on. %d0 is not bounded.
    %d1 = code sequence to send (see the related reference topic) (default: standard Tab key)

WindowTitle%d = %s
  Text matched against logon window titles to identify logon requests. %d is replaced with a number, starting at 1, so that multiple windows can be identified for a single logon.
  Acceptable values:
    %d = consecutive integers
    %s = window title string


Windows Application Keys for Section N subsection

These settings are used within subsections delineated by SectionN.

Example

[Corporate WinApp]
Section1=~Corporate WinApp Logon
Section2=~Corporate WinApp Password Change
...
[~Corporate WinApp Logon]
(the keys below)

The following keys are accepted in a SectionN subsection. Their descriptions and acceptable values are the same as in the parent section, above.

AppPathKey%d = %s
ChangeTitle%d = %s
ChgCtrl0 = %d
ChgCtrl1 = %d
ChgCtrl2 = %d
ChgCtrl3 = %d
CtrlOrder = %s1, %s2, %s3, ...
IDCtrl = %d
IDCtrlType = %d
IgnoreClassName = %s
InteractionMode = %b
Match%d = %s
ModuleName%d = %s
OKCtrl = %d
OtherCtrl1 = %d
OtherCtrl1Type = %d
OtherCtrl2 = %d
OtherCtrl2Type = %d
ParentKey1 = %s
PassKeyCtrl = %d
PassKeyCtrlType = %d
VTabKey%d0 = %d1
VTabKeyPWC%d0 = %d1
UseSendKeys = %b
WindowTitle%d = %s

Windows Application Keys for Match N subsection

These settings are used within subsections delineated by MatchN.

Example

[Corporate WinApp]
Section1=~Whatever subsection
Match1=~Corporate WinApp Logon Match
Match2=~Corporate WinApp Ignore Match
...
[~Corporate WinApp Ignore Match]
(the keys below)

The following keys are accepted in a MatchN subsection. Except for Field%d0, their descriptions and acceptable values are the same as in the parent section, above.

ChangeTitle%d = %s
ChgCtrl0 = %d
ChgCtrl1 = %d
ChgCtrl2 = %d
ChgCtrl3 = %d

Field%d0 = %d1,%s1,%s2,%s3
  The match criteria for the fields. %d0 is replaced with a number, starting at 1, so that multiple matching criteria can be set up for one screen. %d1 is replaced with the control ID of the control to examine. %s1 is replaced with the control type, %s2 with the comparison operator, and %s3 with the compare value.
  Acceptable values:
    %d0 = consecutive integers
    %d1 = control ID of the matching criteria
    %s1 = the control type; one of the following, with the corresponding kind of value in %s3:
      text    actual text from the control
      style   numeric value for the style of the control
      class   the class of the control, usually Edit or Static:
              Edit    edit or combobox controls
              Static  static controls (for example, text labels)
    %s2 = the comparison operator; one of the following:
      EQ  equals
      NE  not equal
    %s3 = the compared value

The values Logon, Change, Confirm, and Ignore identify the kind of event a match section handles:
  Logon    logon events
  Change   password change events
  Confirm  confirm the new password
  Ignore   bypass all events for the application
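The reference above states several rules that span more than one key: the Send Keys rule (once UseSendKeys is 1, or any of IDCtrl, PassKeyCtrl, OtherCtrl1, OtherCtrl2, OKCtrl or ChgCtrl0-3 is 1, every control ID must be 1 or -1), the 2 - 99,999 control-ID range, CtrlOrder applying only when UseSendKeys is enabled, and the controlID,type,operator,value form of FieldN in a MatchN subsection. The following Python checker is an added example, not IBM code or part of this documentation: it parses a template in the INI form shown in the examples above and reports violations of those rules. It also flags an application that identifies its logon window by WindowTitle alone, because the reference pairs ModuleName and AppPathKey with WindowTitle for exact matching, and a Send Keys template types the stored credentials into whichever window matches; that warning is the editor's caveat, not a rule stated on the page. The template text, section names, window title, module name and control IDs in SAMPLE_TEMPLATE are constructed for the example.

```python
"""Added example (not IBM code): consistency checks for TAM E-SSO Windows application-logon
templates, implementing the cross-key rules stated in the Windows Application Keys reference.
SAMPLE_TEMPLATE is constructed for this example; its names, title and control IDs are made up."""
import configparser
import re

CTRL_KEYS = ("IDCtrl", "PassKeyCtrl", "OtherCtrl1", "OtherCtrl2", "OKCtrl",
             "ChgCtrl0", "ChgCtrl1", "ChgCtrl2", "ChgCtrl3")
MATCH_TYPES, MATCH_OPS = ("text", "style", "class"), ("EQ", "NE")

SAMPLE_TEMPLATE = """\
[*Other Apps]
Section1=Corporate WinApp
Section2=Bad WinApp

[Corporate WinApp]
WindowTitle1=Corporate WinApp - Sign In
ModuleName1=corpwinapp.exe
UseSendKeys=1
IDCtrl=1
PassKeyCtrl=1
OtherCtrl1=-1
CtrlOrder=IDCtrl, PassKeyCtrl
Match1=~Corporate WinApp Ignore Match

[~Corporate WinApp Ignore Match]
Field1=1003,text,EQ,Read-only session
Field2=1004,class,NE,Edit

[Bad WinApp]
WindowTitle1=Bad WinApp
UseSendKeys=1
IDCtrl=1001
PassKeyCtrl=1
Match1=~Bad WinApp Match

[~Bad WinApp Match]
Field1=1002,text,LIKE,Sign
"""


def declared(cp, section, prefix):
    """Names listed as <prefix>1, <prefix>2, ... in a section (Section1=..., Match1=...)."""
    return [v for k, v in cp.items(section) if re.fullmatch(prefix + r"\d+", k)] if cp.has_section(section) else []


def check_match(cp, name):
    """FieldN = controlID,type,operator,value rows of a MatchN subsection."""
    if not cp.has_section(name):
        return [f"match section [{name}] is missing"]
    probs = []
    for key, val in cp.items(name):
        if re.fullmatch(r"Field\d+", key):
            parts = [p.strip() for p in val.split(",", 3)]  # the compare value may itself contain commas
            if len(parts) != 4 or not parts[0].isdigit():
                probs.append(f"{key} must be controlID,type,operator,value")
            elif parts[1] not in MATCH_TYPES or parts[2] not in MATCH_OPS:
                probs.append(f"{key}: type must be one of {MATCH_TYPES} and operator one of {MATCH_OPS}")
    return probs


def check_winapp(cp, name, root=True):
    """Rules for an application section and, recursively, its SectionN/MatchN subsections."""
    if not cp.has_section(name):
        return [f"section [{name}] is declared but missing"]
    s, probs = cp[name], []
    ids = {k: int(s[k]) for k in CTRL_KEYS if k in s and re.fullmatch(r"\s*-?\d+\s*", s[k])}
    probs += [f"{k}={s[k]!r} is not an integer" for k in CTRL_KEYS if k in s and k not in ids]
    # -1 = not required, 1 = sent with Send Keys, 2-99,999 = control ID; 0 (teaching tool) only for IDCtrl/PassKeyCtrl
    for k, v in ids.items():
        if not (v in (-1, 1) or 2 <= v <= 99999 or (v == 0 and k in ("IDCtrl", "PassKeyCtrl"))):
            probs.append(f"{k}={v} is not an acceptable value")
    sendkeys = s.get("UseSendKeys", "0").strip() == "1"
    # Send Keys rule: once any field is typed as keystrokes, every control key must be 1 or -1
    if sendkeys or 1 in ids.values():
        bad = [k for k, v in ids.items() if v not in (1, -1)]
        if bad:
            probs.append("Send Keys in use but not 1 or -1: " + ", ".join(bad))
    order = [f.strip() for f in s.get("CtrlOrder", "").split(",") if f.strip()]
    if order and not sendkeys:
        probs.append("CtrlOrder applies only when UseSendKeys=1")
    probs += [f"CtrlOrder names unknown field {f!r}" for f in order if f not in CTRL_KEYS]
    # Editor's caveat: a title-only match lets any window with that title receive the credentials
    if root and any(k.startswith("WindowTitle") for k in s) and not any(
            k.startswith(("ModuleName", "AppPathKey")) for k in s):
        probs.append("matches on window title only; add ModuleName/AppPathKey for exact matching")
    for sub in declared(cp, name, "Section"):
        probs += [f"[{sub}] {p}" for p in check_winapp(cp, sub, root=False)]
    for sub in declared(cp, name, "Match"):
        probs += [f"[{sub}] {p}" for p in check_match(cp, sub)]
    return probs


def check_template(text):
    """Return {application: [problems]} for every application listed under [*Other Apps]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case; split on '=' only so a title containing ':' survives; '%' is literal
    cp.read_string(text)
    return {app: check_winapp(cp, app) for app in declared(cp, "*Other Apps", "Section")}


if __name__ == "__main__":
    for app, probs in check_template(SAMPLE_TEMPLATE).items():
        print(app + ":", "OK" if not probs else "\n  - " + "\n  - ".join(probs))
```

Run as a script it reports "Corporate WinApp: OK" and three findings for "Bad WinApp": IDCtrl=1001 in a Send Keys template, a window-title-only match, and the unsupported LIKE operator in its MatchN subsection. The checker only encodes rules this page states; it does not reproduce the agent's own template loader, and the product may apply further validation.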


Host/Mainframe Application Keys

These settings are used within applications delineated in the [*Mainframe] section.

For all keys below that have row/column values, the row/column value starts at 1 (that is, top-left is

1,1).

Note: For Telnet the value must be 1,1.

Example

[*Mainframe]

Section1=Corporate Mainframe

&

[Corporate Mainframe]

(the keys below)

Host Application Keys Description Acceptable values

AllowReveal = %b Flag that enables or disables the

Reveal button for password in

Wizards and property pages.

%b = 0; disabled

%b = 1; enabled (default)

214 Introduction

Page 219: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides

AltTabKey = %d Flag to indicate how to send

credentials to the host emulator.

Normally, credentials are sent

through a direct HLLAPI call but this

setting specifies using another

method. If this is set to 1, then Enter

is pressed in between two fields.

This is usually used for password

change screens that separate the new

password and confirmation password

into two screens.

Note: %d=1 is usually used for

password-change scenarios that

separate the new-password field and

confirm-password into two screens.

%d = 0; Use HLLAPI to submit

credentials directly to the credential

fields (default).

%d = 1; Replace the Tab key with the

Enter key between two fields.

%d = 2; Use HLLAPI SendKeys and

enable support for CtrlOrder, PreKey,

and TabKey N. This is useful for

logon scenarios with non-standard

credential delimiters.

AutoOK = %b Flag instructs the agent to

automatically send Enter for this

application logon after insertion of

logon data.

%b = 0; disabled

%b = 1; enabled (default)

CPWFlag = %d Determines the behavior of the

Password Change Wizard, for specific

applications, when a user encounters

a password-change request. This key

is specified in the application’s root

section, not in a password-change

subsection.

Note: This setting can also be set

globally, for all applications, via the

Registry. See for instructions.

%d = 1; Prompts user with Password

Change Wizard (default).

%d = 2; Prompts user to manually

enter a new password, but also

provides the option of having the

agent automatically generate the

password.

%d = 4; Generates the new password

automatically, but also provides the

option of manually creating the new

password.

%d = 10; Prompts user to manually

enter a new password, without

providing the option of having the

agent automatically generate the

password.

%d = 12; Generates the new

password automatically, without

providing the option of manually

creating the new password.

CtrlOrder = %s1,%s2,%s3,%s4,%s5 Determines the order in which fields

are sent when AltTabKey=2.

For example, specifying

CtrlOrder=OtherField1,IDField,PassField

tells the agent that the order in the

dialog box should be OtherField1,

then IDField, followed by PassField.

%s1 = The first field sent (default:

IDField)

%s2 = The second field sent (default:

PassField)

%s3 = The third field sent (default:

OtherField1)

%s4 = The fourth field sent (default:

NewPWField)

%s5 = The fifth field sent (default:

NewPWField2)

%s5 = The sixth field sent (default:

OtherField2)

DelayField = %d
    Number of milliseconds the agent waits between actions (entering a value into a field).
    %d = integer value in milliseconds

Description = %s
    Text describing this application; also stored in the Description field in Logon Manager.
    %s = any string

Field%d0 = %d1, %d2, %s
    Strings to match against text displayed on the screen, used to identify a host/mainframe logon. %d0 is replaced with a number starting at 1, so that several text strings can be combined to identify a logon uniquely. For Telnet applications, the row and column values must be 1,1.
    %d0 = consecutive integers
    %d1 = row of the first character of the text string
    %d2 = column of the first character of the text string
    %s = text string

ForceReauth = %b
    Forces the user to reauthenticate before credentials are provided to this application.
    Note: Applies to all subsections, so in a multiple-section password change scenario the user has to reauthenticate multiple times.
    %b = 0; do not require reauthentication (default)
    %b = 1; require reauthentication

Group = %s
    Name of the group section this application belongs to. Used when configuring Password Sharing Groups. Special values:
    LDAP: the application uses the LDAP Directory Server authenticator password.
    Domain: the application uses the Windows authenticator password.
    Refer to the Password Sharing Groups topic for detailed instructions.
    Note: The Windows Registry entry PWSEnable=1 must be set to enable Groups.
    %s = the section name of the application group that the application belongs to

HideConfirmPW = %b
    Determines whether to hide the password confirmation field in the Logon Error dialog.
    %b = 0; do not hide the confirmation field (default)
    %b = 1; hide the confirmation field

IDField = %d1, %d2
    Location of the first input character of the username/ID field as displayed on a host/mainframe logon screen. For Telnet applications this value is optional and is ignored. Set to 1,0 if the field is not present.
    %d1 = row of the first input character
    %d2 = column of the first input character

MaskPW = %b
    Determines whether to mask the password in the Logon Error dialog.
    %b = 0; do not mask the password
    %b = 1; mask the password (default)

MaxRetry = %d
    Number of logon retries the agent makes before displaying the Logon Error dialog.
    %d = number of retries (default: 1)

NewPWField = %d1,%d2
    Location of the new password field.
    %d1 = row of the first input character
    %d2 = column of the first input character

NewPWField2 = %d1,%d2
    Location of the new password confirmation field. Optional; not needed if only one new password field is required.
    %d1 = row of the first input character
    %d2 = column of the first input character

OtherField1 = %d1, %d2
    Location of the first input character of the third logon field as displayed on a host/mainframe logon screen. For Telnet applications this value is optional and is ignored.
    %d1 = row of the first input character
    %d2 = column of the first input character

OtherField2 = %d1, %d2
    Location of the first input character of the fourth logon field as displayed on a host/mainframe logon screen. For Telnet applications this value is optional and is ignored.
    %d1 = row of the first input character
    %d2 = column of the first input character

OtherLabel1 = %s
    Label presented within the agent for the third logon field.
    %s = text string

OtherLabel2 = %s
    Label presented within the agent for the fourth logon field.
    %s = text string

Page%d = %s
    Pointer to the subsections used when one host/mainframe application logon spans multiple pages.
    %d = consecutive integers
    %s = name of the subsection

ParentKey1 = %s
    Maps a subsection to its parent section.
    %s = parent application/section name

PassField = %d1, %d2
    Location of the first input character of the password field as displayed on a host/mainframe logon screen. For Telnet applications the values must be 1,1. Set to 1,0 if the field is not present.
    %d1 = row of the first input character
    %d2 = column of the first input character

PassPolicy = %s
    Identifies the password policy section to associate with this application logon configuration.
    %s = policy section name

PreKey = %s
    String of characters and mnemonics sent before any credential submission.
    %s = any combination of characters and/or ASCII mnemonics; maximum length 25 characters

QuietGenerator = %b
    When set, the agent handles password change requests automatically and does not inform the user that a request has been handled.
    %b = 0; do not use the quiet generator; use the standard password change process with user intervention (default)
    %b = 1; use the quiet generator

TabKey1 = %s
    String of characters and mnemonics sent after IDField is submitted.
    %s = any combination of characters and/or ASCII mnemonics; maximum length 25 characters

TabKey2 = %s
    String of characters and mnemonics sent after PassField is submitted.
    %s = any combination of characters and/or ASCII mnemonics; maximum length 25 characters

TabKey3 = %s
    String of characters and mnemonics sent after OtherField1 is submitted.
    %s = any combination of characters and/or ASCII mnemonics; maximum length 25 characters

TabKey4 = %s
    String of characters and mnemonics sent after NewPWField is submitted.
    %s = any combination of characters and/or ASCII mnemonics; maximum length 25 characters

TabKey5 = %s
    String of characters and mnemonics sent after NewPWField2 is submitted.
    %s = any combination of characters and/or ASCII mnemonics; maximum length 25 characters

TabKey6 = %s
    String of characters and mnemonics sent after OtherField2 is submitted.
    %s = any combination of characters and/or ASCII mnemonics; maximum length 25 characters

Timeout = %d
    Maximum interval between successive logon attempts for which Error Loop detection triggers.
    %d = time in seconds (default: 30)
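The Field%d, IDField and PassField entries above are screen coordinates. The following is an added example, not IBM's code and not part of the original page: it shows how a set of FieldN strings identifies a 3270-style screen and how the 1-based coordinates and the 1,0 sentinel map onto a 24x80 screen buffer. The screen text and the section values are constructed for the example.

```python
"""Host/mainframe screen recognition (added example, not IBM code)."""

SCREEN_ROWS, SCREEN_COLS = 24, 80


def screen_from_lines(lines):
    """Pad constructed text lines into a 24x80 buffer (one string per row)."""
    rows = [line.ljust(SCREEN_COLS)[:SCREEN_COLS] for line in lines]
    rows += [" " * SCREEN_COLS] * (SCREEN_ROWS - len(rows))
    return rows


def text_at(screen, row, col, length):
    """Read `length` characters at 1-based (row, col); '' when off-screen."""
    if not 1 <= row <= len(screen) or col < 1:
        return ""
    return screen[row - 1][col - 1:col - 1 + length]


def parse_field_key(value):
    """Field%d value 'row, col, text' -> (row, col, text); text may hold commas."""
    row, col, text = value.split(",", 2)
    return int(row), int(col), text.strip()


def screen_matches(screen, section):
    """True when every FieldN string in the section appears at its position."""
    anchors = [v for k, v in section.items()
               if k.startswith("Field") and k[5:].isdigit()]
    if not anchors:
        return False  # no anchors: never identify a screen by accident
    for value in anchors:
        row, col, text = parse_field_key(value)
        if text_at(screen, row, col, len(text)) != text:
            return False
    return True


def field_cursor(section, key):
    """(row, col) of an input field, or None if absent or configured as 1,0."""
    value = section.get(key)
    if value is None:
        return None
    row, col = (int(p) for p in value.split(",")[:2])
    return None if (row, col) == (1, 0) else (row, col)


# Constructed logon screen and section; not a real host or deployment.
LOGON_SCREEN = screen_from_lines([
    "",
    " " * 29 + "CORPORATE MAINFRAME LOGON",  # row 2, text starts at column 30
    "", "", "", "", "",
    "   USERID  ===> ",                     # row 8: label at col 4, input at col 17
    "   PASSWORD===> ",                     # row 9: input at col 17
])
LOGON_SECTION = {
    "Field1": "2, 30, CORPORATE MAINFRAME LOGON",
    "Field2": "8, 4, USERID",
    "IDField": "8, 17",
    "PassField": "9, 17",
    "OtherField1": "1, 0",  # third field not present on this screen
}
```

Two anchors (the title and the USERID label) are used on purpose: a single short string is easy to find on an unrelated screen, and an agent that misidentifies a screen types the password into whatever field the cursor lands on.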

Host Applications: Keys for Page N subsection

These settings are used within subsections delineated by PageN.

Example

[Corporate Mainframe]
Page1=~Corporate Mainframe Logon
Page2=~Corporate Mainframe Password Change

[~Corporate Mainframe Logon]
(the keys below)

Host Application Keys (for description and acceptable values, see the parent section above):
AllowReveal = %b
AltTabKey = %d
AutoOK = %b
CPWFlag = %d
CtrlOrder = %s1,%s2,%s3,%s4,%s5,%s6
DelayField = %d
Description = %s
Field%d0 = %d1, %d2, %s
ForceReauth = %b
Group = %s
HideConfirmPW = %b
IDField = %d1, %d2
MaskPW = %b
MaxRetry = %d
NewPWField = %d1,%d2
NewPWField2 = %d1,%d2
OtherField1 = %d1, %d2
OtherField2 = %d1, %d2
OtherLabel1 = %s
OtherLabel2 = %s
Page%d = %s
ParentKey1 = %s
PassField = %d1, %d2
PassPolicy = %s
PreKey = %s
QuietGenerator = %b
TabKey1 = %s
TabKey2 = %s
TabKey3 = %s
TabKey4 = %s
TabKey5 = %s
Timeout = %d
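A configuration lint for the host/mainframe keys, as an added example that is not IBM's code: it reads an INI file laid out like the [Corporate Mainframe] / Page1 / Page2 sample above and checks the rules the reference states (1-based coordinates or the 1,0 sentinel, CPWFlag only in the root section and only one of 1/2/4/10/12, PreKey and TabKeyN no longer than 25 characters, CtrlOrder only meaningful with AltTabKey=2, ParentKey1 pointing back at the parent). It also reports AllowReveal left enabled (the default) and MaskPW=0, since both expose the password in the agent's own dialogs. The sample INI is constructed; the @C/@T/@E key mnemonics in it are assumed HLLAPI-style sequences, not values taken from this page.

```python
"""Lint TAM E-SSO host/mainframe application sections (added example, not IBM code)."""
import configparser

COORD_KEYS = {"IDField", "PassField", "OtherField1", "OtherField2",
              "NewPWField", "NewPWField2"}
KEYSEQ_KEYS = {"PreKey", "TabKey1", "TabKey2", "TabKey3",
               "TabKey4", "TabKey5", "TabKey6"}
CPW_VALUES = {1, 2, 4, 10, 12}
MAX_KEYSEQ = 25
NOT_PRESENT = (1, 0)  # the reference's "field is not present" value


def parse_ini(text):
    """Parse INI text with case-sensitive keys and no % interpolation."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg


def parse_coord(value):
    """'row, col[, text]' -> (row, col); ValueError if malformed."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) < 2:
        raise ValueError(value)
    return int(parts[0]), int(parts[1])


def check_section(cfg, name, is_root, out):
    """Apply the per-key rules to one section, appending (code, section, key)."""
    sec = cfg[name]
    for key, value in sec.items():
        if key in COORD_KEYS or key.rstrip("0123456789") == "Field":
            try:
                coord = parse_coord(value)
            except ValueError:
                out.append(("bad-coord", name, key))
                continue
            if coord != NOT_PRESENT and (coord[0] < 1 or coord[1] < 1):
                out.append(("bad-coord", name, key))
        elif key in KEYSEQ_KEYS and len(value) > MAX_KEYSEQ:
            out.append(("keyseq-too-long", name, key))
        elif key == "CPWFlag":
            if not is_root:
                out.append(("cpwflag-in-subsection", name, key))
            if not value.isdigit() or int(value) not in CPW_VALUES:
                out.append(("bad-cpwflag", name, key))
        elif key == "CtrlOrder":
            if sec.get("AltTabKey", "0") != "2":
                out.append(("ctrlorder-without-alttabkey2", name, key))
            fields = [f.strip() for f in value.split(",")]
            for f in fields:
                if f not in COORD_KEYS:
                    out.append(("unknown-ctrlorder-field", name, f))
            if len(set(fields)) != len(fields):
                out.append(("duplicate-ctrlorder-field", name, key))
    if is_root:  # defaults that weaken credential handling
        if sec.get("AllowReveal", "1") != "0":
            out.append(("reveal-enabled", name, "AllowReveal"))
        if sec.get("MaskPW", "1") == "0":
            out.append(("password-unmasked", name, "MaskPW"))


def validate_host_app(ini_text, app_name):
    """Validate one application section and the PageN subsections it points to."""
    cfg = parse_ini(ini_text)
    if not cfg.has_section(app_name):
        return [("missing-section", app_name, "")]
    findings = []
    check_section(cfg, app_name, True, findings)
    for key, sub in cfg[app_name].items():
        if not (key.startswith("Page") and key[4:].isdigit()):
            continue
        if not cfg.has_section(sub):
            findings.append(("missing-page-section", app_name, key))
            continue
        if cfg[sub].get("ParentKey1") != app_name:
            findings.append(("parentkey-mismatch", sub, "ParentKey1"))
        check_section(cfg, sub, False, findings)
    return findings


# Constructed sample configuration (not from a real deployment).
SAMPLE_INI = """
[*Mainframe]
Section1=Corporate Mainframe

[Corporate Mainframe]
Description=Corporate mainframe (TSO)
AllowReveal=1
MaskPW=0
CPWFlag=12
Page1=~Corporate Mainframe Logon
Page2=~Corporate Mainframe Password Change

[~Corporate Mainframe Logon]
ParentKey1=Corporate Mainframe
Field1=1, 30, CORPORATE MAINFRAME LOGON
IDField=8, 20
PassField=9, 20
OtherField1=1, 0
OtherField2=0, 5
AltTabKey=2
CtrlOrder=IDField,PassField
PreKey=@C
TabKey1=@T
TabKey2=@E

[~Corporate Mainframe Password Change]
ParentKey1=Corporate Mainframe
Field1=1, 30, CHANGE PASSWORD
PassField=9, 20
NewPWField=10, 20
NewPWField2=11, 20
CPWFlag=4
TabKey4=@T@T@T@T@T@T@T@T@T@T@T@T@T@T@T
"""
```

Run `validate_host_app(SAMPLE_INI, "Corporate Mainframe")` to get the findings for the sample: the over-long TabKey4, the CPWFlag placed in a subsection, the zero row in OtherField2, and the two password-exposure settings in the root section; OtherField1=1,0 is accepted as the documented "not present" value.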


Web Application Keys

These settings are used within applications delineated in the [*Other Webs] section.

Example

[*Other Webs]
Section1=Corporate WebApp
&
[Corporate WebApp]
(the keys below)

Web Application Keys, with description and acceptable values:

AllowReveal = %b
    Enables or disables the Reveal button for the password in wizards and property pages.
    %b = 0; disabled
    %b = 1; enabled (default)

AutoOK = %b
    Instructs the agent to send Enter automatically for this application logon after inserting the logon data.
    %b = 0; disabled
    %b = 1; enabled (default)

CPWFlag = %d
    Determines the behavior of the Password Change Wizard for specific applications when a user encounters a password-change request. This key is specified in the application's root section, not in a password-change subsection.
    Note: This setting can also be set globally, for all applications, via the Registry; see the Registry settings for instructions.
    %d = 1; Prompts the user with the Password Change Wizard (default).
    %d = 2; Prompts the user to enter a new password manually, but also provides the option of having the agent generate the password automatically.
    %d = 4; Generates the new password automatically, but also gives the user the option of creating it manually.
    %d = 10; Prompts the user to enter a new password manually, with no option to have the agent generate it.
    %d = 12; Generates the new password automatically, with no option for the user to create it manually.

Description = %s
    Text describing this application; also stored in the Description field in Logon Manager.
    %s = any string

ForceReauth = %b
    Forces the user to reauthenticate before credentials are provided to this application.
    Note: Applies to all subsections, so in a multiple-section password change scenario the user has to reauthenticate multiple times.
    %b = 0; do not require reauthentication (default)
    %b = 1; require reauthentication

Group = %s
    Name of the group section this application belongs to. Used when configuring Password Sharing Groups. Special values:
    LDAP: the application uses the LDAP Directory Server authenticator password.
    Domain: the application uses the Windows authenticator password.
    Refer to the Password Sharing Groups topic for detailed instructions.
    Note: The Windows Registry entry PWSEnable=1 must be set to enable Groups.
    %s = the section name of the application group that the application belongs to

HideConfirmPW = %b
    Determines whether to hide the password confirmation field in the Logon Error dialog.
    %b = 0; do not hide the confirmation field (default)
    %b = 1; hide the confirmation field

IDField = %s1,%s2,%s3,%s4
    Identifies the field for entering a username/ID.
    Note: If a frame, form, or field name consists solely of digits, the enumerated value must be used.
    %s1 = frame name/number
    %s2 = form name/number
    %s3 = field name/number
    %s4 = field type (text/password)

MaskPW = %b
    Determines whether to mask the password in the Logon Error dialog.
    %b = 0; do not mask the password
    %b = 1; mask the password (default)

MaxRetry = %d
    Number of logon retries the agent makes before displaying the Logon Error dialog.
    %d = number of retries (default: 1)

NewPWField = %s1,%s2,%s3,%s4
    Identifies the field for entering a new password.
    %s1 = frame name/number
    %s2 = form name/number
    %s3 = field name/number
    %s4 = field type (text/password)

NewPWField2 = %s1,%s2,%s3,%s4
    Identifies the field for confirming a new password.
    %s1 = frame name/number
    %s2 = form name/number
    %s3 = field name/number
    %s4 = field type (text/password)

OtherField1 = %s1,%s2,%s3,%s4
    Identifies the third logon field.
    %s1 = frame name/number
    %s2 = form name/number
    %s3 = field name/number
    %s4 = field type (text/password)

OtherField2 = %s1,%s2,%s3,%s4
    Identifies the fourth logon field.
    %s1 = frame name/number
    %s2 = form name/number
    %s3 = field name/number
    %s4 = field type (text/password)

OtherLabel1 = %s
    Label presented within the agent for a third logon field.
    %s = text string

OtherLabel2 = %s
    Label presented within the agent for a fourth logon field.
    %s = text string

ParentKey1 = %s
    Maps a subsection to its parent section.
    %s = parent application/section name

PassField = %s1,%s2,%s3,%s4
    Identifies the field for entering the password.
    %s1 = frame name/number
    %s2 = form name/number
    %s3 = field name/number
    %s4 = field type (text/password)

PassPolicy = %s
    Identifies the password policy section to associate with this application logon configuration.
    %s = policy section name

QuietGenerator = %b
    When set, the agent handles password change requests automatically and does not inform the user that a request has been handled.
    %b = 0; do not use the quiet generator; use the standard password change process with user intervention (default)
    %b = 1; use the quiet generator

Section%d = %s
    Declaration of application subsections.
    %d = consecutive integers
    %s = subsection name

StrictURLCheck = %b
    Determines whether to require an exact (case-insensitive) URL match or to use substring matching.
    %b = 0; use substring matching (default)
    %b = 1; use precise matching

SubmitField = %s1,%s2,%s3,%s4
    Identifies the Submit button (or equivalent). The value is the frame name/number, form name/number, field name/number/URL, and field type. If the field type is image, the field name must be the entire, exact URL.
    Note: This entry is optional. If it is not specified, the agent uses its own internal search logic to locate and press the button.
    %s1 = frame name/number
    %s2 = form name/number
    %s3 = field name/number/URL
    %s4 = field type (submit/image)

Timeout = %d
    Maximum interval between successive logon attempts for which Error Loop detection triggers.
    %d = time in seconds (default: 30)

URL%d = %s
    The address(es) of a Web site's logon page(s).
    Note: If the web address contains spaces or special characters, use the URL quoting method of RFC 2396 to define it: substitute %20 for each space and the corresponding "%"-escaped ASCII hexadecimal value for every other character except the following: : / , . = ? @
    %d = consecutive integers starting with 1
    %s = Web URL

Web Application Keys for Section N subsection

These settings are used within subsections delineated by SectionN.

Example

[Corporate WebApp]
Section1=~Corporate Intranet Logon #1
Section2=~Corporate Intranet Logon #2
&
[~Corporate Intranet Logon #1]
(the keys below)

Web Application Keys (for description and acceptable values, see the parent section above):
IDField = %s1,%s2,%s3,%s4
NewPWField = %s1,%s2,%s3,%s4
NewPWField2 = %s1,%s2,%s3,%s4
OtherField1 = %s1,%s2,%s3,%s4
OtherField2 = %s1,%s2,%s3,%s4
ParentKey1 = %s
PassField = %s1,%s2,%s3,%s4
SubmitField = %s1,%s2,%s3,%s4
URL%d = %s
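An added example for the web keys above, not IBM's code: it percent-encodes a URL%d value the way the reference describes, applies StrictURLCheck matching, and resolves frame,form,field,type locators against a small page model. Because substring matching is the default, a configured logon URL also matches any address that merely contains it, such as a lookalike page that carries the real URL in a query parameter; the example shows that StrictURLCheck=1 rejects that address. The page model, the 0-based numbering of enumerated frames/forms/fields, the intranet.example.com and evil.test addresses, and the section values are constructed assumptions.

```python
"""Web application key helpers for TAM E-SSO (added example, not IBM code)."""
from urllib.parse import quote

# Characters the URL%d reference leaves unescaped, besides letters, digits
# and the unreserved marks Python's quote() already keeps (_ . - ~).
URL_SAFE = ":/,.=?@"


def encode_logon_url(url):
    """Percent-encode a URL%d value: spaces become %20, other specials %XX."""
    return quote(url, safe=URL_SAFE)


def url_matches(configured, actual, strict_url_check):
    """StrictURLCheck=1: exact, case-insensitive. 0 (default): substring."""
    c, a = configured.lower(), actual.lower()
    return c == a if strict_url_check else c in a


def parse_locator(value):
    """'frame,form,field,type' -> dict of the four components."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 4:
        raise ValueError(f"expected 4 components: {value!r}")
    return dict(zip(("frame", "form", "field", "type"), parts))


def _pick(items, ref):
    """All-digit ref = enumerated index (assumed 0-based); otherwise a name."""
    if ref.isdigit():
        idx = int(ref)
        return items[idx] if idx < len(items) else None
    return next((i for i in items if i.get("name") == ref), None)


def resolve_field(page, locator):
    """Return the field dict a locator points at, or None if it does not resolve."""
    frame = _pick(page["frames"], locator["frame"])
    form = _pick(frame["forms"], locator["form"]) if frame else None
    field = _pick(form["fields"], locator["field"]) if form else None
    if field is None or field["type"] != locator["type"]:
        return None
    return field


def audit_web_app(section, page):
    """Findings for one [*Other Webs] application section given as a dict."""
    findings = []
    if section.get("StrictURLCheck", "0") != "1":
        findings.append("substring-url-match")
    for key in ("IDField", "PassField", "NewPWField", "NewPWField2", "SubmitField"):
        if key not in section:
            continue
        loc = parse_locator(section[key])
        if resolve_field(page, loc) is None:
            findings.append(f"unresolved:{key}")
        if key not in ("IDField", "SubmitField") and loc["type"] != "password":
            findings.append(f"plaintext-field:{key}")  # secret typed into a visible field
    return findings


# Constructed page model standing in for the browser DOM the agent inspects.
SAMPLE_PAGE = {"frames": [{"name": "main", "forms": [
    {"name": "1234",  # all-digit form name: must be referenced by index
     "fields": [{"name": "user", "type": "text"},
                {"name": "pwd", "type": "password"},
                {"name": "go", "type": "submit"}]}]}]}

# Constructed [Corporate WebApp] section values.
SAMPLE_SECTION = {
    "URL1": encode_logon_url("https://intranet.example.com/login page.jsp?app=hr&lang=en"),
    "IDField": "main,0,user,text",
    "PassField": "main,0,pwd,password",
    "SubmitField": "main,0,go,submit",
}
```

`audit_web_app(SAMPLE_SECTION, SAMPLE_PAGE)` reports only the substring URL match; adding StrictURLCheck=1 to the section clears it. Note that the encoder follows the reference literally, so "&" in a query string is escaped as %26 because it is not in the exempt set.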

228 Introduction

Page 233: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides

Web Application Keys

These settings are used within applications delineated in the [*Other Webs] section.

Example

[*Mainframe]

Section1=Corporate Mainframe

&

[Corporate Mainframe]

(the keys below)

Web Application Keys Description Acceptable values

AllowReveal = %b Flag that enables or disables the

Reveal button for password in

Wizards and property pages.

%b = 0; disabled

%b = 1; enabled (default)

AutoOK = %b Flag instructs the agent to

automatically send Enter for this

application logon after insertion of

logon data.

%b = 0; disabled

%b = 1; enabled (default)

Chapter 4. SSO Administrative Console Reference Topics 229

Page 234: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides

CPWFlag = %d
    Determines the behavior of the Password Change Wizard, for specific applications, when a user encounters a password-change request. This key is specified in the application's root section, not in a password-change subsection.
    Note: This setting can also be set globally, for all applications, via the Registry value Extensions\AccessManager:CPWFlag (see Overriding Settings: Registry Values).
    %d = 1; prompts the user with the Password Change Wizard (default).
    %d = 2; prompts the user to manually enter a new password, but also offers to have the agent generate the password automatically.
    %d = 4; generates the new password automatically, but also offers the option of manually creating the new password.
    %d = 10; prompts the user to manually enter a new password, without offering automatic generation.
    %d = 12; generates the new password automatically, without offering manual entry.

Description = %s
    Text describing this application, also stored in the Description field in Logon Manager.
    %s = any string

ForceReauth = %b
    Force the user to reauthenticate before the agent provides credentials to this application.
    Note: Applies to all subsections; the user would have to reauthenticate multiple times in a multiple-section password change scenario.
    %b = 0; do not require reauthentication (default)
    %b = 1; require reauthentication

Group = %s
    Group section name that this application is a part of. Used when configuring Password Sharing Groups. Special values:
    LDAP: the application uses the LDAP Directory Server authenticator password.
    Domain: the application uses the Windows authenticator password.
    Note: The Windows Registry value Extensions\AccessManager:PWSEnable must be set to 1 to enable Groups (see Overriding Settings: Registry Values).
    %s = the section name of the application group that the application belongs to.

HideConfirmPW = %b
    Determines whether to hide the password confirmation field in the Logon Error dialog.
    %b = 0; do not hide the confirmation field (default)
    %b = 1; hide the confirmation field


IDField = %s1,%s2,%s3,%s4
    Identification of the field for entering a username/ID.
    Note: If a frame/form/field name consists solely of digits, the enumerated value must be used.
    %s1 = Frame name/number
    %s2 = Form name/number
    %s3 = Field name/number
    %s4 = Field type (text/password)

MaskPW = %b
    Determines whether to mask the password in the Logon Error dialog.
    %b = 0; do not mask the password
    %b = 1; mask the password (default)

MaxRetry = %d
    Determines the number of logon retries the agent makes before displaying the Logon Error dialog.
    %d = the number of retries (default: 1)

NewPWField = %s1,%s2,%s3,%s4
    Identification of the field for entering a new password.
    %s1 = Frame name/number; %s2 = Form name/number; %s3 = Field name/number; %s4 = Field type (text/password)

NewPWField2 = %s1,%s2,%s3,%s4
    Identification of the field for confirming a new password.
    %s1 = Frame name/number; %s2 = Form name/number; %s3 = Field name/number; %s4 = Field type (text/password)

OtherField1 = %s1,%s2,%s3,%s4
    Identification of the third logon field.
    %s1 = Frame name/number; %s2 = Form name/number; %s3 = Field name/number; %s4 = Field type (text/password)

OtherField2 = %s1,%s2,%s3,%s4
    Identification of the fourth logon field.
    %s1 = Frame name/number; %s2 = Form name/number; %s3 = Field name/number; %s4 = Field type (text/password)

OtherLabel1 = %s
    The label presented within the agent for a third logon field.
    %s = text string

OtherLabel2 = %s
    The label presented within the agent for a fourth logon field.
    %s = text string

ParentKey1 = %s
    Maps a subsection to its parent section.
    %s = parent application/section name

PassField = %s1,%s2,%s3,%s4
    Identification of the field for entering the password.
    %s1 = Frame name/number; %s2 = Form name/number; %s3 = Field name/number; %s4 = Field type (text/password)

PassPolicy = %s
    Identifies which password policy section to associate with this application logon configuration.
    %s = Policy Section Name


QuietGenerator = %b
    When set, this flag instructs the agent to handle password change requests automatically and not inform the user that a password change request has been handled.
    %b = 0; do not use the quiet generator; use the standard password change process with user intervention (default)
    %b = 1; use the quiet generator

Section%d = %s
    Declaration of application subsections.
    %d = consecutive integers
    %s = subsection name

StrictURLCheck = %b
    Determines whether to require an exact (case-insensitive) URL match or to use substring matching.
    %b = 0; use substring matching (default)
    %b = 1; use precise matching

SubmitField = %s1,%s2,%s3,%s4
    Identification of the Submit button (or equivalent). The value format is frame name/number, form name/number, field name/number/URL, and field type. If the field type is image, the field name must be the entire/exact URL of the image.
    Note: This entry is optional. If not specified, the agent uses its own internal search logic to locate and press this button.
    %s1 = Frame name/number
    %s2 = Form name/number
    %s3 = Field name/number/URL
    %s4 = Field type (submit/image)

Timeout = %d
    Determines the maximum time period between successive logon attempts that will trigger Error Loop detection.
    %d = amount of time in seconds (default: 30)

URL%d = %s
    The address(es) of a Web site's logon page(s).
    Note: If the web address contains spaces or special characters, use the URL quoting method (RFC 2396) to define the web address: substitute %20 for each space in the URL and the corresponding "%"-escaped ASCII hexadecimal value for every other special character, except the following: : / , . = ? @
    %d = consecutive integers starting with 1
    %s = Web URL

Web Application Keys for Section N subsection

These settings are used within subsections delineated by SectionN.

Example

[Corporate WebApp]
Section1=~Corporate Intranet Logon #1
Section2=~Corporate Intranet Logon #2

&

[~Corporate Intranet Logon #1]
(the keys below)

Key                               Description / Acceptable values
IDField = %s1,%s2,%s3,%s4         See the parent section, above.
NewPWField = %s1,%s2,%s3,%s4      See the parent section, above.
NewPWField2 = %s1,%s2,%s3,%s4     See the parent section, above.
OtherField1 = %s1,%s2,%s3,%s4     See the parent section, above.
OtherField2 = %s1,%s2,%s3,%s4     See the parent section, above.
ParentKey1 = %s                   See the parent section, above.
PassField = %s1,%s2,%s3,%s4       See the parent section, above.
SubmitField = %s1,%s2,%s3,%s4     See the parent section, above.
URL%d = %s                        See the parent section, above.
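The Python script below is an added example; it is not code from this reference or from the product. It loads a constructed entlist.ini fragment laid out the way the Web Application Keys and Section N subsection tables describe, checks the SectionN/ParentKey1 links and the four-part field tuples, applies the RFC 2396 quoting the URL%d note calls for, and resolves a browser URL to the matching subsection under both StrictURLCheck modes. The section and field names, the intranet.example.com URLs, and any validation rule beyond what the tables state (for example, that an image SubmitField must start with http:// or https://) are this example's assumptions.

```python
import configparser
import re
from urllib.parse import quote

# Constructed entlist.ini fragment (example data, not a configuration shipped with the
# product): the application-type section [*Other Webs] declares root sections through
# SectionN, a root section declares its subsections the same way, and every subsection
# points back at its root through ParentKey1.
ENTLIST_INI = """\
[*Other Webs]
Section1=Corporate WebApp

[Corporate WebApp]
Description=Corporate intranet (constructed example)
StrictURLCheck=0
PassPolicy=A policy
MaxRetry=1
Timeout=30
Section1=~Corporate Intranet Logon #1
Section2=~Corporate Intranet Logon #2

[~Corporate Intranet Logon #1]
ParentKey1=Corporate WebApp
URL1=https://intranet.example.com/login
IDField=0,loginForm,username,text
PassField=0,loginForm,password,password
SubmitField=0,loginForm,https://intranet.example.com/img/go.gif,image

[~Corporate Intranet Logon #2]
ParentKey1=Corporate WebApp
URL1=https://intranet.example.com/pwchange
IDField=0,pwForm,username,text
PassField=0,pwForm,oldpw,password
NewPWField=0,pwForm,newpw,password
NewPWField2=0,pwForm,confirm,password
"""

FIELD_KEYS = ("IDField", "PassField", "NewPWField", "NewPWField2", "OtherField1", "OtherField2")
FIELD_TYPES = {"text", "password"}
SUBMIT_TYPES = {"submit", "image"}
URL_SAFE = ":/,.=?@"  # the characters the URL%d note says are never %-escaped


def load_entlist(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: IDField, not idfield
    cp.read_string(text)
    return cp


def section_numbers(cp, name):
    """SectionN values of a section in order; N must be consecutive integers starting at 1."""
    pairs = sorted((int(k[7:]), v) for k, v in cp[name].items() if re.fullmatch(r"Section\d+", k))
    if [n for n, _ in pairs] != list(range(1, len(pairs) + 1)):
        raise ValueError(f"[{name}]: SectionN must be consecutive integers starting at 1")
    return [v for _, v in pairs]


def check_field(value, types):
    """Validate a frame,form,field,type tuple (IDField, PassField, SubmitField, ...)."""
    parts = value.split(",")
    if len(parts) != 4:
        return f"expected 4 comma-separated parts, got {len(parts)}"
    if parts[3] not in types:
        return f"field type {parts[3]!r} must be one of {sorted(types)}"
    if parts[3] == "image" and not parts[2].startswith(("http://", "https://")):
        return "an image submit field must name the entire URL of the image"  # assumed check
    return None


def validate(cp, app_type="*Other Webs"):
    """Problems in the application-type section, its root sections and their subsections."""
    problems = []
    for root in section_numbers(cp, app_type):
        if root not in cp:
            problems.append(f"[{app_type}] declares missing section [{root}]")
            continue
        for sub in section_numbers(cp, root):
            if sub not in cp:
                problems.append(f"[{root}] declares missing subsection [{sub}]")
                continue
            if cp[sub].get("ParentKey1") != root:
                problems.append(f"[{sub}] ParentKey1 must be {root!r}")
            for key in FIELD_KEYS + ("SubmitField",):
                if key in cp[sub]:
                    err = check_field(cp[sub][key], SUBMIT_TYPES if key == "SubmitField" else FIELD_TYPES)
                    if err:
                        problems.append(f"[{sub}] {key}: {err}")
    return problems


def quote_url(url):
    """URL%d quoting as the note describes: spaces become %20 and other special characters are
    %XX-escaped, while : / , . = ? @ (and unreserved alphanumerics) are left as they are."""
    return quote(url, safe=URL_SAFE)


def url_matches(configured, actual, strict):
    """StrictURLCheck=1: exact, case-insensitive match; StrictURLCheck=0 (default): substring."""
    configured, actual = configured.lower(), actual.lower()
    return configured == actual if strict else configured in actual


def find_logon(cp, actual_url, app_type="*Other Webs"):
    """(root, subsection) whose URL%d matches actual_url, honouring the root's StrictURLCheck."""
    for root in section_numbers(cp, app_type):
        strict = cp[root].get("StrictURLCheck", "0") == "1"
        for sub in section_numbers(cp, root):
            for key, url in cp[sub].items():
                if re.fullmatch(r"URL\d+", key) and url_matches(url, actual_url, strict):
                    return root, sub
    return None
```

With the default StrictURLCheck=0, any page whose address merely contains the configured string is treated as the logon page, so the agent will also offer credentials there; where credentials must only ever reach one exact page, set StrictURLCheck=1 or configure the full URL.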

Password Policy Keys

These settings are used within subsections delineated by SectionN in the [*PasswordPolicies] section.

Example

[*PasswordPolicies]
Section1=A policy
Section2=PIN
Section3=Windows

&

[A policy]
(the keys below)


Key, description, and acceptable values:

ALPHA = %s
    Flag instructing the agent to use alphabetic characters when generating a password.
    %s = U; use upper case alphabetic characters only
    %s = L; use lower case alphabetic characters only
    %s = UL; use upper and lower case characters (default)
    %s = (nothing); use no alphabetic characters

NAME = %s
    Descriptive name of this password policy.
    %s = any string

NUMCONSMAX = %d
    Number of times a character can be adjacent to itself.
    %d = 0 - 127 (default: 8)

NUMERIC = %b
    Flag instructing the agent to use numeric characters when generating a password.
    %b = 0; do not use numeric characters (default)
    %b = 1; use numeric characters

NUMFLAGFIRST = %b
    Flag indicating whether a numeric character can start a password.
    %b = 0; a numeric character cannot start the password (default)
    %b = 1; a numeric character can start the password

NUMFLAGLAST = %b
    Flag indicating whether a numeric character can end a password.
    %b = 0; a numeric character cannot end the password (default)
    %b = 1; a numeric character can end the password

NUMRPTMAX = %d
    Number of times a character can be repeated in a password.
    %d = 0 - 127 (default: 8)

NUMSIZE = %d
    Maximum number of numeric characters.
    %d = 0 - 128 (default: 0)

NUMSIZEMIN = %d
    Minimum number of numeric characters.
    %d = 0 - 128 (default: 0)

SBYE = %s
    List of special characters to exclude when generating this password.
    %s = any string of special characters to exclude, such as: !@#$
    The Windows registry value that holds the list of special characters normally used, any of which can be excluded here, is Extensions\AccessManager:SpecialChars.

SCHARFLAGFIRST = %b
    Flag specifying whether a special character can start a password.
    %b = 0; a special character cannot start the password (default)
    %b = 1; a special character can start the password

SCHARFLAGLAST = %b
    Flag specifying whether a special character can end a password.
    %b = 0; a special character cannot end the password (default)
    %b = 1; a special character can end the password


SCHARS = %b
    Flag instructing the agent to use special characters when generating a password.
    %b = 0; do not use special characters (default)
    %b = 1; use special characters

SCHARSIZE = %d
    Maximum number of special characters.
    %d = 0 - 128 (default: 0)

SCHARSIZEMIN = %d
    Minimum number of special characters.
    %d = 0 - 128 (default: 0)

SIZE = %d
    Maximum total length of a password.
    %d = 1 - 255 (default: 8)

SIZEMIN = %d
    Minimum total length of a password.
    %d = 1 - 255 (default: 8)
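As an added example (not the product's own generator), the Python below reads a policy section as a dictionary of the keys above, checks a password against every rule, and generates a password that passes, using the default character classes that the Global Agent Settings registry values list (LowerAlphaChars, UpperAlphaChars, NumericChars, SpecialChars). The [A policy] values are constructed; how NUMRPTMAX and NUMCONSMAX are counted is this example's reading of the key descriptions.

```python
import secrets

# Character classes: the defaults of the LowerAlphaChars, UpperAlphaChars,
# NumericChars and SpecialChars registry values.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
NUMERIC = "1234567890"
SPECIAL = "!@#$^&*_-+=[]\\|,?"

# Defaults from the Password Policy Keys table; a policy section only needs the keys it changes.
DEFAULTS = {"ALPHA": "UL", "NUMERIC": "0", "SCHARS": "0", "SBYE": "", "SIZEMIN": "8", "SIZE": "8",
            "NUMSIZEMIN": "0", "NUMSIZE": "0", "SCHARSIZEMIN": "0", "SCHARSIZE": "0",
            "NUMFLAGFIRST": "0", "NUMFLAGLAST": "0", "SCHARFLAGFIRST": "0", "SCHARFLAGLAST": "0",
            "NUMRPTMAX": "8", "NUMCONSMAX": "8"}

# Constructed [A policy] section (example data, not a policy shipped with the product).
A_POLICY = {"NAME": "A policy", "ALPHA": "UL", "NUMERIC": "1", "SCHARS": "1", "SBYE": "[]\\|,",
            "SIZEMIN": "10", "SIZE": "14", "NUMSIZEMIN": "2", "NUMSIZE": "4",
            "SCHARSIZEMIN": "1", "SCHARSIZE": "2", "NUMFLAGLAST": "1",
            "NUMRPTMAX": "2", "NUMCONSMAX": "1"}


def classes(policy):
    """Merge the defaults in and return (policy, alphabetic, numeric, special) character sets."""
    p = {**DEFAULTS, **policy}
    alpha = (UPPER if "U" in p["ALPHA"].upper() else "") + (LOWER if "L" in p["ALPHA"].upper() else "")
    nums = NUMERIC if p["NUMERIC"] == "1" else ""
    specials = "".join(c for c in SPECIAL if c not in p["SBYE"]) if p["SCHARS"] == "1" else ""
    return p, alpha, nums, specials


def violations(password, policy):
    """Rules of the policy that `password` breaks (an empty list means compliant).
    Assumed readings: NUMRPTMAX is the most times any one character may occur in the
    password, NUMCONSMAX is the longest run of one character adjacent to itself."""
    p, alpha, nums, specials = classes(policy)
    allowed = alpha + nums + specials
    broken = []
    if not int(p["SIZEMIN"]) <= len(password) <= int(p["SIZE"]):
        broken.append("length")
    if any(c not in allowed for c in password):
        broken.append("character class")
    if not int(p["NUMSIZEMIN"]) <= sum(c in nums for c in password) <= int(p["NUMSIZE"]):
        broken.append("numeric count")
    if not int(p["SCHARSIZEMIN"]) <= sum(c in specials for c in password) <= int(p["SCHARSIZE"]):
        broken.append("special count")
    if password:
        first, last = password[0], password[-1]
        if first in nums and p["NUMFLAGFIRST"] != "1":
            broken.append("numeric first")
        if last in nums and p["NUMFLAGLAST"] != "1":
            broken.append("numeric last")
        if first in specials and p["SCHARFLAGFIRST"] != "1":
            broken.append("special first")
        if last in specials and p["SCHARFLAGLAST"] != "1":
            broken.append("special last")
    if any(password.count(c) > int(p["NUMRPTMAX"]) for c in set(password)):
        broken.append("repeat max")
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run > int(p["NUMCONSMAX"]):
            broken.append("consecutive max")
            break
    return broken


def generate(policy, rng=None, attempts=10_000):
    """Generate a compliant password: draw a length and per-class counts inside the policy's
    bounds from a CSPRNG, shuffle, and keep only candidates that pass violations()."""
    rng = rng or secrets.SystemRandom()
    p, alpha, nums, specials = classes(policy)
    for _ in range(attempts):
        length = rng.randint(int(p["SIZEMIN"]), int(p["SIZE"]))
        n_num = rng.randint(int(p["NUMSIZEMIN"]), int(p["NUMSIZE"])) if nums else 0
        n_spc = rng.randint(int(p["SCHARSIZEMIN"]), int(p["SCHARSIZE"])) if specials else 0
        n_alpha = length - n_num - n_spc
        if n_alpha < 0 or (n_alpha and not alpha):
            continue
        chars = [rng.choice(alpha) for _ in range(n_alpha)]
        chars += [rng.choice(nums) for _ in range(n_num)]
        chars += [rng.choice(specials) for _ in range(n_spc)]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not violations(candidate, policy):
            return candidate
    raise ValueError(f"no password satisfies policy {p.get('NAME', '?')!r}")
```

A policy that cannot be satisfied (for example ALPHA empty with NUMERIC and SCHARS both 0, or NUMSIZEMIN above NUMSIZE) makes generate() fail rather than silently produce a weaker password; check new policies this way before assigning them through PassPolicy.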


Global Agent Settings

Various functions and behaviors of TAM E-SSO can be centrally defined by using the Settings dialog, by setting Windows registry settings on the local workstation, and by specifying Administrative Overrides via a Synchronizer extension. Note: Configure these settings in the Administrative Console. The table is provided only for reference.

Registry settings can be set by the agent, by the Administrative Console, with the RegEdit Windows utility, and via a centrally managed software distribution mechanism. Registry settings are found in the following Windows Registry locations:

- HKLM\ ... \ for computer-specific settings
- HKCU\ ... \ for user-specific settings

Administrative Override objects from Synchronizer extensions specify settings that override the HKLM\ ... \ Windows Registry settings, which in turn override the HKCU\ ... \ Windows Registry settings.

Example:

The Synchronizer extension object
    Extensions\AccessManager:MFEnable=DWORD:0
overrides the computer-specific Registry location (HKLM\ ... \)
    HKLM\ ... \Extensions\AccessManager:MFEnable
which in turn overrides the user-specific Registry location (HKCU\ ... \), that is, the user's Mainframe Enable setting in the TAM E-SSO Settings dialog
    HKCU\ ... \Extensions\AccessManager:MFEnable
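An added example, not product code, of the precedence just described: it parses Administrative Override objects written in the same form as the one above, resolves a setting through the override, HKLM and HKCU layers in that order, and reports which security-relevant settings are pinned by nothing above the user-writable HKCU layer. The registry layers are modelled as dictionaries keyed by path and value name, leaving out the truncated HKLM\ ... \ and HKCU\ ... \ roots; the list of settings it audits and their defaults are taken from the table below, but the selection is this example's choice.

```python
import re

# One Administrative Override object, in the form the example above uses:
#   <registry path>:<value name>=<TYPE>:<data>    e.g. Extensions\AccessManager:MFEnable=DWORD:0
OVERRIDE_RE = re.compile(
    r"^(?P<path>[^:=]+):(?P<name>[^=]+)=(?P<type>DWORD|STRING|BINARY):(?P<data>.*)$", re.IGNORECASE)


def parse_override(obj):
    """Split one override object into ((path, name), typed value)."""
    m = OVERRIDE_RE.match(obj)
    if not m:
        raise ValueError(f"not an override object: {obj!r}")
    kind, data = m["type"].upper(), m["data"]
    if kind == "DWORD":
        value = int(data, 0)          # "0", "1", "0x1f" ...
    elif kind == "BINARY":
        value = bytes.fromhex(data)
    else:
        value = data
    return (m["path"], m["name"]), value


def parse_overrides(objs):
    return dict(parse_override(o) for o in objs)


LAYERS = ("Synchronizer override", "HKLM", "HKCU")


def effective(setting, overrides, hklm, hkcu, default=None):
    """Resolve one (path, name) setting: override > HKLM > HKCU > product default.
    Returns (value, name of the layer that supplied it)."""
    for layer_name, layer in zip(LAYERS, (overrides, hklm, hkcu)):
        if setting in layer:
            return layer[setting], layer_name
    return default, "default"


# Settings from the reference table whose effective value shapes the security posture, with the
# product defaults the table lists. The selection is this example's, not the product's.
SECURITY_SETTINGS = {
    ("Extensions\\AccessManager", "AllowUnknown"): 1,        # 0 limits users to predefined applications
    ("Shell", "AllowShutdown"): 1,                            # 0 removes Shut Down from the tray menu
    ("Extensions\\StorageManager\\InMemShr", "LocalStorage"): 1,
    ("Extensions\\AccessManager", "MFEnable"): 1,
}


def user_changeable(overrides, hklm, hkcu):
    """Value names of security settings whose effective value comes from HKCU or the default:
    nothing above the user-writable layer pins them, so the user's Settings dialog can change them."""
    loose = []
    for setting, default in SECURITY_SETTINGS.items():
        _, layer = effective(setting, overrides, hklm, hkcu, default)
        if layer in ("HKCU", "default"):
            loose.append(setting[1])
    return loose
```

The check matters because an HKCU value is what the user's own Settings dialog writes: a setting that is meant to be mandatory, such as AllowUnknown=0 or AllowShutdown=0, only holds if it is supplied from HKLM or from a Synchronizer override.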


Overriding Settings: Registry Values


In the table below, each registry setting is listed with (where applicable):

- The Display Path (the node in the Console's left pane navigator) and Display Name (the setting in the right pane property sheet).
- The actual registry path and value name, and a description of the setting, its options and its default (the actual value and its definition).
- The Registry Type (DWORD, String, or Binary) and Data Type.

Each entry is laid out as:

Registry path:value name  (Display Path > Display Name)
    Description.
    Options. Default: value. Type: registry type [data type].

Shell:ShowTrayIcon  (End-User Experience > Show the Tray Icon)
    Whether to show the Tray Icon.
    0 Do not show; 1 Show. Default: 1. Type: dword.

Shell:ShowAccessBtn  (End-User Experience > Title Bar Button)
    Whether to show the Title Bar Button on window/dialog title bars.
    0 Do not show; 1 Show. Default: 0. Type: dword.

Shell:ShowAccessBtnMenu  (End-User Experience > Title Bar Button Menu)
    Whether to show the menu from the Title Bar Button.
    0 Do not show; 1 Show. Default: 1. Type: dword.

Shell:TrayIconName  (End-User Experience > Tray Icon tooltip)
    Text to show in the Tray Icon label. (Recommended use: labeling each Citrix Metaframe/Terminal Services/Remote server/session.)
    Default: v-GO Single Sign-On. Type: string [string].


Shell:TrayIconDisplaySysName  (End-User Experience > Tray Icon tooltip: Show System Name)
    Whether to show the computer name after the Tray Icon name. A space-dash-space string is inserted before the computer name, whether TrayIconName is unset or set to a non-empty value.
    0 Do not show; 1 Show. Default: 0. Type: dword.

Shell:AutoLogonAnimationTime  (End-User Experience\Advanced > Logon Animation's duration)
    Time (in milliseconds) the animated spinner appears (pausing response). Note: A value of 0 disables the spinner.
    Default: 0. Type: dword [int].

Extensions\AccessManager\LogonChooser:Columns  (End-User Experience\Advanced > Logon Chooser Columns)
    Order of columns displayed in Logon Chooser.
    1 Username/ID; 2 Application Name; 3 Description. Default: 1,2,3. Type: string.

Extensions\AccessManager\LogonManager:Columns  (End-User Experience\Advanced > Logon Manager "Details" Columns)
    Columns to display, and their order, in the Logon Manager "Details" view.
    1 Application Name; 2 URL/Module; 3 Username/ID; 4 Password; 5 Modified; 6 Last Used; 7 Description; 8 Group; 9 Third Field; 10 Fourth Field. Default: 1,2,3,4,5,6,7,8. Type: string.


Extensions\AccessManager:AllowRefresh  (End-User Experience\Advanced > Logon Manager Refresh button)
    Enable/disable the Logon Manager Refresh button.
    0 Disable; 1 Enable. Default: 1. Type: dword.

Shell:AllowShutdown  (End-User Experience\Advanced > User can shut down TAM E-SSO from the System Tray Icon Menu)
    When enabled (default), the end user can shut down the Agent by selecting "Shut Down" from the System Tray Icon menu. When disabled, this menu item is unavailable (greyed out).
    0 Do not allow shutdown from the menu; 1 Allow shutdown from the menu. Default: 1. Type: dword.

Extensions\StorageManager\InMemShr:ThreadPriority  (End-User Experience\Advanced\Performance > Increase user data storage priority)
    Increase the processing priority for storing changes to user data (e.g., credentials). Set to Increase only if the workstation's CPU typically runs at 100% usage.
    1 Increase processing priority; 0 Do not increase processing priority. Default: 0. Type: dword.

Extensions\StorageManager\InMemShr:IntitialThreadDelay  (End-User Experience\Advanced\Performance > Set delay for first update (after startup) to stored user data (ms))
    Interval (in milliseconds) to wait after v-GO starts up before writing changes in user data (e.g., credentials) to the internal database.
    Default: 5000. Type: dword [int].


Extensions\StorageManager\InMemShr:ThreadDelay  (End-User Experience\Advanced\Performance > Set delay for storing user data (ms))
    Interval (in milliseconds) to wait before writing changes in user data (e.g., credentials) to the internal database.
    Default: 500. Type: dword [int].

Extensions\StorageManager\InMemShr:LocalStorage  (End-User Experience\Advanced\Performance > Store user data on disk in encrypted file)
    Store a copy of user data (e.g., credentials) locally in an encrypted database file in each user's Application Data folder.
    1 Store user data in a disk file; 0 Do not store user data in a disk file. Default: 1. Type: dword.

Shell\Tasks:StartupTaskN  (End-User Experience\Advanced\Special Tasks > After Agent starts up)
    Command(s) that run every time the background task starts (the Tray Icon appears).
    Default: none. Type: string.

Shell\Tasks:PreTaskN  (End-User Experience\Advanced\Special Tasks > Before Agent starts)
    Command(s) that run before any agent process starts. Note: The agent will not continue if any of these tasks fail (as indicated by the resultant registry value located at License:PreCheck).
    Default: none. Type: string.

Shell\Tasks:DeletionTaskN  (End-User Experience\Advanced\Special Tasks > When logons are deleted)
    Command(s) that run every time a user deletes an application configuration.
    Default: none. Type: string.


Shell\Tasks:RefreshTaskN  (End-User Experience\Advanced\Special Tasks > When logons change (add, delete, copy, modify))
    Command(s) that run every time credentials and user configurations are modified.
    Default: none. Type: string.

Shell:AutoBackupPath  (End-User Experience\Environment > Default Backup path)
    Default backup path for silent backup. If this is not present and not specified on the command line, the user's application data directory (%AppData%\SSO) is used.
    Default: none. Type: string [filename].

[Root]:Language  (End-User Experience\Environment > Language)
    Language to be used. Note: Other values may be acceptable in localized versions. Note: The display font should support the desired characters in the specified language.
    ENG English. Default: ENG. Type: string.

Extensions\AccessManager:EntList  (End-User Experience\Environment > Location of entlist.ini file)
    Fully qualified path and filename of the entlist.ini file.
    Default: none. Type: string [filename].


[Root]:SubLanguage  (End-User Experience\Environment > SubLanguage)
    Language settings for the language set by Language. Note: Other values may be acceptable in localized versions. Note: The display font should support the desired characters in the specified language.
    ENG Default support; DBL Extended support. Default: ENG. Type: string.

Extensions\AccessManager:AllowExcludePWSG  (End-User Experience\Password Change\Advanced > Allow user to exclude logons from password groups)
    Allows the end user to exclude application logons from an assigned password sharing group.
    0 Do not allow; 1 Allow. Default: 0. Type: dword.

AUI:ShareToAuth  (End-User Experience\Password Change\Advanced > Notify Primary Logon Method)
    Support Password Sharing back to the current Authenticator when a credential in its share group is changed. Note: Currently supported only for Windows Authenticator v2 and LDAP Authenticator v2. Note: Since the user will not be made aware of the new password, automatic password generation is not advised for password changes of applications in the share group.
    0 Do not notify the Authenticator; 1 Notify the Authenticator. Default: 0. Type: dword.


Extensions\AccessManager:QuietGenerator  (End-User Experience\Password Change\Advanced > Quietly Change Passwords)
    Whether to inform the user about a password change.
    0 Inform the user; 1 Do not inform the user. Default: 0. Type: dword.

Extensions\AccessManager:LowerAlphaChars  (End-User Experience\Password Change\Change Policies > Characters: Lowercase)
    List of characters allowed as "Lowercase Alphabet" characters in password policies.
    Default: abcdefghijklmnopqrstuvwxyz. Type: string [UniqueChars].

Extensions\AccessManager:NumericChars  (End-User Experience\Password Change\Change Policies > Characters: Numeric)
    List of characters allowed as "Numeric" characters in password policies.
    Default: 1234567890. Type: string [UniqueChars].

Extensions\AccessManager:SpecialChars  (End-User Experience\Password Change\Change Policies > Characters: Special)
    List of characters allowed as "Special" characters in password policies.
    Default: !@#$^&*_-+=[]\|,?  Type: string [UniqueChars].

Extensions\AccessManager:UpperAlphaChars  (End-User Experience\Password Change\Change Policies > Characters: Uppercase)
    List of characters allowed as "Uppercase Alphabet" characters in password policies.
    Default: ABCDEFGHIJKLMNOPQRSTUVWXYZ. Type: string [UniqueChars].


Extensions\AccessManager:DefaultPolicy  (End-User Experience\Password Change\Change Policies > Default Policy)
    Name of the section in entlist.ini that contains the default password policy. (If no policy is specified in entlist.ini, the default policy in applist.ini is used.)
    Default: none. Type: string [PasswordPolicy].

Extensions\AccessManager:CPWFlag  (End-User Experience\Password Change\Common > Default Change Password Wizard behavior)
    Determines the behavior of the Password Change Wizard when a user encounters a password-change request.
    1 Prompt; 2 Manual, offer auto; 4 Auto, offer manual; 10 Manual only; 12 Auto only. Default: 1. Type: dword.


Extensions\AccessManager:PWSEnable  (End-User Experience\Password Change\Required > Password Groups)
    Enable/disable password sharing between credentials in a group. (If this setting is not enabled, Password Sharing Groups are not used.) Note: If using the Domain group and Windows Authenticator v2 is to be included in the group, do not disable AUI\Windows Authenticator v2:PWSEnable. Note: If using the LDAP group and LDAP Authenticator v2 is to be included in the group, do not disable AUI\LDAP Authenticator v2:PWSEnable.
    0 Disabled; 1 Enabled. Default: 0. Type: dword.

Shell:UseActiveLogin  (End-User Experience\Response > Automatically logon to applications)
    Whether to automatically provide credentials to applications.
    0 Do not automatically provide credentials; 1 Automatically provide credentials. Default: 1. Type: dword.

Extensions\AccessManager:ShowAddAdditionalLogon  (End-User Experience\Response > Display "Add another logon" checkbox)
    Enable/disable display of the "Add another logon" checkbox in the Add Wizard.
    0 Disable; 1 Enable. Default: 0. Type: dword.


Extensions\AccessManager:AllowUnknown  (End-User Experience\Response > Limit user to predefined applications)
    Whether to allow the user to add credentials for applications that are not predefined.
    0 Limit; 1 Do not limit. Default: 1. Type: dword.

Shell:LogonOnStartup  (End-User Experience\Response > Logon to waiting applications upon agent startup)
    Enable the agent, at startup, to submit credentials to a Windows or Java application that has already presented its logon form. Note: Web and host/mainframe application logons are not affected by this setting.
    0 Do not logon; 1 Logon at startup. Default: 0. Type: dword.

Shell:UseAutoSense  (End-User Experience\Response > Prompt user to add new logons)
    Whether to prompt the user, asking if the user wants to add a logon, when a new application is detected.
    0 Do not prompt; 1 Prompt. Default: 1. Type: dword.

Extensions\AccessManage:MaxAppletLoadTime  (End-User Experience\Response > Time allowed for Java applets to load)
    Maximum time (in seconds) that the Agent waits for a Java applet to be fully loaded in the browser.
    Default: 6. Type: dword [int].


Extensions\AccessManager:LogonAfterConfig  (End-User Experience\Response > Utilize the just-added Logon)
    Whether to logon to an application after configuring it (adding its credentials). Note: Overridden by the application configuration-specific setting.
    0 Do not logon; 1 Logon. Default: 1. Type: dword.

Extensions\AccessManager\Dlg:MaxRetry  (End-User Experience\Response\Error Loop > Maximum retries before prompting)
    Number of logon retries before displaying the Error Loop dialog. Note: Overridden by application-type and application configuration-specific settings. Note: This applies to each set of credentials.
    Default: 1. Type: dword [int].

Extensions\AccessManager\Dlg:Timeout  (End-User Exper  ience\Response\Error Loop > Maximum time for retries before prompting)
    Maximum seconds for all successive logon attempts before the Error Loop dialog appears. Note: Overridden by application-type and application configuration-specific settings. Note: This applies to each set of credentials.
    Default: 30. Type: dword [int].


Extensions\AccessManager\Dlg:HideConfirmPW  (End-User Experience\Response\Error Loop > Require password confirmation when modifying password)
    Whether to display the Confirm Password field in the Logon Error dialog; the default is to require password confirmation. Note: Overridden by application-type and application configuration-specific settings.
    0 Require; 1 Do not require. Default: 0. Type: dword.

Extensions\AccessManager:MFEnable  (End-User Experience\Response\Host/Mainframe Apps > Host/Mainframe support)
    Enable/disable host/mainframe support.
    0 Disable; 1 Enable. Default: 1. Type: dword.

Extensions\AccessManager\MHO:CycleInterval  (End-User Experience\Response\Host/Mainframe Apps > Polling Interval)
    Interval (in milliseconds) between checks of the host emulator for changes. Lower values can use more CPU time; higher values can increase the time between when a screen appears and when the agent provides credentials.
    Default: 700. Type: dword [int].

Extensions\AccessManager\Dlg:MainframeMaxRetry  (End-User Experience\Response\Host/Mainframe Apps\Error Loop > Maximum retries before prompting)
    Controls the number of logon retries for host/mainframe logons.
    Default: 1. Type: dword [int].


End-User Experience\Response\Host/Mainframe Apps\Error Loop
  Setting: Maximum time for retries before prompting
  Registry key: Extensions\AccessManager\Dlg:MainframeTimeout
  Description: Controls the timeout for mainframe. The default is 30 seconds.
  Default: 30 (dword, int)

End-User Experience\Response\Host/Mainframe Apps\Error Loop
  Setting: Require password confirmation when modifying password
  Registry key: Extensions\AccessManager\Dlg:MainframeHideConfirmPW
  Description: Indicate whether to display the Confirm Password field in the Logon Error dialog for host/mainframe logons; the default is to Require password confirmation.
  Values: 0 = Require; 1 = Do not require
  Default: 0 (dword)

End-User Experience\Response\Web Apps
  Setting: Border Appearance
  Registry key: Extensions\AccessManager\BHO:FeedbackColor
  Description: Default border color/size/style.
  Default: red 6px solid (string, string)

End-User Experience\Response\Web Apps
  Setting: Show Border
  Registry key: Extensions\AccessManager\BHO:ShowBorder
  Description: Enable/disable the border around fields.
  Values: 0 = Disable; 1 = Enable
  Default: 1 (dword)

End-User Experience\Response\Web Apps
  Setting: URL Matching Precision
  Registry key: Extensions\AccessManager:DNLevelsToMatch
  Description: Number of levels of the URL that is used as the matching criteria. Note: Values below 2 are treated as 2. For the Web URL http://mail.Passlogix.com: 2 = match to *Passlogix.com; 3 = match to *mail.Passlogix.com.
  Default: 2 (dword, int)
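The DNLevelsToMatch rule above, worked through in Python as an added illustration (this code is not from the IBM manual). The function names, the leading "*" notation and the idea of comparing a stored logon's URL against the current page's URL are my own; the "values below 2 are treated as 2" clamp and the two example patterns come from the entry.

```python
from urllib.parse import urlsplit

MIN_LEVELS = 2  # the manual states that values below 2 are treated as 2


def host_of(url: str) -> str:
    """Host name part of a URL with any user-info and port removed.

    urlsplit(...).hostname is avoided on purpose because it lower-cases the
    name; the manual's example keeps the original case (*Passlogix.com).
    """
    netloc = urlsplit(url).netloc
    netloc = netloc.rsplit("@", 1)[-1]   # drop user:password@ if present
    return netloc.split(":", 1)[0]       # drop :port (also a bare trailing ':')


def url_match_pattern(url: str, dn_levels: int) -> str:
    """Wildcard pattern that DNLevelsToMatch=dn_levels reduces a URL to.

    Only the last dn_levels labels of the host name take part in matching,
    e.g. 2 -> "*Passlogix.com", 3 -> "*mail.Passlogix.com".
    """
    levels = max(int(dn_levels), MIN_LEVELS)
    labels = host_of(url).split(".")
    return "*" + ".".join(labels[-levels:])


def urls_match(url_a: str, url_b: str, dn_levels: int) -> bool:
    """True when the agent would treat both URLs as the same logon target.

    Host names are compared case-insensitively (DNS labels are case-insensitive).
    With the default of 2, every host under the same domain matches, so a
    credential stored for one host is offered to all of them.
    """
    a = url_match_pattern(url_a, dn_levels).lower()
    b = url_match_pattern(url_b, dn_levels).lower()
    return a == b


if __name__ == "__main__":
    # Constructed sample URLs, not from the manual.
    stored = "https://mail.Passlogix.com/owa/"
    for candidate in ("https://mail.Passlogix.com/login",
                      "https://intranet.Passlogix.com/"):
        for levels in (2, 3):
            print(f"levels={levels} {candidate}: {urls_match(stored, candidate, levels)}")
```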

End-User Experience\Response\Web Apps\Error Loop
  Setting: Maximum retries before prompting
  Registry key: Extensions\AccessManager\Dlg:WebMaxRetry
  Description: Controls the retry for web. The default value is 1.
  Default: 1 (dword, int)


End-User Experience\Response\Web Apps\Error Loop
  Setting: Maximum time for retries before prompting
  Registry key: Extensions\AccessManager\Dlg:WebTimeout
  Description: Controls the timeout for web. The default is 30 seconds.
  Default: 30 (dword, int)

End-User Experience\Response\Web Apps\Error Loop
  Setting: Require password confirmation when modifying password
  Registry key: Extensions\AccessManager\Dlg:WebHideConfirmPW
  Description: Indicate whether to display the Confirm Password field in the Logon Error dialog for Web logons; the default is to Require password confirmation.
  Values: 0 = Require; 1 = Do not require
  Default: 0 (dword)

End-User Experience\Response\Windows Apps
  Setting: Supported Window Classes for Applications
  Registry key: Extensions\AccessManager:AppClasses
  Description: Default Window Class Names recognized as applications.
  Default: #32770;Dialog;ThunderRT5FormDC;ThunderRT6FormDC (string, string)

End-User Experience\Response\Windows Apps
  Setting: Supported Window Classes for Services
  Registry key: Extensions\AccessManager:ServiceClasses
  Description: Default Window Class Names recognized as services.
  Default: #32770;Dialog;ThunderRT5FormDC;ThunderRT6FormDC (string, string)

End-User Experience\Response\Windows Apps
  Setting: Wait for a Window Title
  Registry key: Extensions\AccessManager:EmptyTitleRetryCount
  Description: For slow-appearing dialogs/applications, this value is how long (in half-seconds) the Agent will wait for a window title to appear. If the window title does not appear in this time, the dialog will be ignored. A higher value uses more CPU cycles.
  Default: 6 (dword, int)


End-User Experience\Response\Windows Apps\Error Loop
  Setting: Maximum retries before prompting
  Registry key: Extensions\AccessManager\Dlg:AppsMaxRetry
  Description: Controls the retry for apps. The default value is 1.
  Default: 1 (dword, int)

End-User Experience\Response\Windows Apps\Error Loop
  Setting: Maximum time for retries before prompting
  Registry key: Extensions\AccessManager\Dlg:AppsTimeout
  Description: Controls the timeout for apps. The default is 30 seconds.
  Default: 30 (dword, int)

End-User Experience\Response\Windows Apps\Error Loop
  Setting: Require password confirmation when modifying password
  Registry key: Extensions\AccessManager\Dlg:AppsHideConfirmPW
  Description: Indicate whether to display the Confirm Password field in the Logon Error dialog for Windows logons; the default is to Require password confirmation.
  Values: 0 = Require; 1 = Do not require
  Default: 0 (dword)

End-User Experience\Setup Wizard
  Setting: Enable/disable First-Time-Use (FTU) wizard
  Registry key: Extensions\SetUpManager:HideWizard
  Description: Controls whether the Setup Wizard is displayed when first-time-use is invoked. Note: If more than one authenticator (primary logon method) is installed, then the first authenticator in the list is automatically selected as the end user's primary logon method.
  Values: 0 = Do not hide; 1 = Hide
  Default: 0 (dword)


End-User Experience\Setup Wizard
  Setting: Selected Primary Logon
  Registry key: AUI:Selected
  Description: Enables the selected logon method as the primary logon method and hides all other installed logon methods. The default is no selection (i.e., end-users select their own primary logon method). Note: To hide the primary logon method selection menu, use the "Enable/Disable First-Time-Use (FTU) Wizard" setting. If the primary logon method selection page is hidden, and this setting is blank, then the first installed logon method in the list is automatically selected.
  Values:
    None
    MSauth = Windows v2
    WinAuth = Windows
    LDAP = LDAP
    LDAPauth = LDAP v2
    MultiAuth = Authentication Manager
  Default: none (string)

End-User Experience\Setup Wizard
  Setting: Skip "selection" page if only one Primary Logon Method installed
  Registry key: AUI:HideSingleSelection
  Description: Hide the "Select Primary Logon Method" step in the Setup Wizard if only one Primary Logon Method is installed.
  Values: 0 = Do not hide/skip the Select step of the Setup Wizard; 1 = Hide/skip the Select step of the Setup Wizard
  Default: 0 (dword)


Event Logging
  Setting: Select events to log:
  Registry key: Extensions\EventManager:Filter
  Description: Event Logging filter delineating which events to log.
  Event Types:
    4        Credential Edit
    8        Credential Delete
    10       Credential Copy
    20       Credential Add
    100      Provisioning
    200      Startup/Shutdown
    400      Help
    800      Settings Change
    1000     Reauthentication
    20000    Logon Field: System Username
    40000    Logon Field: System Domain
    80000    Logon Field: Third Field
    100000   Logon Field: Username
    200000   Logon Field: Fourth Field
    800000   Application Password Change
    1000000  Primary Logon Method Change
    4000000  Backup/Restore
    40000000 Event Types:
  Default: 0 (dword)


Event Logging\Advanced
  Setting: Cache Limit
  Registry key: Extensions\EventManager:CacheLimit
  Description: Maximum number of event log entries to be cached before old events are discarded.
  Default: 200 (dword, int)

Event Logging\Advanced
  Setting: Cache Retry Interval
  Registry key: Extensions\EventManager:Retry
  Description: Interval (in minutes) between retries for all Event Logging extensions.
  Default: 30 (dword, int)

Event Logging\Advanced
  Setting: Event Server Message Library location
  Registry key: Extensions\EventManager:EventMessagePath
  Description: Path/filename to the Event Message library (SSOeventmessage.dll), used for viewing events in Windows Event Viewer.
  Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\EventMgr\SSOeventmessage.dll (string, filename)

Event Logging\Advanced
  Setting: Extension location
  Registry key: Extensions\EventManager:Path
  Description: Path/filename to the Event Logging extension (eventmgr.dll).
  Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\EventMgr\eventmgr.dll (string, filename)


Event Logging\Windows Event Viewer
  Setting: Windows Event Logging Server
  Registry key: Extensions\EventManager\WindowsEvent:EventServer
  Description: Server name for the Windows Event Logging extension (do not provide leading "\\" characters). If missing, logged to local computer. The server should have a trusted relationship with the user's account and the user's computer, depending on access rights and restrictions.
  Default: none (string, string)

Event Logging\Windows Event Viewer\Advanced
  Setting: Cache Retry Interval
  Registry key: Extensions\EventManager\WindowsEvent:Retry
  Description: Interval (in minutes) between retries for the Windows Event Logging extension.
  Default: 30 (dword, int)

Event Logging\Windows Event Viewer\Advanced
  Setting: Extension location
  Registry key: Extensions\EventManager\Logs:WindowsEvent
  Description: Path/filename to the Windows Event Logging extension (WindowsEvent.dll).
  Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\EventMgr\WindowsEvent.dll (string, filename)


Event Logging\Windows Event Viewer\Advanced
  Setting: Of logged events, limit for Windows server to:
  Registry key: Extensions\EventManager\WindowsEvent:Filter
  Description: Event logging filter delineating which events (of those logged by the root Filter setting) to log to the Windows Event Logging extension.
  Event Types:
    4        Credential Edit
    8        Credential Delete
    10       Credential Copy
    20       Credential Add
    100      Provisioning
    200      Startup/Shutdown
    400      Help
    800      Settings Change
    1000     Reauthentication
    20000    Logon Field: System Username
    40000    Logon Field: System Domain
    80000    Logon Field: Third Field
    100000   Logon Field: Username
    200000   Logon Field: Fourth Field
    800000   Application Password Change
    1000000  Primary Logon Method Change
    4000000  Backup/Restore
    40000000 Event Types:
  Default: 0 (dword)


Event Logging\XML File
  Setting: Cache Retry Interval
  Registry key: Extensions\EventManager\LocalStorage:Retry
  Description: Interval (in minutes) between retries for the Local (XML) File Logging extension.
  Default: 30 (dword, int)

Event Logging\XML File
  Setting: Extension location
  Registry key: Extensions\EventManager\Logs:LocalStorage
  Description: Path/filename to the Local (XML) File Logging extension (XMLEvent.dll).
  Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\EventMgr\XMLEvent.dll (string, filename)


Event Logging\XML File
  Setting: Of logged events, limit for XML file to:
  Registry key: Extensions\EventManager\LocalStorage:Filter
  Description: Event Logging filter delineating which events (of those logged by the root Filter setting) to log to the Local (XML) File Logging extension.
  Event Types:
    4        Credential Edit
    8        Credential Delete
    10       Credential Copy
    20       Credential Add
    100      Provisioning
    200      Startup/Shutdown
    400      Help
    800      Settings Change
    1000     Reauthentication
    20000    Logon Field: System Username
    40000    Logon Field: System Domain
    80000    Logon Field: Third Field
    100000   Logon Field: Username
    200000   Logon Field: Fourth Field
    800000   Application Password Change
    1000000  Primary Logon Method Change
    4000000  Backup/Restore
    40000000 Event Types:
  Default: 0 (dword)
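The three Filter settings (the root Extensions\EventManager:Filter and the per-sink WindowsEvent:Filter and LocalStorage:Filter above, where a sink only sees events the root filter logs) can be composed and audited with the added Python below; it is not part of the IBM manual. Reading the listed values as hexadecimal bit flags (the 4, 8, 10, 20, 100, ... progression, as regedit displays a DWORD) is my assumption, and 0x40000000, which the manual lists without a descriptive name, is reported as unknown.

```python
# Event-type flags as listed for Extensions\EventManager:Filter.  Reading the
# manual's 4, 8, 10, 20, 100, ... values as hexadecimal bit flags is an
# assumption made here (regedit shows DWORDs in hex).
EVENT_TYPES = {
    0x4: "Credential Edit",
    0x8: "Credential Delete",
    0x10: "Credential Copy",
    0x20: "Credential Add",
    0x100: "Provisioning",
    0x200: "Startup/Shutdown",
    0x400: "Help",
    0x800: "Settings Change",
    0x1000: "Reauthentication",
    0x20000: "Logon Field: System Username",
    0x40000: "Logon Field: System Domain",
    0x80000: "Logon Field: Third Field",
    0x100000: "Logon Field: Username",
    0x200000: "Logon Field: Fourth Field",
    0x800000: "Application Password Change",
    0x1000000: "Primary Logon Method Change",
    0x4000000: "Backup/Restore",
}
NAME_TO_FLAG = {name: flag for flag, name in EVENT_TYPES.items()}


def compose_filter(event_names):
    """OR the flags of the named event types into one DWORD value."""
    value = 0
    for name in event_names:
        value |= NAME_TO_FLAG[name]   # KeyError for a name the manual does not list
    return value


def decode_filter(value):
    """Names of the event types a Filter DWORD enables, in ascending flag order.

    Bits the manual does not label (e.g. 0x40000000) are reported as
    'unknown 0x...' rather than silently dropped.
    """
    names = [name for flag, name in EVENT_TYPES.items() if value & flag]
    unknown = value & ~sum(EVENT_TYPES)
    bit = 1
    while unknown:
        if unknown & bit:
            names.append(f"unknown 0x{bit:X}")
            unknown &= ~bit
        bit <<= 1
    return names


def effective_events(root_filter, sink_filter):
    """Events that actually reach a sink (Windows Event Viewer or XML file).

    A sink's own Filter only narrows what the root EventManager:Filter logs,
    so the effective set is the bitwise AND of the two values.
    """
    return decode_filter(root_filter & sink_filter)


def requested_but_not_logged(root_filter, sink_filter):
    """Events a sink asks for that the root filter never records.

    This is the gap an auditor looks for: a sink configured for credential
    events that stays empty because the root Filter was left at 0.
    """
    return decode_filter(sink_filter & ~root_filter)


def regedit_dword(value):
    """Value as regedit displays a DWORD, for comparing against a live key."""
    return f"0x{value:08x} ({value})"


if __name__ == "__main__":
    root = compose_filter(["Credential Edit", "Credential Delete", "Credential Add"])
    sink = root | NAME_TO_FLAG["Reauthentication"]
    print("root Filter  =", regedit_dword(root))
    print("effective    =", effective_events(root, sink))
    print("never logged =", requested_but_not_logged(root, sink))
```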


Primary Logon Methods\Authentication Manager
  Setting: Allowed number of logon methods
  Registry key: AUI\MultiAuth:MaxPreferred
  Description: This setting allows you to set the maximum number of logon methods that will be presented to a user. Once this number of logon methods have been presented (and skipped by) the user, a "Choose Logon" dialog is displayed. Defaults to 1. This setting is only used for the Multi-Authenticator primary logon. Note: This setting applies to TAM E-SSO: Authentication Adapter only.
  Default: 1 (dword, int)


Primary Logon Methods\LDAP v2\Advanced
  Setting: Alternate User ID location
  Registry key: AUI\LDAPauth:UserLocation
  Description: Use to indicate where to locate a user object when the user validates against an attribute other than the username. Example: If users authenticate with an employee ID # for logon (validation against the empid attribute) and the user object is in ou=people,dc=computer, then set UserLocation to empid=%user,ou=people,dc=computer instead of to uid=user,ou=people,dc=computer. Note: For Novell eDirectory, UserLocation should be: uid=%user,path to the object. Note: If using UserLocation, do not use UserPrepend or UserPaths.
  Default: none (string, string)

Primary Logon Methods\LDAP v2\Advanced
  Setting: Authenticator Grade
  Registry key: AUI\LDAPauth:AuthGrade
  Description: Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication. Note: This setting applies to TAM E-SSO: Authentication Adapter only.
  Default: 1 (dword, int)


Primary Logon Methods\LDAP v2\Advanced
  Setting: BIND Timeout
  Registry key: AUI\LDAPauth:Timeout
  Description: Timeout (in milliseconds) of LDAP BIND call.
  Default: Depends on the operating system (dword, int)

Primary Logon Methods\LDAP v2\Advanced
  Setting: Include in "LDAP" Password Sharing group
  Registry key: AUI\LDAPauth:PWSEnable
  Description: Enables password sharing from the Primary Logon Method to credentials in the Group Domain. (Also requires AccessManager:PWSEnable to be enabled.)
  Values: 0 = Disable; 1 = Enable
  Default: 1 (dword)

Primary Logon Methods\LDAP v2\Advanced
  Setting: Naming Attribute string
  Registry key: AUI\LDAPauth:UserPrepend
  Description: String to prepend to UserPaths when the DN for a user is in the form of cn=%UserName%,ou=people,dc=computer instead of the form namingattribute=%UserName%,ou=people,dc=computer (where namingattribute can be any string). Note: This value usually needs to be set to cn for Novell eDirectory. Note: If using UserPrepend, you must use UserPathN and do not use UserPrepend.
  Default: none (string, string)

Primary Logon Methods\LDAP v2\Advanced
  Setting: Passphrase
  Registry key: AUI\LDAPauth:ResetEnable
  Description: Allow the Reset passphrase to be used.
  Values: 0 = Disable; 1 = Enable
  Default: 1 (dword)


Primary Logon Methods\LDAP v2\Advanced
  Setting: When SSL fails
  Registry key: AUI\LDAPauth:SSLFallback
  Description: Whether to fallback to an insecure connection when an SSL connection fails. Note: If set to 1 and any of Servers includes a port specification, the fallback port must also be specified as an additional Servers entry. For example, if the SSL connection is to mycomputer.com:1272 then an additional entry must point to the fallback port, such as:
    mycomputer.com:1272 ;My secure SSL Port
    mycomputer.com:389 ;My fallback port
  Values: 0 = Do not connect if the SSL connection fails; 1 = Connect without SSL (insecure) if the SSL connection fails
  Default: 0 (dword)


Primary Logon Methods\LDAP v2\Required
  Setting: Servers
  Registry key: AUI\LDAPauth\Servers:ServerN
  Description: Servers to try, in the format "computer[:port]" (one server per line), where computer is the server name or IP, and port is assumed to be default (636 for SSL, 389 for no SSL) if not specified. Example:
    127.0.0.1
    127.0.0.1:456
    somewhereelse.com:8080
    anotherplace.com
  Note: At least one server must be specified for this extension to work. Note: If specifying a port value, see SyncManager\Syncs\%LDAP%:SSLFallback.
  Default: none (string)

Primary Logon Methods\LDAP v2\Required
  Setting: SSL
  Registry key: AUI\LDAPauth:UseSSL
  Description: Connect via SSL.
  Values: 0 = Connect without SSL (insecure) (default to port #389); 1 = Connect via SSL (default to port #636)
  Default: 1 (dword)

Primary Logon Methods\LDAP v2\Required
  Setting: SSL CertDB location
  Registry key: AUI\LDAPauth:CertDBPath
  Description: Path\filename of the cert7.db certificate database file. (Do not change the name of the file from cert7.db.)
  Default: none (string, filename)


Primary Logon Methods\LDAP v2\Required
  Setting: User Paths
  Registry key: AUI\LDAPauth:UserPathN
  Description: Fully qualified path of where the user account is located. There can be unlimited paths to search. The extension searches these in order, looking for the user account. If not found, the extension will search the directory tree. Note: A value for either UserPrepend or at least one value for UserPaths must be specified for this extension to work. Note: If using UserPaths, do not use UserLocation.
  Default: none (string)


Primary Logon Methods\LDAP\Advanced
  Setting: Active Directory: Domain name support enabled
  Registry key: AUI\LDAPauth:UsingAD
  Description: Enables Active Directory domain-name support. End users can specify the domain name (e.g., domainname\username) at primary logon. Alternatively, the administrator can specify a default domain name (see the "Active Directory: Set domain name" setting) to let end users log on by username alone. If no domain is specified, then the local workstation's domain is used.
  Values: 0 = Do not use AD domain names; 1 = Use AD domain names
  Default: 0 (dword)


Primary Logon Methods\LDAP\Advanced
  Setting: Active Directory: Set domain name
  Registry key: AUI\LDAP:ADDomain
  Description: The Active Directory domain name to use for primary logon if no domain is specified for the username/ID credential (e.g., domainname\username). This setting is used only if the "Active Directory: Domain name support enabled" setting is set to "Use AD domain names." If domain-name support is enabled and this setting is blank (and the end user does not specify a domain), then the local workstation's domain is used.
  Default: none (string, string)


Primary Logon Methods\LDAP\Advanced
  Setting: Alternate User ID location
  Registry key: AUI\LDAP:UserLocation
  Description: Use to indicate where to locate a user object when the user validates against an attribute other than the username. Example: If users authenticate with an employee ID # for logon (validation against the empid attribute) and the user object is in ou=people,dc=computer, then set UserLocation to empid=%user,ou=people,dc=computer instead of to uid=user,ou=people,dc=computer. Note: For Novell eDirectory, UserLocation should be: uid=%user,path to the object. Note: If using UserLocation, do not use UserPrepend or UserPaths.
  Default: none (string, string)

Primary Logon Methods\LDAP\Advanced
  Setting: Authenticator Grade
  Registry key: AUI\LDAP:AuthGrade
  Description: Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication. Note: This setting applies to TAM E-SSO: Authentication Adapter only.
  Default: 1 (dword, int)


Primary Logon Methods\LDAP\Advanced
  Setting: BIND Timeout
  Registry key: AUI\LDAP:Timeout
  Description: Timeout (in milliseconds) of LDAP BIND call.
  Default: Depends on the operating system (dword, int)

Primary Logon Methods\LDAP\Advanced
  Setting: Naming Attribute string
  Registry key: AUI\LDAP:UserPrepend
  Description: String to prepend to UserPaths when the DN for a user is in the form of cn=%UserName%,ou=people,dc=computer instead of the form namingattribute=%UserName%,ou=people,dc=computer (where namingattribute can be any string). Note: This value usually needs to be set to cn for Novell eDirectory. Note: If using UserPrepend, you must use UserPathN and do not use UserPrepend.
  Default: none (string, string)


Primary Logon Methods\LDAP\Advanced
  Setting: SSL Fallback
  Registry key: AUI\LDAP:SSLFallback
  Description: Fallback to an insecure connection when an SSL connection fails. Note: If set to 1 and any of Servers includes a port specification, the fallback port must also be specified as an additional Servers entry. For example, if the SSL connection is to mycomputer.com:1272 then an additional entry must point to the fallback port, such as:
    mycomputer.com:1272 ;My secure SSL Port
    mycomputer.com:389 ;My fallback port
  Values: 0 = Do not connect if the SSL connection fails; 1 = Connect without SSL (insecure) if the SSL connection fails
  Default: 0 (dword)


Primary Logon Methods\LDAP\Required
  Setting: Servers
  Registry key: AUI\LDAP\Servers:ServerN
  Description: Servers to try, in the format "computer[:port]" (one server per line), where computer is the server name or IP, and port is assumed to be default (636 for SSL, 389 for no SSL) if not specified. Example:
    127.0.0.1
    127.0.0.1:456
    somewhereelse.com:8080
    anotherplace.com
  Note: At least one server must be specified for this extension to work. Note: If specifying a port value, see SyncManager\Syncs\%LDAP%:SSLFallback.
  Default: none (string)

Primary Logon Methods\LDAP\Required
  Setting: SSL
  Registry key: AUI\LDAP:UseSSL
  Description: Whether to connect via SSL.
  Values: 0 = Connect without SSL (insecure) (default to port #389); 1 = Connect via SSL (default to port #636)
  Default: 1 (dword)
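The Servers format, the UseSSL default ports and the SSLFallback rule above (identical for the LDAP v2 keys AUI\LDAPauth\Servers:ServerN, AUI\LDAPauth:UseSSL and AUI\LDAPauth:SSLFallback) can be parsed and checked with the added Python below; it is not part of the IBM manual. Treating text after ";" as a comment, as in the manual's ";My secure SSL Port" lines, and requiring the fallback entry to name the same host are my assumptions.

```python
from typing import Dict, List, NamedTuple, Set

# Default ports stated in the UseSSL entry: 636 with SSL, 389 without.
DEFAULT_PORT = {True: 636, False: 389}


class Server(NamedTuple):
    host: str
    port: int
    explicit_port: bool   # True when the entry itself carried ":port"


def parse_server_entries(entries: List[str], use_ssl: bool) -> List[Server]:
    """Parse ServerN values of the form "computer[:port]", one per entry.

    Assumption: anything after ';' is a comment, as in the manual's
    "mycomputer.com:1272 ;My secure SSL Port" example line.
    """
    servers = []
    for raw in entries:
        text = raw.split(";", 1)[0].strip()
        if not text:
            continue
        host, sep, port = text.rpartition(":")
        if sep and port.isdigit():
            servers.append(Server(host, int(port), True))
        else:
            servers.append(Server(text, DEFAULT_PORT[use_ssl], False))
    return servers


def config_issues(entries: List[str], use_ssl: bool, ssl_fallback: int) -> List[str]:
    """Problems with a Servers / UseSSL / SSLFallback combination.

    Rules taken from the manual: at least one server is required, and with
    SSLFallback=1 an entry that names an explicit port needs a second entry
    naming the fallback port (assumed here to be a second entry for the same
    host).  SSLFallback=1 and UseSSL=0 are reported because both allow the
    LDAP BIND, which carries the user's password, to be sent without SSL.
    """
    issues = []
    servers = parse_server_entries(entries, use_ssl)
    if not servers:
        issues.append("no server specified; the extension will not work")
    if not use_ssl:
        issues.append("UseSSL=0: the LDAP BIND is sent without SSL")
    if ssl_fallback:
        issues.append("SSLFallback=1: a failed SSL connection is retried without SSL")
        ports_by_host: Dict[str, Set[int]] = {}
        for s in servers:
            ports_by_host.setdefault(s.host, set()).add(s.port)
        for s in servers:
            if s.explicit_port and len(ports_by_host[s.host]) < 2:
                issues.append(f"{s.host}:{s.port}: explicit port but no entry for a fallback port")
    return issues


if __name__ == "__main__":
    # Entries copied from the manual's SSLFallback example.
    entries = ["mycomputer.com:1272 ;My secure SSL Port",
               "mycomputer.com:389 ;My fallback port"]
    for s in parse_server_entries(entries, use_ssl=True):
        print(s)
    for issue in config_issues(entries, use_ssl=True, ssl_fallback=1):
        print("issue:", issue)
```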

Primary Logon Methods\LDAP\Required
  Setting: SSL CertDB location
  Registry key: AUI\LDAP:CertDBPath
  Description: Path\filename of the cert7.db certificate database file. (Do not change the name of the file from cert7.db.)
  Default: none (string, filename)


Primary Logon Methods\LDAP\Required
  Setting: User Paths
  Registry key: AUI\LDAP:UserPathN
  Description: Fully qualified path of where the user account is located. There can be unlimited paths to search. The extension searches these in order, looking for the user account. If not found, the extension will search the directory tree. Note: A value for either UserPrepend or at least one value for UserPaths must be specified for this extension to work. Note: If using UserPaths, do not use UserLocation.
  Default: none (string)

Primary Logon Methods\Windows
  Setting: When user's Windows password changes...
  Registry key: AUI\WinAuth:PWEnable
  Description: Provide enhanced security by requiring entry of the old password when a new one is in use.
  Values: 0 = Do not require the old Windows password; 1 = Require the old Windows password
  Default: 0 (dword)

Primary Logon Methods\Windows v2
  Setting: Include in "Domain" Password Sharing Group
  Registry key: AUI\MSauth:PWSEnable
  Description: Enables password sharing from the Primary Logon Method to credentials in the Group Domain. (Also requires AccessManager:PWSEnable to be enabled.)
  Values: 0 = Disable; 1 = Enable
  Default: 1 (dword)


Primary Logon Methods\Windows v2
  Setting: Reauthentication dialog
  Registry key: AUI\MSauth:AuthOptions
  Description: Determines how the user needs to reauthenticate.
  Values: 0 = Use TAM E-SSO dialog; 1 = Use GINA
  Default: 0 (dword)

Primary Logon Methods\Windows v2\Advanced
  Setting: Authenticator Grade
  Registry key: AUI\MSauth:AuthGrade
  Description: Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication. Note: This setting applies to TAM E-SSO: Authentication Adapter only.
  Default: 1 (dword, int)

Primary Logon Methods\Windows v2\Advanced
  Setting: MultiAuth: Require set up for multi-authentication
  Registry key: AUI\MSauth:AuthState
  Description: Determines whether to require user to set up this logon method during First Time Use if "MultiAuth" is selected as the primary logon method. This setting is only used for multi-authenticator primary logon.
  Values: 0 = Disable this logon method for multi-authenticator use; 1 = User has option to set up this logon method; 2 = User is required to set up this logon method
  Default: 1 (dword)

Primary Logon Methods\Windows v2\Advanced
  Setting: Passphrase
  Registry key: AUI\MSauth:ResetEnable
  Description: Allow the Reset passphrase to be used.
  Values: 0 = Disable; 1 = Enable
  Default: 1 (dword)


Primary Logon Methods\Windows\Advanced
  Setting: Authenticator Grade
  Registry key: AUI\WinAuth:AuthGrade
  Description: Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication. Note: This setting applies to TAM E-SSO: Authentication Adapter only.
  Default: 1 (dword, int)

Provisioning Manager
  Setting: Add All Approval
  Registry key: Extensions\Provisioning\Settings:AddAllApproval
  Description: One means we approve all and modify operations at once. Zero means we require individual approval. The default value is one. This setting applies to v-GO Provisioning Manager only.
  Values: 0 = Require Individual Approval; 1 = Approve All
  Default: 1 (dword)

Provisioning Manager
  Setting: Add Approval
  Registry key: Extensions\Provisioning\Settings:AddApproval
  Description: One means we require user approval for an add operation, Zero means we do not require user approval for an add operation. The default value is 0. This setting applies to v-GO Provisioning Manager only.
  Values: 0 = Do Not Require Approval; 1 = Require Approval
  Default: 1 (dword)


Provisioning Manager
  Setting: If logon does not exist for a modify
  Registry key: Extensions\Provisioning\Settings:ModifyNotExist
  Description: One means if a logon does not exist for a modify operation, treat it as an add. Zero means if a logon does not exist for a modify operation, treat it as a failure. The default value is 1. This setting applies to v-GO Provisioning Manager only.
  Values: 0 = Treat as failure; 1 = Treat as add
  Default: 1 (dword)

Provisioning Manager
  Setting: If there are multiple logons for a modify
  Registry key: Extensions\Provisioning\Settings:MultipleModify
  Description: One means if there are multiple logons for a modify operation, then display to the user the list and allow them to choose. Zero means if there are multiple logons for modify operation then do not allow the user a choice. The default is 0. This setting applies to v-GO Provisioning Manager only.
  Values: 0 = Do not allow choice; 1 = Display list and allow a choice
  Default: 1 (dword)


Provisioning Manager
  Setting: Modify Approval
  Registry key: Extensions\Provisioning\Settings:ModifyApproval
  Description: One means we approve all and modify operations at once. Zero means we require individual approval. The default value is one. This setting applies to v-GO Provisioning Manager only.
  Values: 0 = Do Not Require Approval; 1 = Require Approval
  Default: 1 (dword)

Security\Advanced
  Setting: Allow Password Revealing
  Registry key: Extensions\AccessManager:AllowReveal
  Description: Whether to allow users to reveal passwords in Wizards and on property pages. Note: If this setting or the application configuration-specific setting are set to not allow reveal, then the password will not be revealed.
  Values: 0 = Do not allow; 1 = Allow
  Default: 1 (dword)


Security\Advanced
  Setting: Default encryption
  Registry key: CSP:PreferredCSP
  Description: Select the encryption algorithm/strength for new/modified credentials. Note: Setting this to a value supported only on XP/2003 will disable the Agent on other OSs.
  Values:
    0     Cobra 128-bit
    512   Cobra 128-bit (also)
    513   Blowfish 448-bit
    1028  Triple-DES 168-bit
    1285  AES 256-bit
    25700 Triple-DES (MS CAPI) (All OSs)
    25723 Triple-DES (MS CAPI) (XP/2003 only)
    25956 RC-4 (MS CAPI) (All OSs)
    25979 RC-4 (MS CAPI) (XP/2003 only)
    26491 AES (MS CAPI) (XP/2003 only)
  Default: 25700 (dword)

Security\Advanced
  Setting: Require reauthentication to Reveal passwords
  Registry key: Extensions\AccessManager:ReauthOnReveal
  Description: Whether to require reauthentication if the user selects Reveal or Reveal All in Logon Manager and in dialogs.
  Values: 0 = Do not require reauthentication; 1 = Require reauthentication
  Default: 1 (dword)


Security\Common
  Setting: Reauthentication timer
  Registry key: Extensions\AccessManager:AutoLogin
  Description: Time (in milliseconds) between reauthentication requests. If set to 4,294,967,295 (0xFFFFFFFF), the time will never expire and the user will never need to reauthenticate, except in forced authentication scenarios. Note: Default value for client-side installation is 900,000 (15 minutes); default in a Terminal Services environment is 4,294,967,295 (disabled).
  Default: 900000 (dword, int)


Synchronization
  Setting: Aggressive Synchronization
  Registry key: Extensions\SyncManager:AggressiveSync
  Description: Determine whether to allow Aggressive Sync, which is to have the system perform a synchronization whenever a user performs any action that would require the most current credentials or settings available (e.g., an application requests credentials). Note: There is a significant performance impact on both the client and server computers.
  Values: 0 = Do not allow; 1 = Allow
  Default: 0 (dword)

Synchronization
  Setting: Delete local cache
  Registry key: Shell:CleanupOnShutdown
  Description: Whether to delete the user's data files and registry keys upon shutdown of the agent.
  Values: 0 = Do not delete; 1 = Delete
  Default: 0 (dword)

Synchronization
  Setting: Deleted-credential cleanup
  Registry key: Shell:nDelDays
  Description: Time (in days) for which a credential's "deleted" flag is retained after a credential is deleted.
  Default: 30 (dword, int)


Synchronization: Disconnected Operation
Value: Extensions\SyncManager:AllowDisconnected
Determines whether TAM E-SSO executes first-time-use setup when it is unable to connect to any synchronizer extension and no local cache is present. This check occurs when run with the /background parameter (for example, at startup).
0 = Do not continue running
1 = Allow disconnected operation
Default: 1; Type: dword

Synchronization: Enable role/group security support
Value: Extensions\SyncManager:RetrieveCO
Enables role/group support for application logons, password policies, global agent settings, and passphrase question sets.
0 = Do not use role/group security
1 = Use role/group security
Default: 0; Type: dword

Synchronization: Interval for automatic re-sync
Value: Extensions\SyncManager:CycleInterval
Interval (in minutes) between automatic re-syncs. This occurs whether or not a user-generated sync event occurs. A value of 0 disables this setting.
Default: 0; Type: dword (int)


Synchronization: Optimized Synchronization
Value: Extensions\SyncManager:OptimizedSync
Enable/disable Optimized Sync (using a checksum to determine changed credentials/settings, rather than retrieving all credentials/settings).
0 = Disable
1 = Enable
Default: 1; Type: dword

Synchronization: Re-sync when network or connection status changes
Value: Shell:MonitorNetwork
Enables/disables monitoring for changes in the network connection status. When enabled, the Agent performs re-synchronization when a status change occurs (for example, re-connecting to the network).
0 = Ignore network status changes
1 = Watch for and re-sync on network status changes
Default: 1; Type: dword

Synchronization: Sync Order
Value: Extensions\SyncManager:SyncOrder
Order in which to synchronize to synchronization extensions (by extension name, not type).
Examples:
SalesADAM,CorporateLDAP,CorporateAD
FileSync Remote,AD,FileSync Local,SomethingElse
CorpDir,CorpADAM,ADRemote
Note: If no value is specified, all extensions will be used (in an unpredictable order).
Default: none; Type: string (synchronizers)


Synchronization: Wait for synchronization at startup
Value: Extensions\SyncManager:WaitForStartupSync
Determines whether to wait for synchronization at startup, which ensures that the user's data is current.
Note: There is a minor performance impact on the client computer.
1 = Wait for sync
0 = Do not wait for sync
Default: 1; Type: dword

Synchronization\%AD%\Advanced: Configuration Objects Base Locations
Value: Extensions\SyncManager\Syncs\%AD%\COBaseLocations:LocationN
Where to begin the search for Configuration Objects. The search is from the specified location(s) downward. If there are no entries, the search is from the base location.
Default: none; Type: string

Synchronization\%AD%\Advanced: Credentials to use
Value: Extensions\SyncManager\Syncs\%AD%:AuthType
Which credentials to use when authenticating to the Active Directory server.
0 = Use local computer credentials only
1 = Use Active Directory server account only (recommended that UserPathN be set)
2 = Try local computer credentials; if that fails, use the Active Directory server account
Default: 2; Type: dword


Synchronization\%AD%\Advanced: Descriptive name
Value: Extensions\SyncManager\Syncs\%AD%:DisplayName
Logon dialog title, to help differentiate between multiple synchronizer extensions having the same name.
Note: This entry is not required.
Default: none; Type: string

Synchronization\%AD%\Advanced: Location for storing user credentials
Value: Extensions\SyncManager\Syncs\%AD%:LocateInUser
Enables storage of user-credential containers under their respective directory User objects; no locator object is used. When disabled (the default), credentials are stored as specified by the locator object.
0 = Store user credentials as specified by the locator object
1 = Store user credentials under the respective directory User objects
Default: 0; Type: dword

Synchronization\%AD%\Advanced: Logon attempts
Value: Extensions\SyncManager\Syncs\%AD%:RetryLockCount
Number of times to present the retry dialog to the user.
Default: 3; Type: dword (int)


Synchronization\%AD%\Advanced: Prepend Domain when naming objects
Value: Extensions\SyncManager\Syncs\%AD%:AppendDomain
Enables prepending of the user's domain to the username in naming the user's container.
Example: For the domain "passlogix" and user "jamesk", the container is named "jamesk" with this flag disabled and "passlogix.jamesk" with this flag enabled.
Note: If you enable Prepend Domain, do not enable Enable Storing Credentials under User Object (in the Directory menu). If you do enable credential storage in User Objects, this option must be disabled (the default setting). If both options are enabled, no synchronization will occur.
0 = Disable
1 = Enable
Default: 0; Type: dword

Synchronization\%AD%\Advanced: Prompt when disconnected
Value: Extensions\SyncManager\Syncs\%AD%:AllowOffline
Allow the user to work offline without prompting/notification if a synchronization event fails.
0 = Prompt/notify the user
1 = Do not prompt
Default: 0; Type: dword


Synchronization\%AD%\Advanced: Search for locator and override objects
Value: Extensions\SyncManager\Syncs\%AD%:StopAtRoot
Controls how the Agent searches for locator and override objects.
0 = Search all servers for locator/override objects
1 = Limit the locator/override search to the server root
Default: 1; Type: string

Synchronization\%AD%\Advanced: Servers
Value: Extensions\SyncManager\Syncs\%AD%\Servers:ServerN
Servers to try, in the format "computer[:port]" (one server per line), where computer is the server name, and port is assumed to be the default (636 for SSL, 389 for no SSL) if not specified.
Example:
somewhereclose.com
also.somewhereclose.com
somewhereelse.com:8080
anotherplace.com
Note: At least one server must be specified for this extension to work.
Note: Active Directory requires use of computer names (not IP addresses).
Note: If specifying a port value, see SyncManager\Syncs\%LDAP%:SSLFallback.
Default: none; Type: string


Synchronization\%AD%\Advanced: User Paths
Value: Extensions\SyncManager\Syncs\%AD%:UserPathN
Fully qualified path of where the user account is located. There can be an unlimited number of paths to search. The extension searches these in order, looking for the user account. If it is not found, the extension will search the directory tree.
Note: This entry is not required for this extension.
Default: none; Type: string


Synchronization\%AD%\Advanced: When SSL fails
Value: Extensions\SyncManager\Syncs\%AD%:SSLFallback
Fall back to an insecure connection when an SSL connection fails.
Note: If SSLFallback=1 and any of the Servers entries includes a port specification, the fallback port must also be specified as an additional Servers entry. For example, if the SSL connection is to mycomputer.com:1272, then an additional entry must point to the fallback port, such as:
mycomputer.com:1272 ;My secure SSL port
mycomputer.com:389 ;My fallback port
0 = Do not connect if the SSL connection fails
1 = Connect without SSL (insecure) if the SSL connection fails
Default: none; Type: dword

Synchronization\%AD%\Required: Extension location
Value: Extensions\SyncManager\Syncs\%AD%:Path
Path\filename of the Active Directory synchronizer extension.
Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\ADEXT\adsync.dll; Type: string (filename)

Synchronization\%AD%\Required: SSL
Value: Extensions\SyncManager\Syncs\%AD%:UseSSL
Connect via SSL.
0 = Connect without SSL (insecure) (defaults to port 389)
1 = Connect via SSL (defaults to port 636)
Default: 1; Type: dword


Synchronization\%ADAM%\Advanced: Configuration Objects Base Locations
Value: Extensions\SyncManager\Syncs\%ADAM%\COBaseLocations:LocationN
Where to begin the search for Configuration Objects. The search is from the specified location(s) downward. If there are no entries, the search is from the base location.
Default: none; Type: string

Synchronization\%ADAM%\Advanced: Credentials to use
Value: Extensions\SyncManager\Syncs\%ADAM%:AuthType
Which credentials to use when authenticating to the ADAM server.
0 = Connect to ADAM with the current user name
1 = Use the ADAM server account only
2 = Try local computer credentials; if that fails, use the ADAM server account
Default: 2; Type: dword

Synchronization\%ADAM%\Advanced: Prepend Domain when naming objects
Value: Extensions\SyncManager\Syncs\%ADAM%:AppendDomain
Enables prepending of the user's domain to the username in naming the user's container.
Example: For the domain "passlogix" and user "jamesk", the container is named "jamesk" with this flag disabled and "passlogix.jamesk" with this flag enabled.
0 = Disable
1 = Enable
Default: 0; Type: dword


Synchronization\%ADAM%\Advanced: Prompt when disconnected
Value: Extensions\SyncManager\Syncs\%ADAM%:AllowOffline
Allow the user to work offline without prompting/notification if a synchronization event fails.
0 = Prompt/notify the user
1 = Do not prompt
Default: 0; Type: dword

Synchronization\%ADAM%\Advanced: User domain name to use
Value: Extensions\SyncManager\Syncs\%ADAM%:UserDomain
Domain name to use in the container name (e.g., DomainName.UserName) when Prepend Domain is enabled. The user can specify another domain in the login dialog.
Example: If User Domain is "MyDomain" (with Prepend Domain enabled) and the user logs on as jamesk, the container name used is MYDOMAIN.jamesk. If the user logs on as HISDOMAIN\jamesk, the container name used is HISDOMAIN.jamesk.
Default: none; Type: string

Synchronization\%ADAM%\Required: Extension location
Value: Extensions\SyncManager\Syncs\%ADAM%:Path
Path\filename of the Active Directory synchronizer extension.
Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\ADAMext\ADAMsyncExt.dll; Type: string (filename)


Synchronization\%ADAM%\Required: Servers
Value: Extensions\SyncManager\Syncs\%ADAM%\Servers:ServerN
Servers to try, in the format "computer[:port]" (one server per line), where computer is the server name, and port is assumed to be the default (636 for SSL, 389 for no SSL) if not specified.
Example:
somewhereclose.com
also.somewhereclose.com
somewhereelse.com:8080
anotherplace.com
Note: At least one server must be specified for this extension to work.
Note: Active Directory requires use of computer names (not IP addresses).
Note: If specifying a port value, see SyncManager\Syncs\%LDAP%:SSLFallback.
Default: none; Type: string


Synchronization\%DB%\Advanced: Append Domain when naming objects
Value: Extensions\SyncManager\Syncs\%DB%:AppendDomain
Enables appending of the user's domain to the username in naming the user's container.
Example: For the domain "passlogix" and user "jamesk", the container is named "jamesk" with this flag disabled and "jamesk.passlogix" with this flag enabled.
0 = Disable
1 = Enable
Default: 0; Type: dword

Synchronization\%DB%\Required: Extension location
Value: Extensions\SyncManager\Syncs\%DB%:Path
Path\filename of the Database synchronizer extension.
Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\DBEXT\DBExt.dll; Type: string (filename)

Synchronization\%DB%\Required: Servers
Value: Extensions\SyncManager\Syncs\%DB%\Servers:Server
List of servers to try, in the format "connection string" (one server per line).
Note: At least one server must be specified for this extension to work.
Default: none; Type: string


Synchronization\%File%\Advanced: Descriptive name
Value: Extensions\SyncManager\Syncs\%File%:DisplayName
Logon dialog title, to help differentiate between multiple synchronizer extensions having the same name.
Note: This entry is not required.
Default: none; Type: string

Synchronization\%File%\Advanced: Logon attempts
Value: Extensions\SyncManager\Syncs\%File%:RetryLockCount
Number of times to present the retry dialog to the user.
Default: 3; Type: dword (int)

Synchronization\%File%\Advanced: Prepend Domain when naming user folders
Value: Extensions\SyncManager\Syncs\%File%:AppendDomain
Enables prepending of the user's domain to the username in naming the user's container.
Example: For the domain "passlogix" and user "jamesk", the container is named "jamesk" with this flag disabled and "passlogix.jamesk" with this flag enabled.
0 = Disable
1 = Enable
Default: 1; Type: dword
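The container-naming rules from the AppendDomain entries above (AD, ADAM, Database and File System) and the ADAM UserDomain override, worked as an added Python example that is not part of the IBM documentation; the SyncSettings class, the function names and the upper-casing of the ADAM domain (taken from the reference's MYDOMAIN.jamesk example) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Documented defaults of :AppendDomain per synchronizer extension:
# AD, ADAM and DB default to 0, the File System extension defaults to 1.
DEFAULT_APPEND_DOMAIN = {"AD": 0, "ADAM": 0, "DB": 0, "File": 1}


@dataclass
class SyncSettings:
    """The Extensions\\SyncManager\\Syncs\\%EXT% values this example reads
    (a hypothetical container for them, not a structure of the product)."""
    kind: str                             # "AD", "ADAM", "DB" or "File"
    append_domain: Optional[int] = None   # :AppendDomain; None = documented default
    user_domain: str = ""                 # :UserDomain (ADAM only)
    locate_in_user: int = 0               # :LocateInUser (AD only)

    def __post_init__(self):
        if self.append_domain is None:
            self.append_domain = DEFAULT_APPEND_DOMAIN[self.kind]


def container_name(settings, logon_name, logon_domain=""):
    """Name of the user's credential container.

    logon_name may be given as "DOMAIN\\user": a domain typed that way in the
    logon dialog takes precedence over UserDomain, as the ADAM entry describes.
    """
    domain, user = logon_domain, logon_name
    if "\\" in logon_name:
        domain, user = logon_name.split("\\", 1)
    elif settings.kind == "ADAM" and settings.user_domain:
        domain = settings.user_domain
    if not settings.append_domain:
        return user                      # flag disabled: just the username
    if settings.kind == "ADAM":
        # The reference renders UserDomain "MyDomain" as MYDOMAIN.jamesk, so the
        # domain part is upper-cased here (an assumption of this example).
        domain = domain.upper()
    if settings.kind == "DB":
        return f"{user}.{domain}"        # the Database extension appends the domain
    return f"{domain}.{user}"            # AD, ADAM and File System prepend it


def check_conflicts(settings):
    """Findings for the setting combination the AD entry says stops synchronization."""
    findings = []
    if settings.kind == "AD" and settings.append_domain and settings.locate_in_user:
        findings.append("AD: AppendDomain=1 together with LocateInUser=1 means no "
                        "synchronization will occur; disable one of them")
    return findings


if __name__ == "__main__":
    adam = SyncSettings("ADAM", append_domain=1, user_domain="MyDomain")
    print(container_name(adam, "jamesk"))               # MYDOMAIN.jamesk
    print(container_name(adam, "HISDOMAIN\\jamesk"))    # HISDOMAIN.jamesk
    print(check_conflicts(SyncSettings("AD", append_domain=1, locate_in_user=1)))
```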


Synchronization\%File%\Advanced: Prompt when disconnected
Value: Extensions\SyncManager\Syncs\%File%:AllowOffline
Allow the user to work offline without prompting/notification if a synchronization event fails.
0 = Prompt/notify the user
1 = Do not prompt
Default: 0; Type: dword

Synchronization\%File%\Required: Extension location
Value: Extensions\SyncManager\Syncs\%File%:Path
Path\filename of the File System synchronizer extension.
Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\FileSyncExt\filesync.dll; Type: string (filename)

Synchronization\%File%\Required: Server
Value: Extensions\SyncManager\Syncs\%File%\Servers:Server1
UNC path to try. Examples:
\\FS1\Users
\\FS2\Extras
D:\Backup
Note: Server1 must be specified for this extension to work.
Note: The File System extension requires use of proper UNC paths.
Note: As of TAM E-SSO 4.0, only one path is supported; failover is not supported.
Default: none; Type: string

Synchronization\%LDAP%\Advanced: Admin Group DN
Value: Extensions\SyncManager\Syncs\%LDAP%:AdminGroup
DN of the Administrative group. This value is placed in the ACI.
Example: cn=configuration administrators,ou=groups,ou=topologymanagement,o=netscaperoot
Default: none; Type: string


Synchronization\%LDAP%\Advanced: Alternate User ID location
Value: Extensions\SyncManager\Syncs\%LDAP%:UserLocation
Use to indicate where to locate a user object when the user validates against an attribute other than the username.
Example: If users authenticate with an employee ID # for logon (validation against the empid attribute) and the user object is in ou=people,dc=computer, then set UserLocation to empid=%user,ou=people,dc=computer instead of to uid=user,ou=people,dc=computer.
Note: For Novell eDirectory, UserLocation should be: uid=%user,path to the object.
Note: If using UserLocation, do not use UserPrepend or UserPaths.
Default: none; Type: string

Synchronization\%LDAP%\Advanced: BIND Timeout
Value: Extensions\SyncManager\Syncs\%LDAP%:Timeout
Timeout (in milliseconds) of the LDAP BIND call.
Default: depends on the operating system; Type: dword (int)


Synchronization\%LDAP%\Advanced: Configuration Objects Base Locations
Value: Extensions\SyncManager\Syncs\%LDAP%\COBaseLocations:LocationN
Where to begin the search for Configuration Objects. The search is from the specified location(s) downward. If there are no entries, the search is from the base location.
Default: none; Type: string

Synchronization\%LDAP%\Advanced: Descriptive name
Value: Extensions\SyncManager\Syncs\%LDAP%:DisplayName
Logon dialog title, to help differentiate between multiple synchronizer extensions having the same name.
Note: This entry is not required.
Default: none; Type: string

Synchronization\%LDAP%\Advanced: DSAME disabled-account support
Value: Extensions\SyncManager\Syncs\%LDAP%:UsingDSAME
Recognize disabled accounts on a Sun ONE Identity Server, formerly known as iPlanet Directory Server Access Management Edition (DSAME).
0 = The server is not a Sun ONE Identity Server
1 = The server is a Sun ONE Identity Server
Default: 0; Type: dword

Synchronization\%LDAP%\Advanced: Logon attempts
Value: Extensions\SyncManager\Syncs\%LDAP%:RetryLockCount
Number of times to present the retry dialog to the user.
Default: 3; Type: dword (int)


Synchronization\%LDAP%\Advanced: Naming Attribute string
Value: Extensions\SyncManager\Syncs\%LDAP%:UserPrepend
String to prepend to UserPaths when the DN for a user is in the form cn=%UserName%,ou=people,dc=computer instead of the form namingattribute=%UserName%,ou=people,dc=computer (where namingattribute can be any string).
Note: This value usually needs to be set to cn for Novell eDirectory.
Note: If using UserPrepend, you must use UserPathN and do not use UserPrepend.
Default: none; Type: string

Synchronization\%LDAP%\Advanced: Prompt when disconnected
Value: Extensions\SyncManager\Syncs\%LDAP%:AllowOffline
Allow the user to work offline without prompting/notification if a synchronization event fails.
0 = Prompt/notify the user
1 = Do not prompt
Default: 0; Type: dword

Synchronization\%LDAP%\Advanced: Security Version
Value: Extensions\SyncManager\Syncs\%LDAP%:SecurityVersion
Update the ACI with a new :AdminGroup value when this value is higher than :SecurityUpgrade.
Default: none; Type: dword (int)


Synchronization\%LDAP%\Advanced: When SSL fails
Value: Extensions\SyncManager\Syncs\%LDAP%:SSLFallback
Fall back to an insecure connection when an SSL connection fails.
Note: If SSLFallback=1 and any of the Servers entries includes a port specification, the fallback port must also be specified as an additional Servers entry. For example, if the SSL connection is to mycomputer.com:1272, then an additional entry must point to the fallback port, such as:
mycomputer.com:1272 ;My secure SSL port
mycomputer.com:389 ;My fallback port
0 = Do not connect if the SSL connection fails
1 = Connect without SSL (insecure) if the SSL connection fails
Default: none; Type: dword


Synchronization\%LDAP%\Required: Directory Type
Value: Extensions\SyncManager\Syncs\%LDAP%:DirectoryType
The specific type of directory server. If the directory server is not listed, select "Unspecified LDAP Directory" for backwards compatibility in upgrade scenarios; otherwise select "Generic LDAP Directory".
0 = Unspecified LDAP Directory
3 = Novell eDirectory
4 = Novell NDS
5 = Generic LDAP Directory
8 = Sun ONE Directory
9 = IBM Tivoli Directory Server
10 = Oracle Internet Directory
Default: 0; Type: dword

Synchronization\%LDAP%\Required: Extension location
Value: Extensions\SyncManager\Syncs\%LDAP%:Path
Path\filename of the LDAP Directory Server synchronizer extension.
Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\LDAP\ldapsync.dll; Type: string (filename)


Synchronization\%LDAP%\Required: Servers
Value: Extensions\SyncManager\Syncs\%LDAP%\Servers:ServerN
List of servers to try, in the format "computer[:port]" (one server per line), where computer is the server name or IP address, and port is assumed to be the default (636 for SSL, 389 for no SSL) if not specified.
Example:
127.0.0.1
127.0.0.1:456
somewhereelse.com:8080
anotherplace.com
Note: At least one server must be specified for this extension to work.
Note: If specifying a port value, see SyncManager\Syncs\%LDAP%:SSLFallback.
Default: none; Type: string
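An added check, not part of the IBM documentation, for the rules the Servers, UseSSL and SSLFallback entries of the AD, ADAM and LDAP extensions state above (computer names only for AD/ADAM, default ports 636/389, a second entry for the fallback port when SSLFallback=1 is combined with an explicit port); the function names and the treatment of text after ";" as a comment are assumptions of this example.

```python
import ipaddress
import re

# Documented default ports: UseSSL=1 -> 636, UseSSL=0 -> 389.
DEFAULT_PORT = {1: 636, 0: 389}


def parse_server(entry):
    """Parse one ServerN value of the form computer[:port].

    Text after ';' is treated as a comment, as in the reference's SSLFallback
    example ("mycomputer.com:1272 ;My secure SSL Port"); an assumption here.
    """
    value = entry.split(";", 1)[0].strip()
    m = re.fullmatch(r"([^\s:]+)(?::(\d{1,5}))?", value)
    if not m:
        raise ValueError(f"malformed server entry: {entry!r}")
    host, port = m.group(1), m.group(2)
    return host, (int(port) if port else None)


def is_ip_address(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def effective_endpoints(servers, use_ssl=1):
    """(host, port) pairs in the order tried, with the documented default port filled in."""
    return [(h, p if p is not None else DEFAULT_PORT[use_ssl])
            for h, p in (parse_server(s) for s in servers)]


def check_servers(extension, servers, use_ssl=1, ssl_fallback=0):
    """Findings for the Servers/UseSSL/SSLFallback settings of one extension.

    An empty list means the configuration satisfies the documented rules and
    uses no insecure option.
    """
    findings, parsed = [], []
    for entry in servers:
        try:
            parsed.append(parse_server(entry))
        except ValueError as exc:
            findings.append(str(exc))
    if not parsed:
        findings.append("at least one server must be specified for the extension to work")
        return findings
    if extension in ("AD", "ADAM"):
        # The AD and ADAM entries require computer names; the LDAP entry allows IPs.
        for host, _ in parsed:
            if is_ip_address(host):
                findings.append(f"{extension}: use a computer name, not an IP address ({host})")
    if not use_ssl:
        findings.append("UseSSL=0: the directory connection is made without SSL (insecure)")
    if ssl_fallback:
        findings.append("SSLFallback=1: an insecure connection is used when SSL fails")
        ports_by_host = {}
        for host, port in parsed:
            ports_by_host.setdefault(host, set()).add(port)
        for host, ports in sorted(ports_by_host.items()):
            # A host listed only with one explicit port has no fallback port to try;
            # the reference requires an additional Servers entry for it.
            if None not in ports and len(ports) == 1:
                findings.append(f"{host}: SSLFallback=1 but only port {next(iter(ports))} "
                                f"is listed; add a second Servers entry for the fallback port")
    return findings


if __name__ == "__main__":
    # Constructed sample lists, modelled on the reference's examples.
    for f in check_servers("LDAP", ["mycomputer.com:1272"], ssl_fallback=1):
        print(f)
    print(effective_endpoints(["somewhereclose.com", "somewhereelse.com:8080"]))
```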

Synchronization\%LDAP%\Required: SSL
Value: Extensions\SyncManager\Syncs\%LDAP%:UseSSL
Connect via SSL.
0 = Connect without SSL (insecure) (defaults to port 389)
1 = Connect via SSL (defaults to port 636)
Default: 1; Type: dword

Synchronization\%LDAP%\Required: SSL CertDB location
Value: Extensions\SyncManager\Syncs\%LDAP%:CertDBPath
Path\filename of the cert7.db certificate database file. (Do not change the name of the file from cert7.db.)
Default: none; Type: string (filename)


Synchronization\%LDAP%\Required: User Paths
Value: Extensions\SyncManager\Syncs\%LDAP%:UserPathN
Fully qualified path of where the user account is located. There can be an unlimited number of paths to search. The extension searches these in order, looking for the user account. If it is not found, the extension will search the directory tree.
Note: Either a value for UserPrepend or at least one value for UserPaths must be specified for this extension to work.
Note: If using UserPaths, do not use UserLocation.
Default: none; Type: string

Troubleshooting

Installation

Authenticators

Synchronizer Extensions

Uninstall


Agent Performance

Application Response

Authentication

Initial Authentication

Reauthentication.

Application Configuration

All Applications

Windows Applications

Web Applications

Host Applications

Event Logging

Windows Event Viewer

Password Sharing Groups

Synchronizer Extensions

Directory Extensions

File System Server


Regular Expression Syntax

The following operators and meta-characters can be used to specify a text string pattern that the Agent uses to detect specific application windows. See Add Edit Window Title for more information.

The following explanations are adapted from the .NET regular expression reference. The complete description and syntax of regular expressions can be found on the Microsoft Developer Network website (msdn.microsoft.com).

Grouping

[ ]  Indicates a character class that matches any character inside the brackets. Example: [abc] matches "a", "b", and "c".
( )  Indicates a character grouping operator. Example: (\d+,)*\d+ matches a list of numbers separated by commas (such as "1" or "1,23,456").
{ }  Indicates a match class.
|    Separates two expressions, exactly one of which matches (for example, T|the matches "The" or "the").

Matching

.    Matches any single character.
^    If ^ occurs at the start of a character class, it negates the character class. A negated character class matches any character except those inside the brackets. Example: [^abc] matches all characters except "a", "b", and "c". If ^ is at the beginning of the regular expression, it matches the beginning of the input (for example, ^[abc] will only match input that begins with "a", "b", or "c").
$    At the end of a regular expression, $ matches the end of the input. Example: [0-9]$ matches a digit at the end of the input.
-    In a character class, a hyphen indicates a range of characters. Example: [0-9] matches any of the digits "0" through "9".

Repeat operators

!    Negates the expression that follows.
?    Indicates that the preceding expression is optional: it matches once or not at all. Example: [0-9][0-9]? matches "2" and "12".
+    Indicates that the preceding expression matches one or more times. Example: [0-9]+ matches "1", "13", "666", and so on.


*    Indicates that the preceding expression matches zero or more times.
??, +?, *?    "Non-greedy" versions of ?, +, and *. These match as little as possible, unlike the greedy versions, which match as much as possible. Example: given the input "<abc><def>", <.*?> matches "<abc>" while <.*> matches "<abc><def>".

Escape and abbreviation

\    Escape character that forces the next character to be interpreted literally. Example: [0-9]+ matches one or more digits, but [0-9]\+ matches a digit followed by a plus character. If \ is followed by a number n, it matches the nth match group (starting from 0). Example: <{.*?}>.*?</\0> matches "<head>Contents</head>". The \ is also used for abbreviations as described in the following table.

Abbreviation   Meaning                      Matches
\a             Any alphanumeric character   [a-zA-Z0-9]
\b             White space (blank)          [ \t]
\c             Any alphabetic character     [a-zA-Z]
\d             Any decimal digit            [0-9]
\h             Any hexadecimal digit        [0-9a-fA-F]
\n             New line                     \r|\r?\n
\q             A quoted string              \"[^\"]*\"|\'[^\']*\'
\w             A simple word                [a-zA-Z]+
\z             An integer                   [0-9]+
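The abbreviation table above, applied in an added Python example that is not part of the IBM documentation: it expands the Agent's abbreviations into standard syntax so a window-title pattern can be tested with the re module, which matters because \b and \w mean something different here than in .NET or Python (the spaces in the table's Matches column are taken as separators, and the sample titles are constructed).

```python
import re

# The Agent's abbreviations and their standard-regex equivalents from the table
# above. Alternations are wrapped in a non-capturing group so that they bind
# correctly when inserted into a larger pattern.
ABBREVIATIONS = {
    "a": "[a-zA-Z0-9]",
    "b": "[ \\t]",
    "c": "[a-zA-Z]",
    "d": "[0-9]",
    "h": "[0-9a-fA-F]",
    "n": "(?:\\r|\\r?\\n)",
    "q": "(?:\"[^\"]*\"|'[^']*')",
    "w": "[a-zA-Z]+",
    "z": "[0-9]+",
}


def expand_pattern(pattern):
    """Rewrite Agent abbreviations into standard regular-expression syntax.

    Other escapes (\\+, \\\\, match-group references) are passed through
    unchanged. Inside a [...] class an abbreviation cannot be replaced by a
    bracketed class, so it is passed through there too (a limitation of this
    example, not a rule from the reference).
    """
    out, i, in_class = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(ch + nxt if in_class else ABBREVIATIONS.get(nxt, ch + nxt))
            i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        out.append(ch)
        i += 1
    return "".join(out)


def matching_titles(pattern, titles):
    """Window titles that the expanded pattern matches (search, not full match)."""
    regex = re.compile(expand_pattern(pattern))
    return [t for t in titles if regex.search(t)]


# Constructed sample window titles, not taken from the reference.
SAMPLE_TITLES = [
    "Logon 42",
    "Logon forty",
    'Open "report.txt"',
    "Session 1a2b - Terminal",
]


if __name__ == "__main__":
    print(expand_pattern("^\\w\\b\\z$"))                  # ^[a-zA-Z]+[ \t][0-9]+$
    print(matching_titles("^\\w\\b\\z$", SAMPLE_TITLES))  # ['Logon 42']
```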


Installation

Authenticators

An authenticator is not installed when selected.

v By default, the installer does not install authenticators that will not work on the system. For example, if the Entrust Entelligence client is not installed, then the authenticator for the Entrust PKI will not be installed (Entrust Entelligence is available with TAM E-SSO: Authentication Adapter only).


Synchronizer Extensions

The Microsoft Active Directory extension is not installed when selected.

v By default, the installer does not install synchronizer extensions that will not work on the system. For example, if the Microsoft Active Directory client is not installed, then the synchronizer extension for the Microsoft Active Directory Server will not be installed.

Uninstall

User credentials remain after uninstall.

v Only the current user's credentials can be removed by the standard uninstall. A simple batch file can handle removing other credentials. For Windows 2000, for example:

REM Go to the folder that contains all user profile folders
CD /D "%UserProfile%"
CD ..
REM Delete the SSO data folder of every profile (%%Z is the batch-file form of the loop variable)
For /D %%Z in (*.*) do Del /F/S/Q "%%Z\Application Data\SSO"

v You will need to manually delete registry entries for other users. This can be done in RegEdit or RegEdt32 (RegEdt32.exe), or you can push the following *.reg file to each user:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Passlogix]


Agent Performance


Application Response

The agent responds slowly, applications are slowed, or specific functions within applications are slowed when the agent is running.

v Some antiviral software programs check agent modules too aggressively. To resolve this, disable checks of ssoshell.exe and/or of the %ProgramFiles%\Passlogix\v-GO SSO directory tree.

v Some antiviral software programs check *.mdb files too aggressively. The agent stores user credentials in *.mdb files. To resolve this, disable checks of *.mdb files, of the file %UserName%aml.mdb, and/or of files in the %AppData%\Passlogix directory.


Authentication

All Authenticators

Windows Authentication

LDAP Directory Server Authentication

Entrust PKI Authentication (TAM E-SSO: Authentication Adapter only)

RSA Keon Authentication (TAM E-SSO: Authentication Adapter only)

Initial Authentication

User logs onto a computer with different domain/workgroup accounts but sees the same credentials.


v The problem is that the local computer’s Windows account provides the user’s Registry Hive (HKCU), not the domain/workgroup account. There are two workarounds: use the CleanupOnShutdown feature or use a different Windows account for each domain/workgroup logon.

Reauthentication

Users are never asked to reauthenticate.

v Make sure Extensions\AccessManager:AutoLogin is set to the desired value. The value is in milliseconds; a value of 900000 (default for client-side installations) is 15 minutes.

Users have to reauthenticate too frequently.

v Make sure Extensions\AccessManager:AutoLogin is set to the desired value. The value is in milliseconds; a value of 900000 (default for client-side installations) is 15 minutes.

v Make sure other force-reauth settings are set appropriately. These settings include:

– Overriding settings: Extensions\AccessManager:ReauthOnReveal

– Application configuration settings: ForceReauth


Application Configuration


All Applications

After an upgrade of the Agent to version 5.0, users report that application logons for which they have previously provided credentials no longer function. Instead, a message box appears, advising that the credentials do not correspond to configured logons. The applications appear in Logon Manager in grey, italicized text.

v Create a Bulk Add list to update the user’s entlist.ini. Also note that in TAM E-SSO version 5.0, preconfigured logons for Windows and Web applications are provided in Console templates, rather than in the Agent’s applist.ini. Create the required application logons using Console templates, then create the Bulk Add list to update the user’s entlist.ini.

An application is not available in the list of predefined applications when you add credentials.

v Shut down the agent, making sure that no ssoshell.exe processes are running, and restart the agent.

The agent can be started and Logon Manager can be opened without the user authenticating.

v Shut down the agent, kill any running ssoshell.exe or SSObho.exe processes, and restart the agent.

Windows Applications

Web Applications

Host Applications


Event Logging


Password Sharing Groups

Password Sharing Groups are not working.

v Make sure Extensions\AccessManager:PWSEnable=1.

A Password Change within an application in the Domain or LDAP groups does not notify the authenticator of the change.

v Make sure AUI:ShareToAuth=1.

Synchronizer Extensions

All Synchronizer Extensions

Directory Extensions

File System Server


Chapter 5. TAM E-SSO Add-On Modules

TAM E-SSO has add-on modules available separately from IBM.

Authentication Adapter

TAM E-SSO: Authentication Adapter provides strong authentication support and multiple authenticator support. An administrator can define “grades” or levels to restrict access to applications based upon the authenticator used.

Kiosk Adapter

TAM E-SSO: Kiosk Adapter manages user sessions in a Kiosk environment.


Authentication Adapter

TAM E-SSO: Authentication Adapter

IBM Tivoli Access Manager Enterprise Single Sign-On: Authentication Adapter (TAM E-SSO: Authentication Adapter), part of the TAM E-SSO Platform, enables organizations to seamlessly bridge strong authentication to all of their applications, including smart cards and Entrust authenticators. Users can employ different authenticators at different times, and application access can be controlled based upon the authenticator used.

Note: TAM E-SSO: Authentication Adapter is an add-on module to TAM E-SSO available separately from IBM.

TAM E-SSO: Authentication Adapter adds three capabilities to TAM E-SSO:

v Strong authentication support from a variety of strong authenticators, including smart cards, for all authentication events: initial authentication, re-authentication and forced authentication.

v Multiple Authenticator support allows multiple logon methods to be used to authenticate an end user and provides an authenticator that is capable of supporting graded authentication as well as alternative logon methods. This lets end users mix and match multiple logon methods on the fly.


v Administrators can define “grades” or levels to authentication methods and to applications. This provides the ability to control what functions users can execute based upon the type of authenticator presented.

Multiple Authenticator Support

Multiple Authentication supports the use of multiple logon methods to authenticate an end user. This feature provides an authenticator that is capable of supporting graded authentication as well as alternative authentication methods.

TAM E-SSO: Authentication Adapter’s Multiple Authenticator:

v Accepts authentication using different authenticators.

v Supports Graded Authentication.

v Allows multiple authenticators to be used interchangeably during a user session, i.e. between the initial logon and the logout.

v Allows multiple authenticators to be used interchangeably between sessions.

v Provides administrators the ability to:

1. Allow or disallow the use of multiple authenticators.

2. Specify which authenticator is the default primary authenticator.

3. Specify which authenticators are mandatory or required for enrollment.

4. Restrict access to applications based upon the strength of the authenticator used.

5. Allow or disallow the use of multiple authenticators interchangeably during a single session.

6. Allow or disallow the use of multiple authenticators interchangeably between sessions.

[Related Topics]

Graded Authentication

Authentication Manager

Enrollment

Grade

Order



Graded Authentication

Graded Authentication lets you define “grades” or levels to authentication in TAM E-SSO: Authentication Manager. Graded Authentication controls what functions of TAM E-SSO: Authentication Adapter users can execute based upon the type of authenticator presented. Levels, or grades, can be applied and used to ensure the correct level of authentication has been performed for specific events/activities.

Configuring Application-level Authentication Grades

How does TAM E-SSO: Authentication Adapter work with Graded Authentication?

v TAM E-SSO: Authentication Adapter controls application logons, which can be initiated by the user, based upon the authenticator used by the end user on the most recent authentication request. The most recent authentication request may be the initial logon, the last re-authentication, or the forced authentication requested by TAM E-SSO: Authentication Adapter.

v TAM E-SSO: Authentication Adapter has an authentication grading scheme to which different authenticators are mapped and, separately, to which application logons are mapped. TAM E-SSO: Authentication Adapter only allows users to log on to an application when the grade of the authenticator used equals or exceeds that of the application logon.

v When a user does not respond to an authentication request with an authenticator of sufficiently high grade, TAM E-SSO: Authentication Adapter prompts the user to either re-authenticate with an authenticator of sufficiently high grade or cancel the requested logon.

v If a user repeatedly attempts to initiate a logon or function with an authenticator of insufficient grade, TAM E-SSO: Authentication Adapter locks out the user, logs an event in the Event Manager, and notifies the user and administrator.


v If a user does not have TAM E-SSO: Authentication Adapter installed, but their application logons have been configured to require strong authentication, the user will not have access to those applications (i.e. strong authentication is deployed in the enterprise, but not to that user).

v Logon Manager only displays the application logons that are currently available, based upon the authenticator used in the most recent authentication request.

v The following TAM E-SSO: Authentication Adapter functions can be configured to be accessible or inaccessible based upon the grade of authenticator used in the most recent authentication request:

a. System Tray: Logon Manager

b. Logon Manager: Delete, Properties, and Reveal All functions

c. Logon Manager | Properties Page: Reveal Password function

d. If the Reveal All function is accessible based upon the grade of authentication used, it only reveals passwords for those applications whose grade is equal to or lower than the grade used to authenticate for that function.
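The grade comparison, step-up prompt and lockout described in the bullets above, written out as an added Python example (not IBM or Passlogix code). The authenticator names, application names, grade numbers and the three-attempt lockout threshold are constructed for the illustration; the page gives no concrete values.

```python
"""Graded-authentication policy check modelled on the rules in this section.

Added example, not IBM or Passlogix code. Grades are integers, higher is stronger;
the grade maps and the lockout threshold below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample grading scheme: authenticator -> grade.
AUTHENTICATOR_GRADES = {
    "windows_password": 1,
    "ldap_password": 1,
    "rsa_keon": 2,
    "entrust_pki": 3,
    "smart_card": 3,
}

# Constructed sample mapping of application logons to the grade they require.
APPLICATION_GRADES = {
    "intranet_portal": 1,
    "hr_system": 2,
    "treasury_wire_transfer": 3,
}

# Assumed threshold; the page says "repeatedly" without giving a number.
MAX_INSUFFICIENT_ATTEMPTS = 3


@dataclass
class Session:
    """State of one user session: most recent authenticator and failed attempts."""
    last_authenticator: str
    insufficient_attempts: int = 0
    locked_out: bool = False
    events: list = field(default_factory=list)

    @property
    def grade(self) -> int:
        # An unknown authenticator gets grade 0 and therefore opens nothing.
        return AUTHENTICATOR_GRADES.get(self.last_authenticator, 0)


def application_grade(app: str) -> int:
    """Grade an application logon requires; unconfigured apps fail closed."""
    return APPLICATION_GRADES.get(app, max(AUTHENTICATOR_GRADES.values()) + 1)


def available_logons(session: Session) -> list:
    """Logons Logon Manager would show (and Reveal All would reveal) at this grade."""
    if session.locked_out:
        return []
    return sorted(a for a, g in APPLICATION_GRADES.items() if g <= session.grade)


def request_logon(session: Session, app: str) -> str:
    """Decide a logon request: 'allowed', 'reauth_required' or 'locked_out'.

    The grade used in the most recent authentication must equal or exceed the
    application's grade. Repeated insufficient-grade attempts lock the session
    out and record an event for the administrator.
    """
    if session.locked_out:
        return "locked_out"
    if session.grade >= application_grade(app):
        session.insufficient_attempts = 0
        return "allowed"
    session.insufficient_attempts += 1
    if session.insufficient_attempts >= MAX_INSUFFICIENT_ATTEMPTS:
        session.locked_out = True
        session.events.append(f"lockout after {session.insufficient_attempts} "
                              f"insufficient-grade attempts on {app}")
        return "locked_out"
    return "reauth_required"


def reauthenticate(session: Session, authenticator: str) -> None:
    """A re-authentication replaces the grade used for all later decisions."""
    session.last_authenticator = authenticator
```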

[Related Topics]

Authentication Manager General

Authentication Manager

Enrollment

Grade

Order


Kiosk Adapter

TAM E-SSO: Kiosk Adapter

IBM Tivoli Access Manager Enterprise Single Sign-On: Kiosk Adapter (TAM E-SSO: Kiosk Adapter) manages user sessions in a Kiosk environment. The following settings are configured through the TAM E-SSO Administrative Console:

v Applications to leave running on session end

v Applications to close on session end

v General operation settings

v Confirmation messages

v Special Tasks to execute when kiosk actions occur

Note: TAM E-SSO: Kiosk Adapter is an add-on module to TAM E-SSO available separately from IBM. For more detailed information on TAM E-SSO: Kiosk Adapter, please refer to the TAM E-SSO: Kiosk Adapter product documentation.

TAM E-SSO: Kiosk Adapter adds the following capabilities to TAM E-SSO:

v System Logon. Two modes of system logon are supported:

– Automatic: when the kiosk boots up, it automatically logs on to a generic user account, and all subsequent Windows logons and logouts are disabled.

– Manual: when the kiosk boots up, it prompts the user to log in.

v Session Suspend and Un-suspend. A session is suspended upon either of two events:

– The current session has been inactive for a predefined period of time.

– The user logs out of the current session.

A session is resumed when the user re-authenticates to the suspended session.

v Session Logoff. A suspended session is automatically logged off upon either of two events:

– The session has been suspended for a predefined period of time.

– A new user initiates a new session at the kiosk.

Applications can be closed using multiple methods, including:

v Transmission of keystroke sequences to the application

v Window messages (application closure requests)

v Process termination

[Related Topics]

Kiosk Adapter Configuration Settings

Applications to Leave Running on Session End

Applications to Close on Session End

SendKeys Format


TAM E-SSO: Kiosk Adapter - SendKeys Format

Note: When using keystroke sequences to terminate an application, a visual flicker occurs on the end user’s screen. This flicker is a function of using SendKeys to terminate an application.

Each key is represented by one or more characters. To specify a single keyboard character, use the character itself. For example, to represent the letter A, pass in the string "A" to the method. To represent more than one character, append each additional character to the one preceding it. To represent the letters A, B, and C, specify the parameter as "ABC".

The plus sign (+), caret (^), percent sign (%), tilde (~), and parentheses () have special meanings to SendKeys. To specify one of these characters, enclose it within braces ({}). For example, to specify the plus sign, use "{+}". To specify brace characters, use "{{}" and "{}}". Brackets ([ ]) have no special meaning to SendKeys, but you must enclose them in braces. In other applications, brackets do have a special meaning that might be significant when dynamic data exchange (DDE) occurs.

To specify characters that aren’t displayed when you press a key, such as ENTER or TAB, and keys that represent actions rather than characters, use the codes in the following table.

Key Code

BACKSPACE {BACKSPACE}, {BS}, or {BKSP}

BREAK {BREAK}

CAPS LOCK {CAPSLOCK}

DEL or DELETE {DELETE} or {DEL}

DOWN ARROW {DOWN}

END {END}

ENTER {ENTER} or ~


ESC {ESC}

HELP {HELP}

HOME {HOME}

INS or INSERT {INSERT} or {INS}

LEFT ARROW {LEFT}

NUM LOCK {NUMLOCK}

PAGE DOWN {PGDN}

PAGE UP {PGUP}

PRINT SCREEN {PRTSC} (reserved for future use)

RIGHT ARROW {RIGHT}

SCROLL LOCK {SCROLLLOCK}

TAB {TAB}

UP ARROW {UP}

F1 {F1}

F2 {F2}

F3 {F3}

F4 {F4}

F5 {F5}

F6 {F6}

F7 {F7}

F8 {F8}

F9 {F9}

F10 {F10}

F11 {F11}

F12 {F12}

F13 {F13}

F14 {F14}

F15 {F15}

F16 {F16}

Keypad add {ADD}

Keypad subtract {SUBTRACT}

Keypad multiply {MULTIPLY}

Keypad divide {DIVIDE}

To specify keys combined with any combination of the SHIFT, CTRL, and ALT keys, precede the key code with one or more of the following codes.

Key      Code
SHIFT    +
CTRL     ^
ALT      %


To specify that any combination of SHIFT, CTRL, and ALT should be held down while several other keys are pressed, enclose the code for those keys in parentheses. For example, to specify to hold down SHIFT while E and C are pressed, use "+(EC)". To specify to hold down SHIFT while E is pressed, followed by C without SHIFT, use "+EC".

To specify repeating keys, use the form {key number}. You must put a space between key and number. For example, {LEFT 42} means press the LEFT ARROW key 42 times; {h 10} means press H 10 times.

Note: In addition to the key codes above, there is also a wait command. The wait command has the format {WAIT number}, where number is the delay in milliseconds. The wait can appear anywhere in the string (beginning, middle, or end) and can be used as many times as needed.

For example, if you want to send Ctrl+Shift+F7, then wait for 5 seconds, and then send Alt+F4, the format should be as follows:

^+{F7}{WAIT 5000}%{F4}

© 2001-2002 Microsoft Corporation. All rights reserved.
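The following parser is an added example, not code from IBM or Microsoft, that turns a SendKeys string of the format described above into a list of key and wait actions. An administrator can run it over the sequences configured for the Kiosk Adapter before rollout to catch unbalanced braces or parentheses, bare brackets, dangling modifier prefixes, and unknown key names rather than discovering them on a kiosk. It assumes, beyond what the text states, that key names are case-insensitive, that a modifier prefix with no key after it is an error, and that a {WAIT} command does not consume pending modifiers.

```python
"""Parser and validator for Kiosk Adapter SendKeys sequences (added example)."""
from dataclasses import dataclass
from typing import List, Tuple, Union

# Modifier prefix characters from the table above.
MODIFIERS = {"+": "SHIFT", "^": "CTRL", "%": "ALT"}

# Brace-enclosed key names from the table above; aliases map to one canonical name.
NAMED_KEYS = {
    "BACKSPACE": "BACKSPACE", "BS": "BACKSPACE", "BKSP": "BACKSPACE",
    "BREAK": "BREAK", "CAPSLOCK": "CAPSLOCK", "DELETE": "DELETE", "DEL": "DELETE",
    "DOWN": "DOWN", "END": "END", "ENTER": "ENTER", "ESC": "ESC", "HELP": "HELP",
    "HOME": "HOME", "INSERT": "INSERT", "INS": "INSERT", "LEFT": "LEFT",
    "NUMLOCK": "NUMLOCK", "PGDN": "PGDN", "PGUP": "PGUP", "PRTSC": "PRTSC",
    "RIGHT": "RIGHT", "SCROLLLOCK": "SCROLLLOCK", "TAB": "TAB", "UP": "UP",
    "ADD": "ADD", "SUBTRACT": "SUBTRACT", "MULTIPLY": "MULTIPLY", "DIVIDE": "DIVIDE",
}
NAMED_KEYS.update({f"F{i}": f"F{i}" for i in range(1, 17)})


@dataclass(frozen=True)
class KeyAction:
    key: str                          # literal character or canonical key name
    modifiers: Tuple[str, ...] = ()   # sorted, e.g. ("CTRL", "SHIFT")
    count: int = 1                    # repeat count from {key number}


@dataclass(frozen=True)
class WaitAction:
    milliseconds: int                 # delay from {WAIT number}


Action = Union[KeyAction, WaitAction]


class SendKeysError(ValueError):
    """Raised for sequences the format above does not allow."""


def _resolve_key(name: str) -> str:
    if len(name) == 1:                # {+}, {{}, {h 10}: one literal character
        return name
    if name.upper() in NAMED_KEYS:    # assumption: names are case-insensitive
        return NAMED_KEYS[name.upper()]
    raise SendKeysError(f"unknown key name {name!r}")


def parse_sendkeys(seq: str) -> List[Action]:
    actions: List[Action] = []
    pending = set()    # modifiers that apply to the next key only (+EC)
    groups = []        # modifier sets held down until the matching ')' (+(EC))
    i, n = 0, len(seq)

    def take_mods() -> Tuple[str, ...]:
        nonlocal pending
        mods = tuple(sorted(set().union(*groups, pending)))
        pending = set()
        return mods

    while i < n:
        ch = seq[i]
        if ch in MODIFIERS:
            pending.add(MODIFIERS[ch]); i += 1; continue
        if ch == "(":
            groups.append(frozenset(pending)); pending = set(); i += 1; continue
        if ch == ")":
            if not groups:
                raise SendKeysError(f"unmatched ')' at offset {i}")
            groups.pop(); i += 1; continue
        if ch in "[]":                # brackets must be written {[} and {]}
            raise SendKeysError(f"bare {ch!r} at offset {i}; write {{{ch}}}")
        if ch == "}":                 # a literal close brace must be written {}}
            raise SendKeysError(f"bare '}}' at offset {i}; write {{}}}}")
        if ch == "{":
            if seq.startswith("{}}", i):          # {}} is the close-brace character
                body, i = "}", i + 3
            else:
                close = seq.find("}", i + 1)
                if close == -1:
                    raise SendKeysError(f"unterminated '{{' at offset {i}")
                body, i = seq[i + 1:close], close + 1
            parts = body.split()                  # "{LEFT 42}" -> ["LEFT", "42"]
            if not parts or len(parts) > 2:
                raise SendKeysError(f"malformed brace group {{{body}}}")
            count = 1
            if len(parts) == 2:
                if not parts[1].isdigit():
                    raise SendKeysError(f"count must be a number in {{{body}}}")
                count = int(parts[1])
            if parts[0].upper() == "WAIT":        # {WAIT number}: milliseconds
                if len(parts) != 2:
                    raise SendKeysError("{WAIT} needs a millisecond count")
                actions.append(WaitAction(count))  # assumption: leaves modifiers pending
                continue
            actions.append(KeyAction(_resolve_key(parts[0]), take_mods(), count))
            continue
        key = "ENTER" if ch == "~" else ch        # ~ is shorthand for {ENTER}
        actions.append(KeyAction(key, take_mods()))
        i += 1
    if groups:
        raise SendKeysError("unmatched '('")
    if pending:                                   # assumption: trailing +, ^ or % is an error
        raise SendKeysError("modifier prefix with no key after it")
    return actions


def is_valid_sendkeys(seq: str) -> bool:
    """True when the sequence parses under the rules above."""
    try:
        parse_sendkeys(seq)
        return True
    except SendKeysError:
        return False


def describe(actions: List[Action]) -> str:
    """Render parsed actions as a reviewer-friendly summary."""
    out = []
    for a in actions:
        if isinstance(a, WaitAction):
            out.append(f"wait {a.milliseconds} ms")
        else:
            combo = "+".join(a.modifiers + (a.key,))
            out.append(combo if a.count == 1 else f"{combo} x{a.count}")
    return ", ".join(out)


if __name__ == "__main__":
    # The example sequence from the text above.
    print(describe(parse_sendkeys("^+{F7}{WAIT 5000}%{F4}")))
```

The example sequence from the text renders as "CTRL+SHIFT+F7, wait 5000 ms, ALT+F4"; a sequence such as "+(EC" fails validation because its parenthesised group is never closed.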
