Vanguard ez/Signon Client

Vanguard ez/Signon Client

Installation and User Guide

Version 5.1

Vanguard ez/Signon Version 5.1 Document Number VZSI-081503-511U September, 2003

Copyright © 1997-2003 Vanguard Integrity Professionals-Nevada. All rights reserved. Printed in the USA. No part of this publication may be copied, reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, for any purpose other than the Licensee's personal use, without express written permission from Vanguard Integrity Professionals-Nevada.

Trademarks Vanguard Security Solutions, Vanguard Security Suite, Vanguard Administrator, Vanguard Advisor, Vanguard Analyzer, Vanguard Enforcer, Vanguard ez/AccessControl, Vanguard ez/Compliance, Vanguard ez/Integrator, Vanguard ez/PasswordReset, Vanguard ez/Signon, Vanguard ez/VisualConsole Vanguard Identity Manager, OS/390 Component for ez/PasswordReset, VRA, VSR, VSA, Quality Security Framework, Quality Security/390 Suite, QS/390, SmartPanel, SmartLink, Find-it-Fix-it-Fast, RiskMinder, SmartAssist, eDistribution, AutoPilot, Pathway to Profitability, Enterprise-Wise and Knowledge Expo are trademarks and service marks of Vanguard Integrity Professionals-Nevada. z/OS, OS/390, Security Server, RACF, DB2, CICS, IMS, JES, z/OS and MVS/ESA are registered trademarks of International Business Machines Corporation. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. CA-TopSecret and CA-ACF2 are registered trademarks of Computer Associates International, Inc. All other products mentioned in this publication are trademarks of their respective companies.

About this product The software product accompanying this publication is copyrighted by Vanguard Integrity Professionals Nevada. Please read the Evaluation Agreement and the Terms on the envelope containing the product before it is used. Warranty: Vanguard warrants that the licensed software will perform as specified in the product documentation and that this product is of professional quality, conforming to generally accepted practices within the data processing industry. Vanguard MAKES NO OTHER WARRANTIES, EXPRESSED OR IMPLIED, RELATING TO ITS PRODUCTS, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR USE. In no event shall Vanguard be liable to the Customer for any damages, including any lost profits, or other incidental or consequential damages arising from the use of Vanguard's products.

V a n g u a r d I n t e g r i t y P r o f e s s i o n a l s iii

Table of Contents About this manual.......................................................................................................v

How to send your comments................................................................................................vi Customer Support ...............................................................................................................vii

We’re here to help ........................................................................................................vii How to contact us .........................................................................................................vii

Vanguard Product Problem Support and Enhancement Request Forms........................... viii Chapter 1. Introduction to Vanguard ez/Signon.......................................................1

Key Features .........................................................................................................................1 Vanguard ez/Signon Components.........................................................................................2

Security on Demand Host Server ...................................................................................2 ez/Signon Client .............................................................................................................2

Chapter 2 Installing the ez/Signon Client .................................................................3 System Requirements............................................................................................................4 About Third Party Software..................................................................................................4 Installation Process Checklist ...............................................................................................5

Chapter 3. Using ez/Signon......................................................................................13 Logging on to Windows with ez/Signon Enabled ..............................................................13

Password Syntax Rules ................................................................................................16 Audit Trails ..................................................................................................................16

Changing Passwords on Windows......................................................................................17 Changing ez/Signon Configuration.....................................................................................19 Using the Vanguard Roaming Profile Utility .....................................................................20 Removing ez/Signon...........................................................................................................23

A b o u t t h i s m a n u a l

V a n g u a r d I n t e g r i t y P r o f e s s i o n a l s v

About this manual This manual includes information about how to install and use Vanguard ez/Signon.

Who should read this manual

This manual is for end users who install software and/or perform security administration tasks. The manual assumes that you are familiar with your particular operating system and log on security procedures as well as IBM RACF.

How this manual is organized

This manual is organized in the following chapters:

Chapter 1. Introduction to ez/Signon is a brief introduction to Vanguard ez/Signon, including descriptions of its main features.

Chapter 2. Installing ez/Signon Client explains how to install and configure the ez/Signon client application.

Chapter 3. Using ez/Signon explains how to logon with ez/Signon, change your password and remove ez/Signon.

V a n g u a r d e z / S i g n o n I n s t a l l a t i o n a n d U s e r G u i d e

vi V a n g u a r d I n t e g r i t y P r o f e s s i o n a l s

How to send your comments

Your comments about Vanguard documentation are important in helping us provide useful information about Vanguard software solutions. If you have comments about this book or any other Vanguard publication, send your comments to:

Vanguard Customer Care 180 Anita Drive Orange, California 92868-3306

[email protected]

Be sure to include the document name, the document number, product version and release information, and the page number you are referring to.

A b o u t t h i s m a n u a l

V a n g u a r d I n t e g r i t y P r o f e s s i o n a l s vii

Customer Support

Technical Support is available 24 hours a day. A direct support hotline is fully staffed from 6:30 am to 6:00 pm PST, Monday through Friday. Before and after the direct support hours and on weekends, a responsive system is in place to handle your calls on a priority basis.

We’re here to help

When you call Vanguard for assistance, please be prepared to provide your name, company name, and customer number, product version and release information. You can reach us at:

Vanguard Technical Support

Phone: (714) 939-8057

Fax: (714) 939-0273

E-mail: [email protected]

Please call Vanguard Integrity Professionals if you have questions about the Vanguard products, the annual Vanguard Knowledge Expo™, RACF, or your local RACF Users Group.

How to contact us

Corporate Headquarters Vanguard Integrity Professionals-Nevada 3035 East Patrick Lane, Suite 11 Las Vegas, NV 89120-3478 Direct/International: (702) 794-0014 Fax: (702) 794-0023

California Vanguard Research Institute, Inc. 180 South Anita Drive, Suite 201 Orange, CA 92868-3306 Direct/International: (714) 939-0377 Fax: (714) 939-0273

Note: Vanguard distributes product maintenance to its customers through its Web site (www.go2vanguard.com) or by e-mail. To obtain product maintenance from our Web site, log on to the Customer Zone section of our site and click the Download a PTF link.


viii V a n g u a r d I n t e g r i t y P r o f e s s i o n a l s

Vanguard Product Problem Support and Enhancement Request Forms

Vanguard Product Problem Support and Enhancement Request Forms are available in PDF format on the documentation CD supplied with this product as well as in the Support Section of the Customer Zone on the Vanguard web site. Print or photocopy this form as needed.

Vanguard Product Problem Support Form

Please use the Vanguard Product Problem Support Form to report problems with any Vanguard product. Along with this form, fax a copy (when applicable) of the following:

• Screen print of error message(s)

• Symptom dump(s)

• Job log

• any additional information

Vanguard Enhancement Request Form

Use the Enhancement Request Form to help Vanguard Development identify enhancements that will make their products more beneficial to your installation. Fax or E-mail this form along with any appropriate samples.

C h a p t e r 1 . I n t r o d u c t i o n t o V a n g u a r d e z / S i g n o n

V a n g u a r d I n t e g r i t y P r o f e s s i o n a l s 1

Chapter 1. Introduction to Vanguard ez/Signon

Vanguard ez/Signon™ is a universal password solution for multi-platform environments. It allows end-users to use the same password to sign on to multiple enterprise systems and applications within a distributed computing environment by providing password synchronization each time the user logs on.

Key Features • Password authentication technology

• Password synchronization technology

• Integration with other Vanguard products


2 V a n g u a r d I n t e g r i t y P r o f e s s i o n a l s

Vanguard ez/Signon Components

To use Vanguard ez/Signon, you must successfully install and customize the following components:

• the Security on Demand host server

• the ez/Signon client application

Security on Demand Host Server

The Security on Demand Host Server is the single point of control for access to the enterprise systems. The Security on Demand Host Server runs as a started task on an IBM mainframe. You must install the Security on Demand Host Server before installing the ez/Signon client application.

With ez/Signon, all logon requests are routed through the Security on Demand Host Server for user ID authentication. The Security on Demand Host Server verifies authentication by comparing the network logon ID information with the host-based user ID profile in the RACF database. Users who are revoked on the mainframe are denied access to the Windows network. All successful or failed logon events are recorded in the mainframe System Management Facility (SMF).

ez/Signon Client

The ez/Signon Client runs as a service account on an NT Primary Domain Controller (PDC) or Windows 2000 root domain controller. Once installed on a Domain Controller (DC), the ez/Signon Client automatically installs itself to the other DCs in the domain and a workstation component to the workstations in the domain.

When a user logs on, the ez/Signon Client sends the logon request to the Security on Demand Host Server for authentication. ez/Signon Client grants or denies logons based on the result of the authentication process.

C h a p t e r 2 I n s t a l l i n g t h e e z / S i g n o n C l i e n t


Chapter 2 Installing the ez/Signon Client After you’ve completed the host server installation and customization, install the ez/Signon Client. This service performs dynamic installations of the ez/Signon client and workstation component to the domain. The ez/Signon NT service requires either Enterprise (Windows 2000) or Domain (Windows NT) Administrator privileges. You cannot install the ez/Signon service to a Windows 2000 child domain server. Install ez/Signon to the root domain. It will then be applied to the child domains through the Enterprise privileges previously mentioned.

If you are upgrading from earlier versions of Vanguard ez/Signon, you must remove the existing program before installing the new version. Refer to “Removing ez/Signon”, on page 23, for instructions.



System Requirements • Windows NT Server 4.0 as a Primary Domain Controller with Service

Packs 5 or later

• Windows NT Server 4.0 as a Backup Domain Controller (BDC) and Windows NT Workstation. Service Packs 5 or later is fully supported, but not required.

• Windows 2000 Server/Advanced Server (Service Pack 1 from the date of publication) as a Domain Controller with active directory with DNS server properly set up

• Windows 2000 Professional (Service Pack 1 from the date of publication) is fully supported, but not required.

• TCP/IP protocol must be installed on all machines. All machines must be able to detect the mainframe IP address using the TCP/IP protocol.

• Compatible Pentium Class: 166 Mhz or Higher

• 3 megabytes estimated hard disk space

• at least 32 Megs of memory

About Third Party Software

Applications that replace the Microsoft Gina, such as PC Anywhere, will not work with ez/Signon. If you are running such an application, you must determine if it has third party Gina support, like some versions of PC Anywhere.

You must first remove programs that support a third-party Gina, install ez/Signon, and then reinstall the program. You must also reinstall third party applications after ez/Signon is removed.



Installation Process Checklist

Use the following checklist to make sure all the steps needed to install and use Vanguard ez/Signon client are complete.

Step 1 Verify TCP/IP communication.

Step 2 Verify that you have Administrator authority to the server.

Step 3 Start the ez/Signon installation program.

Step 4 Define the Security on Demand Host Server.

Step 5 Set up ez/Signon Logon Rules.

Step 6 Set up the Network Polling Timer.

Step 7 Set up Logging

Step 8 Set up the ez/Signon Service Account Domain Administrator.

Step 9 Save the ez/Signon Configuration utility information.

Step 10 Test ez/Signon.

Step 1: Verify TCP/IP communication

Use the TCP/IP ping command to verify that TCP/IP communications between the Security on Demand Host Server and your Windows NT or Windows 2000 server.

Click the Run option, in the Start menu and type the ping command, the IP address of your mainframe and Enter

PING 123.231.1.213

Step 2: Verify that you have Administrator authority access to the server.

In order to install ez/Signon, you must have Enterprise (Windows 2000) or Domain (Windows NT) Administrator privileges. If you are uncertain about your authority level, see your network administrator.



Step 3: Start the ez/Signon installation program

The setup.exe installation program installs the ez/Signon service on your server. It creates a directory structure on the drive you select for ez/Signon.

1. Exit all Windows programs.

2. Insert the installation CD into your CD-ROM drive. The CD will autoload. Click BROWSE CONTENTS to view the root of the CD. Open the ezSIGNON Products folder and then the NT ezSIGNON folder.

3. Double-click the ezSignon NT 5.1 zip file and then click Setup.

4. The Software License Agreement appears. Click Yes to continue.

Figure 1. License Agreement



Figure 2. User Information

5. Type your Name and Company name and click Next.

Figure 3. Start Copying Files

6. Review the ez/Signon Current Settings: and click Next. The ez/Signon Configuration dialog appears.



Figure 4. ez/Signon Confirmation

Step 4: Define the Security on Demand Host Server

In order for ez/Signon to communicate with the mainframe, you must define the mainframe Host Name and Port Number.

Figure 5. TCP/IP Settings

7. Click Add IP address.

8. Type the Host Name and Port Number and click OK. Be sure the port number is the port number used by the Security on Demand Host Server uses. For an explanation of how the Host Server port is configured, refer to the Security on Demand customization instructions in the Vanguard Security Solutions Installation Guide.

9. An ez/Signon confirmation screen appears. Click OK.



Step 5: Set Up ez/Signon Logon Rules

Set up the logon verification rules defaults for users.

Figure 6. Logon Rules

• Mainframe must be available to logon

This rule determines whether a user is allowed to log on without verification from the mainframe when access to the mainframe is unavailable. This option is selected by default. To allow logons when the mainframe is unavailable, clear this box. When this box is cleared, users will be able to log on with their normal user ID and password without verification from the mainframe. To prevent logons without verification from the mainframe, select this box. Mainframe verification is not bypassed simply by disconnecting the Ethernet card or some other means of emulating that the mainframe connection has been broken.

Note: We recommend that you mark the box, so that the mainframe authenticates each user ID at logon.

• Administrator requires mainframe to logon This rule determines whether an Administrator can log on without verification from the mainframe. The default setting is a cleared box. A cleared check box on this option allows the Administrator to make changes to the ez/Signon configuration during the initial installation (when tuning is sometimes required) and in the case of an emergency, such as a network failure. If you want ez/Signon to verify Administrator logons with the mainframe, select this box.

Note: We recommend that you leave this box clear.



Steps 6: Set up the Network Polling Timer

ez/Signon polls the domain for the Domain Controllers (DCs) where it can install the ez/Signon client and workstation component. This same polling process also occurs when a new configuration is saved with the ez/Signon Configuration Utility. The polling timer value determines how often the ez/Signon Service checks the domain for ez/Signon installations. A value of zero stops all polling. The maximum polling value is 5 days (7200 minutes).

Type the number of minutes between ez/Signon network polls.

Figure 7. Network Poling Timer

Step 7: Set up Logging

The Logging feature creates a log file for the ez/Signon Gina and the ez/Signon Service. The log is written to the System32 directory and can assist Vanguard Technical Support in correcting problems.

Trace level determines the amount of data that ez/Signon will log. Set the Trace Level to a higher number to increase the amount of data that ez/Signon logs. At a setting as low as 10, only critical error messages are logged. To include information messages, use a value of 30.

1. Select the Enable Logging box to turn on logging.

2. Type a number, between one and 100, to set the Trace Level.

Figure 8. Logging

Step 8: Setup the ez/Signon Service Account Domain Administrator

ez/Signon installation creates and starts the ez/Signon Service, which performs dynamic installations of the ez/Signon client and workstation component to the domain. The ez/Signon NT service requires either Enterprise (Windows 2000) or Domain (Windows NT) Administrator privileges. You cannot install the ez/Signon service to a Windows 2000 child domain server. Install ez/Signon to the root domain. It will then be applied to the child domains through the Enterprise privileges stated previously.



After the ez/Signon client is automatically installed on a Domain Controller (DC), the ez/Signon Service Account section is blank. Before this DC can propagate ez/Signon throughout the domain, you must specify a Username for the ez/Signon service.

Figure 9. ez/Signon Service Account

Complete the following fields:

1. Username: This field accepts a domain administrator’s user name. If the name you type does not have administrator group access, you are prompted to add those groups to the user’s account. The account chosen for this service should not be one that a user logs on to.

If a Primary Domain Controller (PDC) is downgraded to a Backup Domain Controller (BDC), run the configuration utility and set the Username to blank.

If a BDC is promoted to PDC, install ez/Signon on the BDC before promotion. Run the configuration utility on the promoted machine, and set the Username to the service account.

2. Password: This field is for the related password. In addition, activate the User Cannot Change Password and Password Never Expires options for this account in the Windows User Manager.

Note: Make certain that you type a Username for each PDC that will automatically propagate ez/Signon to the domain. In Windows 2000 for example, specify a Username on the root Domain Controller. The workstation component will then propagate to the child domain.

Step 9: Save the ez/Signon Configuration information

After you have completed Steps 4-8, click Save.

The ez/Signon Configuration utility activates the ez/Signon Service Account and signals the service to begin installation of ez/Signon on the computers within your domain. The ez/Signon Service is installed on DCs and the ez/Signon GINA is installed on workstations.

When the installation process is complete, it informs users that their computers will reboot when they log off. After the reboot, ez/Signon notifies users that ez/Signon has been installed.

Step 10: Test ez/Signon



After a server installs the ez/Signon GINA to a workstation, a message is displayed on this computer to inform you that ez/Signon is installed. The procedure for logging on to Windows with ez/Signon is covered in the next chapter.

At a workstation where ez/Signon is installed, log on using an Administrator ID to test your ez/Signon configuration rules. Then try to log on to the network with a user ID and evaluate the results based on the ez/Signon configuration rules.

Chapter 3. Using ez/Signon

Logging on to Windows with ez/Signon Enabled After the ez/Signon service installs the ez/Signon GINA on your workstation, ez/Signon notifies you with the message below.

Figure 10. Installation Complete Message

The ez/Signon Console is also displayed.

Figure 11. ez/Signon Console

1. When you are ready to log on with ez/Signon, close the ez/Signon Console or restart your computer. Windows displays the Welcome to Windows dialog.

Figure 12. Initial Logon Panel



2. From Welcome to Windows dialog, press Ctrl+Alt+Delete. The Log On to Windows dialog displays. It contains the Vanguard logo, indicating that ez/Signon is enabled.

Figure 13. Log on to Windows Panel

3. Type your network Password. Change the User name and Log on to: information if necessary. Click OK.

4. If this is the first time you have logged on with ez/Signon, using this ID, you are prompted that your account has no user ID on the mainframe. Click OK to display the Mapping To RACF Userid dialog. The sample Mapping To RACF Userid dialog provided below displays all five of the Map Options available through ez/Signon. You can only select from those options that have been enabled, by your administrator, at the Security on Demand Host Server.

Figure 14. Mapping To RACF Userid Options

5. Select a box in the Map Options, section.

Map options create a logical relationship between the network logon ID and a RACF user ID on the mainframe. The Map to RACF Userid options appear during logon, only when a RACF user ID is not defined for your ez/Signon network logon ID.

Note: Mainframe Userid is your RACF User ID. Mainframe Password is your RACF password.

The map option you select determines the information ez/Signon will request to map the network User ID with the RACF User ID. If for example, you select the Map Account To Same Userid On The Mainframe option, only the Mainframe Userid entry box is displayed in the Map Fields section; Mainframe Userid is the only information you are required to type for this mapping.

Map options are:

• Map Account to Same Userid On The Mainframe If your mainframe and Widows User IDs are identical, you can map your workstation User ID to your Mainframe Userid by typing your Mainframe Password when prompted. Once mapped, future logons will require your workstation User ID and your mainframe password.

• Map Account to Existing Mainframe Userid If you have a mainframe User ID, you can map your workstation User ID to it by typing your Mainframe Userid and Mainframe Password. Once mapped, future logons will require your workstation User ID and your mainframe password.

• Create Mainframe Userid And Map Account If you do not have a mainframe User ID, you can create one by selecting this option. When prompted, enter a Mainframe Userid as well as a Mainframe Password and your Full Name. You may not use the password you typed to log on to Windows. Entering this information automatically maps the new mainframe User ID to your workstation User ID. Any future logons will require you to type your workstation User ID and the mainframe password you typed when creating this new mainframe User ID.

• Map Account From Userid Pool On The Mainframe With this option, the mainframe assigns part of the Full Name information you type as your mainframe user ID. When prompted, you must type a Mainframe Password for this User ID. ez/Signon displays your Mainframe Userid. Future logons will require your workstation User ID and the selected mainframe password.

• Attempt Logon Without Mainframe This option allows you to log on normally until a date specified with the Security on Demand Host Server. After that date, you cannot log on.

6. Type the required information in the Map Fields text boxes and click OK.



ez/Signon maps the network User ID with the RACF User ID, according to the map option you select. Once your logon is complete, the Windows desktop displays and Windows NT or Windows 2000 security is enabled.

7. If your RACF password is set to expire immediately, the Vanguard Change Password dialog displays. Changing passwords is explained in the next section (Changing Passwords on Windows) of this guide.

Password Syntax Rules

All verification is done in RACF, according to RACF passwords rules for format, invalid password entry, etc. To avoid conflicts, we recommend that you match the RACF password rules on ez/Signon client systems.

Audit Trails

Each time a user attempts to log on or change a password, a standard RACF type 80 SMF record is generated on the mainframe, as an audit trail of security-related activity.

Changing Passwords on Windows

When your password expires, ez/Signon displays the Change Password dialog.

Figure 15. Change Password Dialog

To change an expired password

Type the new password in the New Password and Confirm Password boxes, and then click OK.

To change an existing password

1. Press CTL-ALT-DEL and click the Change Password…button. The Change Password dialog is displayed.

Figure 16. Change an Existing Password Dialog



2. Type your existing password in the Old Password box, and then type the new password in the New Password and Confirm New Password boxes.

3. Click OK.

Changing ez/Signon Configuration

You can make changes to the ez/Signon configuration anytime after installation.

From the Start menu, select Programs, Vanguard, EzSignon, and then ezSignon Config Utility. The ez/Signon Configuration dialog box appears.

This is the same dialog box that was explained on page 8 of “Chapter 2 Installing the ez/Signon Client.”



Using the Vanguard Roaming Profile Utility

The Vanguard Roaming Profile Utility lets you share a roaming profile on Microsoft Windows NT or Windows 2000 systems with a local user account. Use the roaming profile utility when you have ez/Signon installed, but your workstation is disconnected from the network, such as when you disconnect a laptop. With a shared roaming profile, you can log on to a local workstation, using a local account, and still have the same desktop and settings as when logging on to the domain.

Before reading this section you must understand how the Microsoft Windows operating system manages user profiles.

To install Vanguard Roaming Profile Utility

1. The Vanguard installation CD autoplays when you insert it in a drive. Click BROWSE CONTENTS to view the root of the CD.

2. Open the ez/Signon folder and then the NT ezSIGNON folder.

3. Double-click Roaming Profiles Utility.exe. The installation wizard guides you through the rest of the installation.

Note: You may need Administrator authority to install a program.

To share a roaming profile

To share a roaming profile, you need both a network user account and a local user account. Both user accounts must have had a successful logon through the workstation.

1. On the task bar, click the Start button.

2. Click Programs | Vanguard | Roaming Profiles Utility. The Roaming Profiles Utility dialog appears.

In the example below, the local workstation is MORRIS and the domain of the shared user account is SATURN.

Figure 17. Roaming Profiles Utility

3. From the list box on the left, select the user account name of the profile you want to share with your local user account profile. In this example the account usershare from the domain SATURN is selected.

4. From the list box on the right, select the local user account name. In this example the account userroam, from the local workstation MORRIS, is selected.

5. Click OK. If the profile is successfully shared, the following message appears.

Using this example, the user can log on as usershare from SATURN or userroam from MORRIS and the desktop environment will be the same.

To remove Vanguard Roaming Profile Utility

1. Open the Windows Control Panel and click Add/Remove Programs. The Add/Remove Programs dialog appears.

Note: You may need to have Administrator authority to remove programs.



Figure 18. Add/Remove Programs

2. From the list of programs, select Roaming Profile Utility and click Change/Remove.

Removing ez/Signon

1. From the Start menu, click Programs.

2. Select Vanguard | ezSignon | ezSignon Uninstall Utility. The Uninstall Utility opens.

3. To uninstall ez/Signon from the server only, click the This Computer button.

To remove ez/Signon from the server and all workstations of the domain, click Windows Domain.

Note: Make sure that your workstations are logged on to the network before you use the Windows Domain option. The Uninstall utility can only remove the ez/Signon Gina from workstations with an active network connection.



Documents

Vanguard ez/Signon Client