Enterprise Single Sign-On 8.0.6
Installation Guide
© 2013 Quest Software, Inc. and/or its Licensors
ALL RIGHTS RESERVED.
This publication contains proprietary information protected by copyright. The software described in this
publication is furnished under a software license or nondisclosure agreement. This software may be used or
copied only in accordance with the terms of the applicable agreement. No part of this publication may be
reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical or
otherwise without the prior written permission of the publisher.
DISCLAIMER
The information in this publication is provided in connection with Quest branded products from Evidian. No
license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this
publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE AGREEMENT FOR THIS
PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY WHATSOEVER AND DISCLAIM ANY
EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO THIS PRODUCT, INCLUDING BUT NOT
LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY
DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING,
WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN IF
EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Evidian and
Quest make no representations or warranties with respect to the accuracy or completeness of the contents of
this publication and reserve the right to make changes to specifications and product descriptions at any time
without notice. Evidian and Quest do not make any commitment to update the information contained in this
publication. The information and specifications in this publication are subject to change without notice.
Trademarks
Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big Brother,
DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, InTrust, IT
Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, NBSpool, NetBase, Npulse,
PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed,
SQL Navigator, SQL Watch, SQLab, Stat, Stat!, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World,
Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc. in the
United States of America and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster,
SSOWatch, WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks
mentioned in this document are the property of their respective owners.
World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656
Website: www.quest.com
Please refer to our website for regional and international office information.
This documentation is also available online at http://documents.quest.com. This site provides robust search
capabilities that allow you to search across all related documents.
Quest Enterprise SSO
Version 8.0.6
Last updated – May 8, 2013
Contents
About This Guide..................................................................................................... 6
Overview ............................................................................................................................ 6
Conventions ............................................................................................................... 6
1. Overview .............................................................................................................. 7
1.1 The Quest ESSO Software Suite ................................................................................ 7
1.1.1 The Quest ESSO Security Services ................................................................. 7
1.1.2 Quest ESSO Components ................................................................................ 7
1.2 Quest ESSO Architecture ............................................................................................ 9
1.3 Quest ESSO and Your Corporate LDAP Directory Infrastructure ............................ 10
1.3.1 Separation of the Quest ESSO Data .............................................................. 10
1.3.2 Inter Domain and Multi Domain ...................................................................... 11
1.3.3 Examples of Supported Active Directory Infrastructures ............................... 13
2. Preparing the Storage of Security Data in the LDAP Directory ..................... 16
2.1 Active Directory ......................................................................................................... 16
2.1.1 Global Installation Process within an Active Directory Infrastructure............. 16
2.1.2 Extending the Schema and Setting ACLs ...................................................... 19
2.1.3 Setting Indexes on Active Directory Attributes (Optional) .............................. 29
2.1.4 Configuring Secure Authentication and Data Securization ............................ 30
2.2 Active Directory + ADAM or AD LDS ........................................................................ 30
2.2.1 Extending the Schema of ADAM/AD LDS ...................................................... 33
2.2.2 Preparing the ADAM/AD LDS Instance Administrator Account ..................... 34
2.2.3 Setting ACLs on ADAM/AD LDS .................................................................... 34
2.2.4 Setting Indexes on ADAM/AD LDS Attributes ................................................ 35
2.2.5 Configuring Secure Authentication and Data Securization ............................ 35
2.3 OpenLDAP ................................................................................................................. 36
2.3.1 Extending the Schema of an OpenLDAP Directory ....................................... 36
2.3.2 Setting ACLs on an OpenLDAP Directory ...................................................... 36
2.3.3 Setting Indexes on OpenLDAP Attributes ...................................................... 37
2.3.4 Integrating SAMBA ......................................................................................... 38
2.3.5 Configuring Secure Authentication ................................................................. 39
2.3.6 Configuring Data Securization ........................................................................ 39
2.4 Netscape iPlanet / Sun Java System / Red Hat / Fedora Directory Server .............. 40
2.4.1 Extending the Schema of a Netscape iPlanet / Sun Java System / Red Hat / Fedora Directory Server ... 40
2.4.2 Setting ACLs on a Netscape iPlanet / Sun Java System / Red Hat / Fedora Directory Server ............ 41
2.4.3 Setting Indexes on Netscape iPlanet / Sun Java System / Red Hat / Fedora Directory Server Attributes ... 43
2.4.4 Configuring Secure Authentication ................................................................. 44
2.4.5 Configuring Data Securization ........................................................................ 45
2.5 Novell eDirectory ....................................................................................................... 46
2.5.1 Extending the Schema of a Novell eDirectory ................................................ 46
2.5.2 Setting ACLs for Delegation (Optional) .......................................................... 46
2.5.3 Setting Indexes on Novell eDirectory Attributes ............................................. 47
2.5.4 Configuring Secure Authentication (Optional) ................................................ 49
2.5.5 Configuring Data Securization ........................................................................ 49
2.6 IBM Tivoli Directory Server ........................................................................................ 50
2.6.1 Extending the Schema of an IBM Tivoli Directory Server .............................. 50
2.6.2 Setting ACLs on an IBM Tivoli Directory Server ............................................ 51
2.6.3 Setting Indexes on IBM Tivoli Directory Server Attributes ............................. 51
2.6.4 Configuring Secure Authentication ................................................................. 51
2.6.5 Configuring Data Securization ........................................................................ 52
2.7 Deploying a Workstation LDAP User Account .......................................................... 53
3 Installing Quest ESSO Controllers and Audit Databases ............................... 54
3.1 Starting the Administration Tools window ................................................................. 54
3.2 Running the Default Objects Creation Tool............................................................... 56
3.3 Initializing the Primary Controller............................................................................... 57
3.4 Initializing an Associated Controller .......................................................................... 58
3.5 Publishing a New Token Data File ............................................................................ 59
3.6 Defining Administrative Tokens for Self Service Password Request ....................... 59
3.7 Importing an External Key ......................................................................................... 59
3.8 Importing/Exporting the Controller Key ..................................................................... 60
3.9 Installing and Configuring the Local Audit Database ................................................ 61
3.9.1 Installing the Provided Audit V2 MySQL Database Server ............................ 61
3.9.2 Creating Audit V2 Tables in an Existing Database ........................................ 63
3.9.3 Setting up the Connection to the Local Audit Database ................................ 64
3.9.4 Updating the Audit Translation Data .............................................................. 66
3.10 Declaring the Technical Accounts Used by the Quest ESSO Controllers .............. 67
3.11 Defining a Master Audit Database .......................................................................... 68
3.12 Installing a Quest ESSO Controller ......................................................................... 72
4 Installing and Configuring the Software Modules on the Workstations ........ 75
4.1 Configuring Workstations .......................................................................................... 76
4.1.1 Quest ESSO Configuration with Active Directory........................................... 77
4.1.2 Quest ESSO Configuration with a User Database or Directory other than
Microsoft Active Directory ........................................................................................ 79
4.2 Installing Microsoft Redistributables .......................................................................... 82
4.3 Installing a Quest ESSO Client ................................................................................. 83
4.4 Installing French Healthcare Smart Cards (CPS) ..................................................... 86
4.5 Installing Finger Vein Biometric Drivers .................................................................... 87
4.6 Modifying the Possible Domains List ........................................................................ 87
5 Enabling the Self Service Password Request (SSPR) Capability ................... 88
6. Enabling OTP Authentication ........................................................................... 92
6.1 Installing a Radius Plugin .......................................................................................... 92
6.2 Installing an RSA Authentication Server and Agent .................................................. 93
6.2.1 Installing RSA Authentication Server ............................................................. 93
6.2.2 Installing RSA Authentication Agent ............................................................... 93
7 Enabling the Group Membership Modification Feature .................................. 95
8 Centralizing Parameters Using Group Policy Objects (GPO) ......................... 97
8.1 Creating and Configuring Group Policy Objects Using an ADM File ........................ 98
8.2 Creating and Configuring Group Policy Objects Using ADMX Files (optional) ...... 100
8.3 Description of the User Access Administrative Template (optional) ....................... 101
9 Installing Quest ESSO MSI Packages in Silent Mode .................................... 115
9.1 Installing Microsoft Redistributables in Silent Mode ................................................ 116
9.2 Installing Quest ESSO Controller in Silent Mode .................................................... 116
9.3 Installing Quest ESSO Client in Silent Mode .......................................................... 118
9.4 Installing Quest ESSO Web Server in Silent Mode ................................................ 127
Appendix A: Advanced Configuration: Audit.................................................... 129
A.1 Audit Extension DLL Development Guide ............................................................... 129
A.1.1 Structure of Audit Event: _WG_AUDITEVENT ............................................ 129
A.1.2 Structure of Audit Configuration: _WG_AUDITCONFIG ............................. 130
A.1.3 Prototypes of Functions to Export ................................................................ 130
A.2 Audited Events ........................................................................................................ 130
Appendix B: Activating Traces ........................................................................... 131
Appendix C: Retrieving the Serial Number on a MiFARE RFID Badge ........... 133
C.1 Parameters .............................................................................................................. 134
C.2 Configuring the MiFARE RFID Parameters ............................................................ 135
C.3 Resetting the MiFARE RFID Parameters ............................................................... 137
About Quest Software, Inc. ................................................................................. 138
Contacting Quest Software............................................................................................ 138
Contacting Quest Support ............................................................................................. 138
Quest Enterprise SSO 8.0.6 - Installation Guide
About This Guide
Overview
This document has been prepared to assist you in becoming familiar with Quest Enterprise
Single Sign-On. It contains the information required to install and configure
Quest ESSO (advanced installation). It is intended for system integrators, administrators,
consultants, analysts, and any other IT professionals using the product.
Conventions
In order to help you get the most out of this guide, we have used specific formatting
conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

Element: Convention
Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bolded text: Interface elements that appear in Quest products, such as menus and commands.
Italic text: Used for comments.
Bold Italic text: Introduces a series of procedures.
Blue text: Indicates a cross-reference. When viewed in Adobe® Acrobat®, this format can be used as a hyperlink.
(Icon): Used to highlight additional information pertinent to the process being described.
(Icon): Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
(Icon): Used to highlight processes that should be performed with care.
+ : A plus sign between two keystrokes means that you must press them at the same time.
| : A pipe sign between elements means that you must select the elements in that particular sequence.
1. Overview
The Quest ESSO solution enables you to deploy a high level of security. It uses your company's
corporate LDAP directory to manage single sign-on (SSO) across this distributed LDAP
architecture.
This guide explains how to install Quest ESSO (Quest ESSO comprises the Advanced Login and
SSOWatch modules).
1.1 The Quest ESSO Software Suite
1.1.1 The Quest ESSO Security Services
Quest ESSO is composed of several software applications, which run through a
middleware called the Quest ESSO Security Services. It is a Windows service, which is
automatically installed during the Quest ESSO installation process. It provides the
following services:
- Authentication (by passwords, smart cards, USB tokens, biometrics...).
- Single Sign-on: retrieval of the SSO policy and management of the users' secure
  SSO data depending on the authentication method.
- Administration: daily administration tasks and creation and management of the
  SSO policy.
- Audit.
The Quest ESSO applications do not work directly with your company's LDAP directory
or with your users' tokens. All the operations are performed by the Security
Services, in a secure system environment.
The Security Services work directly with the corporate LDAP directory, except for the
audit and administration services, for which they can use the Quest ESSO Controller.
1.1.2 Quest ESSO Components
SSOWatch
SSOWatch is the single sign-on (SSO) engine. It is installed on the
client workstations. This software module offers many optional
components.
Advanced Login
The Advanced Login software module allows you to enforce users'
authentication and to use authentication sources other than Active
Directory. When installed, it is used instead of the standard Windows
log on dialog box.
Advanced Login allows users to log on to their workstation using several
authentication methods, such as login/password, smart cards, or biometric
authentication methods.
It also allows you to manage primary authentication policies: the
authentication methods authorized per workstation or per user.
Quest ESSO Controller
The Quest ESSO Controller is an administration server that enables
the management of administration profiles.
The administration actions are not directly sent from the workstations
to the LDAP account of the Quest ESSO administrator, but through
the Quest ESSO Controller: upon the Quest ESSO installation, you
will have to define an LDAP account that will be used by the Quest
ESSO Controller to perform any Quest ESSO administration action on
the LDAP directory.
You do not have to set different ACLs depending on the Quest ESSO
administrators. You set ACLs only once, on the LDAP
account used by the Quest ESSO Controller, which manages the
administration requests depending on the administration profiles
defined using Quest ESSO Console.
The Quest ESSO Controller also runs as the Quest ESSO audit
server. It collects audit information from the Quest ESSO workstations
into an SQL database. The audit data is available through
Quest ESSO Console, either globally, or contextually (that is,
depending on the selected audited Quest ESSO object).
Quest ESSO Console
Quest ESSO Console is a centralized administration and audit
consultation tool that can be installed on any Quest ESSO client
workstation. This administration console also allows you to define extended
security policies by managing Access Points, and by defining
authentication scheduling.
For details on supported authentication devices, see Release Notes.
1.2 Quest ESSO Architecture
Subject
The following illustration details the different interactions between the different components
of the Quest ESSO software suite, the corporate LDAP directory and applications.
Description
The Security Services components are installed on the Quest ESSO workstations (end-user
and administration workstations). They run as clients of the Quest ESSO
Controller to carry out the following functionalities:
- Sending Audit events.
- Enabling the administration of the Quest ESSO security objects.
The Security Services allow Quest ESSO users to authenticate to their corporate LDAP
directory, either using their usual authentication interface, or using Advanced Login if
installed on the workstation.
The authentication allows Quest ESSO users to:
- Get the SSO security policies stored in the directory.
- Get their specific container used to store their SSO data.
- Get cipher keys to secure their stored SSO data. Each Quest ESSO user has a
  unique key pair.
The Quest ESSO Controller gathers all the audit events sent by the Quest ESSO
workstations in an SQL database. The link between the Quest ESSO workstations and the
Quest ESSO Controller is secure (SSPI). An audit cache located on the Quest ESSO
workstation manages network flows and stores the audit events if the workstation is
disconnected from the network.
In disconnected mode, the administration actions are no longer carried out by the Quest
ESSO applications (through the Security Services running as client of the Quest ESSO
Controller), but directly by the Quest ESSO Controller.
1.3 Quest ESSO and Your Corporate LDAP Directory Infrastructure
Since Quest ESSO works directly with the directory in place to deploy the SSO policies,
you must take your directory infrastructure into account before starting the installation
process. The following sub-sections introduce Quest ESSO concepts related to directory
infrastructure, and provide examples that may correspond to your situation.
1.3.1 Separation of the Quest ESSO Data
Subject
Depending on your LDAP directory infrastructure, you may not want to modify the schema
of your corporate LDAP directory. In this case, it is possible to separate the storage of the
Quest ESSO data.
This feature is available with some of the LDAP directories supported by Quest
ESSO. For details, see Release Notes.
Example
For example, if you are using an Active Directory infrastructure, you can use an
ADAM/AD LDS directory to store the Quest ESSO configuration and the SSO data. In this
mode, the Active Directory service is the identities directory, and ADAM/AD LDS is a
Quest ESSO dedicated directory used to store Quest ESSO data.
The authentication process is not modified, as a user who authenticates to an Active
Directory service can authenticate to an ADAM/AD LDS service using the same
credentials, through the Kerberos SSO mechanisms.
ADAM/AD LDS Architecture
The following illustration shows a Quest ESSO architecture using an Active Directory
service combined with a Quest ESSO dedicated ADAM/AD LDS infrastructure.
1.3.2 Inter Domain and Multi Domain
Subject
This section introduces two Quest ESSO specific concepts dealing with Active Directory
infrastructures: inter domain and multi domain.
These concepts imply that your directory infrastructure is not a single domain
infrastructure.
Inter-Domain
The inter domain concept refers to the Quest ESSO users. It consists of setting up Quest
ESSO so that a user of one domain can authenticate on workstations of another domain.
For example, to set up Quest ESSO inter domain, you must meet the following
requirements:
- A trust relationship must be set up between the domains.
- Users' workstations must be members of their respective domains.
Multi-Domain
The multi domain concept refers to the Quest ESSO administrators. It consists of setting
up Quest ESSO so that a Quest ESSO administrator can manage several domains at the
same time using the Quest ESSO administration console.
The following illustration shows a Quest ESSO solution running in a multi domain
configuration.
Inter domain can exist in a multi domain configuration.
For an example of AD+ADAM/AD LDS multi domain infrastructure, see 1.3.3.2 Active
Directory + ADAM/AD LDS Infrastructure.
1.3.3 Examples of Supported Active Directory Infrastructures
Consider the following Active Directory infrastructure:
In this organization, the Active Directory infrastructure consists of the following:
- Two Forests: Forest 1 and Forest 2.
- Forest 1 is composed as follows:
  - Domain A1 is the root domain.
  - Domain B1 is the child domain of the parent domain Domain A1.
  - Domain C1 is the child domain of the parent domain Domain B1.
- Forest 2 is composed as follows:
  - Domain A2 is the root domain.
  - Domain B2 is the child domain of the parent domain Domain A2.
  - Domain C2, which is another domain of Forest 2.
1.3.3.1 Multi-Domain Infrastructure
Infrastructure Example
Description
This example shows an Active Directory infrastructure designed to set up Quest ESSO
multi domain. You can see that:
- Forest 1 and Forest 2 support multi-domain, but multi domain is not supported
  for Forest 1 + Forest 2.
- Inter-domain is supported for all domains of Forest 1 and for all domains of
  Forest 2. But inter domain is not supported between Forest 1 and Forest 2.
1.3.3.2 Active Directory + ADAM/AD LDS Infrastructure
AD + ADAM/AD LDS Infrastructure
The following example shows an Active Directory infrastructure combined with a Quest
ESSO dedicated ADAM/AD LDS infrastructure. You can see that there is one
ADAM/AD LDS instance for one Active Directory domain.
AD + ADAM/AD LDS Multi Domain Infrastructure
The following example infrastructure shows an ADAM/AD LDS infrastructure with AD multi
domain.
2. Preparing the Storage of Security Data in the LDAP Directory
Subject
To implement the Quest ESSO environment, you have to create the objects used by Quest
ESSO in the LDAP directory. These objects will allow you to create security rules and to
store the users' single sign-on data. This data is stored encrypted.
Quest ESSO supports the following types of LDAP directory for storing user security data:
- Active Directory.
- Active Directory Application Mode (ADAM).
- Active Directory Lightweight Directory Services (AD LDS).
- Netscape iPlanet/Sun Java System/Red Hat/Fedora Directory Server.
- OpenLDAP Directory Server.
- Novell eDirectory.
- IBM Tivoli Directory Server (ITDS).
For information on the supported versions of the listed LDAP directories, see Release
Notes.
2.1 Active Directory
2.1.1 Global Installation Process within an Active Directory Infrastructure
Subject
Depending on your Active Directory infrastructure, you may have to install several types of
Quest ESSO Controller. This section describes a multi domain architecture example. This
may help you define your own software architecture depending on your requirements.
Definitions
There are three types of controllers that you can or must install depending on your needs:
- The primary controller is mandatory. It corresponds to the first server that you
  install in a domain.
- Secondary controllers, which correspond to other servers that you install in the
  same directory domain as the primary controller. Secondary controllers are
  redundant servers: if a controller is unavailable for any reason, user and
  administrator stations simply connect to another available controller.
- If you are working in a multi-domain environment, you must install Associated
  controllers. These controllers are always installed after the primary controller, in
  another directory domain, and they share the same security database. They allow
  Quest ESSO administrators to manage several domains using the same
  administration token (hardware protection mode) or pass phrase (software
  protection mode).
Multi Domain Architecture Example
The above illustration shows a multi-domain software architecture that uses four Quest
ESSO Controllers (two controllers per domain) and a Master Audit Database:
- The primary controller, which corresponds to the first Quest ESSO Controller,
  installed in Domain 1.
- An associated controller, which corresponds to the Quest ESSO Controller
  installed in Domain 2.
- Two secondary controllers (one in each domain).
- The Audit Master Database, which contains the log entries of every individual
  Quest ESSO Controller. This concerns both user action log entries and
  administration action log entries. In this example, the local SQL Server
  databases of individual Quest ESSO Controllers are only used to store the audit
  events temporarily, before sending them to the Master base.
  By default, the Master Database is an SQL Server database. Note that this audit base can be
  hosted on databases other than SQL Server. The list of databases for which this
  feature is supported is detailed in Release Notes.
This example architecture allows administrators to manage users that reside in different
LDAP domains, and to move users from one domain to another in the forest. The
secondary controllers provide high availability.
Global Process
To set up the Quest ESSO software architecture described above, do the following:
Extend the Schema and Set the ACLs of your Active Directory service (see 2.1.2
Extending the Schema and Setting ACLs).
1. Install the Primary controller in Domain A.
2. In the same domain, install a Secondary controller.
3. Install an Associated controller in Domain B.
4. In the same domain, install a Secondary controller.
5. Install the Master Audit Database.
6. Then, install the workstation clients (administration workstation and end-user
   workstations).
2.1.2 Extending the Schema and Setting ACLs
Subject
For Active Directory, Quest ESSO provides a schema management tool that allows you to:
- Install or repair the Active Directory schema extension for Quest ESSO. These
  operations will be applied to the Active Directory domain controller that holds the
  role of Schema Master. This server must be made accessible for these
  operations.
- Add or repair the ACLs specific to Quest ESSO on the existing user objects in
  the different domains of the forest.
The modifications to the Active Directory schema for Quest ESSO have been designed to
be as unintrusive as possible:
- A few optional attribute types are added to the definition of standard classes
  like User and Group. These modifications are totally reversible.
- All the identifiers of the attributes and classes that are added (LDAP names,
  OIDs, for example) have been registered with Microsoft and with international
  organizations.
Before Starting
- Check that the Microsoft Active Directory schema is unlocked before starting the schema
  extension:
  - In the Start menu, click Run and type regedt32.
  - Open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key.
  - If necessary, set the Schema Update Allowed value to 1.
  You do not have to restart your computer.
- Quest ESSO requires at least one dedicated user account to extend the Active
  Directory schema and to apply ACLs on the domain. This account must exist
  before starting the installation procedure, as the wizard will prompt you for
  account credentials.
  So make sure you have a user account in the Active Directory forest which
  allows you to:
  - Modify the Active Directory schema (members of the Schema Admins
    group have this right).
  - Apply Quest ESSO ACLs on your domain (members of the Domain
    Admins group have this right).
  You are advised to use only one account that is at the same time a member of the
  Schema Admins and of the Domain Admins groups. If this is not possible (depending on
  your Active Directory design), you can use two different accounts.

• Each Quest ESSO Controller requires one dedicated user account to perform operations on the directory (such as the execution of administration requests, read and save operations on audit events, modifications on Quest ESSO objects). To simplify the configuration and the use of the solution, it is strongly recommended to gather these dedicated user accounts in Local groups, as detailed in the following procedure.
  You may find the term "technical account" throughout this manual. We use this term to designate these dedicated Quest ESSO Controller accounts.
  Depending on your Active Directory design, you may create and use the same user account for all the Quest ESSO Controllers. Note that this is not possible in multi-domain infrastructures.
  a) Start Active Directory Users and Computers.
  b) Create one Local Group for each domain of the forest.
  c) Create one technical account for each Quest ESSO Controller that you will install on the domain, and define it as a member of the Local Group just created.
  - For each technical account, enable the Password never expires option.
  - Each technical account must have the SE_RESTORE_NAME privilege. To be sure of it, add the technical account to the Backup Operators group of each domain.
  - Each technical account must have the right to force the password change of users. To assign this right, using Active Directory Users and Computers, start the Delegation of Control wizard (right-click the container(s) where the users that will have their passwords reset are located and select Delegate control), and delegate control of the following common task: Reset user passwords and force password change at next logon. Repeat the same operation on the AdminSDHolder container.
  - In multi-domain mode, each technical account must be included in the other local groups.
• Start Active Directory Sites and Services and, for each domain controller of your forest, select NTDS Settings, then, in the right panel, right-click the connection objects and select Replicate now, as shown below:
• If you are setting up an inter-domain Active Directory infrastructure, you may have to deploy a domain account for WGSS to do LDAP requests, to avoid Kerberos-related problems, as described in 2.7 Deploying a Workstation LDAP User Account.
• Windows 2000 Service Pack 2 servers only: if the Schema Master (which is the domain controller on which the schema extension operation is performed) is a Windows 2000 Service Pack 2 server, you must define, on each of your workstation clients, the UseCustomApplicationClass registry variable (DWORD) with value 1, in HKLM\Software\Enatel\Framework\Directory or HKLM\Software\Policies\Enatel\Framework\Directory.
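The technical-account preparation above (steps a to c and the requirements that follow them) can be scripted with the ActiveDirectory PowerShell module instead of the GUI. This is an added example, not a tool from the Quest ESSO package: the group and account names and the users OU are assumptions, and the dsacls translation of the delegated common task is an assumed equivalent of the wizard's "Reset user passwords and force password change at next logon" task, to be verified against the wizard's result.

```powershell
# Added example (not part of the Quest ESSO package): prepares the "technical accounts"
# described above with the ActiveDirectory module. Names and OUs are constructed placeholders.
Import-Module ActiveDirectory

$Domain     = Get-ADDomain                                   # domain being prepared
$LocalGroup = 'ESSO-Controllers'                             # assumed name of the per-domain Local Group
$UsersOu    = "OU=Users,$($Domain.DistinguishedName)"        # assumed container of the users to administer
$Accounts   = @('svc-esso-ctl1', 'svc-esso-ctl2')            # one technical account per Quest ESSO Controller
$AdminSD    = "CN=AdminSDHolder,CN=System,$($Domain.DistinguishedName)"

# b) One Local (domain-local) security group per domain of the forest.
if (-not (Get-ADGroup -Filter "Name -eq '$LocalGroup'")) {
    New-ADGroup -Name $LocalGroup -GroupScope DomainLocal -GroupCategory Security `
                -Path $Domain.UsersContainer -Description 'Quest ESSO Controller technical accounts'
}

foreach ($Sam in $Accounts) {
    # c) One technical account per controller, with "Password never expires" as required.
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$Sam'")) {
        $Pwd = Read-Host -Prompt "Password for $Sam" -AsSecureString
        New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName "$Sam@$($Domain.DNSRoot)" `
                   -Path $Domain.UsersContainer -AccountPassword $Pwd `
                   -PasswordNeverExpires $true -Enabled $true
    }
    # Member of the Local Group just created (in multi-domain mode, repeat this against
    # the local group of every other domain, as the guide requires).
    Add-ADGroupMember -Identity $LocalGroup -Members $Sam

    # SE_RESTORE_NAME: the guide obtains it through Backup Operators membership.
    # Defender's note: Backup Operators can restore arbitrary files on domain controllers,
    # so treat these accounts as highly privileged and monitor their logons.
    Add-ADGroupMember -Identity 'Backup Operators' -Members $Sam

    # Assumed dsacls equivalent of the delegated common task: the "Reset Password"
    # control access right plus read/write of pwdLastSet on user objects under the OU.
    $Trustee = "$($Domain.NetBIOSName)\$Sam"
    & dsacls.exe $UsersOu /I:S /G "${Trustee}:CA;Reset Password;user"
    & dsacls.exe $UsersOu /I:S /G "${Trustee}:RPWP;pwdLastSet;user"

    # Same rights on AdminSDHolder itself: SDProp copies this DACL onto protected
    # accounts (Domain Admins and the like) within the hour, so no inheritance flag here.
    & dsacls.exe $AdminSD /G "${Trustee}:CA;Reset Password"
    & dsacls.exe $AdminSD /G "${Trustee}:RPWP;pwdLastSet"
}
```

Run it once per domain of the forest with an account that is a member of Domain Admins there, then force replication as described in the next bullet.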
Procedure
If you are installing Quest ESSO in multi-domain mode, read the following:
• You must extend the schema and set ACLs only to install the Quest ESSO primary controller.
• To install an associated controller, you just have to set ACLs.
• Do not use this tool to install a secondary controller.
1. On the domain controller where you want to install the primary or the associated Quest ESSO Controller, open the root folder of the Quest ESSO installation package and run start.hta.
   The following window appears.
   If the window does not appear, do the following:
   - Browse the downloaded installation package and open the folder corresponding to your Windows system processor: E-SSO for 32-bit processors and E-SSO.x64 for 64-bit processors.
   - Browse the TOOLS directory, run WGAdSetup\WGADSetup.exe, and go to Step 4 of the current procedure.
2. In the Advanced Installation area, click one of the following, depending on your Windows system processor:
   - Quest Software E-SSO: for 32-bit processors.
   - Quest Software E-SSO - x64: for 64-bit processors.
   The Administration Tools interface appears:
3. Click Extend Active Directory Schema.
   IAM Active Directory Setup Tool starts.
4. Follow the displayed instructions with the following guidelines (the window shown for each step is omitted here):
Step 1:
  If you are installing the Quest ESSO primary controller, enter the dedicated user account that is a member of the Schema Admins group (for more information, see Before Starting above).
  If you are installing an associated controller:
  - Enter the user account of a Quest ESSO user who is an administrator of the domain. This user must have full rights on the domain.
  - Select Skip schema checking and jump directly to the domains setup.
  Click Next.
Step 2: Click Next.
Step 3: Click Next.
Step 4: Click Yes.
Step 5: At this step, the Active Directory schema extension is done. Click Next.
Step 6:
  At this step, you have two possibilities:
  - If the user account declared at Step 1 is also a member of the Domain Admins group, click Next and see Step 8.
  - If not, change the user account: click Exit, restart the wizard and see Step 7.
Step 7:
  Enter a user account that is a member of the Domain Admins group (for more information, see Before Starting above).
  Select Skip schema checking and jump directly to the domains setup.
  Click Next.
Step 8:
  Check that the selected domain is correct.
  Click Next.
Step 9:
  If you do not want to store the configuration data in Program Data\IAM, click Choose another location and select the wanted location in the displayed tree.
  Click Next.
Step 10:
  Select With controller.
  Click Next.
Step 11:
  Select Enable the use of software.
  Click Next.
Step 12:
  Read the displayed instructions carefully.
  As explained, it is strongly recommended to select Enable (or Keep, in case of update) the access control for members of protected groups.
  Click Next.
Step 13:
  1. Select the mandatory container Program Data\IAM or the location where you store the configuration data.
  2. Select the following containers:
     - The Users and Groups who will use Quest ESSO.
     - The SSO Applications and SSO Objects.
     - The computers where Quest ESSO is installed.
  3. Click Apply changes.
  4. Click Next.
Step 14:
  If you have created a Local Group to gather the technical accounts used by the Quest ESSO Controller (for more information, see Before Starting above), select Give some administration profiles to a group of the domain and enter the Group name. Then, select the Controller Server Account check box and click Next.
  Else, see Step 17.
Step 15:
  1. In System, select AdminSDHolder (this container allows you to administer the Active Directory administrators. Moreover, it enables any user to delegate accounts to Active Directory administrators).
     The modification is effective within one hour.
  2. Select the container(s) storing the Users, Groups, Computers and Domain Controllers that will be administered by the Administration Group entered at Step 14.
  3. Click Apply Changes.
  4. Click Next.
Step 16:
  1. Select the following mandatory containers:
     - Program Data\IAM or the location where you store the configuration data.
     - System\AdminSDHolder
  2. Select the container(s) storing the Quest ESSO configuration data that will be administered by the Administration Group entered at Step 14 (the containers storing the configuration data were defined at Step 9).
  3. Click Apply Changes.
  4. Click Next.
Step 17:
  If you want to set another Group, see Step 14.
  Else, select Finished for the selected domain, and click Next.
Step 18:
  If you want to set ACLs on another domain (inter-domain or multi-domain infrastructures), or if you want to modify a configuration, select Configure another domain and click Next (see Step 8).
  Else, select Exit this program and click Exit.
During the existing schema validation phase, objects that use Quest ESSO object identifiers may be detected. If this is the case, software from other suppliers that does not adhere to Microsoft's recommendations for extending the Active Directory schema may have been installed. In these circumstances, contact Quest Support.
2.1.3 Setting Indexes on Active Directory Attributes (Optional)
Subject
This task is optional and may be done only if the directory repository has not been
installed and configured in a standard way.
It is recommended to set indexes on both standard attributes and Quest ESSO specific
attributes.
Before Starting
You must know how to set indexes manually.
2.1.3.1 Indexes on Standard Attributes
General Use
It is strongly recommended to index the following attributes:
• cn
• objectCategory
• member
• dNSHostName
• objectGUID
Custom LDAP Attributes Stored on the Authentication Token
When using a custom LDAP attribute stored on the authentication token, this attribute
must be indexed for presence and equality searches.
User Search for Delegation
When searching for users to whom an account can be delegated, several attributes are used to search the directory using a substring match. These attributes must be indexed for substring search. By default, the attributes used are:
• cn
• sn
• givenName
• mail
Since administrators can change the attributes used for this search by modifying the UserSearchFilter registry value, check that the attributes you choose are indexed.
2.1.3.2 Indexes on Quest ESSO Specific Attributes
The following specific attributes must be indexed:
• enatelUserSecurityProfileObject
• enatelApplicationProfileObject
• enatelUserEntityObject
• enatelComputerSecurityProfileObject
If you plan smart card authentication, set the following attributes:
• enatelSerialNumber
• enatelTokenClassName
• enatelTokenState
If you want to use Web Access Manager with Quest ESSO, set the following attributes:
• enatelAccountBaseID
• enatelPersonalApplicationId
2.1.4 Configuring Secure Authentication and Data Securization
With Active Directory, Quest ESSO automatically uses the most secure available method. No configuration is needed.
2.2 Active Directory + ADAM or AD LDS
Subject
Microsoft ADAM (Active Directory Application Mode) or Active Directory Lightweight Directory Services (AD LDS) is an LDAP directory service that runs as a user service, rather than as a system service.
The use of ADAM/AD LDS with Quest ESSO allows you to store all Quest ESSO data (configuration objects, user security data, access information and so on) in the ADAM/AD LDS directory, while the user data remains in the enterprise Active Directory. In this case, no modification is made to the Active Directory (no schema extension, no ACL modification or object creation).
This section explains how to extend the schema of ADAM/AD LDS and set some access control rules (ACLs).
Multi Domain Architecture Example
If you want to work in a multi domain ADAM/AD LDS environment, you must first install all
the necessary AD domain controllers and then install the ADAM/AD LDS directory.
The above illustration shows a multi-domain software architecture that uses two Quest ESSO Controllers and a Master Audit Database:
• The primary controller, which corresponds to the first Quest ESSO Controller.
• One secondary controller.
• The Audit Master Database, which contains the log entries of every individual Quest ESSO Controller. This concerns both user action log entries and administration action log entries. In this example, the local SQL Server databases of individual Quest ESSO Controllers are only used to store the audit events temporarily, before sending them to the Master base.
By default, the Master Database is an SQL Server. Note that this audit base can be hosted on other databases than SQL Server. The list of databases for which this feature is supported is detailed in the Release Notes.
This example of architecture allows administrators to manage users that reside in different
LDAP domains, and they can switch users from one domain to another in the forest. The
secondary controller provides high-availability.
Global Process
To set up the Quest ESSO software architecture described above, do the following:
1. Extend the Schema and Set the ACLs of your ADAM/AD LDS (see Section 2.2.1, "Extending the Schema of ADAM/AD LDS" and Section 2.2.3, "Setting ACLs on ADAM/AD LDS").
2. Install the Primary controller.
3. Install a Secondary controller.
4. Install the Master Audit Database.
5. Then, install the workstation clients (administration workstation and end-user workstations).
Before Starting
• Download and install ADAM/AD LDS from the Microsoft web site.
  For more information on supported versions and operating systems on which it can be installed, see the Release Notes.
• Create an ADAM/AD LDS instance with at least one partition and with the following parameters and restrictions:
  Parameters (wizard window name, followed by the Quest ESSO requirement):
  "Setup Options": choose Unique instance.
  "Application Directory Partition": choose Yes.
  "ADAM Administrators": an ADAM/AD LDS administrator is an account with control over the ADAM/AD LDS instance.
    You must select an account in the Active Directory domain, not a local account.
    In case of a multi-domain architecture, you are advised to select an account with the Reset Password permission, to change the primary passwords of the Active Directory users. This permission is not mandatory if you do not need to use Quest ESSO Console to change user passwords (case of a Quest ESSO installation in session authentication mode, for example).
    This account must have the SE_RESTORE_NAME privilege. To be sure of it, add the user to the local Backup Operators group.
  "Importing LDIF Files": import all LDIF files. The MS-User.LDF file is mandatory.
  Restrictions:
  - The Distinguished Name of the ADAM/AD LDS partition must not include the Naming Context of an existing Windows domain. For example, if your domain naming context is DC=domain,DC=com, do not set CN=SSO,DC=domain,DC=COM as your ADAM/AD LDS naming context.
  - ADAM/AD LDS must not be installed on a Domain Controller.
  - Quest ESSO uses the Kerberos protocol for authenticating to LDAP with ADAM/AD LDS servers. To avoid Kerberos-related problems, read the following carefully:
    - Enter the real fully qualified DNS name (and not a DNS alias) to set the name of the ADAM/AD LDS host, and NOT its IP address (if you enter an IP address, Kerberos authentication is not guaranteed to succeed and you may get Kerberos errors).
    - If, despite the restriction, you absolutely need to install ADAM/AD LDS on a Domain Controller, some functionalities will not work properly. In this case, you must deploy a domain account for each Quest ESSO Security Services (wgss) (see 2.7 Deploying a Workstation LDAP User Account).
For more information on how to create an ADAM/AD LDS instance, please refer to
the Microsoft web site and documentation.
2.2.1 Extending the Schema of ADAM/AD LDS
Procedure
In a command line console, change to the %WINDIR%\ADAM directory and type the following command for each of the provided .ldif files:
ldifde -i -v -k -s <host:port> -f <file.ldif> -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext -b <user> <domain> <password>
Do not replace the following string: "CN=Schema,CN=Configuration,DC=X".
Where:
<host:port>: the ADAM/AD LDS server hostname and TCP port. For example: adam.domain.local:389.
<file.ldif>: the provided .ldif file, which is located in the TOOLS\ESSODirectory\WGADAM directory.
<user>: the user name of the ADAM/AD LDS administrator chosen during the instance installation.
<domain>: the NetBIOS domain of the user.
<password>: the user password.
ldifde is located in the %WINDIR%\ADAM directory.
Once you have run the command for each of the .ldif files, the ADAM/AD LDS
schema is extended.
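Running the ldifde command above once per provided .ldif file can be scripted. The following PowerShell loop is an added example, not part of the Quest ESSO package: the package path and host:port are placeholders, the "CN=Schema,CN=Configuration,DC=X" string is kept literal as required, and #schemaNamingContext is quoted because PowerShell would otherwise treat it as the start of a comment.

```powershell
# Added example (not from the Quest ESSO package): imports every provided .ldif file
# into the ADAM/AD LDS schema with the ldifde command described above.
$PackageRoot = 'C:\Install\E-SSO'                      # assumed location of the unpacked package
$LdifDir     = Join-Path $PackageRoot 'TOOLS\ESSODirectory\WGADAM'
$HostPort    = 'adam.domain.local:389'                 # real FQDN (no alias, no IP) and port, per the restrictions above
$SchemaCtx   = 'CN=Schema,CN=Configuration,DC=X'       # do NOT replace: ldifde rewrites it via -c

# Prompt for the ADAM administrator's credentials rather than embedding the password in
# the script or the shell history. Enter the user as DOMAIN\user: GetNetworkCredential()
# then splits it into the <user> and <domain> arguments that -b expects.
$Cred = Get-Credential -Message 'ADAM/AD LDS administrator (DOMAIN\user)'
$Net  = $Cred.GetNetworkCredential()

function Invoke-EssoSchemaImport {
    param([string]$LdifDir, [string]$HostPort, [string]$SchemaCtx,
          [System.Net.NetworkCredential]$Net)
    $Failed = @()
    Push-Location (Join-Path $env:WINDIR 'ADAM')       # the guide runs ldifde from %WINDIR%\ADAM
    try {
        foreach ($File in Get-ChildItem -Path $LdifDir -Filter '*.ldif') {
            # '#schemaNamingContext' MUST be quoted: unquoted, '#' starts a PowerShell comment
            # and ldifde would receive a -c option with no replacement token.
            & .\ldifde.exe -i -v -k -s $HostPort -f $File.FullName `
                -c $SchemaCtx '#schemaNamingContext' `
                -b $Net.UserName $Net.Domain $Net.Password
            if ($LASTEXITCODE -ne 0) { $Failed += $File.Name }
        }
    } finally { Pop-Location }
    return $Failed                                      # empty when every file imported
}

$Failed = Invoke-EssoSchemaImport -LdifDir $LdifDir -HostPort $HostPort -SchemaCtx $SchemaCtx -Net $Net
if ($Failed) { Write-Error "Schema import failed for: $($Failed -join ', ')" }
else { Write-Host 'ADAM/AD LDS schema extended; review the ldifde output for entries skipped by -k' }
```

Because -k makes ldifde continue past errors such as "object already exists", a zero exit code does not by itself prove that every entry was created; read the verbose (-v) output before moving on to the ACLs.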
2.2.2 Preparing the ADAM/AD LDS Instance Administrator
Account
The Windows account you chose as the administrator of the AD LDS instance when setting up the instance (see the Before Starting of Section 2, Preparing the Storage of Security Data in the LDAP Directory) must have the SE_RESTORE_NAME privilege in the local computer policy. To do so, add this account to the Backup Operators local group of the local computer.
2.2.3 Setting ACLs on ADAM/AD LDS
Subject
You must set some access control rules on the partition so that the domain users can store and retrieve data in ADAM/AD LDS. For that, the ACL-ADAM-EXTMGR.cmd file is provided in the Quest ESSO installation package.
Procedure
1. Edit the ACL-ADAM-EXTMGR.cmd file located in the TOOLS\ESSODirectory\WGADAM directory.
2. In the ACL-ADAM-EXTMGR.cmd file, uncomment the following lines:
   a) set DSACLS=dsacls.exe or set DSACLS=%WINDIR%\ADAM\dsacls.exe, depending on your system:
      - If the Quest ESSO Controller is installed on Windows Server 2008, uncomment the following line:
        set DSACLS=dsacls.exe
      - If the Quest ESSO Controller is not installed on Windows Server 2008, uncomment the following line:
        set DSACLS=%WINDIR%\ADAM\dsacls.exe
   b) set HOSTNAME=myadamserver.domain.com:port
      Replace myadamserver.domain.com with the fully qualified ADAM/AD LDS host name, and port with its TCP port.
   c) set LDAPROOT=o=my,c=root
      Replace o=my,c=root with the partition root chosen during the ADAM/AD LDS instance installation.
3. Copy the ACL-ADAM-EXTMGR.cmd file to the %WINDIR%\ADAM directory.
4. In a command line console, change to %WINDIR%\ADAM and run the ACL-ADAM-EXTMGR.cmd script.
2.2.4 Setting Indexes on ADAM/AD LDS Attributes
2.2.4.1 Setting Indexes on Standard Attributes
The following standard attributes must be indexed:
• cn
• objectCategory
• member
• objectGUID
2.2.4.2 Setting Indexes on Quest ESSO Specific Attributes
The following Quest ESSO specific attributes must be indexed:
• enatelUserSecurityProfileObject
• enatelApplicationProfileObject
• enatelUserEntityObject
• enatelComputerSecurityProfileObject
If you plan smart card authentication, set the following attributes:
• enatelSerialNumber
• enatelTokenClassName
• enatelTokenState
If you want to use Web Access Manager with Quest ESSO, set the following attributes:
• enatelAccountBaseID
• enatelPersonalApplicationId
2.2.5 Configuring Secure Authentication and Data Securization
With ADAM/AD LDS, Quest ESSO automatically uses the most secure available method. No configuration is needed.
2.3 OpenLDAP
The configuration of Quest ESSO Services with an OpenLDAP directory requires advanced skills, and an integration service is required. Please contact Quest Support at www.quest.com/support.
• It is strongly recommended to set up your OpenLDAP directory with TLS support (Transport Layer Security) to secure critical data (such as user account parameters, passwords…).
• It is also recommended to set up SASL/DIGEST-MD5 authentication on your directory to secure authentication.
• The OpenLDAP installation must include the following schema definitions in the slapd.conf file:
  - core.schema
  - cosine.schema
  - inetorgperson.schema
2.3.1 Extending the Schema of an OpenLDAP Directory
Subject
To extend the schema of an existing OpenLDAP directory, the wiseguard.schema file is
provided on the Quest ESSO installation package, in
TOOLS\ESSODirectory\WGOpenLdapSetup.
Procedure
• Include the Quest ESSO schema definition after the standard schema definitions by adding the following line in slapd.conf:
  include <file path>/wiseguard.schema
2.3.2 Setting ACLs on an OpenLDAP Directory
Subject
To set ACLs on an OpenLDAP directory, use the wiseguard-em.acl file located in the Quest ESSO installation package, in TOOLS\ESSODirectory\WGOpenLdapSetup.
Before Starting
If you want to authenticate as an administrator in Quest ESSO, you must create a user or
a group of users and give it administration rights in the directory.
Procedure
Edit slapd.conf to set your ACLs, with the following guidelines:
• The access directive, which is used to set ACLs, is complex. It allows very fine control over who can access what objects and attributes and under what conditions. The side effect of this complexity and power is that it is very easy to get the access directive wrong. You must thoroughly test ACL directives with all possible permissions.
• The access directive may be placed in either the global or the database section of slapd.conf.
• Multiple access directives may be included.
• The order of the access directives is very important. If possible, it is strongly recommended to set them in the following order:
  - rootDSE
  - Password
  - Directory administrators
  - Quest ESSO
  - Others
Example
The following example shows the configuration parameters to enter to integrate the Quest ESSO rules into existing rules (in slapd.conf, a line starting with whitespace continues the previous directive, so the indentation of the "by" clauses is required):
# reading the rootDSE special entry
access to dn.base="" by * read
# authentication
access to attrs=userPassword
    by dn="cn=administrateur,dc=qesso,dc=fr" write
    by groupdn="cn=administrateurs,dc=qesso,dc=fr" write
    by anonymous auth
    by self write
    by * none
access to *
    by dn="cn=administrateur,dc=qesso,dc=fr" write
    by groupdn="cn=administrateurs,dc=qesso,dc=fr" write
    by self write
    by * break
# the WG (Quest ESSO) ACLs
include <file path>/wiseguard-em.acl
access to * by * read
2.3.3 Setting Indexes on OpenLDAP Attributes
2.3.3.1 Setting Indexes on Standard Attributes
General Use
The following standard attributes must be indexed:
• cn (substring, equality, presence)
• uid (equality, presence)
• objectClass (equality, presence)
• member (equality, presence)
• uniqueMember (equality, presence)
• displayName (equality, presence)
• entryUUID (equality)
Custom LDAP Attributes Stored on the Authentication Token
When using a custom attribute stored on the authentication token, this attribute must be
indexed for presence and equality searches.
User Search for Delegation
When searching for users to whom an account can be delegated, several attributes are used to search the directory using a substring match. These attributes must be indexed for substring search. By default, the attributes used are:
• cn
• sn
• givenName
• mail
Since the administrator can change the attributes used for this search by modifying the UserSearchFilter registry value, check that the attributes you choose are indexed.
2.3.3.2 Setting Indexes on Quest ESSO Specific Attributes
To set the index definitions for Quest ESSO specific attribute types, open the wiseguard-extmgr.indexes file. This file is located in TOOLS\ESSODirectory\WGOpenLdapSetup (in the Quest ESSO installation package). Just include it in your slapd.conf configuration file.
As the indexes are subsequently changed, the directory needs to be re-indexed using slapindex with the following guidelines:
• Stop the slapd daemon before using slapindex.
• If you have several slapd.conf files, check that you specify the right one.
• The slapd daemon must be able to write to the created index files.
2.3.4 Integrating SAMBA
You can combine Quest ESSO with a SAMBA domain controller storing its data in an OpenLDAP server.
We provide slapd-samba-extmgr-sample.conf, a sample OpenLDAP configuration file showing how to integrate Quest ESSO ACLs and SAMBA ACLs. This file is located in TOOLS\ESSODirectory\WGOpenLdapSetup (in the Quest ESSO installation package).
SAMBA manages its own computer objects. For Quest ESSO to use the SAMBA computer objects instead of creating new ones, you must enable integration of SAMBA computer objects in Quest ESSO. See "Quest ESSO Configuration with a User Database or Directory other than Microsoft Active Directory" in Section 4.1, "Configuring Workstations".
SAMBA uses non-standard LDAP group entries, using the posixGroup objectClass, which is not handled by Quest ESSO in the default configuration. For Quest ESSO to use the SAMBA group objects, you must enable integration of SAMBA group objects in Quest ESSO. See "Quest ESSO Configuration with a User Database or Directory other than Microsoft Active Directory" in Section 4.1, "Configuring Workstations".
If passwords are synchronized from the SAMBA controller to the OpenLDAP server (and not from OpenLDAP to SAMBA), you must enable password synchronization from the SAMBA controller to the OpenLDAP server in Quest ESSO. When a user then changes his password, the password change operation uses Microsoft API calls to the SAMBA controller, and not an LDAP request to the OpenLDAP server, which would have caused a password desynchronization between SAMBA and OpenLDAP. See "Quest ESSO Configuration with a User Database or Directory other than Microsoft Active Directory" in Section 4.1, "Configuring Workstations".
2.3.5 Configuring Secure Authentication
Subject
With OpenLDAP, Quest ESSO supports the DIGEST-MD5 SASL mechanism. This section explains how to configure Quest ESSO for DIGEST-MD5 with OpenLDAP.
Before Starting
Configure OpenLDAP for DIGEST-MD5: you must configure the mapping between the SASL authentication identity and directory users. For an authentication based on the uid attribute, you must put the following directives in the slapd.conf file:
sasl-regexp
    uid=(.*),cn=digest-md5,cn=auth
    ldap:///dc=qesso,dc=fr??subtree?(uid=$1)
With OpenLDAP, using DIGEST-MD5 implies that user passwords are stored in clear text in the directory.
Procedure
In the Windows registry set the following value (DWORD type) to 1:
HKLM/Software/Enatel/WiseGuard/FrameWork/Directory/LdapAuthMethod
2.3.6 Configuring Data Securization
Subject
This section describes how to configure your LDAP directory to secure authentication
information and other sensitive Quest ESSO data transmitted on the network.
Before Starting
Quest ESSO supports TLS and SSL, but it is strongly recommended to configure your
LDAP directory to support TLS.
Procedure
In the Windows registry, under the HKLM/Software/Enatel/WiseGuard/FrameWork/Directory key, configure TLS with the following values:
• TLS: TLS activation. The following values are available:
  - 0: TLS is not activated to secure Quest ESSO communications.
  - 1: TLS is systematically activated. All communications are encrypted. This can lower the performance of the LDAP server.
  - 2: TLS is only activated when sensitive data is transferred on the network (during password change or account creation).
  It is strongly recommended to set the TLS value to 2.
• TLSDemand: configures the behavior in case of TLS failure when it is activated:
  - 0: TLS is not mandatory: if TLS fails, the connection is activated without encryption.
  - 1: TLS is mandatory: if TLS fails, no connection is activated.
• TLSVerifyServerCertificate: checks the server certificate.
  - 0: the server certificate is not checked. You do not need to indicate the certification authority (CA) certificate.
  - 1: the server certificate is checked with the certification authority. You need to specify the CA certificate.
• TLSCACertificateFile: enter the path to the CA certificate file.
• TLSCACertificatePassword: enter the password used, if needed, to open the CA certificate file.
  A certificate is public data that does not need to be protected.
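The following PowerShell, an added example rather than anything shipped with Quest ESSO, writes the hardened combination of the values above (TLS=2 as recommended, no cleartext fallback, server certificate verified) and audits the key for the weak settings; it also reports the LdapAuthMethod value of 2.3.5 because of the clear-text password storage that DIGEST-MD5 implies. The CA file path is a placeholder and the value types (DWORD for the switches, String for the path) are assumptions, since the guide does not state them.

```powershell
# Added example (not from the Quest ESSO package): sets and audits the TLS values of the
# directory key described above. The guide writes the path with forward slashes; PowerShell
# needs the HKLM:\ drive form of the same key.
$Key = 'HKLM:\Software\Enatel\WiseGuard\FrameWork\Directory'

# Weak profile: TLS=2 as recommended, but a TLS failure silently falls back to cleartext
# LDAP (TLSDemand=0) and the LDAP server is never authenticated (TLSVerifyServerCertificate=0).
$Weak = @{ TLS = 2; TLSDemand = 0; TLSVerifyServerCertificate = 0 }

# Hardened profile: same TLS=2, no fallback, certificate checked against the CA file
# (assumed placeholder path; types assumed DWORD / String).
$Hardened = @{ TLS = 2; TLSDemand = 1; TLSVerifyServerCertificate = 1
               TLSCACertificateFile = 'C:\ProgramData\ESSO\ldap-ca.pem' }

function Set-EssoDirectoryTls {
    param([string]$Key, [hashtable]$Values)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($Name in $Values.Keys) {
        $Type = if ($Values[$Name] -is [string]) { 'String' } else { 'DWord' }
        New-ItemProperty -Path $Key -Name $Name -Value $Values[$Name] -PropertyType $Type -Force | Out-Null
    }
}

# Returns one line per weakness found; an empty result means the hardened profile is in place.
function Test-EssoDirectoryTls {
    param([string]$Key)
    $Findings = @()
    $P = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $P -or $null -eq $P.TLS -or $P.TLS -eq 0) {
        return @('TLS absent or 0: LDAP traffic, passwords included, is sent in clear')
    }
    if ($P.TLSDemand -ne 1) {
        $Findings += 'TLSDemand is not 1: a TLS failure silently downgrades the connection to cleartext'
    }
    if ($P.TLSVerifyServerCertificate -ne 1) {
        $Findings += 'TLSVerifyServerCertificate is not 1: the LDAP server is not authenticated'
    } elseif (-not $P.TLSCACertificateFile -or -not (Test-Path $P.TLSCACertificateFile)) {
        $Findings += 'TLSCACertificateFile is unset or missing: certificate verification cannot succeed'
    }
    if ($P.LdapAuthMethod -eq 1) {
        $Findings += 'LdapAuthMethod=1 (DIGEST-MD5): passwords are stored in clear text in OpenLDAP (see 2.3.5)'
    }
    return $Findings
}

Set-EssoDirectoryTls -Key $Key -Values $Hardened
Test-EssoDirectoryTls -Key $Key      # prints nothing once the hardened profile is applied
```

Swap $Hardened for $Weak in the Set call to see the audit report both downgrade findings; values set through the Policies key variant of the path mentioned earlier in this guide are not read by this check.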
2.4 Netscape iPlanet / Sun Java System / Red Hat /
Fedora Directory Server
2.4.1 Extending the Schema of a Netscape iPlanet / Sun Java System / Red Hat / Fedora Directory Server
Subject
To extend the schema of an existing iPlanet/Sun Java System/Red Hat/Fedora Directory Server, a file is provided in the Quest ESSO installation package, in TOOLS\ESSODirectory\WGDirectoryServer\wiseguard-schema.ldif.
The configuration of SSO for Java requires advanced skills. To deliver SSO access to Java applications, an integration service is required. Please contact Quest Support at www.quest.com/support.
Before Starting
To extend the schema, the user needs to have the permission to create new objects.
Procedure
• Extend the schema by typing the following command:
  ldapmodify -h <host> -p <port> -D <administrator DN> -w <administrator password> -f wiseguard-schema.ldif
  Where:
  <host>: LDAP server hostname.
  <port>: TCP port number of the LDAP server instance you want to configure.
  <administrator DN>: DN of the instance administrator.
  <administrator password>: password of the instance administrator.
2.4.2 Setting ACLs on a Netscape iPlanet / Sun Java System / Red
Hat / Fedora Directory Server
The procedure differs depending on the data model in which you want to store Quest ESSO data:
• If you want to store Quest ESSO data in your corporate naming context, see Section 2.4.2.1, "Standard Storage Mode".
• If you want to store Quest ESSO data in a dedicated naming context, see Section 2.4.2.2, "Cooperative Storage Mode".
2.4.2.1 Standard Storage Mode
Subject
In this mode, Quest ESSO data is stored in your corporate naming context.
Before Starting
If you want to authenticate in Quest ESSO as an administrator, you must create a user or
a group of users and give it administration rights in the directory.
Procedure
1. In the Quest ESSO installation package, open the TOOLS\ESSODirectory\WGDirectoryServer\wiseguard-ACL-extmgr.ldif file in a text editor and perform the following modification:
   • Replace ##SUFFIX## with the Distinguished Name of your corporate naming context.
2. Apply the modification by typing the following command line:
   ldapmodify -h <host> -p <port> -D <administrator DN> -w <administrator password> -f wiseguard-ACL-extmgr.ldif
   Where:
   <host>: LDAP server hostname.
   <port>: TCP port number of the LDAP server instance you want to configure.
   <administrator DN>: DN of the instance administrator.
   <administrator password>: password of the instance administrator.
2.4.2.2 Cooperative Storage Mode
Subject
In this mode, Quest ESSO data is stored in a dedicated naming context. The ACLs are set
on this naming context.
Before Starting
Before carrying out the following procedure, create the Quest ESSO default objects,
as described in Section 3.2, "Running the Default Objects Creation Tool".
If you want to authenticate in Quest ESSO as an administrator, you must create a user or
a group of users and give it administration rights in the directory.
Procedure
1. In the Quest ESSO installation package, open the TOOLS\ESSODirectory\WGDirectoryServer\wiseguard-ACL-cooperativemode-extmgr.ldif file in a text editor and perform the following modifications:
   • Replace ##SUFFIX## with the Distinguished Name of the dedicated naming context.
   • Replace ##AUTHSUFFIX## with the Distinguished Name of your corporate naming context.
   • Replace ##WGFOREIGNOBJECTS## with the Distinguished Name of the container of the Quest ESSO naming context storing the users' personal Quest ESSO data.
     To know the value of this DN, you must have previously created the Quest ESSO default objects. By default, the value of this DN is: ou=IAMForeignObjects,ou=Default,ou=ESSO,<dedicated suffix>
2.
Apply the modification by typing the following command line:
ldapmodify -h <host> –p <port> -D <administrator DN> -w <administrator
password> -f wiseguard-ACL-cooperativemode-extmgr.ldif
Where:
STRING                     DESCRIPTION
<host>                     LDAP server hostname.
<port>                     TCP port number of the LDAP server instance you want to configure.
<administrator DN>         DN of the instance administrator.
<administrator password>   Password of the instance administrator.
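The placeholder substitution in step 1 is easy to get wrong by hand: a ##SUFFIX## left in the file makes ldapmodify reject the record, and a mistyped DN sets the ACL on the wrong entry. The following Python script is an added example, not code from the guide or the installation package. It fills the three placeholders, derives the default ##WGFOREIGNOBJECTS## DN from the dedicated suffix exactly as described above, and refuses to emit a file while any ##...## marker remains. The LDIF text embedded in it is a constructed stand-in that uses the same placeholders as wiseguard-ACL-cooperativemode-extmgr.ldif; it does not reproduce the shipped file, and the script name fill_acl.py and the suffix values are hypothetical.

```python
"""Fill the ##...## placeholders of a Quest ESSO ACL LDIF template.

Added example (not from the installation package). SAMPLE_TEMPLATE is a
constructed stand-in with the same placeholders as the shipped
wiseguard-ACL-cooperativemode-extmgr.ldif; it does not reproduce that file.
"""
from __future__ import annotations

import re
import sys

PLACEHOLDER = re.compile(r"##([A-Z_]+)##")

# Constructed sample: two modify records that use the three placeholders.
SAMPLE_TEMPLATE = """\
dn: ##SUFFIX##
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "ESSO read"; allow (read,search) userdn="ldap:///##AUTHSUFFIX##??sub?(objectClass=person)";)

dn: ##WGFOREIGNOBJECTS##
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "ESSO personal data"; allow (all) userdn="ldap:///self";)
"""


def default_foreign_objects_dn(dedicated_suffix: str) -> str:
    """Default DN of the container holding users' personal Quest ESSO data,
    as created by the Default Objects Creation Tool (value from the guide)."""
    return f"ou=IAMForeignObjects,ou=Default,ou=ESSO,{dedicated_suffix}"


def placeholders(template: str) -> list[str]:
    """Sorted, de-duplicated list of the ##NAME## markers found in a template."""
    return sorted(set(PLACEHOLDER.findall(template)))


def fill_ldif(template: str, values: dict[str, str]) -> str:
    """Replace every placeholder; fail loudly rather than emit a partial file."""
    missing = [name for name in placeholders(template) if name not in values]
    if missing:
        raise KeyError("no value supplied for: " + ", ".join(f"##{m}##" for m in missing))
    for name, value in values.items():
        # An empty DN or a value that itself contains a marker would silently
        # produce a malformed ACL target.
        if not value or PLACEHOLDER.search(value):
            raise ValueError(f"invalid value for ##{name}##: {value!r}")
    filled = PLACEHOLDER.sub(lambda m: values[m.group(1)], template)
    assert not PLACEHOLDER.search(filled)  # every marker consumed
    return filled


def cooperative_mode_values(dedicated_suffix: str, corporate_suffix: str) -> dict[str, str]:
    """Values for the three placeholders of the cooperative storage mode file."""
    return {
        "SUFFIX": dedicated_suffix,
        "AUTHSUFFIX": corporate_suffix,
        "WGFOREIGNOBJECTS": default_foreign_objects_dn(dedicated_suffix),
    }


if __name__ == "__main__":
    # Hypothetical usage:
    #   fill_acl.py TEMPLATE.ldif "dc=esso,dc=example" "dc=corp,dc=example" > filled.ldif
    if len(sys.argv) != 4:
        sys.exit("usage: fill_acl.py TEMPLATE DEDICATED_SUFFIX CORPORATE_SUFFIX")
    with open(sys.argv[1], encoding="utf-8") as fh:
        text = fh.read()
    sys.stdout.write(fill_ldif(text, cooperative_mode_values(sys.argv[2], sys.argv[3])))
```

The generated file is then applied with the ldapmodify command line of step 2. Checking for leftover markers before running ldapmodify matters because ldapmodify without -c stops at the first rejected record, which can leave the ACLs half applied.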
2.4.3 Setting Indexes on Netscape iPlanet / Sun Java System / Red Hat / Fedora Directory Server Attributes
2.4.3.1 Setting Indexes on Standard Attributes
General Use
The following standard attributes must be indexed:
- cn (substring, equality, presence).
- uid (equality, presence).
- objectClass (equality, presence).
- member (equality, presence).
- uniqueMember (equality, presence).
- displayName (equality, presence).
- nsuniqueid (equality).
Set these attributes in the corporate and in the Quest ESSO dedicated naming
contexts.
Custom LDAP Attributes Stored on the Authentication Token
When using a custom attribute stored on the authentication token, this attribute must be
indexed for presence and equality searches.
Set this attribute in the corporate naming context only.
User Search for Delegation
When searching for users to whom an account can be delegated, several attributes are used
to search the directory using a substring match. These attributes must be indexed for
substring search.
Set these attributes in the corporate naming context only.
By default, the attributes used are:
- cn
- sn
- givenName
- mail
Since the administrator can change the attributes used for this search by modifying the
UserSearchFilter registry value, the administrator must check that the chosen attributes
are indexed.
2.4.3.2 Setting Indexes on Quest ESSO Specific Attributes
The following Quest ESSO specific attributes must be indexed:
- enatelUserSecurityProfileObject (equality, presence).
- enatelApplicationProfileObject (equality, presence).
- enatelUserEntityObject (equality, presence).
- enatelComputerSecurityProfileObject (presence).
Set these specific attributes in the Quest ESSO dedicated naming context only.
If you plan smart card authentication, set the following attributes:
- enatelSerialNumber (equality, presence).
- enatelTokenClassName (equality, presence).
- enatelTokenState (equality, presence).
If you want to use Web Access Manager with Quest ESSO, set the following attributes:
- enatelAccountBaseID (equality, presence).
- enatelPersonalApplicationId (equality, presence).
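On Red Hat / Fedora Directory Server (389 Directory Server) the requirements of 2.4.3.1 and 2.4.3.2 translate into nsIndex entries under the backend's cn=index container, and an unindexed attribute is easy to miss when the lists are long. The following Python script is an added example, not the guide's or the product's code: it renders the required indexes as an LDIF file for ldapmodify and compares the requirement list with an existing index configuration to report what is missing. The backend name userRoot is an assumption (the dedicated and corporate naming contexts may live in differently named backends), and EXISTING_SAMPLE is constructed data standing in for what an ldapsearch of the index container would return.

```python
"""Render Quest ESSO index requirements as 389 Directory Server nsIndex LDIF
and report missing index types against an existing configuration.

Added example, not from the guide or the product. The backend name
"userRoot" and EXISTING_SAMPLE are assumptions / constructed data.
"""
from __future__ import annotations

# Index type names used in the guide -> nsIndexType values understood by 389 DS.
NS_INDEX_TYPE = {"equality": "eq", "presence": "pres", "substring": "sub"}

# Standard attributes (2.4.3.1): corporate and dedicated naming contexts.
STANDARD = {
    "cn": ("substring", "equality", "presence"),
    "uid": ("equality", "presence"),
    "objectClass": ("equality", "presence"),
    "member": ("equality", "presence"),
    "uniqueMember": ("equality", "presence"),
    "displayName": ("equality", "presence"),
    "nsuniqueid": ("equality",),
}

# Quest ESSO specific attributes (2.4.3.2): dedicated naming context only.
ESSO_SPECIFIC = {
    "enatelUserSecurityProfileObject": ("equality", "presence"),
    "enatelApplicationProfileObject": ("equality", "presence"),
    "enatelUserEntityObject": ("equality", "presence"),
    "enatelComputerSecurityProfileObject": ("presence",),
}
SMART_CARD = {
    "enatelSerialNumber": ("equality", "presence"),
    "enatelTokenClassName": ("equality", "presence"),
    "enatelTokenState": ("equality", "presence"),
}
WEB_ACCESS_MANAGER = {
    "enatelAccountBaseID": ("equality", "presence"),
    "enatelPersonalApplicationId": ("equality", "presence"),
}


def index_dn(attr: str, backend: str) -> str:
    """DN of the index entry for one attribute in one ldbm backend."""
    return f"cn={attr},cn=index,cn={backend},cn=ldbm database,cn=plugins,cn=config"


def index_ldif(required: dict[str, tuple[str, ...]], backend: str = "userRoot") -> str:
    """One LDIF add record per attribute, ready for ldapmodify -f."""
    records = []
    for attr, types in required.items():
        lines = [
            f"dn: {index_dn(attr, backend)}",
            "changetype: add",
            "objectClass: top",
            "objectClass: nsIndex",
            f"cn: {attr}",
            "nsSystemIndex: false",
        ]
        lines += [f"nsIndexType: {NS_INDEX_TYPE[t]}" for t in types]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


def missing_indexes(required: dict[str, tuple[str, ...]],
                    existing: dict[str, set[str]]) -> dict[str, list[str]]:
    """Required index types (guide names) not present in `existing`, whose values
    are nsIndexType names already configured, e.g. {"cn": {"eq", "pres"}}.
    Attribute names compare case-insensitively, as LDAP attribute types do."""
    present = {k.lower(): {t.lower() for t in v} for k, v in existing.items()}
    gaps: dict[str, list[str]] = {}
    for attr, types in required.items():
        want = [NS_INDEX_TYPE[t] for t in types]
        have = present.get(attr.lower(), set())
        lacking = [t for t in want if t not in have]
        if lacking:
            gaps[attr] = lacking
    return gaps


# Constructed sample of what a backend might already index (in practice read
# with ldapsearch -b "cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config").
EXISTING_SAMPLE = {
    "cn": {"eq", "pres"},          # substring index missing
    "uid": {"eq", "pres"},
    "objectclass": {"eq", "pres"},
    "member": {"eq", "pres"},
    "uniquemember": {"eq", "pres"},
    "nsuniqueid": {"eq"},
    # displayName not indexed at all
}

if __name__ == "__main__":
    for attr, lacking in missing_indexes(STANDARD, EXISTING_SAMPLE).items():
        print(f"{attr}: missing {', '.join(lacking)}")
    print(index_ldif({**ESSO_SPECIFIC, **SMART_CARD, **WEB_ACCESS_MANAGER}))
```

Adding an nsIndex entry only declares the index; on 389 Directory Server the new index must be built with a reindex task before searches on that attribute stop being unindexed, so run the reindex after applying the LDIF and before putting the Controllers in service.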
2.4.4 Configuring Secure Authentication
Subject
With Netscape iPlanet/Sun Java System/Red Hat/Fedora Directory Server, Quest ESSO
supports DIGEST-MD5 SASL mechanisms. This section explains how to configure Quest
ESSO for DIGEST-MD5 with Netscape iPlanet/Sun Java System/Red Hat/Fedora
Directory Server.
This task is optional. Carry out the following procedure only if required.
Before Starting
Configure iPlanet/Sun Java System/Red Hat/Fedora Directory Server for DIGEST-MD5.
Depending on your directory version, it may be necessary to change the password
storage scheme so that user passwords are stored in clear text in your directory, because
the DIGEST-MD5 mechanism needs the clear-text password on the server side.
Procedure
In the Windows registry set the following value (DWORD type) to 1:
HKLM/Software/Enatel/WiseGuard/FrameWork/Directory/LdapAuthMethod
2.4.5 Configuring Data Securization
Subject
This section describes how to configure your LDAP directory to secure authentication
information and other sensitive Quest ESSO data transmitted on the network.
Before Starting
Quest ESSO supports TLS and SSL, but it is strongly recommended to configure your
LDAP directory to support TLS.
Procedure
In the Windows registry, under the
HKLM/Software/Enatel/WiseGuard/FrameWork/Directory key, configure TLS with the
following values:
- TLS: TLS activation. The following values are available:
  - 0: TLS is not activated to secure Quest ESSO communications.
  - 1: TLS is systematically activated. All communications are encrypted. This
    can lower the performance on the LDAP server.
  - 2: TLS is only activated when sensitive data is transferred on the network
    (during password change or account creation).
  It is strongly recommended to set the TLS value to 2.
- TLSDemand: configures the behavior in case of TLS failure when it is activated:
  - 0: TLS is not mandatory: if TLS fails, the connection is activated without
    encryption.
  - 1: TLS is mandatory: if TLS fails, no connection is activated.
- TLSVerifyServerCertificate: checks the server certificate.
  - 0: the server certificate is not checked. You do not need to indicate the
    certification authority (CA) certificate.
  - 1: the server certificate is checked with the certification authority. You need
    to specify the CA certificate.
- TLSCACertificateFile: enter the path to the CA certificate file.
- TLSCACertificatePassword: enter the password used if needed to open the CA
  certificate file.
  A certificate is public data that does not need to be protected.
- TLSCACertificateFileFormat (file format used to store the certificate):
  0 - OpenSSL PEM file (Base 64 encoding) or certificate file in the ASCII format of
  Directory Server.
2.5 Novell eDirectory
2.5.1 Extending the Schema of a Novell eDirectory
Subject
To extend the schema of a Novell eDirectory, the file wiseguard-schema.ldif is provided in
the directory TOOLS\ESSODirectory\WGeDirectory of the Quest ESSO installation
package. This contains the definition of the Quest ESSO objects.
Procedure
Extend the schema using one of the following commands:
ldapmodify -c -h <host> -p <port>
-D <super-user DN> -w <super-user password>
-f wiseguard-schema.ldif
or:
ice -S LDIF -f wiseguard-schema.ldif
-D LDAP -s <host> -p <port>
-d <super-user DN> -w <super-user password>
Where:
- <host> is replaced by your LDAP server hostname.
- <port> is replaced by the port number of your LDAP server.
- <super-user DN> is replaced by the distinguished name of your directory super-user.
- <super-user password> is replaced by the password of the super-user.
2.5.2 Setting ACLs for Delegation (Optional)
Subject
To enable Quest ESSO account delegation, users must be able to search the directory for
other users. The file wiseguard-delegation-ACL.ldif in the directory
TOOLS\ESSODirectory\WGeDirectory of the Quest ESSO installation package is used
to give the necessary access rights for this operation.
This procedure can be performed at any time.
Procedure
1. Modify a copy of the file wiseguard-delegation-ACL.ldif and replace the text
   ##ROOT_DN## with the distinguished name of the root node of your LDAP
   server.
2. Set the ACLs with one of the following commands:
   ldapmodify -x -h <host> -p <port>
   -D <super-user DN> -w <super-user password>
   -c -f wiseguard-delegation-ACL.ldif
   or:
   ice -S LDIF -c -f wiseguard-delegation-ACL.ldif
   -D LDAP -s <host> -p <port>
   -d <super-user DN> -w <super-user password>
Where:
- <host> is replaced by your LDAP server hostname.
- <port> is replaced by the port number of your LDAP server.
- <super-user DN> is replaced by the distinguished name of your directory super-user.
- <super-user password> is replaced by the password of the super-user.
2.5.3 Setting Indexes on Novell eDirectory Attributes
2.5.3.1 Setting Indexes on Standard Attributes
General Use
The following standard attributes must be indexed:
- cn (substring, equality, presence).
- uid (equality, presence).
- objectClass (equality, presence).
- member (equality, presence).
- uniqueMember (equality, presence).
- displayName (equality, presence).
- GUID (equality).
Custom LDAP Attributes Stored on the Authentication Token
When using a custom attribute stored on the authentication token, this attribute must be
indexed for presence and equality searches.
User Search for Delegation
When searching for users to whom an account can be delegated, several attributes are used
to search the directory using a substring match. These attributes must be indexed for
substring search. By default, the attributes used are:
- cn
- sn
- givenName
- mail
Since the administrator can change the attributes used for this search by modifying the
UserSearchFilter registry value, the administrator must check that the chosen attributes
are indexed.
2.5.3.2 Setting Indexes on Quest ESSO Specific Attributes
The following specific attributes must be indexed:
- enatelUserSecurityProfileObject (equality, presence)
- enatelApplicationProfileObject (equality, presence)
- enatelTokenClassName (equality, presence)
- enatelSerialNumber (equality, presence)
- enatelTokenState (equality, presence)
- enatelUserEntityObject (equality, presence)
- enatelSoftwareModuleType (equality, presence)
- enatelComputerSecurityProfileObject (presence)
- enatelSSOParameterPresetId (equality, presence)
- enatelComputerObject (equality, presence)
- enatelAccountBaseID (equality, presence)
- enatelAdmObject (equality, presence)
- enatelTokenType (equality, presence)
- enatelSSOKeys (presence)
- enatelGlobalCertificateState (equality, presence)
- enatelAccountType (equality, presence)
- enatelAllowedApplicationMask (equality, presence)
- enatelApplicationObject (equality, presence)
- enatelSSOParameterObject (equality, presence)
- enatelUserRoleObject (equality, presence)
- enatelUserLocalAccountName (equality, presence)
- enatelPasswordChangePolicyObject (equality, presence)
- enatelExpirationDate (ordering, equality, presence)
- enatelTokenPinState (equality, presence)
- enatelLentUntil (ordering, equality, presence)
- enatelPersonalApplicationId (equality, presence)
2.5.4 Configuring Secure Authentication (Optional)
Subject
With Novell eDirectory, Quest ESSO supports the following SASL mechanisms:
- DIGEST-MD5.
- NMAS: the SASL/NMAS mechanism allows the use of NMAS modular
  authentication from Novell, and allows a choice between available authentication
  sequences. Quest ESSO only supports the NDS sequence, which consists of a
  secure authentication with login and password.
This section explains how to configure Quest ESSO for DIGEST-MD5 and NMAS with
Novell eDirectory.
- It is strongly recommended to use the NMAS mechanism.
- This task is optional. Carry out the following procedure only if required.
Before Starting
To use NMAS authentication, the Novell NMAS Client software must be installed on your
Quest ESSO Controller.
Procedure
In the Windows registry, set the DWORD value
HKLM/Software/Enatel/WiseGuard/FrameWork/Directory/LdapAuthMethod as follows:
- for NMAS: 4.
- for DIGEST-MD5: 1.
2.5.5 Configuring Data Securization
Subject
This section describes how to configure your LDAP directory to secure authentication
information and other sensitive Quest ESSO data transmitted on the network.
Before Starting
Quest ESSO supports TLS and SSL, but it is strongly recommended to configure your
LDAP directory to support TLS.
Procedure
In the Windows registry, under the
HKLM/Software/Enatel/WiseGuard/FrameWork/Directory key, configure TLS with the
following values:
- TLS: TLS activation. The following values are available:
  - 0: TLS is not activated to secure Quest ESSO communications.
  - 1: TLS is systematically activated. All communications are encrypted. This
    can lower the performance on the LDAP server.
  - 2: TLS is only activated when sensitive data is transferred on the network
    (during password change or account creation).
  It is strongly recommended to set the TLS value to 2.
- TLSDemand: configures the behavior in case of TLS failure when it is activated:
  - 0: TLS is not mandatory: if TLS fails, the connection is activated without
    encryption.
  - 1: TLS is mandatory: if TLS fails, no connection is activated.
- TLSVerifyServerCertificate: checks the server certificate.
  - 0: the server certificate is not checked. You do not need to indicate the
    certification authority (CA) certificate.
  - 1: the server certificate is checked with the certification authority. You need
    to specify the CA certificate.
- TLSCACertificateFile: enter the path to the CA certificate file.
- TLSCACertificatePassword: enter the password used if needed to open the CA
  certificate file.
  A certificate is public data that does not need to be protected.
2.6 IBM Tivoli Directory Server
2.6.1 Extending the Schema of an IBM Tivoli Directory Server
Subject
To extend the schema of an IBM Tivoli Directory Server, two files are provided on the
Quest ESSO installation package, in TOOLS\ESSODirectory\WGITDS:
- wiseguard.at
- wiseguard.oc
Before Starting
User objects must possess the enatelUser auxiliary class to be able to use Quest
ESSO.
Procedure
1. Start the IBM Tivoli Directory Server (ITDS) server configuration tool.
2. Click the Manage schema files section.
3. Add the following files in this exact order:
   - wiseguard.at
   - wiseguard.oc
2.6.2 Setting ACLs on an IBM Tivoli Directory Server
Subject
This section explains how to set ACLs on an IBM Tivoli Directory Server.
Before Starting
Users must possess the following entry in their ACL (ibm-filterAclEntry attribute):
id:<DN>:(objectClass=*):object:ad:system:rsc:normal:rwsc:restricted:rwsc:sensitive:rwsc
Where the <DN> string must be replaced with the user DN.
Procedure
To set Quest ESSO access permissions on the directory, apply the following LDIF file on
the directory root:
dn: <DNSuffixe>
changetype: modify
add: ibm-filterAclEntry
ibm-filterAclEntry: group:CN=ANYBODY:(objectClass=*):system:rsc:restricted:rsc:normal:rsc
ibm-filterAclEntry: group:CN=AUTHENTICATED:(objectClass=enatelSSOStorage):object:a
ibm-filterAclEntry: group:CN=AUTHENTICATED:(&(objectClass=enatelSSOAccount)(enatelAccountType=3)):object:d:system:rsc:normal:rwsc:restricted:rwsc:sensitive:rwsc
ibm-filterAclEntry: accessid:CN=THIS:(objectClass=inetOrgPerson):at.userPassword:w
ibm-filterAclEntry: accessid:CN=THIS:(objectClass=enatelComputer):at.userPassword:w
Where:
The <DNSuffixe> string must be replaced with the directory suffix.
2.6.3 Setting Indexes on IBM Tivoli Directory Server Attributes
On IBM Tivoli Directory Server, indexes are set during the schema extension.
2.6.4 Configuring Secure Authentication
Subject
With IBM Directory Server, Quest ESSO supports DIGEST-MD5 SASL mechanisms. This
section explains how to configure Quest ESSO for DIGEST-MD5 with IBM Directory
Server.
Before Starting
- The IBM LDAP client is mandatory to perform a DIGEST-MD5 authentication
  toward IBM Tivoli Directory Server.
- Configure IBM Tivoli Directory Server for DIGEST-MD5.
  With IBM Tivoli Directory Server, this implies that user passwords are stored in clear
  text in the directory or with the iMask symmetrical encryption.
Procedure
In the Windows registry set the following value (DWORD type) to 1:
HKLM/Software/Enatel/WiseGuard/FrameWork/Directory/LdapAuthMethod
2.6.5 Configuring Data Securization
Subject
This section describes how to configure your LDAP directory to secure authentication
information and other sensitive Quest ESSO data transmitted on the network.
Before Starting
Quest ESSO supports TLS and SSL, but it is strongly recommended to configure your
LDAP directory to support TLS.
Procedure
In the Windows registry, under the
HKLM/Software/Enatel/WiseGuard/FrameWork/Directory key, configure TLS with the
following values:
- TLS: TLS activation. The following values are available:
  - 0: TLS is not activated to secure Quest ESSO communications.
  - 1: TLS is systematically activated. All communications are encrypted. This
    can lower the performance on the LDAP server.
  - 2: TLS is only activated when sensitive data is transferred on the network
    (during password change or account creation).
  It is strongly recommended to set the TLS value to 2.
- TLSDemand: configures the behavior in case of TLS failure when it is activated:
  - 0: TLS is not mandatory: if TLS fails, the connection is activated without
    encryption.
  - 1: TLS is mandatory: if TLS fails, no connection is activated.
- TLSVerifyServerCertificate: checks the server certificate.
  - 0: the server certificate is not checked. You do not need to indicate the
    certification authority (CA) certificate.
  - 1: the server certificate is checked with the certification authority. You need
    to specify the CA certificate.
- TLSCACertificateFile: enter the path to the CA certificate file.
- TLSCACertificatePassword: enter the password used if needed to open the CA
  certificate file.
  A certificate is public data that does not need to be protected.
- TLSCACertificateFileFormat (file format used to store the certificate):
  1 - IBM Keyring "CMS" file.
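Sections 2.4.5, 2.5.5 and 2.6.5 describe the same four registry values, and the weak combinations are the same whichever directory is behind them: TLS=0 sends passwords in clear, TLSDemand=0 lets a failed handshake fall back to an unencrypted connection, TLSVerifyServerCertificate=0 leaves the directory server unauthenticated, and TLSVerifyServerCertificate=1 without TLSCACertificateFile leaves verification with no trust anchor. The following Python script is an added example, not the guide's or the product's code: it encodes those semantics as a review of a settings dictionary, with an optional reader for the live registry on Windows (the guide writes the key with forward slashes; winreg needs the backslash form). Severity labels, the sample dictionaries and the CA file path are this example's own.

```python
"""Review the Quest ESSO directory TLS registry values described in the guide.

Added example, not from the guide or the product. The checks encode the
meaning the guide gives to TLS, TLSDemand, TLSVerifyServerCertificate and
TLSCACertificateFile; the severities and the samples are this example's own.
"""
from __future__ import annotations

# Key from the guide (HKLM/Software/Enatel/WiseGuard/FrameWork/Directory), in winreg form.
REG_KEY = r"SOFTWARE\Enatel\WiseGuard\FrameWork\Directory"
TLS_VALUES = ("TLS", "TLSDemand", "TLSVerifyServerCertificate", "TLSCACertificateFile")


def review_tls_settings(cfg: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings for a settings dict such as
    {"TLS": 2, "TLSDemand": 1, "TLSVerifyServerCertificate": 1,
     "TLSCACertificateFile": r"C:\\certs\\ca.pem"}. Absent DWORDs count as 0."""
    findings: list[tuple[str, str]] = []
    tls = int(cfg.get("TLS", 0))
    demand = int(cfg.get("TLSDemand", 0))
    verify = int(cfg.get("TLSVerifyServerCertificate", 0))
    ca_file = (cfg.get("TLSCACertificateFile") or "").strip()

    if tls == 0:
        findings.append(("high", "TLS=0: passwords and other Quest ESSO data cross the network unencrypted"))
        return findings  # the remaining values have no effect while TLS is off
    if tls == 1:
        findings.append(("info", "TLS=1: every LDAP exchange is encrypted; the guide recommends 2 for performance"))
    elif tls != 2:
        findings.append(("high", f"TLS={tls} is not a documented value (expected 0, 1 or 2)"))
    if demand == 0:
        findings.append(("high", "TLSDemand=0: a TLS failure silently downgrades to an unencrypted connection"))
    if verify == 0:
        findings.append(("high", "TLSVerifyServerCertificate=0: the directory server's certificate is not "
                                 "checked, so the Controller cannot tell it reached the genuine server"))
    elif not ca_file:
        findings.append(("high", "TLSVerifyServerCertificate=1 but TLSCACertificateFile is empty: "
                                 "verification has no trust anchor and TLS sessions will fail"))
    return findings


def is_hardened(cfg: dict) -> bool:
    """True when the review raises no finding rated high."""
    return all(sev != "high" for sev, _ in review_tls_settings(cfg))


def read_from_registry() -> dict:
    """Read the four values from the live Windows registry (Windows only)."""
    import winreg  # standard library, available on Windows builds of Python
    cfg = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_KEY) as key:
        for name in TLS_VALUES:
            try:
                cfg[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # absent value: the review treats it as 0 / empty
    return cfg


# Constructed sample configurations (the CA path is hypothetical).
WEAK_SAMPLE = {"TLS": 2, "TLSDemand": 0, "TLSVerifyServerCertificate": 0}
RECOMMENDED_SAMPLE = {"TLS": 2, "TLSDemand": 1, "TLSVerifyServerCertificate": 1,
                      "TLSCACertificateFile": r"C:\ProgramData\ESSO\ca.pem"}

if __name__ == "__main__":
    for sev, msg in review_tls_settings(WEAK_SAMPLE):
        print(f"[{sev}] {msg}")
```

Run on a Controller with `review_tls_settings(read_from_registry())` after configuring the values; a result with no high finding corresponds to the combination the guide recommends (TLS=2, TLSDemand=1, TLSVerifyServerCertificate=1 with a CA file).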
2.7 Deploying a Workstation LDAP User Account
Subject
You can force Quest ESSO to use a given LDAP account to do requests on the directory
server.
Restrictions
The following procedure runs only with Active Directory and ADAM/AD LDS directories.
Procedure
1. Create a user account in your directory.
   If you are using Active Directory, add the user to the "Domain Computers" group.
2. At the Windows command prompt, change to the C:\Program Files\Common Files\Quest
   Software\WGSS folder and type the following command: wgss /c
   The Administration Tools window appears.
3. Fill in the LDAP Admin User Name (if you are working with Active Directory, do
   not forget the Domain name) and Password fields, and click the Get Encrypted
   Credentials button to generate the encrypted string and copy it to the clipboard.
4. Deploy the following registry value on all the workstation clients using GPO (for
   more details, see Section 8., "Centralizing Parameters Using Group Policy
   Objects (GPO)"): in
   HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\Framework\FmkServer, create the
   following value:
   - Name: AccessPointLdapCredentials.
   - Type: String.
   - Value: paste the encrypted string copied to the clipboard.
3 Installing Quest ESSO
Controllers and Audit Databases
Subject
Quest ESSO provides a set of administration tools which allow you to:
- Initialize the LDAP directory by creating default objects which are necessary for
  the use of Quest ESSO modules.
- Create the security database in the directory.
- Publish your specific token configurations in the directory.
- Install and configure the audit databases.
- Declare the technical accounts used by the Quest ESSO Controllers.
- Install Quest ESSO Controllers.
This section details how to start and use the administration tools.
Before Starting
- You must have prepared the LDAP Directory (see Section 2., "Preparing the
  Storage of Security Data in the LDAP Directory").
- Log on to the domain as an LDAP directory administrator.
3.1 Starting the Administration Tools window
Subject
The Administration Tools window is a task-oriented interface that allows you to configure
your Quest ESSO solution.
Procedure
1. Log on as system administrator.
2. Open the root folder of the Quest ESSO installation package and run start.hta.
   The following window appears.
   If the window does not appear, do the following:
   - Browse the downloaded installation package and open the folder
     corresponding to your Windows system processor: E-SSO for 32 bits
     processors and E-SSO.x64 for 64 bits processors.
   - Browse the TOOLS directory, and run WGSrvConfig\WGSRVConfig.exe.
3. In the Advanced Installation area, click one of the following, depending on your
   Windows system processor:
   - Quest Software E-SSO: for 32 bits processors.
   - Quest Software E-SSO - x64: for 64 bits processors.
   The Administration Tools window appears.
Each tool that you can run from the Administration Tools window is a wizard that allows
you to perform a specific operation during the installation process of the Quest ESSO
databases.
3.2 Running the Default Objects Creation Tool
Subject
The "Default objects creation" tool initializes the LDAP directory with default Quest ESSO
objects.
Restrictions
Use this tool only if you are installing primary or associated Quest ESSO Controllers.
Before Starting
Do not use the default account of your LDAP directory as the administrator account (as
CN=directory manager for Netscape iPlanet/Sun Java System/Red Hat/Fedora
directories), or for OpenLDAP directories, the super user defined in the rootdn directive (as
cn=Manager,dc=example,dc=com for example).
Procedure
1. In the Administration Tools window, click Create default objects.
   The LDAP directory initialization wizard appears.
2. Follow carefully the displayed instructions (for more details, see section Hint just
   below).
Hint
Filling in the "LDAP configuration - Directory initialization" Window
The wizard allows you to choose the administration mode.
The following window appears.
To extend the administration capabilities of the solution, click Activate advanced
administration mode (for more information on advanced administration mode, see Quest
ESSO Console Administrator Guide).
The advanced administration mode cannot be changed later. If this is a new
installation, this mode is recommended. If you are upgrading, existing administration
profiles will be migrated.
3.3 Initializing the Primary Controller
Subject
This section describes how to use the Primary server initialization tool, which creates the
Quest ESSO security database in the directory. For your security database you can
choose either software or hardware protection.
Before Starting
- If you use the hardware protection mode:
  - You must have the Security Module, its associated PIN code and smart
    card reader.
  - Connect the smart card reader on the computer.
- If you use the software protection mode, you must provide a pass phrase.
Procedure
1. In the Administration Tools window, click Initialize the Primary controller.
   The primary controller initialization wizard appears.
2. Follow the displayed instructions (for more details, see section Hint just below).
Hint
Filling in the Protection mode window
The wizard allows you to choose the protection mode for your security database.
The following window appears.
- In software protection mode, administration keys are protected by a pass phrase.
- In hardware protection mode, administration encryption keys are protected by
  cryptographic smart cards. In this mode, smart cards are required to perform
  Quest ESSO administration tasks.
For more information on protection mode, see Quest ESSO Console Administrator Guide.
3.4 Initializing an Associated Controller
Subject
This section describes how to use the Associated controller initialization tool, which
creates the Quest ESSO security database from the primary controller.
Before Starting
- The Primary controller must be installed.
- You must have the Security Module and its PIN code. It is strongly
  recommended to use the same security module as the primary server to allow
  administrators to manage several servers.
Restriction
You must install Associated controllers only if you are implementing a Quest ESSO
software architecture in a multi-domain environment.
Procedure
1. In the Administration Tools window, click Initialize an associated controller.
   The associated controller initialization wizard appears.
2. Follow the displayed instructions.
3.5 Publishing a New Token Data File
Subject
This task is optional: if your organization needs to use smart cards or USB tokens which
are not supported by Quest ESSO, you can import a personalization file in the LDAP
directory, so that the use of specific smart card becomes possible.
To know the list of standard smart cards supported by Quest ESSO, see the Release
Notes.
The token personalization file is an XML file provided by Quest ESSO.
Before Starting
Make sure you have the appropriate token personalization XML file.
Procedure
1. In the Administration Tools window, click Publish a new Token data file.
   The wizard appears.
2. Follow the displayed instructions.
3.6 Defining Administrative Tokens for Self Service
Password Request
See Section 5., "Enabling the Self Service Password Request (SSPR) Capability".
3.7 Importing an External Key
Subject
This task allows you to import the public key of an external application into the Quest
ESSO security directory, in order to allow Quest ESSO users to share their accounts with
the external application.
Before Starting
The public key must be available as a PEM file.
Procedure
1. In the Administration Tools window, click Import an external key.
   The wizard appears.
2. Follow the displayed instructions.
If you are using Active Directory as the Quest ESSO security repository, when the
wizard asks you to enter the login/password of an administrator account, use the
account that is a member of the Domain Admins group and that you have specifically
created to install Quest ESSO.
3.8 Importing/Exporting the Controller Key
Subject
This task allows you to export the key of the primary controller to a secondary or
associated controller. The server key is exported in an authentication description file and
protected by password, then this key is imported into the secondary or associated server.
Before Starting
Before importing or exporting the controller key, make sure Quest ESSO Security Services
are started.
Procedure
1. In the domain where the primary controller is installed, in the Administration
   Tools window, click Import/Export controller key.
   The controller key management window appears.
2. Select Export server key.
   - Enter and confirm the password that protects the key.
   - Click the Select button to create the authentication description file and
     click Ok.
3. In the domain where the secondary or associated controller is installed, in the
   Administration Tools window, click Import/Export server key.
   The controller key management window appears.
4. Select Import server key.
   - Enter and confirm the password.
   - Select the key file to be imported into the secondary or associated controller
     and click Ok.
3.9 Installing and Configuring the Local Audit
Database
Description
Quest ESSO provides the Audit V2 Database Server, with advanced filtering capabilities.
The installation procedure will differ depending on your needs:
- To install and configure a dedicated MySQL audit database server on the Quest
  ESSO Controller, go to 3.9.1 Installing the Provided Audit V2 MySQL Database
  Server.
- To create audit database tables in an existing database system installed on the
  Quest ESSO Controller, go to 3.9.2 Creating Audit V2 Tables in an Existing
  Database.
Once the database is installed and configured, a tool allows you to import the audit
translation data, as explained in 3.9.4 Updating the Audit Translation Data.
If you want to migrate an existing Quest ESSO Audit database from V1 format to the
V2 format, please contact your Quest Software representative.
Before Starting
For each Quest ESSO Controller installed, you must setup a Local Audit Database. If
several Controllers are installed or if you plan to install several Controllers, these
Controllers must share the same master audit database.
To achieve this, you can either install a:
- Single database server and configure all Controllers to use that database as
  their Local Audit Database.
- Local Audit Database on each Controller and install a central Master Audit
  Database in which all Controllers upload all their events.
The second solution provides the best performance. Indeed, the unavailability of the
Master Audit Database (e.g. during maintenance periods) does not prevent the collection
of audit events from a workstation.
Install and configure the Master Audit Database right after installing the first Local
Audit Database.
For more information on the installation and configuration of the Master Audit Database,
please refer to section 3.11, "Defining a Master Audit Database".
3.9.1 Installing the Provided Audit V2 MySQL Database Server
Before Starting
You have an Internet connection.
Procedure
1. In the Administration Tools window, click Install Audit V2 Server.
   The installation wizard appears.
2. Follow the displayed instructions with the following guidelines, window by window:
   - Click Install a MySQL database server on this Quest ESSO controller, then
     click Next.
   - To download the MySQL installation packages, do the following:
     a) Read carefully the minimum file version required and click Download.
        Your favorite web browser appears and displays the MySQL download page.
     b) Browse the page to download the wanted release.
     Enter the locations of the 3 installation packages and click Next.
   - The Data folder, Port number and Super user name fields are already filled in.
     1. In the Super user password and Confirm fields, type a password for the
        database super-user that is about to be created.
     2. Click Next.
     The MySQL server installation starts.
   - The wizard retrieves the information given at the MySQL server installation
     step.
     1. If you want to modify the displayed data, click the Advanced button to edit
        the fields.
     2. Click Next.
     The table creation starts.
3.9.2 Creating Audit V2 Tables in an Existing Database
The wizard supports the following database servers:
- MySQL Server.
- SQL Server.
- PostgreSQL.
If you need another database, please contact your Quest Software representative.
Procedure
1. In the Administration Tools window, click Install Audit V2 Server.
   The installation wizard appears.
2. Follow the displayed instructions with the following guidelines, window by window:
   - Click Create audit database tables in an existing database server.
     The wizard detects the database server(s) installed on the system and displays
     them in the drop-down list. Select the wanted database server.
     Click Next.
   - The wizard retrieves the necessary information from the existing database
     server.
     1. Make sure the SQL script path is correct and modify it if necessary.
     2. Type the name and password of the super user of the existing database
        server.
        If this password is modified, you must modify the Audit V2 connection
        parameters by following the procedure explained in Section 3.9.3,
        "Setting up the Connection to the Local Audit Database".
     Click Next.
     The table creation starts.
If you create the audit V2 tables in an existing MySQL database, the connection to
the Quest ESSO Controller is also set up by the wizard: the Quest ESSO local audit
database is operational when the wizard completes.
If the existing database installed on the Quest ESSO Controller is not a MySQL
database, or if you want to set up the connection through the local OLE DB and/or
ODBC driver, you must set up the connection parameters as detailed in Section 3.9.3,
"Setting up the Connection to the Local Audit Database".
3.9.3 Setting up the Connection to the Local Audit Database
Subject
All audit events received by the Quest ESSO Controller are stored in the local audit
database. This section describes how to set up the link between the Quest ESSO
Controller and the local audit database.
Before Starting
You have created the audit V2 tables as detailed in Section 3.9.2, "Creating Audit V2
Tables in an Existing Database".
Procedure
1. In the Administration Tools window, click Configure local audit database.
   The wizard appears.
2. Depending on the audit database server, do one of the following:
   a) To set up connection parameters with a Microsoft SQL Server database:
      - Click Use Quest ESSO embedded database and enter the
        administrator's password, as shown below:
      - Click the Advanced button to set a specific instance (if SQL Server is not
        installed on the Quest ESSO Controller) and administrator's name (optional):
      - Click Apply.
   b) To set up connection parameters with a database server (MySQL,
      Microsoft SQL Server, PostgreSQL or Oracle) through the local OLE DB
      and/or ODBC driver:
65
Quest Enterprise SSO 8.0.6 - Installation Guide


Click Use existing corporate database and click the
button to fill-in
the Connection string field.
Select in Table name drop-down list the proper audit table.
For an Oracle or a PostgreSQL database server, select Use quotes.


3.
Click the Verify button to check the configuration settings.
Click Apply.
If necessary, restart Quest ESSO Security Services to take configuration
changes into account.
3.9.4 Updating the Audit Translation Data
Subject
This section explains how to import the audit event translation data, so that audit events can be easily read.
Procedure
1. In the Administration Tools window, click Update Audit translation data.
   The Insert/Update Audit MetaData window appears. The metadata .xml file location field is already filled in.
2. Select a category to display the error and resource translations that are about to be imported:
   - Errors column: the list of available translations of errors found in the selected folder, for the selected category.
   - Resources column: the list of available translations of resources (type, attribute, known values of objects appearing in audit events) found in the selected folder, for the selected category.
3. Select the check box(es) corresponding to the audit database(s) into which you want to import the translations.
   If no master database is configured on the controller, the second check box does not appear.
4. Click Import.
   A confirmation window appears.
3.10 Declaring the Technical Accounts Used by the Quest ESSO Controllers
Before Starting
- The technical accounts are created and configured. For details, see one of the following sections depending on your LDAP directory type:
  - Active Directory: see Section 2.1.2, "Extending the Schema and Setting ACLs".
  - Active Directory + ADAM/AD LDS: see Section 2.2.2, "Preparing the ADAM/AD LDS Instance Administrator Account".
  - In non-Microsoft directory servers, this account must be an administrator of the directory.
- If you are using a local SQL Server database, you must have installed the audit database, as described in Section 3.9, "Installing and Configuring the Local Audit Database".
- You must have configured the audit database, as described in Section 3.9.3, "Setting up the Connection to the Local Audit Database".
Procedure
1. In the Administration Tools window, click Configure Directory and Audit login/password.
   The wizard appears. It allows you to declare the technical account that will be used by the Quest ESSO Controller to connect to the directory.
2. Follow the displayed instructions.
3.11 Defining a Master Audit Database
Subject
This section describes how to set the master audit database connection parameters.
Architecture Example
The following figure describes the use of a master audit database along with Quest ESSO:
All audit events received by the Quest ESSO Controller are stored in the local Quest ESSO audit cache (1). The local cache prevents losing audit events whenever the master database is not available.
The Quest ESSO Controller regularly uploads the contents of the local audit cache to the master database (3), through a local OLE DB or ODBC driver (2). Once an audit record has been successfully sent to the master database, it is removed from the local Quest ESSO audit cache.
- All requests for audit events issued from Quest ESSO Console query the master database, not the local Quest ESSO audit cache.
- If the master database is not available, audit queries are not possible.
Before Starting
- There is only one master audit database for all Quest ESSO servers.
- Before defining a master audit database for a controller, the database must have been created, as explained in Section 3.9, "Installing and Configuring the Local Audit Database".
Master Database Structure
Audit V2 Server
SQL scripts for creating the Audit V2 structure are available in the installation package, in the following folder: \TOOLS\WGSrvConfig\Support
These scripts are templates that you must analyze and adapt to your environment before executing them. If you need a database other than those listed below, please contact your Quest Software representative.
- For MySQL Server: MYSQLV2.sql
- For SQL Server: MSSQLV2.sql
- For PostgreSQL: PostgreSQLV2.sql
- For Oracle: OracleV2.sql
The master database used to gather audit events from several Quest ESSO Controllers must conform to the following definition. Make sure the columns are created in the same order.

COLUMN NAME        TYPE            NON NULL   AUTO INCREMENT
id                 integer         X          X
category           integer         X
evt                integer         X
datetime           integer         X
resultcode         integer
accesspointguid    char(36)
accesspointname    varchar(1024)
auditid            char(36)
applicationguid    char(36)
applicationname    varchar(1024)
extendedinfo       varchar(2048)
admobjectguid1     char(36)
admobjectdn1       varchar(900)
admobjectguid2     char(36)
admobjectguid3     char(36)
admobjectguid4     char(36)
admobjectguid5     char(36)
admoperationcode   integer

Oracle Specificities
- The NUMBER type must be used for "integer" columns.
- The automatic increment of the id column must be achieved using a SEQUENCE associated with a TRIGGER procedure invoked before the insertion of a row in the audit table. You may for instance use an "AUDIT_SEQ" sequence when defining your TRIGGER procedure as follows:
    begin
      if :NEW."ID" is null then
        select "AUDIT_SEQ".nextval into :NEW."ID" from dual;
      end if;
    end;
  Quoted identifiers are case-sensitive in Oracle: :NEW."ID" only matches a column created as ID (unquoted) or "ID", so adjust the case in the trigger to match the way the column was created in your table.
- You can use the Oracle VARCHAR2 type instead of "varchar".
- Before connecting to an Oracle database server, the Oracle client software must be installed on the Quest ESSO Controller. The Oracle client must be configured so that tnsping.exe <TNS Name of the Oracle Instance> succeeds.
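The following is an added example, not a script from the Quest ESSO package or from Quest. It encodes the master audit table definition above and does two things with it: it generates the CREATE TABLE statements for each of the four database types (applying the Oracle NUMBER/VARCHAR2 mapping and the SEQUENCE + BEFORE INSERT trigger from the Oracle specificities), and it checks an ordered column listing read from the database catalog against the definition, so that a hand-edited script that reordered a column or dropped a NOT NULL is caught before the controllers start uploading. The table name v_iamaudit is the one the guide gives; the sequence and trigger names, the per-dialect identity syntax, the catalog type aliases and the sample listing are assumptions of this example. It goes slightly beyond the guide by producing DDL for all four dialects from the single definition.

```python
"""Added example, not part of the Quest ESSO guide or its support scripts.

Builds CREATE TABLE statements for the master Audit V2 table from the column
definition in Section 3.11 (with the Oracle NUMBER/VARCHAR2 mapping and the
sequence + BEFORE INSERT trigger) and checks a catalog column listing against
that definition: same columns, same order, same NOT NULL flags.  The table name
v_iamaudit comes from the guide; the sequence/trigger names, the per-dialect
identity syntax and the sample listing are assumptions of this example.
"""

# (name, generic type, NOT NULL, auto increment), in the order the guide requires.
MASTER_AUDIT_COLUMNS = [
    ("id", "integer", True, True), ("category", "integer", True, False),
    ("evt", "integer", True, False), ("datetime", "integer", True, False),
    ("resultcode", "integer", False, False), ("accesspointguid", "char(36)", False, False),
    ("accesspointname", "varchar(1024)", False, False), ("auditid", "char(36)", False, False),
    ("applicationguid", "char(36)", False, False), ("applicationname", "varchar(1024)", False, False),
    ("extendedinfo", "varchar(2048)", False, False), ("admobjectguid1", "char(36)", False, False),
    ("admobjectdn1", "varchar(900)", False, False), ("admobjectguid2", "char(36)", False, False),
    ("admobjectguid3", "char(36)", False, False), ("admobjectguid4", "char(36)", False, False),
    ("admobjectguid5", "char(36)", False, False), ("admoperationcode", "integer", False, False),
]

# Assumed auto-increment syntax per dialect; Oracle uses a sequence + trigger instead.
_IDENTITY = {"mysql": " AUTO_INCREMENT", "mssql": " IDENTITY(1,1)",
             "postgresql": " GENERATED BY DEFAULT AS IDENTITY", "oracle": ""}

# Catalog type names reduced to the guide's generic notation (assumed aliases).
_TYPE_ALIASES = {"int": "integer", "int4": "integer", "number": "integer",
                 "varchar2": "varchar", "character varying": "varchar",
                 "character": "char", "bpchar": "char"}


def _column_type(generic, dialect):
    """Map a generic type to the dialect (Oracle: NUMBER for integer, VARCHAR2 for varchar)."""
    if dialect == "oracle" and generic == "integer":
        return "NUMBER"
    if dialect == "oracle" and generic.startswith("varchar"):
        return "VARCHAR2" + generic[len("varchar"):]
    return generic


def master_audit_ddl(dialect, table="v_iamaudit"):
    """Return the SQL statements (as a list) that create the master audit table."""
    if dialect not in _IDENTITY:
        raise ValueError("unsupported dialect: %s" % dialect)
    # Oracle and PostgreSQL identifiers are quoted, matching the guide's "Use quotes"
    # option.  Quoted identifiers are case-sensitive, so the Oracle trigger below
    # references :NEW."id" exactly as the column is created here.
    q = '"' if dialect in ("oracle", "postgresql") else ""
    cols = []
    for name, generic, not_null, auto in MASTER_AUDIT_COLUMNS:
        col = "  %s%s%s %s" % (q, name, q, _column_type(generic, dialect))
        col += " NOT NULL" if not_null else ""
        col += _IDENTITY[dialect] if auto else ""
        cols.append(col)
    stmts = ["CREATE TABLE %s%s%s (\n%s\n)" % (q, table, q, ",\n".join(cols))]
    if dialect == "oracle":
        stmts.append('CREATE SEQUENCE "AUDIT_SEQ" START WITH 1 INCREMENT BY 1')
        stmts.append('CREATE OR REPLACE TRIGGER "%s_BI" BEFORE INSERT ON "%s" FOR EACH ROW\n'
                     'begin\n  if :NEW."id" is null then\n'
                     '    select "AUDIT_SEQ".nextval into :NEW."id" from dual;\n'
                     '  end if;\nend;' % (table, table))
    return stmts


def _normalize(data_type, length):
    """Turn a catalog (DATA_TYPE, CHARACTER_MAXIMUM_LENGTH) pair into e.g. 'char(36)'."""
    base = _TYPE_ALIASES.get(data_type.lower(), data_type.lower())
    return "%s(%d)" % (base, length) if length else base


def check_column_listing(listing):
    """Compare (name, data_type, char_length, is_nullable) rows, as read from
    INFORMATION_SCHEMA.COLUMNS ordered by ORDINAL_POSITION, with the required
    definition.  Returns the list of problems; an empty list means the table conforms."""
    problems = []
    if len(listing) != len(MASTER_AUDIT_COLUMNS):
        problems.append("expected %d columns, found %d" % (len(MASTER_AUDIT_COLUMNS), len(listing)))
    for pos, (spec, row) in enumerate(zip(MASTER_AUDIT_COLUMNS, listing), start=1):
        name, generic, not_null, _ = spec
        got_name, got_type, got_len, nullable = row
        if got_name.lower() != name:
            problems.append("position %d: expected %s, found %s" % (pos, name, got_name))
            continue
        if _normalize(got_type, got_len) != generic:
            problems.append("%s: expected %s, found %s" % (name, generic, _normalize(got_type, got_len)))
        if not_null and nullable:
            problems.append("%s: must be NOT NULL" % name)
    return problems


def sample_listing():
    """Constructed catalog rows (not real data) for a table created from a hand-edited
    script: resultcode and accesspointguid are swapped and datetime was left nullable."""
    rows = []
    for name, generic, not_null, _ in MASTER_AUDIT_COLUMNS:
        base, _, rest = generic.partition("(")
        rows.append((name, "int" if base == "integer" else base,
                     int(rest[:-1]) if rest else None, not not_null))
    rows[4], rows[5] = rows[5], rows[4]
    rows[3] = ("datetime", "int", None, True)
    return rows
```

To check a real table on MySQL, SQL Server or PostgreSQL, feed check_column_listing() the rows of SELECT COLUMN_NAME, DATA_TYPE, CHARACTER_MAXIMUM_LENGTH, IS_NULLABLE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'v_iamaudit' ORDER BY ORDINAL_POSITION, converting IS_NULLABLE ('YES'/'NO') to a boolean; Oracle has no INFORMATION_SCHEMA, so use USER_TAB_COLUMNS (NULLABLE is 'Y'/'N') there. Run the check on the master database before pointing several controllers at it: a wrong column order is not reported by the wizard, it only shows up as upload failures later.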
Procedure
1. In the Administration Tools window, click Define a master Audit database.
2. Select Upload audit events in a centralized master database, and complete the window as detailed below:
   a) Master Database connection parameters area:
      - To configure a Microsoft SQL Server master database, click SQL Server database and fill in the Server name, Database name, Login, Password and Confirmation fields.
      - To configure a non-Microsoft SQL Server master database, click Use a data link to provide a Data Source Name (DSN).
        For example, if you want to use a local ODBC connector to access the master audit database, click the button next to the field and complete the displayed window as follows:
        - Select Microsoft OLE DB Provider for ODBC Drivers.
          To access an Oracle database, you must select Oracle Provider for OLE DB instead.
        - In the Connection tab, select an ODBC Data Source Name (DSN) and provide the proper login and password.
          If the wanted DSN does not appear in the list, the DSN may not be declared on the computer running the local audit cache (this may be the case if you are configuring a MySQL master database connected to a Microsoft SQL Server local audit cache). You must install the ODBC Driver for MySQL component on the controller running the local audit cache and declare the DSN of the master database using the ODBC Data Source Administrator tool (click Administrative Tools\Data Sources (ODBC) to start it).
        - Select Allow saving password.
          These connection parameters are stored in the strongly encrypted area of the Quest ESSO configuration data.
   b) Master Database table area:
      Select the name of the table where Quest ESSO audit events are to be stored. For Audit V2, the name of the table to use for a master database is v_iamaudit (dbo.v_iamaudit for SQL Server).
      If the selected database connector refers to a remote Oracle or PostgreSQL database, select the use double quotes option.
   c) Master database table size management area:
      If you want the Quest ESSO Controller to send e-mails to (database or security) administrators whenever the master database reaches a size threshold, fill in the following fields:
      - Size warning threshold: size threshold, in number of audit records (about 2 KB are required for each record).
      - Administrator's e-mail: e-mail address of the database administrator.
      - also send e-mail to: comma-separated list of e-mail addresses of other administrators.
      - SMTP server: name of the SMTP server in charge of routing e-mails.
      E-mails are sent to the database administrator (with a copy to the co-administrators) once the master database reaches the specified size. Even after the master database has reached the specified size, the Quest ESSO Controller still uploads audit events to it.
   d) Upload periodicity area:
      This area allows you to configure when Quest ESSO audit events are uploaded to this master database. Specify a fixed daily hour (for example 02:00 every day) or a frequency (for example every day, every 4 hours or every minute).
   e) Local database management area:
      You may also indicate that local audit events should be uploaded to the master database as soon as the local SQL Server database reaches a maximum size. For this purpose, indicate the maximum size (in number of stored events) and how often Quest ESSO should check the size of the local audit SQL Server database (every 120 seconds for example).
3.12 Installing a Quest ESSO Controller
Subject
This section explains how to install a Quest ESSO Controller, which is made of the following components:
- Quest ESSO server, which is used by the Quest ESSO Clients during some operations (administration, audit...). This module must be installed on a clearly identified machine.
- Quest ESSO Console, which is the administration console. This module can be installed on any client workstation.
  To use Quest ESSO Console, a Quest ESSO Controller must be installed on a computer. For more information, see Section 1.2, "Quest ESSO Architecture".
Depending on your needs, you may install these two modules on the same workstation or separately.
Interactive/Silent Mode Installation
The Quest ESSO Controller is delivered as installation packages using the Microsoft Windows Installer (MSI) format.
You can install this package:
- In interactive mode: follow the instructions of the installation wizard, as described in the following procedure.
- In silent mode: command line options allow you to specify installation options for each installation package: see Section 9., "Installing Quest ESSO MSI Packages in Silent Mode".
Before Starting
- You must have prepared the LDAP Directory (see Section 2., "Preparing the Storage of Security Data in the LDAP Directory").
- You must have installed the Security and Audit databases (see Section 3., "Installing Quest ESSO Controllers and Audit Databases").
- Configure the Quest ESSO Security Services (see Section 4.1, "Configuring Workstations").
- Make sure you have installed the Microsoft Redistributables as explained in Section 4.2, "Installing Microsoft Redistributables".
- Check that your Windows operating system is supported by Quest ESSO. For details, see Release Notes.
- If you want to install the Quest ESSO Controller on Windows x64, you must first install the 64-bit OLE DB Provider (it is not included by default in the OS).
Procedure
1. Start the Administration Tools window (see Section 3.1, "Starting the Administration Tools window").
2. In the Administration Tools, click Install Quest ESSO Controller.
   The Quest ESSO Controller installation wizard appears.
   If the Quest ESSO Controller installation wizard does not appear automatically, browse the INSTALL directory of the Quest ESSO installation package and double-click ESSOController.msi.
3. Follow the displayed instructions and the guidelines given in the following Controller Wizard Window Description section.
4. Restart the workstation.
   If you have installed Advanced Login, the Advanced Login authentication window appears.
Controller Wizard Window Description
'Select Installation Type' and 'Select Features' Window Description
To choose the components to install, click Custom in the Select Installation Type window. The feature selection window appears:
- QESSO Controller: Quest ESSO server installation.
- QESSO Console: Quest ESSO Console software module installation.
- Proximity devices plugin: this feature is necessary if you want to manage RFID devices from Quest ESSO Console.
- Supported languages: possible languages of the Quest ESSO modules.
4 Installing and Configuring the Software Modules on the Workstations
Subject
After the initialization of the Quest ESSO security database, you must install and configure the software modules on all the workstations that will run in the Quest ESSO environment.
All these workstations must at least run the Enterprise SSO software module. Depending on your needs, you can also install the Advanced Login and/or the Quest ESSO Console modules.
Interactive/Silent Mode
The Quest ESSO software suite is delivered as installation packages using the Microsoft Windows Installer 2.0 (MSI) format. You can install these packages either in interactive mode (following the instructions of the installation wizard), or in silent mode using any software distribution tool. Command line options allow you to specify installation options for each package of the software suite.
As they are in MSI format, you can install these packages on many workstations, if these workstations are members of a Windows domain, using the MSI distribution functionality of Windows Server operating systems (Group Policies (GPO)). This section describes how to install and configure the software modules workstation by workstation.
- For information on how to install Quest ESSO software MSI packages in silent mode, see Section 9., "Installing Quest ESSO MSI Packages in Silent Mode".
- For information on how to deploy Quest ESSO modules on workstations using GPO, see Section 8., "Centralizing Parameters Using Group Policy Objects (GPO)".
Localization
The Quest ESSO software suite applications support several languages, and use the language defined in the regional settings of the user workstations without any further installation. Nevertheless, depending on your installation package, you may find several installation packages in several languages for one application. The language of the selected installation package will be the language of the installation wizard and of the labels of the Windows Start menu.
4.1 Configuring Workstations
Subject
You can configure the workstation before or after installing the software modules, except for the Advanced Login module, for which you must configure the workstation before its installation.
Procedure
1. Start the Administration Tools window (see Section 3.1, "Starting the Administration Tools window").
2. In the Select a task list, select Install software modules.
3. In the Software Installation task list, click Configure workstation.
   The Configuration Assistant appears.
4. Follow the displayed instructions in the wizard windows with the following guidelines:
   - To configure the Quest ESSO workstation with Active Directory, see Section 4.1.1, "Quest ESSO Configuration with Active Directory".
   - To configure the Quest ESSO workstation with another user database or directory, see Section 4.1.2, "Quest ESSO Configuration with a User Database or Directory other than Microsoft Active Directory".
4.1.1 Quest ESSO Configuration with Active Directory
The following steps explain how to configure a Quest ESSO workstation to work with Active Directory.
Step 1 (licence window)
  If you have been supplied with a licence key file:
  - In the Customer ID field, type the Customer ID provided by your Quest Software representative.
  - Click Import to select your licence key file. The licence keys are saved and appear in the table.
  - Click Next.
  If you have been supplied with licence keys:
  - In the Customer ID field, type your Customer ID.
  - For each licence key you have, select the licence name in the Select licence list.
  - Type the licence key in the corresponding field and click Add. The licence keys are saved and appear in the table.
  - Click Next.
  To delete a licence key, double-click it.
Step 2
  Select with a Controller. Click Next.
Step 3
  Select Microsoft Active Directory. Click Next.
Step 4
  Select a security database storage:
  - A security database stored in the domain directory: click Next, then go to step 6.
  - A security database stored in an ADAM/AD LDS server: click Next, then go to step 5.
Step 5
  Configure the parameters to access the LDAP server. Click Next.
Step 6
  Clear Manage access-points if you do not want Quest ESSO to manage access points (for more information on access point management, see Quest ESSO Console Administrator Guide). Default: Manage access-points selected. Click Next.
4.1.2 Quest ESSO Configuration with a User Database or Directory other than Microsoft Active Directory
The following steps explain how to configure a Quest ESSO workstation to work with a user database or directory other than Microsoft Active Directory.
Step 1 (licence window)
  If you have been supplied with a licence key file:
  - In the Customer ID field, type the Customer ID provided by your Quest Software representative.
  - Click Import to select your licence key file. The licence keys are saved and appear in the table.
  - Click Next.
  If you have been supplied with licence keys:
  - In the Customer ID field, type your Customer ID.
  - For each licence key you have, select the licence name in the Select licence list.
  - Type the licence key in the corresponding field and click Add. The licence keys are saved and appear in the table.
  - Click Next.
  To delete a licence key, double-click it.
Step 2
  Select with a Controller. Click Next.
Step 3
  Select one of the user authentication databases other than Microsoft Active Directory. Click Next.
Step 4
  Configure the parameters to access the LDAP server. Click Next.
Step 5
  Configure the LDAP security options:
  - LDAP authentication mechanism: depending on your directory type, see "Configuring Secure Authentication" in Section 2., "Preparing the Storage of Security Data in the LDAP Directory".
  - LDAP data privacy: depending on your directory type, see "Configuring Data Securization" in Section 2., "Preparing the Storage of Security Data in the LDAP Directory".
  Click Next.
Step 6
  Configure your network environment:
  - To synchronize passwords from the SAMBA controller to the OpenLDAP server, select Passwords are synchronized only from MS Windows domain to LDAP server and fill in the NetBIOS names of the SAMBA domain and the SAMBA controller.
  - To manage SAMBA computer objects, select Integrate with SAMBA computer objects.
  - To manage SAMBA group objects, select Support SAMBA group.
  Click Next.
  For more information, see Section 2.3.4, "Integrating SAMBA".
Step 7
  Clear Manage access-points if you do not want Quest ESSO to manage access points (for more information on access point management, see Quest ESSO Console Administrator Guide). Default: Manage access-points selected. Click Next.
4.2 Installing Microsoft Redistributables
Subject
Before installing a Quest ESSO Client or Controller, you must install the Microsoft Visual C++ 2005 Redistributables as explained in the following procedure.
Interactive/Silent Mode Installation
The Microsoft Visual C++ 2005 Redistributables are delivered as installation packages using the Microsoft Windows Installer (MSI) format.
You can install this package:
- In interactive mode: follow the instructions of the installation wizard, as described in the following procedure.
- In silent mode: command line options allow you to specify installation options for each installation package: see Section 9., "Installing Quest ESSO MSI Packages in Silent Mode".
Procedure
1. Start the Administration Tools window (see Section 3.1, "Starting the Administration Tools window").
2. In the Select a task list, select Install software modules.
3. In the Software Installation task list, click Install Microsoft Redistributables and follow the displayed instructions.
   If the Microsoft Redistributables are already installed on the workstation, the Install Microsoft Redistributables link does not appear.
   The installation starts.
4.3 Installing a Quest ESSO Client
Subject
The Quest ESSO Client installation wizard allows you to install simultaneously all the Quest ESSO software modules on a workstation.
The Quest ESSO software modules are:
- Advanced Login
  Advanced Login is the authentication software module.
- SSOWatch module
  SSOWatch module is the secure single sign-on (SSO) software module. You can install it on a single workstation or deploy it on all the workstations of an enterprise network. This section explains how to install it on a workstation.
  For information on enterprise-wide installation, see Section 8., "Centralizing Parameters Using Group Policy Objects (GPO)", and SSOWatch Administrator Guide.
- Quest ESSO Console
  Quest ESSO Console is the administration console. This module can be installed on any client workstation, together with the File Encryption software module.
Interactive/Silent Mode Installation
The Quest ESSO Client is delivered as installation packages using the Microsoft Windows Installer (MSI) format.
You can install this package:
- In interactive mode: follow the instructions of the installation wizard, as described in the following procedure.
- In silent mode: command line options allow you to specify installation options for each installation package: see Section 9., "Installing Quest ESSO MSI Packages in Silent Mode".
Before Starting
- Make sure you have installed the Microsoft Redistributables as explained in Section 4.2, "Installing Microsoft Redistributables".
- Make sure you have enough available hard disk space. For more information on versions and hardware requirements, see Release Notes.
- If you want to install the SSOJava plug-in (which is an installation feature of Enterprise SSO), a supported Java version must already be installed on your workstation (for details about the supported JRE versions, see Release Notes).
- Close all running applications.
Procedure
1. Start the Administration Tools window (see Section 3.1, "Starting the Administration Tools window").
2. In the Select a task list, select Install software modules.
3. In the Software Installation task list, click Install Quest ESSO Client.
   If the Client installation wizard does not appear, browse the INSTALL directory of the downloaded installation package and double-click ESSOAgent.msi.
   The Quest ESSO Client installation wizard appears.
4. Follow the displayed instructions and the guidelines given in the following Client Wizard Window Description section.
5. Restart the workstation.
   If you have installed Advanced Login, the Advanced Login authentication window appears.
Client Wizard Window Description
"Select Installation Type" and "Select Features" Window Description
To choose the components to install, click Custom in the Select Installation Type window. The feature selection window appears:
Advanced Login: Advanced Login software module installation, which includes the following selectable features:
  For performance reasons, you are advised to select only the required features. The selection of the Advanced Login features is not available on Windows XP and Windows Vista.
  - Password and OTP authentication.
  - Smart card authentication.
  - RFID authentication.
  - Biometrics authentication.
    For details on the supported authentication devices, see Release Notes.
  - SSPR authentication: users who forgot their password must answer security questions to open a session. For more information, see Advanced Login Self Service Password Request Administrator Guide.
    - You can select only this option (without any other listed under the Advanced Login node) to enable SSPR while keeping the standard Windows authentication.
    - On Windows 7/2008 clients, this option can be combined with Integration with Windows Authentication (see below) to add the SSPR option to the Smart Card Logon mode.
  - Cluster and transparent locking: this feature must be installed to enable the cluster mode and the transparent locking. For more information, see Administrator Guide for Cluster Mode of Advanced Login.
SSOWatch: SSOWatch software module installation, which includes the following selectable features:
  - Biometrics Enrollment tool: installs the biometrics enrollment wizard on the workstation, which allows a user to enroll his/her biometric data for fingerprint authentication. For more information on the Quest ESSO biometrics feature, see Advanced Login for Windows User Guide.
  - Integration with Windows Authentication: transparently launches the SSOWatch module of Quest ESSO at session startup using the user's Windows credentials. If this feature is not installed, the SSOWatch module of Quest ESSO is still launched automatically, but it asks the user for his/her credentials.
    If you select this option to implement the Smart Card Logon mode, note that by default this feature supports only the Microsoft Credential Provider tile. On Windows 7 and 2008 systems, you can extend smart card logon to non-Microsoft credential providers by creating the following value under HKLM\Software\Enatel\WiseGuard\FrameWork\Authentication:
      Value name: AltSmartCardCredentialProviders
      Value type: REG_SZ (String value)
      Data: the credential provider GUID (example: {6012D512-EEBB-41E2-8842-28611CD7FE9E}). For information on the credential provider GUID, see the vendor documentation.
  - Old IE Plugin: this deprecated Internet Explorer plug-in must only be installed for compatibility with previous Quest ESSO versions.
  - Java plugin: allows the SSOWatch module of Quest ESSO to access Java applications.
    If you select this feature, make sure a supported Java version is already installed on your workstation.
    - If you update your Java version, the SSOWatch module of Quest ESSO must be reinstalled.
    - The configuration of SSO for Java requires advanced skills. To deliver SSO access to Java applications, an integration service is required. Please contact Quest Support at www.quest.com/support.
  - Personal SSO Studio: allows a single user to configure the applications for which he/she wants to enable SSO.
  - Enterprise SSO Studio: this feature is dedicated to administrators: the SSO configuration is shared by a number of users.
  - Multi User Desktop: provides a single Windows Desktop to display all the user applications and launches a single instance of the SSOWatch engine. For more information, refer to Advanced Login Session Management Administrator Guide.
    This option is incompatible with Advanced Login and Integration with Windows Authentication.
  - Public Access FUS: allows authorized users to share a workstation without having to restart a Windows session. On smart card, RFID badge or fingerprint detection, Quest Enterprise SSO prompts the user to type his/her PIN code or password and starts the SSOWatch engine. The engine stops on smart card or RFID badge withdrawal, or on fingerprint detection.
    This option is incompatible with Advanced Login and Integration with Windows Authentication.
  - FUS extension DLL: this feature is designed to help you configure automated actions on running applications when Quest Enterprise SSO starts or stops on a workstation configured for Fast User Switching without Advanced Login installed. For details, see Advanced Login Self Service Password Request Administrator Guide.
Quest ESSO Console: Quest ESSO Console software module installation.
  If Quest ESSO Console has already been installed on the machine (with the Quest ESSO Controller), the Quest ESSO Console feature does not appear in the window.
Supported languages.
  You need a specific license to install the Japanese Resources.
4.4 Installing French Healthcare Smart Cards (CPS)
Subject
If you are using CPS smart cards, you must install the CPS smart card middleware on every client workstation that will be using them.
Procedure
1. Start the Administration Tools window (see Section 3.1, "Starting the Administration Tools window").
2. In the Select a task list, select Install software modules.
3. In the Software Installation task list, click Install French Healthcare (CPS) smart cards.
   If the CPS installation wizard does not appear, browse the INSTALL directory of the downloaded installation package and double-click ESSOCPS.msi.
   The CPS installation wizard appears.
4. Follow the displayed instructions.
   The CPS smart card middleware is installed as a Windows service.
4.5 Installing Finger Vein Biometric Drivers
Subject
If you are using Hitachi finger vein biometrics, you must install the finger vein biometric drivers on every client workstation that will be using them.
Procedure
1. Start the Administration Tools window (see Section 3.1, "Starting the Administration Tools window").
2. In the Select a task list, select Install software modules.
3. In the Software Installation task list, click Install finger vein biometric drivers.
   If the installation does not start, browse the DRIVERS directory of the downloaded installation package and double-click BioHitachi_Install.exe.
   The installation proceeds.
4.6 Modifying the Possible Domains List
Subject
During the Quest ESSO installation process in multi-domain mode, you may need to modify the list of possible domains displayed by the authentication windows of the Quest ESSO workstation clients. The following procedure describes how to modify the possible domains list.
Restrictions
Only for Quest ESSO in multi-domain mode with Active Directory or Active Directory/ADAM (or Active Directory/AD LDS) architectures.
Procedure
1. On the wanted Quest ESSO Controller, start Registry Editor.
2. Under HKLM\Software\Enatel\WiseGuard\FrameWork\Directory, add the following value:
   Value type: String
   Value name: PossibleDomainsList
   Value: Domain1 [...] DomainN
87
Quest Enterprise SSO 8.0.6 - Installation Guide
5 Enabling the Self Service
Password Request (SSPR)
Capability
Subject
Depending on your corporate security policies, you may need to allow end users to reset their password by connecting to a Self Service Password Request server. This server allows end users to reset their primary password using the SOS button (or I have forgotten my password on Windows 7) of Advanced Login (if installed on workstations) and/or the Self Service Admin Portal.
This section describes how to install and activate the Self Service Password Request (SSPR) capability from the downloaded Quest ESSO installation package. You can install these components on any supported Windows system.
Interactive/Silent Mode Installation
The Self Service Password Request (SSPR) capability is delivered as installation
packages using the Microsoft Windows Installer (MSI) format.
You can install this package:
• In interactive mode: follow the instructions of the installation wizard, as described in the following procedure.
• In silent mode: command line options allow you to specify installation options for each of the installation packages: see Section 9, "Installing Quest ESSO MSI Packages in Silent Mode".
The silent installation can only be used for updating the web server: the MSI does not include the Apache server installation, which is a prerequisite for the Self Service Password Request and the Quest ESSO API.
Before Starting
The Self Service Password Request (SSPR) capability requires a dedicated user account to perform operations in the directory. This account must exist before starting the installation procedure, as the wizard will prompt you for its credentials. The following procedure details how to create and configure this account.
From a workstation where Quest ESSO Console is installed, do the following:
• Create or select in your directory a user account that will be used exclusively for the Self Service Password Request (SSPR) capability.
  Enable the Password never expires option for this account.
• If you start Quest ESSO Console in hardware protection mode, assign a smart card to this user account using Quest ESSO Console, with the following guidelines (this card will be used by the Quest ESSO Security Services to enable the Self Service Password Request (SSPR) capability):
  - The assigned smart card must not expire.
  - The owner of this token must have the Delegate the right to retrieve SSO data administration right.
• The user must have authenticated at least once on Quest ESSO, so that the specific administration rights needed to manage Self Service Password Request (SSPR) can be delegated to him/her:
  - In classic administration mode: SSO Data Recoverer administration role.
  - In advanced administration mode:
    o Self Service Password Request: Answer deletion
    o Self Service Password Request: Challenge generation
    o Self Service Password Request: Reset attempt counter
    o User: password modification.
Restrictions
• If you have downloaded the installation packages, do not start the following procedure from a network drive: copy the installation packages locally before starting the installation.
• Check that port 80 is not used.
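Both restrictions can be verified before the wizard is launched. The following script is an added example written for the reader of this guide, not part of the Quest ESSO installation package: it detects a UNC path for the installation package and tests whether TCP port 80 already has a listener, since the Apache server installed for SSPR listens on port 80 and that port cannot be changed (see step 7 of the procedure). The sample path is constructed. A mapped drive letter that points at a network share cannot be recognised offline and has to be checked by hand.

```python
"""Pre-installation checks for the SSPR web server (added example, not part of
the Quest ESSO installation package)."""
import socket
from pathlib import PureWindowsPath
from typing import List, Optional


def port_in_use(port: int, host: str = "127.0.0.1", timeout: float = 1.0) -> Optional[bool]:
    """True if something accepts TCP connections on host:port, False if the
    connection is refused, None if the answer cannot be determined.

    A connect() needs no privilege (unlike bind() on port 80) but only sees
    listeners reachable on `host`; a server bound to another interface only
    would be missed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return False
    except OSError:
        return None


def is_network_path(package_path: str) -> bool:
    """True for UNC paths such as \\\\fileserver\\share\\ESSO.
    A mapped drive letter cannot be recognised offline; check it by hand."""
    return PureWindowsPath(package_path).drive.startswith("\\\\")


def sspr_preflight(package_path: str, port: int = 80) -> List[str]:
    """Return the findings that block the SSPR installation (empty list = go)."""
    findings = []
    if is_network_path(package_path):
        findings.append(
            f"{package_path} is on a network share: copy the package locally first")
    state = port_in_use(port)
    if state is None:
        findings.append(f"could not determine whether TCP port {port} is free")
    elif state:
        findings.append(
            f"TCP port {port} already has a listener; the SSPR Apache server needs it")
    return findings


def self_check() -> dict:
    """Run port_in_use() against a listener opened by this script, then against
    the same port once it is closed, so the behaviour can be seen without
    touching port 80."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))          # ephemeral port chosen by the OS
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = port_in_use(port)
    listener.close()
    after_close = port_in_use(port)
    return {"port": port, "while_listening": while_listening, "after_close": after_close}


if __name__ == "__main__":
    # Constructed sample: the package sits on a file share, as in the first restriction.
    for line in sspr_preflight(r"\\fileserver\software\ESSO\INSTALL") or ["preflight passed"]:
        print(line)
    print(self_check())
```

Run the script on the server that will host the SSPR web server; a non-empty list means the installation should not be started yet.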
Procedure
1. If you have chosen the Hardware protection mode at Quest ESSO primary controller initialization (see Section 3.3, "Initializing the Primary Controller"), install the driver for your smart card reader.
2. Start the Administration Tools interface, as described in Section 3.1, "Starting the Administration Tools window".
   If you want to install a standalone Quest ESSO SSPR Web server on a 64-bit environment, where no other Quest ESSO package (client or controller) is installed and will never be installed, you must select the 32-bit installer. Use the 64-bit installer only if another Quest ESSO 64-bit package is already installed on the computer.
3. In the Select a task drop-down list, click Install Self Service Password Request capability.
4. If you are installing Self Service Password Request (SSPR) on a workstation where no other Quest ESSO software module is running, click Configure workstation and follow the displayed instructions (for details, see Section 4.1, "Configuring Workstations").
5. Click Install Quest ESSO Web Server.
   You can also start the installation wizard by double-clicking TOOLS\APACHE\WGInstaller.exe.
   The following window appears. If a previous version of the Self Service Password Request (SSPR) is already installed, the wizard prompts you to select the features to be updated.
6. Do the following:
   a) Select the Self Service Password Reset check box.
   b) To use the SSPR server with Advanced Login, select the Web Service check box.
   In case of an update, you can also start the setup wizard by double-clicking ESSOWebServer.msi. For a 32-bit environment, run the 32-bit package located in ESSO\INSTALL. For a 64-bit environment, run either the 64-bit package located in E-SSO.X64\INSTALL or the 32-bit package, depending on your configuration. For more details, see the note in step 2 above.
7. Click the Install (or Update) button to launch the installation.
   During the installation process, the Apache web server icon appears on the taskbar.
   This Apache web server runs with the Apache mod_ssl module, PHP (used by the Self Service Admin Portal) and the gSOAP module (used by Advanced Login in connected mode).
   The Apache web server listens on port 80. That port number cannot be changed.
8. In the Administration Tools window, click Define administrator credentials for Self Service Password Request.
   The following window appears:
9. Do one of the following, depending on the protection mode you selected in Section 3.3, "Initializing the Primary Controller":
   • If you have chosen the Software protection mode, select Software credentials and fill in the Software credentials area with the credentials of the dedicated user account allowed to manage SSPR (see Before Starting above).
   • If you have chosen the Hardware protection mode, select Hardware credentials, insert the SSPR smart card previously created in the smart card reader and provide the PIN for the smart card.
10. Click OK to register the administrator's credentials.
11. Declare the users allowed to use the Self Service Password Request (SSPR) capability. For more information, see Advanced Login Self Service Password Request Administrator Guide.
6 Enabling OTP Authentication
OTP authentication allows users to authenticate to Quest ESSO by giving their login name and an OTP (a code may have to be entered on the OTP device to obtain it).
If configured, OTP authentication is accessible from the authentication window (Advanced Login) and from the authentication client.
OTP authentication in Quest ESSO requires either:
• A Radius plugin: Radius only supports online mode.
• An RSA authentication server and an RSA authentication agent for online or online & offline modes. For online & offline mode, the RSA server and agent must be installed on each workstation on which OTP authentication is needed.
Quest ESSO supports only one activated OTP authentication method at a time.
You can configure the OTP authentication mode from Quest ESSO Console: see Quest ESSO Console Administrator Guide.
6.1 Installing a Radius Plugin
• Copy and paste the following XML code:
  <token_class id="OTP" display_name="OTP">
    <token_config>
      <custom_otp_dll>CustomOTPExtensionRadius.dll</custom_otp_dll>
      <ldap_attribute>sAMAccountName</ldap_attribute>
    </token_config>
    <data_structure>
      <module id="0x0100">
      </module>
      <module id="0x0200">
      </module>
    </data_structure>
  </token_class>
  - custom_otp_dll indicates the name of the .dll file to associate with the OTP method.
  - ldap_attribute is the LDAP attribute whose value is used as the Radius login for the Quest ESSO user.
• Enter the following keys in the registry base:
  VALUE (TYPE): KEY
  Radius Server (String): HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\FrameWork\Radius\Server
  Port (DWORD): HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\FrameWork\Radius\Server
  Radius Server Secret (String): HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\FrameWork\Radius\Secret
6.2 Installing an RSA Authentication Server and Agent
6.2.1 Installing RSA Authentication Server
You must install the RSA authentication server on a dedicated system: refer to the RSA
documentation.
6.2.2 Installing RSA Authentication Agent
Subject
By default, OTP authentication is enabled only if the workstation is online. If you want the
OTP authentication to be performed in online and offline mode, you must install the RSA
Authentication Agent on each workstation on which OTP authentication is needed in offline
mode.
The following procedure describes the requirements for installing RSA Authentication
Agent 6.1 for Microsoft Windows, and is extracted from the RSA Authentication Agent API
6.1 for C Developer's Guide.
Requirements
To support offline authentication and logon password integration features, the API requires
services built into the RSA Authentication Agent 6.1 for Microsoft Windows.
On systems running your custom application, you must install at least one component of
the Agent.
Without an RSA Authentication Agent 6.1 for Microsoft Windows installation, you
cannot use the logon password integration and offline authentication capabilities.
However, you can use the API to build and run a standalone product, for which you must
install aceclnt.dll and sdmsg.dll in the %SystemRoot%\System32\ folder.
RSA Security recommends installing the Local Authentication Client (LAC) component of
the Agent. If local protection of those systems is not required, configure the Challenge
option to OFF in the Agent Control Panel.
After installation, the RSA Authentication Agent places new and enhanced dynamic link libraries (aceclnt.dll, sdmsg.dll) in the %SystemRoot%\System32\ folder, and starts new services.
If you install the RSA Authentication Agent on a computer where Advanced Login is already installed, the RSA logon window is displayed instead of the Advanced Login authentication window (after you have restarted the system).
To avoid this, you must set WGSafeGina.dll in the following registry value:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
This way, the Advanced Login authentication window is displayed at system start.
7 Enabling the Group Membership Modification Feature
Subject
You can add or remove Users and Access Points from groups directly through the Quest
ESSO Console, without using a third-party group management console. To enable this
feature, you must enable the Quest ESSO Controllers to modify group memberships, by
delegating the Modify the membership of a group task to their dedicated technical
accounts.
Restriction
The following procedure must be performed only if Quest ESSO is used with
Active Directory, ADAM or AD LDS directories.
If you are using another supported LDAP directory, the feature is automatically
enabled.
Procedure
1. Launch the Active Directory Users and Computers tool on the Active Directory domain controller.
2. Right-click the organizational unit containing the users or machines you want to modify and select Delegate Control.
   The Delegation of Control Wizard starts.
3. Press the Next button and then the Add button.
4. Select the group containing the technical accounts of the Quest ESSO Controllers (Active Directory only), or each technical account individually if necessary.
5. Click the Next button and select the Modify the membership of a group checkbox.
6. Click the Next button and then the Finish button to close the Wizard.
   The delegation of control is complete.
For details on how to use this feature, refer to Quest ESSO Console Administrator Guide.
8 Centralizing Parameters Using Group Policy Objects (GPO)
Subject
This section describes how to apply registry-based policy settings to servers and user computers running Quest ESSO using the Group Policy Management Console. It is intended for system administrators who want to use Group Policy to manage Quest ESSO workstations.
If you are new to Group Policy, it is strongly recommended to read the following documentation before going further (URLs valid in September 2012):
• Windows 2000/2003 Server: http://technet.microsoft.com/en-us/library/Bb742376.aspx
• Windows 2008 Server: http://technet.microsoft.com/en-us/library/cc709647%28v=ws.10%29
• Windows XP: http://support.microsoft.com/kb/307882/en-us
• Windows 7: http://technet.microsoft.com/en-us/library/hh147307%28v=ws.10%29
You will add the administrative template files provided by Quest ESSO to the Administrative Templates extension.
These files allow you to set Quest ESSO policy settings pertaining to the registry and distribute them to Quest ESSO workstations, in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Enatel registry key.
These parameters supersede the local parameters, which are located in HKEY_LOCAL_MACHINE\SOFTWARE\Enatel.
Windows Server 2008 introduces a new format for displaying registry-based policy settings and uses a new standards-based XML file format known as ADMX files. These new files replace ADM files, which use their own markup language.
This section covers the procedures for creating GPOs using ADM or ADMX files.
Restrictions
The following procedures apply only to Quest ESSO workstations that are members of a Windows domain.
8.1 Creating and Configuring Group Policy Objects Using an ADM File
Before Starting
• Check that the administrative template file (UserAccess-<language>.adm) is available. This file is located in the Quest ESSO installation package, in TOOLS\ADM.
• For Windows Server 2008, go to Windows 2008 Procedure.
Procedure
1. Start Active Directory Users and Computers.
2. In the console tree, right-click the desired container (site, domain, OU) and select Properties.
   You will apply the Quest ESSO administrative template file to the users and computers in the selected container.
3. In the displayed window, click the Group Policy tab.
4. Click New to create a new group policy (named User Access, for instance).
5. Click the Edit button.
6. In the displayed console tree, right-click Administrative Templates (in Computer settings) and select Add/Remove Templates.
   The Add/Remove Templates window appears.
7. Click the Add button, select the UserAccess-<language>.adm file (where <language> represents one of the supported languages) located in the Quest ESSO installation package and close the Add/Remove Templates window.
   The UserAccess folder appears under Computer Settings\Administrative Templates.
   For more information on the User Access administrative template, see "Description of the User Access Administrative Template" below.
8. In the UserAccess folder, select a sub folder and double-click a parameter.
   The Licenses Properties window associated with this parameter appears, as shown in the following example:
   • Area 1 allows you to set the state of this policy:
     - Not Configured: the parameter is not taken into account unless specified by any other GPO.
     - Disabled: the parameter is not taken into account unless specified by a GPO with a higher priority.
     - Enabled: the parameter is taken into account.
   • Area 2 is generated by the .adm file.
   For more information on these policy settings, click the Explain tab.
Windows 2008 Procedure
1. Start Group Policy Management.
2. In the console tree, unfold the Domains node, right-click the Group Policy Objects container and select New.
   You will apply the User Access administrative template file to the users and computers in the selected container.
3. In the New GPO window, enter the name of the new GPO and click the OK button.
4. In the displayed window, click the Linked Group Policy Objects tab.
5. Right-click the new GPO and select Edit.
6. In the Group Policy Management Editor, right-click Administrative Templates (in Computer Configuration) and select Add/Remove Templates.
   The Add/Remove Templates window appears.
7. Click the Add button, select the UserAccess-<language>.adm file (where <language> represents one of the supported languages) located in the Quest ESSO installation package and close the Add/Remove Templates window.
   The UserAccess folder appears under Computer Configuration\Administrative Templates.
   For more information on the User Access administrative template, see "Description of the User Access Administrative Template" below.
8. In the UserAccess folder, select a sub folder and double-click a parameter.
   The Licenses Properties window associated with this parameter appears, as shown in the following example:
   • Area 1 allows you to set the state of this policy:
     - Not Configured: the parameter is not taken into account unless specified by any other GPO.
     - Disabled: the parameter is not taken into account unless specified by a GPO with a higher priority.
     - Enabled: the parameter is taken into account.
   • Area 2 is generated by the .adm file.
   For more information on these policy settings, click the Explain tab.
8.2 Creating and Configuring Group Policy Objects Using ADMX Files (optional)
Restriction
ADMX files are XML-based administrative template files that were introduced in Windows
Vista and Windows Server 2008. They are not compatible with earlier versions of the
operating system.
Before Starting
• Check that the administrative template files are available. These files are located in the Quest ESSO installation package, in TOOLS\ADMX.
• If you need more details on the following procedure, see http://technet.microsoft.com/en-us/library/cc748955 (URL valid in September 2012).
Procedure
1. Select the ADMX and ADML files that you need according to the following guidelines:
   • UserAccess.admx and UserAccessLicenses.admx are mandatory.
   • Depending on your Quest ESSO solution, select one of the available configuration files (UserAccessConfiguration<config>, where <config> represents an architecture; example: MicrosoftADwithADLS).
   • Select one of the available licence files according to your Quest Enterprise SSO licence.
   • ADML files are language-specific resource files. They are located in the language subfolder (example: EN-US for United States English). Copy the equivalent files (UserAccess.adml, UserAccessLicenses.adml, UserAccessConfiguration<config>.adml and UserAccessLicences<Licence>.adml).
2. Store these files in the PolicyDefinitions folder on a Domain Controller:
   • ADMX files are stored in %systemroot%\sysvol\domain\policies\PolicyDefinitions.
   • ADML files are stored in %systemroot%\sysvol\domain\policies\PolicyDefinitions\<LANG>, where <LANG> represents the language identifier (example: EN-US).
   As the Domain Controllers are replicated, the files are automatically copied to the other servers.
3. Click Start\Run and type gpedit.msc to launch the Local Group Policy Editor.
4. In the console tree, unfold the Computer Configuration\Administrative Templates\User Access folders.
5. Select a subfolder and double-click a GPO to edit settings as appropriate.
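The following script is an added example, not part of the Quest ESSO installation package: it stages a TOOLS\ADMX tree into the central store layout described in step 2 (.admx files in PolicyDefinitions, .adml files in PolicyDefinitions\<LANG>) and reports any template whose language resource does not define every $(string.id) the template references, which the Group Policy editor otherwise reports as a resource error when it loads the template. The ADMX and ADML contents, the namespace prefix "useraccess" and every file name other than UserAccess.admx and UserAccessLicenses.admx are constructed samples; the folders are created under a temporary directory so the script runs anywhere, and on a Domain Controller you would point central_store at the SYSVOL path from step 2 instead.

```python
"""Stage Quest ESSO ADMX/ADML files into a Group Policy central store and
check them (added example, not part of the Quest ESSO package)."""
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ADMX_NS = "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
STRING_REF = re.compile(r"\$\(string\.([A-Za-z0-9_]+)\)")

# Constructed sample template: one policy backing the DisableReverseDns value
# listed in Section 8.3 (a real Quest ESSO template defines many more).
SAMPLE_ADMX = """<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="useraccess" namespace="Sample.UserAccess"/>
    <using prefix="windows" namespace="Microsoft.Policies.Windows"/>
  </policyNamespaces>
  <resources minRequiredRevision="1.0"/>
  <categories><category name="UserAccess" displayName="$(string.UserAccess)"/></categories>
  <policies>
    <policy name="DisableReverseDns" class="Machine" displayName="$(string.DisableReverseDns)"
            explainText="$(string.DisableReverseDns_Help)"
            key="SOFTWARE\\Policies\\Enatel\\WiseGuard\\FrameWork\\Network" valueName="DisableReverseDns">
      <parentCategory ref="UserAccess"/>
      <supportedOn ref="windows:SUPPORTED_WindowsVista"/>
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
"""

# Constructed sample resource file matching SAMPLE_ADMX.
SAMPLE_ADML = """<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>Sample User Access template</displayName>
  <description>Strings for the sample template</description>
  <resources><stringTable>
    <string id="UserAccess">User Access</string>
    <string id="DisableReverseDns">Disable reverse DNS resolution</string>
    <string id="DisableReverseDns_Help">Skip the reverse DNS lookup of the connecting workstation.</string>
  </stringTable></resources>
</policyDefinitionResources>
"""


def string_refs(admx_text: str) -> set:
    """All $(string.id) references used by an .admx file."""
    return set(STRING_REF.findall(admx_text))


def adml_string_ids(adml_text: str) -> set:
    """All string ids defined in an .adml stringTable."""
    root = ET.fromstring(adml_text)
    return {s.get("id") for s in root.iter(f"{{{ADMX_NS}}}string")}


def stage_policy_definitions(source: Path, central_store: Path, lang: str) -> dict:
    """Copy .admx files to central_store and .adml files to central_store/lang,
    verifying that every template has a resource file covering all its strings.
    Returns {"staged": [relative names copied], "problems": [messages]}."""
    lang_dir = central_store / lang
    lang_dir.mkdir(parents=True, exist_ok=True)
    staged, problems = [], []
    for admx in sorted(source.glob("*.admx")):
        shutil.copy2(admx, central_store / admx.name)
        staged.append(admx.name)
        adml = source / lang / admx.with_suffix(".adml").name
        if not adml.exists():
            problems.append(f"{admx.name}: no {lang} resource file {adml.name}")
            continue
        shutil.copy2(adml, lang_dir / adml.name)
        staged.append(f"{lang}/{adml.name}")
        missing = string_refs(admx.read_text(encoding="utf-8")) \
            - adml_string_ids(adml.read_text(encoding="utf-8"))
        if missing:
            problems.append(f"{admx.name}: strings missing from {adml.name}: {sorted(missing)}")
    return {"staged": staged, "problems": problems}


def demo() -> dict:
    """Build a throw-away TOOLS\\ADMX tree from the samples and stage it into a
    PolicyDefinitions folder under a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "TOOLS" / "ADMX"
        (src / "EN-US").mkdir(parents=True)
        (src / "UserAccess.admx").write_text(SAMPLE_ADMX, encoding="utf-8")
        (src / "EN-US" / "UserAccess.adml").write_text(SAMPLE_ADML, encoding="utf-8")
        # Second template references a string its resource file does not define.
        (src / "UserAccessLicenses.admx").write_text(
            SAMPLE_ADMX.replace("DisableReverseDns_Help", "Licenses_Help"), encoding="utf-8")
        (src / "EN-US" / "UserAccessLicenses.adml").write_text(SAMPLE_ADML, encoding="utf-8")
        store = Path(tmp) / "sysvol" / "domain" / "policies" / "PolicyDefinitions"
        return stage_policy_definitions(src, store, "EN-US")


if __name__ == "__main__":
    print(demo())
```

The string check matters because the editor resolves every displayName and explainText through the .adml of the language in use; a template copied without its resource file, or with a resource file from another release, loads with errors even though the .admx itself is valid.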
8.3 Description of the User Access Administrative Template (optional)
The User Access administrative template allows you to configure registry entries acting on the following modules:
• SSOWatch.
• Advanced Login.
• Quest ESSO Security Services.
The following tables briefly describe each parameter of the .adm and .admx files.
The number of parameters stored in the .adm files is greater than the number of parameters in the .admx files. The following tables list all the parameters, regardless of the file extension; some entries are therefore not relevant to .admx files.
SSOWatch Parameters
• SSOWatch Common Parameters
  These parameters are located in:
  HKLM\SOFTWARE\Policies\Enatel\SSOWatch\CommonConfig
  VALUE NAME (VALUE TYPE) - DESCRIPTION/DEFAULT VALUE
  LCID (DWORD)
    User interface language.
    0: Default.
    409: English.
    40C: French.
    407: German.
    411: Japanese.
  AllowSmartCardInactivityTimer (DWORD)
    Time in seconds before locking the SSOWatch module of Quest 
    ESSO.
    It concerns only smart card authentication.
  DontUseSmartCardInOTP (DWORD)
    If the value is set to 1, the SSOWatch module stores the user primary password in the directory to use it for SSO. This way, the smart card logon is ignored.
HLL API Parameters
• HLL API plug-in global configuration parameters. For more information, see SSOWatch Administrator Guide.
  These parameters are located in:
  HKLM\SOFTWARE\Policies\Enatel\SSOWatch\HllAPI
  VALUE NAME (VALUE TYPE) - DESCRIPTION/DEFAULT VALUE
  EnableMultiEmulator (DWORD)
    Quest Enterprise SSO starts the HllAPI plug-in with several emulators, specified in the n value.
    n: number of emulators.
  HllEntryPoint (String)
    DLL entry point.
  HLLAPI-32bit (DWORD)
    Specifies whether the application using HLLAPI is a 32-bit or a 16-bit application.
    0: 32-bit.
    1: 16-bit (default).
  HllLibrary (String)
    Name of the .dll file that corresponds to the HLLAPI plug-in.
    Default: PCSHLL32.dll
  IgnoreWindowsHandle (DWORD)
    Whether the HLLAPI library returns Windows handles.
    0: returns Windows handles (default).
    1: does not return Windows handles.
The HLLAPI plugin also exists in a 64-bit version. To make it interact with 32-bit applications, install the ESSOHLLAPI.msi and VCRedist_x86.msi packages.
Advanced Login Parameters
• Advanced Login configuration parameters.
  This parameter is located in:
  HKLM\SOFTWARE\Policies\Enatel\WiseGuard\AdvancedLogin
  VALUE NAME (VALUE TYPE) - DESCRIPTION/DEFAULT VALUE
  BioAutoValidate (DWORD)
    Automatic validation upon fingerprint authentication:
    0: disabled (default).
    1: enabled.
• Advanced Login configuration parameters.
  These parameters are located in:
  - HKLM\SOFTWARE\Enatel\WiseGuard: to be set manually.
  - HKLM\SOFTWARE\Policies\Enatel\WiseGuard: to be set with the GPOs.
  VALUE NAME (VALUE TYPE) - DESCRIPTION/DEFAULT VALUE
  UnlockWithWindowsAccount (DWORD)
    Unlocking a Smart Card session with Windows credentials.
    0: disabled (default).
    1: enabled.
  DisplayAuthMethodIcon (DWORD)
    Displaying the authentication method icon in the Session Unlocking window.
    0: disabled (default).
    1: enabled.
Quest ESSO Security Services Parameters
• Installation Type
  Quest ESSO installation type.
  These parameters are located in:
  HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\Config
  VALUE NAME (VALUE TYPE) - DESCRIPTION/DEFAULT VALUE
  Mode (DWORD)
    Installation type:
    0: Standalone (default).
    1: Client.
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
    For details on the different installation modes, see Section 1, "Overview".
  ManageAccessPoints (DWORD)
    Access point management:
    0: Quest ESSO does not manage access points.
    1: Quest ESSO manages access points (default).
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
    For more information on access point management, see Quest ESSO Console Administrator Guide.
  RegisterSoftwareModules (DWORD)
    Management of software module objects in the directory:
    0: Software module objects are not managed in the directory.
    1: Software module objects are managed in the directory (default).
• WGSS Parameters
  Parameters to deploy a domain account for Quest ESSO to perform LDAP requests. For more information, see Section 2.7, "Deploying a Workstation LDAP User Account".
  This parameter is located in:
  HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\FmkServer
  VALUE NAME (VALUE TYPE) - DESCRIPTION/DEFAULT VALUE
  AccessPointLdapCredentials (String)
    Access Point LDAP account encrypted by the WGSS /C command.
• Security Directory
  Configuration of the Quest ESSO security database.
  These parameters are located in:
  HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\Directory
  VALUE NAME (VALUE TYPE) - DESCRIPTION/DEFAULT VALUE
  BlobCompression (DWORD)
    Enables binary data compression:
    0: off.
    1: on.
  DirectoryType (DWORD)
    User database or directory:
    0: Windows Workstation/SAM Base (default).
    1: Active Directory.
    2: SunONE Directory Server.
    3: OpenLDAP.
    4: Novell eDirectory.
    6: IBM Tivoli Directory Server.
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
  DirectoryUsage (DWORD)
    Security database storage mode:
    0: Authentication (default).
    1: Authentication & Security Base.
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
  PossibleDomainsList (String)
    List of authorized NetBIOS Windows domains, separated by spaces.
    Only for Active Directory and ADAM/AD LDS.
    By default, the Quest ESSO solution considers that all Windows domains defined on the workstation are managed by the solution. If this is not the case, the key must be set to indicate the list of the configured domains. Quest ESSO Console displays error messages when it tries to connect to a domain that is not managed.
  EnterpriseUserAuthentication (DWORD)
    Security data location:
    0: store Quest ESSO data in the enterprise Directory (default).
    1: store Quest ESSO data in another Directory or Naming Context.
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
  SSL (DWORD)
    SSL:
    0: SSL disabled (default).
    1: SSL enabled.
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
  LdapAuthMethod (DWORD)
    Authentication method:
    0: simple clear-text authentication (default).
    1: SASL/DIGEST-MD5 authentication.
    2: SASL/NMAS authentication (Novell specific).
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
  TLS (DWORD)
    TLS:
    0: TLS is not activated (default).
    1: TLS is always activated.
    2: TLS is only activated when sensitive data is transferred on the network (during password change or account creation).
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
  TLSDemand (DWORD)
    TLS demand:
    0: TLS is not mandatory: if TLS fails, the connection is activated without encryption (default).
    1: TLS is mandatory: if TLS fails, no connection is activated.
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
  ServerList (String)
    List of servers.
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
  RootLdapDN (String)
    Root object DN.
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
  SearchResultSizeLimit (DWORD)
    Maximum number of elements returned by a request:
    no limit (default).
    10 (min.).
  UserSearchFilter (String)
    Attributes used by the search request for the delegation.
    ldapAttName=Label,…
    Example: UserPrincipalName=Label,...
  AccessResolutionByGroups (DWORD)
    Authorization of access requests on groups:
    0: access request not authorized.
    1: access request authorized (default).
  AccessResolutionByUO (DWORD)
    Authorization of access requests on organizational units:
    0: access request not authorized.
    1: access request authorized (default).
  AccessResolutionByGroupOfGroups (DWORD)
    Authorization of access requests on groups of groups:
    0: access request not authorized.
    1: access request authorized (default).
  LdapAPIDir (String)
    LDAP library binaries location path.
  MustChangePasswordOnWindows (DWORD)
    Where the password must be changed (useful if a synchronization takes place):
    0: LDAP server (default).
    1: MS Windows domain.
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
  ExtendedGroupIntegration (DWORD)
    Support of a special type of groups for SAMBA integration:
    0: only standard groups using distinguished names for members.
    1: support SAMBA groups using a memberUid-like attribute type for members.
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
  CorporateComputerIntegration (DWORD)
    Integration of corporate computer objects as SAMBA computers:
    0: do not use SAMBA computer entries.
    1: use SAMBA computer entries (default).
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
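Reading the Security Directory values off a workstation means applying the precedence stated at the start of Section 8 (a value under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Enatel supersedes the same value under HKEY_LOCAL_MACHINE\SOFTWARE\Enatel), and a .reg export is the artifact usually available offline. The following script is an added example written for that purpose, not part of Quest ESSO: it parses a .reg export, resolves the effective Directory values, and reports the combinations the table above describes as unprotected (LdapAuthMethod 0 is clear-text authentication, SSL 0 with TLS 0 leaves the connection unencrypted, TLS 2 protects only password change and account creation, and TLSDemand 0 lets a failed TLS negotiation fall back to no encryption). It also splits PossibleDomainsList on spaces as the table specifies (the value set in Section 4.6). The export, its server names and domain names are constructed for the example.

```python
"""Resolve effective Quest ESSO Security Directory settings from a .reg export
and flag clear-text LDAP exposure (added example, not part of Quest ESSO)."""
import re
from typing import Dict, Optional, Tuple

# Constructed export: the local key leaves LDAP in clear, a GPO then pushes
# TLS=2 and TLSDemand=1 through the Policies key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\FrameWork\Directory]
"DirectoryType"=dword:00000001
"SSL"=dword:00000000
"TLS"=dword:00000000
"TLSDemand"=dword:00000000
"LdapAuthMethod"=dword:00000000
"ServerList"="dc1.corp.example dc2.corp.example"
"PossibleDomainsList"="CORP LAB"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\Directory]
"TLS"=dword:00000002
"TLSDemand"=dword:00000001
"""

POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Enatel"
LOCAL_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Enatel"
DIRECTORY = r"WiseGuard\FrameWork\Directory"
# Defaults from the Security Directory table, used when a value is absent.
DEFAULTS = {"SSL": 0, "TLS": 0, "TLSDemand": 0, "LdapAuthMethod": 0}

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path (lower-cased): {value name: value}}.
    dword values become int, REG_SZ values str; other types are kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                current[name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                current[name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                current[name] = data
    return keys


def effective_value(keys, subkey: str, name: str) -> Tuple[object, Optional[str]]:
    """Policy value wins over the local value; returns (value, 'policy'|'local') or (None, None)."""
    for origin, root in (("policy", POLICY_ROOT), ("local", LOCAL_ROOT)):
        values = keys.get(f"{root}\\{subkey}".lower(), {})
        if name in values:
            return values[name], origin
    return None, None


def audit_directory(keys) -> dict:
    """Resolve the Directory values and list the clear-text exposures."""
    names = ("DirectoryType", "SSL", "TLS", "TLSDemand", "LdapAuthMethod",
             "ServerList", "PossibleDomainsList")
    effective = {n: effective_value(keys, DIRECTORY, n) for n in names}

    def val(n):
        v = effective[n][0]
        return DEFAULTS.get(n) if v is None else v

    ssl, tls, demand, auth = val("SSL"), val("TLS"), val("TLSDemand"), val("LdapAuthMethod")
    findings = []
    if auth == 0 and ssl == 0 and tls == 0:
        findings.append("LdapAuthMethod=0 with SSL=0 and TLS=0: bind credentials cross the network in clear")
    elif auth == 0 and ssl == 0 and tls == 2:
        findings.append("TLS=2 protects only password change and account creation; "
                        "LdapAuthMethod=0 binds stay in clear")
    if tls in (1, 2) and demand == 0:
        findings.append("TLSDemand=0: a failed TLS negotiation falls back to an unencrypted connection")
    domains = val("PossibleDomainsList")
    return {
        "effective": effective,
        "domains": domains.split() if isinstance(domains, str) else None,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_directory(parse_reg(SAMPLE_REG))
    for name, (value, origin) in report["effective"].items():
        print(f"{name:20} {value!r:40} from {origin}")
    print("domains:", report["domains"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```

On a real machine, export both keys with Registry Editor or reg export and feed the file to parse_reg; the "origin" column tells you whether a value comes from a GPO or from the local configuration written by the wgss configuration file, which is where the table says such values must be changed.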

• Secondary Security Directory or Naming Context
  Configuration of two directories to separate the Quest ESSO data from your identities repository. For more information, see Section 1.3.1, "Separation of the Quest ESSO Data".
  These parameters are located in:
  HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\WGDirectory
  VALUE NAME (VALUE TYPE) - DESCRIPTION/DEFAULT VALUE
  DirectoryType (DWORD)
    Secondary security directory or LDAP naming context, used when security data are not stored in the user Directory:
    2: Sun/RedHat/Fedora Directory Server.
    7: Microsoft Active Directory Application Mode.
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
  LdapAuthMethod (DWORD)
    Authentication method:
    0: simple clear-text authentication (default).
    1: SASL/DIGEST-MD5 authentication.
    2: SASL/NMAS authentication (Novell specific).
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
  TLS (DWORD)
    TLS:
    0: TLS is not activated (default).
    1: TLS is always activated.
    2: TLS is only activated when sensitive data is transferred on the network (during password change or account creation).
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
  TLSDemand (DWORD)
    TLS demand:
    0: TLS is not mandatory: if TLS fails, the connection is activated without encryption (default).
    1: TLS is mandatory: if TLS fails, no connection is activated.
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
  ServerList (String)
    List of servers.
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
  RootLdapDN (String)
    Root object DN.
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
• Authentication
  List of the authorized authentication methods.
  These parameters are located in:
  HKLM\SOFTWARE\Policies\Enatel\WiseGuard\Framework\Authentication
  VALUE NAME (VALUE TYPE) - DESCRIPTION/DEFAULT VALUE
  LogonIntegrated (DWORD)
    Integrated Windows authentication:
    0: off.
    1: on.
  CacheSynchroWithAuth (DWORD)
    SSO account synchronization after login:
    0: off.
    1: on.
  WaitBeforeLogonScript (DWORD)
    Time to wait before activating the user shell (only in "stub" mode):
    0 (default).
    -1
  ManualPwdChangeMandatory (DWORD)
    In case the manual password change policy detects the expiration date of the password when the user authenticates offline, this option can force the user to authenticate when the directory is available again, so that he/she can manually change his/her directory password.
    0 (default): no authentication forced in the user session. No manual password change.
    1: authentication forced in the user session, so that he/she can manually change his/her directory password.
• Single Sign-On
  These parameters are located in:
  HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\SingleSignOn
  VALUE NAME (VALUE TYPE) - DESCRIPTION/DEFAULT VALUE
  SyncTokenAndSessionKeys (DWORD)
    Enables the SSO keys synchronization: if the user AD password has been modified with a tool other than Quest ESSO, the user SSO data cannot be deciphered with the new AD password when the user authenticates on the workstation.
    1: when the user authenticates on the workstation, SSO data is deciphered with the session key.
    0 (default): no synchronization is performed.
Audit / Log
Tuning and customizing of the Quest ESSO log.
These parameters are located in:
HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\Audit

VALUE NAME (VALUE TYPE): DESCRIPTION/DEFAULT VALUE
QueueSize (DWORD): Audit buffer size:
    50 (default).
    10 (min.).
QueueFlushTimeOut (DWORD): Time interval between buffer flushes (in seconds):
    60 (default).
    1 (min.).
CustomExtension (String): DLL of the audit extension.

Network Cache
Activation and performance tuning of the Quest ESSO network cache.
These parameters are located in:
HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\Cache

VALUE NAME (VALUE TYPE): DESCRIPTION/DEFAULT VALUE
CacheDir (String): Cache files location.
    This value must not be modified in the registry. To modify it, use the wgss configuration file.
SynchronizeOnLDAPConnectionBack (DWORD): Synchronization of the SSO accounts cache when the directory is available:
    0: off.
    1: on (default).

Directory Network Services (DNS)
Deactivation of the reverse DNS resolution. If the DNS server is slow, retrieving the name of a connecting workstation can take a few seconds, which slows down authentication.
This parameter is located in:
HKLM\SOFTWARE\Policies\Enatel\WiseGuard\FrameWork\Network

VALUE NAME (VALUE TYPE): DESCRIPTION/DEFAULT VALUE
DisableReverseDns (DWORD): Disable reverse DNS usage:
    0: off.
    1: on (default).

LDAP Directory Server List
An exhaustive list of the LDAP Directory servers potentially used by Quest ESSO. This parameter must contain a sublist of the existing LDAP Directory servers. Without this list, Quest ESSO can connect to any LDAP Directory server available in the domain.
This parameter is located in one of the following registry keys:
- HKLM\SOFTWARE\Enatel\WiseGuard\FrameWork\Directory
- HKLM\SOFTWARE\Enatel\WiseGuard\FrameWork\WGDirectory

VALUE NAME (VALUE TYPE): DESCRIPTION/DEFAULT VALUE
ServerList (REG_SZ): Comma-separated list of LDAP directory servers.

LDAP Directory Server List Ordering
Successively try to connect to the LDAP Directory servers according to the above list, or in a random order.
These parameters are located in:
HKLM\SOFTWARE\Enatel\WiseGuard\FrameWork\Directory

VALUE NAME (VALUE TYPE): DESCRIPTION/DEFAULT VALUE
FollowServerListOrder (DWORD): Disable LDAP server list randomization:
    0: the server list is randomized before the first LDAP server is contacted (default).
    1: the server list is not randomized: the first LDAP server of the list is used, then the next ones.

9 Installing Quest ESSO MSI Packages in Silent Mode
Subject
This section describes the parameters that can be used when installing Quest ESSO MSI packages in silent mode.
The (silent) installation of MSI packages does not include the configuration of the computer.
Silent installation can be performed through the msiexec command, which is part of the Microsoft Windows Installer. For more details, refer to the Microsoft Windows Installer documentation.
This section explains how to silently install the following elements:
- Microsoft Visual C++ 2005 Redistributables: see Section 9.1, "Installing Microsoft Redistributables in Silent Mode".
- Quest ESSO Controller: see Section 9.2, "Installing Quest ESSO Controller in Silent Mode".
- Quest ESSO Client: see Section 9.3, "Installing Quest ESSO Client in Silent Mode".
- Quest ESSO Web Server: see Section 9.4, "Installing Quest ESSO Web Server in Silent Mode".
Silent Installation Methods
To perform a silent installation of an MSI package, you can use one of the following methods:
- Use of the MSI properties MODULES and TRANSLATIONS of msiexec
  This method is strongly recommended, when available.
  These properties facilitate the installation or upgrade of already installed MSI packages, according to the operating system: when the MODULES and/or TRANSLATIONS properties are used when installing an MSI package, the mandatory and hidden MSI features are automatically selected according to the operating system.
  These properties must be used with the INSTALLMODE=Custom parameter and must not be used with the ADDLOCAL parameter.
- Use of the MSI property ADDLOCAL of msiexec
  Each feature can be added as a value of this property.
Before Starting
Make sure you have Microsoft Windows Installer version 3.0 (or a later version).
9.1 Installing Microsoft Redistributables in Silent Mode
Subject
The Microsoft Visual C++ 2005 SP1 runtime libraries are delivered as a separate MSI package: VCRedist_x86.msi (or VCRedist_x64.msi for x64 platforms).
The installation of this MSI package is a prerequisite to the installation of any Quest ESSO software module. It must be installed once on each workstation and does not need to be updated.
Procedure
In the ADDLOCAL property of the msiexec command, add the wanted feature name (see the "Feature Name" column in the following Features table):
Use the ADDLOCAL=CRT_WinSXS or ADDLOCAL=ALL msiexec parameter.
Features
The VCRedist_x86.msi (or VCRedist_x64.msi for x64 platforms) contains the following selectable feature:
FEATURE NAME: DESCRIPTION
CRT_WinSXS: Studio 2005 SP1 Redistributable.
9.2 Installing Quest ESSO Controller in Silent Mode
Subject
The ESSOController.msi gathers all software modules required to install a Quest ESSO Controller.
This package does not include the configuration of the computer.
Procedure
Installation using the ADDLOCAL property of msiexec
- In the ADDLOCAL property of the msiexec command, add the wanted feature names (see the "Feature Name" column in the following Features table).
  It is mandatory to select the parent feature in order to select a sub-feature. For example, it is necessary to select the Translations feature to select the german feature.
-OR-
Installation using the MODULES and TRANSLATIONS properties of msiexec
- In the MODULES property of the msiexec command, add the short names of the wanted features (see the "Short Name" column in the following Features table).
- In the TRANSLATIONS property of the msiexec command, add the short names of the wanted languages.
  In this case, the ADDLOCAL parameter must not be used.
Example
The following command line installs the Quest ESSO Controller with Quest ESSO Console without RFID, with all required hidden/mandatory MSI features:
msiexec /qn /l*v <pathToLogFile> /i <pathToESSOController.MSI> /norestart INSTALLMODE=Custom /PASSIVE MODULES=CSL TRANSLATIONS=DE
Features
The following table gives the list of features that can be selected to perform a silent installation of Quest ESSO Controller.
Feature and short names are case sensitive.

FEATURE/SUBFEATURE NAME (SHORT NAME): DESCRIPTION
WGSS (-): Mandatory feature. Quest ESSO middleware.
WGSSServer (-): Mandatory feature.
ESSO_Console (CSL): Quest ESSO administration Console.
    RFIDAdmin (CSLRFID): Adds management of proximity devices (RFID) to Quest ESSO Console.
Translations (-): Localized resources of Quest ESSO software modules. English resources are always installed.
    german (DE): The German translated resources for Quest ESSO Controller software.
    arabic (AR): The Arabic translated resources for Quest ESSO Controller software.
    japanese (JP): Needs a specific license. The Japanese translated resources for Quest ESSO Controller software.
    french (FR): The French translated resources for Quest ESSO Controller software.
    italian (IT): The Italian translated resources for Quest ESSO Controller software.
    spanish (ES): The Spanish translated resources for Quest ESSO Controller software.
    dutch (NL): The Dutch translated resources for Quest ESSO Controller software.
    russian (RU): The Russian translated resources for Quest ESSO Controller software.
9.3 Installing Quest ESSO Client in Silent Mode
Subject
The ESSOAgent.msi gathers all software modules that may be installed on a user's workstation.
This package does not include the configuration of the workstation.
Procedure
Installation using the ADDLOCAL property of msiexec
In the ADDLOCAL property of the msiexec command, add the wanted feature names (see the "Feature Name" column in the following Features table).
It is mandatory to select the parent feature in order to select a sub-feature.
Examples: To select the SSOJava feature, it is necessary to select the SSOWatch feature. To select the GinaStub feature, it is necessary to select both the WindowsStub and SSOWatch features.
Example
The following command line installs the Quest ESSO Client with Advanced Login, Quest ESSO Console without RFID management, the SSOWatch module with Personal SSO Studio, Enterprise SSO Studio and the Java plug-in, along with German resources (with all required hidden/mandatory MSI features):
- On a Windows XP system:
msiexec /qn /l*v <pathToLogFile> /i <pathToESSOAgent.MSI> /norestart /PASSIVE ADDLOCAL=WGSS,EssoErrors,Advanced_Login,Gina_NT,WG_Gina,WG_Safe_Gina,ESSO_Console,SSOWatch,SSOJava,Studio_Enterprise,Studio_Personal,translations,german
- On a Windows Vista system:
msiexec /qn /l*v <pathToLogFile> /i <pathToESSOAgent.MSI> /norestart /PASSIVE ADDLOCAL=WGSS,EssoErrors,Sens,Advanced_Login,VistaCP,WGSens,ESSO_Console,SSOWatch,SSOJava,Studio_Enterprise,Studio_Personal,translations,german,devista
Installation using the MODULES and TRANSLATIONS properties of msiexec
- In the MODULES property of the msiexec command, add the short names of the wanted features (see the "Short Name" column in the following Features table).
- In the TRANSLATIONS property of the msiexec command, add the short names of the wanted languages.
In this case, the ADDLOCAL parameter must not be used.
Example
The following command line installs the Quest ESSO Client with Advanced Login, Quest ESSO Console without RFID management, the SSOWatch module with Personal SSO Studio, Enterprise SSO Studio and the Java plug-in, along with German resources (with all required hidden/mandatory MSI features):
msiexec /qn /l*v <pathToLogFile> /i <pathToESSOAgent.MSI> /norestart INSTALLMODE=Custom /PASSIVE MODULES=ADL,CSL,SSO,SSOJAVA,SSOENT,SSOPER TRANSLATIONS=DE
Features
The following table gives the list of features that can be selected to perform a silent installation of Quest ESSO Client.
It is mandatory to select the parent feature in order to select a sub-feature.
Examples: To select the SSOJava feature, it is necessary to select the SSOWatch feature.
Feature and short names are case sensitive.

FEATURE/SUBFEATURE NAME (SHORT NAME): DESCRIPTION
WGSS (-): Mandatory feature. Select all its sub-features.
    EssoErrors (-): Mandatory feature.
    Sens (-): Mandatory feature on Windows Vista, Windows 2008 and Windows 7.
WGSSServer (-): Mandatory feature when installing on a Quest ESSO Controller.
Advanced_Login (ADL): Advanced Login, which secures access to the workstation.
    Gina_NT (-): Required on Windows 2000, Windows XP and Windows 2003. Select all its sub-features.
        WG_Gina (-): Required on Windows 2000, Windows XP and Windows 2003.
        WG_Safe_Gina (-): Required on Windows 2000, Windows XP and Windows 2003.
    VistaCP (-): Required on Windows Vista, Windows 2008 and Windows 7. Select its sub-feature.
        WGSens (-): Required on Windows Vista, Windows 2008 and Windows 7.
    PwdTile (PWD): Allow password authentication. Valid for Windows Vista, 7 and 2008.
    TokenTile (TOKEN): Allow smart card authentication. Valid for Windows Vista, 7 and 2008.
    RfidTile (RFID): Allow contact-less badge authentication. Valid for Windows Vista, 7 and 2008.
    BioTile (BIO): Allow biometrics authentication. Valid for Windows Vista, 7 and 2008.
    MobileTile (MOBILE): Allow mobile phone authentication. Valid for Windows 7 and 2008.
    SsprTile (SSPR): Allow SSPR and Q&A authentication. Valid for Windows Vista, 7 and 2008.
    ClusterTile (CLUSTER): Allow transparent locking and Cluster automatic logging. Valid for Windows Vista, 7 and 2008.
SSOWatch (SSO): Quest Enterprise SSO, which provides Single Sign On to applications.
    BioEnroll (SSOBIO): Enables users to enroll their biometrics authentication data.
    WindowsStub (SSOWIN): Automatically opens Quest Enterprise SSO with the user's Windows credentials if Advanced Login is not installed.
        GinaStub (-): Required on Windows 2000, Windows XP and Windows 2003.
        VistaWrapper (-): Required on Windows Vista, Windows 2008 and Windows 7.
    IEPLUGIN (SSOIE): Obsolete Internet Explorer plug-in (with BHO).
    SSOJava (SSOJAVA): Provides Single Sign On to Java applications and applets.
    Studio_Personal (SSOPER): Personal SSO Studio, which allows end-users to enable SSO on their applications.
    Studio_Enterprise (SSOENT): Enterprise SSO Studio, which is the SSO configuration management tool.
    SSOFUS (SSOFUS): Public Access Fast User Switching for free access to Windows sessions if neither Advanced Login nor WindowsStub is installed.
    BioFUS (BIOFUS): Multi-User Desktop, if neither Advanced Login nor WindowsStub is installed.
    FUS_sessionmgr: A customizable extension DLL dedicated to Fast User Switching.
ESSO_Console (CSL): Quest ESSO administration Console. Mandatory feature when installing on a Quest ESSO Controller.
    RFIDAdmin (CSLRFID): Adds management of proximity devices (RFID) to Quest ESSO Console. Mandatory feature when installing on a Quest ESSO Controller and already installed by ESSOController.msi.
translations (-): Localized resources of Quest ESSO software modules. English resources are always installed.
    german (DE): The German translated resources for Quest ESSO Client software.
        devista (-): Additional German resources for Windows Vista, Windows 2008 and Windows 7.
    arabic (AR): The Arabic translated resources for Quest ESSO Client software.
        arvista (-): Additional Arabic resources for Windows Vista, Windows 2008 and Windows 7.
    japanese (JP): Needs a specific license. The Japanese translated resources for Quest ESSO Client software.
        jpvista (-): Additional Japanese resources for Windows Vista, Windows 2008 and Windows 7.
    french (FR): The French translated resources for Quest ESSO Client software.
        frvista (-): Additional French resources for Windows Vista, Windows 2008 and Windows 7.
    italian (IT): The Italian translated resources for Quest ESSO Client software.
        itvista (-): Additional Italian resources for Windows Vista, Windows 2008 and Windows 7.
    spanish (ES): The Spanish translated resources for Quest ESSO Client software.
        esvista (-): Additional Spanish resources for Windows Vista, Windows 2008 and Windows 7.
    russian (RU): The Russian translated resources for Quest ESSO Client software.
        ruvista (-): Additional Russian resources for Windows Vista, Windows 2008 and Windows 7.
    dutch (NL): The Dutch translated resources for Quest ESSO Client software.
        nlvista (-): Additional Dutch resources for Windows Vista, Windows 2008 and Windows 7.
9.4 Installing Quest ESSO Web Server in Silent Mode
Subject
The ESSOWebServer.msi gathers all software modules that may be installed on a web server.
The silent installation can only be used for updating the web server: the MSI does not include the Apache server installation, which is a prerequisite for the Self-Service Password Reset and the Quest ESSO API.
This package does not include the configuration of the computer.
Procedure
Installation using the ADDLOCAL property of msiexec
In the ADDLOCAL property of the msiexec command, add the wanted feature names (see the "Feature Name" column in the following Features table).
It is mandatory to select the parent feature in order to select a sub-feature.
Installation using the MODULES and TRANSLATIONS properties of msiexec
- In the MODULES property of the msiexec command, add the short names of the wanted features (see the "Short Name" column in the following Features table).
- In the TRANSLATIONS property of the msiexec command, add the short names of the wanted languages.
In this case, the ADDLOCAL parameter must not be used.
Example
The following command line installs the Quest ESSO Self-Service for Password Reset (with all required hidden/mandatory MSI features):
msiexec /qn /l*v <pathToLogFile> /i <pathToESSOWebServer.MSI> /norestart INSTALLMODE=Custom /PASSIVE MODULES=SSPR
Features
The following table gives the list of features that can be selected to perform a silent installation of Quest ESSO Web Server.
Feature and short names are case sensitive.

FEATURE NAME (SHORT NAME): DESCRIPTION
WEB (-): Mandatory feature.
    WGSSSERVER (-): Mandatory feature when installing on a Quest ESSO Controller.
    ESSO_SSPR (SSPR): Quest ESSO Self Service for Password Reset.
    WSAPI (WSAPI): Quest ESSO API Web Service.
Appendix A: Advanced Configuration: Audit
Quest ESSO offers the possibility to process audit events. To do so, it is necessary to develop an extension DLL for this processing operation.
A.1 Audit Extension DLL Development Guide
A.1.1 Structure of Audit Event: _WG_AUDITEVENT
// structure of exchange with personalized audit extensions
typedef struct _WG_AUDITEVENT
{
    UINT32     uID;                         // Event identifier (divided into fields)
    __time64_t tDate;                       // Event transmission time
    HRESULT    hResult;                     // Event code: success/failure
    LPCSTR     lpszUserAuditID;             // User audit identifier
    LPCSTR     lpszAppID;                   // Application GUID
    LPCSTR     lpszExtendedInfo;            // Extended information
    LPCSTR     lpszAppName;                 // Application name at the time the event is generated
    LPCSTR     lpszAccessPointName;         // Access point name at the time the event is generated
    LPCSTR     lpszAccessPointID;           // Access point GUID
    LPCSTR     lpszAuditEventDescription;   // Description of audit event
    LPCSTR     lpszAuditEventCategoryName;  // Name of audit event category
} WG_AUDITEVENT, *LPWG_AUDITEVENT;

// The uID (32 bits) is separated in several fields:
// CCIIIIII
// CC     = category (0x00 -> 0xFF)
// IIIIII = id       (0x000000 -> 0xFFFFFF)
#define AUDEVT(ctg,id)           (((ctg&0xFF)<<24)|(id&0xFFFFFF))
#define AUDEVT_GET_CATEGORY(id)  ((id&0xFF000000)>>24)
#define AUDEVT_GET_ID(id)        (id&0x00FFFFFF)
A.1.2 Structure of Audit Configuration: _WG_AUDITCONFIG
typedef struct _WG_AUDITCONFIG
{
    int    nVersion;                  // [IN/OUT] on IN it indicates the maximum audit version managed by the middleware; on OUT it contains the extension audit version, which must be <= the previous one
    BOOL   bSendEventCategoryName;    // [OUT] Sends the audit category name with each event
    BOOL   bSendEventDescription;     // [OUT] Sends the audit event name with each event
    int    iAuditQueueSize;           // [IN/OUT] Audit event queue size
    DWORD  dwAuditQueueFlushTimeout;  // [IN/OUT] Timeout before audit event queue flush if it is not full
    LPVOID pUserData;                 // [OUT] For storing a value which will be passed at each Stop or PutEvents call
} WG_AUDITCONFIG, *LPWG_AUDITCONFIG;
A.1.3 Prototypes of Functions to Export
- Function to call when Quest ESSO Security Services is started:
typedef BOOL (__cdecl *FN_STARTAUDITEXTENSION)(const LPWG_AUDITCONFIG lpWGAuditConfig);
- Function to call when Quest ESSO Security Services is stopped:
typedef BOOL (__cdecl *FN_STOPAUDITEXTENSION)(LPVOID pUserData);
- Event-processing function:
typedef BOOL (__cdecl *FN_PUTAUDITEVENTS)(LPVOID pUserData, const LPWG_AUDITEVENT lpWGAuditEvents, int nEventCount);
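As an added example that is not part of this guide or of the product, the following C code implements a minimal audit extension against the structures and prototypes above. It compiles outside Windows thanks to a few type shims; the shims, the export names StartAuditExtension, StopAuditExtension and PutAuditEvents, the extension audit version 1, the 10-event minimum and the two sample events are all assumptions. The extension negotiates the audit version in the start call (the OUT value may never exceed the IN value), asks for the category name and description with each event, and writes every event as one key=value line, which is the shape a log collector forwards to a SIEM; audit_ext_selftest drives it the way the middleware would.

```c
#include <stdint.h>
#include <stdio.h>

/* Type shims so the example builds outside Windows (assumption); on Windows
   the real types come from <windows.h>. */
#ifdef _WIN32
#include <windows.h>
typedef __time64_t wg_time64_t;
#else
typedef uint32_t UINT32, DWORD;  typedef int32_t HRESULT;  typedef int BOOL;
typedef const char *LPCSTR;      typedef void *LPVOID;
typedef int64_t wg_time64_t;     /* stands in for __time64_t */
#define __cdecl
#define TRUE 1
#define FALSE 0
#endif

/* Structures and macros as documented in A.1.1 and A.1.2. */
typedef struct _WG_AUDITEVENT {
    UINT32      uID;                        /* CCIIIIII: category and id */
    wg_time64_t tDate;                      /* __time64_t in the original */
    HRESULT     hResult;
    LPCSTR      lpszUserAuditID, lpszAppID, lpszExtendedInfo, lpszAppName;
    LPCSTR      lpszAccessPointName, lpszAccessPointID;
    LPCSTR      lpszAuditEventDescription, lpszAuditEventCategoryName;
} WG_AUDITEVENT, *LPWG_AUDITEVENT;
#define AUDEVT(ctg,id)          (((ctg&0xFF)<<24)|(id&0xFFFFFF))
#define AUDEVT_GET_CATEGORY(id) ((id&0xFF000000)>>24)
#define AUDEVT_GET_ID(id)       (id&0x00FFFFFF)
typedef struct _WG_AUDITCONFIG {
    int    nVersion;                  /* IN: middleware maximum; OUT: ours, <= IN */
    BOOL   bSendEventCategoryName;    /* OUT */
    BOOL   bSendEventDescription;     /* OUT */
    int    iAuditQueueSize;           /* IN/OUT */
    DWORD  dwAuditQueueFlushTimeout;  /* IN/OUT */
    LPVOID pUserData;                 /* OUT: handed back to Stop and PutEvents */
} WG_AUDITCONFIG, *LPWG_AUDITCONFIG;

#define EXT_AUDIT_VERSION 1           /* audit version this extension speaks (assumption) */
#define S(x) ((x) ? (x) : "-")        /* print "-" for absent strings */
typedef struct { FILE *sink; unsigned long events_seen; } audit_ext_state;
static audit_ext_state g_state;

/* One event as a single key=value line, the shape a log collector can ingest. */
int format_audit_line(const WG_AUDITEVENT *ev, char *buf, size_t len)
{
    return snprintf(buf, len,
        "ts=%lld cat=0x%02X id=0x%06X hr=0x%08X user=%s app=%s ap=%s desc=%s catname=%s",
        (long long)ev->tDate, (unsigned)AUDEVT_GET_CATEGORY(ev->uID),
        (unsigned)AUDEVT_GET_ID(ev->uID), (unsigned)ev->hResult,
        S(ev->lpszUserAuditID), S(ev->lpszAppName), S(ev->lpszAccessPointName),
        S(ev->lpszAuditEventDescription), S(ev->lpszAuditEventCategoryName));
}

/* FN_STARTAUDITEXTENSION: called when Quest ESSO Security Services starts. */
BOOL __cdecl StartAuditExtension(const LPWG_AUDITCONFIG cfg)
{
    if (cfg == NULL || cfg->nVersion < EXT_AUDIT_VERSION)
        return FALSE;                     /* middleware cannot serve our version */
    cfg->nVersion = EXT_AUDIT_VERSION;    /* OUT value must be <= the IN value */
    cfg->bSendEventCategoryName = TRUE;   /* names, not only numeric ids, per event */
    cfg->bSendEventDescription = TRUE;
    if (cfg->iAuditQueueSize < 10) cfg->iAuditQueueSize = 10;  /* documented QueueSize minimum */
    g_state.sink = stdout;                /* a real extension would open a file or socket */
    g_state.events_seen = 0;
    cfg->pUserData = &g_state;
    return TRUE;
}

/* FN_PUTAUDITEVENTS: receives a batch of nEventCount events from the queue. */
BOOL __cdecl PutAuditEvents(LPVOID pUserData, const LPWG_AUDITEVENT events, int nEventCount)
{
    audit_ext_state *st = (audit_ext_state *)pUserData;
    char line[1024];
    if (st == NULL || (events == NULL && nEventCount > 0)) return FALSE;
    for (int i = 0; i < nEventCount; i++, st->events_seen++) {
        format_audit_line(&events[i], line, sizeof line);
        fprintf(st->sink, "%s\n", line);
    }
    return fflush(st->sink) == 0 ? TRUE : FALSE;
}

/* FN_STOPAUDITEXTENSION: called when the service stops. */
BOOL __cdecl StopAuditExtension(LPVOID pUserData)
{
    audit_ext_state *st = (audit_ext_state *)pUserData;
    return (st != NULL && fflush(st->sink) == 0) ? TRUE : FALSE;
}

/* Drive the extension as the middleware would: offer version 3, QueueSize 50 and
   a 60 s flush timeout, push two constructed events, stop. Returns the number
   of events the extension processed (2). */
unsigned long audit_ext_selftest(void)
{
    WG_AUDITCONFIG cfg = { 3, FALSE, FALSE, 50, 60, NULL };
    WG_AUDITEVENT ev[2] = {   /* constructed sample events */
        { AUDEVT(0x01, 0x10), 1356998400, 0, "jdoe", "{app-guid}", "", "Mail client",
          "WS-01", "{ap-guid}", "Logon", "Authentication" },
        { AUDEVT(0x02, 0xA5), 1356998461, (HRESULT)0x80004005, "jdoe", "{app-guid}", "",
          "ERP", "WS-01", "{ap-guid}", "SSO failed", "SSO" },
    };
    if (!StartAuditExtension(&cfg) || !PutAuditEvents(cfg.pUserData, ev, 2)) return 0;
    StopAuditExtension(cfg.pUserData);
    return ((audit_ext_state *)cfg.pUserData)->events_seen;
}
```

On Windows the three functions would be exported from the DLL named in the CustomExtension registry value and the middleware would resolve them through the FN_* prototypes; the IN values of iAuditQueueSize and dwAuditQueueFlushTimeout are what QueueSize and QueueFlushTimeOut in the Audit policy key supply, so an extension should only tighten them within the documented minimums.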
A.2 Audited Events
The list of audited events is available on all Quest ESSO Controllers and Clients by
opening the Errors and Events tool, available in
Start | Programs | Quest Software | Enterprise SSO | Errors and Events
For more information on this tool, see Quest ESSO Console Administrator Guide.
Appendix B: Activating Traces
Subject
To diagnose an unexpected result from an installation program, you can activate traces as described in the following procedure.
Before Starting
- Create the folder that will store your trace files (C:\Traces for example).
- If you want to trace Password Reset, create a specific folder (C:\TracesRP for example).
Procedure
1. Start Registry Editor.
2. Create the HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\Debug key.
3. Create the following values:
   VALUE NAME (VALUE TYPE): VALUE
   TraceDir (String): Location of the trace files (C:\Traces for example).
   TraceLevel (DWORD): Enter a value between 0 and 5:
       0: no trace.
       5: traces return highly detailed information.
   MaxFileSize (DWORD): Maximum size in KB of the trace files.
   LimitedLogFiles (DWORD): Maximum number of trace files (enter a value between 2 and 10). 2 by default.
4. If you want to trace Password Reset, create the HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\Framework\Reset Password key, with the following value:
   VALUE NAME (VALUE TYPE): VALUE
   TraceDir (String): Location of the trace files (C:\TracesRP for example).
5. Restart your workstation.
   When the user logs on to his/her workstation, the following trace files are created in the specified directory:
   - WGSSxxxx.log: traces of the Quest ESSO Security Services service.
   - ssoenginexxxx.log: traces of the SSOWatch engine.
   - GinaSSOWatch.log: traces of the SSOWatch module GINA.
   - WGSafeGina and winlogonxxxx.log: Advanced Login traces.
   - WGConfigxxxx.log: traces of WGConfig.exe, which allows you to configure the Quest ESSO Security Services on the Quest ESSO workstations.
   - SSOBuilderxxxx.log: traces of Enterprise SSO Studio.
   - TokenManagerxxxx.log: traces of the Token Manager software module.
Appendix C: Retrieving the Serial Number on a MiFARE RFID Badge
Subject
This section explains how to retrieve the serial number of an RFID badge from a specific memory block of the badge, in sector 1.
On MiFARE badges, a sector is a set of 4 blocks, each block containing 16 bytes. Reading the serial number from sector 1 means reading the serial number from block 4.
Description
To locate the serial number in the block of data, a given number of Most Significant Bytes or MSB (the left part of the block) and a given number of Least Significant Bytes or LSB (the right part of the block) are ignored. The remaining middle set of bytes is then written in ASCII to build the serial number. All leading 0s are removed.
Example
IF... / THEN...
- the block of data contains 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F (MSB on the left, LSB on the right) AND the MSB is 6 AND the LSB is 5: only 7 bytes are used to build the serial number. The serial number value is then 60708090A.
- no block number is set: the default serial number (extracted from the UID of the badge) is used.
- a valid block number is set and an error occurs: no serial number is returned: the badge is ignored.
Before Starting
- Configuration parameters define how the serial number must be extracted from a MiFARE RFID badge.
- All configuration parameters are stored in the Windows registry.
C.1 Parameters
Description
The parameters can be defined as a GPO. In this case, they are located in the following registry key:
HKEY_LOCAL_MACHINE\Software\Policies\Enatel\WiseGuard\FrameWork\PCSC
If parameters are defined locally on the workstation, they are located in:
HKEY_LOCAL_MACHINE\Software\Enatel\WiseGuard\FrameWork\PCSC
A GPO-defined configuration parameter overrules a local parameter.
The following registry values can be defined in the above GPO or local keys.

NAME (TYPE): DESCRIPTION
MiFAREBlockNumber (REG_DWORD): Mandatory. The block number to read.
    Values: 0 … 15
MiFAREBlockKey (REG_SZ): The encrypted value of the key used to read the data block. Once decrypted, the key must contain 12 hexadecimal digits.
    Default key value: FFFFFFFFFFFF
MiFAREBlockMask (REG_SZ): The mask applied to ignore invalid badges. Must contain 32 hexadecimal digits.
    Default (no mask): FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
MiFAREIgnoreMSB (REG_DWORD): The number of MSB (left) bytes to ignore when extracting the serial number from the block of data.
    Values: 0 … 15
    Default: 6
MiFAREIgnoreLSB (REG_DWORD): The number of LSB (right) bytes to ignore when extracting the serial number from the block of data.
    Values: 0 … 15
    Default: 5
Conditions
IF... / THEN...
- the MiFAREBlockNumber registry value is not set or set to 0xFFFFFFFF: the default serial number extracted from the UID of the badge is used.
- the MiFAREBlockNumber is set to a valid value between 0 and 15 inclusive and an error occurs, such as a wrong key or configuration: no serial number is returned: the badge is ignored.
Set the MiFAREBlockNumber to a block number, not a sector number.
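As an added example that is not part of this guide or of the MiFAREConfig tool, the following C code applies the extraction rules of this appendix to a block of data and the Conditions table to the block-number configuration. The function names, the UID fallback string, treating block numbers above 15 like a read error, and keeping a single "0" when every remaining digit is zero are assumptions. With a 16-byte block, ignoring 6 MSB and 5 LSB leaves 5 bytes (06 07 08 09 0A), which hex-encode to 060708090A and, once the leading zero is removed, give the documented serial number 60708090A; mifare_example_serial reproduces exactly that case, with block 4 (sector 1) configured. The mask comparison is not modelled, since the guide does not specify how the mask is evaluated.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIFARE_BLOCK_SIZE   16
#define MIFARE_BLOCK_UNSET  0xFFFFFFFFu          /* MiFAREBlockNumber absent or 0xFFFFFFFF */
#define MIFARE_SERIAL_MAX   (2 * MIFARE_BLOCK_SIZE + 1)

typedef enum {
    SERIAL_FROM_BLOCK = 0,   /* extracted from the configured block */
    SERIAL_FROM_UID   = 1,   /* no block configured: default serial from the badge UID */
    SERIAL_NONE       = 2    /* block configured but the read failed: badge ignored */
} serial_source;

/* Hex-encode the bytes of a 16-byte block that remain after dropping ignore_msb
   leading (MiFAREIgnoreMSB) and ignore_lsb trailing (MiFAREIgnoreLSB) bytes, then
   strip leading zeros. Returns the serial length, or -1 if nothing would remain. */
int mifare_serial_from_block(const uint8_t block[MIFARE_BLOCK_SIZE],
                             unsigned ignore_msb, unsigned ignore_lsb,
                             char out[MIFARE_SERIAL_MAX])
{
    if (ignore_msb > 15 || ignore_lsb > 15 ||
        ignore_msb + ignore_lsb >= MIFARE_BLOCK_SIZE)
        return -1;
    unsigned nbytes = MIFARE_BLOCK_SIZE - ignore_msb - ignore_lsb;
    char hex[MIFARE_SERIAL_MAX];
    for (unsigned i = 0; i < nbytes; i++)
        snprintf(hex + 2 * i, 3, "%02X", (unsigned)block[ignore_msb + i]);
    /* "All leading 0 are removed"; an all-zero field keeps one "0" (assumption). */
    const char *p = hex;
    while (*p == '0' && p[1] != '\0')
        p++;
    strcpy(out, p);
    return (int)strlen(out);
}

/* Apply the Conditions table of C.1. block_read_ok is 0 when the reader reported
   an error (wrong key, configuration...); uid_serial is the badge-UID fallback. */
serial_source mifare_resolve_serial(uint32_t block_number, int block_read_ok,
                                    const uint8_t block[MIFARE_BLOCK_SIZE],
                                    unsigned ignore_msb, unsigned ignore_lsb,
                                    const char *uid_serial,
                                    char out[MIFARE_SERIAL_MAX])
{
    if (block_number == MIFARE_BLOCK_UNSET) {
        snprintf(out, MIFARE_SERIAL_MAX, "%s", uid_serial);
        return SERIAL_FROM_UID;
    }
    /* Block numbers above 15 are treated like a read error (assumption). */
    if (block_number > 15 || !block_read_ok ||
        mifare_serial_from_block(block, ignore_msb, ignore_lsb, out) < 0) {
        out[0] = '\0';
        return SERIAL_NONE;
    }
    return SERIAL_FROM_BLOCK;
}

/* Worked example of the appendix: block 00..0F read from block 4, MSB 6, LSB 5. */
const char *mifare_example_serial(void)
{
    static char serial[MIFARE_SERIAL_MAX];
    uint8_t block[MIFARE_BLOCK_SIZE];               /* constructed sample block */
    for (unsigned i = 0; i < MIFARE_BLOCK_SIZE; i++) block[i] = (uint8_t)i;
    mifare_resolve_serial(4, 1, block, 6, 5, "UID", serial);
    return serial;                                  /* "60708090A" */
}

/* Same configuration, but the block could not be read: the badge is ignored. */
serial_source mifare_example_read_error(void)
{
    char serial[MIFARE_SERIAL_MAX];
    uint8_t block[MIFARE_BLOCK_SIZE] = {0};
    return mifare_resolve_serial(4, 0, block, 6, 5, "UID", serial);
}

/* No block configured: the UID-derived serial number is used. */
serial_source mifare_example_uid_fallback(void)
{
    char serial[MIFARE_SERIAL_MAX];
    return mifare_resolve_serial(MIFARE_BLOCK_UNSET, 1, NULL, 6, 5, "04A1B2C3", serial);
}
```

Because MiFAREIgnoreMSB and MiFAREIgnoreLSB are both bounded to 0 … 15, the only combinations that leave no byte at all are those whose sum reaches 16; the code rejects them instead of returning an empty serial number, so a misconfiguration shows up as an ignored badge rather than as a zero-length identifier that every badge would share.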
C.2 Configuring the MiFARE RFID Parameters
Description
A specific tool is delivered to set all required MiFARE RFID configuration parameters. The configuration tool also handles the encryption of the authentication key, which is encrypted using AES-256 and a hard-coded secret.
Procedure
1. Start the configuration tool by executing the MiFAREConfig.exe file.
   The following window appears:
2. Provide the following information:
   - Block Number. Do not provide a sector number.
   - Authentication Key. Default value: FFFFFFFFFFFF.
   - Block Mask. Use:
     o FF to match all byte values.
     o 00 to ignore a byte.
   - Number of MSB (left) bytes to ignore.
   - Number of LSB (right) bytes to ignore.
   If an RFID reader is already connected, go to step 5.
3. Connect the RFID reader and click the Refresh button to update the list of readers.
4. Select the RFID reader where a MiFARE badge can be detected.
5. Test the values by clicking the Test button.
   IF... / THEN...
   - all parameters are correct: the contents of the selected block and the extracted serial number are displayed.
   - the authentication key does not grant access to the selected block: an explicit error message is displayed under the Block contents field.
   - the authentication key is correct and the contents of the selected block do not match the provided mask: the serial number is shown but an error message indicates the mismatch.
6. Once all parameters are correct, click the Save and Exit button to save all parameters in the Windows Registry of the workstation.
   Deploy these values on other workstations using GPO.
The MiFARE RFID parameters have been configured.
C.3 Resetting the MiFARE RFID Parameters
Procedure
1. Execute the MiFAREConfig.exe file.
2. Set the Block Number to -1.
3. Click the Save and Exit button.
The MiFARE RFID parameters have been reset.
About Quest Software, Inc.
Established in 1987, Quest Software (Nasdaq: QSFT) provides simple and innovative IT management
solutions that enable more than 100,000 global customers to save time and money across physical and virtual
environments. Quest products solve complex IT challenges ranging from database management, data
protection, identity and access management, monitoring, user workspace management to Windows
management. For more information, visit www.quest.com.
Contacting Quest Software
Email
[email protected]
Mail
Quest Software, Inc.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
USA
Web site
www.quest.com
Refer to our Web site for regional and international office information.
Contacting Quest Support
Quest Support is available to customers who have a trial version of a Quest product or who have purchased a
Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to our
Support Portal at www.quest.com/support
From our Support Portal, you can do the following:
- Retrieve thousands of solutions from our online Knowledge Base
- Download the latest releases and service packs
- Create, update and review Support cases
View the Global Support Guide for a detailed explanation of support programs, online services, contact information, policies and procedures. The guide is available at: www.quest.com/support.