10.07.2015

DigitalPersona Pro for Active Directory: Administrator Guide


Administrator Guide
DigitalPersona® Pro for Active Directory, Version 4.4


Table of Contents

Part One: Overview
1 Introduction 2
    Chapter Overview 3
    Conventions 6
    Recommended Skill Set 8
    Support Resources 9
    Your Feedback is Requested 9
2 Key Concepts & Terminology 10
    Concepts 10
    Terminology 16
3 Product Overview 21
    DigitalPersona Pro for Active Directory 21
    Product Components and Modules 22
    DigitalPersona Pro Server 23
    DigitalPersona Pro Workstation 24
    DigitalPersona Pro Kiosk 25
    DigitalPersona Pro Kiosk for ID Server 27
    Fingerprint Readers 28
    Administration Tools 29
    Extended Server Policy Module 30
    Pro ID Server Add-on Module 30
    System Requirements 31
    Product Compatibility 32
    Related Products 34

Part Two: Deployment & Installation
4 Deploying Pro Server 36
    Deployment Overview 36
    Upgrading from Previous Versions 36
    Install DigitalPersona Pro Server 42
    Install the Administrative Templates 43
    Install Templates to Active Directory 46
    Server Template 46
    For Windows 2000 and 2003 46
    Workstation and Kiosk Templates 47
    Configuring DigitalPersona Pro Server for Pro Kiosk 50
    Configuration Steps 50
    Configuring DigitalPersona Pro Server GPO Settings 51
    Changes Made During Installation 55
    DNS Registration 57
    Uninstalling DigitalPersona Pro Server 59
5 Installing Pro Workstation 61


Table of Contents (continued)
    Creating Fingerprint Logons 197
    DigitalPersona Pro Workstation Properties 201
    Deleting Enrolled Fingerprints 203
    Changing Your Windows Password 204
    Fingerprint Reader Usage and Maintenance 205
12 DigitalPersona Pro Kiosk 206
    Overview 206
    Identification List 207
    How Pro Kiosk Works 208
    Comparing Pro Workstation and Pro Kiosk 210
    Using One Touch SignOn with Pro Kiosk 211
    Logging On to Windows 212
    Using One Touch Logon 212
    Logging on to Windows without Kiosk 213
    Automatic logon using the Shared Kiosk Account 214
    Using One Touch Unlock 214
    Changing Your Password 215
    User Account Control 215
    Logging On to Password-Protected Programs 216
    Using Fingerprint Logons for Programs 216
    Adding Account Data 217
    Changing Account Data 218
    Removing Account Data 218
    Switching Users on Pro Kiosk Computers 219
    Fingerprint Reader Icon and Menu 219
    Fingerprint Reader Status 219
    Fingerprint Reader Icon Context Menu 219
    Using the Start Menu 220

Part Five: Appendices
13 Planning & Deployment 223
    Overview 223
    Planning 225
    Deployment 233
    Deployment Plan Checklist 237
14 Use and Maintenance Guide for Optical Fingerprint Readers 239
    Using the Fingerprint Reader 239
    Cleaning the Fingerprint Reader 240
15 Use and Maintenance Guide for Swipe Readers 241
    Using the Fingerprint Reader 241
    Cleaning the Fingerprint Reader 242
16 DigitalPersona Pro Settings 243
17 Troubleshooting 248
    Reader Troubleshooting 248
    One Touch Logon Troubleshooting 252
    One Touch Internet and OTS Troubleshooting 253
    Miscellaneous Troubleshooting 254


    Additional Troubleshooting 255
18 Customizing Pro Workstation 256
    One Touch Menu Content 256
    Quick Actions 257
19 Installing High Encryption 259
20 Regulatory Information 260
21 DigitalPersona Pro ID Server 262
    System Requirements 262
    Pro Workstation 263
    Pro Kiosk 263
    Pro Kiosk for ID Server 263
    Installation 264
    Configuration 264
22 Pro Kiosk Unlock Scripting 266
    Overview 266
    Interface methods 267
23 Fingerprint Logon Retraining 269
    Overview 269
24 Index 271


Part One: Overview

Part One of the DigitalPersona Pro for Active Directory Administrator Guide includes the following chapters:

Chapter 1 - Introduction (page 2): Provides an overview of each chapter in the Administrator Guide and other information that will help make your use of the guide more effective.

Chapter 2 - Key Concepts & Terminology (page 10): Defines and describes important concepts and terms that you need to be familiar with to understand the features and functions of DigitalPersona Pro.

Chapter 3 - Product Overview (page 21): Describes each component of DigitalPersona Pro.


Chapter 1 - Introduction

The DigitalPersona® Pro for Active Directory Administrator Guide is your comprehensive resource for information about DigitalPersona Pro for Active Directory.

The guide includes a Product Overview which describes the features and functionality of each component, an explanation of Key Concepts and Terminology, specific chapters on the Installation, Configuration and Administration of DigitalPersona Pro Server, as well as a complete guide to the features of DigitalPersona Pro Workstation and Kiosk.

Appendices include a Planning & Deployment Guide, List of policies and settings, Troubleshooting section, instructions for customizing Workstation through Registry settings and instructions on installing High Encryption on Windows 2000 computers.

See the next page for a complete chapter summary.

The purpose of this chapter is to:
• Give a brief overview of the chapters in the guide.
• Explain the text, naming and other conventions used in the guide.
• Describe the recommended skill set for users of the guide.
• Let you know what additional resources are available for support.
• Provide a means for you to give us feedback on any aspect of our products, services or documentation.


Chapter Overview

Part One of the Administrator Guide includes this chapter, the Key Concepts and Terminology and Product Overview chapters.

The purpose of this section is to provide information that will assist you in understanding the DigitalPersona Pro for Active Directory product and components, and establishing the conceptual framework for the remainder of the guide.

Chapter 1, Introduction, is described on the previous page.

Chapter 2, Key Concepts & Terminology, defines terms and concepts used in the guide, including an overview of Active Directory and the DigitalPersona Pro authentication process.

Chapter 3, Product Overview, describes DigitalPersona Pro for Active Directory Server, Workstation and Kiosk software, hardware components, system requirements and compatibility with previous versions and related products.

Part Two includes chapters on the deployment of DigitalPersona Pro for Active Directory Server, Pro Workstation and Pro Kiosk.

Chapter 4, Deploying DigitalPersona Pro Server, consists of detailed instructions for deploying (and uninstalling) DigitalPersona Pro Server, including configuration of Pro Server for the Kiosk environment.

Chapter 5, Installing DigitalPersona Pro Workstation, contains detailed instructions for installing (and uninstalling) DigitalPersona Pro Workstation.

Chapter 6, Installing DigitalPersona Pro Kiosk, contains detailed instructions for installing (and uninstalling) DigitalPersona Pro Kiosk.

Part Three, Administration, describes the configuration and administration of DigitalPersona Pro for Active Directory, including the policies, settings and properties used to tailor system behavior to meet the needs of your organization as well as descriptions of the events generated by the system.

Chapter 7, Configuring Policies and Settings, explains each policy and setting available as part of DigitalPersona Pro for Active Directory and implemented through the use of Active Directory administration tools for domain-wide administration and the Microsoft Management Console for local administration.


Chapter 8, User Properties, describes the user settings available through the User Properties Snap-in and the extended settings available through the Extended Server Policy Module.

Chapter 9, Administration Tools, provides instructions for using each of the standalone administration tools that can be used to provide centralized or decentralized administration of DigitalPersona Pro for Active Directory. Some of the available tools are: License Control Manager, Attended Fingerprint Enrollment Tool, One Touch SignOn Administration Tool, User Query Tool and the CleanUp Wizard.

Chapter 10, DigitalPersona Pro Events, lists and describes the events generated by DigitalPersona Pro for Active Directory, which can be viewed through the Windows Event Viewer.

Part Four, DigitalPersona Pro Clients, describes the features and functionality of the DigitalPersona Pro Workstation and Kiosk clients from the administrator's perspective.

Chapter 11, DigitalPersona Pro Workstation, describes and explains the features of DigitalPersona Pro Workstation for the administrator.

Chapter 12, DigitalPersona Pro Kiosk, describes and explains the features of DigitalPersona Pro Kiosk for the administrator.

Part Five, Appendices, provides additional information about DigitalPersona Pro for Active Directory.

Chapter 13, Planning & Deployment, provides design guidelines, assists you in selecting and planning a deployment scenario and provides tools to help you create and execute a successful Pro deployment plan.

Chapter 14, Use and Maintenance Guide for Optical Fingerprint Readers, provides guidelines for the use and maintenance of optical fingerprint readers.

Chapter 15, Use and Maintenance Guide for Swipe Fingerprint Readers, provides guidelines for the use and maintenance of swipe fingerprint readers.

Chapter 16, DigitalPersona Pro Settings, provides a complete alphabetical list of all DigitalPersona Pro policies and settings with references to their Active Directory location and the page number where they are described.


Chapter 17, Troubleshooting, provides solutions to situations where DigitalPersona Pro for Active Directory software or hardware may be acting in an unexpected manner.

Chapter 18, Customizing Pro Workstation, describes how to configure One Touch Menu content and Quick Actions behavior through the Windows Registry. These settings can then be pushed to all DigitalPersona Pro for Active Directory Workstations.

Chapter 19, Installing High Encryption, describes how to install 128-bit high encryption for an installation of Windows 2000 that does not have the latest patches.

Chapter 20, Regulatory Information, provides information about this product required by various federal or national agencies.

Chapter 21, DigitalPersona Pro ID Server, describes the installation and use of the DigitalPersona Pro ID Server Add-on module.

Chapter 22, Pro Kiosk Unlock Scripting, describes the use of Pro Kiosk Unlock Scripting.


Conventions

Naming Conventions

In order to make this guide easier and quicker to read, the following naming conventions are used to describe the DigitalPersona Pro for Active Directory Server and Workstation software and hardware:
• DigitalPersona Pro Server, Pro Server and Server sometimes replace the full product name, DigitalPersona Pro Server for Active Directory. In this guide, these terms always refer to the Active Directory version, and not to any other version of DigitalPersona Pro Server software.
• DigitalPersona Pro Workstation, Pro Workstation and Workstation are sometimes used instead of the full name, DigitalPersona Pro Workstation for Active Directory. They always refer to the Active Directory version of DigitalPersona Pro Workstation when used in this guide.
• DigitalPersona Pro Kiosk, Pro Kiosk and Kiosk are sometimes used instead of the full name, DigitalPersona Pro Kiosk for Active Directory. They always refer to the Active Directory version of DigitalPersona Pro Kiosk when used in this guide.
• Reader or Fingerprint Reader, used in either upper or lower case, refers to the DigitalPersona U.are.U Reader and third-party swipe readers, unless otherwise specified in the context.

Notation Conventions

The following notation conventions are used in this guide to call attention to information of special importance:

Note
A note highlights information that may help you better understand the text and its concepts.

Warning
A warning advises you that failure to take or avoid a specific action could result in your inability to complete the required tasks or cause undesirable results.


Typographic Conventions

This guide uses the following typographic conventions:
• Courier indicates text that is typed by the user.
  Example: "Type http://www.digitalpersona.com/ in the Address text box."
  You would only type "http://www.digitalpersona.com/" and would not type any surrounding text.
• Text in Courier bold and surrounded by brackets [ ] indicates information that is always supplied by you and will vary depending on a particular circumstance.
  Example: "Type http://[your company Web site URL]/ in the Address text box."
  You would type "http://", then type your company Web site URL (not the words "[your company Web site URL]") and then "/".
  Courier bold is also used to display information that is dynamically generated by DigitalPersona Pro.


Recommended Skill Set

To fully and effectively utilize the information contained in this guide, we recommend that you possess the minimum skills and knowledge defined below.

Domain Administrators
If you will be administering DigitalPersona Pro Server for one or more domains, you should have knowledge of and experience with the Windows 2000, 2003 or 2008 Server operating system and its administrative tools. Specifically, you should have working knowledge of key Active Directory concepts and objects including group policy objects, containers, sites, domains and organizational units, and be able to use the standard Active Directory administration tools such as the Active Directory Users and Computers console and the Group Policy Editor.

Local Administrators
If you are administering DigitalPersona Pro Workstation on a local computer, you should understand how to use the Microsoft Management Console (MMC) to manage computer properties.

Workstation End Users
End users of DigitalPersona Pro for Active Directory Workstation should possess basic computer and network operation skills, such as logging on to a computer and using the taskbar, shortcut menus and a Web browser.


Chapter 2 - Key Concepts & Terminology

In order to fully understand and implement the features of DigitalPersona Pro for Active Directory, you will need to be familiar with the terms and concepts covered in this chapter.

If you consider yourself knowledgeable about Active Directory, you may want to skip the rest of this page and continue with reading about DigitalPersona Pro terminology on page 16.

Concepts

Active Directory

Active Directory is a proprietary directory service that has been included with Microsoft Windows servers since the release of Windows 2000 Server.

A directory service is a software application that stores and organizes information about a computer network's users and resources, such as computers, printers and network shares. It enables network administrators to manage users' access to those resources.

The design, implementation and configuration of Active Directory can be a complex task, even for a small to medium-sized organization, and is beyond the scope of this topic. Assuming that Active Directory is set up and working correctly for your organization's current needs, this topic will provide the information that you need in order to utilize a working Active Directory to administer DigitalPersona Pro.

DigitalPersona Pro for Active Directory utilizes the Active Directory service for administration of policies and settings that determine the functionality and features implemented in your organization.

Through Active Directory you can assign enterprise-wide policies and settings to computers in your network as well as locate and administer objects, users and resources across the network.

Active Directory is structured as a hierarchy of objects and containers laid out in a tree format. In the Users and Computers Snap-in (Figure 2-1), which is one of the visual tools that can be used to create and administer objects, the hierarchy looks much the same as the folder structure in Windows Explorer.


Figure 2-1. Users and Computers Snap-in

Administrative Templates & Snap-ins

DigitalPersona Pro for Active Directory integrates with Active Directory through the use of the following Administrative Templates and Snap-ins.

Template/Snap-in: DigitalPersonaProSvr (page 43)
This Administrative Template provides settings for DigitalPersona Pro Server when applied to GPOs governing Domain Controllers running DigitalPersona Pro Server.

Template/Snap-in: DigitalPersonaProWksta (page 43)
This Administrative Template provides settings for DigitalPersona Pro Workstations when applied to GPOs governing computers running DigitalPersona Pro Workstation. It can also be applied to a local policy object for a standalone configuration of DigitalPersona Pro Workstation.


Template/Snap-in: DigitalPersonaProWkstaKiosk (page 43)
This Administrative Template provides settings for either of the DigitalPersona Pro Kiosk clients when applied to GPOs governing computers running DigitalPersona Pro Kiosk, or DigitalPersona Kiosk for ID Server.

Template/Snap-in: DigitalPersonaProIDSvr (page 262)
(Optional, as part of the DigitalPersona Pro Add-On module.) This template should be applied to Active Directory GPOs where it can be distributed to Domain Controllers running the DigitalPersona Pro ID Server.

Template/Snap-in: User Properties Snap-in (page 102)
This Active Directory snap-in enables DigitalPersona Pro user settings.*

Template/Snap-in: Extended Server Policy Module (page 103)
This optional snap-in extends DigitalPersona Pro User Properties.*

* User Properties take precedence over GPO settings.

Group Policy

Group Policy is a feature of the Active Directory service that facilitates change and configuration management.

Group Policy settings are stored in Group Policy Objects (GPOs) in the Active Directory database. These GPOs are linked to containers, which include Active Directory sites, domains, and organizational units (OUs).

Because Group Policy is so closely integrated with Active Directory, it is important to have a basic understanding of both Active Directory structure and the security implications of different design configuration options within it before you implement Group Policy.

For information about the policies and settings that DigitalPersona Pro adds to a GPO, see "Configuring Policies and Settings" on page 80.


Organizational Units (OUs)

An OU is a container within an Active Directory domain. An OU may contain users, groups, computers, and other OUs, which are known as child OUs. You can link a GPO to an OU, and the GPO settings will be applied to the users and computers that are contained within that OU and its child OUs. To facilitate administration you can delegate administrative authority to each OU. OUs provide an easy way to group users, computers, and other security principals, and they also provide an effective way to segment administrative boundaries. Users and computers are generally assigned to separate OUs, because some settings only apply to users and other settings only apply to computers.

One of the primary goals of an OU structure design for any environment is to provide a foundation for a seamless Group Policy implementation that applies to all workstations in Active Directory and ensures that they meet the security standards of your organization.

The OU structure must also be designed to provide adequate security settings for specific types of users in an organization. For example, developers may need some permissions that average users do not need to have. Also, laptop users may have slightly different security requirements than desktop users.

The figure on the right shows a basic OU structure for illustration of the concept only, and is not a recommendation to create your OU structure in the same way. Your OU structure must be defined by the specific organizational requirements of your environment.

Pro Biometric Authentication Process


DigitalPersona Pro's biometric authentication process validates the identity of a user through a scan of their fingerprint, which can also be used in combination with their password or a smart card for multi-factor authentication.

This biometric authentication process is used by DigitalPersona Pro Workstation in an enterprise deployment with DigitalPersona Pro Servers.

Prior to authentication:
1 A user enrolls their fingerprint(s), creating an enrollment template that is stored on the local workstation and also sent securely to the Pro Server.
2 Pro Workstation captures user data (such as user account or logon information), called "secrets", and sends them securely to Pro Server for storage in Active Directory.
  By default, it also caches these secrets locally on the Workstation, so that they are available if the Server cannot be reached. Caching can be disabled by the administrator through a setting in the DigitalPersona Pro Active Directory Administrative Template.

The authentication process is initiated when a Pro application (such as Pro Workstation) prompts the user to verify their identity by providing their fingerprint. This may be in order to log on to Windows using One Touch Logon, or to log on to a program or Web site using One Touch SignOn or One Touch Internet.

The authentication process is as follows:
1 The user touches the fingerprint reader with an enrolled finger.
2 The fingerprint is scanned and processed at the workstation, creating a verification template.
3 The verification template is compared to the enrollment template cached on the local workstation and then sent to the Pro Server for confirmation of the user's identity.
4 Pro Server compares the verification template to the enrollment template in the user record in Active Directory. If the verification template matches the enrollment template, Pro Server authenticates the user and sends the "secret" requested by the application securely to the Workstation.


5 The Pro application receives the secret and then uses the information as needed, typically to log the user on to their Windows account, a program or Web site.

Note
When a Pro Server is unavailable, such as when a laptop is disconnected from the network, the required secret is retrieved from the local cache on the Workstation. If a Pro Server is unavailable and local caching has been disabled by the administrator, authentication is not possible.

This authentication process can be modified by the administrator using settings in the DigitalPersona Pro Administrative Templates (see "Configuring Policies and Settings" on page 80).


Terminology

Authentication
User authentication is the process of verifying a user's identity by validating one or more credentials provided by the user. Examples of credentials are passwords, smart cards and biometrics.

Biometric authentication is the process of comparing a user's previously created "enrollment template" with a "verification template" created from a fingerprint scan of the user at the time of authentication. See also "Fingerprint Enrollment" and "Verification Template" below, as well as "Pro Biometric Authentication Process" on page 13.

Credentials
Credentials are a set of information used to gain access to your Windows account or to a password-protected Web site or program. Windows credentials can include a combination of a user name, password, fingerprint, fingerprint PIN, or smart card. Web site and program credentials usually include a combination of fingerprint and password, but can sometimes require additional information.

Dynamic DNS
Dynamic DNS defines a protocol for dynamically updating a DNS server with new or changed values. DigitalPersona Pro Server uses Dynamic DNS to publish its own location records, so that Pro Workstations and Kiosks can find an available server knowing only the domain name (see "Service Resource Records (SRV RR)" below and "DNS Registration" on page 57).

Fingerprints
Fingerprints provided through supported fingerprint readers are transformed into highly compressed and digitally encoded representations of fingerprint features called a fingerprint template. These fingerprint templates are created whenever a user places a finger on the reader (when logging on, for example), and are encoded with a one-way algorithm that cannot be reversed to recreate the scan of that fingerprint. The actual fingerprint scans are never stored, but are discarded after the template is created.


Fingerprint Identification
Fingerprint identification is the process of identifying a user out of a set of users by fingerprint alone. It is performed with only a fingerprint, and not a user name, by matching the verification template against all enrollment templates in the set of users (a one-to-many match).

Fingerprint PINs
The administrator may require that users type a short sequence of characters, known as a fingerprint PIN, each time they use a fingerprint to log on, unlock the computer, or change their Windows password. This provides an additional level of security. Logon settings are managed by your administrator.

Fingerprint Enrollment
Fingerprint enrollment is the process that begins with a DigitalPersona Pro user providing one or more fingers to be scanned using a supported fingerprint reader. Once the finger is successfully scanned four times, the system transforms the result into a highly compressed, digitally encoded representation of fingerprint features called an enrollment template.

This enrollment template is then stored in DigitalPersona Pro Server's user database for future use during authentication and identification, or on the local workstation if DigitalPersona Pro Server has not been deployed.

A fingerprint for which an enrollment template was created is referred to as an enrolled fingerprint.

Fingerprint Template
See "Fingerprints".

Fingerprint Verification
Fingerprint verification is the process of verifying that the template derived from the fingerprint scan during the authentication process (the verification template) and the original enrollment template are from the same finger (a one-to-one match). The verification template is deleted immediately after its use in the matching process.


Fingerprint Verification Lockout
Fingerprint verification lockout occurs when a user attempts to verify their identity with their fingerprint and a successful match is not made within a specified number of attempts. The user is unable to use their fingerprint for verification until the lockout is released.

The number of failed attempts allowed, how long the user is locked out, and the interval after which the count of failed attempts is reset are configurable by the administrator. See "Fingerprint Verification Lockout" on page 89 for details.

The lockout can also be manually released by an administrator from the DigitalPersona Pro tab of the Properties dialog for the user in the Active Directory Users and Computers console.

Kiosk
A kiosk is a computer, or group of computers, that can be used by designated persons sharing a single Windows user account and its associated programs. A single kiosk may be as large as the entire domain, or restricted to specific groups of computers, or even a single computer. DigitalPersona Pro Kiosk or Pro Kiosk for ID Server must be installed on each computer that is part of the kiosk.

By default, a kiosk is available to all domain users, but it can be restricted to security groups defined in Active Directory.

Each user of the kiosk can quickly and easily log on to Windows, programs and Web sites using the minimum credentials (such as fingerprints) specified by the organization.

See "DigitalPersona Pro Kiosk" on page 206.

Kiosk Computer
A kiosk computer has DigitalPersona Pro Kiosk installed and is a member of a specific kiosk, designated by the OU to which the computer belongs.

Kiosk Identification List
The identification list is a file used by the standard editions of DigitalPersona Pro Kiosk up to and including version 4.4. It has a kiosk OU-based name and a predefined location, and contains the list of recent users authenticated on the kiosk computers. This file is located on the hard drive of the server and is replicated by file replication services to other domain controllers.

Kiosk User
A kiosk user is a user in Active Directory who is allowed to be in the identification list because of extended rights granted by the administrator. An active kiosk user is a kiosk user who has been added to the identification list after a successful authentication.

One Touch Internet
One Touch Internet (OTI) provides the ability for the end user to create Fingerprint Logons that can be used to log on to Web sites by touching a supported fingerprint reader.

One Touch Logon
One Touch Logon provides the ability to log on to your Windows account by simply touching a supported fingerprint reader.

One Touch Unlock
One Touch Unlock provides the ability to lock or unlock Windows by touching a supported fingerprint reader.

One Touch SignOn
One Touch SignOn (OTS) simplifies and secures access to your Windows account, password-protected software programs and Web sites. Users just touch the reader to automatically and securely provide data for logon fields, such as user name and password, on any Web site or program logon screen. (Requires Internet Explorer 6 or above, or Firefox 3.0; see "System Requirements" on page 31.)

Administrators use the One Touch SignOn Administration Tool to create templates specifying information for the logon screens, and can use application policy settings in the GPO to deploy the One Touch SignOn templates to end users.
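The lockout described under "Fingerprint Verification Lockout" above has three administrator-set values. The following is an added example, not code from this guide or from DigitalPersona: a small Python policy engine that replays a sequence of fingerprint attempts and reports, per attempt, whether the user is still allowed to verify by fingerprint. It assumes the usual account-lockout shape (a failure threshold, a lockout duration, and a window after which the failed-attempt counter resets) plus an administrator release action; the product's actual setting names and semantics are those documented in "Fingerprint Verification Lockout" on page 89, not these. The sample attempt log is constructed.

```python
"""Replay fingerprint verification attempts against a lockout policy.

Added example (not DigitalPersona code). The three policy fields are an
assumption modelled on the three values the guide says are configurable;
the product's real setting names live in its Administrative Templates.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int               # failed matches allowed before lockout
    lockout_duration: timedelta  # how long fingerprint verification is refused
    reset_window: timedelta      # idle time after which the failure count resets


@dataclass
class UserState:
    failures: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class LockoutTracker:
    """Tracks failed fingerprint matches per user and applies the policy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._users: Dict[str, UserState] = {}

    def _state(self, user: str) -> UserState:
        return self._users.setdefault(user, UserState())

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state(user)
        return st.locked_until is not None and now < st.locked_until

    def record_attempt(self, user: str, matched: bool, now: datetime) -> str:
        """Apply one attempt; returns 'refused', 'ok', 'failed' or 'locked_out'.

        While locked, the attempt is refused before any matching happens, so
        even a correct finger cannot log on until the lockout expires or an
        administrator releases it.
        """
        st = self._state(user)
        if self.is_locked(user, now):
            return "refused"
        if st.locked_until is not None:
            # lockout has expired: start from a clean slate
            self._users[user] = st = UserState()
        if matched:
            st.failures, st.last_failure = 0, None
            return "ok"
        # failure: forget earlier failures once the reset window has passed
        if st.last_failure is not None and now - st.last_failure > self.policy.reset_window:
            st.failures = 0
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.policy.threshold:
            st.locked_until = now + self.policy.lockout_duration
            return "locked_out"
        return "failed"

    def release(self, user: str) -> None:
        """Manual release, the equivalent of the administrator action on the
        DigitalPersona tab of the user's Properties dialog in ADUC."""
        self._users.pop(user, None)


def replay(policy: LockoutPolicy, attempts: List[Tuple[str, datetime, bool]]) -> List[str]:
    """Feed (user, time, matched) tuples through one tracker; return the verdicts."""
    tracker = LockoutTracker(policy)
    return [tracker.record_attempt(user, matched, when) for user, when, matched in attempts]


# Constructed sample: 3 failures allowed, 15 minute lockout, counter resets after 5 idle minutes.
POLICY = LockoutPolicy(3, timedelta(minutes=15), timedelta(minutes=5))
T0 = datetime(2015, 7, 10, 9, 0, 0)
SAMPLE_ATTEMPTS = [
    ("alice", T0, False),
    ("alice", T0 + timedelta(minutes=1), False),
    ("alice", T0 + timedelta(minutes=2), False),   # third failure: locked out for 15 minutes
    ("alice", T0 + timedelta(minutes=3), True),    # correct finger, still refused
    ("alice", T0 + timedelta(minutes=18), True),   # lockout expired: ok
    ("bob", T0, False),
    ("bob", T0 + timedelta(minutes=1), False),
    ("bob", T0 + timedelta(minutes=10), False),    # 9 idle minutes > window: count restarts at 1
]

if __name__ == "__main__":
    for (user, when, _), verdict in zip(SAMPLE_ATTEMPTS, replay(POLICY, SAMPLE_ATTEMPTS)):
        print(f"{when:%H:%M} {user:6} {verdict}")
```

The two users in the sample show the two edges worth checking in any lockout implementation: a correct fingerprint presented during the lockout is refused without being matched at all, and failures spaced further apart than the reset window never accumulate to a lockout.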


Quick Actions
Quick Actions, which combine the Shift or Control key with a touch of the fingerprint reader to access DigitalPersona Pro features, can be created by end users in the DigitalPersona Workstation Properties dialog.

Secret
A DigitalPersona Pro secret is application-specific user data that is stored securely in Active Directory by the DigitalPersona Pro Server, or locally by the local authentication server on the workstation. The secret is released to the application upon successful authentication or identification of the user, and is used to log on to programs and Web sites for which logon templates have been created.

Service Resource Records (SRV RR)
Active Directory servers publish their addresses so that clients can find them knowing only the domain name. Active Directory servers are published via Service Resource Records (SRV RRs) in DNS. The SRV RR is a DNS record used to map the name of a service to the address of a server offering that service. The name of an SRV RR has the form:

_<Service>._<Proto>.<Name>

Active Directory servers offer the LDAP service over the TCP protocol with published names in the form:

_ldap._tcp.<DnsDomainName>

For example, the SRV RR for "Microsoft.com" is "_ldap._tcp.Microsoft.com". Additional information in the SRV RR indicates the priority and weight of the server, allowing clients to choose the best server for their needs.

When an Active Directory server is installed, it publishes itself via Dynamic DNS. Since TCP/IP addresses are subject to change over time, servers periodically check their registrations to make sure they are correct, updating them if necessary.

Verification Template
A verification template is created from a fingerprint scan whenever a user places their finger on the fingerprint reader. During authentication, this template is matched against the available enrollment templates in order to verify or identify the user. At the end of the authentication process the verification template is erased.


3 Product Overview

This chapter provides an overview of DigitalPersona Pro for Active Directory, a comprehensive biometric authentication software and hardware solution, and describes the several integrated components that can be used to create a deployment that addresses your specific organizational needs.

Additionally, you will find system requirements for each of the components, information on product compatibility and a list of related products.

DigitalPersona Pro for Active Directory

DigitalPersona Pro for Active Directory combines the security of biometric authentication with the simplicity and convenience of Single Sign-On (SSO).

Pro Workstation users can conveniently log on to Windows computers, Microsoft networks, password-protected programs and Web sites by simply touching the U.are.U® Fingerprint Reader or using one of the many supported third-party readers embedded in today's popular notebook computers.

Pro Kiosk allows a designated set of Windows users to use their fingerprints to log on to Windows, unlock the computer, and log on to programs.

Pro Server provides central authentication and administration for deployed Workstations and Kiosks, scaling to over one hundred thousand users. Tightly integrated with Windows Active Directory, it can usually be deployed without the need for professional services.

Note
Workstation and Kiosk may be installed individually on computers or deployed through Active Directory GPO, SMS (Systems Management Server) or logon scripts. They cannot be installed through any ghosting or imaging technologies.


Product Components and Modules

DigitalPersona Pro for Active Directory includes the following components and modules:

Component: DigitalPersona Pro Server
Purpose: For domain-wide, centralized authentication and administration of DigitalPersona Pro Workstations and Kiosks.
Page: 23, 36, 223

Component: DigitalPersona Pro Workstation
Purpose: Client software providing single sign-on to Windows, Web sites and password-protected programs. It can also be used in a standalone installation.
Page: 24, 61, 175

Component: DigitalPersona Pro Kiosk
Purpose: Client software providing single sign-on to Windows and password-protected programs for kiosk computers using a single shared account.
Page: 25, 75, 206

Component: Fingerprint Reader
Purpose: DigitalPersona's U.are.U optical fingerprint reader. Many other third-party readers are supported.
Page: 28

Component: Administration Tools
Purpose: Various administrative tools that can be deployed for centralized or decentralized administration of Servers and Workstations.
Page: 29, 108

Component: Extended Server Policy Module
Purpose: An optional module to extend DigitalPersona Pro User Properties, available from your DigitalPersona Account Manager or product Reseller.
Page: 30, 102

Component: Pro ID Server Add-On Module
Purpose: An optional module that adds centralized identification to a Pro Server installation, available from your DigitalPersona Account Manager or product Reseller.
Page: 262


DigitalPersona Pro Server

DigitalPersona Pro for Active Directory Server provides scalable domain-wide authentication and administration of networked DigitalPersona Pro Workstations. Server software features include:

• Full integration with Active Directory administration

DigitalPersona Pro Server, installed on a Windows Server 2000, 2003 or 2008 domain controller, uses standard Active Directory administration tools for implementing and managing policies and settings which control the behavior of the workstations and can be used to customize the authentication process.

For example, using the Group Policy Editor, you can create a GPO that controls the false accept rate for fingerprint recognition, specific credential requirements for logon settings and more. When the GPO is applied to a group of Workstations, they require no additional configuration to use the DigitalPersona Pro Server for authentication.

DigitalPersona Pro also provides fault tolerance and load balancing through Active Directory's DNS locator service, automatically and transparently locating all available servers and then selecting one to be used for authentication.

For additional information on available policies and settings for DigitalPersona Pro Server, see "Configuring Policies and Settings" on page 80.

• Security architecture

DigitalPersona Pro Server builds on the trust relationship established by Windows Server 2000 and above to provide a secure infrastructure for server-client communication.

• Centralized credential and application databases

DigitalPersona Pro Server extends the Active Directory schema to enable storing DigitalPersona Pro data and replicating it throughout the network. This allows a known user to use their fingerprint on any DigitalPersona Pro Workstation that is connected to a DigitalPersona Pro Server.
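Both the "Service Resource Records (SRV RR)" entry in chapter 2 and the DNS-locator paragraph above describe the same mechanism: a client looks up the `_ldap._tcp.<DnsDomainName>` records and chooses among the returned servers by priority and weight. The following is an added example, not code from this guide or from DigitalPersona, that implements the RFC 2782 client-side selection over a constructed record set. No DNS query is made; the owner name and targets (`corp.example.com`, `dc1`, `dc2`, `dc-dr`) are made up, and the record name that Pro Server itself registers is described under "DNS Registration" on page 57 and is not reproduced here.

```python
"""Parse SRV records and order targets the way an RFC 2782 client does.

Added example (not DigitalPersona code). The records below are constructed;
nothing here talks to a DNS server.
"""
import random
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Owner name of the form _<Service>._<Proto>.<Name>, optional trailing dot.
_SRV_OWNER = re.compile(
    r"^_(?P<service>[^._]+)\._(?P<proto>tcp|udp)\.(?P<name>[^_].*?)\.?$", re.IGNORECASE
)


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_owner(owner: str) -> Tuple[str, str, str]:
    """Split '_ldap._tcp.corp.example.com.' into ('ldap', 'tcp', 'corp.example.com')."""
    m = _SRV_OWNER.match(owner)
    if m is None:
        raise ValueError(f"not an SRV owner name: {owner!r}")
    return m["service"].lower(), m["proto"].lower(), m["name"].lower()


def parse_srv_rdata(rdata: str) -> SrvRecord:
    """Parse presentation-format RDATA: 'priority weight port target'."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(f"SRV RDATA needs 4 fields, got {len(fields)}: {rdata!r}")
    priority, weight, port = (int(f) for f in fields[:3])
    if not all(0 <= v <= 65535 for v in (priority, weight, port)):
        raise ValueError(f"SRV field out of range: {rdata!r}")
    return SrvRecord(priority, weight, port, fields[3].rstrip(".").lower())


def order_targets(records: Sequence[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Return the contact order an RFC 2782 client would use.

    Lowest priority value first. Within one priority level, records are drawn
    one at a time by weighted random choice: zero-weight records are moved to
    the front, a number in [0, sum(weights)] is drawn, and the first record
    whose running weight sum reaches it is taken. A zero-weight record is thus
    picked only when the draw is 0 or nothing else is left.
    """
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        remaining = [r for r in records if r.priority == prio]
        while remaining:
            remaining.sort(key=lambda r: r.weight == 0, reverse=True)  # zero weights first, stable
            draw = rng.randint(0, sum(r.weight for r in remaining))
            running = 0
            for rec in remaining:
                running += rec.weight
                if running >= draw:
                    ordered.append(rec)
                    remaining.remove(rec)
                    break
    return ordered


def choose_server(records: Sequence[SrvRecord], rng: Optional[random.Random] = None) -> Optional[SrvRecord]:
    """The single server a client would try first, or None if there are no records."""
    ordered = order_targets(records, rng)
    return ordered[0] if ordered else None


# Constructed zone data: two equal-priority DCs and a disaster-recovery DC that is
# only contacted when both priority-0 servers are unreachable.
SAMPLE_OWNER = "_ldap._tcp.corp.example.com."
SAMPLE_RDATA = [
    "0 100 389 dc1.corp.example.com.",
    "0 100 389 dc2.corp.example.com.",
    "10 100 389 dc-dr.corp.example.com.",
]
SAMPLE_RECORDS = [parse_srv_rdata(line) for line in SAMPLE_RDATA]

if __name__ == "__main__":
    service, proto, zone = parse_srv_owner(SAMPLE_OWNER)
    print(f"{service} over {proto} for {zone}:")
    for rec in order_targets(SAMPLE_RECORDS, random.Random(2015)):
        print(f"  prio={rec.priority:<3} weight={rec.weight:<4} {rec.target}:{rec.port}")
```

To see what a real domain publishes, run `nslookup -type=SRV _ldap._tcp.<DnsDomainName>` from a domain-joined machine; Windows domain controllers also register the more specific `_ldap._tcp.dc._msdcs.<DnsDomainName>` and per-site records that the DC locator actually prefers, so the single form quoted in chapter 2 is the simplest case, not the whole picture.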


DigitalPersona Pro Workstation

DigitalPersona Pro for Active Directory Workstation provides fingerprint logon functionality for Windows computers, including the following features:

• One Touch Logon increases both security and convenience by adding biometric authentication to the Windows logon procedure. One Touch Logon replaces the standard Windows logon dialog box, allowing users to log on to Windows with a fingerprint in addition to, or as an alternative to, Windows credentials such as a password or a smart card.

One Touch Logon guides users through providing the required credentials to log on to Windows. It also allows users to quickly lock and unlock their computers using the credentials specified by the logon settings.

• One Touch SignOn simplifies and secures access to password-protected software programs and Web sites. Users just touch the reader to automatically and securely provide data for logon fields, such as user name and password, on any Web site or program logon screen. (Requires Internet Explorer 6 or above, or Firefox 3.0; see "System Requirements" on page 31.)

Administrators use the One Touch SignOn Administration Tool to create templates specifying information for the logon screens, and can use application policy settings in the GPO to deploy the One Touch SignOn templates to end users.

• One Touch Internet is an option that can be deployed to provide end users with many of the capabilities of One Touch SignOn for their personal Web accounts through an easy-to-use configuration tool.

• Remote Access - If you enable the feature, Pro Workstation can be accessed remotely through Windows Terminal Services (including Remote Desktop Connection) and through Citrix clients such as the MetaFrame Presentation Server Client and the Citrix Java Web-based client. Pro Workstation can also be run on Citrix MetaFrame Presentation Server.

For instructions on enabling or disabling this feature, see "Allow Fingerprint Data Redirection" on page 93. Additional installation steps for use of Pro Kiosk or Pro Workstation with Citrix are located in the chapters (5 and 6) describing installation of the products.


DigitalPersona Pro Kiosk

DigitalPersona Pro Kiosk for Active Directory provides fast, secure and convenient access to shared computer environments, such as healthcare, retail point of sale and manufacturing lines, where multiple users must share workstations.

In environments where many users share the same computer, fast and secure access in quick succession is important. Pro Kiosk does not require a Windows log off and log on between users. Pro Kiosk allows a designated set of Windows users to use their fingerprints to log on to Windows, unlock the computer, and log on to programs.

Users are uniquely identified by their fingerprints without requiring them to type account information to log on. Although each user provides unique credentials that can be used for logging and auditing purposes, a shared account is used to log on to Windows.

• One Touch Logon increases both security and convenience by adding biometric authentication to the Windows logon procedure. One Touch Logon replaces the standard Windows logon dialog box, allowing users to log on to Windows with a fingerprint in addition to, or as an alternative to, Windows credentials such as a password or a smart card.

One Touch Logon guides users through providing the required credentials to log on to Windows. It also allows users to quickly lock and unlock their computers using the credentials specified by the logon settings.

• One Touch SignOn simplifies and secures access to password-protected software programs and Web sites. Users just touch the reader to automatically and securely provide data for logon fields, such as user name and password, on any Web site or program logon screen. (Requires Internet Explorer 6 or above, or Firefox 3.0; see "System Requirements" on page 31.)

Administrators use the One Touch SignOn Administration Tool to create templates specifying information for the logon screens, and can use application policy settings in the GPO to deploy the One Touch SignOn templates to end users.


• One Touch Unlock means that any kiosk user can unlock a kiosk computer. For example, a user may log on and lock the kiosk computer. Then, a second user can unlock it without performing a log off and log on.

• Remote Access - If you enable the feature, Pro Kiosk can be accessed remotely through Windows Terminal Services (including Remote Desktop Connection) and through Citrix clients such as the MetaFrame Presentation Server Client and the Citrix Java Web-based client. Pro Kiosk can also be run on Citrix MetaFrame Presentation Server.

For instructions on enabling or disabling this feature, see "Allow Fingerprint Data Redirection" on page 93.

Additional installation steps for use of Pro Kiosk or Pro Workstation with Citrix are located in the chapters (5 and 6) describing installation of the products.


DigitalPersona Pro Kiosk for ID Server

DigitalPersona Pro Kiosk for ID Server is a separate edition of the Pro Kiosk client that provides the same functionality as DigitalPersona Pro Kiosk, except that it centralizes the identification of users logging on to the kiosk account within Active Directory, and no longer uses a cached local identification list on the kiosk computer.

This edition of Pro Kiosk requires both DigitalPersona Pro Server 4.4 or above and the DigitalPersona Pro ID Server module, which is available from your DigitalPersona Account Manager or product Reseller. It will not work with Pro Server alone, and previous editions of Pro Kiosk do not work with the Pro ID Server module.


Fingerprint Readers

U.are.U Fingerprint Reader
The DigitalPersona U.are.U Fingerprint Reader is a high-quality optical scanner designed especially for reading fingerprints, and is the recommended fingerprint reader for use with DigitalPersona Pro.

DigitalPersona Pro Workstation works with the U.are.U Reader to read the fingerprint scan for authentication purposes.

You may have a U.are.U Reader or a keyboard or device with an embedded U.are.U Reader.

Third-Party Swipe Readers
DigitalPersona Pro also supports the use of several third-party "swipe" fingerprint readers embedded in selected models of notebook computers.

Refer to the DigitalPersona Web site at http://www.digitalpersona.com/notebooks for the most recent list of supported models.


Administration Tools

DigitalPersona Pro for Active Directory provides several tools for administering various aspects of your implementation as well as expanding the functionality of the product.

Some of these Administration Tools are included in the product packages for either DigitalPersona Pro Server or Workstation. Others are available in a separate Administration Tools product package, which may be obtained from your DigitalPersona Account Manager or product Reseller.

The following table gives a brief description of each of the tools, and the page where they are described more fully.

Admin Tool: License Control Manager
Purpose: Used to control and manage licenses for users of DigitalPersona Pro Servers, including gathering the information necessary for requesting a license, adding and removing licenses and viewing license and user information.
Page: 110

Admin Tool: Attended Fingerprint Enrollment Tool
Purpose: An optional feature which can be used to require the supervision of users when enrolling their fingerprints.
Page: 114

Admin Tool: One Touch SignOn
Purpose: The One Touch SignOn Administration Tool enables administrators to add biometric authentication to Web sites and programs.
Page: 117

Admin Tool: User Properties Snap-in
Purpose: An Active Directory snap-in which extends the Active Directory Users and Computers snap-in to include a DigitalPersona tab on User objects and DigitalPersona functions on User object context menus. It is automatically installed with Pro Server. It can also be installed on an administrative workstation where the Microsoft adminpack is already installed, or on Domain Controllers where Pro Server is not installed.
Page: 101, 102

Admin Tool: User Query Tool
Purpose: Used to query the DigitalPersona Pro for Active Directory user database for information about DigitalPersona Pro users.
Page: 158


Admin Tool: CleanUp Wizard
Purpose: Removes user data (such as fingerprint credentials, secure application data and global domain data) from Active Directory.
Page: 163

Extended Server Policy Module

Basic Server policies are provided by the User Policies Snap-in, installed as part of DigitalPersona Pro Server, which allows an administrator to configure fingerprint logon settings and restore the use of fingerprints for a user after the account has been locked due to failed fingerprint attempts.

The optional Extended Server Policy Module adds the following additional user policy settings:

• User must type a PIN when providing a fingerprint to log on.
• User must provide a fingerprint to log on (in addition to other authentication specified by Windows policy settings).
• Randomize user's Windows password.

The Extended Server Policy Module is available from your DigitalPersona Account Manager or product Reseller.

For further details, see "Extended User Properties" on page 103.

Pro ID Server Add-On Module

The Pro ID Server Add-On Module is an optional component that performs one-to-many matching, adding identification capabilities with the ability to perform high-speed searches on a collection of enrolled fingerprints.

For optimum performance, the current recommended limits are 10,000 users or 20,000 fingerprint templates.

The Pro ID Server Add-On Module is available from your DigitalPersona Account Manager or product Reseller.

For further details, see "DigitalPersona Pro ID Server" on page 262.


System Requirements

DigitalPersona Pro Server
• Pentium processor, 128 MB RAM
• Windows Server 2008 (32 and 64-bit), Windows Server 2003 (32 and 64-bit), Windows SBS 2003 or Windows 2000 Server SP4
• Active Directory
• 10 MB available hard disk space, plus 5 KB of hard disk space per user

Pro ID Server Add-On (optional module)
• In addition to the requirements listed above for the DigitalPersona Pro Server, see page 262.

Pro Workstation and Pro Kiosk
• Pentium 233 MHz processor, 128 MB RAM
• Windows Server 2008 (32 and 64-bit), Windows Server 2003 (32 and 64-bit), Windows Vista (32 and 64-bit Business, Ultimate or Enterprise), Windows XP Professional (32 and 64-bit), Windows XP Embedded (32-bit only) or Windows 2000 SP4. Windows Vista Home and Windows XP Home Editions are not supported.
• 30 MB available hard disk space
• CD-ROM drive if installing locally; network connection for silent/network installation
• Microsoft Internet Explorer 6 or above, or Firefox 3.0 (required for the One Touch SignOn or One Touch Internet features)

Pro Kiosk for ID Server
• Available only as part of the Pro ID Server Add-On module. Same minimum requirements as Pro Kiosk above, except that it also requires the Pro ID Server Add-On module.


Product Compatibility

DigitalPersona Pro for Active Directory Server 4.x

• Can coexist with other Pro Servers that are version 3.0 or above, as long as there are no 4.x Pro Workstations in the domain.
• Requires that all Pro Workstations authenticating to the Pro Server are version 3.0 or above.
  If you are using a 3.x Workstation or Kiosk with a 4.x or later Pro Server running on Windows Server 2003 SP1 or later, you must make certain changes to the DCOM permissions to enable Pro Server to communicate with the 3.x clients. Step-by-step procedures for making those changes are in "Windows2003SP1Notice.pdf," which can be downloaded from the support section of our website at http://www.digitalpersona.com/support. Because these changes loosen DCOM access on the domain controller, record what you changed and revert it once the last 3.x client has been upgraded.
  We recommend that all workstations in a domain served by Pro Server 4.x are version 4.0 or above.
• Requires that all Pro Kiosk workstations authenticating to the Pro Server are version 1.0 or above.
• Is compatible with the DigitalPersona Pro SDK installed on Pro Workstation 3.x.

DigitalPersona Pro Workstation for Active Directory 4.x

• Can coexist with other Pro Workstations that are version 3.0 or above. However, especially for those using One Touch SignOn templates, we recommend that all workstations in the domain are version 4.0 or above.
• Is not compatible with DigitalPersona Gold, DigitalPersona Platinum, or the DigitalPersona Pro SDK.

DigitalPersona Pro for Active Directory Kiosk 4.x

• Can coexist with other Pro Kiosks that are version 1.0 or above.
• Is not compatible with DigitalPersona Gold, DigitalPersona Platinum, DigitalPersona Online or the DigitalPersona Pro SDK when installed on Pro Kiosk 4.x.


DigitalPersona Pro for Active Directory Kiosk for ID Server 4.4

• Cannot coexist with other versions of Pro Kiosk using the same Pro Server.
• Requires the Pro ID Server Add-On module.
• Is not compatible with DigitalPersona Gold, DigitalPersona Platinum, DigitalPersona Online or the DigitalPersona Pro SDK when installed on Pro Kiosk 4.x.

Supported fingerprint readers are:

• DigitalPersona U.are.U family of fingerprint readers and keyboards
• Many built-in swipe readers embedded in current models of notebook computers. For a list of supported built-in swipe readers, visit our Web site at http://www.digitalpersona.com/notebooks


Related Products

The following related products are also available from your DigitalPersona Account Manager or product Reseller:

DigitalPersona Pro for Active Directory Software Development Kit (SDK) - Provides developers with simple, powerful tools to extend DigitalPersona Pro for Active Directory with custom applications. Developers can fingerprint-enable access to their applications by leveraging DigitalPersona Pro security, credential management in Active Directory, user interface and deployment tools. This SDK works with the DigitalPersona Pro Server and Workstation software. The DigitalPersona Pro SDK only supports the DigitalPersona U.are.U fingerprint readers included with Workstation packages.

DigitalPersona Online SDK - DigitalPersona Online consists of server and client software to add fingerprint authentication to virtually any Web application. DigitalPersona Online enables businesses to provide heightened security to customers, partners and employees, replacing cumbersome passwords with the convenience of a single touch of a finger.

DigitalPersona One Touch for Windows SDK - The DigitalPersona One Touch for Windows Software Development Kit (SDK) gives developers the power of DigitalPersona fingerprint authentication security within their Windows applications. The One Touch for Windows SDK supports the DigitalPersona U.are.U fingerprint readers, modules and keyboards. The development kit includes an API to provide image capture from DigitalPersona fingerprint readers, feature extraction, fingerprint enrollment and matching in ANSI C, C++, C#, VB.NET as well as ActiveX/COM programming environments. Also included are a fully distributable DigitalPersona runtime engine, sample code and a detailed developer's guide.

DigitalPersona One Touch for CE SDK - The DigitalPersona One Touch for CE SDK enables application developers to enhance their Windows CE .NET 4.0 applications with DigitalPersona fingerprint authentication security. The toolkit includes the DigitalPersona IDentity Engine and sample code for embedded Visual C++. The DigitalPersona One Touch for CE SDK supports the DigitalPersona U.are.U 4000B Fingerprint Reader and U.are.U 4000B Fingerprint Module.


Part Two: Deployment & Installation

Part Two of the DigitalPersona Pro for AD Administrator Guide includes the following chapters:

Chapter 4 - Deploying DigitalPersona Pro Server: Describes the procedure for deploying DigitalPersona Pro Server. Page 36.
Chapter 5 - Installing DigitalPersona Pro Workstation: Describes the procedure for installing DigitalPersona Pro Workstation. Page 62.
Chapter 6 - Installing DigitalPersona Pro Kiosk: Describes the procedure for installing DigitalPersona Pro Kiosk. Page 75.

For information on planning and deployment, see "Planning & Deployment" on page 223.


Chapter 4 - Deploying Pro Server

This chapter provides instructions for deploying or upgrading DigitalPersona Pro Server for Active Directory on a domain controller. Instructions for uninstalling DigitalPersona Pro Server are on page 59.

Deployment Overview

Here is a high-level overview of the steps required to deploy DigitalPersona Pro Server for Active Directory on the domain controller of a Windows 2000/2003/2008 Server network.

1 Extend the Active Directory schema to include the attributes and classes used by DigitalPersona Pro Server. Details of the changes that will be made to the schema are available on the DigitalPersona Web site at: http://www.digitalpersona.com/support/refMaterial/ProSchemaExt/ProExt.php.
2 Configure each domain on which DigitalPersona Pro Server will be installed by running the Domain Configuration Wizard.
3 Install the DigitalPersona Pro Server software.
4 Install the Administrative Templates.

Detailed instructions for installation begin on page 39.

Upgrading from Previous Versions

This topic contains information that is specific to upgrading from version 3.x of DigitalPersona Pro for Active Directory to a 4.x version.

Upgrading to the current version has been made as straightforward and simple as possible. In most cases, it is simply a matter of removing the old software and installing the new software.

However, you should keep the following in mind.

• DigitalPersona Pro for Active Directory 4.0 introduced a new licensing model for Pro Server, which requires a User Authentication License for each user who will be enrolling fingerprints.


You should contact your DigitalPersona Account Manager or product Reseller to obtain the necessary licenses prior to beginning the upgrade process.

• Installation of Pro Server 4.x prior to installing the license will not lock out your current users, but will prevent any new users from enrolling their fingerprints on a version 4.x Workstation or Kiosk.

To upgrade from a previous version

The recommended sequence for upgrading from a previous version to the current version is:

1 Determine the number of User Authentication Licenses required and generate a license request file for each domain using the License Control Manager application included in the Administration Tools package. Follow the instructions in the topic "Getting License Information" on page 111 for requesting and installing license files.
2 Remove existing 3.x Pro Servers and install all 4.x Pro Servers according to the instructions in "Deploying Pro Server" on page 36. It is important to complete the upgrade of ALL Pro Servers before upgrading any Pro Workstations.

Warning
DO NOT run the Schema Extension Wizard as part of the upgrade process. This is step 1 in the installation process for new installations, but it should not be followed when upgrading your Pro Server.

3 Enter User Authentication Licenses for each domain where Pro Servers are installed.
4 Begin installation of Pro Workstation or Kiosk 4.x according to the instructions in "Installing Pro Workstation" on page 61, or "Installing Pro Kiosk" on page 73.

The table on the following page will assist you in determining your upgrade path according to your specific needs.


Table 4-1. Feature Comparison

Feature columns: Purchase Pro 4.x Server (follow the upgrade instructions on page 37), Secure Server Authentication, One Touch SignOn and One Touch Internet, Secure Windows Logon, One Touch Logon & One Touch UnLock, Workstation Administration.

Deployment scenario / features marked:
• Have Pro 3.x Server(s) and want to upgrade to Pro 4.x Server(s): X X X X X X
• Have Pro 3.x Workstations and want to upgrade to Pro 4.x Workstations: X X X X
• Have Pro 4.x Server and Pro 4.x Workstations and want to add more Pro 4.x Workstations: (none)


Extend the Active Directory Schema

Prior to installing DigitalPersona Pro Server, the Active Directory schema must be extended to create new attributes for the user object and new classes, as well as to make modifications to existing classes. The Active Directory Schema Extension Wizard automatically handles all of the necessary changes to the schema. This schema extension is global to the Active Directory forest, and Active Directory does not allow schema classes and attributes to be deleted once they have replicated (they can only be deactivated), so review the changes below and test them in a lab forest before running the wizard in production.

If you want to view the script that is used to extend the schema (dp-schema.ldif), it is available in the product package at the following location:

AD Schema Extension\dp-schema.ldif

Also, details of the changes that will be made to the schema are available on the DigitalPersona Web site at:
http://www.digitalpersona.com/support/refMaterial/ProSchemaExt/ProExt.php.

Warning
The Active Directory Schema Extension Wizard must be run from the schema master domain controller, or the data may not replicate fast enough to allow the wizard to continue. If the data is not replicated fast enough, the wizard will terminate, and you should then wait one replication cycle before running the wizard again.

After the schema extension, and again after configuring your domains, you must wait for Active Directory replication to complete. The amount of time this takes depends on the complexity of your Active Directory structure.

You must have Schema Administrator privileges to run the Schema Extension Wizard.

To run the Active Directory Schema Extension Wizard

1 Double-click DPSchemaExt.exe, which is located in the AD Schema Extension folder in the Server installation package, to start the Schema Extension Wizard.
2 Read the terms and conditions on the License Agreement page. If you agree with them, select I accept the license agreement and then click Next.


3 When prompted to proceed with the schema extension, click Yes.
4 Next, specify a location and name for the log file generated by the Schema Extension Wizard in the Save Log File As dialog box. Then click Save.
5 If the schema is not writable, the wizard will inform you of the fact and will allow you to make it writable. If this dialog box displays, click Yes to make the schema writable and perform the schema extension.
6 The wizard will extend the schema and provide information such as the class and attribute names. To close the wizard, click Finish.

The name of each new attribute and class added to the Active Directory schema follows Microsoft naming conventions. The names are assigned a "dp" prefix, which is registered with Microsoft.

The OID base, generated by Microsoft, is 1.2.840.113556.1.8000.651.
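As an added check that is not part of the DigitalPersona guide or product, the PowerShell below, run on a domain controller, confirms that this DC holds the schema master role and lists every schema class and attribute whose lDAPDisplayName begins with the registered "dp" prefix, flagging any whose OID falls outside the base above. Only the prefix and OID base stated on this page are assumed; the individual attribute names are not. It uses System.DirectoryServices so it runs under PowerShell 2.0 on Windows Server 2008 without the ActiveDirectory module.

```powershell
# Added example, not from the DigitalPersona guide: verify the Pro schema
# extension on the DC where this runs. Only the "dp" lDAPDisplayName prefix
# and the OID base 1.2.840.113556.1.8000.651 from the guide are assumed.

$oidBase  = "1.2.840.113556.1.8000.651."
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.schemaNamingContext.Value
$schema   = [ADSI]"LDAP://$schemaNc"

# 1. The wizard must run on the schema master. fSMORoleOwner on the schema
#    container and dsServiceName on RootDSE are both NTDS Settings DNs.
$schemaMaster = $schema.fSMORoleOwner.Value
$thisDc       = $rootDse.dsServiceName.Value
if ($schemaMaster -ne $thisDc) {
    Write-Warning "This DC is not the schema master (owner: $schemaMaster)."
}

# 2. List every schema class/attribute DigitalPersona added and confirm its
#    OID sits under the registered base.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
$searcher.Filter   = "(&(|(objectClass=attributeSchema)(objectClass=classSchema))(lDAPDisplayName=dp*))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange(@("lDAPDisplayName", "attributeID", "governsID"))

$found  = $searcher.FindAll()
$report = foreach ($entry in $found) {
    $p = $entry.Properties
    if ($p["attributeid"].Count -gt 0) { $kind = "attribute"; $oid = [string]$p["attributeid"][0] }
    else                               { $kind = "class";     $oid = [string]$p["governsid"][0] }
    New-Object PSObject -Property @{
        Kind   = $kind
        Name   = [string]$p["ldapdisplayname"][0]
        OID    = $oid
        InBase = $oid.StartsWith($oidBase)
    }
}
$report | Sort-Object Kind, Name | Format-Table Kind, Name, OID, InBase -AutoSize

# 3. Interpret the result: no dp* objects means the wizard has not run or its
#    changes have not yet replicated to this DC (wait one replication cycle);
#    a dp* object with InBase = False was not added by this product.
if (-not $found -or $found.Count -eq 0) {
    Write-Warning "No dp* schema objects found on $thisDc."
}
```

Run it on the schema master immediately after the wizard finishes, then again on a DC in another site before installing Pro Server there: an empty result on the second DC means replication has not yet delivered the extension, which is the wait the guide describes.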


Configure each domain

For each domain on which you plan to install DigitalPersona Pro Server, you need to run the DigitalPersona Pro Active Directory Domain Configuration Wizard, which configures the required domain-specific data, including the necessary cryptographic keys.

Running the wizard requires administrator privileges on the domain controller.

Warning
You should run this wizard only once on each domain where Pro Server will be installed.

When installing multiple Pro Servers, it is critical that you run the wizard only once during any replication period, allowing full replication to complete before going on to run the wizard on the next domain.

Running the wizard a second time during a single replication period will result in corrupted Server data, and any DigitalPersona Pro Servers in the domain will be unusable.

After running the Domain Configuration Wizard, domain-level permissions to enroll/delete fingerprints are reset to the default, i.e. Allow. Any restrictions you had placed on fingerprint enrollment or deletion must therefore be reapplied after the wizard completes.

To run the DigitalPersona Pro Active Directory Domain Configuration Wizard

1 Double-click DPDomainConfig.exe, which is located in the AD Domain Configuration folder in the Server installation package.
2 Read the license agreement that displays and, if you agree to the terms and conditions, select I accept the license agreement and then click Next.
3 A warning reminds you not to run this wizard if you have an existing DigitalPersona Pro Server installation on this domain. If you are sure there are no other DigitalPersona Pro Server installations on the domain you are configuring, check the I accept that the domain will be configured box and click Next.
4 In the Save Log File As dialog box, specify a file name and folder path for the log file generated by the wizard and click Save.
5 When you click Save, the wizard performs the necessary changes on the domain.
6 To close the wizard, click Finish.
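As an added example that is not from the guide, the PowerShell below wraps repadmin to report whether every inbound replication link has succeeded recently and without failures, which is the condition to satisfy before running the Domain Configuration Wizard on the next domain or re-running the Schema Extension Wizard. repadmin.exe is assumed to be present (Windows Support Tools on Server 2003, built in on Server 2008), and the 60-minute freshness threshold is an assumed default.

```powershell
# Added example, not from the DigitalPersona guide: check that replication has
# converged before running DPDomainConfig.exe on the next domain (or re-running
# DPSchemaExt.exe). Assumes repadmin.exe is available and PowerShell 2.0.

function Get-ReplicationProblems {
    param([int]$MaxAgeMinutes = 60)   # assumed threshold; tune to your topology

    # "repadmin /showrepl * /csv" emits one row per inbound link of every DC.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        $failures = 0
        if ($row.'Number of Failures' -match '^\d+$') { $failures = [int]$row.'Number of Failures' }
        $lastOk = $null
        if ($row.'Last Success Time' -as [datetime]) { $lastOk = [datetime]$row.'Last Success Time' }

        # A link is a problem if it has failed, never succeeded, or is stale.
        $stale = (-not $lastOk) -or (((Get-Date) - $lastOk).TotalMinutes -gt $MaxAgeMinutes)
        if ($failures -gt 0 -or $stale) {
            New-Object PSObject -Property @{
                Destination = $row.'Destination DSA'
                Source      = $row.'Source DSA'
                Partition   = $row.'Naming Context'
                Failures    = $failures
                LastSuccess = $lastOk
                LastError   = $row.'Last Failure Status'
            }
        }
    }
}

$problems = @(Get-ReplicationProblems)
if ($problems.Count -gt 0) {
    $problems | Format-Table Destination, Source, Partition, Failures, LastSuccess, LastError -AutoSize
    Write-Warning "Replication has not converged; do not run the Domain Configuration Wizard yet."
} else {
    "All inbound replication links succeeded within the window; safe to run the wizard on the next domain."
}
```

Rather than only waiting, `repadmin /syncall /AdeP` on the DC where you ran the wizard pushes all partitions to its partners across sites; rerun the check afterward, and treat any reported row as a stop condition, since the guide warns that a second run of the wizard within one replication period corrupts Server data.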


Install the Administrative Templates

DigitalPersona Pro Server and its associated workstation and kiosk clients use Active Directory administrative templates to provide access to the various policies and settings used in configuring the DigitalPersona Pro environment. These policies and settings are described in the chapter "Configuring Policies and Settings" on page 80.

Adding an administrative template to a GPO makes the DigitalPersona Pro policies and settings available in that GPO.

During installation of DigitalPersona Pro Server, the Pro Server, Workstation and Kiosk administrative templates are copied to the %SystemRoot%\inf folder. On most Windows systems, this folder is C:\Windows\inf. On Windows Server 2008, the templates are copied to %SystemRoot%\PolicyDefinitions instead (for example, C:\Windows\PolicyDefinitions).

The Workstation and Kiosk administrative templates are also copied to the same folder during installation of the client software.

The administrative templates provided in the current version of DigitalPersona Pro are listed below. Additional templates may be added as new components are released, and will be specified in the readme file for the component. Extensions are .admx for Windows Server 2008 and .adm for all other supported versions of Windows.

• DigitalPersonaProSvr - Designed for DigitalPersona Pro Servers, this template should be applied to Active Directory GPOs where it can be distributed to Domain Controllers running DigitalPersona Pro Server.
• DigitalPersonaProIDSvr - (Optional; part of the Pro ID Server Add-On module) This template should be applied to Active Directory GPOs where it can be distributed to Domain Controllers running the DigitalPersona Pro Kiosk for ID Server.
• DigitalPersonaProWksta - Designed for DigitalPersona Pro Workstations, this template should be applied to Active Directory GPOs where it can be distributed to computers running DigitalPersona Pro Workstation. It can also be applied to a local policy object for a standalone installation of DigitalPersona Pro Workstation.


• DigitalPersonaProWkstaKiosk - Designed for DigitalPersona Pro Kiosk. It should be applied to Active Directory GPOs where it can be distributed to computers running a DigitalPersona Pro Kiosk client.

Settings provided include: Fingerprint Verification Accuracy, Number of Fingerprints, Lockout Policy, Multi-credential Logon, Local Caching, One Touch Logon and One Touch SignOn settings and more. See the topic "DigitalPersona Pro Policies and Settings" on page 82 for the complete list.

Implementation Guidelines

Before you add the Administrative Templates to your GPOs, give some thought to your Active Directory structure, where GPOs are placed, and which GPOs the Administrative Templates should be added to.

Policy configuration needs vary from network to network, and specific policy recommendations are beyond the scope of this guide. You may want to refer to Microsoft's documentation on Group Policy Object configuration for more information.

Organizational Units and GPOs

Although the use and configuration of organizational units and GPOs varies widely among organizations, here are some general guidelines for structuring Active Directory organizational units.

• There are two key factors in deciding how to structure your network: how you group your users and computers, and where the DigitalPersona Pro GPOs are linked.
  For example, if users and computers can be grouped according to authentication policies, you might group them into separate organizational units and then set specific GPOs for each unit.
• However, when authentication policies within an organizational unit vary, as they often do between department heads and subordinates, you may want to group those users and computers into a child organizational unit.

Structuring your organizational units based on authentication policies is the easiest way to administer DigitalPersona Pro.


1 Plan your network structure by identifying the settings you intend to configure.
2 Determine whether to apply the settings to users and computers in a site or domain, or just to users and computers in an organizational unit.
3 Create the organizational units required to implement your design.
4 Add the respective users and computers to the organizational units.

GPO behavior

Here are a few guidelines to keep in mind when configuring DigitalPersona Pro GPOs.

• If a GPO setting is not configured, the default value built into the software is used.
• If a superior (higher-level) GPO has a value for a setting and a subordinate GPO has a conflicting value for that setting, the setting in the subordinate GPO is used (unless the superior GPO's link is enforced, in which case the superior value wins).
• If a GPO has a value for a setting and a subordinate (lower-level) container has the GPO setting with no value, the setting in the superior (higher-level) GPO is used.
• GPOs can only be linked to the three Active Directory containers: sites, domains and organizational units; not to users or computers.
• A single GPO can be linked to one or more containers.
• A GPO affects all users and computers in the container, and subcontainers, it is linked to.

Note
The DigitalPersona GPO settings apply only to computers with DigitalPersona software installed on them. In simple AD deployments, you can create one DigitalPersona GPO, linked at the domain, and set the Pro Server and Pro Workstation settings there for all users and computers alike.
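As an added example that is not part of the guide, the following PowerShell makes these rules visible for one computer: it walks the computer's OU chain up to the domain root and lists the GPOs linked at each level with their enforced, link-disabled and block-inheritance flags, so you can see which GPO a Pro Workstation or Kiosk will actually take a DigitalPersona setting from. The computer name is an assumed input, and only System.DirectoryServices is used, so it runs on Server 2003/2008 without the GroupPolicy module. Site-linked GPOs are not included, and links within one container are printed as stored in gPLink; use GPMC for the exact link order at a single level.

```powershell
# Added example, not from the DigitalPersona guide: list the GPOs that reach a
# computer (e.g. a Pro Workstation or Kiosk) by walking its OU chain and
# reading gPLink/gPOptions. Containers are printed domain first, nearest OU
# last: a later container's setting overrides an earlier one unless the earlier
# link is Enforced, and BlocksInheritance on a container stops non-enforced
# links above it. The computer name is the only input and is assumed.

function Get-GpoChain {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainDn = $rootDse.defaultNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Computer account $ComputerName not found in $domainDn" }

    # Walk up from the computer's parent container to the domain root.
    $containers = @()
    $entry = ([ADSI]$hit.Path).Parent
    while ($entry.SchemaClassName -ne "domainDNS") {
        $containers += $entry
        $entry = $entry.Parent
    }
    $containers += $entry
    [array]::Reverse($containers)      # domain first, closest OU last

    $level = 0
    foreach ($c in $containers) {
        $level++
        $options = 0
        if ($c.gPOptions.Value) { $options = [int]$c.gPOptions.Value }
        $gpLink = [string]$c.gPLink.Value
        # gPLink looks like "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;FLAGS]..."
        # FLAGS bit 0 = link disabled, bit 1 = enforced.
        foreach ($m in [regex]::Matches($gpLink, '(?i)\[LDAP://([^;\]]+);(\d+)\]')) {
            $flags = [int]$m.Groups[2].Value
            $gpo   = [ADSI]("LDAP://" + $m.Groups[1].Value)
            New-Object PSObject -Property @{
                Level             = $level
                Container         = [string]$c.distinguishedName.Value
                GPO               = [string]$gpo.displayName.Value
                Enforced          = [bool]($flags -band 2)
                LinkDisabled      = [bool]($flags -band 1)
                BlocksInheritance = [bool]($options -band 1)
            }
        }
    }
}

# Assumed computer name for the demonstration.
$chain = Get-GpoChain -ComputerName "WKS-FINANCE-01"
$chain | Format-Table Level, Container, GPO, Enforced, LinkDisabled, BlocksInheritance -AutoSize
```

Read the output top to bottom: a DigitalPersona setting configured in a GPO at a higher Level is overridden by any GPO at a lower Level that configures the same setting, except where the higher link shows Enforced = True; a container with BlocksInheritance = True discards every non-enforced link above it, which is a common reason a Kiosk OU silently ignores the domain-level DigitalPersona GPO.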


Install Templates to Active Directory

• For centralized administration of DigitalPersona Pro Workstations, both the Server and Workstation Administrative Templates need to be added to GPO(s) on the appropriate node(s) by the domain administrator.
• For local administration of a DigitalPersona Pro Workstation, see "Install Workstation Template Locally" on page 48.
• For Kiosk installations, the Kiosk Administrative Template needs to be added to the GPO for the Kiosk OU. See page 50 for additional instructions on setting up Pro Server for a Kiosk environment.
• For mixed (Workstation and Kiosk) installations, the appropriate Administrative Template needs to be added to the GPO(s) for the Server, Workstations and Kiosks.

In order to install the DigitalPersona Pro Administrative Templates and access their settings, you need to have domain administrator rights.

Server Template

For Windows Server 2008

The steps below edit the Default Domain Policy for simplicity. A dedicated DigitalPersona GPO linked at the domain or at the relevant OU, as suggested under "GPO behavior" above, is easier to scope, audit and roll back, and the same steps apply to it.

1 In the Server Manager, open Features, Group Policy Management, Domains, and then your domain.
2 Right-click Default Domain Policy and select Edit to display the Group Policy Management Editor.
3 In the Group Policy Management Editor, open Computer Configuration, Policies. Right-click the Administrative Templates folder and select Add/Remove Templates.
4 In the Add/Remove Templates dialog, select DigitalPersonaProSvr and click Add. (Continue at step 5 below.)

For Windows 2000 and 2003

1 Launch the Group Policy Editor through one of the following means.


• In the Active Directory Users and Computers tool, right-click a node whose GPO can be distributed to Domain Controllers running DigitalPersona Pro Server and select Properties. - OR -
• In the Group Policy Management Console (GPMC), choose the GPO distributed to Domain Controllers running DigitalPersona Pro.
2 Click Edit to display the Group Policy Editor.
3 In the Group Policy Editor, right-click the Computer Configuration/Administrative Templates folder and select Add/Remove Templates.
4 In the Add/Remove Templates dialog, select DigitalPersonaProSvr and click Add. (Continue at step 5 below.)

Workstation and Kiosk Templates

5 Add the Administrative Templates for your intended environment, i.e. the computers and/or users in the Site/Domain/OU scope of this GPO.
• If Pro Workstations are part of your environment, select DigitalPersonaProWksta and click Add.
• If Pro Kiosk clients are part of your environment, select DigitalPersonaProWkstaKiosk and click Add.
6 Click Close to exit the dialog.


7 A DigitalPersona Pro folder will then be listed under Computer Configuration/Administrative Templates.

One or both of the client templates should also be added to the Active Directory GPOs where they can be distributed to computers running DigitalPersona Pro Workstation or Kiosk clients.

1 In the Active Directory Users and Computers tool, right-click on a node whose GPO can be distributed to computers running DigitalPersona Pro Workstation or Kiosk and select Properties.
2 In the Properties dialog, click Edit to display the Group Policy Editor.
3 In the Group Policy Editor, right-click on the Computer Configuration/Administrative Templates folder and select Add/Remove Templates.
4 Select DigitalPersonaProWksta or DigitalPersonaProWkstaKiosk and click Add.
5 Click Close to exit the dialog.

Use the Group Policy Editor to modify DigitalPersona Pro settings by clicking Properties on the shortcut menu of each setting and then clicking the Policy tab on the Properties dialog box.

For a complete list of DigitalPersona Pro settings, see "DigitalPersona Pro Policies and Settings" on page 82.

Install Workstation Template Locally

For local administration of a DigitalPersona Pro Workstation, the Workstation Administrative Template (DigitalPersonaProWksta) can be added to the local policy object of any workstation running DigitalPersona Pro Workstation by using the Microsoft Management Console (MMC) Group Policy Editor.

To add the Workstation Administrative Template locally

1 On the Start menu, click Run. Type gpedit.msc and press Enter to launch the Group Policy Editor.
2 Right-click the Administrative Templates folder and select Add/Remove Templates on the Administrative Templates folder shortcut menu.


3 Click the Add button on the Add/Remove Templates dialog box and then locate and select the DigitalPersonaProWksta file located in the following path: %SystemRoot%\inf (for example, C:\Windows\inf).
4 Click Close.


Configuring DigitalPersona Pro Server for Pro Kiosk

Configuration Steps

Complete the following Pro Server and Kiosk installation and configuration steps in the order shown below. Specific instructions for configuration are described in the following sections or referred to in the previous pages.

Complete the following

1 Install DigitalPersona Pro Server, version 4.x or higher. This includes performing Schema Extension, Domain Configuration and the Server installation as specified on pages 39 and following. If previous versions of DigitalPersona Pro Server were installed in the domain, you should run the Domain Configuration Wizard, but should not run the Schema Extension Wizard again.
2 Add and configure settings for the DigitalPersona Pro Server administrative templates for the GPO in Active Directory. See "Install the Administrative Templates" on page 43. For DigitalPersona Pro Server GPO settings that are specific to Pro Kiosk, see "Configuring DigitalPersona Pro Server GPO Settings" on page 51.
3 Create an OU for each kiosk and assign computers to the kiosk OU. See "Creating the OU for the Kiosk" on page 52. By default, the entire domain is considered one kiosk. You may want to set up multiple, separate kiosks.
4 Assign kiosk permissions. By default, all domain users are allowed Kiosk permissions. To change permissions for specific groups or users, see "Assigning Kiosk Permissions" on page 53.
5 Create a Shared Account in Active Directory and specify the account information either by GPO or on individual kiosk computers. See "Kiosk Shared Account Settings" on page 51 and "Adding Shared Account Settings Using GPO" on page 52.
6 Install DigitalPersona Pro Kiosk on kiosk computers. See "Installing DigitalPersona Pro Kiosk" on page 75 for instructions.
7 Enroll user fingerprints. By default, all domain users are allowed to enroll their own fingerprints. However, you can choose whether you want to supervise the fingerprint enrollment process, or allow users to enroll fingerprints by themselves when they first log on to or unlock a kiosk computer. For more information, refer to the topic "Attended Fingerprint Enrollment" on page 114.

Configuring DigitalPersona Pro Server GPO Settings

Size of the Identification List for Kiosks

This setting specifies the maximum number of user accounts listed in the identification list. The list is shared among all kiosk computers in each kiosk. The default setting for the list size is 50 users. Valid values are 1 through 100.

Note that this does not apply to the Pro ID Server edition of the Kiosk client that is provided with the optional DigitalPersona Pro ID Server Add-On module, since it does not use an identification list.

Log Kiosk Events

The Log Events setting allows you to specify whether Pro Kiosk events are logged. In the Log Events setting, you can enable kiosk event logging and enable Log Success Audit events and Log Failure Audit events. For more information on kiosk event IDs, see "DigitalPersona Pro Events" on page 165.

OTS Template Settings

The One Touch SignOn templates must be accessible by the Shared Accounts that are used to access the kiosks. Make sure that the OTS templates are made available through GPO settings to the kiosk Shared Account rather than to the kiosk user accounts.

The OTS functionality is the same as in Pro Workstation. For more information on the OTS GPO settings, refer to "GPO Settings" on page 152.

Kiosk Shared Account Settings

At the kiosk level, whether it is the domain or an OU, you must specify the kiosk Shared Account information. For more information, see "Adding Shared Account Settings Using GPO" on page 52.


Creating the OU for the Kiosk

When you install DigitalPersona Pro Server and Pro Kiosk, the entire domain is considered one kiosk unless you complete further configuration.

To create multiple kiosks in a domain, or to limit the usage of the kiosk to specific computers only, you should create an organizational unit (OU) for each kiosk and then assign computers to the OU. You might create several kiosks where each kiosk is associated with its own OU. If computers in the same OU are geographically located in different sites, each OU per site is a kiosk.

Specifying a Shared Account for the Kiosk

Pro Kiosk requires an account, known as the Shared Account, that is specified on every kiosk computer. Account information includes the user name, domain name and password for an Active Directory account. You should have one Shared Account per kiosk, with the Password never expires setting.

You can configure the kiosk Shared Account by supplying the kiosk Shared Account information through GPO settings, as described below.

If the kiosk Shared Account information is distributed through Group Policy settings, all computers that belong to the selected object level in Active Directory, such as OU, Domain or Site, receive the kiosk Shared Account settings.

Pro Kiosk automatically assigns the "Impersonate a client after authentication" user right to the kiosk Shared Account. This right allows programs that run on behalf of that user to impersonate a client, which is how Pro Kiosk authenticates multiple users while using only one logon session for the Shared Account.

Adding Shared Account Settings Using GPO

To specify the Shared Account setting using GPO, you must add the administrative template named DigitalPersonaProWkstaKiosk.adm to the Computer Configuration folder, located in the Administrative Templates folder in the Group Policy Editor tree.

You can use the Group Policy Editor to modify DigitalPersona settings. For the Kiosk Shared Account Settings, at the OU level for the kiosk, open Computer Configuration/Administrative Templates/DigitalPersona/Kiosk Settings in the Group Policy Editor (on Windows Server 2008, the path is Computer Configuration/Default Domain/Policies/Administrative Templates/DigitalPersona/Kiosk Settings). Double-click Kiosk Workstation Shared Account Settings and specify the following values:
• Kiosk Shared Account user name
• Kiosk Shared Account NetBIOS domain name
• Kiosk Shared Account password

The Shared Account information is applied to all computers in the OU. Note that the password is stored in this setting in clear text.

Assigning Kiosk Permissions

In situations where additional security restrictions are necessary or desirable, you can modify the default permissions to allow or deny specific groups or users the use of each kiosk. The default installation permits every domain user to use all kiosks in the domain, and no additional configuration is necessary.

To configure kiosk membership for a specific group or user

The following procedure assumes that a kiosk has already been created and the Shared Account information specified as described in the topics on the previous pages.

1 In the AD Users and Computers console, check the View menu to make sure that Advanced Features is on (has a check mark next to it).
2 You must first remove the default domain-level Kiosk Membership permission that allows everyone in the domain to be identified through the ID Server.
• Within the Advanced Security Settings dialog, in the list of permissions, locate the permission Allow\Everyone\Kiosk Membership (DigitalPersona), and click Remove to delete it.
3 Locate (or create) and select the kiosk OU or container object that you want to configure the membership for.
4 Right-click on the object and select Properties. On the Security tab, click the Advanced button.


5 Click Add to display the Select User, Computer or Group dialog.
6 Enter the name of the kiosk object that you want to define permission for, and click OK.
7 On the Permission Entry dialog, in the Apply Onto drop-down list, select This object and all child objects.
8 In the list of permissions, locate the permission Kiosk Membership (DigitalPersona) and then select either Allow or Deny.

Note that a Deny permission always has precedence over any Allow permission for a specific group or user. Generally, it is preferable to manage permissions at the group level rather than user by user.
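The membership rules this procedure configures, modelled in Python as an added example (not DigitalPersona code): the default domain-level Allow\Everyone entry, inheritance to child objects via "This object and all child objects", and Deny taking precedence over Allow. The domain, OU and group names are constructed; the audit shows why step 2 (removing the Everyone entry) matters.

```python
"""Model of the Kiosk Membership (DigitalPersona) permission evaluation.

Added example, not DigitalPersona code. Distinguished names, kiosk OUs
and group names below are constructed for illustration.
"""
from dataclasses import dataclass

PERMISSION = "Kiosk Membership (DigitalPersona)"


@dataclass(frozen=True)
class Ace:
    object_dn: str        # where the entry is set: the domain or a kiosk OU
    trustee: str          # group or user the entry applies to
    allow: bool           # True = Allow, False = Deny
    inherit: bool = True  # "This object and all child objects"


def is_under(child_dn, ancestor_dn):
    """True when child_dn is ancestor_dn itself or lies below it in the tree."""
    return child_dn == ancestor_dn or child_dn.endswith("," + ancestor_dn)


def applicable(aces, kiosk_dn):
    """Entries governing a kiosk OU: set on it directly, or set above it with child inheritance."""
    return [a for a in aces if a.object_dn == kiosk_dn or (a.inherit and is_under(kiosk_dn, a.object_dn))]


def has_kiosk_membership(aces, kiosk_dn, principal, groups):
    """Deny precedence: any Deny for the user or one of its groups wins over every Allow."""
    trustees = {principal, "Everyone", *groups}
    hits = [a for a in applicable(aces, kiosk_dn) if a.trustee in trustees]
    if any(not a.allow for a in hits):
        return False
    return any(a.allow for a in hits)


DOMAIN = "DC=corp,DC=example"          # constructed
LOBBY = "OU=LobbyKiosk," + DOMAIN      # constructed kiosk OU
WARD = "OU=WardKiosk," + DOMAIN        # constructed kiosk OU

# Default after installation: Allow\Everyone\Kiosk Membership at domain level.
DEFAULT_ACL = [Ace(DOMAIN, "Everyone", True)]


def restricted_acl(remove_default=True):
    """Per-kiosk entries as set in steps 3 to 8. With remove_default=False the
    domain-level Everyone entry from step 2 is left in place, so every user not
    explicitly denied can still use every kiosk."""
    acl = [] if remove_default else list(DEFAULT_ACL)
    acl += [
        Ace(LOBBY, "Reception Staff", True),
        Ace(WARD, "Clinical Staff", True),
        Ace(WARD, "Contractors", False),   # Deny beats the Allow for Clinical Staff
    ]
    return acl


def audit(acl, users):
    """Map each user to the kiosks it may use, for checking a policy before rollout.
    users: {user name: [group names]}."""
    return {u: sorted(k for k in (LOBBY, WARD) if has_kiosk_membership(acl, k, u, g))
            for u, g in users.items()}


if __name__ == "__main__":
    sample = {"alice": ["Reception Staff"], "bob": ["Clinical Staff", "Contractors"], "carol": []}
    print("Everyone entry removed:", audit(restricted_acl(), sample))
    print("Everyone entry left in place:", audit(restricted_acl(remove_default=False), sample))
```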


Changes Made During Installation

Running the Schema Extension Wizard adds the following data to Active Directory.

Active Directory Containers

The Schema Extension Wizard installs three subcontainers in the Active Directory System container. They contain information administrators can use to verify and administer the DigitalPersona Pro Server installation. To access the System container, select Advanced Features from the View menu.

The three containers are the Biometric Authentication Servers container, the Licenses container and the Policies container.

The Biometric Authentication Servers container provides the class name of the Server.

The Licenses container holds the license files for DigitalPersona Pro Server.

The Policies container, located under [domain name]/System/DigitalPersona/UareUPro/Policies, contains all the Policy Objects created for use with DigitalPersona Pro, as described in "DigitalPersona Pro Policies and Settings" on page 82.


In addition to these containers, the following data is added to the Service container:
• Service Configuration Container Name, set to Biometric Authentication Server.
• Service Version Object Name, set to .

Published Information

DigitalPersona Pro Server publishes its service using the following properties:
• Service Class Name, set to Biometric Authentication Service.
• Service Class GUID, set to {EFE03FEC-2A6C-4DFB-9B56-E3BC77F32D7F}.
• Vendor Name, set to DigitalPersona.
• Product Name, set to UareUPro.
• Product GUID, set to {48F74E29-1CC0-468F-A0A0-8236628A5170}.
• Authentication Server Object Name, the DNS name of the host computer.
• Service Principal Name, a unique name identifying the instance of a service for a client.
• Schema Version Number, the version of the Active Directory schema extension.
• Product Version Number, the version of the DigitalPersona Pro Server software.
• Product Version High, set to [current version].
• Product Version Low, set to [current version].
• Keywords for searching for the server are Service Class GUID, Vendor Name, Product Name and Product GUID. The keyword values are the same as the property values listed in this section.

The Server publishes its service in compliance with the Active Directory Service Connection Point specifications.


DNS Registration

The use of DNS registration enables DigitalPersona Pro Workstations to locate Pro Servers without needing additional local configuration. If your DNS server supports dynamic registration, DigitalPersona Pro Server registers itself with DNS using the service name _uareupro.

The format of the DNS resource records for DigitalPersona Pro Server is:
• _uareupro._tcp.[domain] 600 IN SRV 0 100 0 [server name]
• _uareupro._tcp.[site name]._sites.[domain] 600 IN SRV 0 100 0 [server name]

Pro Server calculates site coverage based on the availability of other Pro Servers in the domain (as well as the sites configured for the domain) and then creates Service Resource Records (SRV RRs) for the domain and the sites it covers.

Settings in the DigitalPersona Pro Administrative Template govern whether or not Pro Server uses dynamic registration. For information on this and other DNS-related settings, see "BAS Locator DNS Records" on page 85.

Automatic Registration

If automatic registration is not disabled in the governing GPO, DigitalPersona Pro Server registers itself with DNS every time Pro Server starts, refreshes the registration automatically at specified intervals, and unregisters itself every time DigitalPersona Pro Server stops.

When DigitalPersona Pro Server unregisters itself, it removes only the records it created during automatic registration. Records entered by the administrator will be unaffected.

Warning

When DigitalPersona Pro Server refreshes (updates the DNS records), it removes all of its records and registers again according to the current GPO settings. If there is only one Pro Server covering a site for load-balancing, there are a few milliseconds when there are no Pro Server records in the DNS server. If a DigitalPersona Pro Workstation attempts to locate a Pro Server during that period, it will not find the server, and the Workstation will perform the fingerprint enrollment and authentication locally. However, all other workstation functions will perform normally using the Workstation's local cache, and the DNS refresh will be transparent to the user. The Workstation will attempt to automatically refresh its cached Pro Server information the next time it performs enrollment or authentication, or every two hours, whichever comes first.

Manual DNS Registration

If your DNS server does not support dynamic registration, or if dynamic registration is disabled through a DigitalPersona Pro GPO setting, an administrator can manually register the Pro Servers by entering the DNS resource records in the format shown above.

Note

You can view the default values of the settings created during Pro Server setup by opening the U.are.UPro.DNS file in Notepad. It is located in the Program Files\DigitalPersona\bin folder.

To manually register a Pro Server in Microsoft DNS

1 Open the DNS console and expand the Forward Lookup Zone.
2 In the left pane, select and then right-click on [domainname], and select Other New Records in the context menu.
3 In the Resource Record Type dialog box, click on Service Location, and then click the Create Record button.
4 In the New Resource Record dialog, set the following values:
• Service: _uareupro
• Weight: 100
• Port Number: 0
• Host offering this service: domaincomputername.domainname.com
5 Click OK to save the settings and return to the main DNS console window.
6 Under the same [domainname], expand the _sites key.
7 In the left pane, select and then right-click on Default-First-Site-Name and select Other New Records from the context menu.
8 Repeat steps 3 through 5 for each Pro Server that you want to register.
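The _uareupro records in the format given above, the Priority/Weight selection an SRV client performs (RFC 2782), and the lookup gap described in the Warning, modelled in Python as an added example (not DigitalPersona code). The domain corp.example, the host bas1.corp.example and the in-memory zone are constructed; the model goes slightly beyond the text by also showing how Weight shifts the load between two servers.

```python
"""Model of the _uareupro SRV records described in this chapter.

Added example, not DigitalPersona code. Builds the domain- and site-scoped
records, chooses a server as an RFC 2782 client does (lowest Priority, then
a Weight-proportional pick) and replays the chapter's two failure modes:
no records at all, and the empty window during a refresh by a lone server.
"""
import random
from collections import Counter
from dataclasses import dataclass

SERVICE = "_uareupro._tcp"
TTL = 600  # TTL used in the chapter's record format


@dataclass(frozen=True)
class SrvRecord:
    owner: str
    priority: int
    weight: int
    port: int
    target: str

    def zone_line(self) -> str:
        """Render as in the chapter: owner TTL IN SRV priority weight port target."""
        return f"{self.owner} {TTL} IN SRV {self.priority} {self.weight} {self.port} {self.target}"


def owner_names(domain, sites):
    """The domain-wide owner plus one owner per covered site (the _sites form)."""
    return [f"{SERVICE}.{domain}"] + [f"{SERVICE}.{s}._sites.{domain}" for s in sites]


def build_records(domain, server, sites, priority=0, weight=100, port=0):
    """Records one Pro Server registers; the defaults are the chapter's 0 100 0."""
    return [SrvRecord(o, priority, weight, port, server) for o in owner_names(domain, sites)]


class DnsZone:
    """Minimal in-memory forward lookup zone keyed by owner name (constructed)."""

    def __init__(self):
        self.records = {}

    def register(self, records):
        for rec in records:
            self.records.setdefault(rec.owner, []).append(rec)

    def unregister(self, target):
        """Automatic unregistration removes only that server's records; hand-entered records stay."""
        for owner in list(self.records):
            kept = [r for r in self.records[owner] if r.target != target]
            if kept:
                self.records[owner] = kept
            else:
                del self.records[owner]

    def lookup(self, owner):
        return list(self.records.get(owner, []))


def select_server(records, rng=None):
    """RFC 2782 client choice. None for an empty answer, the case in which the
    Workstation falls back to local enrollment and authentication."""
    if not records:
        return None
    if rng is None:
        rng = random.Random()
    best = min(r.priority for r in records)
    pool = [r for r in records if r.priority == best]
    total = sum(r.weight for r in pool)
    if total == 0:
        return rng.choice(pool).target
    pick = rng.randrange(total)  # a Weight-0 server is never chosen while a weighted peer exists
    running = 0
    for r in pool:
        running += r.weight
        if pick < running:
            return r.target
    return pool[-1].target


def locate(zone, domain, site, rng=None):
    """Workstation lookup: the records for its own site first, then the domain."""
    answer = zone.lookup(f"{SERVICE}.{site}._sites.{domain}") or zone.lookup(f"{SERVICE}.{domain}")
    return select_server(answer, rng)


def pick_distribution(records, trials, seed=1):
    """How often each target is chosen; shows what changing Weight does to load-balancing."""
    rng = random.Random(seed)
    return Counter(select_server(records, rng) for _ in range(trials))


def refresh_window_demo(domain, site, server):
    """Replay the Warning: a refresh removes all of a server's records and
    re-adds them, so a lone server covering a site leaves a brief empty window."""
    zone = DnsZone()
    recs = build_records(domain, server, [site])
    zone.register(recs)
    before = locate(zone, domain, site)
    zone.unregister(server)              # refresh begins
    during = locate(zone, domain, site)  # None: no _uareupro records at this instant
    zone.register(recs)                  # re-registration completes
    after = locate(zone, domain, site)
    return before, during, after
```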


Warning

If the SRV RRs are not added, either dynamically or manually, the DigitalPersona Pro Workstation will not be able to find the Servers and will perform fingerprint enrollment and authentication locally.

Improving Performance

The Priority and Weight settings can be modified to achieve better response time and load-balancing in the _uareupro Properties dialog box, which is accessible by double-clicking _uareupro in the DNS console.

The _uareupro SRV RRs (Service Resource Records) can be found in the following paths in the DNS console:
• DNS/[DNS server]/Forward Lookup Zones/[domain]/_tcp
• DNS/[DNS server]/Forward Lookup Zones/[domain]/_sites/[site name]/_tcp

If your DNS does not support dynamic registration, you will have to add these SRV RRs manually. For your convenience, these entries are stored in a file, UareUPro.DNS, which is located in the folder in which you installed DigitalPersona Pro Server.

Configuring DNS Dynamic Registration

Additional parameters for configuring DNS registration are available in the DigitalPersona Pro Administrative Template when it is added to the governing GPO. For information on these settings, see "BAS Locator DNS Records" on page 85.

Uninstalling DigitalPersona Pro Server

DigitalPersona Pro Server can be uninstalled from the Add/Remove Programs Control Panel in Windows if you have administrator privileges on the domain on which Pro Server is installed. The software is listed as "DigitalPersona Pro Server for Active Directory version [version number]."

When you uninstall the Server software, the published information (described in "Published Information" on page 56) and the DNS SRV RRs (described in "DNS Registration" on page 57) are removed.


Although the Add/Remove Programs Control Panel uninstalls the DigitalPersona Pro Server software, the user data, such as fingerprint credentials and secure application data, and the global domain data remain in Active Directory. DigitalPersona provides a DigitalPersona Pro Cleanup Wizard to remove this data. See "Cleanup Wizard" on page 163 for details.


5 Installing Pro Workstation

This chapter defines the hardware and software requirements for DigitalPersona Pro Workstation, and provides instructions for the various installation scenarios:
• Local installation from the product package
• Remote Installation
• Command Line Installation
• Citrix Installation

If DigitalPersona Pro Servers will be used for authentication, they should be installed and configured before installing DigitalPersona Pro Workstation.

System Requirements

Before installing DigitalPersona Pro Workstation, make sure your system meets the following minimum requirements:
• Windows Server 2008 (32- and 64-bit), Windows Server 2003 (32- and 64-bit), Windows Vista (32- and 64-bit Business, Ultimate or Enterprise), Windows XP Professional (32- and 64-bit), Windows XP Embedded (32-bit only) or Windows 2000 SP4. Windows Vista Home and Windows XP Home Editions are not supported.
• Microsoft Internet Explorer 6 or above, or Firefox 3.0 (required for the One Touch SignOn or One Touch Internet features)
• 150 MB of free hard disk space
• High-encryption (128-bit) capability. This is built in to Windows beginning with Windows 2000 SP2. If you need to install high-encryption capability on an earlier Windows 2000 OS, see the instructions on page 259.
• U.are.U 4000B or 4500 Fingerprint Reader, or another supported third-party swipe reader embedded in selected models of notebooks. Refer to the DigitalPersona Web site at http://www.digitalpersona.com/notebooks for the most recent list of supported models.

Note

Either the embedded reader or a DigitalPersona U.are.U reader may be used for fingerprint enrollment and authentication, i.e. a user can enroll with the embedded reader and authenticate using the DigitalPersona U.are.U reader, and vice versa.


Local installation from the product package

To install DigitalPersona Pro Workstation for Active Directory:

1 Locate and double-click the Setup.exe file in the Pro Workstation folder of the product package.
2 When the Welcome page displays, click Next to proceed with the installation.
3 Read the License Agreement page. If you agree, select the I accept the terms in the license agreement button and click Next.
4 On the next page, you can specify the folder that DigitalPersona Pro will be installed in. If you want to install DigitalPersona Pro to the default location, C:\Program Files\DigitalPersona\, click Next; otherwise, click Change to specify a new location and then click Next to continue.

If another DigitalPersona product is already installed, the Change button does not display.


5 Choose one of the following options to indicate the type of installation you want to perform:
• Complete. Click Next for the Complete installation, which installs the One Touch Applications. Then, click Next and proceed to step 6 below.
• Custom. Click Custom and then click Next to specify the options to install. On the next page of the wizard, select a feature and choose an installation option. You can also check how much disk space a particular installation will require by clicking Disk Space. When you are finished, click Next to proceed.
6 When you click Install, the installation of DigitalPersona Pro Workstation begins.
7 If prompted to do so, plug the USB cable from the fingerprint reader into your computer's USB port. When installation is finished, click Finish to close the installer. Click Yes when prompted to restart the computer.

After the computer restarts, and at every subsequent restart, the Workstation software automatically uses the default DNS server to locate all DigitalPersona Pro Servers for the domain and its site. If more than one Pro Server is found, the Workstation will choose the Pro Server for authentication that offers the most efficient connectivity. If no Pro Servers are found, DigitalPersona Pro Workstation will perform authentication locally.

For instructions on using DigitalPersona Pro Workstation, see page 175.


Remote Installation

The installer for DigitalPersona Pro Workstation uses Microsoft Windows Installer (MSI) technology, which allows administrators to remotely install or uninstall the software using Active Directory administration tools or other software deployment tools. Note that the installer is meant for computer-based policy installation, not user-based.

To install Pro Workstation remotely through Active Directory

1 Copy the appropriate .msi file to a local directory (such as C:\InstallDir) on the server.
2 Launch the Active Directory Users and Computers administration tool.
3 On the context menu of a site, domain or Organizational Unit, click Properties and then click the Group Policy tab.
4 Create a new Group Policy Object, or select an existing one, and click Edit to launch the Group Policy Editor.
5 In the tree, select Computer Configuration/Software Settings/Software Installation.
6 Right-click Software Installation and select New, Package.
7 In the resulting dialog, enter the network location of the installation directory that you created, for example \\servername\InstallDir\setup.msi, where InstallDir is a predefined shared folder.
8 In the Run box, run gpupdate.

Installation will start on each client as soon as it reboots.


About Transform files

DigitalPersona uses Transform (.mst) files to create an installation package for DigitalPersona Pro components in the supported languages listed below. These files are located in the Bin directory of your product package.

When creating a package for a GPO install, select the
• Advanced (Windows 2003/2008) or
• Advanced published or assigned (Windows Server 2000)
option and then add the transform file from the Modifications tab. Add the transform before you click OK to create the package; Group Policy does not allow modifications to be added to a package that has already been deployed. Ensure that the transform file is in a folder that is shared with, and readable by, both the Active Directory server computer and all target client computers.

The transform files are named after the Windows locale identifier of each language:

Language               Transform file
French                 1036.mst
German                 1031.mst
Italian                1040.mst
Brazilian Portuguese   1046.mst
Spanish                1034.mst
Chinese Simplified     2052.mst
Chinese Traditional    1028.mst
Japanese               1041.mst
Korean                 1042.mst


Command Line Installation

DigitalPersona Pro Workstation can also be installed or uninstalled using MSI at the command line.

The syntax of the msiexec command is shown below and is followed by a description of the command line options, parameters and values available:

msiexec /i setup.msi INSTALLDIR=[directory] ADDLOCAL=[software] REMOVE=[software] TRANSFORMS=[Name of transform file] /qn

Command Line Options

There is one required and one optional command line option:

Option   Description
/i       (Required) Indicates that MSI will be used to install the DigitalPersona Pro software. It must be followed by the path to, and the name of, the .msi file (setup.msi) that contains the software to install.
/qn      (Optional) Hides the user interface when installing the software on the computer, allowing a "silent install." If used, it is placed at the end of the command line.

Parameters

Four parameters indicate where the software should be installed on the computer, which components should be included or removed, and which UI language to use:

Parameter    Description
INSTALLDIR   (Optional) Specifies the location where the DigitalPersona Pro Workstation software should be installed. If a folder is not specified, defaults to C:\Program Files\DigitalPersona


Parameter    Description
ADDLOCAL     (Optional) Indicates which DigitalPersona Pro Workstation features to install, by providing one of the values listed below.
REMOVE       (Optional) Indicates which DigitalPersona Pro software features to uninstall, by providing one of the values listed below.
TRANSFORMS   (Optional) Specifies a UI language other than U.S. English. The Windows Installer service uses a semicolon to separate multiple transforms, so do not use semicolons in the name of a transform file; the name would be interpreted as a list of transforms. See page 66 for a list of the available transform files for supported languages.

ADDLOCAL and REMOVE Values

The table below lists the values that may be provided with the ADDLOCAL and REMOVE parameters and provides a description of each value:

Value   Description
ALL     Installs all DigitalPersona Pro software components and features, or removes all of the components and features that are currently installed.
Logon   Installs or removes the One Touch Logon feature.
OTI     Installs or removes the One Touch Internet feature.

Following are a few rules when using these parameters and their values:
• If neither ADDLOCAL nor REMOVE is specified, msiexec installs all DigitalPersona Pro Workstation features.
• Individual software features cannot be installed unless the ALL value was used with the ADDLOCAL parameter first.


• To install DigitalPersona Pro Workstation software for the first time while omitting one or more software features, use ADDLOCAL=ALL, followed by the REMOVE parameter with each software component you do not want to install, separated by commas. For example:

msiexec /i setup.msi ADDLOCAL=ALL REMOVE=Logon,OTI
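As an added example (not code from the DigitalPersona guide), the following PowerShell functions build the msiexec command line described in this section, enforce the guide's rules (ADDLOCAL=ALL before REMOVE, no semicolons in the transform name, /qn last) and turn the Windows Installer exit code into a clear result instead of a silent failure. The feature names Logon and OTI and the transform file names are the guide's; the /l*v logging switch is a standard Windows Installer option that this page does not list; the UNC path and log location in the usage call are assumptions.

```powershell
# Added example (not from the DigitalPersona guide): compose and run the
# msiexec install described on this page, with the guide's rules enforced.

function New-ProWorkstationInstallArgs {
    param(
        [Parameter(Mandatory = $true)][string]$MsiPath,       # e.g. \\server\InstallDir\setup.msi
        [string]$InstallDir,                                  # default is C:\Program Files\DigitalPersona
        [ValidateSet('Logon', 'OTI')][string[]]$RemoveFeatures = @(),
        [string]$Transform,                                   # e.g. 1031.mst (German), see page 66
        [string]$LogPath,                                     # standard msiexec /l*v log (not on this page)
        [switch]$Silent
    )
    if (-not (Test-Path -Path $MsiPath)) { throw "MSI not found: $MsiPath" }
    if ($Transform -and $Transform.Contains(';')) {
        # Windows Installer treats ';' as the separator between several transforms
        throw "Transform name must not contain ';': $Transform"
    }
    $argList = @('/i', ('"{0}"' -f $MsiPath))
    if ($InstallDir) { $argList += ('INSTALLDIR="{0}"' -f $InstallDir) }
    # First-time install that omits features: ADDLOCAL=ALL first, then REMOVE=<list>
    $argList += 'ADDLOCAL=ALL'
    if ($RemoveFeatures.Count -gt 0) { $argList += ('REMOVE={0}' -f ($RemoveFeatures -join ',')) }
    # An unqualified transform name is resolved next to the .msi, so keep the .mst in the same share
    if ($Transform) { $argList += ('TRANSFORMS="{0}"' -f $Transform) }
    if ($LogPath)   { $argList += '/l*v', ('"{0}"' -f $LogPath) }
    if ($Silent)    { $argList += '/qn' }   # the guide places /qn at the end
    return $argList
}

function Invoke-ProWorkstationInstall {
    param([Parameter(Mandatory = $true)][string[]]$ArgumentList)
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $ArgumentList -Wait -PassThru
    switch ($proc.ExitCode) {
        0    { return 'Installed' }
        3010 { return 'Installed; a reboot is required to complete the installation' }
        1641 { return 'Installed; Windows Installer has initiated a reboot' }
        1619 { throw 'msiexec 1619: package could not be opened (check the share path and the computer account''s read access)' }
        1603 { throw 'msiexec 1603: fatal error during installation (see the /l*v log)' }
        default { throw "msiexec failed with exit code $($proc.ExitCode)" }
    }
}

# Usage: silent German install without One Touch Internet, logged for troubleshooting
$msiArgs = New-ProWorkstationInstallArgs -MsiPath '\\server\InstallDir\setup.msi' `
    -RemoveFeatures 'OTI' -Transform '1031.mst' -Silent -LogPath "$env:TEMP\dp-wksta.log"
Write-Host ("msiexec {0}" -f ($msiArgs -join ' '))
Invoke-ProWorkstationInstall -ArgumentList $msiArgs
```

The command line printed before the install runs is the one to paste into a deployment tool that takes raw msiexec arguments; with /qn there is no UI, so the exit code and the log are the only evidence of what happened on the machine.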


Installation on Citrix Presentation Server

Citrix Presentation Server is a remote access and application publishing product that allows users to remotely connect to applications available from central servers. DigitalPersona Pro clients (Workstation and Kiosk) support fingerprint authentication through the Citrix communication channel.

The following types of Citrix clients are supported:
• Program Neighborhood
• Program Neighborhood Agent
• Web Client

Installation & Configuration

The following instructions assume that Citrix has been installed and configured prior to installing DigitalPersona Pro Workstation. For instructions on installing Citrix AFTER Pro Workstation has been installed, see "Installing Citrix support after DigitalPersona Pro client installation" on page 255.

To configure DigitalPersona Pro Workstation for Citrix support:

1 Install the DigitalPersona Pro client on the Citrix Presentation Server computer that your Citrix client connects to, and on the client computer.
2 Add or modify the following registry value on Citrix Presentation Server:
  Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
  Value Name: LogoffCheckSysModules
  Type: REG_SZ
  String: DPAgent.exe
3 In Active Directory, apply the DigitalPersona Pro Administrative Template (DigitalPersonaProWksta.adm) to a GPO governing the client computer (or apply it to a local policy object on the client computer).
4 In the GPO, enable the "Allow Fingerprint Data Redirection" setting.
5 For Citrix published applications:
  • In order to use One Touch SignOn with a logon dialog displayed by a Citrix published application, the DPAgent process must be started in the same session as the published application, and be running before the dialog displays on the screen. The easiest way to do this is to execute a script on the Citrix Presentation Server at the same time the published application is launching.
  • On Citrix Presentation Server, make sure that UsrLogon.cmd is specified in the Registry under the following node: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup. This key ensures that the Citrix license is released when it should be.
  • Locate the UsrLogon.cmd file on the hard drive. By default, it is in the %systemroot%\system32 folder.
  • At the beginning of the UsrLogon.cmd file, insert a command to launch the DPAgent process, and then specify a delay to allow the process to start before the published application dialog displays on the screen. Five seconds should be adequate even for a slow computer. Here is an example of what that might look like (the empty "" after start is the window title, so that the quoted /D path is not mistaken for one):

REM Start the DigitalPersona agent in this session, then wait about five seconds
start "" /D "C:\Program Files\DigitalPersona\Bin" DpAgent.exe
"C:\WINDOWS\SYSTEM32\CHOICE.EXE" /C:AB /D:A /t:5 > NUL

  • Choice.exe and sleep.exe (another alternative) were not installed with Windows 2000, but are available in the Windows 2000 Resource Kit, which is no longer available through Microsoft but is still available through third-party retailers and can be downloaded from the web.

Disabling automatic client updates

It is possible that a Citrix update to the client could interfere with DigitalPersona Pro functionality. To prevent this from happening, you may want to disable the automatic updating of clients from either the client or the server machine.

Option 1
1 From the client machine, run Remote Application Manager and deselect Allow Automatic Client Updates.
2 From the server machine, use the ICA Client Configuration Update Utility to disable automatic client updates for each product/client model you want to protect.


Option 2
Alternatively, you can modify the client database so that your modifications are included in the updated client. The client database is installed in the %SystemRoot%\Ica\ClientDB directory. Each product/model combination has a separate directory.

See the MetaFrame XP Server Administrator's Guide for more information about Client Auto Update.

Uninstalling DigitalPersona Pro Workstation

You can remove the DigitalPersona Pro Workstation software using the Add or Remove Programs Control Panel. The Workstation software is listed as "DigitalPersona Pro Workstation for Active Directory version [version number]." You must have local administrative privileges to modify installations on the computer.

Customizing a DigitalPersona Pro Workstation Installation

To customize an existing installation of DigitalPersona Pro Workstation, you can add or remove One Touch Applications using the Add or Remove Programs Control Panel. Follow the on-screen instructions in the Control Panel for adding One Touch Applications. By default, all applications are installed.


6 Installing Pro Kiosk

This chapter defines the hardware and software requirements for the DigitalPersona Pro Kiosk client, and provides instructions on its installation. DigitalPersona Pro Servers to be used for authentication should be installed and configured before installing DigitalPersona Pro Kiosk.

Kiosk editions

There are two editions of the kiosk client for DigitalPersona Pro Server. They are identical in most respects (see page 27 for differences), have the same system requirements, and are installed in the same way, with the following exceptions:

Pro Kiosk
The standard edition of DigitalPersona Pro Kiosk cannot use the expanded identification capabilities of the optional DigitalPersona Pro ID Server Add-On Module (see page 30).

Pro ID Server Kiosk
Requires installation of the DigitalPersona Pro ID Server Add-On Module (see page 30).

System Requirements

Before installing DigitalPersona Pro Kiosk, make sure that the computer meets the following hardware and software requirements:
• Hardware: Pentium 233 MHz processor, 128 MB RAM, 30 MB available hard disk space; a CD-ROM drive for a local install, or a network connection for a silent/network install.
• Operating system: Windows Server 2008 (32- and 64-bit), Windows Server 2003 (32- and 64-bit), Windows Vista (32- and 64-bit Business, Ultimate or Enterprise), Windows XP Professional (32- and 64-bit), Windows XP Embedded (32-bit only) or Windows 2000 SP4. Windows Vista Home and Windows XP Home Editions are not supported.
• DigitalPersona Pro Server version 4.0 or above must be installed and configured on a domain server with Active Directory before Kiosk installation.


• DigitalPersona Pro Kiosk cannot be installed on the same computer as DigitalPersona Pro Server.
• Microsoft Internet Explorer 6 or above, or Firefox 3.0 (required for the One Touch SignOn feature).
• U.are.U 4000B/4500 Fingerprint Reader, or another supported third-party swipe reader embedded in selected models of notebooks. Refer to the DigitalPersona Web site at http://www.digitalpersona.com/notebooks for the most recent list of supported models.

Note
Either the embedded reader or a DigitalPersona U.are.U reader may be used for fingerprint enrollment and authentication, i.e. a user can enroll with the embedded reader and authenticate using the DigitalPersona U.are.U reader, and vice versa.


Installing DigitalPersona Pro Kiosk

To install DigitalPersona Pro Kiosk for Active Directory:

1 Locate and double-click the Setup.exe file in the Pro Kiosk folder of the product package to run the Installation Wizard.
2 When the installer runs, click Next to proceed with the installation.
3 Read the terms and conditions on the License Agreement page. If you agree with them, select the I accept the license agreement button and then click Next.
4 On the next page, you may specify the folder that DigitalPersona Pro Kiosk will be installed in. If you want to install DigitalPersona Pro Kiosk in the default location, C:\Program Files\DigitalPersona\, click Next; otherwise, click Browse to specify a new location and then click Next to continue.
5 Click Next again and the installer will begin to install DigitalPersona Pro Kiosk on your computer.
6 Connect the fingerprint reader when prompted to do so. The installer will place the necessary driver files on your hard drive to use the reader with DigitalPersona Pro Kiosk.
7 When installation is finished, click Finish to close the installer. Click Yes when prompted to restart the computer.

After the computer restarts, and at every subsequent restart, the Pro Kiosk software automatically uses the default DNS Server to locate all DigitalPersona Pro Servers for the domain and its site. If more than one Pro Server is found, Pro Kiosk chooses the Pro Server for authentication that offers the most efficient connectivity. If no Pro Servers are found, DigitalPersona Pro Kiosk cannot perform authentication by fingerprints; unlike Pro Workstation, Kiosk has no local fallback, so a Kiosk that cannot locate a Pro Server through DNS cannot authenticate users by fingerprint at all.

Installation on Citrix Presentation Server

Citrix Presentation Server is a remote access and application publishing product that allows users to remotely connect to applications available from central servers. DigitalPersona Pro clients (Workstation and Kiosk) support fingerprint authentication through the Citrix communication channel.


The following types of Citrix clients are supported:
• Program Neighborhood
• Program Neighborhood Agent
• Web Client

Installation & Configuration

The following instructions assume that Citrix has been installed and configured prior to installing DigitalPersona Pro Kiosk. For instructions on installing Citrix AFTER Kiosk has been installed, see "Installing Citrix support after DigitalPersona Pro client installation" on page 255.

To configure DigitalPersona Pro Kiosk for Citrix support:

1 Install the DigitalPersona Pro client on the Citrix Presentation Server computer that your Citrix client connects to, and on the client computer.
2 Add or modify the following registry value on Citrix Presentation Server:
  Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
  Value Name: LogoffCheckSysModules
  Type: REG_SZ
  String: DPAgent.exe
3 In Active Directory, apply the DigitalPersona Pro Administrative Template (DigitalPersonaProWkstaKiosk.adm) to a GPO governing the client computer (or apply it to a local policy object on the client computer).
4 In the GPO, enable the "Allow Fingerprint Data Redirection" setting.
5 For Citrix published applications:
  • In order to use One Touch SignOn with a logon dialog displayed by a Citrix published application, the DPAgent process must be started in the same session as the published application, and be running before the dialog displays on the screen. The easiest way to do this is to execute a script on the Citrix Presentation Server at the same time the published application is launching.
  • On Citrix Presentation Server, make sure that UsrLogon.cmd is specified in the Registry under the following node: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup.
  • Locate the UsrLogon.cmd file on the hard drive. By default, it is in the %systemroot%\system32 folder.
  • At the beginning of the UsrLogon.cmd file, insert a command to launch the DPAgent process, and then specify a delay to allow the process to start before the published application dialog displays on the screen. Five seconds should be adequate even for a slow computer. Here is an example of what that might look like (the empty "" after start is the window title, so that the quoted /D path is not mistaken for one; the delay line must not be commented out with REM, or the agent will not have started when the dialog appears):

REM Start the DigitalPersona agent in this session, then wait about five seconds
start "" /D "C:\Program Files\DigitalPersona\Bin" DpAgent.exe
"C:\WINDOWS\SYSTEM32\CHOICE.EXE" /C:AB /D:A /t:5 > NUL

  • Choice.exe and sleep.exe (another alternative) were not installed with Windows 2000, but are available in the Windows 2000 Resource Kit, which is no longer available through Microsoft but is still available through third-party retailers and can be downloaded from the web.

Disabling automatic client updates

It is possible that a Citrix update to the client could interfere with DigitalPersona Pro functionality. To prevent this from happening, you may want to disable the automatic updating of clients from either the client or the server machine.

Option 1
1 From the client machine, run Remote Application Manager and deselect Allow Automatic Client Updates.
2 From the server machine, use the ICA Client Configuration Update Utility to disable automatic client updates for each product/client model you want to protect.

Option 2
Alternatively, you can modify the client database so that your modifications are included in the updated client. The client database is installed in the %SystemRoot%\Ica\ClientDB directory. Each product/model combination has a separate directory.


See the MetaFrame XP Server Administrator's Guide for more information about Client Auto Update.

Uninstalling DigitalPersona Pro Kiosk

The DigitalPersona Pro Kiosk software is removed using the Add or Remove Programs Control Panel. The Pro Kiosk software is listed as "DigitalPersona Pro Kiosk for Active Directory version [version number]" or "DigitalPersona Pro Kiosk for ID Server," depending on which edition you have installed. You must have local administrative privileges to modify installations on the computer.


Part Three: Administration

Part Three of the DigitalPersona Pro for AD Administrator Guide includes the following chapters:

Chapter 7 - Configuring Policies & Settings (page 80): Defines the policies and settings that may be applied to Pro Servers and Workstations through installation of the DigitalPersona Pro Administrative Templates to an Active Directory GPO (Group Policy Object).

Chapter 8 - User Properties (page 102): Describes the Basic and Extended user settings that are available on the DigitalPersona Pro tab in the User Properties dialog of the Active Directory Users and Computers console.

Chapter 9 - Administration Tools (page 108): Provides complete instructions for using the Administration Tools provided with certain DigitalPersona Pro packages. The tools are also available as a separate package.

Chapter 10 - DigitalPersona Pro Events (page 165): Lists and explains the events that DigitalPersona Pro writes to the Windows Event log.


7 Configuring Policies and Settings

DigitalPersona Pro for AD provides a comprehensive set of policies and settings that may be accessed through Active Directory.

These policies and settings are contained in the three Administrative Templates (DigitalPersonaProSvr.adm, DigitalPersonaProWksta.adm and DigitalPersonaProWkstaKiosk.adm).

During deployment, the templates are added to specific Active Directory GPOs (Group Policy Objects) according to the instructions on page 43.

The Workstation template may also be added to a local policy object on a standalone workstation that does not have access to Active Directory. See "Install Workstation Template Locally" on page 48.

About DigitalPersona Pro Settings

The DigitalPersona Pro Administrative Template is added to both Administrative Templates folders, in the Computer Configuration and User Configuration trees, and the settings are accessible from the Setting table.

All computer policies and settings can be accessed in the Group Policy Editor tree from the path: Computer Configuration/Administrative Templates/DigitalPersona Pro.

[Figure: Group Policy Editor showing Computer Configuration/Administrative Templates/DigitalPersona Pro]


For local administrators of DigitalPersona Pro Workstation, the path is the same, but the local policy object is opened from the Microsoft Management Console (MMC) rather than from Active Directory.

Each setting can be accessed in the Group Policy Editor (or MMC) by clicking Properties on the context menu of the setting and then clicking the Policy tab on the Properties dialog box.

GPO settings have three states: enabled, disabled and not configured. By default, all settings are not configured. To override the default behavior of DigitalPersona Pro, each setting must be changed to enabled or disabled and, in some cases, additional parameters must be supplied.

On the network, by default, changes made to existing GPOs are picked up by the periodic background refresh, which runs every 90 minutes plus a random offset of up to 30 minutes, so a change can take up to two hours to reach a given computer.
• GPOs applied to computers are refreshed on this schedule, and also when the computer is restarted.
• GPOs applied to users are refreshed on this schedule, and also when the user logs on.

You can use the standard Windows methods of forcing a refresh (for example, running gpupdate on the client, and gpresult to confirm which GPOs were applied) on DigitalPersona Pro GPOs without concern for disrupting DigitalPersona Pro functionality on a computer.

For a description of each setting, click the Explain tab for a setting in the GPO Properties dialog box, or refer to "DigitalPersona Pro Policies and Settings" on page 82.


DigitalPersona Pro Policies and Settings

The following pages describe the policies and settings made available in Active Directory through the DigitalPersona Pro Administrative Templates. Settings in the list are divided into general categories indicating the type of setting. Each entry shows the category, which template contains it (Svr, Wks and/or Kiosk), a description, and the page on which it is described.

• Event Logging (All), page 84: Separate Event Logging settings are available for Pro Server, Workstation and Kiosk.
• BAS Locator DNS records (Svr), page 85: Contains settings that affect DNS registration, which is used to enable Pro Workstations to locate Pro Servers for authentication.
• Fingerprint Verification Lockout (Svr), page 89: Used to unlock a user that has been locked out due to unsuccessful attempts at fingerprint authentication.
• Allow use of Kerberos authentication to access DigitalPersona data (Svr), page 90: Used in conjunction with the "Allow use of Single Sign-on" (Workstation Only) setting to enable the Single Sign-on feature.
• Kiosk Server Settings (Svr), page 90: Sets the size of the Kiosk Identification List.
• Fingerprint Recognition (All), page 91: Contains settings concerning how fingerprint recognition is accomplished.
• Allow Fingerprint Data Redirection (Wks/Kiosk), page 93: Determines whether or not the client computer is allowed to redirect fingerprint data to the Terminal Services (i.e. RDP or Remote Access) session.
• Workstation Only (Wks), page 94: Contains settings that affect the authorization and logon processes.


• Workstation Properties (Wks), page 98: These settings determine the behavior and appearance of DigitalPersona Pro Workstation.
• One Touch SignOn (Wks/Kiosk), page 99: These settings determine the behavior and appearance of the One Touch SignOn feature in DigitalPersona Pro Workstation or Kiosk.
• Kiosk Workstation Only (Kiosk), page 100: These settings determine the behavior and appearance of DigitalPersona Pro Kiosk.

For a complete alphabetical list of the policies and settings with references to their Active Directory locations, see "DigitalPersona Pro Settings" on page 243.


Event Logging

This setting is included in the Server, Workstation and Kiosk Administrative Templates.

The Event Logging setting defines the level of detail for DigitalPersona Pro Server and Workstation event logging in the Windows Event Log. Logged events are accessible from the Windows Event Viewer. If this setting is not configured, DigitalPersona Pro events are logged at the Auditing level. Event logging must also be enabled in the Windows operating system for this setting to have any effect.

For information on how events are logged and a detailed description of each event, refer to "DigitalPersona Pro Events" on page 165.


BAS Locator DNS Records

BAS (Biometric Authentication Service) Locator DNS Records settings allow registration of Biometric Authentication Service Locator DNS records. These DNS records are dynamically registered by BAS and are used by DigitalPersona Pro Workstation to locate BAS. The following BAS Locator settings are included in the server Administrative Template.

Dynamic Registration of BAS Locator DNS Records

This setting determines if BAS performs dynamic registration of Biometric Authentication Service (BAS) Locator DNS resource records.

• When enabled or not configured, computers to which this setting is applied dynamically register BAS Locator DNS resource records through dynamic DNS update-enabled network connections.
• When disabled, computers will not register BAS Locator DNS resource records.

Refresh Interval of BAS Locator DNS Records

This setting specifies the Refresh interval of Biometric Authentication Service (BAS) Locator DNS resource records for computers to which this setting is applied. These DNS records are dynamically registered by BAS and are used by DigitalPersona Pro Workstation to locate BAS.

• To specify the Refresh interval of BAS records, select Enabled, and then specify a value in seconds (minimum is 1800).
• When disabled or not configured, computers will use a default value of 1800 seconds (30 minutes).

This setting may be applied only to computers using dynamic update. Computers configured to perform dynamic registration of BAS Locator DNS resource records periodically reregister their records with DNS servers, even if their records’ data has not changed.

If authoritative DNS servers are configured to perform scavenging of stale records, this reregistration informs the DNS servers that these records are current and should be preserved in the database.


If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the Refresh Interval configured for these zones. Setting the Refresh interval of BAS Locator DNS records to longer than the Refresh interval of the DNS zones may result in unwanted deletion of DNS resource records.

Weight Set in BAS Locator DNS SRV Records

This setting specifies the Weight field in the SRV resource records registered by Biometric Authentication Service (BAS) to which this setting is applied. These DNS records are dynamically registered by BAS, and they are used to locate BAS. The Weight field in the SRV record can be used in addition to the Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV record’s Target field and set to the same priority. The probability with which the DNS client randomly selects the target host to be contacted is proportional to the Weight field value in the SRV record.

• To specify the Weight in the BAS Locator DNS SRV records, select Enabled, and then specify a value. The range of values is 0 to 65535.
• When disabled or not configured, computers use a default weight of 100.

Priority Set in BAS Locator DNS SRV Records

This setting specifies the Priority field in the SRV resource records registered by Biometric Authentication Service (BAS) to which this setting is applied. These DNS records are dynamically registered by BAS and are used by DigitalPersona Pro Workstation to locate BAS. The Priority field in the SRV record sets the preference for target hosts specified in the SRV record’s Target field. DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed.

• To specify the Priority in the BAS Locator DNS SRV resource records, select Enabled, and then specify a value. The range of values is 0 to 65535.
• When disabled or not configured, computers use a default value of 0.
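The target-selection behaviour described for the Weight and Priority settings, together with the scavenging rule for the refresh interval, as an added Python example. This is not code from the guide or from the product: it models a client's choice among BAS Locator SRV records on the description above (lowest priority number first, weighted random within equal priority), and the host names are constructed.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Defaults and limits stated in the guide for the BAS Locator settings.
DEFAULT_PRIORITY = 0
DEFAULT_WEIGHT = 100
SRV_FIELD_MAX = 65535
MIN_REFRESH_SECONDS = 1800  # also the default when the setting is disabled/not configured


@dataclass(frozen=True)
class BasSrvRecord:
    """One BAS Locator SRV record as a Pro Workstation would receive it from DNS."""
    target: str
    priority: int = DEFAULT_PRIORITY
    weight: int = DEFAULT_WEIGHT

    def __post_init__(self) -> None:
        for name, value in (("priority", self.priority), ("weight", self.weight)):
            if not 0 <= value <= SRV_FIELD_MAX:
                raise ValueError(f"{name} must be 0..{SRV_FIELD_MAX}, got {value}")


def _weighted_pick(group: List[BasSrvRecord], rng: random.Random) -> BasSrvRecord:
    """Pick one record with probability proportional to its Weight.
    If every weight is 0 there is nothing to weight by, so choose uniformly."""
    total = sum(r.weight for r in group)
    if total == 0:
        return rng.choice(group)
    point = rng.random() * total
    running = 0
    for rec in group:
        running += rec.weight
        if point < running:
            return rec
    return group[-1]  # floating-point guard for point == total


def contact_order(records: Sequence[BasSrvRecord], seed: Optional[int] = None) -> List[str]:
    """Order in which a client tries BAS targets: lowest Priority number first;
    within one priority level, a weighted random order."""
    rng = random.Random(seed)
    ordered: List[str] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            chosen = _weighted_pick(group, rng)
            ordered.append(chosen.target)
            group.remove(chosen)
    return ordered


def first_choice_frequencies(records: Sequence[BasSrvRecord], trials: int = 20000,
                             seed: Optional[int] = None) -> Dict[str, float]:
    """Empirical share of first contacts per target; shows the Weight ratio in action."""
    rng = random.Random(seed)
    counts: Dict[str, int] = {}
    for _ in range(trials):
        first = contact_order(records, seed=rng.getrandbits(32))[0]
        counts[first] = counts.get(first, 0) + 1
    return {target: n / trials for target, n in counts.items()}


def effective_refresh_seconds(enabled: bool, configured: int = 0) -> int:
    """Refresh interval BAS will use: the configured value when Enabled (floor 1800 s),
    otherwise the 1800 s default."""
    if not enabled:
        return MIN_REFRESH_SECONDS
    if configured < MIN_REFRESH_SECONDS:
        raise ValueError(f"refresh interval must be at least {MIN_REFRESH_SECONDS} s")
    return configured


def refresh_is_safe_for_scavenging(bas_refresh: int, zone_refresh: int) -> bool:
    """The guide's rule: in zones with scavenging, the BAS refresh interval must never
    exceed the zone's Refresh interval, or the records may be scavenged."""
    return bas_refresh <= zone_refresh


if __name__ == "__main__":
    # Constructed records: two equal-priority servers weighted 1:3, one fallback.
    demo = [BasSrvRecord("bas1.corp.example", 0, 100),
            BasSrvRecord("bas2.corp.example", 0, 300),
            BasSrvRecord("bas3.corp.example", 10, 100)]
    print(contact_order(demo, seed=1))
    print(first_choice_frequencies(demo, seed=1))
    print(refresh_is_safe_for_scavenging(effective_refresh_seconds(True, 3600), 7200))
```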


Automated Site Coverage by BAS Locator DNS SRV Records

This setting determines whether Biometric Authentication Service (BAS) will dynamically register BAS Locator site-specific SRV records for the closest sites where no BAS for the same domain exists. These DNS records are dynamically registered by BAS, and used by DigitalPersona Pro Workstation to locate BAS.

• When enabled, the computers to which this setting is applied dynamically register BAS Locator site-specific DNS SRV records for the closest sites where no BAS for the same domain exists.
• If disabled or not configured, the computers will not register site-specific BAS Locator DNS SRV records for any other sites but their own.

Sites Covered by BAS Locator DNS SRV Records

This setting specifies the sites for which the domain Biometric Authentication Service (BAS) registers the site-specific BAS Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where BAS resides, and records registered by a BAS configured to register BAS Locator DNS SRV records for those sites without a BAS that are closest to it. The BAS Locator DNS records are dynamically registered by BAS, and they are used to locate BAS. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.

• To specify the sites covered by the BAS Locator DNS SRV records, select Enabled, and then specify the site names in a space-delimited format. The site names have the following format, in which the component must be present and the and components are optional. The and components must be a numeric string value.
  ::
• When disabled or not configured, no site-specific SRV records will be registered.


Register BAS Locator DNS SRV Record for Domain

This setting determines whether Biometric Authentication Service (BAS) will dynamically register the BAS Locator domain-specific SRV record for the domain it belongs to. The DNS records are dynamically registered by BAS, and they are used by DigitalPersona Pro Workstation to locate BAS.

• When enabled or not configured, the computers to which this setting is applied dynamically register BAS Locator domain-specific DNS SRV records.
• When disabled, computers will not register the domain-specific BAS Locator DNS SRV records for the domain they belong to and register only site-specific records.


Fingerprint Verification Lockout

These settings are installed with the Server Administrative Template, and are located in Computer Configuration/Administrative Templates/DigitalPersonaPro/DigitalPersonaPro Server/Fingerprint Verification Lockout.

The DigitalPersona Pro account lockout does not affect the Microsoft account lockout and is managed separately. For users to log on by fingerprint, both lockout settings must be unlocked. If users are only locked out from using fingerprints, they can still log on to Windows by typing their passwords.

To unlock a locked user account, see page 104.

The following table describes the setting options.

Setting | Description | Default Value
Account lockout threshold | Number of failed attempts allowed before the account is locked | 0 (Do not lock out.)
Reset account lockout counter after | Length of time for the counter to track the number of failed attempts | 5 minutes
Account lockout duration | Length of time the account is locked until the user can attempt to log on again | 30 minutes

Each Authentication Server in the domain maintains individual lockout counters per user account. When an account is locked out due to failed fingerprint attempts, the following occurs:

• The Logon dialog displays the account locked out message.
• The locked account information is replicated during the next replication interval in Active Directory.
• A record is added to the DigitalPersona Pro event log.
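The interplay of the three lockout settings in the table above, as an added Python example that is not part of the guide or the product. It models one Authentication Server's per-user counters on the semantics described (threshold 0 disables lockout, failures older than the reset window stop counting, a lock lasts for the configured duration, and a password logon is not blocked by this lockout); times are plain seconds and the user names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    """Defaults from the guide's table: 0 = do not lock out, 5 minutes, 30 minutes."""
    threshold: int = 0
    reset_after_seconds: int = 5 * 60
    duration_seconds: int = 30 * 60


@dataclass
class _AccountState:
    failures: int = 0
    last_failure: Optional[float] = None
    locked_until: Optional[float] = None


class FingerprintLockoutTracker:
    """Lockout counters of one Authentication Server; each server in the domain keeps
    its own set, so two trackers model two servers. Times are seconds on a shared clock."""

    def __init__(self, policy: LockoutPolicy, server: str) -> None:
        self.policy = policy
        self.server = server
        self._accounts: Dict[str, _AccountState] = {}
        # Stand-in for the records the guide says are written to the Pro event log.
        self.events: List[str] = []

    def is_locked(self, user: str, now: float) -> bool:
        state = self._accounts.get(user)
        return bool(state and state.locked_until is not None and now < state.locked_until)

    def record_failure(self, user: str, now: float) -> bool:
        """Register one failed fingerprint verification.
        Returns True if the account is locked after this attempt."""
        if self.is_locked(user, now):
            return True
        if self.policy.threshold == 0:
            return False  # "0 (Do not lock out.)": failures are never counted towards a lock
        state = self._accounts.setdefault(user, _AccountState())
        # "Reset account lockout counter after": a failure outside the window starts a new count.
        if (state.last_failure is not None
                and now - state.last_failure > self.policy.reset_after_seconds):
            state.failures = 0
        state.failures += 1
        state.last_failure = now
        if state.failures >= self.policy.threshold:
            state.locked_until = now + self.policy.duration_seconds
            state.failures = 0
            state.last_failure = None
            self.events.append(
                f"{self.server}: fingerprint lockout for {user} at t={now:.0f}, "
                f"until t={state.locked_until:.0f}")
            return True
        return False

    def can_log_on(self, user: str, now: float, method: str) -> bool:
        """Fingerprint logon is refused while locked. Password logon is unaffected by
        this lockout; the separate Windows account lockout is not modelled here."""
        if method == "password":
            return True
        if method == "fingerprint":
            return not self.is_locked(user, now)
        raise ValueError(f"unknown logon method {method!r}")


if __name__ == "__main__":
    tracker = FingerprintLockoutTracker(LockoutPolicy(threshold=3), "BAS01")
    t0 = 1_000_000.0
    for offset in (0, 60, 120):  # three failures within the 5-minute window
        print("locked:", tracker.record_failure("alice", t0 + offset))
    print(tracker.can_log_on("alice", t0 + 600, "fingerprint"),
          tracker.can_log_on("alice", t0 + 600, "password"))
    print(tracker.events)
```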


Allow use of Kerberos authentication to access DigitalPersona data

• Is only available with the add-on Single SignOn module.
• Specifies whether to allow the client computer to access DigitalPersona protected data using Kerberos authentication.
• When enabled, Pro Workstation clients do not need to provide a fingerprint to access DigitalPersona protected data; they can use a Kerberos ticket instead.
• When disabled or not configured (the default), Pro Workstation clients must provide a fingerprint to access DigitalPersona protected data.
• For further information, see DigitalPersona Technical Bulletin 0802.

Warning
Enabling this policy may make DigitalPersona data more vulnerable to attackers.

Kiosk Server Settings

The single Kiosk Server Setting is “Size of the Identification List for Kiosks.” The default is 50 users. Valid values are between 1 and 100.


Fingerprint Recognition

There are two settings related to Fingerprint Recognition. They are:

• False accept rate used in fingerprint verification
• Maximum number of enrolled fingerprints per user

and they are located in the Computer Configuration/Administrative Templates/DigitalPersonaPro folder under each of the following folders:

• DigitalPersonaPro Server/Fingerprint Recognition
• DigitalPersonaPro Workstation/Fingerprint Recognition
• DigitalPersonaPro Kiosk Workstation/Fingerprint Recognition

Each of the settings is described below.

False Accept Rate Used in Fingerprint Verification

This setting specifies the False Accept Rate for fingerprint verification. The False Accept Rate (FAR) is the mathematical probability (1:n) of two different fingerprints being falsely matched.


The value of n, which is specified in the Value: (one in) text box, indicates the likelihood of false fingerprint verification. The higher the value of n, the less likely a fingerprint will be falsely accepted as verified. For example, setting n to 10,000 indicates that it is probable that one in every 10,000 fingers will be falsely accepted as verified; setting n to 100,000 sets the probability to one in 100,000.

Particularly high values of n may cause false rejection of fingerprints from the same finger.

If this setting is not configured, the default value of one in 10,000 is used. The maximum value for n is one in 1,000,000; the minimum is one in 1,000.

False Reject Rates and False Accept Rates are only probabilistic estimates and not indicators of actual performance in a given deployment.

Note
To estimate the likelihood of false rejects and false accepts, DigitalPersona recommends following the guidelines described in “Best Practices in Testing and Reporting Performance of Biometric Devices: Version 2.01,” by A. J. Mansfield and J. L. Wayman, NPL Report CMSC 14/02, 2002, defining a transaction as three verification attempts and assuming a single comparison of a verification template against a single enrollment template.

Maximum Number of Enrolled Fingerprints Per User

This setting determines the maximum number of fingers that a user can enroll.

The value for this setting, specified in the Maximum Number of Fingerprints Per User text box, influences both the speed of authentication and the probability of false accepts. For example, the more fingerprints a user enrolls, the more time it takes to authenticate or identify the user. Also, more comparisons increase the likelihood of false acceptance of the fingerprint. To increase security and maximize server efficiency, users should be allowed to enroll a maximum of two fingers.

The maximum and default value is ten enrolled fingers. The minimum value is zero.
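Why the guide recommends two enrolled fingers rather than ten, and why the identification-list size matters, as an added Python example (not from the guide or the product). It carries the FAR setting through the compounding of comparisons: a verification compares against one user's k templates, an identification against every template of the N users on the identification list. The independence of comparisons is a modelling assumption of ours, not a figure the guide gives; the limits (one in 1,000 to one in 1,000,000, default one in 10,000, at most ten fingers) are the guide's.

```python
import math
from typing import Dict, Optional

# Limits the guide gives for the two Fingerprint Recognition settings.
FAR_MIN_N = 1_000          # "one in 1,000" is the least strict value allowed
FAR_MAX_N = 1_000_000      # "one in 1,000,000" is the strictest
FAR_DEFAULT_N = 10_000     # used when the setting is not configured
MAX_FINGERS_PER_USER = 10  # maximum and default number of enrolled fingers


def per_comparison_far(n: int = FAR_DEFAULT_N) -> float:
    """FAR of a single template comparison at a setting of 'one in n'."""
    if not FAR_MIN_N <= n <= FAR_MAX_N:
        raise ValueError(f"n must be between {FAR_MIN_N} and {FAR_MAX_N}, got {n}")
    return 1.0 / n


def comparisons_per_attempt(users: int, fingers_per_user: int) -> int:
    """Templates one presented finger is compared against:
    1 x k for a verification of a claimed identity, N x k for identification
    against an identification list of N users."""
    if not 0 <= fingers_per_user <= MAX_FINGERS_PER_USER:
        raise ValueError(f"fingers_per_user must be 0..{MAX_FINGERS_PER_USER}")
    if users < 0:
        raise ValueError("users must be non-negative")
    return users * fingers_per_user


def effective_far(n: int, users: int, fingers_per_user: int) -> float:
    """Probability that an impostor's finger matches at least one compared template.
    Modelling assumption (ours): comparisons are independent, so
    P(at least one false match) = 1 - (1 - 1/n) ** comparisons."""
    c = comparisons_per_attempt(users, fingers_per_user)
    return 1.0 - (1.0 - per_comparison_far(n)) ** c


def minimum_n_for_target(users: int, fingers_per_user: int, target: float) -> Optional[int]:
    """Smallest permitted n that keeps effective_far() at or below target,
    or None if even one in 1,000,000 cannot reach it."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    c = comparisons_per_attempt(users, fingers_per_user)
    if c == 0:
        return FAR_MIN_N  # nothing to compare against; any permitted n satisfies the target
    # (1 - 1/n)^c >= 1 - target  <=>  n >= 1 / (1 - (1 - target)^(1/c))
    needed = 1.0 / (1.0 - (1.0 - target) ** (1.0 / c))
    n = max(FAR_MIN_N, math.ceil(needed))
    return n if n <= FAR_MAX_N else None


def compare_enrollment_policies(n: int, users: int) -> Dict[int, float]:
    """Effective FAR for one finger, the recommended two, and the default ten."""
    return {k: effective_far(n, users, k) for k in (1, 2, MAX_FINGERS_PER_USER)}


if __name__ == "__main__":
    # Default FAR, identification against a Kiosk list at its default size of 50 users.
    for fingers, far in compare_enrollment_policies(FAR_DEFAULT_N, 50).items():
        print(f"{fingers:2d} finger(s) per user: effective FAR 1 in {1 / far:,.0f}")
    print("n needed for <= 1% with 50 users x 2 fingers:", minimum_n_for_target(50, 2, 0.01))
```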


Allow Fingerprint Data Redirection

This setting is available separately for either Pro Workstation or Pro Kiosk. It is located under the Computer Configuration/Administrative Templates/DigitalPersonaPro folder under each of the following folders:

• DigitalPersonaPro Workstation
• DigitalPersonaPro Kiosk Workstation

The setting determines whether or not to allow the client computer to redirect fingerprint data to the Terminal Services (i.e. RDP or Remote Access) session.

• If the status is set to Enabled, clients that are capable of fingerprint data redirection send their fingerprint data to the server. The server then uses the fingerprint data for the usual tasks such as logon and OTS.
• If the status is set to Disabled or Not Configured, fingerprint data redirection is not possible.

The data from the “client” fingerprint reader device is redirected to the “server.” This is much like using a Smart Card physically on a workstation to authenticate on a remote server, or like printing from a Terminal Server session to a local printer. Your redirected fingerprint reader device functions as though it was a local device on the server.

So, for example, you RDP and log in to a “server” desktop, then launch a fingerprint-enabled website. You touch the reader on the “client” and the fingerprint data is redirected to the “server” OS.

When this setting is changed, only new connections are affected. Sessions that were initiated before the change must log off and reconnect to be affected by the new setting.

• Pro Workstation or Pro Kiosk must also be installed on the computer that is the target of the redirection.
• By default, the Remote Desktop Protocol (RDP) is not enabled on any Microsoft operating system version. The use of Microsoft Remote Desktop entails opening a port in your firewall and thus creates a security vulnerability. For more information on this vulnerability, see the Microsoft Security Bulletin MS05-041.


• The Remote Access capability is a feature of DigitalPersona Pro 4.01 and above. To use Remote Access with Workstation or Kiosk 4.01 and above and Pro Server 4.x, apply the appropriate template (DigitalPersonaProWksta or DigitalPersonaProWkstaKiosk.adm) to the GPO governing the DigitalPersona Pro clients and enable the Allow Fingerprint Data Redirection setting.

Workstation Only

The following settings are specific to the DigitalPersona Pro Workstation, and are included in the Workstation Administrative Template.

Warning
When setting the logon policy for Pro Workstations, be aware of the following:

• Certain combinations of policy settings may temporarily prevent a user from logging on to their computer if the “Fingerprint only” and “Fingerprint and Password” policies are applied.
• Do not select a logon authentication policy requiring the user to type a password if password randomization has been enabled for that user.
• If cached credentials are disabled and the logon policy is “Fingerprint only” or “Fingerprint and Password,” the user will not be able to log on to the computer if it is disconnected from the network or Pro Server is unavailable.

Refer to “Cached Credentials and the Identification List” on page 189 for more information on cached credentials.

Allow use of Single Sign-On

Specifies whether to allow DigitalPersona Pro Workstations to use Single Sign-On to access DigitalPersona protected data.

• When enabled, Pro Workstation users will not need to provide a fingerprint every time they try to access DigitalPersona protected data.
• When disabled or not configured (the default), a fingerprint must be provided every time an attempt is made to access DigitalPersona protected data.


• Requires separate purchase of the Single SignOn module. For further information, see DigitalPersona Technical Bulletin 0802.

Cache Domain User Data on Local Computer

This setting determines if domain user credentials are cached on DigitalPersona Pro Workstations.

• When enabled or not configured (the default), user data (fingerprint templates and secure application data) of domain users is cached locally on the computer, meaning that domain users are still able to use fingerprints if the DigitalPersona Pro Server cannot be located. This is a convenient but less secure option.
• When disabled, users may only use fingerprints when DigitalPersona Pro Server is accessible. Data of local users is always stored on the local computer.

Do not compress Fingerprint Data for Redirection

Specifies whether to compress fingerprint data on the client computer before redirecting it to the Terminal Services session.

• When enabled, clients that are capable of fingerprint data redirection send their fingerprint data to the server uncompressed.
• When disabled or Not Configured, clients compress fingerprint data before sending it to the server.

When this setting is changed, only new connections are affected. Sessions that were initiated before the change must log off and reconnect to be affected by the change.

Use DigitalPersona Pro Server for authentication

This setting determines whether DigitalPersona Pro Workstation will use DigitalPersona Pro Server for fingerprint enrollment and authentication or perform these operations locally instead.

• When enabled or not configured (the default), Pro Workstation will look for an available Pro Server for authentication, and if none is found, will perform authentication locally.


• When disabled, Pro Workstation will always perform authentication locally, whether a Pro Server is accessible or not.

Maximum Size of Identification List

The identification list contains an administrator-specified number of user accounts. It is used in conjunction with cached credentials to identify a user by their fingerprint and, as an added convenience, frees them from typing their user name and domain at Windows logon.

• Enable this setting to specify the maximum number of users the identification list can hold on a particular computer. Type the number of users in the Maximum size of identification list text box. While the number of credentials that can be cached is virtually unlimited, the maximum number of users that can be added to the identification list is 100; the minimum is 0.
• When disabled or not configured, the default value of 10 is used.

Users are added to the identification list in the order they log on. The most recent user to log on is added to the top of the list. If the list has exceeded its capacity, the least recent user to log on is removed from the list when another user logs on. If a user is already on the list and logs on again, they are moved from their original position on the list and placed on top.

Once removed, a user can still use their cached credentials (if enabled), but they must type their user name and domain manually.

If DigitalPersona Pro is deployed in a networked environment with Pro Server support, it performs identification locally out of the set of users in the identification list and then, for added security, confirms the user identity using the DigitalPersona Pro Server.

Multi-credential Logon to Windows

These logon settings are computer-based, and determine the credentials required to log on to Windows. The default settings allow a fingerprint or a password or a smart card for logon. The following is the list of settings in DigitalPersona Pro for logon to Windows.


• User must provide a fingerprint to log on
  When checked, the user must provide the fingerprint in addition to the Windows logon credentials (smart card or password according to the Windows policy setting).
• Password is not allowed for logon
  When checked, users are not allowed to use their Windows password to log on to computers with DigitalPersona Pro installed, and must use a fingerprint or smart card instead. They can still log on with their password to workstations where DigitalPersona Pro is not installed.
• PIN is required when a fingerprint is provided
  When checked, the user must provide a PIN code whenever the fingerprint is used to log on, to unlock the computer or to change the Windows password. The fingerprint PIN option provides additional security. See “One Touch Features” on page 194.
• Fingerprint is allowed to unlock the smart card
  When checked, the user can use the fingerprint to unlock the smart card instead of typing the PIN for the smart card.

Allow automatic software updates

Specifies whether to allow automatic software updates for DigitalPersona Pro Workstation.

• When disabled or not configured (the default), the software does not check for updates automatically, and the Automatic Updates tab is not displayed in the Property dialog.
• When enabled, the Automatic Updates feature is turned on, the related tab is displayed for all Workstation users, the software checks for updates every 7 days, and a command appears on the reader icon context menu that allows users to check for software updates manually. They can then change the frequency with which the software checks for updates, and install found updates.


Workstation Properties

The following settings are installed as part of the DigitalPersona Pro Workstation Administrative Template, and are not configured by default. They can be found in the User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Workstation/Workstation Properties folder.

These settings affect the behavior of certain DigitalPersona Pro Workstation features.

Show One Touch Menu upon fingerprint validation. Controls whether or not the One Touch Menu appears when users touch the fingerprint reader with an enrolled finger.

• When enabled, the One Touch Menu is always displayed upon fingerprint validation, and cannot be overridden by the end user. Fingerprint validation refers specifically to authentication of an enrolled fingerprint, and not to Quick Actions (see page 20 for the definition).
• If you disable this policy, the One Touch Menu is not displayed upon fingerprint authentication and cannot be assigned to a Quick Action. This cannot be overridden by the end user.
• If this policy is not configured, the One Touch Menu is displayed upon fingerprint validation, but end users can override the behavior through the DigitalPersona Workstation Properties dialog.

Allow One Touch Internet. One Touch Internet allows users to create their own fingerprint logons for Web sites and programs.

• When enabled or not configured, the One Touch Internet feature is available to users.
• When disabled, this setting prevents use of One Touch Internet.

Show fingerprint icon on the taskbar. When the fingerprint icon is shown on the taskbar, users can right-click on the icon to access various properties of DigitalPersona Pro.

• When enabled, the fingerprint icon is shown on the taskbar.
• When disabled, the fingerprint icon does not display on the taskbar.


• When not configured, the fingerprint icon is shown on the taskbar, but end users can change this in the DigitalPersona Pro Properties dialog.

One Touch SignOn

The One Touch SignOn configuration setting is included in the Workstation and Kiosk Administrative Templates.

The following four subsettings are enabled (checked) by default when the One Touch SignOn configuration setting is enabled. They configure the way that end users interact with the One Touch SignOn feature.

• Show clear text passwords. Enable this option to show password field values to the end user when they are prompted to provide a password.
• Allow users to edit account data. When enabled, this option permits end users to change the values of logon screen fields by clicking the arrow on the DigitalPersona fingerprint logon icon and selecting Edit an account from the shortcut menu.
• Allow users to add account data. This option allows end users to add account data fields for Web sites and applications by clicking the arrow on the DigitalPersona fingerprint logon icon and selecting Add a new account from the shortcut menu.
• Allow users to delete account data. Allows end users to remove account data from a template from within the Fingerprint Logon Manager.
• Path to the container of templates. Specify the path to the container in the Container Path field to provide access to the templates it contains for DigitalPersona Pro Workstation or Kiosk users. The container path is determined when creating a new container, as described in “Create an OTS Container” on page 119. You can add multiple paths by separating them with the pipe (|) character.


Chapter 7 - Configuring Policies and Settings
DigitalPersona Pro Policies and Settings

Kiosk Workstation Only

The following settings are specific to DigitalPersona Pro Kiosk and are included in the Kiosk Administrative Template. They are located in the Kiosk Workstation Settings folder.

These settings affect the operation of all Kiosk workstations in the domain, site or OU to which the GPO is applied. By default, they are not configured.

• Allow automatic logon using Shared Kiosk Account. Determines whether the automatic logon feature is enabled. Automatic logon uses the Kiosk Shared Account to log users on to the computer when the Windows operating system starts up; the Log On to Windows dialog box is not displayed. When this policy is Disabled or Not Configured, automatic logon is disabled.

Warning: Use of this setting will allow any user to access a Windows session without interactive authentication when the Kiosk computer is restarted.

• Kiosk Workstation Shared Account Settings. In order to use a Kiosk workstation, this setting must be enabled and the Windows shared account information (user name, domain and password) specified. See "Configuring DigitalPersona Pro Server for Pro Kiosk" on page 50 for additional details. If not configured or disabled, Kiosk workstations affected by the GPO will not be operable. Because these credentials are distributed to every Kiosk workstation in the GPO's scope, use a dedicated account that holds no group memberships or rights beyond those the Kiosk session needs.

• Prevent users from logging on outside of a Kiosk session. When enabled, only users with administrator privileges are able to log on to any Kiosk workstation controlled by the GPO. If not configured or disabled, users can log on to the Kiosk workstations as a local user outside of the Kiosk session.

• Force Authentication on Server. When enabled, authentication is performed on the server in addition to local authentication using the Identification List. If the server cannot be reached, users will not be able to use the Kiosk. If not configured or disabled, users are authenticated using the Identification List cached on the local Kiosk workstation.

• Unlock with Shared Account Credentials. When enabled, any user who knows the user name and password for the shared account that Kiosk uses can use those credentials to unlock the computer. If not configured or disabled, the shared account credentials cannot be used to unlock the computer.

User Properties

In addition to the settings available through the Administrative Templates, installation of DigitalPersona Pro Server automatically adds the DigitalPersona Pro tab to the User Properties settings in the Active Directory Users and Computers console.

User Properties can also be enabled on a DigitalPersona Pro Workstation by adding the User Properties snap-in to the Active Directory Users and Computers component:

• The appropriate Windows Administration Pack for your OS must be installed on the computer.
• Install the DigitalPersona Administration Tools and select to install the optional component, User Properties Snap-in.

For complete details on DigitalPersona Pro User Properties, see "User Properties & Commands" on page 102.


Chapter 8 - User Properties & Commands

Installation of DigitalPersona Pro Server automatically adds the DigitalPersona Pro tab to the User Properties settings in the Active Directory Users and Computers console. It also adds a few commands to the user context menu.

User Properties

You can apply user properties in order to increase the overall level of security for your network while at the same time maintaining flexible options for individual users.

User properties allow you to configure fingerprint logon settings and restore the use of fingerprints for a user after the account has been locked due to failed fingerprint attempts.

To access User Properties:

1 Launch the Active Directory Users and Computers console and open the Users folder.
2 Right-click on a specific user name, select Properties and click the DigitalPersona Pro tab.

Basic User Properties

User-level settings are available in two varieties, Basic and Extended. The Basic User Properties are included with the DigitalPersona Pro Server. The Extended Server Policy Module is available from your DigitalPersona Account Manager or product Reseller.


The Basic User Properties are:

• User provides only Windows credentials to log on
When this option is set, the user will not be subject to any logon policy from DigitalPersona Pro. Users will be able to log on with a password or smart card as defined by the Windows logon settings. By default this setting is turned off.

• Account is locked out from use of fingerprint credentials
This setting is only for unlocking accounts that have been locked out due to failed logon attempts. If the account is unlocked, the check box is disabled. For instructions on unlocking an account, see page 104. Note that this setting cannot be used by an administrator to lock an account.

Extended User Properties

The Extended User-level properties are included in a separate product module, the DigitalPersona Pro Extended Server Policy Module, available as a separately purchased product from your DigitalPersona Account Manager or product Reseller.

Extended properties allow additional biometrically-enabled logon properties at the user level, adding the following settings to the DigitalPersona Pro tab in the Active Directory Users and Computers console, in addition to those described in the previous topic.

• User must type a PIN when providing a fingerprint to log on
When this option is enabled, the user must provide a PIN code whenever the fingerprint is used to log on, to unlock the computer or to change the Windows password. The fingerprint PIN option provides additional security to the logon with the fingerprint.

• User must provide a fingerprint to log on
The user must verify the fingerprint credential in addition to the Windows authentication (smart card or password according to the Windows policy setting).

• Randomize user's Windows password
Upon application of this setting, the user's Windows password is randomized by DigitalPersona Pro. In this case, a fingerprint or smart card, if available, must be used instead. Without knowledge of their password, the user is prevented from logging on with a password from any computer on the network, even those where the Pro software is not installed. When this option is set, DigitalPersona Pro changes the user password to a random value when you click OK on this dialog box. By default this setting is turned off.

Warning: Do not enable password randomization with incompatible logon authentication policies, such as "Fingerprint and Password," as users will be unable to log on.

In order to install the Extended Server Policy Module, the User Properties Snap-in must already be installed.

Note: If the Extended Server Policy Module is uninstalled, only the original Basic User Property settings will be displayed. If the Administration Tools package is uninstalled, the Extended Server Policy Module will be uninstalled as well.

Unlocking Accounts after Failed Logon Attempts

You can unlock an account that has been locked out of fingerprint authentication due to the user reaching the threshold number for failed fingerprint attempts. You must have permissions to access the user account. When an account is unlocked by an administrator, the account becomes immediately available for fingerprint authentication from all computers, or after the next replication interval if there are multiple domain controllers.

The administrator can choose to set less strict lockout settings by reducing the lockout duration time or reducing the counter reset time.

To unlock a locked account:

1 In Active Directory Users and Computers, right-click on the user name and select Properties.
2 Click the DigitalPersona Pro tab.
3 Clear the Account is locked out from use of fingerprint credentials check box. This check box is for unlocking accounts and cannot be checked by an administrator to lock an account. If the account is unlocked, the check box is disabled.
4 Click OK to close the dialog box and save the changes.

User Context Menu Commands

Installation of DigitalPersona Pro adds the following commands to the context menu for a user in the Active Directory Users and Computers console.

Delete fingerprint PIN - Use this command to delete the fingerprint PIN for a selected user. They will be prompted to enter a new fingerprint PIN the next time that they log on. The process of deleting the fingerprint PIN so that a user can enter a new one is often referred to as "resetting" the fingerprint PIN.

Delete fingerprints - Use this command to delete all the enrolled fingerprints for a selected user.

Enroll fingerprints - Displays only when DigitalPersona Pro Workstation is also installed on a computer used to administer Active Directory, such as when the Windows Server Administration Tools Pack is installed on a Pro Workstation client computer.
Use this command to start the Fingerprint Enrollment Wizard and enroll fingerprints for a selected user.

To delegate fingerprint enrollment of users to someone without their needing to access the Active Directory Users and Computers console, use the Attended Fingerprint Enrollment Tool described on page 114.


Deleting User Credentials using the ADSI Edit Tool

You can remove Pro user credential data for a specified user from Active Directory by using the ADSI Edit tool included with Windows 2000 Server and later.

Note that the ADSI Edit tool is not installed by default, but is a separate install from the Windows operating system. See the next topic for installation instructions.

To remove user credential data:

1 Launch ADSI Edit by running adsiedit.msc in the Run box.
2 In the tree on the ADSI Edit tool, navigate to the specified user account.
3 Right-click on the user account and select Properties.
4 Navigate to and select dpUserCredentialsData.
5 On Windows Server 2003/2008 only, click Edit.
6 Click the Clear button to remove the user credential data.

ADSI Edit Tool Installation

Windows 2000
1 Insert the Windows 2000 CD-ROM into your CD-ROM drive.
2 Click Browse this CD, and then open the Support\Tools folder.
3 Double-click Setup.exe, and then follow the instructions that appear on the screen.

Windows 2003
Run the Suptools.msi program that is in the Support\Tools folder on the Windows Server 2003 SP1 CD.

Windows 2008
1 In Server Manager, click on Features, then Add Features in the right pane.
2 Expand Remote Server Administration Tools –> Role Administration Tools –> Active Directory Domain Services Tools.
3 Put a check next to Active Directory Domain Controller Tools.
4 Click Next, then Install.
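The attribute that ADSI Edit exposes can also be audited and cleared from PowerShell. The script below is an added example, not part of this guide or of the DigitalPersona product; it assumes the Active Directory module from RSAT, the Pro schema extension (which defines dpUserCredentialsData), and the placeholder account name jdoe. The attribute's internal format is not documented here, so the value is treated as opaque.

```powershell
# Added example; not part of the DigitalPersona guide or product.
# Lists users that still carry Pro credential data and clears the attribute for
# one user, the same operation as Clear on dpUserCredentialsData in ADSI Edit.
# Assumptions: RSAT ActiveDirectory module; Pro schema extension installed.
Import-Module ActiveDirectory

function Get-DpEnrolledUsers {
    # Audit: every user with a populated dpUserCredentialsData attribute. The guide
    # notes this data is not removed when Pro Server is uninstalled, so run this
    # before decommissioning a domain.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADUser -SearchBase $SearchBase -LDAPFilter '(dpUserCredentialsData=*)' `
        -Properties dpUserCredentialsData |
        Select-Object SamAccountName, DistinguishedName
}

function Clear-DpUserCredentials {
    # Clears the credential data for one user. Returns $true when the attribute was
    # cleared, $false when it was already empty or the action was only simulated.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)
    $user = Get-ADUser -Identity $Identity -Properties dpUserCredentialsData
    if (-not $user.dpUserCredentialsData) {
        Write-Verbose "$($user.SamAccountName): no dpUserCredentialsData to clear."
        return $false
    }
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Clear dpUserCredentialsData')) {
        return $false
    }
    Set-ADUser -Identity $user -Clear dpUserCredentialsData
    # Re-read to confirm the write landed on this DC before reporting success.
    $after = Get-ADUser -Identity $user -Properties dpUserCredentialsData
    if ($after.dpUserCredentialsData) { throw "Attribute still populated for $Identity." }
    return $true
}

# Usage (placeholder account name):
Get-DpEnrolledUsers | Format-Table -AutoSize
Clear-DpUserCredentials -Identity 'jdoe' -WhatIf   # drop -WhatIf to actually clear
```

Run with -WhatIf first so the distinguished name being modified is shown before any write. As with ADSI Edit, the change replicates to other domain controllers on the normal schedule, so a user verified against another DC may still authenticate with fingerprints until replication completes.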


Chapter 9 - Administration Tools

DigitalPersona Pro for Active Directory provides a full complement of tools for administering various aspects of your deployment as well as expanding the functionality of the product.

Some of these Administration Tools are included in the product packages for either DigitalPersona Pro Server or Workstation. Others are available as separate modules, which may be obtained from your DigitalPersona Account Manager or product Reseller.

Overview

The following table lists each of the Administration Tools, their purpose, how they are installed or used and the page where the tool is explained.

Table 9-1. List of Administration Tools

License Control Manager
  Purpose: Used to control and manage licenses for DigitalPersona Pro Servers, including gathering the information necessary for requesting a license, adding and removing licenses and viewing license and user information.
  Installation/Reference: Automatically installed as part of the Administration Tools installation run from the Administration Tools product package. See page 110.

Attended Fingerprint Enrollment Tool
  Purpose: Allows supervision of users when enrolling their fingerprints.
  Installation/Reference: Automatically installed as part of the Administration Tools installation run from the Administration Tools product package, but needs to be set up before use. See page 114.

One Touch SignOn Administration Tool
  Purpose: Enables administrators to add biometric authentication to Web sites and programs.
  Installation/Reference: Available as a separate product from your DigitalPersona Account Manager or product Reseller. See page 117.

User Query Tool
  Purpose: Used to query the DigitalPersona Pro for Active Directory user database for information about DigitalPersona Pro users. Can be run as an Interactive Query, from the command line, or from within a script.
  Installation/Reference: Automatically installed as part of the Administration Tools installation run from the Administration Tools product package. See page 158.

CleanUp Wizard
  Purpose: Removes Pro user data (such as fingerprint credentials, secure application data and global domain data) from Active Directory which is not removed when uninstalling DigitalPersona Pro Server.
  Installation/Reference: Not installed. Copy from the Pro Server product package to a local drive and run. See page 163.

All of the tools may be installed on a single workstation for centralized administration of DigitalPersona Pro for Active Directory, or, for larger organizations, each tool may be installed on a separate workstation in order to divide the administration of various features among several people.

To install the DigitalPersona Administration Tools, do one of the following:

• Locate and double-click the setup.exe file located in the Administration Tools directory of the product package. Follow the instructions in the installer wizard. Select Custom to choose which tools to install.

• To install a single administration tool, use the syntax shown below. For example, to install only the Attended Fingerprint Enrollment Tool:

  msiexec /i setup.msi ADDLOCAL=ALL REMOVE=LicenseControlManager,UserPropSnapin,UserQuerySnapin


License Control Manager

The DigitalPersona Pro License Control Manager is used by an administrator to manage User Authentication Licenses (UALs) for users authenticating to DigitalPersona Pro Servers.

It is used to gather information necessary for requesting a license from DigitalPersona, for adding and removing licenses, and for viewing license and user information.

It is automatically installed as part of the DigitalPersona Pro Administration Tools, but can also be installed separately on a workstation that has access to the domains that are to be licensed and/or managed.

Overview

The licensing model for DigitalPersona Pro for Active Directory Server requires that each domain be licensed for the number of users who will enroll their fingerprints within that domain.

License Control Manager provides the following features for managing licenses for DigitalPersona Pro Servers:

• Connecting to a domain (page 110)
• Getting License Information (page 111)
• Reviewing and installing license files (page 112)
• Viewing license details (page 112)
• Viewing UAL Summary Information (page 113)
• Uninstalling licenses (page 113)

Connecting to a domain

By default, when License Control Manager is launched it will connect to the domain to which the currently logged on user belongs. If that domain is not the domain that you want to administer at this time, you can select a different domain.


To change the domain:

1 Click the Change Domain button to display the Connect to Domain dialog box.
2 Type the domain name that you want to connect to, or click Browse to navigate to the domain.
3 If you want to connect to this domain the next time that License Control Manager runs, select Connect to this domain the next time you run License Control Manager.
4 Click OK to connect to the domain and close the dialog box.

After successfully connecting to the domain, License Control Manager will locate all licenses in the License container and display them in the list view. If duplicate or incorrect licenses are found during this process, they will be deleted and you will be notified of the fact.

Getting License Information

Each license for DigitalPersona Pro for Active Directory is tied to a specific customer domain.

Note: When upgrading from Pro 3.5, User Authentication Licenses must be obtained for all enrolled and prospective users.

In order for DigitalPersona to issue a requested license, certain domain information necessary to bind the license to the domain must be collected and sent to DigitalPersona, Inc. This step needs to be done once for each domain.

To collect the required domain information:

1 Launch License Control Manager.
2 Click the Get License Info button.
3 License Control Manager will collect the domain information that it needs and display a Save As dialog box.
4 Type a file name that will identify the file as belonging to your company and what domain it refers to. The file must have a .dplif extension. Click Save to save the file.
5 Request a license for the domain by sending the file as an attachment in an email containing your Purchase Order # for the number of User Authentication Licenses needed and address it to dplis@digitalpersona.com; or contact your DigitalPersona Sales Account Manager.

Reviewing and installing license files

After sending the required domain information to DigitalPersona, Inc., you will receive a license file for that domain. Keep a copy of the license file in a secure place for backup purposes.

To install the license:

1 In License Control Manager, click the Add button.
2 In the Open dialog box, navigate to the license file (.dplic extension) and click the Open button.
3 In the License Details dialog box, you can review information about the license before it is added.
4 Click the Add License button to add the license to License Control Manager.
5 The license, along with summary information about the license, is added to the License list.

Viewing license details

License Details are available for each installed license.

To view license details:

1 In the Licenses list, select a license.
2 Click the Details button.
3 License Control Manager displays license details for the selected license.
4 Click Close to close the License Details dialog box.

Note: License Details are only available for issued User Authentication Licenses, not for the licenses shipped with DigitalPersona Pro Server for evaluation.


Viewing UAL Summary Information

License Control Manager does not display the summary information for User Authentication Licenses (UALs) when launched, since in large organizations it may take a while to collect the information.

To display the User Authentication License summary information:

• Click the Refresh button.

License Control Manager displays the following summary information:

• Total number of licenses Issued
• Number of licenses Used
• Number of licenses Remaining
• Percent of Issued licenses that have been Used

The amount of time that it takes to refresh user information will depend on the number of users.

Uninstalling licenses

To uninstall a license:

1 In the License list, select a license.
2 Click the Delete button.
3 In the Confirmation dialog box, click Yes to delete the license, or No to close the dialog box without deleting the license.

When you uninstall the last license in the License list, the Evaluation license will appear on the list.


Attended Fingerprint Enrollment

The Attended Fingerprint Enrollment Tool is an administrative tool that can be used to add an additional level of security to the implementation and use of DigitalPersona Pro for Active Directory.

With attended enrollment, a designated user (or member of a designated user group) must be logged in to supervise the fingerprint enrollment process of other users. Users can also be prevented from enrolling other fingerprints or deleting fingerprints from their own account.

Installation

• The Attended Fingerprint Enrollment Tool is automatically installed as part of the DigitalPersona Pro Administration Tools installation, or can be installed separately by choosing Custom during the installation process.

• For a silent install of only the Attended Fingerprint Enrollment Tool, use the following syntax (add msiexec's /qn switch to suppress the installer UI):

  msiexec /i setup.msi ADDLOCAL=ALL REMOVE=LicenseControlManager,UserPropSnapin,UserQuerySnapin

• After installation, follow the instructions below to set up attended fingerprint enrollment.

Assigning Enrollment Permissions

Setting up attended fingerprint enrollment involves two main tasks, as listed below and described in the following topics.

1 Remove the permission "Self = Register/Delete Fingerprint (DigitalPersona)" at the domain level.
2 Assign the permission to the appropriate user or group at the desired organizational unit level.

The Register/Delete Fingerprint permission can be granted at the single user, organizational unit or domain level, but not at the user group level: an entry placed on a group object protects only that group object, not the accounts that are members of the group. The supervising principal that receives the permission may be either a user or a group.


Remove Domain-Level Self Registration

1 In Active Directory Users and Computers, select the domain where you want to use attended enrollment.
2 Right-click and select Properties.
3 Click the Security tab.
4 In the Permissions list, select the Register/Delete Fingerprint (DigitalPersona) permission for Self.
5 Click the Remove button.

Assign New Registration Permission(s)

Assign for a Single User

You can assign a user or group to supervise a single user's fingerprint enrollment. In most cases, however, you will want to make the assignment on an organizational unit or domain level as shown in the next topic.

To assign a user or group to supervise fingerprint enrollment for a single user:

1 In Active Directory Users and Computers, select the user name to be enrolled through attended enrollment.
2 Right-click and select Properties.
3 Click the Security tab.
4 Click the Add button.
5 Select the supervising user or group who will have enroll and delete fingerprints permission to this account.
6 Click Add and then OK.
7 In the Permissions list, select the Allow check box for the Register/Delete Fingerprint (DigitalPersona) permission.
8 Click OK.


Assign for an OU or Domain

To assign attended fingerprint enrollment permissions for an organizational unit or domain to a supervising user or group:

1 In Active Directory Users and Computers, select the domain or organizational unit whose users are to be enrolled through attended fingerprint enrollment by the supervising user.
2 Right-click and select Properties.
3 Click the Security tab.
4 Click the Advanced button.
5 Click Add and add the supervising user or group to the principals who have permissions on this object. Then click OK.
6 Click the Edit/View button.
7 Select User Objects from the Apply onto drop-down list.
8 In the Permissions list, select the Allow check box for the Register/Delete Fingerprint (DigitalPersona) permission.
9 Click OK to close the dialog and save your changes.
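Both tasks (removing the domain-level Self grant and granting the right to a supervising group on an OU or a single user) can be scripted, which keeps the delegation repeatable across domains and auditable. The script below is an added example, not part of this guide or of the DigitalPersona product. It assumes the Active Directory module from RSAT, that the Pro schema extension registered a control access right whose display name is the one shown in this guide under CN=Extended-Rights in the configuration partition, and placeholder names for the OU and the supervising group.

```powershell
# Added example; not part of the DigitalPersona guide or product.
# Scripts the two attended-enrollment ACL changes with the ActiveDirectory module.
# Assumptions: RSAT ActiveDirectory module; the Pro schema extension registered the
# control access right named below; OU and group names are placeholders.
Import-Module ActiveDirectory

$RightName = 'Register/Delete Fingerprint (DigitalPersona)'   # name from the guide

# schemaIDGUID of the 'user' object class (fixed, well-known value in every forest).
$UserClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Get-DpEnrollmentRightGuid {
    # Resolve the right's rightsGuid by display name instead of hard-coding it: the
    # GUID is assigned when the schema extension is installed in a given forest.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -Filter "objectClass -eq 'controlAccessRight' -and displayName -eq '$RightName'" `
        -Properties rightsGuid
    if (-not $right) { throw "Control access right '$RightName' not found in the schema." }
    return [guid]$right.rightsGuid
}

function Remove-DpSelfEnrollmentRight {
    # Task 1: remove the domain-level "Self" grant so users can no longer enroll or
    # delete their own fingerprints without a supervisor. Returns the number of
    # matching ACEs removed (0 means no explicit domain-level Self grant existed).
    $rightGuid = Get-DpEnrollmentRightGuid
    $domainDN  = (Get-ADDomain).DistinguishedName
    $selfSid   = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'   # NT AUTHORITY\SELF
    $acl = Get-Acl -Path "AD:\$domainDN"
    $selfAces = @($acl.Access | Where-Object {
        $_.ObjectType -eq $rightGuid -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $selfSid })
    foreach ($ace in $selfAces) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path "AD:\$domainDN" -AclObject $acl
    return $selfAces.Count
}

function Grant-DpEnrollmentRight {
    # Task 2: grant the right to a supervising group. With -SingleUser the ACE goes on
    # one user object; otherwise it goes on an OU (or the domain) and is inherited by
    # descendant user objects, matching "Apply onto: User Objects" in the GUI.
    param(
        [Parameter(Mandatory)][string]$TargetDN,
        [Parameter(Mandatory)][string]$GroupName,
        [switch]$SingleUser
    )
    $rightGuid = Get-DpEnrollmentRightGuid
    $groupSid  = (Get-ADGroup -Identity $GroupName).SID
    $rights    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    if ($SingleUser) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $groupSid, $rights, $allow, $rightGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    } else {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $groupSid, $rights, $allow, $rightGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $UserClassGuid)
    }
    $acl = Get-Acl -Path "AD:\$TargetDN"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

# Usage (placeholder names):
$removed = Remove-DpSelfEnrollmentRight
"Removed $removed Self ACE(s) at the domain level"
Grant-DpEnrollmentRight -TargetDN 'OU=Kiosk Users,DC=corp,DC=example' -GroupName 'Fingerprint Enrollers'
```

If Remove-DpSelfEnrollmentRight reports 0, do not assume users can no longer self-enroll: check the Security tab of an individual user object as described above, since the grant may live somewhere other than the domain head in your forest.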


One Touch SignOn Administration Tool

Overview

One Touch SignOn (OTS) enables administrators to provide controlled access to Web sites or programs by adding biometric authentication to their logon and change password screens, thus simplifying the logon process for end users and reducing the administrative overhead involved in password maintenance.

The OTS Administration Tool manages access to password-protected Web sites and programs through the creation and administration of OTS templates. There are two types of OTS templates.

• Logon screen templates - specify attributes that are used during the logon, such as a user name, password, and Submit button.
• Password Change screen templates - define how a password for an OTS-enabled program or Web site is changed, specifying details such as whether the password can be changed by the user at will, or must be changed at prescribed intervals, and any format restrictions that are enabled.

These OTS templates are created in the One Touch SignOn Administration Tool, and then deployed to end users through a setting in the Active Directory GPO governing the workstations. (For further information, see "Deploying Templates" on page 149 and following.)

After the templates are created and deployed, the One Touch SignOn application uses the templates to recognize which logon and change password screens are fingerprint-enabled, displaying the DigitalPersona fingerprint logon icon in the upper left corner of the Web site or program window to indicate that the user can log on with their fingerprint, as well as a balloon prompting the user to touch the reader to log on.

The One Touch SignOn Administration Tool is included with some Pro Server packages, and is also available as an optional add-in from your DigitalPersona Partner or directly from DigitalPersona, Inc.

For a description of the end user experience, see "Logging On with One Touch SignOn" on page 154.


Installing the OTS Administration Tool

To install the OTS Administration Tool, locate and launch the Setup.exe file in the OTS folder of the product package. If the folder is not in the package, you will need to obtain the OTS Administration Tool separately from DigitalPersona, Inc. or your Reseller. Follow the onscreen instructions.

Setting up OTS

Before using the OTS Administration Tool to create OTS templates, you will need to set it up for your network.

Create a shared network folder

Create a shared folder on the network drive to store OTS templates and assign appropriate permissions to the users.

1 Create a folder on the server/computer where you will store the OTS templates.
2 Share the folder that you just created to allow users to access it.
3 Right-click on the folder and click Properties in the context menu.
4 Click on the Sharing tab.
5 Verify the permissions by clicking the Permissions button. End users need only Read access to this share; limit Change or Full Control to the administrators who author templates, because the templates determine which logon and change password screens OTS treats as fingerprint-enabled.

Set up the GPO policy for OTS

1 The Workstation Administrative Template, DigitalPersonaProWksta, must be added to the Active Directory Computer Configuration folder in the Administrative Templates folder of the Group Policy editor. For further details, see "Install the Administrative Templates" on page 43.


2. Open the GPO where the DigitalPersona template was added.
3. Go to User Configuration\Administrative Templates\DigitalPersona Pro.
4. Double-click the One Touch SignOn Configuration policy (in the right pane). The default setting is "Not Configured". Click Enable to enable this policy, and then type in the path to the shared folder that you previously created.
5. The new setting will be applied to all DigitalPersona Pro Workstations during the usual refresh interval or the next time they restart Windows.

Create an OTS Container

1. Open the OTS Administration Tool from Start/Programs/DigitalPersona Pro.
2. On the toolbar, click the New Container icon.


3. In the Create New Container dialog box, type a name for the container in the Name text box.
4. Specify the path of the container in the Path field. This is the path that was created in the topic “Create a shared network folder” on page 118. To browse for a path using the standard Windows file browser dialog box, click the Browse button.
5. Click OK to create the container.

Using Field Catalogs

The Field Catalog for a container is used to store logon field values and attributes that can then be reused in creating templates for logon screens that share common fields. By storing frequently used logon fields in the catalog once, you can add the same field to several templates without entering its value or attributes each time.

In addition, changes made to fields in the Field Catalog are propagated to all templates that use the field. Each container has only one Field Catalog.

To add a field to a field catalog for a container:

1. In the OTS Administration Tool, select a container and select Field Catalog on the Tools menu.


2. In the Field Catalog Editor, click Add to create a new field in the table.
3. In the Field text box, type a name for the field you are adding to the catalog.
4. Specify the type of the field by selecting Password or Text in the Type drop-down list.
5. Specify the value of the field on the Value drop-down menu. See “Logon Fields options” on page 124 for a description of each value.
6. Add any comments related to this field in the Description text box, and then click OK to close the Field Catalog Editor.
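The shared folder created under “Setting up OTS” above holds the templates that tell every Pro Workstation which screens to fill with a user's credentials, so its permissions deserve more care than a quick pass through the Sharing tab. The following PowerShell is an added example, not part of the DigitalPersona guide or product: it assumes a file server path D:\OTSTemplates, a share name OTSTemplates and two domain groups, CONTOSO\OTS-Admins (template authors) and CONTOSO\Domain Users (readers), all placeholders to replace with your own values.

```powershell
# Added example (not from the DigitalPersona guide or product): creates the OTS
# template share with least-privilege permissions. Assumed values: local path
# D:\OTSTemplates, share name OTSTemplates, CONTOSO\OTS-Admins as the group that
# authors templates, CONTOSO\Domain Users as the readers. Replace with your own.
#Requires -RunAsAdministrator

$FolderPath  = 'D:\OTSTemplates'        # assumption: path on the file server
$ShareName   = 'OTSTemplates'           # assumption: share name published to clients
$AuthorGroup = 'CONTOSO\OTS-Admins'     # assumption: administrators who create templates
$ReaderGroup = 'CONTOSO\Domain Users'   # assumption: Pro Workstation users (read only)

# 1. Create the folder if it does not exist.
if (-not (Test-Path -LiteralPath $FolderPath)) {
    New-Item -Path $FolderPath -ItemType Directory | Out-Null
}

# 2. Replace the inherited NTFS ACL with an explicit one. Workstations only need
#    to read templates; anyone who can write to this folder can change which
#    screens receive a user's credentials, so write access stays with authors.
$acl = Get-Acl -LiteralPath $FolderPath
$acl.SetAccessRuleProtection($true, $false)            # stop inheriting, discard inherited entries
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($entry in @(
        @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Identity = $AuthorGroup;             Rights = 'Modify' },
        @{ Identity = $ReaderGroup;             Rights = 'ReadAndExecute' })) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $entry.Identity, $entry.Rights, $inherit, 'None', 'Allow'))
}
Set-Acl -LiteralPath $FolderPath -AclObject $acl

# 3. Publish the share. Share permissions mirror the NTFS ones; the effective
#    right is whichever of the two is more restrictive.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $FolderPath `
        -FullAccess 'BUILTIN\Administrators' -ChangeAccess $AuthorGroup -ReadAccess $ReaderGroup | Out-Null
}

# 4. Review the result: share ACL, NTFS ACL, and the UNC path for the GPO setting.
Get-SmbShareAccess -Name $ShareName | Format-Table -AutoSize
(Get-Acl -LiteralPath $FolderPath).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
"Path for the One Touch SignOn Configuration policy: \\$env:COMPUTERNAME\$ShareName"
```

Run it elevated on the file server. Template authors get Modify, workstation users get Read, and the UNC path printed at the end is the value to enter in the One Touch SignOn Configuration policy in step 4 of “Set up the GPO policy for OTS”. The two listings at the end are the check to repeat after any later change to the share: no group other than the authors and local administrators should hold a write right on either ACL.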


Creating OTS Templates

Logon screen templates enable DigitalPersona Pro administrators to set policy about how much, and what kind of, user information can be sent to an application via fingerprint logon.

OTS includes a wizard that can create logon screen templates automatically for most logon screens. For more complex, non-standard logon screens where automatic creation is unsuccessful, there is a 'manual' mode that provides more sophisticated options for matching each required action and event in the logon process.

• Automatically -- Open the logon screen for a Web site or program, and then click Create template in the OTS Administration Tool. The Logon Screen Wizard detects the fields on the logon screen. You can specify which fields are required for logon and what type of information should be provided in the fields.
  Smart domain matching means that a template created for one Web site will work for other sites that use the same top-level domain name and logon form. For example, Web sites like GMail, Google Docs and Orkut all have google.com as part of the domain name for their logon screens and use the same logon form.

• Manually -- For logon screens that are difficult for the wizard to detect automatically, you can create a template manually. When you create a template manually, you have additional controls for specifying fields and keystrokes required for logon.
For a discussion of the trade-offs involved in manual template creation, see “Creating a Logon Screen Template Manually” on page 128.

DigitalPersona strongly recommends attempting to create a logon template automatically before you try to create it manually, since the process is much easier and the resulting template is more robust.

Creating a Logon Screen Template Automatically

To create a logon screen template automatically:

1. Launch the password-protected application (or browse to a Web site) that contains the logon screen for which you want to create a template.


2. Launch the One Touch SignOn Administration Tool and, on the shortcut menu of the container for which you want to create a template, click New Template.
3. When the OTS Logon Screen Wizard launches, confirm that the title of the logon screen is displayed on the first page and then click Next.
4. The Logon Fields page displays each field on the logon screen, using the nearest associated label to identify the field. For each field, you can specify several attributes. See the table “Logon Fields options” on page 124.
5. Click Next after selecting the Logon Fields.
6. On the Submit Option page, choose the button from the list that submits the logon data for the application. To prevent automatic logon, click Do not submit. Click Next to continue.


7. On the Logon Screen Properties page, enter the name for this logon screen/template, and the name for the Quick Link. For more details on this screen, see the table “Logon Screen Properties options” on page 126.
8. Click Next after entering the appropriate data and then click Finish to save the new template. If the OTS templates are stored on a shared network drive, log off and log back in to automatically download the newly created templates to your workstation.
9. Enter Account Data. You can now go to the Web page/application for which you created the template. You will be prompted to touch the reader to log on. Once you touch the reader with your enrolled finger, you will be prompted to enter your account data.
   If you selected Ask - Reuse for the field values on the Logon Fields page of the wizard, a user will need to provide this data only when they log on using OTS for the first time. During subsequent logons, they can log on simply by touching the reader with their enrolled finger.

Table 9-2. Logon Fields options (see step 4 above)

Use: Specifies the fields that are used during logon. If a listed field is not used for logon, leave the field unchecked.

Label: Describes the type and use of the field, as displayed to the user during logon. These labels represent the Wizard’s best guess. If the label for a field is not intuitively related to the corresponding field on the logon screen, enter a new label name in this field.

Type: Specifies the type of field, either text or password. This value is not editable.


Catalog: For added convenience, you can create specifications for frequently used fields using the Field Catalog Editor, a collection of frequently-used fields and their specifications (see “Using Field Catalogs” on page 120). If the field is in the Field Catalog, you can click it, then choose it from the drop-down list. Its specifications will be provided automatically by OTS.

Value: Alphanumeric data to be supplied by either the user or DigitalPersona Pro. Type a value for the logon field or use the Value drop-down menu to indicate a value.
   Ask-Reuse prompts the user to enter a value for a logon field the first time they use the template for logon. This value is automatically submitted for them on each subsequent logon without prompting the user again.
   Ask-Confirm also prompts the user to enter a value for a logon field the first time they use it.
   However, on subsequent logons, the value is automatically entered and they are then prompted to confirm this value or change it.
   Ask Always prompts the user to enter a value for a logon field each time they log on.
   If the field is a text field, choose any of the following options to specify values to be provided by OTS:
   Windows User Name -- the Windows user name for a user.
   Windows User Principal Name -- the user name and domain values in the format: [user name]@[domain]
   Windows Domain\User Name -- the domain of the user, followed by a backslash and the user name.
   Windows Domain -- the name of the user’s domain.
   Windows E-mail Address -- the user’s email address, as stored in Active Directory.
   If the field is a password field, choose Windows User Password to specify that OTS will provide password information.


Table 9-3. Logon Screen Properties options (see step 7 above)

General:
   Template is the name of the template.
   Description contains information about the template and is viewable in the OTS Administration Tool.
   User Hint enables you to provide a message that is displayed when a user uses the template for logon. For example, if you want to direct a user to a Web page with custom instructions for logon, you can enter a URL in the User Hint field.
   Show Balloon specifies the number of times a balloon will be displayed on the fingerprint-enabled logon screen to inform the user they can touch the reader to log on.

Display in Quick Link List:
   Quick Link Name is the name that appears in the One Touch Menu for accessing Web sites and programs set up for fingerprint logon. Users touch the reader to display the One Touch Menu, point to Quick Links and then click the fingerprint logon title that corresponds to the Web site or program that they want to access. The specified program or Web site is launched.
   Quick Link URL is the target URL of the Quick Link.

Screen Detection:
   Window Caption is the title of the logon screen as detected by the Wizard. The caption information in the template is used by OTS to recognize the logon screen by matching the window caption in the logon screen.
   Monitor Screen Changes - When enabled, the client software continually monitors the titlebar, URL and content of the specified Web page for changes that may affect the fingerprint logon. When disabled, only the titlebar and the URL are monitored.
   For example, if a page were using frames and a link in one frame changes another frame in the page in such a way that it changes to a logon page, with this setting on, the change is recognized and appropriate action taken.
   With the setting disabled, the change would not be recognized.
   Use of this setting is resource intensive, and it is disabled by default.


   URL is used by One Touch SignOn to recognize a Web site logon screen. The URL information in the template is matched to the URL in the logon screen. If multiple Web sites have the same title, or if portions of the URL change, which can be the case for Web sites that redirect traffic for load balancing, then specify the portion of the URL to match. The drop-down menu allows you to specify the type of matching to perform on the URL.
   Extended Match - If you are creating a template for a Web site that uses Windows Security, you can click the button next to the Extended Match field. Select labels that should be used for matching when recognizing the screen. Click the check box next to labels to use. After making selections and clicking OK, you can select the type of matching to perform by selecting it from the drop-down list.

Authentication:
   Start authentication immediately. If set to Yes, the user is prompted for a fingerprint logon immediately after the logon screen displays. The default setting is No.
   Lock out logon fields. If set to Yes, the user is prevented from typing data in the logon fields. The default setting is No.

Creating a Logon Screen Template Manually

If One Touch SignOn does not detect fields automatically in your Web site and program logon screens, or if you want to specify additional controls to be used during logon (such as adding keystrokes, forcing delays between actions, and specifying positions of fields), you can create a template for a logon screen manually.

When you create a template manually, you have additional controls for specifying fields and keystrokes required for logon; essentially you specify a “script” to manage the interaction completely.
This is much more powerful than accepting the typical field-to-field navigation supported by the Logon Screen Wizard in Automatic mode, but it requires much closer study of the logon screen itself to establish the precise actions required. For example:


• Exactly how many, and what kind of, keystrokes are needed to enter the data?
• Where should the initial focus of the screen be? (physical location)
• How many tabs are required to navigate the input screen?

Note that the security when using manual mode is not as robust as that provided by automatic mode, since in manual mode Web sites and programs are identified solely by their caption, whereas in automatic mode much more sophisticated matching is available. For example, see “Screen Detection” on page 126.

To create a logon template manually:

1. Launch the password-protected Web site or program for which you want to create a template. Study the logon screen carefully to determine what actions are necessary, and where the initial focus of the screen should be. (If the screen cursor is already in the initial field of the logon screen when the screen is displayed, there is no need to worry about initial focus.)
2. In the OTS Administration Tool, select the container to which you want to add the new template.
3. Click Create template. The OTS Administration Tool launches the Logon Screen Wizard.
4. Confirm that the title of the logon screen is accurately displayed on the first page.
5. Select Set up a template manually.


6. Click Next. The wizard displays an empty Fill In Actions list.
7. Click Add and select an action from the drop-down menu, as described in Table 9-4. Add as many actions to the list as are required, in the order that they are required. This builds the “script” that governs the interaction among the user, DigitalPersona Pro and the program.
   For example, to create a logon screen template for the Yahoo! Mail logon page, you might study the page and find that focus on the page is always automatically in the logon field; that you need input fields for Yahoo ID and Password; and that you then submit the data with the Sign In button. Your logon fields would look like this:


Table 9-4. Logon Screen Actions: manual selections

Keystroke: This key sequence of one or more keys will be placed in the keyboard buffer.
   Key. You can select keys such as Tab, Enter, Left arrow, Spacebar or Page Up. The Tab key is the default.
   Repeat. Specify the number of times the key sequence is entered.
   Shift, Control, Alt. You can check Generic, Left or Right to simulate pressing one or more of these keys in addition to the key you selected. You can specify if the key is from the left or right side of the keyboard if necessary.

Field: You can define a field and its type.
   Label. Type a label name for the corresponding field on the logon screen. The labels are displayed when users are prompted to type a value for a logon field.
   Type. Select the type of field, either text or password, in the Type text box. Choosing password as the type hides the password on the logon screen so it cannot be viewed. Choosing text displays readable text.
   Reference. Specifications for frequently used fields can be created using the Field Catalog Editor (see “Using Field Catalogs” on page 120). If the field is in the Field Catalog, you can click and then choose it from the drop-down list. Its specifications will be provided automatically by One Touch SignOn.
   Value. Type a value for the logon field or use the Value drop-down menu to indicate a value specified by the user or provided by One Touch SignOn.


Value: There are several options on the Value drop-down menu, which allow you to specify values that must be provided by the user or by One Touch SignOn. The first three options can be used if you require the user to provide information at logon:
   Ask-Reuse prompts the user to enter a value for a logon field the first time they use the template for logon. This value is automatically submitted for them on each subsequent logon without prompting the user again.
   Ask-Confirm also prompts the user to enter a value for a logon field the first time they use it. However, on subsequent logons, the value is automatically entered and they are then prompted to confirm this value or change it.
   Ask Always prompts the user to enter a value for a logon field each time they use the template.

Value (Text fields): For a text field, the next group of options allows you to specify values which are provided by One Touch SignOn:
   Windows User Name provides the Windows user name.
   Windows User Principal Name provides the user name and domain values in UPN format: [user name]@[domain]
   Windows Domain\User Name provides the domain of the user, followed by a backslash and the user name.
   Windows Domain provides the user domain name.
   Windows E-mail Address provides the email address stored in Active Directory for the user.

Value (Passwords): For a password field, you can specify the following value which is provided by One Touch SignOn:
   Windows User Password provides the password used for Windows logon.

Delay: You can specify how many seconds to wait before the next action in the list is performed.


Position: Using this action, you can specify a location where One Touch SignOn will perform a mouse click. Position is measured from the top left corner of the client window area.
   Client X. Type a number of pixels for the X axis position for the action.
   Client Y. Type a number of pixels for the Y axis position for the action.
   Target icon. You can click and drag the target icon to the actual logon screen field to specify the position. Drop the target icon on the location you want to specify. When you drop the target icon, the Client X and Y positions are updated with the target location.


8. To continue, click Next. The OTS Administration Tool displays the Logon Screen Template Properties page.
9. The Logon Screen Properties page allows you to view and modify the properties of the logon screen template. The options on this page are described in Table 9-5.
10. When done configuring the Logon Screen Properties, click Next.
11. On the Setup Complete page, click Finish to save the changes and exit the wizard.


Table 9-5. Logon Screen Properties: manual options (see step 9 above)

General:
   Template is the name of the template. Choose a name for the template that is easy to remember, such as YahooEmail.
   Description contains information about the template and is viewable in the OTS Administration Tool.
   User Hint allows you to type a message that is displayed when a user uses the template for logon, such as when users are prompted to type values for logon fields. For additional user assistance, if you type a URL in the User Hint field, a user can click it to be directed to a Web page that you created to provide custom instructions for logon.
   Show Balloon is the number of times a balloon will be displayed on the fingerprint-enabled logon screen to inform the user they can touch the reader to log on.

Screen Detection:
   Window Caption is the title of the logon screen as detected by the Wizard. The caption information in the template is used by OTS to recognize the logon screen by matching the window caption in the logon screen.

Authentication:
   Start authentication immediately. If set to Yes, the user is prompted for a fingerprint logon immediately after the logon screen displays. The default setting is No.


Creating Change Password Screen Templates

In addition to templates for logon screens, templates can also be created for most Change Password screens.

To set up a change password screen with One Touch SignOn, use the OTS Change Password Screen Wizard. Using the wizard, you can specify the fields required by the application for changing passwords, implement password policies and even automate the entire process for the end user.

The Change Password Screen Wizard provides administrators with two different ways to create change password screen templates:

• Automatically -- Open the change password screen for a Web site or program that already has a logon screen template created by the OTS Administration Tool and stored in DigitalPersona Pro. Find the logon screen template, then right-click to display that template’s context menu. Choose Add Change Password Screen. The Wizard detects the fields on the change password screen. You can specify which fields are required for logon and what type of information should be provided in the fields.

• Manually -- For change password screens that are difficult for the wizard to detect automatically, you can create a template manually. When you create a template manually, you have additional controls for specifying fields and keystrokes required for logon.
For a discussion of the trade-offs involved in manual template creation, see “Creating a Logon Screen Template Manually” on page 127.

Creating a Change Password Screen Template Automatically

To create a change password screen template automatically:

1. Launch the password-protected Web site or program for which you want to automate the change password operation and then navigate to the Change Password screen.
2. In the OTS Administration Tool, select the template which was created for that Web site or program.


3. Right-click to display that template’s context menu, then click Add Change Password Screen. OTS launches the OTS Change Password Screen Wizard.
4. Click Next. The wizard displays the Change Password Screen Field page.
5. Select all fields relevant to the change password process, as described in Table 9-6.

Table 9-6. Password Screen Template options

Use: Check the Use check box for each field needed in changing the password.

Label: The label is displayed next to a field when the user is prompted to type a value for a field on the change password screen. If the label is not intuitively related to the corresponding field on the change password screen, you can enter a new label.

Type: Specify the type of control on the Change Password screen, such as text or password field.

Catalog: Cross-references the fields of the Change Password Screen with the fields in the Logon Screen. For example, the password used at logon is re-used during the Change Password process.

Value: The automatically detected value is shown in this field by default, but you should verify it. For Old Password, the value type should generally be Ask-Reuse. For New Password, the value type is usually Write Only.

6. Click Next. The wizard displays the Password Policy page.
7. If desired, specify the password policy for a protected field. Select the corresponding Field Policy item, and then click the button which is shown on the right side.


8. In the Password Policy dialog box, the following options are available:
   • Password is provided by user - Allows the user to specify the new password for the Web site or program.
   • Password is generated automatically - Generates a randomized password for the user. By selecting this option (and enabling a GPO setting that prohibits the end user from showing the password), you can ensure that the user can only log on using a fingerprint.
   To specify constraints on the password format, length and uniqueness, check the Use password policy check box. These requirements will be followed when the password is generated, and verified when the password is provided by the user.
   The following options are available for the password length:
   • Minimum password length - Specifies the minimum number of characters allowed in the password.
   • Maximum password length - Specifies the maximum number of characters allowed in the password.
   The following options are available for the password contents:
   • Letters and numbers - Allows any combination of letters and/or numbers.
   • Numbers only - Allows numbers only.
   • Letters only - Allows letters only.
   • Letters and numbers with special characters - Allows passwords that contain at least one number or at least one letter; at least one special character is required. Special characters include symbols such as ! " # $ % & ' ( ) * + , - . / : ; ? [ \ ] ^ _ ` { | } ~ @. Spaces are not allowed.


   • Letters and numbers with at least one number - Allows passwords with any combination of letters and numbers, but both types must be present.
   The following additional password constraints are available:
   • None - No other constraints are applied to the password.
   • Different from Windows password - The new password must be different from the current Windows password.
   • Different from any password registered with OTS - The new password must be different from all passwords registered for fingerprint-enabled Web sites or programs by the current Windows user.
   • Different from current password - The new password must be different from the current password for this Web site or program.
9. Click OK to save the changes in the Password Policy dialog box.

Note: The password policy applied in the wizard should be synchronized with that of the Web site or program.

10. On the Password Policy page, click Next.
11. On the Submit Selection page, choose the button from the list of detected buttons which submits the data on the Change Password screen, and then click Next.
12. On the Change Password Screen Properties page, you can customize the behavior of the system during the change password operation. The following settings are available:
   • User Hint - Allows customizing the text that will be shown when the user is prompted to type data into input fields for the Change Password screen.
   • Windows Caption - Specifies the title of the change password screen as detected by the wizard. This caption is used by One Touch SignOn to recognize a fingerprint-enabled screen. You may use an asterisk (*) as a wildcard at the beginning or at the end of the caption to help define which portions of the caption to match. You cannot use more than one asterisk in the caption.
For example:*Some Application Login<strong>DigitalPersona</strong> <strong>Pro</strong> <strong>for</strong> <strong>Active</strong> <strong>Directory</strong> <strong>Administrator</strong> <strong>Guide</strong>138


• Monitor Screen Changes - (Web sites only) When enabled, the Workstation software continually monitors the title bar, URL and content of the specified Web page for changes that may affect the fingerprint logon. When disabled, only the title bar and the URL are monitored.
For example, if a page uses frames and a link in one frame changes another frame into a logon page, the change is recognized and the appropriate action taken when this setting is enabled. With the setting disabled, the change is not recognized.
Use of this setting is resource intensive, and it is disabled by default.
• URL - A Uniform Resource Locator is the unique, identifying address of a particular page on the Web. The URL can be used by One Touch SignOn to recognize the previously trained screen. The drop-down menu allows you to specify the type of matching performed on the URL. By default, the URL is not used to recognize a fingerprint-enabled screen, so recognition relies on the Windows Caption alone; for Web sites, enabling URL matching ensures that a different page carrying the same title is not treated as the trained screen.
• Extended Match - If you are creating a template for a program, and not a Web site, you can click the button next to the Extended Match field. Select the labels that should be used for matching when recognizing the screen by clicking the check box next to each label. After making your selections and clicking OK, you can select the type of matching to perform from the drop-down list.
• Authentication: Lock out logon fields - If set to Yes, the user is prevented from typing data in the logon fields. The default setting is Yes.
13 When done configuring the Change Password Screen Properties, click Next.
14 Click Finish to save the changes and exit the wizard.
Change password screens set up with One Touch SignOn display the DigitalPersona fingerprint logon icon in the upper left corner of the Web site or program window to indicate that the user can log on with their fingerprint, as well as a balloon prompting the user to touch the reader to begin the change password process.
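The Windows Caption matching described in step 12 above (and, for the manual wizard later in this chapter, with the asterisk also allowed inside the caption) can be modeled in a few lines. The following is an added example, not DigitalPersona code: the function names, the case-insensitive comparison and the rejection of a bare "*" are assumptions, since the guide does not say how the product compares window titles. The sample template list is constructed for the example.

```python
"""Added example (not DigitalPersona code): screen recognition by Windows Caption with
the single-asterisk wildcard rule from the OTS wizards. Function names are assumptions,
as is case-insensitive comparison; the guide does not say whether the product compares case."""


def check_caption_pattern(pattern):
    """Enforce the rule from the wizard: no more than one '*' in the caption."""
    if pattern.count("*") > 1:
        raise ValueError("a Windows Caption may contain at most one '*' wildcard")
    if pattern.replace("*", "") == "":
        # Assumption: a bare '*' would make the template match every window.
        raise ValueError("caption must contain some literal text")
    return pattern


def caption_matches(pattern, title):
    """True if the window title matches the caption pattern. The '*' may stand at the
    beginning, inside or at the end of the pattern and matches any run of characters."""
    pattern = check_caption_pattern(pattern).lower()
    title = title.lower()
    if "*" not in pattern:
        return pattern == title
    head, tail = pattern.split("*")
    # The length check stops head and tail from overlapping ('ab*ba' must not match 'aba').
    return (len(title) >= len(head) + len(tail)
            and title.startswith(head) and title.endswith(tail))


def matching_templates(templates, title):
    """Names of all templates whose caption matches a title. More than one hit is the
    situation Check Redundancy is meant to find; zero hits means no fingerprint icon."""
    return [name for name, caption in templates if caption_matches(caption, title)]


# Constructed sample container: (template name, Windows Caption) pairs.
SAMPLE_TEMPLATES = [
    ("AcmeApp", "*Some Application Login"),
    ("Portal", "Some Company*Login"),
    ("Bank", "My Bank Login*"),
]

if __name__ == "__main__":
    print(matching_templates(SAMPLE_TEMPLATES, "My Bank Login - Windows Internet Explorer"))
```

A trailing wildcard such as My Bank Login* is the usual choice for browser windows, because browsers append their own name to the page title; the leading and inner forms are for applications whose title prefix varies.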


Creating a Change Password Screen Template Manually
If you want to specify additional controls to be used during the password change (such as adding keystrokes or forcing delays between actions), you can create a change password screen template manually.
When you create a template manually, you have additional controls for specifying the fields and keystrokes required for the password change; essentially you specify a "script" that manages the interaction completely. This is much more powerful than the typical field-to-field navigation supported by the Change Password Screen Wizard in Automatic mode, but it requires much closer study of the change password screen itself to establish the precise actions required. For example:
• Exactly how many, and what kind of, keystrokes are needed to enter the data?
• Where should the initial focus of the screen be? (physical location)
• How many tabs are required to navigate the input screen?
To create a change password screen template manually:
1 Launch the password-protected Web site or program for which you want to create a template. Move to that site's or program's Change Password screen.
2 In the OTS Administration Tool, select the template for that Web site or program.
3 Right-click to display that template's context menu, then click Add Change Password Screen. The OTS Change Password Screen Wizard displays.
4 Select Set up a template manually, then click Next. The wizard displays the Logon Fields page with an empty Fill in Actions list.
5 Click the Add button and then select an action from the drop-down menu. Add as many actions to the list as are required, in the order in which they are performed. This builds the "script" that emulates the interaction between the user and the program. Later, this script is used to play back the pre-recorded actions.
The following actions are available in the Fill in Actions list:


• Keystroke - Provides navigation to the first field to be filled in, or between fields. It may also be used to submit the data on the Change Password screen. The list of supported keystrokes is available in the Key drop-down menu.
• Field - Specifies the field to be filled in on the Change Password screen, its type (text or password), its reference (for example, its relationship to the password field on the logon screen) and its value, i.e. how the field value is obtained.
• Delay - Specifies a delay during navigation or prior to submitting data. This setting is useful when the system performs some actions between the screen loading and data submission events. For some terminal applications, a delay may be required even when moving between neighboring fields on the screen.
Note
It is recommended to estimate the required delay and then test it prior to using the script.
• Position - Moves the cursor to a specified area of the Change Password screen, such as a field for data input, without using keystrokes. To use the Position feature, select Position in the drop-down menu, then, using the mouse, click and drag the Target icon until the cross is located over the desired area on the screen. When the mouse button is released, the chosen coordinates are shown in the right panel of the wizard page.
Be aware that the Position action may be sensitive to screen resolution, because the system deals with coordinates in pixels. Test a Position-based script at every display resolution in use, since a misplaced click can leave the focus in a different control and the script will then type the password value there. This feature also may not be useful when the user needs to scroll the window in order to move the cursor to the desired area.
6 Repeat step 5 until all the required actions (i.e. fields, cursor movements, delays, and the submission action) are specified.
7 Click Next. The wizard displays the Password Policy page.
8 If desired, specify the password policy for a protected field. Select the corresponding Field Policy item, and then click the button shown on the right side.


9 In the Password Policy dialog box, the following options are available:
• Password is provided by user - Allows the user to specify the new password for the Web site or program.
• Password is generated automatically - Generates a randomized password for the user. By selecting this option (and setting the Show clear text passwords GPO setting to Disabled so that the end user cannot display the password), you can ensure that the user can only log on using a fingerprint.
To specify constraints on the password format, length and uniqueness, check the Use password policy checkbox. These requirements are followed when the password is generated, and verified when the password is provided by the user.
The following options are available for the password length:
• Minimum password length - Specifies the minimum number of characters allowed in the password.
• Maximum password length - Specifies the maximum number of characters allowed in the password.
The following options are available for the password contents:
• Letters and numbers - Allows any combination of letters and/or numbers.
• Numbers only - Allows numbers only.
• Letters only - Allows letters only.
• Letters and numbers with special characters - Allows passwords that contain at least one number or at least one letter; at least one special character is required. Special characters include symbols such as !"#$%&'()*+,-./:;?[\]^_`{|}~@. Spaces are not allowed.


• Letters and numbers with at least one number - Allows passwords with any combination of letters and numbers, but both types must be present.
The following additional password constraints are available:
• None - No other constraints are applied to the password.
• Different from Windows password - The new password must be different from the current Windows password.
• Different from any password registered with OTS - The new password must be different from all passwords registered for fingerprint-enabled Web sites or programs by the current Windows user.
• Different from current password - The new password must be different from the current password for this Web site or program.
10 Click OK to save the changes in the Password Policy dialog box.
Note
The password policy applied in the wizard should be synchronized with that of the Web site or program.
11 On the Password Policy page, click Next.
12 On the Change Password Screen Properties page, you can customize the behavior of the system during the change password operation. The following settings are available:
• User Hint - Allows customizing the text that is shown when the user is prompted to type data into the input fields of the Change Password screen.
• Windows Caption - Specifies the title of the change password screen as detected by the wizard. This caption is used by One Touch SignOn to recognize a fingerprint-enabled screen. You may use an asterisk (*) as a wildcard at the beginning, inside or at the end of the caption to define which portions of the caption must match. You cannot use more than one asterisk in the caption. For example:
*Some Application Login
Some Company*Login
My Bank Login*
13 When done configuring the Change Password Screen Properties, click Next.


14 On the Setup Complete page, click Finish to save the changes and exit the wizard.
Change password screens set up with One Touch SignOn display the DigitalPersona fingerprint logon icon in the upper left corner of the Web site or program window to indicate that the user can log on with their fingerprint, as well as a balloon telling the user to touch the reader to begin the change password process.
Example: Change Password Screen with Randomized Password
The following sample procedure gives you an idea of how you can manually set up a Change Password screen with a randomized password. This causes a new random password to be generated each time the user scans their enrolled fingerprint on the specified change password screen.
In this sample, the original logon screen template was set up using values from the field catalog.
1 In the One Touch SignOn Administration Tool, right-click the template to which you want to add the Change Password screen and click Add Change Password Screen to display the OTS Change Password Screen wizard.
2 Launch the change password screen for the password-protected Web site or program.
3 On the first page of the wizard, confirm that the title of the detected page is the same as the title shown in the title bar of the browser window. Select Set up template manually and then click Next.
4 On the Logon Fields page, click Add. Select Field, and on the right, fill in the action properties for Label (Current Password), Type (Password), Reference (Password: Login) and Value (Ask - Reuse).
5 Click Add and select Keystroke to specify any keystrokes (such as the Tab key) needed to move to the next field, or select Position to specify the x and y coordinates of the field on the target client monitor.
6 Click Add and select Field for the next field, filling in the action properties for Label (New Password), Type (Password), Reference (Password: Login) and Value (Write Only).


7 Use a Keystroke or Position action to move to the next field.
8 Click Add again and select Field for the final field, filling in the required values for Label (Confirm New Password), Type (Password), Reference (Password: Login) and Value (Write Only).
9 Click Next to display the Password Policy page.
10 Click the ellipsis (...) to display the Password Policy dialog, and select Password is generated automatically. You can also set password requirements here, such as the password length and the type of characters to be used.
11 Click OK to close the dialog.
12 Click Next to display the Change Password Screen Properties page. You can customize the behavior of the system during the change password operation. The following settings are available:
• User Hint - Allows customizing the text that is shown when the user is prompted to type data into the input fields of the Change Password screen.
• Screen Detection\Windows Caption - Specifies the title of the change password screen as detected by the wizard. This caption is used by One Touch SignOn to recognize a fingerprint-enabled screen. You may use an asterisk (*) as a wildcard at the beginning, inside or at the end of the caption to define which portions of the caption must match. You cannot use more than one asterisk in the caption. For example:
*Some Application Login
Some Company*Login
My Bank Login*
• Fingerprint logon icon - Allows you to define a unique Location ID, which can then be used when creating other logon screens, and to specify where the fingerprint logon icon is displayed on the screen.
13 Click Next.
14 On the Setup Complete page, click Finish to close the wizard.
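The Password Policy dialog used in the automatic procedure, in the manual procedure and in the randomized-password example above offers length limits, five content classes and three uniqueness constraints. The following is an added example, not DigitalPersona code, that implements those rules as a validator and a generator so an administrator can check offline which candidate passwords a given policy accepts and what "Password is generated automatically" will produce under it. The names PasswordPolicy, violations and generate, the retry-based generation and the use of Python's secrets module are assumptions; the guide does not describe the product's own generation algorithm.

```python
"""Added example (not DigitalPersona code): a generator and validator mirroring the
options of the OTS Password Policy dialog. Names and the retry-based generator are
assumptions; the product's own generation algorithm is not documented in the guide."""
import secrets
import string
from dataclasses import dataclass

# Special characters exactly as listed in the guide; spaces are never allowed.
SPECIAL = "!\"#$%&'()*+,-./:;?[\\]^_`{|}~@"
LETTERS = string.ascii_letters
DIGITS = string.digits

# The five "password contents" choices of the dialog.
LETTERS_AND_NUMBERS = "letters_and_numbers"
NUMBERS_ONLY = "numbers_only"
LETTERS_ONLY = "letters_only"
LETTERS_NUMBERS_SPECIAL = "letters_and_numbers_with_special"
LETTERS_AND_AT_LEAST_ONE_NUMBER = "letters_and_numbers_with_at_least_one_number"

ALPHABETS = {
    LETTERS_AND_NUMBERS: LETTERS + DIGITS,
    NUMBERS_ONLY: DIGITS,
    LETTERS_ONLY: LETTERS,
    LETTERS_NUMBERS_SPECIAL: LETTERS + DIGITS + SPECIAL,
    LETTERS_AND_AT_LEAST_ONE_NUMBER: LETTERS + DIGITS,
}


@dataclass
class PasswordPolicy:
    min_length: int
    max_length: int
    contents: str = LETTERS_AND_NUMBERS
    # The "additional constraints"; the dialog's None means all three False.
    different_from_windows: bool = False
    different_from_any_ots: bool = False
    different_from_current: bool = False


def violations(policy, candidate, windows_password=None,
               current_password=None, ots_passwords=()):
    """Return the rules a candidate breaks; an empty list means it is accepted."""
    problems = []
    if not policy.min_length <= len(candidate) <= policy.max_length:
        problems.append("length")
    # Anything outside the allowed alphabet (including a space) is rejected.
    if any(c not in ALPHABETS[policy.contents] for c in candidate):
        problems.append("characters")
    has_letter = any(c in LETTERS for c in candidate)
    has_digit = any(c in DIGITS for c in candidate)
    has_special = any(c in SPECIAL for c in candidate)
    if policy.contents == LETTERS_NUMBERS_SPECIAL and not (
            (has_letter or has_digit) and has_special):
        problems.append("contents")
    if policy.contents == LETTERS_AND_AT_LEAST_ONE_NUMBER and not (
            has_letter and has_digit):
        problems.append("contents")
    if policy.different_from_windows and candidate == windows_password:
        problems.append("same_as_windows_password")
    if policy.different_from_current and candidate == current_password:
        problems.append("same_as_current_password")
    if policy.different_from_any_ots and candidate in ots_passwords:
        problems.append("registered_with_ots")
    return problems


def generate(policy, length=None, **known):
    """'Password is generated automatically': draw from the policy's alphabet with a
    CSPRNG and retry until the result passes every rule, including uniqueness against
    the passwords passed in `known` (windows_password=..., ots_passwords=...)."""
    n = policy.max_length if length is None else length
    alphabet = ALPHABETS[policy.contents]
    for _ in range(1000):
        candidate = "".join(secrets.choice(alphabet) for _ in range(n))
        if not violations(policy, candidate, **known):
            return candidate
    raise ValueError("policy cannot be satisfied at this length")


if __name__ == "__main__":
    site = PasswordPolicy(8, 12, LETTERS_NUMBERS_SPECIAL,
                          different_from_windows=True, different_from_current=True)
    print(violations(site, "Winter 2024!"))   # ['characters'] (space not allowed)
    print(generate(site, windows_password="Winter2024!"))
```

Run the validator against the target site's own rules before deploying: if the policy accepts passwords that the site rejects, or a Numbers only policy is too short for the site, the two are out of sync in the sense the Note in step 10 warns about, and generated passwords will fail at the site.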


Managing Containers
This section describes how to edit and delete containers. For instructions on creating a container, see "Create an OTS Container" on page 119.
Editing Containers
You cannot change the location of the folder associated with a container, but you can rename the container.
To edit the name of a container:
1 Select the container whose name you wish to edit.
2 Right-click the container to display its context menu.
3 Click Properties.
4 Enter a new name for the container and click OK.
Deleting Containers
When you delete a container, you can choose whether or not to also delete the template files in its folder.
To delete a container:
1 Select the container you wish to delete.
2 Right-click the container to display its context menu, then select Delete Container. A confirmation message is displayed.
3 If you are not sure you want to delete the container, click No.
If you are sure you want to delete the container and you also want to delete all the templates in the container folder, select Delete all templates in the selected container. Then click Yes.
Note
If you delete a container and its templates, you must either update the corresponding OTS GPO to point to a new container, or delete the GPO itself. For detailed information about how to work with the DigitalPersona GPOs, refer to "Configuring Policies and Settings" on page 80.


Managing Templates
This section describes various ways to search for templates, as well as how to edit, delete and deploy templates. It consists of the following topics:
• "Finding Templates" on page 147
• "Finding Fields in Templates" on page 148
• "Finding Redundant Templates" on page 148
• "Editing Templates" on page 148
• "Deploying Templates" on page 149
• "Deploying OTS Templates on a Local Computer" on page 150
For instructions on creating a template, see one of the following topics:
• "Creating a Logon Screen Template Automatically" on page 122
• "Creating a Logon Screen Template Manually" on page 127
• "Creating a Change Password Screen Template Automatically" on page 135
• "Creating a Change Password Screen Template Manually" on page 140
Finding Templates
You can search for templates in specific containers.
To find templates in the OTS Administration Tool:
1 Select Find Template on the Tools menu.
2 The name, caption and URL fields are available for a pattern-matching search. Select the containers to search from the list and click Find.
3 The search results are displayed in the dialog.
4 You can save the results of the search by clicking Save. Specify a location and file name for the results.
The results are saved as an HTML table that includes the template name, file name and container.


Finding Fields in Templates
You can search for templates that contain certain fields defined in the Field Catalog of a container. You select the fields from that Field Catalog.
To search for templates that contain certain fields:
1 Select the container that uses the Field Catalog you want to use.
2 Select Field Usage from the Tools menu.
3 Select the fields from the Field Catalog and click Find. The search results are displayed in the dialog.
4 You can save the results of the search by clicking Save. Specify a location and file name for the results.
The results are saved as an HTML table that includes the caption, template name, created date, modified date and file name.
Finding Redundant Templates
You can search for redundant templates, that is, multiple templates created for a single logon or change password screen.
To search for redundant templates:
1 Click Check Redundancy on the toolbar.
2 In the displayed containers list, select the containers to search and click Check. The search results are displayed in the dialog.
3 You can save the results of the search by clicking Save. Specify a location and file name for the results.
The results are saved as an HTML table that includes the container, template name, caption, screen type, created date, modified date and file name.
Editing Templates
Any logon or change password screen template can be edited in the OTS Administration Tool.


To edit a template:
1 Select the container that includes the template.
2 Select the template to edit.
3 Right-click the template to display its context menu, then click Edit. The Logon Screen Wizard displays.
4 Edit the template as described in "Creating a Logon Screen Template Manually" on page 127 or "Creating Change Password Screen Templates" on page 135.
5 Click Next to continue through the wizard. Click Finish to exit the wizard.
Deleting Templates
A logon screen setup cannot be deleted without deleting the entire template, including any change password screen setup.
To delete a template:
1 In the OTS Administration Tool, select the container that includes the template.
2 Select the template to be deleted.
3 Right-click the template to display its context menu, then click Delete.
4 Specify one of the following:
• To delete the entire template, specify All Screens.
• To delete only the Change Password Screen, specify Change Password Screen.
Deploying Templates
OTS templates are automatically deployed to all users of DigitalPersona Pro Workstation or Kiosk. However, a newly created template is not available to a user until they either log out and log in again, or until a local template is created or edited using either the One Touch Internet or One Touch SignOn tools.


Automatic deployment requires that the path to the container(s) where the templates are stored has been entered in the GPO governing the workstation, and that the designated folder is accessible to the workstation. See "Setting up OTS" on page 118 for specific instructions. Because workstations act on whatever templates they find at that path, grant write access to the container folder only to the administrators who maintain the templates.
Deploying OTS Templates on a Local Computer
Administrators may want to deploy OTS templates on a local computer:
• To test OTS templates on a Pro Workstation before distributing them to other computers on the network, or
• When a specific computer does not have access to the container in which the template is stored.
Note
In order to deploy OTS templates on a local computer, you must first add the Workstation Administrative Template to the computer. The default DigitalPersona Pro Workstation installation copies the Workstation Administrative Template to the computer, but does not install it.
This template can be added to the Local Policy Object on a workstation to enable GPO settings on the local computer, including the OTS settings. For instructions on adding the Administrative Template, see "Install Workstation Template Locally" on page 48.
To set the container path for OTS templates
The following procedure requires that the Workstation Administrative Template has already been added to the Local Policy Object.
1 Create a folder on the local hard drive to use as a container for the OTS templates.
2 Copy the OTS templates into the folder that you just created.
3 In MMC, navigate to the User Configuration/Administrative Templates/DigitalPersona Pro/DigitalPersona Pro Workstation/OTS node.
4 Double-click the One Touch SignOn configuration setting to open its Properties dialog.
5 On the Setting tab, select Enable.


6 In the Path to the container of templates box, enter the path of the local folder that you created in step 1.
7 Click OK to close the dialog box.


One Touch SignOn Settings
Two-Factor Authentication and Other Policies
Various authentication policies, specifically fingerprint and password, fingerprint or password, and fingerprint only, can be applied to the logon process with the OTS Logon Screen Setup Wizard. Following is a list of each authentication policy, with instructions for implementing it when setting up a logon screen with the OTS Logon Screen Setup Wizard:
• Fingerprint and password. Choose Ask Always as the value of the password field on the Logon Fields page, and enable the Start authentication immediately and Lock out logon fields options on the Logon Screen Properties page. When a user accesses the logon screen, they are immediately presented with a fingerprint authentication screen and are unable to bypass it because the logon fields are locked out. Once they submit an enrolled fingerprint, they are prompted by One Touch SignOn to type their password.
• Fingerprint only. Enable the Start authentication immediately and Lock out logon fields options on the Logon Screen Properties page. When a user accesses the logon screen, they are required to touch the reader with an enrolled finger and are unable to bypass fingerprint authentication until they do. Once they submit an enrolled fingerprint, they are logged on, assuming that the password value has already been specified in the template or was stored by the user the first time they logged on via the Ask-Reuse option on the Logon Fields page.
Password only is the default authentication policy for all password-protected Web sites and applications that do not use One Touch SignOn. A fingerprint or password policy applies to OTS-enabled logon screens that allow a user to either type their password manually or touch the reader to have it provided automatically.
GPO Settings
Settings in the One Touch SignOn GPO affect the way users can use templates for a password-protected Web site or program. Each GPO setting and its description is provided below. By default, all options are enabled.
One Touch SignOn GPOs can be configured using the Group Policy Editor. The policy settings are found in the following path:


User Configuration/Administrative Templates/DigitalPersona Pro
Note
If you are upgrading an existing installation of DigitalPersona Pro to include support for One Touch SignOn, you must add the DigitalPersona Pro ADM file again, as described in "Install the Administrative Templates" on page 43, to access the One Touch SignOn settings.
With the DigitalPersona Pro folder selected, double-click One Touch SignOn Configuration to access these GPO settings:
• Show clear text passwords. Enable this option to show password field values to the end user when they are prompted to provide a password. Because this option is enabled by default and behaves the same when not configured, a deployment that relies on automatically generated passwords remaining unknown to the user must set it to Disabled explicitly.
• Allow users to edit account data. When enabled, this option permits end users to change the values of logon screen fields through the Fingerprint Logon Manager.
• Allow users to add account data. This option allows end users to add account data fields for Web sites and applications from their computers.
• Allow users to delete account data. Allows end users to remove account data from a template.
• Path to the container of templates. Specify the path to the container in the Container Path field to give DigitalPersona Pro Workstation users access to the templates it contains. The container path is determined when creating a new container, as described in "Create an OTS Container" on page 119. You can add multiple paths by separating them with the pipe (|) character.


Logging On with One Touch SignOn
After templates have been created and deployed, end users can launch a logon screen and touch the fingerprint reader with an enrolled finger to log on. If a Quick Link was defined in the template, users can select the Quick Link from the One Touch Menu to launch the Web site or program logon screen. Quick Links only appear in the One Touch Menu after the user has visited them and used their fingerprint to log on.
Logon screens that have a template created for them display a DigitalPersona fingerprint logon icon in the upper left corner of the screen and a balloon informing the user to log on with a fingerprint.
Logon screens that do not have a template created for them display an "add DigitalPersona fingerprint logon" icon. A Workstation user can turn this feature off in the Properties dialog.
Depending on the template attributes, the logon process may vary. For example, the user can be logged on automatically by touching the reader, i.e. the fields are populated and submitted automatically.
In other cases, the user is prompted to choose a set of account data or to provide logon field values. If there are multiple accounts for the same logon screen, the user is prompted to select an account in the Select Account Data dialog box. The user must click the name of the account to use and click OK to log on.


When the user is prompted to type values for logon fields, the Enter Account Data dialog box displays. This dialog box displays when the template has required fields whose values are not yet specified. In the dialog box, the user can provide the appropriate values for the fields and click OK to log on.
Providing Logon Field Values
If the template contains logon field values that are provided by the end user, the Enter Account Data dialog box opens, listing each field needing a value and allowing the user to enter them before logging on.
The appearance of this dialog box depends on the Value attribute (such as Ask-Reuse, Ask-Confirm or Ask Always) of the fields in the template.
If the Show clear text passwords setting in the GPO is enabled or not configured, the user can click the Show password button to display the password as they edit it. Otherwise, the characters in the password are replaced with bullets.


Choosing an Account
If a logon screen is set up for multiple accounts, the Select Account Data dialog box is displayed, prompting the user to select the set of account data they want to use. When the user has selected the set of account data, they click OK to log on.
Providing Multiple Credentials
Two-factor authentication, and other authentication policies, can be applied to logon screens; for example, a policy may require the user to first provide an enrolled fingerprint and then a password. Authentication policies are described in "Two-Factor Authentication and Other Policies" on page 152.
Changing Passwords with One Touch SignOn
Change password screens that have a template created for them display a DigitalPersona fingerprint logon icon in the upper left corner of the screen and a balloon informing the user to provide a fingerprint. The user is asked to provide the old password, a new password and to confirm the new password. Depending on the template attributes, the change password process may vary. For example, the user can be allowed to choose a new password with or without constraints on the password complexity.
In other cases, the new password is generated automatically by the system. In this case, the user must log on with a fingerprint.
Checking Template Compatibility
Whenever you upgrade to a new version of DigitalPersona Pro, you should run a compatibility check on any previously created templates, and then convert any templates that are identified as not compatible.
During the compatibility check, any templates incompatible with the current version of One Touch SignOn are identified as "Needs conversion."


To check the compatibility of current templates

1. Click Check Compatibility on the OTS Admin Tool toolbar.
2. In the Compatibility Check dialog, all containers are selected by default. Deselect any containers that you do not want to search, and click Check to display the search results.
3. Optionally, click Save to save the results to an HTML file.
4. In the Results panel, you can right-click any template to display a shortcut menu with options to Edit, Open the containing folder, or Delete the template.

To convert incompatible templates to the latest format

1. In the Results panel, select a template.
2. Click Convert.
3. As soon as the template is converted, the Results panel will refresh and the word "Converted" will appear in the Results column next to the template.
4. Click Close to close the window.


User Query Tool

The DigitalPersona Pro User Query Tool is used to query the DigitalPersona Pro for Active Directory user database for information about DigitalPersona Pro users. It can provide information such as:

• Total users
• Total enrolled users
• Users enrolled between certain dates
• Number of enrolled fingerprints per user
• Number of users using fingerprint logon
• Number of users using OTS or OTI
• and much more

The User Query Tool can be run as an interactive query, from the command line, or from within a script. It can be installed through the Custom option during installation of the Administration Tools.

Whether a query is run interactively, from the command line, or from within a script, the results of the query contain the following information:

• Total users
• Total enrolled users
• Found users
• Enrolled between [Begin Date] and [End Date]
• Number of enrolled fingerprints per user
• Application data
• Containers searched [configurable]
• Recursive [Yes|No]

For each user that matches the query, the following information is displayed:

• User Full name (if available)
• User NT name
• User UPN name
• Number of fingerprints enrolled
• Date/Time when user record was created
• Date/Time user record was last updated
• Total number of secrets in user record (If a specific secret was queried, reports Yes or No.)

Query results are shown in the Results window, and can be copied to the clipboard from there. They may also be saved to a tab-delimited file.

Running an Interactive Query

To run an interactive query:

1. On the Start menu, point to All Programs, point to DigitalPersona Pro and click User Query Tool.
2. In the console, click the node that you want to query.
3. Select the parameters that you want to use for the query.
4. To capture the full detailed results of the query, you must enter a path and file name to save the results of the query to. The results of the query will be saved as a tab-delimited file, which can then be imported into Microsoft Excel or other spreadsheet programs.
5. Click the Run button.

When the query finishes, a brief summary of the results is displayed in the lower portion of the window. The summary can be copied from the panel to the Windows clipboard by selecting the summary information and pressing CTRL-A, then CTRL-C.

Note
To add your own Secrets to the Query, click the Add button and enter the name of the Secret.

Running from the Command Line

To run the User Query Tool from the command line:

1. On the Start menu, click Run to open the Run dialog.
2. Type your user query.
3. Click OK to run the query.


Example:

RunDll32.exe [Full Path]DPUserQuery.dll, CmdQuery /o "CN=Users;DC=mycompany;DC=com" /d1 "01/23/2006" /d2 "12/31/2006" /f1 2 /f2 3 /s /s LogonSystemInfo /r /f "C:\dpusers.log"

This query will find all users in the mycompany.com domain whose fingerprints were either created or modified between January 23rd, 2006 and December 31st, 2006, and who have enrolled at least 2 but no more than 3 fingerprints. Additionally, it will display the number of secrets each of those users has, and whether or not they have the 'LogonSystemInfo' secret. Finally, it will write the results to the file 'C:\dpusers.log'.

All parameters are optional except for /o.

The available parameters for the user query are:

/o
  Required. CN=[common name];DC=[domain component]
  Example: /o "CN=Users;DC=mycompany;DC=com"

/d1
  Earliest creation or modification date to include in the query. Format: mm/dd/yyyy.
  Example: /d1 "01/23/2006"

/d2
  Latest creation or modification date to include in the query. Format: mm/dd/yyyy.
  Example: /d2 "12/31/2006"

/f1
  Minimum number of fingerprints. Value = 1-10
  Example: /f1 1

/f2
  Maximum number of fingerprints. Value = 1-10
  Example: /f2 2

/s
  Secrets - Display number of Secrets for each user. If followed by the name of a Secret, reports Yes or No indicating whether the Secret exists for the specified user.
  Examples:
  /s
  /s LogonSystemInfo
  /s LogonSystemInfo /s "OTS Protected Storage"


/r
  If present, the query will be recursive, i.e. it will query any nested containers.
  Example: /r

/f
  Enter the path and file name where you would like to store the results of the query. If omitted, results are sent to stdout (the standard output stream, usually the screen).
  Example: /f "C:\dpusers.log"

@
  Specifies the name of a .cmd file where parameters for the query are stored. If used:
  • include the full path and filename.
  • specify the parameters exactly the same as you would on the command line, with no extra characters or lines.
  • do not include any other parameters on the command line.
  Example: @"c:\scripts\myquery.cmd"

/? or /h
  Displays command line help for the User Query Tool when used as the only parameter. Help will also be displayed if the tool is called with no parameters.
  Examples:
  RunDll32.exe DPSrvQuery.dll, CmdQuery /?
  RunDll32.exe DPSrvQuery.dll, CmdQuery /h
  RunDll32.exe DPSrvQuery.dll, CmdQuery

Note
Omitting the /d1, /d2, /f1 and /f2 parameters will report all users with enrolled fingerprints. Setting both /f1 and /f2 to 0 will return all users who have no enrolled fingerprints.


Script Use

The DigitalPersona Pro User Query Tool may be run from within a script. See the previous pages for a description of the syntax to use.

Example

RunDll32.exe [Full Path]DPUserQuery.dll, CmdQuery /o "CN=Users;DC=com;DC=mycompany" /d1 "06/09/2006" /d2 "06/09/2006" /f1 2 /f2 3 /s LogonSystemInfo /s "OTS Protected Storage" /r /f "C:\dpusers.log"

To specify the query parameters in a text file:

• Include the full path and filename.
• Specify parameters the same as on the command line, with no extra characters or lines.
• Do not include any other parameters on the command line.

Example

RunDll32.exe [Full Path]DPSrvQuery.dll, CmdQuery @[path/filename].cmd
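As an added example that is not part of DigitalPersona Pro or of this guide, the following Python builds the CmdQuery switch list described on the preceding pages, the text of a parameter file for the @ form, and the matching RunDll32 invocations, and checks the constraints the guide states before anything is run: /o is required, /f1 and /f2 take 1-10 (or both 0 to list users with no enrolled fingerprints), dates are mm/dd/yyyy, and a parameter file is used on its own with no other switches. The DLL path and the parameter-file path are placeholders; the guide's own examples name the DLL both DPUserQuery.dll and DPSrvQuery.dll, and DPUserQuery.dll is used here.

```python
"""Build a DigitalPersona Pro User Query Tool (CmdQuery) invocation.

Added example; not part of DigitalPersona Pro or this guide. It reproduces
the documented RunDll32 syntax and enforces the documented constraints.
The DLL path and parameter-file path are placeholders.
"""
from datetime import datetime

# Placeholder install path; substitute the real location of the query DLL.
DEFAULT_DLL = r"C:\DPTools\DPUserQuery.dll"


def is_valid_fp_range(min_fp, max_fp):
    """True when /f1 and /f2 satisfy the documented rules.

    Either switch may be omitted (None). Values run 1-10, except that both
    may be 0 together, which asks for users with no enrolled fingerprints.
    """
    if min_fp == 0 or max_fp == 0:
        return min_fp == 0 and max_fp == 0
    for n in (min_fp, max_fp):
        if n is not None and not 1 <= n <= 10:
            return False
    if min_fp is not None and max_fp is not None and min_fp > max_fp:
        return False
    return True


def _quote(value):
    """Wrap a value in double quotes as the guide's examples do."""
    return f'"{value}"'


def build_query_args(container, *, date_from=None, date_to=None,
                     min_fp=None, max_fp=None, count_secrets=False,
                     secrets=(), recursive=False, out_file=None):
    """Return the CmdQuery switch list, in the order the guide's example uses."""
    if not container:
        raise ValueError("/o (container DN) is required")
    args = ["/o", _quote(container)]
    for switch, date in (("/d1", date_from), ("/d2", date_to)):
        if date is not None:
            datetime.strptime(date, "%m/%d/%Y")  # ValueError unless mm/dd/yyyy
            args += [switch, _quote(date)]
    if not is_valid_fp_range(min_fp, max_fp):
        raise ValueError("/f1 and /f2 must be 1-10, or both 0")
    for switch, count in (("/f1", min_fp), ("/f2", max_fp)):
        if count is not None:
            args += [switch, str(count)]
    if count_secrets:
        args.append("/s")  # bare /s: number of secrets per user
    for name in secrets:
        # /s <name>: reports Yes or No for that specific secret
        args += ["/s", _quote(name) if " " in name else name]
    if recursive:
        args.append("/r")
    if out_file is not None:
        args += ["/f", _quote(out_file)]  # omitted: results go to stdout
    return args


def command_line(args, dll=DEFAULT_DLL):
    """Full command as typed into the Run dialog or a script."""
    return f"RunDll32.exe {dll}, CmdQuery " + " ".join(args)


def param_file_text(args):
    """Contents of the .cmd parameter file: the switches on one line, nothing else."""
    return " ".join(args)


def param_file_command(param_path, dll=DEFAULT_DLL):
    """Invocation that reads the switches from a parameter file (@ form).

    The guide says no other switches may accompany @, so none are accepted.
    """
    return f"RunDll32.exe {dll}, CmdQuery @{_quote(param_path)}"


if __name__ == "__main__":
    query = build_query_args(
        "CN=Users;DC=mycompany;DC=com",
        date_from="01/23/2006", date_to="12/31/2006",
        min_fp=2, max_fp=3, count_secrets=True,
        secrets=("LogonSystemInfo",), recursive=True,
        out_file=r"C:\dpusers.log",
    )
    print(command_line(query))
    print(param_file_text(query))
    print(param_file_command(r"C:\scripts\myquery.cmd"))  # placeholder path
```

Write the string from param_file_text to the .cmd file with no trailing newline or extra characters, as the guide requires, and then run only the @ form.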


Cleanup Wizard

Although the Add/Remove Programs Control Panel uninstalls DigitalPersona Pro Server software, the user data—such as fingerprint credentials and secure application data—and global domain data remain in Active Directory. DigitalPersona provides the DigitalPersona Pro Cleanup Wizard to remove this data. However, if you are planning to reinstall DigitalPersona Pro Server, you may want to retain the user data.

Note
This wizard provides full cleanup of all DigitalPersona Pro data. For removal of individual user data, see "Deleting User Credentials using the ADSI Edit Tool" on page 106.

To run the DigitalPersona Pro Cleanup Wizard

1. Double-click DPCleanup.exe to launch the DigitalPersona Pro Cleanup Wizard. It is located in the Server installation package in the Administration Tools, AD Clean Up folder.
2. When the installer runs, you are prompted to choose the type of clean up you want to perform:
   • Delete DigitalPersona Pro user data. This option removes all DigitalPersona Pro data associated with users on the domain, such as fingerprint credentials and secure application data. If you choose to delete DigitalPersona Pro user data, all users in the domain must enroll their fingerprints again.
   • Full clean up. This option removes both DigitalPersona Pro data associated with users on the domain and global data. If you choose full clean up, you must reinstall all DigitalPersona Pro Servers on the domain and run the Active Directory Domain Configuration Wizard again.
3. When prompted to proceed with the removal of DigitalPersona Pro data, click Yes.
4. Choose a location and name for the log file generated during the data removal process.


The wizard will then remove the data from Active Directory; however, you must manually remove any DigitalPersona Pro Group Policy Objects.

Warning
Data changes take time to propagate in Active Directory. Do not configure a domain for DigitalPersona Pro Server or reinstall Server software until all changes made by the removal of domain global data are replicated throughout the domain.

Running the DigitalPersona Pro Clean Up Wizard will render all Pro Servers on the domain inoperable. To restore Pro Server functionality after performing a full cleanup, run the Active Directory Domain Configuration Wizard again, as described in "Configure each domain" on page 41, and then reinstall Pro Server.


Chapter 10 - DigitalPersona Pro Events

DigitalPersona Pro for AD writes all authentication and user record modification events to the Windows Event Log with a date and time stamp. You can view when users have attempted to access networked computers, password-protected applications and Web sites using Pro authentication, as well as whether the attempt succeeded or failed.

DigitalPersona Pro events are provided within the following task categories.

Category  Description                          Page
256       Fingerprint/Credentials Management   166
512       User Management                      166
768       General Secret Management            167
1024      Logon/Unlock                         168
1280      One Touch SignOn                     169
1536      Kiosk                                170
1792      Computer Environment                 171
2048      Fingerprint Match                    171
2304      DNS Registration                     172
4096      License Management                   173

The following tables list all Pro events by task category, providing the Event name and ID, error type, and error level (on the Pro Server, on the Workstation/Kiosk, or both).


Fingerprint/Credentials Management
Task Category: 256

These events may be generated during fingerprint/credentials management.

Event                              ID   Type  Srvr  Wks
Register fingerprint (Success)     257  S     Dt    Dt
Register fingerprint (Failure)     258  F     A     A
Delete fingerprint(s) (Success)    259  S     A     A
Delete fingerprint(s) (Failure)    260  F     A     A
Replace fingerprint(s) (Success)   261  S     A     A
Replace fingerprint(s) (Failure)   262  F     A     A

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details

User Management
Task Category: 512

The following events may be logged during the management of users.

Event                                  ID   Type  Srvr  Wks
Add user record (Success)              513  S     A     A
Add user record (Failure)              514  F     A     A
Delete user record (Success)           515  S     Dbg   Dbg
Delete user record (Failure)           516  F     Dbg   Dbg
Change account ctrl flags (Success)    517  S     Dt    Dt


Event                                  ID   Type  Srvr  Wks
Change account ctrl flags (Failure)    518  F     Dt    Dt
Unlock user account                    519  S     Dt    -
Password randomized                    521  S     Dt    Dt
User record consistency check failed   523  E     A     A
User record signature check failed     524  E     A     A

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details

General Secret Management
Task Category: 768

The following events may be generated during the management of secrets.

Event                                           ID   Type  Srvr  Wks
Add secret (Success)                            769  S     Dt    Dt
Add secret (Failure)                            770  F     A     A
Delete secret (Success)                         771  S     Dt    Dt
Delete secret (Failure)                         772  S     Dt    Dt
Replace secret (Success)                        773  S     Dt    Dt
Replace secret (Failure)                        774  F     A     A
Secret content released (Logon & OTS secrets)   775  S     A     A
Secret consistency check failed                 776  E     A     A


Event                            ID   Type  Srvr  Wks
Secret signature check failed    777  E     A     A

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details

Logon/Unlock
Task Category: 1024

The following events are logged during the logon, lock and unlock processes.

Event                           ID    Type  Srvr  Wks
Logon                           1025  S     -     A
Kiosk Logon                     1026  S     -     A
Logoff                          1027  S     -     Dt
Kiosk Logoff                    1028  S     -     Dt
Lock                            1029  S     -     Dt
Kiosk Lock                      1030  S     -     Dt
Unlock                          1031  S     -     A
Kiosk Unlock                    1032  S     -     A
Registered PIN                  1033  S     -     Dt
Change PIN                      1034  S     -     Dt
FP used to unlock smart card    1035  S     -     Dt
Shared account problem          1036  E     -     E


Event                     ID    Type  Srvr  Wks
Shared account missing    1037  E     -     E

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details

One Touch SignOn
Task Category: 1280

These events may be generated by the One Touch SignOn component (Pro 4.x only).

Event                                 ID    Type  Srvr  Wks
OTS started                           1281  S     -     Dbg
OTS stopped                           1282  S     -     Dbg
Agent cannot start                    1283  E     -     E or Dbg
Password change canceled by user      1285  S     -     Dbg
Initial fillin was performed          1288  S     -     Dbg
Fillin was performed                  1289  S     -     A
Account data could not be modified    1290  E     -     E
Account data successfully modified    1291  S     -     A
CRC check failure                     1292  E     -     E

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details


Kiosk
Task Category: 1536

Kiosk events are logged when the Kiosk ID List is created, deleted or modified.

Event                                  ID    Type  Srvr  Wks
User added to Kiosk ID List            1537  S     A     Dt
User deleted from Kiosk ID List        1538  S     A     Dt
User pushed out of the User ID List    1539  S     A     Dt
Kiosk ID List created                  1540  S, F  A     Dt
Kiosk ID List deleted                  1541  S, F  A     Dt

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details


Computer Environment
Task Category: 1792

The following events relate to the general computer environment.

Event                            ID    Type  Srvr  Wks
Reader connected                 1793  I     -     Dt
Reader disconnected              1794  I     -     Dbg
DPHost started                   1795  I     Dt    Dt
DPHost cannot start              1797  F     E     E
Connection to server succeeded   1798  S     -     Dt
Connection to server failed      1799  W     -     Dt
Server busy                      1800  E     E     E

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details

Fingerprint Match
Task Category: 2048

The following events may be generated during the fingerprint matching process.

Event                      ID    Type  Srvr  Wks
Match one-to-one failed    2049  F     -     A
Match one-to-many failed   2050  F     -     A
Account locked out         2051  F     A     -


Event             ID    Type  Srvr  Wks
DPHost stopped    1796  I     Dt    Dt

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details

DNS Registration
Task Category: 2304

DNS Registration events are logged when the Pro Server software fails to register or remove DigitalPersona Pro registration records from the Active Directory DNS server.

Event                        ID    Type  Srvr  Wks
DNS update disabled          2305  W     A     -
DNS registration failed      2306  E     E     -
DNS unregistration failed    2307  E     E     -

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details


License Management
Task Category: 4096

License Management events are logged to provide information about your license use.

Event                        ID    Type  Srvr  Wks
License quota exceeded       4097  E     A     -
License quota near limit     4098  W     A     -

Type: S = Success, F = Failure, E = Error, W = Warning, I = Information
Level: E = Error, A = Audit, Dt = Details, Dbg = Fine details
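As an added example that is not part of DigitalPersona Pro or this guide, the following Python triages a constructed export of the events tabulated in this chapter: it maps each event ID back to its task category, flags the failure and integrity-check events a defender would route to an alert rather than leave in audit detail, and counts repeated failed fingerprint matches per user, the pattern that precedes the Account locked out event (2051). The tab-separated export layout (timestamp, event ID, user, computer), the selection of alert-worthy IDs and the repeat threshold are assumptions, not product settings.

```python
"""Triage DigitalPersona Pro events exported from the Windows Event Log.

Added example, not part of DigitalPersona Pro or this guide. Task categories
and event IDs come from the tables in this chapter; the export layout, the
alert list and the threshold are assumptions.
"""
from collections import Counter
from typing import NamedTuple

TASK_CATEGORIES = {
    256: "Fingerprint/Credentials Management",
    512: "User Management",
    768: "General Secret Management",
    1024: "Logon/Unlock",
    1280: "One Touch SignOn",
    1536: "Kiosk",
    1792: "Computer Environment",
    2048: "Fingerprint Match",
    2304: "DNS Registration",
    4096: "License Management",
}

# Failure and integrity events from the tables that merit an alert rather
# than plain audit detail (an assumed selection, not the product's own list).
ALERT_EVENTS = {
    258: "Register fingerprint (Failure)",
    523: "User record consistency check failed",
    524: "User record signature check failed",
    776: "Secret consistency check failed",
    777: "Secret signature check failed",
    1292: "CRC check failure",
    2049: "Match one-to-one failed",
    2050: "Match one-to-many failed",
    2051: "Account locked out",
    2306: "DNS registration failed",
    4097: "License quota exceeded",
}
FAILED_MATCH_EVENTS = {2049, 2050}
REPEATED_FAILURE_THRESHOLD = 3  # assumed tuning value


class ProEvent(NamedTuple):
    timestamp: str
    event_id: int
    user: str
    computer: str


def category_of(event_id):
    """Map an event ID to its task category.

    Every category in the tables is a multiple of 256 and each event ID is
    the category plus a small offset, so rounding down to a multiple of 256
    recovers the category; IDs outside the tables map to "Unknown".
    """
    return TASK_CATEGORIES.get(event_id // 256 * 256, "Unknown")


def parse_events(lines):
    """Parse the constructed tab-separated export into ProEvent records."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, eid, user, computer = line.rstrip("\n").split("\t")
        events.append(ProEvent(ts, int(eid), user, computer))
    return events


def triage(events):
    """Return (findings, repeated).

    findings lists every alert-worthy event with its category; repeated maps
    each user whose failed fingerprint matches reached the threshold to the
    count of those failures.
    """
    findings = []
    failed_matches = Counter()
    for ev in events:
        if ev.event_id in ALERT_EVENTS:
            findings.append({
                "time": ev.timestamp,
                "id": ev.event_id,
                "name": ALERT_EVENTS[ev.event_id],
                "category": category_of(ev.event_id),
                "user": ev.user,
                "computer": ev.computer,
            })
        if ev.event_id in FAILED_MATCH_EVENTS:
            failed_matches[ev.user] += 1
    repeated = {u: n for u, n in failed_matches.items()
                if n >= REPEATED_FAILURE_THRESHOLD}
    return findings, repeated


# Constructed sample export (not real log data).
SAMPLE_LINES = [
    "2015-07-10 09:01:12\t1025\tjdoe\tWS01",      # Logon (success)
    "2015-07-10 09:02:30\t2049\tjdoe\tWS01",      # Match one-to-one failed
    "2015-07-10 09:02:41\t2049\tjdoe\tWS01",
    "2015-07-10 09:02:55\t2050\tjdoe\tWS01",      # Match one-to-many failed
    "2015-07-10 09:03:10\t2051\tjdoe\tPROSRV1",   # Account locked out (server)
    "2015-07-10 09:15:00\t777\tasmith\tPROSRV1",  # Secret signature check failed
    "2015-07-10 09:20:00\t1793\tbjones\tWS02",    # Reader connected
    "2015-07-10 09:30:00\t2306\t-\tPROSRV1",      # DNS registration failed
]

if __name__ == "__main__":
    found, repeats = triage(parse_events(SAMPLE_LINES))
    for f in found:
        print(f"{f['time']}  {f['id']:>4}  {f['category']:<36} {f['name']}"
              f"  user={f['user']} host={f['computer']}")
    for user, n in repeats.items():
        print(f"{user}: {n} failed fingerprint matches")
```

Match failures (2049, 2050) and the lockout (2051) are logged at different levels on different sides (the failures on the Workstation, the lockout on the Server), so a collector that only reads one side will miss half of the sequence; the example assumes both have already been merged into one export.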


Part Four: Clients

Part Four of the DigitalPersona Pro for AD Administrator Guide includes the following chapters:

Chapter 11 - DigitalPersona Pro Workstation (page 175)
  Provides full instructions on the use of DigitalPersona Pro Workstation software, including information for administrators.

Chapter 12 - DigitalPersona Pro Kiosk (page 206)
  Provides full instructions on the use of DigitalPersona Pro Kiosk software, including information for administrators.


Chapter 11 - DigitalPersona Pro Workstation

DigitalPersona Pro Workstation provides several features that incorporate biometric authentication for secured sign on to Windows, applications and Web sites, as well as locking/unlocking the computer.

This chapter describes the features of DigitalPersona Pro Workstation, and the procedures for performing common tasks on the workstation, through the following topics:

• Features Overview on page 176
• One Touch Menu on page 178
• Reader Icon and Menu on page 180
• Fingerprint Reader Visual Cues on page 182
• Fingerprint Enrollment on page 184
• One Touch Logon on page 187
• One Touch Features on page 194
• One Touch Internet on page 195
• Managing Fingerprint Logons on page 199
• DigitalPersona Pro Workstation Properties on page 201
• Deleting Enrolled Fingerprints on page 203
• Changing Your Windows Password on page 204
• Fingerprint Reader Usage and Maintenance on page 205


Features Overview

DigitalPersona Pro Workstation includes the following features. The availability of particular features, and the behavior of some features, can be configured by the administrator.

This topic provides a brief description of each feature, in the same order as they are introduced in the rest of the chapter.

One Touch Menu
The One Touch Menu provides convenient one touch access to many of the features of DigitalPersona Pro Workstation. The administrator can control which features are listed on the menu by modifying the registry keys for the One Touch Menu, exporting the new settings in a .reg file and importing those settings on the target machines (see "One Touch Menu Content" on page 256).

Reader Icon and Menu
The Reader Icon, displayed in the taskbar notification area, indicates whether or not a fingerprint reader is connected, and provides single-click access to many of the features of DigitalPersona Pro Workstation.

Fingerprint Reader Visual Cues
During the processes of Fingerprint Enrollment and Authentication (explained below), an attached or embedded fingerprint reader is used to scan the user's fingerprints. Visual cues let the user know the status of the reader, the result of fingerprint scans, and the success or failure of authentication.

Fingerprint Enrollment
In order to access the main features of DigitalPersona Pro Workstation, the end user must first enroll their fingerprints. Templates of their enrolled fingerprints are used in the authentication process that provides the convenience and security of One Touch Logon, One Touch Internet and One Touch Lock/Unlock.

One Touch Logon
One Touch Logon provides the ability to log on to a Windows account by simply touching a fingerprint reader.

One Touch Unlock
One Touch Unlock provides the ability to lock or unlock your computer by touching a fingerprint reader.

One Touch Internet
One Touch Internet allows the end user to create Fingerprint Logons that can be used to log on to Web sites by touching a fingerprint reader.

DigitalPersona Pro Workstation Properties
Certain behaviors of DigitalPersona Pro Workstation can be configured by the end user through the Workstation Properties dialog.

Changing Your Windows Password
This topic provides instructions for changing your Windows password. The procedure for changing your Windows password is slightly different after DigitalPersona Pro is installed.

Managing Enrolled Fingerprints
This topic provides instructions for editing and deleting your enrolled fingerprints.

Fingerprint Reader Usage and Maintenance
This topic provides instructions on the use and care of the fingerprint reader.


One Touch Menu

The One Touch Menu provides fast and convenient access to the One Touch applications, settings and help. To enable and configure the One Touch Menu, refer to "Quick Actions" on page 201. To display the One Touch Menu, place an enrolled finger on the reader.

[Figure: the One Touch Menu, with callouts for Create fingerprint logons for Web sites and programs; Launch Online Help for Pro Workstation; Quick access to Web sites that are fingerprint-enabled; Configure Pro Workstation properties]

The One Touch Menu provides the following commands:

Create Fingerprint Logon
The Create Fingerprint Logon menu item launches the Fingerprint Logon Wizard, which guides the user through the process of setting up their personal Web site logon screens, as described in "One Touch Internet" on page 195. This item appears on the One Touch Menu if One Touch Internet is installed.

Quick Links
Point to Quick Links to display the One Touch SignOn and One Touch Internet Quick Links for Web sites. Click a Quick Link to launch the associated password-protected Web site. The appropriate account data will also be submitted.

For more information on One Touch SignOn and creating templates for programs and Web sites, refer to "One Touch SignOn Administration Tool" on page 117.


Help
Clicking Help launches the Online Help file for DigitalPersona Pro Workstation for Active Directory. It contains step-by-step instructions for using various product features, including use of the One Touch applications.

Properties
Click Properties to configure DigitalPersona Pro on the Workstation, as described in "DigitalPersona Pro Workstation Properties" on page 201.


Reader Icon and Menu

When DigitalPersona Pro Workstation is installed on a workstation, a reader icon is placed in the taskbar notification area. It displays the connectivity status of the reader and provides convenient access to various functions.

• When the reader is connected and the driver is installed, the reader icon appears.
• If the reader is not connected, a red X is displayed over the reader icon.

[Figure: the two reader icons; one indicates the reader is connected and the driver is installed, the other indicates the reader is disconnected or the driver is not installed]

The reader icon also provides a shortcut menu containing the features described below:

Lock Computer
Lock Computer immediately locks your computer so that others cannot use it. The procedure for unlocking the computer will depend on the logon policy applied to the computer. You can also double-click the reader icon to lock your computer.

Fingerprint Enrollment
Launches the Fingerprint Enrollment Wizard, which guides you through the process of enrolling your fingerprints. (See page 184.)


Fingerprint Logon Manager
Opens the Fingerprint Logon Manager, described on page 199.

Properties
Click Properties to configure DigitalPersona Pro on your computer, as described in "DigitalPersona Pro Workstation Properties" on page 201.

Help
Clicking Help launches the Online Help for DigitalPersona Pro Workstation.

Hide Icon
To hide the reader icon, click Hide Icon. To display the icon again, use the DigitalPersona Pro Properties dialog box, as described in "Show Fingerprint Reader Icon on Taskbar" on page 202.


Fingerprint Reader Visual Cues

DigitalPersona Pro Workstation provides several visual cues related to the process of scanning your fingerprints.

Fingerprint Prompt Feedback
Pro Workstation displays a stylized fingerprint to prompt the user to place their finger on the fingerprint reader. If the reader is connected but not yet available for use, an hourglass is shown on top of the fingerprint. When the hourglass disappears, you may place an enrolled finger on the reader.

Fingerprint Scan Acquisition Feedback
When your fingerprint has been scanned, the fingerprint image is shown with a darker background. You can also specify that a sound plays, and/or disable display of the feedback icons. See "Enable Sound Feedback" on page 202.

Fingerprint Recognition Feedback
Pro Workstation uses these images to indicate whether the scanned fingerprint is recognized as an enrolled fingerprint:
• If the fingerprint scan is recognized, a checkmark is displayed over the fingerprint image.
• If the fingerprint scan is not recognized, a question mark is displayed over the fingerprint image.
• If the account is locked out or fingerprint authentication is not allowed, a circle with a diagonal line through it is placed over the fingerprint image.


Reader Not Found Feedback
An image of a reader with a red X over it is displayed on the logon screen, on the desktop and in the notification area on the taskbar if a reader is not connected or installed. The same icon is used in the notification area and on the logon screen.

The fingerprint reader may not be available for the following reasons:
• The fingerprint reader is not connected.
• The fingerprint reader driver is either not installed or requires updating.

Built-in Swipe Readers
The user experience is the same with either the DigitalPersona U.are.U Fingerprint Reader or the supported built-in swipe readers embedded in many popular notebooks. The user may enroll their fingerprints with either the DigitalPersona U.are.U Fingerprint Reader or the embedded built-in swipe reader.

Note
You may only use one fingerprint reader during the fingerprint enrollment process. If you use the DigitalPersona Fingerprint Reader and then switch to a built-in swipe reader, or vice versa, the enrollment process will fail.


Fingerprint Enrollment

The Fingerprint Enrollment Wizard guides the end user through the process of enrolling their fingerprints. If you are not permitted to enroll fingerprints, it may be because of settings implemented by your administrator.
• If you have not enrolled fingerprints yet, and One Touch Logon is installed, the Fingerprint Enrollment Wizard launches automatically after logging on.
• On Windows Vista, click the balloon that displays near the notification area to enroll your fingerprints, or click the Fingerprint Reader icon and select Fingerprint Enrollment to launch the Fingerprint Enrollment Wizard.

You should enroll your fingerprints the first time the Fingerprint Enrollment Wizard displays, because your administrator may have implemented logon settings that require you to provide a fingerprint the next time you log on.
• You must have a Windows user account and be logged on to that account to enroll your fingerprints.
• To successfully enroll one fingerprint, that fingerprint must be scanned four times by the fingerprint reader. "Fingerprint Reader Usage and Maintenance" on page 205 contains guidelines on how to correctly place the finger on the fingerprint reader.

Note
When using Attended Fingerprint Enrollment (see page 114), the Fingerprint Enrollment Wizard is disabled.

To enroll fingerprints using the Fingerprint Enrollment Wizard
1 Launch the Fingerprint Enrollment Wizard by clicking the reader icon in the notification area and selecting Fingerprint Enrollment.
2 Click Next. If the Fingerprint Enrollment Wizard cannot locate a DigitalPersona Pro Server, your enrolled fingerprints will be saved on this computer instead of in Active Directory. You are prompted to confirm that you want to save your fingerprints locally only. This prevents you from using your enrolled fingerprints from another computer. Click Yes to confirm, or click No, troubleshoot to determine why a DigitalPersona Pro Server was not found, and rerun the wizard when the problem is resolved.


If the licensed number of users has been exceeded, you will receive an error message and cannot enroll your fingerprints. Contact your administrator for guidance.
3 When prompted, verify your identity, either by typing your Windows password if you do not have any enrolled fingerprints yet, or by touching the reader with any enrolled finger. If you have more than one fingerprint reader attached to your computer, you will be prompted to select one of them to use for fingerprint enrollment.
4 An outline of two hands is displayed. Fingers that are already enrolled are highlighted in green, and the title bar indicates whether your fingerprint credentials are stored locally or on the server. Click the finger you want to enroll on the outline.

Note
Clicking a green highlighted finger deletes the associated enrolled fingerprint.

5 When you have selected a finger to enroll, you are prompted to place that finger on the reader four times. The Fingerprint Enrollment Wizard provides feedback indicating the quality of each fingerprint scan. If a scan is not of acceptable quality, you are prompted to touch the reader again. When you have provided four good fingerprint scans, the fingerprint is successfully enrolled and is highlighted in green on the outline.


The wizard shows one image when a fingerprint scan was successful and a different image when it was not.
6 Click Next, or select another finger to enroll by clicking a finger that is not highlighted on the outline. The number of fingers you are allowed to enroll is determined by the value of the Maximum Number of Fingers setting, as described on page 92. If the settings allow, it is recommended that you enroll two fingers, preferably the index finger of each hand. Enrolling two or more fingers ensures that if you cannot use one enrolled finger, you can use the other.
7 If you enrolled only one fingerprint, you may be prompted to enroll another. Click Yes to enroll another fingerprint or click No to close the prompt.
8 Click Finish to exit the wizard and save your changes. Your enrolled fingerprint can now be used to log on to your Windows account, as well as to programs and Web sites that have been set up for fingerprint logon.
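The enrollment rules above (four acceptable scans per finger, the Maximum Number of Fingers limit, a single reader for the whole enrollment session, and local storage instead of Active Directory when no Pro Server is found) can be checked in code. The following Python model is an added example and is not DigitalPersona code; the boolean scan-quality flag, the reader labels, and the class and method names are assumptions made for the model, and the product's own template format is not described on this page.

```python
"""Model of the Fingerprint Enrollment Wizard flow described above.
Added example, not DigitalPersona code: scan quality is reduced to a boolean
and a reader is identified by an arbitrary label, both assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

SCANS_PER_FINGER = 4          # the wizard needs four good scans of a finger


class EnrollmentError(Exception):
    pass


@dataclass
class Scan:
    reader: str               # which reader produced the scan (assumed label)
    acceptable: bool          # did the wizard accept the scan's quality?


@dataclass
class EnrollmentSession:
    max_fingers: int                      # Maximum Number of Fingers setting
    server_available: bool                # was a DigitalPersona Pro Server found?
    enrolled: Set[str] = field(default_factory=set)
    reader_in_use: Optional[str] = None   # first reader touched in this session

    @property
    def storage(self) -> str:
        """Where the templates go; local-only ones cannot be used elsewhere."""
        return "Active Directory" if self.server_available else "this computer"

    def click_finger(self, finger: str) -> str:
        """Clicking an already-enrolled (green) finger deletes its template."""
        if finger in self.enrolled:
            self.enrolled.remove(finger)
            return "deleted"
        return "selected"

    def enroll_finger(self, finger: str, scans: List[Scan]) -> bool:
        """Feed scans in order; True once four acceptable scans were seen."""
        if finger in self.enrolled:
            raise EnrollmentError(f"{finger} is already enrolled")
        if len(self.enrolled) >= self.max_fingers:
            raise EnrollmentError("Maximum Number of Fingers reached")
        good = 0
        for scan in scans:
            if self.reader_in_use is None:
                self.reader_in_use = scan.reader
            elif scan.reader != self.reader_in_use:
                # switching between the U.are.U reader and a built-in swipe
                # reader during enrollment makes the enrollment fail
                raise EnrollmentError("reader changed during enrollment")
            if scan.acceptable:
                good += 1
                if good == SCANS_PER_FINGER:
                    self.enrolled.add(finger)
                    return True
            # a poor scan only re-prompts: it is neither counted nor fatal
        return False

    def second_finger_recommended(self) -> bool:
        """The wizard suggests a second finger when only one is enrolled."""
        return len(self.enrolled) == 1 and self.max_fingers >= 2
```

Each call to `enroll_finger` plays one finger's scans through the session; a session that sees two different reader labels raises, which is the failure the note under "Built-in Swipe Readers" warns about.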


One Touch Logon

One Touch Logon provides the ability for users to log on to their Windows account by simply touching a supported fingerprint reader.

If the One Touch Logon feature has been enabled:
• On the Welcome screen, you will see a tile with the caption Touch the reader to log on.
• Under Windows XP and previous versions of Windows, One Touch Logon modifies the standard Windows logon dialog box, prompting you for your credentials according to the logon settings implemented by your administrator. For example, you may need to provide both a smart card and a fingerprint to log on. One Touch Logon guides you through providing the required credentials so that you can log on to Windows.
• If a Secure Attention Sequence policy is enabled, the user will always be required to press Ctrl+Alt+Del prior to logging on.

If the One Touch Logon feature has not been enabled, the user's logon procedure does not change. However, they will still need to enroll their fingerprints in order to use other DigitalPersona Pro features. See "Fingerprint Enrollment" on page 184.

Before a user can use One Touch Logon, they must first log on as usual and enroll their fingerprints.


Logging on to Windows
One Touch Logon supports logging on to Windows user accounts by using any enrolled fingerprint, a fingerprint and a PIN (Personal Identification Number), a fingerprint and the Windows password, or a smart card.

One Touch Logon prompts users for their credentials according to the logon policy, cached credentials, and identification list settings implemented by the administrator.

Logon Policy
One Touch Logon first uses the logon policy applied to the computer through the Workstation Administrative Template (as described in "Multi-credential Logon to Windows" on page 96) to determine which credentials are needed to log on.
• If a logon policy requires an enrolled fingerprint, One Touch Logon prompts the user to place an enrolled finger on the reader. The user can place an enrolled finger on the reader or press Ctrl+Alt+Delete.
• If required, they are also prompted for their Windows logon password.

If cached credentials and identification list settings permit, the user name and domain may be provided automatically, so that the user need only provide a password.
• When a Password is not allowed for logon setting is applied to the computer, the user is prompted only for an enrolled fingerprint.
• A password-only policy prompts the user for their standard logon credentials.
• If either a fingerprint or a password is required, the user is prompted for an enrolled fingerprint. They can press Ctrl+Alt+Delete and enter their password; however, if the user provides an enrolled fingerprint, they are not prompted for their password and are logged on.


Cached Credentials and the Identification List
On the Welcome screen, if cached credentials and the identification list are enabled, One Touch Logon identifies the user through the identification list.
• If the credentials are cached and the user is on the identification list, they are immediately logged on if the policy requires a fingerprint only or either a fingerprint or a password. If required, they are also prompted for a password before logging on; the user name and domain are provided automatically.
• If the credentials are cached but the user is not on the identification list, they are prompted to press Ctrl+Alt+Delete and provide their user name and domain before they can log on, regardless of the logon policy.
• If the user is still not identified, they may attempt to use their enrolled fingerprint two more times before they are advised to log on by typing their account information manually.

The Identification List
Each Workstation has an identification list which contains an administrator-specified number of user accounts. It is used in conjunction with cached credentials to identify a user by their fingerprint and, as an added convenience, frees them from typing their user name and domain at Windows logon.

Users are added to the identification list in the order they log on. The most recent user to log on is added to the top of the list. If the list has reached its capacity, the least recent user to log on is removed from the list when another user logs on. If a user is already on the list and logs on again, they are moved from their original position on the list and placed on top.

Once removed, a user cannot be automatically identified, and must type their user name and domain at Windows logon. If DigitalPersona Pro is deployed in a networked environment with Pro Server support, it performs identification locally out of the set of users in the identification list and then, for added security, confirms the user's identity using the DigitalPersona Pro Server.

The number of users stored in the identification list is determined by the value of the "Maximum Size of Identification List" GPO setting, as described on page 96.
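The behaviour described under "Logon Policy", "Cached Credentials and the Identification List" and "The Identification List" (and the fingerprint PIN prompt described later in "Using Fingerprint PINs") is easier to reason about as a small model. The Python below is an added example, not DigitalPersona code; the policy names, the prompt strings, the function names and the way a local match and a server confirmation are passed in as callables are all assumptions made for the model.

```python
"""Model of One Touch Logon prompting and of the most-recently-used
identification list. Added example, not DigitalPersona code; policy names,
prompt strings and function names are assumptions."""
from collections import OrderedDict
from enum import Enum
from typing import Callable, List, Optional


class LogonPolicy(Enum):
    FINGERPRINT_ONLY = "password is not allowed for logon"
    PASSWORD_ONLY = "password only"
    FINGERPRINT_AND_PASSWORD = "fingerprint and password"
    FINGERPRINT_OR_PASSWORD = "either fingerprint or password"


class IdentificationList:
    """Accounts that recently logged on, capped by the Maximum Size of
    Identification List setting; the least recent account is dropped when a
    new one logs on to a full list."""

    def __init__(self, max_size: int):
        self.max_size = max_size
        self._users = OrderedDict()              # oldest first, newest last

    def record_logon(self, user: str) -> None:
        if user in self._users:
            self._users.move_to_end(user)        # already listed: move to top
        else:
            self._users[user] = None
            if len(self._users) > self.max_size:
                self._users.popitem(last=False)  # evict least recent user

    def __contains__(self, user: str) -> bool:
        return user in self._users

    def order(self) -> List[str]:
        return list(reversed(self._users))       # top of the list first


def identify(ids: IdentificationList,
             local_match: Callable[[str], bool],
             server_confirm: Optional[Callable[[str], bool]] = None) -> Optional[str]:
    """Identify among listed users locally; when a Pro Server is reachable the
    local match is only trusted once the server confirms it. An evicted user
    is never identified this way and must type name and domain."""
    for user in ids.order():
        if local_match(user):
            if server_confirm is not None and not server_confirm(user):
                return None
            return user
    return None


def logon_prompts(policy: LogonPolicy, used_fingerprint: bool,
                  identified: bool, pin_required: bool = False) -> List[str]:
    """Credentials One Touch Logon asks for, in order. `identified` means the
    credentials are cached and the user is on the identification list."""
    typed = ["user name and domain", "password"]          # Ctrl+Alt+Del path
    if policy is LogonPolicy.PASSWORD_ONLY:
        return typed
    if policy is LogonPolicy.FINGERPRINT_OR_PASSWORD and not used_fingerprint:
        return typed
    prompts: List[str] = []
    if not identified:
        # not on the list: name and domain must be typed, whatever the policy
        prompts.append("user name and domain")
    prompts.append("fingerprint")
    if policy is LogonPolicy.FINGERPRINT_AND_PASSWORD:
        prompts.append("password")
    if pin_required:
        prompts.append("fingerprint PIN")   # only after a fingerprint logon
    return prompts
```

The `identify` function makes the security point of the section explicit: with a Pro Server available, a local match against the cached list is a hint, and the server's confirmation is what the logon relies on.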


Cached Credentials
DigitalPersona Pro user data can be cached on any computer where a user logs on. The cached user data is used for local authentication when a DigitalPersona Pro Server is unavailable. Refer to "Cache Domain User Data on Local Computer" on page 95.

For example, if a user wants to log on to a domain and the computer is either disconnected from the network or the network is down, the authentication can be performed locally using the cached credentials.

All DigitalPersona Pro cached credentials are encrypted for security and privacy with the local key of the DigitalPersona Pro Workstation.

Fast User Switching
Fast User Switching is a feature of Windows that allows you to switch to a different computer user account without first closing programs and files. With One Touch Logon, you can use your fingerprint to switch to your Windows account on a computer with multiple users.

Domain users can also use their enrolled fingerprint to switch to their account if they have recently used the computer and are on the identification list.


Using Fingerprint PINs
Administrative Template settings may be used to provide an additional level of security by requiring that users type a short sequence of characters, known as a fingerprint PIN, each time they use a fingerprint to log on, unlock the computer, or change their Windows password.

Users must enroll a fingerprint before they can register a fingerprint PIN. If logon settings require a fingerprint PIN, they will be prompted to register one the first time they log on using an enrolled fingerprint.

Fingerprint PINs are used only together with fingerprints to log on, unlock the computer, or change the Windows password. They are not used for fingerprint logons to Web sites and programs or to unlock smart cards.

Registering Fingerprint PINs
When you create a fingerprint PIN, you can choose any sequence of four to eight numbers or letters. Make sure that you remember this code, or you may not be able to log on. The Register Fingerprint PIN dialog box displays automatically after you log on to Windows using a fingerprint if your logon settings require you to provide a fingerprint PIN in addition to a fingerprint.

You must register a fingerprint PIN when the Register Fingerprint PIN dialog box displays. If you click Cancel, you will be prevented from logging on with a fingerprint.

To register a fingerprint PIN
1 In the New fingerprint PIN text box, type from 4 to 8 characters, and then type it again in the Confirm fingerprint PIN text box.
2 Click OK to save the fingerprint PIN.

After you register your fingerprint PIN, you can change it at any time.


After you register a fingerprint PIN, you will be prompted to type it each time you use a fingerprint to log on, unlock the computer, or change the Windows password. The Verify Fingerprint PIN dialog box displays each time the fingerprint PIN is required.

To use a fingerprint PIN
1 When the Verify Fingerprint PIN dialog box displays, type your fingerprint PIN and click OK.

The fingerprint PIN is not required when you use fingerprint logons to Web sites or programs, or when you unlock a smart card with a fingerprint.

Changing Fingerprint PINs
You can change your fingerprint PIN at any time during your Windows session. You must type the current PIN and then type a new code of four to eight characters.

To change a fingerprint PIN
1 Press Ctrl+Alt+Delete.
2 Click the Manage Fingerprints button and then select Change Fingerprint PIN from the drop-down box. In Windows Vista, click Change a password, then select Change fingerprint PIN.
3 In the Change Fingerprint PIN dialog box, type your current fingerprint PIN in the Old Fingerprint PIN text box.
4 Type a new fingerprint PIN in the New Fingerprint PIN text box and then type it again in the Confirm New Fingerprint PIN text box.
5 Touch the reader with an enrolled finger for verification. A green check mark displays on the reader icon in the dialog box when the fingerprint is successfully verified.
6 Click OK to change your current fingerprint PIN to the new one you specified.


Using Smart Cards for Logon
If the user has a smart card reader connected to their computer, the Welcome screen includes instructions for using the smart card. If the user is required to log on with a smart card, they must insert the smart card into the smart card reader first, before providing any other credentials, such as a fingerprint. Settings cannot require the user to provide both a smart card and a password for logon.

Smart card users are required to type a user PIN (Personal Identification Number) to access the smart card. This PIN is provided with the smart card package, and is not the same as the fingerprint PIN discussed in the previous topic.

To use a smart card to log on
1 Insert the smart card into the smart card reader first, even if you must provide a fingerprint as one of your credentials. The PIN dialog box displays, requesting the PIN to access the smart card.
2 Type the user PIN for the smart card and click OK. If the logon settings allow it, you can touch the fingerprint reader with an enrolled finger instead of typing the PIN for the smart card.

User Account Control
On Windows Vista, the fingerprint of someone with administrator privileges on the computer can be used, instead of their user name and password, to give a standard user permission to perform an activity that is restricted by User Account Control. When the User Account Control dialog displays, a local administrator with an enrolled fingerprint can use their fingerprint to permit the activity.


One Touch Features

In addition to One Touch Logon and One Touch SignOn, DigitalPersona Pro Workstation includes One Touch Unlock and One Touch Internet.

One Touch Unlock
To lock your computer, double-click the fingerprint reader icon or click Lock Computer on the fingerprint reader icon's context menu. The reader icon is located in the notification area on the taskbar.
• On most versions of Windows, when your computer becomes locked, One Touch Unlock replaces the standard Windows Computer Locked dialog box. One Touch Unlock guides you through providing the required credentials to unlock your computer. The required credentials depend on the logon settings implemented by your administrator. You can also press Ctrl+Alt+Delete to type your account information and provide the required credentials.
• On Windows Vista, the Locked screen is displayed. Press Ctrl+Alt+Delete to display the Computer Locked screen and click the fingerprint icon to unlock the computer, or press Ctrl+Alt+Delete to type your account information and provide the required credentials.

Note
This feature is only available if One Touch Logon is installed.


One Touch Internet

One Touch Internet (OTI) provides end users with the ability to create fingerprint logons to password-protected programs and Web sites for their personal use.

In creating a fingerprint logon, you provide your logon data to OTI once; on subsequent logons you just launch the Web site and touch the reader with an enrolled finger. OTI automatically enters your user name and password in the logon screen text boxes. It can also be configured to submit your credentials for you by clicking the Submit button, or an equivalent button, on your behalf.

Fingerprint logons can also be created with the One Touch SignOn Administration Tool and deployed to DigitalPersona Pro Workstations through Active Directory or other means. See "One Touch SignOn Administration Tool" on page 117 for details.

The differences between One Touch Internet and One Touch SignOn are:
• OTI allows end users to easily create their own fingerprint logons to Web sites and programs.
• OTS is an administrator tool for creating and deploying templates that provide fingerprint logons to end users for one-touch access to Web sites and programs. It also provides more advanced options for manually creating fingerprint logons for non-standard application logon screens, Web sites and Password Change screens.
• OTS fingerprint logons are centrally administered and stored in Active Directory, so that if a user needs to be re-created, gets a new workstation, or uses multiple workstations, the fingerprint logon "roams" with the user. OTI fingerprint logons are unique to an individual user profile.

If fingerprint logons created by both OTI and OTS exist on the same computer for the same logon screen, the OTS fingerprint logon is used.

Users can access fingerprint-enabled Web accounts from the One Touch Menu. Just touch the reader to display the menu, point to Quick Links and then click the fingerprint logon for the Web site you want to access. The browser that was used in setting up the fingerprint logon is launched automatically and your logon data is submitted for you.


Logging On to Web Sites and Programs
You can log on to a fingerprint-enabled logon screen by doing one of the following:
• Type the URL in a Web browser, or launch the program that contains the logon screen for which you have created a fingerprint logon. The logon screen displays a DigitalPersona fingerprint logon icon in its upper left corner, indicating that you can touch the reader with any enrolled finger to log on to that Web site or program.

Note
If you created more than one account for the Web site or program, you are prompted to choose the account data you want to use to log on.

• If you have a Quick Link for a Web site, point to Quick Links on the One Touch Menu, and then click the fingerprint logon title that corresponds to the Web site or program you want to access. If you configured the fingerprint logon to submit your account information automatically, you are immediately logged on.
• If required fields were left blank in the account data when the fingerprint logon was created, the Enter Account Data dialog box displays. Type the required data in the fields and click OK to log on.


Creating Fingerprint Logons
Creating a fingerprint logon requires you to enter your account data with DigitalPersona Pro once. Then, on subsequent logons, you only need to browse to the Web site, or launch the program, and touch the reader with any enrolled finger. DigitalPersona Pro automatically enters your user name and password, and any other necessary account data, in the appropriate logon screen text boxes and, if configured, submits your account data.

Your administrator may have already created fingerprint logons for you. If so, you should use the fingerprint logons from your administrator instead of creating your own.

To create a fingerprint logon for a Web site or program
1 Open the logon screen of the Web site or program.
2 Touch the reader with any enrolled finger and click Create Fingerprint Logon on the One Touch Menu.

Note
If Create Fingerprint Logon is not on the One Touch Menu, the administrator has not installed this feature on your computer.

3 The title of the logon screen displays in the Create Fingerprint Logon dialog box. Click Continue.
4 In the Logon Title text box, the title of the Web site uniquely identifies the logon screen in the Fingerprint Logon Manager and in the Quick Links submenu on the One Touch Menu. You can type a different title in the text box.
5 Check Display in Quick Link list to add the fingerprint logon to the Quick Links submenu on the One Touch Menu.
6 DigitalPersona Pro determines the logon fields and displays them in the Logon Information area. Type the appropriate account data in the corresponding text box for each field required for logon. For example, in the Password text box, you would type the password you use to access the Web site or program. If a field required for logon is not displayed in the Logon Information area, click Choose Fields to select the additional fields.


Note
As you point to each logon field in the Logon Information area, the corresponding field on the logon screen, such as a text box or drop-down menu, is highlighted.

7 Select the button on the logon screen that is used to submit the account data. DigitalPersona Pro may recognize multiple buttons on some Web sites or programs. You may choose to submit your account data yourself each time you log on to the Web site or program by selecting Do Not Submit.
8 Click OK to create the fingerprint logon.

On subsequent visits to the Web site or program, the DigitalPersona fingerprint logon icon displays, indicating that touching the reader with any enrolled finger will log you on to the Web site or program. You may add more than one account for a Web site or program.


Managing Fingerprint Logons
You can add, change or remove fingerprint logons for Web sites and programs using the Fingerprint Logon Manager. To access it, click the fingerprint reader icon and select Fingerprint Logon Manager from the shortcut menu.

Note
When you want to make changes to a fingerprint logon for a Web site, do not use a Quick Link to browse to the Web site's logon screen if the fingerprint logon is set up to submit your logon information automatically. Instead, browse to the Web site manually and click the white arrow on the DigitalPersona fingerprint logon icon, then select Fingerprint Logon Manager from the shortcut menu.

If a fingerprint logon was created by your administrator, you are only allowed to add and delete account data. You cannot delete the fingerprint logon.

The following describes the Fingerprint Logon Manager functions:
• Add Logon. To add a new fingerprint logon, display the logon screen for the Web site or program and then click Add Logon.
• Remove Logon. To remove a fingerprint logon, select it and click Remove Logon.
• Edit. To modify the account data entered by a fingerprint logon, select the account and then click Edit. In the Edit Account dialog box, edit your existing account data in the appropriate text boxes and click OK. You can also change the fingerprint logon title and Quick Link settings.


• Add. To add additional account data to the fingerprint logon for a Web site or program, click the Add button. This launches the Add New Account dialog box. Specify the additional account data for the logon screen as described in "Creating Fingerprint Logons". When logging on to a Web site or program that has more than one set of account data, you will be prompted to choose the account data you want to use.
• Remove. To remove a set of account data, select the title of the account in the Accounts list and click Remove. If you remove the last account for a fingerprint logon, the fingerprint logon is deleted. You can delete the account data of a fingerprint logon created by your administrator, but you cannot delete the fingerprint logon itself.
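The rules spread over "One Touch Internet", "Logging On to Web Sites and Programs" and "Managing Fingerprint Logons" (OTS takes precedence over OTI for the same logon screen, more than one account triggers a choice, blank required fields trigger the Enter Account Data prompt, removing the last account deletes a user's logon, and an administrator's logon cannot be deleted at all) fit in one small model. The Python below is an added example and not DigitalPersona code; representing a logon screen by its title string, and the class, method and field names, are assumptions made for the model.

```python
"""Model of how OTI (user) and OTS (administrator) fingerprint logons coexist
and are managed. Added example, not DigitalPersona code; names and the
string representation of a logon screen are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class LogonError(Exception):
    pass


@dataclass
class Account:
    title: str
    data: Dict[str, str]          # logon field -> value; "" means left blank


@dataclass
class FingerprintLogon:
    screen: str                   # title of the logon screen it applies to
    source: str                   # "OTS" (administrator) or "OTI" (this user)
    required_fields: Tuple[str, ...]
    accounts: List[Account] = field(default_factory=list)


class FingerprintLogonManager:
    def __init__(self) -> None:
        self._logons: Dict[Tuple[str, str], FingerprintLogon] = {}

    def add_logon(self, logon: FingerprintLogon) -> None:
        self._logons[(logon.screen, logon.source)] = logon

    def remove_logon(self, screen: str, source: str = "OTI") -> None:
        if source == "OTS":
            raise LogonError("administrator-created logons cannot be deleted")
        del self._logons[(screen, source)]

    def resolve(self, screen: str) -> Optional[FingerprintLogon]:
        """For the same screen the OTS logon takes precedence over OTI."""
        return (self._logons.get((screen, "OTS"))
                or self._logons.get((screen, "OTI")))

    def add_account(self, screen: str, source: str, account: Account) -> None:
        self._logons[(screen, source)].accounts.append(account)

    def remove_account(self, screen: str, source: str, title: str) -> None:
        logon = self._logons[(screen, source)]
        logon.accounts = [a for a in logon.accounts if a.title != title]
        # removing the last account deletes a user's logon; an administrator's
        # logon stays, only its account data can be removed
        if not logon.accounts and source == "OTI":
            del self._logons[(screen, source)]

    def touch(self, screen: str, choose: Optional[str] = None):
        """What happens when an enrolled finger touches the reader on `screen`."""
        logon = self.resolve(screen)
        if logon is None:
            return ("no fingerprint logon", None)
        if not logon.accounts:
            return ("enter account data", list(logon.required_fields))
        if len(logon.accounts) > 1 and choose is None:
            return ("choose account", [a.title for a in logon.accounts])
        account = next((a for a in logon.accounts
                        if choose is None or a.title == choose), None)
        if account is None:
            raise LogonError(f"no account titled {choose!r}")
        missing = [f for f in logon.required_fields if not account.data.get(f)]
        if missing:
            return ("enter account data", missing)   # blank required fields
        return ("submit", dict(account.data))
```

`touch` returns what the user would see rather than performing a logon, which is what makes the precedence and deletion rules testable in isolation.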


DigitalPersona Pro Workstation Properties

You can edit various Workstation properties using the DigitalPersona Pro Properties dialog box.

To change Workstation Properties:

1 Click the reader icon in the notification area and select Properties.
2 Modify the desired properties and click OK to implement the new settings and close the dialog box.

The DigitalPersona Pro Properties dialog box contains several folders as described below.

Quick Actions

In the Quick Actions folder, you can assign actions to be performed when touching the fingerprint reader, and when touching the reader in combination with certain keys. The actions that you can assign are:

• None
• Create Fingerprint Logon
• Lock Computer
• Quick Links

You can assign actions to:

• Shift + Fingerprint. The default setting is None.
• Ctrl + Fingerprint. The default setting is None.


Show Fingerprint Reader Icon on Taskbar

When checked, the fingerprint reader icon is displayed in the notification area on the taskbar, which is described in “Reader Icon and Menu” on page 180.

Enable Sound Feedback

Check Enable Sound Feedback to play a sound when the reader acquires a fingerprint scan, indicating that you may lift your finger from the reader. Different sounds are played for successful and unsuccessful scans. You may select different sounds from Control Panel.

Refer to “Fingerprint Scan Acquisition Feedback” on page 182 for more information about visual and audio feedback when a fingerprint scan is acquired by the reader.

One Touch Menu Content

In the One Touch Menu Content folder, the following menu items are added to the One Touch Menu if the check box is selected:

• Create Fingerprint Logon. Displays the Create Fingerprint Logon dialog box.
• Fingerprint Logon Manager. Opens the Fingerprint Logon Manager window.
• Quick Links. Displays the list of Quick Links.
• Properties. Displays the Properties dialog box.
• Help. Displays this Help file.


Deleting Enrolled Fingerprints

You can use the Fingerprint Enrollment Wizard to delete any fingerprints that you have previously enrolled. If you are not permitted to delete fingerprints, it may be because of settings implemented by your administrator.

To delete enrolled fingerprints using the Fingerprint Enrollment Wizard

1 Launch the Fingerprint Enrollment Wizard by clicking the reader icon in the notification area, and selecting Fingerprint Enrollment.
2 Click Next. If changes to enrolled fingerprints will be saved in the user database on your computer instead of in Active Directory, you are prompted to confirm that you want to make changes to your fingerprints locally only. These changes will not be applied to Active Directory. Click Yes to confirm, or click No and contact your administrator for guidance.
3 When prompted to verify your identity, touch the reader with any enrolled finger.
4 An outline of two hands is displayed with your enrolled fingers highlighted in green. Click the highlighted finger that represents the enrolled fingerprint you want to delete.

Note
Clicking a finger which is not highlighted starts the enrollment of that finger.

5 When prompted, click Yes to delete the enrolled fingerprint. Otherwise, click No if you do not want to delete that fingerprint.
6 Click Next or select another finger to delete.
7 Click Finish to exit the wizard and save your changes. Canceling or closing the dialog box does not save your changes.


Changing Your Windows Password

The process of changing your Windows password on a computer with DigitalPersona Pro installed is very similar to changing your Windows password on a computer without DigitalPersona Pro installed.

To change your Windows password

1 Press Ctrl+Alt+Delete.
2 Click Change Password.
In Windows Vista, click Change a password and select your tile.
3 Touch the reader with an enrolled fingerprint. If your identity is verified, One Touch Logon provides the current password in the Old Password text box. Or type your current password in the Old Password text box.
4 Type a new password in the New Password text box and then type it again in the Confirm New Password text box.
5 Click OK to change your current password to the new one you specified.


Fingerprint Reader Usage and Maintenance

This section provides reader usage and maintenance guidelines, which are intended to maximize fingerprint enrollment and authentication performance. Proper usage of the reader during fingerprint enrollment and authentication, as well as a well-maintained reader, is crucial to achieving optimal fingerprint recognition performance.

Proper Fingerprint Reader Usage

To reduce the number of false rejects, you must place a finger on the reader correctly when enrolling fingerprints and authenticating.

During both processes, you must place the pad of your finger—not the tip or the side—in the center of the oval window of the reader in order to maximize the area of the finger that touches the reader window.

Apply even pressure. Pressing too hard will distort the scan; pressing too lightly will produce a faint, unusable scan. Do not “roll” your finger.

To complete the fingerprint scan, hold your finger on the reader until you see the reader light blink. This may take longer if the skin is dry. When the light blinks and, if configured, a sound plays, you may lift your finger.

If the reader is capturing your fingerprint scan as indicated by the reader blink, but DigitalPersona Pro consistently rejects it, you may need to reenroll that finger by first deleting it and then enrolling it again.

Cleaning and Maintaining the Reader

See the Use and Maintenance Guide for Optical Fingerprint Readers on page 239 or the Use and Maintenance Guide for Swipe Readers on page 241.


Chapter 12 - DigitalPersona Pro Kiosk

This chapter provides an in-depth examination of DigitalPersona Pro Kiosk, describing the similarities and differences between it and Pro Workstation, and explaining how to use Kiosk features.

Additional details on user tasks are provided in the DigitalPersona Pro Kiosk Help file.

NOTE: References to the Identification List in this chapter are not applicable to the Pro Kiosk for ID Server, which uses Active Directory to maintain the list of users permitted to access the kiosk. All other features described in this chapter apply to both the standard edition of the Kiosk and the Kiosk for ID Server. For additional details, see “Pro Kiosk for ID Server” on page 263.

Overview

DigitalPersona Pro Kiosk software provides fast, convenient and secure fingerprint logon access for multiple users of a single shared Windows computer or multiple users of multiple shared Windows computers.

A Kiosk refers to one or more Kiosk Workstations which, due to AD group policy, share a Kiosk ID list and Kiosk shared account.

In environments where many users share the same computer, fast and secure access in quick succession is important.

• Pro Kiosk does not require Windows log on and off between users.
• Pro Kiosk allows a designated set of Windows users to use their fingerprints to log on to Windows, unlock the computer, and log on to programs.
• Users are uniquely identified by their fingerprints without requiring them to type account information to log on. Although each user provides unique credentials that can be used for logging and auditing purposes, a Shared Account is used to log on to Windows.

You can configure several kiosk computers to share the same identification list. In this case, users can work at several kiosk computers and gain access with their fingerprints. Users accessing the same kiosk computer in quick succession can also securely log on to password-protected programs by providing their fingerprints. For example, users can provide fingerprints to log on to the program and when finished, they can close the program. Immediately afterwards, another user can provide a fingerprint to gain access to that program.

All of the Pro Kiosk actions that are initiated with a fingerprint are logged for purposes of compliance to legal regulations or policy requirements.

Identification List

A key security component to the recognition of users solely by their fingerprint is the identification list. This is the list of users who have recently accessed a kiosk computer and who can be identified and authenticated only by their fingerprints. This provides fast access to a shared kiosk computer.

Kiosk users in the identification list can log on or unlock a computer and log on to a program only with fingerprints. They do not need to specify their user names and domain names. DigitalPersona Pro Kiosk determines a user’s identity by comparing the fingerprint to the fingerprints of the users in the identification list.

For security and performance reasons, the identification list contains a limited number of user accounts. The number of users kept in the identification list is controlled by the administrator using a GPO setting, and can be up to one hundred users. Once the identification list is full, the least recently used user name is removed from the list when another new user is added.

When there are several DigitalPersona Pro Servers on a domain, the identification list is replicated among the domain controllers. Pro Servers keep the identification list current. The identification list is replicated by Windows and made available to other Pro Servers on the domain. Pro Kiosk caches the identification list and requests an updated file from Pro Server. This is how users can move to other kiosk computers and be identified while they are on the kiosk identification list.

If the user name is not in the identification list, the user must provide a user name, domain and fingerprint. After the user provides the account information and successfully accesses the kiosk, the user is added to the identification list. Users might not be identified when they are new users, or not recent users of a kiosk computer, or because the administrator has not allowed them to access the kiosk.


How Pro Kiosk Works

Before a user can begin using a kiosk computer, DigitalPersona Pro Kiosk checks for the following requirements:

• Is the user name on the identification list?
• Does the user have an enrolled fingerprint on file?

To access the kiosk, either to log on, unlock or access a password-protected program, a user does the following:

1 The user provides a fingerprint. Pro Kiosk checks if the fingerprint belongs to a user in the identification list. If yes, the fingerprint authentication process is performed and the user is granted access. If no, Pro Kiosk prompts the user for the account information.
2 When the user provides a user name, domain name and a fingerprint, the fingerprint authentication process is performed and if successful, the user is granted access to the kiosk and added to the identification list. The administrator can determine the group of users that are eligible to be added to a kiosk’s identification list.

The next time the user provides a fingerprint to access a kiosk computer or program, the user name is in the identification list, and the user is authenticated by a fingerprint only and granted access. In environments where many users access the same computer in a short amount of time, users may be pushed out of the list more often.

If a user does not have enrolled fingerprints, the user is prompted for a password. After password authentication is successfully completed, Pro Kiosk checks if the user is eligible for the identification list. If yes, the user is added to the identification list and the Fingerprint Enrollment Wizard launches.

• On most versions of Windows, if you have not enrolled fingerprints yet, the Fingerprint Enrollment Wizard launches automatically after logging on or unlocking the computer.
• On Windows Vista, click the balloon that displays near the notification area to enroll your fingerprints, or click the Fingerprint Reader icon and select Fingerprint Enrollment to launch the Fingerprint Enrollment Wizard.


Administrators can require attended fingerprint enrollment (see “Attended Fingerprint Enrollment” on page 114) so that users’ fingerprints are enrolled before accessing the kiosk for the first time.
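The two passages above (the Identification List and How Pro Kiosk Works) describe one access flow: a 1:N identification attempt limited to the recent-user list, a fall-back to user name plus domain with 1:1 fingerprint verification, a password path for users with no enrolled finger, eligibility gating on who may join the list, least-recently-used eviction at the GPO-configured capacity, and an audit record of every fingerprint-initiated action. The following Python model is an added example written for this guide; it is not DigitalPersona code and does not use the DigitalPersona API. The user names, the "FP-..." template strings, the passwords and the capacity of two are constructed fixtures, and a plain string comparison stands in for the real fingerprint matcher.

```python
"""Toy model of the Pro Kiosk access flow and its bounded identification list.

Constructed example: user names, templates and passwords are made up; the
string comparison stands in for DigitalPersona's real fingerprint matcher.
"""
from collections import OrderedDict
from dataclasses import dataclass
from hmac import compare_digest
from typing import Dict, Iterable, List, Optional


@dataclass
class AccessResult:
    granted: bool
    user: Optional[str]        # "name@domain" when access is granted
    how: str                   # identified | verified | password | prompt | denied
    enroll_required: bool = False


class IdentificationList:
    """Recent kiosk users, at most `capacity` (the GPO allows up to 100).
    When full, the least recently used name is evicted."""

    def __init__(self, capacity: int) -> None:
        if not 1 <= capacity <= 100:
            raise ValueError("capacity must be between 1 and 100")
        self.capacity = capacity
        self._users: "OrderedDict[str, None]" = OrderedDict()

    def members(self) -> List[str]:
        return list(self._users)          # oldest first

    def touch(self, user: str) -> Optional[str]:
        """Record `user` as most recently used; return the evicted name, if any."""
        if user in self._users:
            self._users.move_to_end(user)
            return None
        evicted = None
        if len(self._users) >= self.capacity:
            evicted, _ = self._users.popitem(last=False)
        self._users[user] = None
        return evicted


class KioskModel:
    def __init__(self, capacity: int, templates: Dict[str, str],
                 passwords: Dict[str, str], eligible: Iterable[str]) -> None:
        self.id_list = IdentificationList(capacity)
        self.templates = templates        # user -> enrolled template (stand-in)
        self.passwords = passwords        # user -> password (constructed, plaintext)
        self.eligible = set(eligible)     # users allowed onto the identification list
        self.audit: List[dict] = []       # every fingerprint-initiated action is logged

    def _log(self, action: str, user: Optional[str], outcome: str) -> None:
        self.audit.append({"action": action, "user": user, "outcome": outcome})

    def access(self, action: str, fingerprint: Optional[str] = None,
               user: Optional[str] = None, password: Optional[str] = None) -> AccessResult:
        # Step 1: 1:N identification, restricted to users on the identification list.
        if fingerprint is not None:
            for candidate in self.id_list.members():
                if compare_digest(self.templates.get(candidate, ""), fingerprint):
                    self.id_list.touch(candidate)
                    self._log(action, candidate, "identified")
                    return AccessResult(True, candidate, "identified")
        if user is None:
            # Not identified: the kiosk prompts for user name and domain.
            if fingerprint is not None:
                self._log(action, None, "not-identified")
            return AccessResult(False, None, "prompt")

        # Step 2: user name and domain supplied; 1:1 verification of that account.
        enrolled = self.templates.get(user)
        if enrolled is not None:
            if fingerprint is None or not compare_digest(enrolled, fingerprint):
                self._log(action, user, "denied")
                return AccessResult(False, None, "denied")
            how, enroll = "verified", False
        else:
            # No enrolled fingerprint: password fallback, then the enrollment wizard.
            if password is None:
                return AccessResult(False, None, "prompt")
            if not compare_digest(self.passwords.get(user, ""), password):
                self._log(action, user, "denied")
                return AccessResult(False, None, "denied")
            how, enroll = "password", True

        if user in self.eligible:
            self.id_list.touch(user)      # may evict the least recently used user
        self._log(action, user, how)
        return AccessResult(True, user, how, enroll)


def build_demo(capacity: int = 2) -> KioskModel:
    """Constructed fixture: a two-slot list so evictions are easy to see."""
    templates = {"alice@corp": "FP-ALICE", "bob@corp": "FP-BOB",
                 "carol@corp": "FP-CAROL", "eve@corp": "FP-EVE"}
    passwords = {"dave@corp": "pw-dave"}
    eligible = ["alice@corp", "bob@corp", "carol@corp", "dave@corp"]  # eve is not
    return KioskModel(capacity, templates, passwords, eligible)
```

Two points the model makes visible: a user whose fingerprint verifies but who is not in the eligible group is granted access without ever entering the list, so that user must supply a name and domain on every visit; and with a small capacity a busy kiosk evicts recent users quickly, which is why the guide says users "may be pushed out of the list more often" where many people share one machine.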


Comparing Pro Workstation and Pro Kiosk

This section describes the similarities and differences between DigitalPersona Pro Workstation and DigitalPersona Pro Kiosk. Both DigitalPersona Pro Kiosk and DigitalPersona Pro Workstation include the following One Touch applications:

• One Touch Logon
• One Touch Unlock
• One Touch SignOn

Like DigitalPersona Pro Workstation, Pro Kiosk also includes options for allowing users to run the Fingerprint Enrollment Wizard, or administrators can implement attended fingerprint enrollment. Pro Kiosk uses the same fingerprint information and One Touch SignOn logon data as DigitalPersona Pro Workstation. DigitalPersona Pro Kiosk requires DigitalPersona Pro Server Version 4.0 or higher running on a domain controller. DigitalPersona Pro Workstation Version 4.0 or higher and Pro Kiosk 4.0 or higher are compatible, i.e. they can be installed on computers on the same domain and use the same DigitalPersona Pro Server.

When comparing Pro Kiosk to Pro Workstation, Pro Kiosk differs in the following ways:

• One Touch Logon is always installed when Pro Kiosk is installed on a computer. In the Pro Workstation installation, One Touch Logon is an option when performing custom installations.
• The identification list is shared among designated kiosk computers on the domain or in the same Organizational Unit (OU). This enables recent users to move from computer to computer in a kiosk and use their fingerprints for logon. For Pro Workstation, the user identification list is cached locally and not shared with any other computer.
• Multi-credential logon is not available on kiosk computers even if it is configured in the DigitalPersona Pro GPO in Active Directory.
• A specified Shared Account is always used for Windows logon that is independent of the user account being authenticated. This affects account profile and user preferences.


• Any kiosk user can unlock a kiosk computer. For example, a user may log on and lock the kiosk computer. Then, a second user can unlock it without performing log off and log on.
• The name of the last user is not shown in Logon or Unlock dialogs regardless of security settings.
• A kiosk user can enroll fingerprints, regardless of which user account was logged on to the kiosk, without logging on to Windows. The administrator must have allowed permissions for the user to enroll and delete fingerprints.
• Pro Kiosk does not include Quick Links or One Touch Internet or the One Touch Menu.

Using One Touch SignOn with Pro Kiosk

One Touch SignOn (OTS) provides fingerprint logon to password-protected programs. If you created OTS templates using DigitalPersona Pro Version 3.2 or higher, they are compatible with Pro Kiosk and can be used for kiosk users. If you have OTS templates from versions earlier than DigitalPersona Pro Version 3.2, you can use the OTS Administration tool to perform a conversion.

With Pro Kiosk, One Touch SignOn includes the following differences when compared to Pro Workstation implementations:

• OTS templates must be deployed to the Shared Account instead of user accounts.
• Kiosk users do not need to log on to Windows to use fingerprint-enabled programs. Their identity is verified each time they log on to the program. For kiosk users, the OTS logon data is never cached locally.


Logging On to Windows

One Touch Logon allows you to log on to Windows with any enrolled fingerprint as an alternative to your Windows credentials. Windows credentials are information used to gain access to Windows accounts, such as a password.

One Touch Logon guides you through providing the credentials required for logging on to Windows. When your identity is verified by your fingerprint or Windows credentials, you are logged on to a Shared Account, which has been configured by your administrator.

All kiosk users share the same session. If your computer becomes locked, any kiosk user will be able to unlock it, view the desktop, and run programs. You also have the option to not share the kiosk session and log on to your own account instead of the Shared Account, although this is recommended for administrators only.

To log on using only your fingerprint, you must have an enrolled fingerprint and must have recently used a kiosk computer. If your identity cannot be verified, you will be prompted to provide your user name and domain as well as a fingerprint to log on.

Using One Touch Logon

One Touch Logon displays a customized Welcome dialog box or screen, which is similar to the standard Windows dialog box. When you touch the fingerprint reader, One Touch Logon attempts to identify you using your fingerprint. If you are not identified, touch the fingerprint reader again to provide a better quality scan. Refer to “Proper Fingerprint Reader Usage” on page 205 for details.

You will not be identified if you are a new user and may not be identified if you are not a recent user of the kiosk. In this case, press Ctrl+Alt+Delete and specify your user name and domain, and then touch the fingerprint reader or type your password. You will be added to the identification list after successful authentication.

Leave the Share the kiosk session check box checked to allow other kiosk users to unlock the computer. Only administrators may need to uncheck this option. When this check box is not checked, Pro Kiosk features are not available.


If you are a new user without any enrolled fingerprints, you can log on by providing your name, domain and password.

• In most versions of Windows, the Fingerprint Enrollment Wizard will launch automatically after you log on.
• In Windows Vista, click the balloon that displays near the notification area to enroll your fingerprints, or click the Fingerprint Reader icon and select Fingerprint Enrollment to launch the Fingerprint Enrollment Wizard.

You must enroll fingerprints before you can log on using the fingerprint reader.

Note
The user name for the Windows shared account that Pro Kiosk uses cannot be used to log on to a kiosk session. All Kiosk users must use their own Windows user name to log on.

Logging on to Windows without Kiosk

To log on to a computer without using a kiosk session, uncheck the Share the kiosk session check box. This check box is only enabled when the kiosk computer is logging onto the domain. For local logon, it is disabled.

The designated Shared Account for the kiosk is not used and several Pro Kiosk features are not available. In this case, the user name is not added to the kiosk identification list and One Touch SignOn to programs is disabled.

This feature is intended for administrators who might need to access a computer without kiosk features enabled for administrative purposes. Non-administrators can be prohibited from logging on to the computer outside of a kiosk session by enabling the appropriate setting in the controlling GPO. See “Prevent users from logging on outside of a Kiosk session.” on page 100.

Note
If you lock the computer outside of a kiosk session, other kiosk users will not be able to unlock it, so be sure to log out of a local session on any kiosk workstation.


Automatic logon using the Shared Kiosk Account

Kiosk can be configured to automatically log on to the Shared Kiosk Account when Windows starts or restarts. The Log On to Windows dialog box is not displayed.

The automatic logon setting will allow any user to access a Windows session without interactive authentication when the Kiosk computer is restarted.

This option is controlled by the Allow automatic logon using Shared Kiosk Account setting described on page 100.

Using One Touch Unlock

To lock your computer, double-click the fingerprint reader icon or click Lock Computer on the fingerprint reader icon context menu. The reader icon is located in the notification area on the taskbar.

When your computer is locked, One Touch Unlock replaces the standard Windows Computer Locked dialog box. One Touch Unlock guides you through providing the required credentials to unlock your computer.

Recent users of a kiosk can unlock any kiosk computer by providing an enrolled fingerprint. To unlock the computer, touch the reader with an enrolled fingerprint. If you are not identified, touch the fingerprint reader again to provide a better quality scan.

You cannot be identified if you are a new user or you are not a recent user of the kiosk. In this case, press Ctrl+Alt+Delete and specify your user name and domain, and then touch the fingerprint reader or type your password. The previous user account name is not displayed in the One Touch Unlock dialog box. You will be added to the identification list after successful authentication.

If you do not have any enrolled fingerprints, you can unlock the computer by providing your name, domain and password, and then the Fingerprint Enrollment Wizard will launch. You must enroll fingerprints before you can unlock the kiosk computer with your fingerprint.


Changing Your Password

The process of changing your Windows password on a computer with DigitalPersona Pro Kiosk installed is similar to doing so on a computer without Pro Kiosk installed.

To change your Windows password:

1 Press Ctrl+Alt+Delete to display the Windows Security dialog box.
2 Click the Change Password button.
In Windows Vista, click Change a password and select your tile.
3 Touch the reader with an enrolled fingerprint. If your identity is verified, One Touch Logon provides the current password in the Old Password text box. Or type your current password in the Old Password text box.
4 Type a new password in the New Password text box and then type it again in the Confirm New Password text box.
5 Click OK to change your current password to the new one you specified.

User Account Control

On Windows Vista, the fingerprint of someone with administrator privileges on the computer can be used, instead of their user name and password, to give a standard user permission to perform an activity that is restricted by User Account Control.

When the User Account Control dialog displays, a local administrator with an enrolled fingerprint can use their fingerprint to permit the activity.


Logging On to Password-Protected Programs

DigitalPersona Pro Kiosk lets a kiosk user log on to password-protected programs, either Windows or Web-based programs, with any enrolled fingerprint. As an administrator, you must enable this feature for specific programs by configuring fingerprint logons for them. Password-protected programs that are fingerprint-enabled display a DigitalPersona fingerprint logon icon in the upper left corner of the screen. You also can create fingerprint logons that include fingerprint-enabled screens for changing your password.

Refer to the topic “One Touch SignOn Administration Tool” on page 117 for more information about creating fingerprint logons using OTS templates.

Users are prompted for account data the first time they log on. Then, on subsequent logons, they only need to launch the program, and touch the reader with any enrolled finger. DigitalPersona Pro Kiosk automatically enters the user name, domain and password and any other necessary account data in the appropriate logon screen text boxes and, if configured, submits the account data.

Fingerprint logons may also be used to prevent users from typing their user name and password so that they must always provide a fingerprint to log on to the program.

Using Fingerprint Logons for Programs

To log on to a fingerprint-enabled logon screen

1 Open the logon screen of the program.
2 The logon screen displays a DigitalPersona fingerprint logon icon in the upper left corner of the screen, indicating that you can touch the reader with any enrolled finger to log on.
3 Touch the fingerprint reader. You must be a recent user of the kiosk to log on with a fingerprint. If required, type your user name and domain and then touch the fingerprint reader again to log on.
4 If the system determines that account data is required, the Enter Account Data dialog box displays. Type the required data in the fields. Then click OK to log on. Next time you log on, the system will provide this account data for you.


Note
If you specified additional account data for the program, you are prompted to choose the data that you want to use to log on.

Users can add, change or remove account data for fingerprint logons for programs using the Fingerprint Logon Manager. However, they cannot delete the fingerprint logons created by administrators.

To access the Fingerprint Logon Manager, click the fingerprint reader icon and select Fingerprint Logon Manager.

Adding Account Data

Users may add additional sets of account data for a program. In this case, when logging on to the program using DigitalPersona Pro Kiosk, users will be prompted to choose the account data to use.

To add additional account data to the fingerprint logon for a program:

1 Click the fingerprint reader icon and select Fingerprint Logon Manager.
2 In the Verify Your Identity dialog box, touch the reader with an enrolled finger.
If your identity is not verified, type your user name and touch the reader again.
3 In the Fingerprint Logon Manager, click the Add button to display the Add Fingerprint Logon dialog box.
4 In the Logon Title text box, the title uniquely identifies the logon screen in the Fingerprint Logon Manager. You can type a different title in the text box.
5 DigitalPersona Pro Kiosk determines logon fields and displays them in the Logon Information area. Type the appropriate account data in the corresponding text box for each field required for logon. For example, in the Password text box, you would type the password used to access the program.
6 Click OK to save the account data.
7 The Verify Your Identity dialog box displays. Touch the fingerprint reader to verify your identity.


Changing Account Data

To modify the account data entered by a fingerprint logon:

1 Click the fingerprint reader icon and select Fingerprint Logon Manager.
2 In the Verify Your Identity dialog box, touch the reader with an enrolled finger. If your identity is not verified, type your user name and touch the reader again.
3 In the Fingerprint Logon Manager, select the account and then click Change.
4 In the Edit Fingerprint Logon dialog box, edit your existing account data in the text boxes and click OK. You can also change the fingerprint logon title.
5 The Verify Your Identity dialog box displays. Touch the fingerprint reader to verify your identity.

Removing Account Data

To remove the account data of a fingerprint logon:

1 Click the fingerprint reader icon and select Fingerprint Logon Manager.
2 Touch the reader with an enrolled finger. If your identity is not verified, click the Provide your account information hyperlink. In the next dialog box, type your Windows user name and domain and touch the reader again.
3 Select the title of the fingerprint logon in the list on the Fingerprint Logon Manager and click Remove.
4 The Verify Your Identity dialog box displays. Touch the fingerprint reader to verify your identity.

You can delete the account data of a fingerprint logon created by your administrator, but you cannot delete the actual fingerprint logon.


Switching Users on Pro Kiosk Computers

You can log on, unlock or gain access to a fingerprint-enabled program on a kiosk computer by using your fingerprint. After your work is finished, you can do one of the following:

• Close the fingerprint-enabled programs and leave the kiosk computer unlocked. The next user can approach the kiosk computer and provide an enrolled fingerprint to gain access to the password-protected program.
• Close the programs and lock the kiosk computer. The next user can approach the kiosk computer and provide an enrolled fingerprint to unlock the computer. Then the user can launch a fingerprint-enabled program and touch the reader again to access the program.
• Close the programs and log off from the kiosk computer. The next user can approach the kiosk computer and provide an enrolled fingerprint to log on to the computer. The user is logged into the Shared Account for the kiosk.

Fingerprint Reader Icon and Menu

DigitalPersona Pro Kiosk displays a fingerprint reader icon in the notification area on the taskbar that shows whether the reader is ready for use. In addition, it provides convenient access to various functions on its context menu.

[Figure: the two states of the fingerprint reader icon. One icon indicates the reader is connected and the driver is installed; the other indicates the reader is disconnected or the driver is not installed.]

Fingerprint Reader Status

When the reader is ready to scan fingerprints, the reader icon appears normally. Otherwise, a red X displays over the reader icon.

Fingerprint Reader Icon Context Menu

Click the fingerprint reader icon to open its context menu. On it, several features are available:


Lock Computer. Locks your computer. Double-clicking the reader icon also locks your computer.

Fingerprint Enrollment. Launches the Fingerprint Enrollment Wizard, which guides you through the process of enrolling your fingerprints.

Fingerprint Logon Manager. Opens the Fingerprint Logon Manager.

Help. Launches DigitalPersona Pro Kiosk Help.

Using the Start Menu

• You can access DigitalPersona Pro Kiosk and Kiosk Help from the Start menu. On the Start menu, point to All Programs, point to DigitalPersona Pro Kiosk and then click the menu item that corresponds to the task you want to perform.


Part Five: Appendices

Part Five of the DigitalPersona Pro for AD Administrator Guide includes the following appendices:

Chapter - Title: Purpose (Page)

13 - Planning & Deployment: Provides guidelines for planning and implementing the deployment of DigitalPersona Pro. (223)
14 - Fingerprint Reader Use and Maintenance Guide for Optical Readers: Provides instructions for the use and maintenance of optical readers. (239)
15 - Fingerprint Reader Use and Maintenance Guide for Swipe Readers: Provides instructions for the use and maintenance of swipe readers. (241)
16 - DigitalPersona Pro Settings: An alphabetical list of all DigitalPersona Pro settings with references to the Active Directory location and the page number where they are described. (243)
17 - Troubleshooting: Provides assistance in troubleshooting software and hardware issues. (248)
18 - Customizing Workstation: Details registry settings that can be used to customize DigitalPersona Pro Workstation. (256)
19 - Installing High Encryption: Instructions for installing 128-bit High Encryption for older Windows 2000 machines. (259)
20 - Fingerprint Reader Regulatory Information: Includes regulatory information for the DigitalPersona U.are.U Fingerprint Reader. (260)
21 - Pro ID Server: Instructions for the installation and use of the DigitalPersona Pro ID Server Add-on module. (262)
22 - Kiosk Unlock Scripting: Instructions for using the Pro Kiosk Unlock Scripting feature. (266)
23 - Fingerprint Logon Retraining: Procedure for retraining logons for use with Firefox.




Chapter 13 - Planning & Deployment

Overview

DigitalPersona Pro for Active Directory is a scalable solution that can provide biometric authentication and Single SignOn for a large enterprise, with multiple domains and a hundred thousand geographically dispersed workstations, a medium-sized local network, or a small office network.

Whatever the size of the deployment, it is critical to spend some time designing an implementation that will meet your organization’s needs, provide a straightforward deployment plan, and allow you to allocate the necessary hardware and personnel resources.

In designing your DigitalPersona Pro system, you will want to take into account many factors, including your security needs, performance requirements, levels of administration, and the amount of control that you want to allow the end user to have with certain features like One Touch SignOn, One Touch Internet and fingerprint enrollment.

We have made deploying DigitalPersona Pro as simple and straightforward as possible. However, a comprehensive design, a well-formed deployment plan, and a deployment staff with solid Active Directory experience will help to ensure a successful implementation.

Deploying DigitalPersona Pro includes settings to configure the way that authentication operates in your specific environment. From various combinations of multi-factor authorization to fingerprint-only logon, the level of security that you require is configurable, and quite easily implemented through standard Active Directory administration tools.

Administrative controls and utilities are also available through a complete set of DigitalPersona Pro Administrative Tools included with DigitalPersona Pro Server.

In the following text, the term “users” refers to those who will be enrolling and authenticating their fingerprints through DigitalPersona Pro Server, and is not necessarily the same as the number of Active Directory users.

The information provided in this chapter is not intended to take the place of the services of a professional systems architect or analyst, and should not be construed as advice or recommendations addressing your specific situation.


Evaluation Support

During evaluation of DigitalPersona Pro for Active Directory, support is available through our Sales Engineering Team at: 1-650-474-4042

Technical Support

AskPersona.com (http://askpersona.com) is a Pro Knowledge Portal providing answers to many frequently asked questions about Pro Server, Workstation and Kiosk.

DigitalPersona Maintenance and Support customers will find additional information about the technical support resources available to them in their Maintenance and Support confirmation email.

Professional Services

DigitalPersona Professional Services can discuss options ranging from initial onsite consulting to completely outsourcing all or part of the design, deployment and installation process, as well as customizing the software.

For Professional Services, please contact your DigitalPersona Account Manager or product Reseller.


Planning

Although the actual steps in a design process will vary from company to company, the design for your DigitalPersona Pro solution should take into account at least the elements described in this chapter. Additional steps and considerations may be required for your specific organization.

Planning Overview

1 Select an Installation Scenario.
2 Determine Required Software & Hardware.
3 Identify Needed Licenses.
4 Select Configuration Options.
5 List OTS Templates.
6 Create Deployment Plan.

Select an Installation Scenario

DigitalPersona Pro for Active Directory is designed with built-in flexibility to enable delivery of biometric authentication and Single SignOn in the following scenarios:

• Enterprise level, server supported authentication
• Workstation Only installation

It is also possible to create a solution utilizing a combination of both scenarios.

Enterprise level with Pro Server Support

For optimal enterprise-wide deployment, DigitalPersona Pro Workstation and/or Kiosk are installed on a network computer connected to a domain controller that has DigitalPersona Pro Server installed. Computers such as laptops can be periodically connected to, and disconnected from, the network.


DigitalPersona Pro Server offers the following capabilities:

• Installed on a secure Active Directory Domain Controller
• Centralized User Administration
• Centralized Credential & Application Data Storage
• Secure Server Authentication

DigitalPersona Pro Workstation/Kiosk:

• One Touch Logon
• One Touch SignOn Applications
• One Touch Internet (Workstation only)

Using a DigitalPersona Pro Workstation with Pro Server support is the most comprehensive deployment of DigitalPersona Pro because you can take advantage of both the Workstation and Server features of DigitalPersona Pro for Active Directory.

In addition to the One Touch applications for the Workstation, this deployment allows you to manage DigitalPersona Pro with Active Directory administration tools, and provides secure data storage and user roaming features.

DigitalPersona Pro Kiosk requires the availability of a DigitalPersona Pro Server in order to function.

Workstation Only Installation

DigitalPersona Pro Workstation can be installed on computers connected to an Active Directory domain without DigitalPersona Pro Server support or on a standalone computer configured to perform authentication locally. With either of these configurations, you have all the features provided by the DigitalPersona Pro Workstation software as described in “DigitalPersona Pro Workstation” on page 24.

The table below compares the features available for DigitalPersona Pro Workstations with and without Pro Server support:

Table 13-1. Feature Comparison

DigitalPersona Pro Feature                  Workstation with Pro Server support   Workstation without Pro Server support
Centralized User Administration             X                                     -
Centralized User Credential Data Storage    X                                     -
Secure Server Authentication                X                                     -
One Touch SignOn and One Touch Internet     X                                     X
Secure Windows Logon                        X                                     X
Workstation Administration                  X                                     X

DigitalPersona Pro Workstation can be installed on a computer that is not connected to an Active Directory domain, or not administered with an Active Directory GPO. The Workstation can then be administered locally through the Microsoft Management Console (MMC), providing the same functionality as listed above for Workstations without Pro Server support.


Determine Required Software & Hardware

Server software

DigitalPersona Pro Server has been fully performance tested and shown to be able to support the authentication of up to 3,000 users within a 10 minute period, per Server processor.

DigitalPersona Pro Server must be installed on a domain controller serving the users that will be using it for authentication. Additionally, a Failover/Backup Pro Server is recommended for each Pro Server installed. Also, if you have multiple sites, we recommend a Pro Server and a Failover/Backup server at each site.

After analyzing your network configuration and bandwidth limitations, you may want to add additional servers for backup/failover, or arrange for additional servers on a domain or site basis to compensate for potential bandwidth bottlenecks.

Use the worksheet below to assist you in determining the number of DigitalPersona Pro servers that you will require.

A. Total number of users _____ / 3,000 = Base Minimum Server/Processors _________
B. Backup/Failover Servers (Recommended) _______
C. Additional Servers per network analysis ________
Total Servers (A + B + C) = _______

Workstation software

The Pro Server software package includes a copy of DigitalPersona Pro Workstation. You will need to distribute copies of DigitalPersona Pro Workstation software to each computer that will be using biometric authentication and authorization. This includes laptops and notebooks that will be connected to the network as well as any offsite computers that may connect to the network.

Total Workstations = _______
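The server worksheet above, carried out per site, as an added example (this is not DigitalPersona's own tooling). It assumes only the figures the chapter states: 3,000 users authenticated per 10 minute period per server processor, and one Failover/Backup Pro Server per Pro Server at each site; the `plan_site` and `plan_deployment` names and the sample site roster are this example's own constructions. It goes slightly beyond the single-column worksheet by rounding each site up separately, so that 3,001 users at a site correctly need two base server/processors rather than one.

```python
"""Per-site version of the Pro Server sizing worksheet (A + B + C).

Added example, not DigitalPersona code. Assumes the guide's throughput figure
(3,000 users per 10 minutes per server processor) and its recommendation of
one Failover/Backup server per Pro Server at each site.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

# Authentications the guide says one server processor sustains in a 10 minute period.
USERS_PER_PROCESSOR = 3000


@dataclass(frozen=True)
class SitePlan:
    site: str
    users: int                # users enrolling/authenticating through Pro Server (not all AD users)
    base_servers: int         # A: ceil(users / 3,000), rounded UP so no site is under-provisioned
    failover_servers: int     # B: one Failover/Backup server per Pro Server (recommended)
    additional_servers: int   # C: extra servers from your own network/bandwidth analysis

    @property
    def total(self) -> int:
        return self.base_servers + self.failover_servers + self.additional_servers


def plan_site(site: str, users: int, additional: int = 0) -> SitePlan:
    """Apply the worksheet to one site. Raises on negative counts."""
    if users < 0 or additional < 0:
        raise ValueError("user and server counts must be non-negative")
    base = math.ceil(users / USERS_PER_PROCESSOR)   # e.g. 3,001 users -> 2, not 1
    failover = base                                  # B mirrors A, per the recommendation
    return SitePlan(site, users, base, failover, additional)


def plan_deployment(sites: Dict[str, int], additional: Optional[Dict[str, int]] = None) -> List[SitePlan]:
    """One worksheet per site, since the guide recommends a Pro Server and a failover at each site."""
    additional = additional or {}
    return [plan_site(name, users, additional.get(name, 0)) for name, users in sites.items()]


def total_servers(plans: List[SitePlan]) -> int:
    return sum(p.total for p in plans)


def worksheet(plans: List[SitePlan]) -> str:
    """Render the filled-in worksheet as text, one line per site plus the grand total."""
    lines = [
        f"{p.site}: {p.users} users -> A={p.base_servers} B={p.failover_servers} "
        f"C={p.additional_servers} total={p.total}"
        for p in plans
    ]
    lines.append(f"Total Servers = {total_servers(plans)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample roster: a head office and a branch, with one extra server
    # at head office following a (hypothetical) bandwidth analysis.
    plans = plan_deployment({"HQ": 7500, "Branch": 200}, additional={"HQ": 1})
    print(worksheet(plans))
```

The "users" figure fed to `plan_site` should be the number of people who will enroll and authenticate through Pro Server, which the chapter notes is not necessarily the number of Active Directory accounts.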


Kiosk software

The Pro Server software package includes a copy of DigitalPersona Pro Kiosk. You will need to distribute copies of DigitalPersona Pro Kiosk software for each computer that will be used as a kiosk.

Total Kiosks = _______

Fingerprint Readers

For each workstation, you will need one U.are.U Fingerprint Reader.

Certain notebooks with a supported built-in swipe reader can be used with DigitalPersona Pro. A list of supported built-in swipe readers can be found at: http://www.digitalpersona.com/notebooks.

Total U.are.U Fingerprint Readers = _______

Identify Needed Licenses

When deploying DigitalPersona Pro Server, a User Authentication License (UAL) is required covering each user that will be enrolling their fingerprints and using them for authentication through the server.

The licenses are bound to the domain, so each license issued covers the users for that specific domain. In other words, a DigitalPersona Pro User Authentication License provides a license for the users in a single domain. Additional UALs can be purchased for a domain as the number of users increases.

Use the following table to identify the number of users to include in each requested UAL.

Number of user licenses needed

Domain Name                              Number of Users
______________________________           _______
______________________________           _______
Total Number of user licenses needed     _______

Select Configuration Options

While many of the configuration options can be determined as part of your initial testing or pilot and may be adjusted during and after rollout, there are a few options that should definitely be part of your planning.

Windows Logon Policies - DigitalPersona Pro policies work in conjunction with standard Windows policies.

Logon policies can be configured at the Server level or the Workstation level by adding the appropriate DigitalPersona Pro Administrative Template to the controlling GPO.

Attended Fingerprint Enrollment - When implemented, all users must enroll their fingerprint in the presence of a designated person or group.

Custom Workstation Installation

The default “Complete” Workstation installation includes the One Touch Logon and One Touch Internet features.

By using a “Custom” installation, you can select to not install One Touch Logon and/or One Touch Internet. They can also be added to, or removed from, a particular workstation through the Add or Remove Programs tool in the Control Panel.

• One Touch Logon - One Touch Logon provides the ability for a user to log on to their Windows account by simply touching a supported fingerprint reader.
• One Touch Internet - This feature allows end users to create their own fingerprint logons for programs and Web sites.

Other policies and settings - See “Configuring Policies and Settings” on page 80 for other policies and settings that you may want to consider as part of your design.


List OTS Templates

For each program or Web site that you want to allow users to sign on to with One Touch SignOn, you will need to create an OTS template using the One Touch SignOn Administration Tool. Time and resources to create these templates should be part of your deployment plan.

Create Deployment Plan

Based on your system design, create a deployment plan. You can use the checklist at the end of this chapter to make sure that you have covered the basics that have been discussed.


Deployment

Factors to Consider

There are a number of factors that you will want to make sure are considered as you develop your Deployment Plan.

Evaluation & Testing

You will probably want to test your proposed design on a single standalone workstation and/or in a small server-based pilot program before rolling out the full implementation.

Warning
When moving from a standalone Workstation installation to a Pro Server based environment, all Pro domain user data on the standalone computer is lost when it first connects to a DigitalPersona Pro Server. Fingerprints must be enrolled again and user account data for fingerprint logons must be provided again.

Multi-credential Logon Settings

You can configure logon settings that require more than one type of credential to log on. Possible credentials for Windows logon include fingerprint, password or smart card. The multi-credential logon settings are configured using the Multi-credential Logon to Windows settings in the DigitalPersona Pro Administrative Template, but can also be overridden on a per user basis in the Active Directory Users and Computers tool.

Note that DigitalPersona Pro does not provide any setting to control the use of the smart card for the Windows logon and will apply whatever Windows policies are in place for smart cards.

For local area network users, allowing either the fingerprint or password to be used is recommended as a starting Windows logon setting. A simple way to require two-factor authentication and increase security without compromising user convenience is to require a fingerprint PIN in addition to a fingerprint. This is the recommended setting for remote users. For more information on fingerprint PINs, see “Using Fingerprint PINs” on page 191.

While users adapt to the new fingerprint policies, you might want to begin with more flexible logon settings. For example, a policy may be set at the beginning of deployment that requires the user to use a fingerprint. If the user cancels out of the Fingerprint Enrollment Wizard, then the next time the user tries to log on to Windows, the user will be unable to log on. If users have not enrolled their fingerprints, they will need to contact an administrator to enroll their fingerprints. However, if you allow a fingerprint or a password to log on as part of an initial phase, users can continue working as they learn to adopt the new policies.

If smart cards are deployed, in order to provide a more convenient logon process for multi-credential logons, you can choose to allow the fingerprint to unlock the smart card instead of requiring users to type the PIN for the smart card.

All Multi-credential Logon to Windows settings are available as GPO settings. User-level settings are also available, which will override GPO settings, except for the Fingerprint is allowed to unlock the smart card option, which is only available through the GPO.

See also “Multi-credential Logon to Windows” on page 96 and “User Properties & Commands” on page 102.

Fingerprint Enrollment Options

You can allow users to enroll their own fingerprints from their computers or you can require that fingerprint enrollment is attended by a designated administrator or supervisor.

With attended fingerprint enrollment, a designated user must be logged on to supervise the fingerprint enrollment process of other users. You can also set permissions so that the users cannot modify the enrolled fingerprints.

For more information on using attended fingerprint enrollment, see “Attended Fingerprint Enrollment” on page 114.

Fingerprint Enrollment statistics can be viewed and monitored with the User Query Tool, described in the topic “User Query Tool” on page 158.
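The precedence rules in the Multi-credential Logon Settings section above, as an added example that is not DigitalPersona code: a small Python model of how a GPO policy, a per-user override and the GPO-only "fingerprint is allowed to unlock the smart card" option combine into an effective policy, and which credential sets then log on. It also models the lockout the section describes, where a user who cancelled enrollment cannot log on under a fingerprint-required policy. The policy constants, credential tokens, `effective_policy`, `logon_allowed` and `locked_out_users` are this example's own names and structure, not the product's setting names or its implementation.

```python
"""Model of Multi-credential Logon to Windows precedence, for planning purposes.

Added example, not DigitalPersona code. Names are assumptions of this example;
the behaviour modelled is only what the chapter states: user-level settings
override the GPO except for the smart card unlock option, a fingerprint is only
usable once enrolled, and a PIN or (if the GPO allows) a fingerprint unlocks the card.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

# Credential tokens a user can present at the Windows logon (this example's names).
FINGERPRINT = "fingerprint"
PASSWORD = "password"
FINGERPRINT_PIN = "fingerprint_pin"
SMART_CARD = "smart_card"
SMART_CARD_PIN = "smart_card_pin"


@dataclass(frozen=True)
class LogonPolicy:
    """A logon succeeds when every credential of ANY one accepted combination is present."""
    accepted: Tuple[FrozenSet[str], ...]
    # GPO-only option in the guide: a fingerprint may stand in for the smart card PIN.
    fingerprint_unlocks_smart_card: bool = False


# The settings the chapter discusses, as this example models them.
FINGERPRINT_OR_PASSWORD = LogonPolicy((frozenset({FINGERPRINT}), frozenset({PASSWORD})))
FINGERPRINT_REQUIRED = LogonPolicy((frozenset({FINGERPRINT}),))
FINGERPRINT_AND_PIN = LogonPolicy((frozenset({FINGERPRINT, FINGERPRINT_PIN}),))  # recommended for remote users


def effective_policy(gpo: LogonPolicy, user_accepted: Optional[Iterable[FrozenSet[str]]] = None) -> LogonPolicy:
    """User-level settings override the GPO's accepted combinations; the smart card
    unlock option is only available through the GPO, so it is always taken from there."""
    accepted = gpo.accepted if user_accepted is None else tuple(user_accepted)
    return LogonPolicy(accepted, gpo.fingerprint_unlocks_smart_card)


def _satisfied(cred: str, presented: Set[str], policy: LogonPolicy, enrolled: bool) -> bool:
    if cred == FINGERPRINT:
        # A presented fingerprint is worthless until the user has enrolled: this is the
        # lockout the chapter warns about when enrollment is cancelled under a strict policy.
        return enrolled and FINGERPRINT in presented
    if cred == SMART_CARD:
        if SMART_CARD not in presented:
            return False
        by_pin = SMART_CARD_PIN in presented
        by_finger = policy.fingerprint_unlocks_smart_card and enrolled and FINGERPRINT in presented
        return by_pin or by_finger
    return cred in presented


def logon_allowed(policy: LogonPolicy, presented: Iterable[str], enrolled: bool = True) -> bool:
    """True if the presented credentials satisfy at least one accepted combination."""
    have = set(presented)
    return any(all(_satisfied(c, have, policy, enrolled) for c in combo) for combo in policy.accepted)


def locked_out_users(policy: LogonPolicy, roster: Dict[str, Tuple[bool, Set[str]]]) -> List[str]:
    """roster maps user -> (enrolled?, credentials that user can present).
    Returns the users who could not log on under 'policy'; run it against the next
    phase's policy before tightening settings, as the chapter suggests doing in stages."""
    return sorted(name for name, (enrolled, creds) in roster.items()
                  if not logon_allowed(policy, creds, enrolled))


if __name__ == "__main__":
    # Constructed roster: alice enrolled, bob cancelled the enrollment wizard.
    roster = {"alice": (True, {FINGERPRINT, PASSWORD}), "bob": (False, {PASSWORD})}
    for name, phase in (("phase 1", FINGERPRINT_OR_PASSWORD), ("phase 2", FINGERPRINT_REQUIRED)):
        print(name, "locked out:", locked_out_users(phase, roster))
```

Running the `__main__` block shows the staged rollout the chapter recommends: nobody is locked out while "fingerprint or password" is in force, and `bob` would be locked out the moment the policy moves to "fingerprint required", which is exactly the case that attended enrollment or an extended open enrollment period is meant to catch first.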


Implementing Stronger Security Settings in Stages

For large enterprise deployments, you might want to implement less strict security settings while users adopt the new process of enrolling fingerprints and using fingerprints to log on. During this time, you can configure a setting allowing either a fingerprint or a password for logon to Windows. This allows users to enroll their fingerprints and to start using them, for example, over a two week period.

Afterwards, you can transition to more strict settings such as making fingerprints required for logon, or randomizing user passwords, which effectively blocks users from being able to use a password to log on to the network and forces the use of fingerprints for logon. These and other security-related settings can be found in the DigitalPersona Pro Administrative Templates and the Extended Server Policy Module.

If you find that users have not enrolled fingerprints, you can either complete attended fingerprint enrollment with the users, or you can choose to extend the open enrollment period. In this case, continue to inform the users that they will not be able to log on if they do not enroll their fingerprints before a specific date.

All users should take additional measures to decrease the likelihood of unauthorized access to their computers. Suggestions in this manual are specific to DigitalPersona Pro only and do not represent a complete list of security measures. All users should create secure passwords for Windows accounts and applications.

Refer to the Microsoft Web site for more information about securing your computer from unauthorized access. The Microsoft Web site also contains more information on creating secure passwords.

Deploying One Touch SignOn Templates

The administrator for One Touch SignOn can decide how much control to maintain over OTS templates for One Touch SignOn to Web sites and programs.

• Templates can be created by an administrator and then deployed to Workstations using DigitalPersona GPO settings.
• The ability for users to make changes to OTS account data or create their own OTS templates can be limited or completely disabled.


You can also choose to allow some, or all, users to use the OTS Administration Tool to create their own templates, which can be stored on their workstation.

Workstation Installation and Connecting the Reader

Smaller companies may want users to install the hardware. Larger companies may use a representative from the IT department to install the hardware. To install software locally, the user must have administrative privileges on the local computer.

End User Education

Deployment will be most effective and flow more smoothly if you inform your users about the new user experience before DigitalPersona Pro Workstation or Kiosk is actually installed on their computers.

• Users need instructions on what to do when they view the DigitalPersona Pro Welcome screen to log on to Windows and when the Fingerprint Enrollment Wizard launches. (See “One Touch Logon” on page 187 and “Fingerprint Enrollment” on page 184.)
• Encourage users to read the online help that is available in the DigitalPersona Pro folder on the Start/Programs menu, or by clicking the reader icon in the taskbar notification area.
• Let users know that their fingerprint images will not be stored. Instead, only specific features of the fingerprints are obtained and stored. This data cannot be reverted to actual fingerprint images.

Warning
Make sure that you do not enable restrictive logon settings based on fingerprints until users have successfully enrolled fingerprints.

Let users know that their fingerprint images will not be stored. Instead, fingerprints are converted into binary data and then stored. This data cannot be reverted to actual fingerprint images.


Deployment Plan Checklist

This checklist provides you with a series of basic steps relating specifically to DigitalPersona Pro which should be included in your overall deployment plan.

1 Plan for the number of Pro Servers, Pro Workstations and Pro Kiosks to be installed in your deployment.
In larger deployments, it is recommended to have enough servers installed to provide service to the first set of users. Evaluate response time for user authentication to ensure that enough servers are installed as each set of users is added. Smaller organizations may decide to deploy all users at the same time.

2 Determine the number of Pro Servers, Workstations, Kiosks and User Authentication Licenses (UALs) that you will need.
Use the License Control Manager application (see page 110) to generate a license request file and send it to DigitalPersona along with your purchase order.

3 Deploy Pro Servers, which includes performing an Active Directory schema extension, domain configuration and installation of the DigitalPersona Pro Server software to support the first set of users.
If your deployment includes Pro Kiosk, see "Configuring DigitalPersona Pro Server for Pro Kiosk" on page 50 for additional setup instructions.

4 Test the DigitalPersona Pro Workstation or Kiosk deployment on a single computer and set the options that the end users will use.
Test the GPO settings in Active Directory and confirm the intended effects for users.

5 Inform and educate end users on the deployment process and the tasks that you want them to complete.

6 If using Attended Fingerprint Enrollment, enroll user fingerprints from the test DigitalPersona Pro Workstation and/or Kiosk. Attended enrollment requires a supervising user and the end user to be present to enroll the user's fingerprints. See "Attended Fingerprint Enrollment" on page 114 for more information.

7 Create and deploy One Touch SignOn templates for fingerprint logon to Web sites and programs.

8 For the initial installation of DigitalPersona Pro Workstations or Kiosks, keep the group size manageable. Users should be separated into sets either by department or geography or some other grouping.
The first set of users should be a small test group to make sure you have implemented settings as intended. Later, other sets of users can be added in stages.

9 Connect fingerprint readers to computers. Instruct users on which order to complete install, hardware connection, and fingerprint enrollment as needed.


Chapter 14 - Use and Maintenance Guide for Optical Fingerprint Readers

Achieving optimal fingerprint recognition accuracy depends on:
• Proper use of the fingerprint reader during fingerprint enrollment and user authentication
• Regular maintenance of the fingerprint reader

Warning
To protect against the risk of bodily injury, fire, or damage to the fingerprint reader:
• Do not rub the oval window with an abrasive material, including paper.
• Do not poke the oval window coating with your fingernail or with any other item, such as a pen.
• Do not submerge the fingerprint reader in liquid.
• Do not spray liquid on the fingerprint reader or allow liquid to drip inside.
• Do not use the fingerprint reader if it has incurred damage, such as a cracked or frayed cord or a broken connector.

Using the Fingerprint Reader

For comfort and reliability, it is recommended that you use the index finger of either hand.

To ensure proper use of the fingerprint reader when enrolling your fingerprints or when authenticating yourself using the fingerprint reader, perform the following steps:

1 Place the entire pad of your finger—not just the tip or the side of your finger—in the center of the oval window of the fingerprint reader, as shown in the picture on the right. Apply steady, even pressure on the oval window. Do not roll or swipe your finger.


2 Hold your finger on the oval window until you see the light under the window blink. This indicates that the fingerprint reader has scanned your fingerprint. (You may find that this process takes longer than normal when your skin is dry.)

3 When the light blinks, lift your finger from the oval window. Depending on how your fingerprint reader is configured, you may also hear a sound along with the blink of the light.

If the fingerprint reader scans your fingerprint, as indicated by the blink, but the DigitalPersona software does not authenticate you after several attempts, try re-enrolling your fingerprint.

Cleaning the Fingerprint Reader

The condition of the fingerprint reader affects its ability to obtain a good quality scan of a fingerprint. To maintain the fingerprint reader, the oval window should be cleaned periodically as follows:

Press the sticky side of a piece of adhesive cellophane tape across the oval window, and then peel it away, as shown in the picture on the right.

Note
DigitalPersona supports multiple types of fingerprint readers; however, during fingerprint enrollment, you must use the same fingerprint reader for all required scans.

The fingerprint reader is intended for home or office use only.


Chapter 15 - Use and Maintenance Guide for Swipe Readers

Achieving optimal fingerprint recognition accuracy depends on:
• Proper use of the fingerprint reader during fingerprint enrollment and user authentication
• Regular maintenance of the fingerprint reader

Warning
To protect against the risk of bodily injury, fire, or damage to the fingerprint reader:
• Do not submerge the fingerprint reader in liquid.
• Do not spray liquid on the fingerprint reader or allow liquid to drip inside.
• Do not use the fingerprint reader if it has incurred damage, such as a cracked or frayed cord or a broken connector.

Using the Fingerprint Reader

For comfort and reliability, it is recommended that you use the index finger of either hand.

To ensure proper use of the fingerprint reader when enrolling your fingerprints or when authenticating yourself using the fingerprint reader, perform the following steps:

1 Place the first knuckle of your index finger over the horizontal sensor bar, as shown in the picture on the right.

2 Pull your finger straight toward you, using moderate pressure and speed. The pad of your finger should make full contact with the sensor bar during the swipe and should remain centered (not too far left or too far right).


To maintain full contact with the sensor bar, you should pull your whole arm toward you rather than flicking your finger.

3 The DigitalPersona software will notify you if the scan was successful or if you need to swipe your finger again.

If the DigitalPersona software does not authenticate you after several attempts, try re-enrolling your fingerprint.

Cleaning the Fingerprint Reader

The condition of the fingerprint reader affects its ability to obtain a good quality scan of a fingerprint.

Occasionally, you may see a message advising you to clean the fingerprint reader. If you do, simply wipe the sensor bar with a dry or slightly damp tissue or with a cotton swab, as shown in the picture above.

Note
DigitalPersona supports multiple types of fingerprint readers; however, during fingerprint enrollment, you must use the same fingerprint reader for all required scans.

The fingerprint reader is intended for home or office use only.


Chapter 16 - DigitalPersona Pro Settings

This chapter provides an alphabetical listing of the policies and settings available in DigitalPersona Pro, Pro Workstation and Pro Kiosk, describes where they are located in Active Directory, and gives the page number in this guide where they are defined.

Legend: In the Location column of the following table, this legend is used.

CC ... = "Computer Configuration/Policies/Administrative Templates/DigitalPersona Pro/" for Windows Server 2008, and "Computer Configuration/Administrative Templates/DigitalPersona Pro/" for all other supported Windows versions.

UC ... = "User Configuration/Policies/Administrative Templates/DigitalPersona Pro/" for Windows Server 2008, and "User Configuration/Administrative Templates/DigitalPersona Pro/" for all other supported Windows versions.

Setting Name | Location | Page
Account lockout duration | CC ... /DigitalPersona Pro Server/Fingerprint Verification Lockout | 89
Account lockout threshold | CC ... /DigitalPersona Pro Server/Fingerprint Verification Lockout | 89
Account is locked out from use of fingerprint credentials | Active Directory Users and Computers/Users/[user name]/User Properties/DigitalPersona Pro tab (Basic Property) | 103
Allow automatic software updates | CC ... /DigitalPersona Pro Workstation/Workstation Properties | 97
Allow Fingerprint Data Redirection | CC ... /DigitalPersona [Workstation and Kiosk] | 93
Allow One Touch Internet | UC ... /DigitalPersona Pro Workstation/Workstation Properties | 98
Allow use of Kerberos authentication to access DigitalPersona data | CC ... /DigitalPersona Pro Server/Single Sign-on | 90
Allow use of Single Sign-On | CC ... /DigitalPersona Pro Workstation | 94


Allow users to add account data | UC ... /DigitalPersona Pro [Workstation and Kiosk]/OTS/One Touch SignOn configuration | 99
Allow users to delete account data | UC ... /DigitalPersona Pro [Workstation and Kiosk]/OTS/One Touch SignOn configuration | 99
Allow users to edit account data | UC ... /DigitalPersona Pro [Workstation and Kiosk]/OTS/One Touch SignOn configuration | 99
Automated Site Coverage by BAS Locator DNS SRV Records | CC ... /DigitalPersona Pro Server/BAS Locator DNS Records | 87
Cache user data on local computer | CC ... /DigitalPersona Pro Workstation/ | 95
Do not compress Fingerprint Data for Redirection | UC ... /DigitalPersona Pro Workstation/ | 95
Dynamic Registration of BAS Locator DNS Records | CC ... /DigitalPersona Pro Server/BAS Locator DNS Records | 85
Event Logging | CC ... /DigitalPersona Pro [Server, Workstation and Kiosk] | 84
False Accept Rate Used in Fingerprint Verification | CC ... /DigitalPersona Pro [Server, Workstation and Kiosk]/Fingerprint Recognition | 91
Fingerprint is allowed to unlock the smart card | CC ... /DigitalPersona Pro Workstation/Multi-credential logon to Windows | 97
Fingerprint Recognition | CC ... /DigitalPersona Pro [Workstation and Kiosk] | 91
Kiosk Workstation Shared Account Settings | CC ... /Kiosk Workstation Settings | 100
Maximum Number of Enrolled Fingerprints Per User | CC ... /[Server, Workstation and Kiosk]/Fingerprint Recognition | 92
Maximum Size of Identification List | CC ... /DigitalPersona Pro Workstation | 96
Multi-credential logon to Windows | CC ... /DigitalPersona Pro Workstation/ | 96


Password is not allowed for logon | CC ... /DigitalPersona Pro Workstation/Multi-credential logon to Windows | 97
Path to the container of templates | UC ... /DigitalPersona Pro [Workstation and Kiosk]/OTS/One Touch SignOn configuration | 99
PIN is required when a fingerprint is provided | CC ... /DigitalPersona Pro Workstation/Multi-credential logon to Windows | 97
Priority Set in BAS Locator DNS SRV Records | CC ... /DigitalPersona Pro Server/BAS Locator DNS Records | 86
Randomize user's Windows password | Active Directory Users and Computers/Users/[user name]/User Properties/DigitalPersona Pro tab (Extended Property) | 104
Refresh Interval of BAS Locator DNS Records | CC ... /DigitalPersona Pro Server/BAS Locator DNS Records | 85
Register BAS Locator DNS SRV Record for Domain | CC ... /DigitalPersona Pro Server/BAS Locator DNS Records | 88
Reset account lockout counter after | CC ... /DigitalPersona Pro Server/Fingerprint Verification Lockout | 89
Show clear text passwords | UC ... /DigitalPersona Pro [Workstation and Kiosk]/OTS/One Touch SignOn configuration | 99
Show fingerprint icon on the taskbar. | UC ... /DigitalPersona Pro Workstation/Workstation Properties | 98
Show One Touch Menu upon fingerprint validation | UC ... /[Workstation and Kiosk]/Workstation Properties | 98
Sites Covered by BAS Locator DNS SRV Records | CC ... /DigitalPersona Pro Server/BAS Locator DNS Records | 87
Size of the Identification List for Kiosks | CC ... /DigitalPersona Pro Server/Kiosk Server setting | 90


Use DigitalPersona Pro Server for authentication | UC ... /DigitalPersona Pro Workstation/ | 95
User must provide a fingerprint to log on | CC ... /DigitalPersona Pro Workstation/Multi-credential logon to Windows | 97
User must provide a fingerprint to log on | Active Directory Users and Computers/Users/[user name]/User Properties/DigitalPersona Pro tab (Extended Property) | 104
User must type a PIN when providing a fingerprint to log on | Active Directory Users and Computers/Users/[user name]/User Properties/DigitalPersona Pro tab (Extended Property) | 104
User provides only Windows credentials to log on | Active Directory Users and Computers/Users/[user name]/User Properties/DigitalPersona Pro tab (Basic Property) | 103
Weight Set in BAS Locator DNS SRV Records | CC ... /DigitalPersona Pro Server/BAS Locator DNS Records | 86

Kiosk-Specific Settings

Setting Name | Location | Page
Allow automatic logon using Shared Kiosk Account | CC ... /DigitalPersona Pro Kiosk Workstation/Kiosk Workstation Setting | 100
Force Authentication On Server | CC ... /DigitalPersona Pro Kiosk Workstation/Kiosk Workstation Setting | 100
Kiosk Workstation Shared Account Settings | CC ... /DigitalPersona Pro Kiosk Workstation/Kiosk Workstation Setting | 100
Logon/Unlock with Shared Account Credentials | CC ... /DigitalPersona Pro Kiosk Workstation/Kiosk Workstation Setting | 101
Prevent users from logging on outside of a Kiosk session. | CC ... /DigitalPersona Pro Kiosk Workstation/Kiosk Workstation Setting | 100


Size of the identification list for Kiosks | CC ... /Kiosk Server Settings | 90


Chapter 17 - Troubleshooting

This chapter includes the following troubleshooting guides:
• Reader Troubleshooting
• One Touch Logon Troubleshooting
• One Touch Internet and OTS Troubleshooting
• Miscellaneous Troubleshooting
• Additional Troubleshooting

Reader Troubleshooting

This section contains reader troubleshooting tips for a variety of symptoms.

Reader Does Not Light Up During Installation or Restart

If the reader does not light up during installation or restart after installation of DigitalPersona Pro, try the following:
• Ensure the reader is connected directly to a USB port on the computer—not a USB hub.
• Connect the reader to another USB port on the same computer.

If neither step resolves the issue, try any of the options in the following three sections:

Reinstall the USB Driver

Reinstalling the USB driver for the reader sometimes corrects the problem.

To reinstall the USB driver for the reader
1 In the Windows Device Manager, expand the Biometric item in the table.
2 Right-click on the fingerprint reader device and click Uninstall.
3 Unplug the reader.
4 Locate the UsbDPFp.sys file (C:\Windows\System32\drivers) and delete it.


5 Plug the reader in again. The installation wizard should automatically launch, locate the reader driver software and install it. If the wizard prompts you to locate the driver, point to the DpDrv folder in the Windows root folder.
6 Restart the computer.

Test Ports with Second Reader

If available, take a working reader from another computer and plug it into your computer. If it works, the original reader may be faulty; if not, the USB controller may be configured improperly (see topic below).

In addition, you can also try plugging the original reader into a USB port on another computer to verify whether the reader is faulty or the computer on which you are trying to install it.

Check USB Controller Configuration

Your computer must be configured to use USB devices. This section guides you through the process of verifying this functionality.

To check the USB controller configuration on your computer
1 On the Start menu, point to Settings and click Control Panel. Then, click System.
2 Click the Hardware tab and then the Device Manager button to verify that "Universal Serial Bus controller" is listed as an entry.
3 If the entry exists, click the plus sign (+) next to Universal Serial Bus controller and verify that icons for USB Root Hub and USB Port are present.
4 If none of the entries or icons are visible or if they have exclamation marks or red X's through them, you must contact the manufacturer of your computer to acquire the necessary software to support USB devices.


Reader Light Went Out When In Use

If the reader light is no longer lit after the reader has been in use for some time, try these steps to determine the source of the problem:
• Unplug the reader and then plug it in again. Check the USB cable connection to ensure a secure fit.
• Connect the reader to a different USB port on your computer to verify that the first USB port is working properly.
• Connect the reader to a different computer to see if the reader is malfunctioning.

If the reader functions on another USB port or computer, the first USB port is faulty. If the reader works on another computer—but not on the first one—check the USB controller configuration, as described in "Check USB Controller Configuration" on page 249.

Reader Does Not Blink When Touched

If the reader light is on, but does not blink when touched, unplug the reader and then plug it in again.

If this does not correct the problem, clean the reader window. To clean the reader window, apply the sticky side of a piece of adhesive cellophane tape on the window and peel it away.

Software Does Not Respond When Reader Is Touched

If the reader light is on and it blinks when touched but the fingerprint is not scanned, unplug the reader and then plug it in again. If this does not correct the problem, try cleaning the reader, as described in "Cleaning and Maintaining the Reader" on page 205. If these steps do not correct the problem, try restarting your computer.


Reader Blinks Constantly

If the reader light blinks constantly, the reader window may need cleaning. To clean the reader window, apply the sticky side of a piece of adhesive cellophane tape on the window and peel it away.


One Touch Logon Troubleshooting

If logon seems particularly slow, it may be because the computer is spending excess time looking for the DNS server. In this case, you can speed up authentication by manually specifying the preferred DNS IP address.

To manually specify the preferred DNS IP address on a DigitalPersona Pro Workstation
1 Locate the My Network Places icon on the desktop and click Properties on its context menu.
2 On the Network Connections dialog box, locate the Local Area Connection icon and click Properties on its context menu.
3 Select Internet Protocol (TCP/IP) on the Local Area Connection Properties dialog box and then click the Properties button.
4 Select the Use the following DNS server addresses radio button and type the IP address of the DNS server in the Preferred DNS server text box.
(Figure caption: Specify the IP address of the preferred DNS Server(s) to speed up logon.)
5 Close all dialog boxes to save your changes.


One Touch Internet and OTS Troubleshooting

Following are issues you may encounter when using One Touch SignOn and One Touch Internet:

• Due to the design of a particular Web site or program, One Touch Internet or One Touch SignOn may not be able to automatically create a fingerprint logon. In the One Touch SignOn Administration Tool, use the Create Logon Template Manually or Create Change Password Screen Template Manually feature for access to more powerful options in designing Logon or Change Password Screen templates.
• A submit button may not be found when setting up a logon screen that uses a non-standard method for submitting forms. In this case, you will have to manually submit logon data by clicking the submit button on the Web page after One Touch SignOn or One Touch Internet fills in the field values.
• If a Quick Link is not working properly, ensure you have entered the Web page title in the logon screen setup exactly as it appears on the Web page. Also, verify that the URL specified in the logon screen setup is correct. Some Web pages redirect users to a temporary URL that expires after one-time use. If the logon screen you set up with One Touch SignOn or One Touch Internet redirects users to temporary and unique URLs, for example, with Microsoft's Hotmail, you will have to manually type the URL in the logon profile instead of using the URL that One Touch SignOn assigns by default.
• At the end of the process for creating a fingerprint logon, a message displays, "The account data cannot be saved. If the problem persists, contact your administrator." This message indicates that the maximum number of fingerprint logons has been reached and you can no longer create fingerprint logons. This maximum is approximately 400 fingerprint logons for versions prior to 4.3 and 1600 logons for versions 4.3 and above. The actual maximum may be less and will depend on the amount of information contained in each fingerprint logon.

You can delete old logons to free space for creating new ones, or the storage space for fingerprint logons can be increased using the following procedure.


Miscellaneous Troubleshooting

How do I increase the storage that is used for "Secrets"?

If you have run out of space used for storing "Secrets," you will no longer be able to create fingerprint logons.

To increase the storage space for Secrets, make the following change on the domain controller where DigitalPersona Pro Server is installed. ADSI Edit, part of the Windows Server Support Tools, must also be installed.

1 Log on to the computer with an account that has rights to modify the Active Directory schema.
2 Navigate to %Program Files%\Support Tools, and then double-click adsiedit.msc.
3 Expand the Schema, and then click CN=Schema,CN=Configuration,DC=domain_name,DC=com
4 In the Details pane, right-click CN=dp-User-Private-Data, and then click Properties.
5 Double-click rangeUpper.
6 Type a new appropriate upper range for the attribute. The recommended value is 131072.
7 Click OK, and then click OK again.

Where is my license and other DigitalPersona information stored?

Your DigitalPersona Pro license is stored in Active Directory. Your enrolled fingerprints and secrets are stored in Active Directory under the User objects. The location where OTS templates are stored is determined by a setting in the OTS Administration Tool and a corresponding GPO setting. It is a good idea to store OTS templates on a network share (or preferably in the SYSVOL).
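As an added example (not from the guide), the Secrets storage change above expressed as a PowerShell script that uses the ActiveDirectory module from RSAT instead of ADSI Edit; it reads the current rangeUpper of dp-User-Private-Data on the schema master and raises it to the guide's recommended 131072 only when -Apply is given. The attribute name and value come from the procedure above; RSAT availability and Schema Admins membership are assumptions.

```powershell
# Added example, not part of the DigitalPersona guide: checks, and optionally
# raises, the rangeUpper limit of the dp-User-Private-Data schema attribute
# with the ActiveDirectory module instead of ADSI Edit. Assumptions: RSAT is
# installed and the caller is a member of Schema Admins.
param(
    [int]$NewRangeUpper = 131072,   # recommended value from the guide
    [switch]$Apply                  # without -Apply the script only reports
)

Import-Module ActiveDirectory

# Schema writes are only accepted by the schema master, so target it explicitly.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

# Locate the attributeSchema object the guide refers to as CN=dp-User-Private-Data.
$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(cn=dp-User-Private-Data))' `
    -Properties rangeUpper, lDAPDisplayName

if (-not $attr) {
    throw "dp-User-Private-Data not found under $schemaNC. Has the DigitalPersona Pro Server schema extension been applied?"
}

$current = $attr.rangeUpper
$shown   = if ($null -eq $current) { '(not set)' } else { $current }
Write-Host ("{0}: current rangeUpper = {1}" -f $attr.lDAPDisplayName, $shown)

if ($null -ne $current -and $current -ge $NewRangeUpper) {
    Write-Host "No change needed; the limit is already at or above $NewRangeUpper."
    return
}

if (-not $Apply) {
    Write-Host "Re-run with -Apply to set rangeUpper to $NewRangeUpper."
    return
}

# -Replace overwrites the single-valued rangeUpper attribute (steps 5 to 7 of the guide).
Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
    -Replace @{ rangeUpper = $NewRangeUpper }

# Read the value back from the schema master to confirm the write took effect.
$after = Get-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName -Properties rangeUpper
Write-Host ("rangeUpper is now {0}" -f $after.rangeUpper)
```

Run it first without -Apply to see the current value; a schema change replicates forest-wide, so confirm the reported value before re-running with -Apply.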


Installing Citrix support after DigitalPersona Pro client installation

If Citrix was not present prior to installing DigitalPersona Pro Workstation or Kiosk, files necessary to support Citrix will not be installed.

To install Citrix support files, do one of the following:
1 After Citrix installation, select DigitalPersona Pro Workstation or Kiosk in the Windows Control Panel list of programs and run Repair.
2 Or, perform the following procedure after Citrix installation:
• Locate the DPICACnt.dll file in the "Misc\Citrix Support" folder of the DP Product package, and copy it to the folder on the client computer where the Citrix client components are located (i.e. for the Program Neighborhood client it might be the "Program Files\Citrix\ICA Client" folder).
• In the Run box, using the regsvr32.exe program, register the DPICACnt.dll library. Example: regsvr32 .
• If you have several Citrix clients installed on a computer, deploy the DPICACnt.dll library to the Citrix client folder for each client to be used with DigitalPersona Pro software.

Resetting a fingerprint PIN

This procedure applies to the scenario where multi-credential authentication is enabled and set up to use a PIN with the fingerprint, and a user forgets their PIN.

To reset a fingerprint PIN (Pro 4.2 and higher)
1 On the server, in Active Directory Users and Computers, right-click on the user and click Delete Fingerprint PIN.
2 The user will be prompted to enter a new fingerprint PIN the next time that they log on.

Additional Troubleshooting

For additional troubleshooting information see: http://www.digitalpersona.com/support.


Customizing Pro Workstation 18

After installation of DigitalPersona Pro, administrators can override the default DigitalPersona Pro Properties settings in the Windows Registry for One Touch Menu content and Quick Actions.

Warning
Editing registry settings may damage your system. Before making changes, back up your data. Use the Last Known Good Configuration startup option if you encounter problems after making changes to the registry.

Instructions in the next two sections are provided to configure the One Touch Menu and Quick Actions using the Windows Registry.

Note
Changes made to the settings in the registry do not take precedence over local configuration by end users.

One Touch Menu Content

Each of the commands on the One Touch Menu may be removed through the Windows Registry. New commands cannot be added. You can use the Windows Registry Editor to modify registry keys for the One Touch Menu, export the new settings in a .reg file and import those settings on the target machines.

To configure the One Touch Menu content

1 Launch the Windows Registry Editor.

2 In the Registry Editor, navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\DigitalPersona\Applications\One Touch Menu\Items


This table shows the String Value Name for each One Touch Menu command and the result of the command.

String Value Name    Result of One Touch Menu command
Help                 Displays the online Help file.
OTI                  (Create Fingerprint Logon) Displays the Create Fingerprint Logon dialog when clicked.
Properties           Displays the Properties dialog.
Quick Links          Displays Quick Links that you have created.

3 To remove an item from the One Touch Menu, delete the String Value.

Quick Actions

The procedure for modifying Quick Actions settings is similar to the One Touch Menu registry configuration. Using the Windows Registry Editor, you can specify the Quick Actions that correspond with a DigitalPersona Pro feature.

To configure Quick Actions in the Windows Registry

1 Launch the Windows Registry Editor.

2 In the Registry Editor, navigate to the following registry key:
HKEY_CURRENT_USER\SOFTWARE\DigitalPersona\Applications\OTAppSettings\QuickActions

During program installation, a single String Value (Default) is created. If any of the Quick Link settings in the Properties dialog box have been changed, three more String Values will exist:

Name       Definition                                                                                                Type
F+Ctrl     Defines the action to perform when the Control key is pressed in conjunction with use of an enrolled fingerprint.   REG_SZ
F+Shift    Defines the action to perform when the Shift key is pressed in conjunction with use of an enrolled fingerprint.     REG_SZ
Finger     Defines the action to perform when no key is pressed in conjunction with use of an enrolled fingerprint.            REG_SZ

3 You can assign a Quick Action to any of the three String Values by setting the Value data to any of the following values.

Value              Result
None               Validates the fingerprint, but does not perform any additional action.
OTI                Displays the Create Fingerprint Logon dialog.
LockWorkstation    Locks the workstation.
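As an added example (not code from the guide or from DigitalPersona), the following VBScript applies both customizations described in this chapter without opening the Registry Editor: it deletes One Touch Menu commands under HKEY_LOCAL_MACHINE and assigns the three Quick Actions under HKEY_CURRENT_USER, rejecting any value name or action that is not one of the documented ones. The registry paths are the ones given above; which menu items to remove and which actions to assign are illustrative choices.

```vbscript
' Added example: apply One Touch Menu and Quick Actions registry settings.
' Registry paths are the ones documented in this chapter; the choice of
' which menu items to remove and which actions to assign is illustrative.
Option Explicit

Const OTM_ITEMS = "HKLM\SOFTWARE\DigitalPersona\Applications\One Touch Menu\Items\"
Const QA_KEY    = "HKCU\SOFTWARE\DigitalPersona\Applications\OTAppSettings\QuickActions\"

Dim shell
Set shell = CreateObject("WScript.Shell")

' Removes one command from the One Touch Menu by deleting its String Value.
' Only the four documented values exist and nothing can be added, so an
' unknown name is rejected rather than acted on.
Function RemoveOneTouchMenuItem(itemName)
    RemoveOneTouchMenuItem = False
    Select Case itemName
        Case "Help", "OTI", "Properties", "Quick Links"
            On Error Resume Next
            shell.RegDelete OTM_ITEMS & itemName
            If Err.Number = 0 Then
                RemoveOneTouchMenuItem = True
            Else
                ' Already removed, or no write access to HKLM: report and go on.
                WScript.Echo "Could not delete " & itemName & ": " & Err.Description
                Err.Clear
            End If
            On Error GoTo 0
        Case Else
            WScript.Echo "Unknown One Touch Menu item: " & itemName
    End Select
End Function

' Assigns a Quick Action (None, OTI or LockWorkstation) to one of the
' three String Values F+Ctrl, F+Shift or Finger.
Function SetQuickAction(valueName, action)
    SetQuickAction = False
    Select Case valueName
        Case "F+Ctrl", "F+Shift", "Finger"
        Case Else
            WScript.Echo "Unknown Quick Action value name: " & valueName
            Exit Function
    End Select
    Select Case action
        Case "None", "OTI", "LockWorkstation"
        Case Else
            WScript.Echo "Unsupported Quick Action: " & action
            Exit Function
    End Select
    shell.RegWrite QA_KEY & valueName, action, "REG_SZ"
    SetQuickAction = True
End Function

' Illustrative policy: hide Quick Links and Create Fingerprint Logon,
' make a plain touch lock the workstation, keep Ctrl and Shift inert.
RemoveOneTouchMenuItem "Quick Links"
RemoveOneTouchMenuItem "OTI"
SetQuickAction "Finger",  "LockWorkstation"
SetQuickAction "F+Ctrl",  "None"
SetQuickAction "F+Shift", "None"

' Read back what was written so the result can be checked in the log.
WScript.Echo "Finger -> " & shell.RegRead(QA_KEY & "Finger")
```

Run it with cscript.exe under an account that can write to HKLM; the HKCU part only reaches the profile of the account running the script, so for other users' profiles use the exported .reg route the chapter describes.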


Installing High Encryption 19

If your domain controller is not high-encryption (128-bit) capable, install Microsoft Windows 2000 High Encryption (128-bit) Capability, which is available for download from Microsoft. Because high encryption capability is built into Windows XP, Windows Server 2003 and above, and the latest service packs for Windows 2000, you do not need to install the high encryption pack on these operating systems.

To install Microsoft Windows 2000 High Encryption (128-bit) Capability on your domain controller

1 Double-click ENCPACK.exe to launch the installer.

2 When prompted to continue with the installation of Microsoft Windows 2000 high-encryption (128-bit) capability, click Yes.

3 To finish the installation, restart the computer.


Regulatory Information 20

DigitalPersona U.are.U® Fingerprint Reader Regulatory Information

Warning
To protect against risk of fire, bodily injury, electric shock or damage to the equipment:
• Do not immerse any part of this product in water or other liquid.
• Do not spray liquid on this product or allow excess liquid to drip inside.
• Do not use this product if it has sustained damage, such as a damaged cord or plug.
• Disconnect this product before cleaning.

Tested to comply with FCC Standards. For home or office use. Any changes or modifications not expressly approved by DigitalPersona, Inc. could void your authority to operate this equipment. This device is rated as a commercial product for operation at +32°F (+0°C) to +104°F (+40°C).

The U.are.U Fingerprint Reader has been tested and found to comply with the limits for a Class B digital device under Part 15 of the Federal Communications Commission (FCC) rules, and it is subject to the following conditions: a) It may not cause harmful interference, and b) It must accept any interference received, including interference that may cause undesired operation.

This device conforms to emission product standards EN55022(B) and EN50082-1 of the European Economic Community and AS/NZS 3548 Class B of Australia and New Zealand.

This digital apparatus does not exceed the Class B limits for radio noise emission from digital apparatus as set out in the radio interference regulations of the Canadian Department of Communications.

(French) This digital apparatus does not emit radio noise exceeding the limits applicable to Class B digital apparatus prescribed in the radio interference regulations issued by the Canadian Department of Communications.

This product has been tested to comply with International Standard IEC 60825-1:1993, A1:1997, A2:2001; IEC 60825-2:2000


CAUTION - USE OF CONTROLS OR ADJUSTMENTS OR PERFORMANCE OF PROCEDURES OTHER THAN THOSE SPECIFIED HEREIN MAY RESULT IN HAZARDOUS RADIATION EXPOSURE.

Caution (French) - The use of controls and adjustments or the application of procedures other than those specified in this document may result in exposure to hazardous radiation.

Caution (German) - Use of controls, adjustments or performance of procedures not listed here may cause hazardous radiation exposure.

Caution (Spanish) - The use of controls, adjustments or procedures other than those specified here may result in hazardous radiation levels.

Caution (Italian) - The use of controls, adjustments or procedures other than those specified here may lead to exposure to a hazardous level of radiation.

This product uses LEDs that are inherently Class 1.


DigitalPersona Pro ID Server 21

The DigitalPersona Pro ID Server Add-On module is an optional component that may be added to an installation of DigitalPersona Pro Server.

The ID Server is a fingerprint matching server, performing 1-to-many matching, which adds identification capabilities with the ability to perform high-speed searches on a significant collection of enrolled fingerprints.

The current recommended limits are 10,000 users with two fingerprints each, or 20,000 fingerprint templates.

Since the ID Server runs under the DigitalPersona Pro Server, it delivers the same levels of security, scalability and services, including:
• Client workstations can automatically locate compatible Pro Servers
• Load balancing of multiple Pro Servers based on weighting assigned through a GPO
• Fail over between servers
• Installs on the domain controller for optimum security

Upon installation, all Active Directory users with enrolled fingerprints will be added to the identification list.

System Requirements

The following Pro ID Server system requirements are in addition to the hardware and software requirements listed for DigitalPersona Pro Server on page 31, since Pro Server is required to be installed and configured prior to installing the Pro ID Server Add-On module.

Additional memory requirements

Pro ID Server places the user collections containing all enrolled user fingerprints in memory during the identification operation, which substantially increases the minimum memory requirements beyond those of the DigitalPersona Pro Server alone. The following minimum requirements are in addition to the hardware and software requirements for Pro Server listed on page 31.


12 MB plus 37K per fingerprint template in the identification set. For example:

Number of Templates    Minimum Memory Required
1,000                  49 MB
10,000                 382 MB
20,000                 764 MB*

* Note that the maximum number of fingerprint templates supported by Pro ID Server at this time is 20,000. So, if users are restricted to enrolling only two fingerprints, you can have a maximum of 10,000 users.

Pro Workstation

The Pro ID Server is compatible with all currently supported DigitalPersona Pro Workstation products as listed in the topic, Product Compatibility on page 32.

Pro Kiosk

All currently supported versions of the DigitalPersona Pro Kiosk client prior to version 4.4 cannot operate in an environment served by a DigitalPersona Pro Server that has had the ID Server Add-On module installed, and will need to be replaced with the Pro Kiosk for ID Server client.

Pro Kiosk for ID Server

The Pro ID Server Add-On includes an ID Server-specific edition of the kiosk client, DigitalPersona Pro Kiosk for ID Server. This edition of the Kiosk workstation will not work in a Pro Server environment that does not have the ID Server Add-On installed.

This ID Server-specific Kiosk workstation is functionally the same as the standard Pro Kiosk edition, except that it no longer uses a local identification list, and therefore is not limited to the previous identification list size of 100 users.


All Active Directory users who have an enrolled fingerprint will be automatically added to the ID Server Identification List. However, specific users can be excluded from the list (see page 264).

Also, the identification of kiosk users is no longer tied to a specific OU (Organizational Unit) or site.

Installation

1 In the provided Pro ID Server software package (CD or downloaded file), navigate to and launch the Setup.exe file.

2 Follow the on-screen instructions in the Installation Wizard.

3 If you need help troubleshooting your installation, you can find additional information in the support section of our website at: http://www.digitalpersona.com.

Configuration

When the DigitalPersona Pro ID Server Add-On module is added to an existing Pro Server environment, all Active Directory users who have a previously enrolled fingerprint will be automatically added to the ID Server Identification List.

Excluding users from the Identification List

You can exclude individual users from the kiosk Identification List by enabling the included GPO setting, and then restricting permissions for specific groups of users or computers.

1 Ensure that the "Restrict identification to a specific list of users" setting is enabled. (When it is disabled or not configured, the default is that all domain users will be part of the identification list.)

2 To create a list of restricted users and assign it to a kiosk, see the topic "Assigning Kiosk Permissions" on page 53.


ID List generation

Depending on the size of your organization, it could take up to 15 minutes to create the Identification List, or to ensure that a newly enrolled user will be identified. During that time, the user can be authenticated, but not identified. Additional time may be needed depending on your AD replication cycle or when rebooting the domain controller.


Pro Kiosk Unlock Scripting 22

Overview

DigitalPersona Pro, version 4.4 and above, provides a component that administrators can use to create scripts that will be run automatically when a DigitalPersona Pro Kiosk client workstation is unlocked. This capability works with either the standard Pro Kiosk client or the Pro ID Server client.

The script will be run each time that a Kiosk user unlocks a shared Kiosk account which has been locked or password protected by someone else.

The purpose of the script is to perform general cleanup activities and secure the desktop. It can be used to close an application gracefully without the application leaks/problems that can happen when an application is simply terminated.

• A script can be used to close multiple instances of the same application by referring to its class name, or multiple instances of the same application with the same caption name.
• A script can be used to perform an action on an application/window in a protected desktop.

Note
This feature is provided through the WMI (Windows Management Instrumentation) interface, and may not handle every situation. Always test thoroughly prior to deployment.

A sample script (SCHW455.vbs) is included in the Kiosk software package. You can change the name to reflect your specific use of the script. This sample file demonstrates how to close or terminate applications such as Internet Explorer, Notepad, MSN, Quickbooks, etc.

Note
Use the kiosk administration template (DigitalPersonaProWkstaKiosk) to set the location of the script file on the Pro Server.


Interface methods

The script component provides the following interface methods:

Close, CloseAll - These interface methods are used to close an application based upon its caption and/or class name.

• Interface Name: CloseAll
  Parameters: [in] BSTR strWindowCaption

• Interface Name: Close
  Parameters: [in] BSTR strWindowClassname,
              [in] BSTR strWindowCaption

Command - This method will execute the appropriate keyboard shortcut/hotkey for an application window, e.g. "Ctrl+s" for Notepad to save the content of the file.

• Interface Name: Command
  Parameters: [in] BSTR strWindowClassname,
              [in] BSTR strWindowCaption,
              [in] UINT uiNotifyCode,
              [in] UINT uiID

Application window information - The following two methods are used for gathering information from the application window, such as keyboard shortcuts for menu items.

• Interface Name: GetMenuStringByCommand
  Parameters: [in] BSTR strWindowClassname,
              [in] BSTR strWindowCaption,
              [in] UINT menuID,
              [in] UINT subMenuID,
              [out, retval] BSTR* rv_MenuString

• Interface Name: GetMenuIDByCommand
  Parameters: [in] BSTR strWindowClassname,
              [in] BSTR strWindowCaption,
              [in] UINT menuID,
              [in] UINT subMenuID,
              [out, retval] BSTR* rv_MenuID

Note
Some Windows applications do not have keyboard shortcuts/hotkeys available in their resources, so cannot be invoked by this script.
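The following unlock script is an added example and is not the SCHW455.vbs sample shipped with the Kiosk package: it calls the interface methods listed above to close every Notepad window with a given caption, close one Internet Explorer window by class and caption, and verify a menu item with GetMenuStringByCommand before driving it through Command. The component's ProgID, the window captions, the menu positions and the notify code of 0 are assumptions (placeholders) to be replaced with the values used in the shipped sample; the window classes "Notepad" and "IEFrame" are the standard ones for those applications.

```vbscript
' Added example of a Pro Kiosk unlock script; not the shipped SCHW455.vbs.
' It uses the interface methods documented in this chapter. The ProgID
' below is a placeholder: take the real one from the shipped sample.
Option Explicit

Const KIOSK_PROGID = "DigitalPersona.KioskUnlock.PLACEHOLDER"  ' assumption

Dim unlock
Set unlock = CreateObject(KIOSK_PROGID)

' Close every window whose caption matches, regardless of class.
' Windows are closed gracefully, so an application with unsaved state may
' prompt; CloseAll is used here only for captions that indicate an empty
' document.
Sub CloseAllByCaption(caption)
    On Error Resume Next
    unlock.CloseAll caption
    If Err.Number <> 0 Then
        WScript.Echo "CloseAll(" & caption & ") failed: " & Err.Description
        Err.Clear
    End If
    On Error GoTo 0
End Sub

' Close one window identified by class name and caption.
Sub CloseWindow(className, caption)
    On Error Resume Next
    unlock.Close className, caption
    If Err.Number <> 0 Then
        WScript.Echo "Close(" & className & ", " & caption & ") failed: " & Err.Description
        Err.Clear
    End If
    On Error GoTo 0
End Sub

' Look up the menu item at (menuID, subMenuID); if its text is the one we
' expect, fetch its command ID and send it with Command. The menu positions
' and the notify code of 0 are assumptions for this illustration; some
' applications expose no hotkeys in their resources and will not respond.
Function SendMenuCommand(className, caption, menuID, subMenuID, expectedText)
    Dim menuText, commandID
    SendMenuCommand = False
    On Error Resume Next
    menuText = unlock.GetMenuStringByCommand(className, caption, menuID, subMenuID)
    If Err.Number <> 0 Or InStr(1, menuText, expectedText, vbTextCompare) = 0 Then
        WScript.Echo "Menu item not found or unexpected: " & menuText
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    commandID = unlock.GetMenuIDByCommand(className, caption, menuID, subMenuID)
    unlock.Command className, caption, 0, CLng(commandID)
    SendMenuCommand = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0
End Function

' Cleanup sequence run when the shared Kiosk account is unlocked.
' The captions are illustrative; "Notepad" and "IEFrame" are the standard
' window classes of Notepad and Internet Explorer.
CloseAllByCaption "Untitled - Notepad"
CloseWindow "IEFrame", "Webmail - Windows Internet Explorer"

' Drive File (assumed menu 0) > Exit (assumed sub-item 6) on a document the
' previous user left open, falling back to a direct close if the menu could
' not be driven.
If Not SendMenuCommand("Notepad", "notes.txt - Notepad", 0, 6, "Exit") Then
    CloseWindow "Notepad", "notes.txt - Notepad"
End If
```

Point the kiosk administration template at the script's location on the Pro Server as the Note above describes, and test on a kiosk with each target application open before deploying.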


Fingerprint Logon Retraining 23

Overview

Fingerprint logons need to be "retrained" in order to work with the Firefox browser only if you are upgrading from a version of the One Touch SignOn Administration Tool prior to version 4.3.

The OTS Administration Tool includes a Retraining Wizard that will guide you through the simple steps required to identify and retrain your Logon screen and Change Password screen templates.

Show the Requires Retraining column

The "Requires Retraining" column heading is hidden by default, but can be displayed by right-clicking anywhere in the column headers and selecting Requires Retraining.

When the heading is visible, all templates with fingerprint logons requiring retraining will have an entry in that column such as Logon, Change Password or Logon/Change Password. This information tells you whether just the Logon screen needs to be retrained, or just the Change Password screen, or both.

By viewing the list of templates in each of your containers, you can tell at a glance which fingerprint logons need retraining.

Retrain your logons

The easiest way to retrain a fingerprint logon for a Logon or Change Password screen is to:

1 Right-click on the template that you want to retrain.

2 Select Retrain from the menu and select Logon Screen or Change Password Screen from the submenu.

3 The OTS Logon Screen Wizard or Change Password Screen Wizard displays.

4 Click Next to launch the program or Web site that the Logon screen or Change Password screen is associated with, and retrain it to be Firefox compatible.

5 The wizard will retrain your template and display the Setup Complete page. Click Finish to close the wizard.


IndexSymbols_uareupro SRV RR 57DNS Console path 59modifying Priority and Weight settings 59.adm and .admx 43.dplif extension 111AAccount is locked out from use of fingerprintcredentials setting 103, 243account is locked out from use of fingerprintcredentials setting 105Account lockout duration setting 89, 243Account lockout threshold setting 89, 243<strong>Active</strong> <strong>Directory</strong> containers 55Biometric Authentication Serverscontainer 55Policies container 55<strong>Active</strong> <strong>Directory</strong> Domain ConfigurationWizard 41<strong>Active</strong> <strong>Directory</strong> Schema ExtensionWizard 39<strong>Active</strong> <strong>Directory</strong>, defined 10add fingerprint icon 154add license 112Add-0n Module, <strong>Pro</strong> ID Server 30Administration ToolsCleanup Wizard 163installation 109License Control Manager 110overview 108User Query Tool 158Administrative Templates & Snap-ins 11ADSI Edit Tool 106ADSI Edit Tool Installation 106Allow automatic logon using Shared KioskAccount 100Allow automatic logon using Shared KioskAccount setting 246Allow automatic software updatessetting 97, 243Allow Fingerprint Data Redirectionsetting 93, 243Allow OneTouch Internet setting 98, 243Allow use of Kerberos authenticationsetting 90, 243Allow use of Single Sign-On setting 94, 243Allow users to add account datasetting 153, 244Allow users to delete account datasetting 99, 153, 244Allow users to edit account datasetting 153, 244attended registrationusing 114Authentication Server Object Nameproperty 56authentication, defined 16auto login <strong>for</strong> Kiosk Shared Account 100Automated Site Coverage by BAS LocatorDNS SRV Records setting 87, 244automatic DNS registration 57Automatic logon using the Shared KioskAccount 214BBAS Locator setting 85Basic User <strong>Pro</strong>perties 102Biometric Authentication Serverscontainer 55Server Version Object Name 56Service Configuration Container Name 56CCache Domain User Data on Local 
Computersetting 95Cache User Credentials setting 95Cache user data on local computer setting 244cached credentialsdefined 190in One Touch Logon 189Change Password Screen Templatesautomatic 135<strong>DigitalPersona</strong> <strong>Pro</strong> <strong>for</strong> <strong>Active</strong> <strong>Directory</strong> <strong>Administrator</strong> <strong>Guide</strong> 271


IndexD - Emanual 140changes made during installation 55changing passwords 215changing your Windows password 204chapter overview 3checking template compatibility 156checklist, deployment plan 237choosing an account 156Citrix 24, 26Citrix Presentation ServerKiosk installation 75Workstation installation 70cleaning the reader 205Cleanup Wizard 163command line install, Workstation 65compatibility, of OTS templates 156configuration options 230configure domain 41configuringOUs <strong>for</strong> kiosks 52<strong>Pro</strong> Server GPO settings 51settings <strong>for</strong> <strong>Pro</strong> Kiosk 50configuring DNS dynamic registration 59Connect to this domain the next time you runLicense Control Manager 111connecting to a domain 110Containersdeleting 146editing 146containersmanaging 146conventionsnaming 6notation 6typographic 7Creating Change Password ScreenTemplates 135Creating OTS Templates 122Credentials Management 171Credentials, defined 16Ctrl+Alt+Delete 189custom installation of <strong>Pro</strong> Workstation 63Custom Workstation installation 230DDelete fingerprint PIN 105Delete Fingerprints command 105delete user credential data 106deleting enrolled fingerprints 203Deploying <strong>DigitalPersona</strong> <strong>Pro</strong> Server 36deploying OTS templates 149deployment factors 233Deployment Plan 232Deployment Plan Checklist 237deployment planning 223<strong>DigitalPersona</strong> icon 117, 139, 144<strong>DigitalPersona</strong> <strong>Pro</strong> <strong>for</strong> <strong>Active</strong> <strong>Directory</strong>SDK 34<strong>DigitalPersona</strong> <strong>Pro</strong> ID Server Kiosk 27<strong>DigitalPersona</strong> <strong>Pro</strong> Kiosk 25<strong>DigitalPersona</strong> <strong>Pro</strong> Server 23<strong>DigitalPersona</strong> <strong>Pro</strong> Workstation 24<strong>DigitalPersona</strong><strong>Pro</strong>Svr.adm 43<strong>DigitalPersona</strong><strong>Pro</strong>Wksta.adm 43, 
44<strong>DigitalPersona</strong><strong>Pro</strong>WkstaKiosk.adm 80DNS Console path 59DNS Registration 57Do not compress Fingerprint Data <strong>for</strong>Redirection setting 244domain, configuring <strong>for</strong> <strong>Pro</strong> Server 41Dynamic DNS, defined 16Dynamic Registration of BAS Locator DNSRecords setting 85, 244EEnable sound feedback 202End-User education 236Enroll fingerprints command 105enrolling fingers 184event feedbackfingerprint prompt feedback 182fingerprint recognition feedback 182fingerprint scan acquisition feedback 182event logging 51<strong>DigitalPersona</strong> <strong>Pro</strong> <strong>for</strong> <strong>Active</strong> <strong>Directory</strong> <strong>Administrator</strong> <strong>Guide</strong> 272


IndexF - KEvent Logging setting 84, 244excluding users from the IdentificationList 264extend the <strong>Active</strong> <strong>Directory</strong> schema 39Extended Server Policy Module 30, 104Extended User <strong>Pro</strong>perties 103FFailed logon attempt lockout settings 89False Accept Rate Used in FingerprintVerification setting 244False Accept Rate User in FingerprintVerification setting 91FCC Standards 260feature comparison 38, 227feedback requested 9Field Catalog 120fingerprint credentialsdeleting 203enrolling 184fingerprint enrollmet, defined 17fingerprint icon 154fingerprint identification, defined 17Fingerprint is allowed to unlock the smart cardsetting 244fingerprint logon retraining 269fingerprint PIN, delete/reset 105fingerprint PIN, resetting 105, 255fingerprint PINs, changing 192fingerprint PINs, using 17, 191fingerprint prompt feedback 182Fingerprint readers 28fingerprint recognition feedback 182Fingerprint Recognition setting 244Fingerprint Recognition settings 91fingerprint scan acquisition feedback 182fingerprint template, defined 17fingerprint templatesdefined 16registration template 17Fingerprint Verification Lockout setting 89fingerprint verification, defined 17Fingerprint/Credentials Management 171Force Authentication On Server setting 246Force Authentication on Server setting 100Ggetting license in<strong>for</strong>mation 111ghosting 21GPOimplementation guidelines 44Group Policy 12HHelp menu item 179, 181Hide Icon menu item 181High Encryption, installing 259IID Server Add-0n Module 30, 262identification list 189defined 18overview 207identification list size 51imaging 21implementation guidelines 44improving per<strong>for</strong>mance 59Increasing storage used <strong>for</strong> Secrets 254installation scenario 225installingAdministrative Templates 43, 46Microsoft Windows 2000 High Encryption(128-bit) Capability 259<strong>Pro</strong> Server 42<strong>Pro</strong> Workstation software 62Workstation Template locally 46installing 
Citrix support after <strong>DigitalPersona</strong><strong>Pro</strong> client installation 255installing High Encryption 259installing license files 112Installing <strong>Pro</strong> Kiosk 73installing <strong>Pro</strong> Kiosk 75Kkey concepts<strong>DigitalPersona</strong> <strong>Pro</strong> <strong>for</strong> <strong>Active</strong> <strong>Directory</strong> <strong>Administrator</strong> <strong>Guide</strong> 273


IndexL - Oauthentication 16cached credentials 190fingerprint enrollment 17fingerprint identification 17fingerprint templates 16fingerprint verification 17identification list 189Kiosk 25, 27kiosk computer, defined 18Kiosk Installation on Citrix PresentationServer 75kiosk permissions 53Kiosk Server Settings 90Kiosk settings 100Kiosk Unlock Scripting 266kiosk user, defined 19Kiosk Workstation Shared AccountSettings 100Kiosk Workstation Shared Account Settingssetting 244, 246kiosk, defined 18Kiosk-Specific Settings 246Llicenseinstalling 112UALs 113uninstalling 113view details 112License Control Manager 110license management event 173licensing model 110list of Administration Tools 108local installation of <strong>Pro</strong> Workstation 61Lock Computer menu item 180locked account 104locking a computer 194Log Events policy setting 84logging events 51logging on to kiosks 212logging on to programs 216Logon Screen Actions, manual selections 130Logon Screen <strong>Pro</strong>perties options 126Logon Screen Template, manual options 134Mmanual DNS registration 58Maximum Number of Enrolled FingerprintsPer User setting 92, 244Maximum Size of Identification Listsetting 96, 244Microsoft Windows 2000 High Encryption(128-bit) Capabilityinstalling 259modifyingDNS Priority setting 59Multi-credential logon settings 233Multi-credential Logon to Windowssetting 96Multi-credential logon to Windowssetting 244OOne Touch Internet 19, 24, 26One Touch Internet, defined 19One Touch Logon 24, 25Cached Credentials 189changing Windows password with 204Identification List 189overview 24, 25One Touch MenuHelp 179<strong>Pro</strong>perties 179Quick Links 178One Touch SignOn 19, 24, 25changing passwords 156creating templates manually 127deploying templates 149logging on 154overview 24, 25, 117settings 99, 152One Touch Unlock 194online help 9Organizational Units 13<strong>DigitalPersona</strong> <strong>Pro</strong> <strong>for</strong> <strong>Active</strong> <strong>Directory</strong> 
<strong>Administrator</strong> <strong>Guide</strong> 274


Index: P - Q

OTS Administration Tool
    containers 119
    Field Catalogs 120
    setup 118
OTS Templates
    creating automatic 122
    creating manual 127
OTS templates 51

P

Password is not allowed for logon 245
Password is not allowed for logon setting 97
Path to the container of templates setting 99, 153, 245
PIN is required when a fingerprint is provided setting 97, 245
Planning & Deployment 223
planning overview 225
Policies container 55
policy settings
    Account Lockout 89
    False Accept Rate 91
    Log Events 84
    Max Size of Ident. List 96
    Maximum Number of Fingers... 92
    Multi-credential Logon 96
    Use Remote Authentication Server 95
Prevent users from logging on outside of a Kiosk session setting 100, 246
Priority Set in BAS Locator DNS SRV Records setting 86, 245
Pro ID Server Add-on Module 30
Pro Kiosk
    system requirements 73
Pro Kiosk for ID Server 263
Pro Kiosk, installing 78
Pro Server
    Active Directory containers 55
    installation overview 36
    installing software 42
    overview 23
    published information 56
    uninstalling 59
Pro Server GPO settings
    identification list size for kiosks 51
    logging kiosk events 51
    OTS templates 51
Pro Workstation
    custom installation 72
    installing 72
    locking 194
    system requirements 61
Product Compatibility 32
product components and modules 22
Product GUID property 56
Product Name 56
Product Version High property 56
Product Version Low property 56
Product Version Number property 56
Properties menu item 179
property settings
    Cache User Credentials on the Workstation 95
providing multiple credentials 156
published information 56
    Authentication Server Object Name property 56
    keywords 56
    Product GUID property 56
    Product Name 56
    Product Version High property 56
    Product Version Low property 56
    Product Version Number 56
    Schema Version Number property 56
    Service Class GUID property 56
    Service Class Name property 56
    Service Principal Name property 56
    Vendor Name property 56

Q

query users 158
Quick Link 126
Quick Links menu item 178


Index: R - S

R

Randomize user's Windows password setting 245
reader
    cleaning 205
    touching 205
    troubleshooting 248
reader icon, indicating connectivity status 180
reader menu
    Help 181
    Hide Icon 181
    Lock Computer 180
    Properties 181
recommended skill set 8
Refresh Interval of BAS Locator DNS Records setting 85, 245
Register BAS Locator DNS SRV Record for Domain setting 88, 245
registration template, defined 17
registry settings, workstation 256
Regulatory Information 260
Related Products 34
Remote Access 26
remote access 24, 93
remote installation of Pro Workstation 65
removing Pro data 163
required software & hardware 228
Requires Retraining column 269
requisite knowledge 8
Reset account lockout counter after setting 89, 245
reset Fingerprint PIN 192
resetting a fingerprint PIN 255
resetting the fingerprint PIN 105
running an interactive query 159
Running User Query Tool from the command line 159

S

schema
    Active Directory Schema Extension Wizard 39
    details 36, 39
    extending 39
Schema Version Number property 56
scripting, Kiosk unlock 266, 269
SDK 34
Service Class GUID property 56
Service Class Name property 56
Service Configuration Container Name 56
Service Principal Name property 56
Service Resource Records 20
    _uareupro SRV RR 57
    adding manually 59
    format 57
Service Version Object Name 56
settings
    categories 80
settings, location 80
Shared Accounts, specifying 52
Show clear text passwords setting 99, 153, 245
Show fingerprint icon on the taskbar setting 98, 245
Show One Touch Menu upon fingerprint validation setting 98, 245
Show Reader icon on the taskbar property 202
Sites Covered by BAS Locator DNS SRV Records setting 87, 245
Size of the Identification List for Kiosks setting 90, 245
Size of the identification list for Kiosks setting 247
smart cards, using for logon 193
specifying Shared Accounts 52
start menu 220
stronger security settings 235
support 9
    during evaluation 224
    online help 9
    Professional Services 224
    readme file 9
    technical 224
SRV RR 20


Index: T - W

swipe readers 28
system requirements 31
    Pro Kiosk 73
    Pro Workstation 61

T

template compatibility 156
Templates
    finding 147
templates
    deleting 149
    deploying 149
    editing 148
    finding fields in 148
    finding redundant 148
    managing 147
    setting container path to 150
Terminal Services 93
to remove user credential data 106
to unlock a locked account 105
touching the reader 205
Transform files 66
two-factor authentication 156
typographic conventions 7

U

U.are.U Fingerprint Reader 229
uninstalling
    Pro Server 59
    Pro software remotely 65
    Pro Workstation 72
uninstalling Pro Kiosk 78
Unlock with Shared Account Credentials setting 101, 246
unlocking kiosks 214
unlocking locked accounts 104
upgrading from Previous Versions 36
Use DigitalPersona Pro Server for authentication setting 95, 246
Use Remote Authentication Server policy setting 95
User Authentication Licenses 113
User Context Menu commands 105
user credential data, remove 106
User must provide a fingerprint to log on setting 97, 104, 246
User must type a PIN when providing a fingerprint to log on setting 104, 246
User Policies
    Basic 102
    User Properties 101, 102
    Extended 103
User provides only Windows credentials to log on setting 246
User Query Tool 158
    parameters 159
    run from script 162
users, attended registration 114
users, switching 219
using
    attended registration 114
    fingerprint PINs 17, 191
    One Touch Logon 212
    One Touch Unlock 214
    smart cards 193
using Pro Cleanup Wizard 163

V

Vendor Name
    published information property 56
view license details 112

W

Weight Set in BAS Locator DNS SRV Records setting 86, 246
Windows Administration Pack 101
Windows Event Viewer 84
Windows Logon Policies 230
Windows Registry 256
workstation only installation 226
Workstation Properties settings 98
Workstation User Properties 101
