NetIQ Client Login Extension 4.2 Administration Guide

September 2017
Legal Notice
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government
rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.
Copyright © 2017 NetIQ Corporation. All Rights Reserved.
About this Book and the Library
The Client Login Extension Administrator Guide provides information about using the Client Login
Extension to provide password self-service functionality.
Intended Audience
This guide is intended for administrators, consultants, and network engineers who require a high-level
introduction to Identity Manager business solutions, technologies, and tools.
Contents
About this Book and the Library 3
About NetIQ Corporation 7
1 Understanding the Client Login Extension 9
2 System Requirements 11
    Supported Client Login Programs 11
    Supported Windows Client Versions 11
    Supported Windows Server Versions 11
    Supported Browsers 11
    Supported Identity Manager Versions 12
    Supported .NET Framework Versions 12
    Supported NetIQ SecureLogin Versions 12
    Supported NetIQ Self Service Password Reset Versions 12
3 Preliminary Tasks 13
    Configuring NetIQ Self Service Password Reset (SSPR) 13
        Configuring SSPR for the Client Login Extension Integration 13
        Configuring SSPR for Enabling Password Expiration Warning 13
4 Configuring Client Login Extension Configuration Utility 15
    Enrolling Challenge Responses in SSPR 18
    Localizing Client Login Extension Files for Other Languages 18
5 Installing the Client Login Extension 21
6 Using Emergency Access 23
    Prerequisites 23
    Configuring Emergency Access 23
    Using the Emergency Access Feature 24
7 Installing the Client Login Extension MSI File 25
    Installing the Extension 25
    Using the Client Login Extension Installer Command Line Options 25
8 Using the Forgotten Password Feature 27
    Configuring SSPR for Forgotten Password 27
    Accessing the Forgotten Password 27
    Troubleshooting the Forgotten Password feature 29
    Changing Password Through SSPR 29
9 Upgrading the Client Login Extension 31
10 Troubleshooting 33
    Using Forgotten Password 33
    Generating Log Files 33
    Connecting to the Internet on Windows 7 (32-bit) Through a Proxy Server 34
    Logging into the Computer if Restricted Browser is Minimized 34
    Accessing the Windows Input Method Editor on Non-English Computers 34
About NetIQ Corporation
We are a global, enterprise software company, with a focus on the three persistent challenges in your
environment: Change, complexity and risk—and how we can help you control them.
Our Viewpoint
Adapting to change and managing complexity and risk are nothing new
In fact, of all the challenges you face, these are perhaps the most prominent variables that deny
you the control you need to securely measure, monitor, and manage your physical, virtual, and
cloud computing environments.
Enabling critical business services, better and faster
We believe that providing as much control as possible to IT organizations is the only way to
enable timelier and cost effective delivery of services. Persistent pressures like change and
complexity will only continue to increase as organizations continue to change and the
technologies needed to manage them become inherently more complex.
Our Philosophy
Selling intelligent solutions, not just software
In order to provide reliable control, we first make sure we understand the real-world scenarios in
which IT organizations like yours operate — day in and day out. That's the only way we can
develop practical, intelligent IT solutions that successfully yield proven, measurable results. And
that's so much more rewarding than simply selling software.
Driving your success is our passion
We place your success at the heart of how we do business. From product inception to
deployment, we understand that you need IT solutions that work well and integrate seamlessly
with your existing investments; you need ongoing support and training post-deployment; and you
need someone that is truly easy to work with — for a change. Ultimately, when you succeed, we
all succeed.
Our Solutions
• Identity & Access Governance
• Access Management
• Security Management
• Systems & Application Management
• Workload Management
• Service Management
Contacting Sales Support
For questions about products, pricing, and capabilities, contact your local partner. If you cannot
contact your partner, contact our Sales Support team.
Worldwide:
www.netiq.com/about_netiq/officelocations.asp
United States and Canada:
1-888-323-6768
Email:
info@netiq.com
Web Site:
www.netiq.com
Contacting Technical Support
For specific product issues, contact our Technical Support team.
Worldwide:
www.netiq.com/support/contactinfo.asp
North and South America:
1-713-418-5555
Europe, Middle East, and Africa:
+353 (0) 91-782 677
Email:
support@netiq.com
Web Site:
www.netiq.com/support
Contacting Documentation Support
Our goal is to provide documentation that meets your needs. If you have suggestions for
improvements, click Add Comment at the bottom of any page in the HTML versions of the
documentation posted at www.netiq.com/documentation. You can also email DocumentationFeedback@netiq.com. We value your input and look forward to hearing from you.
Contacting the Online User Community
Qmunity, the NetIQ online community, is a collaborative network connecting you to your peers and
NetIQ experts. By providing more immediate information, useful links to helpful resources, and
access to NetIQ experts, Qmunity helps ensure you are mastering the knowledge you need to realize
the full potential of IT investments upon which you rely. For more information, visit http://community.netiq.com.
1 Understanding the Client Login Extension
The Client Login Extension facilitates password self-service by adding a link to the Windows login
screen. When users click the Forgot Password link in their login client, the Client Login Extension
launches a restricted browser to access the Password Self-Service feature on the login clients. This
feature assists in reducing help desk calls from people who forget their passwords.
Credential Provider Support
Password recovery support is available for graphical authentication interfaces such as Credential
Provider for LDAP clients and Client for Open Enterprise Server. In the absence of these clients, the
password recovery support is provided by the default Microsoft Credential Provider implemented by
the Client Login Extension.
The Client Login Extension provides a credential provider filter component that filters out any existing
credential provider on the user's system. If the Client for Open Enterprise Server or SecureLogin credential
provider is present, the filter hides the credential provider supplied by the Client Login Extension itself.
Desktop Automation Services
Password recovery support through the Client Login Extension tool is also available for locked
workstations and for workstations in which user operations are controlled by Desktop Automation
Services (DAS).
Configuring the Password Self-Service Feature
The Administrator runs the Client Login Extension Configuration Utility and provides registry entries
for the MSI file. The registry entries for the MSI file include a welcome note, text to be shown as a link,
URL of the target server, and other required options. The entered values are displayed as fields on
the restricted password self-service browser. The user who forgot the password should provide the
required values in the self-service browser and retrieve the forgotten password.
The Client Login Extension supports the Self Service Password Reset (SSPR) application. For
information on installing and configuring the SSPR application, see NetIQ Self Service Password
Reset 4.2 Administration Guide.
Running the Client Login Extension Configuration Utility configures the Client Login Extension MSI file,
which you then install on client workstations running the Client for Open Enterprise Server software,
NetIQ SecureLogin, or the Microsoft Credential Provider.
The Client Login Extension MSI files are available in a number of different languages. You must
configure the Client Login Extension file for each language, including English, before it can be used.
The Client Login Extension Configuration utility allows the system administrator to specify the
following configuration information for the Client Login Extension MSI file:
• Set the URL for password self-service.
• Specify a customized message for the Emergency Access page.
• For NetIQ SecureLogin versions 8.1, 8.5 or later, include text (such as “Forgotten
Password”) for the link to password self-service.
NOTE: The Client Login Extension works with NetIQ SecureLogin versions 8.1, 8.5 or later, NetIQ
Identity Manager and Client for Open Enterprise Server 2 SP4 or later. This utility does not work with
any application that alters Microsoft Credential Provider, except the Client for Open Enterprise Server
2 SP4 or later. The Client Login Extension has been tested for use on licensed NetIQ Identity
Manager 4.5 and later systems.
The remaining sections in this guide step you through installing and using the Client Login Extension
Configuration utility to configure the Client Login Extension MSI files. The instructions for using the
Client Login Extension MSI files are also included.
2 System Requirements
Ensure that the following requirements are met by the system where you will install the Client Login
Extension.
• “Supported Client Login Programs” on page 11
• “Supported Windows Client Versions” on page 11
• “Supported Windows Server Versions” on page 11
• “Supported Browsers” on page 11
• “Supported Identity Manager Versions” on page 12
• “Supported .NET Framework Versions” on page 12
• “Supported NetIQ SecureLogin Versions” on page 12
• “Supported NetIQ Self Service Password Reset Versions” on page 12
Supported Client Login Programs
• Client for Open Enterprise Server 2 SP4
Supported Windows Client Versions
You can use the Client Login Extension with the following Windows versions:
• Windows 10 (32-bit and 64-bit)
• Windows 8.1 (32-bit and 64-bit)
• Windows 7 SP1 (32-bit and 64-bit)
Supported Windows Server Versions
You can use the Client Login Extension with the following Windows servers:
• Windows 2016
• Windows 2012 R2
• Windows 2008 R2 SP1
Supported Browsers
You can use the Client Login Extension in the following browser:
• Internet Explorer 11
Supported Identity Manager Versions
You can use the Client Login Extension with the following Identity Manager versions:
• Identity Manager 4.5.x and later
Supported .NET Framework Versions
You can use the Client Login Extension with the following .NET Framework versions:
• .NET 4.0 and later
Supported NetIQ SecureLogin Versions
You can use the Client Login Extension with the following SecureLogin versions:
• NetIQ SecureLogin 8.1, 8.5 and later
Supported NetIQ Self Service Password Reset Versions
You can use the Client Login Extension with the following Self Service Password Reset versions:
• NetIQ Self Service Password Reset 4.1 and 4.2
3 Preliminary Tasks
Before running the NetIQ Client Login Extension, you must install Self Service Password Reset. For
the supported versions of Self Service Password Reset, see “Supported NetIQ Self Service
Password Reset Versions” on page 12. If you are using Identity Manager (IDM), you need a working
Identity Manager system (for example, Identity Manager 4.5 or later) with the User Application
configured correctly to enable the Password Self-Service feature. For information on installing
Identity Manager and the User Application, see the Identity Manager Setup Guide
(https://www.netiq.com/documentation/idm45/setup_guide/data/front.html).
Configuring NetIQ Self Service Password Reset (SSPR)
You must configure the following settings in SSPR to enable the Challenge Response Force
Enrollment and the Password Expiration Notification features.
NOTE: SSPR integration features are only supported in Active Directory environments.
• “Configuring SSPR for the Client Login Extension Integration” on page 13
• “Configuring SSPR for Enabling Password Expiration Warning” on page 13
Configuring SSPR for the Client Login Extension Integration
Launch SSPR and, on the Configuration Editor page, click Settings > Web Services > REST Services. For
information about configuring the settings for REST Services, refer to Configuring External Web
Services with REST. You must configure all the settings that are available for REST Services.
Configuring SSPR for Enabling Password Expiration Warning
Launch SSPR and, on the Configuration Editor page, click LDAP > Active Directory > Allow
Authentication When Password Expired.
4 Configuring Client Login Extension Configuration Utility
Using the Client Login Extension Configuration utility, you can configure the Client Login Extension
MSI files for installing the Extension. These MSI files are used to install the Client Login Extension on
Windows workstations.
The Client Login Extension MSI files are available in a number of different languages. You must
configure the Client Login Extension file for each language, including English, before it can be used.
The Client Login Extension Configuration utility is available in the <CD_ROOT>/CLE folder. Here,
CD_ROOT refers to the location where the Client Login Extension Installer files are extracted.
To configure the Client Login Extension Configuration Utility:
1 Double-click the ClientLoginExtensionConfigurationUtility.exe file, which is provided as
part of the Client Login Extension installer, to launch the utility.
2 Read the license agreement and click I Agree, if you agree. The Client Login Extension
Configuration Utility page then appears.
NOTE: The License Agreement page appears only on the first launch of the Configuration Utility.
When you launch the Configuration Utility again, the License Agreement page does not appear.
3 Path to Installer to Configure: Shows the path of the Client Login Extension installer file that is
being configured.
Click the Browse button and browse to the appropriate location where the Client Login Extension
Installer file is present. By default, the Browse button opens the CLE/Installer sub-folder.
Whenever this text box contains a path to a valid MSI file, the utility automatically opens the file,
populates the other controls with the information it contains, and enables the Configure Installer
button.
4 Welcome Text for Installer: Modify the information in the Welcome text or keep the information
as it is presented.
The information in the text box is displayed on the Welcome screen of the Client Login
Extension. The string [ProductName] displays as Client Login Extension 4.2.
5 Link URL: Specify the URL that the Client Login Extension restricted browser uses to connect to
the SSPR Forgotten Password page. You can use either a DNS name or an IP address. An
example of a URL using a DNS name that links to the Forgotten Password page is:
https://<server>:<port>/sspr/public/ForgottenPassword
IMPORTANT: You must have a valid URL pointing to the SSPR’s Forgotten Password page;
otherwise, the client connection might fail and you might not be able to log in through the
workstation. For more information, see “Using Forgotten Password” on page 33.
6 Link Text: Specify the text to be displayed on the link to the restricted browser that the Client
Login Extension uses.
The default text is Forgotten Password. The text for this button in Client for Open Enterprise
Server cannot be changed here.
7 (Optional) Enable SSPR Configurations: This option allows you to enable the configurations for
Self Service Password Reset and Emergency Access.
If you select this option, Change Password through SSPR, Challenge Response, Emergency
Access and EA Custom Message options are enabled.
NOTE: To enable this feature, you must have already configured SSPR, as described in
“Configuring SSPR for the Client Login Extension Integration” on page 13 and “Configuring
SSPR for Enabling Password Expiration Warning” on page 13.
8 REST URI: Specify the URI that the Client Login Extension restricted browser uses to connect to
the SSPR server by using the REST calls. You can use either a DNS name or an IP address. An
example of a URI using a DNS name is:
https://<server>:<port>/sspr/public/rest
9 (Optional) Change Password through SSPR: Select this option to enable users to change the
password through SSPR. If you do not select this option, the user can change the password
through the default Windows password change mechanism.
NOTE: Users can change the password by using SSPR or Windows password change
mechanism before or after logging in to the computer.
10 Password Policy Link Text: Specify the link text that the Client Login Extension restricted browser
uses to connect to the SSPR Password Policy page. The default text is Password Policy.
11 Challenge Response: Select the Force user for challenge response enrollment option to
prompt users to answer their challenge responses before logging in to the computer. If you do not
select this option, users can skip the challenge response prompt and proceed to log in.
NOTE: If SSPR configuration is enabled, users who have not yet enrolled in SSPR are prompted to
answer their challenge questions regardless of the value of this setting.
Force challenge response enrollment warning message: This option is enabled only if you
select Force user for challenge response enrollment. Specify the message that you want to
display when the user is prompted for force enrollment.
12 Emergency Access: Select the Enable Emergency Access option to give users temporary access
to the desktop when the network is not available, by providing the challenge responses configured
in SSPR. After you enable the Enable Emergency Access option, you can specify the other details
for emergency access, such as the following:
1. Maximum Retry Count: A numerical value that indicates the maximum number of attempts
a user is allowed for answering the challenge-response questions before getting locked
out. After the maximum number of attempts is exhausted, the Emergency Access feature
is not accessible. The default number of attempts is 3.
If you have configured a higher number of challenge-response questions for the user,
specify a higher number for the retry attempts. This helps in a situation where the user
forgets some of the answers to the challenge-response questions.
2. System Logout Time: A numerical value that indicates the number of minutes the user is
allowed to use the system in Emergency Access mode. Configure the session time so that the
user does not use the system in Emergency Access mode for extended durations. The default
time allowed is 30 minutes. When lockout is imminent, a warning is displayed in the system
tray. After the session time is exhausted, the user is automatically locked out of the system.
3. System Logout Warn Time: A numerical value that indicates the number of seconds of
warning the user gets before the session expires. The default is 30 seconds.
4. Emergency Access Login Message: This message is displayed in the system tray for users
who logged in to the desktop.
13 EA Custom Message: Type a message in the EA Challenge Response Dialog Message field. If
the network is unavailable, the text that you specify in this setting is displayed when you click
Forgotten Password. This message is displayed on all the Emergency Access dialog boxes.
14 Advance Settings: In the CLE/Proxy settings option, you can enable the following settings:
• Enable CLE tile on the logon screen: You can specify the text that you want to display on
the CLE tile and also specify the path of the image that you want to set as a logo for that tile.
If you have enabled this setting, the forgotten password link is available only on the CLE tile.
• Enable Proxy: In an environment where the Internet is not directly accessible and the Client
Login Extension needs to access it, you need to connect the Client Login Extension to a
proxy server. To connect to the proxy server, select the Enable Proxy check box and
provide the IP address and the port number of the proxy server in the Proxy Server text box.
When you do not enable the proxy server, CLE retrieves information directly from the SSPR
server and does not go through a proxy server.
In the Security Settings option, you can select the following settings:
• Allow URL redirection and forwarding: When you select this setting, the Configure button
is enabled and you can add the list of sites to whitelist.
NOTE: You can add only secured web sites to the list. To configure CLE for the Google
captcha, you must add the URL https://www.google.com to the URL Redirection list.
• Add site to trusted zone: When you select this setting, all the sites in the URL redirection
list and the site specified in Link URL are added to the Internet Explorer trusted zones.
• Enable TLS 1.2: This setting is enabled by default.
15 After all of the information is in place, click Ok on the Advance Settings page.
16 Click Configure Installer to write the new configuration settings to the selected Client Login
Extension file.
17 Click OK to close the confirmation message.
The Client Login Extension Configuration utility remains open, allowing you to configure another
Client Login Extension MSI file in a different language. To do so, click the Browse button to the
right of the Path to the Installer to Configure option, select another language, and configure
another .msi file by following Step 5 through Step 17.
The localized Client Login Extension MSI files for the more common languages are delivered
with the configuration utility in the Installers folder. You must configure each localized installer
individually.
To localize the Client Login Extension MSI files for languages other than those delivered with the
Client Login Extension, see “Localizing Client Login Extension Files for Other Languages” on
page 18.
18 Click Configure Installer.
19 To close the Client Login Extension Configuration utility window, click Exit.
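As an added example (not NetIQ's code), the following Python script models the constraints the steps above place on the utility's fields: an HTTPS Link URL that reaches the SSPR Forgotten Password page, a REST URI once SSPR configurations are enabled, a proxy given as address:port, only secured sites in the URL redirection list, TLS 1.2 left enabled, and Emergency Access values that make sense together. The dictionary keys, server names, ports and addresses are assumptions made for this example; they are not registry entries or the utility's own names.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Path of the SSPR Forgotten Password page shown in the Link URL example.
FORGOTTEN_PASSWORD_PATH = "/sspr/public/ForgottenPassword"


def is_secured_url(value: str) -> bool:
    """True only for HTTPS URLs with a host: the guide allows only secured web
    sites in the URL redirection list, and its SSPR URL examples are HTTPS."""
    parts = urlparse(value)
    return parts.scheme == "https" and bool(parts.hostname)


def parse_proxy(value: str) -> Optional[Tuple[str, int]]:
    """Parse the 'address:port' form the Proxy Server text box expects.
    Returns None when the value is malformed or the port is out of range."""
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    port_number = int(port)
    if not 1 <= port_number <= 65535:
        return None
    return host, port_number


def validate_cle_config(cfg: Dict) -> List[str]:
    """Return the problems found; an empty list means the settings follow the
    rules the Configuration Utility chapter documents. Keys are assumed names."""
    problems: List[str] = []

    link_url = cfg.get("link_url", "")
    if not is_secured_url(link_url):
        problems.append("Link URL must be an HTTPS URL with a host")
    elif urlparse(link_url).path != FORGOTTEN_PASSWORD_PATH:
        # A Link URL that does not reach the Forgotten Password page can leave
        # users unable to log in through the workstation.
        problems.append("Link URL should end with " + FORGOTTEN_PASSWORD_PATH)

    if cfg.get("enable_sspr_configurations"):
        if not is_secured_url(cfg.get("rest_uri", "")):
            problems.append("REST URI must be an HTTPS URL when SSPR configurations are enabled")
        ea = cfg.get("emergency_access", {})
        if ea.get("enabled"):
            retries = ea.get("max_retry_count", 0)
            if retries < 1:
                problems.append("Maximum Retry Count must be at least 1")
            if retries < ea.get("challenge_question_count", 0):
                problems.append("Maximum Retry Count is lower than the number of challenge questions")
            minutes = ea.get("system_logout_minutes", 0)
            warn_seconds = ea.get("logout_warn_seconds", 0)
            if minutes < 1:
                problems.append("System Logout Time must be at least 1 minute")
            if warn_seconds < 1 or warn_seconds >= minutes * 60:
                problems.append("System Logout Warn time must be shorter than the session")

    if cfg.get("enable_proxy") and parse_proxy(cfg.get("proxy_server", "")) is None:
        problems.append("Proxy Server must be given as address:port")

    if cfg.get("allow_url_redirection"):
        for site in cfg.get("url_redirection_list", []):
            if not is_secured_url(site):
                problems.append("URL redirection entry is not a secured site: " + site)

    if not cfg.get("enable_tls_1_2", True):
        problems.append("TLS 1.2 is disabled; the utility enables it by default")

    return problems


# Constructed sample settings; server names, ports and addresses are placeholders.
GOOD_CONFIG = {
    "link_url": "https://sspr.example.com:8443/sspr/public/ForgottenPassword",
    "enable_sspr_configurations": True,
    "rest_uri": "https://sspr.example.com:8443/sspr/public/rest",
    "emergency_access": {"enabled": True, "max_retry_count": 3, "challenge_question_count": 3,
                         "system_logout_minutes": 30, "logout_warn_seconds": 30},
    "enable_proxy": True,
    "proxy_server": "10.0.0.5:3128",
    "allow_url_redirection": True,
    "url_redirection_list": ["https://www.google.com"],
    "enable_tls_1_2": True,
}

BAD_CONFIG = {
    "link_url": "http://sspr.example.com/sspr/public/ForgottenPassword",  # not HTTPS
    "enable_sspr_configurations": True,
    "rest_uri": "",                                                        # missing
    "emergency_access": {"enabled": True, "max_retry_count": 0, "challenge_question_count": 5,
                         "system_logout_minutes": 30, "logout_warn_seconds": 3600},
    "enable_proxy": True,
    "proxy_server": "10.0.0.5",                                            # no port
    "allow_url_redirection": True,
    "url_redirection_list": ["http://www.google.com"],                     # not secured
    "enable_tls_1_2": False,
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, validate_cle_config(cfg) or ["ok"])
```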
Enrolling Challenge Responses in SSPR
To enroll Challenge Responses in SSPR,
1. Log in to the SSPR server by using the domain username and password.
2. Select Setup Password Responses from the main menu and specify the challenge questions.
3. Save the password responses.
Localizing Client Login Extension Files for Other Languages
To localize the Client Login Extension for languages other than those delivered with the Client Login
Extension Configuration utility, you can use Orca to directly edit the content of the MSI database
(IdentityManagerClientLoginExtension.msi).
Orca (Orca.exe) (http://msdn2.microsoft.com/en-us/library/aa370557.aspx) is a database table editor
used for creating and editing Windows Installer packages. It is available in the Windows SDK
Components for Windows Installer Developers (http://msdn2.microsoft.com/en-us/library/aa370834.aspx).
The text to be localized for IdentityManagerClientLoginExtension.msi is located in the following
table:
Table 4-1 Text You Need to Localize

Table             Column       Comments
Control           Text
Dialog            Title
Directory         DefaultDir   Put text after “|”.
Launch Condition  Description
Property          Value        Only ProductName, Manufacturer, ARPCONTACT, and VSDVERSIONMSG.
Radio Button      Text
Registry          Value        Set LogFile, LinkURL, LinkText, PasswordComplexityText, and LoginExtDesc to the defaults for the configuration utility.
Shortcut          Name         Put text after “|”.
Shortcut          Description  If not Null
UIText            Text
WARNING: Translate only the user interface text. For example, do not translate text surrounded by
square brackets ([xxxx]) or text in mixed case (XxxXxxXxx). Modifying these property names and
identifiers breaks the installer.
Use the following procedure to localize the Client Login Extension MSI file to a new language:
1 Copy IdentityManagerClientLoginExtension.msi to
IdentityManagerClientLoginExtension_xx.msi, where xx identifies the new language
(locale).
2 Open IdentityManagerClientLoginExtension_xx.msi in Orca.exe, edit the tables and
columns to insert the localized text, as listed in Table 4-1 on page 18, then save and close the
file.
3 Open IdentityManagerClientLoginExtension_xx.msi with the Client Login Extension
Configuration utility (ClientLoginExtensionConfigurationUtility.exe), review the default
values, make any modifications if needed, then click Configure Installer.
NOTE: Step 3 is required, even if the default values that you set in the Registry table do not need
modification. The Client Login Extension Configuration utility makes additional changes that enable
the Client Login Extension MSI file.
5 Installing the Client Login Extension
The NetIQ Client Login Extension interacts with the NetIQ Identity Manager and NetIQ SecureLogin
applications so that the user can log in to all the defined applications and benefit from password
self-service for the NetIQ, Microsoft, and LDAP clients. The service is also available for DAS-enabled
workstations.
However, availability of the service depends on the authentication interface of the clients.
Table 5-1 Password Self-Service Support for Clients

Authentication Interface              During Operating System Login   During Operating System Lock   For DAS-Enabled Workstations
Microsoft CP                          Available                       Available                      Available
Client for Open Enterprise Server CP  Available                       Not available                  Available
LDAP CP                               Available                       Available                      Available
You install the Client Login Extension, the SecureLogin applications, and Emergency Access on the
systems in which the password self-service feature is required.
NOTE: In order to set up the password self-service for Client for Open Enterprise Server, install Client
for Open Enterprise Server before installing the Client Login Extension. For other clients, you can
follow any installation sequence.
Prerequisites
You must configure the Client Login Extension Configuration utility before installing the Client Login
Extension. For the steps to configure the Client Login Extension Configuration utility, see Chapter 4,
“Configuring Client Login Extension Configuration Utility,” on page 15.
To install the Client Login Extension:
1 From the CLE/Installer directory, run the appropriate Windows installer based on platform and
language. Inside the folders CLE/Installer/x64 and CLE/Installer/x86, you can find the
following installers based on language:
• IdentityManagerClientLoginExtension_en (English, default)
• IdentityManagerClientLoginExtension_de (German)
• IdentityManagerClientLoginExtension_es (Spanish)
• IdentityManagerClientLoginExtension_fr (French)
• IdentityManagerClientLoginExtension_it (Italian)
• IdentityManagerClientLoginExtension_ja (Japanese)
• IdentityManagerClientLoginExtension_cs (Chinese Mandarin)
• IdentityManagerClientLoginExtension_ct (Chinese Traditional)
• IdentityManagerClientLoginExtension_pt (Brazilian Portuguese)
For instance, if you are using a 64-bit platform in English, run the Windows installer
IdentityManagerClientLoginExtension_en from the directory CLE/Installer/x64.
2 Read the information on the initial wizard pages, then click Next.
3 Follow the on-screen prompts to install the Client Login Extension.
6 Using Emergency Access
The Emergency Access feature helps a user who has forgotten the directory password to access the
system. If a user forgets the login password to the directory, the Emergency Access feature uses the
challenge-response information from NetIQ SSPR (Self Service Password Reset) to validate the user
and grant access, even if the user is not connected to the network. If the answers to the
challenge-response questions are correct, the user is allowed access to the workstation.
To use the Emergency Access feature, the user must be part of an Active Directory domain.
When the user clicks the Forgotten Password link, the Credential Provider checks the SSPR server
availability. If the SSPR server is reachable, a Restricted Browser is displayed. If the SSPR server is
not reachable, a set of challenge-response questions is displayed. When all the questions are
answered, the user can log in to the workstation for a specific time.
For more information, see the Self Service Password Reset documentation
(https://www.netiq.com/documentation/self-service-password-reset/).
• “Prerequisites” on page 23
• “Configuring Emergency Access” on page 23
• “Using the Emergency Access Feature” on page 24
Prerequisites
• Ensure that the user is part of an Active Directory domain.
• (Conditional) If you are using SecureLogin on Windows 8 or Windows Server 2012, install the VC++ Redistributable. To download it, go to the Microsoft Download Center (http://www.microsoft.com/en-in/download/details.aspx?id=30679) and select the executable for your platform. For instance, for a 64-bit platform download vcredist_x64.exe.
NOTE: vcredist_arm.exe is not supported on SecureLogin.
• Ensure that SSPR is installed and the security questions are set up for the user. For information on configuring security questions, see Configuring the Setup Security Questions Module (https://www.netiq.com/documentation/self-service-password-reset-42/sspr-adminguide/data/b14go6pf.html).
• The user must complete an online login at least once before attempting to connect by using the Emergency Access feature.
Logging in online ensures that any changes to the challenge-response questions are updated in the local cache.
Configuring Emergency Access
1 Log in to the SSPR server using the domain username and password.
2 Select Setup Password Responses from the Main Menu.
3 Specify the challenge questions.
4 Save the password responses.
5 Click SSPR Configuration Editor > Settings > Web Services > REST Services > Allow Web
Services to Read Answers.
6 Select Enabled (True).
Using the Emergency Access Feature
1 Click Forgotten Password on the Windows logon page.
The Credential Provider checks the availability of the SSPR server. If the SSPR server is
reachable, a Restricted Browser window is launched. If the SSPR server is not reachable, the
challenge-response dialog is displayed.
2 If the challenge questions are answered correctly, the user can log in using the Emergency Access feature for a specified time.
After the specified duration expires, the user is logged out automatically.
7 Installing the Client Login Extension MSI File
The following sections provide information to help you distribute the Client Login Extension MSI file to
users:
• “Installing the Extension” on page 25
• “Using the Client Login Extension Installer Command Line Options” on page 25
Installing the Extension
With the Client Login Extension MSI file configured, you can distribute the
IdentityManagerClientLoginExtension_xx.msi file (or its distribution name) to users or to a
distribution mechanism. The xx identifies the language (locale). You can choose the
IdentityManagerClientLoginExtension_xx.msi file from the location CLE\Installer\x64 or
CLE\Installer\x86 based on the platform.
1 Double-click the IdentityManagerClientLoginExtension_xx.msi file to launch the Client
Login Extension welcome page.
For startup options you can use when launching the Client Login Extension MSI file, see “Using the Client Login Extension Installer Command Line Options” on page 25.
The welcome message is the same text that you provided in the Client Login Extension
Configuration utility.
2 Click Next to start the installation.
3 After the Client Login Extension is installed, click Close.
Using the Client Login Extension Installer Command Line Options
The Client Login Extension MSI file is a standard MSI installer. It can be used with any of the standard Msiexec.exe command line options, which are documented on MSDN (http://msdn2.microsoft.com/en-us/library/aa367988.aspx). Some examples are shown below.
To install the Client Login Extension MSI file with no user interface, specify the following at the
command line:
msiexec /i IdentityManagerClientLoginExtension_en.msi /q
or
IdentityManagerClientLoginExtension_en.msi /q
To install with no user interface except for a modal dialog box displayed at the end, specify:
msiexec /i IdentityManagerClientLoginExtension_en.msi /qn+
or
IdentityManagerClientLoginExtension_en.msi /qn+
To uninstall with no user interface, specify:
msiexec /x IdentityManagerClientLoginExtension_en.msi /q
To uninstall with no user interface except for a modal dialog box displayed at the end, specify:
msiexec /x IdentityManagerClientLoginExtension_en.msi /qn+
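As an added example (not from the NetIQ guide), the following PowerShell script wraps the silent install shown above for use from a deployment tool: it optionally compares the package against the SHA-256 hash you recorded when you produced it with the Configuration utility, writes a verbose msiexec log, suppresses reboots, and maps the exit codes that count as success. The MSI file name is the English installer from the guide; the log path, the use of C:\Temp and the hash parameter are assumptions.

```powershell
# Added example, not part of the NetIQ guide. Silent deployment of the Client
# Login Extension MSI with an optional hash check, verbose log and exit-code handling.
# Assumed: the MSI sits in the current directory and C:\Temp exists.
param(
    [string]$MsiPath = '.\IdentityManagerClientLoginExtension_en.msi',
    [string]$LogPath = 'C:\Temp\CLE-install.log',
    [string]$ExpectedSha256 = ''   # placeholder: hash of the package you built and approved
)

function Install-ClientLoginExtension {
    param(
        [Parameter(Mandatory)][string]$Msi,
        [Parameter(Mandatory)][string]$Log,
        [string]$Sha256
    )

    if (-not (Test-Path -LiteralPath $Msi)) {
        throw "MSI not found: $Msi"
    }
    # msiexec is started as a separate process, so hand it a full path.
    $msiFull = (Resolve-Path -LiteralPath $Msi).Path

    # The Configuration utility customizes the MSI, so verify the file against the
    # hash of the approved package rather than a vendor signature.
    if ($Sha256) {
        $actual = (Get-FileHash -LiteralPath $msiFull -Algorithm SHA256).Hash
        if ($actual -ne $Sha256) {
            throw "Refusing to install: SHA-256 $actual does not match the approved package"
        }
    } else {
        Write-Warning 'No expected hash supplied; the package was not verified.'
    }

    # /qn        no user interface (the guide's /q)
    # /norestart never reboot a workstation from the deployment script
    # /l*v       verbose log, the first thing to read when a rollout fails
    $msiArgs = @('/i', "`"$msiFull`"", '/qn', '/norestart', '/l*v', "`"$Log`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    switch ($proc.ExitCode) {
        0    { return 'Installed' }
        3010 { return 'Installed, reboot required' }    # ERROR_SUCCESS_REBOOT_REQUIRED
        1641 { return 'Installed, reboot initiated' }   # ERROR_SUCCESS_REBOOT_INITIATED
        default { throw "msiexec exited with $($proc.ExitCode); see $Log" }
    }
}

Install-ClientLoginExtension -Msi $MsiPath -Log $LogPath -Sha256 $ExpectedSha256
```

Run it from an elevated PowerShell session; the same function uninstalls if you change `/i` to `/x`, which matches the guide's `msiexec /x ... /q` form.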
8 Using the Forgotten Password Feature
The following sections explain how to use the Forgotten Password feature in Client for Open
Enterprise Server:
• “Configuring SSPR for Forgotten Password” on page 27
• “Accessing the Forgotten Password” on page 27
• “Troubleshooting the Forgotten Password feature” on page 29
• “Changing Password Through SSPR” on page 29
Configuring SSPR for Forgotten Password
You can allow users to use challenge-response or a one-time password during the forgotten password process. To use either of these verification methods, you must configure the SSPR settings. For more information about configuring forgotten password settings, see Configuring Forgotten Password Module (https://www.netiq.com/documentation/self-service-password-reset-42/sspr-adminguide/data/b1ggnqpg.html).
Client Login Extension now supports more secure hashing methods. The responses are stored hashed with PBKDF2WithHmacSHA512. By default, SSPR 4.2 uses the PBKDF2WithHmacSHA512 hashing method.
Accessing the Forgotten Password
You can access the forgotten password link after running the Client Login Extension MSI file on a
supported Windows version, or on workstations running the Client for Open Enterprise Server 2 SP4.
See Chapter 3, “Preliminary Tasks,” on page 13 to ensure that you have all the information in place
for Password Self-Service to work.
NOTE: The integration features of Self Service Password Reset are not supported in the Client for Open Enterprise Server environment.
Users who have Client for Open Enterprise Server running on their computer must perform the following to access the forgotten password:
1 If you forget your password, click the Did you forget your password? link in Client for Open
Enterprise Server.
Clicking the Did you forget your password? link launches a restricted browser that can only go
to the URL designated in the Client Login Extension Configuration utility. The restricted browser
performs the following tasks:
• Verifies that the protocol is HTTPS
• Validates the hostname
• Verifies that the target Web site is operating in the Internet Explorer restricted sites zone
• Disables hotkeys
• Disables tabs
• Disables right-clicking
• Disables ActiveX
• Disables scripts
• Runs in its own process, separate from the Winlogon process.
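As an added example (not from the NetIQ guide and not the restricted browser's own code), the following PowerShell function performs the first two checks in the list above, HTTPS scheme and hostname, on a URL before you enter it in the Client Login Extension Configuration utility, so a misconfigured URL is caught before users hit "Page Not Found" at the logon screen. The allowed hostname sspr.example.com and the sample URLs are constructed values.

```powershell
# Added example, not part of the NetIQ guide. Pre-flight check of a Forgotten
# Password URL: absolute, HTTPS, and a hostname from an explicit allow list.
function Test-ForgottenPasswordUrl {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string[]]$AllowedHosts = @('sspr.example.com')   # constructed sample value
    )

    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Url = $Url; Ok = $false; Reason = 'not an absolute URL' }
    }
    if ($uri.Scheme -ne 'https') {
        return [pscustomobject]@{ Url = $Url; Ok = $false; Reason = "scheme is $($uri.Scheme), not https" }
    }
    # Compare the parsed host exactly. A substring or wildcard match would accept
    # a hostname that merely begins with the expected one.
    if ($AllowedHosts -notcontains $uri.Host.ToLowerInvariant()) {
        return [pscustomobject]@{ Url = $Url; Ok = $false; Reason = "host $($uri.Host) is not in the allow list" }
    }
    [pscustomobject]@{ Url = $Url; Ok = $true; Reason = 'ok' }
}

# Constructed sample inputs: one acceptable URL and two that the checks reject.
@(
    'https://sspr.example.com/sspr/public/forgottenpassword',
    'http://sspr.example.com/sspr/public/forgottenpassword',
    'https://sspr.example.com.other.example/sspr/public/forgottenpassword'
) | ForEach-Object { Test-ForgottenPasswordUrl -Url $_ } | Format-Table -AutoSize
```

The restricted browser's remaining checks (Internet Explorer restricted sites zone, disabled scripting and ActiveX) are enforced at run time and are not something a URL check can confirm in advance.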
2 After the restricted browser connects to the Forgotten Password page, you see the Identity
Manager Forgot Password dialog box. Type your login name, then click Submit.
What you see in the Identity Manager Forgot Password dialog box depends on how the system
administrator has set up the Forgotten Password option. You can see a hint, have your hint and
password sent as an e-mail to you, or you can be allowed to change your password. You can
also be provided with challenge questions.
For this example, the user is provided with a challenge question and hint.
3 Type your response to the questions, then click Submit.
The number of response questions and what they say is configurable by the system
administrator.
If you do not answer the questions correctly, you see a Challenge Response failed message and
are presented with the questions again.
4 After the response questions are answered correctly, you are presented with the password hint,
depending on how the system administrator has configured password self-service.
Use the hint to remember your password. If you still cannot remember your password, contact
your system administrator.
5 Close the browser window.
Users who do not have Client for Open Enterprise Server running on their computer are redirected directly to the SSPR page, where they must answer the challenge-response questions to retrieve their password. For more information about the Forgotten Password feature in SSPR, see Configuring Forgotten Password (https://www.netiq.com/documentation/self-service-password-reset-42/sspr-adminguide/data/b1ggnqpg.html) in the SSPR Administration Guide.
Troubleshooting the Forgotten Password feature
For information about troubleshooting Forgotten Password, see “Using Forgotten Password” on
page 33.
Changing Password Through SSPR
Client Login Extension facilitates changing users' domain passwords through SSPR. When a user presses Ctrl+Alt+Del, the Change a Password option is displayed, from which the user can initiate a password change.
If the Change password through SSPR option is enabled in the Client Login Extension Configuration
utility, the Client Login Extension routes the password change request to SSPR.
9 Upgrading the Client Login Extension
You can upgrade Client Login Extension from the versions 3.9 and 3.10 to 4.2. Perform Step 2 before
you upgrade Client Login Extension from the versions 3.9 and 3.10 to 4.2.
NOTE: For upgrading from older versions of Client Login Extension, such as 3.7 and 3.8, you need to
uninstall the older version of Client Login Extension and install Client Login Extension 4.2.
To upgrade Client Login Extension, perform the following:
1 Extract the downloaded Client Login Extension 4.2 installer file and run the
ClientLoginExtensionConfigurationUtility.exe executable to launch the Configuration
Utility.
2 Configure the required installer using the Client Login Extension Configuration Utility. For more information, see Chapter 4, “Configuring Client Login Extension Configuration Utility,” on page 15.
3 Run the appropriate Client Login Extension Installer based on language and platform from the
extracted folder CLE/Installer.
4 Follow the on-screen prompts and install Client Login Extension 4.2.
After installation of Client Login Extension 4.2, all the Client Login Extension installer files are
replaced with the latest Client Login Extension installer files. However, the older version of Client
Login Extension Configuration Utility installer files are not removed. You can remove the older
Client Login Configuration Utility installer file from the Control Panel, if required.
10 Troubleshooting
This chapter includes the following sections:
• “Using Forgotten Password” on page 33
• “Generating Log Files” on page 33
• “Connecting to the Internet on Windows 7 (32-bit) Through a Proxy Server” on page 34
• “Logging into the Computer if Restricted Browser is Minimized” on page 34
• “Accessing the Windows Input Method Editor on Non-English Computers” on page 34
Using Forgotten Password
Keep in mind the following information as you use the Forgotten Password feature:
• If your system administrator allows you to change your password through this process, it can take up to 15 minutes or longer before all changes are in place throughout the network. Be patient before contacting your system administrator.
• For those using Client for Open Enterprise Server and already logged in to the network, if you right-click the tray icon of Client for Open Enterprise Server in the taskbar, select NetWare Login, then select the Did you forget your password? link, the restricted browser is not launched. The Client Login Extension applies only when you have not logged in.
• If the server running the Identity Manager User Application is down and you select the Did you forget your password? link, you receive the message An error has occurred in red on the initial page of the restricted browser. Contact your system administrator.
• If the server running the Identity Manager external WAR is down and you select the Did you forget your password? link, you receive the message Page Not Found on the initial page of the restricted browser. Contact your system administrator.
• If the URL to the Identity Manager Forgot Password page is incorrectly configured and you select the Did you forget your password? link, you receive the message Page Not Found on the initial page of the restricted browser. Contact your system administrator.
Generating Log Files
1 On the Windows Start menu, click Start > Run to display the Run dialog box.
2 Type regedit, then click OK to open the Registry Editor.
3 Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Novell.
4 Create a new key PSS.
5 Create a new string value in the PSS folder and name the string value as LogDir.
6 Right-click LogDir and select Modify. The Edit String dialog box appears.
Value Data: Enter the directory name in which you want the log files to be created.
Example: C:\
7 Exit the Registry Editor.
8 The following log files will be generated in the specified directory:
• RestrictedBrowserDLL.log
• RestrictedBrowserEXE.log
• CLECredentialProviderdll.log
• NclePwmManager.log (if SSPR integration is enabled)
• eadebug.log (if Emergency Access is enabled)
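As an added example (not from the NetIQ guide), the following PowerShell function performs steps 3 to 6 above from a script, so the logging setting can be applied to several workstations consistently, and reads the value back from the registry to confirm what was written. The key and value names come from the guide; the directory C:\ProgramData\CLE-Logs is an assumption (the guide's own example uses C:\).

```powershell
# Added example, not part of the NetIQ guide. Creates HKLM\SOFTWARE\Novell\PSS\LogDir
# (REG_SZ) as described in steps 3 to 6 and returns the value that was written.
# Assumed: run from an elevated PowerShell; the directory name is a placeholder.
$LogDirectory = 'C:\ProgramData\CLE-Logs'

function Set-ClientLoginExtensionLogDir {
    param([Parameter(Mandatory)][string]$Directory)

    $parent = 'HKLM:\SOFTWARE\Novell'
    $key    = 'HKLM:\SOFTWARE\Novell\PSS'

    # The components write into this directory from the logon screen, so create it
    # up front; a missing directory means no log and no error message to go on.
    if (-not (Test-Path -LiteralPath $Directory)) {
        New-Item -ItemType Directory -Path $Directory | Out-Null
    }

    # Steps 3 and 4: HKLM\SOFTWARE\Novell and the new PSS key beneath it.
    foreach ($path in $parent, $key) {
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path | Out-Null
        }
    }

    # Steps 5 and 6: string value LogDir = <directory>. -Force overwrites an existing value.
    New-ItemProperty -Path $key -Name 'LogDir' -Value $Directory -PropertyType String -Force | Out-Null

    # Read it back from the registry rather than echoing the input.
    (Get-ItemProperty -Path $key -Name 'LogDir').LogDir
}

Set-ClientLoginExtensionLogDir -Directory $LogDirectory
```

The same pattern with `-PropertyType DWord -Value 1` applies to the MaximizeWindow value described under “Logging into the Computer if Restricted Browser is Minimized”. Prefer a dedicated directory over the root of the system drive so the log files are easy to find, to restrict and to remove once troubleshooting is finished.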
Connecting to the Internet on Windows 7 (32-bit) Through a Proxy Server
When you attempt to connect to the Internet on Windows 7 (32-bit) through a proxy server, you are prompted for a security certificate. This is because Client Login Extension uses the System profile along with the Winlogon service. For more information about this issue, see http://support.microsoft.com/kb/2623724.
Logging into the Computer if Restricted Browser is Minimized
If an instance of a restricted browser is running and minimized, you may not be able to log in to the computer. You can perform one of the following to overcome this issue:
• Use the keyboard shortcut ALT+TAB to bring up the browser.
• Keep the restricted browser maximized by updating the registry settings.
Set the DWORD value MaximizeWindow to 1 at HKEY_LOCAL_MACHINE\SOFTWARE\NovellRestrictedBrowser to keep the restricted browser window maximized.
Accessing the Windows Input Method Editor on Non-English Computers
Windows Input Method Editor (IME) does not load if you access the SSPR Forgotten Password page
through Client Login Extension on a non-English computer. Without IME, you cannot enter text in
other languages except English. However, IME loads without errors when you access the SSPR
Forgotten Password page directly using the Web browser.
To work around this issue, use the keyboard shortcut ALT+SHIFT to change the language when the IME fails to load, and then press ALT+TILDE (~) to select any language.