
FastPass Password Manager Version 3.4.2

Windows Client Installation Guide

Windows Client Installation Guide

Status: Final Page 2 of 46

Date: October 05, 2012

Document Title: Windows Client Installation Guide
Document Classification: Public
Document Revision: H
Document Status: Final
Document Date: October 05, 2012

The specifications and information in this document are subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. This document may not be copied or distributed by any means, in whole or in part, for any reason, without the express written permission of FastPassCorp A/S.

© 2004 - 2012 FastPassCorp A/S. All rights reserved. Lyngby Hovedgade 98, 2800 Kongens Lyngby, Denmark. http://www.fastpasscorp.com/.

FastPass Password Manager is a trademark of FastPassCorp A/S. All further trademarks are the property of their respective owners.

Limited Warranty

No guarantee is given for the correctness of the information contained in this document. Please send any comments or corrections to [email protected].

Table of Contents

1. Introduction
1.1 Purpose
1.2 Audience
1.3 References
1.4 Terms
2. About FastPass Password Manager
2.1 The architecture of FastPass Password Manager
3. About the Password Manager Windows Client
3.1 Vital changes in version 3.4.2.1
3.2 Vital changes in 3.4.2.4
3.3 The architecture of Password Manager Windows Client
3.3.1 Windows XP
3.3.2 Windows Vista and Windows 7
3.4 Launch Window
3.5 Launch Link
3.6 Functional description
3.7 Enrollment Enforcement feature
3.7.1 Flow of information
3.7.2 User Interfaces of the Enrollment Enforcement Client
3.7.3 Parameter tweaking
4. Displaying Custom messages after password reset – HelpPanel Feature
5. Using Windows Client with IIS Client Certificate Mapping
5.1 Configuring the Windows Client
6. Windows Client only access
7. Security measures inside Windows Client
7.1 Url restrictions
7.2 Keyboard restrictions
7.3 Process restrictions
8. Installing the Password Manager Windows Client
8.1 Supported Platforms
8.2 Pre-requirements
8.3 Administrative privileges required
8.4 Installation using GUI
8.5 Installation using Command Line options
8.6 Installation using XML Configuration file
8.7 Post installation configuration
8.8 Running the Windows Client in a Terminal Services/Citrix environment
8.8.1 Installing
8.8.2 Setting up Citrix GINA component
9. Upgrading the Windows Client
10. Setting up the for Remote Password Reset
10.1 How it works
10.2 Preparing the Server
10.3 Preparing the Client
10.3.1 Config changes
10.3.2 Creating a script
11. Customizing the splash screen
12. Uninstalling the Password Manager Windows Client
12.1 Uninstalling from a Windows XP machine
12.2 Uninstalling from a Windows 7/Windows Vista machine
13. Appendices
13.1 Appendix A: Custom Windows Client Layout Settings for Launch Panel
13.2 Appendix B: Custom Windows Client Layout Settings for Launch Text

1. Introduction

This document covers FastPass Password Manager version 3.4.2.3. Please note that there have been changes in the installer parameters in version 3.4.1. This document also describes the changes in behavior introduced in version 3.4.2.1 of the Windows Client.

1.1 Purpose

The purpose of this document is to describe how to install the Password Manager Windows Client in a FastPass Password

Manager implementation including all configuration aspects.

1.2 Audience

The intended audience of this document is personnel responsible for administration of the Password Manager solution.

1.3 References

This document references the following documents:

None.

1.4 Terms

The following technical and product specific terms are used without further explanation throughout the document.

2. About FastPass Password Manager

FastPass Password Manager is a secure web-based solution offering self-service password operations to end-users.

Users are required to remember many more complex passwords on more systems than ever before. Research (Gartner)

suggests that 20-50% of all calls to Help Desks are related to forgotten passwords.

Built to use Active Directory as the authoritative repository, FastPass is capable of delivering almost instant ROI by

deploying in just a few hours utilizing your existing Microsoft Windows Server environment.

Introduce Self-Service

Users only need a web browser to access FastPass whether on the corporate intranet or across the internet. In addition an

easily integrated deployment via SharePoint Portal or the SAP Portal gives a secure single point of entry to all applications

and supports anonymous access for users who have forgotten their passwords.

FastPass enables self-service enrollment and password resets utilizing the same Web UI and saving directly into Active Directory technology. Captured password resets can be synchronized across multiple platforms using either FastPassCorp connector technology or other synchronization tools available in your organization (for instance Microsoft ILM2007/2).

FastPass helps reduce the workload in the Help Desk, increase end-user productivity and strengthen security

A Password Management solution from FastPassCorp will save you both time and money and at the same time increase end-user productivity (fast password retrieval), enhance service to a 24/7/365 password self-service, strengthen security through a secure password reset process and enable stronger password policies to be enforced with no additional support cost in the Help-desk.

For Executives:

• Reduce workload in Help-desk
• Make it possible for your employees to access systems even when the Help Desk is closed
• Enhance security
• Leverage past investments in Windows Server and Active Directory
• Typically ROI within 3-6 months

For Help Desk Managers:

• Remove 20-50% of calls to help desk
• Enhance logging and reporting
• Significantly lower total cost per forgotten password
• Increase employee satisfaction
• Easy implementation (from few hours to few days depending on complexity)
• Easy roll-out using automated enrollment services

For Employees:

• Extremely fast solution to a forgotten password situation
• Access to systems 24/7/365
• No need to involve other people (Help-desk, colleagues etc.)
• No barrier to comply with strict password security policies
• Simple to use

2.1 The architecture of FastPass Password Manager

The following describes and illustrates the architecture of FastPass Password Manager.

From a user perspective the Password Manager is offering web based self-service features to maintain passwords in the

enterprise. This is what is illustrated below.

Logically the Password Manager Server is built of multiple sub components each offering its own set of functions for the

total solution. The main components are listed in the table below:

Component | Description
Backend Server | Implements the control of all end-user transactions, communication to the Gateway Server, scheduled discovery of users in the domain infrastructure, control and coordination of password synchronizations, invitations of users etc.
Client Server | Implements the Web-interface for the end-users and communicates with the Backend Server.
Gateway Server | Implements access to the domain infrastructure and other Password Sync target systems.

All three main components are by default installed on the Password Manager Server and are directly configured to operate

together. A full implementation can be built on additional Client Servers and Gateway Servers. This is shown in the

illustration:

The solution is designed in a Service Oriented Architecture. All main components are implemented as web services running

on Microsoft Internet Information Server (IIS) and communications are using SOAP over HTTPS.

3. About the Password Manager Windows Client

The Password Manager Windows Client is a component that integrates with the login interfaces on different Windows

Workstation platforms and makes it possible for users to access the Password Manager solution to reset their password or

to unlock their account without being authenticated to the domain.

Windows XP integration is shown in Figure 1.

Figure 1 The Password Manager Windows Client login integration on Windows XP

Windows Vista/Windows 7 default integration is shown in Figure 2. Please note that the graphics in the upper right corner can be removed, leaving only the text under the password field.

Figure 2 The Password Manager Windows Client login integration on Windows Vista/Windows 7

The tight integration into the login interfaces helps eliminate the need for end-user education. The solution to a “forgotten

password problem” sits directly in front of the end-user.

3.1 Vital changes in version 3.4.2.1

The “Login Integration” feature from older versions has been removed and a new one has been created instead, offering better functionality and nearly the same design.

3.2 Vital changes in 3.4.2.4

FastPass Windows Client now works even if the user has locked the computer; however, this integration differs between Windows XP and Vista/Windows 7.

• Win 7: The end-user simply activates FastPass. The Windows Client GUI starts, the user can reset the password, return to the login screen, log on and continue working.
• XP: If the machine is in the locked state and the user clicks the Forgotten Password button, the user will be asked if the current logon should be terminated. (By default, members of the Administrators group cannot be unlocked; this can be changed, see the configuration description regarding this later.)

A change has been made in this version to the way the credential provider integration is done; the new way ensures easier integration with other credential providers such as Novell etc. In previous versions an icon was displayed at the Switch user screen; this has now been removed by default. Instead a clickable bitmap is placed in the upper right corner on the desktop – details and screenshots can be seen below.

3.3 The architecture of Password Manager Windows Client

The Password Manager Windows Client integrations to the login interfaces are implemented in the best possible way

allowed by the client operating systems.

3.3.1 Windows XP

On Windows XP systems the Password Manager Windows Client is implemented as a GINA extension.

What is a GINA?

When you initially press Ctrl+Alt+Del on a Windows NT system, a logon screen appears. This module is called a GINA

(Graphical Identification and Authentication). GINA is designed for securing your IT environment, so you must log on before

you can do anything else.

The two types of GINAs

• GINA filter: Adds some additional capabilities to Windows XP, but it does not authenticate the user. You can have

multiple GINA filters, as long as each GINA filter can chain to the next GINA filter. There are a number of GINA

filters, such as the Password Manager Windows Client FastPassGINA.DLL, that are available.

• GINA authenticator: Handles the user authentication. It must be the last GINA called. Most people use one of two

GINA authenticators - the Microsoft MSGINA.DLL or the Novell NWGINA.DLL.

Chaining GINAs

Unfortunately, Microsoft does not have a standard for where to store the name of the next GINA in the chain. Most third-party chaining GINAs store the next GINA to chain to in the registry. This means that if another third-party GINA is installed, it can potentially break the GINA chain.

• Windows XP loads the GINA that is indicated by this registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
• If this value is not present, Windows NT loads Microsoft's GINA, MSGINA.DLL.
• If the Password Manager Windows Client is in use, the value will be:
<SystemRootDrive>:\WINDOWS\System32\FastPassGINA.dll
• Password Manager Windows Client FastPassGINA.DLL loads the next GINA from the registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client\HookGINA
• If this registry value does not exist, then it loads Microsoft's MSGINA.DLL.
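
The chain-resolution rules above can be checked mechanically. The following PowerShell is an added example, not FastPassCorp code: it applies the guide's fallback rules to a pair of registry values and flags a broken or unexpected chain. The function names, the allow-list of expected GINA DLLs and the sample values (including othergina.dll) are assumptions made for illustration.

```powershell
# Added example (not from the FastPass guide). Registry locations are the ones
# quoted in section 3.3.1; function names, the allow-list and the sample
# values are assumptions for illustration.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$FastPassKey = 'HKLM:\SOFTWARE\FastPassCorp\Windows Client'

# Assumption: the GINA DLLs this site expects to see. Adjust to your environment.
$KnownGinas = @('msgina.dll', 'nwgina.dll', 'fastpassgina.dll')

function Get-LeafName {
    param([string]$Path)
    # Split on either separator so exported values can be checked on any host.
    return (($Path -split '[\\/]')[-1]).ToLower()
}

function Resolve-GinaChain {
    param([string]$GinaDll, [string]$HookGina)

    $chain    = @()
    $findings = @()
    $hookSet  = -not [string]::IsNullOrEmpty($HookGina)

    if ([string]::IsNullOrEmpty($GinaDll)) {
        # Guide: with no GinaDLL value, Windows loads MSGINA.DLL.
        $chain += 'MSGINA.DLL'
        if ($hookSet) {
            $findings += 'HookGINA is set but GinaDLL is absent, so FastPassGINA is not in the chain'
        }
    }
    elseif ((Get-LeafName $GinaDll) -eq 'fastpassgina.dll') {
        $chain += $GinaDll
        # Guide: with no HookGINA value, FastPassGINA loads MSGINA.DLL.
        if ($hookSet) { $chain += $HookGina } else { $chain += 'MSGINA.DLL' }
        if ($hookSet -and (Get-LeafName $HookGina) -eq 'fastpassgina.dll') {
            $findings += 'HookGINA points back at FastPassGINA, so no authenticating GINA is reached'
        }
    }
    else {
        # Another GINA holds the first position. Where it stores its own next
        # hop is vendor specific, so the chain cannot be followed further here.
        $chain += $GinaDll
        if ($hookSet) {
            $findings += 'GinaDLL does not point at FastPassGINA although HookGINA is set, so another installer took the first position'
        }
    }

    foreach ($dll in $chain) {
        if ($KnownGinas -notcontains (Get-LeafName $dll)) {
            $findings += "Unrecognised GINA in the logon path, review it: $dll"
        }
    }

    return New-Object PSObject -Property @{ Chain = $chain; Findings = $findings }
}

function Get-LiveGinaChain {
    # Read-only lookup of the two values on a Windows XP client.
    $w = Get-ItemProperty -Path $WinlogonKey -Name 'GinaDLL'  -ErrorAction SilentlyContinue
    $f = Get-ItemProperty -Path $FastPassKey -Name 'HookGINA' -ErrorAction SilentlyContinue
    return Resolve-GinaChain -GinaDll ([string]$w.GinaDLL) -HookGina ([string]$f.HookGINA)
}

# Constructed sample values (not taken from a real machine).
$fp = 'C:\WINDOWS\System32\FastPassGINA.dll'
$samples = @(
    @{ Case = 'No third-party GINA';       GinaDll = $null; HookGina = $null },
    @{ Case = 'FastPass, default chain';   GinaDll = $fp;   HookGina = $null },
    @{ Case = 'FastPass chained to Novell'; GinaDll = $fp;  HookGina = 'NWGINA.DLL' },
    @{ Case = 'FastPass chained to itself'; GinaDll = $fp;  HookGina = 'FastPassGINA.dll' },
    @{ Case = 'FastPass displaced';        GinaDll = 'C:\WINDOWS\System32\othergina.dll'; HookGina = 'MSGINA.DLL' }
)

foreach ($s in $samples) {
    $r = Resolve-GinaChain -GinaDll $s.GinaDll -HookGina $s.HookGina
    '{0}: {1}' -f $s.Case, ($r.Chain -join ' -> ')
    foreach ($finding in $r.Findings) { "  ! $finding" }
}

# On a client, run Get-LiveGinaChain to evaluate the real registry values.
```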

Unlock functionality

If a user is locked on an XP machine and the user activates the Forgot Password Button, FastPass will need to force a logoff of the current user before being able to run. After the button is activated, FastPass presents the following dialog to the end-user.

Figure 3 Asking the user whether the current user should be logged off under Windows XP

By default the end user can unlock a user who is not in the Administrators group on the machine. A different group can be specified in the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client\ProtectGroup (String)

FastPass will then check whether the logged-in user is a member of that group and only allow the forced logoff of users who are not members of it.

What does the Password Manager Windows Client GINA do?

The Password Manager Windows Client FastPassGINA.DLL provides the following functions:

1. Supports the Ctrl+Alt+Del handling by a Password Manager Windows Client host

Security and FastPassGINA.DLL

Some customers have expressed concern that FastPassGINA.DLL opens a security hole into Windows XP. This is not the

case. FastPassGINA.DLL does not authenticate the user. FastPassGINA is present only to provide its listed capabilities.

Logging on and authenticating the users is the responsibility of the GINA that FPGINA chains to. If FastPassGINA does not

chain to a GINA that can authenticate you with Windows XP, it is impossible to log on to Windows XP.

Third-party GINAs

FastPassCorp has tested Password Manager Windows Client with a number of third-party GINAs that support GINA chaining correctly. If any conflict occurs between Password Manager Windows Client and any third-party GINA, please report this to FastPassCorp technical support and the third-party company's technical support.

If the Password Manager Windows Client GINA is not loading

If you can boot into Windows XP, but the Password Manager Windows Client GINA is not loading, it is recommended that you re-install Password Manager Windows Client. If you are loading several different programs that provide GINA extensions, you may need to load the applications in a particular order so that the various GINAs chain properly.

Please Notice!

The GINA extension is implemented using GINA chaining, meaning that it will respect other GINA extensions. During installation the Password Manager Windows Client hooks itself in the first position and chains the previously first GINA extension as the next.

3.3.2 Windows Vista and Windows 7

On Windows Vista and 7 systems the Password Manager Windows Client is implemented as a Credential Provider that

allows the opening of the Windows Client Internet Browser style interface that connects to the Password Manager Server.

The overall design of the Vista logon system is shown in Figure 3. The extension provided to allow kiosk-mode access is a

Credential Provider (CP).

Figure 4 Overall Design of the Vista Logon System

Unlike the old-style GINA extension method used on Windows XP, the Credential Provider method offers per-provider user prompting behavior. The Credential Provider architecture requires each provider to enumerate its UI elements. For example, in a given scenario, a provider might indicate to LogonUI that it requires two edit boxes, two captions, a checkbox, and a bitmap. In turn, LogonUI renders those controls on behalf of the credential provider.

A consequence of the change to the Credential Provider model is that absolutely no unintended relation exists between the different credential providers, meaning that the rate of occurrence of problems caused by conflicting products has gone down significantly.

Usability on Windows Vista and Windows 7

In Windows Vista systems the integration accessible to the end-user is as shown in Figure 5.

Figure 5 The default Windows Vista/Windows 7 login screen

3.4 Launch Window

The Launch Window is shown by default in Windows 7/Vista and can be disabled. By default the window is displayed in the login and Switch user windows.

Figure 6 The “Launch window”

The Launch Window can be disabled by setting the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client\LaunchPanelFeatureEnabled

DWORD32 value data = 1|0 (0 will disable it)

Or by choosing another LI value when installing.

Disabling that functionality will enable an icon to appear in the Switch user window.

3.5 Launch Link

The Launch Link can be used instead of the Launch Window; however, both cannot be enabled at the same time. The Link works like the Launch Window.

Figure 7 The “Launch Link”

You can enable the Launch Link by setting the following registry value to 1 (and disabling LaunchPanelFeatureEnabled above):

HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client\LaunchLinkFeatureEnabled

DWORD32 value data = 1|0 (0 will disable it)

For how to customize the different layouts, see Appendix A, page 31.

Please Notice!

On the Windows Vista platform there is no problem chaining to other Vista UI integrations. Every authentication provider runs entirely in its own environment.

3.6 Functional description

During installation of the Windows Client, the installer creates a local user called FPKioskUser, initializes it and disables the account. When a user activates the Windows Client from the login screen, the following happens:

• The FPKioskUser will be enabled
• The UserInit setting in the registry will be set to FPKioskInit
• A login as the local user will be started
• FPKioskInit.exe will be started
• PMWindowsClient.exe will be started

When the session is over, this happens:

• PMWindowsClient will exit, starting the logoff process
• FPKioskInit will exit
• The FPKioskUser will be disabled
• The session will end, displaying the login picture again
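
The lifecycle above implies a state that should hold whenever no kiosk session is running: FPKioskUser exists and is disabled. The following PowerShell is an added example, not FastPassCorp code, that checks for that state. The function names and sample states are assumptions, and the Userinit check assumes the client puts the value back to the Windows default after a session, which the guide does not state.

```powershell
# Added example (not from the FastPass guide). Account, process and registry
# names are the ones in section 3.6; function names and samples are assumptions.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-KioskState {
    param(
        [bool]$AccountExists,
        [bool]$AccountDisabled,
        [string]$Userinit,
        [bool]$SessionActive
    )
    $findings = @()
    if (-not $AccountExists) {
        $findings += 'FPKioskUser does not exist, so the Windows Client cannot start a kiosk session'
        return $findings
    }
    if ($SessionActive) {
        # While a session runs, the account is enabled and Userinit is redirected
        # by design, so there is nothing to report.
        return $findings
    }
    if (-not $AccountDisabled) {
        $findings += 'FPKioskUser is enabled although no kiosk session is running'
    }
    # Assumption: Userinit is restored to the Windows default after the session.
    if ($Userinit -match 'FPKioskInit') {
        $findings += 'Userinit still points at FPKioskInit outside a kiosk session'
    }
    return $findings
}

function Get-KioskState {
    # Read-only collection on a Windows client (Windows PowerShell).
    $acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='FPKioskUser'"
    $proc = Get-Process -Name 'PMWindowsClient' -ErrorAction SilentlyContinue
    $wl   = Get-ItemProperty -Path $WinlogonKey -Name 'Userinit' -ErrorAction SilentlyContinue
    return @{
        AccountExists   = [bool]$acct
        AccountDisabled = [bool]($acct -and $acct.Disabled)
        Userinit        = [string]$wl.Userinit
        SessionActive   = [bool]$proc
    }
}

# Constructed sample states (not taken from a real machine).
$default = 'C:\WINDOWS\system32\userinit.exe,'
$samples = @(
    @{ Note = 'Idle, healthy';
       Facts = @{ AccountExists = $true; AccountDisabled = $true;  Userinit = $default; SessionActive = $false } },
    @{ Note = 'Idle, account left enabled';
       Facts = @{ AccountExists = $true; AccountDisabled = $false; Userinit = $default; SessionActive = $false } },
    @{ Note = 'Idle, Userinit not restored';
       Facts = @{ AccountExists = $true; AccountDisabled = $true;  Userinit = 'FPKioskInit.exe'; SessionActive = $false } },
    @{ Note = 'Kiosk session in progress';
       Facts = @{ AccountExists = $true; AccountDisabled = $false; Userinit = 'FPKioskInit.exe'; SessionActive = $true } }
)

foreach ($s in $samples) {
    $facts = $s.Facts
    $found = @(Test-KioskState @facts)
    '{0}: {1} finding(s)' -f $s.Note, $found.Count
    foreach ($finding in $found) { "  ! $finding" }
}

# On a client: $state = Get-KioskState; Test-KioskState @state
```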

3.7 Enrollment Enforcement feature

As of version 3.4.2 (patch 5) the Password Manager Windows Client contains a new Enrollment Enforcement feature, which is designed to help get more users registered in the FastPass solution.

The feature is installed together with the Password Manager Windows Client and shares both configuration and code with it.

The feature runs on PCs in the user session and is primarily visible as an icon in the notification area (typically the lower right corner). The icon represents the Enrollment Enforcement Client, which is automatically started when a user logs on to the PC. The client is responsible for checking the enrollment status in Password Manager and for executing configured actions if required.

3.7.1 Flow of information

When a user logs on to Windows using a domain account, the Enrollment Enforcement Client tries to obtain the user's enrollment status by sending a web service request to the FastPass Client, which forwards it to the FastPass Server.

The FastPass Server uses the following logic to determine the enrollment status:

1. If the domain information contained in the request is unknown, return “UserRepositoryNotFound”.
2. If the user account for the request is unknown, return “UserNotFound”.
3. If the user account is enrolled, return “UserIsEnrolled”.
4. If the user account is locked in Password Manager, return “UserIsLocked”.
5. If the user is not allowed to enroll, return “UserCannotEnroll”. Whether the user is allowed to enroll is determined by the configuration of Authentication Profiles for the “Enroll User” operation.
6. If the user is not invited to enroll, return “UserCanEnroll”. Whether the user is invited is determined by the configuration of Enroll Profiles.
7. If the user is invited to enroll, return “UserMustEnroll”.

The enrollment status isn’t the only information returned to the Enrollment Enforcement Client. The following data is delivered together with the enrollment status:

• OperationStatus
Contains information on whether the request executed successfully (or failed).
• OperationStatusDetail
Optionally contains error details.
• UserEnrollmentStatus
The enrollment status:
• UserEnrollmentEnforcementMethod
Contains information about which method shall be executed by the Enrollment Enforcement Client as a result of the operation.
Possible values: None, Window and FullScreen.
• UserEnrollmentStatusCheckInterval
Contains information about the interval at which to check the enrollment status.
• UserEnrollmentEnforcementGracePeriod
Contains information about how long the user can postpone when the enrollment status is “UserMustEnroll”.

Various customizations can be made on the server side to manipulate the above flow, but before looking into this let's first take a look at the user interfaces for the Enrollment Enforcement Client.

3.7.2 User Interfaces of the Enrollment Enforcement Client

The screenshots in the following section are what can be shown to the user if the UserEnrollmentEnforcementMethod returned by the server is “Window”.

Notice that some of the screenshots contain a “Close” button. This button is only shown if the screenshot is taken from a window shown after clicking the icon in the notification area.

The first screenshot illustrates the interface shown to an end user if the enrollment status returned by the server is

“UserIsEnrolled”.

The text shown in the screenshot is, as in all other screenshots, the default text delivered with the product, but everything is fully customizable so any description can be shown.

As the identified enrollment status is “UserIsEnrolled”, all options are shown, along with a button that just closes the window.

Clicking the “Postpone” button will cause the window to close and not be redisplayed before the selected time value expires.

Clicking the “Enroll Now” button will cause the “FullScreen” method to be called, which is the same interface that is also available directly from the Windows login interface.

The next screenshot illustrates the interface shown to an end user if the enrollment status returned by the server is

“UserCanEnroll”.

As the status here is “UserCanEnroll” the window does not contain a “Close” button. The reason is that although the user

isn’t forced to enroll we still want him/her to enroll so the provided options are to postpone and to enroll now.

The next screenshot illustrates the interface shown to an end user if the enrollment status returned by the server is

“UserMustEnroll”.

As the status is “UserMustEnroll”, no option other than enroll now is given.

If the returned enrollment status is “UserRepositoryNotFound”, “UserNotFound” or “UserCannotEnroll” then the icon in the

notification area is hidden but checking continues at configured intervals.

If the user isn’t logged on with a domain account the application closes.

3.7.3 Parameter tweaking

As mentioned earlier, the FastPass Server offers some options for tweaking the flow. In the current version all tweaking parameters are global (the same for all organizations defined on a server and the same for all users). This will be changed in future versions.

All parameters can be defined in the Registry under “HKLM\SOFTWARE\FastPassCorp\Password Manager”.

The following list contains the tweaking parameters related to the “UserEnrollmentStatusCheckInterval” return value:

• UserEnrollmentStatusCheckInterval_Default

• UserEnrollmentStatusCheckInterval_UserCanEnroll

• UserEnrollmentStatusCheckInterval_UserCannotEnroll

• UserEnrollmentStatusCheckInterval_UserIsEnrolled

• UserEnrollmentStatusCheckInterval_UserIsLocked

• UserEnrollmentStatusCheckInterval_UserMustEnroll

• UserEnrollmentStatusCheckInterval_UserNotFound

• UserEnrollmentStatusCheckInterval_UserRepositoryNotFound

The timing variables are used to limit the number of server requests. The default value of all parameters is 1440, which refers to the number of minutes between checks. The values can be customized by creating a REG_DWORD value named as listed. Be careful not to lower the value too much, as this will increase the traffic against your FastPass environment.

To allow for more flexible enforcement, the parameter “UserEnrollmentEnforcementGracePeriod_UserMustEnroll” can be used to define the number of days that a user is allowed to postpone before she/he is eventually forced to enroll. The value is only returned to the Enrollment Enforcement Client if the FastPass Server identifies the enrollment status as “UserMustEnroll”. The Enrollment Enforcement Client stores the time when it first sees this status for the specific user, and from then on it only allows the user to postpone her/his enrollment until the grace period expires. Notice that the timestamp is only stored on the PC, so if the user logs on to different PCs they will all allow her/him a different grace period.

By default the FastPass Server returns “FullScreen” as the value of the “UserEnrollmentEnforcementMethod” return value

when the enrollment status is “UserMustEnroll” and “Window” when the enrollment status is “UserCanEnroll”. To tweak

this behavior the following parameters can be defined as REG_SZ:

• UserEnrollmentEnforcementMethod_UserCanEnroll

• UserEnrollmentEnforcementMethod_UserCannotEnroll

• UserEnrollmentEnforcementMethod_UserIsEnrolled

• UserEnrollmentEnforcementMethod_UserIsLocked

• UserEnrollmentEnforcementMethod_UserMustEnroll

By default the FastPass Server uses Authentication Profiles and Enrollment Profiles as described earlier. If this logic isn’t desired, the following parameters can be used.

• UserEnrollmentEnforcementAllowPostpone_UserCanEnroll

If set to “False” the returned enrollment status will be switched to “UserMustEnroll”.

• UserEnrollmentEnforcementAllowPostpone_UserMustEnroll

If set to “True” the returned enrollment status will be switched to “UserCanEnroll”.
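The server-side decision from 3.7.1, the global tweaking parameters from this section and the per-PC grace period, modelled together as an added example (not FastPass code). The Account fields, the ClientPC class and the sample values are hypothetical; applying the AllowPostpone switch before the per-status lookups and letting a per-status interval override _Default are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Account:
    """What the server knows about the requesting user (hypothetical field names)."""
    repository_known: bool = True
    found: bool = True
    enrolled: bool = False
    locked: bool = False
    allowed_to_enroll: bool = True    # Authentication Profiles, "Enroll User" operation
    invited_to_enroll: bool = False   # Enroll Profiles

def enrollment_status(acct):
    """The guide's seven checks, evaluated in the documented order; first hit wins."""
    if not acct.repository_known:
        return "UserRepositoryNotFound"
    if not acct.found:
        return "UserNotFound"
    if acct.enrolled:
        return "UserIsEnrolled"
    if acct.locked:
        return "UserIsLocked"
    if not acct.allowed_to_enroll:
        return "UserCannotEnroll"
    if not acct.invited_to_enroll:
        return "UserCanEnroll"
    return "UserMustEnroll"

def server_response(acct, params):
    """Apply the global tweaking parameters to the computed status.

    `params` stands in for the values under the Password Manager registry key.
    Assumptions: the AllowPostpone switch is applied before the per-status
    lookups, and a per-status interval takes precedence over _Default.
    """
    status = enrollment_status(acct)
    allow = "UserEnrollmentEnforcementAllowPostpone_"
    if status == "UserCanEnroll" and params.get(allow + "UserCanEnroll") == "False":
        status = "UserMustEnroll"
    elif status == "UserMustEnroll" and params.get(allow + "UserMustEnroll") == "True":
        status = "UserCanEnroll"
    # Documented defaults only; the guide gives none for the other statuses.
    default_method = {"UserMustEnroll": "FullScreen", "UserCanEnroll": "Window"}
    interval = params.get("UserEnrollmentStatusCheckInterval_" + status,
                          params.get("UserEnrollmentStatusCheckInterval_Default", 1440))
    grace = None
    if status == "UserMustEnroll":  # the grace period is only returned for this status
        grace = params.get("UserEnrollmentEnforcementGracePeriod_UserMustEnroll")
    return {
        "UserEnrollmentStatus": status,
        "UserEnrollmentEnforcementMethod":
            params.get("UserEnrollmentEnforcementMethod_" + status, default_method.get(status)),
        "UserEnrollmentStatusCheckInterval": interval,   # minutes
        "UserEnrollmentEnforcementGracePeriod": grace,   # days
    }

class ClientPC:
    """One workstation; the first-seen timestamp lives only in this object."""
    def __init__(self):
        self.first_must_enroll = {}

    def postpone_deadline(self, user, response, now):
        """Return when postponing stops being allowed on this PC, or None."""
        if response["UserEnrollmentStatus"] != "UserMustEnroll":
            return None
        first = self.first_must_enroll.setdefault(user, now)
        return first + timedelta(days=response["UserEnrollmentEnforcementGracePeriod"] or 0)

def roaming_deadlines(grace_days=7, days_until_second_pc=10):
    """Same user, same server answer, two PCs: each PC starts its own grace clock."""
    params = {"UserEnrollmentEnforcementGracePeriod_UserMustEnroll": grace_days}
    response = server_response(Account(invited_to_enroll=True), params)
    pc_a, pc_b = ClientPC(), ClientPC()
    first_logon = datetime(2012, 10, 5, 8, 0)            # constructed timestamp
    later = first_logon + timedelta(days=days_until_second_pc)
    user = "DOMAINA\\alice"                              # constructed account name
    deadline_a = pc_a.postpone_deadline(user, response, first_logon)
    deadline_b = pc_b.postpone_deadline(user, response, later)
    return {"pc_a_expired": later >= deadline_a, "pc_b_expired": later >= deadline_b,
            "pc_a_deadline": deadline_a, "pc_b_deadline": deadline_b}

if __name__ == "__main__":
    print(server_response(Account(), {"UserEnrollmentEnforcementAllowPostpone_UserCanEnroll": "False"}))
    print(roaming_deadlines())
```

In the roaming case the first PC has stopped offering “Postpone” while the second PC, seeing the status for the first time, starts a fresh grace period; that is worth factoring in when choosing the grace period for shared or roaming workstations.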

4. Displaying Custom messages after password reset – HelpPanel Feature

In some cases there is a need for displaying certain information after a user has done a password reset in the Windows

Client. This feature will display such a message as a bitmap. This feature is only available on Windows 7 machines.

To enable this feature a registry value must be set on the client machine along with a folder with the images.

Create a 32 bit DWORD registry value named:

HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client\HelpPanelFeatureEnabled

Set the value data to 1.

A folder called HelpImages must be created under <INSTALLPATH>\FastPassWindowsClient\. The folder must contain images for the possible languages the installation has. The naming convention is <LANG>.bmp; the <LANG> key value can be seen in the LANGUAGE parameter for the installer.

The default language is English (EN.bmp), which has to be present.

The dimensions of the bmp images must be 250 x 500 pixels (W x H).

5. Using Windows Client with IIS Client Certificate Mapping

Using the Windows Client with client certificates tightens the security of the FastPass solution by permitting only clients with a proper certificate to access the solution. The certificate handling is all done by IIS on the server side. Please refer to the following documentation:

http://www.iis.net/configreference/system.webserver/security/authentication/iisclientcertificatemappingauthentication

The certificate mapping needs to be assigned on the website that the FastPass Client resides on (Standalone/DMZ Client).

5.1 Configuring the Windows Client

The Windows Client must be able to send the client license to the server in order to get access. The client will load the license from a password protected PFX certificate file and also add it to the current user’s certificate store, if not already present. This configuration is done like this in the PMWindowsClient-config.xml file:

<url target="https://<TARGETSERVER>/FastPassClient/Default.aspx" timeout="60" clientcertificatepath="c:\certificates\UserCert.pfx" clientcertificatepassword="M3x1AaUFJjmszSJ0gf9sv8pw==" />

The clientcertificatepath tells the client the path and filename of the pfx certificate file.

The clientcertificatepassword tells the client the password to the pfx file. Please notice that the password is encrypted. To encrypt your password, please contact FastPass support to get the application that will let you encrypt your password, or even create your own encryption (can be created using .NET).

When using this feature it is also necessary to set the HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client\DisableLowercaseConfig (REG_SZ) registry value on the client machine. Value data must be True.

The website address that the clients access must reside in the user’s (and the local fpkioskuser account’s) Intranet or Trusted Zone. This can be achieved using GPO to distribute the settings.

If the client has more than one certificate suited to be sent to the server, Windows presents a choice between certificates. This must be avoided. To avoid this, limit the trusted CAs on the webserver (as the client will only find certificates the server trusts as suitable).

6. Windows Client only access

To prevent browser/mobile clients from accessing the FastPass solution, the client can be set up to limit access to the site. This feature is normally used to limit access to the FastPass Client when the solution is accessed from the Internet. To limit access, add the following REG_SZ value to the registry:

HKLM\Software\FastPassCorp\Password Manager\SelfServiceClientRestrictionClientType

Value data: WindowsClient;Browser;MobileClient

The above value data will restrict all clients; “;” is the delimiter.

When set, the Client restricts access for all clients other than the one mentioned. E.g. setting the value to WindowsClient will only permit the Windows Client to access the website. If it is set, the feature will send a 404 HTTP status code to all other clients.

Furthermore, it is possible to limit access to the client by domain. This feature only targets the Windows Client; the prerequisite is that the SelfServiceClientRestrictionClientType setting is set to WindowsClient. Limiting by domain is easy: simply add the REG_SZ value:

HKLM\Software\FastPassCorp\Password Manager\SelfServiceClientRestrictionClientDomain

Set the value data to the NetBIOS name of the domain. Multiple domains can be added, separated by “;”, e.g.:

DomainA;domainB

7. Security measures inside Windows Client

7.1 Url restrictions

By default the Windows Client will only let the web part load pages whose URL holds the /FastPassClient/ part, amongst others. The intention is to prevent any visits to malicious web pages. The pages allowed in the Windows Client are controlled in the PMWindowsClient-config.xml file in the following section.

<urlrestrictions>
  <!-- BUILD-IN <urlrestriction type="allow" behavior="hidden" matchmethod="regexp" url="^https://.+/FastPassClient/" /> -->
  <!-- BUILD-IN <urlrestriction type="allow" behavior="hidden" matchmethod="regexp" url="^javascript:__doPostBack\('ctl00\$butMenu" /> -->
  <!-- BUILD-IN <urlrestriction type="deny" behavior="hidden" matchmethod="regexp" url="^about:" /> -->
  <!-- BUILD-IN <urlrestriction type="deny" behavior="visible" matchmethod="regexp" url="^http://" /> -->
  <!-- SAMPLE <urlrestriction type="allow" behavior="visible" matchmethod="regexp" url="^https://demo.fastpasscorp.com/" /> -->
  <!-- SAMPLE <urlrestriction type="allow" behavior="visible" matchmethod="startwith" url="https://demo.fastpasscorp.com/" /> -->
  <!-- SAMPLE <urlrestriction type="allow" behavior="visible" matchmethod="endswith" url=".aspx" /> -->
  <!-- SAMPLE <urlrestriction type="allow" behavior="visible" matchmethod="contains" url="//demo.fastpasscorp.com/" /> -->
  <!-- SAMPLE <urlrestriction type="deny" behavior="visible" matchmethod="regexp" url="^javascript:__doPostBack\('ctl00\$butMenuChangePwd" /> -->
  <!-- SAMPLE <urlrestriction type="deny" behavior="visible" matchmethod="nregexp" url="(^https://.+/FastPassClient/)|(^javascript:__doPostBack\('ctl00\$butMenu)" /> -->
  <!-- SAMPLE <urlrestriction type="deny" behavior="visible" matchmethod="regexp" url="^javascript:__doPostBack\('ctl00\$butMenuChangePwd" /> -->
</urlrestrictions>

Use the rules to customize the usage in the specific environment.

7.2 Keyboard restrictions

The Windows key and the Print Screen key will not work while the Windows Client is open. Normally no further modifications of the key restrictions are needed; however, if you expect to change these settings, please contact FastPass support for further documentation.

7.3 Process restrictions

To make sure that no other processes are launched while having the Windows Client open process restrictions are in place.

The way this works depends on the architecture.

• XP. The FastPassGina.dll controls the processes run until the Windows Client itself has started. When the client has

started it takes over the monitoring while the Gina part controls that the Windows Client is still running. If the Gina

detects that the Windows Client is not alive (it will monitor heartbeats sent by the process) it will terminate the

session and logoff.

• Vista/Windows 7: The FPKioskInit controls the processes run until the Windows Client itself has started. When the

client has started it takes over the monitoring while the FPKioskInit part controls that the Windows Client is still

running. If the FPKioskInit detects that the Windows Client is not alive (it will monitor heartbeats sent by the

process) it will terminate the session and logoff.

When the VPN feature is enabled, other processes have to be allowed to run. This can be specified in a special section so that the process names are only allowed in the specific state of the Windows Client. Process restrictions can also be customized using the configuration parameters below. There might be certain processes that have to be allowed in a specific environment.

<processrestrictions>
  <processrestriction type="allow" state="always" action="log" matchmethod="equals" executable="C:\Program Files (x86)\FastPassCorp\FastPassWindowsClient\PMWindowsClient.exe" />
  <processrestriction type="allow" state="always" action="log" matchmethod="equals" executable="C:\Program Files\FastPassCorp\FastPassWindowsClient\PMWindowsClient.exe" />
  <processrestriction type="allow" state="always" action="log" matchmethod="equals" executable="C:\Windows\System32\FastPassKioskInit.exe" />
  <processrestriction type="allow" state="always" action="log" matchmethod="regexp" executable="^.:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\" />
  <processrestriction type="allow" state="always" action="log" matchmethod="regexp" executable="^.:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\" />
  <processrestriction type="allow" state="always" action="log" matchmethod="regexp" executable="^.:\\Windows\\System32\\conhost.exe$" />
  <processrestriction type="allow" state="always" action="log" matchmethod="regexp" executable="^.:\\windows\\System32\\taskhost.exe$" />
  <processrestriction type="allow" state="always" action="log" matchmethod="equals" executable="C:\Program Files\FastPassCorp\FastPassWindowsClient\PMWindowsClient.exe" />
  <processrestriction type="allow" state="vpnopening" action="log" matchmethod="endswith" executable="cmd.exe" />
  <processrestriction type="allow" state="vpnclosing" action="log" matchmethod="endswith" executable="cmd.exe" />
</processrestrictions>
<processrestrictionactionstartupchecks>10</processrestrictionactionstartupchecks>
<processrestrictionactionstartup>log</processrestrictionactionstartup>
<processrestrictionaction>kill</processrestrictionaction>
<processrestrictioncheckinterval>500</processrestrictioncheckinterval>

Processes not listed as allowed will be killed within 500ms by default.

Please Notice!

The C level part (Gina on XP and Credential Provider on Windows 7/Vista) can only accept “EQUALS” rules. You will need to add different paths to make sure that the C level part will not kill and exit the session itself.
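An added audit sketch (not part of the FastPass product or this guide) for the urlrestriction rules in 7.1 and the processrestriction rules in 7.3: it reports which allow rules accept a probe URL or path outside what the operator expects. The matchmethod semantics, the case-insensitive matching, the trusted hosts, the expected directories and the probe values are assumptions or constructed samples.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a handful of the guide's BUILD-IN/SAMPLE rules, uncommented
# and wrapped in one root element so that they parse as a document.
SAMPLE_CONFIG = r"""
<config>
  <urlrestrictions>
    <urlrestriction type="allow" behavior="hidden" matchmethod="regexp" url="^https://.+/FastPassClient/" />
    <urlrestriction type="allow" behavior="visible" matchmethod="regexp" url="^https://demo.fastpasscorp.com/" />
    <urlrestriction type="allow" behavior="visible" matchmethod="startwith" url="https://demo.fastpasscorp.com/" />
    <urlrestriction type="allow" behavior="visible" matchmethod="endswith" url=".aspx" />
    <urlrestriction type="deny" behavior="visible" matchmethod="regexp" url="^http://" />
  </urlrestrictions>
  <processrestrictions>
    <processrestriction type="allow" state="always" action="log" matchmethod="equals" executable="C:\Program Files\FastPassCorp\FastPassWindowsClient\PMWindowsClient.exe" />
    <processrestriction type="allow" state="always" action="log" matchmethod="regexp" executable="^.:\\Windows\\System32\\conhost.exe$" />
    <processrestriction type="allow" state="vpnopening" action="log" matchmethod="endswith" executable="cmd.exe" />
  </processrestrictions>
</config>
"""

def rule_matches(method, pattern, value):
    """Evaluate one matchmethod. The semantics are inferred from the method names
    (nregexp is taken as 'regexp does not match'); matching is case-insensitive
    so that the audit errs on the side of reporting. Both are assumptions."""
    method = (method or "").lower()
    p, v = pattern.lower(), value.lower()
    if method == "equals":
        return v == p
    if method == "startwith":
        return v.startswith(p)
    if method == "endswith":
        return v.endswith(p)
    if method == "contains":
        return p in v
    if method == "regexp":
        return re.search(pattern, value, re.IGNORECASE) is not None
    if method == "nregexp":
        return re.search(pattern, value, re.IGNORECASE) is None
    raise ValueError("unknown matchmethod: %r" % method)

def audit_allow_rules(config_xml, tag, attr, probes, is_expected):
    """Return (matchmethod, pattern, probe) for every allow rule that accepts a
    probe which is_expected() says should not be reachable. Rule precedence is
    not modelled: a finding means 'this rule alone would let it through'."""
    findings = []
    for rule in ET.fromstring(config_xml).iter(tag):
        if rule.get("type") != "allow":
            continue
        for probe in probes:
            if not is_expected(probe) and rule_matches(rule.get("matchmethod"), rule.get(attr), probe):
                findings.append((rule.get("matchmethod"), rule.get(attr), probe))
    return findings

# Hosts the operator intends the client to reach (constructed for the example).
TRUSTED_HOSTS = {"selfservice.mydomain.local", "demo.fastpasscorp.com"}
URL_PROBES = [  # constructed probe URLs
    "https://selfservice.mydomain.local/FastPassClient/Default.aspx",
    "https://untrusted.example/FastPassClient/Default.aspx",
    "https://demoxfastpasscorp.com/",
]

def audit_urls(config_xml=SAMPLE_CONFIG):
    return audit_allow_rules(config_xml, "urlrestriction", "url", URL_PROBES,
                             lambda u: urlsplit(u).hostname in TRUSTED_HOSTS)

# Directories the operator expects allowed executables to live in (constructed).
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\fastpasscorp\\",
                 "c:\\program files (x86)\\fastpasscorp\\")
PROCESS_PROBES = [r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\cmd.exe"]  # constructed

def audit_processes(config_xml=SAMPLE_CONFIG):
    return audit_allow_rules(config_xml, "processrestriction", "executable", PROCESS_PROBES,
                             lambda p: p.lower().startswith(EXPECTED_DIRS))

if __name__ == "__main__":
    for finding in audit_urls() + audit_processes():
        print("allow rule %s %r accepts %s" % finding)
```

Rules that show up in the findings are candidates for tightening: a startwith rule or a regexp with the host name spelled out and its dots escaped on the URL side, and an equals rule with the full path on the process side.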

8. Installing the Password Manager Windows Client

The Password Manager Windows Client is distributed in a single MSI installer package for all the supported platforms and it

can be installed silently by specifying options on the command line or in a configuration file.

On Windows XP a reboot of the machine is needed after the installation before the “Forgot Password” button will be

displayed in the Login dialog but there is no other reason to perform the reboot directly after the installation so typically

this reboot can be postponed.

In Windows Vista/Windows 7 reboot is not required.

8.1 Supported Platforms

The Password Manager Windows Client is supported on the following Windows Operating Systems.

| Operating Systems | Limitations |
|---|---|
| Windows XP Professional 32 bit | None |
| Windows XP Professional 64 bit | None |
| Windows Vista Business 32 bit | None |
| Windows Vista Business 64 bit | None |
| Windows Vista Enterprise 32 bit | None |
| Windows Vista Enterprise 64 bit | None |
| Windows Vista Ultimate 32 bit | None |
| Windows Vista Ultimate 64 bit | None |
| Windows 7 32 bit | None |
| Windows 7 64 bit | None |

For operation in Terminal Services environment the following platforms are supported:

| Operating Systems | Limitations |
|---|---|
| Windows Server 2003 family 32 bit | None |
| Windows Server 2003 family 64 bit | None |
| Windows Server 2008 family 32 bit | Versions 3.4.1.0 and before: None / 3.4.2.0 version with the “Launch Window disabled” |
| Windows Server 2008 family 64 bit | Versions 3.4.1.0 and before: None / 3.4.2.0 version with the “Launch Window disabled” |

8.2 Pre-requirements

The Password Manager Windows Client has the following pre-requirements for installation on any of the supported

platforms.

| Pre-requirement | Comments |
|---|---|
| Microsoft .NET v3.5 SP1 | Higher versions like v4.0 include v3.5 SP1, and installation of these as alternatives is therefore also supported. |

8.3 Administrative privileges required

When you are trying to install FastPass Windows Client sometimes you will meet this message.

What you need to do is to run the installer from a command prompt with administrative privileges.

To achieve this:

Click on the Start menu on the PC and type cmd.exe in the search box, then right-click cmd.exe and choose Run as Administrator. You might be prompted to give credentials and password.

You will now have to change the command line to the directory where the FastPass Windows Client.msi resides.

8.4 Installation using GUI

The Password Manager Windows Client can be installed in GUI mode which is described and illustrated in the following.

To start the installation you must be logged on as a user with administrative privileges and then start the installer program, by default named “FastPassWindowsClient.msi”. This will bring up the InstallShield Wizard program.

Click the “Next” button to continue and the “End User License Agreement” screen will be shown.

Click the “Next” button to accept and to continue and the user specification screen will be shown.

Type in User and Organization information and click the “Next” button to continue and the Installation destination selection

screen will be shown.

Click the “Browse” button to specify an alternative installation destination and eventually click the “Next” button to

proceed. This will bring you to the “Installation Confirmation” screen, which is the last chance to cancel before the actual

installation will be performed.

Click the “Install” button to proceed. This will initiate the installation process and bring up the “Installation Progress”

screen.

On successful completion the wizard automatically shifts to the “Finish” screen.

Click the “Finish” button. This will close the InstallShield Wizard.

8.5 Installation using Command Line options

The Password Manager Windows Client can be installed in silent mode and configured to access a specific Password Manager server using command line options. Supported options:

• KIOSKACCOUNT="fpkioskuser" (Default)

Unprivileged account used by the solution.

• LI=[2|1|0] (Default setting is 1)

o 2 – Launch Link

o 1 – Launch Window

o 0 – Only the icon at the “Switch User” panel is shown

o Note: the LI feature is only present on Windows Vista, Windows 7 and Windows Server 2008, but causes no issues when the parameter is used under XP

• IE=[1|0] (Default setting is 0)

Internet Explorer initialization for the KIOSKACCOUNT. (If a proxy is specified in the configuration file for Fa then

this setting must be set to one when installing)

• SERVER="selfservice.mydomain.local"

Server to be accessed.

• SERVERURL="https://selfservice.mydomain.local/FastPassClient/Default.aspx"

Full specification of the URL to be accessed.

• LANGUAGE= [da|de|en|es|fr|nl|no|sv|pt|it]

Default language to be used if the system language setting isn’t supported by the Windows Client.

| Value | Language |
|---|---|
| da | Danish |
| de | German |
| en | English |
| Fr | French |
| nl | Dutch |
| no | Norwegian |
| sp | Spanish |
| sv | Swedish |
| pt | Portuguese |
| it | Italian |

• FORCELANGUAGE=[0|1]

Forces the use of a specific language (value of LANGUAGE or “en”) instead of defaulting to the system settings.

• ID=[GUID]

Sets the design of the Windows Client. (Please take a look at the appendix regarding the different designs and the corresponding ID values.)

• ECC=[0|1]

Whether the Enforcement Client should also be installed; this is enabled (1) by default.

The syntax for this is as shown in the following.

<MSIFILE> /quiet SERVERURL="https://<server>/FastPassClient/Default.aspx" IE=1

Where <MSIFILE> shall be replaced with the filename of the installer which by default is FastPassWindowsClient.msi.

Supported MSI parameters for control of booting:

• /forcerestart

• /norestart

If no boot parameters are specified UI installations will prompt the user to restart and silent installations will complete

without prompting or booting.

Please Notice!

When installing using the “/quiet” option the installation is done into the path %ProgramFiles%\FastPassCorp, so

typically “C:\Program Files\FastPassCorp”.

8.6 Installation using XML Configuration file

The Password Manager Windows Client can be installed in silent mode and fully configured using a command line option that points to an XML configuration file.

The syntax for this is as shown in the following.

<MSIFILE> /quiet CONFIGFILE="PMWindowsClient-config.xml"

Or

<MSIFILE> /quiet CONFIGFILE="\\ComputerName\SharedFolder\PMWindowsClient-config.xml"

In most installations the proxy settings are not needed since they are already available from the machine default settings, and then this whole section can be left out; but if you have the same proxy all over, you can also enter it here.

Please Notice!

When installing using the “/quiet” option the installation is done into the path %ProgramFiles%\FastPassCorp, so

typically “C:\Program Files\FastPassCorp”.

8.7 Post installation configuration

The Password Manager Windows Client can also be configured after installation.

This is done by editing the configuration file found under the following path.

<INSTALLDIR>\FastPassCorp\Configuration\FastPassWindowsClient\PMWindowsClient-config.xml

Where <INSTALLDIR> shall be replaced with the selected installation directory typically “C:\Program Files”.

The configuration file could be looking similar to what is shown in the following.

<?xml version="1.0" encoding="utf-8" ?>
<config>
  <formTitle>Password Manager Client</formTitle>
  <buttonTitle>Exit</buttonTitle>
  <language>en</language>
  <records>
    <record>
      <!-- section one -->
      <conditions>
        <pings>
          <!-- ping each reference until one responds -->
          <!--<ping host="10.0.0.249"/>-->
          <!--<ping host="server400.fastpasscorp.com"/>-->
        </pings>
        <networks>
          <!-- at least one active network card must be within one of these networks -->
          <!--<network lowrange="10.0.0.2" highrange="10.0.0.254" />-->
        </networks>
        <defaultGateways>
          <!-- at least one of these gateways must match current default gateway -->
          <!--<defaultGateway ip="10.0.0.250" />-->
        </defaultGateways>
        <dnsSuffixes>
          <!-- at least one of these dns names must match current dns name -->
          <!--<dnsSuffix name="fastpasscorp.com" />-->
        </dnsSuffixes>
        <dnsServers>
          <!-- at least one of these dns names must match current dns name -->
          <!--<dnsServer ip="10.0.0.212" />-->
        </dnsServers>
        <dhcpServers>
          <!--<DhcpServer ip="10.0.0.213" />-->
        </dhcpServers>
      </conditions>
      <urls timeout="20">
        <!-- Syntax: <url target="URI" [timeout="seconds"] [proxy="URI"] [pacFile="URI"] -->
        <!-- URI syntax: [scheme://]hostname-or-IP[:port]/page -->
        <!-- scheme ::= {http://|https://} -->
        <!-- hostname ::= {www.google.com} -->
        <!-- IP ::= {74.125.77.103}-->
        <!-- Port ::= {8080}-->
        <!-- page ::= {FastPassClient/Default.aspx}-->
        <!--<url target="https://passwordmanager/FastPassClient/Default.aspx" timeout="5" proxy="10.0.0.249:8080"/>-->
        <!--<url target="https://passwordmanager/FastPassClient/Default.aspx" pacFile="http://servername/aa.pac"/>-->
        <url target="https://passwordmanager/FastPassClient/Default.aspx"/>
      </urls>
    </record>
  </records>
</config>

Please Notice!

The number of supported languages is continuously expanding, and furthermore this can be controlled by the Password Manager Server configuration. Read the Installation Guide for the Password Manager Server to see the newest list of supported languages, and read the Administrators Guide for information on how to customize language behavior.

8.8 Running the Windows Client in a Terminal Services/Citrix environment

The Windows Client is fully compatible with running in a Terminal Services/Citrix environment. From version 3.4.2.0, running with Terminal Services/Citrix under Windows Server 2008 is only advised when not using the Launch Window feature. Disabling that is done by setting a registry parameter – please check the Windows 7 section where this is described in detail.

The Windows Client supports operating in a Terminal Services and/or Citrix environment; however, there are some limitations and settings that need to be set to ensure secure operation.

8.8.1 Installing

Please install the Windows client as described above but after the installation the following has to be done.

1. Edit the local user on the Terminal Services server called FPKioskUser and allow the user to log on to Terminal Services. (Validate this by logging in as the user.)

2. Change the user settings

This will ensure that the FPKioskUser is able to log in and that sessions will not pile up. (The Windows Client itself will also detect lost sessions and end the session on detection.)

8.8.2 Setting up Citrix GINA component

The following refers to a system where there are no third-party GINAs other than Citrix.

If the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ctxGINADLL is set, please contact FastPass Support to analyze the Ginas before installing the Windows Client. If the Windows Client is installed before Citrix Presentation Server, the software should work without changes, but if the Windows Client is installed on a system where the Citrix installation is already present, changes will have to be made to the registry.

Before installing:

Validate that the key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GINADLL is either set to ctxGINA.dll or MSGina.dll.

After installing

After installing the Windows Client, do not reboot until the following Registry changes are done. Set the following values:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GINADLL = ctxGINA.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ctxGINADLL = FastPassGina.dll

Then set the FastPass Keys:

HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client\HookGINA=msgina.dll

Now reboot the system.

NOTE: If Ctxgina.dll is not the primary GinaDll set in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GINADLL, the following Citrix-specific functionality is unavailable:

1. Users cannot log on with UPN user names; for example, [email protected].

2. Users cannot log on with a password that is longer than 15 characters.

3. Citrix Auto Client Reconnect fails.

4. Clients configured with "User Specified Credentials" fail

After the steps above have been completed, test that the GINA is shown correctly on the Console and via RDP (NOT ICA).

Finally, there is an option on the ICA-tcp connection in the ‘Terminal Service Configuration’ Management Console that is by default set to ‘Use standard Windows logon interface’. Make sure that this option is not selected.
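A read-only check of the three values set in this section, to run after the registry changes and before the reboot; Winlogon loads whatever DLL these values name, so anything other than the documented value deserves a look. This is an added example, not FastPass code: the function name Test-GinaChain is hypothetical, and the key path uses Windows' own CurrentVersion spelling.

```powershell
# Added example, not FastPass code: audit the GINA chain from section 8.8.2.
# Expected values are the ones the guide says to set after installing on a Citrix server.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$fastpass = 'HKLM:\SOFTWARE\FastPassCorp\Windows Client'

$expected = @(
    @{ Path = $winlogon; Name = 'GINADLL';    Value = 'ctxGINA.dll' },
    @{ Path = $winlogon; Name = 'ctxGINADLL'; Value = 'FastPassGina.dll' },
    @{ Path = $fastpass; Name = 'HookGINA';   Value = 'msgina.dll' }
)

function Test-GinaChain {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        $actual = $null
        # A missing key or value yields no object instead of an error
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = [string]$item.($c.Name) }
        $shown = if ($null -eq $actual) { '<not set>' } else { $actual }
        # New-Object PSObject keeps this usable on PowerShell 2.0 (XP / Server 2003 era hosts)
        New-Object PSObject -Property @{
            Value    = "$($c.Path)\$($c.Name)"
            Expected = $c.Value
            Actual   = $shown
            Ok       = ($actual -ieq $c.Value)   # DLL file names compare case-insensitively
        }
    }
}

$report = @(Test-GinaChain -Checks $expected)
$report | Select-Object Value, Expected, Actual, Ok | Format-Table -AutoSize
# Non-zero exit lets a deployment task stop before the reboot step
if ($report | Where-Object { -not $_.Ok }) { exit 1 } else { exit 0 }
```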


9. Upgrading the Windows Client

From version 3.4.2.3 the FastPass Windows Client can be updated by installing over the current version, but there are some things to pay attention to.

1. The configuration file will not be updated by FastPass. Some versions add important features and defaults to FastPass, so we recommend creating a new configuration file and installing with the CONFIGFILE parameter. This will ensure that the current config file gets overwritten.

2. On Windows 7 the integration has changed – please check the section regarding this in this document.

3. Reinstalling on XP will not destroy chaining to other GINAs; FastPass will leave the chain as it was found.

4. FastPass will from now on have a new Product Code for each version – which will let you install over a previous version without uninstalling and rebooting.

5. When using this option, uninstalling the old version is not advised unless the application is not to be used at all.


10. Setting up for Remote Password Reset

With this feature a user is able to reset the password, and get the local machine's cached password updated, from anywhere. To use this feature a VPN connection and script must be set up for use with Windows Client.

10.1 How it works

Basically the VPN can be started up either:

1. As soon as the Windows Client starts (FullVPN)

2. Right after the user has reset the password (VPN)

Here are the overall steps in the communication:

1. When the Windows Client starts it will open up the web page and display it to the user.

2. Once the user activates the Exit button, and the feature is enabled in the PMWindowsClient config file, the credentials are fetched from Password Manager.

3. When the user activates the Exit button, Windows Client will contact the Password Manager server if the usevpnconnection feature is set to true in the Windows Client config.

4. If and only if a password reset has been successfully carried out, the VPN script specified in the config is called.

5. If the connection succeeds and Windows Client can connect to a domain controller, the Password Cache is updated.

6. The close VPN script is called.

7. Windows Client exits.

Windows Client will call the script – the script itself will have to be changed to fit the customer's VPN software. Example scripts are found in the VPN folder under the FastPassWindowsClient folder.

10.2 Preparing the Server

On the server side the VPN setup can be enabled by opening the administration client and clicking the Feature settings -> Windows Client icon (if it is not present, the feature might be missing in your license). When it opens, the following screen appears:


By default the “settings for local Connections” is enabled. This will let Windows Client update the locally cached password on the LAN and not wait for the user to log in manually.

To enable the VPN feature we will have to adjust the settings under “Settings for Remote Connections”.

Basic settings:

• Profile Name: This name is relayed to the Windows Client and will be available in the VPNScript as an environment variable

• Credential mode

o User Credentials (The user's username and password) (cannot be used with the FullVPN feature)

o Specific Password (The user's username and the specified password)

o Specific Credentials (The specified username and password)

• UserName: Is only used when the specific credentials are used


• Password: Is only used when the “specific credentials” or “specific password” is used

VPN Opening Settings

• VPN Open Script: The name of the script/executable to be called; it has to reside in the FastPassWindowsClient\VPN folder

• Delay before open: Sets the number of seconds to wait before calling the script

• Open operation timeout: Specifies how long to wait for the VPN open operation to complete

• Delays after open: Specifies how long to wait before moving to the Update operation.

Update Operation Settings

• Delay before update: Sets the number of seconds to wait before attempting the operation

• Number of update retries: How many times to retry the operation if it fails

• Delay between retries: Specifies how long to wait before making a retry operation

• Delays after update: Specifies how long to wait before moving to the close operation.

VPN Closing Settings

• VPN Close Script: The name of the script/executable to be called; it has to reside in the FastPassWindowsClient\VPN folder

• Delay before close: Sets the number of seconds to wait before calling the script

• Close operation timeout: Specifies how long to wait for the VPN close operation to complete

• Delays after Close: Specifies how long to wait before exiting.

10.3 Preparing the Client

10.3.1 Config changes

There are a few things to prepare on the Windows Client. In the PMWindowsClient.config.xml file you will have to enable the VPN feature by setting usevpnconnection to true, like this:

<usevpnconnection>true</usevpnconnection>

10.3.2 Creating a script

You can use the examples placed in the FastPassClient\vpn folder.

The Windows Client will make the credential information available to the selected VPN script by creating the following environment variables:

• VpnProfile

• VpnUsername

• VpnPassword
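A VPN open script that consumes these three variables, as an added example (not one of the scripts shipped in the VPN folder). It assumes the VPN is a Windows RAS phonebook entry named after VpnProfile and dialed with rasdial.exe, and that the configured open script is a launcher that starts this PowerShell file; Get-VpnInput and the profile-name pattern are hypothetical.

```powershell
# Added example, not a FastPass-supplied script: open a RAS VPN entry using the
# VpnProfile / VpnUsername / VpnPassword variables set by the Windows Client.
$ErrorActionPreference = 'Stop'

function Get-VpnInput {
    # Read the three variables from this process only; fail closed if any is missing
    $vals = @{}
    foreach ($name in 'VpnProfile', 'VpnUsername', 'VpnPassword') {
        $v = [Environment]::GetEnvironmentVariable($name, 'Process')
        if ([string]::IsNullOrEmpty($v)) { throw "Missing environment variable: $name" }
        $vals[$name] = $v
    }
    # Assumed policy: accept only a conservative character set for the profile name
    if ($vals.VpnProfile -notmatch '^[\w .-]{1,64}$') {
        throw 'Unexpected characters in VpnProfile'
    }
    return $vals
}

try {
    $in = Get-VpnInput
    # rasdial syntax: rasdial <entry name> <user name> <password>
    & "$env:SystemRoot\System32\rasdial.exe" $in.VpnProfile $in.VpnUsername $in.VpnPassword |
        Out-Null
    $code = $LASTEXITCODE
}
catch {
    # Report the reason only; never write the password or the environment to a log
    [Console]::Error.WriteLine('VPN open failed: ' + $_.Exception.Message)
    $code = 1
}
finally {
    # Drop the secret so processes started later from this shell do not inherit it
    Remove-Item Env:VpnPassword -ErrorAction SilentlyContinue
    $in = $null
}
exit $code
```

rasdial takes the password as a command-line argument, so it is visible in process listings and in process-creation audit events that record command lines while the dial runs; a VPN client that reads the secret from standard input or a protected store avoids this.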


11. Customizing the splash screen

It is possible to customize some of the images in the Windows Client, providing a known look and feel to the users.

The background color can be set using the following registry key: HKLM\SOFTWARE\FastPassCorp\Windows Client\CustomBackgroundColor (String)

Colors are defined as in HTML, so e.g. #FFFFFF or White are valid values.

The splash image can be set using this key: HKLM\SOFTWARE\FastPassCorp\Windows Client\CustomImage (String)

The value should be the complete path to a jpg file (please ensure that the jpg file will be readable by the FPKioskUser).


12. Uninstalling the Password Manager Windows Client

The Password Manager Windows Client is uninstalled from the Control Panel. The following sections describe how this is done in Windows XP and in Windows Vista.

12.1 Uninstalling from a Windows XP machine

To uninstall the Password Manager Windows Client from a Windows XP machine you must be logged in as a user with administrative rights.

Open the “Add/Remove Programs” from the “Control Panel”.

Select the “FastPass Windows Client” and select the “Uninstall” button at the top of the program list.

The uninstall will be performed and the “Programs and Features” program will be shown again.

12.2 Uninstalling from a Windows 7/Windows Vista machine

To uninstall the Password Manager Windows Client from a Windows Vista machine you must be logged in as a user with administrative rights.

Open the “Programs and Features” program from the “Control Panel”.

Select the “FastPass Windows Client” and select the “Uninstall” button at the top of the program list.

Click the “Yes” button to accept that uninstall shall be performed.

Windows UAC will prompt you to warn about the action, and you must select “Allow” for the uninstall to be performed.

The uninstall will be performed and the “Programs and Features” program will be shown again.


13. Appendices

13.1 Appendix A: Custom Windows Client Layout Settings for Launch Panel

In FastPass Windows Client you can choose between different FastPass Windows Client layouts. The layouts affect how the icons displayed on the login screen look. The different designs can be seen below along with their design IDs.

The design can be chosen either by setting the design ID at installation time (as described in the installation parameter section) or by setting the design ID in a registry key as described below.

Go to your Windows Client PC and go to the Run Menu.

Type Regedit and navigate to the following position:

HKLM\Software\FastPassCorp\Windows Client\ProductID

Create a new String Value and name it ProductID → right-click the new String Value and choose Modify.


Design ID: 03BC0A20-9BB9-4464-96D3-29FA163D3EF0


Design ID: 03BC0A20-9BB9-4464-96D3-29FA163D3EF1

Design ID: 03BC0A20-9BB9-4464-96D3-29FA163D3EF2


Design ID: 03BC0A20-9BB9-4464-96D3-29FA163D3EF3

Design ID: 03BC0A20-9BB9-4464-96D3-29FA163D3EF4


Design ID: 03BC0A20-9BB9-4464-96D3-29FA163D3EF5

Design ID: 03BC0A20-9BB9-4464-96D3-29FA163D3EF6


Design ID: 03BC0A20-9BB9-4464-96D3-29FA163D3EF7

You can also set the layout to a Link Text instead of an Icon in the right corner.

Please go to section 3.5 to see how to configure this.

13.2 Appendix B: Custom Windows Client Layout Settings for Launch Text

Like the Launch Panel, the Launch Text can also be customized; please see the description below.


To change the Text Link color, go to HKLM\Software\FastPassCorp\Windows Client

Insert the following 3 REG_DWORDs:

• LaunchLinkTextColorB → Insert value between 1 and 255

• LaunchLinkTextColorG → Insert value between 1 and 255

• LaunchLinkTextColorR → Insert value between 1 and 255


Go to a paint program, choose your color, and insert the values.

Example

• LaunchLinkTextColorB → 40

• LaunchLinkTextColorG → 225

• LaunchLinkTextColorR → 50

The Text Link will be the same as in the Paint Program shown above → Green