Tivoli® Access Manager for Enterprise Single Sign-On

Troubleshooting and Support Guide

Version 8.1

GC23-9693-00



Note: Before using this information and the product it supports, read the information in “Notices” on page 69.

Edition notice

Note: This edition applies to version 8.1 of IBM Tivoli Access Manager for Enterprise Single Sign-On (product number 5724-V67) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2002, 2009. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

About this publication . . . v
  Intended audience . . . v
  What this publication contains . . . v
  Publications . . . vi
    Tivoli Access Manager for Enterprise Single Sign-On library . . . vi
    Accessing terminology online . . . vii
    Accessing publications online . . . vii
    Ordering publications . . . vii
  Accessibility . . . vii
  Tivoli technical training . . . viii
  Tivoli user groups . . . viii
  Support information . . . viii
  Conventions used in this publication . . . viii
    Typeface conventions . . . viii
    Operating system-dependent variables and paths . . . ix
    Margin icons . . . ix

Chapter 1. About Tivoli Access Manager for Enterprise Single Sign-On . . . 1
  Tivoli Access Manager for Enterprise Single Sign-On features . . . 1
  Product components . . . 4
  Authentication factors . . . 5
    TAM E-SSO Password . . . 5
    Secrets . . . 6
    Second authentication factors . . . 6
    Presence detectors . . . 8
  Tivoli Access Manager for Enterprise Single Sign-On usage . . . 9
    Personal workstation configuration . . . 9
    Shared workstation configuration . . . 9
  Tivoli Access Manager for Enterprise Single Sign-On program icons . . . 11
  Policies, certificates, and other product concepts . . . 12
    Credentials . . . 12
    Enterprise identity . . . 12
    Enterprise applications . . . 12
    Personal applications . . . 13
    User, system, and machine policies . . . 13

Chapter 2. IMS Server troubleshooting . . . 17
  Troubleshooting an IMS Server installation . . . 17
    Creating a profile . . . 17
    Deleting a profile . . . 18
    Increasing the timeout period for WebSphere Application Server SOAP connection . . . 18
  Connection settings cannot be verified . . . 18
  Authentication factor cannot be registered . . . 19
  SQL authentication not enabled . . . 19
  Default password for Sa not changed . . . 19
  Incorrect database configuration . . . 19
  Checking the installed version of the IMS Server . . . 20
  CA certificate does not include basic constraints extension . . . 20
  IMS Server cannot issue a certificate for an application . . . 21
  AccessAdmin logon problems . . . 21
  Form-based login to AccessAdmin is not working . . . 21
  Increasing the MaxTokenSize registry value to register with the IMS Server . . . 22
  Search and get attributes do not work . . . 23
  Automatic sign-on does not work properly for Microsoft GINA . . . 23
  Back button does not work for AccessAdmin, AccessAssistant, and Web Workplace . . . 24
  AccessAssistant and Web Workplace crashes when CRL checking is turned on . . . 24
  Opening ports in firewalls . . . 24
  Using Ntdnutil.exe to modify the LDAP policy for Active Directory . . . 26
  Cannot test existing profile in Web Workplace . . . 27

Chapter 3. AccessAgent troubleshooting . . . 29
  AccessAgent installation failure . . . 30
  Corrupt AccessAgent installation file . . . 30
  Installer cannot find the IMS Server . . . 30
  Installing EnGINA on Citrix servers . . . 30
  AccessAgent is installed before Mozilla Firefox . . . 31
  No AccessAgent logon user interface . . . 31
  Automatic sign-on does not work properly for Microsoft GINA . . . 31
  Cannot return to EnGINA from Microsoft GINA . . . 32
  GINA conflict with ThinkPad fingerprint software . . . 32
  Cannot capture logon credentials in Mozilla Firefox pop-up window . . . 32
  Disabling the single sign-on feature of Mozilla Firefox . . . 33
  Logon to Citrix Server is slow . . . 33
  Antivirus software might interfere with AccessAgent or IMS Server . . . 33
  Viewing AccessAgent logs and increasing the log level . . . 34
  Synchronizing with the IMS Server . . . 35
  Failed synchronization between the IMS Server and AccessAgent Wallets . . . 35
  Connecting to the IMS Server . . . 35
  Downloading the IMS Server certificate . . . 36
  Auto-admin logon using a domain account . . . 36
  AccessAgent does not display the correct domain . . . 36
  Application .DLL conflicts with AccessAgent . . . 37
  Console application support is disabled . . . 37
  Conflict with another application . . . 38
  Application is slower when automatic sign-on is enabled . . . 38
  Personal firewalls on private desktops . . . 38
  Security logs are full . . . 39
  Spontaneous termination of sync.exe . . . 39


  Disabling Tivoli Access Manager for Enterprise Single Sign-On credential provider . . . 40
  Signing up with AccessAgent if Active Directory password has expired . . . 40
  Incorrect icons after AccessAgent upgrade . . . 40
  No Windows Administrator privileges . . . 41
  Not enough disk space . . . 41
  A module cannot be registered . . . 41
  No encryption pack . . . 41
  No network connection . . . 41
  RDP session terminates without warning . . . 42

Chapter 4. AccessStudio troubleshooting . . . 43
  Modification to Winlogon AccessProfile does not take effect . . . 43
  Missing labels in state engine view of AccessStudio . . . 43
  Cannot capture credentials from a Java control . . . 43

Chapter 5. Authentication factor, Wallet, and password troubleshooting . . . 45
  RFID card detection problem . . . 45
  Cannot unlock computer with RFID card . . . 46
  Lost RFID card . . . 46
  Cannot log on to Wallet using RFID card . . . 46
  Cannot register an RFID card . . . 47
  Smart card not detected after serving as an RDP client . . . 47
  Lost smart card . . . 47
  Cannot unlock computer with Active Proximity Badge . . . 48
  Lost Active Proximity Badge . . . 48
  Cannot log on to Wallet using Active Proximity Badge . . . 48
  Cannot register an Active Proximity Badge . . . 49
  Windows password is not auto-injected during a change password retry in Microsoft Windows Vista . . . 50
  System does not accept authorization code . . . 50
  System does not accept TAM E-SSO Password . . . 50
  Forgotten password . . . 51
  System does not accept secret . . . 51
  Forgotten secret . . . 51
  Password entries do not match . . . 51
  Incorrect password length . . . 51
  No network connection during change password . . . 52
  Problems downloading the machine Wallet . . . 52
    Refreshing the machine Wallet . . . 52
    Including the all_sync_data.xml file in the installation package . . . 53
  Cannot log on to cached Wallets . . . 53
  Cannot log on to Wallet after an AccessAgent installation . . . 53
  Incorrect Windows user account . . . 54
  Wallet has been locked . . . 54
  Validity period of temporary access to Wallet has expired . . . 54
  Cannot use existing cached Wallet on the same machine . . . 54
  Cannot use shared cached Wallet . . . 55
  TAM E-SSO Password not synchronized with enterprise directory password . . . 55

Chapter 6. Other issues . . . 57
  Unable to verify credentials . . . 57
  Failure to connect to named instance of SQL Server 2000 database . . . 57
  Error message when installing MOM 2005 . . . 58
  DCOM disabled error message when installing MOM Agent . . . 58
  Performance data not available in MOM reports . . . 58
  Error message when installing MOM Reporting . . . 59
  Internet Explorer is set to offline . . . 59
  Internet Explorer might crash if launched from the credential provider in Microsoft Windows Vista . . . 59

Chapter 7. Deployment and configuration tips . . . 61
  Switching to another IMS server . . . 61
    Switching to another IMS server on the client machine . . . 61
    Switching to a different IMS Server if you already have the Cryptoboxes backed up . . . 62
  Copying AccessProfiles between IMS Servers . . . 62
  Deleting a user without revoking . . . 63
  Promoting a user to Administrator role . . . 63
  Specifying the IMS Server database user account . . . 64
  Configuring the ADAM Server . . . 64
    Installing certificates . . . 64
    Using the certificate with the ADAM service . . . 64
    Verifying that SSL is working with the ADAM Server . . . 65
    Running ADAM service with a domain user account . . . 65
    Importing the root CA certificate into the WebSphere Application Server trust store . . . 66
  Using machine group tags . . . 66
  Improving AccessAgent performance . . . 67
  Checking whether a cached Wallet is copy protected . . . 67
  Enabling RFID readers for AccessAgent running in VMware . . . 67
  Uninstalling AccessAgent in private desktops . . . 67
  Private desktop with Websense Internet content filtering services . . . 68

Notices . . . 69
  Trademarks . . . 71

Glossary . . . 73

Index . . . 79


About this publication

IBM® Tivoli® Access Manager for Enterprise Single Sign-On provides sign-on and sign-off automation, authentication management, and user tracking, which together provide a seamless path to strong digital identity. The IBM Tivoli Access Manager for Enterprise Single Sign-On Troubleshooting and Support Guide provides information about troubleshooting the different components of the product.

Intended audience

This publication is for users who might have encountered problems using any of the Tivoli Access Manager for Enterprise Single Sign-On components, or users who require additional support, such as configuration tips.

This publication is for Administrators and help desk officers who need to perform the following tasks:
• Resolution of issues, such as logon problems, connection problems with the IMS Server, and issuing authentication factors
• System performance improvement, such as removing unused AccessProfiles and turning off AccessAdmin authentication for testing purposes

Readers need to be familiar with the following topics:
• Installing Tivoli Access Manager for Enterprise Single Sign-On components
• Information specific to the organization (for example, types of applications used by the organization, and authentication factors)

What this publication contains

This publication contains the following sections:
• Chapter 1, "About Tivoli Access Manager for Enterprise Single Sign-On": provides an overview of the Tivoli Access Manager for Enterprise Single Sign-On system and its main product components.
• Chapter 2, "IMS Server troubleshooting": provides troubleshooting tips related to the IMS Server component.
• Chapter 3, "AccessAgent troubleshooting": provides troubleshooting tips related to the AccessAgent component.
• Chapter 4, "AccessStudio troubleshooting": provides troubleshooting tips related to the AccessStudio component.
• Chapter 5, "Authentication factor, Wallet, and password troubleshooting": provides troubleshooting tips related to authentication factors, Wallets, and passwords.
• Chapter 6, "Other issues": contains other troubleshooting tips and their solutions.
• Chapter 7, "Deployment and configuration tips": contains additional tips that might be useful to professional services.


Publications

This section lists publications in the Tivoli Access Manager for Enterprise Single Sign-On library. The section also describes how to access Tivoli publications online and how to order Tivoli publications.

Tivoli Access Manager for Enterprise Single Sign-On library

The following documents are available in the Tivoli Access Manager for Enterprise Single Sign-On library:
• IBM Tivoli Access Manager for Enterprise Single Sign-On Quick Start Guide, CF2B1ML: provides steps that summarize major installation and configuration tasks for Tivoli Access Manager for Enterprise Single Sign-On.
• IBM Tivoli Access Manager for Enterprise Single Sign-On User Guide, SC23-9950: provides information about setting up and understanding the main functionalities of the product.
• IBM Tivoli Access Manager for Enterprise Single Sign-On Administrator Guide, SC23-9951: provides the procedures for setting up, administering, and testing the product and its components. It covers the functionality and setup options of the product, including internal implementation details.
• IBM Tivoli Access Manager for Enterprise Single Sign-On Deployment Guide, SC23-9952: describes how to deploy and test IBM Tivoli Access Manager for Enterprise Single Sign-On, including other components or external tools.
• IBM Tivoli Access Manager for Enterprise Single Sign-On Help Desk Guide, SC23-9953: provides information about providing Help desk services to users.
• IBM Tivoli Access Manager for Enterprise Single Sign-On Context Management Integration Guide, SC23-9954: provides information for installing, configuring, and testing the Context Management integrated solution in each client workstation.
• IBM Tivoli Access Manager for Enterprise Single Sign-On AccessStudio Guide, SC23-9956: provides information about setting up and maintaining AccessProfiles using AccessStudio.
• IBM Tivoli Access Manager for Enterprise Single Sign-On Provisioning Integration Guide, SC23-9957: provides information for configuring, managing, and troubleshooting the provisioning integration solutions for the product.
• IBM Tivoli Access Manager for Enterprise Single Sign-On Installation Guide, GI11-9309: provides information about installing the different product components.
• IBM Tivoli Access Manager for Enterprise Single Sign-On Setup Guide, GC23-9692: provides information about configuring the different components of the product.
• IBM Tivoli Access Manager for Enterprise Single Sign-On Troubleshooting and Support Guide, GC23-9693: provides information about troubleshooting the different components of the product.


• IBM Tivoli Access Manager for Enterprise Single Sign-On Policies Definition Guide, SC23-9694: provides information about the policies that can be set for the product. The policies can be set using either AccessAdmin or by updating registry entries.

Accessing terminology online

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available at the following Tivoli software library Web site:

http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology Web site at the following Web address:

http://www.ibm.com/software/globalization/terminology

Accessing publications online

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli Information Center Web site at http://www.ibm.com/tivoli/documentation.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File → Print window that allows Adobe Reader to print letter-sized pages on your local paper.

Ordering publications

You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.

You can also order by telephone by calling one of these numbers:
• In the United States: 800-879-2755
• In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:
1. Go to http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully.

For additional information, see the Accessibility Appendix in the IBM Tivoli Access Manager for Enterprise Single Sign-On User Guide.


Tivoli technical training

For Tivoli technical training information, see the IBM Tivoli Education Web site at http://www.ibm.com/software/tivoli/education.

Tivoli user groups

Tivoli user groups are independent, user-run membership organizations that provide Tivoli users with information to assist them in the implementation of Tivoli Software solutions. Through these groups, members can share information and learn from the knowledge and experience of other Tivoli users. Tivoli user groups include the following members and groups:
• 23,000+ members
• 144+ groups

Access the link for the Tivoli Users Group at www.tivoli-ug.org.

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

Online: Go to the IBM Software Support site at http://www.ibm.com/software/support/probsub.html and follow the instructions.

IBM Support Assistant: The IBM Support Assistant is a free local software serviceability workbench that helps you resolve questions and problems with IBM software products. The IBM Support Assistant provides quick access to support-related information and serviceability tools for problem determination. To install the IBM Support Assistant software, go to http://www.ibm.com/software/support/isa.

Troubleshooting Guide: For more information about resolving problems, see the IBM Tivoli Access Manager for Enterprise Single Sign-On Troubleshooting and Support Guide.

Conventions used in this publication

This publication uses several conventions for special terms and actions, operating system-dependent commands and paths, and margin graphics.

Typeface conventions

This publication uses the following typeface conventions:

Bold
• Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
• Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip: and Operating system considerations:)
• Keywords and parameters in text

Italic
• Citations (examples: titles of publications, diskettes, and CDs)


• Words defined in text (example: a nonswitched line is called a point-to-point line)
• Emphasis of words and letters (words as words example: "Use the word that to introduce a restrictive clause."; letters as letters example: "The LUN address must start with the letter L.")
• New terms in text (except in a definition list): a view is a frame in a workspace that contains data.
• Variables and values you must provide: ... where myname represents....

Monospace
• Examples and code examples
• File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
• Message text and prompts addressed to the user
• Text that the user must type
• Values for arguments or command options

Operating system-dependent variables and paths

This publication uses the UNIX convention for specifying environment variables and for directory notation.

When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in the Windows and UNIX environments. For example, %TEMP% in Windows environments is equivalent to $TMPDIR in UNIX environments.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.

Margin icons

Many procedures in this publication include icons in the left margin. These icons provide context for performing a step in a procedure. For example, if you have to perform a step in a procedure by double-clicking a policy region icon, that icon is displayed in the left margin next to the step.


Chapter 1. About Tivoli Access Manager for Enterprise Single Sign-On

IBM Tivoli Access Manager for Enterprise Single Sign-On automates access to corporate information, strengthens security, and enforces compliance at the enterprise endpoints.

With Tivoli Access Manager for Enterprise Single Sign-On, you can:
• Efficiently manage business risks.
• Achieve regulatory compliance.
• Decrease IT costs.
• Increase user efficiency.

Many security compromises occur because of weak passwords. To counter such threats, enterprises must strengthen access control systems. Passwords are not only the weakest link in the security chain, they are also expensive to support.

Passwords create a security challenge and a management problem. To reduce password management costs, enterprises might consider conventional single sign-on solutions.

Conventional single sign-on reduces password management costs. It can also increase the vulnerability of an organization by replacing multiple application passwords with a single password to the single sign-on server.

Weak application passwords and conventional single sign-on are not the right solutions for the enterprise. These solutions simplify access, but weaken security. Enterprises need an enterprise access security solution that simplifies, strengthens, and tracks access for all digital and physical assets.

See the following topics for more information.
• “Tivoli Access Manager for Enterprise Single Sign-On features”
• “Product components” on page 4
• “Authentication factors” on page 5
• “Tivoli Access Manager for Enterprise Single Sign-On usage” on page 9
• “Tivoli Access Manager for Enterprise Single Sign-On program icons” on page 11
• “Policies, certificates, and other product concepts” on page 12

Tivoli Access Manager for Enterprise Single Sign-On features

Tivoli Access Manager for Enterprise Single Sign-On delivers the following capabilities, without changing the existing IT infrastructure.

Enterprise Single Sign-On with workflow automation

You have quick access to all corporate applications such as Web, desktop, generic computer terminals, legacy applications, and network resources with the use of a single, strong password on personal and shared workstations.

This feature:
• helps enterprises increase employee productivity.
• lowers IT Help desk costs.
• improves security levels by eliminating passwords and the effort of managing complex password policies.

Tivoli Access Manager for Enterprise Single Sign-On uses single sign-on and workflow automation on shared and personal workstations. You can automate the entire access workflow, such as application login, drive mapping, application launch, single sign-on, navigation to preferred screens, multistep logon, and so on.

Single Sign-Off and configurable desktop protection policies ensure protection of confidential corporate applications from unauthorized access. If you walk away from a workstation without logging out, Tivoli Access Manager for Enterprise Single Sign-On can be configured to enforce inactivity timeout policies. Examples of timeout policies are configurable screen locks, application logout policies, and graceful logoffs.

Strong authentication for all user groups

Tivoli Access Manager for Enterprise Single Sign-On provides strong authentication for all user groups (inside and outside the corporate perimeter). This feature prevents unauthorized access to confidential corporate information and IT networks.

The solution uses multi-factor authentication devices, such as smart cards, building access badges, proximity cards, mobile devices, photo badges, biometrics, and one time password (OTP) tokens.

In addition to comprehensive support for authentication devices, Tivoli Access Manager for Enterprise Single Sign-On focuses on using existing identification devices and technologies for authentication.

Tivoli Access Manager for Enterprise Single Sign-On also provides iTag, a patent-pending technology that can convert any photo badge or personal object into a proximity device, which can be used for strong authentication.

Comprehensive session management capability

As organizations deploy more shared workstations and kiosks, more users can roam and access information from anywhere without accessing their personal computers. Shared and roaming scenarios pose severe security threats.

When you walk away without logging off from workstations or share a generic logon, you risk exposing confidential information to unauthorized access. Any attempt to tighten security, enforce unique user logon, and comply with regulations leads to users being locked out of workstations, which results in efficiency losses.

Organizations can increase user convenience and improve information security through session management or fast user switching capabilities, depending on the access needs of user groups. You can quickly sign on and sign off to shared workstations without using the Windows domain login process. You can easily resume your work from where you left off.


You can maintain multiple unique user desktops on the same workstation by switching from one private desktop to another. This feature preserves your applications, documents, and network drive mappings, including those belonging to other users sharing the workstation.

If you walk away from a session without logging out, you can set Tivoli Access Manager for Enterprise Single Sign-On to enforce inactivity timeout policies. It also supports hybrid desktops where organizations combine different session management capabilities to meet the needs of your user community.

User-centric access tracking for audit and compliance reporting

The audit and compliance reporting feature assists organizations with data consolidation, user-centric audit log generation, security, and tamper-evident audit capabilities across all endpoints (for example, personal or shared workstations, Citrix, Windows Terminal Services, or Web browsers).

Combined with strong authentication capabilities, the user-centric audit logs ensure secure access to confidential corporate information and accountability at all times. The logs provide the meta-information that can guide compliance and IT Administrators to a more detailed analysis – by user, by application, or by endpoint.

The information is collated in a central relational database. These logs facilitate real-time monitoring and separate reporting with third-party reporting tools.

Your organization can also use the endpoint automation framework to audit custom access events for any application without modifying the application or using the native audit functionality.

Secure remote access for easy, secure access anywhere, anytime

Secure Remote Access provides Web browser-based single sign-on to all applications such as legacy, desktop, and Web applications from outside the firewall.

Your organization can effectively and quickly enable secure remote access for the mobile workforce without installing any desktop software or modifying application servers.

Remote workers require only one password and an optional second authentication factor to access corporate information from remote offices, home computers, and mobile devices. When granted access, you can single sign-on to corporate applications by clicking the application links available in the Tivoli Access Manager for Enterprise Single Sign-On portal. Access can be further protected through a Secure Sockets Layer (SSL) Virtual Private Network (VPN).

Integration with user provisioning technologies

Tivoli Access Manager for Enterprise Single Sign-On combines with user provisioning technologies to provide end-to-end identity lifecycle management.


New employees, partners, or contractors get fast and easy access to corporate information after being provisioned. When provisioned, you can use single sign-on to access all your applications on shared and personal workstations with one password.

You do not have to register each user name and password, as all your credentials are automatically provisioned.

Use of Federal Information Processing Standards

A new installation of Tivoli Access Manager for Enterprise Single Sign-On version 8.1 uses FIPS 140-2 compliant cryptographic algorithms through FIPS-compliant security providers such as GSKit and IBMJCEFIPS. Client workstations running Microsoft Windows XP must have at least Service Pack 3 applied for FIPS 140-2 compliance.

Important: Version 8.1 uses non-FIPS-compliant algorithms only when it has been upgraded from version 8.0 or 8.0.1.

Product components

This topic describes the main components of Tivoli Access Manager for Enterprise Single Sign-On.

Table 1 describes each component. A typical installation uses some of these components.

Table 1. Product components

AccessAgent
    The client software that manages user identity, enables sign-on and sign-off automation, manages sessions, and manages authentication.

AccessAdmin
    The management console that Administrators and Help desk officers use to administer the IMS Server, to manage users, and to manage policies.

AccessAssistant
    The Web-based interface that provides password self-help. Use AccessAssistant to obtain the latest credentials and to log on to applications. Use the Web automatic sign-on feature to log on to enterprise Web applications by clicking links instead of entering passwords.

AccessStudio
    The interface used for creating AccessProfiles, which enable sign-on or sign-off automation and fortified passwords.

IMS Bridge
    The IMS Service Modules that enable applications to use the IMS Server as an authentication server.

IMS Connector
    Add-on modules to the IMS Server that extend its capabilities with interfaces to other applications.

IMS Server
    The integrated management system that provides a central point of secure access administration for an enterprise. It enables centralized management of user identities, AccessProfiles, and authentication policies. It also provides loss management, certificate management, and audit management for the enterprise.

IMS Service Module
    Add-on modules that extend the basic services provided by the IMS Server, such as user management, policy management, and certificate issuance.

Web Workplace
    The Web-based interface for logging on to enterprise Web applications by clicking links without entering the passwords for individual applications. It can be integrated with your existing portal or SSL VPN.

Note: Antivirus software can interfere with AccessAgent or the IMS Server. For more information, see the IBM Tivoli Access Manager for Enterprise Single Sign-On Troubleshooting and Support Guide.

Authentication factors

Authentication factors come in different forms and functions. Except for password and fingerprint, you can access systems and applications with a device that works like a key.

Smart cards and RFID cards, for example, are about the same size as credit cards, and can be easily attached to key rings.

See the following topics for more information.
• “TAM E-SSO Password”
• “Secrets” on page 6
• “Second authentication factors” on page 6
• “Presence detectors” on page 8

TAM E-SSO Password

The TAM E-SSO Password secures access to your Wallet. The length of the password ranges from six to 20 characters, depending on the preference of your organization. When you sign up with AccessAgent, you must specify a password. You can use the enterprise directory password as your password.

Signing up with AccessAgent entails registering with the IMS Server and creating a Wallet. All application credentials are stored in your Wallet. Signing up ensures that your credentials are backed up on the server and are retrievable when needed.

You can associate your Wallet with a second authentication factor (such as a smart card, Active Proximity Badge, RFID card, and other devices). The second authentication factor reinforces your password and protects the contents of your Wallet.

Use the following guidelines for specifying a TAM E-SSO Password:
• Choose a password that is lengthy, unique, and a combination of uppercase and lowercase letters and numbers.
• Do not use any of these as passwords: dictionary words, the name of your pet, the name of your spouse or friend, or important dates (for example, a birth date or an anniversary date).
• Never tell anyone your password, not even the Help desk officer or Administrator.
• Never write down your password.
• Change your password as often as possible.

AccessAgent locks your Wallet after you attempt to log on five times with an incorrect password. The number of allowed attempts is set by your organization.
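The password guidelines above can be enforced mechanically before a password is accepted. The following Python function is an added example and is not AccessAgent's own validation logic; the six-to-20 character range comes from the guide (the exact bounds are the organization's choice, so they are parameters), while the blocked-word list and the date formats it screens for are constructed stand-ins for an organization's own lists.

```python
import re
from datetime import date

# Constructed sample list standing in for a real dictionary / personal-name list.
# A deployment would substitute the organization's own blocked-word list (assumption).
BLOCKED_WORDS = {"password", "welcome", "summer", "fluffy", "alice"}

# Numeric layouts in which an "important date" commonly appears inside a password.
DATE_FORMATS = ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y")


def check_tam_esso_password(candidate, min_len=6, max_len=20,
                            blocked_words=BLOCKED_WORDS, personal_dates=()):
    """Return the list of guideline violations for a candidate password.

    An empty list means the candidate satisfies every check: length within the
    organization's bounds, mixed upper/lowercase letters plus digits, no blocked
    dictionary or personal word, and none of the caller's personal dates.
    """
    problems = []
    if not (min_len <= len(candidate) <= max_len):
        problems.append(f"length must be {min_len}-{max_len} characters")
    if not re.search(r"[a-z]", candidate):
        problems.append("needs a lowercase letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("needs an uppercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("needs a digit")

    # Substring match, case-insensitive, so "Fluffy2009" is still caught.
    lowered = candidate.lower()
    for word in blocked_words:
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains blocked word '{word}'")

    # Strip everything but digits, then look for the caller's dates in common layouts.
    digits = re.sub(r"\D", "", candidate)
    for d in personal_dates:
        if any(d.strftime(fmt) in digits for fmt in DATE_FORMATS):
            problems.append(f"contains personal date {d.isoformat()}")
    return problems
```

Calling the function with the user's known dates (birthday, anniversary) from an HR feed lets a Help desk tool reject the weakest candidates before they reach the Wallet; the dictionary check is a substring test on purpose, since appending digits to a dictionary word is the usual workaround.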

Secrets

You might be asked to enter a secret after signing up for your Wallet, depending on the preference of your organization. It is like specifying hints in case you forget the password for a Web e-mail account.

The secret is something that:
• you would not forget, even if you do not use the secret for a long time.
• is not likely to change.

Note: You can use all the characters in the ISO Latin-1 character set in creating secrets, except for the following characters:
• µ
• ß

When you sign up, you must select one or more questions from a list and provide answers. If the self-service feature is enabled, you might need to specify more than one secret.

In case you forget your password, you can use the secret to set a new password. You can also use the secret and an authorization code to gain temporary access to your cached Wallet. The Help desk officer gives you the authorization code.

Second authentication factors

The TAM E-SSO Password can be fortified by a second authentication factor. The combination of the password and an RFID, for example, strengthens security because both authentication factors must be present to access your computer.

Based on the security policy of your organization, you might be required to use one of the following authentication factors.

Important: The USB Key as an authentication factor is no longer supported.

ActiveCode

ActiveCodes are short-term authentication codes controlled by the system.

ActiveCodes enhance the security of traditional password-based authentication for applications. ActiveCodes are random passwords that can only be used one time by an authorized user. Combined with alternative channels and devices, ActiveCodes provide effective second-factor authentication.

There are two types of ActiveCodes:
• Mobile ActiveCode

  A Mobile ActiveCode is a randomly generated, event-based one-time password (OTP). The Mobile ActiveCode is generated on the IMS Server and delivered through a secure second channel, such as short message service (SMS) on mobile phones. It is used for strong authentication.

• Unified ActiveCode

  The Unified ActiveCode is a predictive one-time password used for strong authentication. The Unified ActiveCode generator is built into AccessAgent.
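To make the "random, usable once, short-term" properties of a Mobile ActiveCode concrete, here is an added Python sketch of a server-side issuer for single-use codes that are delivered out of band. It is illustrative only and is not the IMS Server's implementation; the six-digit length, five-minute validity, three-attempt limit and the HMAC-based storage of issued codes are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time


class OneTimeCodeIssuer:
    """Issues short-lived, single-use numeric codes and verifies them exactly once.

    Illustrative design (assumption, not the product's): the server never stores
    the code itself, only an HMAC of it under a server-side key, so a leaked
    table of pending codes does not reveal usable values.
    """

    def __init__(self, digits=6, ttl_seconds=300, max_attempts=3, clock=time.time):
        self.digits = digits
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock                     # injectable for testing expiry
        self._pending = {}                     # user -> {"hash", "expires", "attempts"}
        self._key = secrets.token_bytes(32)    # server-side key for the stored HMACs

    def _digest(self, user, code):
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user):
        """Generate a fresh code for `user` and return it for delivery over the second channel.

        Issuing again replaces any pending code, so only the latest delivery is valid.
        """
        code = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        self._pending[user] = {
            "hash": self._digest(user, code),
            "expires": self.clock() + self.ttl,
            "attempts": 0,
        }
        return code

    def verify(self, user, code):
        """Return True once for the correct, unexpired code; False otherwise.

        A successful check consumes the code (single use). Expired codes and codes
        that have absorbed max_attempts wrong guesses are discarded.
        """
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self._pending[user]
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["hash"], self._digest(user, code)):
            del self._pending[user]            # consumed: a replay of the same code fails
            return True
        if entry["attempts"] >= self.max_attempts:
            del self._pending[user]            # too many wrong guesses: force re-issue
        return False
```

The two deletions in verify are the whole point: one enforces single use after success, the other bounds guessing of a six-digit space, which is what makes a short code safe to send over SMS at all.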

Smart card

A smart card is a pocket-sized card that has an embedded microprocessor. Smart cards can do cryptographic operations, and are used to store and process the digital credentials of the users securely.

A smart card can be used as an authentication factor. The product provides certificate-based strong authentication when you access your Credential Wallet using a smart card.

Important: The smart card PIN is not related to the TAM E-SSO password. The product does not manage the smart card PIN.

Radio Frequency Identification (RFID) card

The RFID card is an electronic device that uses radio frequency signals to read stored identification information. RFID works on the concept of proximity. Tap the RFID card on the RFID reader to gain access to your credentials.

The RFID reader is additional hardware that you must install on every machine that uses the RFID card for authentication. The RFID card does not have any storage capacity.

An RFID card can also be used for unified access, so you can access a computer and have access to doors or elevators.

Note: Tivoli Access Manager for Enterprise Single Sign-On has a Service Provider Interface (SPI) for devices that contain serial numbers, like RFID. The SPI makes it easier for vendors to integrate any device with serial numbers and use it as a second factor in AccessAgent. For more information, see the IBM Tivoli Access Manager for Enterprise Single Sign-On Serial ID SPI Guide at the Tivoli Access Manager for Enterprise Single Sign-On information center.

Active Proximity Badge

The Active Proximity Badge works almost the same way as a typical RFID card. The Active Proximity Badge has an RFID, and works with a proximity reader. However, the Active Proximity Badge differs from an RFID card in the proximity range.

With a typical RFID card, your card must be close to the reader. With an Active Proximity Badge, your organization can set the distance for detection. For example, your Active Proximity Badge can be 2 m away from the reader, and it is detected from that distance.

Fingerprint identification

The Fingerprint Identification system recognizes your fingerprint as an authentication factor. The fingerprint reader translates your fingerprint into encrypted codes, which log you on to AccessAgent.


Tivoli Access Manager for Enterprise Single Sign-On 8.1 supports the following biometric service provider and fingerprint readers:
• BIO-key Biometric Service Provider (BSP) 1.9_262
• DigitalPersona 3.2.0
• UPEK 2.0 and UPEK 3.0

The BIO-key Biometric Service Provider (BSP) is biometric middleware. It is used so that the product can work with any fingerprint reader that BIO-key already supports. See BIO-key's list of supported devices.

Note: The integration with BIO-key BSP does not support DigitalPersona in this release.

Presence detectors

A presence detector is a device that detects your presence in its vicinity. When affixed to a computer, the device can notify AccessAgent when you are in front of the computer or when you move away. This feature eliminates your effort of manually locking the computer when you leave the computer for a short time.

Sonar device

The sonar-based presence detector is used to lock a workstation immediately when you walk away, without waiting for the desktop inactivity timeout. The device uses 40 kHz ultrasonic sound waves (a frequency too high for people to hear). It can detect at a range of five inches to five feet. You can move within the zone without triggering a walk-away event.

The device is attached to the USB port of your computer and is configured by the system as a keyboard. When you move away from the computer, the device sends keystrokes to your computer. When you approach the computer, the device can send a different set of keystrokes to your computer.

You can set AccessAgent to intercept these keystrokes and perform appropriate actions (for example, to lock the computer). The sonar can be combined with building badges (for example, RFID cards) to create a foolproof solution.

The sonar device is not used with Active Proximity Badge since the Active Proximity Badge is also a presence detector.

Any other supported authentication factor can be used with the pcProx-Sonar, such as:
• Password only
• RFID
• Fingerprint
• Smart card

The behavior of a sonar-based presence detector can be configured to be like an Active Proximity Badge. However, sonar-based presence detectors cannot store a unique ID to identify a user.


Active Proximity Badge as both second factor and presence detector

The Active Proximity Badge is both a second factor and a presence detector. It can detect your presence, and you can set AccessAgent to perform specific actions.

Note: The presence detector policies (for example, pid_presence_detector_enabled) are not applicable to Active Proximity Badge.

Tivoli Access Manager for Enterprise Single Sign-On usage

Tivoli Access Manager for Enterprise Single Sign-On supports two main usage configurations: personal workstation and shared workstation.

For policy settings based on usage configuration, see the IBM Tivoli Access Manager for Enterprise Single Sign-On Policies Definition Guide.

Personal workstation configuration

The personal workstation configuration is more applicable for organizations where users are assigned their own workstations. The smart card is the common authentication factor for this type of usage configuration. The setup procedure and workflow are the same, regardless of the selected authentication factor.

You sign up from EnGINA, desktop, or a locked computer at startup, and use the appropriate authentication factor.

You can also sign up without an authentication factor and register later. For example, you can sign up without the smart card and log on to AccessAgent later with the TAM E-SSO Password, provided it is set in your authentication policy.

To lock the computer, remove or tap your authentication factor. To unlock the computer, reinsert or tap your authentication factor.

Shared workstation configuration

The shared workstation configuration is for organizations where users share common workstations. This usage configuration requires efficient switching between users.

Authentication factors (except the smart card for private and roaming desktops) are used for this type of usage configuration.

Tivoli Access Manager for Enterprise Single Sign-On supports fast user switching through the following desktop schemes or modes.
• “Shared desktops”
• “Private desktops” on page 10
• “Roaming desktops” on page 11

Note: These schemes do not use the Windows XP Fast User Switching feature.

Shared desktops

Shared desktops allow multiple users to share a generic Windows desktop. Switching of users can be done quickly and efficiently.


Without shared desktops, switching from User A to User B causes the applications of User A to be lost. User A must launch the applications again. Set up AccessProfiles to automatically log off enterprise applications when user switching occurs.

RFID, fingerprint readers, and smart cards are the authentication factors for this usage configuration.

With shared desktops, you can access a workstation by signing up (for example, from EnGINA, desktop, or a locked computer) and tapping your RFID card. You can also sign up without your RFID card and register later when the cards are already available. After completing the sign-up process, you can then log on to AccessAgent.

When another user taps an RFID card in your desktop, switching is invoked, either from the desktop or from the locked computer screen.

After the new user supplies a valid password, AccessAgent unlocks your computer (if locked), logs you off, and then logs on the new user to the Wallet. If the new user logged on to other computers with the same RFID and Password in a set time range during the day, the new user might not be required to enter a password.

Private desktops

Private desktops allow you to have your own Windows desktop in a workstation. When a previous user returns to the workstation and unlocks it, AccessAgent switches to the desktop session of the previous user and resumes the last task.

Your existing desktop might have to be logged off if the workstation runs out of resources, such as memory, so that another user can log on. If you log on to another workstation, restart the application.

To manage multiple desktops on a single workstation, the private desktop scheme uses the Local User Session Management feature of AccessAgent that uses a component called Desktop Manager.

Logging on from the EnGINA welcome screen is not supported by Local User Session Management. Workstations are configured to automatically log on to a generic Windows account upon startup, and then the computer is locked.

Note: This generic Windows account must not be a registered user. Use a local computer account.

All your users will log on to the workstation from the locked screen. All users must tap their RFID cards when they sign up. They can also sign up without the RFID cards and register these second factors later. After completing the sign-up process, you can then log on to AccessAgent.

Note: You are not logged on to AccessAgent if you are using an auto-admin account.

When another user taps the RFID card to switch to another desktop, the current user logs on (if without an existing invisible session) or unlocks the workstation (if with an existing invisible session).

The following Wallet authentication options are supported:
• Password
• RFID+Password
• Smart card
• Active Proximity Badge+Password
• Fingerprint

If you log on to Windows sessions using your own Active Directory credentials, Local User Session Management requires that password synchronization with the Active Directory password is enabled.

For deployments where smart card logon to Windows is enabled and smart card logon is enforced, disable Active Directory password synchronization.

Roaming desktops

Roaming desktops have your Windows desktops "roam" to any access point, from workstation to workstation. You can disconnect from a desktop or application session at one client, log on to another client, and continue a desktop or application session at a new client. Roaming desktops give you the ability to access and preserve your desktops, regardless of which computers you use.

This scheme requires Terminal Server or Citrix. This setup is especially useful for a shared workstation environment, where you can roam from one workstation to another, depending on your current location.

Tivoli Access Manager for Enterprise Single Sign-On program icons

The following icons are used in Tivoli Access Manager for Enterprise Single Sign-On.

Application icons

Icon      Description
[icon]    This icon represents AccessAgent on the desktop.
[icon]    This icon represents the IMS Server on the desktop.

Notification area icons

Icon      Description
[icon]    No one is logged on to AccessAgent.
[icon]    AccessAgent is operating normally.
[icon]    When the icon is flashing, AccessAgent is:
          • synchronizing an authentication factor with the IMS Server
          • logging on the user
[icon]    Single sign-on or automatic sign-on is currently disabled.


Policies, certificates, and other product concepts

Use this topic to learn more about some of the common terms used by the product.

Tivoli Access Manager for Enterprise Single Sign-On incrementally moves enterprise access from password authentication to strong digital identity-based authentication in the following manner:
• Provide sign-on and sign-off automation to enterprise applications
• Fortify sign-on by using authentication management
• Provide seamless transition from passwords to certificates

See the following sections for definitions of some terms used in Tivoli Access Manager for Enterprise Single Sign-On.
• “Credentials”
• “Enterprise identity”
• “Enterprise applications”
• “Personal applications” on page 13
• “User, system, and machine policies” on page 13

Credentials

Credentials refer to user names, passwords, certificates, and any other information required for authentication. An authentication factor can serve as a credential. In Tivoli Access Manager for Enterprise Single Sign-On, credentials are stored and secured in your Wallet.

Enterprise identity

In an enterprise, you have multiple user accounts for different types of applications such as e-mail, portal, human resources system, and Web access. One of these identities is used to authenticate users and provide access to the enterprise network.

For example, you might be required to log on to Windows and access the network by entering your user name and password. This identity is called the enterprise identity.

The solution that an enterprise uses for identity management must be identified. The solution verifies the identities of users logging on with Tivoli Access Manager for Enterprise Single Sign-On keys. The solution also links the IMS Server with the enterprise directory that manages your users.

This policy is set before deployment and sets the foundations of how the system works. You can change the policy later using AccessAdmin. The enterprise identity binding must be a system or application that the enterprise identifies as a long-term investment. The system or application must not be changed, removed, or replaced soon.

Enterprise applications

The enterprise must select the applications to include in the enterprise application list.

Enterprise applications are specific to the business of an enterprise and controlled by an Administrator.


See this list for some characteristics of an enterprise application:
• Managed through the IMS Server by the information technology department of the enterprise
• Passwords are grouped by authenticating directories
• Audit logs are generated and stored in the IMS Server
• User accounts are pre-created
• User account entries cannot be deleted in AccessAgent
• Passwords can be fortified
• Password entries cannot be set to Never in AccessAgent

Examples of enterprise applications are:
• Microsoft Windows
• Active Directory
• SAP
• PeopleSoft
• Oracle
• Novell

Enterprise applications can be added or removed after deployment. However, these applications are implemented in a global policy, which means all users have access to the same enterprise applications.

Personal applications

The enterprise must specify whether the users can use AccessAgent and Tivoli Access Manager for Enterprise Single Sign-On keys for personal applications.

Personal applications are applications that users can specify if they want AccessAgent to store and enter their user names and passwords. Some examples of personal applications are IBM Lotus Notes®, IBM Lotus® Sametime® Connect, and online banking sites.

This policy is implemented as a global policy, where users are allowed or not allowed to use AccessAgent with personal applications. You cannot grant or deny access to specific users.

User, system, and machine policies

Tivoli Access Manager for Enterprise Single Sign-On uses policies to control the behavior of the product components.

These policies are configurable through various means, so the product can meet specific organizational requirements. Policies have different visibilities and scopes, and are managed by different roles.

Policies might be applicable system-wide, or only to certain groups of users or machines. The applicability of a policy is determined by the policy scope: system, user, or machine.
• System: Policy is system-wide
• User: Policy affects only a specific user
• Machine: Policy affects only a specific machine


System, machine, and user policies can be configured using AccessAdmin. Changes to these policies are propagated to clients the next time AccessAgent synchronizes with the IMS Server (for example, in 30 minutes).

Note: Not all user policies are updated in real time. Some policies require the machine to be restarted for the changes to take effect.

The IMS Server applies machine policies to machines after they join the IMS Server, which are then automatically synchronized with AccessAgent.

There can be several machine policy templates defined in the IMS Server. One of these templates is set as the default.

Through AccessAdmin, system policies and machine policies can be modified by an Administrator. However, a Help desk officer can only view system and machine policies. User policies can be modified by either an Administrator or a Help desk officer.

A policy might be defined for different scopes. For example, the desktop inactivity policy might define the desktop inactivity time out duration for one machine or for the entire system. If this policy is defined for both scopes, a priority is defined, in case the time-out value is different for the machine and for the entire system.

If the policy priority is "machine", only the machine policy would be effective. A command-line tool (CLT) allows Administrators to view and set policy priorities. For more information, see IBM Tivoli Access Manager for Enterprise Single Sign-On Policies Definition Guide.

Policies might be dependent on other policies. For example, the hot key action policy is only effective if the hot key is enabled. If the latter is disabled, the setting for the hot key action policy does not affect users.

Some groups of policies have overlapping scopes. For example, these policies all have a system scope, but the range of entities that they affect is different:
• Wallet inject password entry option default policy (pid_wallet_inject_pwd_entry_option_default)
  This policy defines the default password entry option for all authentication services and applications.
• Authentication inject password entry option default policy (pid_auth_inject_pwd_entry_option_default)
  This policy defines the default password entry option for a specific authentication service.
• Application inject password entry option default policy (pid_app_inject_pwd_entry_option_default)
  This policy defines the default password entry option for a specific application.

In general, application-specific policies override authentication service-specific policies, which in turn, override general Wallet policies. In this case, the Wallet inject password entry option default policy (pid_wallet_inject_pwd_entry_option_default) is used when the other two policies are not defined for a particular authentication service or application.

However, if the Authentication service inject password entry option default policy (pid_auth_inject_pwd_entry_option_default) is defined for an authentication service, it overrides the Wallet inject password entry option default policy (pid_wallet_inject_pwd_entry_option_default) when a default password entry option is needed for the authentication service.

Similarly, if the Application inject password entry option default policy (pid_app_inject_pwd_entry_option_default) is defined for a particular application, it overrides the other two policies.

User-specific policies generally override system-wide policies, but this setting also depends on the current policy priority. If a policy has both user and system scopes, for example, the Authentication accounts maximum policy (pid_auth_accounts_max), the user scope setting is always effective if it is defined. If the user scope setting is not defined for a particular user, the system scope setting becomes effective.
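The precedence rules described in this section (application over authentication service over Wallet default; user scope over system scope; machine versus system decided by the configured priority) can be written down as a small resolver, which is a useful way to check what a user or machine will actually get before a change is pushed. The following Python code is an added example and not the product's policy engine: the three pid_*_inject_pwd_entry_option_default identifiers and pid_auth_accounts_max are the policies named above, while the option values ("ask", "auto", "never"), the user, machine and application names, the inactivity-timeout policy id, and the PolicyStore layout itself are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class PolicyStore:
    """Constructed stand-in for policy data on the IMS Server (assumption, not the real schema)."""
    # System scope: pid_wallet_inject_pwd_entry_option_default
    wallet_default: Optional[str] = None
    # authentication service -> pid_auth_inject_pwd_entry_option_default
    auth_defaults: Dict[str, str] = field(default_factory=dict)
    # application -> pid_app_inject_pwd_entry_option_default
    app_defaults: Dict[str, str] = field(default_factory=dict)
    # policy id -> value, system scope
    system_policies: Dict[str, object] = field(default_factory=dict)
    # machine -> {policy id -> value}
    machine_policies: Dict[str, Dict[str, object]] = field(default_factory=dict)
    # user -> {policy id -> value}
    user_policies: Dict[str, Dict[str, object]] = field(default_factory=dict)


def effective_pwd_entry_option(store, auth_service=None, application=None):
    """Most specific defined value wins: application, then authentication service, then Wallet default."""
    if application is not None and application in store.app_defaults:
        return store.app_defaults[application]
    if auth_service is not None and auth_service in store.auth_defaults:
        return store.auth_defaults[auth_service]
    return store.wallet_default


def effective_user_policy(store, policy_id, user):
    """A user-scope setting is always effective when defined; otherwise the system-scope setting applies."""
    value = store.user_policies.get(user, {}).get(policy_id)
    return value if value is not None else store.system_policies.get(policy_id)


def effective_machine_policy(store, policy_id, machine, priority):
    """When both machine and system scope define the policy, `priority` ("machine" or "system") decides.

    If only one scope defines it, that value is used regardless of priority.
    """
    if priority not in ("machine", "system"):
        raise ValueError("priority must be 'machine' or 'system'")
    machine_value = store.machine_policies.get(machine, {}).get(policy_id)
    system_value = store.system_policies.get(policy_id)
    if machine_value is None:
        return system_value
    if system_value is None:
        return machine_value
    return machine_value if priority == "machine" else system_value
```

Running the resolver against an export of the current policies is a cheap pre-change review: it shows, for a given application and authentication service, which of the three overlapping defaults is actually in force, and whether a machine-scope override is silently ignored because the priority is still "system".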


Chapter 2. IMS Server troubleshooting

Use these topics to troubleshoot problems related to the IMS Server.
• “Troubleshooting an IMS Server installation”
• “Connection settings cannot be verified” on page 18
• “Authentication factor cannot be registered” on page 19
• “SQL authentication not enabled” on page 19
• “Default password for Sa not changed” on page 19
• “Incorrect database configuration” on page 19
• “Checking the installed version of the IMS Server” on page 20
• “CA certificate does not include basic constraints extension” on page 20
• “IMS Server cannot issue a certificate for an application” on page 21
• “AccessAdmin logon problems” on page 21
• “Form-based login to AccessAdmin is not working” on page 21
• “Increasing the MaxTokenSize registry value to register with the IMS Server” on page 22
• “Search and get attributes do not work” on page 23
• “Automatic sign-on does not work properly for Microsoft GINA” on page 23
• “Back button does not work for AccessAdmin, AccessAssistant, and Web Workplace” on page 24
• “AccessAssistant and Web Workplace crashes when CRL checking is turned on” on page 24
• “Opening ports in firewalls” on page 24
• “Using Ntdnutil.exe to modify the LDAP policy for Active Directory” on page 26
• “Cannot test existing profile in Web Workplace” on page 27

Troubleshooting an IMS Server installation

One of the possible reasons for an unsuccessful IMS Server installation might be an inappropriate profile that you used during the installation. In such a case, you can create or delete profiles when required. Review the installation log before you create or delete a profile.

See the following procedures for more information.
• “Creating a profile”
• “Deleting a profile” on page 18
• “Increasing the timeout period for WebSphere Application Server SOAP connection” on page 18

Creating a profile

If the reason for an unsuccessful or faulty IMS Server installation is an incorrect profile, you can create and use a different profile.

About this task

The following procedure describes how to create a profile.


Procedure

1. Stop the WebSphere® Application Server in your current profile.
2. Select Start > All Programs > IBM WebSphere > Application Server V7.0 > Profile Management Tool.
3. Click Launch Profile Management Tool.
4. Click Create.
5. Select Application Server and click Next.
6. Select Advanced profile creation and click Next.
7. In the Profile Name and Location window, retain the default values.
8. Click Next.
9. Specify the user credentials.
10. Click Next.
11. In the windows that follow, accept and retain all the default values until you see the Profile Creation Summary window.
12. In the Profile Creation Summary window, review the information and click Create.
13. Install the IMS Server.
14. Ensure that the port numbers are correct during the installation.

Deleting a profile

If the reason for an unsuccessful or faulty IMS Server installation is an incorrect profile, you can delete the profile.

About this task

To delete a profile, see http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/topic/com.ibm.websphere.express.doc/info/exp/ae/tpro_removeprofile.html.

Increasing the timeout period for WebSphere Application Server SOAP connection

Increase the timeout period as a safety measure for the availability of the SOAP connection when you configure the IBM HTTP Server on your computer.

About this task

This procedure is an optional step for configuring IBM HTTP Server on your computer. Perform this step before you start the configuration process.

In the WebSphere Application Server profile root/properties/soap.client.props file, set the value for com.ibm.SOAP.requestTimeout to 6000 seconds.

The default timeout period is 3 minutes.

Connection settings cannot be verified

Use this topic as reference to resolve connection settings that cannot be verified.

If you encounter the following message, the database is not set up correctly.

Connection Failed! The connection settings could not be verified. Try again.


Check that there is a TCP listener at the database port that you specified in the database configuration screen. Run the command netstat -a -p tcp and check that there is a <hostname>:1433 entry in LISTENING state in the output.
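When this check has to be repeated on several database hosts, or for a port other than the SQL Server default, it is easier to parse the netstat output than to eyeball it. The Python below is an added example and not part of the product; it runs over a constructed sample of netstat -a -p tcp output in the Windows layout the guide uses (the hostnames and addresses in the sample are made up), and generalizes the 1433 check to any port.

```python
# Constructed sample of `netstat -a -p tcp` output on Windows (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            imshost:0              LISTENING
  TCP    0.0.0.0:1433           imshost:0              LISTENING
  TCP    192.168.10.5:49201     10.0.0.7:443           ESTABLISHED
  TCP    127.0.0.1:5000         imshost:0              LISTENING
  TCP    [::]:445               imshost:0              LISTENING
"""


def tcp_listeners(netstat_output):
    """Return a set of (local_address, port) for every TCP socket shown in LISTENING state.

    Works on the Windows column layout: Proto, Local Address, Foreign Address, State.
    The port is taken after the last colon so IPv6 forms such as [::]:445 parse too.
    """
    listeners = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue                      # header, blank line, or non-TCP row
        local, state = parts[1], parts[3]
        if state.upper() != "LISTENING":
            continue                      # established/time-wait rows are not listeners
        host, _, port = local.rpartition(":")
        if port.isdigit():
            listeners.add((host, int(port)))
    return listeners


def database_port_listening(netstat_output, port=1433):
    """True if any local address is listening on `port` (1433 is the SQL Server default the guide checks)."""
    return any(p == port for _, p in tcp_listeners(netstat_output))
```

On a live host the same functions take the captured text of netstat -a -p tcp as input; a False result for the configured port means the IMS Server data source cannot connect regardless of what the database configuration screen says, so the listener, not the IMS Server settings, is the thing to fix first.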

Authentication factor cannot be registered

There are several possible reasons why you cannot register an authentication factor. Use this topic to find out the cause of the registration failure.

v The server name cannot be resolved because it might not have been updated in DNS.
v You are using an Internet proxy that requires authentication. If AccessAgent does not prompt you to authenticate to the proxy, the authentication fails. Proxy servers typically cache sessions, so the problem can be solved by authenticating separately to the proxy server.
v The IMS Server might not be available.

To verify that the IMS Server is available, go to https://<web server name>/admin, where the web server name is the name of the web server that fronts the WebSphere Application Server. The IMS Server is available if the page loads without any prompt about an untrusted SSL certificate.

SQL authentication not enabled

Use this procedure if you are prompted to enable SQL authentication.

Procedure
1. Open the Enterprise Manager of the SQL Server.
2. Select Tools > SQL Server Configuration Properties.
3. Click the Security tab.
4. Select SQL Server and Windows Authentication.

Default password for sa not changed

Use this topic as reference if the default password for sa has not been changed. The sa login is a server administrator, so a default or weak sa password gives anyone who can reach the database port full control of the server.

About this task

Follow this procedure to change the default password for sa.

Procedure
1. Open the Enterprise Manager of the SQL Server.
2. Select the Security folder in the panel.
3. Click Logins.
4. Right-click the sa icon and select Properties.
5. Change the sa password.

Incorrect database configuration

If you receive errors during your IMS Server data sources configuration, the database might not have the correct configuration.

About this task

As a database user, you must have public and db_owner rights for the IMS Server database. Your user account must not be a database administrator account.

Procedure
1. Open the Enterprise Manager of the SQL Server.
2. Select DB Server > Security > Logins.
3. Right-click the DB login and select Properties.
4. Click the Server Roles tab.
5. Make sure that the System Administrators and Database Creators roles are cleared.

What to do next

Proceed with the IMS Server installation.
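The least-privilege rule above (db_owner on the IMS database, no server-wide administrator role) can be verified from a script instead of by clicking through Enterprise Manager. The following is an added example, not IBM's code: it queries the SQL Server catalog views (sys.*, available from SQL Server 2005 on) for the login that the IMS data source uses. The server, database and login names are assumptions, and the script connects with the Windows identity that runs it; adjust the connection string for your environment. Membership in public is automatic for every database user, so it is not checked.

```powershell
# Added example, not from the IBM guide: check the IMS data-source login against
# the rule "db_owner on the IMS database, never sysadmin or dbcreator".
function Test-ImsDatabaseLogin {
    param(
        [string] $ServerInstance = 'localhost',     # assumption
        [string] $Database       = 'imsdb',         # assumption: the IMS Server database name
        [Parameter(Mandatory)] [string] $Login      # the SQL login configured for the IMS data source
    )
    # ISNULL() turns the NULL that IS_SRVROLEMEMBER returns for an unknown login into 0.
    $query = @"
SELECT
    ISNULL(IS_SRVROLEMEMBER('sysadmin',  @login), 0) AS IsSysAdmin,
    ISNULL(IS_SRVROLEMEMBER('dbcreator', @login), 0) AS IsDbCreator,
    (SELECT COUNT(*)
       FROM sys.database_role_members rm
       JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
       JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
       JOIN sys.server_principals   s ON s.sid          = m.sid
      WHERE r.name = 'db_owner' AND s.name = @login)   AS DbOwnerMemberships
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$ServerInstance;Database=$Database;Integrated Security=True")
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    [void]$cmd.Parameters.AddWithValue('@login', $Login)   # bound parameter, never string-built SQL

    try {
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        $isSysAdmin  = [int]$reader['IsSysAdmin']         -eq 1
        $isDbCreator = [int]$reader['IsDbCreator']        -eq 1
        $isDbOwner   = [int]$reader['DbOwnerMemberships'] -gt 0
    } finally {
        $conn.Close()
    }

    [pscustomobject]@{
        Login       = $Login
        IsSysAdmin  = $isSysAdmin
        IsDbCreator = $isDbCreator
        IsDbOwner   = $isDbOwner
        # What the guide requires: db_owner on the IMS database, no server-wide admin role.
        Compliant   = ($isDbOwner -and -not $isSysAdmin -and -not $isDbCreator)
    }
}

# Usage:
# Test-ImsDatabaseLogin -ServerInstance 'dbserver\IMS' -Database imsdb -Login imsuser
```

A Compliant value of False with IsSysAdmin or IsDbCreator set means the login still carries a server role and the IMS data source configuration will keep failing until the role is cleared, as in the procedure above.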

Checking the installed version of the IMS Server

Use AccessAdmin to check the installed version of the IMS Server.


From the AccessAdmin navigation panel, select System > Status to view the system status such as the server availability and version number.

The page also displays license information and the real-time IMS Server system logs. By default, the logs are set to auto-update. You can start and stop the auto-update to copy the log. Click Stop auto-update to discontinue the updates to the system logs.

CA certificate does not include basic constraints extension

Use this topic as reference on the necessary action if the CA certificate does not include the basic constraints extension.

If you encounter the following message, one or more certificates in the chain of trust might have expired:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: CA certificate does not include basic constraints extension

Check the certificates and ensure that they have not yet expired and that the validity period does not start on a future date. Also confirm that every CA certificate in the chain carries the basic constraints extension with cA=TRUE, which is what the message literally reports: the Java runtime rejects a CA certificate that lacks the extension regardless of its validity dates.

If the certificate has expired, you can:
v ask the Administrator to reissue the certificate, which might require importing the certificate again, OR
v import the actual trusted certificate that the server is using instead of the issuer certificate.


IMS Server cannot issue a certificate for an application

Use this topic as reference on the cause and required action if the IMS Server cannot issue a certificate for an application.

Subject fields of the IMS Server certificates cannot contain the "_" character because this might cause problems at deployments that use certificate authentication for applications. Due to this limitation, the IMS Server cannot issue SCR or CAPI certificates for an authentication service with ID that contains the "_" character.

To resolve this problem, remove all "_" characters from the IDs of authentication services that use certificate authentication.

AccessAdmin logon problems

Use this topic as reference if you have AccessAdmin logon problems.

About this task

If you are unable to log on to AccessAdmin, there can be several causes. Check the possible causes and their solutions.

Procedure
1. Make sure that you have an Administrator or Help desk role.
2. Password logon is also available if form-based logon is enabled or AccessAdmin is accessed from a local machine.
3. Make sure that the machine Wallet has been downloaded properly. See "Problems downloading the machine Wallet" on page 52.
4. Make sure that the DNS name of the Web Server does not contain the "_" character. See "Problems downloading the machine Wallet" on page 52.
5. Make sure that the URL of AccessAdmin is the same URL specified during the IMS Server data sources and certificates configuration. To check the setting, go to the IMS Server page and double-click the lock icon to view the SSL certificate. The SSL certificate must list the exact host name to use.
6. If you are using Windows 2003 and the home page of Internet Explorer starts up with the page res://../hardAdmin.htm, Internet Explorer Enhanced Security Configuration is enabled. To set the home page to res://../softAdmin.htm, select Control Panel > Add/Remove programs > Add/Remove Windows components and remove Internet Explorer Enhanced Security Configuration. Removing it lowers the browsing protection on the server; adding the AccessAdmin URL to the Trusted sites zone is the less invasive alternative.
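The certificate checks scattered across this chapter (validity dates and the basic constraints extension in "CA certificate does not include basic constraints extension", the "_" rule in "IMS Server cannot issue a certificate for an application", and the exact host name in step 5 above) can be run together against the Web server that fronts the IMS Server. The following is an added example and not IBM's code: it performs a TLS handshake with https://<web server>/admin, captures the chain that is presented, and reports every finding. The host name is an assumption. Note that the chain is built against the Windows certificate store of the machine running the script, not against the WebSphere/Java truststore that raises the javax.net.ssl exception, so a clean result here does not replace checking that truststore.

```powershell
# Added example, not from the IBM guide: apply this chapter's certificate checks
# to the chain presented by the Web server in front of the IMS Server.
function Test-ImsServerCertificate {
    param([Parameter(Mandatory)] [string] $HostName, [int] $Port = 443)   # host name is an assumption

    # The callback records the policy result but returns $true so that a bad
    # certificate is reported instead of aborting the handshake. Never reuse a
    # callback like this for real traffic.
    $state    = @{ PolicyErrors = [System.Net.Security.SslPolicyErrors]::None }
    $callback = { param($sender, $cert, $chain, $errors)
                  $state.PolicyErrors = $errors
                  $true }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)     # handshake only, no application data is sent
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($leaf)                    # trust failures are already captured in PolicyErrors
    $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })   # leaf first, root last

    $now      = Get-Date
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($c in $certs) {
        if ($c.NotAfter  -lt $now)  { $findings.Add("expired: $($c.Subject) (NotAfter $($c.NotAfter))") }
        if ($c.NotBefore -gt $now)  { $findings.Add("not yet valid: $($c.Subject) (NotBefore $($c.NotBefore))") }
        if ($c.Subject -like '*_*') { $findings.Add("underscore in subject: $($c.Subject)") }   # -like treats _ literally
    }
    # Every certificate above the leaf acts as a CA and must say so (id-ce-basicConstraints, 2.5.29.19).
    foreach ($c in ($certs | Select-Object -Skip 1)) {
        $bc = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
        if (-not $bc) {
            $findings.Add("no basic constraints extension: $($c.Subject)")
        } elseif (-not $bc.CertificateAuthority) {
            $findings.Add("basic constraints present but cA=FALSE: $($c.Subject)")
        }
    }
    if (($state.PolicyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0) {
        $findings.Add("certificate does not name the host $HostName")
    }
    if (($state.PolicyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) -ne 0) {
        $findings.Add("chain is not trusted by this machine's certificate store")
    }

    [pscustomobject]@{
        Host        = $HostName
        LeafSubject = $leaf.Subject
        Findings    = $findings
        Ok          = ($findings.Count -eq 0)    # Ok: no certificate prompt expected in a browser
    }
}

# Usage:
# Test-ImsServerCertificate -HostName ims.example.com | Format-List
```

Run it with the exact host name that AccessAdmin users type; a name mismatch finding means the certificate was issued for a different name than the one in the URL, which is the condition step 5 above describes.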

Form-based login to AccessAdmin is not working

Use this topic as reference if the form-based login is not working for AccessAdmin.

About this task

The Allow form-based login to AccessAdmin from remote machine option is disabled by default. If form-based logon is disabled, the user cannot log on to AccessAdmin from a remote machine. Use this procedure to enable the option so that form-based logon works from any machine, including the cluster IP address. Enabling it exposes a password-only logon to the administrative console from the network, so leave it disabled unless it is needed.

Note: If the form-based login is not working from the local IMS Server machine, try the URL https://localhost/admin from the IMS Server machine instead of the DNS domain name.

Procedure
1. Open the IMS Configuration Utility.
2. Select AccessAdmin > Login.
3. Select true from the Allow form-based login to AccessAdmin from remote machine list.
4. Click Update.

Increasing the MaxTokenSize registry value to register with the IMS Server

Use this topic as reference on how to increase the MaxTokenSize registry value to register with the IMS Server.

User registration with the IMS Server can fail when a user is a member of many groups, because the resulting access token does not fit in the buffer set by the default MaxTokenSize registry value.

For example, if a user cannot register successfully with the IMS Server, the stderr.log displays the following details:

encentuate.ims.userstoreproxy.multidomain.SingleForestAdsiConnector verifyPasswordInDomain
WARNING: Failed to verify account with user name 'user' in domain 'exampledomain.com'. ADSI error code: 0x8007000e

The IMS Server verifies the user password by authenticating to Windows with the user's credentials. According to Microsoft, transports such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication.

In Microsoft Windows Server 2003, the default MaxTokenSize value is 12,000 bytes. If a user is a member of many groups, the buffer that is determined by the MaxTokenSize value might not be large enough. As a result, users cannot authenticate, and they might receive an out of memory error message (ADSI error code 0x8007000e is E_OUTOFMEMORY).

To resolve this problem, increase the MaxTokenSize registry value on the domain controllers and IMS Servers:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Entry: MaxTokenSize
Data type: REG_DWORD
Value (Decimal): 65535

Test the solution and verify that no more out of memory error messages are encountered.

Decimal value 65535 is the maximum allowed token size. To research the correct token size for your organization, consider using the Tokens application. For more information, see Tokens.

See the Microsoft Knowledgebase article on how to use Group Policy to add the MaxTokenSize registry entry to multiple computers on a domain controller running Windows Server 2003: How to use Group Policy to add the MaxTokenSize registry entry to multiple computers.
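The diagnosis and fix above as a script, added here as an example rather than taken from the IBM guide. It finds the 0x8007000e symptom in the IMS Server's stderr.log, estimates a user's token size from group counts using Microsoft's published sizing rule, and sets MaxTokenSize with a -WhatIf guard. The log path and the group counts in the usage lines are assumptions. Run Set-MaxTokenSize as an administrator on the IMS Server hosts and on the domain controllers; the new value takes effect after a restart.

```powershell
# Added example, not from the IBM guide: detect, size, and fix the MaxTokenSize problem.
function Find-TokenSizeFailures {
    param([Parameter(Mandatory)] [string] $StdErrLog)   # path is an assumption
    # 0x8007000e is E_OUTOFMEMORY, the code the guide shows for an oversized token.
    Select-String -Path $StdErrLog -Pattern 'verifyPasswordInDomain.*ADSI error code: 0x8007000e' |
        ForEach-Object {
            $m = [regex]::Match($_.Line, "user name '([^']+)' in domain '([^']+)'")
            [pscustomobject]@{
                LineNumber = $_.LineNumber
                User       = $m.Groups[1].Value
                Domain     = $m.Groups[2].Value
            }
        }
}

function Get-EstimatedTokenSize {
    # Microsoft's sizing rule (KB 327825): 1200 + 40*d + 8*s, where d counts domain
    # local groups, universal groups from other domains and SID-history entries, and
    # s counts global groups and universal groups from the user's own domain.
    param(
        [int] $DomainLocalGroups,
        [int] $ForeignUniversalGroups,
        [int] $SidHistoryEntries,
        [int] $GlobalGroups,
        [int] $OwnUniversalGroups
    )
    return 1200 + 40 * ($DomainLocalGroups + $ForeignUniversalGroups + $SidHistoryEntries) +
                   8 * ($GlobalGroups + $OwnUniversalGroups)
}

function Set-MaxTokenSize {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(12000, 65535)] [int] $Bytes = 65535)   # 65535 is the ceiling the guide gives
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    if ($null -eq $current) { $current = 12000 }   # Windows Server 2003 default when the value is absent
    # Only ever raise the value; never silently shrink a buffer somebody else enlarged.
    if ($current -lt $Bytes -and $PSCmdlet.ShouldProcess($key, "Set MaxTokenSize=$Bytes (was $current)")) {
        Set-ItemProperty -Path $key -Name MaxTokenSize -Value $Bytes -Type DWord
    }
    [pscustomobject]@{
        Previous = $current
        Now      = (Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    }
}

# Usage (paths and counts are assumptions):
# Find-TokenSizeFailures -StdErrLog 'C:\IBM\WebSphere\AppServer\profiles\AppSrv01\logs\server1\stderr.log'
# Get-EstimatedTokenSize -DomainLocalGroups 150 -GlobalGroups 300 -OwnUniversalGroups 20
# Set-MaxTokenSize -Bytes 65535 -WhatIf
```

Compare the estimate with the configured value before changing it: if the estimate is already well above 12000 for typical users, the out of memory errors will recur for every new user with a similar group count, not just the one in the log. Microsoft's later guidance caps the value at 48000 where the token has to travel inside an HTTP header, because base64 encoding inflates it; 65535 remains the ceiling the registry accepts.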

Search and get attributes do not work

Use this topic as reference when the Search and Getattributes do not work.

Search refers to the search option (using Active Directory attributes) in AccessAdmin > Search Users > Search. Getattributes refers to the user attributes that cannot be edited when the search shows the profile of the user.

If the Search and Getattributes in AccessAdmin do not work, verify that the Active Directory connector is properly configured in the IMS Configuration Utility. The default connector must specify the Application Connector being used.

The Search and Getattributes functions match a user attribute retrieved from the Active Directory to a unique IMSID attribute present in the IMS Server database. The Active Directory attribute is specified in the LDAP Active Directory User ID attribute and the IMSID attribute is specified in the IMS Server attribute name—both in the IMS Configuration Utility.

The corresponding values of these attributes must be the same for the IMS Server to do the mapping correctly. In most deployments, the value for this attribute is the same as the registration or bind attribute.

Automatic sign-on does not work properly for Microsoft GINA

Use this topic as reference when automatic sign-on does not work properly for Microsoft GINA.

For IMS Server versions between 3.1.1.6 and 3.1.7.1, the domain name must be regenerated for the authentication service representing the Windows credentials.

When you configure an enterprise directory for an Active Directory server, the IMS Server automatically generates authentication services, one for each Active Directory domain.

To view the auto-generated authentication services in the IMS Configuration Utility, click Authentication Services and select the authentication service from the list.

For an authentication service representing an Active Directory domain, two domain names are included in the Server locators to be used during injection:
v DNS domain name (for example, test.ibm.com)
v NETBIOS domain name (for example, ibm_test)

To perform automatic sign-on at Microsoft GINA, ensure that the NETBIOS domain is the first item in the list.

Back button does not work for AccessAdmin, AccessAssistant, and Web Workplace

Use this topic as reference if you encounter problems with the Back button in a Web browser.

The Back button in a Web browser cannot be used when accessing AccessAdmin, AccessAssistant, and Web Workplace. AccessAssistant and Web Workplace are designed this way for security reasons, whereas AccessAdmin is designed this way due to certain implementation constraints.

AccessAssistant and Web Workplace crash when CRL checking is turned on

Use this topic as reference if AccessAssistant and Web Workplace crash when CRL checking is turned on.

About this task

When CRL checking is turned on, the AccessAssistant and Web Workplace application crashes and displays a feedback page.

To avoid this problem, edit the IHS configuration settings and change https to http. Because AccessAssistant, Web Workplace, and the IMS Server reside on the same server, the hop between them can use http instead of https. Confirm that this cleartext hop stays on the local host so that no Wallet or credential traffic crosses the network unencrypted.

What to do next

Restart the IMS Server.

Opening ports in firewalls

Use this topic if your deployment uses multiple Active Directory domains that are deployed in separate network zones with firewalls between them. Determine the ports that must be opened so that Tivoli Access Manager for Enterprise Single Sign-On can work properly. It is assumed that you are using an ADSI enterprise directory (the default connection to Active Directory) and that there is password synchronization between Tivoli Access Manager for Enterprise Single Sign-On and Active Directory.

Tivoli Access Manager for Enterprise Single Sign-On and Active Directory communications

There are three sets of communications:

1. Windows desktop to Active Directory domain controller

This is the normal domain authentication and password management that occurs whether or not AccessAgent is installed. When AccessAgent is installed, it communicates with the local operating system, which then communicates with the domain controller. Tivoli Access Manager for Enterprise Single Sign-On does not introduce additional communications directly with the domain controller.

2. AccessAgent to IMS Server through the Web Server

AccessAgent communicates frequently with the IMS Server, for example to fetch machine Wallet updates (such as system policy) and user Wallet updates (such as user credentials) from the IMS Server, and to send user Wallet updates and audit logs to the IMS Server. This communication uses SOAP over HTTPS.

3. IMS Server to Active Directory domain controller

The IMS Server needs to communicate with the Active Directory domain controllers for a number of things, including:
v Verification of user credentials during enterprise directory configuration, user registration, and user login
v Fetching the NetBIOS name for a DNS domain name
v Conversion of a UPN (if provided by the user) to a SAM account name
v Fetching of user Active Directory attributes during user registration and during user search by LDAP attribute in AccessAdmin
v Fetching of machine Active Directory attributes during machine registration
v Changing of password through AccessAssistant

The third set uses a combination of protocols. The primary communication is through ADSI calls, which use the Windows RPC mechanism to determine the ports used by the Active Directory central services. The ADSI interface can use other protocols for data access; Tivoli Access Manager for Enterprise Single Sign-On uses ADSI over LDAP for data lookup.

Kerberos or NTLM (NT LAN Manager) is used to verify credentials (with or without a bind), for example for user authentication, depending on what the Windows domains in the customer environment are set up to use.

These protocols are secure and passwords are not sent in the clear through the channel. When a password is changed on Active Directory, another secure protocol (SAMR for NTLM or KPASSWD for Kerberos) is used. The LDAP protocol is used to access data on the Active Directory server. However, note that user or machine Active Directory attributes are passed in the clear when fetched.

See this Microsoft Help and Support article that details the common Windows Server services and their ports: Service overview and network port requirements for the Windows Server system.

AccessAgent and Active Directory ports

AccessAgent does not make direct connections other than to communicate over the SOAP port to the IMS Server. It does not need any port openings to an Active Directory on the other side of a firewall because AccessAgent uses Windows to communicate to the local services for any Active Directory-based authentication.

AccessAgent and Web Server ports

AccessAgent connects to the IMS Server to share Wallets and log records. There are two ports to open, the cleartext and secured ports, which have been configured during the Web Server installation. These ports can be found in C:\Program Files\Encentuate\SetupHlp.ini, or check the registry keys in HKLM\Software\Encentuate\IMSService\DefaultIMSSettings.


IMS Server and Active Directory ports

The main communications with Active Directory from the IMS Server are:
1. Doing the schema lookup
2. Verifying a user when they first register through AccessAgent

The IMS Server uses a combination of LDAP and ADSI calls to communicate to Active Directory.

The LDAP calls go to the LDAP port on the Active Directory server (normally 389). You cannot configure the IMS Server to use LDAP over SSL (LDAPS, port 636).

The ADSI calls use Windows RPC to talk to the Active Directory. The communication involves two steps:
1. Connection to the RPC endpoint mapper (RPCSS) on the well-known port 135
2. This service returns the port numbers for the RPC services required

RPC uses the dynamic port range (1024 and above) for the ports it manages. This range can be restricted.

There are two services that the IMS Server might use: the Local Security Authority (LSA) RPC and the Net Logon RPC. These services can be tied to specific ports by using specific registry settings:
v The Local Security Authority (LSA) RPC port is stored in the TCP/IP Port entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
v The Net Logon RPC port is stored in the DCTcpipPort entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

These settings are discussed in the TechNet article: Restricting Active Directory replication traffic and client RPC traffic to a specific port.

There is also the need to allow Kerberos or NTLM communication between the IMS Server and the Active Directory domain controllers.

For the IMS Server and the Active Directory, open the following ports in the firewall:

Function               Port    Comments
LDAP                   389     UDP and TCP
RPCSS                  135     TCP only
AD LSA and Net Logon   1024+   TCP only. Check the two registry settings on the Active Directory server to see whether specific ports have been set.
Kerberos or NTLM       -       Depends on what is configured in the environment. By default, Kerberos uses both 88/UDP and 88/TCP.

Important: Check your settings with the domain or network Administrators.
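The table above can be turned into a reachability test run from the IMS Server against each domain controller. The following is an added example, not IBM's code: it reads the two registry entries named above to learn whether the LSA and Net Logon RPC ports have been pinned, then probes the fixed TCP ports and any pinned ports. Domain controller names are assumptions. Test-NetConnection needs Windows 8.1 / Server 2012 R2 or later, and the remote registry read needs the Remote Registry service and administrative rights on the domain controller. UDP 389 and 88 cannot be verified with a handshake and are not probed.

```powershell
# Added example, not from the IBM guide: probe the firewall openings the table above requires.
function Get-PinnedRpcPorts {
    param([Parameter(Mandatory)] [string] $DomainController)
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $DomainController)
    try {
        $ntds = $base.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
        $nlog = $base.OpenSubKey('SYSTEM\CurrentControlSet\Services\Netlogon\Parameters')
        $lsa  = if ($ntds) { $ntds.GetValue('TCP/IP Port') }    # $null when the port is not pinned
        $net  = if ($nlog) { $nlog.GetValue('DCTcpipPort') }
        [pscustomobject]@{ LsaRpcPort = $lsa; NetLogonRpcPort = $net }
    } finally {
        $base.Close()
    }
}

function Test-ImsToDomainControllerPorts {
    param([Parameter(Mandatory)] [string[]] $DomainController)
    foreach ($dc in $DomainController) {
        $pinned = try { Get-PinnedRpcPorts -DomainController $dc } catch { $null }

        $targets = @(
            @{ Function = 'LDAP';     Port = 389 },
            @{ Function = 'RPCSS';    Port = 135 },
            @{ Function = 'Kerberos'; Port = 88  }
        )
        # Without the registry entries, LSA and Net Logon RPC land on a dynamic port
        # handed out by RPCSS at run time and cannot be probed in advance.
        if ($pinned -and $pinned.LsaRpcPort)      { $targets += @{ Function = 'AD LSA RPC (pinned)';     Port = [int]$pinned.LsaRpcPort } }
        if ($pinned -and $pinned.NetLogonRpcPort) { $targets += @{ Function = 'Net Logon RPC (pinned)'; Port = [int]$pinned.NetLogonRpcPort } }

        foreach ($t in $targets) {
            [pscustomobject]@{
                DomainController = $dc
                Function         = $t.Function
                Port             = $t.Port
                TcpOpen          = Test-NetConnection -ComputerName $dc -Port $t.Port `
                                       -InformationLevel Quiet -WarningAction SilentlyContinue
            }
        }
    }
}

# Usage (host names are assumptions):
# Test-ImsToDomainControllerPorts -DomainController dc1.example.com, dc2.example.com | Format-Table
```

If RPCSS is open but neither RPC port is pinned, the firewall must pass the whole dynamic range, which is exactly the case the registry settings above are meant to avoid; pin the ports first, then rerun the probe.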

Using Ntdsutil.exe to modify the LDAP policy for Active Directory

Use this topic as reference for using Ntdsutil.exe to modify the LDAP policy for Active Directory.

If a machine registered on the IMS Server has exceeded the number of objects that Active Directory can return in a single search, use Ntdsutil.exe to modify the LDAP policy for Active Directory.

See this example:

A machine is registered on the IMS Server with no Active Directory groups, although it belongs to at least one group. When checking the stdout.log, this information is displayed:

encentuate.ims.userstoreproxy.multidomain.MultiForestAdsiConnector getMachineGroups
WARNING: Unable to find machine groups for machine DN: CN=CommonName,OU=OU.AA Country,OU=people,OU=users,OU=AA OnLine,OU=COUNTRY,DC=dc1,DC=dc2,DC=dc3,DC=dc4, Error code:CONNECTOR_FAILED, Cause: ADSI Error Code 0x80072023, LDAP_SIZELIMIT_EXCEEDED, Exceeded size limit.

This information is displayed if a limit has been set on the number of objects that Active Directory can return in a single search. Increase the limit by raising the LDAP policy MaxPageSize.

Use Ntdsutil.exe to modify the LDAP policy for Active Directory in Windows 2000 Server and Windows Server 2003. See this Microsoft Knowledge Base article for more information: How to view and set LDAP policy in Active Directory by using Ntdsutil.exe.
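The Ntdsutil.exe procedure above, driven from PowerShell so that the value before and after the change is recorded. This is an added example, not IBM's code; the domain controller name and the new value are assumptions. LDAP policies live in the forest's Default Query Policy object, so the change applies to every domain controller that uses that policy and to every LDAP client, not just the IMS Server; raise MaxPageSize only as far as the largest result set the IMS Server actually needs.

```powershell
# Added example, not from the IBM guide: read and raise the MaxPageSize LDAP policy.
function Get-LdapPolicyValues {
    param([Parameter(Mandatory)] [string] $DomainController)
    # Ntdsutil accepts its interactive commands as quoted command-line arguments.
    $output = & ntdsutil.exe 'LDAP policies' 'connections' "connect to server $DomainController" `
                             'quit' 'show values' 'quit' 'quit' 2>&1
    $policy = @{}
    foreach ($line in $output) {
        # "show values" prints lines such as:   MaxPageSize                     1000
        if ("$line" -match '^\s*([A-Za-z]+)\s+(\d+)') { $policy[$matches[1]] = [int]$matches[2] }
    }
    return $policy
}

function Set-LdapMaxPageSize {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [ValidateRange(1000, 50000)] [int] $MaxPageSize
    )
    $before = (Get-LdapPolicyValues -DomainController $DomainController)['MaxPageSize']
    if ($PSCmdlet.ShouldProcess($DomainController, "Set LDAP policy MaxPageSize $before -> $MaxPageSize")) {
        & ntdsutil.exe 'LDAP policies' 'connections' "connect to server $DomainController" 'quit' `
                       "set MaxPageSize to $MaxPageSize" 'commit changes' 'quit' 'quit' | Out-Null
    }
    $after = (Get-LdapPolicyValues -DomainController $DomainController)['MaxPageSize']
    [pscustomobject]@{ DomainController = $DomainController; Before = $before; After = $after }
}

# Usage (host name and value are assumptions):
# Get-LdapPolicyValues -DomainController dc1.example.com
# Set-LdapMaxPageSize -DomainController dc1.example.com -MaxPageSize 2000 -WhatIf
```

Run Get-LdapPolicyValues first and keep its output: the same "show values" listing includes MaxResultSetSize and the timeouts, which you will want unchanged when verifying that only MaxPageSize moved.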

Cannot test existing profile in Web Workplace

Use this topic as reference if you are unable to test the existing profile in Web Workplace.

When you log on to AccessAssistant and Web Workplace as an Administrator user and select Manage Access Profiles > Test to test the existing profile, you are prompted to enter the credentials for the application. If you enter the correct credentials but are still prompted with the message "Web Workplace was unable to retrieve password for logon", the Display personal authentication services in AccessAssistant and Web Workplace policy might be disabled.

Personal authentication service can only be tested if you set the Display personal authentication services in AccessAssistant and Web Workplace policy in AccessAdmin to Yes.


Chapter 3. AccessAgent troubleshooting

Use these topics to troubleshoot problems related to AccessAgent.
v "AccessAgent installation failure" on page 30
v "Corrupt AccessAgent installation file" on page 30
v "Installer cannot find the IMS Server" on page 30
v "Installing EnGINA on Citrix servers" on page 30
v "AccessAgent is installed before Mozilla Firefox" on page 31
v "No AccessAgent logon user interface" on page 31
v "Automatic sign-on does not work properly for Microsoft GINA" on page 23
v "Cannot return to EnGINA from Microsoft GINA" on page 32
v "GINA conflict with ThinkPad fingerprint software" on page 32
v "Cannot capture logon credentials in Mozilla Firefox pop-up window" on page 32
v "Disabling the single sign-on feature of Mozilla Firefox" on page 33
v "Logon to Citrix Server is slow" on page 33
v "Antivirus software might interfere with AccessAgent or IMS Server" on page 33
v "Viewing AccessAgent logs and increasing the log level" on page 34
v "Synchronizing with the IMS Server" on page 35
v "Failed synchronization between the IMS Server and AccessAgent Wallets" on page 35
v "Connecting to the IMS Server" on page 35
v "Downloading the IMS Server certificate" on page 36
v "Auto-admin logon using a domain account" on page 36
v "AccessAgent does not display the correct domain" on page 36
v "Application .DLL conflicts with AccessAgent" on page 37
v "Console application support is disabled" on page 37
v "Conflict with another application" on page 38
v "Application is slower when automatic sign-on is enabled" on page 38
v "Personal firewalls on private desktops" on page 38
v "Security logs are full" on page 39
v "Spontaneous termination of sync.exe" on page 39
v "Disabling Tivoli Access Manager for Enterprise Single Sign-On credential provider" on page 40
v "Signing up with AccessAgent if Active Directory password has expired" on page 40
v "Incorrect icons after AccessAgent upgrade" on page 40
v "No Windows Administrator privileges" on page 41
v "Not enough disk space" on page 41
v "A module cannot be registered" on page 41
v "No encryption pack" on page 41
v "No network connection" on page 41
v "RDP session terminates without warning" on page 42

AccessAgent installation failure

Use this topic as reference if AccessAgent is not installed successfully.

If AccessAgent fails to install, check for the following:
v Windows Scripting Host 5.6 or above must be installed.
v WMI must be functional.

To verify WMI:
1. Select Computer Management > Services and Applications > WMI Control.
2. Right-click WMI Control and select Properties. The message Successfully Connected to: <local computer> shows that WMI is functional. If the message does not appear, WMI is broken and AccessAgent cannot be installed until WMI is repaired.

Corrupt AccessAgent installation file

Use this topic as reference if the AccessAgent installation file is corrupted.

If the AccessAgent installation file was not downloaded properly from the Internet, ask the user to download the file again. If the problem persists, verify whether the copy published on the Internet is itself corrupted, and replace the file if necessary. Comparing a checksum of the published copy with that of a known-good installer tells the two cases apart.

Installer cannot find the IMS Server

There are two possible reasons why the installer cannot find the IMS Server. Use this topic to find out the reasons and actions required.

The installer cannot locate the IMS Server if:
v The server information provided is incorrect. The installer tries to connect to the IMS Server automatically during the installation. If a connection cannot be established, you are prompted to enter the location of the Web server that fronts the IMS Server. Enter the location of the Web Server and make sure that the information is correct.
v A network connection cannot be detected. To verify whether the computer has a connection to the IMS Server or the network, enter the AccessAdmin URL in your browser window. If the IMS Server page cannot be displayed, the connection is not established.

Installing EnGINA on Citrix servers

Use this topic as reference when installing EnGINA on Citrix servers.

If AccessAgent version 3.5 or below was previously installed without EnGINA, EnGINA is not included in subsequent installations of AccessAgent even if the EnginaEnabled flag is set to 1 in SetupHlp.ini.

Follow these steps to fix the problem:
1. Uninstall AccessAgent.
2. Remove the registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate\ActiveGinaAtUninstall]

If AccessAgent is installed without EnGINA, and you later decide to manually enable EnGINA by setting the GinaDLL registry entry, reinstate the original GinaDLL registry entry before you uninstall AccessAgent. Otherwise, the GINA might not be set properly when another AccessAgent is installed.

AccessAgent is installed before Mozilla Firefox

Use this topic as reference if you installed AccessAgent before Mozilla Firefox.

Mozilla Firefox is typically installed before AccessAgent so that single sign-on works.

If AccessAgent was installed before Mozilla Firefox, go to Program Files\Encentuate and run the following script to enable Mozilla Firefox support: InstallFirefoxXPCOM.vbs

No AccessAgent logon user interface

Use this topic if the EnGINA logon does not appear during startup.

About this task

Upon startup, the following error message appears instead of the EnGINA logon:

User Interface Failure
The Logon User Interface DLL xxx.dll failed to load...

Either EnGINA is not properly installed or the Winlogon GinaDLL registry entry is not set correctly after AccessAgent is uninstalled. See the procedure to resolve the problem.

Procedure
1. Restart the computer.
2. Before Windows starts up, press F8 to boot in Safe Mode.
3. Log on as an Administrator.
4. Set the Windows registry value [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]"GinaDLL" to msgina.dll. If the value is engina.dll, EnGINA is not installed properly and cannot load.
5. Restart the computer. The default Windows Logon prompt is displayed on startup.
6. To use EnGINA again after fixing the problem, change the value back to engina.dll.


Cannot return to EnGINA from Microsoft GINA

Use this topic as reference if you cannot return to the EnGINA logon from the Microsoft Windows GINA.

You cannot return to EnGINA from Windows GINA by clicking the Cancel button if the following domain group policy is set to Enabled:

[Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options]"Disable CTRL+ALT+DEL requirement for logon"

To fix this problem, set the value to Disabled or Not Defined.

GINA conflict with ThinkPad fingerprint software

Use this topic as reference if you are using an IBM ThinkPad PC and you cannot see EnGINA during startup.

Symptoms for GINA conflict

On a ThinkPad PC with a built-in fingerprint reader, EnGINA is not displayed during startup. Instead, the system crashes.

Cause for GINA conflict

The ThinkPad ThinkVantage fingerprint GINA (vrlogin.dll) conflicts with EnGINA.

Resolution for GINA conflict
1. Disable the ThinkVantage fingerprint GINA before installing AccessAgent. Select Start > ThinkVantage fingerprint > Control Center.
2. If AccessAgent is already installed, make sure that the registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate]"PrevGINA" is set to blank.
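The three GINA topics in this chapter ("Installing EnGINA on Citrix servers", "No AccessAgent logon user interface", and the ThinkPad conflict above) all come down to a handful of registry values. The following is an added example and not IBM's code: a read-only report of those values together with a guarded setter for the GinaDLL fix. It applies to Windows XP and Windows Server 2003, the last versions with a GINA. Treating ActiveGinaAtUninstall as a subkey follows the bracket notation the guide uses; the location of engina.dll under System32 is an assumption. Run the setter from Safe Mode as an administrator: a GinaDLL value that points at a missing file leaves the machine without a logon screen, which is why the setter refuses to configure a DLL it cannot find.

```powershell
# Added example, not from the IBM guide: inspect and repair the Winlogon GINA chain.
function Get-GinaState {
    $winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $encentuate = 'HKLM:\SOFTWARE\Encentuate'
    $system32   = Join-Path $env:SystemRoot 'System32'

    $ginaDll = (Get-ItemProperty -Path $winlogon -Name GinaDLL -ErrorAction SilentlyContinue).GinaDLL
    if (-not $ginaDll) { $ginaDll = 'msgina.dll' }   # no value means Winlogon uses the Microsoft GINA
    $prevGina        = (Get-ItemProperty -Path $encentuate -Name PrevGINA -ErrorAction SilentlyContinue).PrevGINA
    $uninstallMarker = Test-Path (Join-Path $encentuate 'ActiveGinaAtUninstall')   # treated as a subkey (assumption)

    # Winlogon loads an unqualified GinaDLL name from System32.
    $dllPath = if ([System.IO.Path]::IsPathRooted($ginaDll)) { $ginaDll } else { Join-Path $system32 $ginaDll }

    $problems = New-Object System.Collections.Generic.List[string]
    if (-not (Test-Path $dllPath)) {
        $problems.Add("GinaDLL '$ginaDll' does not exist at $dllPath; Winlogon will report 'Logon User Interface DLL failed to load'")
    }
    if ($prevGina -and $prevGina -ieq 'vrlogin.dll') {
        $problems.Add("PrevGINA points at the ThinkVantage fingerprint GINA; set PrevGINA to blank")
    }
    if ($uninstallMarker) {
        $problems.Add("ActiveGinaAtUninstall is present; remove it before reinstalling AccessAgent if EnGINA is wanted")
    }

    [pscustomobject]@{
        GinaDLL               = $ginaDll
        GinaDLLPath           = $dllPath
        PrevGINA              = $prevGina
        ActiveGinaAtUninstall = $uninstallMarker
        Problems              = $problems
    }
}

function Set-WinlogonGina {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [ValidateSet('msgina.dll', 'engina.dll')] [string] $Dll)
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $target   = Join-Path (Join-Path $env:SystemRoot 'System32') $Dll
    if (-not (Test-Path $target)) {
        throw "$Dll is not installed in System32; refusing to configure a GINA that cannot load"
    }
    if ($PSCmdlet.ShouldProcess($winlogon, "Set GinaDLL=$Dll")) {
        Set-ItemProperty -Path $winlogon -Name GinaDLL -Value $Dll -Type String
    }
}

# Usage:
# Get-GinaState | Format-List
# Set-WinlogonGina -Dll msgina.dll -WhatIf
```

Run Get-GinaState before and after any AccessAgent install or uninstall on a Citrix or terminal server; an empty Problems list after uninstall is the state the "Installing EnGINA on Citrix servers" topic expects before the next installation.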

Cannot capture logon credentials in Mozilla Firefox pop-up window

Use this topic as reference if AccessAgent cannot capture the logon credentials in the Mozilla Firefox pop-up window.

In some Web page authentication, you are prompted to enter your user name and password in a pop-up window. If you are using Mozilla Firefox, AccessAgent cannot capture your input or detect the action trigger in the pop-up window.

Follow these steps to capture your logon credentials:
1. Use the Window is activated trigger to detect the basic authentication window pop-up event.
2. Under this trigger, use the Advanced Actions > Show a dialog action to capture the logon credentials.

Disabling the single sign-on feature of Mozilla Firefox

Use this topic as reference to disable the single sign-on feature of Mozilla Firefox.

In Mozilla Firefox, the Remember passwords for sites option is enabled by default. This feature captures your password so that the next time you log on to a particular Web site, your password is entered automatically. The problem is that when AccessAgent captures your logon credentials, Mozilla Firefox also prompts you with a form to save the password, so the same credential is also kept in the browser's own password store.

During the AccessAgent installation, the installer automatically disables the Remember passwords for sites option in Mozilla Firefox. However, if you have not yet logged on to the Windows desktop and have not used Mozilla Firefox before, you have to disable this option manually.

To disable the Remember passwords for sites option:
1. Launch Mozilla Firefox.
2. Select Tools > Options > Security > Passwords.
3. Clear the Remember passwords for sites check box.

Alternatively, go to your Program Files\Encentuate folder and double-click InstallFirefoxXpCom.vbs.

Logon to Citrix Server is slow

Use this topic as reference if logon to the Citrix server is slow because of the clean-up activity on cached Wallets.

Follow these steps if logon to Citrix Server is slow:
1. Make sure that the following policies are disabled:
v pid_wallet_cleanup_on_caching_enabled
v pid_wallet_cache_max_inactivity_days
v pid_wallet_cache_max
2. Schedule SOCIPruner.exe to run periodically during server downtime so that cached Wallets are cleaned up on a regular basis.

Antivirus software might interfere with AccessAgent or IMS Server

Use this topic as reference if the antivirus software interferes with AccessAgent or the IMS Server.

About this task

The antivirus software might cause the following:

- Slower AccessAgent performance (on user PC, terminal server, or Citrix server)
- AccessAgent startup failure (on user PC, terminal server, or Citrix server)
- Intermittent AccessAgent logon failure (on terminal server or Citrix server)
- Slower IMS Server performance


To resolve these problems, add the frequently changing Tivoli Access Manager for Enterprise Single Sign-On folders (C:\Program Files\Encentuate\logs for AccessAgent, and C:\Encentuate for the IMS Server) to the antivirus software's exclusion list.

For users with McAfee antivirus installed, refer to the next procedure.

Procedure

1. Open the antivirus scanner's property pages.
2. On the Detection tab, under What not to scan, use the exclusions feature.
3. Click Exclusions to open the Set Exclusions dialog box.
4. Add files, folders, or drives, or edit an item in the list.
5. To add an item, click Add to open the Add Exclusion Item dialog box.
6. Under What to exclude, select the folder using By name/location.
7. Under When to exclude, specify all options.
8. Click OK to save these settings and return to the Set Exclusions dialog box.
9. Click OK to save these settings and return to the Detection tab.
10. Click Apply to save these settings.

Note: If this solution does not work, upgrade to the latest version of the antivirus software. If the problem persists after the upgrade, uninstall the antivirus software for troubleshooting or as a temporary solution.

Viewing AccessAgent logs and increasing the log level

Use this topic as reference if you want to view the AccessAgent logs or increase the AccessAgent log level.

Viewing AccessAgent logs

When troubleshooting AccessAgent problems, it is useful to view the log files in the C:\Program Files\Encentuate\logs folder. The .XML files record communications with the IMS Server and are useful for troubleshooting failures in the interaction between AccessAgent and the IMS Server.

AccessAgent.log logs internal AccessAgent processes and is useful for troubleshooting internal AccessAgent failures. The aa_observer.log logs the observation of applications for automatic sign-on.

For installation problems, the AccessAgent installer logs can be found in C:\AAInstaller.log.

When reporting a bug, it is useful to include a .zip file that contains the entire C:\Program Files\Encentuate\logs folder. Provide the approximate local times when the events occurred.

Increasing the AccessAgent log level

When troubleshooting AccessAgent problems, it is useful to increase the log level so that more debugging information can be produced.

The log level is specified by the machine policy pid_log_level, which can be set through the registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate\DeploymentOptions]"LogLevel".


Log level 3 is typically enough for most debugging purposes. If more detailed logs are required, the log level can be set to 4.

Synchronizing with the IMS Server

Use this topic as reference on synchronizing AccessAgent with the IMS Server.

AccessAgent synchronizes periodically with the IMS Server according to the frequency specified by pid_wallet_sync_mins.

It is sometimes useful to manually invoke synchronization so that the latest policies or AccessProfiles can be downloaded. This is especially useful during troubleshooting or demonstrations.

Follow these steps to enable the manual synchronization:

1. Right-click the option for Synchronize with IMS.
2. Set the machine policy pid_wallet_manual_sync_enabled to 1.

This can also be set through the registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate\Temp]"WalletManualSyncEnabled".
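The log level and manual synchronization settings described above can be changed from an elevated PowerShell prompt. The following script is an added example, not IBM's code: it assumes both registry values are REG_DWORD, uses a backup file path of its own choosing (AccessAgentPolicyBackup.xml under ProgramData), and keeps the original values so that the debugging settings can be reverted when troubleshooting is done.

```powershell
# Added example (not from the IBM guide): set and later restore the two
# AccessAgent machine policies described above through their registry entries.
# Assumptions: both values are REG_DWORD, and the backup file path is this
# script's own choice. Run from an elevated PowerShell prompt.

$AccessAgentPolicies = @{
    # pid_log_level: 3 is enough for most debugging, 4 gives the most detail
    LogLevel = @{
        Path    = 'HKLM:\SOFTWARE\Encentuate\DeploymentOptions'
        Name    = 'LogLevel'
        Allowed = 0..4      # assumed range; the guide documents levels 3 and 4
    }
    # pid_wallet_manual_sync_enabled: 1 enables the Synchronize with IMS option
    WalletManualSyncEnabled = @{
        Path    = 'HKLM:\SOFTWARE\Encentuate\Temp'
        Name    = 'WalletManualSyncEnabled'
        Allowed = 0..1
    }
}
$BackupFile = Join-Path $env:ProgramData 'AccessAgentPolicyBackup.xml'

function Get-AccessAgentPolicy {
    param([Parameter(Mandatory)][ValidateSet('LogLevel', 'WalletManualSyncEnabled')][string]$Policy)
    $p = $AccessAgentPolicies[$Policy]
    $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # not set: AccessAgent uses its built-in default
    return [int]$item.($p.Name)
}

function Set-AccessAgentPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('LogLevel', 'WalletManualSyncEnabled')][string]$Policy,
        [Parameter(Mandatory)][int]$Value
    )
    $p = $AccessAgentPolicies[$Policy]
    if ($p.Allowed -notcontains $Value) {
        throw "Value $Value is outside the allowed range for $Policy ($($p.Allowed -join ', '))"
    }
    # Record the original value once, so repeated changes still restore the original
    $backup = @{}
    if (Test-Path $BackupFile) { $backup = Import-Clixml $BackupFile }
    if (-not $backup.ContainsKey($Policy)) {
        $backup[$Policy] = Get-AccessAgentPolicy -Policy $Policy
        $backup | Export-Clixml $BackupFile
    }
    if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
    Set-ItemProperty -Path $p.Path -Name $p.Name -Value $Value -Type DWord
}

function Restore-AccessAgentPolicy {
    param([Parameter(Mandatory)][ValidateSet('LogLevel', 'WalletManualSyncEnabled')][string]$Policy)
    if (-not (Test-Path $BackupFile)) { throw "No backup recorded at $BackupFile" }
    $backup = Import-Clixml $BackupFile
    if (-not $backup.ContainsKey($Policy)) { throw "No recorded original value for $Policy" }
    $p = $AccessAgentPolicies[$Policy]
    if ($null -eq $backup[$Policy]) {
        # The value did not exist before: remove it so the default applies again
        Remove-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $p.Path -Name $p.Name -Value $backup[$Policy] -Type DWord
    }
    $backup.Remove($Policy)
    $backup | Export-Clixml $BackupFile
}

# Typical troubleshooting session:
#   Set-AccessAgentPolicy -Policy LogLevel -Value 3
#   Set-AccessAgentPolicy -Policy WalletManualSyncEnabled -Value 1
#   ... reproduce the problem and collect C:\Program Files\Encentuate\logs ...
#   Restore-AccessAgentPolicy -Policy LogLevel
#   Restore-AccessAgentPolicy -Policy WalletManualSyncEnabled
```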

Failed synchronization between the IMS Server and AccessAgent Wallets

Use this topic as reference if the Wallet credentials stored in AccessAgent and the IMS Server do not match.

If after a successful synchronization between AccessAgent and the IMS Server, the Wallet credentials stored in AccessAgent and the IMS Server still do not match, the IMS Server and Database Server might be using different time zones.

Data synchronization between AccessAgent and the IMS Server is dependent on time-stamping.

To resolve the issue, make sure that the IMS Server and Database Server use the same time zone.

Connecting to the IMS Server

Use this topic as reference if AccessAgent cannot connect to the IMS Server.

If AccessAgent cannot connect to the IMS Server, it cannot perform certain operations, such as:

- Logging on to AccessAgent when there is no existing cached Wallet for the user
- Changing a TAM E-SSO password
- Registering a second factor
- Signing up users

The following situations can prevent AccessAgent from connecting to the IMS Server:

- The client machine is not on the network.
- The client machine has no network connectivity (or lost connectivity) to the IMS Server. No connectivity can be due to an intervening firewall between the client machine and the IMS Server, or due to some network configuration issue, such as DNS problems.
- The client machine has a personal firewall or anti-spyware that is blocking traffic from AccessAgent.

  Note: To allow AccessAgent to contact the IMS Server while the computer is locked, the personal firewall or anti-spyware must be set to not block traffic from winlogon.exe.

- The client machine does not have the IMS Server certificates installed, possibly because the client machine was offline during the AccessAgent installation.
- AccessAgent registry settings are either corrupted or not configured correctly (for example, AccessAgent is pointing to the wrong IMS Server).

Downloading the IMS Server certificate

Use this topic as reference for downloading the IMS Server certificate.

About this task

If configured properly, the AccessAgent installer can download the IMS Server certificate to the client PC.

The IMS Server certificate download might fail if the client PC is offline or if the IMS Server is not available at that time. The server certificate can be downloaded after installation through either of these methods.

Procedure

- Select Start > All Programs > AccessAgent > Set IMS Server Location.
- Run C:\Program Files\Encentuate\SetupCertDlg.exe.

Auto-admin logon using a domain account

AccessAgent is logged off if you are using an auto-admin account in a private desktop scenario.

AccessAgent does not display the correct domain

Use this topic if the AccessAgent logon interface (EnGINA) does not display the correct value in the Domain field.

AccessAgent does not display the correct domain in some installations of the IMS Server.

- For IMS Server version 2.x

  When you log on, AccessAgent shows the display name of the authentication service specified by pid_bind_auth_list in the Domain field. Use AccessStudio or the IMS Configuration Utility to modify the display name of the appropriate authentication service.

- For IMS Server version 3.x and above

  The policy pid_bind_edir_list replaces pid_bind_auth_list. AccessAgent shows the domains specified in the enterprise directory listed in pid_bind_edir_list.


Application .DLL conflicts with AccessAgent

Use this topic as reference if an application .DLL conflicts with AccessAgent.

About this task

Some Microsoft .DLL files are used by AccessAgent when observing applications. If the .DLL versions conflict with those .DLL files used by an application, the application might not work properly.

A fix for the problem is to use the .DLL redirection configuration suggested by Microsoft: Dynamic-Link Library Redirection.

Another possible fix is to replace the .DLL carried by the application with a .DLL compatible with AccessAgent. However, the application must also be compatible with the same .DLL.

Follow these steps to check for application .DLL conflicts.

Procedure

1. Select Start > Run, then type cmd to launch the command prompt.
2. Type net stop obsservice in the command prompt.
3. Launch the application and check if the application is working properly.

What to do next

You can check the application folder to see if it is carrying any Microsoft .DLL files, which are usually named ms*.dll (for example, msvcr70.dll, msvcp70.dll).
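As an added example (not part of the IBM guide), this PowerShell script automates the check described above: it lists the ms*.dll files an application carries, compares their file versions with the copies in System32, and reports whether ObsService is currently running. The application folder path, the function names, and the assumption that System32 holds the version AccessAgent itself uses are the example's own.

```powershell
# Added example (not from the IBM guide): list the Microsoft runtime DLLs an
# application carries in its own folder (ms*.dll, as the guide suggests) and
# compare each one's file version with the copy Windows keeps in System32, so
# version differences that can clash with AccessAgent's observer stand out.
# Assumption: System32 holds the version AccessAgent uses; the guide does not
# say which copy it loads, so treat a mismatch as a lead, not as proof.

function Get-CarriedMicrosoftDlls {
    param([Parameter(Mandatory)][string]$ApplicationFolder)
    if (-not (Test-Path -LiteralPath $ApplicationFolder)) {
        throw "Folder not found: $ApplicationFolder"
    }
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -LiteralPath $ApplicationFolder -Filter 'ms*.dll' -Recurse -File |
        ForEach-Object {
            $carriedVersion = $_.VersionInfo.FileVersion
            $systemCopy = Join-Path $system32 $_.Name
            $systemVersion = if (Test-Path -LiteralPath $systemCopy) {
                (Get-Item -LiteralPath $systemCopy).VersionInfo.FileVersion
            } else {
                $null   # no system-wide copy: nothing to conflict with here
            }
            [pscustomobject]@{
                Name           = $_.Name
                CarriedPath    = $_.FullName
                CarriedVersion = $carriedVersion
                SystemVersion  = $systemVersion
                # Flag only when both copies exist and their versions differ
                Mismatch       = ($null -ne $systemVersion) -and ($systemVersion -ne $carriedVersion)
            }
        }
}

function Test-ObsServiceRunning {
    # AccessAgent's application observer service; the guide's check is to stop it
    # (net stop obsservice) and see whether the application then behaves.
    $svc = Get-Service -Name 'obsservice' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $null }   # service not present: AccessAgent not installed
    return ($svc.Status -eq 'Running')
}

# Usage (folder path is a placeholder):
#   Get-CarriedMicrosoftDlls -ApplicationFolder 'C:\Program Files\ExampleApp' |
#       Where-Object Mismatch | Format-Table Name, CarriedVersion, SystemVersion
#   Test-ObsServiceRunning
```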

Console application support is disabled

When you install AccessAgent version 8.1 with default settings, console application support is disabled. Use this topic for the procedures on enabling console application support.

Console application support is disabled because ConsoleHookLoader.dll might cause an application to hang or crash. If you need console application support, you can enable it by either:

- using SetupHlp.ini, or
- running InstallConsoleSupport.vbs.

Enable console application support in SetupHlp.ini

You can enable console application support in SetupHlp.ini during the AccessAgent installation.

1. In the AccessAgent installer, open the Config folder.
2. Double-click SetupHlp.ini to open the configuration settings file.
3. Under the Setup time only options category, set the value of ConsoleAppSupportEnabled to 1.

Run InstallConsoleSupport.vbs

InstallConsoleSupport.vbs is automatically installed in the AccessAgent installation directory by the AccessAgent installer.


If you have already installed AccessAgent and you want to enable console application support, you can run the InstallConsoleSupport.vbs.

Note: You must have Administrator rights on the machine to successfully run InstallConsoleSupport.vbs.

When you run InstallConsoleSupport.vbs, the VBScript changes an internal Windows registry setting rather than setting ConsoleAppSupportEnabled. You need to restart the machine for the changes to take effect.

Conflict with another application

Use this topic as reference if AccessAgent has conflicts with another application.

If you see a message that says AccessAgent's setup detected a conflict with an application and that it is recommended that the application be uninstalled, exit from the AccessAgent setup and uninstall the application that causes the conflict.

Make sure that the application is no longer used before uninstalling the application. After the application is uninstalled, run the AccessAgent setup again.

Note: AccessAgent might not work properly if you ignore the message prompt and continue with the installation.

Application is slower when automatic sign-on is enabled

Use this topic as reference if your application is running slowly when automatic sign-on is enabled.

Some applications might respond slower when automatic sign-on is enabled, or there might be a noticeable delay before credentials are auto-filled or auto-captured.

This might be due to the use of an inefficient signature comparison in the AccessProfile for the affected application.

If a signature checks only the @title predicate for the top-level window (for example, /child::wnd[@title="Logon"]), AccessAgent retrieves the title of each top-level window using Windows messages.

For some applications, many hidden top-level windows might be created during logon and might take at least 0.5 seconds to respond to Windows messages. The response time in fetching the title of each window adds to the delay.

For such cases, use more specific signatures to reduce the number of matching windows. For example, the @class_name predicate can be used in the signature to filter only windows of a certain class so that the title is fetched for fewer windows (fetching of the class name does not require Windows messaging).

Personal firewalls on private desktops

Use this topic as reference if you encounter problems with AccessAgent because of the personal firewalls on your private desktop.

For AccessAgent installations on private desktops, personal firewalls can prevent users from logging on, and can cause slower Windows desktop performance. If you press Ctrl + Alt + Del, the lock screen for the private desktop might not appear and the computer might hang.

To resolve the problem:

- Make sure that the personal firewall is configured properly before AccessAgent is installed.
- Set up the personal firewall to include AccessAgent components in the trust list.
- See your personal firewall documentation on including applications or components in the trust list.

Security logs are full

Use this topic as reference if you encounter problems because the security logs are full.

If the security logs are full, problems can occur if you RDP to a private desktop machine or when you start up shared workstations (shared desktop, private desktop, roaming desktop).

This problem is encountered if the auto-admin logon account is not an Administrator account. This is a limitation that Windows imposes during logon and unlock.

For more information on the configurations for private and roaming desktop modes, see the IBM Tivoli Access Manager for Enterprise Single Sign-On Deployment Guide.

Spontaneous termination of sync.exe

Use this topic as reference if the sync.exe program terminates on your machine.

Symptoms for termination of sync.exe

1. After the first reboot, EnGINA does not show up. Instead, it bypasses to Microsoft GINA.
2. When logged on to Windows, the PC appears to be slow. Stopping ObsService restores the computer to its original speed.
3. Sync.exe does not show up in Task Manager.
4. After starting sync.exe manually, it shuts down within milliseconds.

Possible cause for termination of sync.exe

Anti-spyware, such as the LanDesk software monitoring tool (SoftMon.exe), might have identified the process sync.exe as spyware or malware. The anti-spyware shuts down the process when it is detected. It appears in the AccessAgent logs as if sync.exe is crashing at different instances.

Resolution for termination of sync.exe

Add sync.exe to the LanDesk software monitoring tool exclusion list. After making the settings, LanDesk ignores sync.exe and does not shut down the process. Add sync.exe to the exclusion lists of other anti-spyware products as well.


Disabling Tivoli Access Manager for Enterprise Single Sign-On credential provider

The Tivoli Access Manager for Enterprise Single Sign-On credential provider does not support other third-party credential providers in Microsoft Windows Vista.

About this task

Use this procedure to disable the Tivoli Access Manager for Enterprise Single Sign-On credential provider after installing AccessAgent on Microsoft Windows Vista.

Procedure

1. Rename the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{9B7B5755-665B-4796-9875-47029E4F2972} to disable the credential provider filter (EncCPFilter).
2. Rename the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{9B7B5755-665B-4796-9875-47029E4F2972} to disable the credential provider (EncPasswordCredProvider).
3. Log off from Windows.
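The two renames in this procedure can be scripted so that the change is reversible. The following PowerShell is an added example, not IBM's code: it uses the ".disabled" suffix as its own convention for the renamed keys, keeps the registration in place rather than deleting it, and must be run from an elevated prompt.

```powershell
# Added example (not from the IBM guide): disable or re-enable the Tivoli Access
# Manager for Enterprise Single Sign-On credential provider on Windows Vista by
# renaming the two registry keys named in the procedure above. Renaming instead
# of deleting keeps the registration intact so it can be put back.
# Assumption: the ".disabled" suffix is this script's own convention.

$TamEssoClsid = '{9B7B5755-665B-4796-9875-47029E4F2972}'   # CLSID from the procedure above
$AuthRoot = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Authentication'
$CredentialKeys = @(
    "$AuthRoot\Credential Provider Filters\$TamEssoClsid"   # EncCPFilter
    "$AuthRoot\Credential Providers\$TamEssoClsid"          # EncPasswordCredProvider
)
$DisabledSuffix = '.disabled'

function Get-TamEssoCredentialProviderState {
    # Returns Enabled, Disabled, Mixed (the two keys disagree) or Missing (nothing registered)
    $enabled  = @($CredentialKeys | Where-Object { Test-Path -LiteralPath $_ }).Count
    $disabled = @($CredentialKeys | Where-Object { Test-Path -LiteralPath ($_ + $DisabledSuffix) }).Count
    if ($enabled -eq $CredentialKeys.Count)  { return 'Enabled' }
    if ($disabled -eq $CredentialKeys.Count) { return 'Disabled' }
    if (($enabled + $disabled) -eq 0)        { return 'Missing' }
    return 'Mixed'
}

function Set-TamEssoCredentialProviderState {
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State)
    foreach ($key in $CredentialKeys) {
        if ($State -eq 'Disabled') {
            $source = $key
            $target = $key + $DisabledSuffix
        } else {
            $source = $key + $DisabledSuffix
            $target = $key
        }
        if (Test-Path -LiteralPath $target) {
            Write-Verbose "Already $State : $target"
            continue
        }
        if (-not (Test-Path -LiteralPath $source)) {
            throw "Expected registry key not found: $source"
        }
        # -NewName takes only the leaf name; the parent path stays the same
        Rename-Item -LiteralPath $source -NewName (Split-Path -Path $target -Leaf)
    }
    # Windows picks the change up at the next logon, as step 3 of the procedure says
    Write-Output "Credential provider is now $(Get-TamEssoCredentialProviderState); log off Windows to apply"
}

# Usage (elevated prompt):
#   Set-TamEssoCredentialProviderState -State Disabled
#   Set-TamEssoCredentialProviderState -State Enabled    # reverse the change
```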

Signing up with AccessAgent if Active Directory password has expired

Use this procedure to sign up with AccessAgent even if your Active Directory password has expired.

About this task

The sign-up workflow is similar to an existing user logging on to AccessAgent.

Procedure

1. Bypass the EnGINA logon screen, and log on using MS GINA.
2. Change the Active Directory password.
3. Log on to AccessAgent from the EnGINA logon screen.

Incorrect icons after AccessAgent upgrade

Use this topic as reference if the program icons are not updated after an AccessAgent upgrade.

When you upgrade from an older version of AccessAgent to AccessAgent 8.0, the program icons are not updated and still display the icons used in the previous version of AccessAgent.

This is a Microsoft Windows icon cache problem. For Windows 2000, the system caches the older icons and reuses them during an AccessAgent upgrade.

A fix for the problem is to rebuild the Windows icon cache. See Microsoft KB 199152: Desktop Icons Do Not Display Correctly in Windows NT 4.0.


No Windows Administrator privileges

You must have Windows Administrator privileges to install AccessAgent. If you do not have Administrator privileges, contact the Administrator to install the AccessAgent.

Not enough disk space

Use this topic as reference if you cannot install AccessAgent due to insufficient disk space.

AccessAgent cannot be installed on your computer if it does not have enough free disk space. The computer must have at least 32 MB of free hard disk space. You can empty the Recycle Bin and delete unwanted files to increase the free hard disk space.

A module cannot be registered

Use this topic as reference if you encounter a module-related problem during the AccessAgent installation.

If you are prompted with the message The system encountered a problem while registering a module (Error 1904), click Ignore to continue the installation. An error in registering a module is a documented Microsoft Windows problem and is not critical. If the problem persists, uninstall and install AccessAgent again.

No encryption pack

Use this topic as reference if your computer does not have an encryption pack.

If you are installing AccessAgent on Windows 2000, the computer must have a High Encryption Pack installed to ensure the security of the Wallet contents.

To check if the computer has Enhanced CSP, select Help > About Internet Explorer in Internet Explorer. If the High Encryption Pack is installed, Cipher Strength: 128-bit is displayed.

A High Encryption Pack can be downloaded from the Microsoft site:

Windows 2000 High Encryption Pack (128-bit).

No network connection

Use this topic as reference if you encounter problems with AccessAgent due to lack of a network connection.

A network connection is required to install AccessAgent, to sign up, or to change the password. If the system does not detect a network connection while installing AccessAgent, a dialog box is displayed. Make sure that the network settings are correct and try again.


RDP session terminates without warning

Use this topic as reference if your remote desktop session terminates without warning.

To create a remote desktop connection to a private desktop:

- the default desktop user must have RDP rights
- the Administrator user of the private desktop must have RDP rights on that machine so that other users can connect to that machine

Otherwise, the RDP session terminates without allowing access to the given machine.


Chapter 4. AccessStudio troubleshooting

Use these topics to troubleshoot problems related to AccessStudio.

- “Modification to Winlogon AccessProfile does not take effect”
- “Missing labels in state engine view of AccessStudio”
- “Cannot capture credentials from a Java control”

Modification to Winlogon AccessProfile does not take effect

Use this topic as reference if a modification to the Winlogon AccessProfile does not take effect.

The latest AccessProfile of an application is loaded when the application process starts. Since the Winlogon process is only started on machine startup, restart the machine for the new Winlogon AccessProfile to take effect.

Missing labels in state engine view of AccessStudio

Use this topic as reference if there are missing labels in the state engine view of AccessStudio.

In some Windows 2000 machines, the state engine view of AccessStudio might show a graph with the states and connections but without any labels. The names of the states, triggers, and actions appear to be missing.

This problem happens because the Arial font is not supported in the machine where AccessStudio is installed. Install the Arial font to resolve this issue.

Cannot capture credentials from a Java control

Use this topic as reference if the credentials from a Java control cannot be captured.

When the capture action for Java controls under a Key is pressed on a window trigger is executed but fails, edit it in the AccessStudio States tab.

1. In the AccessStudio States tab, create a Fires immediately trigger following the Key is pressed on a window trigger.
2. Cut the Capture credentials and Save credentials action from the Key is pressed on a window trigger, then paste it on the Fires immediately trigger.


Chapter 5. Authentication factor, Wallet, and password troubleshooting

Use these topics to troubleshoot problems related to authentication factors, Wallet, and passwords.

- “RFID card detection problem”
- “Cannot unlock computer with RFID card” on page 46
- “Lost RFID card” on page 46
- “Cannot log on to Wallet using RFID card” on page 46
- “Cannot register an RFID card” on page 47
- “Smart card not detected after serving as an RDP client” on page 47
- “Lost smart card” on page 47
- “Cannot unlock computer with Active Proximity Badge” on page 48
- “Lost Active Proximity Badge” on page 48
- “Cannot log on to Wallet using Active Proximity Badge” on page 48
- “Cannot register an Active Proximity Badge” on page 49
- “Windows password is not auto-injected during a change password retry in Microsoft Windows Vista” on page 50
- “System does not accept authorization code” on page 50
- “System does not accept TAM E-SSO Password” on page 50
- “Forgotten password” on page 51
- “System does not accept secret” on page 51
- “Forgotten secret” on page 51
- “Password entries do not match” on page 51
- “Incorrect password length” on page 51
- “No network connection during change password” on page 52
- “Problems downloading the machine Wallet” on page 52
- “Cannot log on to cached Wallets” on page 53
- “Cannot log on to Wallet after an AccessAgent installation” on page 53
- “Incorrect Windows user account” on page 54
- “Wallet has been locked” on page 54
- “Validity period of temporary access to Wallet has expired” on page 54
- “Cannot use existing cached Wallet on the same machine” on page 54
- “Cannot use shared cached Wallet” on page 55
- “TAM E-SSO Password not synchronized with enterprise directory password” on page 55

RFID card detection problem

Use this topic as reference if you have an RFID card detection problem.

If you are using an RFID reader, you might encounter card reader issues when you put the machine on standby or hibernation mode, and then resume the machine from that state. The RFID reader might not be able to read the RFID card. This is a recurring issue caused by some problems with the RFID reader drivers.


To avoid card reader issues, insert the RFID reader in your computer before starting up. If the device is not detected upon startup, restart your computer. Do not unplug and insert the RFID reader while AccessAgent is running.

Note: AccessAgent cannot detect the RDR-60P2AKP RFID reader if you insert it while AccessAgent is running.

Cannot unlock computer with RFID card

Use this topic as reference if you cannot unlock the computer using an RFID card.

If you are trying to unlock the computer using an RFID card but you are prompted that the password cannot be validated, tap the RFID card on the reader and enter the password again.

If the problem persists, unlock the computer using the Windows user name and password. Select Go to Windows to unlock in the navigation panel of the Unlock This Computer window.

Once you are logged on through Windows, you can reset the password.

Lost RFID card

Use this topic as reference if you lost your RFID card.

If you lost the RFID card, request a new RFID card and an authorization code. The authorization code is required to associate the Wallet with the new RFID card and to obtain temporary access to the Wallet in case a new RFID card is not readily available.

If you cannot connect to the IMS Server, provide the Help desk the request code displayed on the AccessAgent reset password screen so that Help desk can issue you an authorization code for offline access, which does not require IMS Server connectivity.

Cannot log on to Wallet using RFID card

Use this topic as reference if you are unable to log on to a Wallet using an RFID card.

These are the possible reasons for the Wallet logon failure:

- Incorrect password

  You might have entered an incorrect password. Enter the password again. Make sure that the Caps Lock key is not active and that the letters are entered in the correct case. If you have forgotten the password, request an authorization code so that you can reset the password.

- Damaged or corrupted RFID card or reader

  If the RFID card or reader is damaged or corrupted, request a replacement.

- Unable to detect the RFID card

  There might be a timeout for detecting the RFID card. Tap the RFID card on the reader again. If the problem persists, restart the computer. If the problem is not resolved, the RFID card might be damaged or corrupted. Replace the RFID card with a new one.


Cannot register an RFID card

Use this topic as reference if you cannot register the RFID card with the IMS Server.

You cannot register an RFID card if the card is already registered or has been revoked.

- RFID card is already registered

  A message is displayed if you try to register an RFID card that has already been registered with the IMS Server. The RFID card has probably been used by another user, but has not been revoked from the IMS Server. Return the RFID card and request a new RFID card.

- RFID card has been revoked

  An RFID card is revoked when it is reported lost. If you find the lost RFID card and try to log on, the system displays a message that the RFID card has been revoked. To reuse a revoked RFID card, request an authorization code and register the revoked RFID card again. The registration includes associating the RFID card with the Wallet.

Smart card not detected after serving as an RDP client

Use this topic as reference if the smart card is not detected after the machine served as an RDP client.

When a machine serves as a remote client, it is locked from use. After you close the RDP connection and want to unlock the remote client, your smart card might not be recognized.

In such a situation, you must log on to Windows either using your password at EnGINA or using your password (or smart card) along with the PIN in MSGINA. AccessAgent can then recognize your smart card.

Lost smart card

Use this topic as reference if you lost the smart card.

If you lost the smart card:

1. Request a new smart card and an authorization code. The authorization code is required to associate the Wallet with a new smart card and to obtain temporary access to the Wallet in case the new smart card is not readily available.

2. Register the new smart card.

Note: You have to provide your TAM E-SSO Password to register the smart card.

If you forgot your TAM E-SSO Password, you can reset the password. Once you have obtained the authorization code, you can do a password reset by clicking Reset Password in AccessAgent. You must enter the secret answers to the secret questions to do the password reset.


This scenario is only applicable when:

- The desktop is open.
- The desktop is locked.
- The user is logged off from the desktop.

Note:

1. If you cannot connect to the IMS Server, provide the Help desk the request code displayed on the AccessAgent reset password screen so that Help desk can issue you an authorization code for offline access, which does not require IMS Server connectivity.

2. If Tivoli Access Manager for Enterprise Single Sign-On is configured to use self-service secrets for bypassing the use of smart cards for log on, you do not need to enter an authorization code.

3. If Tivoli Access Manager for Enterprise Single Sign-On is configured to use system-defined secrets, then you do not need to provide answers to secret questions.

Cannot unlock computer with Active Proximity Badge

Use this topic as reference if you cannot unlock the computer using an Active Proximity Badge.

If you are trying to unlock the computer using an Active Proximity Badge and are prompted that the password cannot be validated, switch the Active Proximity Badge off and then on, and select it from the list.

When prompted, enter the password again. If the problem persists, unlock the computer using the Windows user name and password. Select Go to Windows to unlock in the navigation panel of the Unlock This Computer window.

Once you are logged on through Windows, reset the password.

Lost Active Proximity Badge

Use this topic as reference if you lost an Active Proximity Badge.

If you lost the Active Proximity Badge, request a new badge and an authorization code. The authorization code is required to associate the Wallet with the new Active Proximity Badge and to obtain temporary access to the Wallet in case the Active Proximity Badge is not readily available.

If you cannot connect to the IMS Server, provide the Help desk the request code displayed on the AccessAgent reset password screen so that Help desk can issue you an authorization code for offline access, which does not require IMS Server connectivity.

Cannot log on to Wallet using Active Proximity Badge

Use this topic as reference if you are unable to log on to a Wallet using an Active Proximity Badge.

These are the possible reasons for the Wallet logon failure:

- Incorrect password


  You might have entered an incorrect password. Enter the password again. Make sure that the Caps Lock key is not active and that the letters are entered in the correct case. If you have forgotten the password, request an authorization code so that you can reset the password.

- Damaged or corrupted Active Proximity Badge or reader

  If the Active Proximity Badge is damaged or corrupted, request a replacement.

- Unable to detect the Active Proximity Badge

  There might be a timeout for detecting the Active Proximity Badge, or the badge has been switched on for nine hours and has automatically switched off. Switch the badge off and then on again. If the problem persists, restart the computer. A substantial reduction in battery power might also be the reason why the Active Proximity Badge cannot be detected. In this case, replace the battery. If the problem is not resolved, the Active Proximity Badge might be damaged or corrupted. Replace the Active Proximity Badge with a new one.

Cannot register an Active Proximity Badge
Use this topic as reference if you cannot register the Active Proximity Badge with the IMS Server.

If you are unsuccessful in registering an Active Proximity Badge, one of the following scenarios can apply:

v Active Proximity Badge is already registered

If an Active Proximity Badge is already registered with the IMS Server, a message is displayed. The Active Proximity Badge has probably been used by another user but has not been revoked from the IMS Server. Return the Active Proximity Badge so that it can be revoked, and request a new Active Proximity Badge. A badge that is still registered to a previous user must not simply be handed on.

v Active Proximity Badge has been revoked

An Active Proximity Badge must be revoked when it is reported as lost. If you find the lost Active Proximity Badge and try to log on with it, a message is displayed that the badge has been revoked. To use the badge again, request an authorization code, and then register the badge again to associate it with the Wallet.

v Cannot detect Active Proximity Badge

Incorrect placement of the reader and badge can affect the signal. The reader and badge must be at the same level: if the reader is mounted on the monitor, the badge must be worn on the upper part of the body. Distance is not an issue, but objects between the badge and the reader (such as the desk, body, or keyboard) can affect the radio frequency signal. Even an arm passing in front of the reader can cause the signal to drop slightly. You can review the badge positioning demo at the following URL: http://www.ensuretech.com/support/documentation/movies/lockpositionlowres.mpg.


Windows password is not auto-injected during a change password retry in Microsoft Windows Vista

Use this topic as reference if the Windows password is not auto-injected during a change password retry in Microsoft Windows Vista.

The Windows password is not auto-injected if:

v you are using a workstation running Microsoft Windows Vista with a personal workstation configuration
v your Wallet is not cached
v you attempt a change password retry

To resolve this problem, cancel the change password screen and try to change the password again.

System does not accept authorization code
Use this topic as reference if the system does not accept the authorization code.

An authorization code is issued by a Help desk officer to a user. You can use the authorization code to temporarily log on to AccessAgent without a second authentication factor, or to reset a password.

If the system does not accept your authorization code, it can be because:

v You did not enter the correct authorization code. Make sure that the characters are entered in the correct order.
v You do not have the correct authorization code. An incorrect authorization code might have been communicated to you, or it might be incomplete (some characters missing). Authorization codes are also only valid for a limited period; depending on the authorization code validity, request a new authorization code.

System does not accept TAM E-SSO Password
Use this topic as reference if the system does not accept the TAM E-SSO password you provided.

The TAM E-SSO Password is used to authenticate the identity of the user before the user is given access to the system.

If the system does not accept your password, it can be because:

v You did not enter the correct password. If you have forgotten the password, request an authorization code from the Help desk so that you can reset the password. See also the IBM Tivoli Access Manager for Enterprise Single Sign-On User Guide for more information.
v You did not enter the password in the correct case. Check that the Caps Lock key is not active and that the letters are entered in the correct case.


Forgotten password
Use this topic as reference if you have forgotten your TAM E-SSO password.

To reset a password, you need:

v an authorization code from the Help desk officer or Administrator
v your secret
v a new password

System does not accept secret
Use this topic as reference if the system does not accept your secret.

The secret is used to help you reset your password in case you forget it. Registering a secret involves selecting one or more questions from a list and providing answers to these questions. If the system does not accept your secret, you might have entered it incorrectly. Enter the secret again. If the problem persists, sign up for a new Wallet; without the secret, the credentials stored in the old Wallet cannot be recovered.

Forgotten secret
Use this topic as reference if you forgot your secret.

The secret is used to retrieve the Windows user name and password and to retrieve the contents of the user Wallet. If you cannot remember the secret, you cannot access any of the user credentials stored in the Wallet. You have to sign up for another Wallet.

Password entries do not match
Use this topic as reference if you are prompted with an "entries do not match" message.

If, while trying to change the password, you are prompted with a message that the entries in the New password and Confirm password fields do not match, enter the new password again in the New password field and make sure to enter the same password in the Confirm password field.

Incorrect password length
Use this topic as reference if you are prompted with an incorrect password length message.

Password length is configurable by the Administrator. The password length can range from 6 to 20 characters, depending on the preference of the organization.

If you are trying to change the password and the new password is shorter than the minimum number of required characters, you are prompted to enter a password within the required length. Enter a new password that complies with the password length policy.


No network connection during change password

You cannot change password if there is no network connection detected. Make sure you have a network connection before you try changing the password again.

Problems downloading the machine Wallet
Use this topic as reference if you encounter problems in downloading the machine Wallet. When a machine starts up with a missing machine Wallet, AccessAgent attempts to create the machine Wallet by downloading the latest policies and AccessProfiles from the current IMS Server.

Problems occur if the IMS Server is inaccessible or if AccessAgent cannot successfully download the policies and AccessProfiles from the IMS Server.

If the IMS Server is not accessible, AccessAgent uses the policies and AccessProfiles specified in this file: C:\Program Files\Encentuate\all_sync_data.xml.

To confirm whether the machine Wallet is downloaded properly:
1. Run AccessStudio.
2. Load AccessProfiles from AccessAgent.
3. Click sso_site_web_ims_admin under AccessProfiles.

The machine Wallet is correct if the @domain field on the right panel is set to the IMS Server name. The machine Wallet is not downloaded properly if the @domain field is $hostname.

If AccessAgent cannot successfully download the policies and AccessProfiles from the IMS Server despite several manual synchronization attempts, you can edit the policies and AccessProfiles directly in the all_sync_data.xml file.

To refresh the machine Wallet, see "Refreshing the machine Wallet."

For some deployments, a workstation can only connect to the network after a user logs on to Windows.

Because AccessAgent must download system data from the IMS Server during the first startup after installation, and no network connection is available before a user logs on, that download fails. For this reason, AccessAgent is inaccessible on first startup.

A workaround is for the first user to bypass EnGINA and log on to Windows directly. After that, subsequent users can log on normally through EnGINA. An alternative is to include the latest IMS Server all_sync_data.xml file in the installation package.

For more information, see “Including the all_sync_data.xml file in the installation package” on page 53.

Refreshing the machine Wallet
Follow this procedure to refresh the machine Wallet.


Procedure
1. Log off from AccessAgent (if you are logged on).
2. Kill the AccessAgent processes: AATray.exe, DataProvider.exe, and Sync.exe.
3. Stop the SOCIAccess service using net stop sociaccess. The SOCIAccess service automatically replaces any deleted machine Wallet file, so it must be stopped before the next step.
4. Delete the machine Wallet.
5. Restart the machine.

Including the all_sync_data.xml file in the installation package
An alternative procedure to download the machine Wallet is to include the all_sync_data.xml file in the installation package.

Procedure
1. Launch AccessStudio.
2. Select Tools > Backup System Data from IMS to File.
3. Click Backup.
4. Save all_sync_data.xml in the Config folder of the AccessAgent installer package.

Cannot log on to cached Wallets
Use this topic as reference if you cannot log on to cached Wallets.

If you can log on to AccessAgent when the IMS Server is online, but cannot log on to cached Wallets while the IMS Server is offline, the cached Wallets may be corrupted. For such cases, delete all cached user Wallets and try logging on again.

Enable the AccessAgent right-click option for Delete user Wallets by setting the machine policy pid_wallet_delete_enabled to 1, which can be set through the registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate\Temp]"WalletDeleteEnabled".

Note: The menu item is only available when no users are logged on to AccessAgent. The user Wallets are deleted, not the machine Wallet. If this feature is used on a Citrix or Terminal Server or a workstation with Local User Session Management (LUSM) enabled, ensure that one desktop session is running while deleting the Wallets. If multiple sessions are running, AccessAgent may not function properly in the other sessions.

Cannot log on to Wallet after an AccessAgent installation
Use this topic as reference if you cannot log on to the Wallet after you installed AccessAgent.

If you are using a version of AccessAgent before 3.3.1.4, there is a bug that prevents users from logging on if the machine Wallet is larger than 2 MB. This can happen if there is a large number of AccessProfiles.

When you attempt to log on to AccessAgent, you are prompted with the message: You do not have a Wallet stored on this computer. However, you cannot download your Wallet from IMS Server because network connectivity is currently unavailable. Please try again later.


To resolve this problem, you can:

v upgrade to AccessAgent version 3.3.1.4 or above
v reduce the number of AccessProfiles so that the machine Wallet is less than 2 MB in size

Note: Failure to log on to AccessAgent can also be due to any of the problems listed in “Connecting to the IMS Server” on page 35.

Incorrect Windows user account
Use this topic as reference if you are prompted that you are using an incorrect Windows user account.

Before signing up for a Wallet, you must first enter the Windows user name and password so that these credentials are stored in the Wallet. The user name and password are verified with Windows. If the entered credentials do not match, an error message is displayed.

Enter the credentials again, but make sure to:

v enter the correct user name and password
v check that the Caps Lock key is not active
v check that the characters are entered in the correct case

Wallet has been locked
Use this topic as reference if your Wallet has been locked.

The Wallet is locked after a predefined number of unsuccessful attempts to log on due to incorrect password. The number of allowed failed logon attempts can be configured by the Administrator.

Validity period of temporary access to Wallet has expired
Use this topic as reference if your temporary access to the Wallet has expired.

If you are given temporary access to the Wallet, the access is only valid for a predefined time. When the validity of the temporary access expires, you can no longer use the Wallet. Request for a new authorization code so that you can access the Wallet.

Cannot use existing cached Wallet on the same machine
Use this topic as reference if you cannot use an existing cached Wallet on the same machine.

If you cannot use the copy-protected cached Wallet on the same machine, it can be caused by a WMI service malfunction on the machine or by a change in the machine hardware (for example, BIOS or motherboard), which produces a different hardware identification.

If you encounter this issue:

v For a WMI service malfunction, fix the WMI service on the machine.
v For hardware changes, no action is required. A new Wallet is cached automatically.


Cannot use shared cached Wallet
Use this topic as reference if you cannot use a shared cached Wallet.

A shared cached Wallet cannot be used if copy protection is enabled. For shared Wallet deployments, disable the copy-protection policy.

For more information, see pid_wallet_cache_security_enabled in the IBM Tivoli Access Manager for Enterprise Single Sign-On Policies Definition Guide.

TAM E-SSO Password not synchronized with enterprise directory password

Use this information as reference if the TAM E-SSO Password and enterprise directory password are not synchronized.

Expected behavior
1. As an Administrator, set Synchronize user password with the password in the enterprise directory to Yes in the IMS Configuration Utility.
2. The TAM E-SSO Password of the user is synchronized with the enterprise directory password.
3. The user changes the enterprise directory password.
4. The user can use the new password as the TAM E-SSO Password.

Current behavior
1. The user changes the enterprise directory password.
2. The user cannot log on to AccessAgent using the new enterprise directory password. However, the user can use the old enterprise directory password to log on to AccessAgent.

This behavior means that the TAM E-SSO Password and the enterprise directory password are not synchronized.

This problem occurs if the enterprise directory is not the Active Directory. Password synchronization is only supported if the enterprise directory is the Active Directory.

If the enterprise directory is not the Active Directory, the password synchronization feature must be disabled. Changes to the enterprise directory password and changes to the TAM E-SSO Password do not affect each other.


Chapter 6. Other issues

See these topics to troubleshoot other problems not specifically related to Tivoli Access Manager for Enterprise Single Sign-On components.

v “Unable to verify credentials”
v “Failure to connect to named instance of SQL Server 2000 database”
v “Error message when installing MOM 2005” on page 58
v “DCOM disabled error message when installing MOM Agent” on page 58
v “Performance data not available in MOM reports” on page 58
v “Error message when installing MOM Reporting” on page 59
v “Internet Explorer is set to offline” on page 59
v “Internet Explorer might crash if launched from the credential provider in Microsoft Windows Vista” on page 59

Unable to verify credentials
Use this topic as reference if the credentials cannot be verified.

If you are configuring the ADSI Connector and are prompted that the credentials cannot be verified, it is because the computer has not joined the domain. Verify that the computer has joined the domain.

Failure to connect to named instance of SQL Server 2000 database
Use this topic as reference if you are unable to connect to a named instance of a SQL Server 2000 database.

If you are upgrading from an IMS Server version earlier than 3.3.1.4, the upgrade might fail if the IMS Server database is a named instance of a SQL Server 2000 database.

If you encounter the message "There was a problem uploading all_storage_templates.xml.", the cause is that the Microsoft SQL Server 2000 JDBC driver used before IMS Server version 3.3.1.4 ignored the database port number field when a named instance was used, so a wrong port number in the configuration went unnoticed until now. This prevents the IMS Server from connecting to the database.

The SQL Server 2005 JDBC driver, used in IMS Server version 3.3.1.4 and above, does not ignore the port number field, so the database connection fails if the port number is wrong.

To fix this problem during an IMS Server upgrade, modify the IMS Server configuration file to correct the port number:

v Provide the correct port number in the following keys in the ims.xml file (found in <IMS Installation Folder>\ims\config): ds.ims.rdb.uri and ds.ims_log.rdb.uri. For example, if the correct port number is 1074, replace jdbc:microsoft:sqlserver://serverName\instanceName:1433 with jdbc:microsoft:sqlserver://serverName\instanceName:1074.


Note: You can find the port number that the instance is running on by clicking on Start > All Programs > Microsoft SQL Server > Server Network Utility. Choose TCP/IP. Click Properties. Right-click on database server and select Properties.

v For a fresh IMS Server installation, make sure that the specified port number in the installation wizard is correct.
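The port correction above is a small edit, but it is easy to miss the second key or to mistype the URI. The following PowerShell script is an added example written for this page, not a tool shipped with the IMS Server: it backs up ims.xml, reports every named-instance JDBC URI it finds, and rewrites only the port component. It assumes ims.xml stores the URIs as plain text in the jdbc:microsoft:sqlserver://host\instance:port form shown in the guide and does not depend on the surrounding key layout; the default file path is built from the guide's <IMS Installation Folder>\ims\config location and is an assumption.

```powershell
# Added example (not part of the IBM guide): fixes the JDBC port in ims.xml before an
# IMS Server upgrade. Assumptions: the URIs appear as jdbc:microsoft:sqlserver://host\instance:port,
# and <IMS Installation Folder> is C:\Program Files\Encentuate (adjust -ImsXml if it is not).
param(
    [Parameter(Mandatory)] [int] $Port,     # the port the named instance listens on, e.g. 1074
    [string] $ImsXml = 'C:\Program Files\Encentuate\ims\config\ims.xml'
)

$ErrorActionPreference = 'Stop'
if ($Port -lt 1 -or $Port -gt 65535) { throw "Port $Port is out of range" }

$text = Get-Content -Path $ImsXml -Raw

# Warn if either key named by the guide is absent; the URI rewrite below still runs on whatever is found.
foreach ($key in 'ds.ims.rdb.uri', 'ds.ims_log.rdb.uri') {
    if ($text -notmatch [regex]::Escape($key)) { Write-Warning "Key $key not found in $ImsXml" }
}

# Group 1 = host, group 2 = instance name, group 3 = the port currently configured.
$pattern = 'jdbc:microsoft:sqlserver://([^\\\s:"<]+)\\([^:\s"<]+):(\d+)'
$found = [regex]::Matches($text, $pattern)
if ($found.Count -eq 0) { throw "No named-instance JDBC URI found in $ImsXml; nothing to fix" }

foreach ($m in $found) {
    Write-Host ('{0}\{1}: port {2} -> {3}' -f $m.Groups[1].Value, $m.Groups[2].Value, $m.Groups[3].Value, $Port)
}

# Keep a timestamped copy before touching the live configuration.
$backup = '{0}.bak-{1}' -f $ImsXml, (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -Path $ImsXml -Destination $backup
Write-Host "Backup written to $backup"

# ${1} and ${2} are .NET replacement group references; the backslash is literal in a replacement string.
$fixed = $text -replace $pattern, ('jdbc:microsoft:sqlserver://${1}\${2}:' + $Port)
Set-Content -Path $ImsXml -Value $fixed -NoNewline
Write-Host ("Rewrote {0} URI(s) in {1}" -f $found.Count, $ImsXml)
```

Run it as `.\Fix-ImsJdbcPort.ps1 -Port 1074` after reading the port from the Server Network Utility as described in the note above, then retry the upgrade.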

Error message when installing MOM 2005
Use this topic as reference if you encounter an error message when you install MOM 2005.

If you are prompted with the message, Microsoft SQL Server 2000 SP3a or above required when you install MOM 2005, see Microsoft KB 902803: You receive a "Microsoft SQL Server 2000 SP3a or above required" error message when you try to install MOM 2005.

DCOM disabled error message when installing MOM Agent
Use this topic as reference if you encounter an error message when installing the MOM Agent.

About this task

If you are prompted with the message The MOM Server detected that DCOM was disabled on the remote computer, enable DCOM on the remote computer.

Procedure
1. Open Component Services: select Start > Run, then enter dcomcnfg.
2. Select Console Root > Component Services > My Computer.
3. Right-click My Computer and select Properties.
4. In the My Computer Properties dialog, select the Default Properties tab.
5. Make sure that the Enable Distributed COM on this computer option is selected.

Performance data not available in MOM reports
Use this topic as reference if performance data are not included in the MOM reports.

About this task

Follow these steps to include performance data in MOM reports.

Procedure
1. Open the MOM Administrator console.
2. Select Console Root > Microsoft Operations Manager (SERVER_NAME) > Administration > Computers > Agent-managed Computers.
3. Right-click the computer with the MOM agent installed, then select Run Attribute Discovery Now.


Error message when installing MOM Reporting
Use this topic if you encounter an error message when you install the MOM Reporting tool.

If you are prompted with the message Failed to create data source for data warehouse when you install MOM Reporting, see Microsoft KB 555533: "Failed to create data source for data warehouse" error when you are installing MOM Reporting.

Internet Explorer is set to offline
Use this topic as reference if your Internet Explorer is offline.

If you launch an Internet Explorer window and you see a network connection-related message, Internet Explorer might be set to offline mode.

Check whether Internet Explorer is offline by opening the File menu in Internet Explorer. If the Work Offline option is selected, you cannot connect to the Internet. Clear the Work Offline option to connect to the Internet and use Internet Explorer.

Internet Explorer might crash if launched from the credential provider in Microsoft Windows Vista

Use this topic as reference if Internet Explorer crashed.

About this task

Internet Explorer might crash if you launch it from the credential provider in Microsoft Windows Vista. The crash is caused by a Yahoo toolbar plug-in. Uninstall the Yahoo toolbar plug-in to prevent Internet Explorer from crashing.


Chapter 7. Deployment and configuration tips

See these topics for additional tips that might be useful to professional services.

v “Switching to another IMS server”
v “Copying AccessProfiles between IMS Servers” on page 62
v “Deleting a user without revoking” on page 63
v “Promoting a user to Administrator role” on page 63
v “Specifying the IMS Server database user account” on page 64
v “Configuring the ADAM Server” on page 64
v “Using machine group tags” on page 66
v “Improving AccessAgent performance” on page 67
v “Checking whether a cached Wallet is copy protected” on page 67
v “Enabling RFID readers for AccessAgent running in VMware” on page 67
v “Uninstalling AccessAgent in private desktops” on page 67
v “Private desktop with Websense Internet content filtering services” on page 68

Switching to another IMS server
Use this topic as reference if you want to switch to another IMS™ server on a client machine or to a different IMS server.

Switching to another IMS server on the client machine

Before you begin

Back up the existing Cryptoboxes folder to another location so that you can switch back to the original IMS Server.

About this task

If you want to switch to another IMS server on the client machine, perform the following procedure.

Procedure
1. Set the machine policy pid_ims_server_name by editing the registry value [HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate\IMSService\DefaultIMSService]"ImsServerName".
2. Download the IMS Server certificate by running C:\Program Files\Encentuate\SetupCertDlg.exe. Confirm that the certificate presented belongs to the intended IMS Server before you accept it.
3. Log off from AccessAgent (if you are logged on).
4. Kill these AccessAgent processes:
v AATray.exe
v DataProvider.exe
v Sync.exe
5. Stop the SOCIAccess service using net stop sociaccess.
6. Delete the entire C:\Program Files\Encentuate\Cryptoboxes folder.


7. Restart the machine.

Note: If a machine Wallet is missing and you restart the machine, AccessAgent recreates the machine Wallet by downloading the latest policies and AccessProfiles from the current IMS Server.
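The procedures "Refreshing the machine Wallet" and "Switching to another IMS server on the client machine" share the same sequence: stop the AccessAgent processes, stop SOCIAccess (which would otherwise recreate the Wallet file), delete the machine Wallet, restart. The following PowerShell script is an added example written for this page, not a script shipped with AccessAgent. It assumes that the machine Wallet lives under the Cryptoboxes folder (the folder the guide deletes to force a re-download), that the ImsServerName registry value holds the server host name, and that it is run from an elevated prompt after you have logged off from AccessAgent. Without -NewImsServer it only refreshes the machine Wallet; with it, it also repoints the client and launches the certificate download.

```powershell
# Added example (not from the IBM guide): refreshes the AccessAgent machine Wallet and,
# optionally, switches the client to another IMS Server.
# Assumptions: the machine Wallet is stored in <InstallDir>\Cryptoboxes, ImsServerName is a
# plain host name, and the script runs elevated. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string] $NewImsServer,                          # omit to only refresh the machine Wallet
    [string] $InstallDir = 'C:\Program Files\Encentuate',
    [string] $BackupRoot = 'C:\AccessAgentBackup'    # where the Cryptoboxes copy is kept
)

$ErrorActionPreference = 'Stop'
$cryptoboxes = Join-Path $InstallDir 'Cryptoboxes'
$imsKey      = 'HKLM:\SOFTWARE\Encentuate\IMSService\DefaultIMSService'

# 1. Preserve the current Cryptoboxes so the original IMS Server can be restored later
#    (see "Switching to a different IMS Server if you already have the Cryptoboxes backed up").
if (Test-Path $cryptoboxes) {
    $backup = Join-Path $BackupRoot ('Cryptoboxes-{0}' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $backup -Force | Out-Null
    Copy-Item -Path (Join-Path $cryptoboxes '*') -Destination $backup -Recurse
    Write-Host "Backed up Cryptoboxes to $backup"
}

# 2. Repoint the client (machine policy pid_ims_server_name) and fetch the new server certificate.
#    SetupCertDlg.exe is interactive: check that the certificate shown is the intended server's.
if ($NewImsServer) {
    $old = (Get-ItemProperty -Path $imsKey -Name ImsServerName).ImsServerName
    if ($PSCmdlet.ShouldProcess($imsKey, "ImsServerName '$old' -> '$NewImsServer'")) {
        Set-ItemProperty -Path $imsKey -Name ImsServerName -Value $NewImsServer
        Start-Process -FilePath (Join-Path $InstallDir 'SetupCertDlg.exe') -Wait
    }
}

# 3. Stop the AccessAgent processes, then the SOCIAccess service. The service must be down
#    before the Wallet is deleted, otherwise it replaces the deleted file immediately.
foreach ($name in 'AATray', 'DataProvider', 'Sync') {
    Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
}
Stop-Service -Name 'SOCIAccess' -Force

# 4. Remove the machine Wallet. On the next start AccessAgent downloads the latest policies
#    and AccessProfiles from whichever IMS Server ImsServerName now points to.
if ($PSCmdlet.ShouldProcess($cryptoboxes, 'Delete machine Wallet folder')) {
    Remove-Item -Path $cryptoboxes -Recurse -Force -ErrorAction SilentlyContinue
}

# 5. Restart so the machine Wallet is recreated.
if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart-Computer')) {
    Restart-Computer -Force
}
```

Run `.\Reset-MachineWallet.ps1 -WhatIf` first to see which registry value, folder and service would be touched; `-NewImsServer ims2.example.com` (a placeholder name) performs the switch. If the IMS Server is unreachable at restart, AccessAgent falls back to all_sync_data.xml as described under "Problems downloading the machine Wallet".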

Switching to a different IMS Server if you already have the Cryptoboxes backed up

Before you begin

Back up the existing Cryptoboxes folder to another location so that you can switch back to the original IMS Server.

About this task

If you want to switch to a different IMS Server, perform the following procedure.

Procedure
1. Log off from AccessAgent (if you are logged on).
2. Kill these AccessAgent processes:
v AATray.exe
v DataProvider.exe
v Sync.exe
3. Stop the SOCIAccess service using net stop sociaccess.
4. Restore the Cryptoboxes folder for the IMS Server.
5. Start the SOCIAccess service using net start sociaccess.
6. Run C:\Program Files\Encentuate\AATray.exe.

Copying AccessProfiles between IMS Servers
Use this topic as reference if you want to copy all AccessProfiles from one IMS Server to another to save time and effort in deployment.

Before you begin

Set the machine policy pid_ims_server_name to the source IMS Server, the one whose AccessProfiles you want to copy. For more information on the policy, see the IBM Tivoli Access Manager for Enterprise Single Sign-On Policies Definition Guide.

Procedure
1. Run AccessStudio.
2. Click Download from IMS Server.
3. Save to a file (.EAS) and exit from AccessStudio.
4. Set the machine policy pid_ims_server_name to the target IMS Server.
5. Run AccessStudio.
6. Open the saved file.
7. Click Upload All to IMS Server.


Deleting a user without revoking
Use this topic as reference if you want to delete a user without revoking the user name.

About this task

When a user is revoked through AccessAdmin, the user name can no longer be used. If you want to reuse a user name, delete the user without revoking the user name.

Procedure
1. In AccessAdmin, display the user profile you want to delete.
2. Modify the user name (for example, deleteduser94).
3. Click Update.
4. (Optional) Revoke the renamed user.
5. Remove the cached Wallets of the original user that can be stored on the client PC hard disks.

What to do next

If you want to enable the Delete User button in AccessAdmin, use the IMS Configuration Utility.

In the IMS Configuration Utility, select Advanced Settings > AccessAdmin > User Interface > Delete User Button.

Important: After performing this task, restart the IMS service to enable the Delete User button.

Promoting a user to Administrator role
When a new user is registered, the user is not automatically assigned an Administrator or Help desk role unless the user profile was configured during the IMS Server installation. Only an Administrator can promote a user to an Administrator role using AccessAdmin. Use this topic as reference for promoting a user to Administrator role.

If there are no more Administrators in the IMS database (for example, the only Administrator has left the company and no one knows the password), you can promote a user to an Administrator role directly through the database. You must have database Administrator rights to change the user role in the database.

Follow this procedure to promote a user to Administrator role:
1. Launch the database management user interface.
2. Open the IMSIdentityUniqueAttribute table to read off the imsID that refers to the target user.
3. Open the IMSIdentityRole table and set the roleID to 6 for the imsID identified earlier. The roleID of 6 is defined for ImsAdmin in the IMSRole table.
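Editing a role row by hand in a database GUI is error-prone, and a mistyped imsID silently promotes the wrong account. The following PowerShell script is an added example for this page, not a tool provided with the IMS Server: it performs step 3 inside a transaction and commits only if exactly one IMSIdentityRole row changes. It uses only the table and column names the guide mentions (IMSIdentityRole, imsID, roleID = 6 for ImsAdmin); the imsID is passed in after you read it off IMSIdentityUniqueAttribute as in step 2. The SQL Server backend, the Windows-integrated login and the database name are assumptions.

```powershell
# Added example (not from the IBM guide): sets roleID = 6 (ImsAdmin) for one imsID in
# IMSIdentityRole, rolling back unless exactly one row is affected.
# Assumptions: SQL Server backend, integrated Windows login with database administrator
# rights, and an IMS database name supplied via -Database (the default is a placeholder).
param(
    [Parameter(Mandatory)] [string] $ImsId,       # read off IMSIdentityUniqueAttribute (step 2)
    [Parameter(Mandatory)] [string] $SqlServer,   # e.g. 'dbhost\instance'
    [string] $Database = 'imsdb'                  # placeholder: use the real IMS database name
)

Add-Type -AssemblyName System.Data
$ImsAdminRoleId = 6   # roleID defined for ImsAdmin in the IMSRole table

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlServer;Database=$Database;Integrated Security=SSPI")
$conn.Open()
$tx = $conn.BeginTransaction()
try {
    # Show the current role so the operator can see what is being changed.
    $show = $conn.CreateCommand()
    $show.Transaction = $tx
    $show.CommandText = 'SELECT roleID FROM IMSIdentityRole WHERE imsID = @id'
    [void]$show.Parameters.AddWithValue('@id', $ImsId)
    $current = $show.ExecuteScalar()
    if ($null -eq $current) { throw "No IMSIdentityRole row for imsID $ImsId; check the imsID" }
    Write-Host "imsID $ImsId currently has roleID $current"

    # Parameterised update; the imsID never reaches the SQL text as a literal.
    $update = $conn.CreateCommand()
    $update.Transaction = $tx
    $update.CommandText = 'UPDATE IMSIdentityRole SET roleID = @role WHERE imsID = @id'
    [void]$update.Parameters.AddWithValue('@role', $ImsAdminRoleId)
    [void]$update.Parameters.AddWithValue('@id', $ImsId)
    $rows = $update.ExecuteNonQuery()
    if ($rows -ne 1) { throw "Update would change $rows rows instead of 1; rolling back" }

    $tx.Commit()
    Write-Host "imsID $ImsId is now roleID $ImsAdminRoleId (ImsAdmin)"
} catch {
    $tx.Rollback()
    throw
} finally {
    $conn.Close()
}
```

Take a database backup before running it, and remove the emergency promotion (or demote the account through AccessAdmin) once a regular Administrator account is available again.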


Specifying the IMS Server database user account Use this topic as reference if you encounter a problem related to the IMS Server database user account.

Installation fails if you specify the SA account as the IMS Server database user account. The IMS Server database user account must be different from the SA account.

Configuring the ADAM Server
Use this topic as reference for tips on configuring ADAM so that the LDAP connector can connect to it using SSL.

See these topics for more information.

v “Installing certificates”
v “Using the certificate with the ADAM service”
v “Verifying that SSL is working with the ADAM Server” on page 65
v “Running ADAM service with a domain user account” on page 65
v “Importing the root CA certificate into the WebSphere Application Server trust store” on page 66

Check the ADAM Step-by-Step Guide from the Microsoft Download Center for the detailed configuration instructions.

Installing certificates
To create a certificate, you have to install IIS and a Certificate Authority.

Before you begin

IIS must be installed before or at the same time as you install the certificate services.

For information on installing IIS, see the Microsoft documentation or go to their website at http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/iiiisin2.mspx?mfr=true.

Procedure
1. Select Start > Control Panel > Add/Remove programs > Add/Remove Windows Components.
2. Select the Certificate services check box.

What to do next

When the installation is complete, request a certificate from the following URL using Internet Explorer: http://localhost/certsrv.

Using the certificate with the ADAM service
To configure the ADAM service to use the certificate, place the certificate in the ADAM service personal store.


Procedure
1. Click Start > Run, and enter mmc to launch the Microsoft Management Console.
2. Click File > Add/Remove snap-in.
3. Click Add... and select Certificates.
4. Select Service account.
5. Select Local computer.
6. Select your ADAM instance service.
7. Add a new Certificates snap-in. This time select My user account instead of Service account.
8. Click Close and OK.
9. Open the Personal folder under the Certificates - Current user tree.
10. Select the certificate and copy it into the same location under Certificates - adam instance name.
11. Give the ADAM service account read permissions to the key under C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys.

Important: If these permissions are not set correctly, you get an error in the event log: Schannel ID: 36870 - A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x6.

12. Restart your ADAM instance.

Verifying that SSL is working with the ADAM Server

Procedure
1. Run the ADAM Tools Command Prompt from your ADAM program group.
2. Type ldp and press Enter.
3. Select Connection > Connect....
4. Type the fully-qualified DNS name of your server in the Server field. localhost does not work, because the DNS name is checked against the name in the certificate.
5. Enter the SSL port of your ADAM installation (for example, 636 or 50001, or the port you chose during the installation of ADAM).
6. Select the SSL check box and click OK. If the connection is successful, the system displays text in the right window.

What to do next

You can now bind using the Connection > bind...functionality.
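The ldp check above is manual. The following PowerShell function is an added example for this page, not part of the product or of the ADAM tools: it performs the same TLS handshake against the ADAM SSL port from a script, passing the server's fully-qualified DNS name so that the certificate name is validated exactly as step 4 requires, and it prints the certificate subject and any policy errors so that a chain or name mismatch is visible instead of a bare failure. It assumes the CA that issued the ADAM certificate is trusted on the client running the check; the host name and port values in the usage line are placeholders.

```powershell
# Added example (not from the IBM guide): checks LDAPS on an ADAM instance the way ldp does,
# completing a TLS handshake against the server FQDN so the certificate name is verified.
# Assumption: the issuing CA is trusted by this client; otherwise the chain check fails.
param(
    [Parameter(Mandatory)] [string] $ServerFqdn,   # e.g. adam01.example.com, not localhost
    [int] $Port = 636                              # or 50001, or the port chosen at ADAM install
)

function Test-AdamSsl {
    param([string] $Fqdn, [int] $Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Fqdn, $Port)
        # Log what the server presented, then apply the default policy: chain and name must both pass.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $policyErrors)
            Write-Host ('Server certificate: {0}' -f $cert.Subject)
            Write-Host ('Issued by:          {0}' -f $cert.Issuer)
            Write-Host ('Policy errors:      {0}' -f $policyErrors)
            return $policyErrors -eq [System.Net.Security.SslPolicyErrors]::None
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # The target host passed here is what the certificate name is checked against.
        $ssl.AuthenticateAsClient($Fqdn)
        Write-Host ('{0} established with {1}:{2}' -f $ssl.SslProtocol, $Fqdn, $Port)
        $ssl.Close()
        return $true
    } catch {
        Write-Warning ('LDAPS check failed for {0}:{1}: {2}' -f $Fqdn, $Port, $_.Exception.Message)
        return $false
    } finally {
        $client.Close()
    }
}

if ($ServerFqdn -in 'localhost', '127.0.0.1') {
    Write-Warning 'Use the FQDN that appears in the certificate; localhost never matches it'
}
Test-AdamSsl -Fqdn $ServerFqdn -Port $Port
```

A RemoteCertificateNameMismatch in the policy errors means the name you connected with is not in the certificate; RemoteCertificateChainErrors means the issuing CA is not trusted on the client, which is the same condition the WebSphere trust store import below fixes on the IMS Server side.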

Running ADAM service with a domain user account
To use a non-administrative domain user account (for example, domainUser1) as the ADAM service account, perform the following procedure.

Procedure
1. Log on to Windows as domainUser1 when requesting a server authentication certificate.
2. In the certificate request page, mark the private key as exportable.
3. After installing the generated certificate into the domainUser1 personal certificate store, open Certificates.


4. Export the certificate with its private key.
5. Log on to Windows as Administrator and open Certificates.
6. Import the certificate into the ADAM service instance personal certificate store.
7. When granting domainUser1 read permission on private keys in C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys, set the permission individually for each file, because permissions on the MachineKeys folder are not inherited.

Importing the root CA certificate into the WebSphere Application Server trust store

For the IMS Server to recognize the ADAM server when establishing an SSL connection, import the root CA certificate that signed the ADAM server certificate into the WebSphere Application Server trust store.

The import can be done by executing the following steps:
1. Log in to the WebSphere Integrated Solutions Console.
2. Select Security > SSL certificate and key management.
3. Click Key stores and certificates on the right panel.
4. Click NodeDefaultTrustStore.
5. Click Signer certificates.
6. Click Add.
7. Fill in the input fields.
8. Click OK.
9. Save the changes.
10. Restart the WebSphere Application Server.

Using machine group tags

At some customer sites, machines might not be organized into Active Directory security groups, and there might not be specific naming conventions for machines. Use this topic as reference on using machine group tags.

For example, during deployments, there is no way to determine which workstations are shared workstations or personal workstations.

If a deployment can be set up to use machine group tags, it is possible to prepare different installation packages (one for personal workstations, one for shared desktops, one for private desktops, etc.) and use the appropriate one to install on each workstation.

It is also possible to use WMI scripts to push out the machine group tag through an Active Directory GPO, so that machine policy templates (MPTs) are assigned accordingly.

Set the machine policy template assignment criteria so that the system can automatically assign the correct policy template to each machine during deployment.

Use the registry setting MachineTag in the DeploymentOptions.reg file to allow machines to be grouped according to which machine policy templates should be assigned to the machines.


If a machine has not been registered, it will register itself with the IMS Server with the machine group tag as one of the attributes. The machine policy templates assignment criteria of the IMS Server can include machine group tag as an attribute value to be matched. In this way, the machine group tag can determine how machine policy templates are assigned.

After a machine has been registered, the machine group tag can still be modified by AD GPO or any other registry value push mechanism.

AccessAgent detects that the value of the machine group tag has changed and reregisters itself with the IMS Server. If the new value matches the assignment criteria of another machine policy template, that template is assigned to the machine.

For more information on the policy pid_machine_tag, see IBM Tivoli Access Manager for Enterprise Single Sign-On Policies Definition Guide.
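One way to push the tag is a GPO computer startup script that derives it from where the computer object sits in Active Directory and writes the MachineTag value. The script below is an added example, not from this guide or from IBM: the registry key path is a placeholder that you must replace with the key from your DeploymentOptions.reg, and the OU names and tag values are assumptions. It writes only when the value changes, because a changed value makes AccessAgent reregister with the IMS Server.

```powershell
# Added example, not part of the IBM guide. GPO startup script that sets the MachineTag
# registry value from the computer's OU so that machine policy template assignment
# criteria on the IMS Server can match on the tag.
# Assumptions: $DeploymentOptionsKey is a placeholder for the key in DeploymentOptions.reg;
# the OU names and tag values are examples.
$DeploymentOptionsKey = 'HKLM:\SOFTWARE\Example\DeploymentOptions'   # placeholder: take the real path from DeploymentOptions.reg

# Ordered rules: the first OU fragment found in the computer's DN wins.
$TagRules = @(
    @{ Ou = 'OU=Shared Workstations'; Tag = 'shared' },
    @{ Ou = 'OU=Private Desktops';    Tag = 'private' }
)

function Get-MachineTagFromDn {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerDn,
        [object[]]$Rules = $TagRules,
        [string]$Default = 'personal'                      # tag for machines in no listed OU
    )
    foreach ($rule in $Rules) {
        # Case-insensitive match on the RDN text, for example 'OU=Shared Workstations'
        if ($ComputerDn -match [regex]::Escape($rule.Ou)) { return $rule.Tag }
    }
    return $Default
}

function Set-MachineTag {
    param(
        [Parameter(Mandatory = $true)][string]$Tag,
        [string]$Key = $DeploymentOptionsKey
    )
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Key -Name MachineTag -ErrorAction SilentlyContinue).MachineTag
    # Write only on change: AccessAgent reregisters with the IMS Server when the tag changes,
    # so rewriting the same value at every start would be pointless churn.
    if ($current -ne $Tag) {
        Set-ItemProperty -Path $Key -Name MachineTag -Value $Tag -Type String
        return $true
    }
    return $false
}

# Read this computer's distinguished name from the domain. ADSystemInfo exposes its
# properties only through InvokeMember when used from PowerShell.
$sysInfo    = New-Object -ComObject ADSystemInfo
$computerDn = $sysInfo.GetType().InvokeMember('ComputerName', 'GetProperty', $null, $sysInfo, $null)

$tag     = Get-MachineTagFromDn -ComputerDn $computerDn
$changed = Set-MachineTag -Tag $tag
Write-Output "MachineTag=$tag (changed: $changed)"
```

Assign the script as a computer startup script (it runs as SYSTEM, which can write HKLM), and make sure the assignment criteria of each machine policy template on the IMS Server use exactly the tag strings the script writes.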

Improving AccessAgent performance

Use this topic as reference for improving the performance of AccessAgent.

AccessProfiles become large in-memory data objects when the AccessAgent DataProvider process parses them, and this can slow AccessAgent down. Removing unused AccessProfiles therefore improves AccessAgent performance. To remove an unused AccessProfile, right-click it and click Delete.

Checking whether a cached Wallet is copy protected

Use this topic as reference for checking if a cached Wallet is copy protected.

To check whether a cached Wallet is copy protected, open the Cryptobox file in a hex editor and look at bytes 29 through 32 from the beginning of the file: the value "01 00 00 EF" indicates that the Wallet is copy-protected.
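Reading four bytes at a fixed offset in a hex editor is error prone, so here is the same check as a PowerShell function. It is an added example, not code from this guide or from IBM; the offset and the marker value come from the paragraph above, and the path of the Cryptobox file is yours to supply.

```powershell
# Added example, not part of the IBM guide. Reports whether a Cryptobox file carries the
# copy-protection marker described above: bytes 29 to 32 (counting from 1) equal 01 00 00 EF.
# Assumption: the caller supplies the path; the guide does not state where the file lives.
function Test-WalletCopyProtected {
    param([Parameter(Mandatory = $true)][string]$Path)

    $marker = [byte[]](0x01, 0x00, 0x00, 0xEF)
    $offset = 28                                   # byte 29 counted from 1 is offset 28 counted from 0

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt $offset + $marker.Length) {
        throw "$Path is only $($bytes.Length) bytes long; too short to be a Cryptobox file"
    }

    $window   = $bytes[$offset..($offset + $marker.Length - 1)]
    $isMarker = $true
    for ($i = 0; $i -lt $marker.Length; $i++) {
        if ($window[$i] -ne $marker[$i]) { $isMarker = $false }
    }

    New-Object PSObject -Property @{
        Path          = $Path
        Bytes29To32   = ($window | ForEach-Object { $_.ToString('X2') }) -join ' '   # shown as in a hex editor
        CopyProtected = $isMarker
    }
}

# Usage (placeholder path):
# Test-WalletCopyProtected -Path 'C:\path\to\cryptobox-file'
```

The function only reads the file, so it is safe to run against a live cached Wallet; Bytes29To32 is included in the output so that an unexpected value can be compared with what the hex editor shows.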

Enabling RFID readers for AccessAgent running in VMware

Use this topic as reference for RFID readers for AccessAgent running in VMware.

Because an RFID reader is a Human Interface Device (HID), add the line usb.generic.allowHID = "TRUE" to the VMX file of the VMware image to enable RFID readers for AccessAgent running in VMware.

Uninstalling AccessAgent in private desktops

Use this topic as reference for uninstalling AccessAgent in private desktops.

To perform certain administrative actions, such as installing and uninstalling applications, the local Administrator account usually must be logged on to the default desktop. In private desktop mode, the default desktop is the one assigned to the first user who logs on. The default desktop is the desktop that is created and logged on with the generic Windows account when the machine starts.

However, for private desktops, the auto-admin logon account might not have Administrator rights.


Note: Be sure to uninstall AccessAgent by using one of the methods below. The installer might hang if you attempt to uninstall AccessAgent in a private desktop environment without first performing these steps.

To uninstall AccessAgent in a private desktop, do either of the following:
v Restart the machine, press and hold the Shift key until the Microsoft GINA appears, then log on manually as Administrator.
v Connect to the machine through remote desktop (RDP) and log on as Administrator.

Important: The second method is only applicable to AccessAgent 3.6 and higher versions.

If you are uninstalling AccessAgent from a private desktop, the uninstallation must be performed on either of the following desktops:
v On the default desktop, which is the Administrator desktop.
v On a non-default Administrator desktop, but the IMS Server location must be set in the setuphlp.ini file. For more information, contact your Administrator.

Private desktop with Websense Internet content filtering services

For deployments that use an Internet content filtering service (for example, Websense), the Internet router is configured to check with the filtering service and its database before permitting any Web traffic to pass.

Filtering is based on Active Directory groups, except for a few physician office VLANs that are filtered by IP range.

On shared machines, the credentials passed to Websense for filtering are those of the generic logon account, not those of the user who is actually running Internet Explorer on the machine.

Users who cannot be identified through transparent authentication (or users sharing a computer, such as in a Windows Terminal Services) are filtered by workstation or network policies, or by the Global policy.

Users on shared machines cannot be filtered by policies assigned to directory objects, because Websense identifies only the first user to log on to the workstation and does not recognize subsequent logons.

To resolve the issue, use one of the supported proxy servers that authenticate users (for example, Microsoft ISA Server or Microsoft Proxy Server).

For more information, see the Websense article "Can Websense function in a Terminal Server / Citrix Server / Thin Client environment?".


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation Licensing 2-31 Roppongi 3-chome, Minato-ku Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation 2Z4A/101 11400 Burnet Road Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.


Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at Copyright and trademark information (www.ibm.com/legal/copytrade.shtml).

Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.


Glossary

AccessAdmin. The management interface used by individuals with the Administrator role or the Help desk role to administer the IMS Server, and to manage users and policies.

AccessAgent. AccessAgent, or AA, is the client software that manages the user's identity, enabling sign-on/sign-off automation and authentication management.

AccessAssistant. The Web-based interface used to provide password self-help for users to obtain the latest credentials to logon to their applications.

AccessProfiles. Short, structured XML files that enable single sign-on or sign-off automation for applications. AccessStudio can be used to generate AccessProfiles.

AccessStudio. The interface used to create AccessProfiles required to support end-point automation, including single sign-on, single sign-off, and customizable audit tracking.

action. An act that can be performed in response to a trigger. For example, automatic filling of user name and password details as soon as a sign-on window displays. See also Trigger.

ActiveCode. Short-lived authentication codes that are controlled by Tivoli Access Manager for Enterprise Single Sign-On system. There are two types of ActiveCodes: random ActiveCodes and predictive ActiveCodes.

The generation of ActiveCodes can be triggered in one of two ways: time-based (for example, every minute or every day) or event-based (for example, pressing a button).

Combined with alternative channels or devices, ActiveCodes provide effective second-factor authentication.

Active Proximity Badge. Similar to an RFID card, but differs in its ability to be detected by a proximity reader from a considerably longer distance (such as two meters away).

AD. Microsoft Active Directory

AD GPO. Active Directory Group Policy Object.

ADAM. Active Directory Application Mode

Administrator role. A role that gives users the ability to use AccessAdmin to manage users, policies, and the IMS Server. The role is one of three Predefined Roles within the Tivoli Access Manager for Enterprise Single Sign-On system.

ADSI. Active Directory Service Interfaces

application. In AccessStudio, it refers to the system that provides the user interface for reading or entering the authentication credentials.

ARFID (Active RFID). ARFID is both a second factor and a presence detector. It can detect the presence of a user, and AccessAgent can be configured to perform specific actions.

authentication factor. The different devices, biometrics, or secrets required as credentials for validating digital identities (for example, passwords, smart card, RFID, biometrics, and one-time password tokens).

authentication service. Verifies the validity of an account. Applications authenticate against their own user store or against a corporate directory.

authorization code. An alphanumeric code generated by a Help desk user for administrative functions, such as resetting passwords or authentication factors for the Wallet; might be used one or more times based on policy.

auto-capture. A function that allows the system to remember user credentials (such as user names and passwords) for different applications. These credentials are captured as they are being used for the first time, and then stored and secured in the Wallet for future use.

auto-inject. A function that allows the system to automatically enter user credentials (such as user names and passwords) for different applications, through logon automation.

biometrics. The identification of a user based on a physical characteristic of the user, such as a fingerprint, iris, face, voice or handwriting.

CAPI. Microsoft Cryptography API

certificate authority (CA). A trusted third-party organization or company that issues the digital certificates. The certificate authority typically verifies the identity of the individuals who are granted the unique certificate.

CLT. Command Line Tool


control. Any field on a screen. Examples are a user name text box or an OK button on a Web page.

conventional single sign-on. Refers to Web-based single sign-on systems and typically requires server-side integration, with a centralized architecture.

credentials. User names, passwords, certificates, and any other information that is required for authentication. An authentication factor can serve as a credential. In Tivoli Access Manager for Enterprise Single Sign-On, credentials are stored and secured in the Wallet.

CSV file. A comma-separated value text file, commonly used to exchange files between database systems that use different formats.

DB. Database

Desktop Manager. Manages concurrent user desktops on a single workstation

directory. A structured repository of information on people and resources within an organization, facilitating management and communication.

DLL. Dynamic Link Library

DNS. Domain Name System. The distributed database system that maps domain names to IP addresses

EnGINA. Tivoli Access Manager for Enterprise Single Sign-On GINA, which replaces the Microsoft GINA. EnGINA provides a user interface that is tightly integrated with authentication factors and provides password reset and second-factor bypass options.

Enterprise Access Security (EAS). A technology that enables enterprises to simplify, strengthen and track access to digital assets and physical infrastructure.

Simplifying access improves time-to-information, user productivity, and convenience. Strengthening access allows stronger security and better risk management. Tracking access enables compliance.

EAS solutions are a new generation of identity management security products that reflect the convergence of logon or logoff automation, authentication management, centralized user access administration, the unification of logical (information), and physical (building) access control systems.

Enterprise Single Sign-On (E-SSO). A mechanism that allows users to log on to all applications deployed in the enterprise by entering a user ID and other credentials (such as a password). Many E-SSO products use sign-on automation technologies to achieve SSO—users logon to the sign-on automation system and the system logs on the user to all other applications.

FIPS. Federal Information Processing Standard. A standard produced by the National Institute of Standards and Technology when national and international standards are nonexistent or inadequate to satisfy the U.S. government requirements.

fortified password. An application password that is automatically changed by the system and not the user. In Tivoli Access Manager for Enterprise Single Sign-On , passwords might be fortified with Tivoli Access Manager for Enterprise Single Sign-On ActiveCodes.

GINA. Graphical Identification and Authentication

GPO. Group Policy Object of Active Directory. A collection of group policy settings. Group policy objects are the documents created by the group policy snap-in. Group policy objects are stored at the domain level, and affect users and computers contained in sites, domains, and organizational units.

Help desk role. A role that gives its owner the ability to manage certain groups of Tivoli Access Manager for Enterprise Single Sign-On Users (for example, perform password resets, issue authorization codes, and revoke access rights of users). This role is one of three Predefined Roles within the Tivoli Access Manager for Enterprise Single Sign-On system.

HID. Human Interface Device. An RFID reader is an example of an HID.

hybrid desktop. A term used to describe how organizations combine different session management capabilities to meet the needs of the user community.

IIS. Microsoft Internet Information Server

IMS Bridge. For extending functionalities of third party programs, allowing them to communicate with IMS Server.

IMS Configuration Utility. A utility of the IMS Server that allows Administrators to manage lower-level configuration settings for the IMS Server.

IMS Connector. Add-ons to the IMS Server that enable the IMS Server to interface with other applications as a client, extending the capability of the IMS Server. Examples include IMS Connectors for password change.

IMS Server. An integrated management system that provides a central point of secure access administration for an enterprise. It enables centralized management of user identities, AccessProfiles, authentication policies, provides loss management, certificate management, and audit management for the enterprise.

IMS Server Certificate. The certificate used to identify an IMS Server in Tivoli Access Manager for Enterprise Single Sign-On.


IMS Service Modules. Add-on modules that extend the basic services provided by the IMS Server (for example, user management, policy management, and certificate issuance).

IMSID. The 4-byte subsystem identification used by a given IMS job. For the shared-queues and data-sharing environment, each IMSID in the group must be unique; in other cases, each IMSID might not have to be unique.

iTag. A patent-pending technology that can convert any photo badge or personal object into a proximity device, which can be used for strong authentication

ITAM (IBM Tivoli Access Manager). An integrated solution that provides a wide range of authorization and management solutions. This product can be used on various operating systems platforms such as Unix (AIX®, Solaris, HP-UX), Linux, and Windows.

LDAP. Lightweight Directory Access Protocol

LUSM. Local User Session Management. A method for managing multiple desktops on a single workstation.

Mobile ActiveCode (MAC). A one-time password that is randomly generated, event-based, and delivered through a secure second channel (for example, SMS on mobile phones).

NetBIOS. A standard interface to networks and personal computers that is used on local area networks to provide message, print-server, and file-server functions. Application programs that use NetBIOS do not have to handle the details of LAN data link control (DLC) protocols.

One-Time Password (OTP). A one-use password generated for an authentication event (for example, password reset), sometimes communicated between the client and the server through a secure channel (for example, mobile phones).

password. A sequence of characters used to determine that a user requesting access to a system is the appropriate user.

personal applications. Windows and Web-based applications for which AccessAgent can store and enter credentials. Some enterprises might not allow the use of a Tivoli Access Manager for Enterprise Single Sign-On Key with personal applications. Password fortification also does not happen for personal applications.

Some examples of personal applications are Web-based mail sites such as Company Mail, Internet banking sites, Online shopping sites, chat or instant messaging programs and the like.

Personal Identification Number (PIN). A password, typically of digits, entered through a telephone keypad or automatic teller machine.

policy. Governs the operation of Tivoli Access Manager for Enterprise Single Sign-On, comprising two main sets: machine policies (managed through Windows GPO) and IMS-managed policies (managed through AccessAdmin).

Policy ID. Each policy is identified by its policy ID with pid in the prefix (for example, pid_Wallet_authentication_option).

policy template. A predefined policy form that helps users define a policy by providing the fixed policy elements that cannot be changed and the variable policy elements that can be changed.

presence detector. When affixed to a computer, this device detects when a person moves away from it, thus eliminating the need to manually lock the computer upon leaving it for a short time.

private desktop. Under this desktop scheme, users have their own Windows desktops in a workstation. When a previous user returns to the workstation and unlocks it, AccessAgent switches to the desktop session of the previous user and resumes the last task.

private key. An encryption or decryption key that is kept secret by its owner. It is one of a pair of two keys used for encryption and decryption in public key cryptography.

Radio Frequency Identification (RFID). A wireless technology that transmits product serial numbers from tags to a scanner, without human intervention.

random passwords. Generated passwords used to increase authentication security between clients and servers. Random password change is the process of modifying access codes between a client and a server using a random sequence of characters. This change can only happen when the client and the server are sharing a secured session as the random sequence has to be communicated between the two parties. The new random password can then be used to re-establish a secured session the next time the client needs to access the server.

RDP. Remote Desktop Protocol

register. Signing up for a Tivoli Access Manager for Enterprise Single Sign-On account, and registering a second factor (for example, smart card, RFID) with the IMS Server.

registry. Machine policies are typically configured in AccessAdmin, but can also be configured using the Windows registry when necessary. This configuration is especially true if the pid_machine_policy_override_enabled policy is set to Yes, which means Administrators must use the Windows registry to modify machine policies.


reset. Refers to resetting the authentication factors for a Wallet (offline or online). Offline resets allow a user to reset the Wallet while offline.

revoke. Refers to removing access to a Tivoli Access Manager for Enterprise Single Sign-On Key so it can no longer be used as an authentication factor for a Wallet.

roaming desktops. Under this desktop scheme, a user can disconnect from a desktop or application session at one client, log on to another client, and continue a desktop or application session at that new client.

RPC. Remote Procedure Call. A protocol that allows a program on a client computer to run a program on a server.

scope. A reference to the applicability of a policy, be it at the system, user, or machine level.

secret. Information known only to the user.

secret question. A question where the answer is known only to the user. As part of Tivoli Access Manager for Enterprise Single Sign-On's Knowledge-based authentication, users are asked a number of secret questions.

Secure Remote Access. The solution that provides Web browser-based single sign-on to all applications (for example, legacy, desktop, and Web) from outside the firewall.

security officer. An officer that defines the identity Wallet security policies and other application policies.

serial number. A unique number embedded in the Tivoli Access Manager for Enterprise Single Sign-On Keys, which is unique to each Key and cannot be changed.

server locator. Used to group a related set of Web applications that require authentication by the same authentication service. In AccessStudio server locators are used to identify the authentication service with which an application screen is associated.

Service Provider Interface (SPI). Designed for devices that contain serial numbers, like RFID, the SPI makes it easier for vendors to integrate any device with serial numbers and use it as a second factor in AccessAgent.

session. A logical or virtual connection between two stations, software programs, or devices on a network that allows the two elements to communicate and exchange data.

shared desktops. Under this desktop scheme, multiple users share a generic Windows desktop. Switching of users can be done quickly and efficiently.

sign-up. Requesting an account with the IMS Server. As part of the process, users are issued a Wallet. They can subsequently register one or more second factors with the IMS Server.

signature. Unique identification information for any application, window, or field.

single sign-on. A capability that allows a user to enter a user ID and password to access multiple applications.

smart card. A smart card is a pocket-sized card which is built to handle data using a network of embedded circuits. Smart cards can receive input from applications, and can also send out information (such as logon information).

SOAP. Simple Object Access Protocol

SSL. Secure Sockets Layer

states. Refers to Advanced AccessProfiles in AccessStudio. See Advanced AccessProfiles.

strong authentication. A solution that utilizes multi-factor authentication devices (such as smart cards) to prevent unauthorized access to confidential corporate information and IT networks, both inside and outside the corporate perimeter.

strong digital identity. An online persona that is difficult to impersonate, possibly secured by private keys on a smart card. These identities typically have to be supported by physicalized authentication factors.

TAM E-SSO Password. The password that secures access to your Wallet. The length of the password ranges from six to 20 characters, depending on the preference of your organization. The assumption is that only the authentic user has the password to access their accounts.

token. A small, highly portable hardware device that the owner carries to authorize access to digital systems, physical assets, or both.

trigger. An event that causes a transition between states in a state engine, for example, the loading of a Web page or the appearance of a window on the desktop.

TTY. Terminal emulator, terminal application. A program that emulates a video terminal within some other display architecture. Though typically synonymous with a command line shell or text terminal, the term terminal covers all remote terminals, including graphical interfaces. A terminal emulator inside a graphical user interface is often called a terminal window.

User role. A role that is required to use AccessAgent for sign-on automation. This is one of the three Tivoli Access Manager for Enterprise Single Sign-On Predefined Roles within the Tivoli Access Manager for Enterprise Single Sign-On system.


Virtual Private Network (VPN). An extension of a company intranet over the existing framework of either a public or private network. A VPN ensures that the data that is sent between the two endpoints of its connection remains secure.

Wallet. An identity Wallet that stores a user's access credentials and related information (including user IDs, passwords, certificates, encryption keys), each acting as the user's personal meta-directory.

Web Workplace. A web-based interface that provides the ability to log on to enterprise Web applications by clicking links without entering the passwords for individual applications. This interface can be integrated with the existing portal or SSL VPN of the customer.


Index

A

AccessAdmin
    Back button not working 24
    cluster hostname not working 21
    deleting users 63
    troubleshooting 21, 24

AccessAgent
    AccessAgent installation file is corrupt 30
    application .DLL files 37
    application conflicts 38
    applications running slower 38
    auto-admin logon 36
    console application support disabled 37
    disk space 41
    domain incorrect 36
    enabling RFID readers in VMWare 67
    encryption pack 41
    EnGINA crashes 32
    EnGINA installation on Citrix servers 30
    icons incorrect 40
    IMS Server cannot be found 30
    IMS Server certificate download 36
    IMS Server connection 35
    installation failure 30
    installation privileges 41
    installed before Mozilla Firefox 31
    logon user interface missing 31
    logs and log levels 34
    module registration 41
    Mozilla Firefox single sign-on feature 33
    network connection 41
    performance improvement 67
    personal firewalls 39
    security logs 39
    signing up 40
    sync.exe termination 39
    synchronization with the IMS Server 35
    Tivoli Access Manager for Enterprise Single Sign-On credential provider (in Microsoft Vista) 40
    troubleshooting 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 52, 59
    uninstalling in private desktops 67
    Wallet copy protection 67
    Wallet logon failure 53
    Winlogon desktop crashes (in Microsoft Vista) 59

AccessAssistant and Web Workplace
    Back button not working 24
    crashes 24
    troubleshooting 24

accessibility vii

AccessStudio
    AccessProfile for Windows logon 43
    applications running slower 38
    capture credentials 43
    labels missing in state engine view 43
    troubleshooting 38, 43

Active Directory
    search and get attributes problem 23
    signing up with expired password 40

Active Proximity Badges
    logging on to Wallet 48
    lost badges 48
    registration problems 49
    unlock computer 48

ADAM Server
    setup 64

ADSI Connector 57

authorization code problems 50

B

books
    See publications

C

certificates
    basic constraints extension 20
    not issued for an application 21

Citrix Server
    slow logon 33

conventions
    typeface viii

credentials 12

D

directory names, notation ix

E

education
    See Tivoli technical training

EnGINA
    returning from MS GINA 32

EnGINA crashes 32

enterprise applications 12

enterprise identity 12

environment variables, notation ix

I

IBM HTTP Server
    setup 18

icons
    margin ix

IMS Server
    AccessProfiles 62
    automatic sign-on problems 23, 31
    database user account 64
    existing profile in Web Workplace 27
    installation 18
    installation failure 18, 19, 20
    LDAP MaxPageSize policy 27
    machine group tags 66
    port opening in firewalls 24
    registration problems 22
    switching to another IMS Server 61
    troubleshooting 18, 19, 20, 21, 22, 23, 24, 27, 31, 33, 35, 57, 58
    user roles 63
    Wallet synchronization 35

IMS Server installation
    profiles 17, 18

Internet Explorer problems 59

L

logon credentials 32

M

manuals
    See publications

margin icons ix

Microsoft Operations Manager
    MOM 2005 installation 58
    MOM Agent installation 58
    performance data 58
    reporting installation 59

N

notation
    environment variables ix
    path names ix
    typeface ix

O

online publications
    accessing vii

ordering publications vii

P

password problems 50, 51, 52, 55
    Windows password not auto-injected 50

password synchronization 55

path names, notation ix

personal applications 13

personal workstations
    about 9

policies 13

private desktop
    deployment tips 68

private desktops
    about 10

publications vi
    accessing online vii
    ordering vii

R

RDP session termination 42

RFID
    detection problems 45
    enabling readers for AccessAgent running in VMWare 67
    logging on to Wallet 46
    lost card 46
    registration problems 47
    unlock computer 46

roaming desktops
    about 11

S

shared desktops
    about 9

smart cards
    detection problems 47

SQL Server 2000 57

T

Tivoli Access Manager for Enterprise Single Sign-On 1
    authentication factors 5
    concepts 12
    features 1
    product components 4
    program icons 11
    usage configurations 9

Tivoli Information Center vii

Tivoli technical training viii

Tivoli user groups viii

training, Tivoli technical viii

troubleshooting
    smart card-related problems 47

typeface conventions viii

U

usage workflows
    private content filtering 68
    uninstalling AccessAgent 67

user groups, Tivoli viii

V

variables, notation for ix

W

Wallet-related problems 51, 52, 53, 54, 55


Printed in USA

GC23-9693-00