Login Prompt Access To Password Reset
Password reset for on-site, locked-out users:
P-Synch® can be configured with a secure kiosk account (SKA), implemented as a special user, user group and group policy object (GPO) in AD. (Configuration under NT domains and NDS environments is similar, but uses the native workstation policy mechanisms.)
Users who forget their passwords can log into AD from their own workstation with the SKA, which is typically called "help" and has an easy-to-remember or blank password.
The GPO attached to this account replaces the default Windows shell with a special binary loaded from a UNC path on the P-Synch server. This launches a kiosk-mode web browser on the user's workstation at a URL that allows the user to perform a self-service password reset.
The GPO prevents the SKA from being abused:
- It cannot launch a "normal" desktop on workstations.
- It has no network privileges.
- It cannot connect to network shares.
The SKA allows users of Windows / Active Directory domains with any Win32 workstation to access self-service password reset without installing client software.
The SKA is easily deployed, centrally controlled and monitored.
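As an added example (not Hitachi ID's own configuration or code), the following sketch creates the SKA user, the group and the shell-replacing GPO described above with the RSAT ActiveDirectory and GroupPolicy PowerShell modules, then verifies the result. Server, share, OU, domain and password values are placeholders, and the network-share and network-privilege restrictions mentioned above are user rights assignments that this sketch does not set.

```powershell
# Added example, not Hitachi ID's deployment script. Requires the RSAT modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$SkaName  = 'help'                                  # account name the page calls typical
$SkaGroup = 'SKA-Users'                             # hypothetical group the GPO is filtered to
$GpoName  = 'SKA-Kiosk-Shell'                       # hypothetical GPO name
$KioskExe = '\\PSYNCH-SERVER\kiosk\kiosk.exe'       # placeholder UNC path to the kiosk shell binary
$UserOu   = 'OU=ServiceAccounts,DC=example,DC=com'  # placeholder OU
$DomainDn = 'DC=example,DC=com'                     # placeholder domain DN for the GPO link
$SkaPass  = ConvertTo-SecureString 'help' -AsPlainText -Force  # placeholder easy password

# 1. The special user: cannot change its own password, never expires, no extra rights.
New-ADUser -Name $SkaName -SamAccountName $SkaName -Path $UserOu `
    -AccountPassword $SkaPass -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# 2. The group that scopes the GPO (security filtering); it contains only the SKA.
New-ADGroup -Name $SkaGroup -GroupScope Global -Path $UserOu
Add-ADGroupMember -Identity $SkaGroup -Members $SkaName

# 3. The GPO: for this user, replace the Windows shell with the kiosk binary.
New-GPO -Name $GpoName | New-GPLink -Target $DomainDn -LinkEnabled Yes | Out-Null
$WinlogonKey = 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-GPRegistryValue -Name $GpoName -Key $WinlogonKey `
    -ValueName 'Shell' -Type String -Value $KioskExe | Out-Null

# Apply only to the SKA group. Authenticated Users keeps Read (not Apply), because
# the workstation's computer account still needs to read the GPO to process it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $SkaGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Verification: the shell override is present and the SKA belongs to no group
#    beyond Domain Users and the kiosk group (no inherited share or admin rights).
$shell  = (Get-GPRegistryValue -Name $GpoName -Key $WinlogonKey -ValueName 'Shell').Value
$groups = Get-ADPrincipalGroupMembership -Identity $SkaName | Select-Object -ExpandProperty Name
if ($shell -ne $KioskExe) { throw "Shell override missing from GPO $GpoName" }
$unexpected = $groups | Where-Object { $_ -notin @('Domain Users', $SkaGroup) }
if ($unexpected) { throw "SKA is a member of unexpected groups: $($unexpected -join ', ')" }
"SKA '$SkaName' configured; shell=$shell; groups=$($groups -join ', ')"
```

Run this once as a domain administrator and re-run the verification step periodically, since any group added to the SKA later silently widens what the kiosk logon can reach.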
Password reset for remote, locked-out users:
When users are off-site and not connected to the corporate network, they can use a telephony solution (IVR, interactive voice response) to reset a RAS or VPN password. This does not resolve problems users may encounter with their local workstation passwords or with cached domain credentials.
A locally-deployed secure kiosk account (LSKA, local secure kiosk account) is available to assist mobile and off-site users who have forgotten the password they use to sign into their own workstation. The LSKA establishes a temporary network connection, launches a locked-down web browser and allows the user to authenticate and issue a password reset that applies to their network password, both on network authentication services (e.g., Windows / Active Directory domain controllers) and on the local cache (i.e., the cached password used to authenticate the user when the workstation is disconnected).
Extending the login prompt GUI:
Instead of deploying an SKA, where users are required to type HELP to sign into the self-service user interface, Hitachi ID customers may elect to deploy a wrapper GINA (Graphical Identification and Authentication library) DLL to workstations, which extends the existing user interface of the workstation login subsystem (GINA) by adding a button that launches a locked-down kiosk-mode web browser.
The GINA option has pros and cons: it is slightly more user friendly (press a button rather than typing "help") and eliminates the password-less SKA. On the other hand, it requires a software footprint on every workstation, which must be validated against every computer image and operating system patch to ensure interoperability.