HID DigitalPersona Cookbook

Copyright

© 2020 HID Global Corporation/ASSA ABLOY AB. All rights reserved.

This document may not be reproduced, disseminated or republished in any form without the prior written permission of HID Global Corporation.

Trademarks

HID DigitalPersona, HID GLOBAL, HID, the HID Brick logo and the Chain Design are trademarks or registered trademarks of HID Global, ASSA ABLOY AB, or its affiliate(s) in the US and other countries and may not be used without permission. All other trademarks, service marks, and product or service names are trademarks or registered trademarks of their respective owners.

Revision history

Contacts

For additional offices around the world, see www.hidglobal.com/contact/corporate-offices

Americas and Corporate

611 Center Ridge Drive
Austin, TX 78753
USA
Phone: +1 866 607 7339
Fax: +1 949 732 2120

Asia Pacific

19/F 625 King's Road
North Point, Island East
Hong Kong
Phone: +852 3160 9833
Fax: +852 3160 4809

Europe, Middle East and Africa (EMEA)

Haverhill Business Park Phoenix Road
Haverhill, Suffolk CB9 7AE
England
Phone: +44 (0) 1440 711 822
Fax: +44 (0) 1440 714 840

Brazil

Condomínio Business Center
Av. Ermano Marchetti, 1435
Galpão A2 - CEP 05038-001
Lapa - São Paulo / SP
Brazil
Phone: +55 11 5514-7100

HID Global Technical Support: www.hidglobal.com/support

Contents

1. Chapter 1: Introduction to the Cookbook

   1. Overview
   2. Resources

2. Chapter 2: Appetizers/Starters

   1. Single Server Test/Lab Test Platter - DigitalPersona AD flavor
   2. DigitalPersona LDS flavor

3. Chapter 3: Entrées

   1. GPOs for all Entrées and Specials
   2. Enterprise Business - DigitalPersona AD flavor
   3. Enterprise Business – DigitalPersona LDS flavor
   1. Digital Persona LDS Database Server on a member server
   2. DigitalPersona LDS Web Server on a member server
   3. DigitalPersona LDS on Amazon Web Services

4. Chapter 4: Specials

   1. Citrix
   1. Additional configuration
   2. OTP authentication for RADIUS VPN
   3. Secret sauce

5. Chapter 5: Side Orders

   1. Credential enrollment
   1. Attended Enrollment: Full client, AD flavor
   2. Software OTP
   3. Hardware OTP
   4. Push Soft OTP
   2. Terminal Server
   3. Client on Server (ConS)
   4. Beyond MFA
   5. Password Manager change screen templates
   6. Password Manager Single Sign-On (SSO)
   7. Kiosk
   1. Restricting Kiosk access

6. Chapter 6: Desserts

   1. No local cache
   2. Password Recovery Questions
   3. Report Server

Chapter 1: Introduction to the Cookbook

1.1 Overview

The HID DigitalPersona Solutions Cookbook is a series of recipes for cooking up solutions using the ingredients provided as part of the DigitalPersona solutions, products and components.

The recipes are presented in a format based on traditional restaurant offerings, allowing you to create the perfect meal, consisting of perhaps an appetizer, an entrée (main course), a selection of side dishes, and an optional dessert. (We leave the beverage choices to the IT professional doing the preparation and cooking.)

Just as quality ingredients are critical to creating great meals, the DigitalPersona suite of quality software components presents you with the tools that can be assemble into a tasty spread that meets each enterprise's needs.

The DigitalPersona solution, consists of a range of software, hardware and integration components.

One core component used in most environment's configurations is the Crossmatch DigitalPersona Server. It comes in two flavors, the DigitalPersona AD Server (leveraging Microsoft Active Directory), and the DigitalPersona LDS Server (leveraging Microsoft Lightweight Directory Services).

While both servers use Active Directory Group Policy Objects (GPOs) for server and client configuration, the AD Server uses Microsoft Active Directory for storage and the LDS Server uses Microsoft AD LDS for storage.

The workstation, or kiosk, client is run on endpoints, enabling MFA windows logon and unlock. Password Manager is a part of our complete meal, enabling MFA for websites and applications in the windows session.

Another core component is the DigitalPersona Web Components module, which provides a Web Administrator Console for web-based user management and a DigitalPersona Web Enrollment site for credential enrollment. It also includes the DigitalPersona Identity Server and STS (Secure Token Service), for implementing web-based multifactor federation or Office365 access.

Extended Microsoft consoles (ADUC and GPMC) are the primary means of management for the AD solution. The Web Administrator Console is the main management tool for the DigitalPersona LDS solution. It can be used for some management tasks when using the AD solution too.

The DigitalPersona solution also includes a well-stocked pantry; consisting of a documentation set including the following:

• AD Administrator Guide
• LDS Administrator Guide
• Client Guide
• SSO for Office 365 On Premise AD - LDS Solution Deployment Guide
• SSO for Office 365 On Premise - AD Solution Deployment Guide
• NetScaler RADIUS Authentication - Integration Guide

1.2 Resources

• Documentation: All of the above-mentioned documentation is available by selecting DigitalPersona from the All Brands dropdown menu at the following location: https://www.hidglobal.com/documents
• Patches: All patches can be found here: http://downloads.crossmatch.com.
• Upgrade Notes are found here: https://www.hidglobal.com/documents. If upgrading an existing setup, use the installation & configuration instructions from the current Upgrade Notes document instead of those in the Administrator Guide.

Chapter 2: Appetizers/Starters

2.1 Single Server Test/Lab Test Platter - DigitalPersona AD flavor

Provides Windows/AD logon and unlock, Password Manager and (optionally the DigitalPersona Web Administration Console), all on one server machine, with one client.

This could be by using VMs, or a VM for the Server and a physical machine for the client.

2.2 DigitalPersona LDS flavor

Note that LDS is used instead of AD only when: schema can't be extended, no software can be installed onto DCs, or when user who are not AD users are needed. One more machine is needed to test LDS than is needed for AD testing.

Chapter 3: Entrées

3.1 GPOs for all Entrées and Specials

3.2 Enterprise Business - DigitalPersona AD flavor

Choose a Small, Medium, or Large portion. Includes Windows/AD logon and lock/unlock, Password Manager (PM) and the DigitalPersona Web Administration Console. All DigitalPersona AD flavor.

3.3 Enterprise Business – DigitalPersona LDS flavor

There are a few deployment use-cases where the LDS flavor of DigitalPersona must be used instead of the AD flavor:

• If unable to extend the AD schema for DigitalPersona use.
• When DigitalPersona Server cannot be installed onto any DCs.
• When non-AD user accounts are needed.

Note that DigitalPersona AD leverages Microsoft management consoles (ADUC and GPMC) for administration, whereas DigitalPersona LDS does not. LDS management is by script and web console. Also, even with DigitalPersona LDS, most configuration is done via GPOs.

Separate member servers should be used for each of DigitalPersona authentication server, AD LDS server, and DigitalPersona web server. (Separate web servers in DigitalPersona AD from DCs too.)

3.3.1 DigitalPersona LDS Database Server on a member server

3.3.2 DigitalPersona LDS Web Server on a member server

Includes

• Creating a Certificate Authority
• Creating a certificate
• Exporting and then importing a certificate.

3.3.3 DigitalPersona LDS on Amazon Web Services

A delightful slice of the Crossmatch DigitalPersona platform, this is a low cost, cloud based, identity authentication as a service offering (IAaaS). Basically, the same as the "Enterprise Business - Digital Persona LDS flavor" recipe above, except all running off-premise, in the cloud.

To deploy, simply

Chapter 4: Specials

4.1 Citrix

Diagram: A simple diagram shows a Citrix server connected to AD, and a Citrix client connected to the Citrix server. The Citrix client also shows DP Workstation. An arrow points from the Citrix client to AD with the text "Fingerprint data redirection enabled by GPO, linked at domain level, with no inheritance blocked".

4.1.1 Additional configuration

4.2 OTP authentication for RADIUS VPN

Enhance an existing VPN solution by adding OTP to your existing password credential or replacing your password with OTP. DigitalPersona provides support for RADIUS VPN with OTP via the DigitalPersona NPS Plugin. Windows Server with the NPS Role is a prerequisite.

The OTP code itself is entered with the VPN credentials, or if using Push OTP the word "push" may need to be entered as part of the credentials - see the Syntax column in the table below.

4.3 Secret sauce

None of the other recipes in this cookbook a good fit for your needs? When your requirement goes beyond what a recipe can fulfill, get some quotes from your Sales representative on our Professional Services; let the identity exports artfully mix up a custom solution for you.

Chapter 5: Side Orders

5.1 Credential enrollment

Digital Persona provides two primary methods of credential enrollment: attended-enrollment and self-enrollment. There are two ways to do attended enrollment: through the DigitalPersona Workstation client, or through DigitalPersona Web Enrollment. The following table shows the availability and default status of the different types of enrollment.

5.1.1 Attended Enrollment: Full client, AD flavor

Out of the box with DigitalPersona AD, end users can self-enroll and manage all their own credentials. Generally, this is sufficient and preferred. For added control and security, the full Win32 client Attended Enrollment application can be used

Security officers, or enrollers, are people with an AD User who is a member of the Attended Enrollers group. An enroller launches the DigitalPersona Attended Enrollment application (custom optional install part of the Digital Persona AD Workstation client) either with a Run As, or logged on as the enroller. The end user enrolls just as they would self enroll, except the security officer is watching them, and then also authenticates/validates the enrollment when it's done.

It's possible to set up a hybrid where users in specific OUs can self enroll. Setup attended enrollment as per the Administrator Guide, then re-create the DigitalPersona allowed user self register/delete permission, but at a sub-OU of Users level instead of at the domain level.

Anyone can register their fingerprints and use a DigitalPersona license on a DigitalPersona workstation. Attended Enrollment effectively limits and controls DigitalPersona license use and allocation.

5.1.2 Software OTP

OTP is One Time Password. Out of the box you get support for soft-token OTPs. Soft Token OTP is done using the DigitalPersona app on iPhone and Android phones, available on the respective platform's app store - search for DigitalPersona.

5.1.3 Hardware OTP

Some Onetime Password (OTP) hardware tokens can be used as authentication factors in DigitalPersona. A Hardware Token OTP is configured first by importing a seed file obtained with purchase of the hard tokens; for a token to be enrolled by a user it must already be imported and in a pool of available tokens.

Make sure to choose known supported tokens, such as the Vasco Go 6, Feitian OTP c200, or Fortinet FTK-200.

5.1.4 Push Soft OTP

Add push notification to the out of the box Soft Token OTP feature, making it even quicker and easier. Instead of having to enter the code from the token into the authentication dialog, the user just okays the push on their phone!

5.2 Terminal Server

Reserved for future use.

5.3 Client on Server (ConS)

The DigitalPersona Client on Server feature enables an administrator to secure access to your DCs with DigitalPersona's multifactor authentication. Be sure to install the client only after server, and do not attempt credential management or other features beyond logon and unlock. ConS is available in the DigitalPersona AD flavor only.

5.4 Beyond MFA

Digital Persona closes the gaps in today's user authentication solutions. In addition to the traditional set of authentication factors - what you have, are and know (such as password, PIN, Fingerprints, PKI Smart Cards, (hard) token, phone with soft token app) - it offers authentication for the contextual risk factors of time, velocity, location and behavior (for example, IP address / geographic location, and biometric typing pattern. These factors cover what you do, where you are, and when you act. Choose the right level of protection for every application, every user and every system.

Physical and BIOS security are additional to MFA.

DigitalPersona offers controls over:

• Logon policy - Windows logon and windows un-lock policy
• Enhanced policy - Step-up, or Enhanced, policies for windows logon/unlock
• Session policy - W32 and websites within a Windows session
• Federation IDP (STS) policy, for application launch, portal access, and web administration.
• Backup accesses: Password recovery, and account access

The logon, session, and enhanced policies are covered in Section 3.1 GPOs for all Entrées and Specials under the OU level heading. The enhanced policy overrides and adds to or extends the logon policy in certain pre-defined situations. The logon, session, and enhanced, policies all work by arranging rows and columns of factors; each row is a set of one or more factors (columns) which all must be used. Users essentially pick on a row to use.

These policies should almost always be set at sub-OU level and not broader, so as to prevent locking yourself, or everyone, out of the domain. Child OUs can be made under production OUs were Computer accounts are, MFA policies linked to these OUs, Computers moved into them, and testing done, before wider adaption.

The DigitalPersona User Query Tool (UQT) reports on which Users have and have not enrolled which factors and features.

MFA can present a catch-22. With self-enrollment, policies should allow password alone initially, then after most user have enrolled, MFA can be enforced. With attended enrollment, MFA can be enforced initially, and users who can't get in can go through the attended enrollment process. An enrollment policy limits which factors user can enroll if they are self-enrolling. Attended enrollment can be configured to require security officer presence, and to require that any omitted factors be notated.

Two features override MFA for emergencies and special exceptions: Password recovery, and account access.

Password recovery allows the user to forget or loss their password, then use three pre-enrolled recovery question answer pairs to either reset their password, or just skip password and get it (can be disabled by GPO). With a password and something else MFA in place, the password recovery would just help get past the password, the something else is still needed.

Account access involves interaction with a domain admin type and allows bypass of MFA.

Note on client behavior with MFA enforced: We have two option how user can authenticate own credentials: 1) local cache or 2) remote DigitalPersonaCA Server. You lost the ability to use option #1 because you wiped out local cache when you uninstall beta version. So you only can use option #2. To use option #2 you would need connection with DigitalPersonaCA Serve located in our CM environment. Which mean you need both 1) internet access and 2) VPN connection to our internal network (you may use Direct Access instead of VPN). You still can use Windows Password but to use any other credential you need wait until you get connected to our internal network. It will be just fine if we allow just password to logon but recently we deploy MFA policy and you would be require to provide something else.

See PM SSO (Password Manager Single Sign-On) section also.

5.5 Password Manager change screen templates

Reserved for future use.

5.6 Password Manager Single Sign-On (SSO)

Password Manager is a feature of the DigitalPersona client. Managed Logons can be used to provide simple SSO to applications, resources and websites.

5.7 Kiosk

There are two DigitalPersona clients, Workstation and Kiosk. The workstation client is more common and generally used. The kiosk client is ideal for shared machines, such as in a medical exam room or on the factory floor, for example. Windows logoff and logon between users is eliminated and security is enforced at the application level.

The Kiosk client program logs onto Windows as a shared account, users authenticate as authorized users to logon and unlock Windows. Within Windows Password Manager is used to authenticate with the user's credentials into websites and applications. While only the fingerprint of the logged-on user can be used within the Workstation windows session, any authorized fingerprint may be used within the Kiosk windows session.

5.7.1 Restricting Kiosk access

The default Kiosk behavior is that any authorized user can access a kiosk machine.

If all that is needed for access to the kiosk is an AD username and password, then a user with no license can walk up to a kiosk, logon with AD username and password, take a DigitalPersona license from the license pool, and access the machine.

If you require fingerprint, for example, to access the kiosks, then the user would have to enroll their finger(s) before being able to try to use the kiosk. To limit / control who and how credentials are enrolled, attended enrollment must be used and self-enrollment disabled.

To control which users can use kiosks we have an AD privilege called "kiosk membership". By default, this is set to 'allowed' for users at the domain level and inherits down to OUs and then Users. To configure granular control of users able to access the DigitalPersona Kiosks, follow the recipe below.

5.8 ESPM

The DigitalPersona AD Extended Server Policy Module (ESPM) is a separately purchased and installed server module that adds additional per user policies configurable through the DigitalPersona Users and Computers snap-in, part of the DigitalPersona AD Administration Tools component.

This module provides additional user policies that may be used to manage the credential combinations used for Windows logon. They do not affect the use of DigitalPersona credentials for authentication when used with personal or managed logons to websites, applications and network resources, but only affect authentication when logging on to Windows.

5.9 Thin Clients

Reserved for future use.

5.10 VPN Support

There are various types of VPNs and ways DigitalPersona interacts with them. A Site to site or certificate-based VPN could be transparent to DigitalPersona. RADIUS could be enhanced with second, perhaps push, factor. Thick VPN client, assuming authentication after Windows logon, could be Digital Persona Password Manager enabled. SSL VPNs can be made to authenticate via DigitalPersona factors. Using DigitalPersona STS's proxy feature enables DigitalPersona client / server traffic over a limited VPN-like connection.

5.10.1 RADIUS

OTP authentication for RADIUS VPN is detailed in the Specials section.

5.10.2 Thick client VPN client

Method: User has cached credentials to enter Windows/AD credentials. Launches 32 or 64 bit VPN client. VPN client is Password Manager (PM) trained, so user is prompted for MFA credentials as per DigitalPersona configuration, DigitalPersona fills in VPN credentials. Assumes authentication after Windows logon.

DigitalPersona set-up: Train VPN page in Password Manager.

5.10.3 Site to site or certificate-based VPN

This type of VPN works not only with DigitalPersona, but with most other software platforms. Common use cases are laptops in police cars or sanitation trucks running DigitalPersona AD Workstation client, connecting to headquarters (AD and DNS and DigitalPersona server) as though they were hard-wired to the network.

Method: This Type of VPN is established from Corporate Firewall to External Firewalls. It is transparent to DigitalPersona.

DigitalPersona set-up: Nothing additional on DigitalPersona side.

5.10.4 SSL VPN

Method: User accesses SSL VPN webpage, authenticates with an option below.

DigitalPersona set-up, one of:

• Password Manager (PM) supports only publishing username and password.
• With Radius support OTP Only (6 Digit OTP or Push OTP)
• With ADFS Plugin support federation authentication using Fingerprint and OTP (email, SMS, Push OTP, OTP)
• With DigitalPersona STS, supports all factors i.e. Fingerprints, PKI Smart Cards, Contactless Writable Cards, OTP (Email, SMS, Push OTP, OTP) in addition also supports Behavior biometrics.

Chapter 6: Desserts

6.1 No local cache

Extra Secure configuration as this forces server authentication only. With no local cache setup, authentication requires network and server; there are significantly less vectors for offline attacks. With added security comes a loss of convenience and redundancy.

6.2 Password Recovery Questions

You may find your environment is too secure with DigitalPersona deployed. Users are having trouble getting in if they forgot a password or are missing a factor or reader that day. To provide a sort of backdoor to allow users to regain access to their account, use Recovery Questions, instead of a call to the help desk.

This optional feature is potentially less secure than just using strong multi-factors.

Computer / Polices / Software Settings / DigitalPersona Client / Security / Enrollment / Enrollment Policy
(Optional) Ensure "Self Password Recovery" is selected.

Computer / Polices / Admin templates / DigitalPersona Server / Credentials verification lockout / Allow users to unlock their Windows account using DigitalPersona Recovery Questions
(Optional) Configure whether or not users are allowed to unlock their Windows account using Digital Persona Recovery Questions.

Computer Configuration/Policies / Administrative Templates / DigitalPersona AD / General / Authentication devices / Recovery Credentials / Self Password Reset / Allow users to reset their Windows passwords
(Optional) Configure whether users are allowed to reset their Windows password using DigitalPersona Recovery Questions or the Forgot Password link on the Identity Provider (STS) page.

6.3 Report Server

Collates DigitalPersona data and provides both canned and customizable reports for regulatory and audit compliance. Events from DigitalPersona Servers, Web Components and Clients are consolidated, and reports viewed and managed in the DigitalPersona Reports web console. A Dedicated (or shared) SQL server machine is needed. Events are copied to a central server, which creates some network load.