
Helping Mobile Users - Hitachi ID Password Manager

The Challenge

Traveling users typically log into their workstations using cached Active Directory passwords. If they forget the cached password, technical support may be expensive, insecure or simply impossible:

  1. Expensive: the user must physically bring (or mail) the laptop to a corporate location so that the PC can re-authenticate to the AD domain and cache the user's newly reset password.
  2. Insecure: alternately, the help desk can give the traveling user the login ID and password of an alternate local account defined on the user's PC (not a domain account), whose security will henceforth be compromised.
  3. Impossible: the user is unable to bring his PC to the office and the help desk cannot or will not offer an alternate, local user ID.

While the frequency of password reset incidents for traveling users is typically low, the cost per incident is much higher than for network-attached users.

The Hitachi ID Password Manager Solution

When users are off-site and not connected to the corporate network, they can use a telephony (IVR) solution to reset a VPN password. This does not resolve problems users may encounter with their local workstation passwords or with cached domain passwords.

An LSKA, GINA extension service or credential provider is available to assist mobile, off-site users who have forgotten the password they use to sign into their own workstation. These solutions establish a temporary network connection, launch a locked-down web browser and enable the user to authenticate to Password Manager with something other than their domain or VPN password. Once authenticated, the user can reset their password(s) both on network services and locally on their workstation (via ActiveX). Password Manager software installed on a user's Windows laptop enables password reset while away from the office, as follows:

  • The user's PC is not physically attached to any network -- the user may be at an airport, coffee shop, etc.

  • The user is faced with a login screen to which he does not know the password.

  • The user's (forgotten) AD password is cached on the PC, to allow logins while away from the corporate network.

  • If the LSKA is deployed, the user signs into his workstation with the user name "help" and no password.

  • If the GINA extension service or Credential Provider is deployed, the user presses a button on the Windows login screen with a label such as "I forgot my password."

  • The Password Manager client software service is started and detects (a) that there is no physical network connection but also (b) the PC has a wireless network adapter.

  • Password Manager scans for available WiFi hot-spots and asks the user to select one. They are ordered by signal strength, so the user normally chooses the first one (nearest AP; often public).

  • The user's web browser is launched and the user may have to register, pay or accept the terms of use of the network provider.

  • Once the user's PC is on the Internet, Password Manager will launch a temporary VPN connection to the corporate network.

  • Password Manager will launch a kiosk-mode web browser to the password reset web portal. Since the browser is in kiosk mode, the user cannot navigate to any other URL.

  • The user will perform a password reset in this web browser session. This will include self-identification, some form of non-password authentication (e.g., CAPTCHA + security questions + mobile phone SMS PIN) and selection of a new password.

  • Password Manager will use an ActiveX to re-authenticate the user's PC to the domain, over the VPN. This has the desirable side-effect of updating the cached password on the user's PC.

  • The user closes the kiosk-mode web browser. This also disconnects the VPN and terminates the WiFi session.

  • The user is able to sign into his PC with his new password, which has been applied both at work and to the local cache.

Please note that the WiFi elements in the above sequence are optional. The user may be at work, or at home with a wired Internet connection, or using an AirCard (cell modem), or in a hotel with a wired connection. All of these alternatives also work essentially as described above.
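As an added illustration (this is not Hitachi ID's code and does not show how Password Manager itself is implemented), the PowerShell below reproduces the first two decisions in the sequence above: detecting that no wired link is up while a Wi-Fi adapter is present, and ranking the visible hot-spots by signal strength so the strongest one comes first. It assumes Windows 8 or later for Get-NetAdapter and the English-locale layout of `netsh wlan show networks mode=bssid`; the scan text embedded in the script is constructed for the example, not captured from a real site.

```powershell
# Added example, not vendor code. Assumes Windows 8+ (Get-NetAdapter) and the
# English-locale text layout of 'netsh wlan show networks mode=bssid'.

function Test-WiredLinkUp {
    # True if any physical Ethernet (802.3) adapter currently reports an active link.
    [bool](Get-NetAdapter -Physical | Where-Object {
        $_.PhysicalMediaType -eq '802.3' -and $_.Status -eq 'Up' })
}

function Test-WifiAdapterPresent {
    # True if the machine has a physical 802.11 adapter, whatever its state.
    [bool](Get-NetAdapter -Physical | Where-Object {
        $_.PhysicalMediaType -eq 'Native 802.11' })
}

function ConvertFrom-NetshWlanNetworks {
    # Parse the text of 'netsh wlan show networks mode=bssid' into one object
    # per SSID, keeping the strongest BSSID signal seen for that SSID, and
    # return the list strongest-first (the order the page says the client uses).
    param([string[]]$Lines)
    $networks = @()
    $current  = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*SSID\s+\d+\s*:\s*(.*)$') {
            $current = [pscustomobject]@{
                SSID           = $Matches[1].Trim()
                Authentication = ''
                Signal         = 0
            }
            $networks += $current
        }
        elseif ($current -and $line -match '^\s*Authentication\s*:\s*(.+)$') {
            $current.Authentication = $Matches[1].Trim()
        }
        elseif ($current -and $line -match '^\s*Signal\s*:\s*(\d+)%') {
            $current.Signal = [Math]::Max($current.Signal, [int]$Matches[1])
        }
    }
    $networks | Sort-Object Signal -Descending
}

# Constructed sample scan output (not a real capture) in the netsh layout.
$sampleScan = @'
SSID 1 : Airport_Free_WiFi
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 64%
         Radio type         : 802.11n
         Channel            : 6

SSID 2 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 66:77:88:99:aa:bb
         Signal             : 91%
         Radio type         : 802.11ac
         Channel            : 36
    BSSID 2                 : 66:77:88:99:aa:bc
         Signal             : 40%
         Radio type         : 802.11n
         Channel            : 11
'@

# Precondition check from the sequence: (a) no wired link, (b) a Wi-Fi adapter exists.
"Wired link up: $(Test-WiredLinkUp)   Wi-Fi adapter present: $(Test-WifiAdapterPresent)"

# Rank the sample scan. To rank the hot-spots actually in range, replace the
# next line with:  $lines = netsh wlan show networks mode=bssid
$lines = $sampleScan -split '\r?\n'
ConvertFrom-NetshWlanNetworks -Lines $lines | Format-Table SSID, Authentication, Signal -AutoSize
```

On the sample scan the output lists CoffeeShop (91%) before Airport_Free_WiFi (64%), which is the "first one" the page says a user normally picks. The Authentication column is included so an operator can see when the strongest hot-spot is an open network; in the design described above, the temporary VPN and the kiosk-mode browser are what limit the exposure of performing the reset over such a network.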


Watch a Movie

Self Service Anywhere™


Content:

  • A user forgot his primary Windows login password.
  • The user is away from the office and the corporate AD password is cached locally.
  • The video shows how the user can reset the forgotten password -- from the PC login screen, over WiFi+VPN and get back to work.

Key concepts:

  • Users are increasingly mobile.
  • Mobile users sign into their corporate laptops with cached domain credentials.
  • If a user forgets his Windows password while away from the corporate network, the IT help desk cannot help him, as they cannot access the cached password.
  • Using Self-Service Anywhere, Password Manager allows mobile users to reset forgotten passwords even while away, enabling them to get back to work before they return to the office.
  • Without this technology, a remote user who forgot his password cannot use his PC until he returns -- a major business interruption.

Mobile user unlocks Windows XP password with GINA service


Content:

  • User locks out Windows login password.
  • User presses a "help" button to access self-service.
  • A temporary VPN tunnel is established.
  • A kiosk-mode web browser is launched.
  • User enters his network login ID.
  • User answers security questions.
  • User chooses a new password.
  • ActiveX updates locally cached password.
  • Web browser and VPN are closed.
  • User signs into Windows with the new password.

Key concepts:

  • Access to self-service password reset from a locked out Windows XP PC.
  • SSPR is available even away from the corporate office.
  • SSPR impacts locally cached credentials, not just on AD DCs.
  • GINA DLL is not altered.

Mobile user unlocks Windows 7 password with Credential Provider


Content:

  • User locks out Windows login password.
  • User presses a "help" button to access self-service.
  • A temporary VPN tunnel is established.
  • A kiosk-mode web browser is launched.
  • User enters his network login ID.
  • User answers security questions.
  • User chooses a new password.
  • ActiveX updates locally cached password.
  • Web browser and VPN are closed.
  • User signs into Windows with the new password.

Key concepts:

  • Access to self-service password reset from a locked out Windows 7 PC.
  • SSPR is available even away from the corporate office.
  • SSPR impacts locally cached credentials, not just on AD DCs.
