
Helping Mobile Users - Hitachi ID Password Manager

The Challenge

Traveling users typically log into their workstations using cached Active Directory passwords. If they forget the cached password, technical support may be expensive, insecure or simply impossible:

  1. Expensive: the user must physically bring (or mail) the laptop to a corporate location, so that the PC can re-authenticate to the AD domain and cache the user's newly reset password.
  2. Insecure: alternatively, the help desk can give the traveling user the login ID and password of an alternate account, which is defined on the user's PC (not a domain account), whose security will henceforth be compromised.
  3. Impossible: the user is unable to bring his PC to the office and the help desk cannot or will not offer an alternate, local user ID.

While the frequency of password reset incidents for traveling users is typically low, the cost per incident is much higher than for network-attached users.

The Hitachi ID Password Manager Solution

When users are off-site and not connected to the corporate network, they can use a telephony (IVR) solution to reset a VPN password. This does not resolve problems users may encounter with their local workstation passwords or with cached domain passwords.

An LSKA, a GINA extension service or a credential provider is available to assist mobile, off-site users who have forgotten the password they use to sign into their own workstation. These solutions establish a temporary network connection, launch a locked-down web browser and enable the user to authenticate to Password Manager with something other than their domain or VPN password. Once authenticated, the user can reset their password(s) both on network services and locally on their workstation (via ActiveX). Password Manager software installed on a user's Windows laptop enables password reset while away from the office, as follows:

Please note that the WiFi elements in the above sequence are optional. The user may be at work, or at home with a wired Internet connection, or using an AirCard (cell modem), or in a hotel with a wired connection. All of these alternatives also work essentially as described above.


Watch a Movie

Self Service Anywhere™


Content:

  • A user forgot his primary Windows login password.
  • The user is away from the office and the corporate AD password is cached locally.
  • The video shows how the user can reset the forgotten password from the PC login screen, over WiFi+VPN, and get back to work.

Key concepts:

  • Users are increasingly mobile.
  • Mobile users sign into their corporate laptops with cached domain credentials.
  • If a user forgets his Windows password while away from the corporate network, the IT help desk cannot help him, as they cannot access the cached password.
  • Using Self Service Anywhere, Password Manager allows mobile users to reset forgotten passwords even while away, enabling them to get back to work before they return to the office.
  • Without this technology, a remote user who forgot his password cannot use his PC until he returns, which is a major business interruption.

Mobile user unlocks Windows XP password with GINA service


Content:

  • User locks out Windows login password.
  • User presses a "help" button to access self-service.
  • A temporary VPN tunnel is established.
  • A kiosk-mode web browser is launched.
  • User enters his network login ID.
  • User answers security questions.
  • User chooses a new password.
  • ActiveX updates locally cached password.
  • Web browser and VPN are closed.
  • User signs into Windows with the new password.

Key concepts:

  • Access to self-service password reset from a locked out Windows XP PC.
  • SSPR is available even away from the corporate office.
  • SSPR impacts locally cached credentials, not just those on AD DCs.
  • GINA DLL is not altered.

Mobile user unlocks Windows 7 password with Credential Provider


Content:

  • User locks out Windows login password.
  • User presses a "help" button to access self-service.
  • A temporary VPN tunnel is established.
  • A kiosk-mode web browser is launched.
  • User enters his network login ID.
  • User answers security questions.
  • User chooses a new password.
  • ActiveX updates locally cached password.
  • Web browser and VPN are closed.
  • User signs into Windows with the new password.

Key concepts:

  • Access to self-service password reset from a locked out Windows 7 PC.
  • SSPR is available even away from the corporate office.
  • SSPR impacts locally cached credentials, not just those on AD DCs.