Helping mobile users
The Challenge
Traveling users typically log into their workstations with Active Directory credentials that Windows has cached locally. If they forget that password while away from the corporate network, getting them back in is expensive, insecure or simply impossible:
- Expensive: the user must physically bring (or mail) the laptop to a corporate location so that the PC can re-authenticate to the AD domain and cache the user's newly reset password.
- Insecure: alternatively, the help desk can give the traveling user the login ID and password of a local account defined on the user's PC (not a domain account). Once that password has been read out over the phone, the account's security is compromised from then on.
- Impossible: the user cannot bring the PC to the office and the help desk cannot or will not offer a local account.
Password reset incidents for traveling users are infrequent, but each one costs far more to resolve than the same incident for a network-attached user.
The Hitachi ID Password Manager (formerly P-Synch) Solution
When users are off-site and not connected to the corporate network, they can use an IVR (telephony) solution to reset a VPN password. This does not resolve problems with the local workstation password or with the cached domain password, because a reset performed on the network cannot reach a workstation that is not connected to it.
An LSKA (a local kiosk account on the workstation), a GINA extension service or a Credential Provider is available to assist mobile, off-site users who have forgotten the password they use to sign into their own workstation. Each of these establishes a temporary network connection, launches a locked-down web browser and lets the user authenticate to Password Manager with something other than their domain or VPN password. Once authenticated, the user can reset their password(s) both on network services and locally on their workstation (via an ActiveX control). With the Password Manager client software installed on a Windows laptop, a password reset away from the office proceeds as follows:
- The user's PC is not physically attached to any network; the user may be at an airport, coffee shop, etc.
- The user is faced with a login screen for which they do not know the password.
- The user's (forgotten) AD password is cached on the PC, to allow logins while away from the corporate network.
- If the LSKA is deployed, the user signs into the workstation with the user name "help" and no password.
- If the GINA extension service or Credential Provider is deployed, the user presses a button on the Windows login screen with a label such as "I forgot my password."
- The Password Manager client service starts and detects (a) that there is no physical network connection but (b) that the PC has a wireless network adapter.
- Password Manager scans for available WiFi hot-spots and prompts the user to select one. They are listed in order of signal strength, so the user normally chooses the first one (the nearest access point, often a public one).
- The user's web browser is launched, and the user may have to register, pay or accept the terms of use of the network provider.
- Once the user's PC is on the Internet, Password Manager launches a temporary VPN connection to the corporate network.
- Password Manager launches a kiosk-mode web browser pointed at the password reset web portal. Because the browser is in kiosk mode, the user cannot navigate to any other URL.
- The user performs a password reset in this browser session. This includes self-identification, some form of non-password authentication (e.g., CAPTCHA + security questions + a PIN sent by SMS to the user's mobile phone) and selection of a new password.
- Password Manager uses an ActiveX control to re-authenticate the user's PC to the domain over the VPN. This has the desirable side effect of updating the cached password on the user's PC.
- The user closes the kiosk-mode web browser. This also disconnects the VPN and terminates the WiFi session.
- The user can now sign into the PC with the new password, which has been applied both on the network and to the local credential cache.
Please note that the WiFi elements in the above sequence are optional. The user may be at work, at home on a wired Internet connection, using an AirCard (cellular modem), or in a hotel with a wired connection. All of these alternatives work essentially as described above. In every case the hot-spot or access network is treated as untrusted: the reset portal is reached only over the temporary VPN, and the kiosk browser confines the user to that portal.
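The client-side sequence above, as an added illustration in PowerShell that is not Hitachi ID Password Manager code, assembled from standard Windows tooling: Get-NetAdapter for the wired/wireless check, netsh wlan for the hot-spot scan ordered by signal strength, rasdial for the temporary VPN, Microsoft Edge's kiosk mode for the locked-down browser, and a Win32 LogonUser call standing in for the ActiveX re-authentication step. The portal URL, VPN entry name and domain are placeholders; the netsh output embedded in the script is a constructed sample (not a real capture) so the parser can be exercised offline; and two assumptions are marked in the comments: that a WLAN profile for the chosen SSID already exists on the workstation, and that an interactive-type logon validated by a domain controller over the VPN refreshes the local cached credential.

```powershell
# Added illustration, not Hitachi ID code. Placeholders (hypothetical values):
$PortalUrl = 'https://pwreset.example.com/'   # hypothetical reset portal
$VpnEntry  = 'Corp-Temp-VPN'                  # hypothetical rasphone.pbk entry
$Domain    = 'CORP'                           # hypothetical NetBIOS domain name

function Get-ConnectivityState {
    # Steps (a)/(b) of the sequence: no wired link up, but a Wi-Fi adapter present.
    $adapters = Get-NetAdapter -Physical
    [pscustomobject]@{
        WiredConnected = [bool]($adapters | Where-Object {
                $_.PhysicalMediaType -eq '802.3' -and $_.Status -eq 'Up' })
        HasWireless    = [bool]($adapters | Where-Object {
                $_.PhysicalMediaType -eq 'Native 802.11' })
    }
}

function ConvertFrom-WlanScan {
    # Parse the text of 'netsh wlan show networks mode=bssid' into objects,
    # strongest signal first (the order in which the user is shown them).
    param([Parameter(Mandatory)][string[]]$Lines)
    $networks = @(); $current = $null
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^SSID\s+\d+\s*:\s*(.*)$' {
                $current  = [pscustomobject]@{ SSID = $Matches[1].Trim(); Auth = ''; Signal = 0 }
                $networks += $current
            }
            '^\s+Authentication\s*:\s*(.+)$' { if ($current) { $current.Auth = $Matches[1].Trim() } }
            '^\s+Signal\s*:\s*(\d+)%' {        # keep the strongest BSSID per SSID
                if ($current -and [int]$Matches[1] -gt $current.Signal) { $current.Signal = [int]$Matches[1] }
            }
        }
    }
    $networks | Sort-Object Signal -Descending
}

# Constructed sample of netsh output (not a real capture) so the parser can run
# offline; on a live machine pass (netsh wlan show networks mode=bssid) instead.
$SampleScan = @'
Interface name : Wi-Fi
There are 2 networks currently visible.

SSID 1 : Lounge-Guest
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 66:77:88:99:aa:bb
         Signal             : 61%

SSID 2 : Airport-Free-WiFi
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 84%
    BSSID 2                 : 00:11:22:33:44:66
         Signal             : 47%
'@ -split "`r?`n"

function Update-CachedLogon {
    # Stands in for the ActiveX step. Assumption: a successful interactive-type
    # logon (LOGON32_LOGON_INTERACTIVE = 2) validated by a domain controller over
    # the VPN refreshes the workstation's cached credential for this user.
    param([Parameter(Mandatory)][string]$User, [Parameter(Mandatory)][securestring]$Password)
    if (-not ('Win32.Logon' -as [type])) {
        Add-Type -Namespace Win32 -Name Logon -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
                                    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@
    }
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password  # LogonUser needs plaintext
    $token = [IntPtr]::Zero
    $ok = [Win32.Logon]::LogonUser($User, $Domain, $plain, 2, 0, [ref]$token)
    if ($ok) { [void][Win32.Logon]::CloseHandle($token) }
    else { Write-Warning ("Logon failed, Win32 error " + [Runtime.InteropServices.Marshal]::GetLastWin32Error()) }
    $ok
}

function Invoke-OfflineReset {
    # The full sequence: hot-spot -> temporary VPN -> kiosk browser -> re-auth -> teardown.
    param([string[]]$ScanText = (netsh wlan show networks mode=bssid))
    $state = Get-ConnectivityState
    if (-not $state.WiredConnected -and $state.HasWireless) {
        $pick = ConvertFrom-WlanScan -Lines $ScanText |
                Out-GridView -Title 'Select a hot-spot (strongest first)' -OutputMode Single
        if (-not $pick) { return $false }
        # Public hot-spots are usually open; only the VPN below protects the session.
        if ($pick.Auth -eq 'Open') { Write-Warning "Joining open network '$($pick.SSID)'" }
        # Assumption: a WLAN profile with this name already exists on the workstation.
        netsh wlan connect name="$($pick.SSID)" | Out-Null
        Start-Process $PortalUrl      # default browser, so a captive portal can show its sign-up/terms page
        Read-Host 'Press Enter once the hot-spot grants Internet access' | Out-Null
    }
    rasdial $VpnEntry | Out-Null      # temporary VPN; the entry's own credentials are assumed to be saved
    # Kiosk mode confines the user to the reset portal; -Wait blocks until the browser is closed.
    Start-Process msedge.exe -ArgumentList "--kiosk $PortalUrl --edge-kiosk-type=fullscreen --no-first-run" -Wait
    $user = Read-Host 'Domain user name'
    $pass = Read-Host 'New password' -AsSecureString
    $ok = Update-CachedLogon -User $user -Password $pass
    rasdial $VpnEntry /disconnect | Out-Null    # closing the browser tears down the VPN ...
    netsh wlan disconnect | Out-Null            # ... and the hot-spot session
    $ok
}

# Offline check of the ordering and open-network flag against the constructed sample:
ConvertFrom-WlanScan -Lines $SampleScan | Format-Table SSID, Auth, Signal
```

Run Invoke-OfflineReset from the kiosk or helper session; the final line only exercises the parser on the constructed sample, listing the networks strongest first with the authentication type beside each so an open hot-spot is visible before it is joined. The LogonUser step is the one piece that differs from the page's description (which uses an ActiveX control), so treat it as a stand-in rather than a description of the product.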
