Authenticating to Imprivata Enterprise Access Management via Password
When you first install the Imprivata agent, all users are authorized for password authentication. The default username and password are the user's current user directory credentials.
You can disallow password authentication for some or all users via user policy; however, all enabled users must have at least one authentication method. Password authentication is often used as a second factor for two-factor authentication.
There is no separate enrollment step for password authentication. All users automatically enroll the first time they log into Windows after installing the Imprivata agent.
User authentication via password is similar to Windows authentication, except that the user is prompted with the Imprivata login screen instead of the Windows login screen.
Desktop Authentication via Password is Never Disabled
Username and password access to Imprivata Enterprise Access Management is never disabled, regardless of Imprivata license status. For more information about disabled users, see Configuring Users Not Imported, Enabled, or Enrolled in Enterprise Access Management.
Imprivata Self-Service for Password Management
The Imprivata Enterprise Access Management self-service web application lets users securely identify themselves and reset their primary password if they have forgotten their primary password or lost an authentication device.
See Imprivata Self-Service Password Reset.
Kerberos Authentication for Microsoft Active Directory Passwords
Enterprise Access Management supports the choice between native username/password authentication with or without Kerberos for Microsoft Active Directory (AD) environments. Kerberos mode offers enhanced authentication speed and additional encryption for password users in Enterprise Access Management. To establish Kerberos trust between Active Directory and Enterprise Access Management, generate a Kerberos keytab file and upload it to the Imprivata appliance.
See Managing System Settings for information about enabling Kerberos network authentication protocol when authenticating via password.
Imprivata does not have a Kerberos trust relationship with an Active Directory server until you generate and upload a keytab file.


Review the following prerequisites before you begin:
- Verify that Kerberos is configured and enabled in your Windows environment. This topic details how to configure Enterprise Access Management for Kerberos authentication and assumes that the Kerberos deployment is running normally.
- The Imprivata keytab utility (keytab utility), which you use to create and upload a keytab file to an appliance, relies on ktpass to do so. The keytab utility is installed with the Imprivata agent.
  Ktpass is part of the Microsoft Windows Server resource kit. Beginning with Windows Server 2008, the resource kit tools are installed as part of the server role installation.
- The endpoint computer from which you run the keytab utility and the primary appliance with which the Imprivata agent communicates must be in the same Active Directory domain.
  For example, if the fully qualified domain name (FQDN) of the endpoint computer is endpoint.example.com, then the Imprivata appliance FQDN could be server_name.example.com.
- The Service Principal Name (SPN) of the appliance that the keytab utility registers with Active Directory is case-sensitive.
  The hostname and the domain name that appear in the Imprivata Appliance Console of this appliance must contain only lowercase letters.
- If the Imprivata enterprise includes more than one domain that share a trust relationship, for example a parent company (company.com) and two subdomains (us.company.com and eu.company.com), make sure that at least one appliance is placed in company.com.
  Upload the keytab file to this appliance. Uploading to the appliance that is in the second-level domain (SLD) ensures that the keytab file is valid for all domains.

Complete the following for each appliance in the enterprise to enable time synchronization. Kerberos rejects tickets when the clocks of the appliance and the domain controller differ by more than the permitted skew, so every appliance must keep accurate time.
- In the Imprivata Appliance Console, go to Network > NTP.
- Enter the IP address for one or more NTP servers.
- Click Save.

Confirm that the endpoint computer from which you run the keytab utility and the primary appliance with which the Imprivata agent communicates are in the same Active Directory domain (for example, endpoint.example.com and server_name.example.com):
- Log into the endpoint computer.
- Open the registry editor and go to the ISXAgent registry key:
  64-bit: HKLM\SOFTWARE\SSOProvider\ISXAgent
- Use the IPTXPrimServer value to confirm that the agent's primary appliance is in the same Active Directory domain as the endpoint computer.
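The checks above (same AD domain for endpoint and primary appliance, all-lowercase appliance hostname and domain because the SPN is case-sensitive, and the keytab upload target in the parent domain when subdomains share a trust) can be scripted once the two names are in hand. The following is an added example and is not Imprivata's code; it assumes the IPTXPrimServer value yields the appliance FQDN as a plain string (the page does not describe the value's format), and all sample names are constructed.

```python
"""Check the Kerberos keytab prerequisites described on the page.

Added example, not Imprivata's code. Inputs are FQDN strings; how the appliance
FQDN is obtained (here assumed to be the IPTXPrimServer registry value) is an
assumption, and the sample values are constructed.
"""


def split_fqdn(fqdn):
    """Split 'host.sub.example.com' into ('host', 'sub.example.com')."""
    host, _, domain = fqdn.partition(".")
    if not host or not domain:
        raise ValueError("expected a fully qualified name, got %r" % fqdn)
    return host, domain


def check_same_domain(endpoint_fqdn, appliance_fqdn):
    """True when the endpoint and the agent's primary appliance share one AD domain.

    Domain comparison is case-insensitive; the lowercase rule is checked separately.
    """
    return split_fqdn(endpoint_fqdn)[1].lower() == split_fqdn(appliance_fqdn)[1].lower()


def check_lowercase(appliance_fqdn):
    """True when hostname and domain contain no uppercase letters (the SPN is case-sensitive)."""
    return appliance_fqdn == appliance_fqdn.lower()


def is_parent_of_all(appliance_fqdn, enterprise_domains):
    """True when every listed domain is the appliance's own domain or a subdomain of it.

    This is the page's rule that the keytab goes to an appliance in the
    second-level domain (company.com) so it is valid for us.company.com and eu.company.com.
    """
    _, appliance_domain = split_fqdn(appliance_fqdn)
    appliance_domain = appliance_domain.lower()
    return all(
        d.lower() == appliance_domain or d.lower().endswith("." + appliance_domain)
        for d in enterprise_domains
    )


def check_prerequisites(endpoint_fqdn, appliance_fqdn, enterprise_domains=()):
    """Return a list of readable problems; an empty list means all checks passed."""
    problems = []
    if not check_same_domain(endpoint_fqdn, appliance_fqdn):
        problems.append("endpoint %s and appliance %s are not in the same AD domain"
                        % (endpoint_fqdn, appliance_fqdn))
    if not check_lowercase(appliance_fqdn):
        problems.append("appliance name %s must be all lowercase (SPN is case-sensitive)"
                        % appliance_fqdn)
    if enterprise_domains and not is_parent_of_all(appliance_fqdn, enterprise_domains):
        problems.append("appliance %s is not in the parent domain of %s"
                        % (appliance_fqdn, ", ".join(enterprise_domains)))
    return problems


if __name__ == "__main__":
    # Constructed sample values, matching the page's example names.
    endpoint = "endpoint.example.com"
    appliance = "server_name.example.com"   # assumed to come from IPTXPrimServer
    for problem in check_prerequisites(endpoint, appliance) or ["all prerequisite checks passed"]:
        print(problem)
```

Run it with the endpoint's own FQDN and the appliance name read from the registry; a non-empty list means the keytab utility should not be run until the named prerequisite is fixed.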

Creating and uploading a keytab file establishes a Kerberos trust relationship between Enterprise Access Management and Microsoft Active Directory. You use the Imprivata keytab utility, which is installed with the Imprivata agent, to create and upload a keytab file. After the keytab file is uploaded to the appliance, it is propagated to all other appliances in the enterprise.
NOTE: Obtain the administrator user credentials of the appliance to which you are uploading the keytab file. The Imprivata keytab utility requires these credentials to upload the keytab file.
- As a domain administrator, log into an endpoint computer on which the Imprivata agent is installed and open a command prompt.
- At the command prompt, type the following and press Enter:
  cd \Program Files (x86)\Imprivata\OneSign Agent\x64
- Type ISXKerbUtil and press Enter. The utility returns the names of the following:
  - The domain.
  - The domain controller.
  - The appliance host name in the Service Principal Name (SPN) format.
- Using the User Principal Name (UPN) format, type the username of the domain account that has Super Administrator rights in the Admin Console and press Enter.
  Example: username@example.com
- Enter the password of the domain account with Super Administrator rights that you provided above, and press Enter.
- Enter a password that meets the Active Directory complexity requirements and press Enter. The utility does the following:
  - Creates a domain user account named ssoKerberos.
  - Sets the password.
  - Creates and uploads the keytab file to the appliance.
  NOTE: If the Imprivata keytab utility detects that a domain user account is already mapped to the SPN, it updates the domain account with the password you entered. If the utility detects that multiple domain user accounts are mapped to the SPN, the utility detects which user it previously created and updates it with the password you entered; the remaining users are removed from the SPN.

The Imprivata keytab utility creates the keytab file with all of the cryptographic types supported by Windows Server.
NOTE: Only one keytab file is allowed per Imprivata enterprise.
- In the Imprivata Admin Console, go to the Users menu > Directories page.
- Click the name of the domain from which you created the keytab file.
- Go to Kerberos authentication and click 5 keytab files.
- Verify that the keys are using the following cryptographic types:
  - DES cbc mode with CRC-32
  - DES cbc mode with RSA-MD5
  - ArcFour with HMAC/md5
  - AES-256 CTS mode with 96-bit SHA-1 HMAC
  - AES-128 CTS mode with 96-bit SHA-1 HMAC
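The same verification can be done against the keytab file itself rather than only in the Admin Console. The following is an added example and not Imprivata's or Microsoft's code: a small parser for the MIT keytab format (version 0x0502, which is what ktpass writes) that lists the encryption type of every key entry and reports which of the five types listed above are absent. The enctype numbers come from RFC 3961, RFC 3962 and RFC 4757; the SPN, realm and key bytes in the sample are constructed placeholders. The check reports exactly the page's list; note that RFC 6649 retired the DES types and RFC 8429 deprecates RC4 in Kerberos, so their presence is a compatibility matter for the product, not a recommendation.

```python
"""Parse an MIT-format Kerberos keytab and check its encryption types.

Added example, not Imprivata's code. The sample keytab is constructed inline
with a placeholder SPN/realm and dummy key bytes of the correct lengths.
"""
import struct

# Kerberos enctype numbers for the five types the page lists.
ENCTYPE_NAMES = {
    1: "DES cbc mode with CRC-32",
    3: "DES cbc mode with RSA-MD5",
    23: "ArcFour with HMAC/md5",
    18: "AES-256 CTS mode with 96-bit SHA-1 HMAC",
    17: "AES-128 CTS mode with 96-bit SHA-1 HMAC",
}


def _counted(data, off):
    """Read a 16-bit length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data):
    """Return one dict per key entry: principal, realm, kvno, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)   # signed entry length
        off += 4
        if size == 0:
            break
        if size < 0:                 # negative size marks a deleted slot of -size bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        # name_type (uint32), timestamp (uint32), 8-bit key version number
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(comps), "realm": realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
        off = end
    return entries


def missing_enctypes(entries):
    """Return the enctype numbers from the page's list that have no key entry."""
    present = {e["enctype"] for e in entries}
    return sorted(set(ENCTYPE_NAMES) - present)


def build_keytab(principal, realm, keys, kvno=1):
    """Write a version-2 keytab from (enctype, key bytes) pairs; used to construct the sample."""
    out = bytearray(b"\x05\x02")
    comps = principal.split("/")
    for enctype, key in keys:
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # NT-PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: placeholder SPN and realm, dummy keys of the right lengths.
SAMPLE_KEYTAB = build_keytab("host/server_name.example.com", "EXAMPLE.COM", [
    (1, b"\x01" * 8), (3, b"\x03" * 8), (23, b"\x17" * 16),
    (18, b"\x12" * 32), (17, b"\x11" * 16),
], kvno=3)

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(e["principal"], "kvno", e["kvno"],
              ENCTYPE_NAMES.get(e["enctype"], "enctype %d" % e["enctype"]))
    print("missing:", [ENCTYPE_NAMES[t] for t in missing_enctypes(entries)])
```

To check a real file, read it in binary mode and pass the bytes to parse_keytab; the principal component after the service class should also match the lowercase appliance hostname, since the SPN registered by the utility is case-sensitive.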