Setting up DigitalPersona AD for Use with DigitalPersona Kiosk (Optional)

Complete the following DigitalPersona AD Server and DigitalPersona AD Kiosk installation and configuration steps in the order shown below.

  1. Install the DigitalPersona AD Server.

    This includes performing Schema Extension, Domain Configuration and the Server installation.

    If previous versions of DigitalPersona AD Server were installed in the domain, you should run the Domain Configuration Wizard, but should not run the Schema Extension Wizard again in this case.

  2. Install the DigitalPersona AD Administration Tools.

    You do not need to install all of the included Administration Tools components. However, the GPMC Extensions component must be installed. See Administration Tools.

  3. Create an OU for each kiosk and assign computers to the kiosk OU. See Creating the OU for the Kiosk.

    By default, the entire domain is considered as one kiosk. You may want to set up multiple, separate kiosks.

  4. Assign kiosk permissions.

    By default, all domain users are allowed Kiosk permissions. You can restrict identification to specific groups or users by following the instructions in Identification List.

    Note: By design, AD Domain Administrator will have access even if not granted permission on an Identification List. However, you can change the permission for the Domain Administrator from Allow to Deny for any specific kiosk.

  5. Create a Shared Account in Active Directory and specify the account information either by GPO or on individual kiosk computers. See Kiosk Shared Account Settings and Adding Shared Account Settings Using GPO.

  6. Install DigitalPersona Kiosk on kiosk computers (see Kiosk installation).

  7. Enroll user credentials.

    By default, all domain users are allowed to enroll their own credentials. However, you can choose whether you want to supervise the credential enrollment process, or allow users to enroll credentials themselves when they first log on to or unlock a kiosk computer. See Attended Enrollment.

Configuring Kiosk GPO Settings

Perform Fingerprint Identification on Server

The Perform fingerprint identification on server GPO setting may be applied and enabled for DigitalPersona AD Kiosk clients that will be using fingerprint credentials. For further details, see Perform fingerprint identification on server.

Kiosk Shared Account Settings

At the kiosk level, whether it is the domain or an OU, you must specify the kiosk Shared Account information. For more information, see Specifying a Shared Account for the Kiosk.

Creating the OU for the Kiosk

When you install DigitalPersona AD Server and DigitalPersona AD Kiosk, the entire domain is considered as one kiosk unless you complete further configuration.

To create multiple kiosks in a domain, or to limit the usage of the kiosk to specific computers only, you should create an organizational unit (OU) for each kiosk and then assign computers to the OU. You might create several kiosks where each kiosk is associated with its own OU. If computers in the same OU are geographically located in different sites, each OU per site is a kiosk.

Specifying a Shared Account for the Kiosk

DigitalPersona AD Kiosk requires an account, known as the Shared Account, that is specified on every kiosk computer. Account information includes the user name, domain name and password for an Active Directory account. You should have one Shared Account per kiosk with a Password never expires setting.

You can configure the Kiosk Shared Account by supplying the kiosk Shared Account information through GPO settings, as described below.

If the Kiosk Shared Account information is distributed through Group Policies settings, all computers that belong to the selected object level in Active Directory, such as OU, Domain, or Site, receive the kiosk Shared Account settings.

DigitalPersona AD Kiosk automatically assigns the “Impersonate a client after authentication” user right to the kiosk Shared Account. This right allows programs that run on behalf of that user to impersonate a client, which is what lets DigitalPersona AD Kiosk authenticate multiple users while using only one logon session for the Shared Account.
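As an added example (not from the DigitalPersona documentation), the following PowerShell carries out steps 3 and 5 above: it creates one kiosk OU, moves the kiosk computers into it, and creates the per-kiosk Shared Account with Password never expires, then prints the two non-secret values the GPO setting asks for. The RSAT ActiveDirectory module and domain administrator rights are assumed; the OU, computer and account names are placeholders.

```powershell
# Added example, not part of the DigitalPersona product or its documentation.
# Assumes the RSAT ActiveDirectory module; all names below are placeholders.
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$domainDn    = $domain.DistinguishedName
$kioskName   = 'Kiosk-Lobby'                    # placeholder: one OU per kiosk
$kioskOuDn   = "OU=$kioskName,$domainDn"
$computers   = @('LOBBY-PC1', 'LOBBY-PC2')       # placeholder kiosk computers
$accountName = 'svc-kiosk-lobby'                # placeholder Shared Account name
$accountPath = "CN=Users,$domainDn"             # placeholder container for the account

# Step 3: create the kiosk OU. Until this exists, the whole domain is one kiosk.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$kioskName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $kioskName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# Step 3 (cont.): assign the kiosk computers to the OU so kiosk GPOs apply to them.
foreach ($name in $computers) {
    $c = Get-ADComputer -Filter "Name -eq '$name'"
    if (-not $c) { throw "Computer account '$name' not found in the domain." }
    if ($c.DistinguishedName -notlike "*,$kioskOuDn") {
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $kioskOuDn
    }
}

# Step 5: one Shared Account per kiosk with "Password never expires".
# The password is prompted for interactively and never written into the script.
$password = Read-Host -AsSecureString -Prompt "Password for $accountName"
New-ADUser -Name $accountName -SamAccountName $accountName -Path $accountPath `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description "DigitalPersona AD Kiosk Shared Account for $kioskName"

# Verify the account state the kiosk relies on before entering it in the GPO.
$acct = Get-ADUser -Identity $accountName -Properties PasswordNeverExpires
if (-not $acct.Enabled -or -not $acct.PasswordNeverExpires) {
    throw "Shared Account '$accountName' is not enabled with Password never expires."
}

# These are the two non-secret values the Kiosk Shared Account Settings GPO asks for.
[pscustomobject]@{
    'Kiosk Shared Account user name'           = $acct.SamAccountName
    'Kiosk Shared Account NetBIOS domain name' = $domain.NetBIOSName
}
```

Run it once per kiosk with the placeholders changed; the password itself is entered in the GPO setting or on each kiosk computer as described in the following sections.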

Adding Shared Account Settings Using GPO

The Kiosk Shared Account settings are provided as part of the GPMC Extensions component of the DigitalPersona AD Administration Tools, a separate installation available in your product package.

You can use the Group Policy Editor to modify DigitalPersona settings. For the Kiosk Shared Account Settings, at the OU level for the kiosk, open the Kiosk Administration node and double-click Kiosk Shared Account Settings.

Specify the following values:

  • Kiosk Shared Account user name

  • Kiosk Shared Account NetBIOS domain name

  • Kiosk Shared Account password

The Shared Account information will be enabled for all computers in the OU.

Assigning Kiosk Permissions

In situations where additional security restrictions are necessary or desirable, you can modify the default permissions to allow or deny specific groups or users from using each kiosk. The default installation permits every domain user to use all kiosks in the domain and no additional configuration is necessary.

For an example of how to restrict identification, see Identification List.

Password Manager Admin Tool Settings

If you plan on using managed logons with DigitalPersona AD Kiosk, the templates created in the Password Manager Admin Tool must be accessible by the Shared Accounts that are used to access the kiosks. Make sure that the templates are available through GPO settings to the kiosk Shared Account rather than kiosk user accounts.

The Password Manager logon functionality is the same as in DigitalPersona AD Workstation, except that kiosk users cannot create their own personal logons but can use managed logons created by the administrator. For more information on the Password Manager GPO settings, see Policies and Settings. For additional information on managed logons, see Creating Managed Logons.

Version 4.1 Security Improvements

Beginning with the DigitalPersona 4.1 release, the following security improvements have been implemented.

  1. A Kiosk Shared Account password, even though obfuscated, is never sent from the Kiosk client computer through the GPO channel. It is stored on the DigitalPersona Server and is protected by the DigitalPersona Server’s 2,048-bit RSA encryption key. The password is delivered from the DigitalPersona Server to the Kiosk client via a special secure channel established between the DigitalPersona client and server components, so it cannot be intercepted, unlike a GPO setting.

  2. An option to automatically randomize the Kiosk Shared Account password has been added to the Kiosk Workstation Shared Account Settings setting. This provides the highest security and addresses possible password expiration cases. See Randomize Kiosk Shared Account password for details.