Setting up DigitalPersona LDS for Use with DigitalPersona Kiosk (Optional)

If your environment will include installations of DigitalPersona LDS Kiosk, you will need to specifically configure the DigitalPersona LDS Server for use with the DigitalPersona LDS Kiosk component.

After completing the procedures described in the preceding pages, follow these instructions for setting up and configuring the DigitalPersona LDS Server and environment for use with DigitalPersona LDS Kiosk.

  1. (Optionally) Create an OU for each kiosk and assign computers to the kiosk OU. See Creating the OU for the Kiosk.

    By default, all computers in the AD domain are treated as a single kiosk. You may want to set up multiple, separate kiosks by using OUs.

  2. Create a Shared Account in Active Directory and specify the account information either by GPO or on individual kiosk computers. See Kiosk Shared Account Settings and Adding Shared Account Settings Using GPO.

  3. Install DigitalPersona Kiosk on kiosk computers (see Kiosk installation).

  4. Enroll user credentials.

    By default, DigitalPersona users are not allowed to enroll their own credentials, as user creation and credential enrollment are handled centrally through the DigitalPersona Attended Enrollment component. See Attended Enrollment.

Configuring Kiosk GPO Settings

Kiosk Shared Account Settings

At the kiosk level, whether it is the domain or an OU, you must specify the kiosk Shared Account information. For more information, see Specifying a Shared Account for the Kiosk.

Creating the OU for the Kiosk

When you install DigitalPersona LDS Server and DigitalPersona LDS Kiosk, the entire domain is considered as one kiosk unless you complete further configuration.

To create multiple kiosks in a domain, or to limit the usage of the kiosk to specific computers only, you should create an organizational unit (OU) for each kiosk and then assign computers to the OU. You might create several kiosks where each kiosk is associated with its own OU. If computers in the same OU are geographically located in different sites, each OU per site is a kiosk.

Specifying a Shared Account for the Kiosk

DigitalPersona LDS Kiosk requires an account, known as the Shared Account, that is specified on every kiosk computer. Account information includes the user name, domain name and password for an Active Directory account. You should have one Shared Account per kiosk, with the Password never expires setting enabled.

You can configure the Kiosk Shared Account by supplying the kiosk Shared Account information through GPO settings, as described below.

If the Kiosk Shared Account information is distributed through Group Policies settings, all computers that belong to the selected object level in Active Directory, such as OU, Domain, or Site, receive the kiosk Shared Account settings.

DigitalPersona LDS Kiosk automatically assigns the “Impersonate a client after authentication” user right to the kiosk Shared Account. This right allows programs that run on behalf of that user to impersonate a client, which is what lets DigitalPersona LDS Kiosk authenticate multiple users while using only one logon session for the Shared Account.
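The following PowerShell script is an added example, not part of the DigitalPersona documentation, that prepares the Active Directory side of steps 1 and 2 above (one OU per kiosk with the kiosk computers moved into it, and one Shared Account per kiosk with Password never expires set) and then audits the result. The domain name, OU name, account name and computer names are constructed assumptions; the DigitalPersona Kiosk Shared Account GPO setting itself is still entered in GPMC as described in the next section.

```powershell
# Added example (not from the DigitalPersona documentation): prepares one kiosk in AD.
# Assumptions (all constructed): domain corp.example.com, kiosk OU "Kiosk-Lobby",
# Shared Account "svc-kiosk-lobby", and two kiosk computers LOBBY-PC01 / LOBBY-PC02.
Import-Module ActiveDirectory

$DomainDN   = 'DC=corp,DC=example,DC=com'
$KioskName  = 'Kiosk-Lobby'
$KioskOU    = "OU=$KioskName,$DomainDN"
$SharedUser = 'svc-kiosk-lobby'
$KioskPCs   = @('LOBBY-PC01', 'LOBBY-PC02')   # constructed computer names

# Step 1: one OU per kiosk. Every computer placed in this OU belongs to the same kiosk,
# so the Shared Account GPO linked here applies only to those computers.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$KioskName)" -SearchBase $DomainDN)) {
    New-ADOrganizationalUnit -Name $KioskName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

foreach ($pc in $KioskPCs) {
    $computer = Get-ADComputer -Identity $pc
    if ($computer.DistinguishedName -notlike "*,$KioskOU") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $KioskOU
    }
}

# Step 2: one Shared Account per kiosk with "Password never expires", as the guide requires.
# The password is prompted for so it never lands in the script or in shell history.
$Password = Read-Host -Prompt "Password for $SharedUser" -AsSecureString
if (-not (Get-ADUser -LDAPFilter "(sAMAccountName=$SharedUser)")) {
    New-ADUser -Name $SharedUser -SamAccountName $SharedUser `
        -UserPrincipalName "$SharedUser@corp.example.com" `
        -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
        -Path $KioskOU -Description "DigitalPersona Kiosk Shared Account ($KioskName)"
}

# Audit: the Shared Account only needs the right DigitalPersona Kiosk grants itself,
# so it should carry no privileged group memberships, and the never-expires flag must
# be set or the kiosk stops authenticating when the password expires.
$acct = Get-ADUser -Identity $SharedUser -Properties PasswordNeverExpires, MemberOf
[pscustomobject]@{
    Account              = $acct.SamAccountName
    PasswordNeverExpires = $acct.PasswordNeverExpires
    GroupMemberships     = ($acct.MemberOf | ForEach-Object { ($_ -split ',')[0] }) -join '; '
    KioskComputers       = (Get-ADComputer -SearchBase $KioskOU -Filter * |
                            Select-Object -ExpandProperty Name) -join ', '
}
```

Run it from an account with rights to create OUs and users in the domain; the final object is the record to compare against the values you enter in the Kiosk Shared Account Settings GPO.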

Adding Shared Account Settings Using GPO

The Kiosk Shared Account setting is provided as part of the GPMC Extensions component of the DigitalPersona LDS Administration Tools, a separate installation available in your product package.

This setting is located at Computer Configuration/Policies/Software Settings/DigitalPersona Client/Kiosk Administration.

You can use the Group Policy Editor to modify DigitalPersona settings. For the Kiosk Shared Account Settings, at the OU level for the kiosk, open the Kiosk Administration node and double-click Kiosk Shared Account Settings.

Specify the following values:

  • Kiosk Shared Account user name

  • Kiosk Shared Account NetBIOS domain name

  • Kiosk Shared Account password

The Shared Account information will be enabled for all computers in the OU.

Password Manager Admin Tool Settings

If you plan on using managed logons with DigitalPersona LDS Kiosk, the templates created in the Password Manager Admin Tool must be accessible by the Shared Accounts that are used to access the kiosks. Make sure that the templates are available through GPO settings to the kiosk Shared Account rather than kiosk user accounts.

The Password Manager logon functionality is the same as in DigitalPersona LDS Workstation, except that kiosk users cannot create their own personal logons; they can only use managed logons created by the administrator. For more information on the Password Manager GPO settings, see Policies and Settings. For additional information on managed logons, see Creating Managed Logons.

Version 4.1 Security Improvements

Beginning with the DigitalPersona 4.1 release, the following security improvements have been implemented.

  1. A Kiosk Shared Account password, even though obfuscated, is never sent from the Kiosk client computer through the GPO channel. It is stored on the DigitalPersona Server and is protected by the DigitalPersona Server’s 2,048-bit RSA encryption key. The password is delivered from the DigitalPersona Server to the Kiosk client via a special secure channel established between the DigitalPersona client and server components, so it cannot be intercepted, unlike a GPO setting.

  2. An option to automatically randomize the Kiosk Shared Account password has been added, which provides the highest security and addresses possible password expiration cases. See Randomize Kiosk Shared Account password for details.