Customer is working with generic system accounts that are used by multiple employees. As AAF is not able to enroll multiple OTP/U2F tokens/cards, this will not work with MFA; if it did work it would probably be a licensing issue.
We have also tested mapping different user credentials onto an existing account but as soon as there's for example two U2F devices linked, neither work for authentication.
We would propose to either enable AAF to link multiple credentials of the same kind or to have a distinguished Kiosk mode with a generic user that can be unlocked with different user credentials.
by: Hauke B. | over a year ago | Other
Comments
We have been looking into this scenario. I have a couple questions.
1. When you mention "generic system account", do you mean that "autoadmin" login is being used?
2. What process did you use in "mapping different user credentials onto an existing account"?
3. Have you tried using the existing AA Linked credentials capability?
Troy
I would be interested in allowing any user to authenticate with their own credentials (using MFA) but then log them in locally to a shared Windows profile. This is necessary for sharing hardware devices on Windows that are locked to a specific Windows profile once the program is running.
For us it would be important that you can configure multiple authenticators for a single Windows account. Example: 10 employees use the same Windows account, but everyone shall be able to use their own personal card to authenticate. Same with fingerprint. Right now it is only possible to configure 1 card/fingerprint per Windows account.
Mathias, it sounds like your use case is very similar to mine.
Yes you are right ;)
Just wanted to make clear that some more users wait for this feature.
It's good to know that there are others interested in this too
Let me ask again - has anyone tried "linked accounts"?
You could have a single common account that matches the local account. Then link the other user accounts to that account.
Each user would then enter the common user id and use their own card to login.
Regards,
Troy
But for this feature every user would still need their own Windows account, or am I wrong? With this Windows account the user has to register his authenticators and then we link it to a single common account, right? If yes, it would be a workaround maybe. But it is more effort for us to configure the personal Windows accounts because they are not necessary for us.
Hi Troy,
Yes, we tried linking, that was what I meant by "mapping different user credentials", sorry for the misleading wording.
The idea also ties in with SecureLogin, as the desired use case would be a couple of employees being able to unlock a machine with a shared account (for example a "store" user for store employees to unlock a storage machine with an always-open application for inventory management) but being able to use their personal credentials for another application login (for example the store manager should have extra rights in their management software so he can see employee data).
And, like I said, when we tried to link multiple U2F credentials to the same user, we couldn't log on with either.
Also, linking has to be done manually. If this could be generalized via a group, for example, then there would be no need to link a lot of different authenticators manually.
All,
AA is an authentication product and as such we do everything we can to follow good security practices. With that said, we also try not to force security methodologies on clients.
Therefore we can have discussions about shared accounts, which should for all logical purposes be forbidden by policy.
This item has a lot of votes on the "Ideas" portal, so there is clearly interest (or someone is messing with the voting).
@Hauke and Mathias - Please create some detailed use cases for me to better understand the need. Email to me: Troy.Drewry@netiq.com
Thank You
Troy
I am awaiting detailed use cases.
Troy
Did you recognize this email?
---------
Hi Troy,
As I am currently on parental leave, Kevin asked me to supply you with a use case or two for the Kiosk mode.
So basically a use case could be an industrial production company with a workshop where they have a PC that is running a to-do list or queue for the people in the shop to use. As they frequently have external people, guests and so on in the shop, the machine should be secured, as all machines in their network are. Still, the queue is a rudimentary tool without any multi-user functionality.
In this case they have a Windows user account called "queue-tool" that is always logged on to this machine. Every employee working in the shop should be able to log on to that machine and check the tool but should not need to remember additional credentials. Therefore they walk up to the PC, present their (personal) company ID card for example, then AAF checks if they are allowed (via an AD group for example) to unlock the "queue-tool" user and if they are, the machine is unlocked.
Another use case could be a warehouse and the corresponding inventory software, or an optician store, where the users unlock the machines for fitting glasses or placing customer orders. In conjunction with SecureLogin there could also be the possibility to log on to SAP, for example, with the individual credentials while within the shared session.
I hope this helps you to prioritize the idea and maybe even implement it soon.
I will be back in the office on the 19th, so if there are any urgent questions about this, please include Kevin and/or Daniel so they can relay the questions to me or point me towards my mailbox.
Thanks and best regards
Hauke
Both of these use cases can be done with a combination of things:
- put the workstation in "auto-admin" login mode
- use Desktop Automation Service (DAS) to control login and applications
- add AA to support badge login with cached PIN for many hours
- add SecureLogin where application login via SSO is needed
We can set up a demo of this if needed.
This doesn't sound like the most intuitive solution. I have to admit I am not that familiar with SecureLogin. Can I specify which user account is used for "auto-admin" mode?
How much extra time will be needed for the individual steps here?
A "generic" out-of-the-box solution directly included in AAF would make this easier for the customer and the integrator, I think.
Is there any information about Kiosk Mode with AAF?