Windows Logon app sharing
If you have multiple virtual servers, you can share the Windows Logon agent with child or delegated virtual servers. As a result, the users in each of these virtual servers can authenticate through the Windows Logon agent on a machine that is protected by the agent.
When the Windows Logon agent is a shared, and a user from the child virtual server tries to access a shared machine, the virtual server where the user resides and its logon policy controls the access and authentication to the shared machine.
Windows Logon app sharing works in both online and offline mode. However, the first time that users connect, they must be in online mode.
Windows Logon app sharing applies to logon agents that are configured on the Applications tab in STA. It does not apply to versions of the agent that are not configured on the Applications tab.
Realms for Windows Logon agent
There are two ways that SafeNet Trusted Access (STA) locates users who attempt to log in to virtual servers that are protected by a shared Windows Logon agent:
-
Realms: A realm, or domain, identifies the relationship between the user and the virtual server. It tells the system to direct the access request to a particular virtual server. A realm is defined by a realm identifier that users enter as part of their user ID. For example, in myuser@thalesgroup.com, thalesgroup.com is the realm. The system recognizes the realm as part of the user name. It uses the realm to determine which virtual server to use for finding the users in STA and for processing the access request.
Realms are enabled and defined at the application level, and are available only for the Windows Logon agent (application). A similar concept exists for authentication nodes.
-
Lookup order: If you don't use realms, then you don't need to enable realms or configure the realm identifier. Instead, STA looks for the user based on a lookup order. STA looks at the first virtual server in the list. If STA doesn't find the user there, then STA looks at the next virtual server, and so on down the list of virtual servers that the agent is shared with. The lookup order goes from the top to the bottom of the list on the Share page.
Share the Windows Logon agent
You download and deploy the Windows Logon agent from the parent or delegated virtual server. Sharing allows multiple virtual servers to use the same Windows Logon agent and to protect a machine that is shared by users in these virtual servers.
When you configure sharing, you can use realms to make it easier for STA to locate the user in the right virtual server.
Sharing is available only on STA virtual servers that are service providers.
-
On the STA Access Management console of the parent virtual server, add a Windows Logon application:
-
Select Applications.
-
Select the Add Application icon.
-
Select the Windows Logon application, enter the Display name, and select Add.
For information about how to install and configure the agent, refer to the documentation link on the Windows Logon application page.
After you select Install Package, the Share tab becomes available. The Share tab is available only on virtual servers that are service providers. On the Share tab, the Application Sharing section lists the virtual servers that the Windows Logon is shared with. At this point, only the current virtual server is included in the list.
-
-
On the Share tab, select Add Virtual Server.
The Application Sharing screen lists the child and delegated virtual servers for the current virtual server.
-
Select the virtual server to add, and then select Next.
-
To use realms, enter a unique Realm identifier for the virtual server. Don't include the symbol (@ or \) that separates the user name and the realm. For example, if the user name and realm is username@thalesgroup.com, the realm identifier is thalesgroup.com.
-
Select Save.
-
To use realms, configure the Realm Configuration options:
-
Turn on the toggle so that Realm configuration is enabled.
If the toggle is turned off and realm configuration is disabled, the user name search proceeds directly to the parent (root) virtual server.
-
If required, select Strip Realm from UserID.
The user ID that STA uses internally might not include the realm. In that case, the user name is only known to STA as user name not username.domain.com and you need to strip the realm. STA strips the realm and keeps only the user name part that STA recognizes for authentication.
-
Select a Username Format:
-
username@domain.com
-
domain.com\username
These are the format options that Windows supports. The format informs the system about where to find the realm in the user name that the user enters.
-
-
-
Select Save Configuration.
The parent virtual server is at the bottom of the list, and each virtual server that you share with is added to the top of the list when you add it.
After you share the Windows Logon agent with a virtual server, you can update the Realm identifier for a virtual server, or remove the application sharing from the virtual server.
Shared WLA in child virtual servers
After you share the Windows Logon agent, the agent shows up in the Applications list for the virtual servers that you shared it with. The Windows Logon application now exists within the child virtual server. The Windows Logon application is always assigned to all users. All that the child virtual server can do is see the Windows Logon application. However, the child virtual server can configure the logon policy that applies to the Windows Logon agent, which includes Windows logins from this agent.
Only the virtual server that shares the Windows Logon agent (the parent virtual server) can remove or edit the shared Windows Logon agent.
Logon policies for shared WLA
After you share the Windows Logon agent, the Global Logon Policy is automatically created in the virtual servers that you shared it with. The logon policy always applies to all users and all logon agents that are in the scope of the virtual server. You can edit the logon policy decision options.
-
On the STA Access Management console, select Policies, and then select the Logon tab.
-
At the top-right, select Edit.
-
Under Decision, edit the Authentication methods as needed, and then click Save.
Shared Windows Logon Agent in access logs
In the access logs, access requests appear for the virtual server where the user resides.
If STA does not find the user, the access log to identify the failed access request appears in the parent virtual server where the Windows Logon agent configured.
Shared Windows Logon agent in audit logs
The audit logs appear in the virtual server where sharing was configured (the parent virtual server). In the audit logs, the following entries are generated for actions that operators perform when sharing Windows Logon agent:
Operator action | Action Taken column | Object Type column | Object Title column |
---|---|---|---|
Share Windows Logon agent with a child or delegated virtual server | Add Sharing | Application | Application name (default is Windows Logon) |
Remove sharing for a virtual server | Remove Sharing | Application | Application name (default is Windows Logon) |
Edit realm for a virtual server | Update Realm Identifier | Application | Application name (default is Windows Logon) |
Edit realm configuration, including enable or disable | Update Realm Configuration | Application | Application name (default is Windows Logon) |