Veri-Sys IDenium for AD is a fully functional biometric identification system tightly integrated with the Microsoft Active Directory (AD) service. IDenium for AD, which supports Windows NT/2000/XP, allows users registered in one domain to be biometrically identified by their unique fingerprints when accessing shared network resources in another domain, according to their access rights.
Architecture
IDenium provides centralized storage, reliable protection and transfer of personal user identification information by means of the AD services.
User management is also centralized and can be performed using the standard Active Directory Users and Computers Microsoft Management Console (ADUC MMC).
The integration is performed by adding tabs and objects to the existing ADUC MMC interface, so administrators keep the same interface but gain the biometric functionality. In other words, AD is extended to carry a fingerprint credential in each user record by extending the AD schema and registering the IDenium components in the root domain of the AD service via the management console.

Advantages
- Reliable identity authentication across multiple domains in a Windows Active Directory environment
- Facilitated domain-wide security control and password management for networked workstations
- Secured access to shared PCs
- Fault tolerance, increased robustness and scalability thanks to integration with AD and a distributed authentication architecture
- Security features set at the domain level
- Reduced user administration through self-enrollment of IDenium users
- Detailed and extensive documentation for all IDenium components
Target Audience
IDenium for AD bundles applications to be installed on both client and administrative workstations. Its target audience therefore includes end users and system administrators of medium and large companies and enterprises. IDenium is applicable only to organizations where user management is performed by means of the AD service.
Specific IDenium Notions
- Script is a recorded sequence of user actions created to simplify interaction with application windows and the performance of daily user tasks.
- Person is an extended user account that uniquely identifies exactly one user. Strong user identification based on the person is achieved through digital templates of the unique biometric features that characterize that user. In IDenium, the Authenteon user person is identical to the user account in Active Directory.
- Authenteon user account includes the user and system information used to log on to the operating system under the appropriate user account. Authenteon user accounts are stored in the Authenteon database. Each Authenteon user can have several user accounts.
IDenium Components
IDenium for AD is based on a client-server architecture.
The client part of IDenium consists of the following components:
- Veri-Sys Windows Logon - user verification at logon to the OS and applications, and unlocking PCs with fingerprints.
- Veri-Sys Password Vault - simplifies user interaction with secured applications by replacing alphanumeric passwords with biometric identifiers, recording and executing scripts for a particular application.
- Veri-Sys Admin Pack - allows creating new users and enrolling their fingerprint templates centrally, from a single administrator workstation.
The server part of IDenium includes the following components:
- Veri-Sys Synchronization Agent - synchronizes user account data between the AD service and the Authenteon Server database.
- Veri-Sys Authenteon Server - receives client requests, processes them, generates reply packages containing user identification details and returns the user identifiers required to access the secured resources. Available in two editions: Authenteon Server for Linux and Authenteon Server for Windows. It houses the core algorithms that perform fingerprint verification.
IDenium Features
In IDenium, administrators and users can do the following:
- Add new user accounts in AD using ADUC MMC
- Change user accounts in AD
- Delete user accounts in AD
- Change their own fingerprint template or account password
- Enroll the fingerprint templates and passwords of IDenium persons
- Change the fingerprint templates and passwords of IDenium persons
- Create and execute Password Vault scripts
- Log on to the operating system and secured applications
- Lock and unlock their computers biometrically
In all of the above cases, IDenium automatically updates the relevant information in the Authenteon database.
DB Replication and Synchronization
Data replication between all the Authenteon servers is performed by means of the Active Directory service tools. As a result, a user with a user account in a domain of one network can gain access to network resources located in another domain.
Synchronization between the Authenteon Server database and the AD service is performed by the Veri-Sys Synchronization Agent, which reads information from the domain AD service every 2 minutes. This means that any change made to a user name or password in AD is automatically stored in the Authenteon database. For example, an Authenteon user is created automatically when the administrator adds a new user in Active Directory, by copying the user name and password from the user account in Active Directory.
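The polling model described above, as an added illustration that is not Veri-Sys code: an agent reads a directory at a fixed interval (the page's 2 minutes), compares each record with what it last saw, and mirrors additions, changes and deletions into a separate account database. The in-memory `directory` and `database` dictionaries stand in for Active Directory and the Authenteon database, and the record layout (a `password` attribute alongside a UPN) is a constructed assumption, not the product's schema.

```python
"""Polling directory-to-database synchronization (added example, not Veri-Sys code).

Models an agent that reads the domain directory on a timer and mirrors user
name/password changes into a separate account database, as the page describes.
'directory' and 'database' are constructed in-memory stand-ins for AD and the
Authenteon database; the attribute names are assumptions.
"""
import hashlib
import time
from dataclasses import dataclass, field

SYNC_INTERVAL_SECONDS = 120  # the page states the agent reads AD every 2 minutes


def record_fingerprint(record: dict) -> str:
    """Stable digest of one user record, so a change in any synchronized
    attribute is detected without field-by-field comparison."""
    canonical = "|".join(f"{key}={record[key]}" for key in sorted(record))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class SyncAgent:
    directory: dict                               # stand-in for AD: account name -> attributes
    database: dict                                # stand-in for the Authenteon DB, same key
    seen: dict = field(default_factory=dict)      # last digest observed per account

    def sync_once(self) -> dict:
        """One polling pass. Copies new and changed records into the database,
        drops records whose account vanished, and reports what happened."""
        added, changed, removed = [], [], []
        for name, attrs in self.directory.items():
            digest = record_fingerprint(attrs)
            if name not in self.database:
                self.database[name] = dict(attrs)     # new AD user -> new DB user
                added.append(name)
            elif self.seen.get(name) != digest:
                self.database[name] = dict(attrs)     # name/password changed in AD
                changed.append(name)
            self.seen[name] = digest
        for name in list(self.database):
            if name not in self.directory:            # deleted in AD -> deleted in DB
                del self.database[name]
                self.seen.pop(name, None)
                removed.append(name)
        return {"added": sorted(added), "changed": sorted(changed), "removed": sorted(removed)}

    def run(self, passes: int, interval: float = SYNC_INTERVAL_SECONDS) -> list:
        """Poll 'passes' times with 'interval' seconds between passes."""
        results = []
        for i in range(passes):
            results.append(self.sync_once())
            if i < passes - 1:
                time.sleep(interval)
        return results


if __name__ == "__main__":
    # Constructed sample directory; a single pass so the demo does not sleep.
    ad = {"alice": {"userPrincipalName": "alice@corp.example", "password": "pw1"}}
    agent = SyncAgent(directory=ad, database={})
    print(agent.run(passes=1))
```

Because the agent only compares digests, a change to any synchronized attribute counts as a change; a real deployment would also have to decide what happens to accounts deleted on the directory side, which the page leaves unspecified.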
Caching in IDenium
The cache mode in IDenium allows users to continue working with the protected resources when the Authenteon Server is inaccessible. With the credentials cache mode enabled, once a user work session has been successfully established, the user's confidential data (user names and passwords, Password Vault scripts, etc.) are placed in a cache on the local hard disk. When the Authenteon Server becomes unavailable, the user credentials stored in the cache on the user's local computer are used to access the protected resources. The cache mode is enabled via ADUC MMC.
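The fallback logic of that cache mode, as an added example that is not Veri-Sys code: a logon client asks the authentication server first, records the credential locally after a successful session, and only consults the local cache when the server cannot be reached. The page does not say how its on-disk cache is protected; this example stores a salted PBKDF2 verifier rather than the password itself, which is a design choice of the example. `FakeServer`, the JSON cache file and the `cache_mode` switch are constructed assumptions.

```python
"""Offline credential cache with server fallback (added example, not Veri-Sys code).

Illustrates the cache mode described above: authenticate online when the server
answers, populate a local cache on success, and fall back to the cache only when
the server is unreachable. The server stub, file format and the choice of a
salted PBKDF2 verifier instead of the cleartext password are assumptions.
"""
import hashlib
import json
import os
import secrets
import tempfile
from typing import Callable


class ServerUnavailable(Exception):
    """Raised by the server callback when the authentication server cannot be reached."""


def _verifier(password: str, salt_hex: str) -> str:
    # Slow, salted hash so an attacker who reads the cache file still has work to do.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               bytes.fromhex(salt_hex), 100_000).hex()


class CredentialCache:
    """Per-machine cache kept on local disk; one salted verifier per user."""

    def __init__(self, path: str):
        self.path = path
        self.entries = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.entries = json.load(fh)

    def store(self, user: str, password: str) -> None:
        salt = secrets.token_hex(16)
        self.entries[user] = {"salt": salt, "verifier": _verifier(password, salt)}
        tmp = self.path + ".tmp"                      # write-then-rename keeps the file consistent
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self.entries, fh)
        os.replace(tmp, self.path)

    def check(self, user: str, password: str) -> bool:
        entry = self.entries.get(user)
        if entry is None:
            return False
        return secrets.compare_digest(_verifier(password, entry["salt"]), entry["verifier"])


class LogonClient:
    def __init__(self, server: Callable[[str, str], bool], cache: CredentialCache,
                 cache_mode: bool = True):
        self.server = server          # callable(user, password) -> bool, may raise ServerUnavailable
        self.cache = cache
        self.cache_mode = cache_mode  # the page says this switch is set via ADUC MMC

    def logon(self, user: str, password: str) -> str:
        """Returns 'online' or 'cached'; raises PermissionError when access is denied."""
        try:
            accepted = self.server(user, password)
        except ServerUnavailable:
            if self.cache_mode and self.cache.check(user, password):
                return "cached"
            raise PermissionError("server unavailable and no usable cached credential")
        if not accepted:
            raise PermissionError("rejected by authentication server")
        if self.cache_mode:
            self.cache.store(user, password)           # refresh the cache after a good session
        return "online"


class FakeServer:
    """Constructed stand-in for the authentication server, with an availability switch."""

    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.available = True

    def authenticate(self, user: str, password: str) -> bool:
        if not self.available:
            raise ServerUnavailable()
        return self.accounts.get(user) == password


def run_demo() -> list:
    """Constructed scenario: online logon, server outage, wrong password during the outage,
    then a fresh cache object re-reading the same file. Returns the observed outcomes."""
    server = FakeServer({"alice": "correct horse"})
    cache = CredentialCache(os.path.join(tempfile.mkdtemp(), "credcache.json"))
    client = LogonClient(server.authenticate, cache)
    outcomes = [client.logon("alice", "correct horse")]
    server.available = False
    outcomes.append(client.logon("alice", "correct horse"))
    try:
        client.logon("alice", "wrong password")
    except PermissionError:
        outcomes.append("denied")
    outcomes.append(CredentialCache(cache.path).check("alice", "correct horse"))
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

The cache is only consulted when the server raises `ServerUnavailable`; a server that answers and rejects the credential is never overridden by a stale cache entry, which is the property a practitioner should check in any offline-logon design.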