IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2

Planning for the Windows interactive logon experience

AccessAgent can be deployed on Windows workstations in GINA or GINA-less mode.

The following table shows the supported logon screen, desktop configuration, and whether two-factor authentication is supported when AccessAgent is deployed with or without GINA.

When AccessAgent is deployed with	Interactive logon with	Supported desktop configurations	Two-factor authentication support
GINA mode on	ESSO AccessAgent screen Windows Logon screen	Shared desktop Private desktop Personal desktop	Yes
GINA mode off	Windows Logon screen	Personal desktop Roaming desktop	No

Note: On Windows XP, Windows Server 2003, and on earlier Windows versions, the interactive logon settings are controlled by either the ESSO GINA or MSGINA authentication modules. On Windows Vista and later versions, the GINA-based logon architecture is replaced with a Credential Provider model.

In GINA mode, users log on to the Windows desktop through the ESSO AccessAgent screen with their ISAM ESSO credentials.
Users are logged into their Wallet, and automatically logged into Windows using their Windows credentials.
In GINA-less mode, users log on to the Windows desktop through the regular Windows Logon screen with their Active Directory credentials.
AccessAgent then uses the same credentials to log on the users to their cached Wallet and to IMS Server.

AccessAgent uses a module called ESSO Network Provider to capture the Active Directory credentials and to use these credentials to automatically log on the users to their Wallet.
Note: Active Directory password synchronization must be enabled for ESSO Network Provider to work properly.

MSGINA is not replaced and is still available when users click the Go to Windows to log on link in the ESSO AccessAgent screen.

The ESSO AccessAgent screen is required for shared desktop and private desktop configurations and when using two-factor authentication. ESSO GINA also provides self-service sign-up and password reset services on the ESSO AccessAgent screen.

Feedback