Configuration and usage notes

Timeout

When the SKA is launched using the Change Password button, it automatically closes after two minutes if no activity takes place on the web page; this is default Windows behavior. The page can also be configured to close after a predetermined amount of time, regardless of activity, using the Timeout option. In this case, the user is notified 30 seconds before the session is terminated.

Once the countdown reaches 0, the page waits a further 2 minutes before closing automatically. Clicking OK on the countdown prompt after it reaches 0 closes the SKA page immediately. Clicking OK while the countdown is still running closes the Login Assistant page after the remaining time has elapsed.

Credential provider and the help account

The Credential Provider add-on uses the help account to log in and run runurl, which launches the SKA. When the Credential Provider is installed, it is recommended that you configure the help account with a random password and that you do not advertise the help account to users. In this setup, the help account should be used only by the Credential Provider add-on, and users should access Bravura Pass through the Credential Provider.

Connections over VPN

When using a VPN to connect to the instance, runurl searches the page it receives for one of three HTML markers used to uniquely identify the Bravura Pass login page. The markers expected by runurl are:

  • A hidden <input> element with name="TRANSACTION" and value="F_LOGIN".

  • A hidden <input> element with name="TRANSACTION" and value="C_AUTHCHAIN_LOGIN".

  • A comment containing a GUID that was created specifically for runurl.exe to match:

    <!-- 81A84EBD-2CE5-4794-8341-E1828711FFBC -->

If runurl cannot find any of these markers, it falls back to attempting a reconnection through other means.
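The following is an added example, not code from Bravura Security or from runurl itself: a small Python check that scans an HTML page for the three markers listed above, so an administrator can confirm that the page the VPN actually serves still carries one of them (for instance after a proxy or portal change). It assumes that attribute order inside the <input> element does not matter and that the GUID comment is matched case-insensitively after trimming whitespace; runurl's own matching rules are not published on this page. The sample pages at the bottom are constructed for illustration.

```python
"""Check whether an HTML page carries one of the markers runurl looks for.

Added example; not part of the Bravura Pass product. The marker values
(TRANSACTION=F_LOGIN, TRANSACTION=C_AUTHCHAIN_LOGIN and the GUID comment)
come from the documentation above. Matching attribute order loosely and
comparing the GUID case-insensitively are assumptions made here.
"""
from html.parser import HTMLParser

LOGIN_TRANSACTIONS = {"F_LOGIN", "C_AUTHCHAIN_LOGIN"}
RUNURL_GUID = "81A84EBD-2CE5-4794-8341-E1828711FFBC"


class _MarkerScanner(HTMLParser):
    """Walks the page and records every login-page marker it encounters."""

    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names; values are kept as-is.
        if tag != "input":
            return
        a = {name: (value or "") for name, value in attrs}
        # A hidden <input> named TRANSACTION with one of the two login values.
        if a.get("type", "").lower() == "hidden" and a.get("name") == "TRANSACTION":
            if a.get("value") in LOGIN_TRANSACTIONS:
                self.found.add("TRANSACTION=" + a["value"])

    def handle_comment(self, data):
        # The comment placed on the page specifically for runurl to match.
        if data.strip().upper() == RUNURL_GUID:
            self.found.add("GUID comment")


def find_login_markers(html: str) -> set:
    """Return the set of runurl markers present in the given HTML."""
    scanner = _MarkerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.found


def is_login_page(html: str) -> bool:
    """True if runurl would recognise this page as the Bravura Pass login page."""
    return bool(find_login_markers(html))


# Constructed sample pages (not captured from a real instance).
SAMPLE_LOGIN = """<html><body>
<form method="post">
  <input type="hidden" name="TRANSACTION" value="F_LOGIN" />
</form></body></html>"""

# Same marker with attributes in a different order and no self-closing slash.
SAMPLE_AUTHCHAIN = '<form><input value="C_AUTHCHAIN_LOGIN" name="TRANSACTION" type="hidden"></form>'

SAMPLE_GUID = "<html><!-- 81A84EBD-2CE5-4794-8341-E1828711FFBC --><body>Loading...</body></html>"

# A page with a TRANSACTION input that is not a login transaction and an unrelated comment.
SAMPLE_OTHER = ('<html><body><form><input type="hidden" name="TRANSACTION" value="F_LOGOUT">'
                '</form><!-- nav --></body></html>')

if __name__ == "__main__":
    for label, page in [("login", SAMPLE_LOGIN), ("authchain", SAMPLE_AUTHCHAIN),
                        ("guid", SAMPLE_GUID), ("other", SAMPLE_OTHER)]:
        print(f"{label:10s} markers={sorted(find_login_markers(page))} "
              f"login_page={is_login_page(page)}")
```

Feed it the raw HTML fetched over the VPN (for example, the body saved from a browser on the locked-down workstation) and compare the result with what runurl reports in its progress window; an empty set on a page that should be the login page points at the page content rather than at the VPN link.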

When the VPN connection credentials are changed, you can use skautil to update the encrypted VPN credential, the help account, and their cached password values kept in the registry. This utility does not change the actual underlying password.

See skautil usage information.

Logging SKA remote connection failure

When the SKA remote connection fails, debugging information is provided in the SKA progress window, which is displayed in the bottom right corner of the locked-down SKA page. By enabling a registry value called debugska, the same debugging information can also be captured in a log file generated with logutil. The following example demonstrates how to capture the debugging information:

Note

Ensure that you are comfortable and knowledgeable in the mechanics of the registry before you attempt to change any configuration settings. Contact support@bravurasecurity.com if in doubt.

  1. On the workstation where SKA is installed, create an entry in the Login Assistant registry key to enable SKA debug:

    HKLM\SOFTWARE\Bravura Security\Bravura Security Fabric\Login Assistant\Login Assistant\debugska

    Entry name: debugska

    Value: 1

    Data type: REG_DWORD

  2. Copy the logutil program from the \<instance>\utils folder on the instance server to a folder on the workstation where SKA is installed.

  3. Run a command like the following to launch logutil and start logging:

    logutil -level 5 -instance "Login Assistant" -logfile log.txt

  4. Lock the workstation and then go to the Windows user logon page.

  5. Click on the Change my password tile to launch SKA.

  6. Click the details >> button on the progress window to browse the error messages provided when the remote connection fails.

  7. Exit the SKA page.

  8. Log back on to the workstation as the user and stop logutil.

  9. Open the log file.

    Debugging information displayed in the progress window should also be available in the log file.

See logutil usage information.

Password propagation delays between DCs

The Local Reset Extension updates locally cached passwords on the end-user's PC by re-authenticating to the domain using the new password. The Bravura Pass server will typically reset the user's password on one domain controller ("DC1"), while the user's PC will attempt to authenticate to another domain controller ("DC2"). This creates a risk that the new password has not yet propagated from DC1 to DC2, or to other "upstream" DCs such as the PDC Emulator, before the user's PC attempts re-authentication.

While Bravura Pass always issues password resets to Active Directory before attempting the cache-refresh authentication, it is still possible for network congestion or other factors to result in the subsequent authentication attempt failing.

To mitigate the risk of timing-induced failures, Bravura Security recommends using the Bravura Pass sub-host plugin feature to dynamically control which domain controllers receive password resets. If this is not practical, other mitigation strategies may also be considered:

  1. Within Bravura Pass, explicitly target one of the DCs in the SSA site, or

  2. Use Bravura Pass to target the domain (rather than any particular DC), but assign the Bravura Pass server's /32 subnet address to the SSA site, or to the best-connected Active Directory site on the network.

Disaster recovery

Enterprises should consider whether remote, end-user password reset scenarios should be part of disaster recovery (DR) planning. If required for DR, then multiple VPN end points should be used, in at least two different regions or physical locations. Furthermore, enterprise Active Directory architects should be consulted on suitable Active Directory site layout changes needed to leverage those end points.