The Client for OES Credential Provider provides tiles that allow credential gathering for network and local workstation logon.
Because it is not possible to provide a logon tile that represents each individual user in an eDirectory tree, only two logon tiles are displayed on the desktop.
Figure 3-6 Windows Welcome Screen When the Client is Installed
The first logon tile represents the last user who successfully logged on interactively. This tile is provided as a convenience for the single-user workstation, because it allows a user to log on interactively by simply entering his or her password.
The second logon tile allows the user to specify all necessary local and network credential information. This lets any eDirectory user log on interactively.
Figure 3-7 Network Logon Screen
Each logon tile also allows the user to log in to only the local machine and bypass the network logon (using the Computer Only Logon option). The Network logon tile also provides a link (Show Advanced Options) that allows users to interact with the Advanced Options dialog box, which lets users specify the eDirectory tree, context, and server they want to log in to.
Figure 3-8 Advanced Options Dialog Box
When the Client for Open Enterprise Server is enabled with Advanced Authentication, the Client for OES Credential Provider provides a logon tile that lets the user log on interactively by entering only the eDirectory user name.
The logon tile provides a Computer Only Logon option, which logs in only to the local machine and bypasses the network logon. It also provides a Show Advanced Options link, which opens the Advanced Options dialog box. The Advanced Authentication tab in that dialog box lets the user specify the Advanced Authentication username, Repository, and server information.
Next, the Credential Provider provides an interface to specify the information for Advanced Authentication logon based on the authentication method configured for the user.
Upon successful Advanced Authentication logon, the eDirectory and Windows logon proceeds transparently.
If the eDirectory password or the Windows account name or password stored by Advanced Authentication is no longer correct or if it has never been stored, the user will be prompted to provide the current credentials.
NOTE: If you want to use the Advanced Authentication Credential Provider instead of the Client for OES Credential Provider for the logon experience, you must change the following parameters in Client Properties > Advanced Login:
Client Logon: Set this parameter to Off.
Login With Third-Party Credential Provider: Set this parameter to On.
The Credential Provider supports locking and unlocking the Windows workstation. When the workstation is locked, a logon tile is displayed that represents the locked user's account. The user is required to enter the network and workstation passwords to unlock the workstation.
Figure 3-9 Unlock Computer Screen
If the Client for Open Enterprise Server is enabled with Advanced Authentication, the locked user account is represented by a logon tile. To unlock, the user must perform the Advanced Authentication logon using the configured Advanced Authentication method. The logon proceeds with the same Advanced Authentication user that logged this user in to eDirectory, and the workstation is unlocked using the Windows account credentials retrieved from that successful Advanced Authentication logon.
The Credential Provider supports fast user switching. Fast user switching allows two or more users to be logged into the workstation simultaneously. It also allows a user to switch to a different user account without closing programs and files. When a user chooses to switch users (by clicking the Start button, clicking the arrow next to the lock button, then clicking Switch User), the Credential Provider displays a tile representing each logged-in user. It also displays the generic Network Logon tile that allows a new user to log on interactively.
Figure 3-10 Switch User Screen
To switch to a new user:
1. Click the Start button, then click the arrow next to the lock button.
2. Click Switch User.
3. Click the Network Login tile.
4. Specify the credentials for a new user logon (either to eDirectory and Windows, or to Windows only by selecting the Computer Only Logon link), then click the right-arrow button.
NOTE: When logging in to a Windows workstation using the Client for OES Credential Provider, OES connections made during the login will persist only if you are not currently logged in to the workstation. If your Windows 7 account is already logged in, you will be restored to that existing session when you log back in to the workstation. This applies to both Fast User Switching and connecting via Remote Desktop Connection.
On Windows Server 2012, once Terminal Services has been installed, the Credential Provider switches to a mode in which neither the previously logged-on user nor the currently logged-on users are displayed. This is intended to match the behavior of the default Microsoft credential provider, which behaves the same way once Terminal Services is installed on Windows Server 2012.
Even though existing logged-on user sessions are not enumerated as visible tiles, it is still possible to reconnect to an existing logged-on user session by specifying login information that ultimately matches the Windows account of that session. (In the case of Windows Terminal Service Remote Applications, the logon must also match the same TS RemoteApp that the existing logon session is running.)
However, this behavior is entirely dependent upon the Windows Server 2012 policy Restrict Terminal Services users to a single remote session. If users are not restricted to a single session, logging on with the Windows credentials of an existing logged-on session will still create an additional logon session instead of re-connecting to the existing logged-on user session.
Figure 3-11 Client for OES Credential Provider with Terminal Services Enabled
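The following PowerShell check is an added example, not part of the product documentation. It reports whether the "Restrict Terminal Services users to a single remote session" policy is in effect on a server, so an administrator can confirm whether a logon with matching Windows credentials will reconnect to the existing session or create an additional one. It assumes the standard Windows registry value fSingleSessionPerUser, which the page itself does not name; the function name is hypothetical.

```powershell
# Added example: reads the single-session restriction that decides whether a
# logon reconnects to an existing session or starts an additional one.
# Assumption: the setting is stored in the standard fSingleSessionPerUser value.
function Get-SingleSessionRestriction {
    [CmdletBinding()]
    param()

    # A value set through Group Policy takes precedence over the local setting,
    # so the policy location is checked first.
    $sources = @(
        @{ Name = 'GroupPolicy'
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' },
        @{ Name = 'LocalSetting'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' }
    )

    foreach ($src in $sources) {
        $item = Get-ItemProperty -Path $src.Path -Name 'fSingleSessionPerUser' `
                                 -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # key or value absent, try next source

        $value      = [int]$item.fSingleSessionPerUser
        $restricted = ($value -eq 1)
        $behavior   = if ($restricted) {
            'Logon with matching Windows credentials reconnects to the existing session'
        } else {
            'Logon with matching Windows credentials creates an additional session'
        }

        return [pscustomobject]@{
            Source                = $src.Name
            Value                 = $value
            SingleSessionEnforced = $restricted
            ExpectedLogonBehavior = $behavior
        }
    }

    # Neither location holds the value: report that rather than guess a default.
    [pscustomobject]@{
        Source                = 'NotConfigured'
        Value                 = $null
        SingleSessionEnforced = $null
        ExpectedLogonBehavior = 'Value not present; review Remote Desktop Session Host configuration'
    }
}

Get-SingleSessionRestriction | Format-List
```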