Configuring Integrated RunAs
Applications that support Integrated Windows Authentication (IWA) typically do not have native login screens. As a result, you cannot create an Imprivata SSO profile for these types of applications and deploy it to users of shared kiosk workstations.
Imprivata OneSign Integrated RunAs provides an alternative to an SSO profile, and as such, lets you extend Imprivata SSO to applications that use IWA.
Beginning with Imprivata OneSign 6.2, the ISXRunAs command line utility (ISXRunAs.exe) is installed with the Imprivata agent. This utility lets you configure a custom shortcut that lets an authenticated user:
- Launch and run an IWA enabled application under their user profile, instead of the local (generic) Windows user on the shared workstation.
- Access network resources, such as mapped drives and network printers, from within the application.
Requirements
Imprivata OneSign Integrated RunAs is included with the Imprivata OneSign Single Sign–on (SSO) license. In addition to being licensed for SSO:
- Users must be a member of the Microsoft Active Directory (AD) domain that is synchronized with the appliance.
- The domain in which the Imprivata OneSign users are members must have a trust relationship with the endpoints domain.
- Non–AD users, including those that are part of an Imprivata Directory, are not supported.
Before You Begin
Verify that IWA is functioning normally in your Windows environment, independent of Imprivata, before you begin.
Support for IWA extends to an environment and applications that are already configured to support IWA.

The following functionality is not supported:
- Published applications and desktops.
- Microsoft Universal Windows Platform applications on shared kiosk workstations.
  By design, these applications can run under the generic Windows user only.

Before you begin, consider the following:
- The Imprivata Chrome Extension is required and must be enabled.
- All path parameters in the custom shortcut must be enclosed in quotes, including those that do not include spaces.
  For more information, see the provided examples.
- Applications open in a normal window.
  The custom shortcut cannot be configured to minimize or maximize the application window.
- All applications should be opened using the custom shortcut only.
  This prevents unexpected application behavior that can result from the user first opening the application from the Start menu, for example, and then from the desktop.
- APG custom logoff sequences for web based applications may be overridden.
  All open IWA applications are closed on user switch or logout. If an APG-profiled web application is sharing the same web browser session with one of those applications, it is also closed.
- Either the Microsoft Outlook Web App or Microsoft Office 365 is the recommended Outlook deployment option on shared kiosk workstations.
  If Microsoft Outlook is deployed as a thick client application:
  - The profile for each authenticated user is loaded. This can result in degraded performance.
  - Users must complete the Outlook setup wizard on each workstation.
- By default, Windows does not remove user profiles on user switch or logout. This can become memory intensive, and over time, can result in degraded performance on the workstation. It is best practice to periodically remove these profiles.
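
One way to carry out the periodic profile removal recommended above, as an added example that is not part of the Imprivata documentation. The 14-day threshold and the account names in `$KeepAccounts` are assumptions; the script must run elevated, for example from a scheduled task.

```powershell
# Added example: remove user profiles that have not been used recently
# on a shared kiosk workstation. Threshold and account names are assumptions.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$MaxAgeDays = 14,
    # Hypothetical names: the generic kiosk account and a local admin to keep
    [string[]]$KeepAccounts = @('KioskUser', 'Administrator')
)

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

$stale = Get-CimInstance -ClassName Win32_UserProfile | Where-Object {
    -not $_.Special -and      # skip SYSTEM, LocalService, NetworkService
    -not $_.Loaded -and       # never touch a profile that is currently in use
    $_.LastUseTime -and $_.LastUseTime -lt $cutoff -and
    ((Split-Path -Path $_.LocalPath -Leaf) -notin $KeepAccounts)
}

foreach ($p in $stale) {
    if ($PSCmdlet.ShouldProcess($p.LocalPath, 'Remove user profile')) {
        # Removing the CIM instance deletes the profile folder and its
        # ProfileList registry entry together, unlike deleting C:\Users\<name>
        Remove-CimInstance -InputObject $p
        Write-Output "Removed $($p.LocalPath) (last used $($p.LastUseTime))"
    }
}
```

Run it once with `-WhatIf` to list the profiles it would remove before scheduling it.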
About the ISXRunAs Utility
The ISXRunAs utility is a command line tool that is installed with the Imprivata agent. The default location of the utility is:
- 64–bit — C:\Program Files (x86)\Imprivata\OneSign Agent

This utility lets you configure custom shortcuts that let an authenticated user:
- Launch and run an IWA enabled application under their user profile, instead of the local (generic) Windows user on the shared workstation.
- Access network resources, such as mapped drives and network printers, from within the application.
The following describes the syntax for this command:
ISXRunAs [/noprofile | /profile | /netonly] program [optional program parameters]
Parameter | Description |
---|---|
/noprofile | Specifies that the user's profile should not be loaded when the application is launched. The application runs under the authenticated user, but the default user profile is loaded to the application. |
/profile | This is the default parameter. Specifies that the user's profile should be loaded when the application is launched. The application runs under the authenticated user. |
/netonly | The application runs as the generic Windows user. However, the token of the authenticated user is used to access network resources, such as printers or network shares. |
program | The full path to the application executable. This path can also include optional parameters that are specific to the application. |

NOTE: Valid usage of the profile parameters is determined by the application. For example — if an application is designed to require the user's profile, it cannot be launched in /noprofile or /netonly mode.
Deploy a Custom Shortcut to Workstations
A custom shortcut can be deployed to:
- A single workstation manually
- Multiple workstations through a group policy object (GPO)

The same shortcut can be deployed to single–user computers and shared kiosk workstations. Consider the following behavior:
- Single–user computer — The application launches normally as the local Windows user.
- Shared kiosk workstation — Non–AD users and users without an SSO license continue to have access to the application, but it runs under the generic Windows user. Subsequent behavior is application specific. For example, some applications may launch and immediately exit, while others may display a warning message or prompt for credentials.

To configure a shortcut on a single endpoint:
- Go to the following location:
  64–bit — C:\Program Files (x86)\Imprivata\OneSign Agent
- Right–click ISXRunAs.exe, and select Send to > Desktop (create shortcut).
- Go to the desktop, and right–click ISXRunAs - Shortcut.
- Update the Target field to include the additional ISXRunAs usage parameters.
- Click OK.
Examples
As detailed in the following examples, all path parameters must be enclosed in quotes, including those that do not include spaces.
Start Notepad with the Default Profile Flag
"C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe" "C:\notepad.exe"
Start Notepad with the No Profile Flag
"C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe" /noprofile "C:\notepad.exe"
Start Notepad with the Net Only Flag and Pass Additional Program Parameters
"C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe" /netonly "C:\notepad.exe" "C:\open file.txt" -showwindow
Start Google Chrome in Incognito Mode
"C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe" /netonly "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://ad.demo.local/owa" --incognito
Start Internet Explorer in Private Mode
"C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe" /netonly "C:\Program Files (x86)\Internet Explorer\iexplore.exe" "https://ad.demo.local/owa" -private

Configuring a GPO lets you distribute a custom shortcut to all of the required workstations.
For example, you can apply a GPO to a group of computers in Active Directory. Each time a user logs in to the workstation, the shortcut is created automatically.
To configure a GPO:
- From the domain controller, open the Group Policy Management console.
- In the console tree, locate the organizational unit (OU) that includes the computers on which the shortcut is required.
- Right–click the OU, click Create a GPO in this domain, and Link it here, and name the GPO.
- Right–click the new GPO, and click Edit to open the Group Policy Management Editor.
- Go to Computer Configuration > Preferences > Windows Settings > Shortcuts.
- Right–click Shortcut, and select New Shortcut.
- Complete the following:
  - From the Action list, select Update, and then specify the name of the shortcut.
  - From the Location list, select All Users Desktops.
  - In the Target path field, enter the path to the ISXRunAs utility.
  - In the Arguments field, enter the ISXRunAs usage parameters.
  - In the Icon file path field, browse to the icon that should be used for the shortcut.
    If this location is not specified, the shortcut appears with the Imprivata icon.
- Click OK.
NOTE: Be sure that the target path and arguments are entered with the correct syntax. For more information, see the provided examples.

Drive mapping requires an Imprivata OneSign procedure code. To map a network drive:
- Configure a procedure code to use ISXRunAs to map the drive at user login/desktop unlock.
- Enable the procedure code in the computer policy that is governing your endpoints.

Using ISXRunAs to map the drive ensures that it remains available, under the context of the authenticated user, for the duration of their session.
Configure the Procedure Code
To configure the procedure code:
- In the Imprivata Admin Console, open the gear icon menu, and click Extensions.
- Go to the Procedure code section, and click View/Edit.
- Click Add, and enter a name for the procedure code.
- Click Click here to choose an event, and select the User Login session event.
- Click Or > Click here to choose an event, and then select the Desktop Unlocked session event.
- Type the following command in the text field:
  Syntax
  "C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe" cmd.exe /C "net use <network_drive_to_map>"
  Example
  "C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe" cmd.exe /C "net use z: \\exampledrive"
- Go to The code will be section, and select Written to a file extension of, and type BAT in the field.
- Save the procedure code.
Enable the Procedure Code
To assign the procedure code:
- In the Imprivata Admin Console, click Computers > Computer policies.
- Locate the required computer policy, and click its name to edit it.
- Go to the Extensions tab, and select Enable Procedure Code Extension Object?
- Click Enable, and save the computer policy.
Reporting
You can use the User Activity, Computer Activity, and Application Activity reports to determine which applications have been launched using ISXRunAs.
NOTE: For more information about managing reports, see Using Reporting Tools.
Troubleshooting
Symptom
Running the desktop shortcut does not work.
Solution
Be sure that the target path of the shortcut is configured with the proper syntax. For more information, see the provided examples.
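
A way to check deployed shortcuts against the quoting rule stated with the examples above, as an added example that is not part of the Imprivata documentation. The function name `Test-IsxArguments` is hypothetical, and treating URLs as path parameters is an assumption based on the page's examples, which quote them.

```powershell
# Added example (not Imprivata code): audit desktop shortcuts that launch
# ISXRunAs.exe and report arguments that break the "quote every path" rule.
function Test-IsxArguments {
    param([string]$Arguments)

    # An odd number of quote characters means a quoted path was left open
    if ([regex]::Matches($Arguments, '"').Count % 2) { 'unbalanced quotes' }

    # Tokenise, keeping each "quoted string" together as one token
    $tokens = @([regex]::Matches($Arguments, '"[^"]*"|\S+') |
        ForEach-Object { $_.Value })

    # The profile switch is optional and, when present, comes first
    if ($tokens.Count -and $tokens[0] -in '/noprofile', '/profile', '/netonly') {
        $tokens = @($tokens | Select-Object -Skip 1)
    }
    if (-not $tokens.Count) { 'no program specified'; return }

    foreach ($t in $tokens) {
        # Drive-letter paths, UNC paths and URLs (assumption) must be quoted,
        # even when they contain no spaces
        if ($t -notmatch '^".*"$' -and $t -match '^([A-Za-z]:\\|\\\\|https?://)') {
            "unquoted path parameter: $t"
        }
    }
}

$shell    = New-Object -ComObject WScript.Shell
$desktops = 'CommonDesktopDirectory', 'DesktopDirectory' |
    ForEach-Object { [Environment]::GetFolderPath($_) }

Get-ChildItem -Path $desktops -Filter *.lnk -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)   # opens the existing .lnk
        if ($lnk.TargetPath -like '*\ISXRunAs.exe') {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Arguments = $lnk.Arguments
                Problems  = @(Test-IsxArguments $lnk.Arguments) -join '; '
            }
        }
    }
```

An empty Problems column means the shortcut's arguments follow the documented syntax; the report also shows which program each shortcut starts under the authenticated user's context.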