Technical Brief

Enterprise Single Sign-On. The Holy Grail of Computing

Written by Jackson Shaw, Senior Director, Product Management, Identity and Access Management, Quest Software Inc.


Enterprise Single Sign-On. The Holy Grail of Computing - Technical Brief 2

© 2009 Quest Software, Inc. ALL RIGHTS RESERVED.

This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Quest Software, Inc. (“Quest”).

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 www.quest.com email: [email protected]

Refer to our Web site for regional and international office information.

Trademarks Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, ChangeManager, Defender, DeployDirector, Desktop Authority, DirectoryAnalyzer, DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, MultSess, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point,Click,Done!, PowerGUI, Quest Central, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, Security Lifecycle Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vControl, vConverter, vFoglight, vOptimizer, vRanger, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vBackup, Vizioncore vEssentials, Vizioncore vMigrator, Vizioncore vReplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.

Updated—November 2009


Contents

Introduction (page 4)
The Challenge (page 5)
Active Directory: The Foundation for Enterprise Single Sign-On (page 6)
Quest One Identity Solution’s Layered Approach to Addressing the Challenges (page 7)
Password Synchronization – A Traditional Approach (page 8)
    Advantages of Password Synchronization (page 8)
    Disadvantages of Password Synchronization (page 8)
    Quest Password Manager Sync (page 8)
Extending Active Directory’s Single Sign-on Benefits to Other Platforms and Applications (page 10)
Supporting Other Applications (page 11)
A Blended Solution to a Tough Challenge (page 12)
Protecting “High-Value” Passwords (page 13)
    Quest Privilege Manager for Unix: Effectively Protecting Unix “Root” Access (page 13)
    Quest SafeKeeping – Secure Management of Privileged Accounts (page 13)
    Quest Defender: Solving the “Master Key” Problem (page 14)
Summary (page 15)
About the Author (page 17)
NOTES (page 18)


Introduction

The number of identities[i] we have to remember continues to grow. Gone are the mainframe days when we each had to remember only one identity. The evolution to client/server applications and the Internet has dramatically increased the number of identities we have to remember. Because of this increase, we have seen the emergence of a common challenge: keeping track of all of our passwords and system identities. IT managers are also struggling and asking questions such as: How do I reduce the help desk costs associated with forgotten passwords? How do I get my staff members not to write down their passwords on stickies? How do I secure, control, and audit the passwords associated with privileged accounts?

The pursuit of enterprise single sign-on (SSO)[ii] was born out of the costs associated with having so many user IDs and passwords: the operational, security, and efficiency costs are significant. In this document, we discuss the challenges mentioned above in detail, how the Quest One Identity Solution, a set of enabling technologies that simplifies identity and access management, approaches enterprise single sign-on, and a unique solution that addresses nearly all facets of the challenges.

As enterprises become more complex and diverse, there has been a corresponding rise in the number of identities associated with any one individual. This causes identity and access management challenges.


The Challenge

We all experience this challenge: too many identities, resulting in too many passwords and too many user IDs to remember.

Figure 1 - A typical enterprise environment

The productivity, security, compliance, and help desk costs related to this explosion of identities are significant. Some costs are easy to calculate and some are harder. The most definable cost to organizations is the help desk expense associated with helping end-users reset forgotten passwords on the myriad systems to which they have access. Many organizations also have multiple help desks: a Windows help desk, a Unix help desk, a mainframe help desk, and help desks for applications such as SAP or Siebel. The Unix, mainframe, and application help desks are typically more expensive for companies to maintain due to the expertise required. Typically, it is the Unix administrator, mainframe operations staff, or application specialists that are called upon for password resets for those systems. Most organizations can easily calculate this cost.

Not as easy to calculate, but potentially greater, are the invisible costs associated with the proliferation of identities. Many organizations do not have automated provisioning or de-provisioning systems. This means that the identities of many end users are never deleted from all of the systems to which they had access. Other potential costs or security concerns include the propensity for end users to use a common password across systems, write down their passwords, or use passwords that are easy to guess. With multiple systems it is also difficult to have a common password security policy. With this proliferation of systems there is another side effect—a proliferation of administrative, privileged, and superuser identities. How can this be controlled and audited? It is also difficult to calculate the lost productivity for end users who must enter their credentials multiple times per day or who are on the phone with the help desk resetting their passwords. The net result is that the efficiency of both our automated systems and our workers suffers.


Active Directory: The Foundation for Enterprise Single Sign-On

Nearly all corporate end users begin their day by logging into a Windows desktop or laptop and authenticating to Active Directory. In the United States, Active Directory is the primary directory for over 75% of enterprises.[iii] The prevalence of Active Directory continues to increase globally. Since the launch of Active Directory with Windows 2000 Server, organizations have relied on it as the primary authentication for their end users. In fact, in most enterprises users must log on via Active Directory before they can access non-Windows hosted applications such as SAP, Siebel, and Oracle; mainframe or mid-range systems; and other client-server applications. Active Directory already provides extensive capabilities for enabling enterprise single sign-on and provides options for strong authentication via smart cards to further secure an organization’s environment.

Most end users do not realize that their access and authentication to nearly every Microsoft server, web, and other Microsoft-hosted application (e.g., Exchange, SQL Server, SharePoint, and IIS) occurs transparently without their having to re-enter credentials. Active Directory enables true single sign-on—but only to Windows-based and Windows-hosted applications. In a Windows-only environment, this reduced or single sign-on capability is enabled through Microsoft’s use of the Kerberos security protocol.[iv]

It is logical to base any single sign-on effort around the users’ user IDs and passwords that they use when they log on to their Windows desktop each day.


Quest One Identity Solution’s Layered Approach to Addressing the Challenges

Quest Software's Quest One Identity Solution leads the industry in innovation that helps organizations simplify identity and access management, including SSO for the enterprise. The Quest One approach, as described throughout the rest of this technical brief, calls for:

• Directory and identity consolidation based on Active Directory as the true “Holy Grail” of SSO
• Enterprise single sign-on as the ideal solution for applications that cannot be directly integrated
• Synchronization for situations where integration and enterprise single sign-on are not practical


Password Synchronization – A Traditional Approach

Many organizations have taken to synchronizing users’ Active Directory passwords across systems to which end users must log on. Unfortunately, password synchronization does not actually solve all of the challenges that we have discussed thus far. In particular, it does not enable single sign-on. With password synchronization, users can have a single password that provides access to multiple systems they use, but they still must log on every time to each system.

Advantages of Password Synchronization

• End-users have just one password to remember, so passwords are forgotten less often. This reduces both help desk costs associated with forgotten passwords and the associated loss of productivity.
• Administrators can more easily implement a consistent password policy across synchronized systems.
• Password synchronization is a viable solution where security policy disallows enterprise single sign-on.
• Generally no user workstation modification is required to implement password synchronization.
• It is easier to extend to any given platform or application than enterprise single sign-on.

Disadvantages of Password Synchronization

• End users have just one password to remember, which increases the chance it could be compromised and allow unauthorized users to have access to all systems to which the password is synchronized.
• Users must continue to log on to each system individually, resulting in inefficiency.
• Not all systems easily support bi-directional password synchronization.
• Implementation can be complex; agents are usually required on all target systems.
• Password policies may not be compatible across all systems, which can lead to a “least secure” policy (e.g., mainframe passwords are typically 8 characters maximum).
• There is no support for advanced or strong authentication (e.g., smart cards, tokens, and one-time passwords).
• No directory or identity consolidation is enabled, so the number of directories is not reduced.
• Password synchronization does not secure or audit administrative, privileged, or superuser identities.

To summarize, password synchronization does not provide true single sign-on, but it does offer enterprises a first step towards reducing help desk costs. It also offers the opportunity to provide a broad-based solution that would fit almost any company.
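The “least secure” policy effect listed under the disadvantages can be made concrete. The following added example (not code from this brief or from Quest) computes the rules that one synchronized password must satisfy across several constructed system policies, including an 8-character mainframe cap, and shows how the directory policy has to be relaxed before synchronization is even possible; every system name, limit and alphabet is an assumption made for illustration.

```python
"""Effective password policy under password synchronization.

Added example, not code from the Quest brief. A password synchronized to
several systems must satisfy every system's rules at once, so the weakest
system decides. All system names and limits below are constructed.
"""
import math
import string
from dataclasses import dataclass, replace

CLASSES = {
    "upper": frozenset(string.ascii_uppercase),
    "lower": frozenset(string.ascii_lowercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation),
}


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_length: int            # hard cap the target system can store
    allowed_chars: frozenset   # characters the system accepts
    required_classes: int      # how many of upper/lower/digit/symbol must appear
    case_sensitive: bool = True


def effective_policy(policies):
    """Rules one synchronized password must meet on every system at once:
    largest minimum, smallest cap, common alphabet, case-insensitive if any is."""
    return PasswordPolicy(
        name="effective",
        min_length=max(p.min_length for p in policies),
        max_length=min(p.max_length for p in policies),
        allowed_chars=frozenset.intersection(*(p.allowed_chars for p in policies)),
        required_classes=max(p.required_classes for p in policies),
        case_sensitive=all(p.case_sensitive for p in policies),
    )


def is_satisfiable(policy):
    """False when no password can meet the policy, e.g. minimum above the cap."""
    usable = sum(1 for cls in CLASSES.values() if cls & policy.allowed_chars)
    return policy.min_length <= policy.max_length and usable >= policy.required_classes


def violations(password, policy):
    """Reasons the password breaks the policy; an empty list means it passes."""
    reasons = []
    if len(password) < policy.min_length:
        reasons.append(f"{policy.name}: shorter than {policy.min_length}")
    if len(password) > policy.max_length:
        reasons.append(f"{policy.name}: longer than {policy.max_length}")
    bad = set(password) - policy.allowed_chars
    if bad:
        reasons.append(f"{policy.name}: disallowed characters {''.join(sorted(bad))}")
    present = sum(1 for cls in CLASSES.values() if cls & set(password))
    if present < policy.required_classes:
        reasons.append(f"{policy.name}: {present} character classes, needs {policy.required_classes}")
    return reasons


def entropy_bits(policy, length):
    """Upper bound on guessing entropy of a random password of that length."""
    alphabet = policy.allowed_chars
    if not policy.case_sensitive:
        alphabet = {c.lower() for c in alphabet}   # 'A' and 'a' are the same guess
    return length * math.log2(len(alphabet))


def relax_for_sync(directory, others):
    """Lower the directory minimum to the weakest cap so a common password can
    exist: the usual outcome, since the weak system cannot be raised."""
    cap = min(p.max_length for p in others)
    relaxed = replace(directory, min_length=min(directory.min_length, cap))
    return effective_policy([relaxed, *others])


# Constructed policies for a fictional estate; the mainframe mirrors the
# brief's remark that such passwords are often capped at 8 characters.
ALL_PRINTABLE = frozenset(string.ascii_letters + string.digits + string.punctuation)
ACTIVE_DIRECTORY = PasswordPolicy("Active Directory", 12, 127, ALL_PRINTABLE, 3)
MAINFRAME = PasswordPolicy("mainframe", 6, 8, frozenset(string.ascii_uppercase + string.digits + "@#$"),
                           1, case_sensitive=False)
LEGACY_APP = PasswordPolicy("legacy app", 8, 16,
                            frozenset(string.ascii_letters + string.digits + "!@#$%"), 2)

if __name__ == "__main__":
    as_configured = effective_policy([ACTIVE_DIRECTORY, MAINFRAME, LEGACY_APP])
    print("satisfiable as configured:", is_satisfiable(as_configured))   # False: 12-char minimum vs 8-char cap
    synced = relax_for_sync(ACTIVE_DIRECTORY, [MAINFRAME, LEGACY_APP])
    print(f"synchronized policy: {synced.min_length}-{synced.max_length} chars, "
          f"{len(synced.allowed_chars)}-character alphabet, case_sensitive={synced.case_sensitive}")
    print(f"directory alone at 12 chars: {entropy_bits(ACTIVE_DIRECTORY, 12):.0f} bits; "
          f"synchronized at 8 chars: {entropy_bits(synced, 8):.0f} bits")
```

The directory's 12-character minimum cannot coexist with the mainframe's 8-character cap, so the only way to synchronize is to lower the directory policy, which halves the guessing entropy of the common password.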

Quest Password Manager Sync

Quest Password Manager, when coupled with synchronization, can improve a password synchronization solution by enabling end users to reset their own password and synchronize their passwords across multiple platforms. This helps to further reduce help desk costs and improve productivity.

Platforms and applications that are supported for password synchronization include:

• Digital Unix
• Digital OpenVMS
• HP-UX
• IBM AIX
• IBM AS/400 (i Series)
• IBM OS/390
• Sun Solaris
• Linux
• Novell Netware NDS 5.x and 6.x
• IBM DB2
• IBM Directory Server
• Lotus Domino
• Microsoft IIS Web Server
• Microsoft SQL Server
• Netscape Directory Server
• Oracle
• SAP R/3
• Sybase SQL Server
• IBM RACF
• CA Top Secret
• CA ACF2
• Microsoft Active Directory

Combining Quest Password Manager with synchronization provides both cross-platform password resets and classic password synchronization.


Extending Active Directory’s Single Sign-on Benefits to Other Platforms and Applications

Quest One Identity Solution enhances and extends the capabilities of Active Directory. This also extends to enterprise single sign-on. Our solutions require Active Directory and expect it will be the primary directory for user authentication. By utilizing Active Directory as the foundation for enterprise single sign-on, customers can benefit from the security and interoperability that Kerberos provides.

Quest One extends Active Directory’s benefits to other platforms and applications by providing integration software that leverages Active Directory’s Kerberos protocol. Platforms and applications that support Kerberos (e.g., Unix, Linux, Java, SAP, IBM DB2, Oracle, telnet, VMware, and Apple OS X) can be integrated with Active Directory. This allows end users to have a true single sign-on experience that starts and ends with logging in to Active Directory. The experience is as seamless as it would be in a Windows-only environment: no additional log-on screens are presented.

In fact, one of the primary benefits of extending Active Directory to support other platforms and applications in this fashion is that end users’ Active Directory credentials can be used for authentication. This means that the directories that were previously used for authentication can now be consolidated into Active Directory. This in itself provides significant benefits: fewer directories to manage, fewer “moving parts,” and no requirement to synchronize those old directories, to name a few. In addition, through Group Policy it is possible to control password security policy settings such as maximum password age, minimum password length, requirements for password complexity, and smart card use. The security benefit of being able to automate the enforcement of a common password security policy across multiple platforms should not be underestimated. Another benefit is realized when an Active Directory account is suspended or deleted: all access to any other platform that was extended through the use of Kerberos is automatically revoked. There is no need to de-provision accounts in those systems.

Quest Authentication Services' patented technology for Active Directory-based authentication delivers this functionality. From an enterprise single sign-on perspective, it is important that any solution that a customer purchases will include support for other platforms. Quest Authentication Services enables Unix and Linux clients or servers to fully participate in an enterprise single sign-on strategy. Other enterprise single sign-on products support only Windows clients. Today, a company is bound to have more than just Windows desktops. Quest Single Sign-on for Java provides the same capabilities and benefits for J2EE servers and Java-based applications. This is something that is also not typically available via other enterprise single sign-on solutions. These products also enable the use of Active Directory groups as a means to perform access control checks or authorization based on group membership.

Quest enables organizations to extend the use of Active Directory-based identities to non-Windows platforms without having to install cumbersome identity management frameworks or synchronization tools. Organizations continue to use Active Directory normally; it has just been extended to support additional platforms or applications.


Supporting Other Applications

Unfortunately, support of Kerberos for authentication is not universal; many applications still do not support Kerberos. Quest’s Enterprise Single Sign-on product is the answer for these applications.

Quest Enterprise Single Sign-on frees users from having to remember passwords for their applications. Once authenticated to Windows via a password or two-factor authentication, a user's access rights for password-protected information resources are managed by Quest Enterprise Single Sign-on. No matter which technology is used, including the web, you can integrate access to new applications with a couple of clicks in a graphical user interface. This drastically reduces the numbers of calls due to forgotten passwords and the associated help desk costs.


A Blended Solution to a Tough Challenge

Quest understands that customers want a single sign-on solution that supports many platforms and applications. Quest One’s products provide the most secure and broadest possible support of applications and platforms in the industry today. Quest One enables a true single sign-on experience that includes significant applications like SAP. Quest One’s products are the only extensive single sign-on solutions that support Linux and Unix desktops, Java web applications, and J2EE servers.

Quest One offers a comprehensive collection of solutions ranging from password synchronization to integration with Active Directory and enterprise single sign-on.

Once authenticated by Active Directory, end-user access rights for password-protected information resources can be managed by Quest Enterprise Single Sign-on. The software automatically recognizes password-protected applications and web sites, looks up the end users’ credentials stored in Active Directory, automatically fills in the prompts (users’ IDs and passwords) on the screen, and logs the users in.

There are significant advantages to the Quest approach to enterprise single sign-on:

• Improves users’ productivity and decreases help desk costs
• Supports the widest range of password protected applications and web sites
• Supports Microsoft’s Windows 2000, XP, and Vista desktop clients; Unix and Linux desktop clients and servers; and J2EE servers and applications
• Utilizes Active Directory as the foundation for enterprise single sign-on; no additional directories or databases are required
• Enables the consolidation of Unix, Linux, NIS, and other directories with Active Directory, reducing the number of directories that must be managed
• Manages all enterprise single sign-on users via Active Directory Users and Computers (ADUC) and Active Directory group membership
• Integrates with Group Policy for easier administration and policy control
• Integrates with Quest Defender and other leading two-factor authentication hardware and software tokens for the strongest protection of an end users’ credentials
• Easily integrates new applications or web sites


Protecting “High-Value” Passwords

Most enterprises that implement password synchronization or enterprise single sign-on do not apply these practices to their “high value” passwords or identities.[v] In addition, neither of these practices controls access to or audits the activities related to high value identities. In many companies, it is common for an administrative password (e.g., “root” on Unix or Linux) to be shared among trusted individuals. But how are activities audited? And who is using a high value identity and for what reason? It is becoming increasingly important for companies to prove who has access to a privileged account, why they are using that account, who granted them access, and what they use the account to do.

Another common problem is that of the “master key”: once a company has implemented single sign-on, how does it protect that one credential that is the master key to all systems and applications?

Quest Privilege Manager for Unix: Effectively Protecting Unix “Root” Access

Quest Privilege Manager for Unix brings accountability and security to Unix by enabling system administrators to delegate users’ authority. The organization can then implement reasonable security controls without impacting the ability of users to perform their daily work.

With Privilege Manager, responsibility for adding accounts, fixing printer queues, and other routine job functions can safely be delegated to individuals or groups without disclosing the root password. This protects the full power of root (such as deleting critical files, modifying databases or file permissions, and reformatting disks) from potential misuse or abuse, so an organization's valuable information is not compromised: Privilege Manager allows only authorized users to access files, directories, and third-party applications and accounts, such as financial records.

Privilege Manager can also record all Unix session activity, log all keystrokes, and display output for any user. This indelible audit trail, combined with the safe partitioning of root functionality, provides an extremely secure means of controlling the power of root. Organizations always know exactly what activity is being performed by the root account, as well as who did it and where and when it occurred.

Quest SafeKeeping – Secure Management of Privileged Accounts

Administrative, privileged, or superuser passwords—no matter the platform, application or appliance for which they’re used—present a unique set of management challenges. These credentials are typically role-based and shared between several users, which can lead to mismanagement.

Although many organizations have procedural controls and policies governing the use of these credentials, monitoring can be costly and time-consuming when the number and range of systems is large. Often the procedures and policies are not followed.

Quest SafeKeeping manages shared account credentials by providing a secure, automated mechanism for the request, authorization, release, and change of those credentials. Once a shared account is managed by SafeKeeping, a password change for the credentials on it is scheduled. The new password is selected in accordance with SafeKeeping’s user-defined strong password policies. No single individual knows the password until it is issued following a successfully authorized release request.

All SafeKeeping’s actions are fully audited to ensure conformance with compliance requirements.
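The request, authorization, release and change cycle described above for shared credentials can be modelled in code. The following added example is not Quest SafeKeeping code: it is an illustrative vault in Python, with constructed account names, a four-eyes approval rule and a one-hour release window as assumptions, showing that nobody learns the generated password before an authorized release, that the password is changed again when the release closes or lapses, and that every step leaves an audit entry that never contains the secret.

```python
"""Shared privileged-account checkout: request, authorize, release, change.

Added illustration, not Quest SafeKeeping code. The vault generates each managed
password itself, hands it out only after a release is authorized by someone other
than the requester, records every step, and changes the password again when the
release closes or its window lapses. Accounts, users and the window are assumed.
"""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=24):
    """Random password that contains upper, lower, digit and symbol characters."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


@dataclass
class ReleaseRequest:
    request_id: int
    account: str
    requester: str
    reason: str
    approver: Optional[str] = None
    released_until: Optional[datetime] = None
    state: str = "requested"   # requested -> authorized -> released -> closed


class SharedAccountVault:
    def __init__(self, clock=None):
        self._passwords = {}   # account -> current secret; never written to the audit trail
        self.requests = {}
        self.audit = []        # append-only (time, event, details) records
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._next_id = 1

    def _log(self, event, **details):
        self.audit.append((self._clock(), event, details))

    def enroll(self, account):
        """Managing an account changes its password at once, so any previously shared value dies."""
        self._passwords[account] = generate_password()
        self._log("enroll", account=account)

    def request(self, account, requester, reason):
        if account not in self._passwords:
            raise KeyError(f"{account} is not a managed account")
        req = ReleaseRequest(self._next_id, account, requester, reason)
        self.requests[req.request_id] = req
        self._next_id += 1
        self._log("request", request_id=req.request_id, account=account, requester=requester, reason=reason)
        return req.request_id

    def authorize(self, request_id, approver):
        req = self.requests[request_id]
        if approver == req.requester:
            raise PermissionError("a requester may not approve their own release")
        if req.state != "requested":
            raise ValueError(f"request {request_id} is {req.state}, not pending")
        req.approver, req.state = approver, "authorized"
        self._log("authorize", request_id=request_id, approver=approver)

    def release(self, request_id, requester, window=timedelta(hours=1)):
        """The first moment any person learns the current password."""
        req = self.requests[request_id]
        if req.state != "authorized" or requester != req.requester:
            raise PermissionError("release needs an authorized request from the same requester")
        req.state, req.released_until = "released", self._clock() + window
        self._log("release", request_id=request_id, until=req.released_until.isoformat())
        return self._passwords[req.account]

    def close(self, request_id):
        """End the release and change the password so the released value is dead."""
        req = self.requests[request_id]
        if req.state != "released":
            raise ValueError(f"request {request_id} is {req.state}, not released")
        self._passwords[req.account] = generate_password()
        req.state = "closed"
        self._log("rotate", request_id=request_id, account=req.account)

    def expire_overdue(self):
        """Close releases whose window has lapsed; meant to run on a schedule."""
        now = self._clock()
        for req in list(self.requests.values()):
            if req.state == "released" and req.released_until <= now:
                self.close(req.request_id)

    def password_is_current(self, account, candidate):
        """Lets a checker confirm a released value no longer works, without exposing the secret."""
        return secrets.compare_digest(self._passwords[account], candidate)
```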


Quest Defender: Solving the “Master Key” Problem

A common security concern with enterprise single sign-on projects is how to handle the “master key” problem. Once an organization implements single or reduced sign-on, a compromised user credential becomes a critical security concern. A compromised Active Directory user ID and password makes it possible for an unauthorized user to access any Windows or single sign-on integrated application or platform. Therefore, multi-factor authentication is essential. There are three universally recognized factors for authenticating individuals:

1. “Something you know,” such as a password or PIN

2. “Something you have,” such as a mobile phone, credit card, or hardware security token

3. “Something you are,” such as a fingerprint, a retinal scan, or other biometric

Most often, individuals are authenticated using the first method: “something you know,” which typically is a password. However, when an enterprise wants to protect privileged accounts or secure the passwords of enterprise single sign-on users, it is common to add a second factor—“something you have.” Common implementations of two-factor authentication use “something you know” (a password) as the first factor and “something you have” (a physical device of some nature) as the second factor.

Quest Defender provides a unified, vendor-neutral, and token-agnostic authentication infrastructure that can grow and adapt with the ever-changing requirements of the business. The biometric technology of Defender can supplement the one-time password. This provides a secure solution for a simple two-factor or complex three-factor authentication. Defender uniquely authenticates authorized users, grants access to important information and resources, and protects corporate assets from unauthorized use.

While other authentication solutions employ their own proprietary databases, Defender integrates seamlessly with Microsoft’s Active Directory and uses Active Directory as its data repository. This ensures that the proven business benefits of cost avoidance and cost reduction are maintained throughout the security infrastructure. One of the most important benefits of this integration is that the familiar Active Directory users and computers administration tool is used to manage the entire Defender environment. Because Defender is totally integrated with Microsoft Active Directory, all of the well-known Active Directory benefits, including scalability, replication, high availability, and automated backup, apply to Defender.

Existing Windows users are simply assigned Defender policies and tokens to become Defender users. To further ease administration, the Defender Token Self-Registration Service enables Windows users to assign their own tokens. The installation of Defender does not affect the functionality of Windows; domain policies and log-ins, for example, remain under the control of Windows. Two-factor authentication for Windows log-ins can be optionally enabled by means of the Defender Desktop Login component.

End users who use BlackBerries, iPaqs, or Pocket PCs can use these devices as their “second” factor. Defender soft tokens are available for these devices and for use with standalone laptops or desktops.

Quest One also supports the use of smart cards for credential security with Defender and other Quest One products, including Quest Authentication Services.


Summary

Quest One Identity Solution provides a unique solution that enables customers to truly achieve secure enterprise single sign-on within their heterogeneous environment. It is now possible to leverage an Active Directory user ID and password to access all enterprise applications, systems, and servers, even in an environment that includes Windows, Unix, Linux, Java, Apple Mac OS X, and mainframes. All aspects of the Quest One solution are managed from within Windows and Active Directory using the native tools that you have come to know and rely on over the years. There is no need to deploy new directories or databases.

You can also protect the single “key to your kingdom” by deploying and integrating strong two-factor authentication using Quest Defender. High value administrative and application passwords can be protected by Quest Privilege Manager for Unix or Quest SafeKeeping.

Quest One’s solutions for enterprise single sign-on offer the broadest, most secure, and most deeply integrated solution with Active Directory available on the market today.


About the Author

Jackson Shaw joined Quest Software as part of its acquisition of Vintela. Shaw oversees product direction, strategy, and go-to-market activities for all Identity and Access Management products.

With more than 15 years of experience, Shaw was a key member of the identity and access management marketing team for the Windows server marketing group at Microsoft. He was responsible for product planning and marketing for Microsoft's identity and access management products, including Active Directory and Microsoft Identity Integration Server (MIIS) 2003.

Before joining Microsoft in 1999, Shaw served as vice president of sales for Toronto-based ZoomIT Corp., a pioneer in the development of metadirectory products. He was also a member of the management team that successfully oversaw the company’s acquisition by Microsoft in 1999.

Before joining ZoomIT, Shaw held IT management roles at the International Development Research Centre, a Canadian corporation created to help developing countries find long-term solutions to social, economic, and environmental problems.

Shaw has been involved in directory, meta-directory, and security initiatives since 1988. He studied computer science and management information systems at the University of Ottawa. He is a member of the Association for Computing Machinery.


NOTES

i The term identity is used when referencing how a person is uniquely “identified” to a computer system. Generally this identification is through the combination of a user ID and a password, or a smart card and PIN.

ii Enterprise single sign-on is the ability for a user to enter a user ID and password just once to log on to multiple applications within an enterprise, whereas web or federated single sign-on is cross-enterprise focused.

iii Bob Muglia, Sr. Vice-President – Server and Tools Business, Microsoft; ITForum 2005 Keynote presentation.

iv Kerberos, created by MIT, is a network authentication and authorization protocol. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identities, they can also encrypt all of their communications to ensure privacy and data integrity as they go about their business.

v A “high value” password is defined as the password to a network, application (e.g., SAP, PeopleSoft, or Siebel), database (e.g., Oracle or SQL), or system (e.g., Windows, Unix, or Linux) identity that, if lost, could result in a significant security compromise or financial loss to an enterprise.


About Quest Software, Inc.

Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products, helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

Contacting Quest Software

PHONE 800.306.9329 (United States and Canada)
If you are located outside North America, you can find your local office information on our Web site.

E-MAIL [email protected]

MAIL Quest Software, Inc.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
USA

WEB SITE www.quest.com

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract.

Quest Support provides around-the-clock coverage with SupportLink, our Web self-service. Visit SupportLink at https://support.quest.com.

SupportLink gives users of Quest Software products the ability to:

• Search Quest’s online Knowledgebase
• Download the latest releases, documentation, and patches for Quest products
• Log support cases
• Manage existing support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policies and procedures.


Quest Software and ESSO are registered trademarks of Quest Software, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. TBW-ESSO-HolyGrail-US-AG-20091124