Imprivata: Thin Client Preventing New Users from Logging In

Scenario: User A logs into a session on a thin/zero client, then walks away for 10 minutes without disconnecting. Imprivata, configured to secure the idle workstation at that time, attempts to lock the machine. The box returns to the local login screen, but the username and domain are pre-populated, and new users cannot log in over User A without first manually signing them out of the local device. In other words, the device is behaving like an Imprivata Type 1 (Single-User) machine. Ostensibly, it looks like Imprivata is preventing new users from logging in.

As it turns out, the problem here is not with Imprivata, but with the device’s configuration .ini file. To make matters stranger, it seems both Wyse ThinOS and Xenith Pro 2 devices interpret a proximity card tap differently from how they interpret a hotkey/idle lockdown trigger. This can result in badge taps working as expected, even if users can’t manually type their credentials. This problem may exist on devices beyond these, but I have only personally confirmed it on these two types so far. At any rate, the fix is thankfully quick and simple:

In your .ini (either wnos.ini for ThinOS or xen.ini for a Xenith device), simply add the following to the same line as your OneSignServer parameter:

OneSignServer=your.appliance’s.fqdn.here EnableFUS=yes

FUS, in this case, is Fast User Switching. This is entirely separate from Imprivata’s own functionality that shares the name, so even if the thin device’s computer policy has FUS configured, you may still need to add it to the configuration .ini file.
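
A small check for this fix, as an added example that is not part of the original post: it scans a wnos.ini or xen.ini and reports when EnableFUS=yes is missing from the OneSignServer line or sits on a line of its own. The sample configs are constructed, and the '#' comment and trailing-backslash continuation handling are assumptions about the .ini syntax.

```python
import sys

# Constructed sample configs (not from the original post).
SAMPLE_BROKEN = "SignOn=yes\nOneSignServer=onesign.example.test\n"
SAMPLE_SPLIT = "OneSignServer=onesign.example.test\nEnableFUS=yes\n"
SAMPLE_FIXED = "OneSignServer=onesign.example.test \\\n    EnableFUS=yes\n"


def logical_lines(text):
    """Yield parameter lines with '#' comments dropped and trailing-backslash
    continuations joined (both are assumptions about the .ini syntax)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def check_onesign_fus(text):
    """Return a list of findings; an empty list means the fix is in place."""
    findings, seen = [], False
    for line in logical_lines(text):
        tokens = line.split()
        key = tokens[0].split("=", 1)[0].lower()
        if key == "onesignserver":
            seen = True
            # Options that share the OneSignServer line, compared case-insensitively.
            opts = dict(t.lower().split("=", 1) for t in tokens[1:] if "=" in t)
            if opts.get("enablefus") != "yes":
                findings.append("OneSignServer line lacks EnableFUS=yes")
        elif key == "enablefus":
            findings.append("EnableFUS is on its own line, not the OneSignServer line")
    if not seen:
        findings.append("no OneSignServer parameter found")
    return findings


if __name__ == "__main__":
    # Usage: python check_fus.py path/to/wnos.ini [path/to/xen.ini ...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for finding in check_onesign_fus(fh.read()) or ["ok"]:
                print(f"{path}: {finding}")
```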




3 thoughts on “Imprivata: Thin Client Preventing New Users from Logging In”

  1. Hi Vince Blake

    I saw the Imprivata solution shown below; do you know how it happens?

    The scenario is:
    Background: hospital, doctors using the Imprivata SSO solution for smart card logon; the card has certificates inside.
    1. Doctor uses eHealth card to log in to computer A with the Imprivata SSO solution, putting the card on the reader first, and the screen prompts the user to input the PIN.
    2. After inputting the PIN, remove the card; the desktop remains logged in.
    3. Go to another room, to computer B, and put the card on the reader on computer B; computer B logs in directly without a PIN prompt, everything goes smoothly, and at this time computer B logs in and computer A logs out.
    4. If they go back to computer A, then computer B will log out.

    The PIN is only entered the first time; do you know the reason?

    1. Check to see if you have a grace period configured for the PIN in the user’s Imprivata policy. If you want them to be prompted for a PIN every time they tap, the grace period should be set to zero. It sounds to me like the rest of the workflow is behaving correctly.

      And no, sorry I don’t know how to add support for other readers.
