Session Logon Settings and Related Advanced Settings

Glossary

Authentication provider (AP)
An external system that can authenticate the device user and provide the user's credentials to ShareScan. Authentication providers can be grouped as follows:
Server Authentication provider (SAP)
An external system that integrates with ShareScan via the Cost Recovery Service (like Equitrac or Copitrak) or the ID Service (like NTWare Uniflow or Canon ScanFront Fingerprint Authentication).
Device Authentication Provider (DAP)
An authentication application installed on the device that can pass user name and domain name data to the ShareScan application. Examples: Ricoh AAA, Xerox SecureAccess, and so on.

Session Logon Service settings

Session Logon Mode

  • Session Logon

    When integrating with an Authentication provider, the AP must provide the user name, domain and password/passcode to let the user automatically bypass the Session Logon screen. Because all three data items are provided, real Windows authentication takes place, and the logged-in user's identity is used in the different operations.

    If no AP is used, then the users must manually enter their user name and password/passcode; optionally, they can select a domain, if necessary. By default, the domain marked as 'default' will be selected on the Session Logon screen.

    Depending on the specific AP and its configuration, it is possible that only the domain and user name are provided by the AP. In such a case, the Session Logon screen is not bypassed automatically; instead, the user can enter the password/passcode manually and click the Login button.

  • Bypass Session Logon (no authentication)

    Select this option only if using an AP. This option does not require a password/passcode from the AP, so it simply requires and uses the domain and the user name.

    This implies that no Windows authentication will happen, so the pre-set service accounts will be used in the different operations.

    With some system and connector options, the user's email address or other attributes (like the user's home directory) are fetched from Active Directory, based on the domain and the user name.

  • Bypass Session Logon (authenticate user)

    Select this option only if using an AP. The behavior is somewhat similar to Bypass Session Logon (no authentication): in both modes, the AP might or might not pass on the user's password or a valid passcode to the ShareScan Manager. The difference is that ShareScan authenticates users, for which it needs a password or a valid passcode, and challenges them at the MFP for their password when they log into ShareScan for the first time. If Windows authentication succeeds with this password, ShareScan saves the password (in encrypted form) and uses it whenever the user logs in via the AP. When Session Logon is configured with Microsoft Entra ID, a valid passcode is requested at every login to ShareScan, not only the first time, and ShareScan does not save the passcode that the authentication succeeded with, because it is valid only for a short time.

Disable manual credential entry on Session Logon screen

When this setting is chosen, manual entry in the user name and domain fields is disabled on the Session Logon screen displayed on the MFP, but the password/passcode field can still be edited. Selecting this setting is meaningful (and strongly recommended) when ShareScan is integrated with an Authentication system, because these systems provide the user name and other data without manual entry.

When integrating with such systems, leaving this setting cleared may lead to a security issue in certain cases, depending on the configuration.

If Session Logon mode is set to Bypass Session Logon (authenticate user) or to Bypass Session Logon (no authentication), the user name and domain fields are disabled automatically (it is not necessary to select this setting).

Hide Logout button

The Logout button will be hidden on the MFP screens (Main screen, Redirect screen) if this setting is chosen. It is recommended to select this setting when ShareScan is integrated with an External Authentication system.

Hiding the Logout button prevents users from logging out of ShareScan by pressing the Logout button (which can appear on the Main screen or on the Redirect screen). This is useful when we want to force the users to use the card swipe or the hardware logout button to log out from the External Authentication system on the MFP device.

Cost Recovery Service settings

Show Lock Button

This is a setting for ScanStation only. When this setting is enabled (checked), a Lock button is shown on the ShareScan Session Logon screen. If the user clicks this button, the Cost Recovery session is terminated (the AP / CR server is notified) and a lock cover screen is displayed on the ScanStation application, blocking any access to ShareScan until the user unlocks (logs in to) the Cost Recovery system.

ID Service settings

Accept UserID only requests from External Service

If configured in a certain way, the AP is able to send a 'user ID' instead of the user name (domain user account name). This setting must be checked if we want to use that type of integration.

Advanced settings

AutoQuitShareScanOnAutoLogout

Supported only on certain platforms like KonicaMinolta, Xerox, Ricoh and HP.

This setting plays a role only for workflows in which the 'Bypass redirect screen' and 'Logoff automatically' connector settings are both enabled.

It is reasonable to have these two settings enabled when we want to allow the users to execute only one scanning workflow (that is, one connector usage) in a session.

The behavior controlled by this setting is as follows:

When AutoQuitShareScanOnAutoLogout is set to:

  • True: After the UI phase of the workflow is completed, the MFP will switch back to its main screen (on the supported platforms, see above).
  • False: After the UI phase of the workflow is completed, the user will be logged out (from ShareScan) and put back on the ShareScan Session Logon screen.

AutoQuitShareScanOnLogoff (formerly called SingleSignOff)

Supported only on certain platforms like KonicaMinolta, Xerox, Ricoh and HP.

Enables (true) or disables (false) closing/leaving the ShareScan application on the MFP when the user logs out manually by clicking the Logout button on the ShareScan Main screen or Redirect screen.

RicohCRClientProductID

Product ID of the application to switch to, when AutoQuitShareScanOnAutoLogout or AutoQuitShareScanOnLogoff is used.

For example, if Equitrac PCC is the authentication client on the Ricoh device, then the Application ID of PCC should be set for this setting.

SessionLogonDomainCacheEnabled

Not supported when the Session Logon service is configured with the Microsoft Entra ID type.

If domain information is unavailable, Session Logon attempts to retrieve it from the credential cache. Default value is false.

This setting can be used in conjunction with the Session Logon mode Bypass Session Logon (authenticate user), in cases when the integrating AP or DAP does not provide a domain name.

When this setting is true, ShareScan uses only the user name (as a key) to store/fetch the corresponding password, and it stores/fetches the domain name as well.

SessionLogonOverrideHomeDirectory

If set, the home directory location specified in this setting will be used in some of the Connectors as the home folder of the logged-in user, ignoring the actual LDAP query result. (That is, the home folder will be the same for all users; this is useful in some special scenarios.)

UseSecureLDAP

Use Secure LDAP (LDAPS) for LDAP operations. It can be true or false. Default value is false.

DirectLockScanStation (formerly called DirectLock)

Locks ScanStation along with the device when the Lock button is pressed on the Session Logon or Main screen.

If set to:

  • True: a Cost Recovery Lock message will be sent to the Cost Recovery server when the user presses the Lock button. This terminates the Cost Recovery session, and the MFP will be locked, preventing the user from performing any other operation on the MFP.
  • False: no Lock message will be sent from the ScanStation, which is useful if we want to let the user perform other operations (like copy) on the MFP.
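
The settings above interact: some combinations are unsupported, and some are discouraged when an AP is integrated. The following check is an added example, not part of the product or its documentation, that encodes those rules for a configuration review. The dictionary keys and mode strings are assumed names for illustration; only SessionLogonDomainCacheEnabled and UseSecureLDAP are setting names taken from this page.

```python
# Added example. Keys and mode strings are assumed names for illustration, not
# ShareScan's storage format; fill the dict from the values shown in the console.
SESSION_LOGON = "Session Logon"
BYPASS_NO_AUTH = "Bypass Session Logon (no authentication)"
BYPASS_AUTH = "Bypass Session Logon (authenticate user)"

def review_logon_settings(s):
    """Return (rule_id, message) findings for one settings dict."""
    findings = []
    mode = s["mode"]
    uses_ap = s.get("uses_ap", False)

    if mode in (BYPASS_NO_AUTH, BYPASS_AUTH) and not uses_ap:
        findings.append(("bypass-without-ap", "bypass modes are meant only for use with an AP"))
    if mode == BYPASS_NO_AUTH:
        findings.append(("no-windows-auth",
                         "no Windows authentication: operations use the pre-set service accounts"))
    # Both bypass modes disable the user name and domain fields automatically,
    # so the manual-entry check applies to plain Session Logon only.
    if uses_ap and mode == SESSION_LOGON and not s.get("disable_manual_entry", False):
        findings.append(("manual-entry-enabled",
                         "AP integration with editable user name and domain fields"))
    if uses_ap and not s.get("hide_logout_button", False):
        findings.append(("logout-visible",
                         "Logout button shown although an external authentication system is used"))
    if s.get("entra_id", False) and s.get("SessionLogonDomainCacheEnabled", False):
        findings.append(("domain-cache-entra",
                         "SessionLogonDomainCacheEnabled is not supported with Microsoft Entra ID"))
    if not s.get("UseSecureLDAP", False):  # the documented default is false
        findings.append(("ldap-not-secure", "LDAP operations do not use LDAPS"))
    return findings

# Constructed sample configurations (not taken from a real deployment).
SAMPLES = {
    "card-reader AP, defaults": {"mode": SESSION_LOGON, "uses_ap": True},
    "Entra ID with domain cache": {"mode": BYPASS_AUTH, "uses_ap": True, "entra_id": True,
                                   "hide_logout_button": True, "UseSecureLDAP": True,
                                   "SessionLogonDomainCacheEnabled": True},
    "bypass, no AP": {"mode": BYPASS_NO_AUTH, "uses_ap": False, "UseSecureLDAP": True},
}

if __name__ == "__main__":
    for name, settings in SAMPLES.items():
        for rule_id, message in review_logon_settings(settings):
            print(f"{name}: [{rule_id}] {message}")
```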