Kiosk Mode - Full SSO

The full XA Single Sign-On (SSO) client supports several configurable workflow options to meet varying organizational needs and dependencies for providing a secure and enhanced clinical workflow experience. It offers a full suite of SSO-enabled applications from a local desktop.

Interactive Installation

Tip

ExactAccess client supports both 32-bit and 64-bit operating system. Choose the appropriate installation MSI for the operating system target:

for 32-bit clients: HealthCast ExactAccess Client.msi (not supported for Roaming Sessions installations)

for 64-bit clients: HealthCast ExactAccess Client x64.msi

Run the MSI

Adjust install directory if desired

Click Install

Confirm UAC if prompted

Client Configuration Tool will start when the install is complete

Select Change Mode button

Choose Kiosk Mode

Select Operation Tab

Choose Full SSO

Ensure that all appropriate server connectivity information is provided under each of the server tabs.

After UI configuration is complete, select Finish and reboot the workstation when prompted.

Installing the RapidIdentity Plug-in for Fingerprint

This process will install the components needed for the fingerprint plugin to interact with the RapidIdentity Client.

Required

Microsoft .NET Framework 3.5 is required to be installed on the system prior to running this install in order to support Biometrics.
When installing on 64-bit operating systems, the following install must be started from a 32-bit command prompt.

Installing from a 32-bit Command Prompt

Open a command prompt as administrator.
From the 64-bit command prompt, start the 32-bit version with the following command:
```
c:\Windows\SysWOW64\cmd.exe
```
Change to the directory containing the "RapidIdentity plug-in for Biometrics.msi" installation file.
Run the following command from the 32-bit command prompt:
```
msiexec/i "RapidIdentity plug-in for Biometrics.msi"
```

To continue with the Biometric Component, proceed with the following steps.

The RapidIdentity plug-in for Biometrics Installshield Wizard will open.
Click Next.
The next screen that populates is the Destination Folder.
Click Next to continue or select the folder in which the plug-in will be installed and then click Next.
Enter the MFA server address and click Next.
Click Install on the following screen to begin the installation.
Wait for the installation to complete successfully.
The InstallShield Wizard Complete screen will appear when installation is complete.
Click Finish.

The Biometric Component is now installed.

Installing the Redistribution Drivers Application

The next step is to run the Redistribution Drivers for the U.are.U SDK Components used in the SDK to interact with the fingerprint reader.

Notice

Before proceeding, ensure that a fingerprint reader is plugged in and ready to use.

Locate and open the U.are.U workstations folder and Right-Click on the setup.exe file and select Run as administrator.
Notice
The U.are.U_Windows_3.2.0.89.zip extracted the files needed and can be located in the following folders:
64 bit Workstations: U.are.U_Windows_3.2.0.89\RTE\x64
32 bit Workstations: U.are.U_Windows_3.2.0.89\RTE\x86
The InstallShield Wizard Welcome Screen will populate; click Next.
Read the License Agreement that appears, accept the terms of the agreement, and click Next.
The next screen that populates is the Destination Folder.
Click Next to continue or select the folder in which the plug-in will be installed and then click Next.
This generates the Setup Type window that includes a complete and a custom setup type.
Select Complete and click Next.
The program is now ready for installation.
Click Install to begin this process.
Wait for the installation to complete successfully.
The InstallShield Wizard Complete screen will appear when installation is complete.
Click Finish.
The system will need to be restarted to complete all of the updates to the workstation.
Click Yes to restart now.

The system will now restart for the configuration changes to take effect.

Command Line Installation

See Configuring KM Connectivity for details

Configuring KM Connectivity

Installation command line parameters for Kiosk Mode with full SSO configuration

From an administrative command prompt (or remote deployment package), execute the ExactAccess client install with the appropriate. Below are the minimum values that need to be configured.

Set kiosk mode: XA_MODE=KM
Set the servers: XA_PROX_AUTH=<name of server>
Set to use auditSERVER: XA_AUDIT_SRV=<name of server>
Set to use Deploy server: X_D_SRV=<name of server>
- Set workstation deployment group: X_D_GRPS=<groups to add workstation to in HCIDeploy>
Set the Kiosk Domain to validate users against: XA_KM_DOMAIN=<Domain>
Enable PIN Support: X_PSE=0 (by default, PIN support is DISABLED)
- -1 = Pin support DISABLED (value as: X_PSE=4294967295)
- 0 = Always prompt for PIN on every login (may also prompt for password if it is expired)
- Set PIN Minimum Length: X_PIN_LEN=<4, 5, or 6>
(optional) Disable remote auth for domain joined workstations if desired: X_RARL=0
Disable running configuration tool after install/upgrade: X_RUN_CONFIG=0
To enable Omnikey Proximity support: X_PROX_RT=SCARD
To use standard RFIDeas Proximity support: omit X_PROX_RT, or use: X_PROX_RT=USB

Command line deployment

Tip

ExactAccess client supports both 32-bit and 64-bit operating system. Choose the appropriate installation MSI for the operating system target:

for 32-bit clients: HealthCast ExactAccess Client.msi

for 64-bit clients: HealthCast ExactAccess Client x64.msi

msiexec /i "HealthCast ExactAccess Client.msi" XA_MODE=KM XA_PROX_AUTH=myServer XA_AUDIT_SRV=myServer X_D_SRV=myServer X_D_GRPS=Kiosk X_RARL=1 XA_KM_DOMAIN=HEALTHCAST X_PSE=0 X_PIN_LEN=5 X_RUN_CONFIG=0 /qn

Registry Settings

Sever Connection Properties

Parameter Name	Applicable Modes	Registry Keys Affected	Value	Setting Description
XA_SRV	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess\Servers\INDY 0000: reg_sz	Valid Server NETBIOS or FQDN Name or IP address	Primary XA (SSO) server name
XA_AUDIT_SRV	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\AuditServerClient\Connection\INDY 0000: reg_sz	Valid Server NETBIOS or FQDN Name or IP address	auditSERVER name
XA_PRX_SRV	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient\Indy 0000: reg_sz	Valid Server NETBIOS or FQDN Name or IP address	Prox Card Server Name
X_D_SRV	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\HCIDeployClient\Indy 0000: reg_sz	Valid Server NETBIOS or FQDN Name or IP address	HCIDeploy server name
X_RA_SRV	KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\HCCitrixSessionDirectory\INDY 0000: reg_sz	Valid Server NETBIOS or FQDN Name or IP address	Remote Authentication Server name
X_PREF_IPV4	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient PreferIPv4: reg_dword HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess PreferIPv4: reg_dword HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\AuditServerClient PreferIPv4: reg_dword HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\HCCitrixSessionDirectory PreferIPv4: reg_dword HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\HCIDeployClient PreferIPv4: reg_dword	1	Indicates that any TCP/IP communication prefers to use IPv4 when IPv6 is installed and available This setting will be ignored if the *_SRV setting(s) listed above contain a direct IPv6 address.

SSO Client Settings

Parameter Name	Applicable Modes	Registry Keys Affected	Value	Setting Description
X_SP	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess\Servers\INDY Port: reg_dword	15001	Communications port for XA (SSO) server
	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess\Servers\INDY EnabledServerIDs: reg_sz	0000	Enabled Servers List. Comma delimited list of server identifiers 0000,0001,0002, etc.
XA_EC	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess\SocketTransport\Indy Encryption: reg_sz	RIJNDAEL	Encryption Class: RIJNDAEL, RIJNDAEL128, RIJNDAEL256, BLOWFISH, BLOWFISH256, TWOFISH, SERPENT
XA_CC	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess\SocketTransport\Indy Compression: reg_sz	VCLZIP	Compression Class: NONE, VCLZIP

Proxcard Client Settings

Parameter Name	Applicable Modes	Registry Keys Affected	Value	Setting Description
XA_PRX_SRV_PRT	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient\Indy Port: reg_dword	30000	Communications port for Proxcard Server
	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient\Indy EnabledServerIDs: reg_sz	0000	Enabled Servers List. Comma delimited list of server identifiers 0000,0001,0002, etc.
	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess\SocketTransport\Indy Encryption: reg_sz	RIJNDAEL	Encryption Class: RIJNDAEL, RIJNDAEL128, RIJNDAEL256, BLOWFISH, BLOWFISH256, TWOFISH, SERPENT
	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess\SocketTransport\Indy Compression: reg_sz	VCLZIP	Compression Class: NONE, VCLZIP
X_PROX_RT	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient ReaderType: reg_sz	USB	ProxCard ReaderType USB - RFIdeas USB device support RFVC - RFIdeas Linux -> Citrix session support RFSerial - RFIdeas Reader Serial device support SCARD - OMNIKEY Reader support
X_PSE	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient\PIN PinPromptInMinutes: red_dword	4294967295	Specify enabling PIN Support. Users will be prompted to validate with pin: Set this to enabled (4294967295) or disabled (0)
X_PIN_LEN	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient\PIN MinPinLength: reg_dword	4	Specify the minimum PIN length a user must use when enrolling a PIN: 4, 5, or 6
X_ALLOW_PIN	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient\PIN AllowPinEnrollment: reg_dword	1	Set this to enable (1) or disable (0) PIN Self enrollment.
X_PSCL	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient ParityStripCountLeading: reg_dword	0	Parity Strip Count Leading bits
X_PSCT	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient ParityStripCountTrailing: reg_dword	0	Parity Strip Count Trailing bits
X_BBS	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient BlankBadgeScan: reg_dword	1	Blank Badge Scanning allowed - if this setting is disabled, enrollment of unassigned cards is disabled.
X_HPI	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient HardwarePollInterval: reg_dword	500	Hardware polling interval in milliseconds
X_TOUT	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient SupportTapoutUpdateTime: reg_dword	1	Rolling password save enabled
X_PSWT	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient ServiceStartupConnectionWaitTimeout: reg_dword	30	Service Startup Connection Wait Timeout in seconds
X_VBC	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient ValidBitCount: reg_sz		Valid Bit Count comma delimited list
X_PIBCM	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient InvalidBitCountMessage: reg_sz		Message to display to user when their card has an invalid bit count
X_PIFM	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient InvalidFacilityMessage: reg_sz		Message to display to user when their card has an invalid facility code
X_PIPM	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient InvalidParityMessage: reg_sz		Message to display to user when their card has an invalid parity calculation
X_PIRM	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient InvalidRangeMessage: reg_sz		Message to display to user when their card has an ID that is not in a valid range
X_PSEDM	KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient SelfEnrollmentDisabledMessage: reg_sz		Message to display to user when prox card self enrollment has been disabled
X_PSDM	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient ServerDownMessage: reg_sz		Message to display to the user when the server cannot be contacted
X_PIN_AT	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient PIN_Auth_Title: reg_sz	AUTHENTICATION	Title of message to prompt user for PIN Authentication
X_PIN_ET	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient PIN_Enroll_Title: reg_sz	ENROLLMENT	Title of message to prompt user for PIN Enrollment
X_CPT	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient PIN_Change_Message: reg_sz	Change my PIN	Message to prompt user for manually changing their PIN
X_BMML	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient BadgeMsg_ManualLogin: reg_sz	Enter username and password	Message to prompt user for manual login when prox reader is not attached
X_BMUA	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient BadgeMsg_UnAuthenticated: reg_sz	Enter your password	Message to prompt user their badge is not authenticated and a password is required
X_BMUR	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient BadgeMsg_Unregistered: reg_sz	Enter username and password to register badge.	Message to prompt the user for badge enrollment (the card is not registered)
X_PX_RB	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient CardRequiredForLogin: reg_dword	0	Require Proxcard for Login enabled(1) or disabled(0)
		HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient HWGConfig: reg_sz		The full path and filename to an HWG+ formatted configuration file that will be used to configure the proximity card reader device. Warning Setting this file path overrides all other prox card device configuration settings as specified in the registry, as well as those that are built into the product. This includes Parity Strip count, Reader Beep, MessageValidForMS, and potentially ValidBitCount settings. Use caution when using this method to configure devices, and ensure proper operation before distribution.
X_PSWT		HKEY_LOCAL_MACHINE\Software\HealthCast\ProxCardClient ServcieStartupConnectionWaitTimeout: reg_dword	30	This setting indicates how long to wait during a startup phase to ignore server/network availability errors before reporting a problem to the HealthCast client.
		HKEY_LOCAL_MACHINE\Software\HealthCast\ProxCardClient ReaderBeepEnabled: reg_dword		Indicates if using a RFIdeas reader model that includes an internal speaker, that tapping a badge the reader will beep indicating the badge was read.
	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient ConnectionTimeout: reg_dword	1	The time in seconds that the client will attempt to connect to the all of the configured servers before returning an error to the client for a connection failure.
	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient BeepSoundFile: reg_sz	<install folder path>\beep2.wav	The default WAV file that will play when a card is tapped, and the setting to play beep sound is enabled
X_BEEP	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ProxCardClient BeepSoundPlayOnBadgeTap: reg_dword	0	Beep sound is enabled to play when set to 1, disabled when set to 0

Audit Client Settings

Applicable Modes	Registry Keys Affected	Value	Setting Description
ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\AuditServerClient\Connection\INDY SocketPort: reg_dword	25000	Communications port for auditSERVER
ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\AuditServerClient\Connection\INDY EnabledServerIDs: reg_sz	0000	Enabled Servers List. Comma delimited list of server identifiers 0000,0001,0002, etc.
ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\AuditServerClient\Connection\INDY EncryptionClass: reg_sz	NONE	Encryption Class: RIJNDAEL, RIJNDAEL128, RIJNDAEL256, BLOWFISH, BLOWFISH256, TWOFISH, SERPENT
ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\AuditServerClient\Connection\INDY CompressionClass: reg_sz	VCLZIP	Compression Class: NONE, VCLZIP

Remote Authentication Settings

Parameter Name	Applicable Modes	Registry Keys Affected	Value	Setting Description
X_RA_PORT	KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\AuditServerClient\Connection\INDY SocketPort: reg_dword	20000	Communications port for Remote Authentication
	KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\HCCitrixSessionDirectory\INDY EnabledServerIDs: reg_sz		Enabled Servers List. Comma delimited list of server identifiers 0000,0001,0002, etc.
X_RAEC	KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\HCCitrixSessionDirectory Encryption: reg_sz	NONE	Encryption Class: (Only if communicating with a server Advanced Communications port: 20001) RIJNDAEL, RIJNDAEL128, RIJNDAEL256, BLOWFISH, BLOWFISH256, TWOFISH, SERPENT If communicating with the Compatibility communication port: 20000, this setting MUST match the configuration on the server: RIJNDAEL, BLOWFISH
X_RACC	KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\HCCitrixSessionDirectory Compression: reg_sz	VCLZIP	Compression Class: NONE, VCLZIP If communicating with the Compatibility communication port: 20000, this setting MUST match the configuration on the server: NONE, VCLZIP
X_RARL	KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\HCCitrixSessionDirectory RemoteLogon: reg_dword	1	Remote Authentication Enabled (1) or Disabled (0)
X_RAID	KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\HCCitrixSessionDirectory ID: reg_sz	EA12G54	Remote Authentication Shared Key for legacy communications If communicating with the Compatibility communication port: 20000, this setting MUST match the configuration on the server

Miscellaneous Settings

Parameter Name	Applicable Modes	Registry Keys Affected	Value	Setting Description
XA_N_BREQ	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\Identity Automation\XANotification BindingRequest: reg_sz	tcp://127.0.0.1:6226	The port specified 6226 can be adjusted if necessary. Note The Windows (or other) Firewall may also need to be adjusted to allow network communication on this port for proper communication on the local machine between the XA client and the Browser Plug-in. The port must match what is used in `XA_N_BRESP`.
XA_N_BRESP	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\Identity Automation\XANotification BindingResponse: reg_sz	tcp://localhost:6226	The port specified 6226 can be adjusted if necessary. Note The Windows (or other) firewall may also need to be adjusted to allow network communication on this port for proper communication on the local machine between the XA client and the Browser Plug-in. The port must match what is used in `XA_N_BREQ`.
XA_ALE	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess AutoLogoffEnabled: reg_dword	1	Enables (1) or Disables (0) idle session logoff. Logoff only occurs after the session has locked.
X_KM_AL_TIME	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess LogoffTimeLimit: reg_dword	600	The number of seconds the session can be idle (locked) before the session will be logged off.
X_KM_LTL	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess LockTimeLimit: reg_dword	300	The number of seconds a session can be idle before the session is automatically locked
X_PRA	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\PasswordReset URL: reg_sz		Password Reset URL to a web site than allows a user to reset their domain password (such as ADPWR)
X_ACT	SUM,KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\PasswordReset AutoCancelTime: reg_dword	120	The auto cancel time for inactivity of the password reset web display in seconds.
	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess ShowXAStatusMessages: reg_dword	1	When Enabled (1) Allows XAUCM to display the status message during startup, show desktop, and shutdown. These status messages will not be shown when Disabled (0)
	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess SkipLoadingAppList: reg_dword		When Enabled (1) Indicates that XA should not load the application list during login to improve performance. When Disabled (0), XA will load the users application list from the server. Tip This setting is required to be Disabled (0) if the user will launch SnapApp enabled applications (either Windows or Web) on the system where the setting is set. Also, if the ExactAccess Desktop will be displaying applications on the workstation, this setting must be Disabled (0) so the users authorized applications will be loaded for presentation. Not all workstations require this setting to be disabled - for instance, in a Published Application scenario, this setting can be enabled on the RSM server if the user will launch WebSSO or Windows SnapAPP applications on their local workstation and use published connectors for applications on the RSM server. This setting can also be Enabled (1) when using the Kiosk Mode Passthrough configuration, as the desktop presentation will be handled by an RSM or VDI desktop (remote session), so the local workstation does not need to retrieve the application list.
	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess BeepBeforeLockEnabled: reg_dword		Enables (1) or Disables (0) a system beep during the about to lock countdown
	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess LockBeepIntervalInSeconds: reg_dword		This value is how many seconds occur between each beep during the countdown before lock.
	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess LockBeepStartTimeInSeconds: reg_dword		This value is how many seconds before lock does the beep notice start to occur. It also indicates when the visual status will indicate the system is about to lock.
	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess LockBeepIndex: reg_dword	32	May be one of the following values 0 - play sound associated with Default Beep sound in the Sound Scheme 16 - play sound associated with Critical Stop sound in the Sound Scheme 32 - play sound associated with Question sound in the Sound Scheme 48 - play sound associated with Exclamation sound in the Sound Scheme 64 - play sound associated with Asterisk sound in the Sound Scheme 4294967295 - use PC Speaker beep instead of scheme sound Tip Note that the user may not have a .WAV file associated with the Sound Scheme values listed. Verify with the Sound Scheme that each of the items identified is associated with a .WAV file. These values can be found under: HKEY_CURRENT_USER \AppEvents \Schemes \Apps \<Type> \.Current -- (Default) Where <Type> is one of the following values: .Default, SystemHand, SystemQuestion, SystemExclamation, SystemAsterisk
X_LDM	ALL	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess KMLockDisplayMode: reg_dword	5	Change how the user name is displayed in the Active User List, Privacy Shield, and the XA Desktop 0 - Full Name* 1 - Last Name only 2 - First Name Only 3 - Directory Service Name 4 - Initials Only 5 - First Name, Last Initial 6 - First Initial, Last Name 7 - "In use" only 8 - No user name display 9 - Full First Name and Full Last Name * 10 - Full First Name Only * 11 - Full Last Name Only * 12 - Full First Name, Last Initial * 13 - Full First Name Initial, Full Last Name * Warning * Full Name is the First + Last, or Display Name field, depending on how the server is configured. * - Full First Name and Full Last Name are not parsed from username properties, but are passed directly from the server. Warning In Passthrough configuration, only values 3,7,8 are valid. ** Optionally, in Kiosk Mode, The user name can be removed from the privacy shield with the PSLoginNameVisible setting (allowing the name to remain showing on the XA Desktop)
	ALL	HKLM\Software\HealthCast\ExactAccess\Override LogoffOnDesktopClose: reg_dword		Enables (1) or Disables (0) initiating logoff if the user closes the Application Desktop (not valid for Toolbar Desktop)
	ALL	HKLM\Software\HealthCast\ExactAccess\Override ShowDesktopOnLogoffCancel: reg_dword		Enables (1) or Disables (0) initiating re-launching the XA Application Desktop (not valid for Toolbar Desktop) if the user cancels logoff
	ALL	HKLM\Software\HealthCast\ExactAccess\Display DesktopStyle: reg_sz	hcgreen.vsf	The visual style file applied to change the look and feel of the XA Toolbar Desktop (not valid for Application Desktop).
XA_DSK_CLASS	ALL	HKLM\Software\HealthCast\ExactAccess\XAServerManager Desktop: reg_sz	AppDesktop.clsAppDesktop	AppDesktop.clsAppDesktop: also referred to as Application Desktop, launches an application window similar to a web page that lists the user's SSO enabled applications as well as "lock" and "logoff" buttons. NoDesk.clsNoDesk: also referred to a No Desktop, does not launch an XA Desktop when XA is started. xatbdesk.clsxatbdesk: also referred to as Toolbar Desktop allows for the XA Menu to appear as a popup/context menu from the XA Taskbar icon. Additionally, a secondary application can be launched that looks and acts like the standard Windows task/start bar in that it will display favorite applications and has a start button to display a popup menu of applications with a work space similar to Windows 10. HCCitrixDesk.clsDesktop is a specialized desktop presentation used when the same Citrix server publishes a full Windows desktop and the user should see an XA menu of SSO enabled applications. The same Citrix server may also be used to publish xa directly but have the nodesktop option so an xa desktop does not appear. Required When using the XATBDesk.clsXATBDesk class, it is necessary that the DESKTOP_SERVER.XML be registered with the XA server before it will function. See Registering application XML files in the ExactAccess Administrator.
	All	HKLM\Software\HealthCast\ExactAccess\XAServerManager ClientDSProgID	Note This setting must be manually updated after an installation on RSM to use the virtual channel class to retrieve the current XA user from the end point device. Using the Client Configuration tool may reset this value when saving settings. Warning This setting may not be set during the install or with a transform.	Class that determines where the user identification is retrieved from. NTClientDSUser.clsNTClientDSUser (SUM,RSM,VDI) hciVCCred.clshciVCCred (RSM ONLY) NTKMDSUser.clsNTKMDSUser (KIOSK ONLY)
X_ALA_CHK	ALL	HKLM\Software\HealthCast\ExactAccess\AutoLaunch CheckAccess: reg_dword	0	This setting determines whether an access check should be performed before the application is auto-launched. If the value is set to zero (0), the application will be launched and is not required to be registered in XA. The user logging in does not have to be granted access to launch the application. If the value is set to one (1), the application must be registered in XA and the user must belong to a role that has been granted access to the application.
X_ALA_PATH	ALL	HKLM\Software\HealthCast\ExactAccess\AutoLaunch Launch: reg_sz

Kiosk Mode Only Miscellaneous Settings

Parameter Name	Applicable Modes	Registry Keys Affected	Value	Setting Description
XA_KM_DOMAIN	KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess LastDomainPrompt: reg_sz		The Default Domain a user will authenticate with when they provide a user name for authentication to Kiosk Mode. This will also select the configured domain by default when the domain drop down is configured for visibility or the domainlist registry keys have been configured.
X_KM_DOMVIS	KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess isDomainDropdownVisible: reg_dword	0	Enable (1) or Disable (0) the domain drop down display on the Kiosk Mode password authentication dialog. If this setting is disabled, in place of the drop down, the LastDomainPrompt name will be shown to the user. If multiple domains are configured in the setting below, the domain drop down will become visible even when this setting is disabled
	KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess\domainlist 0001: reg_sz 0002: reg_sz etc.		A numbered list of custom domains that users can authenticate with when using the Kiosk Mode password authentication. If these keys are configured, it will override the X_KM_DOMVIS setting and force the drop down to be visible so that users may select the correct domain to authenticate against.
X_KM_DRVMAP	KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess isXADriveMappingEnabled: reg_dword	0	Enables (1) or Disables (0) kiosk mode drive mapping lookup and processing.
X_KM_PRTMAP	KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess isXAPrinterMappingEnabled: reg_dword	0	Enables (1) or Disables (0) kiosk mode printer mapping when using RUN AS connectors that require the default generic printers to be mapped into the users Windows profile for RUN AS to function and allow printing.
X_LUPE	KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess LastUserPromptEnabled: reg_sz	0	Enables (1) or Disables (0) displaying the last user name on the password authentication dialog in kiosk mode when a user locks or logs off. This is similar to the Windows policy for standard mode to show previous users login names so a returning user does not need to provide it.
X_KM_SL	KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess KMSupportsLock: reg_dword	1	Enables (1) or Disables (0) Kiosk Mode Locking operations. If lock is disabled, idle sessions will always be logged off.
X_PLOLE		HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess PerformLogoffOnLockEnabled: reg_dword	0	Enable (1) or Disable (0) kiosk mode to log off the current users session when the session is locked.
	KM	HKLM\Software\HealthCast\ExactAccess AutoSecureOnWindowsUnlock: reg_dword	0	Indicates weather to support securing the XA desktop in Locking Kiosk Mode (on Windows Unlock) if the Windows workstation is locked before timeout for sessoin lock is triggered. E.g. if Windows is unlocked and the lock timeout of XA is expired, the system will automatically switch to the privacy shield desktop. (This configuration needs to be disabled if using Secure Patient Desktop in conjunction with XA) Warning It is recommended that the Workstation Lock feature be disabled on workstations installed with Kiosk Mode so that the Windows-L key can be intercepted to cause a Kiosk Mode Lock instead. If this system policy has been configured, or Secure Patient Desktop is installed, this setting should remain Disabled (0)
	KM	HKLM\Software\HealthCast\ExactAccess\Override DisplayFont: reg_sz	Tahoma	Changes the font used to display the text on the HealthCast screen saver.
	KM	HKLM\Software\HealthCast\ExactAccess\Override ScreenSaverBackgroundColor: reg_dword	0	Changes the color of the background for the HealthCast screen saver. Color is specified in the following format: NBGR (none,blue,green,red values from left to right 00, BB, GG, RR)
	KM	HKLM\Software\HealthCast\ExactAccess\Override ScreenSaverFontColor: reg_sdword	16777215 (FFFFFF) - white	Changes the color of the text for the HealthCast screen saver. Color is specified in the following format: NBGR (none,blue,green,red values from left to right 00, BB, GG, RR)
	KM	HKLM\Software\HealthCast\ExactAccess\Override PrivacyShieldBackgroundColor: reg_dword		Changes the color of the text for the KM Privacy Shield. Color is specified in the following format: NBGR (none,blue,green,red values from left to right 00, BB, GG, RR)
X_DSSE	KM	HKLM\Software\HealthCast\ExactAccess\Display DisplayOnScreenSaverEnabled: reg_dword	0	Enables (1) or Disables (0) showing the informational bitmap on the screen saver.
X_SX	KM	HKLM\Software\HealthCast\ExactAccess\Display StartX: reg_dword	0	The X (horizontal) coordinate in pixels of where to start displaying the informational bitmap
X_SY	KM	HKLM\Software\HealthCast\ExactAccess\Display StartY: reg_dword	0	The Y (vertical) coordinate in pixels of where to start displaying the informational bitmap
X_NSX	KM	HKLM\Software\HealthCast\ExactAccess\Display NetStartX: reg_dword	65	The X (horizontal) coordinate in pixels of where to start displaying the network connectivity application.
X_NSY	KM	HKLM\Software\HealthCast\ExactAccess\Display NetStartY: reg_dword	961	The Y (vertical) coordinate in pixels of where to start displaying the network connectivity application.
X_SII	KM	HKLM\Software\HealthCast\ExactAccess\Display SysInfoImage: reg_sz		The background image to load which contains desired information. May be generated by Microsoft (SysInternals) BGInfo. Must contain the full path to the BMP image to display
X_UT	KM	HKLM\Software\HealthCast\ExactAccess\Display UseTransparency: reg_sz	0	Indicates that the image should be drawn transparent so that the configured background color of the privacy shield or screen saver is used instead of the background of the informational image configured.
	KM	HKLM\Software\HealthCast\ExactAccess\Display BioLoginFormStyle: reg_sz	carbon.vsf	The visual style file applied to change the look and feel of the biometric login dialog.
	KM	HKLM\Software\HealthCast\ExactAccess\Display ChangePINFontColor: reg_dword	16777215 (FFFFFF) - white	Changes the color of the text for the "change pin" prompt. Color is specified in the following format: NBGR (none,blue,green,red values from left to right 00, BB, GG, RR)
	KM	HKLM\Software\HealthCast\ExactAccess\Display ChangePINFontFace: reg_sz	Calibri	Specifies the font face name of the "change pin" prompt
	KM	HKLM\Software\HealthCast\ExactAccess\Display ChangePINFontSize: reg_dword	10	The size of the displayed font in font points.
X_EFC	KM	HKLM\Software\HealthCast\ExactAccess\Display ErrorFontColor: reg_dword	0	Changes the color of the text for the "error condition" prompt when a user enters an invalid PIN. Color is specified in the following format: NBGR (none,blue,green,red values from left to right 00, BB, GG, RR)
X_EFF	KM	HKLM\Software\HealthCast\ExactAccess\Display ErrorFontFace: reg_sz	Calibri	Specifies the font face name of the "error condition" prompt
X_EFS	KM	HKLM\Software\HealthCast\ExactAccess\Display ErrorFontSize: reg_dword	8	The size of the displayed font in font points.
X_LDFC	KM	HKLM\Software\HealthCast\ExactAccess\Display LoginDirectionsFontColor: reg_dword	16777215 (FFFFFF) - white	Changes the color of the text for the current "Login Directions". This text may prompt the user to tap a badge, enter their password, enter their user name, or enroll a card. Color is specified in the following format: NBGR (none,blue,green,red values from left to right 00, BB, GG, RR)
X_LDFF	KM	HKLM\Software\HealthCast\ExactAccess\Display LoginDirectionsFontFace: reg_sz	Calibri	Specifies the font face name of the "Login Directions" prompt
X_LDFS	KM	HKLM\Software\HealthCast\ExactAccess\Display LoginDirectionsFontSize: reg_dword	12	The size of the displayed font in font points.
X_LFPFC	KM	HKLM\Software\HealthCast\ExactAccess\Display LoginFieldPromptFontColor: reg_dword	16777215 (FFFFFF) - white	Changes the color of the text for the login field prompts such as "username", "password" and "domain". Color is specified in the following format: NBGR (none,blue,green,red values from left to right 00, BB, GG, RR)
X_LFPFF	KM	HKLM\Software\HealthCast\ExactAccess\Display LoginFieldPromptFontFace: reg_sz	Calibri	Specifies the font face name of the "login fields" prompt
X_LFPFS	KM	HKLM\Software\HealthCast\ExactAccess\Display LoginFieldPromptFontSize: reg_sz	10	The size of the displayed font in font points.
X_LFS	KM	HKLM\Software\HealthCast\ExactAccess\Display LoginFormStyle: reg_sz	light.vsf	Login Form Style file path - determines colors, fonts, and borders of input boxes and buttons on the login prompt
X_LOTIV	KM	HKLM\Software\HealthCast\ExactAccess\Display LogoffDisplayTimeImagesVisible: reg_dword	1	Enable (1) or Disable (0) the Logoff Display Time Images - determines if the images are displayed for auto-logoff
X_LOTV	KM	HKLM\Software\HealthCast\ExactAccess\Display LogoffDisplayTimeVisible: reg_dword	1	Enable (1) or Disable (0) displaying the current time remaining for the locked user session before it is automatically logged off.
X_LOPOST	KM	HKLM\Software\HealthCast\ExactAccess\Display PSAutoLogoffPostfix: reg_sz		Logoff Time Postfix text
X_ALOPX	KM	HKLM\Software\HealthCast\ExactAccess\Display PSAutoLogoffPosX: reg_dword	701	Auto Logoff dsiplay Position Absolute X (horzontal) position
X_ALOPY	KM	HKLM\Software\HealthCast\ExactAccess\Display PSAutoLogoffPosY: reg_dword	768	Auto Logoff dsiplay Position Absolute Y (vertical) position
X_LOPRE	KM	HKLM\Software\HealthCast\ExactAccess\Display PSAutoLogoffPrefix: reg_sz		Logoff Time Prefix text
X_ALV	KM	HKLM\Software\HealthCast\ExactAccess\Display PSAutoLogoffVisible: reg_dword		Enable (1) or Disable (0) displaying the user session information on the privacy shield.
X_LIFC	KM	HKLM\Software\HealthCast\ExactAccess\Display PSLoginNameFontColor: reg_dword	16777215 (FFFFFF) - white	Changes the color of the text for the Login name displayed on the privacy shield. Color is specified in the following format: NBGR (none,blue,green,red values from left to right 00, BB, GG, RR)
X_LIFF	KM	HKLM\Software\HealthCast\ExactAccess\Display PSLoginNameFontFace: reg_sz	Calibri	Specifies the font face name of the "Login name" display.
X_LIFS	KM	HKLM\Software\HealthCast\ExactAccess\Display PSLoginNameFontSize: reg_dword	24	The size of the displayed font in font points.
X_ALV	KM	HKLM\Software\HealthCast\ExactAccess\Display PSLoginNameVisible: reg_dword	1	Enable (1) or Disable (0) displaying the current users name on the privacy shield when the system is locked.
X_LOTFC	KM	HKLM\Software\HealthCast\ExactAccess\Display PSLogoffTimeFontColor: reg_dword	16777215 (FFFFFF) - white	Changes the color of the text for the count down timer (for autologoff) on the privacy shield. Color is specified in the following format: NBGR (none,blue,green,red values from left to right 00, BB, GG, RR)
X_LOTFF	KM	HKLM\Software\HealthCast\ExactAccess\Display PSLogoffTimeFontFace: reg_sz	Calibri	Specifies the font face name of the "autologoff time" display
X_LOTFS	KM	HKLM\Software\HealthCast\ExactAccess\Display PSLogoffTimeFontSize: reg_dword	28	The size of the displayed font in font points.
	KM	HKLM\SOFTWARE\HealthCast\eXpressAccess AutoStartScreenSaverOnTapOut: reg_dword	0	Enables (1) or Disables (0) automatically starting the configured WIndows screen saver when a user taps out of ExactAccess
X_ALTLE	KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess\Override AlternateLoginEnabled: reg_dword	0	Elables (1) or Disables (0) Alternate Login Button - when using both biometric and standard username and password, allow a user to switch between the primary and secondary.
X_EASE	KM		0	Kiosk Mode Shell replacement allows for hiding the Windows desktop. 0 = Windows Desktop is enabled, 1 = Windows Desktop is hidden. Windows desktop is always enabled for administrative accounts. Warning See additional requirements for configuring this setting on Windows 10 systems in shell replacement.
XAD_ENABLED	KM		0	Kiosk Mode Operations Mode. 0=Full SSO operation, 1 = passthrough only operation. Setting this value to 1 on the command line adjusts several properties to enable passthrough operation.
X_PRMPT_ENC	KM	HKEY_LOCAL_MACHINE\SOFTWARE\HealthCast\ExactAccess PromptEncryptionClass: reg_sz	BLOWFISH	Encryption Class to use for in-memory Password storage can be: BLOWFISH RIJNDAEL

In this section:

HealthCast

Kiosk Mode - Full SSO

Interactive Installation

Tip

Installing the RapidIdentity Plug-in for Fingerprint

Required

Installing the Redistribution Drivers Application

Notice

Notice

Command Line Installation

Configuring KM Connectivity

Installation command line parameters for Kiosk Mode with full SSO configuration

Tip

Registry Settings

Warning

Note

Note

Tip

Tip

Warning

Warning

Required

Note

Warning

Warning

Warning

Search results