Configuration

This article describes new functionality and various configuration changes that can be made.

Passive Authentication Device to Support Narrator Workflow

To support the embedded Narrator automatic arrival functionality, you will need to configure the HCILoginDeviceNET.ProxCardPassive program ID in the Epic back-end system. This must be configured in the correct authentication context for the Narrator in Hyperspace Authentication Administration.

This device implements Epic's Passive Mode functionality, allowing it to return a user that taps their proximity card to arrive for events in Narrator. Any users that have their proximity card enrolled can tap their proximity card to arrive for the Narrator event. When the Narrator workflow is closed, Hyperspace will return to its normal proximity card authentication workflow.

Setting Up Passive Authentication Device in Hyperspace for Narrator Support

To set up the Passive Authentication Device, follow the directions in Configuring Identity Automation Authentication Devices in Epic Hyperspace, following the instructions with HCILoginDeviceNET.ProxCardPassive device as noted.

SecureActive Setting Configuration

The SecureActive setting can be configured per user session to remote kiosk on a terminal server. Organizations hosting remote kiosk on Citrix XenApp servers use the setting located in the HKLM registry, which applies to all users. The following setting can be applied to override the value for specific users. Use a User Group Policy to set the following setting for each user that will be using the Citrix server where the value needs to be overridden.

User Registry Configuration

To configure SecureActive Setting to run per user session on the terminal server's “current user” session, add the notification registry key to a remote kiosk on a terminal server:

[HKEY_CURRENT_USER\SOFTWARE\HealthCast\ExactAccess\
TFA Settings]"SecureActive"="False"

Manual Login Screen Display

The Primary Authentication Device allows the user to tap in or enter the username and password to login. The manual login screen is displayed when a user is not logged into the device. The "tap your badge" screen is displayed when a user is logged into the device.

No configuration is needed for this feature.

Note: This is represented in Epic 2018. This feature does not apply to versions prior to 2018.

Setting Up Primary Authentication Device in Hyperspace for User Login

To set up, follow the directions in Configuring Identity Automation Authentication Devices in Epic Hyperspace, following the instructions with HCILoginDeviceNET.ProxCard device as noted.

Configuring Identity Automation Authentication Devices in Epic Hyperspace

To create and configure Identity Automation's authentication devices in Hyperspace please have your Hyperspace and Desktop TS-user follow the directions in the "3rd Party Authentication Setup" section in the "Authentication Setup and Support Guide".  This Guide is maintained and supported by Epic and has directions on setting up a 3rd party authentication device E0G record and configuring it in Authentication Administration to allow Hyperspace to use an authentication device.

While using the guide, use the following Identity Automation ProgIDs to configure:

• Use HCILoginDeviceNET.ProxCard if setting up a primary authentication device.
• Important: Epic's Default Login (0) device should be added to the Primary Device setting after the HCILoginDeviceNET.ProxCard device.
• Note: HCILoginDeviceNET.ProxCardPassive is only supported in the Narrator workflow. Use Epic's documentation for the context this should be configured. In addition, this device requires that the HCILoginDeviceNET.ProxCard device has been configured for primary authentication.
• Use HCILoginDeviceNET.ProxCardPassive if setting up a passive authentication device

Important: The Pause Form must be turned off to allow users to tap in. Use the following command to run in the Epic Operational Database to complete this task:

d ^%ZeUSTBL > Security > Login Settings > Client Login Settings >
Always show pause form on secure? No

Contact your Epic Client Systems – Hyperspace and Desktop TS for detailed instructions and more information about adding authentication devices.

Debugging ExactAccess Credential Passthrough Issues

The following are typical issues to look at when Hyperspace is not logged in:

• Any version of Hyperspace
  1. Is a Citrix server that has the plugin installed being hit?
     1. On an endpoint device, open the Citrix connection manger to see what Citrix server you're connected to?
        1. If not correct, look at the pubLauncherSF.exe settings.
• Was Citrix installed or reinstalled after installing the plugin?
  1. If yes, then use the instructions in the known issues section on how to reapply the virtual channel settings.
• Hyperspace 2017
  1. Is a login device configuration being used?
     1. If yes, is the login device being loaded?
        1. Turn on Epic logging and look for a line that looks like the following in the log file:
           • EDAuthentication.BridgeAuthenticate: Looking at 10002: HCILoginDevice.ProxCard2
           • If this type of line is not present, Hyperspace is not loading our login device.
           • Check that the workstation that you are connecting from is configured to use the Primary Authentication Device.
     2. If hciepicsessionmgr.exe is not being started when the Hyperspace process is started?
        1. Test on the Citrix server using task manager to see if hciepicsessionmgr.exe is started. It should start and close. If it doesn’t, then TFA_AIE=1 setting was not applied at install.
           Note: This is not supported in 2018.
• Hyperspace 2018
  1. When Hyperspace is started, is a log file created in the following location and format? C:\Temp\Logs\${CLIENTNAME}_${USER NAME}_log.txt
     1. If no log file has been created, this indicates that Hyperspace has not been configured correctly to load the plugin.
     2. To debug, you will need to enable Hyperspace logging. This will require help from your Epic TS to enable logging and decrypt the log file.
     3. After generating a log file and decrypting it, search the log file for the following to see if Hyperspace is loading the plugin:
        1. If text EDAuthentication.Initialize -- Device List and HCILoginDeviceNET.ProxCard are on the same line, this shows that the plugin was an available device.
        2. If text EDAuthentication.BridgeAuthenticate -- Looking at and HCILoginDeviceNET.ProxCard is on the same line, this shows that the plugin was called.
     4. If you don't see any of the above text in the log file, the Prog ID has not been configured correctly in the authentication device's E0G record.
     5. If you only see the first set of text, the workstation login context has not been configured correctly in Hyperspace Authentication Administration.

Configuring Epic to use EPCS Authentication

Note: Contact your Epic Client Systems – Hyperspace and Desktop TS for detailed instructions and more information about adding authentication devices.

Creating the EPCS Authentication Device

To configure Epic to use EPCS authentication, first create the EPCS authentication device.

1. Open a text session and access Chronicles (d ^e).
2. Access the E0G Master file by typing E0G and pressing enter.
3. Navigate to “Enter Data”.
4. Navigate to “Create/Edit Device”.
5. To see the current list of devices type “?”, then “Yes”. Then press enter twice. This will bring up a list of devices, along with the device ID they utilize.
   Note: It may be necessary to press enter a few times until all of the devices can be seen. Select a Device ID that is not being used and is greater than 10,000.
6. Enter the chosen Device ID and a Record Name: Identity Automation Security Authentication.
   Note: This is the name that will display in Hyperspace.
7. Tab down to "Device Type" and enter "Login Device" (excluding the quotation marks).
   Note: This field only appears in Epic 2018 and newer.
8. Press enter and type “Desktop” (excluding the quotation marks) in the “Platforms:” field and hit enter twice.
9. Enter the ProgID for the authentication devices needed.
   Note: The PingMe token prog id is RIPingMe.RIToken, and the Fingerprint prog id is RIBiometric.riBio.
10. Press Enter and quit out of the record and Chronicles.

The EPCS authentication device is now created.