
Excalibur Enterprise - FAQ

Introduction

What is Excalibur and what is it for?

Excalibur replaces passwords with your smartphone, which becomes your universal digital key for simple but strong multi-factor authentication and for authorizing events in your company's existing IT infrastructure.

What is an authentication factor?

The aim of multi-factor authentication is to verify a user's identity unambiguously by means of several mutually independent pieces of information (factors) that identify the user. These are called authentication factors; the best-known examples are a password or a PIN. Factors are usually divided by the means and form of user identification into the following types:

  • Knowledge factors (something only the user knows): password, PIN, pattern lock, and so on.
  • Possession factors (something only the user has): smartphone, phone number, smart card / credit card, USB token, MAC address of a device, and so on.
  • Inherence factors (also called identity factors: who the user is, i.e. biometrics): fingerprint, iris, facial features, voice features, and so on.
  • Contextual factors (what the user's current environment is): proximity, geographic location, time, date, day of the week, IP address and mask, and so on.

Excalibur can combine all kinds of factors and thus provides what it calls Massive Multi-factor Authentication (MMFA), or simply multi-factor authentication, conveniently via a smartphone application. Excalibur currently supports the following factors: PIN, fingerprint, facial recognition, geolocation, smartphone verification, time and day of the week, and the IP address of your computer and phone.

Your administrator may combine authentication factors into security policy rules that can be specific to each operation, to organizational units, and even to individual users and systems in which Excalibur is used. Because the administrator may change the security policy rules at any time, always follow the instructions shown during login in the Excalibur mobile application. If new authentication factors are added to the security policy rules, at your next login you will first be prompted to set up the new factors, and from then on you will use them for verification.

What is OTP?

A One-Time Password (OTP) is a single-use (pseudo-)random password or code. Its uniqueness and its validity for a single operation address the corresponding weakness of static passwords, namely that the same secret is reused across many verifications. For additional security, OTPs may be further restricted, e.g. bound to specific operation details or given a short expiration (validity) window. OTPs in various forms are therefore often used as an additional identity verification measure (authentication factor). Excalibur uses the OTP principle for two different purposes:

  • offline login: a short-lived OTP is issued to a successfully authenticated user for offline login with Excalibur (the user enters this OTP into the full-screen Excalibur login screen).

  • dynamic login password: when allowed by the administrator, Excalibur automatically changes the user's Active Directory (AD) password in the background after each successful domain login to a long random sequence, which Excalibur uses exactly once and then changes again for the next login. The user never comes into contact with this random sequence (does not know it and does not use it anywhere). The same applies to the user's old password, which the user no longer has to remember.

What can Excalibur authenticate?

Excalibur replaces outdated authentication systems based on usernames and passwords, as well as systems offering impractical two-factor and multi-factor methods. Excalibur offers native integrations for Windows and macOS (OS X). Other systems can be integrated via standard interfaces and protocols.

Currently, Excalibur can log a user into a domain-joined (Active Directory) Windows computer, into web applications through native integrations or SAML, and into Citrix NetScaler and StoreFront; it can also perform authentication and authorization through the RADIUS and Kerberos protocols. All of these methods require the appropriate integration, installation and configuration of Excalibur components.

In addition, Excalibur integrates with McAfee Drive Encryption, where Excalibur is currently the only solution that enables multi-factor authentication for the disk encryption (pre-boot) authentication.

Installation

What do I need to start using Excalibur?

If you are an end user, to start using Excalibur you need the Excalibur mobile application, which you must initialize (register) for use with Excalibur in your company. After successful initialization (registration), you can sign in with Excalibur to all systems your company supports.

If you are unsure, or do not have the Excalibur mobile application installed, please see:

How do I know if I have Excalibur installed on my devices?

How do I install Excalibur on my smartphone?

All Excalibur components must also be installed and configured by your system administrator in every environment and application (Windows, VPN, web applications, etc.) where you want to log in with Excalibur.

See also:

How do I know whether my company supports Excalibur login?

How do I register?

If you are an administrator, to use Excalibur you need to install and configure the following Excalibur components:

  • Server: the Excalibur component that runs within your company and is responsible for all operations Excalibur performs, from registration and authentication of operating-system logins to authorization of actions. It is installed and configured by a designated system administrator.

  • Client environment (client): a component (a set of components, or simply an integration) that is part of your company's infrastructure and enables the various authentication / authorization actions performed by Excalibur. From the end user's perspective it is, for example in the case of domain login, the Excalibur login screen on the user's computer.

  • Mobile application (token): the component that becomes the user's personal hardware token and replaces conventional hardware tokens such as smart cards / credit cards, USB tokens, and so on. From the moment of initialization, the user's identity is bound to a specific smartphone and stored in that smartphone's secure storage. If business smartphones are administered centrally via a Mobile Device Management (MDM) solution, we recommend distributing this component to employees' phones automatically, so that they do not need to install the mobile application themselves.

If you want to try or start using Excalibur, please contact us at xclbr@xclbr.com

How do I know whether my company supports Excalibur login?

If the Excalibur client is available to you, then for domain login you should see the Excalibur login screen: either in full-screen mode, with Excalibur's and your company's branding, instead of the standard Windows login screen (which usually shows a username and password, or alternatively fingerprint / smart card / Windows Hello login, depending on your company's security policies), or a large login QR code in a corner of the standard Windows login screen.

So if you can see the Excalibur login screen, your company supports Excalibur login.

To start using Excalibur you need the Excalibur mobile application, which you have to initialize (register) for use with Excalibur. This can be done via self-registration. If your company manages business phones centrally (remotely) via Mobile Device Management (MDM), another indication of Excalibur support is that the Excalibur mobile application is already installed on your business phone.

If you have any doubts about the availability of Excalibur in your company, contact your system administrator, who can install all necessary components either locally or remotely.

See also:

How do I know if I have Excalibur installed on my devices?

How do I install Excalibur on my smartphone?

How do I install Excalibur to my computer?

How do I register?

How do I know if I have Excalibur installed on my devices?

If you have the Excalibur client installed on your computer, you should see the Excalibur login screen; for details see: How do I know whether my company supports Excalibur login?

On a Windows computer you can check the installed programs, among which you should see Excalibur Enterprise. Open the Control Panel, select the Programs category and then Programs and Features. On Windows 8 and later, applications can also be found under Settings > Apps > Apps & features, which lists all installed applications and offers a search. You can also search for apps directly from the Windows search box.

On a smartphone, you can find Excalibur among the installed applications either in Settings under Apps or Applications, or under Installed apps in the official app store for your platform.

See also:

How do I know whether my company supports Excalibur login?

How do I install Excalibur on my smartphone?

How do I install Excalibur to my computer?

How do I install Excalibur on my smartphone?

The Excalibur mobile application is installed automatically if your company manages business phones centrally (remotely) via Mobile Device Management (MDM). Otherwise, install it yourself from the official app store for your platform (Android or iOS): search for Excalibur Enterprise and install it.

The mobile application may ask for the runtime permissions it needs to operate according to your company's security policy rules, such as camera access (scanning the QR code) or location (geolocation as an authentication factor). Ideally these permissions only need to be granted once, before the first operation that requires them. However, you may be prompted again if you rejected them the first time, withdrew them in the application settings, deleted (cleared) the application data, reinstalled the application, transferred your identity to a new phone, or if an application or OS update requires new permissions.

In addition to runtime permissions, the application may ask you to enable certain services on your phone, such as high-accuracy location, or to update components such as Google Play Services on Android.

See also:

How do I know if I have Excalibur installed on my devices?

How do I register?

How do I install Excalibur to my computer?

The client (Excalibur Client) is not installed by the user. If you cannot see the Excalibur full-screen login screen or the registration QR code in the corner of the standard login screen, contact your system administrator, who can install Excalibur remotely or locally from the installation package.

See also:

How do I know if I have Excalibur installed on my devices?

Usage

How do I register?

To use Excalibur in your company you need to register. By registering you pair your corporate identity with the Excalibur Enterprise mobile application on your smartphone; in other words, you initialize it for use in your company.

If you are not sure, or do not have the Excalibur mobile application installed, please see:

How do I know if I have Excalibur installed on my devices?

How do I install Excalibur on my smartphone?

Registration is started from the full-screen mode of the Excalibur login screen on your computer. If you only see the registration QR code in the corner of the standard login screen, clicking on it opens the full-screen mode. To start self-registration, click "Register" and enter your current username and password to verify your identity. A registration QR code then appears, which you scan with the Excalibur mobile application to continue the registration.

In the mobile application you will be asked to provide all authentication factors that your company's security policy requires for registration. After successful registration, your company name is added under "Settings" in the mobile application. If your phone's connection is working and the Excalibur server is reachable, the connection indicator (to the right of the company name) should be green.

How do I log into a computer, web, or RDP?

To log in as a registered user, simply scan the QR code with the initialized Excalibur mobile application and then provide all authentication factors the application requires according to your company's security policies for login. Verifying some factors may require enabling related services, such as turning on location.

The mobile application informs you about a successful login. If an error occurs, tap "More info" to open the help with a description of the error.

How do I log in without an internet connection?

The administrator can enable offline login in the Excalibur security policy. If offline login is enabled for you and your computer or phone has Internet connectivity problems, or no Internet connection is available, Excalibur allows you to log in using an offline One-Time Password (OTP).

Authentication begins as usual, with a QR code scan using the Excalibur mobile application and verification of all required authentication factors. The security policy rules for offline login may differ from those for online login: there may be additional factors, or restrictions on when and where offline login is allowed. After the factors are verified, the procedure differs: instead of logging you in automatically, the mobile application generates an OTP, which you type manually into the box under the QR code in the Excalibur full-screen login screen on the computer, and then press Enter. If you only see the login QR code in the corner of the standard login screen, clicking on it opens the Excalibur full-screen login screen.

Offline login has several limitations. The main one is that the first offline login is possible only after a first successful online login, so try an online login immediately after registration while both the phone and the computer have a stable Internet connection. The OTP has limited validity and is valid for exactly one offline login to your account; the validity timer is shown in the Excalibur mobile application. After an offline login you will not see your current session in the mobile application immediately, as you would after an online login, but only once the computer and the phone reconnect to the Internet and synchronize their state with the company's Excalibur server.

How do I log out / lock a computer?

An active session (login) can be locked or terminated remotely from the mobile application. A session is created by logging in to your computer and ends when you sign out or shut down the computer. For online login the session appears on your phone immediately after a successful login; for offline login it appears after your computer and phone connect and synchronize with your company's Excalibur server. For a quick overview and access, your active sessions also appear in a notification.

You can lock an active session manually from the computer's Start menu. After unlocking the session you return to your work just as you left it. Ending a session logs you off the computer, so open programs are closed and unsaved changes are lost, exactly as with a manual log-off or shutdown from the Start menu.

The bottom of the mobile application's main screen shows cards for all your active and locked sessions. On the right side of each card there is an icon (button) to lock or end the session; a confirmation dialog then lets you confirm or cancel your choice. If the session is still active you are offered two choices, log out or lock, and choosing log out asks you to confirm the action.

The sessions notification (Android) gives quick access to your sessions: tapping the notification opens the main application screen, from where you can control individual sessions.

How do I change a computer password?

Excalibur can work with passwords in one of two modes: static or dynamic password. The mode is selected by your system administrator.

With a static password, your original password is preserved, so in exceptional cases you can still log in manually. The first time you log in with Excalibur, and each time you change your password, Excalibur asks you to enter it. If your company's security policy enforces password expiration, Excalibur asks you to set a new password once the current one expires.

With a dynamic password, Excalibur takes full control of your password: it automatically changes it in the background (without user intervention) to a long random sequence, which is used only for the next login, after which the process repeats. The user no longer uses the original password (and does not need to remember it); the whole process is handled by Excalibur. Manual password changes by users and password expiration are not permitted in this mode.

How do I change my PIN or another factor?

You can change your PIN or other authentication factors in the Excalibur mobile application. On the main screen, tap "Settings" > "Company", select the company for which you are initialized and choose "Reset PIN". Excalibur asks you to enter your current authentication factors according to your company's security policies and, after successful verification, asks for the new ones.

What to do if I forgot my phone and I need to login?

If you have forgotten your phone, or it is unavailable or not working for some reason, select "Forgotten phone" in the full-screen mode of the Excalibur login screen. If you only see the login QR code in the corner of the standard login screen, clicking on it opens the Excalibur full-screen login screen. Then enter your login name, your Excalibur PIN, the reason why you cannot use your phone and how long it will be unavailable, and press "Login". Your manager / administrator is contacted and asked to confirm or reject your request. Such an authorization may be one-time, or it may allow login for the next hour or the whole day.

Login without a mobile phone may be prohibited by the administrator under the company's security policies.

What to do if I lost / factory reset my phone?

If your phone is lost or stolen, first contact your system administrator to disable your account so that nobody can log in with that phone. Then, as after a factory reset, application reinstall or data erase, perform a new registration. For more information on registration or installing the Excalibur mobile application, please see:

How do I register?

How do I install Excalibur on my smartphone?

As soon as you re-register (on another phone), the original registration automatically becomes invalid: Excalibur deregisters (deinitializes) your original phone and you can only log in with the currently registered phone. Your Excalibur identity is always bound to exactly one phone, the currently registered one.

What is an Excalibur Dashboard?

The Excalibur Dashboard is a user management console where every user registered with Excalibur can see their own actions and sessions. On top of that, an Excalibur administrator can use the Dashboard for monitoring: viewing user activity, setting rules and security policies for users, defining geofences, and more.

For detailed information about the Dashboard, see the Excalibur Administrator Dashboard Manual or the Excalibur User Dashboard Manual.

How do I change the language in the application?

To change the language, open the Excalibur application and tap Settings (gear icon). Tapping the Language button opens the settings window, where you can choose from the supported languages (currently Slovak and English).

Does the application collect data in the background?

No. The application does not run any process that collects data in the background. All data such as position, biometrics and PIN are provided by the user only when they are required for authentication, and the application does not store this data.

What does "Run in the background" mean?

The application has an option "Running in the background". When it is enabled, the application launches faster than when it is disabled.

What should I do when the Excalibur CPUI does not load properly?

If the Excalibur CPUI is not loaded properly after resuming from suspend, try suspending the PC client and resuming it again; the CPUI should then load properly. If the problem persists, contact your administrator.

What is the Excalibur PAM?

Excalibur PAM (Privileged Access Management) provides web-based zero-trust access to enterprise resources. Zero trust here means the client machine does not need to be trusted: nothing is installed on it, and all access from it goes through the browser or a native client using a well-known protocol such as RDP. The client machine never gets access to the internal network.

For further information read: Excalibur PAM Manual

Are Excalibur PAM sessions recorded?

Yes. Excalibur PAM treats all sessions as privileged and records them by default. Every action taken by the user is cryptographically signed to certify that it was performed by the authenticated user. The effect is a continuous binding of every user action (each action and each PAM session is recorded and signed) to a strongly multi-factor-authenticated identity, with no way to delegate access or to claim that it was some other user.

Can I transfer files via PAM?

Excalibur PAM lets you upload files from the client to the target and download files from the target. Files can be transferred in RDP or SSH sessions.

For further information read: Excalibur PAM Manual

Facade runs but doesn’t connect

The Facade service runs under a gMSA (group Managed Service Account) and is sometimes started before Active Directory is reachable. The Service Control Manager (SCM) tries to start the service but cannot verify the service account (Event Viewer shows that the account was not found) and refuses to start it. To resolve this, reboot the Facade.
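A check a practitioner will want before settling for "reboot it": confirm that the host can actually retrieve the gMSA password, see the SCM failure from the last boot, and make the service start late and after Netlogon so the gMSA lookup happens once a domain controller is reachable. This is an added example, not Excalibur's own tooling; the service name and gMSA name are hypothetical placeholders.

```powershell
# Added example (not Excalibur's own tooling): diagnose a gMSA-backed service that
# failed at boot and make it start only after the domain is reachable.
# Hypothetical names, adjust to your deployment:
#   $ServiceName - Windows service name of the Facade
#   $Gmsa        - SamAccountName of the gMSA it runs under (with trailing $)
# Run elevated on the Facade host; step 1 needs the ActiveDirectory RSAT module.
param(
    [string]$ServiceName = 'ExcaliburFacade',
    [string]$Gmsa        = 'gmsa-facade$'
)

# 1. Can this host retrieve the gMSA's managed password right now?
#    $false (or an error) means AD is unreachable, or this computer is not in the
#    gMSA's PrincipalsAllowedToRetrieveManagedPassword. This is the same lookup the
#    SCM performs at boot, which fails when AD is not yet up.
Import-Module ActiveDirectory -ErrorAction Stop
$canRetrieve = Test-ADServiceAccount -Identity $Gmsa
"gMSA {0} retrievable on {1}: {2}" -f $Gmsa, $env:COMPUTERNAME, $canRetrieve

# 2. SCM start failures for this service since the last boot
#    (System log, event 7000 = "service failed to start").
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000; StartTime = $lastBoot
} -ErrorAction SilentlyContinue |
    Where-Object Message -like "*$ServiceName*" |
    Select-Object TimeCreated, Message

# 3. Start late and only after Netlogon, so the gMSA lookup happens once the machine
#    has a secure channel to a domain controller. sc.exe is used because Windows
#    PowerShell 5.1's Set-Service has no delayed-start option; the spaces after
#    "start=" and "depend=" are required by sc.exe.
sc.exe config $ServiceName start= delayed-auto depend= Netlogon | Out-Null
sc.exe qc $ServiceName
```

Delayed start is the lever that matters here; a dependency on Netlogon only guarantees that the local service is running, not that a domain controller is reachable (for example on a host whose network comes up late), so if the account still cannot be verified the service must be started again after connectivity returns, which is what the reboot above achieves.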

Facade unable to create secure LDAP connection

If the Facade cannot establish a secure LDAP connection, you will see a message similar to the following in the log:

[WARNING] Unable to create default secure LDAP connector for domain "SECURE".
ldap_connect() failed (81) Server Down
(LdapWrapper::GetConnectorAsync::<lambda_1>::()::<lambda_1>::()::<lambda_1>::operator ()) [LdapWrapper.h: 435]

Error 81 is LDAP_SERVER_DOWN: nothing answered on the LDAPS port. The most likely cause is a missing server certificate on the domain controller, since Active Directory only binds LDAPS (TCP 636) when a suitable certificate is present. In this case we recommend running the following PowerShell script on the domain controller:

self-signed_LDAPS.zip

The script creates and deploys a self-signed certificate. After successful deployment the domain controller must be restarted. Treat the self-signed certificate as a stopgap: the Facade host (and any other LDAPS client) has to trust it explicitly, and a certificate issued by your enterprise CA with the domain controller's FQDN in the Subject Alternative Name is the durable fix.

Tip

In some cases, if the LDAPS service does not start correctly, the server must be restarted.
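To tell "port closed" (the error 81 case above) apart from "TLS negotiated but the certificate is not usable", run the following from the Facade host against the domain controller. This is an added example, not part of the Excalibur documentation or the self-signed_LDAPS.zip script; the domain controller name is a hypothetical placeholder.

```powershell
# Added example (not Excalibur's own code): verify that a domain controller offers
# LDAPS and inspect the certificate it presents, as seen from this host.
# Assumption: $Dc is the DC's FQDN exactly as the Facade is configured to use it.
param([string]$Dc = 'dc01.corp.example')   # hypothetical name

# 1. Is anything listening on 636? AD binds LDAPS only once a usable certificate exists,
#    so a closed port points at the certificate (or a DC not yet restarted), not at TLS.
$tcp = Test-NetConnection -ComputerName $Dc -Port 636 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP 636 on $Dc is closed: the DC has not bound LDAPS (no usable certificate, or not restarted after deploying one)."
    return
}

# 2. Complete a TLS handshake and inspect the presented certificate.
$client = [System.Net.Sockets.TcpClient]::new($Dc, 636)
$ssl = [System.Net.Security.SslStream]::new(
    $client.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{ $true })  # accept here; chain is evaluated below
try {
    $ssl.AuthenticateAsClient($Dc)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $trustedHere = $chain.Build($cert)          # uses THIS host's root store, i.e. what the Facade sees
    $names = @($cert.DnsNameList.Unicode)       # SAN / CN DNS names
    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        NotAfter    = $cert.NotAfter
        DnsNames    = ($names -join ', ')
        NameMatches = ($names -contains $Dc)    # $false: clients validating the host name will reject it
        TrustedHere = $trustedHere
        ChainStatus = (($chain.ChainStatus | ForEach-Object Status) -join ', ')
        Protocol    = $ssl.SslProtocol
    }
} finally {
    $ssl.Dispose()
    $client.Dispose()
}
```

If the port is open but TrustedHere is $false (typically ChainStatus = UntrustedRoot for the self-signed case), the certificate exists and LDAPS works at the TLS level; what is missing is trust on the client side, so import the DC's certificate (or its issuing root) into the Facade host's Trusted Root Certification Authorities store before retrying. A NameMatches of $false means the certificate was issued for a different name than the one the Facade connects to.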

How to check client port listening

The Excalibur client should be listening on TCP port 6000. If you have problems connecting to the server, check the listener with the following commands in a PowerShell prompt. The second command shows which process owns the listener and on which address it is bound (127.0.0.1 means loopback only, 0.0.0.0 means all interfaces); -State Listen excludes outbound connections that merely happen to use 6000 as their local port.

Test-NetConnection -ComputerName 127.0.0.1 -Port 6000

Get-NetTCPConnection -LocalPort 6000 -State Listen | Select-Object LocalAddress, OwningProcess, @{n='Process'; e={ (Get-Process -Id $_.OwningProcess).ProcessName }}

How to disable Windows Hello Biometrics in Settings

Open Settings (Windows key + I), go to Accounts > Sign-in options and disable Windows Hello.

How to disable Windows Hello Biometrics in Local Group Policy Editor

Attention

The Local Group Policy Editor is only available in the Windows 10 Pro, Enterprise, and Education editions.

  1. Open the Local Group Policy Editor (gpedit.msc).
  2. In the left pane, navigate to Computer Configuration > Administrative Templates > Windows Components > Biometrics.
  3. In the right pane, double-click the Allow the use of biometrics policy to edit it.
  4. Select Disabled and click OK.
  5. When finished, close the Local Group Policy Editor.

How to disable Autologon after update or restart in Settings

Open Settings (Windows key + I), go to Accounts > Sign-in options and, under Privacy, turn off the option to use your sign-in info to automatically finish setting up your device after an update or restart.

How to disable Autologon after update and reboot in Local Group Policy Editor

If you do not see the option in Settings, use the Local Group Policy Editor.

Attention

The Local Group Policy Editor is only available in the Windows 10 Pro, Enterprise, and Education editions.

  1. Open the Local Group Policy Editor (gpedit.msc).
  2. In the left pane, navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options.
  3. In the right pane, double-click the Sign-in and lock last interactive user automatically after a system-initiated restart policy to edit it.
  4. Select Disabled and click OK.
  5. When finished, close the Local Group Policy Editor.
  6. Restart the computer to apply the setting.

How to disable Automatically signing in and locking last interactive user after a restart or cold boot

Attention

The Local Group Policy Editor is only available in the Windows 10 Pro, Enterprise, and Education editions.

  1. Open the Local Group Policy Editor (gpedit.msc).
  2. In the left pane, navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options.
  3. In the right pane, double-click the Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot policy to edit it.
  4. Select Disabled and click OK.
  5. When finished, close the Local Group Policy Editor.
  6. Restart the computer to apply the setting.

How to enable required password after sleep

Open Settings (Windows key + I), go to Accounts > Sign-in options and, under Require sign-in, select: When PC wakes up from sleep.

How to enable required password after sleep in Local Group Policy Editor

Attention

The Local Group Policy Editor is only available in the Windows 10 Pro, Enterprise, and Education editions.

  1. Open the Local Group Policy Editor (gpedit.msc).
  2. In the left pane, navigate to Computer Configuration > Administrative Templates > System > Power Management > Sleep Settings.
  3. In the right pane you will see two policies, Require a password when the computer wakes (plugged in) and Require a password when the computer wakes (on battery). Double-click each to edit it and set it to Enabled.
  4. Restart the computer.
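The three Group Policy procedures above (disabling Windows Hello biometrics, disabling automatic sign-in after a restart, and requiring a password on wake) all matter for the same reason: each of them lets a user reach the desktop without passing through the Excalibur login screen. On Windows editions without the Local Group Policy Editor, or when rolling the settings out to many hosts, the same policies can be applied and audited by writing their registry values directly. The following is an added example, not from the Excalibur documentation; the registry paths are the standard policy locations on Windows 10/11.

```powershell
#Requires -RunAsAdministrator
# Added example (not Excalibur's own code): apply and audit the registry values behind
# the three Local Group Policy settings described above. Run elevated.

$Settings = @(
    # "Allow the use of biometrics" -> Disabled
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'; Name = 'Enabled'; Value = 0 }
    # "Sign-in and lock last interactive user automatically after a system-initiated restart" -> Disabled.
    # With this set, the "Configure the mode of automatically signing in..." policy is never consulted.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableAutomaticRestartSignOn'; Value = 1 }
    # "Require a password when the computer wakes" (plugged in = AC, on battery = DC) -> Enabled
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'; Name = 'ACSettingIndex'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'; Name = 'DCSettingIndex'; Value = 1 }
)

function Set-LogonHardening {
    # Writes every value as a REG_DWORD, creating the policy key when it does not exist yet.
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
    }
}

function Test-LogonHardening {
    # One row per setting; Compliant is $false when the value is missing or differs.
    foreach ($s in $Settings) {
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Name      = $s.Name
            Expected  = $s.Value
            Actual    = $actual
            Compliant = ($actual -eq $s.Value)
        }
    }
}

Set-LogonHardening
Test-LogonHardening | Format-Table -AutoSize
# Policy-backed values take effect after "gpupdate /force" or a reboot. The wake-password
# setting can additionally be applied to the active power scheme right away with:
#   powercfg /SETACVALUEINDEX SCHEME_CURRENT SUB_NONE CONSOLELOCK 1
#   powercfg /SETDCVALUEINDEX SCHEME_CURRENT SUB_NONE CONSOLELOCK 1
```

Run Test-LogonHardening on its own (without Set-LogonHardening) to audit a host you did not configure yourself; a row with an empty Actual column means the policy has never been set there and the Windows default applies.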

Which locations can I group? Must a geofence be in a group?

An administrator can group only geofences that were created in the Geofences section; Home and Temporary locations cannot be grouped. A geofence does not have to be in a group, but if you define many geofences it is better to add them to a group.

For further information read: Excalibur Administrator Dashboard Manual

Which policy rules are used if I set multiple rules for an action?

If the administrator sets multiple rules combined with the OR operator, the first rule that is satisfied is used. For example:

If the Authentication action has these rules:

  1. Factors: PIN/Biometry, Day: Monday, Verification: Peer
  2. Factors: PIN/Biometry

then the second rule is satisfied whenever the first one is, so in practice the second (less restrictive) rule is the one that applies. With OR, the weakest rule in the set decides what a user must present.

For further information read: Excalibur Security Policies Management

I do not see a session on the token when I log in manually

Excalibur processes sessions in two ways. Online, OTP and Tokenless logins are processed continuously during the day, and the user sees the session on the token. Manual logins are processed with a delay, in night mode between 3:00 and 4:00 a.m.; for this reason the user does not see a session on the token immediately after a manual login. After the next successful online login the session is displayed on the token. To process a manual session at another time, launch night mode manually.

For further information read: Excalibur Administrator Dashboard Manual

I see the same sessions on the token

Occasionally the token shows duplicate sessions with an online or lock indicator. This can mean the sessions were not processed correctly. Excalibur automatically closes expired sessions after seven days; you can also try launching night mode. If night mode does not help, wait a few days for Excalibur to close the invalid sessions.

For further information read: Excalibur Administrator Dashboard Manual

I am trying to set a location but Excalibur blocks my attempt

If Excalibur blocks your attempt to create a location or geofence, check your security policy. By default, the Default policy has the rules for the Set geofence policy disabled. Privileged persons such as a Manager or Administrator may be allowed to set geofences for other users. A user can set up at most two Home locations.

For further information read:

Excalibur Administrator Dashboard Manual

Excalibur Security Policies Management

Unsuccessful Tokenless login on local account

Excalibur identifies accounts using unique AD attributes of the user account, such as e-mail address and name. If local accounts on PCs were created with the same name but different passwords, Excalibur cannot determine which account is meant, because the e-mail attribute is missing.

Unsuccessful login to Dashboard

Login to the Dashboard is possible only with an online token. After scanning the login QR code you are informed that login to the Dashboard with an OTP code is not supported. If you perform an online login (the token shows that you are successfully logged in) and you are still not logged in to the Dashboard, refresh the web page in your browser.

Why do I have to enable GPS / device location?

Excalibur evaluates location as one of the authentication factors for all actions; no location data is collected in the background.

Why does Excalibur ask me to reset my factors?

Excalibur may ask you to reset your factors when you add a new fingerprint on your phone. Some Excalibur app updates also include security improvements that require resetting the factors.

Excalibur Token shows that device is rooted

If your device is rooted, the Excalibur Token informs you about it. Data on a rooted device can be tampered with, so for security reasons please use a different device. On a rooted device the Excalibur Token restricts some functionality. For more information, read the Excalibur User Manual.

Excalibur Token shows that device has mocked location

Excalibur may use location as one of the security factors, so the Excalibur Token checks the validity of your location. If the location is mocked, the Excalibur Token restricts some functionality. For more information, read the Excalibur User Manual.

Why does the Default User group not contain the Default Computer group?

The Default groups collect all registered users/computers in the company; users/computers must be collected into the Default group so that the Default policy can be associated with them. Giving all users access to all computers/PAM resources is not desirable, which is why the Default User group does not contain the Default Computer group.

Can I try a demo version?

Excalibur does not have a public demo. If you are an interested customer, please contact us via the form on our website.

Why should I enable sending logs from the Excalibur Token?

Based on the Token logs, the administrator can troubleshoot problems that occurred on the Token during the execution of any action. The user can enable or disable log sending at any time.

Further materials

Excalibur Administrator Dashboard Manual

Excalibur User Dashboard Manual

Excalibur User Manual