Updated: 28 April
Dear users and customers, we are glad to announce the first release of a major update of Rohos Logon Key for Windows. Rohos Logon Key now automatically detects an Active Directory environment and uses Active Directory storage to keep domain-wide settings and the list of authentication keys and devices. We have completely refactored the Rohos Remote Config utility and the USB Key Manager.
What’s new in Rohos Management Tools
Added Active Directory Application Partition support. This brings centralized domain-wide settings management and an authentication media access list.
The list of changes:
- Rohos Remote Config now automatically creates and manages the Rohos partition (database) in Active Directory.
- You can now change any Rohos Logon Key setting across the domain, and it will be applied immediately on the next authentication attempt on a workstation.
- Rohos Remote Config displays the list of allowed authentication devices by serial number and assigned user name, and allows you to remove or block a key from the list, thus preventing any further authentication with that device.
- Rohos Key Manager allows you to set up an authentication key and automatically saves its serial number and user name into the list of allowed keys located in the Rohos database in Active Directory.
Domain-wide settings include: the type of 2-factor authentication policy (all users, by group membership, by IP address), the type of allowed authentication media, Emergency Logon Q/A, Rohos Logon settings, etc.
What’s new in Rohos Logon Key:
Rohos Logon automatically detects Active Directory during installation and uses its settings from the domain:
- Each time during the user authentication procedure, Rohos reads its settings from Active Directory.
- On each 2-factor authentication attempt, Rohos verifies the authentication media serial number or device ID against the list of allowed devices in the Active Directory database.
These changes do not affect Rohos functionality when it is installed on a standalone PC with Windows 7/8/10.
Application Partition (database)
Rohos takes advantage of the data storage technology offered by MS Active Directory by using an Application Partition to store all its user data and domain-wide settings. Windows Server hosts this database and uses the same method to store the entire AD catalog data.
The first installation of Rohos Management Tools on a Domain Controller in your enterprise will automatically create this partition. Rohos does not add or change any schema properties on the “user” or other built-in objects in Active Directory. All Rohos data is stored separately, in the Rohos Application Partition only. Importing the Rohos schema elements will have no impact on existing objects and replication settings, since these objects are not affected.
The Rohos partition’s name is “DC=Rohos,DC=Com”. You can browse and change the partition content with the ADExplorer utility provided by Microsoft.
Please note that uninstalling Rohos does not remove the Rohos data partition. You can delete it only manually, using the Microsoft-provided ntdsutil.exe utility.
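Because the partition outlives an uninstall and holds the device allow list and the emergency-logon Q/A, it is worth knowing where it lives, which domain controllers replicate it, and who can write to it. The following PowerShell is an added example written for this page, not a Rohos tool or script: it only uses the standard ActiveDirectory module cmdlets against the partition name “DC=Rohos,DC=Com” quoted above. It assumes it runs on a domain controller that hosts the partition (so the RootDSE, the AD: drive and LDAP searches can see it); the crossRef attribute names are standard AD, not anything Rohos-specific.

```powershell
# Added example (not part of the Rohos release notes): audit the Rohos
# Application Partition from a domain controller that hosts it.
# "DC=Rohos,DC=Com" is the partition name given on the page; every other
# object and attribute used below is standard Active Directory.
Import-Module ActiveDirectory

$rohosNc = 'DC=Rohos,DC=Com'
$rootDse = Get-ADRootDSE

# 1. Is the partition among this DC's naming contexts? (DN comparison is
#    case-insensitive, as is PowerShell's -contains on strings.)
$hosted = $rootDse.namingContexts -contains $rohosNc
Write-Host "Partition $rohosNc hosted on $($rootDse.dnsHostName): $hosted"

# 2. Which DCs hold a replica? The crossRef object under CN=Partitions in the
#    configuration NC records that in msDS-NC-Replica-Locations.
$crossRef = Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter "(&(objectClass=crossRef)(nCName=$rohosNc))" `
    -Properties nCName, dnsRoot, 'msDS-NC-Replica-Locations'
if (-not $crossRef) {
    Write-Warning "No crossRef for ${rohosNc}: the partition was never created or has been deleted."
    return
}
Write-Host "Replica locations (NTDS Settings DNs):"
$crossRef.'msDS-NC-Replica-Locations' | ForEach-Object { Write-Host "  $_" }

# 3. Who can write to the partition head? The allow list of device serials and
#    the emergency-logon Q/A live under it, so write rights should be limited
#    to the administrators who run Rohos Remote Config / Key Manager.
$acl = Get-Acl -Path "AD:\$rohosNc"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.ActiveDirectoryRights -match 'Write|GenericAll|CreateChild|Delete') } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 4. How much data is stored there (this is what an uninstall leaves behind).
$objects = Get-ADObject -SearchBase $rohosNc -SearchScope Subtree -Filter * `
    -Server $rootDse.dnsHostName
Write-Host "Objects in ${rohosNc}: $($objects.Count)"
```

Run it before and after deploying Rohos Management Tools, and again after an uninstall: step 1 and step 2 confirm the partition really exists only where you expect it, step 3 shows every principal with write or delete rights over the allow list, and step 4 tells you whether leftover data still needs the ntdsutil.exe cleanup mentioned above.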
Rohos Remote Config utility
When you first start Rohos Remote Config, the application automatically connects to the Active Directory instance on the local machine and prompts you to create the Rohos Application Partition (database) and store the default Rohos settings.
Please note that you need Domain Admins and Domain Schema Admins permissions in order to run Rohos Remote Config for the first time.
- Windows 2008 R2 / 2012 / 2016 Domain Controller
- Domain Administrator and Domain Schema Administrator permissions in order to run Rohos Remote Config for the first time.
In case of any issues, please click the Troubleshooting button and send us all log files.
The list of supported 2-factor authentication media
Currently there is full support for the following devices:
- USB flash drive
- PKCS#11-compliant HSM tokens such as iKey, eToken, etc.
- MiFare RFID tags
- YubiKey by public identity
We are working on adding other devices and One-Time-Password technology support for Active Directory.
How to start with Rohos Management Tools
- Download and install it on a Windows Server domain controller.
- Open the Rohos Remote Config utility and create the Rohos database in Active Directory.
Note: ensure that your administration account has Domain Schema Administrator permissions.
- Set up the settings:
  - Choose the type of authentication media that will be allowed on workstations.
  - Choose the 2FA policy: for everyone, by group membership, for Remote Desktop connections, or a mix.
  - Create a user group and enter it in the “2FA user group name” field if you wish to apply 2FA to this group of users.
  - Enter a “2FA filter for Remote Desktop login” if you wish to apply 2FA only by IP filter. Example of filter: “192.168.,192.56.”
  - Enter a “1FA filter for Remote Desktop login” if you wish to disable 2FA by IP filter.
  - Set up Emergency Logon if you need to provide a recovery way for Windows logon in case the authentication media is lost.
- Click “Save Settings” to save the new settings and apply them to all workstations where Rohos Logon Key is installed.
- Click “Rohos Key Manager” to start creating authentication keys.
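The only documented form of the Remote Desktop IP filters is the example “192.168.,192.56.”, which looks like a comma-separated list of address prefixes. The PowerShell below is an added example for this page, not Rohos code: it models a filter with exactly that shape under the assumption that matching is a plain string-prefix test (Rohos’ real matching logic is not documented here), so that you can see why the trailing dot in the page’s example matters when you write your own filters, especially the 1FA filter that switches 2FA off.

```powershell
# Added example, not part of Rohos. Models the "2FA/1FA filter for Remote
# Desktop login" as a comma-separated list of IP prefixes matched by string
# prefix. That semantics is an ASSUMPTION taken from the page's example
# "192.168.,192.56."; check it against your own deployment before relying on it.
function Test-IpPrefixFilter {
    param(
        [Parameter(Mandatory)] [string] $Filter,   # e.g. "192.168.,192.56."
        [Parameter(Mandatory)] [string] $ClientIp  # e.g. "192.168.10.5"
    )
    $prefixes = $Filter -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($p in $prefixes) {
        if ($ClientIp.StartsWith($p)) { return $true }
    }
    return $false
}

# Constructed sample clients: the first two fall inside the page's example
# filter, the other two do not.
$clients = '192.168.10.5', '192.56.0.9', '192.1.1.1', '10.0.0.1'

Write-Host "Filter '192.168.,192.56.' (trailing dots keep octets whole):"
foreach ($ip in $clients) {
    Write-Host ("  {0,-14} -> matched: {1}" -f $ip, (Test-IpPrefixFilter '192.168.,192.56.' $ip))
}

# Caveat: without the trailing dot a prefix crosses octet boundaries.
# "10.1" matches 10.1.x.x but also 10.10.x.x, 10.100.x.x and 10.199.x.x;
# "10.1." matches only 10.1.x.x.
Write-Host "Filter '10.1' versus '10.1.':"
foreach ($ip in '10.1.0.7', '10.10.0.7', '10.100.0.7') {
    Write-Host ("  {0,-14} '10.1' -> {1,-5} '10.1.' -> {2}" -f $ip,
        (Test-IpPrefixFilter '10.1' $ip), (Test-IpPrefixFilter '10.1.' $ip))
}
```

The practical point is the direction of the mistake: an over-broad prefix in the 2FA filter merely challenges more clients, but an over-broad prefix in the 1FA filter disables the second factor for every address it happens to cover, so write prefixes out to the octet boundary (with the trailing dot, as in the page’s example) and test them before saving.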
2FA using OTP on Active Directory workstations
We have added experimental support for Google Authenticator on domain workstations with centralized 2FA setup.
Choose Google Authenticator as the authentication means in the Rohos Remote Config utility, then set up the 2FA user in Rohos Logon Key > Setup Authentication Key. Done!
Download beta versions: