Rohos Logon Key v3.4 with Active Directory support

Updated: 28 April

Dear users and customers, we are glad to announce the first release of a major update of Rohos Logon Key for Windows. Rohos Logon Key now automatically detects an Active Directory environment and uses Active Directory storage to keep domain-wide settings and the list of authentication keys and devices. We have completely refactored the Rohos Remote Config utility and USB Key manager.

What’s new in Rohos management Tools

Added Active Directory Application Partition support. This brings centralized domain-wide settings management and authentication media access list.

The list of changes:

  • Rohos Remote Config now automatically creates and manages the Rohos partition (database) in Active Directory.
  • You can now change any Rohos Logon Key setting across the domain, and it will be applied immediately on the next authentication attempt on a workstation.
  • Rohos Remote Config displays the list of allowed authentication devices by serial number and assigned user name, and lets you remove or block a key from the list, thus preventing any further authentication with that device.
  • Rohos Key Manager lets you set up an authentication key and automatically saves its serial number and user name into the list of allowed keys located in the Rohos database in Active Directory.

Domain-wide settings include: the type of 2-factor authentication policy (all users, by group membership, by IP address), the type of allowed authentication media, Emergency logon Q/A, Rohos Logon settings, etc.

What’s new in Rohos Logon Key:

Rohos Logon automatically detects Active Directory during installation and uses its settings from the domain:

  • During every user authentication procedure, Rohos reads its settings from Active Directory.
  • On each 2-factor authentication attempt, Rohos verifies the authentication media serial number or device ID against the list of allowed devices in the Active Directory database.

These changes do not affect Rohos functionality when it is installed on a standalone PC with Windows 7/8/10.

Application Partition (database)

Rohos takes advantage of the data storage technology offered by MS Active Directory by using an Application Partition to store all its user data and domain-wide settings. Windows Server hosts this database and also uses this method to store the entire AD catalog data.

The first installation of Rohos Management Tools on a Domain Controller in your enterprise will automatically create this partition. Rohos does not add or change any schema properties on the “user” or other built-in objects in Active Directory. All Rohos data is stored separately in the Rohos Application Partition only. Importing the Rohos schema elements will have no impact on existing objects and replication settings since these objects are not affected.

The Rohos partition’s name is: “DC=Rohos,DC=Com”. You can browse and change the partition content with the ADExplorer utility provided by Microsoft.

Please note that uninstalling Rohos does not remove the Rohos data partition. You can delete it only manually, by using the ntdsutil.exe utility provided by Microsoft.
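
Because this partition holds the 2FA policy and the list of allowed keys, it is worth checking who can write to it. The following read-only audit is an added example, not Rohos code: it confirms the partition is registered, lists principals with modify rights on it, and inventories its objects. It assumes the RSAT ActiveDirectory PowerShell module, a domain controller that hosts the partition, and a single-domain forest; only the partition name comes from this page.

```powershell
# Added example, not part of Rohos. Read-only audit of the Rohos application partition.
# Assumptions: ActiveDirectory (RSAT) module installed; run on a domain controller that
# hosts the partition; single-domain forest (for the Schema Admins lookup in step 4).
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$partitionDn = 'DC=Rohos,DC=Com'      # partition name as given on this page
$server      = $env:COMPUTERNAME

# 1. Is the partition registered? Every naming context has a crossRef object
#    under CN=Partitions in the configuration naming context.
$configNc = (Get-ADRootDSE -Server $server).configurationNamingContext
$crossRef = Get-ADObject -Server $server -SearchBase "CN=Partitions,$configNc" `
    -LDAPFilter "(&(objectClass=crossRef)(nCName=$partitionDn))" `
    -Properties nCName, whenCreated, 'msDS-NC-Replica-Locations'
if (-not $crossRef) {
    Write-Warning "Application partition $partitionDn is not registered in this forest."
    return
}
"Partition created  : $($crossRef.whenCreated)"
"Replicas hosted by : $($crossRef.'msDS-NC-Replica-Locations' -join '; ')"

# 2. Who can modify the partition head? Only atomic write rights go in the mask:
#    GenericWrite/GenericAll also carry ReadControl and would match read-only ACEs.
$writeNames = 'WriteProperty, CreateChild, DeleteChild, Delete, DeleteTree, WriteDacl, WriteOwner'
$writeMask  = [System.DirectoryServices.ActiveDirectoryRights]$writeNames

$head = Get-ADObject -Server $server -SearchBase $partitionDn -SearchScope Base `
    -Filter * -Properties nTSecurityDescriptor

$head.nTSecurityDescriptor.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.ActiveDirectoryRights -band $writeMask)) -ne 0
    } |
    Sort-Object { $_.IdentityReference.Value } |
    Format-Table IdentityReference, ActiveDirectoryRights, IsInherited -AutoSize

# 3. Inventory the partition contents without assuming any Rohos object names;
#    the most recently changed objects come first.
Get-ADObject -Server $server -SearchBase $partitionDn -Filter * -Properties whenChanged |
    Sort-Object whenChanged -Descending |
    Format-Table DistinguishedName, ObjectClass, whenChanged -AutoSize

# 4. Schema Admins rights are required to run Rohos Remote Config for the first time;
#    list the group's current members for review.
Get-ADGroupMember -Identity 'Schema Admins' -Recursive |
    Format-Table SamAccountName, objectClass -AutoSize
```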

Rohos Remote Config utility

When you first start Rohos Remote Config, the application automatically connects to the Active Directory instance on the local machine and prompts you to create the Rohos Application Partition (database) and store the default Rohos settings.

Please note that you need Domain Administrator and Domain Schema Admins permissions in order to run Rohos Remote Config for the first time.

System requirements:

  • Windows 2008 R2 / 2012 / 2016 Domain Controller
  • Domain Administrator and Domain Schema Administrator permissions in order to run Rohos Remote Config for the first time.


In case of any issues, please click the Troubleshooting button and send us all log files.

The list of 2-factor authentication media support

Currently there is full support for the following devices:

We are working to add other devices and One-Time-Password technology support for Active Directory.

How to start with Rohos Management Tools

  1. Download and install it on a Windows Server domain controller.
  2. Open the Rohos Remote Config utility and create the Rohos database in Active Directory.
    Note: Ensure that your administrator account has Domain Schema Administrator permissions.
  3. Configure the settings:
    1. Choose the type of authentication media that will be allowed on workstations.
    2. Choose the 2FA policy: for everyone, by group membership, for Remote Desktop connections, or a mix.
    3. Create a user group and enter it in the “2FA user group name” field if you wish to apply 2FA to this group of users.
    4. Enter a “2FA filter for Remote Desktop login” if you wish to apply 2FA only by IP filter. Example of filter: “192.168.,192.56.”
    5. Enter a “1FA filter for Remote Desktop login” if you wish to disable 2FA by IP filter.
    6. Set up Emergency logon if you need to provide a recovery method for Windows logon in case the authentication media is lost.
  4. Click “Save Settings” to save the new settings and apply them to all workstations where Rohos Logon Key is installed.
  5. Click “Rohos Key Manager” to start creating authentication keys.
  6. Done.

2FA by using OTP on Active Directory workstations

We have added experimental support for Google Authenticator for Domain workstations with centralized 2FA setup.

Choose Google Authenticator as the authentication means in the Rohos Remote Config utility, then set up the 2FA user in Rohos Logon Key > Setup Authentication Key. Done!


Download beta versions:

Rohos Logon Key

Rohos Management Tools


Rohos Logon Key 3.3

We are happy to announce Rohos Logon Key v.3.3 with many improvements and one nice feature.

In Version 3.3:

  • New look and options
  • 2-factor Authentication Setup and Emergency Logon improvements
  • Improved support for Remote Desktop
  • IP filter with error-free determination of your IP address. You can enter several IP addresses (no spaces; comma is the delimiter).
  • Improved support for OTP.
  • Support for https SMS gateway.


Protecting your computer and data with ruToken

Authenticating for Windows and accessing a secret disk with a ruToken key.

User authentication and identification on Windows with USB keys. In short: the popular ruToken identification device can now be used in Rohos Logon Key and Rohos Disk as the one key needed to log in to Windows and your protected data. Rohos Logon Key works fully on Windows Vista/7 and also supports authorization for remote desktops using a ruToken.

The ruToken device has been developed by the Russian company Aktiv, which produces a family of identification devices for user device-based authorization when accessing IT resources and protected electronic data.

Rohos Logon Key v.3.1

Rohos Logon Key v 3.1 allows you to implement a two-factor authentication policy, based on a user list or user groups in Active Directory. This allows you to verify two-factor authentication and apply it step by step. New features:

  • Improved option Allow login only using a USB key
  • Added function Check Key Serial Number. It restricts the keys allowed for login.
  • Configurable messages for users have been added: in the login window, in the Rohos Logon Key main program window, and in the key settings window.
  • Added Users and Keys dialog box for viewing and managing the list of created keys and users.
  • Changed licensing policy: a Server License for Windows terminal service has been added. Now the license covers the computer. The RFID token license has been withdrawn.
  • The Rohos Management Tools program suite is now provided free of charge.


Addimat USB2 Waiter Lock

We would like to turn your attention to one more device designed for secure user authentication on Windows and compatible with Rohos Logon Key. This is the RFID tag from the Swiss company Addimat.

It was originally designed for identifying wait staff in pizzerias, restaurants, and cafés. It consists of an RFID reader with a round magnetic opening and a set of matching cylindrical keys. Each key has a rugged and waterproof body. Woven into the body of the key is an individual 48-byte serial number and a PIN code, which in some models can be reprogrammed.



Rutoken micro, a tiny identification device

To put it simply: if you are the owner of a laptop computer and are concerned about protecting confidential data, then consider the micro version of a key device for IT security. Here you’ll learn about the Rutoken micro USB token from Russia and what the main advantages of its miniature design are.



Secure Terminal Server authentication by using Google Authenticator or SMS


The new Rohos Logon Key v3.2 lets you secure your Terminal Server by adding a strong 2-factor authentication policy for remote desktop connections. To log in, users need to provide their regular login and a One-Time-Password code. We have also simplified licensing for Windows Terminal Server by introducing the “Rohos Logon Key Server license”, which allows unlimited use of Rohos Logon on a single Terminal Server.

2-factor authentication variety:

  • By using a smartphone with Google Authenticator application;
  • When One-Time-Password is delivered to any mobile phone by SMS;
  • By using a hardware OTP generator like Yubikey;
  • Each user account can be configured with any type of 2-factor authentication means.


Automatically logon in Windows 8

Sometimes it is necessary to let a user log on to Windows automatically, without using any key or password. The Administrator’s account, however, must be protected with a password and a hardware key.

Windows 8 allows you to log in without typing a password, even though one has been assigned.

For example, we’ve created a user account User321 and assigned a password to it. For administrative purposes we have an Admin account with its own password on the same machine.

Run the Rohos Logon Key application and create a key for Admin:


How to setup a key for each user on MAC OS X 10.9. Step-by-step manual.

To use a hardware key instead of a password for each user do the following:

  • Install Rohos Logon Key application on your MAC:


Using the Aladdin (SafeNet) eToken PRO with Rohos Logon Key

eToken electronic USB keys and smartcards are compact devices designed to provide data security for corporate clients and private users. Like an ordinary computer, an eToken contains a microprocessor and memory modules, runs its own operating system, executes its own applications and stores your information.

To use an eToken on your system, install the driver and configuration tool from its manufacturer. Download it from . The current version is eToken PKI Client 5.1 SP1 for Microsoft Windows XP, Vista, 7, Server 2003, Server 2008. Restart the computer for it to take effect.

Launch the eToken Properties application from the Start menu. Connect the eToken to a USB port.

Rohos Logon Key 3.0 with OATH support

Let us present a new version of the Rohos Logon Key program: Rohos Logon Key 3.0 with OATH support. Now you can use the popular Google Authenticator and Yubikey H-OTP for 2-factor Windows login.

Rohos Logon Key protects the personal data stored on your PC from illegal intrusion. Log in to Windows with 2-factor authentication using various tokens and electronic keys. Believe it or not, the program turns an ordinary USB flash drive into a powerful two-factor tool protecting your computer and notebook.

Windows 8, Yubikey and 2-factor authentication renewal

We updated Rohos Logon Key 2.9 with a few new options including Windows 8 support.

Rohos Logon Key lets you access a Windows computer or a Remote Desktop session by using a USB Key and an optional password. With this release we allow all customers to update for free before we switch to version 3.


Rohos Logon Key v. 2.9 improvements for Windows 7

Dear users and customers, we are happy to announce a few improvements in Rohos Logon Key. The new features affect the “Allow login only by USB Key” feature, especially when using Rohos Logon in a corporate network or with Windows Remote Desktop services.

What’s new:

1. When you use the “Allow to login only by USB Key” feature, you can define a set of users who will still be able to log in with a regular password (without a USB Key). Please note:
– The current user name is added to this list automatically by default.
– We recommend setting it to the Terminal Server administrator user name.
– If it is blank, regular password-based login will be disabled for every user (ensure that you have defined Emergency Login or have a valid USB Key).
– The Rohos icon in the Credentials Prompt dialog box allows any user name credential to be entered manually.

2. On the Windows 7/2008 logon screen you have the Rohos logon icon.

It now contains user name and password fields. This is designed specially for network admins, so that they can access a computer in the regular way, locally or via Remote Desktop.

3. User Account Control credentials prompt with Rohos icon. You can now use a regular user name and password here. Please note: this credentials prompt accepts a USB Key or any user name and password entered manually.

4. On Windows 7/2008, Rohos Logon Key creates a “Rohos Logon Key (User)” shortcut that allows regular users to set up and manage a USB Key for Windows authentication.

5. USB key redirection into Remote Desktop

Rohos Logon Key lets you set up a redirected USB flash drive as a Login Key for Windows Remote Desktop.

In the screenshot, “\\tsclient\G” is a USB flash drive connected to the client PC. After this USB drive is set up, it will also contain portable Rohos components for logging in to Remote Desktop from any PC with this Key (without installing Rohos on it).

A few notes about Windows Remote Desktop services support

Today, in most configurations the “Network Level Authentication” option is used on a Windows Terminal Server (TS). It means that after providing credentials in MS Remote Desktop Connection, the user logs in straight to the Remote Desktop (without entering credentials at the login screen).

In this case you need to use the “Allow to login only by USB Key” option in Rohos Logon Key (installed on the TS). NLA will still be used, but in addition a USB Key will be required at the Terminal Server login screen. This enforces the 2-factor authentication principle: Remote Desktop users provide credentials at RDC and the USB Key is verified as well.

If you are a Network Administrator, you will be able to log in to the TS by using a regular username/password.

Remote Desktop connection passthrough

On Windows 7 / Windows 2008 R2, the Rohos credential provider supports passthrough authentication for Remote Desktop login (based on NLA, Network Level Authentication). Once credentials are authenticated via NLA, they will be used by Rohos.

To enable this feature: open Rohos Logon Key > Options > More and enable “Enable authentication filter”.

Windows 7 / 2008 logon screen editor

Rohos Logon now lets you edit the logon screen picture (background) and user icons.

The list of options you can customize on Windows 7 logon screen by Rohos:

  • Hide Rohos Logon Key icon
  • Change the picture of Rohos Logon Key icon
  • Hide any user icon or just a single icon
  • Change background picture of logon screen

Download the Rohos Logon Key release with these improvements.

Rohos Logon Key v. 2.9 with RFID reader easyident FS-2044 support

Tesline-Service SRL encourages new technologies. Rohos Logon Key now lets you use a variety of easyident RFID tags for Windows logon. Thanks to We have got a sample of easyident FS-2044 RFID reader, produced by FS Fertigungsservice (Germany).

This RFID reader can read and write a few types of tags produced by the company, including one handy Hitag bracelet EM4100. The EM4100 RFID tag is a read-only RFID tag with a 40 bit unique ID which is read automatically by the FS-2044 RFID reader.

This space-saving device, with dimensions of 91 x 91 x 14 mm, is very compact. It is easy to install: you only need to set up the drivers for Windows from the official web site. We have successfully integrated this device with Rohos Logon Key v.2.8. The easyident FS-2044 is one of multiple devices that can be used in Rohos Logon Key for secure login to your Windows computer.


Credentials Prompt of RDP 6.0 and login with USB Key

Microsoft Remote Desktop Connection 6.0 (on Windows Vista\Seven) by default makes it mandatory for the user to enter a user name and password before the RDP client can establish a connection to the WinSeven/2008 remote server (“Enter your credentials for <server>. These credentials will be used when you connect to the remote computer”). This is called “Network Level Authentication”. If you are going to use a USB key, you can skip this prompt or disable it.


Rohos Logon Key v.2.7 for Windows Seven

Windows Seven support for Rohos.

Rohos Logon Key v.2.7 offers a two-factor authentication solution for Windows Seven based on various USB tokens and authentication devices. By using a strong and secure password stored on a USB token, you can improve your computer security.

What’s new in Rohos Logon Key 2.7:

  • Updated installer:
    – Now the Setup package copies the correct help file according to the installation language
    + Added Japanese and Chinese languages
  • Supports new USB tokens and authentication devices:
    + Touchatag RFID proximity tags (former TikiTag).  Wireless tags for Windows logon.
    + Swekey OTP token (Offline + Online validation, see Options link )
    + Securetoken ST2, ST3 (PKCS11 based tokens). ST3 has an auto-install feature.
    + Senselock trueToken EL (ultra-small PKCS11 based token)
  • Improved Windows Vista/Seven support
    – fixed Rohos Logon Credential icon in Vista UAC dialog. Now USB tokens with PIN code can be used to get credentials for any elevation.
    – fixed Windows Remote Desktop support.
  • Major improvements in  ‘Bluetooth logon’ feature.


Rohos Logon Key v.1.7.2 for Mac OS X

Tesline-Service Announces Rohos Logon Key v.1.7.2 for Mac

Chisinau, May 05, 2009 – Tesline-Service SRL today announced that its Rohos Logon Key authentication solution for Mac OS® X Tiger and Mac OS® X Leopard now supports two-factor authentication with any USB flash drive and PIN code.

Mac OS X security benefits:

  • Access your Mac with hardware USB key
  • The Mac is protected but you don’t need to enter your password manually each time you unlock your Mac
  • Automatically lock your MAC screen when USB Key is unplugged
  • Unlocking your MAC with a USB token is fully automatic and fast!
  • PIN code option offers two-factor authentication


Rohos Logon Key v.2.7 beta: Senselock, Swekey, Touchatag, Securetoken

(updated 30 June)

Rohos Logon Key v.2.7, the two-factor authentication solution for Windows, now supports new types of USB tokens and authentication devices and has improved Windows Seven support.

What’s new:

1. Updated installer:

– Now the Setup package copies the correct help file according to the installation language.
+ Added Japanese and Chinese languages UI

2. New USB tokens:

+ Touchatag RFID reader and proximity tags (former TikiTag).  Wireless tags for Windows logon.
+ Swekey OTP token (Offline + online OTP validation, see ‘Token options’ link in Rohos Logon Options)
+ Securetoken ST2, ST3 ( PKCS11 based tokens). ST3 is a driverless token and has an auto-install feature.
+ Senselock trueToken  (ultra-small PKCS11 based token). Software protection token adopted for authentication purposes.

3. Fixed the Rohos Logon Credential icon in the Vista UAC dialog. Now USB tokens with a PIN code can be used to get credentials for any elevation. See screen shots below. Remote Desktop support has also been improved.

4. Major improvements in the ‘Bluetooth logon’ feature.

  • Rohos Logon now supports the WidComm Bluetooth stack, thus supporting more laptops.
  • Improved compatibility with Nokia PC Suite. Rohos now supports remembered and paired Bluetooth devices and correctly detects when the BT device is out of range.

Download beta (2Mb)


Touchatag – wireless tag for Windows and Mac logon

Touchatag (formerly TikiTag) is a technology that connects real-world objects with a computer and the Internet. The project was launched in 2008 by Alcatel-Lucent. The technology is based on an RFID tag reader + tags + a program on the local computer + a Web service.

This technology makes interesting ideas possible, such as:

  • E-pass (access control): give tags to users, and when a tag is brought to the USB reader, logging in to Windows / Mac or a Web site is performed automatically. For example, you can “stick” a tikitag on your mom’s notebook: come up to the computer and the mail opens. Or “stick” it on a child’s toy: run it over the reader and the game is launched.
  • E-catalog of goods (logistics): an RFID tag can be stuck on or sewn into any item (book / folder / item). Run it over the reader and the item is registered.
  • Location is not important: Touchatag is a centralized technology (there is a Web server), so all usage examples that are set up on one computer work on every computer that has a tikitag USB reader.

TouchaTag RFID tags are supported in Rohos Logon Key v.2.7 and Rohos Logon Key for Mac v.1.7, in order to provide a solution for Windows / Mac authentication using RFID tags.
