Credential Provider in Rohos Logon Key
This article describes a new Credential Provider for Windows Vista, available through the program Rohos Logon Key.
The world of IT changes at high speed, and Rohos Logon Key keeps up with the times. Now a new version, Rohos Logon Key 2.4, offers complete support for the new Windows Vista operating system.
A new component, Rohos Credential Provider, has been designed specially for Windows Vista. It blends into the Operating System logon screen.
With this component, Rohos Logon Key makes it easy to add a USB flash drive as a new means of hardware-based authentication.
Thus, the program addresses the problem of "weak passwords" by moving to secure two-factor authentication on the basis of a physical USB key.
Rohos Credential Provider can be used both on individual PCs and on computers connected to Windows Active Directory.
What is Rohos Credential Provider?
Credential Provider is a special component for Windows Vista, which implements a new user authentication method. Users see this component in the form of a user icon on the Windows logon screen.
Rohos Credential Provider appears on the Windows logon screen in the form of an icon of a USB key. Connect a configured USB drive, and the component will read from it a list of logon profiles (user credentials) for authorization in the system. If necessary, it will also request a PIN code from the USB drive (two-factor authentication).
These profiles are then passed to the local security system for authentication.
Rohos Credential Provider will be automatically registered in the system following installation (on computers running Windows Vista).
Rohos Logon Key supports several methods of authentication for logon (so-called Logon Models), depending on the version of Windows. You can set the required method in the program's main window, through the 'Windows Logon Model' drop-down menu in the 'Rohos Options' dialog. You must restart the computer before a change in this setting can take effect.
Note: On installation, the program automatically selects an appropriate Logon Model.
By setting up a USB flash drive as the key for Windows, you can see how this component works. Turning a USB flash drive into a logon key is not difficult, since this part of the program is identical to that in earlier versions of Rohos.
Logging in is now easy: just connect a USB drive configured for login on this computer, and you will automatically be logged in to the system.
Rohos Credential Provider automatically detects your USB drive and reads logon profile data from it. When you press the arrow button, the program scans all connected USB drives and searches for a valid USB Key.
The Option “Allow to log in only by using USB Key”
This option makes Windows login possible only by means of the USB drive; manual login with passwords becomes impossible both locally and for users of Remote Desktop.
Rohos Logon Key implements this option differently on various versions of Windows.
In Windows Vista, Rohos disables the existing Credential Provider. Thus, all user icons disappear, and only the Rohos Logon Key green icon remains active.
This function can be configured in the 'Rohos Options' dialog box (in the main program window), by selecting the checkbox 'Allow to log in only by using USB key'.
Note: Disabling the standard Credential Provider also affects the following Vista elements:
- In the User Account Control dialog (requesting the administrator's password), the administrator's icon will not be available. However, it will be possible to take the password from the USB key (see: User Account Control).
Now whenever you log in, the logon screen will show only the Rohos icon. If the USB flash drive is lost or damaged, you will be able to log in only with the help of the 'Emergency Logon' function or through Safe Mode.
Note: By default, Safe Mode is also blocked by the program, and it will be impossible to enter it with a regular password entry.
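To confirm what is actually registered on the logon screen after installation, and which providers are switched off, an administrator can list the credential providers and credential provider filters on the machine. This PowerShell script is an added example, not part of Rohos Logon Key or its documentation. It assumes the standard Windows registry locations and treats a `Disabled` DWORD of 1 as a switched-off provider; the page does not say which mechanism Rohos uses to disable the standard provider, so filters are listed as well.

```powershell
# Added example: inventory of logon-screen components registered on this machine.
# The registry locations are the standard Windows ones; they are not taken from the page.
$authRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'

function Get-LogonComponent {
    param([Parameter(Mandatory = $true)][string]$Kind)

    $root = Join-Path $authRoot $Kind
    if (-not (Test-Path -LiteralPath $root)) { return }

    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $clsid = $key.PSChildName                      # each subkey is named by a COM CLSID
        $props = Get-ItemProperty -LiteralPath $key.PSPath

        # The COM registration names the DLL that implements the component.
        $dll = $null
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (Test-Path -LiteralPath $inproc) {
            $raw = (Get-ItemProperty -LiteralPath $inproc).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
        }

        New-Object PSObject -Property @{
            Kind     = $Kind
            Name     = $props.'(default)'              # friendly name, if the vendor set one
            Clsid    = $clsid
            Disabled = ($props.Disabled -eq 1)         # assumption: Disabled=1 turns a provider off
            Dll      = $dll
        }
    }
}

# Providers draw the tiles on the logon screen; filters can hide other providers.
$components = 'Credential Providers', 'Credential Provider Filters' |
    ForEach-Object { Get-LogonComponent -Kind $_ }

$components | Sort-Object Kind, Name |
    Format-Table Kind, Name, Disabled, Clsid, Dll -AutoSize
```

Running it before and after enabling 'Allow to log in only by using USB key' shows which entries changed, and any entry whose DLL is not one you expect is worth investigating.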
Safe Mode support
When loading Windows Vista in Safe Mode, only the built-in Credential Provider will be available on the logon screen. Other providers do not work in Safe Mode. Rohos Logon Key integrates into the Safe Mode logon screen a special icon of the USB key which performs two tasks:
- Allows using the configured USB key for the login.
- Disables typing the password when the option "Allow to log in only by using USB Key" is in use.
Emergency Logon in the case of loss of the USB Drive
'Emergency Logon' provides login to Windows if the USB key is lost or damaged.
To use this function, you must simply answer a few questions. Only you should know the answers to these questions - otherwise, access to your account would be open to everybody.
You can configure this function in the main window of the Rohos Logon Key program. (Configure USB drive -> Configure Emergency Logon). This will open a dialogue asking for answers to suggested questions (it is also possible to choose your own questions).
The Emergency Logon also works differently across different versions of Windows. In Windows Vista, clicking the 'Emergency Logon' link on the login screen will open a window. In this window you can first choose a user name, and then answer the questions.
After this you can:
* Choose a new password - if you want to set up a new password and then continue to use it.
* Leave it blank, to preserve your existing password
After restarting Windows, the login screen will show the user icons that were previously dormant (if you chose the 'allow to log in only by using USB key' option). Now you can log in under your name just by entering a simple password.
With Rohos Logon Key 2.4 it is possible to change your password by pressing the keys Ctrl + Alt + Del and selecting the option "Change Password". Once the password is set, it will be immediately saved onto the USB drive.
If your computer is connected to a Windows Active Directory, then the Update Password policy will be followed as usual. Users will be prompted to change their password on the logon screen.
The 'Other Credentials' button on the change password screen allows you to change a password using the standard credentials provider. Please note that this password will not be saved to the USB key.
If the option 'allow to log in only by using USB key' is set, users will be unable to set a password using the standard credentials provider in Windows Vista. The 'Other Credentials' button will not be shown.
Accessing the Windows Vista Remote Desktop with a USB key
The new version of Rohos Logon Key (2.4) makes it possible to access a Windows Vista Remote Desktop with the help of a USB key connected to your local computer.
NOTE: For this, the USB key must be correctly configured in the key management utility (the Domain field should contain the name of the terminal servers, or "\\Domain Name").
* The USB flash drive can be configured by the Network Administrator with the help of the USB key management utility which is included in Server versions of the program
* Several profiles can be stored on a single USB key
* With a USB key, users can first log on locally and then connect to a terminal session.
* The Emergency Logon function cannot be used with a Remote Desktop
* USB key removal behavior (such as automatic desktop locking and logoff, etc.) does not work on a Remote Desktop
Logon to a Windows Vista computer connected to a Windows Active Directory
Authorization by means of a USB key can also be used on computers connected to Windows Active Directory (Windows domain). For this it is necessary to install the Server version of the Rohos Logon Key program, and to correctly configure the USB key.
The MSI package can be installed on the user's computer.
To enter a domain, the logon profile on the USB key should contain:
* User name
* Domain name (with the prefix '\\')
User Account Control
There is a new function in Windows Vista: User Account Control (UAC). This function automatically limits the permissions of all the programs that the user is going to run.
If the user launches a program or carries out an action that requires full permissions and privileges, a UAC dialog appears to allow this action or to request the administrative password. The icon of Rohos Logon Key is already integrated in this dialog.
The administrator's password for the requested action will be taken from the USB key.
The USB key can be configured for two accounts:
- Regular User - login as a regular user without administrative privileges.
- Administrator - used in User Account Control when the administrative password is requested.
Elevating permissions now takes one click on the OK button, without typing the administrative password each time.
This feature also works on the Remote Desktop.
Note: When the option "Allow to log in only by using USB Key" is in use, the administrator's icon will be absent from this dialog.
It is very important that the username and domain name be correctly written in the Logon profile if the user's connection is through a domain, since this is a frequent cause of authorization errors.
If such an error occurs, the welcome screen will show the user name and domain name, which caused the error. The parentheses contain the username, followed by the name of the computer or domain.
Furthermore, the Administrator can check any key in the USB Key Management utility, and can troubleshoot problems.
An activity log for Rohos Credential Provider can be found in the file "C:\Program Files\Rohos\credprov2.log"
For details of configuration and use of the program, consult the manual: http://www.rohos.com/RohosWelcomeUserGuide.pdf
Administrator's Guide: http://www.rohos.ru/RohosWelcomeUserGuide.pdf
Rohos Logon Key download: http://www.rohos.ru/rohos_welcome.exe
MSI package: http://www.rohos.ru/rohos_welcome.msi
The server version can be obtained on special request - write to us for details.