Rohos software in Turkish language

Rohos Logon Key and Rohos Mini Drive available in Turkish language:

Rohos Logon Key turns your USB flash drive into a unique key for accessing your PC at startup. Rohos Logon Key converts any USB drive into a security tool for your PC and integrates into Windows to provide more secure access. Rohos Logon Key also unlocks Windows automatically when you plug in your device. Rohos Logon Key provides two-factor security: a USB flash drive and a PIN code. Windows is also protected in Safe Mode. Emergency access helps you get into your PC if the USB flash drive is lost or damaged.


Rohos Logon Key free version for press

Here you can find some necessary information about the Rohos Logon Key Free version.


Logo

Dialog windows (screenshots):


Rohos Logon Key Free main window


Setup key window

Troubleshooting

Encountered a bug, unexpected program behavior or any other issue?
We will be glad to help and resolve the issue, but we need the log files of the program:
C:\program files\rohos\*.log

Error strings
What does an error mean?
“USB Key was not configured for this computer, it will be ignored”
You may see it in the following cases:

  1. The USB key was not configured for this computer, i.e. it does not have a valid logon profile for this PC (no login profile with the local computer name or “”).
    Domain field in login profile should contain: computer name where you log in, (blank line) or \\ domain name- only if Rohos welcome screen gina.dll is used.
    To resolve this error:
    – Install USB Keys Management utility and set up profile accordingly
  2. This is a ‘stranger’ USB Key and it is ignored by Rohos logon because the computer owner already has configured its USB flash drive for this computer.
    By default Rohos bounds up to the first configured USB Key. Even USB Keys that was configured with a USB Key Management utility will be ignored.
    The following registry value enables this security option:
    HKEY_LOCAL_MACHINE\SOFTWARE\Rohos – CheckUSBserial=1
    To resolve this error:
    – Clear the CheckUSBserial value or setup this USB flash drive on the local computer using Rohos Logon Key main window.
  3. USB Key was created by simple Rohos files copy operation into another USB flash drive.
    To resolve this error:
    – Set up USB Key over again

Demo Key. Key registration is required
It means that the USB Key was set up using the USB Key Management utility without license keys.
To resolve this error:
– Add license keys to USB Key Management utility

Your Rohos license does not support this feature. Please upgrade your license.
Usually it means that the USB Key contains several login profiles and personal license is used.
To resolve this error:
– Purchase a PRO license or have only a single login profile on the USB Key (clear it and re-configure again).
The benefits of PRO license:

  • Use a single USB Key to log in to multiple computers/user accounts.
  • You can log in to Remote Desktop with a USB flash drive.
  • Support for Novell Client for Windows
  • Support for Windows Domain, Active Directory.

Registry keys


Rohos Logon Key uses Windows registry to store all program options.

Please note that only MSI and RW Server version installation packages set restricted access rights to Rohos registry values, thus preventing users from modifying program settings using Windows registry editor or Rohos window. The full access is granted only to Administrators group and SYSTEM.

HKEY_LOCAL_MACHINE\SOFTWARE\Rohos

Key’s name

Description and Definition (DWORD or string)

CheckUSBserial

1 – binds the program to the last configured USB key. By default it is set to 1 after the first USB key has been configured

DisableLog

1 – disables log files

0 – (by default) enables logging

DisableRohosShutdown

1 – disables Rohos shutdown dialog

0 – (by default) enables it

LockUSBKey

1 – disables USB login key for user

0 – (by default) enables

all – disables all connected USB flash drives.

LogonType

Do not modify. See Chapter 3.3 Logon model, MSI option Logon Type (see Chapter 4.8)

RohosPath

Actual path to the program. Do not modify

USB_Only_login

0 – (by default) enables manual password entry

1 – disables login without USB key for all users. Login is possible only with a USB key.

2 – disables login without USB key for listed users. Other users can log in without USB keys.

3 – disables login without USB key for the rohos user group in Active Directory

4 – disables login without USB key for users who come in through RDC

5 – disables login without USB key for users who come in through RDC from outside the LAN

USB_Key_remove_behaviour

0 – (by default) no reaction.

1 – locks Windows desktop after USB Key withdrawal from USB port.

2 – log off after removing of USB key

3 – turn off the computer

4 – hibernate computer

5 – activate screensaver

6 – switch user

>50 – means time interval in seconds during which user can work without USB Key (see keyless mode feature)

USBLoginPicture

The USB Key icon on the login desktop.

(by default) green USB device

Full Path to gif/jpg/bmp/png file. Max 150*150 pics.

DisableSafeMode

1 – disables the operation of the program in Safe Mode.

HeaderTextColor

(RGB) the color of the texts on the welcome screen.

NoTextLabels

Disables defined texts on the welcome screen (clock, date).

DisableUSBatRDP

1 – allows access to Remote Desktop by typing in the password (even if USB_Only_login=1)

DisableTimeLimits

1 – Disables working time counter – to calculate the amount of time spent on the PC during a day/week, and to display it in the shutdown/logoff window

0 – (by default) enables.

USBKeyDllName

Determines the type of USB key:

nothing – USB Flash drive

rohos_btkey.dll – bluetooth key
rohos_mifare.dll – MiFare 1K RFID
rohos_ed-fs-2044.dll – RFID readers. Easyident/Addimat
rohos_cr10mw.dll – RFID CR10MW
rohos_vson.dll – PC Lock USB dongle
rohos_jcardv2.dll – JCard V2M
rohos_otp.dll – Google Authenticator
rohos_phone.dll – Mobile phone (Android/iOs)
rohos_swk.dll – Swekey
rohos_ybk.dll – Yubikey
rohos_pkcs.dll – USB key of PKCS standard

USBKeyPkcs11

Determines the type of PKCS key

etpkcs11.dll – Aladdin eToken PRO
aseCardCryptoCSP.dll – Athena USB Cryptocard
HiCOSPKCS11.dll – Futako HiToken V22
rtpkcs11.dll – Activ ruToken
utpkcs11.dll – uaToken
k1pk112.dll – iKey 10xx
dkck232.dll – iKey 20xx
aetpkss1.dll – iKey 30xx
sadaptor.dll – Crypto Identity 5
ep1pk111.dll – ePass 1000
ep2pk11.dll – ePass 2000
ngp11v211.dll – ePass 2000 FT12
eps2003csp11.dll – ePass 2003
pkcs_marx.dll – CrypToken
senselock_token.dll – trueToken (Senselock)
ST2pkcs11v10 – Securetoken ST2
st3csp11.dll – Securetoken ST3

The following values are only used in Rohos welcome screen (gina.dll) (see Chapter 3.3) logon model:

LoginPicture

Background picture for login screen.

CtrlAltDel

What happens when user presses CAD:

1 – Opens typical WinNT style security dialog.

2 – Locks workstation

0 – (by default) opens Task Manager in Windows XP, or CAD dialog in Win2000

DisableAdminUnlock

1 – Disables Administrator to unlock user session.

0 – (by default)

DisableTypicalLogin

1 – Disables typical login dialog, where user name, password and domain can be entered.

0 – (by default)

WelcomeScreenHelp

Help string that is displayed on right-bottom of the login screen.

0 – turns off this help.

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon :

 

LegalNoticeCaption – Login screen caption with big font. (“Welcome to Windows” by default);

LegalNoticeText2 – Login screen notice text with smaller font. (none by default)
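
The registry values above can be reviewed with a short script. The following PowerShell is an added example, not Rohos code: it flags values that relax the 2-factor policy and lists any account other than Administrators and SYSTEM that can write to the Rohos key. The function names and the sample data are illustrative; absent values are assumed to have the documented default of 0.

```powershell
# Added example, not part of Rohos. Function names and sample data are illustrative.
$RohosKey = 'HKLM:\SOFTWARE\Rohos'

function Get-RohosSetting {
    param([hashtable]$Values, [string]$Name)
    # Assumption: a value that is absent has the documented default of 0.
    if ($Values.ContainsKey($Name)) { return $Values[$Name] }
    return 0
}

function Test-RohosPolicy {
    param([hashtable]$Values)
    $findings = @()
    if ((Get-RohosSetting $Values 'USB_Only_login') -eq 0) {
        $findings += 'USB_Only_login=0: manual password entry is enabled for everyone'
    }
    if ((Get-RohosSetting $Values 'DisableUSBatRDP') -eq 1) {
        $findings += 'DisableUSBatRDP=1: Remote Desktop accepts a typed password even if USB_Only_login=1'
    }
    if ((Get-RohosSetting $Values 'CheckUSBserial') -ne 1) {
        $findings += 'CheckUSBserial is not 1: the program is not bound to the configured USB key'
    }
    $removal = [int](Get-RohosSetting $Values 'USB_Key_remove_behaviour')
    if ($removal -eq 0) {
        $findings += 'USB_Key_remove_behaviour=0: no reaction when the key is removed'
    } elseif ($removal -gt 50) {
        $findings += "USB_Key_remove_behaviour=${removal}: keyless mode, $removal seconds without the key"
    }
    if ((Get-RohosSetting $Values 'DisableLog') -eq 1) {
        $findings += 'DisableLog=1: log files are disabled'
    }
    if ((Get-RohosSetting $Values 'DisableSafeMode') -eq 1) {
        $findings += 'DisableSafeMode=1: the program does not operate in Safe Mode'
    }
    return $findings
}

function Get-RohosKeyWriters {
    param([string]$Path)
    # Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) are the only expected writers.
    $expected = 'S-1-5-32-544', 'S-1-5-18'
    $specific = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $mask = $specific -bor 0x10000000 -bor 0x40000000   # plus GENERIC_ALL and GENERIC_WRITE
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        $canWrite = ([int]$rule.RegistryRights -band $mask) -ne 0
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $canWrite -and $expected -notcontains $sid) {
            '{0} has write access ({1})' -f $sid, $rule.RegistryRights
        }
    }
}

# Constructed sample values (not from a real machine) so the checks can be tried anywhere.
$sample = @{ USB_Only_login = 1; DisableUSBatRDP = 1; CheckUSBserial = 1; USB_Key_remove_behaviour = 120 }
Test-RohosPolicy -Values $sample

# On a machine with Rohos installed, audit the live key and its access rights.
if (Test-Path $RohosKey) {
    $key = Get-Item -Path $RohosKey
    $live = @{}
    foreach ($name in $key.GetValueNames()) { $live[$name] = $key.GetValue($name) }
    Test-RohosPolicy -Values $live
    Get-RohosKeyWriters -Path $RohosKey
}
```

For the constructed sample the script reports the DisableUSBatRDP and keyless-mode findings only. Any line printed by Get-RohosKeyWriters means the restricted access rights described above are not in place on that machine.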

Rohos Logon Key Internals

  1. Rohos Logon Key components:
    • Welcome.exe – Rohos Center (Control Panel), install/uninstall routines, login screen component;
    • Rohos_ui.dll – GINA module that replaces or makes a proxy layer;
    • Rohos_obj.dll – remote login component that integrates into Remote Desktop Application;
    • Rohos_cp.dll – Rohos credential provider for Windows Vista.
    • Ntserv.exe – welcome-screen service (used in Windows XP\Vista welcome screen + Rohos authentication method, see Chapter 3.3)
    • cximagecrt.dll – image processing library.
  2. USB Key profiles

    Rohos Logon Key stores all passwords information in the \_rohos\roh.roh file.
    This file is encrypted with the AES encryption algorithm, using a default password or the PIN code if one is used.

USB Key protection

  • USB Key cannot be duplicated. Rohos prevents Key duplication. The Key logon profile is bound to the USB flash drive serial number.
  • USB Key originality can be protected by a PIN that is used for encrypting profiles.
  • A USB Key that was created by the USB Manager Tool cannot be modified on a home computer (for example, Logon profiles cannot be cleared or modified by the user using the Rohos Logon Key program)

Installing Rohos Logon Key, MSI package and command line options

To install Rohos Logon Key on network workstations you can use MSI package or EXE setup package with command line support.

Rohos Logon Key setup command line options:

rohos_welcome.exe  /VERYSILENT /usbkeyremoval=2 /regkey=XXXXXXXXXXXXX /usbdev=rohos_pkcs.dll /onlyusbkeylogin=3 /disableui=1 /admode=2

regkey – license key
usbkeyremoval = 2 – logoff after authentication key unplug (default value is 0)
usbdev – the type of authentication key (default is “USB flash drive” )
onlyusbkeylogin=3 – chooses a 2-factor authentication policy option (USB_KEY_LOGIN_ONLY). Default is “0”.
disableui=1 – disables access to the Rohos Logon main window and does not create Rohos Logon shortcuts in the Start menu (default is 0)

admode=2 – explicitly prevents Rohos from switching to “network mode” even on domain joined workstations. This allows custom settings to be set for specific workstations (default is 0);

XXXXXXXXXXXXX – license key

Rohos Logon Key MSI:

  • It is specially designed so that you can set up program settings during installation. MSI package public options (see Chapter 4.9) can be changed using the msiexec command line or an MST file
  • It sets up restricted access rights to registry settings installed by Rohos Logon Key. This prevents users from changing program settings via Windows registry or Rohos Center.
  • It does not install program shortcuts into Start menu;

MSI package options

Options that can be changed via command line (in msiexec.exe):

  • LOGON_CAPTION="Welcome to the company"
    (by default ="Welcome to windows")
    Welcome screen caption text (big one)
  • LOGON_TEXT=" "
    (by default ="")
    Welcome screen text notice (small text under the clock)
  • DISABLE_LOG=1
    (by default =0)
    Turns off all LOG files that can be produced by Rohos Logon Key program.
  • USB_KEY_LOGIN_ONLY=1
    (by default =0). Chooses a 2-factor authentication policy option:
    1- Forces ALL users to log in with USB Key only.
    2- For listed users
    3- For ‘rohos’ user group in Active Directory
    4- For Remote Desktop login
    5- For Remote Desktop login with IP filter
  • USB_REMOVAL=1
    (by default =0)
    1- Locks computer upon USB stick withdrawal.
    2- Log off
    3 – Shutdown computer
    4 – Hibernate
    5 – Screensaver
    6 – Switch user
    >50 – keyless mode: time interval in seconds during which the user can work without the USB Key
    (see keyless mode feature)

(This option replaces the same settings from Rohos )

  • DISABLE_CENTER=1
    (by default =0)
    Prevents opening the Rohos main window. Note: Users cannot change program settings because the program registry values (HKLM\Software\Rohos) are read-only for users.
  • REG_NUMBER=""
    (by default =0)
    Rohos Logon Key registration number (license)
  • USB_KEY_DLL=""

by default = USB flash drive.
Determines the type of USB key or technology, used as an authentication key.

Possible values:

empty – USB Flash drive

rohos_mifare.dll – MiFare 1K RFID
rohos_ed-fs-2044.dll – RFID readers. Easyident/Addimat
rohos_jcardv2.dll – JCard V2M
rohos_otp.dll – Google Authenticator or OTP tokens, YubiKey
rohos_phone.dll – Mobile phone (Android/iOs)
rohos_ybk.dll – Yubikey ID or OTP authentication
rohos_pkcs – any installed PKCS#11 compatible token.

Supported PKCS#11 tokens:

etpkcs11.dll – Aladdin eToken PRO
aseCardCryptoCSP.dll – Athena USB Cryptocard
HiCOSPKCS11.dll – FUTAKO HiToken v22
rtpkcs11.dll – Aktiv ruToken
utpkcs11.dll – uaToken
k1pk112.dll – iKey 20xx
aetpkss1.dll – iKey 30xx
sadaptor.dll – Crypto Identity 5
ep1pk111.dll – ePass 1000
ep2pk11.dll – ePass 2000
ngp11v211.dll – ePass 2000 FT12
eps2003csp11.dll – ePass 2003
pkcs_marx.dll – CrypToken


For example, command line could be (silent install):
msiexec.exe /qr /i c:\rohos_welcome.msi LOGON_CAPTION="Welcome to the company" USB_KEY_LOGIN_ONLY=3 USB_REMOVAL=1
for uninstall:
msiexec.exe /qr /uninstall c:\rohos_welcome.msi

It is possible to use Orca database table editor application to modify the MSI file and create MST transform files:


When you launch the MSI file from a cmd command prompt, you need to run the prompt as administrator. Example of using an MST file on the command line:

msiexec.exe /i rohos_welcome.msi /qn  TRANSFORMS=rohos.mst


Or install MSI with MST via group policies.

Customize login window

Elements that can be customized on the login screen

The welcome screen (login screen) can be customized with custom text messages and a USB key picture. You can do it in the following ways:

  • Using Rohos Center (Configure options link)
  • MSI options (during installations)
  • Modifying Rohos registry values.

Configure options dialog box.

Using of different authentication models

Rohos Logon Key supports various Windows logon configurations. It can be used both on a personal computer/laptop and on a corporate workstation joined to a Windows/Novell network. The program integrates into any Windows logon configuration by using one of the Logon models listed below:

Picture 1

The user can choose the Logon model manually. Logon models supported by Rohos:

  • Rohos welcome screen (gina.dll)
  • Windows XP/Vista welcome screen + Rohos
  • Windows native authentication (msgina.dll)
  • Rohos Credential Provider Windows Vista/7/8

The program automatically determines the best Logon model when you are installing it. This choice depends on the Windows version and login screen settings (for example fast user switching used, typical login dialog box used, custom Gina installed, etc.).

However, the user can always choose a specific Logon model manually, using the MSI installation package option or the Rohos options dialog box.

Rohos welcome screen (gina.dll)

This method is based on the MsGINA.dll replacement. It totally replaces the Windows authentication and identification module (gina.dll) by a customized version of the authentication module (rohos_ui.dll).

Drawbacks:

  • It disables fast user switching in Windows XP.

Choose this method only if you want to:

  • See the users list in the welcome screen in Windows 2000;
  • Use your own background image in the welcome screen;
  • Use bigger (up to 90*90 pics) user icons on the login screen;
  • Use enhanced system security dialog box called by Ctrl+Alt+Del with network security function (shared resource/connections);

Rohos welcome screen 1

Windows XP/Vista welcome screen and Rohos

This method is recommended for Windows XP/Vista home computers. It does not disable the fast user switching feature.

Drawbacks:

  • Password expiration/renewal function with USB Key update is not supported;


Windows XP / Vista welcome screen + Rohos

Windows native authentication (msgina.dll)

This is the best Logon model for:

  • Windows 2000/2003 Server (if you plan to use remote desktop access by USB Key)
  • Windows 2000/XP workstations joined to Windows Active Directory (Windows Domain) or Novell network.

Rohos Logon Key does not replace the GINA.dll module. The security policies remain unaltered. As a result the computer will run just as stably and securely as before Rohos was installed. Rohos supports integration with msgina.dll, nwgina.dll, ctxgina.dll.

It is highly recommended to use this method in the following cases:

  • On a Terminal Server computer to access to Remote Desktop via USB flash drive;
  • If you use password expiration/renewal security policies;
  • On workstations joined to Active Directory/ Novell networks.

Windows native authentication + Rohos (in this case Novell Login)

Novell Client notice:


  • Rohos Logon Key enters user name and password into User Name and Password appropriate fields of Novell Login dialog box automatically;
  • Password renewal\change is not supported (for Rohos Logon Key version 2.0)

Rohos Credential Provider

It is a special component for Windows Vista, which implements a new user authentication method. Users see this component in the form of a user icon on the Windows logon screen. Rohos Credential Provider appears on the Windows logon screen in the form of an icon of a USB key.

Welcome screen in Windows Vista/Seven via Rohos Credential Provider

Connect a configured USB drive, and the component will read from it a list of logon profiles (user credentials) for authorization in the system. If necessary, it will also request a PIN code from the USB drive (two-factor authentication). These profiles are then passed to the local security system for authentication. Rohos Credential Provider will be automatically registered on the system following installation (on computers running Windows Vista).

Note: On installation, the program automatically selects an appropriate Logon Model.

Learn more on our website: http://www.rohos.com/welcome-screen/rohos_credential_provider.htm

Using of Rohos Logon Key in Active Directory

Rohos Logon Key can work in two ways: as a standalone application and as a database client in Active Directory. In this article we’ll describe the second case, where Rohos Logon Key is connected to a database and reads all its settings from centralized storage.


Before you start

1. Choose the type of Authentication Keys (your Hardware Security Module). Ensure that it could be used in AD environment with centralized Key management.

2. Choose the type of 2-factor authentication (2FA) policy you want to apply for user account:

  • By Rohos AD group members : all users included into Rohos AD group will be required to use authentication keys for login.
  • For Remote desktop users: only remote users must use the USB keys or OTP.

3. Decide whether you need the workstation to lock automatically when the authentication key is unplugged from the USB port.

Creating Rohos AD group

For example, we can create a domain with DNS name AMP.local and NetBIOS name AMP. Let’s assume that a user named Admin1 must log in only by USB key, and authentication by password alone is forbidden for him. We have to create a new group with a special name, 2F_users for example, and add user Admin1 to it. So, this user will be a member of two groups at the same time: Domain users and 2F_users.

Note: You can choose another name for the group with 2-factor authentication.


Creating USB Keys

  1. Install Rohos Management Tools on any domain controller;
  2. Launch Rohos Remote configuration utility and create a database for the Rohos application;
  3. Use USB Key Manager utility to setup authentication keys for all users.

After all the keys have been created, click Refresh all in Rohos Remote config utility and you will see all the keys created in the database. To delete or block a key, use the “-” or “Block” button.


Using of the same key for the authentication on several computers.

Considering that a domain may contain many computers, and many users may work on different machines, it is necessary to provide authorization with the same key on all domain computers.

Create all the keys in the USB Key manager application from the Rohos Management tools package (freeware).

Connect a USB drive or smart card. In the main window of USB Key manager we can see the list of profiles written on the current USB key. Click the Add logon profile button.

To edit a profile, select it and press the Edit button. If this key was created before in the Rohos Logon Key application, the password will be encrypted. This profile is not suitable for authentication on domain computers. Click the * button at the right to show the password. You must change it to non-encrypted in both fields and click OK.

If you are working not in a domain but in a workgroup, you can leave the Domain field blank. The key will then be suitable for all PCs where this combination of login and password is present.

You may leave the password empty, so that a user will be forced to enter it manually during authentication, along with his USB key. The key can help to identify the user, even if he changes his password.

In case of OTP, you have to install the Rohos Logon Key application on the Domain controller and create the OTP there for all the users.

There is now a new technology to register multiple user accounts with Google Authenticator.

Note: If you use Flash drives as USB keys, you can configure the keys on a domain workstation as well. Launch the Rohos Remote config application and check whether the settings were synchronized with the database. After this, launch the USB key management tool and create the keys.

Installing Rohos Logon Key application

Now you can install the Rohos Logon Key application as usual. After the installation, the Rohos Logon Key application will automatically find the Active Directory database if this computer is connected to a domain. If not, the application will work as a standalone program.


Rohos Licenses for domain computers

  • Pro license – for each domain workstation.
  • Server license – for terminal servers, RDC on Windows 2003, 2008, 2012.
