This needs to be updated before it is republished. Steps have to be verified using an EXE in place of an MSI.
For organizations that use Group Policy to manage software distribution, you can deploy the AuthAnvil Two Factor Auth Windows Logon Agent and Credential Provider using Active Directory.
Note: You must be using version 4.0 or newer of the agent to take advantage of this feature. To successfully use this installation method, the target system MUST have all prerequisites installed beforehand (i.e. the .NET 2.0 Framework, the MSVC++ 9.0 runtimes and MSXML).
Note: As of April 8, 2014, Windows XP is no longer supported. As of July 2015, Server 2003 will no longer be supported.
Note: For all Server 2008 / Windows Vista or newer systems you will need to use the Windows Credential Provider in place of the Logon agent. There is no MSI for the Credential Provider; you will need to use AAWinLogonCP.exe.
You can download the latest Windows Credential Provider here: http://www.scorpionsoft.com/support/media/2fa/v40/AAWinLogonCP.exe
Preparing for Deployment
To properly use software distribution policies, you must prepare an MSI configuration set using the AuthAnvil Two Factor Auth Windows Logon Deployment Kit, available in the Tools section of the Software Download site in the Customer Portal. You will need to:
- Set up a network share available to all domain based computers
- Configure the AuthAnvil Two Factor Auth installation INI for the MSI package
- Set up a Group Policy Object for the deployment
Set up the network share
To deploy using Active Directory, member workstations and servers need to be able to access a share as the machine's SYSTEM account. The best way to do this is to create a new share, grant Domain Computers access to the share, and ALSO assign it the NTFS Read, Read & Execute, and List Folder Contents permissions on the shared folder. Once this is done, copy the MSI packages included in the deployment kit to the share.
Note: Make sure that all files in the share inherit this permission, or you will not be able to remotely deploy the MSI.
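The share setup above, as an added PowerShell example that is not part of the original article: it creates the folder and share, grants Domain Computers read-only access at both the share and NTFS level with inheritance enabled, and then checks that no file under the share has inheritance disabled. The path, share name and domain name are placeholders, and the SmbShare cmdlets assume a Windows Server 2012 or newer file server.

```powershell
# Added example (not from the original article). Placeholders: adjust path,
# share name and NetBIOS domain name for your environment.
$SharePath = 'C:\Deploy\AuthAnvil'        # placeholder folder holding the MSI + INI
$ShareName = 'AuthAnvilDeploy$'           # placeholder (hidden) share name
$Principal = 'CONTOSO\Domain Computers'   # replace CONTOSO with your domain

New-Item -ItemType Directory -Path $SharePath -Force | Out-Null

# Share-level permission: Read is all a member machine's SYSTEM account needs.
# Granting only Read keeps the deployment packages from being modified from the share.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -ReadAccess $Principal | Out-Null
}

# NTFS permission: Read, Read & Execute and List Folder Contents, inherited by
# every file and subfolder (ContainerInherit + ObjectInherit).
$acl    = Get-Acl -Path $SharePath
$rights = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, ListDirectory, Read'
$rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Principal, $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Verification for the Note above: a file whose ACL has inheritance disabled
# would not receive the Domain Computers permission and would break remote deployment.
$broken = Get-ChildItem -Path $SharePath -Recurse -File |
    Where-Object { (Get-Acl -Path $_.FullName).AreAccessRulesProtected }
if ($broken) {
    Write-Warning "Inheritance disabled on: $($broken.FullName -join ', ')"
} else {
    Write-Host "All files under $SharePath inherit the folder permissions."
}
```

Run it before copying the deployment kit into the share, or re-run only the verification part afterwards.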
Configure the INI for the MSI package
As MSI packages distributed by Active Directory are not designed to use the standard silent mode installation options, you need to create a special INI file that the MSI will read during remote installation. This INI file needs to exist in the same shared directory as the underlying MSI file.
To aid in the setup and configuration of this INI file, within the deployment kit is a special application called LogonINIBuilder.exe, designed specifically to do this. Below is a screenshot of a typical configuration.
The options are the same settings as are available in the silent mode installer, with the exception of the BANNER variable. If you have been issued a digital fingerprint for your own banner, you will need to manually edit the INI file and add the line Banner=xxxxx, where xxxxx is the digital hash provided to you by Scorpion Software. If you store your aalogon.bmp file in the same directory as the INI and MSI files, the bmp will be copied to the target system and applied during deployment.
Once you have configured the INI settings the way you like, press the Create File button and choose to store the file in the same network share as the MSI file(s).
Note: If you do not have a secondary AuthAnvil Two Factor Auth server configured for redundancy, set the secondary SAS URL to be that of the first server.
Note 2: The installation password is not supported for deployments to command line systems. Any value set there will be ignored.
Set up the Group Policy Object
Before setting up the GPO, you need to consider how you will manage software distribution. One thing to consider is that there are different MSI packages for GINA based operating systems (Windows XP and Windows Server 2003 based systems) and Credential Provider based operating systems (Windows Vista, Windows 7 and Windows Server 2008). You should apply AAWinLogon.msi for GINA based systems, and AAWinLogonCP.msi for Credential Provider based systems. You are encouraged to separate such systems into their own Organizational Units (OUs), to make deployment easier to manage.
To begin, start Active Directory Users and Computers and create a child OU under the current location where your workstations and/or servers are stored. As an example, customers with Small Business Server may decide to create a new OU called Two Factor Auth Protected Workstations GINA under MyBusiness->Computers->SBSComputers. Later, when you are ready to deploy the software, you can drag and drop the workstations you want to apply this policy to into that OU and force a gpupdate.
Once you have the target OU set up, you need to create and link a GPO to it.
To do this in Windows Server 2003 based systems, right click the OU and select Properties. Select the Group Policy tab and press the New button to create a new GPO, and give it a name. Then press the Edit button to start the Group Policy Object Editor tool.
On Windows Server 2008 based systems, open the Group Policy Management tool directly from Administrative Tools and do the following:
- Right click the OU and select the menu option to Create and Link a GPO Here. Name the policy something easy for you to remember, like AuthAnvil Two Factor Auth Protection Policy.
- Right click on this new policy and select Edit from the popup menu.
Once the Group Policy Object Editor launches, expand Computer Configuration->Software Settings, then right click on Software installation and select to create a new Package.
Browse to the network share where the MSI package is located and select it. Click Open.
Select to Deploy Software using the Assigned method.
At this point the MSI is tied to the GPO, and computers added to the OU it is linked to will have the AuthAnvil Two Factor Auth Windows Logon Agent or Credential Provider deployed to them the next time they are rebooted.
NOTE: Active Directory Software Distribution Policies only run on boot up after the policy is applied. On GINA based systems (XP/2003), this means it will take two reboots before the agent will be applied, since the first reboot will install the agent, and the second one will actually load it. On Credential Provider based systems (Vista/2008/7), you will only need to log in and then log back out again after the first reboot to reload the Credential Provider.
It is recommended that you run gpupdate /force and reboot the computer twice to accomplish this. If you wish to do this remotely, use psexec from the SysInternals PSTools package to do this on a per-machine basis.
e.g. psexec \\ComputerName gpupdate /target:computer /force /boot
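The OU, GPO link and forced policy refresh from the steps above, as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory and GroupPolicy modules (RSAT on Server 2008 R2 or newer; Invoke-GPUpdate needs Server 2012 or newer), and the OU path, GPO name and computer name are placeholders. The Software Installation package itself is still added in the Group Policy Object Editor as described above, since no cmdlet configures it.

```powershell
# Added example (not from the original article). Placeholders: parent OU path,
# OU name, GPO name and the computer to protect.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ParentOU = 'OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=contoso,DC=local'  # placeholder
$OUName   = 'Two Factor Auth Protected Workstations CP'
$GpoName  = 'AuthAnvil Two Factor Auth Protection Policy'
$Computer = 'WKS01'   # placeholder computer name

# 1. Child OU that will hold the protected machines (created only if missing).
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OUName'" -SearchBase $ParentOU -ErrorAction SilentlyContinue
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $OUName -Path $ParentOU -PassThru
}

# 2. GPO created and linked to the OU. The Software installation -> New Package
#    step is done in the editor afterwards (Get-GPO/New-GPO only manage the object).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $ou.DistinguishedName -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 3. Move a computer into the OU, then force a computer-policy refresh with reboot,
#    the same effect as the psexec / gpupdate /boot command above. A second reboot
#    (or log off/on for the Credential Provider) is still required to load the agent.
$cmp = Get-ADComputer -Identity $Computer
Move-ADObject -Identity $cmp.DistinguishedName -TargetPath $ou.DistinguishedName
Invoke-GPUpdate -Computer $Computer -Target Computer -Force -Boot
```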
Uninstalling a Distributed Package
If you need to uninstall the agent, you can do this by editing the GPO and selecting to Remove the package.
Once prompted, select to Immediately uninstall the software from users and computers.
Once you press OK, the next time policy is updated for the target systems and they are rebooted, the agent will be uninstalled. On GINA based systems, a second reboot will be required to remove the protection scope of the AuthAnvil Two Factor Auth agent and properly reload the regular Windows Logon Agent. On Credential Provider based systems, you will only need to log in and then log back out again after the first reboot to reload the Credential Provider.
- How do you install Windows Logon agents on Command Line only systems?
- Deploying Windows Logon agent with RMM Tools.
If you have any questions or need some help, we would be happy to assist. Open a case at kaseya.zendesk.com.