The AuthAnvil Two Factor Auth Windows Credential Provider offers companies the ability to add strong two-factor authentication to Microsoft’s Windows client and server operating systems. It provides a simple and consistent logon experience whether users log on at the local desktop or through a terminal session. And it offers identity assurance by requiring users to provide their AuthAnvil Two Factor Auth passcode during the logon process.
Note: This installation guide is only compatible with this installer.
The AuthAnvil Two Factor Auth Windows Credential Provider is available for the following platforms:
- Windows Server 2008, 2008 R2, 2012, 2012 Essentials, 2012 R2
- Small Business Server 2008, 2011
- Small Business Server Essentials 2011
- Essential Business Server 2008
- Vista, Windows 7 and Windows 8, Windows 8.1
- Windows 2008, 2008 R2 and 2012 Terminal Server
- Windows Server 2008 R2 Core
- Hyper-V Server 2008
Note: This agent does not support Windows 10.
Note: As of April 2014 Windows XP is no longer being supported.
Note: As of July 2015 Server 2003 is no longer being supported.
The following software must be installed before the Windows Credential Provider can be installed.
Note: These must be installed manually on 64-bit machines before installing the Windows Credential Provider, as there is no prerequisite checking available. Installing the Windows Credential Provider without the prerequisites installed will leave the machine unable to log in successfully, and will require the Credential Provider to be removed using the Emergency Uninstall Procedure.
- .NET Framework 2.0 or later (Not required for Server Core and Hyper-V)
- Microsoft Visual C++ 2008 Runtimes (MSVC++ 9.0)
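Because the installer does no prerequisite checking, a pre-flight script like the following (an added example, not part of the vendor's installer) can be run on the target machine before launching AAWinLogonCP.exe. It assumes .NET 2.0 registers under the standard NDP\v2.0.50727 key and that the VC++ 2008 runtime appears in the Add/Remove Programs uninstall entries; on Server Core and Hyper-V the .NET check can be ignored.

```powershell
# Pre-flight check for the Windows Credential Provider prerequisites.
# Added example; assumes the standard .NET setup key and the
# Add/Remove Programs uninstall keys are present on the target machine.

function Test-DotNet2 {
    # .NET Framework 2.0 (and 3.x, which share its CLR) registers Install = 1 here
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727'
    if (Test-Path $key) {
        return (Get-ItemProperty -Path $key -Name Install -ErrorAction SilentlyContinue).Install -eq 1
    }
    return $false
}

function Test-Vc2008Runtime {
    # Look for the MSVC++ 2008 (9.0) redistributable in the uninstall entries,
    # checking both the native and the WOW6432Node views on 64-bit systems.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $hits = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Visual C++ 2008*Redistributable*' }
    return ($hits | Measure-Object).Count -gt 0
}

# Get-WmiObject is used rather than newer CIM cmdlets so this runs on Vista / 2008 era hosts.
$is64 = (Get-WmiObject Win32_OperatingSystem).OSArchitecture -like '64*'

$missing = @()
if (-not (Test-DotNet2))       { $missing += '.NET Framework 2.0 or later' }
if (-not (Test-Vc2008Runtime)) { $missing += 'Microsoft Visual C++ 2008 Runtimes (MSVC++ 9.0)' }

if ($missing.Count -eq 0) {
    Write-Host 'All prerequisites present; safe to run AAWinLogonCP.exe.'
} else {
    Write-Warning ('Missing: ' + ($missing -join ', '))
    if ($is64) {
        # The guide warns that a 64-bit install without these leaves the machine unable to log in.
        Write-Warning 'Do not install on this 64-bit machine until the missing runtimes are present.'
    }
}
```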
Scorpion Software offers two different agents for Windows Logon. These include:
- Windows Logon Agent – Sometimes called a GINA extension. Provides strong authentication for Windows Server 2003 systems. This is available in the AAWinLogon.exe installation file.
- Windows Logon Credential Provider – Sometimes called a cred provider. Provides strong authentication for Windows Vista, Windows 7, Windows Server 2008, Windows Server 2012 and Windows Server 2012 Essentials. This is available in the AAWinLogonCP.exe installation file.
The installers of these agents provide installation for both 32-bit and 64-bit CPU targets.
Note: When installing the GINA on Windows Server 2003, a reboot will be required. This is not the case for the credential provider on Windows Vista, Windows 7 or Windows Server 2008.
The following steps should be used to install the Windows Credential Provider:
- Download the appropriate agent
- Run the installer.
- Click Next.
- Review the license agreement and when satisfied enable the I Agree checkbox and click Next.
- Enter the AuthAnvil Two Factor Auth Web Service URL. The installer default is http://localhost/authanvil/SAS.asmx. Use a Fully Qualified Domain Name (FQDN) address with SSL if possible, for example https://authserver/authanvil/SAS.asmx.
Note: The SSL certificate of the AuthAnvil Two Factor Auth SAS MUST be trusted by the target system where the agent is being installed.
- Enter the AuthAnvil Two Factor Auth Site ID. This will typically be set to 1 unless your AuthAnvil Two Factor Auth server is not on premises and is being hosted in the cloud by a managed service provider (MSP).
- Click Next.
- Accept the default Override Group (Two Factor AuthOverride), or enter your own. Please note you will need to create this universal Security Group in Active Directory if it does not already exist.
- Enter an Override Password and confirm.
Note: If you leave the Override Password blank, this override feature will be disabled and you will not be able to use it.
- Click Next.
- When the installation completes, it will ask to reboot on Windows Server 2003 systems. You should do this immediately.
Uninstalling the Windows Logon Agent
You can uninstall the agent from the Start menu or from Add/Remove Programs in the Control Panel.
Note: For Windows XP and Windows Server 2003 systems, the installer will ask to restart the system after uninstall. So be certain that a system restart will not affect any other network resources or staff prior to doing so.
During installation the wizard offers four separate configuration options that get stored in the registry:
- AuthAnvil Two Factor Auth SAS URL – The fully qualified path to the AuthAnvil Two Factor Auth Web Service, for example https://authserver/authanvil/SAS.asmx
- AuthAnvil Two Factor Auth SAS Site ID – The site number of the AuthAnvil Two Factor Auth SAS. Typically set to 1.
- Active Directory Override Group – The Active Directory Security Group that can override the need to provide an AuthAnvil Two Factor Auth passcode during login.
- Global Password Override – The local machine master password that overrides the need for an AuthAnvil Two Factor Auth passcode during login.
The AuthAnvil Two Factor Auth Override Group
By default the Windows Credential Provider enforces strong authentication on all accounts. This means that every account presented with the Logon dialog box on a system where our agent is installed must provide its AuthAnvil Two Factor Auth passcode along with its Windows logon credentials.
There may be times when this isn’t desirable for all accounts. In such a case, it is possible to assign a user to a Local or Active Directory Security Group which our agent will honor. If someone is a member of that group, they will not be required to enter their AuthAnvil Two Factor Auth passcode. They can leave that field blank.
During installation the Active Directory Override Group is defined by the person running the installer. It is the responsibility of the Local or Domain administrator to create this Security Group and assign users as required by their corporate security policy if you wish to use this feature.
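Creating the universal Security Group the installer expects, and reviewing who is in it, can be done from a domain-joined machine with the ActiveDirectory module. This is an added example, not the vendor's tooling; the group name is the installer default and the description text is an assumption.

```powershell
# Create the Override Group and list its members.
# Added example; requires the ActiveDirectory (RSAT) module on a domain-joined machine.
Import-Module ActiveDirectory

$groupName = 'Two Factor AuthOverride'   # installer default; change if you chose your own

# The guide calls for a universal Security Group in Active Directory.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security `
        -Description 'Members log on without an AuthAnvil Two Factor Auth passcode'
}

# Every member of this group bypasses the passcode prompt, so this list is
# effectively the set of accounts exempt from two-factor authentication.
# Review it against policy; nested group members are expanded with -Recursive.
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled, LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```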
The AuthAnvil Two Factor Auth Override Password
There are times when it may be required to bypass AuthAnvil Two Factor Auth to log in. Some examples may include:
- Times when the AuthAnvil Two Factor Auth Web Service is not accessible
- Times when an AuthAnvil Two Factor Auth token is not present and an immediate login is required
- Times when an administrator’s token is locked and they need access to the server
When this occurs, it is possible to override the requirement to present an AuthAnvil Two Factor Auth passcode and use an override password. This should only be used in extreme situations. The misuse of this password could completely bypass AuthAnvil Two Factor Auth, rendering its purpose moot. This password should be known to as few people as possible, and should be changed immediately if used.
If you leave it blank during the installation, this feature is made unavailable to all users and administrators.
Note: If an Override Password is not configured, the only way to log in is to use a valid AuthAnvil Two Factor Auth passcode or to be a member of a configured AuthAnvil Two Factor Auth Override Group. You may want to configure this group prior to restarting the system or logging off.
Enabling offline caching mode
The Windows Credential Provider has the ability to work in an offline caching mode, offering strong authentication when the server or workstation is disconnected from the AuthAnvil Two Factor Auth server. A perfect usage scenario would be laptops used in the field that may not yet have an established network connection.
With offline caching mode enabled, AuthAnvil Two Factor Auth servers will deliver a hashed list of the next n passcodes, where n is defined by the AuthAnvil Two Factor Auth SAS. By default the number of returned passcodes is 25, and this can be overridden using the web.config in the authanvil webservice. While offline, the Windows Credential Provider will authenticate against this list, and will warn the user to reconnect to an AuthAnvil Two Factor Auth server when fewer than 5 passcodes remain.
To enable offline caching, you need to either use the silent mode command line switch (see Appendix B) or you can use the AuthAnvil Two Factor Auth Logon Configuration tool in the Control Panel (see Changing Settings After Installation). If you have decided not to install the AuthAnvil Two Factor Auth Logon Configuration tool, you can manually edit the setting in the Registry by following these steps:
- Start regedit
- Open the HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Software\AuthAnvilLogon hive.
- Edit the CacheCredentials value and change it to 1.
- Close regedit
Note: There are a few considerations you should be aware of when using the offline caching mode:
- In complex environments where AuthAnvil Two Factor Auth credentials may be used for logging into many different systems, you may want to increase the number of passcodes that are cached to ensure synchronization is maintained between the online and offline systems.
- Offline caching mode was designed to work with Standard Users who have tokens assigned to their account. Although it will work with grouped users, it will only cache the list for the last member of the group who logged in. So in cases where a different grouped user logs in, the hashed passcode list will never match, and that user will never be able to authenticate offline.
- Offline caching mode will not work with proxied users. When an AuthAnvil Two Factor Auth server authenticates a proxied user, the server that the authentication is delegated to only returns a true/false. It does not return the list of authentication hashes that offline caching mode requires.
- This feature is only available on AuthAnvil Two Factor Auth servers running AuthAnvil Two Factor Auth v3.x or newer.
Changing Settings after Installation
If you need to change the AuthAnvil Two Factor Auth configuration settings or the override password, you can do this using the AuthAnvil Two Factor Auth Logon Configuration tool installed to the Control Panel.
If during installation you chose not to install this tool, you will be forced to manually edit the registry to update settings. Please open a case in the Customer Portal if you need help with this.
Note: If you have configured an installation password, you will need to enter this credential to access this tool from the Control Panel.
The Credential Provider also has a few settings that are not currently exposed through the UI, and cannot be set at install time. These settings must be set by editing the registry, so the standard warnings about editing the registry apply.
Toggle Override Group Behavior: The Override Group behavior can be toggled between the default behavior of allowing the members of the Override Group to log on without a token, and allowing everybody to log on without a token *except* for the members of the Override Group.
To change this, set the value HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Software\AuthAnvilLogon\OverrideGroupRequires2FA to 0 for the default behavior, or to 1 to force members of the Override Group to log on using a token.
Note: If the Override Group does not exist on the local computer or in Active Directory (if domain joined), toggling this function will have no effect.
Do not show tiles for remote sessions (only on Vista, Win 7, Server 2008 and 2008 R2): The Credential Provider can be set to not show the user tiles for remote sessions on the Windows console and Terminal Server Login screens. This protects users’ privacy by not allowing a terminal services user to know what other users are logged into the system.
To activate this, create a REG_DWORD value named HideRemoteSessions under the HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Software\AuthAnvilLogon registry key and set it to 1. Delete the value or set it to 0 to revert to the default Credential Provider behavior.
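The three registry-only settings described in this guide (CacheCredentials for offline caching, OverrideGroupRequires2FA, and HideRemoteSessions) can be audited and changed from one script rather than through regedit. This is an added example, not the vendor's Logon Configuration tool; the value names come from the guide, and treating an absent value as the guide's stated default behavior is an assumption.

```powershell
# Audit and optionally set the AuthAnvilLogon registry settings documented in this guide.
# Added example; value names are from the guide, defaults are assumed from its text.
$hive = 'HKLM:\SOFTWARE\Scorpion Software\AuthAnvilLogon'

$settings = @(
    @{ Name = 'CacheCredentials';         Desc = 'Offline caching mode (1 = enabled)' },
    @{ Name = 'OverrideGroupRequires2FA'; Desc = 'Override Group inverted (1 = members MUST use a token)' },
    @{ Name = 'HideRemoteSessions';       Desc = 'Hide remote-session tiles (1 = hidden)' }
)

function Get-AuthAnvilSetting([string]$Name) {
    # Returns the DWORD value, or $null when the value is absent (default behaviour).
    $props = Get-ItemProperty -Path $hive -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$Name]) { return [int]$props.$Name }
    return $null
}

function Set-AuthAnvilSetting([string]$Name, [int]$Value) {
    # All three settings are REG_DWORD values directly under the AuthAnvilLogon key.
    if (-not (Test-Path $hive)) {
        throw "Key $hive not found; is the Credential Provider installed?"
    }
    Set-ItemProperty -Path $hive -Name $Name -Value $Value -Type DWord
}

# Report the current state of each documented value.
foreach ($s in $settings) {
    $v = Get-AuthAnvilSetting $s.Name
    $shown = if ($null -eq $v) { '(not set, default)' } else { $v }
    Write-Host ('{0,-26} {1,-20} {2}' -f $s.Name, $shown, $s.Desc)
}

# Example change: enable offline caching mode for a field laptop (uncomment to apply).
# Set-AuthAnvilSetting -Name 'CacheCredentials' -Value 1
```

Run this from an elevated PowerShell session; the standard caution about editing the registry applies just as it does for regedit.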