Microsoft Windows GINA login - Revision history (MediaWiki 1.28.0 feed, https://kb.swivelsecure.com/w/index.php?title=Microsoft_Windows_GINA_login&feed=atom&action=history, updated 2024-03-28T11:00:25Z)<br />
Revision by Admin, 2017-05-11T12:52:16Z: 1 revision imported (no difference from the older revision)<br />
Revision by Mtura, 2015-10-13T14:31:56Z: Error Messages<br />
<p><b>New page</b></p><div>{{template:default}}<br />
<br />
[[Category:OS Login]]<br />
[[Category:Integration]]<br />
[[Category:Desktop]]<br />
[[Category:microsoft|G]]<br />
<br />
= Introduction =<br />
<br />
Windows GINA (graphical identification and authentication) is the login for Windows 2000 Server, 2003 Server and XP. Also available is the [[Windows GINA login User Guide]].<br />
<br />
The Winlogon GINA has been replaced in Vista, 2008 Server, Windows 7 and Windows 8 by the Windows Credential Provider. See [[Microsoft Windows Credential Provider Integration]].<br />
<br />
The PINsafe GINA supports the use of Dual Channel (in advance, not on-demand) and Single Channel authentication for Terminal Services using Windows 2000 and 2003 server. It does not support an offline authentication mode, whereas the Windows Credential Provider does, so the PINsafe GINA should only be used for networked machines or for Terminal Services.<br />
<br />
This version of the PINsafe GINA supersedes an earlier version which would overwrite the AD password. The current version of the PINsafe GINA does not overwrite the AD password.<br />
<br />
<br />
= Prerequisites =<br />
<br />
PINsafe 3.x<br />
<br />
The recommended platform is Windows 2003 with Microsoft.Net Framework 2 and Terminal Services.<br />
<br />
A separate PINsafe GINA license is not required, but the users authenticating to PINsafe must be licensed.<br />
<br />
Microsoft Visual C++ 2010 SP1 redistributable. For the 32-bit version of the GINA, [https://kb.swivelsecure.com/wiki/images/8/82/Vcredist_x86.zip the x86 redistributable] is required. For the 64-bit version, '''both''' the x86 redistributable '''and''' [https://kb.swivelsecure.com/wiki/images/a/a3/Vcredist_x64.zip the x64 redistributable] are required. These must be installed before the GINA, as they are required by the installer.<br />
<br />
[https://kb.swivelsecure.com/wiki/images/1/10/PINsafeGINA32Setup.zip PINsafe GINA 32 bit software]<br />
<br />
[https://kb.swivelsecure.com/wiki/images/5/5e/PINsafeGINA64Setup.zip PINsafe GINA 64 bit software]<br />
<br />
NOTE: the latest version is version 3.6.1. This adds support for dual-channel message on-demand and allowing unknown users to authenticate without Swivel credentials.<br />
<br />
<br />
= Baseline =<br />
<br />
<br />
= Architecture =<br />
<br />
The 64-bit GINA is the same as the (32-bit) Terminal Services GINA, except built for 64-bit operating systems.<br />
<br />
<br />
= Swivel Configuration =<br />
<br />
== Configure a Swivel Agent ==<br />
<br />
1. On the Swivel Management Console select Server/Agent<br />
<br />
2. Enter a name for the Agent<br />
<br />
3. Enter the GINA IP address. You can limit the Agent IP to an IP address range such as 192.168.0.0/255.255.0.0, where a mask value of 255 requires an exact match and 0 allows any value, so this example allows any Agent in the range 192.168. Alternatively, you can use an individual IP address for the Credential Provider.<br />
<br />
4. Enter the shared secret used above on the GINA<br />
<br />
5. Enter a group. (Note: in this instance ANY is not a valid group and will cause authentication to fail.)<br />
<br />
6. Click on Apply to save changes<br />
<br />
<br />
[[Image:PINsafe 37 Server Agents.JPG]]<br />
<br />
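The mask rule from step 3, as an added example (not Swivel code): it checks source addresses against an Agent entry, counts how many addresses the entry admits, and derives the narrowest 255/0 mask that covers a list of GINA hosts. The function names and the host inventory are hypothetical, and bitwise matching of the mask is an assumption consistent with the 255/0 description.

```python
import ipaddress

FULL = 0xFFFFFFFF

def _parse(spec):
    """Split 'a.b.c.d' or 'a.b.c.d/m.m.m.m' into (address, mask) integers."""
    base, _, mask = spec.partition("/")
    return (int(ipaddress.IPv4Address(base)),
            int(ipaddress.IPv4Address(mask)) if mask else FULL)

def agent_allows(spec, source_ip):
    """Assumed rule: bits set in the mask must match, clear bits may differ."""
    net, mask = _parse(spec)
    return (int(ipaddress.IPv4Address(source_ip)) & mask) == (net & mask)

def admitted_count(spec):
    """Number of source addresses the Agent entry accepts."""
    _, mask = _parse(spec)
    return 1 << bin(~mask & FULL).count("1")

def tightest_spec(hosts):
    """Narrowest entry using only 255/0 octets that covers every host."""
    octets = [str(ipaddress.IPv4Address(h)).split(".") for h in hosts]
    base, mask, shared = [], [], True
    for column in zip(*octets):
        # Once one octet differs between hosts, it and all later octets are open.
        shared = shared and len(set(column)) == 1
        base.append(column[0] if shared else "0")
        mask.append("255" if shared else "0")
    return ".".join(base) + "/" + ".".join(mask)

# Constructed inventory of terminal servers running the GINA.
GINA_HOSTS = ["192.168.10.21", "192.168.10.22"]

if __name__ == "__main__":
    page_example = "192.168.0.0/255.255.0.0"
    narrow = tightest_spec(GINA_HOSTS)
    for spec in (page_example, narrow):
        covered = all(agent_allows(spec, h) for h in GINA_HOSTS)
        print(f"{spec}: admits {admitted_count(spec)} addresses, covers inventory: {covered}")
```
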
<br />
'''Configure Single Channel Access'''<br />
<br />
1. On the PINsafe Management Console select Server/Single Channel<br />
<br />
2. Ensure ‘Allow session request by username’ is set to YES<br />
<br />
[[Image:PINsafe 37 Server Single Channel.JPG]]<br />
<br />
<br />
== Create a Third Party Authentication ==<br />
<br />
A third party authentication must be created with an Identifier of WindowsGINA.<br />
<br />
1. On the PINsafe Management Console select Server/Third Party Authentication<br />
<br />
2. For the Identifier Name enter: WindowsGINA<br />
<br />
3. For the Class enter: com.swiveltechnologies.pinsafe.server.thirdparty.WindowsGINA<br />
<br />
4. For the License Key, leave this empty as it is not required<br />
<br />
5. For the Group select a group of users<br />
<br />
6. Click Apply to save the settings<br />
<br />
[[Image:Windows Credential Provider WindowsGINA Identifier.jpg]]<br />
<br />
Note that this creates a GINA menu item, but there are no configurable options, so it is not selectable.<br />
<br />
<br />
= Terminal Services GINA Integration =<br />
<br />
The PINsafe GINA Configuration utility provides a convenient means of configuring the installed PINsafe GINA.<br />
<br />
Microsoft.Net 2 is only required for the configuration application. The GINA will work without .Net 2, but you will have to configure it manually. If your system does not meet the requirements, when you click "Next", you will see a dialog showing what components are missing. You can still install, but with the provisos mentioned above.<br />
<br />
Install the GINA software on the Windows Terminal Server.<br />
<br />
<br />
== Terminal Services GINA Installation ==<br />
<br />
Start the PINsafe installation Wizard<br />
<br />
[[Image:PINsafe GINA Setup Wizard.jpg]]<br />
<br />
<br />
The system summary will report on any requirements which are not met, in this example .Net.<br />
<br />
[[Image:PINsafe GINA Setup Wizard System Information.jpg]]<br />
<br />
<br />
The PINsafe GINA may optionally be installed without .Net. The PINsafe GINA configuration utility requires .Net to install, but the GINA may be configured manually.<br />
<br />
[[Image:PINsafe GINA Setup Wizard without .NET.jpg]]<br />
<br />
<br />
Select the install directory<br />
<br />
[[Image:PINsafe GINA Setup Wizard destination.jpg]]<br />
<br />
<br />
Select the Start Program files group<br />
<br />
[[Image:PINsafe GINA Setup Wizard Program Folder.jpg]]<br />
<br />
<br />
Check the installation details<br />
<br />
[[Image:PINsafe GINA Setup Wizard Installation Summary.jpg]]<br />
<br />
<br />
The PINsafe GINA installation reports when it is complete and allows the configuration utility to be run<br />
<br />
[[Image:PINsafe GINA Setup Wizard Installation succesful.jpg]]<br />
<br />
<br />
== Terminal Services GINA Configuration ==<br />
<br />
<br />
=== Server Settings ===<br />
<br />
[[Image:GINAConfigSwivel.PNG]]<br />
<br />
'''Server''' The IP address or hostname of the PINsafe server to use for authentication.<br />
<br />
'''Port''' The TCP/IP port used by the PINsafe server. Commonly "8080" or "8443" if SSL is enabled.<br />
<br />
'''Context''' The web application context used by the PINsafe server. Commonly "pinsafe" for standard installations.<br />
<br />
'''Secret''' The shared secret configured for the GINA agent.<br />
<br />
'''Confirm Secret''' Repeat the shared secret to ensure it has been entered correctly.<br />
<br />
SSL<br />
<br />
'''Use SSL''' Enable the use of SSL when communicating with the PINsafe server. In order to use this option, SSL must have been configured on the PINsafe server with an appropriate certificate.<br />
<br />
'''Allow self-signed SSL certificates''' Accept an SSL certificate from the PINsafe server that has not been signed by a recognised certificate authority.<br />
<br />
<br />
=== Authentication Settings ===<br />
<br />
[[Image:GINAConfigAuth.PNG]]<br />
<br />
'''Always''' Selecting this mode enables PINsafe authentication for local and remote logins.<br />
<br />
'''Remote Only''' Selecting this mode enables PINsafe authentication for remote logins only. Local logins continue to only require a standard Windows username and password combination.<br />
<br />
'''Never''' Selecting this mode disables the use of PINsafe authentication by the GINA.<br />
<br />
<br />
Authentication Options<br />
<br />
'''Allow standard login when PINsafe is unavailable''' When enabled this option temporarily disables PINsafe authentication if the GINA determines that the PINsafe server is not available for authentication.<br />
<br />
'''Allow unknown users without OTC''' When enabled, if a user is not known to PINsafe, they are not required to enter a one-time code to authenticate. There is no visible indication that the user is not known to PINsafe.<br />
<br />
'''Show TURing images''' Enable the ability for users to request a single-channel TURing image from the PINsafe server.<br />
<br />
'''Use local TURing if PINsafe unavailable''' When enabled, if the GINA is unable to connect to PINsafe, it will display a locally-generated TURing image to users who have previously authenticated to this computer. Users who have not previously authenticated on-line will not be able to authenticate.<br />
<br />
'''Show Message Request''' When enabled, a button is shown to request a new security string to be sent to the user's designated transport (email or SMS). This cannot be selected together with TURing: disable TURing to use this option.<br />
<br />
<br />
=== Advanced Settings ===<br />
<br />
[[Image:GINAConfigAdv.PNG]]<br />
<br />
'''Lockout after # failures''' The number of authentication failures before a user is locked out. This only applies to local authentication: Swivel authentication is managed by policies on the Swivel Server.<br />
<br />
'''Session timeout''' The length of time to wait before closing the login dialog.<br />
<br />
'''Num. security strings to cache''' The number of security strings to request from the Swivel server for local authentication.<br />
<br />
'''Generate new strings when # remain''' Controls the minimum number of cached local security strings.<br />
<br />
'''Custom logos''' This allows you to re-brand the GINA with your own logos. The large logo is displayed when the GINA is first displayed, and must be 413 by 88 pixels. The small logo is displayed at the top of the login screen, and must be 413 by 72 pixels.<br />
<br />
<br />
= ChangePIN =<br />
<br />
Users may change their PIN using the Change Password option, or if automatically directed at login time.<br />
<br />
Remember that to use ChangePIN, a user does not enter their PIN, but uses an OTC and generates an OTC for what they want the new PIN to be. Dual channel and mobile phone clients may be used with ChangePIN as well as the TURing image.<br />
<br />
<br />
== User Requested ChangePIN using Change Password ==<br />
<br />
From the Windows menu select Ctrl-Alt-Delete<br />
<br />
<br />
[[Image:PINsafe GINA lock computer.jpg]]<br />
<br />
<br />
The user may change their PIN and/or password. To ChangePIN, password details can be left blank.<br />
<br />
[[Image:PINsafe GINA login changepin.jpg]]<br />
<br />
<br />
ChangePIN using dual channel or mobile phone client<br />
<br />
[[Image:PINsafe GINA login changepin dual channel.jpg]]<br />
<br />
<br />
ChangePIN using TURing<br />
<br />
[[Image:PINsafe GINA login changepin single channel.jpg]]<br />
<br />
<br />
ChangePIN successful<br />
<br />
[[Image:PINsafe GINA login changepin successful.jpg]]<br />
<br />
<br />
== ChangePIN redirect at login ==<br />
<br />
Where the user is required to ChangePIN the user is redirected at login.<br />
<br />
[[Image:PINsafe GINA login changepin changepin required.jpg]]<br />
<br />
<br />
[[Image:PINsafe GINA login changepin required.jpg]]<br />
<br />
<br />
ChangePIN using dual channel or mobile phone client<br />
<br />
[[Image:PINsafe GINA login changepin required dual channel.jpg]]<br />
<br />
<br />
ChangePIN using TURing<br />
<br />
[[Image:PINsafe GINA login changepin required single channel.jpg]]<br />
<br />
<br />
ChangePIN successful<br />
<br />
[[Image:PINsafe GINA login changepin successful.jpg]]<br />
<br />
<br />
= Additional Installation Options =<br />
<br />
<br />
= Verifying the Installation =<br />
<br />
When a user logs out they should be prompted for PINsafe authentication<br />
<br />
[[Image:PINsafe GINA login.jpg]]<br />
<br />
<br />
A user may use dual channel authentication to log in by entering their AD password and One Time Code.<br />
<br />
[[Image:PINsafe GINA login dual channel.jpg]]<br />
<br />
<br />
A user can also authenticate using single channel by generating a TURing image.<br />
<br />
[[Image:PINsafe GINA login TURing.jpg]]<br />
<br />
<br />
Standard authentication when the PINsafe server cannot be contacted.<br />
<br />
[[Image:PINsafe GINA Username Password.jpg]]<br />
<br />
<br />
= Uninstalling the PINsafe Integration =<br />
<br />
To uninstall the PINsafe GINA select Start, Programs, PINsafe GINA, PINsafe GINA Uninstaller or Start, Control panel, Add or Remove Programs, select PINsafe GINA then remove.<br />
<br />
Follow the instructions to remove the PINsafe installation.<br />
<br />
<br />
= Troubleshooting =<br />
<br />
'''PINsafe login options not displayed'''<br />
<br />
If the "Allow standard login when PINsafe is unavailable" option is enabled, the GINA will only display PINsafe login options if it is able to contact the PINsafe server. If PINsafe options are not displayed, check the server settings and connectivity to the PINsafe server.<br />
<br />
<br />
'''Manually configuring the PINsafe GINA'''<br />
<br />
If it is not possible to use the configuration utility, the PINsafe GINA settings may be edited manually in the registry. The following values, found within the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" key, are used by the GINA: <br />
<br />
PINsafeServer <br />
<br />
PINsafePort <br />
<br />
PINsafeContext <br />
<br />
PINsafeSecret <br />
<br />
PINsafeProtocol <br />
<br />
PINsafeLoginSelect <br />
<br />
PINsafeShowTURing <br />
<br />
PINsafeAllowDefaultLogin <br />
<br />
PINsafeAllowSelfCert <br />
<br />
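A check of these values for settings that weaken the second factor, as an added example (not Swivel code), run over the text of a regedit export of the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" key. The value types and encodings, and the pairing of each value with a configuration option by its name, are assumptions; the sample export is constructed.

```python
import re

# Constructed regedit export, already decoded to text. The value names come
# from the list above; their types and encodings are ASSUMPTIONS, and the
# DLL name, host name and secret are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="EXAMPLE-GINA.dll"
"PINsafeServer"="pinsafe.example.internal"
"PINsafePort"="8080"
"PINsafeProtocol"="http"
"PINsafeSecret"="constructed-secret"
"PINsafeAllowDefaultLogin"=dword:00000001
"PINsafeAllowSelfCert"=dword:00000001
'''

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
VALUE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_winlogon(reg_text):
    """Return {lower-cased value name: str or int} for the Winlogon key only."""
    values, in_key = {}, False
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == WINLOGON
        elif in_key and (m := VALUE.match(line)):
            name, text, dword = m.groups()
            values[name.lower()] = int(dword, 16) if dword else text.replace("\\\\", "\\")
    return values

def enabled(value):
    # Assumed encoding: DWORD 1, or the strings "1", "yes", "true".
    return str(value).strip().lower() in ("1", "yes", "true")

def audit(values):
    """List the settings that weaken the second factor on this host."""
    if "ginadll" not in values:
        return ["GinaDLL is absent: the standard Windows GINA handles logins"]
    findings = []
    if enabled(values.get("pinsafeallowdefaultlogin", 0)):
        findings.append("PINsafeAllowDefaultLogin: standard login when the server is unavailable")
    if str(values.get("pinsafeprotocol", "")).lower() != "https":
        findings.append("PINsafeProtocol: traffic to the PINsafe server is not using SSL")
    if enabled(values.get("pinsafeallowselfcert", 0)):
        findings.append("PINsafeAllowSelfCert: accepts certificates not signed by a recognised CA")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_winlogon(SAMPLE_REG)):
        print("WARN", finding)
```

Files written by regedit are UTF-16 encoded, so open the export with `encoding="utf-16"` before passing its text to `parse_winlogon`.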
<br />
'''Disabling the PINsafe GINA'''<br />
<br />
If the PINsafe GINA fails to load correctly it can be disabled using the following process: <br />
<br />
Using the F8 boot menu start Windows in safe mode<br />
<br />
Using regedit.exe, remove the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\ginadll" registry value <br />
<br />
Reboot Windows <br />
<br />
Following this process the standard Windows GINA should be restored allowing access.<br />
<br />
<br />
== Error Messages ==<br />
<br />
'''The one-time code is incorrect. Please retype your one-time code'''<br />
<br />
The One Time Code is incorrect<br />
<br />
[[Image:PINsafe GINA login incorrect OTC.jpg]]<br />
<br />
<br />
'''The password is incorrect. Please retype your password. Letters in passwords must be typed using the correct case.'''<br />
<br />
The Active Directory Password is incorrect<br />
<br />
[[Image:PINsafe GINA login incorrect password.jpg]]<br />
<br />
<br />
'''The system could not log you on. Make sure your username and domain are correct, then type your password again. Letters in passwords must be typed using the correct case.'''<br />
<br />
The PINsafe account may be locked; contact the PINsafe system Administrator.<br />
<br />
[[Image:PINsafe GINA login failed due to locked account.jpg]]<br />
<br />
<br />
To recover a locked system protected by PINsafe see [[PINsafe GINA]]<br />
<br />
<br />
'''Installing without Microsoft.Net Framework 2.0'''<br />
<br />
The GINA itself does not require the .Net Framework; only the configuration utility does. Therefore, if you are unwilling to install Microsoft.Net 2.0, you can ignore the warning about this being missing and install the GINA anyway. However, you will have to configure the application manually, as described under "Manually configuring the PINsafe GINA".<br />
<br />
<br />
'''Unable to find a runtime of the runtime to run this application'''<br />
<br />
The PINsafe configuration utility is being run without .Net version 2.0.<br />
<br />
[[Image:PINsafe GINA configuration Utility .Net missing.jpg]]<br />
<br />
<br />
'''FLUSHING_IMAGE_CACHE, ClientAbortException: java.net.SocketException: Connection reset'''<br />
<br />
This error message can be seen in the PINsafe log when a Windows login is attempting to use an animated gif. Turn off animated gifs and switch to 'Static' on Swivel. This is set under Server > Single Channel > Image Rendering. <br />
<br />
<br />
'''The third party class could not be found'''<br />
<br />
This error can also be created when the Swivel Administration console Server/Agents, Group is set to Any. A group should be specified.<br />
<br />
= Known Issues and Limitations =<br />
<br />
Installation on a Windows 2003 server without Terminal Services will only provide administrator logon, and only 3 simultaneous logins (including the console session).<br />
<br />
Installation on Windows XP will work, but only one user can log on at a time, and then only if no-one is logged on directly to the machine.<br />
<br />
There is a usability issue with Windows 2000: it takes about 20 seconds to display a TURing image. For this reason, we are not supporting Windows 2000 in this release, and recommend that if you absolutely have to use it, you should use Dual Channel only.<br />
<br />
The following are not supported for Single Channel Authentication when using the Windows GINA:<br />
*BUTton<br />
*PATtern<br />
*Animated Gifs<br />
<br />
Dual channel on-demand is not supported.<br />
<br />
The Windows GINA menu item is present, but there are no configurable options, so it is not selectable.<br />
<br />
<br />
= Additional Information =</div>Mtura