3.2 Configuring Optional Settings

The following list describes the optional settings that you can configure for Windows Client. Unless stated otherwise, each setting is added to the configuration file C:\ProgramData\NetIQ\Windows Client\config.properties.

  • disable_1N: true
    Disables the automatic detection of the user name for the Card and PKI methods. For more information, see Disabling 1:N.

  • disable_local_accounts: true
    In non-DNS mode, it is recommended to disable the local accounts. For more information, see Disabling the Local Accounts.

  • tenant_name
    If you use Multitenancy, you must point Windows Client to a specific tenant. For more information, see Configuration Settings for Multitenancy.

  • event_name: <CustomEventName>
    If you use both DNS and non-DNS based machines, you can use a custom event for specific machines. For more information, see Selecting an Event.

  • card.timeout: X
    Changes the default Card waiting timeout. For more information, see Configuring Timeout for Card Waiting.

  • card.fail_on_timeout: true
    Treats the Card waiting timeout as a login failure. For more information, see Enabling Login Failure After Card Timeout.

  • logo_path: C:\\dir\\filename.png
    Customizes the logo of Windows Client. For more information, see Customizing a Logo.

  • verifyServerCertificate: true
    Enables the verification of server certificates for the LDAP connection. For more information, see Configuring to Verify Server Certificates.

  • force_offline_enabled: true
    Allows users to force an offline login manually. For more information, see Configuring to Force Offline Login Manually.

  • forceCachedLogon: true
    Enables the cached login for client unlock. For more information, see Configuring the Enforced Cached Login.

  • sso_aaf_required: true
    Configures single sign-on for Citrix and Remote Desktop. For more information, see Configuring Single Sign-on Support for Citrix and Remote Desktop.

  • endpoint_name
    Edits the name of an endpoint. For more information, see Changing an Endpoint Name.

  • authentication_agent_enabled = true
    Enables the Authentication Agent chain in Windows Client. For more information, see Configuring to Enable the Authentication Agent Chain.

  • credprov_chaining_clsid, credprov_chaining_enabled, credprov_chaining_password_field, credprov_chaining_username_field
    Integrate Advanced Authentication with Sophos SafeGuard. For more information, see Configuring Integration with Sophos SafeGuard 8.

  • credprov_chaining_clsid, credprov_chaining_enabled, credprov_chaining_dump_fields, credprov_chaining_password_field, credprov_chaining_username_field
    Configure the credential provider chaining. For more information, see Configuring the Credential Provider Chaining.

The following sections describe these settings, together with the settings that you configure in the registry (automatic login and the login page background):

3.2.1 Disabling 1:N

You can disable the 1:N feature that allows you to detect the user name automatically while authenticating with the Card and PKI methods.

To disable the 1:N feature, perform the following steps:

  1. Open the file C:\ProgramData\NetIQ\Windows Client\config.properties. If the file does not exist, create a new file.

  2. Add the line disable_1N: true to the config.properties file.

  3. Save the config.properties file and restart the Windows operating system.

3.2.2 Disabling the Local Accounts

It is recommended to disable local accounts for the non-DNS mode to ensure security.

To disable the local accounts, perform the following steps:

  1. Open the file C:\ProgramData\NetIQ\Windows Client\config.properties. If the file does not exist, create a new file.

  2. Add a parameter disable_local_accounts: true to the config.properties file.

If you do not disable the local accounts for a non-DNS mode, it is possible to unlock the operating system and change the password using a local account with password authentication (one factor). This can lead to security issues.
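The two settings above, and every other config.properties setting on this page, can be applied from an elevated PowerShell prompt with the helper below. It is an added example and not part of the NetIQ documentation or product; it assumes one "key: value" (or "key = value") setting per line, as the examples in this documentation show, and that the file is plain ASCII text.

```powershell
# Idempotently set one key in the Windows Client config.properties file.
# Assumption: one "key: value" (or "key = value") setting per line, as shown in this documentation.
function Set-AAClientProperty {
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Value,
        [string]$Path = 'C:\ProgramData\NetIQ\Windows Client\config.properties'
    )
    $lines = @()
    if (Test-Path -LiteralPath $Path) {
        $lines = @(Get-Content -LiteralPath $Path)
    } else {
        # The procedures say to create the file if it does not exist; make sure the folder exists too.
        New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
    }
    # Match the key at the start of a line with either separator; replace the first hit, drop duplicates.
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*[:=]'
    $newLine = "${Key}: $Value"
    $replaced = $false
    $out = @(foreach ($line in $lines) {
        if ($line -match $pattern) {
            if (-not $replaced) { $newLine; $replaced = $true }
        } else {
            $line
        }
    })
    if (-not $replaced) { $out += $newLine }
    # Written as plain ASCII text (assumption about the encoding the client expects; all keys here are ASCII).
    Set-Content -LiteralPath $Path -Value $out -Encoding ASCII
}

# Apply the settings from sections 3.2.1 and 3.2.2; run as administrator, then restart as the procedures require.
Set-AAClientProperty -Key 'disable_1N' -Value 'true'
Set-AAClientProperty -Key 'disable_local_accounts' -Value 'true'
Get-Content -LiteralPath 'C:\ProgramData\NetIQ\Windows Client\config.properties'
```

Running the same call twice leaves a single line for the key, so the helper is safe to use from a configuration script that runs repeatedly.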

3.2.3 Configuration Settings for Multitenancy

If the Multi-tenancy option is enabled, you must add the parameter tenant_name with a tenant name as the value in the configuration file: C:\ProgramData\NetIQ\Windows Client\config.properties.

For example, specify tenant_name=TOP for the top tenant in the file. If the configuration file does not exist, you must create it.

NOTE: If you do not add the parameter tenant_name, you might get the error Tenant not found.

3.2.4 Selecting an Event

By default, Windows Client uses the Windows logon event for authentication. However, in some scenarios you must create a separate custom event. For example, when the predefined event is used for DNS-based workstations, you can create a custom event of type Generic for the non-DNS-based workstations. You must point these non-DNS-based workstations to the custom event using the event_name: <CustomEventName> parameter in the configuration file:

C:\ProgramData\NetIQ\Windows Client\config.properties

3.2.5 Configuring Timeout for Card Waiting

You can configure the time for which the card waiting dialog is displayed when a user authenticates with the Card method. If the user does not present the card within the timeout period, the Hardware timeout message is displayed, the card waiting dialog is closed, and the user login selection screen is displayed.

By default, the card timeout is 60 seconds.

To configure the timeout for card waiting, perform the following steps:

  1. Open the configuration file C:\ProgramData\NetIQ\Windows Client\config.properties. If the file does not exist, create a new file.

  2. Specify card.timeout: X in the config.properties file. X is the timeout value in seconds.

  3. Save the configuration file.

  4. Restart the Windows operating system.

3.2.6 Enabling Login Failure After Card Timeout

By default, the card timeout is not considered as a login failure. However, you can configure the card timeout as a login failure.

To enable login failure during card timeout, perform the following steps:

  1. Open the file C:\ProgramData\NetIQ\Windows Client\config.properties. If the file does not exist, create a new file.

  2. Specify card.fail_on_timeout: true in the config.properties file.

  3. Save the configuration file.

  4. Restart the Windows operating system.

3.2.7 Configuring Automatic Login

To enable the Windows operating system to perform an automatic login, perform the following steps:

  1. Go to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

  2. In this registry key, you must set the following values:

    • DefaultDomainName

    • DefaultPassword

    • DefaultUserName

For more information about how to enable automatic login on Windows, see the Microsoft Support link.

3.2.8 Customizing a Logo

You can customize the logo of Windows Client according to your requirement. The format of the logo must meet the following requirements:

  • Image format: png, jpg, gif

  • Resolution: 400x400px

  • Maximum file size: 100 KB

To customize the logo, perform the following steps:

  1. Open the configuration file C:\ProgramData\NetIQ\Windows Client\config.properties. If the file does not exist, create a new file.

  2. Specify logo_path: C:\\dir\\filename.png in the config.properties file.

    You cannot use a logo from a shared folder.

  3. Save the configuration file.

  4. Restart the Windows operating system.
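The requirements above can be checked before the logo_path line is added; the block below is an added example, not from the documentation. It also produces the line with the doubled backslashes that step 2 expects, and assumes Windows PowerShell with the System.Drawing assembly available and a constructed example path.

```powershell
# Check a logo file against the requirements listed above and return a list of problems (empty = OK).
function Test-AAClientLogo {
    param([Parameter(Mandatory)][string]$Path)
    $problems = @()
    # Shared folders are not allowed: reject UNC paths outright.
    if ($Path -like '\\*') { $problems += 'logo must be a local file, not a shared folder (UNC path)' }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $problems + "file not found: $Path" }
    $ext = [IO.Path]::GetExtension($Path).TrimStart('.').ToLowerInvariant()
    if ($ext -notin @('png', 'jpg', 'gif')) { $problems += "format '$ext' is not png, jpg or gif" }
    $bytes = (Get-Item -LiteralPath $Path).Length
    if ($bytes -gt 100KB) { $problems += "file is $bytes bytes; the maximum is 100 KB" }
    Add-Type -AssemblyName System.Drawing
    $img = [System.Drawing.Image]::FromFile($Path)
    try {
        if ($img.Width -ne 400 -or $img.Height -ne 400) {
            $problems += "resolution is $($img.Width)x$($img.Height) px; expected 400x400 px"
        }
    } finally { $img.Dispose() }
    return $problems
}

# Build the config.properties line: every backslash in the path is doubled, as in C:\\dir\\filename.png.
function New-AALogoPathLine {
    param([Parameter(Mandatory)][string]$Path)
    return 'logo_path: ' + ($Path -replace '\\', '\\')
}

$logo = 'C:\Branding\logo.png'   # constructed example path
$issues = Test-AAClientLogo -Path $logo
if ($issues.Count -eq 0) {
    New-AALogoPathLine -Path $logo   # add this line to config.properties, then restart
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```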

3.2.9 Configuring to Verify Server Certificates

This option ensures that a workstation connects only to Advanced Authentication servers that present a valid SSL certificate, including a self-signed certificate that the workstation trusts. This helps to prevent attacks on the connection and ensures safe authentication.

The verification of server certificates is disabled by default. Before you enable it, you must import the trusted certificates into the Local Computer\Trusted Root Certification Authorities store.

To enable verification of the server certificates, perform the following steps:

  1. Open the configuration file C:\ProgramData\NetIQ\Windows Client\config.properties.

    If the file does not exist, create a new file.

  2. Specify verifyServerCertificate: true (default value is false) in the config.properties file.

  3. Restart the Windows operating system.

NOTE: You must upload the SSL certificate in the Administration portal under Server Options. The SSL certificate provides a high level of encryption, security, and trust. For more information about how to upload the SSL certificate, see Uploading the SSL Certificate.
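Before switching verifyServerCertificate to true, it is worth confirming that the workstation's own certificate stores already trust the chain the server presents, because after the change a connection whose chain does not validate will fail. The check below is an added example, not part of the documentation; the server name is a placeholder, and it assumes the check runs on the workstation itself.

```powershell
# Fetch the certificate presented by an Advanced Authentication server and validate its chain
# against this workstation's certificate stores (the same trust the client relies on).
function Test-AAServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,   # placeholder, e.g. aa-server.example.test
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any certificate during the handshake; the trust decision is made explicitly below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
    # X509Chain consults the CurrentUser and LocalMachine stores, including Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    # Hostname check: the server name must be the certificate's DNS name or appear in the
    # Subject Alternative Name extension (wildcard names are not handled here).
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $sanText = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        ForEach-Object { $_.Format($false) }) -join ' '
    $nameOk = ($dnsName -eq $Server) -or ($sanText -match [regex]::Escape($Server))
    [pscustomobject]@{
        Server        = $Server
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        ChainTrusted  = $trusted
        ChainStatus   = ($status -join ', ')
        HostnameMatch = $nameOk
        SafeToEnable  = ($trusted -and $nameOk -and ($cert.NotAfter -gt (Get-Date)))
    }
}

# Example run against a placeholder server; SafeToEnable must be True before you set verifyServerCertificate: true.
Test-AAServerCertificate -Server 'aa-server.example.test' | Format-List
```

A ChainStatus of UntrustedRoot means the self-signed or CA certificate has not yet been imported into Local Computer\Trusted Root Certification Authorities.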

3.2.10 Configuring to Force Offline Login Manually

In scenarios where the network connection is slow or unstable, you can allow users to force an offline login manually. This saves the user time during the login process.

To allow users to force offline login manually, perform the following steps:

  1. Open the configuration file C:\ProgramData\NetIQ\Windows Client\config.properties. If the file does not exist, create a new file.

  2. Specify force_offline_enabled: true (default value is false) in the config.properties file.

  3. Save the configuration file.

  4. Restart the Windows operating system.

When you set the parameter to true, an Offline logon check box appears on the user’s login screen. If a user selects Offline logon, Windows Client does not try to reach an Advanced Authentication server but uses the cache directly.

You can also set the offline login as a default value by specifying force_offline_default: true in the config.properties file. This enables the Offline logon check box to be selected by default on the user’s login screen.

NOTE: Before you force offline login, a user must have logged in to the workstation once (with online login) to cache the authenticators.

IMPORTANT: The force offline login method has been introduced as a temporary workaround. It is recommended to use the Configuring the Enforced Cached Login method.

3.2.11 Configuring the Enforced Cached Login

When the network connection is slow or unstable, the client login or unlock process can take several minutes. A solution is to enforce the cached login: the client then logs the user in from the cache and connects to the Advanced Authentication server in the background afterwards to validate the credentials. By default, the enforced cached login is not used and the client always tries to connect to the Advanced Authentication server to validate the credentials.

Perform the following steps to allow users to use the enforced cached login:

  1. Open the configuration file C:\ProgramData\NetIQ\Windows Client\config.properties. If the file does not exist, create a new file.

  2. Specify forceCachedLogon: true (default value is false) in the config.properties file.

  3. Save the configuration file.

  4. Restart the Windows operating system.

NOTE: The enforced cached login method is preferred over the Configuring to Force Offline Login Manually method.

3.2.12 Configuring Single Sign-on Support for Citrix and Remote Desktop

You can configure the Windows Client to use Single Sign-on (SSO) when establishing a connection to a Citrix or Remote Desktop server. After users have authenticated to the Windows domain, they are not prompted for credentials again when they connect to terminal servers such as Citrix StoreFront and Remote Desktop Connection. To achieve this, you must install the Advanced Authentication Windows Client on the terminal server.

NOTE: When SSO for Remote Desktop is enabled, the Interactive logon: Smart card removal behavior policy is ignored. You must disable SSO for this policy to work.

The SSO feature is enabled by default for accessing the terminal servers. By default, SSO works regardless of whether the Advanced Authentication Windows Client is installed on the terminal client.

To enable SSO only when the Advanced Authentication Windows Client is installed on the terminal client, perform the following steps:

  1. Open the config.properties file in C:\ProgramData\NetIQ\Windows Client.

    If the file does not exist, create a new file.

  2. In the config.properties file, specify sso_aaf_required: true (default value is false).

  3. Save the configuration file.

  4. Restart the Windows operating system.

To disable the SSO feature, perform the following steps:

  1. Open the config.properties file in C:\ProgramData\NetIQ\Windows Client.

    If the file does not exist, create a new file.

  2. In the config.properties file, specify sso_logon_enabled: false.

  3. Save the configuration file.

  4. Restart the Windows operating system.

3.2.13 Customizing the Login Page Background Screen

You can customize the background image of the login page in Windows 7 and later versions as per your requirement.

The default image is set as background on the login page of the Windows Client.

To change the background image, perform the following steps:

  1. Click Start and specify regedit in the Run command prompt.

    The User Account Control (UAC) prompt is displayed.

  2. Click Yes, then navigate to the Background key.

    NOTE: The Background key is located under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI.

  3. Set the OEMBackground entry to 1.

    NOTE: If the OEMBackground entry does not exist, create it and set the value to 1.

  4. Navigate to the C:\Windows\System32\Oobe directory and create a directory named info.

  5. Create a directory named backgrounds inside info.

  6. Copy the preferred background image into the backgrounds directory and rename it to backgrounddefault.jpg.

  7. Click Start and specify GPEDIT.MSC in the Run command prompt.

    The Local Group Policy Editor is displayed.

  8. Navigate to Local Computer Policy\Administrative Templates\System\Logon.

  9. Enable the Always use custom logon background setting.
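Steps 1 to 9 can be carried out from an elevated PowerShell prompt with the added script below, which is not from the documentation. It assumes that the Group Policy setting in step 9 corresponds to the UseOEMBackground value under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, and the source image path is a placeholder.

```powershell
# Apply a custom logon background (OEMBackground), following the steps above.
function Set-LogonBackground {
    param([Parameter(Mandatory)][string]$SourceImage)   # placeholder path to a .jpg file
    if (-not (Test-Path -LiteralPath $SourceImage -PathType Leaf)) { throw "image not found: $SourceImage" }
    # Windows 7 documents a 256 KB limit for backgrounddefault.jpg; larger files are ignored, so check first.
    $size = (Get-Item -LiteralPath $SourceImage).Length
    if ($size -gt 256KB) { throw "image is $size bytes; backgrounddefault.jpg must be at most 256 KB" }

    # Steps 2 and 3: enable OEMBackground under ...\Authentication\LogonUI\Background (created if missing).
    $bgKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background'
    if (-not (Test-Path $bgKey)) { New-Item -Path $bgKey -Force | Out-Null }
    Set-ItemProperty -Path $bgKey -Name 'OEMBackground' -Value 1 -Type DWord

    # Steps 4 to 6: %SystemRoot%\System32\Oobe\info\backgrounds\backgrounddefault.jpg
    $bgDir = Join-Path $env:SystemRoot 'System32\Oobe\info\backgrounds'
    New-Item -ItemType Directory -Path $bgDir -Force | Out-Null
    Copy-Item -LiteralPath $SourceImage -Destination (Join-Path $bgDir 'backgrounddefault.jpg') -Force

    # Steps 7 to 9: the "Always use custom logon background" policy (assumed registry equivalent).
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    if (-not (Test-Path $polKey)) { New-Item -Path $polKey -Force | Out-Null }
    Set-ItemProperty -Path $polKey -Name 'UseOEMBackground' -Value 1 -Type DWord
}

# Report what is currently applied, so the result can be verified before the next logon.
function Get-LogonBackgroundState {
    $bgKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background'
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    [pscustomobject]@{
        OEMBackground    = (Get-ItemProperty -Path $bgKey -ErrorAction SilentlyContinue).OEMBackground
        UseOEMBackground = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).UseOEMBackground
        ImagePresent     = Test-Path (Join-Path $env:SystemRoot 'System32\Oobe\info\backgrounds\backgrounddefault.jpg')
    }
}

Set-LogonBackground -SourceImage 'C:\Branding\logon.jpg'   # placeholder image path
Get-LogonBackgroundState
```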

3.2.14 Changing an Endpoint Name

You can edit the name of an endpoint based on your requirement.

To change an endpoint name, perform the following steps:

  1. Open the configuration file C:\ProgramData\NetIQ\Windows Client\config.properties. If the file does not exist, create a new file.

  2. Specify endpoint_name: <endpoint name> in the config.properties file. For example, the endpoint name can be computer 1.

  3. Save the configuration file.

  4. Restart the Windows operating system.

3.2.15 Configuring to Enable the Authentication Agent Chain

The Authentication Agent allows you to authenticate on one computer to which all the devices required for authentication are connected. This gives you authorized access to another computer or a z/OS mainframe where one of the following conditions is true:

  • It is not possible to redirect the authentication devices to it.

  • It does not support the devices that are used for authentication.

The Authentication Agent can be installed only on a Windows computer.

You must select Authentication Agent in the Chains list of Windows Client to initiate the authentication process on another Windows computer where the Authentication Agent is installed.

To enable the Authentication Agent chain on the Windows Client, perform the following steps:

  1. Navigate to C:\ProgramData\NetIQ\Windows Client path and open the file config.properties.

    If the configuration file does not exist, you must create it.

  2. Specify authentication_agent_enabled = true in the configuration file.

  3. Click Save.

  4. Restart your computer.

An Example of Using the Authentication Agent

This scenario describes how you can authenticate on one Windows computer and sign in automatically to another Windows computer using the Authentication Agent.

Thomas uses two Windows computers simultaneously. However, the devices required for authentication, such as a FIDO U2F token and a card reader, are connected to only one of them. He cannot authenticate to the other computer because no authentication devices are connected to it and the devices cannot be redirected. In this case, Thomas can use the Authentication Agent to authenticate on the first Windows computer and get seamless access to the second one without the authentication devices.

Consider the following setup:

  • Windows A is a computer with the Authentication Agent installed and is connected with the devices used for authentication such as FIDO U2F token and card reader.

  • Windows B is a computer without the authentication devices, on which the Authentication Agent chain is enabled using the config.properties file.

The following sequence describes the authentication process using the Authentication Agent:

  1. Specify the user name and select the Authentication Agent chain on the Windows B computer.

  2. The Authentication Agent on the Windows A computer launches a restricted browser.

  3. Select the preferred chain to log in to Windows B in the restricted browser.

  4. Perform the authentication using the FIDO U2F token and card reader in the restricted browser.

    Thomas is logged in to the Windows B computer automatically.

3.2.16 Configuring Integration with Sophos SafeGuard 8

This section provides the configuration information for integrating Advanced Authentication with the Sophos SafeGuard 8 easy solution. When users have authenticated to Windows Client, they are not prompted for credentials again to connect to Sophos SafeGuard.

With this integration, Advanced Authentication is set as the primary credential provider in Windows Client. The Advanced Authentication server validates the credentials provided by the user and transmits them to the Sophos credential provider, which allows single sign-on to Sophos SafeGuard.

To integrate Advanced Authentication with the Sophos SafeGuard 8, perform the following steps:

  1. Navigate to the path C:\ProgramData\NetIQ\Windows Client and open the file config.properties.

  2. Specify the following parameters with corresponding values in the configuration file:

    • credprov_chaining_clsid: {5CDFA681-61C8-423d-999E-32EA10C5F7ED}

    • credprov_chaining_enabled: True

    • credprov_chaining_password_field: 9

    • credprov_chaining_username_field: 8

  3. Save the configuration.

  4. Log out and log in again.

3.2.17 Configuring the Credential Provider Chaining

This option allows you to integrate Advanced Authentication with any other credential provider in Windows Client. When users have authenticated to Windows Client, they are not prompted for credentials again by the other credential provider installed on the workstation.

To integrate Advanced Authentication with other credential provider, perform the following steps:

  1. Enable the debug logs for Windows Client.

    For more information about debugging the logs of Windows Client, see Debugging Logs for Advanced Authentication.

  2. Navigate to the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\ and search for the CLSID of the credential provider with which you want to integrate Advanced Authentication.

    Copy the CLSID for later use.

  3. Navigate to the path C:\ProgramData\NetIQ\Windows Client\ and open the file config.properties.

  4. Specify the following parameters in the configuration file:

    • credprov_chaining_clsid: <CLSID>

    • credprov_chaining_enabled: True

    • credprov_chaining_dump_fields: True

    • credprov_chaining_password_field: 0

    • credprov_chaining_username_field: 0

    For example: The CLSID of Sophos SafeGuard is 5CDFA681-61C8-423d-999E-32EA10C5F7ED. Therefore, set the CLSID parameter as follows:

    credprov_chaining_clsid: {5CDFA681-61C8-423d-999E-32EA10C5F7ED}

  5. Log out and log in again.

  6. Navigate to the path C:\ProgramData\NetIQ\Windows Client\Logging\Logs and search for CpChaining::dumpFields in the log file.

  7. Search for the fields that contain the label for the user name and password fields. Set the ID of these fields to the following parameters in the configuration file:

    • credprov_chaining_password_field:

    • credprov_chaining_username_field:

    For example: Consider that the Sophos SafeGuard 8 login form contains the user name and password fields, and that the IDs of these fields are 8 and 9 respectively. The parameters are then set as follows:

    • credprov_chaining_password_field: 9

    • credprov_chaining_username_field: 8

    For more information, see Configuring Integration with Sophos SafeGuard 8.

  8. Save the changes in the configuration file.

    NOTE: More than one field may carry a label such as username or password. In that case, try the different fields and test the login process.

  9. Log out and log in again.

    After providing the credentials, if you are able to sign in to the credential provider automatically, remove the parameter credprov_chaining_dump_fields: True from the configuration file.

    NOTE: While searching for the labels, examine the field type as well. The field type is indicated by one of the following values:

    • 0 - invalid

    • 1 - large text (label)

    • 2 - small text (label)

    • 3 - command link

    • 4 - edit box

    • 5 - password box

    • 6 - tile image

    • 7 - check box

    • 8 - combo box

    • 9 - submit button
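The registry lookup in step 2, the parameter lines from steps 4 and 7, and the log search in step 6 can be scripted; the block below is an added example, not part of the documentation or product. It assumes that each subkey under Credential Providers is named with the provider's CLSID in braces and carries the provider's display name as its default value, that the Logs folder holds plain-text log files, and that the display-name filter for Sophos SafeGuard is a guess.

```powershell
$cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$logDir = 'C:\ProgramData\NetIQ\Windows Client\Logging\Logs'

# Step 2: list the registered credential providers. Each subkey is named with the provider's
# CLSID in braces and (assumption) carries the provider's display name as its default value.
function Get-CredentialProviderClsid {
    param([string]$NameFilter = '*')
    Get-ChildItem -Path $cpRoot | ForEach-Object {
        [pscustomobject]@{ Clsid = $_.PSChildName; Name = [string]$_.GetValue('') }
    } | Where-Object { $_.Name -like $NameFilter }
}

# Steps 4 and 7: build the credprov_chaining_* lines for config.properties. The CLSID is
# normalised to the braced form shown above; field IDs stay 0 until dumpFields has revealed them.
function New-AAChainingSettings {
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [int]$UsernameField = 0,
        [int]$PasswordField = 0,
        [switch]$DumpFields   # keep this on until the chained sign-in works, then remove it (step 9)
    )
    $bare = $Clsid.Trim('{', '}')
    if ($bare -notmatch '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$') {
        throw "not a CLSID: $Clsid"
    }
    $lines = @("credprov_chaining_clsid: {$bare}", 'credprov_chaining_enabled: True')
    if ($DumpFields) { $lines += 'credprov_chaining_dump_fields: True' }
    $lines += "credprov_chaining_password_field: $PasswordField"
    $lines += "credprov_chaining_username_field: $UsernameField"
    return $lines
}

# Step 6: pull the CpChaining::dumpFields lines from the newest log file in the Logs folder,
# so the user name and password field IDs can be read off without opening the file by hand.
function Get-AADumpedFields {
    $latest = Get-ChildItem -Path $logDir -File | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $latest) { return @() }
    Select-String -Path $latest.FullName -Pattern 'CpChaining::dumpFields' -SimpleMatch |
        ForEach-Object { $_.Line }
}

# First pass: find the provider (the display-name filter is an assumption) and enable field dumping.
$provider = Get-CredentialProviderClsid -NameFilter '*SafeGuard*' | Select-Object -First 1
if ($provider) { New-AAChainingSettings -Clsid $provider.Clsid -DumpFields }
# After logging out and in again, read the IDs from the log:
Get-AADumpedFields
# Second pass with the IDs known (8 = user name, 9 = password in the Sophos SafeGuard 8 example above):
New-AAChainingSettings -Clsid '{5CDFA681-61C8-423d-999E-32EA10C5F7ED}' -UsernameField 8 -PasswordField 9
```

The returned lines are what you paste into config.properties; on the second pass, leave credprov_chaining_dump_fields out, as step 9 says.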