Windows Logon

    Setup

Create company Application

The “Applications” section lists every protected service that has been added to Ironchip, together with its settings. To add a service, click “New Application”; a new window opens.

In that window choose the new service: either one of the services in the list, or a customized service by clicking Custom Application. Another window opens.

Enter the data of the new service here. If you chose a service from the list its name is predefined; otherwise type one. The integration type is API Key. Then choose the security requirement that users must meet to access the service, which is one of two types:

  • Personal device.
  • Personal device + secure zone.

When all the fields are filled in, click Add Service; the service appears in the corresponding section.

Important: Save the API key returned when the service is created. It is shown only once, so download it now; you will need to enter it later when installing the plugin.

Give access to users

To add users to a service, go to the “Applications” section and select the service. On the service's information page, click Add User in the “Users with access to …” card.

In the window that opens select the user(s) to add and click Continue.

Next, configure the user's access to the service by following these steps:

  1. Verify the username and the security requirements; the username is edited by clicking the pencil icon. The username must be exactly the name the user types to log in to Windows, without the domain and without the email address. Click Continue.
  2. Select the personal device that will be used for the authentication process. Click Continue.
  3. Select the secure zones, personal and shared, that will be used to access the selected service. Click Continue.
  4. Verify all the selected settings and click Add Access.

The user is now added to the service with the selected configuration, which can be changed at any time.

Windows logon plugin installation

The Ironchip Windows Logon agent can be downloaded from the “Plugins” section of the Ironchip Location Based Authentication administration panel.

Once downloaded, run the installer.

Click Next, accept the terms of use on the next screen, and click Next again.

On the next screen the first option installs the Ironchip Windows Logon service; installation options can be chosen from the drop-down to the left of the service name.

The second option installs the Ironchip Windows Authenticator, a desktop authentication application. The drop-down to the left of its name offers the same installation preference options as the first option.

Installing this second option lets the same device be used to authenticate, and also allows an external device that carries the credentials to be used at authentication time.

If you are unsure of your choices, the Reset button restores the default values; when you are satisfied, click Next.

On the next screen select the environment the application points to. The production environment is set by default, so normally only Next needs to be clicked; if a change is needed at this step, our technical team will provide the values.

On the next screen enter the API key obtained when creating the service in the Ironchip API Key parameter and click Next.

On the following screen, once all the parameters are configured correctly, click Install.

If everything has been configured correctly and the installation has succeeded, the final screen is shown. Click Finish to complete the installation.

Important: If changes are later needed for the service to work correctly, run the installer again, click Next, and on the second screen choose the option Change.
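The wizard above asks for two values, the environment and the API key. The same installation can be done unattended by passing those values as Windows Installer public properties; the property names IRONCHIP_HOST and IRONCHIP_APIKEY are the ones this page shows later in the Orca transform. The following script is an added example and not part of the Ironchip documentation or installer: the installer file name and the service display name it looks for are assumptions.

```powershell
# Added example, not from the Ironchip documentation: unattended install of the
# Windows Logon agent with the values the wizard asks for (environment and API key)
# passed as Windows Installer public properties. IRONCHIP_APIKEY and IRONCHIP_HOST
# are the property names shown in the Orca section of this page; the installer file
# name and the service display name are assumptions.
param(
    [Parameter(Mandatory)] [string] $MsiPath,       # e.g. C:\Temp\IronchipWindowsLogon.msi (assumed name)
    [Parameter(Mandatory)] [string] $ApiKeyFile,    # file holding the API key saved from the panel
    [string] $IronchipHost = ''                     # empty keeps the installer's production default
)

$apiKey = (Get-Content -Path $ApiKeyFile -Raw).Trim()
if ([string]::IsNullOrWhiteSpace($apiKey)) { throw "API key file is empty: $ApiKeyFile" }

$log = Join-Path $env:TEMP 'ironchip-logon-install.log'
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$log`"",
             "IRONCHIP_APIKEY=$apiKey")
if ($IronchipHost) { $msiArgs += "IRONCHIP_HOST=$IronchipHost" }

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
# 0 = success; 3010 = success, reboot required. Anything else: keep the log and stop.
if ($proc.ExitCode -notin @(0, 3010)) {
    throw "msiexec exited with $($proc.ExitCode); details in $log"
}

# msiexec writes property values into a verbose log unless the package hides them,
# so the API key is in $log: remove the log once the install has succeeded.
Remove-Item -Path $log -ErrorAction SilentlyContinue

# Post-install check: the agent runs as a Windows service (display name assumed to contain "Ironchip").
$svc = Get-Service | Where-Object { $_.DisplayName -like '*Ironchip*' }
if (-not $svc) { Write-Warning 'No Ironchip service found; check the installer log and the API key.' }
else { $svc | Select-Object Name, DisplayName, Status | Format-Table -AutoSize }
if ($proc.ExitCode -eq 3010) { Write-Host 'Reboot required to complete the installation.' }
```

Run it from an elevated PowerShell, for example `.\Install-IronchipLogon.ps1 -MsiPath C:\Temp\IronchipWindowsLogon.msi -ApiKeyFile C:\Temp\apikey.txt`. Reading the key from a file rather than typing it on the command line keeps it out of shell history; the verbose MSI log still contains it, which is why the script deletes the log on success.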

Authentication

To authenticate to Windows, enter your username and password as usual. The user then receives a notification for the service on the registered device and authorizes the access there.

This authentication process takes a few seconds. When it finishes, the user is logged in and has been successfully authorized.


    Massive distribution

Massive installation of Windows Logon through GPOs.

With the Orca tool we generate a .mst transform file from the .msi installer.

Download the tool for editing .MSI files (Orca):

Download Windows components

Download the installer (.MSI file) that you want to transform.

Right-click the downloaded file and choose Edit with Orca.

Inside the tool, open the Transform tab and choose New transformation.

Then navigate to the Property table.

Here we can edit every option we consider necessary. For example, if we work in an environment other than production, we modify the IRONCHIP_HOST property and set the correct environment.

We also need to add a new row holding the API key. Double-click one of the blank areas, enter IRONCHIP_APIKEY as the Property and click OK.

A message appears indicating that the column has been modified successfully; click OK to continue.

Then, under Value, enter the API key generated for our application in the Ironchip management panel, and click OK.

After these steps the new property and its value are shown on screen.

To continue, go back to the Transform tab and choose Generate Transformation.

Name the file and save the changes.

We can then verify that the file with the .mst extension has been created in the chosen location.
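Before linking the GPO, it is worth confirming that the transform really sets the properties edited in Orca, and installing once by hand with the same .msi and .mst pair. The following script is an added example, not from the Ironchip documentation: it applies the .mst to the .msi in memory through the Windows Installer COM object and reads the resulting Property table. The share path and file names are assumptions.

```powershell
# Added example, not from the Ironchip documentation: read the Property table of the
# .msi with the .mst applied in memory, to confirm the transform really sets
# IRONCHIP_APIKEY (and IRONCHIP_HOST, if changed) before the GPO rolls it out.
# The share path and file names are assumptions.
function Get-MsiPropertiesWithTransform {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [Parameter(Mandatory)] [string] $MstPath
    )
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $invoke = 'InvokeMethod'
    # OpenDatabase mode 1 = msiOpenDatabaseModeTransact: changes are discarded unless Commit
    # is called, so applying the transform here never alters the .msi on disk.
    $db = $installer.GetType().InvokeMember('OpenDatabase', $invoke, $null, $installer, @($MsiPath, 1))
    $db.GetType().InvokeMember('ApplyTransform', $invoke, $null, $db, @($MstPath, 0))
    $view = $db.GetType().InvokeMember('OpenView', $invoke, $null, $db, @('SELECT Property, Value FROM Property'))
    $view.GetType().InvokeMember('Execute', $invoke, $null, $view, $null)

    $props = @{}
    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', $invoke, $null, $view, $null)
        if ($null -eq $rec) { break }
        $name  = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1))
        $value = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(2))
        $props[$name] = $value
    }
    $view.GetType().InvokeMember('Close', $invoke, $null, $view, $null)
    return $props
}

$share = '\\fileserver\IronchipLogon'                      # assumed share name
$msi   = Join-Path $share 'IronchipWindowsLogon.msi'       # assumed file names
$mst   = Join-Path $share 'IronchipWindowsLogon.mst'

$props = Get-MsiPropertiesWithTransform -MsiPath $msi -MstPath $mst
foreach ($name in 'IRONCHIP_HOST', 'IRONCHIP_APIKEY') {
    if ($props.ContainsKey($name) -and $props[$name]) {
        # print the host, but only the length of the key
        $shown = if ($name -eq 'IRONCHIP_APIKEY') { "<$($props[$name].Length) chars>" } else { $props[$name] }
        Write-Host "$name = $shown"
    } else {
        Write-Warning "$name is not set by the transform"
    }
}

# Pilot install on one machine with the same pair the GPO will use:
# msiexec.exe /i "$msi" TRANSFORMS="$mst" /qn /norestart /l*v "$env:TEMP\ironchip-pilot.log"
```

Transact mode needs write access to the folder holding the .msi, so run the check from a local copy if the share is read-only for you. Two points about the share itself: a computer-assigned package is installed before anyone logs on, under the machine account, so the share and NTFS permissions must grant read to the computer accounts (for example Domain Computers) and not only to users; and the .mst carries the API key in clear, so nobody beyond those computers and the administrators should be able to read the folder.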

Generate Group Policy (GPO).

Note: A shared folder, readable by the users/computers involved in the group policy, must be created first. Place both the .msi installer and the .mst file generated with Orca in the previous steps inside it.

On our server, in the Tools menu select Group Policy Management.

In the window that opens expand the domain node, right-click the domain and choose Create a GPO in this domain, and Link it here.

In the next window give the group policy a name; it is advisable to name it according to the action it performs. Then click OK to continue.

Once the policy has been created, right-click its name and choose Edit from the list of actions.

In the Policy Editor go to Computer Configuration > Policies > Software Settings > Software installation. Right-click Software installation and select New > Package.

In the file dialog it is important to select the .msi file from the shared folder created at the beginning, using its network path. Then click Open.

In the next window select the Advanced option and click OK.

The package properties window opens. Select the option Assigned (select it even if it is already checked); this enables the option Install this application at logon, which must also be checked.

Go to the Modifications tab and click Add.

Choose the .mst file generated before, again from the same shared folder used for the .msi file. Then click Open.

The path of the selected file is now shown; click OK.

Close the Group Policy Management window and open a Windows command console.

In the console run gpupdate /force. The system reports that the software installation policy cannot be applied without a restart and offers to reboot: type Y and press Enter, and the system restarts one minute later. Alternatively, restart the machine from the Start menu.

After this, the application is installed on all the machines covered by the GPO.

Note: This step must be done on all devices participating in the policy, clients and server.

White List Users by GPO

To add a whitelist of users when distributing by means of a Group Policy (GPO), follow these steps:

  1. On our server, in the Tools menu select Group Policy Management.
  2. In the window that opens expand the domain node, right-click the domain and choose Create a GPO in this domain, and Link it here.
  3. Use either the newly created policy or the same one used to distribute the application to the group of users previously added to a group, as described in the Windows Logon by GPO distribution section.
  4. To add the whitelist, edit the GPO and go to Computer Configuration > Preferences > Windows Settings > Registry. Right-click Registry and choose New > Registry Item.
  5. In the window that pops up, enter the following data in the General tab:

    • Action: Update.
    • Hive: HKEY_LOCAL_MACHINE.
    • Key Path: SOFTWARE\Ironchip\Logon
    • Value name: WhitelistUsers.
    • Value type: REG_MULTI_SZ
    • Value data: DOMAIN\Username, exactly as the user types it in the Ironchip Logon prompt. Put one user per line; to add several users, use one line for each.

    This field is interpreted as regular expressions (RegEx), which is why the backslash between domain and user is written as \\. This allows expressions for:

    a) Add a user:

    IRONCHIP\\username

    More specifically, to avoid errors caused by case sensitivity, add (?i) at the beginning:

    (?i)IRONCHIP\\username

    b) A user regardless of the domain:

    .*\\username

    The same, ignoring case:

    (?i).*\\username

    c) Exclude from a domain:

    (IRONCHIP\\.*)

    Note that this last expression matches every account in the IRONCHIP domain.

Once the values have been entered correctly and as specified, press Apply and then OK.
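Because the entries are regular expressions, it pays to test what each pattern matches before pushing the GPO. The following script is an added example, not from the Ironchip documentation: it writes the WhitelistUsers value on one machine (the same result the GPO registry item produces on every machine) and evaluates constructed logon names against the patterns with .NET regular expressions. That the agent tests the entries unanchored with .NET Regex is an assumption made here; the behaviour shown for the unanchored case should be confirmed against the agent.

```powershell
# Added example, not from the Ironchip documentation: write the WhitelistUsers value on a
# single machine (what the GPO registry item does on every machine) and check which logon
# names each pattern matches. The page states the entries are regular expressions; that
# the agent tests them unanchored with .NET Regex is an assumption made here.
$KeyPath = 'HKLM:\SOFTWARE\Ironchip\Logon'

function Set-IronchipWhitelist {
    param([Parameter(Mandatory)] [string[]] $Patterns)
    New-Item -Path $KeyPath -Force | Out-Null          # same effect as the GPO item's Action: Update
    Set-ItemProperty -Path $KeyPath -Name 'WhitelistUsers' -Value $Patterns -Type MultiString
}

function Get-IronchipWhitelist {
    (Get-ItemProperty -Path $KeyPath -Name 'WhitelistUsers').WhitelistUsers
}

function Test-WhitelistMatch {
    # Returns the patterns that match the name as typed in the logon prompt (DOMAIN\user).
    param([string] $LogonName, [string[]] $Patterns)
    $Patterns | Where-Object { [regex]::IsMatch($LogonName, $_) }
}

# Patterns as they would be typed into the GPO editor, one per line; single quotes keep \\ literal.
$patterns = @(
    '(?i)IRONCHIP\\jdoe',   # a) one user, case-insensitive
    '.*\\svc-backup',       # b) one user in any domain
    '(IRONCHIP\\.*)'        # c) every account in IRONCHIP
)
Set-IronchipWhitelist -Patterns $patterns

# Constructed logon names to exercise the list (not real accounts)
foreach ($name in 'ironchip\JDoe', 'CONTOSO\svc-backup', 'IRONCHIP\alice', 'contoso\alice', 'CONTOSO\svc-backup2') {
    $hits = @(Test-WhitelistMatch -LogonName $name -Patterns (Get-IronchipWhitelist))
    '{0,-22} -> {1}' -f $name, ($(if ($hits) { $hits -join ' | ' } else { 'no match' }))
}
```

Run elevated, since it writes under HKLM. Two results are worth noticing: `IRONCHIP\alice` is matched only by pattern c), because the other two name a specific user; and `CONTOSO\svc-backup2` is matched by `.*\\svc-backup`, because an unanchored expression also matches a longer name that contains the pattern. If the agent matches unanchored, an entry meant for exactly one account should therefore be anchored, for example `^(?i)IRONCHIP\\jdoe$`.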

    Ironchip as unique login method

Authentication only with Ironchip Windows Logon.

  1. Open the Group Policy Editor (Edit Group Policy).
  2. Under Computer Configuration, select the Administrative Templates folder.
  3. Then select the System folder.
  4. Open the Logon folder and choose the setting Exclude credential providers.
  5. This setting is initially (Not configured); select (Enabled).
  6. In the text field Exclude the following credential providers, enter the GUID of the credential provider named PasswordProvider.
  7. Click Apply, then OK. From then on, authentication is only possible with Ironchip Windows Logon.

Windows Logon as the only authentication method distributed by GPO.

On our server, in the Tools menu select Group Policy Management.

In the window that opens expand the domain node, right-click the domain and choose Create a GPO in this domain, and Link it here.

In the next window give the group policy a name; it is advisable to name it according to the action it performs. Then click OK to continue.

Once the policy has been created, right-click its name and choose Edit from the list of actions.

Under Computer Configuration select the Policies folder, and inside it the Administrative Templates folder.

Then select the System folder.

Open the Logon folder and choose the setting Exclude credential providers.

This setting is initially (Not configured); select (Enabled).

In the text field Exclude the following credential providers, enter the GUID of the credential provider named PasswordProvider.

Note: How to locate the GUIDs of your credential providers is described in this link:

Credential provider section in this documentation

Click Apply, then OK; authentication with Ironchip Windows Logon only is now enabled.

Close the Group Policy Management window and open a Windows command console.

In the console run gpupdate /force. The system reports that the policy cannot be fully applied without a restart and offers to reboot: type Y and press Enter, and the system restarts one minute later. Alternatively, restart the machine from the Start menu.

After this, the policy is applied on all the machines covered by the GPO.

Note: This step must be done on all devices participating in the policy, clients and server.

This is the result once the process is complete: the Windows logon screen offers only Ironchip Windows Logon.
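Both procedures above (local policy and domain GPO) need the GUID of PasswordProvider, and both remove the password fallback from the logon screen, so a machine on which the Ironchip provider is missing or broken cannot be logged into interactively. The following script is an added example, not from the Ironchip documentation: it reads the GUID from the registry by provider name, refuses to go ahead unless a third-party provider is registered, and writes the registry value behind the “Exclude credential providers” policy on one pilot machine. The registered name of the Ironchip provider is an assumption; list the providers first and adjust the pattern.

```powershell
# Added example, not from the Ironchip documentation: find the GUID of the built-in
# PasswordProvider by name, refuse to exclude it unless a third-party (Ironchip)
# credential provider is registered, and write the value that the
# "Exclude credential providers" policy sets, for a pilot machine.
# The Ironchip provider's registered name is an assumption.
$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$PolicyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-CredentialProviders {
    # Each subkey is the provider's CLSID; its default value is the provider name.
    Get-ChildItem -Path $ProvidersKey | ForEach-Object {
        [pscustomobject]@{ Guid = $_.PSChildName; Name = $_.GetValue('') }
    }
}

function Get-CredentialProviderGuid {
    param([Parameter(Mandatory)] [string] $Name)
    $match = Get-CredentialProviders | Where-Object { $_.Name -eq $Name }
    if (-not $match) { throw "No credential provider named '$Name' is registered" }
    $match.Guid
}

function Set-ExcludedCredentialProviders {
    param([Parameter(Mandatory)] [string[]] $Guids, [switch] $DryRun)
    $value = $Guids -join ','          # the policy stores a comma-separated REG_SZ
    if ($DryRun) { "Would set $PolicyKey\ExcludedCredentialProviders = $value"; return }
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'ExcludedCredentialProviders' -Value $value -Type String
}

# Show what is registered, so the name pattern below can be checked against reality.
Get-CredentialProviders | Format-Table -AutoSize

# Guard against locking the machine: only exclude passwords when the Ironchip provider is present.
$ironchip = Get-CredentialProviders | Where-Object { $_.Name -like '*Ironchip*' }   # name pattern assumed
if (-not $ironchip) { throw 'Ironchip credential provider not registered; not excluding PasswordProvider' }

$passwordGuid = Get-CredentialProviderGuid -Name 'PasswordProvider'
"PasswordProvider GUID: $passwordGuid"
Set-ExcludedCredentialProviders -Guids $passwordGuid -DryRun   # drop -DryRun to apply on the pilot machine
```

Use the printed GUID in the policy's text field; the local write is only for a pilot machine, since the GPO overwrites the same value on every machine it applies to. Link the GPO to a pilot OU first, confirm that an Ironchip logon and a second logon after a reboot both work there, and keep a tested recovery path for local administrators before extending the link to the whole domain.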