Tag: credential

How to filter credential providers from the Windows Logon User Interface using Aloaha's Credential Provider Filter

Some weeks ago we explained how to disable unwanted Credential Providers completely:

http://blog.aloaha.com/2012/08/20/how-to-hide-credential-providers-from-the-windows-logon-user-interface-using-windows-group-policy/

Aloaha Credential Provider Filter

In some cases Credential Providers should be hidden from the Logon User Interface BUT still be usable from within the session. For example, someone might not want to see the Username/Password tile during logon but still needs it when mounting a network drive or connecting via RDP to another machine. In those cases you cannot hide or disable the providers via Windows Group Policy, because the policy exclusion also applies to the UAC and RunAs dialogs and to credential prompts inside the session; a Credential Provider Filter is required instead.

Aloaha Smartlogin comes with an integrated Credential Provider Filter that hides tiles from the Windows Logon Interface WITHOUT removing their functionality inside the session.

To activate the Aloaha Credential Provider Filter, open the file UserPass.ini in the installation folder. In the section [CredentialProviders] you can configure a separate filter for each provider, keyed by the provider's CLSID. To enable a filter, set its value to 1. Below is the section that hides ALL non-Aloaha providers:

[CredentialProviders]
25CBB996-92ED-457e-B28C-4774084BD562=1
3dd6bec0-8193-4ffe-ae25-e08e39ea4063=1
503739d0-4c5e-4cfd-b3ba-d881334f0df2=1
6f45dc1e-5384-457a-bc13-2cd81b0d28ed=1
8bf9a910-a8ff-457f-999f-a5ca10b4a885=1
94596c7e-3744-41ce-893e-bbf09122f76a=1
AC3AC249-E820-4343-A65B-377AC634DC09=1
e74e57b0-6c6d-44d5-9cda-fb2df5ed7435=1
F8A0B131-5F68-486c-8040-7E8FC3C85BB6=1

How to hide credential providers from the Windows Logon User Interface using Windows Group Policy

After installation of Aloaha Smart Login, several credential providers are available for logon from the Windows logon user interface. This article explains how to hide certain credential providers from the Windows logon user interface via Group Policy. If you want Aloaha to hide the other credential providers automatically, please have a look at: http://blog.aloaha.com/2012/08/14/aloaha-smartlogin-ini-settings/

This way, you can ensure that only the Aloaha credential provider is available for logon.

What To Do

To hide the Microsoft Windows 7 default credential providers after installation of Aloaha, a Windows Group Policy setting has to be configured, using either the Local Group Policy Editor (gpedit.msc) or the Group Policy Management Console (gpmc.msc).

  1. Modify an existing group policy or create a new one and navigate to the “Exclude credential providers” setting:
     Computer Configuration | Policies | Administrative Templates | System | Logon | Exclude credential providers.
  2. Open the properties of the group policy setting and set the policy to “Enabled”.
  3. In the “Exclude the following credential providers” field, enter the CLSIDs of the credential providers to exclude from the authentication process, separated by commas.

If you only want to hide certain credential providers, the following is the list of the default Windows 7 credential providers and their CLSIDs:

Credential Provider, CLSID

  • GenericProvider, {25CBB996-92ED-457e-B28C-4774084BD562}
  • NPProvider, {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}
  • VaultCredProvider, {503739d0-4c5e-4cfd-b3ba-d881334f0df2}
  • PasswordProvider, {6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
  • Password Provider\LogonPasswordReset, {8841d728-1a76-4682-bb6f-a9ea53b4b3ba}
  • Smartcard Credential Provider, {8bf9a910-a8ff-457f-999f-a5ca10b4a885}
  • Smartcard Pin Provider, {94596c7e-3744-41ce-893e-bbf09122f76a}
  • WinBio Credential Provider, {AC3AC249-E820-4343-A65B-377AC634DC09}
  • CertCredProvider, {e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}

On a system with Aloaha installed, all other credential providers may be hidden using the following string:
{25CBB996-92ED-457e-B28C-4774084BD562},{3dd6bec0-8193-4ffe-ae25-e08e39ea4063},{503739d0-4c5e-4cfd-b3ba-d881334f0df2},{6f45dc1e-5384-457a-bc13-2cd81b0d28ed},{8841d728-1a76-4682-bb6f-a9ea53b4b3ba},{8bf9a910-a8ff-457f-999f-a5ca10b4a885},{94596c7e-3744-41ce-893e-bbf09122f76a},{AC3AC249-E820-4343-A65B-377AC634DC09},{e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}

After applying the setting, only the Aloaha credential provider is shown during the authentication process.

To check for additionally installed 3rd party credential providers, open the registry on the Windows 7 machine and browse to the following location: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers]. Each provider is registered as a subkey named after its CLSID, and the subkey's default value is the provider's display name. Check for any 3rd party credential provider you want to hide and write down the provider's CLSID. Configure the CLSID in the above mentioned group policy to hide the 3rd party credential provider.
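The PowerShell script below is an added example for this post (it is not part of Aloaha Smart Login) that automates the registry check above. It lists every registered credential provider and credential provider filter with its CLSID, display name and the DLL that implements it, shows the CLSIDs the “Exclude credential providers” policy currently hides (Group Policy stores that list as the ExcludedCredentialProviders value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System), and builds the comma-separated exclusion string for every provider except those whose display name matches a pattern. The pattern 'Aloaha*' is an assumption; take the real name from the inventory output. The same inventory gives you the CLSIDs for the [CredentialProviders] section of UserPass.ini from the previous post.

```powershell
# Added example (not Aloaha's code): inventory the credential providers and
# credential provider filters registered on this machine, show what the
# "Exclude credential providers" policy currently hides, and build the
# comma-separated exclusion string that hides everything except the
# providers you name. Read-only: it never writes to the registry.

$ProviderKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$FilterKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'
# Registry location the "Exclude credential providers" group policy writes to.
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegisteredComServer {
    # Resolve a CLSID to the DLL that implements it, so you can see which
    # product actually backs each tile (Microsoft providers live in System32).
    param([string]$Clsid)
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path $inproc) { (Get-ItemProperty $inproc).'(default)' } else { '<not registered>' }
}

function Get-CredentialProviderInventory {
    param([string]$Key, [string]$Kind)
    Get-ChildItem $Key -ErrorAction SilentlyContinue | ForEach-Object {
        # The subkey name is the CLSID; the subkey's default value is the display name.
        $clsid = $_.PSChildName
        [pscustomobject]@{
            Kind  = $Kind
            Name  = (Get-ItemProperty $_.PSPath).'(default)'
            CLSID = $clsid
            Dll   = Get-RegisteredComServer $clsid
        }
    }
}

$inventory = @(Get-CredentialProviderInventory $ProviderKey 'Provider') +
             @(Get-CredentialProviderInventory $FilterKey   'Filter')
$inventory | Format-Table Kind, Name, CLSID, Dll -AutoSize

# What the policy currently excludes (empty when the policy is not configured).
$excluded = (Get-ItemProperty $PolicyKey -Name ExcludedCredentialProviders -ErrorAction SilentlyContinue).ExcludedCredentialProviders
"Currently excluded by policy: $(if ($excluded) { $excluded } else { '<none>' })"

function New-ExclusionString {
    # Build the value for "Exclude the following credential providers":
    # every registered provider except those whose display name matches a $Keep pattern.
    param([object[]]$Providers, [string[]]$Keep)
    $hide = $Providers | Where-Object { $_.Kind -eq 'Provider' } |
            Where-Object { $name = $_.Name; -not ($Keep | Where-Object { $name -like $_ }) }
    ($hide | ForEach-Object { $_.CLSID }) -join ','
}

# 'Aloaha*' is an assumed display-name pattern; substitute whatever the
# inventory above shows for the provider that should remain visible.
"Exclusion string keeping only the matched provider(s):"
New-ExclusionString -Providers $inventory -Keep 'Aloaha*'
```

The script only reads the registry. Put the printed string into the policy through gpedit.msc or gpmc.msc as described above rather than writing the registry value by hand, so the setting stays under Group Policy control and can be undone the same way. The Dll column is how you tell a third-party provider from the Windows ones, and it is worth a glance on any machine where a tile appears that you did not install.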

Note:

Hiding credential providers via group policy also applies to UAC and RunAs authentication dialog boxes.
Make sure you unhide the hidden credential providers again before you remove Aloaha from your system. If you leave them hidden, then after the removal of Aloaha the Windows Logon User Interface has no credential provider left to authenticate with, because the Windows credential providers remain hidden.

If you need more information or guidance, then please contact technical support at info@aloaha.com

New Aloaha Smartlogin released!

The new Aloaha Smartlogin has been released today. It can be downloaded from http://www.aloaha.com/download/smartlogin.zip

Evaluation Keys can be requested from info@aloaha.com

Aloaha Smart Login

Our new version supports a broad range of logon tokens:

Requirements

  1. Windows XP 32 bit
  2. Windows Vista or higher (32 and 64 bit)
  3. “Smart Card” Service running (SCardSvr)
  4. .NET 3.5 or higher installed
  5. A logon token, for example a USB memory key, smartcard, memory card or mobile phone.

Special Features:

Licensing

Aloaha Credential Provider Tiles

The Aloaha Credential Provider supports a broad range of security tokens. Depending on the token, the tile itself looks different.

PKI/Kerberos cards are cards which are natively supported by Windows or via 3rd party smartcard middleware. Furthermore, the machine has to be a member of a domain.

For Aloaha to detect a card as a PKI/Kerberos card, it has to be registered as such in <installdir>Userpass.ini:

[Kerberos]
aloaha_3BDB18FFC080B1FE751F035A43372E352052455620416F=1
Aloaha Cryptographic Provider=1
Datakey M 330=1
eToken Base Cryptographic Provider=1

The smartcard name or the middleware name has to be set to 1 for Aloaha to detect the token as a supported PKI token.
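As an added example (not Aloaha's code), the PowerShell below reads the smart cards Windows itself knows about, with their ATR and the cryptographic provider registered for each, from HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards. Those are the card names and middleware names referred to above, whether Windows supports the card natively or a 3rd party middleware registered it. The sample key aloaha_3BDB18FFC080B1FE751F035A43372E352052455620416F above looks like the prefix aloaha_ followed by a card ATR in hex (the trailing bytes decode to the ASCII string "ZC7.5 REV Ao"), so the script also prints candidate lines in that shape; that reading of the naming convention is an assumption, so check it against Aloaha's documentation before relying on it.

```powershell
# Added example (not Aloaha's code): list the smart cards registered with
# Windows, with the ATR (the bytes a reader gets back when the card powers
# up) and the middleware (CSP / KSP) registered for each. These are the
# candidate names for the [Kerberos] section of Userpass.ini.

$CalaisKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'

function ConvertTo-HexString {
    # Render a REG_BINARY value as upper-case hex without separators.
    param([byte[]]$Bytes)
    if ($Bytes) { ($Bytes | ForEach-Object { $_.ToString('X2') }) -join '' }
}

function Get-KnownSmartCard {
    Get-ChildItem $CalaisKey -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            CardName = $_.PSChildName                       # the smartcard name Windows uses
            ATR      = ConvertTo-HexString $p.ATR
            ATRMask  = ConvertTo-HexString $p.ATRMask       # bits of the ATR that must match
            CSP      = $p.'Crypto Provider'                 # legacy CryptoAPI middleware name
            KSP      = $p.'Smart Card Key Storage Provider' # CNG middleware name
        }
    }
}

$cards = @(Get-KnownSmartCard)
$cards | Format-Table CardName, ATR, CSP, KSP -AutoSize

# Candidate [Kerberos] lines. The "aloaha_<ATR>" shape is an ASSUMPTION read
# off the page's sample key; the middleware lines mirror entries such as
# "eToken Base Cryptographic Provider=1" shown on the page.
"Candidate [Kerberos] entries (assumed format, verify before use):"
$cards | Where-Object { $_.ATR } | ForEach-Object { "aloaha_$($_.ATR)=1" }
$cards | ForEach-Object { $_.CSP; $_.KSP } | Where-Object { $_ } | Sort-Object -Unique | ForEach-Object { "$_=1" }
```

Compare the printed names with the [Kerberos] section: a card that Windows recognises but that is missing there will be shown on the generic tile rather than the PKI tile.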

Once Aloaha detects a card as a PKI token, the tile looks like below:

Aloaha Credential Provider PKI Tile

For all other logon token the tile looks generic like:

Aloaha Credential Provider Generic Tile

In some cases the username is NOT required, since the token itself already contains the username. In that case the field can simply be left blank. It is also possible to hide the Username field by setting the following keys in <installdir>Userpass.ini:

[Generic]
DisableUserName=1
EnableUserName=0

After a reboot the tile will look like:

Aloaha Credential Provider Tile without Username


Aloaha Smart Logon Credential Provider Tile Management

Aloaha Smart Login supports a broad range of logon tokens, for example memory cards or sticks, PKI or Kerberos smartcards, PKCS#11 tokens, etc.

For that reason it is not really necessary for Windows to show all logon tiles, as below:

Windows Logon Tiles

During startup the Aloaha Service checks some settings in <installdir>Userpass.ini. If you set AllowUP=0, the Aloaha Service will disable ALL other credential tiles:

[Generic]
AllowUP=0

The result will look like:

Aloaha Credential Tile only

Use plain USB Memory Stick as Windows Logon Token

One of the many logon tokens supported by Aloaha Smartlogin is a plain memory stick or card (uSD). It is a very cheap and easy way to use very complex Windows passwords without having to remember them, adding extra security to your IT environment.

The username, domain and password are encrypted with a second, user-chosen PIN or password and saved on the stick. During Windows logon Aloaha decrypts those credentials and uses them.

USB Stick as Logon Token

To create the token, choose the stick (drive letter) to be used, enter your Windows credentials and choose a new password to encrypt those credentials with. Save writes them to the stick and Validate checks them.
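The mechanism described above, encrypting the credentials with a user-chosen PIN and keeping only the ciphertext on the stick, can be illustrated with the PowerShell below. This is an added example, not Aloaha's code and not Aloaha's on-stick format: it stretches the PIN with PBKDF2-SHA256, encrypts the username, domain and password with AES-256-CBC, and authenticates salt, IV and ciphertext with HMAC-SHA256 so that a tampered token or a wrong PIN is rejected before anything is decrypted. The file name token.bin, the drive letter E: and the sample credentials are made up. It needs Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7, for the PBKDF2 constructor that takes a hash algorithm name.

```powershell
# Added example (not Aloaha's code or file format): store Windows credentials
# on a plain memory stick so that only someone who knows the PIN can recover
# them. Layout of the token file: salt(16) | IV(16) | AES-CBC ciphertext | HMAC-SHA256 tag(32).
using namespace System.Security.Cryptography
using namespace System.Text

$Iterations = 200000   # PBKDF2 work factor: the only thing slowing down offline PIN guessing

function Get-TokenKeys {
    # Derive independent encryption and MAC keys from the PIN and a per-token salt.
    param([string]$Pin, [byte[]]$Salt)
    $kdf = [Rfc2898DeriveBytes]::new($Pin, $Salt, $Iterations, [HashAlgorithmName]::SHA256)
    try     { [pscustomobject]@{ Enc = $kdf.GetBytes(32); Mac = $kdf.GetBytes(32) } }
    finally { $kdf.Dispose() }
}

function Protect-LogonToken {
    param([string]$UserName, [string]$Domain, [string]$Password, [string]$Pin, [string]$Path)
    $salt = [byte[]]::new(16); $iv = [byte[]]::new(16)
    $rng = [RandomNumberGenerator]::Create(); $rng.GetBytes($salt); $rng.GetBytes($iv); $rng.Dispose()
    $keys  = Get-TokenKeys $Pin $salt
    # Serialise the three fields as compact JSON so they can be split apart again unambiguously.
    $plain = [Encoding]::UTF8.GetBytes((@{ u = $UserName; d = $Domain; p = $Password } | ConvertTo-Json -Compress))
    $aes = [Aes]::Create(); $aes.Key = $keys.Enc; $aes.IV = $iv      # 32-byte key selects AES-256
    $ct  = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $aes.Dispose()
    $body = [byte[]]($salt + $iv + $ct)
    $tag  = [HMACSHA256]::new($keys.Mac).ComputeHash($body)       # encrypt-then-MAC over everything stored
    [IO.File]::WriteAllBytes($Path, [byte[]]($body + $tag))
}

function Unprotect-LogonToken {
    param([string]$Pin, [string]$Path)
    $blob = [IO.File]::ReadAllBytes($Path)
    # 16 salt + 16 IV + at least one 16-byte ciphertext block + 32 tag
    if ($blob.Length -lt 80) { throw 'Token file too short to be valid' }
    $body = [byte[]]($blob[0..($blob.Length - 33)])
    $tag  = [byte[]]($blob[($blob.Length - 32)..($blob.Length - 1)])
    $salt = [byte[]]($body[0..15]); $iv = [byte[]]($body[16..31]); $ct = [byte[]]($body[32..($body.Length - 1)])
    $keys = Get-TokenKeys $Pin $salt
    $expected = [HMACSHA256]::new($keys.Mac).ComputeHash($body)
    # Constant-time comparison: fold every byte difference into one accumulator before branching.
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw 'Wrong PIN or tampered token (MAC mismatch)' }
    $aes = [Aes]::Create(); $aes.Key = $keys.Enc; $aes.IV = $iv
    $plain = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
    $aes.Dispose()
    $rec = [Encoding]::UTF8.GetString($plain) | ConvertFrom-Json
    [pscustomobject]@{ UserName = $rec.u; Domain = $rec.d; Password = $rec.p }
}

# Usage with constructed values (E: stands for the stick's drive letter):
# Protect-LogonToken -UserName 'alice' -Domain 'CORP' -Password 'Wq9#...a very long password...' -Pin 'correct horse battery' -Path 'E:\token.bin'
# Unprotect-LogonToken -Pin 'correct horse battery' -Path 'E:\token.bin'
```

The PIN is the only secret standing between whoever picks up the stick and the Windows password, and the file can be copied and attacked offline: the high iteration count makes each guess slow, but a six-digit PIN is still only a million guesses, so a passphrase is the better choice. In a real tool, read the password and PIN with Read-Host -AsSecureString rather than passing them as plain strings that end up in the command history.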

The USB Memory Stick solution is currently freeware and can be installed from http://www.aloaha.com/download/smartlogon.zip

Aloaha SmartLogin

There will very soon be a new edition of Aloaha SmartLogin.

In the new version you will be able to log on to your computer with the following media:

  1. any smartcard (http://blog.aloaha.com/2012/07/28/windows-logon-via-any-smartcard/)
  2. Kerberos token (http://blog.aloaha.com/2012/07/29/windows-logon-via-any-smartcard-and-kerberos/)
  3. Secure SIM (http://blog.aloaha.com/wp-content/uploads/2013/02/Aloaha_secureSIM_M2M.pdf)
  4. Secure uSD
  5. mobile phone
  6. PKCS #11 token (http://blog.aloaha.com/2012/07/26/windows-logon-via-credentials-saved-encrypted-on-pkcs-11-token/)
  7. USB memory stick (http://blog.aloaha.com/2012/07/25/windows-logon-with-plain-usb-memory-stick/)
  8. i2c memory card
  9. CTAPI
  10. user-defined via plugin interface

Active Directory is NOT required!

Please contact info@aloaha.com for further information!

Aloaha Smartlogin with plain USB Memory Stick now freeware for private use!

Aloaha Smartlogin is the ideal solution for logging on to Windows XP or 7 with your smartcard.

Plain USB memory sticks are supported for people without smartcards. Logon with plain USB memory sticks is freeware for private use!

Aloaha Smartlogin 4 USB Memory can be downloaded from http://www.aloaha.com/download/smartlogin.zip

A short usage video can be found on:


OpenPGP Cards now supported!

All Aloaha products now natively support OpenPGP Cards (v2.0) and the GPF Crypto Stick.

Using your OpenPGP Card on Windows no longer requires any non-Aloaha software!

Many thanks to Achim & Jan!

More on http://www.privacyfoundation.de/aktuelles/detail/zurueck/akutelles/artikel/crypto-stick-in-kommerzieller-software-integriert/

Smartcards as a secure replacement for the plain old password

Over the past several weeks a huge wave of cyber attacks targeted high profile companies such as Sony, Google, Lockheed Martin and others.

“For us this wave of attacks does not come as a surprise. The rise of cheap and extremely powerful GPUs (graphical processing unit) just rendered passwords completely useless,” said George Gauci, Business Development Manager of Aloaha, a Malta-based software and smart-card technology development company.

“A fairly standard graphics card today can brute force a five-letter NTLM (Microsoft security protocol) password in less than a second, seven-letter passwords are cracked in just under 20 minutes. Currently passwords must be at least nine characters to increase the cracking time to more than 30 days. But with 500 Gigaflop netbooks around the corner it will be just a question of months that the minimum password length must be 15 characters or more,” warned Mr Gauci.

He does not believe that OTP (one-time password) tokens are the solution, as the attack on Lockheed Martin has shown that OTP can never be secure since the algorithm of the token has to be known by the server and thus could also be known by an intruder.

“This case has shown that OTP stands more for ‘Obscurity Takes Privacy’ rather than ‘One Time Password’”, according to Mr Gauci.

Aloaha suggests that the only secure way of authentication must be based on asymmetric cryptography, for example with smartcards.

Smartcard authentication is already available for any Windows-based machine that is a member of a domain. All the user requires is a smartcard and middleware software such as the Aloaha Smartcard Connector. Once correctly configured, the insecure password authentication can even be disabled completely. For machines which are not members of a domain, there is Aloaha Smartlogin, a package which allows the user to encrypt his/her password with the smartcard. That way the user can choose a very long 100-character password and encrypt it with the smartcard. Aloaha Smartlogin takes care of passing this password to the logon process. Even a 500 Gflop netbook would take years to crack such a smartcard-encrypted password.

Strong passwords can also be extended to include hard disk and document encryption.

Published on: http://www.timesofmalta.com/articles/view/20110707/technology/Smartcards-as-a-secure-replacement-for-the-plain-old-password.374367


Copyright © 1996-2013 Aloaha Software. All rights reserved.