Tag: gina

Aloaha Smartlogin with central credential store

Aloaha Smartlogin contains a Credential Provider for Windows Vista/7/8/2008/2012 and a GINA for older Windows versions. It supports many different ways of logging a user on to the Windows session.

Active Directory is supported but NOT required!

The most popular way of using Aloaha Smartlogin without Active Directory is with "any smartcard natively supported by Windows or 3rd-party middleware", as explained in http://blog.aloaha.com/2012/08/13/what-are-softtoken-in-aloaha-smartlogin/

We have now introduced new registry settings that allow one central, server-based CredentialStore to be maintained.

If you point the registry entry "HKLM\Software\<Wow6432Node\>Aloaha\CSP\ForcedCredentialStore" to a share in your network, Aloaha will automatically copy all files from that network store to the local machine's credential store (<installdir>\CredentialStore) whenever the user logs on.

Many important settings are saved in the local file UserPass.ini. If you point "HKLM\Software\<Wow6432Node\>Aloaha\CSP\MasterUserPassIni" to a file, that file will automatically be copied to the file defined in "HKLM\Software\<Wow6432Node\>Aloaha\CSP\UserPassIni" (usually <installdir>\UserPass.ini).
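The following script is an added example, not Aloaha's own code: it points a client at a central CredentialStore share and a master UserPass.ini using the two registry entries described above, and reads the result back. It assumes an elevated PowerShell session, that the entries are string values under the ...\Aloaha\CSP key (which is how the paths above read), and uses placeholder server paths ($SharePath, $MasterIni) that you replace with your own.

```powershell
# Added example, not Aloaha's own code: configure the central CredentialStore share
# and master UserPass.ini described in the article, then verify what was written.
# Assumptions: elevated session; the entries are string values under ...\Aloaha\CSP;
# $SharePath and $MasterIni are placeholders for your own file server.
param(
    [string]$SharePath = '\\FILESERVER\AloahaStore',               # placeholder
    [string]$MasterIni = '\\FILESERVER\AloahaStore\UserPass.ini'   # placeholder
)

# A 32-bit Aloaha install on 64-bit Windows lives under Wow6432Node; use whichever key exists.
$candidates = 'HKLM:\SOFTWARE\Aloaha\CSP', 'HKLM:\SOFTWARE\Wow6432Node\Aloaha\CSP'
$base = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $base) { throw 'Aloaha CSP registry key not found; is Aloaha Smartlogin installed?' }

# Everything in the share is copied into <installdir>\CredentialStore at every logon, so
# whoever can write to the share controls the credential store of every client: give
# users read access only, and do not configure a share that is not reachable right now.
if (-not (Test-Path $SharePath)) { throw "Share $SharePath is not reachable from this machine" }
if (-not (Test-Path $MasterIni)) { throw "Master UserPass.ini $MasterIni not found" }

Set-ItemProperty -Path $base -Name 'ForcedCredentialStore' -Value $SharePath -Type String
Set-ItemProperty -Path $base -Name 'MasterUserPassIni'     -Value $MasterIni -Type String

# UserPassIni names the local copy target; if it is unset, <installdir>\UserPass.ini applies.
$local = (Get-ItemProperty -Path $base -Name 'UserPassIni' -ErrorAction SilentlyContinue).UserPassIni
if (-not $local) { Write-Warning 'UserPassIni is not set; the default <installdir>\UserPass.ini applies' }

# Read back the three entries so the change can be checked (and logged) before the next logon.
Get-ItemProperty -Path $base |
    Select-Object ForcedCredentialStore, MasterUserPassIni, UserPassIni
```

The copy happens at logon in the client's context, so the read-back at the end only proves the registry is set; the first logon after the change is where you confirm that <installdir>\CredentialStore actually received the files.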

Please do not hesitate to contact us at info@aloaha.com if you need further or personal assistance.

How to hide credential providers from the Windows Logon User Interface using Windows Group Policy

After installation of Aloaha Smart Login, several credential providers are available for logon from the Windows logon user interface. This article explains how to hide certain credential providers from the Windows logon user interface via group policy. If you want Aloaha to hide other credential providers automatically, please have a look at: http://blog.aloaha.com/2012/08/14/aloaha-smartlogin-ini-settings/


This way, you can ensure that only the Aloaha credential provider is available for logon.

What To Do

To hide the Microsoft Windows 7 default credential providers after installation of Aloaha, a Windows Group Policy setting has to be configured, using either the Local Group Policy Editor (gpedit.msc) or the Group Policy Management Console (gpmc.msc).

  1. Modify an existing group policy or create a new one and navigate to the "Exclude credential providers" setting: Computer Configuration | Policies | Administrative Templates | System | Logon | Exclude credential providers.
  2. Open the properties of the group policy setting and set the policy to "Enabled".
  3. Use the "Exclude the following credential providers" field to exclude specific credential providers. Enter comma-separated CLSIDs to exclude multiple credential providers from the authentication process.

If you just want to hide certain credential providers, here is a list of the default Windows 7 credential provider CLSIDs:

Credential provider, CLSID:

  • GenericProvider, {25CBB996-92ED-457e-B28C-4774084BD562}
  • NPProvider, {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}
  • VaultCredProvider, {503739d0-4c5e-4cfd-b3ba-d881334f0df2}
  • PasswordProvider, {6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
  • Password Provider\LogonPasswordReset, {8841d728-1a76-4682-bb6f-a9ea53b4b3ba}
  • Smartcard Credential Provider, {8bf9a910-a8ff-457f-999f-a5ca10b4a885}
  • Smartcard Pin Provider, {94596c7e-3744-41ce-893e-bbf09122f76a}
  • WinBio Credential Provider, {AC3AC249-E820-4343-A65B-377AC634DC09}
  • CertCredProvider, {e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}

On a system with Aloaha installed, all other credential providers may be hidden using the following string:
{25CBB996-92ED-457e-B28C-4774084BD562},{3dd6bec0-8193-4ffe-ae25-e08e39ea4063},{503739d0-4c5e-4cfd-b3ba-d881334f0df2},{6f45dc1e-5384-457a-bc13-2cd81b0d28ed},{8841d728-1a76-4682-bb6f-a9ea53b4b3ba},{8bf9a910-a8ff-457f-999f-a5ca10b4a885},{94596c7e-3744-41ce-893e-bbf09122f76a},{AC3AC249-E820-4343-A65B-377AC634DC09},{e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}

After applying the setting, only the Aloaha credential provider is shown during the authentication process.

To check for additionally installed 3rd-party credential providers, open the registry on the Windows 7 machine and browse to the following location: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers]. Look for any 3rd-party credential provider you want to hide and write down the provider's CLSID. Configure that CLSID in the group policy mentioned above to hide the 3rd-party credential provider.
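The registry walk just described can be scripted. The block below is an added example, not Aloaha's own code: it lists every credential provider registered under the key named above, marks which ones are the Windows 7 defaults from the list above and which are 3rd party, builds the comma-separated CLSID string for the policy while keeping the provider you log on with, and shows the value currently applied on the machine. Assumptions: an elevated session; the provider to keep is chosen by its display name matching $KeepPattern ('Aloaha' by default, adjust it to your install); and the applied policy is read from the ExcludedCredentialProviders value under Policies\System, which is where this policy setting is stored (stated here from general knowledge, not taken from the article).

```powershell
# Added example, not Aloaha's own code: inventory the registered credential providers,
# separate Windows 7 defaults from 3rd-party ones, and build the exclusion string.
# Assumptions: elevated session; provider to keep selected by name via $KeepPattern;
# applied policy read from the ExcludedCredentialProviders value under Policies\System.
param([string]$KeepPattern = 'Aloaha')

$cpKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Default Windows 7 providers as listed in the article (hashtable keys compare case-insensitively).
$defaults = @{
    '{25CBB996-92ED-457e-B28C-4774084BD562}' = 'GenericProvider'
    '{3dd6bec0-8193-4ffe-ae25-e08e39ea4063}' = 'NPProvider'
    '{503739d0-4c5e-4cfd-b3ba-d881334f0df2}' = 'VaultCredProvider'
    '{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}' = 'PasswordProvider'
    '{8841d728-1a76-4682-bb6f-a9ea53b4b3ba}' = 'Password Provider\LogonPasswordReset'
    '{8bf9a910-a8ff-457f-999f-a5ca10b4a885}' = 'Smartcard Credential Provider'
    '{94596c7e-3744-41ce-893e-bbf09122f76a}' = 'Smartcard Pin Provider'
    '{AC3AC249-E820-4343-A65B-377AC634DC09}' = 'WinBio Credential Provider'
    '{e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}' = 'CertCredProvider'
}

# Each subkey is a CLSID; its default value is the provider's display name.
$installed = Get-ChildItem -Path $cpKey | ForEach-Object {
    [pscustomobject]@{
        CLSID = $_.PSChildName
        Name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        Kind  = if ($defaults.ContainsKey($_.PSChildName)) { 'Windows default' } else { '3rd party' }
    }
}

$keep    = @($installed | Where-Object { $_.Name -match $KeepPattern })
$exclude = @($installed | Where-Object { $_.Name -notmatch $KeepPattern })

# Never emit a string that hides every provider: the logon UI, UAC and RunAs dialogs would
# be left with nothing to authenticate with (the lock-out the article's note warns about).
if ($keep.Count -eq 0) {
    throw "No provider matching '$KeepPattern' is registered; refusing to build an exclusion list"
}

$installed | Sort-Object Kind, Name | Format-Table Kind, Name, CLSID -AutoSize
$policyString = $exclude.CLSID -join ','
"Exclude the following credential providers: $policyString"

# Show what is applied on this machine so drift between the GPO and the client is visible.
$applied = (Get-ItemProperty -Path $polKey -Name 'ExcludedCredentialProviders' -ErrorAction SilentlyContinue).ExcludedCredentialProviders
if ($applied) { "Currently applied: $applied" } else { 'Currently applied: (none)' }
```

The printed string is what goes into the "Exclude the following credential providers" field; the script deliberately only reads the policy value and leaves writing it to Group Policy, so the setting stays managed in one place.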

Note:

Hiding credential providers via group policy also applies to UAC and RunAs authentication dialog boxes.
Make sure you unhide the hidden credential providers again if you plan to remove Aloaha from your system. If you leave them hidden after removing Aloaha, the Windows logon user interface will not offer you any credential provider to authenticate with, because the Windows credential providers remain hidden.

If you need more information or guidance, please contact technical support at info@aloaha.com.



New Aloaha Smartlogin released!

The new Aloaha Smartlogin has been released today. It can be downloaded from http://www.aloaha.com/download/smartlogin.zip

Evaluation keys can be requested from info@aloaha.com.


Aloaha Smart Login


Our new version supports a broad range of logon tokens:

Requirements

  1. Windows XP 32 bit
  2. Windows Vista or higher (32 and 64 bit)
  3. “Smart Card” Service running (SCardSvr)
  4. .NET 3.5 or higher installed
  5. Logon token, for example a USB memory key, smartcard, memory card or mobile phone.

Special Features:

Licensing



Aloaha Smartlogin GINA with any token

The Aloaha Smartlogin GINA supports a broad range of logon tokens, for example memory sticks, memory cards (i2c), PKI smartcards and also PKCS#11 tokens.

Depending on the token detected the Aloaha GINA will look different.

On http://blog.aloaha.com/2012/08/14/aloaha-smart-login-gina/ we already explained PKI/Kerberos cards.

Here we explain the GINA for all non-PKI, non-Kerberos smartcards.

By default the screen looks like this:

Aloaha SmartLogin Gina any Token


If the Domain/Username field is empty, Aloaha will guess the domain/username automatically. With many tokens that is possible since the token itself contains the username.

For that reason we made it easy to disable the username field completely. Just open <installdir>\UserPass.ini and edit the required entries as shown below:

[Generic]
DisableUserName=1
EnableUserName=0
AllowUP=1

After a reboot the result looks like this:


Aloaha Smart Login Gina no Username



Aloaha Smart Login GINA with PKI/Kerberos Smartcard

The idea of Aloaha Smartlogin is to support all types of logon tokens, for example memory sticks, memory (i2c) smartcards, PKI smartcards, mobile phones, etc.

Depending on the type of card used the Aloaha GINA Logon Screen will look different.

PKI or Kerberos smartcards are smartcards supported by Windows, either natively or via 3rd-party smartcard middleware or a minidriver.

For Aloaha to be able to decide whether to treat a smartcard as a PKI card or just as an encryption token, it requires an entry in <installdir>\UserPass.ini.

The middleware or smartcard name has to be set in the Kerberos section as shown below. The example enables SafeNet and Aloaha smartcards as PKI tokens.

PLEASE NOTE: PKI tokens can ONLY be used for domain users! It is not possible to use them on stand-alone machines!

[Kerberos]
aloaha_3BDB18FFC080B1FE751F035A43372E352052455620416F=1
Aloaha Cryptographic Provider=1
Datakey M 330=1
eToken Base Cryptographic Provider=1

A number of tokens are hardcoded as PKI tokens in Aloaha. Should you wish to add another token, please contact info@aloaha.com.

As soon as Aloaha detects a PKI token, the logon GINA will look like this:

Aloaha GINA PKI Card Logon



Use plain USB Memory Stick as Windows Logon Token

One of the many logon tokens supported by Aloaha Smartlogin is a plain memory stick or card (uSD). It is a very cheap and easy way to use very complex Windows passwords without having to remember them, thus adding extra security to your IT environment.

The username, domain and password are encrypted with a second, user-chosen PIN or password and saved on the stick. During the Windows logon Aloaha decrypts those credentials and uses them.

USB Stick as Logon Token


To create the token, choose the stick (drive letter) to be used, enter your Windows credentials and choose a new password with which to encrypt those credentials. "Save" writes them to the stick and "Validate" checks that they can be read back.

The USB memory stick solution is currently freeware and can be installed from http://www.aloaha.com/download/smartlogon.zip
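To make concrete what "credentials encrypted with a second, user-chosen PIN and saved on the stick" amounts to, here is an added example; it is not Aloaha's code and not Aloaha's file format. Domain, username and password are sealed with a key derived from the PIN (PBKDF2-SHA1 via Rfc2898DeriveBytes, 200000 rounds), AES-256-CBC, and an HMAC-SHA256 tag so that a wrong PIN or a modified token file is rejected before anything is decrypted. The file name logon.token, the parameter names and all function names are this example's own assumptions.

```powershell
# Added example, not Aloaha's code or file format: a PIN-protected logon token on a
# plain memory stick. Layout of logon.token: salt(16) | iv(16) | ciphertext | hmac(32).
# Assumptions: file name, function and parameter names are this example's own.

function ConvertTo-PlainText([securestring]$Secure) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Get-TokenKeys([string]$Pin, [byte[]]$Salt) {
    # One slow derivation, split into an encryption key and a MAC key. The Windows password
    # on the stick is protected exactly as well as this PIN is: prefer a passphrase to 4 digits.
    $kdf = New-Object Security.Cryptography.Rfc2898DeriveBytes($Pin, $Salt, 200000)
    $k = $kdf.GetBytes(64)
    @{ Enc = [byte[]]$k[0..31]; Mac = [byte[]]$k[32..63] }
}

function Protect-LogonToken {
    # The "Save" step: seal domain, username and password to <Drive>\logon.token.
    param([string]$Drive, [string]$Domain, [string]$UserName,
          [securestring]$Password, [securestring]$Pin)
    $plain = [Text.Encoding]::UTF8.GetBytes("$Domain`n$UserName`n$(ConvertTo-PlainText $Password)")
    $salt = New-Object byte[] 16
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $keys = Get-TokenKeys (ConvertTo-PlainText $Pin) $salt
    $aes = [Security.Cryptography.Aes]::Create()        # CBC with PKCS7 padding by default
    $aes.Key = $keys.Enc
    $aes.GenerateIV()
    $ct   = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $body = [byte[]]($salt + $aes.IV + $ct)
    $tag  = (New-Object Security.Cryptography.HMACSHA256(,$keys.Mac)).ComputeHash($body)
    $path = Join-Path $Drive 'logon.token'
    [IO.File]::WriteAllBytes($path, [byte[]]($body + $tag))
    $path
}

function Unprotect-LogonToken {
    # The logon-time step: verify the tag first, decrypt only if it matches.
    param([string]$Drive, [securestring]$Pin)
    $blob = [IO.File]::ReadAllBytes((Join-Path $Drive 'logon.token'))
    if ($blob.Length -lt 80) { throw 'Token file is too short to be valid' }
    $salt = [byte[]]$blob[0..15]
    $iv   = [byte[]]$blob[16..31]
    $ct   = [byte[]]$blob[32..($blob.Length - 33)]
    $tag  = [byte[]]$blob[($blob.Length - 32)..($blob.Length - 1)]
    $keys = Get-TokenKeys (ConvertTo-PlainText $Pin) $salt
    $expected = (New-Object Security.Cryptography.HMACSHA256(,$keys.Mac)).ComputeHash([byte[]]($salt + $iv + $ct))
    $diff = 0                                            # constant-time tag comparison
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw 'Wrong PIN or tampered token' }
    $aes = [Security.Cryptography.Aes]::Create()
    $aes.Key = $keys.Enc; $aes.IV = $iv
    $plain = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
    $domain, $user, $pass = ([Text.Encoding]::UTF8.GetString($plain) -split "`n", 3)
    [pscustomobject]@{
        Domain   = $domain
        UserName = $user
        Password = ConvertTo-SecureString -String $pass -AsPlainText -Force
    }
}

function Test-LogonToken([string]$Drive, [securestring]$Pin) {
    # The "Validate" step: true only when the PIN is right and the file is intact.
    try { $null = Unprotect-LogonToken -Drive $Drive -Pin $Pin; $true } catch { $false }
}

# Usage (constructed values; E: stands for the stick's drive letter):
#   $pw  = Read-Host -AsSecureString 'Windows password'
#   $pin = Read-Host -AsSecureString 'Token PIN'
#   Protect-LogonToken -Drive 'E:' -Domain 'CORP' -UserName 'alice' -Password $pw -Pin $pin
#   Test-LogonToken -Drive 'E:' -Pin $pin
```

Two points the shape of this file makes visible: the token is only as strong as the PIN, because anyone holding the stick can run the derivation offline against PIN guesses, and the authentication tag is what turns a corrupted or edited stick into a clean failure instead of a decryption to garbage.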



Aloaha SmartLogin

A new edition of Aloaha SmartLogin will be available very soon.

In the new version you can log on to your computer with the following media:

  1. any smartcard (http://blog.aloaha.com/2012/07/28/windows-logon-via-any-smartcard/)
  2. Kerberos token (http://blog.aloaha.com/2012/07/29/windows-logon-via-any-smartcard-and-kerberos/)
  3. Secure SIM (http://blog.aloaha.com/wp-content/uploads/2013/02/Aloaha_secureSIM_M2M.pdf)
  4. Secure uSD
  5. Mobile phone
  6. PKCS #11 token (http://blog.aloaha.com/2012/07/26/windows-logon-via-credentials-saved-encrypted-on-pkcs-11-token/)
  7. USB memory stick (http://blog.aloaha.com/2012/07/25/windows-logon-with-plain-usb-memory-stick/)
  8. i2c memory card
  9. CTAPI
  10. User-defined via plugin interface

Active Directory is NOT required!

Please contact info@aloaha.com for further information!



CT-API and e-Health Terminal Support in Aloaha

By default Aloaha accesses the connected smartcard reader via the Windows PC/SC or CCID driver. In some cases it might be necessary to use the reader via CT-API, for example when no PC/SC or CCID driver exists. That is the case for most health terminals used in the German health system.

To be able to use CT-API, a recent version of the Aloaha Smartcard Connector must be installed. If you find the file AloahaCSPPlugin.exe in <common files>\Aloaha, your version is recent enough to be switched to CT-API.

To activate CT-API, entries are needed in the file CTAPIINI.ini in <program files>\wrocklage and in the registry.

CTAPIINI.ini:

[Settings]
activated=1
CTAPI=c:\windows\system32\ct8751.dll
[HID OMNIKEY 8751 e-Health LAN]
port=1
Units=01,02,03,04,40,50

Please note that the Settings section is required. Aloaha will try to fill in the rest automatically.

Once the above settings are in place and you have logged on to your machine again, you will see your CT-API eHealth terminal in the Aloaha systray as shown below:


Aloaha System Tray with e-Health Terminal


Even though any CT-API reader should work, currently ONLY the ORGA 6041 eGK and OMNIKEY 8751 eHealth terminals have been accredited to work perfectly with Aloaha. More will follow on request!

Windows Logon with e-Health Terminal

Naturally, Aloaha Smartlogon also supports Windows logon via CT-API based smartcard readers. That means it is possible to use an HID 8751 or ORGA 6041 eHealth terminal to log on with the German HBA (Health Professional Card).

By default the e-Health terminal is NOT connected to the Windows logon credential provider. To activate that, you need to create the following entry in CTAPIini.ini in your installation folder:

[Settings]
CTAPIAsSystem=1
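The readiness check and the two CTAPIINI.ini changes described in the CT-API post and in the paragraph above can be applied with the script below, which is an added example and not Aloaha's own code. It uses a small INI writer that keeps existing sections intact. Assumptions: the INI path defaults to <program files>\wrocklage\CTAPIINI.ini (the posts also refer to it as CTAPIini.ini in the installation folder, so pass -IniPath if yours differs); the CT-API library path is the ct8751.dll example above; the reader section is left for Aloaha to fill in; the registry entries the post mentions without naming are not touched; the function names are this example's own.

```powershell
# Added example, not Aloaha's own code: check for a CT-API capable Aloaha version and set
# the CTAPIINI.ini [Settings] entries from the article. Assumptions: default INI path is
# <program files>\wrocklage\CTAPIINI.ini; function names are this example's own.

function Test-AloahaCtapiReady {
    # The article's version test: AloahaCSPPlugin.exe must exist in <common files>\Aloaha.
    $paths = @(Join-Path $env:CommonProgramFiles 'Aloaha\AloahaCSPPlugin.exe')
    if (${env:CommonProgramFiles(x86)}) {
        $paths += Join-Path ${env:CommonProgramFiles(x86)} 'Aloaha\AloahaCSPPlugin.exe'
    }
    [bool]($paths | Where-Object { Test-Path $_ } | Select-Object -First 1)
}

function Set-IniValue {
    # Set Key=Value inside [Section]: replace an existing key, or append the section if missing.
    param([string]$Path, [string]$Section, [string]$Key, [string]$Value)
    $lines = if (Test-Path $Path) { @(Get-Content -Path $Path) } else { @() }
    $out = New-Object System.Collections.Generic.List[string]
    $inSection = $false; $done = $false
    foreach ($line in $lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Leaving the target section without having seen the key: insert it before the next header.
            if ($inSection -and -not $done) { $out.Add("$Key=$Value"); $done = $true }
            $inSection = ($Matches[1] -eq $Section)
        } elseif ($inSection -and $line -match "^\s*$([regex]::Escape($Key))\s*=") {
            if (-not $done) { $out.Add("$Key=$Value"); $done = $true }
            continue                                     # drops the old (or duplicate) line
        }
        $out.Add($line)
    }
    if (-not $done) {
        if (-not $inSection) { $out.Add("[$Section]") }
        $out.Add("$Key=$Value")
    }
    Set-Content -Path $Path -Value $out -Encoding Ascii
}

function Enable-AloahaCtapi {
    param(
        [string]$IniPath  = (Join-Path $env:ProgramFiles 'wrocklage\CTAPIINI.ini'),  # assumption
        [string]$CtapiDll = 'c:\windows\system32\ct8751.dll',                         # from the article
        [switch]$ForWindowsLogon                                                      # adds CTAPIAsSystem=1
    )
    if (-not (Test-AloahaCtapiReady)) {
        throw 'AloahaCSPPlugin.exe not found: update the Aloaha Smartcard Connector first'
    }
    if (-not (Test-Path $CtapiDll)) {
        Write-Warning "CT-API library $CtapiDll not found; the terminal will not work until it is installed"
    }
    # [Settings] is the only mandatory section; Aloaha fills in the reader section itself.
    Set-IniValue -Path $IniPath -Section 'Settings' -Key 'activated' -Value '1'
    Set-IniValue -Path $IniPath -Section 'Settings' -Key 'CTAPI'     -Value $CtapiDll
    if ($ForWindowsLogon) {
        # Only this entry exposes the terminal to the Windows logon credential provider.
        Set-IniValue -Path $IniPath -Section 'Settings' -Key 'CTAPIAsSystem' -Value '1'
    }
    Get-Content -Path $IniPath
}

# Usage: Enable-AloahaCtapi -ForWindowsLogon ; then log off and on again.
```

Keeping CTAPIAsSystem behind a switch mirrors the article's default: a terminal that is merely used by the desktop tools stays out of the logon path until you decide otherwise.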

After you create the entry and set your credentials via the Aloaha GUI, you can log on via the Aloaha tile as shown below:

Aloaha Windows Logon


You can download the Aloaha Middleware/Credential Provider from http://www.aloaha.com/download/credentialprovider.zip

Please make sure to request an evaluation key from info@aloaha.com

German customers should also read: http://blog.aloaha.com/2012/01/03/wie-richte-ich-mein-ehealth-terminal-ein-um-mich-mit-meinem-hba-oder-smc-karte-an-windows-anzumelden/



Aloaha Smartlogin with plain USB Memory Stick now freeware for private use!

Aloaha Smartlogin is the ideal solution for logging on to Windows XP or 7 with your smartcard.

Plain USB memory sticks are supported for people without smartcards. Logon with plain USB memory sticks is freeware for private use!

Aloaha Smartlogin 4 USB Memory can be downloaded from http://www.aloaha.com/download/smartlogin.zip

A short usage video can be found on:


OpenPGP Cards now supported!

All Aloaha products now natively support OpenPGP Cards (v2.0) and the GPF Crypto Stick.

Using your OpenPGP Card in Windows no longer requires any non-Aloaha software!

Many thanks to Achim & Jan!

More on http://www.privacyfoundation.de/aktuelles/detail/zurueck/akutelles/artikel/crypto-stick-in-kommerzieller-software-integriert/



Copyright © 1996-2013 Aloaha Software. All rights reserved.