Aloaha Smartlogin with central credential store

Aloaha Smartlogin contains a Credential Provider for Windows Vista/7/8/2008/2012 and a GINA for older Windows versions. It supports many different ways to log a user on to the Windows session.

Active Directory is supported but NOT required!

The most popular way of using Aloaha Smartlogin without Active Directory is with “any smart card natively supported by Windows or 3rd-party middleware”, as explained in http://blog.aloaha.com/2012/08/13/what-are-softtoken-in-aloaha-smartlogin/

We have now introduced new registry settings that allow the user to maintain one central, server-based CredentialStore.

If you point the registry key HKLM\Software\<Wow6432Node\>Aloaha\CSP\ForcedCredentialStore to a share in your network, Aloaha will automatically copy all files from that network store to the local machine's credential store (<installdir>\CredentialStore) whenever the user logs on.

Many important settings are saved in the local file UserPass.ini. If you point HKLM\Software\<Wow6432Node\>Aloaha\CSP\MasterUserPassIni to a file, that file will automatically be copied to the file defined in HKLM\Software\<Wow6432Node\>Aloaha\CSP\UserPassIni (usually <installdir>\UserPass.ini).
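The two registry settings above are typically rolled out to many machines at once, so it helps to generate the .reg file from a script that checks the values first. The following is an added example and not Aloaha's own code: it assumes the three settings are REG_SZ values named ForcedCredentialStore, MasterUserPassIni and UserPassIni under the Aloaha\CSP key (the post only spells them out as paths), that the key sits under Wow6432Node on 64-bit Windows, and it insists that ForcedCredentialStore is a UNC share, because a local folder would defeat the purpose of a central store.

```python
"""Generate a .reg file for the Aloaha Smartlogin central CredentialStore settings.

Added example, not Aloaha's code. Assumptions beyond the post: the three settings
are REG_SZ values named ForcedCredentialStore, MasterUserPassIni and UserPassIni
under the Aloaha\\CSP key, and the key lives under Wow6432Node on 64-bit Windows.
"""


def aloaha_csp_key(is_64bit_windows: bool = True) -> str:
    """Registry key holding the Smartlogin settings (32-bit product, so Wow6432Node on x64)."""
    base = r"HKEY_LOCAL_MACHINE\SOFTWARE"
    if is_64bit_windows:
        base += r"\Wow6432Node"
    return base + r"\Aloaha\CSP"


def is_unc_path(path: str) -> bool:
    r"""True for \\server\share[\...] so the store really is a network share, not a local folder."""
    parts = path.split("\\")
    return path.startswith("\\\\") and len(parts) >= 4 and all(parts[2:4])


def _reg_string(value: str) -> str:
    """Quote a REG_SZ value; .reg syntax needs backslashes and double quotes escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_credential_store_reg(forced_store: str, master_userpass_ini: str,
                               local_userpass_ini: str, is_64bit_windows: bool = True) -> str:
    """Return the text of a .reg file that points Smartlogin at a central store."""
    if not is_unc_path(forced_store):
        raise ValueError("ForcedCredentialStore must be a UNC share such as \\\\server\\share")
    if not master_userpass_ini.lower().endswith(".ini"):
        raise ValueError("MasterUserPassIni must point to an .ini file")
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{aloaha_csp_key(is_64bit_windows)}]",
        f'"ForcedCredentialStore"={_reg_string(forced_store)}',
        f'"MasterUserPassIni"={_reg_string(master_userpass_ini)}',
        f'"UserPassIni"={_reg_string(local_userpass_ini)}',
        "",
    ]
    return "\r\n".join(lines)  # .reg files are CRLF text


if __name__ == "__main__":
    # Constructed sample paths; the share name and install directory are placeholders.
    print(build_credential_store_reg(
        r"\\fileserver\SmartloginStore",
        r"\\fileserver\SmartloginStore\UserPass.ini",
        r"C:\Program Files (x86)\Aloaha\UserPass.ini",
    ))
```

Because every file on the share is copied into each client's CredentialStore at logon, the share itself should be writable only by the administrators who maintain it; the generator cannot check that, it only makes sure the value really points at a share.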

Please do not hesitate to contact us at info@aloaha.com in case you need further or personal assistance.
How to filter credential providers from the Windows Logon User Interface using Aloahas Credential Provider Filter

Some weeks ago we explained how to disable unwanted Credential Providers completely.

http://blog.aloaha.com/2012/08/20/how-to-hide-credential-providers-from-the-windows-logon-user-interface-using-windows-group-policy/

Aloaha Credential Provider Filter

In some cases Credential Providers should be hidden from the Logon User Interface BUT still be usable from within the session. For example, someone might not want to see the Username/Password tile during logon but obviously still requires it when mounting a network drive or connecting via RDP to another machine. In those cases you cannot hide/disable the providers via Windows Group Policy; a Credential Provider Filter is required.

Aloaha Smartlogin comes with an integrated Credential Provider Filter that hides tiles from the Windows Logon Interface WITHOUT removing their functionality inside the session.

To activate the Aloaha Credential Provider Filter you need to open the file UserPass.ini in the installation folder. In the section CredentialProviders you can configure a filter for each provider. To enable a filter, set it to 1. Below is the section that disables ALL non-Aloaha providers:

[CredentialProviders]
25CBB996-92ED-457e-B28C-4774084BD562=1
3dd6bec0-8193-4ffe-ae25-e08e39ea4063=1
503739d0-4c5e-4cfd-b3ba-d881334f0df2=1
6f45dc1e-5384-457a-bc13-2cd81b0d28ed=1
8bf9a910-a8ff-457f-999f-a5ca10b4a885=1
94596c7e-3744-41ce-893e-bbf09122f76a=1
AC3AC249-E820-4343-A65B-377AC634DC09=1
e74e57b0-6c6d-44d5-9cda-fb2df5ed7435=1
F8A0B131-5F68-486c-8040-7E8FC3C85BB6=1
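Auditing which tiles a machine hides is a matter of reading that section back. The following is an added example, not Aloaha's code: it parses the [CredentialProviders] section exactly in the form shown above (one CLSID per line, 1 means hidden), normalises the mixed-case GUIDs so duplicates are caught, rejects keys that are not CLSIDs, and can render a section for a chosen list of providers. The sample text is the section from this post; which Windows provider each CLSID belongs to is not stated on the page and is deliberately not guessed here.

```python
"""Parse and audit the [CredentialProviders] filter section of Aloaha's UserPass.ini.

Added example, not Aloaha's code. It assumes only the format shown in the post:
one line per provider CLSID, "<GUID>=1" hides that tile from the logon UI and
any other value leaves it visible. The sample section is copied from the post.
"""
import configparser
import re
from typing import Dict, Iterable, List

CLSID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.IGNORECASE)

SAMPLE_USERPASS_INI = """\
[CredentialProviders]
25CBB996-92ED-457e-B28C-4774084BD562=1
3dd6bec0-8193-4ffe-ae25-e08e39ea4063=1
503739d0-4c5e-4cfd-b3ba-d881334f0df2=1
6f45dc1e-5384-457a-bc13-2cd81b0d28ed=1
8bf9a910-a8ff-457f-999f-a5ca10b4a885=1
94596c7e-3744-41ce-893e-bbf09122f76a=1
AC3AC249-E820-4343-A65B-377AC634DC09=1
e74e57b0-6c6d-44d5-9cda-fb2df5ed7435=1
F8A0B131-5F68-486c-8040-7E8FC3C85BB6=1
"""


def normalise_clsid(raw: str) -> str:
    """Lower-case, brace-free form so mixed-case entries compare equal."""
    raw = raw.strip()
    if not CLSID_RE.match(raw):
        raise ValueError(f"not a CLSID: {raw!r}")
    return raw.strip("{}").lower()


def parse_credential_provider_filter(ini_text: str) -> Dict[str, bool]:
    """Return {clsid: hidden} for every entry of [CredentialProviders]."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep CLSIDs as written instead of lower-casing keys for us
    parser.read_string(ini_text)
    if not parser.has_section("CredentialProviders"):
        return {}
    filters: Dict[str, bool] = {}
    for key, value in parser.items("CredentialProviders"):
        clsid = normalise_clsid(key)
        if clsid in filters:  # same GUID written twice with different casing
            raise ValueError(f"duplicate filter entry for {clsid}")
        filters[clsid] = value.strip() == "1"
    return filters


def hidden_providers(ini_text: str) -> List[str]:
    """CLSIDs whose tiles are hidden from the logon UI (filter set to 1)."""
    return sorted(c for c, hidden in parse_credential_provider_filter(ini_text).items() if hidden)


def render_filter_section(clsids: Iterable[str], hide: bool = True) -> str:
    """Build a [CredentialProviders] section hiding (or showing) the given providers."""
    lines = ["[CredentialProviders]"]
    lines += [f"{normalise_clsid(c)}={'1' if hide else '0'}" for c in clsids]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for clsid in hidden_providers(SAMPLE_USERPASS_INI):
        print("hidden from logon UI:", clsid)
```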

Plan digital signature settings for Office 2010

You can digitally sign documents by using Microsoft Excel 2010, Microsoft PowerPoint 2010, and Microsoft Word 2010. You can also add a signature line or signature stamp by using Excel 2010, Microsoft InfoPath 2010, and Word 2010. Microsoft Office 2010 includes support for XAdES (XML Advanced Electronic Signatures), which is a set of extensions to the XML-DSig standard. This was first supported in the 2007 Microsoft Office system.

Also, if XAdES is used for the digital signature in Office 2010, the digital signature would not be compatible with the 2007 Office system unless you configure the Group Policy setting, Do not include XAdES reference object in the manifest, and set it to Disabled. For more information about the digital signature Group Policy settings, see Configure digital signatures later in this article.

If you need digital signatures created in Office 2010 to be compatible with Office 2003 and earlier versions, you can configure the Group Policy setting, Legacy format signatures, and set it to Enabled. This Group Policy setting is located under User Configuration\Administrative Templates\(ADM\ADMX)\Microsoft Office 2010\Signing. After this setting is set to Enabled, the Office 2010 applications use the Office 2003 binary format to apply digital signatures to Office 97–2003 binary documents created in Office 2010.

Time stamp digital signatures

Adding a time stamp to a digital signature in Office 2010 helps to extend the lifespan of the signature. For example, if the certificate used to create a digital signature has since been revoked, and the signature contains a time stamp from a trusted time stamp server, the signature can still be considered valid if the time stamp was applied before the certificate was revoked. To use the time stamp functionality with digital signatures, you must complete the following:

  1. Set up a time stamp server that is compliant with RFC 3161, such as the Aloaha TSA.
  2. Use the Group Policy setting, Specify server name, to enter the location of the time stamp server on the network.
  3. You can also configure additional time stamp parameters by configuring one or more of the following Group Policy settings:
     • Configure time stamping hashing algorithm
     • Set timestamp server timeout

Please have a look at http://blogs.technet.com/b/office2010/archive/2009/12/08/digital-signitures-in-office-2010.aspx?PageIndex=3 

If you get the error “timestamp server is not available”, you have invalid entries in your system policy. Just search the registry for tsa.aspx to locate them! Often a simple machine restart is also enough! GPUPDATE /force seems NOT to be enough for the cleanup!

If you do not configure and enable Configure time stamping hashing algorithm, the default value of SHA1 will be used. If you do not configure and enable Set timestamp server timeout, the default time that Office 2010 will wait for the time stamp server to respond to a request is 5 seconds.

Configure digital signatures

In addition to the Group Policy settings for time-stamp-related settings, there are other Group Policy settings that control how digital signatures are configured and used in an organization.

Aloaha Timestamping authority now with Authenticode support!

The Aloaha Time Stamping Authority now also supports Authenticode time stamps. Based on the request, it automatically detects whether it has to issue an RFC 3161 or an Authenticode time stamp token.

A live Authority is reachable on: http://card.aloaha.com:8081/tsa.aspx

Authenticode AND RFC 3161 tokens are both issued via the above URL.

The product can be installed from http://www.aloaha.com/download/tsa.zip

A license key can be requested from info@aloaha.com

Aloaha Time Stamping Authority Registry Settings

The Aloaha Time Stamping Authority can be run as a plugin in your local web server OR as a standalone product with a built-in web server.

In case you run the standalone TSA, please have a look at the internal web server registry settings at: http://blog.aloaha.com/2012/10/15/aloaha-webserver-registry-settings/

The TSA settings are configured in: HKEY_CURRENT_USER\Software\Aloaha\TSA

PFX_Path defines the path to the PFX file to be used. This key is ONLY used if UseCertfromStore is set to 0.

UseCertfromStore defines whether the TSA uses a time stamping certificate from the user's Current User store or the PFX file defined in PFX_Path.

PFX_Serial does not need to be set if a PFX is being used; Aloaha sets it automatically. It contains the certificate serial number.

PFX_Serial should be set if a certificate from the Current User store is used and that store contains several time stamping certificates. If it is NOT set, Aloaha will use the first time-stamping-enabled certificate found in the store.

TSACount contains the number of time stamping tokens issued. The start value is set automatically and is built from the date and time of the local machine.

TSA_OID_ASN contains the OID used in the issued time stamping token. If it is not set, Aloaha will use its default value.

UseMachineStore defines whether the Current User store or the Local Machine store is used. The default is 0. If you set it to 1, the Local Machine store is used. This setting is only for the experienced user!

SNTPServer contains the NTP server to be contacted to synchronize the local machine clock.

NTPPollingTime defines the time in minutes between NTP synchronizations.

Aloaha WebServer Registry Settings

The Aloaha Webserver is configured in HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Aloaha\WebServer and HKEY_CURRENT_USER\Software\Aloaha\WebServer

The HKLM settings are used when the HKCU settings do not exist OR when the service is running under the Local System account.

If LocalHostOnly is set, access to the web server is ONLY possible from the local machine.

Port defines the TCP port the server is listening on.

RootPath defines the physical root path of the Webserver on your machine.
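The TSA settings in the previous post and the web server settings above interact: a standalone TSA signs with whatever PFX_Path or PFX_Serial selects, trusts the local clock unless SNTPServer is set, and listens on the network unless LocalHostOnly is set. The following added example (not Aloaha's code) encodes those rules as a small audit over the registry values. The value names and their meaning come from the two posts; the ERROR/WARN/INFO labels, the plain-dict interface and the optional winreg reader are this example's own conventions, and effective_webserver_settings implements the HKLM/HKCU precedence rule stated above.

```python
"""Sanity-check the Aloaha TSA and WebServer registry settings described in the posts.

Added example, not Aloaha's code. The value names and their meaning come from the
posts; the ERROR/WARN/INFO labels, the dict-based interface and the optional winreg
reader are this example's own conventions.
"""
import sys
from typing import Dict, List, Optional

Settings = Dict[str, object]


def _as_int(value: object, default: Optional[int] = None) -> Optional[int]:
    """Registry values may arrive as REG_SZ text or REG_DWORD ints; accept both."""
    try:
        return int(str(value).strip())
    except (TypeError, ValueError):
        return default


def audit_tsa_settings(tsa: Settings) -> List[str]:
    """Findings for HKCU\\Software\\Aloaha\\TSA, following the rules in the post."""
    findings: List[str] = []
    if _as_int(tsa.get("UseCertfromStore"), 0) == 0:
        # PFX mode: the key file is the signing key; PFX_Serial is filled in by Aloaha.
        if not tsa.get("PFX_Path"):
            findings.append("ERROR: UseCertfromStore=0 but PFX_Path is empty, so there is no signing certificate")
    else:
        # Store mode: without a serial the first time-stamping certificate found wins.
        if not tsa.get("PFX_Serial"):
            findings.append("WARN: UseCertfromStore=1 without PFX_Serial; the first time-stamping certificate in the store will be used")
        if _as_int(tsa.get("UseMachineStore"), 0) == 1:
            findings.append("INFO: UseMachineStore=1 selects the Local Machine store (experienced users only)")
    if not tsa.get("SNTPServer"):
        findings.append("WARN: SNTPServer is not set; token times depend on the unsynchronised local clock")
    elif (_as_int(tsa.get("NTPPollingTime")) or 0) <= 0:
        findings.append("WARN: NTPPollingTime should be a positive number of minutes")
    return findings


def effective_webserver_settings(hklm: Settings, hkcu: Optional[Settings],
                                 runs_as_local_system: bool) -> Settings:
    """HKLM applies when the HKCU key does not exist or the service runs as Local System."""
    if hkcu is None or runs_as_local_system:
        return dict(hklm)
    return dict(hkcu)


def audit_webserver_settings(web: Settings) -> List[str]:
    """Findings for the Aloaha\\WebServer key."""
    findings: List[str] = []
    port = _as_int(web.get("Port"))
    if port is None or not 1 <= port <= 65535:
        findings.append("ERROR: Port is missing or not a valid TCP port")
    if _as_int(web.get("LocalHostOnly"), 0) != 1:
        findings.append("INFO: LocalHostOnly is not set; the web server accepts connections from the network")
    if not web.get("RootPath"):
        findings.append("ERROR: RootPath is empty; the server has no document root")
    return findings


def read_registry_values(hive_name: str, subkey: str) -> Optional[Settings]:
    """Windows only: all values of a key as a dict, or None if the key does not exist."""
    if sys.platform != "win32":
        raise OSError("registry access requires Windows")
    import winreg  # imported lazily so the audit functions stay usable elsewhere
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), subkey) as key:
            values: Settings = {}
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    return values
                values[name] = data
                index += 1
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Constructed sample: a standalone install with a PFX, no NTP server and the
    # built-in web server reachable from the network. Paths are placeholders.
    tsa = {"UseCertfromStore": "0", "PFX_Path": r"C:\Aloaha\tsa.pfx"}
    web = effective_webserver_settings({"Port": "8081", "LocalHostOnly": "0", "RootPath": r"C:\Aloaha\www"},
                                       None, runs_as_local_system=True)
    for finding in audit_tsa_settings(tsa) + audit_webserver_settings(web):
        print(finding)
```

On a Windows host the two dicts would come from read_registry_values("HKEY_CURRENT_USER", r"Software\Aloaha\TSA") and the matching WebServer keys; everywhere else the audit functions can be run on exported values.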

Aloaha RFC 3161 and Authenticode compliant Time-Stamping Server released

Independently-Verifiable and Long-Lasting Proof of Electronic Record Authenticity

The Aloaha Time-Stamping Authority is a cryptographic time stamping service that enables organizations or individuals to apply tamper-evident digital “Seals” to all forms of digital information. It provides long-term and independent proof that the information existed at a particular point in time and has not been altered since.

Time stamping authorities are therefore also called electronic notaries.

The Aloaha Time Stamping Authority can be deployed on any Windows Machine in the enterprise or in the cloud and provides an ideal solution to the challenges of intellectual property protection, digital evidence protection, and proving the authenticity of electronic records and files.

The Aloaha Time Stamping Authority can be used to meet a broad range of data integrity objectives, including safeguarding critical documents against tampering and alteration, proving the authenticity of records, protecting digitally based intellectual property, preserving digital evidence, demonstrating regulatory compliance, and ensuring litigation readiness.

Built on the RFC 3161 and Authenticode digital time stamping standards, the Aloaha Service enables organizations to protect the integrity and prove the authenticity of any form of digital data, including electronic documents and records, spreadsheets, web pages or other digital evidence, electronic health records, emails, photographs, scanned images, audio, video, source code, engineering and CAD diagrams, X-rays, audit logs, and more.

Aloaha offers a wide variety of ways for organizations to use or integrate the Aloaha Service. With easy-to-use desktop products, integrations into commercially available electronic content management (ECM) systems, scriptable interfaces, and a variety of software development kits, organizations of all sizes and industries can easily and cost-effectively use Aloaha to protect their critical digital information, no matter its format or where it resides.

To try it out, just download the installer from http://www.aloaha.com/download/tsa.zip and request an evaluation key from info@aloaha.com.

A free time stamping certificate with the correct OID is included and preconfigured in the setup! If you need a different one, please let us know!

Once the Aloaha Time Stamping Authority is installed, licensed and configured, time stamps can be requested via:

• an Automation-compatible COM interface

• an HTTP POST request to the internal web server
(example URL for POST requests: http://card.aloaha.com:8081/tsa.aspx)

• Web Services
(example Web Service: http://card.aloaha.com:8081/default.asmx)

Authenticode AND RFC 3161 requests are served via the same URL!
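Two things are worth seeing in code here: what an RFC 3161 request POSTed to tsa.aspx actually contains, and how a server can tell such a request from a legacy Authenticode one, which the earlier post says the Aloaha TSA does automatically. The following is an added example and not Aloaha's code; it does not show how Aloaha's own detection works. It builds a complete RFC 3161 TimeStampReq in pure Python (SHA-256 imprint, random nonce, certReq), parses it back as a TSA would, and classifies an incoming POST body by its first DER element: a TimeStampReq starts with the version INTEGER, while a legacy Authenticode request is base64 text whose decoded SEQUENCE starts with the SPC_TIME_STAMP_REQUEST OID 1.3.6.1.4.1.311.3.2.1. The Authenticode sample is a constructed skeleton with an empty content placeholder, and post_timestamp_request needs network access and is only shown.

```python
"""Build an RFC 3161 TimeStampReq and tell it apart from a legacy Authenticode request.

Added example, not Aloaha's code. It relies only on the RFC 3161 wire format and on
the Authenticode SPC_TIME_STAMP_REQUEST OID (1.3.6.1.4.1.311.3.2.1); how Aloaha's
tsa.aspx itself decides which token to issue is not described in the post.
"""
import base64
import hashlib
import secrets
import urllib.request
from typing import Optional

SHA256_OID = "2.16.840.1.101.3.4.2.1"
SPC_TIME_STAMP_REQUEST_OID = "1.3.6.1.4.1.311.3.2.1"


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(n: int) -> bytes:
    # (bit_length + 8) // 8 keeps a leading 0x00 when the top bit is set (positive INTEGER)
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                 # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_timestamp_request(data: bytes, nonce: Optional[int] = None, cert_req: bool = True) -> bytes:
    """TimeStampReq over SHA-256(data); certReq asks the TSA to return its certificate."""
    if nonce is None:
        nonce = secrets.randbits(64)      # lets the client match the reply to this request
    algorithm = _tlv(0x30, _der_oid(SHA256_OID) + b"\x05\x00")   # AlgorithmIdentifier
    imprint = _tlv(0x30, algorithm + _tlv(0x04, hashlib.sha256(data).digest()))
    body = _der_int(1) + imprint + _der_int(nonce)
    if cert_req:
        body += _tlv(0x01, b"\xff")       # BOOLEAN TRUE
    return _tlv(0x30, body)


def parse_timestamp_request(der: bytes) -> dict:
    """Decode the fields a TSA needs before issuing a token."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("TimeStampReq must be a SEQUENCE")
    tag, version, pos = _read_tlv(body, 0)
    tag2, imprint, pos = _read_tlv(body, pos)
    if tag != 0x02 or tag2 != 0x30:
        raise ValueError("expected version INTEGER followed by MessageImprint")
    _, algorithm, ipos = _read_tlv(imprint, 0)
    _, digest, _ = _read_tlv(imprint, ipos)
    _, oid, _ = _read_tlv(algorithm, 0)
    req = {"version": int.from_bytes(version, "big"), "hash_oid": _decode_oid(oid),
           "digest": digest, "nonce": None, "cert_req": False}
    while pos < len(body):                # optional reqPolicy, nonce, certReq
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x06:
            req["policy"] = _decode_oid(value)
        elif tag == 0x02:
            req["nonce"] = int.from_bytes(value, "big")
        elif tag == 0x01:
            req["cert_req"] = value == b"\xff"
    return req


def classify_request(body: bytes) -> str:
    """'rfc3161' for a DER TimeStampReq, 'authenticode' for a (base64) legacy request, else 'unknown'."""
    if body[:1] != b"\x30":               # Authenticode clients POST base64 text
        try:
            body = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            return "unknown"
        if body[:1] != b"\x30":
            return "unknown"
    try:
        _, inner, _ = _read_tlv(body, 0)
        first_tag, first_value, _ = _read_tlv(inner, 0)
    except IndexError:
        return "unknown"
    if first_tag == 0x02:
        return "rfc3161"
    if first_tag == 0x06 and first_value and _decode_oid(first_value) == SPC_TIME_STAMP_REQUEST_OID:
        return "authenticode"
    return "unknown"


def post_timestamp_request(url: str, der_request: bytes, timeout: float = 5.0) -> bytes:
    """POST with the RFC 3161 media type; returns the raw TimeStampResp (needs network)."""
    req = urllib.request.Request(url, data=der_request, method="POST",
                                 headers={"Content-Type": "application/timestamp-query"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


# Constructed skeleton of a legacy Authenticode request: only the leading OID is
# realistic; the content is an empty placeholder so the classifier has something to inspect.
SAMPLE_AUTHENTICODE_REQUEST = base64.b64encode(
    _tlv(0x30, _der_oid(SPC_TIME_STAMP_REQUEST_OID) + _tlv(0x30, b"")))

if __name__ == "__main__":
    request = build_timestamp_request(b"constructed sample document")
    print(classify_request(request), parse_timestamp_request(request)["hash_oid"])
    print(classify_request(SAMPLE_AUTHENTICODE_REQUEST))
    # print(post_timestamp_request("http://card.aloaha.com:8081/tsa.aspx", request).hex())
```

A TSA that accepts both formats on one URL has to make exactly this decision before it parses anything else, and should reject bodies that are neither rather than guessing; the nonce in the request is what lets the client later check that the returned token answers its own request.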

Please contact info@aloaha.com for further information!

Standalone Aloaha Web Server with ASP.NET support released!

Aloaha has just released a standalone web server with ASP.NET support. Just start AloahaWeb.exe from https://dl.dropbox.com/u/20338532/neverdelete/WebServer/AloahaWeb.exe and give it a go.

The Aloaha Web Server is a free, lightweight and redistributable web server that can host ASP.NET 3.5, 3.0, 2.0 and 1.1 applications and static HTML sites. Whenever your customers need an alternative to IIS, Aloaha Web Server is the answer. Aloaha Web Server runs on all flavors of Windows XP including Windows XP Home, Windows Vista/7/8, Windows 2000 and Windows 2003/2008 Server.

Aloaha created the web server for ASP.NET developers who want to create easily installable ASP.NET applications that do not require IIS.

By far the most important feature of the Aloaha Web Server is the ability for Visual Studio developers to include this very compact, yet very powerful ASP.NET web server in their applications' setup packages in just a matter of minutes.

Aloaha Web Server fully supports all ASP.NET features and is capable of running applications, as long as the applications do not depend on IIS-specific features, like IIS server variables.

Please try it with .aspx files to see how well we support ASP.NET.

For further questions or suggestions please contact info@aloaha.com

In case you need to run the web server as a Windows service, please install http://www.aloaha.com/download/tsa.zip. There is no licensing requirement when running this package as a web server only!

A demo Server is online at http://card.aloaha.com:8081. In case you want to use its demo web service (Time Stamping Authority) please reference http://card.aloaha.com:8081/default.asmx.

Please note that this standalone web server is also commercially available as a .NET component. Just drag and drop it into your .NET project to add web server and web service functionality to your own products. Please contact info@aloaha.com for further information! An evaluation version (license key required) is available at: https://dl.dropboxusercontent.com/u/20338532/neverdelete/WebServer/AloahaWebClass.zip


How do I install my own RFC 3161 Timestamping Authority?

Run your own Timestamping Server

There are two ways of operating the Aloaha Timestamping Authority. You can either integrate our COM interface into your IIS so that your IIS starts serving the timestamp tokens,

or

you just install our ready-to-go package http://www.aloaha.com/download/tsa.zip. Once installed, it will immediately start serving on port 8081, for example http://<your host>:8081/tsa.aspx. Please note that the standalone package does NOT require any local web server, since it comes with its own tiny web server.

It is always suggested to start with the Timestamping Application from http://www.aloaha.com/download/tsa.zip. Should you decide to take the manual and more time-consuming route, please follow the steps below.

To integrate your own timestamping Authority into IIS you need:

  • Aloaha Cardconnector (http://www.aloaha.com/download/cardconnector.zip)
  • A web server on a Windows machine (ideally with ASP or ASP.NET support)
  • POST verb support enabled in the web server (deactivated by default in modern IIS!)

After you have installed and licensed the Aloaha Cardconnector (please note that the TSA needs a special license), you need to configure your web server. Even though PHP etc. will work, we can only give support for ASP and ASP.NET.

To configure your webserver please make sure that:

  1. It supports the POST verb (as mentioned above, modern IIS has this feature deactivated by default)
  2. You configure a Web Application and enable 32-bit support
  3. You configure the above Web Application to run as User X. User X must have access to the Time Stamping Certificate in your certificate store.
  4. Set HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Aloaha\TSA\UseCertfromStore to 1 so that Aloaha uses the best TSA certificate in the Current User store of User X
  5. Log on as User X in case you are going to use a software certificate, and import that certificate into the Current User store of User X.
  6. Log on as User X in case you are going to use an HSM module, and configure the HSM so that it maps the certificate into the Current User store of User X.

Now configure your ASP or ASP.NET Application.

ASP

Use a script similar to: http://card.aloaha.com/AloahaTSA/tsa.txt

ASP.NET

Use Code similar to:

http://card.aloaha.com/tsa/tsa.aspx.txt and http://card.aloaha.com/tsa/tsa.aspx.vb.txt

Please note that the core module is 32-bit. It is essential that you enable 32-bit support for your ASP/ASP.NET application. Furthermore, the application user requires access to the Current User store holding the certificate, or the certificate reference, of the Time Stamping Certificate!

It is also possible to use PFX files directly. In case you have questions or need assistance configuring your TSA, please do not hesitate to contact info@aloaha.com.

In case you require a ready-configured package without the need to write scripts, configure a web server, etc., please install http://www.aloaha.com/download/tsa.zip. A license can be requested at info@aloaha.com.

Our TSA Web Service is online at http://card.aloaha.com:8081/default.asmx

The normal POST URL is: http://card.aloaha.com:8081/tsa.aspx

The timestamp token archive can be found on: http://card.aloaha.com:8081/archive


How do I add my own Timestamping Authority to Aloaha?

In Aloaha there are several Timestamping Authorities pre-configured. We make sure that the listed Authorities are RFC compliant before we add them to the pre-configured list.

Nevertheless, it is possible for the user to add his own Authority. All that needs to be done is to edit tsa.ini and TSA.txt with the additional Authority. After that the user needs to open the Aloaha TSA settings and type (blind) the word aloaha into the TSA dropdown list.


Copyright © 1996-2013 Aloaha Software. All rights reserved.