Tag: windows

Aloaha Smartlogin with central credential store

Aloaha Smartlogin contains a Credential Provider for Windows Vista/7/8/2008/2012 and a GINA for older Windows versions. It supports many different ways to log a user on to the Windows session.

Active Directory is supported but NOT required!

The most popular way of using Aloaha Smartlogin without Active Directory is with “any Smartcard natively supported by Windows or 3rd party middleware” as explained in http://blog.aloaha.com/2012/08/13/what-are-softtoken-in-aloaha-smartlogin/

We have now introduced new registry settings that allow the user to maintain one central, server-based CredentialStore.

If you point the registry key "HKLM\Software\<Wow6432Node\>Aloaha\CSP\ForcedCredentialStore" to a share in your network, Aloaha will automatically copy all files from that network store to the local machine's credential store (<installdir>\CredentialStore) whenever the user logs on.

Many important settings are saved in the local file UserPass.ini. If you point "HKLM\Software\<Wow6432Node\>Aloaha\CSP\MasterUserPassIni" to a file, this file will be automatically copied to the file defined in "HKLM\Software\<Wow6432Node\>Aloaha\CSP\UserPassIni" (usually <installdir>\UserPass.ini).
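Because everything in the central store and the master UserPass.ini is copied to each machine at logon, whoever can write to those locations controls the logon configuration of every client. The following PowerShell check is an added example, not Aloaha's own code; it lists the identities that hold write-type rights on the configured paths. It assumes ForcedCredentialStore and MasterUserPassIni are string values under the Aloaha\CSP key; the function name is hypothetical.

```powershell
# Added example: who can modify the central sources Aloaha copies at logon?
# Assumption: both settings are string values under the Aloaha\CSP key.
$cspKeys    = 'HKLM:\SOFTWARE\Aloaha\CSP', 'HKLM:\SOFTWARE\Wow6432Node\Aloaha\CSP'
$valueNames = 'ForcedCredentialStore', 'MasterUserPassIni'

# Write-type rights only; Modify/FullControl are deliberately not in the mask
# because they contain read bits and would match read-only entries.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericWriteOrAll = 0x50000000   # GENERIC_WRITE | GENERIC_ALL as they appear in raw ACEs

function Get-AloahaCentralSourceWriters {   # hypothetical helper name
    foreach ($key in $cspKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $valueNames) {
            $path = $props.$name
            if ([string]::IsNullOrWhiteSpace($path)) { continue }
            if (-not (Test-Path -LiteralPath $path)) {
                Write-Warning "$name points to '$path', which is not reachable"
                continue
            }
            foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $rights = [int]$ace.FileSystemRights
                if (($rights -band [int]$writeMask) -or ($rights -band $genericWriteOrAll)) {
                    [pscustomobject]@{
                        Setting  = $name
                        Path     = $path
                        Identity = $ace.IdentityReference.Value
                        Rights   = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

Get-AloahaCentralSourceWriters | Sort-Object Path, Identity | Format-Table -AutoSize
```

The output covers NTFS permissions only; share-level permissions on the file server apply in addition and need to be reviewed there.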

Please do not hesitate to contact us at info@aloaha.com in case you need further, personal assistance.

 


JCOP and Muscle Applet now supported by Aloaha (contact and contactless)

The latest release of the Aloaha Smartcard Middleware Aloaha Smartcard Connector (http://www.aloaha.com/download/cardconnector.zip) now also supports the popular Muscle Applet.

Included in the Middleware is a Crypto Service Provider, PKCS #11 Module, Harddisk Encryption and a Password Safe.

As an add-on the user can use Aloaha's Smartlogin for Smartcard-based Windows Logon with or without Active Directory. (http://www.aloaha.com/download/smartlogin.zip)


Aloaha releases new version of “Aloaha Smartlogin”

With faster machines and even faster hard drives (SSD) holding large rainbow tables the average cracking time on a dual processor machine came down to just 15 minutes (according to OBJECTIF SÉCURITÉ).

Also a good German article: http://www.n-tv.de/technik/Passwoerter-werden-unsicherer-article10092261.html

A good English article: http://www.deloitte.com/view/en_GX/global/industries/technology-media-telecommunications/tmt-predictions-2013/tmt-predictions-2013-technology/9eb6f4efcbccb310VgnVCM1000003256f70aRCRD.htm

With that in mind, it is time to consider different logon mechanisms with extremely large passwords or two-factor authentication.

The Aloaha Smartlogin is one Credential Tile (or Gina on XP) hosting a large number of new authentication methods:

1. Traditional Smartcard Certificate Login via Kerberos (Active Directory required)
Any smartcard holding a certificate issued by the domain CA can be used as a two-factor authentication token without the user even having to have or know a password. Obviously this also works via RDP.

2. Smartcard Login via Credentials encrypted with the certificate of the Smartcard.
Basically, Username, optional Domain and Password are encrypted with the certificate. This encrypted token is used to authenticate the user. Passwords can be chosen to be extremely long. The user just needs to remember the PIN of the Smartcard. Aloaha will then use the smartcard to decrypt the extremely long password and pass it to the machine for authentication.
This mode supports Active Directory but does NOT require it. It also works via RDP.
Since there are no requirements on the certificate, this mode is suggested for e-Health Cards, ATM Cards, Company Cards, etc.

3. Credentials saved on a PKCS11 Token.
Here, too, the user can choose an extremely long password. He does not need to remember it since it is stored inside the PKCS11 token. The user only needs to type in the PIN of the token to enable Aloaha to read the extremely long password and pass it on for authentication.
This mode supports Active Directory but does NOT require it.

4. Credentials saved on a plain memory card
In this mode it is possible to use very cheap i2c memory cards. Certificates or Active Directory are not required since no RSA encryption is involved.
Passwords are NOT saved on the memory card; only a hash is. This hash is compared to the hash of the entered password, and a logon is granted only if they match. So even if someone manages to crack a password he would still need the matching card to get access to the machine.

5. Credentials saved on a plain USB Memory Stick or mobile phone.
This method works similarly to the PKCS11 mechanism BUT cannot be considered as secure as methods 1-3. It will work ONLY at the console since RDP sessions are NOT supported. This mode is freeware and does not require any license.

6. Custom Plugins
The Aloaha Smartlogin supports custom plugins so that customers are able to create their own authentication mechanisms.

The evaluation version can be downloaded from http://www.aloaha.com/download/smartlogin.zip

Your evaluation key is: 8CAAEF6D4-C9D980551-03136DBC5-438EADB32-AC1567A23-2E1E2256E (two weeks from today)
More information can be found on http://www.aloaha.com/smartcard-software-en/aloaha-credential-provider.php and of course in our blog on http://blog.aloaha.com/category/aloaha-smartcard-software-en/aloaha-smart-login/

 

SecureSIM: Aloaha secureSIM


How to filter credential providers from the Windows Logon User Interface using Aloaha's Credential Provider Filter

Some weeks ago we explained how to disable unwanted Credential Providers completely.

http://blog.aloaha.com/2012/08/20/how-to-hide-credential-providers-from-the-windows-logon-user-interface-using-windows-group-policy/

Aloaha Credential Provider Filter

In some cases Credential Providers should be hidden from the Logon User Interface BUT still be usable from within the session. For example, someone might not want to see the Username/Password Tile during logon but obviously still requires it when mounting a network drive or connecting via RDP to another machine. In those cases you cannot hide/disable the providers via Windows group policy; a Credential Provider Filter is required.

Aloaha Smartlogin comes with an integrated Credential Provider Filter that can hide Tiles from the Windows Logon Interface WITHOUT removing their functionality inside the session.

To activate the Aloaha Credential Provider Filter you need to open the file UserPass.ini in the installation folder. In the section CredentialProviders you can configure a separate filter for each provider. To enable a filter, set it to 1. Below is the section that disables ALL non-Aloaha Providers:

[CredentialProviders]
25CBB996-92ED-457e-B28C-4774084BD562=1
3dd6bec0-8193-4ffe-ae25-e08e39ea4063=1
503739d0-4c5e-4cfd-b3ba-d881334f0df2=1
6f45dc1e-5384-457a-bc13-2cd81b0d28ed=1
8bf9a910-a8ff-457f-999f-a5ca10b4a885=1
94596c7e-3744-41ce-893e-bbf09122f76a=1
AC3AC249-E820-4343-A65B-377AC634DC09=1
e74e57b0-6c6d-44d5-9cda-fb2df5ed7435=1
F8A0B131-5F68-486c-8040-7E8FC3C85BB6=1
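A fixed GUID list only covers the providers that existed when it was written; a provider installed later stays visible at logon until its GUID is added. The following PowerShell check is an added example, not part of Aloaha Smartlogin; it compares the [CredentialProviders] section with the providers currently registered in Windows. The function name is hypothetical and the path to UserPass.ini must be supplied.

```powershell
# Added example: report which registered credential providers are covered by
# the [CredentialProviders] filter section of UserPass.ini.
function Get-CredentialProviderFilterCoverage {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$IniPath)

    # Collect the GUIDs that are set to 1 in the [CredentialProviders] section.
    $filtered  = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $IniPath) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'CredentialProviders')
            continue
        }
        if ($inSection -and $line -match '^\{?([0-9a-f-]{36})\}?\s*=\s*1$') {
            [void]$filtered.Add($Matches[1])
        }
    }

    # Providers registered with Windows; each subkey is named {GUID}.
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    foreach ($key in Get-ChildItem -Path $root) {
        $guid = $key.PSChildName.Trim('{}')
        [pscustomobject]@{
            Guid     = $guid
            Name     = $key.GetValue('')      # default value holds the display name
            Filtered = $filtered.Contains($guid)
        }
    }
}

# Usage (replace the placeholder with the real installation folder):
# Get-CredentialProviderFilterCoverage -IniPath '<installdir>\UserPass.ini' |
#     Where-Object { -not $_.Filtered } | Format-Table -AutoSize
```

The unfiltered rows are expected to include the Aloaha provider itself; any other unfiltered entry is a tile that will still be offered on the logon screen.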

 

 

 


Autoprint PDF documents

With the Aloaha PDF Suite Server (http://www.aloaha.com/wi-software-en/aloaha-pdf-suite-server1.php) it is possible to print PDFs fully automatically and without user intervention. You just need to drop them into the dedicated hotfolder.

First set up the Aloaha PDF Suite to run non-interactively. To do so, right-click on the grey system tray icon and disable Interactiv.

You could also run Aloaha as a windows service. Just remove the Aloaha Autostart/Startup shortcut and then open the service control center (services.msc). Now configure the PDF Suite Service to start automatically and start the service.

If you look into the Aloaha installation folder (usually <program files x86>\Wrocklage) you will find the subfolder autoprint. Every PDF dropped there will be printed to the configured printer. Please note that the autoprint folder contains a couple of subfolders. Every folder is dedicated to a specific printer, so ideally you use those subfolders!

Many people wish to configure properties of the hardcopy printer used. That can be done in hklm\software\aloaha\printer (globally) or hklm\software\aloaha\printer\<printer name> (per printer). Please note that the registry hive on 64-bit machines is: SOFTWARE\Wow6432Node\Aloaha

Settings can be configured directly in the registry as explained below OR just with the tool AutoPrintConfig (located in the installation folder)

Following settings are possible (please create values as DWord if they do not exist):

  1. PaperSize
    1 to 68, DMPAPER (Win32 API DEVMODE data structure)
  2. PaperLength
    in tenths of millimetres
  3. PaperWidth
    in tenths of millimetres
  4. Copies
    Number of copies
  5. PrintQuality
    1 = high, 2 = medium, 3 = low, 4 = draft
  6. Color
    1 = monochrome, 2 = color
  7. Duplex
    1 = simplex, 2 = vertical duplex, 3 = horizontal duplex
  8. Collate
    0 = no, 1 = yes
  9. Bin
    1 to 15, DMBIN (Win32 API DEVMODE data structure)
  10. MediaType
    1 = standard, 2 = transparency, 3 = glossy
  11. Orientation
    1 = portrait, 2 = landscape
  12. AutoRotateCenter
    1 = Rotate pages to fit on the output medium, and center on the page
  13. PageScaling
    0 = None, 1 = Fit to paper, 2 = Shrink large pages

 

Please contact info@aloaha.com for further information.


Health card (eGK): New Aloaha Cardconnector with new XML parser released.

The new German health card (eGK) contains data records that many cardholders would like to view. This is very easy with the Aloaha Cardconnector. You only need to install the Aloaha Smartcard Connector from http://www.aloaha.com/download/cardconnector.zip and then start the file HealthDataTest.exe from the installation folder, normally the folder Wrocklage in the “Program Files” folder.

Of course, not only the new eGKs can be viewed but also the old KVKs!

A license is NOT required for viewing the data records! A license is only required if you want to use the key material of the innovative card for signing or encryption.


Standalone Aloaha Web Server with ASP.NET support released!

Aloaha just released a stand alone Web Server with asp.net support. Just start the AloahaWeb.exe from https://dl.dropbox.com/u/20338532/neverdelete/WebServer/AloahaWeb.exe and give it a go.

The Aloaha Web Server is a free, light-weight and redistributable web server that can host ASP.NET 3.5, 3.0, 2.0 and 1.1 applications and static HTML sites. Whenever your customers need an alternative to IIS — Aloaha Web Server is the answer. Aloaha Web Server runs on all flavors of Windows XP including Windows XP Home, Windows Vista/7/8, Windows 2000 and Windows 2003/8 Server.

Aloaha created the web server for ASP.NET developers who want to create easily installable ASP.NET applications that do not require IIS.

By far the most important feature of the Aloaha Web Server is the ability for Visual Studio developers to include this very compact, yet very powerful ASP.NET web server in their applications’ setup packages in just a matter of minutes.

Aloaha Web Server fully supports all ASP.NET features and is capable of running applications, as long as applications are not dependent on features specific to IIS, like IIS server variables.

Please try it with .aspx files to see how well we support ASP.NET.

For further questions or suggestions please contact info@aloaha.com

In case you need to run the WebServer as a Windows Service please install http://www.aloaha.com/download/tsa.zip. There is no licensing requirement when running this package as a web server only!

A demo Server is online at http://card.aloaha.com:8081. In case you want to use its demo web service (Time Stamping Authority) please reference http://card.aloaha.com:8081/default.asmx.

 

Please note that this stand-alone Webserver is also commercially available as a .NET component. Just drag and drop it into your .NET Project to add Web Server and Web Service functionality to your own products. Please contact info@aloaha.com for further information! An evaluation version (license key required) is available at: https://dl.dropboxusercontent.com/u/20338532/neverdelete/WebServer/AloahaWebClass.zip


Aloaha Smartlogin GINA with any token

The Aloaha Smartlogin GINA supports a broad range of logon tokens, for example Memory Sticks, Memory Cards (i2c), PKI Smartcards and also PKCS11 Tokens.

Depending on the token detected the Aloaha GINA will look different.

On http://blog.aloaha.com/2012/08/14/aloaha-smart-login-gina/ we already explained PKI/Kerberos Cards.

Here we will explain the GINA for all NON-PKI or Kerberos Smartcards.

By default the screen will look like this:

Aloaha SmartLogin Gina any Token


In case the Domain/Username field is empty Aloaha will guess the Domain/Username automatically. With many tokens that is possible since the token itself contains the Username.

For that reason we made it easy to disable the Username Field completely. Just open <installdir>\Userpass.ini and edit the required entries as shown below:

[Generic]
DisableUserName=1
EnableUserName=0
AllowUP=1

After a reboot the result looks like this:

 

Aloaha Smart Login Gina no Username



Aloaha Smart Login GINA with PKI/Kerberos Smartcard

The idea of Aloaha Smartlogin is to support all types of Logon Tokens. For example Memory Sticks, Memory (i2c) Smartcards, PKI Smartcards, Mobiles, etc.

Depending on the type of card used the Aloaha GINA Logon Screen will look different.

PKI or Kerberos Smartcards are Smartcards which are supported by Windows, either natively or via 3rd Party Smartcard Middleware or Minidriver.

For Aloaha to be able to decide whether to treat a smartcard as a PKI card or just as an Encryption token, it requires an entry in <Installdir>\UserPass.ini.

The Middleware or Smartcard Name has to be set in the Kerberos Section as shown below. The example enables Safenet and Aloaha Smartcard as PKI Tokens.

PLEASE NOTE: PKI Tokens can ONLY be used for Domain Users! It is not possible to use them for stand-alone machines!

[Kerberos]
aloaha_3BDB18FFC080B1FE751F035A43372E352052455620416F=1
Aloaha Cryptographic Provider=1
Datakey M 330=1
eToken Base Cryptographic Provider=1

A number of tokens are hardcoded as PKI Tokens in Aloaha. Should you wish to add another token please contact info@aloaha.com

As soon as Aloaha detects a PKI Token the Logon GINA will look like this:

Aloaha GINA PKI Card Logon


 


Aloaha Smart Login Lock Screen Grace Period

When Aloaha Smartlogin is used in PKI/Kerberos or I2C Card Mode there is a grace period before the screen is locked after the card or reader is removed. This allows the User to quickly re-insert the card in case he removed it by accident.

By default this grace period is 10 seconds. In case it should be longer it can be changed via registry key: LogOffTimeOut

Furthermore, this grace period can be extended with a simple click on the button in the lower right corner.

Aloaha Smartlogin can be downloaded from http://www.aloaha.com/download/smartlogin.zip

Aloaha grace period screen

Aloaha Smart Login grace period screen

