8.1 How SecureLogin Uses Smart Cards

8.1.1 Prerequisites

SecureLogin supports ActivClient 6.x and 7.x and the Microsoft BaseCSP minidriver only. ActivClient 6.2 is supported on both 32-bit and 64-bit systems on all platforms.

To enable smart card support in SecureLogin, the Use smart card option must be selected during installation. This is required regardless of whether you intend to set the SecureLogin security preference Require smart card is present for SSO and administration operations.

IMPORTANT: Contact NetIQ Support for information about other cryptographic service providers.

See Installing SecureLogin for Smart Cards for more information about enabling smart card support during installation and deployment.

NOTE: When you use eDirectory to create a certificate for a smart card user, ensure that the key usage options Digital Signature and Key Encipherment are selected.
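The following PowerShell function is an added example, not part of the NetIQ documentation, for checking that a smart card user's certificate actually carries the two key usages the note requires. It inspects the certificates visible in the user's personal store (the minidriver propagates the card's certificates there when the card is inserted) or a certificate loaded from a file; the file path in the commented line is a placeholder.

```powershell
# Added example (not from the NetIQ documentation): verify that a certificate
# carries the Digital Signature and Key Encipherment key usages that the
# NOTE above requires, and that it is usable (private key present, not expired).

function Test-SecureLoginKeyUsage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Type literal kept in a variable so the flag names stay readable below
        $KU = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
        $required = $KU::DigitalSignature -bor $KU::KeyEncipherment

        # The Key Usage extension (OID 2.5.29.15) may be absent entirely;
        # an absent extension counts as "no usages" and therefore fails.
        $ext = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $present = if ($ext) { $ext.KeyUsages } else { $KU::None }

        [pscustomobject]@{
            Subject             = $Certificate.Subject
            Thumbprint          = $Certificate.Thumbprint
            NotAfter            = $Certificate.NotAfter
            KeyUsage            = $present
            HasDigitalSignature = (($present -band $KU::DigitalSignature) -ne 0)
            HasKeyEncipherment  = (($present -band $KU::KeyEncipherment) -ne 0)
            HasPrivateKey       = $Certificate.HasPrivateKey
            # Ok only when BOTH required usages are set, a private key is
            # associated with the certificate, and it has not expired.
            Ok                  = ((($present -band $required) -eq $required) -and
                                   $Certificate.HasPrivateKey -and
                                   ($Certificate.NotAfter -gt (Get-Date)))
        }
    }
}

# Check every certificate currently visible in the user's personal store.
Get-ChildItem Cert:\CurrentUser\My |
    Test-SecureLoginKeyUsage |
    Format-Table Subject, HasDigitalSignature, HasKeyEncipherment, HasPrivateKey, NotAfter, Ok -AutoSize

# Or check an exported certificate file (placeholder path):
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\user.cer'
# Test-SecureLoginKeyUsage -Certificate $cert
```

A certificate that reports Ok = False here will typically be accepted by the card middleware but fail at the point where SecureLogin tries to sign or encrypt with it, so running this check before rolling cards out saves a support call later.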

8.1.2 Using Smart Card to Log In to Workstation

SecureLogin allows a user to log in with a smart card as an alternative to the username and network password.

However, a user can log in with a smart card to access the SecureLogin credentials only if the Use smart card option was selected during installation.

If the smart card option was not selected during installation, a user attempting to access SecureLogin on the workstation must log in with a username and network password.

8.1.3 Strong Authentication Methods

Advanced Authentication

SecureLogin uses the AAVerify application definition command to enforce strong authentication for applications that cannot provide such a mechanism natively. AAVerify can also be used to add user authentication to applications that have no authentication interface of their own. Use this command in conjunction with NetIQ Advanced Authentication Framework or NetIQ Modular Authentication Services (NMAS) to force users to log in to the configured application with a smart card.

For details of the AAVerify application definition command, see the NetIQ SecureLogin 9.0 Application Definition Guide.

New Functionality in the AAVerify Command

The earlier version of the AAVerify command relies on NMAS: any NMAS-supported method, such as a smart card, can be deployed in the back end to process re-authentication requests. In Active Directory environments, this support is provided by NetIQ Advanced Authentication Framework.

The AAVerify command provides a secure method of re-authenticating users, proving the user's identity before SecureLogin injects credentials into a sensitive application.

To process the re-authentication request, the AAVerify command takes into account the method by which the user is currently logged in and the user's directory connectivity status.

If the user logged in with a username and password, the user is prompted to re-authenticate with that password, regardless of whether the workstation is offline or online.

If the user logged in with a smart card, the user is prompted to re-authenticate with the original smart card PIN, regardless of whether the workstation is offline or online.

The new AAVerify command is independent of NMAS and can enforce strong re-authentication using a smart card and PIN, or a password, without installing NMAS.

This command caters to a mixed environment in which one of the following conditions exists:

  • A user logs in to a number of workstations using a combination of smart card and password authentication.

  • Several users log in to one workstation using either smart card or password authentication.

The New ?IsPin Variable

?IsPin is a new SecureLogin variable, available in Microsoft Active Directory mode only.

This variable is generated automatically when a user logs in. It records whether the user logged in to the workstation with a smart card and PIN or with a password.

When the ?IsPin variable is read from an application definition, it indicates the following:

  • If the returned value is true, the user logged in with a smart card, and only the PIN value is passed through to SecureLogin.

  • If the returned value is false, the user logged in with a password.

NOTE: The ?IsPin variable is updated only at login; it is not updated at a screen unlock. It therefore continues to reflect the method used at logon, even if the workstation has since been unlocked with a different credential.

Recommended Configuration

Whether to select the Use smart card option normally depends on whether you want SecureLogin users to store their single sign-on data on a smart card or to encrypt their directory data by using a PKI.

If you decide to allow users to log in to their workstations with a smart card and re-authenticate against that smart card, the Use smart card option must be selected during installation, regardless of the setting of Require smart card is present for SSO and administration operations.

NOTE: It is recommended that you use a smart card configuration policy to lock the screen on card removal, so that the smart card present in the reader always belongs to the currently logged-in user. Without it, a user can walk away with the card and the session stays open, or a different card can be inserted and used for re-authentication against that session.
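The following PowerShell is an added example, not part of the NetIQ documentation, that audits and optionally enforces the Windows-side setting behind this recommendation. Windows implements the policy with the ScRemoveOption string value under the Winlogon key (0 = no action, 1 = lock workstation, 2 = force logoff, 3 = disconnect a Remote Desktop session) together with the Smart Card Removal Policy service (SCPolicySvc), which must be running for the value to take effect; both are standard Windows components, not SecureLogin settings.

```powershell
# Added example (not from the NetIQ documentation): check that the workstation
# really locks on smart card removal. Both halves must be in place: the
# ScRemoveOption value AND a running SCPolicySvc service. A value of 1 with the
# service stopped or disabled does nothing, which is the usual way this
# control silently fails.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-SmartCardRemovalPolicy {
    $names = @{ '0' = 'No action'; '1' = 'Lock workstation'
                '2' = 'Force logoff'; '3' = 'Disconnect Remote Desktop session' }
    $raw = (Get-ItemProperty -Path $WinlogonKey -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
    if ([string]::IsNullOrEmpty($raw)) { $raw = '0' }   # an absent value behaves as "no action"
    $svc = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ScRemoveOption = $raw
        Behaviour      = $names[[string]$raw]
        ServiceStatus  = if ($svc) { $svc.Status } else { 'Not installed' }
        ServiceStart   = if ($svc) { $svc.StartType } else { 'n/a' }
        # Effective only when the policy locks or logs off AND the service is running
        Effective      = (($raw -in '1', '2') -and $svc -and ($svc.Status -eq 'Running'))
    }
}

function Set-SmartCardRemovalLock {
    # Requires an elevated prompt. Sets "Lock workstation" and makes the
    # service start automatically. On domain-joined machines prefer the
    # equivalent Group Policy (Interactive logon: Smart card removal behavior)
    # so that a local change is not overwritten at the next policy refresh.
    Set-ItemProperty -Path $WinlogonKey -Name ScRemoveOption -Value '1' -Type String
    Set-Service -Name SCPolicySvc -StartupType Automatic
    Start-Service -Name SCPolicySvc
    Get-SmartCardRemovalPolicy
}

# Audit the current state; run Set-SmartCardRemovalLock to enforce it.
Get-SmartCardRemovalPolicy
```

Effective = False with Behaviour = "Lock workstation" is the case to look for in a fleet audit: the registry value is set, but SCPolicySvc is not running, so removing the card does nothing.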

Example Application Definition

The following application definition shows how to call the AAVerify command based on the login method, using the Notepad application. After Notepad starts, AAVerify is invoked to prompt the user to re-authenticate with the same method the user used to log in to the workstation. Credentials are typed into the application only if re-authentication succeeds; failure or cancellation ends the script without injecting anything.

Dialog
Class Notepad
EndDialog

# Route AAVerify failures and cancellations to the handlers below
OnException AAVerifyFailed Call AAVerifyFailed
OnException AAVerifyCancelled Call AAVerifyCancelled

# Re-authenticate with the same method the user used at workstation logon
If ?isPin Eq "true"
   AAVerify -method "smartcard" ?result
Else
   AAVerify -method "password" ?result
EndIf
ClearException AAVerifyFailed
ClearException AAVerifyCancelled

# Only reached when re-authentication succeeded
Type $username
Type \n
Type $password
Type \n

Sub AAVerifyFailed
   MessageBox "Reauthentication failed."
   EndScript
EndSub

Sub AAVerifyCancelled
   MessageBox "Reauthentication cancelled."
   EndScript
EndSub
## EndSection: "Login Window"

Reauthenticating a Predefined Web Application

If the new AAVerify command is used to re-authenticate a Web browser-based application, or if the Prompt for device authentication for this device option is enabled for Web applications, the predefined application definition for the Web browser must be applied for that particular user; otherwise the re-authentication prompt can be confusing.

One Time Password

Maintaining multiple passwords places a high maintenance overhead on large enterprises, and the cost is significant wherever users use and manage multiple logins: help desk calls to reset forgotten passwords, provisioning every password when a new employee joins, and deleting the logins when an employee leaves.

A one-time password (OTP) reduces this cost, particularly for help desk calls to reset forgotten passwords, for ensuring that all passwords are provisioned when a new user starts, and for deleting them when an existing user leaves the organization.

SecureLogin integrates with ActivIdentity's one-time password authentication and provides the GenerateOTP application definition command, which can generate both synchronous and asynchronous soft-token authentication for smart card user authentication.

If you are using the One Time Password capability with 32-bit applications running on a 64-bit operating system in an ActivClient 7.x environment, set the following registry values. All three are String values under the same key; adjust the paths if ActivClient is installed somewhere other than the location shown.

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Protocom\SecureLogin\Security\

Name                                         Type     Set to                                                        Explanation
StorageDeviceInterfaceLibraryPKCS11-Wow64    String   C:\Program Files (x86)\HID Global\ActivClient\acpkcs211.dll   Path to the ActivClient PKCS#11 library (32-bit build, for WOW64 applications)
StorageDeviceInterfaceLibraryPKCS11-2        String   C:\Program Files\HID Global\ActivClient\acpkcs211.dll         Path to the ActivClient PKCS#11 library (64-bit build)
StorageDeviceInterfaceLibraryPKCS11          String   C:\Program Files\HID Global\ActivClient\acpkcs211.dll         Path to the ActivClient PKCS#11 library (64-bit build)
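The following PowerShell is an added example, not part of the NetIQ documentation, that writes the three values above and checks, before each write, that the library exists and carries a valid Authenticode signature. The reason for the check: SecureLogin loads whatever DLL these values name, so the values are a trust boundary; a wrong path, an unsigned binary, or a registry key writable by non-administrators is a way to get an arbitrary library loaded into the single sign-on process. The key and value names come from the table; the paths are the table's values and should be changed if ActivClient is installed elsewhere. Run from an elevated prompt.

```powershell
# Added example (not from the NetIQ documentation): configure the ActivClient
# PKCS#11 library paths for SecureLogin, verifying each library first.

$SecurityKey = 'HKLM:\SOFTWARE\Protocom\SecureLogin\Security'
$Pkcs11Libraries = @{   # values from the table above; adjust for a non-standard install
    'StorageDeviceInterfaceLibraryPKCS11'       = 'C:\Program Files\HID Global\ActivClient\acpkcs211.dll'
    'StorageDeviceInterfaceLibraryPKCS11-2'     = 'C:\Program Files\HID Global\ActivClient\acpkcs211.dll'
    'StorageDeviceInterfaceLibraryPKCS11-Wow64' = 'C:\Program Files (x86)\HID Global\ActivClient\acpkcs211.dll'
}

function Test-Pkcs11Library {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Signature = 'n/a'; Signer = $null; Ok = $false }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        Signature = $sig.Status                  # only 'Valid' is acceptable
        Signer    = $sig.SignerCertificate.Subject
        Ok        = ($sig.Status -eq 'Valid')
    }
}

function Get-NonAdminWriters {
    # Identities other than SYSTEM/Administrators/TrustedInstaller that can
    # write values under the key; anything listed here can redirect the DLL.
    (Get-Acl -Path $SecurityKey).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.RegistryRights -match 'SetValue|WriteKey|FullControl' -and
                       $_.IdentityReference -notmatch 'SYSTEM|Administrators|TrustedInstaller' } |
        Select-Object IdentityReference, RegistryRights
}

function Set-SecureLoginPkcs11Libraries {
    param([switch]$DryRun)
    if (-not (Test-Path $SecurityKey)) { New-Item -Path $SecurityKey -Force | Out-Null }

    foreach ($entry in $Pkcs11Libraries.GetEnumerator()) {
        $check = Test-Pkcs11Library -Path $entry.Value
        if (-not $check.Ok) {
            Write-Warning "Skipping $($entry.Key): $($entry.Value) (exists=$($check.Exists), signature=$($check.Signature))"
            continue
        }
        if ($DryRun) { "Would set $($entry.Key) = $($entry.Value) (signed by $($check.Signer))"; continue }
        Set-ItemProperty -Path $SecurityKey -Name $entry.Key -Value $entry.Value -Type String
    }

    $writers = Get-NonAdminWriters
    if ($writers) { Write-Warning "Non-administrators can modify $SecurityKey :"; $writers | Format-Table -AutoSize }

    # Show what SecureLogin will now read
    Get-ItemProperty -Path $SecurityKey | Select-Object StorageDeviceInterfaceLibraryPKCS11*
}

Set-SecureLoginPkcs11Libraries -DryRun
# Set-SecureLoginPkcs11Libraries      # apply for real
```

Keep the -DryRun run in a change record: it lists the signer of each library that would be referenced, which is what an auditor will ask for when the SSO process starts loading a PKCS#11 module from outside the ActivClient directory.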

Smart Card Password Login

ActivIdentity’s Smart Card Password Login (SCPL) provides smart card-based Windows login that is not PKI-based. SCPL, when used in conjunction with SecureLogin, stores and manages a user’s Windows login and SecureLogin credentials. It provides efficient network login by allowing a user to simply insert their smart card and enter their PIN.

Smartcard Application Reauthentication

You can configure SecureLogin to re-authenticate an application by using the SecureLogin Administrative Management utility or the application definition wizard. To do so, enable Prompt for device re-authentication for this application and configure the Re-authentication method.

IMPORTANT: Basecsp.dll supports only smart card authentication. It does not support smart card re-authentication, even in Kiosk mode. To allow re-authentication, use acpkcs.dll.

For more information, see Section 11.0, Reauthenticating Applications.