Windows7Authenticatorx
snakesailboatSecurity
Feb 23, 2014

This document contains information proprietary to Microsoft Health Solutions Group. Any unauthorized use, reproduction, or disclosure of this document or its contents is expressly prohibited except as Microsoft may otherwise agree in writing.

Printed copies of this document are considered UNCONTROLLED. Verify current revision before using.

MICROSOFT CORPORATION
HEALTH SOLUTIONS GROUP

QUALITY SYSTEMS WORK ITEM

DEVELOPMENT DESIGN SPECIFICATION FOR VERGENCE WINDOWS 7/2008(R2) AUTHENTICATOR

Joey Wang




Dev Design Spec for Windows 7 Authenticator
Procedure Template: Vergence Windows 7 Authenticator
Document Number: TBD
Effective Date: July 31, 2011
Revision: 0.1
Page: 2 of 38
Feedback

Summary .......... 4
Requirement .......... 4
Design for End-user experience .......... 5
User logon experience .......... 6
Smart card authentication experience .......... 7
Windows 7 multi-session (Fast User Switch) experience .......... 8
Windows 7 shared workstation experience .......... 9
Admin configuration experience .......... 9
Wrapped Credential Provider .......... 10
Shared Workstation .......... 10
BridgeWorks Configuration .......... 11
Ctr-Alt-Del experience .......... 11
Way2Care use cases .......... 12
Architectural Design .......... 15
Components .......... 16
Communication .......... 17
Communication Security .......... 18
Detailed design .......... 18
Components State Model .......... 18
Identity matching .......... 20
Communication Address .......... 20
Communication Contract .......... 20
Badge initialization .......... 21
New BridgeWorks Functionality .......... 21
Reauthentication Functionality .......... 21
Password Change Functionality .......... 21
Login and Enrollment sequence .......... 21
Unlock private Workstation sequence .......... 23
Remote login sequence .......... 25
Shared Workstation login sequence .......... 28
Shared Workstation Unlock sequence .......... 30
Smart card sequence .......... 32
Installer .......... 34
Globalization .......... 34
Policy Compliance .......... 34
Dependencies .......... 34
Discussion and Open issues .......... 34
Approval .......... 34
Appendix A Vergence 4.5 SP2 Way2care Use cases .......... 34






SUMMARY

The Vergence 4.5 SP2 release fell short on several key features for Windows 7/2008(R2) support in comparison with Windows XP workstation support. The major shortcomings in the current Vergence Windows 7 implementation can be summarized as follows:

1. Lack of password reset support in the private workstation mode.
2. The user's AD credentials are not available to the remote sessions in Citrix/RDS/VDI.
3. Way2Care does not provide consistent behavior, especially when the screen saver is running.
4. Smart card authentication is disabled.
5. Citrix/WTS published applications do not share context with local applications on 64-bit Windows 7 workstations.

In addition to the above issues identified during the cross-functional review, the SP2 Windows 7 implementation has the following limitations:

6. The user desktop in the shared workstation mode is not adequately protected. The current Windows 7 shared workstation model inherits the XP implementation, in which Authenticator.exe protects the desktop. This protection is less secure than a true OS-locked workstation.
7. The user logon UX in shared workstation mode is inconsistent with the Windows 7 UX. Again, this is because the current shared workstation model implementation simply inherits the XP implementation, and hence has an XP-style logon dialog box.

The above limitations are due to a design that did not adequately account for the fundamental differences between the Windows 7 OS and its predecessors.

However, other features are missing from the SP2 release because they were not qualified, and hence were not included:

1. Open desktop support in Windows 7.
2. Virtual Windows 7 desktop (VDI).
3. Smart card identification in 64-bit Windows 7/2008(R2).
4. Biometric authentication.

For a detailed list of issues in the Vergence 4.5 SP2 release, please refer to the Vergence SP2 issues document.

This document outlines the improved design for Vergence Windows 7 support. It does not apply to XP: Vergence 4.5 SP3 will not make changes to the XP implementation other than bug fixes.

This document will not address the untested features listed above. Whether some of these features are included in the SP3 scope is an open question.

We start with the high-level requirements and a description of how our solution works from the end-user's point of view. These sections are designed primarily for non-technical readers. We then dive into a more technical discussion of the product design and implementation; non-technical readers may skip those sections.

REQUIREMENT





Vergence 4.5 SP3 shall support the following environments:

1. 32-bit Windows XP SP3 (not the focus of this document).
2. WTS from both 64- and 32-bit Windows 2003 (not the focus of this document).
3. WTS from Windows 2003 R2 (not the focus of this document).
4. Windows 7/XP based thin-client devices (specific brand to be determined).
5. Both 64- and 32-bit Windows 7.
6. RDS remote applications and desktops from both 64- and 32-bit Windows 2008.
7. RDS remote applications and desktops from Windows 2008 R2.
8. Published applications and desktops from Citrix XenApp 5.x and 6.0 on Windows 2008 and 2008 R2.
9. Virtual Windows XP/7 desktops in a VDI environment.

Vergence Windows 7 support is required to provide functional parity with Vergence XP support as far as possible. In addition, Vergence shall support the new functionality that comes with Windows 7. Specifically, the following Authenticator-related features are required:

1. Private workstation model. Because of the multi-session support in Windows 7 (Fast User Switch), Vergence shall also support multiple users sharing a single workstation in private mode in a kiosk environment. That is to say, the traditional shared workstation mode may be replaced by the multi-session private workstation mode.
2. Shared workstation model. This is the same model as the XP shared workstation model. Compared with the Windows 7 multi-session model, the Vergence shared workstation model supports run-hot applications.
3. Shared open desktop model. This is the same model as the XP open desktop.
4. Reauthentication, but not witnessing.
5. Way2Care with proximity badge and smart card identification.
6. User logon auditing, including both failed and successful logons.
7. Auth-factor and auth-type support.
8. Password reset.
9. Guest account.

What is not supported?

1. Novell
2. LDAP
3. Bio-key
4. Active proximity
5. Machine grace period. Today, in addition to Way2Care's enterprise grace period, we also provide a grace period that is limited to the current machine only. This functionality will be removed to simplify our solution. That means that, unless Way2Care is enabled, a user no longer has a grace period when returning to the same machine.

DESIGN FOR END-USER EXPERIENCE




Before we discuss the design from the technical point of view, let's discuss what the end-user experience should be when using our product in a Windows 7 environment. As much as we would like to provide functional parity between Windows 7 and XP, Windows 7 and Windows XP are fundamentally different operating systems and have different user experiences.

Vergence 4.5 SP3 Authenticator will keep the current XP design and implementation. It only enhances the Windows 7/2008(R2) implementation.

USER LOGON EXPERIENCE

Since Windows Vista, Microsoft has replaced the GINA architecture with the Credential Provider architecture for a better user logon experience.

In the XP logon case, a customized GINA DLL is loaded into the WinLogon process. The GINA DLL is responsible for rendering the logon dialog box for the end-user. Only one GINA DLL can be loaded by WinLogon. Therefore, 3rd-party GINA vendors typically use a technique called "GINA-chaining" to call another GINA DLL (often the default MSGINA.dll) to display the actual logon dialog box. The custom GINA inserts itself in the middle of the GINA-chain to modify the default user logon experience. That is exactly what the Sentillion Gina does for Vergence.

The Credential Provider architecture is quite different. It is a plug-in model where multiple 3rd-party Credential Providers can be loaded as plugins to extend the user's logon experience. Each Credential Provider provides one or more tiles for the end-user to choose from. Which Credential Provider is used to log the user on depends entirely on which tile the end-user chooses.

While the Gina model allows customization of the logon experience, the Credential Provider model extends the user logon experience.

Because multiple Credential Providers may exist on the end-user's machine, we want to make sure that the core functionalities of Vergence SSO and context management continue to work even if the end-user decides to choose other Credential Provider tiles.

The Credential Provider architecture does allow vendors to filter out other Credential Providers in the system to force the end-user to use their own Credential Provider. However, we decided not to take this approach, for the following reasons. (In certain cases, such as smart card identification, it may provide a better workflow if the Windows Smart card Credential Provider is filtered out. See the Smart card authentication experience section for details.)

1. It is inconsistent with the existing Windows 7 user logon experience and the Windows 7 Credential Provider design philosophy.
2. It can cause system instability when multiple vendors are doing exactly the same thing: filtering each other out. In the end, the system has no Credential Provider available for the user to log on with.
3. Interoperability between Credential Providers. Many vendors provide Credential Providers that wrap other Credential Providers, very much like Gina-chaining. If our Credential Provider filters out all other Credential Providers, the other Credential Providers won't be able to wrap our Credential Provider to provide a combined solution to our customers.

The Vergence Windows 7 solution has to deliver the core functionalities when our Credential Provider is not chosen by the end-user. These core functionalities are:




1. Full SSO solution, including passing on the user's AD credentials to BridgeWorks to sign on to the applications that share the same user credentials as AD.
2. Full context management functionalities.
3. Full Way2Care functionalities except a couple of minor corner cases that are explicitly laid out next.

So what are the functionalities that won't work if the end-user chooses other Credential Providers to log on?

1. AD password reset functionality. If the user does not use our Credential Provider, they won't see the AD password reset button on the logon UI. They have to select our Credential Provider for this functionality.
2. Guest logon. Again, users won't see the guest logon button unless they choose our Credential Provider.
3. Auth-type will be password, because we do not know which method the other Credential Providers use to log the user on. The Auth-factor will be one if the proximity badge/smart card is not used, and two if the badge is used.
4. We can potentially audit logon success events, but not logon failure events.
5. In the Way2Care case, when the user taps the badge, if the badge is not enrolled the user will not see <badge not enrolled> in the user name field. If the badge is enrolled but not in the grace period, the user name field will not be populated with the user's logon id. But if the user logs in successfully, we will track his or her badge. Of course, we are doing this under the rug without the user knowing it, so if there are concerns, we can disable this.

Please note that the Windows 7 logon UI is rendered by a process called LogonUI.exe, which in turn loads all the registered Credential Providers. LogonUI can have two display modes. One is the zoomed-out mode, in which end-users see all the available tiles to choose from. The other is the zoomed-in state, where the selected Credential Provider's fields are presented to the end-user. When Windows 7 is rebooted, the system automatically chooses the zoomed-in mode of the Credential Provider used for the last successful login. Therefore, after Vergence is just installed and rebooted, end-users will not be presented with the Vergence Credential Provider. Instead, the last logged-on Credential Provider will be selected automatically. In order to start using the Vergence Credential Provider, end-users have to explicitly choose it by clicking on the Switch user button and clicking on the Vergence Credential Provider tile (our tile has our logo, so users need to be trained to choose our tile by looking for our logo). As soon as they select our Credential Provider, the system will remember it and select it automatically on the next reboot.

SMART CARD AUTHENTICATION EXPERIENCE

Vergence 4.5 SP3 supports both smart card identification (e.g. NHS card) and smart card authentication (e.g. CAC).

Windows 7 native smart card support requires users to manually click on the switch user button and select the smart card tile to use smart card authentication, unless users are already at the zoomed-out state, in which case the Windows smart card tile will be automatically selected upon card insertion. The Vergence Credential Provider by default will display the password logon UI. However, it automatically switches to the smart card UI upon card insertion, saving the user from clicking on the switch user button and selecting the smart card tile altogether.

Because Windows 7 automatically switches to the Windows smart card tile when it is in the zoomed-out state, it may be desirable to filter out the Windows smart card Credential Provider.

Here is how you do it:

[SAMS]
CredentialProviderFilterCLSID={8bf9a910-a8ff-457f-999f-a5ca10b4a885}

This setting specifies which Credential Providers are filtered out. Multiple Credential Providers are separated by commas (for more details, please see the Admin Configuration Experience section).


WINDOWS 7 MULTI-SESSION (FAST USER SWITCH) EXPERIENCE

One important new feature of Windows 7 is the fast user switch, which allows multiple user sessions to run simultaneously. Users can switch between their running sessions without having to log off other users and log on to their own session. This fast user switch capability extends Vergence's shared workstation model to allow complete personalization of the user sessions.

Therefore, many of our customers who traditionally configure shared workstation mode on their kiosk workstations may choose to deploy Windows 7 in private workstation mode, as long as they do not need applications to run hot between user changes. I want to point out that private workstation mode is more secure than the shared workstation mode, since users do not share the same Windows session and hence are less likely to see one another's context session.

The Vergence 4.5 SP2 release supports the Windows 7 multi-session scenarios with some limitations:

1. Session management. There is no session management in the SP2 implementation. The number of sessions on a workstation can be as many as the users who have used the workstation since the last reboot. As more and more users come to use this workstation, eventually the workstation will run out of memory or CPU cycles. In addition, a user can potentially leave a lot of context sessions running on the vault if he or she has logged on to a lot of workstations. This consumes vault resources as well as workstation resources.
2. Way2Care only allows the user in the active session to unlock the workstation to log on. When a workstation is shared by multiple users, it is expected that any user can access the workstation by tapping their badge, regardless of who was the last user who used and locked the workstation.

In SP3, we will:

1. Log off a disconnected session after ClearContextTimeout. This value is INFINITE by default, but customers can configure this value to something finite.
2. Allow anyone to sign into a locked Windows 7 workstation by tapping his or her badge.

Here is the workflow, assuming the Ctl-Alt-Del screen is disabled (see the Ctr-Alt-Del experience section for more details) and the Vergence Credential Provider is selected:

1. User A locks the workstation.
2. User B taps the badge. If the badge is
   a. within EGP, the user is logged on automatically.
   b. outside of EGP, a new logon dialog box is displayed with the user name filled in.
   c. not enrolled, a new logon dialog box is displayed with <badge is not enrolled> in the user name field.

For complete use cases, see Way2Care use cases.
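The following is an added example, not Vergence code, that models the badge-tap workflow just described for a locked workstation: auto logon within the enterprise grace period (EGP), a logon dialog pre-filled with the user name outside it, and the <badge is not enrolled> placeholder for an unknown badge, plus the automatic enrollment of a badge after a successful manual logon described in the User logon experience section. Badge ids, user names, the grace period length and the enrollment table are constructed for the example; the document does not say whether an automatic logon restarts the grace period, so this model leaves the timer untouched in that case (an assumption).

```python
"""Model of the locked-workstation badge-tap decision (added example, not Vergence code)."""
from dataclasses import dataclass, field

NOT_ENROLLED = "<badge is not enrolled>"   # placeholder shown in the user name field


@dataclass
class BadgeLogonModel:
    egp_seconds: float                                     # enterprise grace period (EGP) length
    enrolled: dict = field(default_factory=dict)           # badge id -> user name (constructed table)
    last_manual_logon: dict = field(default_factory=dict)  # user name -> time of last manual logon

    def within_egp(self, user, now):
        """True if the user logged on manually no more than egp_seconds ago."""
        started = self.last_manual_logon.get(user)
        return started is not None and (now - started) <= self.egp_seconds

    def tap(self, badge_id, now):
        """Decide what the locked workstation does on a badge tap.

        Returns (action, user_name_field): action is "auto_logon" or "prompt",
        and user_name_field is what the logon dialog would show.
        """
        user = self.enrolled.get(badge_id)
        if user is None:
            return "prompt", NOT_ENROLLED     # case c: badge not enrolled
        if self.within_egp(user, now):
            return "auto_logon", user          # case a: within EGP
        return "prompt", user                  # case b: outside EGP, name pre-filled

    def manual_logon(self, badge_id, user, password_ok, now):
        """A user types credentials after tapping badge_id (None if no badge was tapped).

        On success the EGP timer starts and the tapped badge is enrolled to
        that user; a failed logon changes nothing. Auto logons do not pass
        through here, so they leave the timer untouched (assumption).
        """
        if not password_ok:
            return False
        self.last_manual_logon[user] = now
        if badge_id is not None:
            self.enrolled[badge_id] = user
        return True


def run_scenario():
    """Walk two users through the workflow; returns the list of tap outcomes."""
    model = BadgeLogonModel(egp_seconds=600, enrolled={"BADGE-A": "alice"})
    outcomes = []
    outcomes.append(model.tap("BADGE-A", now=0))          # enrolled, never logged on -> prompt
    model.manual_logon("BADGE-A", "alice", True, now=0)   # starts alice's EGP timer
    outcomes.append(model.tap("BADGE-A", now=300))        # inside EGP -> auto logon
    outcomes.append(model.tap("BADGE-A", now=1000))       # EGP expired -> prompt, name filled
    outcomes.append(model.tap("BADGE-B", now=1000))       # unknown badge -> placeholder
    model.manual_logon("BADGE-B", "bob", True, now=1000)  # enrolls BADGE-B to bob
    outcomes.append(model.tap("BADGE-B", now=1100))       # now enrolled and inside EGP
    return outcomes


if __name__ == "__main__":
    for action, shown in run_scenario():
        print(f"{action:10s} user name field: {shown}")
```

The scenario shows the three outcomes in order and the transition an unknown badge makes from the placeholder to auto logon once its owner has logged on manually once.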




WINDOWS 7 SHARED WORKSTATION EXPERIENCE

Because of Windows 7's fast user switch, many customers may configure Authenticator private workstation mode for kiosk workstations. However, there is still a need for the traditional shared workstation model to support run-hot applications between user switches.

The Vergence 4.5 SP2 shared workstation model on Windows 7 was inherited from the XP implementation. There are a few issues with this implementation:

1. Inconsistent user experience: our shared workstation logon dialog box very much mimics the Windows XP logon dialog box, a very different look and feel from the Windows 7 user logon screen.
2. Less secure. In the current shared workstation model, Authenticator.exe protects the screen when the workstation is locked. Because Authenticator.exe is not running in a privileged account, it is prone to various security attacks that compromise the desktop protection.
3. Two separate code paths for the private and shared workstation implementations, and two badge monitors. This one does not have a direct end-user impact, but it causes various inconsistencies in the current behavior due to race conditions, not to mention extra code for us to maintain.

In the SP3 release, shared workstation and private workstation work almost identically. Before we explain how shared workstation mode works, I want to point out one feature of Credential Providers.

When LogonUI.exe loads all the registered Credential Providers, it enumerates all of them for tile information. A Credential Provider can return a tile that is tagged as the auto-logon tile. As we mentioned before, LogonUI.exe auto-selects the Credential Provider that was used for the last successful logon. However, if one of the tiles is tagged as the auto-logon tile, LogonUI.exe will select this tile instead. It will not try to display UI; instead, it simply tries to get the user credentials directly. Our shared workstation model simply takes advantage of this auto-logon feature. Because our Credential Provider returns the auto-logon tile, LogonUI.exe will automatically select us regardless of whether other Credential Providers were previously used.

When the workstation is first rebooted, the Vergence Authenticator Credential Provider auto-logs on to create the security account session, but immediately locks the workstation. The Vergence Credential Provider presents users with the standard locked workstation tile with the username field editable. Any user can type in his or her credentials; the Vergence Credential Provider internally authenticates the user and then returns the security account credentials, ensuring the workstation is unlocked and returns to the security account session.

In order for the shared workstation model to work, a security account has to be created. In addition, it is recommended to disable the switch user button when the workstation is locked via the Windows Group Policy setting HideFastUserSwitching=True. This group policy setting is not required, but highly recommended because, if the user clicks on the switch user button, the user may be logged on to his or her private Windows session, not the security account session.

ADMIN CONFIGURATION EXPERIENCE

A few new Authenticator configuration items are introduced in this release. The following items are new to the Authenticator configuration:




WRAPPED CREDENTIAL PROVIDER

Although the Vergence solution neither requires nor recommends filtering out other Credential Providers in the system, it may be desirable to filter out certain or all other Credential Providers in some cases. For example, to avoid possible confusion, customers may not want their users to see too many Credential Provider tiles to choose from. Although not recommended, Windows 7 does allow Credential Provider vendors to filter out other Credential Providers.

Vergence by default will wrap the Windows password Credential Provider and the Smart card Credential Provider to provide password authentication and smart card authentication. However, Vergence allows customers to specify other 3rd-party Credential Providers to wrap (such as a Biometric Credential Provider). The following settings provide the customization:

[SAMS]
CredentialProviderCLSID = <guid of provider to wrap>

The CredentialProviderCLSID specifies a single CLSID to use instead of what we have built into the product. By default, we wrap the Password Credential Provider unless [ETS_Xyloc] Identification=CAC, in which case we wrap both the Password Credential Provider and the Smart card Credential Provider and switch between them dynamically.

CredentialProviderType = Authentication type of the wrapped Credential Provider.

CredentialProviderFilterCLSID = <guid of provider to be filtered out>, <guid of provider to be filtered out ...>

The CredentialProviderFilterCLSID specifies which CLSIDs are to be filtered out. If nothing is specified, we filter out no providers. There can be multiple entries (guids) as long as they are comma separated.
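The following is an added example, not Vergence code, that parses the [SAMS] settings described here and in the Smart card authentication experience section and checks them for the mistakes an administrator is most likely to make: a malformed CLSID, a duplicate filter entry, and filtering out the very provider that is being wrapped (which would leave the Vergence tile with nothing to delegate to, the same end state as the filter wars the document warns about). The key names and the smart card provider CLSID come from the document; the sample INI texts and the second GUID are constructed.

```python
"""Validator for the [SAMS] Credential Provider settings (added example, not Vergence code)."""
import configparser
import re

# CLSID of the Windows smart card Credential Provider, as given in the document.
SMARTCARD_CP_CLSID = "{8bf9a910-a8ff-457f-999f-a5ca10b4a885}"

# Registry-style braced GUID; hex digits in either case.
_GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.IGNORECASE
)


def parse_sams(ini_text):
    """Return (wrapped CLSID or None, list of filtered CLSIDs) from the [SAMS] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str              # keep key names exactly as written in the file
    cp.read_string(ini_text)
    if not cp.has_section("SAMS"):
        return None, []
    sams = cp["SAMS"]
    wrapped = sams.get("CredentialProviderCLSID", "").strip() or None
    # Filtered providers are comma separated; blank entries are ignored.
    raw = sams.get("CredentialProviderFilterCLSID", "")
    filtered = [g.strip() for g in raw.split(",") if g.strip()]
    return wrapped, filtered


def check_sams(ini_text):
    """Return a list of problems; an empty list means the section is consistent."""
    wrapped, filtered = parse_sams(ini_text)
    problems = []
    for guid in ([wrapped] if wrapped else []) + filtered:
        if not _GUID_RE.match(guid):
            problems.append(f"malformed CLSID: {guid}")
    lowered = [g.lower() for g in filtered]
    if len(set(lowered)) != len(lowered):
        problems.append("duplicate CLSID in CredentialProviderFilterCLSID")
    # Filtering out the provider we wrap leaves nothing to delegate to.
    if wrapped and wrapped.lower() in lowered:
        problems.append("wrapped provider is also listed in CredentialProviderFilterCLSID")
    return problems


# Constructed sample: filter only the Windows smart card provider, as the
# Smart card authentication experience section shows.
GOOD_INI = """[SAMS]
CredentialProviderFilterCLSID={8bf9a910-a8ff-457f-999f-a5ca10b4a885}
"""

# Constructed sample with two defects: the wrapped provider is also filtered,
# and one filter entry is not a GUID. The wrapped GUID is a placeholder value.
BAD_INI = """[SAMS]
CredentialProviderCLSID={11111111-2222-3333-4444-555555555555}
CredentialProviderFilterCLSID={11111111-2222-3333-4444-555555555555}, {not-a-guid}
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_INI), ("bad", BAD_INI)):
        print(name, check_sams(text) or "ok")
```

Comparison is case-insensitive because CLSIDs in the registry are matched that way; the regex accepts either case for the same reason.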

SHARED WORKSTATION

The Shared Workstation model requires the security account to be created and configured. The account credentials should be encrypted in the Authenticator.ini file. For expreSSO, the account should be centrally configured and securely downloaded to the workstation.

The autologon security account can also be configured using the same registry key as XP:

HKLM\software\Microsoft\Windows NT\CurrentVersion\WinLogon\DefaultUserName, DefaultDomainName, DefaultUserPassword. However, make sure AutoAdminLogon is set to false.

If the registry entries exist, they override the Authenticator.ini settings.
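The following is an added example, not Vergence code, that resolves the security account the way this section describes: values under the WinLogon registry key override Authenticator.ini, and AutoAdminLogon must be false. The registry path and the three value names come from the document. The [SecurityAccount] section name and key names in the INI text are assumed (the document only says the credentials live, encrypted, in Authenticator.ini), the registry is represented by a plain dict so the check runs anywhere, and applying the override value by value is an assumption about how "override" is meant.

```python
"""Security account precedence check (added example, not Vergence code)."""
import configparser

WINLOGON_KEY = r"HKLM\software\Microsoft\Windows NT\CurrentVersion\WinLogon"
ACCOUNT_VALUES = ("DefaultUserName", "DefaultDomainName", "DefaultUserPassword")


def resolve_security_account(ini_text, registry_values):
    """Return (account, source, problems).

    account:  dict of the three account values after applying precedence
    source:   "Authenticator.ini", or WINLOGON_KEY if any registry value applied
    problems: list of strings; empty means the configuration is usable
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str      # keep key names exactly as written
    cp.read_string(ini_text)
    # [SecurityAccount] is an assumed section name for the INI side.
    account = dict(cp["SecurityAccount"]) if cp.has_section("SecurityAccount") else {}
    source = "Authenticator.ini"
    for name in ACCOUNT_VALUES:            # registry entries win when present
        if name in registry_values:
            account[name] = registry_values[name]
            source = WINLOGON_KEY
    problems = []
    missing = [name for name in ACCOUNT_VALUES if not account.get(name)]
    if missing:
        problems.append("missing security account value(s): " + ", ".join(missing))
    # Windows stores AutoAdminLogon as the string "1"/"0"; "0", "false" or no
    # value at all counts as false, anything else is a misconfiguration.
    flag = str(registry_values.get("AutoAdminLogon", "0")).strip().lower()
    if flag not in ("0", "false"):
        problems.append("AutoAdminLogon must be set to false")
    return account, source, problems


# Constructed Authenticator.ini fragment; the password value stands in for
# whatever encrypted form the product uses.
INI_TEXT = """[SecurityAccount]
DefaultUserName=kiosk
DefaultDomainName=CLINIC
DefaultUserPassword=<encrypted blob>
"""

# Constructed snapshots of the WinLogon key.
REGISTRY_CLEAN = {"AutoAdminLogon": "0"}
REGISTRY_OVERRIDE = {"DefaultUserName": "kiosk2", "AutoAdminLogon": "1"}

if __name__ == "__main__":
    for reg in (REGISTRY_CLEAN, REGISTRY_OVERRIDE):
        account, source, problems = resolve_security_account(INI_TEXT, reg)
        print(source, account["DefaultUserName"], problems or "ok")
```

The second snapshot shows why the AutoAdminLogon check matters: a registry override that also leaves AutoAdminLogon enabled is reported even though the account itself resolves cleanly.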

In order for the shared workstation model to work correctly, when the workstation is locked users should not click on the switch user button. In Windows 7, the Switch User button can be disabled by the group policy setting HideFastUserSwitching=True. We highly recommend that this group policy be enabled.

Currently, the password reset user credentials are editable in the expreSSO workstation policy Authentication section, but only for private workstations. Moving forward, this is required for both private and shared workstations.




BRIDGEWORKS CONFIGURATION

BridgeWorks.ini should add configuration for the suffix that Authenticator uses to set the user. For details, see the New BridgeWorks functionality section.

Please note that the Windows suffixes in the following places must match (in some cases even the case has to match):

1. Authenticator.ini suffix (default Windows).
2. Advanced page "Set initial user name suffix".
3. User's suffix entry in UMA.
4. BridgeWorks.ini suffix.
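The following is an added example, not Vergence code, that compares the suffix value from each of the four places listed above against the Authenticator.ini value. Because the document says the case has to match in some places, differences in letter case only are reported separately from outright mismatches, so an administrator can tell which kind of fix is needed. The location names follow the list above; the sample values are constructed.

```python
"""Suffix consistency check across the four configuration locations (added example)."""

SUFFIX_LOCATIONS = (
    "Authenticator.ini suffix",
    "Advanced page Set initial user name suffix",
    "User suffix entry in UMA",
    "BridgeWorks.ini suffix",
)


def check_suffixes(suffixes, reference="Authenticator.ini suffix"):
    """Return (mismatches, case_only): location names whose value differs from the reference.

    mismatches: values that differ even ignoring case (always a problem).
    case_only:  values that differ only in letter case (a problem wherever
                the consuming component compares case-sensitively).
    A location missing from the mapping is treated as an empty value.
    """
    ref = suffixes[reference]
    mismatches, case_only = [], []
    for location in SUFFIX_LOCATIONS:
        if location == reference:
            continue
        value = suffixes.get(location, "")
        if value.lower() != ref.lower():
            mismatches.append(location)
        elif value != ref:
            case_only.append(location)
    return mismatches, case_only


# Constructed sample: the UMA entry differs only in case, BridgeWorks.ini is wrong outright.
SAMPLE_SUFFIXES = {
    "Authenticator.ini suffix": "Windows",
    "Advanced page Set initial user name suffix": "Windows",
    "User suffix entry in UMA": "windows",
    "BridgeWorks.ini suffix": "WIN",
}

if __name__ == "__main__":
    bad, case_bad = check_suffixes(SAMPLE_SUFFIXES)
    print("mismatched:", bad)
    print("case differs only:", case_bad)
```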


CTR-ALT-DEL EXPERIENCE

Unlike XP, the Ctl-Alt-Del screen cannot be bypassed programmatically in Windows 7. Therefore, users have to manually enter the key sequence to dismiss the screen. By default, the Ctl-Alt-Del screen is enabled. For the best user workflow, we highly recommend that customers disable the Ctl-Alt-Del screen by disabling the "require Ctl-Alt-Del to logon" group policy.

When the Ctl-Alt-Del screen is visible, the following issues may be present:

1. Badge tap is ignored.
2. In the shared workstation mode, it displays the security account's name, not the authenticated user's name.
3. When the screen saver is on, badge tap is ignored as well.






WAY2CARE USE CASES

These are the Way2Care use cases for the Vergence 4.5 SP3 release. For comparison, we also list the SP2 use cases in Appendix A.

1. At the logon dialog box, regardless of whether there are running sessions or not (Windows 7 private mode may have other sessions running already):

a) When the badge is tapped or a smart card is inserted, if no further action is taken within a timeout, the badge information will be cleared. This means that after the timeout, the user name or anything else displayed in the user name field will be cleared. If the badge has not been enrolled, it can no longer be enrolled. If other CPs are selected, there is no visible change, but the timeout is still enforced.

b) If a badge is tapped and another badge is tapped again within a timeout (a different timeout from the previous one), the second badge will be ignored. Once an RFID badge is tapped, there is a predefined amount of time during which the reader will "hold" the ID before it is cleared and a new badge can be tapped. For the readers by RFIDeas, the LED indicator will go "green" when the badge is seen. During this time an encounter with a different badge will not be seen until the reader LED reverts to "red".

c) When a badge is tapped, if the badge is not enrolled, <badge not enrolled> will be displayed in the user name field. If the user types in a user name and password, the badge will be enrolled automatically after the user is successfully logged on. If other CPs are selected, there is no visible change, but enrollment will be done automatically.

d) If the badge is enrolled, the user name will be populated and the user just has to type in the password to log in. This is the same behavior if EGP is enabled but the grace period has expired, or the user has not yet logged in once. Logging in manually will start the EGP timer after a successful login. If other CPs are selected, there are no user-visible changes, but the EGP timer will be started.

e) If the badge is enrolled and the user name is automatically populated, the user can type in a different user name and password to log in. In this case, if badge transfer is enabled, the badge will be re-enrolled as the new user. Otherwise, the user logs in with an auth-factor of 1. If other CPs are selected, there are no user-visible changes, but the functionality is the same.

f) If EGP is enabled and the badge is enrolled, tapping will automatically log in the user if the badge is within the grace period. The grace period is calculated from the last time the user was authenticated. In Windows 7 private workstation mode, the user session may already be running as the active console session or as a disconnected session. The tap will log the user on to the existing running session regardless of whether the session is currently active or not. This is different from SP2, where only the active console session works.

g) If the user credentials in the EGP blob are invalid, the EGP data on the vault shall be cleared.

h) Optional: if the user logs on without tapping a badge at all, a configurable message will be displayed to inform the user that the badge was not used, but he or she is allowed to access the desktop. In SP2, only shared mode has this feature. In SP3, we should have it, or not have it, for all modes.

i) Note: Whenever a user logs in, in private or shared mode, the user auth-factor should be set to 2 if the card is used, and 1 if the card is not used. User successful/failed login events should be audited.

j) Note: If a user logs on manually, then locks the workstation and unlocks it using his or her badge, the auth-factor will be changed to 2.

k) Note: If a private session is already running, unlocking the workstation will notify UA, but user credentials will not be passed on to UA into context. Therefore, if the user has changed the password somewhere else, the new password is not set into context.

2. At a logged-in workstation, a badge is tapped again or the smart card is removed.

a) Tapping the same badge id of the user (or removing the smart card) who is currently in the active console session: the user session shall be logged off, locked, or ignored, based on the encounter configuration. For the shared workstation, the workstation is always at the console session.

b) Tapping any other badge, even if the badge belongs to a user who is currently logged in but not at the console session, will (depending on configuration):

b.I. be a no-op.

b.II. Lock the original user and log in the new user.

b.III. Log off the original user and log in the new user.

c) A corner case: tapping the same badge that the user logged on with before, but the badge is no longer enrolled or has been transferred to another user, is the same as 2-a).

d) Note1: if the user manually logged on and then inserts the card later, this is a no-op. Removing the card: lock/logoff/no-op depending on configuration. This is a different behavior from SP2.

e) Note2: if the user manually logged on and then taps the badge, same as 2-b).

3. At a locked workstation with the user name on display (the zoomed-in scenario on Windows 7; users may have to manually drive to this state, since a badge may not bring users to the zoomed-in scenario), a badge is tapped or a smart card is inserted:

a) If the badge is for the user who is logged in to the console session:

a.I. If EGP is not enabled or has expired, and the machine is not in the machine grace period, do nothing. No error message box either. The user has to type in the password to log in. After the user logs in manually, restart the EGP timer if EGP is enabled.

a.II. If the badge is within the EGP grace period or the machine grace period, automatically unlock the desktop for the user. This should work regardless of whether there are other running sessions in Windows 7. That is, the other running sessions should not interfere with this behavior.

a.III. If within EGP, but the EGP credentials are invalid, clear the vault EGP data. The machine remains locked.

b) If the badge is for a different user from the one who has the console session:

b.I. The new user will be logged in if it is within his or her EGP period (valid for both private and shared desktop).

b.II. The new user will be presented a logon page with his or her name filled in if enrolled but not within EGP. If other CPs are selected, the logon page will be presented, but the user name will not be filled in.

b.III. For Windows XP, if the badge has user credentials, we will try to log the user in. If the new user is an admin, he or she can log out the previous user and log in. This is Windows behavior.

c) If the badge is not enrolled, the logon page will be presented with the user name field filled with <Badge not enrolled>. If other CPs are selected, the user name field will not be filled.

d) Optional: if the same user unlocks the workstation manually without tapping his or her badge, the user is allowed to do so, but a message will be displayed to inform the user that the badge was not used. A new context change will reset the user's auth-factor to 1.

e) Note1: For smart card, if the machine is locked while the card is still inserted, removing the card will be a no-op.

4. CTRL-ALT-DEL screen. Badge tap may be ignored on Windows 7/XP.

5. Windows 7 private workstation only: at the selection of tiles (zoomed-out scenario), a badge is tapped.

a) If the badge's EGP is enabled and within the grace period, the user of that badge will be logged in to the desktop.

b) If EGP is expired or disabled, the user will be taken to the zoomed-in tile of the Vergence Credential Provider logon dialog box screen, NOT the locked workstation screen. The user name field will be populated with the badge owner's user id or <badge not enrolled>.

c) If the badge is not enrolled, the user will be taken to the zoomed-in tile that has <badge not enrolled> filled in the user name field. The badge will be enrolled after a successful manual login.

d) If EGP is enabled but expired, the EGP timer should be started after the user manually logs in.

6. The screen saver is on and a badge is tapped. Dismiss the screen saver and fall into the logic above. For instance, if after the screen saver is dismissed we find that we are in the 3-b case, then do whatever 3-b indicates.

7. Vergence open desktop mode:

a) When no one is logged on and a badge is tapped, the user is set into context. If an application is configured to auto-launch, this application will be started and automatically signed in as this user.

b) When a user is logged in:

b.I. If the same user taps his or her badge, the user context is set to null (log off). If the application is not configured to run hot, it will be terminated; otherwise, it will be logged off but remain running.

b.II. If a different user taps his or her badge, Vergence can be configured to either do nothing, or log off the previous user in the context, log on the new user, and restart the application automatically as the new user.

8. UAC prompt: Badges will not work for the UAC prompt.

9. Vergence re-authentication should work with a badge. Tapping the badge should not lock the workstation.

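The EGP rules in use cases 1, 3 and 5 above can be reduced to one decision function. The following is an added example written for this document, not code from the Vergence product: the type and field names (BadgeRecord, TapContext, DecideBadgeTap) are assumptions, the inputs stand in for what Event Manager gets from the Vault and the Credential Provider, and the decision covers the not-enrolled, within-grace, expired, invalid-EGP-blob, machine-grace and other-CP-selected cases.

```cpp
// Added example: EGP decision for a badge tap at the logon dialog or locked screen.
// Names and structures are assumptions for illustration, not the product's own types.
#include <cstdint>
#include <iostream>
#include <string>

// What Event Manager knows about the tapped badge (enrollment and EGP data from the Vault).
struct BadgeRecord {
    bool enrolled = false;
    std::string user;            // badge owner, if enrolled
    bool egpEnabled = false;
    bool egpCredsValid = true;   // can the credentials in the EGP blob still be used? (1-g, 3-a.III)
    int64_t lastAuthTime = 0;    // seconds; the grace period counts from the last authentication (1-f)
};

// Where the tap happened.
struct TapContext {
    int64_t now = 0;
    int64_t gracePeriodSec = 0;
    bool workstationLocked = false;    // locked screen (use case 3) vs logon dialog (use case 1)
    bool machineGracePeriod = false;   // only honoured at the locked screen for the console user (3-a.II)
    std::string consoleUser;           // owner of the console session when locked
    bool vergenceTileSelected = true;  // false: another CP is selected, so nothing visible changes
};

enum class TapAction {
    AutoLogon,               // 1-f, 3-a.II, 3-b.I, 5-a
    PromptWithName,          // 1-d, 3-a.I, 3-b.II, 5-b
    PromptBadgeNotEnrolled,  // 1-c, 3-c, 5-c
    PromptUnchanged          // another CP is selected: no visible change, same side effects
};

struct TapDecision {
    TapAction action = TapAction::PromptUnchanged;
    bool clearVaultEgp = false;               // 1-g, 3-a.III
    bool startEgpTimerAfterManualLogin = false; // 1-d, 3-a.I, 5-d
    bool enrollAfterManualLogin = false;      // 1-c
    int authFactor = 2;                       // the card drove this logon (1-i)
};

TapDecision DecideBadgeTap(const BadgeRecord& badge, const TapContext& ctx) {
    TapDecision d;
    auto visible = [&ctx](TapAction a) {
        return ctx.vergenceTileSelected ? a : TapAction::PromptUnchanged;
    };

    if (!badge.enrolled) {
        // Show <badge not enrolled>; a successful manual logon enrolls the badge.
        d.action = visible(TapAction::PromptBadgeNotEnrolled);
        d.enrollAfterManualLogin = true;
        return d;
    }

    const bool withinEgp = badge.egpEnabled &&
                           (ctx.now - badge.lastAuthTime) <= ctx.gracePeriodSec;
    const bool sameUserAsConsole = ctx.workstationLocked && badge.user == ctx.consoleUser;
    const bool withinMachineGrace = sameUserAsConsole && ctx.machineGracePeriod;

    if (withinEgp || withinMachineGrace) {
        if (badge.egpCredsValid) {
            d.action = TapAction::AutoLogon;  // logs on to the running or disconnected session
            return d;
        }
        d.clearVaultEgp = true;               // invalid EGP blob: clear it; workstation stays locked
    }

    // EGP disabled, expired or invalid: the user types the password; restart the timer if EGP is on.
    d.action = visible(TapAction::PromptWithName);
    d.startEgpTimerAfterManualLogin = badge.egpEnabled;
    return d;
}

int main() {
    BadgeRecord badge;                        // constructed sample badge
    badge.enrolled = true; badge.user = "alice"; badge.egpEnabled = true; badge.lastAuthTime = 1000;
    TapContext ctx;
    ctx.now = 1500; ctx.gracePeriodSec = 600;
    std::cout << "auto-logon: " << (DecideBadgeTap(badge, ctx).action == TapAction::AutoLogon) << "\n";
    return 0;
}
```

The same badge record is evaluated identically at the logon dialog and at the locked screen; only the machine grace period depends on where the tap happened, which is why it is gated on `workstationLocked` and on the badge belonging to the console user.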





ARCHITECTURAL DESIGN

Now we are going into a more technical discussion of the Authenticator design. Non-technical readers may skip the rest of the document.

Apart from missing some key features, the current Windows 7 Authenticator design has a few issues:

1. Two hardware event managers per session. Both Credential Provider and Authenticator monitor badge events and act independently. In some corner cases, they do not act in sync. For instance, Credential Provider may just unlock the desktop but Authenticator immediately locks it.

2. Lack of screen saver notification. Screen saver start/stop notifications are currently not monitored. This causes Authenticator to mishandle the screen saver use cases. Basically, when the screen saver is running, from the end-user's point of view it is the same as a locked workstation. But technically the workstation is not locked. Therefore, when a badge is tapped, users expect the workstation to be unlocked, but our software thought the desktop needed to be locked.

3. Lack of state information. Currently, our software does not have the concept of state: workstation locked/unlocked state, screen saver running state, autologon state, etc. Instead, there are many if-statements across the code base trying to do the right thing. This is not very manageable and is error prone.

4. Disabling other Credential Providers. This is not in line with the Windows 7 Credential Provider plugin infrastructure.

5. Unable to capture the user's AD credentials across all use cases, especially for remote logon cases.

In light of the above issues, we propose the improved design of Vergence Authenticator for Windows 7 that contains the following components (in yellow; grey ones are system/other components outside the scope):


[Component diagram (edges labelled Load, Start and Connect): LogonUI.exe; Vergence Credential Provider DLL; Vergence Credential Filter; EventManager.exe; MPNotify.exe; Vergence Credential Manager DLL; Windows service (LocalSystem) with the Vergence RunAsUser Service DLL; BridgeWorks; Authenticator.exe.]

I will explain the functionality of each component next.




COMPONENTS

EventManager.exe

This is the centerpiece of the Authenticator design. EventManager is a standalone process running in each WTS session. It is launched in the WinLogon desktop where the Credential Provider is. This process stays running across the life span of a session. It starts running before users see the logon page. There is one and only one instance of EventManager per session. It is responsible for capturing all system events. Logically, it is a combination of the current SessionManager, Credential Provider and Authenticator identificator. Instead of multiple components monitoring system events, we now have one component responsible for all system events.

EventManager registers and monitors the following events:

1. User logs on/off

2. Workstation locked/unlocked

3. Session disconnected/reconnected

4. Screen saver starts/stops

5. Power management events

6. Badge taps

7. Smartcard inserted/removed

Because EventManager runs across the life span of a session, it is also responsible for storing the user credential cache, communicating with the Way2Care server and acting as the central hub of all communication channels.

Event Manager runs as the LocalSystem account with limited privileges (same as LogonUI.exe).

Because there is one Event Manager per session, and there are multiple sessions per workstation, there are multiple Event Managers on a Windows 7 workstation. However, there will be only one active one: we do not want multiple Event Managers monitoring and tracking badges. Therefore, Event Manager should disable badge tracking and monitoring as soon as it receives the Session disconnected notification.

Also, RFIDeas reader initialization should be done only once after reboot. Therefore, Event Manager should manage an event object that is set after the initialization code runs. Each instance of Event Manager should hold on to this object reference to keep it in memory. Of course, after all the sessions are terminated, this object will be purged from memory as well.

Credential Provider/Credential Filter

These are existing components that manage the user logon UX. Credential Provider wraps the Password and Smart card Credential Providers to provide the basic logon page. Although it can retrieve user credentials, it does not do that. Instead, its job is primarily displaying additional fields for password reset and guest login. Here are the major responsibilities of our Credential Provider:

1. Wrap the Password and Smart card Credential Providers to provide the basic UI.

2. Add password reset and guest logon links to the logon UI.

3. Set itself as the auto-logon tile when it has credentials from Way2Care, or on a shared workstation.

4. Record auth-type and login events for auditing.

In shared workstation mode, however, Credential Provider does two additional things:

1. Always return OS credentials to LogonUI.exe.




2. Modify the locked workstation user name field to make it editable for the shared workstation.

Credential Filter is used to filter out other Credential Providers and is also responsible for retrieving remote credentials via the UpdateRemoteCredential call.

Credential Provider/Filter run in the same session and WinLogon desktop as Event Manager. But their life span is as short as the logon process itself.

Vergence Credential Manager DLL

This is our implementation of a Credential Manager that is used to capture user credentials during the logon process. Note that Credential Manager is notified with logon events whenever LogonUser is called. So it is possible that it gets notifications not related to the OS logon process. Credential Manager is also responsible for returning the logon script that locks the workstation. It is important that it only returns the logon script for the shared workstation logon, not for any other LogonUser calls.

Credential Manager is loaded by MPNotify.exe, which starts on demand whenever LogonUser is called. This process runs in the same session as the caller of LogonUser with full LocalSystem privileges.

Vergence RunAsUser DLL

This module needs to be loaded into a LocalSystem account with full privileges, presumably Vergence Locator. Its responsibility is to launch sbrowser as a configured user.

Authenticator

The Authenticator process runs as the OS user. This process is started by the shell from the startup group. Authenticator plays a very different role in this design from its XP counterpart. It is a proxy to other Vergence components such as Context Manager, expreSSO and Launchpad. Authenticator itself does not authenticate the user nor protect the desktop. It probably should be called Context agent.

Authenticator runs in the user session, which may or may not be the same session as Credential Provider/Event Manager. We will talk more about how they communicate later.

BridgeWorks

BridgeWorks basically works the same way with one additional piece of functionality: retrieve the user credential from EventManager if it is running in a Citrix published application session and AD user credentials are not available from the context. It does not, however, need to set the password into context. Instead, it keeps the password in memory like the other credentials from the context.

BridgeWorks runs in the user session, which may or may not be the same session as Credential Provider/Event Manager. We will talk more about how they communicate later.

COMMUNICATION

Let's discuss how each component communicates with the others.

Because Event Manager is launched by the Credential Provider Filter, which is loaded by LogonUI.exe, Event Manager and Credential Provider will always be running in the same session. Because Credential Manager always runs in the session in which the LogonUser call is made, Credential Manager will be running in the same session as well. All three components also run as the LocalSystem account. How about Authenticator/BridgeWorks? These two components run as the logged-on user account.




In private workstation mode, when a user logs on to a workstation, if this user has not previously logged on to this workstation, the session where the user's desktop is displayed is the same session as the initial logon. In this case, all our components (with the exception of the RunAsUser DLL) are running in the same session. The user can lock and unlock the workstation; as long as the user does not click the Switch User button, the user only sees one session.

In shared workstation mode, it works pretty much like the private workstation case above: the user change is performed on the locked workstation screen, and all the components are running in the same session as well.

Therefore, the communication between our components is limited to the same session, except for the RunAsUser DLL, which will be running in session 0.

However, there are two cases where Authenticator/BridgeWorks may end up in a different session from the rest of the components.

1. Private workstation mode where the user was logged on before. In this case, WTS will connect the active session to the existing session and terminate the current WinLogon session. When this happens, Authenticator cannot communicate with the instance of Event Manager in the terminated WinLogon session. Luckily, they do not need to communicate. What Authenticator/BridgeWorks need are the user credentials. Since this is private mode, the user credentials were already set into context when the session was first created (note a corner case here: if the user changed his or her password somewhere else, the new password won't be set into context). The other thing Authenticator needs is the unlock workstation notification. In this case, the original Event Manager will get the notification and forward it to Authenticator.

2. Shared workstation mode where Switch User is clicked. Whenever Switch User is clicked, a new WinLogon session is created. Therefore, we recommend that customers hide the Switch User button by enabling the group policy HideFastUserSwitching=True.

COMMUNICATION SECURITY

All user credentials are encrypted in a user blob using Authenticator's internal encryption key.

DETAILED DESIGN

COMPONENTS STATE MODEL

The Event Manager and Credential Provider are implemented using the State pattern. The following diagram shows more details about the internal structure/interfaces of the main components. This diagram should not be interpreted literally, but functions as a design guide. Some of the interfaces are preliminary and incomplete. The complete communication interface has yet to be worked out. The fundamental design principle shown here is that Event Manager and Credential Provider go through stages of states. There will be well-defined behavior in each of these states. Each component also has a well-defined interface (communication contract) that other components can call for service.




[Class diagram. SentillionCredentialProvider (loaded by LogonUI.exe; interface SetUsageScenario(), Advise(), UnAdvise(), GetCredentialCount()) with states LoggedOutState, LockedState, CredUIState, AutoLogonState, WrappedLockedState, WrappedLoggedOutState, AutoLogonLockedState, and credential classes WrappedCredential, AutoLogonCredential, SharedWrappedCredential, SharedAutoLogonCredential (attributes CLSID, Type; CLDID: int, AuthType: int). SentillionCredentialManager (loaded by MPNotify.exe; NPLogonNotify, NPPasswordChangeNotify). EventManager (interface GetUserBlob(), SetUserBlob(), OnScreenSaverStart(), OnScreenSaverStop(), UserAuthenticateNotify(), DesktopCleanedNotify(), ReportError(); events SessionLogon, SessionLogoff, SessionLocked, SessionUnlocked, ScreenSaverStart, ScreenSaverStop, SessionDisconnected, SessionReconnected, BadgeTap, SMInsert, SMRemoval; OnBadgeTapped; states SessionUnlockedState, SessionLockedState, SessionDisconnectedState, ScrnSaverUnlockState, ScrnSaverLockState, ReAuthState, OpenDesktopState). SENS is the event source; CredentialProvider, EventManager and CredentialManager are the three components. Association multiplicities (1, *) are not reproduced.]

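To make the state model concrete, the following is an added example written for this document, not the product's code. It models the Event Manager states named in the diagram (SessionUnlocked, SessionLocked, ScrnSaverUnlock, ScrnSaverLock, SessionDisconnected), drives them from the lock/unlock, screen saver and disconnect notifications listed under EventManager.exe, and returns the action a badge tap should produce in each state according to use cases 2, 3 and 6 and to issues 1 to 3 of the Architectural Design section. Class and enum names are assumptions; the handling of a same-user tap while the screen saver runs on an unlocked desktop (dismiss the saver, do not lock) follows the expectation described in issue 2. C++ is used because the components are native Windows code, but the logic itself is portable.

```cpp
// Added example: Event Manager badge-tap handling as a state model (names are assumptions).
#include <iostream>

enum class EmState { SessionUnlocked, SessionLocked, ScrnSaverUnlocked, ScrnSaverLocked, SessionDisconnected };
enum class SameUserPolicy  { Ignore, Lock, Logoff };             // encounter configuration, use case 2-a
enum class OtherUserPolicy { NoOp, LockAndLogin, LogoffAndLogin }; // use case 2-b
enum class Action { None, Ignored, LockWorkstation, LogoffSession, DismissScreenSaver,
                    EvaluateUnlock, LockAndLoginNewUser, LogoffAndLoginNewUser };

class EventManagerStateModel {
public:
    EventManagerStateModel(SameUserPolicy s, OtherUserPolicy o) : same_(s), other_(o) {}

    // The state is derived from the last lock, screen saver and disconnect notifications.
    EmState state() const {
        if (disconnected_) return EmState::SessionDisconnected;
        if (saverOn_) return locked_ ? EmState::ScrnSaverLocked : EmState::ScrnSaverUnlocked;
        return locked_ ? EmState::SessionLocked : EmState::SessionUnlocked;
    }
    // Only the connected session's Event Manager tracks badges (see EventManager.exe above).
    bool badgeTrackingEnabled() const { return !disconnected_; }

    // WTS session messages and SENS notifications.
    void onSessionLocked()       { locked_ = true; }
    void onSessionUnlocked()     { locked_ = false; }
    void onScreenSaverStart()    { saverOn_ = true; }
    void onScreenSaverStop()     { saverOn_ = false; }
    void onSessionDisconnected() { disconnected_ = true; }
    void onSessionReconnected()  { disconnected_ = false; }

    // Badge tap: the action depends on the state, not on scattered if-statements (issue 3).
    Action onBadgeTapped(bool sameUserAsConsole) const {
        switch (state()) {
        case EmState::SessionDisconnected:
            return Action::Ignored;
        case EmState::ScrnSaverUnlocked:
            // Issue 2: the user sees a locked-looking screen but the desktop is not locked,
            // so the expected result is an unlocked desktop: dismiss the saver, do not lock.
            return sameUserAsConsole ? Action::DismissScreenSaver : otherUserAction();
        case EmState::ScrnSaverLocked:
        case EmState::SessionLocked:
            // Use case 6 then use case 3: dismiss the saver if needed, then let the EGP
            // logic decide between auto-unlock and prompting for the password.
            return Action::EvaluateUnlock;
        case EmState::SessionUnlocked:
            return sameUserAsConsole ? sameUserAction() : otherUserAction();  // use case 2
        }
        return Action::None;
    }

private:
    Action sameUserAction() const {
        switch (same_) {
        case SameUserPolicy::Lock:   return Action::LockWorkstation;
        case SameUserPolicy::Logoff: return Action::LogoffSession;
        default:                     return Action::None;
        }
    }
    Action otherUserAction() const {
        switch (other_) {
        case OtherUserPolicy::LockAndLogin:   return Action::LockAndLoginNewUser;
        case OtherUserPolicy::LogoffAndLogin: return Action::LogoffAndLoginNewUser;
        default:                              return Action::None;
        }
    }
    SameUserPolicy same_;
    OtherUserPolicy other_;
    bool locked_ = false, saverOn_ = false, disconnected_ = false;
};

int main() {
    EventManagerStateModel em(SameUserPolicy::Lock, OtherUserPolicy::LockAndLogin);
    em.onScreenSaverStart();   // constructed scenario: saver running on an unlocked desktop
    std::cout << "saver + same user dismisses instead of locking: "
              << (em.onBadgeTapped(true) == Action::DismissScreenSaver) << "\n";
    return 0;
}
```

Because the state is derived from notifications that a single process receives, the two-event-manager race in issue 1 (Credential Provider unlocks, Authenticator immediately locks) cannot occur: there is one decision per tap, taken from one view of the session.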




IDENTITY MATCHING

Event Manager gets the following info from various components:

1. Badge id: reads it itself.

2. Smartcard cert: reads it itself.

3. Login errors and success code from Credential Provider.

4. User name and password from Credential Manager.

5. User name and PIN from Credential Manager.

6. Badge enrollment info from Vault.

7. User EGP data from Vault.

After getting the above data, Event Manager needs to tie things together to produce the following output:

1. If the badge/smart card is not enrolled, it needs to tie the badge id and user credentials together to enroll the badge. Because the badge id and user credentials come from two different sources, how does Event Manager tie them together? If the two events happen within a timeout, we tie them together. This is the same logic we use for XP today with only one difference: in XP, both badge id and user credentials are read within Authenticator/GINA. That difference should not make Event Manager less reliable at identifying the match if Event Manager knows the authentication happens from a Credential Provider. Event Manager knows this because it knows it is in a locked state. Only Credential Provider is accessible by the end-user, and hence it is the only possible source of authentication. This logic assumes that other applications do not call LogonUser while the workstation is locked. That is a reasonable assumption.

2. If the badge/smart card is enrolled, it needs to inform Credential Provider to auto-login (EGP data is available) or display the user name (without EGP data).

3. Notify and send user credentials and auth-factor/auth-type to Authenticator.

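The timeout correlation described in item 1, together with the clearing timeout of use case 1-a and the reader hold time of use case 1-b, can be written as one small correlator. The following is an added example for this document, not the product's code; the class and method names (EnrollmentCorrelator, onBadgeTap, onCredentials) and the two timeouts are assumptions. The locked-state check implements the stated assumption that, while the workstation is locked, the Credential Provider is the only source of a LogonUser call, so credentials reported by Credential Manager in any other state are not tied to a pending badge.

```cpp
// Added example: tie a badge id read by Event Manager to credentials reported by
// Credential Manager when both arrive within a timeout. Names are assumptions.
#include <cstdint>
#include <iostream>
#include <string>

struct Enrollment {
    bool matched = false;   // true when a badge id and credentials were tied together
    std::string badgeId;
    std::string user;
};

class EnrollmentCorrelator {
public:
    // clearTimeoutSec: use case 1-a, after which the badge information is cleared and
    //                  the badge can no longer be enrolled from this tap.
    // readerHoldSec:   use case 1-b, during which a second badge is ignored by the reader.
    EnrollmentCorrelator(int64_t clearTimeoutSec, int64_t readerHoldSec)
        : clearTimeout_(clearTimeoutSec), readerHold_(readerHoldSec) {}

    // Badge id read by Event Manager itself. Returns false if the tap was ignored
    // because the reader is still holding the previous id.
    bool onBadgeTap(const std::string& badgeId, int64_t now) {
        if (pending_ && now - tapTime_ < readerHold_) return false;
        pending_ = true;
        badgeId_ = badgeId;
        tapTime_ = now;
        return true;
    }

    // The badge id still associated with the logon UI, or "" once the clearing timeout passed.
    std::string pendingBadge(int64_t now) {
        if (pending_ && now - tapTime_ > clearTimeout_) pending_ = false;
        return pending_ ? badgeId_ : std::string();
    }

    // Credentials reported by Credential Manager (NPLogonNotify). They are tied to the
    // pending badge only when Event Manager is in a locked/logon state, i.e. the only
    // possible caller of LogonUser is the Credential Provider.
    Enrollment onCredentials(const std::string& user, int64_t now, bool inLockedState) {
        Enrollment e;
        if (!inLockedState) return e;                 // LogonUser from some other program
        if (pendingBadge(now).empty()) return e;      // no badge, or tapped too long ago
        e.matched = true;
        e.badgeId = badgeId_;
        e.user = user;
        pending_ = false;                             // one enrollment per tap
        return e;
    }

private:
    int64_t clearTimeout_;
    int64_t readerHold_;
    bool pending_ = false;
    std::string badgeId_;
    int64_t tapTime_ = 0;
};

int main() {
    EnrollmentCorrelator c(30, 2);                    // constructed timeouts, in seconds
    c.onBadgeTap("badge-0001", 100);                  // constructed badge id
    Enrollment e = c.onCredentials("alice", 110, true);
    std::cout << "enroll " << e.badgeId << " as " << e.user << ": " << e.matched << "\n";
    return 0;
}
```

Once the match is produced, Event Manager would look up the enrollment info from the Vault (item 6 above) and enroll the badge only if it is not already enrolled; that lookup is outside this example.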

COMMUNICATION ADDRESS

We plan to use named pipes as the communication protocol. Because the named pipe namespace is global, we should use a dynamic address to restrict the scope to within a session:

1. The pipe server generates a GUID and saves it in a memory-mapped file. The mapped file is session scoped and can be accessed within the session only. The file name is known to both server and client.

2. The server creates the pipe server endpoint using the GUID as its address.

3. The client application opens the memory-mapped file and reads the GUID.

4. The client application connects to the pipe server using the GUID as the address.


COMMUNICATION CONTRACT




The communication interface is not yet finalized.

BADGE INITIALIZATION

Because the RFIDeas reader won't return a valid badge id during badge initialization, badge initialization should be done only once after reboot. Whenever Event Manager starts, it will try to create an event object. If the object already exists, it simply opens it. Event Manager then initializes the badge reader first and then signals the event. So if the event object was already signaled when an instance of Event Manager starts, it won't try to initialize the reader again.

It is important that Event Manager opens the event object and holds on to its reference to keep it in memory. After all sessions are logged off, the object reference count will go to zero and the object will be deleted.

NEW BRIDGEWORKS FUNCTIONALITY

The only new functionality of BridgeWorks is to retrieve user credentials from Event Manager if all of the following are true:

1. It is launched in a published application session.

2. It gets the user name from the context, but not the password for the Windows suffix. The Windows suffix is configurable. It has to match what Authenticator has configured.

3. The user name in the context matches the user name of the OS.

It should just add the user password to its internal credential cache, not set it into context.

BridgeWorks has to share the same encryption key as Authenticator in order to decrypt the user credentials from Event Manager.

REAUTHENTICATION FUNCTIONALITY

The reauthentication dialog box will be implemented using the CredUI prompt. Therefore, it goes through the same code path as regular logon, which simplifies development.

PASSWORD CHANGE FUNCTIONALITY

Password change will be captured by Credential Manager as well (NPPasswordChangeNotify). For the shared workstation, our Credential Provider should supply the SSO user's name instead of the OS user's name. The changed new password shall be set into context afterwards.


LOGIN AND ENROLLMENT SEQUENCE

The following sequence represents a user logging in with an unenrolled badge, which triggers an automatic badge enrollment process. The diagram depicts a private workstation model. It illustrates how the login and enrollment are accomplished via a series of inter-component communications.




[Sequence diagram. Participants: CredentialProvider, EventManager, CredManager, Authenticator, Vault, System. Message labels as extracted: SetUsageScenario(LOGON); Register; ListenEvents; SetLockState / Locked; BadgeEvent; GetUserBlob -> NULL; Filter(); Start EventManager; ~Filter(); PromptUser; GetSerialization; NPLogonNotify; SetUserBlob; ReportError; ReportError; CacheCred; CacheError; CacheBadge; StartAuthenticator; GetUserBlob; Join; SetUser; SetPassword; LoginEvents; SwitchDesktop; Enroll; BadgeEvent; LsaLogonUser; WM_WTS_SESSION_LOGON; SetUnlockState; LockWorkstation; Filter(); EventMgrStarted? No; Badge unenrolled; Register; UnRegister; Unlocked; RegisterWTSSessionMessage / SENS; WM_WTS_SESSION_LOCK; SetLockedState / Locked.]





UNLOCK PRIVATE WORKSTATION SEQUENCE

The following sequence represents the same user unlocking the workstation.




[Sequence diagram. Participants: CredentialProvider, EventManager, CredManager, Authenticator, Vault, System. Message labels as extracted: SetUsageScenario(UNLOCK); Register; Badge event; SetLocked; SetLocked; GetCredentialCount; Filter(); ~Filter(); GetUserBlob -> UserBlob; EventMgrStarted? Yes; UserBlob; CredentialChanged; AutoLogon = true; GetSerialization; UserCredential; ReportError; ReportError; WM_WTS_SESSION_UNLOCK; LsaCallAuthPack; SetUnlocked; Unlocked; Do Nothing.]




REMOTE LOGIN SEQUENCE

The following sequence represents a user logging on to a remote server. The diagram shows how the remote credentials are passed on to the Credential Provider to achieve auto-logon. In this case, the Vergence Credential Provider will be invoked regardless of whether the user has explicitly chosen it or not, since it is auto-selected (the auto-logon tile is always auto-selected by LogonUI.exe).




[Sequence diagram. Participants: System, CredentialFilter, CredProv, CredManager, AutoLogonCredential, BridgeWorks, EventManager. Message labels as extracted: Filter(); EventMgrStarted? No; UpdateRemoteCredential; ~Filter(); SetUsageScenario; CacheCred; GetCredentialCount; HasCred? Yes; new AutoLogonCredential; AutoLogon = true; GetCredentialAt; return AutoLogonCred; GetSerialization; LsaLogonUser; ReportError; NPLogonNotify; CreateSession; StartBridgeWorks; GetUserBlob; PubAppNoCredInCxt? Yes; Return UserBlob; CacheCred; Start; RegisterWTSSessionMessage / SENS events; Listening; SetUserBlob; GetUserBlob; CacheCred; SetUserBlob; Message 2.]




SHARED WORKSTATION LOGIN SEQUENCE

The following sequence represents a user logging on to a shared workstation for the very first time. The diagram shows how the OS account session is created and then immediately locked, prompting users to enter their credentials. Because the Vergence Credential Provider enables the auto-login tile, it will be auto-selected by LogonUI.exe, regardless of whether end-users have previously selected it or not. In the diagram, we included expreSSO to illustrate that the same design works for both Vergence and expreSSO.

The key design aspects are:

1. Set auto-login using credentials from configuration. This forces the Vergence Credential Provider to be selected automatically.

2. Credential Manager returns a logon script to lock the workstation immediately: RunDll.exe user32.dll,LockWorkstation. The logic to identify that this is the OS account login, rather than another LogonUser call from a program, requires more thought.

3. Vergence Credential Provider changes the user name field to an edit field to allow any user to sign in.

4. After the user enters his/her credentials, Vergence Credential Provider internally authenticates them by calling LogonUser (in this case, Credential Manager should not return a logon script).

5. Credential Manager gets the credentials and sends them to Event Manager.

6. Vergence Credential Provider returns the OS user credentials back to LogonUI.exe.

7. Authenticator retrieves the SSO user credentials from Event Manager.




[Sequence diagram: shared workstation login. Lifelines: CredentialProvider, EventManager, CredManager, Authenticator, Vault, System, expreSSO. Messages visible in the diagram (column order only partly recoverable from the extracted text): SetUsageScenario, Register, GetCredentialCount, SetLocked, Filter(), ~Filter(), EventMgrStarted? No, GetSerialization, OSUserCredential, WM_WTS_SESSION_UNLOCK, LsaCallAuthPack, SetUnlocked, GetOSUserCred, NPLogonNotify(OSUser), SetUsageScenario(UNLOCK), expreSSO UserAuthenticateNotify(UserBlob), UserChangeMessage, DesktopCleanup, DesktopCleaned, ReportError, LoginEvent, SetUser, SetPassword, LogonScript = LockWksta, Start, Listen SENS, AutoLogon = true, LockWorkstation, SetUserFieldAsEditBox, LsaLogonUser(OSUser), User input cred, submit, LogonUser? Success, UserAuthNotify, Start, LogonScript: rundll32.exe user32.dll,LockWorkStation, Register, Start, GetSerialization, NPLogonNotify(SSOUser), LogonScript: none, SetUserBlob, CacheCred, CacheError, Return OSUser, return UserAuthNotify, return UserAuthNotify.]



SHARED WORKSTATION UNLOCK SEQUENCE

The following sequence represents a user unlocking a shared workstation. The sequence is very similar to the private workstation model. The major difference is that instead of returning the authenticated user's credentials back to LogonUI.exe, it always returns the OS user credentials.

This is important because most of the code paths are identical between the shared and private workstation models. This design not only gives end users a consistent UI and workflow, it also simplifies the implementation and testing. One consequence to keep in mind: because the Windows session always belongs to the OS account, the Windows security log attributes activity to that account, and the identity of the SSO user exists only in the Vergence context. The login auditing described in Note 2 of Appendix A is therefore the record of who was actually at the workstation.




[Sequence diagram: shared workstation unlock. Lifelines: CredentialProvider, EventManager, CredManager, Authenticator, Vault, System, expreSSO. Messages visible in the diagram (column order only partly recoverable from the extracted text): SetUsageScenario(UNLOCK), Register, Badge event, SetLocked, GetCredentialCount, Filter(), ~Filter(), GetUserBlob, UserBlob, EventMgrStarted? Yes, UserBlob, CredentialChanged, AutoLogon = true, GetSerialization, OSUserCredential, WM_WTS_SESSION_UNLOCK, LsaCallAuthPack, SetUnlocked, Do Nothing, Set Userfield as EditBox, LogonUser? Success, NPLogonNotify, SetUserBlob, UserAuthenticateNotify, expreSSO UserAuthenticateNotify(UserBlob), UserChangeMessage, DesktopCleanup, DesktopCleaned, ReportError, LoginEvent, SetUser, SetPassword, CacheCred, Return UserAuthNotify, Return UserAuthNotify, UnlockNotify.]



SMART CARD SEQUENCE

The following sequence represents a user unlocking a shared workstation using smart card authentication. The major difference between password authentication and smart card authentication is that Credential Manager captures a user name and PIN instead of a user name and password. But a user name and PIN are not sufficient credentials; the certificate is also needed. The PIN never leaves the workstation as a credential: it only unlocks the private key on the card, and what Windows actually authenticates is the certificate together with a signature produced by the card. The diagram shows how Event Manager reads the certificate directly and matches it with the user name and PIN. How to match them correctly requires more thought.




[Sequence diagram: smart card unlock. Lifelines: CredentialProvider, EventManager, CredManager, Authenticator, SmartCardCP, System. Messages visible in the diagram (column order only partly recoverable from the extracted text): SetUsageScenario, RegisterSENSEvents, Register, SetLockedState Locked, CardInserted, Filter(), Start, GetSerialization, NPLogonNotify(SSOUser), LogonScript: None, ReadCert, CacheCred, SetUnlock, Listen Events, Load(EventMgr), Prompt, Submit, ReportError, UserAuthNotify, UserAuthNotify(UserBlob), UserAuthNotify returns, GetSerialization returns OSUser Credential, WM_UNLOCK_MESSAGE, IsCardInserted? No, LoadPwdCP, UserBlob(SC Info, no EGP), GetUserBlobFromVault, CredentialChanged, SetUsageScenario, GotEGP? No, SetUserBlob, CacheError, LogonUser, UserAuthNotify returns, NPLogonNotify returns success, UnlockNotify.]




INSTALLER

The following components need to be installed:

The following registry keys should be modified:


GLOBALIZATION

If this component design replaces or changes an existing system, describe the existing system to set the stage for the new design.

POLICY COMPLIANCE

Refer to the Check List above for Compliance Items.


DEPENDENCIES

Description for each of the components and teams this feature/component depends on, and also leveraged technologies.


DISCUSSION AND OPEN ISSUES

1. Biometric support: no plan.

2. Smart card authentication: possibly test basic smart card support, leaving specific custom smart card support (CAC, etc.) for future qualification.


APPROVAL

Title        Typed name    Signature    Date
Developer    Joey Wang


APPENDIX A: VERGENCE 4.5 SP2 WAY2CARE USE CASES




1. At the logon dialog box, regardless of whether there are running sessions or not (Windows 7 private mode may have other sessions running already):

a) When the badge is tapped, or a smart card is inserted, and no further action is taken within a timeout, the badge information will be cleared after that timeout. This means that after the timeout the user name, or anything else displayed in the user name field, will be cleared. If the badge has not been enrolled, it can no longer be enrolled.

b) If a badge is tapped and another badge is tapped again within the timeout, the second badge will be ignored. Once an RFID badge is tapped, there is a predefined amount of time the reader will "hold" the ID before it is cleared and a new badge can be tapped. For the readers by RFIDeas, the LED indicator will go "green" when the badge is seen. During this time an encounter with a different badge will not be seen until the reader LED reverts to "red".

c) When a badge is tapped, if the badge is not enrolled, <badge not enrolled> will be displayed in the user name field. If the user types in a user name and password, the badge will be enrolled automatically after the user is successfully logged on.

d) If the badge is enrolled, the user name will be populated and the user just has to type in the password to log in. This is the same behavior if EGP is enabled but the grace period has expired, or the user has not yet logged in once. Logging in manually will start the EGP timer after a successful login.

e) If the badge is enrolled and the user name is automatically populated, the user can type in a different user name and password to log in. In this case, if badge transfer is enabled, the badge will be re-enrolled to the new user. Otherwise, the user logs in with an auth-factor of 1.

f) If EGP is enabled and the badge is enrolled, tapping will automatically log in the user if the badge is within the grace period. The grace period is calculated from the last time the user was authenticated. In Windows 7 private workstation mode, the user session may already be running as the console session; the tap will log the user on to the existing running console session.

g) If the user credentials in the EGP blob are invalid, the EGP data in the vault shall be cleared.

h) For shared mode, if the user logs on without tapping the badge at all, a configurable message will be displayed to inform the user that the badge was not used, but he or she is allowed to access the desktop.

i) Note 1: in Windows 7 private workstation mode, even if there are already logged-in sessions by this user or other users, the login dialog box can still be presented. If the user session has already been established previously, the user will be reconnected to the existing user session. This is the behavior of Windows 7; it has nothing to do with our software.



j) Note 2: Whenever a user logs in, in private or shared mode, the user auth-factor should be set to 2 if the card is used and 1 if the card is not used. Successful user login events should be audited. Failed attempts will be audited for shared workstations only. It is a bug that we cannot audit private workstation failed attempts yet.

k) Note 3: User credentials should be set into context for workstation logins. But for remote desktop, user credentials are not set into context. This is currently a documented known issue.

l) Note 4: If a user is logged on manually, then locks the workstation and unlocks it using his or her badge, the auth-factor will be changed to 2 except in Win7 private mode. (This is a bug and will be addressed later.)

2. At the logged-in workstation, a badge is tapped again or the smart card is removed.

a) Tapping the same badge id of the user (or removing the smart card) who is currently in the console session: the user session shall be logged off, locked, or ignored based on the configuration. For the shared workstation, the console session user is the current SSO user.

b) Tapping any other badge, even if the badge belongs to a user who is currently logged in but not at the console session, will, depending on the configuration, be one of:

b.I. A no-op.

b.II. Lock the original user and log in the new user, unless in private mode.

b.III. Log off the original user and log in the new user, unless in private mode.

c) A corner case: tapping the same badge the user logged on with before, when that badge is no longer enrolled or has been transferred to another user, is the same as 2-a).

d) Note 1: if the user manually logged on and then inserts the card later, no-op. Removing the card, no-op.

e) Note 2: if the user manually logged on and then taps the badge, same as 2-b).

3. At a locked workstation with the user name on display (the zoomed-in scenario on Windows 7; users may have to manually drive to this state, since a badge may not bring users to the zoomed-in scenario), and a badge is tapped or a smart card is inserted:

a) If the badge is for the user who is logged in to the console session:

a.I. If EGP is not enabled or has expired, and the machine grace period is not active, do nothing. No error message box either. The user has to type in the password to log in. After the user does log in manually, restart the EGP timer if EGP is enabled.

a.II. If the badge is within the EGP grace period, or the machine grace period, automatically unlock the desktop for the user. This should work regardless of whether there are other running sessions in Windows 7; that is, the other running sessions should not interfere with this behavior.


a.III. If within EGP, but the EGP credentials are invalid, clear the vault EGP data. The machine remains locked.

b) If the badge is for a different user from the one who has the console session:

b.I. For a shared workstation, the new user will be logged in if it is within his EGP period.

b.II. For a Windows 7 private workstation, do nothing. No error message box, and do not clear the user data in the vault either. We ignore the badge completely.

b.III. For Windows XP, if the badge has user credentials, we will try to log the user in. If the new user is an admin, he or she can log out the previous user and log in. This is Windows behavior.

c) If the badge is un-enrolled, do nothing.

d) For shared mode, if the same user unlocks the workstation manually without tapping his or her badge, the user is allowed to do so, but a message will be displayed to inform the user that the badge was not used. A new context change will reset the user's auth-factor to 1.

e) Note 1: For smart card, if the machine is locked while the card is still inserted, removing the card will be a no-op.

4. CTRL-ALT-DEL screen: badge taps will be ignored on Windows 7/XP.

5. Windows 7 private workstation only: at the selection of tiles (the zoomed-out scenario), a badge is tapped.

a) If badge EGP is enabled and within the grace period, the user of that badge will be logged into the desktop.

b) If EGP is expired or disabled, the user will be taken to the zoomed-in tile of the Vergence Credential Provider logon dialog box screen, NOT the locked workstation screen. The user name field will be populated with the badge owner's user id or <badge not enrolled>.

c) If the badge is not enrolled, the user will be taken to the zoomed-in tile with <badge not enrolled> filled in the user name field. The badge will be enrolled after a successful manual login.

d) If EGP is enabled but expired, the EGP timer should be started after the user manually logs in.

6. Screen saver is on and a badge is tapped: dismiss the screen saver and fall into the logic above. For instance, if after the screen saver is dismissed we find that we are in case 3-b, then do whatever 3-b indicates.

7. Vergence open desktop mode (XP only):

a) When no one is logged on and a badge is tapped, the user is set into context. If an application is configured to auto-launch, this application will be started and automatically signed in as this user.


b) When a user is logged in:

b.I. If the same user taps his or her badge, the user context is set to null (log off). If the application is not configured to run hot, it will be terminated; otherwise it will be logged off but remain running.

b.II. If a different user taps his or her badge, Vergence can be configured to either do nothing, or log off the previous user in the context, log on the new user, and restart the application automatically as the new user.

8. UAC prompt: badges will not work at the UAC prompt.

9. Vergence re-authentication should work with badge.
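The badge-tap rules of cases 1 and 3 above, together with the auth-factor rule of Note 2, as an added example written for this page; it is not code from the Vergence design or from the Authenticator. It models the decisions as pure functions so that each branch (enrolled or not, inside or outside the EGP grace period, invalid EGP credentials, same or different user at the console, shared versus Win7 private mode) can be exercised in isolation. The type and function names (Badge, EgpState, Decision, onTapAtLogonDialog, onTapAtLockedScreen, the machineGraceActive flag) and the timestamps are assumptions; Windows XP behavior (3-b.III) and the zoomed-out case (5) are left out.

```cpp
#include <cstdint>
#include <optional>
#include <string>

// Hypothetical model (not the Authenticator's own code) of the badge-tap rules
// in Appendix A cases 1 and 3 and the auth-factor rule of Note 2.

enum class Mode { Shared, Win7Private };

// What the authenticator does in response to a tap.
enum class Action {
    Ignore,              // no-op, no message box
    PromptNotEnrolled,   // show <badge not enrolled> in the user name field
    PromptPassword,      // populate the user name; the user must type the password
    AutoLogon,           // log the badge owner on
    AutoUnlock,          // unlock the console session for its owner
    ClearEgpData         // EGP credentials invalid: wipe the vault EGP data, stay locked
};

struct Badge {
    std::string id;
    std::optional<std::string> enrolledUser;  // empty when the badge is not enrolled
};

// Enrollment Grace Period (EGP) state kept in the vault for one user.
struct EgpState {
    bool enabled = false;
    int64_t lastAuthTime = 0;      // seconds since epoch of the last successful authentication
    int64_t gracePeriodSecs = 0;
    bool credentialsValid = true;  // false once the cached EGP credentials fail to authenticate
};

struct Decision {
    Action action;
    int authFactor;    // Note 2: 2 when the card is used; 0 means it is decided at manual login
    std::string user;  // account the action applies to (empty when none)
};

// 1f: the grace period is measured from the last successful authentication.
bool withinGrace(const EgpState& egp, int64_t now) {
    return egp.enabled && now >= egp.lastAuthTime &&
           now - egp.lastAuthTime <= egp.gracePeriodSecs;
}

// 1d / 3a.I: a successful manual login (re)starts the EGP timer when EGP is enabled.
EgpState afterManualLogon(EgpState egp, int64_t now) {
    if (egp.enabled) egp.lastAuthTime = now;
    return egp;
}

// Case 1: badge tapped at the logon dialog (1c, 1d, 1f, 1g).
Decision onTapAtLogonDialog(const Badge& badge, const EgpState& egp, int64_t now) {
    if (!badge.enrolledUser) return {Action::PromptNotEnrolled, 0, ""};       // 1c
    const std::string& user = *badge.enrolledUser;
    if (withinGrace(egp, now)) {
        if (!egp.credentialsValid) return {Action::ClearEgpData, 0, user};     // 1g
        return {Action::AutoLogon, 2, user};                                    // 1f
    }
    return {Action::PromptPassword, 0, user};                                   // 1d
}

// Case 3: badge tapped at a locked workstation whose console session belongs to consoleUser.
// egp is the vault state of the badge owner; machineGraceActive is the machine grace period.
Decision onTapAtLockedScreen(Mode mode, const Badge& badge, const std::string& consoleUser,
                             const EgpState& egp, bool machineGraceActive, int64_t now) {
    if (!badge.enrolledUser) return {Action::Ignore, 0, ""};                    // 3c
    const std::string& user = *badge.enrolledUser;
    const bool inEgp = withinGrace(egp, now);
    if (user == consoleUser) {                                                  // 3a
        if (inEgp && !egp.credentialsValid) return {Action::ClearEgpData, 0, user};  // 3a.III
        if (inEgp || machineGraceActive) return {Action::AutoUnlock, 2, user};       // 3a.II
        return {Action::Ignore, 0, user};                                            // 3a.I
    }
    if (mode == Mode::Win7Private) return {Action::Ignore, 0, user};            // 3b.II
    // 3b.I: the spec only requires the new user to be within his EGP period.
    if (inEgp) return {Action::AutoLogon, 2, user};
    return {Action::Ignore, 0, user};
}
```

The same-user and different-user branches deliberately share one grace-period check so that a change to how the grace period is computed (1f) cannot leave the locked-screen path and the logon-dialog path disagreeing; the invalid-credential case (1g, 3a.III) is checked before the auto-logon case so that stale EGP data is cleared rather than retried.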