UniOTP Credential Provider Agent

From SecuTech Wiki


This document details how to install and use the UniOTP Windows Logon Agent. It is intended for end users who want to use UniOTP authentication to log onto their system. The UniOTP Windows Logon Agent integrates the UniOTP dynamic password authentication system with Windows logon. There are two versions of the UniOTP Windows Agent: GINA (Windows 2000, XP) and Credential Provider (Windows Vista, 7, Windows Server 2008). The two are built on different Windows logon architecture models. This document covers the installation and usage of the Credential Provider agent.

Note: UniOTP MGS Win Logon currently does not work with Windows 7 Home Premium and Pro.

Installation

Preparation

Before implementing the UniOTP Windows Logon Agent, please verify the following requirements:

  • The UniOTP authentication server is already configured and running.
  • An active UniOTP account for use with the agent already exists on the server, and the administrator has already used it successfully.
  • The aforementioned account has been bound to the UniOTP device used.

UniOTP Windows Logon Agent Installation

1. Once the UniOTP Windows Distributable Package has been downloaded and extracted, locate the installation file setup.exe inside the package and double-click it to launch the installation.

2. Click on Next in the InstallShield Wizard welcome screen.

installation wizard initial screen

3. Input your User Name and Company Name and click on Next.

inputting user and company name

4. Select Complete and click on Next.

selecting installation type

5. Click on Install to begin installing the agent. When the InstallShield Wizard reports that it has completed successfully, click Finish. The User Management Tool, UniOTPManager, then opens automatically.

UniOTPManager main window

6. Important: add a UniOTP account for this machine now, before exiting this tool. The account added here is a UniOTP account (not a Windows account); if no working UniOTP account is configured on the computer, no user will be able to log into it. Uninstall the UniOTP Windows Logon Agent immediately if an unresolvable error appears in any of the following steps.

'it is dangerous if you do not add a UniOTP account for this computer' message

7. In the UniOTPManager window, click Add to add a UniOTP account to be authenticated with on the computer.

adding new account

8. In the Add Account window, fill in the fields:

  • Account: a valid UniOTP account name;
  • Auth Server: the IP address of the UniOTP authentication server;
  • Port: the service port of that server (default is 1812, the port standardized for RADIUS authentication);
  • Share: the shared key configured on the UniOTP authentication server (handle it like a password; it is what the server uses to trust requests from this machine);
  • Max Wait Time: the number of seconds the computer waits for the server's response before giving up.

9. After the account has been added, and any other additional modifications made, click Apply. The Apply button must be clicked to submit and apply user information.

UniOTPManager new account and authentication server added

10. The dialog box below will appear if updating account information was successful.

'update account information successfully' message

11. Once the UniOTP Windows Authentication Agent is installed and a user has been added, run a two-factor authentication test to confirm that everything works. Select a user in the account list, then click Test.

authentication test on a user account

12. Input the one-time password generated by the corresponding OTP device (if the authentication method is set to OTP+PIN, type the PIN directly after the OTP in the same field), then click OK. If the password is correct, the following dialog is displayed.

'authenticated successfully' message

If the password entered is incorrect, the following dialog will instead be displayed.

'authentication failed' message

13. A popup message reports the result of the UniOTP authentication test. If it failed, use the displayed message to resolve the error. Do not log off, switch user, lock, shut down, reboot, or otherwise interact with Windows user credentials until the authentication test has passed. If the error cannot be resolved, uninstall the UniOTP Windows Logon Agent immediately and keep it uninstalled until the cause has been identified and fixed; otherwise the user will not be able to log back into Windows.

14. Once the two-factor authentication test has completed successfully, the user account is protected by UniOTP authentication: every account bound to UniOTP now also requires the corresponding OTP to log on. To add more users, repeat the procedure from step 7.


Usage

Windows user select screen

1. In the Windows login screen, select a user to log into with.

Windows user login screen

2. In the password field, input the Windows password for the user account to log onto Windows.

3. In the UniOTP Account drop-down list, select the corresponding UniOTP account. In the OTP[PIN] password field, input the one-time password generated by the device. If the authentication method is set to OTP+PIN, the default order is the one-time password immediately followed by the PIN in the same field; ask your administrator how OTP+PIN authentication has been set up.

4. Press Enter or click the arrow button to authenticate.

If the OTP[PIN] password entered is incorrect, the following error will appear.

'error code 13' message

If the OTP[PIN] entered is correct, but the Windows user account password is incorrect, the following error message will appear.

'incorrect password or username' message

If both the Windows password and the OTP[PIN] are accepted, the logon completes. From then on the Windows user account is protected by UniOTP dynamic password authentication and cannot be used without the corresponding OTP device.

Important Remarks

  1. After installing the UniOTP Windows Authentication Agent, if none of the UniOTP user accounts pass the authentication test, uninstall the agent without delay; otherwise no user account on the computer will be able to log in.
  2. If authentication fails repeatedly (more than five consecutive attempts), wait ten minutes before trying again and ask the administrator to inspect the configuration settings. If authentication still fails, ask the administrator to repair your device.
  3. Do not modify or delete the "%SYSTEMROOT%\secuagt_cp.conf" file; it is the configuration file for the UniOTP Windows Authentication Agent. Deleting or altering it may leave the operating system unable to authenticate any user, locking everyone out.