Pre-installation
You must complete the pre-installation process to ensure that you have the required installation and configuration files for an initial installation. Perform the following steps:
- Log in to SafeNet Trusted Access (STA) as an operator.
- On the STA console, in the top right-hand corner, click the dropdown and select the required virtual server account.
- Click the Applications tab.
- Click Add Application (if no applications are added) or (displayed next to Applications) to add an application. The Add Application window is displayed with a list of available applications.
- Select Windows Logon (from the list of available applications). Enter a Display Name (any custom name can be used) and then click Add.
- Navigate to the Windows Logon application that you created above.
- Under Agent Setup > Language Selection, select your preferred language to be displayed for the agent from the LANGUAGE dropdown.
  Select Custom to apply a language that is not listed in the dropdown. Edit the customized language file custom.json (downloaded from STA) and push it locally via MDM (GPO, Intune, or SCCM).
- Click Next Step.
- [Optional] Under Passwordless Setup, select the Allow passwordless authentication check box to allow the agent to proceed with passwordless-specific configurations and settings.
  Now, under Passwordless Setup, the following passwordless-specific configurations will be available:
  - Server Setup
  - Passwordless authentication settings
- Under Server Setup, click Download Package to download the SafeNet SCEP Adaptor installation package and configuration file.
  The following components will be downloaded:
  - Installation file (SafeNet SCEP Adaptor)
  - Configuration file (Safenet_SCEP_Adaptor_Config_<date>.config file)
  These downloaded files are used to install SafeNet SCEP Adaptor on the IIS server for secure communication between the SafeNet Agent for Windows Logon and SCEP endpoints.
  We recommend keeping both the installation and configuration files in the same folder on the machine where the SCEP service is configured.
- Under Passwordless authentication settings, enter the details in the following fields:
  - SCEP SERVICE URL: Specifies the URL where the SCEP Adaptor is installed. For example, https://<FQDN>/certsrv/mscep/mscep.dll
    where <FQDN> is the Fully Qualified Domain Name (FQDN) of the machine where SafeNet SCEP Adaptor is installed.
  - CERTIFICATE AUTHORITY NAME: Specifies the Root CA that is configured during the deployment of AD CS.
  - ENROLLMENT WINDOW: Specifies the number of days in which the user can enroll for the logon certificate.
    Default: 10
    Range: 1-99
  - RENEWAL WINDOW: Specifies the number of days in which the user can re-enroll for the logon certificate.
    Default: 21
    Range: 1-99
- Click Save And Continue.
  Now, the configuration will be updated successfully.
- Under Download and Deploy, click Install Package to download the SafeNet Agent for Windows Logon installation package and configuration file. You can click HELP DOCUMENTATION to view the WLA documentation.
  The following components will be downloaded:
  - Installation file (SafeNet Authentication Service Agent for Win 8-10-2012-2016 x64.msi)
  - Configuration file (.agent file)
  Once the agent is successfully downloaded, the application Status will change to active on the STA console. You need to refresh the console page to view any change in the setup Status.
  Ensure that you keep both the installation and configuration files in the same folder.
- Install the agent on the client machine using the downloaded files.
  Ensure that you upload the updated .agent file in the WLA management console.
Language Customization
For WLA v4.0.0 and earlier
Administrators can customize the language displayed in WLA locally using the ccl files present in the C:\Program Files\SafeNet\Windows Logon\Languages\en folder (provided in the downloaded package from STA). To do this, make the changes in the ccl files and then push the updated files to the client machine using SCCM, GPO, or Intune.
Also, for Passwordless Windows Logon, to customize the SafeNet Desktop Logon Application, <InstallationDirectory>\Assets\local folder contains the language files, which are the JSON files that can be edited using any text editor. For more details, refer here.
For WLA v4.1.0
With the WLA v4.1.0 release, the ccl files (under C:\Program Files\SafeNet\Windows Logon\Languages\en) and the JSON files (under <InstallationDirectory>\Assets\local) through which the customized messages were displayed in WLA are discarded.
Language selection and customization are now centrally managed. All WLA messages are combined in JSON files under C:\Program Files\SafeNet\Windows Logon\Languages. The Languages folder contains a separate JSON file for each supported language, for example, en.json.
While upgrading or installing the agent, ensure that you take a backup of the ccl files. You need to manually edit the key values in the specific language JSON files to match the previous customization. For detailed information on the key-value pairs, refer to this annexure.
To customize the WLA messages of the supported languages, perform the following steps on the STA management console:
- On the left-hand side bottom corner, click
  .
- Under SETTINGS, click Language Customization. Enable the Language customization toggle button and next to Default language files pack, click Download.
  If language customization is enabled and a customized language file is already uploaded, ensure that you merge the WLA messages (available in the Default language files pack) into the customized language file and upload it again. For the WLA-specific messages, refer to the message key here.
- Now, using any text editor, edit the downloaded sample language file that matches the language selected in the LANGUAGE dropdown in STA. Perform the steps mentioned in thalesdocs.
- Under Custom Language Files, click Upload Language File to upload the updated version of the language file.
Note
- Before uploading an updated version of a specific language file (for example, en.json), ensure to delete the existing version (if any).
- The STA customization JSON file (custom.json) can only accommodate server-supported HTML tags, namely "strong", "b", "h1", "h2", "h3", "h4", "h5", "p", "i", "u", "br", "span", "label".
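The merge step and the tag restriction described above can be checked before a file is uploaded. The following is an added example, not Thales code: it assumes the language file is a flat JSON object mapping message keys to strings, and the key names and message texts in the sample data are constructed.

```python
import json
import re

# Tags the note above lists as accepted by the STA server in custom.json.
ALLOWED_TAGS = {"strong", "b", "h1", "h2", "h3", "h4", "h5",
                "p", "i", "u", "br", "span", "label"}

# Matches an opening, closing or self-closing tag and captures its name.
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)[^<>]*>")


def disallowed_tags(messages):
    """Return {key: sorted tag names} for values using tags outside ALLOWED_TAGS."""
    bad = {}
    for key, value in messages.items():
        if not isinstance(value, str):
            continue
        found = {t.lower() for t in TAG_RE.findall(value)} - ALLOWED_TAGS
        if found:
            bad[key] = sorted(found)
    return bad


def merge_language_files(default_pack, customized):
    """Add keys present only in the default pack; keep existing customized text."""
    merged = dict(customized)
    added = [k for k in default_pack if k not in merged]
    for key in added:
        merged[key] = default_pack[key]
    return merged, sorted(added)


# Constructed sample data; the key names are hypothetical, not real WLA keys.
DEFAULT_PACK = json.loads("""{
  "login.title": "Sign in",
  "wla.otp.prompt": "Enter your <b>passcode</b>",
  "wla.offline.warning": "Offline logon<br/>Limited attempts remain"
}""")
CUSTOMIZED = json.loads("""{
  "login.title": "<h2>Example Corp sign-in</h2>",
  "login.help": "<a href='https://example.invalid'>Help</a> or <script>x()</script>"
}""")

if __name__ == "__main__":
    merged, added = merge_language_files(DEFAULT_PACK, CUSTOMIZED)
    print("keys added from default pack:", added)
    print("values with unsupported tags:", disallowed_tags(merged))
    print(json.dumps(merged, indent=2, ensure_ascii=False))
```

Fix or remove any value reported by `disallowed_tags` before uploading the merged file.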
Enable Passwordless Login
To enable passwordless authentication, enable the Passwordless Logon Policy on STA > Policies.
By default, the global logon policy applies to all the users of a tenant. However, the passwordless logon policy takes precedence over the global logon policy for the group or groups of users for which it is enabled.
Share an application
Sharing the WLA application allows multiple virtual servers to use the same agent and to protect a machine that is shared by users in these virtual servers. To learn how to configure this feature, click here.
- The configuration of the WLA application sharing feature can be done or changed at any point in the lifetime of the agent deployment.
- WLA application sharing works in both online and offline mode.
  To use this feature in offline mode, the user must have logged on online at least once after it is configured.
- This feature does not apply to versions of the agent that are not configured in the Applications tab.
Limitations
- Under Username Format in STA, you can either select username@domain.com or domain.com\username. Accordingly, the user must enter the username in the selected format only while authenticating with WLA.
- If you are configuring WLA application sharing with the realming option in STA, then
  - If username@domain.com format is used to determine the realm in STA, do not select the Strip realm from UPN option in the WLA management console.
  - If domain.com\username format is used to determine the realm in STA, do not select the Strip NetBIOS prefix option in the WLA management console.