Registry Settings
The management console configuration is stored as registry settings under HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCard\AuthGINA. Some settings, however, are not exposed in the management console for security reasons. The following registry settings are not available in the management console:
Setting | Description | Accepted Values |
---|---|---|
UseProxy | Used to configure the proxy server to connect with STA via proxy, for example, Token Validation Proxy. Note: If you enable this setting, you must also configure ProxyServer. | 1: Enable the proxy server<br>0 (Default): Proxy server is not used |
StripNetBIOS | Determines if a NetBIOS name (DOMAIN\USERNAME) is sent to STA as-is, or if the portion prefixing the username is removed (stripped). | 1: Strips the DOMAIN\ portion from the username when authenticating with STA<br>0 (Default): The agent will not sanitize the username |
IPAddressAPIUrl | Specifies the URL used to get the public IP of the machine, to support network/IP based logon policies as configured in STA. | |
IPAddressFallbackAPIUrl | Specifies a secondary URL (used if the URL in IPAddressAPIUrl fails) to get the public IP of the machine, to support network/IP based logon policies as configured in STA. | |
EnableSSLCertCheck | Used to validate the STA server certificate or the proxy server certificate (if a proxy is used). | 1 (Default): The agent will validate the server certificate<br>0: The agent will not validate the server certificate |
ProxyServer | Used to configure the proxy server IP address or FQDN and its port number. Note: Must be used with the setting 'UseProxy' or 'UseProxyForSPS'. | '1.2.3.4:567' or 'host.domain.name:port' |
ExemptAdmins | Used to exclude local and domain administrators from strong authentication (OTP). | 1 (Default): Local and Domain Administrators are exempted from strong authentication<br>0: All users must use strong authentication |
ProxyPassword | Used to configure the proxy server password. WARNING: The agent uses the key file to encrypt and decrypt the proxy password during operation and therefore assumes the password is propagated from the GPO in encrypted form. To set the password with the GPO, configure this setting on the client machine using the management console, and then retrieve its value from the registry. | |
LocalUserOrGroup_Ex | Used to exclude local groups from STA authentication. When any group is added to this setting through GPO, DomainUserOrGroup_In must be set to "*". | COMPUTERNAME\groupname, COMPUTERNAME\group2: multiple values are separated by a comma (,)<br>%COMPUTERNAME%\groupname: when the GPO settings are pushed to the client machines, the variable (%COMPUTERNAME%) is automatically replaced with the computer name of the respective client machine<br>[ ]: Default |
PrimaryServiceURL | Used to configure the primary STA (or the Token Validation Proxy). | Protocol followed by IP address and port, for example, http://1.2.3.4:8080<br>Protocol followed by FQDN and port, for example, https://server.domain.com |
WindowsPasswordCaching | If enabled, WLA caches the Microsoft password on the first successful user authentication until password expiration or change. Note: This configuration is not applicable to domain administrators. | 1: Users are prompted for OTP only<br>0 (Default): Users are prompted for OTP, then the domain password |
EncryptionKeyFile | Used to set the key file location. | Default: C:\Program Files\SafeNet\Windows Logon\KeyFile\Agent.bsidkey |
GrIDsureTokens | Used to enable the GrIDsure authentication link on the login screen. NOTE: This setting is deprecated as of the v3.7.0 release. | |
WrapCredentialProvider | Specifies the GUID of the credential provider that the agent wraps for two-factor authentication. | {GUID}: the default value is {60b78e88-ead8-445c-9cfd-0b87f74ea6cd} for the V2 credential provider |
LogLevel | Used to configure the client-side log level. | 1: Critical<br>2: Error<br>3: Warning (default)<br>4: Info<br>5: Debug |
PingPrimaryServiceAfterMinutes | Used to configure the time (in minutes) after which the agent attempts to return to its primary STA. | Default: 10 minutes |
AllowRDPWithoutOTP | Used to exclude outgoing RDP (remote desktop) connections from STA authentication. | 1 (Default): STA authentication is not enforced for outgoing RDP<br>0: STA authentication is required for outgoing RDP |
DomainUserOrGroup_In | Used to include domain groups for STA authentication. Note: If you define one or more groups in this setting, you must also set DomainUserOrGroup_Ex and LocalUserOrGroup_Ex to a value of '*'. | [ ]: Not configured<br>DomainName.com\Group Name: Only the provided group must use strong authentication<br>*: All users must use strong authentication |
AllowNetworkPathWithoutOTP | Used to exclude STA authentication when accessing network resources through Windows Explorer. | 1: STA authentication is not enforced when accessing the network resource<br>0 (Default): STA authentication is required when accessing the network resource from outgoing Windows Explorer |
TileFilter | Used to configure the appearance of credential provider tiles during Windows logon. | 0 (Default): All credential tiles presented to the user enforce STA authentication<br>1: Authentication can be performed using STA or third-party credentials, but the Microsoft credential tile is hidden<br>2: Authentication can be performed with third-party or Microsoft credentials, but the STA credential tile is hidden |
LocalUserOrGroup_In | Used to include local users that must use strong authentication (OTP). Note: If you define one or more groups in this setting, you must also set DomainUserOrGroup_Ex to a value of '*'. | [ ]: Not configured<br>ComputerName\Group Name: Only the provided group must use strong authentication<br>%COMPUTERNAME%\groupname: when the GPO settings are pushed to the client machines, the variable (%COMPUTERNAME%) is automatically replaced with the computer name of the respective client machine |
ThirdPartyFilter | Some third-party credential provider software may conflict with the operation of the agent. This registry key restricts such software so that only certain supported software is allowed to work with the agent. | 0 (Default): Allow all applications<br>1: Allow STA compliant applications |
InternetCallTimeOutInSeconds | Specifies the maximum timeout value for authentication requests sent to STA. | Default: 10 seconds |
UseProxyForSPS | Used to connect to the Service Provider Server via the proxy server. | |
NestedDomainGroups | Enable this to improve logon performance if domain groups are not nested inside local groups. | 1: Improves agent performance when domain groups are not nested in local groups<br>0 (Default): Used when domain groups are nested in local groups |
OptionalSecondaryServiceURL | Used to configure the secondary (failover) STA (or the Token Validation Proxy). | Protocol followed by IP address and port, for example, http://1.2.3.4:8080<br>Protocol followed by FQDN and port, for example, https://server.domain.com |
LogFile | Used to configure the client log file path. | Default: C:\Program Files\SafeNet\Windows Logon\Log\AuthGINA-{date}.log |
DomainUserOrGroup_Ex | Used to exclude domain groups from STA authentication. Note: When any group is added to this setting, the DomainUserOrGroup_In entry remains empty. You must set LocalUserOrGroup_In to "*". | [ ]: Not configured<br>DomainName.com\Group Name: Only the provided group is excluded from strong authentication |
ProxyUser | Used to configure the proxy server username used to authenticate to the defined proxy server. Note: Setting 'ProxyUser' assumes that 'ProxyServer' and 'Password' are set, and may also require setting 'UseProxyForSPS' (if applicable). | |
StripUPN | Determines if a UPN (username@domain.com) is sent to STA as-is, or if the portion following the username is removed (stripped). | 1: Strips the @domain.com portion from the UPN when authenticating with STA<br>0 (Default): The agent will not sanitize the username |
CustomLogoBMP | Allows a custom image to be set on the logon screen for compatible credential providers. The customization is not compatible with the Windows V2 credential provider. Note: The custom logo must be a bitmap (.bmp) of 110 x 110 pixels and must be available locally on the client. | Example syntax: C:\Program Files\SafeNet\Windows Logon\customLogo.bmp |
AgentStatus | Used to enable or disable the agent. | 1 (Default): The agent is enabled and displayed at logon<br>0: The agent is disabled (it remains installed and configured but is not used) |
EmergencyPassword | Used to enable or disable the emergency password feature. This applies when the Windows machine is unable to communicate with STA at the time of authentication. | 1 (Default): Emergency Password can be used for authentication<br>0: Emergency Password cannot be used |
DoNotFilter | Allows a view in which third-party credential providers are also displayed. By default, the agent filters out (does not display) other credential providers. | {GUID},{GUID},{GUID} |
CompatibleFilters | Prevents the management console from displaying an Incompatible Filter message. This setting can only be added in the registry if a third-party credential provider is compatible with the agent and can be wrapped successfully. For example, if the SpecOps credential provider is installed on a client machine along with the agent, the management console may display an Incompatible Filter message. To exclude the SpecOps credential filter, add its GUID to the CompatibleFilters list. To add multiple filters, separate them with a comma (,). | {GUID},{GUID},{GUID} |
FilterProcess | Allows applications to be excluded from STA authentication. This setting can only be added in the registry when the agent is installed with default options. For example, to exclude Outlook from using OTP to authenticate, add its executable (outlook.exe) to the FilterProcess list. | |
SetCachingToCurrentUser | Augments the secured storage of a user's cached Microsoft password. This is mostly relevant for shared machine scenarios and is effective only when Enable Microsoft Password Caching is selected in the SafeNet Windows Logon Agent Manager > Policy tab. If it is set to 1, password caching will not work in the following scenarios: access to a network path/resource; outgoing RDP connections from a WLA protected machine; running as a different user to access applications, such as the command prompt. In these cases the user must provide the Microsoft password. All other use cases supported for Microsoft password caching function as expected. This setting takes effect at the next logon. | Default: 0 |
ApplicationId | Specifies the Application ID fetched from the .agent file. | |
ApplicationName | Specifies the application name set in STA (fetched from the .agent file). | |
IssuerUrl | The URL used to get an access token from STA, which is then used to fetch the authenticator list from STA. | |
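The following PowerShell script is an added audit example, not part of the SafeNet documentation or the agent itself: it reads the AuthGINA key described above and reports values that weaken transport security or bypass OTP, and checks the DomainUserOrGroup_In/_Ex and LocalUserOrGroup_Ex consistency rules stated in the table. It assumes the agent is installed and the key path exists; the documented defaults are used for values that are absent.

```powershell
# Added example (not part of the SafeNet documentation): audit the WLA registry
# settings listed above for values that weaken authentication or transport.
# Assumes the agent is installed and the key path from this page exists.
$KeyPath = 'HKLM:\SOFTWARE\CRYPTOCard\AuthGINA'
if (-not (Test-Path $KeyPath)) { throw "Key not found: $KeyPath" }
$cfg = Get-ItemProperty -Path $KeyPath

# Helper: read a value, returning the documented default when it is absent.
function Get-Setting([string]$Name, $Default) {
    if ($null -ne $cfg.$Name) { return $cfg.$Name } else { return $Default }
}
$findings = @()

# Transport: server certificate validation should stay on, and URLs should be HTTPS.
if ((Get-Setting 'EnableSSLCertCheck' 1) -eq 0) {
    $findings += 'EnableSSLCertCheck=0: STA/proxy certificate is not validated'
}
foreach ($u in 'PrimaryServiceURL', 'OptionalSecondaryServiceURL') {
    $url = Get-Setting $u $null
    if ($url -and $url -notmatch '^https://') {
        $findings += "${u}=$url does not use HTTPS"
    }
}

# Exemptions that bypass OTP (defaults taken from the table above).
if ((Get-Setting 'ExemptAdmins' 1) -eq 1) {
    $findings += 'ExemptAdmins=1 (default): local and domain administrators skip OTP'
}
if ((Get-Setting 'AllowRDPWithoutOTP' 1) -eq 1) {
    $findings += 'AllowRDPWithoutOTP=1 (default): outgoing RDP does not require OTP'
}
if ((Get-Setting 'AllowNetworkPathWithoutOTP' 0) -eq 1) {
    $findings += 'AllowNetworkPathWithoutOTP=1: network paths opened without OTP'
}
$fp = Get-Setting 'FilterProcess' $null
if ($fp) { $findings += "FilterProcess excludes processes from OTP: $fp" }

# Group-scoping rule from the table: DomainUserOrGroup_In with explicit groups
# requires DomainUserOrGroup_Ex and LocalUserOrGroup_Ex to be set to '*'.
$dIn = Get-Setting 'DomainUserOrGroup_In' ''
if ($dIn -and $dIn -ne '*') {
    foreach ($ex in 'DomainUserOrGroup_Ex', 'LocalUserOrGroup_Ex') {
        if ((Get-Setting $ex '') -ne '*') {
            $findings += "DomainUserOrGroup_In is group-scoped but $ex is not '*'"
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it in an elevated PowerShell session on the client; each FINDING line names the setting to review against the table above.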