Credential Provider

Pointsharp Credential Provider offers 2-factor authentication for Remote Desktop and enables FIDO-based authentication using YubiKey for Windows desktop logon.

Prerequisites

The Pointsharp Credential Provider needs Microsoft Visual C++ Redistributable (x64). This is automatically downloaded during installation. If the server does not have internet access during installation, it needs to be manually downloaded and installed prior to installation of the Credential Provider.

The Credential Provider also needs a Pointsharp ID Server installed and configured with an authentication method to be used with the Credential Provider.

Make sure that you have local administrator access to the server on which you intend to install the credential provider. This is necessary in case you make a configuration error or the computer loses contact with the server, in which case you will need to log on to the ID Server without the Credential Provider to check the configuration or network settings.

Installation

  1. Run the installer.

  2. Select installation destination.

  3. Accept license terms.

  4. The installer downloads prerequisite software. Agree and click Install.

The configuration files are:

  • AMCredentialProvider.reg - Credential Provider

  • AMCredentialProviderLang.reg - Language support

  • IDServerInterface.reg - Access to ID server

ID Server connection

  1. Edit IDServerInterface.reg - Access to ID server.

  2. Modify the value 'WebServicesHostList'. Set it to the ID Server IP address or host name.

    "WebServicesHostList"="127.0.0.1" (ID server)

  3. Test the ID Server connection.

    1. Navigate to 'IDServerInterface' subfolder.

    2. Execute IDServerInterfaceTest.exe from the command prompt.

Example 1. When IP/host could not be reached

IDServerInterface connection test

Configuration:

Url: http://127.0.0.1/api/an

[wsUrl http://127.0.0.1/api/an] HTTP InternalServerError

Example 2. Part of example reply when connection is OK

IDServerInterface connection test

Configuration:

Url: http://127.0.0.1/api/an

PSID server response:

Message: Pointsharp ID rejected user unknownuser.

Reply Code: Reject

Event Code: AUTHN_UNKNOWN_USER

Credential Provider

Make sure that at least one Authentication Method is configured on the ID Server.

  1. Go to the installation folder. By default, this is: C:\Program Files\Pointsharp\AMCredential Provider.

  2. Locate the file AMCredentialProvider.reg.

  3. Open with Notepad using elevated rights.

  4. Modify the following values depending on scenario:

    • "WebServicesMethodLocal"="Empty or desired Method"

    • "WebServicesMethodUnlock"="Empty or desired Method"

    • "WebServicesMethodRemote"="Empty or desired Method"

  5. To enable webauthn/FIDO, modify:

    • "WebServicesMethodFIDO"="Method"

    • "WebAuthnOriginURL"="https://company.net"

      Set WebAuthnOriginURL in the Credential Provider to match the Relying Party Id configured in PSID Admin GUI > Tokens > FIDO.

How to 'hide' default/inbuilt providers

  1. Edit AMCredentialProvider.reg

  2. Navigate to section Enable Windows Credential Providers or 3rd part Credential Providers.

  3. Set all "{GUID}"="1" to "0". The providers set to "0" will not be shown.

Make sure that the Pointsharp Credential Providers work as intended before disabling inbuilt providers!

Additional info

"TxInputPassword"="Password"
"TxInputPasswordNew"="New Password"
"TxInputPasswordConfirm"="Confirm Password"
"TxInputOTP"="One-Time password"
"TxInputFIDOPin"="Security Key PIN"
"TxButtonSubmit"="Submit"

Apply the configuration

  1. After configuration of these values, save and close the AMCredentialProvider.reg.

  2. Double-click the file to insert the updated configuration into the Registry Settings on the server.

  3. Accept the warning prompts.
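Before importing the edited file, a read-only check of what it will change can catch a blank method, an unusable FIDO origin, or a provider hidden by mistake. The script below is an added example, not Pointsharp code; it assumes the file holds plain "Name"="Value" string lines under [HKEY_...] section headers as shown on this page, and the -RegFile parameter name is hypothetical.

```powershell
# Added example, not Pointsharp code. Read-only: parses the .reg file, changes nothing.
# Assumes plain "Name"="Value" string lines under [HKEY_...] section headers.
param(
    [Parameter(Mandatory)][string]$RegFile   # hypothetical parameter: path to AMCredentialProvider.reg
)

$section   = ''
$values    = @{}                                            # setting name -> value
$providers = New-Object System.Collections.Generic.List[object]

foreach ($raw in Get-Content -LiteralPath $RegFile) {
    $line = $raw.Trim()
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($line -match '^"(?<name>[^"]+)"="(?<value>.*)"$') {
        $name, $value = $Matches['name'], $Matches['value']
        if ($name -match '^\{[0-9A-Fa-f-]{36}\}$') {
            # "{GUID}"="1" keeps a provider on the logon screen, "0" hides it
            $providers.Add([pscustomobject]@{ Guid = $name; Shown = ($value -eq '1'); Section = $section })
        } else {
            $values[$name] = $value
        }
    }
}

# Method per logon scenario; an empty value means none is set for that scenario
foreach ($key in 'WebServicesMethodLocal', 'WebServicesMethodUnlock',
                 'WebServicesMethodRemote', 'WebServicesMethodFIDO') {
    $state = if ([string]::IsNullOrWhiteSpace($values[$key])) { '(empty)' } else { $values[$key] }
    '{0,-24} {1}' -f $key, $state
}

# With FIDO enabled the origin must be usable; WebAuthn origins are https in general
if (-not [string]::IsNullOrWhiteSpace($values['WebServicesMethodFIDO'])) {
    $origin = $null
    $isUri  = [uri]::TryCreate([string]$values['WebAuthnOriginURL'], [UriKind]::Absolute, [ref]$origin)
    if (-not $isUri -or $origin.Scheme -ne 'https') {
        Write-Warning "WebAuthnOriginURL '$($values['WebAuthnOriginURL'])' is not an absolute https URL."
    }
}

# Providers that disappear from the logon screen once the file is imported
$hidden = @($providers | Where-Object { -not $_.Shown })
'{0} of {1} listed providers will be hidden after import' -f $hidden.Count, $providers.Count
$hidden | ForEach-Object { '  hidden: {0}  [{1}]' -f $_.Guid, $_.Section }
if ($hidden.Count -gt 0) {
    Write-Warning 'Confirm a Pointsharp logon works and local administrator access exists before importing.'
}
```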

You can also manually configure these settings directly in the Registry. The path is:

HKEY_LOCAL_MACHINE\SOFTWARE\Pointsharp\AMCredentialProvider

Please check Web Service Logs in Pointsharp ID for more information and to see that the Credential Provider is able to communicate with PSID Server.

SystemLog: C:\\Program Files\\Pointsharp\\AMCredentialProvider\\audit.log