Credential Provider
Pointsharp Credential Provider offers 2-factor authentication for Remote Desktop and enables FIDO-based authentication using YubiKey for Windows desktop logon.
Prerequisites
The Pointsharp Credential Provider needs Microsoft Visual C++ Redistributable (x64). This is automatically downloaded during installation. If the server does not have internet access during installation, it needs to be manually downloaded and installed prior to installation of the Credential Provider.
The Credential Provider also needs a Pointsharp ID Server installed and configured with an authentication method to be used with the Credential Provider.
Make sure that you have local administrator access to the server on which you intend to install the credential provider. This is necessary in case you make a configuration error or the computer loses contact with the server, in which case you will need to log on to the ID Server without the Credential Provider to check the configuration or network settings.
Installation
- Run the installer.
- Select installation destination.
- Accept license terms.
- The installer downloads prerequisite software. Agree and click Install.
The files are:
- AMCredentialProvider.reg - Credential Provider
- AMCredentialProviderLang.reg - Language support
- IDServerInterface.reg - Access to ID server
ID Server connection
- Edit IDServerInterface.reg - Access to ID server.
- Modify the value 'WebServicesHostList'. Set ID Server IP/host:
  "WebServicesHostList"="127.0.0.1" (ID server)
- Double-click the file to insert the updated configuration into the Registry Settings on the server.
Test the ID Server connection
Test logging in to the server. If it doesn’t work, try running this directly from the server using the Credential Provider to rule out any access issues.
- Navigate to the 'IDServerInterface' subfolder.
- Execute IDServerInterfaceTest.exe from the command prompt.
Output when the test fails (the web service returned an HTTP error):
IDServerInterface connection test
Configuration:
Url: http://127.0.0.1/api/an
[wsUrl http://127.0.0.1/api/an] HTTP InternalServerError
Output when the Credential Provider reaches the ID Server (the test user is unknown, so the server replies with a Reject, which still shows that communication works):
IDServerInterface connection test
Configuration:
Url: http://127.0.0.1/api/an
PSID server response:
Message: Pointsharp ID rejected user unknownuser.
Reply Code: Reject
Event Code: AUTHN_UNKNOWN_USER
Please check Web Service Logs in Pointsharp ID for more information and to see that the Credential Provider is able to communicate with PSID Server.
SystemLog: C:\Program Files\Pointsharp\AMCredentialProvider\audit.log
Credential Provider
| Make sure to have Authentication Method(s) on ID server. |
- Go to the installation folder. By default this is C:\Program Files\Pointsharp\Credential Provider.
- Locate the file AMCredentialProvider.reg.
- Open it with Notepad using elevated rights.
- Modify the following values depending on the scenario:
  - WebServicesMethodLocal= Enables the credential provider for local logins as well. Be careful with this setting; it is usually not the default setup. Normally you only use WebServicesMethodRemote. Enter the same method as configured in Pointsharp ID Server Admin GUI in tab Authentication. The name is case-sensitive.
  - WebServicesMethodUnlock= This method is used when you want to unlock a locked session, e.g. reset password. Typically, this would be the same as for WebServicesMethodRemote. However, there is an option to use a different method if required. Enter the same method as configured in Pointsharp ID Server Admin GUI in tab Authentication. The name is case-sensitive.
  - WebServicesMethodRemote= This is the default choice and should be the primary choice. If you configure a method here, it will be enabled for RDP sessions to the server, while still allowing local logins on the server as an administrator (or, in the case of a virtual server, login via the virtual). This method should therefore be used by default. In most cases, the same method is also configured for WebServicesMethodUnlock. Enter the same method as configured in Pointsharp ID Server Admin GUI in tab Authentication. The name is case-sensitive.
- To enable WebAuthn/FIDO, modify:
  - WebServicesMethodFIDO= Method
  - WebAuthnOriginURL=https://company.net Set WebAuthnOriginURL in the Credential Provider to match the Relying Party Id configured in PSID Admin GUI > Tokens > FIDO.
How to 'hide' default/inbuild providers
- Edit AMCredentialProvider.reg.
- Navigate to the section Enable Windows Credential Providers or 3rd party Credential Providers.
- Set all "{GUID}"="1" to "0". The providers set to "0" will not be shown.
| Make sure that the Pointsharp Credential Providers work as intended before disabling inbuilt providers! |
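As an added check (not Pointsharp's own tooling), the script below parses an edited .reg file and flags the mistakes the steps above warn about before the file is imported: an Unlock method that differs from the Remote method only in case, a WebAuthnOriginURL that is not an https origin, and built-in providers hidden while no Pointsharp method is configured. The sample .reg content, the host name and the 'OTP-Remote' method name are constructed.

```python
import re
SECTION_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_LOCAL_MACHINE\...]
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')            # REG_SZ lines: "Name"="value"
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")         # "{GUID}"="1"/"0" provider switches

# Constructed sample of an edited AMCredentialProvider.reg (not a real export).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Pointsharp\AMCredentialProvider]
"WebServicesHostList"="idserver.example.test"
"WebServicesMethodLocal"=""
"WebServicesMethodRemote"="OTP-Remote"
"WebServicesMethodUnlock"="otp-remote"
"WebServicesMethodFIDO"="FIDO"
"WebAuthnOriginURL"="http://company.example.test"
"""

def parse_reg(text):
    """Return {key_path: {name: value}} for the string values in a .reg file."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            current = keys.setdefault(m.group(1), {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).replace("\\\\", "\\")  # .reg escapes backslashes
    return keys

def lint(text):
    """Return findings for the settings documented on this page; [] means ready to import."""
    values = {n: v for sec in parse_reg(text).values() for n, v in sec.items()}
    get = lambda name: values.get(name, "").strip()
    remote, local = get("WebServicesMethodRemote"), get("WebServicesMethodLocal")
    unlock, origin = get("WebServicesMethodUnlock"), get("WebAuthnOriginURL")
    findings = []
    if not get("WebServicesHostList"):
        findings.append("WebServicesHostList is empty: no ID Server host configured")
    if not remote:
        findings.append("WebServicesMethodRemote is empty: RDP logons are not protected")
    if local:
        findings.append("WebServicesMethodLocal is set: console logons also go through the ID Server; keep a local admin fallback")
    if unlock and remote and unlock != remote:
        hint = " (differs only in case; method names are case-sensitive)" if unlock.lower() == remote.lower() else ""
        findings.append(f"WebServicesMethodUnlock '{unlock}' != WebServicesMethodRemote '{remote}'{hint}")
    if get("WebServicesMethodFIDO") and not origin.startswith("https://"):
        findings.append("WebAuthnOriginURL must be the https:// origin equal to the FIDO Relying Party Id")
    hidden = [n for n, v in values.items() if GUID_RE.match(n) and v == "0"]
    if hidden and not (remote or local):
        findings.append(f"{len(hidden)} built-in provider(s) hidden but no Pointsharp method set: lock-out risk")
    return findings
```

Run lint() on the saved .reg text and import the file only when it returns an empty list.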
Apply the configurations
- After configuring these values, save and close IDServerInterface.reg and AMCredentialProvider.reg.
- Double-click the files to insert the updated configuration into the Registry Settings on the server.
- Accept the warning prompts.
| You can also manually configure these settings directly in the Registry. The path is: HKEY_LOCAL_MACHINE\SOFTWARE\Pointsharp\AMCredentialProvider |