Credential Provider

Pointsharp Credential Provider offers 2-factor authentication for Remote Desktop.

Prerequisites

The Pointsharp Credential Provider needs Microsoft Visual C++ Redistributable (x64). This is automatically downloaded during installation. If the server does not have internet access during installation, the redistributable must be downloaded and installed manually before the Credential Provider is installed.

The Credential Provider also needs a Pointsharp ID Server installed and configured with an authentication method to be used with the Credential Provider.

Make sure you have local administrator access to the server you intend to install the Credential Provider on. This is needed in case you configure something wrong, or the computer loses contact with the Pointsharp ID Server, and you need to log on to the server without the Credential Provider to check the configuration or network settings.

Installation

  1. Start the Pointsharp Credential Provider.

  2. Select installation destination.

  3. Accept license terms.

  4. The installer downloads prerequisite software. Agree and click Install.

Configuration steps

  1. Go to the installation folder. By default this is: C:\Program Files\PointSharp\Credential Provider.

  2. Locate a file named CredentialProvider.req.

  3. Open with Notepad using elevated rights.

  4. Configure the desired values.

  5. After configuration of these values, save and close the CredentialProvider.req.

  6. Double-click the file to insert the updated configuration into the Registry Settings on the server.

  7. Accept the warning prompts.

You can also manually configure these settings directly in the Registry. The path is:

HKEY_LOCAL_MACHINE\SOFTWARE\PointSharp\CredentialProvider

Configurable values

SystemLog

Enter the path to store log files. For example: C:\\Program Files\\PointSharp\\CredentialProvider.log

WebServicesURL

Enter the URL of the Pointsharp ID Server, replacing “localhost”. Example: http://ps-server.local.net/api/an

WebServicesMethodLocal

This is only used when you want the Credential Provider to be used even on local logins. Be careful with this setting. Normally you only use the “WebServicesMethodRemote”. Enter the authentication method configured in Pointsharp ID Admin GUI under the tab “Authentication”. The name is case-sensitive.

WebServicesMethodRemote

This is used when you want the Credential Provider to be used for remote logins and is the standard choice. Enter the authentication method configured in Pointsharp ID Admin GUI under the tab “Authentication”. The name is case-sensitive.

WebServicesMethodUnlock

This is used when you want the Credential Provider to be used for unlocking a locked session. Enter the authentication method configured in Pointsharp ID Admin GUI under the tab “Authentication”. The name is case-sensitive.

WebServicesUserId

Enter username needed for WebServices if this is configured on the IIS on the Pointsharp ID Server. Leave as is if not used.

WebServicesPassword

Enter password needed for WebServices if this is configured on the IIS on the Pointsharp ID server. Leave as is if not used.

WebServicesDomain

Enter the domain needed for WebServices if this is configured on the IIS on the Pointsharp ID server. Leave as is if not used.

IP4ExcludeRemote

Here you can enter IP-ranges that should not demand the Credential Provider – for example internal IP-ranges. This feature is not recommended for production purposes since the IP range can be spoofed.

SSL & TLS support

At the bottom of the file you have the option to enable or disable SSL and TLS protocols.
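
The cautions in the value descriptions above can be checked once the settings have been imported. The following PowerShell is an added example, not part of the Pointsharp product or its documentation. It assumes every value is stored as a string under the registry key named on this page and treats any non-empty value as configured (placeholder defaults shipped in the file are not known here); the sample values are constructed.

```powershell
# Added example: review Credential Provider settings against the cautions on this page.
# Assumptions: values are strings; any non-empty value counts as configured.
$KeyPath = 'HKLM:\SOFTWARE\PointSharp\CredentialProvider'

function Test-CredentialProviderConfig {
    param([Parameter(Mandatory)] [hashtable] $Settings)
    $findings = [System.Collections.Generic.List[string]]::new()
    $url = [string]$Settings['WebServicesURL']
    $uri = $null
    if ([string]::IsNullOrWhiteSpace($url)) {
        $findings.Add('WebServicesURL is empty.')
    } elseif (-not [uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) {
        $findings.Add("WebServicesURL is not an absolute URL: $url")
    } else {
        if ($uri.Host -eq 'localhost') {
            $findings.Add('WebServicesURL still points to localhost.')
        }
        if ($uri.Scheme -ne 'https') {
            $findings.Add("WebServicesURL uses '$($uri.Scheme)': traffic to the ID Server is not protected by TLS.")
        }
    }
    if ([string]::IsNullOrWhiteSpace([string]$Settings['WebServicesMethodRemote'])) {
        $findings.Add('WebServicesMethodRemote is empty: remote logins have no method configured.')
    }
    if (-not [string]::IsNullOrWhiteSpace([string]$Settings['WebServicesMethodLocal'])) {
        $findings.Add('WebServicesMethodLocal is set: the provider also applies to local logins.')
    }
    if (-not [string]::IsNullOrWhiteSpace([string]$Settings['IP4ExcludeRemote'])) {
        $findings.Add("IP4ExcludeRemote is set ($($Settings['IP4ExcludeRemote'])): these ranges skip the provider.")
    }
    return $findings
}

# Constructed sample values (not from a real server) so the check runs offline.
$sample = @{
    WebServicesURL          = 'http://localhost/api/an'
    WebServicesMethodRemote = 'ExampleMethod'   # hypothetical method name
    WebServicesMethodLocal  = ''
    IP4ExcludeRemote        = '10.0.0.0/8'      # constructed; value format is an assumption
}
Test-CredentialProviderConfig -Settings $sample

# On a server with the provider installed, check the live registry values instead.
if (Test-Path $KeyPath) {
    $live = @{}
    (Get-ItemProperty -Path $KeyPath).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { $live[$_.Name] = $_.Value }
    Test-CredentialProviderConfig -Settings $live
}
```

With the constructed sample, the function reports the localhost URL, the non-TLS scheme and the IP exclusion.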

Installation completed / Troubleshooting

The installation and configuration are now complete. You will now be prompted for an OTP when logging in.

If you get authentication messages, this can be due to the following reasons:

  • Missing user in PSID

  • Incorrect authentication method in PSID Admin

  • Missing mobile attribute if SMS is used.

Please check Web Service Logs in Pointsharp ID for more information and to see that the Credential Provider is able to communicate with PSID Server.