Preparation

Enable Agent Registration

The DualShield Windows Logon Agent is a DualShield authentication agent. For an authentication agent to be able to connect to the authentication server, the agent must be registered in your authentication server.

For security purposes, the agent registration function is disabled by default. You need to enable the Agent Auto Registration function in your DualShield authentication server.

In the DualShield Management Console, select “Authentication | Agents” and press the “Auto Registration” button on the toolbar:

You may want to enable the “Check IP” option for extra security. If this option is enabled, then in the “IP Address” field you must enter the IP address of the machine where the Windows Logon Agent is to be installed.

Create Logon Procedure

The Logon Procedure dictates the authentication methods used to log on to Windows. For this example we will simply use One-Time Password.

Go to Authentication>Logon Procedure


Click Create at the top.

Make sure Type is set to Windows

Click on the drop down arrow next to the newly created Logon Procedure and choose Logon Steps from the menu

Select One-Time Password as the authenticator

Create Application

Go to Authentication>Applications


Click Create at the top

Bind the Realm you wish to use for this application and select the Logon Procedure you created in the previous step.

Installation

To install the DualShield Windows Logon Agent, launch the installer SetupDSAgent.xxxx.exe and go through the following steps:

  1. Welcome
  2. License Agreement
  3. Installation Path
  4. Install GINA or Credential Provider
  5. Import Agent Configure File
  6. Installing
  7. Connect to Authentication Server
  8. Installation Completed

Step 1: Welcome

Step 2: License Agreement

Step 3: Installation Path

Step 4: Install GINA or Credential Provider

Enable the option “Enable multi-factor authentication on this machine” only if you wish to protect the server machine on which the Windows Logon Agent is being installed. Otherwise, do not check this option.

Enable the option “Protect local computer logon with multi-factor authentication” only if the server machine on which the Windows Logon Agent is being installed is a terminal server and you want to add two-factor authentication to the logon to the local machine.

Step 5: Agent Registration

Check the FQDN and Port number of your DualShield Server. Change them if necessary. The default port of DualShield server is 8071.
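A pre-flight check for this step, as an added example that is not part of the original guide or Deepnet's tooling: run on the machine that will host the agent, it confirms the server FQDN resolves and the port accepts TCP connections, and reports the local source address used, which is a candidate for the “IP Address” field of the “Check IP” option. The FQDN `dualshield.example.com`, the function name and the timeout are placeholders; the port default 8071 is taken from this guide.

```powershell
# Added example (not vendor code). Run on the future agent machine.
param(
    [string]$ServerFqdn = 'dualshield.example.com',  # placeholder: your DualShield server FQDN
    [int]$Port = 8071,                               # default DualShield server port per this guide
    [int]$TimeoutMs = 3000                           # assumed timeout, adjust as needed
)

function Test-DualShieldReachability {               # hypothetical helper name
    param([string]$Fqdn, [int]$Port, [int]$TimeoutMs)

    $result = [ordered]@{
        Server = $Fqdn; Port = $Port
        ResolvedAddresses = @(); Reachable = $false
        LocalSourceIp = $null; Error = $null
    }

    # 1. The FQDN entered in the installer must resolve from this machine.
    try {
        $result.ResolvedAddresses = @([System.Net.Dns]::GetHostAddresses($Fqdn) |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        $result.Error = "DNS resolution failed: $($_.Exception.GetBaseException().Message)"
        return [pscustomobject]$result
    }

    # 2. The server port must accept a TCP connection (IPv4 socket).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if ($client.ConnectAsync($Fqdn, $Port).Wait($TimeoutMs) -and $client.Connected) {
            $result.Reachable = $true
            # 3. Local address this machine used to reach the server. If NAT or a
            #    proxy sits in between, the server sees a different address and
            #    that one is what "Check IP" will compare against.
            $result.LocalSourceIp = $client.Client.LocalEndPoint.Address.IPAddressToString
        } else {
            $result.Error = "TCP connect timed out after $TimeoutMs ms"
        }
    } catch {
        $result.Error = "TCP connect failed: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

Test-DualShieldReachability -Fqdn $ServerFqdn -Port $Port -TimeoutMs $TimeoutMs | Format-List
```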

Step 6: Installing...

Step 7: Connect to Authentication Server

Upon successful installation, the installer launches the DualShield Windows Logon Manager, which enables you to connect the agent to the authentication server.

In the “Application” field, it displays “Click here to select”.

At this point, the agent has been successfully installed and registered with the DualShield server. It is waiting for an application to be published on this agent.

Log back into the Management Console and go to Authentication>Agents

You will find the newly installed Windows Logon Agent:


Click on the drop down arrow to the right of the new Windows Logon Agent and select the Application you created in the preparation steps.

Click Save.

Finish Installation

Switch back to the Windows Logon Manager on the agent machine, click the "Application" dropdown list and select the application to be connected.

Select "File | Save" or click the save button in the toolbar to save the settings.

Finally, select "File | Exit" to exit the Windows Logon Manager.

Step 8: Installation Completed

Once the server is rebooted, the Windows Logon page will be replaced by Deepnet's Logon Screen.

If a user is not required to log on with two-factor authentication, the Authenticator field will be disabled and the user can continue to log on as usual by entering only the user name and AD password.

To enable two-factor authentication for users, please refer to the Windows Logon Administration Guide.