Enable Agent Registration
The DualShield Windows Logon Agent is a DualShield authentication agent. For an authentication agent to be able to connect to the authentication server, the agent must be registered in your authentication server.
For security reasons, the agent registration function is disabled by default. You need to enable the Agent Auto Registration function in your DualShield authentication server.
In the DualShield Management Console, select “Authentication | Agents” and press the “Auto Registration” button on the toolbar:
You may want to enable the “Check IP” option for extra security. If this option is enabled, then in the “IP Address” field you must enter the IP address of the machine where the Windows Logon Agent is to be installed.
Create Logon Procedure
The Logon Procedure dictates the authentication methods used to log on to Windows. For this example we will simply use One-Time Password.
Go to Authentication>Logon Procedure.
Click Create at the top.
Make sure Type is set to Windows.
Click on the drop-down arrow next to the newly created Logon Procedure and choose Logon Steps from the menu.
Select One-Time Password as the authenticator.
Go to Authentication>Applications.
Click Create at the top.
Bind the Realm you wish to use for this application and select the Logon Procedure you created in the previous step.
To install the DualShield Windows Logon Agent, launch the installer SetupDSAgent.xxxx.exe and go through the following steps:
- License Agreement
- Installation Path
- Install Gina or Credential Provider
- Import Agent Configure File
- Connect to Authentication Server
- Installation Completed
Step 1: Welcome
Step 2: License Agreement
Step 3: Installation Path
Step 4: Install GINA or Credential Provider
Enable the option “Enable multi-factor authentication on this machine” only if you wish to protect the server machine on which the Windows Logon Agent is being installed. Otherwise, do not check this option.
Enable the option “Protect local computer logon with multi-factor authentication” only if the server machine on which the Windows Logon Agent is being installed is a terminal server and you want to add two-factor authentication to the logon to the local machine.
Step 5: Agent Registration
Check the FQDN and Port number of your DualShield Server. Change them if necessary. The default port of DualShield server is 8071.
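Before entering these values, you can confirm from the agent machine that the server name resolves and the port is reachable. The following PowerShell script is an added example, not part of the DualShield product or its documentation; the server name is a placeholder, and it assumes there is no NAT or proxy between the agent and the server, in which case the local address it reports is the one to compare against the “IP Address” field if the “Check IP” option is enabled.

```powershell
# Added example: pre-flight check, run on the machine where the agent will be installed.
# The server name below is a placeholder; 8071 is the default port stated in this guide.
param(
    [string]$ServerFqdn = 'dualshield.example.internal',  # placeholder, replace with your server FQDN
    [int]$Port = 8071,
    [int]$TimeoutMs = 5000
)

function Test-DualShieldReachability {
    param([string]$ServerFqdn, [int]$Port, [int]$TimeoutMs)

    $result = [ordered]@{
        Server = $ServerFqdn; Port = $Port; Resolved = @()
        Connected = $false; LocalAddress = $null; Error = $null
    }

    # 1. The FQDN must resolve, otherwise the agent cannot find the server.
    try {
        $result.Resolved = @([System.Net.Dns]::GetHostAddresses($ServerFqdn) |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        $result.Error = "DNS resolution failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. Open a TCP connection to the server port with a bounded wait.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($ServerFqdn, $Port)
        if ($task.Wait($TimeoutMs) -and $client.Connected) {
            $result.Connected = $true
            # 3. Source address this machine used to reach the server.
            #    Assumption: with no NAT or proxy in the path, the server sees this address.
            $result.LocalAddress = $client.Client.LocalEndPoint.Address.IPAddressToString
        } else {
            $result.Error = "No TCP connection within $TimeoutMs ms"
        }
    } catch {
        $result.Error = "TCP connect failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    return [pscustomobject]$result
}

Test-DualShieldReachability -ServerFqdn $ServerFqdn -Port $Port -TimeoutMs $TimeoutMs | Format-List
```

On a machine with more than one network interface, the reported LocalAddress shows which of its addresses is actually used to reach the server.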
Step 6: Installing...
Step 7: Connect to Authentication Server
Upon successful installation, the installer launches the DualShield Windows Logon Manager, which enables you to connect the agent to the authentication server.
In the “Application” field, it displays “Click here to select”.
At this point, the agent has been successfully installed and registered with the DualShield server. It is waiting for an application to be published on this agent.
Log back into the Management Console and go to Authentication>Agents
You will find the newly installed Windows Logon Agent:
Click on the drop-down arrow to the right of the new Windows Logon Agent and select the Application you created in the preparation steps.
Switch back to Windows Logon Manager on the agent machine, click the "Application" dropdown list and select the application to be connected.
Select "File | Save" or click the save button in the toolbar to save the settings.
Finally, select "File | Exit" to exit the Windows Logon Manager.
Step 8: Installation Completed
Once the server is rebooted, the Windows Logon page will be replaced by Deepnet's Logon Screen.
If a user is not required to log on with two-factor authentication, the Authenticator field will be disabled and the user can continue to log on as usual by entering only the user name and AD password.
To enable users with two-factor authentication, please refer to the Windows Logon Administration Guide.