CP - Overview

Windows Credential provider allows users use Veridium authentication methods in Windows logon / unlock scenarios. This is beneficial for both physical machines e.g. laptops as well as virtual desktops (VDI).
Following chapters shows how  to setup, configure, authenticate and troubleshoot the Windows Credential Provider.

Architecture

Credential provider is a software installed on Windows client machine allowing to use Veridium authentication methods to logon to windows environment.
Prerequisites:

  • Client computer must be joined to Active directory domain

  • Veridium RA/EP software must be installed and configured.

  • Certificate based authentication must be configured on Active directory domain.

Network communication schema

Windows credential Provider requires following connections:

image-20230311-095025.png


  1. Credential Provider -> VeridiumEP. To test:

    1. Start cmd.exe as administrator

    2. Start CMD in a context of Local computer:

      	psexec -i -s cmd.exe
      


      (psexec might be downloaded here https://docs.microsoft.com/en-us/sysinternals/downloads/pstools)
      Execute (in the computer system context):

    3. execute command

      whoami
      


      expected answer is:

      nt authority\system
      
    4. Start browser by following command:
      explorer "<https://<VeridiumEP> Server FQDN>/BopsEnroll/BopsEnroll.svc/Test"

    5. User will be prompted to enter username / password. If so, enter your domain credentials

    6. You will see resulting message "DEV\\milos is logged on."This is a confirmation that Credential Provider can reach Veridium EP server.
      In case you see any error, go to EP server and search for IIS logs. Default path is:
      C:\inetpub\logs\LogFiles\W3SVC1
      Open latest file modified, go to end of the file:
      2022-02-19 17:53:53 W3SVC1 WinSrvMilos2 192.168.3.128 GET /BopsEnroll/BopsEnroll.svc/Test - 443 DEV\milos 192.168.3.128 Mozilla/5.0+… - 200 0 0 110
      The most important is resulting code. 200 0 means all OK.
      There are following codes available: Refer to https://httpstatuses.com/ or https://en.wikipedia.org/wiki/List_of_HTTP_status_codes

  2. Credential Provider -> VeridiumID server: test URL:

    1. Start cmd.exe as administrator

    2. Start CMD in a context of Local computer:
      psexec -i -s cmd.exe
      (psexec might be downloaded here https://docs.microsoft.com/en-us/sysinternals/downloads/pstools) Execute (in the computer system context):

    3. Execute command:
      whoami
      expected answer is:
      nt authority\system

    4. Start browser by following command:
      explorer "<https://<VeridiumIS> Server FQDN>/websec/rest/health/metrics"

    5. Resulting message contains Metrics information:

  3. image-20230311-103616.png

    Credential Provider -> VeridiumRA. Test URL is: <https://<RA> server FQDN>/RaWebApp/Status/Default.aspx
    open new browser window and try URL. Response should look like this:

image-20230311-103701.png

in case there is not possible to reach VeridiumRA server from client, check Firewall rules, proxy settings, etc.