Network Connect Credential Provider for Windows Vista and Later
In releases prior to Windows Vista, the customization of interactive user logon was done by creating a custom GINA. Users entered their authentication credentials in the logon UI and GINA passed this information to Winlogon for authentication. However, because GINAs do more than pass authentication information, they are typically difficult to implement.
Windows Vista introduces a new authentication model where the logon UI and Winlogon talk directly with each other. A credential provider is a module that plugs into the logon UI and describes the credential information required for the login UI to render and to communicate with an external authentication provider. After the credential provider gathers the credential information, it passes the final credentials to Winlogon.
There are two basic types of credential providers: standard authentication and Pre-Logon Access Providers (PLAP). Standard authentication includes password-based or certificate-based credentials. A PLAP is a special type of credential provider that allows users to make a network connection before logging in to their system. Another difference between these two types of providers is timeout: PLAP credentials have no timeout, whereas standard credentials typically have a 120-second timeout.
The Network Connect credential provider is a PLAP provider. This provider is visible only if the system is configured as part of a domain. The Network Connect provider creates a network connection. If the user's credentials are the same as the domain credentials (SSO), the credential information is entered only once. If the user's credentials are not the same as the domain credentials, the user selects another credential provider for domain authentication.
After a user logs in to the SA Series Appliance through Network Connect Credential Providers, the user has 5 minutes to log in to Vista either through single sign-on or through another Credential Provider. After the user logs into Vista, Network Connect attaches to the tunnel. If the user does not log in to Vista within 5 minutes, the Network Connect tunnel is disconnected.
To install the Network Connect credential provider:
- Make sure your client user is part of a Windows domain.
- In the Admin console, go to User Roles > Network Connect and select the Require NC to start when logging into Windows option.
- When installing Network Connect on the client system (running Windows Vista), you are prompted by the GINA/Credential Provider window to configure the GINA/Credential Provider authentication. Click OK.
- Once the Network Connect tunnel is established on the client system, open the Network Connect window. Go to the Advanced View and select the Information tab. In the Results section, ensure that the GINA/Credential Provider plug-in is configured. You should see something similar to GINA Plug-In: Configured.
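A check for the prerequisites the install steps depend on (domain membership and a registered PLAP provider), written here as an added example that is not part of the original documentation. It assumes Windows PowerShell on the client; the "Network Connect" name filter used to find the provider is an assumption.

```powershell
# Added example: audit the two prerequisites the install procedure relies on,
# domain membership and a registered PLAP provider, and list every registered
# credential provider with the DLL that backs it. The '*Network Connect*'
# filter is an assumption about the provider's registered name.

function Test-DomainMembership {
    # Get-WmiObject is used because it is available on Vista-era PowerShell
    (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
}

function Get-RegisteredCredentialProvider {
    param([switch]$PlapOnly)
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
    $keys = if ($PlapOnly) { @('PLAP Providers') }
            else { @('Credential Providers', 'PLAP Providers') }
    foreach ($k in $keys) {
        $path = Join-Path $base $k
        if (-not (Test-Path $path)) { continue }
        foreach ($sub in Get-ChildItem $path) {
            $clsid = $sub.PSChildName
            # The friendly name is the default value of the CLSID subkey
            $name  = (Get-ItemProperty $sub.PSPath).'(default)'
            # Resolve the CLSID to the in-process COM server (the provider DLL)
            $srv   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll   = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { $null }
            [pscustomobject]@{ Type = $k; CLSID = $clsid; Name = $name; Dll = $dll }
        }
    }
}

if (-not (Test-DomainMembership)) {
    Write-Warning 'Client is not domain-joined; the Network Connect PLAP tile is only shown on domain members.'
}
$plap = Get-RegisteredCredentialProvider -PlapOnly
if (-not ($plap | Where-Object { $_.Name -like '*Network Connect*' })) {
    Write-Warning 'No PLAP provider named like "Network Connect" is registered (name filter is an assumption).'
}
# Full inventory, useful for confirming which providers the logon UI will load
Get-RegisteredCredentialProvider | Format-Table -AutoSize
```

Run it from an elevated Windows PowerShell prompt after the Network Connect install completes; the inventory table is also a convenient baseline for spotting later changes to the set of loaded providers.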
To use the credential provider:
- Log out of Windows and press Ctrl+Alt+Delete.
You should see the Network logon icon. If you see only the Windows user standard tiles, click the Switch user option under the standard Windows credential tiles to see the Network logon icon.
- Click the Network login icon and then click the SA Series Appliance logon icon.
- Enter your Windows domain credential and click the right arrow button. For your username, use the format domain\username or user@domain.
Network Connect signs the user in to the default URL and proxy server in config.ini.
Note: If your SA Series credential is not the same as your Windows domain credential, an alert box appears. Click OK and enter your SA Series credentials in the Network Connect login window that appears. The Network Connect window also contains an option button to launch another window to enter a URL, proxy server, and so forth.
There are a few things to note about the Network Connect credential provider on Vista:
- On Windows XP, GINA appears prior to the Windows logon window. On Windows Vista, you enter the Windows domain credential on the SA Series Appliance logon icon. The Network Connect window appears and establishes the Network Connect PLAP connection while logging in to the Windows desktop.
- The Network Connect credential provider supports the following authentication providers: local authentication, LDAP, RADIUS (UN/PWD only), NIS, ADS, and dial-up connection. In addition, the smart card credential provider supports certificate login.