Credential Provider Authentication for Ivanti Policy Secure Overview
When Microsoft introduced Windows Vista, it moved away from a login integration interface based on Graphical Identification and Authentication (GINA) in favor of credential provider authentication. Ivanti Secure Access Client credential provider integration enables connectivity to a network that is required for the user to log into the Windows domain. For example, the domain controller might reside behind a firewall, and the endpoint uses credential provider login to connect to Ivanti Policy Secure prior to domain login. Ivanti Secure Access Client integrates with Microsoft credential providers to enable password-based login and smart card login. Ivanti Secure Access Client connections also support an option that allows a user to log in with either a smart card or a password. Credential provider login is supported on Windows 8.1 and later Windows platforms.
You can use the Ivanti Secure Access Client support for credential provider authentication to provide single sign-on capabilities. Ivanti Secure Access Client establishes a connection to the network and then uses the same credentials to log in to the Windows domain.
You enable credential provider support on an Ivanti Secure Access Client connection. After the connection has been downloaded to the endpoint through the normal Ivanti Secure Access Client distribution methods, Ivanti Secure Access Client annotates the credential provider tile that appears on the user login screen by adding an Ivanti icon in the lower right corner of the tile. When the user initiates the login process, Ivanti Secure Access Client establishes the connection.
A connection attempt to an Ivanti server fails if the connection uses Host Checker and Host Checker is installed in a non-default appdata folder. Host Checker is installed
Ivanti Secure Access Client supports the following credential provider types:
• user-at-credprov: The connection is established before the user login, using credentials collected at the selected credential tile, which provides single sign-on functionality. The connection is maintained as an active connection on the user's desktop. To enable user-at-credprov authentication, use the Ivanti Secure Access Client connection configuration shown in the figure.
• machine-then-user-at-credprov: The connection is established using machine credentials when no user is logged in. When a user clicks a login tile and provides user credentials, the machine connection is disconnected and a new connection is established. When the user logs out, the user connection is disconnected and the machine connection is reestablished. In one typical machine-then-user-at-credprov implementation, the machine connection and the user connection are mapped to different VLANs. To enable machine-then-user-at-credprov authentication, use the Ivanti Secure Access Client connection configuration shown in the figure.
Ivanti Secure Access Client credential provider support usage notes:
1. If the endpoint includes more than one Ivanti Secure Access Client Layer 2 connection, Windows determines which connection to use:
   • If a network cable is attached to the endpoint, Layer 2 wired connections are attempted first, and then wireless connections. If more than one wireless network is available, the order is determined by the scan list specified as an Ivanti Secure Access Client connection option.
   • After all Layer 2 options are attempted, Ivanti Secure Access Client runs location awareness rules to find one or more eligible Layer 3 connections that are configured for credential provider login. If more than one Layer 3 connection is found, Ivanti Secure Access Client prompts the user to select a connection. A user can cancel the network connection attempt by clicking the Cancel button.
   • After Ivanti Secure Access Client evaluates all configured connection options, it returns control to Windows, which enables the user login operation.
2. For connections that use user credentials, you can configure the Ivanti Secure Access Client connection so that prompts are presented during the login process, for example, prompts for realm or role selection or a server certificate trust prompt. For connections that use machine credentials, Ivanti Secure Access Client prompts cause the connection to fail because there is no interface through which the prompts can be answered. You can suppress any potential realm and role choice by specifying a preferred realm and role for the connection.
   If the Ivanti Secure Access Client connection is configured to use a list of Ivanti servers, the preferred roles and realms you specify must be applicable to all of those servers.
3. Ivanti Secure Access Client upgrade notifications and actions are disabled during credential provider login and postponed until the user connection is established. Host Checker remediation notifications are displayed.
4. To allow users to log in using either a smart card or a password, you can create different authentication realms for each use case and then specify the Preferred Smartcard Logon Realm and Preferred Password Logon Realm as part of the connection properties.
5. If Host Checker is enabled and the client machine has a non-default value for the %appdata% environment variable, then login using GINA fails.
   %appdata% is also a user environment variable, and in this case the user has modified their own appdata value. The credential provider runs in the system user context, at a time when no user is logged in. A user's appdata setting is stored under HKEY_CURRENT_USER, but because no user is logged in, HKEY_CURRENT_USER at that point belongs to the system user. The credential provider therefore uses its own logic to construct the user's default appdata path, and that logic yields the correct path only when the default has not been modified.
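To find endpoints on which this condition applies before enabling credential provider login, the following PowerShell script (an added example, not part of Ivanti's documentation or client) reports each local user profile whose AppData shell folder or APPDATA user variable differs from the Windows default. It assumes it runs elevated, that the NTUSER.DAT hive of a logged-off user can be loaded temporarily under HKU, and that the default value is %USERPROFILE%\AppData\Roaming.

```powershell
# Added example: report local profiles with a non-default AppData setting.
# Run elevated; hives of logged-off users are loaded under HKU and unloaded again.
$DefaultAppData = '%USERPROFILE%\AppData\Roaming'   # assumed Windows default (unexpanded)
$ProfileList    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$UsfSubKey      = 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

function Get-RawValue([string]$KeyPath, [string]$Name) {
    # Read the value without expanding %...% so it can be compared to the default literally.
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name, $null, 'DoNotExpandEnvironmentNames') }
}

Get-ChildItem -Path $ProfileList | ForEach-Object {
    $sid         = $_.PSChildName
    $profilePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    if (-not $profilePath -or -not (Test-Path "$profilePath\NTUSER.DAT")) { return }

    $hive   = "HKU\$sid"
    $loaded = $false
    if (-not (Test-Path "Registry::$hive")) {
        # User is not logged in: load the hive temporarily so HKU\<SID> can be read.
        reg.exe load $hive "$profilePath\NTUSER.DAT" | Out-Null
        if ($LASTEXITCODE -ne 0) { return }
        $loaded = $true
    }
    try {
        $shellFolder = Get-RawValue "Registry::$hive\$UsfSubKey" 'AppData'
        $userEnvVar  = Get-RawValue "Registry::$hive\Environment" 'APPDATA'
        [pscustomobject]@{
            SID         = $sid
            Profile     = $profilePath
            ShellFolder = $shellFolder
            UserEnvVar  = $userEnvVar
            # Either a changed shell folder or a user-level APPDATA override is non-default.
            NonDefault  = (($shellFolder -and $shellFolder -ne $DefaultAppData) -or [bool]$userEnvVar)
        }
    } finally {
        if ($loaded) { [gc]::Collect(); reg.exe unload $hive | Out-Null }
    }
} | Where-Object NonDefault | Format-Table -AutoSize
```

Profiles listed in the output are the ones on which the credential provider's constructed default appdata path will not match the user's actual setting.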