MSFN Forum: Can a GINA STUB fulfil my requirement? - MSFN Forum


Can a GINA STUB fulfil my requirement?

#1 touchring

  • Group: Members
  • Posts: 5
  • Joined: 07-March 10
  • OS:Server 2008 x86

Posted 15 March 2010 - 10:06 AM

Firstly, I'm not sure if this is the right place to post my question. :)

I need to implement 2-factor authentication for my Windows logon and would like to know if a GINA STUB can fulfil my requirement or do I need to write the entire GINA DLL? I read there are risks in implementing the whole GINA so I would like to avoid that.

The flow:

1. Initial Authentication:
The user enters the username and password on the logon screen, the logon credentials are then used to authenticate against a remote authentication server.

--------------------------------------------------------------------------
"Please enter your Username and domain password"

USERNAME: [ ]
PASSWORD: [ ]
--------------------------------------------------------------------------

Alternatively, the credentials can also be used to logon to Windows or AD (as in the usual process), but I should be able to intercept and prevent the user from actually logging in whether or not the credentials have been successfully authenticated - this is because another set of logon credentials (2nd factor) must be submitted before finally allowing access.

2. 2nd Factor:
If the first authentication fails, the user is presented with the failure message returned by the remote authentication server, and the first logon screen is presented again.

On success, an OTP or one-time password will be sent to the user, and the user is then presented with another logon screen which looks like the following. The user enters the username and OTP.

--------------------------------------------------------------------------
"Please enter the OTP which you have received"

USERNAME: [ ]
OTP: [ ]
--------------------------------------------------------------------------

The logon credentials will then be submitted to the authentication server again. If the OTP is correct, the user will be allowed to logon to the machine for real and I should be able to log this event.

If OTP authentication fails, the user is presented with the failure message returned by the remote authentication server, and the following logon screen is presented:

--------------------------------------------------------------------------
"Sorry, you have entered the wrong OTP, please enter the OTP again or enter your domain password to generate another OTP"

USERNAME: [ ]
OTP/PASSWORD: [ ]
--------------------------------------------------------------------------


Note: Yes, I know that Windows 2008 and Vista use the new CP method, but I'll need to implement GINA for Windows 2003 Servers. I thought I'd implement CP after that, hopefully I can reuse as much of the code as possible.


Any suggestions would be much appreciated. :)
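The three-screen flow described in the post, as an added example that is not part of the original post and not code from MSFN or Microsoft. A GINA stub (the Platform SDK GinaStub pattern: a DLL that loads msgina.dll, forwards the Wlx* exports, and interposes on the ones it cares about) can do this, because the stub's WlxLoggedOutSAS runs before the real msgina.dll gets a chance to log the user on, so the stub owns the decision of whether to call through at all. The example below is portable C that models just that decision: the logon-screen state machine on one side and a constructed stand-in for the remote authentication server on the other (`AuthServer`, `server_password`, `server_otp`, the placeholder OTP derivation, `OTP_MAX_TRIES` and the simulated SMS outbox are all assumptions of this example). On a real Windows 2003 box, `session_submit` would sit inside the stub's WlxLoggedOutSAS, collect each dialog with WlxDialogBoxParam, and only call msgina's WlxLoggedOutSAS once `LOGON_GRANTED` is reached. Two checks the post's description leaves implicit are made explicit here: the OTP is bound to the account that passed the first factor and is accepted exactly once, and because the retry screen has a single OTP/PASSWORD field, the value is tried as an OTP first and as a password second, so a typed password is also sent to the OTP check.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define OTP_DIGITS    6
#define OTP_MAX_TRIES 3   /* assumption: burn the OTP after this many wrong entries */

/* ---- Constructed stand-in for the remote authentication server (not a real API) ---- */
typedef struct {
    const char *user;
    const char *password;
    unsigned    counter;                    /* drives the placeholder OTP generator   */
    char        otp[OTP_DIGITS + 1];        /* currently valid OTP, "" when none      */
    int         otp_tries;
    char        sms_outbox[OTP_DIGITS + 1]; /* simulated out-of-band delivery to user */
} AuthServer;

/* Constant-time string compare so the OTP/password check leaks no timing information. */
static bool ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* First factor. On success a fresh OTP is issued and "sent"; returns NULL or an error text. */
static const char *server_password(AuthServer *s, const char *user, const char *pw) {
    if (strcmp(user, s->user) != 0 || !ct_equal(pw, s->password))
        return "Authentication server: invalid username or password";
    s->counter++;
    /* Placeholder derivation; a real server would use HOTP/TOTP or a CSPRNG. */
    snprintf(s->otp, sizeof s->otp, "%06u", (s->counter * 2654435761u) % 1000000u);
    s->otp_tries = 0;
    strcpy(s->sms_outbox, s->otp);
    return NULL;
}

/* Second factor. The OTP is single-use and is burned after OTP_MAX_TRIES wrong entries. */
static const char *server_otp(AuthServer *s, const char *user, const char *otp) {
    if (s->otp[0] == '\0') return "Authentication server: no OTP outstanding";
    if (strcmp(user, s->user) != 0 || !ct_equal(otp, s->otp)) {
        if (++s->otp_tries >= OTP_MAX_TRIES) s->otp[0] = '\0';
        return "Authentication server: wrong OTP";
    }
    s->otp[0] = '\0';   /* never accept the same OTP twice */
    return NULL;
}

/* ---- The GINA-side logon state machine (one instance per WlxLoggedOutSAS call) ---- */
typedef enum { SCREEN_PASSWORD, SCREEN_OTP, SCREEN_OTP_RETRY, LOGON_GRANTED } Screen;

typedef struct {
    Screen      screen;
    char        user[64];      /* account bound by the first factor */
    const char *message;       /* caption for the next dialog       */
    int         audit_events;  /* "logon granted" events to log     */
} LogonSession;

static void session_init(LogonSession *ses) {
    memset(ses, 0, sizeof *ses);
    ses->screen  = SCREEN_PASSWORD;
    ses->message = "Please enter your Username and domain password";
}

/* One submission from the dialog currently shown; returns the screen to show next. */
static Screen session_submit(LogonSession *ses, AuthServer *srv, const char *user, const char *field) {
    const char *err;
    switch (ses->screen) {
    case SCREEN_PASSWORD:
        if ((err = server_password(srv, user, field)) != NULL) { ses->message = err; break; }
        snprintf(ses->user, sizeof ses->user, "%s", user);
        ses->message = "Please enter the OTP which you have received";
        ses->screen  = SCREEN_OTP;
        break;
    case SCREEN_OTP:
    case SCREEN_OTP_RETRY:
        if (strcmp(user, ses->user) != 0) {   /* second factor must name the same account */
            ses->message = "Username does not match the first factor";
            ses->screen  = SCREEN_OTP_RETRY;
            break;
        }
        if (server_otp(srv, user, field) == NULL) {
            ses->screen = LOGON_GRANTED;      /* only now would the stub call msgina's WlxLoggedOutSAS */
            ses->audit_events++;
            ses->message = "Logon granted";
            break;
        }
        /* The retry screen's single field also accepts the domain password to get a new OTP. */
        if (ses->screen == SCREEN_OTP_RETRY && server_password(srv, user, field) == NULL) {
            ses->message = "A new OTP has been sent";
            ses->screen  = SCREEN_OTP;
            break;
        }
        ses->message = "Sorry, you have entered the wrong OTP, please enter the OTP again "
                       "or enter your domain password to generate another OTP";
        ses->screen  = SCREEN_OTP_RETRY;
        break;
    case LOGON_GRANTED:
        break;
    }
    return ses->screen;
}

int main(void) {
    AuthServer srv = { "alice", "hunter2", 0, "", 0, "" };   /* constructed test account */
    LogonSession ses;
    session_init(&ses);
    session_submit(&ses, &srv, "alice", "hunter2");          /* first factor       */
    session_submit(&ses, &srv, "alice", "000000");           /* wrong OTP -> retry */
    session_submit(&ses, &srv, "alice", srv.sms_outbox);     /* read the "SMS"     */
    printf("%s (audit events: %d)\n", ses.message, ses.audit_events);
    return ses.screen == LOGON_GRANTED ? 0 : 1;
}
```

Whether this belongs in a stub or a full GINA is then only a question of who draws the dialogs: the stub never has to touch the real logon (WlxLoggedOutSAS of msgina.dll, the interactive token, the profile) until `LOGON_GRANTED`, which is exactly the part the post wants to avoid re-implementing.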


Copyright © 2001 - 2011 msfn.org