This documentation covers inWebo Windows Logon, a new feature that currently has “external beta” status. If you wish to try it, please contact our sales department.

inWebo Windows Logon lets a user open a Windows session using the mobile Authenticator app as a second factor alongside the Windows password. The feature is administered from the inWebo Console V2, where it is managed as a connector within a given service.

Prerequisites

  • inWebo

    • The inWebo Windows Logon option has to be activated with a maximum number of workstations defined (Please contact our sales department if you want this option to be enabled on your service)

    • Download the inWebo Windows Logon installer - available on demand for now

  • Users

    • Users should have an ‘ACTIVE’ status: during inWebo Windows Logon sign-in, users cannot enroll themselves (activate a first device). This means that users should have at least one active device to be used for authentication through inWebo MFA. Users without an active device attempting to sign into inWebo Windows Logon will receive an authentication failed response from inWebo.

    • The inWebo user’s login must match the Windows username (see “About Login type setting” below for the ‘login2’ alternative).

    • All users must have a smartphone running inWebo Authenticator.

  • Workstations

    • Workstations should be running Windows 10 20H2 or later.

    • All workstations must have a local user account with a password OR all workstations must be located in a domain.

    • All workstations should be able to communicate with inWebo on TCP port 443.

  • Supported authentication methods

    • Push notifications from inWebo Authenticator app

The offline mode is supported from inWebo Authenticator version 6.20 and later. For standard mode, all inWebo Authenticator versions are supported.

Configuration

Here are the basic configuration steps:

Activating the feature

  • Go to the administration console > Service Parameters tab.

  • Check that the Windows Logon parameter is set to Yes.

If you do not see the Windows Logon parameter, it means that the option is not activated for your service. Please contact our sales department if you want this option to be enabled on your service.

Setting up the connector

inWebo Windows Logon is managed as a connector from the administration console V2.

  1. Log in to the admin console V2.

  2. Go to the “Windows Logon” section.

  3. Click on + Add connector.

  4. Provide a connector name and click on + Add.

  5. Click on Edit to display the connector’s parameters.

At creation, the connector automatically contains a connector alias and an AES key:

  • the connector alias identifies the connector,

  • the AES key is the shared secret used to activate the feature on a workstation. Anyone holding it can initialize a workstation against this connector, so treat it like a password: distribute it only through your deployment tooling and never leave it in shared scripts or tickets.

About Login type setting

You can select ‘login’ or ‘login2’. The selected field must match the user’s Windows login.

  • The default value is ‘Login’.

  • ‘login2’ can be used when the login used for Windows sign-in differs from the inWebo login.

Offline mode parameters

You will soon be able to configure the offline mode parameters. In the meantime, the default values are used.

  • Number of scratch codes → By default, 20 scratch codes may be generated per user:

    • 15 scratch codes in the user's details from the admin console

    • 5 scratch codes in the user's Authenticator application.

When 50% of the total scratch codes are consumed, the user's full set of scratch codes is renewed.

  • Validity of scratch codes → the validity period of a scratch code once it has been generated is 90 days.

  • Scratch code renew frequency → the user's full set of scratch codes is renewed every 30 days.

Deploying inWebo Windows Logon

To deploy inWebo Windows Logon on the workstations, inWebo supports:

Manual installation
  • On a workstation, open a session with an administrator account.

  • Download the Microsoft Installer (MSI) file. This MSI package installs both the credential provider and the inWebo service.

  • Launch the installer and follow the instructions. 

  • Copy and paste the ConnectorAlias and the AES key of the connector into the corresponding fields. Both values can be retrieved from your inWebo console, in your Windows Logon connector settings.

With MSI version 2.0, the connector alias and AES key entered in the installer are not written correctly to the appsettings file. After installation, open the file and fill in both values manually (see “Accessing the connector appsettings file” below).

Silent installation

The inWebo Windows Logon installer can be run silently from the command line. Run the following command with admin privileges:

msiexec /i InWeboWindowsLogon.msi /qn AES=[my_AES_key] ALIAS=[my_connector_alias]

where:

Setting   Description

AES       The AES key that activates the inWebo Windows Logon feature on a workstation. It can be found in the connector settings, on the inWebo admin console.

ALIAS     The connector alias that identifies the connector. It can be found in the connector settings, on the inWebo admin console.

Automated deployment

Once you are ready to deploy on a large scale, we recommend you automate the installation and the configuration of the appsettings file via GPO.

If you wish, you can create distinct connectors to manage different pools of workstations. Each connector has its own AES key for workstation initialization, so a workstation can only be initialized with the key of its associated connector, and a key that leaks from one pool does not affect the others.

We recommend that you disable the existing Windows credential providers only after making sure the feature responds to your needs and use cases, and if you have checked that your support procedures are up and running.

Accessing the connector appsettings file

  • Go to the folder c:\Programs\InWebo\WindowsLogon and open the appsetting.json file.

This is what the appsetting.json file looks like.

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "HttpClientConfig": {
    "ConnectorAlias": "1ed4d5af-e5f4-4518-aie2-88fef8e3827a",
    "BaseURI": "https://kiwi.myinwebo.com/auth/v2/anonymous/sesame/"
  },
  "Aes": "JLlUV0CNNfrf1j9U3khjE/GzLjykk9Buyy7J/e019/=A"
}

In the appsetting.json file, you can edit the ConnectorAlias and the Aes values. Open the file with an editor run as an administrator, since it sits under the program folder.
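The silent installation, the GPO-driven automation and the appsetting.json edit described above, combined into one script. This is an added example, not inWebo’s own tooling: it runs the MSI silently with the documented ALIAS and AES properties, then re-applies ConnectorAlias and Aes in appsetting.json (because MSI 2.0 does not always write them), then restarts the local service. The MSI share path, the parameter names, the assumption that the service name starts with “inWebo” and the restart after editing are assumptions; the config path is the one given on this page.

```powershell
<#
  Added example, not inWebo's own tooling: unattended deployment of inWebo Windows Logon,
  usable as a GPO computer startup script or from a software-deployment tool.
  1. Runs the MSI silently with the ALIAS/AES properties documented on this page.
  2. Re-applies ConnectorAlias and Aes in appsetting.json afterwards, because MSI 2.0
     does not always write them, and leaves the rest of the file untouched.
  3. Restarts the local inWebo service so it reads the new values (assumption: the
     documentation does not say whether the service re-reads the file on its own).
  Assumptions (not from the product documentation): the MSI is on a share readable by
  computer accounts, the config path is the one given on this page, and the service name
  starts with 'inWebo'.
#>
param(
    [Parameter(Mandatory)][string]$MsiPath,         # e.g. \\fileserver\deploy\InWeboWindowsLogon.msi (hypothetical)
    [Parameter(Mandatory)][string]$ConnectorAlias,  # from the connector settings in the console
    [Parameter(Mandatory)][string]$AesKey,          # from the connector settings in the console
    [string]$ConfigPath = 'C:\Programs\InWebo\WindowsLogon\appsetting.json'
)
$ErrorActionPreference = 'Stop'

function Install-InWeboWindowsLogon {
    param([string]$Msi, [string]$Alias, [string]$Aes)
    $log = Join-Path $env:windir 'Temp\InWeboWindowsLogon-install.log'
    # Same properties as the documented msiexec line. The values are quoted so that the
    # '/' and '=' characters of a base64 key cannot be mistaken for switches or separators;
    # /l*v keeps a verbose log that support can ask for.
    $argLine = "/i `"$Msi`" /qn /norestart /l*v `"$log`" ALIAS=`"$Alias`" AES=`"$Aes`""
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argLine -Wait -PassThru -NoNewWindow
    switch ($p.ExitCode) {
        0       { Write-Output 'MSI installed.' }
        3010    { Write-Warning 'MSI installed; Windows reports that a reboot is required (exit code 3010).' }
        1638    { Write-Output 'Another version of the package is already installed (exit code 1638); skipping.' }
        default { throw "msiexec failed with exit code $($p.ExitCode); see $log" }
    }
}

function Set-InWeboConnectorConfig {
    param([string]$Path, [string]$Alias, [string]$Aes)
    if (-not (Test-Path $Path)) { throw "Config file not found at $Path; check the install path." }
    $cfg = Get-Content -Raw -Path $Path | ConvertFrom-Json
    # -Force overwrites the value if the installer wrote it and adds it if the installer left it out.
    $cfg.HttpClientConfig | Add-Member -NotePropertyName ConnectorAlias -NotePropertyValue $Alias -Force
    $cfg | Add-Member -NotePropertyName Aes -NotePropertyValue $Aes -Force
    # -Depth 10: ConvertTo-Json's default depth of 2 would flatten the nested Logging section.
    $cfg | ConvertTo-Json -Depth 10 | Set-Content -Path $Path -Encoding UTF8
    # Read the file back and verify instead of trusting the write.
    $check = Get-Content -Raw -Path $Path | ConvertFrom-Json
    if ($check.HttpClientConfig.ConnectorAlias -ne $Alias -or $check.Aes -ne $Aes) {
        throw "appsetting.json was not updated as expected; edit it by hand."
    }
}

Install-InWeboWindowsLogon -Msi $MsiPath -Alias $ConnectorAlias -Aes $AesKey
Set-InWeboConnectorConfig -Path $ConfigPath -Alias $ConnectorAlias -Aes $AesKey

$svc = Get-Service | Where-Object { $_.Name -like 'inWebo*' -or $_.DisplayName -like 'inWebo*' } |
       Select-Object -First 1
if ($svc) {
    Restart-Service -InputObject $svc
    Write-Output "Service '$($svc.Name)' restarted; status: $((Get-Service -Name $svc.Name).Status)"
} else {
    Write-Warning 'No inWebo service found after installation; check the MSI log.'
}
```

Do not pass the AES key as a GPO script parameter or embed it in a script stored in SYSVOL: SYSVOL is readable by every authenticated domain user, and the key is what authorizes a workstation to initialize against the connector. Keep it on an ACL-restricted share or in your deployment tool’s secret store, and use one connector per workstation pool so that a leaked key is limited to that pool. Note also that appsetting.json holds the key in cleartext and that the program folder is readable by standard users by default, so any local user of the workstation can read it; weigh that against your threat model.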

Managing workstations

  • From the inWebo admin console V2, go to the “Windows Logon” section. 

  • Go to the connector and click on “Workstations”. You will get the activated workstations list for this connector.  

  • Click on the details arrow on the right. You will see the workstation name, its UUID, the user who initiated the workstation, and the creation and validity dates.

The following actions can be performed:

  • Locking a workstation → this will prevent users from opening a session on this workstation, or re-initializing the feature. The lock is useful when the workstation has been lost, stolen, or compromised.

  • Unlocking a workstation.

  • Deleting a workstation → this removes the workstation from the list. It will need to be re-initiated.

Standard use-case

Here is the scenario of a standard authentication. A “Standard authentication” means that the user’s workstation has internet access. Thus, the user is able to receive a notification on Authenticator application and authenticate.

If the inWebo Windows Logon feature is activated and configured in the admin console, the feature is activated on the user’s workstation automatically and silently the first time a Windows session is opened with a successful inWebo authentication. That user is recorded as the one who initiated the workstation (see “Managing workstations”).

  • The user enters the Windows credentials. In this example, the user Bart selects inWebo MFA (the inWebo credential provider) from the connection options and enters his Windows password.

  • The user authenticates via mobile Authenticator. In this example, Bart receives a notification and authenticates via mobile Authenticator.

  • Once authenticated, the session is opened.

Specific use-cases

Offline use-case

The offline mode can be used when a user does not have access to internet (airplane mode for example). In this case, the user has two options to access their Windows session: generate a code with their own Authenticator mobile app or request a code from the administrator/help desk.

To access their Windows session while being offline:

  • From the Windows login portal, the user clicks on “I forgot my device / I am offline”.

  • The user enters a scratch code and their Windows password.

How does the user generate a code with their own Authenticator mobile app?

Prerequisite → the user must have enrolled the mobile device they plan to use, and that device must run inWebo Authenticator version 6.20 or later, since earlier versions do not support the offline mode.

  • The user launches the Authenticator application from their trusted mobile device.

  • The user goes to “My workstations” section.

  • If the user has several workstations, there is a list of the user’s workstations. In the list, the user should find the workstation that they would like to use to access their Windows session and click on Select.

  • The user clicks on Reveal code. This reveals a code to be used to unlock the workstation. A revealed code can be used once and during its validity period.

How to provide a code to the user?

  • Go to the admin console V2 > Users Management tab > Users section.

  • Find the user you need to provide the code to. Click on Edit.

  • In the Workstations section, there is a list of the user’s workstations. In the list, find the workstation that the user would like to use to access their Windows session.

  • Click on Reveal code. This reveals a code to be provided to the user. A revealed code can be used once and during its validity period.

  • Once the user has entered the code and their Windows password, the Windows session opens.

“I forgot my phone” use-case

This specific use-case refers to the situation where the user does not have their phone. Note that the behavior is almost the same as the “Offline mode” use case. The difference is that the user cannot generate a code with their own Authenticator mobile app because we assume that they do not have a phone. In this case, the only option for the user to access their Windows session is to request a code from their administrator/helpdesk.

To access their Windows session without a phone:

  • From the Windows login portal, the user clicks on “I forgot my device / I am offline”.

  • The user enters a scratch code and their Windows password.

How to provide a code to the user?

The procedure is the same as in the offline use-case above: in the admin console V2, go to Users Management tab > Users section, find the user and click on Edit, locate the workstation in the Workstations section and click on Reveal code. The revealed code can be used once and during its validity period. Once the user has entered the code and their Windows password, the Windows session opens.

The code settings (number of scratch codes, validity and renewal frequency) are described in the “Offline mode parameters” section above; they currently use the default values and are not yet customizable.

Current limitations

The current delivery does not support the following cases:

  • The credential provider is in English only. Other languages will be supported later.

  • The Windows 10 policy “Interactive logon: don’t display username at sign-in” is not supported. This policy may be in use to hide user information on shared and sensitive workstations.

  • Opening a session on Windows Server is not yet supported.

  • In the offline or ‘forgot my phone’ case, a scratch code opens the session only once. Later on, the user will be able to define a temporary PIN.

  • Offline mode parameters such as the number of scratch codes, their validity and the renewal frequency are not yet customizable by administrators.

Known issues

These identified known issues will be fixed and will be removed from this list as soon as they are fixed.

  • Minor cosmetic issues in the credential administration

Troubleshooting

On the workstation

  • To see the version number of the inWebo credential provider: open Windows Settings > Apps and click on “inWebo Windows Logon”; the version is displayed there.

  • Make sure the local service is started: open Services and find inWeboWindowsLogonAuthenticator in the list. Its status is shown there, and you can start or stop it manually.

  • Local logs: open the Event Viewer, Windows Logs > Application. The entries written by the inWebo service appear there.
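The checks above, scripted so that a help desk can run them in one go. This is an added example, not part of the inWebo documentation: it reports the installed version from the uninstall registry keys (what Settings > Apps displays), the state of the service, whether the BaseURI host in appsetting.json answers on TCP 443 (the network prerequisite above), and the most recent Application-log entries from inWebo. The config path is the one given on this page and the service is matched on an “inWebo” prefix; the event provider name is not documented, so events are matched on “inWebo” in the provider name or message text, which is an assumption.

```powershell
<#
  Added example, not part of the inWebo documentation: health check for one workstation.
  Assumptions: config path as given on this page; service name starts with 'inWebo';
  the event provider name is not documented, so events are matched on 'inWebo' in the
  provider name or the message text.
#>
param([string]$ConfigPath = 'C:\Programs\InWebo\WindowsLogon\appsetting.json')

# 1. Installed version, read from the per-machine uninstall keys that Settings > Apps displays.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$pkg = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like '*inWebo*' }
if ($pkg) { $pkg | Select-Object DisplayName, DisplayVersion, InstallDate | Format-Table -AutoSize }
else      { Write-Warning 'inWebo Windows Logon is not listed as an installed package.' }

# 2. Local service state: the documentation says to check this first.
$svc = Get-Service | Where-Object { $_.Name -like 'inWebo*' -or $_.DisplayName -like 'inWebo*' } |
       Select-Object -First 1
if (-not $svc) { Write-Warning 'No inWebo service found: the MSI did not install it, or it was removed.' }
else {
    $svc | Select-Object Name, Status, StartType | Format-Table -AutoSize
    if ($svc.Status -ne 'Running') {
        Write-Warning "Service is $($svc.Status): run Start-Service $($svc.Name) before testing further."
    }
}

# 3. Connector values present, and TCP 443 reachability of the inWebo host (the network prerequisite).
if (-not (Test-Path $ConfigPath)) { Write-Warning "Config file not found at $ConfigPath" }
else {
    $cfg = Get-Content -Raw -Path $ConfigPath | ConvertFrom-Json
    if ([string]::IsNullOrWhiteSpace($cfg.HttpClientConfig.ConnectorAlias) -or [string]::IsNullOrWhiteSpace($cfg.Aes)) {
        Write-Warning "ConnectorAlias or Aes is empty in $ConfigPath (MSI 2.0 does not always write them): fill them in from the connector settings."
    }
    $apiHost = ([Uri]$cfg.HttpClientConfig.BaseURI).Host
    $tcp = Test-NetConnection -ComputerName $apiHost -Port 443 -WarningAction SilentlyContinue
    if ($tcp.TcpTestSucceeded) { Write-Output "TCP 443 to ${apiHost}: OK" }
    else { Write-Warning "Cannot reach $apiHost on TCP 443: check proxy and firewall egress. Until fixed, only the offline path (scratch codes) can open a session." }
}

# 4. Most recent Application-log entries written by the inWebo service, newest first.
Get-WinEvent -LogName Application -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*inWebo*' -or $_.Message -like '*inWebo*' } |
    Select-Object -First 20 TimeCreated, LevelDisplayName, ProviderName, Id, Message |
    Format-List
```

Run it from an elevated PowerShell prompt; reading the program folder and the Application log does not need elevation, but Start-Service does if the service turns out to be stopped.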

Audit

  • The logs about connector management are visible in the inWebo audit, service management section.

  • The logs about workstation management are visible in the inWebo audit, section Workstation management.

  • The user authentications are visible just as normal authentications.