inWebo Windows Logon is a new feature that currently has “external beta” status. If you wish to try this new feature, please contact our sales department.

inWebo Windows Logon allows a user to open a Windows session using a mobile Authenticator app. The administration of this feature is done from the inWebo Console V2, and is managed as a connector in a given service.

Prerequisites

  • inWebo

    • The inWebo Windows Logon option has to be activated with a maximum number of workstations defined (Please contact our sales department if you want this option to be enabled on your service)

    • Download the inWebo Windows Logon installer - available here

  • inWebo user account

    • Users should have an ‘ACTIVE’ status: during inWebo Windows Logon sign-in, users cannot enroll themselves (activate a first device). This means that users should have at least one active device to be used for authentication through inWebo MFA. Users without an active device attempting to sign into inWebo Windows Logon will receive an authentication failed response from inWebo.

    • The inWebo user’s login should match the Windows username (more info)

    • All users must have a smartphone running inWebo Authenticator.

  • Windows user account

    • Users will open a session using the following:

      • a local account

      • a domain account

    • The account must have a password defined.

Not supported

See Current limitations

  • Workstations and Servers

    • Workstations should be running Windows 10 20H2 or later, or Windows 11.

    • All workstations should be able to communicate with inWebo on TCP port 443.

    • Installation of Microsoft Visual Studio C++ Redistributable is required (The package is already included in the standard Windows OS installations)

    • Servers are supported if running Windows Server 2016, 2019 or 2022

  • Supported authentication methods

    • Push notifications to inWebo Authenticator app

The offline mode is supported from inWebo Authenticator version 6.22 and later. For standard mode, all inWebo Authenticator versions are supported.

Security Recommendations

  • The inWebo Windows Logon feature protects the session opening. In order to fully protect the workstation, we recommend protecting the data located on the workstation by using a hard drive encryption mechanism.

  • The offline “Scratch Codes” are located in inWebo Authenticator on the user’s phone. In order to protect these codes we recommend activating the lock feature on users’ phones.

  • For more information about credential providers in Windows and to hide other credential providers, please refer to the Microsoft documentation → Credential Provider in Windows

Configuration

Here are the basic configuration steps:

Activating the feature

  • Go to the administration console > Service Parameters tab.

  • Check that the Windows Logon parameter is set to Yes.

If you do not see the Windows Logon parameter, it means that the option is not activated for your service. Please contact our sales department if you want this option to be enabled on your service.

Setting up the connector

inWebo Windows Logon is managed as a connector from the administration console V2 (learn more about administration console V2).


  1. Log in to the admin console V2.

  2. Go to the “Windows Logon” section.

  3. Click on + Add connector.

  4. Provide a connector name and click on + Add.

  5. Click on Edit to display the connector’s parameters.

At creation, the connector automatically contains a connector alias and an AES key:

  • the connector alias identifies the connector,

  • the AES key is a security item that will be used to activate the feature on a workstation.

About Login type setting

You can select ‘login’ or ‘login2’. The selected login must match the user's Windows login.

  • The default value is ‘Login’.

  • ‘login2’ can be used when the login used for Windows sign-in differs from the inWebo login.

Offline mode parameters

You will soon be able to configure the offline mode parameters. In the meantime, the default values are used.

  • Number of scratch codes → By default, 20 scratch codes may be generated per user:

    • 15 scratch codes in the user's details from the admin console

    • 5 scratch codes in the user's Authenticator application.

Once 3 scratch codes have been consumed, the user's full set of scratch codes is renewed the next time the user opens a session online.

  • Validity of scratch codes → the validity period of a scratch code is 90 days.

  • Scratch code renew frequency → the user's full set of scratch codes is renewed every 30 days.

Deploying inWebo Windows Logon

To deploy inWebo Windows Logon on the workstations, inWebo supports:

Manual installation

  • On a workstation, open a session with an administrator account.

  • Download the Microsoft Installer (MSI) file. This MSI package installs both the credential provider and the inWebo service.

  • Launch the installer and follow the instructions.

  • Copy and paste the ConnectorAlias and the AES key of the connector into the corresponding fields. These keys can be retrieved from your inWebo console, in your Windows Logon connector settings.

Silent installation

The inWebo Windows Logon installer can be run silently from the command line. Run the following commands with admin privileges:

msiexec /i InWeboWindowsLogon.msi /qn AES=[my_AES_key] ALIAS=[my_connector_alias]

where:

  • AES → The AES key that activates the inWebo Windows Logon feature on a workstation. It can be found in the connector settings, on the inWebo admin console.

  • ALIAS → The connector alias that identifies the connector. It can be found in the connector settings, on the inWebo admin console.

Automated deployment

Once you are ready to deploy on a large scale, we recommend you automate the installation and the configuration of the appsettings file via GPO.

If you wish, you can create distinct connectors to manage different pools of workstations. Each connector has its own AES key for workstation initialization, so that initializing a workstation is possible only with the associated connector.

We recommend that you disable the existing Windows credential providers only after making sure the feature meets your needs and use cases, and after checking that your support procedures are up and running.

Accessing the configuration file (appsettings)

A configuration file ‘appsettings.json’ is automatically created by the installer. However, you may need to update it manually.

Go to the folder c:\Programs\InWebo\WindowsLogon and open the ‘appsettings.json’ file.

From the appsettings.json file, you can edit the ConnectorAlias and the AES key (open the file as an administrator).

This is what the appsettings.json file looks like:

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "HttpClientConfig": {
    "ConnectorAlias": "1td4d5af-e5f4-4518-aie2-88fef8e3827a",
    "BaseURI": "https://kiwi.myinwebo.com/auth/v2/anonymous/sesame/"
  },
  "Aes": "JLlUV0CNNfrf1j9U3khjE/GzLjykk9Buyy8J/e019/=A"
}
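For silent or GPO-driven deployment, the following PowerShell script (an added example, not inWebo's installer or tooling) runs the msiexec command above and then verifies the result: appsettings.json holds the intended ConnectorAlias and Aes, the inWeboWindowsLogonAuthenticator service is running, and the host named in BaseURI answers on TCP 443. It assumes the MSI name, properties, config path and service name shown on this page, and that the installer writes the two values verbatim into appsettings.json.

```powershell
# Added example, not inWebo's own tooling: silent install followed by post-install checks.
# Assumptions: the MSI name, AES/ALIAS properties, config path and service name shown on
# this page, and that the installer writes the two values verbatim into appsettings.json.
param(
    [Parameter(Mandatory)] [string] $ConnectorAlias,
    [Parameter(Mandatory)] [string] $AesKey,
    [string] $MsiPath     = ".\InWeboWindowsLogon.msi",
    [string] $ConfigPath  = "C:\Programs\InWebo\WindowsLogon\appsettings.json",
    [string] $ServiceName = "inWeboWindowsLogonAuthenticator"
)

# 1. Silent install, passing the connector values as MSI properties and keeping a verbose log.
$log = Join-Path $env:TEMP "inwebo-logon-install.log"
$msiArgs = "/i `"$MsiPath`" /qn AES=`"$AesKey`" ALIAS=`"$ConnectorAlias`" /l*v `"$log`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
# 3010 means success with a reboot pending.
if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($proc.ExitCode), see $log" }

# 2. The generated appsettings.json must carry the connector this workstation pool is meant to use.
$cfg = Get-Content -Raw -Path $ConfigPath | ConvertFrom-Json
if ($cfg.HttpClientConfig.ConnectorAlias -ne $ConnectorAlias) {
    throw "ConnectorAlias in appsettings.json does not match the connector being deployed"
}
if ($cfg.Aes -ne $AesKey) { throw "Aes in appsettings.json does not match the deployed key" }

# 3. The local service must be running for the credential provider to authenticate users.
$svc = Get-Service -Name $ServiceName -ErrorAction Stop
if ($svc.Status -ne 'Running') { Start-Service -Name $ServiceName }

# 4. The workstation must reach inWebo on TCP 443 (see Prerequisites); BaseURI names the host.
$endpoint = ([uri] $cfg.HttpClientConfig.BaseURI).Host
if (-not (Test-NetConnection -ComputerName $endpoint -Port 443 -InformationLevel Quiet)) {
    throw "Cannot reach $endpoint on TCP 443"
}

Write-Output "inWebo Windows Logon installed and verified on $env:COMPUTERNAME (connector $ConnectorAlias)"
```

Run it from an elevated session, or as a GPO startup script with the two mandatory parameters supplied from a location readable by administrators only, since the AES key is what activates workstations against your connector.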

Managing workstations

  • From the inWebo admin console V2, go to the “Windows Logon” section.

  • Go to the connector and click on “Workstations”. You will get the list of activated workstations for this connector.

  • Click on the details arrow on the right. You will see the workstation name, its UUID, the user that initialized the workstation, and also the creation and validity dates.

The following actions can be performed:

  • Locking a workstation → this will prevent users from opening a session on this workstation, or re-initializing the feature. The lock is useful when the workstation has been lost, stolen, or compromised.

  • Unlocking a workstation.

  • Deleting a workstation → this removes the workstation from the list. It will need to be re-initialized.

Deleting a connector

When deleting a connector, make sure to delete all workstations within this connector prior to deleting it. Deleting a connector without deleting workstations may prevent any new initialization of these workstations.

See Known issues below

Standard use-case

Here is the scenario of a standard authentication. A “Standard authentication” means that the user’s workstation has internet access. Thus, the user is able to receive a notification on the Authenticator application and authenticate.

If the inWebo Windows Logon feature is activated and configured in the admin console, the feature activation on the user’s workstation is done automatically and silently at the first opening of a Windows session with a valid authentication.

  1. The user enters the Windows credentials. In this example, the user Bob White selects inWebo MFA (the inWebo credential provider) from the sign-in options. He should enter his Windows password.

  2. The user receives a notification on the inWebo Authenticator application to authenticate. In this example, Bob authenticates via his mobile Authenticator application.

  3. Once authenticated, the session is opened.

Login as a domain user

  • If the domain is already selected, you can log in using your sAMAccountName.
    Example: the user enters “bob.white” to log in as bob.white in the Acme domain.

  • If the domain is not selected, the user can specify the domain using the DOMAIN\user syntax.
    Example: the user enters ACME\bob.white

The UPN syntax bob.white@acme.com is not yet supported.

Specific use-cases

Offline use-case

The offline mode can be used when a user does not have internet access (airplane mode, for example). In this case, the user has two options to access their Windows session: generate a code with their own Authenticator mobile app, or request a code from the administrator/help desk.

How does the user generate a code with their own Authenticator mobile app?

Prerequisite → the user should have enrolled the mobile device they plan to use.

The offline mode is supported from inWebo Authenticator version 6.20 and later. For standard mode, all inWebo Authenticator versions are supported.

  • The user launches the Authenticator application from their trusted mobile device.

  • The user goes to “My workstations” section.

  • If the user has several workstations, there is a list of the user’s workstations. In the list, the user should find the workstation that they would like to use to access their Windows session and click on Select.

  • The user clicks on Reveal code. This reveals a code to be used to unlock the workstation. A revealed code can be used once and during its validity period.

How to provide a code to the user?

  • Go to the admin console V2 > Users Management tab > Users section

  • Find the user you need to provide the code to. Click on Edit.

  • In the Workstations section, there is a list of the user’s workstations. In the list, find the workstation that the user would like to use to access their Windows session.

  • Click on Reveal code. This reveals a code to be provided to the user. A revealed code can be used once and during its validity period.

To access their Windows session while being offline:

  1. From the Windows login portal, the user clicks on “I forgot my device / I am offline”.

  2. Bob enters a scratch code and his Windows password.

  3. The Windows session is open.

“I forgot my phone” use-case

This specific use-case refers to the situation where the user does not have their phone. Note that the behavior is almost the same as the “Offline mode” use case. The difference is that the user cannot generate a code with their own Authenticator mobile app because we assume that they do not have a phone. In this case, the only option for the user to access their Windows session is to request a code from their administrator/helpdesk.

How to provide a code to the user?

  • Go to the admin console V2 > Users Management tab > Users section

  • Find the user you need to provide the code to. Click on Edit.

  • In the Workstations section, there is a list of the user’s workstations. In the list, find the workstation that the user would like to use to access their Windows session.

  • Click on Reveal code. This reveals a code to be provided to the user. A revealed code can be used once and during its validity period.

You can configure the code settings in the Windows Logon connector parameters (see “Offline mode parameters” section above).

To access their Windows session without a phone:

  1. From the Windows login portal, the user clicks on “I forgot my device / I am offline”.

  2. Bob enters a scratch code and his Windows password.

  3. The Windows session is open.

Current limitations

The current delivery does not support the following cases:

  • The credential provider is in English only. Other languages will be supported later.

  • Microsoft accounts are not supported. In case of a Microsoft account, inWebo MFA is not applied. The behavior is the following: the user enters the Windows password and then the session opens.

  • Only for local Windows accounts → the following security policy settings (Windows10) are not supported:

  • Password management:

    • Expired password: changing the password at logon or via the Ctrl+Alt+Del shortcut is not supported when the Windows Credential Provider is not active. Therefore the user cannot change an expired password; the administrator has to reset it.

    • When creating a user, the option “User must change password at next logon” is not supported.

    • How to modify or reset a password?

      • For local accounts, the user can change their password via Settings > Accounts > Sign-in options > Password > Change.

      • For domain accounts, the user cannot change their password.

      • The administrator can reset the user password, without selecting “User must change password at next logon”.

  • In the offline or ‘forgot my phone’ case, the scratch code will open the session only once. Later on, the user will be able to define a temporary PIN.

  • Offline mode parameters such as the number of scratch codes, their validity and renewal frequency are not yet customizable by administrators.

Known issues

These known issues will be removed from this list as soon as they are fixed.

  • Minor cosmetic issues in the credential administration

  • Deleting a connector does not automatically delete the included workstations. A fix for this behavior will be available soon.

  • Installation on Windows 10 21H1 requires the installation of the Microsoft Visual Studio C++ redistributable

Troubleshooting

On the workstation

  • How to see the version number of the inWebo credential provider? Go to Windows Settings > Apps, click on “inWebo Windows Logon” and the version is displayed.

  • Make sure the local service is started: open Services and find inWeboWindowsLogonAuthenticator in the list. Its status is displayed there and you can start or stop it manually.

  • Local logs: open the Event Viewer, Application log. You will see the logs associated with the inWebo service.

  • If the installation seems fine but the credential provider is not visible, check the Windows version. Windows 10 21H1 does not include the Microsoft Visual Studio C++ redistributable component by default, and this component is required (see Prerequisites).
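The checks above can be gathered in one run with the following PowerShell script (an added diagnostic example, not inWebo's own tooling): it reads the installed version from the uninstall registry keys, the state of the inWeboWindowsLogonAuthenticator service, the Windows build against the minimum versions in Prerequisites, the presence of the VC++ x64 runtime, and recent Application-log events. The event provider name is not documented on this page, so events are matched on a wildcard; the VC++ registry key and build numbers are Microsoft's, not inWebo's.

```powershell
# Added diagnostic script, not inWebo's own tooling. It collects the items listed under
# "On the workstation". The event provider name is an assumption (matched with a wildcard).
$report = [ordered]@{}

# Installed version, the same value shown under Settings > Apps > "inWebo Windows Logon".
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$app = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like 'inWebo Windows Logon*' } | Select-Object -First 1
$report['InstalledVersion'] = if ($app) { $app.DisplayVersion } else { 'not installed' }

# Local service (see "Make sure the local service is started").
$svc = Get-Service -Name 'inWeboWindowsLogonAuthenticator' -ErrorAction SilentlyContinue
$report['ServiceStatus'] = if ($svc) { $svc.Status.ToString() } else { 'service not found' }

# Windows build: 20H2 is 19042, 21H1 is 19043, Windows Server 2016 is 14393.
$nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int] $nt.CurrentBuildNumber
$report['WindowsBuild'] = "$build ($($nt.DisplayVersion))"
$report['BuildSupported'] = if ($nt.InstallationType -eq 'Server') { $build -ge 14393 } else { $build -ge 19042 }

# The VC++ 2015-2022 x64 runtime registers itself under this key when installed.
$vc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64' -ErrorAction SilentlyContinue
$report['VcRedistInstalled'] = [bool] ($vc -and $vc.Installed -eq 1)
if ($build -eq 19043 -and -not $report['VcRedistInstalled']) {
    $report['Hint'] = 'Windows 10 21H1 without the VC++ runtime: the credential provider will not appear'
}

# Recent events from the inWebo service in the Application log (last 24 hours).
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
            Where-Object { $_.ProviderName -like '*inWebo*' } | Select-Object -First 20)
$report['RecentInWeboEvents'] = $events.Count

[pscustomobject] $report | Format-List
$events | Format-Table TimeCreated, LevelDisplayName, Message -Wrap
```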

Audit

  • The logs about connector management are visible in the inWebo audit, service management section.

  • The logs about workstation management are visible in the inWebo audit, section Workstation management.

  • The user authentications are visible just as normal authentications.