Skip to main content
Skip table of contents

Windows Credential Provider

This document explains how to implement Monosign with Microsoft Windows MFA.

Monofor has no responsibility to do Microsoft Windows OS configurations. If you need support please contact Microsoft Support Services.

đź“‘ Instructions

This documentation contains 6 main steps for integration.

  1. Creating an Application on Monosign

  2. Configuration for Microsoft Windows

  3. Assign a user to the Microsoft Windows application

  4. Sign In Test

  5. Troubleshooting

  6. Uninstall

1- Creating an Application on Monosign

Create application on Monosign and configure your access policy. Once you create, click “Keys” and add a new Access Key for Rest API Key for access.

This information will be necessary during the configuration of the Microsoft Windows application.

Property

Value

Options

Key Type

Rest API

Rest API, OAuth 2.0, JWT, OIDC/OpenID, SAML, RADIUS, Access Gateway, LDAP, AuthN/Z Server

Expiration

Lifetime

Lifetime or Specific Date/Time - By Default Lifetime is Enabled.

Configuration details for the Microsoft Windows application are provided as follows:

image-20240910-095001.png

To ensure that the application has access to user groups, follow these steps:

  1. If the application hasn't been configured yet, click the “Edit” option for the application.

  2. In the application settings, navigate to the “Source, Provider, and Profile” tab.

  3. Configure the “User Access Type“ and “User Group Access Type” as “Only Assigned Users.”

Configuring this setting will allow the application to access by user groups when users sign in.

Property

Description

Options

User Access Type

Defines which Users will access to this application.

Only Assigned Users
All Users

User Group Access Type

Defines application’s user group access

Only Assigned Users
Assigned Users and Defined Sources
All Users

Profile Access Type

Defines Application’s user’s profile access

Restricted - Only restricted user profile attributes
All - All user profile attributes

2- Configuration for Microsoft Windows

Microsoft Windows MFA is working with Credential Provider. To enable this feature you need to change some registry configurations on your windows machine.

You can download latest version here Monosign Credential Provider

Unzip downloaded file. This zip file contains below files.

image-20240910-095926.png

Credential Provider File

Microsoft Windows MFA will work after CP-Install.reg file applied to windows machine. Before applying to registry file it needs to be updated with application key details which has already created on in 1st Step.

You need to change below values in the CP-Install.reg files than save.

image-20240910-102029.png

Explanation of the values.

Key

Type

Value

Description

BaseUrl

String Value

Account Address Url
Example: account.your-domain.com

 

Key

String Value

Application-Api-Key

 

Secret

String Value

Application-Secret-Key

 

DisableMFA

String Value

false

This option should only be set true if you don’t want to use it on Monopam Gateway machine.

NoInternet

String Value

false

If internet is not connected, disable MFA

NoInternetExpiration

String Value

1440

User can use without MFA if internet is not connected in … minutes

Please add your Rest API settings to the application. The following information is needed for your configuration.

Change below values in CP-Install.reg file.

Property

Value

BaseURL

account.monofor.com

Key

1e11a3b1-3d41-4634-804d-bee91538a912

Secret

baefdcc1-13b2-430e-a8c3-6ac60bc4ef61

After editing the file it should look like in the below

CODE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{8D59B60C-7177-4A69-BDB2-D451B08D7751}]
@="MonoSign Credential Provider"
"BaseUrl"="account.monofor.com"
"ApiUrl"="/api"
"BoardingUrl"="/boarding"
"Key"="1e11a3b1-3d41-4634-804d-bee91538a912"
"Secret"="baefdcc1-13b2-430e-a8c3-6ac60bc4ef61"
"SSL"="true"
"NoInternet"="true"
"NoInternetExpiration"="1440"
"FallbackMethod"="mobile"
"MonoPamApiUrl"=""
"MonoPamApiKey"=""
"MonoPamSSL"="true"
"MonoPamMFA"="false"
"DisableMFA"="false"

BaseURL format must be FQDN. Please don’t add prepend https:// or http:// to BaseURL.

Copy this files to under C:\Windows\System32

CODE
MonoSignBrowser.dll
MonoSignCredential.dll
MonoSignCredentialFilter.dll
MonoSignCredentialSSP.dll

Please apply this registry file to enable Microsoft Windows MFA.

Additional Options

If “Enabled” value is set to “true” under this registry, all credential options will be filtered and only MonoSign and Windows Live options will be available for users, otherwise all sign-in options will be listed without any filtering. The default value for this option is “false“.

image-20240910-131904.png

If “RdpOnly” value is set to “true”, MonoSign Credential Provider will be enabled if only the session is an RDP login, otherwise it will be enabled both local (interactive) logins and RDP logins. The default value for this option is “false”.

image-20240910-131956.png

Now, go back to Monosign and give access to your users and try login.

3- Assign a user to the Microsoft Windows application

Please follow below instructions on how to assign a user to the Microsoft Windows application. In this example john.smith will assign to the application access.

4- Sign In Test

Now try login Windows machine via console or RDP. Click Monosign on the UI.

image-20240910-123830.png

As shown in the above image there are two user will login. One of is normal windows login and another one which profile picture is Monosign is used for Monosign MFA login. Click this user or Switch User button to login windows machine.

image-20240910-124258.png

Type Username and password then MFA window will pop-up.

image-20240910-125717.png

Now approve notification from Monofor Identity on your mobile phone.

If user enabled another MFA provider this pop-up shows specific MFA operations

For Example: User enabled Google Authenticator then user must provide 6 digit code from Google Authenticator.

image-20240910-130538.png

5- Troubleshooting

Monosign Credential Provider changed registry settings. There two location under the Registry when applied CP-Install.reg file. check Registry Editor below two locations. Check this two locations and verify all changes applied correctly.

CODE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{8D59B60C-7177-4A69-BDB2-D451B08D7751}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{5F01FE0F-A8CD-4DBC-BD49-8A526A370AE2}

Monosign Credential Provider logs all login request. If somethings happen while login to Windows Machine all logs can be find under the C:\Windows\Temp folder.

Collect below logs and send them to Monofor Support Team.

CODE
MONOSIGN-CREDENTIAL-PROVIDER.log
MONOSIGN-CREDENTIAL-PROVIDER-FILTER.log
MONOSIGN-CREDENTIAL-PROVIDER-WEB.log

For temporary disable it can be uninstall Monosign Credential Provider on Windows machine.

6- Uninstall

Uninstall Monosign Credential Provider needs to run CP-Uninstall.reg file on target Windows machine locally or remotely.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.