Frequently asked questions

Why are so many credential providers installed on my Windows?

Microsoft Windows ships with many credential providers. Microsoft wants to offer its users a range of authentication methods, even if they are not all displayed. Since the Microsoft Account was introduced so that one account can be used on all your devices, additional credential providers have been installed, such as fingerprint and picture password.

Also, some manufacturers of business PC solutions integrate their own credential providers into their OEM versions of Windows.
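To see which credential providers are actually registered on a machine, and which of them are OEM or third-party additions, the following PowerShell inventory can be run. It is an added example, not part of this FAQ or of Secure Logon™ 2.0; it reads the standard Windows credential-provider registry key and resolves each provider's CLSID to its DLL and code signer. The function name is chosen here.

```powershell
# Added example (not part of the Secure Logon FAQ): inventory the credential
# providers registered on this machine. Windows keeps one subkey per provider
# under the key below; the subkey name is the provider's CLSID and the subkey's
# default value is the provider's display name.
$CredentialProviderKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-InstalledCredentialProvider {
    Get-ChildItem -Path $CredentialProviderKey | ForEach-Object {
        $clsid = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath

        # The COM class registration points at the DLL that implements the provider.
        $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll = if ($server) { [Environment]::ExpandEnvironmentVariables($server.'(default)') }

        # The Authenticode signer separates Microsoft providers from OEM/third-party ones.
        $signer = if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { [string]$sig.Status }
        }

        [PSCustomObject]@{
            Name     = $props.'(default)'
            CLSID    = $clsid
            # A REG_DWORD "Disabled" = 1 under the provider's subkey hides it from the logon UI.
            Disabled = [bool]$props.Disabled
            Dll      = $dll
            Signer   = $signer
        }
    }
}

Get-InstalledCredentialProvider | Sort-Object Name | Format-Table -AutoSize
```

Providers whose signer is not Microsoft, or whose DLL lives outside the Windows directory, are the OEM or vendor providers the FAQ refers to; the Disabled column shows which ones are already switched off.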

Which credential provider must be deactivated to prevent password logon?

If you have a standard Windows installation, just switch off the “Microsoft Password Provider”. If your manufacturer has implemented its own credential provider, you may have to switch that one off too.

Which TCP port must be open for online activation?

If you want online activation to work, please open TCP port 2301 in both directions in your firewall. Please note that a proxy can still cause trouble with online activation; you can enter the proxy in the general settings.
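The firewall change described above, as an added PowerShell example that is not part of this FAQ: it creates an outbound and an inbound Windows Firewall rule for TCP 2301, lists what was created, and runs a TCP connectivity test so that a blocking proxy or upstream firewall shows up before activation is attempted. The rule names and the activation host name are placeholders chosen here; the FAQ does not name the activation server.

```powershell
# Added example (not part of the Secure Logon FAQ): firewall rules for online
# activation over TCP 2301 plus a connectivity check. Run from an elevated PowerShell.
$ActivationPort = 2301
$ActivationHost = 'activation.example.invalid'   # placeholder: replace with the real activation server

function Enable-ActivationFirewallRules {
    # Outbound: this computer connects to the activation server on TCP 2301.
    if (-not (Get-NetFirewallRule -DisplayName 'SecureLogon activation (out)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'SecureLogon activation (out)' -Direction Outbound -Protocol TCP `
            -RemotePort $ActivationPort -Action Allow | Out-Null
    }
    # Inbound: the FAQ asks for both directions, so accept TCP 2301 as well.
    if (-not (Get-NetFirewallRule -DisplayName 'SecureLogon activation (in)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'SecureLogon activation (in)' -Direction Inbound -Protocol TCP `
            -LocalPort $ActivationPort -Action Allow | Out-Null
    }
}

function Get-ActivationFirewallRules {
    # Join each rule with its port filter so the direction/port pairing is visible.
    Get-NetFirewallRule -DisplayName 'SecureLogon activation*' | ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [PSCustomObject]@{
            Rule       = $_.DisplayName
            Direction  = $_.Direction
            Enabled    = $_.Enabled
            Protocol   = $filter.Protocol
            LocalPort  = $filter.LocalPort
            RemotePort = $filter.RemotePort
        }
    }
}

function Test-ActivationConnectivity {
    # True only if the TCP handshake completes; a proxy or upstream firewall
    # that interferes with activation shows up here as False.
    (Test-NetConnection -ComputerName $ActivationHost -Port $ActivationPort -WarningAction SilentlyContinue).TcpTestSucceeded
}

Enable-ActivationFirewallRules
Get-ActivationFirewallRules | Format-Table -AutoSize
Test-ActivationConnectivity
```

If the real activation server's address is known, the outbound rule can be tightened with -RemoteAddress so that only that host is reachable on port 2301.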

How to enable two-factor authentication in safe mode too?

To enable two-factor authentication in safe mode too, you must edit the Windows registry. Create a REG_DWORD with the name “ProhibitFallbacks” under
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Authentication\Credential Providers”.

You will find further information about this here*. Please be aware that you can’t use safe mode without network drivers if this option is set.
*https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/b943227f-0df6-4924-987e-78f6479d4ce2/boot-as-safe-mode-vista-never-call-custom-credential-provider?forum=windowssecurity
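The registry change above, as an added PowerShell example that is not part of this FAQ. Two assumptions are made here: the key is the standard Windows credential-provider key, whose full path contains a “Windows” component (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers) that the path quoted above omits, and the value data is 1, which the FAQ does not state. Because the setting makes safe mode without network drivers unusable, the script supports -WhatIf for a preview and -Revert to remove the value again.

```powershell
# Added example (not part of the Secure Logon FAQ): set, inspect and revert the
# ProhibitFallbacks value. Key path and value data 1 are assumptions (see lead-in).
$CredentialProviderKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$ValueName = 'ProhibitFallbacks'

function Get-ProhibitFallbacks {
    $item = Get-ItemProperty -Path $CredentialProviderKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { "$ValueName is not set" }
    else { "$ValueName is set to {0}" -f $item.$ValueName }
}

function Set-ProhibitFallbacks {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Revert)

    if ($Revert) {
        if ($PSCmdlet.ShouldProcess($CredentialProviderKey, "remove $ValueName")) {
            Remove-ItemProperty -Path $CredentialProviderKey -Name $ValueName -ErrorAction SilentlyContinue
        }
        return
    }

    # Caveat from the FAQ: once this is set, safe mode without network drivers
    # cannot be used. Keep the -Revert path available for recovery.
    if ($PSCmdlet.ShouldProcess($CredentialProviderKey, "create REG_DWORD $ValueName = 1")) {
        New-ItemProperty -Path $CredentialProviderKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

Set-ProhibitFallbacks -WhatIf      # preview only; drop -WhatIf to apply
Get-ProhibitFallbacks
```

Run from an elevated PowerShell; -Force makes New-ItemProperty overwrite an existing value so the script can be re-run safely.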

How to enable or disable support for a specific kind of SecurityToken?

To enable or disable support for a specific kind of SecurityToken, you need the digitronic® Token Engine Manager. This program can be opened from the programs list in your start menu, in the folder “Token Engine”, or by navigating to “C:\Program Files\Common Files\digitronic\Manager”.

The different kinds of SecurityToken can be enabled or disabled in the settings of the digitronic® Token Engine Manager.

A standard installation with the Secure Logon™ 2.0 installer uses MIFARE DESFire as the supported token.

Do I really need the old and the new password when I change my password?

The old password has to be entered for security and confidentiality purposes. It is possible to configure Secure Logon™ 2.0 so that this is not necessary and the password linked to the SecurityToken is used instead.

To configure Secure Logon™ 2.0 for this behaviour, open the Windows registry and navigate to “HKEY_LOCAL_MACHINE\SOFTWARE\digitronic\SecureLogon2\CredentialProvider”. Create a REG_DWORD with the name “ChangePasswordWithTokenFlags” and a value of one.

If this value already exists, you must XOR it with “0x1”.

This feature is available since credential provider version 1.0.5.427.
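The flag change above, as an added PowerShell example that is not part of this FAQ. Since ChangePasswordWithTokenFlags is a bit field, the script sets bit 0x1 with a bitwise OR rather than an XOR: an OR leaves an already-set bit alone and preserves any other bits, so re-running the script is safe, whereas a second XOR would clear the bit again. The function names are chosen here; the key and value name are the ones the FAQ gives.

```powershell
# Added example (not part of the Secure Logon FAQ): enable (or disable) the
# "use the password linked to the SecurityToken" behaviour by manipulating bit
# 0x1 of ChangePasswordWithTokenFlags without touching other bits.
$CredentialProviderKey = 'HKLM:\SOFTWARE\digitronic\SecureLogon2\CredentialProvider'
$ValueName = 'ChangePasswordWithTokenFlags'
$UseTokenPasswordFlag = 0x1   # the bit described in the FAQ

function Get-ChangePasswordWithTokenFlags {
    $item = Get-ItemProperty -Path $CredentialProviderKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { 0 } else { [int]$item.$ValueName }
}

function Set-ChangePasswordWithTokenFlag {
    param([switch]$Disable)

    if (-not (Test-Path -Path $CredentialProviderKey)) { New-Item -Path $CredentialProviderKey -Force | Out-Null }

    $before = Get-ChangePasswordWithTokenFlags
    # OR sets the bit idempotently; AND with the complement clears only that bit.
    $after = if ($Disable) { $before -band (-bnot $UseTokenPasswordFlag) } else { $before -bor $UseTokenPasswordFlag }

    if ($after -ne $before) {
        # -Type DWord keeps the value a REG_DWORD even when it is created fresh.
        Set-ItemProperty -Path $CredentialProviderKey -Name $ValueName -Value $after -Type DWord
    }

    [PSCustomObject]@{
        Before  = '0x{0:X}' -f $before
        After   = '0x{0:X}' -f $after
        Changed = ($after -ne $before)
    }
}

Set-ChangePasswordWithTokenFlag            # enable; use -Disable to clear the bit again
```

Run from an elevated PowerShell. The returned object shows the value before and after, so a change-management record can be kept of what was actually modified.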

How to prevent users who are not administrators from opening the Secure Logon™ 2.0 Manager?

If you do not want users who are not members of the administrators group to edit their SecurityToken, set the following REG_DWORD: navigate in the Windows registry to “HKEY_LOCAL_MACHINE\SOFTWARE\digitronic\SecureLogon2\Manager”, create a REG_DWORD with the name “DisallowManagerUsageForUsers” and set its value to one.

This feature is available since Secure Logon™ 2.0 Manager 1.0.8.435.

How to disable SecurityToken initialization in the Windows logon screen?

By default, every SecurityToken that can be initialized with the digitronic® Token Engine can also be initialized in the Windows logon screen.

It is possible to disable this feature. You may want to do this to prevent someone from creating a valid SecurityToken simply by connecting an empty one. To prohibit initialization in the logon screen, open the registry at “HKEY_LOCAL_MACHINE\SOFTWARE\digitronic\SecureLogon2\CredentialProvider”, create a REG_DWORD named “DisableTokenInitialization” and set its value to “1”.

This feature is available since credential provider version 1.0.5.427.

Is it possible to prevent “no PIN” usage when the SecurityToken is initialized in the logon screen?

If your users initialize their SecurityToken in the Windows logon screen, it is possible to disable the option “no PIN protection”. To do this, open the Windows registry and navigate to “HKEY_LOCAL_MACHINE\SOFTWARE\digitronic\SecureLogon2\CredentialProvider”. Then create a REG_DWORD with the name “TokenInitializationDisallowNullPIN” and the value “1”.

This feature is available since credential provider version 1.0.5.427.

How to prevent adding credentials during Windows logon?

If an initialized SecurityToken without any linked credentials is connected in the Windows logon screen, by default the logon screen offers to link credentials to it. You may want to prohibit this. To do so, set a REG_DWORD with the name “DisallowAddingCredentials” and the value “1” under “HKEY_LOCAL_MACHINE\SOFTWARE\digitronic\SecureLogon2\CredentialProvider”.

This feature is available since credential provider version 1.0.5.427.
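The four restrictions from the preceding answers (Manager usage for non-administrators, token initialization in the logon screen, the “no PIN protection” option, and linking credentials in the logon screen) all follow the same pattern, so they are applied and audited together in the following added PowerShell example, which is not part of this FAQ. Keys, value names and the data 1 are exactly those the FAQ states; the function names and the Effect descriptions are chosen here.

```powershell
# Added example (not part of the Secure Logon FAQ): apply and audit the logon-screen
# and Manager restrictions from the FAQ in one idempotent script. Run elevated.
$CredentialProviderKey = 'HKLM:\SOFTWARE\digitronic\SecureLogon2\CredentialProvider'
$ManagerKey            = 'HKLM:\SOFTWARE\digitronic\SecureLogon2\Manager'

$HardeningSettings = @(
    @{ Key = $CredentialProviderKey; Name = 'DisableTokenInitialization';        Value = 1; Why = 'no token initialization in the logon screen' }
    @{ Key = $CredentialProviderKey; Name = 'TokenInitializationDisallowNullPIN'; Value = 1; Why = 'no "no PIN protection" option' }
    @{ Key = $CredentialProviderKey; Name = 'DisallowAddingCredentials';          Value = 1; Why = 'no linking of credentials in the logon screen' }
    @{ Key = $ManagerKey;            Name = 'DisallowManagerUsageForUsers';       Value = 1; Why = 'Manager restricted to administrators' }
)

function Get-SecureLogonHardening {
    # Audit: compare each value with the expected data and report compliance.
    foreach ($s in $HardeningSettings) {
        $item = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        $current = if ($null -eq $item) { $null } else { $item.($s.Name) }
        [PSCustomObject]@{
            Setting   = $s.Name
            Current   = if ($null -eq $current) { 'not set' } else { $current }
            Expected  = $s.Value
            Compliant = ($current -eq $s.Value)
            Effect    = $s.Why
        }
    }
}

function Set-SecureLogonHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($s in $HardeningSettings) {
        if (-not (Test-Path -Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess("$($s.Key)\$($s.Name)", "set REG_DWORD to $($s.Value)")) {
            # -Force overwrites an existing value, so re-running is harmless.
            New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
        }
    }
}

Set-SecureLogonHardening -WhatIf          # preview; drop -WhatIf to apply
Get-SecureLogonHardening | Format-Table -AutoSize
```

The audit function can be scheduled on its own to detect drift: any row with Compliant = False means a restriction has been removed or was never applied on that machine.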

How to deactivate an activated Secure Logon™ 2.0 licence?

If you want to deactivate an active Secure Logon™ 2.0 licence, you have to uninstall Secure Logon™ 2.0. At the end of this process, before the “completed” dialogue appears, a pop-up appears that informs you about the automatic deactivation.

If the deactivation was successful, everything is fine; if not, a Deactivation Key or an error will be displayed. You will also find the result in your Windows event log under “Applications”.

When an automatic deactivation fails, the pop-up and the event log display a deactivation key.

Please enter this deactivation key at https://www.digitronic.net/en/service/license-activation-deactivation, or send it by e-mail to support@digitronic.net or vertrieb@digitronic.net, so that a digitronic® staff member can complete your deactivation.

Is it possible to use a smartcard inside a remote session?

When using Remote Desktop Connection to access a remote computer, smartcards connected to the client computer can be used inside the remote session. For this, you have to configure the remote connection settings to pass smartcards from the client computer through to the remote computer.

However, a smartcard that is physically connected to the remote computer cannot be used inside a remote session. The session management of the operating system prevents access to directly connected devices for safety reasons.

If you really need to access a smartcard that is directly connected to the remote computer (e.g. for remote support), you should use another remote computing tool such as TeamViewer, which bypasses the session management.
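The client-side pass-through described above, as an added PowerShell example that is not part of this FAQ: it writes an .rdp connection file with smartcard redirection enabled and, for the remote side, checks whether the Terminal Services policy “Do not allow smart card device redirection” would block it. The .rdp setting names and the fEnableSmartCard policy value are standard Windows ones; the file location, the other redirection choices and the host name are assumptions made here.

```powershell
# Added example (not part of the Secure Logon FAQ): .rdp file with smartcard
# redirection, plus a check of the remote computer's redirection policy.
function New-SmartCardRdpFile {
    param(
        [Parameter(Mandatory)] [string] $RemoteHost,
        [string] $Path = (Join-Path $env:USERPROFILE "Desktop\$RemoteHost.rdp")
    )
    @(
        "full address:s:$RemoteHost"
        'redirectsmartcards:i:1'      # pass smartcards connected to the client through
        'redirectdrives:i:0'          # assumption: keep other redirections off unless needed
        'redirectclipboard:i:0'
        'redirectprinters:i:0'
        'authentication level:i:2'    # warn if the server cannot be authenticated
    ) | Set-Content -Path $Path -Encoding ASCII
    return $Path
}

function Test-SmartCardRedirectionPolicy {
    # Run on the remote computer. The policy "Do not allow smart card device redirection"
    # writes fEnableSmartCard = 0 under this key; absent or non-zero means redirection is allowed.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $value = (Get-ItemProperty -Path $policyKey -Name 'fEnableSmartCard' -ErrorAction SilentlyContinue).fEnableSmartCard
    [PSCustomObject]@{
        Policy  = 'fEnableSmartCard'
        Value   = if ($null -eq $value) { 'not configured' } else { $value }
        Allowed = ($null -eq $value -or $value -ne 0)
    }
}

$rdp = New-SmartCardRdpFile -RemoteHost 'remote-pc.example.invalid'   # placeholder host name
Test-SmartCardRedirectionPolicy
"Connect with: mstsc `"$rdp`""
```

If Test-SmartCardRedirectionPolicy reports Allowed = False on the remote computer, the client-side .rdp setting alone will not make the smartcard appear in the session; the policy on the remote side has to permit the redirection first.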