XyLoc Windows7 Client Release Notes
Support Information:
Ensure Technologies Technical Support is available to provide any needed assistance. Please contact us at (734) 547-1631 or at [email protected].
Requirements:
• Microsoft .NET Framework 3.5 (for new Low Battery Warning message)
• Basic RAM and CPU Requirements for Windows 7 OS
• ~100 MB disk space
• Available USB port
• Local Administrator privileges for installation.
If using in conjunction with the XSS then the appropriate TCP ports for XSS communication must be allowed through the firewall (if firewall is enabled):
• Client to Server: 5102
• Server to Client: 3510
Compatibility:
The XyLoc Windows 7 client has been tested to be compatible with both 32-bit and 64-bit versions of Windows 7. It has not been tested with the Windows 7 “Starter” edition.
XSS Compatibility: The XyLoc client for Windows 7 version 9.3.7 can be used as a Solo, or in an enterprise environment in conjunction with the XyLoc Security Server (XSS).
• NOTE: If used with the XSS, this version requires XSS version 5.1.2 or later.
Auto Logon: The XyLoc Credential Provider will read the login credentials from the registry values at “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon”. Those values are as follows:
• “DefaultUserName” = desired username
o Also supports the “domain\username” format as of 9.3.7
o IMPORTANT: The username put in the registry must match the kiosk name defined in XyLoc configuration exactly, including case sensitivity.
• “DefaultPassword” = desired user password
• “DefaultDomainName” = domain name (or local machine name if no domain is used)
• “enableAutoLogon” = (dword) 1 for “enable” and 0 for “disable”.
In addition, in version 9.3.0.8, the Credential Provider filtering was disabled. However, in order for AutoLogon to work properly, the Filter must be re-enabled (if it has not been already):
• HKLM\Software\Ensure Technologies\Gina
o Name: “filterEnabled”
o Value: 1
NOTE: Password Override must be allowed in the user’s XyLoc settings, at least for logon, in order for the Auto Logon to work.
Fingerprint Support:
• The 32-bit XyLoc client supports fingerprint authentication with the following readers:
o Digital Persona “UareU” 4000 series readers.
o Authentec AES3400, 3500, and 4000 series readers.
o All UPEK sensors (according to UPEK documentation)
NOTE: Not all of the UPEK sensors have been tested by Ensure. Support is based on UPEK SDK documentation.
Ensure has specifically tested UPEK TSC2 TouchChip® sensor with Cherry Keyboard Model SPOS
• In 64-bit, only UPEK models are supported
XyLoc AIT: The On Demand scripting for Application Integration tool will only support 32-bit applications, even on the x64 client.
General Windows 7 Client Notes:
*NEW* Fail Safe Override option: This would allow any AD user to unlock a locked kiosk account via an override with a valid AD account in the event of an issue.
Requires that the Kiosk login credentials be defined in the registry (as the cached credentials will not be relied on, just in case they are the reason for the problem).
• “HKLM\Software\Ensure Technologies\Gina”
o “autoLogonDomainName” = Domain
o “autoLogonPassword” = Generic Kiosk Account Password
o “autoLogonUserName” = Generic Kiosk Account Name
When enabled, when “override” is selected, the user’s credentials are validated against Active Directory and, if successful, the system will unlock into the kiosk specified above.
• Option is also Registry enabled: “HKLM\Software\Ensure Technologies\Gina”
o Name: “EnableFailsafeKioskOverride”
o Value: 0 = off (default) / 1 = on
NOTE: A reboot is required.
*NEW* XyLoc Status and Lock Button pop-up: The XyLoc Status monitor pop-up message and the Lock Button image that appear in the system tray can be configured to be displayed constantly if desired. This is done by editing the “etiXyLoc.ini” file in C:\ProgramData\Ensure Technologies\XyLoc.
“0” = Off (not displayed)
“1” = On (displayed constantly)
*NEW* Kiosk vs. Unique Logins: XyLoc has always supported both a generic shared login (Kiosk) as well as Unique logins. However, there are a number of rules related to authentication that are different for each. In order to make sure that those are applied properly, we have added a new setting at the workstation level to clearly define whether a workstation is set up for Kiosk or set up for Unique users.
This is defined in the registry under “HKLM\Software\Ensure Technologies\XyLoc – Serial Version (Multi key)\”
• Name: “computerAccountType”
• Value:
o 0 = Undefined
o 1 = Kiosk Account
o 2 = Unique Accounts
Lock Delay: The default user lock delay for Solo has been set to 5 seconds.
“Tap-In” Solutions: XyLoc supports two different “tap-in” style solutions.
One is using standard XyLoc badges which provides support for a “tap-in” style authentication but maintains walk away security support using active RF (see AppNote 530-0200-023 “Description of ‘Tap-in’ option with standard XyLoc client” for more details on how to setup and use this feature).
The second is using actual Passive Proximity (i.e. HID) cards with an RF Ideas PCProx reader. NOTE: This is true passive support for those that may want to use already deployed passive prox badge, but since no Active Proximity is used, it does not offer automatic walk-away security.
Custom Logo: XyLoc can display a customized logo/image at Login or Unlock screens. The logo bitmap is in a separate resource (LogoRes.dll), so the logo is independent from the main code.
A custom resource dll with a customized logo bitmap can be used in place of the default, or Ensure can create one for a customer as a service.
Remote Desktop: The following must be considered when using Remote Desktop to gain access to a XyLoc protected workstation.
When logging in remotely, the XyLoc client will be in a Password Override mode. However, when the “Lock in Password Override” timer expires, the lock request is ignored and XyLocIcon is informed to continue displaying the Password Override dialog. The host workstation does not lock.
During an RDP session, the remote Ctrl+Alt+End sequence is ignored and the PC is not locked. Remote Disconnect is required after the session is complete. Access to the host machine is denied as long as an active Remote session is in place.
Fast User Switching: XyLoc now supports Fast User Switching in Windows 7. The workstation environment must be set up for Fast User Switching.
• In the registry go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
• Set the value for “HideFastUserSwitching” to “0”
XyLoc users must be set up for “Unique” logins.
Windows Firewall: If using the XyLoc Security Server software (XSS) the communication to the XyLoc client will be blocked by the firewall, if enabled. An exception must be created for TCP Port 3510, or the firewall must be disabled for communication to be restored.
Credential Providers: XyLoc is no longer required to be the only credential provider. If other Credential Providers are desired, they can still be accessed from their respective “tiles” at the login screen. Once logged in through XyLoc, however, only the XyLoc tile will display at the “Locked” screen.
An administrative override for login only is also supported by clicking on “Action” at the top of the Credential Provider screen and then clicking on “Administrator Override”.
Additional requirements for Kiosk: It is highly recommended that Auto Logon be used on machines that are being used in a Kiosk setup. However, if Auto Logon is not desired, the credential values in the registry are still required in order for all the functionality of the Kiosk accounts to work properly (specifically Password Overrides and unlocks within Grace Period). The Auto Logon credentials must be set in the registry, however the “enableAutoLogon” value does not have to be enabled.
Non-XyLoc user overrides: Since other Credential Provider tiles are available, a user that is not a XyLoc user (i.e. is not assigned a badge) can click on the appropriate tile and login. Also, for convenience, the XyLoc Credential Provider also has support for this action. Click on the “Action” menu option at the top of the Credential Provider and then click “Administrator Override” (please note that the user does not actually have to be an Administrator account in order to successfully override).
When either of these types of logins is performed, the XyLoc client is completely overridden. There is no tracking of badges being performed and if the user manually locks the desktop the XyLoc Credential Provider will not be displayed. Only the standard Microsoft login is available to unlock again.
To return to normal XyLoc behavior, the non-XyLoc user must log out or reboot.
Web Application Scripting with Application Integration: The add-on used in Internet Explorer for the Web Scripting to trigger an On Demand script does not work unless the IE8 setting in the Security Options for “Protected Mode” is turned off.
Screen Saver: In the normal Windows Screen Saver options, there is a setting for “On resume, display logon screen”. If this option is enabled, when the screen saver timer expires, the system will lock and the XyLoc Credential Provider will be displayed for the user to unlock, even if there is no actual screen saver defined. This is recorded as a Manual Lock in the XyLoc event logs.
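The following is an added example, not part of these release notes and not Ensure Technologies code: a read-only PowerShell check of the registry settings the notes describe (the Auto Logon and Fail Safe Override credentials, plus the filterEnabled, DisableOverride, IgnoreExpiredPasswords and UseSmoothHandsFreeSwitching values), reporting what is set without printing any password. It assumes PowerShell 2.0 on the Windows 7 client, an elevated prompt, and that the keys sit at the paths printed in these notes; the function names are hypothetical.

```powershell
# Added example, not Ensure Technologies code. Read-only audit of the XyLoc
# registry settings named in these release notes; it never prints a password.
# Targets PowerShell 2.0 (shipped with Windows 7) and reads the registry view
# of the PowerShell process that runs it.

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Gina     = 'HKLM:\SOFTWARE\Ensure Technologies\Gina'
# The notes print this key name with a hyphen and with an en dash; try both.
$XyLocKeys = @(
    'HKLM:\SOFTWARE\Ensure Technologies\XyLoc - Serial Version (Multi key)',
    ('HKLM:\SOFTWARE\Ensure Technologies\XyLoc ' + [char]0x2013 + ' Serial Version (Multi key)')
)
$XyLoc = $XyLocKeys | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the value data, or $null when the key or value does not exist.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-BroadRead([string]$Path) {
    # True when an Allow rule that applies to this key lets a broad group query values.
    $acl = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $allow    = $r.AccessControlType -eq 'Allow'
        $query    = ([int]$r.RegistryRights -band 1) -ne 0      # 1 = QueryValues
        $thisKey  = ([int]$r.PropagationFlags -band 2) -eq 0    # 2 = InheritOnly
        if ($allow -and $query -and $thisKey -and ($BroadSids -contains $r.IdentityReference.Value)) {
            return $true
        }
    }
    return $false
}

function New-Finding([string]$Setting, $State, [string]$Note) {
    New-Object PSObject -Property @{ Setting = $Setting; State = $State; Note = $Note }
}

$findings = @()

# Stored kiosk/auto-logon passwords: report presence and key readability only.
$secrets = @(
    @{ Key = $Winlogon; Name = 'DefaultPassword' },
    @{ Key = $Gina;     Name = 'autoLogonPassword' }
)
foreach ($s in $secrets) {
    $value = Get-RegValue $s.Key $s.Name
    if ($null -ne $value -and $value -ne '') {
        $note = 'password stored in the registry'
        if (Test-BroadRead $s.Key) { $note += '; key is readable by non-admin groups' }
        $findings += New-Finding $s.Name 'present' $note
    }
}

# DWORD switches from the notes, with the value that widens access and why.
$switches = @(
    @{ Key = $Gina;  Name = 'EnableFailsafeKioskOverride'; Wide = 1; Why = 'any valid AD account can unlock the kiosk session' },
    @{ Key = $Gina;  Name = 'DisableOverride';             Wide = 0; Why = 'Administrator Override is available at logon' },
    @{ Key = $Gina;  Name = 'filterEnabled';               Wide = 0; Why = 'other credential providers are not filtered' },
    @{ Key = $XyLoc; Name = 'IgnoreExpiredPasswords';      Wide = 1; Why = 'expired AD passwords still unlock' },
    @{ Key = $XyLoc; Name = 'UseSmoothHandsFreeSwitching'; Wide = 1; Why = 'session passes to the next badge in range' }
)
foreach ($sw in $switches) {
    $v = Get-RegValue $sw.Key $sw.Name
    if ($null -eq $v) {
        $findings += New-Finding $sw.Name 'not set' 'client default applies'
    } elseif ([int]$v -eq $sw.Wide) {
        $findings += New-Finding $sw.Name $v $sw.Why
    } else {
        $findings += New-Finding $sw.Name $v 'ok'
    }
}

# Kiosk vs. Unique mode, using the value meanings given in the notes.
$types = @{ 0 = 'Undefined'; 1 = 'Kiosk Account'; 2 = 'Unique Accounts' }
$t = Get-RegValue $XyLoc 'computerAccountType'
if ($null -ne $t) {
    $label = $types[[int]$t]
    $findings += New-Finding 'computerAccountType' $t $label
}

$findings | Select-Object Setting, State, Note | Format-Table -AutoSize -Wrap
```

On 64-bit Windows 7, run it from both the 64-bit and the 32-bit PowerShell host if it is not known which registry view the client writes to.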
Installation Notes:
The installation package has changed from the XyLoc client release for Windows XP. The following are some specific items to note with this package:
• Make sure to accept the driver from “Ensure Technologies” if prompted.
• On a new installation, the user will be prompted for user data to populate at least one user in the local database. This was true of the XP version as well, but was prompted in individual dialog boxes for each instead of all at once.
o All fields except the XSS Address are required.
• After the reboot at first login, the client will request the password and the “Domain” name, even if it is a local account and even if just set to Select Username for the login authentication. This is to obtain the necessary Windows/Domain credentials to pass on for future logins. This will only occur once at the first login attempt.
o If a domain name is not entered, the client will use whatever was the previous login’s domain name (or local machine name if a local account).
o If using with an XSS-SQL, make sure to include the domain name in the XSS record for that user as well.
• When the software is uninstalled, the hardware drivers and local database files are not
Known Issues:
The XyLoc client for Windows 7 has the following known issues:
• RDP: After a user connects remotely to a XyLoc workstation they must reboot the workstation when they are finished.
o When a RDP connection is established to a locked XyLoc workstation another instance of the Credential Provider is instantiated and is in communication with the XyLoc service. The service does not handle multiple Credential Providers communicating simultaneously and becomes unstable. As a result, a local user on the XyLoc workstation could have difficulty unlocking and/or logging in through the XyLoc Credential Provider.
• Hibernate/Sleep: The XyLoc client has some issues periodically with Hibernate and Sleep power saving options.
o LED on the lock always comes on Green instead of Red when the system first wakes up and is still locked. Normally the lock LED should be red when the system is locked and only turn green when unlocked.
o The icon program at times reports the wrong system state, however functionality seems to be as it should be with regards to locking and unlocking and tracking badges.
o Very intermittently the Credential Provider will not display any keys to unlock. Putting the computer into “Sleep” mode again and then waking it back up corrected that issue when it occurred.
• Start Menu: XyLoc program menu does not appear in “All Programs” in the Start Menu, however both the Configuration Manager and the XyLoc AIT utilities can be opened through their respective icons in the Windows “systray”.
o If the icons are not available for some reason, both programs are located in the XyLoc directory (C:\Program Files\Ensure Technologies\XyLoc\) as well and could be opened manually from there:
Configuration manager: “xylocconfig.exe”
XyLoc AIT Utility: “XyLoc AI Tool.exe”
In addition the x64 version of the XyLoc client for Windows 7 has the following additional issues:
• Driver Installation: The Windows Driver signing testing has not yet been completed. This causes a confirmation box to appear during the driver installation that the person installing must click through to complete the install. This prevents a truly “silent” installation of the client.
• Application Integration: For “On Demand” scripts, only 32-bit applications are
Enhancements:
XyLoc version 9.3.0.15 x32 / x64:
1) Change password synchronization to be done in the Credential Provider instead of the XyLoc service to address timing condition where password sometimes did not synchronize fast enough.
a. Authentication and unlock were done at the same time and then client service would synchronize the database with the user’s password after successful unlock.
b. Changed so the Credential Provider authenticates the user, changes password in database on successful authentication, then sends the unlock request.
2) Fixed a bug that could cause the client to intermittently stop doing lookups for a while when using “Must Enter Password”.
XyLoc version 9.3.0.13 x32 / x64:
1) Re-enabled the Credential Provider Filtering to filter out other credential providers
a. This was previously disabled by default, but found in some cases user had to authenticate twice. Once to XyLoc and then to Windows behind it.
b. Also this filtering causes issues with Autologon as well as the “Fail-Safe” override feature
c. Can be disabled in the registry if needed.
2) Enhanced the Active Tap-in algorithms to make more responsive to the tap action
3) Added support for a “tap-over” action.
a. When a system is already unlocked to a badge, another user can tap their badge to “tap-in” and it will force a change of user (for use in a Kiosk environment primarily)
4) Added ability to disable the “Administrator Override” feature via the registry.
a. Location: HKLM\Software\Ensure Technologies\Gina
b. Name: “DisableOverride”
c. Value: 1 = “Administrator Override” Disabled / 0 = “Administrator Override” Enabled
5) Fixed a bug with “Fail Safe Override” feature where only one un-badged user could override on a particular workstation.
6) Fixed a bug that caused excessive badge lookups to the XSS when using the Passive Prox (HID) badge support.
7) Fixed a bug where the legacy “XL-U” USB Lock version was detected incorrectly
a. For the newer “XL-U2” this was not an issue
8) Fixed an issue with ETWSS API where the password could be provided incorrectly in a Kiosk.
9) Added some additional debug logging
10) Removed some extraneous information in the debug logging
2) Added Account Type definition to clearly define Kiosk vs. Unique Logins for a given workstation.
This is defined in the registry under “HKLM\Software\Ensure Technologies\XyLoc – Serial Version (Multi key)\”
• Name: “computerAccountType”
• Value:
o 0 = Undefined
o 1 = Kiosk Account
o 2 = Unique Accounts
3) Added a Fail Safe Override option to be able to allow any AD user to unlock a locked kiosk account via an override in the event of an issue.
Requires that the Kiosk login credentials be defined in the registry (as the cached credentials will not be relied on, just in case they are the reason for the problem).
• “HKLM\Software\Ensure Technologies\Gina”
o “autoLogonDomainName” = Domain
o “autoLogonPassword” = Generic Kiosk Account Password
o “autoLogonUserName” = Generic Kiosk Account Name
When enabled, when “override” is selected, the user’s credentials are validated against Active Directory and, if successful, the system will unlock into the kiosk specified above.
• Option is also Registry enabled: “HKLM\Software\Ensure Technologies\Gina”
o Name: “EnableFailsafeKioskOverride”
o Value: 0 = off (default) / 1 = on
• NOTE: A reboot is required.
4) Removed the parentheses on the personal names of Kiosk users when used with the AD version of the XSS.
5) Enhanced the Gina list box sorting algorithm to prevent names from “bouncing” around on the screen.
6) Added option for “Rapid Fingerprint” authentication (64-bit version ONLY)
This is only supported with the UPEK fingerprint readers and that is the only version supported in the 64-bit client.
This feature only requires the user to put the fingerprint down on the reader and that fingerprint is compared against the images that are assigned to any badges within their unlock range (that would appear on the unlock list box).
This allows a rapid two-factor authentication while only requiring one action by the user.
NOTE: User must already have enrolled a fingerprint and must be using a XyLoc badge.
7) Modifications to Stationary Key Algorithm:
Found that the Stationary Key feature was not working properly with the newer XL-U2 USB locks due to the fact they only have one antenna vs. two in the previous XL-U USB locks and so a change to the algorithm was required
8) Implemented a new stand-alone low battery warning message.
Previously message appeared on the XyLoc status pop-up from the XyLoc icon, however it was reported that users were not seeing it there.
Changed to a stand-alone pop-up message that the user must click “OK” on to confirm they saw the message.
9) Fixed an issue with the unlock process where the system would cycle through the unlock-lock-unlock screens.
10) Added option to Logoff (instead of lock) on the One Session feature added in 9.2.8.
Previously, when a user would authenticate on a new machine, the machine they were using previously would lock.
With this change, the system can be configured to completely logoff instead of just lock (used for those that are using Unique AD logins to the PC, but still want to share the workstations between users).
NOTE: This setting works in conjunction with the One Session feature that has to already be enabled at the XSS. This modification only changes the behavior of the client if the One Session feature is enabled.
Registry configurable: “HKLM\Software\Ensure Technologies\XyLoc – Serial Version (Multi key)\”
• Name: “OneSessionLogoff”
• Type: DWORD
• Value: 0 = off / 1 = on
11) Added new “Smooth Hands Free Switching” feature.
With this enabled, if set to Hands-Free Unlock, when there are multiple badges in the area the XyLoc client will just smoothly switch to the next available badge in range when a user leaves range.
If no badges are in range, then the system will lock as always.
This is for customers that aren’t really concerned about which particular user is in use of the workstation, but still want to make sure that only authorized users are able to use it.
Registry configurable: “HKLM\Software\Ensure Technologies\XyLoc – Serial Version (Multi key)\”
• Name: “UseSmoothHandsFreeSwitching”
• Type: DWORD
• Value: 0 = off / 1 = on
12) Added the option to run the AI Auto Launch script at every unlock event, instead of just at a change of user.
Registry configurable: “HKLM\Software\Ensure Technologies\XyLoc – Serial Version (Multi key)\”
• Name: “AlwaysRunUnlockScript”
• Type: DWORD
• Value: 0 = off / 1 = on
13) Added option to allow a user with an expired password in Active Directory to continue to authenticate and unlock in a Kiosk
Had customers where the user needed to be able to get into the desktop in order to reset their password but couldn’t because their AD password had expired.
Registry configurable: “HKLM\Software\Ensure Technologies\XyLoc – Serial Version (Multi key)\”
• Name: “IgnoreExpiredPasswords”
• Type: DWORD
• Value: 0 = off / 1 = on (meaning if enabled, a user with an expired password can still unlock. If disabled, then the authentication will fail and user cannot unlock)
14) Added ability to launch a file or URL from the Gina
• Name: “URLButtonString”
o Type: String
o Value: Desired text for the button
a. NOTE: Button on the Credential Provider is hidden unless a string is specified here
• Name: “URLAddrString”
o Type: String
o Value: URL or path to desired file (including filename).
Example use cases would be putting in a URL for a third party Self-Service Password Reset (SSPR) page or putting in a path to a video to display on-demand at a locked desktop.
15) Fixed issue in XyLoc Configuration manager for viewing local User Audit Logs
16) Enhanced support for Passive Prox (HID).
17) Misc. Lock and Badge tracking algorithm fixes to improve lock/unlock behavior
XyLoc version 9.2.8 x86 / x64:
1) Fixed a bug where the client would attempt multiple spurious authentication attempts on a failed password override by a kiosk user which in turn could, in some cases, cause the AD account to get locked out.
XyLoc version 9.2.6 x32 / XyLoc version 9.2.6 x64:
1) Added a “One Session” feature
a. NOTE: This feature requires an XSS version 5.0.3 or later.
b. No configuration changes are made at the client to enable. This feature is enabled or disabled from the XSS.
c. If enabled, when a user unlocks a computer it will send a notification to the XSS and the XSS will then lock any other computers that user has still unlocked and the grace period will be cancelled. This is to prevent the other computer from simply unlocking again if the user is still in proximity.
2) Added a “System-wide” Two Factor grace period timer.
a. NOTE: This feature also requires the XSS, version 5.0.3 or later and is also enabled/disabled from the XSS. No configuration has to be done at the client.
b. When enabled, there will be a defined time period on the XSS for the timer. When a user authenticates with their password or fingerprint (2-factor), the authentication method for that user will change to Select Username for that period of time, so as their record is downloaded to each ensuing workstation the user will not have to enter their 2nd factor again. After that time expires it will revert back to “Must Enter Password” for the next authentication attempt.
i. Requires Must Enter Password to be used otherwise there is no 2nd factor to begin with and thus no need for a grace period.
ii. Will change for both Login and Unlock.
c. Feature uses the standard user lookups that are done all the time, but those are not always immediate as there is a built in “black-out” period for lookups for the same badge from the same machine. The default on this is 5 minutes so there could be a small delay of that time in getting the update. If a user were to try to authenticate a second time within that time period, it is possible that they might have to use their 2nd factor a couple of times before the clients get the notification.
3) Support for Passive Prox (i.e. HID) cards and readers.
a. To enable this feature:
i. In the Host settings on the XSS and the client side configuration manager set the XyLoc lock port to “HID-USB”.
ii. In HKLM\SOFTWARE\Ensure Technologies\XyLoc - Serial Version (Multi key)
1. Value: HIDReaderPresent
2. Type: DWORD
3. Data: 1 (default = 0)
b. To ensure easy switching between accounts with the passive system, which allows one tap on the passive reader to switch between kiosk users:
i. In HKLM\SOFTWARE\Ensure Technologies\XyLoc - Serial Version (Multi key)
1. Value: HIDForceLogoff
2. Type: DWORD
3. Data: 1 (default = 1)
c. For easier use when tapping, also set the following value. This will set the Credential Provider so that when a tap occurs, the user doesn’t also have to select his/her name on the screen.
i. In HKLM\Software\Ensure Technologies\XyLoc – Serial Version (Multi key)
1. Value: IsUsingTapLockorHID
2. Type: DWORD
3. Value: 1 (enabled)
4) Added the “Active Tap-in” feature.
a. Works similar to using a passive prox (i.e HID) card where a user has to bring their XyLoc badge right up to a reader to unlock, but uses the standard XyLoc active proximity badges.
b. Normal XyLoc unlock range is used for the “walk-away” lock threshold.
c. For easier use when tapping, also set the following value. This will set the Credential Provider so that when a tap occurs, the user doesn’t also have to select his/her name on the screen.
i. In HKLM\Software\Ensure Technologies\XyLoc – Serial Version (Multi key)
1. Value: IsUsingTapLockorHID
2. Type: DWORD
3. Value: 1 (enabled)
d. Please see Ensure AppNote AN023 for detailed description of this feature and how to enable.
5) A splash screen can now be enabled to hide the user’s desktop during the application logoff script at a change of user.
a. This would be used to protect potentially sensitive data visible on the screen during the brief period where the system is changing users and closing the previous user’s applications
b. To enable this feature create/modify the following registry value:
i. Value: ShowSplashDuration
ii. Type: DWORD
iii. Data: 1 (default = 0)
6) Added some additional algorithms to account for when a key’s signal is lost entirely while still “in range” vs. when a key’s signal just drops below the lock threshold normally.
b. Found that there were cases where, due to possible RF packet collisions with multiple badges, as well as possible interference from a potentially unknown source, at times individual packets or series of packets from a badge were lost even though the user was still in proximity of the workstation. This caused a lock event to trigger and the system to lock. Then within a second or two following the packets were picked up again and the system would unlock.
c. Changed the algorithm to better account for dropped packets specifically, so as to not also cause an increase in the normal walk-away range when the key packets are still received and out of range.
7) Modified the Range Refinement utility in the Configuration Manager to allow more flexibility on range settings.
a. Previously the slider had a minimum setting of “6” for the Lock range and “2” for the unlock range.
b. It also enforced a minimum hysteresis value of 2 (value between lock and unlock).
c. Restrictions have been removed except that the Lock still cannot be set lower than the unlock range.
8) Added ability to display a customized logo/image at Login or Unlock screens (as has been available in XP version)
9) Fixed an issue with lock algorithm that caused the Stationary Key feature to not work properly when using the XL-U2 USB.
10) Fixed an issue where the UPEK Fingerprint sensors were not working properly with XyLoc.
11) Fixed an issue with the Application Integration logoff timer not working on Win7 x64.
12) Fixed an issue with Application Integration Credential reset utility not having proper elevated rights to write the credentials to the local database.
13) Fixed an issue with the computer locking or logging off while the service was stopped.
a. User would not be able to re-authenticate because the XyLoc service was stopped.
b. Added code to the Credential Provider to properly start the service in this scenario.
XyLoc version 9.1.0 x32 Build35 / XyLoc version 9.1.0 x64 Build17:
1) Added support for x64 versions of Windows 7
2) Fixed an issue with Forced Logoffs being halted when an open application required some sort of confirmation from the user to close.
3) Fixed an issue with logging via a Password Override with an account that was assigned a non-existent badge ID
4) Fixed an intermittent issue with a Unique AD account not being able to logon
5) Modified the ETAITReset.exe utility (utility to reset the AI credentials accessed from the AI icon in the systray) to not require Administrator credentials when UAC is enabled.
6) Added ability for a “Forced Logoff” on the locked workstation Credential Provider via the menu option at the top.
a. This is to allow an Administrator to forcibly logoff the current user in an emergency situation.
7) Fixed various timing conditions that caused the XyLoc Service and Credential Provider to become unstable when a user quickly locked and unlocked the workstation.
8) Fixed an issue with Hibernation where the workstation would be unlocked, but the service would still believe it to be locked.
a. XyLocIcon detects the condition and will issue a manual lock so a user can unlock through the XyLoc CP and get the CP and Service back into sync.
9) Fixed issues with Auto Logon
a. Found that on some machines, intermittently, the Auto Logon would fail.
b. Also found that in some of these instances, the XyLoc CP was unresponsive after this failure.
c. These were a result of a timing condition at the first login following a system boot, where the CP was attempting to logon before the service was ready to accept the login credentials.
d. A timer was added so that the first login following a system boot is delayed for a set period of time to allow the service to initiate fully.
i. The default is 30 seconds but can be overridden via a registry setting:
1. Location: [HKLM\Software\Ensure Technologies\Gina]
2. Value: “waitTime4FirstLogonSec”
3. Type: DWORD
4. Data: Number of Seconds (in Decimal)
XyLoc version 9.1.0 Build29:
1) Modified how Auto Logon credentials are defined (see “Auto Logon” notes under “General Windows 7 Notes” section above).
a. Previously these values were stored in the Ensure Technologies\Gina\ key.
b. Reading them from Winlogon is consistent with standard Windows functionality and also allows the values to persist after removal (and reinstall later if done) of the XyLoc client.
2) Fixed various issues that caused the system to not unlock properly “Hands Free” during the “Unlock to Key Only” grace period time.
a. User had to re-authenticate by selecting their name and, if set to “Must Enter Password”, re-entering their password at each unlock regardless of time.
3) Fixed an issue in the install package that caused an installation failure if the user hit the <Enter> key (instead of clicking “OK”) after populating the user information (if prompted by an installation dialog).
4) Fixed an issue where the XyLoc client would not perform key lookups after a manual lock.
5) Fixed additional interoperability issues with XyLoc AIT (Application Integration) and Windows UAC.
6) Addressed issues when using the XyLoc v910 client in conjunction with a 4.x version of the XSS-AD that could prevent the user from being able to logon.
NOTE: The fixes to these issues require that some or all of the Auto Logon values are populated in the Winlogon registry.
a. Values located in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
b. For Unique accounts:
i. “DefaultDomainName” value must be populated with the proper Domain Name.
c. For Kiosk Accounts:
i. “DefaultDomainName” value must be populated with the proper Domain Name.
ii. “DefaultUserName” value must be populated with the Kiosk network account name.
iii. “DefaultPassword” value must be populated with the Kiosk network account password.
1. This value may not be already created if Auto Logon is not being currently used. This must be created as a “String Value” for full kiosk functionality.
d. NOTE: If using XSS-SQL or as a Solo, then only the “DefaultDomainName” value is necessary, and then only if logging into a domain.
7) Addressed issues that could prevent a Unique account user from logging back in after a password change.
XyLoc version 9.1.0 Build17:
1) Addressed additional issues with Forced Logoffs
2) Fixed issues related to using UPEK fingerprint readers
3) Fixed issues in installation of the client when installing over top of a previous install.
XyLoc version 9.1.0 Build 2:
1) Modified the client to support User Account Control (UAC).
2) Fixed issues found related to performing a Forced Logoff
XyLoc version 9.1.0 for Windows 7 includes the following additional enhancements from the previous production Windows XP release (9.0.0):
1) Windows Password Reset utility:
a. From the Credential Provider, via the menu at the top left hand side, a user can reset their Windows or Domain account password.
b. Password reset capability is available even in a kiosk account. The user simply has to provide the utility with their unique Domain username.