
Credential Provider for Windows Vista and Later

In releases prior to Windows Vista, the customization of interactive user logon was done by creating a custom GINA. Users entered their authentication credentials in the logon UI and GINA passed this information to Winlogon for authentication. However, because GINAs do more than pass authentication information, they are typically difficult to implement.

Windows Vista introduced a new authentication model where the logon UI and Winlogon talk directly with each other. A credential provider is a module that plugs into the logon UI and describes the credential information required for the logon UI to render and to communicate with an external authentication provider. After the credential provider gathers the credential information, it passes the final credentials to Winlogon.

There are two basic types of credential providers: standard authentication and Pre-Logon Access Providers (PLAP). Standard authentication includes password-based or certificate-based credentials. A PLAP is a special type of credential provider that allows users to make a network connection before logging in to their system. Another difference between these two types of providers is timeout. PLAP credentials have no timeout, whereas standard credentials typically have a 120-second timeout.

The VPN tunneling credential provider is a PLAP provider. This provider is visible only if the system is configured as part of a domain. The VPN tunneling provider creates a network connection. If the user’s credentials are the same as the domain credentials (SSO), then the credential information is entered only once. If the user’s credentials are not the same as the domain credentials, the user selects another credential provider for domain authentication.

After a user logs in through the VPN tunneling credential provider, the user has 5 minutes to log in to Vista either through single sign-on or through another credential provider. After the user logs in to Vista, VPN tunneling attaches to the tunnel. If the user does not log in to Vista within 5 minutes, the VPN tunnel is disconnected.

To install the VPN tunneling credential provider:

  1. Make sure your client user is part of a Windows domain.
  2. In the Admin console, go to User Roles > VPN tunneling and select the Require VPN tunneling to start when logging into Windows option.
  3. When installing VPN tunneling on the client system (running Windows Vista), you are prompted by the GINA/Credential Provider window to configure the GINA/Credential Provider authentication. Click OK.
  4. Once the VPN tunnel is established on the client system, open the VPN tunneling window. Go to the Advanced View and select the Information tab. In the Results section, ensure that the GINA/Credential Provider plug-in is configured. You should see something similar to GINA Plug-In: Configured.
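To cross-check step 4 from the client side, the following added example (not part of the Pulse Connect Secure guide or product) lists every registered standard credential provider and PLAP, the DLL each one loads into the logon UI, and that DLL's Authenticode status. The registry locations are the standard Windows ones and are an assumption, since this page does not state them or the VPN tunneling provider's CLSID; run it from an elevated PowerShell prompt.

```powershell
# Added example: inventory logon-UI plug-ins (standard credential providers and PLAPs).
# Assumption: standard Windows registry locations; they are not given on this page.
$authRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
$kinds = [ordered]@{
    'Standard' = "$authRoot\Credential Providers"
    'PLAP'     = "$authRoot\PLAP Providers"
}

function Get-RegisteredLogonProvider {
    foreach ($kind in $kinds.Keys) {
        $path = $kinds[$kind]
        if (-not (Test-Path -LiteralPath $path)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $path) {
            $clsid = $key.PSChildName

            # The COM registration names the DLL that is loaded for this provider.
            $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path -LiteralPath $inproc) {
                $raw = (Get-Item -LiteralPath $inproc).GetValue('')
                if ($raw) {
                    $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
                }
            }

            # Only full paths can be checked; a bare file name is reported as unresolved.
            $sig = $null
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig = Get-AuthenticodeSignature -LiteralPath $dll
            }

            [pscustomobject]@{
                Kind      = $kind
                Name      = $key.GetValue('')
                Clsid     = $clsid
                Dll       = $dll
                SigStatus = if ($sig) { $sig.Status } else { 'FileNotResolved' }
                Signer    = if ($sig -and $sig.SignerCertificate) {
                                $sig.SignerCertificate.Subject
                            } else { $null }
            }
        }
    }
}

Get-RegisteredLogonProvider | Sort-Object Kind, Name | Format-List
```

After installation, the VPN tunneling provider should appear among the `PLAP` rows; any row with an unsigned or unexpected DLL deserves review, because these modules handle credentials before logon.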

To use the credential provider:

  1. Log out of Windows and press Ctrl+Alt+Delete.

    You should see the Network logon icon. If you see only the Windows user standard tiles, click the Switch user option under the standard Windows credential tiles to see the Network logon icon.

  2. Click the Network logon icon and then click the Connect Secure logon icon.
  3. Enter your Windows domain credential and click the right arrow button. For your username, use the format domain\username or user@domain.

    VPN tunneling signs the user in to the default URL and proxy server in config.ini.

    Note: If your Connect Secure credential is not the same as your Windows domain credential, an alert box appears. Click OK and enter your Connect Secure credentials in the login window that appears. The window also contains an option button to launch another window to enter a URL, proxy server, and so forth.

    The VPN tunneling credential provider supports the following authentication providers: local authentication, LDAP, RADIUS (UN/PWD only), NIS, ADS and Dial-up connection. In addition, the smart card credential provider supports certificate login.