MED-V 1.0: Guidelines for GINA-Chaining Inside MED-V Workspaces
NOTE: GINA chaining is officially not supported inside the MED-V workspace. The following information is provided for cases where a custom GINA must be used in addition to the MED-V GINA and a workaround is needed.
Prior to Windows Vista, Microsoft used the graphical identification and authentication (GINA) module system to provide secure authentication and interactive logon services. The Microsoft GINA is a replaceable dynamically linked library that is loaded early in the boot process in the context of the Winlogon.exe process. Winlogon can be configured to use a different GINA, providing for non-standard authentication methods such as smart card readers or identification based on biometrics, or to provide an alternate visual interface to the default GINA.
GINA chaining was a widely used practice with Windows 2000 and Windows XP by 3rd party vendors, but not one for which we normally provide any guidelines (or support). Vendors have implemented chaining in different ways, generally by recording the original GINA under another registry value (usually OriginalGinaDll), then loading it from within their custom GINA and passing the credentials through to it. The MED-V GINA acts in this fashion as well.
Generally, the MED-V GINA forwards calls to the GINA listed under OriginalGinaDll (beneath the Winlogon registry key). If this value does not exist, the chaining is performed to MSGINA. However, there are some calls that we do not forward (e.g. calls related to locking, which MED-V handles itself). It is hard to diagnose such an issue without knowing exactly what the other GINA requires (e.g. what is it expecting that does not happen? Should the additional 3rd party GINA display a window prior to the logon? Post logon? While the workstation is locked? Etc.). For instance, the Checkpoint VPN GINA hooks the logon window to detect when the user presses the OK button. Since MED-V uses auto-logon, the OK button is never pressed, and so Checkpoint does not detect the logon. Additionally, it should be noted that this type of configuration has not been tested, and every GINA replacement has quirks of its own.
1. Create the string value OriginalGinaDll under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, set it to “<Path>\Ginaname.dll” (the full path to the 3rd party GINA), and test the logon process again.
2. If this doesn’t work, contact the 3rd party vendor to find out how their GINA hooks the login window.
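The script below is an added example, not part of the original article and not Microsoft or MED-V code. It reads the Winlogon key on the guest, shows which GINA is active and where the chain will be forwarded (OriginalGinaDll if present, otherwise msgina.dll, as described above), checks that the DLLs exist and that the chain does not point back at the active GINA, and, only when run with -Apply, creates the OriginalGinaDll string value from step 1. The third-party DLL path is a placeholder parameter; the loop check and the default-to-msgina.dll resolution are this script's own logic, not something the article documents.

```powershell
# Added example: inspect and (optionally) configure the Winlogon GINA chain.
# Run inside the MED-V workspace guest (Windows XP/2000) as an administrator.
param(
    # Placeholder path to the 3rd party GINA; replace with the real DLL location.
    [string]$ThirdPartyGina = 'C:\Program Files\Vendor\VendorGina.dll',
    # Without -Apply the script only reports; with -Apply it writes OriginalGinaDll.
    [switch]$Apply
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props    = Get-ItemProperty -Path $winlogon

# Winlogon loads msgina.dll when GinaDLL is absent.
$active   = if ($props.GinaDLL) { $props.GinaDLL } else { 'msgina.dll' }
$original = $props.OriginalGinaDll
# Chain target as the article describes: OriginalGinaDll if set, else MSGINA.
$target   = if ($original) { $original } else { 'msgina.dll' }

Write-Host "Active GINA (GinaDLL):          $active"
Write-Host "Chain target (OriginalGinaDll): $(if ($original) { $original } else { '<absent> -> msgina.dll' })"

# A bare DLL name is loaded from system32; a rooted path is used as-is.
function Resolve-GinaPath([string]$name) {
    if ([System.IO.Path]::IsPathRooted($name)) { return $name }
    return Join-Path $env:SystemRoot "system32\$name"
}

# Sanity checks before changing anything (assumptions of this script, not the article).
foreach ($dll in @($active, $target)) {
    $path = Resolve-GinaPath $dll
    if (-not (Test-Path $path)) { Write-Warning "GINA file not found: $path" }
}
if ($original -and ($original -ieq $active)) {
    Write-Warning 'OriginalGinaDll points at the active GINA; the chain would loop on itself.'
}

if ($Apply) {
    $newPath = Resolve-GinaPath $ThirdPartyGina
    if (-not (Test-Path $newPath)) { throw "3rd party GINA not found: $newPath" }
    if ($newPath -ieq (Resolve-GinaPath $active)) { throw 'Refusing to chain the active GINA to itself.' }

    Write-Host "Previous OriginalGinaDll: $(if ($original) { $original } else { '<absent>' })"
    New-ItemProperty -Path $winlogon -Name 'OriginalGinaDll' -Value $ThirdPartyGina `
                     -PropertyType String -Force | Out-Null
    Write-Host "OriginalGinaDll set to $ThirdPartyGina. Reboot the workspace and test the logon."
}
```

Run it once without -Apply to record the current chain, then with -Apply after confirming the DLL path. Note that this only completes step 1: if the 3rd party GINA depends on events that MED-V's auto-logon never raises (such as the OK-button press mentioned above), the registry change alone will not make it work, and step 2 still applies.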