Home > MED-V, Win7 > MED-V 1.0: Guidelines for GINA-Chaining Inside MED-V Workspaces

MED-V 1.0: Guidelines for GINA-Chaining Inside MED-V Workspaces


NOTE: Officially, GINA chaining is officially not supported inside the MED-V workspace. The following information can be used for a case where the use of a custom GINA in addition to the MED-V GINA is mandatory and a workaround is needed.

Prior to Windows Vista, Microsoft used the graphical identification and authentication (GINA) module system to provide secure authentication and interactive logon services. The Microsoft GINA is a replaceable dynamically linked library that is loaded early in the boot process in the context of the Winlogon.exe process. Winlogon can be configured to use a different GINA, providing for non-standard authentication methods such as smart card readers or identification based on biometrics, or to provide an alternate visual interface to the default GINA.

GINA Chaining was a widely used practice with Windows 2000 and Windows XP by 3rd party vendors but not one for which we normally provide any guidelines (or support).  Vendors have implemented chaining in different ways, generally by storing the old GINA in another location (usually OriginalGinaDll,) then later calling it from within their custom GINA and passing through the credentials.  The MED-V GINA acts in this fashion as well.

Generally, the MED-V GINA does forward calls to the GINA listed under OriginalGinaDll (beneath the Winlogon registry key). If this value does not exist, then the chaining is performed to MSGINA. However, there are some calls that we do not forward (e.g. calls related to locking, which MED-V handles). It is hard to diagnose the issue without knowing exactly what the other GINA is requiring (e.g. what is it expecting that does not happen? Should the additional 3rd party GINA display a window prior to the login? Post login? While the workstation is locked? Etc.).   For instance, the Checkpoint VPN GINA hooks the login window to detect when the user presses the OK button. Since MED-V uses auto-login, the OK button is never pressed and so Checkpoint does not detect the login.  Additionally, it should be noted that the use of these types of configuration have not been tested, and every GINA replacement has quirks of its own.

1. Create the  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\OriginalGinadll “<Path>\Ginaname.dll” and test the logon process again.

2. If this doesn’t work, contact the 3rd party vendor to find out how their GINA hooks the login window.

Categories: MED-V, Win7 Tags: , , , , ,
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: