MFA Guides

Configuring RapidIdentity MFA Windows Client Shared Workstation

RapidIdentity MFA Windows Client Shared Workstation is configured using policies from RapidIdentity Server and can also be configured through the Windows Registry. To enable RapidIdentity MFA Windows Client Shared Workstation and its features, it is necessary to add these settings to the Windows Registry manually or manage available policies through RapidIdentity Server Policies. These settings should only be used by seasoned administrators who are experienced in manipulating Windows Registry values.

Follow these steps to configure RapidIdentity MFA Windows Client Shared Workstation:

  1. From the Windows Start Menu, type regedit and open the Registry Editor.

  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Foray.

  3. Add the following values, as desired, one at a time.

The values are listed below by Value Name; each entry gives its Value Type, Value, and Description.

SharedWorkstation
  Value Type: String
  Value: True
  Description: This setting must be enabled before any of the other shared workstation related settings and is the only mandatory string for RapidIdentity MFA Windows Client Shared Workstation.

SWBypass
  Value Type: String
  Value: True
  Description: This string is designed to allow users to bypass the window shade by clicking Guest Logon. Serious consideration should be given to enabling this setting. Its primary use is for systems that are secured behind multiple layers of physical access and for which the inability to access the SWE may result in a catastrophic mishap.

SWGenLogin
  Value Type: String
  Value: True
  Description: This string is designed to allow users to authenticate to Shared Workstation using a username and password; the password may be the RapidIdentity MFA Windows Client password or a non-Active Directory password.

SWEALogin
  Value Type: String
  Value: True
  Description: This string is designed to allow users to authenticate to Shared Workstation using Emergency Access.

SWCitrixInstantConnect
  Value Type: String
  Value: True
  Description: This string is designed to enable InstantConnect on Shared Workstation on which the Citrix Online Plug-in is installed.

SWCitrixQLaunchParams
  Value Type: String
  Value: True
  Description: This string is designed to pass the parameters that would normally be used to automatically launch a Citrix Published Application or Published Desktop using the PNAgent.exe /QLaunch command. The parameters are in the exact same format, i.e. “MyFarm:Published Desktop”.

SWVMwareInstantConnect
  Value Type: String
  Value: True
  Description: This string is designed to enable InstantConnect on Shared Workstation on which VMware View is installed.

SWInactivityTime
  Value Type: DWORD, hexadecimal
  Value: Integer (minutes)
  Description: This value defines the number of minutes that a Shared Workstation may be left inactive prior to locking the workstation and returning the screen to the “Present Card” dialog. The value may be set to any value greater than or equal to “1”.

SWInstantConnectLockOnExit
  Value Type: String
  Value: True
  Description: This string is designed to automatically lock a Shared Workstation with InstantConnect configured for either VMware View or Citrix Online Plugin (XenDesktop Only) when the user logs out of the VM desktop or the Citrix Published Desktop.

SWBackAlpha
  Value Type: DWORD, hexadecimal
  Value: Integer, 0-255
  Description: This value defines the transparency of the window shade. The value should be set between 0 = fully transparent and 255 = no transparency. By default, the value is 255 when not configured.

SWBackColor
  Value Type: DWORD, hexadecimal
  Value: 0 (default)
  Description: This value defines the color of the window shade. The value must be set to an RGB value of your desired color. By default, the value is black when not configured.

SWBackImage
  Value Type: String
  Value: The file path for the image
  Description: This value defines a custom background image that is displayed when a Shared Workstation is locked. The value must be set to the path of the image file that you wish to use. If spaces are present in the path to your file, do not use quotation marks. The supported image file format is .png.

SWIdleAnimTimer
  Value Type: DWORD, hexadecimal
  Value: Integer
  Description: This value defines the number of minutes to wait before the RapidIdentity MFA Windows Client logon dialog begins to animate. The value may be set to any value greater than or equal to “1”, for an idle period of 1 to X minutes.

SWDelayOnLaunch
  Value Type: DWORD, hexadecimal
  Value: Integer
  Description: This value defines the number of seconds that Shared Workstation dependent DLLs are delayed upon initial logon. This is useful to provide administrators the ability to perform administrative tasks on a shared workstation before the window shade is triggered. The value must be set to a number greater than or equal to 1. The default value is zero, meaning there is no delay.

SWPINPolicyRule
  Value Type: DWORD, hexadecimal
  Value: 0, 1, or 2
  Description: This value defines the PIN use policy within Shared or non-Shared Workstations to enforce and/or override users’ PIN policies. This is useful in organizations with varied PIN policies or for organizations that desire to have a different PIN policy for Shared Workstation. Since Logoff is not used in Shared Workstation, users with a PIN Policy of “Do not require PIN on unlock” will not be required to enter their PIN when locking and unlocking the window shade.

  The value may be set to “0” to use the user’s standard PIN policy, “1” to never require a PIN, or “2” to always require a PIN.

SWCardBehaviorOverride
  Value Type: DWORD, hexadecimal
  Value: -1, 0, 1, 2, 3, or 4
  Description: This value provides an override for card removal behavior on a Shared Workstation. There are 6 possible values.

    • -1: Use default card removal policy for the workstation

    • 0: Do nothing on removal

    • 1: Lock Shared Workstation on card removal

    • 2: Logoff Shared Workstation user on card removal

    • 3: Lock Shared Workstation on card tap

    • 4: Logoff Shared Workstation on card tap

SWCloseAllWindowsOnLogoff
  Value Type: String
  Value: True
  Description: This string is designed to close all applications opened and terminate all new processes launched by the prior user during the prior logon session by Secured Applications upon a logoff event.

SWLoginAllWindowsOnLogon
  Value Type: String
  Value: True
  Description: This setting will attempt to logon to all open applications simultaneously upon unlock of the shared workstation, rather than waiting for each application logon dialog to come into focus.

SWLaunchOnLogon
  Value Type: Multi-String value
  Value: The executable file
  Description: This setting will launch one or more applications or processes upon successful authentication to RapidIdentity MFA Windows Client Shared Workstation. This is a multi-string setting so multiple applications may be configured. Multiple executables are defined on separate lines. If there is a space in the path, the path must be contained within quotation marks.

SWLockOnOSLock
  Value Type: String
  Value: True
  Description: This string is designed to automatically lock Shared Workstation when the operating system itself locks. This is necessary for environments where the Windows desktop may lock, to ensure the Shared Workstation screen will also lock. For example, if the generic user account has a well-known username or an easy password, then unlocking Windows may not be secure. Enabling this setting will cause the Shared Workstation screen to automatically come up. If not enabled (which is the default), locking Windows does nothing to the Shared Workstation state.

SWIdleAnimType
  Value Type: DWORD, hexadecimal
  Value: 0, 1
  Description: This value provides an override for how the Shared Workstation prompt behaves when the Idle Timer (SWIdleAnimTimer) is hit. By default, the prompt will float around the screen. The default value of "0" is for float and the value of "1" is for hide.

SWAlwaysOnTop
  Value Type: String
  Value: False
  Description: This string is designed to specify whether or not the Shared Workstation prompt is always on top of all other windows, which is the default behavior. However, in some environments, it might be useful to allow other applications to appear in front of the Shared Workstation screen. To disable the Always on Top setting and allow other windows to potentially appear on top of the Shared Workstation prompt, set this value to False.

SWWaitOnSync
  Value Type: String
  Value: True
  Description: This string is designed to force Shared Workstation to complete a sync before launching InstantConnect. By default, Shared Workstation favors speed over accuracy in starting the InstantConnect connection. However, in environments where Windows passwords may be changing regularly, it may be desired to always ensure the latest passwords are synced down before attempting a launch that may require them.

  To force the sync before attempting to launch any InstantConnect connection, set this value to True.

SWEnforceUserMatch
  Value Type: String
  Value: True
  Description: This string is designed to force Shared Workstation to enforce 2-step authentication by requiring that the only user who can unlock Shared Workstation is the same user who logged onto Windows. This is useful for certain environments where enforcing two-factor authentication cannot be accomplished by more traditional methods. To force the Shared Workstation to only accept the credentials of the user who logged onto Windows, set this value to True.

SWPinComplexityRule
  Value Type: DWORD, hexadecimal
  Value: Integer
  Description: This value defines the PIN complexity policy within Shared Workstation and may also be used on non-Shared Workstation systems to enforce and/or override users’ PIN policies. To calculate the value to enter, combine the bit flags for the desired rules into a single value. With bit 0 as the least-significant bit, the bits are processed in the following order.

    1. Bit 0: No More Than 3 Repeated Characters

    2. Bit 1: No More Than 3 Consecutive Characters

    3. Bit 2: Must Contain Alpha And Numeric Characters

    4. Bit 3: Must Contain Special Characters

    5. Bit 4: Must Only Contain Numeric Characters

    6. Bit 5: Use Windows Password As PIN

    7. Bit 6: Enable Risk-Based PIN Policy

  For example, to enforce Windows Password As PIN on this system, the DWORD value should be set to 20 (hexadecimal) or 32 (decimal). A value of 0 indicates that no complexity policy should be enforced. The default value of -1 indicates to use the user's complexity policy defined by the user's authentication set.

SWDefaultMethod
  Value Type: DWORD, hexadecimal
  Value: 2, 3, 4, 6, 8, 9, 10, 11
  Description: This value provides an override for the default tile that is selected when the Shared Workstation screen first comes up. By default, the prompt will show all available methods.

  The following values correspond to each tile:

    • Active Directory / Windows = 2

    • Emergency Access = 3

    • Smartcard (Contact/PKI) = 4

    • RFID (Contactless cards) = 6

    • Fingerprint = 8

    • Magstripe/Barcode = 9

    • One-Time Password (OTP) = 10

    • PingMe = 11

  Any other value results in the default behavior of showing all tiles. The user will still have the option of clicking cancel or hitting ESC to return to the full list of tiles available on the machine.

SWDefaultDomain
  Value Type: String
  Value: The RapidIdentity MFA Windows Client domain name
  Description: This string forces Shared Workstation to use the domain name supplied in the setting whenever a domain is not entered. It will also default to showing this domain in the username field for certain tiles. The value should be set to the desired domain name.

SWKillAllWindowsOnLogoff
  Value Type: String
  Value: True
  Description: This string is designed to work similarly to SWCloseAllWindowsOnLogoff: it closes all applications opened and terminates all new processes launched by the prior user during the prior logon session by Secured Applications upon a logoff event. However, when closing windows as opposed to killing them, a window may sometimes show a prompt before allowing itself to close gracefully. With this setting set, even if a prompt appears before closing, the window is forcefully killed to ensure it closes.

SWSkipAppWindowsOnLogoff
  Value Type: Multi-String value
  Value: The executable file path
  Description: This setting works in conjunction with SWCloseAllWindowsOnLogoff and SWKillAllWindowsOnLogoff to specify certain windows or applications that should not be closed or killed. This is a multi-string setting so multiple applications may be configured.

SWRdpInstantConnect
  Value Type: String
  Value: True
  Description: This string is designed to enable InstantConnect on Shared Workstation on which the user is expected to automatically connect to an RDP session, such as Remote Desktop Services, and must be used in conjunction with SWRdpServer. The authentication occurs with the user's Active Directory or Windows credentials.

SWRdpServer
  Value Type: String
  Value: The server name
  Description: This string sets the server name that Instant Connect will connect to when used in conjunction with SWRdpInstantConnect. The server name should be the same value as would normally be entered into a standard RDP connection.

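As an added example (not part of the RapidIdentity documentation), the same configuration carried out from PowerShell rather than regedit, including the bit-flag arithmetic that SWPinComplexityRule requires. The key path and value names are the ones documented above; the specific values, the PIN rules chosen and the launched executables are illustrative assumptions.

```powershell
# Added example, not part of the RapidIdentity documentation. Run from an elevated PowerShell.
# Key path and value names are the documented ones; the chosen values are illustrative assumptions.
$forayKey = 'HKLM:\SOFTWARE\Foray'

# Bit positions of SWPinComplexityRule as listed above (bit 0 = least-significant bit).
$PinBits = @{
    NoRepeatedChars    = 0   # No more than 3 repeated characters
    NoConsecutiveChars = 1   # No more than 3 consecutive characters
    AlphaAndNumeric    = 2   # Must contain alpha and numeric characters
    SpecialChars       = 3   # Must contain special characters
    NumericOnly        = 4   # Must only contain numeric characters
    WindowsPasswordPin = 5   # Use Windows password as PIN
    RiskBasedPin       = 6   # Enable risk-based PIN policy
}

# Combine named flags into the DWORD the client expects; WindowsPasswordPin alone gives 0x20 (32).
function Get-SWPinComplexityValue {
    param([string[]]$Flags)
    $value = 0
    foreach ($flag in $Flags) {
        if (-not $PinBits.ContainsKey($flag)) { throw "Unknown PIN flag '$flag'" }
        $value = $value -bor (1 -shl $PinBits[$flag])
    }
    return $value
}

if (-not (Test-Path $forayKey)) { New-Item -Path $forayKey -Force | Out-Null }

# SharedWorkstation must be enabled before any other SW* setting takes effect.
# SWLaunchOnLogon is multi-string; a path containing spaces is wrapped in quotation marks.
$settings = @(
    @{ Name = 'SharedWorkstation';   Type = 'String';      Value = 'True' }
    @{ Name = 'SWLockOnOSLock';      Type = 'String';      Value = 'True' }
    @{ Name = 'SWInactivityTime';    Type = 'DWord';       Value = 15 }   # minutes, must be >= 1
    @{ Name = 'SWPINPolicyRule';     Type = 'DWord';       Value = 2 }    # always require a PIN
    @{ Name = 'SWPinComplexityRule'; Type = 'DWord';       Value = (Get-SWPinComplexityValue 'AlphaAndNumeric','SpecialChars') }  # bits 2+3 = 0x0C
    @{ Name = 'SWLaunchOnLogon';     Type = 'MultiString'; Value = @('"C:\Program Files\Example App\app.exe"', 'C:\Tools\helper.exe') }
)
foreach ($s in $settings) {
    New-ItemProperty -Path $forayKey -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
}

# Read the key back to confirm what was written.
Get-ItemProperty -Path $forayKey |
    Format-List SharedWorkstation, SWLockOnOSLock, SWInactivityTime, SWPINPolicyRule, SWPinComplexityRule, SWLaunchOnLogon
```

The same values can be delivered centrally through RapidIdentity Server policies, as the introduction notes; the script is the manual registry equivalent.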