FDE SSO Troubleshooting
This procedure does not affect other GINAs of third party security software.
How Windows Log On Works
Winlogon, the Graphical Identification and Authentication (GINA), and network providers are the components of the interactive logon model. The interactive logon procedure is normally controlled by Winlogon, msgina.dll, and network providers. To change the interactive logon procedure, msgina.dll can be replaced with a customized GINA DLL.
Winlogon is a component of the Windows operating system that provides interactive logon support. Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a GINA, and any number of network providers. It creates the desktops for the window station, implements time-out operations, and provides a set of support functions for the GINA.
The Graphical Identification and Authentication (GINA) is a replaceable dynamically-linked library that is loaded early in the boot process in the context of Winlogon when the machine is started. It is responsible for handling the secure attention sequence, typically Control-Alt-Delete, and interacting with the user when this sequence is received. GINA is also responsible for starting initial processes for a user (such as the Windows Shell) when they first log on.
A default GINA library, MSGINA.DLL, is provided by Microsoft as part of the operating system, and offers the following features:
- Authentication against Windows domain servers with a supplied user name/password combination.
- Displaying of a legal notice to the user prior to presenting the logon prompt.
- Automatic Logon, allowing for a user name and password to be stored and used in place of an interactive logon prompt. Automatic logon can also be configured to execute only a certain number of times before reverting to interactive logon. In older versions of Windows NT, the password could only be stored in plain text in the registry; support for using the Local Security Authority's private storage capabilities was introduced in Windows NT 4.0 Workstation Service Pack 3 and Windows NT Server 3.51.
- "Security Options" dialog when the user is logged on, which provides options to shut down, log off, change the password, start the Task Manager, and lock the workstation.
How the FDE GINA interacts with Windows XP GINA
The FDE SSO setting records the Windows credentials at Windows logon and then uses this information to automatically logon in Windows as long as SSO is enabled. This information is updated, if passwords are changed.
The SSO information is stored in an encrypted file located here:
C:\Program Files\Pointsec\Pointsec for PC\SSO
The file is named
Note - SSO information can be erased by deleting this file.
The SSO information can never be read without first authenticating successfully in the Preboot.
SSO is handled by
How the SSO .DAT file is created
The SSO.DAT file is created by the FDE stub GINA (
pssogina.dll), or by the credential provider in Vista and later. The file stores the user name, password, domain and a flag with the current state of SSO, in an encrypted form. The file (SSO.DAT) is updated by the credential manager (
pcp.dll) during a Windows password change. The maintenance of the GINA chain and credential provider (registry values/files) is handled by the Pointsec service (
New Authentication Functionality in Windows Vista
GINAs Replaced with New Credential Providers
In previous releases, the customization of interactive user logon was done by creating a custom GINA. Despite the name, GINAs were responsible for more than simply gathering authentication information and rendering the UI to collect it. Because of this, custom GINAs were complex to create and usually required Microsoft Product Support Services (PSS) support for successful implementation. Often, using a custom GINA resulted in unintended side effects, such as preventing fast user switching (FUS) and smartcard logon. In Windows Vista, GINAs are replaced with a new modular Credential Provider model that is easier to program to.
Customer installed FDE, configured SSO in the pre-boot authentication screen, but the SSO does not work.
Steps to Perform
- Check if SSO is active
Look in the folder:
C:\Program Files\Pointsec\Points for PC\SSO\CPLA for user's Globally Unique Identifier (GUID).
Inside the CPLA* folder, for each user you will find its GUID file.
If there are no GUID files in this folder, it means that:
- Customer may think he is using SSO, but actually configured it wrongly and it is not activated.
- Pointsec PC \ FDE did not successfully create the SSO file.
*CPLA = Check Point Logon Agent that you use when unlocking the PC(WinKey+L).
Deleting this file, will disable the Check Point logon prompt on WinKey+L and then ALT+CTRL+DELETE
- Basic Troubleshooting
Check the following:
- Does the user have SSO enabled on the user account? And was the SSO kbox selected in PreBoot when logging in?
- Is the Pointsec GINA loaded as the first GINA?
The GinaDLL should say
pssogina.dll (Pointsec GINA).
Note - This applies only to Windows 2000/XP. Windows Vista does not use GINAs.
- If no, does the user have permission to write to
C:\Program Files\Pointsec\Pointsec for PC\SSO? Is there a .DAT file created in this location?
- If there is a .DAT file created and SSO still does not work, try to delete the .DAT file belonging to the user account for which SSO does not work. Reboot machine and make sure SSO is enabled. By removing the .DAT file in the SSO folder, Pointsec will now re-record the Windows Credentials.
- If the above does not work, run
CPInfoCollector.exe tool (found in the Pointsec installation folder) and send the resulting .CAB file to Check Point.
- Troubleshooting with the CPinfo Collector tool
The CPInfo Collector application (tool) is used to request specific information from a host. When executed on a PC, the application will automatically perform data extraction and tests. The output is stored in multiple files which are compressed into a cabinet (one file), which is then stored in a .CAB file under the name:
For example, in our case this would be:
- Ask the customer for:
CPInfoCollector_126.96.36.199 output. You will get a .CAB file. Open
pointsec_registry.txt, this is the Registry export of the Pointsec registry tree on the client's PC:
- Inside "pointsec_registry.txt", locate line 13 and examine it:
GINA order clearly shows that on this laptop, Winlogon is controlled in the following order: pssogina.dll>vrlogon.dll
pssogina.dll - "Pointsec for PC"\"FDE" GINA takes control of Windows' log on process
vrlogon.dll - Pointsec GINA transfer control to "ThinkPad Fingerprint software" GINA.
Windows GINA takes control from "ThinkPad fingerprint software" GINA and not from Pointsec GINA=no SSO chain between Pointsec to Windows, that is why Pointsec SSO does not work.
Completing the Procedure
There are three available workarounds to resolve this issue:
To add a compatible GINA:
- In the Registry Editor, go to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Pointsec Mobile Tech\Pointsec for PC
- Create a new string value named CompatibleGinas.
- The value data must be the name of the IBM Fingerprint GINA (
If the above does not work, try either of the following:
- Uninstall the fingerprint software from the system and reboot. This leaves only the Pointsec GINA (
pssogina.dll) on the system.
- Do not activate the fingerprint software. (Disabling will not work, as it reactivates itself.)
To verify the procedure in this document is working:
- Test that you can log on to windows smoothly.
- Make sure other 3rd-party security software functions flawlessly.
Appendix A - SSO in Mac OS X
Single Sign On (SSO) in the Mac-product currently implies username/password synchronization from Mac OS X to FDE/pre-boot. That is why when doing SSO to Mac OS X the FDE credentials are used, i.e., the password from pre-boot.
If the user changes password on the Mac, it will re-sync the password back to pre-boot. If the password has been changed centrally (e.g., when using an AD user on Mac and the admin changes a user's password) the next login in pre-boot will use the old password, but when SSO is tried to login to Mac OS X it will fail and the user must re-authenticate with new (centrally changed) password. Then this new password will be synced to FDE/pre-boot.
Appendix B - Modifying Pointsec GINA
Pointsec PC GINA operates as a stub GINA and has support for Dispatch version 1.3.
A stub GINA forwards all function calls to another GINA after completing itself. The previous GINA is the GINA that was present in the system before Pointsec PC was installed. Pointsec for PC stores this GINA in the registry under the value PrevGina. Pointsec PC also scans the registry for changes in the GinaDLL key and if a new GINA is installed, this GINA is added as Pointsec PC PrevGina.
Pointsec PC will by default try to be the first GINA to be called since Pointsec PC then will be able to perform SSO to the GINAs called after Pointsec PC. However, if you for some reason do not want Pointsec PC GINA as the first GINA, you can set UpdateSSO = 4 and set the preferred GINA order manually.
If you disable Pointsec PC GINA completely you will lose the following Pointsec PC functionality:
- Password Synchronization
- Smart Card support
All functions calls intercepted by Pointsec PC GINA is forwarded, except the call to WlxDisplaySASNotice which not is forwarded to previous GINA if SSO is activated for the user.
This can be a problem for GINAs that require this function to be executed.
The list of Registry values below describes Pointsec PC registry keys. All these registry values can be set by editing the precheck.txt file before installation.
The values below can be found under the
HKEY_LOCAL_MACHINE\SOFTWARE\Pointsec Mobile Tech\Pointsec: UpdateSSO key. This value triggers the changes Pointsec makes to the SSO related registry values.
- 0 - Is the default value of the registry update and means that Pointsec only scans for SSO registry changes upon computer shutdown.
- 1 - Pointsec PC scans for SSO registry changes on a timer as soon as a user has logged on to the system.
- 4 - Pointsec PC does not scan for any SSO registry changes. This means that the user themselves can set the preferred load order of the GINAs.
If you want to add support for Pointsec PC SSO to other GINAs than the pre-approved GINAs, you should add them to this list. e.g.,
The pre-approved GINAs are:
SSODelay_MSGINA - Delay (in ms) before performing SSO to previous GINA.
- PrevGina - the GINA that Pointsec PC forwards the GINA function calls to. If this file cannot be found/loaded, it will instead load the msgina.dll, as a default. The PrevGina value does not contain the complete path, so if the GINA is placed in a different folder, than the path needs to be added to the environment path settings. If this is the case, the complete path needs to be added manually and you also need to set UpdateSSO=4.
- GinaOrder - this key is only used for internal usage during uninstall of Pointsec PC.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.