Desktop Integration with the Windows Credentials Provider (versions 4.x and higher)

Christopher Dakin

Introduction

The LogonBox Credential Provider provides Desktop Integration for Windows 10 and Windows 11. It may also work on Windows 8 and 7.

 

 

Pre-requisite

You must have the Windows Desktop feature installed, which should already be available on a newly deployed system.

If this is not installed, navigate to Updates, Features & Licensing->Authentication and download the Windows Desktop feature.

 

Accept the prompt and restart the LogonBox service once downloaded with the power icon at bottom right.

 

Downloads

Microsoft Installer (MSI) packages are available, which also support unattended installs. No reboot is required: the logon screen shows the account action options as soon as the install completes.

You can find downloads for the provider in the Downloads link at the top right of the LogonBox web UI, in the Windows Desktop Integration section.

 

 

Installation

Run the installer on your machine (with admin rights) to start the install wizard. Click Next on the first screen.

 

If the prerequisite Visual C++ redistributable is not already present, the installer installs it first; otherwise it skips straight to the following step. Click Next.

 

Click Next to start the main setup.

 

Accept the default directory, or alter it if preferred and click Next.

 

At this point you will need a registration key.

Log on as the admin account to your LogonBox server and navigate to Authentication Flows->Authentication Options->Credential Provider.

Copy the Registration Key.

 

Back in the installer, type in the IP address or hostname of your LogonBox server.

If you don't yet have a certificate signed by a trusted CA, you can choose to allow unsigned certificates. Treat this as a test-only setting: it stops the client from validating the server's TLS certificate, so anyone on the network path could impersonate the server to the logon screen. Install a trusted certificate and turn the option back off before rolling out to users.

Paste in the 

Click Next, then Install to start the file copy.

 

The install files should now be extracted. Click Finish to complete the installation.

 

Altering the Credential Provider text prompts

It is possible to quickly alter the text that users are prompted for on their login screens for unlocking their accounts, resetting their passwords or logging on.

This can be done from the LogonBox web UI. Navigate to Authentication Flows->Authentication Options->Credential Provider.

Here you have options to change the Reset Text and Unlock Text, as well as other items relating to the Windows Desktop feature (see Desktop Multifactor Authentication) or LogonBox VPN connection.

Now that you have entered the Registration Key in the client, we recommend you turn on the Enforce API Security option here and Apply the changes.

  

Automatic Profile Completion on Login

When a user logs on to Windows, if they are missing some information required for a self-service password reset, they will be prompted to complete this information before logging on to the desktop.

This way you can ensure that your users get enrolled to use the system.

 

Extra options

There are some extra settings in Authentication Flows->Authentication Options->Windows Login.

Here you have options for:

Allow Networkless login - If you are using Desktop MFA, whether a user should be able to log in with only username/password when the LogonBox server is unavailable.

Reset cached credentials - reset any locally cached credentials if your computer is not on the company network (requires a special version of the client, please contact us for more information).

  

Silent install options

The Windows login client can also be installed from the command line, which lets you push it out via a Group Policy update. Specify the LogonBox hostname and the registration key when installing (note that this must be run with admin privileges):

 

For the Executable

LogonBox+Credential+Provider.msi /qb LOGONBOX_URL=<hostname> REGISTRATION_KEY=<key>

Replace <hostname> with your own hostname or IP, e.g. test.logonbox.com. (Note that this is a host only and not a URL, as the parameter name might suggest.)

Replace <key> with the registration key.

 

Additional command line options can be found by running the exe with the /h switch, like so: LogonBox+Credential+Provider.msi /h.

 

For the MSI

LogonBox+Credential+Provider.msi /qb LOGONBOX_URL=<hostname> REGISTRATION_KEY=<key>

Replace <hostname> with your own hostname or IP, e.g. test.logonbox.com. (Note that this is a host only and not a URL, as the parameter name might suggest.)

Replace <key> with the registration key.

 

Additional command line options can be found by running the msi with the /? switch, like so: LogonBox+Credential+Provider.msi /?.
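The following is an added example of the silent install above driven from PowerShell; it is not a script shipped by LogonBox. It calls msiexec explicitly rather than relying on the .msi file association, writes a verbose install log, checks the exit code, and then reads the registry key documented later on this page to confirm which server the client was registered against. The MSI path, hostname and the LOGONBOX_REGISTRATION_KEY environment variable are placeholders you would replace; everything else uses standard msiexec switches and the LOGONBOX_URL / REGISTRATION_KEY properties from this section.

```powershell
# Added example, not LogonBox's own tooling. Run from an elevated PowerShell session.
param(
    [string]$MsiPath  = 'C:\Temp\LogonBox+Credential+Provider.msi',  # assumed download location
    [string]$Hostname = 'logonbox.example.com',                       # host or IP only, not a URL
    [string]$RegKey   = $env:LOGONBOX_REGISTRATION_KEY,               # keep the secret out of the script body
    [string]$LogPath  = "$env:TEMP\logonbox-cp-install.log"
)

$identity = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'The installer needs admin rights; start PowerShell elevated.'
}
if ([string]::IsNullOrWhiteSpace($RegKey)) { throw 'No registration key supplied (set LOGONBOX_REGISTRATION_KEY).' }
if ($Hostname -match '^https?://')        { throw 'LOGONBOX_URL takes a hostname or IP, not a URL.' }
if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

# /qn = no UI at all (the page's /qb shows a basic progress bar instead); /l*v = verbose log.
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    '/qn', '/norestart',
    '/l*v', "`"$LogPath`"",
    "LOGONBOX_URL=$Hostname",
    "REGISTRATION_KEY=$RegKey"
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success but a reboot is pending for some other reason.
if ($proc.ExitCode -notin @(0, 3010)) {
    throw "msiexec exited with $($proc.ExitCode); see $LogPath"
}

# Confirm the installer recorded the server the logon screen will contact.
$cp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\LogonBox\Credential Provider' -ErrorAction Stop
if ($cp.Url -ne $Hostname) { throw "Registry Url is '$($cp.Url)', expected '$Hostname'" }
"Credential Provider $($cp.Version) installed in $($cp.InstallDir), registered against $($cp.Url)"
```

Two things to keep in mind when you run this at scale. A verbose msiexec log records the values of properties passed on the command line, so the registration key will normally appear in the log file unless the package hides that property; delete the log or restrict access to it once the install is confirmed. If you deploy through a GPO instead, the same two properties come from the transform described in the next section (msiexec /i package.msi TRANSFORMS=package.mst /qn), and the key is then readable by anyone who can read the MST on the distribution share, so scope that share's permissions accordingly.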

 

Creating a transforms file for the MSI

For deploying silent installs via a GPO, you need a transforms file (MST) to supply the LOGONBOX_URL and REGISTRATION_KEY properties, since a GPO software installation cannot pass them on the command line.

Here is an example using the tool called Orca.

 

Run Orca and go to File->Open and open the Credentials Provider MSI file.

Select the Transform->New Transform menu.

Select the Property table.

 

Right click in the main window and select Add Row.

For the Property, add LOGONBOX_URL.

For the Value, add <hostname>

(replacing <hostname> with your own server's hostname)

 

Right click in the main window and Add Row again.

For the Property, add REGISTRATION_KEY.

For the Value, add <key>

(replacing <key> with your own server's registration key)

 

Now you can click Transform->Generate Transform and save out your MST file which can be used in a GPO.

Alternatively, you could select File->Save Transformed As and write out a new version of the MSI with this transform applied.

 

Advanced Registry Settings

The LogonBox Desktop Credentials Provider stores its settings in the Windows Registry, in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\LogonBox\Credential Provider.

This section runs through what each setting does and also documents some advanced features/troubleshooting items that you may wish to set.

 

General:

OtherUserText (String Value) - Controlled from web UI setting Other User Text. Sets the text in the small tile on the left-hand side, defaults to 'Log in with LogonBox'. Note this is synchronized with the server and will be overwritten if status checks are performed.
StartVPNText (String Value) - Controlled from web UI setting VPN Connection Text, defaults to 'Start VPN Connection'. Requires the LogonBox VPN client to be installed.
ResetPasswordText (String Value) - Controlled from web UI setting Reset Text, defaults to 'Reset Password'.
AccountUnlockText (String Value) - Controlled from web UI setting Unlock Text, defaults to 'Unlock Account'.
AllowNetworklessLogin (DWORD Value) - Controlled from web UI setting Allow Networkless Login. If enabled, a user can log in with password only when the server is unreachable, although if MFA is presented it will still have to be completed.
InstallDir (String Value) - The install directory of the Credentials Provider.
Version (String Value) - The version of the Credentials Provider.
IsLogonBoxDirectory (DWORD Value) - You may see this setting, it's set by the installer to differentiate between products, do not alter.
Url (String Value) - The hostname or URL to the LogonBox server as set in the installer.

 

Networking / troubleshooting. Set value to 1 to turn option on:

DisableStateCheck (DWORD Value) - Disables the initial check when a credential tile is selected. This check validates the current setup and shows or hides links based on license type. It is recommended to disable this check if you have very large numbers of Credential Providers deployed.
DisableMFA (DWORD Value) - Don't attempt MFA checks or present user with MFA after user provides their password.
NetworkRetryPeriod (DWORD Value) - The number of milliseconds to wait between network retries, defaults to '1000'.
NetworkRetryAttempts (DWORD Value) - The number of times to attempt a network call, defaults to '3'.
NetworkTimeout (DWORD Value) - The number of milliseconds before a network call times out, defaults to '5000'.
Debug (DWORD Value) - Set to '1' to turn on debug logging, this will generate log files in C:\Program Files\LogonBox\Credential Provider\Logs.

 

UI appearance:

DisableDPIAwareness (DWORD Value) - Cancel any DPI awareness setup in the credential wizard.
DisableHardwareAcceleration (DWORD Value) - Disable hardware acceleration in the credential wizard.
OverrideDPI (DWORD Value) - If you want to override the DPI used by the credential provider you can do so with this value, defaults to '144' without this setting.
BackgroundColor (String Value) - The brand background color used by the server (cached during credential wizard startup), in hex format #112233 etc.
ForegroundColor (String Value) - The brand foreground color used by the server (cached during credential wizard startup), in hex format #112233 etc.
DisableBranding (DWORD Value) - Stop any branding from being applied to the client.

Note that you can also add your own logo that will appear in the header of an MFA prompt by adding a file called brand.png to the C:\Program Files\LogonBox\Credential Provider directory.
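The script below is an added example for auditing and tuning the registry settings listed in this section; it is not part of the LogonBox product. It reads every documented value from HKLM\SOFTWARE\LogonBox\Credential Provider, substitutes the defaults stated above where a value is absent (and treats an absent on/off flag as off, which is an assumption), and reports the settings that weaken the logon flow: DisableMFA, AllowNetworklessLogin, a Url mistakenly entered as a URL, and Debug left on after troubleshooting. The network-tuning function and its default numbers are illustrative choices, not recommended values.

```powershell
# Added example, not LogonBox's own tooling. Reading needs no privileges; Set-* needs an elevated session.
$CpKey = 'HKLM:\SOFTWARE\LogonBox\Credential Provider'

# Defaults as documented on this page. Flags with no stated default are assumed off (0) when absent.
$Defaults = [ordered]@{
    NetworkRetryPeriod    = 1000
    NetworkRetryAttempts  = 3
    NetworkTimeout        = 5000
    OverrideDPI           = 144
    DisableStateCheck     = 0
    DisableMFA            = 0
    AllowNetworklessLogin = 0
    Debug                 = 0
}

function Get-LogonBoxCpSettings {
    # Effective settings: explicit registry value if present, otherwise the documented default.
    $props = Get-ItemProperty -Path $CpKey -ErrorAction Stop
    $effective = [ordered]@{ Url = $props.Url; Version = $props.Version; InstallDir = $props.InstallDir }
    foreach ($name in $Defaults.Keys) {
        $value = $props.$name
        $effective[$name] = if ($null -ne $value) { [int]$value } else { $Defaults[$name] }
    }
    [pscustomobject]$effective
}

function Test-LogonBoxCpSettings {
    # Returns one line per finding; an empty result means nothing looked weakened.
    $s = Get-LogonBoxCpSettings
    $findings = @()
    if ($s.DisableMFA -eq 1) {
        $findings += 'DisableMFA=1: no second factor is requested after the password at the logon screen.'
    }
    if ($s.AllowNetworklessLogin -eq 1) {
        $findings += 'AllowNetworklessLogin=1: password-only logon is accepted while the server is unreachable; confirm this is intended for this machine class.'
    }
    if ($s.Debug -eq 1) {
        $findings += 'Debug=1: verbose logs are accumulating under C:\Program Files\LogonBox\Credential Provider\Logs; turn off once troubleshooting is done.'
    }
    if ($s.Url -match '^https?://') {
        $findings += "Url='$($s.Url)': the installer expects a hostname or IP, not a URL."
    }
    if ([string]::IsNullOrWhiteSpace($s.Url)) {
        $findings += 'Url is empty: the client has no server to contact.'
    }
    $findings
}

function Set-LogonBoxCpNetworkTuning {
    # Illustrative values for machines on slow links; every number here is an assumption.
    param([int]$TimeoutMs = 10000, [int]$Attempts = 5, [int]$RetryMs = 2000)
    Set-ItemProperty -Path $CpKey -Name NetworkTimeout       -Value $TimeoutMs -Type DWord
    Set-ItemProperty -Path $CpKey -Name NetworkRetryAttempts -Value $Attempts  -Type DWord
    Set-ItemProperty -Path $CpKey -Name NetworkRetryPeriod   -Value $RetryMs   -Type DWord
}

Get-LogonBoxCpSettings | Format-List
Test-LogonBoxCpSettings
```

Because the text values (OtherUserText, branding colours and so on) are re-synchronised from the server on status checks, the audit only looks at the DWORD switches and the Url, which are set locally and persist. Running Test-LogonBoxCpSettings through your endpoint management tooling gives a quick fleet-wide view of which machines have MFA or the state check switched off.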