Installation guide for BaroPAM solution for multi-layer authentication to enhance the security of information assets (Windows)
Index
1. Install BaroPAM
1.1 Preparation before installing BaroPAM
1.2 Install BaroPAM
1.3 Install vcredist
1.4 BaroPAM environment settings
2. BaroPAM application
2.1 BaroPAM application process
2.2 BaroPAM application screen
2.3 How to logon to Windows
2.4 BaroPAM Debug
2.5 BaroPAM updating
3. BaroPAM resetting
3.1 BaroPAM environment resettings
3.2 How to disable BaroPAM
3.3 How to reuse BaroPAM
4. BaroPAM delete
4.1 BaroPAM delete
5. BaroPAM FAQ
6. About BaroPAM
1. Install BaroPAM
1.1 Preparation before installing BaroPAM
To use BaroPAM, you must set a password for your Windows user account or temporarily disable the password (reset the password after installing BaroPAM).
Make sure that your Windows user account and password are correct, and that you have the latest updates for Windows.
To install BaroPAM, you need to know the "Version of Windows, system type, computer name". To find them, go to "Explorer -> This PC -> Right-click", and the following screen appears.
If you click "Properties(R)" on the screen above, a screen that provides system information such as "Windows version, system type, workgroup, computer name" appears.
Important) To prevent BaroPAM from malfunctioning, check whether the "Computer name" or "PC name" contains Korean characters; it must be a combination of English letters, hyphens, and numbers.
Check the "Version of Windows, system type, work group, computer name" on the screen above, and download the appropriate BaroPAM installation module.
The URL to download the BaroPAM installation module is as follows.
http://nuriapp.com/download/baropam_setup_x32.zip ==> Windows 7, 8, 10, 11 32bit
http://nuriapp.com/download/baropam_setup_x64.zip ==> Windows 7, 8, 10, 11 64bit
1.2 Install BaroPAM
Move to the directory where you downloaded the BaroPAM installation module and proceed with the installation of BaroPAM in the following order.
First, if you unzip the compressed BaroPAM installation file (baropam_setup_x64.zip), the following "baropam_setup_x64" directory is created, and the following files exist.
- BaroPAM logo image(size 354 X 354): BaroPAM.bmp
- BaroPAM User Guide(Chinese): BaroPAM_Guide_Windows_cn.pdf
- BaroPAM User Guide(English): BaroPAM_Guide_Windows_en.pdf
- BaroPAM User Guide(Japanese): BaroPAM_Guide_Windows_jp.pdf
- BaroPAM User Guide(Korean): BaroPAM_Guide_Windows_kr.pdf
- BaroPAM Installer(Chinese): baropam_setup_x64_cn.exe
- BaroPAM Installer(English): baropam_setup_x64_en.exe
- BaroPAM Installer(Japanese): baropam_setup_x64_jp.exe
- BaroPAM Installer(Korean): baropam_setup_x64_kr.exe
- NTP Client Settings: ntpclient_setup.bat(time.windows.com is set)
- Update URL configuration file: pam_baro_update.ini(http://nuriapp.com/update is set)
- Registry registration file: register_x64.reg
- Registry removal file: Unregister_x64.reg
Second, to run the BaroPAM installation file, select the "baropam_setup_x64_en.exe" file and click the right mouse button. Instead of the screen to install BaroPAM, the "Windows PC protection" screen may appear as follows.
Clicking the "Do Not Run" button cancels the installation of BaroPAM.
After confirming the contents of the screen above, click "Additional Information" and the following screen will appear.
If you click the "Do run" button, the screen to install BaroPAM appears, and if you click the "Do not run" button, the installation of BaroPAM is canceled.
Third, if you click the "Do run" button, the screen to select the installation mode of BaroPAM appears. Select "Install for all users (recommended)" if you are installing for the first time or you are an administrator, and "Install for me only" if you need to configure the BaroPAM environment for each user after installing the administrator version.
Fourth, if you want to create an additional shortcut on the desktop as an additional action to be performed in the settings during BaroPAM installation, select an additional action and click the "Next" button.
Fifth, after checking the directory and shortcut folder to install BaroPAM on the computer, click the "Next" button. The progress of BaroPAM installation on the computer appears as follows.
Sixth, if the BaroPAM module installation is normally completed, the "Completing the BaroPAM Setup Wizard" screen appears as follows.
In the screen above, select "Microsoft Runtime Library" to install the package (vcredist) for the Windows process and "Launch BaroPAM Manager" to set the environment for BaroPAM, then click the "Finish" button at the bottom.
1.3 Install vcredist
First, vcredist is required to run programs built with Microsoft Visual C++ in Windows 32bit and Windows 64bit environments. Its installation screen, "Microsoft Visual C++ 2015-2019 Redistributable (x64) - …", appears as follows.
If it is already installed, the following "Microsoft Visual C++ 2015-2019 Redistributable (x64) - …" installation modification screen appears.
In this case, since it is already installed, do not click the "Repair(R) or Uninstall(U)" button, but click the "Close(C)" button.
C++ programs developed with versions after Visual Studio 2005 must have Redistributable installed. If not installed, the following error message occurs when logging on to Windows, and BaroPAM is not applied.
Second, on the "Microsoft Visual C++ 2015-2019 Redistributable (x64) - …" installation screen, after checking the "MICROSOFT Software License Terms", select "Agree(A)" and click the "Install(I)" button, and the following "Installation Progress" screen appears.
Third, when the installation of "Microsoft Visual C++ 2015-2019 Redistributable (x64) - …" is completed normally, the following "Setup Successful" screen appears.
After proceeding with the vcredist program installation, call "Launch BaroPAM Manager" to set the BaroPAM environment.
1.4 BaroPAM environment settings
If the BaroPAM module is installed normally, proceed with the BaroPAM environment setting in the following order to use BaroPAM.
First, the "BaroPAM Manager" screen appears, where you can configure BaroPAM for Windows.
▣Secure key
The secure key assigned to each information asset is a required input item, and you must enter the secure key granted upon request from the vendor.
If you enter an arbitrary "Secure key" not given by the vendor, you may be unable to log on to the information asset because an incorrect OTA key is given.
If the secure key set in the information asset and the secure key registered in the BaroPAM app, which is an OTA key generator, are different, the OTA keys are different, so you may not be able to log on to Windows.
If you do not enter the secure key or it is out of range, the following message appears on the screen.
▣Cycle time(3~60 sec)
The Cycle time of the OTA key is a required input item and can be specified from a minimum of 3 seconds to a maximum of 60 seconds. If you do not enter the Cycle time or it is out of range, the following message appears on the screen.
If the cycle time of the OTA key differs from the cycle time specified in the BaroPAM app, which is an OTA key generator, it may be impossible to log in because the OTA keys are different.
▣Emergency OTA key
Up to five 8-digit emergency OTA keys can be set in case the BaroPAM app, the OTA key generator, is unavailable or lost. An emergency OTA key is automatically deleted once it has been used to log on to Windows.
① Enter the emergency OTA key to be added as an 8-digit number.
② Click the "Add" button to add the emergency OTA key entered in ① to ③. If you want to delete the added emergency OTA key, double-click the emergency OTA key in ③ and it will be deleted in ③.
If you add more than 5 emergency OTA keys, the following message appears on the screen.
▣Server name
You must enter the same computer name as the "server name" registered in the BaroPAM app, an OTA key generator.
If BLE (Bluetooth Low Energy) is used and the configured server name differs from the server name registered in the BaroPAM app, which is an OTA key generator, the automatic logon of Windows and the screen saver lock prevention/automatic lock/automatic unlock functions do not work normally.
▣Username
Specifies the Username used to log on to Windows.
To log on to Windows, specify "Workgroup\Username" when using "Local user", "MicrosoftAccount\MS Registration Account" when using "Microsoft Account", and "Domain Name" when using "Windows server".
For example, for a local user whose work group is "WORKGROUP" and user name is "baropam", enter "WORKGROUP\baropam"; for a Microsoft account whose MS registration account is "mc529@nurit.co.kr", enter "MicrosoftAccount\mc529@nurit.co.kr"; for a Windows server whose domain name is "nurit.co.kr", enter "nurit.co.kr".
Note) To check the workgroup, right-click the "Windows Start" image -> click "System" -> click "Advanced system settings" -> check "Workgroup" on the "System Properties" screen.
Note) Check Username, which is the Windows user account, in "Search Windows -> Enter 'netplwiz' -> Open".
▣Applying BLE
In order to minimize user's inconvenience, select "Applying BLE" when using the automatic log-in of the computer with a single touch in conjunction with the BaroPAM app and the function of preventing/auto-locking/auto-unlocking the screen saver.
If "Auto Login" is selected, it works with the BaroPAM app to automatically log in to the computer with a single touch and to prevent/auto-lock/auto-unlock the screen saver.
If you select "Screen Saver", you can use the function to prevent/auto-lock/auto-disable the computer's screen saver with a single touch in conjunction with the BaroPAM app.
Second, if you click the "Save" button to save the BaroPAM environment setting information, the following message appears.
If you select the "Yes" button, the settings in the "BaroPAM Manager" screen are saved, the "BaroPAM Manager" screen is closed, and the BaroPAM installation process proceeds.
If the "No" button is selected, the settings made on the "BaroPAM Manager" screen are not saved, the "BaroPAM Manager" screen is closed, and the BaroPAM installation process ends.
Third, if you click the "Yes" button on the above screen, the following "Registry Editor" screen appears to register BaroPAM in the Windows registry.
Fourth, after checking the contents of the "Registry Editor" screen, click the "Yes" button to register the BaroPAM registry, and the following "Registry Editor" screen appears.
Click the "OK" button on the screen above to complete BaroPAM's registry registration.
Fifth, after copying the module to the BaroPAM installation directory, the following message appears.
Click the "OK" button on the screen above to complete the installation of BaroPAM.
Note) After installing BaroPAM, do not reboot Windows, but use "Winkey+L" to test.
The details and format of the authentication log (pam_baro_auth.log) logged during Windows logon are as follows.
1) Logon success
① Using an emergency OTA key
2018.10.14 11:46:02-0537 : BAROPAM-PC : emergency authentication key : session opened for user root by (local ip=1.234.83.169,Remote ip=0.0.0.0)
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroPAM Setup : emergency authentication key : session opened for user root by (local ip=1.234.83.169,Remote ip=0.0.0.0)
② Use an OTA key
2018.10.14 11:46:02-0537 : BAROPAM-PC : authentication key : session opened for user root by (local ip=1.234.83.169,Remote ip=0.0.0.0)
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroPAM Setup : authentication key : session opened for user root by (local ip=1.234.83.169,Remote ip=0.0.0.0)
③ Using BaroBLE
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroBLE Logon : authentication key : session opened for user root by (local ip=1.234.83.169,Remote ip=0.0.0.0)
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroBLE Manager : BLE session opened for user root by (local ip=1.234.83.169,Remote ip=0.0.0.0)
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroBLE Manager : ERP Application auto-login for user root by (local ip=1.234.83.169,Remote ip=0.0.0.0)
2) Logon failure
① Verification failed
2018.10.14 11:46:02-0537 : BAROPAM-PC : emergency authentication key : User root authentication failed (local ip=1.234.83.169,Remote ip=0.0.0.0)
2018.10.14 11:46:02-0537 : BAROPAM-PC : authentication key : User root authentication failed (local ip=1.234.83.169,Remote ip=0.0.0.0)
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroPAM Setup : User root authentication failed (local ip=1.234.83.169,Remote ip=0.0.0.0)
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroBLE Manager : User root authentication failed (local ip=1.234.83.169,Remote ip=0.0.0.0)
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroBLE Logon : User root authentication failed (local ip=1.234.83.169,Remote ip=0.0.0.0)
② There is no authentication key cycle time
2018.10.14 11:46:02-0537 : BAROPAM-PC : authentication key : There is no cycle time for user root (local ip=1.234.83.169,Remote ip=0.0.0.0)
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroPAM Setup : There is no cycle time for user root (local ip=1.234.83.169,Remote ip=0.0.0.0)
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroBLE Manager : There is no cycle time for user root (local ip=1.234.83.169,Remote ip=0.0.0.0)
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroBLE Logon : There is no cycle time for user root (local ip=1.234.83.169,Remote ip=0.0.0.0)
③ No verification code entered
2018.10.14 11:46:02-0537 : BAROPAM-PC : authentication key : There is no verification code for user root (local ip=1.234.83.169,Remote ip=0.0.0.0)
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroPAM Setup : There is no verification code for user root (local ip=1.234.83.169,Remote ip=0.0.0.0)
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroBLE Manager : There is no verification code for user root (local ip=1.234.83.169,Remote ip=0.0.0.0)
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroBLE Logon : There is no verification code for user root (local ip=1.234.83.169,Remote ip=0.0.0.0)
④ No verification key
2018.10.14 11:46:02-0537 : BAROPAM-PC : authentication key : There is no secure key for user root (local ip=1.234.83.169,Remote ip=0.0.0.0)
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroPAM Setup : There is no secure key for user root (local ip=1.234.83.169,Remote ip=0.0.0.0)
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroBLE Manager : There is no secure key for user root (local ip=1.234.83.169,Remote ip=0.0.0.0)
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroBLE Logon : There is no secure key for user root (local ip=1.234.83.169,Remote ip=0.0.0.0)
3) Etc
① BLE session closed
2018.10.14 11:46:02-0537 : BAROPAM-PC : BaroBLE Manager : BLE session closed for user root (local ip=1.234.83.169,Remote ip=0.0.0.0)
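One way to monitor this log, as an added example that is not part of the BaroPAM product: a parser for the pam_baro_auth.log layout shown above that flags every emergency OTA key logon and bursts of failures per user and remote address. The sample lines are constructed, the numeric suffix after the timestamp is kept as an opaque field because the guide does not explain it, and the thresholds (3 failures in 60 seconds) are assumptions chosen inside the "Limit number" and "Limit time" ranges of section 3.1.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in the pam_baro_auth.log layout (host, users and
# RFC 5737 documentation addresses are made up for this example).
SAMPLE_LOG = """\
2024.03.01 09:00:01-0537 : WS-01 : authentication key : session opened for user alice by (local ip=192.0.2.10,Remote ip=0.0.0.0)
2024.03.01 09:05:10-0537 : WS-01 : authentication key : User bob authentication failed (local ip=192.0.2.10,Remote ip=198.51.100.7)
2024.03.01 09:05:25-0537 : WS-01 : authentication key : User bob authentication failed (local ip=192.0.2.10,Remote ip=198.51.100.7)
2024.03.01 09:05:40-0537 : WS-01 : BaroPAM Setup : There is no verification code for user bob (local ip=192.0.2.10,Remote ip=198.51.100.7)
2024.03.01 09:30:00-0537 : WS-01 : emergency authentication key : session opened for user alice by (local ip=192.0.2.10,Remote ip=0.0.0.0)
2024.03.01 10:00:00-0537 : WS-01 : BaroBLE Manager : BLE session closed for user alice (local ip=192.0.2.10,Remote ip=0.0.0.0)
"""

# timestamp-suffix : host : [tag : ...] message (local ip=..,Remote ip=..)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2})-(?P<suffix>\d+) : "
    r"(?P<host>[^:]+?) : (?P<body>.*) "
    r"\(local ip=(?P<local>[^,]*),Remote ip=(?P<remote>[^)]*)\)\s*$"
)
USER_RE = re.compile(r"\buser (\S+)", re.IGNORECASE)
EMERGENCY_TAG = "emergency authentication key"
# Message fragments taken from the log samples in this guide.
OUTCOMES = (
    ("authentication failed", "auth_failed"),
    ("no cycle time", "no_cycle_time"),
    ("no verification code", "no_verification_code"),
    ("no secure key", "no_secure_key"),
    ("session closed", "session_closed"),
    ("session opened", "logon_ok"),
    ("auto-login", "logon_ok"),
)
FAILURES = {"auth_failed", "no_cycle_time", "no_verification_code", "no_secure_key"}


@dataclass
class Event:
    ts: datetime
    host: str
    tags: tuple      # e.g. ("BaroPAM Setup", "emergency authentication key")
    outcome: str
    user: str
    local_ip: str
    remote_ip: str


def parse_line(line):
    """Parse one log line; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    *tags, message = [part.strip() for part in m["body"].split(" : ")]
    outcome = next((name for marker, name in OUTCOMES if marker in message), "other")
    user = USER_RE.search(message)
    return Event(
        ts=datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S"),
        host=m["host"].strip(), tags=tuple(tags), outcome=outcome,
        user=user.group(1) if user else "?",
        local_ip=m["local"], remote_ip=m["remote"],
    )


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def find_alerts(events, limit_number=3, limit_time=60):
    """Flag emergency-key logons and failure bursts (assumed thresholds)."""
    alerts, failures = [], defaultdict(list)
    for ev in events:
        if ev.outcome == "logon_ok" and EMERGENCY_TAG in ev.tags:
            # Emergency keys are single-use and limited to five, so each use matters.
            alerts.append(("emergency_key_used", ev.user, ev.remote_ip, ev.ts))
        elif ev.outcome in FAILURES:
            failures[(ev.user, ev.remote_ip)].append(ev.ts)
    window = timedelta(seconds=limit_time)
    for (user, remote), times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= limit_number:
                alerts.append(("failure_burst", user, remote, start))
                break
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```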
If the Windows time is different from the current time, the OTA key does not match.
Recently, the usual method of time synchronization for servers/network equipment is time server synchronization: using NTP (Network Time Protocol), the system time can be set to the current time from the administrator account.
If you cannot log on to Windows, boot into safe mode as follows, move to the installation module directory, and click the "Unregister_x64.reg" file to release the BaroPAM information added to the Windows registry.
Windows safe mode, which is used when unable to log on to Windows, is a mode for diagnosing the operating system and has many functional limitations, such as using the minimum number of files and drivers. But thanks to this, it can help to solve the problem. (Refer to the Windows manual)
2. BaroPAM application
2.1 BaroPAM application process
2.2 BaroPAM application screen
2.3 How to logon to Windows
If Windows is currently logged on, press "Winkey+L" or turn on Windows to display the BaroPAM logon screen where you enter the following BaroPAM OTA key and Windows Username/Password.
To log on to Windows, specify "Workgroup\Username" when using "Local user", "MicrosoftAccount\MS Registration Account" when using "Microsoft Account", and "Domain Name" when using "Windows server".
For example, for a local user whose work group is "WORKGROUP" and user name is "baropam", enter "WORKGROUP\baropam"; for a Microsoft account whose MS registration account is "mc529@nurit.co.kr", enter "MicrosoftAccount\mc529@nurit.co.kr"; for a Windows server whose domain name is "nurit.co.kr", enter "nurit.co.kr".
The "server name, secure key, cycle time" entered on the "BaroPAM Manager" screen must be entered identically on the "Register server information" screen of the "BaroPAM" app.
Download the BaroPAM App)
The BaroPAM app can be used on Android 6.0 (Marshmallow) API 23, iOS 13.0 or higher, and does not support landscape mode.
After installing the BaroPAM app, launch it, click the "Verification Code" button on the menu selection screen, and on the "Register server information" screen of the BaroPAM app enter the same "Server name, Secure Key, Cycle time" that you entered in the "BaroPAM Manager" screen.
Message: The "OTA key" is incorrect because the date and time of the Android phone or iPhone are different from the current time.
Cause: This is caused by not using the time provided by the network for the Android or iPhone's date and time.
Action: For Android phones, go to "Settings" -> "General management" -> "Date and time" -> "Automatic date and time" and "Automatic time zone" -> "Allow"
For iPhone, go to "Settings" -> "Date & Time" -> "Set Automatically" -> "Allow"
Message: If you cannot log in because the one-time authentication key does not match.
Cause: BaroPAM is a time synchronization method, so the phone and Windows time must be the same.
Action: Make sure the time on your phone and Windows are correct.
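Why the secure key, cycle time and clocks all have to agree, as an added sketch that is not BaroPAM code: the guide does not describe BaroPAM's key derivation, so RFC 6238 TOTP (HMAC-SHA1) is used here as a stand-in for a time-synchronized generator. The function names are hypothetical, the check accepts only the current cycle (whether BaroPAM tolerates adjacent cycles is not stated on this page), and the secret is the RFC 6238 test secret.

```python
import hashlib
import hmac
import struct

# RFC 6238 test secret, used only so the outputs can be checked against the RFC.
RFC_SECRET = b"12345678901234567890"


def ota_key(secret: bytes, unix_time: int, cycle_time: int, digits: int = 8) -> str:
    """TOTP stand-in: one key per cycle_time-second window of the clock."""
    if not 3 <= cycle_time <= 60:  # range accepted by BaroPAM Manager per this guide
        raise ValueError("cycle time must be 3..60 seconds")
    counter = unix_time // cycle_time            # index of the current cycle
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def diagnose(secret_pc, secret_app, cycle_pc, cycle_app, time_pc, time_app):
    """Compare what Windows expects with what the phone shows.

    Returns (keys_match, reasons) where reasons lists every setting that
    differs between the two sides.
    """
    reasons = []
    if secret_pc != secret_app:
        reasons.append("secure key differs")
    if cycle_pc != cycle_app:
        reasons.append("cycle time differs")
    elif time_pc // cycle_pc != time_app // cycle_app:
        reasons.append("clocks fall in different cycles")
    match = ota_key(secret_pc, time_pc, cycle_pc) == ota_key(secret_app, time_app, cycle_app)
    return match, reasons


def mismatch_fraction(skew_seconds: int, cycle_time: int, cycles: int = 100) -> float:
    """Share of the time two clocks skew_seconds apart sit in different cycles."""
    total = cycle_time * cycles
    differ = sum(
        1 for t in range(total)
        if t // cycle_time != (t + skew_seconds) // cycle_time
    )
    return differ / total


if __name__ == "__main__":
    print(ota_key(RFC_SECRET, 59, 30))                       # same settings on both sides
    print(diagnose(RFC_SECRET, RFC_SECRET, 30, 60, 59, 59))  # cycle time mismatch
    print(diagnose(RFC_SECRET, RFC_SECRET, 30, 30, 59, 60))  # 1 s skew across a boundary
    print(mismatch_fraction(5, 30), mismatch_fraction(5, 3))
```

With a 5-second clock difference the two sides disagree about one sixth of the time at a 30-second cycle and all of the time at a 3-second cycle, so short cycle times need tighter time synchronization.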
Enter the Windows user account (Username), generate an OTA key in the "BaroPAM" app on the smartphone, and enter the generated OTA key in "Verification code" and the password in "Password" in Windows. Clicking "->" or the "Enter" button then requests authentication from the BaroPAM module, and if verification is successful, the logon authentication policy of the Windows OS is activated.
In Windows, if the BaroPAM verification module fails to authenticate the entered OTA key, the following "Error" message appears on the BaroPAM logon screen.
2.4 BaroPAM Debug
To debug BaroPAM for Windows, create a file "c:\temp\baropam_trace.txt", then set "trace=on" as the file contents and save it. If you want to stop debugging, set "trace=off" or delete "baropam_trace.txt". When debugging is enabled, "c:\temp\BaroPAM_CP_buglog.txt" is created and debugging messages are written to the file.
baropam_trace.txt)
trace=on
BaroPAM_CP_buglog.txt)
[16-07-2024 10:17:55](11332 | 13624)[Dll.cpp:238] Dll:DllMain
[16-07-2024 10:17:55](11332 | 13624)[Dll.cpp:239] SYSTEM
[16-07-2024 10:17:55](11332 | 13624)[Dll.cpp:244] Dll:DllMain - pass
[16-07-2024 10:17:55](11332 | 13624)[Dll.cpp:181] CClassFactory::CreateInstance
[16-07-2024 10:17:55](11332 | 13624)[Dll.cpp:184] Dll:Invoke IID_ICredentialProvider
[16-07-2024 10:17:55](11332 | 13624)[CProvider.cpp:577] BaroPAM_CreateInstance
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1268] BaroPAM::runProcessBLE
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1258] BaroPAM::isBLELogin
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1119] BaroPAM::init_PAM
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1143] BaroPAM::init_PAM(**) - username[] GET_BAROPAM_CURR_HOME[C:\Program Files (x86)\BaroPAM\]
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1317] BaroPAM::IsExistProcess
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1321] ProcessName : BaroBLEManager.exe
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1340] 2 ProcessName : FALSE
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1236] BaroPAM::getBaroPAM_HOME
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1119] BaroPAM::init_PAM
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1143] BaroPAM::init_PAM(**) - username[] GET_BAROPAM_CURR_HOME[C:\Program Files (x86)\BaroPAM\]
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1236] BaroPAM::getBaroPAM_HOME
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1119] BaroPAM::init_PAM
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1143] BaroPAM::init_PAM(**) - username[] GET_BAROPAM_CURR_HOME[C:\Program Files (x86)\BaroPAM\]
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1298] Restart BaroBLE app [C:\Program Files (x86)\BaroPAM\BaroBLEManager\BaroBLEManager.exe] TYPE[] PORT[]
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1258] BaroPAM::isBLELogin
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1119] BaroPAM::init_PAM
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1143] BaroPAM::init_PAM(**) - username[] GET_BAROPAM_CURR_HOME[C:\Program Files (x86)\BaroPAM\]
[16-07-2024 10:17:55](11332 | 13624)[CProvider.cpp:585] BaroPAM_CreateInstance
[16-07-2024 10:17:55](11332 | 13624)[CProvider.cpp:61] CProvider::CProvider
[16-07-2024 10:17:55](11332 | 13624)[Configuration.cpp:107] Configuration::Configuration
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1236] BaroPAM::getBaroPAM_HOME
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1119] BaroPAM::init_PAM
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1143] BaroPAM::init_PAM(**) - username[] GET_BAROPAM_CURR_HOME[C:\Program Files (x86)\BaroPAM\]
[16-07-2024 10:17:55](11332 | 13624)[Configuration.cpp:73] GetWindowsVersion
[16-07-2024 10:17:55](11332 | 13624)[Configuration.cpp:49] GetWindowsVersion
[16-07-2024 10:17:55](11332 | 13624)[Configuration.cpp:66] GetWindowsVersion - End
[16-07-2024 10:17:55](11332 | 13624)[Configuration.cpp:101] GetWindowsVersion - End
[16-07-2024 10:17:55](11332 | 13624)[Configuration.cpp:153] Configuration - End
[16-07-2024 10:17:55](11332 | 13624)[CProvider.cpp:592] BaroPAM_CreateInstance
[16-07-2024 10:17:55](11332 | 13624)[CProvider.cpp:595] BaroPAM_CreateInstance
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1348] BaroPAM::IsRunBLE
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1317] BaroPAM::IsExistProcess
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1321] ProcessName : BaroBLEManager.exe
[16-07-2024 10:17:55](11332 | 13624)[BaroPAM.cpp:1340] 2 ProcessName : TRUE
[16-07-2024 10:17:55](11332 | 13624)[CProvider.cpp:599] BaroPAM_CreateInstance
[16-07-2024 10:17:55](11332 | 13624)[CProvider.cpp:603] BaroPAM_CreateInstance Result:
[16-07-2024 10:17:55](11332 | 13624)[CProvider.cpp:605] (int) 0
[16-07-2024 10:17:56](11332 | 13624)[Dll.cpp:238] Dll:DllMain
[16-07-2024 10:17:56](11332 | 13624)[Dll.cpp:239] SYSTEM
[16-07-2024 10:17:56](11332 | 13624)[Dll.cpp:244] Dll:DllMain - pass
[16-07-2024 10:17:56](11332 | 13624)[Dll.cpp:181] CClassFactory::CreateInstance
[16-07-2024 10:17:56](11332 | 13624)[Dll.cpp:188] Dll:Invoke IID_ICredentialProviderFilter
[16-07-2024 10:17:56](11332 | 13624)[CCredentialProviderFilter.cpp:47] BaroPAMFilter_CreateInstance
[16-07-2024 10:17:56](11332 | 13624)[CCredentialProviderFilter.cpp:103] CCredentialProviderFilter::CCredentialProviderFilter
[16-07-2024 10:17:56](11332 | 13624)[CCredentialProviderFilter.cpp:105] CCredentialProviderFilter - End
[16-07-2024 10:17:56](11332 | 13624)[CCredentialProviderFilter.cpp:58] (int) 0
[16-07-2024 10:17:56](11332 | 13624)[CCredentialProviderFilter.cpp:66] CCredentialProviderFilter::Filter: CPUS_LOGON
…………
2.5 BaroPAM updating
First, click the "Start" button at the bottom right of Windows and click "BaroPAM Manager(for manager)" as follows.
Second, if you click "BaroPAM Manager(for manager)", the following "BaroPAM intro" screen appears.
Thirdly, after the "BaroPAM intro" screen lasts for 3 seconds, the "BaroPAM Certification" screen that authenticates to change the environment settings of BaroPAM for Windows appears as follows.
Enter the OTA key generated by the BaroPAM app in "Verification code:" and click the "Login" button. If the OTA key entered is incorrect, a message box at the bottom displays "Certification failed. Please re-enter your verification code.", and the OTA key must be regenerated in the BaroPAM app and entered again.
Fourth, when authentication of the OTA key is completed on the biometric authentication or "BaroPAM Certification" screen, the "BaroPAM Manager" screen appears where you can change the environment settings of BaroPAM for Windows as follows.
Fifth, if you click the "Update" button at the bottom of the "BaroPAM Manager" screen, the following message will appear if it is the latest version.
Sixth, if there are contents to be updated in BaroPAM, the update process proceeds as follows.
Seventh, after the update of BaroPAM has proceeded normally, apply the update by pressing "Winkey+L" or, if a reboot is needed, by rebooting Windows manually.
3. BaroPAM resetting
3.1 BaroPAM environment resettings
If you need to reset the environment after installing BaroPAM, reset the BaroPAM environment in the following order.
First, click the "Start" button at the bottom right of Windows and click "BaroPAM Manager(for manager)" as follows.
Second, if you click "BaroPAM Manager", the following "BaroPAM intro" screen appears.
Thirdly, after the "BaroPAM intro" screen lasts for 3 seconds, the "BaroPAM Certification" screen that authenticates to change the environment settings of BaroPAM for Windows appears as follows.
Enter the OTA key generated by the BaroPAM app in "Verification code:" and click the "Login" button. If the OTA key entered is incorrect, a message box at the bottom displays "Certification failed. Please re-enter your verification code.", and the OTA key must be regenerated in the BaroPAM app and entered again.
Fourth, when authentication of the OTA key is completed on the biometric authentication or "BaroPAM Certification" screen, the "BaroPAM Manager" screen appears where you can change the environment settings of BaroPAM for Windows as follows.
▣Limit number(1~10 times)
Set the limited number of times (1~10) for the OTA key. If you do not enter the limit number or it is out of range, the following message appears on the screen.
▣Limit time(15~600 sec)
Set the time limit (15~600 sec) for the OTA key. If you do not enter the time limit or it is out of range, the following message will appear on the screen.
When a user connects remotely and attempts to log on to Windows, if the logon fails as many times as the limited number of times within the time limit, the logon screen of that remote visitor is forcibly closed.
▣Cycle time(3~60 sec)
The authentication cycle time of the OTA key is a required input item and can be specified from a minimum of 3 seconds to a maximum of 60 seconds. If you do not enter the authentication cycle time or it is out of range, the following message appears on the screen.
If the OTA key authentication cycle time and the OTA key generation cycle time specified in the BaroPAM app, which is an OTA key generator, are different, login may not be possible because the OTA keys are different.
▣Secure key
The secure key assigned to each information asset is a required input item, and you must enter the secure key granted upon request from the vendor.
If you enter an arbitrary "Secure key" not given by the vendor, you may be unable to log on to the information asset because an incorrect OTA key is given.
If the secure key set in the information asset and the secure key registered in the BaroPAM app, which is an OTA key generator, are different, the OTA keys are different, so you may not be able to log on to Windows.
If you do not enter the secure key or it is out of range, the following message appears on the screen.
▣Will it prevent man-in-the-middle attacks?
If "Yes" is selected to prevent a man-in-the-middle attack, other users cannot log on to Windows during the authentication cycle time of the OTA key. If "No" is selected, all users are allowed to log on to Windows regardless of the authentication cycle time of the OTA key.
▣Access control list
Select whether to allow (Allow) or exclude (Deny) 2nd authentication (additional authentication) during Windows logon.
If "Deny" is selected, only the user accounts set in the ACL (pam_baro_acl.ini) are excluded from 2nd authentication (additional authentication), and 2nd authentication is applied to user accounts that are not set.
If "Allow" is selected, 2nd authentication (additional authentication) is applied only to the user accounts set in the ACL (pam_baro_acl.ini), and user accounts that are not set are excluded.
▣Emergency OTA key
Up to five 8-digit emergency OTA keys can be set in case the BaroPAM app, the OTA key generator, is unavailable or lost. An emergency OTA key is automatically deleted once it has been used to log on to Windows.
① Enter the emergency OTA key to be added as an 8-digit number.
② Click the "Add" button to add the emergency OTA key entered in ① to ③. If you want to delete the added emergency OTA key, double-click the emergency OTA key in ③ and it will be deleted in ③.
If you add more than 5 emergency OTA keys, the following message appears on the screen.
▣ACL Username
Registers a user account that needs to allow (Allow) or exclude (Deny) 2nd authentication (additional authentication) when logging on to Windows.
④ Enter the user account to be added.
⑤ Click the "Add" button to add the user account entered in ④ to ⑥. If you want to delete the added user account, double-click the user account in ⑥ and it will be deleted in ⑥.
▣Server name
You must enter the same computer name as the "server name" registered in the BaroPAM app, an OTA key generator.
If BLE (Bluetooth Low Energy) is used and the configured server name differs from the server name registered in the BaroPAM app, which is an OTA key generator, the automatic logon of Windows and the screen saver lock prevention/automatic lock/automatic unlock functions do not work normally.
▣Username
Specifies the Username used to log on to Windows.
To log on to Windows, specify "Workgroup\Username" when using "Local user", "MicrosoftAccount\MS Registration Account" when using "Microsoft Account", and "Domain Name" when using "Windows server".
For example, for a local user whose work group is "WORKGROUP" and user name is "baropam", enter "WORKGROUP\baropam"; for a Microsoft account whose MS registration account is "mc529@nurit.co.kr", enter "MicrosoftAccount\mc529@nurit.co.kr"; for a Windows server whose domain name is "nurit.co.kr", enter "nurit.co.kr".
Note) To check the workgroup, right-click the "Windows Start" image -> click "System(Y)" -> click "Advanced system settings" -> check "Workgroup" on the "System Properties" screen.
Note) Check Username, which is the Windows user account, in "Search Windows -> Enter 'netplwiz' -> Open".
▣Environment settings
Select whether the BaroPAM environment settings are shared by all users or kept separately for each user (Username).
If "Share" is selected, BaroPAM's configuration file (pam_baro_auth.ini) is shared and used without classifying BaroPAM's environment settings by user.
If "Username" is selected, BaroPAM's environment settings are classified for each user, and the BaroPAM environment configuration file (pam_baro_auth.ini) is set for each user and used.
▣Applying BLE
In order to minimize user's inconvenience, select "Applying BLE" when using the automatic log-in of the computer with a single touch in conjunction with the BaroPAM app and the function of preventing/auto-locking/auto-unlocking the screen saver.
If "Auto Login" is selected, it works with the BaroPAM app to automatically log in to the computer with a single touch and to prevent/auto-lock/auto-unlock the screen saver.
If you select "Screen Saver", you can use the function to prevent/auto-lock/auto-disable the computer's screen saver with a single touch in conjunction with the BaroPAM app.
▣Application BLE Interconnection
In order to minimize the user's inconvenience, when using the application's automatic login function with a single touch in conjunction with the BaroPAM app, click "Application BLE Interconnection" at the bottom. The following screen for setting the information used to connect with the application then appears.
On the screen above, enter the system name, ID, and password (you do not need to enter it if you are not using it), which are information to be linked to the application.
▣HTTP Interconnection
BaroPAM requests authentication from a server that comprehensively manages authentication rather than directly authenticating from Windows. BaroPAM requests authentication via http/https using cURL (Client URL). Enter the URL to be called.
The URL to be called (e.g. http://1.23.456.789/baropam/web/result_curl.jsp) internally carries parameters such as the server name (hostname), user account (username), authentication cycle (cycle_time), and one-time authentication key (auth_key), and is called to perform authentication when logging in to Windows. Since the one-time authentication key travels in this request, specifying an https URL keeps it from crossing the network in clear text.
The functions of the buttons at the bottom of the "BaroPAM Manager" screen are as follows.
1. Save button
When the "Save" button is clicked, the validity of the input items is first checked and then saved in the BaroPAM configuration files (pam_baro_auth.ini, pam_baro_acl.ini, pam_baro_db.ini).
Click the "OK" button to close the "BaroPAM Manager" screen.
Note) After resetting the BaroPAM environment, do not reboot Windows, but use the shortcut "Winkey+L" to test.
2. Update button
When you click the "Update" button, if there are contents to be updated in BaroPAM, the update process proceeds as follows. (Refer to "2.4 BaroPAM updating")
3. Copy button
If you click the "Copy" button, a screen is displayed for setting the BaroPAM environment setting file (pam_baro_auth.ini) for each user, so that BaroPAM's environment settings are kept separately by user. (Refer to "1.4 BaroPAM environment settings")
Note) Username related error message when clicking "Save" button
1. If you want to register (save) by entering the same Username as the administrator ID: "You cannot save with the administrator's user ID."
2. If you do not have a user account in the Users\ directory, but you want to register (save): "There is no registered user account. Please register a user account first in the Windows settings"
3. If you misspell your username: "This is an incorrectly entered 'Username' field. Must be entered as <Group>\<Username>."
4. If you have already registered a general user account and are trying to register again: "I already have settings in my user account. Saving will delete any existing settings. Do you want to continue?"
5. When registration is complete: "The setting information has been saved."
4. Log View button
If you click the "Log View" button, a copy of the authentication log logged during Windows logon is displayed on the "Windows Notepad" screen as follows.
5. Remove button
When you click the "Remove" button, the first step is to remove the information registered in the registry about BaroPAM as follows. (Refer to "3.2 How to Disable BaroPAM")
6. Help button
Click the "Help" button to display the BaroPAM User's Guide for Windows on the screen as follows.
7. Close button
Click the "Close" button to close the "BaroPAM Manager" screen.
3.2 How to disable BaroPAM
If you want to stop using the BaroPAM module while BaroPAM remains installed, proceed with the removal of BaroPAM in the following order.
1. How to use BaroPAM Manager
If you click the "Remove" button at the bottom of the "BaroPAM Manager" screen, the information registered in the registry about BaroPAM is removed as follows.
First, since you need to allow Registry Editor to make changes to the device, click the "Yes" button and the following "Registry Editor" screen appears.
Second, after checking the contents of the "Registry Editor" screen, click the "Yes" button to remove the BaroPAM registry, and the following "Registry Editor" screen appears.
Click the "OK" button on the screen above to complete BaroPAM's registry removal.
Third, the following message appears after the module in the BaroPAM installation directory has been removed.
Click the "OK" button on the screen above to complete the removal of BaroPAM.
2. How to use "Unregister_x64.reg" file
First, execute the "Unregister_x64.reg" file, which is the following BaroPAM removal registry file, in the BaroPAM installation module directory.
Unregister_x64.reg file)
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{325D6690-E5AC-4570-B15A-19A622571036}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{325D6690-E5AC-4570-B15A-19A622571036}]

[-HKEY_CLASSES_ROOT\CLSID\{325D6690-E5AC-4570-B15A-19A622571036}\InprocServer32]

[-HKEY_CLASSES_ROOT\CLSID\{325D6690-E5AC-4570-B15A-19A622571036}]
Second, if you run the "Unregister_x64.reg" file, which is the registry file for removing BaroPAM, the following "User Account Control" screen appears.
Third, since you need to allow Registry Editor to make changes to the device, click the "Yes" button and the following "Registry Editor" screen will appear.
Fourth, after checking the contents of the "Registry Editor" screen, click the "Yes" button to remove the BaroPAM registry, and the following "Registry Editor" screen appears.
Click the "OK" button on the screen above to complete BaroPAM's registry removal.
Note) After removing BaroPAM, do not reboot Windows, but use "Winkey+L" to test.
3.3 How to reuse BaroPAM
To use the BaroPAM module again while BaroPAM is installed, proceed with the reuse of BaroPAM in the following order.
1. How to use BaroPAM Manager
If you click the "Save" button at the bottom of the "BaroPAM Manager" screen, the first step is to remove the information registered in the BaroPAM registry as follows.
First, if you click the "Save" button at the bottom of the "BaroPAM Manager" screen, the following "Registry Editor" screen appears to register BaroPAM in the Windows registry.
Second, after checking the contents of the "Registry Editor" screen, click the "Yes" button to register the BaroPAM registry, and the following "Registry Editor" screen appears.
If you click the "OK" button on the screen above, the following message appears after BaroPAM's registration in the registry is completed.
Note) After registering the BaroPAM registry, do not reboot Windows, but use "Winkey+L" to test.
2. How to use "register_x64.reg" file
First, execute the "register_x64.reg" file, which is the registry registration file of BaroPAM, as follows in the BaroPAM installation module directory.
register_x64.reg file)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{325D6690-E5AC-4570-B15A-19A622571036}]
@="BaroPAMLogon"

[HKEY_CLASSES_ROOT\CLSID\{325D6690-E5AC-4570-B15A-19A622571036}]
@="BaroPAMLogon"

[HKEY_CLASSES_ROOT\CLSID\{325D6690-E5AC-4570-B15A-19A622571036}\InprocServer32]
@="C:\\Program Files (x86)\\baropam\\baropam_x64.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{325D6690-E5AC-4570-B15A-19A622571036}]
@="BaroPAMLogon"
Second, if you execute the "register_x64.reg" file, which is a BaroPAM registry registration file, the following "User Account Control" screen appears.
Third, since you need to allow Registry Editor to make changes to the device, click the "Yes" button and the following "Registry Editor" screen will appear.
Fourth, after checking the contents of the "Registry Editor" screen, click the "Yes" button to register the BaroPAM registry, and the following "Registry Editor" screen appears.
Click the "OK" button on the screen above to complete BaroPAM's registry registration.
Note) After reusing BaroPAM, do not reboot Windows, but use "Winkey+L" to test.
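The following is an added example, not part of the vendor's package: a read-only PowerShell check of the four registry keys that register_x64.reg creates and Unregister_x64.reg deletes, to confirm after either procedure that the credential provider is fully registered or fully removed rather than half-configured. The function name Get-BaroPamRegistration is hypothetical; the CLSID and key paths are the ones listed in the two .reg files above.

```powershell
# Added example (not vendor code). Read-only: nothing is written to the registry.
# CLSID and key paths come from the register_x64.reg / Unregister_x64.reg listings.
function Get-BaroPamRegistration {   # hypothetical helper name
    param([string]$Clsid = '{325D6690-E5AC-4570-B15A-19A622571036}')

    $auth = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
    $keys = [ordered]@{
        Provider       = "$auth\Credential Providers\$Clsid"
        ProviderFilter = "$auth\Credential Provider Filters\$Clsid"
        ComClass       = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
        InprocServer32 = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    }

    $report = [ordered]@{}
    $found  = 0
    $dll    = $null
    foreach ($name in $keys.Keys) {
        $default = $null
        $present = Test-Path -LiteralPath $keys[$name]
        if ($present) {
            $found++
            # GetValue('') reads the key's (Default) value; $null when it is not set
            $default = (Get-Item -LiteralPath $keys[$name]).GetValue('')
            if ($name -eq 'InprocServer32') { $dll = $default }
        }
        $report[$name] = if ($present) { "present, default = '$default'" } else { 'absent' }
    }

    # All four keys = registered, none = removed; anything else is a half-applied change
    $state = switch ($found) { 4 { 'Registered' } 0 { 'Removed' } default { 'Partial' } }

    $dllExists = $false
    $signature = 'n/a'
    if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
        $dllExists = $true
        # Reports the Authenticode status only; it does not judge who the signer is
        $signature = (Get-AuthenticodeSignature -LiteralPath $dll).Status
    }

    $report['State']        = $state
    $report['Dll']          = $dll
    $report['DllExists']    = $dllExists
    $report['DllSignature'] = $signature
    [pscustomobject]$report
}

Get-BaroPamRegistration | Format-List
```

A State of Partial, or an InprocServer32 default that points to a file that does not exist, means the registry change was only partly applied and should be resolved before testing with "Winkey+L".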
4. BaroPAM delete
In order to delete BaroPAM, you must first remove the information registered in the registry about BaroPAM, and then delete BaroPAM. (Refer to "3.2 How to Disable BaroPAM")
4.1 BaroPAM delete
First, if you enter "Add or remove programs" in the search input item at the bottom left of Windows, the following screen appears.
Second, if you click "Add or remove programs" on the screen above, the following "Apps & features" screen appears.
Third, on the "Apps & features" screen, select "BaroPAM Manager" as follows and click the "Uninstall" button to delete "BaroPAM".
5. BaroPAM FAQ
Message: After installing BaroPAM for Windows, the logon screen does not appear and malfunction occurs when logging on.
Cause: This occurs because the "Computer name" or "PC name" contains Korean characters.
Action: Click "Explorer -> This PC -> Right-click -> Properties", check whether "Computer Name" or "PC Name" contains Korean characters, and make sure the name uses only a combination of English letters, hyphens, and numbers.
Message: If you cannot log in because the OTA key does not match.
Cause: BaroPAM is a time synchronization method, so the time of the phone and Windows or Server must be the same.
Action: Check if the phone and Windows or Server time are correct.
Message: The "OTA key" is incorrect because the date and time of the Android phone or iPhone are different from the current time.
Cause: This is caused by not using the time provided by the network for the Android or iPhone's date and time.
Action: For Android phones, go to "Settings" -> "General management" -> "Date and time" -> "Automatic date and time" and "Automatic time zone" -> "Allow"
For iPhone, go to "Settings" -> "Date & Time" -> "Set Automatically" -> "Allow"
Message: A 30 second delay for the logon script process to complete
If you log on after deploying the Windows OS through a specific master image, the logon speed continues to take a long time.
Cause: On computers running Windows, the "Run logon scripts synchronously" group policy is enabled, so the splash screen is displayed for 30 seconds when trying to log on. This is because the logon script then works with the user before the logon script process completes.
Action: As a workaround, changing the Timeout interval to less than 30 seconds improved logon speed.
1. Start -> Run -> Run regedit (Registry Editor)
2. Go to the next path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
3. Create or modify the following values
Name : DelayedDesktopSwitchTimeout
Type : REG_DWORD
Value : 5
4. Check logon speed improvement after system restart.
Message: Even after deleting a Windows program, it is automatically reinstalled when the system is restarted.
Cause: This is because the image at the time of the last backup was loaded when Windows was restarted due to management programs such as PC automatic backup.
It is presumed to be installed with the user's consent when the user downloads and executes a specific file from the Internet, or through an update mechanism after a program is installed.
In reality, these installations are carried out by tricking or misleading users so that they do not notice them.
When registered in the startup program folder, the file is repeatedly executed every time the system starts unless the file is removed.
Action: Find and remove files registered in the Startup folder (C:\Documents and Settings\(User Account)\Start Menu\Programs\Start program).
Message: Failed to open file "Filename"[error message]"
Cause: Occurs when Filename, an environment setting file, cannot be opened.
Action: After checking the error message, check if the configuration file exists and then reset it on the BaroPAM Setup screen.
Message: Invalid RATE_LIMIT option. Check pam_baro_auth.ini
Cause: Occurs when the RATE_LIMIT setting value among the contents of the pam_baro_auth.ini file, which is an environment setting file, is incorrectly set.
Action: Check the setting values of the limit count (1 < RATE_LIMIT < 100) and the limit time (1 < interval < 3600).
Reset after confirmation on the BaroPAM Setup screen.
Message: Invalid list of timestamps in RATE_LIMIT. Check pam_baro_auth.ini
Cause: Occurs when updated timestamps in the RATE_LIMIT option among the contents of the pam_baro_auth.ini file, an environment setting file, are incorrect.
Action: Check the updated timestamps in the RATE_LIMIT option of the pam_baro_auth.ini file, which is an environment setting file.
Message: Try to update RATE_LIMIT line.
Cause: The message displayed when you log in normally.
Action: No action
Message: Too many concurrent login attempts. Please try again.
Cause: Occurs when the DISALLOW_REUSE option (only one login is allowed within the OTA key generation cycle time) of the configuration file pam_baro_auth.ini file is set and login is retried within the OTA key generation cycle time after successful login.
Action: Retry the login after the one-time authentication key generation cycle time has elapsed.
Message: Can't find ACL_TYPE[error message]
Cause: Occurs when there is no ACL_TYPE option or set value in pam_baro_auth.ini, an environment setting file.
Action: Check the ACL_TYPE option or setting value of the pam_baro_auth.ini file, which is an environment setting file.
Reset after confirmation on the BaroPAM Setup screen.
Message: Can't find ACL_FILE[error message]
Cause: Occurs when there is no ACL_FILE option or set value in pam_baro_auth.ini, an environment setting file.
Action: Check the ACL_FILE option or setting value of the pam_baro_auth.ini file, which is an environment setting file.
Reset after confirmation on the BaroPAM Setup screen.
Message: Invalid WINDOW_SIZE option in pam_baro_auth.ini
Cause: Occurs when the WINDOW_SIZE setting value (calibration time based on the current time) of the contents of the pam_baro_auth.ini file, which is an environment setting file, is incorrectly set.
Action: Based on the current time, check the set value of the one-time authentication key calibration time (1 < WINDOW_SIZE < 100).
Message: Trying to reuse a previously used time-based code.
Retry again in 30 seconds.
Warning! This might mean, you are currently subject to a man-in-the-middle attack.
Cause: The DISALLOW_REUSE option in the pam_baro_auth.ini file, an environment setting file, is an option in preparation for man-in-the-middle attacks.
A man-in-the-middle attack occurs when an unauthorized entity places itself between two communicating systems and intercepts information as it is being passed. In a nutshell, it could be called a modern form of wiretapping.
Action: No action
Message: Failed to allocate memory when updating pam_baro_auth.ini
Cause: Occurs when memory allocation fails when updating the configuration file pam_baro_auth.ini.
Action: Technical support
Message: Can't find HOSTNAME[error message]
Cause: Occurs when there is no HOSTNAME option or set value in pam_baro_auth.ini, which is an environment setting file.
Action: Check the HOSTNAME option or setting value of the pam_baro_auth.ini file, which is an environment setting file.
Reset after confirmation on the BaroPAM Setup screen.
Message: Can't find SECURE_KEY[error message]
Cause: Occurs when there is no SECURE_KEY option or set value in pam_baro_auth.ini, an environment setting file.
Action: Check the SECURE_KEY option or setting value of the pam_baro_auth.ini file, which is an environment setting file.
Reset after confirmation on the BaroPAM Setup screen.
Message: Can't link DB [error message]
Cause: Occurs when there are no DB link options or setting values in the DB file, pam_baro_db.ini file.
Action: Check the DB link option or setting value of the pam_baro_db.ini file, which is a DB file.
Reset after confirmation on the BaroPAM Setup screen.
Message: Invalid verification code
Cause: Occurs when verification of the OTA key fails.
Action: Login retry.
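The following added example (not BaroPAM's algorithm or code) relates the time-related FAQ entries above: it uses RFC 6238 TOTP as a stand-in to show why a phone clock outside the accepted window produces an invalid code, and how a DISALLOW_REUSE-style check rejects a code replayed inside its cycle. The function names, the sample key and clock values, and the window meaning used here (N cycles on either side of the server's current cycle) are assumptions for illustration; the guide does not state how BaroPAM counts WINDOW_SIZE.

```powershell
# Added example, not BaroPAM code. RFC 6238 TOTP (HMAC-SHA1) stands in for the
# vendor's OTA key algorithm, which this guide does not describe.
function Get-TimeCode {
    param([byte[]]$Key, [long]$Counter, [int]$Digits = 6)
    $msg = [BitConverter]::GetBytes($Counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }   # counter is big-endian
    $hmac = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (,$Key)
    $hash = $hmac.ComputeHash($msg)
    $o    = $hash[19] -band 0x0F                                      # dynamic truncation offset
    $bin  = (([int]$hash[$o] -band 0x7F) -shl 24) -bor ([int]$hash[$o + 1] -shl 16) -bor
            ([int]$hash[$o + 2] -shl 8) -bor [int]$hash[$o + 3]
    $mod  = [int][math]::Pow(10, $Digits)
    ([int]($bin % $mod)).ToString().PadLeft($Digits, '0')
}

function Test-TimeCode {
    # $Window: cycles accepted on either side of the server's cycle (assumed semantics)
    # $Used  : counters already accepted, kept by the caller between logins
    param([byte[]]$Key, [string]$Code, [long]$ServerTime,
          [int]$CycleTime = 30, [int]$Window = 1, [hashtable]$Used = @{})
    $now = [long][math]::Floor($ServerTime / $CycleTime)
    for ($d = -$Window; $d -le $Window; $d++) {
        $c = $now + $d
        if ((Get-TimeCode -Key $Key -Counter $c) -ceq $Code) {
            if ($Used.ContainsKey($c)) { return 'Reused' }   # same cycle already consumed
            $Used[$c] = $true
            return 'OK'
        }
    }
    'Invalid'                                                 # no cycle in the window matched
}

# Constructed sample values: demo secret and a fixed server clock (Unix time)
$key    = [Text.Encoding]::ASCII.GetBytes('12345678901234567890')
$server = 1700000000
$used   = @{}
$good   = Get-TimeCode -Key $key -Counter ([long][math]::Floor($server / 30))
$stale  = Get-TimeCode -Key $key -Counter ([long][math]::Floor(($server - 300) / 30))

# Case 1: phone and server clocks agree
'clocks in sync          : ' + (Test-TimeCode -Key $key -Code $good -ServerTime $server -Used $used)
# Case 2: the same code presented again 5 seconds later, still inside its cycle
'replayed within cycle   : ' + (Test-TimeCode -Key $key -Code $good -ServerTime ($server + 5) -Used $used)
# Case 3: code generated by a phone whose clock is 5 minutes behind the server
'phone 5 minutes behind  : ' + (Test-TimeCode -Key $key -Code $stale -ServerTime $server -Used $used)
```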
6. About BaroPAM
Version 1.0 - Official Release - 2016.12.1
Copyright ⓒ Nurit corp. All rights reserved.
Company: Nurit Co., Ltd.
Registration Number: 258-87-00901
CEO: Jongil Lee
Tel: +8202-2665-0119(Technical support, sales inquiry)
email: mc529@nurit.co.kr
Address: #913, 15, Magokjungang 2-ro, Gangseo-gu, Seoul (Magok-dong, Magok Techno Tower 2)