Safeguard Enterprise and nFront

Has anyone successfully installed the Altus nFront v 4.13 product onto a device with the Safeguard Enterprise v5.35 client installed?  During the nFront product install it complains of the Utimaco gina being installed.  If I uninstall the Utimaco client it installs fine.  Unfortunately, uninstalling the Utimaco client to allow for the nFront install is not a very user friendly approach.  We would like to allow for the nFront to install over the currently installed Utimaco client. 

Any thoughts would be greatly appreciated.

Thanks!

  • Hi Michelle,

    Thank you for visiting the SophosTalk Forums and posting your question here.

    In order for the nFront GINA and the SGN DE sggina to work together, you will need to disable the SGN GINA chain repair. To do this, please read this KB article: "How to disable the GINAchainrepair of the SGN client?"

    Not being familiar with the nFront GINA, I was wondering if you know if it needs to be the first GINA in the chain? Please contact nFront Security's Altus Networks for that information. If nFront does need to be first, based on your description it appears that way.

    Please let the community know the registry path entry referencing the nFront GINA. The following is an older Utimaco KB article which is still relevant, but references the Cisco VPN software. Replace the information regarding Cisco with nFront and it should help get you where you need to be. If you are looking for steps on a mass deployment, I suggest that you contact your Account Manager to schedule someone from Professional Services to assist with your deployment of SGN DE.

    Question
    After installing Cisco VPN (or nFront) software the system shows an unknown GINA message on startup: "Unknown GINA: 'CSGina.dll' should the Microsoft GINA (msgina.dll) be used instead?"

    What needs to be done to solve this GINA conflict?

    Answer
    In order to solve this issue it is necessary to disable the GINA repair function of SafeGuard Enterprise and after that to apply changes to the registry which will change the current GINA chain in the system.

    Step 1. Disable the SafeGuard GINA chain repair

      First of all, the "deactivate_ginachainrepair" XML-file (above) has to be signed with the company certificate.

       SGN MC -> Tools -> Options -> Company Certificate

       After browsing to this file  just click "OK" and the MC will create a new file which is called "deactivate_ginachainrepair_Signed".

      This new file can now be copied into the Import folder in the LocalCache of the SGN Client.

      C:\Documents and Settings\All Users\Application Data\Utimaco\SafeGuard Enterprise\import

    Now the tool "SGMcmdintn.exe" has to be run in the command line (the XML-file should then disappear from the import folder).

    The GINAchainrepair is now disabled and logon to Windows without any message is possible again.

    Step 2. Change the registry to

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "GinaDLL"="CSGina.dll"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Utimaco\SafeGuard Enterprise\Authentication]
    "OriginalGina"="MSGina.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Cisco Systems\VPN Client]
    "PreviousGinaPath"="SGGINA.DLL"



  • We ended up putting nFront first in the chain, it wanted to be last.  nFront support provided us with the correct registry edit for the install. 

    HKLM/Software/Altus/PasswordFiltProtect/NextGina = sggina.dll

    Thanks for the help!

  • Hi Michelle,

    Thanks for the response! So what is the DLL name for this registry entry if you put nFront first in the chain?

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "GinaDLL"=

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "GinaDLL"="Altusgina.dll"

    Thanks!

  • Following the steps outlined here allowed me to configure my Windows XP SP3 clients to launch Cisco VPN (v. 5.0.07.0290) at Windows logon.  After disabling the SafeGuard GINA chain repair, I found that I only had to change the first listed registry key: GinaDLL from sggina.dll to CSGina.dll.

    I wrote a simple batch file to handle the whole thing.  It looks something like this:

    copy deactivate_ginachainrepair_Signed.xml "C:\Documents and Settings\All Users\Application Data\Utimaco\SafeGuard Enterprise\Import"

    SGMCmdIntn.exe -i deactivate_ginachainrepair_Signed.xml

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDll /d CSGina.dll /f

    I'm using SGN 5.50.0.116.

    Best Wishes,

    Matt Bollinger
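
An offline check of the GINA chain that the registry values in this thread describe, as an added example that is not part of the original posts or of any vendor's tooling: it parses .reg-style text and follows each DLL's next-GINA pointer until it reaches msgina.dll, reporting a loop or a missing link. The pointer locations are the ones quoted in the thread (the nFront path rewritten with backslashes); the function names and the LOOPED sample are constructed for illustration.

```python
import re

HKLM = "hkey_local_machine\\software\\"
WINLOGON = HKLM + "microsoft\\windows nt\\currentversion\\winlogon"
# Where each GINA named in the thread keeps the name of the next DLL.
# Treating these as the only chain pointers is an assumption of this example.
NEXT_POINTER = {
    "csgina.dll": (HKLM + "cisco systems\\vpn client", "previousginapath"),
    "sggina.dll": (HKLM + "utimaco\\safeguard enterprise\\authentication", "originalgina"),
    "altusgina.dll": (HKLM + "altus\\passwordfiltprotect", "nextgina"),
}
TERMINAL = "msgina.dll"  # the Microsoft GINA must end the chain

def parse_reg(text):
    """Parse .reg-style text into {key: {value_name: data}}, all lower-cased."""
    keys, current = {}, None
    for line in map(str.strip, text.lower().splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.fullmatch(r'"([^"]+)"\s*=\s*"([^"]*)"', line)):
            current[m.group(1)] = m.group(2)
    return keys

def walk_gina_chain(text):
    """Return (chain, problem); problem is None if the chain ends at msgina.dll."""
    keys, chain = parse_reg(text), []
    dll = keys.get(WINLOGON, {}).get("ginadll", TERMINAL)  # no value: Windows loads msgina.dll
    while True:
        dll = dll.rsplit("\\", 1)[-1]  # accept a full path, keep only the file name
        if dll in chain:
            return chain + [dll], "loop: %s is reached twice" % dll
        chain.append(dll)
        if dll == TERMINAL:
            return chain, None
        if dll not in NEXT_POINTER:
            return chain, "unknown GINA %s: cannot follow the chain" % dll
        key, name = NEXT_POINTER[dll]
        dll = keys.get(key, {}).get(name)
        if dll is None:
            return chain, "%s has no %s value" % (chain[-1], name)

# Constructed sample: nFront first, but SafeGuard's OriginalGina points back at it.
LOOPED = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="Altusgina.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Altus\PasswordFiltProtect]
"NextGina"="sggina.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Utimaco\SafeGuard Enterprise\Authentication]
"OriginalGina"="Altusgina.dll"'''
```

Fed the Step 2 values from the KB article, `walk_gina_chain` returns the chain csgina.dll, sggina.dll, msgina.dll with no problem; for `LOOPED` it reports the loop instead.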
