Support, help and instructions for abylon LOGON Business


Additional Info and Help Windows login with central administration

Questions and answers about the software abylon LOGON Business (FAQ's)

Windows login with hardware key and central administration

Reason:

The message "Access Denied (5)" is displayed, for example, if the remote creation of a Windows user on a connected workstation PC is prevented by the settings.

Workaround 1

Add the following value to the registry on the connected workstation PCs or change it accordingly.

  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • REG_DWORD value: LocalAccountTokenFilterPolicy
  • Data: 1

Workaround 2

Activate file and printer sharing on the connected workstation PCs.

This can be found under Control Panel > Network and Internet > Network and Sharing Center > Change advanced sharing settings

Workaround 3

The "Remote registration" service under Services must be started on the connected workstation PCs.

You can manage the service under Control Panel > Administrative Tools or Windows Tools > Services. There you can check whether the "Remote registration" service has been started. Otherwise, the service must be started and the start option changed to "start automatically".

Restart

In order for the changes to be applied, the PC must be restarted!
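The following read-only check reports the current state of the three settings named in Workarounds 1 to 3 on a workstation, so you can see which one actually blocks the remote user creation before changing anything. It is an added example, not abylonsoft code; it assumes that the "Remote registration" service is the Windows "Remote Registry" service (service name RemoteRegistry) and that file and printer sharing is reflected by the built-in firewall rule group. The function name is hypothetical.

```powershell
# Added example, not abylonsoft code. Read-only: it changes nothing.
# Assumption: "Remote registration" means the Windows "Remote Registry"
# service (service name RemoteRegistry).
function Get-RemoteAdminPrerequisite {
    [CmdletBinding()]
    param()

    # Workaround 1: a missing value behaves like 0 (remote token filtering active).
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop  = Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    $latfp = if ($prop) { [int]$prop.LocalAccountTokenFilterPolicy } else { 0 }

    # Workaround 2: enabled inbound rules of the "File and Printer Sharing"
    # firewall group, addressed by its locale-independent resource ID.
    $rules = @(Get-NetFirewallRule -Group '@FirewallAPI.dll,-28502' -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' })

    # Workaround 3: service state and start type.
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    $svcState = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'service not found' }

    [pscustomobject]@{
        Setting     = 'LocalAccountTokenFilterPolicy'
        Current     = $latfp
        PageExpects = '1'
        # With 1, local administrator accounts receive a full (unfiltered)
        # administrative token on network logons.
        Note        = 'UAC remote restriction for local accounts'
    }
    [pscustomobject]@{
        Setting     = 'File and printer sharing (inbound rules enabled)'
        Current     = $rules.Count
        PageExpects = '> 0'
        Note        = 'Firewall group @FirewallAPI.dll,-28502'
    }
    [pscustomobject]@{
        Setting     = 'Remote Registry service'
        Current     = $svcState
        PageExpects = 'Running / Automatic'
        Note        = 'Assumed to be the "Remote registration" service'
    }
}

Get-RemoteAdminPrerequisite | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on the workstation; because all three settings widen remote administrative access, record the values before and after the change.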

CardInit functions

CardInit is a function that stores random data on certain smart cards. It is necessary, for example, if all the cards used have the same ID.

Question:

Create a keyfile for xxx smart card? Note: We cannot accept any guarantee for damage to the chip card. Please use a test card!

For the first test of the CardInit function, please use a (test) smart card that is not actively needed. For the random ID, a separate application is created on the smart card, making the risks to existing data very low. Nevertheless, this step should be performed with some caution.

Error message:

Could not write RANDOM-DATA to CARD!

There are several reasons that lead to the failure of the "CardInit function":

  • Read-only protection on the card
  • Unsupported card
  • Card reader problems
  • No Blowfish encryption support
  • Not enough memory
  • ...or other!

If you have any questions or problems, please contact abylonsoft support and provide as much information as possible!
Unfortunately, it is difficult to guess the exact reason for the failure of CardInit. Information about the card used (e.g. ATR), the card reader, the procedure, the operating system etc. is therefore necessary for competent help.

Cause of identical IDs for different cards:

For the logon account, the software determines a unique ID from the smart card. This is often the ID of the chip card. If this ID is identical and no additional data can be determined, the following message is displayed:

The account for the ID: '***' already exists!

Workaround for cards with identical ID:

Screenshot: CardInit

For cards with identical IDs we offer the possibility to save an individual data set on the corresponding cards. To do this, it is best to start the settings on the server with admin rights. On the "Logon Settings" page, you will find the "CardInit" item in the icon bar (arrow down, see screenshot). Finally, a message dialog must be confirmed so that the random data can be written.

If you have any questions or problems, please contact our support with a detailed description (procedure, problems, card and card reader used, ...).

Windows 10

It is only possible to leave the logon lock screen under Windows 10. Just click the Cancel button. After that the Windows 10 login screen will be displayed.

In the abylon LOGON settings, the Cancel switch can be deactivated on the page Logon Settings -> Login Behavior with the setting "Allow switch to normal logon with abort (Esc) in logon mode".

Under Windows 8 and older

Here it is NOT possible to exit the lock screen. If you press the Cancel button, our software displays the possibility to enter the login data.

Account management dialog: Checkbox or Pulldown

The checkbox Show account management on logon is displayed in the account management dialog at the bottom left. After deactivation, the dialog will no longer be displayed during logon and logon will be performed automatically with the last used user account (default).

In the pull-down menu you can select the time when the Windows logon will be performed automatically. The last used user account (default) is also selected. The automatic Windows logon is deactivated if the time "0" has been set. In this case, the Windows logon is only performed after pressing the button Logon.

To display the account management dialog again, the icon Reset (red curl) must be pressed in the logon settings.

The synchronization of the logon account files restores them after a manual deletion. You should therefore first remove the locked file again in the abylon LOGON settings, because after the first removal the logon account is only locked. In order to learn a card again, the account must first be deleted by removing it a second time.

From next version 18 the difference between Blocked and Deleted Account file will be displayed more clearly in the settings dialog!

Procedure on the server: Final deletion of a locked logon account file with file extension IMK and file size 0 KB!

The account data on the server is stored in 2 folders:

In the working directory "C:\Users\Public\Documents\abylonsoft\apmLogon\DATA\LOGON" (or comparable) the program abylon LOGON Business makes all account changes and settings. From this directory the changes are copied into the release "C:\abylonsoft\LOGONACCOUNTS" (or comparable) with activated synchronization service. Only from this release folder the files are distributed to the clients.

If the locked zero-byte file is to be deleted, delete it first in the working directory under "Users\Public ...". The file can then be removed from the share.

Procedure on the client: If the setting "Synchronize account files created on the client with the server?" is enabled, the locked logon account files can be copied from the client back to the server!

In order to train an account on the client again, the 0 KB account file must also be permanently removed here. To do this, you should first deactivate the user synchronization service. Then the corresponding 0 KB file in the directory "C:\Users\Public\Documents\abylonsoft\apmLogon\DATA\LOGON" can be deleted. The logon account can then be newly created in the settings. After activating the user synchronization service, this new account is distributed to the server and the other connected clients.

Cause: Critical actions are only possible on the server!

If the synchronization mode is active, cards or accounts can only be deleted on the server and with admin rights. The corresponding icons are deactivated on the client.
The creation of logon accounts is not a security-critical action, so this is also possible on the client.

Cause: Password has expired

Screenshot: Active Directory User

In certain circumstances the Windows policies may specify that the password of the synchronization user expires. This should be checked in Active Directory Users and Computers under LELogonUser_Sync User and changed if necessary (see screenshot).

This problem will be solved programmatically in one of the next versions!

FAQ abylon LOGON

Frequently asked questions about Windows login and the administration of the software abylon LOGON (various variants).

Solution option

The behavior of the logon dialog can be influenced via a registry entry. Under HKEY_LOCAL_MACHINE\SOFTWARE\abylon\ the REG_SZ value FWLOGONCALLOPT can be changed from SHOWDIALOG (default value) to SHOW or vice versa.

Modes for card monitoring

If you have problems with the card checking function or if memory usage is too high, you can adjust the mode for card monitoring via the registry:

  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\abylon\\defapm\FLAGS
  • REG_SZ value: FWSCARDPRESENTCARDCHKMODI
  • Value range: 1 - 8
    • 1: STANDARD CARD EVENT MONITORING (IsScardPresent) with "SCardGetStatusChange"
    • 2: like 1, except that in this case the function runs in a separate permanent thread!
    • 3: like 1, but in this case the function is executed once in a thread!
    • 4: like 2, but the thread is terminated and restarted in cycles.
    • 5: like 1, but all connected readers are checked here!
    • 6: CARD EVENT MONITORING via SCARDAPI (SCardConnect) - in a separate continuous thread.
    • 7: CARD EVENT MONITORING via SCARDAPI (SCardConnect) - in a separate thread that is executed once.
    • 8: CARD EVENT MONITORING via SCARDAPI (SCardConnect) (without thread)

If you have any questions or problems, please contact our support.

Set initial wait time

The timeout time can be set via the registry:

  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\abylon\\SETTINGS\GINALOGON
  • REG_DWORD value: INIT_TIMEOUT
  • Default value: 20

For values > 25, the service waits independently. This results in a difference of 5 (25 - 20), where 5x500 mSec = 2500 mSec is waited. For a value of 30, there is an additional wait time of 5000 mSec!

Stop card monitoring

Stop card monitoring before running the setup. This is done via the tray icon menu to the left of the clock (see screenshot). This will make the over-installation work properly.

Stop abylon LOGON card monitoring

Task Manager

Open the Windows Task Manager and search for the application LogonCardwathX64.exe under "Processes". Use the right mouse button menu to close the application via End Process. After that, the setup runs without problems.

Workaround via a flag in the registry

In the Windows registry (for instructions, see the glossary), under "HKLM\Software\abylon\\Flags" the REG_SZ value "ExecuteDotNetDirect" must be changed from YES to NO!

With this change, the .NET framework will be started via an alternative call.

Here we distinguish 2 possibilities:

1.) Use abylon LOGON and abylon LOGON Business together:

A mixed use of abylon LOGON and abylon LOGON Business is not possible. The synchronization of the Logon accounts is primarily done via the client. The logon account data is compatible, but the simple logon version does not offer synchronization. For this reason abylon LOGON and abylon LOGON Business can NOT be used together!

2.) Different version numbers of abylon LOGON or abylon LOGON Business:

If the software abylon LOGON or abylon LOGON Business is used on several computers in the network, this is also possible with different version numbers. This is necessary for example to update step by step to a new version. However, the version step should not be too large (test required). To avoid problems, the same version should be installed on all computers.

One possible cause is faulty credential providers.

The Credential Provider is responsible for the user login under Windows. There are some programs that supplement or replace it, including the abylon LOGON software. Errors or compatibility problems can therefore lead to unexpected and strange problems with the Windows login.

The easiest way to check is via the Windows registry. All registered credential providers are listed under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers

To troubleshoot, first identify all programs with credential providers and then disable or uninstall them one by one.
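To carry out the "identify all programs with credential providers" step, the following added example (not abylonsoft code) lists every provider registered under that key together with the DLL that implements it and the DLL's signer, so third-party or unexpected entries stand out. The function name is hypothetical, and the reading of an optional "Disabled" value is an assumption that is not stated on this page.

```powershell
# Added example, not abylonsoft code. Read-only inventory of the credential
# providers registered under the key named above.
function Get-CredentialProviderInventory {
    [CmdletBinding()]
    param()

    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

    foreach ($key in Get-ChildItem -Path $root) {
        $clsid = $key.PSChildName          # sub-key name is the provider's CLSID
        $name  = $key.GetValue('')         # default value is the display name

        # Assumption (not from the page): an optional DWORD "Disabled" = 1
        # marks a provider as switched off.
        $disabled = ($key.GetValue('Disabled') -eq 1)

        # Resolve the implementing DLL through the COM registration.
        $dll    = $null
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        if (Test-Path -LiteralPath $inproc) {
            $dll = (Get-Item -LiteralPath $inproc).GetValue('')
            # Bare file names are resolved from System32.
            if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
                $dll = Join-Path -Path "$env:SystemRoot\System32" -ChildPath $dll
            }
        }

        # Signature status and signer help separate Windows components
        # from add-on providers.
        $status = 'n/a'
        $signer = $null
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Name      = $name
            CLSID     = $clsid
            Disabled  = $disabled
            Dll       = $dll
            Signature = $status
            Signer    = $signer
        }
    }
}

Get-CredentialProviderInventory |
    Sort-Object Signer, Name |
    Format-Table Name, Disabled, Signature, Signer, Dll -AutoSize -Wrap
```

Entries with a missing DLL, an invalid signature, or a signer you do not recognize are the first candidates to examine when the Windows login misbehaves.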

In our encyclopedia you can find a short description about Credential Provider.

Reason 1: The abylon LOGON software finds a suitable hardware key for the Windows login!

If in the Logon settings under Logon settings the item Do NOT allow account creation for new chip cards during Windows logon is deactivated, the abylon LOGON software offers the following option. New hardware keys can be learned during the Windows logon so that they can be used for the Windows logon in the future. The software goes through a loop for this process. If the cancel button is clicked at the wrong time, the software will not respond.

Workaround:

In this case, the potential hardware key (e.g. chip card, USB stick, memory card, CD) should be removed from the computer! After that, switching to the normal Windows login is possible without any problems.

Reason 2: Functionality changed in the settings!

In the basic setting in the Logon Settings under Login behavior the item Allow change to normal logon with abort (ESC) in login mode is activated. If this option is disabled, switching to the normal Windows login screen is prevented.

Reason 1: Windows user does not exist!

Previously, it was only possible to create logon accounts that already existed on Windows. From version 20.6, the software abylon LOGON Business takes over the creation of non-existing Windows users for them. Alternatively, the credentials can be saved without a successful credential check.

CAUTION
This option is NOT offered in abylon LOGON!

Reason 2: Login credentials specified incorrectly.

Even on domain servers the syntax of username and domain is important. If a known Windows user is not accepted, this may be due to the input of username and domain.

On our test systems, the following entries were successful:

  1. User name: [LOGONNAME]
    (Without domain, e.g. "my.name")
    Domain: ANYCLIENT or [DOMAIN_NAME]
    (ATTENTION without dot and extension, e.g. "mycompany")
  2. User name: [LOGONNAME]@[DOMAIN_NAME].[DOMAIN-EXTENSION]
    (e.g. my.name@mycompany.com)
    Domain: ANYCLIENT or [DOMAIN_NAME]
    (ATTENTION without dot and extension, e.g. "mycompany")

Reason: Individual session of the RDP user!

In contrast to VNC, with RDP the user is logged in with his own session on the server and access to the card reader is not possible on the client. In this case, the card must be created directly on the server (without RDP) or the card reader must be connected to the client with RDP support. Alternatively, a remote VNC connection from the client to the server can be used.

Only under Windows 10!

If abylon LOGON is activated, the Windows lock window can only be left under Windows 10. When pressing the Cancel button the "normal" Windows logon screen is displayed.

On older Windows operating systems a login window of abylon LOGON is displayed. Here the password of the locked user can be entered via the keyboard.

The card monitoring is only active if the user has logged in with a hardware key via abylon LOGON. When card monitoring is running, a corresponding icon (two blue, vertical bars) is shown in the task bar. Some functions of the software abylon LOGON can be called via this icon.

Restart computer

After the installation of the software abylon LOGON the card monitoring is NOT directly active. After learning a new logon account the computer should be restarted. This may also be necessary when changing settings!

INFO
Beginning with version 18, the reliability of card monitoring has been significantly increased once again by an additional service check.

Especially under Windows 10, we have observed that access to a smart card can take a very long time. This makes it look as if the software is hanging. This is because the operating system searches online for a driver for the card reader and/or the smart card. Windows often replaces the card reader manufacturer's driver with a standard driver from Microsoft. This can also lead to the described problems.
These problems can also occur under Windows 7 or 8, although less often.

Aid:

First of all you should check in the Windows Device Manager which drivers are registered for the card reader and the smart cards. In this case, a deactivation of the corresponding device (described below) may help.

Another option is to disable the automatic search for drivers. For this purpose we have created a registry patch. This patch can be downloaded under exclusion of a guarantee and liability under the following link.

Download Registry-Patch (at your own risk): Save target as

WARNING
Please execute this Regpatch only if you know what you are doing and have the necessary technical background. If possible, create a backup or a system restore point beforehand.

Possibility A: Settings

In the settings on the page Logon settings -> Login settings the item Do NOT allow account settings for new smart cards during Windows logon is activated. On certain systems this can lead to problems when learning the hardware key.

This setting item should be deactivated as a remedy. The setting only takes effect after the computer has logged off once. Our development team is currently looking for a solution to this problem.

Possibility B: Driver search

This phenomenon occurs because the Plug&Play functionality of Windows searches for drivers for the hardware key (e.g. RFID chip card or contact chip card) when inserting the card. This involves searching the computer and the Internet, which can take from several minutes to an hour. During this time, access to the hardware key by our software is not possible. Either the error message appears after a certain time or the software is blocked.

abylon LOGON blocked for device installation under Windows

Aid:

Before you insert the smart card, open the Device Manager in the Control Panel:
Win 7: Start menu -> Control Panel -> System and Security category -> System section -> Device Manager
Win 10: Start menu -> enter Device Manager in the text field and confirm
Then insert the smart card and wait until Windows has completed the driver installation. This action can take several minutes. If the smart card is installed by Windows, you should select and deactivate it before running abylon LOGON. The Device Manager shows the entry Unknown Smart card under Smartcard. It can be deactivated via the right mouse button menu. Usually the smartcard will be displayed as Generic directly after the activation. Now the software abylon LOGON can be used with the smartcard or the token as hardware key.

Change smartcard from unknown to generic in Windows device manager

If the smartcard is not displayed, the unknown devices may be hidden. In the menu under View the item Show hidden devices can be activated.

When creating a new logon account, the following dialog is displayed:

Enter logon credentials

As username and password, enter the login name of the Windows account and the assigned password.

Under Windows 10 it may be that the username must be specified in a special syntax:

  1. If it is an online account, the email address must be entered as user name. (for example UserName@DNSDomainName.com)
  2. If it is a domain user, the domain name and user name must be separated by a backslash (e.g. DOMAIN\UserName)

Info at Microsoft.

The Windows accounts are defined in the control panel under User accounts. An empty user account or an account without a password is not allowed!

Under Domain / workgroup the following can be specified:

  1. Domain name
  2. Server name
  3. "ANYCLIENT" (without quotation marks)

Normally the host name should be there, so no customization is required.

A command line parameter can be used to personalize multiple processor chipcards in one go. Procedure:

  • Create a link to the file SALogon.exe or, for 64-bit, SALogonx64.exe
  • Edit the link via right mouse button menu -> Properties
  • Under Target, append the parameter /RESETACOS3
    complete string under Target: "[PROGRAMPATH]\SALogonx64.exe" /RESETACOS3
  • Execute the link and insert the chip cards accordingly

Caution: This command line call is only available from version 15.30.3.

Procedure when using abylon LOGON with abylonsoft processor chipcards from ACOS:

  1. IMPORTANT! First close the settings window of the software abylon LOGON!
  2. Plug card reader (without card) into the USB port of the computer.
  3. Wait until the card reader driver is successfully installed and the device can be used! This may take a few minutes because the computer is searching online for a driver.
  4. Afterwards remove the card reader from the USB port (pull).
  5. Insert the processor chip card into the card reader and plug the card reader back into the USB port.
  6. Then Windows tries to install the smart card as a new device. In the status bar it is shown that a driver is searched for.
  7. Wait until the message appears: Driver for smartcard not found (also takes a few minutes)!
  8. Open the Windows Device Manager (Start -> Control Panel -> System -> Device Manager).
  9. Here the smartcard should be displayed with an exclamation mark (under Other / Other devices). Then right-click Smartcard and select Disable in the context menu that appears!
  10. Close device manager
  11. Finally, open the abylon LOGON settings with admin rights and create the logon account!

Important! If the creation of an abylon LOGON account with the processor chip card (smartcard) does not work, the smartcard must definitely be deactivated in the Windows device manager (as described above).
If the entry Smartcard with the exclamation mark is not displayed, the card reader should be removed from the USB port when the device manager is open and plugged back into the port with the smartcard inserted. The view in the device manager can be updated via an icon!

Yes in any case!

Even in safe mode, the Windows password must be entered.

In order to use a Windows password that is really secure against cracking, it should be as long as possible and contain numbers, uppercase letters, lowercase letters and also special characters. This can lead to the fact that the password is difficult to remember on the one hand and on the other hand has to be entered laboriously via the keyboard.

...And here comes the software abylon LOGON into play, which takes over the password input without you having to renounce the security.

In the basic version it is not possible to create a copy from a USB stick for security reasons.

But there are alternatives:

  1. SecureID:
    In order to still be able to log in when the USB stick is lost or defective, the so-called SecureID is offered. This is a long string of characters that can be used for emergency logon. The SecureID can be created in the settings on the page Logon Accounts via the icon with the barcode (far right). To do this, the corresponding user must be selected in the list.
  2. A second USB stick:
    Another option is to create a second USB stick with the same credentials for Windows logon. This should be put away well and assigned with a PIN if possible for security reasons.

    With the software abylon LOGON there is no limit to the number of keys used. In principle, any number of keys can be configured for a Windows logon account!

  3. Secured mode:
    As last option there is always the possibility to log in to the secured mode.

    The possibility of logging on to the computer in secure mode does not pose a security risk if the Windows logon password is sufficiently secure (at least 12 characters, as well as the use of special characters, numbers, upper and lower case letters).

The SecureID is a so-called emergency password. This can be entered in the logon mask as an alternative to the Windows logon password if the chip card or USB stick is defective or lost.

The SecureID is determined during the setup of the Logon account or in the Setting dialog on the page Logon -> Accounts.

The SecureID is different for each Windows logon account and is structured as follows:

# + 48 characters + ## + 32 characters + #
(characters only numbers 0-9 or letters A-F; e.g. #01699A9534F683073795238AC7F12DA1950E0C3A08060202# #44D6D243E0AEF35FAFE4CB4A24087578#)

NOTE:

  • Starting with version 8.3, both upper and lower case letters can be entered. In older versions the input is case-sensitive.
  • The password scrambler should be deactivated for input!
  • The SecureID should be stored in a secure place!
  • The SecureIDs are different for encryption and Windows logon.

In About - Dialog the installed operating system is displayed wrong in the upper right corner. Due to different techniques between Windows XP and Vista the software abylon LOGON cannot be activated.

Aid:

  1. Open the Registry Editor by Start -> Run -> Regedit
  2. Change to the following path:
    HKLM\SOFTWARE\abylon\LOGON\
  3. Create a new key:
    named XP, VISTA, WINDOWS7 or WINDOWS8 according to your operating system
  4. Restart the computer

NOTE: This option is only available from version 7.3!

For using USB-Token with our software abylon LOGON the following criteria must be fulfilled:

  • The USB stick must be displayed as a drive in the File Explorer!
  • The USB stick must not be displayed as drive A: or B: in the File Explorer!

For using a CD/DVD with our software abylon LOGON the following criteria must be fulfilled:

  • The root directory (ROOT) of the CD or DVD must not contain only directories. A sufficient number of files in the root directory is required to create the account!

In general, the card reader connected to the client is recognized with the default settings during the Remote Desktop connection and can be used directly.

If the card reader should not be recognized, it can be activated when creating the remote desktop connection under Options -> Local Resources -> Local Devices. Another setting option can be found under Terminal Services Configuration -> Connections -> Properties -> Client Settings -> Connection Settings of User Preferences or correspondingly in Policies.

The following card readers were tested successfully: Card readers from Cherry, Cardman 2020 and comparable, and the Aladdin eToken (USB token)!

To use a USB stick, it must also be known during remote desktop login.

After configuring your system it may happen that the Task Manager is displayed after unlocking the computer. To prevent this, deactivate (no check mark) the option Should the security dialog (PREVIOUS REGISTRATION PRESS CTRL+ALT+DEL) be skipped automatically? in the abylon SETTINGS on the page Logon -> Advanced under Login Behavior.

The software abylon LOGON is NOT active in secure mode (without network). This is a protection from our side, so that you can deactivate the software abylon LOGON in an emergency, without having to reinstall your whole system.

Even in safe mode, you must enter your password for Windows logon, so that this cannot be exploited for an attack. In normal operation, you do not need to enter your password for the Windows logon, just plug in the medium (chip card, CD, USB stick) and the Windows logon takes place automatically. For this reason, you can use an extremely long password (at least 12 characters, including numbers, special characters, small and capital letters). The longer the password is, the harder it becomes for an attacker to crack the password. This makes your system much more secure than if you use no or a short password. Only with the appropriate medium (chip card, CD, USB stick) the Windows login is possible.

NOTE: For domain networks access can be deactivated via the secured mode!

This problem occurs due to problems with the Aladdin CSP when resetting the certificate store in the system user context.

Thereby the learning of accounts for the Aladdin eToken is only possible in the settings dialog of abylon LOGON. However, this has no effect on the use of the Aladdin USB token with our software.

For monitoring the pulling and inserting of the smart card or the USB token, it is necessary to start a service. After the installation the program must be activated in the settings and the computer must be booted once. In order not to burden the system resources unnecessarily, this service will not be started even when logging in via the normal Windows logon mask.

NOTE: The service can also be started manually using the following command:
abylon ENTERPRISE: Program directory\APMService /cardcheck
or
abylon LOGON: Program directory\SALService /cardcheck

Use the call "SALServiceX64" for 64-bit operating system versions!

The CT32-DLL is only required if our software is to be used with a memory chip card (e.g. health insurance card). In all other cases (e.g. EC cards), the presence of a CT32-DLL is NOT required.

If available, the CT32-DLL is installed during the driver installation of the card reader. Each card reader manufacturer delivers its own CT32 DLL, which also have different names. With our search functionality we offer a help to determine the CT32-DLL. Due to the large number of providers, however, a faultless determination cannot be guaranteed. In this case a manual selection of the file is also possible. As a rule, the CT32-DLL can be found in the Windows or Windows system directory. Here are some examples of providers:

  • PureSCT Cyberjack: CTRSCT32.DLL
  • SCM Microsystems (Older Chip Drive Models): CTAPIW32.DLL
  • SCM Microsystems (SCR3340): CTPCSC31.dll; port: 1; pin: 1
  • Kobil KAAN: CT32.DLL
  • Cherry card reader: no CT32-DLL

If the CT32-DLL search functionality did not produce a result and your card reader is not listed, please read the documentation of the card reader or ask the manufacturer if his product offers a CT32-DLL (CT-API).

In an operating system installation with default settings, a password without characters (blank password) and autologon can be set. These values are not allowed for our logon and lead to the password dialog not being displayed!

To solve this problem, assign a password to the corresponding user and deactivate the autologon!

After the correct uninstallation of abylon LOGON all settings made by the software in the registry will be reset to the value before the installation. In special cases, however, it can happen that the global settings are overwritten by the local settings. In this case you proceed as follows:

In the Policies:

  1. Open under Start -> Control Panel -> Administration the settings dialog Local Security Policy
  2. Switch to Path Security Settings -> Local Policies -> Security Options
  3. Double-click the policy CTRL+ALT+DEL Disable login request
  4. Set the value:
    Disabled = CTRL+ALT+DEL dialog is displayed
    Enabled = CTRL+ALT+DEL dialog is NOT displayed
    NOTE: Confusing due to double negation!
  5. Restart the computer

In the registry:

  1. Open the Registry Editor by Start -> Run -> Regedit
  2. Change to the following paths:
    a) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    b) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  3. Set the values:
    DisableCAD = 0 -> CTRL+ALT+DEL dialog is displayed
    DisableCAD = 1 -> CTRL+ALT+DEL dialog will NOT be displayed
    NOTE: Confusing due to double negation!
  4. Restart the computer

NOTE Often the settings and policies are only effective after a certain time (synchronization with the server) or a restart of the computer.

In the settings you define which action the computer should perform when the smart card or the USB token is pulled.

Additionally, abylon LOGON Version 5.2 or higher offers the possibility to directly select a corresponding action when pulling the smart card without changing the settings. Just press one of the following keys (HotKeys) while pulling the chip card:

  • Shift key: Lock the computer
  • Ctrl key: Do nothing
  • Alt key: Log off the computer
  • Ctrl+Alt: Shutdown the computer

After pulling the smart card you have to hold down the corresponding key (HotKey) until the computer beeps twice. Depending on the card reader this can take up to 3 seconds!

Windows uses a trick to speed up the login process by displaying the desktop before all drivers and services are loaded. This speeds up the login process, but can cause problems.

As we have no influence on the order of loading, our software has to wait until all services and drivers are loaded. This is necessary to be able to access the corresponding smart card or USB token.

NOTE: To speed up the login process, only the required keys should be activated in the settings on the page Logon settings under Media allowed for login!

  1. The software abylon LOGON is not activated yet!
  2. The setting option Do NOT allow account creation for new smart cards during Windows logon! is enabled! If this option is activated, it is not possible to create a new account in the settings!
  3. The chip card is not an EC card, a health insurance card, a certificate chip card or a USB token!
  4. The EC card has only a magnetic strip and no chip!
  5. The PC/SC driver must be installed for the EC card!
  6. For health insurance cards, a CT32.DLL must be installed!
  7. For a certificate smart card or USB token, the appropriate CSP must be entered in the corresponding field!
  8. You have a smart card reader with older drivers. Under certain circumstances, these can only read entries with a memory size of 40 bytes. However, with the new EC cards, entries with up to 255 bytes must be read!

To fix this, make sure that:

  1. abylon LOGON is activated!
  2. the preference option is disabled during account creation!
  3. you have a supported smart card or USB token!
  4. you have an EC card with chip!
  5. a corresponding PC/SC driver is installed! (NOTE: With Reiner SCT card readers, this driver is not installed during standard installation - download from the homepage https://www.reiner-sct.de)
  6. a corresponding CT32.DLL is installed. In case of problems please contact the card reader manufacturer!
  7. the correct CSP is entered in the corresponding field. In case of problems please contact the manufacturer of the smart card or the USB token for a CSP!
  8. a current driver is installed. In case of problems please contact the card reader manufacturer regarding a current driver update!

With the single version, an account can only be created or tested with an activated logon, because only then the required service is running!

To use our software with a certificate smart card, the corresponding CSP (Crypto Service Provider = interface between the certificate on the smart card and the software) must be entered in the corresponding field in the settings. This starts the CSP during the logon process and only then is access to the certificate possible.

The CSP is usually shipped with the certificate chip card and the certificate.

A CSP is NOT part of our software!

In principle our software abylon LOGON works together with all common card readers that use common standards. If the card reader is correctly installed, you can test the functionality of our software with a normal EC card. These are usually supported by every card reader.

If you want to test the functionality with a certificate smart card, you have to enter the used CSP (Crypto Service Provider: driver interface between the certificate on the smart card and the software) in the corresponding field of the settings. The best way to do this is to contact the card reader manufacturer or smart card issuer.

For concrete questions please feel free to contact us.

In this case the correct driver for the certificate chip card was not loaded during logon, so that abylon LOGON simply treated the chip card as EC card. You simply have to add the corresponding CSP modules (drivers) in the corresponding list in the setup.

Example SmartTrust driver:

File SmartCertmover.exe in the directory CSP

To find out the corresponding files, please read the instructions for your smart card reader and your smart card or contact the manufacturer.

FAQ: Password

Information about password usage and related security issues.

For this purpose, a mouse click event was inserted programmatically from version 19.10.1 and 2020.1 on. If there are problems with this, it can be switched on or off via the registry. To do this, under HKEY_LOCAL_MACHINE\SOFTWARE\abylon\[PROGRAM NAME, e.g. ENTERPRISE]\FLAGS set the value FWACTIVATEWINDOW from YES to NO.

After the password entry the software displays the message "The entered password is wrong or the key file (certificate) does not belong to this object!". What is the reason for this?

Please check first whether the password was really entered correctly or the keyboard layout has changed.

Another possibility is that the password scrambler converts certain special characters into other characters. For this reason it is necessary in such cases to activate or deactivate the password scrambler according to the creation of the encrypted element. I.e., if the password scrambler was activated during encryption, it must also be activated during decryption.

The password scrambler must be deactivated in any case if a password or the SecureID is entered into the password field via copy and paste. Otherwise, the program will not recognize a keyboard entry and the password field will remain empty.

The SecureID is a so-called emergency password. If the chip card or USB stick is defective or lost, this can be entered as an alternative for decryption.
The SecureID is determined during the encryption process on the page 'Key management >SYMM-System'.
The SecureID is identical for each encrypted object (abylon KEYSAFE, abylon CRYPTDRIVE, abylon BASIC, abylon SHAREDDRIVE) and is built as follows:

# + 32 characters + . + 32 characters + #
(characters only numbers 0-9 or letters A-F; e.g. #A54E1CB23F31464AC3B7D65F4557C1D1D. 50F4B4A9EC30705944EB12870284C419#)

NOTE
- Starting with version 8.3, both upper and lower case letters can be entered. In older versions the input is case-sensitive.
- The password scrambler should be deactivated for input!
- The SecureID should be stored in a secure place!
- The SecureIDs are different for encryption and Windows logon.
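A format check for a typed or pasted SecureID, following the layout given above. This is an added example, not abylonsoft code: the function name is hypothetical, the sample IDs are constructed, and the `case_sensitive` switch assumes that versions before 8.3 expect upper case as in the page's own sample.

```python
"""Check that a SecureID has the layout '#' + 32 + '.' + 32 + '#'."""

HEX = set("0123456789ABCDEF")  # characters allowed by the description above


def check_secureid(text, case_sensitive=False):
    """Return (normalized_id, None) if well-formed, else (None, reason).

    The reason never repeats the ID itself, so it can be shown in a
    help-desk note or a log without disclosing the emergency password.
    """
    # Copy and paste often adds spaces or line breaks; drop them first.
    s = "".join(text.split())
    if len(s) < 2 or s[0] != "#" or s[-1] != "#":
        return None, "must start and end with '#'"
    blocks = s[1:-1].split(".")
    if len(blocks) != 2:
        return None, "needs exactly one '.' between the two blocks"
    for label, block in zip(("first", "second"), blocks):
        if len(block) != 32:
            return None, f"{label} block has {len(block)} characters, expected 32"
        if not set(block.upper()) <= HEX:
            return None, f"{label} block contains characters other than 0-9 and A-F"
        # Assumption: older versions expect the letters in upper case.
        if case_sensitive and block != block.upper():
            return None, f"{label} block contains lower-case letters"
    return "#{}.{}#".format(*(b.upper() for b in blocks)), None


if __name__ == "__main__":
    # Constructed sample values, not real SecureIDs.
    samples = {
        "well-formed": "#0123456789ABCDEF0123456789ABCDEF.FEDCBA9876543210FEDCBA9876543210#",
        "pasted with line break": "#0123456789abcdef0123456789abcdef.\nfedcba9876543210fedcba9876543210#",
        "one character missing": "#0123456789ABCDEF0123456789ABCDE.FEDCBA9876543210FEDCBA9876543210#",
        "letter O instead of zero": "#O123456789ABCDEF0123456789ABCDEF.FEDCBA9876543210FEDCBA9876543210#",
    }
    for name, value in samples.items():
        normalized, reason = check_secureid(value)
        print(f"{name}: {'ok' if normalized else reason}")
```

A well-formed result only means the layout is right; whether the SecureID belongs to the encrypted object is decided by the software itself.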

A "brute force attack" means trying out all possible character combinations of passwords. For example, the process starts with 00000001 and then continues with 00000002, 00000003, 00000004.... A password that has only 4 digits and consists only of numbers can easily be "cracked" within a few seconds. A good password should consist of at least 12 characters with lower case letters, upper case letters, numbers and special characters. In addition, no words from dictionaries, names or relevant password databases should be used. If you follow these rules, you can be sure that it will not be possible to decrypt the protected data economically in the foreseeable future.

 

Unfortunately / fortunately it is not possible to open protected data without the corresponding password. I.e., the software of abylonsoft offers neither a back door nor a so-called "general key". If you have lost your password, you can no longer access your stored data. 

You should remember the passwords you use well and, if necessary, write them down in a secret place. However, this should not be on the hard disk or near the computer. Alternatively, so-called password managers (such as abylon KEYSAFE) offer the possibility to store the different passwords in a secure database. In this case you only have to remember one password.

An insecure password is always a date of birth, a nickname, a name in principle or any other word that is frequently used or that is in the dictionary.

A secure password is a password consisting of several random characters, e.g. myz<_/k)),%06YLbcw3pU. It consists of special characters ( ! "§$%&/()==?´*?+#´\ß^.;:_@<>|{[]}), numbers (1234567890), uppercase letters (QWERTZUIOPÜÄÖLKJHGFDSAYXCVBNM) and lowercase letters (qwertzuiopüäölkjhgfdsayxcvbnm).

If you cannot remember such a password, you can use a trick. Although the resulting password is not as secure as the previous one, it is still much more secure than "Otto" or "Müller". This is how it works: think of a long sentence that you can easily remember, such as: I live in the model city 134b. My phone number is 123456789. Now simply take the first letters / characters from this sentence. In this case that would be "IwidM1.Mti1." (the initials follow the German original of the example sentence). However, you should make sure that at least some numbers and special characters are present in the sentence. In addition, you must pay attention to upper and lower case.

To create a really secure password, you should use the integrated password generator. You can find it for example in abylon KEYSAFE.
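The password rules and the brute-force reasoning from the paragraphs above, worked through as an added example (not abylonsoft code). The guess rate of one billion per second and all function names are assumptions for illustration; `initials` is applied to the English wording of the example sentence, which gives different initials than the ones quoted above.

```python
"""Check a password against the rules above and estimate brute-force effort."""
import string

SECONDS_PER_YEAR = 365 * 24 * 3600
GUESSES_PER_SECOND = 10**9  # assumed attacker speed, not a figure from the page

# Character classes named in the text, with their ASCII alphabet sizes.
CLASSES = {
    "lower case": (str.islower, 26),
    "upper case": (str.isupper, 26),
    "number": (str.isdigit, 10),
    "special": (lambda c: not c.isalnum(), len(string.punctuation)),
}


def classes_used(password):
    return [name for name, (test, _) in CLASSES.items()
            if any(test(c) for c in password)]


def candidates(password):
    """Worst case for a brute-force run: every string of length
    1..len(password) over the character classes the password uses."""
    alphabet = sum(CLASSES[name][1] for name in classes_used(password))
    return sum(alphabet ** n for n in range(1, len(password) + 1))


def seconds_to_exhaust(password, rate=GUESSES_PER_SECOND):
    return candidates(password) // rate


def rule_violations(password, wordlist=()):
    """Rules from the text: at least 12 characters, all four character
    classes, no dictionary words or names (wordlist supplied by the caller)."""
    problems = []
    if len(password) < 12:
        problems.append("fewer than 12 characters")
    used = classes_used(password)
    problems += [f"no {name} character" for name in CLASSES if name not in used]
    lowered = password.lower()
    problems += [f"contains the word {w!r}" for w in wordlist if w.lower() in lowered]
    return problems


def initials(sentence):
    """First character of each word, keeping punctuation that ends a word."""
    out = []
    for word in sentence.split():
        out.append(word[0])
        if len(word) > 1 and word[-1] in string.punctuation:
            out.append(word[-1])
    return "".join(out)


if __name__ == "__main__":
    sentence = "I live in the model city 134b. My phone number is 123456789."
    words = ["otto", "müller"]  # constructed stand-in for a dictionary
    for pw in ("1234", "Otto", initials(sentence)):
        years = seconds_to_exhaust(pw) // SECONDS_PER_YEAR
        print(f"{pw!r}: about {years} years, issues: {rule_violations(pw, words) or 'none'}")
```

The estimate covers exhaustive search only; a password built from dictionary words or names falls much sooner, which is why the word check is part of the rules.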

FAQ: Installation

Questions and Answers about the installation of software products from abylonsoft.

Usually, with abylonsoft software, the new version can be installed over the old version. This is also the case if the setup asks in advance and offers the uninstall option. If installing over the old version is not possible for any reason, you will be notified during installation. In this case no other option is offered.

Yes, because during the installation the software has to make some settings for which only the administrator has rights. So log in for the installation as an administrator or contact your responsible administrator.

Possible cause of error:

  1. You have entered the registration data incorrectly! The safest way is to copy and paste the name and the registration key from the email directly into the registration dialog of our software.
  2. Each license key is created individually for each program and each version. Check whether your registration data are also intended for the version you have installed!

Updates in the same major version number are free. Updates to the next major version number are subject to an update fee. If you have any questions or problems, you are welcome to contact us via the Contact page.

This is because when a new user is created, Windows first creates the registry and makes entries. Since our software also has to make registry entries, an operating system restart is required for proper operation.


If this error occurs, you should manually download and install the setup from the download page. All settings of the previous version will be adopted.

FAQ: General

General questions and answers about the software from abylonsoft.

This error is caused by the rights management under Windows.
  • If you open a file, the error message The path is not available is displayed.
  • If you open a folder, the error message Unhandled exception in the application - The root folder cannot be retrieved is displayed.
user's root folder or the own files. This causes the above error message and is due to the Windows rights policy. As a workaround, you could adjust the NTFS permissions, for example, add the rights for administrators in the user directory.

Redist Pack for Microsoft Visual Studio 2008

Redist-Error-Message 0xc0150002

We unfortunately had to realize that Microsoft has changed something since the end of the Windows 7 support. Since that time it seems to be necessary to install a so-called Redist-Pack of Microsoft Visual Studio. This was not necessary before, but now it seems to be absolutely necessary. Please download and install the Redist-Pack of Microsoft Visual Studio 2008.

Alternatively please use our contact form for further information! Please indicate the software version and operating system.

From version 19.1 or 2020.1 the appropriate Redist-Pack is delivered with the setup.

Interaction with electromagnetic radiation

First of all, passive RFID tokens (chip cards or key fobs) need a magnetic field or high-frequency radio wave to be supplied with energy. This is usually done by the RFID card reader. The data integrity on the RFID token is not endangered by light magnetic or radio fields. The data is not likely to be erased, for example by a mobile phone, a magnet or a monitor. However, an electromagnetic interference source can lead to an impairment of the reading reliability.

Storing the RFID token in the same pocket as the mobile phone is no problem. In order not to disturb the reading process, the RFID card reader should be placed as far away from electromagnetic sources as possible! In a microwave, on the other hand, the RFID token is likely to be destroyed.

Tray-Icons are small buttons, which are displayed in the taskbar at the bottom right, next to the clock.
These icons are used to display information and call functions. In the preferences, Windows deactivates tray icons of programs so that they are not displayed for the time being. The following section describes how the settings for all or individual icons can be set.
NOTE The description is general. Depending on the program, you must select the appropriate tray icon. You can find this in the help or the FAQ's.

How do I open the settings for the tray icons?

To the left of the clock, there is a small white arrow pointing upwards, which can be used to display the other tray icons.

Adjust Tray-Icons

With "Customize" you can define the behavior of the tray icons. The "Info Area Symbols" window opens.
NOTE Below are alternative ways to open this window.

Information area symbols

In the settings window for info area symbols, you can define the behavior of each individual tray icon.
Select the corresponding icon and select "Show icon and notifications" as option. After that you will find the tray icon on the taskbar to the left of the clock at any time.
Alternatively, you can enable the option "Always show all icons and notifications on the taskbar". In this case, the tray icons of future programs will also be displayed directly on the taskbar.

Alternative 2 to open the notification area icon settings

Move the mouse to a free area of the taskbar and press the right mouse button. Select Properties from the menu. The dialog for customizing the info area symbols opens on the Taskbar page via the "Customize" button.

Taskbar Properties

Alternative 3 to open the notification area icon settings

As a further option, you can also open the Control Panel via the Start menu. Select "Large Icons" or "Small Icons" in the upper right corner. Now you can open the settings via the "Info Area Symbols" icon.


Because of errors in the operating system or other software, and because of the variety of hardware in use, errors and / or irregularities that appear to occur in abylonsoft software are not necessarily caused by this software. The interactions between our software and software / hardware from other manufacturers are so complex that we cannot take them into account in all cases. Often errors / defects in other software (e.g. the operating system) also occur that only take effect in combination with our software. These errors usually manifest themselves as a general protection violation or a system crash. For these reasons we subject our software to very extensive testing before release in order to reduce problems and errors to a minimum.

Should you nevertheless become aware of a direct error in our software, we will correct it as soon as possible. So that we can understand the error / the problem, you should give us all the details:

  • Operating system
  • Service packs
  • Other software used
  • What triggered the error
  • Whether the error is reproducible
  • Etc.

Please use our support form for this purpose!

For more, see the terms and conditions (AGB).

FAQ: Compatibility

Questions and answers for compatibility tests of our software products with special hardware.

Microsoft has disabled the automatic installation of the framework .NET 3.5 under Windows 10. This causes crashes and protection violations during the execution of the .NET 3.5 versions of abylonsoft.

How can I still activate .NET 3.5 under Windows 10?

Activate .NET 3.5 under Windows 10

As shown in the screenshot, Microsoft .NET 3.5 can be enabled via the Windows features:

  1. Open the Control Panel under Windows 10, e.g. via the Search field or the Settings icon in the Start menu.
  2. Display all system control elements and select the entry Programs and Features. This item is also displayed directly under Programs.
  3. Open the Windows features on the left.
  4. Find the entry .NET Framework 3.5 (contains .NET 2.0 and 3.0) in the list.
  5. If the entry is activated, deactivate it first (otherwise skip this step). Confirm with Ok so that Windows applies the changes, which can take some time.
  6. Afterwards, or if the entry was deactivated anyway, activate the option by clicking it. Confirm this with Ok as well.

Subsequently, the .NET 3.5 version of our software should also run without problems under Windows 10.

To use a removable disk (e.g. USB stick) as "key" for login and encryption or mobile use (switch "install modules on USB stick"), the following conditions must be met:

  1. The USB stick must be plugged in
  2. The USB stick must create a new drive
  3. The drive must be formatted
  4. The drive must be writable (write permissions)
  5. The drive must have enough disk space
  6. The driver must register the drive as "Removable Device"

Card reader:

Our software supports all card readers that offer the standard PC/SC interface. In addition, you have to pay attention to which smart cards are supported by the card reader. Besides contact smart cards, there is a large variety of suppliers and technologies for contactless smart cards. The supported frequencies 125 kHz (long wave) and 13.56 MHz (short wave) are examples.

Chip cards:

  • Contact ACOS1 or ACOS3 chip cards
  • Other contact processor smart card (on request)
  • 13.56 MHz Legic ATC
  • other 13.56 MHz (on request)
  • 13.56 MHz Mifare Classic
  • 13.56 MHz Mifare Desfire
  • 13.56 MHz Mifare UX
  • 125 kHz HITAG (on request)
  • 125 kHz EM (on request)
  • other RFID cards/keyfobs (on request)

Our software can be fully tested for 30 days. You should definitely take advantage of this offer. If you have any questions about compatibility, you are also welcome to contact us.
On our hardware page you will also find a selection of compatible card readers and chip cards.

Support request for abylon LOGON Business Windows login with a hardware key

1 Support request

Avatar of Anusha #188

Anusha - Entry from: 20.09.2023 at 10:54
Software version: 23.60.00.3 - Operating system: Windows Server 2019 Datacenter 64 bit

Question: Chip scanning and login doesn't work on client machine

I have scanned a chip and created a login account from my server. But when I login on the client computer, the chip is not getting scanned and the account details are not being shown. Chip Scan doesn't work on the client machine. Also, I do not see the .imk files or the account login files being synced to the client machine. The folder is empty on the client machine, even after initiating sync from the server machine many times. Please help

-- following question --
I set up the software again from scratch this morning, and I'm still facing the same issue. I checked in with all your points below, and everything is set up correctly. After adding the logon account on the server, I initiated sync, and restarted both the server & client machines. When I try to logon to the client machine with scanning the chip, it doesn’t work at all (not getting scanned). Please refer to the screenshot for how the login screen is, when I try to scan ID chip on client machine.

Please help me with this. I'm testing this for one of my clients and I want to set Abylon up for their environment.

Avatar of abylonsoft support #188

Reply:

Thank you for your interest in our software abylon LOGON.

Your problem may have several causes, which are difficult to determine remotely.


  1. The software abylon LOGON Business must be installed on the server (does not have to be a real server) and on the connected clients.

  2. On the "server" all logon accounts can be created (under Logon accounts). For this purpose, the smart card is learned with the corresponding Windows user name and password.
    As you write, for each account an IMK file with the data is created on the server.

  3. The abylon LOGON Business software will also be installed on the client. Here the server name (UNC or IP) is specified in the settings (Logon page) under Server. After pressing "Apply" the data will be synchronized.

  4. For this to work, however, the services (to be seen on the settings page Administrative Settings) must be running and the user for synchronization must have been created.
    This is also shown on the "Logon Settings" settings page at the bottom under Application Status.



You can also find a rough instruction in the following PDF file.

--- following answer ---
It now looks to us like the card reader or RFID token is not installed or configured properly. Otherwise our software would react in some way (e.g. teach card).

You should look in the windows device manager if the card reader is installed correctly. In some cases it is better to use the card reader manufacturer's driver, sometimes it is better to use the default driver from Microsoft.

You should also make sure that the card reader supports the RFID token. There are many different standards.
If necessary, try to learn the card on the client.

If necessary, also try to teach the card on the client in the settings dialog of abylon LOGON Business (not in the login screen). The application status in the abylon LOGON settings on the "Logon settings" page can also provide an indication of problems.
