Support, help and instructions for abylon LOGON Business

Additional Info and Help Windows login with central administration

Questions and answers about the software abylon LOGON Business (FAQs)

Windows login with hardware key and central administration

Windows 10

Leaving the logon lock screen is only possible under Windows 10. Just click the Cancel button. The Windows 10 login screen is then displayed.

In the abylon LOGON settings, the Cancel button can be deactivated on the page Logon Settings -> Login Behavior with the setting "Allow switch to normal logon with abort (Esc) in logon mode".

Under Windows 8 and older

Here it is NOT possible to exit the lock screen. If you press the Cancel button, our software offers the option to enter the login data.

Account management dialog: Checkbox or Pulldown

The checkbox Show account management on logon is displayed in the account management dialog at the bottom left. After deactivation, the dialog will no longer be displayed during logon and logon will be performed automatically with the last used user account (default).

In the pull-down menu you can select the time when the Windows logon will be performed automatically. The last used user account (default) is also selected. The automatic Windows logon is deactivated if the time "0" has been set. In this case, the Windows logon is only performed after pressing the button Logon.

To display the account management dialog again, the icon Reset (red curl) must be pressed in the logon settings.

Synchronization of the logon account files restores them after manual deletion. You should therefore first remove the locked file again in the abylon LOGON settings, because after the first removal the logon account is only locked. To learn a card again, the account must first be deleted by removing it a second time.

Starting with version 18, the difference between a blocked and a deleted account file will be displayed more clearly in the settings dialog!

Procedure on the server: Final deletion of a locked logon account file with file extension IMK and file size 0 KB!

The account data on the server is stored in 2 folders:

In the working directory "C:\Users\Public\Documents\abylonsoft\apmLogon\DATA\LOGON" (or comparable), the program abylon LOGON Business makes all account changes and settings. When the synchronization service is activated, the changes are copied from this directory into the share "C:\abylonsoft\LOGONACCOUNTS" (or comparable). The files are distributed to the clients only from this share folder.

If the locked zero-byte file is to be deleted, delete it first in the working directory under "Users\Public ...". The file can then be removed from the share.

Procedure on the client: If the setting "Synchronize account files created on the client with the server?" is enabled, the locked logon account files can be copied from the client back to the server!

In order to learn an account on the client again, the 0 KB account file must also be permanently removed there. To do this, you should first deactivate the user synchronization service. Then the corresponding 0 KB file in the directory "C:\Users\Public\Documents\abylonsoft\apmLogon\DATA\LOGON" can be deleted. The logon account can then be newly created in the settings. After activating the user synchronization service, this new account is distributed to the server and the other connected clients.
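
The lookup step of the deletion procedure above, as an added PowerShell example that is not part of abylon LOGON or of the original page: it only lists the 0 KB IMK files in the working directory and in the share and states which copy to delete first. The two paths are the defaults quoted above and may differ on your installation; the function name Get-LockedAccountFile is made up for this example.

```powershell
# Added example (not abylonsoft code): read-only report of locked, zero-byte
# *.IMK logon account files. Nothing is deleted or modified.
# Paths are the defaults quoted in the text; adjust them if your installation
# uses comparable but different locations.
$WorkingDir = 'C:\Users\Public\Documents\abylonsoft\apmLogon\DATA\LOGON'
$ShareDir   = 'C:\abylonsoft\LOGONACCOUNTS'

function Get-LockedAccountFile {
    # Returns the 0 KB *.IMK files directly inside $Path (nothing if none).
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Folder not found, skipped: $Path"
        return
    }
    Get-ChildItem -LiteralPath $Path -Filter '*.imk' -File |
        Where-Object { $_.Extension -eq '.imk' -and $_.Length -eq 0 }
}

# Collect only the file names so both folders can be compared.
$inWorking = @(Get-LockedAccountFile -Path $WorkingDir | ForEach-Object { $_.Name })
$inShare   = @(Get-LockedAccountFile -Path $ShareDir   | ForEach-Object { $_.Name })

$report = foreach ($name in @($inWorking + $inShare | Sort-Object -Unique)) {
    $inWork = $name -in $inWorking
    # Order from the text: working directory first, share afterwards.
    if ($inWork) { $next = 'Delete in working directory first, then in share' }
    else         { $next = 'Delete in share' }

    [pscustomobject]@{
        File         = $name
        InWorkingDir = $inWork
        InShare      = $name -in $inShare
        NextStep     = $next
    }
}

if ($report) { $report | Format-Table -AutoSize }
else         { 'No locked (0 KB) IMK files found.' }
```

On a client, run it only after the user synchronization service has been deactivated as described above; only the working directory exists there, so the share is reported as not found.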

Cause: Critical actions are only possible on the server!

If the synchronization mode is active, cards or accounts can only be deleted on the server and with admin rights. The corresponding icons are deactivated on the client.
The creation of logon accounts is not a security-critical action, so this is also possible on the client.

Cause: Password has expired

Screenshot: Active Directory User

In certain circumstances the Windows policies may specify that the password of the synchronization user expires. This should be checked in Active Directory Users and Computers under LELogonUser_Sync User and changed if necessary (see screenshot).

This problem will be solved programmatically in one of the next versions!

FAQ abylon LOGON

Frequently asked questions about Windows login and the administration of the software abylon LOGON (various variants).

Only under Windows 10!

If abylon LOGON is activated, the Windows lock window can only be left under Windows 10. When pressing the Cancel button the "normal" Windows logon screen is displayed.

On older Windows operating systems a login window of abylon LOGON is displayed. Here the password of the locked user can be entered via the keyboard.

The card monitoring is only active if the user has logged in with a hardware key via abylon LOGON. When card monitoring is running, a corresponding icon (two blue, vertical bars) is shown in the taskbar. Some functions of the software abylon LOGON can be called via this icon.

Restart computer

After the installation of the software abylon LOGON the card monitoring is NOT directly active. After learning a new logon account the computer should be restarted. This may also be necessary when changing settings!

Beginning with version 18, the reliability of card monitoring has been significantly increased once again by an additional service check.

Especially under Windows 10, we have observed that access to a smart card can take a very long time. This makes it look as if the software is hanging. This is because the operating system searches online for a driver for the card reader and/or the smart card. Windows often replaces the card reader manufacturer's driver with a standard driver from Microsoft. This can also lead to the described problems.
These problems can also occur under Windows 7 or 8, although less often.


First of all you should check in the Windows Device Manager which drivers are registered for the card reader and the smart cards. In this case, a deactivation of the corresponding device (described below) may help.

Another option is to disable the automatic search for drivers. For this purpose we have created a registry patch. This patch can be downloaded, without any warranty or liability, from the following link.

Download Registry-Patch (at your own risk): Save target as

Please execute this Regpatch only if you know what you are doing and have the necessary technical background. If possible, create a backup or a system restore point beforehand.

Possibility A: Settings

In the settings on the page Logon settings -> Login settings the item Do NOT allow account settings for new smart cards during Windows logon is activated. On certain systems this can lead to problems when learning the hardware key.

This setting item should be deactivated as a remedy. The setting only takes effect after the computer has logged off once. Our development team is currently looking for a solution to this problem.

Possibility B: Driver search

This phenomenon occurs because the Plug&Play functionality of Windows searches for drivers for the hardware key (e.g. RFID chip card or contact chip card) when inserting the card. This involves searching the computer and the Internet, which can take from several minutes to an hour. During this time, access to the hardware key by our software is not possible. Either the error message appears after a certain time or the software is blocked.

abylon LOGON blocked for device installation under Windows


Before you insert the smart card, open the Device Manager in the Control Panel:
Win 7: Start menu -> Control Panel -> System and Security category -> System section -> Device Manager
Win 10: Start menu -> enter Device Manager in the text field and confirm
Then insert the smart card and wait until Windows has completed the driver installation. This can take several minutes. If the smart card is installed by Windows, you should select and deactivate it before running abylon LOGON. The Device Manager shows the entry Unknown Smart card under Smartcard. It can be deactivated via the right mouse button menu. Usually the smartcard is displayed as Generic directly after the activation. Now the software abylon LOGON can be used with the smartcard or the token as hardware key.

Change smartcard from unknown to generic in Windows device manager

If the smartcard is not displayed, the unknown devices may be hidden. In the menu under View the item Show hidden devices can be activated.

When creating a new logon account, the following dialog is displayed:

Enter logon credentials

Enter the login name of the Windows account and the assigned password as username and password.

Under Windows 10 it may be that the username must be specified in a special syntax:

  1. If it is an online account, the email address must be entered as user name. (for example
  2. If it is a domain user, the domain name and user name must be separated by a backslash (e.g. DOMAIN\UserName)

Info at Microsoft.

The Windows accounts are defined in the control panel under User accounts. An empty user account or an account without a password is not allowed!

Under Domain / workgroup the following can be specified:

  1. Domain name
  2. Server name
  3. "ANYCLIENT" (without quotation marks)

Normally the host name should be there, so no customization is required.

A command line parameter can be used to personalize multiple processor chipcards in one go. Procedure:

  • Create a link to the file SALogon.exe or, for 64-bit, SALogonx64.exe
  • Edit the link via right mouse button menu -> Properties
  • Under Target, append the parameter /RESETACOS3
    Complete string under Target: "[PROGRAMMPFAD]\SALogonx64.exe" /RESETACOS3
  • Execute the link and insert the chip cards accordingly

Caution: This command line call is only available from version 15.30.3.

Procedure when using abylon LOGON with abylonsoft processor chipcards from ACOS:

  1. IMPORTANT! First close the settings window of the software abylon LOGON!
  2. Plug card reader (without card) into the USB port of the computer.
  3. Wait until the card reader driver is successfully installed and the device can be used! This may take a few minutes because the computer is searching online for a driver.
  4. Afterwards remove the card reader from the USB port (pull).
  5. Insert the processor chip card into the card reader and plug the card reader back into the USB port.
  6. Then Windows tries to install the smart card as a new device. In the status bar it is shown that a driver is searched for.
  7. Wait until the message appears: Driver for smartcard not found (also takes a few minutes)!
  8. Open the Windows Device Manager (Start -> Control Panel -> System -> Device Manager).
  9. Here the smartcard should be displayed with an exclamation mark (under Other / Other devices). Then right-click the Smartcard entry and select Disable in the context menu that appears!
  10. Close the Device Manager.
  11. Finally, open the abylon LOGON settings with admin rights and create the logon account!

Important! If the creation of an abylon LOGON account with the processor chip card (smartcard) does not work, the smartcard must definitely be deactivated in the Windows device manager (as described above).
If the entry Smartcard with the exclamation mark is not displayed, the card reader should be removed from the USB port when the device manager is open and plugged back into the port with the smartcard inserted. The view in the device manager can be updated via an icon!

Yes, in any case!

Even in safe mode, the Windows password must be entered.

In order to use a Windows password that is really secure against cracking, it should be as long as possible and contain numbers, uppercase letters, lowercase letters and also special characters. This can lead to the fact that the password is difficult to remember on the one hand and on the other hand has to be entered laboriously via the keyboard.

This is where the software abylon LOGON comes into play: it takes over the password input without you having to give up security.

In the basic version it is not possible to create a copy of a USB stick for security reasons.

But there are alternatives:

  1. SecureID:
    To still be able to log in when the USB stick is lost or defective, the so-called SecureID is offered. This is a long string of characters that can be used for emergency logon. The SecureID can be created in the settings on the page Logon Accounts via the icon with the barcode (far right). To do this, the corresponding user must be selected in the list.
  2. A second USB stick:
    Another option is to create a second USB stick with the same credentials for Windows logon. It should be stored safely and, if possible, protected with a PIN for security reasons.

    With the software abylon LOGON there is no limit to the number of keys used. In principle, any number of keys can be configured for a Windows logon account!

  3. Safe mode:
    As a last option, it is always possible to log in in safe mode.

    The possibility of logging on to the computer in safe mode does not pose a security risk if the Windows logon password is sufficiently secure (at least 12 characters, as well as the use of special characters, numbers, upper and lower case letters).

The SecureID is a so-called emergency password. This can be entered in the logon mask as an alternative to the Windows logon password if the chip card or USB stick is defective or lost.

The SecureID is determined during the setup of the Logon account or in the Setting dialog on the page Logon -> Accounts.

The SecureID is different for each Windows logon account and is structured as follows:

# + 48 characters + ## + 32 characters + #
(characters only numbers 0-9 or letters A-F; e.g. #01699A9534F683073795238AC7F12DA1950E0C3A08060202# #44D6D243E0AEF35FAFE4CB4A24087578#)

NOTE: - Starting with version 8.3, both upper and lower case letters can be entered. In older versions the input is case-sensitive.
- The password scrambler should be deactivated for input!
- The SecureID should be stored in a secure place!
- The SecureIDs are different for encryption and Windows logon.

In the About dialog, the installed operating system is displayed incorrectly in the upper right corner. Due to technical differences between Windows XP and Vista, the software abylon LOGON cannot be activated.


  1. Open the Registry Editor by Start -> Run -> Regedit
  2. Change to the following path:
  3. Create a new key:
    named XP, VISTA, WINDOWS7 or WINDOWS8 according to your operating system
  4. Restart the computer

NOTE: This option is only available from version 7.3!

To use a USB token with our software abylon LOGON, the following criteria must be fulfilled:

  • The USB stick must be displayed as a drive in the File Explorer!
  • The USB stick must not be displayed as drive A: or B: in the File Explorer!

To use a CD/DVD with our software abylon LOGON, the following criteria must be fulfilled:

  • The root directory (ROOT) of the CD or DVD must not contain only directories. A sufficient number of files in the root directory is required to create the account!

In general, the card reader connected to the client is recognized with the default settings during the Remote Desktop connection and can be used directly.

If the card reader is not recognized, it can be activated when creating the remote desktop connection under Options -> Local Resources -> Local Devices. Another setting option can be found under Terminal Services Configuration -> Connections -> Properties -> Client Settings -> Connection Settings of User Preferences or correspondingly in Policies.

The following card readers were tested successfully: card readers from Cherry, Cardman 2020 and comparable, and the Aladdin eToken (USB token)!

To use a USB stick, it must also be known during remote desktop login.

After configuring your system it may happen that the Task Manager is displayed after unlocking the computer. To prevent this, deactivate (no check mark) the option "Should the security dialog (PREVIOUS REGISTRATION PRESS CTRL+ALT+DEL) be skipped automatically?" in the abylon SETTINGS on the page Logon -> Advanced under Login Behavior.

The software abylon LOGON is NOT active in safe mode (without network). This is a safeguard on our part, so that you can deactivate the software abylon LOGON in an emergency without having to reinstall your whole system.

Even in safe mode, you must enter your password for Windows logon, so that this cannot be exploited for an attack. In normal operation, you do not need to enter your password for the Windows logon; just plug in the medium (chip card, CD, USB stick) and the Windows logon takes place automatically. For this reason, you can use an extremely long password (at least 12 characters, including numbers, special characters, small and capital letters). The longer the password is, the harder it becomes for an attacker to crack the password. This makes your system much more secure than if you use no or a short password. The Windows login is only possible with the appropriate medium (chip card, CD, USB stick).

NOTE: For domain networks, access via safe mode can be deactivated!

This problem occurs due to problems with the Aladdin CSP when resetting the certificate store in the system user context.

As a result, learning accounts for the Aladdin eToken is only possible in the settings dialog of abylon LOGON. However, this has no effect on the use of the Aladdin USB token with our software.

To monitor the pulling and inserting of the smart card or the USB token, a service must be started. After the installation the program must be activated in the settings and the computer must be restarted once. In order not to burden the system resources unnecessarily, this service is not started when logging in via the normal Windows logon mask.

NOTE: The service can also be started manually using the following command:
abylon ENTERPRISE: Program directory\APMService /cardcheck
abylon LOGON: Program directory\SALService /cardcheck

Use the call "SALServiceX64" for 64-bit operating system versions!

The CT32-DLL is only required if our software is to be used with a memory chip card (e.g. health insurance card). In all other cases (e.g. EC cards), the presence of a CT32-DLL is NOT required.

If available, the CT32-DLL is installed during the driver installation of the card reader. Each card reader manufacturer delivers its own CT32-DLL, each with a different name. Our search functionality helps to determine the CT32-DLL. Due to the large number of providers, however, a faultless determination cannot be guaranteed. In this case a manual selection of the file is also possible. As a rule, the CT32-DLL can be found in the Windows or Windows system directory. Here are some examples of providers:

  • Reiner SCT Cyberjack: CTRSCT32.DLL
  • SCM Microsystems (Older Chip Drive Models): CTAPIW32.DLL
  • SCM Microsystems (SCR3340): CTPCSC31.dll; port: 1; pin: 1
  • Kobil KAAN: CT32.DLL
  • Cherry card reader: no CT32-DLL

If the CT32-DLL search functionality did not produce a result and your card reader is not listed, please read the documentation of the card reader or ask the manufacturer whether the product offers a CT32-DLL (CT-API).

In an operating system installation with default settings, a password without characters (blank password) and autologon can be set. These values are not allowed for our logon and lead to the password dialog not being displayed!

To solve this problem, assign a password to the corresponding user and deactivate the autologon!

After the correct uninstallation of abylon LOGON all settings made by the software in the registry will be reset to the value before the installation. In special cases, however, it can happen that the global settings are overwritten by the local settings. In this case you proceed as follows:

In the Policies:

  1. Open the settings dialog Local Security Policy under Start -> Control Panel -> Administrative Tools
  2. Switch to the path Security Settings -> Local Policies -> Security Options
  3. Double-click the policy Disable CTRL+ALT+DEL requirement for logon
  4. Set the value:
    Disabled = CTRL+ALT+DEL dialog is displayed
    Enabled = CTRL+ALT+DEL dialog is NOT displayed
    NOTE: Confusing because of the double negation!
  5. Restart the computer

In the registry:

  1. Open the Registry Editor by Start -> Run -> Regedit
  2. Change to the following paths:
    a) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    b) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  3. Set the values:
    DisableCAD = 0 -> CTRL+ALT+DEL dialog is displayed
    DisableCAD = 1 -> CTRL+ALT+DEL dialog will NOT be displayed
    NOTE: Confusing because of the double negation!
  4. Restart the computer

NOTE: Often the settings and policies only take effect after a certain time (synchronization with the server) or a restart of the computer.
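
To see which value is currently in effect before changing anything, the two registry paths above can be read as follows. This is an added PowerShell example, not part of abylon LOGON or of the original page; it writes nothing to the registry, and the function name Get-DisableCadState is made up for this example.

```powershell
# Added example (not abylonsoft code): read-only check of DisableCAD at the
# two registry paths listed above. Nothing is written to the registry.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Get-DisableCadState {
    # Reads DisableCAD at one path and translates it as described in the text.
    param([Parameter(Mandatory = $true)][string]$Path)

    # A missing key or a missing value both end up as $null here.
    $item = Get-ItemProperty -LiteralPath $Path -Name 'DisableCAD' -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        $value   = '(not set)'
        $meaning = 'DisableCAD is not set at this path'
    }
    elseif ($item.DisableCAD -eq 0) {
        $value   = 0
        $meaning = 'CTRL+ALT+DEL dialog is displayed'
    }
    elseif ($item.DisableCAD -eq 1) {
        $value   = 1
        $meaning = 'CTRL+ALT+DEL dialog is NOT displayed'
    }
    else {
        $value   = $item.DisableCAD
        $meaning = 'Unexpected value, check manually'
    }

    [pscustomobject]@{
        Path       = $Path
        DisableCAD = $value
        Meaning    = $meaning
    }
}

$state = foreach ($p in $paths) { Get-DisableCadState -Path $p }
$state | Format-List

# A differing result between the two paths is the situation described above,
# where one setting overrides the other after uninstallation.
if (@($state | Select-Object -ExpandProperty DisableCAD -Unique).Count -gt 1) {
    Write-Warning 'The two paths hold different DisableCAD states.'
}
```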

In the settings you define which action the computer should perform when the smart card or the USB token is pulled.

Additionally, abylon LOGON Version 5.2 or higher offers the possibility to directly select a corresponding action when pulling the smart card, without changing the settings. Just press one of the following keys (HotKeys) while pulling the chip card:

  • Shift key: Lock the computer
  • Ctrl key: Do nothing
  • Alt key: Log off the computer
  • Ctrl+Alt: Shut down the computer

After pulling the smart card you have to hold down the corresponding key (HotKey) until the computer beeps twice. Depending on the card reader this can take up to 3 seconds!

Windows uses a trick to speed up the login process by displaying the desktop before all drivers and services are loaded. This speeds up the login process, but can cause problems.

As we have no influence on the order of loading, our software has to wait until all services and drivers are loaded. This is necessary to be able to access the corresponding smart card or USB token.

NOTE: To speed up the login process, only the required keys should be activated in the settings on the page Logon settings under Media allowed for login!

  1. The software abylon LOGON is not activated yet!
  2. The setting option Do NOT allow account creation for new smart cards during Windows logon! is enabled! If this option is activated, it is not possible to create a new account in the settings!
  3. The chip card is not an EC card, a health insured card, a certificate chip card or a USB token!
  4. The EC card has only a magnetic strip and no chip!
  5. For the EC card, the PC/SC driver must be installed!
  6. For health insurance cards, a CT32.DLL must be installed!
  7. For a certificate smart card or USB token, the appropriate CSP must be entered in the corresponding field!
  8. You have a smart card reader with older drivers. Under certain circumstances, these can only read entries with a memory size of 40 bytes. However, with the new EC cards, entries with up to 255 bytes must be read!

To fix this, make sure

  1. that abylon LOGON is activated!
  2. that the settings option is disabled during account creation!
  3. that you have a supported smart card or USB token!
  4. that you have an EC card with chip!
  5. that a corresponding PC/SC driver is installed! (NOTE: With Reiner SCT card readers, this driver is not installed during standard installation - download from the homepage)
  6. that a corresponding CT32.DLL is installed. In case of problems please contact the card reader manufacturer!
  7. that the correct CSP is entered in the corresponding field. In case of problems please contact the manufacturer of the smart card or the USB token for a CSP!
  8. that a current driver is installed. In case of problems please contact the card reader manufacturer regarding a current driver update!

With the single version, an account can only be created or tested with an activated logon, because only then the required service is running!

To use our software with a certificate smart card, the corresponding CSP (Crypto Service Provider = interface between the certificate on the smart card and the software) must be entered in the corresponding field in the settings. This starts the CSP during the logon process and only then is access to the certificate possible.

The CSP is usually shipped with the certificate chip card and the certificate.

A CSP is NOT part of our software!

In principle our software abylon LOGON works together with all common card readers that use common standards. If the card reader is correctly installed, you can test the functionality of our software with a normal EC card. These are usually supported by every card reader.

If you want to test the functionality with a certificate smart card, you have to enter the used CSP (Crypto Service Provider: driver interface between the certificate on the smart card and the software) in the corresponding field of the settings. The best way to do this is to contact the card reader manufacturer or smart card issuer.

For concrete questions please feel free to contact us.

In this case the correct driver for the certificate chip card was not loaded during logon, so that abylon LOGON simply treated the chip card as an EC card. You simply have to add the corresponding CSP modules (drivers) to the corresponding list in the setup.

Example SmartTrust driver:

File SmartCertmover.exe in the directory CSP

To find out the corresponding files, please read the instructions for your smart card reader and your smart card or contact the manufacturer.

FAQ: Password

Information about password usage and related security issues.

For this purpose, a mouse click event was inserted programmatically from version 19.10.1 and 2020.1 on. If there are problems with this, it can be switched on or off via the registry. To do this, under HKEY_LOCAL_MACHINE\SOFTWARE\abylon\[PROGRAM NAME, e.g. ENTERPRISE]\FLAGS set the value FWACTIVATEWINDOW from YES to NO.

After the password entry the software displays the message "The entered password is wrong or the key file (certificate) does not belong to this object!". What is the reason for this?

Please check first whether the password was really entered correctly or the keyboard layout has changed.

Another possibility is that the password scrambler converts certain special characters into other characters. In such cases the password scrambler must be activated or deactivated to match the state used when the encrypted element was created. I.e., if the password scrambler was activated during encryption, it must also be activated during decryption.

The password scrambler must be deactivated in any case if a password or the SecureID are entered into the password field via Copy&Paste. Otherwise, the program will not recognize a keyboard entry and the password field will remain empty.

The SecureID is a so-called emergency password. If the chip card or USB stick is defective or lost, this can be entered as an alternative for decryption.
The SecureID is determined during the encryption process on the page 'Key management >SYMM-System'.
The SecureID is identical for each encrypted object (abylon KEYSAFE, abylon CRYPTDRIVE, abylon BASIC, abylon SHAREDDRIVE) and is built as follows:

# + 32 characters + . + 32 characters + # 
(characters only numbers 0-9 or letters A-F; e.g. #A54E1CB23F31464AC3B7D65F4557C1D1D. 50F4B4A9EC30705944EB12870284C419#)

- Starting with version 8.3, both upper and lower case letters can be entered. In older versions the input is case-sensitive.
- The password scrambler should be deactivated for input!
- The SecureID should be stored in a secure place!
- The SecureIDs are different for encryption and Windows logon.

A "brute force attack" means trying out all possible character combinations of passwords. For example, the process starts with 00000001 and then continues with 00000002, 00000003, 00000004.... A password that has only 4 digits and consists only of numbers can easily be "cracked" within a few seconds. A good password should consist of at least 12 characters with lower case letters, upper case letters, numbers and special characters. In addition, no words from dictionaries, names or relevant password databases should be used. If you follow these rules, you can be sure that it will not be possible to decrypt the protected data economically in the foreseeable future.


Unfortunately / fortunately it is not possible to open protected data without the corresponding password. I.e., the software of abylonsoft offers neither a back door nor a so-called "general key". If you have lost your password, you can no longer access your stored data.

You should remember the passwords you use well and, if necessary, write them down in a secret place. However, this should not be on the hard disk or near the computer. Alternatively, so-called password managers (such as abylon KEYSAFE) offer the possibility to store the different passwords in a secure database. In this case you only have to remember one password.

An insecure password is always a date of birth, a nickname, a name in general or any other word that is frequently used or that is in the dictionary.

A secure password is a password consisting of several random characters, e.g. myz<_/k)),%06YLbcw3pU. It consists of special characters ( ! "§$%&/()==?´*?+#´\ß^.;:_@<>|{[]}), numbers (1234567890), uppercase letters (QWERTZUIOPÜÄÖLKJHGFDSAYXCVBNM) and lowercase letters (qwertzuiopüäölkjhgfdsayxcvbnm).

If you cannot remember such a password, you can use a trick. Although the resulting password is not as secure as the previous one, it is still much more secure than "Otto" or "Müller". This is how it works: think of a long sentence that you can easily remember, such as: I live in the model city 134b. My phone number is 123456789. Now simply take the first letters / characters from this sentence. In this case that would be "IwidM1.Mti1.". However, you should make sure that at least some numbers and special characters are present in the sentence. In addition, you must pay attention to upper and lower case.

To create a really secure password, you should use the integrated password generator. You can find it for example in abylon KEYSAFE.