Graphical identification and authentication
The graphical identification and authentication (GINA) library is a component of some Microsoft Windows operating systems that provides secure authentication and interactive logon services.
GINA is a replaceable dynamically linked library that is loaded early in the boot process in the context of Winlogon when the machine is started. It is responsible for handling the secure attention sequence, typically Control-Alt-Delete, and interacting with the user when this sequence is received. GINA is also responsible for starting initial processes for a user (such as the Windows Shell) when they first log on.
Overview
A default GINA library, MSGINA.DLL, is provided by Microsoft as part of the operating system, and offers the following features:
- Authentication against Windows domain servers with a supplied user name/password combination.
- Display of a legal notice to the user prior to presenting the logon prompt.
- Automatic Logon, allowing a user name and password to be stored and used in place of an interactive logon prompt. Automatic logon can also be configured to execute only a certain number of times before reverting to interactive logon. In older versions of Windows NT, the password could only be stored in plain text in the registry; support for using the Local Security Authority's private storage capabilities was introduced in Windows NT 4.0 Workstation Service Pack 3 and Windows NT Server 3.51.
- A "Security Options" dialog when the user is logged on, which provides options to shut down, log off, change the password, start the Task Manager, and lock the workstation.
Winlogon can be configured to use a different GINA, providing for non-standard authentication methods such as smart card readers or identification based on biometrics, or to provide an alternate visual interface to the default GINA. Developers who implement a replacement GINA are required to provide implementations for a set of API calls which cover functionality such as displaying a "workstation locked" dialog, processing the secure attention sequence in various user states, responding to queries as to whether or not locking the workstation is an allowed action, supporting the collection of user credentials on Terminal Services-based connections, and interacting with a screensaver.
A custom GINA could be made entirely from scratch, or just be the original GINA with modifications. A custom GINA can be specified by placing a string value named GinaDLL in the registry location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. The Winlogon component is solely responsible for calling these APIs in the GINA library.
When the Winlogon process starts, it compares its version number to that which is supported by the loaded GINA library. If the GINA library reports a higher version than Winlogon supports, Windows will not boot. This is done because a GINA library written for a given version of Winlogon will expect a certain set of API calls to be provided by Winlogon.
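A defender-side check for the GinaDLL value described above, added here as an example and not part of the article: it reads the Winlogon key, reports whether anything other than the default MSGINA.DLL is configured, and notes that Winlogon only honours the value before Windows Vista. It assumes PowerShell on the host being audited with rights to read HKLM; resolving a bare file name against System32 is an assumption about where Winlogon would find the library.

```powershell
# Added example, not from the article: audit the GinaDLL value under the
# Winlogon key. Winlogon loads MSGINA.DLL when the value is absent.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-GinaDllStatus {
    param([string]$KeyPath = $WinlogonKey)

    # Winlogon honours GinaDLL only before Windows Vista (NT 6.0); on later
    # versions a leftover value is inert but still worth reporting.
    $honoured = [System.Environment]::OSVersion.Version.Major -lt 6

    $gina = (Get-ItemProperty -Path $KeyPath -ErrorAction Stop).GinaDLL
    if (-not $gina) {
        return New-Object PSObject -Property @{
            Value    = $null
            Path     = $null
            Honoured = $honoured
            Expected = $true
            Note     = 'GinaDLL not set; default MSGINA.DLL in use'
        }
    }

    # Assumption: a bare file name is resolved from the system directory,
    # the same place Winlogon would find it through the normal DLL search.
    $path = $gina
    if (-not [System.IO.Path]::IsPathRooted($gina)) {
        $path = Join-Path $env:SystemRoot ('System32\' + $gina)
    }

    $isDefault = (Split-Path -Path $gina -Leaf) -ieq 'msgina.dll'
    $exists    = Test-Path -Path $path -PathType Leaf
    $company   = if ($exists) { (Get-Item $path).VersionInfo.CompanyName } else { '<missing>' }

    # Anything other than the stock library in its expected place should be
    # reconciled against the change records for this host.
    New-Object PSObject -Property @{
        Value    = $gina
        Path     = $path
        Honoured = $honoured
        Expected = ($isDefault -and $exists)
        Note     = "default=$isDefault exists=$exists publisher=$company"
    }
}

Get-GinaDllStatus | Format-List Value, Path, Honoured, Expected, Note
```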
Support for replaceable GINA DLLs was introduced with Windows NT Server 3.51 and Windows NT Workstation 4.0 SP3. Successive versions of Windows have introduced additional functionality into Winlogon, resulting in additional functionality that can be implemented by a replacement GINA. Windows 2000, for example, introduced support for displaying status messages (including verbose messages that can be turned on through Group Policy) about the current state to the user (e.g. "Applying computer settings..."), and starting applications in the user's context; this facilitates restarting Windows Explorer automatically if it crashes, as well as starting the Task Manager. Windows XP introduced support for Fast User Switching, Remote Desktop and a more interactive, simplified and user-friendly full-screen logon.
Recent Windows versions
In Windows Vista, GINA has been entirely replaced by Credential Providers, which allow for significantly increased flexibility in supporting multiple credential collection methods. To support the use of multiple GINA models, a complex chaining method used to be required, and custom GINAs often did not work with fast user switching. GINA libraries do not work with Windows Vista and later Windows versions. One difference, however, is that GINA could completely replace the Windows logon user interface; Credential Providers cannot.
See also
- List of Microsoft Windows components
- Winlogon
- Windows NT Startup Process
External links
- Winlogon and GINA, developer information on how the login components interact
- Customizing GINA Part 1, Developer tutorial for writing a custom GINA.
- Customizing GINA Part 2, Developer tutorial for writing a custom GINA.