Configure AirLock for Your Organization
  • 02 Dec 2024

This section details the available registry keys and their corresponding GPO settings. We recommend setting them via GPO using the provided administrative templates, so that configuration is consistent across all AirLock-enabled workstations.

  • All manual configurations are in HKLM:\SOFTWARE\Axiad\AirLock.

  • All policy configurations are in HKLM:\SOFTWARE\Policies\Axiad\AirLock, and override manual configurations.
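The override rule above (a value under the Policies key wins over the same value under the manual key) is easy to get wrong when troubleshooting a workstation that has both. The following PowerShell script is an added example, not Axiad's own tooling: it reports, for each enforcement-related setting named on this page, which key the effective value comes from. The list of setting names is taken from this page; the `Customize` sub-key handling is an assumption based on the branding section below.

```powershell
# Added example (not Axiad's code): report the effective value of each AirLock
# setting, applying the rule that a value under the Policies key overrides the
# same value under the manual key.
$ManualKey = 'HKLM:\SOFTWARE\Axiad\AirLock'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Axiad\AirLock'

function Get-AirLockEffectiveSetting {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $SubKey = ''          # e.g. 'Customize' for branding values (assumed layout)
    )
    $manual = if ($SubKey) { "$ManualKey\$SubKey" } else { $ManualKey }
    $policy = if ($SubKey) { "$PolicyKey\$SubKey" } else { $PolicyKey }

    # Policy first, then manual; the first key that carries the value wins.
    foreach ($pair in @(@{ Path = $policy; Source = 'policy' },
                        @{ Path = $manual; Source = 'manual' })) {
        if (Test-Path $pair.Path) {
            $item = Get-ItemProperty -Path $pair.Path -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                return [pscustomobject]@{
                    Name   = $Name
                    Value  = $item.$Name
                    Source = $pair.Source
                    Path   = $pair.Path
                }
            }
        }
    }
    # Neither key carries the value: AirLock's documented default applies.
    [pscustomobject]@{ Name = $Name; Value = $null; Source = 'default (not set)'; Path = $null }
}

# Settings that drive the enforcement decision, as documented on this page.
$EnforcementSettings = @(
    'KioskUrl', 'KioskLogicPass', 'KioskLogicCard', 'KioskLogicConnectivityTest',
    'KioskOfflinePolicy', 'KioskRequireGroupSids', 'KioskImmuneGroupSids',
    'KioskImmuneUserSids', 'KioskAlwaysLogout'
)

$EnforcementSettings | ForEach-Object { Get-AirLockEffectiveSetting -Name $_ } |
    Format-Table Name, Source, Value -AutoSize
```

Run it in an elevated session on a workstation that misbehaves; a setting reported as `manual` while the GPO is expected to apply usually means the policy has not refreshed yet, and a setting reported as `policy` with an unexpected value points at the administrative template rather than the local key.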

Kiosk Settings

The kiosk is the Unified Portal session used to enroll or update an identity.

Registry and GPO Keys

Each entry below gives the registry value name, the GPO setting name and the value type, followed by a description and the default or allowed values.

reg: KioskAlwaysLogout / GPO: Always Logout After AirLock (REG_SZ)

If enabled, when a user completes a process in AirLock and would otherwise be sent to their desktop, they will instead be logged out of Windows. (This does not affect cases where the user does not need to enter AirLock.)

Most situations lead to a logout; however, if the user employs a valid authenticator and the process completed in AirLock does not affect that authenticator, then they can proceed to their Windows session without logging back in.

Default: “true” (enabled).

When “false”, AirLock will determine whether to allow desktop access or log the user out based on whether they have met the enforcement rules.

reg: KioskAutoLogonDomains / GPO: Authorized domains for Kerberos SSO (REG_SZ)

A comma-separated list of domain names that should be authorized to use Kerberos SSO to automatically log into AirLock.

No default. Mandatory for leveraging Windows domain logon for the AirLock kiosk.

reg: KioskImmuneGroupSids / GPO: Immune Security IDs (REG_MULTI_SZ)

A list of Security IDs (SIDs) corresponding to roles for a user that should be immune to AirLock enforcement.

Default: S-1-5-32-544

This is the SID of the built-in Windows Administrators group, covering local and domain administrators.

Any value (including an empty list) will override the default.

Note: REG_MULTI_SZ values are problematic to edit manually in a .reg file. It is recommended that you simply edit a REG_MULTI_SZ from inside regedit and export the resulting value for later use.

reg: KioskLogicCard / GPO: Logic to use after PKI-based logon (REG_SZ)

The "logic module" used to determine whether the user must go to the kiosk due to an expired or almost expired certificate on an inserted smartcard (any smartcard that is inserted, not only the one being used for authentication).

  • validity: the user is redirected to AirLock when a certificate is about to expire.

  • when-online: the user is redirected to AirLock when a certificate is within the renewal window AND Axiad can establish connectivity with the Unified Portal.

  • never (default): Axiad does not check the certificates of the inserted smartcards.

reg: KioskLogicConnectivityTest / GPO: Logic to use for testing network connectivity (REG_SZ)

The method used to determine whether or not the user is online (and therefore whether or not they are eligible for the AirLock).

  • Active Directory (“ad”): test whether the computer's Active Directory network is available. (Default)

  • Direct (“direct”): test whether the Axiad Unified Portal server is accessible.

One of “direct” or “ad”.

Default: “ad”

reg: KioskLogicPass / GPO: Logic to use after regular logon (REG_SZ)

The "logic module" used to determine whether the user must go to the kiosk; it is consulted only when the user did NOT log in with a smart card.

One of:

  • "slb-securityFlag": see “Module: slb-securityFlag” for additional configuration.

  • “always”: always enforce on use of a password.

  • “when-online”: enforce when online.

  • “never”: never enforce on use of a password.

Values are case-sensitive.

Default: "never"

reg: KioskOfflinePolicy / GPO: Policy for offline users (REG_SZ)

The action to take when AirLock detects that a user is offline.

  • Defer (“defer”): let the other configured policies ("logic modules") decide what happens. (Default)

  • Bypass (“bypass”): all users are allowed to use their desktop while offline.

  • Admins Only (“admins-only”): admins are allowed to use their desktop while offline. All other users are logged out.

  • Require Certificate (“require-certificate”): users who logged in with a certificate are allowed to use their desktop while offline. All other users are logged out.

One of “defer”, “bypass”, “admins-only”, or “require-certificate”.

Default: “defer”

reg: KioskRequireGroupSids / GPO: Require Security IDs (REG_MULTI_SZ)

A list of Security IDs (SIDs) corresponding to roles of users that should be AirLock enforced.

Only users with these roles will be enforced: the opposite effect of KioskImmuneGroupSids.

Registry Deprecation: this registry setting is deprecated in AirLock 2.4+.

No default.

Note: REG_MULTI_SZ values are problematic to edit manually in a .reg file. It is recommended that you simply edit a REG_MULTI_SZ from inside regedit and export the resulting value for later use.

reg: KioskSilenceErrors / GPO: Silence Standard Error Dialogues (REG_SZ)

Whether or not standard error dialogues should be suppressed.

These dialogues appear when a malfunction has been detected in the AirLock.

Default: “false”

reg: KioskSplashColor / GPO: Splash screen background color (REG_SZ)

Kiosk splash screen background color. Must be formatted as 6-character RRGGBB.

Default: "0067A8"

reg: KioskSplashLevel / GPO: Splash screen display level (REG_DWORD)

Level of detail shown on the splash screen.

  • 0: no logo or progress bar

  • 1: show logo but not progress bar

  • 2: show logo and progress bar

  • 3: show logo, progress bar, and status updates

Default: 3

reg: KioskUrl / GPO: Base URL for the kiosk (REG_SZ)

The URL AirLock opens the kiosk with.

This value will follow the pattern: https://portal-<customer>.cloud.axiadids.net/user/

Required

reg: RenewFullscreen / GPO: Force optional renewal to become maximized (REG_SZ)

Whether the optional renewal browser window should be opened in full-screen mode (“true”) or as a regular window (“false”).

One of “true” or “false”.

Default: “false”

reg: KioskIdleExitSeconds / GPO: Amount of time a user might be idle (REG_DWORD)

The number of seconds that users can be idle while viewing the AirLock kiosk before AirLock automatically exits.

Default: 60

reg: KioskImmuneUserSids / GPO: SIDs of the users immune to AirLock enforcement (REG_MULTI_SZ)

A list of Security IDs (SIDs) corresponding to users immune from AirLock enforcement.

By default, this list is empty. Providing any entries will enable this feature.

This is an optional configuration.

reg: KioskAuthBypass / GPO: Authentication providers that bypass AirLock (REG_MULTI_SZ)

A list of GUIDs corresponding to the authentication providers that are exempt from AirLock enforcement.

Exception: if KioskLogicCard is set to validity and the user has a smartcard inserted that has an expired certificate, then they will still be redirected to the AirLock workflow even if they use a bypass authenticator.

This applies to any smartcard inserted, not only the one used for authentication.

By default, this list contains the Axiad ID Winlogon provider and the Microsoft Hello authentication providers.

This is an optional configuration.

Enforcement Logic

slb-securityFlag

Note: the keys in this section are required only when KioskLogicPass = "slb-securityFlag".

Registry and GPO Keys

Each entry below gives the registry value name, the GPO setting name and the value type, followed by a description and the default or allowed values.

reg: SlbAction* (where “*” is a number) / GPO: Helpdesk Enforcement (REG_SZ)

The action which should be appended to the existing KioskUrl when the user's slb-securityFlag AD attribute equals a given value.

If a value is supplied that does not match a configured SlbAction* key, enforcement will be bypassed.

E.g.: Defining SlbAction3 as “xyz” would append ?action=xyz to the value of KioskUrl.

Valid options are:

  • credentialing for issuance

  • resetPin for PIN reset

  • update for device cert renewal

  • updateQA for resetting the question and answer credentials

When no value is supplied for one of these keys, the following defaults apply:

  • "SlbAction3"="credentialing"

  • "SlbAction10"="credentialing"

  • "SlbAction12"="credentialing"

  • "SlbAction24"="resetPin"

  • "SlbAction73"="update"

  • "SlbAction81"="updateQA"

To override one of the above defaults, either supply a new action value or:

  • to bypass enforcement, use a value of “internal.bypass”

  • to go to the kiosk without a specific action, use a value of “internal.none”

Validity

Note: the keys in this section are required only when KioskLogicCard = "validity".

Registry and GPO Keys

Each entry below gives the registry value name, the GPO setting name and the value type, followed by a description and the default or allowed values.

reg: RenewOptionalPeriod / GPO: Days before expiration to offer device renewal (REG_DWORD)

The number of days before certificate expiration at which the user is asked whether they wish to renew their logon certificate.

Required

reg: RenewRequiredPeriod / GPO: Days before expiration to require device renewal (REG_DWORD)

The number of days before certificate expiration at which the user is forced to renew their logon certificate.

Required

reg: RenewAction / GPO: Action to take when nearing expiration (REG_SZ)

The action which should be appended to the existing KioskUrl when X509 cert renewal is either required or requested.

E.g.: Defining RenewAction as issue would append ?action=issue to the value of KioskUrl.

Default: no action

reg: RenewSilenceAmbiguousCerts / GPO: Silence Ambiguous Certificate Renewal Message (REG_SZ)

Whether the MsgRenewAmbiguous message should be hidden when the user's certificate could not be identified among the logon certificates on the currently available devices.

Registry Deprecation: this registry setting is deprecated in AirLock 2.4+.

Default: "false"

Branding and User Messaging

Note

  • The Registry and GPO key values are under the Customize sub-key.

  • All manual configurations go in HKLM:\SOFTWARE\Axiad\AirLock\Customize.

  • All policy configurations go in HKLM:\SOFTWARE\Policies\Axiad\AirLock\Customize and override manual configurations.

Registry and GPO Keys

Each entry below gives the registry value name, the GPO setting name and the value type, followed by a description and the default value.

reg: MsgDisallowedByPolicy / GPO: Offline user logout warning (REG_SZ)

The message shown to warn the user that they're being logged out due to the AirLock offline policy.

Default:

“Your administrator has configured Axiad AirLock to deny this logon; you will be logged out after this prompt.”

reg: MsgEnforcementReasonCertificateExpiration / GPO: Mandatory Enforcement: Certificate Expiration (REG_SZ)

The message shown when the user must renew their expiring logon certificate immediately.

Default:

“The certificate issued to %s must be renewed immediately.”

reg: MsgRenewOffline / GPO: Offline Certificate Renewal Message (REG_SZ)

A customized message that displays when a user's certificate is about to expire, and the user is offline.

Provide one instance of %s in the string to insert the number of days remaining until the certificate expires.

Default:

"Your certificate will expire in %s days.
Renew it now?"

reg: MsgRenewOptional / GPO: Optional Certificate Renewal Message (REG_SZ)

The message that displays when the user's certificate will expire before RenewRequiredPeriod but after RenewOptionalPeriod.

Provide one instance of %s in the string to insert the number of days remaining until the certificate must be renewed.

Default:

“Your logon certificate will expire in %s days.
Renew it now?”

reg: BmpSplashLogo / GPO: Splash Screen BMP File (REG_SZ)

The fully qualified filename of the logo image to display during enforcement processing.

Default: empty string, which falls back to Axiad’s logo.

This must be an absolute filesystem path to a 256x256px .bmp image accessible by any user.

reg: MsgErrorShellMinor / GPO: Minor Error Message (REG_SZ)

The message displayed when an unexpected but recoverable error has occurred during enforcement.

These errors should only occur when AirLock is misconfigured or there is a runtime issue with

Default:

“An error occurred; please notify your administrator or support team.

Your regular desktop will open after this message.”

reg: MsgErrorShellMajor / GPO: Major Error Message (REG_SZ)

The message displayed when an unexpected and unrecoverable error has occurred during enforcement.

These errors should only occur when AirLock is misconfigured or there is a runtime issue with

Default:

“A critical error occurred; you will be logged out after this prompt.

Please notify your administrator or support team for assistance.”

reg: MsgErrorValidity / GPO: Validity Error message (REG_SZ)

The message displayed when the kiosk is launched but fails.

These errors should only occur when AirLock is misconfigured or there is a runtime issue.

Default:

Your logon certificate may be expiring soon, but an error occurred while trying to offer you a solution.\n\nPlease visit the User Portal in order to renew your certificate.

reg: MsgRenewAmbiguous / GPO: Ambiguous Certificate Renewal Message (REG_SZ)

Prompt shown when the user's certificate could not be identified among the logon certificates on the currently available devices.

Default:

“The Axiad AirLock could not discern which certificate was used to log in. Your certificate might require renewal.”

Debugging

Registry and GPO Keys

Each entry below gives the registry value name, the GPO setting name and the value type, followed by a description and the default value.

reg: DebugLogFileService / GPO: Log file for the Lockdown Service (REG_SZ)

Where debug logs for the Lockdown Service go.

Default: "C:\\Program Files\\Axiad\\AirLock\\Service.log"

Note the doubled “\” path separators.

reg: DebugLogFileShell / GPO: Log file for the Custom Shell (REG_SZ)

Where debug logs for the Custom Shell go.

Default: "%LocalAppData%\\Axiad\\AirLock\\Shell.log"

Note the doubled “\” path separators.

reg: DebugLogLevel / GPO: Log level (REG_DWORD)

The debug log detail level.

Default: 5

Valid values are 1 to 6; 5 is recommended for effective bug reports.

reg: DebugSafeMode / GPO: Safe Mode (REG_SZ)

If enabled, AirLock will be started in safe mode without fullscreen mode and without the keyboard lockdown. In addition, the debug flags will be enabled in AirLock.

Default: “false” for disabled

“true” to enable

reg: DebugSafeModeDumpFile / GPO: Network dump file for Safe Mode (REG_SZ)

The path to save a network dump when DebugSafeMode is enabled. This file will be overwritten on each launch of AirLock.

Default: “%LocalAppData%\\Axiad\\AirLock\\Network Dump.json”

Example Configurations

Phase in AirLock Enforcement to a Subset of Users

Scenario

In this example, AirLock is deployed via GPO. The binary is installed on workstations, but we have not yet configured any options.

We plan to stagger enforcement of AirLock by leveraging the Enforcement Groups configuration parameter. AirLock will be utilized primarily to deny password logins and force users to enroll for (and use) their PKI credentials. For now, we will allow password for offline logins and only exempt the Administrators group.

An AD group is created, containing the first group of pilot users to be enforced. Each day, we plan to add an additional 50 users to this group. This is balanced between our target date for 100% enforcement, and the ability of Helpdesk to support any users with issues.

Configuration

Each item lists the GPO setting, the registry setting and type, the value, and notes.

  • Base URL for the kiosk / KioskUrl (REG_SZ) = https://<userportal.domain.com>/user
    Typically the same as the Axiad Unified Portal URL.

  • Logic to use after regular logon / KioskLogicPass (REG_SZ) = when-online
    We want password-based logins for the users in scope to be denied when online.

  • Require security IDs / KioskRequireGroupSids (REG_MULTI_SZ) = S-1-5-21-<example>
    The SID of the AD group containing users to be enforced.

  • Immune security IDs / KioskImmuneGroupSids (REG_MULTI_SZ) = <not configured>
    By default, the Administrators group will be exempt.

Outcome

When a user who is a member of the “Require security IDs” group attempts to log into their Windows machine with a password, Axiad AirLock initiates, checks the policy, notes that password login is not allowed, and redirects the user to the Unified Portal kiosk experience to enroll a certificate (authenticator). Once the authenticator is registered, the user is brought back to the login screen, and when they select the certificate device for login rather than a password, they can access their machine.
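The configuration above written through the registry provider, as an added PowerShell example that is not Axiad's own tooling or the GPO template; it is useful for a pilot machine outside the GPO scope, or for confirming what the template is expected to produce. The portal URL and the pilot group name are placeholders, and the group SID is resolved from the group name rather than typed by hand, since a mistyped SID in KioskRequireGroupSids silently enforces nobody (or the wrong people). KioskImmuneGroupSids is deliberately left unset so the documented default (S-1-5-32-544) stays in force.

```powershell
# Added example (not Axiad's code): apply the phase-in configuration as policy
# values. Assumes the AirLock binary is already installed; the URL and group
# name below are placeholders for your environment.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Axiad\AirLock'
$PortalUrl  = 'https://portal-example.cloud.axiadids.net/user/'   # placeholder customer URL
$PilotGroup = 'CONTOSO\AirLock-Pilot'                              # placeholder AD group

# Resolve the pilot group's SID from its name; requires line of sight to a DC.
function Resolve-GroupSid {
    param([Parameter(Mandatory)] [string] $GroupName)
    $account = New-Object System.Security.Principal.NTAccount($GroupName)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Set-AirLockPhaseInPolicy {
    param(
        [Parameter(Mandatory)] [string]   $KioskUrl,
        [Parameter(Mandatory)] [string[]] $RequireGroupSids
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

    # REG_SZ values from the example table
    Set-ItemProperty -Path $PolicyKey -Name 'KioskUrl'       -Value $KioskUrl      -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'KioskLogicPass' -Value 'when-online'  -Type String

    # REG_MULTI_SZ: pass a string array. The page notes these values are awkward
    # to hand-edit in a .reg file, which is why the provider is used here.
    Set-ItemProperty -Path $PolicyKey -Name 'KioskRequireGroupSids' `
        -Value ([string[]]$RequireGroupSids) -Type MultiString

    # Any value for KioskImmuneGroupSids (even an empty list) replaces the
    # Administrators default, so warn if something has already set it.
    if (Get-ItemProperty -Path $PolicyKey -Name 'KioskImmuneGroupSids' -ErrorAction SilentlyContinue) {
        Write-Warning 'KioskImmuneGroupSids is set; its value overrides the Administrators default.'
    }
}

$pilotSid = Resolve-GroupSid -GroupName $PilotGroup
Set-AirLockPhaseInPolicy -KioskUrl $PortalUrl -RequireGroupSids @($pilotSid)

# Read back what was written before the first pilot user logs on.
Get-ItemProperty -Path $PolicyKey |
    Select-Object KioskUrl, KioskLogicPass, KioskRequireGroupSids
```

Because the values land under the Policies key, they override anything an earlier manual configuration left under HKLM:\SOFTWARE\Axiad\AirLock, which matches the precedence the page describes at the top.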

Ensure Compliance for Offline Logins

Scenario

Following the previous example, Axiad AirLock is deployed and our users are forced to log in with their certificate devices, but we now have a requirement to extend this enforcement to offline logins.

To prevent lockout, we will retain the default setting of bypassing enforcement for the built-in local administrators group and add an additional custom AD group.

Notes for Offline Logins

  • Credentials must be cached. Users should log in at least once while on the network (with a line-of-sight to a domain controller) before taking their device off-network

  • Your domain credential caching policy should account for all different types of credentials (PKI, password) as per this reference article

  • CRL locations must either be available offline (e.g. if published externally, then CRL is available over the internet but not the domain), or the cached CRL must still be valid

Configuration

For this scenario, we will update / add the following configuration options on top of those from the previous example:

Each item lists the GPO setting, the registry setting and type, the value, and notes.

  • Logic to use after regular logon / KioskLogicPass (REG_SZ) = always
    We want password-based logins for the users in scope to be denied always.

  • Policy for offline users / KioskOfflinePolicy (REG_SZ) = require-certificate
    When offline, we will only permit (cached) logins using PKI.

  • Immune security IDs / KioskImmuneGroupSids (REG_MULTI_SZ) = S-1-5-32-544,S-1-5-21-<example>
    In addition to the default Administrators group, we will exempt a custom AD group by referencing the AD group's SID.

  • Logic Module Settings: Logic to use for testing network connectivity / KioskLogicConnectivityTest (REG_SZ) = direct
    For determining offline status, we will rely on a connectivity check to the Axiad Portal URL (configured in Base URL for the kiosk). The default configuration value is “ad”, i.e., line-of-sight to the Domain Controller.

Outcome

When a user who is a member of the “Require security IDs” group takes their laptop away from the network and attempts to log into their Windows machine with a password, Axiad AirLock initiates, checks the policy, notes that password login is not allowed when offline, and denies the login attempt since the user cannot access the Unified Portal to enroll a certificate.

If the same user logs in with their enrolled certificate device while offline, then they are granted access to the machine as that type of authentication is permitted.

Manage the Certificate-based Authentication (CBA) Lifecycle

Scenario

Axiad AirLock is now deployed in the enterprise, and we have met our compliance goals by denying password-based logins.

Our final objective is to leverage AirLock to ease certificate renewals. We will configure AirLock to remind users to renew their certificate within 15 days of the “valid until” date and force the users to renew within 5 days of their “valid until” date.

Configuration

Each item lists the GPO setting, the registry setting and type, the value, and notes.

Logic Module Settings: Certificate Renewal Enforcement

  • RenewAction (REG_SZ) = internal.none

  • RenewOptionalPeriod (REG_DWORD) = 15

  • RenewRequiredPeriod (REG_DWORD) = 5

Display a notification to users if the certificate used to log in is within 15 days of expiry; force the users to the Unified Portal to renew if the certificate is within 5 days of expiry.

Outcome

  1. When a user logs into their Windows machine with a certificate that will expire in more than 15 days, they will experience a standard login flow.

  2. When a user logs into their Windows machine with a certificate that will expire in 6 - 15 days, they will be notified via a small dialog box during the login flow that their certificate is about to expire and they can update it now or dismiss the message. If the user updates the certificate during this time, then they will no longer see the notifications and will not experience the third outcome.

  3. When a user logs into their Windows machine with a certificate that will expire within 5 days or has already expired, then they will be automatically redirected to the Unified Portal to renew their certificate before they can get access.
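To predict which of the three outcomes a population of users will hit before the policy ships, the following PowerShell script is an added example (not Axiad's code) that reads RenewOptionalPeriod and RenewRequiredPeriod from the policy key (falling back to the 15 and 5 used in this example) and classifies the smart card logon certificates in the current user's store. Mapping "days remaining <= RenewRequiredPeriod" to forced renewal, and "<= RenewOptionalPeriod" to the optional prompt, is an assumption drawn from the outcomes above, not a documented formula; the Smart Card Logon EKU filter is a standard OID, not something this page specifies.

```powershell
# Added example (not Axiad's code): classify logon certificates into the three
# renewal outcomes described for this scenario.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Axiad\AirLock'

function Get-AirLockRenewalState {
    param(
        [Parameter(Mandatory)] [datetime] $NotAfter,
        [int] $OptionalPeriod = 15,      # example value from this scenario
        [int] $RequiredPeriod = 5,       # example value from this scenario
        [datetime] $Now = (Get-Date)
    )
    # Whole days remaining; negative once the certificate has expired.
    $daysLeft = [math]::Floor(($NotAfter - $Now).TotalDays)
    if ($daysLeft -le $RequiredPeriod) { return 'required' }   # redirected to the portal (assumed threshold)
    if ($daysLeft -le $OptionalPeriod) { return 'optional' }   # prompted, may dismiss (assumed threshold)
    return 'normal'                                            # standard login flow
}

# Prefer the configured periods; fall back to the example's 15 / 5.
$cfg      = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
$optional = if ($cfg.RenewOptionalPeriod) { [int]$cfg.RenewOptionalPeriod } else { 15 }
$required = if ($cfg.RenewRequiredPeriod) { [int]$cfg.RenewRequiredPeriod } else { 5 }

# Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2) identifies logon certificates.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2' } |
    ForEach-Object {
        [pscustomobject]@{
            Subject  = $_.Subject
            NotAfter = $_.NotAfter
            DaysLeft = [math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
            State    = Get-AirLockRenewalState -NotAfter $_.NotAfter `
                           -OptionalPeriod $optional -RequiredPeriod $required
        }
    } | Format-Table -AutoSize
```

Run the same logic over an export of certificate expiry dates from your CA to see how many users will be forced to the portal on day one; that is the number the helpdesk needs to plan for.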

Brand AirLock

The Axiad AirLock logo, color schema, and messaging can all be customized. The list of branding parameters is comprehensive and can be found in the release notes PDF within the AirLock installation package.

Scenario

In this example, we will customize the logo shown during AirLock initialization (right after a user logs in), as well as change the default “Entering the AirLock” message.

Configuration

Each item lists the GPO setting, the registry setting and type, the value, and notes.

  • Branding and Message Customization: Splash Screen BMP file / Customize --> BmpSplashLogo (REG_SZ) = \\<network fileshare>\logo.bmp
    256x256 pixel logo, BMP format, stored on a network share.

  • Branding and Message Customization / Customize --> MsgSplashLoadingPortal (REG_SZ) = MFA required - redirecting
    Custom message to be shown when entering the AirLock portal.

Outcome

Bypass AirLock based on Authentication Types

In addition to bypassing AirLock based on the specific user, you can also bypass AirLock based on the authentication types that your users employ to log onto their machine.

Scenario

You want to allow any user that employs Windows Hello biometric authentication (face, fingerprint, iris, etc.) to log into their machine without prompting AirLock redirects.

Configuration

Configure the KioskBypassAuth registry value on top of your existing AirLock setup.

Each item lists the GPO setting, the registry setting and type, the value, and notes.

  • Authentication providers that bypass AirLock / KioskBypassAuth (REG_MULTI_SZ) = {C885AA15-1764-4293-B82A-0586ADD46B35}, {8AF662BF-65A0-4D0A-A540-A338A999D36F}, {BEC09223-B018-416D-A0AC-523971B639F5}
    Create a list of the authenticator GUID(s) that you want to bypass AirLock, comma separated.

Note: this scenario uses three out of the five default bypass authenticators, so we have removed two of them from the value and added a new one in the configuration for this to work.

Outcome

When a user uses a Windows Hello biometric authentication method to log into their machine, they are not redirected to AirLock, regardless of other settings that may require updates.

Bypass Exception

If KioskLogicCard is set to validity and the user has a smartcard inserted that has an expired certificate, then they will still be redirected to the AirLock workflow even if they use a bypass authenticator.

This applies to any smartcard inserted, not only the one used for authentication.

Well-known Authenticator GUIDs

Use these GUIDs to create your authenticator bypass list.

Default GUIDs

By default, the following GUIDs are present in the KioskBypassAuth registry value. If you do not want these authenticators to bypass AirLock, you need to remove them from the list.

  • {59d82958-741e-46be-be5d-66a4e14c69ae} Axiad ID Winlogon provider

  • {D6886603-9D2F-4EB2-B667-1971041FA96B} Windows Hello PIN

  • {8AF662BF-65A0-4D0A-A540-A338A999D36F} Windows Hello Facial Recognition

  • {BEC09223-B018-416D-A0AC-523971B639F5} Windows Hello Fingerprint

  • {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD} Windows Hello Trusted Signal

# Password
{60b78e88-ead8-445c-9cfd-0b87f74ea6cd} 'PasswordProvider'
{8841d728-1a76-4682-bb6f-a9ea53b4b3ba} 'PasswordProvider\LogonPasswordReset'

# Windows Hello
{D6886603-9D2F-4EB2-B667-1971041FA96B} 'PINLogonProvider'
{C885AA15-1764-4293-B82A-0586ADD46B35} 'IrisCredentialProvider'
{8AF662BF-65A0-4D0A-A540-A338A999D36F} 'FaceCredentialProvider'
{BEC09223-B018-416D-A0AC-523971B639F5} 'WinBio Credential Provider'
{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD} 'TrustedSignal Credential Provider'

# Picture logon
{2135f72a-90b5-4ed3-a7f1-8bb705ac276a} 'PicturePasswordLogonProvider'

# smart card
{1b283861-754f-4022-ad47-a5eaaa618894} 'Smartcard Reader Selection Provider'
{1ee7337f-85ac-45e2-a23c-37c753209769} 'Smartcard WinRT Provider'
{8FD7E19C-3BF7-489B-A72C-846AB3678C96} 'Smartcard Credential Provider'
{94596c7e-3744-41ce-893e-bbf09122f76a} 'Smartcard Pin Provider'

# FIDO2
{F8A1793B-7873-4046-B2A7-1F318747F427} 'FIDO Credential Provider'

# Other
{600e7adb-da3e-41a4-9225-3c0399e88c0c} 'CngCredUICredentialProvider'
{25CBB996-92ED-457e-B28C-4774084BD562} 'GenericProvider'
{3dd6bec0-8193-4ffe-ae25-e08e39ea4063} 'NPProvider'
{D6886603-9D2F-4EB2-B667-1971041FA96B} 'NGC Credential Provider'
{F8A0B131-5F68-486c-8040-7E8FC3C85BB6} 'WLIDCredentialProvider'
{A910D941-9DA9-4656-8933-AA1EAE01F76E} 'Remote NGC Credential Provider'
{e74e57b0-6c6d-44d5-9cda-fb2df5ed7435} 'CertCredProvider'
{C5D7540A-CD51-453B-B22B-05305BA03F07} 'Cloud Experience Credential Provider'
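A bypass list is only as safe as the GUIDs in it: a malformed entry is silently ignored or, worse, an unintended provider ends up exempt. The following PowerShell script is an added example, not Axiad's tooling; it reads the bypass value and resolves each GUID against the credential providers registered on the machine under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers (a standard Windows location whose subkeys are provider GUIDs with the provider name as the default value). This page spells the value both KioskAuthBypass and KioskBypassAuth, so the name is a parameter.

```powershell
# Added example (not Axiad's code): validate the AirLock bypass list against
# the credential providers registered on this machine.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Axiad\AirLock'
$ProviderKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-RegisteredCredentialProviders {
    # Map of upper-cased {GUID} -> display name, one entry per registered provider.
    $map = @{}
    Get-ChildItem -Path $ProviderKey | ForEach-Object {
        $guid = $_.PSChildName.ToUpperInvariant()
        $map[$guid] = (Get-ItemProperty -Path $_.PSPath).'(default)'
    }
    $map
}

function Test-AirLockBypassList {
    param([string] $ValueName = 'KioskBypassAuth')   # page also uses KioskAuthBypass
    $providers = Get-RegisteredCredentialProviders
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Warning "$ValueName is not set under $PolicyKey; the documented defaults apply."
        return
    }
    # Accept a REG_MULTI_SZ array or a single comma-separated string, as the
    # example above uses commas inside the value.
    $entries = @($item.$ValueName) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        $key = $entry.ToUpperInvariant()
        # Strict GUID shape: braces and ASCII hyphens only. Copy-pasted dashes
        # of the wrong kind fail this check, which is the point.
        $wellFormed = $entry -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
        [pscustomobject]@{
            Guid       = $entry
            WellFormed = $wellFormed
            Provider   = if ($providers.ContainsKey($key)) { $providers[$key] }
                         else { '<not registered on this machine>' }
        }
    }
}

Test-AirLockBypassList | Format-Table -AutoSize
```

Review the output for two things: entries that are not well-formed (they do nothing), and entries that resolve to a provider other than the one you meant to exempt; the latter is the case to fix before the policy reaches production, since every provider in the list logs users on without the AirLock checks.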

