Some common doubts that may arise when deploying the Microsoft Credential Provider

Article ID: 262756


Updated On:

Products

VIP Service

Issue/Introduction

  1. Some doubts regarding our solution Microsoft Credential Provider (About integrating Microsoft Credential Provider with Symantec VIP (broadcom.com)).

If you are planning to deploy this solution on a large scale using your method Large-scale deployment using Microsoft Active Directory group policy for online authentication (broadcom.com) and the “online authentication” option and have some doubts:

  1. Unlike the manual method (Manually installing the Credential Provider (broadcom.com)), do we really not have to install Visual C++ individually on the machines? We ask this because we see that the manual method’s step number 1, which consists of installing Visual C++, is not included as part of the large-deployment method.
  2. The RADIUS server settings for a final machine are specified in step number 5 of the manual method (by configuring the CPconfig.txt file). However, the large-scale deployment method says “Follow steps 2 – 4 of the procedure for manually installing the Credential Provider”, not “Follow steps 2 – 5 of the procedure for manually installing the Credential Provider”. If step 5 is not included, we don’t exactly understand how the final machines will know which RADIUS server they must use to validate. Could you clear this doubt for us?
  3. On the operating system requirements (Operating system requirements (broadcom.com)) we see the description which you can find in the attachment "CompatibleVersions.png". We are not sure if, for example, Windows Server 2008 R2 includes Windows Server 2008 R2 Standard, Windows Server 2008 R2 Datacenter and Windows Server 2008 R2-SP1 Latest or, instead, only Windows Server 2008 R2 is compatible and the other three are not. Could you specify this for us? We leave below a list of the machines we plan to protect by using the solution. As you can see, the same question occurs for Windows Server 2012, Windows Server 2016, and Windows Server 2019.
  4. We see in the screenshot below that, depending on the version of the computers we want to protect through Microsoft Credential Provider, we have to use a different version of the camouflage utility to encrypt the RADIUS server’s password. If we want to use the large-scale deployment on machines that use different versions of the camouflage utility, will we have to create one VIP Enterprise Gateway Credential Provider installer for each different version of the camouflage utility we have to use? Even if that’s the case, we understand that one RADIUS server is still enough for all the computers, am I correct?
  5. When we have to create the transform file during the large-scale deployment (Create the MSI transform (broadcom.com)), are there any requirements as to which computer the creation must be performed on? We ask this because we do not exactly understand why the computer’s registry is involved. Could you clear this doubt for us?

 

Environment

Release : Enterprise Gateway - 9.9.0

Resolution

Introduction:
The VIP Enterprise Gateway Credential Provider is a tool used for online authentication of users on Windows servers. It can be deployed manually or using a large-scale deployment method through Microsoft Active Directory group policy. This article aims to provide answers to some common doubts that may arise when deploying the Credential Provider, especially when using the large-scale deployment method.

  • Do I need to install Visual C++ individually on each machine?
    No, the Visual C++ runtime is included in the installer package for the Credential Provider. Therefore, you do not need to install it separately on each machine.
  • How do I specify the RADIUS server settings on each machine?
    In the large-scale deployment method, the RADIUS server settings are included in the MSI transform file created in step 6. The transform file is applied during the installation of the Credential Provider on each machine, and it includes the RADIUS server settings, so the final machines will know which RADIUS server to use for validation.
  • Which versions of Windows Server are compatible with the Credential Provider?
    According to the Operating system requirements document, all versions of Windows Server 2008 R2, including Standard, Datacenter, and SP1 Latest, are compatible with the Credential Provider. The same goes for the other versions of Windows Server listed in the document.
  • Do I need to create a separate installer for each version of the camouflage utility?
    Yes, if you have machines that require different versions of the camouflage utility to encrypt the RADIUS server's password, you'll need to create a separate VIP Enterprise Gateway Credential Provider installer for each version of the utility. However, you only need one RADIUS server to authenticate all the computers.
  • How do I create the transform file, and why is the registry involved?
    The transform file is created using a computer that has the same version of the Credential Provider installed as the one you plan to deploy. The registry is involved because the transform file modifies the registry settings on the target machines during installation. The creation of the transform file is a one-time process, and you can use it to install the Credential Provider on all the target machines.
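
To review what a transform will write before it is assigned through group policy, the following PowerShell script (an added example, not part of the original article or Broadcom's tooling) compares the MSI `Registry` table with and without the transform applied, using the Windows Installer automation interface. The file paths are placeholders, and it assumes the transform carries its settings as rows in the `Registry` table.

```powershell
# Added example: show which Registry-table rows an MSI transform adds or removes.
# Both paths are placeholders; use full paths to your own package and transform.
param(
    [string]$MsiPath = 'C:\Deploy\CredentialProvider.msi',
    [string]$MstPath = 'C:\Deploy\CredentialProvider.mst'
)

function Invoke-Com($Object, [string]$Name,
                    [System.Reflection.BindingFlags]$Kind = 'InvokeMethod',
                    [object[]]$Arguments = @()) {
    # Windows Installer automation objects are late-bound; call them via reflection.
    return $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}

function Get-MsiRegistryRows([string]$Msi, [string]$Mst) {
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = Invoke-Com $installer 'OpenDatabase' -Arguments @($Msi, 0)   # 0 = read-only
    if ($Mst) {
        # Applied in memory only; 0 = do not suppress any transform errors.
        [void](Invoke-Com $db 'ApplyTransform' -Arguments @($Mst, 0))
    }
    # TablePersistent returns 2 when the table is not defined in the database.
    if ((Invoke-Com $db 'TablePersistent' 'GetProperty' @('Registry')) -eq 2) { return }
    $sql  = 'SELECT `Root`,`Key`,`Name`,`Value` FROM `Registry`'
    $view = Invoke-Com $db 'OpenView' -Arguments @($sql)
    [void](Invoke-Com $view 'Execute')
    while ($rec = Invoke-Com $view 'Fetch') {
        $fields = 1..4 | ForEach-Object { Invoke-Com $rec 'StringData' 'GetProperty' @($_) }
        '{0} | {1} | {2} | {3}' -f $fields    # emitted as one string per row
    }
    [void](Invoke-Com $view 'Close')
}

$base  = @(Get-MsiRegistryRows $MsiPath)
$after = @(Get-MsiRegistryRows $MsiPath $MstPath)

# The rows can include the RADIUS settings the transform carries; treat the output as sensitive.
# "+" rows exist only with the transform applied, "-" rows only in the base package.
$after | Where-Object { $base  -notcontains $_ } | ForEach-Object { "+ $_" }
$base  | Where-Object { $after -notcontains $_ } | ForEach-Object { "- $_" }
```

Each output row is `Root | Key | Name | Value`, where `Root` is the numeric hive identifier defined by the MSI `Registry` table schema.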

Conclusion:
The VIP Enterprise Gateway Credential Provider is a useful tool for online authentication of users on Windows servers. By understanding the deployment process and the requirements, you can successfully deploy the Credential Provider on your servers using the large-scale deployment method.