GINA Chaining Problems

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

I resolved a problem for a client recently that brought light to a potential problem that isn’t always apparent with Desktop Password Reset applications, like Passlogix SSPR (Self-Service Password Reset) software.  The GINA chain created by using multiple GINAs (Graphical Identification and Authentication DLL) can be broken or malformed to create a loop which will put the machine into a state where a user cannot log onto the machine.

Before I explain the problem and solution, a little background about SSPR and GINAs.  The SSPR software consists of a client software package that adds a title bar to the standard Windows logon. The client connects to a web server that prompts the user to answer security questions before allowing the user to reset his/her Windows password.  This is a great tool that is easy to use and can drastically reduce helpdesk calls.  The real power of the tool is that the prompt to reset the user’s password is available even if the user can’t log into the machine.  Other tools use a standard website, but require that the user be logged into Windows to get to an internet browser.

This pre-logon title bar is implemented by using a custom GINA.  The Windows logon process uses a file named msgina.dll which provides the Windows logon box that everyone is familiar with.  SSPR installs a custom GINA name ssogina.dll.  In order to use both GINAs, a GINA chain is created.  The top GINA is set in the Windows registry in the HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonGinaDLL.  After the SSPR install, the GinaDLL will be set to ssogina.dll.  Passlogix then adds custom registry keys under HKEY_LOCAL_MACHINESOFTWAREPasslogix that points the product to the msgina.dll.  The GINA chain is created where SSPR GINA points to the MSGINA and allows both to function. Many products including hardware-encryption, VPN, smartcard, and fingerprint software all use custom GINAs to enable pre-Windows login functionality.  Multiple custom GINAs can be added to the GINA chain.

The problem arises when the GINA chain contains 3 or more GINAs and products are installed/uninstalled.  The problem is all about order of installation and subsequent uninstallation.  In a 3 GINA chain example, the PointSec GINA points to the SSPR GINA, which the points to the MSGINA.  This GINA chain would be created if SSPR is installed first and then PointSec is installed.  Take the same GINA chain (PointSec->SSPR->MSGINA), if SSPR is uninstalled and then reinstalled, which is common if the product were to be upgraded, the SSPR would be set as the top GINA.  The problem arises because the PointSec registry keys were not changed during the SSPR uninstall.  The GINA chain is now SSPR->PointSec->SSPR->PointSec->SSPR and on and on forever.  This causes a loop in the GINA chain and the machine never calls the MSGINA and the machine is unusable.

To remediate this problem, you can run Windows in Safe Mode (which disables custom GINAs) and reset the GinaDLL key to msgina.dll.  That will allow users to log into Windows again.  The overall solution is to make sure the GINA chain is cleaned up when products are uninstalled.  Calling in custom scripts or adding registry keys in an MSI during uninstallation can be used to forcibly set the GINA chain to the desired settings.  Manipulating the GINA chain normally involves a little extra design, configuration, and testing, but can save you from incapacitating entire groups of machines when deploying software.

Questions? Feel free to reach out to us at IDMWorks.