GINA Chaining with the MetaFrame Password Manager Agent
Overview
Graphical Identification and Authentication (GINA) is the Windows component that controls the CTRL+ALT+DELETE dialog box that collects the data needed to perform authentication. MetaFrame XP, MetaFrame Password Manager, and the Novell NetWare client all require interaction with and/or the replacement of the Microsoft GINA.
If you install software that alters the GINA chain, you must make sure the chain stays intact. This may mean installing or uninstalling software in a specific order so that each GINA still hands off to the next one. A broken GINA chain can prevent standard logins, or prevent the operating system from loading. If the GINA chain is broken, you must boot into Windows Safe Mode, then repair the broken chain in the system Registry.
Installing the MetaFrame Password Manager Agent
Citrix recommends the MetaFrame Password Manager Agent be the last GINA installed on the system. If the Agent is installed on a system with 3rd party software that alters the Windows GINA chain, the Agent’s ssoGINA.dll will not implement all of the GINA functionality itself. Instead, it will use the previously installed GINA to support all the mandatory functionality, such as network logons, displaying logon UI, and displaying locked workstation UI.
MetaFrame Password Manager stores the name of the previous GINA in:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Shell\OrigGINADLL
The primary function of the MetaFrame Password Manager ssoGINA.dll is to obtain the user credentials after the previous GINA has indicated a successful authentication. The credentials are then passed directly to the Agent upon startup, authenticating the user seamlessly.
If another GINA, such as Novell’s NWGINA, is installed after the ssoGINA.dll, and this new GINA does not call into ssoGINA.dll, the user will have to manually authenticate to the Agent for access.
Upgrading GINA Chain-Altering Software
If you need to upgrade existing 3rd party software that alters the Windows GINA chain on a system that has the Agent installed, you must uninstall the Agent, install or upgrade the 3rd party software, then reinstall the Agent.
Editing the Registry to Repair a Broken GINA Chain
If you need to rebuild the GINA chain, you may need to boot the system into Safe Mode to edit the Windows Registry.
1. Boot your machine into Safe Mode. This will launch the default MSGINA.dll.
2. Log in as an administrator, and run Regedit.
3. Edit the registry keys affecting the GINA chain. See the reference section below for specific information.
4. Once editing is complete, reboot the machine.
Windows Registry GINA Chain Reference
For Windows 2000/2003 Server Operating System:
With Citrix MetaFrame Password Manager only installed:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GINADLL = SSOGINA.dll
HKLM\Software\Citrix\MetaFrame Password Manager\Shell\OrigGINADLL = NOGINAPREVIOUSLYINSTALLED
With Citrix MetaFrame only installed:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GINADLL = ctxGINA.dll
With Novell Client 4.9 only installed:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GINADLL = NwGINA.dll
With Citrix MetaFrame AND Novell Client installed:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GINADLL = ctxGINA.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ctxGINADLL = NwGINA.dll
With Citrix MetaFrame AND Citrix MetaFrame Password Manager installed:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GINADLL = SSOGINA.dll
HKLM\Software\Citrix\MetaFrame Password Manager\Shell\OrigGINADLL = ctxGINA.dll
With Citrix MetaFrame, Citrix MetaFrame Password Manager AND Novell Client installed:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GINADLL = SSOGINA.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CtxGINADLL = NwGINA.dll
HKLM\Software\Citrix\MetaFrame Password Manager\Shell\OrigGINADLL = ctxGINA.dll
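
The chain layouts in the reference above can be checked mechanically before and after an install or a repair. The following Python sketch is an added example, not Citrix code: it walks a snapshot of the listed registry values and reports the resulting GINA order plus any inconsistency with the rules in this article. The dictionary format, the function names and the sample data are assumptions made for illustration.

```python
"""Walk the GINA chain from a snapshot of the registry values in the reference."""
WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
MPM_SHELL = r"HKLM\Software\Citrix\MetaFrame Password Manager\Shell"
# Where each GINA named in the article records the next DLL in the chain.
NEXT_POINTER = {
    "ssogina.dll": (MPM_SHELL, "OrigGINADLL"),
    "ctxgina.dll": (WINLOGON, "ctxGinaDLL"),
}
NO_PREVIOUS = "noginapreviouslyinstalled"

# Constructed sample: MetaFrame, Password Manager and Novell Client all installed.
SAMPLE = {
    (WINLOGON, "GINADLL"): "SSOGINA.dll",
    (WINLOGON, "CtxGINADLL"): "NwGINA.dll",
    (MPM_SHELL, "OrigGINADLL"): "ctxGINA.dll",
}


def lookup(values, key, name):
    """Case-insensitive lookup; registry key and value names ignore case."""
    for (k, n), data in values.items():
        if k.lower() == key.lower() and n.lower() == name.lower():
            return data.strip().lower()
    return None


def resolve_gina_chain(values):
    """Return (chain, problems) for a {(key, value_name): data} snapshot."""
    chain, problems = [], []
    current = lookup(values, WINLOGON, "GinaDLL")
    while current and current != NO_PREVIOUS:
        if current in chain:  # a DLL that points back into the chain never ends
            problems.append(f"loop: {current} is referenced twice")
            break
        chain.append(current)
        pointer = NEXT_POINTER.get(current)
        current = lookup(values, *pointer) if pointer else None
    agent_installed = lookup(values, MPM_SHELL, "OrigGINADLL") is not None
    if agent_installed and chain[:1] != ["ssogina.dll"]:
        problems.append("Agent is installed but ssogina.dll is not the first GINA")
    if chain[:1] == ["ssogina.dll"] and not agent_installed:
        problems.append("ssogina.dll is active but OrigGINADLL is missing")
    return chain, problems


if __name__ == "__main__":
    print(resolve_gina_chain(SAMPLE))
```

An empty chain means no GinaDLL value is set, in which case Windows loads its default MSGINA.dll. The snapshot can be typed in from Regedit while in Safe Mode or built from an exported .reg file.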