Client Setup Instructions
Enzoic for Active Directory v3.3
Enzoic for Active Directory includes an optional Windows client application that can be deployed to domain-joined Windows workstations in your organization to give users better feedback and assistance when selecting a new password. The Windows client application augments the built-in Windows password change screen by adding text that states your password requirements and, when a password change is rejected, additional details about the reasons. For example, if a user's password is rejected because it is a known compromised password, they will be informed of this fact and asked to select a different password.
Compatibility with 3rd Party Authentication Products
3rd party authentication products that add capabilities such as multi-factor authentication typically integrate with the Windows Winlogon system using a credential provider. Windows is capable of supporting multiple credential providers, including the default set that ships with the OS. A vanilla Windows installation will have the default system credential provider active, which processes user password-based logins and handles user password changes. The Enzoic Client functions by installing as another credential provider. It wraps and disables the Windows system credential provider. This is necessary for Enzoic to provide the user with feedback.
As previously mentioned, in some environments other credential providers, such as Windows Hello for Business or 3rd party credential providers which provide multi-factor or biometric authentication such as DUO, may be present and may be the default provider. To work alongside these providers, the Enzoic Client will need some additional configuration and you will likely need to whitelist the Enzoic Client's credential provider in your product.
See the Client Settings section of the Enzoic Console documentation for more information on the settings available and how to configure Enzoic to wrap a 3rd party credential provider. See the Setup Instructions for Specific Alternate Credentials Providers for instructions specific to selected providers.
Download the Client Installer
The installer is available as an MSI to ease deployment via GPO. Microsoft .NET Framework 4.5 is required.
Links to download the most current version (Domain Controllers must all run the same version):
https://cdn.enzoic.com/files/EnzoicForADClient.msi MD5: cfb3522304aea036f616e382f53f2585
Read the current release notes.
Automated Deployment to Multiple Workstations via GPO
You can use GPO push installs to easily install the Enzoic for Active Directory Client to multiple user workstations. Note that the Enzoic Client requires .NET Framework 4.5, which does not get installed automatically when running the MSI installer.
Steps for Pushing the Enzoic Client via GPO
Troubleshooting GPO Deployments
If the client is failing to deploy via GPO, check the following:
Does the GPO apply to the affected system? Check the Scope tab on the GPO in the Group Policy Management Console to ensure the affected workstation(s) are covered by the GPO.
Have the affected workstation(s) been restarted? In some cases it may take two reboot cycles before the GPO gets deployed.
Is the distribution point share and MSI accessible by the affected system(s)? Check that they can access the share and MSI.
Do the affected system(s) have at least .NET Framework 4.5 installed? The MSI will not handle installing this, so you will need to ensure that all target systems have at least .NET Framework 4.5 before pushing the Enzoic Client.
Check the Event Log on the affected system for GPO or install failures occurring after the reboot. If the installer is failing, there should be some indication here.
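The checks above can be collected into one script run on an affected workstation. This is an added example, not part of the Enzoic documentation; the share path is a hypothetical placeholder, and whether the MSI carries an Authenticode signature is not stated on this page, so that status is reported for information only.

```powershell
# Added example: pre-flight checks on a workstation that did not receive the client.
# Run elevated. $MsiPath is a hypothetical distribution point; substitute your own.
param(
    [string]$MsiPath     = '\\fileserver\deploy\EnzoicForADClient.msi',
    [string]$ExpectedMd5 = 'cfb3522304aea036f616e382f53f2585'   # MD5 listed on this page
)

# .NET Framework 4.5 or later: the Release DWORD is 378389 for 4.5, higher for later builds.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$dotNetOk = [bool]($ndp -and $ndp.Release -ge 378389)

# Distribution point. A computer-assigned install runs as the computer account,
# so a pass here as an admin user does not prove the computer account can read the share.
$msiReachable = Test-Path -LiteralPath $MsiPath -PathType Leaf

# Integrity of the copy on the share. MD5 catches a stale or truncated file;
# the signature status is an extra signal if the package is signed (assumption).
$hashOk = $false
$sigStatus = 'NotChecked'
if ($msiReachable) {
    $hashOk    = (Get-FileHash -LiteralPath $MsiPath -Algorithm MD5).Hash -eq $ExpectedMd5
    $sigStatus = (Get-AuthenticodeSignature -LiteralPath $MsiPath).Status
}

# GPOs applied to the computer (matches the English gpresult heading only).
$appliedGpos = gpresult /r /scope:computer |
    Select-String -Pattern 'Applied Group Policy Objects' -Context 0,10

# Installer and software-installation warnings/errors from the last two days.
$events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; Level = 2, 3; StartTime = (Get-Date).AddDays(-2)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'MsiInstaller|Application Management' } |
    Select-Object -First 20 TimeCreated, ProviderName, Id, Message

[pscustomobject]@{
    DotNet45OrLater = $dotNetOk
    DotNetRelease   = $ndp.Release
    MsiReachable    = $msiReachable
    MsiMd5Matches   = $hashOk
    MsiSignature    = $sigStatus
} | Format-List
$appliedGpos
$events | Format-List
```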
Setup Instructions for 3rd Party Credentials Providers
If you don't see instructions for your specific provider below, you can try the instructions in the Other section.
DUO
If you are using DUO for MFA, you can set up Enzoic to wrap it as follows:
Prior to installing the Enzoic Client, open the Enzoic Console and paste the DUO credential provider GUID into the Settings | Client Settings | Alternate Credential Provider GUID field: 44E2ED41-48C7-4712-A3C3-250C5E6D5D84. Then click Update Configuration.
In the registry on machines that will run the Enzoic Client, add the following values:
Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv
Value name: ProvidersWhitelist
Value type: REG_MULTI_SZ
Value data: {C6522CF0-8F6E-4E5A-BC65-93B7E8390C2}
Finally, install the Enzoic Client and verify that DUO and Enzoic are working as expected. You should see Enzoic's password change policies on the password change screen and be prompted to validate with DUO when you attempt to save a new password.
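ProvidersWhitelist is a multi-string value, so scripting the registry step should append to it rather than overwrite providers that are already whitelisted. The following is an added example, not part of the Enzoic or DUO documentation; the parameter name is hypothetical and takes the value data from the step above exactly as documented.

```powershell
# Added example: add the Enzoic provider to DUO's ProvidersWhitelist without
# discarding entries that are already present. Run elevated.
param(
    # Value data from the registry step above, passed in as documented.
    [Parameter(Mandatory)][string]$EnzoicProvider
)

$key  = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$name = 'ProvidersWhitelist'

if (-not (Test-Path -LiteralPath $key)) {
    throw "DUO credential provider key not found: $key"
}

# REG_MULTI_SZ reads back as string[]; a missing value becomes an empty list.
$existing = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$current  = @($existing | Where-Object { $_ })

if ($current -notcontains $EnzoicProvider) {
    $updated = [string[]]($current + $EnzoicProvider)
    New-ItemProperty -Path $key -Name $name -PropertyType MultiString `
        -Value $updated -Force | Out-Null
}

# Read the value back so the deployment log shows the final whitelist.
(Get-ItemProperty -Path $key -Name $name).$name
```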
Other
If you don't see specific instructions for your product, try the following:
Locate the credential provider GUID for your product. This can generally be found at the following registry key on a workstation that was used to login with that product: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnProvider
Prior to installing the Enzoic Client, open the Enzoic Console and paste the credential provider GUID you found into the Settings | Client Settings | Alternate Credential Provider GUID field. Then click Update Configuration.
Determine whether it is necessary, and if so how, to whitelist the Enzoic Client's credential provider with the 3rd party product. This will often be accomplished via a registry entry on the target systems. You may need to contact support for the product to get assistance with this.
Finally, install the Enzoic Client and verify that the 3rd party product and Enzoic are working as expected. You should see Enzoic's password change policies on the password change screen.
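To confirm which product a GUID belongs to before pasting it into the console, the lookup in the first step can be paired with the list of providers registered on the workstation. This is an added example, not part of the Enzoic documentation; it relies on the standard Windows registry locations for credential providers and COM class registrations.

```powershell
# Added example: show the provider last used to log on and every registered
# credential provider with the DLL that implements it.
$auth = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
$last = (Get-ItemProperty -Path "$auth\LogonUI").LastLoggedOnProvider

$providers = Get-ChildItem -Path "$auth\Credential Providers" | ForEach-Object {
    $guid = $_.PSChildName
    [pscustomobject]@{
        Guid     = $guid
        Name     = $_.GetValue('')    # default value holds the friendly name
        # DLL registered for the provider's COM class; null if not registered.
        Dll      = [Microsoft.Win32.Registry]::GetValue(
                       "HKEY_CLASSES_ROOT\CLSID\$guid\InprocServer32", '', $null)
        LastUsed = ($guid -eq $last)
    }
}

$providers | Sort-Object -Property LastUsed -Descending |
    Format-Table -AutoSize Guid, Name, Dll, LastUsed

# The registry stores the GUID with braces; the DUO GUID on this page is shown
# without them, so print the last-used GUID in that form as well.
if ($last) { "Last logged-on provider: $($last.Trim('{}'))" }
```

Check that the Dll column for the last-used provider points at the product you expect before configuring Enzoic to wrap it.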