Before installing the Exprodo plugin, make sure the pGina application is installed and correctly working on the computer. Please refer to the pGina official instructions at https://github.com/pgina/pgina/wiki/Install.
The following documentation refers to pGina 3.1.8.0, which was the latest stable version at the time of writing this guide.
The Exprodo plugin is made up of two DLL files:
•Newtonsoft.Json.dll (external library)
and depending on your Operating System:
•pGina.Plugin.Exprodo.dotNet45.dll (.NET 4.5 compatible - Windows 7 and later)
•pGina.Plugin.Exprodo.dotNet40.dll (.NET 4.0 compatible - Windows XP)
Both DLLs are provided in the tar.gz download file that contains Calpendo. They are located in the INSTALL\pGina folder.
Both pGina.Plugin.Exprodo.dotNet45.dll (or pGina.Plugin.Exprodo.dotNet40.dll) and Newtonsoft.Json.dll need to be copied into one of the pGina plugin directories. To find out which directory to use, follow these steps:
1.Start the pGina configuration application by locating pGina in your Start menu and clicking on the relevant icon.
2.On the "General" tab, in the pGina Service section, click on Stop. This will stop pGina from running.
3.On the "Plugin Selection" tab, look at the "Search directories" section.
They should be:
c:\your installation root\pGina\Plugins\Core
c:\your installation root\pGina\Plugins\Contrib (or ....\Contrib\bin)
According to the pGina documentation, all external plugins should be added to the "..\pGina\Plugins\Contrib" directory (or "..\pGina\Plugins\Contrib\bin"). (It's not mandatory to use one of these directories; any directory may be used as long as it is added to the "Search directories" list.)
4.Copy and paste "pGina.Plugin.Exprodo.dll" and "Newtonsoft.Json.dll" into ..\pGina\Plugins\Contrib (or ..\pGina\Plugins\Contrib\bin).
5.Click on the "Save & Close" button.
6.Restart the pGina Configuration application and in the pGina Service section, on the General tab, click on the Start button.
7.The Exprodo plugin will appear in the "Current Plugins" list shown in the "Plugin Selection" tab with all services provided: Authentication, Authorization, Gateway and Notification.
If the plugin does not appear in the list, it is possible that the DLL files have been blocked by Windows and need to be unblocked for use. Follow the steps below:
1.Open Windows Explorer and locate the pGina folder that contains the files, e.g. C:\Program Files\pGina\Plugins\Contrib
2.The following files should be displayed:
3.Right click on the first file, Newtonsoft.Json.dll. There should be an Unblock button at the bottom of the General tab. Click on that button and then select Apply and OK.
4.Repeat this process for pGina.Plugin.Exprodo.dotNet45.dll.
5.Re-open the pGina Configuration application and click on the Stop and then Start buttons to restart the service.
6.Now click on the Plugin Selection tab; the Exprodo plugin should be in the list.
To update the Exprodo plugin, follow these steps:
•Stop the pGina service
•Go to the directory where your old Exprodo plugin is located
•Replace the old plugin with the new version
•Restart the pGina service (before doing that, be sure that there is only one Exprodo plugin in the directory).
All your previous settings will be saved.
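The unblock check and the "only one Exprodo plugin in the directory" check from the update steps can be scripted. The following PowerShell is an added example, not part of the pGina or Exprodo distribution; it assumes PowerShell 4.0 or later, an elevated prompt, and the example plugin path used above (`$PluginDir` and the `-Unblock` switch are names chosen for this example).

```powershell
# Added example (not vendor code). $PluginDir is an assumption: use the
# directory listed under "Search directories" in the pGina configuration.
param(
    [string]$PluginDir = 'C:\Program Files\pGina\Plugins\Contrib',
    [switch]$Unblock   # remove the download mark only after reviewing the report
)

# The update procedure requires exactly one Exprodo plugin DLL in the directory.
$plugins = @(Get-ChildItem -Path $PluginDir -Filter 'pGina.Plugin.Exprodo*.dll')
if ($plugins.Count -ne 1) {
    Write-Warning "Expected 1 Exprodo plugin DLL in $PluginDir, found $($plugins.Count)"
}

$json  = @(Get-ChildItem -Path $PluginDir -Filter 'Newtonsoft.Json.dll')
if ($json.Count -eq 0) {
    Write-Warning "Newtonsoft.Json.dll is missing from $PluginDir"
}

$files = $plugins + $json
foreach ($file in $files) {
    # Downloaded files carry a Zone.Identifier alternate data stream; this is
    # what the Unblock button on the file's Properties dialog removes.
    $mark = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' `
                     -ErrorAction SilentlyContinue

    # Report the hash so it can be compared with the copy in INSTALL\pGina
    # from the Calpendo download before the file is trusted.
    [pscustomobject]@{
        File    = $file.Name
        Blocked = [bool]$mark
        SHA256  = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }

    if ($mark -and $Unblock) {
        Unblock-File -LiteralPath $file.FullName
    }
}
```

Run it once without `-Unblock` to review the report, then again with `-Unblock`, and restart the pGina service as in step 5.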
Before starting to use it, the Exprodo plugin needs to be configured.
1.Click on the Plugin Selection Tab. (see image above)
2.Left click on the Exprodo plugin to select it.
3.Click on the "Configure..." button. The Exprodo - Plugin Setting screen will be displayed.
Note: Each setting group is related to a specific feature of the plugin. Configure only the ones relevant to the system needs.
Function | Description |
---|---|
Calpendo / Exprodo | This is the web link of the Calpendo server to which the plugin will send all the information to be stored. For example, https://yourCalpendoServer |
Computer Monitoring | If enabled, the plugin will activate a repeating timer that will cause a notification to be sent to the Calpendo server with actual usage of the current machine and thereby indicate who is using the computer.<br>This information can be improved with the list of processes users want to monitor.<br>Note: To activate any change to Process Monitoring, Stop and Start the pGina Service. |
Processes to Monitor | This contains a list of process names that the plugin will monitor. A notification will be sent to the Calpendo server, with the following information:<br>- name of logged-in user<br>The name of a process is the name of the actual file executed, without any extension or path information. For example, notepad rather than notepad.exe.<br>Note: To activate any change to Process Monitoring, Stop and Start the pGina Service. |
Authentication Methods | This contains a list of authentication methods stored in the Calpendo server. They will be used when the Exprodo plugin attempts to authenticate users trying to log in. |
Local Account: | This is the local Windows account login name with which users authenticated by the Calpendo server will log in to the local machine. The User Name can be selected from the existing local users. |
Local Account: | This is the password of the selected Local Account. |
Local Group | This is the name of the group that should be assigned to users authorised by the Exprodo plugin. The group can be selected from the existing local groups.<br>If using Windows Professional or Windows Enterprise, then please use the Windows-provided methods for adding and removing groups. |
Advanced Options | This will open a new window to add or remove local groups. |
Add New Group (in Advanced Options) | Allows the addition of a new group that will be immediately recognised for selection. |
Remove Existing Group (in Advanced Options) | Allows the removal of groups previously added by Calpendo. |
Logout | If enabled, the plugin will send "logout" action information to the Calpendo server whenever any user authenticated and/or authorised by Calpendo logs out. |
The Exprodo plugin provides four independent services (Authentication, Authorization, Gateway and Notification), which are selected individually, and one service (Computer Monitoring), which is activated when the plugin is loaded into pGina.
The Computer Monitoring service sends actual computer usage to the Calpendo server. There are two kinds of notification:
•Simple
•with Processes
"Simple Notification" notifies the Calpendo server which user is using the computer. This notification will still be sent if nobody is using the computer, but it will be empty.
All the information will be stored in the Remote User Log biskit. The data can be reviewed in Calpendo by clicking on Search -> Search, selecting Remote User Log in the "Search for" field, and then clicking on Go.
Type | Created | Remote Time | Login Name | Domain Name | IP Address | Accepted |
---|---|---|---|---|---|---|
Ping | 16 Nov 2016 16:20 | 16 Nov 2016 16:20 | mary or <empty> | DESKTOP-ONE | 150.150.10.10 | <True> or <False> |

User | Remote Authentication Method | Remote Activity Recorder | Comments |
---|---|---|---|
mary (mary brown) or <empty> | Exprodo or <other plugin name> or <empty> | pGina | OK |
"Notification with Processes" notifies the Calpendo server with the information sent for a Simple Notification, and also includes extra information about the running processes. Only those processes listed in Processes to Monitor will be included in this service.
All information related to monitored processes will be stored in the Remote Process biskit.
Name | User Log | Start | Process ID | Remote User |
---|---|---|---|---|
notepad | Remote User Log #1612 | 30 Nov 2016 10:08 | 457 | mary |
powershell | Remote User Log #1612 | 30 Nov 2016 10:08 | 643 | mary |
Both notifications run at the interval specified in the Exprodo - Plugin Setting screen. For example, if the Computer Monitoring time is set to 30 minutes, as in the screen above, then every 30 minutes a check will be made to see whether the relevant applications (e.g. Notepad) are running. For each one that is, a new line will be added to the relevant Calpendo database, logging the application, the time of the check and the username of the user currently logged into the machine.
The Authentication service authenticates users using the Calpendo server. This means that any Calpendo user can log in to the local machine using their Calpendo account at the pGina user login screen. Note that this only works for those authentication methods where Calpendo expects to be handling the user's password; it cannot work when users are authenticated outside Calpendo, such as with single sign-on.
Windows, however, doesn't let any user log in without having a local account. So, once the Authentication service has authenticated a Calpendo user, a local user account (supplied in the Exprodo plugin settings screen) is then automatically used to log in to the local machine.
This additional step affects neither the consistency of the Calpendo server data nor the correct behaviour of the local machine.
The Authentication service always sends the user's original name to the Calpendo server, and not the local Windows user name, to guarantee data consistency. This also provides additional support to the local machine, in order to manage Calpendo users.
Because all Calpendo users are mapped to the same local username, the local machine doesn't know which real user is performing an action. For this reason, the Exprodo plugin supervises all "lock" and "switch" actions (using the Notification service) when they are performed by a Calpendo user. In particular, it performs a second check to make sure that only the corresponding original user can unlock the machine (and analogously for the switch action).
For Windows XP Only
When Windows XP locks the screen, it doesn't go through pGina. Consequently, the Exprodo plugin cannot supervise the action as previously described.
This presents a problem because the user credentials seen by Windows are different from the credentials the user supplied at login; the pGina plugin uses the same Windows user regardless of who logs in, with only pGina and Calpendo knowing the actual user involved.
Consequently, if the screen were locked, the password required would not be the password the user entered to log in initially, but the password Windows sees for the actual underlying Windows user.
This can be worked around by sharing this password amongst all users, by having a Windows administrator unlock the screen, or by preventing Windows XP from ever locking the screen.
The most convenient of these is to prevent the screen from being locked.
Preventing Windows XP Professional from Locking The Screen
1.Open Group Policy Editor (from 'Run' > gpedit.msc)
2.Go to: User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options (*)
3.Double-click on RemoveLockComputer and select "Enabled"
4.Click on OK to confirm the selection.
(*) If "Administrative Templates" doesn't contain "System", you can add it with these simple steps:
•Right-click on "Administrative Templates" and click on "Add/Remove Templates"
•Select "System" and click on the "Add.." button
◦A "Policy Template" window will be opened
◦Select "system.adm" and click the "Open" button
Now you can continue from Step 2 above.
Furthermore, as pGina allows the use of multiple authentication plugins, the Exprodo plugin does not make any change to the original login credentials, so that any other plugin can work with the correct original login values.
Every time the plugin tries to authenticate a user, the operation will be recorded in the Remote User Log biskit (see table below).
Type | Created | Remote Time | Login Name | Domain Name | IP Address | Accepted |
---|---|---|---|---|---|---|
AUTHENTICATION | 16 Nov 2016 15:52 | 16 Nov 2016 15:52 | john | DESKTOP-ONE | 150.150.10.10 | <True> or <False> |

User | Remote Authentication Method | Remote Activity Recorder | Comments |
---|---|---|---|
john (john smith) or <empty> | Exprodo or <empty> | pGina | OK<br>Failed - User john can not be authenticated in Calpendo with given authentication methods<br>Failed - User john can not be identified in Calpendo with given authentication methods |
Authentication (Calpendo / Exprodo Server Side)
The Calpendo server authentication is made up of two phases:
1.Identification;
2.Authentication.
In Identification, the Calpendo server tries to retrieve the Calpendo User record from the provided login name and authentication methods list. This can be customised by setting up a workflow and using a "Remote User Identification Request Workflow Event". This is triggered by the identification requests, and allows the administrator to choose how to perform this action.
In Authentication, the Calpendo server tries to authenticate the identified Calpendo User with the password provided by the Exprodo plugin.
The Authorization service provides users with the authorisation to log in to the local computer by asking the Calpendo server whether it should be allowed. This allows an opportunity to check things like whether you are trained to use an instrument associated with this local computer. This is done using a Calpendo server workflow that uses "Remote User Identification Request Workflow Event" and/or "Remote Authorisation Request Workflow Event". By default, authorisation requests succeed without a workflow whenever a user is correctly identified.
Note that authentication can be performed using another service, such as LDAP, and still go through the Calpendo authorisation process; it is not a requirement that all users pass through Calpendo authentication, only that at least one pGina plugin authenticates the user.
If the authorisation fails, then login to the local computer will be interrupted with a suitable message.
Regardless of whether authorisation succeeds, the operation will be recorded in the "Remote User Log" biskit (see table below).
Type | Created | Remote Time | Login Name | Domain Name | IP Address | Accepted |
---|---|---|---|---|---|---|
AUTHORISATION | 16 Nov 2016 15:53 | 16 Nov 2016 15:53 | mary | DESKTOP-ONE | 150.150.10.10 | <True> or <False> |

User | Remote Authentication Method | Remote Activity Recorder | Comments |
---|---|---|---|
mary (mary brown) or <empty> | Exprodo or <other plugin name> | pGina | Ok - User authenticated by Calpendo<br>Ok - User authenticated by Local Machine<br>Failed - Can't find corresponding Calpendo User - mary has been authenticated by Local Machine |
The Gateway service will add users authorised by Calpendo to the group supplied in the Plugin Settings screen.
This does not affect the login procedure, but provides a means by which a computer administrator can ensure that only Calpendo-authorised users can run certain applications. This is possible by setting Windows security to require that a user is a member of the appropriate local user group in order to run the software you wish to control.
This allows the computer to be used for general purposes, while only allowing an instrument attached to the computer to be used when a user has been authorised to do so.
If for any reason the Exprodo plugin cannot perform this action, a notification will be sent to the Calpendo server with a message explaining the kind of problem, but the login process will not be stopped. However, the logged-in user would not be a member of the relevant local user group and so would not be able to run any application that required membership of said group.
Type | Created | Remote Time | Login Name | Domain Name | IP Address | Accepted |
---|---|---|---|---|---|---|
GROUP | 16 Nov 2016 16:13 | 16 Nov 2016 16:13 | mary | DESKTOP-ONE | 150.150.10.10 | <True> or <False> |

User | Remote Authentication Method | Remote Activity Recorder | Comments |
---|---|---|---|
mary (mary brown) | Exprodo or <other plugin name> | pGina | Error - I cannot extract user and group name from Exprodo plugin<br>Error - I cannot add user "CalpendoUser" to "Calpendo" group - Local Calpendo user doesn't exist!<br>Error - I cannot add user "CalpendoUser" to "Calpendo" group - Local Calpendo group doesn't exist!<br>Error - I cannot add user "CalpendoUser" to "Calpendo" group |
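One way to apply the group requirement described above to a single executable, as an added example that is not part of the Exprodo documentation: the application path is hypothetical, the group name Calpendo is taken from the sample log messages, and the script must be run from an elevated prompt.

```powershell
# Added example (not vendor code): allow only members of the plugin-managed
# local group to run one application. Both defaults below are assumptions.
param(
    [string]$ExePath   = 'C:\Instrument\Acquire.exe',  # hypothetical application
    [string]$GroupName = 'Calpendo'                    # group set under "Local Group"
)

# Run icacls and stop on the first failure so a half-edited ACL is noticed.
function Invoke-Icacls {
    & icacls.exe @args
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $args" }
}

# Fail early if the group is missing; the plugin logs the same condition as
# "Local Calpendo group doesn't exist!" in the Remote User Log.
& net.exe localgroup $GroupName *> $null
if ($LASTEXITCODE -ne 0) { throw "Local group '$GroupName' does not exist" }

# Turn inherited entries into explicit ones so they can be edited on this
# file without changing the parent folder.
Invoke-Icacls $ExePath '/inheritance:d'

# Remove the broad grants that let every local user run the file.
# *S-1-5-32-545 = BUILTIN\Users, *S-1-5-11 = Authenticated Users.
Invoke-Icacls $ExePath '/remove:g' '*S-1-5-32-545'
Invoke-Icacls $ExePath '/remove:g' '*S-1-5-11'

# Grant read and execute to the group the Exprodo plugin adds users to.
# Existing entries for Administrators and SYSTEM are left untouched.
Invoke-Icacls $ExePath '/grant' "${GroupName}:(RX)"

# Print the resulting ACL; any remaining grants to other principals
# (for example named users) should be reviewed by hand.
Invoke-Icacls $ExePath
```

A user whose login produced one of the GROUP errors above will not be in the group and will get "Access is denied" when starting the application.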
The Notification service allows the Calpendo server:
•To get a notification about a Logout action
•To allow the Authentication service to know who is really using the computer when "lock" and "switch" actions are performed by users authenticated by Calpendo (see Authentication Service).
•To allow the Ping service to get all information about current user.
"Logout" runs every time a user authenticated and/or authorised by Calpendo performs a logout action.
Type | Created | Remote Time | Login Name | Domain Name | IP Address | Accepted |
---|---|---|---|---|---|---|
LOGOUT | 16 Nov 2016 16:13 | 16 Nov 2016 16:13 | mary | DESKTOP-ONE | 150.150.10.10 | <True> or <False> |

User | Remote Authentication Method | Remote Activity Recorder | Comments |
---|---|---|---|
mary (mary brown) | Exprodo or <other plugin name> | pGina | Ok |
To ensure that authentication to Calpendo and Windows completes successfully, you must check that Exprodo appears at the top of the lists in the Plugin Order tab. You can do this by clicking on Exprodo and then using the arrows, to the right-hand side of each box, to change the order.