7.7. Running the client on the logon screen

This entire chapter is only relevant for environments running the professional edition of IDERI note. If your environment is running the lite edition or the standard edition of IDERI note, you can skip this entire chapter.

7.7.1. Overview

In a standard client configuration of IDERI note, the IDERI note client program runs on the user’s desktop and thus authenticates against the IDERI note server as the interactively logged in user. Running the IDERI note client additionally on a domain computer’s logon screen poses a number of obstacles that are not easy to overcome, and any solution comes with a set of associated limitations. First of all, the logon screen does not allow an application such as the IDERI note client to be run at all without the help of a service that runs in the computer’s SYSTEM (aka “LocalSystem”) account. In addition, an application on the logon screen (aka the “Winlogon Desktop”) has to run in the SYSTEM account as well; there is no way to launch a process on the logon screen under the account of an interactively logged in user. In the case of the IDERI note client, when installed with the option to run the client on the logon screen, the inclsess service launches an IDERI note client instance running in the SYSTEM account on each logon screen created by the client computer. Running the IDERI note client in the SYSTEM account also implies that such clients only ever authenticate against the IDERI note server as the Active Directory® computer account. As a consequence, client instances running on the logon screen can only show messages addressed to the Active Directory® computer account of the domain member computer. Hence, messages that are supposed to appear on the logon screen must use either the “Send message to users and computers” addressing mode or the “Send message to computers only” addressing mode, which is also the reason why this functionality is only available with servers running in the “professional” licensing mode. Figure 7.22 shows an example of an IDERI note message window and the IDERI note ticker running on the logon screen.


Figure 7.22: The Windows® 10 logon screen showing an IDERI note message window and the IDERI note ticker

7.7.2. Message options for the logon screen

Support for showing messages on the logon screen is accomplished with the following two message options: “Show message on the logon screen” and “Show message on the logon screen only”. With the first option, IDERI note messages can be created that appear on both the user desktop and the logon screen. When using the second option, “Show message on the logon screen only”, the message will only be shown on logon screens, not on individual logged in users’ desktops.

7.7.3. Security and Performance considerations

When thinking about the Windows logon screen, it is important to know that there is no such thing as a single logon screen. An inherent part of the Windows NT architecture is the division of desktops with different security settings within terminal sessions. Therefore, each terminal session has its own logon screen desktop called “winlogon”. The inclsess service will therefore launch the IDERI note client on each winlogon desktop as soon as a terminal session is created. This also means that for each terminal session on a terminal server, an additional client instance with its own connection to the IDERI note server is created. Some versions of Windows create additional terminal sessions ahead of time, so that a terminal session is already prepared for the next interactive user to connect to. Since users on a typical Windows terminal server normally only interact with the logon screen during login and when elevating an application, there is little benefit from activating this feature on a Windows terminal server at all.

Note also that some versions of the Windows terminal server client, if allowed to connect to an RDP-capable Windows computer, will show the logon screen’s content prior to authentication, so messages destined for the logon screen can be revealed to third parties across the network without authentication. But even if RDP access to a computer is set aside for the moment, having the IDERI note client running on the logon screen allows any passer-by, or more generally any physical observer of the computer screen, to see messages destined for the computer’s logon screen. After all, this is the very nature of this functionality: to show messages on the computer screen even if the logged on user has locked the screen or no user at all is logged in on the computer. You should therefore evaluate very carefully on which computers to activate this feature.

It makes very little or no sense at all to enable this feature on a pure terminal server, because users have no or only limited access to this feature, while at the same time it imposes considerable load on the terminal server itself and, more prominently, on the IDERI note server that the logon screen clients eventually connect to. This is also the reason why this feature is not activated by default for an IDERI note client and server installation.

7.7.4. Activating logon screen client functionality

Activating the logon screen functionality on a client requires the client to be installed either with the MSI property STARTWINLOGONCLIENTS set to a non-zero value or, when installing the client MSI file interactively, with the checkbox labeled “Run client on the logon screen” ticked on the “Logon Screen Client Start Options” wizard page of the client setup.
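The following PowerShell script is an added example and not part of the IDERI note documentation or product. It performs the unattended variant of the installation described above (the MSI property STARTWINLOGONCLIENTS passed to msiexec) and then verifies the result locally: that the inclsess service exists and runs, and that inotecln.exe instances owned by SYSTEM are present, which is what the logon screen clients look like from the outside. The MSI path and log path are placeholders; the service name inclsess and the process name inotecln.exe are taken from this chapter.

```powershell
# Added example, not from the IDERI note documentation: unattended client install with the
# logon screen client enabled, followed by a local verification of the resulting state.
# Assumptions: $MsiPath is a placeholder for the real client MSI; "inclsess" and
# "inotecln.exe" are the service and process names given in the documentation.

param(
    [string]$MsiPath = 'C:\Deploy\IDERI-note-client.msi',      # placeholder, adjust
    [string]$LogPath = "$env:TEMP\inote-client-install.log"
)

# 1. Silent install; STARTWINLOGONCLIENTS=1 is the non-zero value that enables the feature.
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    'STARTWINLOGONCLIENTS=1',
    '/qn',
    '/norestart',
    '/L*v', "`"$LogPath`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin @(0, 3010)) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
}
if ($proc.ExitCode -eq 3010) {
    Write-Warning 'Installation succeeded, but a reboot is pending before the change is complete.'
}

# 2. The inclsess service is what launches a client instance on every winlogon desktop.
$svc = Get-Service -Name 'inclsess' -ErrorAction SilentlyContinue
if (-not $svc) {
    throw 'inclsess service not found: STARTWINLOGONCLIENTS does not seem to have taken effect.'
}
if ($svc.Status -ne 'Running') { Start-Service -Name 'inclsess' }
$svc = Get-Service -Name 'inclsess'
Write-Host "inclsess: Status=$($svc.Status) StartType=$($svc.StartType)"

# 3. List client instances with their session and owner. Logon screen instances are owned
#    by NT AUTHORITY\SYSTEM; a per-user instance (if someone is logged on) shows that user.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'inotecln.exe'" | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    [pscustomobject]@{
        ProcessId = $_.ProcessId
        SessionId = $_.SessionId
        Owner     = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '(unknown)' }
    }
} | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the client. Until the server side has been enabled (next section), the SYSTEM-owned instances will exist but will not be able to connect, so an empty process list points at the client installation, while a present but silent instance points at the server configuration.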

7.7.5. Activating logon screen server functionality

After an installation of the IDERI note server with default settings, the IDERI note server is configured not to allow connections from clients that run on the logon screen. So even if clients are configured to start the inclsess service and therefore launch inotecln.exe instances on the logon screens, those clients will never successfully connect to their IDERI note server unless the server allows connections from clients running on the logon screen. Allowing such connections is done in the IDERI note server’s control panel applet on the page labeled “Logon Screen Access” with the checkbox labeled “Allow access for clients running on the logon screen”. In addition, access from clients running on the logon screen can be controlled at a finer granularity by allowing or denying access for individual Active Directory® computer accounts or groups of Active Directory® computer accounts with the access control dialog that is launched by clicking the “Access rights” button on the aforementioned control panel applet page. By default, after a standard installation, access is allowed for authenticated users, so after activating logon screen access by enabling the checkbox labeled “Allow access for clients running on the logon screen”, all logon screen clients that connect to the IDERI note server are granted access. As a consequence, if you intend to use this feature on a selected set of computers only, you may also want to restrict access to exactly this set of computers using the access control dialog for logon screen access. This access control dialog can also be invoked from the IDERI note administrator. Note that after enabling logon screen access on the IDERI note server, eligible clients require a restart of their inclsess service.

Attention

Activating logon screen server functionality requires a client reboot

When activating the logon screen functionality on the IDERI note server by ticking the checkbox labeled “Allow access for clients running on the logon screen” in the IDERI note server’s control panel applet on the page labeled “Logon Screen Access”, a service restart (inotesvc) is required, as with most of the functionality that can be configured in this control panel applet. Unlike other functionality in this control panel applet, activating this functionality also requires either a restart of all eligible client computers that are currently connected to the IDERI note server, or a restart of their inclsess service.
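The following PowerShell script is an added example, not part of the IDERI note documentation or product. It covers the client-side step that both section 7.7.5 and the note above require after the server change: restarting the inclsess service on the selected set of computers (rather than rebooting them) and reporting whether SYSTEM-owned inotecln.exe instances came back up on each. It assumes PowerShell remoting (WinRM) is enabled on the clients, that the caller is a local administrator there, and that the computer names are placeholders standing in for the same scoped set you granted access to in the logon screen access control dialog.

```powershell
# Added example, not from the IDERI note documentation: restart inclsess on a scoped set of
# clients after "Allow access for clients running on the logon screen" has been enabled and
# inotesvc restarted on the server, then report the resulting client state per computer.
# Assumptions: WinRM remoting works to each computer; $Computers holds placeholder names.

param(
    [string[]]$Computers = @('CLIENT01', 'CLIENT02')   # placeholders: the scoped computer set
)

$report = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
    $svc = Get-Service -Name 'inclsess' -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Client was not installed with STARTWINLOGONCLIENTS; nothing to restart here.
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Inclsess = 'missing'; SystemClients = 0 }
    }

    # A service restart is the documented alternative to rebooting the client computer.
    Restart-Service -Name 'inclsess' -Force

    # Give the service a moment to enumerate terminal sessions and launch the clients.
    Start-Sleep -Seconds 5

    # Count client instances owned by SYSTEM, i.e. the logon screen instances
    # (one per winlogon desktop, so more than one on a multi-session host).
    $systemClients = @(
        Get-CimInstance -ClassName Win32_Process -Filter "Name = 'inotecln.exe'" | Where-Object {
            $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            $o.ReturnValue -eq 0 -and $o.User -eq 'SYSTEM'
        }
    ).Count

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Inclsess      = (Get-Service -Name 'inclsess').Status.ToString()
        SystemClients = $systemClients
    }
}

$report | Select-Object Computer, Inclsess, SystemClients | Format-Table -AutoSize
```

A computer reporting Inclsess as "missing" was installed without the logon screen option and needs the client-side activation from section 7.7.4; a computer reporting zero SystemClients after a successful restart is worth checking against the server's logon screen access list, since the default "authenticated users" entry may have been narrowed to a group the computer is not a member of.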