
Configure the runurl program

If you do not install Credential Provider software on users’ workstations to allow them to access the domain help account, the runurl program, which is used to launch a web browser in kiosk mode, must be installed on a public share accessible to computers in the domain. You can then add runurl to the group policy for the help user, and it will be executed when the help user logs into the domain.

To configure the runurl program:

  1. Copy the files from the addon\Domain Login Assistant\ directory in your Bravura Security Fabric installation to the SYSVOL share on each domain controller.

    You can determine the location of your SYSVOL share by typing net share from the command prompt on your DC.

  2. Locate the gina.z file in the skin\default\en-us\ directory and copy it to the SYSVOL share as well.

  3. Create a text file called runurl.cfg that contains arguments (separated by whitespace) for the runurl program. Place this file with the other runurl files on the SYSVOL share.

  4. Test runurl from a command prompt on the Active Directory DC by typing:

    %LOGONSERVER%\sysvol\runurl.exe -cfg %LOGONSERVER%\sysvol\runurl.cfg

    Ensure that a web browser opens to the specified URL, and that the workstation is locked down according to the options you specified.

  5. Test runurl from the command prompt of a workstation logged into the domain by typing:

    %LOGONSERVER%\sysvol\runurl.exe -cfg %LOGONSERVER%\sysvol\runurl.cfg

    Ensure that a browser window opens to the specified URL, and that the workstation is locked down according to the options you specified.

runurl usage and examples

The runurl program launches a web browser on a Windows workstation and opens it to a specified URL. When configured to launch in kiosk mode, the browser window fills the screen, removes all window borders and decorations, disables navigation, and disables all function keys, the Alt and Ctrl keys, the Windows logo key, and any combination of keys that you specify.

A major use for the runurl program is to enable users to reset their own passwords using a secure kiosk account (SKA).

Requirements

When invoked by a local SKA or Credential Provider, runurl is launched from the Login Assistant\ directory on the user’s workstation.

The following files must be located in the share or directory from which runurl is launched:

  • msgmap.txt – used to disable Windows message events on Windows workstations.

  • webbrowser.dll – used to block the [Ctrl], [Alt], and the right mouse button, and to run the web browser. It is also used by the Credential Provider.

  • pscredprov.dll – used to block the [Ctrl], [Alt], and the right mouse button, and to run the web browser. It is used by the Credential Provider.

  • launch_ska.exe – used to launch the SKA and invoke the runurl command.

Ensure that Internet Explorer 9 or higher is installed on the domain controller and all workstations that will access the help account. The runurl program relies on some components that are part of Internet Explorer 9 or higher.

Usage

runurl.exe -url <URL> [<options>]

runurl.exe -cfg <filename>

The runurl program works with the following command-line arguments:

| Argument | Description |
| --- | --- |
| -url <URL> | Specify the URL that will be displayed in the web browser. |
| -userid <userID> | Bravura Security Fabric user ID to pass through the URL. |
| -ntkeymap <args> | Enable or disable a key or combinations of keys on a Windows workstation. |
| -msgmap <filename> | Specify a file containing Windows message events to block. Do not modify this file unless you know what you are doing. |
| -reg <filename>.reg | Load the named registry file into the registry before terminating runurl. This is used to restore standard registry entries in case runurl was launched during the first login of the help account, using a restrictive security policy, and the user elected to not save settings – which means that registry changes were applied to the default user rather than help. |
| -kiosk | Start the web browser in kiosk mode. |
| -keylock | Disable [Ctrl], [Alt], and the right mouse button. This is implied by -kiosk. |
| -no_icw | Do not pop up Internet Connection Wizard when the user starts up the browser the first time. |
| -logoff | Log off from the workstation after the web browser closes. |
| -run "<programname>, <args>" | Run this program with these parameters before exiting, and before logging off. The run option requires quotes around the external program name and param arguments. If you need quotes inside of this then use a \ to escape them. If both run and logoff are specified, run will execute first. |
| -cfg <filename> | If the command line is too long, use this option to read all arguments from this file. Write the file with the arguments separated by white space. |
| -trapsesslock | Trap the Windows workstation lock notification to ensure that runurl handles locked workstations correctly; for example a browser displaying a User notifications (PSN) module notification is returned to the state it was in before the lock. |

Enabling or disabling key combinations

You can run runurl with the -ntkeymap option to enable or disable keys and combinations of keys on a Windows workstation (XP or higher). Write the arguments for -ntkeymap using the following syntax:

[-] [(] [<MOD>+] <KEY> [)] [, ...]

Where:

  • - enables the keys that follow

  • ( ) are optional brackets (these are for formatting only, they do not modify the meaning of the text)

  • <MOD> specifies one of [Alt], [Shift], [Ctrl], or the Windows key

  • <KEY> specifies the name of the key to enable/disable

  • <KEY> can be any of the following:

              B            F22     Num+          S
    ,         Backspace    F23     Num-          ScrollLock
    -         C            F24     Num0          Shift
    .         CapsLock     F3      Num1          Space
    /         Ctrl         F4      Num2          SysReq
    0         D            F5      Num3          T
    1         E            F6      Num4          Tab
    2         Enter        F7      Num5          U
    3         Esc          F8      Num6          V
    4         F            F9      Num7          W
    5         F1           G       Num8          Win
    6         F10          H       Num9          X
    7         F11          I       NumDel        Y
    8         F12          J       O             Z
    9         F13          K       P             [
    ;         F15          L       Pause         \
    =         F2           M       Q             ]
    A         F20          N       R
    Alt       F21          Num*    RightShift
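A parser for the -ntkeymap syntax above, added here as an illustration (it is not Bravura's code), so a reviewer can see which combinations a string disables and which it re-enables, and can catch key names that are not in the list. It assumes a leading - applies only to the entry it prefixes and that modifiers can be stacked, as in the strings this page uses in its examples; parse_ntkeymap, KEYS, MODS and PAGE_EXAMPLE are names made up for this example.

```python
# Key names as listed on this page for <KEY>.
KEYS = set(r"""
, - . / 0 1 2 3 4 5 6 7 8 9 ; = [ \ ]
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Alt Backspace CapsLock Ctrl Enter Esc Pause RightShift ScrollLock Shift Space
SysReq Tab Win NumDel Num* Num+ Num- Num0 Num1 Num2 Num3 Num4 Num5 Num6 Num7
Num8 Num9 F1 F2 F3 F4 F5 F6 F7 F8 F9 F10 F11 F12 F13 F15 F20 F21 F22 F23 F24
""".split())
MODS = ("Alt", "Shift", "Ctrl", "Win")

def parse_ntkeymap(spec):
    """Return (rules, problems); each rule is (action, modifiers, key)."""
    rules, problems = [], []
    # Entries are split on commas, so an entry for the "," key itself cannot
    # be expressed here and shows up in problems for manual review.
    for raw in spec.split(","):
        entry, enable = raw.strip(), False
        # Assumption: "-" affects this one entry; it may sit before or inside
        # the optional brackets, e.g. -(Shift+F1) or (-Shift+F1).
        for _ in range(2):
            if len(entry) > 1 and entry[0] == "-" and not enable:
                enable, entry = True, entry[1:]
            if entry.startswith("(") and entry.endswith(")"):
                entry = entry[1:-1].strip()
        mods = []
        while "+" in entry:             # peel modifiers; keeps "Num+" intact
            head, tail = entry.split("+", 1)
            if head not in MODS or not tail:
                break
            mods.append(head)
            entry = tail
        if entry not in KEYS:
            problems.append(f"{raw!r}: unknown key name {entry!r}")
            continue
        rules.append(("enable" if enable else "disable", tuple(mods), entry))
    return rules, problems

# The -ntkeymap string used in this page's examples.
PAGE_EXAMPLE = "Win+F1,-Shift+F1,Alt+Shift+F1,F1"

if __name__ == "__main__":
    for rule in parse_ntkeymap(PAGE_EXAMPLE)[0]:
        print(rule)
    print(parse_ntkeymap("Ctrl+Escape")[1])   # constructed typo: Esc is the listed name
```

How runurl itself treats a name that is not in its list is not stated on this page, so treat any reported problem as something to confirm with `runurl -ntkeymap ?` before deployment.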

Examples

  1. To launch a web browser in kiosk mode and open it to the Change passwords (PSS) module, open a command prompt, and type on one line:

    runurl.exe -kiosk -logoff -no_icw -trapsesslock -url https://<server>/<instance>/change-passwords

  2. If runurl is run from a public share rather than your current workstation, specify the UNC path to runurl in your command. If the share is located on an Active Directory domain controller, open a command prompt, and type on one line:

    \\MyADDC\SYSVOL\runurl.exe -kiosk -logoff -no_icw -trapsesslock -url https://<server>/<instance>/change-passwords

  3. To disable keys on a Windows workstation using the -ntkeymap option, open a command prompt, and type on one line:

    runurl.exe -kiosk -logoff -no_icw -trapsesslock -url https://<server>/<instance>/change-passwords -ntkeymap Win+F1,-Shift+F1,Alt+Shift+F1,F1

    This is the same as:

    runurl.exe -kiosk -logoff -no_icw -trapsesslock -url https://<server>/<instance>/change-passwords -ntkeymap (Win+F1),(-Shift+F1),(Alt+Shift+F1),(F1)

  4. To print a list of available key names for the -ntkeymap option on the command line, type the following in the Login Assistant\ directory:

    runurl -ntkeymap ?

  5. An example of a runurl.cfg file:

    -kiosk -logoff -no_icw -trapsesslock -url http://<server>/<instance>/?

  6. To run commands from a configuration file, type:

    runurl -cfg runurl.cfg
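A review script for a runurl.cfg file, added here as an example and not part of the product: it splits the file the way this page describes (arguments separated by whitespace, a quoted -run value with \" escapes) and reports arguments that are not in the argument table. The further checks (an https URL, -kiosk and -logoff present, any -run command listed for review) and the names tokenize, audit and SAMPLE are this example's assumptions.

```python
import re

# Arguments from the table on this page; True means the argument takes a value.
OPTIONS = {"-url": True, "-userid": True, "-ntkeymap": True, "-msgmap": True,
           "-reg": True, "-run": True, "-cfg": True, "-kiosk": False,
           "-keylock": False, "-no_icw": False, "-logoff": False,
           "-trapsesslock": False}

def tokenize(text):
    """Split on whitespace; double-quoted strings stay whole and are unescaped."""
    out = []
    for tok in re.findall(r'"(?:\\.|[^"\\])*"|\S+', text):
        quoted = len(tok) >= 2 and tok[0] == tok[-1] == '"'
        out.append(tok[1:-1].replace('\\"', '"') if quoted else tok)
    return out

def audit(text):
    """Return review findings for the contents of a runurl.cfg file."""
    toks, opts, findings, i = tokenize(text), {}, [], 0
    while i < len(toks):
        name = toks[i]
        takes_value = OPTIONS.get(name)
        if takes_value is None:
            findings.append(f"unrecognised argument: {name}")
        elif not takes_value:
            opts[name] = True
        elif i + 1 < len(toks):
            i += 1                      # the value may itself start with "-"
            opts[name] = toks[i]
        else:
            findings.append(f"{name} has no value")
        i += 1
    url = opts.get("-url")
    if url is None:
        findings.append("no -url given")
    elif not url.lower().startswith("https://"):
        findings.append(f"-url is not https: {url}")
    for flag in ("-kiosk", "-logoff"):
        if flag not in opts:
            findings.append(f"{flag} is not set")
    if "-run" in opts:
        findings.append(f"-run will execute: {opts['-run']}")
    return findings

# Constructed sample: plain-http URL, a -run command, and a misspelt -logoff.
SAMPLE = r'-kiosk -no_icw -url http://idm.example.test/default/ -run "cleanup.exe, \"C:\Temp Files\"" -logof'

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```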