Information on GINA chaining.
There are two sorts of GINA:
Schema of GINA chainingWinLogon [-> GINA Stub 1 [-> GINA Stub 2 [-> GINA Stub 3 [-> GINA Stub 4... ]]]] -> Final GINA
Example with Citrix and SSOWatch GINA
WinLogon -> SSOWatch (Stub) -> Citrix (stub) -> MSGINA
See Attached Schematic
In this example, the Microsoft GINA is displayed, it gets the user credentials, sends them back to the Citrix GINA stub which sends them back to the SSOWatch GINA stub which sends them back to WinLogon which opens the session
GINA chaining behavior is the following (NB: GINA function is only present on Windows NT, 2000, XP, 2003 ; it is not available on Vista, Windows 2008).
When WinLogon (process calling GINA) starts, it looks at GinaDLL registry value (REG_SZ - under HKLM\SOFTWARE\Microsoft\WindowsNT\Current Version\WinLogon registry key) and calls the GINA the name of which is in GinaDLL. If this value does not exist, Microsoft GINA is called.
This GINA can itself either call another GINA if it is a GINA stub or require the credentials if it is a final GINA (like Advanced Login or MSGINA).
If another GINA is called, it follows the same principle. Finally, a final GINA must be called and the credentials obtained will be sent back to all the previous GINA stub (each one sending back the credentials to the GINA that called it, then finally to WinLogon).
The Quest Enterprise SSO / WiseGuard GINA stub is installed as GINA which is called first. If a value is present in GinaDLL registry value, it will be written in OldGinaDLL registry value (under HKLM\SOFTWARE\Enatel\WiseGuard\AdvancedLogin\OldGinaDLL registry key) and the Enterprise SSO / WiseGuard GINA will be written in GinaDLL. If there is no value in GinaDLL, Microsoft GINA will be written in OldGinaDLL.
In case of Advanced Login GINA (not stub), the value stored in OldGinaDLL is only for un-installation purpose, it is not used in GINA chaining (different from GINA stub case).
When WinLogon starts, it calls Quest Enterprise SSO / WiseGuard GINA stub that calls itself the following GINA(s). The final GINA must get the credentials, send them back to Quest Enterprise SSO / WiseGuard GINA stub which transmits them to WinLogon.
Important:1. There could not be two final GINA (like Advanced Login) as it is not designed to call another one.
2. It is imperative all the GINA Stub can be chained (they must be real stubs).
3. Order of GINA stubs can be changed, but the last GINA must be a "final GINA" like MSGINA or Advanced Login.
Each GINA stub has its own registry key value to know which is the following one. In CITRIX case, it is the ctxGinaDLL value under WinLogon registry key.