Smart card unlocking is implemented in two modes. Online mode stipulates for that the user workstation is connected to Indeed Certificate Manager server and the locked smart card is connected to that workstation as well. Connection to server is required for user authentication by answering the secret questions. Secure connection (https) is recommended in this case.

Unlocking in Offline mode is performed by Indeed CM operator using challenge-response authentication mechanism. When the predefined number of PIN code input attempts is reached, the user is notified of that his or her smart card is locked. Along with that, the user receives a unique 16-character request code. The user has then to communicate with the system operator (say, by phone) and confirm his or her identity.

To enable online unlocking, the corresponding group policy must be configured accordingly. The policy should apply to Indeed CM user workstations.

To add an Indeed CM administrative template (ADMX), proceed as follows:

1. Copy the contents of IndeedCM.Client.Tools\Misc\ folder to the central ADMX file storage of domain controller C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions.

When using local ADMX file storage, the Indeed CM templates are to be placed to C:\Windows\PolicyDefinitions folder.

2. Open the Group Policy Management console.
3. Create a new group policy object in the console tree or select an existing one.
4. Open the context menu and select the Edit item.
5. In the opened Group Policy Management Editor select Computer Configuration > Policies >Administrative Templates > Indeed CM > Client (Figure 9).

Figure 9 – Indeed CM Group policies.

6. Enable the Smart card unlocking server policy and specify its values:

    • Specify the path to the credprovapi component, located at the Indeed CM server, in the Service URL parameter. For example: https://cmsrv.demo.local/credprovapi
    • Set the Verify server certificate parameter to Yes (default value) if the server certificate validity is to be verified. Otherwise set it to No.

7. Link this policy object to a group, where Indeed CM user workstations reside.
8. Click Apply and perform policy update.

Configure additional policies that define the unlocking service operation, if required:

Set explanations for offline unlocking
The policy applies to user workstations. If the policy is disabled or is not configured, no explanation text is displayed in Credential Provider during offline smart card unlocking.
If the policy is enabled, the defined explanation text is displayed in Credential Provider during offline unlocking. It can be, for instance, phone number of Indeed CM administrator.

Credential Providers: Disable smart card standard provider wrapping
The policy applies to user workstations. If the policy is disabled or is not configured, a user can unlock a smart card via standard Windows smart card login interface.
If the policy is enabled, then the separate option is displayed for smart card unlock in the login screen.
This setting might be used when card unlocking via standard Credential Provider is prohibited by third party software, installed on the user workstation.

Credential Providers: Hide the "Disable the smart card" option
The policy applies to user workstations. If the policy is disabled or is not configured, a user can disable a smart card in the Windows log on screen.
If the policy is enabled, then the corresponding option is not displayed in the log on screen.

Configuration of device unlocking outside the Windows domain

If the Indeed CM server and user workstations are outside the Windows domain, then the path to credprovapi application must be explicitly defined in the system registry of each workstation. To do so, create a registry file (.reg) containing the following:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\IndeedCM\Client]

"CredProvAPIURL"=""
“AdminDetails"=""
"DisableServerCertificateChecking"=dword:00000000
"DisableSuspendCP"=dword:00000000
"DisableWrapperCP"=dword:00000000

The CredProvAPIURL parameter should indicate the path to credprovapi application at the Indeed CM server.

The AdminDetails parameter sets the text of explanation displayed to a user.

Set the DisableServerCertivicateChecking parameter to 0 (default value), if the Indeed CM server certificate authentication is required. Set it to 1 (dword:00000001), if authentication is not necessary.

Set the DisableSuspendCP parameter to 0 (default value), if the "Disable the smart card" button is to be displayed in the logon interface otherwise, set it to (dword:00000001).

Set the DisableWrapperCP parameter to 0 (default value), if smart card unblocking is to be carried out using the standard Credential Provider. Set it to (dword:00000001), if a separate Credential Provider is required.

Here is an example of registry file for Indeed CM server with machine name of CMSRV.demo.local, server certificate authentication enabled, "Disable the smart card" button not displayed and using a separate Credential Provider to unblock a smart card in the logon interface:

Example:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\IndeedCM\Client]

"CredProvAPIURL"="https://CMSRV.demo.local/credprovapi"
“AdminDetails"="Please contact your administrator. Internal phone number is 1607"
"DisableServerCertificateChecking"=dword:00000000
"DisableSuspendCP"=dword:00000001
"DisableWrapperCP"=dword:00000001


  • No labels