Smart card unlocking is implemented in two modes: online and offline.
To enable online unlocking, the corresponding group policy must be configured. The policy must apply to the Axidian CertiFlow user workstations; it is a Computer Configuration policy, so it targets the machines, not the users.
To add an Axidian CertiFlow administrative template (ADMX), proceed as follows:
1. Copy the contents of the AxidianCertiFlow.Client\Misc\PolicyDefinitions folder, including its language subfolders (the .adml resource files the editor needs to display the policy), to the central ADMX store on the domain controller, C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions.
If a local ADMX store is used instead of the central one, place the Axidian CertiFlow templates in C:\Windows\PolicyDefinitions on the machine where the policy is edited.
2. Open the Group Policy Management console.
3. Create a new group policy object in the console tree or select an existing one.
4. Open the context menu and select the Edit item.
5. In the opened Group Policy Management Editor select Computer Configuration > Policies > Administrative Templates > Axidian CertiFlow > Client.
6. Enable the Smart card unlocking server policy and, in its Service URL parameter, specify the path to the credprovapi component on the Axidian CertiFlow server, for example:
https://<Axidian CertiFlow Server FQDN>/credprovapi
Use the HTTPS scheme and the host name that the server's TLS certificate was issued for: by default the workstation validates that certificate (see DisableServerCertificateChecking below).
7. Link the policy object to the organizational unit (OU) that contains the Axidian CertiFlow user workstations.
8. Click Apply and refresh the policy on the workstations, for example by running gpupdate /force on them or waiting for the next background policy refresh.
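The same procedure as a PowerShell script, added here as an example; it is not part of the Axidian CertiFlow documentation or product. It assumes the GroupPolicy module (RSAT) is installed where it runs, that the ADMX policy stores its value as CredProvAPIURL under HKLM\SOFTWARE\Policies\CertiFlow\Client (the location the .reg file below uses for non-domain workstations), and it uses placeholder values for the distribution folder, domain, OU and server FQDN.

```powershell
# Added example (not Axidian CertiFlow code): copies the ADMX template to the
# central store, creates a GPO that sets the Smart card unlocking server policy
# and links it to the workstation OU. Assumption: the policy is backed by the
# registry value HKLM\SOFTWARE\Policies\CertiFlow\Client\CredProvAPIURL.
#Requires -Modules GroupPolicy
[CmdletBinding()]
param(
    [string]$TemplateSource = 'C:\Distr\AxidianCertiFlow.Client\Misc\PolicyDefinitions',  # placeholder
    [string]$Domain         = 'demo.local',                                                # placeholder
    [string]$GpoName        = 'Axidian CertiFlow - Smart card unlocking',
    [string]$WorkstationOU  = 'OU=Workstations,DC=demo,DC=local',                          # placeholder
    [string]$ServiceUrl     = 'https://certiflow.demo.local/credprovapi'                   # placeholder
)

$ErrorActionPreference = 'Stop'

# Step 1: central ADMX store in SYSVOL. Copy the .admx together with the
# language subfolders (.adml) so Group Policy Management Editor can render it.
$centralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
if (-not (Test-Path $centralStore)) {
    New-Item -ItemType Directory -Path $centralStore | Out-Null
}
Copy-Item -Path (Join-Path $TemplateSource '*') -Destination $centralStore -Recurse -Force

# Refuse anything but HTTPS: the credential provider sends unlock requests to
# this URL, and a plain http:// endpoint would expose them on the wire.
$uri = [Uri]$ServiceUrl
if ($uri.Scheme -ne 'https') {
    throw "Service URL must use https://, got '$ServiceUrl'"
}

# Steps 2-4: create the GPO, or reuse one that already has this name.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Points the credential provider at the credprovapi service'
}

# Steps 5-6: writing the registry-backed value is what enabling the policy and
# filling in Service URL in the editor does.
$key = 'HKLM\SOFTWARE\Policies\CertiFlow\Client'
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'CredProvAPIURL' -Type String -Value $ServiceUrl | Out-Null

# Step 7: link to the OU holding the workstations (GPOs link to sites, domains
# and OUs, never to groups).
$linked = (Get-GPInheritance -Target $WorkstationOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $WorkstationOU -LinkEnabled Yes | Out-Null
}

# Step 8: show what the GPO now carries; run "gpupdate /force" on a workstation
# to pull it immediately.
Get-GPRegistryValue -Name $GpoName -Key $key | Format-Table ValueName, Type, Value -AutoSize
```

Run it from an account that can write to SYSVOL and manage GPOs (a domain administrator, typically). The URL check is deliberate: the registry value accepts any string, so the script fails early on an http:// URL instead of producing a policy that silently weakens the channel.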
Configure the additional policies that define how the unlocking service operates, if required. Each of them has a registry counterpart in the .reg file described below for non-domain workstations.
Explanation text (registry counterpart: AdminDetails). The policy applies to user workstations. If it is disabled or not configured, no explanation text is displayed in Credential Provider during offline smart card unlocking.
If it is enabled, the defined explanation text is displayed in Credential Provider during offline unlocking. It can be, for instance, the phone number of the Axidian CertiFlow administrator.
Separate Credential Provider for unlocking (registry counterpart: DisableWrapperCP). The policy applies to user workstations. If it is disabled or not configured, a user unlocks a smart card through the standard Windows smart card logon interface.
If it is enabled, a separate option for smart card unlocking is displayed on the logon screen.
Use this setting when card unlocking through the standard Credential Provider is blocked by third-party software installed on the user workstation.
Hiding the "Disable the smart card" option (registry counterpart: DisableSuspendCP). The policy applies to user workstations. If it is disabled or not configured, a user can disable a smart card from the Windows logon screen.
If it is enabled, that option is not displayed on the logon screen.
If the Axidian CertiFlow server and the user workstations are not members of a Windows domain, group policy is not available and the path to the credprovapi application must be set directly in the registry of each workstation. To do so, create a registry file (.reg) with the following contents:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\CertiFlow\Client]
"CredProvAPIURL"=""
"AdminDetails"=""
"DisableServerCertificateChecking"=dword:00000000
"DisableSuspendCP"=dword:00000000
"DisableWrapperCP"=dword:00000000
The CredProvAPIURL parameter holds the path to the credprovapi application on the Axidian CertiFlow server (an https:// URL, as in the Service URL policy parameter).
The AdminDetails parameter sets the explanation text displayed to the user.
Leave the DisableServerCertificateChecking parameter at 0 (the default) so that the workstation validates the TLS certificate presented by the Axidian CertiFlow server. Setting it to 1 (dword:00000001) turns that validation off: the credential provider will then accept any host that answers at the configured URL, so anyone who can redirect the name or sit on the network path can impersonate the unlock service. Use 1 only for troubleshooting in a lab; in production, fix the trust chain (import the issuing CA, correct the name on the certificate) instead.
Set the DisableSuspendCP parameter to 0 (the default) if the "Disable the smart card" button is to be displayed in the logon interface; otherwise set it to 1 (dword:00000001).
Set the DisableWrapperCP parameter to 0 (the default) if smart card unblocking is to be carried out through the standard Credential Provider; set it to 1 (dword:00000001) if a separate Credential Provider is required.
Here is an example registry file for an Axidian CertiFlow server reachable as certiflow.demo.local, with server certificate validation enabled, the "Disable the smart card" button hidden, and a separate Credential Provider used to unblock a smart card in the logon interface:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\CertiFlow\Client]
"CredProvAPIURL"="https://certiflow.demo.local/credprovapi"
"AdminDetails"="Please contact your administrator. Internal phone number is 1607"
"DisableServerCertificateChecking"=dword:00000000
"DisableSuspendCP"=dword:00000001
"DisableWrapperCP"=dword:00000001
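The non-domain configuration as a PowerShell script, added here as an example and not part of the Axidian CertiFlow documentation or product. It writes the documented key and value names, and before doing so it opens a TLS session to the credprovapi host with the operating system's default validation, so that a certificate problem shows up as a clear error to be fixed in the trust store rather than by setting DisableServerCertificateChecking to 1. The server FQDN and phone number are placeholders; the function name Test-CredProvApiTls is this example's own.

```powershell
# Added example (not Axidian CertiFlow code): configures a non-domain
# workstation with the documented registry values and checks TLS to the
# credprovapi endpoint first. Run from an elevated PowerShell (HKLM write).
[CmdletBinding()]
param(
    [string]$ServiceUrl   = 'https://certiflow.demo.local/credprovapi',                      # placeholder
    [string]$AdminDetails = 'Please contact your administrator. Internal phone number is 1607', # placeholder
    [switch]$HideDisableSmartCardButton,    # DisableSuspendCP = 1
    [switch]$UseSeparateCredentialProvider  # DisableWrapperCP = 1
)

$ErrorActionPreference = 'Stop'
$policyKey = 'HKLM:\SOFTWARE\Policies\CertiFlow\Client'

function Test-CredProvApiTls {
    # Opens a TLS session to the credprovapi host using .NET's default
    # validation (chain against the machine trust store plus host name match),
    # which is what a client with certificate checking enabled requires.
    param([Uri]$Uri)
    $port = if ($Uri.IsDefaultPort) { 443 } else { $Uri.Port }
    $tcp  = [System.Net.Sockets.TcpClient]::new($Uri.Host, $port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream())
        $ssl.AuthenticateAsClient($Uri.Host)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Valid    = $true
            Error    = $null
            Protocol = $ssl.SslProtocol
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            Expires  = $cert.NotAfter
        }
    } catch [System.Security.Authentication.AuthenticationException] {
        # Untrusted issuer, name mismatch and expired certificate all land here.
        [pscustomobject]@{ Valid = $false; Error = $_.Exception.Message }
    } finally {
        $tcp.Close()
    }
}

$uri = [Uri]$ServiceUrl
if ($uri.Scheme -ne 'https') {
    throw "CredProvAPIURL must use https://, got '$ServiceUrl'"
}

$tls = Test-CredProvApiTls -Uri $uri
if (-not $tls.Valid) {
    # Import the issuing CA into the machine store or fix the name on the
    # certificate. Disabling the check instead would let any host answering
    # on this name impersonate the unlock service.
    throw "TLS validation of $($uri.Host) failed: $($tls.Error)"
}
Write-Host "Server certificate OK: $($tls.Subject), issued by $($tls.Issuer), expires $($tls.Expires)"

# Same values as the documented .reg file; certificate checking stays on (0).
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
Set-ItemProperty -Path $policyKey -Name 'CredProvAPIURL' -Value $ServiceUrl   -Type String
Set-ItemProperty -Path $policyKey -Name 'AdminDetails'   -Value $AdminDetails -Type String
Set-ItemProperty -Path $policyKey -Name 'DisableServerCertificateChecking' -Value 0 -Type DWord
Set-ItemProperty -Path $policyKey -Name 'DisableSuspendCP' -Value ([int]$HideDisableSmartCardButton.IsPresent) -Type DWord
Set-ItemProperty -Path $policyKey -Name 'DisableWrapperCP' -Value ([int]$UseSeparateCredentialProvider.IsPresent) -Type DWord

# Read back the effective configuration.
Get-ItemProperty -Path $policyKey |
    Select-Object CredProvAPIURL, AdminDetails, DisableServerCertificateChecking, DisableSuspendCP, DisableWrapperCP
```

Calling the script with -HideDisableSmartCardButton -UseSeparateCredentialProvider produces the same values as the example .reg file above. The TLS probe is performed under the same validation rules the workstation applies, so a failure here is exactly the failure the credential provider will hit at the logon screen; resolving it in the trust store keeps the channel to the unlock service authenticated.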