TokenTPM
[TokenTPM]
CheckExpire=60
Events=4
LoadFromPCSC=1
:LoginTimeout=0
:ModeReadOnly=0
:ModeRegisterCertificate=0
NameAllow=
NameDeny=Microsoft Virtual Smart Card*;Windows Hello*;Intercede Virtual Reader*
PinExpire=0
PinMaxLen=32
PinMinLen=2
:PinPolicy=
:PinType=0
SingleSignOn=1
UseChallengeResponse=180
Events
The Events parameter tells when to validate the soft token for updates. The value is a bitmask so it can be checked at several places.
#define VALIDATE_TOKEN_OFF 0
#define VALIDATE_TOKEN_EVENT 1
#define VALIDATE_TOKEN_LIST_SLOT 2
#define VALIDATE_TOKEN_DETECT_RUN 4
[TokenTPM]
Events=4
LoadFromPCSC
The standard behavior is to load TPM modules from PC/SC. The alternative is to specify the names to load.
[TokenTPM]
LoadFromPCSC=1
LoginTimeout
LoginTimeout specifies the number of seconds the login procedure can be inactive. The counter resets when the PIN is used.
Resets the counter:
-
Login
-
Login (when already logged in)
-
Key usage (sign/verify/encrypt/decrypt/etc.)
-
Card update (create/delete/etc.)
Does not reset the counter:
-
Search for object
-
Reading object
-
Login status check
#define PIN1 0x01
#define PIN2 0x02
#define PIN3 0x04
[TokenTPM]
LoginTimeout=<seconds>,<pin-bit-mask>
ModeReadOnly
There are situations when Net iD Client should load the TPM modules but not allow any update, such as changing of PIN.
[TokenTPM]
ModeReadOnly=0
ModeRegisterCertificate
Certificates from the TPM modules are most likely registered by Microsoft using Microsoft Certificate propagation. This parameter enables/disables certificate registration.
[TokenTPM]
ModeRegisterCertificate=0
NameAllow, NameDeny
The NameAllow and NameDeny parameters are used as a whitelist/blacklist of the TPM module names that should be handled.
[TokenTPM]
NameAllow=
NameDeny=Microsoft Virtual Smart Card*;Windows Hello*;Intercede Virtual Reader*
PinExpire
Soft tokens always support time stamps for PIN change, so you can also include an automatic PIN expiration functionality. This means that the end-user will be forced to change PIN at regular intervals. The PinExpire parameter tells the number of days until a change is required.
[TokenTPM]
PinExpire=90
PinMaxLen
PIN policy should be stored in the smart card profile. But the configuration can add more requirements. The PinMaxLen parameter tells the maximum number of characters in the PIN.
[TokenTPM]
PinMaxLen=6
PinMinLen
PIN policy should be stored in the smart card profile But the configuration can add more requirements. The PinMinLen parameter tells the minimum number of characters in the PIN.
[TokenTPM]
PinMinLen=6
PinPolicy
PinPolicy specifies the default PIN policy to use when creating a new TPM token. Normally, PinPolicy is specified during creation.
PinType
PIN policy should be stored in the smart card profile But the configuration can add more requirements. The PinType parameter tells that a specific PIN policy is necessary.
// Password type:
// 0 -> all chars (case sensitive)
// 1 -> all chars (case insensitive)
// 2 -> all chars (max 2 in row or normal/keyboard sequence)
// 3 -> all chars (max 2 in row or normal sequence)
// 4 -> all chars (max 2 in row)
// 5 -> only digits
//
// Normal sequence:
// a-z, z-a, 0-9, 9-0
// Keyboard sequence:
// qwertyuiop, poiuytrewq
// asdfghjkl, lkjhgfdsa,
// zxcvbnm, mnbvcxz,
// qaz, zaq, wsx, xsw, ...
[TokenTPM]
PinType=5