Custom

[Custom]
AdminCertificateIssuer={issuer:2.5.4.3}
AdminTokenDescription={token-number-string}
AdminTokenName={token-name}
AutoRenewServer=
AutoRenewTask=
AutoRenewTokenModel=*
AutoRenewIssuerName=*
:Debug=0x028002C8
EnrollMode=PreLogin,PreLoginEnroll
EnrollServer=
EnrollTokenModelExisting=IDPrime*
EnrollTokenModelNew=TPM
UnlockMode=Unlock,PreLoginUnlock
UnlockServer=
UnlockTokenModelAllow=any
UnlockUseChallenge=IDPrime MD 830B;IDPrime .NET;TPM

AdminCertificateIssuer

Presentation of the Issuer field in the administration utility.

AdminTokenDescription

Presentation of the Token description field in the administration utility.

AdminTokenName

Presentation of the Token name field in the administration utility.

Token and certificate auto renewal

These properties control the token and certificate auto renewal function.

AutoRenewServer

To use the token and certificate auto renewal function, the AutoRenewServer property is mandatory. If it has no value, the function is turned off.

Examples

Example 1. Set up the Net iD Portal renewal server.

To set up the server, use the host name of the Net iD Portal that you use.

[Custom]
AutoRenewServer=nip.example.com    (1)
(1) Net iD Portal server host name

AutoRenewTask

The AutoRenewTask property sets which task to run. It is optional; if no task is given, one is chosen automatically.

If exactly one task exists, it is used. If more than one task exists, a task whose name contains both the words "token" and "renew" is used. The words are case insensitive, so both "RenewToken" and "renewtoken" work, but "RenewToken" is the default task type name in Net iD Portal.

It is recommended not to set this property and instead to configure Net iD Portal so that only one applicable task type is available for self-service.

Examples

Use the task RenewToken in Net iD Portal.

To use the task RenewToken in Net iD Portal, set the AutoRenewTask property to:

[Custom]
AutoRenewTask=RenewToken

AutoRenewTokenModel

The AutoRenewTokenModel property sets the token model pattern that must match for the autorenew dialog to be activated. This property is mandatory; if it is set to the wildcard *, it matches all cards.

Examples

Example 2. Only allow IDEMIA smart cards to be renewed.

To only allow, for example, IDEMIA smart cards, use the following setting.

[Custom]
AutoRenewTokenModel=IAS ECC*

AutoRenewIssuerName

The AutoRenewIssuerName property sets the issuer common name pattern that must match for the autorenew dialog to be activated. This property is mandatory; if it is set to the wildcard *, it matches all cards.

The check is made against the issuer common name, that is, attribute 2.5.4.3 (CN) in the certificate's issuer field.

Examples

Example 3. Only allow smart cards with common names starting with YourName to be renewed.

To only allow smart cards with a common name starting with YourName, use the following setting.

[Custom]
AutoRenewIssuerName=YourName*

Pre-login token management

With the pre-login function, users can enroll and unlock tokens using the Net iD Portal functionality before they log in to Windows and without access to the organization network. Internet access is, however, required.

PIN unlock is self-administered using a mobile identity. Enrollment is done with an OTP initiated by a Net iD Portal officer, or by self-enrollment using a mobile identity.

Net iD Portal and Net iD Access setup is required. Net iD Access Server must be reachable from the internet.

Token limitations apply. Please contact Pointsharp for more information and setup assistance.

The pre-login solution requires sensitive information, such as unlock codes, to be sent over the internet. Communication is protected, but there is always a risk of man-in-the-middle attacks because the solution uses the internet and not the internal network.

The solution has undergone a security review by an independent party. Please contact Pointsharp for more information.

Debug

The Debug parameter enables a debug log in the pre-login GUI.

Values

The value is a DWORD: the upper WORD sets the width and the lower WORD sets the height.

:Debug=0x028002C8
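The following is an added example, not Net iD code: a small Python script that applies the matching conditions described for AutoRenewTokenModel and AutoRenewIssuerName above to a token and its issuer CN, and decodes the Debug DWORD into width and height. The minimal [Custom] parser and the sample fragment are constructed here; it is assumed that * matches any run of characters and that the comparison is otherwise exact and case-sensitive (the page defines only the wildcard).

```python
import re

# Constructed [Custom] fragment modelled on the page's example values (not a real deployment).
# The leading ':' on the Debug key is reproduced as it appears in the documentation.
CUSTOM_INI = """\
[Custom]
AutoRenewServer=nip.example.com
AutoRenewTokenModel=IAS ECC*
AutoRenewIssuerName=YourName*
:Debug=0x028002C8
"""


def parse_section(text, section):
    """Minimal key=value parser (assumed format); returns one [section] as a dict."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank lines and ';' comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current == section and "=" in line:
            key, value = line.split("=", 1)
            result[key.strip()] = value.strip()
    return result


def pattern_matches(pattern, value):
    """'*' matches any run of characters; everything else must match exactly (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def autorenew_dialog_enabled(custom, token_model, issuer_cn):
    """An empty AutoRenewServer turns the function off; otherwise both patterns must match."""
    if not custom.get("AutoRenewServer"):
        return False
    return (pattern_matches(custom.get("AutoRenewTokenModel", ""), token_model)
            and pattern_matches(custom.get("AutoRenewIssuerName", ""), issuer_cn))


def decode_debug(value):
    """Split the Debug DWORD into (width, height): upper WORD, lower WORD."""
    dword = int(value, 16) & 0xFFFFFFFF
    return dword >> 16, dword & 0xFFFF
```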

EnrollMode

The EnrollMode parameter sets which mode the client uses. It corresponds to the mode configured in Net iD Access Server.

EnrollServer

The EnrollServer property sets which Net iD Access Server to communicate with.

Examples

Example 4. Set up the Net iD Access Server to communicate with.

To set up the server, use the host name of the Net iD Access Server that you use.

[Custom]
EnrollServer=nias.example.com    (1)
(1) Net iD Access Server host name

EnrollTokenModelExisting

The EnrollTokenModelExisting parameter sets which existing tokens are allowed and can be used to enroll a certificate.

Examples

Example 5. Set YubiKey to be the allowed token model.

[Custom]
EnrollTokenModelExisting=YubiKey

EnrollTokenModelNew

The EnrollTokenModelNew parameter sets which local tokens are allowed to be created and used to enroll a certificate.

Examples

Example 6. Set TPM to be the allowed local token model.

[Custom]
EnrollTokenModelNew=TPM

UnlockMode

The UnlockMode parameter sets which mode the client uses. It corresponds to the mode configured in Net iD Access Server.

UnlockServer

The UnlockServer property sets which Net iD Access Server to communicate with.

Examples

Example 7. Set up the Net iD Access Server to communicate with.

To set up the server, use the host name of the Net iD Access Server that you use.

[Custom]
UnlockServer=nias.example.com    (1)
(1) Net iD Access Server host name

UnlockTokenModelAllow

The UnlockTokenModelAllow parameter sets which tokens are allowed to be unlocked with the pre-login function.

UnlockUseChallenge

The UnlockUseChallenge parameter sets which tokens use challenge response to unlock the PIN. Multiple token models are separated by semicolons.

Example 8. Set which token models use challenge response to unlock the PIN.

[Custom]
UnlockUseChallenge=IDPrime MD 830B;IDPrime .NET;