TokenTPM
[TokenTPM]
CheckExpire=60
Events=4
LoadFromPCSC=1
:LoginTimeout=0
:ModeReadOnly=0
:ModeRegisterCertificate=0
NameAllow=
NameDeny=Microsoft Virtual Smart Card*;Windows Hello*;Intercede Virtual Reader*
PinExpire=0
PinMaxLen=32
PinMinLen=2
:PinPolicy=
:PinType=0
:RememberFailedAttempt=1
SingleSignOn=1
UseChallengeResponse=180
Events
The Events parameter tells when to validate the soft token for updates. The value is a bitmask, so several of the events below can be combined.
#define VALIDATE_TOKEN_OFF 0
#define VALIDATE_TOKEN_EVENT 1
#define VALIDATE_TOKEN_LIST_SLOT 2
#define VALIDATE_TOKEN_DETECT_RUN 4
[TokenTPM]
Events=4
LoadFromPCSC
The standard behavior is to load TPM modules from PC/SC. The alternative is to specify the names to load.
[TokenTPM]
LoadFromPCSC=1
LoginTimeout
LoginTimeout specifies the number of seconds the login procedure can be inactive. The counter resets when the PIN is used.
Resets the counter:
- Login
- Login (when already logged in)
- Key usage (sign/verify/encrypt/decrypt/etc.)
- Card update (create/delete/etc.)
Does not reset the counter:
- Search for object
- Reading object
- Login status check
#define PIN1 0x01
#define PIN2 0x02
#define PIN3 0x04
[TokenTPM]
LoginTimeout=<seconds>,<pin-bit-mask>
ModeReadOnly
There are situations when Net iD Client should load the TPM modules but not allow any update, such as changing the PIN.
[TokenTPM]
ModeReadOnly=0
ModeRegisterCertificate
Certificates from the TPM modules are most likely registered by Microsoft using Microsoft Certificate propagation. This parameter enables/disables certificate registration.
[TokenTPM]
ModeRegisterCertificate=0
NameAllow, NameDeny
The NameAllow and NameDeny parameters are used as a whitelist/blacklist of the TPM module names that should be handled.
[TokenTPM]
NameAllow=
NameDeny=Microsoft Virtual Smart Card*;Windows Hello*;Intercede Virtual Reader*
PinExpire
Soft tokens always support time stamps for PIN change, so automatic PIN expiration can also be enabled. This means that the end-user will be forced to change the PIN at regular intervals. The PinExpire parameter tells the number of days until a change is required.
[TokenTPM]
PinExpire=90
PinMaxLen
PIN policy should be stored in the smart card profile, but the configuration can add more requirements. The PinMaxLen parameter tells the maximum number of characters in the PIN.
[TokenTPM]
PinMaxLen=6
PinMinLen
PIN policy should be stored in the smart card profile, but the configuration can add more requirements. The PinMinLen parameter tells the minimum number of characters in the PIN.
[TokenTPM]
PinMinLen=6
PinPolicy
PinPolicy specifies the default PIN policy to use when creating a new TPM token. Normally, PinPolicy is specified during creation.
PinType
PIN policy should be stored in the smart card profile, but the configuration can add more requirements. The PinType parameter tells that a specific PIN policy is necessary.
// Password type:
// 0 -> all chars (case sensitive)
// 1 -> all chars (case insensitive)
// 2 -> all chars (max 2 in row or normal/keyboard sequence)
// 3 -> all chars (max 2 in row or normal sequence)
// 4 -> all chars (max 2 in row)
// 5 -> only digits
//
// Normal sequence:
// a-z, z-a, 0-9, 9-0
// Keyboard sequence:
// qwertyuiop, poiuytrewq
// asdfghjkl, lkjhgfdsa,
// zxcvbnm, mnbvcxz,
// qaz, zaq, wsx, xsw, ...
[TokenTPM]
PinType=5
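As an added example (not Net iD Client code), the following Python checks a candidate PIN against the PinType, PinMinLen and PinMaxLen rules described above. It assumes that "max 2 in row" means no character may appear three or more times consecutively, that a "sequence" is three or more consecutive characters taken from one of the listed sequences in either direction, and that the keyboard column list continues past the page's "qaz, wsx, ..." with the remaining US QWERTY columns.

```python
import string

# PinType values as documented above; types 0 and 1 add no content rule
# (type 1 only means the PIN is compared case-insensitively)
PIN_TYPE_CASE_SENSITIVE = 0
PIN_TYPE_CASE_INSENSITIVE = 1
PIN_TYPE_NO_RUN_NO_SEQUENCE = 2    # max 2 in row or normal/keyboard sequence
PIN_TYPE_NO_RUN_NO_NORMAL_SEQ = 3  # max 2 in row or normal sequence
PIN_TYPE_NO_RUN = 4                # max 2 in row
PIN_TYPE_DIGITS_ONLY = 5           # only digits

# Normal sequences a-z and 0-9; the reversed direction is checked as well
NORMAL_SEQUENCES = [string.ascii_lowercase, string.digits]
# Rows are from the page; columns after "qaz, wsx" are an assumption (US QWERTY)
KEYBOARD_SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
                      "qaz", "wsx", "edc", "rfv", "tgb", "yhn", "ujm"]

def has_run(pin, limit=2):
    """True if any character repeats more than `limit` times consecutively."""
    count = 1
    for prev, cur in zip(pin, pin[1:]):
        count = count + 1 if cur == prev else 1
        if count > limit:
            return True
    return False

def has_sequence(pin, sequences, window=3):
    """True if any `window`-long slice of the PIN lies inside a sequence, forwards or reversed."""
    low = pin.lower()
    for seq in sequences:
        for direction in (seq, seq[::-1]):
            for i in range(len(low) - window + 1):
                if low[i:i + window] in direction:
                    return True
    return False

def check_pin(pin, pin_type, pin_min_len=2, pin_max_len=32):
    """Return None if `pin` satisfies the policy, otherwise the rule it breaks."""
    if not pin_min_len <= len(pin) <= pin_max_len:
        return "length"
    if pin_type == PIN_TYPE_DIGITS_ONLY:
        return None if pin.isdigit() else "digits only"
    if pin_type in (2, 3, 4) and has_run(pin):
        return "repeated character"
    if pin_type in (2, 3) and has_sequence(pin, NORMAL_SEQUENCES):
        return "normal sequence"
    if pin_type == 2 and has_sequence(pin, KEYBOARD_SEQUENCES):
        return "keyboard sequence"
    return None
```

The defaults of check_pin mirror the PinMinLen=2 and PinMaxLen=32 values from the section listing at the top of the page.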
RememberFailedAttempt
A calling application can send the PIN by using CryptSetProvParam. Normally each attempt results in a call to the smart card. This parameter can be used to avoid locking the PIN: the last failed attempt with a specific PIN value and container is remembered, and the call returns failure without another attempt against the smart card.
[TokenTPM]
RememberFailedAttempt=1