A newer version of this documentation is available.

Settings

There are a number of settings, which can be set to change the functionality and/or behavior of the product. For Windows platforms there is an administration utility which can be used for update of some of the configuration parameters, but for all operating systems the parameters may be updated with the plugin object, see ApplyConfig in the Net iD Enterprise Developer’s Guide for more information.

The storage format of the configuration file is UTF-8, and the content is classic Windows settings format with sections and entries. From v6.0 of Net iD Enterprise, the configurations may be stored in Registry on Windows platforms, each section below will be translated to a key with sub-keys. The location will be stored at the uninstall key for the product.

The name of the file is iid.cfg for Windows and iid.conf for Linux/macOS, see installation section for each operating system for default location of the files. The location may be changed using environment variables iidconfig for the global configuration file and iidconfiglocal for the local configuration file.

There are both a local and global configurations available, the local configuration will always be read before the global configuration, but for most sections, the local configuration will be ignored. The following sections are read from both local and global configuration:

[ATR]
[Language]
[SmartCard]
[SmartCard Profiles]
[SoftToken]
[Trace]

[AllowedServers]

This entry contains a list of sites and access modes for use with the plugin. Currently there are five modes available:

0: Blocked access — only create non-repudiation signatures is allowed
1: Full access — including modify configuration
2: Use access — all except modify configuration
3: Limited access — user will be asked to allow access
4: Limited access — user will be asked to allow access and the answer will not be saved

A wild card * may be used to set a value for a group of sites.

Example 1. AllowedServers syntax

http://*=0
https://*.secmaker.com=2
https://netid.secmaker.com=1
https://demo.secmaker.com=1

File system access protection, also known as Sandbox, will also interfere with all updates. Never try to update unless your server is registered as trusted site in the web browser.

Parameter Plugin>Allowed is also used to set access mode for entire applications.

[Command]

This section is used to specify start parameters for internal applications instead of normal start parameters given when creating the application process.

Admin

This value is only used when no start parameters is given for the main loader component.

Example 2. Command Admin syntax

Admin=-command

Watch

This value is only used when no start parameter is given for the Watch component.

Example 3. Command Watch syntax

Watch=config

App

Default start parameter for App command.

Example 4. Command Admin syntax

App=-url file:///%InstallLocation%\gui\index.html -size 0x01400200 -center -resizing -useragent

[Components]

This section will contain information about the installed components. The information is only used to detect updates from the original installation, see section ValidateInstallation

[CredentialProvider]

This section specifies the behavior for Credential Provider. This provider is used by Microsoft standard dialogs in three different scenarios: selecting credential, selecting certificate, and enter PIN. In the scenarios of smart cards with certificates; selecting credential will be a combination of both selecting a certificate and enter PIN.

This section is used to configure the behavior for selecting credential. [CredentialProvider Certificate] is used to specify the behavior for certificate selection, and [CredentialProvider Pin] is used to specify the behavior for enter PIN.

All parameters in the CredentialProvider section can also be set using the application.

Example 5. CredentialProvider syntax

Mode=iid.exe,0x1121;*,0

This example sets Mode=0x1121 for iid.exe application and Mode=0 for all others.

It is a requirement that the credential provider component is included in the installation and that this configuration section is present.

Version

All entries except those used for presentation may have different values depending on Windows version. A value with version number as a postfix will only apply to that version of Windows.

<entry>_v61 → Windows 7
<entry>_v62 → Windows 8
<entry>_v63 → Windows 8.1
<entry>_v100 → Windows 10

Example 6. CredentialProvider Version syntax

Enable=0
Enable_v61=1
Enable_v100=1

Presentation

Presentation will be based on the information from [Dialog Presentation], but if presentation should be different it will be possible to specify the same entries in this section.

Image
Title
SubTitle
TextAbove
TextBelow

Enable

This entry specifies whether Credential Provider should be enabled or not.

0: Credential Provider not available
1: Credential Provider available

Default value is 1, Credential Provider is available, will still require that the configuration section is present and the component is available.

Disable

This entry specifies a list of applications that will not use the Credential Provider. Use semicolon (;) to separate the applications.
By default the list is empty; all applications will use Credential Provider.

AutoLogon

This entry specifies the automatically logon behavior in situations where there is only a single credential available and the PIN already has been entered. The dialog will be shown but the PIN entry will be automatically filled and the OK button will automatically be pressed.

0: Will not use automatically logon
1: Will use automatically logon

Default value is 0; automatically logon is disabled.

Activate

This entry is used to prompt PIN for Credential Provider.

0: Will not prompt
1: Will prompt PIN for windows logon
2: Will prompt PIN for CredUI
3: Will prompt PIN for all scenarios

Default value is 3; prompt PIN for all scenarios.

DisableAutoLogon

This entry specifies a list of applications that should not use the automatically logon feature. Use semicolon (;) to separate the applications. Default Windows logon applications logonui.exe;lsass.exe.

Example 7. CredentialProvider DisableAutoLogon syntax

DisableAutoLogon=lsass.exe;logonui.exe

InitChangePin

This entry is used to force a PIN change for Credential Provider. Used together with PinExpire in SmartCard section.

0: Will not force PIN change
1: Will force PIN change for windows logon
2: Will force PIN change for CredUI
3: Will force PIN change for all scenarios

Default value is 3; force PIN change for all scenarios.

Mode

This entry specifies the mode of operation, either pass-through provider or full provider. The pass-through provider will intercept the Microsoft standard provider and modify the behavior, but the full provider will implement all functionality itself and will not rely on anything else.
To make the full provider work as expected for all available parameters it is also necessary with some additional configurations that will not be described.

0: Will use pass-through provider
0x???1: Will use full provider

Default value is 0; will use pass-through provider.

Full CredentialProvider Mode.

Detect insert/remove Access mode:

0x01??: via PC/SC.
0x02??: via polling.
0x03??: via PKCS#11.

Read certificate Access mode:

0x00??: using CSP.
0x10??: using PKCS#11.

The values for Detect and Read are combined to form the complete access value.

Example 8. CredentialProvider Mode syntax (Detect via PC/SC and read via CSP)

Mode=0x01??

Example 9. CredentialProvider Mode syntax (Detect via PKCS#11 and read via PKCS#11)

Mode=0x13??

Other modes:

0x??1?: Show certificate even if it does not contain UPN.
0x??2?: Show all certificates, not only first.
0x??4?: Show all card readers, not all unused.
0x??8?: Show only certificates with key usage smart card logon.

Combining Access and Other mode will give the complete Full CredentialProvider mode.

Example 10. CredentialProvider Mode syntax (Detect PCSC, read PKCS11, show all cert)

Mode=0x1121

Example 11. CredentialProvider Mode syntax (Detect PKCS11, read PKCS11, show all cert but require smart card logon)

Mode=0x13A1

Soft token mode, currently only supported for test.

0x???4: Soft token mode.

Recommended mode for Windows login with soft token (virtual smart card):

Example 12. CredentialProvider Mode syntax (Detect PKCS11, read PKCS11, show all certificates and allow soft tokens.)

Mode=0x1325

[SmartCardReader]>Detect=0 is recommended for optimal performance.

When using Full Credential Provider, CredentialProvider Pin must be disabled, see CredentialProvider Pin — Enable.

WrappedGUID

This entry specifies the guid for the provider that should be wrapped when used in pass-through mode.
The default value will wrap Microsoft standard providers and is depending on provider scenario and Windows version.

BlockGUID

This entry specifies the guid which should be blocked. Default will block a possible provider that is wrapped when using pass-through, but this entry may also specify additional providers.

AcceptIssuers

This entry specifies a list of issuers of user certificates that are allowed to be used in Credential Provider, no other certificates will be shown. The configuration is only valid with the full provider.
Default none; certificates from all issuers are shown.

[CredentialProvider]
Mode=0x???1
AcceptIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2

DefaultIssuers

This entry specifies a list of issuers that will be used when deciding which user certificate that should be considered as the default certificate in Credential Provider. Will set the certificate that is matching the most prioritized value in the list as default. The values in the list are prioritized from left to right. The configuration is only valid with the full provider.
Default none; no default certificate defined.

[CredentialProvider]
Mode=0x???1
DefaultIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2

DenyIssuers

This entry specifies a list of issuers of user certificates that are not allowed to be used in Credential Provider, all other certificates will be shown. The configuration is only valid with the full provider.
Default none; certificates from all issuers are shown.

[CredentialProvider]
Mode=0x???1
DenyIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2

RememberLastUsed

This entry is used to remember last used credential for LogonUI and CredUI. Max 10 credentials.

0: Will not remember last used
1: Will remember last used

Default value is 0; Will not remember last used credential.

[CredentialProvider Certificate]

This section is used for certificate selection with Credential Provider.

Enable

This entry specifies whether Certificate Provider should be enabled or not.

0: Certificate Provider not available
1: Certificate Provider available

Default value is 1, Certificate Provider is available, will still require that the configuration section is present and the component is available.

Disable

This entry specifies a list of applications that will not use the Certificate Provider. Use ; to separate the applications.
By default the list is empty; all applications will use Certificate Provider.

Disable=iexplore.exe;app.exe

[CredentialProvider Change]

This section specifies customization of a possible additional Credential Provider scenario: change PIN/password. Currently there are many limitations, so it should not be used. This may be enhanced in the future when no longer relying on Microsoft Credential Provider.

[CredentialProvider Enroll]

This section specifies the behavior when inserting an empty smart card; should a certificate be enrolled to the smart card or not? The behavior is relying on an additional component called LRA (local registration authority) and is currently only available on project basis, since it will require a connection to a certificate authority.

Parameters, RequestURL, and ResponseURL

These entries are used to generate the certificate request and the value is depending on the LRA component, see LRA documentation for more information.

ChallengeResponse

This entry tells whether challenge/response should be used when unlocking the PIN. The smart card to be enrolled may be locked for security reasons.

0: Normal PUK is used to unlock PIN
1: Challenge/response used to unlock PIN

Default value is 0; normal PUK is used to unlock PIN.

Timeout

This entry tells the number of seconds a challenge should be valid when using challenge/response mode.

The smart card will be locked during the operation, since the next call after generating the challenge should be the response. No other application will be able to access the smart card until the timeout is reached or the operation is finished/aborted.

AlwaysUnlock

This entry tells whether the smart card always should be unlocked during enrollment.

0: Will unlock smart card when locked
1: Will always unlock smart card

Default value is 0; will unlock smart card when locked.

[CredentialProvider Password]

This section specifies customization of a possible additional Credential Provider scenario, smart card with username/password stored as data object on a smart card (in chip or using Mifare).

The implementation is still experimental and should only be used for proof-of-concept.

[CredentialProvider Pin]

This section is used to enter PIN dialog with Credential Provider. Must be disabled when used with Full Credential Provider.

Enable

This entry specifies whether Pin Provider should be enabled or not.

0: Pin Provider not available
1: Pin Provider available

AutoLogon

0: Will not use automatically logon
1: Will use automatically logon

Default value is 0; automatically logon is disabled.

DisableAutoLogon

This entry specifies a list of applications that should not use the automatically logon feature. Use ; to separate the applications. Default Windows logon applications "logonui.exe;lsass.exe".

DisableAutoLogon=lsass.exe;logonui.exe

InitChangePin

This entry is used to force a PIN change for Pin Provider. Used together with PinExpire in SmartCard section.

0: Will not force PIN change
1: Will force PIN change for windows logon
2: Will force PIN change for CredUI
3: Will force PIN change for all scenarios

Default value is 3; force PIN change for all scenarios.

[CredentialProvider Unlock]

This section specifies the behavior when inserting a smart card with locked PIN. The same entries as available for [CredentialProvider] may be specified. There is also some additional information that may be specified.

ChallengeResponse

This entry tells whether challenge/response should be used when unlocking the PIN.

0: Normal PUK used to unlock PIN
1: Challenge/response used to unlock PIN

Default value is 0; normal PUK used to unlock PIN.

Timeout

This entry tells the number of seconds a challenge should be valid when using challenge/response mode.

[CSP]

This section specifies the behavior for the Microsoft CryptoAPI CSP.

AcceptBothKeySet

This entry will enable/disable usage of both key set types for internal key container format. Some CryptoAPI applications will not check for correct values in the certificate store instead assume the key type.

0: Only correct key set may be retrieved
1: Both key sets may be retrieved

Default value is 0; only correct key set may be retrieved.

AcceptIssuers

This entry specifies a list of issuers which will be registered in user store for CryptoAPI, use ; to separate different issuers. Default none, all certificate are registered.

May use [CSP]>DenyIssuers to specify a list that will be denied.

AllowedDuplicateUsage

This entry can be used to limit extended usage for duplicate certificates. Specify object identifier for the extended usages that should be allowed, separate with ';'. Use text string <none> to allow nothing. Default empty, no special handling for duplicate certificates.

Typical use for this entry is to continue to allow to use a certificate for decryption even after that the certificate has been replaced with a new certificate.

CacheCard

This entry can be used to enable/disable writing of certificate/container information to a cache file. The cache is used by Credential Provider when it is used in pass-through mode. Microsoft has some limitations regarding multiple access, so this is used to avoid extra access from the Credential Provider towards the CSP when used with Microsoft Provider.

0: Certificate information is not written
1: Certificate information is written

Default value is 1; certificate information is written.

DO NOT EDIT, default value should be used.

CertificateStoreMode

This entry is used to sort certificates for CSP via PP_USERCERT_STORE.

0x01: Newest certificate first
0x02: Oldest certificate first
0x04: Invert list

CertificateStoreMode=app.exe,0x01;app2.exe,0x04

ClearUserPinCache

This entry will enable/disable clear of user PIN cache by the internal certificate propagation service.

0: Will not clear user PIN cache
1: Will clear user PIN cache for logged on user
2: Will clear all user PIN cache for all smart cards
4: Will clear all user PIN cache for all tokens in same session

Default value is 2; will clear user PIN cache for all users.

In terminal server sessions value 2 should never be used, since it will clear PIN cache for other users.

ConnectPCSC

This entry specifies a list of applications, separated by using ;, that will have their own PCSC connection from CSP.

ConnectPCSC=lsass.exe;iexplore.exe

Default none; no applications will be handled.

ContainerNameMode

This entry specifies the name format of the container representing certificates and corresponding private key.

0: 'thumbprint (slotid)'
1: '\\.\cardreader\thumbprint (slotid)'
2: 'thumbprint'
3: '\\.\cardreader\thumbprint'

Default value is 0; 'thumbprint (slotid)'.

DeleteAtNewKeySet

This entry will enable/disable deletion of old key set when generating a new key.

0: Will not delete old key set
1: Will delete old key set

Default value is 0; will not delete key set.

Typically used with certificate enrollment for CA’s without support for delete key set. Normal behavior is that a delete operation is called before generating a new key set.

DenyIssuers

This entry specifies a list of issuers which will not be registered in user store for CryptoAPI, use ; to separate different issuers. Default none; all certificates are registered.

May use [CSP]>AcceptIssuers to specify a list that will be accepted.

DisableInsert

This entry will enable/disable showing of insert card dialog when requested smart card is not present.

0: Will show possible insert card dialog
1: Will not show possible insert card dialog, operation will fail.

Default value is 0; will show insert card dialog when needed.

DisableNonRep

This entry will try to enable/disable use of non-repudiation certificates for Microsoft CryptoAPI.

0: Will not disable certificates
1: Will disable certificates

Default value is 1; will try to disable use of non-repudiation certificates.

Will set extended key usage to document signing only for certificates with key usage non-repudiation if extended key usage is not available.

Will disable usage for all CryptoAPI applications using CryptoAPI to get the extended key usage property, but not applications retrieving this information from the certificate value.

DisableRandom

This entry will enable/disable use of Net iD CSP for generating random values.

0: Will allow to generate random values
1: Will not allow to generate random values

Default value is 1; will allow generating of random values.

Microsoft will generate two signatures during Windows smart card logon when CSP is used to generate random values, but only one signature when random is disabled. This will increase performance for smart cards with slow RSA operations.

DisableSilent

This entry will enable/disable check of CRYPT_SILENT flag when creating new CryptoAPI contexts with CryptAcquireContext. Setting the CRYPT_SILENT flag when creating new CryptoAPI context means that the calling application will not allow the CSP to show any dialogs.

0: Will check silent flag
1: Will ignore silent flag.

Default value is 0; will check silent flag.

Some CryptoAPI applications require silent operation, but forget to transmit PIN when accessing the private key. This allows CSP to show dialog even when silent operation is specified.

Enable

This entry is used to enable/disable to storage of certificates in CryptoAPI user store.

0: Certificate not registered
1: Certificate registered

Default value is 1; will register certificate in CryptoAPI user store.

FriendlyName

This entry is used to register a friendly name for the certificate in CryptoAPI user certificate store. The following wild cards may be used:

%label%
%issuer.<object identifier>%
%subject.<object identifier>%

Label is the certificate label stored with the certificate object, issuer and subject are any of the object identifiers available in the subject or issuer field from the certificate. Any combination of static text and wild cards above may be used.

Default value is "%subject.2.5.4.3% (%issuer.2.5.4.3%)".

For unknown reason some CryptoAPI applications require friendly name to be static for a certificate. This may cause problems when both Net iD Enterprise certificate service and Microsoft is registering the certificate in CryptoAPI user certificate store, since Microsoft will not specify any friendly name.

InitChangePin

This entry is used to initialize a change PIN dialog, when PIN is about to expire.

0: Will not initiate a change PIN
1: Will initiate a change PIN

Default value is 0; no change PIN dialog.

InstallCaCert

This entry can be used to control installation of CA certificates to CryptoAPI store.

0: Will not install
1: Will install

Default value is 1; will install CA certificates.

LoadExternal

This entry can be used to enable/disable loading of Net iD Enterprise main library directly when the CSP is loaded. This may increase performance, but may cause unloading to be slightly slower.

0: Will not load external
1: Will load external

Default value is 0; will not load external.

Do not use in terminal server sessions, since this may cause library to never be unloaded. If not unloaded this will cause memory leaks.

LoadMyself

This entry is used to control loading and unloading of the CSP, when enabled the CSP library will not be unloaded. This was recommended by Microsoft for enhanced performance, but is no longer recommended by Microsoft.

0: Will not load myself
1: Will load myself

Default value is 1; will load myself.

DO NEVER use in terminal server sessions, since it will cause memory leaks.

Recommended to use in normal client packages when not using a single-sign-on component. This loading will start automatic caching of PIN status to avoid multiple PIN dialogs for CryptoAPI applications.

KeepCertificates

This entry is used to control the behavior of certificate storage when a smart card is removed. Normally certificates will be removed from CryptoAPI user certificate store when smart cards are removed.

0: Will not keep certificates
1: Will keep certificates

Default value is 0; will not keep any certificates.

Certificate stored in CryptoAPI store will cause a smart card insert dialog if any application tries to use the certificate when the smart card is removed.

Do not keep certificates on a computer which is used by several different users, since all users' certificates will be available for selection.

KeepSessionAlive

This entry is used to control the behavior of CryptoAPI contexts. Normally the PKCS#11 sessions will be closed as soon as the context is released, using this parameter will cause the session to be alive and wait for a new identical session. This behavior may increase performance.

0: Will not keep session alive
1: Will keep session alive

It is also possible to specify a list of application names instead of 1, specified applications will have value 1 (all other 0).

Default value is 0; will not keep session alive.

KeepSessionAlive=1

KeepSessionAlive=iexplore.exe;lsass.exe

NamePrefix

This entry is used as prefix for names when registered for smart card logon during installation.
Default value is empty; none.

OverwriteCertificate

This entry is used to control the behavior of registering certificates in CryptoAPI stores. Normally Net iD Enterprise always will try to register the certificates to Net iD CSP, even if another CSP already has registered the certificate.

0: Will not overwrite certificate
1: Will overwrite certificate

Default value is 1; will overwrite certificate.

PublishMachineStore

This entry is used to control the behavior of registering certificates in CryptoAPI stores. Normally Net iD Enterprise always will try to register the certificate both for the user and the machine. This will allow applications running in system environment to use the certificate.

0: Will not publish in machine store
1: Will publish in machine store

Default value is 1; will try to publish in machine store.

ReplaceCertificate

This entry is used to control the behavior when writing certificates with the CSP. Normally we only write the certificate, but this parameter may be used to initiate a search for identical certificates and remove those if found. Identical means same issuer/subject/key.

0: Will not replace certificate
1: Will replace certificate

Default value is 0; will not replace certificate.

Replace certificate is useful for auto-enrollment to delete old certificate when new certificate is written.

StoreContainerName

This entry is used to when the container name has a special meaning for the calling application and needs to be used for future calls, i.e. Entrust. This will limit the use of secondary certificates and should be avoided.

0: Container name is automatically generated
1: Container name is stored and will be remembered

Default value is 0; container name is automatically generated.

UseCritical

This entry is used to add a critical section for all CryptoAPI contexts. This should normally not be needed, since the same context should not be used by multiple threads simultaneously. It will also be possible to add a global critical section, this will only allow one single thread at each time to access the CSP.

0: Critical section not present
1: Critical section present
2: Global critical section present

Default value is 1; will add a critical section.

VerifyCertificate

This entry will enable/disable validation of certificates before registration in CryptoAPI store. The validation is only made on the certificate value and signature if the CA certificate is available, no check is made regarding certificate revocation.

0: Will not verify certificate
1: Will verify certificate

Default value is 0; will not verify certificate.

[DefaultCertificate]

Some CryptoAPI applications still require the use of a default certificate and have no functionality to let the user select which certificate to use.

This section allows registering of a specific certificate to a specific application. Format:

application: The name of the application. The application name Default may be used to specify the default behavior.
token-number: The certificate serial number.
issuer: The certificate issuer field.
subject: The certificate subject field.
usage: The certificate key usage.

Only specify those values that should be matched. Set a * character to match any.

Example 13. DefaultCertificate string

The following requires a specific issuer common name and key usage when used with the application.

app.exe=*|2.5.4.3=SecMaker CA v2|*|A0

This section will be ignored if any certificate on the token is marked as default.

[Dialog]

This section controls the behavior when loading dialogs.

Advanced

This entry will enable/disable advanced dialogs for the old user interface. The advanced dialogs will include a bitmap representing the certificate used; see Dialog Image

0: No advanced dialog
1: Use advanced dialog

Default value is 1; will always try to use advanced dialogs.

By default not used with current GUI. Advanced dialogs requires a certificate to match correct dialog and to get name and validity information. Will show standard dialog if no certificate is available.

NoUserInterface

For a specified list of applications this entry will disable the user interface to be shown in the same process as the application itself. An attempt to show the user interface will instead create a separate process that will show the user interface, for example a PIN dialog.

Default value is "lsass.exe;iexplore.exe;firefox.exe;chrome.exe;"

Redirect

This entry will enable/disable redirection of open dialog requests to another process; the value is a full path to any application.

PathApplication

This entry specifies the full path to an application that should be used to show the web-based user interface. The parameter is required when a dialog is started from within an Internet Explorer session, since Internet Explorer will interfere with the user interface. The recommended value is the internal loader.

PathApplication=%InstallLocation%\iid.exe

PathApplicationDisable

This entry specifies a list of applications that should not use another application to show the user interface. Use ; to separate the applications.

Default is none; all applications will use another application when enabled.

PathResource

This entry specifies the full path to the location containing the web-based user interface. The recommended value is within the installation directory.

PathResource=file:///%InstallLocation%\gui\

Theme

This entry specifies the theme that should be used by the web-based user interface. This will be translated to a parameter when opening the dialog and the real meaning will be decided by the implementation of the web-based user interface.

Theme_v<nn>

This entry is the same as Theme, but specifies the theme that should be used for a specific Microsoft Windows version.

Theme_v61 → Windows 7
Theme_v62 → Windows 8
Theme_v63 → Windows 8.1
Theme_v100 → Windows 10

Default value is Theme_v62; Windows 8.

Timeout

This entry specifies the number of minutes the web-based dialog should be shown until it is automatically closed when using another application to show the user interface

Default value is 10; 10 minutes.

Info<name>

The web-based user interface will require configuration for each dialog that will be shown. The following list is currently available:

InfoAbout: About dialog
InfoAdmin: Administration dialog
InfoChangePIN: Change PIN dialog
InfoExitWindows: Exit Windows dialog
InfoFileXXXX: ExplorerMenu dialog
InfoInsertToken: Insert smart card dialog
InfoNotify: Notify dialog
InfoPIN: Enter PIN dialog
InfoSelect: Select certificate dialog
InfoSetup: Setup dialog
InfoUnlockPIN: Unlock PIN dialog
InfoViewToken: View token dialog

It is also possible to add custom utility dialogs started via main loader:

Info<custom>: Custom Utility started via iid.exe –admin <custom>

All entries have the following format:

<file>;<size>;<dynamic>;<extra>

The <file> value is either a full URL to any location or relative to the PathResource parameter:

Index.html
file:///%InstallLocation%/index.html

The <size> value is a hexadecimal digit where the first four digits specify the dialog width (pixels) and the last four digits specify the dialog height (pixels).

The <dynamic> value is used when calculating the dialog height based on dynamic content, i.e. select certificate may contain one or more certificates. The value is hexadecimal digit where the first four digits tells the number of objects that was used for the <size> parameter and the last four digits tells the number of pixels that should be added/removed for each object.

The <extra> value specifies other useful parameters, the current available list of parameters:

-application: Considered application and will not start new dialog (PathApplication ignored)
-center: Will calculate position to center of screen (override –position)
-debug: Will show any error and/or warning dialogs, i.e. javascript errors
-noframe: Will hide standard dialog frame (only Windows)
-position <value>: Position of dialog
-resizing: Will add resizing frame to dialog
-secure: Will start dialog using Secure Desktop (only Windows)
-theme: Will start selected dialog
-transparent <value>: Value is an RGB color value that should be translated to transparent (only Windows)

Customize

There are endless possibilities to customize the dialogs, since the web-based interface and the plugin object are available. The actual parameters for each type of dialog are not documented and may be updated for each future version. The best approach is to check the web pages for the delivered user interface and modify it. The parameters will probably not change until next major release, but there is no guaranty, even a minor update may change/add/remove parameters.

[Dialog Image]

This section specifies images (bmp and ico files supported) which will be displayed to represent a certificate when the advanced dialog is used.

Entry format:

<issuer commonname>|<issuer serialnumber>

Either issuer common name or serial number is used to identify which entry to use.

SecMaker CA v2=…

Value format:

<file>[,<position name>[#<color name>]:<position time>[#<color time>]]

The value specifies full path to the image file that should be loaded and positioning/color of name and time information from the certificate.

SecMaker CA v2=c:\images\card.bmp,0x00100044:0x00110058

Name information is subject common name from the certificate. Time information is the date part of the valid to field from the certificate.

Position is always calculated from upper left corner of the bitmap, first four hexadecimal digits is X coordinates (left to right) and last four hexadecimal digits is Y coordinates (top to bottom).

Color is specified with RGB values, two hexadecimal digits for each part: #RRGGBB.

SecMaker CA v2=c:\images\card.bmp,0x00100044#0xFF00AA

[Dialog] > Advanced must be enabled.

[Dialog Presentation]

This section is used to customize presentation for internal dialogs using the new web-based user-interface and Credential Provider dialogs.

The intention is to be able to show different information depending on the certificate, to enhance the user experience when selecting the certificate or enter the PIN. The information displayed is always one image and several text fields.

The following wild cards may be used below.

%cardlabel%
%cardnumber%
%expire%
%issuer.<object identifier>%
%keyusage%
%pinattempts%
%scenario%
%space%
%subject.<object identifier>%
%upn%

Card label and number are retrieved from the smart card. Key usage and expire will be retrieved from the certificate. For issuer and subject values, the object identifiers will be used to specify the values retrieved from the issuer respective subject fields of the certificate. The UPN value is the user principal name from the certificate. The PIN attempts will be available with a warning message when 0, 1 and 2 attempts remains. The space value is a single white space. The scenario is only available for Credential Provider and specifies the active scenario: CREDUI/LOGON/UNLOCK_WORKSTATION.

Language

To handle different strings for different language entries: Title, SubTitle, TextAbove and TextBelow may be prefixed with a short name of the language.

Title=eID Card %cardlabel%
en_Title=eID Card %cardlabel%
se_Title=eID Kort %cardlabel%

Multiple Choices

To handle different strings for different type of certificates: Image, Title, SubTitle, TextAbove and TextBelow may be specified with multiple choices, first combination that generates a non-empty string will be used. Separate with ; and will check from left to right.

Title=%subject.2.5.4.3%;%cardlabel%

Since character ; is used as separator, it may not be used as a part of the value.

Image

This entry specifies a list of images which may be used to display a certificate, bmp and ico files are supported. Use the wild cards above, wild cards will always be replaced, not found will generate an empty value. The search will try to find an entry in the same section with the generated string after wild card replacement.

Image=BMP(%issuer.2.5.4.3%);
BMP(SecMaker CA v2)=iidxca2.ico
BMP(SecMaker CA v3)=iidxca3.ico

Image=BMP(CA);
BMP(CA)=iidxca_%issuer.2.5.4.3%.ico

It is also possible to specify a nomatch and default image that will be shown for unknown certificates, without this entry Microsoft standard bitmap will be used.

BMP(Default)=iidxdef.bmp
BMP(NoMatch)=iidxnomatch.bmp

Unknown certificate means that the certificate is external, or that no smart card is present.

Image=BMP(%issuer%.2.5.4.3);BMP(NoMatch)
BMP(SecMaker CA v2)=iidxca2.ico
BMP(SecMaker CA v3)=iidxca3.ico
BMP(Default)=iidxdef.ico
BMP(NoMatch)=iidxnomatch.ico

Title

This entry specifies the title for selection entry. Use any combination of static text and wild cards above.

Default value is certificate common name. This value is always visible.

Title=%subject.2.5.4.3%

SubTitle

This entry specifies the subtitle for selection entry. Use any combination of static text and wild cards above.

Default value is static text "Smart card logon", translated to local language. This value is always visible.

SubTitle=%issuer.2.5.4.3%

TextAbove

This entry specifies an extra text field for the selection entry, located above the PIN entry edit field. Use any combination of static text and wild cards above.

Default value is user principle name from the certificate. This value is visible when selection entry is selected.

TextAbove=%cardlabel%

TextBelow

This entry specifies an extra text field for selection entry, located below the PIN entry edit field. Use any combination of static text and wild cards above.

Default value is none. This value is visible when selection entry is selected.

TextBelow=%pinattempts%

[Dialog Presentation Certificate]

This section is used when different information should be presented for certificate selection and enter PIN dialog. The same entries as for [Dialog Presentation] may be specified and the values in this section will be used for certificate selection when specified. If not specified the entries in [Dialog Presentation] will be used.

[Dialog Presentation Pin]

This section is used when different information should be presented for certificate selection and enter PIN dialog. Same entries as for [Dialog Presentation] may be specified and the values in this section will be used for PIN dialog when specified. If not specified the entries in [Dialog Presentation] will be used.

[Directory]

This section contains a list of directories which may be used during search for certificates. This information may be used to store certificates in a LDAP directory instead of the smart card. Currently this parameter is only used on Windows platforms.

Format:

<number>=<name>|<ldap>|<base>|<filter>

<name>

Entry description.

<ldap>

Complete address to the LDAP directory.

<base>

LDAP search base, where the certificate search should start.

<filter>

LDAP search filter used to limit the number of certificates found. Use any of the following filter criteria to find matching certificates:

<cardserialnumber>
<subjectkeyidentifier>
<publickeydigest>

Certificate service will try to find additional certificates when a smart card is inserted based on the information above.

1=SecMaker|ldap://ca.secmaker.com|CN=SecMaker CA,O=SecMaker,C=SE|card=<cardserialnumber>

[DynamicStrings]

This section is used for dynamic loading of strings. All strings are usually stored in string tables, but may instead be read from this section when enabled. This allows for custom strings, for example an informative warning message including custom specific information and/or link.

Enable

This entry will enable/disable the use of dynamic strings.

0: No dynamic strings
1: Use dynamic strings

Format

Any string may be replaced and they are identified by the short language name and the resource string id.

Example 14. About dialog title:

EN_1000=About
SE_1000=Om

Example 15. Remove short language to use the same string for all languages.

1000=About

You may retrieve the available resource string IDs by calling

iid.exe -strings [path]

[Encryption]

This section controls the behavior when creating encrypted messages.

Format

This entry specifies the default encryption format of the created encrypted message. Useful when encryption format is not specified, for example when used with Windows Explorer.

0: PKCS#7
1: S/MIME

Default value is 0; encrypted message is according to the PKCS#7.

[Encryption FileExtensions]

This section controls the default file extensions.

Encrypt

This entry specifies the default file extension when encrypting files.

Encrypt=p7m

Default value is p7m.

Sign

This entry specifies the default file extension when signing files.

Sign=p7s

Default value is p7s.

[Event <name>]

This section contains a list of commands that should be executed when the <name> event occur. Events are only supported on Windows platforms. The <name> event will be executed only if the current Windows user is using a smart card and the smart card PIN is verified. The matching between logged on Windows user and the used certificate requires a user principal name in the certificate.

The commands may be specified with wild cards to set the custom information:

%number%: Card serial number
%upn%: User principal name from the certificate
%user%: User name part of %upn%
%domain%: Domain part of %upn%

Each command is either a load external command or an application that should be started.

[Event TEST]
1=load %InstallLocation%\iid.dll,EntryAdmin –about
2=%programfiles%\view\load.exe –url index.html?number=%number%&upn=%upn%

[General]

CheckCaExpire
CheckCardExpire
CheckEnroll
CheckSoftExpire
EnableWinlogon
EventList
ExplorerExtension
ExplorerMenu
ExtraService
StartMenu
TaskbarAccessMode
TaskbarIcon
TaskbarMenuMode
TaskbarMoveColor
UseService

The entries are only available for Windows platforms.

CheckCaExpire

Use this parameter to get a warning message when a CA has expired. Specify common name from the issuer field, use ; to set multiple issuers. Default none, no warning message.

CheckCaExpire=SecMaker CA v2;SecMaker CA v3

CheckCardExpire

Use this parameter to get a warning message when a smart card is about to expire or has expired. Specify the number of days before the expiry that the message should be shown. It is also possible to specify a specific issuer name to only check certificates from a certain issuer and ignore all other certificates, separate with ,. May also specify a list of number of days and issuer names, separate with ;.

The card is about to expire when there is no certificate available with a validity that is longer than the specified number of days added to the current date.

Default value is 0; no warning message.

CheckCardExpire=30,CN=SecMaker CA v2;
CheckCardExpire=30,CN=SecMaker CA v2;20,CN=Inteom CA v3;

The warning message may be replaced with a custom action dialog, see Links Action for more information.

The certificate validity time must exceed twice the number specified to get a warning. This has been implemented to be able to handle the situation when the same CA is used to issue normal certificates and temporary certificates with short validity time. Temporary certificates will not get a warning message.

Use this parameter in combination with [DynamicStrings] to set a custom message with a direct URL link to a certificate update page.

CheckEnroll

Use this parameter to get an event when a smart card without any or a specific certificate is inserted. The value may specify a token model name and token serial number followed by the CA which is wanted. All values may be empty, which means that any smart card without certificates will generate an enroll event. Token model name requires a complete string match and token number requires a start string match. May also specify a list of values, separate with ;.

There is no warning message dialog, but it is possible to specify a custom action dialog, see Links Action for more information.

CheckEnroll=,,;
CheckEnroll=eID Smart Card,123456,CN=SecMaker CA v3;

CheckSoftExpire

Identical to CheckCardExpire, but will check soft tokens instead of smart cards.

EnableWinlogon

Use this parameter to enable/disable register of supported smart cards in Registry.

Smart cards must be registered to handle CryptoAPI applications using smart card reader names when connecting towards the CSP. Typical applications are Microsoft smart card logon on all Windows platforms.

0: Smart cards are not registered
1: Smart cards are registered

Default value is 1; smart cards are registered.

EventList

Use this parameter to listen to custom events. The value is a list of event names separated with ; and the action is specified in section [Event <name>].

[General]
EventList=TEST
[Event TEST]
1=%InstallLocation%\iid.exe –test

The event is generated by calling the main loader component.

iid.exe –event TEST

There is also a special INTERNAL event, the name must still be specified in the list if used. The INTERNAL event will start the event by using the main loader.

iid.exe –event INTERNAL -about

This command will show the about box in the background service context.

ExplorerExtension

Use this parameter to specify which applications that enables/disables extending of some menu entries for Windows Explorer.

[General]
ExplorerExtension=explorer.exe

Default value is none; No applications will be configured.

ExplorerMenu

Use this parameter to enable/disable extending of some menu entries for Windows Explorer.

0: Explorer menu not available
1: Explorer menu available

Default value is 1; Explorer menu is available.

ExtraService

Use this parameter to configure a list of services that will be started/stopped by CertMover. Services in the list are separated by semicolon.
Default value is none; No services will be configured.

[General]
ExtraService=SCS

StartMenu

Use this parameter to enable/disable installation of short cuts in the start menu.

0: Start menu entries are not available
1: Start menu entries are available

Default value is 1; start menu entries are available.

TaskbarAccessMode

Use this parameter to set access mode for the background service when moving certificates to CryptAPI store. The moving will be initiated by checking the smart card insert/remove event or via polling. The polling will occur each ten seconds, and the insert/remove event may be checked via PC/SC or PKCS#11.

0x01 – Check insert/remove event via PC/SC
0x02 – Check via polling
0x03 – Check insert/remove event via PKCS#11

There are also two different modes for reading certificates when a event is detected via mode above, either using PKCS#11 or CSP.

0x00 – Read certificate using CSP
0x10 – Read certificate using PKCS#11

Those two values are added for the complete access value.

Example 16. Detect via PC/SC and read via CSP:

0x01 + 0x00 = 0x01

Example 17. Detect via PKCS#11 and read via PKCS#11:

0x03 + 0x10 = 0x13

Default value is 0x13.

TaskbarIcon

Use this parameter to show/hide the taskbar icon. The task bar icon will contain a menu with some short cuts for common tasks, see TaskbarMenuMode below for more information. The taskbar icon will also show progress when cards are inserted or removed.

0: Taskbar icon is hidden
1: Taskbar icon is visible

Default value is 1; task bar icon is visible.

TaskbarMenuMode

Use this parameter to limit the number of components that should be visible on the taskbar menu.

0x0001: Change PIN
0x0002: Unlock PIN
0x0004: Administration (if available)
0x0008: Crypt (if available)
0x0010: Trace
0x0040: Pause certificate service
0x0080: Refresh certificate service
0x0100: Exit
0x0200: Certificates
0x0400: View token

Combine the bitmasks with OR operation to select which components that should be visible. For example, to show all above:

TaskbarMenuMode=0x07DF

Default value is 0x07Df; all components are visible.

Entries for support and help in the [Links] configuration section will be added to the task bar menu if available.

The [Links Custom] configuration section may be used to add additional entries to the task bar menu.

UseService

Use this parameter to install the certificate service as a Windows service or a background process. The certificate service is the process which may show a taskbar icon with menu.

0: Install as a background process
1: Install as a Windows service
-1: Do not install certificate service

Default value is 1; certificate service is installed as a Windows service.

It is not recommended to install as service any longer, since Windows Vista and later have increased the restrictions between the user environment and the system environment.

[Install]

This section contains information about the installation.

Build

This entry specifies the build or rather the installation package information. Any string value is acceptable, but there are some recommendations, more information is available through your support contact.

Configuration

This entry contains the full path to the configuration. This value is usually not specified, will use default based on what is suitable for each platform. For Windows platforms the default location is a configuration file in the installation folder, but it may be useful to move the entire configuration to Registry to be able to use GPO.

Configuration=%InstallLocation%\iid.cfg
Configuration=HKLM\SOFTWARE\SecMaker\NetiD\Enterprise

If the Registry is used software\policies will always be read first to check for GPO settings before other configurations are read. At the moment this only applies for a limited number of configurations that are included in the GPO policy template supplied by SecMaker.

Example of read order in Registry:

HKLM\SOFTWARE\Policies\SecMaker\NetiD\Enterprise
HKLM\SOFTWARE\SecMaker\NetiD\Enterprise

ProductName

This entry contains the product name used by an OEM installation.

List

This entry contains a list of installed product names, used during uninstall to remove everything after an upgrade between OEM and normal installation.

Version

This entry contains the complete version number in eight digits, two for each part:

<major><minor><fix><build>

The <major> and <minor> values specify a release, for example 05 and 04 for release 5.4.

The <fix> number always starts from 0 for first release and if there is any eventual problems found for the release which requires a new version, this value is increased, for example first fix for 5.4 is 5.4.1.

The <build> number starts from 1 for first build for a specific <major> and <minor> value. This value is increased for each delivered build. For example, for 5.4 was the first BETA 5.4.0.10, first RC was 5.4.0.20. The final 5.4 and 5.4.1 releases have the values 5.4.0.26 respective 5.4.1.34.

[Install Option]

This section contains information used during the installation.

MergeOldConfig

This entry specifies the behavior during upgrade, whether a configuration should be merged or overwritten.

0: Overwrite configuration at upgrade
1: Merge configuration at upgrade

Default value is 1; configuration will be merged during upgrade.

RemoveOldInstall

This entry specifies the behavior during upgrade, whether the installation should remove old installation before a possible upgrade.

0: Current installation is upgraded if old installation is available
1: Current installation is removed if old installation is available

Default value is 0; installation is upgraded.

ShowWizard

This entry is used to hide/show different wizard pages during installations, but some pages will always be available. The value is a bitmask, enable bits to show the page:

0x01 → Show select language page
0x02 → Show accept license page
0x04 → Show license value page
0x08 → Show upgrade warning page when upgrading with different build names
0xFF → Show all pages

Default value is 0xFF; show all pages.

SpecialBuild

This entry specifies the build information. There are three standard types defined, but any string value is acceptable. No value at all, means standard release:

UD – Under Development
BETA – Pre-release
RC – Release Candidate

UD build is completely unsupported; should only be used when testing some special feature.

BETA build is not usually supported; all functionality for the coming release is present, but only development tests have been performed.

RC build is usually not supported; all functionality for the coming release is present, but only sanity tests have been performed, not complete system tests.

[Install Shortcuts]

This section specifies a number of additional shortcuts that will be included in the product start menu folder for Windows.

Format:

Value <number> is the list entry number starting from 1.

Value <name> is the presentation name of the shortcut.

Value <binary> is the name of the application binary, must be available in the installation directory.

Value <arguments> is the eventual arguments needed by the application.

1=My Portal;iidxweb.exe;

[Language]

This section contains information about the language support.

Allowed

This entry specifies a list of supported languages, separate with ;. This list can be used to limit the number of supported languages. It is also possible to set a new name for the language. Format:

Allowed=<language name>[:<new language name>];

Allowed=English;Svenska;
Allowed=English:English US;Norsk:Norsk NN;

Default value is none; all supported languages will be available.

Current

This entry contains the current language, may also specify the string auto to use the current local language on the computer.

Current=English

Default language is English. Any unsupported language or invalid language string will use the default language.

[License]

This section contains license information.

Do not edit, the product will be unusable without correct license information.

Cards

This entry specifies a list of accepted smart cards defined by ATR. Seperated with ";".

Cards=123456ABCDEF;ABCDEF123456

Company

This entry specifies the company name of the license.

Company=SecMaker AB

Issuers

This entry specifies a list of accepted certificates.

Issuers=O=SecMaker*

Name

This entry specifies the user name of the license.

Name=DEMO ONLY

Value

This entry specifies the license value.

Value=WagC-YmLC-emxh-lyne-iMvT-JKE8

[Links]

This section contains links which may be available in dialog boxes or used by the web browser plugin.

Admin

This entry controls the administration start parameter.

Admin=-admin

Admin=http://www.secmaker.com/admin

Default value is -admin; starts Administration GUI.

Error

This entry will be appended to error dialog boxes.

Error=https://www.secmaker.com/help/

Default value is none; no extra link in error dialog boxes.

Help

This entry will be shown in taskbar menu and appended to error dialog boxes if Error link is not specified.

Help=http://www.secmaker.com/help/

Default value is none; no help link in taskbar menu.

Mail

This entry will be used by administration utility for default mail address when initiating any send mail. For example when sending a trace file from administration utility.

Mail=mailto:netid@secmaker.com

Default value is none; no default mail address.

Support

This entry will be shown in the taskbar menu.

Support=https://www.secmaker.com/support/

Default value is none; no support link in taskbar menu.

[Links Action]

There are several internal actions that may start a custom dialog instead of a message or internal dialog:

CaCertificateExpire
ChangePIN
Decrypt
Encrypt
ExitWindows Lock/Logout/Sleep/Hibernate/Disconnect/Restart/Shutdown
LicenseActivate
LicenseInvalid
PinExpired
Sign
TokenEvent
TokenInvalid
TokenNotPresent
TokenPresent
UnlockPIN
Verify
WarningCertificateEnroll
WarningCertificateExpired
WarningCertificateRenew

CA certificate expire will load custom action CaCertificateExpire instead of showing a message dialog.

ChangePIN/UnlockPIN are activated as soon as change or unlock PIN is requested, either by user selection from some menu or as an automatic generated event for example when a smart card is inserted.

Decrypt/Encrypt/Sign/Verify are used for ExplorerMenu.

ExitWindows is used to set custom actions for Exitwindows commands.

The License actions has not been fully implemented but will be used in future versions.

PinExpired is used to trigger events when the PIN validity period has expired according to the PIN policy, see settings in SmartCard — PinExpire.

The Token actions are used for custom token events.

The Warning actions are used to generate events automatically, for example when a smart card is inserted. All warning events are generated by background process, see CheckCardExpire, CheckSoftExpire, and CheckEnroll for more information.

All actions can specify a custom link to be opened:

XXX=-url http://netid.secmaker.com/xxx.html?xxx=zzz

XXX=-url file:///%InstallLocation%/xxx.html?xxx=zzz

There are some wild cards that will be used to identify the active token and/or certificate:

%ACTION%: The current action
%SLOTID%: The current slot id
%CERTIFICATE%: The current certificate
%EXPIRE%: The number of days until certificate is expired

The two latter wild cards are only availble for certificate expire/renewal.

It is also possible to add custom actions and run with -action:

TEST=-url http://www.secmaker.com
iid.exe –action TEST

[Links Custom]

This section includes any custom links to the taskbar menu for Windows, see TaskBarMenuMode for more information.

Format:

<name>=<http address>

Any name string is allowed, this will be the presentation in the taskbar menu.

Any http address or action is allowed, this will be the link that is opened when selecting the entry in the menu.

SecMaker=http://www.secmaker.com/
TESTLINK=-action TEST

[LRA]

This section specifies the behavior for the Local RA, see LRA documentation for more information.

[MiniDriver]

This section controls the behavior of the Minidriver component. It is a requirement that the Minidriver component is included in the installation.

It is recommended to read the Microsoft Smart Card Minidriver Specification to fully understand the terminology.

The values used are verified with Microsoft minidriver certification utility, so any changes may cause the certification to fail.

The minidriver certification uses a smart card with full access to administrator keys and some parameters are used to handle situations where the smart card profile is more or less read-only.

AllowSecondary

This entry can be used to enable/disable writing of secondary certificates. When it is disabled, writing of the same certificate object will result in the existing certificate being overwritten. The normal behavior for smart card minidriver is not to support secondary certificates, meaning there is no support for multiple certificates using the same key.

0: Don’t allow secondary certificates
1: Allow secondary certificates

Default value is 0; secondary certificates are not allowed.

CacheCard

This entry can be used to enable/disable writing of certificate/container information to a cache file. This cache is used by Credential Provider when used in pass-through mode. Microsoft has some limitations with multiple access, so this is used to avoid extra access from Net iD Enterprise Credential Provider towards minidriver when used with Microsoft Provider.

0: Certificate information is not written
1: Certificate information is written

Default value is 1, certificate information is written.

DO NOT EDIT, the default value should be used.

CertificateCompression

This entry is used to tell whether certificate compression is supported internally or not.

0: Certificate compression is not supported
1: Certificate compression is supported

Default value is 1; certificate compression is supported.

DO NOT EDIT! Certificates are always stored compressed and without compression, the value will be compressed by the caller when writing and will usually need the real certificate value when writing the certificates to most smart cards.

CheckFileCMap

This entry is used to tell whether certificate mapping file content should be checked before writing. When checked the mapping file will only be written when different from the auto-generated content.

0: Certificate mapping file always written
1: Certificate mapping file only written when different from auto-generated

Default value is 0; certificate mapping file always written.

ClearUserPinCache

This entry will enable/disable clear of user PIN cache by the internal certificate propagation service.

0: Will not clear user PIN cache
1: Will clear user PIN cache for logged on user at disconnect/lock windows/exit windows
2: Will clear all user PIN cache for all smart cards
4: Will clear all user PIN cache for all tokens in same session

Default value is 2; will clear user PIN cache for all users.

In terminal server sessions value 2 should never be used, since it will clear PIN cache for other users.

Disable

This entry specifies a list of applications which will not be able to use the minidriver, separated with ;.

Disable=test.exe

DisableFileCache

This entry enables/disables Microsoft smart card file cache.

0: Microsoft smart card file cache active
1: Microsoft smart card file cache not active

Default value is 0; smart card file cache is active.

Microsoft have some known problems with the smart card file cache when running terminal server, so it is recommended to disable cache for these environments.

DisablePinCache

This entry enables/disables Microsoft smart card PIN cache.

0: Microsoft smart card PIN cache active
1: Microsoft smart card PIN cache not active

Default value is 0; smart card PIN cache is active.

FriendlyName

This entry is used to register a friendly name for the certificate in CryptoAPI user certificate store. The following wild cards may be used:

%label%
%issuer.<object identifier>%
%subject.<object identifier>%

Default value is "%subject.2.5.4.3% (%issuer.2.5.4.3%)".

GuidKeyId

This entry enables/disables the use of guid from certificate mapping file as key id.

0: Key id is generated from public key digest
1: Key id is generated from guid

Default value is 0; key id is generated from guid.

Enable this parameter when certificate mapping file is disabled (IgnoreFileCMap=1). The result of the combination is that the automatically generated mapping file will be identical to the original Microsoft mapping file.

IgnoreFileCardCF

This entry enables/disables internal use of the card cache file \cardcf. The card cache file will be automatically generated from card update counter when disabled.

0: Microsoft card cache file will be used
1: Automaticlly generated card cache file will be used

Default value is 0; Microsoft card cache file will be used.

IgnoreFileCMap

This entry enables/disables internal use of the certificate mapping file \mscp\cmapfile. The mapping file content will be automatically generated when disabled.

0: Microsoft certificate mapping file will be used
1: Automaticlly generated certificate mapping file will be used

Default value is 0; Microsoft certificate mapping file will be used.

Will cause interoperability problems when enabled, since Microsoft will not detect changes from other components, for example certificates written by the plugin component.

IgnoreLogout

This entry specifies a list of applications which will not be able to logout, all logout calls will be ignored.

IgnoreLogout=lsass.exe;logonui.exe

Default value is none; all applications will be able to logout.

This parameter should be used with Microsoft logon applications, since they always logout after accessing the smart card. Allowing these applications to logout will disable the single-sign-on feature.

KeyGenerateMode

This entry specifies the mode for key id generation, either let the smart card decide the key id or generate a key id based on the GuidKeyId parameter.

0: Key id is depending on smart card type
1: Let smart card decide key id
2: Generate random key id

Default value is 0.

MaxKeySize

This entry specifies the maximum size of the RSA keys.

MaxKeySize=2048

Default value is 2048; maximum RSA key size of 2048 bits.

The value must be larger than MinKeySize, since the certification utility will hang if the same values are used for minimum and maximum key sizes. The incremental size, difference between minimum and maximum size, must be at least 8.

MinKeySize

This entry specifies the minimum size of the RSA keys.

MinKeySize=1024

Default value is 1024; minimum RSA key size of 1024 bits.

The value must be less than MaxKeySize, since the certification utility will hang if the same values are used for minimum and maximum key sizes. The incremental size, difference between minimum and maximum size, must be at least 8.

MoveCertificates

This entry specifies whether internal certificate propagation to CryptoAPI store should be used or not.

0: Don’t move certificates to CryptoAPI store
1: Move certificates to CryptoAPI store

Default value is 0; Microsoft certificate propagation should be used to move certificates.

NoLoadPkcs11Keys

This entry specifies whether pkcs#11 keys without connected certificates should be mapped as minidriver keys.

0: Load pkcs#11 keys
1: Don’t load pkcs#11 keys

Default value is 0; load pkcs#11 keys.

OverwriteCertificates

This entry specifies whether move certificates should overwrite possible existing certificates for internal certificate propagation. This will have affect when there are several different certificate propagation services enabled or when the same smart card is supported by several vendors.

0: Don’t overwrite existing certificates in CryptoAPI store
1: Overwrite existing certificates in CryptoAPI store

Default value is 0; will not overwrite.

RegisterCertificate

This entry specifies a list of applications which will generate an event to register the certificates for CryptoAPI to Net iD CSP instead of to Minidriver.

IgnoreLogout=lsass.exe;logonui.exe

Default value is none; no applications will generate an event to register the certificates.

This parameter should be used to register Net iD CSP as default handler of certificates instead of Microsoft Base Smart Card CSP with the Minidriver.

PinCacheDisable

This entry enables/disables Microsoft PIN cache. Will only affect PIN1, secondary PIN will always have PIN cache disabled.

0: Microsoft PIN cache is active
1: Microsoft PIN cache is inactive

Default value is 0; Microsoft PIN cache is active.

Microsoft Windows logon may fail if pin cache is inactive.

PinCacheTimeout

This entry specifies the timeout value for Microsoft pin cache.

X: Number of seconds Microsoft pin cache is active

Default value is 0; Microsoft pin cache is active as long as Microsoft think is suitable.

ReadOnly

This entry specifies whether the minidriver should report all smart cards as read-only, i.e. not possible to update in any way.

0: Smart cards are not considered read-only
1: Smart cards are considered read-only

Default value is 0; smart cards are updateable.

SetDefaultCertificate

This entry specifies whether a default certificate should be marked as default for minidriver certificate mapping file.

0: Don’t mark default certificate
1: Mark default certificate

Default value is 0; default certificate is not marked.

Default certificate is based on certificate sorting, see SortCertificate below.

This parameter only has effect when certificate mapping file is generated, and will be ignored when written towards smart card; see IgnoreFileCMap above.

SortCertificate

This entry specifies how the certificates should be sorted when a default certificate is used.

0: Don’t sort certificate, use sorting from pkcs#11
1: Sort newest certificate first
2: Sort oldest certificate first

Default value is 0; sorting inherited from pkcs#11.

UseSuppliedPadding

This entry specifies whether the supplied key padding mechanism or the internal implementation should be used. The padding mechanism is needed to format data to be signed or data to be encrypted before the key operation.

0: Use internal padding
1: Use supplied padding

Default value is 0; internal padding is used.

UseExternCardCF

This entry specifies whether caller is allowed to update the card update counter. When not allowed all updates will be ignored and the update is handled internally.

0: Update counter internally
1: Use caller update counter

Default value is 0; internal update counter is used.

Version

This entry specifies which version of the minidriver specification that should be supported. Currently versions 4 to 6 are supported.

Version=5

Default value is all versions.

WriteCardBlock

The minidriver file system will be stored in a virtual file system. This entry specifies the block size for the virtual file system, to avoid unnecessary reallocation when objects are created on smart cards which separate data from information about the data.

WriteCardBlock=64

Default value is 0; a suitable value is chosen for the smart card type.

[NetControl]

This section controls the behavior of the net control component. This component tries to keep track of SSL/TLS sessions in different web browsers and close those web browsers when a smart card is removed.

This feature is getting harder to accomplish, since web browsers are getting better at recovering closed sessions. A better solution is close from server side, using the Watch component.

Applications

This entry specifies a list of applications, separated with ;, that may be closed if they open a SSL session.

Applications=iexplore.exe;firefox.exe

Default value is none; no applications will be handled.

Ask

This entry specifies whether the user should be asked before trying to close an application.

0: Don’t ask user before close
1: Ask user before close

Default value is 1; ask user before close of application.

Enable

This entry specifies whether this feature should be active.

0: Net control inactive
1: Net control active

Default value is 0; net control is inactive.

LogonApplication

This entry specifies a list of logon applications, separated with ;, that may be closed if they open a TLS session.

LogonApplication=iexplore.exe;firefox.exe

Default value is none; no logon applications will be handled.

[Pkcs11]

This section controls the behavior for the PKCS#11 library.

AlwaysLoginForSSL

This entry is used to always require login for SSL/TLS. When enabled an automatic logout will be done each time an SSL/TLS connections is established.

0: No automatic logout
1: Automatic logout

Default value is 0; no automatic logout when SSL/TLS connection is established.

See Pkcs11 — LoginTimeout for another way to handle automatic logout.

This feature is normally used in combination with soft tokens to require password/PIN dialog even when renegotiating SSL/TLS connections.

DetectNewSlots

This entry specifies whether new slots should be detected each time the application asks for the current slot list. A slot is either a smart card reader or a soft token, so this parameter may be used to detect arrival of new smart card readers.

0: Will not detect new slots
1: Will detect new slots

Default value is 0; no detect of new slots.

See SmartCardReader — Detect for another way to detect arrival of smart card readers.

Recommended value for Detect is 1, when used in combination with this parameter.

DisableDuplicate

This entry specifies a list of applications, separated with ;, which will not be able to use duplicate certificates. Duplicates are certificates with identical issuer and subject field and same public key. Only the newest certificate will be available for the application.

DisableDuplicate=Firefox;Mozilla

Default value is none; all applications will see duplicate certificates.

DisableNonRep

This entry specifies a list of applications, separated with ;, which will not be able to use certificates with non-repudiation key usage.

DisableNonRep=Firefox;Mozilla

Default value is none; all applications will be able to use non-repudiation certificates.

EnableExternalMutex

This entry enables/disables the use of external mutex to protect multi-threaded sessions.

0: Internal mutex used
1: External mutex used (if available)

Default value is 0; always use internal mutex.

Multi-thread support is vital and to allow this protection to be handled externally may cause unknown results.

FriendlyName

This entry enables generation of a certificate label according to a specific format instead of using the default label from the token. The following wild cards may be used:

%label%
%issuer.<object identifier>%
%subject.<object identifier>%

Label is the certificate label stored with a certificate object, issuer and subject is any of the object identifiers available in the subject or issuer fields from the certificate. Any combination of static texts and wild cards above may be used.

Default value is none; the stored certificate label is used.

LoginTimeout

This entry is used to set a timeout for the login. When enabled an automatic logout will happen after the number of specified seconds.

0: No automatic logout
X: Automatic logout after X seconds

Default value is 0; no automatic logout.

See AlwaysLoginForSSL above for another way to handle automatic logout.

LogonApplication

This entry specifies a list of applications that should be considered as logon applications. This means that PIN cache always is ignored and that PIN always is verified even when being the same value as in PIN cache.

LogonApplication=lsass.exe;winlogon.exe

Default value is lsass.exe;winlogon.exe.

LogoutAtLastSession

This entry is used to control the behavior when the last session towards a token is closed. Specifies a list of applications that will generate a logout, separated with ;.

LogoutAtLastSession=svchost;winlogon

Default value is empty; no application will generate an automatic logout.

The reason for not logging out is to avoid unnecessary password/PIN dialogs. Usually PKCS#11 applications will open a session, login if needed, do something and thereafter close the session again. Setting no logout will keep the password/PIN status when the application opens the session again.

InsertEmptySlots

This entry is used to always create a number of empty slots which always will be available even when no smart card readers and/or soft tokens are present.

0: No extra empty slots
X: Add X extra slots

Default value is 0; no extra slots.

This parameter is only used for Firefox and installation of the PKCS#11 component. During installation the Firefox flag public readable certificates must be set, to avoid password/PIN dialosg when Firefox is searching for certificates. This flag will be set for the slots available at installation. Using this parameter will prepare a number of slots to have this flag set, so slots may be added after the installation and still get the public readable flag.

OpenSSL

This entry is used to specify an OpenSSL library that should be loaded to generate random and/or key pairs. Typical names for different platforms:

libeay32.dll – Windows
libcrypto.so – Linux
libcrypto.dylib – macOS

Default value is none; internal algorithms will be used for generating random and/or key pairs.

For Windows platform Microsoft CryptoAPI will be used for key pair generation, since their implementation is much faster than internal algorithm.

PinMaxDigits

This entry sets the global maximum number of digits policy. Specify the maximum number of required digits.

0: No maximum number of digits
X: X number of digits required

Default value is 0; no minimum number of digits required.

This parameter should not be used, use PIN policy flags in [SmartCard] or [SoftToken] instead.

PinMinDigits

This entry set the global minimum number of digits policy. Specify the minimum number of required digits.

0: No minimum number of digits
X: X number of digits required

Default value is 0; no minimum number of digits required.

This parameter should not be used, use PIN policy flags in [SmartCard] or [SoftToken] instead.

PinReportError

This entry is used to specify a location to report failed logon attempts on Windows platform. May be configured to report to either Windows EventViewer or to an ODBC source. Reporting to an ODBC source will require the table to be correctly formatted, more information is available from your support contact.

PinReportError=-eventlog
PinReportError=-database -connection <ODBC> -table <TABLE> -username <USER> -password <PWD>

Default value is none; no error reporting.

RandomDisabled

This entry is used to enable/disable the support of random generation.

0: Random generation support enabled
1: Random generation support disabled

Default value is 0; random generation available.

This only affects external applications; they will not be able to use the library to generate random bytes. Internally random generation will still be available.

ResetTempFiles

This entry is used to enable/disable reset of internal temporary files at initialize.

0: Reset at initialize disabled
1: Reset at initialize enabled

Default value is 0; reset at initialize disabled.

Will delete eventual smart card cache files, which may impact performance.

SeparateThreadSearch

This entry is used to enable/disable concurrent searches in different threads using the same session.

0: Don’t allow concurrent searches in different threads using same session
1: Allow concurrent searches in different threads using same session

Default value is 0; concurrent searches are not allowed in different threads using the same session.

DO NOT EDIT. This behavior is against standards and should never be used. Different threads may use the same session context, but the expected behavior should be to follow the PKCS#11 standard. Enabling of this behavior is against the PKCS#11 standard, but was added to show a proof-of-concept with an application unaware of their own multi-threading implementation.

SessionToken

This entry specifies a list of applications, separated with ;, which will set a write protected soft token.

SinglePin

This entry is used to enable/disable the use of a single password/PIN for smart cards. The parameter has no affect for soft tokens, since they always have a single password/PIN.

0: All available passwords/PINs usable
1: Only first password/PIN usable

Default value is 0; all available PINs are usable.

Will remove possible secondary PIN for the calling applications. This is usable for situations where your application has bad support for multiple PINs, or when only the first PIN objects should be used (everything connected with secondary PINs will be hidden).

TraceExecuteTime

This entry is used to enable/disable calculation of execute time. The time is the number of milliseconds spent within the pkcs#11 library. This will generate an extra trace entry with the number of milliseconds within library and also the number of milliseconds spent on card during this time. Used to measure the performance.

0: Execute time not written to trace
1: Execute time written to trace

Default value is 0; execute time not written.

This time may be misleading when measuring small time differences, since most of the time may be spent writing to trace.

UpdateSlotsForEvent

This entry is used to enable/disable update of slot list when library is called for active event list (C_WaitForSlotEvent). Default behavior will use [SmartCardReader[>Poll parameter to detect smart card insert/remove and [SmartCardReader]>Detect parameter to detect smart card reader insert/remove.

0: No update slot list when checking for event list
1: Update slot list when checking for event list

Default value is 0.

VerifyAlgorithms

This entry is used to enable/disable verification of cryptographic algorithms during initialize.

0: Algorithms not verified
1: Algorithms verified

Default value is 0; algorithms not verified.

WaitForSmartCardService

This entry is used to enable/disable wait for Windows smart cards service to start before initialize continues.

0: No wait
X: Wait X number of seconds

Default value is 0; no wait for smart card service.

This parameter was required for earlier versions of Windows, but is not needed any longer.

[Plugin]

This section controls the behavior of the plugin component. Will require the plugin component to be included in the installation.

From version 6.1 a new control mechanism is included to limit the usage of the plugin, each parameter and operation will be limited/checked separately. The default requirements may be updated via configuration parameters Plugin>AccessGetProperty, Plugin>AccessSetProperty, Plugin>AccessEnumProperty and Plugin>AccessInvoke.
For more information about the settings described in AccessGetProperty, AccessSetProperty, and AccessEnumProperty, see the Developer’s Guide.

AccessGetProperty

This entry may be used to update default access condition requirement for properties that are read from plugin.

[Plugin]
AccessGetProperty=Version,0;

AccessSetProperty

This entry may be used to update default access condition requirements and value checks for properties that are sent to plugin.

[Plugin]
AccessSetProperty=Version,1,1,0,16;

AccessEnumProperty

This entry may be used to update default access condition requirements for properties that are enumerated from plugin.

[Plugin]
AccessEnumProperty=Language,0;

AccessInvoke

This entry may be used to update default access condition requirements for invoke of plugin functions, see Developer’s Guide for more information.

[Plugin]
AccessInvoke=Sign,0;

Audit

This entry may be used to log blocked plugin calls.

[Plugin]
Audit=C:\Temp\plugin.txt

Allowed

This entry contains a list of application names with access mode for use with the plugin, separated with ;. Specify with name and access mode value. Currently three modes are available:

0: Blocked access – only create non-repudiation signatures is allowed
1: Full access – including modify configuration
2: Use access – all except modify configuration

Either specify name of file stored in installation folder, or specify full path to application (may use environment variables).

[Plugin]
Allowed=iid.exe,1;iidxcmt.exe,1;badapp.exe,0;

[Plugin]
Allowed=%programfiles%\Good\good.exe,1;%programfiles%\Bad\badapp.exe,0;

Configuration section [AllowedServers] may be used to set access mode for all web browser applications, access mode for web browsers are based on site instead of application.

Disable

This entry is used to specify a list of applications, separated with ;, which will not be allowed to use the ActiveX plugin.

Default value is none; all applications will be able to use the plugin.

This parameter have no affect for the Netscape plugin, since there is no good behavior in the API to block loading.

Enable

Use this parameter to enable/disable installation of web browser plugins.

0: Web browser plugins are not available
1: Web browser plugins are available

Default value is 1; web browser plugins are available.

StartService

This entry is used to enable/disable the start of certificate service when loaded.

0: Will not start service
1: Will start service

Default value is 0; will not start service.

[Report LOGON]

This section can be used to report successful workstation logon.

[Report LOGON]
1=load iid.dll,EntryAdmin -report -eventlog -info "Logon success %upn%" –app "LOGON" -number %number%

[Report PIN]

This section can be used to report successful PIN attempts.

[Report PIN]
1=-action <action>

[Report UNLOCK_WORKSTATION]

This section can be used to report successful workstation unlock.

[Report UNLOCK_WORKSTATION]
1=load iid.dll,EntryAdmin -report -eventlog -info "Unlock success %upn%" –app "UNLOCK" -number %number%

[SCS]

This section controls the behavior of the SCS (Signature Creation Service). SCS is a signature method used with HTML5 and has been implemented according to the VRK (the Finnish Population Register Centre) specifications HTML5 AND DIGITAL SIGNATURES, Signature Creation Service 1.0.1. For the specification, see https://eevertti.vrk.fi/Default.aspx?id=0&docid=1335.

The setting [General] → ExtraService has to include SCS for the configurations to have any effect.

[General]
ExtraService=SCS
[SCS]
Address=127.0.0.1
Ports=8088;23123;53951
Size=0x02000000
Protocols=https

Address

This entry is used to set the IP address of the SCS but must always be set to localhost (127.0.0.1) at the moment.

Will be used in the future if there will be any extensions for IP v6.

Ports

This entry is used to set the port for the SCS. The SCS specifications defines that the first port available will be used so the default settings should not be changed.

Will be used in the future if there will be any extensions for IP v6.

Default values is 8088;23123;53951; values should not be changed.

Protocols

This entry is used to define the protocols that are allowed for the use of SCS. Valid protocols are http or/and https.

Protocols=http;https

Default value is none; no protocols allowed.

Size

This entry is used to define the maximum size of a signature in bytes. The SCS specifications recommends to use 2 MB as the maximum size but it is possible to set the values in the interval of 4 kB to 16 MB.

Default value is 0x02000000; maximum size of 2MB.

Start

This entry is used to enable the SCS.

[SCS]
Start=-signsrv start

Stop

This entry is used to disable the SCS.

[SCS]
Stop=-signsrv stop

[SingleSignOn]

This section controls the behavior of the single-sign-on component for Windows. It will require the single-sign-on component to be included in the installation.

CSP

This entry is used to enable/disable the support for single-sign-on for CryptoAPI CSP.

0: CSP single-sign-on disabled
1: CSP single-sign-on enabled

Default value is 0; single-sign-on disabled.

Disable

This entry is used to specify a list of applications, separated with ;, which always will have single-sign-on disabled.

Default value is none; all applications will use single-sign-on when available.

PKCS11

This entry is used to enable/disable the support for single-sign-on for PKCS#11.

0: PKCS#11 single-sign-on disabled
1: PKCS#11 single-sign-on enabled

Default value is 0; single-sign-on disabled.

Server

This entry is used to specify a list of applications, separated with ;, which may act as single-sign-on server.

Server=winlogon.exe;lsass.exe

Default value is none; no application may act as single-sign-on server.

The single-sign-on server process should never be stopped or restarted since the result is unpredictable if single-sign-on client processes are connected when the server process is stopped or restarted. Either use the Windows logon process that is always available or use StartServer below.

StartServer

This entry is used to specify a list of applications, separated with ;, which may start single-sign-on server.

StartServer=winlogon.exe;lsass.exe;logonui.exe

Default value is none; no application may start single-sign-on server.

See note above regarding the Server entry for information when to use StartServer respective Server parameter.

UseCache

This entry is used to enable/disable the support for single-sign-on via a cache server. The normal single-sign-on solution will direct CSP/PKCS11 calls to a single process which will have exclusive access to the smart card.

0: Cache server disabled
1: Cache server enabled

Default value is 0; normal single-sign-on is used.

The cache server will act as a database for PINs and therefore PIN pad may not be used.

Disable CSP/PKCS11 single-sign-on when the cache server is enabled.

Enable single-sign-on server as a service when the cache server is enabled.

UseService

This entry specifies whether the single-sign-on server should be running as a service or as a background process.

0: Run as background process
1: Run as service

Default value is 0; run as background service.

UseStored

This entry specifies whether the single-sign-on server should search for username/password stored on tokens and use the information to automatically fill the username/password edit boxes.

0: Stored username/password not used
1: Stored username/password used

Default value is 0; no search for stored username/password.

The search will check the private box area for object with the following format:

<entry>=<name>;<title>;<user>;<pwd>

<entry>: Specifies the private object name, the name is "SSO" followed by a number starting from "1".
<name>: Descriptive string used for presentation.
<title>: Title of the username/password dialog that should be filled.
<user>: Username that will be filled in.
<pwd>: Password that will be filled in.

SSO1=My;Connect Database;JohnDoe;4711

[SmartCard]

This section controls the smart card policy.

CalculateUsedTime

This entry specifies whether execution time on smart card should be written to trace.

0: Will not calculate and write card execution time
1: Will calculate and write card execution time

Default value is 1; will calculate and write execution time.

This time may be misleading when measuring small time differences, since most of the time may be spent writing to trace.

CommandChaining

Command chaining will be activated when 256 or more bytes are sent towards smart card. This parameter may be used to set a lower number to activate command chaining earlier.

X: The number of bytes which will start command chaining

Default value is 0; command chaining is activated when needed.

CreateUpdateCounter

This entry enables/disables creation of the update counter as soon as logged in towards a smart card.

0: Update counter created when updating objects
1: Update counter created at logon

Default value is 0; will create update counter when creating any other object.

The update counter is needed for public object caching; not using update counter may affect performance, since it may cause unnecessary reading of public objects.

DefaultProfile

All smart card profiles have a detection mechanism built into the specification, but this parameter may be used to detect a card profile not using the standard detection mechanism. Currently, only "PKCS#15" and "ISO7816-15" are supported.

Default value is none; profiles are found according to specifications.

MaxProfiles

The card profile is detected after card type detection. Some smart cards have multiple profiles on the same smart card which should be loaded in parallel. This parameter specifies the number of maximum number of profiles that may be detected.

MaxProfiles=4

Default value is 4; the same value as the maximum number of PINs (currently 4).

NoDiskCache

This entry is used to disable writing card cache file to disk. SSO service will be used for card cache if available.

0: Card cache will be written to disk
1: Card cache will not be written to disk

Default value is 0; card cache will be written to disk.

ObjectSortMode

This entry is used to set sorting mode for the certificates on a smart card. Some applications will use the first returned certificate as the default certificate, so it can be considered as setting the default certificate.

0: none → Certificates are returned in stored order
1: day → Certificates are returned in newest order based on day
2: second → Certificates are returned in newest order based on seconds

Default value is 2; sorting based on seconds.

The sorting order also specifies the default behavior for different versions of Net iD Enterprise. Value 0 is the behavior for version 5.3 and earlier, value 1 is the behavior for version 5.4 to 5.5, and value 2 is behavior for version 5.6 and later.

PinExpire

This entry is used to enable/disable PIN expire policy. The PIN may be configured to require a change after X number of days.

0: PIN expire policy disabled
X: PIN will expire after X days

Default value is 0; no PIN expire policy.

Pin expire policy requires support for PIN update counter with time on smart card. Some smart cards only store a PIN update counter, a single byte without connection to any time.

PinHistory

This entry is used to enable/disable password history checking. When enabled the old password will be stored as a private object and compared with a new password.

0: Password history disabled
X: Password will compare X last passwords

Default value is 0; no password history checking.

PinMaxLen

This entry is used for maximum PIN length policy.

0: No maximum PIN length
X: Maxmimum X bytes PIN length

Default value is 0; smart card profile will specify the PIN policy.

Pin policy in smart card profile must be fulfilled, so all policies must be fulfilled.

PinMinLen

This entry is used for minimum PIN length policy.

0: No minimum PIN length
X: Minimum X bytes PIN length

Default value is 0; smart card profile will specify the PIN policy.

Pin policy in smart card profile must be fulfilled, so all policies must be fulfilled.

PinPolicy

This entry is used for password policy, 0xaAbBcCdD:

aA → min/max for number of digits
bB → min/max for number of lower characters
cC → min/max for number of upper characters
dD → min/max for number of special characters

Default value is 0; no special PIN policy.

Pin policy in smart card profile must be fulfilled, so all policies must be fulfilled.

PinType

This entry is used for PIN type policy, the requirement are below:

0: all characters (case sensitive)
1: all characters (case insensitive)
2: all characters (min 2 digits and max 2 in row or in sequence)
3: all characters (min 2 digits and max 2 in row)
4: only digits

Default value is 0; smart card profile will specify the PIN policy.

Pin policy in smart card profile must be fulfilled, so all policies must be fulfilled.

Temporary

This entry is used to specify a list of names, separated with ;, containing smart card types that should be considered temporary smart cards. The parameter only has any meaning when used with a LRA component, see LRA documentation for more information.

TemporaryValidity

This entry is used to specify a number of days for certificate validity to be considered as a temporary smart card. The parameter only has any meaning when used with a LRA component, see LRA documentation for more information.

TemporaryValidity=30

UseInternalUpdate

This entry specifies the use of internal update counter. The update counter is needed to detect updates of the smart cards, so it should usually always be activated

0: Internal update counter is inactive
1: Internal update counter is active

Default value is 1; will use internal update counter.

The update counter is needed for public object caching, not using the update counter may affect performance, since it may cause unnecessary reading of public objects.

ValidateUpdateCounter

This entry enables/disables validation of the update counter when external update counter is used.

0: Will assume application handling update counter will behave correct
1: Will validate update counter at each write to reset public cache when needed.

Default value is 0; will not validate update counter when using external update counter.

[SmartCard Compress]

Library

This entry specifies the full path to the Zlib compress library.

Default value is depending on the operating system used; will try to load by standard Zlib name.

UncompressOnly

This entry specifies the behavior for compressing. When reading uncompressing will always be done if the file is compressed, but files may be stored with or without compressing when written.

0: Will compress when writing
1: Will not compress when writing

Default value is 0; will compress when writing.

[SmartCard Keys]

This entry is used to specify the key to be used when secure messaging is enabled for a smart card. A mapping is made between the ATR of the smart card and the Secure Messaging key. The value of the key is usually a key identifier and depending on card type.

[SmartCardProfiles]

This section contains a list of smart card profiles that are available for smart card initialization. This section will be enumerated for Property Profile in the Net iD Enterprise Developer’s Guide.

1=Smart Card Profile

Each entry points to a new section with entry name as section name. The smart card profile section contains information about how the smart cards should be initialized, for example which files should be created. The profile information is specific for each supported smart card.

Do not use unless you know exactly what you are doing.

Do not use unless you know the consequences.

Do not use unless you accept the consequences.

Erase

This entry will enable/disable complete erasure of smart cards before initialization.

0: Smart card not erased
1: Smart card erased

Default value is 0; smart card not erased.

Keys

This entry specifies the number of key pairs that should be generated during initialization.

Default value is 0; no key pairs are generated.

Parameter

This entry specifies a custom parameter for a specific smart card.

Default value is none; no custom parameter.

SimpleErase

This entry will enable/disable simple erasure of smart card objects; delete access below will be overridden and set to ALW.

0: Simple erase disabled
1: Simple erase enabled

Default value is 0; simple erase disabled.

Files

The following entries in the section specify the files and/or directories that should be created.

Format:

<name>=<type>:<size>:<access>:<content>

Value <name> is the full name of the object; dependent on the smart card used, but usually a directory starting with EF(MF):

3F00=…
3F002F00=…

Value <type> is the type of object; dependent on the smart card used, but usually: DF (directory), EF (file), SEC (PIN):

3F00=DF:…
3F002F00=EF:…

Value <size> is a number telling the size of the object; dependent on the smart card used, may be a size of a file or number of objects that may be stored in the directory. Smart card may support the string value all and/or auto to take all remaining area respective try to guess the file size.

3f002f00=EF:auto:…

Value <access> is the access condition elements; dependent on the smart card used and type of object, but always four parts separated with :; <delete>, <read>, <write> and <execute>. Each element may have one of the following values: ALW (=always), NEV (=never), SO (admin PIN), PIN1, PIN2, PIN3 or PIN4.

3f002f00=EF:auto:ALW:SO:NEV:SO:…

Value <content> is the real object content in hexadecimal form; dependent on the smart card used and type of object.

3f002f00=EF:auto:ALW:SO:NEV:SO:0x612B4F0CA00…

[SmartCardReader]

This section controls the behavior for smart card readers.

AllowReaderRemoval

This entry enables/disables the possibility to remove smart card readers as PKCS#11 slots at runtime when reader is removed.

0: Reader will continue to exist
1: Reader will be removed

Default value is 0; reader will not be removed.

The reason for not removing is that the PKCS#11 standard has no defined policy for slot removal. Removal of slots may cause undefined behavior for PKCS#11 applications.

Accepted

This entry contains a list of smart card reader names that are acceptable, separated with ;.

Default value is none; all reader names are accepted.

Use [SmartCardReader]>Denied parameter to specify a list of reader names that are denied.

CachePath

This entry contains a full path to a directory which will be used to store the smart card cache.

Default value is none; will use the standard temporary directory, location depending on operating system and version.

CacheValidity

This entry specifies the number of minutes the smart card cache is valid for user environment.

CacheValidity=10080

Default value is 10080; one week, 7*24*60=10080 minutes.

CacheAcceptUnknown

This entry tells the status of smart card cache when no update counter is available.

0: Will not use cache when status is unknown
X: Will tell the number of minutes cache is valid when no update counter is available

Default value is 0; cache is inactive when no update counter is available.

CheckInformation

This entry enables/disables the check for information from the smart card reader, for example driver version or PIN pad information.

0: Will not check for information
1: Will check for information

Default value is 0; will not check for information.

There are smart card reader drivers that will crash when checking for information. Avoid them!

CheckPinPad

This entry enables/disables the check for PIN pad from the smart card reader, will require that checkInformation above is enabled.

0: Will not check for PIN pad
1: Will check for PIN pad

Default value is 0; will not check for PIN pad.

Denied

This entry contains a list of smart card reader names that are not acceptable, separated with ;.

Default value is none, all reader names are accepted.

Use [SmartCardReader]>Accepted parameter to specify a list of reader names that are accepted.

Detect

This entry specifies the number of seconds from initialize that the library should search for smart card readers. This allows smart card readers to be inserted after the library has been initialized.

0: Will not search for readers
1: Will do a single search for readers
X: Will search X seconds for readers
-1: Will search forever for readers

Default value is 60; will search in 60 seconds for smart card readers.

This search may cause memory leaks if bad PC/SC smart card reader drivers are installed, so not recommended with value -1 for terminal servers.

KeepLoggedInLocked

This entry controls the behavior when smart card is opened and session is logged on.

0: Will not lock reader when logged on
1: Will lock reader when logged on

Default value is 0; will not lock reader when logged on.

Locking the reader will stop other applications from using the smart card reader in parallel. This may cause interoperability problems.

This behavior is identical to the situation when smart card is used with PIN pad, it will not release the reader until logged out to avoid multiple PIN entries.

Only use this feature when single-sign-on is enabled or a single application is using the smart card.

KeepPinCache

This entry specifies the number of milliseconds the PIN should be kept after card removal. This can be used to avoid clear of PIN cache when a smart card reader generates strange remove/insert events, but should not be used in normal situations.

0: Will not keep PIN cache after remove event
X: Number of miliseconds PIN is kept in cache after remove event

Default value is 0; PIN cache is cleared when the smart card is removed.

LockDelay

This entry specifies the number of seconds to keep the card locked after usage. This may be used to increase performance, since lock/release card may require some substantial time.

0: Will not delay release
X: Will delay X seconds before release

Default value is 0; no delay when releasing card.

LockTimeout

This entry specifies the number of seconds to keep trying to lock the card when it is in use by another application.

0: No lock timeout
X: Will try to lock in X seconds

Default value is 30; will try locking the card for 30 seconds.

MaxTransfer

This entry configures the maximum number of bytes that may be transmitted for each smart card call. Minimum value is 64 bytes and maximum value is 255 bytes.

MaxTransfer=255

Default value is 255; 255 bytes.

Mode

This entry specifies the mode to connect with towards the smart card, either exclusive or shared mode. Exclusive mode requires the application to work alone with the smart card. Shared mode allows simultaneous connections and will require transaction handling to handle atomic operations.

0: Exclusive mode
1: Shared mode

Default value is 1; shared mode used.

Exclusive mode will cause interoperability problems.

Poll

This entry specifies the number of milliseconds between polling for card presence.

Poll=333

Default value is 333; 333 milliseconds.

Protocol

This entry specifies the protocol to use when communicating with the smart card.

0

T0, supported by most cards

1

T1, faster but not supported by older cards.

-1 → T0 or T1, negotiated with card

Default value is -1; protocol negotiated with smart card.

ReloadOnError

This entry specifies the behavior when the reader connection fails for some reason.

0: Do nothing
1: Reload connections
2: Reload connection and library

Default value is 0; do nothing.

SingleConnection

This entry specifies the behavior when connecting to the smart card reader. Either uses one connection for all purposes or two connections, one connection for smart card status and one connection for transmitting smart card commands.

0: Two connections
1: One connection
2: One global connection (never released)

Default value is 0; two connections.

Scope

This entry specifies the scope for the smart card reader connection: user, terminal, system or global. The real meaning of scope is depending on smart card reader type, currently only used by PC/SC. See PC/SC documentation for more information.

0: User scope
1: Terminal scope
2: System scope
3: Global scope

Default value is 0 for user processes and 2 for system processes.

SystemCacheValidity

This entry specifies the number of minutes the smart card cache is valid for system environment.

SystemCacheValidity =10080

Default value is 10080; one week, 7*24*60=10080 minutes.

[SmartCardReader CTAPI]

This section controls the behavior for the CTAPI smart card reader support.

Enable

This entry specifies whether the CTAPI smart card reader support should be available.

0: CTAPI support not available
1: CTAPI support available

Default value is 1; CTAPI smart card reader support is available.

List of libraries

All CTAPI drivers are delivered as a dynamic library and will be loaded by a numbered list starting from 1. The format for each entry is: "<ctn>,<pn>,<library>":

<ctn>: Context number, defined by each CTAPI driver, usually 0
<pn>: Port, defined by each CTAPI driver, usually 0
<library>: Full path to dynamic library

1=0,0,C:\Program Files\Net iD\iidctapi.dll

[SmartCardReader PCSC]

This section controls the behavior of the PC/SC smart card reader support.

CallTrace

This entry is used to include writing of each PC/SC call towards trace.

0: PC/SC calls are not written to trace
1: PC/SC calls are written to trace

Default value is 0; PC/SC calls are not written.

All PC/SC calls are written when enabled which may cause trace to grow large quite fast, since even smart card polling is written.

Enable

This entry specifies whether the PC/SC smart card reader support should be available.

0: PC/SC support not available
1: PC/SC support available

Default value is 1; PC/SC smart card reader support is available.

Library

This entry specifies the PC/SC library that should be loaded. Default values:

Windows – winscard.dll
Linux – libpcsclite.so
macOS – libpcsclite.dylib

StateTimeout

This entry changes the behavior for smart card present check.

Normally smart card presence is checked by asking the smart card readers quite often by polling, the poll time is controlled by [SmartCardReader]>Poll entry.

Using this parameter will change to a call method which will ask for state and not return until something has changed.

0: Normal polling is used
X: State driven presence is used, specify the number of minutes for timeout (10 recommended).

Default value is 0; normal polling is used.

This feature requires enhanced support for the PC/SC implementation and eventually some enhanced support for the PC/SC smart card reader driver. Currently this feature should only be used with Windows, since there are some unknown problems for Linux/macOS platforms.

This feature may work better with some PC/SC smart card drivers compared with polling, but there is no recommendation when polling respective state driven presence check should be used.

Unload

This entry is used to control the unloading of the PC/SC library.

0: Library never unloaded
1: Library unloaded when not used

Default value is 1; library unloaded when not used.

Library unloading currently works badly for Linux/macOS platforms, recommended value is therefore never unload on these platforms.

UseCritical

This entry is used to add a global critical section for all PC/SC calls. When it is enabled only one thread will access PC/SC at each time.

0: Critical section is not enabled, multiple threads may access
1: Critical section is enabled, multiple threads may not access

Default value is 0; critical sections should be handled by PC/SC.

Normal usage will have no problem with multiple threads accessing at the same time, but some drivers have problems, so it may be useful for testing.

[SoftToken]

This section controls the soft token policy.

The current password policy (PinMinLen, PinMaxLen and PinType) used when soft token is created will be stored within the soft token, so will not be able change after creation.

Events

This entry is used to add events handling to soft tokens. Soft tokens may be removed when removed from other processes and will also generate an insert event when the soft token is updated, to allow applications to detect updates.

0: No special event handling
1: Events are checked each time a calling application check for events
2: Events are checked each time a calling application check for slots
3: Events are checked each time a calling application check for events and/or slots

Default value is 0; no special event handling.

FileExtension

This entry is used to specify the file type used by soft tokens. The internal soft token format ".tkn" is the only supported value for Windows/Linux. macOS may use the internal format or Apple ".keychain".

Default value is none; internal soft token format.

FileExtension=.tkn

PinExpire

This entry is used to enable/disable password expire policy. The password may be configured to require a change after X number of days.

0: Password expire policy disabled
X: Password will expire after X days

Default value is 0; no password expire policy.

PinFailure

This entry is used to specify how password failures will be handled for soft tokens, i.e. if a user gives the wrong password when trying to use the soft token.

PinFailure=0xAABBCCDD

AA: Number of milliseconds of delay between failures to give the correct password. Will be multiplied with the number of failed tries.
BB: not used
CC: Number of minutes that the password will be blocked.
DD: Number of tries until the password is blocked.

Default value is none; no handling of password failures for soft tokens.

[SoftToken]
PinFailure=0x64000A0A

AA=64: 100 ms of delay between tries, i.e. the delay after first try is 100ms, after second try 200ms, and so on.
CC=0A: The password will be blocked for 10 minutes until it is possible to try again.
DD=0A: The password will be blocked after 10 failed tries.

If no blocking period is configured, that is, CC is set to 00, a restart of the application is necessary to be able make new tries. If a blocking period is configured a restart will make no difference since it is stored in the object, that is, you will have to wait until the blocking period ends to get DD new tries.

PinHistory

This entry is used to enable/disable password history checking. When enabled the old password will be stored as a private object and compared with a new password.

0: Password history disabled
X: Password will compare X last passwords

Default value is 0; no password history checking.

PinMaxLen

This entry is used for maximum password length policy.

0: No maximum password length
X: Maxmimum X bytes password length

Default value is 64; maximum 64 bytes password.

PinMinLen

This entry is used for minimum password length policy.

0: No minimum password length
X: Minimum X bytes password length

Default value is 2; minimum 2 bytes password.

PinPolicy

This entry is used for the password policy, 0xaAbBcCdD:

aA → min/max for number of digits
bB → min/max for number of lower characters
cC → min/max for number of upper characters
dD → min/max for number of special characters

Default value is 0; no password policy.

PinType

This entry is used for password type policy, the requirements are below:

0: all characters (case sensitive)
1: all characters (case insensitive)
2: all characters (min 2 digits and max 2 in row or in sequence)
3: all characters (min 2 digits and max 2 in row)
4: only digits

Default value is 0; all characters allowed and case sensitive.

[TaskbarEvent]

This section controls the behavior of taskbar events,

[TaskbarEvent Insert]

A list of commands executed when a smart card is inserted.

[TaskbarEvent Remove]

A list of commands executed when a smart card is removed.

[Trace]

This section is used to enable a trace for all components or specific components, always specify full path to a file.

Access condition must be fulfilled when writing to trace. This is usually only a problem when using Internet Explorer on Windows platforms, since File system access protection, also known as Sandbox, may stop updates even when everyone has full access.

Component

Use component name as entry instead of File to enable trace for a specific component:

Admin= C:\Temp\iid.txt

CredentialProvider=C:\Temp\iid.txt

CSP= C:\Temp\iid.txt

Directory=C:\Temp\iid.txt

MiniDriver=C:\Temp\iid.txt

Pkcs11=C:\Temp\iid.txt

Plugin=C:\Temp\iid.txt

SSO=C:\Temp\iid.txt

Watch=C:\Temp\iid.txt

Web=C:\Temp\iid.txt

File

Use File entry to specify trace for all components to same file without Net iD Trace service:

File=C:\Temp\iid.txt

Server

Use Server entry to specify trace for all components to same file with Net iD Trace service:

File=server

Server=C:\Temp\iid.txt

Using Net iD Trace service has less impact on the performance but must be manually started. If a reboot is needed when creating a trace file, set service to Automatic.

UseLocalTime

This entry specifies if local time should be used when creating trace file.

0: Local time is not used
1: Trace will be created with local time

Default value is 1; local time will be used.

[Trace Call]

This section specifies the call trace for different components. The difference between Trace Call and normal Trace is that this parameter will only trace function entries and results. Tracing will always affect speed performance, so this parameter has less impact on the performance.

The following components have call trace available:

CSP *
Minidriver *
Pkcs11

*) The component is only available on Windows platforms.

Specify full path to the file which will receive the trace.

Pkcs11=c:\temp\iid.txt

Normal Trace must be disabled.

[Trace]
File=
Server=

[View]

FileExtension

There are several ways to open different files, but to avoid misuse all file types that may be opened should be registered, separated with ;.

FileExtension=.txt;.html;.htm;.cer;.crt;http;https

Default value is .txt;.html;.htm;.cer;.crt;http;https.

iidxwatch.exe

There are several ways for the watch component to open different files, but to avoid misuse all file types that may be opened should be registered, separated with ;.

iidxwatch.exe=.exe;.bat;.vbs

Default value is none.

[Watch]

This section controls the behavior of the Watch component. Will require the Watch component to be included in the installation.

UseService

This entry specifies whether the Watch component should be running as a Windows service or a background process.

0: Run as background process
1: Run as Windows service

Default value is 0; run as background process. This parameter is for Windows only and will be ignored by other operating systems.

[Multiple Watch commands]

The original approach for Watch was a single command that should be executed either at insertion or removal of a smart card. To handle multiple commands the command "config" may be used:

iidxwatch.exe config

This command will check for a list of commands that should be executed when a smart card is inserted or removed. See section 7.2 Commands for more information about the available commands.

[Watch Insert]

A list of commands executed when a smart card is inserted.

[Watch Remove]

A list of commands executed when a smart card is removed.

[Multiple Watch running]

Some scenarios may require multiple Watch running in parallel:

iidxwatch.exe config Watch|Another

The result is that the initial Watch is started and it will spawn an additional process which will read startup and configuration information from different sections.

The example below will run two Watch activated by insertion of a smart card with certificates from two different CAs:

[Command]
Watch=-match "2.5.4.3=SecMaker CA v2|A0" config Watch|Another
Watch Another=-match "2.5.4.3=SecMaker CA v3|A0" config Another
[Watch Insert]
1=open c:\temp\ca_v2.txt
[Watch Another Insert]
1=open c:\temp\ca_v3.txt

[Logon Watch]

The normal Watch component will execute events based on smart card insertion and removal, but some scenarios will require a command to be executed only when a smart card for the logged on user is inserted and/or removed.

iidxwatch.exe config Logon

The only difference is that the name "Logon" is reserved for logged on user scenarios.

[Watch Logon Insert]

A list of commands executed when smart card is inserted for the logged on user.

[Watch Logon Remove]

A list of commands executed when smart card is removed for the logged on user.