
MiniDriver

This section controls the behavior of the Minidriver component. It is a requirement that the Minidriver component is included in the installation.

It is recommended to read the Microsoft Smart Card Minidriver Specification to fully understand the terminology.

The values used are verified with the Microsoft minidriver certification utility, so any changes may cause the certification to fail.
The minidriver certification uses a smart card with full access to the administrator keys; some parameters exist to handle situations where the smart card profile is more or less read-only.

AllowSecondary

This entry can be used to enable/disable writing of secondary certificates. When it is disabled, writing the same certificate object again will overwrite the existing certificate. The normal behavior for a smart card minidriver is not to support secondary certificates, meaning there is no support for multiple certificates using the same key.

0: Don't allow secondary certificates
1: Allow secondary certificates

Default value is 0; secondary certificates are not allowed.

CacheCard

This entry can be used to enable/disable writing of certificate/container information to a cache file. The cache is used by the Credential Provider when it runs in pass-through mode. Microsoft has some limitations on concurrent access to the card, so the cache is used to avoid extra accesses from the Net iD Enterprise Credential Provider towards the minidriver when it is used together with the Microsoft provider.

0: Certificate information is not written
1: Certificate information is written

Default value is 1; certificate information is written.

DO NOT EDIT, the default value should be used.

CertificateCompression

This entry is used to tell whether certificate compression is supported internally or not.

0: Certificate compression is not supported
1: Certificate compression is supported

Default value is 1; certificate compression is supported.

DO NOT EDIT! Certificates are always stored compressed. Without internal compression support, the caller compresses the value before writing it, whereas most smart cards need the real certificate value when the certificate is written to the card.

CheckFileCMap

This entry is used to tell whether the content of the certificate mapping file should be checked before writing. When checking is enabled, the mapping file is only written when it differs from the auto-generated content.

0: Certificate mapping file always written
1: Certificate mapping file only written when different from auto-generated content

Default value is 0; certificate mapping file always written.

ClearUserPinCache

This entry enables/disables clearing of the user PIN cache by the internal certificate propagation service.

0: Will not clear user PIN cache
1: Will clear user PIN cache for the logged-on user at disconnect/lock Windows/exit Windows
2: Will clear all user PIN cache for all smart cards
4: Will clear all user PIN cache for all tokens in the same session

Default value is 2; will clear user PIN cache for all users.

In terminal server sessions value 2 should never be used, since it will clear the PIN cache for other users as well.

Disable

This entry specifies a list of applications which will not be able to use the minidriver, separated by ;.

Disable=test.exe

DisableFileCache

This entry enables/disables Microsoft smart card file cache.

0: Microsoft smart card file cache active
1: Microsoft smart card file cache not active

Default value is 0; smart card file cache is active.

Microsoft has some known problems with the smart card file cache when running terminal server, so it is recommended to disable the cache in these environments.

DisablePinCache

This entry enables/disables Microsoft smart card PIN cache.

0: Microsoft smart card PIN cache active
1: Microsoft smart card PIN cache not active

Default value is 0; smart card PIN cache is active.

FriendlyName

This entry is used to register a friendly name for the certificate in the CryptoAPI user certificate store. The following wildcards may be used:

  • %label%

  • %issuer.<object identifier>%

  • %subject.<object identifier>%

Label is the certificate label stored with the certificate object; issuer and subject are any of the object identifiers available in the subject or issuer field of the certificate. Any combination of static text and the wildcards above may be used.

Default value is "%subject.2.5.4.3% (%issuer.2.5.4.3%)".

For unknown reasons some CryptoAPI applications require the friendly name of a certificate to be static. This may cause problems when both the Net iD Enterprise certificate service and Microsoft register the certificate in the CryptoAPI user certificate store, since Microsoft will not specify any friendly name.
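The wildcard expansion described above, as an added example that is not part of the original documentation or the Net iD product. The certificate is represented as a constructed map of OID to value; how the real driver treats an OID missing from the certificate is not stated on this page, so substituting an empty string is an assumption.

```python
import re

# Constructed sample: subject and issuer as OID -> value maps, the way a
# minidriver would see them after parsing the certificate. Not a real certificate.
SAMPLE_CERT = {
    "label": "Authentication",
    "subject": {"2.5.4.3": "Jane Doe", "2.5.4.10": "Example AB", "2.5.4.6": "SE"},
    "issuer": {"2.5.4.3": "Example Issuing CA", "2.5.4.10": "Example AB"},
}

# The documented default: "<subject CN> (<issuer CN>)".
DEFAULT_TEMPLATE = "%subject.2.5.4.3% (%issuer.2.5.4.3%)"

# Only the three documented wildcard forms are recognised; anything else is static text.
_WILDCARD = re.compile(r"%(label|subject\.[0-9.]+|issuer\.[0-9.]+)%")


def expand_friendly_name(template, cert, missing=""):
    """Expand a FriendlyName template against a parsed certificate.

    %label%, %subject.<oid>% and %issuer.<oid>% are replaced; static text is
    copied unchanged. An OID the certificate does not carry expands to
    `missing` (assumed behaviour) so an unusual CA profile never raises.
    """
    def substitute(match):
        name = match.group(1)
        if name == "label":
            return cert.get("label", missing)
        field, oid = name.split(".", 1)      # "subject.2.5.4.3" -> ("subject", "2.5.4.3")
        return cert.get(field, {}).get(oid, missing)

    return _WILDCARD.sub(substitute, template)
```

Note that a template built only from attributes the CA does not populate yields an empty name, which is the case to watch for when a CA profile omits the common name.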

GuidKeyId

This entry enables/disables the use of the GUID from the certificate mapping file as key id.

0: Key id is generated from public key digest
1: Key id is generated from GUID

Default value is 0; key id is generated from guid.

Enable this parameter when the certificate mapping file is disabled (IgnoreFileCMap=1). The result of the combination is that the automatically generated mapping file will be identical to the original Microsoft mapping file.

IgnoreFileCardCF

This entry enables/disables internal use of the card cache file \cardcf. When disabled, the card cache file is automatically generated from the card update counter.

0: Microsoft card cache file will be used
1: Automatically generated card cache file will be used

Default value is 0; Microsoft card cache file will be used.

IgnoreFileCMap

This entry enables/disables internal use of the certificate mapping file \mscp\cmapfile. When disabled, the mapping file content is automatically generated.

0: Microsoft certificate mapping file will be used
1: Automatically generated certificate mapping file will be used

Default value is 0; Microsoft certificate mapping file will be used.

Enabling this will cause interoperability problems, since Microsoft will not detect changes made by other components, for example certificates written by the plugin component.

IgnoreLogout

This entry specifies a list of applications which will not be able to log out; all logout calls from them will be ignored.

IgnoreLogout=lsass.exe;logonui.exe

Default value is none; all applications will be able to log out.

This parameter should be used with the Microsoft logon applications, since they always log out after accessing the smart card. Allowing these applications to log out will disable the single-sign-on feature.

KeyGenerateMode

This entry specifies the mode for key id generation, either let the smart card decide the key id or generate a key id based on the GuidKeyId parameter.

0: Key id depends on smart card type
1: Let smart card decide key id
2: Generate random key id

Default value is 0.

MaxKeySize

This entry specifies the maximum size of the RSA keys.

MaxKeySize=2048

Default value is 2048; maximum RSA key size of 2048 bits.

The value must be larger than MinKeySize, since the certification utility will hang if the same value is used for minimum and maximum key size. The difference between minimum and maximum size must be at least 8.

MinKeySize

This entry specifies the minimum size of the RSA keys.

MinKeySize=1024

Default value is 1024; minimum RSA key size of 1024 bits.

The value must be less than MaxKeySize, since the certification utility will hang if the same value is used for minimum and maximum key size. The difference between minimum and maximum size must be at least 8.
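A check for the MinKeySize/MaxKeySize constraints above and the ClearUserPinCache terminal server rule, as an added example that is not part of the original documentation or the Net iD product. It assumes the settings live in an INI-style section named [MiniDriver] (an assumption; the page does not show the file layout) and uses the documented default values when a key is absent.

```python
import configparser

# Constructed sample configuration, not taken from a real installation.
# It violates the key-size rule and uses ClearUserPinCache=2.
SAMPLE_CONFIG = """
[MiniDriver]
MinKeySize=2048
MaxKeySize=2048
ClearUserPinCache=2
"""


def check_minidriver_section(text, terminal_server=False):
    """Return a list of problems found in a [MiniDriver] section.

    Rules taken from the documentation: MinKeySize must be less than
    MaxKeySize and the difference must be at least 8 (otherwise the
    certification utility hangs), and ClearUserPinCache=2 must not be used
    in terminal server sessions. Absent keys take the documented defaults.
    """
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp["MiniDriver"]          # section name is an assumption
    problems = []

    min_size = sec.getint("MinKeySize", fallback=1024)
    max_size = sec.getint("MaxKeySize", fallback=2048)
    if min_size >= max_size:
        problems.append("MinKeySize must be less than MaxKeySize")
    elif max_size - min_size < 8:
        problems.append("MaxKeySize - MinKeySize must be at least 8")

    # Default is 2, so a terminal server with no explicit value is also flagged.
    if terminal_server and sec.getint("ClearUserPinCache", fallback=2) == 2:
        problems.append("ClearUserPinCache=2 clears other users' PIN cache on terminal servers")

    return problems
```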

MoveCertificates

This entry specifies whether internal certificate propagation to the CryptoAPI store should be used or not.

0: Don't move certificates to CryptoAPI store
1: Move certificates to CryptoAPI store

Default value is 0; Microsoft certificate propagation should be used to move certificates.

NoLoadPkcs11Keys

This entry specifies whether PKCS#11 keys without an associated certificate should be mapped as minidriver keys.

0: Load PKCS#11 keys
1: Don't load PKCS#11 keys

Default value is 0; PKCS#11 keys are loaded.

OverwriteCertificates

This entry specifies whether internal certificate propagation should overwrite existing certificates when moving certificates. This has an effect when several different certificate propagation services are enabled, or when the same smart card is supported by several vendors.

0: Don't overwrite existing certificates in CryptoAPI store
1: Overwrite existing certificates in CryptoAPI store

Default value is 0; will not overwrite.

RegisterCertificate

This entry specifies a list of applications which will generate an event to register the certificates for CryptoAPI with the Net iD CSP instead of with the Minidriver.

RegisterCertificate=lsass.exe;logonui.exe

Default value is none; no applications will generate an event to register the certificates.

This parameter should be used to register the Net iD CSP as the default handler of certificates instead of the Microsoft Base Smart Card CSP with the Minidriver.

PinCacheDisable

This entry enables/disables the Microsoft PIN cache. It only affects PIN1; the secondary PIN always has PIN cache disabled.

0: Microsoft PIN cache is active
1: Microsoft PIN cache is inactive

Default value is 0; Microsoft PIN cache is active.

Microsoft Windows logon may fail if the PIN cache is inactive.

PinCacheTimeout

This entry specifies the timeout value for the Microsoft PIN cache.

X: Number of seconds the Microsoft PIN cache is active

Default value is 0; the Microsoft PIN cache is active for as long as Microsoft thinks is suitable.

ReadOnly

This entry specifies whether the minidriver should report all smart cards as read-only, i.e. not possible to update in any way.

0: Smart cards are not considered read-only
1: Smart cards are considered read-only

Default value is 0; smart cards are updateable.

SetDefaultCertificate

This entry specifies whether a default certificate should be marked as default in the minidriver certificate mapping file.

0: Don't mark default certificate
1: Mark default certificate

Default value is 0; default certificate is not marked.

The default certificate is chosen by certificate sorting; see SortCertificate below.
This parameter only has effect when the certificate mapping file is generated, and is ignored when the mapping file is written towards the smart card; see IgnoreFileCMap above.

SortCertificate

This entry specifies how the certificates should be sorted when a default certificate is used.

0: Don't sort certificates, use sorting from PKCS#11
1: Sort newest certificate first
2: Sort oldest certificate first

Default value is 0; sorting is inherited from PKCS#11.

UseSuppliedPadding

This entry specifies whether the supplied key padding mechanism or the internal implementation should be used. The padding mechanism is needed to format data to be signed or data to be encrypted before the key operation.

0: Use internal padding
1: Use supplied padding

Default value is 0; internal padding is used.

UseExternCardCF

This entry specifies whether the caller is allowed to update the card update counter. When not allowed, all updates from the caller are ignored and the counter is handled internally.

0: Update counter internally
1: Use caller update counter

Default value is 0; internal update counter is used.

Version

This entry specifies which version of the minidriver specification should be supported. Currently versions 4 to 6 are supported.

Version=5

Default value is all versions.

WriteCardBlock

The minidriver file system is stored in a virtual file system. This entry specifies the block size for that virtual file system, to avoid unnecessary reallocation when objects are created on smart cards which store data separately from the information about the data.

WriteCardBlock=64

Default value is 0; a suitable value is chosen for the smart card type.