Smart Card related Group Policy Settings in Vista

The following table illustrates the Group Policy Settings that can be used on a per-machine basis. There are no settings on a per user basis. Some of these settings can be applied only to a Vista level functional domain – for example Domain Hints. All of the keys are located under \Policies\Microsoft\Windows\SmartCardCredentialProvider and \Policies\Microsoft\Windows\CertProp hierarchy.

From the Group Policy Editor (gpedit.exe), group policy can be edited and applied to machines on the domain. Smart Card related policies exist under:

Computer Configuration\Administrative Templates\Windows components\Smart Card

Once they are applied by the Domain Administrator, on the user’s local machine they will reside in [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]

Key

Description

AllowSignatureOnlyKeys

Allow signature keys valid for Logon (also applies to whenever Credential UI is called)

This policy setting lets you allow signature key-based certificates to be enumerated and available for logon.

If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logon screen.

If you disable or do not configure this policy setting, any available smart card signature key-based certificates will not be listed on the logon screen.

AllowCertificatesWithNoEKU

This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon.

Under previous versions of Microsoft Windows, the EKU extension was required to have the smart card logon Object Identifier (OID) present. This setting controls that restriction.

If you enable this policy setting, only those smart card based certificates that contain the smart card logon OID or no EKU extension will be listed on the logon screen.

If you disable or do not configure this policy setting then only those smart card based certificates that contain the smart card logon OID will be listed on the logon screen.

AllowTimeInvalidCertificates

This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid.

Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls the displaying of the certificate on the client machine.

If you enable this policy setting certificates will be listed on the logon screen regardless of whether they have an invalid time or their time validity has expired.

If you disable or do not configure this policy setting, certificates which are expired or not yet valid will not be listed on the logon screen.

AllowIntegratedUnblock

This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI).

In order to use the integrated unblock feature your smart card must support this feature. Please check with your hardware manufacturer to see if your smart card supports this feature.

If you enable this policy setting, the integrated unblock feature will be available.

If you disable or do not configure this policy setting then the integrated unblock feature will not be available.

ReverseSubject

This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon.

By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization.

If you enable this policy setting or do not configure this setting, then the subject name will be reversed.

If you disable , the subject name will be displayed as it appears in the certificate.

X509HintsNeeded

This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user.

If you enable this policy setting then an optional field that allows a user to enter their user name or user name and domain will be displayed.

If you disable or do not configure this policy setting, an optional field that allows a users to enter their user name or user name and domain will not be displayed.

IntegratedUnblockPromptString

This policy setting allows you to manage a specific string is displayed when a smart card is blocked.

If you enable this policy setting, the specified string will be displayed to the user when the smart card is blocked. Note: The following policy setting must be enabled - Allow Integrated Unblock screen to be displayed at the time of logon.

If you disable or do not configure this policy setting, the default string will be displayed to the user when the smart card is blocked, if the integrated unblock feature is enabled.

CertPropEnabledString

This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted.

If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card.

If you disable this policy setting, certificate propagation will not occur and the certificates will not be made available to applications such as Outlook.

CertPropRootEnabledString

This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted.

If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card. Note: For this policy setting to work the following policy setting must also be enabled: Turn on certificate propagation from smart card

If you disable this policy setting then root certificates will not be propagated from the smart card.

RootsCleanupOption

Configure root certificate clean up. This option is located in HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\CertProp

This policy setting allows you to manage the clean up behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate clean up will occur on log off.

Root certificate clean up options include:

§ No cleanup (Default)

§ Clean up certificates on smart card removal

§ Clean up certificates on user log off

Note: This policy works in conjunction with HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots\Flags. If this is set (off by default), then root certificates even from Smart Card will be disabled for propagation.

Require Smart Card (Machine Policy) – Policies for Interactive logon

Enforce Smart Card required for Logon on a per machine basis.

Key is located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Policies\System\scforceoption

The following are the supported values:

0 à No Action

1 à Enable Smart Card Required for Logon

Smart Card Removal Policy – Policies for Interactive logon

Note: If Smart Card Removal Policy service is not running, then start the policy using the command: net start ScPolicySvc and set start type to Auto (sc config scpolicysvc start= auto )

Key is located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\scremoveoption

If this is set (off, 0, by default), the removal of Smart Card will lock the workstation. The following are the supported values:

0 à No Action

1 à Lock Workstation – user session locked on Smart Card removal

2 à Log Off – User logged off on Smart Card removal

3 à Disconnect from remote Terminal Server Session – removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped terminal, without having to log on again.

FilterDuplicateCertificates

This policy settings lets you configure if all your valid logon certificates are displayed.

During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN).

If there are two or more of the "same" certificate on a smart card and this policy is enabled then the certificate that is used for logon on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the the certificate with the expiration time furthest in the future will be shown. Note: This setting will be applied after the following policy: "Allow time invalid certificates"

If you enable or do not configure this policy setting, filtering will take place.

If you disable this policy setting, no filtering will take place.

ForceReadingAllCertificates

(0 == default only, 1 == all certificates)

Force reading of all certificates from the smart card regardless of the supported feature set in the CSP. This policy is applicable whenever Smart Card Credential Provider or Credential UI is called.

If you enable this setting, then Windows will attempt to read all certificates on the smart card regardless of the feature set in the CSP.

If you disable or do not configure this setting (default), Windows will only read the default container of the Smart Card for logon unless it supports retrieval of all certificates in a single call Certificates stored other than in the default container will not be available for logon.

Note: During deployment additional policies may be required for ease of use or better security. Some of them include:

  • Turning off Delegation for machines
  • Do not require CAD @ logon (not recommended)

Local Policy Settings for Microsoft Base Smart Card Crypto Service and Key Storage Provider

Local Policy Settings for Microsoft Base Smart Card Crypto Service Provider are located in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]: (Same settings exist for Smart Card Key Storage Provider under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Providers\Microsoft Smart Card Key Storage Provider)

Key

Description

DefaultPrivateKeyLenBits

Type = dword

Default Value = 00000400

Default key generation parameter – 1024 bit keys

RequireOnCardPrivateKeyGen

Type = dword

Default Value = 00000000This sets the flag for requiring on card private key generation (default)

If this value is set, then key generated on a host can be imported into the card. This is used for cards which don’t support on-card key generation or where key escrow is required.

TransactionTimeoutMilliseconds

Type = dword

Default Value = 000005dc1500, 1.5 seconds is the default timeout for holding transactions to the card

AllowPrivateSignatureKeyImport

Type = dword

Default Value = 00000000Allow importing of signature keys, i.e. key archival scenarios

AllowPrivateExchangeKeyImport

Type = dword

Default Value = 00000000 Allow import of exchange keys, i.e. key archival scenarios