CP - Configuration
Veridium Credential Provider can be configured both through registry keys and in the VeridiumID Server. By default the registry keys enable all available features, but they can be used to restrict or change some of them. Registry key changes can also be distributed by GPO.
Key:
[HKEY_LOCAL_MACHINE\SOFTWARE\VeridiumID\VeridiumAD]
Values description:
Key | Default value | Type | Description |
---|---|---|---|
BOPS_URL | | string | URL to VeridiumID Server when in the internal network. |
BOPS_URL_EXTERNAL | | string | URL to VeridiumID Server reachable from the Internet. If the Veridium server is not reachable from the Internet, keep the same value as BOPS_URL. |
RA_URL | | string | URL to VeridiumAD RA Server. |
ENROLL_URL | | string | URL to VeridiumAD EP Server. |
FIDO_ORIGIN | | string | FIDO Origin configuration. Needs to match the VeridiumID Server settings. |
LastServiceStart | 2196406213 | dword | internal |
MemberID | ADv2MultiStepEnrollment | string | Internal |
MemberInternalID | d2535f4f-f510-4875-8991-55974a566a69 | string | Internal |
PollTimeMs | 1000 | dword | Internal |
EnableCameraSensor | 1 | dword | Legacy |
EnableLumidigmFingerprintSensor | 0 | dword | Legacy |
EnableOfflineLogin | 0 | dword | Enable/Disable special CP allowing only Offline logon. Will no longer be supported from the next version. |
LOGIN_MODE | 0 | dword | Internal |
EnablePushLogin | 0 | dword | Enable/Disable special CP allowing only Push. Will no longer be supported from the next version. |
EnablePinLogin | 0 | dword | Enable/Disable special CP allowing only PIN. Will no longer be supported from the next version. |
EnableSMSLogin | 0 | dword | Enable/Disable special CP allowing only SMS. Will no longer be supported from the next version. |
EnableNFCLogin | 0 | dword | Enable/Disable special CP allowing only NFC. Will no longer be supported from the next version. |
EnableTOTPLogin | 0 | dword | Enable/Disable special CP allowing only TOTP. Will no longer be supported from the next version. |
EnableShellExtension | 0 | dword | Enable/Disable Veridium CP in the shell context menu. |
EnableOrchestratorLogin | 1 | dword | Enable/Disable the entire VeridiumID CP. |
EnableOrchestratorInUserTile | 1 | dword | Enable/Disable Veridium CP in the user tile. |
EnableOrchestratorQR | 1 | dword | Enable/Disable QR authentication flow on this CP. |
EnableOrchestratorPush | 1 | dword | Enable/Disable Push authentication flow on this CP. |
EnableOrchestratorOffline | 1 | dword | Enable/Disable Offline authentication flow on this CP. |
EnableOrchestratorVFACE | 1 | dword | Enable/Disable VFACE authentication flow on this CP. |
EnableOrchestratorFIDO | 1 | dword | Enable/Disable FIDO authentication flow on this CP. |
ProviderPinLoginCaption | PIN | string | String in CP GUI. PIN flow. |
ProviderPinLoginInputCaption | PIN | string | String in CP GUI. PIN flow. |
ProviderQRLoginCaption | VeridiumID QR | string | String in CP GUI. QR code flow. |
ProviderPushLoginCaption | VeridiumID Push | string | String in CP GUI. Push flow |
ProviderSMSCaption | SMS | string | String in CP GUI. SMS flow |
ProviderSMSPINCaption | PIN | string | String in CP GUI. SMS flow |
ProviderFIDOCaption | FIDO | string | String in CP GUI. FIDO flow |
ProviderVFACECaption | VFACE | string | String in CP GUI. VFACE flow |
BrowserAuthenticator | C:\Program Files\VeridiumID\VeridiumAD\VLogonBrowser\VLogonBrowser.exe | string | Internal. Reference to the browser started for VFACE authentication. |
ProviderSMSValidationCodeCaption | Validation code | string | String in CP GUI. SMS Flow |
ProviderNFCCaption | Tap your NFC token | string | Not used |
ProviderNFCPINCaption | PIN | string | Not used |
ProviderNFCValidationCodeCaption | Enter your token PIN | string | Not used |
ProviderTOTPCaption | TOTP | string | String in CP GUI. TOTP Flow |
ProviderTOTPPINCaption | PIN | string | String in CP GUI. TOTP Flow |
ProviderTOTPValidationCodeCaption | Validation code | string | String in CP GUI. TOTP Flow |
ProviderOrchestratorCaption | VeridiumID | string | name of VeridiumID Credential provider |
ProviderLostModeCaption | Lost your authentication device? | string | String in CP GUI. |
ProviderOfflineCaption | Offline Logon | string | String in CP GUI. |
ProviderOtherAuthCaption | Use other authentication method | string | String in CP GUI. |
OrchestratorTileImagePath | | | Path to a 256x256 pixel bitmap. If not specified, the VeridiumID logo is used. |
OrchestratorSmallTileImagePath | | | Path to a 64x64 pixel bitmap. If not specified, the VeridiumID logo is used as default. |
EnableOrchestratorHELP | 0 | dword | Not yet used |
SetVeridiumAsDefaultCP | 1 | dword | When set to 1, Veridium CP is pre-selected as default credential provider. |
BrowserHelp | C:\Program Files\VeridiumID\VeridiumAD\VLogonBrowser\BrowserApp.exe | string | Not yet used |
ProviderOfflineCaptionFallback | No network available. Switching to offline mode... | string | Message shown when the user session started online but the network is currently unavailable. |
ProviderOfflineCaptionFallbackNoCert | No network available, offline mode is not available on this device. | string | Message shown in the Offline logon case when no cached credentials are available. |
ProviderOfflineMessage | Computer failed to create session with the VeridiumID server. | string | Message shown when a network connection is generally available but the URL set in BOPS_URL is not reachable. This leads to Offline mode. |
ProviderOfflineMessageUserTail | | string | Error message shown when EnableOrchestratorOffline=1 and EnableOrchestratorInUserTile=1 and the user unlocks in Offline mode. "User tile" means the user is selected from the list of logged-on users. |
FaceConfig | C:\Program Files\VeridiumID\VeridiumAD\FaceConfig | string | Legacy not used |
LivenessTrackerConfig | C:\Program Files\VeridiumID\VeridiumAD\LivenessConfig\Facial Features Tracker.cfg | string | Legacy |
EnableOrchestratorAllowedAccountsPwAuth | <empty> | string | List of semicolon separated values of accounts allowed to logon using password. By default list is empty. |
debug | 0 | dword | When enabled (set to 1), detailed information is written to the event log. Only for investigation purposes; do not leave it enabled in normal production use. |
SupressCPWhenCitrixLogon | 0 | dword | When set to 1, suppresses starting the Credential Provider GUI when a Citrix logon is detected. |
SupressCP | 0 | dword | Key exists in the registry, but is switched off in the code. |
EnableOrchestratorCacheCerts | 1 | dword | When set to 1, the client certificate is cached in BopsLogonService. The certificate stays cached until it expires or the computer/service is restarted. |
ConnectionMaxRetryCount | 1 | dword | Number of retries applied when the connection to the server is lost. There is normally around 1 s between tries. |
EnableSensorPreview | 0 | dword | Enable/Disable preview window in CP authentication when DactyID20 is used. |
EnableDactyID20FingerprintSensor | 0 | dword | Enable integration of DactyID20. |
ApplicationName | VeridiumCP | string | String used in CP Main GUI |
ConnectionTimeout | 30 | dword | Timeout to wait for the server to respond. |
CryptographicServiceProvider | Microsoft Software Key Storage Provider | string | Key Storage Provider for the user certificate. Possible values are "BOPS Key Storage Provider" and "Microsoft Software Key Storage Provider" for user authentication certificates. |
DeviceAlgName | RSA | string | Device certificate algorithm. RSA is the only algorithm supported at the moment. |
DeviceCertKSP | Microsoft Software Key Storage Provider | string | CP stores a newly created device certificate in the Local Computer certificate store. The KSP may be "Microsoft Software Key Storage Provider" or "Microsoft Platform Crypto Provider" (to store the private key on the TPM). When DeviceCertKSP is changed, the computer certificate needs to be deleted manually from the computer store and BopsLogonService needs to be restarted. |
DeviceCertRenewal | 60 | dword | The Device certificate is by default valid one year; certificate is renewed automatically after 60% of the validity time. |
DeviceKeyLength | 2048 | dword | Device certificate key length. |
EnableOrchestratorExternalPIN | 1 | dword | Allows external token as authentication method (Radius) |
EnableOrchestratorLDAP_PASSWORD | 1 | dword | Allows LDAP password as authentication method (e.g. Active Directory password) |
EnableOrchestratorLOST | 1 | dword | Allows Lost mode authentication method |
EnableOrchestratorPIN | 1 | dword | Allows PIN authentication method |
EnableOrchestratorSMS | 1 | dword | Allows SMS authentication method |
EnableOrchestratorSSP | 0 | dword | Allows starting the Self Service Portal directly from the Credential Provider. The Kiosk account needs to be configured. |
EnableOrchestratorTOTP_DESKTOP | 1 | dword | Allows TOTP desktop authentication method |
EnableOrchestratorTOTP | 1 | dword | Allows TOTP authentication method |
EnableOrchestratorUseLastAuthenticationMethod | 0 | dword | The Credential Provider (CP) supports the last used (preferred) authentication method: on logon and unlock the user is taken directly to the last used authentication method. For Push, SMS and DactyID20 the user has to press "Enter" to start authentication (so that Push notifications, SMS, etc. are not sent automatically). |
KIOSK_Account | kiosk | string | Name of the account used to start Self Service from the CP directly. To enable it, SSP_URL and EnableOrchestratorSSP must be set. |
OfflineMaxRetryCount | 1 | dword | Number of retries in Offline mode to decide whether the computer is online or offline. Each try takes about 2 seconds. |
ProviderExternalPinLoginCaption | External token | string | Caption for the External Token (Radius) authentication method |
ProviderExternalPinLoginInputCaption | token code | string | Used in the External token authentication method to name the input box |
ProviderLDAPPasswordCaption | Password | string | Caption for the LDAP Password authentication method |
ProviderLDAPPasswordInputCaption | Password | string | Used in the LDAP Password authentication method to name the input box |
ProviderTOTP_DESKTOPCaption | TOTP Desktop | string | Caption for the TOTP Desktop authentication method |
ProviderTOTPCaption | TOTP | string | Caption for the TOTP authentication method |
SSP_URL | https://ssp.develop.veridium-dev.com/ssp/index.html#enrollment/ | string | URL to the Self Service Portal |
SupressCPUserTails | 0 | dword | When set to 1, Veridium Credential Provider is not visible in the user tile, but only as a separate CP. |
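Because these values are usually pushed by GPO, it is worth reading the key back on an endpoint and comparing the security-relevant values against a baseline. The PowerShell script below is an added example, not part of the Veridium documentation: the key path and value names come from the table above, while the baseline choices (debug off, no password-only accounts, TPM-backed KSP, key length of at least 2048 bits, HTTPS server URLs) are this example's assumptions.

```powershell
# Added example (not part of the Veridium documentation): read the
# HKLM\SOFTWARE\VeridiumID\VeridiumAD key and flag security-relevant values.
# Value names are from the table above; the baseline is this example's choice.
$Path = 'HKLM:\SOFTWARE\VeridiumID\VeridiumAD'

# Each check: value name, a test receiving the current value ($null means the
# value is not set and the documented default applies), and why it matters.
$Checks = @(
    @{ Name = 'debug'
       Test = { param($v) ($null -eq $v) -or ($v -eq 0) }
       Why  = 'debug=1 writes detailed information to the event log; not for production' }
    @{ Name = 'EnableOrchestratorAllowedAccountsPwAuth'
       Test = { param($v) [string]::IsNullOrWhiteSpace($v) }
       Why  = 'accounts listed here may log on with a password instead of a VeridiumID flow' }
    @{ Name = 'DeviceCertKSP'
       Test = { param($v) $v -eq 'Microsoft Platform Crypto Provider' }
       Why  = 'default is the software KSP; the TPM-backed KSP keeps the device private key in hardware' }
    @{ Name = 'DeviceKeyLength'
       Test = { param($v) ($null -eq $v) -or ([int]$v -ge 2048) }
       Why  = 'device certificate RSA key should be at least 2048 bits' }
    @{ Name = 'BOPS_URL'
       Test = { param($v) $v -like 'https://*' }
       Why  = 'internal server URL should use HTTPS' }
    @{ Name = 'BOPS_URL_EXTERNAL'
       Test = { param($v) $v -like 'https://*' }
       Why  = 'externally reachable server URL should use HTTPS' }
)

$Props = Get-ItemProperty -Path $Path -ErrorAction Stop
foreach ($c in $Checks) {
    $value = $Props.($c.Name)          # $null when the value does not exist
    $ok    = & $c.Test $value
    [pscustomobject]@{
        Key    = $c.Name
        Value  = if ($null -eq $value) { '<not set>' } else { $value }
        Status = if ($ok) { 'OK' } else { 'REVIEW' }
        Reason = $c.Why
    }
}
```

Run it in an elevated session on the endpoint; a REVIEW row means the value differs from the baseline above, not that it is necessarily wrong for your deployment.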