CP - Configuration

The Veridium Credential Provider (CP) can be configured through registry keys. This lets system administrators adjust settings locally and deploy them centrally via GPOs, in addition to the existing VeridiumID Server configuration.

Enhanced configuration options for the Veridium Credential Provider:

  • Registry keys can be used to customize features, providing greater flexibility.

  • Default registry settings enable all features, with the ability to restrict or modify as needed.

  • Registry key changes can be deployed using Group Policy Objects (GPOs) for centralized management.

Parent Key:
[HKEY_LOCAL_MACHINE\SOFTWARE\VeridiumID\VeridiumAD]

Parameter list:

| Registry key | Default value | Type | Description | Available from version |
|---|---|---|---|---|
| BOPS_URL | https://develop.Veridium-dev.com/websec/rest/enterprise/ | string | URL of the VeridiumID Server as reached from the internal network. | 3.6.2 |
| BOPS_URL_EXTERNAL | https://develop.Veridium-dev.com/websec/rest/enterprise/ | string | URL of the VeridiumID Server as reached from the Internet. If the server is not reachable from the Internet, use the same value as BOPS_URL. | 3.6.2 |
| RA_URL | https://dev-dc1.dev.local/RaWebApp/api/ | string | URL of the VeridiumAD RA server. | 3.6.2 |
| ENROLL_URL | https://dev-dc1.dev.local/BopsEnroll/BopsEnroll.svc/ | string | URL of the VeridiumAD EP server. | 3.6.2 |
| FIDO_ORIGIN | https://develop.Veridium-dev.com | string | FIDO origin. Must match the VeridiumID Server setting. | 3.6.2 |
| LastServiceStart | 2196406213 | dword | Internal CP use. | 3.2 |
| MemberID | ADv2MultiStepEnrollment | string | Internal CP use. | 3.2 |
| MemberInternalID | d2535f4f-f510-4875-8991-55974a566a69 | string | Internal CP use. | 3.2 |
| PollTimeMs | 1000 | dword | Internal CP use. | 3.6.2 |
| EnableCameraSensor | 1 | dword | Legacy. | 3.2 |
| EnableLumidigmFingerprintSensor | 0 | dword | Legacy. | 3.2 |
| EnableShellExtension | 0 | dword | Enable (1) or disable (0) the Veridium CP in the shell context menu. | 3.6.2 |
| EnableOrchestratorLogin | 1 | dword | Enable or disable the entire VeridiumID CP on the Windows logon screen. | 3.6.2 |
| EnableOrchestratorInUserTile | 1 | dword | Enable or disable the Veridium CP in the user tile. | 3.6.2 |
| EnableOrchestratorQR | 1 | dword | Enable or disable the QR authentication flow on this CP. | 3.6.2 |
| EnableOrchestratorPush | 1 | dword | Enable or disable the Push authentication flow on this CP. | 3.6.2 |
| EnableOrchestratorOffline | 1 | dword | Enable or disable the Offline authentication flow on this CP. | 3.6.2 |
| EnableOrchestratorVFACE | 1 | dword | Enable or disable the VFACE authentication flow on this CP. | 3.6.2 |
| EnableOrchestratorFIDO | 1 | dword | Enable or disable the FIDO authentication flow on this CP. | 3.6.2 |
| OrchestratorTileImagePath | (empty) | | Path to a 256x256 pixel bitmap used as the logo. If not specified, the VeridiumID default logo is used. | 3.6.2 |
| OrchestratorSmallTileImagePath | (empty) | | Path to a 64x64 pixel bitmap used in smaller tiles. If not specified, the VeridiumID logo is used. | 3.6.2 |
| EnableOrchestratorHELP | 0 | dword | Not yet used; placeholder for a future feature. | 3.6.2 |
| SetVeridiumAsDefaultCP | 1 | dword | When 1, the Veridium CP is pre-selected as the default credential provider. | 3.6.2 |
| ProviderOfflineCaptionFallback | No network available. Switching to offline mode... | string | Message shown when the session started online but the network is currently unavailable. | 3.6.2 |
| ProviderOfflineCaptionFallbackNoCert | No network available, offline mode is not available on this device. | string | Message shown on an offline logon when no cached credentials are available on the device. | 3.6.2 |
| ProviderOfflineMessageUserTile | (empty) | string | Error message shown when EnableOrchestratorOffline=1 and EnableOrchestratorInUserTile=1 and the user unlocks in offline mode. "User tile" means the user is selected from the list of logged-on users. | 3.6.2 |
| FaceConfig | C:\Program Files\VeridiumID\VeridiumAD\FaceConfig | string | Legacy. | 3.2 |
| LivenessTrackerConfig | C:\Program Files\VeridiumID\VeridiumAD\LivenessConfig\Facial Features Tracker.cfg | string | Legacy. | 3.2 |
| EnableOrchestratorAllowedAccountsPwAuth | (empty) | string | Semicolon-separated list of accounts allowed to log on with a password. Empty by default. Each listed account can log on with its password alone on this machine, so keep the list minimal and audited. | 3.6.2 |
| ConnectionMaxRetryCount | 1 | dword | Number of retries when the connection to the server is lost. There is normally about 1 s between tries. | 3.6.2 |
| EnableSensorPreview | 0 | dword | Enable or disable the preview window during CP authentication when the DactyID20 fingerprint sensor is used. | 3.6.2 |
| EnableDactyID20FingerprintSensor | 0 | dword | Enable integration of the DactyID20 fingerprint sensor. | 3.6.2 |
| ApplicationName | VeridiumCP | string | String shown in the CP main GUI. | 3.6.2 |
| ConnectionTimeout | 30 | dword | Time to wait for the server to respond. | 3.6.2 |
| CryptographicServiceProvider | Microsoft Software Key Storage Provider | string | Key Storage Provider for the user authentication certificate. Possible values: "BOPS Key Storage Provider" and "Microsoft Software Key Storage Provider". | 3.6.2 |
| DeviceAlgName | RSA | string | Device certificate algorithm. RSA is currently the only supported value. | 3.6.2 |
| DeviceCertKSP | Microsoft Software Key Storage Provider | string | The CP stores the device certificate in the local computer certificate store. The KSP can be "Microsoft Software Key Storage Provider" or "Microsoft Platform Crypto Provider" (private key generated and held in the TPM, so it cannot be exported or copied to another machine). After changing DeviceCertKSP, delete the computer certificate manually from the computer store and restart BopsLogonService so that a new certificate is enrolled with the new KSP. | 3.6.2 |
| DeviceCertRenewal | 60 | dword | Percentage of the validity period after which the device certificate is renewed automatically. The device certificate is valid for one year by default, so with 60 it is renewed after 60% of that time. | 3.6.2 |
| DeviceKeyLength | 2048 | dword | Device certificate key length in bits. | 3.6.2 |
| EnableOrchestratorExternalPIN | 1 | dword | Allow an external token (RADIUS) as an authentication method. | 3.6.2 |
| EnableOrchestratorLDAP_PASSWORD | 1 | dword | Allow the LDAP password (e.g. the Active Directory account password) as an authentication method. | 3.6.2 |
| EnableOrchestratorLOST | 1 | dword | Allow the Lost mode authentication method. | 3.6.2 |
| EnableOrchestratorPIN | 1 | dword | Allow the PIN authentication method. | 3.6.2 |
| EnableOrchestratorSMS | 1 | dword | Allow the SMS authentication method. | 3.6.2 |
| EnableOrchestratorSSP | 0 | dword | Allow the Self Service Portal to be started directly from the Credential Provider. The kiosk account (KIOSK_Account) must be configured. | 3.6.2 |
| EnableOrchestratorUseLastAuthenticationMethod | 0 | dword | When 1, the CP remembers the last used (preferred) authentication method and, on logon and unlock, takes the user straight to it. For Push, SMS and DactyID20 the user must press Enter to start authentication, so that push notifications or SMS messages are not sent automatically. | 3.6.2 |
| KIOSK_Account | kiosk | string | Name of the account used to start the Self Service Portal directly from the CP. To enable it, SSP_URL and EnableOrchestratorSSP must also be set. | 3.6.2 |
| OfflineMaxRetryCount | 1 | dword | Number of retries in offline mode used to decide whether the computer is online or offline. Each try takes about 2 s. | 3.6.2 |
| SSP_URL | https://ssp.develop.Veridium-dev.com/ssp/index.html#enrollment/ | string | URL of the Self Service Portal. | 3.6.2 |
| SupressCPUserTiles | 0 | dword | When 1, the Veridium CP is not shown in the user tile, only as a separate CP. | 3.6.2 |
| DeviceCertFriendlyName | VeridiumID Device Certificate | string | Friendly name of the device certificate. | 3.6.2 |
| ShowEditBox | 0 | dword | Not used in active user flows. | 3.6.2 |
| EnableSecondaryURLs | 0 | dword | When enabled, the CP can connect to one of several VeridiumID servers. Specific production use case; refer to the separate documentation. | 3.6.2 |
| IsCitrixSession | 0 | dword | Internal use only. | 3.6.2 |
| EnableOrchestratorOTP | 1 | dword | Allow OTP in the list of authentication methods. | 3.6.2 |
| EnableOrchestratorYUBICO_OTP | 1 | dword | Allow YUBICO_OTP in the list of authentication methods. | 3.6.2 |
| SecondaryURLsSuffix | (empty) | string | Used together with EnableSecondaryURLs to connect to one of several VeridiumID servers. Refer to the separate document to enable this feature. | 3.6.2 |
| ExternalID | S-1-5-21-410015106-2063711249-828150371-1997 | string | Internal CP use. | 3.6.2 |
| TempFolder | C:\temp\ | string | Folder for VFACE temporary files. The user must have read/write access and the path must end with a backslash. Used only when debug is set to 1. | 3.6.2 |
| EnableAutoQRRefresh | 0 | dword | When 1, the CP QR code refreshes automatically at session timeout. When the key is absent or 0, the QR code expires after the timeout and must be refreshed manually. | 3.6.2 |
| DeviceCertStoreName | (empty) | string | When set, the device certificate is created in a separate certificate store with this name. | |
| AllowPasswordAuthForNonOnboardedUsers | 0 | dword | When 1 and the name typed under "Other user" belongs to a user who is not onboarded, the CP asks for a password and allows classic password authentication. | 3.7 |
| BopsLogonServiceDelay | 400 | dword | Retry configuration for communication between the CP and the Bops Logon service: delay between retries, in ms. | 3.7 |
| BopsLogonServiceRetryCount | 5 | dword | Retry configuration for communication between the CP and the Bops Logon service: number of retries. | 3.7 |
| ValidateHTTPSCert | 0 | dword | Validate the server's TLS certificate on REST API calls. With the default of 0 the certificate is not checked, so any host that can intercept the connection can impersonate the server; set to 1 once the server certificate chains to a CA the workstation trusts. | 3.6.2 |
| DactyID20Port | 19090 | dword | Port for communication with the DactyID20 app. Currently not used; the integration is done through a DLL. | 3.6.2 |
| DactyID20TimeOut | 60 | dword | Timeout for communication with the DactyID20 app. Currently not used; the integration is done through a DLL. | 3.6.2 |
| EnableFIDOWindowsHello | 0 | dword | When 1, Windows Hello can be used as a FIDO token. | 3.6.2 |
| NormalizeUserIdentifier | 1 | dword | Use the SID as the standard user identifier. | 3.6.2 |
| debug | 0 | dword | When 1, detailed debug information is generated (see TempFolder). | 3.6.2 |
| SupressCP | 0 | dword | When 1, the CP GUI is suppressed. | 3.6.2 |
| DistinguishUnlockLogon | 0 | dword | Since Windows 11 the OS does not distinguish between UNLOCK and LOGON scenarios. When 1, the unlock flow is detected instead by listing the existing sessions. | 3.6.2 |
| EnableOrchestratorUserQROnList | 0 | dword | When QR is an authentication method in the workflow and this is 1, the QR code is shown in the list of authentication methods rather than as a link. | 3.6.2 |
| IdentityFormat | SID | string | "SID" or "sAMAccountName". Controls how the user is identified when calling the server REST API. | 3.6.2 |
| UseOpenSSLForEncryption | 0 | dword | When 1, OpenSSL is used for data encryption; when 0, standard Windows DPAPI is used. | 3.6.2 |
| EnableRDPSSO | 0 | dword | Set to 1 on the target server to which RDP SSO is expected. | 3.6.2 |
| EnableRDPEnforceMFA | 0 | dword | When 1, any incoming authentication package is ignored and Veridium authentication is required. | 3.6.2 |
| UseDetectedFIDOasPreferredMethod | 0 | dword | When a FIDO token is available, it is used as the preferred authentication method. | 3.6.2 |
| UseDeviceIntuneCertificate | 0 | dword | Set to 1 when the client is Azure joined but not domain joined. | 3.6.2 |
| DeviceIntuneCaName | Intune | string | Substring of the name of the CA that issued the Intune certificate. | 3.6.2 |
| CleanUnusedUserCerts | 1 | dword | Automatically remove unused user certificates from the user store. | 3.6.2 |
| DelegatedAccountUnlock | 1 | dword | When 1 and a shared account was used, an unlock starts directly in the delegation flow. | 3.6.2 |
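The following PowerShell script is an added example written for this page by the editor; it is not Veridium's code and is not part of the original documentation. It applies a hardened baseline to the keys listed above (TLS certificate validation on, TPM-backed device key, password fallbacks off, debug off) and audits a machine against that baseline, handling the caveat from the DeviceCertKSP row: when the KSP changes, the device certificate is deleted and BopsLogonService restarted. Assumptions not taken from the page: the baseline values and the example.com URLs are the editor's placeholders, the script runs in an elevated session, the device certificate lives in Cert:\LocalMachine\My unless DeviceCertStoreName moves it, and the Windows service is registered under the name BopsLogonService.

```powershell
# Added example (editor's code, not Veridium's). Hardened baseline for the
# VeridiumAD Credential Provider registry keys, plus an audit against it.
# ASSUMED: baseline values, example.com URLs, elevated session, default
# LocalMachine\My store, and the service name "BopsLogonService".

$CpKey = 'HKLM:\SOFTWARE\VeridiumID\VeridiumAD'   # parent key from the page

# Baseline: value name -> registry type and desired value.
$Baseline = [ordered]@{
    # Endpoints: the page's defaults point at a Veridium dev lab; replace them.
    BOPS_URL          = @{ Type = 'String'; Value = 'https://veridium.example.com/websec/rest/enterprise/' }
    BOPS_URL_EXTERNAL = @{ Type = 'String'; Value = 'https://veridium.example.com/websec/rest/enterprise/' }
    FIDO_ORIGIN       = @{ Type = 'String'; Value = 'https://veridium.example.com' }
    # Transport: the page default (0) skips TLS certificate validation.
    ValidateHTTPSCert = @{ Type = 'DWord';  Value = 1 }
    # Device identity: keep the private key in the TPM instead of a software KSP.
    DeviceCertKSP     = @{ Type = 'String'; Value = 'Microsoft Platform Crypto Provider' }
    # Password fallbacks off: no password logon for non-onboarded users, empty allow-list.
    AllowPasswordAuthForNonOnboardedUsers   = @{ Type = 'DWord';  Value = 0 }
    EnableOrchestratorAllowedAccountsPwAuth = @{ Type = 'String'; Value = '' }
    # Local secrets via DPAPI, and no debug files written to TempFolder.
    UseOpenSSLForEncryption = @{ Type = 'DWord'; Value = 0 }
    debug                   = @{ Type = 'DWord'; Value = 0 }
}

function Reset-VeridiumDeviceCert {
    # Per the DeviceCertKSP row: after a KSP change the computer certificate must
    # be deleted and BopsLogonService restarted so a fresh key pair is generated
    # by the new provider. Store and service name are assumptions.
    param([string]$Store = 'Cert:\LocalMachine\My')
    $cfg = Get-ItemProperty -Path $CpKey -ErrorAction SilentlyContinue
    $friendly = if ($cfg.DeviceCertFriendlyName) { $cfg.DeviceCertFriendlyName } else { 'VeridiumID Device Certificate' }
    if ($cfg.DeviceCertStoreName) { $Store = "Cert:\LocalMachine\$($cfg.DeviceCertStoreName)" }
    Get-ChildItem -Path $Store -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -eq $friendly } |
        ForEach-Object { Write-Verbose "Removing device certificate $($_.Thumbprint)"; Remove-Item -Path $_.PSPath }
    Restart-Service -Name BopsLogonService -ErrorAction Stop
}

function Set-VeridiumCpBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [System.Collections.IDictionary]$Settings = $Baseline,
        [string]$Path = $CpKey
    )
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $kspBefore = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).DeviceCertKSP
    foreach ($name in $Settings.Keys) {
        $e = $Settings[$name]
        if ($PSCmdlet.ShouldProcess("$Path\$name", "Set $($e.Type) to '$($e.Value)'")) {
            # -Force overwrites an existing value and enforces the registry type,
            # so a DWORD flag never silently becomes a REG_SZ "1".
            New-ItemProperty -Path $Path -Name $name -PropertyType $e.Type -Value $e.Value -Force | Out-Null
        }
    }
    $kspAfter = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).DeviceCertKSP
    if ($kspBefore -ne $kspAfter -and
        $PSCmdlet.ShouldProcess('device certificate', 'Delete and restart BopsLogonService')) {
        Reset-VeridiumDeviceCert
    }
}

function Test-VeridiumCpBaseline {
    # One row per baseline value. A missing value is reported as $null; for
    # ValidateHTTPSCert that means the CP falls back to its built-in 0.
    param(
        [System.Collections.IDictionary]$Settings = $Baseline,
        [string]$Path = $CpKey
    )
    $current = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Settings.Keys) {
        $actual = if ($current -and $current.PSObject.Properties[$name]) { $current.$name } else { $null }
        [pscustomobject]@{
            Name      = $name
            Expected  = $Settings[$name].Value
            Actual    = $actual
            Compliant = ("$actual" -eq "$($Settings[$name].Value)")
        }
    }
}

# Usage (elevated PowerShell):
#   Set-VeridiumCpBaseline -WhatIf                                   # preview the registry writes
#   Set-VeridiumCpBaseline                                           # apply; restarts the service only if the KSP changed
#   Test-VeridiumCpBaseline | Where-Object { -not $_.Compliant } | Format-Table
```

The same values can be delivered through a Group Policy Preferences registry item, as the introduction says; the audit function is still useful there, because it reports keys that are absent (and therefore running on the CP's built-in defaults, including ValidateHTTPSCert=0) rather than only keys with a wrong value. Before rolling out DeviceCertKSP=Microsoft Platform Crypto Provider, confirm the target machines have a usable TPM, since the device certificate is re-enrolled after the reset.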