CP - Configuration
Veridium Credential Provider can be configured through registry keys. This allows system administrators to adjust settings and deploy them centrally via Group Policy Objects (GPOs). This is in addition to the existing VeridiumID Server configuration.
Enhanced configuration options for the Veridium Credential Provider:
Registry keys can be used to customize features, providing greater flexibility.
Default registry settings enable all features, with the ability to restrict or modify as needed.
Registry key changes can be deployed using Group Policy Objects (GPOs) for centralized management.
Parent Key:
[HKEY_LOCAL_MACHINE\SOFTWARE\VeridiumID\VeridiumAD]
Parameter list:
Registry key | Default value | Type | Description | Available from version |
---|---|---|---|---|
BOPS_URL | | string | URL to the VeridiumID Server when it is on the internal network. | 3.6.2 |
BOPS_URL_EXTERNAL | | string | URL to the VeridiumID Server reachable from the Internet. If the Veridium server is not reachable from the Internet, keep the same value as BOPS_URL. | 3.6.2 |
RA_URL | | string | URL to the VeridiumAD RA Server. | 3.6.2 |
ENROLL_URL | | string | URL to the VeridiumAD EP Server. | 3.6.2 |
FIDO_ORIGIN | | string | FIDO Origin configuration. Needs to match the VeridiumID Server settings. | 3.6.2 |
LastServiceStart | 2196406213 | dword | Internal CP use | 3.2 |
MemberID | ADv2MultiStepEnrollment | string | Internal CP use | 3.2 |
MemberInternalID | d2535f4f-f510-4875-8991-55974a566a69 | string | Internal CP use | 3.2 |
PollTimeMs | 1000 | dword | Internal CP use | 3.6.2 |
EnableCameraSensor | 1 | dword | Legacy | 3.2 |
EnableLumidigmFingerprintSensor | 0 | dword | Legacy | 3.2 |
EnableShellExtension | 0 | dword | Enable/Disable Veridium CP in the shell context menu. | 3.6.2 |
EnableOrchestratorLogin | 1 | dword | Enable/Disable entire VeridiumID CP display in Windows Login screen | 3.6.2 |
EnableOrchestratorInUserTile | 1 | dword | Enable/Disable Veridium CP in User Tile. | 3.6.2 |
EnableOrchestratorQR | 1 | dword | Enable/Disable QR authentication flow on this CP. | 3.6.2 |
EnableOrchestratorPush | 1 | dword | Enable/Disable Push authentication flow on this CP. | 3.6.2 |
EnableOrchestratorOffline | 1 | dword | Enable/Disable Offline authentication flow on this CP. | 3.6.2 |
EnableOrchestratorVFACE | 1 | dword | Enable/Disable VFACE authentication flow on this CP. | 3.6.2 |
EnableOrchestratorFIDO | 1 | dword | Enable/Disable FIDO authentication flow on this CP. | 3.6.2 |
OrchestratorTileImagePath | | | Path to a 256x256 pixel bitmap to be used as the logo. If not specified, the VeridiumID default logo is used. | 3.6.2 |
OrchestratorSmallTileImagePath | | | Path to a 64x64 pixel bitmap to be used in smaller tiles. If not specified, the VeridiumID logo is used as default. | 3.6.2 |
EnableOrchestratorHELP | 0 | dword | Not yet used, placeholder for a future feature. | 3.6.2 |
SetVeridiumAsDefaultCP | 1 | dword | When set to 1, Veridium CP is pre-selected as default credential provider. | 3.6.2 |
ProviderOfflineCaptionFallback | No network available. Switching to offline mode... | string | Message appears when user session started as online but currently network is not available. | 3.6.2 |
ProviderOfflineCaptionFallbackNoCert | No network available, offline mode is not available on this device. | string | Message appears in Offline logon case, but when no cached credentials are available. | 3.6.2 |
ProviderOfflineMessageUserTile | | string | Error message shown when EnableOrchestratorOffline=1 AND EnableOrchestratorInUserTile=1 and the user performs an Unlock in Offline mode. "User tile" means the user is selected from the list of logged-on users. | 3.6.2 |
FaceConfig | C:\Program Files\VeridiumID\VeridiumAD\FaceConfig | string | Legacy | 3.2 |
LivenessTrackerConfig | C:\Program Files\VeridiumID\VeridiumAD\LivenessConfig\Facial Features Tracker.cfg | string | Legacy | 3.2 |
EnableOrchestratorAllowedAccountsPwAuth | <empty> | string | List of semicolon separated values of accounts allowed to logon using password. By default list is empty. | 3.6.2 |
ConnectionMaxRetryCount | 1 | dword | Number of retries applied when the connection to the server is lost. There is normally around 1 s between each try. | 3.6.2 |
EnableSensorPreview | 0 | dword | Enable/Disable preview window in CP authentication when DactyID20 fingerprint sensor is used. | 3.6.2 |
EnableDactyID20FingerprintSensor | 0 | dword | Enable integration of DactyID20 fingerprint sensor. | 3.6.2 |
ApplicationName | VeridiumCP | string | String used in CP Main GUI | 3.6.2 |
ConnectionTimeout | 30 | dword | Timeout set to wait until server responds | 3.6.2 |
CryptographicServiceProvider | Microsoft Software Key Storage Provider | string | Key Storage Provider for User certificate. Possible values are “BOPS Key Storage Provider” and “Microsoft Software Key Storage Provider” for user authentication certificates. | 3.6.2 |
DeviceAlgName | RSA | string | Device certificate algorithm. RSA is the only supported at the moment. | 3.6.2 |
DeviceCertKSP | Microsoft Software Key Storage Provider | string | The CP stores the device certificate in the Local Computer certificate store. The KSP can be "Microsoft Software Key Storage Provider" or "Microsoft Platform Crypto Provider" (to store the private key in the TPM). If DeviceCertKSP is changed, the computer certificate must be deleted manually from the computer store and BopsLogonService must be restarted. | 3.6.2 |
DeviceCertRenewal | 60 | dword | The Device certificate is by default valid one year; certificate is renewed automatically after 60% of the validity time. | 3.6.2 |
DeviceKeyLength | 2048 | dword | Device certificate key length. | 3.6.2 |
EnableOrchestratorExternalPIN | 1 | dword | Allows external token as authentication method (Radius) | 3.6.2 |
EnableOrchestratorLDAP_PASSWORD | 1 | dword | Allows LDAP password as authentication method (e.g. Active Directory account password) | 3.6.2 |
EnableOrchestratorLOST | 1 | dword | Allows Lost mode authentication method | 3.6.2 |
EnableOrchestratorPIN | 1 | dword | Allows PIN authentication method | 3.6.2 |
EnableOrchestratorSMS | 1 | dword | Allows SMS authentication method | 3.6.2 |
EnableOrchestratorSSP | 0 | dword | Allows the Self Service Portal to be started directly from the Credential Provider. The Kiosk account needs to be configured. | 3.6.2 |
EnableOrchestratorUseLastAuthenticationMethod | 0 | dword | The Credential Provider (CP) supports the last used (preferred) authentication method: on logon and unlock the user is taken directly to the last used authentication method. For Push, SMS and DactyID20, the user has to press "Enter" to start authentication (to prevent Push notifications, SMS, etc. from being sent automatically). | 3.6.2 |
KIOSK_Account | kiosk | string | Name of the account used to start Self Service directly from the CP. To enable it, SSP_URL and EnableOrchestratorSSP must be set. | 3.6.2 |
OfflineMaxRetryCount | 1 | dword | Number of retries in Offline mode used to decide whether the computer is online or offline. Each try takes about 2 s. | 3.6.2 |
SSP_URL | https://ssp.develop.Veridium-dev.com/ssp/index.html#enrollment/ | string | URL to Self Service Portal | 3.6.2 |
SupressCPUserTiles | 0 | dword | When set to 1 Veridium Credential Provider is not visible in User tile, but only as a separate CP. | 3.6.2 |
DeviceCertFriendlyName | VeridiumID Device Certificate | string | Friendly name of device certificate. | 3.6.2 |
ShowEditBox | 0 | dword | Not used in active user flows. | 3.6.2 |
EnableSecondaryURLs | 0 | dword | When enabled, system is able to connect to one of several VeridiumID servers. Specific production use case, refer to separate documentation. | 3.6.2 |
IsCitrixSession | 0 | dword | for internal use only | 3.6.2 |
EnableOrchestratorOTP | 1 | dword | Allow OTP in the list of authentication methods | 3.6.2 |
EnableOrchestratorYUBICO_OTP | 1 | dword | Allow to use YUBICO_OTP in list of authentication methods | 3.6.2 |
SecondaryURLsSuffix | | string | When enabled, the system is able to connect to one of several VeridiumID servers. Refer to the separate document to enable this feature. | 3.6.2 |
ExternalID | S-1-5-21-410015106-2063711249-828150371-1997 | string | Internal CP use | 3.6.2 |
TempFolder | C:\temp\ | string | Folder for creation of VFACE temporary files. The user must have read/write access, and the path must end with a backslash. It is used only when debug is set to 1. | 3.6.2 |
EnableAutoQRRefresh | 0 | dword | When the key is set to 1: CP QR code is automatically refreshing at session timeout. When the key is not created or set to 0: The QR will expire after the timeout and will require manual refresh. | 3.6.2 |
DeviceCertStoreName | | string | When the string value is defined, the device certificate is created in a separate certificate store. | |
AllowPasswordAuthForNonOnboardedUsers | 0 | dword | When set to 1 and the name typed under "Other user" belongs to a user who is not onboarded, the CP asks for a password and allows classic password authentication. | 3.7 |
BopsLogonServiceDelay | 400 | dword | Retry mechanism configuration for communication between the CP and the Bops Logon service. Value controls the delay between retries (in ms). | 3.7 |
BopsLogonServiceRetryCount | 5 | dword | Retry mechanism configuration for communication between the CP and the Bops Logon service. Value controls the number of retries. | 3.7 |
ValidateHTTPSCert | 0 | dword | Validate the server's TLS certificate on REST API calls to the server. With the default 0 the certificate is not validated, so an attacker who can intercept traffic can impersonate the server; set to 1 outside lab environments. | 3.6.2 |
DactyID20Port | 19090 | dword | Port to communicate with DactyID20 app. Currently not used, integration done with DLL | 3.6.2 |
DactyID20TimeOut | 60 | dword | Timeout for communication with DactyID20 app. Currently not used, integration done with DLL | 3.6.2 |
EnableFIDOWindowsHello | 0 | dword | When set to 1, Windows Hello can be used as FIDO token. | 3.6.2 |
NormalizeUserIdentifier | 1 | dword | SID is used as standard user identifier | 3.6.2 |
debug | 0 | dword | When set to 1, detailed debug information will be generated | 3.6.2 |
SupressCP | 0 | dword | CP GUI will be suppressed. | 3.6.2 |
DistinguishUnlockLogon | 0 | dword | Since Windows 11, the OS does not distinguish between UNLOCK and LOGON scenarios. When set to 1, the unlock flow is distinguished by listing existing sessions (alternative method). | 3.6.2 |
EnableOrchestratorUserQROnList | 0 | dword | When QR is an authentication method in the workflow and this is set to 1, QR is not shown as a link but in the list on the authentication method screen. | 3.6.2 |
IdentityFormat | SID | string | Values are "SID" or "sAMAccountName". This flag controls how the user is identified when calling the server REST API. | 3.6.2 |
UseOpenSSLForEncryption | 0 | dword | When set to 1, OpenSSL is used for data encryption. When set to 0, standard Windows DPAPI is used. | 3.6.2 |
EnableRDPSSO | 0 | dword | Set to 1 on the target server for which RDP SSO is expected. | 3.6.2 |
EnableRDPEnforceMFA | 0 | dword | When set to 1, any incoming authentication package is ignored and Veridium authentication is required. | 3.6.2 |
UseDetectedFIDOasPreferredMethod | 0 | dword | When FIDO is available, it is used as preferred authentication method. | 3.6.2 |
UseDeviceIntuneCertificate | 0 | dword | Set to 1 when the client is only Azure AD joined and not domain joined. | 3.6.2 |
DeviceIntuneCaName | Intune | string | Substring of the name of CA which issued Intune certificate. | 3.6.2 |
CleanUnusedUserCerts | 1 | dword | Automatically clean unused user certificates from user store. | 3.6.2 |
DelegatedAccountUnlock | 1 | dword | When set to 1 and a shared account was used and there is an unlock scenario, unlock starts directly in the delegation flow. | 3.6.2 |
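The following PowerShell script is an added example, not Veridium tooling, showing how an administrator would apply the keys above with the registry types the table specifies and then audit a machine for drift. It assumes the parent key and key names from this page; the chosen baseline values (TLS certificate validation on, TPM-backed device key, password fallbacks off, debug off) are this example's hardening recommendation and are not Veridium defaults. The same names, types and values can be placed in a Group Policy Preferences Registry item for GPO deployment.

```powershell
# Added example (not Veridium's own code): apply and audit a hardened set of
# Veridium Credential Provider registry values. Run elevated; writes to HKLM.
# Assumption: key names and types are as documented in the table above.

$VeridiumKey = 'HKLM:\SOFTWARE\VeridiumID\VeridiumAD'

# Name -> @{ Type; Value }. Each value is written with the registry type the CP
# expects (REG_DWORD vs REG_SZ); a DWORD written as a string is a common
# deployment mistake that the audit below also catches.
$Baseline = @{
    'ValidateHTTPSCert'                       = @{ Type = 'DWord';  Value = 1 }   # reject forged server certs
    'DeviceCertKSP'                           = @{ Type = 'String'; Value = 'Microsoft Platform Crypto Provider' }  # device key in TPM
    'AllowPasswordAuthForNonOnboardedUsers'   = @{ Type = 'DWord';  Value = 0 }   # no password bypass for unknown users
    'EnableOrchestratorAllowedAccountsPwAuth' = @{ Type = 'String'; Value = '' }  # no password-only accounts
    'debug'                                   = @{ Type = 'DWord';  Value = 0 }   # no verbose logs/temp files on endpoints
}

function Set-VeridiumCpBaseline {
    param([hashtable]$Settings = $Baseline, [string]$Path = $VeridiumKey)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Settings.Keys) {
        $s = $Settings[$name]
        # -Force overwrites an existing value and corrects its type.
        New-ItemProperty -Path $Path -Name $name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
    }
}

function Test-VeridiumCpBaseline {
    param([hashtable]$Settings = $Baseline, [string]$Path = $VeridiumKey)
    $findings = @()
    $item = Get-Item -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Settings.Keys) {
        $expected = $Settings[$name]
        if (-not $item -or $item.GetValueNames() -notcontains $name) {
            # A missing value means the CP uses its built-in default, e.g.
            # ValidateHTTPSCert=0, so report it rather than treat it as compliant.
            $findings += [pscustomobject]@{ Name = $name; Issue = 'missing'; Actual = $null; Expected = $expected.Value }
            continue
        }
        $kind   = $item.GetValueKind($name).ToString()   # 'DWord', 'String', ...
        $actual = $item.GetValue($name)
        if ($kind -ne $expected.Type) {
            $findings += [pscustomobject]@{ Name = $name; Issue = "wrong type ($kind)"; Actual = $actual; Expected = $expected.Value }
        } elseif ("$actual" -ne "$($expected.Value)") {
            $findings += [pscustomobject]@{ Name = $name; Issue = 'unexpected value'; Actual = $actual; Expected = $expected.Value }
        }
    }
    return $findings
}

Set-VeridiumCpBaseline
$drift = Test-VeridiumCpBaseline
if ($drift) { $drift | Format-Table -AutoSize } else { 'Veridium CP baseline applied and verified.' }
```

Changing DeviceCertKSP to the TPM provider on a machine that already has a device certificate only takes effect after the existing computer certificate is deleted from the Local Computer store and BopsLogonService is restarted, as the DeviceCertKSP row notes, so schedule that step with the rollout.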