CP - Configuration
The Veridium Credential Provider can be configured through registry keys and also in the VeridiumID Server. By default the registry keys enable all available features, but they can be used to restrict or change some of them. Registry key changes can also be distributed by GPO.
Key:
[HKEY_LOCAL_MACHINE\SOFTWARE\VeridiumID\VeridiumAD]
Values description:
Key | Default value | Type | Description |
---|---|---|---|
BOPS_URL | | string | URL to the VeridiumID Server when in the internal network. |
BOPS_URL_EXTERNAL | | string | URL to the VeridiumID Server reachable from the Internet. If the Veridium server is not reachable from the Internet, keep the same value as BOPS_URL. |
RA_URL | | string | URL to the VeridiumAD RA Server. |
ENROLL_URL | | string | URL to the VeridiumAD EP Server. |
FIDO_ORIGIN | | string | FIDO Origin configuration. Needs to match the VeridiumID Server settings. |
LastServiceStart | 2196406213 | dword | Internal |
MemberID | ADv2MultiStepEnrollment | string | Internal |
MemberInternalID | d2535f4f-f510-4875-8991-55974a566a69 | string | Internal |
PollTimeMs | 1000 | dword | Internal |
EnableCameraSensor | 1 | dword | Legacy |
EnableLumidigmFingerprintSensor | 0 | dword | Legacy |
EnableShellExtension | 0 | dword | Enable/Disable Veridium CP in the shell context menu. |
EnableOrchestratorLogin | 1 | dword | Enable/Disable the entire VeridiumID CP. |
EnableOrchestratorInUserTile | 1 | dword | Enable/Disable Veridium CP in the user tile. |
EnableOrchestratorQR | 1 | dword | Enable/Disable the QR authentication flow on this CP. |
EnableOrchestratorPush | 1 | dword | Enable/Disable the Push authentication flow on this CP. |
EnableOrchestratorOffline | 1 | dword | Enable/Disable the Offline authentication flow on this CP. |
EnableOrchestratorVFACE | 1 | dword | Enable/Disable the VFACE authentication flow on this CP. |
EnableOrchestratorFIDO | 1 | dword | Enable/Disable the FIDO authentication flow on this CP. |
OrchestratorTileImagePath | | | Path to a 256x256 pixel bitmap. If not specified, the VeridiumID logo is used. |
OrchestratorSmallTileImagePath | | | Path to a 64x64 pixel bitmap. If not specified, the VeridiumID logo is used as default. |
EnableOrchestratorHELP | 0 | dword | Not yet used |
SetVeridiumAsDefaultCP | 1 | dword | When set to 1, Veridium CP is pre-selected as the default credential provider. |
ProviderOfflineCaptionFallback | No network available. Switching to offline mode... | string | Message shown when the user session started online but the network is currently not available. |
ProviderOfflineCaptionFallbackNoCert | No network available, offline mode is not available on this device. | string | Message shown in the Offline logon case when no cached credentials are available. |
ProviderOfflineMessageUserTile | | string | Error message shown when EnableOrchestratorOffline=1 AND EnableOrchestratorInUserTile=1 and the user is doing Unlock in Offline mode. User tile means the user is selected from the list of logged-on users. |
FaceConfig | C:\Program Files\VeridiumID\VeridiumAD\FaceConfig | string | Legacy, not used |
LivenessTrackerConfig | C:\Program Files\VeridiumID\VeridiumAD\LivenessConfig\Facial Features Tracker.cfg | string | Legacy |
EnableOrchestratorAllowedAccountsPwAuth | (empty) | string | Semicolon-separated list of accounts allowed to log on using a password. By default the list is empty. |
ConnectionMaxRetryCount | 1 | dword | Number of retries applied when the connection to the server is lost. There is normally around 1 s between tries. |
EnableSensorPreview | 0 | dword | Enable/Disable the preview window in CP authentication when DactyID20 is used. |
EnableDactyID20FingerprintSensor | 0 | dword | Enable integration of DactyID20. |
ApplicationName | VeridiumCP | string | String used in the CP main GUI. |
ConnectionTimeout | 30 | dword | Timeout to wait until the server responds. |
CryptographicServiceProvider | Microsoft Software Key Storage Provider | string | Key Storage Provider for the user certificate. Possible values are "BOPS Key Storage Provider" and "Microsoft Software Key Storage Provider" for user authentication certificates. |
DeviceAlgName | RSA | string | Device certificate algorithm. RSA is the only supported algorithm at the moment. |
DeviceCertKSP | Microsoft Software Key Storage Provider | string | The CP stores the newly created device certificate in the Local Computer certificate store. The KSP can be "Microsoft Software Key Storage Provider" or "Microsoft Platform Crypto Provider" (to store the private key on the TPM). When DeviceCertKSP is changed, the computer certificate needs to be deleted manually from the computer store and BopsLogonService needs to be restarted. |
DeviceCertRenewal | 60 | dword | The device certificate is valid one year by default; it is renewed automatically after 60% of the validity time. |
DeviceKeyLength | 2048 | dword | Device certificate key length. |
EnableOrchestratorExternalPIN | 1 | dword | Allows an external token as authentication method (RADIUS). |
EnableOrchestratorLDAP_PASSWORD | 1 | dword | Allows an LDAP password as authentication method (e.g. Active Directory password). |
EnableOrchestratorLOST | 1 | dword | Allows the Lost mode authentication method. |
EnableOrchestratorPIN | 1 | dword | Allows the PIN authentication method. |
EnableOrchestratorSMS | 1 | dword | Allows the SMS authentication method. |
EnableOrchestratorSSP | 0 | dword | Allows starting the Self Service Portal directly from the Credential Provider. The Kiosk account needs to be configured. |
EnableOrchestratorUseLastAuthenticationMethod | 0 | dword | The Credential Provider (CP) supports the last used (preferred) authentication method: on logon and unlock the user is directed straight to the last used authentication method. For Push, SMS and DactyID20 the user has to press "Enter" to start authentication (to avoid sending Push notifications, SMS, etc. immediately). |
KIOSK_Account | kiosk | string | Name of the account used to start Self Service directly from the CP. To enable it, SSP_URL and EnableOrchestratorSSP must be set. |
OfflineMaxRetryCount | 1 | dword | Number of retries in Offline mode to decide whether the computer is online or offline. Each try takes about 2 s. |
SSP_URL | https://ssp.develop.veridium-dev.com/ssp/index.html#enrollment/ | string | URL to the Self Service Portal. |
SupressCPUserTiles | 0 | dword | When set to 1, the Veridium Credential Provider is not visible in the user tile, only as a separate CP. |
DeviceCertFriendlyName | VeridiumID Device Certificate | string | |
ShowEditBox | 0 | dword | |
EnableSecondaryURLs | 0 | dword | |
IsCitrixSession | 0 | dword | |
EnableOrchestratorOTP | 1 | dword | |
EnableOrchestratorYUBICO_OTP | 1 | dword | |
SecondaryURLsSuffix | | string | |
ExternalID | S-1-5-21-410015106-2063711249-828150371-1997 | string | |
TempFolder | C:\temp\ | string | Folder for creation of VFACE temporary files. The user must have read/write access, and the path must end with a backslash. |
EnableAutoQRRefresh | 0 | dword | When set to 1, the CP QR code refreshes automatically. When the key is not created or set to 0, the QR code expires after the timeout. |
DeviceCertStoreName | | string | When this string value is defined, the device certificate is created in a separate certificate store. |
AllowPasswordAuthForNonOnboardedUsers | 0 | dword | (3.7) When set to 1 and an "Other user" name is typed for a user who is not onboarded, the process asks for a password and allows classical password authentication. |
BopsLogonServiceDelay | 400 | dword | (3.7) Delay in ms between retries of the retry mechanism for communication between the CP and the Bops Logon service. |
BopsLogonServiceRetryCount | 5 | dword | (3.7) Number of retries of the retry mechanism for communication between the CP and the Bops Logon service. |
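Because these keys are typically pushed by GPO, it is worth checking a `.reg` export of the VeridiumAD key offline for settings that reopen password logon or keep the device key out of the TPM. The following is an added Python example, not Veridium code: the `.reg` content is constructed, and the checks (password fallbacks, non-TPM `DeviceCertKSP`, key length under 2048, non-HTTPS URLs) are the editor's own thresholds derived from the descriptions above.

```python
import re

# Constructed sample .reg export of the VeridiumAD key (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\VeridiumID\VeridiumAD]
"BOPS_URL"="https://veridium.example.internal"
"RA_URL"="http://ra.example.internal"
"DeviceCertKSP"="Microsoft Software Key Storage Provider"
"DeviceKeyLength"=dword:00000400
"AllowPasswordAuthForNonOnboardedUsers"=dword:00000001
"EnableOrchestratorAllowedAccountsPwAuth"="svc_backup;helpdesk"
"EnableOrchestratorLogin"=dword:00000001
"""
VERIDIUM_KEY = r"[hkey_local_machine\software\veridiumid\veridiumad]"
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Return {name: value} for the VeridiumAD key: dwords as int, REG_SZ as str."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):                      # key header: enter/leave our key
            in_key = line.lower() == VERIDIUM_KEY
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            name, dword, s = m.groups()
            # .reg escapes backslashes as \\ inside REG_SZ values
            values[name] = int(dword, 16) if dword is not None else s.replace("\\\\", "\\")
    return values

def audit(values):
    """Findings that weaken password-less logon or device-key protection (assumed thresholds)."""
    findings = []
    if values.get("AllowPasswordAuthForNonOnboardedUsers", 0) == 1:
        findings.append("AllowPasswordAuthForNonOnboardedUsers=1: non-onboarded users may log on with a password")
    accounts = [a for a in values.get("EnableOrchestratorAllowedAccountsPwAuth", "").split(";") if a]
    if accounts:
        findings.append("password logon allowed for: " + ", ".join(accounts))
    if values.get("DeviceCertKSP", "Microsoft Software Key Storage Provider") != "Microsoft Platform Crypto Provider":
        findings.append("DeviceCertKSP is not the TPM-backed Microsoft Platform Crypto Provider")
    if values.get("DeviceKeyLength", 2048) < 2048:
        findings.append(f"DeviceKeyLength={values['DeviceKeyLength']} is below 2048 bits")
    for url_key in ("BOPS_URL", "BOPS_URL_EXTERNAL", "RA_URL", "ENROLL_URL", "SSP_URL"):
        url = values.get(url_key, "")
        if url and not url.lower().startswith("https://"):
            findings.append(f"{url_key} does not use https")
    return findings
```

Run `audit(parse_reg(open("export.reg").read()))` against a real export; an empty list means none of the assumed weak settings are present.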