Client Tools
With Axidian CertiFlow Client Tools you can unlock cards that are used for Windows OS authentication in online and offline modes, as well as cards not used for OS logon.
Install Client Tools
To install Axidian CertiFlow Client Tools on user workstations, run the AxidianCertiFlow.Client.Tools-<version number>.en-us.msi file from the AxidianCertiFlow.Client folder of the distribution and follow the wizard instructions.
Card unlock modes
You can unlock a card using two modes: online and offline. For more information, see Administrator guide.
- Online
- Offline
Online mode requires a connection between the user's workstation (where the locked card is connected) and the Axidian CertiFlow server. This connection is used to authenticate the user by verifying their answers to security questions.
Use an HTTPS connection between user workstations and the Axidian CertiFlow server for online unlock, and enable server certificate verification on the workstations (see the Verify server certificate policy below). Without certificate verification a workstation cannot distinguish the Axidian CertiFlow server from another host answering on the same URL, and the user's security answers would be sent to it.
In offline mode, an Axidian CertiFlow operator unlocks the card using a challenge-response authentication mechanism.
When the PIN retry limit is reached, the user receives a card lockout message along with a unique 16-character challenge code. The user must contact an Axidian CertiFlow operator (for example, by phone), have their identity verified, and obtain the response code that unlocks the card.
Configure online card unlock
Configure card unlock using Windows Group Policies or the Windows Registry (for workstations outside a Windows domain).
- Windows Group Policies
- Windows Registry
To enable the online card unlock feature, configure a Group Policy Object (GPO). This procedure installs the necessary administrative templates and applies the policy to the user workstations.
Copy the contents of the AxidianCertiFlow.Client\Misc\ folder to your central ADMX store. The standard location on a domain controller is C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions.
Info: If you use a local ADMX store instead, copy the files to C:\Windows\PolicyDefinitions.
Open the Group Policy Management console.
In the console tree, create a new GPO or select an existing GPO that applies to the target user workstations.
Right-click the GPO and select Edit.
In the Group Policy Management Editor, go to Computer Configuration → Policies → Administrative Templates → Axidian CertiFlow → Client.
Enable the Smart card unlocking server policy and configure the following parameters:
- In the Service URL parameter, specify the link to the credprovapi component hosted on the Axidian CertiFlow server: https://<Server FQDN>/certiflow/credprovapi.
- In the Verify server certificate parameter, set the value to Yes if server certificate authentication is required. Set it to No (default) if no authentication is required. With No, the workstation accepts any certificate presented on the Service URL, so use Yes wherever the workstations trust the certificate chain of the Axidian CertiFlow server.
Link the edited GPO to the Organizational Unit (OU) that contains the workstations of the Axidian CertiFlow users. If the policy must apply only to some workstations in the OU, restrict it with security filtering on a security group.
Select Apply.
Force a policy update on the target workstations (gpupdate /force) or wait for the next refresh cycle.
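The same procedure driven from PowerShell, as an added example that is not part of the Axidian documentation: it uses the GroupPolicy module (installed with RSAT on a management host or present on a domain controller) to populate the central ADMX store, create the GPO, write the policy values and link the GPO. The domain corp.example, the OU, the server URL and the test workstation are assumptions, as is the assumption that the ADMX-backed Smart card unlocking server policy stores its values under HKLM\SOFTWARE\Policies\AxidianCertiFlow\Client with the value names listed in the registry section of this page.

```powershell
# Added example (not from the Axidian documentation): configure the online
# unlock policy with the GroupPolicy module instead of the GPMC UI.
# Assumptions: the distribution is unpacked in the current folder, the domain
# is corp.example, and the ADMX policy writes the same registry values that
# this page lists for non-domain workstations.
Import-Module GroupPolicy

$domain       = 'corp.example'
$gpoName      = 'Axidian CertiFlow Client - Online Unlock'
$serverUrl    = 'https://certiflow.corp.example/certiflow/credprovapi'
$ou           = 'OU=Workstations,DC=corp,DC=example'
$testHost     = 'ws01.corp.example'
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

# 1. Populate the central ADMX store (the Misc folder ships ADMX and ADML files;
#    -Recurse keeps the language subfolder the ADML files live in).
if (-not (Test-Path $centralStore)) {
    New-Item -ItemType Directory -Path $centralStore | Out-Null
}
Copy-Item -Path '.\AxidianCertiFlow.Client\Misc\*' -Destination $centralStore -Recurse -Force

# 2. Refuse plain HTTP before writing anything: the user's security answers
#    travel over this link.
if ($serverUrl -notmatch '^https://') {
    throw "Service URL must use HTTPS, got: $serverUrl"
}

# 3. Create the GPO if it does not exist yet.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Smart card unlocking server settings'
}

# 4. Write the policy values. Registry-based policy settings live under
#    HKLM\SOFTWARE\Policies; the value names match the REG file on this page.
$key = 'HKLM\SOFTWARE\Policies\AxidianCertiFlow\Client'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'CredProvAPIURL' `
    -Type String -Value $serverUrl | Out-Null
# 0 = verify the server certificate; never ship 1 to production workstations.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'DisableServerCertificateChecking' `
    -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AdminDetails' `
    -Type String -Value 'Contact the IT help desk at extension 1607' | Out-Null

# 5. Link the GPO to the workstation OU (once) and refresh one test host so the
#    result can be checked with gpresult /r before the rollout.
$linked = (Get-GPInheritance -Target $ou).GpoLinks.DisplayName
if ($linked -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
}
Invoke-GPUpdate -Computer $testHost -Target Computer -Force
```

Run it as a domain administrator. After the refresh, `gpresult /r /scope computer` on the test workstation should list the GPO under applied computer policies, and the Smart card unlocking server entry should appear as configured in the Group Policy Management Editor.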
Optional settings of the smart card unlocking service
| Policy | Description |
|---|---|
| Set explanations for offline unlocking | This policy applies to user workstations. If the policy is disabled or not defined, the explanation text for offline card unlock is not displayed in the Credential Provider. This text could provide the contact phone number of the Axidian CertiFlow administrator. |
| Credential Providers: Disable smart card standard provider wrapping | This policy applies to user workstations. If the policy is disabled or not defined, the user can unlock the smart card using the standard Windows OS smart card logon interface. If the policy is enabled, a separate smart card unlock option appears on the OS logon screen. This setting is useful when third-party software is installed on the workstation that prevents card unlock using the standard Credential Provider. |
| Credential Providers: Hide the "Disable the smart card" option | This policy applies to user workstations. If the policy is disabled or not defined, the user can disable the smart card from the Windows OS logon interface. If the policy is enabled, the option to disable the smart card is hidden on the OS logon screen. |
If the Axidian CertiFlow server and user workstations are outside a Windows domain, enter the path to the credprovapi application in the registry of each client workstation.
Create a REG file:

```reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\AxidianCertiFlow\Client]
"CredProvAPIURL"=""
"AdminDetails"=""
"DisableServerCertificateChecking"=dword:00000000
"DisableSuspendCP"=dword:00000000
"DisableWrapperCP"=dword:00000000
```

- CredProvAPIURL: Specify the address of the credprovapi application on the Axidian CertiFlow server, in the form https://<Server FQDN>/certiflow/credprovapi.
- AdminDetails: Specify the explanation text shown to the user for offline unlock, for example the contact phone number of the Axidian CertiFlow administrator.
- DisableServerCertificateChecking: Set the value to 0 (default) if authentication of the Axidian CertiFlow server certificate is required. Set it to 1 (dword:00000001) if authentication is not required. With 1, the workstation accepts any certificate on the CredProvAPIURL address, so keep 0 on production workstations.
- DisableSuspendCP: Set the value to 0 (default) to display the Disable smart card option in the OS logon interface. Set it to 1 (dword:00000001) if the Disable smart card option should not be displayed.
- DisableWrapperCP: Set the value to 0 (default) to perform smart card unlock using the standard Credential Provider. Set it to 1 (dword:00000001) to use a separate Credential Provider.
```reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\AxidianCertiFlow\Client]
"CredProvAPIURL"="https://server.domain.loc/certiflow/credprovapi"
"AdminDetails"="Contact the administrator at extension 1607"
"DisableServerCertificateChecking"=dword:00000000
"DisableSuspendCP"=dword:00000001
"DisableWrapperCP"=dword:00000001
```

In this example, the server name is server.domain.loc, server certificate authentication is enabled, the Disable smart card option is hidden, and smart card unlock is offered through a separate Credential Provider on the OS logon screen.
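The same registry settings applied and then audited from PowerShell, as an added example that is not part of the Axidian documentation. It writes the values from the REG file above on a workgroup workstation and then checks the things that go wrong in practice: a plain-HTTP address, certificate checking switched off, an empty AdminDetails text, and a server certificate the workstation does not trust (which would make every online unlock fail once checking is enforced). The server name server.domain.loc and the help-desk text are the page's own example values; the function names and the regular expression for the URL are assumptions made here.

```powershell
# Added example (not from the Axidian documentation): set and audit the
# Axidian CertiFlow client policy on a non-domain workstation.
# Assumptions: values live under HKLM\SOFTWARE\Policies\AxidianCertiFlow\Client
# with the names from the REG file on this page; function names are hypothetical.
#Requires -RunAsAdministrator

$policyKey = 'HKLM:\SOFTWARE\Policies\AxidianCertiFlow\Client'

function Set-CertiFlowClientPolicy {
    param(
        [Parameter(Mandatory)][string]$CredProvApiUrl,
        [string]$AdminDetails = '',
        [bool]$VerifyServerCertificate = $true,
        [bool]$HideDisableSmartCard = $false,
        [bool]$UseSeparateCredentialProvider = $false
    )
    # The user's security answers travel over this URL: insist on HTTPS and on
    # the documented path to the credprovapi application.
    if ($CredProvApiUrl -notmatch '^https://[^/]+/certiflow/credprovapi/?$') {
        throw "CredProvAPIURL must look like https://<Server FQDN>/certiflow/credprovapi, got: $CredProvApiUrl"
    }
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'CredProvAPIURL' -Value $CredProvApiUrl -Type String
    Set-ItemProperty -Path $policyKey -Name 'AdminDetails'   -Value $AdminDetails   -Type String
    # REG semantics from this page: 0 keeps the certificate check, 1 disables it.
    Set-ItemProperty -Path $policyKey -Name 'DisableServerCertificateChecking' `
        -Value ([int](-not $VerifyServerCertificate)) -Type DWord
    Set-ItemProperty -Path $policyKey -Name 'DisableSuspendCP' `
        -Value ([int]$HideDisableSmartCard) -Type DWord
    Set-ItemProperty -Path $policyKey -Name 'DisableWrapperCP' `
        -Value ([int]$UseSeparateCredentialProvider) -Type DWord
}

function Test-CertiFlowClientPolicy {
    # Returns one string per finding; no output means the workstation is configured safely.
    $p = Get-ItemProperty -Path $policyKey -ErrorAction Stop
    $findings = @()
    if ($p.CredProvAPIURL -notmatch '^https://') {
        $findings += "CredProvAPIURL is not HTTPS: $($p.CredProvAPIURL)"
    }
    if ($p.DisableServerCertificateChecking -ne 0) {
        $findings += 'DisableServerCertificateChecking=1: any host answering on the URL can impersonate the server'
    }
    if ([string]::IsNullOrWhiteSpace($p.AdminDetails)) {
        $findings += 'AdminDetails is empty: users locked out offline will not know whom to call'
    }
    # Live check: the server certificate must chain to a root this workstation trusts.
    # An HTTP error status (404, 405, ...) still proves the TLS handshake succeeded;
    # only a failure without any response points at the certificate or the host.
    try {
        $null = Invoke-WebRequest -Uri $p.CredProvAPIURL -Method Head -UseBasicParsing -TimeoutSec 10
    } catch {
        if (-not $_.Exception.Response) {
            $findings += "Connection/TLS check of $($p.CredProvAPIURL) failed: $($_.Exception.Message)"
        }
    }
    return $findings
}

# Apply the configuration from the example REG file on this page, then audit it.
Set-CertiFlowClientPolicy -CredProvApiUrl 'https://server.domain.loc/certiflow/credprovapi' `
    -AdminDetails 'Contact the administrator at extension 1607' `
    -HideDisableSmartCard $true -UseSeparateCredentialProvider $true
Test-CertiFlowClientPolicy | ForEach-Object { Write-Warning $_ }
```

Run it from an elevated PowerShell session on each workgroup workstation. The audit function is also useful on its own after a REG file has been imported by hand, or as a scheduled check that nobody has set DisableServerCertificateChecking to 1 to work around a certificate problem instead of fixing the server's certificate chain.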