Controlling Smartcard Removal Behavior in WWPass Dashboard

May 2016

TABLE OF CONTENTS

Chapter 1 – Overview
Chapter 2 – Smartcard Removal Behavior

CHAPTER 1 – OVERVIEW

Overview

The Smartcard removal behavior setting defines the action WWPass Dashboard performs when a user disconnects a smartcard from the computer. The value of the Smartcard removal behavior setting can be viewed and changed in the Advanced tab of the WWPass Dashboard application. Alternatively, a system administrator can create a Windows Group Policy to control the value of the Smartcard removal behavior setting on a set of multiple computers connected to a Windows domain.

The Smartcard removal behavior setting of the WWPass Dashboard should not be confused with the Smart card removal behavior setting of Microsoft Windows. Under some circumstances, the Windows Smart Card Removal Policy service may trigger false smart card removal events even if delayed start of the service has been configured. This is likely to happen when slow client or server computers are used, or when the network connection between them has low available bandwidth.

The Smartcard removal behavior setting of the WWPass Dashboard is intended to help a system administrator get consistent behavior on smartcard removal in situations where the Smart Card Removal Policy service of Microsoft Windows does not operate as needed.

When the user disconnects a smartcard (e.g. a WWPass PassKey), the WWPass Dashboard application waits 5 seconds to make sure the smartcard stays disconnected. If the smartcard stays disconnected for 5 seconds, the WWPass Dashboard performs the action defined by the value of the Smartcard removal behavior setting.

WWPass Smartcard removal behavior defines an additional action which is not available in the Windows Smart card removal behavior policy. This action is called “Disconnect remote sessions” and, unlike the other actions, executes on the client computer that initiates a remote connection. When “Disconnect remote sessions” is selected and a user disconnects a WWPass PassKey, WWPass Security Pack silently terminates all instances of Microsoft Remote Desktop on the client computer, effectively leaving RDP sessions in the “Disconnected” state.

Requirements

Server side: Microsoft Windows Server 2008 R2 and later.

Client side: Microsoft Windows Vista and later.

CHAPTER 2 – SMARTCARD REMOVAL BEHAVIOR

Registry Key

The Smartcard removal behavior setting is stored in the following registry key:

HKEY_CURRENT_USER\Software\WWPass\Dashboard

Value name is onRemove.

This setting can take the following values:

Value   Action
0       No action.
1       Disconnect (logoff).
2       Force logoff (disconnect).
3       Disconnect all Remote Sessions (disconnectAll).

The WWPass Dashboard reads the value of the Smartcard removal behavior variable every time the application is started and each time the user switches to the Advanced tab of the application.

Creating Group Policy to Control Smartcard Removal Behavior

  1. Log on to your domain controller and start a command prompt as an Administrator.
  2. Execute 'gpmc' command.
  3. Right click on the Organizational Unit where the required users reside. Select 'Create a GPO in this domain, and link it here...'.
  4. Specify a new GPO name.
  5. Right click on the newly created GPO and select 'Edit...'.
  6. Expand folders 'Preferences\Windows Settings' under 'User Configuration' on the left pane of 'Group Policy Management Editor' window.
  7. Right click on 'Registry' and select 'New\Registry Item'. 'New Registry Properties' window appears.
  8. Select 'Create' under 'Action'.
  9. Specify the following parameters:
    1. Select ‘HKEY_CURRENT_USER’ under ‘Hive’;
    2. Browse and select the Key Path: Software\WWPass\Dashboard;
    3. Enter ‘onRemove’ under ‘Value name’;
    4. Select ‘REG_SZ’ under ‘Value type’;
    5. Enter the ‘Value data’ according to the required action:
      1. ‘0’ for no action;
      2. ‘1’ for disconnect (logoff);
      3. ‘2’ for force logoff (disconnect);
      4. ‘3’ for disconnect of all Remote Sessions (disconnectAll).
  10. Click 'OK' button.

Applying the Group Policy Settings

  1. Execute 'gpupdate /force' command on the client’s computer to apply the created Group Policy settings.
  2. Open the registry editor regedit and make sure the new registry keys have appeared.
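
One way to script the check in step 2, run in the affected user's session after 'gpupdate /force' (an added example, not part of the original WWPass document). The registry path, value name, type and value table come from this document; the function name Test-OnRemoveSetting and the expected value '3' are assumptions chosen for illustration.

```powershell
# Added example: verify the onRemove value written by the Group Policy preference.
# Key path, value name, REG_SZ type and the value-to-action table are from this document.
$keyPath   = 'HKCU:\Software\WWPass\Dashboard'
$valueName = 'onRemove'
$actions   = @{
    '0' = 'No action.'
    '1' = 'Disconnect (logoff).'
    '2' = 'Force logoff (disconnect).'
    '3' = 'Disconnect all Remote Sessions (disconnectAll).'
}

# Hypothetical helper name; -Expected is the value data the GPO is meant to enforce.
function Test-OnRemoveSetting {
    param([string]$Expected)

    if (-not (Test-Path -Path $keyPath)) {
        return "FAIL: key $keyPath does not exist (policy not applied to this user?)"
    }
    $key = Get-Item -Path $keyPath
    if ($key.GetValueNames() -notcontains $valueName) {
        return "FAIL: value '$valueName' is missing under $keyPath"
    }

    # The GPO procedure creates a REG_SZ; flag any other type (e.g. a DWORD set by hand).
    $kind = $key.GetValueKind($valueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
        return "FAIL: '$valueName' is of type $kind, expected REG_SZ (String)"
    }

    $data = [string]$key.GetValue($valueName)
    if (-not $actions.ContainsKey($data)) {
        return "FAIL: '$valueName' = '$data' is not one of 0, 1, 2, 3"
    }
    if ($Expected -and $data -ne $Expected) {
        return "FAIL: '$valueName' = '$data', but the policy should set '$Expected'"
    }
    return "OK: '$valueName' = '$data' -> $($actions[$data])"
}

# '3' is a sample expected value; use the value data entered in the GPO.
Test-OnRemoveSetting -Expected '3'
```

Because the value lives under HKEY_CURRENT_USER, the check reflects only the account it runs under; an elevated prompt opened with different credentials reads that other account's hive.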


Copyright 2014 WWPass Corp. All rights reserved.
WWPass | 1155 Elm Street, Manchester, NH 03101 | Tel: +1.603.836.4932 or +1.888.997.2771 | www.wwpass.com