Smartcard Removal Behavior
Controlling Smartcard Removal Behavior in WWPass Dashboard
CHAPTER 1 – OVERVIEW
Overview
The Smartcard removal behavior setting defines the action WWPass Dashboard performs when a user disconnects a smartcard from the computer. The value of the Smartcard removal behavior setting can be viewed and changed in the Advanced tab of the WWPass Dashboard application. Alternatively, a system administrator can create a Windows Group Policy to control the value of the Smartcard removal behavior setting on a set of multiple computers connected to a Windows domain.
The Smartcard removal behavior setting of the WWPass Dashboard should not be confused with the Smart card removal behavior setting of Microsoft Windows. Under some circumstances, the Windows Smart Card Removal Policy service may trigger false smart card removal events even if delayed start of the Smart Card Removal Policy service has been configured. This is likely to happen when slow client or server computers are used, or when the network connection between them has low bandwidth available.
The Smartcard removal behavior setting of the WWPass Dashboard is intended to help a system administrator get consistent behavior on smartcard removal in situations where the Smart Card Removal Policy service of Microsoft Windows does not operate as needed.
When the user disconnects a smartcard (e.g. a WWPass Key), the WWPass Dashboard application waits 5 seconds to make sure the smartcard stays disconnected. If the smartcard stays disconnected for 5 seconds, the WWPass Dashboard performs the action defined by the value of the Smartcard removal behavior setting.
WWPass Smartcard removal behavior defines an additional action that is not available in the Windows Smart card removal behavior policy. This action is called “Disconnect remote sessions” and, unlike the other actions, executes on the client computer that initiates a remote connection. When “Disconnect remote sessions” is selected and a user disconnects a WWPass Key, WWPass Security Pack silently terminates all instances of Microsoft Remote Desktop on the client computer, effectively leaving RDP sessions in the “Disconnected” state.
Requirements
Server side: Microsoft Windows Server 2008 R2 and later.
Client side: Microsoft Windows Vista and later.
CHAPTER 2 – SMARTCARD REMOVAL BEHAVIOR
Registry Key
The Smartcard removal behavior setting is stored in the following registry key:
HKEY_CURRENT_USER\Software\WWPass\Dashboard
The value name is onRemove.
This setting can take the following values:
Value | Action |
---|---|
0 | No action |
1 | Disconnect (logoff) |
2 | Force logoff (disconnect) |
3 | Disconnect all Remote Sessions (disconnectAll) |
Creating Group Policy to Control Smartcard Removal Behavior
1. Log on to your domain controller and start a command prompt as an Administrator.
2. Execute 'gpmc' command.
3. Right click on the Organizational Unit where the required users reside. Select 'Create a GPO in this domain, and link it here...'.
4. Specify a new GPO name.
5. Right click on the newly created GPO and select 'Edit...'.
6. Expand folders 'Preferences\Windows Settings' under 'User Configuration' on the left pane of 'Group Policy Management Editor' window.
7. Right click on 'Registry' and select 'New\Registry Item'. 'New Registry Properties' window appears.
8. Select 'Create' under 'Action'.
9. Specify the following parameters:
9.1. Select ‘HKEY_CURRENT_USER’ under ‘Hive’;
9.2. Browse and select the Key Path: Software\WWPass\Dashboard;
9.3. Enter ‘onRemove’ under ‘Value name’;
9.4. Select ‘REG_SZ’ under ‘Value type’;
9.5. Enter the ‘Value data’ according to the required action:
- ‘0’ for no action;
- ‘1’ for disconnect (logoff);
- ‘2’ for force logoff (disconnect);
- ‘3’ for disconnect of all Remote Sessions (disconnectAll).
Click
Applying the Group Policy Settings
Execute the 'gpupdate /force' command on the client computer to apply the created Group Policy settings.
Open the registry editor (regedit) and make sure the new registry keys have appeared.
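The same check can be scripted for the logged-on user. The following PowerShell is an added example, not part of the WWPass documentation: it reads onRemove from the key described above and verifies that it is a REG_SZ holding one of the four documented values. The function name Test-OnRemoveSetting is hypothetical.

```powershell
# Added example: audit the WWPass Dashboard onRemove value for the current user.
# Run in the user's session after 'gpupdate /force' (the setting lives in HKCU).
$keyPath   = 'HKCU:\Software\WWPass\Dashboard'
$valueName = 'onRemove'

# Value-to-action mapping copied from the table in this document.
$actions = @{
    '0' = 'No action'
    '1' = 'Disconnect (logoff)'
    '2' = 'Force logoff (disconnect)'
    '3' = 'Disconnect all Remote Sessions (disconnectAll)'
}

# Hypothetical helper name; returns an object with Ok (bool) and Detail (string).
function Test-OnRemoveSetting {
    param([string]$Path = $keyPath, [string]$Name = $valueName)

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Ok = $false; Detail = "Key $Path not found" }
    }
    $key = Get-Item -Path $Path
    if ($key.GetValueNames() -notcontains $Name) {
        return [pscustomobject]@{ Ok = $false; Detail = "Value $Name is not set" }
    }

    # The policy item is created as REG_SZ, so a DWORD here means the
    # value was written by something other than the documented GPO.
    $kind = $key.GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
        return [pscustomobject]@{ Ok = $false; Detail = "Type is $kind, expected REG_SZ" }
    }

    $data = [string]$key.GetValue($Name)
    if (-not $actions.ContainsKey($data)) {
        return [pscustomobject]@{ Ok = $false; Detail = "Unexpected data '$data'" }
    }
    return [pscustomobject]@{ Ok = $true; Detail = "$Name = $data ($($actions[$data]))" }
}

$result = Test-OnRemoveSetting
$result | Format-List
if (-not $result.Ok) { exit 1 }
```

A non-zero exit code makes the script usable from a logon script or a compliance scan that flags clients where the policy did not apply.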