Smartcard Removal Behavior

Controlling Smartcard Removal Behavior in WWPass Dashboard

CHAPTER 1 – OVERVIEW

Overview

The Smartcard removal behavior setting defines the action WWPass Dashboard performs when a user disconnects a smartcard from the computer. The value of the Smartcard removal behavior setting can be viewed and changed in the Advanced tab of the WWPass Dashboard application. Alternatively, a system administrator can create a Windows Group Policy to control the value of the Smartcard removal behavior setting on a set of multiple computers connected to a Windows domain.

The Smartcard removal behavior setting of the WWPass Dashboard should not be confused with the Smart card removal behavior setting of Microsoft Windows. Under some circumstances the Windows Smart Card Removal Policy service may trigger false smart card removal events, even if delayed start of the Smart Card Removal Policy service has been configured. This is likely to happen when slow client or server computers are used, or when the network connection between them has low bandwidth available.

The Smartcard removal behavior setting of the WWPass Dashboard is intended to help a system administrator get consistent behavior on smartcard removal in situations where the Smart Card Removal Policy service of Microsoft Windows does not operate as needed.

When the user disconnects a smartcard (e.g. a WWPass Key), the WWPass Dashboard application waits 5 seconds to make sure the smartcard stays disconnected. If the smartcard stays disconnected for 5 seconds, the WWPass Dashboard performs the action defined by the value of the Smartcard removal behavior setting.

WWPass Smartcard removal behavior defines an additional action which is not available in the Windows Smart card removal behavior policy. This action is called “Disconnect remote sessions” and, unlike the other actions, executes on the client computer that initiates a remote connection. When “Disconnect remote sessions” is selected and a user disconnects a WWPass Key, WWPass Security Pack silently terminates all instances of Microsoft Remote Desktop on the client computer, effectively leaving RDP sessions in the “Disconnected” state.

Requirements

Server side: Microsoft Windows Server 2008 R2 and later.

Client side: Microsoft Windows Vista and later.

CHAPTER 2 – SMARTCARD REMOVAL BEHAVIOR

Registry Key

The Smartcard removal behavior setting is stored in the following registry key:

HKEY_CURRENT_USER\Software\WWPass\Dashboard

Value name is onRemove.

This setting can take the following values:

Value   Action
0       No action
1       Disconnect (logoff)
2       Force logoff (disconnect)
3       Disconnect all Remote Sessions (disconnectAll)

Creating Group Policy to Control Smartcard Removal Behavior

  1. Log on to your domain controller and start a command prompt as an Administrator.

  2. Execute 'gpmc' command.

  3. Right click on the Organizational Unit where the required users reside. Select 'Create a GPO in this domain, and link it here...'.

  4. Specify a new GPO name.

  5. Right click on the newly created GPO and select 'Edit...'.

  6. Expand folders 'Preferences\Windows Settings' under 'User Configuration' on the left pane of 'Group Policy Management Editor' window.

  7. Right click on 'Registry' and select 'New\Registry Item'. 'New Registry Properties' window appears.

  8. Select 'Create' under 'Action'.

  9. Specify the following parameters:

    9.1. Select ‘HKEY_CURRENT_USER’ under ‘Hive’;

    9.2. Browse and select the Key Path: Software\WWPass\Dashboard;

    9.3. Enter ‘onRemove’ under ‘Value name’;

    9.4. Select ‘REG_SZ’ under ‘Value type’;

    9.5. Enter the ‘Value data’ according to the required action:

    • ‘0’ for no action;

    • ‘1’ for disconnect (logoff);

    • ‘2’ for force logoff (disconnect);

    • ‘3’ for disconnect of all Remote Sessions (disconnectAll).

  10. Click 'OK'.

Applying the Group Policy Settings

  1. Execute 'gpupdate /force' command on the client’s computer to apply the created Group Policy settings.

  2. Open the registry editor (regedit) and make sure the new registry keys have appeared.
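
The registry check in step 2 can also be scripted. The PowerShell function below is an added example, not WWPass code: it reads onRemove for the current user, confirms the value is REG_SZ as set in the GPO item, and compares it with the intended action. The function name Test-WWPassOnRemove and the -Expected parameter are assumptions made for this example.

```powershell
# Added example, not WWPass code. Key path, value name, value type and the
# value-to-action table come from this page; the function name and the
# -Expected parameter are assumptions made for this example.
function Test-WWPassOnRemove {
    param(
        [ValidateSet('0', '1', '2', '3')]
        [string]$Expected = '3'   # assumed target; pass the value your GPO sets
    )

    $keyPath = 'HKCU:\Software\WWPass\Dashboard'
    $name    = 'onRemove'
    $actions = @{
        '0' = 'No action'
        '1' = 'Disconnect (logoff)'
        '2' = 'Force logoff (disconnect)'
        '3' = 'Disconnect all Remote Sessions (disconnectAll)'
    }

    $status = 'OK'; $kind = $null; $data = $null
    if (-not (Test-Path -Path $keyPath)) {
        $status = 'KeyMissing'            # key absent for this user
    } else {
        $key = Get-Item -Path $keyPath
        if ($key.GetValueNames() -notcontains $name) {
            $status = 'ValueMissing'
        } else {
            $kind = $key.GetValueKind($name)
            $data = [string]$key.GetValue($name)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
                $status = 'WrongType'     # the GPO item above writes REG_SZ
            } elseif (-not $actions.ContainsKey($data)) {
                $status = 'UnknownValue'  # outside the 0-3 table on this page
            } elseif ($data -ne $Expected) {
                $status = 'Mismatch'      # valid value, but not the intended action
            }
        }
    }

    [pscustomobject]@{
        User      = "$env:USERDOMAIN\$env:USERNAME"
        Status    = $status
        ValueKind = $kind
        ValueData = $data
        Action    = if ($null -ne $data -and $actions.ContainsKey($data)) { $actions[$data] } else { $null }
        Expected  = $Expected
    }
}

Test-WWPassOnRemove -Expected '3'
```

Because the value is stored under HKEY_CURRENT_USER, run the function in the session of a user the GPO applies to; an elevated prompt under a different account reads that account's hive instead.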