PIN Caching
ActivClient provides advanced Card Authentication Management, which defines how you can use PIN-protected services on the card, such as the RSA private keys.
This relies on a flexible PIN Caching service that you can configure with a variety of settings, ranging from very easy to use to more complex, secure settings.
For a full description of the ActivClient PIN Caching service, see PIN Caching Service.
For the PIN Caching policy changes to be applied, you must restart the workstation.
Allow per-process PIN caching
Description:
Defines if the PIN cache is shared between Microsoft Windows processes.
If this setting is not configured or disabled, then all processes running in the same session share the same PIN cache.
Allow PIN sharing when an ASR rule is configured
Description:
Defines if the PIN cache is shared between Microsoft Windows system processes.
When the ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" under "Windows Defender Exploit Guard" is enabled, enable this GPO setting to allow system processes to share the PIN cache.
If this setting is not configured or disabled, the system processes cannot share the PIN Cache.
Disable PIN cache clearance on workstation lock
Description:
Disables the clearance of the PIN cache when the workstation is locked.
If this setting is not configured or disabled, then the PIN is cleared from the cache when the workstation is locked.
Disabling PIN cache clearance when the workstation is locked lowers the smart card deployment security.
Enable PIN caching for "PIN Always" private keys
Description:
Defines if the PIN cache is applicable for operations with a private key configured for "PIN Always".
If enabled and the selected PIN Cache Type is User Acknowledgement, a confirmation dialog guarantees non-repudiation for these operations.
If enabled and the selected PIN Cache Type is Full Caching, then PIN entry is automatic without user action (not compliant with FIPS 201).
If this setting is enabled, per-process PIN caching is recommended for improved security and for FIPS 201 compliance.
Exclude Executables from ActivClient PIN cache
Description:
List of executables excluded from ActivClient PIN cache use (applicable to CAPI/CNG-based executables).
Possible Values:
- Not Configured
- Enabled – allows you to add the list of applications for which PIN caching should be excluded.
- Disabled
Number of minutes before PIN cache is cleared
Description:
Defines the number of minutes before the PIN cache is cleared. The default value is 15.
If this value is set to 9999, the PIN cache timeout is infinite. This means that the PIN cache is cleared only at log off, shutdown, session disconnect, card removal, or workstation lock (depending on the Disable PIN cache clearance on workstation lock setting).
If this setting is disabled or not configured, the default value is used.
Possible Values:
- Not Configured
- Enabled – displays the default value, 15, which can be updated
- Disabled
Enable logging for ActivClient PIN cache use
Description:
Enables the creation of entries in the Microsoft Windows Event Viewer for ActivClient PIN cache use (PIN set, removed). This is used to troubleshoot potential PIN caching issues.
If this setting is disabled or not configured, then ActivClient PIN cache use events are not logged.
Possible Values:
- Not Configured
- Enabled – PIN cache use events are logged.
- Disabled
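The settings above each state what happens when they are "not configured or disabled", and several of them interact (the 9999 timeout sentinel, lock clearance, "PIN Always" caching versus per-process caching and the PIN Cache Type). The following added example, which is not part of the ActivClient documentation, models how a PIN Caching policy resolves to effective behaviour and runs a baseline review over the result. The dictionary keys are labels chosen for this example rather than the registry value names the ActivClient ADMX template writes, and both sample policies are constructed.

```python
"""Model of the ActivClient PIN Caching policy settings described on this page.
Added example, not vendor code. Setting names (dictionary keys) are this
example's own labels; the two sample policies at the bottom are constructed."""
from dataclasses import dataclass
from typing import List, Optional

NOT_CONFIGURED = "not_configured"
ENABLED = "enabled"
DISABLED = "disabled"

DEFAULT_TIMEOUT_MINUTES = 15  # documented default for the cache timeout setting
INFINITE_TIMEOUT = 9999       # documented sentinel meaning "never time out"


@dataclass(frozen=True)
class EffectivePinCache:
    per_process: bool              # one cache per process instead of per session
    system_process_sharing: bool   # system processes may share the cache (lsass ASR case)
    cleared_on_lock: bool          # cache is cleared when the workstation locks
    timeout_minutes: Optional[int] # None means infinite
    pin_always_cached: bool        # cache also used for "PIN Always" private keys
    pin_cache_type: str            # "user_acknowledgement" or "full" (PIN Caching Service)
    logging: bool                  # PIN set/removed events written to Event Viewer
    excluded_executables: tuple    # CAPI/CNG executables kept out of the cache


def resolve(policy: dict) -> EffectivePinCache:
    """Apply the 'not configured or disabled' defaults stated for each setting."""
    def enabled(name: str) -> bool:
        return policy.get(name, NOT_CONFIGURED) == ENABLED

    timeout: Optional[int] = DEFAULT_TIMEOUT_MINUTES
    if enabled("timeout"):
        value = int(policy.get("timeout_minutes", DEFAULT_TIMEOUT_MINUTES))
        timeout = None if value == INFINITE_TIMEOUT else value

    excluded = tuple(policy.get("excluded_executables", ())) if enabled("exclude_executables") else ()

    return EffectivePinCache(
        per_process=enabled("per_process_caching"),
        system_process_sharing=enabled("asr_pin_sharing"),
        cleared_on_lock=not enabled("disable_clear_on_lock"),
        timeout_minutes=timeout,
        pin_always_cached=enabled("pin_always_caching"),
        pin_cache_type=policy.get("pin_cache_type", "user_acknowledgement"),
        logging=enabled("logging"),
        excluded_executables=excluded,
    )


def review(policy: dict, asr_lsass_rule_configured: bool = False) -> List[str]:
    """Findings a deployment reviewer would raise for the resolved policy."""
    eff = resolve(policy)
    findings: List[str] = []
    if not eff.cleared_on_lock:
        findings.append("PIN cache survives workstation lock (lowers smart card deployment security)")
    if eff.timeout_minutes is None:
        findings.append("infinite PIN cache timeout: cleared only at log off, shutdown, "
                        "session disconnect, card removal or lock")
    elif eff.timeout_minutes > DEFAULT_TIMEOUT_MINUTES:
        findings.append(f"PIN cache timeout of {eff.timeout_minutes} min exceeds the "
                        f"documented default of {DEFAULT_TIMEOUT_MINUTES}")
    if eff.pin_always_cached:
        if eff.pin_cache_type == "full":
            findings.append("'PIN Always' keys usable without user action (not FIPS 201 compliant)")
        if not eff.per_process:
            findings.append("per-process PIN caching recommended when 'PIN Always' caching is enabled")
    if asr_lsass_rule_configured and not eff.system_process_sharing:
        findings.append("lsass ASR rule configured but system processes cannot share the PIN cache")
    if not eff.logging:
        findings.append("PIN cache use events are not logged to the Event Viewer")
    return findings


# Constructed sample policies (not taken from any real deployment).
HARDENED_POLICY = {
    "per_process_caching": ENABLED,
    "timeout": ENABLED, "timeout_minutes": 10,
    "logging": ENABLED,
    "exclude_executables": ENABLED, "excluded_executables": ["example-tool.exe"],
}
LAX_POLICY = {
    "per_process_caching": DISABLED,
    "disable_clear_on_lock": ENABLED,
    "timeout": ENABLED, "timeout_minutes": INFINITE_TIMEOUT,
    "pin_always_caching": ENABLED, "pin_cache_type": "full",
}

if __name__ == "__main__":
    for label, pol in (("hardened", HARDENED_POLICY), ("lax", LAX_POLICY)):
        print(label, resolve(pol))
        for finding in review(pol):
            print("  -", finding)
```

Running the module prints the resolved behaviour and the findings for both constructed policies; the hardened one produces no findings, while the lax one shows how an infinite timeout, surviving lock and full caching of "PIN Always" keys stack up.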