Per Session or Per Process PIN Caching

ActivClient PIN cache can be configured to apply either per session (this refers to the Windows session) or per process (this refers to a Windows process).

Per session mode (the default configuration) allows all the processes in the user’s Windows session to share the same PIN cache (that is, user authentication is required once for the entire session, regardless of which applications are used during the session).

In per process mode, the PIN cache is separate for each Windows process (that is, users need to enter their PIN at least once per process that will use the card).

Policy Name: Allow per-process PIN caching

Description:

Defines whether the PIN cache is shared between Microsoft Windows processes.

If this setting is not configured or disabled, then all processes running in the same session share the same PIN cache.

Example 1: Per Process Mode

The following steps are an example of processes running on a workstation:

  1. Set the policy to Enabled.

  2. Open Microsoft Outlook with your smart card inserted.

  3. Send a signed email, and enter your PIN when prompted.

  4. Send a second signed email. You are not prompted for the PIN because it is already cached.

  5. Close and re-open Microsoft Outlook.

  6. Send a signed email. You are prompted for the PIN again because it is a different Windows process.

The same behavior would occur if one process was Microsoft Outlook and the other was Internet Explorer (running simultaneously), or if two Internet Explorer processes were running simultaneously.

Example 2: Per Session Mode

The following steps are an example of processes running on a workstation:

  1. Set the policy to Disabled.

  2. Open Outlook with your smart card inserted.

  3. Send a signed email. You are prompted for the PIN.

  4. Send a second signed email. You are not prompted for the PIN because it is already cached.

  5. Close and re-open Microsoft Outlook.

  6. Send a signed email. You are not prompted for the PIN because it is cached and shared between processes.

Example 3: Per Session Mode

The following steps are an example of processes running on a Microsoft Terminal Server and on a user workstation:

  1. On the user workstation and on the server, set the policy to Disabled.

  2. Open Microsoft Outlook on the workstation, with your smart card inserted.

  3. Send a signed email, and enter your PIN when prompted.

  4. Send a second signed email. You are not prompted for the PIN because it is already cached.

  5. Close Microsoft Outlook.

  6. Open the session to Terminal Server. In this remote session, open Outlook.

  7. Send a signed email. You are prompted for the PIN again because it is cached only for the local workstation. ActivClient running on Terminal Server has a separate Windows session with its separate PIN cache.
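The three examples above differ only in how the cache is keyed: by Windows session in per session mode, by session and process in per process mode. The following Python model is an added illustration written for this page; it is not ActivClient code and makes no claim about how ActivClient stores the cache internally. Session names, process ids and the "use the card" operation are constructed for the example. Each call to use_card returns True when the user would be prompted for the PIN and False when the cached PIN would be reused, so the three scenarios can be replayed and compared.

```python
"""Model of the per session / per process PIN cache scoping described above.

Added illustration, not ActivClient code. Assumptions (constructed for this
example): a process is identified by its Windows session name and a process
id, and one card operation (for instance signing an email) either prompts
for the PIN or reuses a cached one.
"""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Process:
    """A Windows process: the session it runs in plus its process id."""
    session: str   # constructed names such as "console" or "terminal-server"
    pid: int


@dataclass
class PinCache:
    # per_process=True models the policy set to Enabled; False models
    # Disabled or not configured (the default, per session behaviour).
    per_process: bool
    _entries: set = field(default_factory=set)

    def _key(self, proc: Process) -> tuple:
        # Per process mode keys the cache on (session, pid); per session mode
        # keys it on the session alone, so every process in the session shares it.
        return (proc.session, proc.pid) if self.per_process else (proc.session,)

    def use_card(self, proc: Process) -> bool:
        """Return True if this operation would prompt for the PIN."""
        key = self._key(proc)
        if key in self._entries:
            return False          # PIN already cached for this scope
        self._entries.add(key)    # user enters the PIN; cache it for this scope
        return True


def example_1_per_process() -> list:
    """Policy Enabled: Outlook, sign twice, re-open Outlook, sign again."""
    cache = PinCache(per_process=True)
    outlook = Process("console", 1001)
    prompts = [cache.use_card(outlook), cache.use_card(outlook)]
    outlook_reopened = Process("console", 1002)   # new process, new pid
    prompts.append(cache.use_card(outlook_reopened))
    return prompts


def example_1_second_application() -> bool:
    """Policy Enabled: a second process (e.g. a browser) running at the same time
    as an already authenticated Outlook still prompts."""
    cache = PinCache(per_process=True)
    cache.use_card(Process("console", 1001))      # Outlook authenticates
    return cache.use_card(Process("console", 2001))


def example_2_per_session() -> list:
    """Policy Disabled: same steps as example 1, cache shared across processes."""
    cache = PinCache(per_process=False)
    outlook = Process("console", 1001)
    prompts = [cache.use_card(outlook), cache.use_card(outlook)]
    outlook_reopened = Process("console", 1002)
    prompts.append(cache.use_card(outlook_reopened))
    return prompts


def example_3_terminal_server() -> list:
    """Policy Disabled on both machines: the remote session has its own cache."""
    cache = PinCache(per_process=False)
    local_outlook = Process("console", 1001)
    prompts = [cache.use_card(local_outlook), cache.use_card(local_outlook)]
    remote_outlook = Process("terminal-server", 3001)   # separate Windows session
    prompts.append(cache.use_card(remote_outlook))
    return prompts


if __name__ == "__main__":
    print("Example 1 (per process):", example_1_per_process())
    print("Example 1, second app prompts:", example_1_second_application())
    print("Example 2 (per session):", example_2_per_session())
    print("Example 3 (terminal server):", example_3_terminal_server())
```

Replaying the scenarios makes the operational difference concrete: in per session mode, once any process in the session has authenticated, every other process in that session can use the card without a prompt, whereas per process mode confines the cached PIN to the process that entered it. The Terminal Server case falls out of the same rule, since a remote session is a different session key regardless of the policy setting.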