Managing Virtual Smart Cards

Virtual smart card (VSC) devices are hosted on end-user computers and managed just like physical smart cards, in the sense that:

  • They are accessible through a smart card reader.

  • They can be enrolled in the User Portal (this setting must be enabled in the Operator Portal; for details, see Setting Parameters for Devices).

  • They can be managed in the Help Desk.

The major differences with respect to physical smart cards are:

  • VSC devices are always detected as present in their associated reader.

  • VSC devices cannot be recycled by an operator. Only the end-user can access the VSC device (on his/her computer).

About Microsoft Virtual Smart Cards

Microsoft’s virtual smart card technology emulates the two-factor authentication security benefits of card-based credentials. It eliminates the need for separate authentication hardware (physical cards and readers).

The virtual smart card is created in the native Trusted Platform Module (TPM) present on the device’s motherboard, and the associated keys are isolated in cryptographically secured hardware.

The virtual smart card is protected by a PIN, offering a two-factor authentication model.

The main difference compared to physical smart cards is that the virtual smart card is part of the Microsoft Windows device (desktop, laptop or tablet). Multiple virtual smart cards are needed if multiple Microsoft Windows devices are used.

The virtual smart card provides the same functionality as physical smart cards:

  • Authentication:

    • Authentication to the Microsoft Windows desktop.

    • Two-factor authentication-based remote access.

    • Client authentication using Secure Sockets Layer (SSL) or a similar technology.

    • Remote desktop connections with virtual smart cards stored on the connecting computer that are loaded onto the remote computer.

    • Windows To Go with virtual smart cards provisioned for the user on removable storage devices.

  • Encryption:

    • S/MIME email

    • BitLocker for data volumes

    • Signing data using digital signatures containing a private key that is stored in the virtual smart card.

For further information about virtual smart cards, go to:
https://technet.microsoft.com/en-us/library/dn593708(v=ws.11).aspx
https://technet.microsoft.com/en-us/library/dn578507(v=ws.11).aspx

Prerequisites for Using Virtual Smart Cards

  • The URL for the User Portal where the device is to be self-issued must be added as a Trusted Site in the user’s browser.

  • Self-binding and self-issuance must be enabled for the User Portal; for details, see Configure the ActivID CMS User Portal.
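The first prerequisite can be enforced for a deployment rather than left to each user. The following PowerShell script is an added example (it is not part of the ActivID CMS documentation or product) that writes the User Portal host into the current user's Internet Explorer "Trusted Sites" zone using the standard Windows zone map registry layout (ZoneMap\Domains\<domain>\<host>, DWORD <scheme> = zone id, where 2 is Trusted Sites). The host name cms-portal.example.com is a constructed placeholder.

```powershell
# Added example, not ActivID CMS code: add the User Portal host to the current user's
# Trusted Sites zone. Replace the placeholder host with your actual User Portal host.
param(
    [string]$PortalHost = 'cms-portal.example.com',   # placeholder
    [string]$Scheme     = 'https'
)

$ZoneTrustedSites = 2   # Windows URL security zone id for "Trusted sites"
$zoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Windows stores the registrable domain as a key ("example.com") and any host label
# as a sub-key ("cms-portal"), so split the FQDN accordingly.
$labels = $PortalHost.Split('.')
if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$PortalHost'" }
$domainKey = Join-Path $zoneMapRoot ($labels[-2..-1] -join '.')
$hostLabel = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { $null }
$targetKey = if ($hostLabel) { Join-Path $domainKey $hostLabel } else { $domainKey }

# Create the key (and any missing parents) and set the scheme value to the zone id.
New-Item -Path $targetKey -Force | Out-Null
New-ItemProperty -Path $targetKey -Name $Scheme -Value $ZoneTrustedSites -PropertyType DWord -Force | Out-Null

# Read the value back so a failed write is reported instead of silently ignored.
$written = (Get-ItemProperty -Path $targetKey).$Scheme
if ($written -ne $ZoneTrustedSites) { throw "Zone entry for $PortalHost was not written" }
Write-Output "$Scheme`://$PortalHost is now in the Trusted Sites zone (zone id $written)"
```

If the "Site to Zone Assignment List" Group Policy is applied in your domain, that policy list takes precedence over the per-user entry written here, so add the User Portal URL there instead.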

Virtual Smart Card Profile

ActivID CMS provides a dedicated profile for virtual smart cards.

ActivID CMS Virtual Smart Card Profile

Item                 Description
-------------------  ------------------------------------------------------------------
Profile name         Generic 1024-2048 PKI-Only Profile for VSC Devices
Profile description  Profile with 16 PKIs (1024 or 2048-bit) for Virtual Smart Cards
Supported features   • Personalization of up to 16 2048-bit PKIs
                     • Online unlock using the User Portal*
                     • Offline unlock
PIN Policy           • Minimum PIN length – 8 characters
                     • Maximum PIN length – 25 characters
                     • Maximum number of PIN tries – 5

*Only when enrollment on User Portal is enabled for VSC devices; for details, see Setting Parameters for Devices.

The issuance profile only includes PKI applications:

  • Signature and Authentication certificates.

  • Encryption certificates, including recovered archived encryption certificates.

For more details about this device profile, refer to Device Profiles and Hardware Devices.

Creating a Virtual Smart Card

Prerequisites: With local administrator privileges, initialize and configure the ownership of the TPM on the user’s computer. For further instructions, go to https://technet.microsoft.com/en-us/library/dn466538(v=ws.11).aspx

ActivID CMS provides a PowerShell script, CreateVSC.ps1, which you can run to create the virtual smart card.

  • If only one virtual smart card is to be used on the computer, you can run the script without additional parameters.

  • If more than one virtual smart card is to be used on the same computer, you need to call the script once per card, passing a unique name for each card in the -cardName <cardname> parameter.

Note:

  • You must have local administrator privileges to run the script.

  • You might need to sign the script depending on the execution policy configured in your environment.

Important: You can run the script directly on the computer or using Microsoft’s System Center Configuration Manager (SCCM).

Since Microsoft’s SCCM executes commands in an x86 (32-bit) process by default, on x64 computers you need to force the x64 PowerShell to execute by including the full path in the SCCM command as follows:

%windir%\Sysnative\WindowsPowerShell\v1.0\PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File %~dp0CreateVSC.ps1

For more details about this work-around, see Deployment of Powershell Scripts in a 64-bit Environment via SCCM on the Microsoft Technet forum.

Alternatively, you can create the virtual smart card using the TPM virtual smart card manager command-line tool (Tpmvscmgr.exe). To be compatible with ActivID CMS, the virtual smart card should be created with the:

  • Default Admin Key (/adminkey default parameter).

  • File system generation (/generate parameter).

For further information, go to https://technet.microsoft.com/en-us/library/dn593707(v=ws.11).aspx

Both procedures create a virtual smart card with a GIDS profile that can be used with a Mini Driver embedded in Microsoft Windows.

The PIN policy is defined by the creation script with the following settings:

  • Uppercase, lowercase, digits and special characters are allowed

  • Minimum PIN length – 8

  • Maximum PIN length – 25

  • Maximum number of PIN tries – 5

  • No check for weak PIN
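The following PowerShell script is an added example, not the CreateVSC.ps1 script shipped with ActivID CMS and not Microsoft code. It checks the prerequisites stated in this section (local administrator, x64 host, initialized TPM) and then calls Tpmvscmgr.exe with the two settings ActivID CMS requires (/adminkey default and /generate), applying the PIN length and character-class policy listed above through tpmvscmgr's /pinpolicy option. Assumptions not taken from the documentation: the card name is a placeholder, Get-Tpm (TrustedPlatformModule module, Windows 8.1 and later) is available, /pinpolicy is supported on your Windows build, and virtual readers are enumerated under the SmartCardReader device class for the final check.

```powershell
# Added example, not ActivID CMS's CreateVSC.ps1: create an ActivID CMS-compatible
# virtual smart card with Tpmvscmgr.exe after checking the documented prerequisites.
param(
    # Use a unique -CardName for each virtual smart card created on the same computer.
    [string]$CardName = 'ActivID VSC 1'   # placeholder
)

# 1. Local administrator privileges are required.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (local administrator) PowerShell session.'
}

# 2. SCCM starts a 32-bit host by default on x64 Windows; stop here so the deployment
#    command is corrected to the x64 PowerShell (Sysnative path) as documented.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    throw '32-bit PowerShell on x64 Windows: launch %windir%\Sysnative\WindowsPowerShell\v1.0\PowerShell.exe instead.'
}

# 3. The TPM must be initialized and owned before a virtual smart card can be created.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not ready (TpmPresent=$($tpm.TpmPresent), TpmReady=$($tpm.TpmReady)); initialize and take ownership first."
}

# 4. Create the card. /adminkey default and /generate are required for ActivID CMS;
#    /pin prompt asks the user interactively so the PIN never appears on a command line.
#    /pinpolicy mirrors the policy in this section (min 8, max 25, all classes allowed);
#    the maximum PIN tries value is not set here.
$tpmvscmgr = Join-Path $env:SystemRoot 'System32\tpmvscmgr.exe'
$createArgs = @(
    'create',
    '/name', $CardName,
    '/pin', 'prompt',
    '/adminkey', 'default',
    '/generate',
    '/pinpolicy', 'minlen', '8', 'maxlen', '25',
                  'uppercase', 'ALLOWED', 'lowercase', 'ALLOWED',
                  'digits', 'ALLOWED', 'specialchars', 'ALLOWED'
)
& $tpmvscmgr @createArgs
if ($LASTEXITCODE -ne 0) {
    throw "tpmvscmgr.exe create failed with exit code $LASTEXITCODE"
}

# 5. Confirm a virtual reader is now present (the card is seen as always inserted).
$readers = Get-PnpDevice -Class SmartCardReader -PresentOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.FriendlyName -like '*Virtual Smart Card*' }
if (-not $readers) {
    Write-Warning 'No virtual smart card reader was enumerated; check the tpmvscmgr output above.'
} else {
    $readers | ForEach-Object { Write-Output "Created: $($_.FriendlyName) [$($_.InstanceId)]" }
}
```

The instance ID printed at the end is the value Tpmvscmgr.exe expects when a card is later removed (tpmvscmgr.exe destroy /instance <device instance ID>), which is the operation the DestroyVSC.ps1 script covers. Sign the script if your execution policy requires it, and deploy it through the x64 host command shown above when using SCCM.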

Note: If necessary, you can delete a virtual smart card using the DestroyVSC.ps1 script (applying the same conditions as above).

After the virtual smart cards are created, users can self-issue them (that is, load PKI keys and certificates) using the ActivID CMS User Portal. See detailed instructions in the ActivID CMS User online documentation.

Authenticating with Virtual Smart Cards

Once issued, the virtual smart card offers similar security and authentication functions as a physical smart card. All users have to do is enter the PIN code for the virtual smart card when prompted.

The possible use cases include:

  • Microsoft Windows Logon

  • VPN authentication

  • Secure access to web sites

  • Secure email

To applications and processes, the virtual smart card appears as a physical smart card that is always inserted. All applications that support the Microsoft CAPI/CNG framework should work with the virtual smart card.

Virtual Smart Card Management Functions

The following table provides an overview of the ActivID CMS management functions available for virtual smart cards.

ActivID CMS Operator:

  • Suspend / Revoke certificate

  • Request Applications Update

  • Request Re-Issuance

  • Terminate Card

  • Create Unlock Request

  • Get Unlock Code (for Offline Unlock)

End User Using the User Portal:

  • View Certificate

  • Update Card

  • Unlock Card (by clicking the “Forgot your PIN?” link)

  • Cancel Card Replacement

  • The following operations can only be performed on a computer where there are no virtual smart cards:

    • Report Card Lost

    • Request Card Replacement

Important: If a virtual smart card is terminated in the Operator Portal, its policy remains referenced by the virtual smart card on the user’s computer and cannot be updated. As a result, the virtual smart card remains in the database and is not recycled.

Note: For virtual smart card deployments:

  • In the Operator Portal, when ActivClient is installed, virtual smart cards are listed both as “Microsoft Virtual: Microsoft Virtual Smart Card X” and “ActivClient: Microsoft Virtual Smart Card X”. Only the first option should be used.

  • When a virtual smart card is locked, it can be unlocked in the User Portal by clicking on the “Forgot your PIN?” link.