Configuring the Precise Biometrics Combination Smart Card and Fingerprint Reader

Imprivata Enterprise Access Management supports the Precise Biometrics Combination Smart Card and Fingerprint Reader for authentication via smart card and fingerprint.

The ARX Cryptokit software must be installed differently depending on whether the endpoint computer will be used for enrollment, or only for authentication:

How Authentication Works

  1. To authenticate to the desktop, the user inserts an enrolled and configured smart card into the Precision Biometrics reader.

  2. The ARX Minidriver Credential Provider authenticates the PIN stored on the smart card; the user does not have to enter their PIN again after enrolling it.

  3. The ARX software prompts the user to place their finger on the reader.

  4. When the user places their finger on the reader, the ARX software authenticates the user's fingerprint against the fingerprint template stored on the smart card.

  5. Enterprise Access Management only authenticates the smart card itself.

  6. See This section describes the following desktop authentication workflows: for details of the expected behavior when logging in.

Configure Endpoint Computers for Enrollment

Install the ARX CryptoKit software and drivers on an endpoint computer for enrollment. When installing ARX software for an endpoint computer that will be used only for authentication and not enrollment, see Configure Endpoint Computers for Authentication.

  1. Install the ARX CryptoKit. In the Custom Setup window, select Readers and Tokens > Biometric Reader

  3. In the Custom Setup window, select Application Interface Support > Utilities > ARgenie (selected by default)

  5. If requested, restart the endpoint computer after the installation is complete.

  6. Connect a Precise Biometrics 200 or 250 MC reader and allow it to install drivers on the endpoint computer.

Create a PIN and enroll your fingerprint with the AR Genie utility in Advanced Mode:

  1. From the Windows Start button, go to All programs > ARX > CryptoKit
  2. Right-click ARGenie (or ARGenie64) > Properties
  3. In the Properties menu > Shortcut tab, add /br (with a space before the slash) to the end of the Target value.
  4. Click OK.
  6. From the Windows Start button, go to All programs > ARX > CryptoKit > ARGenie (or ARGenie64)
  7. The AR Genie utility opens.
  8. Plug in the Precise Biometrics reader if it is not plugged in already.
  9. Select the Precise Biometrics reader from the list of slots.
  11. Note the X on the Slot ID icon: Insert a smart card in the reader and the icon changes:
  13. Select Token > Format.
  14. A message appears: Do you really want to format the token? Click Yes.
  15. The Initialize PIN dialog opens. Create a PIN for this smart card (minimum 6 characters) and click OK.
  16. A message appears: Do you want to enroll the next finger? Click Yes.
  17. Follow the onscreen instructions to enroll your fingerprint. When you are done, the message Format token successful appears. Click OK.

Test Fingerprint and PIN Enrollment

Use the AR Genie utility to test the fingerprint and PIN enrollment:

Test Fingerprint Enrollment
  1. Remove the smart card from the Precise Biometrics reader and insert it again.
  2. On the AR Genie menu, select Token > Login
  3. Place the finger you enrolled during the formatting process on the reader.
  4. An error message will be displayed if login is unsuccessful (The AR Genie utility shows no success message.)
Test PIN Enrollment

If you have access to a smart card reader not equipped with a fingerprint reader, you can test your PIN enrollment with the AR Genie utility:

  1. Remove the smart card from the Precise Biometrics reader, and insert it in another smart card reader not equipped with a fingerprint reader. In this example, the ARGenie utility lists the computer's internal smart card reader at Slot ID 1.
  3. On the AR Genie menu, select Token > Login
  4. Enter the PIN you created during the enrollment process.
  5. An error message will be displayed if login is unsuccessful (The AR Genie utility shows no success message.)

Install a certificate and two keys on the smart card:

  1. Insert your smart card into the reader.
  2. To go to Microsoft Certificate Services: Open Microsoft Internet Explorer on the endpoint computer.
  3. In the address field, enter the following URL, with the address of your Microsoft Active Directory Controller: https://IP address/certsrv/
  4. Microsoft Certificate Services opens. Select Request a Certificate.
  5. On the Request a Certificate page, select submit an advanced certificate request.
  6. On the Advanced Certificate Request page, select Create and submit a request to this CA.
  7. On the Advanced Certificate Request page > Certificate Template section, select Smartcard Logon from the drop-down.
  8. In the Key Options section, select Create new key set > and select CSP: AR Base Cryptographic Provider from the drop-down.
  9. In the Key Options section, select Key Size = 2048.
  10. Click Submit.
  12. The ARX Finger Verification window opens. Place your finger on the Precise Biometrics fingerprint reader to authenticate.
  13. Microsoft Certificate Services generates the request, sends it to the server, and opens to the Certificate Issued screen. Click Install this certificate to install the certificate on your endpoint computer; the AR Genie utility copies the certificate from your endpoint computer onto the smart card.

Optional — Import the Certificate and Keys Manually

You can also import a certificate and the keys directly within a PFX file: In the ARGenie utility, select Token > Import Key.

Verify the Installation

  1. In the ARGenie utility, double-click the Precise Biometrics reader. The Objects List window for the Precise Biometrics reader opens.
  2. Confirm three objects are present: the certificate, a private key, and a public key.

When setting up an endpoint computer for authenticating users only, follow these instructions.

NOTE: When installing ARX software for an endpoint computer that will be used for enrollment, see Configure Endpoint Computers for Enrollment.

Install Minidriver Credential Provider Only

Install the ARX Minidriver Credential Provider software. If the endpoint computer already has been used for enrolling PINs and fingerprints with the AR Genie utility, uninstall all ARX software and run the ARX Cryptokit MSI again.

  1. Install the ARX CryptoKit. In the Custom Setup window, select the Minidriver Credential Provider:
  3. If requested, restart the endpoint computer after the installation is complete.
  4. Connect a Precise Biometrics 200 or 250 MC reader and allow it to install drivers on the endpoint computer.
  5. After installing the Minidriver software (and restarting the endpoint computer if necessary), insert a smart card into the reader.
  6. The following messages appear from the Windows Notification Area:

Verify the Installation

To verify the card reader has been installed successfully, open the Windows Device Manager and locate ARX PrivateCard listed under Smart Cards.

Install a Certificate on the Endpoint Computer

Install a certificate from Microsoft Certificate Services on every endpoint computer where smart card authentication will take place.

NOTE: You can also install the certificate on endpoint computers by assigning a group policy.

  1. To go to Microsoft Certificate Services: Open Microsoft Internet Explorer on the endpoint computer.
  2. In the address field, enter http://IP address of the server/certsrv/
  3. Microsoft Certificate Services opens. Select Download a CA certificate, certificate chain, or CRL.
  4. Select Download CA certificate, then Save to save it to the Trusted Root Certificate Store.

Configure Smart Card Removal Behavior

On every computer where smart card authentication will take place, configure the behavior of the Windows desktop when the smart card is removed from the reader:

  1. Go to Start > Run
  2. Run secpol.msc. The Local Security Policy window opens.
  3. Go to Security Settings > Local Policies > Security Options.
  4. In the Policy list, double-click Interactive logon: Smart card removal behavior
  6. Select a removal behavior.
  7. Click OK to save your changes, then close the Local Security Policy window.

  8. BEST PRACTICE: Set the smart card removal behavior to Force Logoff.

Complete the following configurations to enable smart card authentication with Enterprise Access Management.

When configured as follows, the ARX Minidriver Credential Provider authenticates the user's PIN on the smart card. The ARX software also authenticates the user's fingerprint against the enrolled finger information on the smart card. Enterprise Access Management only authenticates the smart card itself, not the PIN or the fingerprint.

Set Registry Key for PIN Authentication

On every endpoint computer where smart card authentication will take place, create the registry key UseCustomPINDialog with a Type of DWORD and a Value of 1:

  • 64—bit — HKLM\Software\SSOProvider\DeviceManager\Devices\PKISC\Cards\PrivateCardEx

When this registry key value is set to 1, the user will not have to enter their PIN manually. The user's PIN enrolled on the smart card will be authenticated by the ARX Minidriver Credential Provider.

When this registry key value is set to 0 or the key is not present, the user will be prompted to authenticate the PIN on the smart card by Enterprise Access Management.

Configure a User Policy for Smart Cards

Configure a user policy for smart card authentication:

  1. In the Imprivata Admin Console, go to Users > User Policies and select a user policy.
  2. On the Authentication tab > Desktop Access authentication section, select Smart Card or USB token using external certificate.
  3. Optional — you may allow temporary use of conditional primary methods, but it is not required.
  4. Optional — you may select additional desktop access authentication methods, but they are not required for this workflow.
  5. At the bottom of the page, click Save.

This section describes the following desktop authentication workflows:

  • Enrolling your smart card with Enterprise Access Management when logging into the desktop with your smart card for the first time
  • Logging into the desktop with your smart card after your smart card is enrolled with Enterprise Access Management

NOTE: The user has already enrolled his PIN and fingerprint with the ARX CryptoKit software. See Create a PIN and enroll your fingerprint with the AR Genie utility in Advanced Mode:.

The ARX Minidriver Credential Provider authenticates the PIN stored on the user's smart card and prompts the user to authenticate with their fingerprint. Imprivata OneSign only authenticates the smart card itself.

Enrolling a Smart Card with Enterprise Access Management

  1. The user inserts their smart card into the Precise Biometrics reader.
  2. The ARX Finger Verification window opens. The user places their enrolled finger on the Precise Biometrics fingerprint reader.
  3. The Imprivata login dialog opens. To enroll the smart card, the user must enter their Enterprise Access Management username and password and click OK.
  4. The ARX Finger Verification window opens again. The user places their enrolled finger on the Precise Biometrics fingerprint reader.
  5. The user is logged into the desktop successfully and the smart card is enrolled with Enterprise Access Management.
  6. When the user removes their smart card they are automatically logged off. See Configure Smart Card Removal Behavior

Logging into the Desktop with Your Smart Card

  1. The user inserts their smart card into the Precise Biometrics reader.
  2. The ARX Finger Verification window opens. The user places their enrolled finger on the Precise Biometrics fingerprint reader.
  3. The user is logged into the desktop successfully.
  4. When the user removes their smart card they are automatically logged off. See Configure Smart Card Removal Behavior