
Authentication Reset System Registry Settings

4/8/2010

The following sections describe the registry settings for the Authentication Reset System.

Global Settings

This setting is used by Aygshell and the LAP, and can be used by any application.

AuthenticationReset

  • Description
    Specifies whether or not the user is allowed to reset authentication on the device.
  • Registry Location
    HKLM\Comm\Security\Policy\LASSD\AuthReset [AuthenticationReset]
  • Type
    REG_DWORD
  • Default Value
    <None>
  • Values
    0 - Authentication Reset is disabled.

    1 - Authentication Reset is enabled.

    Not specified or other values are the same as 0.

Note

This registry setting does not depend on the PasswordNotRequired policy. An administrator can set AuthenticationReset=1 even if no password is required on the device.

Common Authentication Reset Settings

These settings are designed for use by any Authentication Reset Component.

RequestMessage

  • Description
    The override string to be shown as the reset message. This registry value should be set by the IT administrator, if necessary. The user will be prompted with this message before beginning the Authentication Reset process. This message should identify prerequisites for the process, such as network connectivity, and identify any potential pitfalls for the user (e.g., "this process may take several hours to complete").

    If this registry key does not exist, the default reset message will be used.

  • Registry Location
    HKLM\Comm\Security\Policy\LASSD\AuthReset [RequestMessage]
  • Type
    REG_SZ
  • Default Value
    <None>

RequestSuccessMessage

  • Description
    The override string to be shown as the success message. This registry value should be set by the IT administrator, if necessary. This message will be displayed if the Authentication Reset process completes successfully.

    If this registry key does not exist, a default success message will be used.

  • Registry Location
    HKLM\Comm\Security\Policy\LASSD\AuthReset [RequestSuccessMessage]
  • Type
    REG_SZ
  • Default Value
    <None>

RequestFailureMessage

  • Description
    The override string to be shown as the generic failure message. This registry value should be set by the IT administrator, if necessary. This message will be displayed if the Authentication Reset process fails.

    If this registry key does not exist, a default failure message will be used.

  • Registry Location
    HKLM\Comm\Security\Policy\LASSD\AuthReset [RequestFailureMessage]
  • Type
    REG_SZ
  • Default Value
    <None>

WaitMessage

  • Description
    The override string to be shown as the wait message. This registry value should be set by the IT administrator, if necessary. This message will be displayed when the Authentication Reset Component requires a significant amount of time to perform an action, such as connecting to a remote server. The default implementation displays this message when synchronizing with the Exchange Server. 3rd-party Authentication Reset Components may choose to ignore this value.

    If this registry key does not exist, a default wait message will be used.

  • Registry Location
    HKLM\Comm\Security\Policy\LASSD\AuthReset [WaitMessage]
  • Type
    REG_SZ
  • Default Value
    <None>

Timeout

  • Description
    Timeout to allow or deny Authentication Reset, in seconds. The default implementation uses this timeout while waiting for user input and connecting to the Exchange Server. If the timeout elapses, the process is canceled. 3rd-party Authentication Reset Components may choose to ignore this value or use it in any way deemed appropriate.

    The default implementation uses a timeout of 120 (2 minutes) if this value is not set.

  • Registry Location
    HKLM\Comm\Security\Policy\LASSD\AuthReset [Timeout]
  • Type
    REG_DWORD
  • Default Value
    120
  • Values
0 - No timeout is enforced.

    1 to 4294967295 - Number of seconds until timeout.

Aygshell Settings

These settings are used by Aygshell only.

Authentication Reset DLL

  • Description
    The path to the DLL to use as the Authentication Reset Component. This DLL must conform to the standards outlined for Authentication Reset Components. If the DLL is not in the Windows directory, the registry value must contain the full path.

    The system checks the policy value first, and if no DLL is specified, it falls back to the user value.

    If neither registry key exists, no Authentication Reset Component is loaded and Authentication Reset setup and requests fail.

  • Registry Location
    HKLM\Comm\Security\Policy\LASSD\AuthReset [Dll] (policy value)

    HKLM\Comm\Security\LASSD\AuthReset [Dll] (user value)

  • Type
    REG_SZ
  • Default Value
    "\Windows\lap_pw.dll" (user value)

ARC Settings

These settings are used for the Authentication Reset Component (ARC).

HashAlgorithm

  • Description
    The identifier of the algorithm used to generate a hash of the Admin Key for integrity-checking purposes. OEMs can update this if new algorithms are installed on the device.

    The ARC uses 0x800C (CALG_SHA_256) if this value is not set.

  • Registry Location
    HKLM\Comm\Security\Policy\LASSD\AuthReset\ExchangeAR [HashAlgorithm]
  • Type
    REG_DWORD
  • Default Value
    <None>
  • Values
Algorithm identifiers are defined in Wincrypt.h. The algorithm must have the ALG_CLASS_HASH bit set and may not include the following hash types:

    ALG_SID_MD2,

    ALG_SID_MD4,

    ALG_SID_MD5,

    ALG_SID_SHA,

    ALG_SID_SHA1,

    ALG_SID_MAC,

    ALG_SID_RIPEMD,

    ALG_SID_RIPEMD160,

    ALG_SID_SSL3SHAMD5,

    ALG_SID_HMAC,

    ALG_SID_TLS1PRF,

    ALG_SID_HASH_REPLACE_OWF

    If any of the disallowed hash types are specified, the default value is used.

    The algorithm must be supported by the default provider, or the provider specified by CryptoProviderName and/or CryptoProviderType.

EncryptionAlgorithm

  • Description
    The identifier of the algorithm used for encryption. OEMs can update this if new algorithms are installed on the device.

    The ARC uses 0x660E (CALG_AES_128) if this value is not set.

  • Registry Location
    HKLM\Comm\Security\Policy\LASSD\AuthReset\ExchangeAR [EncryptionAlgorithm]
  • Type
    REG_DWORD
  • Default Value
    <None>
  • Values
    Algorithm identifiers are defined in Wincrypt.h. The algorithm should denote a stream cipher. It must have the ALG_CLASS_DATA_ENCRYPT bit set and may not include the following encryption types:

    ALG_SID_DES,

    ALG_SID_3DES_112,

    ALG_SID_3DES,

    ALG_SID_DESX,

    ALG_SID_RC2,

    ALG_SID_RC4,

    ALG_SID_SEAL,

    ALG_SID_SKIPJACK,

    ALG_SID_TEK,

    ALG_SID_CYLINK_MEK,

    ALG_SID_AES

    If any of the disallowed encryption types are specified, the default value is used.

The algorithm and provider must support key lengths of 512 bits or smaller. If the default key length is greater than 512 bits, an alternate key size must be set in the upper 16 bits of this value. For example, if the default key length is 1024 bits, but the algorithm supports key lengths of 512 bits, then the value 0x02000000 is combined with the algorithm identifier in a bitwise OR operation. Notice that the upper 16 bits of 0x02000000 are 0x0200, or 512 in decimal notation. If none of the upper 16 bits are set, the default key size is generated.

    The algorithm must be supported by the default provider, or the provider specified by CryptoProviderName and/or CryptoProviderType.
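Added example (not part of this reference or of the platform's own code): a C check that applies the HashAlgorithm and EncryptionAlgorithm rules described above, including the key-length-in-upper-16-bits encoding, and falls back to the documented defaults. The Wincrypt.h constants are reproduced inline so it builds without the Windows SDK; treating a wrong class bit, or a key-length override above 512 bits, as a fallback to the default is my reading of the text, not something the page states.

```c
#include <stddef.h>
#include <stdint.h>
/* ALG_ID layout from Wincrypt.h (reproduced so this builds without the Windows
 * SDK): class in bits 13-15, type in bits 9-12, SID in bits 0-8. */
#define ALG_CLASS_HASH          (4 << 13)   /* 0x8000 */
#define ALG_CLASS_DATA_ENCRYPT  (3 << 13)   /* 0x6000 */
#define GET_ALG_CLASS(x)        ((x) & (7 << 13))
#define GET_ALG_SID(x)          ((x) & 511)
#define CALG_SHA_256            0x800Cu     /* ARC default hash */
#define CALG_AES_128            0x660Eu     /* ARC default cipher */
/* Registry encoding described above: key length in the upper 16 bits, ALG_ID
 * in the lower 16, so ARC_ENC_VALUE(CALG_AES_128, 512) == 0x0200660E. */
#define ARC_ENC_VALUE(alg, bits) (((uint32_t)(bits) << 16) | (uint32_t)(alg))
/* ALG_SID_* numbers of the disallowed lists above. Hash: MD2=1 MD4=2 MD5=3
 * SHA/SHA1=4 MAC=5 RIPEMD=6 RIPEMD160=7 SSL3SHAMD5=8 HMAC=9 TLS1PRF=10
 * HASH_REPLACE_OWF=11. Encryption: DES/RC4=1 RC2/SEAL=2 3DES=3 DESX=4
 * 3DES_112=9 SKIPJACK=10 TEK=11 CYLINK_MEK=12 AES=17 (AES_128=14 is allowed). */
static const uint32_t kBadHashSid[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11};
static const uint32_t kBadEncSid[]  = {1, 2, 3, 4, 9, 10, 11, 12, 17};
#define COUNT(a) (sizeof (a) / sizeof *(a))
static int sid_listed(uint32_t sid, const uint32_t *list, size_t n)
{
    while (n--) if (list[n] == sid) return 1;
    return 0;
}

/* Effective hash ALG_ID; is_set == 0 means the value is absent. Assumption: a
 * value without ALG_CLASS_HASH falls back to the default like a bad SID does. */
uint32_t arc_hash_alg(int is_set, uint32_t reg)
{
    if (!is_set || GET_ALG_CLASS(reg) != ALG_CLASS_HASH ||
        sid_listed(GET_ALG_SID(reg), kBadHashSid, COUNT(kBadHashSid)))
        return CALG_SHA_256;
    return reg;
}
/* Splits EncryptionAlgorithm into ALG_ID and key-length override (0 = provider
 * default). Returns 1 if the registry value is used, 0 if the ARC default
 * (CALG_AES_128) applies. Assumption: an override above 512 bits is rejected. */
int arc_encryption_alg(int is_set, uint32_t reg, uint32_t *alg, uint32_t *key_bits)
{
    uint32_t id = reg & 0xFFFFu, bits = reg >> 16;
    if (is_set && GET_ALG_CLASS(id) == ALG_CLASS_DATA_ENCRYPT &&
        !sid_listed(GET_ALG_SID(id), kBadEncSid, COUNT(kBadEncSid)) &&
        bits <= 512u) {                       /* page: 512 bits or smaller */
        *alg = id; *key_bits = bits;
        return 1;
    }
    *alg = CALG_AES_128; *key_bits = 0;
    return 0;
}
```

The sample values in the test (CALG_MD5 = 0x8003, CALG_RC4 = 0x6801, CALG_SHA_384 = 0x800D, CALG_AES_256 = 0x6610) are standard Wincrypt.h identifiers, not values taken from this page.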

CryptoProviderName

  • Description
    The name of a cryptographic services provider that supports the encryption and hashing algorithms specified. OEMs can update this if new providers are installed on the device.

    The ARC uses the default provider if this value is not set (see documentation for CryptAcquireContext).

  • Registry Location
    HKLM\Comm\Security\Policy\LASSD\AuthReset\ExchangeAR [CryptoProviderName]
  • Type
    REG_SZ
  • Default Value
    <None>
  • Values
The specified provider must be of the type given in the CryptoProviderType registry value, or of the default type if that value does not exist. It must support the algorithms specified in the EncryptionAlgorithm and HashAlgorithm registry values, or the default algorithms.

CryptoProviderType

  • Description
    The identifier of a cryptographic services provider type that supports the encryption and hashing algorithms specified. OEMs can update this if new providers are installed on the device.

    The ARC uses 24 (PROV_RSA_AES) if this value is not set.

  • Registry Location
    HKLM\Comm\Security\Policy\LASSD\AuthReset\ExchangeAR [CryptoProviderType]
  • Type
    REG_DWORD
  • Default Value
    <None>
  • Values
Cryptographic service provider types are defined in Wincrypt.h. The provider must support the algorithms specified in the EncryptionAlgorithm and HashAlgorithm registry values, or the default algorithms.

RecoveryPwdLength

  • Description
    Specifies the number of characters to include in the recovery password.

    The ARC uses 20 if this value is not set.

  • Registry Location
    HKLM\Comm\Security\Policy\LASSD\AuthReset\ExchangeAR [RecoveryPwdLength]
  • Type
    REG_DWORD
  • Default Value
    <None>
  • Values
    This value must be greater than 0 and less than 2048.

See Also

Reference

Authentication Reset System Reference

Concepts

Authentication Reset System