How can we help?

Windows Credential Enrollment Management

Anthony - Versasec Support
Anthony - Versasec Support
  • Updated

Introduction

It is possible to configure workflows such that when a domain user logs onto their workstation, and that user is a member of a specific Windows group, a smart card issuance flow can be triggered. This will provide control around which users can be issued with a smart card via self-service.

To use this feature, the USS application will need to run in the System Tray of the host and the RSDM service will need to be running on the host.

Additionally, using this feature it will be possible to capture information about user behavior when using the self-service workflow. The behavior that can be captured is as follows:

  • When the self-service issuance dialog is presented to the user;
  • When the issuance did succeed or fail.
Important
This functionality is only available from version 5.0.1 and above.

Configure Windows Credential Enrollment Management

Step 1 – Configure Required Registry Values 

By default, the functionality is not enabled. Therefore, registry values need to be configured on the server and client side to be able to use this functionality.

On the server where the vSEC:CMS is installed the following registry values can be set in this location [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Versatile Security\vSEC_CMS_T\Service] :

Name

Type

Description

cms.issuance.enroll.maxCancel

DWORD

If it is required to force the user to issue their smart card after a configurable number of cancels. For example, when the user is presented with the issuance dialog the user can cancel the issuance. Using this optional registry value, it is possible to set a limit on the number of cancels the user is allowed before the cancel button is removed from the issuance dialog. If the user is allowed to cancel 3 times then enter a value of 3.

cms.issuance.log.file

STRING

If it is required to capture user behaviour statistics then enter a location where the statistic file will be written to. A description of the data that is captured is provided below in the Statistics section. For example, if you wish to write the information to temp folder on root of c:\ drive on the server then enter: c:\temp\cms-issuance-stats.log as the entry for the registry string value.

cms.issuance.mngmt.reportstatus

DWORD

If it is required to capture user behaviour statistics then enter a hexadecimal value of ffffffff which will result in all the data as described below in the Statistics section being captured.

On the client side it will be required to have the RSDM service fully configured to communicate with the server side and the USS application running in the system tray. If the client is a 64-bit operating system then create a registry DWORD named cms.issuance.mngmt.enabled in this location with a value of 1:

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Versatile Security\vSEC_CMS_RSDM\Service]

If the client is a 32-bit operating system then create a registry DWORD named cms.issuance.mngmt.enabled in this location with a value of 1:

[HKEY_LOCAL_MACHINE\SOFTWARE\Versatile Security\vSEC_CMS_RSDM\Service]

Step 2 – Configure User and Card Template Use

It is possible to configure the Windows group DN that the end user will be a member of or the actual user that will be allowed to use this functionality. Additionally, the card template that will be used is configured here.

From Repository – Enrollment Configuration select the card template that will be used from the available drop-down list. Click the Add user or group button to select a group or individual user that will be allowed to use this functionality. For example, if it was required that a user who is a member of Smart Cards Group and this user should get prompted to issue a smart card logon credential to their smart card when they log onto their workstation using the pre-configured card template Smart Card Logon, then you would select the Smart Card Logon template from the drop-down list and add the group Smart Cards Group.

Statistics

The statistics file will contain information about the end user behaviour that can be useful when managing the deployment of smart cards in your organization.

The data captured in the file will be:

  • ID: this is the ID that describes what operation was captured. See the table below for full description;
  • Timestamp: the time when the operation was performed;
  • RSDM Device ID: the actual device ID as set on the client workstation;
  • USS CLID: The Id of the USS application;
  • Dialog ID: the ID of the dialog that is shown to the end user;
  • Template ID: the ID of the card template that is used when issuing the smart card;
  • User DN: the DN of the user that is logged in;
  • Logged-on Windows user: the Windows name of the currently logged on user.

The ID description are:

ID

Description

1

The Issuance dialog has been launched on the end user’s workstation.

2

The end user clicked the Cancel button in the Issuance dialog.

3

The issuance has been performed successfully.

4

The issuance has been performed but an error occurred during this process.

5

The end user did log onto their workstation and got an enrolment granted message from the server.

6

This ID is reserved for future assignment.

7

The end user did logon but the server did deny issuance.

Additional Details

To avoid heavy traffic on the server side some mechanisms have been implemented on the client side to limit the number of requests. These are:

  • A response from a request will be cached for up to 2 hours. This means when the same user logs on again within the next 2 hours the client will not ask the server again. This cache can be cleared for testing and/or debugging reasons by a registry value.

If the client is a 64-bit operating system then create a registry DWORD named cms.issuance.mngmt.cache.clear in this location with a value of 1:

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Versatile Security\vSEC_CMS_RSDM\Service]

If the client is a 32-bit operating system then create a registry DWORD named cms.issuance.mngmt.cache.clear in this location with a value of 1:

[HKEY_LOCAL_MACHINE\SOFTWARE\Versatile Security\vSEC_CMS_RSDM\Service]

  • If a user is already enrolled on a workstation the system will not ask the server again until the credentials have been retired from the workstation.