Introduction
It is possible to configure workflows such that when a domain user logs onto their workstation, and that user is a member of a specific Windows group, an issuance flow can be triggered. This will provide control around which users can be issued with a credential via self-service.
In order to use this feature, the vSEC:CMS User application will need to run in the system tray of the host and the RSDM service will need to be running on the host.
Additionally, using this feature it will be possible to capture information around user behaviour when using the self-service workflow. The behaviour that can be captured is as follows:
- When the self-service issuance dialog is presented to the user;
- If the user clicks the cancel button from the issuance dialog;
- When the issuance did succeed or fail.
The article will cover the following:
- Set up a template that will allow you to create and issue a Windows logon certificate to a credential;
- Automatically start the issuance of a credential with a Windows logon certificate on a client when a user who is a member of a specific domain group logs on;
- Perform Windows logon with the credential.
The PKI used here will be a Microsoft Certificate Authority (CA). If another CA is to be used please refer to the Administration guide for details on configuring a connection to such a CA.
We will issue a Virtual credential in this example but you could use any vSEC:CMS supported physical credential.
It will be required that at minimum you have already successfully completed the configuration steps described in the article Manage Virtual Credentials using vSEC:CMS User Self-Service. The instructions in this document are applicable regardless of whether you are running the evaluation version or a production version.
Credential Configuration
Before beginning the configuration it will be necessary to have already successfully completed the instructions in the article Manage Virtual Credentials using vSEC:CMS User Self-Service.
1. On the client side a registry value will need to be set. A DWORD named cms.issuance.mngmt.enabled with a value of 1 needs to be created under this key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Versatile Security\vSEC_CMS_RSDM\Service]
This setting can be set through GPO. See the article Configure Windows GPO and the section Enable user enrollment for details.
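The following PowerShell script is an added example, not part of the vSEC:CMS documentation. It checks the client-side prerequisites this section describes on the local workstation: that the DWORD exists with the value 1 under the registry key above (a helper to set it is included for hosts not covered by the GPO), that the RSDM service is running, and that the current user's logon token carries the group from this article's example (VSC Logon Group). The registry path, value name and value come from the article; the service name vSEC_CMS_RSDM is a placeholder assumption, so look up the real name with Get-Service before relying on it.

```powershell
# Added example (not vSEC:CMS code): verify the client-side prerequisites for
# group-triggered self-service issuance on the local workstation.
# Registry path, value name and value are taken from the article.
$RegPath   = 'HKLM:\SOFTWARE\Versatile Security\vSEC_CMS_RSDM\Service'
$ValueName = 'cms.issuance.mngmt.enabled'
# ASSUMPTION (placeholder): the Windows service name of RSDM. Confirm with Get-Service.
$RsdmServiceName = 'vSEC_CMS_RSDM'
# Group used in the article's example.
$GroupName = 'VSC Logon Group'

function Test-IssuanceRegistryValue {
    # Returns $true only when the value exists, is a DWORD (read back as [int]) and equals 1.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $val = $item.$ValueName
    return (($val -is [int]) -and ($val -eq 1))
}

function Set-IssuanceRegistryValue {
    # Creates the key if missing and writes the DWORD with value 1. Requires an elevated shell.
    if (-not (Test-Path -Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-UserInGroup {
    param([Parameter(Mandatory)][string]$Group)
    # Walks the group SIDs in the current logon token and resolves each to DOMAIN\Name.
    # Token groups are fixed at logon, so a membership added afterwards only shows up
    # after the user logs on again, which is also when RSDM evaluates the trigger.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            continue   # logon-session and other non-resolvable SIDs are skipped
        }
        # Compare only the part after the backslash so DOMAIN\VSC Logon Group matches.
        if (($name -split '\\')[-1] -ieq $Group) { return $true }
    }
    return $false
}

function Get-IssuancePrerequisiteReport {
    # Summarises the three prerequisites: registry value, RSDM service, group membership.
    $svc = Get-Service -Name $RsdmServiceName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RegistryValueIsOne = Test-IssuanceRegistryValue
        RsdmServiceRunning = (($null -ne $svc) -and ($svc.Status -eq 'Running'))
        UserInLogonGroup   = Test-UserInGroup -Group $GroupName
    }
}

Get-IssuancePrerequisiteReport | Format-List
```

Run the script as the logged-on domain user to get a meaningful UserInLogonGroup result; only Set-IssuanceRegistryValue needs an elevated prompt. A report showing RegistryValueIsOne as False on a host that should receive the GPO setting is the first thing to check when the issuance dialog never appears.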
2. It is possible to configure the Windows group DN that the end user will be a member of or the actual user that will be allowed to use this functionality. Additionally, the credential template that will be used is configured here.
From Repository - Device Management - Enrollment Configuration select the credential template that will be used from the available drop-down list.
Click the Add user or group button to select a group or individual user that will be allowed to use this functionality.
For example, if a user who is a member of VSC Logon Group should be prompted to create and issue a credential when they log onto their workstation, using the pre-configured card template MS VSC (VSC), then you would select the MS VSC (VSC) template from the drop-down list and add the group VSC Logon Group as in the example above.
Issue Credential
On the client side the vSEC:CMS User application should be running in the system tray.
When a user logs onto their client and the user is a member of the Windows group VSC Logon Group (as in the example above), RSDM will trigger the automatic issuance flow.
Enter the domain user details, if configured, and set the PIN for the credential.
Once you complete this then the credential can be used to log onto your domain environment.