Issue Credential and Email User Random PIN Code

Anthony - Versasec Support

Introduction

Follow the instructions in this article to set up and configure the vSEC:CMS so that it can issue and manage credentials used for Windows logon, where the user is emailed their credential PIN code during the issuance flow.

The article will cover the following:

  • Set up a template that will allow you to create and issue a Windows logon certificate to a credential from the vSEC:CMS console application;
  • Issue a Windows logon certificate to the credential;
  • During the issuance process a random PIN value will be set and sent to the end user via email;
  • Log onto a Windows client using the issued credential.
Note
The PKI used here will be a Microsoft Certificate Authority (CA). If another CA is to be used please refer to the Administration guide for details on configuring a connection to such a CA.
Note
In this article we will use Thales IDPrime MD credential. If other credentials are used the instructions described in this article are the same.
Important
It will be required that at minimum you have already successfully completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document are applicable regardless of whether you are running the evaluation version or a production version.
Important
It will be necessary to have the appropriate credential drivers (minidriver) installed on your host. Please check with the credential provider that you have the correct credential drivers installed.

Configure Smart Card Access

Typically the smart card access is already set to the correct type but for completeness we will cover this in the article.

From Options - Smart Card Access attach an IDPrime MD credential that you will manage with the vSEC:CMS. The vSEC:CMS will filter the card type and present the entry in the table. There are several different types of IDPrime MD credentials, therefore the entry that is filtered will depend on the credential type. For example, if you are managing an IDPrime MD 830 credential then the table entry will reflect that model.

Click the Edit button and for Smart Card Access make sure that Use minidriver if possible is selected and click Save to save and close.


Configure Email Connection

It will be necessary to set up a connection to an SMTP email server that will be used to send an email with the credential PIN to the user who the credential will be issued to in this article.

1. From Options - Connections click the Configure button. Select Email and add this to the Selected pane and click Ok.

2. Click the Email connector to open the configuration dialog. Click the Add button. Enter a template name and in the Hostname enter the SMTP server details and the port that the server is listening on. For Email address enter any email address that a test email will be sent to when you click the Check connection button. From the Connection security drop-down list select the required setting for your email server. In the Credentials section select the appropriate credentials required to authenticate to the SMTP server. Click Check connection to test connectivity. An email should be sent to the email address set in the Email address field. Click Save to save and close.

3. It will be necessary to configure a data export template of type email in order to create the email content template for the email notification that will be sent with the credential PIN for the user who the smart card will be issued to in this use case.

From Options - Connections click the Configure button. Select Data Export and add this to the Selected pane and click Ok.

Click Data Export to open the configuration dialog. Click the Add button and enter a template name. From the drop-down list select Email (Export to email). In the General section, we will select Send email automatically in this example. For SMTP server select the server configured earlier.

Click the Configure email button to configure the email content that will be sent. Two options are available - HTML or Text. In this example, plain text will be used. Enter the content into the Message window. You can use variable placeholders to extract user and system information that can be placed in the email content. For example, the user's email address ${UserEmail} is linked to the user's email attribute in AD.

Click the Test email button to send a test email to the email address set in the Email address field in step 2 above.

Credential Configuration

1. From Templates – Card Templates click the Add button.

Click the Edit link beside General. Enter a template name and attach an IDPrime MD credential that is to be managed by this template and click the Detect button and wait for the vSEC:CMS to detect that it is an IDPrime MD credential and click Ok.

Leave all other settings as default and click Ok to close and save.

2. Click the Edit link beside Issue Card.

In the General section enable the Automatically initiate cards after issuance checkbox.

In the User ID Options section enable Assign user ID and select the AD connection in the drop-down list.

In the Enroll Certificate Options section enable Enroll certificate(s) checkbox and click the Add button. Select the Windows logon certificate template created earlier and click Ok. Leave all other settings as is and scroll down to the bottom of the dialog and click Ok to save and close.

3. Click the Edit link beside Initiate Card. Enable the System set user PIN checkbox and click the Configure button. Enable Random PIN and set the length to 6. The vSEC:CMS will generate a random PIN value of 6 characters that meets the PIN policy as configured on the card. Click the Characters button to configure specific characters that you do not want to be generated. For example, removing non-ASCII characters can be helpful, as these characters can be difficult to enter depending on your end users' technical expertise. From the drop-down list select the email template configured earlier and click the Add button. Click Ok to save and close. Click Ok.
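To make the Random PIN and Characters settings concrete, here is an added Python example (not vSEC:CMS code; the product's real generator and the card's actual PIN policy are not visible from this article) of how a system-set PIN can be drawn from a CSPRNG, with an exclusion list applied to the alphabet and the result rejected until it meets a policy. The `PinPolicy` fields (`max_identical_run`, `forbid_sequential`) are assumed rules chosen to illustrate the idea of a card-side policy; they are not the IDPrime MD policy. Non-ASCII characters are filtered out of the alphabet for the reason given above.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PinPolicy:
    """Assumed policy shape for this example. A real deployment takes the
    rules from the card's configured PIN policy; this code does not read it."""
    length: int = 6
    alphabet: str = string.digits + string.ascii_letters
    excluded: str = ""              # characters removed via the "Characters" step
    max_identical_run: int = 2      # allow "11" but reject "111"
    forbid_sequential: bool = True  # reject runs like "1234" or "dcba"


def allowed_characters(policy: PinPolicy) -> list:
    """Alphabet minus excluded and non-ASCII characters."""
    chars = [c for c in policy.alphabet
             if c not in policy.excluded and c.isascii()]
    if len(chars) < 2:
        raise ValueError("exclusion list leaves too few characters to draw from")
    return chars


def _longest_identical_run(pin: str) -> int:
    best = run = 1
    for a, b in zip(pin, pin[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best


def _has_sequential_run(pin: str, n: int = 4) -> bool:
    """True if any window of n characters steps by exactly +1 or -1
    in code-point order (e.g. 1234, 4321, abcd)."""
    for i in range(len(pin) - n + 1):
        window = [ord(c) for c in pin[i:i + n]]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def satisfies_policy(pin: str, policy: PinPolicy) -> bool:
    """Check a candidate PIN against the assumed policy."""
    chars = set(allowed_characters(policy))
    return (len(pin) == policy.length
            and all(c in chars for c in pin)
            and _longest_identical_run(pin) <= policy.max_identical_run
            and not (policy.forbid_sequential and _has_sequential_run(pin)))


def generate_pin(policy: PinPolicy, attempts: int = 1000) -> str:
    """Draw characters with secrets.choice (CSPRNG) and reject candidates
    that miss the policy. Rejection keeps the accepted PINs uniformly
    distributed over the set of policy-compliant values."""
    chars = allowed_characters(policy)
    for _ in range(attempts):
        pin = "".join(secrets.choice(chars) for _ in range(policy.length))
        if satisfies_policy(pin, policy):
            return pin
    raise RuntimeError("could not generate a PIN meeting the policy")


if __name__ == "__main__":
    # Constructed exclusion list: drop characters users commonly confuse.
    policy = PinPolicy(length=6, excluded="0O1lI")
    print(generate_pin(policy))
```

Two design points carry over to any generator of this kind: the random source must be a CSPRNG (`secrets`, not `random`), and policy filtering should be done by rejection rather than by "fixing up" a candidate, since patching characters after the fact skews the distribution of the PINs that end users receive.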

4. Click Ok to save and close the template.

Issue Credential

From the Lifecycle page attach a blank IDPrime MD credential to your host.

Click the Issued oval and select the template from Select card template drop-down list and click Execute.

You will be prompted to enter your Operator passcode before the issuance will begin. Then you will be prompted to select the user from AD that the credential will be issued to. Select the user and at the end of the process you will get a short summary dialog of what operations were performed.

The credential will now show as Active. The user should have received an email with the random PIN value. When the user physically receives the credential they will be able to use it to log onto their domain.