Introduction
vSEC:CMS can now automatically update the ScLogonRequired within the Active Directory userAccountControl (UAC) attribute during credential lifecycle operations.
This feature is useful if you need to dynamically toggle the Active Directory smart card requirement based on the current lifecycle status of a user's credentials in vSEC:CMS.
Example: You can automatically enforce smart card logon in AD when a token is issued, or disable the requirement if a token is revoked.
Configure
When you create a credential template (from Templates - Credential Templates), or edit an existing one, you need to enable Update 'ScLogonRequest' in the Issue Credential process dialog under the Enroll Certificate Options section.
For New Templates: When adding a new template in the certificate selection dialog, simply check the Update 'ScLogonRequest' box.
For Existing Templates: Select the existing certificate, click Edit, and then check the Update 'ScLogonRequest' box.
How the 'ScLogonRequired' Checkbox Works
This checkbox determines which User ID will have its ScLogonRequired flag updated in AD. vSEC:CMS will update the user's userAccountControl (UAC) attribute in AD. This will result in enforcing Windows Smart Card logon when the user attempts to log onto a Windows workstation.
The vSEC:CMS service account needs to have the appropriate permissions on the user AD object to update the UAC attribute.
Linked to the User, Not the Certificate: This setting applies to the User ID, not the specific certificate. If you enable this for multiple certificates assigned to the same user, they will all target and update that same single flag on the user's AD account.
Minimum Requirement: To automate this AD update, you must enable this checkbox for at least one certificate issued to the user.
Lifecycle Processes
For each of the different lifecycle process you should enable the checkbox option as required for your use case. Therefore, it is recommended to enable this for each of the lifecycle processes: Iniatate, Inactivate, Activate, Lock and Revoke.
When the ScLogonRequired flag is unset by vSEC:CMS, Windows will manage setting a random AD password on the user account.