There are a number of ways that a PIN unblock can be performed for smart cards that are managed by the vSEC:CMS. This section describes how to perform each of them.
Option 1 - Online PIN Unblock
For scenarios where the smart card holder is physically present with the operator of the vSEC:CMS, the smart card can be unblocked from the operator console.
1. From the Actions - Smart Card Unblock page, attach the smart card that needs to be unblocked. The operator console will then show details about the managed smart card.
2. The smart card holder should then enter a new PIN code that meets the PIN policy requirements as set on the smart card into the fields provided, and click the Unblock button.
3. The operator will then be prompted to enter their operator PIN code to authenticate and perform the PIN unblock.
4. A success dialog will appear once the unblock has completed successfully.
Option 2 - Offline PIN Unblock
For offline PIN unblock, a number of options are available. An offline unblock means that the smart card holder's smart card is not physically attached to the same system that the vSEC:CMS application is running on, and therefore an unblock challenge needs to be provided to the operator to perform the unblock operation. This is commonly referred to as a challenge-response PIN unblock.
Method 1 - Use Native Windows Credential Manager
1. From a client host connected to the domain, the user can attempt to log on with their blocked smart card.
2. Because the smart card is blocked, and provided the "Allow Integrated Unblock screen to be displayed at the time of logon" setting is enabled through your Windows group policy, the user will be informed that their smart card is blocked.
3. Click Ok and the user will be presented with an unblock screen. The user will then need to provide the unblock challenge code to the vSEC:CMS operator/helpdesk person.
4. The operator then needs to go to the Actions - Smart Card Unblock page, click the Search button, and select the user whose smart card will be unblocked. Detailed information about the managed smart card will be displayed once the user is selected.
5. Enter the unblock challenge code as received from the smart card holder into the Challenge field and click the Cryptogram button. The operator will be required to enter their operator PIN code to authenticate and generate a cryptogram. The generated cryptogram is the unblock code. This code should be provided back to the smart card holder.
6. The smart card holder should enter the cryptogram, enter and confirm a new PIN, and click the right arrow button to complete the unblock.
Important: There is a one-to-one relationship when performing the unblock; therefore the smart card of the user should not be removed during this operation. Otherwise the challenge code will be invalidated and the operation will need to be performed again.
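The challenge-response exchange and the card-removal caveat described above, modelled as an added example (not vSEC:CMS code). The HMAC-SHA256 cryptogram, the shared admin key, the single-use handling of the challenge and the names `Card` and `operator_cryptogram` are assumptions for illustration; this page does not state which algorithm the product or the card uses.

```python
import hashlib
import hmac
import secrets


class Card:
    """Model of a blocked smart card (constructed for illustration)."""

    def __init__(self, admin_key: bytes):
        self._admin_key = admin_key   # assumed to be shared with the CMS at issuance
        self._challenge = None        # outstanding challenge, if any
        self.blocked = True

    def get_challenge(self) -> str:
        # A fresh random challenge replaces any earlier one.
        self._challenge = secrets.token_bytes(8)
        return self._challenge.hex()

    def remove(self) -> None:
        # Removing the card ends the session and discards the challenge.
        self._challenge = None

    def unblock(self, cryptogram: str, new_pin: str) -> bool:
        if self._challenge is None:
            return False
        expected = hmac.new(self._admin_key, self._challenge, hashlib.sha256).hexdigest()
        self._challenge = None        # single use, whether or not it verifies
        if not hmac.compare_digest(expected.encode(), cryptogram.encode()):
            return False
        self._pin, self.blocked = new_pin, False
        return True


def operator_cryptogram(admin_key: bytes, challenge_hex: str) -> str:
    """Operator side: derive the unblock code from the challenge (HMAC assumed)."""
    return hmac.new(admin_key, bytes.fromhex(challenge_hex), hashlib.sha256).hexdigest()


def demo() -> dict:
    key = secrets.token_bytes(32)     # constructed key, not a real card key
    card = Card(key)
    stale = operator_cryptogram(key, card.get_challenge())
    card.remove()                     # card pulled before the response arrives
    stale_ok = card.unblock(stale, "482913")
    card.get_challenge()              # re-inserted card issues a different challenge
    replay_ok = card.unblock(stale, "482913")
    fresh = operator_cryptogram(key, card.get_challenge())
    fresh_ok = card.unblock(fresh, "482913")
    return {"stale": stale_ok, "replay": replay_ok, "fresh": fresh_ok, "blocked": card.blocked}
```

In this model a cryptogram computed for an earlier challenge is rejected after the card has been removed, which is why the operation has to be restarted with a new challenge.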
Method 2 - Use User Self-Service Application
If the smart card holder's smart card was issued with a user self-service (USS) template that allows PIN unblock, they can use the USS application to perform PIN unblock.
1. From the USS application, go to the My PIN page and select the Unblock PIN (Crypto) radio button. Enter a new PIN code that meets the PIN policy requirements and confirm this value.
2. Click the Unblock button to proceed.
3. Enter the Windows domain user name and password to authenticate and click Ok.
4. In the background, a challenge-response will be performed with the vSEC:CMS to complete the unblock. Once complete, a success dialog will appear.