This article will describe how you can configure vSEC:CMS to support the lifecycle management of Thales IDPrime MD credentials. The article will cover the following:
- Setup a template that will allow you to create and issue a Windows logon certificate to an IDPrime MD credential from vSEC:CMS console application;
- Issue a Windows logon certificate to the credential;
- Log onto a Windows client using the issued credential.
The PKI used here will be a Microsoft Certificate Authority (CA). If another CA is to be used please refer to the Administration guide for details on configuring a connection to such a CA.
It will be required that at minimum you have already successfully completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document are applicable regardless of whether you are running the evaluation version or a production version.
It will be necessary to have the appropriate credential drivers (minidriver) installed on your host. Please check with the credential provider that you have the correct credential drivers installed.
Configure Smart Card Access
Typically the smart card access is already set to the correct type but for completeness we will cover this in the article.
From Options - Smart Card Access attach an IDPrime MD credential that you will manage with the vSEC:CMS. The vSEC:CMS will filter the card type and present the entry in the table. There are several different types of IDPrime MD credentials, therefore the entry that is filtered will depend on the credential type. For example, if you are managing an IDPrime MD 830 credential then you would see as below.
Click the Edit button and for Smart Card Access make sure that Use minidriver if possible is selected and click Save to save and close.
If the table is empty when you attach the credential to filter for the card type then you should follow the instructions in the article Add Credential Configuration for details on how to add the correct template for the card type that you use.
1. From Templates – Card Templates click the Add button.
Click the Edit link beside General. Enter a template name and attach an IDPrime MD credential that is to be managed by this template and click the Detect button and wait for the vSEC:CMS to detect that it is an IDPrime MD credential and click Ok.
Leave all other settings as default and click Ok to close and save.
2. Click the Edit link beside Issue Card. In the User ID Options section enable Assign user ID and select the AD connection in the drop-down list.
In the Enroll Certificate Options section enable Enroll certificate(s) checkbox and click the Add button. Select the Windows logon certificate template created earlier and click Ok. Leave all other settings as is and scroll down to the bottom of the dialog and click Ok to save and close.
3. Click Ok to save and close the template.
From the Lifecycle page attach a blank IDPrime MD credential to your host.
Click the Issued oval and select the template from Select card template drop-down list and click Execute.
You will be prompted to enter your Operator passcode before the issuance will begin. Then you will be prompted to select the user from AD that the credential will be issued to. Select the user and at the end of the process you will get a short summary dialog of what operations were performed.
The credential will now show as Issued. The credential PIN by default will be blocked. You will need to set a PIN before you can use the credential. Click the Active oval followed by the Execute button. You will be prompted to authenticate again and then set a PIN that meets the policy supported on the credential. Once you complete this then the credential can be used to log onto your domain environment.
Once you complete this then the credential can be used to log onto your domain environment.