It is possible to configure workflows such that when a domain user logs on to their workstation, and that user is a member of a specific Windows group, a Virtual Credential (VC) issuance flow is triggered. This gives control over which users can be issued a VC via self-service.
In order to use this feature, the vSEC:CMS User Self-Service (USS) application will need to run in the system tray of the host and the RSDM service will need to be running on the host.
Additionally, using this feature it will be possible to capture information around user behavior when using the self-service workflow. The behavior that can be captured is as follows:
- When the self-service issuance dialog is presented to the user;
- If the user clicks the cancel button from the issuance dialog;
- Whether the issuance succeeded or failed.
The article will cover the following:
- Setup a template that will allow you to create and issue a Windows logon certificate to a VC credential;
- Automatically start the creation and issuance of a VC with a Windows logon certificate on a client when a user who is a member of a specific domain group logs on;
- Perform Windows logon with the VC.
Note: The PKI used here will be a Microsoft Certificate Authority (CA). If another CA is to be used please refer to the Administration guide for details on configuring a connection to such a CA.
Important: At a minimum you must already have successfully completed the configuration steps described in the article Manage Virtual Credentials using vSEC:CMS User Self-Service; the configuration below builds on that setup. The instructions in this document apply regardless of whether you are running the evaluation version or a production version.
1. On the client side a registry value must be set: a DWORD named cms.issuance.mngmt.enabled with a value of 1. If the client is a 64-bit operating system, create it under this key:
If the client is a 32-bit operating system then create the key here:
Note: This setting can be set through GPO. See the article Configure Windows GPO and the section Enable user enrollment for details.
2. Configure the Windows group (by DN) whose members, or the individual users who, will be allowed to use this functionality. The credential template that will be used is configured in the same place.
From Repository - Device Management - Enrollment Configuration, select the credential template that will be used from the available drop-down list.
Click the Add user or group button to select a group or individual user that will be allowed to use this functionality.
For example, if users who are members of VSC Logon Group should be prompted to create and issue a credential using the pre-configured card template MS VSC (VSC) when they log on to their workstation, select the MS VSC (VSC) template from the drop-down list and add the group VSC Logon Group, as in the example above.
Important: On the client side the USS should be running in the system tray.
When a user logs on to their client and is a member of the Windows group VSC Logon Group (as in the example above), RSDM will trigger the automatic issuance flow.
Enter the domain user details, if configured, and set the PIN for the credential.
Once this completes, the credential can be used to log on to your domain environment.
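As an added example (this script is not part of the vSEC:CMS documentation or product), the following PowerShell performs step 1 from an elevated session and then checks the client-side preconditions for the flow described above: the DWORD is present with the right type and value, the RSDM service is running, the USS tray application is running, and the current logon token contains the configured group. The registry key location is not repeated here; pass the path from step 1 as -KeyPath. The Windows service name 'RSDM', the USS process name 'USS' and the group name 'VSC Logon Group' are assumptions (the last one is the article's own example) and should be adjusted to match your installation.

```powershell
<#
Added example, not vSEC:CMS product code. Assumptions (adjust as needed):
  -KeyPath         registry key from step 1 of the article (no default on purpose)
  -ServiceName     assumed Windows service name for RSDM
  -UssProcessName  assumed process name of the USS tray application
  -GroupName       the group from the article's example
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string]$KeyPath,
    [string]$ServiceName    = 'RSDM',             # assumption
    [string]$UssProcessName = 'USS',              # assumption
    [string]$GroupName      = 'VSC Logon Group'
)

$ValueName = 'cms.issuance.mngmt.enabled'

# Writing under HKLM requires an elevated session; fail early instead of half-applying.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Step 1: the article gives different key locations for 32-bit and 64-bit clients,
# so report the bitness next to the path that was supplied, then create the value.
$bitness = if ([Environment]::Is64BitOperatingSystem) { '64-bit' } else { '32-bit' }
Write-Host "Client OS is $bitness; writing $ValueName under $KeyPath"
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

# Read back and verify both the value AND the type: a REG_SZ "1" created by hand
# is not the DWORD the article asks for, so check the kind, not just the number.
$key  = Get-Item -Path $KeyPath
$kind = $key.GetValueKind($ValueName)
$val  = $key.GetValue($ValueName)
if ($kind -ne 'DWord' -or $val -ne 1) {
    throw "Unexpected registry value: kind=$kind value=$val (expected DWord 1)"
}
Write-Host "$ValueName = $val ($kind) verified."

# Host prerequisites: RSDM service running and USS present in the tray.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    Write-Warning "Service '$ServiceName' is not running (status: $($svc.Status)); the logon trigger will not fire."
} else {
    Write-Host "Service '$ServiceName' is running."
}
if (Get-Process -Name $UssProcessName -ErrorAction SilentlyContinue) {
    Write-Host "USS tray application ('$UssProcessName') is running in this session."
} else {
    Write-Warning "USS tray application ('$UssProcessName') is not running; start it before testing."
}

# Group membership: the trigger only applies to members of the configured group.
# whoami /groups lists the groups in the current logon token, which is what is
# evaluated at logon; a user added to the group after logging on must log off and on again.
$groupLines = (whoami /groups) -match [regex]::Escape($GroupName)
if ($groupLines) {
    Write-Host "Current user's logon token contains '$GroupName'."
} else {
    Write-Warning "Current user is not a member of '$GroupName' in this token; no issuance prompt will appear."
}
```

The same DWORD can be pushed to every client through GPO as noted above; this script is useful on a single test client to confirm that the value, the service and the tray application are all in place before expecting the prompt at the next logon.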