Smart Card Authentication Client Administrator's Guide June 2013 A00 www.dell.com | dell.
Contents

Overview
Configuring Smart Card Authentication Client
    Configuring printer settings for use with the application
    Changing the panel login timeout
Overview

Smart Card Authentication Client is an authentication module application that lets you secure access to printers by requiring users to log in using a Smart Card or a user name and password. You can use the application to secure access to all applications and functions on the printer home screen or to individual applications and functions. The application also provides Kerberos authentication options and a Kerberos ticket that can be used by other secured applications.
Configuring Smart Card Authentication Client

Configuring printer settings for use with the application

Even if the printer has been set up previously, make sure all settings have been configured to enable the security features of the application to work correctly.
Installing certificates automatically

For eSF v4.x printers, the CA certificate can be installed automatically.

Note: Make sure to add the printer to the Active Directory Domain. For more information on how to add the printer to the Active Directory, see the Embedded Web Server Administrator's Guide for your printer.

1 From the Embedded Web Server, click Settings or Configuration.
4 Select the correct time zone.
  Note: If you select (UTC+user) Custom, then you must configure additional settings under the Custom Time Zone Setup heading.
5 If daylight saving time (DST) is observed in your area, then select Automatically Observe DST.
6 If you are located in a nonstandard time zone or in an area that observes an alternate DST calendar, then adjust the Custom Time Zone Setup settings.
There are two ways to secure access to the printer:

• Enable a secure idle screen that restricts access to the entire home screen. When users insert a Smart Card or touch the screen, they will be prompted to authenticate before they can access the home screen.
  Note: The Background and Idle Screen application must be installed and running on the printer to enable this functionality.
• Restrict access to individual applications and functions.
d Click Modify Groups.
e Select one or more groups, and then click Save Template.

For more information on configuring security templates and using access controls, see the Embedded Web Server Administrator’s Guide for your printer.

Securing access to the home screen

Use this method to require users to authenticate to view and use the printer home screen.
On printers running eSF version 2.0:

a Access the Application Access Manager application configuration settings from the Embedded Web Server.
b From the Idle Screen drop‑down menu, select Smart Card Authentication Client.
c Click Apply.

Note: If you are unsure about which version of eSF your printer is running, then see “Checking which version of the Embedded Solutions Framework is installed on a printer” on page 28.
5 For each function to which you want to secure access, select your security template from the drop‑down menu.
6 Click Submit.

Notes:

• If you have used a built-in printer security setup to protect the Use Profiles access control, then any installed applications you secure using Smart Card Authentication Client will prompt users for credentials twice.
• For eSF v4.x printers, if a manual domain is not specified, then the printer will use the domain in the Kerberos configuration file.

To view the complete list of supported printers for each version of the Embedded Web Server, see the Readme file.

1 Access the Smart Card Authentication Client application configuration settings from the Embedded Web Server.
Using simple Kerberos setup

If you selected Use simple Kerberos setup, then enter the Kerberos information manually under the Simple Kerberos Setup heading. When you click Apply, the values you entered are used to create a Kerberos configuration file.

• Realm—Specify the Kerberos realm as configured in Active Directory. This is typically the Windows domain name. Only one realm can be specified here.
Configuring advanced settings

Not all networks require you to configure advanced settings. If necessary, adjust the settings to enable the printer to communicate on your network.

1 Access the Smart Card Authentication Client application configuration settings from the Embedded Web Server.
Type the mappings in the text file in this format: IP address, space, server host name. For example, 0.0.0.0 HostName.

You can assign multiple host names to an IP address. For example, 0.0.0.0 HostName1 HostName2 HostName3.

You cannot assign multiple IP addresses to a host name. To assign IP addresses to groups of host names, type each IP address and its associated host names on a separate line of the text file. For example: 123.123.123.
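A check for the hosts mapping format described above, run before the text file is uploaded. This is an added example, not part of the Dell guide or the application; the function name, the sample entries, the acceptance of any address the Python ipaddress module parses, and the skipping of blank lines are assumptions.

```python
import ipaddress

# Constructed sample; addresses come from the RFC 5737 documentation range.
SAMPLE = """\
192.0.2.10 dc01.example.test dc01
192.0.2.11 ocsp.example.test
192.0.2.12 dc01.example.test
not-an-ip kdc.example.test
192.0.2.13
"""


def check_hosts(text):
    """Validate 'IP address, space, host name(s)' lines.

    Returns (mappings, errors):
      mappings: lower-cased host name -> IP address string
      errors:   list of (line_number, message)
    """
    mappings, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields:
            continue  # assumption: blank lines are ignored
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append((lineno, f"invalid IP address: {ip}"))
            continue
        if not names:
            errors.append((lineno, f"{ip} has no host name"))
            continue
        for name in names:
            key = name.lower()  # host names compare case-insensitively
            if key in mappings and mappings[key] != ip:
                # The guide's rule: one host name cannot have several IP addresses.
                errors.append((lineno, f"{name} is already mapped to {mappings[key]}"))
            else:
                mappings[key] = ip
    return mappings, errors


if __name__ == "__main__":
    for lineno, message in check_hosts(SAMPLE)[1]:
        print(f"line {lineno}: {message}")
```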
Troubleshooting

Smart Card Authentication Client login issues

“A card reader was not detected on this device” error message

MAKE SURE A SUPPORTED SMART CARD READER IS ATTACHED

If you want users to access the printer using a Smart Card, then attach a supported Smart Card reader to the printer. See the Readme file for a list of supported card readers.
3 From the Filter menu, select an application status.
4 From the Application menu, select the application, and then click Submit.

If you are still unable to determine the cause of the error, then you may need to replace the card.
The printer home screen fails to return to a locked state when not in use

Try one or more of the following:

MAKE SURE ALL REQUIRED APPLICATIONS ARE INSTALLED AND RUNNING

Smart Card Authentication Client, Application Access Manager, and the authentication token for your Smart Card must be installed and running in order to restrict access to the printer home screen or to individual home screen applications and functions.
“Kerberos configuration file is not properly formatted” error message

This system log error indicates that the Kerberos configuration file contains incorrect information, is missing information, or is not formatted properly.

MODIFY THE INSTALLED KERBEROS CONFIGURATION FILE

If you used the device Kerberos setup file, then modify and reinstall the file. If you used simple Kerberos setup, then modify the simple Kerberos setup settings.
“The domain controller did not respond within the required time; the domain controller timeout may need to be increased” error message

Try one or more of the following:

INCREASE THE DOMAIN CONTROLLER TIMEOUT

If you used the device Kerberos setup file, then increase the number of seconds specified for the timeout entry in the file. When you are done, reinstall the file on the printer.
“The domain controller issuing certificate has not been installed” error message

This system log error indicates that the required Certificate Authority (CA) certificate is not installed or that an incorrect certificate is installed. If an incorrect certificate is installed, then the error message specifies the name of the certificate that is needed: “The domain controller issuing certificate [NAME OF CERTIFICATE] has not been installed.
“Unable to contact the domain controller for the user’s realm” error message

This system log error indicates that the domain, realm, or domain controller specified in the Kerberos configuration file is incorrect.

CHECK THE DOMAIN, REALM, AND DOMAIN CONTROLLER IN THE KERBEROS CONFIGURATION FILE

If you used the device Kerberos setup file, then:

1 From the Embedded Web Server, click Settings or Configuration.
2 Click Security > Security Setup > Kerberos 5 > View File.
CHECK THE DOMAIN CONTROLLER VALIDATION METHOD

1 Access the application configuration settings from the Embedded Web Server.
2 Under the Smart Card Setup heading, make sure you selected the correct method from the Domain Controller Validation menu. For information about configuring this setting, see “Selecting the domain controller validation method” on page 12.
3 Click Apply.
“An error occurred while trying to connect to the OCSP responder” error message

This system log error indicates that the OCSP responder URL is configured incorrectly or that the responder timed out before the application could connect to it.

Try one or more of the following:

CHECK THE OCSP RESPONDER URL

1 Access the application configuration settings from the Embedded Web Server.
“The OCSP responder certificate, stored on the printer, does not match the one returned by the responder” error message

Try one or more of the following:

CHECK THE OCSP RESPONDER CERTIFICATE

1 Access the application configuration settings from the Embedded Web Server.
2 Under the Online Certificate Status Protocol (OCSP) heading, make sure the correct certificate has been uploaded in the Responder Certificate field.
3 Click Apply.
ADD THE USER’S GROUP TO THE AUTHORIZATION LIST FOR THE PRINTER

Make sure the user’s Active Directory group is listed in the Group Authorization List field in the application configuration settings.

1 Access the application configuration settings from the Embedded Web Server.
2 Under the Advanced Settings heading, add the user’s Active Directory group to the Group Authorization List field. Separate multiple groups with a comma.
3 Click Apply.
NARROW THE LDAP SEARCH BASE

Narrow the LDAP search base to the lowest possible scope that includes all necessary users.

VERIFY THAT THE LDAP ATTRIBUTES BEING SEARCHED FOR ARE CORRECT

Make sure all LDAP attributes for the user are correct.

Smart Card Authentication Client licensing issues

License error

Try one or more of the following:

MAKE SURE THE APPLICATION IS LICENSED

Applications require a license to run.
Appendix

Configuring applications using the Embedded Web Server

Accessing application configuration settings using the Embedded Web Server

1 Obtain the printer IP address:
  • From the printer home screen
  • From the TCP/IP section in the Network/Ports menu
  • By printing a network setup page or menu settings page, and then finding the TCP/IP section
  Note: An IP address appears as four sets of numbers separated by periods, such as 123.123.123.123.
  • Click Embedded Solutions.
2 From the list of installed applications, click the name of the application you want to configure.
3 Click Configure, and then do one of the following:
  • To export a configuration to a file, click Export, and then follow the instructions on the computer screen to save the configuration file.
    Note: If a JVM Out of Memory error occurs, then repeat the export process until the configuration file is saved.
Notices

Edition notice

June 2013

The following paragraph does not apply to any country where such provisions are inconsistent with local law: THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.
property rights in and to Software are owned and retained by the manufacturer or owner of the Software. All rights not expressly granted under this Agreement are reserved by the manufacturer or owner of the Software. By opening or breaking the seal on the Software packet(s), installing, downloading, activating the Software, click-accepting these terms, or using the Software, you agree to be bound by the terms of this Agreement.
PARTICULAR PURPOSE OR ANY WARRANTY REGARDING TITLE OR AGAINST INFRINGEMENT, FOR THE SOFTWARE AND ALL ACCOMPANYING WRITTEN MATERIALS. THIS LIMITED WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS; YOU MAY HAVE OTHERS, WHICH VARY FROM JURISDICTION TO JURISDICTION.
U.S. Government Restricted Rights

The software and documentation are "commercial items" as that term is defined at 48 C.F.R. 2.101, consisting of "commercial computer software" and "commercial computer software documentation" as such terms are used in 48 C.F.R. 12.212. Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4, all U.S. Government end users acquire the software and documentation with only those rights set forth herein.
Copyright (c) 2001 Markus Friedl
Copyright (c) 2002 Olaf Kirch
Copyright (c) 2003 Kevin Stefanik

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2.