Smart Access Card Solution Administrator's Guide June 2013 A00 www.dell.com | dell.
Contents
Overview
Configuring the applications
Configuring printer settings for use with the applications
Changing the panel login timeout
Secure Scan To E-mail issues
Secure Print Jobs Release issues
LDAP issues
Licensing issues
Overview
• Smart Card Authentication Client—This lets you secure access to printers by requiring users to log in using a Smart Card or a user name and password. You can use the application to secure access to all applications and functions on the printer home screen or to individual applications and functions. The application also provides Kerberos authentication options and a Kerberos ticket that can be used by other secured applications.
Configuring the applications

Configuring printer settings for use with the applications
Even if the printer has been set up previously, make sure all settings have been configured to enable the security features of each application to work correctly.
Installing certificates automatically
For eSF v4.x printers, the CA certificate can be installed automatically.
Note: Make sure to add the printer to the Active Directory Domain. For more information on how to add the printer to the Active Directory, see the Embedded Web Server Administrator's Guide for your printer.
1 From the Embedded Web Server, click Settings or Configuration.
4 Select the correct time zone.
Note: If you select (UTC+user) Custom, then you must configure additional settings under the Custom Time Zone Setup heading.
5 If daylight saving time (DST) is observed in your area, then select Automatically Observe DST.
6 If you are located in a nonstandard time zone or in an area that observes an alternate DST calendar, then adjust the Custom Time Zone Setup settings.
Configuring Smart Card Authentication Client
Smart Card Authentication Client and Application Access Manager must be configured correctly for the other Smart Access Card Solution applications to function securely. Perform all necessary configuration steps in this section before configuring the other applications.

Securing access to the printer
Note: Before securing access to the printer, make sure the Application Access Manager application is installed and running.
Setting up group authorization for the Security Template
Notes:
• This method applies only to printers running Embedded Solutions Framework (eSF) version 3.0 or later.
• Make sure you have configured the Group Authorization List from the Smart Card Authentication Client application configuration settings. For more information, see “Configuring advanced settings” on page 14.
a b c d e From the Manage Security Templates list, select the security template name.
On printers running the Embedded Solutions Framework (eSF) version 3.0 or later:
a Make sure that you have created a security template that uses Smart Card Authentication Client to obtain user credentials. See “Setting up a security template” on page 8.
b c d e f From the Embedded Web Server, click Settings > Security > Security Setup. From Step 3 under the Advanced Security Setup heading, click Access Controls. If necessary, expand the Device Solutions folder.
Securing access to built‑in printer functions
Use this method to restrict access to built‑in printer functions, such as copy and fax.
1 Make sure you have created a security template that uses Smart Card Authentication Client to obtain user credentials. See “Setting up a security template” on page 8.
2 From the Embedded Web Server, click Settings or Configuration, and then click Security > Security Setup.
Configuring manual login setup settings
Notes:
• If users are allowed to log in to the printer manually (using a user name and password instead of a Smart Card), then specify a list of Windows domains for users to select from during login.
• For eSF v4.x printers, make sure to specify the domain or domains available for manual login to work. To view the complete list of supported printers for each version of the Embedded Web Server, see the Readme file.
Using simple Kerberos setup
If you selected Use simple Kerberos setup, then enter the Kerberos information manually under the Simple Kerberos Setup heading. When you click Apply, the values you entered are used to create a Kerberos configuration file.
• Realm—Specify the Kerberos realm as configured in Active Directory. This is typically the Windows domain name. Only one realm can be specified here.
Configuring advanced settings
Not all networks require you to configure advanced settings. If necessary, adjust the settings to enable the printer to communicate on your network.
1 Access the Smart Card Authentication Client application configuration settings from the Embedded Web Server.
2 Under the Advanced Settings heading, configure the following settings:
• Session User ID—Select how the user ID will be obtained when a user logs in:
– None—The user ID is not set.
Type the mappings in the text file in this format: IP address, space, server host name. For example, 0.0.0.0 HostName.
You can assign multiple host names to an IP address. For example, 0.0.0.0 HostName1 HostName2 HostName3.
You cannot assign multiple IP addresses to a host name.
To assign IP addresses to groups of host names, type each IP address and its associated host names on a separate line of the text file. For example:
123.123.123.123 HostName1 HostName2
456.456.456.
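The mapping rules above can be checked before the text file is uploaded. The following is an added example, not part of the original guide or of the printer firmware: the function name, the case-insensitive host name comparison, and the sample addresses and host names are assumptions made for illustration.

```python
import ipaddress

def check_host_mappings(text):
    """Validate 'IP host [host ...]' lines; return (host -> IP dict, list of errors)."""
    seen = {}      # lower-cased host name -> (IP, line number where first mapped)
    errors = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields:                       # blank line
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            errors.append(f"line {lineno}: '{fields[0]}' is not a valid IP address")
            continue
        if len(fields) == 1:
            errors.append(f"line {lineno}: {ip} has no host name")
            continue
        for name in fields[1:]:
            # Host names are compared case-insensitively (assumption of this example).
            first_ip, first_line = seen.setdefault(name.lower(), (ip, lineno))
            if first_ip != ip:
                errors.append(
                    f"line {lineno}: {name} is already mapped to {first_ip} "
                    f"on line {first_line}; a host name can have only one IP address"
                )
    return {host: ip for host, (ip, _) in seen.items()}, errors

# Constructed sample file: two valid lines, then a host name reused under a
# second IP address, an invalid address, and a line with no host name.
SAMPLE = """\
192.0.2.10 dc1.example.test dc1
192.0.2.11 dc2.example.test

192.0.2.12 DC1
300.1.1.1 kdc3
192.0.2.13
"""

if __name__ == "__main__":
    mapping, problems = check_host_mappings(SAMPLE)
    for host, ip in mapping.items():
        print(f"{host} -> {ip}")
    for problem in problems:
        print("ERROR", problem)
```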
• Secondary SMTP Gateway—If you are using a secondary or backup SMTP server, then type the server IP address or host name.
• Secondary SMTP Gateway Port—If you are using a secondary or backup SMTP server, then enter the server port number.
• SMTP Timeout—Specify the number of seconds the printer will wait for a response from the SMTP server before timing out.
• Reply Address—Make sure this field is cleared.
• Transmission Log—The recommended setting is Print only for error.
• E-mail Bit Depth—Select 8 bit for grayscale imaging or 1 bit for black and white.
4 Adjust the other scan settings if necessary.
5 Click Submit.

Configuring the address book
Configuring these settings enables users to search your network global address book for e-mail addresses.
1 From the Embedded Web Server, click Settings or Configuration.
2 Click Network/Ports > Address Book Setup.
Configuring the application settings

Configuring digital signing
1 Access the application configuration settings from the Embedded Web Server.
2 Configure the following setting:
• Sign E‑mail—Do one of the following:
– Select Prompt User to let users choose to digitally sign their e-mail.
– Select Disabled to disable digital signing.
– Select Always Sign to require all e‑mail to be digitally signed.
To secure access to the e‑mail function and specify where to get the user’s e‑mail address:
1 Make sure you have created a security template that uses Smart Card Authentication Client to obtain user credentials. See “Setting up a security template” on page 8.
2 From the Embedded Web Server, click Settings or Configuration, and then click Security > Security Setup.
3 From Step 3 under the Advanced Security Setup heading, click Access Controls.
5 Under the Location heading, select Network Folder, and then configure the location settings.
6 Under the Authentication Options heading, select Use Kerberos authentication. The Kerberos credentials from Smart Card Authentication Client will be used to access the network destination.
Notes:
• This option is visible if the location is set to Network Folder.
• If you select this option, then make sure that Use MFP authentication credentials is also selected.
Configuring Secure Print Jobs Release
Note: Before configuring Secure Print Jobs Release, make sure you have configured all necessary Smart Card Authentication Client security settings. See “Configuring Smart Card Authentication Client” on page 8.

Configuring and securing the application
1 2 Configure the following settings:
• Icon Text—Specify a name for the application icon that appears on the printer home screen.
f Under Advanced Security Setup in step c, click Access Controls.
g If necessary, expand the Device Solutions or Apps folder.
h From the Secure Print Jobs Release menu, select your security template, and then click Submit.
On printers running eSF version 2.0:
a From the Embedded Web Server, access the configuration page for the Application Access Manager application.
b From the Secure Print Jobs Release menu, select Smart Card Authentication Client.
c Click Apply.
Using the applications

Using Secure Scan To E-mail
Note: If manual login is enabled, then the “Wait for user information” option must be selected in the Smart Card Authentication Client application configuration settings. See “Configuring advanced settings” on page 14. This ensures that a manual login user’s e‑mail address is stored in the login session and is available for use with Secure Scan To E‑mail.
10 For encrypted e‑mail to be sent to a recipient, the recipient must be in the global address book and must have a valid encryption certificate. If an encryption certificate error message appears, then follow the instructions on the screen:
• If the message “Cannot encrypt e‑mail for one or more recipients” appears, then do one of the following:
– Select Send encrypted e‑mail only to send encrypted e‑mail only to recipients who have encryption certificates.
Using Secure Print Jobs Release

Printing held jobs
1 With a document open, click File > Print.
2 Select the print‑and‑hold feature:
• For Windows users, click Properties, Preferences, Options, or Setup. Then click Print and Hold, or click Other Options > Print and Hold.
• For Macintosh users, select Job Routing from the print options or the “Copies & Pages” menu.
Troubleshooting

Smart Card Authentication Client login issues

“A card reader was not detected on this device” error message
MAKE SURE A SUPPORTED SMART CARD READER IS ATTACHED
If you want users to access the printer using a Smart Card, then attach a supported Smart Card reader to the printer. See the Readme file for a list of supported card readers.
3 From the Filter menu, select an application status.
4 From the Application menu, select the application, and then click Submit.
If you are still unable to determine the cause of the error, then you may need to replace the card.
The printer home screen fails to return to a locked state when not in use
Try one or more of the following:
MAKE SURE ALL REQUIRED APPLICATIONS ARE INSTALLED AND RUNNING
Smart Card Authentication Client, Application Access Manager, and the authentication token for your Smart Card must be installed and running in order to restrict access to the printer home screen or to individual home screen applications and functions.
“Kerberos configuration file is not properly formatted” error message
This system log error indicates that the Kerberos configuration file contains incorrect information, is missing information, or is not formatted properly.
MODIFY THE INSTALLED KERBEROS CONFIGURATION FILE
If you used the device Kerberos setup file, then modify and reinstall the file. If you used simple Kerberos setup, then modify the simple Kerberos setup settings.
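A Kerberos setup file can be checked for the three conditions named above (incorrect, missing, or badly formatted information) before it is reinstalled. The following is an added example, not part of the original guide or of the printer firmware: it assumes the file follows standard MIT krb5.conf syntax, and the function names, realm names and host names are constructed for illustration.

```python
import re

def parse_krb5(text):
    """Parse MIT-style krb5.conf text; return (conf, syntax_errors)."""
    conf, errors = {}, []
    section = block = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":              # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            if block is not None:
                errors.append(f"line {n}: new section before '}}' closes the block")
            section, block = conf.setdefault(header.group(1), {}), None
            continue
        if line == "}":
            if block is None:
                errors.append(f"line {n}: '}}' without a matching '{{'")
            block = None
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if section is None or not (sep and key and value):
            errors.append(f"line {n}: expected 'key = value' inside a [section]")
        elif value == "{":
            block = section[key] = {}                # e.g. REALM = { ... }
        else:
            target = section if block is None else block
            values = target.setdefault(key, [])
            if isinstance(values, list):
                values.append(value)
            else:
                errors.append(f"line {n}: '{key}' is already defined as a block")
    if block is not None:
        errors.append("end of file: a '{' block is never closed")
    return conf, errors

def check_krb5(text):
    """Return problems that would keep a client from locating its KDC."""
    conf, problems = parse_krb5(text)
    realms = {k: v for k, v in conf.get("realms", {}).items() if isinstance(v, dict)}
    default = conf.get("libdefaults", {}).get("default_realm")
    if not isinstance(default, list):
        problems.append("[libdefaults] has no default_realm")
    elif default[-1] not in realms:                  # realm names are case-sensitive
        problems.append(f"default_realm {default[-1]} has no block in [realms]")
    for name, body in realms.items():
        if not isinstance(body.get("kdc"), list):
            problems.append(f"realm {name} lists no kdc")
    for domain, target in conf.get("domain_realm", {}).items():
        if isinstance(target, list) and target[-1] not in realms:
            problems.append(f"domain {domain} maps to undefined realm {target[-1]}")
    return problems

# Constructed sample with three deliberate mistakes (all names are placeholders).
BROKEN = """\
[libdefaults]
    default_realm = example.test
[realms]
    EXAMPLE.TEST = {
        kdc = dc1.example.test
    }
    LAB.EXAMPLE.TEST = {
        admin_server dc9.lab.example.test
    }
[domain_realm]
    .example.test = EXAMPLE.TEST
"""
```

Calling `check_krb5(BROKEN)` reports the line that lacks an `=`, the lower-case default realm that matches no `[realms]` block, and the realm that has no `kdc` entry.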
“The domain controller did not respond within the required time; the domain controller timeout may need to be increased” error message
Try one or more of the following:
INCREASE THE DOMAIN CONTROLLER TIMEOUT
If you used the device Kerberos setup file, then increase the number of seconds specified for the timeout entry in the file. When you are done, reinstall the file on the printer.
“The domain controller issuing certificate has not been installed” error message
This system log error indicates that the required Certificate Authority (CA) certificate is not installed or that an incorrect certificate is installed. If an incorrect certificate is installed, then the error message specifies the name of the certificate that is needed: “The domain controller issuing certificate [NAME OF CERTIFICATE] has not been installed.
“Unable to contact the domain controller for the user’s realm” error message
This system log error indicates that the domain, realm, or domain controller specified in the Kerberos configuration file is incorrect.
CHECK THE DOMAIN, REALM, AND DOMAIN CONTROLLER IN THE KERBEROS CONFIGURATION FILE
If you used the device Kerberos setup file, then:
1 From the Embedded Web Server, click Settings or Configuration.
2 Click Security > Security Setup > Kerberos 5 > View File.
CHECK THE DOMAIN CONTROLLER VALIDATION METHOD
1 Access the application configuration settings from the Embedded Web Server.
2 Under the Smart Card Setup heading, make sure you selected the correct method from the Domain Controller Validation menu. For information about configuring this setting, see “Selecting the domain controller validation method” on page 13.
3 Click Apply.
“An error occurred while trying to connect to the OCSP responder” error message
This system log error indicates that the OCSP responder URL is configured incorrectly or that the responder timed out before the application could connect to it.
Try one or more of the following:
CHECK THE OCSP RESPONDER URL
1 Access the application configuration settings from the Embedded Web Server.
“The OCSP responder certificate, stored on the printer, does not match the one returned by the responder” error message
Try one or more of the following:
CHECK THE OCSP RESPONDER CERTIFICATE
1 Access the application configuration settings from the Embedded Web Server.
2 Under the Online Certificate Status Protocol (OCSP) heading, make sure the correct certificate has been uploaded in the Responder Certificate field.
3 Click Apply.
ADD THE USER’S GROUP TO THE AUTHORIZATION LIST FOR THE PRINTER
Make sure the user’s Active Directory group is listed in the Group Authorization List field in the application configuration settings.
1 Access the application configuration settings from the Embedded Web Server.
2 Under the Advanced Settings heading, add the user’s Active Directory group to the Group Authorization List field. Separate multiple groups with a comma.
3 Click Apply.
“No signing certificate is available to sign your e-mail. Press Next to continue without digital signature” or “The e‑mail cannot be sent because your signing certificate could not be found” error message
E‑mail can be digitally signed only if users log in using a Smart Card that contains a valid signing certificate. Users cannot digitally sign e‑mail if they log in manually (using a user name and password) or if they do not have a signing certificate on their Smart Card.
If you configured the application to allow users to choose whether to encrypt their e‑mail, then the first error message is shown to users when one or more recipients do not have encryption certificates. Users can choose one of the following on the printer touch screen:
• Send encrypted e‑mail only—Encrypted e‑mail will be sent only to recipients who have encryption certificates. Recipients who do not have encryption certificates will not receive the e‑mail.
CHECK THE SMTP SERVER AUTHENTICATION SETTING
1 From the Embedded Web Server, click Settings or Configuration.
2 Click E-mail/FTP Settings > SMTP Setup.
3 Under the Authentication heading, from the SMTP Server Authentication menu, do one of the following:
• Select Kerberos 5 if the SMTP server requires user credentials.
• Select No authentication required if Kerberos is not supported.
3 Click Apply.

Secure Print Jobs Release issues

“Unable to determine user id. Contact your system administrator” error message
This error indicates that Smart Card Authentication Client is not setting the user ID for the session.
MAKE SURE THE SESSION USER ID IS SET CORRECTLY
1 Access the Smart Card Authentication Client application configuration settings from the Embedded Web Server.
LDAP issues

LDAP lookups fail
Try one or more of the following:
MAKE SURE PORT 389 (NON‑SSL) AND PORT 636 (SSL) ARE NOT BLOCKED BY A FIREWALL
The printer uses these ports to communicate with the LDAP server. The ports must be open for LDAP lookups to work.
VERIFY THAT THE ADDRESS BOOK SETUP CONTAINS THE HOST NAME FOR THE LDAP SERVER
1 From the Embedded Web Server, click Settings or Configuration.
2 Click Network/Ports > Address Book Setup.
NARROW THE LDAP SEARCH BASE
Narrow the LDAP search base to the lowest possible scope that includes all necessary users.
VERIFY THAT THE LDAP ATTRIBUTES BEING SEARCHED FOR ARE CORRECT
Make sure all LDAP attributes for the user are correct.

Licensing issues

License error
A license error can occur if there is a problem with the Smart Access Card Solution application or its license.
Appendix

Accessing application configuration settings using the Embedded Web Server
1 Obtain the printer IP address:
• From the printer home screen
• From the TCP/IP section in the Network/Ports menu
• By printing a network setup page or menu settings page, and then finding the TCP/IP section
Note: An IP address appears as four sets of numbers separated by periods, such as 123.123.123.123.
2 Open a Web browser, and then type the printer IP address in the address field.
Licensing applications
Applications require a valid electronic license to run on select printers. For more information on purchasing a license for an application, or for any other licensing information, contact your Dell representative.
Notices

Edition notice
June 2013
The following paragraph does not apply to any country where such provisions are inconsistent with local law: THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.
property rights in and to Software are owned and retained by the manufacturer or owner of the Software. All rights not expressly granted under this Agreement are reserved by the manufacturer or owner of the Software. By opening or breaking the seal on the Software packet(s), installing, downloading, activating the Software, click-accepting these terms, or using the Software, you agree to be bound by the terms of this Agreement.
PARTICULAR PURPOSE OR ANY WARRANTY REGARDING TITLE OR AGAINST INFRINGEMENT, FOR THE SOFTWARE AND ALL ACCOMPANYING WRITTEN MATERIALS. THIS LIMITED WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS; YOU MAY HAVE OTHERS, WHICH VARY FROM JURISDICTION TO JURISDICTION.
U.S. Government Restricted Rights
The software and documentation are "commercial items" as that term is defined at 48 C.F.R. 2.101, consisting of "commercial computer software" and "commercial computer software documentation" as such terms are used in 48 C.F.R. 12.212. Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4, all U.S. Government end users acquire the software and documentation with only those rights set forth herein.
Copyright (c) 2001 Markus Friedl
Copyright (c) 2002 Olaf Kirch
Copyright (c) 2003 Kevin Stefanik
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2.