Authentication Unit AU-211P For User’s Guide
1 Introduction

Thank you for choosing this device.

This User’s Guide provides descriptions of the operating procedures and precautions for using Authentication Unit (IC Card Type) AU-211P. Carefully read this User’s Guide before using this device.

The actual screens that appear may be slightly different from the screen images used in this User’s Guide.
1.1 Safety Information

Carefully read this information, and then store it in a safe place.
- Before using this device, carefully read this information and follow it to operate the device correctly. After reading this information, store it in the designated holder with the warranty.

Important information
- The reprinting or reproduction of the content of this publication, either in part or in full, is prohibited without prior permission.
Regulation notices

USER INSTRUCTIONS FCC PART 15 - RADIO FREQUENCY DEVICES (For U.S.A. Users)

FCC: Declaration of Conformity
Product Type | Authentication Unit (IC Card Type)
Product Name | AU-211P

(This device complies with Part 15 of the FCC Rules.)
Operation is subject to the following two conditions: (1) this device may not cause interference, and (2) this device must accept any interference, including interference that may cause undesired operation of this device.
INTERFERENCE-CAUSING EQUIPMENT STANDARD (ICES-003 ISSUE 4) (For Canada Users)

(This device complies with RSS-Gen of IC Rules.)
Operation is subject to the following two conditions: (1) this device may not cause interference, and (2) this device must accept any interference, including interference that may cause undesired operation of this device.

This Class B digital apparatus complies with Canadian ICES-003.
Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada.
2 Getting Started

2.1 Product Overview

This product is a PKI card authentication unit that scans a PKI card (CAC or PIV card) to perform personal authentication. Connecting this unit enables you to run a PKI card authentication system (hereinafter referred to as "this system") that uses the PKI card authentication unit on the MFP.
2.2 Part names and their functions

No. | Part name | Description
1 | Card inlet | Used to insert the PKI card.
2 | LED lamp | Turns green when you log in using the PKI card. Blinks green during authentication.
3 | USB cable | Used for connecting this device to the multifunctional product.
2.3 Pre-Setting

To use this system, pre-configure the following settings on the MFP.
- 2.3.
Item | Description
Subnet Mask | When directly entering the IP address, specify the subnet mask for the connected network.
Default Gateway | When directly entering the IP address, specify the default gateway for the connected network.

IPv6 Settings

Note
These settings are required when using the MFP in an IPv6 environment.

Item | Description
ON/OFF | Select [ON] when using the MFP in an IPv6 environment.
Auto IPv6 Settings | Select [ON] when automatically retrieving the IPv6 address.
Item | Description
Search Domain Name Auto Retrieval | Select whether to automatically retrieve the search domain name. This item is available when using DHCPv6.
Default DNS Domain Name | Specify the domain name that the MFP is connected to (up to 255 bytes with the host name).
DNS Search Domain Name 1 to 3 | Specify the DNS search domain name (up to 253 bytes).

2.3.2 Registering Active Directory for Authentication

Register Active Directory for authentication in the MFP.
2.3.3 Correcting the MFP Time

You cannot log in to Active Directory if the MFP system time differs greatly from the Active Directory time. Correct the MFP system time so that it matches the Active Directory time.

Time Adjustment Setting

On the MFP control panel, press the [Utility/Counter] key, and then [Administrator Settings] - [Network Settings] - [Forward] - [Detail Settings] - [Time Adjustment Setting].

Page 1/2
Item | Description
ON/OFF | Select [ON].
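One way to confirm that a clock is close enough to the Active Directory time when PKI card logins fail, as an added example that is not from this User's Guide or the vendor. It assumes the time source answers SNTP on UDP port 123 and that the domain uses the default Kerberos tolerance of 5 minutes; the function names, the device clock reading and the sample reply are constructed for illustration.

```python
"""Kerberos clock-skew check against an SNTP reply (added example)."""
import socket
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
KERBEROS_MAX_SKEW = 300       # assumption: the default 5-minute tolerance is in use


class TimeSourceError(ValueError):
    """The reply cannot be trusted as a time reference."""


def parse_sntp_reply(packet):
    """Return the server transmit time (Unix seconds) from a 48-byte reply."""
    if len(packet) < 48:
        raise TimeSourceError("reply shorter than 48 bytes")
    leap, mode, stratum = packet[0] >> 6, packet[0] & 0x07, packet[1]
    if mode != 4:
        raise TimeSourceError("not a server reply (mode %d)" % mode)
    if stratum == 0:
        # Stratum 0 is a kiss-o'-death message; bytes 12-15 carry the code.
        raise TimeSourceError("kiss-o'-death reply: %r" % packet[12:16])
    if leap == 3:
        raise TimeSourceError("server reports an unsynchronized clock")
    # Transmit timestamp: 32-bit seconds since 1900 plus a 32-bit fraction.
    seconds, fraction = struct.unpack("!II", packet[40:48])
    if seconds == 0:
        raise TimeSourceError("empty transmit timestamp")
    return seconds - NTP_UNIX_DELTA + fraction / 2 ** 32


def check_skew(device_time, packet, tolerance=KERBEROS_MAX_SKEW):
    """Compare a device clock reading (Unix seconds) with the server's time."""
    skew = device_time - parse_sntp_reply(packet)
    return {"skew_seconds": skew, "within_tolerance": abs(skew) <= tolerance}


def query_time_source(host, timeout=3.0):
    """Fetch one reply from a live server on UDP 123 (not used by the sample)."""
    request = bytes([0x23]) + bytes(47)   # LI=0, version 4, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 123))
        return sock.recvfrom(512)[0]


def build_sample_reply(unix_time, leap=0, stratum=2, mode=4):
    """Constructed reply for offline use; only the fields parsed above are set."""
    header = struct.pack("!BBbb", (leap << 6) | (4 << 3) | mode, stratum, 6, -20)
    seconds = int(unix_time) + NTP_UNIX_DELTA
    fraction = int((unix_time % 1) * 2 ** 32)
    # 36 zero bytes stand in for root delay/dispersion, reference ID and the
    # reference, originate and receive timestamps.
    return header + bytes(36) + struct.pack("!II", seconds, fraction)


if __name__ == "__main__":
    server_time = 1262304000.5            # constructed: 2010-01-01 00:00:00.5 UTC
    reply = build_sample_reply(server_time)
    for label, reading in (("2 min fast", server_time + 120),
                           ("15 min slow", server_time - 900)):
        print(label, check_skew(reading, reply))
```

The parser rejects replies that say the server itself is unsynchronized, so a misconfigured time source is not mistaken for a valid reference.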
2.3.4 Registering the DNS Server Associated with Active Directory

Register the DNS server associated with Active Directory in the MFP.

DNS Server Settings (IPv4)

On the MFP control panel, press the [Utility/Counter] key, and then [Administrator Settings] - [Network Settings] - [TCP/IP Settings] - [DNS Server Settings (IPv4)].

Item | Description
DNS Server Auto Obtain | Select whether to automatically obtain the DNS server address. This item is available when using DHCP.
Item | Description
DNS Server Auto Obtain | Select whether to automatically obtain the DNS server address. This item is available when using DHCPv6.
Priority DNS Server | Specify the IPv6 address of the priority DNS server associated with Active Directory.
Secondary DNS Server 1 and 2 | Specify the IPv6 address of the secondary DNS server associated with Active Directory.

2.3.5 Specifying the PIV Transitional Mode

Specify the PIV transitional mode.
2.3.6 Configuring Settings for Verifying the Active Directory Certificate

Configure the certificate verification settings to verify the Active Directory certificate when communicating with Active Directory.

Certificate Verification Setting

On the MFP control panel, press the [Utility/Counter] key, and then [Administrator Settings] - [User Authentication/Account Track] - [Certificate Verification Setting].
Certificate Verification Settings

In the PageScope Web Connection administrator mode, select [Security], and then [Certificate Verification Settings].

Note
For details on how to use PageScope Web Connection, refer to the User's Guide [Network Administrator] supplied together with the MFP.

Item | Description
Certificate Verification Settings | Select [ON] to enable certificate verification.
Timeout | Enter the timeout period to check the expiration date.
Item | Description
Proxy Server Port Number | Enter the port number for the proxy server.
User Name | Enter the user name to log in to the proxy server (up to 63 characters).
Password | Enter the password to log in to the proxy server (up to 63 characters). When changing the registered password, select [Password is changed.], and enter a new password.
External Certificate Setting

In the PageScope Web Connection administrator mode, select [Security], and then [PKI Settings] - [External Certificate Setting].

Detail
• To check the root signature in Certificate Verification, register the external certificate you want to view when checking the root signature as necessary.
• For details on how to use PageScope Web Connection, refer to the User's Guide [Network Administrator] supplied together with the MFP.
Item | Description
File | Click [Browse] in the Import Certificates (PEM/DER) screen, and specify a new external certificate to be registered.
• If [Trusted CA Root Certificate] is selected, register the root certificate from the CA (Certificate Authority).
• If [Trusted CA Intermediate Certificate] is selected, register the intermediate certificate from the CA (Certificate Authority).
2.4 Operation Settings

When operating this system, configure the following settings to ensure a higher level of security.

Disabling the OpenAPI function

To associate the MFP with PageScope Authentication Manager, register the MFP in the initial setting of PageScope Authentication Manager, and then disable the OpenAPI function of the MFP. However, the initial setting results in the MFP administrator password being made public on the network.
3 How to Use the Authentication Unit

This chapter explains how to log in and log out using this unit and also describes the functions for use with this system.

Note
The following explains the procedures applicable in the normal display mode. This unit is also available in the Enlarge Display mode. For details on the Enlarge Display mode, refer to the User's Guide [Enlarge Display Operations] supplied together with the MFP.

3.1 Login and Logout

3.1.
Detail
• If you insert a PKI card into the unit while logged in as a public user, you will be logged out as a public user and the PIN code entry screen appears. However, even if logged in as a public user, you will not be logged out by inserting a PKI card during operations, when warnings occur, or when a screen that you cannot log out by pressing the [ID] key on the control panel is displayed.
Detail
When Account Track is enabled, use the PKI card to perform user authentication before account authentication. When Account Track is enabled on the MFP that supports this system, user authentication is forcibly associated with account authentication.

3.1.2 Logout

To log out of the MFP, pull the PKI card out of this unit.

Detail
• If a PKI card is used to log in to the MFP, you cannot log out by pressing the [ID] key on the control panel.
3.2 Functions Using the PKI Card Authentication System

This section explains the functions using the PKI card authentication system.

Function | Description
Address Search (LDAP) using PKI card (p. 25) | Logs into the LDAP server using the Kerberos authentication ticket that is obtained by Active Directory authentication with the PKI card when searching for the destination via the LDAP server.
3.3 Address Search (LDAP) Using PKI Card

3.3.1 Overview

This function logs in to the LDAP server using the Kerberos authentication ticket that is obtained by Active Directory authentication with the PKI card when searching for the destination via the LDAP server. If a Kerberos authentication ticket is used to authenticate the LDAP server, the user can use the LDAP server securely without making the password public on the network.
3.3.2 Related Settings

This section explains how to configure the address search (LDAP) settings on the MFP that supports this system.

Enabling LDAP

Configure settings to use the LDAP server.

On the MFP control panel, press the [Utility/Counter] key, and then [Administrator Settings] - [Network Settings] - [LDAP Settings] - [Enabling LDAP].

Item | Description
Enabling LDAP | Select [ON].

Setting Up LDAP

Register the desired LDAP server to search for the destination.
Item | Description
LDAP Server Name | Specify the LDAP server name (up to 32 characters).
Max. Search Results | Enter the maximum number of items that can be received as address search (LDAP) results.
Timeout | Specify the timeout period for address search (LDAP).
Initial Setting for Search Details | Specify address search (LDAP) conditions.
Change Search Attribute | Select the attribute of the name used for LDAP searching.
Item | Description
Authentication Type | Select the authentication method to connect to the LDAP server. When connecting to the LDAP server using the Kerberos authentication method, select [GSSSPNEGO]. Then specify the domain name of the Active Directory in [Domain Name]. When specifying the LDAP server with an anonymous user enabled, you can select [Anonymous].
Referral Setting | Select whether to use the referral function. Match the LDAP server environment.

3.3.3
When multiple LDAP servers are registered

1 Select the LDAP server to be the target for LDAP search.
  – Multiple LDAP servers can be selected.
2 Press [OK].
  Perform authentication using the Kerberos authentication ticket, and connect to the LDAP server.
3 Select the desired method to search for the destination.
  – You can check the authentication result of each server by pressing the number key of a desired LDAP server.
Note
For details on the address search (LDAP) function, refer to the User's Guide [Network Scan/Fax/Network Fax Operations] supplied together with the MFP.
3.4 SMB TX Using PKI Card

3.4.1 Overview

This function logs into the destination computer using the Kerberos authentication ticket that is obtained by Active Directory authentication with the PKI card when sending scanned data via SMB. If the Kerberos authentication ticket is used for authentication in the destination computer, the user can carry out SMB TX securely without making the password public on the network.
3.4.2 Related Settings

This section explains how to configure the SMB TX settings on the MFP that supports this system.

Client Settings

Configure the setting to perform SMB TX.

On the MFP control panel, press the [Utility/Counter] key, and then [Administrator Settings] - [Network Settings] - [SMB Settings] - [Client Settings].

Item | Description
ON/OFF | Select [ON].
SMB Authentication Setting | Select the SMB TX authentication method.
Item | Description
Password Authentication Restriction | For authentication with the PKI card, this system uses the Kerberos authentication ticket that is obtained from Active Directory with the Kerberos authentication when performing SMB TX. In this item, select the operation required when authentication has failed using the Kerberos authentication ticket. If [Limit] is selected, it results in an authentication failure.
3.4.3 Using SMB TX

SMB TX

Use the Fax/Scan screen on the MFP control panel to specify the target SMB address. When SMB TX starts, you can use the Kerberos authentication ticket to log into the destination computer and save scanned data in a shared folder.

Note
• For details on how to register the SMB address or use SMB TX, refer to the User's Guide [Network Scan/Fax/Network Fax Operations] supplied together with the MFP.
Searching for SMB address

If [Reference] is pressed to register or specify the SMB address, the system searches for computers on the Windows network to enable you to register or specify the desired one as a destination. If a PKI card is used to log in to the MFP, log in to the searched computer using the Kerberos authentication ticket to register or specify it as a destination.
3.5 Scan to E-mail (S/MIME) Using PKI Card

3.5.1 Overview

This function uses the PKI card to add a digital signature when sending an e-mail. Sending an e-mail with a digital signature enables you to prove you are the e-mail sender. If a certificate is registered in the target address, you can combine this function with e-mail encryption when sending an e-mail.
3.5.2 Related Settings

This section explains how to configure settings to encrypt an e-mail or add a digital signature on the MFP that supports this system.

S/MIME Communication Settings

Configure settings to encrypt an e-mail and add a digital signature.

On the MFP control panel, press the [Utility/Counter] key, and then [Administrator Settings] - [Network Settings] - [E-Mail Settings] - [S/MIME Communication Settings].
Item | Description
Certificate Verification Level Settings | To verify the server certificate, configure settings to verify the certificate.
[Expiration Date]: Select whether to check that the server certificate is within the validity period.
[Key Usage]: Select whether to check that the server certificate is used according to the purpose approved by the issuer.
[Chain]: Select whether to check that the server certificate chain (certification path) is correct.
3.5.3 Encrypting an E-Mail and Adding a Digital Signature

Display the Fax/Scan screen on the MFP control panel, and press [Communication Settings].
- To encrypt an e-mail, press [E-Mail Encryption].
- If [Select when sending] is selected to add a digital signature, press [Digital Signature]. If [Always add signature] is selected, a digital signature will be automatically added.
3.6 PKI Card Print

3.6.1 Overview

This function encrypts print data using the PKI card before sending the data from the printer driver to the MFP. The print data is saved in the PKI Encrypted Document User Box of the MFP, and the same user can perform authentication at the MFP with the PKI card to decrypt and print the data.
3.6.2 Installing the Printer Driver

To use PKI Card Print, install a printer driver compatible with this system in the computer.

Required System Environment

The printer drivers are available in the following environment.
Type | Page description language | Supported Operating System
PS driver | PostScript 3 Emulation |
  Windows 2000 Professional (SP4 or later)
  Windows XP Home Edition (SP1 or later)
  Windows XP Professional (SP1 or later)
  Windows XP Professional x64 Edition
  Windows Vista Home Basic *
  Windows Vista Home Premium *
  Windows Vista Business *
  Windows Vista Enterprise *
  Windows Vista Ultimate *
  Windows 7 Home Basic
  Windows 7 Home Premium *
  Windows 7 Professional *
  Windows 7
Installing the printer driver

The installer enables you to easily install the printer driver by following the instructions displayed on the pages.

Note
Administrator authority is required to install the printer driver on your computer.

1 Start the installer.
2 Check the contents of the license agreement, and click [AGREE].
  – If you disagree, you will not be able to install the driver.
3
3.6.3 Specifying the Print Data Deletion Time

The data encrypted with the PKI card is deleted from the PKI Encrypted Document User Box of the MFP after it has been saved in the User Box and printed on the MFP. However, if unprinted print data in the PKI Encrypted Document User Box exceeds the User Box upper limit, new data cannot be saved in the User Box.
3.6.4 Handling PKI Card Print

The following explains how to handle PKI Card Print.

Sending print data (Printer driver setting)

Use the following steps to configure the printer driver setting when encrypting print data using the PKI card and sending it to the MFP.

1 Click [Print] in the menu of the application software.
2 Select the desired printer.
3 Click [Properties] or [Preferences].
4 Click the [Basic] tab.
5 Click [Authentication/Account Track].
  – If Account Track is enabled, enter the [Department Name] and [Password] under [Account Track]. To enable Account Track, configure the printer driver setting separately. For details on setting, refer to the User's Guide [Print Operations] supplied together with the MFP.
7 Under [Output Method], select [PKI Card Print], and click [OK].
8 Send print data.
Detail
• If the MFP is associated with PageScope Authentication Manager, and the user is not registered in PageScope Authentication Manager or the user has no print privileges, an authentication failure will occur, and the print job will be discarded.
• To print without using a PKI card, select the [Other] tab, and then clear the [IC card is used] check box. In this case, perform authentication according to the [User Authentication] setting in step 6.
MFP printing

The following explains how to print data on the MFP. The MFP provides two printing methods: (1) printing data simultaneously with authentication and (2) selecting and printing data in the PKI Encrypted Document User Box after authentication.
- Using method (1), you can insert the PKI card into the MFP and perform authentication to easily print the relevant user's data.
Detail
If necessary, this function also prints data in the ID & Print User Box. For details on ID & Print, refer to the User's Guide [Print Operations] supplied together with the MFP.

1 Press [Access], and insert the PKI card into the authentication unit attached to the MFP.
2 Enter the PIN code and to log into the MFP.
3.7 Scan To Me

3.7.1 Overview

Scan To Me is a function that sends scanned data to the user's e-mail address. This function is useful when frequently sending scanned data to the user's address. Using this function, the user can obtain the authenticated user's e-mail address using the LDAP protocol to easily send data to the obtained address.
[Figure: Scan To Me flow. Labels: Active Directory, PKI Card, E-mail, Send to the user’s address; steps (1) to (6)]

(1) Insert the PKI card into the MFP to perform Active Directory authentication.
(2) Obtain the user's e-mail address.
(3) Send the e-mail to the user's e-mail address. If necessary, the user can use the PKI card to encrypt an e-mail or add a digital signature.
(4) Take the PKI card to the computer.
3.7.2 Before Using Scan To Me

Restrictions

The following restrictions are applied for use of the Scan to Me function.
- The user cannot directly enter the address using e-mail TX, FTP TX, SMB TX, WebDAV TX, or Save in User Box.
- The user cannot use Annotation User Box.
- The user cannot save documents using the User Box function.
- The user cannot use the URL notification function.
- The user cannot use the TSI distribution function.
3.7.4 Handling Scan To Me

The following explains how to handle Scan To Me on the MFP.

Detail
• If the correct settings are configured to use Scan To Me, [Me] appears on the Fax/Scan screen to send data to the user's e-mail address.
• If the system fails to obtain the certificate in the PKI card when encrypting the e-mail to the user's address using the PKI card, [Me] will not appear.
3.8 Scan To Home

3.8.1 Overview

Scan To Home is a function that sends scanned data to the user's computer. This function is effective when frequently sending scanned data to the user's address. The user can obtain the position of the user's Home folder from Active Directory, and easily send data to the user's Home folder.
3.8.2 Before Using Scan To Home

Restrictions

The following restrictions are applied for use of the Scan to Home function.
- The user cannot directly enter the address using E-mail TX, FTP TX, SMB TX, WebDAV TX, or Save in User Box.
- The user cannot use Annotation User Box.
- The user cannot save documents using the User Box function.
- The user cannot send documents from User Boxes.
- The user cannot use the URL notification function.
3.8.3 Related Settings

The following explains the settings required to use the Scan To Home function.

Obtaining the Home folder position

Configure the setting to enable the user to obtain the position of the user's Home folder from Active Directory.

Client Setting

Configure the setting to perform SMB TX. For details on how to handle SMB TX using the PKI card and configure its settings, refer to "SMB TX Using the PKI Card" (page 31).
3.8.4 Using Scan To Home

The following explains how to use Scan To Home on the MFP.

Detail
If the correct settings are configured to use Scan To Home, [Home] appears on the Fax/Scan screen to send data to the user's Home folder.

1 Press the [Fax/Scan] key on the control panel.
2 Press [Home].
3 Specify scan conditions in [Scan Settings], [Original Settings], and [Communication Settings].
4 Load the original and press the [Start] key on the control panel.
4 Added or Changed Setting Information

The MFP that supports this system provides some settings added or changed from an ordinary MFP model. This chapter shows a list of the added or changed setting items for each category.

Note
For the settings of an ordinary MFP model, refer to the User's Guide supplied together with the MFP.

4.1 User Settings

4.1.1 System Settings

Item | Description
Language Selection | The available language is English only.
4.2 Administrator Settings

4.2.1 System Settings

User Box Settings

Item | Description
PKI Encrypted Document Delete Time Setting | Allows the user to specify the time required to delete a PKI encrypted document. For details, refer to "Specifying the Print Data Deletion Time" (page 44).

4.2.2 User Authentication/Account Track

General Settings

Item | Description
User Authentication | Not displayed.
4.2.3 Network Settings

FTP Settings

Item | Description
FTP Server Settings | The default is [OFF].

SMB Settings

Item | Description
Client Settings | [NTLM Settings] has been changed to [SMB Authentication Setting]. [Password Authentication Restriction] has been added. For details, refer to "Client Settings" (page 32).

LDAP Settings

Item | Description
Setting Up LDAP | [Login Name], [Password] and [Select Server Authentication Method] are not displayed.
WebDAV Settings

Item | Description
WebDAV Server Settings | This function is not supported.

4.2.4 Security Settings

Security Details

Item | Description
Password Rules | This function is not supported.
Prohibited Functions when Authentication Error | The default is [Mode 2].
Confidential Document Access Method | The default is [Mode 2].
Job Log Settings | [Audit Log] is not supported.

Enhanced Security Mode

Description
This function is not supported.

4.2.
5 Appendix

5.1 Product Specifications

Product name | Authentication unit (PKI-IC card type) AU-211P
Dimensions | 70 mm (L) × 70 mm (W) × 10 mm (H)
Weight | 60 g
Power supply | USB bus power
Range of operating temperature | 0 to 50°C
Interface | Full speed USB (12 Mbps)
Connector shape | USB A type connector
Compatible card | PKI-IC card (PIV, CAC)

5.2 Cleaning the Authentication Unit

Wipe the surface using a soft, dry cloth.
5.3 Troubleshooting

If an error occurs during operation, refer to the following.

Status | Point to be checked | Action
Failed to login. | Did you enter the correct PIN code? | Check the PIN code, and enter the correct one.
Cannot login. | Is the PKI card locked? | If the number of authentication failures reaches a specific limit, the PKI card will be locked to prevent the authentication. For details on how to unlock the PKI card, contact the PKI card administrator.
Scanning does not start.
http://konicaminolta.com Copyright A1UD-AU11-00 2010 2010.