Smart card authentication
This feature provides an additional authentication option for ADManager Plus login by enabling the use of smart cards, PKI or certificates to grant access to the tool. Smart card authentication strengthens security further because access to ADManager Plus then requires the user both to possess the smart card and to know its personal identification number (PIN).
When a user attempts to access the ADManager Plus web interface, they are allowed to proceed only after completing smart card authentication on their machine, i.e., by presenting the smart card and then entering the PIN. The ADManager Plus web interface supplements smart card technology with SSL communication, so the user is prompted to specify an X.509 certificate to gain access.
Users can choose to provide the certificate from the smart card or from the local certificate store, in which case ADManager Plus performs the steps to authenticate the user with that certificate. Users can also decline to provide a certificate, in which case the tool takes them to the usual login page for authentication.
If you have a smart card authentication system enabled in your environment, you can configure ADManager Plus to authenticate users through it, bypassing other first-factor authentication methods.
Steps to configure smart card authentication settings:
- Click the Admin tab.
- An SSL port must be enabled before configuring smart card authentication settings. To check your SSL port settings, click the Connection link under General Settings. If it is not already enabled, select the Enable SSL Port [https] check box, specify the port number in the field, and click Save Changes.
- Click the Smart Card Authentication link under General Settings.
- To enable smart card authentication, select 'enabled' for the option Smart Card Authentication is.
- Click the Add Smart Card Configuration button.
- Under the section Add Smart Card Configuration:
  - In Import CA Root Certificate, click 'Browse' and import the required Certification Authority root certificate file from your computer. You can connect to http://CertificateAuthorityServerName/certsrv/ to download the CA root certificate.
  - In Mapping Attribute in Certificate, specify the certificate attribute used for mapping.
  - The user details need to be mapped between the smart card certificate and the ADManager Plus user database: the attribute in the smart card certificate that uniquely identifies the user must match the corresponding value in the ADManager Plus user database. This mapping involves specifying which attribute in the certificate is compared with which attribute in the ADManager Plus user store.
  - ADManager Plus lets you specify any attribute of the smart card certificate that uniquely identifies the user in your environment. You may choose any attribute among SAN.OtherName, SAN.RFC822Name, SAN.DirName, SAN.DNSName, SAN.URI, email, distinguishedName and CommonName. If a different attribute is used to uniquely identify users in your environment, contact ADManager Plus support to have that attribute added.
  - In Mapping Attribute in AD, specify the LDAP attribute that should be matched with the specified certificate attribute.
  - This is the LDAP attribute that uniquely identifies the user in the ADManager Plus user store, e.g., sAMAccountName.
  - During authentication, ADManager Plus reads the value of the certificate attribute specified in Mapping Attribute in Certificate and compares it with the LDAP attribute specified in Mapping Attribute in AD.
  - In Linked Domains, select the appropriate domains from the drop-down menu.
- Click the small arrow next to the section OCSP Settings to expand it.
  - During authentication, ADManager Plus checks the certificate's revocation status against an Online Certificate Status Protocol (OCSP) server using the details available in the certificate itself. If a certificate does not carry OCSP information, the settings specified here are used instead.
  - In OCSP Server Name, specify the name of the OCSP server.
  - In OCSP Server Port, specify the OCSP server port number.
Similarly, you can add more certificates by following the steps above.
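As an added example (not ADManager Plus code), the following Python models the two checks described above: reading the configured Mapping Attribute in Certificate, comparing it with the Mapping Attribute in AD value in a user store, and choosing the OCSP responder from the certificate's own information before falling back to the configured OCSP Server Name and Port. It assumes the `cryptography` package; the certificate, user store, account names and server names are constructed for the demo.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ExtensionOID, AuthorityInformationAccessOID
# Constructed stand-in for the ADManager Plus user store: LDAP attribute -> value -> account.
USER_STORE = {"sAMAccountName": {"jdoe": "CONTOSO\\jdoe"},
              "mail": {"jdoe@example.com": "CONTOSO\\jdoe"}}

def make_test_cert(email, cn, ocsp_url=None):
    """Self-signed test certificate (constructed) with SAN.RFC822Name and optional AIA/OCSP URL."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False))
    if ocsp_url:  # embed the responder URL the way an issuing CA would
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))]),
            critical=False)
    return b.sign(key, hashes.SHA256())

def cert_attribute(cert, mapping_attr):
    """Value of the chosen 'Mapping Attribute in Certificate', using the page's attribute names."""
    if mapping_attr == "CommonName":
        return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if mapping_attr == "distinguishedName":
        return cert.subject.rfc4514_string()
    san_types = {"SAN.RFC822Name": x509.RFC822Name, "SAN.DNSName": x509.DNSName,
                 "SAN.URI": x509.UniformResourceIdentifier, "SAN.DirName": x509.DirectoryName}
    san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    values = san.get_values_for_type(san_types[mapping_attr])
    return values[0] if values else None

def map_user(cert, mapping_attr, ldap_attr):
    """Compare the certificate attribute with the LDAP attribute; None means no account matched."""
    return USER_STORE.get(ldap_attr, {}).get(cert_attribute(cert, mapping_attr))

def ocsp_responder(cert, fallback_host, fallback_port):
    """Use the OCSP URL carried in the certificate; otherwise fall back to the configured server."""
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
        for desc in aia:
            if desc.access_method == AuthorityInformationAccessOID.OCSP:
                return desc.access_location.value
    except x509.ExtensionNotFound:
        pass  # certificate carries no OCSP information: use the OCSP Settings values
    return f"http://{fallback_host}:{fallback_port}"
```

A certificate should only reach this mapping step after it has chained to the imported CA root and passed the revocation check; a matching attribute alone is not proof of identity.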