Hello, we are using EEPC and users are using smartcards for authentication. Synchronization works and users are imported from AD and a certificate-based token is created. Every user is related to a specific PC. Now we need to change user smartcards, and it means for EEM that we need to change tokens for users from the Certificate A token to the Certificate B token.
Our approach is following:
We have defined two AD connectors: one for certificate A and a second for certificate B.
1) In AD we change groups and the connector knows that it should use the second connector.
2) In EEM we change binding numbers - for example SBADCON1.changes to SBADCON2.changes. We set the changes parameter to 0 to enforce synchronization (probably we don't need that because the change in AD will force synchronization).
3) At the next synchronization the second connector will find the user and will synchronize data, and all changes are OK, at least updated. The problem is that even though synchronization updated all properties in the binding tab, it seems that the token hasn't been changed. At least if the user wants to log in they will get an error that it is the wrong token.
I was wondering, if we delete SBADCON1.certid, will it help us? (This popped up as I was writing the question.)
Anyway, is our approach right, and can we somehow switch the user's token, or is the only option to delete the user and recreate it with the correct token?
The only official route is to force the certs to expire, then the connector will pick up the new one - it does not have a feature to roll certs on demand.
So, yes, the best approach may be indeed to delete the user and get the connector to recreate them. You could probably do something clever with the scripting API to sort out the user>machine relationships afterwards.
Can we use SBADMCL.exe to create a new user with the smartcard token enabled, so that sync will then set the right certificate at the next synchronization?