7 Replies Latest reply on Feb 24, 2009 8:58 AM by SafeBoot

    Using smart cards as a means of authentication

      Hi,

      Has anyone out there successfully implemented the use of smart cards as a means of authenticating SafeBoot? If there is, would you care to share any thoughts or comments?

      The Management Centre guides (PDFs) do not seem to have anything useful in them with regards to configuring SafeBoot to use smart cards/certificates as a means of authentication.

      Thanks,
      Jon
        • 1. RE: Using smart cards as a means of authentication
          If you mean smart cards with EEPC, what card/reader combination are you trying to use?

          The detail of using tokens with EEPC is in the Endpoint Encryption for PCs guide; the Management Center guide only discusses that component.

          S.
          • 2. RE: Using smart cards as a means of authentication
            The smart cards we are using are the smart cards that are issued by Connecting for Health to all NHS trusts in England: GemSAFE Smart Card (16K). The readers are predominantly Dell Integrated Smart Card keyboards (RT7D60), with a few OMNIKEY CardMan 3121 readers.

            Thanks,
            Jon
            • 3. RE: Using smart cards as a means of authentication
              I think both are supported - check your EEPC/Device Encryption Admin Guide. If you have the option to select the GemPlus card as a token in your admin system, you can try simply creating a user with that and logging in (again to your admin system). It very much depends on the card though - it's quite possible whoever set them up for the original project locked them so no other applications can be added.

              This is something it's worth getting a day of PS to evaluate. The cards work, but as you have already provisioned them, whether they can be added to is up to whoever currently "owns" the card.
              • 4. RE: Using smart cards as a means of authentication
                Thanks for your reply.

                I've added the GemAltoNet Certificate Smart Card token - GemPlus and AxAlto merged to form GemAlto - so I'll see if I can get the smart card authentication working with that.

                However, I've got to get past another issue first: I'm getting sync issues between my test PC and EEManager. I'm getting the error "Error [db010010] Object Not Found".

                I think this issue stems from creating an 'offline install'. I've imported the machine details using the SBXFERDB.SDB file on the test PC, and I can force a reboot from the EE Manager on the test PC - so they will talk to each other - but the sync isn't happening.

                Any thoughts?

                Thanks,
                Jon
                • 5. RE: Using smart cards as a means of authentication
                  Can you post the tail of your client log so we can see exactly what's going on? Usually that error means you didn't import the sdb file, or you imported it into a different database than the one the machine is connecting to.

                  Have you installed more than once? If so remember that EVERY activation will create a new sdb file.

                  The other thing is that the network name and the name in EEM must match for the machine to find its object. This is just for the first sync. Once the two are connected they use the ID (not the name) to communicate. So, make sure the two still agree.

                  Personally, there are so few reasons to use offline installs that unless you seriously want to go to the effort of manually bringing that file across, I'd start again in online mode.
                  • 6. RE: Using smart cards as a means of authentication
                    I changed the EEM to match the network name and it synced up fine.

                    Many thanks for your help!

                    Regards
                    Jon
                    • 7. RE: Using smart cards as a means of authentication
                      np. Stick to online installs if you can though, as the machine will then create itself in the group and you don't have to do anything.

                      If you forget to import that sdb file, you'll never be able to recover the data from a machine if things go wrong...