3 Replies Latest reply on Aug 4, 2009 8:10 AM by SafeBoot

    Invalidated User

      Hello all, Im new to the MEE. I have a question concerning invalidated Users. I use SafeSign PKI Smartcards on a Test Notebook. The user is invalidated after three incorrect logins. Now i use the Recovery (User Recovery) and i change the users token to password only. (Referring to the manual all other options wont work when a user is invalidated).

      Now im able to login again (with password only token). Now i want to change the Password Only Token back into a SafeSignPKI Token or try to generate a new Token. This ends up with the error 0xe0010003 Unsupported Token Type. I could use the Machine Recovery to boot once but that doesnt helpt to activate that user again.

      If i dont change the token to password only i can reset the token with the Token Administration Software from Safe Sign. After doing this i can use the card again. This is nice in my test environment where my "User client" and card is in front of me.

      But what happens if a user who is for example in a foreign country forgets his Smartcard PIN ? I can change his token to password only and he can login but his Smartcard is worthless now. And How can i reactivate this card again ? Do i have to completely delete the user and recreate it ? Are there any other possibilties ?
        • 1. RE: Invalidated User
          this is really a question for the token maker - how you validate/invalidate the token is really something they control - we are just using it for auth.

          How do safesign recommend you do remote reactivation of a token?
          • 2. RE: Invalidated User
            I have no official support from AET (Safe Sign). I worked through some documentations about their SafeSign Middleware and i found nothing.
            I think a solution could be to use this Administration -Tool on every Client and use The Machine Recovery Option from Endpoint Encryption. (User has to reset his token on his own). But i see that this is not the responsibility of Endpoint Encryption.

            But whats about the changing of a token ? Is it generally not possible to change a password back into a safesign token? And another Question Pops up: Is it possible to assign 2 tokens to one user ? Lets say a password only token and a safe sign smart card token ?
            • 3. RE: Invalidated User
              you can switch which token a user should use with the recovery options, but very few tokens support remote creation - the safesign does not as it's based on certs.

              no, a user can only have one token active at any time.

              the connector will create a new pki token for the user and switch then if it detects a new cert in your AD - you can't "create" a pki token for a user - that's what the connector does for you.