PKI Pre-Installation Guide
Version 2.0.0
Page 12

MFP Chain Validation
    The PKI Authentication Application gets the certificate contained in the Domain Controller's response and builds the complete certificate chain to a trusted Root CA. All certificates in this chain must have been previously installed on the MFP. If the chain can be successfully built, the response is considered trusted and the logon proceeds. If the chain cannot be built, the logon fails.

OCSP Certificate Validation
    The PKI Authentication Application gets the certificate contained in the Domain Controller's response and performs the same validation as in the MFP Certificate Validation mode. If that succeeds, it then uses an OCSP Responder/Repeater (such as Tumbleweed) to validate that the Domain Controller certificate has not been revoked or otherwise marked as invalid. If that succeeds, the logon proceeds; otherwise, it fails.

OCSP Chain Validation
    The PKI Authentication Application gets the certificate contained in the Domain Controller's response and performs the same validation as in the MFP Chain Validation mode. If that succeeds, it then uses an OCSP Responder/Repeater (such as Tumbleweed) to validate that none of the certificates in the certificate chain have been revoked or otherwise marked as invalid. If that succeeds for each certificate in the chain, the logon proceeds; otherwise, it fails.

 
The configuration information needed varies according to the Domain Controller Validation method selected. Check the box below to indicate the desired method.

[ ] MFP Certificate Validation
[ ] MFP Chain Validation
[ ] OCSP Certificate Validation
[ ] OCSP Chain Validation

 
If MFP Certificate Validation or OCSP Certificate Validation is chosen, the certificate of the CA that issued each Domain Controller certificate listed in item 1 in section 3.2.2 must be installed on the device. If MFP Chain Validation or OCSP Chain Validation is chosen, the certificate chain for each Domain Controller listed in item 1 in section 3.2.2 must be installed on the device.
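The four validation modes and the certificates each one requires on the MFP, modelled as a small decision procedure. This is an added example, not Lexmark's code or the PKI Authentication Application's own logic: certificates are reduced to (subject, issuer) name pairs, the `Cert` class, `logon_allowed` and the OCSP status table are constructed assumptions, and real X.509 parsing and signature checks are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def is_root(self) -> bool:
        return self.subject == self.issuer  # self-signed = trusted Root CA

def find_issuer(cert, installed):
    """Return the installed certificate whose subject issued `cert`, if any."""
    return next((c for c in installed if c.subject == cert.issuer), None)

def build_chain(dc_cert, installed):
    """Chain Validation: follow issuer links through the certificates installed
    on the MFP up to a Root CA. Returns the chain (DC cert first) or None."""
    chain, seen = [dc_cert], {dc_cert.subject}
    while not chain[-1].is_root:
        issuer = find_issuer(chain[-1], installed)
        if issuer is None or issuer.subject in seen:  # missing link or loop
            return None
        chain.append(issuer)
        seen.add(issuer.subject)
    return chain

def logon_allowed(mode, dc_cert, installed, ocsp_status=None):
    """True when the Domain Controller response is trusted under `mode`."""
    if mode in ("MFP Certificate Validation", "OCSP Certificate Validation"):
        # Only the CA that issued the DC certificate needs to be installed.
        if find_issuer(dc_cert, installed) is None:
            return False
        to_check = [dc_cert]
    elif mode in ("MFP Chain Validation", "OCSP Chain Validation"):
        chain = build_chain(dc_cert, installed)
        if chain is None:
            return False
        # Assumption: the Root CA is the trust anchor and is not OCSP-checked;
        # every other certificate in the chain is.
        to_check = [c for c in chain if not c.is_root]
    else:
        raise ValueError(f"unknown validation mode: {mode!r}")
    if mode.startswith("OCSP"):
        # Anything other than "good" (revoked, unknown, no answer) fails the logon.
        status = ocsp_status or {}
        return all(status.get(c.subject) == "good" for c in to_check)
    return True

# Constructed sample data: a two-level CA hierarchy issuing the DC certificate.
ROOT = Cert("Example Root CA", "Example Root CA")
ISSUING = Cert("Example Issuing CA", "Example Root CA")
DC = Cert("dc1.example.com", "Example Issuing CA")
ISSUER_ONLY = [ISSUING]       # enough for the Certificate Validation modes
FULL_CHAIN = [ISSUING, ROOT]  # required for the Chain Validation modes
OCSP_ALL_GOOD = {"dc1.example.com": "good", "Example Issuing CA": "good"}
OCSP_DC_REVOKED = {"dc1.example.com": "revoked", "Example Issuing CA": "good"}
```

With only the issuing CA installed, the Certificate Validation modes pass while both Chain Validation modes fail, which is the practical difference between the two sets of checkboxes above.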
 
Each certificate needs to be in PEM (Base64) format; see section 7.5, Domain Controller Certificates, for more information on generating the certificate file.

Certificate / Certificate Chain: Please have file ready at install time.

If one of the OCSP validation options is selected, the following information is needed about the OCSP Responder/Repeater to be used.
 
