Owner's Manual
306 Using the CMC Directory Service
Configuring Smart Card Two-Factor Authentication
Traditional authentication schemes use a user name and password to authenticate users. Two-factor authentication, on the other hand, provides a higher level of security by requiring users to have both a password or PIN and a physical card containing a private key or digital certificate. Kerberos, a network authentication protocol, uses this two-factor authentication mechanism, allowing systems to prove their authenticity. Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 use Kerberos as their preferred authentication method. Starting with CMC version 2.10, CMC can use Kerberos to support Smart Card login.
NOTE: Selecting a login method does not set policy attributes for other login interfaces, for example, SSH. You must set the policy attributes for those interfaces separately. If you want to disable all other login interfaces, navigate to the Services page and disable all (or some) of the login interfaces.
System Requirements
The "System Requirements" on page 300 for Smart Card are the same as for Single Sign-On.
Configuring Settings
The "Prerequisites" on page 301 for Smart Card are the same as for Single Sign-On.
Configuring Active Directory
To configure Active Directory:
1. Set up the Kerberos realm and Key Distribution Center (KDC) for Active Directory, if not already configured (ksetup).
   NOTE: Ensure a robust NTP and DNS infrastructure to avoid issues with clock drift and reverse lookup.
2. Create Active Directory users for each CMC, configured to use Kerberos DES encryption but not pre-authentication.
3. Register the CMC users to the Key Distribution Center with Ktpass (this also outputs a key to upload to CMC).
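The three steps above, carried out for one CMC from a domain-joined Windows administration host. This is an added example, not a procedure from the Dell manual: the realm EXAMPLE.COM, the domain controller dc1.example.com, the CMC hostname cmc-chassis01.example.com, the account name cmc-chassis01, the keytab path and the HTTP/ service principal name are all assumed placeholder values, and the ActiveDirectory PowerShell module (RSAT) is assumed to be installed. The final check reads back the two userAccountControl bits the manual requires (DES_KEY_ONLY = 0x200000, DONT_REQ_PREAUTH = 0x400000) so the account state can be verified before the keytab is uploaded.

```powershell
# Added example (not the manual's own procedure). Run in an elevated,
# domain-admin PowerShell session on a domain-joined host with RSAT.
Import-Module ActiveDirectory

$Realm   = 'EXAMPLE.COM'                         # assumed Kerberos realm
$Kdc     = 'dc1.example.com'                     # assumed KDC / domain controller
$CmcFqdn = 'cmc-chassis01.example.com'           # assumed CMC hostname
$User    = 'cmc-chassis01'                       # assumed AD account for this CMC
$Keytab  = 'C:\keytabs\cmc-chassis01.keytab'     # assumed output path for the key

# Step 1: register realm and KDC on this host only if it does not know them yet
# (a domain-joined machine normally already has them; check with ksetup /dumpstate).
ksetup /addkdc $Realm $Kdc

# Step 2: a dedicated user for this CMC. The manual requires Kerberos DES
# encryption and no pre-authentication, both of which are userAccountControl flags.
$Password = Read-Host -AsSecureString 'Initial password for the CMC account'
New-ADUser -Name $User -SamAccountName $User -UserPrincipalName "$User@$Realm" `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
Set-ADAccountControl -Identity $User -UseDESKeyOnly $true -DoesNotRequirePreAuth $true

# Step 3: map the CMC's service principal (assumed HTTP/<fqdn>) to the account and
# write the keytab that is uploaded to the CMC. /pass * prompts for the password,
# which ktpass also sets on the mapped account.
ktpass /princ "HTTP/$CmcFqdn@$Realm" /mapuser "$User@$Realm" /crypto DES-CBC-MD5 `
    /ptype KRB5_NT_PRINCIPAL /pass * /out $Keytab

# Check: confirm the SPN and the two required userAccountControl bits before upload.
$acct      = Get-ADUser -Identity $User -Properties servicePrincipalName, userAccountControl
$desOnly   = ($acct.userAccountControl -band 0x200000) -ne 0   # DES_KEY_ONLY
$noPreauth = ($acct.userAccountControl -band 0x400000) -ne 0   # DONT_REQ_PREAUTH
[pscustomobject]@{
    Account          = $acct.SamAccountName
    ServicePrincipal = ($acct.servicePrincipalName -join ', ')
    DesKeyOnly       = $desOnly
    NoPreauth        = $noPreauth
    KeytabWritten    = Test-Path $Keytab
}
```

Two points worth knowing when applying this. DES Kerberos encryption types are disabled by default on Windows 7 and Windows Server 2008 R2 and later, so the "Network security: Configure encryption types allowed for Kerberos" policy on the KDCs has to permit DES for these accounts before the ticket exchange will work; and because these accounts are deliberately created with weaker settings than the rest of the domain, keep them restricted to the CMC login role, give them no other group memberships, and include them in the list of exception accounts your directory reviews cover.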