1415 How to Transition from Password Protected Keyfile to Using Smart Card or Token Protection


Where all or most users in a large organization use password-protected key files at Windows and Pre-Boot but wish to move to Smart Card or Token protection, this article describes how to make that transition straightforward.

On the Windows side, as the customer begins to migrate to PIV authentication for Windows, they will set the flag that forces Smart Card-based logon at Windows.

It would be highly desirable to use this same flag to update the users' key files in SES automatically, so that the switch from Password- to Token-based protection requires no separate step.

Once the switch has been made, SecureDoc Enterprise Server (SES) will use PBConnex to send new token-protected key files to those users' devices. Instead of the SES administrator logging in to the console to change each user's protection type, the change is accomplished in Active Directory by forcing smart card logon for those users.

The steps required to implement this process are as follows:

NOTE: We always apply Account Control settings from Active Directory (AD) if configured. This applies to both new and existing users.

Users' key files are updated automatically ONLY if all of the following conditions are in place:
a) The SES global option "Send key file if user/device key, ... has changed" is selected/enabled.
b) ADSync updates the user's certificate, either adding a certificate that did not exist before or deleting the existing certificate.
c) Account Control in AD is set to "Use smartcard to login", or "user token protection" has been explicitly set/selected for the users that are to be affected by this change.

To apply:

Add a new clause (name-value pair) to the WinMagic.SecureDoc.ADSync.Service.exe.config file, which can be found in Program Files\WinMagic\SDDB-NT\SDConnex, as follows:

ApplySmartCardLogonFromUserAccountControl="true" must be added to the ADSyncSettings section.

The resulting section will look something like this (your settings for the other values may differ):

<ADSyncSettings settingsCache="5" eventTrackingTime="20" defaultADSyncSchedule="60"
    scheduleFullSyncPeriod="1" scheduleFullSyncHour="3" defaultADSyncOnExceptionSchedule="20"
    recreateADSyncPerfMon="false" MoveDeletedUsersToRecycleBin="true"
    ApplySmartCardLogonFromUserAccountControl="true" />
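The following Python script is an added example and not WinMagic's code: it checks a copy of the ADSyncSettings section for the new attribute, inserts it if missing, and lists which AD accounts carry the userAccountControl bit that "Smart card is required for interactive logon" sets (0x40000, ADS_UF_SMARTCARD_REQUIRED), i.e. the users whose key files the change would switch. The config text and the user list are constructed samples; the file path is the one named above.

```python
# Added example, not WinMagic's code: verify/insert the ADSync attribute and
# list which AD accounts the change will affect.
from __future__ import annotations
import xml.etree.ElementTree as ET

ATTR = "ApplySmartCardLogonFromUserAccountControl"
# userAccountControl bit set by "Smart card is required for interactive logon"
# (ADS_UF_SMARTCARD_REQUIRED); NORMAL_ACCOUNT is 0x200, ACCOUNTDISABLE is 0x2.
SMARTCARD_REQUIRED = 0x40000

# Constructed stand-in for WinMagic.SecureDoc.ADSync.Service.exe.config
# (Program Files\WinMagic\SDDB-NT\SDConnex); only the relevant section is shown.
SAMPLE_CONFIG = """<configuration>
  <ADSyncSettings settingsCache="5" eventTrackingTime="20" defaultADSyncSchedule="60"
    scheduleFullSyncPeriod="1" scheduleFullSyncHour="3" defaultADSyncOnExceptionSchedule="20"
    recreateADSyncPerfMon="false" MoveDeletedUsersToRecycleBin="true" />
</configuration>"""

# Constructed sample of sAMAccountName -> userAccountControl values.
SAMPLE_USERS = {"alice": 0x200 | SMARTCARD_REQUIRED, "bob": 0x200, "carol": 0x200 | 0x2}


def ensure_smartcard_flag(config_xml: str) -> tuple[str, bool]:
    """Return (config_xml, changed). Adds ATTR="true" to <ADSyncSettings> if it is
    absent or not "true"; other attributes are left untouched. ElementTree drops
    XML comments and the <?xml ?> declaration on re-serialization, so diff the
    result against the original before replacing the live file."""
    root = ET.fromstring(config_xml)
    section = root if root.tag == "ADSyncSettings" else root.find(".//ADSyncSettings")
    if section is None:
        raise ValueError("ADSyncSettings section not found in config")
    if section.get(ATTR, "").strip().lower() == "true":
        return config_xml, False  # already applied; nothing to write back
    section.set(ATTR, "true")
    return ET.tostring(root, encoding="unicode"), True


def smartcard_required(user_account_control: int) -> bool:
    """True when the account's userAccountControl has the smart-card-required bit."""
    return bool(user_account_control & SMARTCARD_REQUIRED)


def users_to_migrate(users: dict[str, int]) -> list[str]:
    """Accounts whose key files ADSync would switch to token protection, sorted."""
    return sorted(name for name, uac in users.items() if smartcard_required(uac))


if __name__ == "__main__":
    updated, changed = ensure_smartcard_flag(SAMPLE_CONFIG)
    print("config changed:", changed)
    print("accounts affected:", users_to_migrate(SAMPLE_USERS))
```

Run it against a copy of the real file and the userAccountControl values exported from AD to confirm the attribute is in place and the set of affected users is the one you expect before the next ADSync run.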