search cancel

CCS support in a smartcard-enabled environment

book

Article ID: 162627

calendar_today

Updated On:

Products

Control Compliance Suite Windows

Issue/Introduction

In a smartcard-enabled Active Directory environment, when a CCS user runs a Collection-Evaluation-Reporting (CER) job or an Evaluation job, the evaluation activity fails, and the following error message is displayed:

Smartcard logon is required and was not used.

Resolution

This problem occurs due to the user impersonation failure in a smartcard-logon-enabled environment. Windows credentials are used for user impersonation. The enforcement of smartcard-logon-enabled environment makes credentials invalid for impersonation, which results in a failure.

The problem occurs in all smartcard-logon-enabled environemts irrespective of your CCS topology.

To resolve the problem, you must exempt the CCS Manager in the Evaluator role and the CCS Manager in the Reporter role from the group policy that enforces the smart card logon. You must also verify that the smartcard setting for the CCS Service account user is not enabled.

For detailed steps, refer to the following procedures:

Exempting a CCS Manager from the group policy

Note: If your Group Policy Object (GPO) contains configured policy settings in addition to the Interactive Logon: Require smart card setting, exempting a CCS Manager from such a GPO affects the application of the other policy settings to that CCS Manager. To avoid this, set the Interactive Logon: Require smart card setting in your existing GPO to Not Defined; create a new GPO dedicated only to Interactive Logon: Require smart card setting; and then follow the steps mentioned in Exempting a CCS Manager from the group policy. If you have created a standalone GPO dedicated only to the Interactive Logon: Require smart card setting, follow the steps mentioned in Exempting a CCS Manager from the group policy.

Configuring smartcard setting for CCS service account

Exempting a CCS Manager from the group policy

The images in this article are used as examples to explain the procedure. The following image displays the map view of a completely distributed Control Compliance Suite deployment.

Figure 1: Control Compliance Suite map view

In this scenario, five standalone CCS Managers are installed, each of which is assigned a unique CCS Manager role. Out of these five, the SMC-CCSMGR2: CCS Manager Service performs the role of an Evaluator, and the SMC-CCSMGR3: CCS Manager Service performs the role of a Reporter.

To exempt a CCS Manager from the group policy,

  1. Go to <GPO that enforces the smart card logon>
  2. Click the Delegation tab.
    The Groups and users screen is displayed.
  3. In the lower right corner, click Advanced.
    The <GPO> Security Settings dialog box is displayed.
  4. Add the CCS Managers that perform the roles of an evaluator and a reporter, and then select the Deny checkbox against the Apply group policy permission.


    Figure 2: Exemption of a CCS Manager from the group policy
     
  5. Click OK to save the changes.
     

Configuring smartcard setting for CCS service account

To confirm that the Smart card is required for interactive logon option is not selected for CCS service account,

  1. Go to Active Directory Users and Computers > <CCS user> Properties > Account.
  2. In the Account Options section, make sure that the checkbox against the Smart card is required for interactive logon option is not selected for the service context in which the CCS manager services are running.


    Figure 3: Configuring smartcard setting for CCS service account

  3. Click OK to save the changes.

Attachments