Configuring Smart Card Authentication for Symantec Management Console
Article ID: 184960

Products

IT Management Suite

Issue/Introduction

Smart Card Authentication is a special case of client-certificate-based mutual authentication in which the certificate that identifies the user resides on a smart card and is obtained by the browser during the SSL handshake with the Web server.

During Smart Card Authentication, the browser looks for the certificate not only in the local user certificate store but also on the inserted smart card. After the SSL session is established, IIS looks for an account that is associated with the certificate, and server-side processing continues under this account. This process is called certificate mapping.

Resolution

You can configure the certificate mapping in one of the following ways:

  • Active Directory mapping
    Client certificates are mapped to user accounts in Active Directory.
  • Local mapping
    Client certificates are mapped to user accounts locally on endpoints.
    For more information about configuring the local mapping, see the following article:
    IIS Client Certificate Mapping Authentication

After you configure the certificate mapping, you can set up the Smart Card Authentication for Symantec Management Console.

The process below describes the configuration of Smart Card Authentication for Symantec Management Console if you have configured the certificate mapping in Active Directory:

STEP 1 – Make sure that the Client Certificate Mapping Authentication role is installed.

STEP 2 – Enable Active Directory Client Certificate Authentication and Anonymous Authentication.

The IIS configuration (steps 1-2) is described in more detail at the following URL:
https://learn.microsoft.com/en-us/iis/configuration/system.webServer/security/authentication/clientCertificateMappingAuthentication

STEP 3 – Make sure that the SSL certificate that is specified for HTTPS communication is signed by the same Certificate Authority (CA) as the certificates that are used on smart cards.

STEP 4 – Configure the Symantec Management Console Site (Altiris\Console) to Require SSL with the Accept client certificates option selected.
Note that the Accept option allows dual authentication in the Symantec Management Console: a user can log on either with the certificate or by providing credentials. If you select the Require option, certificate usage is mandatory. Symantec recommends using the Accept option rather than the Require option, because some IT Management Suite functionality (e.g. import of packages into the Software Library) may not work when Smart Card Authentication is used. In that case, the functionality works properly if you use the Accept option and enter the credentials manually.

NB! After this change, Symantec Management Console is accessible only via HTTPS. HTTP connections will fail with the "Unauthorized" error. HTTP access for Symantec Management Agents remains.

STEP 5 – Configure the NS Web Site (Altiris\) to Require SSL with the Accept client certificates option selected.
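
A read-only check of steps 1-5, added here as an example (it is not Symantec's or Microsoft's own script). It assumes the Altiris applications sit under "Default Web Site", evaluates step 2 as the effective configuration at Altiris\Console, and uses a placeholder issuer DN for the smart card CA:

```powershell
# Read-only audit of STEP 1-5; run elevated on the Notification Server.
# Assumptions (not from the article): the Altiris applications sit under
# "Default Web Site", STEP 2 is read as effective config at Altiris\Console,
# and $SmartCardIssuer is a placeholder for your smart card CA's subject DN.
param(
    [string]$Site = 'Default Web Site',
    [string]$SmartCardIssuer = 'CN=EXAMPLE-SMARTCARD-CA, DC=example, DC=test'
)
Import-Module WebAdministration

function Get-Effective([string]$App, [string]$Section, [string]$Name) {
    # Some attributes come back wrapped (.Value), others as a plain string.
    $v = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site\$App" `
            -Filter "system.webServer/security/$Section" -Name $Name
    if ($null -ne $v.Value) { "$($v.Value)" } else { "$v" }
}
function New-Result([string]$Step, [string]$Check, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Step = $Step; Check = $Check; Pass = $Pass; Detail = $Detail }
}

$results = @()
# STEP 1: role service "Client Certificate Mapping Authentication"
$feature = Get-WindowsFeature -Name Web-Client-Auth
$results += New-Result '1' 'Role service installed' $feature.Installed $feature.InstallState

# STEP 2: AD client certificate mapping and anonymous authentication enabled
foreach ($s in 'clientCertificateMappingAuthentication', 'anonymousAuthentication') {
    $enabled = Get-Effective 'Altiris\Console' "authentication/$s" 'enabled'
    $results += New-Result '2' "$s enabled" ($enabled -eq 'True') $enabled
}

# STEP 3: server certificate issuer vs. smart card CA (issuer DN string match only,
# not a chain validation)
$b = Get-WebBinding -Name $Site -Protocol https | Select-Object -First 1
$cert = if ($b) {
    Get-Item "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)" -ErrorAction SilentlyContinue
}
$results += New-Result '3' 'HTTPS cert issued by smart card CA' ($cert -and $cert.Issuer -eq $SmartCardIssuer) "$($cert.Issuer)"

# STEP 4-5: Require SSL + Accept (Ssl, SslNegotiateCert); SslRequireCert means Require
foreach ($app in 'Altiris\Console', 'Altiris') {
    $flags = (Get-Effective $app 'access' 'sslFlags') -split ',' | ForEach-Object { $_.Trim() }
    $ok = ($flags -contains 'Ssl') -and ($flags -contains 'SslNegotiateCert')
    $mode = if ($flags -contains 'SslRequireCert') { 'Require' } else { 'Accept' }
    $results += New-Result '4-5' "$app Require SSL + client certs" $ok "$($flags -join ','); mode=$mode"
}
$results | Format-Table -AutoSize -Wrap
```

A row with mode=Require still passes the SSL check but means certificate usage is mandatory, which is the setting the note under STEP 4 advises against.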

Limitations / Things to know

Smart Card Authentication currently has the following limitations:

  • When you log in to Symantec Management Console using a smart card and try to add a software package to the Software Library, the Software Library Java plug-in stops responding. The workaround is to configure IIS to use the Accept option for the Require SSL settings and to use only regular authentication (i.e. user/password) if working with Java Control is required. (Applicable only for ITMS 8.0)
  • Smart Card Authentication testing has not been performed with a sample card from a US government agency.
  • Smart Card Authentication has only been tested on IT Management Suite 8.0.

Additional Information

KB 210398 "Support on Multifactor / Two-Factor Authentication on Accessing SMP Console"