Smart Card Authentication is a special case of client certificate-based mutual authentication where the certificate that identifies the user resides on a smart card and is obtained by the browser during the SSL handshake with the Web server.
During Smart Card Authentication, the browser performs the certificate lookup not only in the local user certificate storage but also on the inserted smart card. After the SSL session is established, IIS looks for an account that is associated with the certificate, and the server-side processing continues under this account. This process is called certificate mapping.
You can configure the certificate mapping in one of the following ways:
After you configure the certificate mapping, you can set up the Smart Card Authentication for Symantec Management Console.
The process below describes the configuration of Smart Card Authentication for Symantec Management Console if you have configured the certificate mapping in Active Directory:
STEP 1 – Make sure that Client Certificate Mapping Authentication role is installed.
STEP 2 – Enable Active Directory Client Certificate Authentication and Anonymous Authentication.
The IIS configuration (steps 1-2) is described in more detail at the following URL:
https://learn.microsoft.com/en-us/iis/configuration/system.webServer/security/authentication/clientCertificateMappingAuthentication
STEP 3 – Make sure that the SSL certificate that is specified for HTTPS communication is signed by the same Certificate Authority (CA) as the certificates that are used on smart cards.
STEP 4 – Configure the Symantec Management Console Site (Altiris\Console) to Require SSL with Accept client certificates option selected.
Note that the Accept option allows dual authentication in the Symantec Management Console. A user can log on either by using the certificate or by providing the credentials. If you select the Require option, certificate usage is mandatory. Symantec recommends using the Accept option rather than the Require option, because some of the IT Management Suite functionality (e.g. import of packages into the Software Library) may not work when Smart Card Authentication is used. In such a case, the functionality will work properly if you use the Accept option and enter the credentials manually.
NB! After this change, Symantec Management Console is accessible only via HTTPS. HTTP connections will fail with the "Unauthorized" error. HTTP access for Symantec Management Agents remains.
STEP 5 – Configure the NS Web Site (Altiris\) to Require SSL with Accept client certificates option selected.
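The following read-only PowerShell check reports the state of each setting from steps 1-5. It is an added example, not part of the original article or a Symantec tool. It assumes that the Altiris applications are hosted under "Default Web Site", and the issuer string is a placeholder that you replace with the subject of your smart card issuing CA.

```powershell
# Added example: read-only audit of the IIS settings from steps 1-5.
# Assumptions (not from the article): the Altiris applications are hosted under
# "Default Web Site"; $SmartCardIssuer is a placeholder for your issuing CA.
Import-Module WebAdministration

$Site            = 'Default Web Site'                    # assumed site name
$Apps            = @("$Site\Altiris\Console", "$Site\Altiris")
$SmartCardIssuer = 'CN=<smart card issuing CA subject>'  # placeholder
$AuthPath        = 'system.webServer/security/authentication'

# Step 1: role service "Client Certificate Mapping Authentication"
$feature = Get-WindowsFeature -Name Web-Client-Auth
"Step 1    Web-Client-Auth installed: $($feature.Installed)"

# Step 2: AD client certificate mapping (server level) and anonymous authentication
$adMap = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter "$AuthPath/clientCertificateMappingAuthentication"
"Step 2    AD client certificate mapping enabled: $($adMap.enabled)"
foreach ($app in $Apps) {
    $anon = Get-WebConfiguration -PSPath "IIS:\Sites\$app" `
        -Filter "$AuthPath/anonymousAuthentication"
    "Step 2    Anonymous authentication on '$app': $($anon.enabled)"
}

# Step 3: issuer of every certificate bound to HTTPS, compared with the smart card CA
foreach ($binding in Get-ChildItem IIS:\SslBindings) {
    $cert = Get-Item "Cert:\LocalMachine\$($binding.Store)\$($binding.Thumbprint)"
    $same = $cert.Issuer -eq $SmartCardIssuer
    "Step 3    Port $($binding.Port): issuer '$($cert.Issuer)', same as smart card CA: $same"
}

# Steps 4-5: "Require SSL" sets Ssl; "Accept" sets SslNegotiateCert,
# "Require" sets SslRequireCert in the sslFlags attribute.
foreach ($app in $Apps) {
    $access = Get-WebConfiguration -PSPath "IIS:\Sites\$app" `
        -Filter 'system.webServer/security/access'
    $flags  = "$($access.sslFlags)" -split '\s*,\s*'
    $certs  = 'Ignore'
    if ($flags -contains 'SslNegotiateCert') { $certs = 'Accept' }
    if ($flags -contains 'SslRequireCert')   { $certs = 'Require' }
    "Step 4-5  '$app': Require SSL = $($flags -contains 'Ssl'), client certificates = $certs"
}
```

Run it in an elevated PowerShell session on the server that hosts the console. For the configuration described above, both applications should report Require SSL = True and client certificates = Accept.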
Smart Card Authentication currently has the following limitations:
KB 210398 "Support on Multifactor / Two-Factor Authentication on Accessing SMP Console"