HP T5720 Implementing ActivIdentity Smart Cards for Use with HP Compaq t5720 T
HP T5720 - Compaq Thin Client Manual
UPC - 882780099517
HP T5720 manual content summary:
- HP T5720 | Implementing ActivIdentity Smart Cards for Use with HP Compaq t5720 T - Page 1
t5720 Thin Clients and HP Blade PCs Introduction 2 Prerequisites 2 Reference hardware and software 3 Reference Documents 4 Client Software Configuration 5 Installing ActivClient PKI Only 5 Initializing the smart card 8 Server Software Configuration 9 Installing Microsoft Certificate Services
- Page 2
by offering strong, 2-factor authentication to offset weak passwords or cumbersome authentication policies requiring frequent password changes. This paper provides instructions for configuring a smart card with your HP Compaq t5720 Thin Clients and HP blade PCs. This white paper is not intended as
- Page 3
PC Blade Enclosure • Blade PCs • HP blade PC running Microsoft Windows XP SP2 w/HP SAM blade service installed. • Clients • HP Compaq t5720 thin client running Microsoft Windows XPe w/HP SAM Windows XPe-based service installed. • HP Compaq dc7700 running Microsoft Windows XP w/HP SAM Windows XPe-based
- Page 4
Authority™ Security Manager Administration 7.1 • Entrust Authority Administration Services 7.0 • Entrust TruePass™ 8.0 • Entrust Entelligence Security Provider for Windows 7.1 • Entrust Java Toolkit 7.1. Reference Documents For more information about HP Consolidated Client Infrastructure, see http
- Page 5
on the HP thin client. An illustration of Administration provisioning is initializing a card and having to keep track of the "unlock code" manually or having to manually download certificates to the card. The remainder of this guide outlines installation of minimal client options, ActivDirectory
- Page 6
. Make note of the default setting so that it can be restored after installation is complete. To change RAMDisk size, click Start > Control Panel > HP RAMDisk Manager. Next, modify the thin client TEMP and TMP environmental variables to a location that can support the .msi user installation package
- Page 7
software CD. For specifics about implementing default templates, refer to the section about product customization in the ActivClient Customization and Deployment Guide included in the ActivClient Resource Kit. NOTE: To remove the ActivIdentity software from an HP Compaq t5720 Thin Client, you must
- Page 8
PIN Initialization Tool from the right-click menu. 2. Follow the PIN Initialization wizard. Note: PIN Initialization tool profile. ActivClient also supports a profile specifically created for the PIN Initialization tool 3. Enter your PIN code, confirm it, and then click Next. NOTE: The PIN code
- Page 9
maintain digital certificates via the Certification Authority (CA). The CA can be used by a user or administrator to provision a smart card. To install Microsoft Certificate Services for use as a certificate authority, please perform the following: 1. Click Start > Control Panel. 2. Select Add or
- Page 10
4. Click Certificate Services, and then click Next. 5. Select Enterprise Root CA, and then click Next.
- Page 11
6. Click Yes to accept the warning. 7. Type a Common name for this CA, and then click Next.
- Page 12
8. Select Next to accept Certificate Database Settings. The installation will configure components, as shown in the following screen.
- Page 13
a Certificate Authority (CA) service Configure a CA service. This white paper uses Microsoft Certificate Services to configure certificates. Refer to "Installing Microsoft Certificate Services" on page 9 on installing certificate services. After you install the CA service, perform the following
- Page 14
3. Create a duplicate template by right-clicking on the Smartcard Logon certificate template, and then selecting Duplicate Template. 4. Type a name for the new template in the Template Display name box. For this example we will use
- Page 15
5. Click the Request Handling tab. 6. Select 1024 in the Minimum key size box. 7. Click the CSPs button. 8. Select Requests can use any CSP available on the subject's computer. 9. Click the Security tab.
- Page 16
10. In the Permissions for Authenticated Users area, in the Allow column, select both Read and Enroll. You have completed the creation of the template. 11. Copy the CCI SmartCard User certificate template into the Certificates Templates folder under the certificate server. a. Expand the Certificate
- Page 17
d. Select New > Certificate Template to Issue. 12. Select the template, and then click OK to import the template.
- Page 18
Microsoft Certificate Authority to Issue Smart Card User Certificate ActivClient 6.0 PKI Services support Digital certificate-based logon to Windows 2000, Windows XP Professional, and Windows Server 2003. The Services also support: • The ability to log off user and lock workstation on smart
- Page 19
2. Expand the defined CA. 3. Right-click Certificate Templates, and then select New. a. Select Certificate Template to Issue. b. Select Enrollment Agent. c. Select OK to add. 4. Launch Internet Explorer and browse to http://localhost/certsrv.
- Page 20
5. Under Select a task, select Request a certificate. 6. Select advanced certificate request.
- Page 21
7. Select Create and submit request to this CA. 8. In the Certificate Templates box, select Enrollment Agent.
- Page 22
the Key Options section as follows: • Create new key is selected • Microsoft Enhanced Cryptographic Provider v1.0 • Click Submit. 10. Accept default settings under Additional Options. 11. If a warning message displays about a potential scripting violation, press Yes to continue with the certificate
- Page 23
12. Install the Enrollment certificate requested. 13. Select Yes to Potential Scripting Violation. You have successfully generated and installed the required Enrollment Certificate, as shown below.
- Page 24
Manually issue Smart Card User Certificate 1. Launch Internet Explorer and browse to http://localhost/certsrv. 2. Select Request a certificate. 3. Select advanced certificate request.
- Page 25
4. Select Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station. 5. Select Smartcard User under Enrollment Options.
- Page 26
6. Define the user to enroll by clicking Select User. NOTE: ActivClient Libraries may report a container error message when used for secure logon purposes. It is important that the server's Active Directory User information contain an e-mail address on any smart card provisioned with a smart card
- Page 27
7. Insert Smart Card into Reader, and then select Enroll. Smart Card Validation Testing the Smart Card To verify that the CCI SmartCard Logon certificate for the user is installed on the smart card: 1. Click the ActivCard icon in the system tray to open the ActivClient user console. 2. In
- Page 28
: • who it was issued to • who it was issued by • valid dates Troubleshoot ActivClient The Troubleshooting Wizard helps you solve any problems with ActivClient. It analyzes your system, diagnoses the problems, and then displays the results on the Diagnosis And Resolutions page. 1. Open ActivClient
- Page 29
are a number of problems or if the instructions are long, then drag the scroll box to move through the information. 7. Follow the instructions displayed in the Diagnosis and Resolutions window, if any, then click Finish. Additional information Using a Smart Card For Windows Network Login During
- Page 30
requires some additional configuration to enhance the security of PDF documents. Instructions on how to do this can be found within Adobe Acrobat Help under "Digitally Signing PDF Documents". The Administration and User Guide also teaches security basics to help with the overall understanding
- Page 31
cases Usage case 1: User authentication from HP blade PC to Active Directory Domain The following steps provide instructions for performing a functional test of the SmartCard Logon certificate (assumes ActivClient PKI Only 6.0 libraries have been distributed to client blade PCs): 1. Ensure the CCI
- Page 32
PC or Active Directory Server using the HP SAM client Supported configurations: • Windows XP client (ActivClient optional) connecting to Terminal Server (ActivClient required). • Windows XP client (no ActivClient; smart card reader driver required for smart card support) connecting to Windows XP
- Page 33
The following steps provide instructions for performing a functional test of the CCI SmartCard Logon certificate: 1. Log out of the MS RDP session. 2. Open the HP SAM client window and initiate a connection to the HP blade PC or Active Directory Server. 3. Make sure a smart card is installed in the
- Page 34
access means access to any Web server with SSL v3 and a digital certificate. The following steps provide instructions for accessing a secure Web site using an ActivIdentity smart card through an HP blade PC or Active Directory Server. Installing and configuring a secure Web site is beyond the scope
- Page 35
on the client computer, open Network and Internet Connections. 2. Select the Create a connection to the network at your workplace task. ActivClient additionally supports Remote Access Dial-up/VPN log on with digital certificates. Please consult your ActivClient PKI Only User Guide for specific VPN
- Page 36
8. Select Add a shortcut for this connection to my desktop, and then click Finish. Depending upon the configuration of the VPN tunnel, you may have to change the configuration of the VPN connection. To change the configuration of the VPN window: 1. In Control Panel, open Network and Internet
- Page 37
the VPN connection. 2. In Smart card PIN, type the PIN, and then click OK. While establishing the VPN connection, the system displays Verifying username and password and Authenticated.
- Page 38
displays in the system tray. Usage case 6: User authentication from client device using Citrix server A single client can access multiple Citrix servers in the same session, with ActivClient running on each Citrix server. Supported Citrix authentication configurations: • Local user with pass-through
- Page 39
3. Select properties for the ICA connection, click the Logon Information tab, select Smart card, and then click OK. 4. Double-click the shortcut to connect to the Citrix server. 5. During logon to the server, the smart card login prompt appears for authorization.
- Page 40
Access Card (for enterprise systems). CSP-Cryptographic Service Provider. FIPS-Federal Information Processing Standard. GP-GlobalPlatform Key Infrastructure) keys are used to encrypt passwords in 2 different modes: • Synchronous - Generates 1 password without any challenge. The server and the
- Page 41
to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors
Implementing ActivIdentity Smart Cards for Use with HP Compaq t5720 Thin Clients and HP Blade PCs
Introduction (page 2)
Prerequisites (page 2)
Reference hardware and software (page 3)
Reference Documents (page 4)
Client Software Configuration (page 5)
Installing ActivClient PKI Only (page 5)
Initializing the smart card (page 8)
Server Software Configuration (page 9)
Installing Microsoft Certificate Services (page 9)
Configuring a Certificate Authority (CA) service (page 13)
Configuring Microsoft Certificate Authority to Issue Smart Card User Certificate (page 18)
Manually issue Smart Card User Certificate (page 24)
Smart Card Validation (page 27)
Testing the Smart Card (page 27)
Troubleshoot ActivClient (page 28)
Additional information (page 29)
Using a Smart Card For Windows Network Login (page 29)
Working with ActivClient PKI Only 6.0 Libraries (page 29)
Usage cases (page 31)
Usage case 1: User authentication from HP blade PC to Active Directory Domain (page 31)
Usage case 2: User authentication from client device to blade PC or Active Directory Server using RDP (page 32)
Usage case 3: User authentication from client device to HP blade PC or Active Directory Server using the HP SAM client (page 32)
Usage case 4: Accessing secure Web site (page 34)
Usage case 5: User authentication using VPN through firewall to HP blade PC or Active Directory Server (page 35)
Usage case 6: User authentication from client device using Citrix server (page 38)
Acronyms (page 40)
Service and Support (page 41)