Lexmark X864 PKI-Enabled Device Installation and Configuration Guide - Page 13

Active Directory Configuration

Note:

As with any form of authentication that relies on an external server, users will not be able to access protected

device functions in the event a network issue prevents the printer from communicating with the authenticating

server.

1

From the Embedded Web Server, click

Settings

>

Embedded Solutions

>

PKI Authentication

>

Configure

.

2

Under Active Directory Configuration, select a User Validation Mode:

•

PIN Only

—Users are validated locally with SmartCard and PIN. Network functions that require authentication

will not be available to users.

•

Active Directory

—Users are validated against Active Directory with SmartCard and PIN.

3

Select

Use MFP Kerberos Setup

to use the Kerberos settings already configured on the printer, or clear the check

box to use Simple Kerberos Setup.

4

For Simple Kerberos Setup you must provide:

•

Realm

—The Kerberos realm as configured in Active Directory; typically the Windows Domain Name. The

Realm must be entered in UPPERCASE.

•

Domain Controller

—IP address or hostname of the domain controller used for validation. Multiple values

can be entered, separated by commas; they will be tried in the order listed.

•

Domain

—The SmartCard domain that should be mapped to the specified Realm. This is the principal name

used on the SmartCard, and should be listed by itself, followed by a comma, a period, and then the principal

name again. This value is case-sensitive, and usually appears in lowercase. Multiple values can be entered,

separated by commas.

Example: If a U.S. DoD Common Access Card uses “123456789@mil” to identify a user, “mil” is the principle

name. In this case, you would enter the Domain as “mil,.mil”.

•

Timeout

—The amount of time the printer should wait for a response from the domain controller before

moving to the next one in the list.

5

If users are allowed to login manually, provide at least one

Manual Login Domain

(a Windows Domain Name)

to choose from when logging in. Multiple domains can be entered, separated by commas.

6

Select a DC Validation Mode for validating the domain controller certificate when users login to the printer:

•

Device Certificate Validation

—The most common method. The certificate of the CA that issued the domain

controller certificate must also be installed on the printer.

•

MFP Chain Validation

—The entire certificate chain, from the domain controller to the root CA, must be

installed on the printer.

•

OCSP Validation

—The entire certificate chain, from the domain controller to the root CA, must be installed

on the printer, and

Online Certificate Status Protocol

(OCSP) settings must be configured.

7

If you selected OCSP Validation, configure the following:

•

Responder URL

—The IP address or hostname of an OCSP responder/repeater, along with the port being

used (usually 80). The correct format is “http://ip_address:port_number” (http://255.255.255.0:80). Multiple

values can be entered, separated by commas; they will be tried in the order listed.

•

Responder Certificate

—Browse to locate the X.509 certificate for the responder.

•

Responder Timeout

—The amount of time the printer should wait for a response from the OCSP Responder

before moving to the next one in the list.

•

Unknown Status is Valid

—Select this check box if you want to allow users to login even if the OCSP response

indicates the certificate status is unknown.

8

Continue to User Session and Access Control, or click

Apply

at the bottom of the screen to save changes.

Configuring PKI-enabled devices

13

Section	Page
Contents	3
Configuring PKI-enabled devices	5
Overview	5
Supported devices	5
Before configuring the printer	5
Installing the firmware and applications	6
Verifying and updating the firmware	6
Installing the authentication token application	7
Installing PKI applications	7
Configuring printer settings for use with PKI applications	8
TCP/IP settings	8
Date and time	9
Panel login timeout	9
Certificate management	10
Configuring Scan to Email	10
SMTP settings	10
E-mail settings	11
Address Book setup	11
Configuring PKI Authentication	12
Logon screen	12
Active Directory Configuration	13
User Session and Access Control	14
Advanced Settings	14
Configuring PKI S/MIME Email	15
PKI S/MIME settings	15
Configuring PKI Scan to Network	16
General Settings	16
Default Scan Settings	17
Creating file shares	17
Editing or deleting a file share	19
Configuring PKI Held Jobs	19
PKI Held Jobs settings	19
Troubleshooting	21
Login Issues	21
“Unsupported USB Device” error message	21
The printer home screen does not return to a locked state when not in use	21
Login screen does not appear when a SmartCard is inserted	22
“The KDC and MFP clocks are different beyond an acceptable range; check the MFP's date and time” err ...	22
“Kerberos configuration file has not been uploaded” error message	22
Users are unable to authenticate	22
“The Domain Controller Issuing Certificate has not been installed” error message	23
“The KDC did not respond within the required time” error message	23
“User's Realm was not found in the Kerberos Configuration file” error message	23
“Realm on the card was not found in the Kerberos Configuration File” error message	24
“Client [NAME] unknown” error message	24
Login hangs for a long time at “Getting User Info...”	24
User is logged out almost immediately after logging in	24
LDAP issues	24
LDAP lookups take a long time, and then may or may not work	24
LDAP lookups fail almost immediately	25
Scan to Email issues	26
“Email cannot be sent because an error occurred trying to get your email address” error message	26
“Email cannot be sent because you are not authorized to perform this function” error message	26
“The email cannot be sent because a valid digital signature could not be found on your card” error m ...	26
“The email cannot be sent because it cannot be digitally signed when a manual login is performed” er ...	26
“Email cannot be sent. Unable to find valid encryption certificate for [E-mail address]” error message	27
Unable to send E-mail (SMTP-related issues)	27
Scan to Network issues	28
“You are not authorized to use this feature” Scan to Network error message	28
“This feature is not available because no file shares have been configured by the system administrat ...	28
“This feature is not available because you are not authorized to scan to any of the available file s ...	28
“An LDAP error occurred trying to retrieve the selected file share destination” error message	28
“No UNC Path has been defined for this destination” error message	29
“The scanned file size and saved file size do not match” error message	29
“User does not have read access to the file share; unable to verify the file size” error message	29
“Invalid filename specified” error message	30
“An error occurred connecting or writing to the File Share” error message	30
“The network share name does not exist on the specified file server” error message	30
Held Jobs/Print Release Lite issues	31
“You are not authorized to use this feature” Held Jobs error message	31
“Unable to determine Windows User ID” error message	31
“There are no jobs available for [USER]” error message	31
Jobs are printing out immediately	32
Notices	33
GNU Lesser General Public License	33
LEXMARK SOFTWARE LICENSE AGREEMENT	33
Additional copyrights	35

Lexmark X864 PKI-Enabled Device Installation and Configuration Guide - Page 13

Active Directory Configuration

Page 13 highlights