The use only smart cards for several hundred users
How can I assign soon as possible,
use only the smart card for
a few hundred users? I also have
a group of people who would like to allow the use of
a login and password, and smart card.
Using GPO to the computer,
will be applied to the station, and I would just like
to the user. I know that
the card user can select
to use a smart card, but
how to do it automatically for a group of people
(several hunderd)?
I would use LDAP query via GUI tools (like AD Administrative Console) or console tools (Active Directory PowerShell module) get target users by using some filter and enable smart card checkboxes. GPO cannot be used to make changes in AD.
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new:
PowerShell FCIV tool.
Similar Messages
-
Need advice for an application that restricts access to other applications using a smart card
Hello everybody,
I am developing a system that uses a smart card reader attached to a USB port of a PC.
What the system should provide is:
When computer boots up and shows the users login screen, a user, previously registered, can use his smart card to access the system, instead of entering his password
Once the user is logged in, when he tries to launch an application, which has previously marked as "secured", a dialog box is shown indicating that the user has to present his smart card. If the smart card has access to the application, the application
is launched, otherwise an error message is shown to the user and the application is not executed.
I develop in C++ and C#. I have already created a library (in Visual C++) that manages the smart card reader and provides the card presented to it.
Now I am developing the applicastion (in C#) that will configure the security (assigning cards to users and applications).
Concerning this, I have 2 questions regarding each point above:
Is it possible to create the centralized application that lists all users and allows to assign cards to them? Then, when the users login screen is shown, the system must access that data before logging in, so that it can check which card was presented and
what user it corresponds to. I have seen in laptops, that have embedded fingerprint readers, a user must login to his account first and then he can register his fingerprints. In fact, what I need to do is something similar but with smart card reader instead
of fingerprint reader. So, perhaps, user must login into his account first and then he will be able to add his card and store that information somewhere (in windows registry maybe).
How can I launch my application when other application is executed but before its interface is actually shown? this is similar to what antivirus programs do, because they check the executable before it is actually ran. What is the best method to address
the application? by executable file name? process name? or other? if the best is by process name, how can I know the process name without actually running the application?
Well, that is all what I need to do. Please advice regarding this subject.
I look forward to hearing from you,
Best regards,
Jaime
Powered by C++> what was the guidance?
1. Research other software that does similar things (not just exactly the same) as you need. If you like something in their solutions, copy it :)
The only software I know that does that is an antivirus, but I am unlucky to find some code in c++ that allows to intercept the program execution before actually executing it.
2. If a kernel driver would fit in your solution, go for it (google for what is available for free, or find a consultant to write it for you).
There are a lot of information about kernel drivers, but the question is, is that really the solution?
Otherwise, you can just hide the application from user's reach and substitute the executable in shortcuts, etc. to run your program instead.
Definetly this is not the way to go
What is the best method to address the application? by executable file name? process name? or other?
By executable file name, like in the Windows Applocker, I think. Processes do not have names (they are artifact of Task manager and debugging tools, to represent the processes for user somehow). Or, only by the filename part of the full path.
I agree with that
if the best is by process name, how can I know the process name without actually running the application?
When the user runs the application, the driver will detect this and do its magic.
I have found this page: http://stackoverflow.com/questions/3556048/how-to-detect-win32-process-creation-termination-in-c. They mention WMI, but I will study it tommorow... it is so late for today :-)
Regards,
-- pa
Regards
Jaime
Powered by C++ -
We have several apple devices in our family who use my debit card for itune charges. I need to find out which device (itune account) these charges are coming from. Can you help?
You can't tell which device a purhcase was made on, but if your family members each have their own iTunes account to which your card is linked then you can check the purchase history on each of those accounts via the Store > View Account menu option on your computer's iTunes - that should have 'purchase history' section with a 'see all' link to the right of it
-
I'm working on ForeFront Identity Manager 2010. I'd like to enable AD users to use Smart Cards to reset their passwords. I watched this video www.youtube.com/watch?v=b4aGLnZHZN4. From this video (minute 2), it's said that we could use smart cards to authenticate
to Self-service Password Reset instead of Q/A gate.
I looked at ForeFront Identity Manager Portal but I couldn't find where to configure to use Smart Cards for this purpose. I only found "SMS authentication gate" and "Question and Answer Gate". Can somebody help me?
Thanks,
HaiI am still interested in Clients or other Inquiries in this
Subject. -
Why does the name change to my dad's name when I use his credit card for downloads?
I have an iPod touch. I have my own apple ID and icloud account. Why does the name change to my dad's name when I use his credit card for downloads? Is there a way I can have my own account and use my dad's card without having his name on my photostream and icloud?
I went on icloud.com and changed my name but it changes the credit card name to mine as well so I can't get apps unless its under his name, but it confuses everyone i share photo streams with, as there are two of my dads?
My aunt is having the same problem with her photostream, so I know its not only me.I have this problem and it's annoying. Plenty of people in this world do not pay for their own stuff!. So i have 5 kids. All there accounts show as my name when people add them for Photo streams etc etc. This is ridiculous. Why not seperate billing address / credit card details to the name of the person on the account? Why do they have to be the same?
-
Authenticate to the Domain using a Smart Card
Hi,
I'm trying to get authenticated using the Smart Card but got the following error messages:
On the Windows XP client, we inserted the PIV card, entered the PIN but received an error message “The system could not log you on. The server authenticating you reported an error (0xC00000BB).”
On the Windows 7 client, we received an error message “The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account.”
Here is our environment:
- Domain: Windows 2008 R2
- Client: Windows XP SP3 and Windows 7
- Smart Card: USAccess issued PIV card
- Care Reader: SCR3310
- Middleware: ActiveClient
Here is what I have already done:
- Imported the following Entrust certificates from http://sspweb.managed.entrust.com/EMSPKIFSSPCACertificateInformation.html into the Domain under the Trusted Root Certification Authorities
o Common Policy CA Certificate
o Common Policy to EMSPKI trust certificate
o Federal Root CA Expires 06/01/2012
o Federal SSP CA Expires 05/31/2012
o Federal Root CA Expires 05/09/2019
o Federal SSP CA Expires 05/08/2019
- Added the certificates to the NTAuth store in the Domain
- Posted Domain controller certificate (issued by NIST internal CA) in the NTAuth store
- Updated my UPN on the domain to match with the Subject Alternative Name on the card “[email protected]”
- Domain policy pushed down the Entrust certificates and Domain Controller certificate to the client computer
- Made PIV Card certificates available to the Windows via ActiveClient middleware
Am I missing some steps or configuration?
Thank you,To solve one of the issues related to:
"The system could not log you on. You cannot use a smart card to log on because smart card login is not supported for your user account. Contact
your system administrator to ensure that smart card logon is configured for your organization."
On the client side.
Ensure that the Certificate is assigned the Client Authentication function.
You can do this on Internet Explorer:
Tools -> Internet Options -> Content -> Certificates
Then select the certificate
Click the ‘Advanced’ button, this opens the Advanced Options dialog box.
Under ‘Certificate purposes:’ box check:
|X| Client Authentication -
Why being prompted for login/password when using OVDC, smart card,token/vdi
Hello,
I'm using VDI 3.2.1, OVDC, smart card and i assigned a smart card token to a desktop pool.
Inserting the smart card triggers a new VDI desktop selector which prompts for the login and password.
Is there any reason why VDI is prompting for the login/password in the VDI selector when using a smart card especially that the smart card token has been assigned to a desktop pool ?
Thanks
Thierry.You still have to authenticate to get a desktop. If you assigned a token to a pool, the ability to be assigned a desktop is based on the token not the user ID. That means that any user will be assigned a desktop if they use that card.
-
Wanted to include my sister and parents in the Family Sharing group under the iCloud app, but I don't want them using my credit card for their purchases. We just wanted to be able to share pictures and/or videos and find each other, if necessary. Is there a way around my card being the default for them when they go to purchase something?
If you don't want your sister to make purchases on your credit card, then Family Sharing is not an appropriate way to do what you want. You can use Find my Friends to locate each other and you can use Shared Photo Streams to share photos.
-
I have been using my DEBIT card for over a year but recently I had to update my billing information, since then it will not accept my card. All the information is correct, it's just telling me to visit iTunes support. Can someone help me? Much appreciated
Debit card? Are you sure?
USA iTunes Store does not appear to accept debit cards - http://www.apple.com/legal/itunes/us/terms.html "The iTunes Store, Mac App Store, App Store, and iBookstore services (“Services”) accept these forms of payment: credit cards issued by U.S. banks, payments through your PayPal account, iTunes Cards, iTunes Store Gift Certificates, Content Codes, and Allowance Account balances." -
I have 6p from a gift card left in the English store and can't spend it. I want to change to the Irish store as I have an Irish gift card for me to redeem but it won't let me change store. Also I don't want to use a credit card for the last 6p.
See:
How to manage unused iTunes Gift Card and Gift Certificate balances -
My problem is a sudden loss of ability to get to PSE12 Organizer when I tried to load a saved scan. Had been using the Organizer and the Editor with no problems for several hours just before that.
Can not load the Organizer from the icon at the bottom of Editor screen, from the icon on the MacBook Air dock (OS 10.10.2), nor from the file in applications located with Finder.
I have tried without success to access Organizer after turning off and on the scanner, turning off and on the computer, loading a fresh copy of PSE12 from the CD, and restoring default preferences. I have searched on line for other options but not found any.
Can you help me?Not Charge
- See:
iPod touch: Hardware troubleshooting
iPhone and iPod touch: Charging the battery
- Try another cable. The cable for 5G iPod (lightning connector) seems to be more prone to failure than the older cable.
- If a 5G iPod
Iphone 5 lightning port charging problem - SOLUTION!
- Try another charging source
- Inspect the dock connector on the iPod for bent or missing contacts, foreign material, corroded contacts, broken, missing or cracked plastic.
- Make an appointment at the Genius Bar of an Apple store.
Apple Retail Store - Genius Bar -
Intel HD Graphics 4000 IS THE ONLY GRAPHICS CARD FOR MINI?
Intel HD Graphics 4000 IS THE ONLY GRAPHICS CARD FOR MINI? OR APPLE SELLS Minis WITH A REAL GRAPHICS CARD?
lse123 wrote:
BOTH MINIS AND APPLE EXT OPTICAL DRIVE are dual band 110V/240V correct?
how much size has the box of mini and the optical drive?
Look here for what you want:
http://www.apple.com/mac-mini/specs.html -
How would I use a credit card for In-app purchases instead of my gift card credit?
I have a gift card credits linked to my account, but I do not want to use it for an in-app purchase. I want to use my credit card for the purchase. Is there any way around this?
You can't for in-app purchases, when you have a balance on your account then that will automatically be used for your purchases.
For other types of purchase you can try gifting the item to yourself so that your credit card is charged (gifting can only be done via a credit card), but you can't do that with IAPs. -
How to prevent the use of wild cards in select-option
Hello experts,
Is it possible to prevent the use of wild cards in a select-option? If yes, how is it done please?
I have a
SELECT-OPTIONS: o_comp FOR dbtab-field OBLIGATORY DEFAULT 'FI'.
and, I want to prevent the users for giving in some thing like FI* with the wildcard bc it would lead to dump.
I want an error message to display and prevent the users for making such entry.
Please I need your help and I would be very grateful.
Thanks
NadinYou have to use SELECT_OPTIONS_RESTRICT to restrict input allowed. Call this FM in INITIALIZATION or SELECTION-SCREEN OUPUT sections.
Sample :
TYPE-POOLS: sscr.
INITIALIZATION.
* Restrict SELECT-OPTIONS
PERFORM restrict_select.
FORM restrict_select.
DATA: restrict TYPE sscr_restrict,
opt_list TYPE sscr_opt_list,
*** TYPE sscr_***.
* Défine select-options modes (aka option list)
* - ALL standard - all options allowed
CLEAR opt_list.
MOVE 'ALL' TO opt_list-name.
MOVE 'X' TO: opt_list-options-bt,
opt_list-options-cp,
opt_list-options-eq,
opt_list-options-ge,
opt_list-options-gt,
opt_list-options-le,
opt_list-options-lt,
opt_list-options-nb,
opt_list-options-ne,
opt_list-options-np.
APPEND opt_list TO restrict-opt_list_tab.
* - EQU only equality allowed (list of values)
CLEAR opt_list.
MOVE 'EQU' TO opt_list-name.
MOVE 'X' TO opt_list-options-eq.
APPEND opt_list TO restrict-opt_list_tab.
* Affect modes to parameters or block of parameters
* ALL by default
CLEAR ***.
MOVE: 'A' TO ***-kind,
'*' TO ***-sg_main,
'ALL' TO ***-op_main.
APPEND *** TO restrict-***_tab.
* EQU to internal material number
CLEAR ***.
MOVE: 'S' TO ***-kind,
'S-MATNR' TO ***-name,
'I' TO ***-sg_main, " no exclusion
'EQU' TO ***-op_main. " only value list
APPEND *** TO restrict-***_tab.
* Call FM
CALL FUNCTION 'SELECT_OPTIONS_RESTRICT'
EXPORTING
restriction = restrict
EXCEPTIONS
OTHERS = 1.
ENDFORM. " restrict_select
In the sample, only select-options for matnr is restricted to single value list.
For your request build a mode with all options except "pattern" ones : CP and NP.
Regards -
Using one packing instruction for several materials
Dear Friends,
I need some inputs on how to use one packing instruction for several materials.
The scenarion here is :
Many materials are packed in a similar way. If certain materials differ in only one characteristic (for example, construction), having to maintain a packing instruction for each of them results in a considerable time and efforts.
Need some valuable inputs to complete this requirement.
Regards,
HarshHi.
Try with reference material for packing (MARA-RMATP). Same material number must be entered on all materials which are packed through same packing instructions.
Then you have to create/use access sequence for determination of packing instructions that contains that characteristic (RMATP).
Best regards
Milan
Maybe you are looking for
-
I have a m4 aqua dual and running Android lollipop
-
Get-queue command in exchange 2013
I want to know what is the new velocity option means when we type get-queue command in exchange 2013. 1dentity DeliveryType Status MessageCount Velocity RiskLevel OutboundIPPool XMAIL02\74177
-
Could not enlist in transaction
Hi All wls70 --> tux8.0 some times I get the following errors ==##[2004-07-08 08:43:57.516]##== HomeReceiver#[281] exception: interboss.util.InterException: -180001****??tuxedo????****TPESYSTEM(12):0:0:TPED_MINVAL(0):QMNONE(0):0:ERROR: Could not enli
-
Confirmation control key in PO
Dear All, What is the use of conformation key in PO?? i know it is used to update the data given by vendor I need to know more abt the confirmations 0001 given in std PO After choosing that confirmation next what we need to do ?? pl reply i could not
-
I've been waiting online for over an hour for someone to help me with my membership to Photoshop CC