7.14 PKI

The PKI method enables you to authenticate with any PKI device, such as a contact card or USB token, that contains a digital certificate. The PKI reader validates the digital certificate and the identity of the user. When you authenticate on any device, the certificate on the PKI device is compared with the certificate that was enrolled for you. If the certificates match, you are authenticated.

NOTE: You must install the Device Service to enroll the PKI method.

To authenticate by using the PKI method, perform the following steps:

  1. Insert the card into the reader or connect the token to your machine.

  2. Specify the PIN.

    If the digital certificate on the card or token and the enrolled certificate are identical, PKI authentication succeeds.

IMPORTANT: The PKI method supports the 1:N feature: Advanced Authentication detects the user name automatically from the device. You can authenticate by pressing CTRL+ALT+DEL and then plugging in your PKI device.

The following table describes the possible error messages for PKI authentication, along with the likely cause and the workaround for each.

Table 7-7 PKI authenticator - error messages

Error: Wrong card
Possible Cause and Workaround: The card that is used is incorrect. Try authenticating with another valid card or token. You can enroll the authenticator again in the Self-Service portal or contact your helpdesk administrator.

Error: Present card
Possible Cause and Workaround: The PKI device is not connected properly. Try connecting it to a different USB slot and authenticate again.

Error: <Your user name> has no authenticator for PKI
Possible Cause and Workaround: You have not enrolled the PKI method. Enroll the authenticator in the Self-Service portal or contact the helpdesk administrator.
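The following is an added example, not code from the Advanced Authentication product, that models the comparison and the 1:N lookup described above and maps the outcomes to the messages in Table 7-7. It assumes the server stores only a SHA-256 fingerprint of the enrolled certificate, that the card releases its certificate only after the PIN is verified, and that a PIN failure is reported with a "PIN rejected" message (all three are assumptions; the certificate bytes and users are constructed sample data).

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class PkiDevice:
    """A card or token: holds one certificate and releases it only after the PIN."""
    cert_der: bytes
    pin: str

    def unlock(self, entered_pin: str) -> Optional[bytes]:
        # Constant-time comparison so the PIN check does not leak by timing.
        return self.cert_der if hmac.compare_digest(self.pin, entered_pin) else None


# Constructed enrollment store: only the fingerprint of the certificate enrolled
# in the Self-Service portal is kept, keyed by fingerprint so that a 1:N lookup
# (certificate -> user name) works without the user typing a name.
ENROLLED_BY_FINGERPRINT = {fingerprint(b"constructed-cert-alice"): "alice"}
KNOWN_USERS = {"alice", "bob"}  # bob exists but never enrolled a PKI authenticator


def authenticate(device: Optional[PkiDevice], entered_pin: str,
                 username: Optional[str] = None) -> Tuple[bool, str]:
    """Return (True, user) on success or (False, message) using Table 7-7 wording.
    username=None selects 1:N mode: the user name is detected from the device."""
    if device is None:
        return False, "Present card"
    cert = device.unlock(entered_pin)
    if cert is None:
        return False, "PIN rejected"  # assumed message; not part of Table 7-7
    presented = fingerprint(cert)
    if username is None:  # 1:N: find which enrolled user owns this certificate
        owner = ENROLLED_BY_FINGERPRINT.get(presented)
        return (True, owner) if owner else (False, "Wrong card")
    # 1:1: the user name is known, so compare against that user's enrolled certificate
    enrolled = {u: fp for fp, u in ENROLLED_BY_FINGERPRINT.items()}.get(username)
    if enrolled is None:
        return False, f"{username} has no authenticator for PKI"
    if hmac.compare_digest(enrolled, presented):
        return True, username
    return False, "Wrong card"
```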

7.14.1 Observations of the 1:N Behavior on Mac

The behavior of 1:N login depends on which login window is displayed when a card is placed in the card reader:

When the Username and password login window is set:

  • Case 1: The Other user window is displayed (the user name has not been submitted). The user is logged in through 1:N when the card is placed in the card reader.

  • Case 2: The list of chains is displayed (the user name has been submitted). The user is logged in through 1:N when the card is placed in the card reader.

  • Case 3: A chain is selected (for example, Password only) and the Enter password window is displayed. The user is not logged in through 1:N when the card is placed in the card reader.

When the List of users login window is set:

  • 1:N login is performed when the login window with the list of users is displayed (the authentication window is not displayed) or after selecting Other user.

  • 1:N login is not performed after selecting a user from the list, once the list of chains for that user is displayed. When you select any user from the list:

    • Case 1: The list of chains is displayed. The user is not logged in through 1:N when the card is placed in the card reader.

    • Case 2: A chain is selected. The user is not logged in through 1:N when the card is placed in the card reader.

  • When you select the Other user item on the login window, the behavior is the same as for the Username and password login window.

NOTE:

  • 1:N does not work in FUS. After selecting a user from the list in FUS, 1:N login cannot be performed.

  • For screens in sleep or screensaver mode, the authentication window must be opened before 1:N login can be performed.