10.15 PKI

The PKI method enables you to authenticate using any PKI device, such as a contact card or USB token, that contains your digital certificate. The PKI reader validates the digital certificate and the identity of the user. When you try to authenticate to an application, the certificate on the device is compared with the certificate that was enrolled for you. If the certificates match, you are authenticated successfully.

NOTE: To use the PKI method for authentication, you must install the Advanced Authentication Device Service. For more information about the Device Service, see the Advanced Authentication - Device Service guide.

To authenticate using the PKI method, perform the following steps:

  1. Insert the card into the reader or plug the token into your machine.

  2. Specify the PIN.

    If the digital certificate on the card or token and the enrolled certificate are identical, the PKI authentication is successful.

IMPORTANT: The PKI method supports the 1:N feature: the user name is detected automatically by Advanced Authentication, so you do not need to specify it. You can authenticate by pressing CTRL+ALT+DEL and then plugging in your PKI device.

The following table describes the possible error messages, along with a possible cause and workaround for each, for PKI authentication.

Table 10-8 PKI authenticator - error messages

Error: Wrong card
Possible Cause and Workaround: The card you have used for authentication does not match the enrolled certificate. Try authenticating with another valid card or token. Enroll the authenticator again in the Self-Service portal or contact your helpdesk administrator.

Error: Present card
Possible Cause and Workaround: The PKI device is not connected properly. Try connecting it to a different USB slot and authenticate again.

Error: <Your user name> has no authenticator for PKI
Possible Cause and Workaround: You have not enrolled the PKI authenticator. You must enroll the authenticator in the Self-Service portal or contact the helpdesk administrator.

Error: No template for Card
Possible Cause and Workaround: The card is not enrolled, or you are trying to log in with a non-cached authenticator in offline mode.
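The following is an added example that models the comparison described above (the procedure in steps 1 and 2, and the outcomes listed in Table 10-8); it is not Advanced Authentication code. The certificate read from the device is treated as an opaque DER blob and matched on a SHA-256 fingerprint of the whole encoding, so a different certificate issued to the same subject does not match. The template store, its field names, and the certificate byte strings are constructed for the example; the PIN entry of step 2 is outside this model.

```python
"""Model of PKI certificate matching (added example, not product code).

Assumptions (not from the original page): the enrolled template store
keeps one SHA-256 fingerprint per enrolled certificate together with a
flag saying whether the authenticator is cached for offline use.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholders standing in for DER-encoded certificates.
# They are NOT real certificates; a real reader would return the DER blob.
CERT_ALICE = b"\x30\x82\x01\x0a" + b"constructed-cert-alice"
CERT_BOB = b"\x30\x82\x01\x0a" + b"constructed-cert-bob"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint over the full DER encoding, as hex."""
    return hashlib.sha256(der).hexdigest()


@dataclass
class EnrolledTemplate:
    user: str
    fingerprint: str            # SHA-256 of the enrolled certificate DER
    cached_offline: bool = False  # usable when the endpoint is offline


@dataclass
class TemplateStore:
    templates: list[EnrolledTemplate] = field(default_factory=list)

    def enroll(self, user: str, cert_der: bytes, cached_offline: bool = False) -> None:
        self.templates.append(EnrolledTemplate(user, fingerprint(cert_der), cached_offline))

    def usable(self, offline: bool) -> list[EnrolledTemplate]:
        """Templates that can be matched in the current mode."""
        return [t for t in self.templates if not offline or t.cached_offline]


def _matches(t: EnrolledTemplate, fp: str) -> bool:
    # Constant-time comparison of the two hex fingerprints.
    return hmac.compare_digest(t.fingerprint, fp)


def authenticate(store: TemplateStore, cert_der: Optional[bytes],
                 user: Optional[str] = None, offline: bool = False) -> tuple[bool, str]:
    """Return (success, message).

    user=None models the 1:N feature: the user name is derived from the
    certificate on the device. Otherwise the presented certificate is
    compared only with the named user's enrolled certificate.
    The messages mirror the rows of Table 10-8.
    """
    if cert_der is None:
        return False, "Present card"          # no device connected / not readable
    fp = fingerprint(cert_der)
    usable = store.usable(offline)

    if user is None:
        for t in usable:                      # 1:N lookup
            if _matches(t, fp):
                return True, t.user
        return False, "No template for Card"

    mine_all = [t for t in store.templates if t.user == user]
    if not mine_all:
        return False, f"{user} has no authenticator for PKI"
    mine = [t for t in usable if t.user == user]
    if not mine:                               # enrolled, but not cached for offline use
        return False, "No template for Card"
    for t in mine:
        if _matches(t, fp):
            return True, user
    return False, "Wrong card"


def build_demo_store() -> TemplateStore:
    """Constructed store: alice is cached for offline use, bob is not."""
    store = TemplateStore()
    store.enroll("alice", CERT_ALICE, cached_offline=True)
    store.enroll("bob", CERT_BOB)
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(authenticate(s, CERT_ALICE))                 # 1:N: user name detected
    print(authenticate(s, CERT_BOB, user="alice"))     # Wrong card
    print(authenticate(s, CERT_BOB, user="bob", offline=True))  # No template for Card
```

Matching on the fingerprint of the whole certificate rather than on its subject name is what makes "Wrong card" meaningful: a second certificate for the same user from a different issuer, or a re-issued one after re-enrollment, produces a different fingerprint and must be enrolled again, which is exactly the workaround the table gives.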

NOTE: To log in to a computer using the PKI authenticator, you must place the card on the reader or connect the token to the computer. After logging in, you can remove the card from the reader or disconnect the token to lock the computer automatically.

Advanced Authentication does not support tapping a card to lock or unlock a computer.