Configuring Common Access Card Authentication

Summary

ProfileUnity™ with FlexApp provides support for using Common Access Card (CAC) authentication when logging in to the ProfileUnity Management Console. CAC authentication provides a higher level of security by requiring a two-factor authentication process involving a smart card and a PIN.

Requirements

ProfileUnity’s CAC Secure Mode is compatible with Microsoft Windows Server 2008 R2, 2012 R2, and 2016. The server should already have the CAC software installed and working.

Configuring CAC Secure Mode

To configure CAC Secure Mode, complete the following steps:

  1. Install the ProfileUnity Management Console on Windows Server if not previously done.
  2. Log in to the ProfileUnity Management Console.
  3. Hover over your username in the top right corner of the screen.
  4. In the drop-down menu that appears, click Administration.
  5. The Administration screen opens with the Settings tab displayed.
  6. Click the Users And Roles tab in the top right corner of the screen.
  7. In the User Management field, click the name of a user that is linked to Active Directory. If one does not already exist, click the Add User button and create one.
  8. In the Role Management field, enter the Active Directory username and password to serve as the Service Account for Deployment.
  9. Click the Add/Update button.
  10. In the top right corner of the Administration screen, click the Settings tab.
  11. Scroll down to the Miscellaneous section.
  12. Select the Enable CAC Secure Mode checkbox.
  13. Click the Select Certificate Authorities from Local Machine Root field, then pick one or more certificate authorities to use from the drop-down list that appears.
  14. Select the Enable CAC Certificate Revocation List Cache checkbox.
  15. Select the Enable Secure Banner Text checkbox.
  16. Review the Secure Banner Text and the Secure Login Banner Text and make any necessary edits.
  17. Click the Update button in the top right corner of the screen.
  18. Restart the ProfileUnity service.

Note: The server security GPO setting to require smart cards at logon conflicts with ProfileUnity’s CAC Secure Mode and prevents authorized users from logging in to the ProfileUnity Management Console. The workaround is to disable the following server GPO:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require smart card

For more information, read the knowledge base article entitled "Impersonation Failed Due to Logon User."
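
A read-only pre-flight check for the procedure and the note above, added here as an example and not taken from the ProfileUnity documentation: it lists the certificates in the Local Machine Root store (the store named in step 13) with their expiry status, and reports whether the "Interactive logon: Require smart card" policy is in effect on the server. It assumes that the drop-down in step 13 reflects the contents of Cert:\LocalMachine\Root and that the policy is read from the scforceoption value under the Policies\System registry key; the function names are hypothetical.

```powershell
# Added example: pre-flight check before enabling CAC Secure Mode.
# Read-only. Run in an elevated PowerShell session on the ProfileUnity server.
# Written to work on PowerShell 2.0 and later (Windows Server 2008 R2 onward).

function Get-RootCaInventory {
    # Enumerate the Local Machine Root store (assumed source of the step 13 list).
    Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object {
        # Basic Constraints is absent on some older v1 root certificates.
        $bc = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
        }
        New-Object PSObject -Property @{
            Subject         = $_.Subject
            Thumbprint      = $_.Thumbprint
            NotAfter        = $_.NotAfter
            Expired         = ($_.NotAfter -lt (Get-Date))
            HasCaConstraint = [bool]($bc -and $bc.CertificateAuthority)
        }
    }
}

function Test-RequireSmartCardPolicy {
    # "Interactive logon: Require smart card" is stored as scforceoption (1 = enabled).
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop = Get-ItemProperty -Path $key -Name scforceoption -ErrorAction SilentlyContinue
    return ($prop.scforceoption -eq 1)
}

$cas = @(Get-RootCaInventory)
$cas | Sort-Object NotAfter |
    Format-Table Subject, NotAfter, Expired, HasCaConstraint, Thumbprint -AutoSize

# An expired root cannot anchor a valid CAC chain, so flag it before selecting it.
$expired = @($cas | Where-Object { $_.Expired })
if ($expired.Count -gt 0) {
    Write-Warning ("{0} certificate(s) in the Root store are expired." -f $expired.Count)
}

if (Test-RequireSmartCardPolicy) {
    Write-Warning 'Interactive logon: Require smart card is enabled; this conflicts with CAC Secure Mode.'
} else {
    Write-Output 'Interactive logon: Require smart card is not enabled on this server.'
}
```

Because the registry value shows the effective setting, a result of "enabled" after the policy was changed usually means Group Policy has not yet refreshed on the server or a higher-precedence GPO still applies it.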