Configuring Common Access Card Authentication

ProfileUnity™ with FlexApp provides support for using Common Access Card (CAC) authentication when logging in to the ProfileUnity Management Console. CAC authentication provides a higher level of security by requiring a two-factor authentication process involving a smart card and a PIN.

ProfileUnity’s CAC Secure Mode is compatible with Microsoft Windows Server 2016, 2019, and 2022. The server should already have the CAC software installed and working.

Configuring CAC Secure Mode

Preliminary Steps

  1. Log in to the ProfileUnity Server.
  2. After you enable CAC mode in the UI, the local ProfileUnity admin account will no longer work for login. Therefore, before enabling CAC, go to the Administration screen and click the Users And Roles tab in the top right corner. Scroll to the User Management section and create a new user, then select the Link to Ldap checkbox for that new user.
  3. Stop the Liquidware Labs ProfileUnity Service and change its Log On account to a domain account.
  4. Add this domain account to the local Administrators group on the ProfileUnity server. This account will also need the following Console Service Account permissions:

     User Account                          Recommended Permissions   Target
     ProfileUnity Console Service Account  Full Control              Deployment Paths
     ProfileUnity Console Service Account  Read Only Access          Active Directory (Users, Groups, OUs)
     ProfileUnity Console Service Account  Read Only Access          File shares for printers and for importing shortcuts or registry keys

  5. Restart the Liquidware Labs ProfileUnity Service.
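The service-account part of the preliminary steps (stop the service, move it to a domain account, add that account to the local Administrators group, restart) can be done from an elevated PowerShell prompt. The script below is an added example and is not Liquidware's own tooling; it assumes the service is identified by the display name used in this document, and the account name and password are supplied by the operator (the `CONTOSO\svc-profileunity` value in the comment is a placeholder).

```powershell
# Added example, not part of ProfileUnity: re-point the ProfileUnity service
# at a domain account, grant local admin, and restart it.
# Assumptions: the service is located by the display name given in the docs;
# $ServiceAccount is a DOMAIN\user string (placeholder: CONTOSO\svc-profileunity).
param(
    [Parameter(Mandatory)] [string]       $ServiceAccount,
    [Parameter(Mandatory)] [securestring] $ServicePassword
)

$displayName = 'Liquidware Labs ProfileUnity Service'
$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$displayName'"
if (-not $svc) { throw "Service '$displayName' not found on this host." }

# Step 3a: stop the service before changing its logon identity.
Stop-Service -Name $svc.Name -Force
(Get-Service -Name $svc.Name).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Step 3b: change the Log On account. Win32_Service.Change needs the plaintext
# password, so unwrap the SecureString only for this call.
$plain  = [System.Net.NetworkCredential]::new('', $ServicePassword).Password
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $ServiceAccount
    StartPassword = $plain
}
if ($result.ReturnValue -ne 0) { throw "Change() failed with return code $($result.ReturnValue)" }

# Step 4: add the account to the local Administrators group (skip if already there).
$members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($members -notcontains $ServiceAccount) {
    Add-LocalGroupMember -Group 'Administrators' -Member $ServiceAccount
}

# Step 5: restart and confirm the new identity took effect.
Start-Service -Name $svc.Name
$after = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
"{0} running as {1}, state {2}" -f $after.DisplayName, $after.StartName, $after.State
```

Unlike the Services snap-in, changing the account through WMI does not grant the "Log on as a service" user right by itself; if the service refuses to start afterwards, grant that right to the domain account through Local Security Policy or Group Policy. The Full Control and Read Only permissions on deployment paths, Active Directory and file shares listed in the table still have to be granted separately.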

Enabling Common Access Card Authentication in the User Interface

To configure CAC Secure Mode, complete the following steps:

  1. Install the ProfileUnity Management Console on Windows Server if not previously done.
  2. Log in to the Console.
  3. Hover over your username in the top right corner of the screen.
  4. In the drop-down menu that appears, click the Administration option.
  5. The Administration screen opens with the Settings tab displayed.
  6. Click the Users And Roles tab in the top right corner of the screen.
  7. In the User Management field, make sure that there is an Active Directory user in this list that you can use for the next step. If one does not exist, click the Add User button and create one.
  8. In the Role Management field, enter the Active Directory username and password to serve as the Service Account for Deployment.
  9. Click the Add/Update button.
  10. In the top right corner of the Administration screen, click the Settings tab.
  11. Scroll down to the Miscellaneous section.
  12. Select the Enable CAC Secure Mode checkbox.
  13. Click the Select Certificate Authorities from Local Machine Root field, then pick one or more certificate authorities to use from the drop-down list that appears.
  14. Select the Enable CAC Certificate Revocation List Cache checkbox.
  15. (Optional) Select the Enable Secure Banner Text checkbox, then review the Secure Banner Text and the Secure Login Banner Text fields and make any necessary edits.
  16. Click the Update button in the top right corner of the screen.
  17. Restart the ProfileUnity service.

Troubleshooting Steps

If you see a 403 Forbidden error message, the browser session has not authenticated with a CAC. To resolve this issue, complete the following steps:

  1. Close the current browser and reopen.
  2. Connect to the ProfileUnity console URL.
  3. Select the appropriate certificate.
  4. Enter the PIN when prompted.
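When the steps above still end in a 403, it helps to check from the server side whether the certificate on the card can actually be chained to one of the certificate authorities selected in the Local Machine Root store and whether revocation checking (the check the CRL cache serves) succeeds. The script below is an added example, not part of ProfileUnity; it assumes the user's CAC certificate has been exported to a .cer file whose path is supplied by the operator, and uses the .NET X509Chain class to report the chain status.

```powershell
# Added example, not part of ProfileUnity: explain why a CAC certificate
# might not be accepted. Assumes the certificate was exported to a .cer file
# (placeholder path such as C:\temp\user-cac.cer).
param(
    [Parameter(Mandatory)] [string] $CertPath
)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
"Subject : {0}" -f $cert.Subject
"Issuer  : {0}" -f $cert.Issuer
"Expires : {0}" -f $cert.NotAfter

# Is the issuer present in the Local Machine Root or Intermediate CA store?
# The console's 'Select Certificate Authorities from Local Machine Root' list
# can only offer CAs that are installed there.
$rootMatch = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $cert.Issuer }
$caMatch   = Get-ChildItem Cert:\LocalMachine\CA   | Where-Object { $_.Subject -eq $cert.Issuer }
if (-not $rootMatch -and -not $caMatch) {
    Write-Warning "Issuer not found in LocalMachine Root or CA store; the chain cannot be built."
}

# Build the chain with online revocation checking for every element, and
# require the Client Authentication EKU (id-kp-clientAuth, 1.3.6.1.5.5.7.3.2)
# that smart-card logon certificates carry.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.2')) | Out-Null

if ($chain.Build($cert)) {
    "Chain OK ({0} elements):" -f $chain.ChainElements.Count
    $chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
} else {
    Write-Warning "Chain build failed:"
    # Each status entry names the failing check, e.g. RevocationStatusUnknown,
    # OfflineRevocation, UntrustedRoot, NotTimeValid.
    $chain.ChainStatus | ForEach-Object { "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
}
```

A RevocationStatusUnknown or OfflineRevocation entry points at CRL reachability from the server rather than at the card itself, which is the case the Enable CAC Certificate Revocation List Cache setting is meant to cover; an UntrustedRoot entry means the issuing CA was not among the authorities installed and selected on the server.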

If these steps fail, you might need to disable CAC authentication. To turn off CAC mode for the user interface, stop the ProfileUnity Console service and then run the following command from an Administrator Command Prompt:

"C:\Program Files (x86)\Liquidware Labs\ProfileUnity\profileunity.host.exe" /govmode:false

If the command executes correctly, the following output should appear: