On Behalf Enrollment using MMC
Pre-requisites
Before you proceed with on-behalf enrollment using MMC, ensure that the following pre-requisites are met:
- The On Behalf Connect registry key is enabled. You can manually set the Connect on behalf of the user setting using the Registry Editor.
- Enrollment Agent Certificate is present in the respective user or computer store.
- Smart Card Logon Template is configured for on behalf enrollment for AD users.
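
One way to check the Enrollment Agent Certificate pre-requisite from PowerShell, as an added example that is not part of the original page or the product's own tooling. It assumes the certificate carries the Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1) and sits in the Personal store of the user or computer; the function name is hypothetical.

```powershell
# Added example: find Enrollment Agent certificates in the user and computer
# Personal stores and flag any that cannot be used for on-behalf enrollment.
# Assumption: the agent certificate has the Certificate Request Agent EKU.
$AgentEku = '1.3.6.1.4.1.311.20.2.1'
$Stores   = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'

function Get-EnrollmentAgentCertificate {   # hypothetical helper name
    param(
        [string[]]$StorePath = $Stores,
        [string]$Eku = $AgentEku
    )
    $now = Get-Date
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $Eku } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $_.Subject
                    Issuer        = $_.Issuer
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey
                    # Usable only if the key is present and the validity window covers now.
                    Usable        = $_.HasPrivateKey -and
                                    $_.NotBefore -le $now -and
                                    $_.NotAfter -gt $now
                }
            }
    }
}

$found = @(Get-EnrollmentAgentCertificate)
if ($found.Count -eq 0) {
    Write-Warning 'No Enrollment Agent certificate found in the user or computer Personal store.'
} else {
    $found | Format-Table -AutoSize
    $found | Where-Object { -not $_.Usable } | ForEach-Object {
        Write-Warning "Certificate $($_.Thumbprint) is expired, not yet valid, or has no private key."
    }
}
```

Because an Enrollment Agent certificate can request certificates on behalf of other users, the same listing is useful for confirming that it exists only on the administrator workstations where it is expected.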
Enrolling a User Smart Card
Perform the following steps to enroll a user smart card:
- Right-click the SafeNet IDPrime Virtual Client tray icon and log in as an administrator.
- Right-click the SafeNet IDPrime Virtual Client tray icon and click Connect on Behalf of user.
- On the Connect on behalf of the user window, enter a user name, and click OK.
  The user with the respective card is visible in the systray. Optionally, the administrator can create a new smart card for the user.
- Open the user certificate store, and perform the following steps:
  - In the left pane, click Personal.
  - Right-click Certificates and click All Tasks > Advanced Operations > Enroll On Behalf Of.
- The Certificate Enrollment window is displayed. Perform the following steps:
  - Click Next.
  - Click Next.
  - Click Browse to search and select the certificate and click OK.
  - Click Next.
  - Under Active Directory Enrollment Policy, select the Smart Card Logon Template (for example, OnBehalf_Smartcard Logon).
  - Under Select a user, click Browse to select the user for which card enrollment is to be done, and click Enroll.
- Select the user smart card for enrollment.
- Enter a PIN for the user smart card and click OK.

The user smart card is now enrolled. The newly enrolled certificate is visible in SAC.
Verifying the Enrolled User Smart Card Certificate
Open SafeNet Authentication Client and confirm that the certificate is available for the enrolled smart card.
Testing the Enrolled Card for TLS Authentication
Open any supported application that can use the certificate for a PKI operation. Given below is an example of TLS authentication using Google Chrome.
When TLS authentication is performed, you are prompted to enter your smart card PIN. Enter the PIN and click OK.
TLS authentication should complete successfully.