Advanced Sign-In Authentication
Use the settings in Security > Advanced to configure how administrators sign in to Ivanti Standalone Sentry System Manager. Administrators have the option to log in using password authentication or certificate authentication. Certificate authentication is done by enabling Personal Identity Verification (PIV) or Common Access Card (CAC). Password authentication is enabled by default.
To configure certificate authentication, in the Ivanti Standalone Sentry System Manager, got to Security > Advanced > Sign-In Authentication.
Sign-In Authentication
System Manager administrators are set up as local users in the System Manager in Security > Local Users. They can sign-in to the System Manager using one or both of the following methods:
- Password Authentication: A user name and password
These are the credentials for the local users as set up in the System Manager in Security > Local Users. This authentication method is the default. - Certificate Authentication: An identity certificate from a smart card
Using an identity certificate from a smart card is supported only on desktop computers.
Certificate authentication is also supported in FIPS mode.
Certificates required for certificate authentication
A PEM formatted certificate is required for setting up certificate authentication to System Manager. You must upload the PEM certificate to the Standalone Sentry System Manager. Ensure that the PEM file contains the following:
- The issuing certificate authority (CA) certificate
- The supporting certificate chain
- The Intermediate CA
Ensure that the certificate is a valid certificate that has not expired or has not been revoked.
When users sign in to the Ivanti Standalone Sentry System Manager, they provide an identity certificate from a smart card. The System Manager authenticates the user’s identity certificate against the certificate that you uploaded.
For authentication of local users, set the User ID of the local user to the user identity from the identity certificate.
Certificate attribute mapping used in certificate authentication
When the Sentry local users present an identify certificate for authentication, Sentry authenticates the identity certificate against the issuing CA certificate or certificate chain you uploaded. As part of that authentication, Sentry makes sure the user identity in the identity certificate is a valid Sentry local user.
Therefore, when you upload the certificate used for authenticating Sentry local user's identity certificate, you should configure the Certificate Attribute Mapping section:
- which field from the identity certificate the authentication uses as the user identity. Your choice must match the Subject Alternative Name type you choose for generating the identity certificate. The choices are:
- NT Principal Name
- RFC 822 Name
For the NT Principal Name, Sentry uses the User ID or Email Address in the Subject Alternative Name (SAN) in the identity certificate.
-
The variable in Sentry System Manager to which the identity certificate field is mapped.
- Consider the case in which you specify the NT Principal Name as the field to use from the identity certificate, as the substitution variable to match. Sentry accepts both of the following formats as a match:
- $USERID$
- $EMAIL$
- $EDIPI$ (for CAC only)
Unique identifier for the user. EDIPI is a mandatory credential when configured for CAC. The value is set up in the System Manager in Security > Local Users. This value is for the Department of Defense only.
However, If PIV is selected, then UserID and Email is mandatory configuration.
That is, the NT Principal Name and the substitution variable can have different formats, but match can be done as long as the domain and userid match.
Configuring certificate authentication to the System Manager
You can allow administrators to authenticate to the System Manager with the identity certificate on a smart card.
Before you begin
Have the PEM-formatted issuing CA certificate or certificate chain available to upload to Sentry.
Procedure
-
Log into System Manager.
-
Go to Security > Advanced > Sign-In Authentication.
-
Select Certificate Authentication.
-
Select PIV or CAC, depending on whether the identity certificate to authenticate is on a personal identity verification (PIV) card or common access card (CAC).
-
In Select Certificate Attribute Mapping:
-
In the Map from attribute dropdown, select the user identity type in the identity certificate to use for authenticating the user.
-
In the Map to attribute dropdown, select the variable with which to compare the user identity. If you selected CAC when choosing CAC versus PIV, you must select $EDIPI$.
-
-
Click Upload Issuing CA Certificate to open the Upload Issuing CA Certificate window.
-
Click Choose File, and select the PEM-formatted file that contains either the issuing CA certificate or the supporting certificate chain.
-
Click Upload Certificate > OK.
- Click Apply > OK.