Configuring User-at-Credprov Credential Provider Authentication for an Ivanti Secure Access Client Connection

With a user-at-credprov connection, the Ivanti Secure Access Client establishes the connection before user login, using the credentials collected at the selected credential tile, which provides single sign-on functionality. The connection is then maintained as an active connection on the user’s desktop.

To enable user-at-credprov credential provider support for an Ivanti Secure Access Client connection:

1. Create an Ivanti Secure Access Client connection set for the role (Users > Ivanti Secure Access Client > Connections), and then create a new Ivanti Secure Access Client connection. You can select either a Layer 3 connection type, Ivanti Connect Secure or Ivanti Policy Secure (L3), or a Layer 3 connection type, UAC (802.1X).

2. In the Connection is established section, select "User" for the mode.

3. Under Options, select the Connect automatically and the Enable pre-desktop login (Credential provider) check boxes.

4. For a Layer 2 connection that uses machine certificate authentication, make sure that the connection has an entry in the Trusted Server List. To allow any server certificate, type ANY as the Server certificate DN. To allow only one server certificate, specify the server certificate’s full DN, for example, C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; CN=c4k1.stnh.mycompany.net; [email protected].

5. Specify Realm and Role Preferences to suppress realm or role selection dialogs during the login process:

Preferred User Realm: Specify the realm for this connection. The connection ignores any other realm that is available for the specific login credentials.

The following options let you allow the user to log in using a smart card or a password:

Preferred Smartcard Logon Realm: Preferred realm to be used when the user logs in with a smart card.

Preferred Password Logon Realm: Preferred realm to be used when the user logs in with a password.

Be sure that the authentication realms you specify exist, and that they support the appropriate login credential option.

Preferred User Role Set: Specify the preferred role or the name of the rule for the role set to be used for user authentication. The role or rule name must be a member of the preferred user realm.

If the Ivanti Secure Access Client connection is configured to use a list of Ivanti servers, the preferred roles and realms you specify must be applicable to all of those servers.
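
The following added example (not Ivanti code) checks a Server certificate DN from step 4 against a server certificate's subject before you type it into the Trusted Server List, and reports an ANY entry as one that does not restrict the DN. It assumes the semicolon-separated ATTR=value layout shown in step 4 and a subject in the form returned by Python's ssl.getpeercert(); the function names, the exact, order-insensitive comparison and the sample subject are constructed for illustration and do not represent the client's own matching logic.

```python
# Long attribute names used in ssl.getpeercert()["subject"] -> short DN keys.
SHORT = {
    "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
    "organizationName": "O", "organizationalUnitName": "OU",
    "commonName": "CN", "emailAddress": "E",
}

def parse_dn(text):
    """Split 'C=US; ST=NH; ...' into a sorted list of (ATTR, value) pairs."""
    pairs = []
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"not an ATTR=value component: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return sorted(pairs)

def subject_pairs(subject):
    """Flatten an ssl.getpeercert() subject into sorted (ATTR, value) pairs."""
    return sorted((SHORT.get(name, name).upper(), value)
                  for rdn in subject for name, value in rdn)

def check_entry(entry, subject):
    """Return (status, details); status is 'any', 'match' or 'mismatch'."""
    if entry.strip() == "ANY":
        return "any", ["entry allows any server certificate DN"]
    want, have = parse_dn(entry), subject_pairs(subject)
    if want == have:
        return "match", []
    details = [f"only in entry: {a}={v}" for a, v in want if (a, v) not in have]
    details += [f"only in certificate: {a}={v}" for a, v in have if (a, v) not in want]
    return "mismatch", details

# Constructed sample subject (assumption: mirrors the DN example in step 4).
SAMPLE_SUBJECT = (
    (("countryName", "US"),), (("stateOrProvinceName", "NH"),),
    (("localityName", "Kingston"),), (("organizationName", "My Company"),),
    (("organizationalUnitName", "Engineering"),),
    (("commonName", "c4k1.stnh.mycompany.net"),),
)
FULL_DN = "C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; CN=c4k1.stnh.mycompany.net"

if __name__ == "__main__":
    for entry in ("ANY", FULL_DN, "C=US; ST=NH; O=My Company; CN=c4k1.stnh.mycompany.net"):
        print(entry, "->", check_entry(entry, SAMPLE_SUBJECT))
```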