CAC/PIV Card Authentication
Dispatcher Phoenix Web supports PIV authentication for user login. Dispatcher Phoenix Web takes the User Principal Name (UPN) from the Subject Alternative Name (SAN) field of the client certificate on the CAC/PIV card, searches the LDAP directory for a user with that UPN, and allows or denies access based on what the directory returns. Because IIS checks the card certificate's trust chain before the portal ever sees it, two things must both hold for a login to succeed: the CA that issued the card certificate must be trusted on the server, and the UPN on the card must match a directory account.
Important! To ensure that users are able to log in properly, make sure the following options have been configured for Dispatcher Phoenix prior to enabling PIV authentication:
- Enable LDAP for Dispatcher Phoenix
- Make sure to configure and test your LDAP settings for Dispatcher Phoenix
Caution! Dispatcher Phoenix recommends that any server certificates installed in a production environment be signed by a publicly trusted certificate authority (CA). This applies to the server (SSL) certificates used on the IIS bindings below. The CAC/PIV root certificate imported later in this procedure is different: it comes from the PKI that issued the cards, and installing it makes the server trust the cards, not the other way round.
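The UPN-to-directory lookup described above can be reproduced by hand when a card is rejected, to tell a certificate problem from a directory problem. The following PowerShell script is an added example for this page, not Dispatcher Phoenix code; it assumes the card's PIV Authentication certificate has been exported to C:\Temp\piv-auth.cer (a placeholder path) and that it runs on a domain-joined machine that can query the directory.

```powershell
# Added example (not Dispatcher Phoenix code). Reproduces the lookup the text
# describes: take the UPN from the certificate's SAN, then find that user in AD.
param(
    # Placeholder path: export the PIV Authentication certificate from the card first.
    [string]$CertPath = 'C:\Temp\piv-auth.cer'
)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# 1. Chain check: the issuing CA(s) must be trusted on this machine, which is what the
#    "Trusted Root Certification Authorities" import step later on this page achieves.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning "Chain problem: $($_.Status) - $($_.StatusInformation.Trim())"
    }
}

# 2. Pull the UPN out of the Subject Alternative Name extension (OID 2.5.29.17).
#    The UPN is carried as an otherName of type 1.3.6.1.4.1.311.20.2.3; Windows'
#    own formatter renders that entry as "Principal Name=user@domain".
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) { throw 'Certificate has no Subject Alternative Name extension.' }

$upn = ($san.Format($true) -split "`r?`n" |
        Where-Object { $_ -match 'Principal Name=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() } |
        Select-Object -First 1)
if (-not $upn) { throw 'SAN contains no UPN (Principal Name) entry; login will be denied.' }
Write-Host "UPN from card certificate: $upn"

# 3. Look the UPN up in the directory the way the portal will. The filter value is
#    escaped so a crafted UPN cannot change the meaning of the LDAP query.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}
$filter   = "(&(objectClass=user)(userPrincipalName=$(ConvertTo-LdapFilterValue $upn)))"
$searcher = [adsisearcher]$filter
$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl', 'distinguishedName'))
$result = $searcher.FindOne()

if (-not $result) {
    Write-Warning "No AD user has userPrincipalName '$upn'. Fix the directory (or the card), not the portal."
} else {
    $uac      = [int]$result.Properties['useraccountcontrol'][0]
    $disabled = ($uac -band 0x2) -ne 0      # ADS_UF_ACCOUNTDISABLE
    Write-Host ("Matched {0} ({1}); disabled={2}" -f $result.Properties['samaccountname'][0],
                $result.Properties['distinguishedname'][0], $disabled)
}
```

A chain warning points at the root CA import step later on this page; a "No AD user" warning points at the directory: the UPN on the card must be set as the account's userPrincipalName attribute, not merely as a proxy address or alternate identifier.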
Enabling PIV Authentication in Dispatcher Phoenix Web
To enable and set up PIV authentication, do the following:
- In the IIS Manager, select DPWebPortal under the Sites folder in the “Connections” panel.
- In the “Actions” panel, under the “Edit Site” section, select Bindings….
- Select Add to add a new binding.
- Do the following:
  - Select https from the “Type” dropdown.
  - Enter the port you would like to use (such as 44353).
  - At the bottom, open the SSL Certificate dropdown and select the server certificate issued by your trusted Certificate Authority.
  Important! Make sure the Dispatcher Phoenix server has a server (SSL) certificate, with its private key, issued by a Certificate Authority (CA) whose root certificate is trusted on the server. IIS only lists certificates from the Local Computer personal store that have a private key, so a certificate installed without its key will not appear in the dropdown.
- Select the OK button.
Note: The following steps are only required if you are configuring a CAC/PIV environment. Otherwise, you can continue setup at the next section.
- In the IIS Manager, select DPWebPortalCac under the Sites folder in the “Connections” panel.
- In the “Actions” panel, under the “Edit Site” section, select Bindings….
- Select Add to add a new binding, then do the following:
  - Select https from the “Type” drop-down menu.
  Important! As for the DPWebPortal site, the server needs a CA-issued server (SSL) certificate with its private key installed for it to be offered here.
  - Enter the port you would like to use (such as 44355). Use a different port from the DPWebPortal binding unless the two sites are distinguished by host name.
  - At the bottom, open the SSL Certificate dropdown and select the server certificate issued by your trusted Certificate Authority.
  - Select the Disable TLS 1.3 over TCP checkbox. IIS on Windows does not negotiate client certificates over TLS 1.3, so this is required for client certificate authentication.
  Important! The checkbox appears on Windows Server 2022 and Windows 11. On those systems this step is mandatory: without it, card sign-in fails even when the rest of the configuration is correct.
- Select the OK button.
Updating Windows Firewall to Allow Inbound Connections to Dispatcher Phoenix Web
- Use the Windows search bar to search for Firewall. Open Windows Defender Firewall.
- In the panel on the left, select Advanced Settings.
- In the panel on the left, select Inbound Rules.
- In the Actions panel on the right, select New Rule.
- Select the Port option. Then select the Next button.
- Ensure TCP is selected. Then select the Specific local ports option and enter the ports you configured for the Dispatcher Phoenix Web HTTPS bindings (for example 44353, 44355), separated by a comma.
- Select the Next button.
- Select Allow the connection. Then select the Next button.
- Select the Domain, Private, and Public options. Then select the Next button. Enabling only the profiles the server actually uses (typically Domain on a domain-joined server) is tighter and still lets the portal work; add Private or Public only if clients reach the server over such a network.
- Enter a name for the new Inbound Rule. Then, select the Finish button.
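The binding steps and the firewall steps from the two sections above, as one script. This is an added example and not part of Dispatcher Phoenix; the site names and ports are the ones used on this page, and the certificate thumbprint is a placeholder for your CA-issued server certificate in the Local Computer personal store. Run it in an elevated PowerShell session on the Dispatcher Phoenix server.

```powershell
# Added example (not Dispatcher Phoenix code): the two HTTPS bindings and the
# inbound firewall rule from the steps above, done from an elevated prompt.
Import-Module WebAdministration

# Assumptions: site names and ports as used on this page; the thumbprint is a
# placeholder for the CA-issued server certificate already in Cert:\LocalMachine\My.
$PortalSite = 'DPWebPortal';    $PortalPort = 44353
$CacSite    = 'DPWebPortalCac'; $CacPort    = 44355
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'

$cert = Get-ChildItem "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw 'Server certificate has no private key; IIS cannot use it.' }

foreach ($b in @(@{ Site = $PortalSite; Port = $PortalPort }, @{ Site = $CacSite; Port = $CacPort })) {
    if (-not (Get-WebBinding -Name $b.Site -Protocol https -Port $b.Port)) {
        New-WebBinding -Name $b.Site -Protocol https -Port $b.Port -IPAddress '*'
    }
    # Attach the certificate to the port (this is the "SSL certificate" dropdown in the UI).
    $sslPath = "IIS:\SslBindings\0.0.0.0!$($b.Port)"
    if (Test-Path $sslPath) { Remove-Item $sslPath }
    $cert | New-Item $sslPath | Out-Null
}

# The "Disable TLS 1.3 over TCP" checkbox on the DPWebPortalCac binding is set in
# IIS Manager as described above; this example leaves that step in the UI.

# One inbound rule for both portal ports. Restricting the profile to Domain is
# tighter than the Domain/Private/Public selection in the UI steps; widen it only
# if clients really reach the server over another network type.
$ruleName = 'Dispatcher Phoenix Web (HTTPS)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $PortalPort, $CacPort -Action Allow -Profile Domain | Out-Null
}

# Verify: each port should show the server certificate's thumbprint.
netsh http show sslcert ipport=0.0.0.0:$PortalPort
netsh http show sslcert ipport=0.0.0.0:$CacPort
```

If `netsh http show sslcert` lists a different hash than the one you assigned, another application owns the port binding; pick another port rather than overwriting it.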
Configuring CAC/PIV Authentication in Dispatcher Phoenix Web
- Make sure you have the root CA certificate that issued your users' CAC/PIV authentication certificates. Copy the certificate file to the Desktop on your Dispatcher Phoenix server. If the card certificates are issued by an intermediate CA, have that certificate available as well: IIS must be able to build the full chain from the card certificate to a trusted root, and an intermediate CA certificate belongs in the Intermediate Certification Authorities store, not the root store.
- In the Windows search bar, search for “Manage computer certificates” and open the Certificate Manager.
- In the “Certificates - Local Computer” area on the left, expand Trusted Root Certification Authorities.
- Right-click Certificates and select Import.
- This will open the Certificate Import Wizard. Click Next.
- Select the Browse button. Use the browser to select the Root CA Certificate from your desktop. Then, click Next.
- Select the Place all certificates in the following store option.
- Browse and select Trusted Root Certification Authorities.
- Select the Next button and continue importing the certificate. Close the Certificate Manager.
- Using Windows File Explorer, navigate to C:\Program Files\Konica Minolta\Dispatcher Phoenix Web.
- Open the piv-auth.json file in a text editor.
- Make the following changes:
  - Change the “enable” value from “no” to “yes”.
  - In the “signinMode” field, do one of the following:
    - Set the value to “dual”, which allows end users to log in to Dispatcher Phoenix Web with either their AD credentials or their CAC/PIV card.
    - Set the value to “card”, which allows end users to log in only with their CAC/PIV card. You can also edit the “signinLabel” field to change the label of the CAC/PIV sign-in button.
  - Change the “host” value to the IP address of your Dispatcher Phoenix server and the “port” value to the port you assigned to the DPWebPortalCac site in IIS. If no port needs to be specified to reach the DPWebPortalCac site (for example, the site is configured with a real host name on the default HTTPS port), enter a value of 0. This host and port is where users' browsers are sent for card sign-in, so it must be reachable from their workstations, not only from the server itself.
The file should look something like this:

    {
      "pivAuth": {
        "enable": "yes",
        "signinMode": "dual",
        "signinLabel": "Sign in with PIV / CAC Card",
        "host": "10.10.220.40",
        "port": 44355
      }
    }
- Save and close the file.
- Launch the IIS Manager.
- Select the server name in the “Connections” panel on the left side.
- Under the “Management” section, double-click the Configuration Editor.
- Open the Section dropdown at the top of the window and navigate to system.webServer > security > access, as in the following illustration.
- In the “Actions” panel on the right, expand the Section dropdown and select Unlock Section.
- Open the Section dropdown again and navigate to system.webServer > security > authentication > anonymousAuthentication, as in the following illustration.
- In the “Actions” panel on the right, expand the Section dropdown and select Unlock Section.
- In the IIS Manager, select DPWebPortalCac under the Sites folder in the “Connections” panel.
- Double-click SSL Settings.
- Select the Require SSL checkbox and then the Require client certificates option. Accept is not sufficient: with Accept, a browser that presents no certificate is still passed through to the application.
- Select Apply in the “Actions” panel on the right.
- With the DPWebPortalCac site still selected, select the “error-pages” folder on the left. Then, double-click SSL Settings.
- Select Ignore client certificates and deselect the Require SSL option. This exempts only the error pages, so a user whose card is rejected still receives a readable error page instead of a failed connection.
- Select Apply in the “Actions” panel on the right.
- Select the DPWebPortalCac site under the Sites folder in the “Connections” panel.
- Double-click Authentication.
- Select Anonymous Authentication. Then, select Enable in the “Actions” panel on the right. Anonymous here means IIS does not perform Windows authentication itself; the client certificate requirement set above still gates every request outside error-pages, and the portal performs the UPN-to-directory mapping.
- Now, select the root IIS server, and select Restart in the “Actions” panel on the right.
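The whole "Configuring CAC/PIV Authentication" procedure above (root CA import, the piv-auth.json edit, the two section unlocks, the SSL settings on the site and its error-pages folder, anonymous authentication, restart) as a script. This is an added example, not Dispatcher Phoenix code; the root CA file name is a placeholder, while the site name, configuration file path, JSON keys and sample host and port are those shown on this page. Run it in an elevated PowerShell session on the Dispatcher Phoenix server.

```powershell
# Added example (not Dispatcher Phoenix code): the "Configuring CAC/PIV Authentication"
# steps above as a script. Run from an elevated prompt on the Dispatcher Phoenix server.
Import-Module WebAdministration

# Assumptions: the root CA file name is a placeholder; site name, config path, JSON
# keys, host and port are the values used on this page.
$RootCaFile = "$env:USERPROFILE\Desktop\piv-root-ca.cer"
$ConfigFile = 'C:\Program Files\Konica Minolta\Dispatcher Phoenix Web\piv-auth.json'
$CacSite    = 'DPWebPortalCac'
$ServerHost = '10.10.220.40'
$CacPort    = 44355

# 1. Trust the CA that issued the users' CAC/PIV certificates. The root goes into
#    Root; any intermediate CA certificates belong in CA (Intermediate), otherwise
#    IIS cannot build the chain and rejects the card with HTTP 403.16.
Import-Certificate -FilePath $RootCaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 2. Enable PIV sign-in in piv-auth.json without disturbing other settings in the file.
$cfg = Get-Content $ConfigFile -Raw | ConvertFrom-Json
$cfg.pivAuth.enable      = 'yes'
$cfg.pivAuth.signinMode  = 'dual'     # or 'card' for card-only sign-in
$cfg.pivAuth.signinLabel = 'Sign in with PIV / CAC Card'
$cfg.pivAuth.host        = $ServerHost
$cfg.pivAuth.port        = $CacPort   # 0 if the CAC site is reachable without a port
Copy-Item $ConfigFile "$ConfigFile.bak" -Force
$cfg | ConvertTo-Json -Depth 5 | Set-Content $ConfigFile -Encoding UTF8

# 3. Unlock the two configuration sections so the site can override them.
foreach ($section in 'system.webServer/security/access',
                     'system.webServer/security/authentication/anonymousAuthentication') {
    Set-WebConfiguration -Filter $section -PSPath 'IIS:\' -Metadata overrideMode -Value Allow
}

# 4. Require SSL and a client certificate on the CAC site, but not on its error pages
#    (so a user whose card is rejected still gets a readable error).
Set-WebConfigurationProperty -Filter system.webServer/security/access -Name sslFlags `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert' -PSPath 'IIS:\' -Location $CacSite
Set-WebConfigurationProperty -Filter system.webServer/security/access -Name sslFlags `
    -Value 'None' -PSPath 'IIS:\' -Location "$CacSite/error-pages"

# 5. Anonymous authentication on: IIS only enforces the certificate; the portal does
#    the UPN-to-LDAP mapping itself.
Set-WebConfigurationProperty -Filter system.webServer/security/authentication/anonymousAuthentication `
    -Name enabled -Value $true -PSPath 'IIS:\' -Location $CacSite

# 6. Restart IIS and confirm the effective setting on the site.
iisreset | Out-Null
(Get-WebConfigurationProperty -Filter system.webServer/security/access -Name sslFlags `
    -PSPath 'IIS:\' -Location $CacSite).Value
```

The last line should print `Ssl, SslNegotiateCert, SslRequireCert`. If it prints `None` or the `Set-WebConfigurationProperty` call errors with a locked-section message, step 3 did not take effect; rerun it and check that the server-level applicationHost.config is writable.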
Testing CAC/PIV Authentication Using Dispatcher Phoenix Web
To confirm that setup and configuration succeeded, navigate to Dispatcher Phoenix Web over HTTPS on the DPWebPortal port, 44353 in this example; the URL looks like “https://your-ip-address:44353”. With “signinMode” set to dual, the user can sign in either with a username and password or with the Sign in with CAC/PIV Card button, as in the following illustration:
If you have set “signinMode” to card, Sign in with CAC/PIV Card is the only option, as in the following illustration:
Selecting the button uses the host and port from piv-auth.json to reach the DPWebPortalCac site; the browser prompts for a certificate from the inserted card and then for the card PIN. If the browser instead shows an HTTP 403 error, check the substatus in the site's IIS log: 403.7 means no client certificate was presented, 403.16 means the certificate chain is not trusted on the server (recheck the root CA import), and 403.13 means the certificate is revoked.
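A scripted version of the test above, checking from a workstation that the main portal answers without a client certificate and that the CAC site refuses a request that carries none. This is an added example, not Dispatcher Phoenix code; the host and ports are the sample values used on this page, and the card certificate selection is a heuristic (first Client Authentication certificate with a private key in the user's store) that may need adjusting.

```powershell
# Added example (not Dispatcher Phoenix code): quick behavioural checks of the two
# sites after configuration. Host and ports are the sample values from this page.
$ServerHost = '10.10.220.40'

function Test-Endpoint {
    param(
        [string]$Uri,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ClientCert
    )
    try {
        $params = @{ Uri = $Uri; UseBasicParsing = $true; TimeoutSec = 10 }
        if ($ClientCert) { $params.Certificate = $ClientCert }
        $r = Invoke-WebRequest @params
        return "HTTP $($r.StatusCode)"
    } catch {
        # Non-2xx responses surface as exceptions; report the status if there is one.
        $resp = $_.Exception.Response
        if ($resp) { return "HTTP $([int]$resp.StatusCode)" }
        return $_.Exception.Message
    }
}

# The main portal must answer without a client certificate (expect HTTP 200).
Test-Endpoint "https://${ServerHost}:44353/"

# The CAC site must refuse a request that carries no client certificate. Expect HTTP 403
# (IIS substatus 403.7, "client certificate required") rather than a sign-in page.
Test-Endpoint "https://${ServerHost}:44355/"

# With a card inserted, its PIV Authentication certificate appears in the user's
# personal store. Presenting it should be accepted; Windows will prompt for the PIN.
$cardCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') } |
    Select-Object -First 1
if ($cardCert) { Test-Endpoint "https://${ServerHost}:44355/" $cardCert }
```

If the second check returns HTTP 200, the Require client certificates setting on DPWebPortalCac did not apply (or applied only to error-pages); if the third check returns 403 with a card present, compare the card's issuer against the root CA imported on the server.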