PIV/CAC Card Authentication
Dispatcher Phoenix Web supports the use of PIV Authentication for user login. Dispatcher Phoenix Web uses the User Principal Name (UPN) taken from the Subject Alternative Name (SAN) field of the Client Certificate from the PIV/CAC Card to search for a user in the LDAP Directory and allow or deny access based on the information found.
Important! To ensure that users are able to log in properly, make sure the following options have been configured for Dispatcher Phoenix before enabling PIV authentication:
- Enable LDAP for Dispatcher Phoenix
- Make sure to configure and test your LDAP settings for Dispatcher Phoenix
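The lookup described at the top of this page (UPN taken from the certificate's SAN, then a directory search) can be reproduced offline when testing LDAP settings. The following Python is an added example, not Konica Minolta's code: the `userPrincipalName` attribute, the function names and the sample SAN bytes are assumptions, and it goes slightly beyond the text by rejecting a SAN that carries zero or several UPN entries.

```python
UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN otherName)

def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the DER element starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("invalid DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:off + length], off + length

def upn_from_san(san_der):
    """Return the single UPN in a SubjectAltName value; reject none or several."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName is not a SEQUENCE")
    upns, off = [], 0
    while off < len(names):
        tag, body, off = read_tlv(names, off)
        if tag != 0xA0:  # skip rfc822Name, dNSName, ...; only otherName [0] matters
            continue
        t, oid, nxt = read_tlv(body, 0)
        if t != 0x06 or oid != UPN_OID:
            continue
        _, wrapped, _ = read_tlv(body, nxt)  # [0] EXPLICIT wrapper around the value
        t, value, _ = read_tlv(wrapped, 0)
        if t == 0x0C:  # UTF8String
            upns.append(value.decode("utf-8"))
    if len(upns) != 1:
        raise ValueError("expected exactly one UPN, found %d" % len(upns))
    return upns[0]

def ldap_filter(upn):
    """Escape filter metacharacters (RFC 4515) before the value enters a filter."""
    esc = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in upn)
    return "(userPrincipalName=%s)" % esc  # attribute name is an assumption

def tlv(tag, body):  # builder for the constructed sample below (short lengths only)
    return bytes([tag, len(body)]) + body
# Constructed sample: a SAN holding an rfc822Name and a UPN otherName.
SAMPLE_SAN = tlv(0x30, tlv(0x81, b"john.doe@example.test") + tlv(
    0xA0, tlv(0x06, UPN_OID) + tlv(0xA0, tlv(0x0C, b"jdoe@example.test"))))
print(ldap_filter(upn_from_san(SAMPLE_SAN)))
```

The resulting filter can be pasted into any LDAP query tool to confirm that the directory returns exactly one account for the cardholder's UPN.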
Enabling PIV Authentication in Dispatcher Phoenix Web
Dispatcher Phoenix Web supports PIV Authentication for customers. In order to enable and set up PIV Authentication, do the following:
- Launch the IIS Manager.
- Select the server name in the “Connections” panel on the left side.
- Under the “Management” section, double-click the Configuration Editor.
- Open the Section dropdown, located at the top of the window. Navigate to system.webServer > security > access, as in the following illustration:
- In the “Actions” panel on the right, expand the Section dropdown and select Unlock Section.
- Open Windows file explorer and navigate to C:\Program Files\Konica Minolta\Dispatcher Phoenix Web\wwwroot.
- Open the web.config file in a text editor.
- Remove the opening (<!--) and closing (-->) XML comment tags at the end of the file, and save the file. See the following illustration:
- Using Windows file explorer, navigate to C:\Program Files\Konica Minolta\Dispatcher Phoenix Web.
- Open the piv-auth.json file in a text editor.
- Change the “enable” value from no to yes, and save the file. See the following illustration.
Note: For the “signinMode” field, you can either set the value to dual, which allows end users to log in to Dispatcher Phoenix Web using both their AD Credentials and their PIV/CAC Card, or card, which allows end users to log in using only their PIV/CAC Card. You can also edit the “signinLabel” field to change the label of the PIV/CAC sign in button.
- In the IIS Manager, select DPWebPortal under the Sites folder in the “Connections” Panel.
- In the “Actions” panel, under the “Edit Site” section, select Bindings…
- Select the HTTPS Port (Port 44353), and then click Edit.
- At the bottom, select the SSL Certificate dropdown and select the signed SSL Certificate you are going to be using.
Important! Make sure the Dispatcher Phoenix server has an SSL Root level CA Certificate that has been signed by a Certificate Authority (CA).
- Open your web browser and navigate to Dispatcher Phoenix Web using the HTTPS protocol and port 44353. For example, the URL would look like “https://your-ip-address:44353”. With the “signinMode” set to dual, the user will be able to sign in with a Username and Password or “Sign in with PIV/CAC Card”, as in the following illustration:
If you have set the “signinMode” value to card, the option to “Sign in with PIV/CAC Card” will be the only option, as in the following illustration: