You may need administrative rights to configure the application.
Use the login screen settings to set how you want users to log in to the printer.
From the Embedded Web Server, navigate to the configuration page for the application:
Apps > Smart Card Authentication Client > Configure
From the Login Screen section, select the login type.
In the User Validation Mode menu, select the method for validating user certificates.
Active Directory—The user certificate on the smart card is validated using Kerberos authentication. This setting may require LDAP lookups.
Active Directory with guest access—Users who have smart cards but are not in the Active Directory can access some of the printer functions. A properly configured Online Certificate Status Protocol (OCSP) server is required. If the Active Directory authentication fails, then the application queries the OCSP server.
Pin-Only—Users can access only the applications or functions that do not require Kerberos authentication.
In the Validate Smart Card menu, select the method for authenticating users after tapping a smart card.
If necessary, allow users to change the login method.
Click Apply.
For manual login, the printer uses the default domain specified in the Kerberos configuration file. If you use a different domain, then specify the domain name in the manual login settings.
From the Embedded Web Server, navigate to the configuration page for the application:
Apps > Smart Card Authentication Client > Configure
From the Manual Login Setup section, in the Manual Login Domains field, type one or more domains.
Click Apply.
Note: Make sure that the network connection between the printer and the authenticating server is configured properly. For more information, contact your system administrator.
From the Embedded Web Server, navigate to the configuration page for the application:
Apps > Smart Card Authentication Client > Configure
From the Smart Card Setup section, in the Kerberos Information menu, select either of the following:
Use device Kerberos setup file—A Kerberos configuration file must be installed on the printer manually. Do the following:
From the Embedded Web Server, click Settings > Security > Login Methods.
From the Network Accounts section, click Add Login Method > Kerberos.
From the Import Kerberos File section, browse to the appropriate krb5.conf file.
If your network does not use reverse DNS lookup, then from the Miscellaneous Settings section, select Disable Reverse IP Lookups.
Click Save and Verify.
Use simple Kerberos setup—A Kerberos file is created on the printer automatically. Specify the following:
Realm—The realm must be typed in uppercase.
Domain Controller—Use commas to separate multiple values. The domain controllers are validated in the order listed.
Domain—The domain that must be mapped to the Kerberos realm specified in the Realm field. Use commas to separate multiple domains.
Note: The domain is case sensitive.
Timeout—Enter a value from 3 to 30 seconds.
In the Domain Controller Validation menu, select the method for validating the domain controller certificate.
Note: Before configuring this setting, make sure that the appropriate certificates are installed on the printer. For more information, see Installing certificates manually.
Use device certificate validation—The CA certificate that is installed on the printer is used.
Use device chain validation—The entire certificate chain that is installed on the printer is used.
Use OCSP validation—The OCSP server is used. The entire certificate chain must be installed on the printer. From the Online Certificate Status Protocol (OCSP) section, configure the following:
Responder URL—The IP address or host name of the OCSP responder or repeater, and the port number used. Use commas to separate multiple values.
For example,
, where is the IP address or host name, and is the port number.
Responder Certificate—The X.509 certificate is used.
Responder Timeout—Enter a value from 5 to 30 seconds.
Allow Unknown Status—Users can log in even if the status of one or more certificates is unknown.
Click Apply.
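The Python example below is added here for illustration; it is not the vendor's code and not the file the printer generates. It checks the simple Kerberos setup fields against the limits stated above and shows how Realm, Domain Controller, and Domain would map onto a standard MIT-style krb5.conf of the kind imported under "Use device Kerberos setup file". The function names, the EXAMPLE.COM realm, the host names, and the section mapping itself are assumptions.

```python
def split_csv(value):
    """Split a comma-separated field, keeping the order as typed."""
    return [item.strip() for item in value.split(",") if item.strip()]


def render_krb5_conf(realm, domain_controllers, domains, timeout):
    """Check the simple-setup fields and render an equivalent krb5.conf.

    Hypothetical helper: the page does not show the file the printer
    creates, so the layout below is the conventional MIT krb5.conf one.
    """
    if not realm or realm != realm.upper():
        raise ValueError("Realm must be typed in uppercase")
    if not 3 <= timeout <= 30:
        raise ValueError("Timeout must be from 3 to 30 seconds")

    lines = [
        "[libdefaults]",
        # The default realm is what a manual login falls back to when
        # no domain is given in the Manual Login Domains field.
        f"    default_realm = {realm}",
        "",
        "[realms]",
        f"    {realm} = {{",
    ]
    # One kdc line per domain controller, in the order listed.
    lines += [f"        kdc = {kdc}" for kdc in split_csv(domain_controllers)]
    lines += ["    }", "", "[domain_realm]"]
    for domain in split_csv(domains):
        bare = domain.lstrip(".")  # case is kept exactly as typed
        lines.append(f"    {bare} = {realm}")   # the host with this exact name
        lines.append(f"    .{bare} = {realm}")  # every host inside the domain
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values.
    print(render_krb5_conf("EXAMPLE.COM",
                           "dc1.example.com, dc2.example.com",
                           "example.com", 10))
```
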
From the Embedded Web Server, navigate to the configuration page for the application:
Apps > Smart Card Authentication Client > Configure
From the Advanced Settings section, select a session user ID.
Note: Some applications, such as Secure Held Print Jobs and Secure E-mail, require a value for the session user ID.
In the E-mail From Address menu, select where the printer retrieves the user e-mail address.
If necessary, select Wait for user information to retrieve all user information before the user is allowed to access the home screen or secure application.
If the following settings are set to LDAP Lookup, then select this option.
Session User ID
E-mail From Address
If the following settings are not empty, then select this option.
Other User Attributes
Group Authorization List
Note: If you are using manual login for Secure E-mail, then select this option to store the user e-mail address in the login session. To allow manual login users to send e-mail to themselves, enable “Send me a copy” in the printer e-mail settings.
If necessary, select Use SSL for User Info to retrieve user information from the domain controller using an SSL connection.
If necessary, in the Other User Attributes field, type other LDAP attributes that must be added to the session. Use commas to separate multiple values.
In the Group Authorization List, type the Active Directory groups that can access applications or functions. Use commas to separate multiple values.
Note: The groups must be in the LDAP server.
If DNS is not enabled in your network, then upload a hosts file.
Type the mappings in the text file in the format of
, where is the IP address and is the host name. You can assign multiple host names to an IP address. For example, . You cannot assign multiple IP addresses to a host name. To assign IP addresses to groups of host names, type each IP address and its associated host names on a separate line of the text file.
For example:
Click Apply.
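The Python example below is added here and is not part of the original guide. It checks a hosts file before upload against the two rules above: each line carries one IP address with one or more host names, and no host name is assigned to more than one IP address. The whitespace-separated layout, the case-insensitive host name comparison, the function name, and the sample addresses are assumptions; the sample file is constructed.

```python
import ipaddress

# Constructed sample: line 3 reuses a host name for a second IP address,
# line 4 does not start with an IP address, line 5 has no host name.
SAMPLE_HOSTS = """\
192.0.2.10 dc1.example.com dc1
192.0.2.11 dc2.example.com
192.0.2.12 dc1.example.com
not-an-ip ocsp.example.com
192.0.2.13
"""


def check_hosts_file(text):
    """Return (mappings, errors) for hosts-file text.

    mappings: lower-cased host name -> IP address of its first mapping.
    errors:   one message per line that breaks a rule.
    """
    mappings = {}
    errors = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields:
            continue  # blank line
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"line {lineno}: '{ip}' is not an IP address")
            continue
        if not names:
            errors.append(f"line {lineno}: no host name after {ip}")
            continue
        for name in names:
            # Several names per IP address are allowed; a name that
            # already points at a different IP address is not.
            previous = mappings.setdefault(name.lower(), ip)
            if previous != ip:
                errors.append(
                    f"line {lineno}: {name} is already mapped to {previous}")
    return mappings, errors


if __name__ == "__main__":
    for message in check_hosts_file(SAMPLE_HOSTS)[1]:
        print(message)
```
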