Configure CAC/PIV Authentication Settings
- From the Navigation tree, select [CAC/PIV] → [CAC/PIV Authentication Settings] to view the settings described in the tables below.
The CAC/PIV options on the Configuration menu appear only after a CAC/PIV device license has been activated. You may need to restart your browser and log back into Streamline NX after you apply the licenses.
- Once your changes are complete, click [Save].
General Settings
Setting | Options |
---|---|
Authentication Method | Supported authentication methods are: |
Active Directory Settings
Setting | Options |
---|---|
Device Login Name | Select the user login type that will be used to authenticate against CAC: |
Retrieve User’s Home Folder | Enable this option to retrieve the User Home directory from Active Directory. |
OCSP/SCVP Settings
These options are available only if you selected OCSP or SCVP as the Authentication Method under General Settings. For these settings, you do not need to specify the port number when the default is used.
Setting | Options |
---|---|
Primary Validation Authority URL | Enter the URL of the primary validation authority. |
Secondary Validation Authority URL | Enter the URL of the secondary validation authority. |
Proxy URL | Enter the URL of the optional proxy server. |
Email Address Settings
Setting | Description |
---|---|
Retrieve user’s email address | Email addresses can be retrieved either from the CAC/PIV Card or from Active Directory. The default setting is From Card. |
Home Folder UNC Mapping
Setting | Description |
---|---|
Redirection Rules | 1 or more lines of key=value strings (described below) |
Redirection Test | This allows you to verify a redirection rule result, given the data in the Redirection Rules input field and a home folder string in the Candidate Folder input field. |
UNC Redirection configuration consists of a set of redirection rules: 1 or more lines of key=value strings. An individual rule is a single line consisting of a key, presented as a DOS/UNC formatted pathname, and a value, presented as an SMB URI, separated by =. For instance, a configuration of two rules might look like:
\\hostname\share1\=smb://hostname2/Share2/pathname/
C:\hostname\othershare\pathname\=smb://hostname3/pathname2/
Spaces are significant in both the key and the value components.
The process of rewriting first starts with matching: a case-insensitive substring match of the home folder and the key of a rule. If there is a match, a new temporary home folder is created and used instead of the original home folder. No subsequent modifications are made to the temporary home folder. Specifically, if the configuration has a DNS domain setting, it will not be appended to any hostname portion of a home folder if a match is found.
If there is no match, the original home folder is used as if there had been no home folder redirection rules at all.
For example, given the two rules above, if a user's assigned home folder is \\HOSTNAME\Share\Homes\MyHome\, the first rule will match because \\hostname\share\ matches exactly (ignoring case) the first part of \\hostname\share1\. A temporary home folder will be constructed using the rule value (smb://hostname2/Share2/pathname/) with the part of the original home folder that does not match (ignoring case) the key (Homes\MyHome\). The temporary home folder would be: smb://hostname2/Share2/pathname/Homes/MyHome/. Note that the case is preserved, but not significant.
Given an assigned home folder of \\Hostname.tld\Share2\, this would not match any of the keys, and the temporary home folder is simply the original one.
Notes
The temporary home folder is determined on initial login. If a change is made to the rules, a user has to log out and log in again before the new rules are applied.
There is no validation of the redirection rules. Consequences:
- A rule key will not be verified to be a DOS/UNC formatted pathname
- A rule value will not be verified to be an SMB URI
- There is no check for duplicate rule keys. The application has been designed to return the first rule that matches.
- The derived temporary home folder is not verified to exist on the network.
Since there is no rule validation, any issues with the redirection would only occur when the copy-to-folder was attempted (and there could be several reasons why a copy does not work). Therefore, there is a Test Redirection function on the configuration screen that will apply the rewrite matching functionality and display the result.
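An added example, not from the product or its documentation: a pre-flight linter for the checks listed above as not performed, together with a rewrite function to preview results. It assumes a match means the rule key is a case-insensitive prefix of the home folder and that backslashes in the unmatched remainder become forward slashes, as in the worked example above; the sample rules and all function names are constructed.

```python
import re

# Shapes the page names: DOS/UNC pathname keys and SMB URI values.
KEY_RE = re.compile(r"^(?:\\\\[^\\/]+\\[^\\/]+|[A-Za-z]:\\)")
VALUE_RE = re.compile(r"^smb://[^/\s]+/")
# Constructed sample rules (illustrative only, not from a real deployment).
SAMPLE = "\n".join([
    r"\\hostname\share\=smb://hostname2/Share2/pathname/",
    r"\\HOSTNAME\SHARE\=smb://hostname9/other/",    # same key, different case
    r"hostname\share3=http://hostname3/pathname2/",  # bad key and bad value
])

def parse_rules(text):
    """Split each line on the first '='; spaces are kept because they are significant."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        if line:
            key, sep, value = line.partition("=")
            rules.append((n, key, value if sep else None))
    return rules

def lint_rules(text):
    """Return (line, message) findings for checks the page says are not performed."""
    findings, seen = [], {}
    for n, key, value in parse_rules(text):
        if value is None:
            findings.append((n, "no '=' separator"))
            continue
        if not KEY_RE.match(key):
            findings.append((n, "key is not a DOS/UNC pathname"))
        if not VALUE_RE.match(value):
            findings.append((n, "value is not an SMB URI"))
        if key != key.strip() or value != value.strip():
            findings.append((n, "leading or trailing space is significant"))
        first = seen.setdefault(key.lower(), n)  # matching ignores case
        if first != n:
            findings.append((n, f"shadowed by line {first} (first match wins)"))
    return findings

def redirect(text, home_folder):
    """Assumed matching: the key is a case-insensitive prefix of the home folder."""
    for _, key, value in parse_rules(text):
        if value is not None and home_folder.lower().startswith(key.lower()):
            return value + home_folder[len(key):].replace("\\", "/")
    return home_folder  # no match: original folder is used unchanged

if __name__ == "__main__":
    print(lint_rules(SAMPLE))
    print(redirect(SAMPLE, "\\\\HOSTNAME\\Share\\Homes\\MyHome\\"))
```

Running the linter on a rule set before pasting it into the Redirection Rules field catches shadowed or malformed rules that would otherwise only show up as a failed copy-to-folder.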