Requirements:
Setting up CAC authentication on the ProfileUnity console requires the hot fix for the new ProfileUnity Console as well as client tools (See below links for files, requirements).
It also assumes CAC is already up and running on the ProfileUnity server for login and software such as "Install Root", "Desktop Validator", "Active Client" are installed.
Make sure all certificates that are needed for those logging into the ProfileUnity console are installed on the server. These will show up later in the UI as options for selection.
Console links and notes:
Until 6.8.5 you will need to use this version of the 6.8.4 console. This is a full console installer and can be installed on top of 6.8.4 GA build.
https://www.liquidware.com/support/articles/360033876051-ProfileUnity-Hot-fix-List
Notes:
- Review the README txt file in hotfix for instructions on installing the new hotfix.
- Adds support for service accounts denied the "login interactively" privilege in conjunction with CAC-enforced logins to the ProfileUnity web console. (Requires the service account be manually set on the ProfileUnity service)
Process to complete:
Initial Steps for completion before enabling CAC in UI:
- Log into the ProfileUnity Server
- Warning -Once you enable CAC mode in UI the local ProfileUnity admin account will no longer work for login. You should pre-seed" the account for login under Users and Roles in administration. Add the user and password and link to ldap.
- Stop Liquidware Labs ProfileUnity Service and set it to a domain account.
- Add this domain account to the Local Administrators groups on the ProfileUnity server. This account will also need correct ACL's to the "INI" path if you decide to use UI to deploy the "INI" versus a manual download and copy to path process.
- Restart the Liquidware Labs ProfileUnity Service
Turning on CAC mode on the ProfileUnity console
- Open up the ProfileUnity console
- Go to administration on top right under your logged in name.
- Scroll down to to the MISC section and select enable CAC mode.
- You'll see the following message.
- Make sure to select ALL the CA’s that are part of the certificate chain for user’s CAC cards are selected from the local Machine root. Certificates you have added to the system should show up in the drop down list.
4. Optional - Add Secure Banner Text for use at login to UI.
5. Click update to lock in changes.
Troubleshooting UI if some steps were done incorrectly or unclear.
If you see a 403 Forbidden error message, you are not authenticated with a CAC card.
- Close the current browser and reopen.
- Connect to the ProfileUnity console URL.
- Select the appropriate certificate
- Enter the PIN when prompted.
If these steps fail, you may need to disable CAC authentication.
To turn off CAC mode in UI you can do this by running the following command in a Administrator CMD.
If executed properly the return would look like this.
Additional Resources / Information:
As of this hotfix version of the ProfileUnity console you no longer need to adhere to these limitations
Best Practices for Highly Secured Desktop Environments
Product: ProfileUnity
Product Version: 6.8.4 GA