FIM CM enrol a smart card so the PIN is blocked

  • Question

  • Is it possible to enrol a smart card and to configure the user PIN to be blocked using FIM CM?

    I am implementing a centralised registration model and want to issue cards in a blocked state. The intention is to get the user to perform an offline unblock through a call to the help desk from their Windows 7 workstations. For reference the smart cards are Gemalto .Net.

    Steve G

    Tuesday, November 20, 2012 9:23 AM

Answers

  • On Tue, 20 Nov 2012 14:08:38 +0000, Steven Griffiths wrote:

    Thanks, Paul.

    This is how I have the profile template currently configured, but the card isn't in a blocked state. The behaviour I'm after is for the user to enter a single random PIN and be told that the smart card is blocked. On Windows 7 this will then force the credential manager (or whatever it is called) to display a challenge that can be provided to the help desk so that the card can be unblocked using the Offline Unblock policy.

    I suppose I could ask the users just to keep entering a random PIN until the card is blocked (or they guess the correct random PIN, which I'm sure should make them eligible for a large cash prize!), but I was hoping to minimise their effort. However, if there's no other way, I'm happy to tell the users to keep entering a random PIN until they get the challenge, upon which they should call the help desk.

    Yeah, there's no way to do that since FIM CM has no knowledge of whether or
    not the card is actually blocked. Perhaps you could have whomever is
    creating the card block it using the PIN Tool.


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    Remember the good old days, when CPU was singular?

    Tuesday, November 20, 2012 2:36 PM
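The point Paul makes, that the CMS has no way of knowing the retry counter state because it lives on the card, is easier to see with a small model. The following is an added example written for this page; it is not thread code, FIM CM code or Gemalto .NET firmware. It assumes a retry limit of 3 and uses a truncated HMAC-SHA256 as a stand-in for the card's real admin-key challenge/response algorithm; the PIN Tool step from the answer is modelled as exhausting the counter at the issuing station with a PIN that cannot match.

```python
import hashlib
import hmac
import secrets


class CardPinState:
    """Constructed toy model of the PIN state held on the card itself
    (not Gemalto .NET firmware and not FIM CM code): a user PIN, a retry
    counter and an admin key used for offline challenge/response unblock.
    The CMS never sees retries_left, which is why it cannot issue a card
    'blocked' through the profile template alone."""

    def __init__(self, admin_key: bytes, max_retries: int = 3):
        self.admin_key = admin_key            # known to the help desk only
        self.max_retries = max_retries        # assumed retry limit
        self.retries_left = max_retries
        self.pin = None
        self.pending_challenge = None

    def enrol(self, pin: str) -> None:
        """Personalisation step: set the (randomised) user PIN."""
        self.pin = pin
        self.retries_left = self.max_retries

    @property
    def blocked(self) -> bool:
        return self.retries_left == 0

    def verify_pin(self, attempt: str) -> bool:
        """Each wrong attempt decrements the counter; at zero the card is blocked."""
        if self.blocked:
            return False
        if hmac.compare_digest(attempt.encode(), self.pin.encode()):
            self.retries_left = self.max_retries
            return True
        self.retries_left -= 1
        return False

    def get_challenge(self) -> bytes:
        """What the workstation shows the user once the card reports blocked."""
        self.pending_challenge = secrets.token_bytes(8)
        return self.pending_challenge

    def unblock(self, response: bytes, new_pin: str) -> bool:
        """Offline unblock: accept only a response keyed on the admin key."""
        if self.pending_challenge is None:
            return False
        expected = _respond(self.admin_key, self.pending_challenge)
        self.pending_challenge = None          # single use, match or not
        if not hmac.compare_digest(response, expected):
            return False
        self.pin = new_pin
        self.retries_left = self.max_retries
        return True


def _respond(admin_key: bytes, challenge: bytes) -> bytes:
    # HMAC-SHA256 truncated to 8 bytes stands in for the card's real admin-key scheme.
    return hmac.new(admin_key, challenge, hashlib.sha256).digest()[:8]


def helpdesk_response(admin_key: bytes, challenge_hex: str) -> bytes:
    """Help desk side: the user reads the challenge out, receives the response back."""
    return _respond(admin_key, bytes.fromhex(challenge_hex))


def issue_blocked_card(admin_key: bytes, max_retries: int = 3) -> CardPinState:
    """Centralised issuance as the thread wants it: enrol a random PIN nobody
    records, then exhaust the retry counter at the issuing station (the manual
    step the PIN Tool suggestion covers)."""
    card = CardPinState(admin_key, max_retries)
    card.enrol(f"{secrets.randbelow(10**8):08d}")   # 8-digit random PIN, discarded
    while not card.blocked:
        card.verify_pin("not-a-pin")                  # cannot match an all-digit PIN
    return card


if __name__ == "__main__":
    key = b"constructed-admin-key"          # constructed value, not a real key
    card = issue_blocked_card(key)
    print("blocked at issue:", card.blocked)
    challenge = card.get_challenge().hex()
    ok = card.unblock(helpdesk_response(key, challenge), "4321")
    print("unblocked by help desk:", ok, "blocked now:", card.blocked)
```

Running it shows the card leaving the issuing station already blocked, the user receiving a challenge on first use, and the help desk response resetting the counter and setting a new PIN; nothing on the CMS side changes at any of those steps.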

All replies

  • On Tue, 20 Nov 2012 09:23:27 +0000, Steven Griffiths wrote:

    Is it possible to enrol a smart card and to configure the user PIN to be blocked using FIM CM?

    I am implementing a centralised registration model and want to issue cards in a blocked state. The intention is to get the user to perform an offline unblock through a call to the help desk from their Windows 7 workstations. For reference the smart cards are Gemalto .Net.

    Configure the User PIN policy in the Profile Template to generate a
    randomized PIN.


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    Your fault -- core dumped.

    Tuesday, November 20, 2012 1:55 PM
  • Thanks, Paul.

    This is how I have the profile template currently configured, but the card isn't in a blocked state. The behaviour I'm after is for the user to enter a single random PIN and be told that the smart card is blocked. On Windows 7 this will then force the credential manager (or whatever it is called) to display a challenge that can be provided to the help desk so that the card can be unblocked using the Offline Unblock policy.

    I suppose I could ask the users just to keep entering a random PIN until the card is blocked (or they guess the correct random PIN, which I'm sure should make them eligible for a large cash prize!), but I was hoping to minimise their effort. However, if there's no other way, I'm happy to tell the users to keep entering a random PIN until they get the challenge, upon which they should call the help desk.

    Steve G

    Tuesday, November 20, 2012 2:08 PM
  • Sounds like a way forward! Thanks, Paul.

    Steve G

    Tuesday, November 20, 2012 3:56 PM