Assigning tokens to users
There are two ways to assign SafeNet tokens to Active Directory users. You may use the Token Assignment Wizard, or you can manually enter the token serial number in the serial number field. The Wizard assigns Software, Messaging, and Hardware tokens. It will automatically select and assign the next available Software or Messaging token. You select the Hardware token that you will be assigning with the Wizard.
Note: You must use the Token Assignment Wizard to assign Software tokens. If you are manually entering the token serial numbers, the interface will only accept Messaging and Hardware token serial numbers. You cannot assign Messaging tokens with the Token Assignment Wizard if the tokens were generated and imported before SafeWord 2008 version 2.1.0.03.
If you have not already done so, you must generate MobilePASS records before assigning Software or Messaging tokens (see “Generating MobilePASS records in ADUC” on page 41), and/or you must import your hardware token data files before assigning hardware tokens. For details, see “Importing token data files” on page 43.
Assigning tokens with the Token Assignment Wizard
The Wizard is located on the SAM Express tab of each user’s Properties window. To assign tokens using the Token Assignment Wizard, do the following:
1 In ADUC, highlight the user to whom you will be assigning a token.
Figure 20: Users node of ADUC
2 Right-click on the user name and select Properties. The Properties window appears.
Chapter 3: Active Directory Management Assigning tokens to users
3 Click the SAM Express tab. If this user has not yet been assigned a token, the Token serial number field is empty on the displayed tab. If this user has a token assigned, the window appears with a serial number displayed.
Tip: If you get an error while attempting to view a user’s SAM Express tab, the administration service has rejected the user’s client certificate. This occurs when ADUC has been re-installed. Remove the user’s client certificate to access the SAM Express tab of their Properties window (see “Reinstalling a server or ADUC” on page 73).
Important: If the user already has a token assigned to them, the existing token will be replaced by a new token when the Wizard is used.
Figure 21: SAM Express tab of user properties window
4 Click the Wizard button. The Choose authenticator window appears.
Figure 22: Choose authenticator window
5 Select the type of token to assign. If assigning a Software or Messaging token, and an unassigned token of this type is available in the SAM Express database, the Wizard will automatically assign the next available token of that type and you are prompted to enter an activation code. If you are assigning a Hardware token, you will be prompted to enter the token serial number to assign the token to the user.
Figure 21 panels: User with no tokens assigned; User with a token assigned
6 Continue to the appropriate section for details on assigning specific tokens.
– If you select Software token, continue to “Assigning Software tokens to users” on page 55.
– If you select Messaging (SMS/Email) token, continue to “Assigning Messaging tokens to users” on page 57.
– If you select Hardware token, continue to “Assigning Hardware tokens to users” on page 57.
Assigning Software tokens to users
Administrators who are assigning Software tokens to Active Directory users should do the following:
a Select the Software token option, and then click the Next button. The window providing your policy string appears.
Figure 23: Policy String window
b Enter the policy string onto your device. The Enter Activation Code window appears.
Note: If there are no Software tokens available, the window appears with the Activation Code field grayed out, and with a message stating there are no tokens available. In this case, generate or import tokens before continuing.
Figure 24: Enter Activation Code window
c Enter the 20-digit activation code from your user’s MobilePASS device software, and then click the Assign button. The user is assigned a Software token. Confirm the Activation prompt on the device. The device is now ready to be distributed to the user.
d The Wizard closes and the token serial number appears on the User’s SAM Express tab. Continue to “Adding or changing PINs” on page 60.
If you will allow users to self-enroll their Software token, refer to “Allowing users to self-enroll” on page 97.
Assigning Messaging tokens to users
To assign Messaging tokens to users, do the following:
a Select the Messaging (SMS/Email) token option, and then click the Next button. A new window appears indicating that there are Messaging tokens available.
Figure 25: Messaging tokens available window
b Click the Assign button. The user is assigned the next available Messaging token.
c The Wizard closes and the token serial number appears on the User’s SAM Express tab. Continue to “Adding or changing PINs” on page 60.
Assigning Hardware tokens to users
To deploy Hardware tokens to your Active Directory users, you must import the token data files that were downloaded during activation, or import them from the CD that came with your token pack (see “Importing token data files” on page 43). Once the token data files have been imported, you can associate tokens to users using the Wizard or by manual assignment.
Assigning Hardware tokens with the Wizard
To assign Hardware tokens with the Wizard, do the following:
a Select a hardware token.
b Launch the Token Assignment Wizard, select the Hardware token option, and then click Next. The Hardware token enter serial number window appears.
Figure 26: Hardware token enter serial number window
c Enter the hardware token serial number (found on the back of the token) into the field, and then click Assign. The token is now assigned to the user and you are returned to the User’s Properties window.
d Give the token to the user. After a token is assigned by the Wizard, its serial number appears in the Serial Number field of the user’s SAM Express tab. Continue to “Adding or changing PINs” on page 60.
If you wish to allow users to self-enroll their Hardware token, refer to “Allowing users to self-enroll” on page 97.
Assigning tokens manually (“shortcut” method)
You can directly assign Messaging and Hardware tokens using the token serial number. This direct assignment method provides a “shortcut” for quickly assigning tokens. To directly assign a token to a user:
a Launch ADUC.
b On the left side of the window, highlight the Users folder.
c Locate the user to whom you will be assigning a token, right-click the user’s name and select Properties, then in the user’s Properties window click the SAM Express tab.
Tip: If some of your users will share a token, assign the same token serial number to each user who will share it.
Figure 27: SAM Express tab of the User Properties window
Tip: If you get an error while attempting to view a user’s SAM Express tab, the administration service has rejected the user’s client certificate. This occurs when ADUC has been re-installed. Remove the user’s client certificate to access the SAM Express tab of their Properties window (see “Reinstalling a server or ADUC” on page 73).
d In the Token serial number field (found in the SAM Express tab), enter the token’s serial number, and an optional four-digit PIN.
Requiring a PIN with a user passcode adds a second layer of security to your system. If you will require users to authenticate with a token passcode and PIN, they must append the PIN to the end of the passcode. If they do not know their PIN, they will be denied access.
e Click Apply.
Note: See “Configuring the Authentication Policy” on page 250 for information on configuring group memberships.
Clicking Apply activates the lower portion of the window, allowing you to test the token (see “Testing tokens” on page 60).
f If you will not be testing the token now, click OK to close the window.
g Distribute the token to the user (be sure to tell them if they will need to append a PIN to the end of their passcode).
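The rules in the manual-assignment procedure above (a PIN is optional and set per user, several users may share one token serial, and a required PIN is appended to the end of the passcode) can be modelled in a small verifier. The following is an added example written for this page, not SafeWord or SAM Express code: the user directory, the serial numbers, the PINs and the per-serial "current passcode" table are all constructed sample values standing in for the token database, and `split_credential`, `verify` and `CURRENT_PASSCODE` are hypothetical names.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

PIN_LENGTH = 4  # the SAM Express field accepts an optional four-digit PIN


@dataclass(frozen=True)
class TokenAssignment:
    serial: str         # token serial number entered in the SAM Express tab
    pin: Optional[str]  # None when no PIN was entered for this user


# Constructed sample directory (not real data). alice and bob share one
# hardware token serial, as the Tip above allows; only alice also has a PIN.
ASSIGNMENTS = {
    "alice": TokenAssignment(serial="HW-0001234", pin="4821"),
    "bob": TokenAssignment(serial="HW-0001234", pin=None),
    "carol": TokenAssignment(serial="SMS-0009876", pin="1111"),
}

# Constructed stand-in for each token's current one-time passcode. A real
# server derives this from the imported token record; here it is a fixed table.
CURRENT_PASSCODE = {
    "HW-0001234": "739104",
    "SMS-0009876": "258036",
}


def split_credential(entered: str, pin_required: bool) -> Tuple[str, Optional[str]]:
    """Separate what the user typed into (passcode, pin).

    When the user has a PIN it must be appended to the end of the passcode,
    so the last PIN_LENGTH characters are the PIN and the rest is the passcode.
    """
    if not pin_required:
        return entered, None
    if len(entered) <= PIN_LENGTH:
        # Too short to hold both a passcode and a PIN: treat the PIN as missing.
        return "", None
    return entered[:-PIN_LENGTH], entered[-PIN_LENGTH:]


def verify(username: str, entered: str,
           passcode_lookup: Callable[[str], Optional[str]] = CURRENT_PASSCODE.get) -> bool:
    """Return True only if the token passcode and (when one is set) the PIN match."""
    assignment = ASSIGNMENTS.get(username)
    if assignment is None:
        return False  # no token assigned to this user
    expected = passcode_lookup(assignment.serial)
    if expected is None:
        return False  # serial not present in the token database
    pin_required = assignment.pin is not None
    passcode, pin = split_credential(entered, pin_required)
    if not passcode:
        return False
    # Constant-time comparisons so a wrong passcode and a wrong PIN take the same time.
    passcode_ok = hmac.compare_digest(passcode.encode(), expected.encode())
    if pin_required:
        pin_ok = pin is not None and hmac.compare_digest(pin.encode(), assignment.pin.encode())
    else:
        pin_ok = True
    return passcode_ok and pin_ok


if __name__ == "__main__":
    print(verify("alice", "7391044821"))  # passcode followed by PIN: accepted
    print(verify("alice", "739104"))      # PIN omitted: denied, as the text states
    print(verify("bob", "739104"))        # shared serial, no PIN configured: accepted
```

The model keeps the PIN on the user record rather than on the token, which is why two users can share one serial while only one of them is asked for a PIN; a user who omits a required PIN is denied because the trailing four characters are consumed as the PIN and the remaining passcode no longer matches.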