5.3. Enrolling a Smart Card Automatically

Because the Enterprise Security Client is configured using the Phone Home feature, enrolling a smart card is extremely easy. The information needed to contact the backend TPS server is provided with each smart card, so the user is guided quickly and easily through the procedure.
To enroll an uninitialized smart card:

Note

This procedure assumes that the smart card is uninitialized and the appropriate Phone Home information has been configured.
  1. Ensure that the Enterprise Security Client is running.
  2. Insert an uninitialized smart card, pre-formatted with the Phone Home information for the TPS and the enrollment interface URL for the user's organization.
    The smart card can be added either by placing a USB form factor smart card into a free USB slot, or by inserting a standard, full-sized smart card into a smart card reader.
    When the system recognizes the smart card, it displays a message indicating it has detected an uninitialized smart card.
  3. Click Enroll My Smart Card Now to display the smart card enrollment form.

    Note

    If you remove the card at this point, a message displays stating that the smart card can no longer be detected. Reinsert the card to continue with the enrollment process.
    The enrollment files are accessed remotely; they reside on the TPS instance. If the network connection is bad or broken, an error may appear saying Check the Network Connection and Try Again. It is also possible that the enrollment window appears to open but the enrollment process does not proceed. The enrollment pages can be cached if the Enterprise Security Client previously connected to them successfully, so the enrollment UI opens even if the network is offline. Try restarting the Enterprise Security Client and check the network connection.
  4. Because the Smart Card Manager now knows where the enrollment UI is located (it is included in the Phone Home information), the enrollment form is displayed for the user to enter the required information.
    This illustration shows the default enrollment UI included with the TPS server. This UI is a standard HTML form, which you can customize to suit your own deployment requirements. This could include adding a company logo or adding and changing field text.
  5. The sample enrollment UI requires the following information for the TPS server to process the smart card enrollment operation:
    • LDAP User ID. This is the LDAP user ID of the user enrolling the smart card; this can also be a screen name or employee or customer ID number.
    • LDAP Password. This is the password corresponding to the user ID entered; this can be a simple password or a customer number.

      Note

      The LDAP user ID and password are related to the Directory Server user. The TPS server is usually associated with a Directory Server, which stores user information and through which the TPS authenticates users.
      Passwords must conform to the password policy configured in the Directory Server.
    • Password and Re-Enter Password. These fields set and confirm the smart card's password, used to protect the card information.
  6. After you have entered all required information, click Enroll My Smart Card to submit the information and enroll the card.
  7. When the enrollment process is complete, a message page opens which shows that the card was successfully enrolled and can offer custom instructions on using the newly-enrolled smart card.