This User’s Guide provides descriptions of the operating procedures and
precautions for using Authentication Unit (IC Card Type) AU-211P. Carefully
read this User’s Guide before using this device.
The actual screens that appear may be slightly different from the screen
images used in this User’s Guide.
Trademark/copyright acknowledgements
- Microsoft® and Windows® are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other
countries.
- All other company names and product names mentioned in this
User’s Guide are either registered trademarks or trademarks of their
respective companies.
Restrictions
- Unauthorized use or reproduction of this User’s Guide, whether in its
entirety or in part, is strictly prohibited.
- The information contained in this User’s Guide is subject to change
without notice.
Introduction
1.1 Safety Information
Carefully read this information, and then store it in a safe place.
- Before using this device, carefully read this information and follow it
to operate the device correctly.
- After reading this information, store it in the designated holder with
the warranty.
Important information
- The reprinting or reproduction of the content of this publication, either
in part or in full, is prohibited without prior permission.
- The content of this publication is subject to change without notice.
- This publication was created with careful attention to content;
however, if inaccuracies or errors are noticed, please contact your
sales representative.
- The marketing and authorization to use our company’s product
mentioned in this information are provided entirely on an “as is” basis.
- Our company assumes no responsibility for any damage (including
lost profits or other related damages) caused by this product or its
use as a result of operations not described in this information. For
disclaimers and warranty and liability details, refer to the User’s Guide
Authentication Unit (IC Card Type AU-211P).
- This product is designed, manufactured and intended for general
business use. Do not use it for applications requiring high reliability
and which may have an extreme impact on lives and property.
(Applications requiring high reliability: Chemical plant management,
medical equipment management and emergency communications
management)
- Use with other authentication devices is not guaranteed.
- In order to incorporate improvements in the product, the
specifications concerning this product are subject to change without
notice.
For safe use
• Do not use this product near water, otherwise it may
be damaged.
• Do not cut, damage, modify or forcefully bend the
USB cable. A malfunction may occur as a result
of a damaged or cut USB cable.
• Do not disassemble this device, otherwise it may
be damaged.
Regulation notices
USER INSTRUCTIONS FCC PART 15 - RADIO FREQUENCY DEVICES
(For U.S.A. Users)
NOTE:
This equipment has been tested and found to comply with the limits for a
Class B digital device, pursuant to Part 15 of the FCC Rules.
These limits are designed to provide reasonable protection against harmful
interference in a residential installation. This equipment generates, uses and
can radiate radio frequency energy and, if not installed and used in
accordance with the instructions, may cause harmful interference to radio
communications. However, there is no guarantee that interference will not
occur in a particular installation. If this equipment does cause harmful
interference to radio or television reception, which can be determined by
turning the equipment off and on, the user is encouraged to try to correct the
interference by one or more of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment into an outlet on a circuit different from that
to which the receiver is connected.
- Consult the dealer or an experienced radio/TV technician for help.
WARNING:
The design and production of this unit conform to FCC regulations, and any
changes or modifications must be registered with the FCC and are subject
to FCC control. Any changes made by the purchaser or user without first
contacting the manufacturer will be subject to penalty under FCC
regulations.
FCC: Declaration of Conformity
Product Type: Authentication Unit (IC Card Type)
Product Name: AU-211P
(This device complies with Part 15 of the FCC Rules.) Operation is subject to the
following two conditions: (1) this device may not cause interference, and (2) this
device must accept any interference, including interference that may cause
undesired operation of this device.
INTERFERENCE-CAUSING EQUIPMENT STANDARD (ICES-003 ISSUE
4) (For Canada Users)
(This device complies with RSS-Gen of IC Rules.) Operation is subject to the
following two conditions: (1) this device may not cause interference, and (2)
this device must accept any interference, including interference that may
cause undesired operation of this device.
This Class B digital apparatus complies with Canadian ICES-003.
This Class B digital apparatus complies with Canadian standard NMB-003.
2 Getting Started
2.1 Product Overview
This product is a PKI card authentication unit that scans a PKI card (CAC or
PIV card) to perform personal authentication.
Connecting this unit enables you to run a PKI card authentication system
(hereinafter referred to as "this system") that uses the PKI card
authentication unit on the MFP.
Using this system enables you to carry out operations without exposing a
password on the network, and to configure the system environment
with a higher level of security. You can also use the functions on the MFP
that are unique to this system.
Use conditions
The following conditions are required to use this system.
- PKI card authentication unit (This unit)
- MFP compatible with a PKI card authentication system
- PKI card available for PIV and CAC
- User management using Active Directory (Kerberos authentication +
PKINIT)
- Connectable to the MFP via the USB port. (The MFP contains the
optional local connection kit.)
Note
This system cannot be used with applications other than the printer
driver and PageScope Authentication Manager compatible with this
system.
Reminder
Do not disconnect the USB cable while using this unit. Doing so may
cause this system to become unstable.
2.2 Part names and their functions

| No. | Part name | Description |
|---|---|---|
| 1 | Card inlet | Used to insert the PKI card. |
| 2 | LED lamp | Turns green when you log in using the PKI card. Blinks green during authentication. |
| 3 | USB cable | Used for connecting this device to the multifunctional product. |
2.3 Pre-Setting
To use this system, pre-configure the following settings on the MFP.
- Configuring network settings
- Registering Active Directory for authentication
- Correcting the MFP time
- Registering the DNS server associated with Active Directory
- Specifying the PIV transitional mode
- Configuring settings for verifying the Active Directory certificate
2.3.1 Configuring Network Settings
Configure the basic settings required to use the MFP in a network
environment.
TCP/IP Settings
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [Network Settings] - [TCP/IP Settings].

| Item | Description |
|---|---|
| ON/OFF | Select [ON]. |
IPv4 Settings

| Item | Description |
|---|---|
| IP Application Method | Select whether to automatically retrieve the IP address or directly specify it. |
| Auto Input | When automatically retrieving the IP address, select the automatic retrieval method. |
| IP Address | When directly specifying the IP address, enter the IP address of the MFP. |
| Subnet Mask | When directly entering the IP address, specify the subnet mask for the connected network. |
| Default Gateway | When directly entering the IP address, specify the default gateway for the connected network. |

IPv6 Settings
Note
These settings are required when using the MFP in an IPv6 environment.

| Item | Description |
|---|---|
| ON/OFF | Select [ON] when using the MFP in an IPv6 environment. |
| Auto IPv6 Settings | Select [ON] when automatically retrieving the IPv6 address. |
| DHCPv6 Setting | Select [ON] when retrieving the IPv6 address using DHCPv6. |
| Global Address | Specify the IPv6 global address when not automatically retrieving the IPv6 address. |
| Prefix Length | Specify the IPv6 global address prefix length when not automatically retrieving the IPv6 address. |
| Gateway Address | Specify the IPv6 gateway address when not automatically retrieving the IPv6 address. |
| Link-Local Address | Displays the link-local address generated from the MAC address. |

DNS Host

| Item | Description |
|---|---|
| DNS Host Name | Specify the host name of the MFP (up to 63 characters). |
| Dynamic DNS Settings | Select [Enable] when automatically registering the specified DNS host name in the DNS server that supports the Dynamic DNS function. |

DNS Domain

| Item | Description |
|---|---|
| Domain Name Auto Retrieval | Select whether to automatically retrieve the domain name. This item is available when using DHCP. |
| Search Domain Name Auto Retrieval | Select whether to automatically retrieve the search domain name. This item is available when using DHCPv6. |
| Default DNS Domain Name | Specify the domain name that the MFP is connected to (up to 255 bytes with the host name). |
| DNS Search Domain Name 1 to 3 | Specify the DNS search domain name (up to 253 bytes). |

2.3.2 Registering Active Directory for Authentication
Register Active Directory for authentication in the MFP. You can register up
to 20 Active Directory services.
External Server Settings
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [User Authentication/Account Track] - [External
Server Settings] - [New].

| Item | Description |
|---|---|
| Server Name | Specify the name of the external server (up to 32 characters). |
| Server Type | Select Active Directory, and specify its default domain name (up to 64 characters). |

Detail
When registering multiple Active Directory services, specify the default
Active Directory in advance. Select the desired Active Directory on the
External Server Settings screen, and press [Set as Default].
2.3.3 Correcting the MFP Time
You cannot log in to Active Directory if the MFP system time differs
greatly from the Active Directory time. Correct the MFP system time so that
it matches the Active Directory time.
Time Adjustment Setting
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [Network Settings] - [Forward] - [Detail Settings] - [Time Adjustment Setting].
Page 1/2

| Item | Description |
|---|---|
| ON/OFF | Select [ON]. |
| Auto IPv6 Retrieval | To automatically obtain the IPv6 address of the NTP server, select [ON]. This item is necessary when IPv6 is used while DHCPv6 is enabled. |
| Host Address | Specify the host address of the NTP server associated with Active Directory. |
| Port Number | Specify the port number. |
| Set Date | Correct the time. |

Page 2/2

| Item | Description |
|---|---|
| Auto Time Adjustment | When an automatic time correction is made, select [ON]. |
| Polling Interval | When [ON] is selected for Auto Time Adjustment, set the polling interval. |
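
To measure the clock difference that this setting corrects, the following added example (not part of the original guide) parses an SNTP reply from the NTP server, computes the clock offset, and compares it with a limit. The 300-second limit is an assumption based on the Active Directory default Kerberos clock tolerance; the function names and the sample packet are constructed for illustration.

```python
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800  # seconds between the NTP epoch (1900) and the Unix epoch (1970)
MAX_SKEW_SECONDS = 300       # assumption: Active Directory default Kerberos tolerance (5 minutes)


def to_ntp(unix_ts):
    """Encode a Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    sec = int(unix_ts)
    frac = int((unix_ts - sec) * 2**32)
    return struct.pack("!II", sec + NTP_UNIX_DELTA, frac)


def from_ntp(packet, pos):
    """Decode the 64-bit NTP timestamp at byte offset pos into Unix time."""
    sec, frac = struct.unpack_from("!II", packet, pos)
    return sec - NTP_UNIX_DELTA + frac / 2**32


def parse_sntp_reply(packet, t4, sent=None):
    """Return the local clock offset and round-trip delay, in seconds.

    t4 is the local time at which the reply arrived; sent is the transmit
    timestamp of our own request, used to reject replies that do not echo it.
    """
    if len(packet) < 48:
        raise ValueError("SNTP reply is shorter than 48 bytes")
    leap, mode, stratum = packet[0] >> 6, packet[0] & 0x07, packet[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if leap == 3 or stratum == 0:
        raise ValueError("server clock is not synchronized")
    if sent is not None and bytes(packet[24:32]) != sent:
        raise ValueError("originate timestamp does not match the request")
    t1 = from_ntp(packet, 24)  # originate: when the client sent the request
    t2 = from_ntp(packet, 32)  # receive: when the server got the request
    t3 = from_ntp(packet, 40)  # transmit: when the server sent the reply
    return {
        "offset": ((t2 - t1) + (t3 - t4)) / 2,  # positive: local clock is behind
        "delay": (t4 - t1) - (t3 - t2),
        "stratum": stratum,
    }


def within_tolerance(offset, limit=MAX_SKEW_SECONDS):
    """True if the measured offset is inside the assumed Kerberos tolerance."""
    return abs(offset) <= limit


def query_sntp(host, port=123, timeout=3.0):
    """Send one SNTP request to the NTP server used by the domain (needs network)."""
    request = bytearray(48)
    request[0] = (4 << 3) | 3  # version 4, mode 3 (client)
    sent = to_ntp(time.time())
    request[40:48] = sent
    family, _, _, _, addr = socket.getaddrinfo(host, port, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(bytes(request), addr)
        reply, _ = sock.recvfrom(512)
    return parse_sntp_reply(reply, time.time(), sent)


def build_sample_reply(t1, t2, t3, stratum=2):
    """Constructed server reply (version 4, mode 4) for offline demonstration."""
    header = struct.pack("!BBbb", (4 << 3) | 4, stratum, 6, -20)
    # 20 zero bytes: root delay, root dispersion, reference ID, reference timestamp
    return header + bytes(20) + to_ntp(t1) + to_ntp(t2) + to_ntp(t3)


if __name__ == "__main__":
    # Constructed sample: the local clock is 7 minutes behind the server.
    t1 = 1700000000.0
    reply = build_sample_reply(t1, t1 + 421, t1 + 421)
    result = parse_sntp_reply(reply, t1 + 2, sent=to_ntp(t1))
    verdict = "within" if within_tolerance(result["offset"]) else "outside"
    print("offset %.1f s, delay %.1f s: %s tolerance"
          % (result["offset"], result["delay"], verdict))
```
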
2.3.4 Registering the DNS Server Associated with Active Directory
Register the DNS server associated with Active Directory in the MFP.
DNS Server Settings (IPv4)
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [Network Settings] - [TCP/IP Settings] - [DNS
Server Settings (IPv4)].

| Item | Description |
|---|---|
| DNS Server Auto Obtain | Select whether to automatically obtain the DNS server address. This item is available when using DHCP. |
| Priority DNS Server | Specify the IPv4 address of the priority DNS server associated with Active Directory. |
| Secondary DNS Server 1 and 2 | Specify the IPv4 address of the secondary DNS server associated with Active Directory. |

DNS Server Settings (IPv6)
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [Network Settings] - [TCP/IP Settings] - [DNS
Server Settings (IPv6)].
Note
These settings are required when using the MFP in the IPv6 environment.

| Item | Description |
|---|---|
| DNS Server Auto Obtain | Select whether to automatically obtain the DNS server address. This item is available when using DHCPv6. |
| Priority DNS Server | Specify the IPv6 address of the priority DNS server associated with Active Directory. |
| Secondary DNS Server 1 and 2 | Specify the IPv6 address of the secondary DNS server associated with Active Directory. |

2.3.5 Specifying the PIV Transitional Mode
Specify the PIV transitional mode.
Authentication Device Settings
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [User Authentication/Account Track] - [Authentication Device Settings] - [General Settings] - [PKI Card
Authentication].

| Item | Description |
|---|---|
| PIV Transitional Mode | Select PIV or CAC as the PIV transitional mode. |

2.3.6 Configuring Settings for Verifying the Active Directory Certificate
Configure the certificate verification settings to verify the Active Directory
certificate when communicating with Active Directory.
Certificate Verification Setting
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [User Authentication/Account Track] - [Certificate
Verification Setting].

| Item | Description |
|---|---|
| Verify Validity Period | Select whether to verify that the certificate is within the validity period. |
| Check Root Signature | Select whether to check the root signature. To check the root signature, view the external certificates managed on the MFP. For details on how to register an external certificate on the MFP, refer to "External Certificate Setting". |
| Check CRL Expiration | Select whether to check that the certificate is not expired in the CRL (Certificate Revocation List). |
| Check OCSP Expiration | Select whether to check that the certificate is not expired in the OCSP service. For details on how to configure the OCSP service setting, refer to "Certificate Verification Settings". |

Certificate Verification Settings
In the PageScope Web Connection administrator mode, select [Security],
and then [Certificate Verification Settings].
Note
For details on how to use PageScope Web Connection, refer to the
User's Guide [Network Administrator] supplied together with the MFP.

| Item | Description |
|---|---|
| Certificate Verification Settings | Select [ON] to enable certificate verification. |
| Timeout | Enter the timeout period to check the expiration date. |
| OCSP Service | Select this check box to use an OCSP service. |
| URL | Enter the URL of the OCSP service (up to 511 characters). If this item is left blank, the system accesses the URL of the OCSP service embedded in the certificate. If the URL of the OCSP service is not embedded in the certificate, it will result in an error. |
| Proxy Server Address | To check the expiration date via a proxy server, enter the proxy server address. If the DNS server is specified, you can enter the host name instead. If [IPv6] is set to [ON], you can also specify the IPv6 address. |
| Proxy Server Port Number | Enter the port number for the proxy server. |
| User Name | Enter the user name to log in to the proxy server (up to 63 characters). |
| Password | Enter the password to log in to the proxy server (up to 63 characters). When changing the registered password, select [Password is changed.], and enter a new password. |
| Address not using Proxy Server | Specify an address with no proxy server used depending on your environment when checking the expiration date. If the DNS server is specified, you can enter the host name instead. If [IPv6] is set to [ON], you can also specify the IPv6 addresses. |

External Certificate Setting
In the PageScope Web Connection administrator mode, select [Security],
and then [PKI Settings] - [External Certificate Setting].
Detail
• To check the root signature in Certificate Verification, register the external
certificate you want to view when checking the root signature as
necessary.
• For details on how to use PageScope Web Connection, refer to the
User's Guide [Network Administrator] supplied together with the MFP.

| Item | Description |
|---|---|
| Certificate type | Select the type of the external certificate you want to display, and click [Changes the display]. You will see a list of the selected types of external certificates. |
| [New Registration] | Click this button to register a new external certificate. Click [Browse] in the New Registration screen, and specify a new external certificate. |
| Issuer | Displays the issuer of the external certificate. |
| Subject | Displays the destination to issue the external certificate. |
| Validity Period | Displays the validity period of the external certificate. |
| Detail | View the detailed information about the external certificate. |
| Delete | Displays the deletion confirmation dialog box. If necessary, you can delete the external certificate. |

<New Registration>

| Item | Description |
|---|---|
| File | Click [Browse] in the Import Certificates (PEM/DER) screen, and specify a new external certificate to be registered. |

• If [Trusted CA Root Certificate] is selected,
register the root certificate from the CA
(Certificate Authority).
• If [Trusted CA Intermediate Certificate] is
selected, register the intermediate certificate from
the CA (Certificate Authority).
• If [Trusted EE (End Entity) Certificate] is selected,
register the certificates individually.
• If [Non-Trusted Certificate] is selected, register
the non-trusted certificates individually.
2.4 Operation Settings
When operating this system, configure the following settings to ensure a
higher level of security.
Disabling the OpenAPI function
To associate the MFP with PageScope Authentication Manager, register the
MFP in the initial setting of PageScope Authentication Manager, and set
the OpenAPI function of the MFP to the disabled state. However, the initial
setting results in the MFP administrator password being exposed on the
network. To ensure security, change the administrator password as required
after the initial setting.
Detail
• To disable the OpenAPI function, press the [Utility/Counter] key, and then
[Administrator Settings] - [System Connection] - [OpenAPI Settings] on
the MFP control panel, and set [Access Setting] to [Restrict].
• To change the MFP administrator password, press the [Utility/Counter]
key, and then [Administrator Settings] - [Security Settings] - [Administrator Password] on the MFP control panel.
To operate this system, set the TCP Socket, FTP server, SNMP v1/v2c
write setting, and SNMP v3 functions to the disabled state.
Detail
On the MFP that supports this system, the TCP Socket, FTP server, and
SNMPv3 functions are disabled by default. For details on each setting,
refer to the User's Guide [Network Administrator] supplied together with
the MFP.
3 How to Use the Authentication Unit
This chapter explains how to log in and log out using this unit and also
describes the functions for use with this system.
Note
The following explains the procedures applicable in the normal display
mode. This unit is also available in the Enlarge Display mode. For details
on the Enlarge Display mode, refer to the User's Guide [Enlarge Display
Operations] supplied together with the MFP.
3.1 Login and Logout
3.1.1 Login
Use the following steps to insert a PKI card into this unit and log in to the
MFP.
1. Insert a PKI card in the unit.
– To change the server for authentication, click [Server Name] to
select the desired server, and click [OK].
– You can log in as a public user if Public User Access is enabled.
– If logging in to the MFP as an administrator or User Box
administrator, press [ID & PW], and enter the password.
Detail
• If you insert a PKI card into the unit while logged in as a public user, you
will be logged out as a public user and the PIN code entry screen
appears. However, even if logged in as a public user, you will not be
logged out by inserting a PKI card during operations, when warnings
occur, or when a screen is displayed from which you cannot log out by
pressing the [ID] key on the control panel.
• If you log in to the MFP as an administrator, you can check or delete the
desired job.
• If you log in to the MFP as a User Box administrator, you can view the
contents of all the created User Boxes regardless of whether a password
has been specified.
2. Enter the PIN code.
– You can use the keypad to enter the PIN code directly.
– When [PIN] is pressed, the keyboard screen appears. If necessary,
use this keyboard screen to enter characters as a PIN code.
Detail
If an incorrect PIN code is entered, "No. of Auth. Failure Allowed"
appears on the screen. If the number of authentication failures reaches
an upper limit, the PKI card will be locked to prevent authentication.
For details on the allowable number of PKI card authentication failures
and how to unlock the PKI card, contact your PKI card administrator.
3. Touch [OK] or press the [Start] key.
This starts authentication and logs in to the MFP.
Detail
When Account Track is enabled, use the PKI card to perform user
authentication before account authentication. When Account Track is
enabled on the MFP that supports this system, user authentication is
forcibly associated with account authentication.
3.1.2 Logout
To log out of the MFP, pull the PKI card out of this unit.
Detail
• If a PKI card is used to log in to the MFP, you cannot log out by pressing
the [ID] key on the control panel.
• If the MFP sub power is turned off while logged in using the PKI card, you
will be logged out of the MFP.
• When the time for the system auto reset function is specified, the function
will activate and you will be logged out automatically if the MFP is not
operated for the specified time. If no operations are carried out for over 1
minute while you are logged in, you will be logged out automatically even
when the system auto reset function is set to [OFF].
• In order to prevent the card from being left in the unit, the caution sound
can be issued when you are logged out automatically. To issue the
caution sound, select [Sound Setting] - [Sound Setting] and set [Warning
Sound] to [On] in [Accessibility Setting], and also set [Simple Caution
Sound (Level 1)] to [Yes] in [Sound Setting] - [Caution Sound] in advance.
3.2 Functions Using the PKI Card Authentication System
This section explains the functions using the PKI card authentication system.

| Function | Description |
|---|---|
| Address Search (LDAP) using PKI card | Logs in to the LDAP server using the Kerberos authentication ticket that is obtained by Active Directory authentication with the PKI card when searching for the destination via the LDAP server. The user performs authentication only once to obtain access privileges, which provides a convenient single sign-on environment. |
| SMB TX using PKI card | Logs in to the destination computer using the Kerberos authentication ticket that is obtained by Active Directory authentication with the PKI card when sending scanned data via SMB. The user performs authentication only once to obtain access privileges, which provides a convenient single sign-on environment. |
| Scan to E-mail (S/MIME) using PKI card | Adds a digital signature using the PKI card when sending an e-mail. This function prevents fabrication or spoofing of an e-mail. |
| PKI Card Print | The user can encrypt print data using the PKI card before sending the data to the MFP. The print data is saved temporarily in the MFP. Once the same user performs authentication at the MFP with the PKI card, the data is decrypted and printed. The print data is encrypted when it is sent from the printer driver and can only be printed when authentication at the MFP using the PKI card is successful; therefore, you can ensure the confidentiality of documents. |
| Scan To Me | Sends scanned data to the user's e-mail address. The user can obtain the user's e-mail address using the LDAP protocol, and easily send data to the obtained address. This function is effective when frequently sending scanned data to a user's address. |
| Scan To Home | Sends scanned data to the user's computer. The user can obtain the position of the user's Home folder from Active Directory, and easily send data to the Home folder of the user's computer. This function is effective when frequently sending scanned data directly to their Home folder. |

3.3 Address Search (LDAP) Using PKI Card
3.3.1 Overview
This function logs in to the LDAP server using the Kerberos authentication
ticket that is obtained by Active Directory authentication with the PKI card
when searching for the destination via the LDAP server.
If a Kerberos authentication ticket is used to authenticate to the LDAP server,
the user can use the LDAP server securely without exposing the password
on the network.
The user also performs the Active Directory authentication only once to
obtain access privileges, which provides a convenient single sign-on
environment.
[Figure: PKI Card, Active Directory and LDAP Server, with the Address Search steps (1) to (3) listed below]
(1) Insert the PKI card into the MFP to perform Active Directory
authentication.
(2) Obtain the Kerberos authentication ticket.
(3) Use the Kerberos authentication ticket to log in to the LDAP server and
search for the destination.
Note
This function is not available when you log in to the MFP as a public user
or User Box administrator.
3.3.2 Related Settings
This section explains how to configure the address search (LDAP) settings
on the MFP that supports this system.
Enabling LDAP
Configure settings to use the LDAP server.
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [Network Settings] - [LDAP Settings] - [Enabling
LDAP].

| Item | Description |
|---|---|
| Enabling LDAP | Select [ON]. |

Setting Up LDAP
Register the desired LDAP server to search for the destination.
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [Network Settings] - [LDAP Settings] - [Setting Up
LDAP].

| Item | Description |
|---|---|
| LDAP Server Name | Specify the LDAP server name (up to 32 characters). |
| Max. Search Results | Enter the maximum number of items that can be received as address search (LDAP) results. |
| Timeout | Specify the timeout period for address search (LDAP). |
| Initial Setting for Search Details | Specify address search (LDAP) conditions. |
| Change Search Attribute | Select the attribute of the name used for LDAP searching. You can toggle this attribute between [Name] (cn) and [Nickname] (displayName). |
| Server Address | Specify the conditions of address search (LDAP). |
| Search Base | Specify the search starting point in the directory structure under the LDAP server (up to 255 characters). This search function also covers subdirectories under the specified starting point. |
| SSL Setting | Select [ON] to encrypt communication between the MFP and LDAP server with SSL. |
| Port Number | Specify the LDAP port number. |
| Port Number (SSL) | Enter the desired port number for SSL communication. |
| Certificate Verification Level Settings | To verify the server certificate, configure settings to verify the certificate. [Expiration Date]: Select whether to check that the server certificate is within the validity period. [Key Usage]: Select whether to check that the server certificate is used according to the purpose approved by the issuer. [Chain]: Select whether to check that the server certificate chain (certification path) is correct. The chain is validated by referencing the external certificates managed on this machine. [Expiration Date Confirmation]: Select whether to check that the server certificate is within the validity period. The OCSP service and CRL (Certificate Revocation List) are checked in this order when the expiration date of the certificate is checked. [CN]: Select whether to check that the CN of the server certificate matches the server address. |
| Authentication Type | Select the authentication method to connect to the LDAP server. When connecting to the LDAP server using the Kerberos authentication method, select [GSS-SPNEGO]. Then specify the domain name of the Active Directory in [Domain Name]. When specifying the LDAP server with an anonymous user enabled, you can select [Anonymous]. |
| Referral Setting | Select whether to use the referral function. Match the LDAP server environment. |
| Domain Name | Specify the domain name to log in to the LDAP server (up to 64 characters). |

3.3.3 Handling Address Search (LDAP)
Use the Fax/Scan screen on the MFP control panel, and press [Address
Search]. The procedures can vary depending on whether a single or multiple
LDAP servers are registered.
Note
If the address search (LDAP) setting is not configured properly,
[Address Search] will not appear. Check that the address search (LDAP)
setting is configured correctly.
When a single LDAP server is registered
Press [Begin Authentication] to perform authentication with the Kerberos
authentication ticket and connect to the LDAP server.
After connecting to the LDAP server, select the desired method to search for
the destination.
When multiple LDAP servers are registered
1. Select the LDAP server to be the target for LDAP search.
– Multiple LDAP servers can be selected.
2. Press [OK].
Perform authentication using the Kerberos authentication ticket, and
connect to the LDAP server.
3. Select the desired method to search for the destination.
– You can check the authentication result of each server by pressing
the number key of a desired LDAP server.
– Press [Select Servers] to select the LDAP server to be searched
among the LDAP servers that have succeeded in authentication.
Detail
• When authentication has failed for all of the selected LDAP servers,
[Select Servers], [Search], and [Advanced Search] will not be displayed.
• If only one LDAP server has succeeded in authentication, [Select Servers]
will not appear.
Note
For details on the address search (LDAP) function, refer to the User's
Guide [Network Scan/Fax/Network Fax Operations] supplied together
with the MFP.
3.4SMB TX Using PKI Card
3.4.1Overview
This function logs into the destination computer using the Kerberos
authentication ticket that is obtained by Active Directory authentication with
the PKI card when sending scanned data via SMB.
If the Kerberos authentication ticket is used for authentication in the
destination computer, the user can carry out SMB TX securely without
making the password public on the network.
The user can also perform the Active Directory authentication only once to
obtain access privileges, and configure the single sign-on environment to be
convenient.
Active Directory
3
PKI Card
(2)
(1)
Scanned data
Client PC
(3)
Save in shared folder
(1) Insert the PKI card into the MFP to perform Active Directory
authentication.
(2) Obtain the Kerberos authentication ticket.
(3) Use the Kerberos authentication ticket to log in to the destination
computer and save scanned data.
2
Note
This function is not available while logged into the MFP as a public user
or as a User Box administrator.
3.4.2 Related Settings
This section explains how to configure the SMB TX settings on the MFP that
supports this system.
Client Settings
Configure the setting to perform SMB TX.
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [Network Settings] - [SMB Settings] - [Client
Settings].
Item: Description
ON/OFF: Select [ON].
SMB Authentication Setting: Select the SMB TX authentication method.
  When performing SMB TX for a folder accessible in the Active Directory
  domain environment, select [Kerberos].
  When performing SMB TX in the environment in which the Active Directory
  and NT domains are used together, select [Kerberos/NTLMv2/v1].
User Authentication (NTLM): Select whether or not the NTLM user
  authentication is performed.
DFS Setting: To perform SMB TX in a DFS (Distributed File System)
  environment, select [Enable].
Item: Description
Password Authentication Restriction: For authentication with the PKI card,
  this system uses the Kerberos authentication ticket that is obtained from
  Active Directory with the Kerberos authentication when performing SMB TX.
  In this item, select the operation required when authentication has failed
  using the Kerberos authentication ticket.
  If [Limit] is selected, it results in an authentication failure.
  When [Do Not Limit] is selected while [SMB Authentication Setting] is set
  to [Kerberos/NTLMv2/v1], if authentication has failed using the Kerberos
  authentication ticket, it is changed to the NTLM authentication. In this
  case, the window appears to prompt you to enter the user ID and password.
Note
Specify the WINS server or direct hosting service to fit your environment.
For details, refer to the User's Guide [Network Administrator] supplied
together with the MFP.
3.4.3 Using SMB TX
SMB TX
Use the Fax/Scan screen on the MFP control panel to specify the target SMB
address.
When SMB TX starts, you can use the Kerberos authentication ticket to log
into the destination computer and save scanned data in a shared folder.
Note
• For details on how to register the SMB address or use SMB TX, refer to
the User's Guide [Network Scan/Fax/Network Fax Operations] supplied
together with the MFP.
• In [Client Settings], you can specify the operation required when
authentication has failed using the Kerberos authentication ticket. For
details, refer to "Client Settings" (page 32).
Searching for SMB address
If [Reference] is pressed to register or specify the SMB address, the system
searches for computers on the Windows network to enable you to register or
specify the desired one as a destination.
If a PKI card is used to log in to the MFP, log in to the searched computer
using the Kerberos authentication ticket to register or specify it as a
destination.
<SMB address registration screen>
<SMB address specification screen (Direct Input)>
Detail
If either one of the following settings is selected in "Client Settings"
(page 32), [Reference] will not appear on the SMB address registration
screen (Administrator Settings) and SMB address specification screen.
• [SMB Authentication Setting] is set to [Kerberos].
• [Password Authentication Restriction] is set to [Limit].
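The interaction between [SMB Authentication Setting] and [Password Authentication Restriction] described in "Client Settings" and in the Detail above, as an added example (not code from the MFP or from this guide): a small Python model that enumerates the setting pairs and shows which one lets a failed Kerberos login fall back to an NTLM password prompt. Only the two setting values named in this guide are modelled, the outcome labels are made up for the example, and the result for [Kerberos] with [Do Not Limit] is not stated in the guide and is an assumption.

```python
from itertools import product

# Setting values exactly as printed in the guide's "Client Settings" table.
KERBEROS_ONLY = "Kerberos"
KERBEROS_NTLM = "Kerberos/NTLMv2/v1"
LIMIT = "Limit"
DO_NOT_LIMIT = "Do Not Limit"

AUTH_SETTINGS = (KERBEROS_ONLY, KERBEROS_NTLM)
RESTRICTIONS = (LIMIT, DO_NOT_LIMIT)


def smb_tx_outcome(auth_setting, restriction, kerberos_ok):
    """Return what happens for one SMB TX attempt (labels are illustrative)."""
    if auth_setting not in AUTH_SETTINGS or restriction not in RESTRICTIONS:
        raise ValueError("setting value not covered by this model")
    if kerberos_ok:
        return "ticket-login"            # password never typed or sent
    if restriction == LIMIT:
        return "auth-failure"            # guide: [Limit] results in a failure
    if auth_setting == KERBEROS_NTLM:
        return "ntlm-password-prompt"    # guide: changes to NTLM, asks for ID/password
    # ASSUMPTION: with [Kerberos] only there is no NTLM method to change to,
    # so a failed ticket login is treated as a failure. The guide is silent here.
    return "auth-failure"


def reference_shown(auth_setting, restriction):
    """[Reference] is hidden if either condition listed in the Detail holds."""
    return auth_setting != KERBEROS_ONLY and restriction != LIMIT


def fallback_matrix():
    """Enumerate every modelled setting pair with its failure behaviour."""
    rows = []
    for auth, restr in product(AUTH_SETTINGS, RESTRICTIONS):
        rows.append({
            "auth": auth,
            "restriction": restr,
            "on_kerberos_failure": smb_tx_outcome(auth, restr, False),
            "reference_shown": reference_shown(auth, restr),
        })
    return rows


def audit(auth_setting, restriction):
    """Return findings for an administrator reviewing the two settings."""
    findings = []
    if smb_tx_outcome(auth_setting, restriction, False) == "ntlm-password-prompt":
        findings.append(
            "Kerberos failure falls back to NTLM and prompts for user ID and password"
        )
    if reference_shown(auth_setting, restriction):
        findings.append(
            "[Reference] is displayed, which indicates password fallback is permitted"
        )
    return findings


if __name__ == "__main__":
    for row in fallback_matrix():
        print(row)
    print(audit(KERBEROS_NTLM, DO_NOT_LIMIT))
```

In this model the only pair that can lead to a password prompt is [Kerberos/NTLMv2/v1] with [Do Not Limit], and it is also the only pair for which [Reference] is displayed.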
3.5 Scan to E-mail (S/MIME) Using PKI Card
3.5.1 Overview
This function uses the PKI card to add a digital signature when sending an
e-mail. Sending an e-mail with a digital signature enables you to prove you
are the e-mail sender.
If a certificate is registered in the target address, you can combine this
function with e-mail encryption when sending an e-mail. Sending an
encrypted e-mail prevents information from being leaked to a third party on
the transmission route.
The certificate obtained from the PKI card is used to encrypt an e-mail to the
user's address using the Scan to Me function. For details on the Scan to Me
function, refer to "Scan to Me" (page 50).
[Figure: labels: Tapping, fabrication or spoofing; PKI Card; Encryption +
Digital Signature.]
Note
This function is not available when you log into the MFP as a public user
or User Box administrator.
3.5.2 Related Settings
This section explains how to configure settings to encrypt an e-mail or add
a digital signature on the MFP that supports this system.
S/MIME Communication Settings
Configure settings to encrypt an e-mail and add a digital signature.
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [Network Settings] - [E-Mail Settings] - [S/MIME
Communication Settings].
Item: Description
ON/OFF: Select [ON].
Digital Signature: To add a digital signature, select [Always add signature]
  or [Select when sending]. The default is [Select when sending].
  If [Select when sending] is selected, specify whether to add a digital
  signature before sending an e-mail.
  If [Always add signature] is selected, a digital signature is
  automatically added using the PKI card when sending an e-mail.
E-Mail Text Encryption Method: Select the e-mail text encryption method.
Print S/MIME Information: Select whether or not S/MIME information is
  printed when sending and receiving e-mail messages.
Automatically Obtain Certificates: Select whether or not certificates are
  automatically obtained when sending and receiving e-mail messages.
Item: Description
Certificate Verification Level Settings: To verify the server certificate,
  configure settings to verify the certificate.
  [Expiration Date]: Select whether to check that the server certificate is
  within the validity period.
  [Key Usage]: Select whether to check that the server certificate is used
  according to the purpose approved by the issuer.
  [Chain]: Select whether to check that the server certificate chain
  (certification path) is correct. The chain is validated by referencing
  the external certificates managed on this machine.
  [Expiration Date Confirmation]: Select whether to check that the server
  certificate is within the validity period. The OCSP service and CRL
  (Certificate Revocation List) are checked in this order when the
  expiration date of the certificate is checked.
Digital Signature Type: Select the digital signature type.
Note
For details on how to configure the settings required to send an e-mail,
refer to the User's Guide [Network Administrator] supplied together with
the MFP.
3.5.3 Encrypting an E-Mail and Adding a Digital Signature
Display the Fax/Scan screen on the MFP control panel, and press
[Communication Settings].
- To encrypt an e-mail, press [E-Mail Encryption].
- If [Select when sending] is selected to add a digital signature, press
[Digital Signature]. If [Always add signature] is selected, a digital
signature will be automatically added.
Detail
• When setting to enable encryption or to add a digital signature, you can
specify up to 10 E-mail addresses to be broadcasted.
• When setting to enable encryption or to add a digital signature after 11 or
more E-mail addresses have already been specified, you need to cancel
all the specified addresses once and reselect them.
• When the encryption is set after specifying the E-mail addresses (up to
10 E-mail addresses), specified E-mail addresses that do not have a
registered certificate will be canceled.
• For details on how to send an e-mail, refer to the User's Guide [Network
Scan/Fax/Network Fax Operations] supplied together with the MFP.
• For details on how to register the certificate in the e-mail address, refer
to the User's Guide [Network Administrator] supplied together with the
MFP.
• When adding a digital signature with a PIV card, enter the PIN code when
sending an e-mail. If the PIV card is locked as a result of an incorrectly
entered PIN code, the e-mail sending job will be discarded.
3.6 PKI Card Print
3.6.1 Overview
This function encrypts print data using the PKI card before sending the data
from the printer driver to the MFP. The print data is saved in the PKI
Encrypted Document User Box of the MFP, and the same user can perform
authentication at the MFP with the PKI card to decrypt and print the data.
The print data is encrypted when it is sent from the printer driver and can only
be printed when authentication at the MFP using the PKI card is successful;
therefore, you can ensure the confidentiality of documents.
[Figure: PKI Card Print flow. Labels: Active Directory, PKI Card, Print data;
steps (1) to (5) as listed below.]
(1) Insert the PKI card into the computer to perform Active Directory
authentication.
(2) Encrypt print data using the PKI card to send it from the printer driver to
the MFP.
(3) Take the PKI card to the MFP.
(4) Insert the PKI card into the MFP to perform Active Directory
authentication.
(5) Decrypt print data using the PKI card, and print it.
3.6.2 Installing the Printer Driver
To use PKI Card Print, install a printer driver compatible with this system in
the computer.
Required System Environment
The printer drivers are available in the following environment.
Type: PCL driver
Page description language: PCL6
Supported Operating System:
Windows 2000 Professional (SP4 or later)
Windows XP Home Edition (SP1 or later)
Windows XP Professional (SP1 or later)
Windows XP Professional x64 Edition
Windows Vista Home Basic *
Windows Vista Home Premium *
Windows Vista Business *
Windows Vista Enterprise *
Windows Vista Ultimate *
Windows 7 Home Basic
Windows 7 Home Premium *
Windows 7 Professional *
Windows 7 Enterprise *
Windows 7 Ultimate *
Windows 2000 Server (SP4 or later)
Windows Server 2003, Standard Edition
Windows Server 2003, Enterprise Edition
Windows Server 2003 R2, Standard Edition
Windows Server 2003 R2, Enterprise Edition
Windows Server 2003, Standard x64 Edition
Windows Server 2003, Enterprise x64 Edition
Windows Server 2003 R2, Standard x64 Edition
Windows Server 2003 R2, Enterprise x64 Edition
Windows Server 2008 Standard *
Windows Server 2008 Enterprise *
Windows Server 2008 R2 Standard
Windows Server 2008 R2 Enterprise
* Available in 32-bit (x86) or 64-bit (x64) environment.
Type: PS driver
Page description language: PostScript 3 Emulation
Supported Operating System:
Windows 2000 Professional (SP4 or later)
Windows XP Home Edition (SP1 or later)
Windows XP Professional (SP1 or later)
Windows XP Professional x64 Edition
Windows Vista Home Basic *
Windows Vista Home Premium *
Windows Vista Business *
Windows Vista Enterprise *
Windows Vista Ultimate *
Windows 7 Home Basic
Windows 7 Home Premium *
Windows 7 Professional *
Windows 7 Enterprise *
Windows 7 Ultimate *
Windows 2000 Server (SP4 or later)
Windows Server 2003, Standard Edition
Windows Server 2003, Enterprise Edition
Windows Server 2003 R2, Standard Edition
Windows Server 2003 R2, Enterprise Edition
Windows Server 2003, Standard x64 Edition
Windows Server 2003, Enterprise x64 Edition
Windows Server 2003 R2, Standard x64 Edition
Windows Server 2003 R2, Enterprise x64 Edition
Windows Server 2008 Standard *
Windows Server 2008 Enterprise *
Windows Server 2008 R2 Standard
Windows Server 2008 R2 Enterprise
* Available in 32-bit (x86) or 64-bit (x64) environment.
Installing the printer driver
The installer enables you to easily install the printer driver by following the
instructions displayed on the pages.
Note
Administrator authority is required to install the printer driver on your
computer.
1. Start the installer.
2. Check the contents of the license agreement, and click [AGREE].
– If you disagree, you will not be able to install the driver.
3. Install the printer driver by following the instructions displayed on the
pages.
Note
• The printer driver installation method varies depending on how the printer
driver is connected to the MFP or which protocol is used. For details,
refer to the User's Guide [Print Operations] supplied together with the
MFP.
• For details on how to uninstall the printer driver, refer to the User's Guide
[Print Operations] supplied together with the MFP.
3.6.3 Specifying the Print Data Deletion Time
The data encrypted with the PKI card is deleted from the PKI Encrypted
Document User Box of the MFP after it has been saved in the User Box and
printed on the MFP.
However, if unprinted print data in the PKI Encrypted Document User Box
exceeds the User Box upper limit, new data cannot be saved in the User Box.
To avoid this problem, you can configure the setting to automatically delete
data that remains saved in the User Box for a specific length of time.
Note
The PKI Encrypted Document User Box can contain up to 200
documents.
PKI Encrypted Document Delete Time Setting
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [System Settings] - [User Box Settings] - [PKI
Encrypted Document Delete Time Setting].
Specify the period from the document saving time to the automatic deletion
time.
3.6.4 Handling PKI Card Print
The following explains how to handle PKI Card Print.
Sending print data (Printer driver setting)
Use the following steps to configure the printer driver setting when
encrypting print data using the PKI card and sending it to the MFP.
1. Click [Print] in the menu of the application software.
2. Select the desired printer.
3. Click [Properties] or [Preferences].
4. Click the [Basic] tab.
5. Click [Authentication/Account Track].
6. Select the [Realm(Domain)] and [IC Card Reader CSP], and click [OK].
– The value of [Realm(Domain)] corresponds to the registration
number of the Active Directory. For example, if the registration
number of an Active Directory is set to [2], the value of
[Realm(Domain)] is also set to [2].
– PKI Card Print uses authentication information of the PKI card;
therefore, it disables the authentication information specified in
[User Authentication].
– If Account Track is enabled, enter the [Department Name] and
[Password] under [Account Track]. To enable Account Track, configure
the printer driver setting separately. For details on setting, refer to
the User's Guide [Print Operations] supplied together with the MFP.
7. Under [Output Method], select [PKI Card Print], and click [OK].
8. Send print data.
Detail
• If the MFP is associated with PageScope Authentication Manager, and
the user is not registered in PageScope Authentication Manager or the
user has no print privileges, an authentication failure will occur, and the
print job will be discarded.
• To print without using a PKI card, select the [Other] tab, and then clear
the [IC card is used] check box. In this case, perform authentication
according to the [User Authentication] setting in step 6. The [IC card is
used] check box is selected by default. If the check box is cleared, [PKI
Card Print] cannot be selected in step 7.
MFP printing
The following explains how to print data on the MFP.
The MFP provides two printing methods: (1) printing data simultaneously
with authentication and (2) selecting and printing data in the PKI Encrypted
Document User Box after authentication.
- Using method (1), you can insert the PKI card into the MFP and
perform authentication to easily print the relevant user's data.
- Using method (2), you can select only the required data from the PKI
Encrypted Document User Box to print it. You can also delete
unnecessary data.
Note
• Selecting method (1) prints all print documents stored in the user's PKI
Encrypted Document User Box.
• The documents stored in the PKI Encrypted Document User Box are
deleted automatically after the specified period has lapsed. For details on
how to specify the deletion time, refer to "Specifying the Print Data
Deletion Time" (page 44).
• The printed data is deleted from the PKI Encrypted Document User Box
after printing.
<Printing data simultaneously with authentication>
When the PKI Encrypted Document User Box contains print data, [Print &
Access] appears on the login screen.
Press [Print & Access], and insert the PKI card into the authentication
unit attached to the MFP.
– If the PKI card is inserted, the PIN code entry screen appears. When
authentication succeeds after entering the PIN code, the system
prints all the relevant user's data and logs into the MFP.
Detail
If necessary, this function also prints data in the ID & Print User Box. For
details on ID & Print, refer to the User's Guide [Print Operations] supplied
together with the MFP.
<Selecting and printing data in the PKI Encrypted Document User Box>
1. Press [Access], and insert the PKI card into the authentication unit
attached to the MFP.
2. Enter the PIN code to log into the MFP.
3. Press the [User Box] key, and then [System User Box] - [PKI Encrypted
Document User Box] - [Use/File].
The login user's print data list is displayed.
4. Select the desired data, and press [Print].
– To delete data, press [Filing Settings], select the data to be deleted,
and press [Delete].
– Press [Document Details] to view detailed information on the selected
document.
3.7 Scan To Me
3.7.1 Overview
Scan To Me is a function that sends scanned data to the user's e-mail
address.
This function is useful when frequently sending scanned data to the user's
address.
Using this function, the user can obtain the authenticated user's e-mail
address using the LDAP protocol to easily send data to the obtained
address. The user can also encrypt an e-mail using the PKI card or add a
digital signature when sending an e-mail, ensuring a higher level of security.
[Figure: Scan To Me flow. Labels: Active Directory, PKI Card, E-mail, Send to
the user's address; steps (1) to (6) as listed below.]
(1) Insert the PKI card into the MFP to perform Active Directory
authentication.
(2) Obtain the user's e-mail address.
(3) Send the e-mail to the user's e-mail address. If necessary, the user can
use the PKI card to encrypt an e-mail or add a digital signature.
(4) Take the PKI card to the computer.
(5) Insert the PKI card into the computer to perform Active Directory
authentication.
(6) Receive the e-mail. If the user encrypted the e-mail or added a digital
signature when sending, decrypt the e-mail or verify the digital signature
using the PKI card.
Note
This function is not available when you log in to the MFP as a public user
or User Box administrator.
3.7.2 Before Using Scan To Me
Restrictions
The following restrictions are applied for use of the Scan to Me function.
- The user cannot directly enter the address using e-mail TX, FTP TX,
SMB TX, WebDAV TX, or Save in User Box.
- The user cannot use Annotation User Box.
- The user cannot save documents using the User Box function.
- The user cannot use the URL notification function.
- The user cannot use the TSI distribution function.
- The user cannot change the specified address when confirming it.
Operation settings
To ensure a higher level of security when using Scan To Me, apply the
following settings.
- Disable Address Search (LDAP) (when no LDAP server is registered).
- Disable saving a document in an external memory.
- When Public User Access is enabled, disable scanning in the public
user mode.
Note
For details on settings, refer to the User's Guide [Network Administrator]
supplied together with the MFP.
3.7.3 Related Settings
The following explains the settings required to use the Scan To Me function.
Obtaining the E-mail address
In your environment, configure the settings required to obtain the user's
e-mail address using the LDAP protocol.
E-Mail TX (SMTP) setting
Configure the setting to send an e-mail from the MFP.
For details on settings, refer to the User's Guide [Network Administrator]
supplied together with the MFP.
S/MIME Communication Setting
This function enables you to encrypt an e-mail using the PKI card or add a
digital signature as required when sending an e-mail.
For details on how to handle e-mail TX using the PKI card and configure its
settings, refer to "Scan to E-mail (S/MIME) Using the PKI Card" (page 36).
3.7.4 Handling Scan To Me
The following explains how to handle Scan To Me on the MFP.
Detail
• If the correct settings are configured to use Scan To Me, [Me] appears on
the Fax/Scan screen to send data to the user's e-mail address.
• If the system fails to obtain the certificate in the PKI card when encrypting
the e-mail to the user's address using the PKI card, [Me] will not appear.
For details on the e-mail encryption setting, refer to "Scan to E-mail
(S/MIME) Using the PKI Card" (page 36).
1. Press the [Fax/Scan] key on the control panel.
2. Specify scan conditions in [Scan Settings], [Original Settings], and
[Communication Settings].
3. Press [Me].
4. Load the original and press the [Start] key on the control panel.
This scans the original and sends data to the user's e-mail address.
Note
For details on scan conditions, refer to the User's Guide [Network Scan/
Fax/Network Fax Operations] supplied together with the MFP.
3.8 Scan To Home
3.8.1 Overview
Scan To Home is a function that sends scanned data to the user's computer.
This function is effective when frequently sending scanned data to the user's
address.
The user can obtain the position of the user's Home folder from Active
Directory, and easily send data to the user's Home folder. To perform
authentication in the user's computer, this function uses the Kerberos
authentication ticket obtained when logging into the MFP, preventing the
password from being made public on the network.
[Figure: Scan To Home flow. Labels: Active Directory, PKI Card, Scanned data,
User's PC, Save in home folder; steps (1) to (3) as listed below.]
(1) Insert the PKI card into the MFP to perform Active Directory
authentication.
(2) Obtain the Kerberos authentication ticket and the position of the user's
Home folder.
(3) Use the Kerberos authentication ticket to log into the user's computer
and save scanned data in the Home folder.
Note
This function is not available when you log in to the MFP as a public user
or as a User Box administrator.
3.8.2 Before Using Scan To Home
Restrictions
The following restrictions are applied for use of the Scan to Home function.
- The user cannot directly enter the address using E-mail TX, FTP TX,
SMB TX, WebDAV TX, or Save in User Box.
- The user cannot use Annotation User Box.
- The user cannot save documents using the User Box function.
- The user cannot send documents from User Boxes.
- The user cannot use the URL notification function.
- The user cannot use the TSI distribution function.
- The user cannot change the specified address when confirming it.
Operation settings
To ensure a higher level of security when using Scan To Home, apply the
following settings.
- Disable Address Search (LDAP) (with no LDAP server registered).
- Disable saving a document in an external memory.
- When Public User Access is enabled, disable scanning in the public
user mode.
Note
For details on settings, refer to the User's Guide [Network Administrator]
supplied together with the MFP.
3.8.3 Related Settings
The following explains the settings required to use the Scan To Home
function.
Obtaining the Home folder position
Configure the setting to enable the user to obtain the position of the user's
Home folder from Active Directory.
Client Setting
Configure the setting to perform SMB TX.
For details on how to handle SMB TX using the PKI card and configure its
settings, refer to "SMB TX Using the PKI Card" (page 31).
Note
Specify the WINS server or direct hosting service to fit your environment.
For details, refer to the User's Guide [Network Administrator] supplied
together with the MFP.
Scan to Home Settings
Enable the Scan to Home function.
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [User Authentication/Account Track] - [Scan to
Home Settings].
Item: Description
Scan to Home Settings: Select [Enable].
3.8.4 Using Scan To Home
The following explains how to use Scan To Home on the MFP.
Detail
If the correct settings are configured to use Scan To Home, [Home]
appears on the Fax/Scan screen to send data to the user's Home folder.
1. Press the [Fax/Scan] key on the control panel.
2. Press [Home].
3. Specify scan conditions in [Scan Settings], [Original Settings], and
[Communication Settings].
4. Load the original and press the [Start] key on the control panel.
This scans the original and sends data to the user's Home folder.
Note
For details on scan conditions, refer to the User's Guide [Network Scan/
Fax/Network Fax Operations] supplied together with the MFP.
4 Added or Changed Setting Information
The MFP that supports this system provides some settings added or
changed from an ordinary MFP model. This chapter shows a list of the added
or changed setting items for each category.
Note
For the settings of an ordinary MFP model, refer to the User's Guide
supplied together with the MFP.
4.1 User Settings
4.1.1 System Settings
Item: Description
Language Selection: The available language is English only.
4.2 Administrator Settings
4.2.1 System Settings
User Box Settings
Item: Description
PKI Encrypted Document Delete Time Setting: Allows the user to specify the
  time required to delete a PKI encrypted document.
  For details, refer to "Specifying the Print Data Deletion Time" (page 44).
4.2.2 User Authentication/Account Track
General Settings
Item: Description
User Authentication: Not displayed.
  User Authentication is automatically set to External Server
  Authentication.
Public User Access: The default is [Restrict].
Synchronize User Authentication & Account Track: Not displayed.
  Specified so that User Authentication is automatically associated with
  Account Track when enabling Account Track.
Ticket Hold Time Setting: The allowable range has been changed to "1 to 600".
External Server Settings
Description
Active Directory is only available as an external server.
Authentication Device Settings
Item: Description
General Settings: [PKI Card Authentication] is the only available
  authentication method. In PIV Transitional Mode, select PIV or CAC.
Certificate Verification Settings
Description
Allows the user to configure the setting to verify a certificate. For details, refer to
"Configuring Settings for Verifying the Active Directory Certificate" (page 15).
4.2.3 Network Settings
FTP Settings
Item: Description
FTP Server Settings: The default is [OFF].
SMB Settings
Item: Description
Client Settings: [NTLM Settings] has been changed to [SMB Authentication
  Setting].
  [Password Authentication Restriction] has been added.
  For details, refer to "Client Settings" (page 32).
LDAP Settings
Item: Description
Setting Up LDAP: [Login Name], [Password] and [Select Server Authentication
  Method] are not displayed.
  [Authentication Type] is available only for [GSS-SPNEGO] or [Anonymous].
  [Select Server Authentication Method] is automatically set so that User
  Authentication is enabled.
  For details, refer to "Setting Up LDAP" (page 26).
[Authentication Setting] is fixed to [Use Set Value].
When performing SMTP authentication, specify the
user ID and password for SMTP authentication.
S/MIME Communication Settings: [Digital Signature Type] has been added. For
  details, refer to "S/MIME Communication Settings" (page 37).
SNMP Settings
Item: Description
SNMP v1/v2c Settings: The default of [Write Setting] is [Invalid].
SNMP v3 (IP): The default is [OFF].
TCP Socket Settings
Item: Description
TCP Socket: The default is [OFF].
WebDAV Settings
Item: Description
WebDAV Server Settings: This function is not supported.
4.2.4 Security Settings
Security Details
Item: Description
Password Rules: This function is not supported.
Prohibited Functions when Authentication Error: The default is [Mode 2].
Confidential Document Access Method: The default is [Mode 2].
Job Log Settings: [Audit Log] is not supported.
Enhanced Security Mode
Description
This function is not supported.
4.2.5 License Settings
Description
This function is not supported.
5 Appendix
5.1 Product Specifications
Product name: Authentication unit (PKI-IC card type) AU-211P
Dimensions: 70 mm (L) × 70 mm (W) × 10 mm (H)
Weight: 60 g
Power supply: USB bus power
Range of operating temperature: 0 to 50°C
Interface: Full speed USB (12 Mbps)
Connector shape: USB A type connector
Compatible card: PKI-IC card (PIV, CAC)
5.2 Cleaning the Authentication Unit
Wipe the surface using a soft, dry cloth. If the surface is still dirty, moisten a
cloth with mild detergent and thoroughly wring it out before cleaning. Once
the dirt has been removed, moisten a cloth with water, thoroughly wring it
out, and wipe off the detergent.
Reminder
• Remove this unit from the MFP before cleaning. Loading the USB port
will result in a malfunction.
• Take care so that no water gets into this unit when cleaning. If water gets
into this unit, it will result in a malfunction.
• Do not clean this unit using organic solvent such as benzene or alcohol.
Doing so will result in a malfunction.
• Before disconnecting or connecting this unit, turn the MFP Main Power
off. After 10 seconds or more have lapsed, turn the MFP Main Power on.
Failing to do so may result in a malfunction.
• When connecting or disconnecting the USB cable, hold the plug. Failing
to do so will result in a malfunction.
5.3 Troubleshooting
If an error occurs during running, refer to the following.
Status: Failed to login.
  Point to be checked: Did you enter the correct PIN code?
  Action: Check the PIN code, and enter the correct one.
Status: Cannot login.
  Point to be checked: Is the PKI card locked?
  Action: If the number of authentication failures reaches a specific limit,
  the PKI card will be locked to prevent the authentication. For details on
  how to unlock the PKI card, contact the PKI card administrator.
Status: Scanning does not start.
  Point to be checked: Did you restart the MFP after connecting this unit to
  the MFP?
  Action: Turn the MFP Main Power off, disconnect the USB cable from either
  the MFP or this unit once, and connect it again. Wait at least 10 seconds,
  and turn the MFP Main Power on.
If you format the HDD after changing the encryption word, you will not be
able to use this system. In that case, contact your service representative.
If any of the above errors recur after taking the specified action, or if other
errors occur, contact your service representative.
2010
http://konicaminolta.com
Copyright
2010. 3A1UD-AU11-00