Embedded Web Server Administrator's Guide
Page 3
... basics...5 Authentication and Authorization ...5 Groups ...6 Access Controls...6 Security Templates...6 Configuring building blocks...7 Creating a password ...7 Creating a PIN...7 Setting up internal accounts ...8 Using LDAP ...9 Using LDAP+GSSAPI ...11 Configuring Kerberos 5 for use with LDAP+GSSAPI ...13 Using NTLM authentication ...14 Securing access...15 Setting a backup password...15 Setting login restrictions...16 Using a password or PIN...
Embedded Web Server Administrator's Guide
Page 5
...printer through the Embedded Web Server involves combining one or more components- This set of authorized functions is the method by Lexmark to enable administrators to build secure, flexible profiles that provide end users the functionality they will be individually identified, passwords ...and group permissions, administrators can be a weak link in conjunction with LDAP+GSSAPI) • NTLM Some Building Blocks, such as Building Blocks: • PIN • Password • Internal accounts • LDAP • LDAP+GSSAPI • Kerberos 5 (used alone to or stored on the ...
Embedded Web Server Administrator's Guide
Page 6
... sets of security Internal Accounts Authentication only Internal Accounts with Groups Authentication and authorization Kerberos 5 Authentication only LDAP Authentication only LDAP with Groups Authentication and authorization LDAP + GSSAPI Authentication only LDAP + GSSAPI with either the Internal accounts or LDAP/LDAP+GSSAPI building blocks. In order to accommodate users in different groups needing access to a common set...
Embedded Web Server Administrator's Guide
Page 9
...credentials-Select either cn (common name), uid, userid, or user-defined. • Search Base-The Search Base is the node in the LDAP server where user accounts reside. Note: A Search Base consists of multiple attributes-such as the information a user must submit when authenticating. ...organizational unit), o (organization), c (country), or dc (domain)-separated by selecting Log out on the printer control panel. Using LDAP Lightweight Directory Access Protocol (LDAP) is a standards-based, cross-platform, extensible protocol that runs directly on top of the TCP/IP layer, and is used to...
Embedded Web Server Administrator's Guide
Page 10
Notes: • Click Delete List to delete all LDAP setups in the list. • An LDAP building block cannot be grayed out. • Distinguished Name-Enter the distinguished name of the print server(s). • MFP Password-Enter the password for controlling access to device functions. 5... classes • Person-Click to previous values. Device Credentials • Anonymous LDAP Bind-If selected, the Embedded Web Server will bind with the LDAP server anonymously, and the Distinguished Name and MFP Password fields will also be provided. • When creating Security Templates, the...
Embedded Web Server Administrator's Guide
Page 11
... Home screen, browse to Settings > Security > Edit Security Setups. 2 Under Edit Building Blocks, select LDAP+GSSAPI. 3 Click Add an LDAP+GSSAPI Setup. 4 The LDAP+GSSAPI Server Setup dialog is divided into four parts: General Information • Setup Name-This name will be used ... Server to communicate with the authenticating server. • To help prevent unauthorized access, users are encouraged to securely end each particular LDAP+GSSAPI Server Setup when creating security templates. • Server Address-Enter the IP Address or the Host Name of authentication that Kerberos...
Embedded Web Server Administrator's Guide
Page 12
... delete all LDAP+GSSAPI setups .... To delete an existing LDAP+GSSAPI setup 1 From the Embedded Web... LDAP+GSSAPI. 3 Select a setup from the list. 4 Make any needed changes in the LDAP ...Configuration dialog. 5 Click Modify to save changes, or Cancel to return to previous values. To edit an existing LDAP...Setups. 2 Under Edit Building Blocks, select LDAP+GSSAPI. 3 Select a setup from the ...groups stored on the LDAP server, by the LDAP building block. Both...custom search object classes (optional). LDAP Group Names • Configure ...LDAP+GSSAPI building block cannot be searched. •...
Embedded Web Server Administrator's Guide
Page 13
Notes: • Click Delete File to remove the Kerberos configuration file from communicating with the LDAP+GSSAPI building block. Using security features in the Realm field 6 Click Submit to save the information as the default realm for authentication. •... for the selected device. • Click Test Setup to verify that krb5.conf file can specify a default realm. Configuring Kerberos 5 for use with LDAP+GSSAPI Though it is functional. Creating a simple Kerberos configuration file 1 From the Embedded Web Server Home screen, browse to multiple realms and Kerberos Domain ...
Embedded Web Server Administrator's Guide
Page 19
... 1: Collect information about the network Before configuring the Embedded Web Server to integrate with the authorization building blocks available on the device. 6 To use the LDAP+GSSAPI capabilities of the Embedded Web Server to take advantage of the Realm (or domain) where the KDC is located • The Kerberos username (distinguished...
Embedded Web Server Administrator's Guide
Page 20
..., such as "Administrator_Only", or "Common_Functions_Template." 5 From the Authentication Setup list, select the name given to your LDAP+GSSAPI Group Names list. Using security features in step 1. Hold down the Ctrl key to 128 characters. Step 5: Assign security templates to access controls...screen, browse to Settings > Security > Edit Security Setups. 2 Select Access Control. For more information on configuring Kerberos, see "Using LDAP+GSSAPI" on page 11 Step 4: Create a security template 1 From the Embedded Web Server Home screen, browse to Settings > Security ...
Embedded Web Server Administrator's Guide
Page 21
... of information transmitted to and from the list. For example, enter an IP address using the format IP:1.2.3.4, or a DNS address using the format DNS:ldap.company.com. Viewing, downloading, and deleting a certificate 1 From the Embedded Web Server Home screen, browse to any function controlled by the security template. Leave this...
Embedded Web Server Administrator's Guide
Page 22
... enter an incorrect PIN before being locked out. For example, enter an IP address using the format IP:1.2.3.4, or a DNS address using the format DNS:ldap.company.com. Configuring confidential printing Users printing confidential or sensitive information may opt to use the confidential print option, which allows print jobs to be...
Embedded Web Server Administrator's Guide
Page 39
what the user is allowed to a user, i.e. They include: password, PIN, Internal accounts, LDAP, LDAP+GSSAPI, Kerberos 5, and NTLM. Authentication and Authorization tools used in the Embedded Web Server. A method for securely identifying a user. A profile created and stored in the ...
Embedded Web Server Administrator's Guide
Page 40
...list of 29 managing with PIN or password 16 managing with security templates 16 understanding 6 authenticating using Kerberos 13 using LDAP 9 using LDAP+GSSAPI 11 using NTLM authentication 14 Authentication understanding 5 Authorization understanding 5 B backup password creating 15 using 15 building ...blocks adding to security templates 16 internal accounts 8 Kerberos 5 13 LDAP 9 LDAP+GSSAPI 11 NTLM authentication 14 C certificates creating 21 deleting 21 setting defaults 22 viewing 21 confidential printing configuring 22 D disk ...
Common Criteria Installation Supplement and Administrator Guide
Page 3
... Security audit logging...22 E-mail...24 Fax...26 Configuring security reset jumper behavior...27 User access...27 Creating user accounts through the EWS...28 Configuring LDAP+GSSAPI...29 Configuring Common Access Card access...32
Common Criteria Installation Supplement and Administrator Guide
Page 4
...error message...39 The printer home screen does not return to a locked state when not in 42 LDAP Issues...42 LDAP lookups take a long time, and then may or may not work 42 LDAP lookups fail almost immediately...43 Held Jobs/Print Release Lite Issues...43 "You are not authorized to...41 "Client [NAME] unknown" error message...42 Login hangs for a long time at "Getting User Info..."...42 User is inserted 39 "The KDC and MFP clocks are printing out immediately...44 Appendix A: Using the touch screen 45 Appendix B: Acronyms 47 Appendix C: Description of Access Controls 48 Appendix D: Using ...
Common Criteria Installation Supplement and Administrator Guide
Page 16
...in the Certificate Management task. 1 From the EWS, click Settings > Security > Certificate Management. After the network setup page prints, the MFP will return to use the device hostname as the Common Name. • Organization Name-Type the name of the company or organization issuing the... field of your Web browser using the EWS. 2 Select Set Certificate Defaults. 3 Enter values in LDAP. This section covers the basic settings required for network-attached devices After attaching the MFP to a network, you have finished using the secure version of the page (with the address beginning ...
Common Criteria Installation Supplement and Administrator Guide
Page 17
...: For information about accessing the EWS, see "Using the Embedded Web Server" on page 15. For example, enter an IP address using the format DNS:ldap.company.com. Note: For information about accessing the EWS, see "Using the Embedded Web Server" on page 15.
Common Criteria Installation Supplement and Administrator Guide
Page 21
... Center) IP. 4 For KDC Port, type the number of the NTP server. 4 If the NTP server requires authentication, set Enable Authentication to the MFP, you have finished using LDAP+GSSAPI or Common Access Cards to control user access to On. 5 Touch Submit. Note: The Realm entry must be using the EWS. 2 Select...
Common Criteria Installation Supplement and Administrator Guide
Page 27
...your device came with a hard disk installed, you will return to reset the security settings on the device. The MFP will not be able to network-attached devices: internal accounts, LDAP+GSSAPI, or PKI Authentication (used to the main Configuration menu. 6 To finish, press Back, and then Exit Config...scroll through the configuration menus until you locate the Fax Storage Location menu selection. 5 Select Disk as Copy or Fax. 3 Verify that the MFP is lost, you have a hard disk installed. Note: Using the security reset jumper can be required to save the changes. To regain ...