Common Criteria Installation Supplement and Administrator Guide
Page 3
... Security audit logging ...20 E-mail ...22 Fax...24 Configuring security reset jumper behavior ...25 User access...25 Creating user accounts through the EWS ...25 Configuring LDAP+GSSAPI...27 Configuring Common Access Card access...30
Common Criteria Installation Supplement and Administrator Guide
Page 4
... "Unsupported USB Device" error message ...37 The printer home screen fails to return to a locked state when not in 40 LDAP issues...41 LDAP lookups take a long time and then fail ...41 LDAP lookups fail almost immediately ...41 Held Jobs/Print Release Lite issues...42 "You are not authorized to determine Windows User...
Common Criteria Installation Supplement and Administrator Guide
Page 6
... from unauthorized access. • The operating environment provides the ability to identify and authenticate users whose accounts are defined externally (LDAP, Kerberos, etc.). • When an administrator configures Network Time Protocol (NTP), the operating environment provides reliable time stamps. ... or if a DLE card has been installed, then contact your Lexmark representative before proceeding. 6 To verify the firmware version, under Device Information, locate Base =, and Network =. 7 Contact your Lexmark representative to verify that the Base and Network values are trained to ...
Common Criteria Installation Supplement and Administrator Guide
Page 15
... will be available on page 15. 2 Click Set Certificate Defaults. 3 Enter values in the appropriate fields: • Common Name-Type a name for SSL support in LDAP. Accessing the EWS 1 Type the device IP address or host name in the address field of your device.
Common Criteria Installation Supplement and Administrator Guide
Page 16
For example, enter an IP address using the format DNS:ldap.company.com. Note: All fields accept a maximum of 128 characters, except where noted. Creating a new certificate 1 From the Embedded Web Server, click Settings > Security > Certificate ...
Common Criteria Installation Supplement and Administrator Guide
Page 19
...stamped. b Click Submit. 4 Click Submit. a Click Install MD5 key or Install Autokey IFF params, and then browse to the MFP, then you will be using LDAP+GSSAPI or Common Access Cards to control user access to the file containing the NTP authentication credentials. Kerberos If you must first configure Kerberos. Note...
Common Criteria Installation Supplement and Administrator Guide
Page 25
... MFP using a method that function. Creating user accounts through the EWS Creating internal (device) accounts for granting access to network‑connected devices: internal accounts, LDAP+GSSAPI, and PKI Authentication (used to reset the security settings on reset and then return to that provides both authentication and authorization.
Common Criteria Installation Supplement and Administrator Guide
Page 27
... should belong. Contain a minimum of authentication and authorization services already deployed on page 19. Each configuration must configure Kerberos before setting up LDAP+GSSAPI. 27 5 Click Settings > Security > Security Setup > Internal Accounts. 6 Click Add an Internal Account, and then provide the..., see "Kerberos" on the network. Using the EWS 1 From the Embedded Web Server, click Settings > Security > Security Setup. Configuring LDAP+GSSAPI On networks running Active Directory, you can store a maximum of the user ID. • Re‑enter password-Retype the password....
Common Criteria Installation Supplement and Administrator Guide
Page 28
...or dc (domain), separated by semicolons. Using the touch screen 1 From the home screen, touch > Security > Edit Security Setups > Edit Building Blocks > LDAP+GSSAPI. 2 Touch Add Entry. 3 Type a setup name, and then touch Done. Note: A search base consists of the print server or servers. ...security templates, you will also be searched. • Custom Object Class-Click to access a function protected by the LDAP building block. LDAP Group Names Administrators can provide Active Directory device credentials in addition to three custom search object classes. Multiple search bases...
Common Criteria Installation Supplement and Administrator Guide
Page 29
... to define, select a numbered group, and then specify the "Short name for group" and Group Identifier. Touch Back to return to the LDAP Group Names screen. • GSSAPI Group (1-32)-For each custom object class you want to supporting anonymous binding or the specified credentials in the...fields. • MFP's Kerberos Username-Type the distinguished name of the group search base, and then touch Submit. When the printer authenticates to the LDAP server, it can be searched. • Custom Object Classes-For each group you will be searched, and then type a name for the print ...
Common Criteria Installation Supplement and Administrator Guide
Page 32
... the PKI Authentication building block would be populated with the authentication building blocks that have been configured on the MFP (internal accounts, LDAP+GSSAPI, or PKI Authentication). Notes: • Because a PKI Authentication security template is created when you can be populated with the... authentication building blocks that have been configured on the MFP (internal accounts, LDAP+GSSAPI, or PKI Authentication). 7 Click Modify Groups, and then select one for authenticating users. This list will not be populated...
Common Criteria Installation Supplement and Administrator Guide
Page 40
... a Kerberos configuration file, then verify that the KDC being used to the file correctly. Login does not respond at "Getting User Info" For information about LDAP‑related issues, see "LDAP issues" on the card was not found in seconds) of the Domain Controller is correct.
Common Criteria Installation Supplement and Administrator Guide
Page 41
...: • Server Port-Set this to 636. • Use SSL/TLS-Select SSL/TLS. • LDAP Certificate Verification-Select Never. 3 Click Submit to communicate with the LDAP server. 41 LDAP issues LDAP lookups take a long time and then fail This issue can occur during address book searches. The ports must ... login (at "Getting User Info") or during address book searches, user e-mail address searches, or user home directory searches. NARROW THE LDAP SEARCH BASE Narrow the LDAP search base to the lowest possible scope that will include all necessary users. Try one or more of the...
Common Criteria Installation Supplement and Administrator Guide
Page 42
... From the Embedded Web Server, click Settings > Device Solutions > Solutions (eSF) > PKI Authentication > Configure. 2 In the User Session and Access Control section, select LDAP Lookup for [USER]" error message Try one or more of the Smart Card principal name or the credential provided by manual login is used to...). • EDI‑PI-The user ID portion of the following: MAKE SURE PKI AUTHENTICATION IS SETTING THE CORRECT USER ID Normally, LDAP lookup is used to set this feature" Held Jobs error message ADD THE USER TO THE APPROPRIATE ACTIVE DIRECTORY GROUP If user authorization is ...
Common Criteria Installation Supplement and Administrator Guide
Page 54
... IPSec setting up 17 K Kerberos configuring 19 importing a krb5.conf file 19 simple setup 19 keyboard using the 44 54 krb5.conf file importing 19 L LDAP+GSSAPI configuring 27 logging configuring the security audit log 20 N network protocols allowed 18 network settings finding 15 network setup page printing 15 Network Time...
Common Criteria Installation Supplement and Administrator Guide
Page 55
... immediately 43 KDC and MFP clocks out of sync 38 KDC did not respond within the required time 39 Kerberos file not uploaded 38 LDAP lookup failure 41 LDAP lookups take too long 41 login does not respond while getting user info 40 login screen does not appear when card is inserted... unknown client 40 unsupported USB device 37 user is logged out too quickly 40 user's realm not found 39 U USB buffering disabling 8 user access using LDAP+GSSAPI 27 user accounts creating at the device 10 using the EWS to create 25 using the touch screen to create 10 using this guide 5
Lexmark Document Distributor
Page 4
... authentication...42 Monitoring and maintaining the system 43 Using Lexmark Management Console...43 Accessing Lexmark Management Console...43 Changing the administrator user name ...43 Changing the administrator password...43 Enabling LDAP server authentication for LMC...44 Device Groups tab tasks... installation...54 Changing the IP address on a configuration 1 system...55 Rebooting the LDD system ...55 Restarting the Lexmark Solutions Application Server...56 Uninstalling LDD components...56 Updating the Advanced Prompting Bundle ...57 Configuring communications...58 Configuring a connection...
Lexmark Document Distributor
Page 43
... system 43 Notes: • The default user name and password are both admin. • If LMC is configured to connect to an LDAP server, any valid user name and password may take several minutes to start all services when the LDD system is first booted. The Home ...tab is displayed upon successful login. Monitoring and maintaining the system Using Lexmark Management Console Accessing Lexmark Management Console 1 Launch LMC from your Internet browser using the URL http://loadbalancer:9780/lmc, where loadbalancer is the computer on which...
Lexmark Document Distributor
Page 44
... for the administrator account. 1 Select LDAP Setup from the System list. 2 Select the Enable LDAP Authentication check box. 3 If your LDAP server requires a secure connection, select Use Secure Connection (SSL/TLS). 4 Type the LDAP Server Address and Server Port. Enabling LDAP server authentication for LMC The administrator can...MyOrganization. 6 Beside User Search Filter, type the attribute used to log on to LMC, the user can set up a connection with an LDAP server to identify a user name, such as ou=Employees. 8 To filter the search to users in the directory. - Monitoring and ...
Lexmark Document Distributor
Page 45
...Unlicensed printers are those that have chosen to appropriate tasks for the user. 9 Select an authentication mechanism: • If the LDAP server accepts anonymous connections, select Anonymous. • If the LDAP server requires authentication: a Select the option beside Username. Out-of-policy printers • Whether Secure Server Communication is enabled Name...number of unlicensed printers. c Type the Password associated with the selected group is configured to use a user name and password, you want to the LDAP server, such as uid=ldapuser,ou=Employees,o=MyOrganization. -