Embedded Web Server Administrator's Guide
Page 3
... in the Embedded Web Server 5 Understanding the basics...5 Authentication and Authorization ...5 Groups ...6 Access Controls...6 Security Templates...6 Configuring building blocks...7 Creating a password ...7 Creating a PIN...7 Setting up internal accounts ...8 Using LDAP ...9 Using LDAP+GSSAPI ...11 Configuring Kerberos 5 for use with LDAP+GSSAPI ...13 Using NTLM authentication ...14 Securing access...15 Setting a backup password...15 Setting login restrictions...
Embedded Web Server Administrator's Guide
Page 5
...This set of authorized functions is located in the document security chain. Utilizing soft configuration features alone or in which a printer is also referred to access. The Embedded ...physical security such as Building Blocks: • PIN • Password • Internal accounts • LDAP • LDAP+GSSAPI • Kerberos 5 (used alone to define who is , who has been authenticated by ... in the Embedded Web Server The latest suite of security features available in the Lexmark Embedded Web Server represents an evolution in keeping document outputs safe and confidential in the...
Embedded Web Server Administrator's Guide
Page 9
... have a unique name. • Administrators can create up to 32 user-defined groups that apply to each unique LDAP configuration. • As with any form of authentication that relies on an external server, users will not be able to access ...runs directly on the printer control panel. Note: A Search Base consists of five unique LDAP configurations. Using security features in the Embedded Web Server 9 Notes: • Supported devices can interact with the LDAP server. Specifying settings for internal accounts Settings selected in the Internal Accounts Settings section will determine...
Embedded Web Server Administrator's Guide
Page 10
... list. 4 Make any needed changes in the LDAP Configuration dialog. 5 Click Modify to save changes, or Cancel to return to previous values. Device Credentials • Anonymous LDAP Bind-If selected, the Embedded Web Server will bind with the LDAP server anonymously, and the Distinguished Name and MFP Password fields will also be provided. • When...
Embedded Web Server Administrator's Guide
Page 11
...that relies on the printer control panel. To add a new LDAP+GSSAPI setup 1 From the Embedded Web Server Home screen, browse to access protected device functions in the Embedded Web Server 11 Multiple search bases may be configured. • Supported devices can store a maximum of multiple attributes...with any form of the LDAP server where the authentication will be performed. • Server Port-The port used by selecting Log out on an external server, users will not be used for access. Note: A Search Base consists of five unique LDAP + GSSAPI configurations. This ticket is the...
Embedded Web Server Administrator's Guide
Page 12
... to Settings > Security > Edit Security Setups. 2 Under Edit Building Blocks, select LDAP+GSSAPI. 3 Select a setup from the list. 4 Make any needed changes in the LDAP Configuration dialog. 5 Click Modify to save changes, or Cancel to return to three custom search object classes...print server(s). • MFP Password-Enter the Kerberos password for those groups under the Group Search Base list. Notes: • Click Delete List to access a function protected by entering identifiers for the print server(s). LDAP Group Names • Configure Groups-Administrators can associate ...
Embedded Web Server Administrator's Guide
Page 13
... use with LDAP+GSSAPI Though it is not specified in the configuration file, then the first realm specified will be used as a krb5.conf file on the selected device, or Reset Form to reset the fields and ... for the selected device is functional. However, if a realm is functional. Notes: • Click Delete File to remove the Kerberos configuration file from communicating with the LDAP+GSSAPI building block. Creating a simple Kerberos configuration file 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 2 Under Edit...
Embedded Web Server Administrator's Guide
Page 19
...you will be helpful to use groups, click Modify Groups, and then select one or more groups to know the following: 1 Kerberos configuration information • Character encoding (used for authenticating users. The name of that function. 4 Click Submit to save changes, or Reset ... groups. 8 Click Save Template. Step 1: Collect information about the network Before configuring the Embedded Web Server to integrate with the authorization building blocks available on the device. 6 To use the LDAP+GSSAPI capabilities of the Embedded Web Server to cancel all changes. The KDC port...
Embedded Web Server Administrator's Guide
Page 20
...Edit Security Setups. 2 Select Access Control. For more information on configuring Kerberos, see "Configuring Kerberos 5 for use groups, click Modify Groups, and then select one or more information on configuring LDAP+GSSAPI, see "Using LDAP+GSSAPI" on page 11 Step 4: Create a security template 1 ...Template." 5 From the Authentication Setup list, select the name given to your LDAP+GSSAPI setup. 6 Click Add authorization, and then select the name given to your LDAP+GSSAPI Group Names list. Step 3: Configure LDAP+GSSAPI Settings 1 From the Embedded Web Server Home screen, browse to Settings ...
Embedded Web Server Administrator's Guide
Page 22
... Download Signing Request-Download or save the signing request as a .csr file. • Install Signed Certificate-Upload a previously signed certificate. Configuring confidential printing Users printing confidential or sensitive information may opt to use the IPv4 address. For example, enter an IP address using the format ...IP:1.2.3.4, or a DNS address using the format DNS:ldap.company.com. Setting certificate defaults Administrators can enter an incorrect PIN before being locked out. Leave this field blank to use the...
Embedded Web Server Administrator's Guide
Page 40
... building blocks adding to security templates 16 internal accounts 8 Kerberos 5 13 LDAP 9 LDAP+GSSAPI 11 NTLM authentication 14 C certificates creating 21 deleting 21 setting defaults 22 viewing 21 confidential printing configuring 22 D disk encryption 24 disk wiping modifying 23 scheduling 23 E encrypting...Function Access Controls 6 list of 29 G Groups understanding 6 I internal accounts using 8 K Kerberos configuring 13 LDAP+GSSAPI and 13 setting date and time for 13 L LDAP using 9 LDAP+GSSAPI Kerberos and 13 using 11 lockout 16 login failure 16 restrictions 16 N notices 2 NTLM authentication...
Common Criteria Installation Supplement and Administrator Guide
Page 3
... physical interfaces and installed firmware...6 Attaching a lock...6 Encrypting the hard disk...7 Disabling the USB Buffer...8 Installing the minimum configuration 9 Configuring the device...9 Configuration checklist...9 Configuring disk wiping...9 Enabling the backup password (optional)...9 Creating user accounts...10 Creating security templates...12 Controlling access to device functions......20 Network Time Protocol...20 Kerberos...21 Security audit logging...22 E-mail...24 Fax...26 Configuring security reset jumper behavior...27 User access...27 Creating user accounts through the EWS...28...
Common Criteria Installation Supplement and Administrator Guide
Page 4
... screen does not appear when a SmartCard is logged out almost immediately after logging in 42 LDAP Issues...42 LDAP lookups take a long time, and then may or may not work 42 LDAP lookups fail almost immediately...43 Held Jobs/Print Release Lite Issues...43 "You are not authorized...Acronyms 47 Appendix C: Description of Access Controls 48 Appendix D: Using Common Access Cards 51 Notices 53 Index 56 check the MFP's date and time" error message...40 "Kerberos configuration file has not been uploaded" error message 40 Users are unable to determine Windows User ID" error message 44 "There...
Common Criteria Installation Supplement and Administrator Guide
Page 16
... Use the navigation menu on page 15. This section covers the basic settings required for SSL support in LDAP. Printing a network setup page 1 From the home screen, touch Menus. 2 Touch Reports. 3 Touch... about accessing the EWS, see "Using the Embedded Web Server" on the left to access configuration and report menus. Using the EWS 1 Type the device IP address or hostname in the ...in the appropriate fields: • Common Name-Type a name for network-attached devices After attaching the MFP to a network, you can find it by printing a network setup page. Creating and modifying digital ...
Common Criteria Installation Supplement and Administrator Guide
Page 21
Kerberos If you will overwrite the configuration file. 21 Be sure to the MFP, you must be using LDAP+GSSAPI or Common Access Cards to control user access to disable HTTP and HTTPS access after you have finished using the EWS. 2 Under Advanced Security ... will be typed in all UPPERCASE letters. 6 Click Submit to the file containing the NTP authentication credentials. 4 Click Submit. Note: The Realm entry must first configure Kerberos. Note: Because only one krb5.conf file is used by the Kerberos server. Using the EWS 1 From the EWS, click Settings > Security > Set Date...
Common Criteria Installation Supplement and Administrator Guide
Page 27
...screen should display a list of functions, instead of standard home screen icons such as Copy or Fax. 3 Verify that the MFP is in Configuration mode by locating the Exit Config Menu icon in the lower right corner of setting up a fax storage location, press the...on the motherboard, that provides both authentication and authorization. Under the evaluated configuration, three options are required to login to normal operating mode. It takes approximately a minute to network-attached devices: internal accounts, LDAP+GSSAPI, or PKI Authentication (used to save the changes. Warning-Potential...
Common Criteria Installation Supplement and Administrator Guide
Page 29
... from your existing system, making access to the MFP as seamless as other network services. Hold down the Ctrl key to select multiple groups for the account (example: "jsmith"). • Password-Passwords must: - Supported devices can use LDAP+GSSAPI to take advantage of five LDAP + GSSAPI configurations. Configuring LDAP+GSSAPI On networks running Active Directory, you...
Common Criteria Installation Supplement and Administrator Guide
Page 30
... home screen, touch Menus > Security > Edit Security Setups > Edit Building Blocks > LDAP +GSSAPI. 2 Select Add Entry. 3 Type a Setup Name, and then touch Next. The MFP will also be searched. • Custom Object Class-Click to select or clear; LDAP Group Names • Configure Groups-Administrators can be entered, separated by entering identifiers for controlling...
Common Criteria Installation Supplement and Administrator Guide
Page 33
..., and usually appears in lowercase. For more information on uploading a CA certificate, see "Creating and modifying digital certificates" on the MFP, and Online Certificate Status Protocol (OCSP) settings must be configured. 14 If you would enter the Domain as "mil,.mil". • Timeout-The amount of time the...times. 18 If DNS is not enabled on your network. 17 To use only the information provided by the specified domain controller, select Disable LDAP Referrals. Note: You must be installed on page 16. 33 they will be tried in the order listed. • Responder Certificate-Browse ...
Scan to Network and Scan to Network Premium Administrator's Guide
Page 37
... display icons changing 6 Domain Search Order specifying 17 E Embedded Web Server using to access configuration settings 6 exporting application configuration settings 19 H home screen icons changing 6 Host ID local (individual) 7 network 7 I icons changing 6 importing application configuration settings 19 L LDAP configuring 17 Lexmark License Server installing 7 license files local (individual) 7 network 7 licensing individual 8 local 8 network 8 N network settings finding...