Follow

How to use Profiledisk when also using CAC for authentication

Product: ProfileUnity

Product Version: 6.7

Expires on: 365 days from publish date

Updated: November 16, 2017

 

Problem:

How to use ProfileDisk when also using CAC for authentication

 

Possible Resolution(s):

There are special considerations for desktop users using ProfileUnity’s ProfileDisk technology while using CAC authentication for logins. ProfileDisks can be deployed as either VHDs or VMDKs.

There are no extra configuration steps to take when working with VMDKs. In fact, ProfileDisk VMDKs work well with CAC authentication in ProfileUnity 6.5.10 and higher.

However, there are some extra configuration steps to take when working with ProfileDisk VHDs. ProfileUnity As a Service will need to be setup, and CAC Authentication must be enabled in the ProfileUnity Computer GPO (step 2). And setup your ProfleUnity client to run as a service (step 1)

1. Create a Service Account to use for process

  • In AD create an account to use as the service account for this process or use an existing account
  • Make sure the service account has full control on the share where the vhd ProfileDisks are to be stored.
  • In ProfileUnity Console> Navigate to Administration on top right
  • Scroll down to ProfileUnity Tools Section
  • Add relevant account info and download the .creds file to the share or netlogon folder where the ProfileUnity client tools (ini path) reside.  If the password for this account expires or changes you will need to repeat this process.

 

2. To enable CAC authentication:

  1. Open your computer Group Policy for ProfileUnity.
  2. Under Computer Configuration > Administrative Templates > Classic Administrative Templates >Liquidware Labs > ProfileUnity select 32 Bit or 64 Bit depending on the bit level of your target operating systems.
  3. Set ProfileDisk VHD CAC support to “Enabled”. ProfileDisk, when leveraging Common Access Card (CAC) Security, requires a setting so we know to impersonate the ProfileUnity as a Service user when connecting to the file share. We can NOT impersonate a CAC user for security reasons. We leverage ProfileUnity as a Service user name and password. This also means the minimum requirement for ProfileDisk VHD with CAC, is to have the ProfileUnity as a Service account full control on the file share. When it comes to ProfileDisk VMDK and CAC this setting is NOT required.
  4. Example:

 

 

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

0 Comments

Article is closed for comments.