One obstacle that administrators looking to deploy information cards in an enterprise will inevitably face is getting information cards to their users. Nobody wants to have to send an email to their users saying that in order to access a web service, they’ll need to go to an issuance website and download an information card. Things should just work. With that in mind, the “Geneva” Server and CardSpace teams created Silent Card Provisioning, a feature that uses Group Policy to deploy information cards to domain users automatically.
Step by Step
Setting up Silent Card Provisioning is very simple. In the “Geneva” Server UI, select your information card and choose “Save Group Policy Template Files.” This will save group policy files called IdentitySelectorBaseGPTemplate and AutoCardProvisioningGPTemplate. The .adm versions of these files are needed for Windows Server 2003 domain controllers, while the .admx and .adml are for use in Windows Server 2008. For more details and a step-by-step guide to setting up silent card provisioning, see this link.
“Geneva” Server creates the necessary group policy templates for you.
Once the group policy is set on the domain controller, domain users with CardSpace “Geneva” will automatically connect to the server, download and install the card. This process happens silently and the user doesn’t have to know or worry about it. If anything about the card, such as the image or authentication types, is changed on the Server, CardSpace will automatically pick up those changes. If the card is disabled on the Server, CardSpace will delete it from client machines. This means that once CardSpace is installed, the user doesn’t have to do anything to get the cards they need.
Tips and tricks
· This feature integrates well with Card Usage Policy. By setting a card to be silently provisioned and automatically used, administrators can really streamline their user experience.
· The group policy template files specify the location of the Geneva Server, the issuer name, and the time interval to check for card updates. This interval is set to two days by default but can be made longer or shorter if necessary. In addition to updating at this interval, users will have their cards updated each time they log on.
· The easiest way to ensure that a client machine gets its group policy and cards updated right away is to log off and log back on. For testing, the following commands run from an administrative command prompt will also update a client’s card(s):
o GpUpdate /force
o "%PROGRAMFILES%\Windows CardSpace\bin\CSHelper.exe" /provision
Hopefully this feature will streamline your experience with Geneva in the enterprise and we look forward to hearing your feedback.
Oren MelzerSoftware Development Engineer“Geneva” Team