Enabling CAC/PIV Smart Cards for Secret Launchers

You are viewing documentation for a version of Secret Server that is no longer supported. Delinea supports Secret Server for one year after release. This version has passed that window and will no longer receive updates. We strongly recommend upgrading to a supported version. Visit the current version of this page for the latest documentation.
For release dates, end-of-support timelines, and upgrade guidance, see the Secret Server Product Lifecycle page.

Overview

A Common Access Card (CAC) or Personal Identity Verification (PIV) smart card is a physical card with an embedded electronic chip that uses a certificate-key pair to authenticate users. The certificate is issued by an authorized organization. The user has a PIN that should be known only to that user, which serves as a second factor for two-factor authentication: access requires physical possession of the card as well as the PIN. The user inserts the card into a card reader, which prompts for the PIN.

Secret Server launchers can pass smart card credentials through Remote Desktop Protocol (RDP) sessions. This is useful when a user needs to authenticate through an RDP session to a resource that requires smart card authentication, for example, a secured network drive that the user attempts to open while using the RDP session.

Currently, you can enable this either globally, via user settings, or per secret:

Enabling Globally with User Settings

  1. In Secret Server, click the user icon and select User Preferences. The User Preferences page appears.

  2. Click the Settings tab.

  3. In the Launcher Settings section, click to enable the Allow Access to Smart Cards toggle. The change is automatically saved.

Enabling on a Specific Secret

  1. On a Secret with an RDP launcher, click the Settings tab.

  2. Under RDP Launcher – Personalized User Settings, click the Edit link on the title bar. The page changes to edit mode.

  3. Click to select the Allow Access to Smart Cards check box.

  4. Click the Save button.