Automated Enrollment    Chapter 9  Authentication  395

Setting Up Pin Based Enrollment

Pin based authentication involves setting up pins for each of your users in the LDAP directory, distributing those pins to your users, and then having the users provide their pin along with their user ID and password when they fill out a certificate request. Users are then authenticated both against an LDAP directory using their user ID and password, and against the pin that is contained in their LDAP entry. When the user successfully authenticates, their request is automatically processed and a new certificate is issued.

CMS provides a tool that adds the schema needed for pins to the Directory Server and generates the pins for each user.

To set up pin based authentication, you do the following:

• Use the pin tool to add the schema needed for pins, add pins to the user entries in your directory, and then distribute the pins to your users. See "Creating Pins," on page 396.

• Set any policies for certificate extensions, or for constraints on certificates; see Chapter 11, "Policies" for information about policies. Alternatively, you can enroll users through the certificate profile functionality, setting policies for specific certificates in the certificate profile; see Chapter 10, "Certificate Profiles" for information about policies.

• Create an instance of the UidPwdPinDirAuth authentication plug-in module and configure the instance. See "Setting Up the UidPwdPinDirAuth Authentication," on page 397 for details.

• Customize the HTML enrollment forms. Make sure the proper authentication method is contained in the form, and do any other customization required. In the enrollment form you use, be sure to include the following line, and replace myAuthMgr with the name of the authentication instance you added. For more information on customizing the enrollment forms, see the CMS Customization Guide.

• In the case of certificate profile-based enrollments, customize the enrollment forms by configuring the inputs in the certificate profile. Make sure you include the information that will be needed by the plug-in to authenticate the user. If the default inputs do not contain all of the information that needs to be collected, you can either create an input that does using the CMS SDK, or submit a request created with a third-party tool.
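The two-stage check described above (user ID and password against the directory, then the pin held in the user's entry), as an added Python example that is not part of this guide or of the CMS product: a constructed in-memory dictionary stands in for the LDAP server, and the attribute names, the hashing scheme and the sample users are all assumptions, not CMS's real pin schema.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 50_000  # assumption for this example; tune for your deployment


def _derive(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash so neither the password nor the pin is stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def make_entry(uid: str, password: str, pin: str) -> dict:
    """Build one directory entry. 'userPassword' and 'pin' are hypothetical
    attribute names; the pin gets its own salt so the two secrets are independent."""
    pw_salt, pin_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    return {
        "uid": uid,
        "pw_salt": pw_salt, "userPassword": _derive(password, pw_salt),
        "pin_salt": pin_salt, "pin": _derive(pin, pin_salt),
    }


# Constructed stand-in for the LDAP directory, keyed by uid.
DIRECTORY = {e["uid"]: e for e in [
    make_entry("alice", "correct horse battery", "482913"),
    make_entry("bob", "a different passphrase", "117650"),
]}


def uid_pwd_pin_auth(uid: str, password: str, pin: str) -> bool:
    """Mirror the plug-in's flow: the uid/password check must succeed, and the
    pin supplied on the form must match the pin in that user's entry.
    Fails closed on any mismatch or unknown user."""
    entry = DIRECTORY.get(uid)
    if entry is None:
        # Do equivalent work so an unknown uid is not cheaper than a bad password.
        _derive(password, b"\0" * 16)
        return False
    pw_ok = hmac.compare_digest(_derive(password, entry["pw_salt"]), entry["userPassword"])
    # Evaluate the pin unconditionally rather than short-circuiting on pw_ok,
    # so a wrong password and a wrong pin are not distinguishable by timing.
    pin_ok = hmac.compare_digest(_derive(pin, entry["pin_salt"]), entry["pin"])
    return pw_ok and pin_ok
```

A six-digit pin hashed this way is still cheap to brute-force offline if the directory entries leak, which is why the pin is only ever a second factor alongside the directory password and not a replacement for it.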