CLM card unblock policy
Hi
Is it possible for one user to unblock the card of another user? I only get the execute option for an unblock request when logged in as the user who is the target of the request. This is the user who originally requested the card and so has the profile template registered against their user name.
I would like something similar to the way you can use an enrollment agent to provision a card on behalf of a user, but for unblocking a card?
Is this possible or is an offline unblock the only way to do it?
Thanks
March 24th, 2010 2:38pm
Would kiosk mode do this? If so how do you enable it?
March 29th, 2010 4:16pm
Why would you ever want someone else to unblock your card? It's a security issue.
How do you know someone else has not used your cert to do something evil?
March 29th, 2010 6:11pm
I was hoping that just a trusted group of admins could be given the rights to do this. Isn't that what you do with the offline unblock with a challenge/response scenario?
March 30th, 2010 11:04am
Now you have to convince your CEO/Chief Security Officer that the card issuer (maybe some college students with minimal wages) will have a small window of attack...
E.g. in Windows, when your account is first created, it's marked as "user must change password"; it's a good hint that my account is untouched since creation.
For offline unblock, it's a different scenario. That's when I have forgotten my PIN and I am stuck at the Vista/Win7 logon screen. I call up the helpdesk and go through the challenge/response. The difference here is, I am still in possession of my card.
You seriously should consider letting the card holder unblock his own card.
March 30th, 2010 11:53am
But what's the point in doing it this way? In an unblock scenario the user still has possession of their card, they have the ability to log on to the system and have access to the portal, why incur the expense of having a group of admins or help desk agent being involved in the process?
Paul Adare
CTO
IdentIT Inc.
ILM MVP
March 30th, 2010 1:51pm
I have the same problem as Yuf Atbasta.
I have my offline Unblock working just fine, but I need to get the Unblock working, and have forgotten how we got it working in test.
The main problem with the user self-service through the portal is that it assumes that the user can log in with a blocked smartcard. If you are going for getting rid of the static password on the user account (and in the face of APT, we should all be pursuing that), and you have flipped the "require Smartcard" bit on the user account, then they can't log in to self-unblock themselves.
So we are setting up our Helpdesk and Security People to be able to unblock people’s smartcards.
I am pretty sure we got this working in test.
But I am having trouble getting it to work in production.
May 3rd, 2011 4:51pm
UPDATE:
OK, now I am pretty sure that I must have been smoking something when I thought I got it working in test (got to lay off the Cat Nip). After trying lots of things and talking with Microsoft, it looks like the Online Unblock is designed for self-service where the user goes to the portal with their account and uses an OTP from the helpdesk.
I think we are going to try using the xp / 2003 pintool.exe to generate a challenge and response from the helpdesk's workstation, and have them perform offline unblocks.
I can see where in most places they don't have the security infrastructure to handle / want this kind of Unblock, but for those places that have vested security resources; this kind of reset would have been nice.
May 3rd, 2011 11:45pm