¶ Status Quo
You can see the list of Users in the Console together with their Token statuses. The list is searchable and can be tweaked with the help of the toolbar.
By assigning a Token to a User, you enable that User for SystoLOCK.
Be sure to install SystoLOCK Client on the User's workstation prior to enabling the User.
¶ Assigning a Token
You can assign a token to a user at various stages and places:
- From the User list by clicking on Assign Token... on the side or context menu
- From the User property page by clicking on Assign Token... button
- From the Token list by clicking on Assign to User... on the side or context menu
- From the Token property page by clicking on Unassigned link
- Using PowerShell by executing the
Set-SystoLOCKAssignmentcmdlet
You need to be a memeber of either Domain Admins group or SystoLock Administrators group in order to be able to assign tokens to users.
While assigning a Token to a User, you can set a new PIN or leave the PIN unset. The later case is called Delayed Initialization and is used to signal to the system that the user can complete the provisioning on their own and select the PIN themselves:
If, for any reason, you need to keep the user's password, you can select Retain Windows password checkbox.
Please, bear in mind that setting this option reduces the security of that user's account considerably!
You can also use PowerShell to assign a Token:
PS C:\> $Token = Get-SystoLockToken -TokenId YSB2EA27DAB7
PS C:\> $User = Get-ADUser -Identity VassiliyPupkine
PS C:\> Add-SystoLockAssignment -Token $Token -User $User
# or: Add-SystoLockAssignment -Token $Token -User $User -Pin 12345
UserDN : CN=Vassiliy Pupkine,OU=Users,DC=company,DC=local
TokenId : YSB2EA27DAB7
Class : Software
Algorithm : TotpSha1
HasConstraints : False
IsActive : True
HasPin : False
LastUsed : 01/12/2019 21:37:36
Drift : -1
You can assign more than one Token to a User.
SystoLOCK MMC will assist you if there is a rights problem in AD with the accounts you are trying to assign a token to. If you stil encounter an 'Access denied' error, consult this chapter.
¶ Post-assignment tasks
Once you assigned a Token to a User, you can perform various tasks upon this assignment:
- Disable Token
- Enable Token
- Set PIN
- Remove PIN
- Test Token
- Synchronize Token
- Release Token (from the User)
All these tasks can be performed from the Console as well as from PowerShell.
¶ User Self-Provisioning
You can enable self-provisioning for the users, so that they can assign tokens to themselves and create PINs. There are two modes of self-provisioning: delayed initialization and smartphone provisioning, the later involves SystoLOCK Companion (recommended) or any other compatible smartphone-based OTP generator (See Token Compatibility).
In both modes, after administrators prepare Tokens and/or accounts, users execute "SystoLOCK Self-Provisioning" from the start menu or click on "First time smartphone-user" on the login screen or window.
| Click here ... | ... to open this | |
|---|---|---|
 |
 |
 |
¶ Delayed Initialization
Delayed initialization means that no PIN was provided for the Token Assignment when it was created. This Assignment, until the initialization is complete, cannot be used for authentication, the User must first complete the initialization and create a PIN for that Assignment.
To complete the initialization, the user needs to invoke the smartphone provisioning wizard as shown above, key in the following information:
- Their username
- Token-ID that was either conveyed by the administrator or that is imprinted on the physical token
- The new PIN, a string of arbitrary symbols with a minimum length of 5
- The OTP from the token
After the user clicks on OK, the Server completes the delayed initialization and the Token is enabled for authentication.
¶ Smartphone Provisioning
Smartphone self-provisioning means that, although no token was pre-assigned, the user was enabled for self-provisioning by assigning that user to a special SystoLOCK AD group - "SystoLOCK Self-Provisioning Users". Members of this group can self provision their accounts with SystoLOCK Companion without involving any administrator.
There are two ways of smartphone provisioning: with smartphone provisioning wizard shown above or with smartphone alone. The later requires either SystoLOCK be published to the Internet or SystoLOCK Servers be accessible from the smartphone within the internal network.
¶ 1. Using Smartphone Provisioning Wizard
The user needs to perform the following actions to invoke smartphone self-provisioning:
- Start the wizard as described above
- Key in their username and ...
- ... password
- If the user is allowed ti self-provision, a QR code is displayed on the right side of the wizard
- The user scans the QR code with SystoLOCK Companion (by clicking on a + in the app), the app registers the new account and starts displaying the OTP
- The user now keys in their new PIN and ...
- ... the OTP form the smartphone
¶ 2. Using SystoLOCK Companion Alone
To self-provision the user just by using SystoLOCK Companion, the user needs to start the app, tap on the + sign and select "SystoLOCK Account". On the resulting screen the user keys in their user name, password and the new PIN:
If the user is allowed to self-provision, the new account is added the SystoLOCK Companion and the self-provisioning completes.
It is only possible to self-provision an account once, since the password is then deleted from the account.