PKI-Enabled MFP Installation and Configuration Guide Version 2.0.0 www.lexmark.com...
Lexmark International Ltd., Marketing and Services Department, Westhorpe House, Westhorpe, Marlow Bucks SL7 3RQ. Lexmark may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Kingdom and Eire, call +44 (0)8704 440 044. In other countries, contact your point of purchase.
Lexmark that cannot be excluded or modified. If any such provisions apply, then to the extent Lexmark is able, Lexmark hereby limits its liability for breach of those provisions to one of the following: replacement of the Software Program or reimbursement of the price paid for the Software Program.
correction, and security testing. If you have such statutory rights, you will notify Lexmark in writing of any intended reverse engineering, reverse assembly, or reverse compilation. You may not decrypt the Software Program unless necessary for the legitimate Use of the Software Program.
Table of Contents
Lexmark Software License Agreement
Other Notices
Background Information
Installing the Firmware and Applications
  Firmware Update
  Smartcard Driver
  PKI Applications
Configuring the Basic MFP Settings
  Date and Time
1 Background Information
This document assumes you have read and completed the Pre-Installation Guide for the Lexmark PKI-Enabled MFP. If not, please consult that guide before continuing with the installation. This document refers throughout to the information gathered using that guide.
2 Installing the Firmware and Applications
The PKI application support comes in three parts:
• PKI/AD Firmware
• Smartcard Driver
• PKI Applications
All three need to be installed in order to activate PKI support. The SmartCard Reader cannot be installed on the MFP prior to completing all the steps in this section.
2.1 Firmware Update
NOTE: Installing the PKI/AD Firmware will remove any previously installed embedded solutions.
MFP model.
MFP Model | Firmware File
X644 and X646 | LC2_MC_P254PAh1_full.fls
X85x | LC2_BE_P248PAh1_full.fls
X782 | LC2_TO_P077PAh1_full.fls
X94x | LC_BR_P065PAh1_full.fls
T64x + X4600 | LC2_TI_P249PAh1_full.fls
3. It will take a few minutes for the file to upload and for the MFP to be updated. Wait for the update to complete and then refresh the web page.
2. One Embedded Solution (PKI/Active Directory Application) is automatically installed when the PKI/AD firmware is installed. Click the Install button.
3. Browse to the Smartcard Driver solution file and click Start Install. See the table below for the filename that corresponds to each supported card type.
Card Type | Solution File
CAC / DOD | scif-cac-2_0_0.fls
4. Wait for the install to complete and then click Return.
5. There should now be two embedded solutions installed on the MFP.
Note: The Name and Version of the Smartcard Driver Application displayed here may differ from what is displayed on your MFP.
2.3 PKI Applications
Once the firmware and Smartcard Driver have been installed, the application files can then be installed.
2. Browse to the PKI Authentication Application solution file, pkiad-2_0_0.fls, and click Start Install.
3. Wait for the install to complete and then click Return.
4. Repeat steps 1 – 3 to install each of the following PKI applications. If a particular function will not be used, it does not need to be installed.
PKI Function | Solution File
User Authorization for Copy, Fax, and/or FTP | pkistdapps-2_0_0.fls
Scan to Email | pkiemail-2_0_0.fls
...
3 Configuring the Basic MFP Settings
This section describes the process for using the information obtained in the Pre-Installation Guide to configure the basic MFP Settings. Even if this device has been previously set up, follow through these steps to make sure all settings necessary for the PKI capability to function correctly have been configured.
2. [Pre-Installation Section 2.3] The Date and Time screen is displayed.
If setting the time manually:
• Set the Time Zone
• Set the Date & Time in the format shown
If using a Time Server:
• Set the Time Zone
•...
1. Click Configuration and then click Network/Ports.
2. Click TCP/IP.
3. [Pre-Installation Section 2.4] Check the value in the Domain Name field. Set it to the value listed in Pre-Installation Section 2.4, Item 1. If there are any other values given in Items 2 to 4, add them to the Domain Search Order;...
4. [Pre-Installation Section 2.2] If using a Static IP Address, also check the WINS and DNS Server Address and make sure there is a valid value specified for each. If a backup DNS Server is available, set that value as well.
5.
1. Click Configuration and then click Network/Ports.
2. Click Email Server Setup.
3. [Pre-Installation Section 5.2] The Email Server Setup screen is displayed. Fill in the Primary SMTP Gateway and Port. If available, fill in the Secondary SMTP Gateway and Port. Provide a default email subject and message. The Reply Address is not necessary since it will be set to the logged-in user’s email address.
1. Click Configuration and then click Network/Ports.
2. Click Address Book Setup.
3. [Pre-Installation Section 2.5, items 1 – 7] The Address Book Setup page is displayed. The following fields need to be filled in:
Field | Corresponding Pre-Installation Guide Section 4.2 Item
Server Address | Item 1 (Use the hostname rather than the IP address)
Server Port | Item 2
Use SSL/TLS...
5. [Pre-Installation Section 2.5, item 8] If using the user’s credentials to connect to the LDAP server, no other changes are necessary. If connecting anonymously or using a service account, then return to the Address Book Setup Screen and click MFP Credentials.
6. [Pre-Installation Section 2.5, item 8] The MFP Credentials page is displayed. If connecting anonymously, check the Anonymous LDAP Bind. If connecting using a service account, uncheck the Anonymous LDAP Bind option and provide the MFP’s Distinguished Name and Password. The Kerberos settings are not used. Click Submit.
3.5 Auto-Logout
1.
2. [Pre-Installation Section 3.4.1] Set the Auto “Log out” delay value.
3. Click Submit.
3.6 Certificate Management
[Pre-Installation Sections 2.5 item 3, 3.2.2.1.1, 8.1, 8.2, &...]
Certificates are needed for SSL support in LDAP lookups and for Domain Controller verification. All certificates needed by the device must be in PEM (Base64) format and...
1. Click Configuration and then click Security.
2. Click Certificate Management.
3. Click Install a New Certificate Authority Certificate.
4. Browse to the file containing the certificates and then click Submit.
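An added example, not part of the Lexmark guide: CA certificates may be exported as binary DER (.cer) files rather than PEM, so this Python script normalizes a mix of DER and PEM files into the single PEM (Base64) file that step 4 uploads. The file names and sample bytes are constructed, and the code checks the encoding only; it does not validate the X.509 contents.

```python
import base64
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.DOTALL
)

def to_pem_blocks(blob: bytes) -> list:
    """Return each certificate in one exported file as normalized PEM text."""
    if b"-----BEGIN CERTIFICATE-----" in blob:
        blocks = []
        for match in PEM_BLOCK.finditer(blob.decode("ascii")):
            body = "".join(match.group(1).split())       # drop CR/LF and indentation
            der = base64.b64decode(body, validate=True)  # rejects non-Base64 bytes
            blocks.append(ssl.DER_cert_to_PEM_cert(der))
        if blocks:
            return blocks
    elif blob[:1] == b"\x30":                            # ASN.1 SEQUENCE: binary DER
        return [ssl.DER_cert_to_PEM_cert(blob)]
    raise ValueError("file is neither a DER nor a PEM certificate")

def build_bundle(files: dict) -> str:
    """Concatenate all certificates from all files into one PEM bundle."""
    seen, out = set(), []
    for name, blob in files.items():
        try:
            blocks = to_pem_blocks(blob)
        except ValueError as exc:
            raise ValueError(f"{name}: {exc}") from exc
        for pem in blocks:
            if pem not in seen:      # the same CA exported twice is kept once
                seen.add(pem)
                out.append(pem)
    return "".join(out)

# Constructed sample input: tiny DER structures standing in for certificates.
SAMPLE_ROOT_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_ISSUING_DER = b"\x30\x03\x02\x01\x02"
SAMPLE_FILES = {
    "root.cer": SAMPLE_ROOT_DER,  # binary DER export
    "chain.pem": (ssl.DER_cert_to_PEM_cert(SAMPLE_ISSUING_DER)
                  + ssl.DER_cert_to_PEM_cert(SAMPLE_ROOT_DER)
                  ).replace("\n", "\r\n").encode("ascii"),  # CRLF PEM, one duplicate
}

if __name__ == "__main__":
    print(build_bundle(SAMPLE_FILES), end="")
```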
4 Configuring PKI/AD Authentication
This application is required for the PKI-enabled MFP. This section details the configuration steps.
1. Click Configuration and then click Embedded Solutions.
2. Select the PKI/AD Authentication solution by clicking its name.
4.1 General Settings
After selecting PKI/AD Authentication from the Embedded Solutions list, click the Configure tab.
The following table lists each setting and the corresponding Pre-Installation Section/Item that contains the value needed for that field.
Setting | Corresponding Pre-Installation Guide Section/Item
User Validation Mode | Section 3.2
DC Validation Mode | Section 3.2.2.1.1
OCSP Responder URL | Section 3.2.2.1.1 Item 1. The format should be http://<ipaddress>:<port>.
here.
Disable Reverse DNS Lookups | Section 3.2.2 Item 3
Use KDC for LDAP Server | Section 3.2.2 Item 4
Login Screen Text | Section 3.1.3 Item 1
Login Screen Image | Section 3.1.3 Item 2
Logout Behavior | Section 3.4.2
Allow Copy Without Card | Section 3.1.1
Allow Fax Without Card | Section 3.1.2
...
4.2 Custom LDAP Settings
If you have defined a custom LDAP configuration that differs from the MFP’s Default LDAP Configuration, continue with this section; otherwise, it can be skipped. After selecting PKI/AD Authentication from the Embedded Solutions list, click the LDAP Configuration tab.
4.2.1 Adding a New Configuration
1. Click New to create a new LDAP Configuration.
2. The LDAP Configuration page is displayed. Referring to section 7 of the Pre-Installation Guide, use the following table to configure the settings.
Setting | Corresponding Pre-Installation Guide Section/Item
Configuration | Configuration 1 uses Section 8.1; Configuration 2 uses Section 8.2; Configuration 3 uses Section 8.3
Use KDC for LDAP Server | Item 1
Server Address...
Search Base | Item 8
Authentication | Item 9
MFP Distinguished Name | Item 9. Only used if Authentication is set to MFP User ID.
MFP Password | Item 9. Only used if Authentication is set to MFP User ID.
4. Click Apply.
5. Repeat for each custom configuration that needs to be created. A maximum of three configurations can be created;...
4.2.3 Removing an Existing Configuration
1. Check the box next to the configuration to be removed.
2. Click the Remove button.
5 Configuring PKI/AD Standard Applications
This application is only used if User Authorization is enabled for Copy, Fax, or FTP. You can skip this section if this application has not been installed.
1. Click Configuration and then click Embedded Solutions.
2. Select the PKI/AD Standard Apps solution by clicking its name.
3. Click the Configure Tab.
4. The following table lists each setting and the corresponding Pre-Installation Section/Item that contains the value needed for that field.
Setting | Corresponding Pre-Installation Guide Section/Item
Copy Authorization | Section 4.1 Item 1
Copy Authorization List | Section 4.1 Item 2
Fax Authorization | Section 4.2 Item 1
Fax Authorization List...
6 Configuring PKI/AD Email
This application is only used if Scan to Email is enabled. You can skip this section if this application has not been installed.
1. Click Configuration and then click Embedded Solutions.
2. Select the PKI/AD Email solution by clicking its name.
3. Click the Configure Tab.
4. The following table lists each setting and the corresponding Pre-Installation Section/Item that contains the value needed for that field.
Setting | Corresponding Pre-Installation Guide Section/Item
Email Authorization | Section 5.1 Item 1
Email Authorization List | Section 5.1 Item 2
SMTP Server Authentication | Section 5.2 Item 2
Device Userid...
Sign Email | Section 5.6.1 Item 1
Encrypt Email | Section 5.6.2 Item 1
Require Email to be Signed or Encrypted | Section 5.6.3 (after table)
Signing Method | Section 5.6.1 Item 2
Signing Algorithm | SHA1 – only algorithm currently supported
Non-Repudiation Required for Signing | Section 5.6.1 Item 3
Sign and Encrypt Method...
7 Configuring PKI/AD Scan to Network
This application is only used if Scan to Network is enabled. You can skip this section if this application has not been installed.
1. Click Configuration and then click Embedded Solutions.
2. Select the PKI/AD Scan To Network solution by clicking its name.
7.1 General Settings
After selecting PKI/AD Scan To Network from the Embedded Solutions list, click the Configure tab.
Corresponding Pre-Installation Guide Section/Item
Button Text | Section 6.1 Item 1
Up Icon | To use a different icon, contact Lexmark to get a “blank” button to be used as the base.
Down Icon | To use a different icon, contact Lexmark to get a “blank”...
7.2 Fileshare Settings
After selecting PKI/AD Scan To Network from the Embedded Solutions list, click the File Shares tab to define one or more fileshares that users can access. At least one fileshare must be defined or the user will see an error that this feature has not yet been configured.
Remove “$” from Fileshare Name | Section 6.2 Item 9
Create Directory | Section 6.2 Item 10
4. Click Apply.
5. Repeat for each fileshare that needs to be created. There is no limit to the number of fileshares that can be created.
7.2.2 Editing an Existing Fileshare
1.
8 Troubleshooting
This section details some of the common issues that occur when setting up the PKI-enabled MFP. Please review these and possible causes/resolutions prior to contacting the Lexmark Solutions HelpDesk.
8.1 Login Issues
Error Message/Symptom | Possible Cause/Resolution
Unsupported USB Device...
beyond an acceptable range; check the MFP's date and time. | minutes of each other. Resolution: Verify the date and time on the MFP; see section 3.1. Be sure the time zone and daylight saving time settings are correct.
Kerberos configuration file has not been uploaded. | Cause: The PKI/AD Authentication solution is...
Windows domain in lower case to the Kerberos Domain setting. For example, if the user’s domain is “x.y.z”, set the Kerberos Domain to “mil,.mil.x.y.z”.
Resolution: If using a Kerberos Configuration File, add a mapping to the “domain_realm” section that maps from the lower case Windows domain to the uppercase realm –...
blocked by a firewall.
Resolution: These ports are used by the MFP to communicate with the LDAP Server and must be open in order for LDAP lookups to work.
Cause: Reverse DNS lookups are disabled on the network.
Resolution: The MFP uses reverse DNS lookups to verify IP addresses.
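An added example, not from the Lexmark guide, for the “domain_realm” resolution in section 8.1: this Python check parses a Kerberos configuration file and reports whether a Windows domain or host name resolves to an upper-case realm. It assumes MIT-style krb5.conf lookup (the exact name, then each parent domain with and without a leading dot), which the guide does not specify; the sample files are constructed and reuse the guide's placeholder domain x.y.z.

```python
def parse_domain_realm(conf_text):
    """Collect 'name = REALM' pairs from the [domain_realm] section only."""
    mappings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line and line[0] not in "#;":
            key, _, realm = line.partition("=")
            mappings[key.strip()] = realm.strip()
    return mappings

def realm_for(mappings, name):
    """Assumed MIT-style search: exact name, then '.parent', 'parent', ..."""
    name = name.lower().rstrip(".")
    while name:
        if name in mappings:
            return name, mappings[name]
        if name.startswith("."):
            name = name[1:]
        else:
            dot = name.find(".")
            name = name[dot:] if dot != -1 else ""
    return None

def audit(conf_text, name):
    """Return (realm or None, findings) for one Windows domain or host name."""
    mappings, findings = parse_domain_realm(conf_text), []
    for key, realm in mappings.items():
        if key != key.lower():
            findings.append(f"key '{key}' is not lower case")
        if realm != realm.upper():
            findings.append(f"realm '{realm}' is not upper case")
    hit = realm_for(mappings, name)
    if hit is None:
        findings.append(f"no mapping covers '{name}'")
    return (hit[1] if hit else None), findings

# Constructed sample files, using the guide's placeholder domain "x.y.z".
SAMPLE_BAD = """[libdefaults]
  default_realm = X.Y.Z
[domain_realm]
  .x.y.z = X.Y.Z
  Sub.X.Y.Z = sub.x.y.z
"""
SAMPLE_GOOD = "[domain_realm]\n  x.y.z = X.Y.Z\n  .x.y.z = X.Y.Z\n"

if __name__ == "__main__":
    print(audit(SAMPLE_BAD, "x.y.z"), audit(SAMPLE_GOOD, "x.y.z"))
```

In the first sample the `.x.y.z` entry covers hosts inside the domain but not the bare domain name itself, which is why the corrected sample lists both forms.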
8.3 Scan To Email Issues
Error Message/Symptom | Possible Cause/Resolution
Email cannot be sent because an error occurred trying to get your email address. | Cause: Using manual login and the From Email Address is configured to come from the card. Resolution: If manual login is allowed, the From Email Address must come from LDAP since a card may not (or cannot) be used.
Resolution: Change the SMTP Server Authentication option in the PKI/AD Email solution settings to User Credentials.
Resolution: Add the IP Address of the MFP as an SMTP Relay.
Cause: SMTP Server Authentication is set to User Credentials but the SMTP Server was specified using an IP Address.
access to any of the defined fileshares, the authorization list for the fileshare needs to be expanded to include an Active Directory group that includes this user.
An LDAP error occurred trying to retrieve the selected file share | Cause: The LDAP lookup failed. Resolution: See section 8.2 above.
Resolution: If the hostname was not a fully qualified domain name, then the MFP has to use its domain search order to determine the appropriate domain name to append to the hostname. See section 3.2 item 3.
Cause: Port 445 is blocked by a firewall.
Resolution: The MFP uses port 445 to communicate with the file server and transfer the file.