Hello everybody,
We are trying to implement a 2 factor authentication (domain logon + hardware token) using Symantec Encryption Desktop and Encryption Management Server.
The goal is that specific file shares are only accessible -using group keys- once the token has been inserted into the client machine.
The hardware token is being used as key generator and keystore (CKM) in the enrollment process.
Encrypting a share to the users keys works of course, but would result in constant re-encryption with every permission change.
Encrypting to group keys results in the LDAP authentication to be used to authenticate the user, not the token, which enables access even without the token and the private key.
Is there a way to use the hardware token as means of additional authentication and enable group key operations with it?
Or at least add the group membership characteristics to the token itself (for example by adding it as a device)?
I am very thankful for every hint or idea.
Cheers,
Uli