4 Replies Latest reply on Dec 11, 2014 5:01 AM by Kinetos

    Authentication step in standard signing workflow

    Kinetos

      Is it possible to add an authentication step into the standard signing workflow? We cannot use any other signature handler except the standard one (PPKLite) - there is a restriction in the documents. But we need to authenticate the user once she wants to sign.

      Thanks in advance,

      Nikita

        • 1. Re: Authentication step in standard signing workflow
          Steven.Madwin Adobe Employee

          Hi Nikita,

          There are ways to force the user to authenticate every time they sign, but it depends on where the digital ID used to create the digital signature resides. For example, if it's in the Windows Certificate Store you have to set High Assurance when importing the digital ID. If the digital ID is in a P12/PFX file attached to Acrobat you can adjust the password timeout settings. The best way to figure out where the digital ID is residing is to look at this dialog and see what is listed in the Storage Mechanism column:

          [Image: Sec Settings.jpg (Security Settings dialog)]

          Getting to the dialog depends on the version you are using, so if you can let me know the version I can give you the steps.


          Steve

          • 2. Re: Authentication step in standard signing workflow
            Kinetos Level 1

            Hi Steve,

              Thank you for your attention to my question!

              By the requirements, we need to make the user enter a password every time he/she signs a document.

              We are aware of the strong private key protection for digital IDs from the Windows Certificate Store and of digital ID files in Adobe. But in the case of the Windows Certificate Store, Adobe asks for the password only the first time the user signs a document; all the next times are skipped. In the case of digital ID files, Adobe allows the user to adjust the password timeout; we need to somehow restrict this option so the user cannot set anything except entering the password "Always".

              There are 2 open questions for us now, and it would be very helpful if you knew the answers:

              1) How to overcome the "certificate caching" in the case of the Windows Certificate Store, or how to restrict adjusting the password timeout for digital ID files in Adobe?

              2) It would be even better if we could authenticate the user in a third-party system every time he/she tries to sign a document. I was looking for some kind of authentication interceptor that Adobe could call right before starting the signing procedure, but no luck so far. Do you know if it is possible? And if yes, how?

              Thank you for your help in advance!

            Nikita

            • 3. Re: Authentication step in standard signing workflow
              Steven.Madwin Adobe Employee

              Hi Nikita,

              I was wrong about Windows: it only asks for the password once per session even with High Assurance security set. There's nothing we can do from the Acrobat side of things if the digital ID is in Windows, as it's up to Windows to handle its own security.

              The good news, though, is that if you are using a digital ID from a file (P12 or PFX) you can make Acrobat always ask for the password. However, this can only be done in an enterprise environment where the user doesn't have administrator rights to the machine. The way to force the password to always be supplied (or, more correctly, to disallow password caching) is to add a registry setting in the portion of the registry not accessible to a standard user (non-administrator). The easiest thing to do is to go to the Preference Reference for Acrobat and Adobe Reader and search for Password Caching (or you could look up bAllowPasswordSaving). There you'll find the explanation of how to set the registry.

              Good luck,

              Steve
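The lockdown Steve describes only works if two things hold: the value is set to 0 under the machine-wide policy hive, and the key's ACL really does deny write access to a standard user (otherwise the user can simply flip it back). The PowerShell script below is an added example, not part of this thread and not Adobe's own tooling; it audits both conditions and, with -Apply, sets the value from an elevated session. The default key path is an assumption modelled on the FeatureLockDown layout under HKLM\SOFTWARE\Policies\Adobe; look up the exact subkey for bAllowPasswordSaving for your product and version ("Adobe Acrobat" vs. "Acrobat Reader", 11.0, DC, ...) in the Acrobat Preference Reference and pass it as -PolicyKey. The DWORD-with-0-meaning-disallowed semantics are likewise assumed.

```powershell
<#
  Added example (not from the forum thread or from Adobe).
  Audits, and optionally applies, a machine-wide lockdown of bAllowPasswordSaving,
  then checks that a standard user cannot rewrite the key.

  ASSUMPTIONS: the default $PolicyKey is a placeholder in the FeatureLockDown style;
  confirm the documented path in the Acrobat Preference Reference before deploying.
  Value type DWORD, 0 = password caching disallowed, is also assumed.
#>
[CmdletBinding()]
param(
    [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\11.0\FeatureLockDown\cSecurity\cPPKHandler',
    [string]$ValueName = 'bAllowPasswordSaving',
    [switch]$Apply   # without -Apply the script only audits
)

function Get-LockdownValue {
    # Returns the DWORD as [int], or $null when the key or value does not exist.
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $props = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains $Name)) { return $null }
    return [int]$props.$Name
}

function Test-StandardUserCannotWrite {
    # $true when no Allow ACE grants a write-class right to the well-known
    # non-admin principals; that is what makes the lockdown "not accessible by a standard user".
    param([string]$Key)
    $acl = Get-Acl -LiteralPath $Key
    $writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [System.Security.AccessControl.RegistryRights]::Delete -bor
                 [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                 [System.Security.AccessControl.RegistryRights]::TakeOwnership
    $nonAdmin = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -in $nonAdmin -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.RegistryRights -band $writeMask) -ne 0)) {
            return $false
        }
    }
    return $true
}

if ($Apply) {
    # Needs an elevated session: HKLM\SOFTWARE\Policies is admin-writable only by default.
    if (-not (Test-Path -LiteralPath $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -LiteralPath $PolicyKey -Name $ValueName -Value 0 -PropertyType DWord -Force | Out-Null
}

$current = Get-LockdownValue -Key $PolicyKey -Name $ValueName
if ($null -eq $current) {
    Write-Output "$ValueName is not set under $PolicyKey (password caching is not locked down)."
} elseif ($current -ne 0) {
    Write-Output "$ValueName = $current under $PolicyKey (password caching is still allowed)."
} else {
    $verdict = if (Test-StandardUserCannotWrite -Key $PolicyKey) {
        'denied, lockdown is effective'
    } else {
        'GRANTED, a standard user can undo the setting; fix the key ACL'
    }
    Write-Output "$ValueName = 0 under $PolicyKey; standard-user write access: $verdict."
}
```

Run it once without -Apply from a standard-user session to see the state a user would actually get, then from an elevated session with -Apply to set the value; the ACL check matters because a policy value sitting under a user-writable key gives no real enforcement. Note that, as the next reply in the thread points out, this value only removes one of the timeout choices; it does not by itself force "Always".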

              • 4. Re: Authentication step in standard signing workflow
                Kinetos Level 1

                Hi Steve,

                  We are aware of the bAllowPasswordSaving flag, and we see that it blocks the option "Never" in the Password Timeout dialog. But the user can still select "After" and "Once per session", which brings us back to a situation similar to the Windows Certificate Store. Do you know if it is possible to block the "After" and "Once per session" options as well?

                  And getting back to question #2 from my previous post, do you know if an extra authentication step (i.e. via LDAP) is possible when the user signs the document? (A self-made security handler is not an option; we must use the default PPKLite.)

                Thank you again!

                Nikita