Configure Server 2012 CA for Smartcard Authentication
In this article I am going to walk through how to configure your internal certificate authority (Windows Active Directory Certificate Services) so that you can use smartcard authentication on your Windows Active Directory domain.
Introduction
The need for security and enhanced privacy is increasing as electronic forms of identification replace face-to-face and paper-based ones. The emergence of the global Internet and the expansion of the corporate network to include access by customers and suppliers from outside the firewall have accelerated the demand for solutions based on public key cryptography technology.
A few examples of the kinds of services that public key cryptography technology enables are secure channel communications over a public network, digital signatures to ensure image integrity and confidentiality, authentication of a client to a server (and vice versa), and the use of smart cards for strong authentication.
The Microsoft Windows operating system platform is smart card–enabled and is the best and most cost-effective computing platform for developing and deploying smart card solutions.
What is a Smart Card
Smart cards are a key component of the public key infrastructure (PKI) that Microsoft is integrating into the Windows platform because smart cards enhance software-only solutions, such as client authentication, logon, and secure email. Smart cards are a point of convergence for public key certificates and associated keys because they:
- Provide tamper-resistant storage for protecting private keys and other forms of personal information
- Isolate security-critical computations involving authentication, digital signatures, and key exchange from other parts of the system that don’t have a need to know
- Enable portability of credentials and other private information between computers at work, at home, or on the road
The smart card has become an integral part of the Windows platform because smart cards provide new and desirable features as revolutionary to the computer industry as the introduction of the mouse or CD-ROM.
If you do not have an internal PKI infrastructure at the moment, you need to put one in place first. I am not going to cover the installation of this role in this particular article, but information on how to implement it can be found here: https://technet.microsoft.com/en-us/library/hh831740.aspx
Recommended Smartcards
I have always recommended Gemalto Identity & Access Security to clients. They provide a wide selection of smartcards that can also work with your door access systems, meaning that you can have one card to access both your corporate building and your corporate network. If this is the first time you have looked at smartcard access in your corporate environment, I would recommend you purchase the following proof of concept kit from Smartcard Focus.
IDPrime .NET card proof of concept kit
The kit contains:
- 5 x GemPC Twin/TR readers
- 5 x Gemalto .NET cards
- 1 x Gemalto .NET + Prox card
- 1 x Gemalto .NET + Mifare card
- 1 x Gemalto .NET + DESfire card
Note: You will need to speak with your Door Access Security company in order to find out what type of cards would work with the system you use.
Configure Certificate Authority Templates
1. Launch the Certificate Authority MMC from Administrative Tools.
2. Click on the ‘Certificate Templates’ node and select Manage.
3. Right-click the ‘Smartcard User’ certificate template and select ‘Duplicate’.
4. Change the compatibility settings accordingly; this will depend on your CA infrastructure and end-user devices.
5. Give the new template an appropriate name, and ensure that the validity period is 5 years.
6. Ensure that the Request Handling tab matches the following configuration.
7. On the Cryptography tab, ensure that you select ‘Requests must use one of the following providers’ and then select ‘Microsoft Base Smart Card Crypto Provider’.
8. Ensure that the Issuance Requirements match the following settings.
9. Once these steps have been completed, press OK and go back to the Certificate Authority MMC. Right-click the Certificate Templates node, select New and then select ‘Certificate Template to Issue’.
10. You now need to import the ‘Enrollment Agent’ template and the duplicated template (the one you just created).
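The same publishing step can be scripted, and the template settings the steps above ask for (5-year validity, Microsoft Base Smart Card Crypto Provider, issuance requiring an Enrollment Agent signature) can be read back from Active Directory rather than trusted from a screenshot. The script below is an added example and is not from the original article; it uses the ADCSAdministration and ActiveDirectory modules, runs on the CA as a CA administrator, and `VakkundigSmartcardUser` is a placeholder for the CN of your duplicated template (the CN is the template name without spaces, not its display name).

```powershell
# Added example, not part of the original article: publish the two templates to the CA
# with the ADCSAdministration cmdlets, then read the duplicated template back from
# Active Directory to confirm the settings the steps above ask for.
# Run on the CA as a CA administrator. 'VakkundigSmartcardUser' is a placeholder for the
# CN of your duplicated template (the CN has no spaces; it is not the display name).
Import-Module ADCSAdministration
Import-Module ActiveDirectory

# Well-known OIDs used by the checks
$SmartCardLogonEku      = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$CertRequestAgentPolicy = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent (Enrollment Agent signature)
$BaseSmartCardCsp       = 'Microsoft Base Smart Card Crypto Provider'

function Publish-CATemplates {
    param([Parameter(Mandatory)] [string[]] $Names)
    foreach ($name in $Names) {
        if (-not (Get-CATemplate | Where-Object { $_.Name -eq $name })) {
            Add-CATemplate -Name $name -Force   # same effect as 'Certificate Template to Issue' in the MMC
        }
    }
    # Templates the CA now offers for issuance
    Get-CATemplate | Select-Object Name, Oid
}

function Test-SmartcardTemplate {
    param([Parameter(Mandatory)] [string] $Name)

    $templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
                   (Get-ADRootDSE).configurationNamingContext
    $props = @('displayName', 'pKIExtendedKeyUsage', 'pKIExpirationPeriod', 'pKIDefaultCSPs',
               'msPKI-RA-Signature', 'msPKI-RA-Application-Policies')
    $tpl = Get-ADObject -SearchBase $templatesDn -Filter "cn -eq '$Name'" -Properties $props
    if (-not $tpl) { throw "Template '$Name' was not found in Active Directory." }

    # pKIExpirationPeriod is a little-endian int64 holding a negative count of 100 ns ticks
    $validity = [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($tpl.pKIExpirationPeriod, 0))
    $days     = [int]$validity.TotalDays

    [pscustomobject]@{
        Template               = $tpl.displayName
        HasSmartCardLogonEku   = $tpl.pKIExtendedKeyUsage -contains $SmartCardLogonEku
        ValidityDays           = $days
        ValidityIsFiveYears    = ($days -ge 1825) -and ($days -le 1827)
        # Issuance Requirements: one authorized signature carrying the Certificate Request Agent policy
        RequiresAgentSignature = ($tpl.'msPKI-RA-Signature' -eq 1) -and
                                 (($tpl.'msPKI-RA-Application-Policies' -join ';') -like "*$CertRequestAgentPolicy*")
        # Cryptography tab: legacy CSP list (pKIDefaultCSPs entries look like '1,<provider name>')
        UsesBaseSmartCardCsp   = ($tpl.pKIDefaultCSPs -join ';') -like "*$BaseSmartCardCsp*"
    }
}

Publish-CATemplates -Names @('EnrollmentAgent', 'VakkundigSmartcardUser')
Test-SmartcardTemplate -Name 'VakkundigSmartcardUser'
```

If `RequiresAgentSignature` comes back false, anyone with enroll permission on the template could request a smartcard logon certificate for themselves without an Enrollment Agent, so re-check the Issuance Requirements tab before publishing the template.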
Enroll the Enrollment Agent Certificate
It is recommended that you do this on a client machine (the IT administrator's desktop).
1. Launch MMC, add the Certificates snap-in and manage the certificates for ‘My user account’.
2. Right-click the ‘Personal’ node, select ‘All Tasks’ and then select ‘Request New Certificate’.
3. Click Next on the wizard, and then select ‘Active Directory Enrollment Policy’.
4. Select the ‘Enrollment Agent’ certificate, and then click ‘Enroll’.
Your IT administrator's desktop is now set up as an enrollment station; this enables you to enroll new smartcards on behalf of other users.
Enroll on behalf of…
In order to provide employees with smartcards for authentication, you now need to enroll them and generate the certificate, which is then imported onto the smartcard.
1. Launch MMC, add the Certificates snap-in and manage the certificates for ‘My user account’.
2. Right-click Personal > Certificates and select All Tasks > Advanced Operations, then click ‘Enroll on behalf of…’.
3. Click Next on the wizard, choose the ‘Active Directory Enrollment Policy’ and click Next.
4. You will now be asked to select the signing certificate; this is the Enrollment Agent certificate you requested earlier.
5. On the next screen, select which certificate you would like to request; in this instance it is ‘Vakkundig Smartcard User’, the template we created earlier.
6. Next, select the user you wish to enroll on behalf of. Click Browse and type in the username of the employee you wish to enroll. In this instance I am just going to use my Administrator account.
7. On the next screen, proceed with the enrollment by clicking ‘Enroll’; you will then be asked to insert a smartcard into your reader.
8. Once you have inserted your smartcard, it should be detected as follows.
9. You will then be asked to type in the smartcard PIN. (Default PIN: 0000)
10. Finally, once you have seen the ‘Enrollment Successful’ screen, you can remove the card and use it to log on to a domain-joined computer.
Helpful Notes
If you find that your computer does not recognize the smartcard when it is inserted, you may need to download and install the following files. The download is available on the Microsoft Catalog website.
To manage the smart cards, I recommend you use the following tool, available at https://www.netsolutions.gemalto.com/netutils/Default.aspx. This tool allows you to reset PINs, unlock cards and see which certificates have been installed on a smart card.
The default PIN for the .NET smart cards is 0000.
If one of your employees loses their smartcard, you will need to REVOKE the issued certificate from within your Certificate Authority.
If an employee leaves and hands back the smartcard, you can remove the certificate from the card and then re-issue it to another employee if you so wish.
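Revoking the certificates of a lost card is the one step in these notes that has to happen quickly, so it helps to have it scripted rather than hunting through the Issued Certificates view. The following is an added example, not from the original article: it wraps `certutil` to find every issued certificate for a given requester from the smartcard template, revokes them with a chosen CRL reason, and publishes a new CRL. It runs on the CA (or against a remote CA with `-Config`), and `CONTOSO\jsmith` and `Vakkundig Smartcard User` are placeholders.

```powershell
# Added example, not part of the original article: revoke every issued certificate from the
# smartcard template for a user whose card was lost or handed back, then publish a fresh CRL.
# Wraps certutil, so run it on the CA, or pass -Config 'CAHOST\CA Name' to target one.
# 'CONTOSO\jsmith' and 'Vakkundig Smartcard User' below are placeholders.
function Revoke-UserSmartcardCertificates {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $RequesterName,   # DOMAIN\user as stored in the CA database
        [Parameter(Mandatory)] [string] $TemplateName,    # display name of the smartcard template
        [ValidateSet('KeyCompromise', 'AffiliationChanged', 'CessationOfOperation', 'Unspecified')]
        [string] $Reason = 'KeyCompromise',               # lost card: the private key is in unknown hands
        [string] $Config                                  # omit when running on the CA itself
    )
    # certutil -revoke reason codes (RFC 5280 CRLReason values)
    $reasonCode = @{ Unspecified = 0; KeyCompromise = 1; AffiliationChanged = 3; CessationOfOperation = 5 }[$Reason]
    $configArgs = if ($Config) { @('-config', $Config) } else { @() }

    # Disposition 20 = issued. A fixed column list lets the CSV be parsed positionally,
    # independent of the localized header names certutil prints.
    $raw = & certutil @configArgs -view -restrict "Disposition=20,RequesterName=$RequesterName" `
                -out 'RequestID,SerialNumber,NotAfter,CertificateTemplate' csv
    $rows = $raw |
        Where-Object { $_ -and $_ -notlike 'CertUtil:*' } |   # drop blank lines and the trailing status line
        Select-Object -Skip 1 |                               # drop certutil's own header row
        ConvertFrom-Csv -Header RequestID, SerialNumber, NotAfter, Template

    # The template column carries the template OID and/or name depending on the template version
    $targets = @($rows | Where-Object { $_.Template -like "*$TemplateName*" })

    foreach ($row in $targets) {
        $what = "serial $($row.SerialNumber), request $($row.RequestID), expires $($row.NotAfter)"
        if ($PSCmdlet.ShouldProcess($what, "Revoke ($Reason)")) {
            & certutil @configArgs -revoke $row.SerialNumber $reasonCode | Out-Null
        }
    }
    if ($targets.Count -gt 0 -and -not $WhatIfPreference) {
        # Publish a new CRL so domain controllers see the revocation at the next CRL refresh
        & certutil @configArgs -CRL | Out-Null
    }
    $targets
}

# Preview what would be revoked, then run again without -WhatIf:
Revoke-UserSmartcardCertificates -RequesterName 'CONTOSO\jsmith' -TemplateName 'Vakkundig Smartcard User' -WhatIf
```

For a card handed back by a leaver, `-Reason CessationOfOperation` or `AffiliationChanged` is the more accurate reason code; the page's advice to wipe the card and re-issue still applies after revocation. Because the cards ship with the 0000 default PIN noted above, the Gemalto utility linked in these notes is also the place to set a per-user PIN at issuance.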
I hope this helps, if you have any questions feel free to contact me.
James. :-)
Comments
- Anonymous
February 17, 2017
Hello, nice guide! I'm wondering, could I use this to authenticate Windows Remote Desktop access? Kind regards, Kevin
- Anonymous
April 25, 2017
Kevin, yes you can. Just enable the GPO to request a smart card for that Windows machine, and when a user connects via RDP or sits in front of the computer they will be asked to insert a smart card!
- Anonymous
May 10, 2017
Hello, thanks for the guide! I can enroll a certificate to my smartcard, but when I try to log in to my user account, an error appears saying my account is not configured for smartcard use. Is there something besides the CA configuration I have to do?
- Anonymous
May 22, 2017
I did solve it myself :) There was no valid KDC certificate for the DC.
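The missing domain controller certificate in the comment above is the most common reason smartcard logon fails after the CA side is done. The check below is an added example, not from the comment thread or the article: run on a domain controller, it looks in the machine store for a certificate carrying the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5, the well-known Microsoft value) and reports whether it is time-valid, chains to a trusted CA, and names this DC. The template names in the warning (`Kerberos Authentication`, `Domain Controller Authentication`) are the built-in ADCS templates that issue such certificates.

```powershell
# Added example, not from the comment thread or the article: verify that this domain
# controller holds a valid certificate with the KDC Authentication EKU, which smartcard
# logon needs on the DC side. Run on the DC itself as an administrator.
$KdcAuthenticationEku = '1.3.6.1.5.2.3.5'   # well-known Microsoft EKU OID
$SubjectAltNameOid    = '2.5.29.17'

function Test-KdcCertificate {
    [CmdletBinding()]
    param()
    $now    = Get-Date
    $dcFqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName

    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $KdcAuthenticationEku)
    })
    if ($certs.Count -eq 0) {
        Write-Warning ("No certificate with the KDC Authentication EKU in LocalMachine\My. " +
            "Enroll the 'Kerberos Authentication' (or 'Domain Controller Authentication') template on this DC.")
        return
    }

    foreach ($c in $certs) {
        $sanExt = $c.Extensions | Where-Object { $_.Oid.Value -eq $SubjectAltNameOid }
        $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
        [pscustomobject]@{
            Subject      = $c.Subject
            Thumbprint   = $c.Thumbprint
            NotAfter     = $c.NotAfter
            TimeValid    = ($c.NotBefore -le $now) -and ($c.NotAfter -gt $now)
            ChainValid   = $c.Verify()              # builds the chain and checks revocation with this machine's settings
            SanHasDcName = $san -like "*$dcFqdn*"   # the DNS name the client will match against
        }
    }
}

Test-KdcCertificate | Format-List
```

A certificate that reports `ChainValid` false usually means the issuing CA is not trusted by the DC or the CRL cannot be reached; `certutil -dcinfo verify` performs the equivalent check across all domain controllers, and `certutil -scinfo` on the client shows whether the card's own certificate chains correctly.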
- Anonymous
December 25, 2017
Hi, after step 7, when clicking on ‘Enroll’ I am not asked to insert a smartcard into my reader.