In this article I am going to walk through how to configure your internal certificate authority (Windows Active Directory Certificate Services) so that you can use smartcard authentication on your Windows Active Directory domain.
The need for security and enhanced privacy is increasing as electronic forms of identification replace face-to-face and paper-based ones. The emergence of the global Internet and the expansion of the corporate network to include access by customers and suppliers from outside the firewall have accelerated the demand for solutions based on public key cryptography technology.
A few examples of the kinds of services that public key cryptography technology enables are secure channel communications over a public network, digital signatures to ensure image integrity and confidentiality, authentication of a client to a server (and vice versa), and the use of smart cards for strong authentication.
The Microsoft Windows operating system platform is smart card–enabled and is the best and most cost-effective computing platform for developing and deploying smart card solutions.
What is a Smart Card?
Smart cards are a key component of the public key infrastructure (PKI) that Microsoft is integrating into the Windows platform because smart cards enhance software-only solutions, such as client authentication, logon, and secure email. Smart cards are a point of convergence for public key certificates and associated keys because they:
- Provide tamper-resistant storage for protecting private keys and other forms of personal information
- Isolate security-critical computations involving authentication, digital signatures, and key exchange from other parts of the system that don’t have a need to know
- Enable portability of credentials and other private information between computers at work, at home, or on the road
The smart card has become an integral part of the Windows platform because smart cards provide new and desirable features that are as revolutionary to the computer industry as the introduction of the mouse or the CD-ROM.
If you do not have an internal PKI infrastructure at the moment, you need to put one in place first. I am not going to cover the installation of this role in this particular article, but information on how to implement it can be found here: http://technet.microsoft.com/en-us/library/hh831740.aspx
I have always recommended Gemalto Identity & Access Security to clients. They provide a wide selection of smartcards that can also work with your door access systems, meaning that a single card can give you access not only to your corporate building but also to your corporate network. If this is the first time you have looked at smartcard access in your corporate environment, I would recommend you purchase the following Proof of Concept Kit from Smartcard Focus.
The kit contains:
Note: You will need to speak with your Door Access Security company in order to find out what type of cards would work with the system you use.
Configure Certificate Authority Templates
- Launch the Certificate Authority MMC from Administrative Tools
- Right-click the ‘Certificate Templates’ node and select Manage
- Right-click the ‘Smartcard User’ certificate template and then select ‘Duplicate’
9. Once these steps have been completed, press OK and go back to the Certificate Authority MMC. Right-click the Certificate Templates node, select New and then select ‘Certificate Template to Issue’.
Enroll the Enrollment Agent Certificate
It is recommended that you do this on a client machine (the IT administrator’s desktop).
- Launch MMC, add the Certificates snap-in and choose to manage certificates for ‘My user account’
3. Click Next on the wizard, and then select ‘Active Directory Enrollment Policy’
4. Select the ‘Enrollment Agent’ Certificate, and then click on ‘Enroll’
Your IT administrator’s desktop is now set up as an enrollment station. This will enable you to enroll new smartcards on behalf of other users.
Enroll on behalf of….
In order to provide employees with smartcards for authentication, you need to enroll them and generate the certificate, which will then be imported on to the smartcard.
1. Launch MMC, add the Certificates snap-in and choose to manage certificates for ‘My user account’
2. Right-click Personal > Certificates and select All Tasks > Advanced Operations, then click ‘Enroll on behalf of…’
4. You will now be asked to select the signing certificate. This is the Enrollment Agent certificate you requested earlier.
6. Next, you need to select the user you wish to enroll on behalf of. Click Browse and type in the username of the employee you wish to enroll. In this instance I am just going to use my Administrator account.
- If your computer does not recognize the smartcard when it is inserted, you may need to download and install the following files. The download is available on the Microsoft Catalog website.
- To manage the smart cards I recommend the following tool, available at https://www.netsolutions.gemalto.com/netutils/Default.aspx. It allows you to reset PINs, unlock cards and see which certificates have been installed on a smart card.
- The default PIN for the .NET smart cards is 0000.
- If one of your employees loses the smartcard, you will need to REVOKE the issued certificate from within your Certificate Authority so that the card can no longer be used to log on.
- If an employee leaves, and they hand back the Smartcard you are able to remove the certificate from the card and then re-issue it to another employee if you so wish.
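The revocation step from the notes above, scripted with certutil, as an added example that is not part of the original article. The CA config string, the template name, the `DOMAIN\user` account format and the CSV layout returned by `certutil -view` are assumptions; run it with an account that holds the Issue and Manage Certificates permission on the CA.

```powershell
# Added example (not from the original article): revoke every issued smartcard
# certificate requested for a user whose card was lost, then publish a fresh CRL
# so the card stops validating for logon. Reason 1 = KeyCompromise (certutil codes:
# 0 Unspecified, 1 KeyCompromise, 3 AffiliationChanged, 6 CertificateHold).
function Revoke-LostSmartcard {
    param(
        [Parameter(Mandatory)] [string] $User,                          # assumed format: 'CONTOSO\jsmith'
        [string] $CAConfig = 'ca01.contoso.local\Contoso Issuing CA',   # assumed CA config string
        [string] $Template = 'SmartcardUser',                           # assumed template (common) name
        [int]    $Reason   = 1
    )

    # 1. Pull the issued (Disposition=20), unexpired certificates for this requester
    #    from the CA database as CSV. Columns are requested in a fixed order and read
    #    positionally because the CSV header uses localized display names (assumption).
    $restrict = "RequesterName=$User,Disposition=20,NotAfter>=now"
    $csv = certutil -config $CAConfig -view -restrict $restrict `
            -out 'RequestID,SerialNumber,CertificateTemplate,NotAfter' csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed:`n$($csv -join "`n")" }

    # 2. Keep only rows issued from the smartcard template. The template column may
    #    hold the template name or its OID, so a substring match on the name is used.
    $targets = foreach ($row in ($csv | ConvertFrom-Csv)) {
        $v = @($row.PSObject.Properties.Value)       # RequestID, Serial, Template, NotAfter
        if ($v[2] -like "*$Template*") {
            [pscustomobject]@{ RequestID = $v[0]; Serial = $v[1]; NotAfter = $v[3] }
        }
    }
    if (-not $targets) { Write-Warning "No issued $Template certificates found for $User"; return }

    # 3. Revoke each certificate by serial number.
    foreach ($t in $targets) {
        Write-Host "Revoking request $($t.RequestID), serial $($t.Serial) (expires $($t.NotAfter))"
        certutil -config $CAConfig -revoke $t.Serial $Reason | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Revocation of serial $($t.Serial) failed" }
    }

    # 4. Publish a new CRL now rather than waiting for the scheduled one: until domain
    #    controllers fetch a CRL that lists the serial, the lost card still validates.
    certutil -config $CAConfig -CRL | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "CRL publication failed" }

    # 5. Confirm the entries now show as revoked (Disposition=21) in the CA database.
    certutil -config $CAConfig -view -restrict "RequesterName=$User,Disposition=21" `
             -out 'RequestID,SerialNumber' csv
}

Revoke-LostSmartcard -User 'CONTOSO\jsmith'   # constructed sample account
```

Domain controllers cache the CRL until its next-update time, so after publishing, confirm the new CRL is reachable from the CDP locations the certificates point to before treating the card as dead.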
I hope this helps, if you have any questions feel free to contact me.