Configure Server 2012 CA for Smartcard Authentication

  • Article

certificate_authority In this article I am going to walkthrough how to configure your internal certificate authority (Windows Active Directory Certificate Services) in order to allow you to use smartcard authentication on your windows active directory domain.

Introduction

The need for security and enhanced privacy is increasing as electronic forms of identification replace face-to-face and paper-based ones. The emergence of the global Internet and the expansion of the corporate network to include access by customers and suppliers from outside the firewall have accelerated the demand for solutions based on public key cryptography technology.

A few examples of the kinds of services that public key cryptography technology enables are secure channel communications over a public network, digital signatures to ensure image integrity and confidentiality, authentication of a client to a server (and vice versa), and the use of smart cards for strong authentication.

The Microsoft Windows operating system platform is smart card–enabled and is the best and most cost-effective computing platform for developing and deploying smart card solutions.

What is a Smart Card

Smart cards are a key component of the public key infrastructure (PKI) that Microsoft is integrating into the Windows platform because smart cards enhance software-only solutions, such as client authentication, logon, and secure email. Smart cards are a point of convergence for public key certificates and associated keys because they:

  • Provide tamper-resistant storage for protecting private keys and other forms of personal information

  • Isolate security-critical computations, involving authentication, digital signatures, and key exchange from other parts of the system that don’t have a need to know

  • Enable portability of credentials and other private information between computers at work, at home, or on the road

The smart card has become an integral part of the Windows platform because smart cards provide new and desirable features as revolutionary to the computer industry as the introduction of the mouse or CD-ROM

If you do not have an Internal PKI Infrastructure at the moment then you need to ensure you do this first. I am not going to cover the installation of this role in this particular article but information on how to implement this can be found here: https://technet.microsoft.com/en-us/library/hh831740.aspx

Recommended Smartcards

I have always recommended to clients Gemalto Identity & Access Security – They provide a wide selection are smartcards that could also work with your door access systems, meaning that you can not only have a card to access your corporate building but to also access your corporate network. If this is the first time you have looked at Smartcard Access in your corporate environment, I would recommend you purchase the following Proof of Concept Kit from Smartcard Focus.

IDPrime .NET card proof of concept kit

The kit contains:

5 x GemPC Twin/TR readers

5 x Gemalto .NET cards,

1 x Gemalto .NET + Prox card,

1 x Gemalto .NET + Mifare card,

1 x Gemalto .NET + DESfire card

Note: You will need to speak with your Door Access Security company in order to find out what type of cards would work with the system you use.

Configure Certificate Authority Templates

  1. Launch Certificate Authority MMC from Administrative Tools
  2. Click on the ‘Certificate Templates’ node and select Manage
  3. Right Click on the ‘Smartcard User’ Certificate Template and then select ‘Duplicate’

image014.  Change your compatibility settings accordingly, this will depend on your CA infrastructure & End User Devices

Compat_01 5. Give the new Template an appropriate name, and ensure that the validity period is 5 years

General_01 6. Ensure that the Request Handling Tab matches the following configuration

Request_Handling7.  On the Cryptography tab ensure that you select ‘Requests must use one of the following providers’ and then select ‘Microsoft Base Smart Card Crypto Provider’

Cryp8.  Ensure that the Issuance Requirements match the following settings

Issu_Req

9. Once these steps have been completed, go ahead and press OK and go back to the Certificate Authority MMC. Right Click on the Certificate Templates node, Select New and then select ‘Certificate Template to Issue’.

image02 You need to now Import
th
e ‘Enrollment Agent’ & ‘Duplicated Template’ < The one you just created.

Import_EnAge Import_Temp

Enroll the Enrollment Agent Certificate

It is recommended that you do this on a Client Machine (IT Administrators Desktop).

  1. Launch MMC & Import the Certificates Module & Manger the certificates for ‘My User Account’

image2. Right Click on the ‘Personal’ Node, Select ‘All Tasks’ and then Select ‘Request New Certificate’

3. Click Next on the wizard, and then select ‘Active Directory Enrollment Policy’

4. Select the ‘Enrollment Agent’ Certificate, and then click on ‘Enroll’

image

Your IT Administrators desktop is now setup as an Enrollment Station, This will now enable you to Enroll new smartcards on behalf of other users.

Enroll on behalf of….

In order for you to now provide employees with smartcards for authentication, you need to enroll them and generate the certificate which will then be imported on to the Smartcard.

1. Launch MMC & Import the Certificates Module & Manger the certificates for ‘My User Account’

2. Right Click on Personal > Certificates and select All Tasks > Advanced Operations and click on ‘Enroll on behalf of…’

image3. Select next on the wizard, and choose the ‘Active Directory Enrollment Policy’ and select next

4.You will now be asked to select the Signing Certificate, This is the enrollment certificate you requested earlier.

image5. On the next screen, you need to select which certificate you would like to request and in this instance it will be ‘Vakkundig Smartcard User’ which is the Template we created earlier.

image 6. Next, You need to select the user you wish to enroll on behalf off. click browse and type in the username of the employee you wish to enroll. In this instance I am just going to use my Administrator Account.

image7. On the next screen, proceed with the enrollment by clicking on ‘Enroll’ where you will then be asked to insert a smartcard into your reader.

image8. Once you have inserted your smartcard, it should be detected as follows

image9. You will then be asked to type in the smartcard PIN number. (Default Pin: 0000)

image10. Finally, Once you have seen ‘Enrollment Successful’ screen. You can remove the card and then use that to logon to a domain joined computer.

image   

Helpful Notes

  • If you find that your computer does not recognize the smartcard when it is inserted. You may need to download and install the following files. The download is available on the Microsoft Catalog Website.image

  • To manage the smart cards I recommend you use the following tool which is available at the following URL: https://www.netsolutions.gemalto.com/netutils/Default.aspx this tool will allow you to reset pin numbers, unlock cards and see what certificates have been installed on to a smart card.

  • The default PIN Number for the .NET sma

    rt cards is 0000

  • If one of your employees looses the smartcard, you will need to REVOKE the issued certificate from within your Certificate Authority.

  • If an employee leaves, and they hand back the Smartcard you are able to remove the certificate from the card and then re-issue it to another employee if you so wish.

I hope this helps, if you have any questions feel free to contact me.

James. :-)