SmartCard logins to Active Directory

Print Friendly, PDF & Email

Hello everyone! After the winter period and the rest that I usually use to regain strength… We're back with a lot of posts in the pipeline and a lot of desire to fight!!! Today we start with the use of SmartCard or smart cards in our organization, to allow users to validate themselves, ¡Started!

In this post we are going to try to see how convenient the use of SmartCards or smart cards can be in our organizations, being able to use a card that allows them to validate themselves in the services they need. In this first post we will see everything you need in the Active Directory to be able to issue these certificates, as well as to validate themselves at their workstations or by remote desktop.

But I also intend to bring this technology to you, that apart from providing us with a more secure layer to authentications, (And we're in control), Well, it's something accessible. This is, that we can buy packs of white cryptographic cards for ourselves with a card reader to be able to insert the certificates that we generate in our Active Directory. If you have any doubts, at the FNMT you can buy what you need, or in other places of course.

And for the 'printing press'’ of the design, well, As we imagine, They could be bought online and arrive already printed with our designs, or we can purchase a sticker receipt printer, quality, in color, without cartridges… that we can use to print the labels ourselves and stick them easily. Not to advertise, but in case anyone is guided, I use a Brother VC-500W for this that has a tape of 5 cm wide, ideal for these tasks. I also use it to print the QR codes that I send to customers who need it to see their Monitoring Data with smaller ribbons.

Well, Started, Let's divide the article into several blocks

  1. First: We start with the 'Enrollment Agent', This is, who will be able to request and sign the certificates that we will need to generate for our users. We'll define a new custom certificate template and then use it to generate the certificate. The holder of this certificate will be able to create the users' certificates. The certificate can be installed on the user/computer or can then also be put on a SmartCard.
  2. Second: Then we'll create a certificate template for our organization, then we will use it to generate the certificates that will be issued for the SmartCards.
  3. Third: Request a certificate on behalf of another Active Directory user.
  4. Room: And we tried it! At the end we will also create a GPO so that when the user extracts the SmartCard, your computer crashes immediately.

Creating an Enrollment Agent Certificate,

What I said, In this section we will see how we will finally obtain a certificate, that with it we will be able to generate the certificates that we will need from our users. The certificate holder will be able to request and sign the certificates that we will need in the future.

 

Open the Certificate Template Console (certtmpl.msc) and we doubled the workforce “Enrollment Agent”,

 

It will open up the properties to edit this certificate template, on the “General” we indicate the Display Name of the template, as well as check the option to publish the certificates in the Active Directory. On the “Compatibility” We will enable the highest versions by adapting them to our environment.

 

On the “Processing of the request” we will check the option 'Ask the user during registration'. On the “Cryptography” We change the supplier to “Legacy Crypto Service Provider” and “Microsoft base Cryptographic Provider v 1.0”.

 

And in the “Safety” we make sure that the user or group that we are going to allow to generate the certificates has the permissions to 'Read’ and 'Write'.

 

From the CA Management Console (certsrv.msc) We'll publish the template we just created, to be used. From Certificate Templates > New > Certificate template to be issued.

 

Select the template we have just created and click on “Accept”,

 

Nien, Now that the certificate template exists, that is, is published in Active Directory, we will now be able to request the certificate we need for the Certificate Agent. To do this,, We open the user's certificate management console (certmgr.msc), and from Personal > All tasks > You request a new certificate…

 

“Following”,

 

Select “Active Directory Enrollment Policy” & “Following”,

 

Now we select from which template we are going to request the certificate, This is, What type of certificate we will need, We select ours & “Following”,

 

List! We already have the certificate for our user, We will be able to create certificates for our end users with it. If we click on “Details” > “View certificate” we will be able to access it and export it in PFX and take it wherever we need it.

 

Creating the certificate template to issue to SmartCards,

As we said before, now it will be necessary to create a certificate template in our Active Directory in order to issue certificates to our SmartCards or smart cards. This is already the last step before we can do what we want, Create certificates!

 

Open the Certificate Template Console (certtmpl.msc) and we doubled the workforce “Smart Card User”,

 

It will open up the properties to edit this certificate template, on the “General” we indicate the Display Name of the template, as well as check the option to publish the certificates in the Active Directory. On the “Compatibility” We will enable the highest versions by adapting them to our environment.

 

On the “Processing of the request” we will check the options of 'Allow the private key to be exported', 'For automatic renewal of smart certificates use the existing key if a new key cannot be created’ and 'Ask the user during registration'.

 

On the “Safety”, we add “Domain Users” who must have Read permissions, Enroll & Auto-Enroll. On the “Issuance Requirements” We will dial 1 the name of authorized signatures, select the 'Enforcement policy'’ for signing and as an application policy we indicate 'Certificate Request Agent'.

 

And now to finish, from the CA management console (certsrv.msc) We will publish the template we have just created to be used. From Certificate Templates > New > Certificate template to be issued.

 

We select the template we just created and publish it!

 

Creating SmartCard Certificates on Behalf of Another User,

And we end up with what can already be a common task, which is nothing more than the need for us to have to create certificates for our users.

 

GOOD, We open our User Certificates Console (certmgr.msc), and from Personal > Certificates > All tasks > Advanced Operations > Enroll on behalf of…

 

“Following”,

Select “Active Directory Enrollment Policy” and “Following”,

 

Ask us for the certificate to sign the certificate application, we will have to have it previously installed on the machine (or have it on a SmartCard), Click on “Examine”,

 

We enter the certificate…

And we continue with the assistant, Click on “Following”,

We must select the template that we will use to create the certificate, This is, The type of certificate, So we tick ours and continue, “Following”,

From the “Examine…” we will be able to search for the user of our Active Directory that we need, to whom we are going to generate the certificate. Click on “Inscribe”,

And nothing, We may continue to request other certificates for other users, or before exporting the certificate that you have generated in PFX format and then importing it into the SmartCard.

 

Installing the certificate on the SmartCard and testing it!

It's time to save the certificate generated by the Active Directory on the smart card or SmartCard.

In my particular case I use the FNMT Certificate Importer, which is a software that allows you to You can download, And in case anyone has doubts, Yes, You can put more than 1 certificate, you will be able to enter the certificate of other AD users, as your user with administrative privileges, or others such as that of representative of a company, that of the FNMT of course…

Now, on any Windows computer 10, Windows 11 that we have in control, it will be as simple as inserting the smart card into the card reader and entering the PIN of the card to access. In Login Options we will see the middle icon when a valid certificate is detected to log in, If we had other certificates, more icons would come out of those.

We can also use them when connecting via Remote Desktop to our servers,

And one very important thing, if we want the card to be blocked from the user as soon as the card is removed from the device, we can create a GPO where we will 2 stuff, (i) indicate in Policies > Windows Settings > Security Settings > Local Directives > Security Options > Interactive login > We'll enable the 'Interactive Sign-In' policy: Smart Card Removal Behavior”, indicating in this case 'Lock the workstation', We have other options like logging out… And (Ii) we must take into account that the service “Smart card removal policy” should be as 'Automatic' and 'Started', so in the same GPO that we will apply to our teams in Preferences > Configuring the Control Panel > Services > We add it and indicate these configurations.

And with this ready! We will be able to generate as many certificates as we need, engrave them on our smart cards and even personalize them and give them a corporate touch! As usual, I hope that some soul can be interested and it can be good for them. It is a way to secure our organization and remove passwordless access, Nor tokens…

A hug!

Recommended Posts

VPN with Citrix NetScaler III - Authentication with certificates
Read
Implementing FSSOs to integrate Fortigate with Active Directory
Read
VPN with Citrix NetScaler II - Requiring certificates to access
Read
Implementing Windows LAPS
Read

Author

by Héctor Herrero 
nheobug@bujarra.com
Autor del blog Bujarra.com Cualquier necesidad que tengas, Do not hesitate to contact me, I will try to help you whenever I can, Sharing is living ;) . Enjoy documents!!!

JumpServer

17 de October de 2023

Remarkable 2: Hacks & Own server

30 of January 2024