Using a smart card for Windows domain login

The goals of this post are 1) Push out a trusted root CA certificate via group policy; 2) Enable certificate auto-enrollment for users; 3) Test domain sign-in via a smart card.  I'd also like to test smart cards with my employer's web-based ticketing system, but that can be done later.

Step 1 - Set up JQR-DC1 as the domain controller and certificate authority.  First, let's review the available certificate services:

The Certificate Authority is what you need to issue certificates in the first place.

The Certificate Enrollment Policy Web Service and Certificate Enrollment Web Service together allow non-domain-joined computers and devices to enroll for a certificate via HTTPS (e.g. cross-forest scenarios).

The Certification Authority Web Enrollment lets you request certificates and more through a web interface instead of via the MMC snap-in.  It's a convenient way to go.

The Network Device Enrollment Service allows devices to obtain a certificate from your CA using the Simple Certificate Enrollment Protocol.  SonicWall routers can do this - I'd like to try that out.

The Online Responder appears to be an alternative to the CRL (certificate revocation list) in that a computer can check via HTTP whether a cert is valid or not.  I'm not entirely clear on the pros/cons of using it with smart cards.

Skimmed an overview of smart cards from Microsoft and this handy forum post.  Got it working!  Here are the steps:
  • Duplicate the Enrollment Agent certificate template.
  • Duplicate the Smartcard Logon template.
    • Under the "Request Handling" tab, set the purpose to "Signature and smartcard logon".
    • Under the "Cryptography" tab, set the Provider to "Microsoft Base Smart Card Crypto Provider".
    • Under "Issuance Requirements", set the number of authorized signatures to 1.
  • Enable both certificate templates on the CA.
  • Log into a domain-joined Windows 7 workstation as the domain Administrator; open certmgr.msc.
  • Request an enrollment agent certificate.
  • Connect the smart card reader and card.  Drivers for Gemalto cards are installed automatically via Windows Update.  That's the other nice thing about Gemalto cards - the middleware for them is baked right into Windows.
  • Enroll in a smart card logon certificate on behalf of the chosen user account.
  • It will prompt you for a PIN.  The default Gemalto PIN is 0000.  You can change this later by pressing Ctrl + Alt + Del, just like the password for your domain user account.

All set.  You may sign in to Windows with this smart card + PIN now.
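As an added check (example code, not from the original post), this PowerShell audit lists the certificates in the user's personal store that would be usable for smart card logon, verifying the Smart Card Logon and Client Authentication EKUs that the template above issues, the UPN in the Subject Alternative Name that the KDC maps to the account, and a chain build with online revocation checking (CRL or OCSP, whichever the CA publishes). It assumes the card is inserted and its certificate has propagated to Cert:\CurrentUser\My.

```powershell
# Added example: audit certificates for smart card logon suitability and
# check revocation status, which is what halts a revoked card's access.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU

function Test-SmartCardLogonCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Both EKUs come from the "Signature and smartcard logon" purpose.
    $ekus   = $Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
    $hasEku = ($ekus -contains $SmartCardLogonOid) -and ($ekus -contains $ClientAuthOid)

    # The template places the user's UPN in the SAN (OID 2.5.29.17);
    # the domain controller maps the card to the account through it.
    $san    = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $hasUpn = [bool]($san -and ($san.Format($true) -match 'Principal Name='))

    # Build the chain with online revocation checking: a card whose
    # certificate was revoked on the CA must fail here once the CRL is published.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($Cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Subject       = $Cert.Subject
        NotAfter      = $Cert.NotAfter
        HasEku        = $hasEku
        HasUpnSan     = $hasUpn
        ChainValid    = $chainOk
        ChainStatus   = $status
        HasPrivateKey = $Cert.HasPrivateKey   # key handle provided by the smart card CSP
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-SmartCardLogonCert $_ } |
    Format-Table -AutoSize
```

A row with ChainValid false and ChainStatus containing "Revoked" is the expected result after revoking the user's certificate on the CA and publishing a new CRL.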

Now, the next annoyance I noticed is that once the machine is domain joined, I'm required to press Ctrl + Alt + Del to unlock the console after locking it, so I enabled the group policy that disables this requirement, keeping frequent console locks practical.

I didn't try it out, but supposedly you can put other certificates on a Gemalto smart card with the Gemalto Minidriver Manager.

Instructions and download link.

OK, pushing trusted root certificate authorities via group policy is super easy:

...and lastly, you can enable certificate auto-enrollment with two steps:

1) Enable it in group policy:

2) Duplicate the certificate template that you're interested in and enable auto-enrollment for the appropriate group of users.

Be aware that by default, certificates have a maximum lifetime of two years.  How to change:

1. certutil -getreg ca\ValidityPeriod - this should show "Years"
2. certutil -getreg ca\ValidityPeriodUnits - this should show "2"
3. certutil -setreg ca\ValidityPeriodUnits 6 - this sets it to 6 years, or whatever you prefer
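As an added example (not from the original post), the same values can be read from the registry keys that certutil -getreg reads, which makes it easy to compare the CA's cap with what a template asks for: the lifetime actually issued is the smaller of the two, so a template set to 5 years still yields 2-year certificates until the cap is raised. The CA name is an assumption; take yours from certutil -cainfo name.

```powershell
# Added example: read and raise the CA's maximum certificate validity.
function Get-CAValidityCap {
    param([string]$CAName)
    # certutil -getreg ca\ValidityPeriod[Units] reads these two values.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
    $cfg = Get-ItemProperty -Path $key
    [pscustomobject]@{
        CAName = $CAName
        Period = $cfg.ValidityPeriod        # e.g. "Years"
        Units  = $cfg.ValidityPeriodUnits   # e.g. 2
    }
}

function Set-CAValidityCap {
    param([string]$CAName, [int]$Years)
    & certutil -setreg 'ca\ValidityPeriodUnits' $Years | Out-Null
    & certutil -setreg 'ca\ValidityPeriod' 'Years'     | Out-Null
    # certutil -setreg only writes the registry; the CA service re-reads
    # its configuration on restart, so the new cap is not live until then.
    Restart-Service -Name CertSvc
    Get-CAValidityCap -CAName $CAName
}

$ca = 'JQR-DC1-CA'   # assumed CA name; yours may be "<domain>-JQR-DC1-CA"
Get-CAValidityCap -CAName $ca
# Set-CAValidityCap -CAName $ca -Years 6
```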


Windows Anytime Upgrade

So I have Windows 7 Home Premium on my laptop.  I'd like to upgrade to Ultimate for BitLocker.

Before doing so, it's a good idea to record the product key for your current edition of Windows, in case you ever want to roll back.  I used ProduKey, exported the report as HTML, and printed it.

Checked the Windows lifecycle fact sheet and found that Windows 7 will be in extended support until 1/14/2020.  For reference, here's a list of Windows 7 Upgrade Paths.

BitLocker FAQ on Windows 7


Yes - you can enable BitLocker on Hyper-V Server 2012 R2

Followed steps from this blog to get the job done.  Also learned you *can* save the BitLocker startup keys for multiple computers on one USB drive (per the Microsoft BitLocker FAQ).

1. Run the PowerShell command Install-WindowsFeature BitLocker

2. My server core was joined to a no-longer-existent domain, and the sconfig.cmd utility wouldn't let me dis-join it!  So, I ran netdom remove /d:domain hostname /force

3. Edited the registry to allow BitLocker to work without a TPM.

4. Ran through the following three commands
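As an added example (not the post's own commands, which were in a screenshot), this PowerShell sets the policy values behind "Require additional authentication at startup / Allow BitLocker without a compatible TPM" directly in the registry, as you would on Server Core, then enables BitLocker on C: with a USB startup key and adds a recovery password so a lost USB stick does not lock you out. The USB drive letter E: is an assumption.

```powershell
# Added example: BitLocker without a TPM on Server Core, startup key on USB.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# These mirror the group policy setting; without them Enable-BitLocker
# refuses a startup key protector on a machine that has no TPM.
$values = @{
    UseAdvancedStartup = 1   # turn the policy on
    EnableBDEWithNoTPM = 1   # allow a USB startup key instead of a TPM
    UseTPM             = 2   # 2 = allow (not require) each TPM option
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $values.Keys) {
    Set-ItemProperty -Path $fve -Name $name -Value $values[$name] -Type DWord
}

# Startup key goes to the USB stick (E: assumed); -SkipHardwareTest avoids
# the reboot-and-verify pass, which is fine for a lab but not for production.
Enable-BitLocker -MountPoint 'C:' -StartupKeyProtector -StartupKeyPath 'E:\' -SkipHardwareTest

# Always keep a second protector: the recovery password is what you use
# when the USB stick is lost. Record it somewhere other than the server.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector

(Get-BitLockerVolume -MountPoint 'C:').KeyProtector
```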

More about smart cards

Today I ordered a $15 smart card reader / writer.  However, Amazon doesn't sell the smart cards to go with it.  What card should I buy?  I'd learned from a phone call that I should not get a "memory card" (although I'm not sure what they are used for currently); instead I need a "microprocessor card" (comparison here).  Why didn't I find SmartCardBasics sooner?!  See also "Smart Card Concepts" from Microsoft.

I was interested in the $7-per-piece price from CardLogix, but you need a minimum order of 10 cards.  So I was interested in a smart card from Gemalto's online store, read this summary of their cards, settled on the .NET card for $26...and then realized the S&H is $30 'cause they're in France.  Ouch.  So I called a California-based Gemalto distributor named Envoy Data and spoke with two people there who were very helpful.  They agreed to sell me a single card for $23 + $12 S&H.  They also suggested that I check out vSEC:CMS from Versatile Security for managing certificates and that I also consider products by "Active Identity".


Certificates, Workplace Join, and UPN suffix routing between forests

I was recently asked what could cause a DNS zone that you've just signed with DNSSEC to stop replicating to a secondary server.  I still don't know the answer to that, but I have learned that the replication interval of a non-AD-integrated zone is defined by the "refresh interval" value in its SOA record.

That said, you can also click the "Notify" button under the Zone Transfers tab and have the primary push real-time DNS updates to a non-AD-integrated DNS server that way.  One guy describes using a secondary DNS zone as a backup for just the DNS records in an AD-integrated zone.

Next, I decided to learn about registering devices through "Workplace Join".  Here's a scenario where you'd want it: you've implemented "dynamic access control" on your file server(s) and are using device claims to provide seamless second-factor authentication.  Your problem is that until now, only Windows 8 supported those device claims.  Workplace Join extends support for device claims (essentially a device certificate) to Windows 7 Pro/Enterprise/Ultimate, Apple iOS devices, and Android devices.  By default, it includes persistent SSO for 7 days.

First, I renamed one of my domain member servers via Rename-Computer -NewName "adfs1" -ComputerName "dac-server2" -DomainCredential mydomain\myuser, followed by Restart-Computer dac-server2 -Force.  Now I was ready for step 4 in this tutorial.  Skipped step 5, as the AD FS wizard is happy to create a Group Managed Service Account (gMSA) for you.

Uh-oh, got stuck on certificates...here's what I learned...

You need to request a "Web Server" certificate for the AD FS server.  After learning this, I duplicated the "Web Server" template, enabled domain computers to enroll for it, and published the template.  I also checked the box to require CA admin approval, just for fun.

So after returning to the AD FS server, I requested a web server certificate and it announced that my request was pending:

No problem - I ambled back to the CA and approved it.  But now what?  The answer is to enable a group policy setting:

Like this:

So you can right-click on "Certificates" and retrieve your issued certificate!  I learned this here.

OK, back to the tutorial...

I finished it up and ran into a problem with Workplace Join on my iPhone, so I'm stepping away from that project for now.  No sense in banging my head on a newly introduced feature which might get patched or updated in the near future.


Excursion into storage: it appears that Openfiler is something to avoid.  Nexenta Community Edition is not supported in a production environment.  Which brings me back to FreeNAS.  I plan to work with iSCSI for now, as Windows likes it...someday I'd like to learn NFS for VMware.

Based on the forum reading from tonight, ZFS (the filesystem used by FreeNAS) works best if your RAID controller presents a JBOD and lets ZFS manage the RAID level.


OK, I need to get Server 2012 certified, then I'll move on to learning storage technologies!

Workplace Join requires a forest functional level of 2012 R2.

So I was wondering...if a person authenticates to their computer with a smart card and you need to halt their access...how do you do that?  Well, perhaps through the Certificate Authority snap-in, by revoking their certificate.  I want to get some hands-on experience with this, so I read about certificates, then found a $15 reader, then wanted to buy a $13 smart card, but the shopping cart link is broken and a TechNet thread suggests that Gemalto cards might be better anyway.  Also found instructions for getting started with smart cards.  Well, the Gemalto cards are about $25 each and I'm not at all sure that they can be read and written to through the card reader above, so I will not pursue this any further for now.  I am curious as to what the $20 Gemalto software does.  Also, found a good reseller of smart cards and their readers - txsystems.com.  OK, that ends my research for today into smart cards.

With the recent demise of TrueCrypt, I want to learn BitLocker - I'd like to try it out with a TPM and with a smart card...and try out enforcing a console lock timeout of 5 minutes.

Next up: UPN suffix routing between forests - what is it and how do you do it?

First, a UPN is a way to uniquely identify a user account in a forest.  It's often the user's email address, but is not required to be a valid DNS name.  Reasons for using it instead of the downlevel logon format DOMAIN\USER include: 1) simplifying usernames in a deep domain structure; 2) simplifying usernames in a hard-to-remember domain name; 3) you've renamed the company or organization - changing a UPN suffix is vastly easier than renaming a domain.

UPN suffix routing refers to how authentication requests are transmitted between forests that trust each other (reference).  First, you need to set up the forest trusts.  Before you can do that, you need to configure conditional DNS forwarding on both servers.

If you only do conditional forwarding on one server, you'll get this error:

According to this forum, you can also get this error if you have two servers with the same name in different domains on the same subnet.

OK, so I have forest trusts in place.  How can I efficiently test user authentication between forests?  With a PowerShell function from a forum (the parameter block and closing brace were missing from the forum copy):

Function Test-ADAuthentication {
    param($username, $password)
    # Binding to the default naming context with the supplied credentials succeeds
    # only if they authenticate; a bad password or unroutable suffix fails the bind.
    (New-Object DirectoryServices.DirectoryEntry "", $username, $password).psbase.Name -ne $null
}

PS C:\> Test-ADAuthentication "dom\myusername" "mypassword"
PS C:\>

Sweet!  This function validates an outgoing trust from where it is run to the target domain/forest.
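One caveat with the forum function: a bad password or an unrouted suffix makes the bind throw an exception rather than return $false. As an added example (not from the original post), this version uses PrincipalContext.ValidateCredentials, catches the failure, and sweeps a list of UPNs so trust and suffix routing can be checked in one pass; the UPNs and the shared test password are assumptions.

```powershell
# Added example: test UPN suffix routing across forest trusts, one UPN per row.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-UpnRouting {
    param(
        [string[]]$UserPrincipalNames,
        [System.Management.Automation.PSCredential]$Credential   # only the password is used
    )
    $plain = $Credential.GetNetworkCredential().Password
    foreach ($upn in $UserPrincipalNames) {
        # ContextType.Domain with no server named: the local forest's DCs must
        # route the UPN suffix across the trust, which is what suffix routing controls.
        $ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
            -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain)
        try {
            $ok  = $ctx.ValidateCredentials($upn, $plain)
            $err = $null
        } catch {
            # Exception text distinguishes a disabled suffix or broken trust
            # from a plain wrong password (which returns $false without throwing).
            $ok  = $false
            $err = $_.Exception.Message
        } finally {
            $ctx.Dispose()
        }
        [pscustomobject]@{ UPN = $upn; Authenticated = $ok; Error = $err }
    }
}

# Assumed test account present in each forest with the same password.
$cred = Get-Credential -Message 'Password of the test account (user name is ignored)'
Test-UpnRouting -Credential $cred -UserPrincipalNames @(
    'testuser@forest1.local',
    'testuser@child.forest1.local',
    'testuser@forest2.local'
) | Format-Table -AutoSize
```

Run it from dac.local: forest1.local and forest2.local rows should authenticate, and the child.forest1.local row flips to failed as soon as that suffix is disabled in the trust and the DNS cache is flushed, matching the behaviour described below.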

I have three forests: forest1.local, forest2.local, and dac.local.  The first two each have a two-way transitive trust to dac.local; note that forest1 and forest2 do not trust each other.  So I added a child domain to forest1.local (child.forest1.local) and found that UPN suffix routing did not immediately work - so I clicked on the "Validate" button in the forest trust and that asked if I wanted to update the name suffix routing info, so I said yes, and then all was well.

Next I disabled routing for the child.forest1.local name suffix, but that didn't take effect immediately, so I flushed the DNS cache via the MMC console and then it took effect.

Next I added an "external" trust between dac.local and child.forest1.local and tested it OK.  When I deleted it, it kept on working until I restarted the Active Directory Domain Services service (which also restarted four other services: Kerberos Key Distribution Center, Intersite Messaging, DNS Server, DFS Replication).

Explicit UPN suffix routing works with forest trusts, but an external trust only supports implicit UPN (i.e. user@domain.xyz) suffixes (link).

In the FSRM - if you try to delete a local classification property that is referenced by a rule, you'll be told:

If you delete a classification property that is used by files, that's OK - they will simply lose that particular classification property.

Server 2012 introduced the ability to manually classify files/folders.