6/27/14

Using a smart card for Windows domain login

The goals of this post are 1) Push out a trusted root CA certificate via group policy; 2) Enable certificate auto-enrollment for users; 3) Test domain sign-in via a smart card.  I'd also like to test smart cards with my employer's web-based ticketing system, but that can be done later.

Step 1 - Setup JQR-DC1 as the domain controller and certificate authority.  First, let's review the available certificate services:

The Certificate Authority is what you need to issue certificates in the first place.

The Certificate Enrollment Policy Web Service and Certificate Enrollment Web Service work allow non-domain joined computers and devices enroll for a certificate via HTTPS (e.g. cross forest scenarios).

The Certification Authority Web Enrollment lets you request certificates and more through a web interface instead of via the MMC snap-in.  It's a convenient way to go.

The Network Device Enrollment Service allows devices to obtain a certificate from your CA using the Simple Certificate Enrollment Protocol.  Sonicwall routers can do this - I'd like to try that out.

The Online Responder appears to be an alternative to the CRL (certificate revocation list) in that a computer can check via HTTP whether a cert is valid or not.  I'm not entirely clear on the pros/cons of using it with smart cards.

Skimmed an overview of smart cards from Microsoft and this handy forum post.  Got it working!  Here are the steps:
  • Duplicate the Enrollment Agent certificate template
  • Duplicate the Smartcard Logon template.  
    • Under the "Request Handling" tab, set the purpose to "Signature and smartcard logon".
    • Under the "Cryptography" tab, set the Provider to "Microsoft Base Smart Card Crypto Provider".
    • Under "Issuance Requirements", set the number of authorized signatures to 1.
  • Enable both certificate templates on the CA.
  • Log into a domain-joined Windows 7 workstation as the domain Administrator; open certmgr.msc.
  • Request an enrollment agent certificate.
  • Connect the smart card reader and card.  Drivers for Gemalto cards are installed automatically via Windows Update.  That's the other nice thing about Gemalto cards - the middleware for them is baked right into Windows.









  •  Enroll in a smart card logon certificate on behalf of the chosen user account.


















  • It will prompt you for a PIN.  The default Gemalto PIN is 0000.  You can change this later by pressing Ctrl + Alt + Del, just like the password for your domain user account.

All set.  You may sign in to Windows with this smart card + PIN now.









Now, the next annoyance that I noticed is that when I lock the console, I'm required to press Ctrl + Alt + Del to unlock it again (now that it's domain joined), so I enabled a group policy to disable this behavior so frequent console locks remain practical.

I didn't try it out, but supposedly you can put other certificates on a Gemalto smart card with the Gemalto Minidriver Manager.

InstructionsDownload link.





OK, pushing trusted root certificate authorities via group policy is super easy:











...and lastly, you can enable certificate auto-enrollment with two steps:

1) Enable it in group policy:








2) Duplicate the certificate template that you're interested in and enable auto-enrollment for the appropriate group of users.

Be aware that by default, certificates have a maximum lifetime of two years.  How to change:


1. certutil -getreg ca\ValidityPeriod              - this should show "Years"
2. certutil -getreg ca\ValidityPeriodUnits    - this should show "2"
3. certutil -setreg ca\validityperiodunits 6  - this sets it to 6 years, or whatever you prefer