AD authentication with be eID

Active Directory authenticationwith BE eID SmartcardThis guide explains how to configure an ActiveDirectory to enable Be eID Smartcard as authenticationtoken.Why this ?More and more countries are deploying smartcard systems that could be used to authenticate a user.I’m sure you are tired to remember so many password and the lack of security caused (most simplepassword, helpdesk nightmare, reset password with sometimes very simplistic reset rules …)Deploying HW token become usual in many company but this require investment. So why not usingalready available smartcard in your wallet. This document will explain how to used the Belgianidentity card and PIN to authenticated a user.Using BE eID card is not so trivial because these Card didn’t use some pre-requisite information (ieUPN, AT_KEYEXCHANGE, EKU) and the CRL can also be difficult.This document must be used as a Lab. Documentation, to do a proof of concept not used inproduction ! Changing or implementing your PKI infra is at your own risk. This document only reflectour own setup to get the evidence that using BE-eID-Card for NT Domain authentication is feasible.You can notice that some non-domain authentication software are available on the web: http://www.mysmartlogon.com/products/eidauthenticate.html http://code.google.com/p/eid-applet/We apologize, but Print -Screen will be in French.Material needed :  Recommended Windows 7 and Windows 2008 R2 (Windows Vista, and Windows 2008 is the minimum)  The Windows 2008 R2 Enterprise (here the link to a trial) http://www.microsoft.com/windowsserver2008/en/us/trial-software.aspx  Belgium eID (identity card) and associated software (on Server and Client) www.eid.be (eid framework ie ver 3.5.4)  Certificate already deployed on your Domain Controller (we recommend to used Microsoft Certification Authority, see later in the doc.)  Two BE eID Smartcard reader (ie. ACR 38 U) André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.

Part 1 : Setup of a Test Windows Domain  Run the Windows 2008 R2 Setup  Make you initial logon and perform all security update  Run your DCPROMO and create a dedicated and isolated domain for this lab.  At the end of the DCPROMO and after the reboot you have a new Forest and a DNS Running onto your test server lab.  Install a Windows 7 Client (ie. Test drive business edition))  Join this Windows 7 to the domain  Install the BE EID framework on all machineY Part 2 : Installing Microsoft Certification Authority  These step are to perform on your DC.  Microsoft Certification Authority is a Role you need to add on your server. o During the Process you will have to choose for a :  Select Root Authority  And Select an Enterprise CA (this will be helpful for future lab. We will provide later)  Obtain a Certificate for you DC o Runn MMC add the certificate Snapp-in for the Local “Computer Account” o Open the ” Personal” folder -> Certificates o Right Click on certificate and Request a new certificate : André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.

 Next and Select an Active Directory plocicy : Select and Next, After Select the following roles : At the end perform a reboot If you have not correctly followed these steps, an event ID 19 will be logged into your DC and Login with Smartcard will failed stating that your account is not configured for Smart Card authentication. This is due to the fact that PKI Init (authentication with the DC is not feasible due to the lack of the certificate on the DC, in real live each DC will require a such certificate…) André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.

Part 3 : Tunning the Domain controller and the client to accept a BEeID Card.Step 1 - Domain Policy:  Setup you domain default policy (look here to localize them and which are to be set)  After that they will be applied (ie. GPUpdate) you will have the following registry key (on both DC and Client) [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsSmartCardCredentialProvi der] "AllowCertificatesWithNoEKU"=dword:00000001 "AllowSignatureOnlyKeys"=dword:00000001 "ForceReadingAllCertificates"=dword:00000001Step 2 :Customize registry These step are needed to ensure BE eID card specifycities are accepted for Autentication  On the client and DC, configure registry as follow: [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaKerberosParameters] "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001 André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.

"CRLTimeoutPeriod"=dword:00000001  On the Domain Controlle onlyr as follow: [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceskdc] "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001 "SCLogonEKUNotRequired"=dword:00000001 [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaKerberosParameters] "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001Part 4 : Import BE Autority certification Authority Currenlty there is not only one set of eID authority, you need 3 in fact (because since 17 of October 2008, a new authority as been deployed).  You will have one for the Root Called: Belgian Root CA  And 2 with the name :Citizen CA (2 because this new re-deployment, in this doc we will assume the one you get with the one you use)Step 1 : Export the Public key Authority certificate (.cer)For these step the easiest is to export them into files for the eID-Viewer  Put a Card into the reader and launch the eID Viewer->go under certificate tab André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.

 Click on Root (1) after Click details (1a) André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.

 Click on the Tab details André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.

 Click on th button Copy to File …  Save it in ie C:tmp with the Name “Belgian Root CA.CER”  Redo these steps for the Citizen CA, see printtscreen here upper the blue (2) and (2a) but saved it with ”Citizen CA.cer”  At this step you have exported the public key of the 2 of 3 Belgian Authority. These are to be imported into your infra to get them recognized as trusted.Step 2 : Import them into your systemsImport them onto your DC and Client . Please note that you can use a GPO for these task see: http://support.microsoft.com/kb/281245  Copy these 2 files (.cer) ie in c:tmp André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.

 Run CMD.exe With Administrative privilege (righ click and run with administrative privilege!!!).  Go under c:tmp  Run the following command : o C:tmp>certutil -addstore ROOT “Belgian CA.cer” o C:tmp>certutil -addstore CA ”Citizen CA.cer”Step 3 : Register these Authority as NTAuthCALook here for more info : http://support.microsoft.com/kb/295663/Go back onto your DC ONLY with the Admin CMD.  Run CMD.exe With Administrative privilege (righ click and run with administrative privilege!!!).  Go under c:tmp  Run the following command : o C:tmp>certutil -dspublish -f “Belgian CA.cer” NTAuthCA o C:tmp>certutil -dspublish -f ”Citizen CA.cer” NTAuthCAPart 5 : User configuration and certificate mappingStep1 : Export your user certificateUse the same process that in Part4 –Step1 . You will be to export you own user certificate and storethem into c:tmpmyuser.cer (Take the “Authentication certificate”) André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.

Step2 : Configure the certificate for your user  Open AD users and computers.  Check to use the Advanced Features. André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.

 Right click the user you want to map this card to and choose name mappings.Select the certificate you want to map to (ie c:tmpmyuser.cer) André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.

Reboot both and test under “insert Smartcard” Logon screen! André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.

AD authentication with be eID

by Andre Debilloez on Dec 27, 2010

Accessibility

Categories

Upload Details

Usage Rights

2 Embeds 21

Statistics

AD authentication with be eID — Document Transcript

http://blog.debilloez.net	20
http://www.slideshare.net	1