Active Directory authentication with BE eID Smartcard
This guide explains how to configure an Active Directory domain to accept the Belgian eID smartcard as an authentication token.
Why this ?
More and more countries are deploying smartcard systems that could be used to authenticate a user.
Everyone is tired of remembering so many passwords, and of the lack of security that comes with them (simplistic passwords, helpdesk nightmares, password resets with sometimes very weak reset rules ...).
Deploying hardware tokens is becoming usual in many companies, but it requires investment. So why not use the smartcard that is already in your wallet? This document explains how to use the Belgian identity card and its PIN to authenticate a domain user.
Using the BE eID card is not so trivial, because its certificates lack some information that Windows smart card logon expects by default (a UPN in the certificate, an AT_KEYEXCHANGE key pair, the Smart Card Logon EKU), and checking the CRL can also be difficult.
This document must be used as lab documentation, to do a proof of concept, not for production! Changing or implementing your PKI infrastructure is at your own risk. This document only reflects our own setup, built to get evidence that using the BE eID card for NT domain authentication is feasible. Keep in mind that the registry settings of Part 3 relax the EKU checks and tell Kerberos to ignore "revocation status unknown" errors, so a card whose certificate has been revoked is still accepted as long as no CRL has been cached: acceptable in an isolated lab, not on a real domain.
Note that some smartcard authentication software that does not rely on a domain is available on the web:
http://www.mysmartlogon.com/products/eidauthenticate.html
http://code.google.com/p/eid-applet/
We apologize, but the screenshots will be in French.
Material needed :
Recommended: Windows 7 and Windows 2008 R2 (Windows Vista and Windows 2008 are the minimum)
Windows 2008 R2 Enterprise (here the link to a trial)
http://www.microsoft.com/windowsserver2008/en/us/trial-software.aspx
Belgian eID (identity card) and the associated software, on server and client
www.eid.be (eID framework, ie version 3.5.4)
A certificate already deployed on your Domain Controller (we recommend using Microsoft Certification Authority, see later in the doc.)
Two BE eID smartcard readers (ie. ACR 38 U)
André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.
Part 1 : Setup of a Test Windows Domain
Run the Windows 2008 R2 setup.
Make your initial logon and apply all security updates.
Run DCPROMO and create a dedicated, isolated domain for this lab.
At the end of DCPROMO, after the reboot, you have a new forest and a DNS server running on your lab server.
Install a Windows 7 client (ie. the Test Drive business edition).
Join this Windows 7 machine to the domain.
Install the BE eID framework on all machines.
Part 2 : Installing Microsoft Certification Authority
These steps are to be performed on your DC.
Microsoft Certification Authority is a role you need to add on your server.
o During the process you will have to choose:
Select Root CA
And select an Enterprise CA (this will be helpful for future labs we will provide later)
Obtain a certificate for your DC:
o Run MMC and add the Certificates snap-in for the local "Computer Account"
o Open the "Personal" folder -> Certificates
o Right click on Certificates and choose Request a new certificate :
Click Next and select an Active Directory enrollment policy :
Select it, click Next, then select the domain controller certificate template :
At the end, reboot.
If you have not correctly followed these steps, an event ID 19 (source Kerberos-Key-Distribution-Center) will be logged on your DC and the smartcard logon will fail, stating that your account is not configured for smart card authentication.
This is because PKINIT (the Kerberos pre-authentication used for smart card logon) cannot work without a certificate on the DC. In real life each DC will require such a certificate.
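The check a practitioner wants after Part 2, as an added example in PowerShell (not part of the original guide): it lists the certificates in the DC's machine store that could serve PKINIT and pulls the last KDC event 19 entries. It assumes the DC certificate is in LocalMachine\My with a private key, carries the KDC Authentication or Server Authentication EKU and names the DC's FQDN; the OIDs are the standard ones.

```powershell
# Added check, not part of the original guide. Run on the DC after Part 2.
# Assumptions: the DC certificate sits in LocalMachine\My with a private key, carries the
# KDC Authentication EKU (Kerberos Authentication template) or Server Authentication
# (legacy Domain Controller template), and names the DC's FQDN in its SAN or subject.
$dcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$oidKdcAuth    = '1.3.6.1.5.2.3.5'    # KDC Authentication
$oidServerAuth = '1.3.6.1.5.5.7.3.1'  # Server Authentication
$oidSan        = '2.5.29.17'          # Subject Alternative Name

function Get-DcPkinitCertificate {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            if (-not $cert.HasPrivateKey -or $cert.NotAfter -le (Get-Date)) { continue }
            $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            if (-not $ekuExt) { continue }
            $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
            $pkinitEku = ($oids -contains $oidKdcAuth) -or ($oids -contains $oidServerAuth)
            # The SAN is inspected through its formatted text; the DC FQDN must appear there or in the subject
            $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oidSan }
            $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
            $namesDc = ($sanText -like "*$dcFqdn*") -or ($cert.Subject -like "*$dcFqdn*")
            if ($pkinitEku -and $namesDc) { $cert }
        }
    } finally { $store.Close() }
}

$candidates = @(Get-DcPkinitCertificate)
if ($candidates.Count -eq 0) {
    Write-Warning "No PKINIT-capable certificate for $dcFqdn in LocalMachine\My: smartcard logon will fail and the KDC will log event 19."
} else {
    $candidates | Format-Table Subject, NotAfter, Thumbprint -AutoSize
}

# Event 19 from the KDC means it cannot do PKINIT because it has no suitable certificate
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'; Id = 19 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -Wrap
```

Run it from an elevated PowerShell prompt on the DC; an empty certificate table together with recent event 19 entries is the signature of the failure described above.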
Part 3 : Tuning the Domain Controller and the client to accept a BE eID Card.
Step 1 - Domain Policy:
Set up your domain default policy (the settings are under Computer Configuration -> Administrative Templates -> Windows Components -> Smart Card: "Allow certificates with no extended key usage certificate attribute", "Allow signature keys valid for Logon" and "Force the reading of all certificates from the smart card").
After they have been applied (ie. GPUpdate) you will have the following registry key (on both DC and client):
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"AllowCertificatesWithNoEKU"=dword:00000001
"AllowSignatureOnlyKeys"=dword:00000001
"ForceReadingAllCertificates"=dword:00000001
Step 2 : Customize the registry
These steps are needed to ensure the BE eID card specificities are accepted for authentication.
On the client and the DC, configure the registry as follows:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"CRLTimeoutPeriod"=dword:00000001
On the Domain Controller only, as follows:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"SCLogonEKUNotRequired"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
These values are documented in http://support.microsoft.com/kb/281245. SCLogonEKUNotRequired makes the KDC accept a client certificate without the Smart Card Logon EKU, and the UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors values make the client and the KDC accept a certificate whose revocation status could not be determined. In a production deployment you would make the Belgian CRLs reachable from the DC instead of ignoring revocation errors.
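Part 3 as a script, added here and not part of the original guide: it writes the same registry values from an elevated PowerShell prompt (run with -DomainController on the DC, without it on the Windows 7 client) and reads them back, so you can see at a glance which of the weakening settings are in place. It assumes the policy values are written directly instead of through the Step 1 GPO; the result is the same in this lab, but a GPO that sets them differently would overwrite them at the next refresh.

```powershell
# Added example, not from the original guide: applies the Part 3 registry values and reads them back.
# Run with -DomainController on the DC; without it on the Windows 7 client.
# Assumption: the policy keys are written directly instead of through the Step 1 GPO.
param([switch]$DomainController)

# Keys applied on BOTH client and DC
$common = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider' = @{
        AllowCertificatesWithNoEKU  = 1  # eID auth certificate has no Smart Card Logon EKU
        AllowSignatureOnlyKeys      = 1  # eID auth key is AT_SIGNATURE, not AT_KEYEXCHANGE
        ForceReadingAllCertificates = 1  # read the card's certificates even without the logon EKU
    }
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' = @{
        UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors = 1  # WEAKENS revocation checking: lab only
        CRLTimeoutPeriod = 1
    }
}
# Keys applied on the DC only (KDC side)
$kdc = @{
    'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' = @{
        UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors = 1  # WEAKENS revocation checking: lab only
        SCLogonEKUNotRequired = 1                             # accept client certs lacking the logon EKU
    }
}

function Set-LabRegistryValues([hashtable]$keys) {
    foreach ($path in $keys.Keys) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $keys[$path].Keys) {
            New-ItemProperty -Path $path -Name $name -Value $keys[$path][$name] -PropertyType DWord -Force | Out-Null
        }
    }
}

function Show-LabRegistryValues([hashtable]$keys) {
    foreach ($path in $keys.Keys) {
        $item = Get-ItemProperty -Path $path
        foreach ($name in $keys[$path].Keys) {
            $actual = $item.$name
            $state = if ($actual -eq $keys[$path][$name]) { 'OK' } else { 'MISMATCH' }
            "{0,-8} {1}\{2} = {3}" -f $state, $path, $name, $actual
        }
    }
}

Set-LabRegistryValues $common
if ($DomainController) { Set-LabRegistryValues $kdc }

Show-LabRegistryValues $common
if ($DomainController) { Show-LabRegistryValues $kdc }
```

Every line reported as MISMATCH after a run means something (typically a GPO) is overriding the value; the comments mark the two settings that disable revocation enforcement and must never leave the lab.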
Part 4 : Import the Belgian Certification Authority certificates
Currently there is not a single eID authority: you need 3 in fact, because since 17 October 2008 a new authority has been deployed.
You will have one for the root, called Belgian Root CA,
and 2 with the name Citizen CA (2 because of this re-deployment; in this doc we will assume the one that issued the card you use).
Step 1 : Export the public certificate of each authority (.cer)
For this step the easiest way is to export them to files with the eID Viewer.
Put a card into the reader, launch the eID Viewer and go to the Certificates tab.
Click on Root (1), then click Details (1a).
Click on the Details tab.
Click on the button Copy to File ...
Save it in ie C:\tmp with the name "Belgian Root CA.cer".
Redo these steps for the Citizen CA (see the screenshot above, blue (2) and (2a)), but save it as "Citizen CA.cer".
At this step you have exported the public certificates of 2 of the 3 Belgian authorities. These are to be imported into your infrastructure to get them recognized as trusted.
Step 2 : Import them into your systems
Import them on your DC and client.
Please note that you can use a GPO for this task, see:
http://support.microsoft.com/kb/281245
Copy these 2 files (.cer), ie into C:\tmp
Run CMD.exe with administrative privileges (right click and Run as administrator!!!).
Go to C:\tmp
Run the following commands (the file names must match what you saved in Step 1):
o C:\tmp>certutil -addstore ROOT "Belgian Root CA.cer"
o C:\tmp>certutil -addstore CA "Citizen CA.cer"
Step 3 : Register these authorities in the NTAuth store
Look here for more info : http://support.microsoft.com/kb/295663/
Go back to your DC ONLY, with the admin CMD.
Run CMD.exe with administrative privileges (right click and Run as administrator!!!).
Go to C:\tmp
Run the following commands :
o C:\tmp>certutil -dspublish -f "Belgian Root CA.cer" NTAuthCA
o C:\tmp>certutil -dspublish -f "Citizen CA.cer" NTAuthCA
Keep in mind that NTAuth is forest-wide: every CA published there is trusted to issue logon certificates for any account in the forest. Strictly speaking only the issuing Citizen CA needs to be in NTAuth (the root only needs to be trusted); what ties one particular card to one particular account is the explicit name mapping of Part 5.
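Steps 2 and 3 of Part 4 done from PowerShell, followed by the check the guide does not show: reading the NTAuthCertificates object from the Configuration partition and confirming both thumbprints are there. This is an added example, not the guide's own commands; it assumes the file names and the C:\tmp path used above and that it runs on the DC with domain rights.

```powershell
# Added example, not from the original guide: Part 4 Steps 2 and 3 from PowerShell, plus a
# verification against the NTAuthCertificates object in AD.
# Assumptions: files exported in Step 1 as below; script runs on the DC (dspublish needs domain rights).
$root   = 'C:\tmp\Belgian Root CA.cer'
$issuer = 'C:\tmp\Citizen CA.cer'

function Import-CaCertificate([string]$file, [string]$storeName) {
    # X509Store works on PowerShell 2.0 (Import-Certificate only exists on newer Windows)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    $cert
}

$rootCert   = Import-CaCertificate $root   'Root'   # same as: certutil -addstore ROOT
$issuerCert = Import-CaCertificate $issuer 'CA'     # same as: certutil -addstore CA

# Publish to the forest-wide NTAuth store (DC only). Only the issuing CA strictly needs to be here.
foreach ($file in @($root, $issuer)) {
    & certutil.exe -dspublish -f $file NTAuthCA | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "certutil -dspublish failed for $file (exit code $LASTEXITCODE)" }
}

function Get-NTAuthCertificates {
    # NTAuthCertificates lives in the Configuration partition; read its cACertificate values via ADSI
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $obj = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
    foreach ($raw in $obj.Properties['cACertificate']) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$raw)
    }
}

$ntauth = @(Get-NTAuthCertificates)
foreach ($expected in @($rootCert, $issuerCert)) {
    $present = $ntauth | Where-Object { $_.Thumbprint -eq $expected.Thumbprint }
    $state = if ($present) { 'in NTAuth' } else { 'MISSING  ' }
    "{0} {1}  {2}" -f $state, $expected.Thumbprint, $expected.Subject
}
```

The AD object is the authoritative copy; the local NTAuth cache on each member is refreshed from it by autoenrollment, so a MISSING line here means the publish itself failed rather than a replication delay.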
Part 5 : User configuration and certificate mapping
Step 1 : Export your user certificate
Use the same process as in Part 4, Step 1 to export your own user certificate and store it as C:\tmp\myuser.cer (take the "Authentication" certificate, not the "Signature" one).
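An added check in PowerShell (not part of the original guide) on the exported authentication certificate: it reports the EKU, key usage and subject alternative name so you can see for yourself which of the three eID particularities from the introduction (no Smart Card Logon EKU, signature-only key, no UPN) apply, and whether the chain now builds against the CAs imported in Part 4. It assumes the file C:\tmp\myuser.cer from Step 1; the OIDs are the standard Microsoft and PKIX ones.

```powershell
# Added check, not from the original guide: which default smartcard-logon requirements
# does the exported eID authentication certificate fail, and does its chain build?
# Assumption: C:\tmp\myuser.cer is the Authentication certificate exported in Step 1.
param([string]$CertFile = 'C:\tmp\myuser.cer')

$oidSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'  # Microsoft Smart Card Logon EKU
$oidUpnOtherName   = '1.3.6.1.4.1.311.20.2.3'  # Microsoft UPN otherName in the SAN

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertFile)
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"

# 1. Extended Key Usage: default smart card logon expects the Smart Card Logon EKU
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
"EKU     : " + $(if ($ekus) { $ekus -join ', ' } else { '<none>' })
"  Smart Card Logon EKU present : $($ekus -contains $oidSmartCardLogon)  (false => AllowCertificatesWithNoEKU / SCLogonEKUNotRequired)"

# 2. Key usage: digitalSignature without keyEncipherment hints at an AT_SIGNATURE key, not AT_KEYEXCHANGE
$kuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
$ku = if ($kuExt) { $kuExt.KeyUsages } else { [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::None }
"KeyUsage: $ku"
$signatureOnly = ($ku -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment) -eq 0
"  Signature-only key           : $signatureOnly  (true => AllowSignatureOnlyKeys)"

# 3. UPN in the Subject Alternative Name: without it the KDC must find the account via altSecurityIdentities
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '<none>' }
"SAN     : $sanText"
$hasUpn = ($sanText -like '*Principal Name=*') -or ($sanText -like "*$oidUpnOtherName*")
"  UPN in SAN                   : $hasUpn  (false => explicit name mapping, Part 5 Step 2)"

# 4. Chain: builds only if the CAs from Part 4 are trusted; revocation is deliberately not checked here
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($cert)
"Chain   : " + $(if ($chainOk) { 'builds (CAs trusted)' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' })
```

On a Belgian eID authentication certificate you should see the first three checks come out as "no logon EKU", "signature-only" and "no UPN", which is exactly why Part 3 and the mapping in Step 2 are needed; a chain that does not build means Part 4 was not completed on this machine.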
Step 2 : Configure the certificate for your user
Open Active Directory Users and Computers.
Enable View -> Advanced Features.
Right click the user you want to map this card to and choose Name Mappings.
Select the certificate you want to map (ie C:\tmp\myuser.cer). This writes an "X509:<I>issuer<S>subject" entry into the user's altSecurityIdentities attribute; the KDC uses it to find the account because the eID certificate carries no UPN.
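The same mapping done from PowerShell, as an added example that is not part of the original guide: it builds the X509:<I>issuer<S>subject string that the Name Mappings dialog writes into the user's altSecurityIdentities attribute, appends it and prints the result. The account name jdoe and the C:\tmp\myuser.cer path are assumptions; it must run on the DC with rights to modify the user.

```powershell
# Added example, not from the original guide: performs the same mapping as the ADUC
# "Name Mappings" dialog by appending an X509:<I>issuer<S>subject entry to altSecurityIdentities.
# Assumptions: C:\tmp\myuser.cer is the exported Authentication certificate, 'jdoe' is a
# hypothetical sAMAccountName, and the script runs on the DC as a domain admin.
param(
    [string]$CertFile = 'C:\tmp\myuser.cer',
    [string]$SamAccountName = 'jdoe'
)

function ConvertTo-AltSecIdDn([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$dn) {
    # UseNewLines gives one RDN per line in encoded (root-first) order, which is what
    # altSecurityIdentities expects, and stays correct for values that contain commas
    $flags = [System.Security.Cryptography.X509Certificates.X500DistinguishedNameFlags]::UseNewLines
    $rdns = $dn.Decode($flags) -split "`r?`n" | Where-Object { $_ -ne '' }
    $rdns -join ','
}

function Get-AltSecurityIdentity([string]$file) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file)
    'X509:<I>' + (ConvertTo-AltSecIdDn $cert.IssuerName) + '<S>' + (ConvertTo-AltSecIdDn $cert.SubjectName)
}

function Find-UserBySam([string]$sam) {
    # Searches the current domain; $sam is trusted input in this lab (no LDAP filter escaping)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User $sam not found" }
    $result.GetDirectoryEntry()
}

$mapping = Get-AltSecurityIdentity $CertFile
$user = Find-UserBySam $SamAccountName

$existing = @($user.Properties['altSecurityIdentities'])
if ($existing -notcontains $mapping) {
    # Add() appends, so mappings already present on the account (other cards) are kept
    $user.Properties['altSecurityIdentities'].Add($mapping) | Out-Null
    $user.CommitChanges()
}

"altSecurityIdentities for $SamAccountName :"
@($user.Properties['altSecurityIdentities']) | ForEach-Object { "  $_" }
```

Because the mapping names both issuer and subject, a certificate from another Citizen CA with the same subject will not match; that is the property you want, since every Belgian citizen's card chains to a CA that is now in your NTAuth store.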
Reboot both machines and test from the "Insert smartcard" logon screen! If the logon fails, look first at the Kerberos-Key-Distribution-Center events in the System log of the DC.