Active Directory authentication with BE eID Smartcard
This guide explains how to configure Active Directory so that the Belgian eID smartcard can be used as an
authentication token.


Why this?
More and more countries are deploying smartcard systems that could be used to authenticate a user.
I'm sure you are tired of remembering so many passwords and of the lack of security that comes with
them (overly simple passwords, helpdesk nightmares, password resets with sometimes very simplistic
reset rules...).

Deploying hardware tokens has become usual in many companies, but it requires investment. So why not
use the smartcard that is already in your wallet? This document explains how to use the Belgian
identity card and its PIN to authenticate a user.

Using the BE eID card is not trivial, because these cards do not carry some of the information Windows
normally expects (i.e. UPN, AT_KEYEXCHANGE, EKU), and CRL checking can also be difficult.

This document must be used as lab documentation, to do a proof of concept, not in production!
Changing or implementing your PKI infrastructure is at your own risk. This document only reflects
our own setup, built to get evidence that using the BE eID card for NT domain authentication is feasible.

Note that some non-domain authentication software is available on the web:

          http://www.mysmartlogon.com/products/eidauthenticate.html

          http://code.google.com/p/eid-applet/

We apologize, but the screenshots will be in French.


Material needed:
- Recommended: Windows 7 and Windows 2008 R2 (Windows Vista and Windows 2008 are the minimum)
- Windows 2008 R2 Enterprise (here is the link to a trial):
  http://www.microsoft.com/windowsserver2008/en/us/trial-software.aspx
- Belgian eID (identity card) and its associated software (on server and client):
  www.eid.be (eID framework, e.g. version 3.5.4)
- A certificate already deployed on your Domain Controller (we recommend using the Microsoft
  Certification Authority; see later in the doc)
- Two BE eID smartcard readers (e.g. ACR 38 U)




        André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.
Part 1 : Setup of a Test Windows Domain

- Run the Windows 2008 R2 setup.
- Make your initial logon and apply all security updates.
- Run DCPROMO and create a dedicated, isolated domain for this lab.
- At the end of DCPROMO and after the reboot you have a new forest and a DNS server running
  on your lab test server.
- Install a Windows 7 client (e.g. the test drive business edition).
- Join this Windows 7 machine to the domain.
- Install the BE eID framework on all machines.


Part 2 : Installing Microsoft Certification Authority

- These steps are to be performed on your DC.
- Microsoft Certification Authority is a role you need to add on your server.
  o During the process you will have to choose:
    - Select Root Authority
    - Select an Enterprise CA (this will be helpful for future labs we will provide later)
- Obtain a certificate for your DC:
  o Run MMC and add the Certificates snap-in for the local "Computer Account"
  o Open the "Personal" folder -> Certificates
  o Right-click on Certificates and select Request a new certificate:




- Next, and select an Active Directory policy:




- Select and Next; then select the following roles:




- At the end, perform a reboot.

- If you have not correctly followed these steps, an event ID 19 will be logged on your DC and
  logon with the smartcard will fail, stating that your account is not configured for smart card
  authentication.
  This is because PKINIT authentication with the DC is not possible without a certificate on the
  DC (in real life each DC will require such a certificate...).
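As an added example (not part of the original guide), this PowerShell snippet checks on the DC whether the certificate requested in Part 2 is actually present and usable by the KDC, and pulls the event ID 19 the guide names as the symptom when it is missing. The EKU OIDs and the KDC event provider name are standard Windows values, not taken from the guide.

```powershell
# Added example (not part of the original guide): on the DC, check that the computer's
# Personal store holds a certificate the KDC can use for PKINIT (the certificate requested
# in Part 2) and look for the KDC event ID 19 that appears when it is missing.
# OIDs: 1.3.6.1.5.2.3.5 = KDC Authentication, 1.3.6.1.5.5.7.3.1 = Server Authentication
# (the EKU the legacy "Domain Controller" template carries).

$KdcEkuOids = @('1.3.6.1.5.2.3.5', '1.3.6.1.5.5.7.3.1')

function Get-DcLogonCertificate {
    # Valid, private-key-backed certificates in LocalMachine\My carrying a usable EKU.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $KdcEkuOids -contains $_.ObjectId })
    } | Select-Object Subject, Issuer, NotAfter, Thumbprint,
        @{ Name = 'EKU'; Expression = { ($_.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join ', ' } }
}

function Get-KdcEvent19 {
    # The guide's symptom: event ID 19 from the KDC when no suitable certificate exists.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id = 19
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ Name = 'Message'; Expression = { $_.Message.Split("`n")[0] } }
}

$certs = @(Get-DcLogonCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No PKINIT-capable certificate in LocalMachine\My: smart card logon will fail (see event ID 19 below).'
} else {
    Write-Host "Found $($certs.Count) candidate DC certificate(s):"
    $certs | Format-List
    # The issuing CA must also be in NTAuth, otherwise clients reject the KDC certificate.
    $certs | ForEach-Object { Write-Host ("  issuer (must be in NTAuth): {0}" -f $_.Issuer) }
}
Get-KdcEvent19 | Format-Table -AutoSize
```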



Part 3 : Tuning the Domain Controller and the client to accept a BE eID card


Step 1 - Domain Policy:


- Set up your domain default policy (look here to locate the settings and see which ones are to be set):




- After they have been applied (e.g. with GPUpdate) you will have the following registry key (on
  both DC and client):

      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]

      "AllowCertificatesWithNoEKU"=dword:00000001

      "AllowSignatureOnlyKeys"=dword:00000001

      "ForceReadingAllCertificates"=dword:00000001

Step 2 : Customize the registry


      These steps are needed to ensure the BE eID card specificities are accepted for authentication.

- On the client and DC, configure the registry as follows:


      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]

      "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001


"CRLTimeoutPeriod"=dword:00000001

- On the Domain Controller only, as follows:

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc]

        "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001

        "SCLogonEKUNotRequired"=dword:00000001



        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]

        "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
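Every value in Part 3 disables a check that Windows smart card logon normally performs, so a machine carrying them should be easy to spot. As an added example (not from the guide), this PowerShell script reads the Step 1 and Step 2 values on the machine it runs on, says what each one gives up, and can remove them again once the lab is over; the risk descriptions are my summary of what each setting does, not text from the guide.

```powershell
# Added example (not part of the original guide): audit the smart card logon relaxations
# that Part 3 puts in place on a DC or client, and optionally revert them to the defaults.
# Run from an elevated PowerShell on the machine being checked.

$SmartCardPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
$KerberosClient  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$Kdc             = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

# Each entry: registry path, value name, and what accepting it costs (defender's view).
$checks = @(
    @{ Path = $SmartCardPolicy; Name = 'AllowCertificatesWithNoEKU'
       Risk = 'certificates without the Smart Card Logon EKU are offered for logon' },
    @{ Path = $SmartCardPolicy; Name = 'AllowSignatureOnlyKeys'
       Risk = 'signature-only keys (no AT_KEYEXCHANGE) are accepted for logon' },
    @{ Path = $SmartCardPolicy; Name = 'ForceReadingAllCertificates'
       Risk = 'every certificate on the card is read, not only logon certificates' },
    @{ Path = $KerberosClient;  Name = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'
       Risk = 'client treats "revocation unknown" as not revoked and uses cached CRLs only' },
    @{ Path = $KerberosClient;  Name = 'CRLTimeoutPeriod'
       Risk = 'CRL retrieval gives up after a very short timeout' },
    @{ Path = $Kdc;             Name = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'
       Risk = 'KDC treats "revocation unknown" as not revoked and uses cached CRLs only' },
    @{ Path = $Kdc;             Name = 'SCLogonEKUNotRequired'
       Risk = 'KDC no longer requires the Smart Card Logon EKU on the user certificate' }
)

function Get-SmartCardLabRelaxation {
    # Reads one registry value; a missing key or value means the default is in effect.
    param([hashtable]$Check)
    $value = $null
    if (Test-Path $Check.Path) {
        $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($item) { $value = $item.($Check.Name) }
    }
    [pscustomobject]@{
        Path    = $Check.Path
        Name    = $Check.Name
        Value   = $value
        Relaxed = ($null -ne $value -and $value -ne 0)
        Risk    = $Check.Risk
    }
}

function Invoke-SmartCardLabAudit {
    param([switch]$Revert)   # -Revert deletes the values so the defaults apply again
    $results = foreach ($c in $checks) { Get-SmartCardLabRelaxation -Check $c }
    $results | Format-Table Name, Value, Relaxed -AutoSize | Out-String | Write-Host

    $relaxed = @($results | Where-Object Relaxed)
    if ($relaxed.Count -eq 0) {
        Write-Host ("No smart card logon relaxations found on {0}; defaults in effect." -f $env:COMPUTERNAME)
        return
    }
    Write-Warning ("{0} lab relaxation(s) active on {1}:" -f $relaxed.Count, $env:COMPUTERNAME)
    foreach ($r in $relaxed) {
        Write-Warning (" - {0}\{1} = {2}: {3}" -f $r.Path, $r.Name, $r.Value, $r.Risk)
        if ($Revert) {
            Remove-ItemProperty -Path $r.Path -Name $r.Name
            Write-Host "   removed (default restored)"
        }
    }
    if (-not $Revert) {
        Write-Host "Run with -Revert to remove them once the lab is finished. Values pushed by the"
        Write-Host "Step 1 GPO come back at the next policy refresh until the GPO itself is changed."
    }
}

Invoke-SmartCardLabAudit
```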


Part 4 : Import the Belgian certification authorities
        Currently there is not just one eID authority; you need 3 in fact (because since 17 October
        2008 a new authority has been deployed).

        - You will have one for the root, called: Belgian Root CA
        - And 2 with the name: Citizen CA (2 because of this re-deployment; in this doc we
          assume the one you get is the one your card uses)

Step 1 : Export the authority's public key certificate (.cer)
For these steps the easiest way is to export them to files with the eID Viewer.

- Put a card into the reader and launch the eID Viewer -> go to the Certificates tab




- Click on Root (1), then click Details (1a)




- Click on the Details tab




- Click on the "Copy to File..." button




- Save it, e.g. in C:\tmp, with the name "Belgian Root CA.cer"
- Redo these steps for the Citizen CA (see the screenshot above, the blue (2) and (2a)), but
  save it as "Citizen CA.cer"
- At this step you have exported the public keys of 2 of the 3 Belgian authorities. These are to be
  imported into your infrastructure to get them recognized as trusted.



Step 2 : Import them into your systems


Import them onto your DC and client.

       Please note that you can use a GPO for this task; see:

       http://support.microsoft.com/kb/281245



- Copy these 2 files (.cer), e.g. into c:\tmp


- Run CMD.exe with administrative privileges (right-click and "Run as administrator"!!!).
- Go to c:\tmp
- Run the following commands:
     o C:\tmp>certutil -addstore ROOT "Belgian Root CA.cer"
     o C:\tmp>certutil -addstore CA "Citizen CA.cer"

Step 3 : Register these authorities as NTAuthCA
Look here for more info: http://support.microsoft.com/kb/295663/

Go back onto your DC ONLY with the admin CMD.

- Run CMD.exe with administrative privileges (right-click and "Run as administrator"!!!).
- Go to c:\tmp
- Run the following commands:
     o C:\tmp>certutil -dspublish -f "Belgian Root CA.cer" NTAuthCA
     o C:\tmp>certutil -dspublish -f "Citizen CA.cer" NTAuthCA


Part 5 : User configuration and certificate mapping

Step 1 : Export your user certificate


Use the same process as in Part 4, Step 1. You will export your own user certificate and store it
as c:\tmp\myuser.cer (take the "Authentication certificate").




Step 2 : Configure the certificate for your user


- Open Active Directory Users and Computers.
- Enable "Advanced Features" (View menu).




- Right-click the user you want to map this card to and choose Name Mappings.




Select the certificate you want to map (e.g. c:\tmp\myuser.cer)




Reboot both machines and test from the "Insert smartcard" logon screen!
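Before importing and mapping, it pays to look at what was actually exported in Part 4 and Part 5 and to confirm afterwards that the DC ended up in the state the guide describes. As an added example (not from the guide), this PowerShell script inspects the three .cer files, builds the chain from the user certificate to the exported Belgian Root CA offline, checks that both CAs reached NTAuth after Part 4 Step 3, and lists every account mapping the Name Mappings dialog of Part 5 wrote. The directory and myuser.cer follow the guide; the altSecurityIdentities format (X509:<I>issuer<S>subject) and the KB5014754 note are my additions.

```powershell
# Added example (not part of the original guide): sanity-check the certificates exported
# in Part 4 / Part 5, verify the chain and the NTAuth registration, and list the
# certificate-to-account mappings. Paths follow the guide ($Dir is an assumption).

$Dir  = 'C:\tmp'
$X509 = 'System.Security.Cryptography.X509Certificates'

function Read-Cert {
    param([string]$Path)
    New-Object "$X509.X509Certificate2" -ArgumentList $Path
}

function Get-Eku {
    # Friendly names of the Extended Key Usage extension (2.5.29.37), or "(none)".
    param($Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return '(none)' }
    ($ext.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
}

$root    = Read-Cert (Join-Path $Dir 'Belgian Root CA.cer')
$citizen = Read-Cert (Join-Path $Dir 'Citizen CA.cer')
$user    = Read-Cert (Join-Path $Dir 'myuser.cer')

foreach ($c in $root, $citizen, $user) {
    [pscustomobject]@{ Subject = $c.Subject; Issuer = $c.Issuer; NotAfter = $c.NotAfter
                       Thumbprint = $c.Thumbprint; EKU = (Get-Eku $c) } | Format-List
}
# The eID authentication certificate normally shows no Smart Card Logon EKU: that is
# exactly what the Part 3 relaxations work around.

# 1. Does the user certificate chain through the exported Citizen CA to the exported root?
#    Built offline from the two files only; revocation is left to the KDC here.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$chain.ChainPolicy.ExtraStore.Add($root)    | Out-Null
$chain.ChainPolicy.ExtraStore.Add($citizen) | Out-Null
$built = $chain.Build($user)
$top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($built -and $top.Thumbprint -eq $root.Thumbprint) {
    Write-Host 'OK: user certificate chains to the exported Belgian Root CA'
} else {
    Write-Warning 'User certificate does NOT chain to the exported root:'
    $chain.ChainStatus | ForEach-Object { Write-Warning ("  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim()) }
}

# 2. Are both CAs registered in NTAuth (certutil -dspublish ... NTAuthCA, Part 4 Step 3)?
#    Reads the enterprise NTAuth store and compares SHA-1 thumbprints.
$ntauthText   = (certutil -enterprise -store NTAuth 2>&1) -join "`n"
$ntauthHashes = [regex]::Matches($ntauthText, 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)') |
                ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpper() }
foreach ($ca in $root, $citizen) {
    $cn = $ca.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($ntauthHashes -contains $ca.Thumbprint) { Write-Host "OK: '$cn' is in NTAuth" }
    else { Write-Warning "'$cn' is NOT in NTAuth; smart card logon will be refused" }
}

# 3. Which accounts carry a certificate mapping, and do they point at the Citizen CA?
#    The Name Mappings dialog stores X509:<I>issuerDN<S>subjectDN in altSecurityIdentities.
#    Needs a domain-joined machine. Issuer/Subject mappings count as weak under later
#    Windows updates (KB5014754), so each one listed here deserves a review.
$citizenCn = $citizen.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$searcher  = [adsisearcher]'(&(objectCategory=person)(altSecurityIdentities=*))'
$searcher.PropertiesToLoad.Add('sAMAccountName')        | Out-Null
$searcher.PropertiesToLoad.Add('altSecurityIdentities') | Out-Null
foreach ($r in $searcher.FindAll()) {
    $sam = $r.Properties['samaccountname'][0]
    foreach ($m in $r.Properties['altsecurityidentities']) {
        $note = if ($m -like "X509:<I>*$citizenCn*<S>*") { 'issuer = Citizen CA' }
                else { 'REVIEW: unexpected issuer or mapping format' }
        Write-Host ("{0,-20} {1}  [{2}]" -f $sam, $m, $note)
    }
}
```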





More Related Content

Viewers also liked

Becta Research Conference Sept. 2007
Becta Research Conference Sept. 2007 Becta Research Conference Sept. 2007
Becta Research Conference Sept. 2007 Mike Sharples
 
Keywords Marzo Abril2007
Keywords Marzo Abril2007Keywords Marzo Abril2007
Keywords Marzo Abril2007guest0b2315
 
Tegurdamine
TegurdamineTegurdamine
Tegurdamineandresta
 
A,E,J &J Presentation
A,E,J &J PresentationA,E,J &J Presentation
A,E,J &J Presentationguest1b1543
 
Rollbase Mobile Tech Tips
Rollbase Mobile Tech TipsRollbase Mobile Tech Tips
Rollbase Mobile Tech TipsProgress
 
PATTY: A Taxonomy of Relational Patterns with Semantic Types
PATTY: A Taxonomy of Relational Patterns with Semantic TypesPATTY: A Taxonomy of Relational Patterns with Semantic Types
PATTY: A Taxonomy of Relational Patterns with Semantic TypesAkihiro Kameda
 
Physicsjeopardy
PhysicsjeopardyPhysicsjeopardy
Physicsjeopardykitcoffeen
 
Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)siouxhotornot
 

Viewers also liked (17)

Booting from VHD
Booting from VHDBooting from VHD
Booting from VHD
 
What Are Dreams
What Are DreamsWhat Are Dreams
What Are Dreams
 
Becta Research Conference Sept. 2007
Becta Research Conference Sept. 2007 Becta Research Conference Sept. 2007
Becta Research Conference Sept. 2007
 
FunHalo
FunHaloFunHalo
FunHalo
 
Ruta
Ruta Ruta
Ruta
 
Keywords Marzo Abril2007
Keywords Marzo Abril2007Keywords Marzo Abril2007
Keywords Marzo Abril2007
 
Tegurdamine
TegurdamineTegurdamine
Tegurdamine
 
Esitlus
EsitlusEsitlus
Esitlus
 
Creation
CreationCreation
Creation
 
Rombus
RombusRombus
Rombus
 
Chembond
ChembondChembond
Chembond
 
Creation
CreationCreation
Creation
 
A,E,J &J Presentation
A,E,J &J PresentationA,E,J &J Presentation
A,E,J &J Presentation
 
Rollbase Mobile Tech Tips
Rollbase Mobile Tech TipsRollbase Mobile Tech Tips
Rollbase Mobile Tech Tips
 
PATTY: A Taxonomy of Relational Patterns with Semantic Types
PATTY: A Taxonomy of Relational Patterns with Semantic TypesPATTY: A Taxonomy of Relational Patterns with Semantic Types
PATTY: A Taxonomy of Relational Patterns with Semantic Types
 
Physicsjeopardy
PhysicsjeopardyPhysicsjeopardy
Physicsjeopardy
 
Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)
 

Similar to AD authentication with be eID

2018. 03 mb sd connect c4 c5 xentry start key activation
2018. 03 mb sd connect c4 c5 xentry start key activation2018. 03 mb sd connect c4 c5 xentry start key activation
2018. 03 mb sd connect c4 c5 xentry start key activationtasha ou
 
Using IBM Blockchain Platform (November 2019)
Using IBM Blockchain Platform (November 2019)Using IBM Blockchain Platform (November 2019)
Using IBM Blockchain Platform (November 2019)Matt Lucas
 
Validating A Product Key In A Vs
Validating A Product Key In A VsValidating A Product Key In A Vs
Validating A Product Key In A VsRaj Chanchal
 
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)MongoDB
 
Control relay via schedule time
Control relay via schedule timeControl relay via schedule time
Control relay via schedule timetopomax
 
Authenticate and authorize your IIoTdevices
Authenticate and authorize your IIoTdevicesAuthenticate and authorize your IIoTdevices
Authenticate and authorize your IIoTdevicesteam-WIBU
 
Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Brent Muir
 
Handson1 6 federp
Handson1 6 federpHandson1 6 federp
Handson1 6 federpfederpmatc
 
User id installation and configuration
User id installation and configurationUser id installation and configuration
User id installation and configurationAlberto Rivai
 
Session 10 Tp 10
Session 10 Tp 10Session 10 Tp 10
Session 10 Tp 10githe26200
 
Ammar hasayen microsoft ILM/FIM 2007 guide
Ammar hasayen   microsoft ILM/FIM 2007 guideAmmar hasayen   microsoft ILM/FIM 2007 guide
Ammar hasayen microsoft ILM/FIM 2007 guideAmmar Hasayen
 
Training Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183xTraining Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183xAbdelilah CHARBOUB
 
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)Rajesh Anbalagan
 
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...Protect724tk
 
SH 2 - SES 1 - Stitch_Workshop_TLV.pptx
SH 2 - SES 1 - Stitch_Workshop_TLV.pptxSH 2 - SES 1 - Stitch_Workshop_TLV.pptx
SH 2 - SES 1 - Stitch_Workshop_TLV.pptxMongoDB
 
Actor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active DirectoryActor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active Directoryprotect724rkeer
 
A step by step guide to develop temperature sensor io t application using ibm...
A step by step guide to develop temperature sensor io t application using ibm...A step by step guide to develop temperature sensor io t application using ibm...
A step by step guide to develop temperature sensor io t application using ibm...Azilen Technologies Pvt. Ltd.
 

Similar to AD authentication with be eID (20)

2018. 03 mb sd connect c4 c5 xentry start key activation
2018. 03 mb sd connect c4 c5 xentry start key activation2018. 03 mb sd connect c4 c5 xentry start key activation
2018. 03 mb sd connect c4 c5 xentry start key activation
 
Using IBM Blockchain Platform (November 2019)
Using IBM Blockchain Platform (November 2019)Using IBM Blockchain Platform (November 2019)
Using IBM Blockchain Platform (November 2019)
 
Validating A Product Key In A Vs
Validating A Product Key In A VsValidating A Product Key In A Vs
Validating A Product Key In A Vs
 
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
 
Control relay via schedule time
Control relay via schedule timeControl relay via schedule time
Control relay via schedule time
 
Using idoc method in lsmw
Using idoc method in lsmwUsing idoc method in lsmw
Using idoc method in lsmw
 
Azure hands on lab
Azure hands on labAzure hands on lab
Azure hands on lab
 
Authenticate and authorize your IIoTdevices
Authenticate and authorize your IIoTdevicesAuthenticate and authorize your IIoTdevices
Authenticate and authorize your IIoTdevices
 
Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)
 
Handson1 6 federp
Handson1 6 federpHandson1 6 federp
Handson1 6 federp
 
Microsoft Lync Server 2010 Installation
Microsoft Lync Server 2010 InstallationMicrosoft Lync Server 2010 Installation
Microsoft Lync Server 2010 Installation
 
User id installation and configuration
User id installation and configurationUser id installation and configuration
User id installation and configuration
 
Session 10 Tp 10
Session 10 Tp 10Session 10 Tp 10
Session 10 Tp 10
 
Ammar hasayen microsoft ILM/FIM 2007 guide
Ammar hasayen   microsoft ILM/FIM 2007 guideAmmar hasayen   microsoft ILM/FIM 2007 guide
Ammar hasayen microsoft ILM/FIM 2007 guide
 
Training Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183xTraining Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183x
 
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)
 
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
 
SH 2 - SES 1 - Stitch_Workshop_TLV.pptx
SH 2 - SES 1 - Stitch_Workshop_TLV.pptxSH 2 - SES 1 - Stitch_Workshop_TLV.pptx
SH 2 - SES 1 - Stitch_Workshop_TLV.pptx
 
Actor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active DirectoryActor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active Directory
 
A step by step guide to develop temperature sensor io t application using ibm...
A step by step guide to develop temperature sensor io t application using ibm...A step by step guide to develop temperature sensor io t application using ibm...
A step by step guide to develop temperature sensor io t application using ibm...
 

Recently uploaded

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Recently uploaded (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

AD authentication with be eID

  • 1. Active Directory authentication with BE eID Smartcard This guide explains how to configure an ActiveDirectory to enable Be eID Smartcard as authentication token. Why this ? More and more countries are deploying smartcard systems that could be used to authenticate a user. I’m sure you are tired to remember so many password and the lack of security caused (most simple password, helpdesk nightmare, reset password with sometimes very simplistic reset rules …) Deploying HW token become usual in many company but this require investment. So why not using already available smartcard in your wallet. This document will explain how to used the Belgian identity card and PIN to authenticated a user. Using BE eID card is not so trivial because these Card didn’t use some pre-requisite information (ie UPN, AT_KEYEXCHANGE, EKU) and the CRL can also be difficult. This document must be used as a Lab. Documentation, to do a proof of concept not used in production ! Changing or implementing your PKI infra is at your own risk. This document only reflect our own setup to get the evidence that using BE-eID-Card for NT Domain authentication is feasible. You can notice that some non-domain authentication software are available on the web: http://www.mysmartlogon.com/products/eidauthenticate.html http://code.google.com/p/eid-applet/ We apologize, but Print -Screen will be in French. Material needed :  Recommended Windows 7 and Windows 2008 R2 (Windows Vista, and Windows 2008 is the minimum)  The Windows 2008 R2 Enterprise (here the link to a trial) http://www.microsoft.com/windowsserver2008/en/us/trial-software.aspx  Belgium eID (identity card) and associated software (on Server and Client) www.eid.be (eid framework ie ver 3.5.4)  Certificate already deployed on your Domain Controller (we recommend to used Microsoft Certification Authority, see later in the doc.)  Two BE eID Smartcard reader (ie. 
ACR 38 U) André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.
  • 2. Part 1 : Setup of a Test Windows Domain  Run the Windows 2008 R2 Setup  Make you initial logon and perform all security update  Run your DCPROMO and create a dedicated and isolated domain for this lab.  At the end of the DCPROMO and after the reboot you have a new Forest and a DNS Running onto your test server lab.  Install a Windows 7 Client (ie. Test drive business edition))  Join this Windows 7 to the domain  Install the BE EID framework on all machine Y Part 2 : Installing Microsoft Certification Authority  These step are to perform on your DC.  Microsoft Certification Authority is a Role you need to add on your server. o During the Process you will have to choose for a :  Select Root Authority  And Select an Enterprise CA (this will be helpful for future lab. We will provide later)  Obtain a Certificate for you DC o Runn MMC add the certificate Snapp-in for the Local “Computer Account” o Open the ” Personal” folder -> Certificates o Right Click on certificate and Request a new certificate : André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.
  • 3.  Next and Select an Active Directory plocicy :  Select and Next, After Select the following roles :  At the end perform a reboot  If you have not correctly followed these steps, an event ID 19 will be logged into your DC and Login with Smartcard will failed stating that your account is not configured for Smart Card authentication. This is due to the fact that PKI Init (authentication with the DC is not feasible due to the lack of the certificate on the DC, in real live each DC will require a such certificate…) André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.
  • 4. Part 3: Tuning the domain controller and the client to accept a BE eID card
  Step 1 - Domain policy:
    - Set up your domain default policy (look here to locate the settings and see which ones are to be set).
    - After they are applied (e.g. GPUpdate) you will have the following registry values (on both DC and client):
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
      "AllowCertificatesWithNoEKU"=dword:00000001
      "AllowSignatureOnlyKeys"=dword:00000001
      "ForceReadingAllCertificates"=dword:00000001
  Step 2: Customize the registry
  These steps are needed to ensure the BE eID card specificities (no EKU, signature-only key, CRL handling) are accepted for authentication.
    - On the client and the DC, configure the registry as follows:
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
      "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
  • 5.
      "CRLTimeoutPeriod"=dword:00000001
    - On the domain controller only, as follows:
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc]
      "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
      "SCLogonEKUNotRequired"=dword:00000001
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
      "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
  Part 4: Import the Belgian certification authority certificates
  Currently there is not only one set of eID authorities; you need 3 in fact (because since 17 October 2008 a new authority has been deployed).
    - You will have one for the root, called: Belgian Root CA
    - And 2 with the name: Citizen CA (2 because of this new re-deployment; in this doc we will assume the one you get is the one you use)
  Step 1: Export the public key of the authority certificates (.cer)
  For these steps the easiest is to export them into files from the eID Viewer.
    - Put a card into the reader, launch the eID Viewer and go to the certificates tab.
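  The registry settings of Part 3, applied and verified from PowerShell instead of by hand. This is an added example and not part of the original guide. It assumes an elevated PowerShell prompt (2.0 or later) on the DC or the client; the DomainRole test at the bottom decides whether the Kdc-only values apply. The three SmartCardCredentialProvider values are policy keys owned by the GPO from Step 1, so the script only reports on them and never writes them.

```powershell
# Added example (not from the original guide): apply and verify the Part 3 settings.
# Assumptions: elevated PowerShell (2.0 or later is enough); the DomainRole test below
# decides whether the Kdc-only values apply on this machine.

function Get-EidRegistrySettings {
    param([bool]$IsDomainController)

    $scp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
    $kerb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $kdc  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

    # Write=$false: policy values owned by the GPO of Step 1; checked here, never written.
    # DcOnly=$true: the Kdc service exists on the domain controller only.
    $all = @(
        @{ Path=$scp;  Name='AllowCertificatesWithNoEKU';                       Value=1; Write=$false; DcOnly=$false },
        @{ Path=$scp;  Name='AllowSignatureOnlyKeys';                           Value=1; Write=$false; DcOnly=$false },
        @{ Path=$scp;  Name='ForceReadingAllCertificates';                      Value=1; Write=$false; DcOnly=$false },
        @{ Path=$kerb; Name='UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'; Value=1; Write=$true;  DcOnly=$false },
        @{ Path=$kerb; Name='CRLTimeoutPeriod';                                 Value=1; Write=$true;  DcOnly=$false },
        @{ Path=$kdc;  Name='UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'; Value=1; Write=$true;  DcOnly=$true  },
        @{ Path=$kdc;  Name='SCLogonEKUNotRequired';                            Value=1; Write=$true;  DcOnly=$true  }
    )
    $all | Where-Object { $IsDomainController -or -not $_.DcOnly }
}

function Set-EidRegistry {
    param([bool]$IsDomainController)
    foreach ($s in (Get-EidRegistrySettings $IsDomainController)) {
        if (-not $s.Write) { continue }
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        # -Type DWord gives the same dword:00000001 entries the guide lists.
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    }
}

function Test-EidRegistry {
    param([bool]$IsDomainController)
    foreach ($s in (Get-EidRegistrySettings $IsDomainController)) {
        $current = $null
        if (Test-Path $s.Path) {
            $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
            if ($item) { $current = $item.($s.Name) }
        }
        New-Object PSObject -Property @{
            Name    = $s.Name
            Key     = $s.Path
            Wanted  = $s.Value
            Current = $current
            Ok      = ($current -eq $s.Value)   # also $false while the GPO has not been applied yet
        }
    }
}

# DomainRole 4 = backup DC, 5 = primary DC (Win32_ComputerSystem); lower values are members.
$isDc = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4
Set-EidRegistry  -IsDomainController $isDc
Test-EidRegistry -IsDomainController $isDc | Format-Table Name, Wanted, Current, Ok, Key -AutoSize
```

  Run it once on the DC and once on the client; a row with Ok = False under the SmartCardCredentialProvider key means the domain policy of Step 1 has not reached that machine yet (run GPUpdate and check again). Keep in mind what UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors does: Kerberos will accept a certificate whose revocation status cannot be established, so a revoked card can still log on until a fresh CRL has been cached, which is why the guide limits this setup to a lab.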
  • 6.
    - Click on Root (1), then click Details (1a).
  • 7.
    - Click on the Details tab.
  • 8.
    - Click on the button "Copy to File ...".
    - Save it in, e.g., C:\tmp with the name "Belgian Root CA.cer".
    - Redo these steps for the Citizen CA (see the print-screen above, the blue (2) and (2a)), but save it as "Citizen CA.cer".
    - At this step you have exported the public key of 2 of the 3 Belgian authorities. These are to be imported into your infrastructure to get them recognized as trusted.
  Step 2: Import them into your systems
  Import them on your DC and client. Please note that you can use a GPO for this task, see: http://support.microsoft.com/kb/281245
    - Copy these 2 files (.cer), e.g. into C:\tmp
  • 9.
    - Run CMD.exe with administrative privilege (right-click and "Run as administrator"!!!).
    - Go to C:\tmp
    - Run the following commands:
      o C:\tmp>certutil -addstore ROOT "Belgian Root CA.cer"
      o C:\tmp>certutil -addstore CA "Citizen CA.cer"
  Step 3: Register these authorities as NTAuthCA
  Look here for more info: http://support.microsoft.com/kb/295663/
  Go back to your DC ONLY with the admin CMD.
    - Run CMD.exe with administrative privilege (right-click and "Run as administrator"!!!).
    - Go to C:\tmp
    - Run the following commands:
      o C:\tmp>certutil -dspublish -f "Belgian Root CA.cer" NTAuthCA
      o C:\tmp>certutil -dspublish -f "Citizen CA.cer" NTAuthCA
  Part 5: User configuration and certificate mapping
  Step 1: Export your user certificate
  Use the same process as in Part 4, Step 1. You will be able to export your own user certificate and store it in C:\tmp\myuser.cer (take the "Authentication" certificate).
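  The import and NTAuth publication of Part 4, followed by a check that the card's authentication certificate exported in Part 5 Step 1 now chains to the imported root. This is an added example and not part of the original guide. It assumes the files are in C:\tmp under the names used above, an elevated PowerShell on the DC, and certutil.exe for the NTAuth step (Windows 2008 R2 ships no PKI PowerShell module). The last function also reports the three card properties the guide works around: no EKU, a signature-only key usage, and no UPN in the subject alternative name.

```powershell
# Added example (not from the original guide): import the two authority certificates
# exported in Part 4 Step 1, publish them to NTAuth, and check that the card's
# authentication certificate (Part 5 Step 1) now chains to the trusted root.
# Assumptions: files in C:\tmp as named in the guide; elevated PowerShell on the DC;
# certutil.exe is used for NTAuth because Windows 2008 R2 ships no PKI PowerShell module.

$ns = 'System.Security.Cryptography.X509Certificates'

function Import-EidAuthority {
    param([string]$File, [string]$StoreName)   # 'Root' for Belgian Root CA, 'CA' for Citizen CA
    $cert  = New-Object "$ns.X509Certificate2" $File
    $store = New-Object "$ns.X509Store" $StoreName, 'LocalMachine'
    $store.Open('ReadWrite')                    # same effect as: certutil -addstore $StoreName $File
    try { $store.Add($cert) } finally { $store.Close() }
    $cert
}

function Publish-EidNtAuth {
    param([string]$File)
    # NTAuth lives in AD (CN=NTAuthCertificates), so this runs on the DC only, as in Step 3.
    & certutil.exe -dspublish -f $File NTAuthCA | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed for $File" }
}

function Test-EidUserCertificate {
    param([string]$File)
    $cert  = New-Object "$ns.X509Certificate2" $File
    $chain = New-Object "$ns.X509Chain"
    # Trust path only: revocation is exercised by the real logon (and relaxed by the Part 3 keys).
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # extendedKeyUsage
    $ku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }   # keyUsage
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $kuText = ''
    if ($ku) { $kuText = $ku.KeyUsages.ToString() }
    $hasUpn = $false
    if ($san) { $hasUpn = ($san.Format($false) -match 'Principal Name') }

    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        ChainTrusted = $trusted                  # $true once the root is in the LocalMachine Root store
        ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        ChainTop     = $top.Subject              # should read "Belgian Root CA"
        HasEku       = [bool]$eku                # $false => AllowCertificatesWithNoEKU / SCLogonEKUNotRequired
        KeyUsage     = $kuText                   # no KeyEncipherment => AllowSignatureOnlyKeys
        HasUpnSan    = $hasUpn                   # $false => explicit name mapping (Part 5) is required
    }
}

Import-EidAuthority 'C:\tmp\Belgian Root CA.cer' 'Root' | Out-Null
Import-EidAuthority 'C:\tmp\Citizen CA.cer'      'CA'   | Out-Null
Publish-EidNtAuth   'C:\tmp\Belgian Root CA.cer'
Publish-EidNtAuth   'C:\tmp\Citizen CA.cer'
Test-EidUserCertificate 'C:\tmp\myuser.cer' | Format-List
```

  If ChainTrusted stays False with a status of PartialChain, the Citizen CA in the CA store is not the one that issued your card (the guide's "2 of 3 authorities" remark): export the Citizen CA from the card actually used and import that one. On the client, run only the two Import-EidAuthority lines and the test; NTAuth publication belongs to the DC.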
  • 10. Step 2: Configure the certificate for your user
    - Open AD Users and Computers.
    - Enable "Advanced Features" in the View menu.
  • 11.
    - Right-click the user you want to map this card to and choose Name Mappings. Select the certificate you want to map (e.g. C:\tmp\myuser.cer).
  • 12. Reboot both and test under the "Insert smartcard" logon screen!
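  The name mapping of Part 5 done from PowerShell. The Name Mappings dialog stores an issuer-plus-subject string in the user's altSecurityIdentities attribute; this added example (not part of the original guide) builds that string from the exported certificate and sets it with the Active Directory module present on a 2008 R2 DC. C:\tmp\myuser.cer and the account name 'labuser' are placeholders, and the exact DN text .NET produces is an assumption: compare the output with what the dialog wrote on a user you mapped by hand before relying on it.

```powershell
# Added example (not from the original guide): produce the altSecurityIdentities value that
# the ADUC "Name Mappings" dialog writes, and set it with the Active Directory module
# (available on a 2008 R2 DC) instead of the GUI.
# Assumptions (placeholders): C:\tmp\myuser.cer is the exported authentication certificate
# and 'labuser' is the test account's sAMAccountName. The DN text produced by .NET may
# differ from the dialog's in attribute abbreviations; verify against a GUI-mapped user.

Import-Module ActiveDirectory

function ConvertTo-MappingDn {
    # .NET prints a DN most-specific first ("CN=..., C=BE"); the mapping string uses the
    # reverse order without spaces ("C=BE,CN=..."), which is how the dialog stores it.
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Dn)
    $rdns = @($Dn.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' })
    [array]::Reverse($rdns)
    $rdns -join ','
}

function Get-EidCertificateMappings {
    param([string]$File)
    $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $File
    $issuer  = ConvertTo-MappingDn $cert.IssuerName
    $subject = ConvertTo-MappingDn $cert.SubjectName
    # Serial number with the byte order reversed, as the <SR> tag expects.
    $hex   = $cert.SerialNumber
    $pairs = @(0..($hex.Length / 2 - 1) | ForEach-Object { $hex.Substring(2 * $_, 2) })
    [array]::Reverse($pairs)
    New-Object PSObject -Property @{
        # Issuer + subject: what the dialog writes; KB5014754 (2022) classes it as a weak mapping.
        IssuerSubject = "X509:<I>$issuer<S>$subject"
        # Issuer + reversed serial: a strong mapping for DCs that carry that update.
        IssuerSerial  = "X509:<I>$issuer<SR>$(-join $pairs)"
    }
}

function Set-EidUserMapping {
    param([string]$SamAccountName, [string]$Mapping)
    # -Add appends to the multi-valued attribute; use -Replace to drop earlier mappings.
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $Mapping }
    (Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities).altSecurityIdentities
}

$m = Get-EidCertificateMappings 'C:\tmp\myuser.cer'
$m | Format-List
Set-EidUserMapping -SamAccountName 'labuser' -Mapping $m.IssuerSubject
```

  A 2008 R2 DC only understands the issuer-plus-subject form, so that is what the usage line applies; on domain controllers that have received the KB5014754 certificate-mapping hardening, the issuer-plus-serial form is the one that survives enforcement, because a subject name can be reissued to another card while issuer and serial number identify one certificate.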