UNCLASSIFIED

DoD Public Key Enablement (PKE) Reference Guide
Enabling Smart Card Logon for Microsoft Windows Server 2012 Using DoD PKI

Contact: [email protected]
URL: https://iase.disa.mil/pki-pke/
URL: http://iase.disa.smil.mil/pki-pke/

Enabling Smart Card Logon for Microsoft Windows Server 2012 Using DoD Public Key Infrastructure (PKI)

27 September 2017
Version 2.0
DoD PKE Team



Revision History

Issue Date   Revision   Change Description
2/12/13      1.0        Initial Document Developed
8/26/13      1.1        GrabDCInfo.vbs script and SIPRNet NSS PKI URLs were added
10/30/13     1.2        Updated version of GrabDCInfo.vbs script and certificate procedures
6/27/14      1.3        Updated formatting in Appendix D
8/11/14      1.4        Updated InstallRoot instructions to reflect newest version
10/14/14     1.5        Updated instructions to use script to generate certificate request and use InstallRoot to update NTAuth store
9/27/17      2.0        Updated CA URLs and some images


Contents

Introduction
  Purpose
  Scope
Background
Planning and Preparation
  Install the Certification Authority (CA) Trust Anchors
  Publish DoD PKI Certificates to the Active Directory NTAuth Store Using InstallRoot
Domain Controller Certificate Installation
  Obtain the Domain Controller Certificate Request Generation Script
  Generate the Certificate Request on the Domain Controller
  Submit the DC Certificate Request
  Retrieve the DC Certificate Request
  Install the DC Certificate
  Verify the DC Certificate
Enabling Smart Card Logon
  Alternative User Principal Name Suffix
  User Accounts
    Multiple Account Use Cases
    Remote Access
    Manually Remapping Existing Users who currently authenticate via username/password
    Manually Creating New Users
Setting Domain- or Organizational Unit (OU)-Level Group Policy
  Smart Card Removal Behavior
  Requiring the Use of Smart Cards for Domain Logon
User Workstations
  Smart Card Readers
  Smart Card Middleware
  Certificate Validation Software
Appendix A: Acronyms and Abbreviations
Appendix B: Distinguished Name Mapping
  Mapping Certificates Using the Distinguished Name
  Configure Group Policy for Client Workstations
Appendix C: Certificate Validation Options
Appendix D: GrabDCInfoV2.vbs
Appendix E: Configure Smart Card Logon for Approved External PKIs
  Direct Trust
    NTAuth Store Update
  Cross-Certificate Trust
  Mapping Users from DoD-Approved External PKIs
    Adding the Alternate Suffix
    Mapping the User
  Certificate Validation of External PKIs
    If intended partner PKI implements AIA OCSP
    If OCSP is not an option
Appendix F: Manually Publishing DoD PKI Certificates to the Active Directory NTAuth Store
Appendix G: Manually Generate Domain Controller Certificate Request
  Generate the Certificate Request on the Domain Controller
Appendix H: Support and Information
  Website
  Technical Support
Appendix I: References


Introduction

The DoD Public Key Enablement (PKE) reference guides are developed to help organizations augment their security posture through the use of the DoD and National Security Systems (NSS) Public Key Infrastructures (PKI). The PKE reference guides contain procedures for enabling products and associated technologies to leverage the security services offered by the DoD and NSS PKIs.

Purpose

The procedures in this document guide the reader in configuring Windows Server 2012 for smart card logon (SCL). The information provided is a guide based on DoD best practices; however, users should consult with their organization's PKI help desk to determine organization-specific guidelines.

Scope

This document is intended for all users of PKI technologies. No in-depth knowledge of PKI is required. Some experience installing and configuring software on Windows platforms is helpful when reading this guide. Administrative privileges will be required. It is assumed that the server is configured as a domain controller for an established Active Directory domain.


Background

Smart card logon provides a cryptography-based logon method using DoD PKI keys and certificates. This logon method is a two-factor authentication mechanism using something you have, the smart card, and something you know, the smart card PIN.

As part of the DoD Instruction (DoDI) 8520.02 requirement to properly secure DoD information systems and networks, the enterprise must Public Key-enable network access. This requires that all local and remote access be authenticated using approved DoD PKI credentials. This may require deployment of new hardware and software, and requires special configuration of Active Directory and other remote access technologies such as Virtual Private Networks (VPNs), if deployed.


Planning and Preparation

Install the Certification Authority (CA) Trust Anchors

The most current root certificates must be installed on both servers and workstations. InstallRoot is a utility that manages certificates for DoD and NSS trusted root and intermediate CAs on Microsoft servers and workstations.

Unclassified/NIPRNet systems:

Download, install, and run the NIPRNet InstallRoot application.

1) Open a web browser, navigate to https://iase.disa.mil/pki-pke, and select Tools.

2) Download the latest Windows Installer (MSI) version of InstallRoot under the heading labeled Trust Store Management.

3) Execute the InstallRoot installation tool.

NOTE: Administrative rights are required when installing the InstallRoot application under the C:\Program Files\ location on the system.

4) Run the tool as an administrator to install the DoD NIPRNet certificates into the Windows/Internet Explorer local machine trust store.

NOTE: Refer to the InstallRoot User Guide for installation and configuration instructions for InstallRoot. This guide is located on the DoD PKE website at https://iase.disa.mil/pki-pke under Tools > Trust Store Management.

Secret/SIPRNet systems:

Download the InstallRoot SIPR Windows Installer to install the SIPRNet/NSS root and intermediate CA certificates. The download is available on SIPRNet URL http://iase.disa.smil.mil/pki-pke/ under Tools > Trust Store Management. Additional information is available in the InstallRoot User Guide in the same location.

Once the tool is downloaded, execute similar steps as mentioned in the above Unclassified/NIPRNet systems section.

Publish DoD PKI Certificates to the Active Directory NTAuth Store Using InstallRoot

Active Directory has an additional certificate store called NTAuth. The certificates that get installed in the Active Directory NTAuth store are then replicated to the local NTAuth store on the domain controllers. The domain controllers must have the intermediate and root CA certificates installed in their local NTAuth store in order to allow smart card authentication using the certificates on the DoD CAC or SIPRNet token. Any CA placed in NTAuth is trusted to issue logon certificates for the entire forest, so publish only the DoD and NSS CAs this guide names. These steps install the CA certificates into the Active Directory NTAuth store using InstallRoot. InstallRoot version 4.1 or newer is required to install CA certificates into the NTAuth store. If InstallRoot 4.1 or newer cannot be used, Appendix F: Manually Publishing DoD PKI Certificates to the Active Directory NTAuth Store contains alternative procedures.

NOTE: In some environments NTAuth certificate installation may require using the actual built-in Administrator account. If an account with administrative privileges gives permission errors, try the built-in Administrator account.

To install the CA certificates into the NTAuth store, perform the following steps:

1) Run the InstallRoot utility as an administrator who has domain administrative rights. Right-click InstallRoot and select Run as administrator when launching it.

2) Click on the Certificate tab.

3) Expand the Install DoD Certificates group by clicking the ▼ symbol.

4) Highlight the top certificate (DoD Root CA 2). Repeat steps 4 through 7 for each of the other DoD Root CAs.

5) Click the PEM Export button and select a directory to store the exported certificate (e.g., c:\certs).

6) Open an elevated command prompt using Run as administrator, and navigate to the directory where the certificate was stored in the previous step (e.g., c:\certs).

7) Run this command: certutil -dspublish -f "DoD_Root_CA_2__0x05__DoD_Root_CA_2.cer" NTAuthCA

(The screenshot in the original guide shows the certutil output confirming the certificate was added to the NTAuth store.)

8) Back in the InstallRoot utility, click on the Store tab. Then click on the Active Directory NTAuth icon.

9) A pop-up window will appear with a security warning stating that any actions in the NTAuth store impact the entire domain. Click OK.

10) A new store called NTAuth will be created. Select that tab.


11) Confirm there is a green check beside Install DoD Certificates or if on SIPRNet beside Install SIPR Certificates.

12) Click the Home tab. Then click the Install Certificates button. You may receive a prompt that configuration changes have been made and asking whether you would like to save those changes. Click Yes to proceed.

13) A summary window should now display with the results. After checking the results click OK then exit InstallRoot.

NOTE: Active Directory Enterprise Administrator rights are required to successfully load the CA certificates into the NTAuth certificate store.

Success! The certificates should now be imported into the NTAuth store. To verify that the certificates were properly installed do the following:


1) Add the Enterprise PKI snap-in capability:

a) Click the Server Manager.

b) From the Dashboard, click Add roles and features.

c) Click Next on the Before you begin page.

d) Select the Role-based or feature-based installation option and select Next.

e) Select the server(s) on which the Enterprise PKI feature will be installed and select Next.

f) Click Next on the Select server roles page.

g) Check Active Directory Certificate Services Tools and click Next.

h) Select Install to install the new roles and features.

i) Once installed, open the charms bar by pressing Windows+C (or swiping the cursor over the bottom right corner). Select the search option and type mmc. Select the mmc.exe tool from the results.

j) Navigate to File > Add/Remove Snap-in.

k) Select Enterprise PKI. Click Add, then click Ok.

2) Once the snap-in is loaded, right-click the Enterprise PKI and select Manage AD Containers.

3) This will open a user interface for viewing the NTAuth store. Verify the appropriate CA certificates are in it.


NOTE: The InstallRoot utility can be used to verify all the Domain Controllers in the environment receive the NTAuth store updates. Starting with InstallRoot version 4.1 there is a NTAuth comparison feature available, which compares the NTAuth store of the local machine against the AD NTAuth container. Refer to the InstallRoot User Guide for more information. This guide is located on the DoD PKE website at https://iase.disa.mil/pki-pke under Tools > Trust Store Management.
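The following Windows PowerShell script is an added example and is not part of this guide or of InstallRoot. It publishes the PEM-exported CA files with the same certutil -dspublish command used in step 7, then reads the NTAuthCertificates object from the Configuration partition and compares it with this domain controller's local NTAuth store, which is the copy the KDC consults at logon time. The C:\certs directory, the Enterprise Admin context and the registry location of the local NTAuth store are assumptions stated in the comments.

```powershell
# Added example (not part of the DoD PKE guide or InstallRoot): publish DoD CA
# certificates to the AD NTAuth store with certutil and verify, from AD and from
# this DC's local NTAuth store, which CAs are actually trusted for smart card logon.
# Assumptions: elevated Windows PowerShell on a domain controller, run as an
# Enterprise Admin; the PEM-exported CA files live in C:\certs (assumed path,
# match it to the directory chosen in step 5).

$CertDir = 'C:\certs'

function Publish-NTAuthCertificate {
    param([Parameter(Mandatory)][string]$Path)
    # certutil -dspublish writes the cert into CN=NTAuthCertificates in the
    # Configuration partition; -f replaces an existing entry for the same CA.
    & certutil.exe -dspublish -f $Path NTAuthCA | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -dspublish failed for $Path (exit code $LASTEXITCODE)"
    }
}

function Get-ADNTAuthCertificate {
    # Read the Configuration partition object directly so the check does not
    # depend on the Enterprise PKI snap-in or the ActiveDirectory module.
    $configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ntauth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
    foreach ($der in $ntauth.Properties['cACertificate']) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    }
}

function Get-LocalNTAuthThumbprint {
    # The DC's local NTAuth store is an "enterprise" store kept in the registry
    # (assumed location below); autoenrollment copies the AD object here and the
    # KDC validates smart card certificates against this copy, not against AD.
    $key = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
    (Get-ChildItem -Path $key -ErrorAction SilentlyContinue).PSChildName
}

# 1) Publish every exported CA file (the DoD Root CAs exported with PEM Export).
Get-ChildItem -Path $CertDir -Filter *.cer | ForEach-Object {
    Write-Host "Publishing $($_.Name) to NTAuth"
    Publish-NTAuthCertificate -Path $_.FullName
}

# 2) Compare what AD holds against what this DC has replicated locally.
$localThumbs = @(Get-LocalNTAuthThumbprint)
foreach ($cert in Get-ADNTAuthCertificate) {
    $state = if ($localThumbs -contains $cert.Thumbprint) { 'replicated to this DC' }
             else { 'NOT yet in local NTAuth store' }
    '{0}  {1}  expires {2:yyyy-MM-dd}  {3}' -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $state
}
```

Run certutil -pulse on a domain controller (or wait for its autoenrollment cycle, which is what copies the AD object into the local store) and rerun the comparison; any CA still reported missing means smart card logon will fail against that DC even though the AD container is correct.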


Domain Controller Certificate Installation

DoD or NSS PKI-issued domain controller (DC) certificates must be installed on all DCs in the enterprise.

The next two sections contain procedures for generating a certificate request using the Domain Controller Certificate Request Generation Script, which is a Windows PowerShell script. If this script cannot be used, Appendix G: Manually Generate Domain Controller Certificate Request contains alternate procedures for generating the request. If using the Appendix G instructions, skip to the section Submit the DC Certificate Request after completing Appendix G.

Obtain the Domain Controller Certificate Request Generation Script

These steps will download, install, and verify the Domain Controller Certificate Request Generation Windows PowerShell script.

1) Open a web browser, navigate to https://iase.disa.mil/pki-pke or http://iase.disa.smil.mil/pki-pke if on SIPRNet, and select Tools.

2) Download the latest version of the Domain Controller Certificate Request Generation script under the heading labeled Certificate Tools.

3) Place the downloaded zip file on the domain controller.

4) Create a new directory, which will hold the script, (e.g., c:\dc-cert-requests).

5) Extract the contents of the zip file to the new directory just created in the previous step.

6) In Windows Explorer, right-click the script, dc-cert-request_v<#>.ps1 or dc-cert-request_S_v<#>.ps1 if on SIPRNet, and click Properties.

7) Select the Digital Signatures tab and then select the signature under Signature list and click the Details button.

8) In the Digital Signature Details window you should see the message “This digital signature is OK”. If you don’t see this message, verify the DoD CA certificates have been installed and then contact DoD PKE Support for assistance.


9) Click the View Certificate button to open the Certificate window. Then click the Certification Path tab. Verify the certificate chains up to DoD Root CA 3.

NOTE: In some environments Domain Controller certificate installation may fail when logged on under an account with administrative privileges. If this occurs try the actual built in Administrator account.

Generate the Certificate Request on the Domain Controller

These procedures use the Windows PowerShell script obtained in the previous section to generate a domain controller certificate request. The Windows PowerShell execution policy must be AllSigned or less restrictive for the script to run. The PowerShell command to change the execution policy is Set-ExecutionPolicy (e.g., Set-ExecutionPolicy AllSigned). Under AllSigned the script executes only if its signature chains to a trusted root, which is why the DoD CA certificates must already be installed and the chain verified as in step 9 above.


1) Open the charms bar by pressing Windows+C (or swiping the cursor over the bottom right corner). Select the search option and type windows powershell. Right-click the Windows PowerShell tool in the results and select Run as administrator.

2) In the Windows PowerShell console, navigate to the directory containing the Domain Controller Request Generation PowerShell script using the cd command (e.g., cd c:\dc-cert-requests).

3) Execute the PowerShell script by typing .\dc-cert-request_v<#>.ps1 and pressing Enter, where <#> is the version number of the script (e.g., .\dc-cert-request_v1-0.ps1).

a. The script should first prompt you to enter the Common Name to be used in the certificate request. The script attempts to determine the FQDN of the current system and shows this as the default value; to use this value simply press Enter. You may also type a different Common Name and then press Enter.

b. The script will then prompt for the Organization Unit to be used in the certificate request. Type an Organization Unit and then press Enter. If you are not sure of your Organization Unit, please contact your Local Registration Authority (LRA), Registration Authority (RA), or your CC/S/A PKI help desk.

c. The script will then display the values entered from the previous two steps and prompt to ask if you would like to proceed. If the values are correct press Enter to proceed, otherwise type N and press Enter to exit.

d. The script will then generate the certificate request and attempt to find the GUID of the domain controller. If the script cannot find a domain controller matching the Common Name given previously, it will prompt the user to ask if they would like to see the GUIDs of all domain controllers. Press Enter to see GUID information for all domain controllers or type N and press Enter to skip displaying all the domain controller GUID information.

e. The script should now be complete. The output file will be in the current directory (e.g., c:\dc-cert-requests) and follow the naming convention of <cn>_<date>.txt (e.g., test-dc.pke.mil_2014-10-15-12-01-25.txt). Where <cn> is the Common Name given during execution of the script and <date> is the date/time of when the script was executed, in the format YYYY-MM-DD-hh-mm-ss.
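As an added example (not the DoD Domain Controller Certificate Request Generation script, whose contents are not reproduced here), the following Windows PowerShell script produces the same two artifacts the steps above describe: a PKCS#10 request created with certreq from an INF file, and the DNS hostname and domain controller objectGUID that the enrollment form asks for, written to a <cn>_<date>.txt file in the same layout. The OU value, the O= and OU=DoD/C= components of the subject, the key and extension settings in the INF, and the C:\dc-cert-requests directory are assumptions; use the values your RA or LRA specifies.

```powershell
# Added example, not the DoD PKE request-generation script: build a 2048-bit
# PKCS#10 request for this DC with certreq and collect the DC information
# (DNS hostname, objectGUID) the CA enrollment form requires.
# Assumptions: elevated Windows PowerShell on the DC; the OU and the fixed DN
# components are placeholders (replace with your RA's values); the output
# directory matches the guide's example.

param(
    [string]$OrganizationalUnit = 'PKI',              # assumption: your organization's OU
    [string]$OutDir = 'C:\dc-cert-requests'
)

function Get-DcFqdn {
    # Same default the guide's script offers: this machine's fully qualified name.
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    "$($ip.HostName).$($ip.DomainName)".ToLower()
}

function Get-DcObjectGuid {
    param([Parameter(Mandatory)][string]$Fqdn)
    # The DC certificate carries the domain controller's objectGUID; look it up
    # from the computer object whose dNSHostName matches the request's CN.
    $searcher = [ADSISearcher]"(&(objectCategory=computer)(dNSHostName=$Fqdn))"
    [void]$searcher.PropertiesToLoad.Add('objectGUID')
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No computer object found with dNSHostName=$Fqdn" }
    [guid]::new([byte[]]$hit.Properties['objectguid'][0])
}

function New-DcCertificateRequest {
    param([string]$Fqdn, [string]$OU, [string]$OutDir)
    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
    $stamp   = Get-Date -Format 'yyyy-MM-dd-HH-mm-ss'
    $infPath = Join-Path $OutDir "${Fqdn}_${stamp}.inf"
    $reqPath = Join-Path $OutDir "${Fqdn}_${stamp}.req"

    # certreq INF (assumed settings): 2048-bit RSA key in the machine store,
    # non-exportable, KeyUsage digitalSignature|keyEncipherment (0xA0), EKUs
    # Server and Client Authentication, PKCS#10 output. The CA's profile, not
    # the request, decides what the issued certificate finally contains.
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn, OU=$OU, OU=PKI, OU=DoD, O=U.S. Government, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
HashAlgorithm = sha256
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
"@
    Set-Content -Path $infPath -Value $inf -Encoding ASCII

    & certreq.exe -new $infPath $reqPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }
    return $reqPath
}

$fqdn = Get-DcFqdn
$guid = Get-DcObjectGuid -Fqdn $fqdn
$req  = New-DcCertificateRequest -Fqdn $fqdn -OU $OrganizationalUnit -OutDir $OutDir

# One text file in the shape the submission section expects: the PEM request
# block (certreq emits BEGIN/END NEW CERTIFICATE REQUEST) plus the DNS Hostname
# and GUID lines to paste into the enrollment form.
$outFile = [System.IO.Path]::ChangeExtension($req, '.txt')
@(
    (Get-Content $req)
    ''
    'DC Information'
    "DNS Hostname: $fqdn"
    "GUID: $guid"
) | Set-Content -Path $outFile -Encoding ASCII
Write-Host "Request written to $outFile"
```

The private key is created under the machine key set at request time and never leaves the DC; the issued certificate is later bound to it with certreq -accept, so the request must be generated on the same domain controller on which the certificate will be installed.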


Submit the DC Certificate Request

1) Open a web browser and navigate to one of the following URLs:

Unclassified/NIPRNet systems:

https://ee-id-sw-ca-37.disa.mil/

https://ee-id-sw-ca-38.disa.mil/

Secret/SIPRNet systems:

https://nss-sw-ca-4.csd.disa.smil.mil/ca/ee/ca

NOTE: For NIPRNet or SIPRNet test certificates, contact your local Registration Authority (RA) for the Joint Interoperability Test Command (JITC) test certificate request URL. The URLs above are for production certificates.

If a popup window appears to notify you that the website certificate is from an untrusted CA, verify the DoD PKI CA certificates are properly installed in your computer trust store. If the DoD PKI CA certificates were correctly installed as instructed in previous sections, this popup window should not appear.

2) Scroll down the list and select the correct profile:

Unclassified/NIPRNet systems:

Manual PKCS10 Domain Controller 2048-bit Certificate Enrollment

Secret/SIPRNet systems:

NSS Domain Controller Certificate Enrollment

3) In Notepad, open the PKCS10 certificate request file generated in the previous section. If the PowerShell script was used to generate the request, this is the script output file with the .txt file extension (e.g., test-dc.pke.mil_2014-10-15-12-01-25.txt). Copy the encoded certificate request from the text file, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the Certificate Request field on the web site.

4) Include your contact information under the Requestor Information section. Open the PowerShell script output file (e.g., test-dc.pke.mil_2014-10-15-12-01-25.txt) from the previous section. In the DNS Name box, use the value from the DNS Hostname line of the script output file. Copy and paste the GUID from the script output file into the GUID box. The GUID is on the line that starts GUID: in the DC Information section of the script output file.

5) Click Submit. Record the CA to which the request was submitted and the resulting Request ID.


6) Notify your organizational Local RA (LRA) or RA of the certificate request submission via digitally signed email. In the email, include the CA to which the request was submitted and the request ID. The LRA/RA will require more detailed information about the server and your organization before providing support.

Retrieve the DC Certificate Request

1) Once the LRA/RA has approved and issued the certificate, they will send a signed email with a URL from which the certificate can be downloaded. Navigate to the provided URL with a web browser.

2) Click the Retrieval tab, enter your request number and click Submit.

3) Click the Issued certificate (serial number) link.

4) Verify the certificate and form contents are correct. Scroll down to the base 64-encoded certificate, and highlight and copy the certificate to the clipboard, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags.

5) Open Notepad and paste the certificate into a text file. Save the file to an easily accessible location; use All Files as the Save As Type, and save with a .cer extension. If the system from which the certificate is retrieved is different from the domain controller from which the request was generated, the retrieved certificate must be transported to the requesting domain controller via removable media or copied via the network.

Install the DC Certificate

1) Open the charms bar by pressing Windows+C (or swiping the cursor over the bottom right corner). Select the search option and type cmd. Right-click the result and select Run as administrator; the machine private key created with the request can only be accessed from an elevated prompt.

2) Within the command prompt, navigate to the certificate file location using the cd command. Install the certificate by typing the following command:

certreq -accept <file>.cer

NOTE: There will not be any output if the certificate is successfully installed; the prompt simply returns to a new command line.

Verify the DC Certificate

Open the certificate in MMC.

1) Open the charms bar by pressing Windows+C (or swiping the cursor over bottom right corner). Select the search option and type mmc. Select the mmc.exe tool from the results.

2) Select File > Add/Remove Snap-in.


3) At the Add/Remove Snap-in screen, select Add.

4) Select the Certificates snap-in and click Add.

5) Select Computer Account for the type of certificates to manage. Click Next.

6) Select Local Computer as the computer to manage. Click Finish.

7) When returned to the Add/Remove Snap-in screen, click OK.

8) At the main MMC window, the Certificates (Local Computer) snap-in should appear. Expand Certificates (Local Computer) > Personal > Certificates.

9) Observe that the certificate for this domain controller is in the local computer's Personal certificate store. Open it and confirm that the General tab reports the certificate is OK and that you have a private key that corresponds to this certificate.

10) Close all windows from this section.
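The following added Windows PowerShell script (not part of this guide) performs the certreq -accept step and then checks programmatically what the MMC steps above verify by eye: the certificate is in the local computer's Personal store, has a private key, carries this DC's DNS name, builds a chain to a trusted root with revocation checking, and has the Server and Client Authentication EKUs. The path of the retrieved .cer file is an assumption.

```powershell
# Added example, not part of the DoD PKE guide: accept the issued DC certificate
# with certreq (binding it to the private key created at request time), then
# verify it the way the MMC steps do, but in a form that can be scripted across
# all DCs. Assumption: elevated Windows PowerShell on the requesting DC; the
# .cer saved from the CA is at the path below.

param([string]$CerPath = 'C:\dc-cert-requests\dc.cer')

function Install-DcCertificate {
    param([Parameter(Mandatory)][string]$Path)
    # certreq -accept matches the issued cert to the pending request's key and
    # places it in Cert:\LocalMachine\My. No output on success is normal.
    & certreq.exe -accept $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
}

function Test-DcCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ip   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $fqdn = "$($ip.HostName).$($ip.DomainName)".ToLower()

    # Re-read the cert from the machine store so HasPrivateKey reflects the key
    # association certreq created, not the bare file on disk.
    $stored = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Cert.Thumbprint }

    # Build the chain with online revocation checking; a DC cert that chains but
    # cannot be revocation-checked will still be rejected by smart card clients.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk     = $chain.Build($Cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

    $eku     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })

    [pscustomobject]@{
        Subject         = $Cert.Subject
        InPersonalStore = [bool]$stored
        HasPrivateKey   = [bool]($stored -and $stored.HasPrivateKey)
        NameMatchesDc   = $Cert.GetNameInfo('DnsName', $false).ToLower() -eq $fqdn
        ChainBuilds     = $chainOk
        ChainStatus     = if ($chainOk) { 'OK' } else { $chainStatus }
        ServerAuthEku   = $ekuOids -contains '1.3.6.1.5.5.7.3.1'
        ClientAuthEku   = $ekuOids -contains '1.3.6.1.5.5.7.3.2'
        ExpiresOn       = $Cert.NotAfter
    }
}

$cert   = Install-DcCertificate -Path $CerPath
$result = Test-DcCertificate -Cert $cert
$result | Format-List
if (-not ($result.InPersonalStore -and $result.HasPrivateKey -and $result.ChainBuilds)) {
    Write-Warning 'DC certificate is not usable for smart card logon yet; see ChainStatus above.'
}
```

If ChainBuilds is false with a revocation-related status, the DC cannot reach the CRL or OCSP responder named in the certificate; fix that connectivity before testing a smart card logon, since the same lookup happens when the DC validates a user's certificate.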


Enabling Smart Card Logon

The Microsoft implementation for certificate-based authentication to Active Directory (AD) requires a unique identifier called the User Principal Name (UPN) to be present in the Subject Alternative Name (SAN) field of the user’s certificate. The DoD implements this value in the user’s email signature certificate.

The UPN consists of two parts: the generic name and the domain identifier suffix. The DoD generic name is formatted as the individual’s Electronic Data Interchange – Personnel Identifier (EDI-PI). The EDI-PI is appended with the domain identifier suffix: “@mil” for NIPRNet and “@smil.mil” or “@agency.smil” for SIPRNet. This unique value (User_EDI-PI@mil, or User_EDI-PI@smil.mil / User_EDI-PI@agency.smil) must match the UPN value listed in the user’s account in AD in order for authentication to succeed.

Alternative User Principal Name Suffix

AD must be configured to accept the DoD-specific alternative UPN suffix. This is a one-time action that must be performed using Active Directory Domains and Trusts.

1) Open Server Manager. On the top of the Dashboard select Tools > Active Directory Domains and Trusts.

2) Right-click the Active Directory Domains and Trusts root node and select Properties.

3) In the Alternative UPN Suffix text box:

Unclassified/NIPRNet systems:

Insert mil and click Add.

Secret/SIPRNet systems:

Insert smil.mil and agency.smil and click Add.

4) Click OK. Close the Active Directory Domains and Trusts window.

User Accounts

To map a user’s certificate to their AD account in Windows Server 2012 using the standard method of mapping (UPN), the certificate must contain two things:

• An Enhanced Key Usage (EKU) of “Smart Card Logon” or no EKU, and a Key Usage of “Digital Signature”.

• A UPN value in the SAN attribute of the certificate. This UPN must be in the form of xxxxx@domain_suffix.

Their account User Logon Name must be renamed to match the UPN in the certificate. Existing user accounts can be modified easily in Active Directory Users and Computers, and new users can be configured properly from the start using the existing new user wizard.

NOTE: If the user’s certificate does not contain a UPN value or contains an improperly formatted value, Windows Server 2012 does provide the ability to use alternate security identities such as the Issuer and Subject Distinguished Names of a certificate for mapping. Refer to Appendix B: Distinguished Name Mapping for guidance on this implementation.
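The following PowerShell script is an added example, not part of the DoD PKE guide, that checks a user certificate against the two mapping requirements above (EKU/Key Usage and SAN UPN) and compares the UPN with the AD account and the registered alternative suffixes. It assumes the RSAT ActiveDirectory module is available and uses a constructed certificate path (C:\Temp\user.cer).

```powershell
# Added example; not the DoD PKE guide's own script.
# Assumes the RSAT ActiveDirectory module (Get-ADForest, Get-ADUser).
Import-Module ActiveDirectory

function Get-CertificateUpn {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # The UPN is an otherName (OID 1.3.6.1.4.1.311.20.2.3) inside the SAN
    # extension (OID 2.5.29.17); Windows renders it as "Principal Name=<upn>".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    if ($san.Format($false) -match 'Principal Name=([^,\s]+)') { return $Matches[1] }
    return $null
}

function Test-ScLogonCertificate {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $result = [ordered]@{ Subject = $cert.Subject }

    # Requirement 1a: EKU of Smart Card Logon (1.3.6.1.4.1.311.20.2.2) or no EKU at all.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $result.EkuOk = [bool]((-not $eku) -or
        ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.20.2.2' }))

    # Requirement 1b: Key Usage must include Digital Signature.
    $ku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $result.DigitalSignature = [bool]($ku -and ($ku.KeyUsages -band
        [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature))

    # Requirement 2: a UPN of the form xxxxx@domain_suffix in the SAN.
    $upn = Get-CertificateUpn $cert
    $result.Upn = $upn
    $result.UpnFormatOk = [bool]($upn -match '^[^@\s]+@[^@\s]+$')

    if ($upn) {
        # The suffix (e.g. "mil") must be registered as an alternative UPN suffix ...
        $suffix = $upn.Split('@')[1]
        $result.SuffixRegistered = [bool]((Get-ADForest).UPNSuffixes -contains $suffix)
        # ... and the account's User Logon Name must equal the certificate UPN.
        $user = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties SmartcardLogonRequired
        $result.AccountFound = [bool]$user
        $result.SmartCardRequired = if ($user) { $user.SmartcardLogonRequired } else { $null }
    }
    [pscustomobject]$result
}

# Constructed path; replace with the exported email signature certificate.
Test-ScLogonCertificate -Path 'C:\Temp\user.cer' | Format-List
```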

Multiple Account Use Cases

All users who currently log on with group or role-based accounts, and users who hold elevated-privilege or administrative accounts in addition to their standard user accounts, can use alternate logon tokens (ALTs). The DoD PKI has approved methods for issuing ALTs to system administrators, allowing them to obtain PKI certificates specifically for their administrative account, stored on a hardware token other than the CAC or user SIPRNet token. Contact your organizational RA for more information.

Remote Access

If the enterprise deploys a remote access solution utilizing a VPN infrastructure, PK-enabling this remote access solution should occur shortly after the internal network is configured for SCL.

Manually Remapping Existing Users who currently authenticate via username/password

1) Open Server Manager. On the top of the Dashboard select Tools > Active Directory Users and Computers.

2) Navigate to a user who will be migrated to smart card logon.

3) Right-click the user and select Properties.

4) Select the Account tab. Note the user’s logon name and UPN suffix.

5) Change the User Logon Name to match the UPN of this user.

Unclassified/NIPRNet systems:

Select the @mil extension from the domain suffix drop-down box to match the domain suffix in the user’s certificate UPN value. Do not change the User logon name (pre-Windows 2000) fields.

Secret/SIPRNet systems:

Select the @smil.mil or @agency.smil extension from the domain suffix drop-down box to match the domain suffix in the user’s certificate UPN value. Do not change the User logon name (pre-Windows 2000) fields.

6) If your organizational policy requires users to log on with smart cards only (no username/password allowed), scroll down to the Account options section and check Smart card is required for interactive logon.

7) Click OK to save the modifications.

Manually Creating New Users

1) Open Server Manager. On the top of the Dashboard select Tools > Active Directory Users and Computers.

2) Navigate to the OU container that will hold the new user. Right-click the container and select New > User.


3) Enter the user’s information similar to the screen shot below. Enter the user’s real name information, but for the User Logon Name enter the EDI-PI of the user with the appropriate domain suffix:

Unclassified/NIPRNet systems:

EDIPI@mil domain suffix

Secret/SIPRNet systems:

EDIPI@smil.mil or EDIPI@agency.smil domain suffix

Form the User Logon Name (pre-Windows 2000) according to the username convention of your network. Click Next when done. (If necessary, see Appendix B: Distinguished Name Mapping, which covers certificates not using the DoD format.)

4) Enter the appropriate temporary password for the user, selecting the standard options for your domain. Click Next when done.

5) When done, click Finish.


Setting Domain- or Organizational Unit (OU)-Level Group Policy

Smart Card Removal Behavior

Users should always remove their CAC or SIPRNet token from the reader when leaving their workstation. Since the CAC or SIPRNet token is required for authentication, the workstation should subsequently lock itself. A policy can be enforced in AD at the appropriate Group Policy Object (GPO) level to force the system to enter a locked state when the user removes their smart card.

1) Open Server Manager. On the top of the Dashboard select Tools > Group Policy Management.

2) Expand Forest: XXX Domains. Right-click the domain name and select Create a GPO in this Domain, and link it here.

3) Name the new GPO:

Unclassified/NIPRNet systems:

Enter CAC Users GPO.

Secret/SIPRNet systems:

Enter NSS Users GPO.

Select None for the source and click OK.

4) Right-click the linked GPO and select Edit. Once the GPO window appears, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.


5) Double-click Interactive Logon: Smart card removal behavior.

6) Check the box labeled Define this policy setting, and select Lock Workstation from the drop-down menu. Click OK.

7) Close all windows from this section.

Requiring the Use of Smart Cards for Domain Logon

Computers in the domain may be configured to require the use of smart card logon.

1) Open Server Manager. On the top of the Dashboard select Tools > Group Policy Management.

2) Expand Forest: XXX Domains. Right-click the domain name and select Create a GPO in this Domain, and link it here.

NOTE: If the CAC Users or NSS Users GPO already exists, skip to step 4.

3) Name the new GPO:

Unclassified/NIPRNet systems:

Enter CAC Users GPO.

Secret/SIPRNet systems:

Enter NSS Users GPO.

Select None for the source and click OK.


4) Right-click the linked GPO and select Edit. Once the GPO window appears, expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

5) Double-click Interactive Logon: Require Smart Card.

NOTE: Before enabling this setting, verify that CAC logon is functioning properly. Once this setting is enabled, username/password logon will no longer work.

6) Check the box labeled Define this policy setting and select the Enabled radio button. Click OK.

7) Close all windows from this section.


User Workstations

User workstations will need to have the following items to support smart card logon.

Smart Card Readers

All hardware needed for CAC and SIPRNet token authentication (smart card readers) shall be procured and deployed. Any identified shortcomings or missing hardware will be processed immediately.

Smart Card Middleware

The enterprise should procure and deploy the latest CAC and SIPRNet token middleware to process certificates and enable smart card logon. Contact your local procurement office for more details. Currently, 90Meter Smart Card Manager (SCM) middleware is the DoD PKI PMO-provided middleware for SIPRNet tokens, but any approved SIPRNet middleware is appropriate.

NOTE: Windows Vista and above have the ability to natively read the PIV authentication certificate of the CAC without middleware. For users leveraging only the PIV authentication certificate, middleware may not be required. SIPRNet tokens require middleware in all circumstances.

Certificate Validation Software

Ensure your Certificate Revocation List (CRL) checking solutions or Online Certificate Status Protocol (OCSP) clients are configured to retrieve the new CRLs. If you are using third-party tools that require individual entries per CA/CRL, you must add new entries for the new CA CRLs that are released periodically. Appendix C: Certificate Validation Options has several caching solution options you may explore.


Appendix A: Acronyms and Abbreviations

AD  Active Directory
AIA  Authority Information Access
ALT  Alternate Logon Token
CA  Certification Authority
CAC  Common Access Card
CAPI  Cryptographic Application Programming Interface
CN  Common Name
CNG  Cryptography Next Generation
CRL  Certificate Revocation List
DC  Domain Controller
DISA  Defense Information Systems Agency
DN  Distinguished Name
DNS  Domain Name System
DoD  Department of Defense
DoDI  DoD Instruction
DV  Desktop Validator
EDI-PI  Electronic Data Interchange – Personnel Identifier
EKU  Enhanced Key Usage (Microsoft definition)
FBCA  Federal Bridge Certification Authority
FQDN  Fully Qualified Domain Name
GPO  Group Policy Object
GUID  Global Unique Identifier
ID  Identifier
IRCA  Interoperability Root Certification Authority
JITC  Joint Interoperability Test Command
JRE  Java Runtime Environment
LRA  Local Registration Authority
MMC  Microsoft Management Console
MSI  Microsoft Installer file format
NIPRNet  Unclassified but Sensitive Internet Protocol Router Network
NSA  National Security Agency
NSS  National Security Systems
OCSP  Online Certificate Status Protocol
OID  Object Identifier
OU  Organizational Unit
PIN  Personal Identification Number
PIV  Personal Identity Verification
PIV-I  Personal Identity Verification - Interoperable
PKCS  Public Key Cryptography Standard
PKE  Public Key Enablement
PKI  Public Key Infrastructure
PMO  Program Management Office
RA  Registration Authority
RCVS  Robust Certificate Validation Service
RG  Reference Guide
SAN  Subject Alternative Name
SCL  Smart Card Logon
SCM  Smart Card Manager
SIPRNet  Secret Internet Protocol Router Network
UPN  User Principal Name
URL  Uniform Resource Locator
VPN  Virtual Private Network


Appendix B: Distinguished Name Mapping

To map a certificate that does NOT have a UPN value in the SAN attribute to the user account, it is permissible to use a certificate without the “Smart Card Logon” key usage, but it must have a key usage of “Digital Signature.”

Mapping Certificates using the Distinguished Name

After determining the user account that will be mapped, configure Active Directory Distinguished Name (DN) mapping for the account. This method maps the issuer and subject DN from the user certificate to the user’s account. The DNs are stored under the AltSecurityIdentities attribute of the Active Directory user. This method is employed when the user’s certificate does not contain a UPN value in the SAN attribute.

To include each user’s matching certificate in their alternate security identities database, perform the following steps:

1) Open the charms bar by pressing Windows+C (or swiping cursor over bottom right corner). Select the search option and type mmc. Select the mmc.exe tool from the results.

2) Select File > Add/Remove Snap in > Add. Select the Active Directory Users and Computers snap-in from the list and click Add.

3) Click Close, then OK.

4) Expand your Domain and the Group you want to access within the snap-in.

You will now be able to view your Active Directory users. To add a certificate to a user’s mapping database:

1) On the toolbar, select View > Advanced Features. (It will refresh.)

2) Right-click the user you want to edit and select Name Mappings.

You may now add the user’s certificate from a file to their account. When the user attempts to log on to the server, their full DN on the certificate will be used to identify them in Active Directory.
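As an added example (not the guide's or the DoD PKE team's code), the following PowerShell builds the issuer/subject mapping string that Windows stores in AltSecurityIdentities for the Name Mappings step above and applies it with Set-ADUser, after confirming the Digital Signature key usage this appendix requires. It assumes the RSAT ActiveDirectory module; the account name and certificate path are constructed placeholders.

```powershell
# Added example; not the DoD PKE guide's own script.
# Assumes the RSAT ActiveDirectory module (Get-ADUser, Set-ADUser).
Import-Module ActiveDirectory

function ConvertTo-AltSecIdDn {
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Dn)
    # Format($true) yields one RDN per line (leaf first, quoting preserved).
    # The altSecurityIdentities format expects the DN reversed (root-most RDN
    # first) and comma-joined, e.g. "DC=com,DC=example,CN=Example Issuing CA".
    $rdns = @($Dn.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function Get-AltSecurityIdentity {
    param([string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    # Appendix B allows a missing Smart Card Logon EKU but still requires Digital Signature.
    $ku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not ($ku -and ($ku.KeyUsages -band
        [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature))) {
        throw "Certificate $($cert.Thumbprint) lacks the Digital Signature key usage"
    }
    $issuer  = ConvertTo-AltSecIdDn $cert.IssuerName
    $subject = ConvertTo-AltSecIdDn $cert.SubjectName
    # Same form the Name Mappings dialog writes when both Issuer and Subject are used.
    return "X509:<I>$issuer<S>$subject"
}

function Set-CertificateNameMapping {
    param([string]$SamAccountName, [string]$CertPath)
    $mapping = Get-AltSecurityIdentity -CertPath $CertPath
    $user = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
    if ($user.altSecurityIdentities -contains $mapping) {
        Write-Host "Mapping already present on $SamAccountName"
        return
    }
    # -Add appends, so an existing mapping (e.g. a previous certificate) is kept.
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
    Write-Host "Mapped $SamAccountName to $mapping"
}

# Constructed placeholders for the account and the user's certificate file.
Set-CertificateNameMapping -SamAccountName 'jdoe' -CertPath 'C:\Temp\partner-user.cer'
```

Compare the generated string with what the Name Mappings dialog writes for one account before bulk use, since RDN values containing commas are quoted and must match exactly.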

Configure Group Policy for Client Workstations

A Group Policy setting must be configured to allow certificates without the traditional “Smart Card Logon” key usage to be used for domain logon. To enable the Allow certificates with no extended key usage certificate attribute Group Policy setting, follow these steps on a domain controller:

1) Open Server Manager. On the top of the Dashboard select Tools > Group Policy Management.


2) Right-click the domain name and choose Create a GPO in this domain, and Link it here….

3) Name it Smart Card Auth Policy.

4) Right-click the policy and choose Edit.

5) Expand Computer Configuration > Policies > Administrative Templates > Windows Components, and then expand Smart Card.

6) Double-click Allow certificates with no extended key usage certificate attribute.

7) Select Enabled and click OK.

8) Run gpupdate /force to update group policies on the workstations with smart card readers.


Appendix C: Certificate Validation Options

All workstations, domain controllers, and servers that authenticate users via the certificates on the CAC or SIPRNet token should have a reliable revocation checking mechanism in place. The enterprise can deploy the Tumbleweed Desktop Validator (DV) or CoreStreet DV applications to provide robust certificate validation capabilities to enterprise users. The Tumbleweed DV offers a variety of components to satisfy requirements of unique devices on the network. For example, the DV Enterprise Edition is targeted for use on DCs, the DV Standard Edition is for use with workstations, and there are a variety of plug-in modules that can be used for web servers and other server components that need to perform certificate validation.

Without a DV application, Windows Server 2012 uses its native revocation checking capabilities. It can perform both OCSP and CRL checking natively, but it is not as configurable or flexible as third-party revocation clients.

The primary validation authority used in the DoD to provide revocation status information via OCSP will be either the NIPRNet Robust Certificate Validation Service (RCVS) or the SIPRNet RCVS. The DoD PKE team recommends the use of third-party tools such as those from Tumbleweed and CoreStreet for OCSP revocation checking. The enterprise should consider developing and deploying a failover option should network connectivity fail or the RCVS service itself become unavailable. Examples of viable failover mechanisms include hosting CRLs on an internal web server or standing up an internal validation authority.

Contact your local procurement office for information on obtaining the latest certificate validation software.

Unclassified/NIPRNet systems: Configuring Certificate Validation

The DoD PKE team has developed guidance on how to properly configure the Tumbleweed and CoreStreet applications for reliable certificate validation. Refer to the DoD reference guides for configuration of Tumbleweed or CoreStreet. These documents can be found on the DoD PKE web site at https://iase.disa.mil/pki-pke/.

Secret/SIPRNet systems: Configuring the Desktop Validator (Tumbleweed)

The DoD PKE team has developed guidance on how to properly configure the Tumbleweed application for reliable certificate validation. Refer to the DoD reference guide for configuration of Tumbleweed on SIPRNet. This document can be found on the DoD PKE web site at http://iase.disa.smil.mil/pki-pke/. CoreStreet is pending development for SIPRNet.


Appendix D: GrabDCInfov2.vbs

The script below should be used to obtain the server’s Global Unique Identifier for use in making the Domain Controller certificate request:

' DCTOOLS Enumerate the DCs and provide the GUID and DNS
' VBScript program to enumerate all Domain Controllers in the domain.
' GrabDCinfo version 2.0 10-30-2013
'
Option Explicit

Dim objRootDSE, strConfig, objConnection, objCommand, strQuery
Dim objRecordSet, objDC, dc_GUIDr
Dim dc_GUIDnf, dc_GUIDfd
Dim wshShell, strComputerName

' Determine the default (domain) naming context from the RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfig = objRootDSE.Get("DefaultNamingContext")

' Determine the computer name of the local machine.
Set wshShell = WScript.CreateObject("WScript.Shell")
strComputerName = wshShell.ExpandEnvironmentStrings("%COMPUTERNAME%")

' Use ADO to search Active Directory for objects of class rIDSet.
' Every domain controller's computer object holds an "RID Set" child,
' so the parent of each rIDSet object is a domain controller.
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection
strQuery = "<LDAP://" & strConfig _
    & ">;(ObjectClass=rIDSet);AdsPath;subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False

'****************************************************
'* Create the file to save the DC Information for
'* the certificate request (disabled; output goes to the console)
'****************************************************
'Set fs = CreateObject("Scripting.FileSystemObject")
'Set SvGUID = fs.CreateTextFile("..\getguid.txt", True)

Set objRecordSet = objCommand.Execute

' The parent object of each rIDSet object is a Domain Controller
' computer object; only the local machine's entry is reported.
Do Until objRecordSet.EOF
    Set objDC = GetObject( _
        GetObject(objRecordSet.Fields("AdsPath")).Parent)
    '****************************************************
    '* Get the GUID from the DC and reformat for input
    '* to the certificate request
    '****************************************************
    If objDC.cn = strComputerName Then
        ' objDC.GUID returns the objectGUID as 32 hex characters in stored
        ' (little-endian) byte order; swap the first three fields into the
        ' conventional GUID string order.
        dc_GUIDr = objDC.GUID
        dc_GUIDnf = Mid(dc_GUIDr, 7, 2) & Mid(dc_GUIDr, 5, 2) _
            & Mid(dc_GUIDr, 3, 2) & Mid(dc_GUIDr, 1, 2) _
            & Mid(dc_GUIDr, 11, 2) & Mid(dc_GUIDr, 9, 2) _
            & Mid(dc_GUIDr, 15, 2) & Mid(dc_GUIDr, 13, 2) _
            & Mid(dc_GUIDr, 17, 4) & Mid(dc_GUIDr, 21, 12)
        ' Dashed form of the same GUID, kept for reference.
        dc_GUIDfd = Left(dc_GUIDnf, 8) & "-" & Mid(dc_GUIDnf, 9, 4) & "-" _
            & Mid(dc_GUIDnf, 13, 4) & "-" & Mid(dc_GUIDnf, 17, 4) _
            & "-" & Right(dc_GUIDnf, 12)
        WScript.Echo "Domain Controller: " & objDC.cn & vbCrLf _
            & "DNS Host Name: " & objDC.DNSHostName & vbCrLf _
            & "GUID: " & dc_GUIDnf & vbCrLf _
            & "DN: " & objDC.distinguishedName
    End If
    objRecordSet.MoveNext
Loop

' Clean up.
objConnection.Close
Set objRootDSE = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Set objRecordSet = Nothing
Set objDC = Nothing


Appendix E: Configure Smart Card Logon for Approved External PKIs

NOTE: This section does not apply to SIPRNet environments.

NOTE: DoD Instruction 8520.2 allows approved partners Network Logon access with PIV certificates only (this excludes PIV-I and commercial partners). In addition, user certificates must assert the “common-auth” policy Object Identifier (OID): 2.16.840.1.101.3.2.1.3.13 in the certificate policies attribute.

The following are guidelines on how to set up trust for a DoD-approved partner PKI. To become a permitted partner, the partner’s PKI must be successfully tested by JITC and the PKIs must be cross-certified with the Federal Bridge CA (FBCA) at Federal PKI medium hardware (or above) assurance level. More details on the approval process are available in the Department of Defense External Interoperability Plan on the DoD PKE website at https://iase.disa.mil/pki-pke under Interoperability.

Direct Trust

The Direct Trust model is when the DoD-approved partner PKI is explicitly trusted by installing the partner’s root and issuing CAs in the local computer trust store. Once installed, all end users whose certificates chain to an installed issuing and root CA will be trusted by your domain controller’s system.

The authoritative list of DoD-approved external PKIs, as well as pertinent partner information such as root and subordinate CA certificates, approved certificate policy OIDs and CRL/OCSP information, can be found on the DoD PKE website at https://iase.disa.mil/pki-pke under Interoperability.

Current partner testing status can be found on the JITC site at http://jitc.fhu.disa.mil/PKI/PKE_LAB/PARTNER_PKI_TESTING/PARTNER_PKI_STATUS.HTML.

To implement Direct Trust, you must obtain and install the CA certificates of the DoD approved external partner (available from the DoD PKE site above). The steps to install the CA certificates are shown below:

1) Right-click the certificate.

2) Select Install Certificate.

3) Click Next.

4) Select Place all Certificates in the following Store and click Browse.

5) Check the Show Physical Stores box.

6) Select the appropriate certificate store:


a) For a root CA certificate, select Trusted Root Authorities > Local Computer.

b) For an intermediate or subordinate CA certificate, select Intermediate Certificate Authorities > Local Computer.

7) Click Next and then Finish.

8) Repeat this process for each certificate to be trusted.

Your system will now trust all of the end user certificates issued by the external partner.

NOTE: OID filtering does not occur during this authentication process. Administrators should inspect client certificates during the account mapping process to ensure the “common-auth” policy Object Identifier (OID) is asserted in the certificate.

NTAuth Store Update

You must add each partner CA certificate (Root and intermediate/subordinate) to your NTAuth store.

To update the NTAuth store:

1) Open a command prompt.

2) Change directories to the location of the CA certificate files in the command window.

3) Run the following command for each CA certificate: certutil -dspublish -f "the_certificate" NTAuthca

4) Verify the certificate was added successfully; a message should indicate that the certificate was “..added to DS store.”

Cross-Certificate Trust

Cross-certificate trust is not recommended for smart card logon deployments.

In order for smart card authentication to process correctly, both the local computer Cryptographic Application Programming Interface (CAPI) and NTAuth store must trust the user’s certificate. CAPI has the ability to path build but the NTAuth store does not and requires explicit installation of every CA certificate in a given chain. The only way cross-certificate trust will work is to add all CA certificates in the chain (from the DoD Interoperability Root CA (IRCA) trust anchor down to the partner issuing CA) into the NTAuth store. However, this approach is not recommended for maintenance purposes.
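The following PowerShell is an added example, not from the guide, that checks the condition just described: it lets CAPI path-build a user certificate's chain against the local stores and then reports whether each CA in that chain is present in NTAuth (read from the NTAuthCertificates object that certutil -dspublish updates). It assumes the RSAT ActiveDirectory module and uses a constructed certificate path.

```powershell
# Added example; not the DoD PKE guide's own script.
# Assumes the RSAT ActiveDirectory module (Get-ADRootDSE, Get-ADObject).
Import-Module ActiveDirectory

function Get-NTAuthThumbprints {
    # NTAuth is the cACertificate attribute of CN=NTAuthCertificates in the
    # Configuration partition; this is the object certutil -dspublish writes to.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ntauth = Get-ADObject -Identity "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC" `
        -Properties cACertificate
    foreach ($raw in $ntauth.cACertificate) {
        $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        $ca.Thumbprint
    }
}

function Test-NTAuthChain {
    param([string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # CAPI builds the path from the local machine stores; revocation is left out
    # here so that only trust-store membership is being tested.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)

    $ntauth = @(Get-NTAuthThumbprints)
    # Element 0 is the end-entity certificate; the rest are the CAs NTAuth must hold.
    $report = foreach ($el in ($chain.ChainElements | Select-Object -Skip 1)) {
        [pscustomobject]@{
            CA         = $el.Certificate.Subject
            Thumbprint = $el.Certificate.Thumbprint
            InNTAuth   = $ntauth -contains $el.Certificate.Thumbprint
        }
    }
    [pscustomobject]@{
        CapiChainBuilt = $built
        NTAuthComplete = (@($report | Where-Object { -not $_.InNTAuth }).Count -eq 0)
        Elements       = $report
    }
}

# Constructed placeholder for a partner user's certificate file.
$r = Test-NTAuthChain -CertPath 'C:\Temp\partner-user.cer'
$r | Select-Object CapiChainBuilt, NTAuthComplete
$r.Elements | Format-Table -AutoSize
```

A chain that CAPI builds (CapiChainBuilt true) but with NTAuthComplete false is exactly the cross-certificate case above: smart card logon will fail until every listed CA is published to NTAuth.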


Mapping Users from DoD-Approved External PKIs

Windows Server 2012 with Windows Vista clients and above can use the Distinguished Name (Issuer/Subject) of the user certificate for mapping. This allows administrators to use certificates without a UPN for smart card logon.

Administrators must consult with the External PKI and obtain the following information:

• The certificate profile of the certificates they will be using for SCL. This certificate must contain a UPN in the SAN and also an EKU for “Smart Card Logon”. By default, Microsoft PKINIT will not accept a certificate for smart card logon without the proper EKU. See Appendix B for instructions on how to override this requirement through Group Policy.

• The UPN suffix of their organization.

• Administrators should ensure proper provisioning of new users to the system (whether automated or manual) and verify that each user’s UPN is correct and matches the one asserted in that user’s PIV certificate.

NOTE: DoD PKE is currently working on compiling UPN suffix information for DoD approved PIV partners and will post to the DoD PKE website (http://iase.disa.mil/pki-pke/) under Interoperability along with other partner specific information once compiled.

The following are implementation steps for mapping External Partner PKI users in Active Directory.

Adding the Alternate Suffix

If the users that need to be trusted have a different UPN suffix (information after the @) from your organization, you must add the suffix to your domain properties:

1) Open the charms bar by pressing Windows+C (or swiping cursor over bottom right corner). Select the search option and type mmc. Select the mmc.exe tool from the results.

2) Navigate to File > Add/Remove Snap in > Add.

3) Select Active Directory Domains and Trusts. Click Add.

4) Click Close, then OK.

5) Right-click the Active Directory Domains and Trusts in your mmc console and select Properties.

6) Add the external partner suffix in the suffix field without the “@”.

7) Click Add.

The suffix will now be available for selection in the user properties.


Mapping the User

The UPN must be in the form of “xxxxx@domain_suffix”. The following is an example of a user certificate with the UPN:

Navigate to Active Directory Users and Computers for your domain:

1) Open the charms bar by pressing Windows+C (or swiping cursor over bottom right corner). Select the search option and type in mmc. Select the mmc.exe tool from the results.

2) Select File > Add/Remove Snap in > Add.

3) Select Active Directory Users and Computers and click Add.

4) Click Close, then OK.

5) Expand the snap-in and select your domain.

The UPN of a certificate.


Select the Organizational Unit containing the user account and double-click the user name to access the user’s properties. The Account tab will contain the UPN. View the following screenshot.

The user’s log on name should match the UPN in the certificate. After you have added the correct alternate suffix to your Active Directory Domains and Trust (following the instructions in the previous section), select the appropriate suffix from the drop-down list.

Certificate Validation of External PKIs

Certificate validation for external PKIs must be planned according to what options are available from the particular partner being validated. The following are recommended generic solutions for the different scenarios.

If intended partner PKI implements AIA OCSP

• If the external PKI implements the OCSP protocol, the Authority Information Access (AIA) attribute of their CA and end entity certificates should specify a responder URL. Third party validation products such as Tumbleweed and CoreStreet may need to be re-configured to follow the AIA OCSP link as the primary validation procedure (as opposed to using http://ocsp.disa.mil for all certificates).


• In the event that OCSP fails or is not supported, applications must be able to fail over to CRLs. Administrators will need to obtain CRL Distribution Points from the external PKI or refer to the DoD Approved External CRL Distribution Points (CRLDPs) on the DoD PKE website at https://iase.disa.mil/pki-pke under Interoperability.

The following are options for CRL failover:

o Configure a Third-Party Application

Third party applications such as Tumbleweed and CoreStreet can be configured to first try AIA OCSP and then failover to CRLs.

o Use a nightly automated CRL retrieval solution.

CRLs should be downloaded at least once a day to ensure your domain controller has the latest revocation information. Solutions vary and some DoD components choose to purchase Tumbleweed or CoreStreet plug-ins for their servers.

o Manually download and install CRLs.

CRLs can be manually downloaded to the domain controller or a local cache on a regular basis. However, this option would be a tremendous burden to administrators. To do this, once the CRL file has been downloaded, right-click the CRL and install into the appropriate certificate store (Local Computers Intermediate or Root Certificate Authorities store) based on the CRL’s issuer.

If OCSP is not an option

A CRL solution must be implemented. Tumbleweed or CoreStreet can be configured to pull CRLs on the fly from the CRL Distribution Point in the certificate, or to download CRLs on an appointed schedule to increase reliability.
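The "nightly automated CRL retrieval" option above, as an added PowerShell example (not from the guide and not a Tumbleweed or CoreStreet configuration): it downloads each partner CRL, checks its NextUpdate so a stale CRL is noticed, and installs it into the Local Computer store that matches the issuer. The URLs and cache folder are constructed placeholders; the real CRLDPs come from the partner certificates or the DoD Approved External CRLDP list.

```powershell
# Added example (not from the DoD PKE guide): scheduled CRL refresh for a domain controller.
# URLs below are constructed placeholders; Store is the certutil store name for the CRL issuer.
$crlSources = @(
    @{ Url = 'http://crl.partner.example/intermediate-ca.crl'; Store = 'CA'   }  # intermediate issuer
    @{ Url = 'http://crl.partner.example/root-ca.crl';         Store = 'Root' }  # root issuer
)
$cacheDir = 'C:\CRLCache'   # assumed local cache folder
New-Item -ItemType Directory -Path $cacheDir -Force | Out-Null

foreach ($src in $crlSources) {
    $file = Join-Path $cacheDir ([System.IO.Path]::GetFileName($src.Url))
    try {
        Invoke-WebRequest -Uri $src.Url -OutFile $file -UseBasicParsing -ErrorAction Stop
    } catch {
        Write-Warning "Download failed for $($src.Url): $_ (keeping the previous copy, if any)"
        continue
    }

    # Read the validity window; a CRL past NextUpdate will not satisfy revocation checking.
    $dump = certutil -dump $file | Out-String
    if ($dump -match 'NextUpdate:\s*(?<nu>.+)') {
        try {
            $next = [datetime]::Parse($Matches['nu'].Trim())
            if ($next -lt (Get-Date)) { Write-Warning "$file is already expired (NextUpdate $next)" }
        } catch { Write-Warning "Could not parse NextUpdate for $file" }
    }

    # Install into the Local Computer store for the issuer (CA = Intermediate, Root = Trusted Root).
    certutil -addstore -f $src.Store $file | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "certutil -addstore failed for $file" }
    else { Write-Host "Installed $file into the $($src.Store) store" }
}
```

Run it from a daily scheduled task on the domain controller; to confirm that revocation checking now succeeds for a partner certificate, `certutil -verify -urlfetch partner.cer` reports which OCSP responder or CRL was used.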


Appendix F: Manually Publishing DoD PKI Certificates to the Active Directory NTAuth Store

Active Directory has an additional certificate store called NTAuth that must have the intermediate and root CA certificates installed in order to allow for smart card authentication using the certificates on the DoD CAC or SIPRNet token. These steps will publish the DoD PKI certificates to the NTAuth store. These are alternative steps to using InstallRoot to publish the certificates to the NTAuth store as referenced in the section Publish DoD PKI Certificates to the Active Directory NTAuth Store using InstallRoot.

NOTE: In some environments NTAuth certificate installation may require using the actual built-in Administrator account. If an account with administrative privileges gives permission errors, try the built-in Administrator account.

To install the CA certificates into the NTAuth store, perform the following steps:

1) Export all appropriate certificates into a folder on the local file system. Use the latest version of the InstallRoot tool (GUI version) to export all the root and intermediate CA certificates to a folder on the server’s file system. Refer to the InstallRoot User Guide for exporting instructions for InstallRoot. This guide is located on the DoD PKE website at https://iase.disa.mil/pki-pke under Tools > Trust Store Management.

2) A script will now be run to import the certificates into the NTAuth store. Open Notepad, and paste or type in the following script:

@echo off
REM Publish every exported certificate in the folder to the enterprise NTAuth store
FOR %%i IN ("\Reference folder location(optional)\*.*") DO certutil -dspublish -f "%%i" NTAuthCA

NOTE: Replace Reference folder location (optional) with the correct folder location.

You can install one certificate at a time using the command: certutil -dspublish -f "THE CERT" NTAuthCA

3) Click File > Save as, and save the notepad file into the folder where you exported the certificates. Save it as Import.bat.

4) Open a command window and change directories to the folder where you saved the script. Run the script by typing import.bat and pressing Enter.

NOTE: Active Directory Enterprise Administrator rights are required to successfully load the CA certificates into the NTAuth certificate store.
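As an added verification step (example PowerShell, not part of the guide), the following publishes every .cer in a folder with the same certutil call as Import.bat, then reads the NTAuth store back from the Configuration partition and reports any certificate that did not arrive. The folder path is an assumption; the script needs the ActiveDirectory module and Enterprise Administrator rights.

```powershell
# Added example (not from the DoD PKE guide): publish to NTAuth and confirm the result.
$certFolder = 'C:\DoDCerts'   # assumed folder of certificates exported with InstallRoot

# Publish every .cer in the folder (the same certutil call the guide's Import.bat uses).
Get-ChildItem -Path $certFolder -Filter *.cer | ForEach-Object {
    certutil -dspublish -f $_.FullName NTAuthCA | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Host "Published $($_.Name)" }
    else { Write-Warning "Publish failed for $($_.Name) (exit $LASTEXITCODE)" }
}

# The enterprise NTAuth store is the cACertificate attribute of the NTAuthCertificates object.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$ntauth   = Get-ADObject -Identity "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC" `
                         -Properties cACertificate

$published = foreach ($der in $ntauth.cACertificate) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$der)
    [pscustomobject]@{ Subject = $c.Subject; Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter }
}
$published | Sort-Object Subject | Format-Table -AutoSize

# Cross-check: every certificate in the folder should now be present in NTAuth.
$localThumbs = Get-ChildItem -Path $certFolder -Filter *.cer | ForEach-Object {
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName).Thumbprint
}
$missing = $localThumbs | Where-Object { $published.Thumbprint -notcontains $_ }
if ($missing) { Write-Warning "Not yet in NTAuth (replication delay or rights issue?): $($missing -join ', ')" }
else { Write-Host "All $($localThumbs.Count) certificates are present in NTAuth" }
```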


Appendix G: Manually Generate Domain Controller Certificate Request

This section contains manual steps to generate the domain controller certificate request as an alternative to using the Domain Controller Certificate Request Generation Script as referenced in the section Generate the Certificate Request on the Domain Controller.

The Force strong key protection for user keys stored on the computer setting will need to be temporarily relaxed via Group Policy while the certificate request is generated. When this setting is set to User must enter a password each time they use a key, a Key Protection password is required for use of the Domain Controller’s private key. This will cause silent operations such as Smart Card Logon/Mutual Authentication to fail. Perform these steps before requesting the Domain Controller certificate.

NOTE: In some environments Domain Controller certificate installation may fail when logged on under an account with administrative privileges. If this occurs, try the actual built-in Administrator account.

1) Open Server Manager. On the top of the Dashboard select Tools > Group Policy Management.

2) Expand Forest: XXX > Domains > your domain.

3) Expand Domain Controllers. Right-click Default Domain Controllers Policy and select Edit.

4) Expand Computer Configuration/Policies/ Windows Settings/Security Settings/Local Policies. Select Security Options.

5) Double-click System Cryptography: Force strong key protection for user keys stored on the computer.

6) Set this setting to User input is not required when new keys are stored and used.

7) Restart the system.

Generate the Certificate Request on the Domain Controller

1) Open the charms bar by pressing Windows+C (or swiping cursor over bottom right corner). Select the search option and type mmc. Select the mmc.exe tool from the results.

2) Navigate to File > Add/Remove Snap-in.

3) At the Add/Remove Snap-in screen, select Add.

4) Select the Certificates snap-in and click Add.

5) Select Computer Account for the type of certificates to manage. Click Next.


6) Select Local Computer as the computer to manage. Click Finish.

7) When returned to the Add/Remove Snap-in screen, click OK.

8) At the main MMC window, the Certificates (Local Computer) snap-in should appear. Expand Certificates (Local Computer) > Personal. Right-click Certificates and select All Tasks > Advanced Operations > Create custom request.

9) Click Next.

10) Click Proceed without Enrollment Policy and then click Next.

11) Select the (No Template) CNG Key. Check the Suppress default extensions box. Ensure PKCS #10 is selected. Click Next.

12) Click the drop-down arrow next to Details and click the Properties button.

13) On the Subject tab under Subject name, select the drop-down type Full DN. Enter the distinguished name to be used in the domain controller certificate request.

Unclassified/NIPRNet systems: CN=<Domain Controller FQDN>, OU=<CC/S/A>, OU=PKI, OU=DoD, O=U.S. Government, C=US

Secret/SIPRNet systems: CN=<Domain Controller FQDN>, OU=<CC/S/A>, OU=DoD, OU=NSS, O=U.S. Government, C=US

14) Click the Add button and the DN will appear on the right side.

15) On the Private Key tab, expand Key options. Select the Key size 2048 and check only the box Make private key exportable. Click OK.

16) At the Certificate Information screen, verify the details and click Next.

17) Enter the file name to save the certificate request or click the Browse button to select a file path. Name the request with a .txt extension. Ensure the Base 64 radio button is selected. Click Finish to save the request and exit the certificate request wizard.

18) Copy the text from Appendix D: GrabDCInfov2.vbs to a text file on the domain controller. Name the file GrabDCInfo.vbs and save as type All Files.

19) Open the charms bar by pressing Windows+C (or swiping cursor over bottom right corner). Select the search option and type cmd. Right-click the command prompt and Run as Administrator.

20) In the command prompt, use the cd command to navigate to the directory where you saved GrabDCInfo.vbs.

21) Type cscript GrabDCInfo.vbs to run the script and press Enter.


22) Record the GUID (32 alpha-numeric characters). It will be used in the next section to submit the certificate request.

You may right-click the command window toolbar and select Edit > Mark to highlight the GUID. Then select Edit > Copy to copy to the clipboard.

If you relaxed the Force strong key protection for user keys stored on the computer setting, you can reset it back to its original value now. Follow the same steps used at the beginning of this section to relax it, but set the value to User must enter a password each time they use a key instead.
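The custom request built in steps 8 through 17, expressed as a certreq INF file instead of the MMC wizard (an added PowerShell example, not the guide's procedure or its script): it sets the same DN pattern, 2048-bit exportable CNG key in the Local Computer store, suppressed default extensions and Base64 PKCS #10 output, then dumps the request so the subject and key size can be checked before submission. The <CC/S/A> value and output paths are placeholders.

```powershell
# Added example (not from the DoD PKE guide): build the DC certificate request with certreq.
# Replace <CC/S/A> with your component; use the SIPRNet DN pattern on Secret systems.
$dcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. dc1.example.mil
$dn     = "CN=$dcFqdn, OU=<CC/S/A>, OU=PKI, OU=DoD, O=U.S. Government, C=US"   # NIPRNet pattern

$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$dn"
KeyLength = 2048
Exportable = TRUE                ; step 15: Make private key exportable
MachineKeySet = TRUE             ; Local Computer store, as in the Certificates snap-in
ProviderName = "Microsoft Software Key Storage Provider"   ; CNG key, as in step 11
RequestType = PKCS10             ; step 11: PKCS #10
SuppressDefaults = TRUE          ; step 11: Suppress default extensions
"@

$infPath = Join-Path $env:TEMP 'dc-request.inf'
$reqPath = Join-Path $env:TEMP 'dc-request.txt'   # Base64 request file, as in step 17
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the request; the private key is created in the Local Computer store.
certreq -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Verify before submitting: the dump should show the DN above and a 2048-bit public key.
certutil -dump $reqPath | Select-String -Pattern 'Subject:|CN=|OU=|O=|C=|Public Key Length'
```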


Appendix H: Support and Information

Website

Please visit the URL below for additional information.

https://iase.disa.mil/pki-pke (NIPRNet)

http://iase.disa.smil.mil/pki-pke (SIPRNet)

Technical Support

Contact technical support.

[email protected]

