Announcing a new series!!!
I recently got some YubiKeys from HQ (thanks @Peter) and since they provide all-in-one smart card (PIV) and OTP (OATH) capabilities plus they work great with Centrify products.
1. Open Active Directory Users and Computers and navigate to your desired OU.
2. Right click and select New > User and follow the wizard until the user is created.
3. Right click the newly-created user and select Properties. In the General tab, update the Email to match the user principal name (e.g. user@corp.contoso.com) and press OK.
4. Right click the OU and select New > Group and make it a Global/Security group. Call it "Smart Card Users".
5. Right click the group, select Properties, go to the Members tab, press Add and add the user created in step 2.
6. On the member server, grant the group or user the ability to log on remotely: Computer > Properties > Remote Settings > Remote Desktop > Select Users > Add > [select user or group], then press OK twice.
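The same Active Directory preparation can be scripted, which is handy when the lab is rebuilt often. The block below is an added example, not part of the original post: it uses the ActiveDirectory module on a domain-joined admin workstation and the LocalAccounts module on the member server. The OU path, domain, user name and member server name are assumptions; adjust them to your environment. It also checks that the mail attribute matches the UPN, since the smart card certificate's subject alternative name is built from that value.

```powershell
# Added example (not from the original post): the Active Directory steps above done with
# PowerShell instead of the GUI. All names below are assumptions for a lab.
Import-Module ActiveDirectory

$ouPath     = 'OU=Lab Users,DC=corp,DC=contoso,DC=com'   # assumed OU
$domainFqdn = 'corp.contoso.com'                         # assumed UPN suffix
$samName    = 'scuser'                                   # assumed test user
$upn        = "$samName@$domainFqdn"
$groupName  = 'Smart Card Users'
$memberSrv  = 'MEMBER1'                                  # assumed member server

# Steps 2-3: create the user with mail == UPN, as the post requires.
$password = Read-Host -AsSecureString -Prompt 'Initial password for the test user'
New-ADUser -Name 'Smart Card Test User' -SamAccountName $samName `
    -UserPrincipalName $upn -EmailAddress $upn -Path $ouPath `
    -AccountPassword $password -Enabled $true

# Steps 4-5: global security group that will be granted Enroll on the template.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity $groupName -Members $samName

# Step 6: allow the group to log on via Remote Desktop on the member server.
# This is what the Remote Settings > Select Users dialog changes under the hood.
$domainGroup = "$((Get-ADDomain).NetBIOSName)\$groupName"
Invoke-Command -ComputerName $memberSrv -ScriptBlock {
    param($g)
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $g
} -ArgumentList $domainGroup

# Sanity check: mail and UPN must be identical, otherwise the UPN in the
# certificate's SAN will not map back to this account at logon time.
$u = Get-ADUser -Identity $samName -Properties mail, userPrincipalName
if ($u.mail -ne $u.userPrincipalName) {
    throw "mail ($($u.mail)) does not match UPN ($($u.userPrincipalName))"
}
"User $upn, group $groupName and RDP access on $memberSrv are in place."
```

Run it once as a domain admin; `Read-Host -AsSecureString` keeps the initial password out of the script and the command history.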
Certificate Services
Modify the Smart Card User template
1. Open the Certification Authority console (Start > Search > Certification Authority). If you get an error, retarget the console to the appropriate server (e.g. DC1).
2. In the left pane, right click "Certificate Templates" and select Manage. This opens the Certificate Templates console.
3. In the template list, right click the Smartcard User template and select "Duplicate Template".
4. In the General tab, give the template a descriptive name. I used "Smart card User V2" (this is the display name; the actual template name is SmartcardUserV2).
5. Click on the Security tab, press Add, select the newly-created Smart Card Users group, check the Enroll and Autoenroll boxes, then press OK and close the Certificate Templates console.
Publish the Newly-Created Template
1. In the Certification Authority console, in the left pane, right click "Certificate Templates" and select New > Certificate Template to Issue.
2. Select the newly-created version of the Smart Card User template (e.g. Smart card User V2) and press OK.
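Because the template's security tab is the control that decides who can obtain a logon-capable certificate, it is worth verifying it outside the GUI. The block below is an added example, not from the original post: it reads the template object from the Configuration naming context, confirms the Smart Card Users group holds the Enroll and Autoenroll extended rights (by their schema GUIDs), then publishes the template with `certutil -SetCATemplates` and checks it appears in the CA's published list. The CA config string is an assumption; the template name is the one used in the post.

```powershell
# Added example (not from the original post): verify the template ACL and publish it.
# The CA config string is an assumption; replace it with "host\CA common name".
Import-Module ActiveDirectory

$templateName = 'SmartcardUserV2'                     # template name, not display name
$groupName    = 'Smart Card Users'
$caConfig     = 'DC1.corp.contoso.com\corp-DC1-CA'     # assumed CA config string

# Extended-right GUIDs from the AD schema (controlAccessRight objects)
$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# Templates are stored in the Configuration partition, not the domain partition
$configNC = (Get-ADRootDSE).configurationNamingContext
$tplDn = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
try {
    $tpl = Get-ADObject -Identity $tplDn -Properties nTSecurityDescriptor
} catch {
    throw "Template $templateName not found; run Duplicate Template first. $_"
}

$sid = (Get-ADGroup -Identity $groupName).SID
$groupAces = $tpl.nTSecurityDescriptor.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
}

# Only explicit Enroll/Autoenroll ACEs are checked here; a broader ACE such as
# GenericAll would also grant them but is not something the post's steps create.
foreach ($right in @{ Enroll = $enrollRight; Autoenroll = $autoEnrollRight }.GetEnumerator()) {
    $has = $groupAces | Where-Object { $_.ObjectType -eq $right.Value }
    if ($has) { "$($right.Key) is granted to $groupName on $templateName" }
    else      { Write-Warning "$($right.Key) is NOT granted to $groupName on $templateName" }
}

# Publish the template (same effect as New > Certificate Template to Issue) and confirm
certutil -config $caConfig -SetCATemplates "+$templateName" | Out-Null
$published = certutil -config $caConfig -CATemplates
if ($published -match "^$templateName`:") { "Template $templateName is published on $caConfig" }
else { Write-Warning "Template $templateName is not in the CA's published list" }
```

The Enroll check is also a useful periodic audit: a template that grants Enroll to a broad group such as Domain Users, combined with a Smart Card Logon EKU, lets far more principals obtain logon certificates than intended.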
Provision the Smart Card User Certificate into your Yubikey
1. Log on to your member system with the test user.
2. Open the YubiKey PIV Manager tool as the test user (Shift + right click > Run as different user).
3. If you're using a VM, connect the YubiKey to your virtual machine. Note: if you're using VMware, add the parameter below to the VM's .vmx file with a text editor while the VM is powered off, otherwise the YubiKey will not be available to the VM.
usb.generic.allowHID = "TRUE"
4. Initialize the YubiKey if it is brand new. Do not forget the PIN.
5. In YubiKey PIV Manager, press Certificates > Generate New Key, make sure you type the certificate template name (not the display name), and press OK.
6. Type the PIN when challenged and select your existing CA. In my case I use the non-HTTP link and press OK.
7. To test smart card authentication, either lock your screen or log off. If you can unlock or log in successfully, you should be ready for the next steps.
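If the lock-screen test fails, it helps to know whether the certificate on the key is actually suitable for Windows smart card logon before digging into Kerberos. The block below is an added example, not from the original post, to be run in the test user's session with the YubiKey inserted (the minidriver propagates the card's certificates into the user's Personal store). It looks for a certificate carrying the Smart Card Logon EKU, checks that its SAN contains the expected UPN, that its private key lives in the smart card KSP rather than a software provider, and that the chain builds. The expected UPN and the display name used for the template match are assumptions.

```powershell
# Added example (not from the original post): check that the provisioned certificate
# meets the requirements for smart card logon. Expected UPN is an assumption.
$expectedUpn       = 'user@corp.contoso.com'
$templateNames     = @('SmartcardUserV2', 'Smart card User V2')   # name or display name
$smartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'
$templateInfoOid   = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2 templates)
$sanOid            = '2.5.29.17'

function Test-SmartCardLogonCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    # Smart Card Logon EKU must be present
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $smartCardLogonEku })) {
        $problems += 'no Smart Card Logon EKU'
    }

    # SAN must carry the UPN the KDC will map to the account
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($expectedUpn)) {
        $problems += "SAN does not contain UPN $expectedUpn"
    }

    # Private key should be held by the smart card KSP, not a software provider
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($key -is [System.Security.Cryptography.RSACng] -and
            $key.Key.Provider.Provider -notmatch 'Smart Card') {
            $problems += "key is in '$($key.Key.Provider.Provider)', not the smart card KSP"
        }
    } catch { $problems += "private key not accessible: $($_.Exception.Message)" }

    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'certificate has expired' }
    if (-not $Cert.Verify())          { $problems += 'chain does not validate to a trusted root' }
    return $problems
}

# Candidates: certs with a private key whose template extension names our template
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    (($_.Extensions | Where-Object { $_.Oid.Value -eq $templateInfoOid }) | ForEach-Object {
        $text = $_.Format($false)
        ($templateNames | Where-Object { $text -match [regex]::Escape($_) }).Count -gt 0
    }) -contains $true
}

if (-not $candidates) {
    Write-Warning 'No certificate from the smart card template found; re-insert the key or re-enroll.'
}
foreach ($c in $candidates) {
    $issues = Test-SmartCardLogonCert -Cert $c
    if ($issues.Count -eq 0) { "OK: $($c.Thumbprint) ($($c.Subject)) is ready for smart card logon" }
    else { Write-Warning "$($c.Thumbprint): $($issues -join '; ')" }
}
```

A certificate that passes every check here but still fails at the lock screen usually points at the domain side (the DC's own certificate, or the CA not being trusted by the DC) rather than at the YubiKey.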