The issue is that a Windows 10 AD DS and Azure AD joined computer behaves differently in terms of SSO to Azure / O365 / Store for Business if a user logs on with their smart card rather than with their username and password. The additional benefits of SSO don't seem to work when a smart card is used for logon.

Voiceover: In this lesson we'll start to get an overview of virtual smart cards, and we'll start with this question: what is a virtual smart card anyway? Well, simply put, it's something that behaves exactly the way a physical smart card does, except that the virtual smart card doesn't have a physical component. Except kind of it does. So I'll explain that here as we continue.
In this article I am going to walkthrough how to configure your internal certificate authority (Windows Active Directory Certificate Services) in order to allow you to use smartcard authentication on your windows active directory domain.
- Can you tell me how to set up smart card logon step-by-step?
- What is a Smart Card. Smart cards are a key component of the public key infrastructure (PKI) that Microsoft is integrating into the Windows platform because smart cards enhance software-only solutions, such as client authentication, logon, and secure email. Smart cards are a point of convergence for public key certificates and associated keys.
- Can we develop a smart card reader driver in UMDF? If yes, can we develop the driver as a virtual driver? Is Microsoft using the SmartCardReader class only for Microsoft? If not, what are the prerequisites for developing a UMDF driver that is compliant with the smart card reader class?
The need for security and enhanced privacy is increasing as electronic forms of identification replace face-to-face and paper-based ones. The emergence of the global Internet and the expansion of the corporate network to include access by customers and suppliers from outside the firewall have accelerated the demand for solutions based on public key cryptography technology.
A few examples of the kinds of services that public key cryptography technology enables are secure channel communications over a public network, digital signatures to ensure image integrity and confidentiality, authentication of a client to a server (and vice versa), and the use of smart cards for strong authentication.
The Microsoft Windows operating system platform is smart card–enabled and is the best and most cost-effective computing platform for developing and deploying smart card solutions.
Smart cards are a key component of the public key infrastructure (PKI) that Microsoft is integrating into the Windows platform because smart cards enhance software-only solutions, such as client authentication, logon, and secure email. Smart cards are a point of convergence for public key certificates and associated keys because they:
- Provide tamper-resistant storage for protecting private keys and other forms of personal information
- Isolate security-critical computations, involving authentication, digital signatures, and key exchange from other parts of the system that don’t have a need to know
- Enable portability of credentials and other private information between computers at work, at home, or on the road
The smart card has become an integral part of the Windows platform because smart cards provide new and desirable features as revolutionary to the computer industry as the introduction of the mouse or CD-ROM.
If you do not have an Internal PKI Infrastructure at the moment then you need to ensure you do this first. I am not going to cover the installation of this role in this particular article but information on how to implement this can be found here: http://technet.microsoft.com/en-us/library/hh831740.aspx
I have always recommended Gemalto Identity & Access Security to clients. They provide a wide selection of smartcards that can also work with your door access systems, meaning that you can have one card to access both your corporate building and your corporate network. If this is the first time you have looked at smartcard access in your corporate environment, I would recommend you purchase the following Proof of Concept Kit from Smartcard Focus.
The kit contains:
Note: You will need to speak with your Door Access Security company in order to find out what type of cards would work with the system you use.
1. Launch the Certificate Authority MMC from Administrative Tools
2. Click on the ‘Certificate Templates’ node and select Manage
3. Right-click on the ‘Smartcard User’ certificate template and then select ‘Duplicate’
4. Change your compatibility settings accordingly; this will depend on your CA infrastructure and end-user devices
5. Give the new template an appropriate name, and ensure that the validity period is 5 years
6. Ensure that the Request Handling tab matches the following configuration
7. On the Cryptography tab ensure that you select ‘Requests must use one of the following providers’ and then select ‘Microsoft Base Smart Card Crypto Provider’
8. Ensure that the Issuance Requirements match the following settings
9. Once these steps have been completed, press OK and go back to the Certificate Authority MMC. Right-click on the Certificate Templates node, select New and then select ‘Certificate Template to Issue’.
You now need to import the ‘Enrollment Agent’ template and the duplicated template (the one you just created).
It is recommended that you do this on a client machine (the IT Administrator's desktop).
1. Launch MMC, add the Certificates snap-in and manage the certificates for ‘My User Account’
2. Right-click on the ‘Personal’ node, select ‘All Tasks’ and then select ‘Request New Certificate’
3. Click Next on the wizard, and then select ‘Active Directory Enrollment Policy’
4. Select the ‘Enrollment Agent’ certificate, and then click on ‘Enroll’
Your IT Administrator's desktop is now set up as an Enrollment Station. This enables you to enroll new smartcards on behalf of other users.
In order to provide employees with smartcards for authentication, you need to enroll them and generate the certificate, which will then be imported onto the smartcard.
1. Launch MMC, add the Certificates snap-in and manage the certificates for ‘My User Account’
2. Right-click on Personal > Certificates and select All Tasks > Advanced Operations and click on ‘Enroll on behalf of…’
3. Click Next on the wizard, choose the ‘Active Directory Enrollment Policy’ and click Next
4. You will now be asked to select the signing certificate. This is the Enrollment Agent certificate you requested earlier.
5. On the next screen, you need to select which certificate you would like to request; in this instance it will be ‘Vakkundig Smartcard User’, which is the template we created earlier.
6. Next, you need to select the user you wish to enroll on behalf of. Click Browse and type in the username of the employee you wish to enroll. In this instance I am just going to use my Administrator account.
7. On the next screen, proceed with the enrollment by clicking on ‘Enroll’; you will then be asked to insert a smartcard into your reader.
8. Once you have inserted your smartcard, it should be detected as follows
9. You will then be asked to type in the smartcard PIN. (Default PIN: 0000)
10. Finally, once you have seen the ‘Enrollment Successful’ screen, you can remove the card and use it to log on to a domain-joined computer.
- If you find that your computer does not recognize the smartcard when it is inserted, you may need to download and install the following files. The download is available on the Microsoft Catalog website.
- To manage the smart cards I recommend you use the following tool, which is available at the following URL: https://www.netsolutions.gemalto.com/netutils/Default.aspx. This tool will allow you to reset PINs, unlock cards and see what certificates have been installed onto a smart card.
- The default PIN for the .NET smart cards is 0000
- If one of your employees loses the smartcard, you will need to REVOKE the issued certificate from within your Certificate Authority.
- If an employee leaves and they hand back the smartcard, you are able to remove the certificate from the card and then re-issue it to another employee if you so wish.
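Before enrolling on behalf of users, it is worth confirming that the enrollment station actually holds a valid Enrollment Agent certificate and that the CA publishes the duplicated template. The following PowerShell script is an added example, not part of the original article; it assumes the template name used above (‘Vakkundig Smartcard User’), that certutil.exe is available (it ships with Windows), and that the `-CAConfig` parameter is supplied in `CAHost\CAName` form when more than one enterprise CA exists.

```powershell
# Added example (not from the original article): readiness check for the enrollment
# station described above. Run as the user who requested the Enrollment Agent certificate.

# Well-known Microsoft EKU OID (standard value, not taken from the article).
$CertRequestAgentOid = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent (Enrollment Agent)

function Get-EnrollmentAgentCertificate {
    # Certificates in the user's Personal store that carry the Certificate Request Agent EKU,
    # have a usable private key and are currently within their validity period.
    $now = Get-Date
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $CertRequestAgentOid })
    }
}

function Test-TemplatePublished {
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [string]$CAConfig = $null   # e.g. 'CAHOST\Contoso Issuing CA' (hypothetical value)
    )
    # "certutil -catemplates" lists the templates the enterprise CA is configured to issue,
    # i.e. the result of the 'Certificate Template to Issue' step above.
    $arguments = @()
    if ($CAConfig) { $arguments += @('-config', $CAConfig) }
    $arguments += '-catemplates'
    $output = & certutil.exe @arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -catemplates failed: $output" }
    [bool]($output | Where-Object { $_ -match [regex]::Escape($TemplateName) })
}

function Test-EnrollmentStation {
    param(
        [string]$TemplateName = 'Vakkundig Smartcard User',
        [string]$CAConfig = $null
    )
    $agents    = @(Get-EnrollmentAgentCertificate)
    $published = Test-TemplatePublished -TemplateName $TemplateName -CAConfig $CAConfig
    [pscustomobject]@{
        EnrollmentAgentCertCount   = $agents.Count
        EnrollmentAgentThumbprints = @($agents | ForEach-Object { $_.Thumbprint })
        TemplatePublished          = $published
        Ready                      = ($agents.Count -gt 0 -and $published)
    }
}

Test-EnrollmentStation | Format-List
```

`Ready` is $false if the Enrollment Agent certificate has expired or was issued without a private key, which is the usual reason the ‘Enroll on behalf of…’ wizard shows no signing certificate.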
I hope this helps, if you have any questions feel free to contact me.
James.
Hey Everyone, I am back with part 2 of this 3 part series on TPM protected certificates. The topics covered in this part are Virtual Smart Cards, their benefits, and lastly their limitations. I will also cover how to create a Virtual Smart Card. Management of the certificates contained on a virtual smart card is similar to that of a traditional smart card and is not covered in this article.
Virtual Smart Cards function very similarly to conventional Smart Cards. The difference is that the private key is protected by the TPM and not by the smart card media. The Virtual Smart Card emulates a smart card and reader, so the device presents itself to the operating system and applications as a traditional smart card. As for the storage of the private key, this is handled similarly to a key protected by the Microsoft Platform Crypto Provider: the private key is encrypted by the TPM and stored on the file system.
Virtual Smart Cards offer the following similarities with traditional Smart Cards.
Non-Exportability: Since the private key is encrypted by the TPM, it cannot be used on any other device.
Anti-Hammering: The TPM will lock out if a PIN is entered incorrectly too many times. This behavior is manufacturer specific.
Key Isolation: Private keys protected by the TPM are never exposed to the operating system or malware. All private key operations are handled within the TPM.
For more information see the following related article:
TPM Fundamentals - http://technet.microsoft.com/en-us/library/jj889441.aspx
Assumptions
This article assumes the individual has a basic understanding of Microsoft PKI and its components.
Prerequisites
•A domain controller running Windows Server 2003 or later*
•An enterprise certificate authority running Windows Server 2012 R2
•A desktop or laptop with a configured TPM, running Windows 8.1
*In order to process Smart Card logons, Domain Controllers must obtain a certificate based on the Domain Controller Authentication certificate template.
In this section we will create a virtual smart card on the Windows 8.1 desktop or laptop. Creating a virtual smart card is not a difficult task; however, there are a few ways of doing it. The easiest method is using the command line utility TPMVSCMGR.EXE.
To create a virtual smart card from the command line use the following command. Note: You must have admin rights on the host and the command prompt must be run as administrator.
Tpmvscmgr.exe create /name "TestVirtualSC" /pin prompt /adminkey default /generate
You should be prompted to enter a PIN; enter a PIN of your choosing, then re-enter it to confirm.
Before we go further let’s take note of what this will actually do.
Create: This is pretty self-explanatory. We are creating a virtual smartcard here.
/name: This is the name that will be given to the device you will see in Device Manager (see below)
/pin: This is the PIN that unlocks the virtual smart card. It works like a physical smart card's PIN, but is protected by the TPM anti-hammering feature.
/adminkey: the admin key that you are assigning to the virtual smart card. Admin keys are used for management purposes.
After the virtual smartcard creation it can be treated just like a traditional smart card by using the “Microsoft Base Smart Card Crypto Provider” or “Microsoft Smart Card Key Storage Provider”.
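The command above can be wrapped so that the TPM is checked first and the resulting reader device is listed for later management. This PowerShell script is an added example, not from the original post; it assumes Windows 8.1 or later (for `Get-Tpm` in the TrustedPlatformModule module), an elevated prompt as the post requires, and uses the `/adminkey RANDOM` and `/puk PROMPT` options of tpmvscmgr.exe instead of the `/adminkey default` shown in the post, because the default admin key is a published value.

```powershell
# Added example (not from the original post): create a TPM virtual smart card with
# tpmvscmgr.exe after confirming the TPM is ready, then list the reader devices it creates.

function Test-TpmReady {
    # Get-Tpm reports whether a TPM is present and ready for use (owned, enabled, activated).
    $tpm = Get-Tpm
    [pscustomobject]@{ Present = $tpm.TpmPresent; Ready = $tpm.TpmReady }
}

function Get-TpmVirtualSmartCardReader {
    # Virtual smart card readers enumerate under ROOT\SMARTCARDREADER, the same instance IDs
    # that Device Manager shows and that "tpmvscmgr destroy /instance" expects.
    # In WQL a backslash is escaped as "\\"; PowerShell passes the string through unchanged.
    Get-WmiObject Win32_PnPEntity -Filter "DeviceID LIKE 'ROOT\\SMARTCARDREADER\\%'" |
        Select-Object Name, DeviceID, Status
}

function New-TpmVirtualSmartCard {
    param([Parameter(Mandatory)][string]$Name)
    $check = Test-TpmReady
    if (-not $check.Present -or -not $check.Ready) {
        throw "TPM not present or not ready (Present=$($check.Present), Ready=$($check.Ready))"
    }
    # /pin PROMPT and /puk PROMPT ask interactively, so no secret ends up in command history.
    # /adminkey RANDOM generates and discards the admin key; unblocking then relies on the PUK.
    # Output is not captured so that the interactive prompts are displayed normally.
    & tpmvscmgr.exe create /name $Name /pin PROMPT /puk PROMPT /adminkey RANDOM /generate
    if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr create failed with exit code $LASTEXITCODE" }
    # Return the readers now present; the newest entry is the card just created.
    Get-TpmVirtualSmartCardReader
}

function Remove-TpmVirtualSmartCard {
    param([Parameter(Mandatory)][string]$InstanceId)   # e.g. ROOT\SMARTCARDREADER\0000
    # Destroys the card and every key it protects; there is no undo, so revoke the
    # certificate at the CA as well, as the first article notes for lost physical cards.
    & tpmvscmgr.exe destroy /instance $InstanceId
    if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr destroy failed with exit code $LASTEXITCODE" }
}

# Usage (interactive): New-TpmVirtualSmartCard -Name 'TestVirtualSC' | Format-Table -AutoSize
```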
In this section we will create the certificate template to be used for smartcard logon. This template will be configured to leverage the “Microsoft Smart Card Key Storage Provider”. So unless a physical or Virtual Smart Card is present the user will not be able to enroll for this type of certificate. Before we get started I want to note a few things.
- Creating this template will require Enterprise Admin rights unless you have delegated access to the templates by using one of the steps defined in this article: http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
- The template settings defined here should not be used in a production environment. Obtaining a certificate that can be used for smart card logon should not be easy. Processes should be put into place to ensure these types of certificates are procured in a secure manner (Issuance Policies), especially if they are to be used for non-repudiation. See the last section in this document “Further Considerations” for more info.
Now that this stuff is out of the way…
From the Enterprise Certificate Authority.
- Open the Certificate Templates Console - certtmpl.msc,
- Duplicate the Smartcard Logon certificate templates
- On the Compatibility tab set the Certificate Authority to Windows Server 2012 and Certificate recipient to Windows 8.1/Windows Server 2012 R2*
*Note: Windows 8.1 and Windows Server 2012 R2 are only required for key attestation. We will reuse this template in part 3 for this purpose. If your CA and client are Windows 8 and Windows Server 2012 you can still complete this exercise. If this is the case simply choose Windows 8/Windows Server 2012 in the compatibility settings.
- Click on the General Tab and give the template a name.
- Click on the Cryptography tab
- Change the Provider Category to Key Storage Provider
- Select Requests must use one of the following providers:
- Check the box for Microsoft Smart Card Key Storage Provider.
- Click Apply and OK.
- Open the Certificate Authority MMC – certsrv.msc
- Right click on the Certificate Templates container and select New, Certificate Template to Issue.
- Click on the certificate template you created and click OK.
After your Virtual Smart Card and Smart Card Logon Template has been created now we are ready to enroll for a certificate.
- Open CertMgr.msc
- Right click on the Personal container -> all tasks -> Request New Certificate
- Certificate Enrollment Wizard
- On the “Before You Begin” page click Next
- On the Select “Certificate Enrollment Policy” page Active Directory Enrollment Policy is the default. Click Next
- Choose the certificate template you created by filling the checkbox to its left and click Enroll
- Click Finish
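After enrollment it is worth checking which provider actually holds the private key: the physical-card template in the first article pins “Microsoft Base Smart Card Crypto Provider”, and the template just created pins “Microsoft Smart Card Key Storage Provider”. The following PowerShell audit is an added example, not from either article; it assumes Windows PowerShell 5.x on .NET Framework 4.6 or later (for `RSACertificateExtensions`) and that the virtual or physical card is present when the store is read.

```powershell
# Added example (not from the original articles): report the key provider behind every
# Smart Card Logon certificate in the user's Personal store and flag software-backed keys.

$SmartCardLogonOid  = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU (well-known OID)
$SmartCardProviders = @(
    'Microsoft Base Smart Card Crypto Provider',   # CSP used by the physical-card template
    'Microsoft Smart Card Key Storage Provider'    # KSP used by the virtual smart card template
)

function Get-CertificateKeyProvider {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # CSP-based keys surface as RSACryptoServiceProvider (CspKeyContainerInfo.ProviderName);
    # CNG/KSP keys surface as RSACng (Key.Provider.Provider). Opening a smart card key may
    # prompt for the card if it is not inserted; failures are reported rather than thrown.
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
        if ($null -eq $key) {
            if ($Certificate.HasPrivateKey) { return 'non-RSA key' } else { return 'no private key' }
        }
        if ($key -is [System.Security.Cryptography.RSACng]) { return $key.Key.Provider.Provider }
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) { return $key.CspKeyContainerInfo.ProviderName }
        return $key.GetType().Name
    } catch {
        return "unavailable ($($_.Exception.Message))"
    }
}

function Get-SmartCardLogonCertificateReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    Get-ChildItem $StorePath | Where-Object {
        $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $SmartCardLogonOid }
    } | ForEach-Object {
        $provider = Get-CertificateKeyProvider -Certificate $_
        [pscustomobject]@{
            Subject        = $_.Subject
            Thumbprint     = $_.Thumbprint
            NotAfter       = $_.NotAfter
            Provider       = $provider
            # $false means the logon key lives in a software provider and is exportable in
            # principle, which defeats the point of issuing a (virtual) smart card.
            HardwareBacked = ($SmartCardProviders -contains $provider)
        }
    }
}

Get-SmartCardLogonCertificateReport | Format-Table -AutoSize
```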
That’s it. We now have a Virtual Smart Card and a certificate for Smart Card Logon. We are ready to use it to log in.
Before I get started on the next section. Sorry for the low res pictures 🙂
Now that we have everything we need to log in, what will your users see? Users will see the familiar interface, but there will be a new link below: Sign-in options
Clicking on Sign-in options reveals the following.
The first is the icon that looks like a key, this is the username/password option. Do I need to explain this any further? I hope not.
This is the one we are interested in. The icon that looks like an IC or chip. Clicking on this changes the box above to state “Security Device” and the place you would typically put your password says PIN now. Hmmm... where did I see that PIN before? Oh yeah, when we created the Virtual Smart Card. I hope you remember what you set it to. Enter the PIN you used when you created the Virtual Smart Card. Voila! Smart Card Logon.
In this last section I will show you how to change a PIN for a Virtual Smart Card.
While logged in using the Virtual Smart Card press Ctrl+Alt+Del and select the option to “Change a password”. Enter the old PIN, the new PIN then confirm. That’s it.
Issuance Policy/Enrollment Requirements
It is important to give consideration as to why you are implementing Virtual Smart Cards. Most organizations choose to issue Smart Cards or Virtual Smart Cards to strengthen security. Smart card logon achieves this by requiring the user to have their physical smart card and the associated PIN in order to logon. Virtual Smart Cards are very similar. The user must have the TPM enabled device, and know the PIN.
Additional consideration should be given to enrollment for a virtual smart card. As with traditional Smart Cards, a username and password should not be the only factor required to obtain one. Your organization may determine that someone needs to enroll in person and/or provide positive ID, fill out forms or meet other requirements.
Shared Devices/Computers
It is possible to have more than one Virtual Smart Card on a device. If you do have a requirement to have more than one the interface presents similar to what you see here:
User 1: Bob
User 2: Wes
I hope you all enjoyed this post on Virtual Smart Cards and I hope it assists you in your evaluation of this security related feature. Again, this is part 2 of a 3 part series regarding protecting certificate private keys using Trusted Platform Modules. I’ll be back really soon with part 3, Key Attestation in Windows Server 2012 R2 and Windows 8.1.
Understanding and Evaluating Virtual Smart Cards - http://technet.microsoft.com/en-us/library/dn578507.aspx
TPM Platform Crypto-Provider Toolkit - http://research.microsoft.com/en-us/downloads/74c45746-24ad-4cb7-ba4b-0c6df2f92d5d/default.aspx