Installation and Configuration Guide Active Directory CA

v 0.1.1

 

 

Prerequisites

The following configuration items must be in place before users can issue and renew smart card certificates:

  • The server role "Active Directory Certificate Services" must be installed, with an Enterprise CA configured and running (certificate templates are only available on an Enterprise CA, not on a Standalone CA).

  • A certificate template for smart card logon must be configured; see section "Configuration of Certificate Template".

 

Configuration of Certificate Template

The configuration of the SmartSignatur Active Directory certificate template is required for SmartSignatur LocalID and optional for SmartSignatur GlobalID.

Configuration of SmartSignatur Default Template

Config SmartSignatur Template – default configuration:

  • On the domain controller or member server running the Certification Authority, open the "Certification Authority" console (certsrv.msc) and expand the CA node.

  • Right-click "Certificate Templates" and select "Manage" in the context menu.

  • The "Certificate Templates Console" opens.

  • Select the "Smartcard Logon" template.

  • Right-click and select "Duplicate Template" in the context menu.

  • Select Tab->General

    • change Template Display Name to "SmartSignatur".

    • change Template Name to "SmartSignatur".

    • change Validity Period to 3 years

    • change Renewal Period to 820 days (the maximum the console allows; it caps the renewal period at 75% of the validity period)

    • set "Publish certificate to Active Directory"

  • Select Tab->Request Handling

    • change Purpose to "Signature and smartcard logon"

  • Select Tab->Cryptography

    • change minimum key size to 2048

    • change cryptographic providers to "Requests must use one of the following providers"

    • select only "Microsoft Base Smart Card Crypto Provider", so that enrollment generates the key pair on the card through its minidriver rather than in software

  • Select Tab->Security

    • select "Authenticated Users"

    • in the Permissions for Authenticated Users select "Enroll" under Allow

    • Note: "Authenticated Users" covers every domain user and computer account. If only a subset of users should receive smart cards, grant Enroll to a dedicated security group instead.

  • Select Tab->Extensions

    • select "Application Policies"

    • click "Edit"

    • The list of application policies must include the items below; if any are missing, click "Add" and select the missing item(s):

      • Client Authentication

      • Document Encryption

      • Encrypting File System

      • Secure Email

      • Smart Card Logon

  • Click "OK" to save

 

Configuration of Custom SmartSignatur Template

Config SmartSignatur Template – custom configuration:

  • On the domain controller or member server running the Certification Authority, open the "Certification Authority" console (certsrv.msc) and expand the CA node.

  • Right-click "Certificate Templates" and select "Manage" in the context menu.

  • The "Certificate Templates Console" opens.

  • Select the template that best fits the customer's needs.

  • Right-click and select "Duplicate Template" in the context menu.

  • Select Tab->General

    • change Template Display Name to "SmartSignatur", or the custom configured template name.

    • change Template Name to "SmartSignatur", or the custom configured template name.

  • Select Tab->Security

    • select "Authenticated Users"

    • in the Permissions for Authenticated Users select "Enroll" under Allow

  • Customize the other settings to fit customer needs. Two settings must stay as in the default configuration: on Tab->Subject Name keep "Build from this Active Directory information" and do not select "Supply in the request", because on a template that carries the Smart Card Logon or Client Authentication application policy and that Authenticated Users can enroll, any enrollee could then request a logon certificate in another user's name; and on Tab->Extensions the Application Policies list must still contain "Smart Card Logon", or the issued certificate cannot be used for logon.

 

Client Configuration

No client configuration is necessary. Settings below are all optional and should only be used in special cases.

Certificate Template

By default, LocalID uses the certificate template named "SmartSignatur" in Active Directory. LocalID can be configured to use a different template with the registry value "AdCertificateTemplate":

[HKEY_LOCAL_MACHINE\SOFTWARE\Liga\SmartSignaturClient]

"AdCertificateTemplate"="<templatename>"

 

Support for multiple CA servers

By default, LocalID uses the default CA-issuing service in Active Directory.

LocalID can be configured to use a specific CA-issuing service, or to let the user select the CA-issuing service.

Note: the selected CA-issuing service must have the configured certificate template assigned (in the "Certification Authority" console: Certificate Templates > New > Certificate Template to Issue); otherwise enrollment fails with "The requested certificate template is not supported by this CA".

 

Configuration for default CA-issuing service

[HKEY_LOCAL_MACHINE\SOFTWARE\Liga\SmartSignaturClient]

"AdCA"="Default"

This is equivalent to not configuring the "AdCA" value in the registry at all.

 

Configuration for User selected CA-issuing service

[HKEY_LOCAL_MACHINE\SOFTWARE\Liga\SmartSignaturClient]

"AdCA"="UserSelected"

 

A dialog is shown to the user, who must select the issuing service or cancel the action.

 

Configuration for specific CA-issuing service

[HKEY_LOCAL_MACHINE\SOFTWARE\Liga\SmartSignaturClient]

"AdCA"="<name of the CA server and CA service>"

 

To find the legal values, set "AdCA"="UserSelected", run LocalID -> Issue, and copy the name shown for the wanted issuing service in the Windows dialog into the "AdCA" registry value.
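The following PowerShell script is an added example for this guide, not part of the SmartSignatur product or its documentation. It reads the template straight from the Configuration partition and checks the settings from the "Configuration of Certificate Template" section (publish to AD, subject built from AD rather than supplied in the request, key size, smart card CSP, the five application policies, renewal period), lists who holds the Enroll right on the template, and prints the CA-issuing services that have the template assigned, which is the prerequisite stated in the note above. It assumes the template name "SmartSignatur" and read access to CN=Public Key Services (every domain user has that by default). It does not assume that the printed host\CA pair is exactly the string LocalID expects in "AdCA"; that value should still be copied from the selection dialog.

```powershell
# Added example; not part of the SmartSignatur product or its documentation.
# Audits the certificate template this guide describes, directly from the Configuration
# partition, and lists the enterprise CAs that have it assigned. Runs on any domain-joined
# machine with read access to CN=Public Key Services; no RSAT module is required.
# Assumption: the template CN is "SmartSignatur" (the Template Name from the General tab).
param([string]$TemplateName = 'SmartSignatur')

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

function Find-PkiObject([string]$Container, [string]$Filter) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$Container,$pkiBase"
    $s.Filter     = $Filter
    $s.PageSize   = 200
    $s.FindAll()
}

# pKIExpirationPeriod / pKIOverlapPeriod are stored as negative 64-bit counts of 100 ns ticks
function ConvertTo-Days([byte[]]$Raw) {
    $ticks = [BitConverter]::ToInt64($Raw, 0)
    [math]::Round((-$ticks) / 864e9, 1)       # 864e9 ticks per day
}

# Template flag bits, extended-right GUID and EKU OIDs from the AD CS schema
$CT_FLAG_PUBLISH_TO_DS             = 0x8    # msPKI-Enrollment-Flag: "Publish certificate to Active Directory"
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: "Supply in the request"
$CertificateEnrollmentRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$RequiredEku = [ordered]@{
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.80.1'   = 'Document Encryption'
    '1.3.6.1.4.1.311.10.3.4' = 'Encrypting File System'
    '1.3.6.1.5.5.7.3.4'      = 'Secure Email'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
}

$hit = @(Find-PkiObject 'CN=Certificate Templates' "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))")
if ($hit.Count -eq 0) {
    throw "Template '$TemplateName' not found under $pkiBase; clients will see 0x80094800 until it exists."
}
$p = $hit[0].Properties
$enrollFlags = [int]$p['mspki-enrollment-flag'][0]
$nameFlags   = [int]$p['mspki-certificate-name-flag'][0]
$minKey      = [int]$p['mspki-minimal-key-size'][0]
$ekus        = @($p['pkiextendedkeyusage'] | ForEach-Object { [string]$_ })
$csps        = @($p['pkidefaultcsps']      | ForEach-Object { [string]$_ })   # entries look like "1,<provider name>"
$validity    = ConvertTo-Days $p['pkiexpirationperiod'][0]
$renewal     = ConvertTo-Days $p['pkioverlapperiod'][0]

$checks = [ordered]@{
    'Publish certificate to Active Directory'             = ($enrollFlags -band $CT_FLAG_PUBLISH_TO_DS) -ne 0
    'Subject built from AD (not "Supply in the request")' = ($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0
    'Minimum key size >= 2048'                            = $minKey -ge 2048
    'Microsoft Base Smart Card Crypto Provider listed'    = ($csps -join ';') -like '*Microsoft Base Smart Card Crypto Provider*'
    'Renewal period within 75% of validity'               = $renewal -le (0.75 * $validity)
}
foreach ($oid in $RequiredEku.Keys) {
    $checks["Application policy: $($RequiredEku[$oid]) ($oid)"] = $ekus -contains $oid
}

"Template $TemplateName : validity $validity days, renewal $renewal days"
foreach ($name in $checks.Keys) {
    '{0}  {1}' -f ($(if ($checks[$name]) { 'PASS' } else { 'FAIL' }), $name)
}

# Who may enroll: the Certificate-Enrollment extended right (or full control) on the template object
$acl = $hit[0].GetDirectoryEntry().ObjectSecurity
$enrollers = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.ObjectType -eq $CertificateEnrollmentRight -or
                    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) } |
    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
"Enroll (or full control) granted to: $($enrollers -join ', ')"

# CAs that have the template assigned; the selection dialog in LocalID lists these issuing services
$cas = Find-PkiObject 'CN=Enrollment Services' '(objectClass=pKIEnrollmentService)' |
    Where-Object { @($_.Properties['certificatetemplates'] | ForEach-Object { [string]$_ }) -contains $TemplateName } |
    ForEach-Object { '{0}\{1}' -f $_.Properties['dnshostname'][0], $_.Properties['cn'][0] }
if ($cas) { "Assigned to CA(s): $($cas -join ', ')" }
else      { "FAIL  No enterprise CA issues '$TemplateName' (Certificate Templates > New > Certificate Template to Issue)" }
```

Run it as any domain user; a FAIL on the "Subject built from AD" line means the template has drifted from the configuration in this guide and should be corrected before it is issued by any CA. The enrollment list includes rights inherited from the container, so administrative groups with full control appear alongside "Authenticated Users".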

 

Configuration of GPOs

 

The configuration is optional. Both settings are security options under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

 

Lock session at smart card removal

Policy "Interactive logon: Smart card removal behavior", set to "Lock Workstation". The "Smart Card Removal Policy" service (SCPolicySvc) must be running on the client for the setting to take effect.

https://technet.microsoft.com/en-us/library/ff404291(v=ws.10).aspx

 

Force smart card login

Policy "Interactive logon: Require smart card" (named "Interactive logon: Require Windows Hello for Business or smart card" on recent Windows builds). Enable it only after every affected user has a working card, since password logon is refused once it is in effect.

https://social.technet.microsoft.com/Forums/en-US/4c2aea7c-b52f-480e-a7ba-ec08c43be16b/windows-10-smart-card-login-by-default?forum=win10itprosetup

 
Troubleshooting

The permissions on the certificate template do not allow the current user to enroll for this type of certificate

 

Problem:

Renew throws error: 0x80094012 (-2146877422) Certificate Request Processor: The permissions on the certificate template do not allow the current user to enroll for this type of certificate.

Cause:

Security is configured incorrectly on the SmartSignatur certificate template.

Fix:

Configure permissions on the "SmartSignatur" certificate template:

  • On the domain controller or member server running the Certification Authority, open the "Certification Authority" console (certsrv.msc) and expand the CA node.

  • Right-click "Certificate Templates" and select "Manage" in the context menu.

  • The "Certificate Templates Console" opens.

  • Right-click the "SmartSignatur" template and select "Properties".

  • Select Tab->Security

    • select "Authenticated Users"

    • in the Permissions for Authenticated Users select "Enroll" under Allow

    • click "OK"

The requested certificate template is not supported by this CA

Problem:

Issue or Renew throws error CertEnroll::CX509CertificateRequestPkcs10::InitializeFromPrivateKey: The requested certificate template is not supported by this CA. 0x80094800 (-2146875392)

Cause:

The certificate template "SmartSignatur" is not configured, or it exists but has not been added to the list of templates that the CA issues.

Fix:

Configure the "SmartSignatur" certificate template as described in the documentation. Then, in the "Certification Authority" console, right-click "Certificate Templates", select New > Certificate Template to Issue, and add "SmartSignatur". When several CAs exist, the one selected through "AdCA" is the one that must issue the template.

 

No valid certificates on chip card

 

Problem:

Client reports “No valid certificates on chip card” at logon.

Cause-A:

The certificates from the CA-issuing service are not trusted.

Fix-A:

Verify that the correct CA is used and that its root certificate is present in the Trusted Root Certification Authorities store on desktops and domain controllers. Smart card logon additionally requires the issuing CA certificate to be in the Enterprise NTAuth store (list it with certutil -enterprise -store NTAuth).

Cause-B:

The issued user certificates are not updated on the user in Active Directory (verify that the attribute userCertificate is present on the user object, using ADSI Edit).

Fix-B:

On the certificate template, under the tab "General", verify that "Publish certificate to Active Directory" is set.

Verify that Active Directory domain controller replication is functional.

Cause-C:

The mini driver settings are not present in the registry; they are located in "HKEY_LOCAL_MACHINE\SOFTWARE\cv cryptovision\sc interface" and "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\cv cryptovision\sc interface".

Fix-C:

Reinstall the LocalID product to re-establish the settings.
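The following PowerShell script is an added example, not part of the SmartSignatur product or its documentation. Run on the affected workstation, it walks through Cause-A to Cause-C above for one user (the published userCertificate values, chain trust and the NTAuth check for the issuing CA, the two mini driver registry keys) and then reports the effective values of the two policies from the "Configuration of GPOs" section. It assumes the logon name in $SamAccountName, the registry paths quoted in Cause-C, and that the domain's NTAuth store is cached in the local registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates, as it is on domain members that have applied Group Policy.

```powershell
# Added example; not part of the SmartSignatur product or its documentation.
# Run on the affected workstation (PowerShell 5.1 or later). Walks through Cause-A..Cause-C of
# "No valid certificates on chip card" for one user and reports the two smart card policies.
# Assumptions: -SamAccountName is the logon user; the mini driver keys are the two paths
# quoted in Cause-C; the domain NTAuth store is cached under
# HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates (one subkey per thumbprint).
param([string]$SamAccountName = $env:USERNAME)

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'
$NtAuthCache = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
function Mark([bool]$Ok, [string]$Text) { '{0}  {1}' -f ($(if ($Ok) { 'PASS' } else { 'FAIL' }), $Text) }

# --- Cause-B: is anything published in the user's userCertificate attribute? -----------------
$s = New-Object System.DirectoryServices.DirectorySearcher
$s.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$null = $s.PropertiesToLoad.AddRange([string[]]@('usercertificate', 'distinguishedname'))
$user = $s.FindOne()
if (-not $user) { throw "User '$SamAccountName' not found in the domain" }
# the unary comma keeps each byte[] intact instead of unrolling it into single bytes
$blobs = @($user.Properties['usercertificate'] | ForEach-Object { ,[byte[]]$_ })
Mark ($blobs.Count -gt 0) ('userCertificate on {0}: {1} value(s)' -f $user.Properties['distinguishedname'][0], $blobs.Count)

# --- Cause-A: does each published certificate chain to a trusted root, and is the issuing CA
#     in the NTAuth cache? Smart card logon needs both. ----------------------------------------
foreach ($raw in $blobs) {
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'     # trust only; CRL reachability is a separate check
    $trusted = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $eku     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Extended Key Usage
    $hasScLogon = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $SmartCardLogonEku }))
    $issuerInNtAuth = $false
    if ($trusted -and $chain.ChainElements.Count -gt 1) {
        $issuerInNtAuth = Test-Path (Join-Path $NtAuthCache $chain.ChainElements[1].Certificate.Thumbprint)
    }
    ''
    "Certificate: $($cert.Subject)  issued by $($cert.Issuer)  expires $($cert.NotAfter)"
    Mark ($cert.NotAfter -gt (Get-Date)) 'not expired'
    Mark $hasScLogon 'has the Smart Card Logon application policy'
    Mark $trusted "chains to a trusted root ($(if ($status) { $status } else { 'NoError' }))"
    Mark $issuerInNtAuth 'issuing CA present in the NTAuth cache'
}

# --- Cause-C: mini driver settings -----------------------------------------------------------
''
foreach ($key in 'HKLM:\SOFTWARE\cv cryptovision\sc interface',
                 'HKLM:\SOFTWARE\WOW6432Node\cv cryptovision\sc interface') {
    Mark (Test-Path $key) $key
}

# --- GPO section: effective smart card policies on this client --------------------------------
''
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
$policies = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$removalText = @{ '0' = 'No action'; '1' = 'Lock workstation'; '2' = 'Force logoff'; '3' = 'Disconnect Remote Desktop session' }
$removal = "$($winlogon.ScRemoveOption)"
'Smart card removal behavior: ' + $(if ($removalText.ContainsKey($removal)) { $removalText[$removal] } else { 'not configured' })
$scpolicy = Get-Service SCPolicySvc -ErrorAction SilentlyContinue
Mark ($scpolicy -and $scpolicy.Status -eq 'Running') 'Smart Card Removal Policy service (SCPolicySvc) running; required for lock on removal'
'Require smart card for interactive logon: ' + $(if ($policies.scforceoption -eq 1) { 'enabled' } else { 'not enabled' })
```

A certificate that passes every line here but still produces "No valid certificates on chip card" points at the card itself rather than the directory or trust configuration, so Cause-C and the card contents are the next thing to check; a published certificate with a FAIL on the NTAuth line will be rejected at logon even though it chains cleanly in the Windows UI.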