Active Directory authentication with BE eID Smartcard

This guide explains how to configure an Active Directory domain so that the Belgian eID smartcard can be used as an authentication token.


Why this?

More and more countries are deploying smartcard systems that could be used to authenticate a user. I am sure you are tired of remembering so many passwords, and of the lack of security they cause (trivial passwords, a helpdesk nightmare, password resets with sometimes very simplistic reset rules ...).

Deploying hardware tokens has become usual in many companies, but it requires investment. So why not use the smartcard already in your wallet? This document explains how to use the Belgian identity card and its PIN to authenticate a user.

Using the BE eID card is not so trivial, because these cards lack some of the information Windows normally requires for smartcard logon (a UPN in the certificate, an AT_KEYEXCHANGE key, the Smart Card Logon EKU), and CRL checking can also be difficult.

This document must be used as lab documentation, to build a proof of concept, and not in production! Changing or implementing your PKI infrastructure is at your own risk. This document only reflects our own setup, built to get the evidence that using the BE eID card for NT domain authentication is feasible.

Note that some non-domain authentication software is available on the web:

    http://www.mysmartlogon.com/products/eidauthenticate.html

    http://code.google.com/p/eid-applet/

We apologize, but the screenshots will be in French.


Material needed:

- Recommended: Windows 7 and Windows 2008 R2 (Windows Vista and Windows 2008 are the minimum)
- Windows 2008 R2 Enterprise (here is the link to a trial):
  http://www.microsoft.com/windowsserver2008/en/us/trial-software.aspx
- A Belgian eID (identity card) and the associated software (on server and client):
  www.eid.be (eID framework, e.g. version 3.5.4)
- A certificate already deployed on your Domain Controller (we recommend using Microsoft Certification Authority, see later in the document)
- Two BE eID smartcard readers (e.g. ACR 38 U)

André Debilloez, www.sec4bizz.com, free to copy but let me know if it was useful for you.
Part 1: Setup of a Test Windows Domain

- Run the Windows 2008 R2 setup.
- Make your initial logon and apply all security updates.
- Run DCPROMO and create a dedicated, isolated domain for this lab.
- At the end of DCPROMO and after the reboot you have a new forest and a DNS server running on your test server.
- Install a Windows 7 client (e.g. the Test Drive business edition).
- Join this Windows 7 client to the domain.
- Install the BE eID framework on all machines.


Part 2: Installing Microsoft Certification Authority

- These steps are to be performed on your DC.
- Microsoft Certification Authority is a role you need to add on your server.
  o During the process you will have to choose:
    - Select Root Authority
    - Select an Enterprise CA (this will be helpful for a future lab we will provide later)
- Obtain a certificate for your DC:
  o Run MMC and add the Certificates snap-in for the local "Computer Account".
  o Open the "Personal" folder -> Certificates.
  o Right-click on Certificates and request a new certificate:




- Next, and select an Active Directory enrollment policy:

- Select and Next; after that, select the following roles:

- At the end, perform a reboot.

- If you have not correctly followed these steps, an event ID 19 will be logged on your DC and logon with the smartcard will fail, stating that your account is not configured for smartcard authentication. This is because PKINIT (certificate-based Kerberos pre-authentication with the DC) is not possible without a suitable certificate on the DC; in real life every DC will require such a certificate.



Part 3: Tuning the Domain Controller and the client to accept a BE eID card


Step 1 - Domain policy:

- Set up your domain default policy (see the screenshot to locate the settings and which ones to set).

- After they have been applied (e.g. GPUpdate) you will have the following registry keys (on both DC and client):

  [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
  "AllowCertificatesWithNoEKU"=dword:00000001
  "AllowSignatureOnlyKeys"=dword:00000001
  "ForceReadingAllCertificates"=dword:00000001

Step 2: Customize the registry

These steps are needed to ensure the BE eID card specificities are accepted for authentication.

- On the client and the DC, configure the registry as follows:

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
  "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
  "CRLTimeoutPeriod"=dword:00000001

- On the Domain Controller only, as follows:

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc]
  "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
  "SCLogonEKUNotRequired"=dword:00000001

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
  "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001

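As an added check, not part of the original guide: the PowerShell script below reads every value listed in Step 1 and Step 2 on the machine it runs on and reports which of these lab relaxations is active, so you can confirm the GPO and registry changes landed and, once the lab is over, that they were removed again. The key paths and value names are the ones above; nothing else is assumed.

```powershell
# Added example, not part of the original guide: audit which of the Part 3
# relaxations are active on this machine. Run in an elevated PowerShell on the
# DC and on the client. Every path and value name comes from the guide above.
$labRelaxations = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider';
       Name = 'AllowCertificatesWithNoEKU';  Scope = 'DC and client' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider';
       Name = 'AllowSignatureOnlyKeys';      Scope = 'DC and client' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider';
       Name = 'ForceReadingAllCertificates'; Scope = 'DC and client' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters';
       Name = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'; Scope = 'DC and client' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters';
       Name = 'CRLTimeoutPeriod';            Scope = 'DC and client' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc';
       Name = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'; Scope = 'DC only' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc';
       Name = 'SCLogonEKUNotRequired';       Scope = 'DC only' }
)

function Get-LabRelaxationState {
    param([hashtable]$Entry)

    # Read the value if the key and the value both exist; otherwise leave $null.
    $current = $null
    if (Test-Path -LiteralPath $Entry.Path) {
        $item = Get-ItemProperty -LiteralPath $Entry.Path -Name $Entry.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.($Entry.Name) }
    }

    # The guide sets every one of these to 1. An absent value is the Windows
    # default: EKU required, key-exchange key required, revocation failures
    # fatal, default CRL timeout. That is the state a production domain keeps.
    if ($current -eq 1)          { $state = 'LAB RELAXATION ACTIVE' }
    elseif ($null -eq $current)  { $state = 'not set (Windows default)' }
    else                         { $state = "set to $current" }

    [pscustomobject]@{
        Scope = $Entry.Scope
        Key   = $Entry.Path
        Name  = $Entry.Name
        State = $state
    }
}

$labRelaxations | ForEach-Object { Get-LabRelaxationState -Entry $_ } | Format-Table -AutoSize -Wrap
```

On the client the two "DC only" rows are expected to read "not set"; any row still reporting "LAB RELAXATION ACTIVE" after the lab is torn down is a finding.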

Part 4: Import the Belgian certification authorities

Currently there is not only one set of eID authorities; you need 3 in fact (because since 17 October 2008 a new authority has been deployed).

- You will have one for the root, called: Belgian Root CA
- And 2 with the name: Citizen CA (2 because of this new re-deployment; in this document we will assume the one you get is the one you use)

Step 1: Export the authority certificates (public keys, .cer)

For these steps the easiest way is to export them into files from the eID Viewer.

- Put a card into the reader and launch the eID Viewer -> go to the Certificates tab




- Click on Root (1), then click Details (1a).

- Click on the Details tab.

- Click on the Copy to File ... button.

- Save it, e.g. in C:\tmp, with the name "Belgian Root CA.cer".
- Redo these steps for the Citizen CA (see the screenshot above, the blue (2) and (2a)), but save it as "Citizen CA.cer".
- At this step you have exported the public keys of 2 of the 3 Belgian authorities. These are to be imported into your infrastructure so they are recognized as trusted.



Step 2: Import them into your systems

Import them onto your DC and client.

Please note that you can use a GPO for this task, see:

    http://support.microsoft.com/kb/281245

- Copy these 2 files (.cer), e.g. into c:\tmp
- Run CMD.exe with administrative privilege (right-click and Run as administrator!).
- Go to c:\tmp
- Run the following commands:
  o C:\tmp>certutil -addstore ROOT "Belgian Root CA.cer"
  o C:\tmp>certutil -addstore CA "Citizen CA.cer"

Step 3: Register these authorities as NTAuthCA

Look here for more info: http://support.microsoft.com/kb/295663/

Go back onto your DC ONLY with the admin CMD. Note that publishing a CA to the NTAuth store makes every certificate it issues eligible for domain logon mapping, which is one more reason this setup stays in the lab.

- Run CMD.exe with administrative privilege (right-click and Run as administrator!).
- Go to c:\tmp
- Run the following commands:
  o C:\tmp>certutil -dspublish -f "Belgian Root CA.cer" NTAuthCA
  o C:\tmp>certutil -dspublish -f "Citizen CA.cer" NTAuthCA


Part 5: User configuration and certificate mapping

Step 1: Export your user certificate

Use the same process as in Part 4, Step 1. You will be able to export your own user certificate and store it in c:\tmp\myuser.cer (take the "Authentication certificate").
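As an added example, not from the original guide: this PowerShell script opens the exported authentication certificate (assumed to be at c:\tmp\myuser.cer, the path used above) and reports the properties the guide works around, namely the missing Smart Card Logon EKU, signature-only key usage, the missing UPN, and the revocation status of the chain, so you can see which Part 3 setting each one triggers. It assumes the Belgian CA certificates from Part 4 are already in the local stores.

```powershell
# Added example, not part of the original guide. Inspects the exported eID
# authentication certificate and reports why the Part 3 relaxations are needed.
# Assumed input path: c:\tmp\myuser.cer (the file exported in Part 5, Step 1).
param([string]$CertPath = 'C:\tmp\myuser.cer')

$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# Well-known EKU object identifiers.
$smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
$clientAuthOid     = '1.3.6.1.5.5.7.3.2'

# Enhanced Key Usage: Windows smartcard logon expects Smart Card Logon here.
$ekus = @()
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

# Key Usage: a DigitalSignature-only key is what AllowSignatureOnlyKeys exists for.
$kuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$keyUsages = if ($kuExt) { $kuExt.KeyUsages.ToString() } else { 'None' }

# UPN lives in the Subject Alternative Name extension (OID 2.5.29.17) as an
# otherName; the formatted extension text contains "Principal Name=" when present.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$hasUpn = [bool]($sanExt -and ($sanExt.Format($false) -match 'Principal Name='))

# Build the chain with online revocation checking, the way the KDC would
# without UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors. A result of
# RevocationStatusUnknown / OfflineRevocation is the "CRL can be difficult" case.
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$built  = $chain.Build($cert)
$status = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
if (-not $status) { $status = 'NoError' }

[pscustomobject]@{
    Subject              = $cert.Subject
    Issuer               = $cert.Issuer
    HasSmartCardLogonEKU = ($ekus -contains $smartCardLogonOid)  # $false => AllowCertificatesWithNoEKU + SCLogonEKUNotRequired
    HasClientAuthEKU     = ($ekus -contains $clientAuthOid)
    KeyUsage             = $keyUsages                            # 'DigitalSignature' only => AllowSignatureOnlyKeys
    HasUpnInSAN          = $hasUpn                               # $false => explicit name mapping (Part 5, Step 2)
    ChainBuilds          = $built
    ChainStatus          = $status                               # revocation errors => the CRL registry values
    ChainPath            = (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
} | Format-List
```

If ChainPath stops at the Citizen CA or shows UntrustedRoot, Part 4 Step 2 was not completed on this machine.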




Step 2: Configure the certificate for your user

- Open AD Users and Computers.
- Enable "Advanced Features" in the View menu.

- Right-click the user you want to map this card to and choose Name Mappings.

- Select the certificate you want to map (e.g. c:\tmp\myuser.cer).




Reboot both machines and test from the "Insert smartcard" logon screen!





More Related Content

Viewers also liked

Becta Research Conference Sept. 2007
Becta Research Conference Sept. 2007 Becta Research Conference Sept. 2007
Becta Research Conference Sept. 2007 Mike Sharples
 
Keywords Marzo Abril2007
Keywords Marzo Abril2007Keywords Marzo Abril2007
Keywords Marzo Abril2007guest0b2315
 
Tegurdamine
TegurdamineTegurdamine
Tegurdamineandresta
 
A,E,J &J Presentation
A,E,J &J PresentationA,E,J &J Presentation
A,E,J &J Presentationguest1b1543
 
Rollbase Mobile Tech Tips
Rollbase Mobile Tech TipsRollbase Mobile Tech Tips
Rollbase Mobile Tech TipsProgress
 
PATTY: A Taxonomy of Relational Patterns with Semantic Types
PATTY: A Taxonomy of Relational Patterns with Semantic TypesPATTY: A Taxonomy of Relational Patterns with Semantic Types
PATTY: A Taxonomy of Relational Patterns with Semantic TypesAkihiro Kameda
 
Physicsjeopardy
PhysicsjeopardyPhysicsjeopardy
Physicsjeopardykitcoffeen
 
Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)siouxhotornot
 

Viewers also liked (17)

Booting from VHD
Booting from VHDBooting from VHD
Booting from VHD
 
What Are Dreams
What Are DreamsWhat Are Dreams
What Are Dreams
 
Becta Research Conference Sept. 2007
Becta Research Conference Sept. 2007 Becta Research Conference Sept. 2007
Becta Research Conference Sept. 2007
 
FunHalo
FunHaloFunHalo
FunHalo
 
Ruta
Ruta Ruta
Ruta
 
Keywords Marzo Abril2007
Keywords Marzo Abril2007Keywords Marzo Abril2007
Keywords Marzo Abril2007
 
Tegurdamine
TegurdamineTegurdamine
Tegurdamine
 
Esitlus
EsitlusEsitlus
Esitlus
 
Creation
CreationCreation
Creation
 
Rombus
RombusRombus
Rombus
 
Chembond
ChembondChembond
Chembond
 
Creation
CreationCreation
Creation
 
A,E,J &J Presentation
A,E,J &J PresentationA,E,J &J Presentation
A,E,J &J Presentation
 
Rollbase Mobile Tech Tips
Rollbase Mobile Tech TipsRollbase Mobile Tech Tips
Rollbase Mobile Tech Tips
 
PATTY: A Taxonomy of Relational Patterns with Semantic Types
PATTY: A Taxonomy of Relational Patterns with Semantic TypesPATTY: A Taxonomy of Relational Patterns with Semantic Types
PATTY: A Taxonomy of Relational Patterns with Semantic Types
 
Physicsjeopardy
PhysicsjeopardyPhysicsjeopardy
Physicsjeopardy
 
Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)
 

Similar to AD authentication with be eID

2018. 03 mb sd connect c4 c5 xentry start key activation
2018. 03 mb sd connect c4 c5 xentry start key activation2018. 03 mb sd connect c4 c5 xentry start key activation
2018. 03 mb sd connect c4 c5 xentry start key activationtasha ou
 
Using IBM Blockchain Platform (November 2019)
Using IBM Blockchain Platform (November 2019)Using IBM Blockchain Platform (November 2019)
Using IBM Blockchain Platform (November 2019)Matt Lucas
 
Validating A Product Key In A Vs
Validating A Product Key In A VsValidating A Product Key In A Vs
Validating A Product Key In A VsRaj Chanchal
 
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)MongoDB
 
Control relay via schedule time
Control relay via schedule timeControl relay via schedule time
Control relay via schedule timetopomax
 
Authenticate and authorize your IIoTdevices
Authenticate and authorize your IIoTdevicesAuthenticate and authorize your IIoTdevices
Authenticate and authorize your IIoTdevicesteam-WIBU
 
Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Brent Muir
 
Handson1 6 federp
Handson1 6 federpHandson1 6 federp
Handson1 6 federpfederpmatc
 
User id installation and configuration
User id installation and configurationUser id installation and configuration
User id installation and configurationAlberto Rivai
 
Session 10 Tp 10
Session 10 Tp 10Session 10 Tp 10
Session 10 Tp 10githe26200
 
Ammar hasayen microsoft ILM/FIM 2007 guide
Ammar hasayen   microsoft ILM/FIM 2007 guideAmmar hasayen   microsoft ILM/FIM 2007 guide
Ammar hasayen microsoft ILM/FIM 2007 guideAmmar Hasayen
 
Training Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183xTraining Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183xAbdelilah CHARBOUB
 
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)Rajesh Anbalagan
 
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...Protect724tk
 
SH 2 - SES 1 - Stitch_Workshop_TLV.pptx
SH 2 - SES 1 - Stitch_Workshop_TLV.pptxSH 2 - SES 1 - Stitch_Workshop_TLV.pptx
SH 2 - SES 1 - Stitch_Workshop_TLV.pptxMongoDB
 
Actor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active DirectoryActor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active Directoryprotect724rkeer
 
A step by step guide to develop temperature sensor io t application using ibm...
A step by step guide to develop temperature sensor io t application using ibm...A step by step guide to develop temperature sensor io t application using ibm...
A step by step guide to develop temperature sensor io t application using ibm...Azilen Technologies Pvt. Ltd.
 

Similar to AD authentication with be eID (20)

2018. 03 mb sd connect c4 c5 xentry start key activation
2018. 03 mb sd connect c4 c5 xentry start key activation2018. 03 mb sd connect c4 c5 xentry start key activation
2018. 03 mb sd connect c4 c5 xentry start key activation
 
Using IBM Blockchain Platform (November 2019)
Using IBM Blockchain Platform (November 2019)Using IBM Blockchain Platform (November 2019)
Using IBM Blockchain Platform (November 2019)
 
Validating A Product Key In A Vs
Validating A Product Key In A VsValidating A Product Key In A Vs
Validating A Product Key In A Vs
 
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
 
Control relay via schedule time
Control relay via schedule timeControl relay via schedule time
Control relay via schedule time
 
Using idoc method in lsmw
Using idoc method in lsmwUsing idoc method in lsmw
Using idoc method in lsmw
 
Azure hands on lab
Azure hands on labAzure hands on lab
Azure hands on lab
 
Authenticate and authorize your IIoTdevices
Authenticate and authorize your IIoTdevicesAuthenticate and authorize your IIoTdevices
Authenticate and authorize your IIoTdevices
 
Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)
 
Handson1 6 federp
Handson1 6 federpHandson1 6 federp
Handson1 6 federp
 
Microsoft Lync Server 2010 Installation
Microsoft Lync Server 2010 InstallationMicrosoft Lync Server 2010 Installation
Microsoft Lync Server 2010 Installation
 
User id installation and configuration
User id installation and configurationUser id installation and configuration
User id installation and configuration
 
Session 10 Tp 10
Session 10 Tp 10Session 10 Tp 10
Session 10 Tp 10
 
Ammar hasayen microsoft ILM/FIM 2007 guide
Ammar hasayen   microsoft ILM/FIM 2007 guideAmmar hasayen   microsoft ILM/FIM 2007 guide
Ammar hasayen microsoft ILM/FIM 2007 guide
 
Training Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183xTraining Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183x
 
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)
 
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
 
SH 2 - SES 1 - Stitch_Workshop_TLV.pptx
SH 2 - SES 1 - Stitch_Workshop_TLV.pptxSH 2 - SES 1 - Stitch_Workshop_TLV.pptx
SH 2 - SES 1 - Stitch_Workshop_TLV.pptx
 
Actor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active DirectoryActor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active Directory
 
A step by step guide to develop temperature sensor io t application using ibm...
A step by step guide to develop temperature sensor io t application using ibm...A step by step guide to develop temperature sensor io t application using ibm...
A step by step guide to develop temperature sensor io t application using ibm...
 

Recently uploaded

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

AD authentication with be eID

  • 1. Active Directory authentication with BE eID Smartcard This guide explains how to configure an ActiveDirectory to enable Be eID Smartcard as authentication token. Why this ? More and more countries are deploying smartcard systems that could be used to authenticate a user. I’m sure you are tired to remember so many password and the lack of security caused (most simple password, helpdesk nightmare, reset password with sometimes very simplistic reset rules …) Deploying HW token become usual in many company but this require investment. So why not using already available smartcard in your wallet. This document will explain how to used the Belgian identity card and PIN to authenticated a user. Using BE eID card is not so trivial because these Card didn’t use some pre-requisite information (ie UPN, AT_KEYEXCHANGE, EKU) and the CRL can also be difficult. This document must be used as a Lab. Documentation, to do a proof of concept not used in production ! Changing or implementing your PKI infra is at your own risk. This document only reflect our own setup to get the evidence that using BE-eID-Card for NT Domain authentication is feasible. You can notice that some non-domain authentication software are available on the web: http://www.mysmartlogon.com/products/eidauthenticate.html http://code.google.com/p/eid-applet/ We apologize, but Print -Screen will be in French. Material needed :  Recommended Windows 7 and Windows 2008 R2 (Windows Vista, and Windows 2008 is the minimum)  The Windows 2008 R2 Enterprise (here the link to a trial) http://www.microsoft.com/windowsserver2008/en/us/trial-software.aspx  Belgium eID (identity card) and associated software (on Server and Client) www.eid.be (eid framework ie ver 3.5.4)  Certificate already deployed on your Domain Controller (we recommend to used Microsoft Certification Authority, see later in the doc.)  Two BE eID Smartcard reader (ie. 
ACR 38 U) André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.
  • 2. Part 1 : Setup of a Test Windows Domain  Run the Windows 2008 R2 Setup  Make you initial logon and perform all security update  Run your DCPROMO and create a dedicated and isolated domain for this lab.  At the end of the DCPROMO and after the reboot you have a new Forest and a DNS Running onto your test server lab.  Install a Windows 7 Client (ie. Test drive business edition))  Join this Windows 7 to the domain  Install the BE EID framework on all machine Y Part 2 : Installing Microsoft Certification Authority  These step are to perform on your DC.  Microsoft Certification Authority is a Role you need to add on your server. o During the Process you will have to choose for a :  Select Root Authority  And Select an Enterprise CA (this will be helpful for future lab. We will provide later)  Obtain a Certificate for you DC o Runn MMC add the certificate Snapp-in for the Local “Computer Account” o Open the ” Personal” folder -> Certificates o Right Click on certificate and Request a new certificate : André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.
  • 3.  Next and Select an Active Directory plocicy :  Select and Next, After Select the following roles :  At the end perform a reboot  If you have not correctly followed these steps, an event ID 19 will be logged into your DC and Login with Smartcard will failed stating that your account is not configured for Smart Card authentication. This is due to the fact that PKI Init (authentication with the DC is not feasible due to the lack of the certificate on the DC, in real live each DC will require a such certificate…) André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.
• 4. Part 3: Tuning the domain controller and the client to accept a BE eID card

Step 1 - Domain policy:
- Set up your domain default policy (see the print-screen for where to find the settings and which ones to set).
- After they are applied (e.g. GPUpdate) you will have the following registry keys (on both DC and client):

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"AllowCertificatesWithNoEKU"=dword:00000001
"AllowSignatureOnlyKeys"=dword:00000001
"ForceReadingAllCertificates"=dword:00000001

Step 2: Customize the registry
These steps are needed to ensure the BE eID card specificities are accepted for authentication.
- On the client and DC, configure the registry as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"CRLTimeoutPeriod"=dword:00000001

• 5.
- On the domain controller only, as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"SCLogonEKUNotRequired"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001

Part 4: Import the Belgian certification authority certificates
Currently there is not only one set of eID authorities; you need 3 in fact (because since 17 October 2008 a new authority has been deployed).
- You will have one for the root, called "Belgian Root CA".
- And 2 with the name "Citizen CA" (2 because of this new re-deployment; in this doc we assume the one you get from your card is the one you use).

Step 1: Export the authority public key certificates (.cer)
For this step the easiest is to export them into files from the eID Viewer.
- Put a card into the reader, launch the eID Viewer and go under the Certificates tab.
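The registry values of Part 3 above, as an added PowerShell example that is not part of the original deck. It applies the same values per role and then audits a machine for the ones that relax revocation and EKU checking, because a lab machine that keeps them is accepting eID certificates without a working CRL check (a revoked card could still log on). The function names, the role switch and the use of the HKLM: drive are my assumptions; the key paths and values are the ones from the deck. Assumes an elevated PowerShell on the DC or client.

```powershell
# Added example (not from the original deck): apply the Part 3 lab registry
# settings per role, then audit a machine for the revocation-weakening ones.
# Assumes an elevated PowerShell on Windows 7 / 2008 R2 or later.

$LabSettings = @{
    # Smart card credential provider policy (GPO-applied on DC and client)
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider' = @{
        AllowCertificatesWithNoEKU  = 1   # eID auth cert carries no Smart Card Logon EKU
        AllowSignatureOnlyKeys      = 1   # eID keys are signature-only, not AT_KEYEXCHANGE
        ForceReadingAllCertificates = 1
    }
    # Kerberos client settings (DC and client)
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' = @{
        UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors = 1
        CRLTimeoutPeriod                                 = 1
    }
}
$DcOnlySettings = @{
    # KDC settings (DC only)
    'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' = @{
        UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors = 1
        SCLogonEKUNotRequired                            = 1
    }
}

function Set-EidLabRegistry {
    param([ValidateSet('DC', 'Client')][string]$Role)
    $sets = @($LabSettings)
    if ($Role -eq 'DC') { $sets += $DcOnlySettings }   # append the KDC hashtable
    foreach ($set in $sets) {
        foreach ($key in $set.Keys) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            foreach ($name in $set[$key].Keys) {
                Set-ItemProperty -Path $key -Name $name -Value $set[$key][$name] -Type DWord
            }
        }
    }
}

# These values trade revocation/EKU checking for lab convenience. While they
# are set, a revoked eID (lost or stolen card) can still authenticate, so an
# audit should report them before a machine leaves the lab.
function Test-EidLabRegistry {
    $checks = @(
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'; Name = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors' },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc';                    Name = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors' },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc';                    Name = 'SCLogonEKUNotRequired' },
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'; Name = 'AllowCertificatesWithNoEKU' }
    )
    foreach ($c in $checks) {
        # Missing key or value reads back as $null, i.e. the default (checks on)
        $value = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        New-Object -TypeName PSObject -Property @{
            Key     = $c.Key
            Name    = $c.Name
            Value   = $value
            LabOnly = ($value -eq 1)   # $true means the relaxation is active
        }
    }
}

# Usage (run elevated):
#   Set-EidLabRegistry -Role DC        # or: -Role Client
#   Test-EidLabRegistry | Format-Table Name, Value, LabOnly -AutoSize
```

Set-EidLabRegistry writes the same values the GPO and the manual edits of Part 3 produce; Test-EidLabRegistry is the part worth keeping after the lab, since any row with LabOnly = True is a machine that will accept an eID whose revocation status cannot be checked.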
• 6.
- Click on Root (1), then click Details (1a).
• 7.
- Click on the Details tab.
• 8.
- Click on the button "Copy to File ...".
- Save it, e.g. in C:\tmp, with the name "Belgian Root CA.cer".
- Redo these steps for the Citizen CA (see the print-screen above, the blue (2) and (2a)), but save it as "Citizen CA.cer".
- At this step you have exported the public keys of 2 of the 3 Belgian authorities. These are to be imported into your infrastructure to get them recognized as trusted.

Step 2: Import them into your systems
Import them onto your DC and client. Please note that you can use a GPO for this task, see: http://support.microsoft.com/kb/281245
- Copy these 2 files (.cer), e.g. into C:\tmp.

• 9.
- Run CMD.exe with administrative privilege (right-click and "Run as administrator"!!!).
- Go under C:\tmp.
- Run the following commands:
  o C:\tmp>certutil -addstore ROOT "Belgian Root CA.cer"
  o C:\tmp>certutil -addstore CA "Citizen CA.cer"

Step 3: Register these authorities as NTAuthCA
Look here for more info: http://support.microsoft.com/kb/295663/
Go back onto your DC ONLY with the admin CMD.
- Run CMD.exe with administrative privilege (right-click and "Run as administrator"!!!).
- Go under C:\tmp.
- Run the following commands:
  o C:\tmp>certutil -dspublish -f "Belgian Root CA.cer" NTAuthCA
  o C:\tmp>certutil -dspublish -f "Citizen CA.cer" NTAuthCA

Part 5: User configuration and certificate mapping
Step 1: Export your user certificate
Use the same process as in Part 4, Step 1. You will be able to export your own user certificate and store it in C:\tmp\myuser.cer (take the "Authentication" certificate).
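The import and NTAuth publication of Part 4 (Steps 2 and 3 above), as an added PowerShell example that is not part of the original deck. It runs the same certutil commands and then verifies, by thumbprint, that each file landed in the local store it belongs to and (on the DC) in the enterprise NTAuth store the KDC consults. The function names and the thumbprint check are my assumptions; the file names, stores and certutil switches are the ones from the deck. Assumes an elevated prompt and the two .cer files in C:\tmp.

```powershell
# Added example (not from the original deck): import the two exported CA files
# from Part 4, publish them to NTAuth on the DC, and verify the result.
# Assumes an elevated PowerShell and the files exported to C:\tmp.

$CaFiles = @{
    Root = 'C:\tmp\Belgian Root CA.cer'   # -> Trusted Root Certification Authorities
    CA   = 'C:\tmp\Citizen CA.cer'        # -> Intermediate Certification Authorities
}

function Get-CerThumbprint([string]$Path) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $cert.Thumbprint   # SHA-1 hex, upper case, no spaces
}

function Import-EidCaCerts {
    param([switch]$PublishToNTAuth)   # use only on the DC (Part 4, Step 3)
    foreach ($store in $CaFiles.Keys) {
        $file = $CaFiles[$store]
        & certutil.exe -addstore $store $file | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -addstore $store failed for $file" }
        if ($PublishToNTAuth) {
            & certutil.exe -dspublish -f $file NTAuthCA | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish NTAuthCA failed for $file" }
        }
    }
}

# Each file must be present in its local store by thumbprint; on the DC it
# must also be in the enterprise NTAuth store, otherwise the KDC will not
# accept certificates chaining to it (KB 295663).
function Test-EidCaCerts {
    # certutil prints the hash with spaces between bytes on older Windows,
    # so strip all whitespace before matching the thumbprint.
    $ntauth = (& certutil.exe -store -enterprise NTAuth 2>&1 | Out-String) -replace '\s', ''
    foreach ($store in $CaFiles.Keys) {
        $thumb = Get-CerThumbprint $CaFiles[$store]
        New-Object -TypeName PSObject -Property @{
            File       = $CaFiles[$store]
            Thumbprint = $thumb
            InLocal    = (Test-Path "Cert:\LocalMachine\$store\$thumb")
            InNTAuth   = ($ntauth -match $thumb)   # -match is case-insensitive
        }
    }
}

# Usage:
#   Import-EidCaCerts                     # client
#   Import-EidCaCerts -PublishToNTAuth    # DC only
#   Test-EidCaCerts | Format-Table File, Thumbprint, InLocal, InNTAuth -AutoSize
```

Before trusting the imported files, compare the Thumbprint column against the fingerprint the Belgian eID programme publishes for its root: whatever .cer lands in the Root store and in NTAuth becomes an issuer of domain logons, so a wrong or tampered export is the one mistake this lab cannot afford.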
• 10. Step 2: Configure the certificate for your user
- Open AD Users and Computers.
- Enable "Advanced Features" (View menu).
• 11.
- Right-click the user you want to map this card to and choose "Name Mappings". Select the certificate you want to map (e.g. C:\tmp\myuser.cer).
• 12. Reboot both and test under the "Insert Smartcard" logon screen!
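The certificate mapping of Part 5 (Step 2 above), as an added PowerShell example that is not part of the original deck. The "Name Mappings" dialog stores an Issuer + Subject string in the user's altSecurityIdentities attribute; the example builds that same string from the exported C:\tmp\myuser.cer and applies it with Set-ADUser, which is useful when you have more than one lab user to map. It goes one step beyond the deck: the -Strong switch produces the Issuer + Serial Number form instead, which is the form Microsoft's later certificate-mapping hardening (KB5014754) treats as a strong mapping, while the Issuer + Subject form the GUI writes is treated as weak. The function names, the sAMAccountName and the switch are my assumptions; the DN ordering and serial byte order follow the altSecurityIdentities format. Assumes the ActiveDirectory module on the DC.

```powershell
# Added example (not from the original deck): build the altSecurityIdentities
# value the Name Mappings dialog writes, from the exported user .cer, and
# apply it with Set-ADUser. Assumes the ActiveDirectory module on the DC.

function ConvertTo-ReversedDn([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Dn) {
    # altSecurityIdentities expects the DN least-significant RDN first, comma
    # separated, no spaces: a cert showing "CN=Citizen CA, C=BE" becomes
    # "C=BE,CN=Citizen CA". Format($true) yields one RDN per line (values that
    # contain commas stay quoted, which AD accepts as-is).
    $rdns = @($Dn.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function Get-EidMappingString {
    param([string]$CerPath, [switch]$Strong)
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $issuer = ConvertTo-ReversedDn $cert.IssuerName
    if ($Strong) {
        # Issuer + serial: the serial is written byte-reversed relative to the
        # big-endian hex shown in the certificate viewer ($cert.SerialNumber).
        $bytes = @($cert.SerialNumber -split '(?<=\G..)(?=.)')   # split into byte pairs
        [array]::Reverse($bytes)
        return "X509:<I>$issuer<SR>$($bytes -join '')"
    }
    # Issuer + subject: the same form the Name Mappings GUI produces.
    $subject = ConvertTo-ReversedDn $cert.SubjectName
    return "X509:<I>$issuer<S>$subject"
}

function Add-EidMapping {
    param([string]$SamAccountName, [string]$CerPath, [switch]$Strong)
    Import-Module ActiveDirectory
    $mapping = Get-EidMappingString -CerPath $CerPath -Strong:$Strong
    # -Add keeps any mapping already present (a user may hold several cards)
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
    Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities |
        Select-Object SamAccountName, altSecurityIdentities
}

# Usage on the DC ('labuser' and the path are placeholders for your lab):
#   Get-EidMappingString -CerPath 'C:\tmp\myuser.cer'            # inspect first
#   Add-EidMapping -SamAccountName 'labuser' -CerPath 'C:\tmp\myuser.cer'
#   Add-EidMapping -SamAccountName 'labuser' -CerPath 'C:\tmp\myuser.cer' -Strong
```

Run Get-EidMappingString first and compare its output with what the GUI wrote for a user you mapped by hand; the two must be identical for the Issuer + Subject form. The serial-based form is worth preferring even in the lab, because a subject name can be reissued on a replacement card whereas a serial number is unique per certificate.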