Active Directory authentication with BE eID Smartcard

This guide explains how to configure Active Directory to accept the Belgian eID smartcard as an authentication token.


Why this?
More and more countries are deploying smartcard systems that could be used to authenticate a user.
I'm sure you are tired of remembering so many passwords and of the lack of security this causes
(simplistic passwords, helpdesk nightmares, password resets with sometimes very weak reset rules ...).

Deploying hardware tokens has become usual in many companies, but it requires investment. So why not
use the smartcard already in your wallet? This document explains how to use the Belgian identity
card and its PIN to authenticate a user.

Using the BE eID card is not trivial, because these cards lack some information Windows normally
expects (i.e. a UPN, an AT_KEYEXCHANGE key, the expected EKU), and CRL checking can also be difficult.

This document must be used as lab documentation, for a proof of concept, not for production!
Changing or implementing your PKI infrastructure is at your own risk. This document only reflects
our own setup, done to get evidence that using the BE eID card for NT domain authentication is feasible.

Note that some non-domain authentication software is available on the web:

          http://www.mysmartlogon.com/products/eidauthenticate.html

          http://code.google.com/p/eid-applet/

We apologize, but the screenshots will be in French.


Material needed:
- Recommended: Windows 7 and Windows 2008 R2 (Windows Vista and Windows 2008 are the minimum)
- Windows 2008 R2 Enterprise (here is the link to a trial)
  http://www.microsoft.com/windowsserver2008/en/us/trial-software.aspx
- Belgian eID (identity card) and the associated software (on server and client)
  www.eid.be (eID framework, i.e. version 3.5.4)
- A certificate already deployed on your Domain Controller (we recommend using Microsoft
  Certification Authority, see later in this doc)
- Two BE eID smartcard readers (e.g. ACR 38 U)




        André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.
Part 1 : Setup of a Test Windows Domain

- Run the Windows 2008 R2 setup
- Make your initial logon and perform all security updates
- Run DCPROMO and create a dedicated and isolated domain for this lab
- At the end of DCPROMO and after the reboot you have a new forest and a DNS running on your
  test lab server
- Install a Windows 7 client (e.g. the Test Drive business edition)
- Join this Windows 7 to the domain
- Install the BE eID framework on all machines


Part 2 : Installing Microsoft Certification Authority

- These steps are to be performed on your DC.
- Microsoft Certification Authority is a role you need to add on your server.
    o During the process you will have to choose:
        - Select Root Authority
        - And select an Enterprise CA (this will be helpful for future labs we will provide later)
- Obtain a certificate for your DC
    o Run MMC and add the Certificates snap-in for the local "Computer Account"
    o Open the "Personal" folder -> Certificates
    o Right click on Certificates and choose Request New Certificate:




- Next, and select an Active Directory policy:

- Select and Next, then select the following roles:

- At the end perform a reboot

- If you have not correctly followed these steps, an event ID 19 will be logged on your DC and
  login with the smartcard will fail, stating that your account is not configured for smart card
  authentication. This is due to the fact that PKINIT (authentication with the DC) is not feasible
  due to the lack of a certificate on the DC; in real life each DC will require such a certificate...



Part 3 : Tuning the Domain Controller and the client to accept a BE eID card

Step 1 - Domain Policy:

- Set up your domain default policy (see the screenshot to locate the settings and which ones
  are to be set)

- After they have been applied (e.g. run GPUpdate), you will have the following registry keys
  (on both DC and client):

      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
      "AllowCertificatesWithNoEKU"=dword:00000001
      "AllowSignatureOnlyKeys"=dword:00000001
      "ForceReadingAllCertificates"=dword:00000001

Step 2 : Customize the registry

These steps are needed to ensure the BE eID card specificities are accepted for authentication.

- On the client and the DC, configure the registry as follows:

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
      "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
      "CRLTimeoutPeriod"=dword:00000001

- On the Domain Controller only, configure as follows:

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc]
      "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
      "SCLogonEKUNotRequired"=dword:00000001

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
      "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001

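The following PowerShell is added here and is not part of the original guide: it audits the values from Step 1 and Step 2 on a DC or a client, reports which are missing, and can write them; it assumes an elevated PowerShell session on the machine being checked. Each value relaxes a default check (EKU presence, key usage, CRL reachability), which is why the guide keeps them to a lab.

```powershell
# Added example, not from the original guide: audit (and optionally set) the
# registry values Part 3 asks for. Assumes an elevated PowerShell on the box
# being checked (DC or client).

$CommonSettings = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider' = @{
        AllowCertificatesWithNoEKU  = 1   # eID certificate carries no logon EKU
        AllowSignatureOnlyKeys      = 1   # eID key is not an AT_KEYEXCHANGE key
        ForceReadingAllCertificates = 1   # read every certificate on the card
    }
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' = @{
        UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors = 1  # tolerate an unreachable CRL
        CRLTimeoutPeriod = 1
    }
}

$DcOnlySettings = @{
    'HKLM:\SYSTEM\CurrentControlSet\Services\kdc' = @{
        UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors = 1
        SCLogonEKUNotRequired = 1   # KDC no longer insists on the Smart Card Logon EKU
    }
}

function Test-EidLabRegistry {
    param(
        [switch]$DomainController,   # also check the KDC-only values
        [switch]$Apply               # write any MISSING or MISMATCH value
    )
    $expected = @{} + $CommonSettings
    if ($DomainController) { $expected += $DcOnlySettings }

    foreach ($path in $expected.Keys) {
        foreach ($name in $expected[$path].Keys) {
            $want = $expected[$path][$name]
            $have = $null
            if (Test-Path $path) {
                $have = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            }
            $state = if ($null -eq $have) { 'MISSING' } elseif ([int]$have -ne $want) { 'MISMATCH' } else { 'OK' }

            if ($Apply -and $state -ne 'OK') {
                if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
                New-ItemProperty -Path $path -Name $name -Value $want -PropertyType DWord -Force | Out-Null
                $state = 'APPLIED'
            }
            [pscustomobject]@{ Path = $path; Name = $name; Expected = $want; Actual = $have; State = $state }
        }
    }
}

# Usage: Test-EidLabRegistry -DomainController | Format-Table -AutoSize
#        Test-EidLabRegistry -DomainController -Apply
```

Run it without -DomainController on the Windows 7 client and with it on the DC; the KDC key only exists on a domain controller.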

Part 4 : Import the Belgian Certification Authority certificates

Currently there is not just one set of eID authorities; you need 3 in fact (because since
17 October 2008 a new authority has been deployed).

- One for the root, called: Belgian Root CA
- Two with the name Citizen CA (2 because of this re-deployment; in this doc we will work with
  the one present on the card you use)

Step 1 : Export the public key (certificate, .cer) of each authority
For this step the easiest is to export them to files with the eID Viewer.

- Put a card into the reader, launch the eID Viewer and go to the Certificates tab




- Click on Root (1), then click Details (1a)

- Click on the Details tab

- Click on the button Copy to File ...

- Save it, e.g. in C:\tmp, with the name "Belgian Root CA.cer"
- Redo these steps for the Citizen CA (see the screenshot above, the blue (2) and (2a)), but
  save it as "Citizen CA.cer"
- At this step you have exported the public keys of 2 of the 3 Belgian authorities. These are to
  be imported into your infrastructure to get them recognized as trusted.



Step 2 : Import them into your systems

Import them onto your DC and client.

       Please note that you can use a GPO for this task, see:

       http://support.microsoft.com/kb/281245

- Copy these 2 files (.cer), e.g. into c:\tmp
- Run CMD.exe with administrative privilege (right click and Run as administrator!!!)
- Go to c:\tmp
- Run the following commands:
      o C:\tmp>certutil -addstore ROOT "Belgian Root CA.cer"
      o C:\tmp>certutil -addstore CA "Citizen CA.cer"

Step 3 : Register these authorities as NTAuthCA
Look here for more info: http://support.microsoft.com/kb/295663/

Go back onto your DC ONLY with the admin CMD.

- Run CMD.exe with administrative privilege (right click and Run as administrator!!!)
- Go to c:\tmp
- Run the following commands:
      o C:\tmp>certutil -dspublish -f "Belgian Root CA.cer" NTAuthCA
      o C:\tmp>certutil -dspublish -f "Citizen CA.cer" NTAuthCA
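To check the result of Steps 2 and 3, here is an added PowerShell example (not from the guide): certutil -addstore writes to the local ROOT and CA stores, while certutil -dspublish ... NTAuthCA appends the certificate to the cACertificate attribute of the NTAuthCertificates object in the configuration partition, and the function compares both against the exported .cer files. It assumes the two files in c:\tmp and the RSAT ActiveDirectory module on the DC.

```powershell
# Added example, not part of the guide: verify that the Belgian CA certificates
# reached the local stores and the NTAuth object in AD. Run on the DC.

function Test-EidCaDeployment {
    param(
        [string[]]$CerFiles = @('c:\tmp\Belgian Root CA.cer', 'c:\tmp\Citizen CA.cer')
    )
    Import-Module ActiveDirectory

    # Thumbprints published in NTAuth, read straight from the directory object
    # that "certutil -dspublish ... NTAuthCA" writes to.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ntauth = Get-ADObject -Identity "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$cfg" `
                           -Properties cACertificate
    $published = @($ntauth.cACertificate | ForEach-Object {
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$_)).Thumbprint
    })

    foreach ($file in $CerFiles) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            LocalRoot  = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
            LocalCA    = Test-Path "Cert:\LocalMachine\CA\$($cert.Thumbprint)"
            NTAuth     = $published -contains $cert.Thumbprint
        }
    }
}

# Usage on the DC: Test-EidCaDeployment | Format-Table -AutoSize
```

The root should show LocalRoot and NTAuth as True, the Citizen CA LocalCA and NTAuth; a False in the NTAuth column means Step 3 has not replicated or was run against the wrong file name.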


Part 5 : User configuration and certificate mapping

Step 1 : Export your user certificate

Use the same process as in Part 4, Step 1. You will be able to export your own user certificate
and store it in c:\tmp\myuser.cer (take the "Authentication certificate").

Step 2 : Configure the certificate for your user

- Open Active Directory Users and Computers.
- Enable the Advanced Features view.
- Right click the user you want to map this card to and choose Name Mappings.
- Select the certificate you want to map (e.g. c:\tmp\myuser.cer).

Reboot both and test under the "Insert Smartcard" logon screen!
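The Name Mappings dialog stores the mapping on the user as an altSecurityIdentities value of the form X509:<I>issuerDN<S>subjectDN. The PowerShell below is an added example, not the guide's own procedure: it builds that value from the exported certificate, reads back what the dialog wrote so the two can be compared, and can write the mapping itself. It assumes the RSAT ActiveDirectory module, the file c:\tmp\myuser.cer from Step 1, a hypothetical user jdoe, and that the eID authentication certificate's subject CN contains "(Authentication)".

```powershell
# Added example, not from the original guide: build, check and set the
# altSecurityIdentities mapping for an eID authentication certificate.
# Hypothetical inputs: c:\tmp\myuser.cer and the user 'jdoe'.

function ConvertTo-AdDnString {
    # altSecurityIdentities lists RDNs root-first (C=BE,...,CN=...), comma
    # separated, which is the reverse of the order .NET prints them.
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Dn)
    $rdns = @($Dn.Format($true) -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function Get-EidNameMapping {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    # Map the eID "Authentication" certificate, not the "Signature" one; its
    # subject CN carries "(Authentication)" (assumption based on eID naming).
    if ($cert.Subject -notmatch '\(Authentication\)') {
        throw "Not the eID Authentication certificate: $($cert.Subject)"
    }
    return 'X509:<I>{0}<S>{1}' -f (ConvertTo-AdDnString $cert.IssuerName),
                                    (ConvertTo-AdDnString $cert.SubjectName)
}

function Test-EidNameMapping {
    # Compare the X509 entries already on the user with the exported certificate.
    # Matching on the CNs only keeps the check independent of how each tool
    # renders less common RDN types (eID subjects contain SERIALNUMBER).
    param([Parameter(Mandatory)][string]$CertPath, [Parameter(Mandatory)][string]$SamAccountName)
    Import-Module ActiveDirectory
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $subjectCn = $cert.GetNameInfo($nameType, $false)
    $issuerCn  = $cert.GetNameInfo($nameType, $true)
    $user = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
    foreach ($entry in $user.altSecurityIdentities) {
        if ($entry -match '^X509:<I>(?<issuer>.*)<S>(?<subject>.*)$') {
            [pscustomobject]@{
                Entry   = $entry
                Matches = ($Matches.issuer -like "*CN=$issuerCn*") -and ($Matches.subject -like "*CN=$subjectCn*")
            }
        }
    }
}

function Set-EidNameMapping {
    param([Parameter(Mandatory)][string]$CertPath, [Parameter(Mandatory)][string]$SamAccountName)
    Import-Module ActiveDirectory
    $mapping = Get-EidNameMapping -CertPath $CertPath
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
    return $mapping
}

# Usage:
# Get-EidNameMapping  -CertPath 'c:\tmp\myuser.cer'
# Test-EidNameMapping -CertPath 'c:\tmp\myuser.cer' -SamAccountName 'jdoe'
```

Before relying on Set-EidNameMapping, compare its output with an entry written by the dialog on a test user: the KDC does a string match, so the RDN rendering has to be identical.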





More Related Content

Viewers also liked

Becta Research Conference Sept. 2007
Becta Research Conference Sept. 2007 Becta Research Conference Sept. 2007
Becta Research Conference Sept. 2007 Mike Sharples
 
Keywords Marzo Abril2007
Keywords Marzo Abril2007Keywords Marzo Abril2007
Keywords Marzo Abril2007guest0b2315
 
Tegurdamine
TegurdamineTegurdamine
Tegurdamineandresta
 
A,E,J &J Presentation
A,E,J &J PresentationA,E,J &J Presentation
A,E,J &J Presentationguest1b1543
 
Rollbase Mobile Tech Tips
Rollbase Mobile Tech TipsRollbase Mobile Tech Tips
Rollbase Mobile Tech TipsProgress
 
PATTY: A Taxonomy of Relational Patterns with Semantic Types
PATTY: A Taxonomy of Relational Patterns with Semantic TypesPATTY: A Taxonomy of Relational Patterns with Semantic Types
PATTY: A Taxonomy of Relational Patterns with Semantic TypesAkihiro Kameda
 
Physicsjeopardy
PhysicsjeopardyPhysicsjeopardy
Physicsjeopardykitcoffeen
 
Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)siouxhotornot
 

Viewers also liked (17)

Booting from VHD
Booting from VHDBooting from VHD
Booting from VHD
 
What Are Dreams
What Are DreamsWhat Are Dreams
What Are Dreams
 
Becta Research Conference Sept. 2007
Becta Research Conference Sept. 2007 Becta Research Conference Sept. 2007
Becta Research Conference Sept. 2007
 
FunHalo
FunHaloFunHalo
FunHalo
 
Ruta
Ruta Ruta
Ruta
 
Keywords Marzo Abril2007
Keywords Marzo Abril2007Keywords Marzo Abril2007
Keywords Marzo Abril2007
 
Tegurdamine
TegurdamineTegurdamine
Tegurdamine
 
Esitlus
EsitlusEsitlus
Esitlus
 
Creation
CreationCreation
Creation
 
Rombus
RombusRombus
Rombus
 
Chembond
ChembondChembond
Chembond
 
Creation
CreationCreation
Creation
 
A,E,J &J Presentation
A,E,J &J PresentationA,E,J &J Presentation
A,E,J &J Presentation
 
Rollbase Mobile Tech Tips
Rollbase Mobile Tech TipsRollbase Mobile Tech Tips
Rollbase Mobile Tech Tips
 
PATTY: A Taxonomy of Relational Patterns with Semantic Types
PATTY: A Taxonomy of Relational Patterns with Semantic TypesPATTY: A Taxonomy of Relational Patterns with Semantic Types
PATTY: A Taxonomy of Relational Patterns with Semantic Types
 
Physicsjeopardy
PhysicsjeopardyPhysicsjeopardy
Physicsjeopardy
 
Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)
 

Similar to AD authentication with be eID

2018. 03 mb sd connect c4 c5 xentry start key activation
2018. 03 mb sd connect c4 c5 xentry start key activation2018. 03 mb sd connect c4 c5 xentry start key activation
2018. 03 mb sd connect c4 c5 xentry start key activationtasha ou
 
Using IBM Blockchain Platform (November 2019)
Using IBM Blockchain Platform (November 2019)Using IBM Blockchain Platform (November 2019)
Using IBM Blockchain Platform (November 2019)Matt Lucas
 
Validating A Product Key In A Vs
Validating A Product Key In A VsValidating A Product Key In A Vs
Validating A Product Key In A VsRaj Chanchal
 
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)MongoDB
 
Control relay via schedule time
Control relay via schedule timeControl relay via schedule time
Control relay via schedule timetopomax
 
Authenticate and authorize your IIoTdevices
Authenticate and authorize your IIoTdevicesAuthenticate and authorize your IIoTdevices
Authenticate and authorize your IIoTdevicesteam-WIBU
 
Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Brent Muir
 
Handson1 6 federp
Handson1 6 federpHandson1 6 federp
Handson1 6 federpfederpmatc
 
User id installation and configuration
User id installation and configurationUser id installation and configuration
User id installation and configurationAlberto Rivai
 
Session 10 Tp 10
Session 10 Tp 10Session 10 Tp 10
Session 10 Tp 10githe26200
 
Ammar hasayen microsoft ILM/FIM 2007 guide
Ammar hasayen   microsoft ILM/FIM 2007 guideAmmar hasayen   microsoft ILM/FIM 2007 guide
Ammar hasayen microsoft ILM/FIM 2007 guideAmmar Hasayen
 
Training Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183xTraining Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183xAbdelilah CHARBOUB
 
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)Rajesh Anbalagan
 
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...Protect724tk
 
SH 2 - SES 1 - Stitch_Workshop_TLV.pptx
SH 2 - SES 1 - Stitch_Workshop_TLV.pptxSH 2 - SES 1 - Stitch_Workshop_TLV.pptx
SH 2 - SES 1 - Stitch_Workshop_TLV.pptxMongoDB
 
Actor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active DirectoryActor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active Directoryprotect724rkeer
 
A step by step guide to develop temperature sensor io t application using ibm...
A step by step guide to develop temperature sensor io t application using ibm...A step by step guide to develop temperature sensor io t application using ibm...
A step by step guide to develop temperature sensor io t application using ibm...Azilen Technologies Pvt. Ltd.
 

Similar to AD authentication with be eID (20)

2018. 03 mb sd connect c4 c5 xentry start key activation
2018. 03 mb sd connect c4 c5 xentry start key activation2018. 03 mb sd connect c4 c5 xentry start key activation
2018. 03 mb sd connect c4 c5 xentry start key activation
 
Using IBM Blockchain Platform (November 2019)
Using IBM Blockchain Platform (November 2019)Using IBM Blockchain Platform (November 2019)
Using IBM Blockchain Platform (November 2019)
 
Validating A Product Key In A Vs
Validating A Product Key In A VsValidating A Product Key In A Vs
Validating A Product Key In A Vs
 
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
 
Control relay via schedule time
Control relay via schedule timeControl relay via schedule time
Control relay via schedule time
 
Using idoc method in lsmw
Using idoc method in lsmwUsing idoc method in lsmw
Using idoc method in lsmw
 
Azure hands on lab
Azure hands on labAzure hands on lab
Azure hands on lab
 
Authenticate and authorize your IIoTdevices
Authenticate and authorize your IIoTdevicesAuthenticate and authorize your IIoTdevices
Authenticate and authorize your IIoTdevices
 
Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)
 
Handson1 6 federp
Handson1 6 federpHandson1 6 federp
Handson1 6 federp
 
Microsoft Lync Server 2010 Installation
Microsoft Lync Server 2010 InstallationMicrosoft Lync Server 2010 Installation
Microsoft Lync Server 2010 Installation
 
User id installation and configuration
User id installation and configurationUser id installation and configuration
User id installation and configuration
 
Session 10 Tp 10
Session 10 Tp 10Session 10 Tp 10
Session 10 Tp 10
 
Ammar hasayen microsoft ILM/FIM 2007 guide
Ammar hasayen   microsoft ILM/FIM 2007 guideAmmar hasayen   microsoft ILM/FIM 2007 guide
Ammar hasayen microsoft ILM/FIM 2007 guide
 
Training Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183xTraining Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183x
 
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)
Microsoft.certleader.az 220.free.pdf.2020-may-30.by.tony.0q.vce (1)
 
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
 
SH 2 - SES 1 - Stitch_Workshop_TLV.pptx
SH 2 - SES 1 - Stitch_Workshop_TLV.pptxSH 2 - SES 1 - Stitch_Workshop_TLV.pptx
SH 2 - SES 1 - Stitch_Workshop_TLV.pptx
 
Actor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active DirectoryActor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active Directory
 
A step by step guide to develop temperature sensor io t application using ibm...
A step by step guide to develop temperature sensor io t application using ibm...A step by step guide to develop temperature sensor io t application using ibm...
A step by step guide to develop temperature sensor io t application using ibm...
 

Recently uploaded

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Recently uploaded (20)

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

AD authentication with be eID

  • 1. Active Directory authentication with BE eID Smartcard This guide explains how to configure an ActiveDirectory to enable Be eID Smartcard as authentication token. Why this ? More and more countries are deploying smartcard systems that could be used to authenticate a user. I’m sure you are tired to remember so many password and the lack of security caused (most simple password, helpdesk nightmare, reset password with sometimes very simplistic reset rules …) Deploying HW token become usual in many company but this require investment. So why not using already available smartcard in your wallet. This document will explain how to used the Belgian identity card and PIN to authenticated a user. Using BE eID card is not so trivial because these Card didn’t use some pre-requisite information (ie UPN, AT_KEYEXCHANGE, EKU) and the CRL can also be difficult. This document must be used as a Lab. Documentation, to do a proof of concept not used in production ! Changing or implementing your PKI infra is at your own risk. This document only reflect our own setup to get the evidence that using BE-eID-Card for NT Domain authentication is feasible. You can notice that some non-domain authentication software are available on the web: http://www.mysmartlogon.com/products/eidauthenticate.html http://code.google.com/p/eid-applet/ We apologize, but Print -Screen will be in French. Material needed :  Recommended Windows 7 and Windows 2008 R2 (Windows Vista, and Windows 2008 is the minimum)  The Windows 2008 R2 Enterprise (here the link to a trial) http://www.microsoft.com/windowsserver2008/en/us/trial-software.aspx  Belgium eID (identity card) and associated software (on Server and Client) www.eid.be (eid framework ie ver 3.5.4)  Certificate already deployed on your Domain Controller (we recommend to used Microsoft Certification Authority, see later in the doc.)  Two BE eID Smartcard reader (ie. 
ACR 38 U) André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.
  • 2. Part 1 : Setup of a Test Windows Domain  Run the Windows 2008 R2 Setup  Make you initial logon and perform all security update  Run your DCPROMO and create a dedicated and isolated domain for this lab.  At the end of the DCPROMO and after the reboot you have a new Forest and a DNS Running onto your test server lab.  Install a Windows 7 Client (ie. Test drive business edition))  Join this Windows 7 to the domain  Install the BE EID framework on all machine Y Part 2 : Installing Microsoft Certification Authority  These step are to perform on your DC.  Microsoft Certification Authority is a Role you need to add on your server. o During the Process you will have to choose for a :  Select Root Authority  And Select an Enterprise CA (this will be helpful for future lab. We will provide later)  Obtain a Certificate for you DC o Runn MMC add the certificate Snapp-in for the Local “Computer Account” o Open the ” Personal” folder -> Certificates o Right Click on certificate and Request a new certificate : André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.
  • 3.  Next and Select an Active Directory plocicy :  Select and Next, After Select the following roles :  At the end perform a reboot  If you have not correctly followed these steps, an event ID 19 will be logged into your DC and Login with Smartcard will failed stating that your account is not configured for Smart Card authentication. This is due to the fact that PKI Init (authentication with the DC is not feasible due to the lack of the certificate on the DC, in real live each DC will require a such certificate…) André Debilloez , www.sec4bizz.com , free to copy but let me know if it was useful for you.
  • 4. Part 3 : Tuning the Domain Controller and the client to accept a BE eID Card.
        Step 1 - Domain Policy:
          Set up your domain default policy (look here to localize them and which are to be set)
          After they have been applied (ie. GPUpdate) you will have the following registry keys (on both DC and Client):

        [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
        "AllowCertificatesWithNoEKU"=dword:00000001
        "AllowSignatureOnlyKeys"=dword:00000001
        "ForceReadingAllCertificates"=dword:00000001

        Step 2 : Customize the registry
        These steps are needed to ensure the BE eID card specificities are accepted for authentication.
          On the client and the DC, configure the registry as follows:

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
        "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
  • 5. "CRLTimeoutPeriod"=dword:00000001

          On the Domain Controller only, as follows:

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc]
        "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
        "SCLogonEKUNotRequired"=dword:00000001
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
        "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001

        Part 4 : Import the Belgian Certification Authority certificates
        Currently there is not only one set of eID authorities; you need 3 in fact (because since 17 October 2008 a new authority has been deployed).
          You will have one for the Root, called: Belgian Root CA
          And 2 with the name: Citizen CA (2 because of this new re-deployment; in this doc we will assume the one you get with the card you use)
        Step 1 : Export the Certification Authority public certificates (.cer)
        For these steps the easiest is to export them into files with the eID Viewer.
          Put a card into the reader and launch the eID Viewer -> go to the Certificates tab
  • 6.  Click on Root (1), then click Details (1a)
  • 7.  Click on the Details tab
  • 8.  Click on the button Copy to File …
          Save it, ie in C:\tmp, with the name “Belgian Root CA.cer”
          Redo these steps for the Citizen CA (see the print-screen above, the blue (2) and (2a)) but save it as “Citizen CA.cer”
          At this step you have exported the public keys of 2 of the 3 Belgian Authorities. These are to be imported into your infra to get them recognized as trusted.
        Step 2 : Import them into your systems
        Import them onto your DC and Client. Please note that you can use a GPO for this task, see: http://support.microsoft.com/kb/281245
          Copy these 2 files (.cer) ie in c:\tmp
  • 9.  Run CMD.exe with administrative privilege (right-click and Run as administrator!!!).
          Go under c:\tmp
          Run the following commands:
           o C:\tmp>certutil -addstore ROOT “Belgian Root CA.cer”
           o C:\tmp>certutil -addstore CA “Citizen CA.cer”
        Step 3 : Register these Authorities as NTAuthCA
        Look here for more info: http://support.microsoft.com/kb/295663/
        Go back onto your DC ONLY with the admin CMD.
          Run CMD.exe with administrative privilege (right-click and Run as administrator!!!).
          Go under c:\tmp
          Run the following commands:
           o C:\tmp>certutil -dspublish -f “Belgian Root CA.cer” NTAuthCA
           o C:\tmp>certutil -dspublish -f “Citizen CA.cer” NTAuthCA

        Part 5 : User configuration and certificate mapping
        Step 1 : Export your user certificate
        Use the same process as in Part 4, Step 1. You will export your own user certificate and store it in c:\tmp\myuser.cer (take the “Authentication” certificate).
  • 10. Step 2 : Configure the certificate for your user
          Open Active Directory Users and Computers.
          Enable the Advanced Features view.
  • 11.  Right-click the user you want to map this card to and choose Name Mappings. Select the certificate you want to map to (ie c:\tmp\myuser.cer).
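The Name Mappings dialog above writes an "X509:<I>issuer<S>subject" value into the user's altSecurityIdentities attribute. The script below, an added example that is not part of the original guide, produces the same mapping from the exported .cer so it can be repeated for many users and audited afterwards. It assumes the ActiveDirectory module is available (as on the DC), the file exported in Part 5 Step 1 is c:\tmp\myuser.cer, and the account is named "testuser"; function names are ours.

```powershell
# Added example, not part of the original guide: create the same
# "X509:<I>issuer<S>subject" name mapping that the ADUC Name Mappings
# dialog writes into altSecurityIdentities, but from a script.
# Assumptions: the ActiveDirectory module is installed (as on the DC), the
# authentication certificate was exported as c:\tmp\myuser.cer (Part 5,
# Step 1) and the account is "testuser".
Import-Module ActiveDirectory

function ConvertTo-MappingDn {
    # altSecurityIdentities stores each DN with the RDNs in reverse order
    # (C=BE,CN=Citizen CA,...). Format($true) yields one RDN per line, which
    # avoids splitting on commas that may appear inside a value.
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Name)
    $rdns = @($Name.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function New-EidNameMapping {
    param([string]$CerPath)
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    # The eID authentication certificate carries no UPN, so the DC must find
    # the account through this issuer/subject pair; the issuer is the
    # Citizen CA imported in Part 4.
    $issuer  = ConvertTo-MappingDn $cert.IssuerName
    $subject = ConvertTo-MappingDn $cert.SubjectName
    return "X509:<I>$issuer<S>$subject"
}

$mapping = New-EidNameMapping -CerPath 'c:\tmp\myuser.cer'
Set-ADUser -Identity 'testuser' -Add @{ altSecurityIdentities = $mapping }

# Read it back to confirm what the KDC will see during PKINIT, and whether
# the account is forced to use the card rather than a password.
Get-ADUser -Identity 'testuser' -Properties altSecurityIdentities, SmartcardLogonRequired |
    Select-Object SamAccountName, SmartcardLogonRequired, altSecurityIdentities
```

Domain controllers updated after Microsoft's 2022 certificate-based authentication hardening classify the <I>/<S> form as a weak mapping and reject it once enforcement mode is on; on such a DC the <SKI> or <I>...<SR> forms are the strong equivalents.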
  • 12. Reboot both machines and test from the “Insert Smartcard” logon screen!
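Before the logon test, it helps to confirm that every setting from Parts 3 and 4 actually landed on the machine, since a single missing DWORD or an absent CA in the NTAuth store produces the generic "not configured for Smart Card authentication" failure. The pre-flight check below is an added example, not part of the original guide; it assumes an elevated PowerShell on the DC or the client, and the ActiveDirectory module on the DC for the NTAuth check. Function names are ours; the registry paths and values are the ones the guide sets.

```powershell
# Added example, not part of the original guide: a pre-flight check of the
# settings from Parts 3 and 4 on the machine it runs on (DC or client).
# Assumptions: elevated PowerShell; on the DC, the ActiveDirectory module.
$expected = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider' = @{
        AllowCertificatesWithNoEKU = 1; AllowSignatureOnlyKeys = 1; ForceReadingAllCertificates = 1 }
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' = @{
        UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors = 1; CRLTimeoutPeriod = 1 }
}
$isDc = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4   # 4/5 = domain controller
if ($isDc) {
    $expected['HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'] = @{
        UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors = 1; SCLogonEKUNotRequired = 1 }
}
function Show-Result([bool]$Ok, [string]$What) {
    '{0,-4} {1}' -f $(if ($Ok) { 'OK' } else { 'MISS' }), $What
}
function Test-RegistryValues {
    # Part 3: the GPO-driven and hand-edited DWORDs, all expected to be 1
    foreach ($key in $expected.Keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $expected[$key].Keys) {
            Show-Result ($props -ne $null -and $props.$name -eq $expected[$key][$name]) "$key\$name"
        }
    }
}
function Test-TrustStores {
    # Part 4 step 2: certutil -addstore ROOT / CA on this machine
    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like '*Belgian Root CA*' }
    $cit  = Get-ChildItem Cert:\LocalMachine\CA   | Where-Object { $_.Subject -like '*Citizen CA*' }
    Show-Result (@($root).Count -gt 0) 'Belgian Root CA in LocalMachine\Root'
    Show-Result (@($cit).Count -gt 0)  'Citizen CA in LocalMachine\CA'
}
function Test-NTAuth {
    # Part 4 step 3: certutil -dspublish ... NTAuthCA writes into this AD object
    Import-Module ActiveDirectory
    $dn = 'CN=NTAuthCertificates,CN=Public Key Services,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -Identity $dn -Properties cACertificate
    $subjects = foreach ($raw in $obj.cACertificate) {
        (New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)).Subject
    }
    foreach ($ca in 'Belgian Root CA', 'Citizen CA') {
        Show-Result (@($subjects -like "*$ca*").Count -gt 0) "$ca in NTAuthCertificates"
    }
}
Test-RegistryValues; Test-TrustStores; if ($isDc) { Test-NTAuth }
```

Run it on both the DC and the Windows 7 client; every line should read OK before you attempt the smartcard logon.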