Tag Archives: PKI

Issuing certificates directly to smart cards with Windows Certificate Manager

We’ve been working on a plan to deploy smart cards on our standalone network. For initial certificate issuance, we planned on using the certmgr.msc MMC snap-in: right-click the Personal folder and select All Tasks | Advanced Operations | Enroll On Behalf Of…. Everything seemed to be working, but the certificate was being issued into the local store, not onto the smart card. After some trial and error, we found that the cause was an incorrect CSP on the certificate template. By default, the Smartcard Logon template allows any CSP (with the Base Crypto Provider as the default), so the key pair is generated in software rather than on the card. Before issuance, the template must be customized to issue directly to the card. First, make sure that the “Allow private key to be exported” option is NOT selected; a smart card CSP never allows its private key to be exported, and while that option is on the CSP restriction won’t be available (which was our problem). Then set the CSP list so that the Microsoft Base Smart Card Crypto Provider (or whatever CSP your smart card uses) is the only one allowed. Once the template is published this way, logon certificates issue directly to the card!
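Both template settings described above live on the template object in the AD configuration partition, so they can be checked without opening the MMC. The script below is an added example, not code from the original post: it reads the template’s msPKI-Private-Key-Flag (the exportable-key bit, CT_FLAG_EXPORTABLE_KEY, is documented in MS-CRTD) and its pKIDefaultCSPs list, and reports whether the template will actually issue to the card. The template cn and the CSP name are parameters; the default cn is the built-in template (the cn is the display name without spaces), so adjust it to your duplicated template.

```powershell
# Added example, not from the original post: check that a certificate template
# in Active Directory is set up to issue directly to a smart card, i.e. the
# private key is not exportable and the smart card CSP is the only one allowed.
# Assumptions: domain-joined host, PowerShell 2.0 or later, read access to the
# Configuration partition (any domain user has it).
param(
    [string]$TemplateCn  = 'SmartcardLogon',   # cn of the template object (display name without spaces)
    [string]$RequiredCsp = 'Microsoft Base Smart Card Crypto Provider'
)

# CT_FLAG_EXPORTABLE_KEY (MS-CRTD) in msPKI-Private-Key-Flag: set when
# "Allow private key to be exported" is ticked on the Request Handling tab.
$CT_FLAG_EXPORTABLE_KEY = 0x10

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tmplPath = "LDAP://CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$template = [ADSI]$tmplPath
# [ADSI] binds lazily; the first property read fails if the object does not exist.
try   { $null = $template.distinguishedName.Value }
catch { throw "Template '$TemplateCn' not found at $tmplPath" }

$keyFlags = [int]$template.'msPKI-Private-Key-Flag'.Value

# pKIDefaultCSPs entries look like "1,Microsoft Base Smart Card Crypto Provider":
# the number is the order of preference, the remainder is the provider name.
$csps = @($template.pKIDefaultCSPs) | ForEach-Object {
    $parts = $_ -split ',', 2
    if ($parts.Count -gt 1) { $parts[1].Trim() } else { $parts[0].Trim() }
}

$problems = @()
if ($keyFlags -band $CT_FLAG_EXPORTABLE_KEY) {
    $problems += "'Allow private key to be exported' is ticked; a smart card key cannot be exported, so clear it first."
}
if (@($csps).Count -eq 0) {
    $problems += 'No CSP restriction on the template: any CSP may be used and the key will be generated in software.'
} elseif (@($csps | Where-Object { $_ -ne $RequiredCsp }).Count -gt 0) {
    $problems += "CSP list allows providers other than '$RequiredCsp': $($csps -join '; ')"
}

if ($problems.Count -eq 0) {
    "Template '$TemplateCn' will issue directly to the smart card (CSP: $RequiredCsp)."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it after editing and publishing the template; if it still reports a problem, remember that the template change has to replicate to the domain controller the CA reads before the CA sees it.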

PKI certificate autoenrollment fails on Windows 7

Today is a blogging double-feature!  If your network has any type of security hardening (e.g. FDCC, DISA STIG, etc.) you may end up in a situation where your Windows 7 and 2008 R2 machines are not autoenrolling for PKI certificates from your internal enterprise CA.  We found that the following two settings must be enabled in policy:

1. NETWORK SERVICE must be given the “Access this computer from the network” user right (SeNetworkLogonRight). This allows the machine to enroll certificates.
2. The “Task Scheduler” service on the target machine must not be disabled. The Certificate Services Client autoenrollment runs as a scheduled task, so with the service disabled nothing ever triggers enrollment.
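The two settings can be verified on an affected client before touching the GPO. The script below is an added example, not code from the original post: it exports the local user-rights policy with secedit and looks for the NETWORK SERVICE SID (the well-known S-1-5-20) in SeNetworkLogonRight, checks the start mode of the Task Scheduler service (service name Schedule), and if both look right triggers autoenrollment immediately with certutil -pulse rather than waiting for the next scheduled run. Run it from an elevated prompt.

```powershell
# Added example, not from the original post: check the two policy settings the
# post found necessary for autoenrollment on a hardened Windows 7 / 2008 R2
# host, then trigger an autoenrollment pass. Run from an elevated PowerShell.
$sidNetworkService = 'S-1-5-20'   # well-known SID for NT AUTHORITY\NETWORK SERVICE

# 1. "Access this computer from the network" is SeNetworkLogonRight in the
#    local security policy; export just the user-rights area and look for the SID.
$cfg = Join-Path $env:TEMP 'secpol-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
Remove-Item $cfg -Force
# SIDs in the exported policy are written as "*S-1-5-20", comma separated.
$hasRight = [bool]($line -and ($line -match "\*$sidNetworkService(,|\s*$)"))

# 2. Task Scheduler (service name "Schedule") must not be Disabled; the
#    Certificate Services Client autoenrollment runs as a scheduled task.
$sched   = Get-WmiObject Win32_Service -Filter "Name='Schedule'"
$schedOk = [bool]($sched -and $sched.StartMode -ne 'Disabled')

"NETWORK SERVICE has SeNetworkLogonRight : $hasRight"
"Task Scheduler start mode                : $($sched.StartMode) (ok=$schedOk)"

if ($hasRight -and $schedOk) {
    # certutil -pulse kicks off the autoenrollment task right away.
    certutil -pulse
} else {
    Write-Warning 'Fix the settings above in the hardening GPO (or secpol.msc) before retrying autoenrollment.'
}
```

If the right is missing, add NETWORK SERVICE to “Access this computer from the network” in the GPO that hardens the machine rather than in the local policy, or the next policy refresh will remove it again.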

A sample 802.1X configuration guide

Due to the complexity of 802.1X configuration, there is a lot of documentation out there. Unfortunately, for the same reason, there are very few step-by-step guides on actually setting a system up to use it. This is merely a crib sheet that I use to create a nominal 802.1X configuration. This setup uses computer certificates only, with users logging in with passwords (not smart cards). The servers are Windows Server 2008 R2 Enterprise, and the clients are Windows XP SP3 and Windows 7. Network gear consisted of Cisco 3750 and 2960 switches running IOS 12.2(52). Note that you have to have a K9 (crypto) version of the IOS, otherwise the security features are not available. These instructions may or may not work if you are on different server/client versions. I know there are NPS client limitations on the Standard server edition and that you cannot create custom certificate templates on Standard either, so Enterprise or better is required for your servers. Hopefully, someone out there will find this helpful. As there are many, many, many ways to configure this stuff, you may need to adjust it for your needs. I cannot profess to be an expert by any means, but if you have a question about something in (or not in) this checklist, please leave a comment.

Configuration of 802.1X is a multi-step process. Reference: http://technet.microsoft.com/en-us/library/cc753354(WS.10).aspx. Intel vPro AMT, if used, should be configured and operational prior to running this procedure.

  1. Certificate Services
    This procedure assumes that an Enterprise CA has been previously installed and that client certificates have been provisioned to all workstations in the enterprise via Group Policy. Additionally, your primary site servers have been added to an AD security group called ‘SCCM Primary Site Servers’.
    1. In this step, we will create and deploy the NPS certificate template.
      1. On the certification authority server, start the Certification Authority MMC snap-in
      2. Expand the CA node.
      3. In the console tree, right-click Certificate Templates. Select the Manage option. The Certificate Templates console will appear. Note the Domain Controller that the Console is connected to.
      4. In the details pane, click the RAS and IAS Server template.
      5. On the Action menu, click Duplicate Template. In the Duplicate Template dialog box, select the Windows Server 2003, Enterprise Edition template version.
      6. Click OK. The Properties dialog box for the certificate template opens.
      7. On the General tab, in Display Name, type a name for the new certificate template.
      8. Click the Security tab. In Group or user names, click RAS and IAS servers.
      9. In Permissions for RAS and IAS servers, under Allow, select the Enroll and Autoenroll permission check boxes, and then click OK.
      10. Close the Certificate Templates Console.
      11. Force replication across Domain Controllers using Active Directory Sites and Services. Begin replication from the server noted earlier.
      12. In the Certification Authority Console, right-click the Certificate Templates node. On the Action menu, point to New, and then click Certificate Template to Issue.
      13. Select the template that was just created, and then click OK.
    2. (If using Intel AMT, otherwise go to next section). Here, we will create the Client Authentication certificates for 802.1X AMT-Based computers. This is separate from the normal client certificates issued by the domain.
      1. In the console tree, right-click Certificate Templates. Select the Manage option. The Certificate Templates console will appear. Note the Domain Controller that the Console is connected to.
      2. In the details pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template. In the Duplicate Template dialog box, select the Windows Server 2003, Enterprise Edition template version.
      3. Click OK. The Properties dialog box for the certificate template opens.
      4. On the General tab, in Display Name, type a name like ‘AMT 802.1X Client Authentication’.
      5. Click the Subject Name tab, and then click Supply in the request. Click OK in the warning dialog box for this setting.
      6. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.
      7. Click Add, and add SCCM Primary Site Servers.
      8. Select the following Allow permissions for this group: Read and Enroll.
      9. Close the Certificate Templates Console.
      10. Force replication across Domain Controllers using Active Directory Sites and Services. Begin replication from the server noted earlier.
      11. In the Certification Authority Console, right-click the Certificate Templates node. On the Action menu, point to New, and then click Certificate Template to Issue.
      12. Click AMT client template, and then click OK.
  2. NPS server
    1. Ensure that the NPS server is a member of the ‘RAS and IAS Server’ group in Active Directory.
    2. Restart the server so it can autoenroll the newly assigned server certificate. If the certificate does not autoenroll, open a Certificates MMC session on the server and manually enroll the machine.
    3. Open the Server Manager Console and expand the tree to Roles | Network Policy and Access Services | NPS (local) | Policies | Connection Request Policies. Create a new Connection Request Policy. Name the new policy ‘Secure (Wired) Ethernet Connections’. Leave the type of network access server as Unspecified. Click Next.
    4. Add a new condition: NAS Port Type. In the popup, under Common 802.1X connection tunnel types, select Ethernet. Click OK, then Next.
    5. On the Specify Connection Request Forwarding page, ensure ‘Authenticate requests on this server’ is ticked and click Next.
    6. Continue clicking Next until the Finish option appears, then click Finish.
    7. Verify the new policy is enabled and listed as Processing Order 1.
    8. In the tree, select ‘Network Policies’ and create a new network policy name ‘Secure Wired (Ethernet) Connections’.
    9. Type of network access server is ‘Unspecified’.
    10. Under Conditions, set ‘NAS Port Type’ to ‘Ethernet’, and ‘Windows Groups’ to ‘Domain Computers’ and ‘Domain Users’. Note that the ‘Windows Groups’ criteria should be a logical OR.
    11. Access permission is ‘Granted’.
    12. Add EAP Type ‘Microsoft: Protected EAP (PEAP)’. Verify the settings have a certificate association (the NPS server certificate enrolled from the template created in step 1), ‘Enable Fast Reconnect’, and an EAP subtype of ‘Secured password (EAP-MSCHAP v2)’.
    13. Leave the default ‘Less secure authentication methods’ as is.
    14. Do not configure any constraints.
    15. Add the following Standard attributes (if you want to pass VLAN settings via the NPS server):
      1. Tunnel-Medium-Type: 802
      2. Tunnel-Preference: 1
      3. Tunnel-Pvt-Group-ID: <ID number or name of VLAN>
      4. Tunnel-Type: VLAN
    16. Set the newly created policy at Processing Order 1.
  3. SCCM configuration (If using Intel AMT, otherwise go to next section)
    1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site code> – <site name> / Site Settings / Component Configuration.
    2. Right-click Out of Band Management, click Properties, and then click the 802.1X and Wireless tab.
    3. To configure 802.1X authentication for wired networks, select Enable 802.1X authentication for wired network access, and then click Set.
    4. In the Trusted Root Certificate for RADIUS Authentication dialog box, specify the trusted root certificate by selecting an enterprise CA from the forest. Ensure that From certification authority (CA) is selected, and select the CA from the drop-down list.
    5. Use the drop-down box to select PEAPv0/EAP-MSCHAPv2 as the client authentication method.
    6. Click Use client certificate to use a client certificate for authentication.
    7. Click Select, specify the Issuing CA to use for the client certificate and the RADIUS client certificate template ‘AMT 802.1X Client Authentication’, and then click OK.
    8. On ‘Out of Band Management Properties’ window, click OK.
  4. Group Policy
    CAUTION: DUE TO A BUG IN WINDOWS 2008 R2/WINDOWS 7, THIS GPO MUST BE CREATED ON A WINDOWS 2008 RTM MACHINE. OTHERWISE, THE GPO WILL NOT APPLY PROPERLY AND YOU WILL GET A CONNECTION FAILURE ERROR DUE TO ‘VALIDATE SERVER CERTIFICATE’ BEING ERRONEOUSLY CHECKED. See http://blogs.technet.com/b/asiasupp/archive/2010/11/03/validate-server-certificate-option-is-unexpected-to-check-in-wired-network-ieee-802-3-policies.aspx
    1. Create a new group policy
      1. Computer Configuration | Policies | Windows Settings | Security Settings | System Services. Define ‘Wired AutoConfig’ to Automatic with default security.
      2. Computer Configuration | Policies | Windows Settings | Security Settings | Wired Network (IEEE 802.3) Policies. Create a new wired network policy.
        1. Name the policy
        2. Ensure ‘Use Windows Wired Auto Config service for clients’ is checked.
        3. On the Security tab:
          1. ‘Enable use of IEEE 802.1X authentication for network access’ is checked.
          2. Network authentication method is ‘Microsoft: Protected EAP (PEAP)’.
          3. Click ‘Properties’:
            1. Uncheck ‘Validate server certificate’. Note that with validation off the supplicant will complete PEAP with any RADIUS server that presents a certificate, so the user’s MSCHAP v2 exchange can be captured by a rogue authenticator; once the GPO bug noted in the caution above is dealt with, re-enable validation and pin the CA that issued the NPS server certificate.
            2. Authentication method is ‘Secured Password (EAP-MSCHAP v2)’.
            3. Click ‘Configure…’. Ensure Windows logon option is checked.
            4. ‘Enable Fast Reconnect’ is checked.
            5. Close ‘Protected EAP Properties’ window.
          4. Authentication Mode is ‘User re-authentication’.
          5. ‘Cache user information for subsequent connection to this network’ is checked.
          6. Click ‘Advanced…’:
            1. ‘Enable Single Sign On for the network’ is checked.
            2. ‘Allow additional dialogs to be displayed during Single Sign On’ is unchecked.
            3. Close ‘Advanced security settings’ window.
        4. Close policy properties window.
  5. Network Devices
    NOTE: This configuration assumes that RADIUS is already configured on the switch for other uses (e.g. SSH logins). If not, you’ll need to add the switch as a RADIUS client in the NPS server and input the server address and shared secret in the device configuration. Chuck Murison has a great blog on how to do this at: http://murison.wordpress.com/2010/11/11/cisco-radius-configuration-with-server-2008-r2/
    1. Enable RADIUS for 802.1X (at the global configuration prompt)
      1. aaa authentication dot1x default group radius
        This sets the device to use RADIUS for 802.1X authentication
      2. aaa authorization network default group radius
        This sets the device to use RADIUS to authorize users for specific access
      3. authentication mac-move permit
        This allows machines to be moved while a session is open (device closes old session)
      4. dot1x system-auth-control
        Globally turns on 802.1X authentication
    2. On a PER PORT basis, issue the following commands (a range command may be used to configure ports simultaneously):
      1. mab
        This allows for MAC authentication bypass (where required)
      2. authentication order dot1x mab
        This tells the network device to use 802.1X before MAB
      3. authentication priority dot1x mab
        This tells the network device to prioritize 802.1X before MAB
      4. dot1x pae authenticator
        This sets the port’s PAE role to authenticator, so the switch authenticates the attached device rather than acting as a supplicant itself
      5. authentication port-control auto
        This turns on 802.1X for the port.
      6. Port may need to be shut/no shut to force the client to authenticate.
    3. Follow-on actions
      1. Set the default (access) VLAN for the port to something else (e.g. a guest or offline VLAN). The port is automatically switched to the operational VLAN returned by NPS once authenticated.
      2. Set a guest vlan for machines that are being imaged and not yet capable of 802.1X authentication. On the interface:
        dot1x guest-vlan <vlan-id>
      3. Device settings may need to be adjusted to prevent DHCP timeout prior to 802.1X timeout. The following settings were successfully used in the test lab:
        1. dot1x timeout quiet-period 3
          This setting is the idle time between failed authentication and the next attempt.
        2. dot1x timeout tx-period 5
          This setting is how long the switch waits for a reply to its EAP-Request/Identity before retransmitting it.
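Once the group policy from step 4 has applied and the port from step 5 is configured, the easiest place to confirm the result is the client. The script below is an added example, not part of the original guide: it checks that Wired AutoConfig (service name dot3svc) is Automatic and running, prints the supplicant’s state for each wired interface, and exports the applied wired profile with netsh so the PEAP server-validation setting can be read back; the “Validate server certificate” checkbox from the caution in step 4 corresponds to the PerformServerValidation element in the exported XML. The interface name and export folder are assumptions; run it elevated on a Windows 7 client.

```powershell
# Added example, not part of the original guide: verify the client side of the
# wired 802.1X setup after the GPO has applied. Run elevated on a Windows 7
# client; works on PowerShell 2.0. Interface name and folder are assumptions.
param(
    [string]$Interface = 'Local Area Connection',
    [string]$ExportDir = (Join-Path $env:TEMP 'lanprofile')
)

# Wired AutoConfig (dot3svc) must be Automatic and running; if it is not, the
# Wired Network (IEEE 802.3) policy is ignored and the port never authenticates.
$svc = Get-WmiObject Win32_Service -Filter "Name='dot3svc'"
"Wired AutoConfig: StartMode=$($svc.StartMode) State=$($svc.State)"

# Supplicant view of each wired interface (name and 802.1X state lines only).
netsh lan show interfaces | Where-Object { $_ -match '^\s*(Name|State)\s*:' }

# Export the profile that is actually in effect on the interface and read the
# PEAP server-validation flag back. The GPO bug in the caution above shows up
# as PerformServerValidation=true even though the policy clears the box.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
netsh lan export profile folder="$ExportDir" interface="$Interface" | Out-Null
$profileXml = Get-ChildItem $ExportDir -Filter *.xml | Select-Object -First 1
if ($profileXml) {
    # ReadAllText rather than Get-Content -Raw so this runs on PowerShell 2.0.
    $xml = [IO.File]::ReadAllText($profileXml.FullName)
    $m = [regex]::Match($xml, '<PerformServerValidation[^>]*>\s*(\w+)\s*</PerformServerValidation>')
    if ($m.Success) {
        "PerformServerValidation = $($m.Groups[1].Value) (this guide expects false; true means the checkbox came back ticked)"
    } else {
        'PerformServerValidation element not present in the exported profile.'
    }
} else {
    Write-Warning "No wired profile exported for interface '$Interface'; check that the GPO applied (gpresult /r)."
}
```

If the state line shows the interface authenticating but never authenticated, compare the NPS event log (Security log, Network Policy Server events) with the port’s `show authentication sessions interface` output on the switch before changing timeouts.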