Smart Card Authentication in practice

https://www.cnblogs.com/AlexanderYao/p/4307304.html

 

1, Network environment

One physical machine plus three virtual machines, all on a single physical network segment, 172.16.188.x, as follows:

Machine   IP              Operating system            Role
dom       172.16.188.1    Win Server 2008 R2 / VM     Domain controller (AD), AD Certificate Services, IIS server
ter       172.16.188.10   Win Server 2008 R2 / VM     Remote Desktop server (formerly Terminal Server)
win7      172.16.188.100  Win 7 / VM                  Simulated Win 7 client
xp        172.16.188.101  Win XP SP3 / physical       Simulated XP client

 

2, Configure the certificate server

1) On dom, first add the Active Directory Domain Services and Web Server (IIS) roles, then add Active Directory Certificate Services. This creates a CertSrv website in IIS for certificate requests and issuance. Adding Certificate Services also generates a CA root certificate, for example secret-DOM-CA; every certificate issued afterwards is signed by it.

2) Manage certificate templates: open Administrative Tools -> Certification Authority -> Certificate Templates, right-click -> Manage. In the Certificate Templates Console, open the "Smart Card Logon" and "Smart Card User" templates: right-click -> Properties -> Security tab -> add Domain Users with Read + Enroll permissions. You can also create a new template by duplicating an existing one.

3) Issue the certificate templates: Administrative Tools -> Certification Authority -> Certificate Templates, right-click -> New -> Certificate Template to Issue, select "Smart Card Logon" and "Smart Card User", OK.

4) Modify the CA properties: Administrative Tools -> Certification Authority -> the CA name (e.g. secret-DOM-CA) -> right-click Properties -> Security, add Domain Users with Read + Request Certificates permissions.

 

3, Configure the IIS server

1) Add HTTPS support: open Administrative Tools -> Internet Information Services (IIS) Manager -> Default Web Site -> right-click "Edit Bindings". By default both http and https bindings exist; if https is missing, add it manually and choose an SSL certificate, for example one issued for dom.secret.company.com.

2) CertSrv authentication: a user has to log on to CertSrv and submit the request, and the certificate is issued for that user's credentials, so disable Anonymous Authentication and enable Basic + Digest authentication. Click the CertSrv site -> Authentication and disable/enable accordingly.

3) If no SSL binding exists, the request fails with "In order to complete certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication."

 

4, Configure the domain environment

1) Join the domain: on the other three machines, change the domain to secret.company.com and restart. Afterwards Administrative Tools -> Active Directory Users and Computers -> Computers lists the domain-joined machines: ter, win7, xp.

2) Add a domain user: Administrative Tools -> Active Directory Users and Computers -> Users, add the user test.

3) Install ePass3000: install the ePass3000 driver on every machine and make sure to tick "support smart card logon or VPN in the operating system"; it is said that this is only required on the machine that submits the certificate request.

 

5, Request a certificate

1) Log on to CertSrv: on any machine with the ePass driver installed, open IE, go to https://dom.secret.company.com/certsrv and log on as the test user. (Note: if you enter the IP address 172.16.188.1 instead, IE8 and above reports "There is a problem with this website's security certificate", because the certificate identifies the domain name, not the IP; if you issue a certificate whose identity is the IP address and bind that one, the IP URL is not reported.)

2) Request the certificate: with the ePass3000 inserted, click Request a certificate -> Advanced certificate request -> Create and submit a request to this CA; the first time, the CertEnrollCtrl plug-in is installed. The Certificate Template drop-down should now list "Smart Card User" and "Smart Card Logon" in addition to the defaults (User, Basic EFS). If only the defaults appear, or none at all with the error "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory", go back to "2, Configure the certificate server". The CSP drop-down should offer "FEITIAN ePassNG RSA Cryptographic Service Provider"; if it does not, the ePass driver on this machine is not installed properly (for example, I could never get it to appear on Server 2008 R2).

3) Install the certificate: click Submit and the ePass starts generating the key pair. On the next page click "Install this certificate" and the ePass stores the X.509 certificate. With the ePass management tool ePassNgMgr.exe you can see that the USB token now holds the test user's certificate and key pair.

 

6, Smart card logon to Windows

Insert the smart card at the Windows logon screen and enter the PIN; the domain user test can then log on. Two small problems:

1) If entering the PIN reports that the card is not valid, install the CA root certificate, i.e. add the CA's root certificate to the local machine's "Trusted Root Certification Authorities" store.

2) If the USB token holds more than one certificate, the logon window takes the first one, whereas browsers (IE8+, Chrome, Firefox, etc.) usually prompt you to choose one.
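The following PowerShell script, added here and not part of the original post, checks the two problems above on the client: whether the CA root (assumed to be named secret-DOM-CA, as in the post) is in the machine's Trusted Root store, and how many Smart Card Logon certificates the card exposes. It assumes the Certificate Propagation service has already copied the card's certificates into the user's Personal store, which Windows does when the card is inserted.

```powershell
# Added example (not from the original post): diagnose smart card logon problems
# on the client. Assumes the CA name from the post (secret-DOM-CA) and that the
# card's certificates have been propagated into Cert:\CurrentUser\My.
param([string]$CaName = 'secret-DOM-CA')

$scLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Enhanced Key Usage: Smart Card Logon

# (1) Is the issuing CA's root certificate in the machine's Trusted Root store?
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*CN=$CaName*" }
if ($root) {
    "Trusted root found: $($root.Subject) (thumbprint $($root.Thumbprint))"
} else {
    "WARNING: no certificate for CN=$CaName in LocalMachine\Root; PIN logon fails until it is imported."
}

# (2) Which certificates with the Smart Card Logon EKU does this user see?
$cardCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $scLogonOid })
}

"Smart card logon certificates in CurrentUser\My: $(@($cardCerts).Count)"
foreach ($c in $cardCerts) {
    # Build the chain the way the logon UI would, to surface e.g. UntrustedRoot
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $ok = $chain.Build($c)
    $status = if ($ok) { 'chain OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }
    "  {0}  issuer={1}  expires={2:yyyy-MM-dd}  {3}" -f $c.Subject, $c.Issuer, $c.NotAfter, $status
}
if (@($cardCerts).Count -gt 1) {
    "NOTE: more than one logon certificate; the logon screen uses the first, browsers prompt."
}
```

A chain status of UntrustedRoot on the card certificate is the scripted form of problem 1); a count above one is problem 2).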

 

7, Smart card logon to Remote Desktop

1) Insert the smart card first. When connecting to xp, clicking Connect after entering the IP asks for the PIN directly; when connecting to Win7 and later, three options are offered, choose the third one, smart card logon.

2) "Smart card error: the required driver for the system card is not installed" may be reported. This has not been fully resolved: connecting to xp works, but connecting to Win7 and Server 2008 R2 both report this error. My understanding is that the ePass driver on the remote machine is not installed properly, yet after logging on to the remote desktop normally the smart card is in fact mapped through correctly.

  • However, when visiting CertSrv -> Advanced certificate request on that machine, the CSP list really does not contain "FEITIAN ePassNG RSA Cryptographic Service Provider".
  • The article "How to find CSP currently installed on a computer" gives the registry location of all CSPs on a machine. If you manually import the Feitian CSP registry entries from xp into the target machine, the CSP drop-down on the CertSrv -> Advanced certificate request page does then show Feitian, but selecting it reports "The CSP you selected may not support the key type defined in the template. Please change the key type in the template, or select a different CSP or certificate template." So it seems the driver is still not properly installed + registered. This remains a puzzle!

3) ePass installation problems: the installer may report "Initialize PKCS#11 Library Failed, 0x00000030". The cause turned out to be that the service ngSlotD (see services.msc) was not created or not started. You can create it yourself:

   rem create the ngslotd service, auto-start, depending on the Smart Card service (ScardSvr)
   sc create ngslotd binPath= "%ProgramFiles%\ngsrv\ngslotd.exe" start= auto depend= ScardSvr
   rem start it now
   sc start ngslotd
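To tell a registry-only CSP entry (the situation in item 2 above) from a properly installed one, and to confirm the ngslotd service from item 3, the following PowerShell script, added here and not part of the original post, walks the CSP registry location that reference 3) describes and checks that each provider's DLL is really on disk. The CSP name is the one quoted in the post.

```powershell
# Added example (not from the original post): on the target machine, check whether
# the Feitian CSP is registered AND present on disk, and whether ngslotd exists and
# is running. Registry path: the location reference 3) describes.
param([string]$CspName = 'FEITIAN ePassNG RSA Cryptographic Service Provider')

$providerKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'

# Every installed CSP is a subkey here; "Image Path" points at its DLL.
$csps = @(Get-ChildItem $providerKey)
"Installed CSPs: $($csps.Count)"
foreach ($k in $csps) {
    $dll = [Environment]::ExpandEnvironmentVariables([string]$k.GetValue('Image Path'))
    $present = if ($dll -and (Test-Path $dll)) { 'present' } else { 'MISSING' }
    "  {0,-60} type={1} {2} ({3})" -f $k.PSChildName, $k.GetValue('Type'), $present, $dll
}

# A registry entry copied over from another machine (as tried in item 2) appears in
# the CertSrv CSP list but cannot work if the DLL itself was never installed.
$feitian = $csps | Where-Object { $_.PSChildName -eq $CspName }
if (-not $feitian) {
    "WARNING: '$CspName' is not registered; the ePass driver is not installed correctly."
} else {
    $feitianDll = [Environment]::ExpandEnvironmentVariables([string]$feitian.GetValue('Image Path'))
    if (-not ($feitianDll -and (Test-Path $feitianDll))) {
        "WARNING: '$CspName' is registered but its DLL is missing (registry-only install)."
    }
}

# ngslotd must exist, be running, and depend on the Smart Card service (SCardSvr)
$svc = Get-Service -Name ngslotd -ErrorAction SilentlyContinue
if (-not $svc) {
    "WARNING: service ngslotd does not exist; create it with the sc commands above."
} else {
    "ngslotd: status={0} depends on={1}" -f $svc.Status, (($svc.ServicesDependedOn | ForEach-Object { $_.Name }) -join ',')
}
"SCardSvr: status=$((Get-Service -Name SCardSvr).Status)"
```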

4) Allow Remote Desktop: the default domain policy appears to allow Remote Desktop; if needed, configure it on the domain server: Administrative Tools -> Group Policy Management -> Group Policy Objects -> Default Domain Policy -> right-click Edit, which opens the Group Policy Management Editor.

  • Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Allow log on through Remote Desktop Services": add Domain Users, Remote Desktop Users and other relevant groups.
  • Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections -> "Allow users to connect remotely using Remote Desktop Services": Enabled.
  • If these settings are disabled, on the target machine right-click My Computer -> Properties -> Remote -> Select Users... and add Domain Users, Remote Desktop Users and other relevant groups.

 

8, References

1) Smart Card Logon And Authentication

2) USB eToken for Windows domain user RDP Authentication

3) How to find CSP currently installed on a computer

 

============= End

 


Origin www.cnblogs.com/lsgxeva/p/12521565.html