Because I actually got some requests on how to accomplish this on my previous Belgium eID post, a more technical post here… It’s a bit chaotic, so I hope you’ll figure the details out on your own 🙂
I’m not reinventing wheels here. All of the things are loosely based on http://blog.debilloez.net/2010/12/ad-authentication-with-be-eid.html , http://setspn.blogspot.be/2014/10/configure-windows-logon-with-electronic.html and https://social.technet.microsoft.com/Forums/office/en-US/4eae5d60-c90c-4238-82b7-67b0ac261b8e/eid-login-for-domain?forum=winserversecurity , https://blogs.msdn.microsoft.com/spatdsg/2008/04/17/smartcard-in-2008-and-vista-national-id-card-no-upn-no-eku-no-problem/ and there even was a word document i can’t seem to find anymore…
You can have this up and running in less then an hour.
Requirements:
- Active Directory Domain Services
- Active Directory Certificate Services with Enterprise CA (in good circumstances, this role is NOT installed on your DC…)
- Some server or workstation (Windows Desktop or Terminal Server or whatever where you want your users to log-on)
Configuration
Forest/Domain
Basically, the certificate chain consists of end-entity -> intermediate -> root ( -> globalsign, FEDICT made 2 roots)
Root needs to be in “Trusted Root Certification Authorities”, intermediate needs to be in “Intermediate Certificate Authorities” of all involved machines: DC, client, server.
Download all useful certificates from http://certs.eid.belgium.be/ (please script this)
“useful” meaning:
- non expired root certificates
- all non expired citizen intermediate certificates
- (foreigner if your use case needs this)
For easy deployment: create a new group policy, and add the root’s to “Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities” and the intermediates to the “Intermediate Certificate Authorities” store in the same location.
Deploy this GPO to all servers involved: Domain Controllers, IIS, RDP, …
ADCS
Make sure the “Kerberos Authentication” certificate template is made available for Domain Controllers on your freshly installed CA, DC’s have enrolled them, and have them actually available in the certlm.msc (this is the newer version of Domain Controller Authentication template, which is a newer version of the very original Domain Controller template). On of them good enough). Make sure your general PKI is healthy.
DC
Create a user.
Export the authentication certificate from the smart card (either with the Be eID viewer or using certmgr.msc).
The mapping of a Be eID to an active directory user happens in Active Directory Users and Computers (dsa.msc). Go to a user, right mouse click, name mapping, and add the exported version of the Be eID authentication certificate here.
The DC’s also need a modification in the registry
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"CRLTimeoutPeriod "=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"AllowCertificatesWithNoEKU"=dword:00000001
"AllowSignatureOnlyKeys"=dword:00000001
Note: the new 2017 BE eID’s don’t require the AllowCertificatesWithNoEKU and AllowSignatureOnlyKeys anymore (as they actually set the correct EKU), old eID’s do.
CRL timeout is also not really required if outgoing network access allows it.
Target
IIS/Terminal Server/Windows logon
Always install the eID middleware, download from https://eid.belgium.be/
And set the same registry keys again
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"CRLTimeoutPeriod "=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"AllowCertificatesWithNoEKU"=dword:00000001
"AllowSignatureOnlyKeys"=dword:00000001
"ForceReadingAllCertificates"=dword:00000001
Same notes on regkeys as above, for the newest eID’s only ForceReadingAllCertificates is really required.
ForceReadingAllCertificates is needed because the smart card contains 2 certs.
Windows Logon
You can use a eID for regular logon on a physical machine (with a reader – think cherry keyboard or terminals)
On the lock screen, logon but select smart card.
Rest should be self explanatory.
RDP host
It’s best to set an gateway in between, as NLA sometimes blocks smart card logon (or disable NLA, but not recommended).
Under normal operations, use mstsc to connect to an RDP, in the authentication windows select the correct smart card (authentication) and logon.
Once connected, you’ll notice a 1-4 seconds delay, just give it some time to tunnel the reader over the rdp connection and logon will occur.
On the computer you are using to connect to the RDP server, also set the registry keys and install the eID middleware (driver for the smart card), see below for more info.
IIS
To be updated…
Basically use the iisClientCertificateMappingAuthentication
, which needs to installed as an additional feature, and us that from there on. It’s also possible to cover the mapping directly in asp. Will update this part if I find some time.
Client
The machine you’re actually working on, and connecting to the servers above.
Install the eID middleware, download from https://eid.belgium.be/
The chip on the eID itself contains 2 certificates: 1 meant for signing, 1 for authenticating.
By default, Windows only reads the 1 certificate on a smart card, and tries to use that one to authenticate. On the Belgium eID’s, this is the signing one. (plus, with pre-2017 certificates, it has a wrong EKU). So we need to configure the Windows Client to actually read both certificates and allow certificates without EKU… (Note, in the 2017 eID’s the correct EKU, client authentication, is actually set, but still on the 2nd certificate)
Registry keys!
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"AllowCertificatesWithNoEKU"=dword:00000001
"AllowSignatureOnlyKeys"=dword:00000001
"ForceReadingAllCertificates"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"CRLTimeoutPeriod "=dword:00000001
Also, same comments on regkeys as earlier.
Limitations
There are some limitations for this solution, such as the certificate-user mapping process, deployment of eID certificates to servers, exceptions when someone lost his eID, etc…
At tSF we did try to fix those limitations, using extra policies when a user forgot their smart card and give them an exception on the authentication policy, and by building some extra tools to manage all this way easier.
But of course I can’t share those… =)
Other way around, if you’re interested, you’re always free to contact tSF: https://www.thesecurityfactory.be 😉