Ok, let’s get it over with. Once and for all a decent how-to to setup Authentication Mechanism Assurance (AMA) in Active Directory Domain Services…
The last time I talked about this, is when I just found out of it existence at techet, in a talk by Hasain Alshakarti and Marcus Murray .
It basically shows a difference in group memberships between logging in using a regular username/password , and logging in using smarcards. If you login with a password you’ll become a normal user, when you logon with a smartcard you’re an admin! 🙂
The Microsoft step-by-step guide however is a bit long, and a bit clumsy… So here a quick rewrite 🙂
➡ Required components: a Windows Server, a PKI (or the default one in ADDS whatever), and some time.
First, we’ll have to create a new certificate template.
Open the certificate template management console, and go to the templates.
Lets start by duplicating the “smartcard logon” one. Choose 2008R2 for everything.
This default template should be good, 1 little thing needs to change.
Open the template, go to the extensions tab. And you see the issuance policies. Here you’ll need to add a new one.
Give it some useful name, for example “server admin” or whatever.
This extra extension will now go into the actual enrolled certificate…
Next we’ll need to teach the ADDS how to map that extension to an actual Security Group. This can be done using the weird PowerShell script provided by Microsoft, but let’s do it manually here (it goes way faster!)
The link between the OID we just created and a security group is a policy defined in the regular SYSTEM partition of ADDS. Open it either using ADSIEDIT or the Sites and Services mmc.
Ofcourse we’re working with the Public Key Services, OID config, and there are all the policies stored. We’re looking for the OID of the policy we created earlier (add the “displayname” to the mmc-colums to make your life easier).
If you’ve found the correct object, rightmouseclick it, open attributes, and search for the “msDS-OIDToGroupLink” attribute.
⭐ This is the magic attribute ⭐
Fill in the DN of the security group.
And you’re good to go!
Next steps are of course the enrollment and issuance of the CA template to the correct users. But I hope you know how that works 😉
From here on you can either put it in a Virtual Smart Card, and start using it!