SECO Whitepaper. SuisseID Smart Card Logon Configuration Guide. Prepared for SECO. Publish Date 19.05.2010. Version V1.0

SECO Whitepaper
SuisseID Smart Card Logon Configuration Guide

Prepared for: SECO
Publish Date: 19.05.2010
Version: V1.0
Prepared by: Martin Sieber (Microsoft)
Contributors: Kunal Kodkani (Microsoft)

Template Version March 2010

Revision and Signoff Sheet

Change Record

| Date | Author | Version | Change reference |
|---|---|---|---|
| | M.Sieber | 0.1 | Initial draft for review/discussion within Microsoft |
| | M. Sieber | 0.6 | Updated document with the SECO template |
| | A.Keller | 0.9 | Additions to SuisseID template |
| | M.Sieber | 0.93 | Implemented internal feedback, changed suisseid.local to upn.suisseid.ch |
| | A.Keller | 0.95 | Official draft for SECO |
| | M.Sieber | 1.0 | Integration DRAFT Feedback |

Reviewers

| Name | Version approved | Position | Date |
|---|---|---|---|
| A.Keller | 0.9 | Engagement Manager MSFT | |

Acceptance

| Name | Version approved | Position | Date |
|---|---|---|---|
| U. Bürge | 1.0 | PL SECO SuisseID | |

MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, our provision of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The descriptions of other companies' products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.

Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

1. Table of Contents

Introduction
    About this guide
    Reasons to use Smart Card Logon with SuisseID
    Technical Overview on Smart Card Logon
    Limitations and Restrictions
Overview on SuisseID Installation
General Preparation Steps
    SuisseID
    Client
    Network (Internet Access for Domain Controllers)
Active Directory Certificate Authority on Windows Server 2003 R2
    Installation of Certification Authority
    Configure the Certification Authority to issue Domain Controller certificates only
    Configure Autoenrollment of DC certificates
Active Directory Certificate Services on Windows Server 2008 or higher
    Install Active Directory Certificate Services
    Configure Active Directory Certificate Services
    Configure Autoenrollment of DC certificates
Preparation steps to enable SuisseID in a Windows 2003 R2 AD
    Publish the root CA certificate to the DS Trusted Root store
    Publish the issuing CA certificate to the NTAuth Store
    Install the SwissSign Root CA certificate as a "Trusted Root Certificate Authority" for contoso.com
    Allow upn.suisseid.ch as Alternative UPN Suffix
    Changing the UPN of a specific user object using AD Users and Computers
Preparation steps to enable SuisseID in a Windows Server 2008 AD
    Publish the root CA certificate to the DS Trusted Root store
    Publish Issuing CA certificate to the NTAuth Store
    Install the SwissSign Root CA certificate as a "Trusted Root Certificate Authority" for contoso.com
    Map SuisseID to Active Directory User object using Alternate Security ID
    Adding upn.suisseid.ch as the Alternative UPN suffix

SECO Whitepaper - SuisseID Smart Card Logon Configuration Guide (V1.0) page 2 of 48

    Changing the UPN of the specific user object using AD Users and Computers
Troubleshooting Steps
    Certificate and configuration problems
    Revocation checking problems
    Other Issues
Appendix A - Abbreviations used in the Document
Appendix B - References

1 Introduction

1.1 About this guide

The goal of this guide is to help an IT professional implement Smart Card Logon (or token-based logon) using the SuisseID authentication system. The target audience does not consist of security experts, but rather IT professionals who are responsible for an Active Directory day after day and have the task of enabling users to log on with SuisseID. This guide contains only a short overview of the Smart Card Logon process, and technical details on the SuisseID smart cards are shown only as far as needed for the implementation.

1.2 Reasons to use Smart Card Logon with SuisseID

One of the big challenges for today's organizations is the management of passwords. People forget passwords, use the same password for different services, or use weak passwords per se. This results in loss of productivity, higher helpdesk costs and/or reduced security.

Imagine if users no longer needed to remember complex passwords but could still log in securely. The SuisseID authentication system using smart cards or tokens could provide such a solution.

Windows allows the use of Smart Cards such as SuisseID to log on: the user inserts the Smart Card and enters a PIN (the equivalent of a short password). The Smart Card PIN doesn't need to be complex and there is no strong requirement to change the PIN.

Despite being much simpler to use, Smart Card authentication is more secure than authentication with user name and password: with a password, it is sufficient for an attacker to know your user name and password; with a Smart Card, the attacker needs to possess the token and needs to know the PIN. Therefore Smart Card Logon is called two-factor authentication or strong authentication.

Smart Card Logon adds additional security to the identity management process, but is in most cases more comfortable for the user, because the user has no need to maintain and remember complex passwords.

Smart Cards are normally issued to users of an organization that maintains its own Public Key Infrastructure (PKI). SuisseID Smart Cards, issued by a public PKI, combine the benefits of strong authentication (and other PKI functionality) without adding the costs of an own PKI that deals with user certificates and hardware tokens. SuisseID therefore allows an organization to implement strong authentication with minimum initial effort.

1.3 Technical Overview on Smart Card Logon

This section explains at a high level how Smart Card Logon works with a SuisseID.¹ We assume the systems are configured correctly as explained in later sections of this white paper. The term "Windows clients" may refer to both client and server operating systems, depending on where the user performs a Smart Card Logon.

Overview:

a) The user inserts the SuisseID in the USB slot or Smart Card reader (depending on the form factor of the SuisseID) and enters the PIN.
b) The Windows client tries to access the Smart Card using the PIN provided by the user.
c) If successful, the Windows client builds a request containing the SuisseID Authentication certificate and digitally signs it with the private key of that certificate. The signed request is sent to the Windows Domain Controller (DC).
d) The DC verifies the signature and checks the validity of the SuisseID Authentication certificate. Further, the DC tries to map the SuisseID to a user account.
e) If successful, the DC replies with a message signed with the DC certificate and encrypted with the public key of the SuisseID Authentication certificate.
f) The Windows client decrypts the message using the private key of the SuisseID Authentication certificate, verifies the signature and checks the validity of the DC certificate. The logon succeeds.

This description already shows the main conditions for making Smart Card Logon with SuisseID possible:

- Users have a valid SuisseID according to the specification.
- The Windows clients have the necessary drivers installed to support the respective SuisseID Smart Card / reader or USB token.
- The DCs have a valid DC certificate. They trust the SuisseID certificates and can verify the validity of the user certificates (using the CRL).
- The Windows clients trust the DC certificates and can check their validity.
- The DCs are able to map each SuisseID to a Windows user account.

¹ See Guidelines for enabling smart card logon with third-party certification authorities [1]

In the next chapters, we'll provide more details about these conditions.

1.4 Limitations and Restrictions

Since this version of the white paper was written before the official SuisseID launch, we tested the steps using SuisseID test tokens from SwissPost SwissSign.

In this guide we use the fictitious organization Contoso to name, for example, the Active Directory forest and the CAs. Please determine the appropriate names of these objects before starting with the configuration.

Enabling Smart Card Logon requires several steps that change sensitive areas of the Active Directory environment. While every precaution has been taken during creation of this white paper to ensure a smooth transition, Microsoft makes no warranties as to the information in this paper.

2. Overview on SuisseID Installation

Enabling Smart Card Logon requires several steps which need to be documented on each target environment. We dedicate one chapter per step and environment. Here we provide an overview of the steps described in greater detail in subsequent chapters.

| Description | Platform | Chapter |
|---|---|---|
| Outlines the requirements on the SuisseID Smart Cards, the client and Internet connectivity of the DCs. | all platforms | 3 General Preparation Steps |
| Describes how to install a CA that provides certificates for the DCs. In case there's a preexisting Windows Enterprise CA that provides DC certificates this step is NOT needed, please refer to the introduction of chapters 5 and 6. | Windows Server 2003 / Windows Server 2003 R2 | 4 Certification Authority on Windows Server 2003 R2 |
| (as above) | Windows Server 2008 (or later) | 5 Active Directory Certificate Services on Windows Server 2008 or higher |
| Describes configuration steps on Active Directory to enable a specific user to log on with SuisseID. | Windows Server 2003 / Windows Server 2003 R2 | 6 Preparation steps to enable SuisseID in a Windows 2003 R2 AD |
| (as above) | Windows Server 2008 DCs (or later) | 7 Preparation steps to enable SuisseID in a Windows Server 2008 AD |

Usually, only the instructions of two or three chapters need to be followed, depending on whether there's already an Enterprise CA available for issuing DC certificates.

3. General Preparation Steps

3.1 SuisseID

To ensure your SuisseID Smart Cards are compatible with Smart Card Logon in your environment, please consult the following table:

| | Some Windows XP clients | Only Windows Vista (or later) clients |
|---|---|---|
| Some DCs on Windows Server 2003 | UPN mandatory | UPN mandatory |
| All DCs running Windows Server 2008 or later | UPN mandatory | UPN optional |

The UPN is an optional certificate attribute used for mapping a certificate to a specific Active Directory user. If there are clients running Windows XP OR DCs running Windows Server 2003, the SuisseID MUST contain the UPN attribute. In this case, please check with your provider when ordering the SuisseIDs to make sure they'll contain a UPN.

All users must be equipped with a valid SuisseID before they can start using it for Smart Card Logon. Some vendors may request you to finalize the SuisseID on your workstation. Make sure you follow the necessary steps for all SuisseID tokens being used.

3.2 Client

The clients need to be equipped with the drivers and application programs that your SuisseID supplier has provided. Smart Card Logon is only possible on Windows clients joined to the domain, i.e. standalone machines or other operating systems are not supported.

SuisseIDs currently can be issued by any of the four designated ID providers (BIT, QuoVadis, Swisscom, Swiss Post SwissSign). The available form factors and the manufacturer of the tokens differ from provider to provider. The Smart Card readers are also chosen by the providers. There will therefore be several different form factors of tokens and smart card readers, manufactured by different parties. Along with the SuisseID the user will receive drivers and CSP software with appropriate instructions.

For example, the drivers and CSP software for SuisseIDs and smart card readers issued by Swiss Post can be downloaded at https://postzertifikat.ch/installationssoftware. The software is available for Windows 7 / Windows Vista and Windows XP, both in 32-bit and 64-bit versions.

3.3 Network (Internet Access for Domain Controllers)

All DCs need to be able to download the CRLs for all SuisseIDs that will be in use. Please be aware that each SuisseID provider has several URLs from which CRLs need to be downloaded. Keep in mind that the CRLs are downloaded by the machine accounts of the DCs.

4. Active Directory Certificate Authority on Windows Server 2003 R2

As a prerequisite for Smart Card Logon all Domain Controllers need a valid Domain Controller certificate. An organization may choose between the following options to provide these certificates:

1) Issue the Domain Controller certificates with a preexisting Enterprise CA.
2) Buy them from a public CA.
3) Install a new Enterprise CA as outlined in this chapter for issuing the certificates.

Disclaimer: The following description serves only as a technical illustration of installing an Enterprise CA. We strongly recommend following best practice when implementing a PKI.

This chapter describes how to install a Certificate Authority (CA) on Windows Server 2003 R2 and configure it to issue Domain Controller certificates.

4.1 Installation of Certification Authority

Roles and resources
Role: Enterprise Admin
Resource: A Windows 2003 R2 DC or an adequately protected member server

1. Start -> Control Panel -> Add or Remove Programs
2. Select Add/Remove Windows Components
3. Select Certificate Services
4. Read and click Yes to accept the warning message
5. Confirm that Enterprise root CA is selected and click Next
6. Enter the Common name for the CA, e.g. "Contosonet Domain Controller CA" (choose an appropriate name for your organization)
7. Click Next
8. Verify the path of the CA database and log files and click Next
9. Click Next
10. Click OK to accept the warning
11. Click Finish

4.2 Configure the Certification Authority to issue Domain Controller certificates only

Roles and resources
Role: Enterprise Admin
Resource: none

Action to be performed on the machine that contains the newly installed Certification Authority

1. Start the Certificate Authority console by selecting Start -> Administrative Tools -> Certificate Authority
2. Expand the Contosonet Domain Controller CA
3. Click on Certificate Templates to display the issuable certificate templates in the right pane
4. Use the Control key and select all the certificate templates except Domain Controller Authentication
5. Right click in the selection and select Delete
6. Confirm the dialog "Are you sure you want to disable the selected certificate template(s) on this Certificate Authority" by selecting Yes
7. Verify that only Domain Controller Authentication appears under the issuable Certificate Templates

4.3 Configure Autoenrollment of DC certificates

This section illustrates how to update the Domain Controllers Policy to allow autoenrollment of machine certificates. Generally it's recommended to manage GPOs with the Group Policy Management Console (GPMC). Since this is an optional component, we describe an option that works without GPMC.

Roles and resources
Role: Enterprise Admin
Resource: none

Action to be performed on a machine that has Group Policy Management Console or Active Directory Users and Computers installed

1. Start -> Administrative Tools -> Active Directory Users and Computers
2. Right click on the OU Domain Controllers and select Properties
3. Select the Group Policy tab
4. Select the Domain Controllers Policy and click on the Edit button to start the Group Policy Object Editor
5. Expand Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies and right click Autoenrollment Settings
6. Make sure Enroll certificates automatically is selected
7. Activate Renew expired certificates, update pending certificates and remove revoked certificates
8. Activate Update certificates that use certificate templates
9. Click OK and close the Group Policy Object Editor
10. Click OK and close the Active Directory Users and Computers console

The domain controllers in the contoso.net domain will automatically enroll for domain controller certificates after the next Group Policy update. To speed this up, you can also start the command prompt on the domain controller and type the following commands:

    C:\> gpupdate /force      (This will force a group policy update)
    C:\> certutil -pulse      (This will trigger the autoenrollment process)

To verify that your DC has a new domain controller authentication certificate, use the following command:

    C:\> certutil -dcinfo     (Verify that there is at least 1 KDC certificate for each domain controller)

5. Active Directory Certificate Services on Windows Server 2008 or higher

As a prerequisite for Smart Card Logon all Domain Controllers need a valid Domain Controller certificate. An organization may choose between the following options to provide these certificates:

1) Issue the Domain Controller certificates with a preexisting Enterprise CA.
2) Buy them from a public CA.
3) Install a new Enterprise CA as outlined in this chapter for issuing the certificates.

Disclaimer: The following description serves only as a technical illustration of installing an Enterprise CA. We strongly recommend following best practice when implementing a PKI.

This chapter describes how to install Active Directory Certificate Services on Windows Server 2008 or higher and configure it to issue domain controller certificates.

5.1 Install Active Directory Certificate Services

Roles and resources
Role: Enterprise Admin
Resource: A Windows 2008 R2 DC or member server that's adequately protected

1. Start Server Manager
2. Select "Roles", right-click "Add Roles"
3. Click Next
4. Select the Active Directory Certificate Services role
5. Click Next twice
6. Verify that only Certification Authority is selected and click Next
7. Verify that Enterprise is selected and click Next
8. Verify that Root CA is selected and click Next
9. Verify that Create a new private key is selected and click Next
10. Click Next
11. Click Next
12. Click Next
13. Click Next
14. Note the warning and click Install
15. Click Close

5.2 Configure Active Directory Certificate Services

Roles and resources
Role: Enterprise Admin
Resource: none

Action to be performed on the machine that contains the newly installed Active Directory Certificate Services

1. On the Server Manager Console expand Roles -> Active Directory Certificate Services -> CA contoso-dc1-ca -> Certificate Templates
2. Use the Control key and select all the certificate templates except Domain Controller Authentication
3. Right click in the selection and select Delete
4. Confirm the dialog "Are you sure you want to disable the selected certificate template(s) on this Certificate Authority" by selecting Yes
5. Verify that only Domain Controller Authentication appears under the issuable Certificate Templates

5.3 Configure Autoenrollment of DC certificates

Roles and resources
Role: Enterprise Admin
Resource: none

Action to be performed on each Domain Controller.

1. Select Computer -> Windows Settings -> Security Settings and click on Public Key Policies
2. In the right-hand pane double click Certificate Services Client Auto-Enrollment
3. Change the configuration mode from Not Configured to Enabled
4. Select Renew expired certificates, update pending certificates, and remove revoked certificates
5. Select Update certificates that use certificate templates
6. Click OK
7. Close Group Policy Editor and Server Manager.

The Domain Controllers in contoso.com will autoenroll for a new certificate after the next Group Policy update.

6. Preparation steps to enable SuisseID in a Windows 2003 R2 AD

This chapter shows how to prepare a Windows Server 2003 Active Directory to use SuisseID for Smart Card Logon. As explained in chapter 3.1, the SuisseIDs MUST contain a UPN with DCs running Windows Server 2003 R2, no matter what clients are in place.

The chapter explains in greater detail the following steps:

- Publish the root CA certificate to the DS Trusted Root store
- Publish the issuing CA certificate to the NTAuth Store
- Install the SwissSign Root CA certificate as a "Trusted Root Certificate Authority" for contoso.net
- Allow upn.suisseid.ch as Alternative UPN suffix
- Map SuisseID to a user using the UPN (repeat per user)

6.1 Publish the root CA certificate to the DS Trusted Root store

Roles and resources
Role: Enterprise Admin
Resource: root CA certificate file Platinum_G2.der

1. Log on to the domain controller in the forest with Enterprise Admin privileges.
2. Start cmd prompt
3. Run

    certutil -f -dspublish <RootCAFileName> RootCA

4. Verify that the command ran successfully

6.2 Publish the issuing CA certificate to the NTAuth Store

Roles and resources
Role: Enterprise Admin
Resource: Issuing CA certificate file SuisseID_Platinum_G2.der

1. Log on to the domain controller in the forest with Enterprise Admin privileges.
2. Start cmd prompt
3. Run

    certutil -f -dspublish <IssuingCAFileName> NTAuthCA

4. Verify that the command ran successfully

6.3 Install the SwissSign Root CA certificate as a "Trusted Root Certificate Authority" for contoso.com

Roles and resources
Role: Enterprise Admin
Resource: Root CA certificate Platinum_G2.der

Action to be performed on a machine in the contoso.com domain where Group Policy Management console is installed

1. Log on to DC1
2. Click Start -> Administrative Tools -> Active Directory Users and Computers
3. Right click on domain contoso.net and select Properties
4. Select the Group Policy tab
5. Select the "Default Domain Policy" and click on the Edit button
6. Navigate to Computer Configuration - Policies - Windows Settings - Security Settings - Public Key Policies - Trusted Root Certificate Authorities
7. Right click and select Import
8. Follow the Certificate Import Wizard
9. Click Next
10. Browse to select the SwissSign Root CA file (Platinum_G2.der) and click Next
11. Click Next and Finish to complete the Certificate Import Wizard
12. If the wizard is successful you will see "The import was successful"
13. Close the Group Policy Management Editor
14. Close the Group Policy Management Console

All clients and servers will receive this setting at the next GPO refresh. Without reboot, this may take about 90 minutes.

6.4 Allow upn.suisseid.ch as Alternative UPN Suffix

Roles and resources
Role: Enterprise Admin
Resource: The UPN suffix of a SuisseID certificate is specified as upn.suisseid.ch

Action to be performed on a machine in the forest contoso.com domain where Active Directory Domains and Trusts console is available

1. Click Start -> Administrative Tools -> Active Directory Domains and Trusts console
2. Right click Active Directory Domains and Trusts and select Properties
3. Type upn.suisseid.ch and click Add
4. Click OK to add upn.suisseid.ch as the Alternative UPN suffix
5. Close the Active Directory Domains and Trusts window

6.5 Changing the UPN of a specific user object using AD Users and Computers

This step needs to be repeated for each user whose SuisseID contains a UPN.

Roles and resources
Role: Enterprise Admin
Resource: The UPN suffix of a SuisseID certificate is specified as *upn.suisseid.ch. E.g. the sample UPN in the certificate of Hans Muster is

Action to be performed on a machine in the forest contoso.com domain where Active Directory Domains and Trusts console is available

1. Click Start -> Administrative Tools -> Active Directory Users and Computers console
2. Find the user object to whom you want to match the SuisseID e.g. Hans Muster
3. Double-click Hans Muster
4. Click on the Account tab
5. Change the User logon name to Change the suffix to upn.suisseid.ch using the drop-down menu
6. Click OK to complete the change
7. Close the Active Directory Users and Computers console

7. Preparation steps to enable SuisseID in a Windows Server 2008 AD

This chapter shows how to prepare a Windows Server 2008 or higher Active Directory to use SuisseID for Smart Card Logon. Please consider the following information regarding the UPN in SuisseIDs:

- As explained in chapter 3.1, the SuisseIDs MUST contain a UPN with Windows Server 2008 (or higher) DCs if there are still Windows XP clients in place.
- SuisseIDs used on Windows Vista or later and authenticating against Windows Server 2008 DCs are supported with and without a UPN.
- To map a SuisseID without a UPN to a specific user account, the Alternate Security ID method can be used.
- If a SuisseID contains a UPN, the mapping will always be based on the UPN, i.e. the Alternate Security ID method will be ignored.

The chapter explains in greater detail the following steps:

- Publish the root CA certificate to the DS Trusted Root store
- Publish the issuing CA certificate to the NTAuth Store
- Install the SwissSign Root CA certificate as a "Trusted Root Certificate Authority" for contoso.com
- Map SuisseID to Active Directory User object using Alternate Security ID
- Map SuisseID to Active Directory user object using UPN

7.1 Publish the root CA certificate to the DS Trusted Root store

Roles and resources
Role: Enterprise Admin
Resource: root CA certificate file SwissSign Root CA.cer

1. Log on to the domain controller in the forest with Enterprise Admin privileges.
2. Start cmd prompt
3. Run

    certutil -f -dspublish <RootCAFileName> RootCA

4. Verify that the command ran successfully


7.2 Publish Issuing CA certificate to the NTAuth Store

Roles and resources
Role: Enterprise Admin
Resource: Issuing CA certificate file SwissSign Issuing CA.cer

1. Log on to the domain controller in the forest with Enterprise Admin privileges.
2. Start cmd prompt
3. Run

    certutil -f -dspublish <IssuingCAFileName> NTAuthCA

4. Verify that the command ran successfully

7.3 Install the SwissSign Root CA certificate as a "Trusted Root Certificate Authority" for contoso.com

Roles and resources
Role: Enterprise Admin
Resource: Hans Muster's SuisseID certificate file Hans Muster.cer

Action to be performed on a machine in the contoso.com domain where Group Policy Management console is installed

1. Log on to a Domain Controller.
2. Click Start, type Group Policy in the Search programs and files box and click on "Group Policy Management" to start the console
3. Open the "Default Domain Policy" by right clicking and selecting "Edit"
4. Navigate to Computer Configuration - Policies - Windows Settings - Security Settings - Public Key Policies - Trusted Root Certificate Authorities
5. Right click and select Import
6. Follow the Certificate Import Wizard
7. Click Next
8. Browse to select the SwissSign Root CA certificate
9. Click Open
10. Click Next twice
11. Click Next and Finish to complete the Certificate Import Wizard
12. Check for the message "The import was successful"
13. Close the Group Policy Management Editor
14. Close the Group Policy Management Console

All clients and servers will receive this setting at the next GPO refresh. Without reboot, this may take about 90 minutes.

7.4 Map SuisseID to Active Directory User object using Alternate Security ID

Smart card logon with the Alternate Security ID mapping method will only work for Windows Vista and Windows 7 clients.

Smart card logon with the Alternate Security ID mapping method will only work if there is no UPN in the SuisseID certificate.

This step needs to be repeated for each user.

Roles and resources
Role: Domain Admin
Resource: Hans Muster's SuisseID certificate file Hans Muster.cer

1. Start Active Directory Users and Computers console
2. Find the user object to whom you want to match the SuisseID e.g. Hans Muster
3. Right click the user object and select Name Mappings
4. Click Add, browse to the certificate file Hans Muster.cer and click Open
5. Verify that the Use Subject for alternate security identity checkbox is selected and click OK twice

7.5 Adding upn.suisseid.ch as the Alternative UPN suffix

This step needs to be done if one or more SuisseIDs contain a UPN.

Roles and resources
Role: Enterprise Admin
Resource: The UPN suffix of a SuisseID certificate is specified as *upn.suisseid.ch

Action to be performed on a machine in the forest contoso.com domain where Active Directory Domains and Trusts console is available

1. Start the Active Directory Domains and Trusts console
2. Right click Active Directory Domains and Trusts and select Properties
3. Type upn.suisseid.ch and click Add
4. Click OK to add upn.suisseid.ch as the Alternative UPN suffix
5. Close the Active Directory Domains and Trusts window

7.6 Changing the UPN of the specific user object using AD Users and Computers

This step needs to be repeated for each user whose SuisseID contains a UPN.

Roles and resources
Role: Enterprise Admin
Resource: The UPN suffix of a SuisseID certificate is specified as *upn.suisseid.ch. E.g. the sample UPN in the certificate of Hans Muster is

Action to be performed on a machine in the forest contoso.com domain where Active Directory Domains and Trusts console is available

1. Start Active Directory Users and Computers console
2. Find the user object to whom you want to match the SuisseID e.g. Hans Muster
3. Double-click Hans Muster
4. Click on the Account Tab

5. Change the User logon name to
   Change the suffix to upn.suisseid.ch using the drop-down menu
6. Click OK to complete the change
7. Close the Active Directory Users and Computers console
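The changes from 7.5 and 7.6 can also be scripted. The following is an added example, not part of the original guide: it reads the UPN from the certificate file, adds its suffix to the forest if it is missing, and sets the user's UPN to match. It assumes the ActiveDirectory PowerShell module, an English-language Windows installation (the SAN label "Principal Name"), and a hypothetical account name hmuster.

```powershell
# Added example, not part of the original guide.
# Assumptions: ActiveDirectory module available, English-language Windows
# (SAN label "Principal Name"), placeholder certificate path and account name.
param(
    [string]$CertPath       = '.\Hans Muster.cer',  # certificate file named in the guide
    [string]$SamAccountName = 'hmuster'             # hypothetical account name
)

Import-Module ActiveDirectory

function Get-CertificateUpn {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Subject Alternative Name extension (OID 2.5.29.17)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    # Windows renders the UPN otherName as "Principal Name=user@suffix"
    if ($san.Format($false) -match 'Principal Name=([^,\s]+)') { return $Matches[1] }
    return $null
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (Resolve-Path -LiteralPath $CertPath).Path
$upn = Get-CertificateUpn -Certificate $cert
if (-not $upn) {
    throw 'The certificate contains no UPN: use the Alternate Security ID mapping (7.4) instead.'
}
$suffix = ($upn -split '@', 2)[1]
if ($suffix -notlike '*upn.suisseid.ch') {
    Write-Warning "UPN suffix '$suffix' does not match *upn.suisseid.ch as described in the guide."
}

# 7.5: add the alternative UPN suffix to the forest if it is not there yet
# (requires Enterprise Admin, as stated in the guide).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $suffix }
}

# 7.6: a UPN can only identify one account, so refuse to assign it twice.
# This query covers the current domain; query a global catalog for the whole forest.
$clash = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" |
         Where-Object { $_.SamAccountName -ne $SamAccountName }
if ($clash) {
    throw "UPN is already assigned to: $($clash.SamAccountName -join ', ')"
}
Set-ADUser -Identity $SamAccountName -UserPrincipalName $upn

# Show the result so it can be compared with the certificate
Get-ADUser -Identity $SamAccountName | Select-Object SamAccountName, UserPrincipalName
```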

8. Troubleshooting Steps

Smart Card Logon can fail for several reasons. This chapter provides a few troubleshooting steps that might solve the issue.

8.1 Certificate and configuration problems

The most common error message seen at Smart Card Logon is:

"The system could not log you on. Your credentials could not be verified."

This generic error message can be the result of one or more of several issues. The following steps can help you to resolve them (footnote 2):

- Check whether the domain controller has a valid domain controller certificate; if it does not, request a new domain controller certificate.
- Make sure the Smart Card has a trusted certificate by importing the issuing CA into the NTAuth store.
- Make sure the Root CA of the Smart Card certificate is trusted by importing it into the Trusted Root store.
- Verify that the SuisseID certificate is still valid.
- When running on Windows XP or authenticating against Windows Server 2003 DCs, verify that the SuisseID certificate contains a UPN.
- If the Smart Card has a UPN, make sure the user account in the AD has the same UPN associated.

Footnote 2: Excerpt from Guidelines for enabling smart card logon with third-party certification authorities [1]

8.2 Revocation checking problems

If the revocation checking fails when the domain controller validates the Smart Card logon certificate, the domain controller denies the logon. The domain controller may return the error message mentioned earlier or the following error message:

"The system could not log you on. The Smart Card certificate used for authentication was not trusted."

The revocation check must succeed from both the client and the domain controller. Make sure the following are true:

- The CRL has a Next Update field and the CRL is up to date. You can check that the CRL is online at the CDP and valid by downloading it from Internet Explorer. You should be able to download and view the CRL from any of the HTTP CDPs in Internet Explorer from both the Smart Card workstation and the domain controller.
- Verify that each unique HTTP CDP that is used by a certificate in your enterprise is online and available.

To verify that a CRL is online and available from an HTTP CDP:

- To open the certificate in question, double-click the .cer file or double-click the certificate in the store.
- Click the Details tab, scroll down and select the CRL Distribution Point field.
- In the bottom pane, highlight the full HTTP URL and copy it.
- Open Internet Explorer and paste the URL into the Address bar.
- When you receive the prompt, select the option to Open the CRL.
- Make sure that there is a Next Update field in the CRL and the time in the Next Update field has not passed.

8.3 Other Issues

For issues with the smart card readers, refer to the appropriate guide (footnote 3) or consult the provider of your SuisseID. For other issues, we recommend opening a service request with Microsoft technical support or contacting your Microsoft partner.

Footnote 3: Smart Card Troubleshooting Guide [2]
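The trust, validity and revocation checks from 8.1 and 8.2 can be run from a script instead of through the certificate dialogs. The following is an added example, not part of the original guide: the function name is hypothetical, and it assumes Windows PowerShell 3.0 or later, a domain-joined machine, and English certutil output.

```powershell
# Added example, not part of the original guide. Run it on the smart card workstation
# AND on the domain controller: the revocation check must succeed on both.
function Test-SmartCardLogonCertificate {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$CertPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList (Resolve-Path -LiteralPath $CertPath).Path

    # 8.1: the SuisseID certificate must still be valid
    $now = Get-Date
    [pscustomobject]@{
        Check  = 'Validity period'
        Passed = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        Detail = "NotBefore=$($cert.NotBefore) NotAfter=$($cert.NotAfter)"
    }

    # Build the chain on this machine with online revocation checking
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    [void]$chain.Build($cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # 8.1: the root CA must be in the Trusted Root store
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Check  = 'Root CA trusted'
        Passed = ($flags -notcontains 'UntrustedRoot' -and $flags -notcontains 'PartialChain')
        Detail = $top.Subject
    }

    # 8.2: revocation status as seen from this machine
    $revocation = @($flags | Where-Object {
        'Revoked', 'RevocationStatusUnknown', 'OfflineRevocation' -contains $_ })
    [pscustomobject]@{
        Check  = 'Revocation check'
        Passed = ($revocation.Count -eq 0)
        Detail = ($revocation -join ', ')
    }

    # 8.1: the issuing CA must be in the NTAuth store. Domain members keep a
    # copy of that store under this registry key, one subkey per thumbprint.
    $ntAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
    if ($chain.ChainElements.Count -ge 2) {
        $issuer = $chain.ChainElements[1].Certificate
        [pscustomobject]@{
            Check  = 'Issuing CA in NTAuth store'
            Passed = (Test-Path (Join-Path $ntAuthKey $issuer.Thumbprint))
            Detail = $issuer.Subject
        }
    } else {
        [pscustomobject]@{
            Check  = 'Issuing CA in NTAuth store'
            Passed = $false
            Detail = 'Issuer certificate was not found while building the chain'
        }
    }

    # 8.2: every HTTP CDP in the certificate must be online and serve a current CRL
    $cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $urls = @()
    if ($cdp) {
        $urls = @([regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') |
                  ForEach-Object { $_.Groups[1].Value })
    }
    if ($urls.Count -eq 0) {
        [pscustomobject]@{ Check = 'HTTP CDP'; Passed = $false
                           Detail = 'No HTTP CRL Distribution Point in the certificate' }
    }
    foreach ($url in $urls) {
        $tmp = [System.IO.Path]::GetTempFileName()
        try {
            (New-Object System.Net.WebClient).DownloadFile($url, $tmp)
            # certutil prints the CRL fields; keep the Next Update line so it can be
            # compared with the current time, as in the last manual step above
            $next = & certutil.exe -dump $tmp | Select-String 'NextUpdate' | Select-Object -First 1
            [pscustomobject]@{ Check = "CRL download $url"; Passed = $true
                               Detail = "$next".Trim() }
        } catch {
            [pscustomobject]@{ Check = "CRL download $url"; Passed = $false
                               Detail = $_.Exception.Message }
        } finally {
            Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
        }
    }
}

# Usage (certificate file name as used in the guide):
# Test-SmartCardLogonCertificate -CertPath '.\Hans Muster.cer' | Format-Table -AutoSize -Wrap
```

A passed "CRL download" row only confirms that the CDP answered; the Next Update value in the Detail column still has to be in the future.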

Appendix A - Abbreviations used in the Document

AD    Active Directory
CA    Certificate Authority
CDP   CRL Distribution Point, HTTP or LDAP URL where the current CRL can be downloaded
CRL   Certificate Revocation List, list of certificates that were explicitly revoked by a CA
DC    Domain Controller
GPMC  Group Policy Management Console
GPO   Group Policy Object
KDC   Key Distribution Center, Kerberos terminology for a Domain Controller
PIN   Personal Identification Number, in case of Smart Cards this can often be a password
PKI   Public Key Infrastructure, system that provides certificates for machines or users
UPN   User Principal Name, e.g. or

Appendix B - References

[1] Guidelines for enabling smart card logon with third-party certification authorities <
[2] Smart Card Troubleshooting Guide <http://technet.microsoft.com/en-us/library/dd979536(ws.10).aspx>
[3] Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) <http://www.ietf.org/rfc/rfc4556.txt>


More information

Bosch ReadykeyPRO Unlimited Installation Guide, product version 6.5. This guide is item number DOC-110-2-029, revision 2.029, May 2012.

Bosch ReadykeyPRO Unlimited Installation Guide, product version 6.5. This guide is item number DOC-110-2-029, revision 2.029, May 2012. Bosch ReadykeyPRO Unlimited Installation Guide, product version 6.5. This guide is item number DOC-110-2-029, revision 2.029, May 2012. Copyright 1995-2012 Lenel Systems International, Inc. Information

More information

Shakambaree Technologies Pvt. Ltd.

Shakambaree Technologies Pvt. Ltd. Welcome to Support Express by Shakambaree Technologies Pvt. Ltd. Introduction: This document is our sincere effort to put in some regular issues faced by a Digital Signature and USB Token user doing on

More information

Yale Software Library

Yale Software Library Yale Software Library http://www.yale.edu/its/software/ For assistance contact the ITS Help Desk 203-432-9000, helpdesk@yale.edu Two-factor authentication: Installation and configuration instructions for

More information

Integrating LANGuardian with Active Directory

Integrating LANGuardian with Active Directory Integrating LANGuardian with Active Directory 01 February 2012 This document describes how to integrate LANGuardian with Microsoft Windows Server and Active Directory. Overview With the optional Identity

More information

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014 DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014 Contents Overview... 2 System requirements:... 2 Before installing... 3 Download and installation... 3 Configure DESLock+ Enterprise Server...

More information

Project management integrated into Outlook

Project management integrated into Outlook y Project management integrated into Outlook InLoox PM 7.x deployment via Group Policy An InLoox Whitepaper Published: October 2011 You can find up-to-date information at http://www.inloox.com The information

More information

Velocity Web Services Client 1.0 Installation Guide and Release Notes

Velocity Web Services Client 1.0 Installation Guide and Release Notes Velocity Web Services Client 1.0 Installation Guide and Release Notes Copyright 2014-2015, Identiv. Last updated June 24, 2015. Overview This document provides the only information about version 1.0 of

More information

Password Policy Enforcer

Password Policy Enforcer Password Policy Enforcer Evaluator s Guide V7.6 Copyright 1998-2013 ANIXIS. All rights reserved. ANIXIS, ANIXIS Password Reset, Password Policy Enforcer, PPE/Web, Password Policy Client, Password Policy

More information

Xcalibur Global Version 1.2 Installation Guide Document Version 3.0

Xcalibur Global Version 1.2 Installation Guide Document Version 3.0 Xcalibur Global Version 1.2 Installation Guide Document Version 3.0 December 2010 COPYRIGHT NOTICE TRADEMARKS 2010 Chip PC Inc., Chip PC (Israel) Ltd., Chip PC (UK) Ltd., Chip PC GmbH All rights reserved.

More information

ms-help://ms.technet.2005mar.1033/security/tnoffline/security/smbiz/winxp/fwgrppol...

ms-help://ms.technet.2005mar.1033/security/tnoffline/security/smbiz/winxp/fwgrppol... Page 1 of 16 Security How to Configure Windows Firewall in a Small Business Environment using Group Policy Introduction This document explains how to configure the features of Windows Firewall on computers

More information

How to Enable LDAP Directory Services Authentication to Microsoft Active Directory in the HP cclass Onboard Administrator

How to Enable LDAP Directory Services Authentication to Microsoft Active Directory in the HP cclass Onboard Administrator How to Enable LDAP Directory Services Authentication to Microsoft Active Directory in the HP cclass Onboard Administrator I. Certificate Services a. Install a Certificate Authority onto a Windows server

More information

TROUBLESHOOTING GUIDE

TROUBLESHOOTING GUIDE Lepide Software LepideAuditor Suite TROUBLESHOOTING GUIDE This document explains the troubleshooting of the common issues that may appear while using LepideAuditor Suite. Copyright LepideAuditor Suite,

More information

www.novell.com/documentation Installation Guide Novell Storage Manager 4.1 for Active Directory September 10, 2015

www.novell.com/documentation Installation Guide Novell Storage Manager 4.1 for Active Directory September 10, 2015 www.novell.com/documentation Installation Guide Novell Storage Manager 4.1 for Active Directory September 10, 2015 Legal Notices Condrey Corporation makes no representations or warranties with respect

More information

Exchange 2010 PKI Configuration Guide

Exchange 2010 PKI Configuration Guide Exchange 2010 PKI Configuration Guide Overview 1. Summary 2. Environment 3. Configuration a) Active Directory Configuration b) CA Configuration c) Exchange Server IIS Configuration d) Exchange Configuration

More information

ECA IIS Instructions. January 2005

ECA IIS Instructions. January 2005 ECA IIS Instructions January 2005 THIS PAGE INTENTIONALLY BLANK ECA IIS Instructions ii July 22, 2005 Table of Contents 1. Install Certificate in IIS 5.0... 1 2. Obtain and Install the ECA Root Certificate

More information

DIGIPASS CertiID. Getting Started 3.1.0

DIGIPASS CertiID. Getting Started 3.1.0 DIGIPASS CertiID Getting Started 3.1.0 Disclaimer Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis, without any other warranties, or conditions, express

More information

For Active Directory Installation Guide

For Active Directory Installation Guide For Active Directory Installation Guide Version 2.5.2 April 2010 Copyright 2010 Legal Notices makes no representations or warranties with respect to the contents or use of this documentation, and specifically

More information

NETWRIX EVENT LOG MANAGER

NETWRIX EVENT LOG MANAGER NETWRIX EVENT LOG MANAGER ADMINISTRATOR S GUIDE Product Version: 4.0 July/2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information