SECO Whitepaper. SuisseID Smart Card Logon Configuration Guide. Prepared for SECO. Publish Date 19.05.2010 Version V1.0




SECO Whitepaper
SuisseID Smart Card Logon Configuration Guide
Prepared for SECO
Publish Date: 19.05.2010
Version: V1.0
Prepared by: Martin Sieber (Microsoft)
Contributors: Kunal Kodkani (Microsoft)
Template Version: March 2010

Revision and Signoff Sheet

Change Record
Date      | Author    | Version | Change reference
11.3.2010 | M.Sieber  | 0.1     | Initial draft for review/discussion within Microsoft
22.3.2010 | M. Sieber | 0.6     | Updated document with the SECO template
24.3.2010 | A.Keller  | 0.9     | Additions to SuisseID template
30.3.2010 | M.Sieber  | 0.93    | Implemented internal feedback, changed suisseid.local to upn.suisseid.ch
31.3.2010 | A.Keller  | 0.95    | Official draft for SECO
23.4.2010 | M.Sieber  | 1.0     | Integration DRAFT Feedback

Reviewers
Name     | Version approved | Position                | Date
A.Keller | 0.9              | Engagement Manager MSFT | 24.3.2010
         | 1.0              |                         | 18.5.2010

Acceptance
Name     | Version approved | Position         | Date
U. Bürge | 1.0              | PL SECO SuisseID |

MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, our provision of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The descriptions of other companies' products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers. © 2010 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

1 Introduction ... 4
1.1 About this guide ... 4
1.2 Reasons to use Smart Card Logon with SuisseID ... 4
1.3 Technical Overview on Smart Card Logon ... 5
1.4 Limitations and Restrictions ... 6
2. Overview on SuisseID Installation ... 7
3. General Preparation Steps ... 8
3.1 SuisseID ... 8
3.2 Client ... 8
3.3 Network (Internet Access for Domain Controllers) ... 9
4. Active Directory Certificate Authority on Windows Server 2003 R2 ... 10
4.1 Installation of Certification Authority ... 10
4.2 Configure the Certification Authority to issue Domain Controller certificates only ... 14
4.3 Configure Autoenrollment of DC certificates ... 16
5. Active Directory Certificate Services on Windows Server 2008 or higher ... 19
5.1 Install Active Directory Certificate Services ... 19
5.2 Configure Active Directory Certificate Services ... 26
5.3 Configure Autoenrollment of DC certificates ... 27
6. Preparation steps to enable SuisseID in a Windows 2003 R2 AD ... 28
6.1 Publish the root CA certificate to the DS Trusted Root store ... 28
6.2 Publish the issuing CA certificate to the NTAuth store ... 29
6.3 Install the SwissSign Root CA certificate as a "Trusted Root Certificate Authority" for contoso.com ... 30
6.4 Allow upn.suisseid.ch as Alternative UPN Suffix ... 33
6.5 Changing the UPN of a specific user object using AD Users and Computers ... 34
7. Preparation steps to enable SuisseID in a Windows Server 2008 AD ... 36
7.1 Publish the root CA certificate to the DS Trusted Root store ... 36
7.2 Publish Issuing CA certificate to the NTAuth Store ... 38
7.3 Install the SwissSign Root CA certificate as a "Trusted Root Certificate Authority" for contoso.com ... 39
7.4 Map SuisseID to Active Directory User object using Alternate Security ID ... 41
7.5 Adding upn.suisseid.ch as the Alternative UPN suffix ... 42
7.6 Changing the UPN of the specific user object using AD Users and Computers ... 43
8. Troubleshooting Steps ... 45
8.1 Certificate and configuration problems ... 45
8.2 Revocation checking problems ... 45
8.3 Other Issues ... 46
Appendix A - Abbreviations used in the Document ... 47
Appendix B - References ... 48

19.05.2010 SECO Whitepaper - SuisseID Smart Card Logon Configuration Guide (V1.0) page 2 of 48

1 Introduction

1.1 About this guide

The goal of this guide is to help an IT professional implement Smart Card Logon (or token-based logon) using the SuisseID authentication system. The target audience does not consist of security experts, but rather of IT professionals responsible for an Active Directory day after day who have the task of enabling users to log on with SuisseID. This guide contains only a brief overview of the Smart Card Logon process, and technical details on the SuisseID smart cards are shown only as far as needed for the implementation.

1.2 Reasons to use Smart Card Logon with SuisseID

One of the big challenges for today's organizations is the management of passwords. People forget passwords, use the same password for different services or simply use weak passwords. This results in loss of productivity, higher helpdesk costs and/or reduced security. Imagine if users no longer needed to remember complex passwords, but could still log in in a secure way. The SuisseID authentication system using smart cards or tokens could provide such a solution.

Windows allows the use of Smart Cards such as SuisseID to log on: the user inserts the Smart Card and enters a PIN (the equivalent of a short password). The Smart Card PIN does not need to be complex and there is no strong requirement to change the PIN. Despite being much simpler to use, Smart Card authentication is more secure than authentication with user name and password: while it is sufficient for an attacker to know your user name and password, with a Smart Card the attacker needs to possess the token and also know the PIN. Therefore Smart Card Logon is called two-factor authentication or strong authentication. Smart Card Logon adds security to the identity management process, and is in most cases more comfortable for the user, because the user has no need to maintain and remember complex passwords.
Smart Cards are normally issued to users of an organization that maintains its own Public Key Infrastructure (PKI). SuisseID Smart Cards, issued by a public PKI, provide the benefits of strong authentication (and other PKI functionality) without adding the costs of an own PKI that deals with user certificates and hardware tokens. SuisseID therefore allows an organization to implement strong authentication with minimum initial effort.

1.3 Technical Overview on Smart Card Logon

This section explains at a high level how Smart Card Logon works with a SuisseID (1). We assume the systems are configured correctly as explained in later sections of this white paper. The term "Windows clients" may refer both to client and server operating systems, depending on where the user performs a Smart Card Logon.

Overview:
a) The user inserts the SuisseID into the USB slot or Smart Card reader (depending on the form factor of the SuisseID) and enters the PIN.
b) The Windows client tries to access the Smart Card using the PIN provided by the user.
c) If successful, the Windows client digitally signs a request containing the Authentication certificate of the SuisseID with that certificate. The signed request is sent to the Windows Domain Controller (DC).
d) The DC verifies the signature and checks the validity of the SuisseID Authentication certificate. Further, the DC tries to map the SuisseID to a user account.
e) If successful, the DC replies with a message signed with the DC certificate and encrypted with the public key of the SuisseID Authentication certificate.
f) The Windows client decrypts the message using the SuisseID Authentication certificate, verifies the signature and checks the validity of the DC certificate. The logon succeeds.

This description already shows the main conditions for making Smart Card Logon with SuisseID possible:
- Users have a valid SuisseID according to the specification.
- The Windows clients have the necessary drivers installed to support the respective SuisseID Smart Card / reader or USB token.
- The DCs have a valid DC certificate. They trust the SuisseID certificates and can verify the validity of the user certificates (using the CRL).
- The Windows clients trust the DC certificates and can check their validity.
- The DCs are able to map each SuisseID to a Windows user account.

(1) See Guidelines for enabling smart card logon with third-party certification authorities [1]

In the next chapters, we will provide more details about these conditions.

1.4 Limitations and Restrictions

Since this version of the white paper was written before the official SuisseID launch, we tested the steps using SuisseID test tokens from Swiss Post SwissSign. In this guide we use the fictitious organization Contoso to name e.g. the Active Directory forest and CAs. Please determine the adequate names of the objects before starting with the configuration. Enabling Smart Card Logon requires several steps that change sensitive areas of the Active Directory environment. While every precaution has been taken during creation of this white paper to ensure a smooth transition, Microsoft makes no warranties as to the information in this paper.

2. Overview on SuisseID Installation

Enabling Smart Card Logon requires several steps which need to be documented on each target environment. We dedicate one chapter per step and environment. Here we provide an overview of the steps described in greater detail in subsequent chapters.

Description | Platform | Chapter
Outlines the requirements on the SuisseID Smart Cards, the client and Internet connectivity of the DCs. | all platforms | 3 General Preparation Steps
Describes how to install a CA that provides certificates for the DCs. In case there is a preexisting Windows Enterprise CA that provides DC certificates this step is NOT needed; please refer to the introduction of chapters 5 and 6. | Windows Server 2003 / Windows Server 2003 R2 | 4 Certification Authority on Windows Server 2003 R2
(same as above) | Windows Server 2008 (or later) | 5 Active Directory Certificate Services on Windows Server 2008 or higher
Describes configuration steps on Active Directory to enable a specific user to log on with SuisseID. | Windows Server 2003 / Windows Server 2003 R2 DCs | 6 Preparation steps to enable SuisseID in a Windows 2003 R2 AD
(same as above) | Windows Server 2008 DCs (or later) | 7 Preparation steps to enable SuisseID in a Windows Server 2008 AD

Usually, only the instructions of two or three chapters need to be followed, depending on whether there is already an Enterprise CA available for issuing DC certificates.

3. General Preparation Steps

3.1 SuisseID

To ensure your SuisseID Smart Cards are compatible with Smart Card Logon in your environment, please consult the following table:

                                             | Some Windows XP clients | Only Windows Vista (or later) clients
Some DCs on Windows Server 2003              | UPN mandatory           | UPN mandatory
All DCs running Windows Server 2008 or later | UPN mandatory           | UPN optional

The UPN is an optional certificate attribute used for mapping a certificate to a specific Active Directory user. If there are clients running Windows XP OR DCs running Windows Server 2003, the SuisseID MUST contain the UPN attribute. In this case, please check with your provider when ordering the SuisseIDs to make sure they will contain a UPN.

All users must be equipped with a valid SuisseID before they can start using it for Smart Card Logon. Some vendors may require you to finalize the SuisseID on your workstation. Make sure you follow the necessary steps for all SuisseID tokens being used.

3.2 Client

The clients need to be equipped with the drivers and application programs that your SuisseID supplier has provided. Smart Card Logon is only possible on Windows clients joined to the domain, i.e. standalone machines or other operating systems are not supported.

SuisseIDs can currently be issued by any of the four designated ID providers (BIT, QuoVadis, Swisscom, Swiss Post SwissSign). The available form factors and the manufacturers of the tokens differ between providers. The Smart Card readers are also chosen by the providers. Therefore there will be several different form factors of tokens and smart card readers manufactured by different parties. Along with the SuisseID the user will receive drivers and CSP software with appropriate instructions. E.g. for Swiss Post issued SuisseIDs, the smart card reader and CSP software can be downloaded at https://postzertifikat.ch/installationssoftware. The software is available for Windows 7 / Windows Vista and Windows XP, in both 32 and 64 bit versions.

3.3 Network (Internet Access for Domain Controllers)

All DCs need to be able to download the CRLs for all SuisseIDs that will be in use. Please be aware that there are several URLs for each SuisseID provider from which CRLs need to be downloaded. Keep in mind that the CRLs are downloaded by the machine accounts of the DCs.
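The CRL requirement above can be checked on each DC before the first logon attempt. The following PowerShell script is an added example, not part of the guide; it assumes a SuisseID authentication certificate has been exported to C:\SuisseID\user-auth.cer (assumed path) and that certutil is on the path.

```powershell
# Added example (not part of the SECO guide): enumerate the CRL distribution
# points of a SuisseID authentication certificate and verify that each CRL
# can be downloaded from this domain controller. The certificate path is an
# assumption; export the authentication certificate from a SuisseID token first.
param(
    [string]$CertPath = "C:\SuisseID\user-auth.cer"
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.31 is the CRL Distribution Points extension. Format($true)
# renders it as text containing one "URL=..." entry per distribution point.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
if (-not $cdp) { throw "No CRL distribution point extension in $CertPath" }

$urls = @([regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value })
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "CRL URLs: $($urls.Count)"

$failed = 0
foreach ($url in $urls) {
    # ldap:// distribution points are only usable inside the issuing forest;
    # a public SuisseID CA publishes over HTTP, which is what the DC needs.
    if ($url -notmatch '^https?://') { Write-Host "SKIP    $url (not HTTP)"; continue }

    $wc = New-Object System.Net.WebClient
    # Use the proxy settings and credentials of the account running the
    # script. Run it as SYSTEM (e.g. from a scheduled task) to see exactly
    # what the DC's machine account sees, because that account fetches CRLs.
    $wc.UseDefaultCredentials = $true
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        $wc.DownloadFile($url, $tmp)
        # certutil understands CRL files; pull the validity window from the dump
        # so a stale CRL (NextUpdate in the past) is noticed as well.
        $dump = certutil -dump $tmp
        $next = $dump | Select-String 'NextUpdate' | Select-Object -First 1
        $nextText = if ($next) { $next.Line.Trim() } else { "NextUpdate not found" }
        Write-Host "OK      $url ($((Get-Item $tmp).Length) bytes; $nextText)"
    } catch {
        $failed++
        Write-Host "FAILED  $url : $($_.Exception.Message)"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}
if ($failed -gt 0) {
    Write-Warning "$failed CRL URL(s) unreachable from this DC; smart card logon will fail revocation checking"
}
```

Repeat the check with a certificate from each SuisseID provider in use, since every provider publishes its own set of CRL URLs.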

4. Active Directory Certificate Authority on Windows Server 2003 R2

As a prerequisite for Smart Card Logon all Domain Controllers need a valid Domain Controller certificate. Basically an organization may choose between the following options to provide these certificates:
1) Issue the Domain Controller certificates with a preexisting Enterprise CA.
2) Buy them from a public CA.
3) Install a new Enterprise CA as outlined in this chapter for issuing the certificates.

Disclaimer: The following description serves only as a technical illustration of installing an Enterprise CA. We strongly recommend following best practice when implementing a PKI.

This chapter describes how to install a Certificate Authority (CA) on Windows Server 2003 R2 and configure it to issue Domain Controller certificates.

4.1 Installation of Certification Authority

Roles and resources
Role: Enterprise Admin
Resource: A Windows 2003 R2 DC or an adequately protected member server

1. Start Control Panel -> Add or Remove Programs
2. Select Add/Remove Windows Components

3. Select Certificate Services
4. Read and click Yes to accept the warning message
5. Confirm that Enterprise root CA is selected and click Next
6. Enter the Common name for the CA, e.g. Contosonet Domain Controller CA (choose an appropriate name for your organization)
7. Click Next
8. Verify the path of the CA database and log files and click Next
9. Click Next
10. Click OK to accept the warning
11. Click Finish

4.2 Configure the Certification Authority to issue Domain Controller certificates only

Roles and resources
Role: Enterprise Admin
Resource: none
Action to be performed on the machine that contains the newly installed Certification Authority

1. Start the Certificate Authority console by selecting Start -> Administrative Tools -> Certificate Authority
2. Expand the Contosonet Domain Controller CA
3. Click on Certificate Templates to display the issuable certificate templates in the right pane
4. Use the Control key and select all the certificate templates except Domain Controller Authentication
5. Right click in the selection and select Delete
6. Confirm the dialog "Are you sure you want to disable the selected certificate template(s) on this Certificate Authority" by selecting Yes
7. Verify that only Domain Controller Authentication appears under the issuable Certificate Templates

4.3 Configure Autoenrollment of DC certificates

This section illustrates how to update the Domain Controllers Policy to allow autoenrollment of machine certificates. Generally it is recommended to manage GPOs with the Group Policy Management Console (GPMC). Since this is an optional component, we describe an option that works without GPMC.

Roles and resources
Role: Enterprise Admin
Resource: none
Action to be performed on a machine that has Group Policy Management Console or Active Directory Users and Computers installed

1. Start -> Administrative Tools -> Active Directory Users and Computers
2. Right click on the OU Domain Controllers and select Properties
3. Select the Group Policy tab
4. Select the Domain Controllers Policy and click on the Edit button to start the Group Policy Object Editor
5. Expand Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies and right click Autoenrollment Settings
6. Make sure Enroll certificates automatically is selected
7. Activate Renew expired certificates, update pending certificates and remove revoked certificates
8. Activate Update certificates that use certificate templates
9. Click OK and close the Group Policy Object Editor
10. Click OK and close the Active Directory Users and Computers console

The domain controllers in the contoso.net domain will automatically enroll for domain controller certificates after the next Group Policy update. In order to hasten this process one may also start the command prompt on the Domain Controller and type the following commands:

C:\> gpupdate /force
(This will force a group policy update)

C:\> certutil -pulse
(This will trigger the autoenrollment process)

To verify that your DC has a new domain controller authentication certificate use the following command:

C:\> certutil -dcinfo
(Verify that there is at least 1 KDC certificate for each domain controller)

5. Active Directory Certificate Services on Windows Server 2008 or higher

As a prerequisite for Smart Card Logon all Domain Controllers need a valid Domain Controller certificate. Basically an organization may choose between the following options to provide these certificates:
1) Issue the Domain Controller certificates with a preexisting Enterprise CA.
2) Buy them from a public CA.
3) Install a new Enterprise CA as outlined in this chapter for issuing the certificates.

Disclaimer: The following description serves only as a technical illustration of installing an Enterprise CA. We strongly recommend following best practice when implementing a PKI.

This chapter describes how to install Active Directory Certificate Services on Windows Server 2008 or higher and configure it to issue domain controller certificates.

5.1 Install Active Directory Certificate Services

Roles and resources
Role: Enterprise Admin
Resource: A Windows 2008 R2 DC or an adequately protected member server

1. Start Server Manager
2. Select "Roles", right-click and select "Add Roles"
3. Click Next

4. Select the Active Directory Certificate Services role
5. Click Next twice
6. Verify that only Certification Authority is selected and click Next
7. Verify that Enterprise is selected and click Next
8. Verify that Root CA is selected and click Next
9. Verify that Create a new private key is selected and click Next
10. Click Next
11. Click Next
12. Click Next
13. Click Next
14. Note the warning and click Install
15. Click Close

5.2 Configure Active Directory Certificate Services

Roles and resources
Role: Enterprise Admin
Resource: none
Action to be performed on the machine that contains the newly installed Active Directory Certificate Services

1. In the Server Manager console expand Roles -> Active Directory Certificate Services -> CA contoso-dc1-ca -> Certificate Templates
2. Use the Control key and select all the certificate templates except Domain Controller Authentication
3. Right click in the selection and select Delete
4. Confirm the dialog "Are you sure you want to disable the selected certificate template(s) on this Certificate Authority" by selecting Yes
5. Verify that only Domain Controller Authentication appears under the issuable Certificate Templates

5.3 Configure Autoenrollment of DC certificates

Roles and resources
Role: Enterprise Admin
Resource: none
Action to be performed on each Domain Controller.

1. Select Computer Configuration -> Windows Settings -> Security Settings and click on Public Key Policies
2. In the right hand pane double click Certificate Services Client - Auto-Enrollment
3. Change the configuration mode from Not Configured to Enabled
4. Select Renew expired certificates, update pending certificates, and remove revoked certificates
5. Select Update certificates that use certificate templates
6. Click OK
7. Close Group Policy Editor and Server Manager.

The Domain Controllers in contoso.com will autoenroll for a new certificate after the next Group Policy update.
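Sections 4.3 and 5.3 both end with the check that each DC has obtained a certificate from the Domain Controller Authentication template. The following PowerShell script is an added example (not part of the guide) that performs that check from the DC's own machine store; it assumes it is run on the domain controller with administrative rights.

```powershell
# Added example (not part of the SECO guide): check the local DC's machine
# certificate store for a certificate from the Domain Controller Authentication
# template, which is what "certutil -dcinfo" counts as a KDC certificate.
# Assumes it is run on the domain controller as an administrator.
$requiredEku = @{
    "1.3.6.1.5.5.7.3.1"      = "Server Authentication"
    "1.3.6.1.5.5.7.3.2"      = "Client Authentication"
    "1.3.6.1.4.1.311.20.2.2" = "Smart Card Logon"
}
# Certificate Template Information extension (present on v2 templates such
# as Domain Controller Authentication); its text form starts with "Template=".
$templateInfoOid = "1.3.6.1.4.1.311.21.7"

function Get-CertEkuOids($cert) {
    $ext = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ext) { @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
}

$usable = 0
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $ekus     = Get-CertEkuOids $cert
    $missing  = @($requiredEku.Keys | Where-Object { $ekus -notcontains $_ } |
                  ForEach-Object { $requiredEku[$_] })
    $tmplExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateInfoOid }
    $template = if ($tmplExt) { ($tmplExt.Format($false) -split ',')[0] } else { "Template=(v1 or none)" }

    $problems = @()
    if ($missing.Count -gt 0)          { $problems += "missing EKU: " + ($missing -join ", ") }
    if (-not $cert.HasPrivateKey)      { $problems += "no private key" }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired " + $cert.NotAfter.ToString("yyyy-MM-dd") }
    # Verify() builds the chain with online revocation checking, so it also
    # proves that this DC can reach the CRL of its own issuing CA.
    if ($problems.Count -eq 0 -and -not $cert.Verify()) { $problems += "chain or revocation check failed" }

    if ($problems.Count -eq 0) { $usable++; $state = "OK  " } else { $state = "SKIP" }
    Write-Host ("{0} {1} {2} expires {3:yyyy-MM-dd} {4}" -f $state, $cert.Thumbprint, $template,
                $cert.NotAfter, ($problems -join "; "))
}

if ($usable -eq 0) {
    Write-Warning "No usable domain controller certificate found; run gpupdate /force and certutil -pulse, then re-check"
    exit 1
}
Write-Host "$usable usable domain controller certificate(s) found"
```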

6. Preparation steps to enable SuisseID in a Windows 2003 R2 AD

This chapter shows how to prepare a Windows Server 2003 Active Directory to use SuisseID for Smart Card Logon. As explained in chapter 3.1, the SuisseIDs MUST contain a UPN with DCs running Windows Server 2003 R2, no matter what clients are in place. The chapter explains in greater detail the following steps:
- Publish the root CA certificate to the DS Trusted Root store
- Publish the issuing CA certificate to the NTAuth store
- Install the SwissSign Root CA certificate as a "Trusted Root Certificate Authority" for contoso.net
- Allow upn.suisseid.ch as Alternative UPN suffix
- Map SuisseID to a user using the UPN (repeat per user)

6.1 Publish the root CA certificate to the DS Trusted Root store

Roles and resources
Role: Enterprise Admin
Resource: root CA certificate file Platinum_G2.der

1. Log on to a domain controller in the forest with Enterprise Admin privileges.
2. Start a cmd prompt
3. Run certutil -f -dspublish <RootCAFileName> RootCA
4. Verify that the command ran successfully.

6.2 Publish the issuing CA certificate to the NTAuth store

Roles and resources
Role: Enterprise Admin
Resource: Issuing CA certificate file SuisseID_Platinum_G2.der

1. Log on to a domain controller in the forest with Enterprise Admin privileges.
2. Start a cmd prompt
3. Run certutil -f -dspublish <IssuingCAFileName> NTAuthCA
4. Verify that the command ran successfully.

6.3 Install the SwissSign Root CA certificate as a "Trusted Root Certificate Authority" for contoso.com Roles and resources Role: Enterprise Admin Resource: Root CA certificate Platinum_G2.der Action to be performed on a machine in the contoso.com domain where Group Policy Management console is installed 1. Log on to DC1 2. Click Start --> Administrative Tools Active Directory Users and Computers 3. Right click on domain contoso.net and select Properties 4. Select the Group Policy tab 5. Select the "Default Domain Policy" and click on the Edit button 19.05.2010 SECO Whitepaper - SuisseID Smart Card Logon Configuration Guide (V1.0) page 30 of 48

6. Navigate to Computer Configuration - Policies - Windows Settings - Security Settings - Public Key Policies - Trusted Root Certificate Autorities 7. Right click and select Import 8. Follow the Certificate Import Wizard 9. Click Next 19.05.2010 SECO Whitepaper - SuisseID Smart Card Logon Configuration Guide (V1.0) page 31 of 48

10. Browse to select the SwissSign Root CA file (Platinum_G2.der) and click Next.
11. Click Next and Finish to complete the Certificate Import Wizard.
12. If the wizard is successful you will see "The import was successful".
13. Close the Group Policy Management Editor.
14. Close the Group Policy Management Console.

All clients and servers will receive this setting at the next GPO refresh. Without a reboot, this may take about 90 minutes.

6.4 Allow upn.suisseid.ch as Alternative UPN Suffix

Roles and resources
Role: Enterprise Admin
Resource: The UPN suffix of a SuisseID certificate is specified as upn.suisseid.ch
Action to be performed on a machine in the forest contoso.com domain where the Active Directory Domains and Trusts console is available.

1. Click Start --> Administrative Tools --> Active Directory Domains and Trusts.
2. Right click Active Directory Domains and Trusts and select Properties.
3. Type upn.suisseid.ch and click Add.
4. Click OK to add upn.suisseid.ch as the Alternative UPN suffix.
5. Close the Active Directory Domains and Trusts window.

6.5 Changing the UPN of a specific user object using AD Users and Computers

This step needs to be repeated for each user whose SuisseID contains a UPN.

Roles and resources
Role: Enterprise Admin
Resource: The UPN suffix of a SuisseID certificate is specified as *upn.suisseid.ch. E.g. the sample UPN in the certificate of Hans Muster is 0001-9384-9341-8453@upn.suisseid.ch
Action to be performed on a machine in the forest contoso.com domain where the Active Directory Domains and Trusts console is available.

1. Click Start --> Administrative Tools --> Active Directory Users and Computers.
2. Find the user object to whom you want to match the SuisseID, e.g. Hans Muster.
3. Double-click Hans Muster.
4. Click on the Account tab.

5. Change the User logon name to 0001-9384-9341-8453@upn.suisseid.ch. Change the suffix to upn.suisseid.ch using the drop-down menu.
6. Click OK to complete the change.
7. Close the Active Directory Users and Computers console.

7. Preparation steps to enable SuisseID in a Windows Server 2008 AD

This chapter shows how to prepare a Windows Server 2008 or higher Active Directory to use SuisseID for Smart Card Logon.

Please consider the following information regarding the UPN in SuisseIDs: As explained in chapter 3.1, the SuisseIDs MUST contain a UPN with Windows Server 2008 (or higher) DCs if there are still Windows XP clients in place. SuisseIDs used on Windows Vista or later authenticating against Windows Server 2008 DCs are supported with and without a UPN. To map a SuisseID without a UPN to a specific user account, the Alternate Security ID method can be used. If a SuisseID contains a UPN, the mapping will always be based on the UPN, i.e. the Alternate Security ID method will be ignored.

The chapter explains in greater detail the following steps:
- Publish the root CA certificate to the DS Trusted Root store
- Publish the issuing CA certificate to the NTAuth Store
- Install the SwissSign Root CA certificate as a "Trusted Root Certificate Authority" for contoso.com
- Map SuisseID to Active Directory user object using Alternate Security ID
- Map SuisseID to Active Directory user object using UPN

7.1 Publish the root CA certificate to the DS Trusted Root store

Roles and resources
Role: Enterprise Admin
Resource: root CA certificate file SwissSign Root CA.cer

1. Log on to the domain controller in the forest with Enterprise Admin privileges.
2. Start a cmd prompt.
3. Run certutil -f -dspublish <RootCAFileName> RootCA.
4. Verify that the command ran successfully.


7.2 Publish the Issuing CA certificate to the NTAuth Store

Roles and resources
Role: Enterprise Admin
Resource: Issuing CA certificate file SwissSign Issuing CA.cer

1. Log on to the domain controller in the forest with Enterprise Admin privileges.
2. Start a cmd prompt.
3. Run certutil -f -dspublish <IssuingCAFileName> NTAuthCA.
4. Verify that the command ran successfully.

7.3 Install the SwissSign Root CA certificate as a "Trusted Root Certificate Authority" for contoso.com

Roles and resources
Role: Enterprise Admin
Resource: Hans Muster's SuisseID certificate file Hans Muster.cer
Action to be performed on a machine in the contoso.com domain where the Group Policy Management console is installed.

1. Log on to a Domain Controller.
2. Click Start --> type Group Policy in the "Search programs and files" box and click on "Group Policy Management" to start the console.
3. Open the "Default Domain Policy" by right clicking and selecting "Edit".
4. Navigate to Computer Configuration - Policies - Windows Settings - Security Settings - Public Key Policies - Trusted Root Certificate Authorities.
5. Right click and select Import.
6. Follow the Certificate Import Wizard.
7. Click Next.

8. Browse to select the SwissSign Root CA certificate.
9. Click Open.
10. Click Next twice.
11. Click Next and Finish to complete the Certificate Import Wizard.
12. Check for the message "The import was successful".
13. Close the Group Policy Management Editor.
14. Close the Group Policy Management Console.

All clients and servers will receive this setting at the next GPO refresh. Without a reboot, this may take about 90 minutes.

7.4 Map SuisseID to Active Directory User object using Alternate Security ID

Smart card logon with the Alternate Security ID mapping method will only work for Windows Vista and Windows 7 clients. Smart card logon with the Alternate Security ID mapping method will only work if there is no UPN in the SuisseID certificate. This step needs to be repeated for each user.

Roles and resources
Role: Domain Admin
Resource: Hans Muster's SuisseID certificate file Hans Muster.cer

1. Start the Active Directory Users and Computers console.
2. Find the user object to whom you want to match the SuisseID, e.g. Hans Muster.
3. Right click the user object and select Name Mappings.
4. Click Add, browse to the certificate file Hans Muster.cer and click Open.
5. Verify that the "Use Subject for alternate security identity" checkbox is selected and click OK twice.

7.5 Adding upn.suisseid.ch as the Alternative UPN suffix

This step needs to be done if one or more SuisseIDs contain a UPN.

Roles and resources
Role: Enterprise Admin
Resource: The UPN suffix of a SuisseID certificate is specified as *upn.suisseid.ch
Action to be performed on a machine in the forest contoso.com domain where the Active Directory Domains and Trusts console is available.

1. Start the Active Directory Domains and Trusts console.
2. Right click Active Directory Domains and Trusts and select Properties.
3. Type upn.suisseid.ch and click Add.
4. Click OK to add upn.suisseid.ch as the Alternative UPN suffix.
5. Close the Active Directory Domains and Trusts window.

7.6 Changing the UPN of the specific user object using AD Users and Computers

This step needs to be repeated for each user whose SuisseID contains a UPN.

Roles and resources
Role: Enterprise Admin
Resource: The UPN suffix of a SuisseID certificate is specified as *upn.suisseid.ch. E.g. the sample UPN in the certificate of Hans Muster is 0001-9384-9341-8453@upn.suisseid.ch
Action to be performed on a machine in the forest contoso.com domain where the Active Directory Domains and Trusts console is available.

1. Start the Active Directory Users and Computers console.
2. Find the user object to whom you want to match the SuisseID, e.g. Hans Muster.
3. Double-click Hans Muster.
4. Click on the Account tab.

5. Change the User logon name to 0001-9384-9341-8453@upn.suisseid.ch. Change the suffix to upn.suisseid.ch using the drop-down menu.
6. Click OK to complete the change.
7. Close the Active Directory Users and Computers console.
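The UPN mapping of chapters 6.4/6.5 and 7.5/7.6 can be scripted instead of done through the console. The following PowerShell script is an added example and not part of the SECO guide: it reads the UPN out of the SuisseID certificate, checks that its suffix is registered as an alternative UPN suffix of the forest and that no other account already carries that UPN, and then writes it to the user's userPrincipalName. The certificate path and the sAMAccountName hmuster are assumptions.

```powershell
# Added example (not from the SECO guide): map a SuisseID certificate to an AD user via its UPN.
# Assumed inputs: path of the user's certificate and the sAMAccountName of Hans Muster.
param(
    [string]$CertPath = 'C:\SuisseID\Hans Muster.cer',
    [string]$SamAccountName = 'hmuster'
)

# 1. Read the UPN from the certificate's Subject Alternative Name (otherName / UPN).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$upn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
if (-not $upn) {
    throw "Certificate $CertPath contains no UPN; use Alternate Security ID mapping instead (chapter 7.4)."
}
$suffix = $upn.Split('@')[1]

# 2. The suffix must be an alternative UPN suffix of the forest (chapter 6.4 / 7.5);
#    the list lives in the uPNSuffixes attribute of the Partitions container.
$rootDse    = [ADSI]'LDAP://RootDSE'
$partitions = [ADSI]"LDAP://CN=Partitions,$($rootDse.configurationNamingContext)"
if (@($partitions.uPNSuffixes) -notcontains $suffix) {
    throw "UPN suffix '$suffix' is not an alternative UPN suffix of this forest; add it first."
}

# 3. Refuse a duplicate UPN: the KDC must be able to map the certificate to exactly one account.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=$upn))"
$existing = $searcher.FindOne()
if ($existing -and $existing.Properties['samaccountname'][0] -ne $SamAccountName) {
    throw "UPN $upn is already assigned to $($existing.Properties['samaccountname'][0])."
}

# 4. Locate the target user and write the UPN (same effect as changing the User logon name
#    on the Account tab and picking upn.suisseid.ch from the suffix drop-down).
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
$result = $searcher.FindOne()
if (-not $result) { throw "User $SamAccountName not found in this domain." }
$user = $result.GetDirectoryEntry()
$user.Put('userPrincipalName', $upn)
$user.SetInfo()
Write-Host "Mapped $SamAccountName to $upn"
```

Run it as a Domain or Enterprise Admin; the suffix check fails fast when chapter 6.4 / 7.5 was skipped, which is otherwise only noticed at the first failed logon.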

8. Troubleshooting Steps

Smart Card Logon can fail for several reasons. This chapter provides a few troubleshooting steps that might solve the issue.

8.1 Certificate and configuration problems

The most common error message seen at Smart Card Logon is: "The system could not log you on. Your credentials could not be verified." This generic error message can be the result of one or more of several issues. The following steps can help you to resolve them (2):
- Check whether the domain controller has a valid domain controller certificate; if not, request a new domain controller certificate.
- Make sure the Smart Card has a trusted certificate by importing the issuing CA into the NTAuth store.
- Make sure the Root CA of the Smart Card certificate is trusted by importing it into the Trusted Root store.
- Verify that the SuisseID certificate is still valid.
- When running on Windows XP or authenticating against Windows Server 2003 DCs, verify that the SuisseID certificate contains a UPN.
- If the Smart Card has a UPN, make sure the user account in the AD has the same UPN associated.

8.2 Revocation checking problems

If the revocation check fails when the domain controller validates the Smart Card logon certificate, the domain controller denies the logon. The domain controller may return the error message mentioned earlier or the following error message: "The system could not log you on. The Smart Card certificate used for authentication was not trusted."

The revocation check must succeed from both the client and the domain controller. Make sure the following are true:
- The CRL has a Next Update field and the CRL is up to date. You can check that the CRL is online at the CDP and valid by downloading it from Internet Explorer.

(2) Excerpt from Guidelines for enabling smart card logon with third-party certification authorities [1]

You should be able to download and view the CRL from any of the HTTP CDPs in Internet Explorer from both the Smart Card workstation and the domain controller.
- Verify that each unique HTTP CDP that is used by a certificate in your enterprise is online and available.

To verify that a CRL is online and available from an HTTP CDP:
- To open the certificate in question, double-click on the .cer file or double-click the certificate in the store.
- Click the Details tab, scroll down and select the CRL Distribution Point field.
- In the bottom pane, highlight the full HTTP URL and copy it.
- Open Internet Explorer and paste the URL into the Address bar.
- When you receive the prompt, select the option to Open the CRL.
- Make sure that there is a Next Update field in the CRL and the time in the Next Update field has not passed.

8.3 Other Issues

For issues with the smart card readers refer to the appropriate guide (3) or consult the provider of your SuisseID. For other issues, we recommend opening a service request at Microsoft technical support or contacting your Microsoft partner.

(3) Smart Card Troubleshooting Guide [2]
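The manual CDP check of chapter 8.2 can be repeated on every machine that performs revocation checking (the Smart Card workstation and each domain controller). The following PowerShell script is an added example and not part of the SECO guide: it extracts the HTTP CDP URLs from a certificate, downloads each CRL, and checks that a Next Update field exists and has not passed. The certificate path is an assumption, and the Next Update value is read from the "NextUpdate:" line that certutil -dump prints for a CRL file.

```powershell
# Added example (not from the SECO guide): check every HTTP CDP of a certificate, as in chapter 8.2.
# Assumed input: path of the certificate to check (a SuisseID or a DC certificate).
param([string]$CertPath = 'C:\SuisseID\Hans Muster.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# The CRL Distribution Points extension has OID 2.5.29.31; Format($true) renders it as text
# containing one "URL=..." entry per distribution point. LDAP CDPs are ignored here.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { throw "Certificate has no CRL Distribution Point extension." }
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(http://\S+)') |
        ForEach-Object { $_.Groups[1].Value }

$allOk = $true
foreach ($url in $urls) {
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        # Same download the guide performs by pasting the URL into Internet Explorer.
        (New-Object System.Net.WebClient).DownloadFile($url, $tmp)

        # certutil -dump on a CRL prints a "NextUpdate:" line in the local date format.
        $dump = certutil -dump $tmp | Out-String
        if ($dump -match 'NextUpdate:\s*(.+)') {
            $nextUpdate = [datetime]::Parse($Matches[1].Trim())
            if ($nextUpdate -lt (Get-Date)) {
                Write-Warning "$url : CRL expired on $nextUpdate"; $allOk = $false
            } else {
                Write-Host "$url : CRL valid until $nextUpdate"
            }
        } else {
            Write-Warning "$url : CRL has no Next Update field"; $allOk = $false
        }
    } catch {
        Write-Warning "$url : download or parse failed ($($_.Exception.Message))"; $allOk = $false
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}
if (-not $allOk) { exit 1 }
```

A non-zero exit code on the domain controller but not on the workstation points at a proxy or firewall difference between the two, which is exactly the case the guide warns about when it says the check must succeed from both sides.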

Appendix A - Abbreviations used in the Document

AD    Active Directory
CA    Certificate Authority
CDP   CRL Distribution Point, HTTP or LDAP URL where the current CRL can be downloaded
CRL   Certificate Revocation List, list of certificates that were explicitly revoked by a CA
DC    Domain Controller
GPMC  Group Policy Management Console
GPO   Group Policy Object
KDC   Key Distribution Center, Kerberos terminology for a Domain Controller
PIN   Personal Identification Number, in case of Smart Cards this can often be a password
PKI   Public Key Infrastructure, system that provides certificates for machines or users
UPN   User Principal Name, e.g. userx@test.org or 0001-00002-0003-0004@upn.suisseid.ch

Appendix B - References

[1] Guidelines for enabling smart card logon with third-party certification authorities <http://support.microsoft.com/kb/281245/en-us>
[2] Smart Card Troubleshooting Guide <http://technet.microsoft.com/en-us/library/dd979536(ws.10).aspx>
[3] Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) <http://www.ietf.org/rfc/rfc4556.txt>