Most people who use Windows (even in corporate networks) authenticate with username/password. To be specific, here, the username is actually the User Principal Name (UPN), which can be entered as HUGHESNET-US\lhughes or [email protected] in my network. The password is the one in the user’s Active Directory account (when using domain login).
It is possible to create Windows Logon Smart cards, which are simply PKI smart cards that contain a certificate whose SubjectDN carries the user’s User Principal Name, together with the corresponding private key. The Windows computer has to be configured for Smart card Login. When the user wants to log in, they select Smart card and insert their smart card into a smart card reader on their computer.
For a TLS Client Certificate, the X.509 Enhanced Usage field must have the Client Authentication flag set (as opposed to the Server Authentication flag in a TLS Server Certificate). In a Windows Logon Certificate, the Enhanced Usage field must also have the Client Authentication flag set.
For a Windows Logon Certificate, the X.509 Subject Alternative Name field must contain the user’s UPN. There is no need for any Subject Alternative Name field in a TLS Client Certificate, but the presence of one does not interfere with its use for TLS client authentication.
There is no advantage to a public hierarchy for a Windows Logon Certificate; a private hierarchy is all that is needed. This is an ideal use for Active Directory Certificate Services.
Configure Active Directory Certificate Services to Issue Windows Logon Certificates
We will now configure Microsoft Certificate Services to issue Windows Logon Certificates that can be used for Windows Smart card Login. Each user must obtain a unique Windows Logon Certificate that identifies them with their UPN. In a Windows Logon Certificate, the Subject Distinguished Name field identifies a particular user in Active Directory. A Windows Logon Certificate can be used from any Windows workstation – it is not tied to a particular node.
You can export your key material (Windows Logon Certificate and private key) in PKCS12 format and import it into one or more smart cards. If the key material is created inside the token from the start, there is no way to back up the key material (the private key can never be exported from the hardware token).
We will create a new certificate template for Windows Logon Certificates that has only the Client Authentication flag set and the user’s UPN in the Subject Alternative Name.
Create Template for Windows Logon Certificate
On the VM running your Subordinate CA (in my case, intca.us.hughesnet.org), in Server Manager, click Tools/Certification Authority.
Click the General tab.
Set the Template display name to Windows Logon. This will change the Template name to WindowsLogon.
Set the Validity period to one year.
Select Publish certificate in Active Directory.
Do not click OK yet.
Select the Subject Name tab.
Select Build from this Active Directory information.
Select Subject name format as Fully distinguished name.
Under Include this information in alternate subject name, select User principal name (UPN).
Select the Extensions tab.
You will see that the Application Policies are currently set to Client Authentication and Smart card Login.
Prepare for Issuing Windows Logon Certificates
Select it by clicking it, and then click OK. This will enable your new certificate template to be used for issuing new certificates.
Now right-click Certificate Templates and select Manage.
Find Windows Logon in the list of templates. Right-click it and select Properties.
Select who you want to be able to enroll Windows Logon Certificates (e.g., Authenticated Users), and select Read and Enroll.
Request and Obtain a Windows Logon Certificate Using mmc.exe
The next step is to use mmc.exe to request a Windows Logon Certificate for Administrator (the currently logged-in user).
Start mmc.exe by selecting Start/Run and entering mmc.exe.
Right-click the middle pane, and select All Tasks/Request New Certificate.
Ignore the Before You Begin page. Click Next.
Click Next.
Select Windows Logon. Click Enroll.
Congratulations, you have just issued a Windows Logon Certificate for the current user (Administrator). Click Finish.
The ValidFrom date is when I issued this certificate.
The ValidTo date is one year from then.
I have a private key that corresponds to this certificate.
Now select the Details tab.
Under CRL Distribution Point, you should see an LDAP URL pointing to your AD server.
This is exactly what you need for a Windows Logon Certificate.
The new certificate chains up to the PKIEdu Int CA Intermediate Cert. That cert chains up to the PKIEdu Root CA Root Certificate, which is trusted.
Congratulations! You have just issued a Windows Logon Certificate for Administrator.
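As an added check (example code written for this page, not part of the original post), the PowerShell function below inspects a certificate in the current user's Personal store for the properties the text calls out: Client Authentication and Smart card Logon in the Enhanced Key Usage, the UPN in the Subject Alternative Name, an LDAP CRL Distribution Point, a matching private key, and a chain that builds to a trusted root. The store path Cert:\CurrentUser\My and the OID-to-field mapping are my assumptions; run it in the session where you enrolled.

```powershell
# Added example: verify a certificate against the Windows Logon requirements
# described in the post. Store path and OIDs are assumptions made here.
function Test-WindowsLogonCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $result = [ordered]@{ Subject = $Cert.Subject; Issuer = $Cert.Issuer }

    # Enhanced Key Usage (OID 2.5.29.37): Client Authentication (1.3.6.1.5.5.7.3.2)
    # and Smart Card Logon (1.3.6.1.4.1.311.20.2.2), as shown under Application Policies.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object Value) } else { @() }
    $result.HasClientAuth     = $ekuOids -contains '1.3.6.1.5.5.7.3.2'
    $result.HasSmartCardLogon = $ekuOids -contains '1.3.6.1.4.1.311.20.2.2'

    # Subject Alternative Name (OID 2.5.29.17): the UPN appears as
    # "Other Name: Principal Name=<upn>" in the CryptoAPI text rendering.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($true) } else { '' }
    $result.Upn = if ($sanText -match 'Principal Name=([^\r\n]+)') { $Matches[1].Trim() } else { $null }

    # CRL Distribution Point (OID 2.5.29.31): expect an LDAP URL into Active Directory.
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $result.HasLdapCdp = [bool]($cdp -and ($cdp.Format($true) -match 'ldap:///'))

    # A private key must be present, and the chain must build to a trusted root
    # with an online revocation check, as the logon process itself will require.
    $result.HasPrivateKey = $Cert.HasPrivateKey
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $result.ChainValid  = $chain.Build($Cert)
    $result.ChainStatus = ($chain.ChainStatus | ForEach-Object Status) -join ','
    $result.ChainPath   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '

    $result.Ok = $result.HasClientAuth -and $result.HasSmartCardLogon -and
                 [bool]$result.Upn -and $result.HasLdapCdp -and
                 $result.HasPrivateKey -and $result.ChainValid
    [pscustomobject]$result
}

# Check every certificate with a private key in the current user's Personal store.
Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey |
    ForEach-Object { Test-WindowsLogonCertificate -Cert $_ } | Format-List
```

A certificate that reports Ok = True has everything the post expects; a False ChainValid with a status such as RevocationStatusUnknown usually means the LDAP CRL Distribution Point is not reachable from this machine.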
Logging into Windows with a Windows Logon Certificate
To do this, you need a PKI-type smart card (e.g., ACS ACOS5 EVO), a compatible smart card reader, and the ability to import your Windows Logon Certificate into it. All smart card vendors supply Windows apps to initialize blank cards and manage the contents (certificates and private keys) of those smart cards.
Microsoft Certificate Services installs your certificate in the Personal folder of your Certificate Store. In my case, the ACS Certificate Manager cannot import from the Certificate Store, but only from a PKCS12 file. By default, you cannot export the private key of your Windows Logon Certificate, so you have to request that the cert be exportable when you enroll for it.
To allow the certificate to be exportable, I click Properties.
I then click OK. In the Certificate Enrollment dialog, I click Enroll.
Note that the purposes include Smart card Logon.
The cert was issued to Lawrence Hughes.
It was issued (signed) by PKIEdu Int CA.
The ValidFrom date is the day I issued the cert.
The ValidTo date is one year later.
On the Details tab, I can see more detailed information on this certificate:
This certificate chains up to the PKIEdu Int CA Intermediate Certificate. That cert chains up to the PKIEdu Root CA Root Certificate, which is trusted.
This is exactly what I need for a Windows Logon Certificate for me.
Right-click my certificate in mmc.exe, and select All Tasks, Export.
I select Yes, export the private key.
I accept default settings on Export File Format (PFX).
I enter a passphrase to protect my PKCS12 (and confirm it).
I choose a folder to export my certificate into (in my case, C:\Certs).
I specify the file name as Lawrence Hughes Windows Logon Certificate.
I now insert a blank ACS ACOS5 EVO smart card in my USB smart card reader and use the ACS Initialization Manager App to initialize it.
Now I log out of my Windows workstation and log back in. This time, I select Smart card (if it is not already selected) and insert my smart card into the reader. I enter the smart card PIN. In a few seconds, I am logged in as [email protected], without having to enter my UPN or any password.
If your CA runs in VMs on the same computer you are logging out of, the CA stops running when you log out, so the login will not work. You can move your VMs to another computer or do this exercise on a different computer.
If I lose my smart card, I can create another one from the PKCS12 container or even issue a new Windows Logon Certificate and load that into a new smart card.