
Configure Microsoft Entra CBA with on-prem CA

Ref: How to configure Microsoft Entra certificate-based authentication

Criteria

  • Users can use it on off-domain Windows/Mac PCs as an additional factor of authentication.
  • An administrator needs to approve the certificate request.
  • A certificate will be issued per user (UPN).
  • The certificate cannot be reused on another PC (the private key is not exportable).

Use case

It can serve as an additional authentication factor. We can verify users through a conditional access policy, ensuring that they are using the correct device and account with the appropriate certificate installed.

For our users, our conditional access policy verifies that users are on an Entra hybrid-joined device. However, for users without domain-joined devices, this method can act as an additional factor to grant access to resources.

1. Install CA roles for domain

Install the CA roles below on a server if you don't already have them in your environment.

  • Certification Authority
  • Certification Authority Web Enrollment

2. Create certificate template

  1. Open certtmpl.msc on the CA server

  2. Right-click on User -> Duplicate Template

    • General
      Determine the name and the validity period.
    • Extensions
      Application Policies: choose "Smart Card Logon" and "Client Authentication".
    • Security
      Make sure that Domain Users can enroll.
    • Compatibility
      Choose up to Windows Server 2012 R2.
    • Request Handling
      Uncheck "Allow private key to be exported".
    • Cryptography
      Choose "Request must use one of the following providers" - Microsoft Smart Card Key Storage Provider.
    • Subject Name
      Choose only E-mail name.
    • Issuance Requirements
  3. Enable the template
    Open certsrv.msc and right-click on Certificate Template -> New -> Certificate Template to Issue -> Choose the one you just created.

3. Change the template’s schema version

You need to change the template's schema version because the template will not be listed for enrollment if its schema version is greater than 3. Note that this change degrades the template's cryptography settings.

  1. Open ADSI Edit on an AD server
  2. Action -> Connect to -> choose Configuration
  3. See the templates
    [CN=Configuration,DC=<Your domain name>] – [CN=Services] – [CN=Public Key Services] – [CN=Certificate Templates]
  4. Choose the template you just created and double-click
  5. Change the value msPKI-Template-Schema-Version to 2
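The same schema-version change can be made with the ActiveDirectory PowerShell module instead of ADSI Edit. This is an added example, not part of the original post; it assumes RSAT/ActiveDirectory is installed, and 'YourTemplateName' is a placeholder for the template's name (the CN of the template object, i.e. the template name rather than its display name).

```powershell
# Added example: downgrade msPKI-Template-Schema-Version to 2 with the ActiveDirectory module.
# Assumes the ActiveDirectory module (RSAT) is available on the machine running this.
Import-Module ActiveDirectory

$TemplateName = 'YourTemplateName'   # placeholder: CN of the template object (template name, not display name)

# Same path as in ADSI Edit: Configuration -> Services -> Public Key Services -> Certificate Templates
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$before = Get-ADObject -Identity $dn -Properties 'msPKI-Template-Schema-Version'
"Before: msPKI-Template-Schema-Version = $($before.'msPKI-Template-Schema-Version')"

# Only write when the value actually differs from the target value 2
if ([int]$before.'msPKI-Template-Schema-Version' -ne 2) {
    Set-ADObject -Identity $dn -Replace @{ 'msPKI-Template-Schema-Version' = 2 }
}

# Read back to confirm the change replicated to the DC you are talking to
$after = Get-ADObject -Identity $dn -Properties 'msPKI-Template-Schema-Version'
"After:  msPKI-Template-Schema-Version = $($after.'msPKI-Template-Schema-Version')"
```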

4. Download CA cert and publish it on Entra ID

  1. Download the CA cert from the CA server
  2. In Entra ID, search for and open "Certificate authorities"
  3. Choose "Is root CA certificate" and add

You can also specify the CRL to control issued certificates more strictly.

5. Enable users to authenticate with CBA

Under Target, add the users who should be able to use CBA.

The Protection Level must be set to Multi-factor authentication, or users will fail authentication.

6. Create conditional access policy to enforce using CBA as necessary

Please refer to other sites to configure this...

7. Request and issue certificate

Windows clients

These steps will use TPM as the key storage - Ref: Deploy Virtual Smart Cards

Run the commands as Administrator

  1. Generate a TPM Virtual Smart Card
    You need to set a PIN longer than 8 digits. The PUK and admin key will be the defaults.
    tpmvscmgr.exe create /name VSC /pin PROMPT /puk default /adminkey default /generate
  2. Generate a request
    certreq -new request.inf certreq.txt
  3. Request a cert from the CSR on the CA web enrollment, logging in as the target user
    e.g. http://your-local-ca.example.com/certsrv/
    Paste the CSR text and make sure to choose the template you created for it.
  4. Issue the certificate from the pending requests on the CA
  5. Download it and install it to the Local Machine store

The same request.inf can be shared by all users, since the e-mail name is taken from the AD user object (see the Subject Name setting of the template).
request.inf

[Version]
Signature="$Windows NT$"

[NewRequest]
KeySpec = 1                 ; AT_KEYEXCHANGE
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = FALSE          ; private key cannot be exported (criteria above)
MachineKeySet = TRUE        ; key and cert live in the Local Machine store
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft Base Smart Card Crypto Provider"   ; key is created on the virtual smart card
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0             ; Digital Signature + Key Encipherment

Mac clients

Run the commands below on Terminal on the target Mac machine.

  1. Create a key and a CSR from the .cnf file; remember the passphrase you set, it is used as the PIN
    openssl req -new -out req.csr -keyout key.key -config request.cnf
  2. Request a cert with the CSR on the CA web enrollment
  3. Issue the cert from the pending requests
  4. Download it as Base 64 encoded
  5. Run the command below to combine the key and the cert (enter the PIN when asked)
    openssl pkcs12 -export -out cert.p12 -inkey key.key -in certnew_x64.cer
  6. Import cert.p12 into Keychain
  7. Restart Chrome and you'll see the certificate option to choose

request.cnf

[ req ]
default_bits       = 2048
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
C = US
ST = California
L = Your city
O = Your org
OU = IT
CN = example.com

[ req_ext ]
keyUsage = critical, digitalSignature, keyEncipherment
# clientAuth plus the Microsoft Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2)
extendedKeyUsage = clientAuth, 1.3.6.1.4.1.311.20.2.2

[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, 1.3.6.1.4.1.311.20.2.2

8. Log in with certificate

You may need to restart the browser completely for the certificate to be loaded. You will be prompted as shown in the image below.
In our conditional access policy, the certificate must be verified as issued by the specified issuer and as carrying the UPN of the target user as an RFC822 Name in the SAN.
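Before testing sign-in, it is worth confirming that the installed certificate actually satisfies the criteria at the top of the page. The PowerShell below is an added example, not part of the original post; it inspects the Windows Local Machine store and reports the issuer match, both EKUs, the RFC822 Name in the SAN against the UPN, and whether the private key is exportable. $ExpectedIssuerCN and $ExpectedUpn are placeholders to replace.

```powershell
# Added example: verify an issued CBA certificate in Cert:\LocalMachine\My against the criteria above.
$ExpectedIssuerCN = 'YOUR-ISSUING-CA'      # placeholder: CN of your on-prem CA
$ExpectedUpn      = 'user@example.com'     # placeholder: UPN of the target user

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU

# Newest certificate with a private key from the expected issuer
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -like "CN=$ExpectedIssuerCN*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key issued by CN=$ExpectedIssuerCN in LocalMachine\My" }

# EKU OIDs present on the certificate (2.5.29.37 = Extended Key Usage)
$ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

# E-mail name: taken from the SAN RFC822 Name first, which is what the policy matches to the UPN
$sanEmail = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)

# Export policy of the private key. A CSP key (ProviderType 12 in request.inf) exposes
# CspKeyContainerInfo; a CNG key exposes CngKey.ExportPolicy. A smart card key may prompt for the PIN.
$exportable = $null
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $exportable = $rsa.CspKeyContainerInfo.Exportable
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $exportable = $rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
    }
} catch { Write-Warning "Could not open the private key: $($_.Exception.Message)" }

[pscustomobject]@{
    Thumbprint           = $cert.Thumbprint
    IssuerMatches        = ($cert.Issuer -like "CN=$ExpectedIssuerCN*")
    HasSmartCardLogonEku = ($ekuOids -contains $SmartCardLogonOid)
    HasClientAuthEku     = ($ekuOids -contains $ClientAuthOid)
    SanEmail             = $sanEmail
    SanEmailMatchesUpn   = ($sanEmail -eq $ExpectedUpn)
    PrivateKeyExportable = $exportable       # should be False for a TPM virtual smart card key
    NotAfter             = $cert.NotAfter
}
```

Every boolean except PrivateKeyExportable should come back True; a False elsewhere points at the template setting (EKU, Subject Name) or the CA trust in Entra ID that still needs fixing.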
