
Set up YubiKey PIV Authentication for Windows RDP Sessions

These are my notes from configuring YubiKey tokens for RDP logon to Windows servers. The official YubiKey documentation is a bit complicated, so I put this together. We use the YubiKey 5 NFC in our environment.

1. Set PIN on YubiKey token

In YubiKey Manager, go to Applications -> PIV -> PIN Management.

2. Install YubiKey minidriver

Download Smart card drivers and tools.

Install it on clients and servers.

  • Clients
  • Servers
    Make sure to use the option INSTALL_LEGACY_NODE=1
    Use the command msiexec /i .\YubiKey-Minidriver-4.1.1.210-x64.msi INSTALL_LEGACY_NODE=1 /quiet

3. Install CA roles for the domain

  • Certification Authority
  • Certification Authority Web Enrollment (if you need to use an off-domain client machine)

Create a private key that suits the requirement.
Creating a Certification Authority

4. Enable templates with schema version above 2

Ref

If the "flags" attribute under CN=Configuration,DC=<DCName> -> CN=Services -> CN=Public Key Services -> CN=Enrollment Services in ADSI Edit is 2, run the following commands on the CA server:

# Set a registry
certutil -setreg CASetupStatus +SETUP_UPDATE_CAOBJECT_SVRTYPE
# Restart CA Service
net stop certsvc & net start certsvc

5. Add support for Elliptic Curve Cryptography (ECC) certificate login

GPO

  1. Edit a GPO policy that includes computers for IT admins
  2. Expand Computer Configuration > Policies > Administrative Templates > Windows Components > Smart Card.
  3. Right-click on Allow ECC certificates to be used for logon and authentication and select Edit.
  4. On the Edit window select Enabled.

Registry

New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider" -Force;
New-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider" -Name 'SmartCardCredentialProvider' -Value 1 -PropertyType DWord -Force;
New-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider" -Name 'EnumerateECCCerts' -Value 1 -PropertyType DWord -Force;

6. Create CA template

Follow the steps in Setting up Smart Card Login for Enroll on Behalf of, up to the step "To specify the permissions for the enrollment agents and publish the certificate template".
While duplicating the template, do not click "Apply" until you have changed the settings on the "Cryptography" tab.

7. Create enrollment agent certificate

Setting up Smart Card Login for Enroll on Behalf of

  1. Login to a domain-joined machine with an admin account that has "enroll" permission for Enrollment Agent.
  2. Open certmgr.msc from Run
  3. Under Console Root, click to expand Certificates - Current User.
  4. Click to expand Personal.
  5. Click to select Certificates.
  6. Right-click on the white space within the center pane, select All Tasks, and then select Request New Certificate…
  7. Click Next.
  8. Select Active Directory Enrollment Policy and then click Next.
  9. Locate and select the Enrollment Agent template, and then click Enroll.

8. Register certificate on Yubikey token

  1. Login to a domain-joined machine with the enrollment agent certificate
  2. Under Console Root, click to expand Certificates - Current User.
  3. Click to expand Personal.
  4. Right-click on the white space within the center pane, select All Tasks, select Advanced Operations, and then select Enroll on Behalf of.
  5. Select Active Directory Enrollment Policy and then click Next.
  6. Click Browse, choose your enrollment agent certificate from the Security Pop-up screen, and then click Next.
  7. Locate and select the smart card template you created for enroll on behalf of, and then click Next.
  8. Click Browse, select the user you want to enroll, and then click OK.
  9. In the User name or Alias field, verify you have the correct user, and then click Enroll.
  10. Enter the PIN for the Smart Card and then click OK. The YubiKey will be loaded with a certificate for the selected user. It is recommended that users change their PIN once the certificate is loaded.

9. If you want to use off-domain PCs to RDP with YubiKey

When using a PC that is not joined to the domain, if the CA server is left in its default settings, the non-domain PC cannot access the Certificate Revocation List (CRL), resulting in a failure to check the certificate installed on the YubiKey. Therefore, it is necessary to publish the CRL via HTTP and add the CRL address to the certificate.

Install CA cert on machine to "Trusted Root Certification Authorities"

You can install it on the GUI or run the command below.
certutil -addstore root .\your-ca-cert.cer

Request cert for Kerberos Authentication on DC servers

Publish CRLs via HTTP on CA server

This lets clients verify revocation status without LDAP. Open Certsrv, right-click the CA name, and open Properties.
The web server must be accessible over HTTP, not HTTPS. If HSTS is enabled for the domain, you need another domain pointing to the server without HSTS.

On the Extensions tab, make sure to use HTTP locations for both AIA and CDP.

For the HTTP location under AIA, make sure both checkboxes are selected.
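To confirm from an off-domain PC that the certificate loaded on the YubiKey actually points at reachable HTTP locations, the following PowerShell (an added example, not from the original post) reads the CDP and AIA URLs out of an exported certificate and tries each one. The path .\thecert.cer is an assumption; export the YubiKey certificate there first.

```powershell
# Added example: list the CDP / AIA URLs in a certificate and test the HTTP ones.
# Assumes the cert was exported to .\thecert.cer (path is an assumption).
function Get-CertUrlExtensions {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    foreach ($ext in $cert.Extensions) {
        # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
        if ($ext.Oid.Value -notin '2.5.29.31', '1.3.6.1.5.5.7.1.1') { continue }
        $kind = if ($ext.Oid.Value -eq '2.5.29.31') { 'CDP' } else { 'AIA' }
        # Format($true) renders the extension as text with one "URL=..." line per location
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            [pscustomobject]@{ Kind = $kind; Url = $m.Groups[1].Value }
        }
    }
}

function Test-CertUrlReachability {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($entry in Get-CertUrlExtensions -Path $Path) {
        $status = switch -Regex ($entry.Url) {
            '^ldap:'  { 'LDAP: not reachable from an off-domain PC' }
            '^https:' { 'HTTPS: CDP/AIA must be plain HTTP' }
            '^http:'  {
                try {
                    $r = Invoke-WebRequest -Uri $entry.Url -UseBasicParsing -TimeoutSec 10
                    "HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
                } catch { "FAILED: $($_.Exception.Message)" }
            }
            default   { 'unknown scheme' }
        }
        [pscustomobject]@{ Kind = $entry.Kind; Url = $entry.Url; Result = $status }
    }
}

Test-CertUrlReachability -Path .\thecert.cer | Format-Table -AutoSize
```

Any CDP or AIA entry that only has an ldap:/// URL, or whose HTTP URL reports FAILED, explains a revocation-check failure on a non-domain machine.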

10. Force users to use smart card for logon

Check the option on the user's property on your AD.

11. Troubleshooting

Make sure:

  • You have installed the YubiKey minidriver on the machine
  • You have installed the YubiKey minidriver on the remote machine with INSTALL_LEGACY_NODE=1 option
  • You have installed the CA cert
  • ECC cert login is enabled
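The same checklist as a PowerShell function to run on each client and server (an added example, not from the original post). The CA thumbprint is a placeholder, and the DisplayName pattern used to find the minidriver in the Uninstall registry keys is an assumption; INSTALL_LEGACY_NODE=1 is not recorded anywhere this script can read, so that item stays manual.

```powershell
# Added example: check the troubleshooting prerequisites on the local machine.
function Test-YubiKeyRdpPrereqs {
    param(
        # Placeholder: replace with the thumbprint of your CA certificate
        [string]$CaThumbprint = 'REPLACE-WITH-YOUR-CA-THUMBPRINT'
    )
    $results = @()

    # 1. Minidriver present? Looks for an installed product whose DisplayName
    #    mentions the YubiKey minidriver (the pattern is an assumption).
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $md = Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
          Where-Object { $_.DisplayName -like '*YubiKey*Minidriver*' }
    $results += [pscustomobject]@{
        Check = 'YubiKey minidriver installed'; Ok = [bool]$md
        Detail = ($md.DisplayVersion -join ', ')
    }

    # 2. ECC logon enabled? This is the registry value from step 5.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
    $ecc = (Get-ItemProperty -Path $key -Name EnumerateECCCerts -ErrorAction SilentlyContinue).EnumerateECCCerts
    $results += [pscustomobject]@{
        Check = 'EnumerateECCCerts = 1'; Ok = ($ecc -eq 1); Detail = "value=$ecc"
    }

    # 3. CA certificate in the machine Trusted Root store?
    $ca = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $CaThumbprint
    $results += [pscustomobject]@{
        Check = 'CA cert in LocalMachine\Root'; Ok = [bool]$ca; Detail = $ca.Subject
    }

    $results
}

Test-YubiKeyRdpPrereqs | Format-Table -AutoSize
```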

See installed certs

You can see the certificates installed on the smart card. If the CRL cannot be reached it might fail to check the revocation status.
certutil -scinfo

Update SCRoot

certutil -scroots update

Verify certs

Verify the certificate, including the "smart card logon" usage, and check that the certificate revocation check completed successfully.
certutil -verify -urlfetch .\thecert.cer

See CA configurations

Connect to "Configuration" in ADSI Edit and open Services -> Public Key Services.
There you can see the AIA, CDP, and related information.
