Set up YubiKey PIV Authentication for Windows RDP Sessions
These are my notes from configuring YubiKey tokens for RDP into Windows servers. The official YubiKey documentation is a bit scattered, so I put the steps together here. We use the YubiKey 5 NFC in our environment.
1. Set PIN on YubiKey token
With YubiKey Manager: Applications -> PIV -> PIN Management
2. Install YubiKey minidriver
Download Smart card drivers and tools.
Install it on clients and servers.
- Clients
- Servers
Make sure to install it with the option INSTALL_LEGACY_NODE=1, for example:
msiexec /i .\YubiKey-Minidriver-4.1.1.210-x64.msi INSTALL_LEGACY_NODE=1 /quiet
3. Install CA roles for the domain
- Certification Authority
- Certification Authority Web Enrollment (if you need to use an off-domain client machine)
Create a CA private key that suits your requirements.
Creating a Certification Authority
4. Enable templates with schema version above 2
If the "flags" attribute of the CA object under CN=Configuration,DC=<DCName> > CN=Services > CN=Public Key Services > CN=Enrollment Services in ADSI Edit is 2, run the following commands on the CA server:
# Set the registry value that updates the CA object's server type
certutil -setreg CASetupStatus +SETUP_UPDATE_CAOBJECT_SVRTYPE
# Restart the CA service so the change takes effect
net stop certsvc & net start certsvc
5. Add support for Elliptic Curve Cryptography (ECC) certificate login
GPO
- Edit a GPO policy that includes computers for IT admins
- Expand Computer Configuration > Policies > Administrative Templates > Windows Components > Smart Card.
- Right-click on Allow ECC certificates to be used for logon and authentication and select Edit.
- On the Edit window select Enabled.
Registry (alternative to the GPO)
# Create the policy key and enable ECC certificate enumeration for smart card logon
New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider" -Force;
New-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider" -Name 'SmartCardCredentialProvider' -Value 1 -PropertyType DWord -Force;
New-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider" -Name 'EnumerateECCCerts' -Value 1 -PropertyType DWord -Force;
6. Create CA template
Follow the steps in Setting up Smart Card Login for Enroll on Behalf of, up to the step "To specify the permissions for the enrollment agents and publish the certificate template".
While duplicating the template, do not click "Apply" until you have changed the settings on the "Cryptography" tab.
7. Create enrollment agent certificate
Setting up Smart Card Login for Enroll on Behalf of
- Log in to a domain-joined machine with an admin account that has "Enroll" permission on the Enrollment Agent template.
- Open certmgr.msc from Run
- Under Console Root, click to expand Certificates - Current User.
- Click to expand Personal.
- Click to select Certificates.
- Right-click on the white space within the center pane, select All Tasks, and then select Request New Certificate…
- Click Next.
- Select Active Directory Enrollment Policy and then click Next.
- Locate and select the Enrollment Agent template, and then click Enroll.
8. Register certificate on Yubikey token
- Log in to a domain-joined machine with the enrollment agent certificate
- Under Console Root, click to expand Certificates - Current User.
- Click to expand Personal.
- Right-click on the white space within the center pane, select All Tasks, select Advanced Operations, and then select Enroll on Behalf of.
- Select Active Directory Enrollment Policy and then click Next.
- Click Browse, choose your enrollment agent certificate from the Security Pop-up screen, and then click Next.
- Locate and select the smart card template you created for enroll on behalf of, and then click Next.
- Click Browse, select the user you want to enroll, and then click OK.
- In the User name or Alias field, verify you have the correct user, and then click Enroll.
- Enter the PIN for the Smart Card and then click OK. The YubiKey will be loaded with a certificate for the selected user. It is recommended that users change their PIN once the certificate is loaded.
9. If you want to use off-domain PCs to RDP with YubiKey
When using a PC that is not joined to the domain, and the CA server is left at its default settings, the non-domain PC cannot reach the Certificate Revocation List (CRL), so the revocation check of the certificate on the YubiKey fails. Therefore it is necessary to publish the CRL via HTTP and add the HTTP CRL address to the certificate.
Install the CA certificate on the machine into "Trusted Root Certification Authorities"
You can install it via the GUI or run the command below.
certutil -addstore root .\your-ca-cert.cer
Request cert for Kerberos Authentication on DC servers
Publish CRLs via HTTP on CA server
This lets clients verify revocation status without LDAP. Open Certsrv, right-click the CA name, and open Properties.
The web server must be reachable over plain HTTP, not HTTPS. If HSTS is enabled for the domain, you need another domain name pointing to the server that does not have HSTS.
On the Extensions tab, make sure an http location is used for both AIA and CDP.
For the http location under AIA, make sure both checkboxes are checked.
10. Force users to use smart card for logon
Check the option on the user's property on your AD.
11. Troubleshooting
Make sure:
- You have installed the YubiKey minidriver on the local machine
- You have installed the YubiKey minidriver on the remote machine with the INSTALL_LEGACY_NODE=1 option
- You have installed the CA cert
- ECC cert login is enabled
See installed certs
This shows the certificates installed on the smart card. If the CRL cannot be reached, the revocation status check may fail.
certutil -scinfo
Update smart card root certificates
certutil -scroots update
Verify certs
Verify the certificate that includes the "Smart Card Logon" usage, and check that the certificate revocation check completed successfully.
certutil -verify -urlfetch .\thecert.cer
See CA configurations
Connect to "Configuration" in ADSI Edit and open Services -> Public Key Services.
There you can see the AIA, CDP, and other CA configuration info.
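The following PowerShell script is an added example (not from the original post) that automates the troubleshooting checklist above on the RDP client: minidriver installed, CA cert in the Root store, the ECC registry value from section 5, and whether the logon certificate's CRL distribution point is an http:// URL that is actually reachable (section 9). It assumes $CaName is a placeholder for your CA's common name, $CertPath is the exported smart card logon certificate, and that the minidriver's Uninstall entry has a DisplayName containing "YubiKey" and "Minidriver".

```powershell
# Added example (not from the original post): client-side pre-flight checks for the
# troubleshooting list. Placeholders/assumptions: $CaName, $CertPath, and the
# minidriver's DisplayName pattern in the Uninstall registry keys.
param(
    [string]$CaName   = 'Contoso Root CA',   # placeholder; set to your CA's CN
    [string]$CertPath = '.\thecert.cer'      # exported smart card logon certificate
)
$results = [ordered]@{}

# 1. YubiKey minidriver installed? Look for its entry in the Uninstall registry keys.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$md = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
      Where-Object { $_.DisplayName -like '*YubiKey*Minidriver*' }
$results['Minidriver installed'] = [bool]$md

# 2. CA certificate present in Trusted Root Certification Authorities (section 9)?
$results['CA cert in Root store'] = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$CaName*" })

# 3. ECC logon certificates enabled (section 5 GPO/registry)?
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider' `
       -ErrorAction SilentlyContinue
$results['EnumerateECCCerts = 1'] = ($pol.EnumerateECCCerts -eq 1)

# 4. Does the logon cert carry an http:// CRL distribution point, and is it reachable
#    without LDAP (section 9)? OID 2.5.29.31 is the CRL Distribution Points extension.
if (Test-Path $CertPath) {
    $full = (Resolve-Path $CertPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full
    $cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $urls = @()
    if ($cdp) { $urls = @([regex]::Matches($cdp.Format($true), 'http://[^\s)]+') | ForEach-Object { $_.Value }) }
    $results['http CDP in cert'] = ($urls.Count -gt 0)
    foreach ($u in $urls) {
        try {
            $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
            $results["CRL reachable: $u"] = ($r.StatusCode -eq 200)
        } catch { $results["CRL reachable: $u"] = $false }
    }
    # 5. Full chain + revocation check with certutil, as in the post (exit code 0 = success)
    certutil -verify -urlfetch $full | Out-Null
    $results['certutil -verify -urlfetch'] = ($LASTEXITCODE -eq 0)
}

# Print one OK/FAIL line per check
$results.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f $(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key
}
```

Run it on the client before opening the RDP session; any FAIL line points at the matching step in this post.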