Windows Desktop MFA - AD CS configuration

Overview

Active Directory Certificate Services (AD CS) is used to perform certificate-based login, i.e., smart card logon after the user completes MFA via the idemeum mobile application.

The configuration required on the Domain Controller (DC) for passwordless MFA logon is divided into three steps:

  1. Configure the Enrollment Agent Certificate Template
  2. Configure the User Certificate Template
  3. Enable both Enrollment Agent and User Certificate templates in the CA

1. Configure the Enrollment Agent Certificate Template

  • Navigate to Microsoft Management Console (MMC): run mmc to launch Console Root
  • File → Add/Remove Snap-in...
  • Choose Certificate Templates
  • Click Add → Click OK
Ignore the above steps if the Certificate Templates snap-in has already been added.
  • Console Root → Certificate Templates → Choose Enrollment Agent → right-click → Duplicate Template
  • General → Enter Template display name as "Idemeum enrollment agent"
  • Request Handling → Purpose → Signature and smartcard logon
  • Click Yes
  • Security → Authenticated Users → Allow Enroll in the Permissions for Authenticated Users section
  • Subject Name → Choose Subject name format as None → Click Apply → Click OK

2. Configure the User Certificate Template

  • Console Root → Certificate Templates → User → right-click → Duplicate Template
  • General → Enter Template display name as "Idemeum windows"
  • Request Handling → Uncheck Allow private key to be exported
  • Request Handling → Purpose → Signature and smartcard logon
  • Click Yes
  • Subject Name → Uncheck E-mail name
  • Subject Name → Choose Subject name format as None → Click Apply → Click OK
  • Issuance Requirements → Select This number of authorized signatures
  • Issuance Requirements → Application policy → Select Certificate Request Agent → Click Apply → Click OK


3. Enable both Enrollment Agent and User Certificate templates in the CA

  • Server Manager → Dashboard → Tools → Certificate Authority
  • Select Certificate Templates
  • right-click → New → Certificate Template to Issue
  • Select both the templates ("Idemeum enrollment agent" & "Idemeum windows") configured → Click OK
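The following PowerShell script is an added example, not part of the idemeum documentation or product. It reads the two templates back from the Configuration partition of AD and verifies the settings the three steps above are meant to produce: the user template's private key is not exportable, the subject is built by the CA rather than supplied by the requester (the setting that, if wrong, lets any enrollee claim another identity), E-mail name is not required, issuance requires a Certificate Request Agent signature, Authenticated Users may enroll for the agent template, and both templates are published on a CA. It assumes it runs on a domain-joined machine with read access to the Configuration partition, that the display names are exactly those used on this page, and it uses the flag constants, EKU OIDs and Certificate-Enrollment extended-right GUID as documented in the AD schema and MS-CRTD.

```powershell
# Added verification script (not idemeum's code). Assumes a domain-joined host
# with read access to CN=Configuration and the template display names from this page.
$ErrorActionPreference = 'Stop'

# Flag constants from MS-CRTD for msPKI-Certificate-Name-Flag / msPKI-Private-Key-Flag.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
$CT_FLAG_SUBJECT_REQUIRE_EMAIL     = 0x20000000
$CT_FLAG_EXPORTABLE_KEY            = 0x00000010
$OID_CERT_REQUEST_AGENT = '1.3.6.1.4.1.311.20.2.1'
$OID_SMARTCARD_LOGON    = '1.3.6.1.4.1.311.20.2.2'
$ENROLL_RIGHT_GUID      = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Look a template up by its display name (the CN is the internal template name).
function Get-TemplateByDisplayName([string]$DisplayName) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
    $s.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$DisplayName))"
    $r = $s.FindOne()
    if (-not $r) { throw "Template '$DisplayName' not found in CN=Certificate Templates" }
    return $r.GetDirectoryEntry()
}

# True when an explicit or inherited ACE grants Authenticated Users the Enroll right.
function Test-AuthenticatedUsersCanEnroll($template) {
    $rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $rule.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
            $rule.ObjectType -eq $ENROLL_RIGHT_GUID) { return $true }
    }
    return $false
}

# Template names published on every enterprise CA in the forest (step 3 above).
function Get-PublishedTemplateNames {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
    $s.Filter = '(objectClass=pKIEnrollmentService)'
    $names = @()
    foreach ($ca in $s.FindAll()) { $names += @($ca.Properties['certificatetemplates']) }
    return $names
}

$agent     = Get-TemplateByDisplayName 'Idemeum enrollment agent'
$user      = Get-TemplateByDisplayName 'Idemeum windows'
$published = Get-PublishedTemplateNames

$nameFlag = [int]$user.Properties['msPKI-Certificate-Name-Flag'].Value
$keyFlag  = [int]$user.Properties['msPKI-Private-Key-Flag'].Value
$raSigs   = [int]$user.Properties['msPKI-RA-Signature'].Value
$raPolicy = (@($user.Properties['msPKI-RA-Application-Policies']) -join ' ')
$userEku  = @($user.Properties['pKIExtendedKeyUsage'])
$agentCn  = [string]$agent.Properties['cn'].Value
$userCn   = [string]$user.Properties['cn'].Value

$checks = [ordered]@{
    'User template: private key not exportable'                    = (($keyFlag -band $CT_FLAG_EXPORTABLE_KEY) -eq 0)
    'User template: subject built by CA, not supplied in request'  = (($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0)
    'User template: E-mail name not required in subject'           = (($nameFlag -band $CT_FLAG_SUBJECT_REQUIRE_EMAIL) -eq 0)
    'User template: at least one authorized signature required'    = ($raSigs -ge 1)
    'User template: signature must carry Certificate Request Agent' = ($raPolicy -match [regex]::Escape($OID_CERT_REQUEST_AGENT))
    'User template: Smart Card Logon EKU present'                  = ($userEku -contains $OID_SMARTCARD_LOGON)
    'Agent template: Authenticated Users allowed to Enroll'        = (Test-AuthenticatedUsersCanEnroll $agent)
    'Both templates published on a CA'                             = (($published -contains $agentCn) -and ($published -contains $userCn))
}

foreach ($c in $checks.GetEnumerator()) {
    '{0,-4} {1}' -f ($(if ($c.Value) { 'OK' } else { 'FAIL' })), $c.Key
}
# Informational: the EKUs the agent template ended up with after the Purpose change.
'Agent template EKUs: ' + (@($agent.Properties['pKIExtendedKeyUsage']) -join ', ')
```

Run it from an elevated PowerShell session on a domain-joined machine after completing step 3; any FAIL line points at the tab of the template whose setting still differs from the steps above. A change to a template's ACL or flags also takes a replication cycle to reach every DC, so re-run the script against the DC the CA uses if a result looks stale.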