Windows Desktop MFA - AD CS configuration

Overview

Active Directory Certificate Services (AD CS) is leveraged to perform certificate based login, i.e., smart card login post completing MFA via idemeum mobile application.

The configuration required at the Domain Controller (DC) is divided into three steps to use a Passwordless MFA logon.

1. Configure the Enrollment Agent Certificate Template
2. Configure the User Certificate Template
3. Enabling both Enrollment Agent and User Certificate templates in CA

1. Configure the Enrollment Agent Certificate Template

• Navigate to Microsoft Management Console (MMC).                                                       Run → mmc (To launch Console Root)

• File → Add/Remove Snap-in...

• Choose Certificate Templates

• Click Add → Click OK.

Ignore the above steps if Certificate Templates have already been added.

• Console Root → Certificate Templates → Choose Enrollment Agent → right-click → Duplicate Template

• General → ENTER Template display name as Idemeum enrollment agent

• Request Handling → Purpose → Signature and smartcard logon

• Click Yes

• Under Security, verify if the SYSTEM user is present. If not, click Add.

• Type system -> Click Check Names -> Click OK.

• Allow Enroll in the Permissions for SYSTEM Users section.

• Security → Authenticated Users → Allow Enroll in the Permissions for Authenticated Users section.

• Subject Name → Choose Subject name format as None → Click Apply → Click OK

2. Configure the User Certificate Template

• Console Root → Certificate Templates → User → right-click → Duplicate Template

• General → ENTER Template display name as Idemeum windows

• Under Security, verify if the SYSTEM user is present. If not, click Add.

• Type system -> Click Check Names -> Click OK.

• Allow Enroll in the Permissions for SYSTEM Users section.

• Security → Authenticated Users → Allow Enroll in the Permissions for Authenticated Users section.

• Request Handling → Uncheck Allow private key to be exported.

• Request Handling → Purpose → Signature and smartcard logon

• Click Yes

• Subject Name → Uncheck E-mail name

• Subject Name → Choose Subject name format as None

• Issuance Requirements → Select This number of authorized signatures

• Issuance Requirements → Application policy → Select Certificate Request Agent → Click Apply → Click OK

3. Enabling both Enrollment Agent and User Certificate templates in CA

• Server Manager → Dashboard → Tools → Certificate Authority

• Select Certificate Templates

• right-click → New → Certificate Template to Issue

• Select both the templates ("Idemeum enrollment agent" & "Idemeum windows") configured → Click OK

Windows Desktop MFA - Validate AD CS configuration

Follow the below steps to validate AD CS configuration from one of the domain-joined client machines. This validates successful connection to the Domain Controller and certificate issuance from CA. Verify Domain Control reachability * Navigate to Settings -> Accounts -> Access work or school *…

idemeum integrationsidemeum team