Windows Desktop MFA - AD CS configuration

Overview

Active Directory Certificate Services (AD CS) is used to perform certificate-based logon, i.e., smart card logon, after the user completes MFA in the idemeum mobile application.

The configuration required on the Domain Controller (DC) for passwordless MFA logon is divided into three steps:

  1. Configure the Enrollment Agent Certificate Template
  2. Configure the User Certificate Template
  3. Enable both the Enrollment Agent and User Certificate templates in the CA

1. Configure the Enrollment Agent Certificate Template

  • Open the Microsoft Management Console (MMC): run mmc to launch Console Root.
  • File → Add/Remove Snap-in...
  • Choose Certificate Templates
  • Click Add → Click OK
Skip the steps above if the Certificate Templates snap-in has already been added.
  • Console Root → Certificate Templates → Choose Enrollment Agent → right-click → Duplicate Template
  • General → Enter Template display name as Idemeum enrollment agent
The display name must be exactly Idemeum enrollment agent, as the template name must match.
  • Request Handling → Purpose → Signature and smartcard logon
  • Click Yes to confirm
  • Under Security, verify that the SYSTEM user is present. If not, click Add.
  • Type system → Click Check Names → Click OK
  • Allow Enroll in the Permissions for SYSTEM section.
  • Security → Authenticated Users → Allow Enroll in the Permissions for Authenticated Users section.
  • Subject Name → Choose Subject name format as None → Click Apply → Click OK

2. Configure the User Certificate Template

  • Console Root → Certificate Templates → User → right-click → Duplicate Template
  • General → Enter Template display name as Idemeum windows
The display name must be exactly Idemeum windows, as the template name must match.
  • Under Security, verify that the SYSTEM user is present. If not, click Add.
  • Type system → Click Check Names → Click OK
  • Allow Enroll in the Permissions for SYSTEM section.
  • Security → Authenticated Users → Allow Enroll in the Permissions for Authenticated Users section.
  • Request Handling → Uncheck Allow private key to be exported
  • Request Handling → Purpose → Signature and smartcard logon
  • Click Yes to confirm
  • Subject Name → Uncheck E-mail name
  • Subject Name → Choose Subject name format as None
  • Issuance Requirements → Select This number of authorized signatures
  • Issuance Requirements → Application policy → Select Certificate Request Agent → Click Apply → Click OK

3. Enable both the Enrollment Agent and User Certificate templates in the CA

  • Server Manager → Dashboard → Tools → Certification Authority
  • Select Certificate Templates
  • right-click → New → Certificate Template to Issue
  • Select both configured templates ("Idemeum enrollment agent" and "Idemeum windows") → Click OK
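As an added check that is not part of the idemeum guide, the PowerShell script below audits the result of steps 1 to 3 from any domain-joined machine: it reads both template objects from AD's Configuration partition, reports whether the purpose, subject name, key exportability and issuance settings above are in place and that SYSTEM and Authenticated Users hold Enroll, and confirms the CA publishes both templates. The Enroll permission on the enrollment agent template is the one to review most carefully, since a certificate issued from it is what satisfies the user template's signature requirement. Display names are those the guide mandates; the script assumes the default of one authorized signature, and the OIDs, flag bits and Enroll right GUID are the documented AD CS values.

```powershell
# Added example (not idemeum's code): audit the two templates above in AD and the CA's template list.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
# Well-known EKU OIDs, msPKI flag bits and the Certificate-Enrollment extended-right GUID.
$OID_SMARTCARD_LOGON = '1.3.6.1.4.1.311.20.2.2'; $OID_CERT_REQUEST_AGENT = '1.3.6.1.4.1.311.20.2.1'
$CT_FLAG_EXPORTABLE_KEY = 0x10            # msPKI-Private-Key-Flag
$SUBJECT_ALT_REQUIRE_EMAIL = 0x04000000   # msPKI-Certificate-Name-Flag: e-mail name in SAN
$SUBJECT_NAME_FLAGS = [Convert]::ToInt64('F0000000', 16)   # DN / CN / e-mail / DNS bits: all clear = "None"
$ENROLL_RIGHT = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Find-Ldap([string]$Container, [string]$Filter) {
    $root = [ADSI]"LDAP://$Container,$pkiBase"
    $hit  = (New-Object DirectoryServices.DirectorySearcher -ArgumentList $root, $Filter).FindOne()
    if (-not $hit) { throw "Nothing matched $Filter under $Container" }
    $hit
}
function Test-Bit([int64]$Value, [int64]$Mask) {
    if ($Value -lt 0) { $Value += 4294967296 }   # AD returns these DWORDs as signed Int32
    ($Value -band $Mask) -ne 0
}
function Report([string]$Label, [bool]$Ok) { Write-Host ('{0} {1}' -f $(if ($Ok) {'PASS'} else {'FAIL'}), $Label) }
function Test-Enroll($Hit, [string]$Name, [string]$Principal) {
    # Explicit Enroll ACEs only; a GenericAll grant would also permit enrollment.
    $ace = $Hit.GetDirectoryEntry().ObjectSecurity.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $ENROLL_RIGHT -and
        $_.IdentityReference.Value -like "*\$Principal" }
    Report "$Name : Enroll allowed for $Principal" ([bool]$ace)
}
function Test-Template([string]$DisplayName, [switch]$UserTemplate) {
    $hit = Find-Ldap 'CN=Certificate Templates' "(&(objectClass=pKICertificateTemplate)(displayName=$DisplayName))"
    $p   = $hit.Properties                       # attribute names are lower-case here
    $eku = @($p['pkiextendedkeyusage']); $nameFlags = [int64]$p['mspki-certificate-name-flag'][0]
    Report "$DisplayName : Smart Card Logon EKU"      ($eku -contains $OID_SMARTCARD_LOGON)
    Report "$DisplayName : subject name format None"  (-not (Test-Bit $nameFlags $SUBJECT_NAME_FLAGS))
    Test-Enroll $hit $DisplayName 'SYSTEM'; Test-Enroll $hit $DisplayName 'Authenticated Users'
    if ($UserTemplate) {
        Report "$DisplayName : private key not exportable" (-not (Test-Bit $p['mspki-private-key-flag'][0] $CT_FLAG_EXPORTABLE_KEY))
        Report "$DisplayName : e-mail name not in SAN"     (-not (Test-Bit $nameFlags $SUBJECT_ALT_REQUIRE_EMAIL))
        Report "$DisplayName : 1 authorized signature"     ([int]$p['mspki-ra-signature'][0] -eq 1)
        Report "$DisplayName : signer needs Certificate Request Agent" ("$($p['mspki-ra-application-policies'])" -match [regex]::Escape($OID_CERT_REQUEST_AGENT))
    } else {   # only a certificate carrying this EKU can satisfy the user template's signature requirement
        Report "$DisplayName : Certificate Request Agent EKU" ($eku -contains $OID_CERT_REQUEST_AGENT)
    }
    $p['cn'][0]                                  # template name as the CA lists it
}
$ca = Find-Ldap 'CN=Enrollment Services' '(objectClass=pKIEnrollmentService)'   # first CA found
foreach ($cn in (Test-Template 'Idemeum enrollment agent'), (Test-Template 'Idemeum windows' -UserTemplate)) {
    Report "CA $($ca.Properties['cn'][0]) publishes $cn" (@($ca.Properties['certificatetemplates']) -contains $cn)
}
```

Any FAIL line points at the step above whose setting is missing; in a forest with several CAs, repeat the last check against each pKIEnrollmentService object rather than the first one found.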

💡 Follow the guide below to validate the AD CS configuration:
Windows Desktop MFA - Validate AD CS configuration