Windows Desktop MFA - AD CS configuration
Overview
Active Directory Certificate Services (AD CS) is used to perform certificate-based login, i.e., smart card logon, after the user completes MFA in the idemeum mobile application.
The configuration required on the Domain Controller (DC) for passwordless MFA logon is divided into three steps:
- Configure the Enrollment Agent Certificate Template
- Configure the User Certificate Template
- Enabling both Enrollment Agent and User Certificate templates in CA
1. Configure the Enrollment Agent Certificate Template
- Navigate to Microsoft Management Console (MMC). Run → mmc (To launch Console Root)
- File → Add/Remove Snap-in...
- Choose Certificate Templates
- Click Add → Click OK.
Skip the steps above if the Certificate Templates snap-in has already been added.
- Console Root → Certificate Templates → Choose Enrollment Agent → right-click → Duplicate Template
- General → Enter Template display name as "Idemeum enrollment agent"
❗ Please enter the name exactly as "Idemeum enrollment agent", as the template name must match.
- Request Handling → Purpose → Signature and smartcard logon
- Click Yes
- Under Security, verify that SYSTEM is present. If not, click Add.
- Type system → Click Check Names → Click OK.
- Allow Enroll in the Permissions for SYSTEM section.
- Security → Authenticated Users → Allow Enroll in the Permissions for Authenticated Users section.
- Subject Name → Choose Subject name format as None → Click Apply → Click OK
2. Configure the User Certificate Template
- Console Root → Certificate Templates → User → right-click → Duplicate Template
- General → Enter Template display name as "Idemeum windows"
❗ Please enter the name exactly as "Idemeum windows", as the template name must match.
- Under Security, verify that SYSTEM is present. If not, click Add.
- Type system → Click Check Names → Click OK.
- Allow Enroll in the Permissions for SYSTEM section.
- Security → Authenticated Users → Allow Enroll in the Permissions for Authenticated Users section.
- Request Handling → Uncheck Allow private key to be exported.
- Request Handling → Purpose → Signature and smartcard logon
- Click Yes
- Subject Name → Uncheck E-mail name
- Subject Name → Choose Subject name format as None
- Issuance Requirements → Select This number of authorized signatures
- Issuance Requirements → Application policy → Select Certificate Request Agent → Click Apply → Click OK
3. Enabling both Enrollment Agent and User Certificate templates in CA
- Server Manager → Dashboard → Tools → Certificate Authority
- Select Certificate Templates
- right-click → New → Certificate Template to Issue
- Select both the templates ("Idemeum enrollment agent" & "Idemeum windows") configured → Click OK
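As an added check that is not part of the idemeum guide, the PowerShell below reads the two templates and the CA's published-template list from Active Directory and verifies the settings configured above. Attribute names and flag values come from Microsoft's MS-CRTD certificate template schema; the script assumes it runs as a domain user on a domain-joined Windows host and only reads AD.

```powershell
# Added validation script; not part of the idemeum guide or product. It only reads
# Active Directory and is assumed to run as a domain user on a domain-joined host.
$cfgDN   = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pkiBase = "CN=Public Key Services,CN=Services,$cfgDN"

function Find-PkiObject([string]$Container, [string]$Filter) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=$Container,$pkiBase"
    $s.Filter = $Filter
    $s.FindAll() | ForEach-Object { $_.Properties }
}

# Bit values and OIDs from MS-CRTD (certificate template schema)
$EXPORTABLE_KEY        = 0x10        # msPKI-Private-Key-Flag: "Allow private key to be exported"
$SUBJECT_REQUIRE_EMAIL = 0x10000000  # msPKI-Certificate-Name-Flag: E-mail name in subject
$ALT_REQUIRE_EMAIL     = 0x00100000  # msPKI-Certificate-Name-Flag: E-mail name in SAN
$OID_REQUEST_AGENT     = '1.3.6.1.4.1.311.20.2.1'  # Certificate Request Agent
$OID_SMARTCARD_LOGON   = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon

# Templates the CA actually issues (listed by template cn, not display name)
$published = Find-PkiObject 'Enrollment Services' '(objectClass=pKIEnrollmentService)' |
             ForEach-Object { $_['certificatetemplates'] }

$checks = foreach ($name in 'Idemeum enrollment agent', 'Idemeum windows') {
    $t = Find-PkiObject 'Certificate Templates' "(displayName=$name)" | Select-Object -First 1
    if (-not $t) { [pscustomobject]@{ Template = $name; Check = 'template exists'; Pass = $false }; continue }
    $nameFlag = [int]$t['mspki-certificate-name-flag'][0]
    $keyFlag  = [int]$t['mspki-private-key-flag'][0]
    $eku      = @($t['pkiextendedkeyusage'])
    $raPol    = @($t['mspki-ra-application-policies']) -join ' '

    $all = @(
        @{ Check = 'published on a CA';       Pass = $published -contains $t['cn'][0] }
        @{ Check = 'EKU has Smart Card Logon'; Pass = $eku -contains $OID_SMARTCARD_LOGON }
    )
    if ($name -eq 'Idemeum windows') {   # settings the guide applies only to the user template
        $all += @{ Check = 'no e-mail name in subject/SAN';     Pass = ($nameFlag -band ($SUBJECT_REQUIRE_EMAIL -bor $ALT_REQUIRE_EMAIL)) -eq 0 }
        $all += @{ Check = 'private key not exportable';        Pass = ($keyFlag -band $EXPORTABLE_KEY) -eq 0 }
        $all += @{ Check = 'requires >= 1 authorized signature'; Pass = [int]$t['mspki-ra-signature'][0] -ge 1 }
        $all += @{ Check = 'signature policy = Request Agent';  Pass = $raPol -match [regex]::Escape($OID_REQUEST_AGENT) }
    }
    foreach ($c in $all) { [pscustomobject]@{ Template = $name; Check = $c.Check; Pass = $c.Pass } }
}
$checks | Format-Table -AutoSize
if ($checks.Pass -contains $false) { Write-Warning 'AD CS configuration does not match the guide above.' }
```

Enroll permissions for SYSTEM and Authenticated Users are not covered here; check them on the template's Security tab or via its ACL.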
💡 Please follow the guide below to validate the AD CS configuration.