eID login for domain

    Question

  • Hello

    I'm trying to use the Belgian eID so I can log on from a workstation to the domain. I followed several guides available on the internet, however I can't seem to get it to work. Some of those guides are outdated while others are for smart cards in general. The Belgian eID also has lots of certificates (see: http://certs.eid.belgium.be/) that need to be stored in the correct place; for someone who is inexperienced with certificates this is rather hard, also since no documentation about the certificates is supplied.

    An eID has a Belgium root certificate as root; these are named belgiumrca, belgiumrca2, belgiumrs, belgiumrs2. The ones with rca are self-signed, the ones with rs are signed by GlobalSign. I placed those certificates on the domain controller (local computer) in the Trusted Root CA and Third-Party Root CA. I also added these to a GPO in the Trusted Root CA of Public Key Policies. Also used dspublish to add them to NTAuthCA.

    As intermediate certificate an eID can have several (citizen, foreigner). I placed the citizen certificates (citizen & citizen2) and the ones from 2010 (citizen201001 - citizen201012) on the domain controller (local computer) in the Intermediate CA and Third-Party Root CA. I also added these to a GPO in the Intermediate CA of Public Key Policies. I use my own eID card to test this, I am a citizen and my card was distributed in June 2010. Also used dspublish to add them to NTAuthCA.

    In the GPO I also enabled Smart Card in Computer Configuration, Policies, Administrative Templates, Windows Components, Smart Card. In Enabled the following: Allow certificates with no extended key usage certificate attribute, allow signature keys valid for Logon, Turn on certificate propagation from smart card, Turn on root certificate propagation from smart card,  Force the reading of all certificates from the smart card, Allow user name hint.

    I ran gpupdate on the client and confirmed that the GPO was applied correctly and the certificates were inherited by the client (local computer).

    Finally I exported my personal certificate MyName (Authentication) by using the command certutil -scinfo. I added this to my Personal Certificate store on the client (local computer). Afterwards I mapped this certificate to my AD account. I rebooted both client and server.

    When I start the client I see the smart card login option. However, when I insert my card and try to log in by entering my PIN the error says "The system could not be unlocked. You cannot use a smart card to log on because smart card logon is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization.". I googled this error but no solution provided led to a successful login attempt.

    I would also like to note that the DC has a self-signed certificate; this wasn't configured by me but by an experienced system engineer, so I have faith that this was done correctly. I am a student currently on an internship.

    I was wondering if someone has any ideas or experiences. A guide that was used to successfully implement eID logon would also be appreciated. Thanks in advance.

    Tuesday, April 17, 2012 1:02 PM

All replies

  • I have done a similar work using the Swedish eID system for smart card logon. You need to do the following:

    1. The user's personal certificate needs to be trusted throughout your AD (clients and DCs). This is done by adding the Root CA certificate to the Root CA store. The intermediate CAs need to be added to the Sub CA store. Both operations should be done using a domain level GPO or the certutil -dspublish command.
    2. The CA that issued the user's personal certificate needs to be trusted in the NTAuth CA store.

    Now for the smart card logon to happen you either need a certificate with Client Auth & Smart Card Logon in EKU and a UPN that matches the user account, or you need a certificate without EKU. It is important to remember that if an EKU is present, the certificate must contain the smart card logon EKU. Certificates with no EKU can be used for logon.

    To enable certificates without EKU for smart card logon you need to do the following:

    1. Enable the no EKU requirement setting using GPO (apply to clients and DCs)
    2. Make sure the DC can perform revocation checking on the personal certificate and the complete chain it belongs to, if not you can disable/relax CRL checking (NOT RECOMMENDED!)
    3. Map the personal certificate to the user account by adding the certificate to the X509 certificate tab in the "Security Identity Mapping" for the user object
    4. All DCs must have the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc\SCLogonEKUNotRequired enabled and set to 1

    Now the smart card logon using certificate without EKU should work

    /Hasain

    • Marked as answer by fwoooosh Wednesday, April 18, 2012 1:35 PM
    Tuesday, April 17, 2012 2:15 PM
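    An added pre-flight check for the prerequisites Hasain lists above (EKU, chain and revocation, the KDC registry value, and the explicit name mapping); this is example code, not from the thread, and assumes the exported user certificate path, the account name, and RSAT with the ActiveDirectory module on the DC.

    ```powershell
    # Added example: verify smart card logon prerequisites for one user certificate.
    # Run on a DC. Paths and account name are assumptions, adjust to your environment.
    param(
        [string]$CertPath = 'C:\temp\MyName_Auth.cer',   # assumed: exported via certutil -scinfo
        [string]$SamAccountName = 'fwoooosh'              # assumed account name
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # 1. EKU rule: no EKU at all is fine (with the no-EKU settings), but if an EKU
    #    extension is present it must include Smart Card Logon.
    $SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
    $ClientAuthOid     = '1.3.6.1.5.5.7.3.2'
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($null -eq $eku) {
        Write-Host 'EKU: none present; requires SCLogonEKUNotRequired=1 and the matching GPO settings'
    } else {
        $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        Write-Host ('EKU present: {0}' -f ($oids -join ', '))
        if ($oids -notcontains $SmartCardLogonOid) { Write-Warning 'EKU present but Smart Card Logon OID missing: logon will fail' }
        if ($oids -notcontains $ClientAuthOid)     { Write-Warning 'Client Authentication EKU missing' }
    }

    # 2. Build the chain with online revocation checking, the way the KDC evaluates it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if ($chain.Build($cert)) {
        Write-Host 'Chain builds and revocation check passed'
    } else {
        $chain.ChainStatus | ForEach-Object { Write-Warning ('Chain: {0} - {1}' -f $_.Status, $_.StatusInformation.Trim()) }
    }

    # 3. The KDC registry value from step 4 of the answer.
    $kdc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -Name 'SCLogonEKUNotRequired' -ErrorAction SilentlyContinue
    Write-Host ('SCLogonEKUNotRequired = {0}' -f $(if ($kdc) { $kdc.SCLogonEKUNotRequired } else { 'not set' }))

    # 4. Explicit mapping on the user object (what the ADUC "Name Mappings" dialog writes to
    #    altSecurityIdentities). AD stores issuer and subject in reverse RDN order (C=BE,CN=...),
    #    the opposite of what .NET prints; this split assumes no escaped commas in the DN.
    function ConvertTo-ReversedDn([string]$dn) {
        $parts = $dn -split ',\s*'
        [array]::Reverse($parts)
        return ($parts -join ',')
    }
    $expected = 'X509:<I>{0}<S>{1}' -f (ConvertTo-ReversedDn $cert.Issuer), (ConvertTo-ReversedDn $cert.Subject)
    $user = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities   # needs RSAT AD module
    Write-Host "Expected mapping : $expected"
    Write-Host ('Current mappings : {0}' -f ($user.altSecurityIdentities -join ' | '))
    ```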
  • Thanks for your answer.
    So what I did:
    Placed the MyName(Auth).cer in the GPO Trusted Root CA store.
    The intermediates I'd already stored in the Intermediate CA store, so I skipped this.

    Checked no EKU requirement on GPO this was OK.
    DC performing revocation checking:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors, set value to 1. Can I assume this is correct?
    Step 3, I'm clueless where to do this; is this in AD or still in the GPO?
    Step 4, looked the registry key up and it was OK.
    Tuesday, April 17, 2012 2:33 PM
  • Obviously, the DC has no suitable certificate for mutual authentication (PKCA), or it is invalid.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    • Marked as answer by fwoooosh Wednesday, April 18, 2012 1:35 PM
    Tuesday, April 17, 2012 3:47 PM
  • The name mapping is done using "Active Directory Users and Computers" tool, you need to enable "Viewing Advanced Settings". Now right click the user account and select "Name Mappings"

    Vadims' point is important: make sure all your DCs have a valid "Domain Controller Authentication" certificate, either issued by an internal enterprise ADCS CA or equally issued by an NTAuth trusted CA.

    /Hasain

    Tuesday, April 17, 2012 4:14 PM
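    An added check for the DC side that Vadims and Hasain point at: it lists the DC's machine certificates that carry the Server Authentication or KDC Authentication EKU, flags a self-signed one (as in the original post), and builds each chain. Example code, not from the thread; it assumes it is run on the DC itself.

    ```powershell
    # Added example: does this DC hold a certificate usable for the KDC side of PKINIT?
    $ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
    $KdcAuthOid    = '1.3.6.1.5.2.3.5'     # KDC Authentication (Domain Controller Authentication template)
    $found = $false
    foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
        $ekuExt = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if ($null -eq $ekuExt) { continue }
        $oids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if (($oids -notcontains $ServerAuthOid) -and ($oids -notcontains $KdcAuthOid)) { continue }
        $found = $true
        Write-Host ('Candidate: {0} (issuer {1}, expires {2})' -f $c.Subject, $c.Issuer, $c.NotAfter)
        if ($c.Subject -eq $c.Issuer) {
            # A self-signed DC certificate is not issued by an NTAuth-trusted CA, so clients
            # cannot validate the KDC and smart card logon fails.
            Write-Warning 'Self-signed: clients will not trust this for mutual authentication'
        }
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($c)) {
            $chain.ChainStatus | ForEach-Object { Write-Warning ('Chain: {0} - {1}' -f $_.Status, $_.StatusInformation.Trim()) }
        }
    }
    if (-not $found) { Write-Warning 'No DC certificate with Server/KDC Authentication EKU in LocalMachine\My' }
    ```

    A candidate that passes here must additionally chain to a CA present in NTAuth; the issuer shown is what to compare against that store.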
  • Obviously, the DC has no suitable certificate for mutual authentication (PKCA), or it is invalid.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Thanks for your reply.

    So after all the DC authentication certificate was wrong. There also was a little misunderstanding since I was working on a webserver and not the actual DC. Now have to clean up the mess of certificates on the wrong server and continue on the DC.

    Will post update here.

    Wednesday, April 18, 2012 7:55 AM
  • Thanks for the replies. eID logon now working!

    • Edited by fwoooosh Wednesday, April 18, 2012 1:36 PM
    Wednesday, April 18, 2012 7:55 AM
  • Hello fwoooosh,

    I'm trying to do the same thing, did you add all those certificates from http://certs.eid.belgium.be/ in AD using users and computers tool? Or is it just one specific certificate that needs to be added there?

    Friday, February 22, 2013 4:23 PM