Asked by Supracom (Netherlands)

Replace a CA on a Windows SBS 2008 with a separate 2003 enterprise CA

We want to implement Smartcard logon in a Windows SBS 2008 network. The middleware that we want to use requires a Windows Enterprise CA server because we have to be able to edit the certificate templates.
Now, we know that the CA on a SBS 2008 server (which is installed by default) is a standard CA that does not support the creation of duplicate templates that we can edit. Also, during LAB testing we discovered that the middleware works best in a 2003 network.

What we would like to do is to remove the CA role from the SBS 2008 domain controller. Then, we want to install an extra (virtual) Windows 2003 Enterprise server with a new Enterprise CA that is joined to this domain.

Would this be possible? And what do I do with the Domain Controller certificates that are currently issued to the DC?
ASKER CERTIFIED SOLUTION
btan

ASKER (Supracom)

Hi breadtan,

Thank you for your extensive reply!

I'm no certificate expert but this really helps me with understanding the process. I think I will first go with the first option because that seems to have the least impact in the current configuration.

Currently, the root CA certificate is configured (deployed) in Group Policy so all domain members will trust it. However, if I'm not mistaken, it is also possible to integrate this certificate on to the Smartcard so users can log on from stations at home (or thin clients) that are not part of the domain, right?

I will test option 1 next week and also read the articles you mentioned. I'll keep you posted.

Thanks again
SOLUTION

Hi Breadtan,

I understand your point about the fact that stations cannot log in to AD if they are not a member of the domain. What I meant was that users should be able to log in with RDS/Citrix from a machine that is not a member of the domain. Now that I think about it, the TS of course is a member of the domain and should be able to verify the contents of the redirected Smartcard with the AD. The client is not really involved in this process.

I will go do some testing this week and let you know how this turns out
btan

agreed, very much appreciated.
Well, I guess this works just fine!

I installed a subordinate 2k3 enterprise CA in this SBS 2008 network. After that I was able to enroll for a Smartcard User certificate using this new CA. I was also able to log on to a normal PC that is a member of this domain without changing any settings in GPO.

However, I'm not able to log on through terminal services with this certificate on our 2 production terminal servers (2k3 and 2008R2). The strange thing is that I CAN log on through terminal services (Remote administration) on the Root CA and on the Subordinate CA.
So, things seem to be working like they should, only not on our terminal servers. I'm sure that they receive the same GPOs as the CAs.

What could I check to verify the Smartcard/Certificate functionality and trust on these servers?

Thanks!
I believe the information extracted below would be useful. Where they mention the KDC, it is your Domain Controller (assuming your Kerberos server is in the same box), thus it should be your Win2K8. The tool CertUtil should be available on Vista and in the W2K3 Admin Pack, typically as part of the Certificate Services Management Tools.

@ http://technet.microsoft.com/en-us/library/ff404286%28WS.10%29.aspx

There is an older version and similar  @ http://technet.microsoft.com/en-us/library/cc721959%28WS.10%29.aspx

=======================
Remote Desktop Services and smart card logon

In addition to enabling the necessary Group Policy settings, policies specific to Remote Desktop Services need to be enabled for smart card–based logon.

To enable smart card logon to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer is not in the same domain or workgroup, then the following command can be used to deploy the certificate:

certutil -dspublish NTAuthCA "DSCDPContainer"

The DSCDPContainer Common Name (CN) is usually the CA computer name.

Remote Desktop Services and smart card logon across domains
Scenario: Remote access to an enterprise

To enable this scenario, the root certificate for the domain must be provisioned on the smart card. To provision this on the smart card from a computer that is joined to a domain, run the following at the command line:

certutil -scroots update

For Remote Desktop Services across domains, the KDC certificate of the RD Session Host server must also be present in the Windows Vista–based client computer's NTAUTH store. To add the store, run the following at the command line:

certutil -addstore -enterprise NTAUTH <CertFile>

Where <CertFile> is the root certificate of the KDC certificate issuer.

Remote Desktop Services logon across a domain works only if the UPN in the certificate uses the following form: <ClientName>@<DomainDNSName>

The UPN in the certificate must include a domain that can be resolved. Otherwise, Kerberos cannot determine which domain to contact. You can resolve this problem by enabling GPO X509 domain hints. For more information about this setting, see Smart Card Group Policy and Registry Settings.
Hi Breadtan,

I don't really understand what the cause is of being unable to log on to terminal servers. I can log on via Remote Desktop to other servers (as long as they are a member of the domain and I have the middleware installed).
My goal is to provide Smart Card logon from machines that are not a member of the domain and can't be controlled by us (at home etc). Any certificates that have to be present on the RDS client should be available from the Smartcard itself. I tried some certutil commands but they can't seem to update the scroots on the card because it is being managed by the middleware, I think.

However, you did help me out on the original question so I will accept your solution. Should you be able (and willing) to provide more information, then I'd happily receive it of course!
Update:

It turns out that I can successfully log on via Remote Desktop (via Smart Card) to both the Win2k8 Root CA and the Win2k3 subordinate CA. If I try to log on to a random other server (a file server for instance) authentication fails.

So, it seems that these 2 CA servers have some other configuration on certificate level which causes them to successfully authenticate my smart card logon. The question is, what could it be? They all apply the same default domain policy in which I configured the trusted root certificate, so it must be something local...
Thanks

Rightfully certutil should be transparent to the middleware if the latter is supported and installed properly (not simply dumping a p11 dll into the system folder), so that the OS smartcard service will be able to include it as one of the smartcard providers in its message relaying during its polling event (based on the smartcard ID registered). That will trigger the installed middleware crypto services to pass the message on to the card.

certutil option @ http://technet.microsoft.com/en-us/library/cc732443%28WS.10%29.aspx

I see it as RDC Client (Client) and RD Session Host (Server). I use these terms below.

a) For the client to log in to the server, it needs the KDC certificate in the client NTAuth store. It should be there if the machine is joined to the domain. But if the client is in a different domain from the server, the KDC cert needs to be published to the client.

Note that the KDC cert is not the RootCA cert; the KDC certificate is also known as the domain controller cert.
> certutil -dspublish NTAuthCA "DSCDPContainer" where DSCDPContainer Common Name (CN) is usually the CA computer name.

The KDC certificate of the server must also be present in the Windows Vista–based client computer's NTAUTH store
> certutil -addstore -enterprise NTAUTH <CertFile> where <CertFile> is the root certificate of the KDC certificate issuer.

Remote Desktop Services logon across a domain works only if the UPN in the certificate uses the following form: <ClientName>@<DomainDNSName>

Another means I am thinking of to enroll the Root CA cert on the smart card on a non-domain VISTA (not XP) machine:
0. Run "certutil -SCinfo" to see the root certs in the smart card
1. Run "certutil -scroots deploy" from the command line to enroll the Root CA cert into the card if not there
2. Run "certutil -scroots view" to verify the cert

Note that Certutil with new scroots switch is a built-in tool in Windows Vista.

Look out for "Possible issues" if you have the error message "The system could not log you on. Your credentials could not be verified."
@ http://support.microsoft.com/kb/q281245/

b) For the server, I assume that it has been configured accordingly for remote access regardless of the smartcard login type. It should be able to accept remote login even without a smartcard first. Also I am thinking that, for physical login to the server, it is already smartcard-login capable before remote smartcard login.
@ http://technet.microsoft.com/en-us/library/cc743158.aspx
@ http://technet.microsoft.com/en-us/library/cc781181%28WS.10%29.aspx

Here are some event IDs to look out for in troubleshooting
@ http://ts.veranoest.net/ts_logon.asp

This link also shares "To enable smart card logon for these servers, you have to configure the RRAS service to use the Extensible Authentication Protocol (EAP)" @ http://www.tech-faq.com/understanding-and-implementing-smart-card-authentication.html
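A checklist script for the client-side points in (a) above and the quoted TechNet section (issuing CA in the enterprise NTAuth store, Smart Card Logon EKU, UPN of the form <ClientName>@<DomainDNSName> with a resolvable domain), added here as an example and not code from either poster. It assumes the user certificate has been exported from the card to a file (the path is a placeholder) and that it runs on a domain-joined machine where certutil is available.

```powershell
# Added example, not from the thread. Checks a smart card user certificate against the
# points raised above. $CertFile is an assumed placeholder: export the user cert from the
# card (middleware tool or certutil -scinfo) to this path before running.
param([string]$CertFile = 'C:\temp\smartcard-user.cer')

$ScLogonOid    = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU
$problems = @()

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
"Certificate : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Valid until : $($cert.NotAfter)"

# 1. EKU: Smart Card Logon (and normally Client Authentication) must be present.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @(); if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
if ($ekuOids -notcontains $ScLogonOid)    { $problems += "EKU lacks Smart Card Logon ($ScLogonOid)" }
if ($ekuOids -notcontains $ClientAuthOid) { $problems += "EKU lacks Client Authentication ($ClientAuthOid)" }

# 2. UPN: the Subject Alternative Name must carry Principal Name=<ClientName>@<DomainDNSName>.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$upn = $null
if ($san -and ($san.Format($true) -match 'Principal Name=(\S+)')) { $upn = $Matches[1] }
if (-not $upn) {
    $problems += 'No UPN (Principal Name) in the Subject Alternative Name'
} elseif ($upn -match '^[^@]+@([^@]+\.[^@]+)$') {
    $domain = $Matches[1]
    try   { [void][System.Net.Dns]::GetHostAddresses($domain); "UPN         : $upn (domain resolves)" }
    catch { $problems += "UPN domain '$domain' does not resolve; Kerberos cannot pick a domain (see X509 domain hints)" }
} else {
    $problems += "UPN '$upn' is not of the form <ClientName>@<DomainDNSName>"
}

# 3. Chain: build it with the local stores, then confirm the issuing CA is in the enterprise NTAuth store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $problems += 'Chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
}
if ($chain.ChainElements.Count -ge 2) {
    $issuerHash = $chain.ChainElements[1].Certificate.Thumbprint
    # certutil -store takes a SHA-1 hash as CertId and exits non-zero when no such cert is in the store.
    certutil -store -enterprise NTAuth $issuerHash > $null 2>&1
    if ($LASTEXITCODE -ne 0) {
        $problems += "Issuing CA $issuerHash is not in the enterprise NTAuth store (see certutil -dspublish NTAuthCA / -addstore -enterprise NTAUTH above)"
    }
}

if ($problems.Count -eq 0) { 'All checks passed.' } else { 'Problems found:'; $problems | ForEach-Object { " - $_" } }
```

Running it on a server where smart card RDP logon fails and on one of the two CA servers where it works gives a side-by-side view of which of these conditions differs between them.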