Enable Certificate-Based Authentication for Windows Admin Center Gateway Servers with AD CS


Implementing certificate-based authentication for Windows Admin Center (WAC) involves leveraging smart card logon (user certificates) in Active Directory. In a production Active Directory environment, you can require administrators to authenticate with a client certificate, typically stored on a smart card or virtual smart card, before they can access the WAC gateway. This is achieved by using Active Directory Certificate Services (AD CS) to issue logon certificates to users and configuring Authentication Mechanism Assurance (AMA) in Active Directory to tie those certificates to a security group. WAC is then configured to allow access only to users who present the approved certificate (via membership in that specific group). The result is that only users who have authenticated with a valid smart card certificate can access WAC, adding a strong second factor beyond passwords.

Before configuring certificate-based auth for WAC, ensure the following prerequisites are in place:

  • Active Directory Domain: WAC and users must reside in an AD domain.
  • AD CS (PKI) Deployment: An enterprise Active Directory Certificate Services Certification Authority should be installed and trusted by the domain.
  • Smart Card Infrastructure: Users will need smart card devices or virtual smart cards. This could be a physical smart card + reader for each admin, or a TPM-backed virtual smart card (VSC) on their device. Each user must have a personal certificate that will be used for logon.
  • Windows Admin Center: WAC should be installed in gateway mode on a domain-joined Windows Server. For production, replace the default self-signed certificate WAC generates with an SSL certificate issued by your CA that matches the WAC gateway's DNS name.
  • WAC Gateway Access Groups: Decide which AD security group(s) will be allowed as gateway users in WAC. Also create or identify a group to use for the smartcard enforcement. For example, create a group called "WAC-CertAuth-Required" (Global/Universal scope). No members will be directly added to this group. Membership will be assigned dynamically via AMA based on the logon method.
  • Domain Controller Certificates: Ensure your domain controllers have valid certificates for Kerberos PKINIT (Domain Controller Authentication certificates). Enterprise CAs usually auto-enroll these. This ensures DCs can accept smart card logons. Also verify DCs can reach the CRL distribution points for your CA certificates to check revocation.
  • Group Policy for Smart Cards: It is recommended to enforce certain policies: e.g., enable "Interactive logon: Require smart card" on accounts or systems if you want to prevent password logon entirely for those accounts, and enable "Smart card removal behavior: Lock workstation" on client PCs to auto-lock when a smart card is removed. Also consider enabling "Always wait for the network at computer startup and logon" to avoid cached logons interfering with AMA group assignment.

First, set up a certificate template in AD CS for your administrators' logon certificates. You can either use the built-in Smartcard Logon template or create a dedicated one:

  • Create a Dedicated Template: On your CA, open the Certificate Templates console. Duplicate the Smartcard Logon template (or the User template with adjustments) so you can customize it. Give it a name like "IT Admin Smartcard Logon". In the template's properties, configure the following key settings:
    • Compatibility: Ensure it is set for at least Windows Server 2008 R2 / Windows 7 for full smart card support.
    • Cryptography: Choose a strong key length (2048 or higher) and a CSP/KSP that supports your smart cards. Enable "Prompt for PIN on use" if available.
    • Subject Name: Set to "Build from this AD information" using the user's User principal name (UPN). The UPN will be included in the certificate's subject alternative name. This is important because the domain controller uses the certificate's UPN to map to the user account during logon.
    • Extensions: Under Application Policies (Extended Key Usage), ensure Smart Card Logon (OID 1.3.6.1.4.1.311.20.2.2) is present. You may also include Client Authentication (1.3.6.1.5.5.7.3.2) if users might authenticate to other services. Remove any EKUs not needed. Also, ensure "Signature and Smartcard Logon" or similar is selected as the issuance policy, if relevant.
    • Security: Assign Enroll (and Read) permissions to the user group that will receive these certificates (e.g. your IT admins group), and to the enrollment agents if you use one.
    • Expiration: Set an appropriate validity period (e.g. 1 or 2 years) and publish timely CRLs so expired/revoked certs are recognized.

This process will generate a unique Object Identifier (OID) for the new template (visible on the General tab or via certutil -template). Take note of this template OID, as we'll use it for the AMA mapping. (If you use the built-in Smartcard Logon template, it has a default OID you can obtain the same way.)

  • Publish the Template: If you created a new template, publish it on the CA (so it's available for enrollment). In the Certification Authority MMC, right-click Certificate Templates > New > Certificate Template to Issue, and select your template.
  • Enroll Certificates to Admins: Enroll each administrator for a smart card certificate using this template. Typically, this is done by using the Certificates MMC on a client with a smart card reader:

o   Have the user insert their smart card and open certmgr.msc (or use a dedicated smart card enrollment tool if available).

o   Enroll for the "IT Admin Smartcard Logon" certificate. This will generate a private key on the card and issue the certificate to the card. The certificate should now reside in the user's Personal store and on the card.

o   Ensure the certificate shows the correct UPN in the Subject Alternative Name and the Smart Card Logon policy in the Application Policies.

  • Verify AD Trust of the Certificate: Because this is an enterprise CA, the issued certificates will automatically be trusted by Active Directory for logon (the CA's root is in the NTAuth store). Just to be safe, confirm that the CA's root cert is present in the NTAuthCertificates container in AD (use certutil -viewstore -enterprise NTAuth). If not, publish it using certutil -dspublish -f rootcert.cer NTAuth. This ensures domain controllers trust certificates from this CA for authentication.

At this stage, each admin user should have a valid smart card logon certificate issued by AD CS, which includes an OID identifying the template. Next, we'll configure Active Directory to recognize this OID and link it to a security group via Authentication Mechanism Assurance.

Authentication Mechanism Assurance (AMA) is an Active Directory feature that adds a user to a security group dynamically when they log on with a certificate that contains a specific issuance policy or template OID. We'll use AMA to flag users who authenticated with our smart card certificate. The plan is to map the OID of our "IT Admin Smartcard Logon" certificate template to a specific security group (e.g. "WAC-CertAuth-Required"). When a user logs on with that certificate, domain controllers will automatically include this group in the user's Kerberos token; if they log on with a password or another method, they won't have this group.

Follow these steps to configure AMA:

  1. Create a Universal Security Group: If not already created, make a new security group in AD (ideally in the Users container or a dedicated OU) named, for example, "WAC-CertAuth-Required". Make it a universal group (recommended for AMA) and set the group type to Security. Don't add any members to it, as AMA will control membership. Also, don't use this group for any other assignments; reserve it for this purpose.
  2. Find the Certificate Template OID: Locate the OID of the certificate template you're using:

o   Open the properties of the certificate template in the Certificate Templates console. On the General tab note the Template OID (e.g. 1.3.6.1.4.1.311.x.x.xxxxx.xxxx…). Alternatively, use Get-CATemplate in PowerShell or certutil -v -dstemplate to get the OID.

o   If you used the built-in Smartcard Logon template, its OID can be found the same way (every template has a unique OID).

  3. Map the OID to the Group in AD: This step requires modifying the AD Configuration partition using ADSI Edit or PowerShell:

o   Open ADSI Edit (adsiedit.msc) as an enterprise admin.

o   Right-click ADSI Edit > Connect to…. Select the Configuration well-known naming context.

o   Navigate to CN=Public Key Services,CN=Services,CN=Configuration,<forest root DN>. Under this, find CN=OID (Object Identifiers). This container holds objects for certificate template OIDs and issuance policy OIDs.

o   Look for an object whose msPKI-Cert-Template-OID attribute matches the OID of your certificate template. The objects are often named after the template or have a GUID. You may need to inspect each one until you find the matching OID value.

o   Once found, open the properties of that OID object. There will be an attribute msDS-OIDToGroupLink. This is where we link the OID to a group.

o   Copy the distinguishedName of the "WAC-CertAuth-Required" group you created (you can find it by connecting ADSI Edit to the Default naming context, locating the group, and copying the DN).

o   In the OID object's properties, set msDS-OIDToGroupLink to the DN of your group. Apply the change.

This mapping tells AD: for any user logging on with a certificate issued from this template OID, include the specified group in their token.

A quick way to confirm the mapping is working is to try adding a member to the "WAC-CertAuth-Required" group in AD Users & Computers. It should now prevent you from manually adding any members, giving an error like "OID mapped groups cannot have members." This is expected because the group is now managed by AMA.
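The same mapping and the "cannot have members" check, scripted with the ActiveDirectory module instead of ADSI Edit. This is an added example, not code from the original article; it assumes the template name "IT Admin Smartcard Logon" and the group "WAC-CertAuth-Required" used above, and that it runs as an Enterprise Admin on a machine with RSAT installed.

```powershell
# Added example (not from the original article): map a certificate template OID
# to the AMA group with the ActiveDirectory module instead of ADSI Edit.
# Assumptions: template "IT Admin Smartcard Logon" and group "WAC-CertAuth-Required"
# from the article; run as an Enterprise Admin with the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$TemplateName = 'IT Admin Smartcard Logon'
$GroupName    = 'WAC-CertAuth-Required'

# Locate the template object in the Configuration partition and read its OID.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template   = Get-ADObject -SearchBase $templateDN -LDAPFilter "(cn=$TemplateName)" `
                -Properties msPKI-Cert-Template-OID
if (-not $template) { throw "Template '$TemplateName' not found under $templateDN" }
$templateOid = $template.'msPKI-Cert-Template-OID'
Write-Host "Template OID: $templateOid"

# Find the matching object under CN=OID; its msDS-OIDToGroupLink attribute is what AMA reads.
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNC"
$oidObject = Get-ADObject -SearchBase $oidContainer `
               -LDAPFilter "(msPKI-Cert-Template-OID=$templateOid)" `
               -Properties msDS-OIDToGroupLink
if (-not $oidObject) { throw "No object under $oidContainer carries OID $templateOid" }

# The group must be a universal security group with no static members.
$group = Get-ADGroup -Identity $GroupName -Properties member
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "$GroupName must be a Universal Security group (found $($group.GroupScope)/$($group.GroupCategory))"
}
if ($group.member.Count -gt 0) {
    throw "$GroupName already has static members; an AMA group must be empty"
}

# Link the OID object to the group DN (same as editing msDS-OIDToGroupLink in ADSI Edit).
Set-ADObject -Identity $oidObject.DistinguishedName `
             -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Re-read the link, then confirm AD now refuses static members
# (the "OID mapped groups cannot have members" behaviour described above).
$linked = (Get-ADObject -Identity $oidObject.DistinguishedName -Properties msDS-OIDToGroupLink).'msDS-OIDToGroupLink'
Write-Host "msDS-OIDToGroupLink = $linked"
try {
    Add-ADGroupMember -Identity $GroupName -Members $env:USERNAME -ErrorAction Stop
    Write-Warning 'Unexpected: a member could be added, so the mapping is not in effect yet (check replication).'
    Remove-ADGroupMember -Identity $GroupName -Members $env:USERNAME -Confirm:$false
} catch {
    Write-Host "Mapping in effect; AD refused the member add: $($_.Exception.Message)"
}
```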

Now AMA is configured. When a user authenticates with our smart card cert, the domain controller will evaluate the certificate, see the template OID, and if it matches the mapped OID, will add the "WAC-CertAuth-Required" group SID to the user's Kerberos token. If the user logs on with username/password, that group will not be present.

AMA triggers only during interactive logon (or unlock), when the user actually uses the certificate to log on to Windows. It does not dynamically add or remove groups in the middle of a session. This means the user must log on to their machine with the smart card certificate to get the group.

WAC supports two identity providers for gateway access: Active Directory (default) or Microsoft Entra ID. We're using AD with an added smart card requirement. WAC provides a setting to require membership in a "smartcard authentication group" in addition to the normal user group.

Do the following on the WAC gateway server (while logged in as a WAC gateway administrator or local admin):

  1. Open WAC Access Settings: In a web browser, open the Windows Admin Center portal (e.g. https://<WAC gateway FQDN>). Go to Settings (gear icon) > Access. Ensure "Use Active Directory" (or "Use Windows Access Control") is selected as the identity provider, since we're using AD groups.
  2. Configure Gateway Users Group(s): Under User Access, you should see an option to specify who can access the WAC gateway ("Gateway users"). By default, if no group is listed, any authenticated user can access it. Add your administrators group (or groups) here to restrict WAC access to only those users. For example, add "IT Admins" or whatever AD group contains the admins that should use WAC. After adding it, it will show up in the list of allowed user groups.
  3. Enable Smartcard Enforcement: Still in the Access settings, look for the Smartcard authentication option when adding a group. WAC allows specifying an additional required group that signifies smart card usage. Add "WAC-CertAuth-Required" (the AMA-linked group) here as the Smartcard-required group. In the WAC UI, this may be done by clicking "+ Add smartcard group" or by marking one of the added groups as a smartcard group. (In some versions, you first add the group under Users, then check a box to designate it as a smartcard-enforced group.)

o   After this configuration, WAC's effective access check becomes: a user's AD account must be a member of at least one allowed group AND must be a member of the required smartcard group. This corresponds exactly to requiring certificate logon. According to Microsoft's documentation: "Once you have added a smartcard-based security group, a user can only access the WAC service if they are a member of any security group AND a smartcard group included in the users list." In our case, this means the user must be in (for example) "IT Admins" and in "WAC-CertAuth-Required". The latter only happens when they've logged on with the certificate, so effectively the user must be using their smart card.

  4. Configure Gateway Administrators (if needed): If others will administer the WAC gateway settings, you can also add groups/users under the Administrators tab. You can enforce a smartcard group on administrators the same way. Typically, local Administrators on the server already have admin access to WAC by default. Make sure those accounts also use smart cards, or exclude accounts accordingly for security.
  5. Save Settings: Save or apply the Access settings. The WAC gateway service may restart to apply the changes.

You can verify the WAC access settings via PowerShell on the WAC server. Open PowerShell and use Get-SMEAuthorization (if available) or check the configuration file. WAC stores the allowed groups and the smartcard-required group. Ensure the output lists your groups correctly. There is also a PowerShell cmdlet (Set-SMEAuthorization) to configure these settings if you prefer scripting (the documentation covers using the -RequiredGroups and -RequiredSmartCardGroups parameters for WAC).

At this point, WAC is configured to require certificate-based authentication. The gateway will perform Windows Integrated Authentication (Kerberos/NTLM) as usual, but it will only authorize the session if the user's token contains the smartcard group SID in addition to an allowed group SID. If the user logged in with a password, the smartcard group SID is missing and WAC will deny access (HTTP 401/403).

It's important to test the setup end-to-end to confirm the configuration works as expected:

  • Test Case 1. Password login (should be denied): Have an admin user attempt to access WAC without using their smart card. For example, the user can sign out and log on to Windows with just username/password (or disable their smart card login temporarily). Then navigate to the WAC URL. The WAC site will prompt for authentication (the browser will try Integrated Windows Auth). The user may be prompted to authenticate; if so, even entering correct AD credentials should result in access denied at the gateway. The user will see a 401 Unauthorized error from WAC after login, or WAC will keep prompting for credentials. This is expected because although the user is in the allowed admin group, they are not in the AMA smartcard group (since they logged on with a password). WAC refuses access because the AND condition isn't met. This confirms that a password-only login is insufficient.
  • Test Case 2. Smart card login (should be allowed): Now have the user log out and log on to Windows using the smart card. (On the Windows login screen, they should insert the card, choose the smart card login option, and enter the PIN. This uses their certificate to authenticate to AD.) After interactive logon with the smart card, the user's Kerberos ticket now includes the "WAC-CertAuth-Required" group, courtesy of AMA. Now access the WAC portal again (e.g. via Microsoft Edge or Chrome). The browser will perform Integrated Auth (which uses the logged-on user's credentials/ticket). The user should be granted access to WAC this time and see the usual WAC interface. No additional prompts occur. WAC sees the user is in both required groups and allows the connection.
  • Confirm Group Presence: On the user's machine, you can run whoami /groups in a command prompt after logging in with the smart card. You should see the "WAC-CertAuth-Required" group listed. If you log in with a password, that group will not be listed. This is a quick way to verify AMA is working as intended.
  • WAC Logging: On the Windows Admin Center server, check the event log "Microsoft-ServerManagementExperience" (under Applications and Services Logs) for any relevant warnings or errors. When a user is denied for not meeting the group requirements, WAC will typically log an event indicating the user's identity was not authorized. This can help confirm that the smartcard requirement was the reason (versus other failures).
  • Edge/Browser Behavior: If the browser pops up a Windows Security login dialog repeatedly even after using the smart card, make sure the site is in the Intranet Zone or Trusted Sites so that Integrated Auth is seamless. Also make sure the user's certificate authentication to the domain is functioning (they have a Kerberos TGT). Typically, after a smart card desktop login, the browser should not prompt at all. It should silently use the existing Kerberos ticket.
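A client-side check that covers Test Case 1, Test Case 2 and "Confirm Group Presence" in one run: it inspects the current token for the AMA group (what whoami /groups shows) and verifies that the logon certificate on the card carries the Smart Card Logon EKU, the expected template OID and the account's UPN. This is an added example, not code from the original article; the group name is the one used above, and <TEMPLATE-OID> is a placeholder for the OID noted from the template's General tab.

```powershell
# Added example (not from the original article): run on the admin's domain-joined
# workstation after logon. Checks (1) the current token contains the AMA group and
# (2) the smart card logon certificate has the expected template OID, EKU and UPN.
# Assumptions: group "WAC-CertAuth-Required" from the article; <TEMPLATE-OID> is a
# placeholder to replace with the template OID from the General tab.
$AmaGroup          = 'WAC-CertAuth-Required'
$TemplateOid       = '<TEMPLATE-OID>'
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'

function Test-AmaGroupInToken {
    param([string]$GroupName)
    # Same data as whoami /groups: translate each group SID in the current token to a name.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $names = foreach ($sid in $identity.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }
    return [bool]($names | Where-Object { $_ -like "*\$GroupName" -or $_ -eq $GroupName })
}

function Get-SmartCardLogonCertReport {
    param([string]$ExpectedTemplateOid, [string]$Upn)
    # Look in the user's Personal store for certificates that carry the
    # Smart Card Logon EKU, then read the template and SAN extensions.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku
    } | ForEach-Object {
        $cert = $_
        # Certificate Template Information extension (1.3.6.1.4.1.311.21.7) formats as
        # "Template=<name>(<oid>), Major Version Number=..., ..." or just the OID.
        $tplExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        $tplText = if ($tplExt) { $tplExt.Format($false) } else { '' }
        $tplOid  = if ($tplText -match '(\d+(\.\d+){5,})') { $Matches[1] } else { $null }
        # Subject Alternative Name extension; the UPN shows as "Principal Name=user@domain".
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $sanUpn  = if ($sanText -match 'Principal Name=([^,\s]+)') { $Matches[1] } else { $null }
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            TemplateOid   = $tplOid
            TemplateMatch = ($tplOid -eq $ExpectedTemplateOid)
            SanUpn        = $sanUpn
            UpnMatch      = [bool]($sanUpn -and $Upn -and ($sanUpn -ieq $Upn))
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

$upn      = (whoami /upn).Trim()
$hasGroup = Test-AmaGroupInToken -GroupName $AmaGroup
Write-Host ("Token contains {0}: {1}" -f $AmaGroup, $hasGroup)
Get-SmartCardLogonCertReport -ExpectedTemplateOid $TemplateOid -Upn $upn | Format-List

if (-not $hasGroup) {
    # This is the Test Case 1 outcome: WAC will answer 401 because the AND condition fails.
    Write-Warning 'AMA group missing from the token: WAC will deny access. Log on with the smart card, not a password, and retry.'
}
```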

By completing these tests, you validate that the system correctly distinguishes certificate-based logons from password logons when gating WAC access.

Despite careful setup, you may encounter issues. Here are common problems and their solutions:

  • User not being added to the AMA group: After logging on with a smart card, if whoami /groups doesn't show the "WAC-CertAuth-Required" group:

o   Verify the certificate was issued from the correct template (check the certificate's details: under Details, Certificate Template Information should show your template name/OID).

o   Verify the OID mapping in ADSI Edit is correct (no typos in the DN, and it's on the right OID object).

o   The group must be universal scope if in a multi-domain forest. If it's global and the user/DC are in another domain, it might not be assigned. Use Universal as recommended.

o   Ensure the domain functional level is 2008 R2 or higher; AMA won't work below that.

o   If the user is logging on to a machine that's offline (no DC contact) and using cached credentials, AMA won't apply since the DC can't evaluate the certificate. The "Always wait for the network at computer startup and logon" GPO setting (Computer Configuration → System → Logon) should be enabled to force online logon. If the user must log on cached (like a laptop off VPN), they won't get the AMA group until they can contact a DC (which may then happen when they access domain resources).

o   Check the Event Log on the Domain Controller that handled the logon (Security log). Look for event 4768 or 4771 around the logon time:

      • 4771 with Failure Code 0x12 or text about "Encryption type not supported" might indicate a missing DC certificate or a Kerberos settings issue.
      • Errors about "The certification authority is not trusted" or "Smartcard logon is not supported for user" indicate trust problems. Make sure the CA cert is in NTAuth and the user cert has the right UPN.
      • If you see Event 19 in the System log on the DC (KDC event for failed smart card logon), it usually gives a reason code, for example "KDC certificate missing" or "No valid CRL".

o   One quick check: run certutil -verify -urlfetch on a DC against the exported user certificate. This tests whether the DC (or whichever machine you run it on) can validate the cert chain and CRLs. Any errors here need addressing (trust chain, CRL, or missing template OID mapping).

o   If the user's certificate doesn't have the Smart Card Logon EKU and you instead tried using just Client Authentication: domain controllers by default require the specific Smartcard EKU (or the newer "Kerberos Authentication" EKU in newer domains). Make sure the template included the correct EKU for smart card logon; otherwise the DC may not treat it as a smart card logon attempt at all.

  • User can log in to WAC with a password (not expected): If somehow a user was able to access WAC without using the smart card:

o   Double-check WAC's Access settings. Perhaps the smartcard-required group wasn't properly added. On the WAC server, run Get-SMEAcls or check the config to ensure the RequiredSmartcardGroups attribute includes the correct group SID.

o   Confirm the user's account isn't in that smartcard group permanently (no one should be a direct member; AMA groups shouldn't have any static members). Use ADUC or PowerShell to ensure the group's member attribute is empty. If someone manually added a user to that group, that user bypasses the need for a cert (they always have the group). Remove any unintended members. The "OID mapped groups cannot have members" enforcement should prevent this, but if the mapping was wrong and never actually applied, someone might have populated the group. Fix the mapping and clear the members.

o   Ensure the user didn't somehow keep the AMA group cached from a previous smart card logon. A known caveat: if a user previously logged on with a smart card and then logs off and back on with a password on the same machine without a reboot, Windows might cache the group in the token (due to an optimization). This can happen with "fast logon" or unlock scenarios. The fix is the GPO mentioned above (disable fast logon). In practice, a fresh reboot + password logon should drop the group. Warn users that switching from smartcard to password login on a machine without a reboot could be inconsistent. It's safest to always use the smart card, or to reboot if they must log in with a password for some reason.

o   If using Remote Desktop to the WAC server or a jump box, make sure the same certificate enforcement is considered there. If someone logs into the jump box with a password and then tries to use WAC, they'll fail. That's expected. They should RDP with the smart card as well (RDP supports smart card logon pass-through).

  • Repeated credential prompts when accessing WAC: If a user who logged in with a smart card still gets prompted for credentials in the browser:

o   Ensure the browser is configured for integrated authentication. For Internet Explorer/Edge (IE mode), the WAC URL should be in the Local Intranet zone (which normally allows automatic Windows auth). Modern Edge/Chrome typically attempt desktop credentials automatically, but if not, you can go to edge://settings -> Automatic profile switching or edge://flags for integrated auth, or use the group policy "Integrated Windows Authentication" to allow the WAC URL. In Chrome, you can run it with --auth-server-whitelist="wacservername.domain.com".

o   If the browser prompts for a certificate selection (some configuration might cause the site to request a client cert at the TLS level), that's not default for WAC. WAC by itself doesn't use TLS client-cert authentication, so you shouldn't see a certificate selection popup. If you do, perhaps you or someone else configured the HTTP.sys binding on the WAC server to Require Client Certificates. That's not needed for this solution (and would interfere, as WAC isn't expecting to parse client certs itself). If enabled, consider disabling that requirement, since our approach uses Kerberos group membership instead. Remove any manual netsh http client cert negotiation settings unless you have a specific reason for them.

o   Check that the user's smart card credential was cached in Windows properly. Sometimes after a fresh logon, the first hit to a secure site might trigger a PIN prompt if the browser tries to use the certificate for TLS or similar. Ensure the PIN was entered during login and is still valid (some smart cards might require PIN re-entry for signing, but usually not for Kerberos, since the Kerberos ticket is already obtained at logon).

o   Finally, confirm that the user's Windows session indeed has the AMA group. If not, WAC will keep prompting because it sees the user in the allowed group but not in the smartcard group, and treats them as unauthorized (causing the browser to prompt again). This can result in a 401. You may see the prompt come up repeatedly and then a blank page. In WAC's log, an event or error saying the user isn't authorized will confirm it. The solution is to get the AMA group into the token (log in with the card properly; fix AMA if broken).

  • Smart card login fails on Windows: This is more of a PKI/AD issue than a WAC issue:

o   If, when inserting the card at logon, you get messages like "The system could not log you on", "No valid logon servers" or "certificate not recognized", debug the smart card logon itself. Common causes: the user certificate is missing the UPN or has a UPN that doesn't match the account, the CA that issued it isn't in NTAuth or isn't trusted by the client or DC, or the DC's own certificate is missing (check that the DC has a cert in its personal store issued by your CA for domain controller authentication).

o   On the client, when the logon fails, you can sometimes hit "Switch User -> Smart card logon" and see if it lists the certificate. If not, the card middleware might not be installed or working. If it lists it but errors after the PIN, then it's likely an AD trust issue. The domain controller security log will have details.

  • Certificate revocation issues: If a user's certificate was revoked or expired, obviously they won't be able to authenticate with it. The DC will deny the smart card logon (the event will indicate a revoked or expired cert). The user would fall back to a password (if allowed), which then won't grant WAC access. The fix is to renew their certificate in advance. Always keep track of expiry dates and set reminders.
  • Updating certificates: When an admin is issued a new smart card or cert (or their cert is renewed from a template with a new OID), ensure your AMA mapping covers it. If you created a new template (with a new OID) for any reason, you must map that OID as well. AMA can map multiple OIDs by linking them to potentially different groups. WAC only supports one smartcard group in its settings, so ideally you'd keep using the same template OID for all admin certs. If a new OID is required (say you have multiple CAs or different templates), you can map it to the same group or include multiple groups in WAC (though the UI supports one, you can work around it by nesting groups or adding multiple allowed combinations). Simpler is to stick to one cert template for this purpose.
  • Group caching: The AMA group inclusion happens at the Kerberos TGT level. If a user logs on with a smart card, gets the group, and later the group mapping is removed or changed, an existing TGT might still carry the group until it expires (~10 hours by default). Clearing the Kerberos tickets (klist purge or logoff) removes it. Keep this in mind during changes: if you remove the mapping or change the group, there can be a delay until all tickets expire or users log off.
  • Alternate access methods: If someone tries to use PowerShell Remoting (Enter-PSSession) or other tools to connect to the WAC gateway, they will still undergo the same check. Typically WAC is accessed via the web, but be aware that Windows auth is at play regardless of interface.
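A DC-side triage script for the "User not being added to the AMA group" and "Smart card login fails" items above: it pulls the Security 4768/4771 events for one user, reports whether any was a successful PKINIT (smart card) ticket request, lists KDC event 19 entries, and confirms the CA is in NTAuth. This is an added example, not code from the original article; the user name and CA name are placeholders, and it assumes "Audit Kerberos Authentication Service" is enabled on the DC.

```powershell
# Added example (not from the original article): run on the domain controller that
# handled the logon. Pulls Security 4768/4771 and KDC System event 19 for one user
# and checks that the issuing CA is published in NTAuth.
# Assumptions: <admin-sam-account> and <Issuing-CA-Name> are placeholders;
# "Audit Kerberos Authentication Service" must be enabled for 4768/4771 to exist.
param(
    [string]$UserName      = '<admin-sam-account>',
    [string]$CaName        = '<Issuing-CA-Name>',
    [int]   $LookbackHours = 2
)
$since = (Get-Date).AddHours(-$LookbackHours)

function Get-EventDataField {
    param($Event, [string]$Name)
    # Read a named EventData field from the event XML (property indices vary by OS version).
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-KerberosAsEvents {
    param([string]$User, [datetime]$StartTime)
    # 4768 = TGT requested (success or failure), 4771 = pre-authentication failed.
    # A smart card logon shows PreAuthType 16 (PA-PK-AS-REQ) and a non-empty CertIssuerName.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4771; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventDataField $_ 'TargetUserName') -ieq $User } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Id          = $_.Id
                Status      = Get-EventDataField $_ 'Status'        # 0x0 = success; 0x12 etc. = failure codes
                PreAuthType = Get-EventDataField $_ 'PreAuthType'   # 16 = PKINIT (smart card), 2 = password
                CertIssuer  = Get-EventDataField $_ 'CertIssuerName'
                CertThumb   = Get-EventDataField $_ 'CertThumbprint'
            }
        }
}

function Get-KdcSmartCardFailures {
    param([datetime]$StartTime)
    # KDC event 19 in the System log carries the reason a smart card logon was rejected.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id = 19
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

function Test-CaInNtAuth {
    param([string]$Name)
    # certutil -viewstore opens a dialog; the -store form is scriptable.
    $out = certutil -enterprise -store NTAuth 2>&1 | Out-String
    return [bool]($out -match [regex]::Escape($Name))
}

$asEvents = Get-KerberosAsEvents -User $UserName -StartTime $since
$asEvents | Format-Table -AutoSize
if (-not ($asEvents | Where-Object { $_.PreAuthType -eq '16' -and $_.Status -eq '0x0' })) {
    Write-Warning "No successful PKINIT (smart card) TGT for $UserName since $since; the logon used a password or failed."
}
Get-KdcSmartCardFailures -StartTime $since | Format-List
if (-not (Test-CaInNtAuth -Name $CaName)) {
    Write-Warning "CA '$CaName' not found in NTAuth; DCs will not accept logon certificates it issued."
}
```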

When using certificate-based authentication for WAC via this method, be aware of the following limitations and considerations:

  • Domain-Joined Clients Required: This solution assumes admins use domain-joined Windows machines for WAC access (so that their smart card logon yields a Kerberos token with the group). If an admin tries to access WAC from a non-domain system (where they can't do a Windows integrated logon), they'd be prompted for credentials. They could technically insert their smart card and select it in the browser when prompted, but that would attempt a certificate mapping at WAC, which isn't configured. WAC does not natively support direct client certificate mapping at the web application layer. The only supported way is via AD group, as we've done. So in practice, non-domain or external access must go through a secure method (e.g. VPN into the domain, or the Azure AD integration mentioned earlier). This is by design, as WAC relies on Windows Authentication, not forms or client-cert web auth.
  • No Native OTP/MFA Prompt: Unlike some web apps, WAC itself doesn't have a secondary prompt for OTP or similar. The smart card enforcement leverages the Windows login. So there's no separate UI in WAC for "insert your certificate"; it's all transparent once set up. As such, you can't mix password + cert in a single login to WAC; it's one or the other, determined by how the user logged into Windows.
  • Single Smartcard Group Limit: WAC's configuration allows only one "smartcard-required" group to be set. If you have different levels of assurance or multiple certificate profiles, you might need a common group that all certificate-authenticated users get. For example, if you issue different certs (say some with higher assurance), you could map multiple OIDs to the same AMA group so that any of them satisfies the WAC check. Plan your AMA mappings accordingly (you can map multiple OIDs to one group by concatenating DNs in msDS-OIDToGroupLink, or by having multiple template OID objects point to the same group DN).
  • Auditing: Note that when users access WAC with this setup, the logon audit on the WAC server will show a normal Kerberos login by the user. There isn't an explicit event on the WAC server saying "used certificate". The proof of certificate use is in the DC's logs (the Kerberos AS ticket was obtained via smart card). So, for auditing purposes, you can correlate: if a user accessed WAC and had the AMA group, they used a smart card. If auditing that is important, make sure to retain the domain security logs. You could also set up a scheduled task and script to log an event on the WAC server when a user lacking the group tries to connect (e.g., monitor WAC error events for unauthorized access).
