Windows OS login with PIV key

1 Overview

This document describes how to configure the Certification Authority (CA) on Windows Server so that smart card logon certificates can be requested and loaded onto FIDO keys that support PIV. There are five main parts:

  • Create a smart card logon template
  • Publish the template in the Certification Authority
  • Edit Group Policy to enable certificate auto-enrollment
  • Auto-enroll certificates on users' machines
  • Manually enroll for the current user

2 Prerequisites

  • A Windows Server with a domain controller and a certification authority configured. This document uses Windows Server 2016 with Active Directory Certificate Services (AD CS).
  • Client machines (the Windows Server itself can be used) and Windows user accounts that have already joined the CA's domain. This document uses Windows 10 Enterprise.
  • A FIDO key that supports the PIV function.
  • The minidriver (EsMiniTokenSetup.exe) installed on the relevant machines.

3 Set up the Smart Card Login Template for User Self-Enrollment

A smart card logon certificate template is required before certificates can be loaded onto your keys. Follow these steps on the Windows Server that runs the CA:

3.1 Create a Smart Card Login Template for User Self-Enrollment

  1. Press Win+R, type "certtmpl.msc" and press Enter.
  2. Click Certificate Templates, right-click Smartcard Logon, and select Duplicate Template.
  3. Select the General and Compatibility tabs and make the following changes (at minimum, give the duplicate a new template display name):

...

  4. Select the Request Handling and Cryptography tabs and make the following changes as needed:
  • Algorithm name: select RSA, ECDH_P256 or ECDH_P384 from the dropdown. Note: ECDH_P521 is not supported.
  • If an ECDH algorithm is selected, the client Windows systems need Elliptic Curve Cryptography (ECC) certificate logon support enabled, either through Group Policy or by editing the registry.
  • Minimum key size: if you selected RSA, enter 2048. If you selected ECDH_P256 or ECDH_P384, this field is populated automatically.
  • In general, do not check "Allow private key to be exported" unless you need to enroll on behalf of other users in this domain. A logon key that can be exported can be copied off the token, which defeats the point of a hardware-bound credential; a key generated on the PIV token itself cannot be exported regardless of this setting, so it matters mainly if the key ever ends up in a software provider.
  5. On the Security tab, give the administrator groups Read, Write and Enroll, and give the target users Enroll and Autoenroll.
  • Make sure "Domain Users" is listed and has at least Read, Enroll and Autoenroll allowed. Other users' permissions can be set as needed. Granting Enroll and Autoenroll to all of Domain Users lets every account in the domain obtain a logon certificate from this template; if only some users will carry PIV keys, grant these rights to a dedicated group of those users instead.
  6. Click Apply, then OK to close the template properties window. Close the Certificate Templates console.
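The template dialog gives no single view of everything that was just configured, so it is worth reading the template back out of Active Directory before publishing it. The following script is an added example, not part of the original page or the key vendor's tooling: it checks the EKU, the algorithm and key size, the export flag and the Security-tab rights for the enrolling group. It assumes the ActiveDirectory RSAT module is available (it is on a domain controller or CA), and the template display name and enrolling group are the assumed values at the top.

```powershell
# Added example, not part of the original page: read the duplicated template back out of
# Active Directory and check the settings that matter for smart card logon.
# Assumptions: ActiveDirectory module available; template name and group are hypothetical.
Import-Module ActiveDirectory

$TemplateDisplayName = 'Smartcard Logon (PIV)'   # assumed name, change to yours
$EnrollGroup         = 'Domain Users'            # narrow this to a smart card users group if you can

$SmartCardLogonEku      = '1.3.6.1.4.1.311.20.2.2'                   # Smart Card Logon EKU
$EnrollRight            = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55' # Certificate-Enrollment extended right
$AutoEnrollRight        = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2' # Certificate-AutoEnrollment extended right
$CT_FLAG_EXPORTABLE_KEY = 0x10   # bit in msPKI-Private-Key-Flag: "Allow private key to be exported"

$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tpl = Get-ADObject -SearchBase $container -Filter "displayName -eq '$TemplateDisplayName'" `
        -Properties pKIExtendedKeyUsage, 'msPKI-Minimal-Key-Size', 'msPKI-Private-Key-Flag', 'msPKI-RA-Application-Policies'
if (-not $tpl) { throw "Template '$TemplateDisplayName' not found under $container" }

$findings = New-Object System.Collections.Generic.List[string]

# 1. Without the Smart Card Logon EKU the logon UI never offers the certificate.
if ($tpl.pKIExtendedKeyUsage -notcontains $SmartCardLogonEku) {
    $findings.Add('EKU list does not contain Smart Card Logon (1.3.6.1.4.1.311.20.2.2)')
}

# 2. Algorithm and key size. For v3/v4 templates the algorithm name is stored in
#    msPKI-RA-Application-Policies as a backtick-delimited string.
$alg = 'RSA'
if ([string]$tpl.'msPKI-RA-Application-Policies' -match 'msPKI-Asymmetric-Algorithm`PZPWSTR`([^`]+)`') { $alg = $Matches[1] }
$minKey = [int]$tpl.'msPKI-Minimal-Key-Size'
switch -Regex ($alg) {
    '^RSA$'             { if ($minKey -lt 2048) { $findings.Add("RSA minimum key size is $minKey, expected 2048") } }
    '^ECDH_P(256|384)$' { }   # supported curves for these keys
    default             { $findings.Add("Algorithm '$alg' is not one of RSA, ECDH_P256, ECDH_P384 (ECDH_P521 is unsupported)") }
}

# 3. Exportable private keys defeat hardware-bound logon; the page recommends leaving it off.
if (([int]$tpl.'msPKI-Private-Key-Flag') -band $CT_FLAG_EXPORTABLE_KEY) {
    $findings.Add('"Allow private key to be exported" is enabled')
}

# 4. Security tab: the enrolling group needs Read + Enroll + Autoenroll (Allow ACEs).
$acl      = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
$identity = "$((Get-ADDomain).NetBIOSName)\$EnrollGroup"
$allow    = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $identity }
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$hasRead  = $allow | Where-Object { $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) }
# An ACE with an empty ObjectType grants all extended rights (e.g. Full Control).
$hasEnroll = $allow | Where-Object { $_.ActiveDirectoryRights.HasFlag($extended) -and ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty) }
$hasAuto   = $allow | Where-Object { $_.ActiveDirectoryRights.HasFlag($extended) -and ($_.ObjectType -eq $AutoEnrollRight -or $_.ObjectType -eq [guid]::Empty) }
if (-not $hasRead)   { $findings.Add("$identity lacks Read") }
if (-not $hasEnroll) { $findings.Add("$identity lacks Enroll") }
if (-not $hasAuto)   { $findings.Add("$identity lacks Autoenroll") }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
"Template '$TemplateDisplayName' ($alg, minimum key size $minKey) looks correct for smart card logon."
```

Run it from an elevated PowerShell on the CA after clicking OK in the template dialog; any warning it prints maps directly to one of the tabs in step 4 or 5 above.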

3.2 Adding the Template to the Certification Authority

  1. Right-click the Windows Start button and select Run.
  2. Type "certsrv.msc" and press Enter.
  3. Click Certification Authority, double-click your server, right-click Certificate Templates, select New, and then select Certificate Template to Issue.
  4. Locate and select the self-enrollment template you just created, and then click OK.
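The same publication can be done and verified from the command line, which is useful when the CA is managed remotely or when you want proof that clients will actually see the template. The script below is an added example, not part of the original page: it publishes the template with certutil and then checks the CA's enrollment service object in Active Directory, which is where domain clients read the list of issuable templates during auto-enrollment. It assumes it runs on the CA as a CA administrator, and that the template's common name (the "Template name" field, which has no spaces, as opposed to the display name) is the hypothetical SmartcardLogonPIV.

```powershell
# Added example, not part of the original page: publish the template on the CA and verify
# that the pKIEnrollmentService object in AD lists it. Template CN below is hypothetical.
Import-Module ActiveDirectory

$TemplateCN = 'SmartcardLogonPIV'   # the template's common name, not its display name

# certutil -SetCATemplates takes the template CN; "+" adds it to the CA, "-" removes it.
certutil -SetCATemplates "+$TemplateCN"
if ($LASTEXITCODE -ne 0) { throw "certutil -SetCATemplates failed with exit code $LASTEXITCODE" }

# The CA mirrors its issuable-template list into the certificateTemplates attribute of its
# enrollment service object; clients enumerate this object when they auto-enroll.
$configNC = (Get-ADRootDSE).configurationNamingContext
$services = Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC" `
                -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates, dNSHostName

foreach ($ca in $services) {
    $published = $ca.certificateTemplates -contains $TemplateCN
    [pscustomobject]@{
        CA        = $ca.Name
        Host      = $ca.dNSHostName
        Publishes = $published
    }
}

# Local view from the CA service itself, for comparison with the AD object above.
certutil -CATemplates | Select-String -SimpleMatch $TemplateCN
```

If the AD object does not list the template a few seconds after the command returns, check that the CA service account can write to its enrollment service object; until it appears there, clients will not offer the template in the enrollment wizard.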

3.3 Editing Group Policy to Enable Auto-Enrollment

  1. Right-click the Windows Start button and select Run.
  2. Type "gpmc.msc" and press Enter.
  3. Navigate to the AD forest and the domain containing your server, double-click the domain and double-click Group Policy Objects.
  4. Right-click the group policy you want to edit, and then select Edit.
  5. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  6. Right-click Certificate Services Client – Certificate Enrollment Policy and select Properties, and set the Configuration Model to Enabled so that the Active Directory enrollment policy is used.
  7. Right-click Certificate Services Client – Auto-Enrollment Policy, select Properties, set the Configuration Model to Enabled, and check both "Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates".
  8. Expand User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and apply the same changes to the same two policies. User certificates are enrolled under the user's own policy, so the Computer Configuration settings alone are not enough.
  • You may need to run gpupdate /force or restart the machine for these changes to apply.
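A client that never shows the enrollment notification is usually one where these policies have not arrived. The following script is an added example, not part of the original page: run in the enrolling user's session on a domain-joined client, it reads back the registry values that the Auto-Enrollment policy writes for both Computer and User Configuration, checks the ECC logon setting that section 3.1 says is needed for ECDH templates, and then triggers an auto-enrollment pass immediately instead of waiting for the scheduled task. The registry paths, the AEPolicy bit meanings and the task path are the ones Windows uses for these settings; the interpretation of AEPolicy=7 as "enabled with both options ticked" is the value Group Policy writes for the configuration described in step 7.

```powershell
# Added example, not part of the original page: verify auto-enrollment policy on a client
# and trigger an enrollment pass. Paths/values are those written by the Group Policy settings.
gpupdate /force | Out-Null

function Get-AutoEnrollmentState {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)   # HKLM = Computer Configuration, HKCU = User Configuration
    $key    = "${Hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $policy = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $policy)    { return "$Hive AEPolicy missing: the Auto-Enrollment policy has not applied" }
    if ($policy -band 0x8000) { return ("$Hive AEPolicy=0x{0:X}: auto-enrollment is DISABLED" -f $policy) }
    if ($policy -eq 7)        { return "$Hive AEPolicy=7: enabled with both renew/update options ticked" }
    return ("$Hive AEPolicy=0x{0:X}: enabled, but not all options are ticked" -f $policy)
}

function Get-EccLogonState {
    # "Allow ECC certificates to be used for logon and authentication"; only needed for ECDH templates.
    $v = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider' `
            -Name EnumerateECCCerts -ErrorAction SilentlyContinue).EnumerateECCCerts
    if ($v -eq 1) { return 'ECC logon certificates: enabled' }
    return 'ECC logon certificates: NOT enabled (required when the template uses ECDH_P256/ECDH_P384)'
}

Get-AutoEnrollmentState -Hive HKLM
Get-AutoEnrollmentState -Hive HKCU
Get-EccLogonState

# Auto-enrollment runs from these scheduled tasks at logon and on a periodic timer;
# certutil -pulse triggers the same pass right now for the current user.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' | Select-Object TaskName, State
certutil -pulse
```

If the HKCU value is missing while HKLM is present, the User Configuration half of step 8 was skipped; the notification in section 4 comes from the user task and will not appear until that is fixed.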

4 Using Auto-Enrollment to Enroll Users

This section describes the steps users follow to auto-enroll their key for logon.

  1. Log in to a user account on a Windows 10 PC joined to the domain. A Certificate Enrollment notification appears above the system tray.
  2. Click the Certificate Enrollment notification to open the Certificate Enrollment wizard. If the popup has disappeared (or did not appear), click the arrow in the system tray to expand the hidden icons and click the certificate icon.
  3. On the initial screen, click Next.
  4. Select the newly created certificate template and click Enroll.
  5. Enter your key's PIV PIN and click OK. If the PIN has not been set, enter the default PIN: 123456. Change the default PIN before relying on the key for logon; a logon credential protected by a published default PIN is no better than a password written on the token.
  Note: the minidriver (EsMiniTokenSetup) is required at this stage; without it the token is presented as read-only and the key cannot be generated on it.
  6. Windows enrolls the certificate for Windows logon. After the process succeeds, click Finish.
  7. Check the Windows certificate store: the new certificate is stored in the user's certificate store as well as on the smart card token.
  8. The next time you log in to this machine, you can select the Smart Card sign-in option.
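Step 7 can be checked more precisely than by eye. What matters for logon is that the certificate in the user's store carries the Smart Card Logon EKU and a UPN that matches the account, and that its private key is actually on the PIV token rather than in a software key store. The script below is an added example, not part of the original page: it finds such certificates in Cert:\CurrentUser\My and asks certutil which provider holds each key. It assumes the certificate has the Smart Card Logon EKU and a UPN in its Subject Alternative Name (both standard for a duplicate of the Smartcard Logon template) and that certutil prints a "Provider = ..." line for the key; certutil may prompt for the PIV PIN while it tests the key.

```powershell
# Added example, not part of the original page: verify the enrolled logon certificate in
# the user's store and confirm its key lives on the smart card.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'

function Get-SmartCardLogonCert {
    # PowerShell's certificate provider adds EnhancedKeyUsageList to each X509Certificate2.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku)
    }
}

function Get-CertUpn([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Kerberos maps the certificate to the account through the UPN in the SAN extension.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and ($san.Format($false) -match 'Principal Name=([^,\s]+)')) { return $Matches[1] }
}

function Get-KeyProvider([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # certutil resolves the key container for both CSP (minidriver) and KSP keys.
    $line = certutil -user -store My $Cert.Thumbprint 2>&1 |
            Select-String -Pattern '^\s*Provider\s*=\s*(.+?)\s*$' | Select-Object -First 1
    if ($line) { return $line.Matches[0].Groups[1].Value }
}

$me    = (whoami /upn 2>$null)       # UPN of the logged-on domain account
$certs = @(Get-SmartCardLogonCert)
if ($certs.Count -eq 0) {
    Write-Warning 'No Smart Card Logon certificate in Cert:\CurrentUser\My; run certutil -pulse and watch for the tray notification'
    exit 1
}

foreach ($c in $certs) {
    $provider = Get-KeyProvider $c
    $upn      = Get-CertUpn $c
    $tplExt   = $c.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }   # Certificate Template Information
    [pscustomobject]@{
        Thumbprint   = $c.Thumbprint
        Template     = $(if ($tplExt) { $tplExt.Format($false) })
        UPN          = $upn
        UpnMatchesMe = ($upn -eq $me)
        Provider     = $provider
        OnToken      = [bool]($provider -match 'Smart Card')   # Base Smart Card CSP or Smart Card KSP
        NotAfter     = $c.NotAfter
    }
}
```

A row with OnToken false means the key was generated in a software provider (typically because the minidriver was missing and a software CSP was chosen instead); that certificate will still show up in the store but the Smart Card sign-in option will not use it. To see the token's own view of the same certificate, run certutil -scinfo with the key inserted.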

...

5 Enroll manually

If you want to enroll the certificate manually, or if something unexpectedly stops auto-enrollment, you can change the certificate template's properties and enroll it yourself. Manual enrollment only needs the Enroll permission; removing Autoenroll just stops Windows from also attempting automatic enrollment for this template.
First open the certificate template in certtmpl.msc, go to the Security tab and uncheck the Autoenroll permission.
Then run certmgr.msc, go to Personal > Certificates, right-click, select All Tasks and then Request New Certificate.
Click Next through the enrollment policy pages.
Select the certificate template you created in the previous steps and click Enroll.
On success, the next time you log in to this account with the key inserted, you can use the smart card logon method.
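The same manual request can be made from PowerShell, which is easier to script for a helpdesk or to repeat on several machines. The script below is an added example, not part of the original page: it uses the Get-Certificate cmdlet from the built-in PKI module, which performs the same Active Directory enrollment as the wizard (it looks the template up in the enrollment policy, generates the key pair, submits the request to the CA and installs the issued certificate). It assumes the template's common name is the hypothetical SmartcardLogonPIV, the user holds the Enroll right on it, the key is inserted and the minidriver is installed; the PIN prompt is raised by the key storage provider while it generates the key on the token.

```powershell
# Added example, not part of the original page: request the smart card logon certificate
# for the current user from PowerShell. Template CN below is hypothetical.
$TemplateCN = 'SmartcardLogonPIV'

function Request-SmartCardLogonCert {
    param([Parameter(Mandatory)][string]$Template)
    # Get-Certificate (PKI module) enrolls against the AD enrollment policy and installs the
    # issued certificate in the given store; the key is created by the template's provider.
    $result = Get-Certificate -Template $Template -CertStoreLocation Cert:\CurrentUser\My
    switch ($result.Status) {
        'Issued'  {
            $c = $result.Certificate
            Write-Host "Issued: $($c.Subject), thumbprint $($c.Thumbprint), valid until $($c.NotAfter)"
        }
        'Pending' {
            # The template requires CA certificate manager approval. After approval, finish with:
            #   Get-ChildItem Cert:\CurrentUser\REQUEST | Get-Certificate
            Write-Host 'Pending: the request is waiting for CA manager approval'
        }
        default   { throw "Enrollment failed with status '$($result.Status)'" }
    }
    return $result
}

Request-SmartCardLogonCert -Template $TemplateCN
```

The equivalent one-liner from a command prompt is certreq -enroll -user SmartcardLogonPIV (same assumed template name). Either way, the request uses only the Enroll right, so unchecking Autoenroll on the template as described above is optional for this path.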
