Windows OS login with PIV key

1 Overview

This document is mainly about how to configure Certificate Authority at Windows Server before smart card login certificates can be requested and loaded to FIDO keys. There are five main parts:

Create a smart card login template
Publish the template in the Certification Authority
Edit Group Policy about user enrollment
Auto-enroll certificate at user 's machines
Manually enroll for current user

2 Prerequisites

A Windows Server with domain controller and certificate authority configured. In this document, Windows Server 2016 with AD CA is used.
Guest machines (could be the Windows Server itself) and available Windows accounts which have already joint in the CA 's domain. In this document a Windows 10 enterprise is used.
The FIDO product supports PIV function.
The Minidriver of EsMiniTokenSetup.exe is installed in relevant machines.

3 Set up the Certificate Templates for Enrol on behalf

3.1 Create a Smartcard Enrolment Template for Agents

Press Win+R, type "certtmpl.msc" and press Enter.

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddav5435424ec38a74961b32555b48b94952.png

Click Certificate Templates, right-click Enrollment Agent, and select Duplicate Template.

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddave17000ef522de6567d1d9305e9aa4a35.png

Select the General and Compatibility tab, and make the following changes:

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddav6c6ce2d3de8558ff0ff0933cf3e36ccf.png
The Certification Authority should be your CA server 's OS version and the Certificate recipient should be your oldest OS version that the domain includes.

Select the Request Handling and Cryptography tab, and make the following changes as needed.

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddavd79923645a29575dbccc982b0c10b0fd.png

Under the Cryptography tab, change the minimum key size to 2048, select "Requests must use one of the following providers", and check the Microsoft Base Cryptographic Provider v1.0.

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddav2329a8e766e02bde08ec1e23ad54346e.png

Under the Security tab, be sure the Read and Enroll ability is set for the user or group of users who will be setting up the smart cards for logon.
Click Apply, and then click OK to close the template properties window. Close the Certificate Templates window.

3.2 Adding the Template to the Certification Authority

Right-click the Windows Start button and select Run.
Type "certsrv.msc" and press Enter.
Click Certification Authority, double-click your server, right-click Certificate Templates, select New and then select Certificate Template to Issue.

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddav3a0d0abb99746e79aa046cfda8e7f663.png

Locate and select the recently created self-enrollment template, and then click OK

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddav9f513eec705f914252cdd51508b4dbea.png

3.3 Issue Enrolment Certificate template to Agent

Login the issuer account, run certmgr.msc. Right click the Certificate – Current User / Personal / Certificate, and select All Tasks / Request New Certificate…

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddavdc2b019fb2cd4ff53dfc7e330194f728.png

Click 'next'

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddava3875a69946572087edd346bfaace37e.png

Make sure your AD Enrollment Policy, click 'next'

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddav2a3a009a1b1cd593735b6a4b2fd35ca9.png

Select the certificate, ie 'PIV Smartcard Enrolment Template for Agents', and click 'Enroll'

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddav4b00673cb71407dfaac10c8f38915d12.png

Succeed.

3.4 Create a certificate Logon Template for target users by Agents

In order to be able to issue a smart card certificate on behalf of another user, the Smart Card User or Logon template needs to be adjusted to require the Enrolment Agent certificate for enrolment.
Duplicate and configure a Smart Card User or Logon template.

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddav1482d229554ec0ba1f24b650b8594196.png

Make the following changes to following changes

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddava8af89e13416cf0cffbcf8df3844ed7a.png

In Security Tab, make sure the "Read and Enroll" ability is set for the group or users who act as the Enrollment Agents to set up the other users with this certificate.
Issue the cert template.

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddav34f2e846e853dbef1e637a28a61e3fce.png

Enroll a Smart Card Certificate on behalf of others

1. Log in as the user that will do enrollment for others, then run certmgr.msc. Right click the Certificate – Current User / Personal / Certificate, and select "Enroll on behalf of" from All Tasks / Advanced Operations.

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddav53ed94ab1f5e3e07f5697fd756d2a911.png

1. Click through the "Before You Begin" screen, and on the "Certificate Enrollment" screen, click the "Browse…" button and select the enrollment agent certificate you have been issued in Step 3.1 .

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddav5eecd123a0fe97a1ef1170d4329d41c7.png
Click 'OK'.

1. Note: If no Enrollment Agent certificate is available you will need to request one be issued to you.

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddavaf902858856e0e556413c5969b4ca489.png

1. On the next page select the smart card enrollment certificate template, ie. PIV Smartcard Logon Template for Agents.

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddav9ac4927fc11240405e020d8f51eb2b79.png

1. Click Next and enter the target domain user you are going to enroll the certificate on the behalf of.

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddav1cb849b535b105cf83d3d5d0d543eb53.png

1. Click Next, and it asks you to insert the user's smart card if it is not already inserted. Enter the PIN.
2. If the enrollment is successful, the dialog will show the following:

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddav3d36a3bf269538531cbc54e82203cd81.png

1. After the enrollment is success, the smart card is ready for target user, and Agent can click 'Next user' to enroll for others or close windows.
2. You can see the issued smartcard is listed in Agent's personal store.

SafeKey > Enroll PIV Smartcards by Agents on behalf of Users > worddavfe4c430010e3cf595f33246cdb9e63eb.png

1. Now, the smart card sign-in is ready for end user, and user is able to login domain with the issued smartcard.