Stéphane Thirion
RDS access to applications with second authentication factor by smartcard

  • January 7, 2021
  • Rodolphe Herpeux

Hello, I wrote this tutorial to document the settings you have to configure to implement smart card authentication in RDS.

In this environment, the RDS publishing servers are in a different Active Directory forest from the users.

In this context, here are all the steps you need to take to properly set up Active Directory and your RDS farm to allow this second authentication factor.

Note: I do not explain how to install RDS itself; I detail all the prerequisites for smart card authentication in a multi-domain environment (a multi-forest setup works too).

Environment description

ADDS

First forest AD DS: AD.LOCAL

  • One domain controller: DC01.ad.local
  • PKI
  • Domain name: AD.LOCAL
  • Content:
    • Users
    • Security groups
    • Workstation

Second forest AD DS: FOREST.LOCAL

  • One domain controller: DC10.forest.local
  • RDS infrastructure details:
    • Rdshst: Broker and Host roles
    • Rdsgw: Gateway and Web Access roles

Trust relationship AD DS

Two-way trust

Infra RDS

Windows server services

Set the smart card service to start automatically and start the service on all servers of the RDS infrastructure.

Remote Desktop Services

RD Web Access details

Web access URL: rds10.forest.local

RD Gateway details

Certificates deployment details

Properties of the collections

RemoteApp settings

  • Calculate
  • MsPaint


RD Gateway Manager settings

External URL: gateway.forest.local

Policies settings

RDG_CAP_AllUsers

RDG_AllDomainComputers

RDG_RDConnectionBrokers

Certificate templates

Template: Domain Controller

Comments (screenshots not reproduced):

  • Allow the private key to be exported
  • Minimum key size: 2048
  • EKU:
    • Client Authentication
    • Server Authentication
    • KDC Authentication*
  • DNS name in the SAN
  • The CRL distribution point must be an HTTP URI

*KDC Authentication is needed for cross-domain authentication of the RDS infrastructure.

Template: Smartcard

Comments (screenshots not reproduced):

  • Prompt the user during certificate enrollment
  • Add e-mail and UPN information
  • Application policies:
    • Smart Card Logon*
    • Client Authentication*
    • Secure Email
    • Encrypting File System
  • Key usage: Digital Signature

*Mandatory

Certificate result
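To confirm that issued certificates really match the two templates above (domain controller: Client, Server and KDC Authentication with an HTTP CRL; smart card: Smart Card Logon and Client Authentication with a UPN in the SAN), here is an added PowerShell check that is not part of the original post. It assumes Windows PowerShell 5.1 on an English-language system, because it parses the text rendering of the CDP and SAN extensions; the OIDs are the standard EKU values.

```powershell
# Added example (not from the original post). Run on the DC for the DC certificate
# and on a workstation with the card inserted for the user certificate.
$Eku = @{
    ServerAuth     = '1.3.6.1.5.5.7.3.1'
    ClientAuth     = '1.3.6.1.5.5.7.3.2'
    KdcAuth        = '1.3.6.1.5.2.3.5'
    SmartCardLogon = '1.3.6.1.4.1.311.20.2.2'
}

function Test-RequiredEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string[]]$RequiredOids)
    $present = $Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
    $missing = $RequiredOids | Where-Object { $present -notcontains $_ }
    if ($missing) { Write-Warning "$($Cert.Subject): missing EKU $($missing -join ', ')" }
    return (-not $missing)
}

function Test-HttpCrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.31 = CRL Distribution Points; Format($true) renders "URL=..." lines (English locale)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { Write-Warning "$($Cert.Subject): no CRL distribution point"; return $false }
    $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    $http = $urls | Where-Object { $_ -like 'http://*' }
    if (-not $http) { Write-Warning "$($Cert.Subject): CDP has no HTTP URI ($($urls -join ', '))" }
    return [bool]$http
}

# Domain controller certificate: newest cert in LocalMachine\My that carries KDC Authentication
$dcCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $Eku.KdcAuth } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($dcCert) {
    $ok = (Test-RequiredEku $dcCert @($Eku.ServerAuth, $Eku.ClientAuth, $Eku.KdcAuth)) -and (Test-HttpCrl $dcCert)
    "DC certificate $($dcCert.Thumbprint): $(if ($ok) { 'OK' } else { 'NOT OK' })"
} else { Write-Warning 'No certificate with the KDC Authentication EKU in LocalMachine\My' }

# Smart card certificate(s): Smart Card Logon + Client Authentication, HTTP CRL, UPN in the SAN
$scCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $Eku.SmartCardLogon }
foreach ($c in $scCerts) {
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    $hasUpn = [bool]($san -and ($san.Format($true) -match 'Principal Name='))
    if (-not $hasUpn) { Write-Warning "$($c.Subject): no UPN in the SAN" }
    $ok = (Test-RequiredEku $c @($Eku.SmartCardLogon, $Eku.ClientAuth)) -and (Test-HttpCrl $c) -and $hasUpn
    "Smart card certificate $($c.Thumbprint): $(if ($ok) { 'OK' } else { 'NOT OK' })"
}
```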

Requirements and references

Add the third-party issuing CA to the NTAuth store in Active Directory.
The smart card logon certificate must be issued by a CA that is in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store.
If the CA that issued the smart card logon certificate or the domain controller certificates is not properly published in the NTAuth store, the smart card logon process does not work. The corresponding error message is “Unable to verify the credentials”.
https://docs.microsoft.com/en-ca/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities
https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services

Commands executed in forest.local

  • certutil -dspublish -f C:\temp\CA.cer NTAuthCA
  • certutil -enterprise -addstore NTAuth C:\temp\CA.cer
  • certutil -addstore -enterprise NTAUTH "C:\Temp\dc01.ad.local.cer" (still to be verified whether it works without this certificate)
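An added PowerShell check, not from the original post, that the CA certificates published with the commands above actually ended up in the NTAuthCertificates object of the forest.local configuration partition and in the local enterprise NTAuth store. It assumes the ActiveDirectory module, Windows PowerShell 5.1 and the file paths used above.

```powershell
# Added example (not from the original post). Run on a member of forest.local with RSAT.
Import-Module ActiveDirectory

function Test-NTAuthContains {
    param([string]$CertPath)
    $expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

    # NTAuthCertificates lives in the configuration partition; cACertificate holds DER blobs
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ntauth = Get-ADObject -Identity "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC" `
                           -Properties cACertificate
    $published = foreach ($der in $ntauth.cACertificate) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    }
    $inAd = [bool]($published | Where-Object { $_.Thumbprint -eq $expected.Thumbprint })

    # Local enterprise copy (what "certutil -enterprise -addstore NTAuth" writes). certutil prints the
    # SHA1 hash with or without spaces depending on version, so strip spaces before matching.
    $local = (certutil -enterprise -store NTAuth 2>$null) -replace ' ', ''
    $inLocal = [bool]($local | Select-String -SimpleMatch $expected.Thumbprint)

    [pscustomobject]@{
        Subject       = $expected.Subject
        Thumbprint    = $expected.Thumbprint
        InNTAuthAD    = $inAd
        InNTAuthLocal = $inLocal
    }
}

foreach ($file in 'C:\temp\CA.cer', 'C:\Temp\dc01.ad.local.cer') { Test-NTAuthContains $file }
```

A certificate reported with InNTAuthAD false is the classic cause of the “Unable to verify the credentials” error mentioned above.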

Group Policy Domain

Domain forest.local

Demonstration

Test with the APP01 account for the Paint application

  • Open a session on the Windows 10 workstation with the user account APP01
  • Open the Edge browser and browse to the portal URL https://rds10.forest.local/rdweb
  • Open a session with the user account APP01
  • Open the Paint application
  • Click on "Connexion" (Connect)
  • Enter the smart card PIN code
  • Click on OK
  • The application opens. Access is valid.

Test with the Rodo account for the Calculator application

  • Open a session on the Windows 10 workstation with the user account RODO
  • Open the Edge browser and browse to the portal URL https://rds10.forest.local/rdweb
  • Open a session with the user account RODO
  • Open the Paint application
  • Click on "Connexion" (Connect)
  • Enter the smart card PIN code
  • Click on OK
  • The application opens. Access is valid.
