This guide outlines certificate creation and issuance by a trusted administrator, writing the certificates to smartcards leveraged by end users.
An administrator must:
To leverage smartcard authentication with the Dell Endpoint Security Pre-Boot Environment, we must configure Active Directory to allow for certificate enrollment and generation.
An Enrollment Agent certificate must be assigned to any users who are attempting to assign certificates to smartcards for other users.
To set up and configure templates, Enable the Certificate Template for the Enrollment Agent, and then Add a New Smartcard User Template.
Figure 1: (English Only) Open Certification Authority
Figure 2: (English Only) Click Manage
Figure 3: (English Only) Click Duplicate Template
Figure 4: (English Only) Update Template display name and Template name
Figure 5: (English Only) Click Duplicate Template
Figure 6: (English Only) Modify Purpose to Signature and smartcard logon
Figure 7: (English Only) Click Yes
Figure 8: (English Only) Ensure that Allow private key to be exported is checked
Figure 9: (English Only) Clear checkbox for Include e-mail name in subject name
Figure 10: (English Only) Clear E-mail name
Figure 11: (English Only) Update This Number of authorized signature box
Figure 12: (English Only) Click Certificate Template to Issue
Figure 13: (English Only) Select the two new Certificate Templates
This section describes the changes necessary to the Dell Security Management Server to allow smartcard functionality in the Pre-Boot Authentication environment.
An administrator must Import the Root CA and Modify Policy. Click the appropriate process for more information.
Since the smartcard certificates are signed by the internal certificate authority (CA) in this guide, we must ensure the root CA, and any intermediaries (not shown in this guide) are imported into the certificate chain.
Figure 14: (English Only) Export the root Certification Authority's certificate
Figure 15: (English Only) Right-click the certificate issued by your domain's CA
DER encoded binary X.509 (.CER)
Depending on the Java runtime bundled with the server, type either
Set path=%PATH%;"C:\Program Files\Dell\Java Runtime\jre1.8\bin"
or
Set path=%PATH%;"C:\Program Files\Dell\Java Runtime\jre1.7\bin"
and then press Enter.
%INSTALLDIR%\Enterprise Edition\Security Server\conf\
and then press Enter.
Figure 16: (English Only) Type %INSTALLDIR%\Enterprise Edition\Security Server\conf\
keytool -import -alias RootCA -file C:\exportedroot.cer -keystore cacerts
and then press Enter.
Figure 17: (English Only) Typing keytool -import -alias RootCA -file C:\exportedroot.cer -keystore cacerts
Type Y.
Figure 18: (English Only) Type Y
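The export-and-import step above, written as a PowerShell script. This is an added example, not a script shipped by Dell: it assumes the root CA certificate is already in the server's Trusted Root store, that $InstallDir is the Security Server installation root the page calls %INSTALLDIR%, that $JavaBin is whichever bundled JRE the server uses (the page shows both jre1.8 and jre1.7), and that the subject 'CN=Contoso-Root-CA' is a constructed placeholder. The keytool switches are the ones on the page plus -list for the check and -noprompt in place of typing Y.

```powershell
# Added example (not from the Dell article): export the domain root CA in DER form,
# import it into the Security Server's Java cacerts keystore, then verify the alias.
param(
    [string]$CaSubject  = 'CN=Contoso-Root-CA',                             # constructed placeholder: your root CA's subject
    [string]$InstallDir = 'C:\Program Files\Dell',                          # assumption: the page's %INSTALLDIR%
    [string]$JavaBin    = 'C:\Program Files\Dell\Java Runtime\jre1.8\bin',  # or jre1.7, as on the page
    [string]$ExportPath = 'C:\exportedroot.cer'
)

$confDir  = Join-Path $InstallDir 'Enterprise Edition\Security Server\conf'
$keystore = Join-Path $confDir 'cacerts'
$keytool  = Join-Path $JavaBin 'keytool.exe'

# 1. Locate the root CA certificate in the machine's Trusted Root store.
$root = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $CaSubject })
if ($root.Count -eq 0) { throw "Root CA '$CaSubject' not found in Cert:\LocalMachine\Root" }
if ($root.Count -gt 1) { throw "More than one certificate matches '$CaSubject'; narrow the subject" }
$root = $root[0]

# 2. Export as DER-encoded binary X.509 (.CER), the format the page selects
#    (Export-Certificate -Type CERT writes DER).
Export-Certificate -Cert $root -FilePath $ExportPath -Type CERT -Force | Out-Null
Write-Host "Exported $($root.Thumbprint) to $ExportPath"

# 3. Import into cacerts. keytool prompts for the keystore password;
#    -noprompt answers the 'Trust this certificate?' question (the Y in Figure 18).
Push-Location $confDir
try {
    & $keytool -import -alias RootCA -file $ExportPath -keystore $keystore -noprompt
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

    # 4. Check: list the alias back. A root missing from this keystore is what later
    #    surfaces as 'Path does not chain with any of the trust anchors' at PBA time.
    $listing = & $keytool -list -keystore $keystore -alias RootCA 2>&1
    if ($LASTEXITCODE -ne 0) { throw "Alias RootCA not present in ${keystore}: $listing" }
    Write-Host "Alias RootCA present in $keystore"
}
finally { Pop-Location }
```

Run it in an elevated PowerShell on the Security Server. Any intermediate CA (not shown in this guide) needs the same import under its own alias, and the Security Server service must be restarted afterwards for the new trust anchor to be used; the page does not name that service, so it is not scripted here.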
Click the Dell Data Security server version for appropriate policy configurations. For versioning information, reference How to Identify the Dell Data Security / Dell Data Protection Server Version.
Figure 19: (English Only) Click Security Policies tab
Figure 20: (English Only) Modify the SED Authentication Method from Password to Smartcard
Figure 21: (English Only) Click the Security Policies tab
Figure 22: (English Only) Modify the SED Authentication Method from Password to Smartcard
Figure 23: (English Only) Modify the Policy Category drop-down to Self-Encrypting Drives
Figure 24: (English Only) Modify the SED Authentication Method from Password to Smartcard
Smartcards are blank by default. Each smartcard must have a certificate assigned to it before it can be used for authentication. Certificates are typically assigned to smartcards through a middleware application. The examples below outline the import through legacy Charismathics software for enterprise-class smartcards, and through VersaSec for personal identity verification (PIV)-based smartcards. An administrator must Enable Single Sign-on to Windows Using Smartcards after assigning the certificate. Select the appropriate process for more information.
To leverage smartcards, we must have an enrollment agent who can assign certificates to the device and a middleware which translates the certificate information coming from the Microsoft Certification Authority into something the card can use.
Most smartcards do not have security tokens preset on them. An administrator must Stage a Security Token on a New Smartcard, Add a Certificate for the Enrollment Agent, and then Enroll Users and Push Certificates. Click the appropriate process for more information.
Figure 25: (English Only) Basic information of the active token
Figure 26: (English Only) Ensure that PKCS15 is set
Figure 27: (English Only) Security Token Staged on a New Smartcard
Figure 28: (English Only) Click Request New Certificate
Figure 29: (English Only) Select the Enrollment Agent Certificate
Now we can enroll users on the smartcard that we staged and push certificates to the card using the Certificates MMC.
Figure 30: (English Only) Click Enroll on Behalf Of
Figure 31: (English Only) Select the Enrollment Agent Certificate
Figure 32: (English Only) Select the radio button for the Smartcard User Template
Figure 33: (English Only) Click Properties
Figure 34: (English Only) Modify the Cryptographic Service Provider
Figure 35: (English Only) Click locations
Figure 36: (English Only) Locations on your domain
Figure 37: (English Only) Click Check Names
Figure 38: (English Only) Insert Smart card prompt
Figure 39: (English Only) Charismathics Smart Security Interface CSP prompt
Figure 40: (English Only) Certificate installation Results prompt
Smartcards can now be leveraged for PBA authentication.
VersaSec uses previously generated certificates for enrolling new certificates onto smartcards. This process uses certificate templates that are created through Active Directory to enable an employee to generate log-in certificates for other employees to use during their log-in session. An administrator must complete Certificate Enrollment, Certificate Export, and then Assign a Certificate to a Smartcard. Click the appropriate process for more information.
Figure 41: (English Only) Open Microsoft Management Console
Figure 42: (English Only) Click Add/Remove Snap-in
Figure 43: (English Only) Click Add
Figure 44: (English Only) Ensure that the option for My user account is selected
Figure 45: (English Only) Click OK
Figure 46: (English Only) Click Request New Certificate
Figure 47: (English Only) Click Next
Figure 48: (English Only) Click Enroll
Figure 49: (English Only) Click Finish
Figure 50: (English Only) Click Enroll on Behalf of
Figure 51: (English Only) Click Next
Figure 52: (English Only) Click Browse
Figure 53: (English Only) Click OK
Figure 54: (English Only) Click Next
Figure 55: (English Only) Click Next
Figure 56: (English Only) Click Browse
Figure 57: (English Only) Click Location
Figure 58: (English Only) Click OK
Figure 59: (English Only) Click Check Names
Figure 60: (English Only) Click OK
Figure 61: (English Only) Click OK
Figure 62: (English Only) Click Enroll
Figure 63: (English Only) Click Next User
Certificates must first be exported in PKCS12 format before they can be assigned to smartcards. The export must include the private key and the full certificate chain.
Figure 64: (English Only) Open Microsoft Management Console
Figure 65: (English Only) Click Add/Remove Snap-in
Figure 66: (English Only) Click Add
Figure 66: (English Only) Ensure that the option for My user account is selected
Figure 67: (English Only) Click OK
Figure 68: (English Only) Click Export
Figure 69: (English Only) Click Next
Figure 70: (English Only) Click Next
Figure 71: (English Only) Click Next
Figure 72: (English Only) Click Next
Figure 73: (English Only) Click Finish
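The PKCS12 export described above, as an added PowerShell example (not Dell's or VersaSec's own tooling). It assumes the certificate enrolled on behalf of the user sits in the enrollment agent's own personal store (the 'My user account' store the page opens), that the user's name appears in the certificate subject, and that the Smart Card Logon EKU OID 1.3.6.1.4.1.311.20.2.2 identifies the right certificate; the user name and output path are constructed placeholders.

```powershell
# Added example (not from the Dell article): export a Smartcard User certificate as PKCS#12
# with its private key and full chain, then verify the file before it goes to the middleware.
param(
    [string]$UserName = 'CN=Jane Doe',                 # constructed placeholder: subject of the enrolled user
    [string]$OutFile  = 'C:\temp\jane-doe-smartcard.pfx'
)
$smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'          # Smart Card Logon EKU

# Select the newest certificate for the user that carries a private key and the Smart Card Logon EKU.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.Subject -like "*$UserName*" -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $smartCardLogonOid })
    } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No Smart Card Logon certificate for '$UserName' with a private key in Cert:\CurrentUser\My" }

$pfxPassword = Read-Host -AsSecureString 'Password to protect the PFX'
try {
    # -ChainOption BuildChain embeds the issuing and root CA certificates,
    # which is the 'full certificate chain' requirement in the text.
    Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $pfxPassword -ChainOption BuildChain | Out-Null
}
catch {
    # Most common cause: the template's 'Allow private key to be exported' (Figure 8)
    # was not set when the key was generated, so the key cannot leave the CSP.
    throw "PFX export failed for $($cert.Thumbprint): $($_.Exception.Message)"
}

# Verify the file really contains the key and the chain before handing it over.
$plain = (New-Object System.Net.NetworkCredential('', $pfxPassword)).Password
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($OutFile, $plain, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

$leaf = $bundle | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $leaf -or -not $leaf.HasPrivateKey) { throw "$OutFile does not carry the private key" }
if ($bundle.Count -lt 2) { throw "$OutFile contains only the end-entity certificate; CA chain missing" }
Write-Host ("{0}: {1} certificates, private key present" -f $OutFile, $bundle.Count)
```

Treat the resulting .pfx as a credential: it holds the user's logon key, so keep it on encrypted storage and delete it once the middleware has written the certificate to the card.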
Download and install the VersaSec software and any administrative middleware that may be required for the smartcards that are being provisioned.
Figure 74: (English Only) Click Import In VersaSec agent
Figure 75: (English Only) Click Import
Figure 76: (English Only) Click OK
Figure 77: (English Only) Certificate appears in list
The process to enable single sign-on to Windows using smartcards differs depending on the version of Dell Encryption Enterprise that is in use. Select the appropriate version for more information. For versioning information, reference How to Identify the Dell Encryption Enterprise or Dell Encryption Personal Version.
No endpoint changes are required. Once the policy has been set through the management console, all endpoint changes occur automatically.
Smartcards themselves may require a middleware. Consult with your smartcard vendor to determine if a middleware solution must be installed on each endpoint to allow for authentication into Windows.
Client machines do not single sign-on by default. A registry key must be added to allow this to occur.
The registry key is:
[HKLM\SOFTWARE\DigitalPersona\Policies\Default\Smartcards]
"MSSmartcardSupport"=dword:1
0 or no key = Smart Card Support Off, 1 = Smart Card Support On
Under HKLM\SOFTWARE\DigitalPersona\Policies\Default, create a key named Smartcards.
Figure 78: (English Only) Open Registry Editor
Create a DWORD named MSSmartcardSupport.
Figure 79: (English Only) Create a DWORD and then name it MSSmartcardSupport
Figure 80: (English Only) Set the Value data to 1
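The registry change above as an added PowerShell example (not a Dell-supplied script), using only the key, value name and value meanings the page gives. It must run elevated, since the key lives under HKLM.

```powershell
# Added example (not from the Dell article): enable smartcard single sign-on on a client
# by creating the registry value the page describes, and read the state back.
$keyPath   = 'HKLM:\SOFTWARE\DigitalPersona\Policies\Default\Smartcards'
$valueName = 'MSSmartcardSupport'

function Get-SmartcardSsoState {
    # Interprets the value exactly as the page does: 0 or no key = off, 1 = on.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Off (key or value absent)' }
    switch ($item.$valueName) {
        1       { return 'On' }
        0       { return 'Off' }
        default { return "Unexpected value $($item.$valueName)" }
    }
}

function Enable-SmartcardSso {
    # New-Item creates the Smartcards key (and any missing parents) under ...\Policies\Default.
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    # -PropertyType DWord is the DWORD of Figure 79; -Force overwrites an existing 0.
    New-ItemProperty -Path $keyPath -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null
}

"Before: $(Get-SmartcardSsoState)"
Enable-SmartcardSso
"After:  $(Get-SmartcardSsoState)"
```

Get-SmartcardSsoState is also a convenient compliance check to run across endpoints, since the page's semantics make an absent key indistinguishable from an explicit 0.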
To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.
https://technet.microsoft.com/library/cc772393%28v=ws.10%29.aspx
Required Role Services:
Certificates are not being accepted in the PBA.
PBA logs show:
[2015.04.07 17:53:18] [3C9ADA3BD9] [3061987072] [898] [E:](CCredPasswordDlg::SmartcardAuthentication()) No smartcard certificate!
Resolution:
Assign a Certificate through the Certificates MMC instead of through the CSP.
Caused by:
java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
2015-05-04 21:06:00,169 ERROR SED [qtp914277914-24] - PBA auth error. Code=InvalidCertificate com.credant.sed.pba.resources.AuthException
2015-05-04 21:06:00,138 INFO SED [qtp914277914-24] - Smartcard auth from agent abbc4a5d-6e6d-4fac-9181-2a1dee1599ee
2015-05-04 21:06:00,169 ERROR SED [qtp914277914-24] - Invalid smartcard cert com.credant.security.x509.InvalidCertificateException: Invalid cert path
at com.credant.security.x509.CertificateVerifier.validate(CertificateVerifier.java:141)
Resolution:
Import the Certification Authority’s root or intermediary certificate into the Java keystore for Security Server and restart the Security Server service.
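A way to reproduce the server's path validation on a Windows machine before a card is tried at the PBA, as an added PowerShell example (not part of the Dell article). It uses .NET's X509Chain to build the chain for the user's certificate, prints the anchor the chain ends at, and checks for the Smart Card Logon EKU; the input file path is a constructed placeholder, and the comparison against keytool's fingerprint output is a manual step.

```powershell
# Added example (not from the Dell article): explain a 'Path does not chain with any of the
# trust anchors' failure by building the user certificate's chain locally and showing the anchor.
param([string]$CerFile = 'C:\temp\user-smartcard.cer')   # constructed placeholder: user's certificate, no key

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert  = New-Object "$x509.X509Certificate2" ($CerFile)
$chain = New-Object "$x509.X509Chain"
# The PBA has no network path to a CRL or OCSP responder, so revocation is not what we are testing here.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)

Write-Host "Chain for $($cert.Subject) ($($cert.Thumbprint)):"
foreach ($element in $chain.ChainElements) {
    Write-Host ("  {0}  {1}" -f $element.Certificate.Thumbprint, $element.Certificate.Subject)
}
if (-not $built) {
    foreach ($status in $chain.ChainStatus) {
        Write-Host ("  ! {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
}

# Every CA in this list, from the issuer up to the anchor, must be present in the Security
# Server's cacerts; the anchor's SHA-1 thumbprint should match the SHA1 fingerprint that
# 'keytool -list -v -keystore cacerts -alias RootCA' prints for the imported root.
$anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host "Trust anchor on this machine: $($anchor.Subject)  SHA-1 $($anchor.Thumbprint)"

# A certificate without the Smart Card Logon EKU is not usable for PBA smartcard logon at all,
# regardless of how the chain validates.
$hasSmartCardLogon = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.20.2.2' }
if (-not $hasSmartCardLogon) { Write-Warning "Certificate lacks the Smart Card Logon EKU" }
```

If the chain builds locally but the PBA still logs InvalidCertificate, the difference is the trust store: the client chained to Windows' Trusted Root store, while the Security Server chains only to what is in its Java cacerts, which is why the resolution is to import the root or intermediate there and restart the service.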