Dell Endpoint Security Smartcard Configuration Guide

To leverage smartcard authentication with the Dell Endpoint Security Pre-Boot Environment, we must configure Active Directory to allow for certificate enrollment and generation.

An Enrollment Agent certificate must be assigned to any users who are attempting to assign certificates to smartcards for other users.

To setup and configure templates, Enable the Certificate Template for the Enrollment Agent, and then Add a New Smartcard User Template.

To enable the certificate template for the enrollment agent:

1. Open the Certification Authority Microsoft Management Console (MMC).
   
2. Expand to Certificate Templates.
3. Right-click the right-pane and then click Manage.
   
4. Right-click Enrollment Agent and then click Duplicate Template.
   
5. Go to the General tab.
6. Select the option to Publish certificate in Active Directory.
7. Optionally, update the Template display name, and Template name.
   

To add a smartcard user template:

1. In the Certification Authority’s Certificate Template Console, right-click the Smartcard User template and then click Duplicate Template.
   
2. Under the Request Handling tab, modify the Purpose to Signature and smartcard logon.
   
3. Accept the resulting prompt.
   
4. Ensure that Allow private key to be exported is checked.
   
5. Within the Subject Name tab, options are present by default to require a defined email address to be used as an alternate validation method. Some environments may want to clear these options to avoid issues with users that may not have Active Directory defined email addresses.
   1. Clear the checkbox for Include e-mail name in subject name.
      
   2. Clear E-mail name under the Include this information in alternate subject name section.
      
6. Under the Issuance Requirements tab, select This Number of authorized signatures box.
   1. Leave This number of authorized signatures set to 1.
   2. Leave the Policy Type required in the signature as Application Policy.
   3. Modify the Application Policy to Certificate Request Agent.
      
7. Click OK to publish this template.
8. Allow both templates to be issued by right-clicking Certificate Templates in the Certification Authority MMC, and then clicking Certificate Template to Issue.
   
9. Select the two new Certificate Templates that you created.
   
10. Click OK.

This section describes the changes necessary to the Dell Security Management Server to allow smartcard functionality in the Pre-Boot Authentication environment.

An administrator must Import the Root CA and Modify Policy. Click the appropriate process for more information.

Import the Root CA

Since the smartcard certificates are signed by the internal certificate authority (CA) in this guide, we must ensure the root CA, and any intermediaries (not shown in this guide) are imported into the certificate chain.

1. Export the root Certification Authority’s certificate from the certificate Microsoft Management Console (MMC).
   1. Launch MMC.
   2. Click File.
   3. Click Add/Remove Snap-in.
   4. Select Certificates.
   5. Click Add.
   6. Select the Computer account radial.
   7. Click Finish.
   8. Click OK.
      
   9. Expand the Certificates.
   10. Expand the Trusted Root Certification Authorities.
   11. Select Certificates.
   12. Right-click the certificate issued by your domain’s CA. These are synced with Group Policy.
       
   13. Select All Tasks and then click Export.
   14. Export the certificate as DER encoded binary X.509 (.CER).
   15. Save it and then record the location as it is used shortly.
2. Import this certificate into the Trusted Certificates of the Java keystore.
   1. Open an administrative Command Prompt.
   2. Modify the path to allow keytool commands to be ran by typing Set path=%PATH%;"C:\Program Files\Dell\Java Runtime\jre1.8\bin" and then type Enter.
      Note: For Dell Security Management Server version 9.2 and earlier, type Set path=%PATH%;"C:\Program Files\Dell\Java Runtime\jre1.7\bin" and then press Enter.
   3. Go to the Security Server’s conf directory by typing %INSTALLDIR%\Enterprise Edition\Security Server\conf\ and then press Enter.
      
   4. Import the .cer file that we exported in Step 1 into the Java keystore (cacerts) by typing Keytool –import –alias RootCA –file C:\exportedroot.cer –keystore cacerts and then press Enter.
      
   5. Enter the cacerts file password.
   6. Accept the prompt to trust the certificate by typing Y.
      
   7. Restart the Security Server to complete the import.

Modify Policy

Click the Dell Data Security server version for appropriate policy configurations. For versioning information, reference How to Identify the Dell Data Security / Dell Data Protection Server Version.

v9.8.0 and Later

To modify the policy to allow smartcards for the PBA authentication mechanism:

1. Open the Dell Data Security Administration Console.
   Note: For more information, reference How to Access the Dell Data Security / Dell Data Protection Server Administration Console.
2. Log in as a user who can modify and commit policy.
3. Go to the population where you want to make the policy change. For example, select Populations and then click Enterprise.
4. Select the Security Policies tab.
   
5. Select Pre-Boot Authentication.
6. Modify the SED Authentication Method from Password to Smartcard.
   Note: Ensure that a self-encrypting drive policy is set to on to enable this for the entire enterprise.
   
   
7. Save and commit policies.
   Note: For more information, reference How to Commit Policies for Dell Data Security / Dell Data Protection Servers.

v9.2.0 to 9.7.0

To modify the policy to allow smartcards for the PBA authentication mechanism:

1. Open the Dell Data Protection Administration Console.
   Note: For more information, reference How to Access the Dell Data Security / Dell Data Protection Server Administration Console.
2. Log in as a user who can modify and commit policy.
3. Go to the population where you want to make the policy change. For example, select Populations and then click Enterprise.
4. Select the Security Policies tab.
   
5. Select Self-Encrypting Drive (SED).
6. Modify the SED Authentication Method from Password to Smartcard.
   Note: Ensure that a self-encrypting drive policy is set to on to enable this for the entire enterprise.
   
   
7. Save and commit policies.
   Note: For more information, reference How to Commit Policies for Dell Data Security / Dell Data Protection Servers.

v8.0.0 to 9.1.5

To modify the policy to allow smartcards for the PBA authentication mechanism:

1. Modify the policy to allow smartcards as the authentication mechanism for PBA.
   1. Open the Remote Management Console.
      Note: For more information, reference How to Access the Dell Data Security / Dell Data Protection Server Administration Console.
   2. Log in as a user who can modify and commit policy.
   3. Go to Enterprise.
   4. Click Security Policies at the top.
   5. Override (not available in Virtual Edition).
   6. Modify the Policy Category drop-down to Self-Encrypting Drives.
      
   7. Expand SED Administration.
   8. Modify the SED Authentication Method from Password to Smartcard.
      
      Note: Ensure that Enable SED Management and Activate PBA are set to True to enable this for the entire enterprise.
   9. Save this policy.
   10. Click Commit Policies on the left.
   11. Click Apply Changes.

Smartcards are blank by default. Each smartcard must have a certificate that is assigned to it to add a certificate for authentication. Certificates are typically assigned to smartcards through a middleware application. The examples below outline the import through a legacy Charismathics software for enterprise-class smartcards, and VersaSec for personal identity verification (PIV)-based smartcards. An administrator must Enable Single Sign-on to Windows Using Smartcards after assigning the certificate. Select the appropriate process for more information.

Charismathics

To leverage smartcards, we must have an enrollment agent who can assign certificates to the device and a middleware which translates the certificate information coming from the Microsoft Certification Authority into something the card can use.

Most smartcards do not have security tokens preset on them. An administrator must Stage a Security Token on a New Smartcard, Add a Certificate for the Enrollment Agent, and then Enroll Users and Push Certificates. Click the appropriate process for more information.

Stage a Security Token on a New Smartcard

1. Open the Cryptographic Service Provider (CSP).
2. When we insert a card without an active token, we get basic information.
   
3. Once we create a security token, we must ensure it is set for a PKCS15 profile.
   
4. After this is created, we will have many more options, and can import a certificate properly.
   

Add a Certificate for the Enrollment Agent

1. Open the Microsoft Management Console (MMC).
2. Click File.
3. Click Add/Remove snap-ins.
4. Select Certificates.
5. Click Add.
6. Select the radial for My user account.
7. Click Finish.
8. Click OK.
9. Expand Certificates - Current User.
10. Expand Personal.
11. Expand Certificates if it exists.
12. Right-click in the center pane, select All Tasks, and then Request New Certificate.
    
13. Click Next.
14. Leave Active Directory Enrollment Policy selected.
15. Click Next.
16. Select the Enrollment Agent Certificate that we created and published earlier.
    
17. Click Enroll.
18. Click Finish once it is completed.

Enroll Users and Push Certificates

Now we can Enroll users into the smartcard that we generated and push certificates to the card using the certificate MMC.

To enroll users and push certificates:

1. Open the Microsoft Management Console (MMC).
2. Click File.
3. Click Add/Remove snap-ins.
4. Select Certificates.
5. Click Add.
6. Select the radial for My user account.
7. Click Finish.
8. Click OK.
9. Expand Certificates - Current User.
10. Expand Personal.
11. Expand Certificates if it exists.
12. Right-click in the center pane, select All Tasks, Advanced Operations, and then Enroll on Behalf Of.
    
13. Click Next.
14. Leave Active Directory Enrollment Policy selected.
15. Click Next.
16. Click Browse.
17. Select the Enrollment Agent Certificate that we generated earlier and then click OK.
    
18. Click Next.
19. Select the radial for the Smartcard User Template that we generated earlier.
    
20. Select the Details dropdown and then click Properties.
    
21. Modify the Cryptographic Service Provider to the application that you are leveraging. In this case, it is Charismathics.
    
22. Click OK.
23. Click Next.
24. Click Browse and then modify the Locations to pull from your domain.
    
    
    
25. Enter the username of the user to enroll.
26. Click Check Names to validate the user.
    
27. Click OK.
28. Click Enroll.
29. Follow the prompts.
    
    
    
    
    
30. Either click Next User to enroll further users using the same method or click Close to continue.

Smartcards can now be leveraged for PBA authentication.

VersaSec

VersaSec uses previously generated certificates for new certificate enrolling. This process uses certificate templates that are created through Active Directory to enable an employee to generate log-in certificates for other employees to use during their log-in session. An administrator must complete Certificate Enrollment, Certificate Export, and then Assign a Certificate to a Smartcard. Click the appropriate process for more information.

Certificate Enrollment

To enroll a certificate:

1. Open Microsoft Management Console (MMC) as an administrator assigning certificates on a device joined to the domain where certificate templates have been configured.
   
2. Select the option to Add/Remove Snap-in.
   
3. Select Certificates then select Add.
   
4. Ensure that the option for My user account is selected.
   
5. Select OK to load the selected snap-ins.
   
6. Expand the Certificates - Current User pane, right-click the right pane, and then select All Tasks, then Request New Certificate.
   
7. Ensure that the option for Active Directory Enrollment Policy is selected and then click Next.
   
8. Select the certificate template that allows for an Enrollment Agent to be created for the current user, then select Enroll. This example uses the previously created Enrollment Agent Registration template.
   
9. Once the enrollment is completed, click Finish.
   
10. With an Enrollment Agent certificate, generate a smartcard user certificate that is based on a pregenerated template by selecting the Certificates folder in the left pane. Select All Tasks, Advanced Operations, then Enroll On Behalf Of.
    
11. Ensure that the option for Active Directory Enrollment Policy is selected and then click Next.
    
12. Select Browse when an Enrollment Agent Certificate is requested.
    
13. Ensure that the appropriate certificate is selected and then click OK.
    
14. Confirm that the appropriate user is defined and then click Next.
    
15. Select the template that has been precreated for smartcard user enrollment and then click Next. This example leverages a template that is called Smartcard User Enrollment.
    
16. Select Browse to find the appropriate user.
    
17. Modify the location to search the entire directory by clicking Location.
    
18. Select the appropriate domain or organizational unit and then click OK.
    
19. Enter the user that you want to generate a smartcard certificate for, then select Check Names to validate the user principal name (UPN).
    
20. Confirm the correct user if multiple users are found and then select OK.
    
21. Confirm the user information and then click OK.
    
22. Confirm the user information again and then click Enroll.
    
23. The enrollment completes quickly. Either select Next User to generate another user certificate, or select Close to complete the certificate generation process. More certificates can be created for additional users at any time in the future.
    

Certificate Export

Certificates first be exported in PKCS12 format to be assigned to smartcards. Certificates must include the private key and the full certificate chain.

To export a certificate:

1. Open Microsoft Management Console (MMC) as an administrator who is assigning certificates on a device that is joined to the domain where certificate templates are configured.
   
2. Select the option to Add/Remove Snap-in.
   
3. Select Certificates and then select Add.
   
4. Ensure that the option for My user account is selected.
   
5. Select OK to load the selected snap-ins.
   
6. Expand the Certificates - Current User pane, then right-click the user to export. Select All Tasks and then click Export.
   
7. Select the option Yes, export the private key, and then select Next.
   
8. Clear the option to Enable certificate privacy, select Export all extended properties, and then click Next.
   
9. Select the option for Password, assign a secure password for the certificate, and then select Next.
   
   Note: Do not modify the Encryption option.
10. Assign a filename and location, then select Next.
    
11. Confirm the details, then select Finish to complete the export.
    

Assign a Certificate to a Smartcard

Install and download the VersaSec software and any administrative middleware that may be required for the smartcards that are being provisioned.

To assign a certificate to a smartcard:

1. Launch the VersaSec agent and insert a smartcard.
2. Go to Card Actions - Certificates and Keys, then select Import.
   
3. Browse to and select the exported certificate to bind to the Smartcard. Enter the certificate password within the Password field, then select Import.
   
4. Enter the user pin when prompted for the Passcode and then select OK.
   
5. Once the certificate is finalized being written, it appears within the list.
   
6. Once all certificates for all accounts are written to the smartcard, it can be used to log in to Windows or the Dell preboot authentication environment.

Enable Single Sign-on to Windows Using Smartcards

The process to enable single sign-on to Windows using smartcards differs depending on the version of Dell Encryption Enterprise that is in use. Select the appropriate version for more information. For versioning information, reference How to Identify the Dell Encryption Enterprise or Dell Encryption Personal Version.

Dell Encryption Enterprise, v8.18 and Later

No endpoint changes are required. Once the policy has been set through the management console, all endpoint changes occur automatically.

Smartcards themselves may require a middleware. Consult with your smartcard vendor to determine if a middleware solution must be installed on each endpoint to allow for authentication into Windows.

Dell Encryption Enterprise, v8.17.2 and Earlier

The client machines will not single sign-on by default. A registry key must be added to allow this to occur.

The registry key is:

[HKLM\SOFTWARE\DigitalPersona\Policies\Default\Smartcards]
"MSSmartcardSupport"=dword:1
0 or no key = Smart Card Support Off, 1 = Smart Card Support On  

1. Open Registry Editor
2. Expand HKEY Local Machine.
3. Expand Software.
4. Expand DigitalPersona.
5. Expand Policies.
6. Expand Default.
7. Create a Key and then name it Smartcards.
   
8. Create a DWORD and then name it MSSmartcardSupport.
   
9. Set the Value data to 1.