Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide
Applies To: Windows 7, Windows Server 2008 R2
This guide demonstrates how to enable authentication mechanism assurance in Active Directory® Domain Services (AD DS) in the Windows Server® 2008 R2 operating system. Authentication mechanism assurance is an added capability in Windows Server 2008 R2 AD DS that you can use when the domain functional level is set to Windows Server 2008 R2. When it is enabled, authentication mechanism assurance adds membership in an administrator-designated universal security group to a user's Kerberos token when the user's credentials are authenticated during logon using a certificate-based logon method. This makes it possible for network resource administrators to control access to resources, such as files, folders, and printers, based on whether the user logs on using a certificate-based logon method, in addition to the type of certificate used. For example, when a user logs on using a smart card, the user's access to resources on the network can be specified as different from what the access is when the user does not use a smart card (that is, when the user logs on by entering a user name and password).
The major sections in this document are:
Technology review
Requirements for authentication mechanism assurance
Step 1: Create Certificates
Step 2: Link Certificate Policies to Groups
Step 3: Download and Test Certificates
Step 4: Configure the Federation Servers
Step 5: Access the Sample Application from the Client Computer
Technology review
When a certificate-based logon method (for example, smart-card logon) is used and authentication mechanism assurance is enabled, an additional group membership is added to the user's access token during logon. An administrator links the group to a specific certificate issuance policy, which is included in the certificate template. Because different certificate issuance policies can be linked to different groups, the presence of a linked group in the token tells a resource administrator that a certificate was used during the logon operation, and which type of certificate it was. Resource administrators can therefore secure resources by using ordinary group memberships on access control lists: because membership in the linked groups is granted only on the basis of the certificate type used during logon, access can be controlled according to whether a user logged on with a certificate and according to the type of certificate that was used.
For example, assume that a user named Todd has a smart card with a certificate that was distributed from a certificate template that includes the Medium Assurance certificate issuance policy. An administrator has linked the Medium Assurance certificate issuance policy to a group named Medium Access Level. A file share is configured so that the Medium Access Level group has Read access and another group named High Access Level group has Modify access. No other access permissions are configured on the file share. When Todd logs on using his smart card, his access token includes an additional group membership (in this case, to the Medium Access Level group). Todd is then granted Read access to the file share. If Todd does not log on using the smart card, he cannot access the file share. If a user named Cassie has a smart card with a certificate that was issued from a certificate template with a certificate issuance policy that is linked to the group named High Access Level, Cassie has Modify permissions to the file share when she logs on with her smart card.
You can also use the additional group membership in the user's access token as an Active Directory Federation Services (AD FS) interforest claim, which you can then use to grant varying levels of access between forests. You can combine this claim with other claims to further restrict access to federated resources.
Requirements for authentication mechanism assurance
To complete all the steps in this guide, you must first complete all the steps in the AD FS in Windows Server 2008 R2 Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=133009). However, it should be possible to complete the first three steps in this guide using a different, but compatible, configuration that meets the following minimum requirements:
At least one Active Directory domain controller running Windows Server 2008 R2, with the domain functional level set to Windows Server 2008 R2
A client computer or server running Windows Vista®, Windows® 7, Windows Server 2008, or Windows Server 2008 R2 that is a member of the domain
A smart card reader, which must be attached to the client computer. If you have access to software that provides virtual smart cards and virtual smart card readers, you can use that software with a virtual ADFSCLIENT computer. If you do not have this software, you may have to create a physical computer named ADFSCLIENT. You join this computer to the domain using the same IP address and configuration as the virtual machine (VM) that is described in the AD FS in Windows Server 2008 R2 Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=133009). You can then install a smart card reader. You must also have at least two different smart cards to which the different levels of access correspond. A single smart card that allows for multiple certificates or even rewrites can be used in place of multiple, individual smart cards.
Note
The instructions for installing the forest root domain controller, setting up the domain member client computer, and configuring the AD FS trusts and claims are not provided in this guide. They are provided in the AD FS in Windows Server 2008 R2 Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=133009). However, the installation of the certificate server, as well as the configuration and distribution of certificates to smart cards, is explained in the first step of this guide.
Step 1: Create Certificates
Before you can implement authentication mechanism assurance, you must first deploy a certificate-based logon method. In this step, you deploy a certification authority (CA) and you configure the appropriate logon certificates. This step contains procedures for ensuring that the domain functional level is Windows Server 2008 R2, preparing the CA, and preparing the certificates. This step includes the following procedures:
Ensuring that the domain functional level is Windows Server 2008 R2
Preparing the CA
Preparing the certificates
To start these procedures, you must have an Active Directory Domain Services (AD DS) structure in place. Because there are many different ways an AD DS structure can be configured, this guide uses the configuration that is described in the AD FS in Windows Server 2008 R2 Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=133009). That guide explains how to configure two forests, adatum.com and treyresearch.net, and how to set up trust relationships between them. When you complete the steps in that guide, the two forests are configured with a trust relationship that grants access from the adatum.com forest to the treyresearch.net forest. This guide assumes that the configuration in the AD FS in Windows Server 2008 R2 Step-by-Step Guide is in place. However, you can complete the first three steps of this guide using a single Windows Server 2008 R2 domain controller and a Windows 7 client or a Windows Vista client computer, without completing the configuration in the AD FS in Windows Server 2008 R2 Step-by-Step Guide. If you are completing the steps in this guide using a configuration that is not specified in the AD FS in Windows Server 2008 R2 Step-by-Step Guide, you must make the appropriate adjustments to the forest, domain, and computer names and you must account for any configuration differences.
Security Note
In a production environment, use the least privileged user account that is necessary to perform the required tasks. Because this guide is written for use in a test environment, in many procedures you are instructed to use the local and domain Administrator accounts to reduce the number of required steps. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
Administrative credentials
To perform all of the tasks in this step, log on with the Administrator account for the domain.
Ensuring that the domain functional level is Windows Server 2008 R2
Note
If you want to use the authentication mechanism assurance feature, the domain functional level must be Windows Server 2008 R2.
To ensure that the domain functional level is Windows Server 2008 R2
Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
In the contents pane, expand Active Directory Domain Services and Active Directory Users and Computers, if necessary.
Right-click the object that represents the domain (adatum.com), and then click Raise domain functional level.
In the Raise domain functional level dialog box, you should see that the Current domain functional level is Windows Server 2008 R2. If it is not, raise the domain functional level: select Windows Server 2008 R2, and then click Raise.
When you confirm that the functional level is Windows Server 2008 R2, click Close.
Preparing the CA
The procedure in this section installs Active Directory Certificate Services (AD CS) and configures the CA on the domain controller ADFSAccount. For more information about AD CS, see the Foundation Network Companion Guide: Deploying Server Certificates (https://go.microsoft.com/fwlink/?LinkId=132129).
Note
In a production environment, we recommend that a CA not be installed on a domain controller.
To install AD CS and configure the CA
In the contents pane of Server Manager, expand Roles.
Right-click Roles, and then click Add Roles.
If the Before You Begin page appears, click Next.
On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next. On the Introduction to Active Directory Certificate Services page, click Next.
On the Select Role Services page, ensure that the Certification Authority check box is selected, and then click Next.
On the Specify Setup Type page, ensure that Enterprise is selected, and then click Next.
On the Specify CA Type page, ensure that the Root CA check box is selected, and then click Next.
On the Set Up Private Key page, ensure that Create a new private key is selected, and then click Next.
On the Configure Cryptography for the CA page, leave all the default settings in place (unless you know that changes are required for the specific type of smart-card media and reader that you will be using), and then click Next.
On the Configure CA Name page, review the names that will be assigned, and then click Next.
On the Set Validity Period page, leave the default setting in place, and then click Next.
On the Configure Certificate Database page, leave the default locations in place (unless you prefer to store the database and log file in different locations), and then click Next.
On the Confirm Installation Selections page, review the information that is presented. You should see a warning indicating that the name and domain settings of the computer cannot be changed after the CA has been installed. Click Install.
On the Installation Results page, confirm that the installation was successful, and then click Close.
Preparing the certificates
The procedures in this section configure two certificates for distribution to smart-card users. These certificates use two different certificate policies. They will eventually be linked to groups that can be used on resource access control lists (ACLs) or mapped to Active Directory Federation Services (AD FS) claims. Because certificates are created and issued based on certificate templates, you use the following procedure to create and configure the certificate templates.
To create the certificate templates
Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
In the contents pane, expand Active Directory Certificate Services, and then click Certificate Templates.
In the details pane, right-click Smartcard Logon, and then click Duplicate Template.
In the Duplicate Template dialog box, click Windows Server 2008 Enterprise, and then click OK.
In the Properties of New Template dialog box, on the General tab, in Template display name, type a name for the new certificate template, such as Authentication Mechanism Assurance Medium Level Access (the name used in the rest of this guide).
Click the Security tab. Ensure that the Authenticated Users group is selected, and then select the Allow check box that corresponds to the Enroll permission for Authenticated Users.
Note
If you plan to distribute certificates automatically using Active Directory Domain Services (AD DS), select the Allow check box that corresponds to the Autoenroll permission. This guide does not describe that method of distributing certificates.
Verify that the Allow check box is also selected for the Read permission for Authenticated Users.
Click the Extensions tab. Under Extensions included in this template, click Issuance Policies, and then click Edit.
In the Edit Issuance Policies Extension dialog box, click Add.
Under Issuance policies, click Medium Assurance, and then click OK.
Note
Although the default issuance policies of Medium Assurance and High Assurance are used in this guide, you can also create a new issuance policy by clicking New in the Add Issuance Policy dialog box and then adding values for Name and CPS location in the New Issuance Policy dialog box. For more information about creating issuance policies, see Walkthroughs (Implementing and Administering Certificate Templates in Windows Server 2003) (https://go.microsoft.com/fwlink/?LinkId=132135).
Ensure that Medium Assurance is listed in the Edit Issuance Policies Extension dialog box, and then click OK.
Click the Cryptography tab. Ensure that the settings here are appropriate for your equipment, according to the information provided by the vendor of the smart-card reader and smart cards. Otherwise, leave the default settings in place, and then click OK.
Right-click the Smartcard Logon template, and then click Duplicate Template.
In the Duplicate Template dialog box, click Windows Server 2008 Enterprise, and then click OK.
In the Properties of New Template dialog box, on the General tab, in Template display name, type a name for the new certificate template, such as Authentication Mechanism Assurance High Level Access.
Click the Security tab. Ensure that the Authenticated Users group is selected, and then select the Allow check box that corresponds to the Enroll permission for Authenticated Users.
Verify that the Allow check box is also selected for the Read permission for Authenticated Users.
Click the Extensions tab. Under Extensions included in this template, click Issuance Policies, and then click Edit.
In the Edit Issuance Policies Extension dialog box, click Add.
Under Issuance policies, click High Assurance, and then click OK.
Ensure that High Assurance is listed in the Edit Issuance Policies Extension dialog box, and then click OK.
Click the Cryptography tab. Ensure that the settings here are appropriate for your equipment, according to the information provided by the vendor of the smart-card reader and the smart cards. Otherwise, leave the default settings in place, and then click OK.
To enable the new certificate templates
In the contents pane of Server Manager, expand the object that represents your certificate server (adatum-ADFSACCOUNT-CA). Under that object, select Certificate Templates.
In the details pane, under the server object, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
Press and hold the CTRL key. In the Enable Certificate Templates dialog box, click the Authentication Mechanism Assurance High Level Access template, and then click the Authentication Mechanism Assurance Medium Level Access template. Release the CTRL key, and then click OK.
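The following Windows PowerShell check is an added example and not part of this guide. It verifies, from the domain controller, that each template carries the issuance policy you selected on the Extensions tab and shows which group (if any) that policy is already linked to. It reads the template's msPKI-Certificate-Policy attribute and the msPKI-Enterprise-Oid objects under CN=OID in the Configuration partition; the function name Get-TemplateIssuancePolicyLink and the template display names from this step are the only assumptions. Run it in the Active Directory Module for Windows PowerShell.

```powershell
# Added example (not from this guide): resolve a certificate template's issuance
# policies to their OID objects and to the groups those policies are linked to.
Import-Module ActiveDirectory

function Get-TemplateIssuancePolicyLink {
    # Returns one record per issuance policy carried by the named template:
    # the policy's OID object, the group it is linked to (if any), and any
    # problem with that group.
    param([Parameter(Mandatory=$true)][string]$TemplateDisplayName)

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    # Templates are pKICertificateTemplate objects; the issuance policies a
    # template stamps into the certificate are the OID strings in the
    # msPKI-Certificate-Policy attribute.
    $template = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateDisplayName))" `
        -Properties displayName, 'msPKI-Certificate-Policy'
    if (-not $template) { throw "Certificate template '$TemplateDisplayName' was not found" }

    foreach ($policyOid in @($template.'msPKI-Certificate-Policy')) {
        # Every issuance policy has an msPKI-Enterprise-Oid object under CN=OID.
        # flags=2 marks issuance policies (template OIDs use flags=1); the OID
        # string itself is stored in msPKI-Cert-Template-OID.
        $oidObj = Get-ADObject -SearchBase "CN=OID,$pkiBase" `
            -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(flags=2)(msPKI-Cert-Template-OID=$policyOid))" `
            -Properties displayName, 'msDS-OIDToGroupLink'

        $policyName  = '(no OID object found)'
        $linkedGroup = '(not linked)'
        $problems    = @()
        if ($oidObj) {
            $policyName = $oidObj.displayName
            if ($oidObj.'msDS-OIDToGroupLink') {
                $group = Get-ADGroup -Identity $oidObj.'msDS-OIDToGroupLink'
                $linkedGroup = $group.Name
                # The guide's scripts reject anything but an empty universal
                # security group; report the same three conditions here.
                if ($group.GroupCategory -ne 'Security') { $problems += 'not a security group' }
                if ($group.GroupScope -ne 'Universal')   { $problems += 'scope is not Universal' }
                if (Get-ADGroupMember -Identity $group)  { $problems += 'group has static members' }
            }
        }

        # New-Object/Select-Object keeps this runnable on the PowerShell 2.0
        # that ships with Windows Server 2008 R2.
        New-Object PSObject -Property @{
            Template       = $template.displayName
            IssuancePolicy = $policyName
            OID            = $policyOid
            LinkedGroup    = $linkedGroup
            Problems       = ($problems -join '; ')
        } | Select-Object Template, IssuancePolicy, OID, LinkedGroup, Problems
    }
}

# Usage: the two templates created in Step 1 of this guide.
'Authentication Mechanism Assurance Medium Level Access',
'Authentication Mechanism Assurance High Level Access' |
    ForEach-Object { Get-TemplateIssuancePolicyLink -TemplateDisplayName $_ } |
    Format-Table -AutoSize
```

Before Step 2 is completed, LinkedGroup shows (not linked) for both policies. After the links are set, a non-empty Problems column means the group does not meet the conditions the guide's scripts check, and it should be corrected before any smart-card certificates are issued from the template.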
Step 2: Link Certificate Policies to Groups
In this step you use two Windows PowerShell scripts, built on the Active Directory module cmdlets, to map the certificate issuance policies to the group memberships that resources will use to grant access.
Administrative credentials
To perform all of the tasks in this step, log on with the Administrator account for the domain. The procedures in this step include:
Creating test user accounts
Preparing the scripts
Linking certificate policies to groups
Creating test user accounts
In this section you create two user accounts and use them to test the differences in user access tokens, depending on whether they use smart cards to log on.
To create test user accounts
In the details pane of Server Manager, under Active Directory Domain Services, under Active Directory Users and Computers, ensure that the object that represents the domain (adatum.com) is expanded.
In the contents pane, select the Users container.
Right-click the Users container, click New, and then click User.
In the New Object – User dialog box, type Cassie as the first name, type Hicks as the last name, type CassieHi as the user logon name, and then click Next.
In Password and Confirm password, type a new password for the user account. If you do not have a password in mind, use P@ssw0rd. Clear the User must change password at next logon check box, and then click Next.
Review the account creation details, and then click Finish.
Create a user account with the first name Todd, last name Meadows, and user logon name of ToddMead, and then click Next.
Set and confirm the password for ToddMead, clear the User must change password at next logon check box, and then click Next.
Review the account creation details, and then click Finish.
Preparing the scripts
In this section you create two Windows PowerShell scripts that use the Active Directory module. You will use these scripts later to display and link the certificate issuance policies to their respective groups. You will copy the first script to a file named get-IssuancePolicy.ps1. This script displays the issuance policies that are defined in the forest (the msPKI-Enterprise-Oid objects in the Configuration partition) and, for each policy that is linked to a group, checks that the group is an empty universal security group. You will copy the second script to a file named set-IssuancePolicyToGroupLink.ps1. This script creates a group and, optionally, an organizational unit (OU), and it sets the link (the msDS-OIDToGroupLink attribute of the issuance policy object) from the certificate issuance policies that you added to the templates earlier to the groups that will represent the authentication mechanism and certificate type or purpose. Both scripts import the Active Directory module, so run them from a Windows PowerShell session on the domain controller with an execution policy that allows local script files; the default policy on Windows Server 2008 R2 is Restricted, which blocks .ps1 files.
To create the script files
Open a Command Prompt window on the domain controller (ADFSAccount). To open a Command Prompt, click Start. In Start Search, type cmd, and then double-click cmd.exe in the Programs list.
At the command prompt, type cd %userprofile%, and then press ENTER. This changes to your user profile directory, which is where you will save the scripts and run them from.
Type notepad get-IssuancePolicy.ps1, and then press ENTER. In the Notepad dialog box, confirm that you want to create the file by clicking Yes.
Copy the following text, and then paste it into the Notepad file that you just created.
#######################################
##  Parameters to be defined         ##
##  by the user                      ##
#######################################
Param (
$Identity,
$LinkedToGroup
)
#######################################
##  Strings definitions              ##
#######################################
Data getIP_strings {
# culture="en-US"
ConvertFrom-StringData -stringdata @'
help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted.
help2 = Usage:
help3 = The following parameter is mandatory:
help4 = -LinkedToGroup:<yes|no|all>
help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups.
help6 = "no" will return only Issuance Policies that are not currently linked to any group.
help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups.
help8 = The following parameter is optional:
help9 = -Identity:<Name, Distinguished Name or Display Name of the Issuance Policy that you want to retrieve>. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored.
help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters.
help11 = Examples:
errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}"
ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security".
ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal".
ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members:
LinkedIPs = The following Issuance Policies are linked to groups:
displayName = displayName : {0}
Name = Name : {0}
dn = distinguishedName : {0}
InfoName = Linked Group Name: {0}
InfoDN = Linked Group DN: {0}
NonLinkedIPs = The following Issuance Policies are NOT linked to groups:
'@
}
##Import-LocalizedData getIP_strings
import-module ActiveDirectory
#######################################
##  Help                             ##
#######################################
function Display-Help {
""
$getIP_strings.help1
""
$getIP_strings.help2
""
$getIP_strings.help3
"    " + $getIP_strings.help4
"    " + $getIP_strings.help5
"    " + $getIP_strings.help6
"    " + $getIP_strings.help7
""
$getIP_strings.help8
"    " + $getIP_strings.help9
""
$getIP_strings.help10
""
""
$getIP_strings.help11
"    " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All"
"    " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes"
"    " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance"""
""
}
$root = get-adrootdse
$domain = get-addomain -current loggedonuser
# Issuance policy (OID) objects live in the Configuration partition, so every
# search below is rooted there.
$configNCDN = [String]$root.configurationNamingContext
if ( !($Identity) -and !($LinkedToGroup) ) {
display-Help
break
}
if ($Identity) {
$OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties *
if ($OIDs -eq $null) {
$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity
write-host $errormsg -ForegroundColor Red
}
foreach ($OID in $OIDs) {
if ($OID."msDS-OIDToGroupLink") {
# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping.
$groupDN = $OID."msDS-OIDToGroupLink"
$group = get-adgroup -Identity $groupDN
$groupName = $group.Name
# Analyze the group: it must be an empty universal security group.
if ($group.groupCategory -ne "Security") {
$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName
write-host $errormsg -ForegroundColor Red
}
if ($group.groupScope -ne "Universal") {
$errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName
write-host $errormsg -ForegroundColor Red
}
$members = Get-ADGroupMember -Identity $group
if ($members) {
$errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName
write-host $errormsg -ForegroundColor Red
foreach ($member in $members) {
write-host "    " $member -ForeGroundColor Red
}
}
}
}
return $OIDs
break
}
if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) {
# flags=2 selects issuance policies (as opposed to certificate template OIDs).
$LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))"
$LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
write-host ""
write-host "*****************************************************"
write-host $getIP_strings.LinkedIPs
write-host "*****************************************************"
write-host ""
if ($LinkedOIDs -ne $null){
foreach ($OID in $LinkedOIDs) {
# Display basic information about the Issuance Policies
""
$getIP_strings.displayName -f $OID.displayName
$getIP_strings.Name -f $OID.Name
$getIP_strings.dn -f $OID.distinguishedName
# Get the linked group.
$groupDN = $OID."msDS-OIDToGroupLink"
$group = get-adgroup -Identity $groupDN
$getIP_strings.InfoName -f $group.Name
$getIP_strings.InfoDN -f $groupDN
# Analyze the group
$OIDName = $OID.displayName
$groupName = $group.Name
if ($group.groupCategory -ne "Security") {
$errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName
write-host $errormsg -ForegroundColor Red
}
if ($group.groupScope -ne "Universal") {
$errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName
write-host $errormsg -ForegroundColor Red
}
$members = Get-ADGroupMember -Identity $group
if ($members) {
$errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName
write-host $errormsg -ForegroundColor Red
foreach ($member in $members) {
write-host "    " $member -ForeGroundColor Red
}
}
write-host ""
}
}else{
write-host "There are no issuance policies that are mapped to a group"
}
if ($LinkedToGroup -eq "yes") {
return $LinkedOIDs
break
}
}
if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) {
$LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))"
$NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
write-host ""
write-host "*********************************************************"
write-host $getIP_strings.NonLinkedIPs
write-host "*********************************************************"
write-host ""
if ($NonLinkedOIDs -ne $null) {
foreach ($OID in $NonLinkedOIDs) {
# Display basic information about the Issuance Policies
write-host ""
$getIP_strings.displayName -f $OID.displayName
$getIP_strings.Name -f $OID.Name
$getIP_strings.dn -f $OID.distinguishedName
write-host ""
}
}else{
write-host "There are no issuance policies which are not mapped to groups"
}
if ($LinkedToGroup -eq "no") {
return $NonLinkedOIDs
break
}
}
After you paste the text into Notepad, click the File menu, and then click Save.
Click the File menu, and then click Exit.
At the command prompt, type notepad set-IssuancePolicyToGroupLink.ps1, and then press ENTER. In the Notepad dialog box, confirm that you want to create the file by clicking Yes.
Copy the following text, and then paste it into the Notepad file that you just created.
#######################################
##  Parameters to be defined         ##
##  by the user                      ##
#######################################
Param (
$IssuancePolicyName,
$groupOU,
$groupName
)
#######################################
##  Strings definitions              ##
#######################################
Data ErrorMsg {
# culture="en-US"
ConvertFrom-StringData -stringdata @'
help1 = This command can be used to set the link between a certificate issuance policy and a universal security group.
help2 = Usage:
help3 = The following parameters are required:
help4 = -IssuancePolicyName:<name or display name of the issuance policy that you want to link to a group>
help5 = -groupName:<name of the group you want to link the issuance policy to>. If no name is specified, any existing link to a group is removed from the Issuance Policy.
help6 = The following parameter is optional:
help7 = -groupOU:<Name of the Organizational Unit dedicated to the groups which are linked to issuance policies>. If this parameter is not specified, the group is looked for or created in the Users container.
help8 = Examples:
help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them.
help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group.
MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}"
NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}".
IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1}
MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}".
confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it?
OUCreationSuccess = Organizational Unit "{0}" successfully created.
OUcreationError = Error: Organizational Unit "{0}" could not be created.
OUFoundSuccess = Organizational Unit "{0}" was successfully found.
multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}".
confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it?
groupCreationSuccess = Universal Security group "{0}" successfully created.
groupCreationError = Error: Universal Security group "{0}" could not be created.
GroupFound = Group "{0}" was successfully found.
confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link?
UnlinkSuccess = Certificate issuance policy successfully unlinked from any group.
UnlinkError = Removing the link failed.
UnlinkExit = Exiting without removing the link from the issuance policy to the group.
IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script.
ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security".
ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal".
ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members:
ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"?
LinkSuccess = The certificate issuance policy was successfully linked to the specified group.
LinkError = The certificate issuance policy could not be linked to the specified group.
ExitNoLinkReplacement = Exiting without setting the new link.
'@
}
# import-localizeddata ErrorMsg
function Display-Help {
""
write-host $ErrorMsg.help1
""
write-host $ErrorMsg.help2
""
write-host $ErrorMsg.help3
write-host "`t" $ErrorMsg.help4
write-host "`t" $ErrorMsg.help5
""
write-host $ErrorMsg.help6
write-host "`t" $ErrorMsg.help7
""
""
write-host $ErrorMsg.help8
""
write-host $ErrorMsg.help9
".\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" "
""
write-host $ErrorMsg.help10
'.\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null '
""
}
# Assumption: The group to which the Issuance Policy is going
#             to be linked is (or is going to be created) in
#             the domain the user running this script is a member of.
import-module ActiveDirectory
$root = get-adrootdse
$domain = get-addomain -current loggedonuser
if ( !($IssuancePolicyName) ) {
display-Help
break
}
#######################################
##  Find the OID object              ##
##  (aka Issuance Policy)            ##
#######################################
$searchBase = [String]$root.configurationnamingcontext
$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties *
if ($OID -eq $null) {
$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase
write-host $tmp -ForeGroundColor Red
break;
}
elseif ($OID.GetType().IsArray) {
$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase
write-host $tmp -ForeGroundColor Red
break;
}
else {
$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName
write-host $tmp -ForeGroundColor Green
}
#######################################
##  Find the container of the group  ##
#######################################
if ($groupOU -eq $null) {
# default to the Users container; resolve it to an object so that
# $groupContainer.distinguishedName works the same way as for an OU
$groupContainer = get-adobject -Identity $domain.UsersContainer
} else {
$searchBase = [string]$domain.DistinguishedName
$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
if ($groupContainer.count -gt 1) {
$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase
write-host $tmp -ForegroundColor Red
break;
}
elseif ($groupContainer -eq $null) {
$tmp = $ErrorMsg.confirmOUcreation
write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
$userChoice = read-host
if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName
if ($?){
$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU
write-host $tmp -ForegroundColor Green
}
else{
$tmp = $ErrorMsg.OUCreationError -f $groupOU
write-host $tmp -ForeGroundColor Red
break;
}
$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
}
else {
break;
}
}
else {
$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name
write-host $tmp -ForegroundColor Green
}
}
#######################################
##  Find the group                   ##
#######################################
if (($groupName -ne $null) -and ($groupName -ne "")){
##$searchBase = [String]$groupContainer.DistinguishedName
$searchBase = $groupContainer
$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
if ($group -ne $null -and $group.gettype().isarray) {
$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase
write-host $tmp -ForeGroundColor Red
break;
}
elseif ($group -eq $null) {
$tmp = $ErrorMsg.confirmGroupCreation
write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
$userChoice = read-host
if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
# The group must be a universal security group; -Name is mandatory for new-adgroup
new-adgroup -Name $groupName -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security"
if ($?){
$tmp =
$ErrorMsg.GroupCreationSuccess -f $groupName write-host $tmp -ForegroundColor Green }else{ $tmp = $ErrorMsg.groupCreationError -f $groupName write-host $tmp -ForeGroundColor Red break } $group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase } else { break; } } else { $tmp = $ErrorMsg.GroupFound -f $group.Name write-host $tmp -ForegroundColor Green } } else { ## If the group is not specified, we should remove the link if any exists if ($OID."msDS-OIDToGroupLink" -ne $null) { $tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink" write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline $userChoice = read-host if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink" if ($?) { $tmp = $ErrorMsg.UnlinkSuccess write-host $tmp -ForeGroundColor Green }else{ $tmp = $ErrorMsg.UnlinkError write-host $tmp -ForeGroundColor Red } } else { $tmp = $ErrorMsg.UnlinkExit write-host $tmp break } } else { $tmp = $ErrorMsg.IPNotLinked write-host $tmp -ForeGroundColor Yellow } break; } ####################################### ## Verify that the group is ## ## Universal, Security, and ## ## has no members ## ####################################### if ($group.GroupScope -ne "Universal") { $tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName write-host $tmp -ForeGroundColor Red break; } if ($group.GroupCategory -ne "Security") { $tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName write-host $tmp -ForeGroundColor Red break; } $members = Get-ADGroupMember -Identity $group if ($members -ne $null) { $tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName write-host $tmp -ForeGroundColor Red foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red} break; } ####################################### ## We have verified everything. 
We ## ## can create the link from the ## ## Issuance Policy to the group. ## ####################################### if ($OID."msDS-OIDToGroupLink" -ne $null) { $tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline $userChoice = read-host if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { $tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} set-adobject -Identity $OID -Replace $tmp if ($?) { $tmp = $Errormsg.LinkSuccess write-host $tmp -Foreground Green }else{ $tmp = $ErrorMsg.LinkError write-host $tmp -Foreground Red } } else { $tmp = $Errormsg.ExitNoLinkReplacement write-host $tmp break } } else { $tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} set-adobject -Identity $OID -Add $tmp if ($?) { $tmp = $Errormsg.LinkSuccess write-host $tmp -Foreground Green }else{ $tmp = $ErrorMsg.LinkError write-host $tmp -Foreground Red } }
After you paste the text into Notepad, click the File menu, and then click Save.
Click the File menu, and then click Exit.
Linking certificate policies to groups
In this section you run the scripts that you saved in the previous procedure to create the OU and the first group and to link the first certificate issuance policy to that group. The same procedure then creates the second group in the OU that you just created and links the second issuance policy to it.
Note
In Beta versions of Windows Server 2008 R2 the Active Directory Module for Windows PowerShell is called Active Directory PowerShell.
To link the certificate issuance policies to the appropriate groups
Open the Active Directory Module for Windows PowerShell on the domain controller (ADFSAccount). To open the Active Directory Module for Windows PowerShell, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.
By default, the Active Directory module prompt should be at the %userprofile% directory, where you saved the scripts in the previous procedure.
Note
Before you run the scripts on your system, check the execution policy of Windows PowerShell. To do this, run the command Get-ExecutionPolicy. If the command output is Restricted, no script can run; run the command Set-ExecutionPolicy RemoteSigned, which allows the locally created, unsigned scripts from the previous procedure to run while still requiring a signature on scripts that were downloaded from the Internet. (Set-ExecutionPolicy Unrestricted also works but is broader than this guide needs.) Later, when you finish running these scripts, you may want to return the execution policy to Restricted by running the command Set-ExecutionPolicy Restricted.
In the Active Directory Module for Windows PowerShell command window, type
.\get-IssuancePolicy.ps1 -LinkedToGroup:All
, and then press ENTER. This command displays the certificate issuance policies that are linked to groups and the policies that are not linked to groups. Initially, you should see that no policies are linked to groups.
Note
If you see the error message Get-ADRootDSE: “Unable to find a default server”
, open the Services snap-in. To open the Services snap-in, click Start, click Run, type services.msc, and then press ENTER. Ensure that Active Directory Web Services is running. To do this, double-click Active Directory Web Services. If the service status is Stopped, click Start. Click OK, close the Services console, and then run the previous command again in the Active Directory Module for Windows PowerShell.
At a command prompt, type
.\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName:"High Assurance" -groupOU:"Auth Mech Assurance Groups" -groupName:"High Level Access"
, and then press ENTER. This command links the High Assurance certificate issuance policy to the group High Level Access. The parameter names must match the ones the script declares (-IssuancePolicyName, -groupOU and -groupName). Because neither the OU nor the group exists yet, you are prompted to create them.
When you are prompted to create the OU, type
Y
, and then press ENTER.
When you are prompted to create the group, type
Y
, and then press ENTER.
Type
.\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName:"Medium Assurance" -groupOU:"Auth Mech Assurance Groups" -groupName:"Medium Level Access"
, and then press ENTER. This command links the Medium Assurance certificate issuance policy to the group Medium Level Access. The OU already exists, but because the group Medium Level Access does not, you are prompted to create it.
When you are prompted to create the group, type
Y
, and then press ENTER.
Type
.\get-IssuancePolicy.ps1 -LinkedToGroup:Yes
, and then press ENTER. The output should show that two issuance policies, High Assurance and Medium Assurance, are linked to groups.
To close the Active Directory Module for Windows PowerShell window, type
Exit
, and then press ENTER.
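The following function is an added example, not one of the scripts in this guide. Run in the Active Directory Module for Windows PowerShell on the domain controller, it enumerates every issuance policy in the Configuration partition that carries an msDS-OIDToGroupLink value and checks the linked group against the same three conditions the linking script enforces (Universal scope, Security category, no static members). It also compares the back link on the group, msDS-OIDToGroupLinkBl, with the policy's distinguished name. The OID container path, the function name and the output layout are this example's own choices.

```powershell
# Added example: audit issuance policy-to-group links used by
# authentication mechanism assurance. Not part of the guide's scripts.
Import-Module ActiveDirectory

function Get-AssurancePolicyLink {
    # Issuance policies are msPKI-Enterprise-Oid objects under the OID
    # container of the Configuration partition (replicated forest-wide).
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNC"

    # Only policies that currently carry a link to a group are of interest.
    $policies = Get-ADObject -SearchBase $oidContainer `
        -LDAPFilter '(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*))' `
        -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'

    foreach ($policy in $policies) {
        $problems = @()
        $group = $null
        try {
            # msDS-OIDToGroupLink holds the DN of the linked group; the group
            # object carries the matching back link, msDS-OIDToGroupLinkBl.
            $group = Get-ADGroup -Identity $policy.'msDS-OIDToGroupLink' `
                -Properties members, 'msDS-OIDToGroupLinkBl'
        }
        catch {
            $problems += "linked group $($policy.'msDS-OIDToGroupLink') not found"
        }

        if ($group -ne $null) {
            # Same conditions the linking script checks before it writes the link.
            if ($group.GroupScope -ne 'Universal') {
                $problems += "scope is $($group.GroupScope), not Universal"
            }
            if ($group.GroupCategory -ne 'Security') {
                $problems += "category is $($group.GroupCategory), not Security"
            }
            $memberCount = @($group.members).Count
            if ($memberCount -gt 0) {
                # Static members hold the group in every logon, which defeats the
                # purpose: membership is meant to come only from a certificate logon.
                $problems += "group has $memberCount static member(s)"
            }
            if (@($group.'msDS-OIDToGroupLinkBl') -notcontains $policy.DistinguishedName) {
                $problems += 'back link on the group does not reference this policy'
            }
        }

        New-Object PSObject -Property @{
            Policy   = $policy.displayName
            OID      = $policy.'msPKI-Cert-Template-OID'
            Group    = $(if ($group) { $group.Name } else { $policy.'msDS-OIDToGroupLink' })
            Healthy  = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

# After Step 2 this should list High Assurance and Medium Assurance, both Healthy.
Get-AssurancePolicyLink | Format-Table Policy, OID, Group, Healthy, Problems -AutoSize
```

Because the link is ordinary directory data, anyone who can enroll for a certificate template that carries one of these issuance policies, and use it to log on, effectively obtains membership in the linked group; review enrollment permissions on those templates with the same care as membership in the group itself, and re-run this check after any change to the groups or to the OID objects.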
Step 3: Download and Test Certificates
In this step you place the appropriate certificates on the applicable smart cards and then test how those smart cards affect the user’s access token when they are used to log on. You must have an attached and configured smart-card reader on the client computer (ADFSClient) and two smart cards, which you can use to download the certificates from the certification authority (CA). The procedures in this step include:
Obtaining the appropriate certificates
Verifying additional group membership
Administrative credentials
To perform all of the tasks in this step, log on with the Administrator account for the domain.
Obtaining the appropriate certificates
In this section you log on using the Cassie Hicks account and then download a certificate to a smart card that is designated for High Authentication Mechanism Assurance. Then, you log on using the Todd Meadows account and download a certificate to a different smart card that is designated for Medium Authentication Mechanism Assurance.
To download certificates
Log on to the client computer (ADFSClient) using the CassieHi user account.
Insert the smart card that you want to use for Cassie Hicks into the smart-card reader. (Either card will work; just keep track of which card you assigned to which user.)
Click Start. In Start Search, type certmgr.msc, and then press ENTER.
In the contents pane of the certmgr [Certificates – Current User] console, right-click Personal, click All Tasks, and then click Request New Certificate.
On the Before You Begin page, click Next.
On the Certificate Enrollment page, ensure that Enterprise Policy is selected, and then click Next.
Select the Authentication Mechanism Assurance High Level Access check box, and then click Enroll.
Note
If you do not see any certificates, open an elevated Command Prompt window. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. Run the command gpupdate /force, and then try to request a certificate again.
Click Finish.
Log off, and remove the smart card from the reader.
Log on as ToddMead.
Insert the smart card that you want to use for Todd Meadows. (Use a different card from the one that you used for Cassie Hicks, unless you are sure that your smart card supports multiple certificates.)
Repeat the enrollment steps above, from opening certmgr.msc through clicking Next on the Certificate Enrollment page, and then continue with the following step.
Select the Authentication Mechanism Assurance Medium Level Access check box, and then click Enroll.
Click Finish.
Log off.
Verifying additional group membership
In this section you log on first as Todd Meadows and later as Cassie Hicks. After each logon, you check the user's group memberships to verify that each user has an additional membership added to their access token because they logged on using their smart-card certificate. The membership exists only in the token of the logon session that was authenticated with the certificate; it is not stored on the user object or in the group, so tools that read group membership from AD DS will not show it.
To log on using a smart card and view the access token
The smart card for ToddMead should be in the smart-card reader. Access the logon screen. You should see an icon representing each user’s optional smart-card logon. In Windows Vista or Windows Server 2008, you must click Start, click the right arrow, and then click Switch User to see these icons.
Click the smart-card logon icon that corresponds to ToddMead. Enter the personal identification number (PIN) for the smart card when you are prompted for it.
Note
If you see an error message that reads “The system could not log you on. Your account domain controller does not support smart card logon. Please contact your system administrator to ensure that smart card logon is configured for your organization,” restart the domain controller. After you restart the domain controller, log on to the client computer using a password. Open an elevated command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. Run the command gpupdate /force. When you see that the User Policy and Computer Policy updates were completed successfully, log off. Then, try to log on again using the smart card.
Open a Command Prompt window. To open a Command Prompt window, click Start, point to All Programs, click Accessories, and then click Command Prompt.
At the command prompt, type
whoami /groups
, and then press ENTER. Notice that the Medium Level Access group membership is now included in the access token. Log off, and remove the smart card.
Log on using the ToddMead account and password (that is, log on without the smart card).
Open a Command Prompt window, and then run the whoami /groups command again. Notice that the Medium Level Access group membership is no longer included in the access token. Log off.
Insert the smart card for CassieHi, and access the logon screen. Click the icon that represents the smart-card logon for CassieHi. Enter the PIN for the smart card when you are prompted for it.
Open a Command Prompt window. To open a Command Prompt window, click Start, point to All Programs, click Accessories, and then click Command Prompt.
At the command prompt, type
whoami /groups
, and then press ENTER. Notice that the High Level Access group membership is now included in the access token.
Log off, remove the smart card, and then log on using the CassieHi account and password (that is, log on without the smart card).
Open a Command Prompt window, and then run the
whoami /groups
command again. Notice that the High Level Access group membership is no longer included in the access token. Log off.
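The following function is an added example and is not part of this guide. It reads the current logon session's token through System.Security.Principal.WindowsIdentity, which is the same token that whoami /groups prints, and reports whether the High Level Access and Medium Level Access groups are present. The check for the well-known SID S-1-5-65-1 (This Organization Certificate) assumes a Kerberos smart-card logon on Windows 7 or Windows Server 2008 R2, where the domain controller places that SID in the token; the function name, parameter and output fields are this example's own.

```powershell
# Added example: inspect the current logon session's access token and report
# whether it carries the authentication mechanism assurance groups from Step 2.
function Test-AssuranceToken {
    param(
        # Group names this guide links to the High Assurance and Medium Assurance policies.
        [string[]]$AssuranceGroup = @('High Level Access', 'Medium Level Access')
    )
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Translate every group SID in the token to DOMAIN\Name; keep the raw SID
    # where translation fails (for example, a group that was deleted).
    $tokenGroups = foreach ($sid in $identity.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }

    # S-1-5-65-1 ("This Organization Certificate") is present in the token when
    # the Kerberos logon was certificate-based and absent after a password
    # logon, so it separates the two sessions compared in this procedure.
    $certSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-65-1'
    $certificateLogon = [bool]($identity.Groups | Where-Object { $_ -eq $certSid })

    $present = @()
    foreach ($name in $AssuranceGroup) {
        # Compare on the account part only; the token shows e.g. ADATUM\High Level Access.
        if ($tokenGroups | Where-Object { ($_ -split '\\')[-1] -eq $name }) { $present += $name }
    }

    # An assurance group in a token that did not come from a certificate logon
    # means the group gained a static member or its link was changed, which
    # breaks the assumption that resource ACLs built on these groups rely on.
    $unexpected = ($present.Count -gt 0) -and (-not $certificateLogon)

    New-Object PSObject -Property @{
        User                 = $identity.Name
        CertificateLogon     = $certificateLogon
        AssuranceGroups      = ($present -join ', ')
        AssuranceWithoutCert = $unexpected
    }
}

Test-AssuranceToken | Format-List
```

Run it in each of the four sessions in this procedure: the smart-card sessions should report CertificateLogon True with the matching group listed, the password sessions should report CertificateLogon False with no assurance group, and AssuranceWithoutCert should never be True.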
Step 4: Configure the Federation Servers
Now that you have configured the adfsaccount computer for authentication mechanism assurance, in this step you configure the Federation Service on the federation servers for both the A. Datum Corporation and Trey Research. The group claims that the A. Datum federation server issues are derived from the group memberships in the user's Windows logon session, so the assurance group, and therefore the claim, is present only when the user logged on to the client with the smart card; Step 5 demonstrates this difference. In this step, you:
Create two organization group claims in the Federation Service for both A. Datum and Trey Research to represent the two security levels of each of the smart-card certificates (medium assurance and high assurance) that you created in an earlier step.
Configure two of the group claims so that they map to the appropriate group in Active Directory Domain Services (AD DS) that was created by the authentication mechanism assurance script.
Create two claim mappings in both organizations that will associate the claims that were created in A. Datum with the corresponding claims in Trey Research.
This step consists of the following tasks:
Create and map group claims in A. Datum
Create and enable group claims in Trey Research
To perform all the procedures in this step, log on to the adfsaccount computer and the adfsresource computer with the Administrator account for the domain.
Create and map group claims in A. Datum
This section includes the following procedures:
Creating two group claims in A. Datum
Mapping group claims to global groups in A. Datum
Creating two claim mappings in A. Datum
Creating two group claims in A. Datum
Complete the following procedure on the adfsaccount computer to create two organization group claims that will be used to represent the different security levels for each of the two smart-card certificates that were downloaded in Step 3: Download and Test Certificates.
To create two group claims in A. Datum
Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
Double-click Federation Service, double-click Trust Policy, double-click My Organization, right-click Organization Claims, point to New, and then click Organization Claim.
In the Create a New Organization Claim dialog box, in Claim name, type High Assurance Claim.
Ensure that Group claim is selected, and then click OK. Repeat these steps to create another group claim named Medium Assurance Claim.
Mapping group claims to global groups in A. Datum
Complete the following procedure on the adfsaccount computer to map the two Active Directory groups that you created with the script in Step 2: Link Certificate Policies to Groups (the script creates them as universal security groups) to the newly created group claims.
To map group claims to global groups in A. Datum
Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
Double-click Federation Service, double-click Trust Policy, double-click My Organization, double-click Account Stores, right-click Active Directory, point to New, and then click Group Claim Extraction.
In the Create a New Group Claim Extraction dialog box, click Add, type high level access, and then click OK.
On the Map to this Organization Claim menu, click High Assurance Claim, and then click OK. Repeat these steps to create an additional Active Directory group mapping. This mapping should be created between the medium level access group and the corresponding Medium Assurance Claim claim.
Creating two claim mappings in A. Datum
Complete the following procedure on the adfsaccount computer to create two outgoing claim mappings that you will use to map the new security level claims in A. Datum to corresponding group claims that you will create later in Trey Research.
To create two claim mappings in A. Datum
Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, double-click Resource Partners, right-click Trey Research, point to New, and then click Outgoing Group Claim Mapping.
In the Create a New Outgoing Group Claim Mapping dialog box, in Outgoing group claim name, type highassurancemapping.
Note
This value is case sensitive. It must match exactly the value that you specified in the incoming group claim mapping in the resource partner organization, Trey Research.
In Organization group claims, click High Assurance Claim, and then click OK. Repeat these steps to create an additional claim mapping, named mediumassurancemapping, to the corresponding Medium Assurance Claim claim.
Create and enable group claims in Trey Research
This section includes the following procedures:
Creating two group claims in Trey Research
Creating two claim mappings in Trey Research
Enabling the claims in Trey Research
Creating two group claims in Trey Research
Complete the following procedure on the adfsresource computer to create two group claims in Trey Research that you will use to represent the security-level-named claims that originate from the A. Datum forest.
To create two group claims in Trey Research
Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
Double-click Federation Service, double-click Trust Policy, double-click My Organization, right-click Organization Claims, point to New, and then click Organization Claim.
In the Create a New Organization Claim dialog box, in Claim name, type A. Datum High Assurance Claim.
Ensure that Group claim is selected, and then click OK. Repeat these steps to create an additional group claim named A. Datum Medium Assurance Claim.
Creating two claim mappings in Trey Research
Complete the following procedure on the adfsresource computer to create two incoming group claim mappings that you will use to map the security-level-named claims in A. Datum to corresponding security-level-named claims that you just created in Trey Research.
To create claim mappings in Trey Research
Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, double-click Account Partners, right-click A. Datum, point to New, and then click Incoming Group Claim Mapping.
In the Create a New Incoming Group Claim Mapping dialog box, in Incoming group claim name, type highassurancemapping.
Note
This value is case sensitive. It must match exactly the value that you specified in the outgoing group claim mapping in the account partner organization, A. Datum.
In Organization group claim, click A. Datum High Assurance Claim, and then click OK. Repeat these steps to create an additional claim mapping named mediumassurancemapping that maps to the corresponding claim named A. Datum Medium Assurance Claim.
Enabling the claims in Trey Research
Complete the following procedure on the adfsresource computer to enable the new group claims in Trey Research to work with the sample claims-aware application.
To enable the claims in Trey Research
In the Applications folder in the console tree of the Active Directory Federation Services console, click Claims-aware Application.
Right-click A. Datum High Assurance Claim, and then click Enable. Repeat this step for the A. Datum Medium Assurance Claim claim.
Step 5: Access the Sample Application from the Client Computer
In this step, you test the different authentication mechanism assurance levels that you mapped to specific user accounts. You access the claims-aware application and view the group memberships that it recognizes as you access the application with different user accounts as the users log on using different authentication methods. This step includes the following procedures:
Accessing the sample application without a smart card (low assurance)
Accessing the sample application with a medium-assurance smart card
Accessing the sample application with a high-assurance smart card
To perform the procedures in this step, first make the user accounts adatum\alansh, adatum\cassieh, and adatum\toddmead members of the local Administrators group on the client computer.
Note
If for any reason you have problems accessing the claims-aware application, consider running the iisreset command or restarting the adfsweb computer. Also, make sure that the adfsclient computer has the adfsaccount, adfsresource, and adfsweb Secure Sockets Layer (SSL) certificates in the Trusted Root Certification Authorities store. If you do not find these certificates in the certificate store, perform step 3 in this guide again. Then, try to access the application again.
Accessing the sample application without a smart card (low assurance)
Complete the following procedure to access the sample claims-aware application from a client computer that has not been issued a smart card.
To access the sample application without a smart card
Log on to the adfsclient computer as alansh.
Open a browser window, and then go to https://adfsweb.treyresearch.net/claimapp/. When you are prompted for your home realm, click A. Datum Corporation, and then click Submit.
At this point the SSO Sample Application appears in the browser. You should see the value of the group claim in the SingleSignOnIdentity.SecurityPropertyCollection section of the sample application. You created this claim when you completed the instructions in the AD FS in Windows Server 2008 R2 Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=133009). Because this user logged on with a password, no assurance claim is shown.
Accessing the sample application with a medium-assurance smart card
Complete the following procedure to access the sample claims-aware application from a client computer that has been issued a smart card with a medium-assurance certificate.
To access the sample application with a medium-assurance smart card
Insert the smart card for Todd Meadows.
Log on to the adfsclient computer using the smart-card option for toddmead. You may have to click Start, click the right arrow, and then click Switch User to see the smart-card logon option. Enter the personal identification number (PIN) when you are prompted.
Open a browser window, and then go to https://adfsweb.treyresearch.net/claimapp/. When you are prompted for your home realm, click A. Datum Corporation, and then click Submit.
At this point the SSO Sample Application appears in the browser. You should see A. Datum Medium Assurance Claim in the SingleSignOnIdentity.SecurityPropertyCollection section of the sample application.
Accessing the sample application with a high-assurance smart card
Complete the following procedure to access the sample claims-aware application from a client computer that has been issued a smart card with a high-assurance certificate.
To access the sample application with a high-assurance smart card
Insert the smart card for Cassie Hicks.
Log on to the adfsclient computer using the smart-card option for cassiehi. You may have to click Start, click the right arrow, and then click Switch User to see the smart-card logon option. Enter the PIN when you are prompted.
Open a browser window, and then go to https://adfsweb.treyresearch.net/claimapp/. When you are prompted for your home realm, click A. Datum Corporation, and then click Submit.
At this point the SSO Sample Application appears in the browser. You will see A. Datum High Assurance Claim in the SingleSignOnIdentity.SecurityPropertyCollection section of the sample application.
After you have accessed the sample application, add the cassiehi and toddmead accounts to the treyclaimappusers security group in the adatum.com domain, and then try accessing the sample application again. After you add these accounts to the treyclaimappusers security group and reconnect the application, you will see the claim values cassiehi@adatum.com and toddmead@adatum.com displayed in the browser window along with their respective assurance-value claims.
Note
The treyclaimappusers group was created in the procedures of the AD FS in Windows Server 2008 R2 Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=133009).