These guides help configure Windows domains for PIV smart card logon, particularly for U.S. federal civilian agencies. They address common questions and specific configurations.
Before delving into these network guides and lessons learned, please ensure the following:
Users possess both PIV credentials and PIV card readers.
You are utilizing Microsoft Active Directory for Windows network management.
Your Domain Controllers are Microsoft 2012 or a more recent version.
User workstations are integrated into your network and run either Windows 8 or Windows 10.
Your workstations, servers, network domain controllers, and applications must constantly verify the validity of PIV certificates and all intermediate certificate authority (CA) certificates. Additionally, during the certificate chain path building process, intermediate CA certificates may be fetched and downloaded.
Domain controller certificate:
For network authentication using smart cards and PIV credentials, it’s essential for all domain controllers to possess authentication certificates. U.S. federal civilian agencies maintain a range of information security policies, which determine whether domain controller certificates should be sourced from the agency’s local enterprise certification authority (CA) or from a CA under the Federal Public Key Infrastructure (FPKI) certification. It is crucial to adhere to the specific information security policy of your agency.
Local Certification Authority:
Local Certification authority is need in order to issue a local certificate. This certificate will be installed on domain controller and user endpoints. The server hosting the Certification Authority (CA) needs to be integrated into the domain. It is important to ensure that the CA is not located on servers designated as domain controllers. Additionally, one must hold the role of Enterprise Administrator within the domain to execute these operations.
Enabling Enterprise Trust of the Common Policy Certificate:
To establish organizational trust for the FCPCA Root Certificate, the process involves these actions:
Acquiring and authenticating the FCPCAG2 Certificate
Distribute the certificate across operating systems
To obtain the FCPCAG2 root certificate, Access and download the certificate from the specified URL: http://repo.fpki.gov/fcpca/fcpcag2.crt.
Once the certificate is obtained, you can use windows group policy to distribute the certificate to endpoints.
Authentication Assurance:
To effectively manage access within your network when Single Sign-on is active, it’s crucial to identify the authentication method utilized by the user:
Username and password combination
PIV (Personal Identity Verification) credential
Understanding which authentication method was employed is essential for applying detailed access control policies and determining whether to permit or restrict user access to applications and network-shared resources. Windows Active Directory’s Authentication Mechanism Assurance (AMA) feature facilitates this by allowing the addition of a group membership identifier to the user’s Kerberos token based on the authentication method used.