UniToken Integration Guide Windows 2003 Server Smart Card Configuration

Network Configuration

From the Start Menu, click on [Connect To], [Show all connections].

Right-click on the connection interface between the domain controller and client and select [Properties].

In the properties window of the connection, select [Internet Protocol (TCP/IP)] and click on [Properties].

In the "Internet Protocol Version 4 (TCP/IPv4) Properties" window, select [Use the following IP address] and input a static IP address, subnet mask and default gateway for your server.

Select [Use the following DNS server addresses] and input the same IP address as your static IP address. This server will be used as the main DNS server.

Click on [OK] on all windows to finish.

Active Directory Installation

From the Start Menu, click on [Run...].

Input "dcpromo", without quotation marks, and click [OK] to launch the Active Directory wizard.

On the "Active Directory Installation Wizard" welcome screen, click on [Next].

On the "Operating System Compatibility" page, click on [Next].

On the "Domain Controller Type" page, verify that [Controller for a new domain] is selected, then click [Next].

On the "Create New Domain" page, verify that [Domain in a new forest] is selected, then click [Next].

On the [New Domain Name] page, input a name for your domain, then click [Next].

On the "NetBIOS Domain Name" page, input a NetBIOS name or otherwise leave the suggested name, then click on [Next].

On the "Database and Log Folders" page, click on [Next].

On the "Shared System Volume" page, click on [Next].

On the [DNS Registration Diagnostics] page, select [Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server], then click on [Next].

On the "Permissions" page, select [Permissions compatible only with Windows 2000 or Windows Server 2003], then click on [Next].

On the "Directory Service Restore Mode Administrator Password" page, input a restore mode password, then click on [Next].

On the "Summary" page, confirm the entered settings, then click on [Next].

After the configuration of Active Directory is completed, the Windows Server 2003 CD-ROM is required to complete the procedure.

Verify that the Active Directory has been installed successfully, then click on [Finish] to close the wizard.

IIS Installation

From the Start Menu, click on [Control Panel], [Add or Remove Programs].

Under the "Add or Remove Programs" window, choose [Add/Remove Windows Components] from the left-hand side menu.

Check [Application Server] and click on [Next].

Verify the installation was successful after completion.

Certification Authority Installation

If continuing from the previous step, return to the "Add/Remove Windows Components" window. Otherwise, from the Start Menu, click on [Control Panel], [Add or Remove Programs], then choose [Add/Remove Windows Components] from the left-hand side menu.

In the "Add/Remove Windows Components" window, check [Certificate Services]. A warning message indicating the computer name and domain may not be changed once Certificate Services is installed will appear. Click [Yes] to continue.

Verify that [Certificate Services] has been checked, and click on [Next].

In the "CA Type" step, select [Enterprise root CA], then click on [Next].

In the "CA Identifying Information" step, input the name for the CA in the field [Common name for this CA], and check that [Distinguished name suffix] corresponds to the domain name. Click on [Next] when done.

On the "Certificate Database Settings" page, click on [Next].

During the installation, a warning message indicating the IIS service must be stopped temporarily will be displayed. Click on [Yes] to continue the installation.

The installation changes will be applied.

A warning message asking if Active Server Pages is to be enabled will appear. Click on [Yes] to continue.

Verify that the component has been installed successfully and click on [Finish] to close the wizard.

Update CertSrv for Windows Vista/7

An update available from Microsoft resolves an issue with enrolling web certificates against a Windows Server 2003 Certificate Services Web enrollment, and improves the CA's compatibility with clients running Windows XP through Windows Vista and 7. The file can be downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=4758.

Back up your data before installing this update! SecuTech cannot be held responsible for any data loss caused by this update.

Double-click the downloaded file to launch the installation.

Click on [Next] in the "Software Update Installation Wizard" screen.

On the [License Agreement] step, select [I agree] and click on [Next] to continue.

Changes will be applied.

Verify that the update has been successfully installed and click on [Finish] to complete.

Secure Access to Certsrv with SSL

From the Start Menu, click on [Administrative Tools], [Internet Information Services (IIS) Manager].

In the "Internet Information Services (IIS) Manager" window, navigate to [Web Sites], [Default Web Site] in the tree list on the left. Right-click on [Default Web Site], then click on [Properties].

Under the [Directory Security] tab, in the [Secure communications] section, click on [Server Certificate].

Click on [Next] in the Web Server Certificate Wizard to begin.

On the "Server Certificate" page, select [Create a new certificate], then click on [Next].

In the "Delayed or Immediate Request" step, select [Prepare the request now, but send it later] and click on [Next].

On the "Name and Security Settings" page, enter the name of the certificate, then click on [Next].

On the "Organization Information" step, input the organization and organizational unit information and click on [Next].

In the "Your Site's Common Name" step, input the name of your website and click on [Next].

Input the [Country/region], [State/province], [City/locality] and click on [Next].

Indicate the certificate request file path and name in the "Certificate Request File Name" page. Click on [Next] afterwards.

On the "Request File Summary" page, verify the information is correct, then click on [Next].

Click on [Finish] to complete the wizard.

Launch the internet browser of your choice and navigate to "https://[address of domain server]/certsrv".

On the "Microsoft Active Directory Certificate Services" main page, under "Select a task", click on [Request a certificate]. Under "Request a certificate", click on [advanced certificate request].

On the "Advanced Certificate Request" page, choose [Submit a certificate request by using a base 64 encoded CMC or PKCS#10 file, or submit a renewal request by using a base 64 encoded CMC or PKCS#7 file].

Navigate to the folder where the "certreq.txt" file is located and open it.

Excluding the first and last line, copy the whole contents of "certreq.txt" and paste it in the corresponding text area in the web page.

Under "Certificate Template", choose [Web server] from the drop-down list and click on [Submit].

Select [DER encoded] and click on [Download certificate].

Save the file [certnew.cer] to a destination for later use.

Return to the [Default Web Site Properties] window, and click on [Server Certificate] under "Secure communications".

Under the "Welcome to the Web Server Certificate Wizard" welcome screen, click [Next].

On the "Pending Certificate Request" step, select [Process the pending request and install the certificate].

On the "Process a Pending Request" step, check or otherwise enter the path to the "certnew.cer" file created earlier. Click on [Next].

On the [SSL Port] step, check that the SSL port used on the server is correct and click on [Next].

Click on [Finish] to complete the wizard.

Return to the [Internet Information Services (IIS) Manager] window and expand [Default Web Site], right-click on the element [CertSrv], and select [Properties].

In the tab [Directory Security], click on the [Edit…] button located under "Secure communications."

In the [Secure Communications] window, check [Require secure channel (SSL)] and [Require 128-bit encryption]. Verify that [Ignore client certificates] is selected under "Client certificates" and select [Enable client certificate mapping]. Click [OK] to finish.
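
The request and issuance steps of this section can also be run and checked from a command prompt on the CA server. The batch script below is an added example, not part of the original SecuTech guide; the paths C:\certreq.txt and C:\certnew.cer are assumptions, and WebServer is the internal name of the [Web server] template.

```batch
@echo off
rem Added example (not from the original guide).
rem Assumed paths: the request file saved by the IIS wizard and the
rem location where the issued certificate will be written.
setlocal
set REQ=C:\certreq.txt
set CER=C:\certnew.cer

rem 1. Review the PKCS#10 request before it reaches the CA. Confirm that
rem    the Subject (CN, O, OU, L, S, C) matches what was typed into the
rem    Web Server Certificate Wizard.
certutil -dump "%REQ%"
if errorlevel 1 goto fail

rem 2. Submit the request against the Web Server template. Without a
rem    -config option, certreq prompts for the CA to use.
if exist "%CER%" del "%CER%"
certreq -submit -attrib "CertificateTemplate:WebServer" "%REQ%" "%CER%"
if errorlevel 1 goto fail

rem    If the CA left the request pending or denied it, no file is written.
if not exist "%CER%" goto fail

rem 3. Inspect the issued certificate and validate its chain up to the
rem    enterprise root CA before processing the pending request in IIS.
certutil -dump "%CER%"
certutil -verify "%CER%"
if errorlevel 1 goto fail

echo Certificate issued and verified: %CER%
goto end

:fail
echo A step failed. Do not install the certificate in IIS. 1>&2
endlocal
exit /b 1

:end
endlocal
```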

Create Users in Active Directory

From the Start Menu, click [Administrative Tools], [Active Directory Users and Computers].

From the tree list on the left of the "Active Directory Users and Computers" window, right-click on [(Domain)], [Users], then select [New], [User] from the popup menu.

Complete the form for the new user and click [Next].

Fill in the [Password] and [Confirm password] fields. Choose the corresponding options as needed and click on [Next].

Verify that the information about the new user is correct and click [Finish] to close the window.

Set Access Rights for Certificate Templates

From the start menu, select [Run...].

Type "certtmpl.msc", without quotation marks, then click [OK].

On the "certtmpl - [Certificate Templates]" window, right-click [Smartcard User] from the list on the right and select [Properties].

Under the [Security] tab, click on [Add] to add a new user to the list.

Select the user previously created (UniTokenPRO in this example) and click [OK] to apply.

Back on the [Security] tab, select the newly added user and check [Read] and [Enroll] for the user's permissions. Click on [OK] to finish.

From the Start Menu, click on [Administrative Tools], [Certification Authority].

On the "Certification Authority" window, right-click on [Certificate Templates], and select [New], [Certificate Template to Issue].

Under the "Enable Certificate Templates" window, select [Smartcard User] and click [OK] to finish.
