UniToken Integration Guide Windows 2008 Server Smart Card Configuration

From SecuTech Wiki

Network Configuration

From the Start Menu, click on [Server Manager].

Tokensmart img01.jpg

Click on [View Network Connections] on the right-hand side of the window under "Server Summary", "Computer Information".

Tokensmart img02.jpg

Right-click on the connection interface used between clients and the server and select [Properties].

Tokensmart img03.jpg

In the properties window of the connection, highlight [Internet Protocol (TCP/IPv4)] and click on [Properties] below.

Tokensmart img04.jpg

In the "Internet Protocol Version 4 (TCP/IPv4) Properties" window, select [Use the following IP address] and input a static IP address, subnet mask and default gateway for your server.

Select [Use the following DNS server addresses] and input the same IP address as your static IP address. This server will be used as the main DNS server.

Click on [OK] on all windows to finish.

Tokensmart img05.jpg

Active Directory Installation

From the Start Menu, click [Run...] or in the search box from the Start Menu, type "dcpromo", without quotation marks, and press [Enter].

Tokensmart img06.jpg

Wait while the binaries for Active Directory Services are being installed.

Tokensmart img07.jpg

On the "Active Directory Domain Services Installation Wizard" welcome screen, click on [Next].

Tokensmart img08.jpg

On the "Operating System Compatibility" step, click on [Next].

Tokensmart img09.jpg

On the "Choose a Deployment Configuration" step, verify that [Create a new domain in a new forest] is selected and click [Next].

Tokensmart img10.jpg

On the "Name the Forest Root Domain" step, input a name for the domain and click on [Next].

Tokensmart img11.jpg

On the "Set Forest Functional Level" step, keep the default settings and click on [Next].

Tokensmart img12.jpg

On the following "Set Forest Functional Level" step, keep the default settings and click on [Next].

Tokensmart img13.jpg

On the "Additional Domain Controller Options" step, check the option [DNS Server] and click on [Next].

Tokensmart img14.jpg

When the "Active Directory Domain Services Installation Wizard" dialog box asks "Do you want to continue?", click on [Yes].

Note that this tutorial assumes the preferred DNS server on the local network is this server and that DNS information is distributed to clients by the DHCP service installed on it.

Tokensmart img15.jpg

On the "Location for Database, Log Files, and SYSVOL" step, click on [Next].

Tokensmart img16.jpg

On the "Directory Services Restore Mode Administrator Password" step, set the password for the Restore Mode administrator and click on [Next].

Tokensmart img17.jpg

On the "Summary" screen, verify that the settings chosen so far are correct, then click [Next] to continue.

Tokensmart img18.jpg

Wait until the configuration of Active Directory is completed.

Tokensmart img19.jpg

Click [Finish] to close the wizard.
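The wizard steps above can also be run unattended from a dcpromo answer file. The script below is an added example, not part of the SecuTech guide; the domain name, NetBIOS name and DSRM password are placeholders, and the wizard's default functional levels and file locations are kept, as in the steps above.

```powershell
# Added example: unattended equivalent of the dcpromo wizard steps above.
# All values below are placeholders; replace them for your environment.
$domainDns     = "example.local"             # "Name the Forest Root Domain"
$domainNetbios = "EXAMPLE"
$dsrmPassword  = "ReplaceWithDsrmPassword"   # Directory Services Restore Mode password
$answerFile    = "$env:TEMP\dcpromo-answer.txt"

# [DCInstall] keys mirror the wizard pages: new domain in a new forest,
# DNS Server role installed, default database/log/SYSVOL locations, DSRM password.
# ForestLevel/DomainLevel are omitted so dcpromo keeps the wizard defaults.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$domainDns
DomainNetBiosName=$domainNetbios
InstallDNS=Yes
ConfirmGc=Yes
DatabasePath=$env:SystemRoot\NTDS
LogPath=$env:SystemRoot\NTDS
SYSVOLPath=$env:SystemRoot\SYSVOL
SafeModeAdminPassword=$dsrmPassword
RebootOnCompletion=No
"@

Set-Content -Path $answerFile -Value $answer
try {
    # dcpromo reads the answer file and runs the wizard without prompting.
    dcpromo /unattend:$answerFile
}
finally {
    # The answer file holds the DSRM password in clear text: remove it
    # before the reboot that completes the promotion.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}
shutdown /r /t 0
```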

Tokensmart img20.jpg

Certification Authority Installation

From the Start Menu, click on [Server Manager].

Tokensmart img21.jpg

From the left-hand side pane, click on [Roles].

Tokensmart img22.jpg

In the right-hand side of the window, click on [Add Roles].

Tokensmart img23.jpg

Click [Next] on the screen [Before You Begin] to begin.

Tokensmart img24.jpg

On the "Select Server Roles" step, select [Active Directory Certificate Services], then click [Next].

Tokensmart img25.jpg

On the "Introduction to Active Directory Certificate Services" page, click on [Next].

Tokensmart img26.jpg

On the "Select Role Services" page, check [Certification Authority] and [Certification Authority Web Enrollment], then click [Next].

Tokensmart img27.jpg

In the "Add Roles Wizard" dialog box, click on [Add Required Role Services].

Tokensmart img28.jpg

Make sure that [Certification Authority Web Enrollment] is still checked and click on [Next].

Tokensmart img29.jpg

On the "Specify Setup Type" page, select [Enterprise], then click [Next].

Tokensmart img30.jpg

On the "Specify CA Type" page, select [Root CA], and click [Next].

Tokensmart img31.jpg

On the "Set Up Private Key" page, click [Next].

Tokensmart img32.jpg

On the "Configure Cryptography for CA" page, click [Next].

Tokensmart img33.jpg

On the "Configure CA Name" page, accept the proposed CA Name or otherwise input a new CA name. Click on [Next].

Tokensmart img34.jpg

On the "Set Validity Period" page, click on [Next].

Tokensmart img35.jpg

On the "Configure Certificate Database" page, click on [Next].

Tokensmart img36.jpg

On the "Web Server (IIS)" page, click on [Next].

Tokensmart img37.jpg

On the "Select Role Services" page, verify that the required services have been selected and click on [Next].

Tokensmart img38.jpg

On the "Confirm Installation Selections" page, verify installation information is correct, then click on [Install] to begin the installation.

Tokensmart img39.jpg

On the "Installation Results" page, verify that the installation has been completed successfully, then click on [Close] to complete.

Tokensmart img40.jpg

Secure Access to Certsrv with SSL

From the Start Menu, click [Administrative Tools], [Internet Information Services (IIS) Manager].

Tokensmart img41.jpg

In the left pane, select the corresponding server under "Connection", then in the main window double-click on [Server Certificates].

Tokensmart img42.jpg

On the [Server Certificates] page, from the "Actions" menu on the right, click on [Create Self-Signed Certificate...].

Tokensmart img43.jpg

In the "Create Self-Signed Certificate" window, on the "Specify Friendly Name" step, enter a name for the certificate and click on [OK].

Tokensmart img44.jpg

In the left pane, under "Sites", right-click on [Default Web Site] and click [Edit Bindings...].

Tokensmart img45.jpg

On the [Site Bindings] window, click [Add].

Tokensmart img46.jpg

Modify the following settings:

  • Type: https
  • IP address: All Unassigned
  • Port: 443
  • Certificate: (the certificate created earlier)

Click [OK].

Tokensmart img47.jpg

Click on [CertSrv] within [Default Web Site] from the left pane. Double-click on [SSL settings].

Tokensmart img48.jpg

On the "SSL Settings" page, check [Require SSL] and [Require 128-bit SSL]. Under "Client certificates", select [Ignore] and click on [Apply] to save changes.
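The same binding and SSL settings can be applied and checked from the command line. This is an added example, not the guide's own steps; it assumes the IIS 7 appcmd tool, the friendly name given to the self-signed certificate above (placeholder "CertSrv SSL"), and the well-known IIS application id for the netsh binding.

```powershell
# Added example: scripted equivalent of the IIS Manager steps above.
$friendlyName = "CertSrv SSL"        # placeholder: friendly name entered in IIS Manager
$site         = "Default Web Site"
$appcmd       = "$env:SystemRoot\System32\inetsrv\appcmd.exe"
$iisAppId     = "{4dc3e181-e14b-4a21-b022-59fc669b0914}"   # IIS application id used by netsh

# Find the server certificate created earlier by its friendly name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $friendlyName } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$friendlyName' in LocalMachine\My" }

# Site binding: type https, IP address "All Unassigned" (*), port 443.
& $appcmd set site /site.name:"$site" "/+bindings.[protocol='https',bindingInformation='*:443:']"

# Attach the certificate to the 0.0.0.0:443 listener (what the "Certificate" field does).
netsh http add sslcert ipport=0.0.0.0:443 certhash=$($cert.Thumbprint) "appid=$iisAppId"

# CertSrv: Require SSL and Require 128-bit SSL. Client certificates "Ignore" means
# neither SslNegotiateCert nor SslRequireCert is set.
& $appcmd set config "$site/CertSrv" /section:access /sslFlags:"Ssl,Ssl128" /commit:apphost

# Check the result: the access section for CertSrv and the listener's certificate.
& $appcmd list config "$site/CertSrv" /section:access
netsh http show sslcert ipport=0.0.0.0:443
```

Browsing to http://servername/certsrv should now fail with a 403.4 error, while https://servername/certsrv serves the enrollment pages.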

Tokensmart img49.jpg

Create Users in Active Directory

From the Start Menu, click [Administrative tools], [Active directory Users and Computers].

Tokensmart img50.jpg

From the tree list on the left of the "Active Directory Users and Computers" window, right-click on [(Domain)], [Users], then from the pop-up menu select [New], [User].

Tokensmart img51.jpg

Complete the form for the new user and click [Next].

Tokensmart img52.jpg

Fill in the [Password] and [Confirm password] fields. Choose the corresponding options as needed and click on [Next].

Tokensmart img53.jpg

Verify information about the new user is correct and click [Finish] to close the window.

Tokensmart img54.jpg

Set Access Rights for Certificate Templates

From the Start Menu, click [Run...] or in the search box from the Start Menu, type "certtmpl", without quotation marks, and press [Enter].

Tokensmart img55.jpg

In the "Certificate Templates Console" window, right-click [Smartcard User] from the list on the right and click [Properties].

Tokensmart img56.jpg

Under the [Security] tab, click on [Add] to add a new user to the list.

Tokensmart img57.jpg

Select the user previously created (UniTokenPRO in this example) and click [OK] to apply.

Tokensmart img58.jpg

Back on the [Security] tab, select the newly added user and check [Read] and [Enroll] for the user's permissions. Click on [OK] to finish.

Tokensmart img59.jpg

From the Start Menu, click on [Administrative Tools], [Certification Authority].

Tokensmart img60.jpg

On the "Certification Authority" window, right-click on [Certificate Template], and select [New], [Certificate Template to Issue].

Tokensmart img61.jpg

Under the "Enable Certificate Templates" window, select [Smartcard User] and click [OK] to finish.
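The permission and issuance steps of this section can also be done from the command line. This is an added example, not part of the SecuTech guide; it assumes the domain account EXAMPLE\UniTokenPRO (placeholder) already exists and that it runs on the CA server as an enterprise administrator.

```powershell
# Added example: command-line equivalent of granting Read + Enroll on the
# "Smartcard User" template and adding it to the CA's issuance list.
$user = "EXAMPLE\UniTokenPRO"    # placeholder: the user created earlier

# Certificate templates live in the Configuration partition of the forest;
# the template's object name is "SmartcardUser" (display name "Smartcard User").
$configNc   = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
$templateDn = "CN=SmartcardUser,CN=Certificate Templates,CN=Public Key Services," +
              "CN=Services,$configNc"

# Security tab: Read (generic read) and the Enroll control access right only.
# Do not grant Write or Full Control; that would let the user edit the template.
dsacls $templateDn /G "${user}:GR"
dsacls $templateDn /G "${user}:CA;Enroll"

# "Certificate Template to Issue": add the template to this CA's issuance list.
certutil -SetCATemplates "+SmartcardUser"

# Verify: the template's ACL and the templates the CA is now willing to issue.
dsacls $templateDn
certutil -CATemplates
```

The `certutil -CATemplates` output should list SmartcardUser; if it does not, the CA service may need a restart (`net stop certsvc` then `net start certsvc`) before the change is visible.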

Tokensmart img62.jpg