
Setting Up the Active Directory Certification Authority

Last updated 1 month ago

Overview

To enable passwordless login via virtual smart cards, each user needs a logon certificate issued by a Certification Authority (CA) that the domain trusts. In a Windows domain environment this role is typically performed by an Active Directory Certification Authority (AD CS). Setting up the CA ensures that each user's virtual smart card holds a valid certificate that the domain controller can validate during workstation login. The domain controllers themselves must also hold a certificate from a trusted CA (an Enterprise CA issues it through its Domain Controller or Kerberos Authentication template), which the workstation uses to verify the logon exchange. This step establishes the trust between the workstation, the user's smart card credentials, and the domain controller.

Without a properly configured CA, the system cannot issue or validate the certificates required for virtual smart card authentication.

Preconditions

Before you configure the certificate template for passwordless login using virtual smart cards, ensure the following prerequisites are met:

  1. Active Directory Certificate Services (AD CS) is installed and configured.

  • The Certification Authority (CA) role must be installed on your server.

  • The CA must be configured as an Enterprise CA. A Standalone CA is not supported for smart card logon, because only an Enterprise CA issues certificates from templates stored in Active Directory and has its certificate published to the NTAuth store that domain controllers consult for logon.

  2. You are logged in as a Domain Administrator or equivalent.

  • The account must have permissions to manage certificate templates and to publish new ones on the CA.

The Certification Authority (CA) can be installed either on a domain controller or on a separate, domain-joined member server. The steps in this guide assume that you have access to the server where the CA role is installed, whichever of the two it is.

Setting Up the Active Directory Certification Authority

  1. Sign in to the Certification Authority (CA) server using a Domain Administrator account.

  2. Launch MMC (mmc.exe) via Run or Start Menu.

  3. Go to File → Add/Remove Snap-in.

  4. In the available snap-ins list, click Certificate Templates, and then click Add.

  5. Certificate Templates is now located under Console Root in the MMC. Double-click it to view all the available certificate templates.

  6. Right-click the Smartcard Logon template, and click Duplicate Template.

  7. On the Compatibility tab, under Certification Authority, review the selection, and change it if needed. Leaving the default keeps the provider list that step 10 relies on; if you raise the compatibility level, the Cryptography tab shows a Provider Category selector instead, and the provider named in step 10 is offered only when Legacy Cryptographic Service Provider is selected there.

  8. On the General tab:

    1. Specify a name, such as TPM Virtual Smart Card Logon.

    2. Set the validity period to the desired value.

  9. On the Request Handling tab:

    1. Set the Purpose to Signature and smartcard logon.

    2. Click Prompt the user during enrollment.

  10. On the Cryptography tab:

    1. Set the minimum key size to 2048.

    2. Click Requests must use one of the following providers, and then select Microsoft Base Smart Card Crypto Provider.

  11. On the Security tab, add the security group that should be able to request this certificate and grant it Enroll permission. For example, to allow all users, select the Authenticated Users group and tick Enroll. Leave the Subject Name tab at its default (Build from this Active Directory information, with the user principal name included as an alternate subject name): the domain controller maps the certificate to the user account through that UPN, and a template that lets the requester supply the subject name while a broad group holds Enroll would let any member request a logon certificate for an arbitrary account.

  12. Click OK to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.

  13. Select File, then click Add/Remove Snap-in to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located (typically Local Computer, since you are signed in to the CA server).

  14. In the left pane of the MMC, expand Certification Authority (Local), and then expand your CA within the Certification Authority list.

  15. Right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  16. From the list, select the new template that you just created (TPM Virtual Smart Card Logon), and then click OK. Note: It can take some time for your template to replicate to all servers and become available in this list.

  17. After the template replicates, in the MMC, right-click the name of your CA, click All Tasks, and then click Stop Service. Right-click the CA name again, click All Tasks, and then click Start Service. Restarting the service makes the CA reload its list of issuable templates.
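The following PowerShell script is an added example and is not part of the Hideez guide or its tooling. It checks the preconditions listed above (CA role installed, Enterprise CA, administrative account), verifies that the duplicated template as stored in Active Directory carries the settings that matter for domain smart card logon (Smart Card Logon and Client Authentication EKUs, 2048-bit minimum key, UPN built from AD rather than supplied by the requester), and then performs steps 15 to 17 from the command line. It assumes the template's Template name (its AD object name, not the display name) is TPMVirtualSmartCardLogon and that the ADCSAdministration and ActiveDirectory modules are available on the CA server; adjust $TemplateName if you chose a different name.

```powershell
# Added example, not part of the Hideez guide: verifies the preconditions,
# checks the duplicated template in AD and publishes it on the Enterprise CA.
# Run in an elevated PowerShell session on the CA server.
#Requires -RunAsAdministrator
$TemplateName = 'TPMVirtualSmartCardLogon'   # assumed Template name (AD cn), not the display name

Import-Module ServerManager, ADCSAdministration, ActiveDirectory -ErrorAction Stop

# ---- Preconditions ---------------------------------------------------------
# The Certification Authority role must be installed on this server.
if (-not (Get-WindowsFeature -Name ADCS-Cert-Authority).Installed) {
    throw 'The AD CS Certification Authority role is not installed on this server.'
}

# Smart card logon needs an Enterprise CA: only an Enterprise CA issues from AD
# templates and has its certificate in the NTAuth store the DC checks.
$caInfo = (certutil -CAInfo type | Out-String)
if ($caInfo -notmatch 'Enterprise') {
    throw "This CA is not an Enterprise CA. certutil reports: $($caInfo.Trim())"
}

# The guide allows a Domain Admin "or equivalent", so only warn here.
$domainAdminsSid = (Get-ADGroup -Identity 'Domain Admins').SID.Value
$tokenGroups = [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object Value
if ($tokenGroups -notcontains $domainAdminsSid) {
    Write-Warning 'Not running as a Domain Admin; template management may fail.'
}

# ---- Verify the duplicated template as stored in Active Directory ----------
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$tplDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"
$tpl   = Get-ADObject -Identity $tplDN -Properties displayName, pKIExtendedKeyUsage,
             'msPKI-Minimal-Key-Size', 'msPKI-Certificate-Name-Flag'

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # required for Kerberos PKINIT logon
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'
$ENROLLEE_SUPPLIES_SUBJECT = 0x00000001         # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
$SUBJECT_ALT_REQUIRE_UPN   = 0x02000000         # CT_FLAG_SUBJECT_ALT_REQUIRE_UPN

$problems = @()
foreach ($eku in $SmartCardLogonEku, $ClientAuthEku) {
    if ($tpl.pKIExtendedKeyUsage -notcontains $eku) { $problems += "missing EKU $eku" }
}
if ($tpl.'msPKI-Minimal-Key-Size' -lt 2048) {
    $problems += "minimum key size is $($tpl.'msPKI-Minimal-Key-Size'), expected 2048 (step 10)"
}
# The DC maps the certificate to the account through the UPN in the SAN, so the
# UPN must come from AD. Letting the requester supply the subject on a template
# that Authenticated Users can enroll would let any user obtain a logon
# certificate for any account.
$nameFlags = [int]$tpl.'msPKI-Certificate-Name-Flag'
if ($nameFlags -band $ENROLLEE_SUPPLIES_SUBJECT) { $problems += 'requester may supply the subject name' }
if (-not ($nameFlags -band $SUBJECT_ALT_REQUIRE_UPN)) { $problems += 'UPN is not included in the SAN' }
if ($problems) {
    throw "Template '$($tpl.displayName)' is not suitable for smart card logon: $($problems -join '; ')"
}

# ---- Publish the template on the CA (steps 15 to 17) -----------------------
if (Get-CATemplate | Where-Object Name -eq $TemplateName) {
    Write-Host "Template $TemplateName is already published on this CA."
} else {
    try {
        Add-CATemplate -Name $TemplateName -Force
    } catch {
        # A freshly created template may not have replicated yet to the DC
        # this CA talks to (note at step 16); wait and rerun in that case.
        throw "Could not publish $TemplateName (replication may be pending): $_"
    }
    # Same effect as step 17: stop and start the CA service so it reloads its template list.
    Restart-Service -Name CertSvc
}

# Final check from the CA's point of view: the template is listed as issuable.
certutil -CATemplates | Select-String -Pattern $TemplateName
```

The template checks read the object under CN=Certificate Templates in the configuration partition, which is what the CA itself consults, so they reflect what will actually be issued rather than what the MMC dialog last displayed. If the script stops on the Enterprise CA check, the CA must be reinstalled as an Enterprise CA; the remaining steps cannot be completed on a Standalone CA.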

Learn more: Installing the Certification Authority on Windows Server (Microsoft Docs)