Controlling Access to a Realm without an Authentication Server by Using Device Profiles and Client
03/26/2020 4 11705
DESCRIPTION: Controlling Access to a Realm without an Authentication Server by Using Device Profiles and Client Certificates
This article demonstrates how to configure the appliance for null authentication, and then use a client certificate as a device watermark. The client certificates used in this article have been issued by a Microsoft Certification Authority server.
Use the following procedure to import a CA root certificate into the appliance, configure the zone and device profile, assign it to a realm/community, request a client certificate, and install the certificate on the client machine. It is assumed you already have a realm configured without an authentication server.
Importing the CA Root Certificate
You must first obtain a CA root certificate. For the Microsoft CA Service, follow this procedure:
Open the Certification Authority MMC.
Right-click on the name of the CA and then select Properties.
On the General tab, highlight the CA certificate you want and click View Certificate.
Click the Details tab, and then click Copy to File.
Export the certificate as a Base-64 encoded X.509 file (.CER) file.
In AMC, select SSL Settings, and then click Edit in the CA Certificates section.
Browse to the file that was created earlier and select it.
Under the Usage section, enable the Device profiling (End Point Control) check box.
Creating the Zone and Device Profile
In AMC, select End Point Control.
Click New, and then select Standard Zone.
Type a name for the zone.
Under All Profiles, click New.
Select Microsoft Windows.
Type a name for the profile.
Under Add attribute(s), select Client Certificate from the Type drop-down list.
Select the appropriate certificate vendor from the Vendor list.
Enable the System store and user store check box next to Look in: section.
Click Add to Current Attributes.
Click Save. The window closes.
On the Zone Definition page, select the profile you just created, and then click the >> button to assign it to the In Use field.
Assign the Zone to a Community
From the list of standard zones, select the client certificate zone you just created, and then click the >> button to assign it to the In Use field.
Apply these changes.
Requesting and Installing a Client Certificate from the Microsoft CA Server
Using Internet Explorer, go to the address of your Microsoft CA server.
Click Request a certificate.
Click advanced certificate request.
Click Create and submit a request to this CA.
Select User under the Certificate Template drop-down list.
Select Mark keys as exportable and Enable strong private key protection.
Click the Submit > button at the bottom of the page.
When prompted, click Yes to the message that discusses allowing trusted sites to request certificates for you.
Click OK to the Creating a new RSA exchange key.
Click Install this certificate and then click Yes to the warnings.
Using the same certificate on multiple clients
If you want to copy this certificate to multiple clients, you can export it from the browser store from which it was first installed.
Launch Internet Explorer.
Click on Tools and then choose Internet Options.
Click on the Content tab.
Select the Personal tab, and then select the appropriate certificate.
Select the Yes, export the private key option, and then click Next.
Select the following options for Export File Format:
Personal Information Exchange PKCS #12 (.pfx)
Include all certificates in the certification path, if possible
Enable Strong Protection.
Enter a password and then select a location and name for the certificate file.
Finish the export of the certificate.
The resulting .pfx file can be imported to any Windows client from the same location from which it was exported.
Because the realm is configured with no authentication server, you can set up a Deny Zone for users who do not have the client certificate.