Controlling Access to a Realm without an Authentication Server by Using Device Profiles and Client

03/26/2020 4 10017

DESCRIPTION:
Controlling Access to a Realm without an Authentication Server by Using Device Profiles and Client Certificates

RESOLUTION:

Overview

Procedure

Importing the CA Root Certificate

You must first obtain a CA root certificate.  For the Microsoft CA Service, follow this procedure:

1. Open the Certification Authority MMC.
2. Right-click on the name of the CA and then select Properties.
3. On the General tab, highlight the CA certificate you want and click View Certificate.
4. Click the Details tab, and then click Copy to File.
5. Export the certificate as a Base-64 encoded X.509 file (.CER) file.
6. In AMC, select SSL Settings, and then click Edit in the CA Certificates section.
7. Click New.
8. Browse to the file that was created earlier and select it.
9. Under the Usage section, enable the Device profiling (End Point Control) check box.
10. Click Import.

Creating the Zone and Device Profile

1. In AMC, select End Point Control.
2. Click New, and then select Standard Zone.
3. Type a name for the zone.
4. Under All Profiles, click New.
5. Select Microsoft Windows.
6. Type a name for the profile.
7. Under Add attribute(s), select Client Certificate from the Type drop-down list.
8. Select the appropriate certificate vendor from the Vendor list.
9. Enable the System store and user store check box next to Look in: section.
10. Click Add to Current Attributes.
11. Click Save. The window closes.
12. On the Zone Definition page, select the profile you just created, and then click the >> button to assign it to the In Use field.
13. Click Save.

Assign the Zone to a Community

1. From the list of standard zones, select the client certificate zone you just created, and then click the >> button to assign it to the In Use field.
2. Click OK.
3. Click Save.
4. Apply these changes.

Requesting and Installing a Client Certificate from the Microsoft CA Server

1. Using Internet Explorer, go to the address of your Microsoft CA server.
2. Click Request a certificate.
3. Click advanced certificate request.
4. Click Create and submit a request to this CA.
5. Select User under the Certificate Template drop-down list.
6. Select Mark keys as exportable and Enable strong private key protection.
7. Click the Submit > button at the bottom of the page.
8. When prompted, click Yes to the message that discusses allowing trusted sites to request certificates for you.
9. Click OK to the Creating a new RSA exchange key.
10. Click Install this certificate and then click Yes to the warnings.

Using the same certificate on multiple clients

If you want to copy this certificate to multiple clients, you can export it from the browser store from which it was first installed.

1. Launch Internet Explorer.
2. Click on Tools and then choose Internet Options.
3. Click on the Content tab.
4. Click Certificates.
5. Select the Personal tab, and then select the appropriate certificate.
6. Click Export.
7. Click Next.
8. Select the Yes, export the private key option, and then click Next.
9. Select the following options for Export File Format:
   • Personal Information Exchange PKCS #12 (.pfx)
   • Include all certificates in the certification path, if possible
   • Enable Strong Protection.
10. Click Next.
11. Enter a password and then select a location and name for the certificate file.
12. Finish the export of the certificate.
13. The resulting .pfx file can be imported to any Windows client from the same location from which it was exported.

Going further

Because the realm is configured with no authentication server, you can set up a Deny Zone for users who do not have the client certificate.