{"id":445,"date":"2013-10-06T20:20:28","date_gmt":"2013-10-07T01:20:28","guid":{"rendered":"https:\/\/www.softwareab.net\/wordpress\/?p=445"},"modified":"2013-10-06T20:20:28","modified_gmt":"2013-10-07T01:20:28","slug":"cac-integration-with-w2k8r2-active-directory","status":"publish","type":"post","link":"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/","title":{"rendered":"CAC Integration with W2K8R2 Active Directory"},"content":{"rendered":"<h3>SmartCard (CAC) Integration<\/h3>\n<p>Integrating Active Directory with CAC requires a number of steps. A good online reference is at <a href=\"http:\/\/support.microsoft.com\/kb\/281245\">Microsoft KB281245<\/a> (pre Server 2008 but still valuable). For rebuild purposes, use the following sections.<\/p>\n<p><!--more--><\/p>\n<h4>Setup Local Windows Enterprise Certificate Authority<\/h4>\n<p>The instructions for the NTP \/ Standalone CA walked thru in our test lab use the openssl standalone CA used to support our local certs. However, smartcard support has very specific requirements for a special \u00e2\u20ac\u0153Domain Controller Certificate\u00e2\u20ac\u009d which is documented at <a href=\"http:\/\/support.microsoft.com\/kb\/291010\">Microsoft KB291010<\/a>. Unfortunately, the openssl implementation as of this writing (11 FEB 13) does not support the extensions required for the Domain Controller Certificate. Thus, to use CAC authentication requires a Microsoft CA to be installed.<\/p>\n<ol>\n<li>On a dedicated VM (in our Lab we used a server named CALOCAL001CA) install the Active Directory Certificate Services. Because the external standalone openssl CA is used for all Web server certificates, there is no need for the CA Web Enrollment Role Service; just install the Certificate Authority.<\/li>\n<li>Run <code>gpupdate \/force<\/code> on the domain controller after installing the CA. This should ensure that Kerberos will function correctly for a smartcard login.<\/li>\n<li>If you receive Event ID 29 (\u00e2\u20ac\u0153The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons\u00e2\u20ac\u00a6\u00e2\u20ac\u009d) then simply open Computer certificates Personal store and select to request a new certificate.<\/li>\n<li>On the domain controller: open ADSI Edit  and right-click the forest to edit Properties. Within properties, add a UPN suffix of \u00e2\u20ac\u0153mil\u00e2\u20ac\u009d (by itself). The CAC certificates all reference a UPN of [edipi]@mil which must exist as a user on the Active Directory.<\/li>\n<li>OPTIONAL: Within ADUC, create a new OU for CAC users and add CAC logins. Each login will be identified by [edipi]@mil as the login although the Display Name can be anything.<\/li>\n<\/ol>\n<p>This handles setup on local CA and domain controller.<\/p>\n<h4>Setup Certificate Trusts<\/h4>\n<p>For CAC authentication to work, all signing CAs up to the root CA for *each certificate* on the CAC must be trusted. By default on an AGM machine the root DoD CA is trusted (\u00e2\u20ac\u0153DOD CA-2\u00e2\u20ac\u009d root). However, the intermediate certificates can be a pain. For example: On a current CAC as of 11 FEB 13, the signing CA is \u00e2\u20ac\u0153DOD CA-30\u00e2\u20ac\u009d which is relatively new and was not on many of the domain members. Get down the latest DoD root certs from DISA if necessary!<br \/>\nFollow these steps:<\/p>\n<ol>\n<li>On one computer within the domain, use the <code>certutil -dspublish -f [cert_file] NtAuthCA<\/code> command for all necessary intermediate CAs *and* the root CA. Once completed, run <code>gpupdate \/force<\/code> on the local computer and then open <code>regedit<\/code> to check the value of the <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EnterpriseCertificates\\NTAuth\\Certificates<\/code> entry for the certificate thumbprints. (Use the Certificates snapin to get the thumbprints for the DoD certs you mapped.)<\/li>\n<li>Within the Certificates snapin for the local computer, check both the intermediate CAs as well as the trusted root CAs containers to verify that all the necessary DoD certificates exist.<\/li>\n<li>IMPORTANT: The CAC has three certs on it, and Windows Logon may use *any* of these three. So be sure to look at the signing chain for each certificate and validate that all CAs are in both the <code>NtAuthCA<\/code> store (per step #1 above) as well as in the intermediate \/ root CAs in the Certificates snapin. This is only confusing if you do not remember that \u00e2\u20ac\u201c from an OS perspective \u00e2\u20ac\u201c all three certificates are exactly alike because all three have the same UPN of [edipi]@mil. Thus, any one of the three could be used for a given login attempt.<\/li>\n<li>Be sure to check the \u00e2\u20ac\u0153Allow login from Remote Desktop\u00e2\u20ac\u009d security privilege; by default, only Administrators can login via RDP. Check that the CAC user within AD has RDP login privilege.<\/li>\n<\/ol>\n<p>At this point it should be possible to login to the client box. First try logging in with the AD user [edipi]@mil and a password; if that works then try logging in with CAC. Both should function. Enjoy!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SmartCard (CAC) Integration Integrating Active Directory with CAC requires a number of steps. A good online reference is at Microsoft KB281245 (pre Server 2008 but still valuable). For rebuild purposes, use the following sections.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[43],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.2 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>CAC Integration with W2K8R2 Active Directory - softwareab<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CAC Integration with W2K8R2 Active Directory - softwareab\" \/>\n<meta property=\"og:description\" content=\"SmartCard (CAC) Integration Integrating Active Directory with CAC requires a number of steps. A good online reference is at Microsoft KB281245 (pre Server 2008 but still valuable). For rebuild purposes, use the following sections.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/\" \/>\n<meta property=\"og:site_name\" content=\"softwareab\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cloudraticsolutions\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/cloudraticsolutions\/\" \/>\n<meta property=\"article:published_time\" content=\"2013-10-07T01:20:28+00:00\" \/>\n<meta name=\"author\" content=\"Andrew Bruce\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@realcloudratics\" \/>\n<meta name=\"twitter:site\" content=\"@realcloudratics\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Andrew Bruce\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/\"},\"author\":{\"name\":\"Andrew Bruce\",\"@id\":\"https:\/\/www.softwareab.net\/wordpress\/#\/schema\/person\/1337443eaeb75104e0410b508e67f600\"},\"headline\":\"CAC Integration with W2K8R2 Active Directory\",\"datePublished\":\"2013-10-07T01:20:28+00:00\",\"dateModified\":\"2013-10-07T01:20:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/\"},\"wordCount\":653,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.softwareab.net\/wordpress\/#\/schema\/person\/1337443eaeb75104e0410b508e67f600\"},\"keywords\":[\"CAC\"],\"articleSection\":[\"Windows Server\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/\",\"url\":\"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/\",\"name\":\"CAC Integration with W2K8R2 Active Directory - softwareab\",\"isPartOf\":{\"@id\":\"https:\/\/www.softwareab.net\/wordpress\/#website\"},\"datePublished\":\"2013-10-07T01:20:28+00:00\",\"dateModified\":\"2013-10-07T01:20:28+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.softwareab.net\/wordpress\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CAC\",\"item\":\"https:\/\/www.softwareab.net\/wordpress\/tag\/cac\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"CAC Integration with W2K8R2 Active Directory\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.softwareab.net\/wordpress\/#website\",\"url\":\"https:\/\/www.softwareab.net\/wordpress\/\",\"name\":\"softwareab\",\"description\":\"Technocratica, Technopolitik, Technophobia\",\"publisher\":{\"@id\":\"https:\/\/www.softwareab.net\/wordpress\/#\/schema\/person\/1337443eaeb75104e0410b508e67f600\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.softwareab.net\/wordpress\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/www.softwareab.net\/wordpress\/#\/schema\/person\/1337443eaeb75104e0410b508e67f600\",\"name\":\"Andrew Bruce\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.softwareab.net\/wordpress\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.softwareab.net\/wordpress\/wp-content\/uploads\/2024\/03\/andy-cartoon.jpg\",\"contentUrl\":\"https:\/\/www.softwareab.net\/wordpress\/wp-content\/uploads\/2024\/03\/andy-cartoon.jpg\",\"width\":400,\"height\":330,\"caption\":\"Andrew Bruce\"},\"logo\":{\"@id\":\"https:\/\/www.softwareab.net\/wordpress\/#\/schema\/person\/image\/\"},\"description\":\"Team-oriented systems mentor with deep knowledge of numerous software methodologies, technologies, languages, and operating systems. Excited about turning emerging technology into working production-ready systems. Focused on moving software teams to a higher level of world-class application development. Specialties:Software analysis and development...Product management through the entire lifecycle...Discrete product integration specialist!\",\"sameAs\":[\"http:\/\/cloudraticsolutions.net\/\",\"https:\/\/www.facebook.com\/cloudraticsolutions\/\",\"https:\/\/twitter.com\/realcloudratics\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CAC Integration with W2K8R2 Active Directory - softwareab","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/","og_locale":"en_US","og_type":"article","og_title":"CAC Integration with W2K8R2 Active Directory - softwareab","og_description":"SmartCard (CAC) Integration Integrating Active Directory with CAC requires a number of steps. A good online reference is at Microsoft KB281245 (pre Server 2008 but still valuable). For rebuild purposes, use the following sections.","og_url":"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/","og_site_name":"softwareab","article_publisher":"https:\/\/www.facebook.com\/cloudraticsolutions\/","article_author":"https:\/\/www.facebook.com\/cloudraticsolutions\/","article_published_time":"2013-10-07T01:20:28+00:00","author":"Andrew Bruce","twitter_card":"summary_large_image","twitter_creator":"@realcloudratics","twitter_site":"@realcloudratics","twitter_misc":{"Written by":"Andrew Bruce","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/#article","isPartOf":{"@id":"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/"},"author":{"name":"Andrew Bruce","@id":"https:\/\/www.softwareab.net\/wordpress\/#\/schema\/person\/1337443eaeb75104e0410b508e67f600"},"headline":"CAC Integration with W2K8R2 Active Directory","datePublished":"2013-10-07T01:20:28+00:00","dateModified":"2013-10-07T01:20:28+00:00","mainEntityOfPage":{"@id":"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/"},"wordCount":653,"commentCount":0,"publisher":{"@id":"https:\/\/www.softwareab.net\/wordpress\/#\/schema\/person\/1337443eaeb75104e0410b508e67f600"},"keywords":["CAC"],"articleSection":["Windows Server"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/","url":"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/","name":"CAC Integration with W2K8R2 Active Directory - softwareab","isPartOf":{"@id":"https:\/\/www.softwareab.net\/wordpress\/#website"},"datePublished":"2013-10-07T01:20:28+00:00","dateModified":"2013-10-07T01:20:28+00:00","breadcrumb":{"@id":"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.softwareab.net\/wordpress\/cac-integration-with-w2k8r2-active-directory\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.softwareab.net\/wordpress\/"},{"@type":"ListItem","position":2,"name":"CAC","item":"https:\/\/www.softwareab.net\/wordpress\/tag\/cac\/"},{"@type":"ListItem","position":3,"name":"CAC Integration with W2K8R2 Active Directory"}]},{"@type":"WebSite","@id":"https:\/\/www.softwareab.net\/wordpress\/#website","url":"https:\/\/www.softwareab.net\/wordpress\/","name":"softwareab","description":"Technocratica, Technopolitik, Technophobia","publisher":{"@id":"https:\/\/www.softwareab.net\/wordpress\/#\/schema\/person\/1337443eaeb75104e0410b508e67f600"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.softwareab.net\/wordpress\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/www.softwareab.net\/wordpress\/#\/schema\/person\/1337443eaeb75104e0410b508e67f600","name":"Andrew Bruce","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.softwareab.net\/wordpress\/#\/schema\/person\/image\/","url":"https:\/\/www.softwareab.net\/wordpress\/wp-content\/uploads\/2024\/03\/andy-cartoon.jpg","contentUrl":"https:\/\/www.softwareab.net\/wordpress\/wp-content\/uploads\/2024\/03\/andy-cartoon.jpg","width":400,"height":330,"caption":"Andrew Bruce"},"logo":{"@id":"https:\/\/www.softwareab.net\/wordpress\/#\/schema\/person\/image\/"},"description":"Team-oriented systems mentor with deep knowledge of numerous software methodologies, technologies, languages, and operating systems. Excited about turning emerging technology into working production-ready systems. Focused on moving software teams to a higher level of world-class application development. Specialties:Software analysis and development...Product management through the entire lifecycle...Discrete product integration specialist!","sameAs":["http:\/\/cloudraticsolutions.net\/","https:\/\/www.facebook.com\/cloudraticsolutions\/","https:\/\/twitter.com\/realcloudratics"]}]}},"_links":{"self":[{"href":"https:\/\/www.softwareab.net\/wordpress\/wp-json\/wp\/v2\/posts\/445"}],"collection":[{"href":"https:\/\/www.softwareab.net\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.softwareab.net\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.softwareab.net\/wordpress\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.softwareab.net\/wordpress\/wp-json\/wp\/v2\/comments?post=445"}],"version-history":[{"count":1,"href":"https:\/\/www.softwareab.net\/wordpress\/wp-json\/wp\/v2\/posts\/445\/revisions"}],"predecessor-version":[{"id":446,"href":"https:\/\/www.softwareab.net\/wordpress\/wp-json\/wp\/v2\/posts\/445\/revisions\/446"}],"wp:attachment":[{"href":"https:\/\/www.softwareab.net\/wordpress\/wp-json\/wp\/v2\/media?parent=445"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.softwareab.net\/wordpress\/wp-json\/wp\/v2\/categories?post=445"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.softwareab.net\/wordpress\/wp-json\/wp\/v2\/tags?post=445"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}