Using the vSEC:CMS it is possible to create and manage Virtual Credentials (VC) which leverages on Trusted Platform Module (TPM) chip available on most computers.
It is possible to use Microsoft’s built in support for VC in Windows 8 and above (which uses Microsoft’s tpmvscmgr) or you can use Versasec’s vSEC:CMS Virtual Smart Card (vSEC:CMS VSC) product which is supported from Windows 7 and above
vSEC:CMS can be used to manage devices in a centralized model. The centralized model gives greater control of what devices can be issued as VCs as the process of creating and managing the VC is performed and controlled centrally by the operators of the vSEC:CMS.
The article will cover the following:
- Setup a template that will allow you to create and issue a Windows logon certificate to a VC credential;
- Create and issue a VC with a Windows logon certificate on a client;
- Perform Windows logon with the VC.
The PKI used here will be a Microsoft Certificate Authority (CA). If another CA is to be used please refer to the Administration guide for details on configuring a connection to such a CA.
It will be required that at minimum you have already successfully completed the configuration steps described in the article Manage Virtual Credentials using vSEC:CMS User Self-Service. The instructions in this document are applicable regardless of whether you are running the evaluation version or a production version.
Before beginning the configuration it will be necessary to have already successfully completed the instructions in the article Manage Virtual Credentials using vSEC:CMS User Self-Service.
1. From Repository - Device Management - Managed Devices select a device and right click and select Issue.
2. Enter your Operator credential PIN when prompted and click the Manage button.
3. Click the Add button.
In Template name enter an appropriate name for the template.
From the Smart card template to issue drop-down list select the already created template that will be used to issue the VC. The VC template selected here will then only be available from this management task.
Select the Enable username+password logon if it is required to set the local registry key on the device to allow the end user to log onto the device using their Windows domain username and password if the device is already configured to enforce smart card logon. By enabling this setting, the local registry key below will be set to a value of 0
If a GPO is in place that configures the device to enforce smart card logon then the GPO will override the registry key.
Select the Automatically return to former state and enter a timeout period in the field provided. This will set the registry key above back to a value of 1 enforcing smart card logon. This may be required if the device was not issued within an appropriate period of time thereby requiring that the device be returned to its former configured state.
Enable the Launch user self-service after user logon checkbox if it is required to automatically launch the vSEC:CMS User Self-Service (USS) application when the user logs into their device which will allow for a streamlined VC creation and issuance workflow. The USS in this case will need to be configured to run in the client system tray.
Enable the Force logout after issuance and enforce sc logon if it is required to force the user to logout after setting the PIN code for the VC at the end of the issuance workflow through the USS. This would only be required if it is required to enforce Windows smart card logon.
In the Description window a detailed description of the management task template can be added if required.
Enable the Minimize user interaction if it is required to have less end user participation during the self-service issuance flow. This will change the flow from an end user perspective. If this option is enabled the end user will be prompted to enter their authentication credential and their PIN code at the start of the issuance flow. Then the issuance flow will begin with a less intrusive issuance dialog running in the bottom right corner of the user’s screen.
In the Permissions section, it is possible to configure what operator role is allowed to execute the template. Click the Edit button to select from the available roles available on the system.
Click Save to save and close the template.
From Repository - Device Management - Managed Devices an Operator selects a device and right clicks and selects Issue.
Enter your Operator credential PIN when prompted and select the template from Select card template drop-down list and click Perform.
In this example we will presume that the client is online at this time and correctly configured to connect to the backend. The Operator should get a success message when the Perform message is sent.
On the client side the USS should be running in the system tray.
When the client receives the RSDM message to trigger the issuance the flow will begin. Click Issue to start the issuance.
Enter the domain credentials of the user to authenticate.
At the end of the process you will be prompted to enter a PIN for the credential to complete the flow.
Once you complete this then the credential can be used to log onto your domain environment.