Introduction

This article will describe how you can setup and use vSEC:CMS to issue and manage your Windows Hello for Business (WHfB) credential. While WHfB can be used "as is" for basic Windows logon use, vSEC:CMS allows users to fully leverage its capabilities for strong authentication (2FA) and PKI. Using vSEC:CMS the basics WHfB features can be extended to:

• Leverage vSEC:CMS Multiple Role support to manage additional credentials within WHfB container;
• Full lifecycle management of WHfB credentials issued through vSEC:CMS;
• Revocation and renewal of credentials possible;
• Supports a wide range of CA vendors;
• Full traceability of all credentials issued in WHfB container.

The article will detail an example scenario with the following configuration undertaken:

• Setup a template that will allow you to (all inside a WHfB container):

1. Create and issue a Windows logon certificate for the primary Windows account;

2. Create and issue a Windows logon certificate for the privilege Windows account;

3. Create, issue and archive an encryption certificate for the primary Windows account;

• Log onto a Windows client using the WHfB credential.

Server-Side Configuration

This section will detail the steps that need to be performed on the server-side for vSEC:CMS.

Self-Service Connection

If you don’t have a connection for self-service already set up then from Options - Connections click the Add button and select User Self-Service and click Ok. Enable the Enable gRPC checkbox as we will use gRPC for this article.

Depending on your environment settings enter a hostname and port to listen on. You can also setup support for SSL if you wish to use HTTPS for secure communication between the client and server. If you use SSL it is important that the HostIP address field is entered with the name of the server as it appears in the SSL certificate. The SSL certificate should be a machine certificate available on the vSEC:CMS server.

Make sure that the vSEC:CMS - User Self-Service service is running after you configure this in Windows services.

Remote Security Device Management Connection

If you don’t have a connection for Remote Security Device Management (RSDM) service already set up then from Options - Connections click the Add button and select RSDM Service and click Ok. Enable the Enable gRPC checkbox as we will use gRPC for this article.

Depending on your environment settings enter a hostname and port to listen on. You can also setup support for SSL if you wish to use HTTPS for secure communication between the client and server. If you use SSL it is important that the HostIP address field is entered with the name of the server as it appears in the SSL certificate. The SSL certificate should be a machine certificate available on the vSEC:CMS server.

Make sure that the vSEC:CMS - RSDM Service service is running after you configure this in Windows services.

Credential Configuration

1. From Options - Device Management enable Enable automatic device registration checkbox.

Make sure Force collecting certificates checkbox is not checked.

2. From Templates - Card Templates click the Add button.

Click the Edit link beside General. Enter a template name. Select Windows Hello for Business (WHfB) for Card type.

In the Features section enable Support multiple role(s) checkbox.

Click the Manage button beside Self-service using the following template. Click the Add button. Enter a template name and enable Self-issuance enabled and Retire card enabled checkboxes. From the User Authentication for PIN Unblock drop-down list select Use windows credentials to authenticate user. Leave all other settings as is and click the Save button to save and close.

Click Close and from the main General dialog enable Self-service using the following template and from the drop-down list select the template just created. Leave all other settings as is and click Ok to save and close the dialog.

3. Click the Edit link beside Issue Card. Select Issue by user(s) radio button.

Click the Configure button in the User ID Options section. Select the AD connection already configured from User ID from drop down list and select Current logged on windows credentials from Authenticate user using dropdown list. Click Ok to save and close.

Click the Roles button. Here we will configure a rule that will use the selected primary users DN (during the issuance) and determine the user's privilege Windows account from it. This Windows account will then be issued with a Windows logon certificate during the issuance flow. Click the Manage button. Enter a template name and select Generate (Generated ID from distinguished name (DN)). In the User DN field enter CN and in the Suffix field enter _Admin. Click Save to save and close. For example, in this rule, if the primary user’s DN is:

CN=Bob Smith,OU=CMS Users,DC=vs-lab,DC=com

then vSEC:CMS will try to find a user:

CN=Bob Smith_Admin,OU=CMS Users,DC=vs-lab,DC=com

Add the rule and click Ok to save and close.

Click the Manage button for Primary card PIN options and click Add. Enter a name for the PIN policy and select VSC (Windows Virtual Smart Card) and configure a policy that will be applied for the WHfB container. Click Save to save and close.

Enable the checkbox Apply PIN policy and select the policy just created from the drop down list.

In the Enroll Certificate Options section enable Enroll certificate(s) checkbox and click the Add button. Select an encryption certificate template for Standard User ID and enable Archive key checkbox and click Ok to save and close. In the WHfB Settings enable the Gesture Required if it is required to provide your configured gesture (PIN, finger print or face) every time you need to access the certificate on the container. 

Click the Add button again and select Admin Role from the User ID dropdown list. Select a Windows logon certificate and click Ok to save and close.

Leave all other settings as is and scroll down to the bottom of the dialog and click Ok to save and close.

Click Ok to save and close the template configuration dialog.

4. From Repository – Device Management - Enrollment Configuration select the credential template just created from the available dropdown list.

Click the Add user or group button to select a Windows group that the user is a member of such that when such a user logs on, the WHfB automatic issuance will be triggered.

Client-Side Configuration

This section will detail the steps that need to be performed on the client-side for vSEC:CMS.

Install Client Components

On a client machine it will be necessary to install the vSEC:CMS User Self-Service (USS) and the vSEC:CMS Remote Security Device Management (RSDM) application. Use the vSEC:CMS Client MSI to install these components. It is recommended to install silently as it is possible to pass in the URL link to the backend vSEC:CMS server that the USS and RSDM need to communicate with. This will remove the requirement to manually configure the USS and RSDM to communicate with the backend in this case.

Open a command Window as administrator and change to location where the MSI installer is located.

Where USSGRPC and RSDMGRPC point to the backend services where vSEC:CMS is installed and USSPCL=4 and RSDMPCL=4 configure the client to use gRPC.

Enable WHfB in USS

By default My WHfB page is not available from the USS. This will need to be enabled. Open a command window and go to the location where the USS is installed. Typically this will be here C:\Program Files (x86)\Versasec\vSEC_CMS Self-service.

From the Permissions tab select My WHfB and click Delete.

Select My WHfB and make sure that Viewable+Execute is selected from the dropdown list and click Add.

Select Close to save and close.

Enable WHfB in Registry

It will be necessary to enable registry keys on the client in order to be able to use this feature. In [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Versatile Security\vSEC_CMS_RSDM\Service] add 2 DWORD entries named cms.issuance.mngmt.enabled and cms.rsdm.whfb.mngmt.enabled and give them both a value of 1.

Issue Credential

When a user now logs onto the client and the user is a member of the Windows group and the USS is running in the system tray then the WHfB issuance flow will be triggered.

Click Issue to continue.

Select Set up PIN

Enter the domain credentials to authenticate the user.

The WHfB container will now be created and issued with a Windows logon certificate for the primary user. Select Ok when this stage completes.

Now the USS will continue to issue a Windows logon certificate for the privileged user that is derived from the rule configured in the template. Additionally an archived encryption certificate will be issued for the primary user. A short summary dialog will appear at the end of the flow.

You can view the WHfB container and the certificates that are managed by vSEC:CMS by right clicking on the system tray icon and selecting Start.

From My WHfB page you can see details on the certificates managed by vSEC:CMS. From here you can change the PIN and retire the WHfB container which will result in removing the credential from the client and revoke the certificates on the CA.

Additionally you can remove the WHfB container from the server side if required. This can be done from the Lifecycle page and searching for the user and deleting the credential. This will result in the local WHfB credential being removed.

You will now be able to log onto the client using your WHfB credential.