This article will describe how vSEC:CMS can be used to manage credentials across multiple domains and/or forests. There may be environments where users reside in two different domains/forests where each domain/forest has their own CA. The users need certificate credentials to securely access the different domains/forests. Using vSEC:CMS it is possible to issue multiple credentials so the user can access the different domains/forests.
We will use an example scenario to describe how this can be done with vSEC:CMS. In this example scenario we will have 2 different domains and 2 different CAs. We will use Microsoft CA for this scenario. We will use the multi-role feature in vSEC:CMS to issue the user with multiple credentials.
It is presumed that at minimum the article Setup Evaluation Version of vSEC:CMS has been successfully completed.
Configure AD Connection
The first step will be to add the 2nd AD connector from the other domain/forest. From Options - Connections select Active Directory. Select Add and enter a template name. Since the 2nd AD is not connected we need to add the connection details in the Server field and enter the AD account/password that we will connect with.Click Test to ensure connectivity to this AD. Click Save to save and close.
Configure CA Connection
The next step will be to add the CA connection for the 2nd CA. Before we do that you should issue a pfx on this CA for a user who will be used as the Enrollment Agent for this CA inside vSEC:CMS. You will need to then open MMC as the Windows account that vSEC:CMS service runs under and import the pfx for the personal certificate store of this Windows user.
From Options - Connections click Add and select Certificate Authorities and click Ok.
Enter a template name and from the drop-down list select Windows CA (Microsoft Enterprise Certification Authority). Click the Select CA button to select how to connect to the domain controller where we retrieve the CA details. As the vSEC:CMS is not on the domain then select the Use specific server and enter the details of the domain controller you wish to connect to along with a Windows account and password. Click Ok to save and close.You should see now the CA details in the Enterprise CA Server dialog. To ensure you are communicating with the CA you can click the Templates button and select Show all checkbox and click the Update button and you should see all the CA templates that are available in your environment.
The Windows account used here should have appropriate permissions on the CA to connect to it. It is expected that the person setting this up has appropriate skills and expertise in MS CA to know what credentials to use here.
In the Enrollment Agent section enable Sign server side checkbox and in the drop down box select the certificate that was imported as a pfx earlier. Click Save to save and close the dialog.
Configure Credential Template
From Templates - Card Templates click the Add button.
Click the Edit link beside General. Enter a template name. Presuming that you are using one of the minidriver credentials that is supported by vSEC:CMS select Minidriver (Generic minidriver card) for Card type. Since we will use the multi-role feature here enable Supports multiple role(s).
Leave all other settings as default and click Ok to close and save.
Click the Edit link beside Issue Card. In the User ID Options section enable Assign user ID and select the AD connection that the primary user will be selected from in the drop-down list.
Click the Role(s) button and click Manage. Click on Add and enter a template name. In the first drop-down box select Select (Manually select user) and then select the 2nd AD connection that we will manually select the user from when issuing later. Click Save to close and save the template.
Click Close and select the role from the Role templates drop-down box and Add it to Roles configured and click Ok.
In the Enroll Certificate Options section enable Enroll certificate(s) checkbox and click the Add button. Select Standard User ID from User ID drop-down box. In the Certificate authority drop-down box select the CA from the domain/forest that vSEC:CMS is installed on and select the certificate that we are going to issue from the Certificate template list. Click Ok to save and close
Leave all other settings as is and scroll down to the bottom of the dialog and click Ok to save and close.
From the Lifecycle page attach a blank credential to your host. If it is a credential that is supported by vSEC:CMS you should see the reader and the credential similar to below.
Depending on the credential that you are testing with it will be necessary to have the appropriate credential drivers installed on your host. Please check with the credential provider that you have the correct credential drivers installed.
Click the Issued oval and select the template from Select card template drop-down list and click Execute.
You will be prompted to enter your Operator passcode before the issuance will begin. Then you will be prompted to select the primary user from AD that the credential will be issued to. Select the user and at the end of the process you will get a short summary dialog of what operations were performed.
The credential will now show as Issued. The credential PIN by default will be blocked. You will need to set a PIN before you can use the credential. Click the Active oval followed by the Execute button. You will be prompted to authenticate again and then set a PIN that meets the policy supported on the credential.
Finally we need to issue the second credential for the 2nd domain/forest. Navigate to Actions - Certificate(s)/keys and select the certificate template from the 2nd CA that we want to use and click the Issue button.
Select the role we configured earlier and select this in the User ID drop-down box. In the Certificate authority drop-down box select the CA from the 2nd domain/forest and select the template from Certificate template list. Click Ok to start the issuance process.
You will be prompted to select the user from the 2nd domain/forest that we will issue the certificate to. At the end of the process you will see an additional credential issued.
Once you complete this then the credential can be used to log onto either domain.