yosi

Reputation: 45

Windows certificate interactive logon

I'm trying to log on to a domain-joined computer using a certificate only. I wonder if it's possible; I read a lot on smart cards and virtual smart cards, and both require a PIN code. From what I understand, Kerberos allows authentication using a PKI certificate, so the basic question is: is it possible to log the user in to the domain using a certificate only? Thanks

Upvotes: 0

Views: 1882

Answers (1)

Steve

Reputation: 4623

Yes. You need to deploy a CA that can issue certificates for users, and configure Active Directory to support certificate authentication. This involves registering a KDC certificate on each Domain Controller and issuing certificates to users. Certificates for interactive logon can be stored in smart cards or TPMs for classic authentication scenarios, as well as used with e.g. Windows Hello for more modern scenarios.

The basic process is along these lines:

  1. Spin up a Certificate Authority and generate the Kerberos/user auth/smart card certificate templates (Example steps)
  2. Request certificates for each DC for KDC auth
  3. Request certificates for a given user (enroll the cert on a smart card)

From there you can require certificates for interactive logons on a per-user basis. There are a bunch of guides on how to do this, such as the one linked above.

Upvotes: 1
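A way to verify steps 2 and 3 of the process above from the command line, as an added example that is not part of the original answer: it checks that the DC it runs on holds a valid KDC Authentication certificate with its private key, and inspects an exported user certificate for the Smart Card Logon / Client Authentication EKUs and the UPN subject alternative name that Kerberos PKINIT logon relies on. It assumes an elevated PowerShell session on a Domain Controller and a hypothetical exported user certificate at `C:\temp\user.cer`.

```powershell
# Added example (not from the original answer or from any product documentation).
# Well-known OIDs used by Windows certificate logon:
$KdcAuthEku        = '1.3.6.1.5.2.3.5'          # KDC Authentication (DC side)
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon (user side)
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # Client Authentication (user side)
$SanOid            = '2.5.29.17'                # Subject Alternative Name extension

function Test-KdcCertificate {
    # Returns the DC's usable KDC Authentication certificate(s) from the machine
    # store, or nothing if none is installed: the sign that step 2 is incomplete.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.EnhancedKeyUsageList.ObjectId -contains $KdcAuthEku -and
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date)
        }
}

function Test-LogonCertificate {
    # Summarises whether an exported user certificate carries what interactive
    # certificate logon needs. Path is a hypothetical exported .cer file.
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $ekus = $cert.EnhancedKeyUsageList.ObjectId
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    # Windows renders the UPN other-name entry as "Principal Name=user@domain"
    $sanText = if ($san) { $san.Format($true) } else { '' }

    [pscustomobject]@{
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        Expired           = $cert.NotAfter -lt (Get-Date)
        HasSmartCardLogon = [bool]($ekus -contains $SmartCardLogonEku)
        HasClientAuth     = [bool]($ekus -contains $ClientAuthEku)
        HasUpnSan         = [bool]($sanText -match 'Principal Name=')
    }
}

# Usage (assumed paths/session):
$kdc = Test-KdcCertificate
if (-not $kdc) { Write-Warning 'No valid KDC Authentication certificate on this DC.' }
else { $kdc | Select-Object Subject, NotAfter, Thumbprint }

Test-LogonCertificate -Path 'C:\temp\user.cer'
```

A user certificate reported with `HasSmartCardLogon` or `HasClientAuth` false, or `HasUpnSan` false, will not be accepted for interactive logon even though a PIN-less store holds it; `certutil -dcinfo verify` gives the built-in view of the DC-side certificates.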
