Pre-installation
The following configurations need to be performed in sequence by the STA administrators in order to use the Passwordless Windows Logon feature:
Simple Certificate Enrollment Protocol (SCEP) Service Setup
SCEP is used to automate the issuance of PKI certificates. There are two ways to add the certificate template and set up the required AD CS:
- Through Utility: The ADCS_SetupForPwdlessDesktopLogon.zip utility consists of two PowerShell scripts that need to be executed.
- Manually: The overall SCEP service setup involves the following tasks:
Configuring Active Directory Certificate Services (AD CS)
Proceed with the default or existing configuration of AD CS with a valid Root CA, and then perform the steps mentioned in the following sections to configure the SCEP service.
Creating Certificate Template
On the domain server, a template needs to be created for the certificate that will be used later. Perform the following steps to create the SCEP certificate template that will fulfill the devices' SCEP requests:
- Navigate to the Server Manager.
- Click Tools, and then click Certification Authority.
- Double-click the CA name, right-click Certificate Templates, and then click Manage.
- On the Certificate Templates Console, right-click Smartcard Logon, and then click Duplicate Template.
- On the General tab:
  - In the Template display name field, specify a name, for example, SmartCardLogonTemplateTest. Ensure that the template name does not contain any whitespace.
  - Set the Validity period to the desired value. Recommended: 1 year.
- On the Request Handling tab:
  - Set the Purpose to Signature and smartcard logon.
  - Select Prompt the user during enrollment.
- On the Cryptography tab:
  - Set the Minimum key size to 2048.
  - Select Requests must use one of the following providers, and then select Microsoft Base Smart Card Crypto Provider.
- On the Security tab, add the security group that should receive Enroll access. For example, to give access to all users, select the Authenticated Users group, and then grant it the Enroll permission.
- Under Subject Name, select Supply in the request, and then click Apply.
- Click OK.
Now, after the certificate template is created successfully, it needs to be issued.
Issuing Certificate Template
Perform the following steps to issue the certificate template created above:
- On the Server Manager, under Certificate Authority, right-click Certificate Template, and then click New > Certificate Template to Issue.
- On the Enable Certificate Templates window, select SmartCardLogonTemplateTest, and then click OK.
- Restart the Certificate Authority service.
Configuring SCEP Service
Before configuring the SCEP service, create a user in AD (for example, ndes-user) that is a member of the IIS_IUSRS and Domain Admins groups.
As a prerequisite, ensure that the SCEP endpoints are accessible from the Windows machine where WLA is installed. Configuring the SCEP service involves the following steps:
Adding Network Device Enrollment Service (NDES) Role
It is recommended to install and configure the NDES Role on a server other than the machine where AD CS is installed.
To add the NDES Role on the server machine, perform the following steps:
- Navigate to the Server Manager. At the top pane, on the right-hand side, click Manage > Add Roles and Features.
- On the Add Roles and Features Wizard, in the left pane, click Role Services, and then select the Certification Authority Web Enrollment and Network Device Enrollment Service role services for Active Directory Certificate Services (AD CS).
- Click Next.
- Under Confirmation, click Install.
- Click Restart.
- Under Results, after verifying the successful installation, click Close.
Now, the newly created NDES Role needs to be configured in AD CS.
Configuring Network Device Enrollment Service (NDES) Role
Perform the following steps to configure the NDES Role that you created in the previous section:
- Navigate to the Server Manager. At the top pane, on the right-hand side, click the Warning icon, and then click the Configure Active Directory Certificate Services on the destination server link.
- On the AD CS Configuration window, under Credentials, click Next.
- Under Role Services, select Network Device Enrollment Service, and then click Next.
- Under Service Account for NDES, in the Specify service account (recommended) field, click Select to select the user (for example, ndes-user) that was created earlier.
- Click Next.
- On the confirmation pop-up window, when asked whether to add another role service, click No.
- Under RA Information, enter the required details, and then click Next.
- Under Confirmation, click Configure.
- Under Results, click Close.
- Restart the IIS server.
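After the IIS restart, the prerequisite from the Configuring SCEP Service section (that the SCEP endpoint is reachable from the machine where WLA will be installed) can be checked with the following PowerShell, added here as an example and not part of the STA documentation. The FQDN is a placeholder, and the GetCACaps query is the standard SCEP capability request from RFC 8894, not a check the STA documentation prescribes.

```powershell
# Added example (not part of the STA documentation): from the machine where the
# SafeNet Agent for Windows Logon will run, confirm that the SCEP endpoint
# (URL format from the STA-side Setup section) resolves and answers over HTTPS.
$ScepUrl = 'https://ndes.example.com/certsrv/mscep/mscep.dll'   # assumed placeholder FQDN
$uri = [Uri]$ScepUrl

# 1. Name resolution: separate a DNS problem from an HTTP/TLS one
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($uri.Host) | ForEach-Object IPAddressToString
    Write-Host "$($uri.Host) resolves to: $($addrs -join ', ')"
} catch {
    throw "DNS resolution failed for $($uri.Host): $($_.Exception.Message)"
}

# 2. GetCACaps is the standard SCEP capability query (RFC 8894); NDES serves it from mscep.dll
$capsUrl = "${ScepUrl}?operation=GetCACaps&message=test"
try {
    $resp = Invoke-WebRequest -Uri $capsUrl -UseBasicParsing -TimeoutSec 15
    Write-Host "HTTP $($resp.StatusCode) from $capsUrl"
    Write-Host "CA capabilities:`n$($resp.Content)"
} catch {
    $status = $null
    if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    if ($status) {
        # The host answered, so the endpoint is reachable; a non-2xx status means the
        # request was refused (for example by the SafeNet SCEP Adaptor once it is installed)
        Write-Host "Endpoint reachable but request refused: HTTP $status"
    } else {
        # No HTTP response at all: firewall, TLS trust, or IIS not serving this path
        throw "No response from $($uri.Host): $($_.Exception.Message)"
    }
}
```

A TLS trust failure also lands in the "No response" branch, so check that the WLA machine trusts the certificate presented by the IIS server before looking at firewalls.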
Configuring Certificate Template in SCEP
The SCEP service stores its configuration settings in the registry of the machine where the SCEP service is configured. All settings are stored under the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP

Setting | Description | Accepted Values
---|---|---
EnforcePassword\EnforcePassword | Enables or disables the use of a password for MSCEP. Set it to 0 to enable the passwordless configuration. | 1 (Default): MSCEP requires a password for enrollment requests. 0: Passwords are not enforced.
GeneralPurposeTemplate | If this value is set, the service uses the named certificate template when the device sends an enrollment request with an empty or 0xa0 value for the KeyUsage extension. If it is not set, the service uses the default template listed under Accepted Values. | IPSECIntermediateOffline (Default). <Created template name>: the template name created earlier, for example, SmartCardLogonTemplateTest.
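The two settings in the table can be applied and read back with the following PowerShell, added here as an example and not part of the STA documentation. The template name is assumed to be the one created earlier; run it in an elevated session on the NDES server.

```powershell
# Added example (not part of the STA documentation): apply and verify the two
# MSCEP registry settings from the table above on the NDES/SCEP server.
$MscepKey     = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$TemplateName = 'SmartCardLogonTemplateTest'   # assumed: the template created earlier

# The template is referenced by name, and the page requires a name without whitespace
if ($TemplateName -match '\s') {
    throw "Template name must not contain whitespace: '$TemplateName'"
}
if (-not (Test-Path $MscepKey)) {
    throw "$MscepKey not found: is NDES installed on this machine?"
}

# EnforcePassword is a DWORD value inside its own subkey, MSCEP\EnforcePassword
$EnforceKey = Join-Path $MscepKey 'EnforcePassword'
if (-not (Test-Path $EnforceKey)) { New-Item -Path $EnforceKey -Force | Out-Null }
Set-ItemProperty -Path $EnforceKey -Name 'EnforcePassword' -Value 0 -Type DWord

# GeneralPurposeTemplate is a string value directly under MSCEP
Set-ItemProperty -Path $MscepKey -Name 'GeneralPurposeTemplate' -Value $TemplateName -Type String

# Read both values back so a typo in the key path is caught now, not at first enrollment
$enforce  = (Get-ItemProperty -Path $EnforceKey -Name 'EnforcePassword').EnforcePassword
$template = (Get-ItemProperty -Path $MscepKey -Name 'GeneralPurposeTemplate').GeneralPurposeTemplate
[PSCustomObject]@{ EnforcePassword = $enforce; GeneralPurposeTemplate = $template } | Format-List

if ($enforce -ne 0 -or $template -cne $TemplateName) {
    throw 'MSCEP registry settings were not applied as expected.'
}

# NDES reads these values when IIS starts, so restart IIS for them to take effect
iisreset
```

With EnforcePassword set to 0, the SafeNet SCEP Adaptor installed later is what keeps unauthorized requests away from the SCEP service, so complete that installation before relying on the endpoint.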
STA-side Setup
This section explains the steps that are required to configure the Passwordless Windows Logon feature through STA:
Application Setup
Perform the following process to obtain the installation and configuration files for an initial installation:
1. Log in to STA as an operator.
2. On the STA console, in the top right-hand corner, click the drop-down and select the required virtual server account.
3. Click the Applications tab.
4. Click Add Application (if no applications are added) or + (displayed next to Applications) to add an application. The Add Application window is displayed with a list of available applications.
5. Select Windows Logon from the list of available applications. Enter a Display Name (any custom name can be used), and then click Add.
6. Navigate to the Windows Logon application that you created above.
7. Under Agent Setup, select the Allow passwordless authentication check box to allow the agent to proceed with passwordless-specific configurations and settings. Now, under Agent Setup, the following passwordless-specific configurations will be available:
   - Server Setup
   - Passwordless authentication settings
8. Under Server Setup, click Download Package to download the SafeNet SCEP Adaptor installation and configuration file. The following components will be downloaded:
   - Installation file (SafeNet SCEP Adaptor)
   - Configuration file (Safenet_SCEP_Adaptor_Config_<date>.config file)
   These downloaded files are used to install the SafeNet SCEP Adaptor on the IIS server for secure communication between the SafeNet Agent for Windows Logon and the SCEP endpoints. We recommend keeping both the installation and configuration files in the same folder on the machine where the SCEP service is configured.
9. Under Passwordless authentication settings, enter the details in the following fields:
   - SCEP SERVICE URL: Specifies the URL where the SCEP service is installed. For example, https://<FQDN>/certsrv/mscep/mscep.dll, where <FQDN> is the Fully Qualified Domain Name (FQDN) of the machine where the SafeNet SCEP Adaptor is installed.
   - CERTIFICATE AUTHORITY NAME: Specifies the Root CA that is configured during the deployment of AD CS.
   - ENROLLMENT WINDOW: Specifies the number of days in which the user can enroll for the logon certificate. Default: 10. Range: 1-99.
   - RENEWAL WINDOW: Specifies the number of days in which the user can re-enroll for the logon certificate. Default: 21. Range: 1-99.
10. Click Next Step. The configuration will be updated.
11. Under Download and Deploy, click Install Package to download the SafeNet Agent for Windows Logon installation and configuration file. You can click HELP DOCUMENTATION to view the WLA documentation. The following components will be downloaded:
    - Installation file (SafeNet Authentication Service Agent for Win 8-10-2012-2016 x64.msi)
    - Configuration file (.agent file)
    Ensure that both the installation and configuration files are kept in the same folder.
Enable Passwordless Login
To enable passwordless authentication, enable the Passwordless Logon Policy under STA > Policies.
By default, the global logon policy applies to all users of a tenant. However, the passwordless logon policy takes precedence over the global logon policy for the group or groups of users for which it is enabled.
SafeNet SCEP Adaptor Installation and Configuration
The SafeNet SCEP Adaptor protects the SCEP service from unauthorized requests. This section explains the steps involved in installing, configuring, and uninstalling the SafeNet SCEP Adaptor on the machine where the SCEP service is configured.
Ensure that both the installation and configuration files (downloaded in Step 8 of Application Setup) are in the same folder, so that the configuration is detected automatically.
Installing SafeNet SCEP Adaptor
Perform the following steps to install the SafeNet SCEP Adaptor on the server machine where the SCEP service is configured:
- Navigate to the application folder downloaded earlier in Step 8 of Application Setup, and double-click the SafeNet SCEP Adaptor application to launch the installer.
- On the Welcome to the InstallShield Wizard for SafeNet SCEP Adaptor window, click Next.
- On the License Agreement window, read the software license agreement, select the I accept the terms in the license agreement option to proceed, and then click Next.
- On the Customer Information window, perform the following steps:
  - In the User Name field, enter the user name.
  - In the Organization field, enter the name of the organization (any custom name can be used).
  - Click Next.
- On the Destination Folder window, perform one of the following steps:
  - To accept the default installation destination folder, click Next.
  - To change the installation folder from the default one, click Change, browse to locate and select the required folder, and then click Next.
- On the Ready to Install the Program window, click Install.
- Click Next.
- When the installation process completes, the InstallShield Wizard Completed window is displayed. Click Finish.
Configuring SafeNet SCEP Adaptor
After the successful installation, the SafeNet SCEP Adaptor is configured automatically to protect MSCEP endpoints.
Customizing Log Level and Log Path
Perform the following steps to customize the logging level and the log file location:
Logging Level
- Navigate to <SafeNet SCEP Adaptor installation folder> > bin > Default_Web_Site.
- Open the AuthISAPI_Generic.ini file for editing.
- Modify the value of the LogLevel field as required. For example, 5.
  The log levels are:
  1 – Critical: Very severe error events that might cause the application to terminate.
  2 – Error: Error events that prevent normal program execution, but might still allow the application to continue running.
  3 – Warning: (Default) Potentially harmful error events.
  4 – Info: Informational error events that highlight the progress of the application.
  5 – Debug: Detailed tracing error events that are useful to debug an application. (Recommended)
- Save the AuthISAPI_Generic.ini file and close it.
- Restart the IIS server.
Log File Location
- Navigate to <SafeNet SCEP Adaptor installation folder> > bin > Default_Web_Site.
- Open the AuthISAPI_Generic.ini file for editing.
- Modify the LogFile field to change the logging path (the location where the log files are saved) as required.
- Save the AuthISAPI_Generic.ini file and close it.
- Restart the IIS server.
Uninstalling SafeNet SCEP Adaptor
To uninstall the SafeNet SCEP Adaptor, perform the following steps:
- Navigate to Start > Control Panel > Programs > Programs and Features.
- Right-click the SafeNet SCEP Adaptor program.
- Click Uninstall.
After the uninstallation completes, the SafeNet SCEP Adaptor is removed.