Configuring an Active Directory Certification Authority

How does passwordless authentication work?

It is based on Microsoft Virtual Smart Card technology - which allows you to log in to domain accounts using smart cards, not physical but virtual. As with regular smart cards, this is possible if you set up a domain controller and certification authority. A virtual smart card is created on a workstation using the TPM module.

When initializing a virtual smart card, part of the information required to log in to the account (smart card credentials) is transferred to the mobile application and stored there. During the logon, the user scans the QR code on the computer screen, which allows you to establish a connection between the computer and the phone, after which the smart card credentials are transferred to the computer and then PC is unlocked.

Active Directory Certification Authority setup

On Certification Authority, you need to create a template for the certificate that you will request for the virtual smart card.

To create the certificate template:

  1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type mmc.exe from the Start menu, right-click mmc.exe, and click Run as administrator.

  2. Certificate Templates is now located under Console Root in the MMC. Double-click it to view all the available certificate templates.

  3. On the General tab:

    1. Specify a name, such as TPM Virtual Smart Card Logon.

    2. Set the validity period to the desired value.

  4. On the Request Handling tab:

    1. Set the Purpose to Signature and smartcard logon.

    2. Click Prompt the user during enrollment.

  5. On the Cryptography tab:

    1. Set the minimum key size to 2048.

    2. Click Requests must use one of the following providers, and then select Microsoft Base Smart Card Crypto Provider.

  6. On the Security tab, add the security group that you want to give Enroll access to. For example, if you want to give access to all users, select the Authenticated users group, and then select Enroll permissions for them.

  7. Click OK to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.

  8. In the left pane of the MMC, expand Certification Authority (Local), and then expand your CA within the Certification Authority list.