I have been having some “fun” this week in exploring two-factor authentication possibilities for Macintosh and Windows 7 clients when connecting to Server 2008 and Server 2003 resources, especially via RDP. Findings so far:
All Smart Cards are not created Equal:
- Microsoft released a new Cryptographic API (CNG) with Vista/Server 2008. This API allows Smart Cards to use the “Microsoft Smart Card Key Storage Provider” CSP (which, apparently, is part of the MS “Base CSP”), instead of a vendor-specific CSP, when generating certificates for Smart Card-based logon. You must still install a driver for each Smart Card, but very often these drivers are available though Windows Update.
- Aladdin/SafeNet eTokens do not support CNG, so you cannot use CNG-based Certificate Templates (i.e. Server 2008-compatible templates) when issuing Smart Card Logon certificates to Aladdin eTokens. Thus, you must make sure that any Certificate Template that you use for Smart Cards are compatible with Server 2003 or earlier. You also will need a software stack including the eToken CSP and drivers before you will be able to perform Smart Card login using an eToken.
- Gemalto .NET Smart Cards do support CNG, so you can use CNG certificate templates with these Smart Cards.
- RSA SecurID Hybrid Authenticators do not appear to support CNG, according to their (dated) product data sheet, so I expect you would need a custom CSP to use these for Windows Logon, too.
- PGP Desktop can be configured to use keys stored on a Smart Card to unlock PGP-WDE encrypted drives. However, only a few vendor’s Smart Cards are supported in this capacity, probably because PGP has hard-coded in support for only a few CSPs:
- Aladdin eToken devices are supported both for WDE sign-on and for Administrator Key storage.
- RSA Smart Cards are supported for WDS sign-on only
- Gemalto Smart Cards are not supported at all.
Web Service Enrollment was dead:
- Most how-to sites you visit on certificate enrollment and smart card logon (including one in Tech Net) state that you should set up a Certificate Enrollment Agent Workstation to use the Web Services interface on your MS Certificate Server. Guess what? The procedures do not work anymore on Server 2008:
- Server 2008 R2 has a new Web Enrollment interface that supports Smart Card enrollment from Vista/Win7 workstations. Ban the use of Server 2008 R1!
- Use the “Certificates” MMC snap-in in place of web enrollment if you must run Server 2008 (R1).
RDGateway – Smart Card Authentication requires trust:
- Smart Card auth to our Remote Desktop Gateway Load Balancing cluster (based on F5) was failing. Apparenly something about the SSL-offload configuration was creating a trustworthiness problem, and this was preventing Kerberos/Smart Card authentication from working. We switched to a TCP/Layer-4 forwarding config, and now Smart Card authorization works just fine. Note that the config that works is not the one that was recommended by F5. They are big into TCP offload over there. The thing is, for Kerberos and Smart Cards to work in an SSL-offload config, you need F5′s expensive Advanced Client Authenticaiton module. I do not need more cost and complexity, so we will keep things simple this time.