
Configuring Active Directory for Passwordless Login

Active Directory Certificate Services (AD CS) is used to perform certificate-based logon, i.e., smart card logon, once the user has completed setup in the Monofor Identity mobile application.

The configuration required on the Domain Controller (DC) for passwordless logon is divided into three steps:

  • Configure the Enrollment Agent certificate template

  • Configure the User certificate template

  • Enable both the Enrollment Agent and User certificate templates on the CA

1. Configure the Enrollment Agent Certificate Template

Open the Microsoft Management Console (MMC): Run → mmc (this launches Console Root).

Click File, then click Add/Remove Snap-in.

Select “Certificate Templates”, click the “Add” button, then click OK.

The console now shows all certificate templates in your directory. Expand Certificate Templates, find “Enrollment Agent”, right-click it and select Duplicate Template.

On the “General” tab, enter the following Template display name and Template name exactly as shown. The names matter, so check them carefully.

General tab

  Field                   Value
  Template display name   Monofor Identity - Enrollment
  Template name           MonoforIdentityEnrollment

On the “Request Handling” tab, set Purpose to “Signature and smartcard logon” and click “Yes” on the warning screen.

On the “Security” tab, select “Authenticated Users” in the list and tick “Allow” for “Enroll”.

SYSTEM must also be in the list. If it is not, click “Add”, type “SYSTEM” and click OK.

“SYSTEM” now appears in the list. Select “SYSTEM” and tick “Allow” for “Enroll” as well.

Keep in mind that any principal allowed to enroll for an enrollment agent certificate can then request logon certificates on behalf of other users. Review who holds this permission, and once the deployment works consider restricting enrollment agents in the CA properties (Enrollment Agents tab) to the accounts and templates Monofor Identity actually uses.

One last setting on this template: on the “Subject Name” tab, set Subject name format to “None”.

Click Apply.

2. Configure the User Certificate Template

Next, we need a user certificate template. Find the “User” template in the list, right-click it and select Duplicate Template.

As before, on the “General” tab, enter the following Template display name and Template name exactly as shown. Note that these names differ from the ones used in step 1.

General tab

  Field                   Value
  Template display name   Monofor Identity - Client
  Template name           MonoforIdentityClient

On the “Security” tab, add SYSTEM as you did before. Both “Authenticated Users” and “SYSTEM” must have “Allow” ticked for “Enroll”.

The final result should look like this:

  Authenticated Users - Enroll - Allow

  SYSTEM - Enroll - Allow

On the “Request Handling” tab, set Purpose to “Signature and smartcard logon” again and click “Yes” when the warning appears.

On the “Subject Name” tab, set “Subject name format” to “None” again.

Then uncheck “E-mail name” in the “Include this information in alternate subject name” section. Leave “User principal name (UPN)” checked: smart card logon maps the certificate to the account through the UPN in the subject alternative name.

Now open the “Issuance Requirements” tab. This is the last section to configure on the certificate templates.

Check “This number of authorized signatures” and set the value to 1.

In the “Application policy” drop-down, select “Certificate Request Agent”. With this setting the CA only issues a client certificate when the request is co-signed by an enrollment agent certificate, such as one issued from the template configured in step 1.

Click Apply.

3. Enabling both Enrollment Agent and User Certificate Templates in Certificate Authority (CA)

Press Win+R (or click Start, then Run), type certsrv.msc and click OK.

In the Certification Authority console, right-click “Certificate Templates”, select New and then “Certificate Template to Issue”.

Find and select both “Monofor Identity - Client” and “Monofor Identity - Enrollment” in the list (hold Ctrl or Shift to select more than one entry) and click OK.

Both templates now appear in the Certificate Templates list.

That’s it. The CA side of the passwordless logon configuration is complete.
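The following script is an added verification example and is not part of Monofor’s documentation or product. It reads the two templates from the Configuration partition and checks the settings the three steps above produce: the smart card logon purpose, Subject name format “None”, the Enroll permission for Authenticated Users and SYSTEM, the UPN-only subject alternative name and the one-signature Certificate Request Agent issuance requirement on the client template, and publication of both templates on every enterprise CA. It assumes the RSAT ActiveDirectory module (which supplies Get-ADObject and the AD: drive used by Get-Acl) on a domain-joined host with read access to the Configuration partition; the EKU OIDs, the Enroll right GUID and the msPKI-Certificate-Name-Flag bit values are the published Microsoft constants.

```powershell
# Added verification script; not Monofor's own code. Assumes the RSAT
# ActiveDirectory module on a domain-joined host with read access to the
# Configuration partition. Template names are the ones this page defines.
Import-Module ActiveDirectory

$EkuCertRequestAgent = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent
$EkuSmartCardLogon   = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$EnrollRightGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # "Enroll" extended right
# msPKI-Certificate-Name-Flag bits (MS-CRTD)
$SanUpn        = 0x02000000   # CT_FLAG_SUBJECT_ALT_REQUIRE_UPN
$SanEmail      = 0x04000000   # CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL
$SubjectFormat = 0xC0000000   # DIRECTORY_PATH | COMMON_NAME; both clear when format is "None"

$config  = (Get-ADRootDSE).configurationNamingContext
$tplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
$caBase  = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$config"
$props   = 'pKIExtendedKeyUsage', 'msPKI-RA-Signature',
           'msPKI-RA-Application-Policies', 'msPKI-Certificate-Name-Flag'

$script:Failures = [System.Collections.Generic.List[string]]::new()
function Check([string]$label, [bool]$ok) {
    if (-not $ok) { $script:Failures.Add($label) }
}

function Get-Template([string]$name) {
    Get-ADObject -SearchBase $tplBase -LDAPFilter "(cn=$name)" -Properties $props
}

function Get-EnrollPrincipals([string]$dn) {
    # Identities holding an Allow ACE for the Enroll extended right on the template object
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    (Get-Acl "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights.HasFlag($extRight) -and
                       $_.ObjectType -eq $EnrollRightGuid } |
        ForEach-Object { $_.IdentityReference.Value }
}

function Test-CommonRules($t, [string]$name) {
    # Settings both templates share: purpose, subject name format, Enroll permissions
    $flags  = [int64]$t.'msPKI-Certificate-Name-Flag' -band 0xFFFFFFFF
    $enroll = @(Get-EnrollPrincipals $t.DistinguishedName)
    Check "${name}: purpose includes Smart Card Logon EKU" (@($t.pKIExtendedKeyUsage) -contains $EkuSmartCardLogon)
    Check "${name}: Subject name format is None" (($flags -band $SubjectFormat) -eq 0)
    Check "${name}: Authenticated Users may Enroll" ($enroll -contains 'NT AUTHORITY\Authenticated Users')
    Check "${name}: SYSTEM may Enroll" ($enroll -contains 'NT AUTHORITY\SYSTEM')
}

function Test-MonoforTemplates {
    $script:Failures.Clear()

    # Step 1: enrollment agent template
    $agent = Get-Template 'MonoforIdentityEnrollment'
    if ($agent) {
        Test-CommonRules $agent 'MonoforIdentityEnrollment'
        # The client template's issuance requirement demands a co-signature carrying this EKU
        Check 'MonoforIdentityEnrollment: keeps Certificate Request Agent EKU' (@($agent.pKIExtendedKeyUsage) -contains $EkuCertRequestAgent)
    } else { Check 'MonoforIdentityEnrollment: template exists' $false }

    # Step 2: client (smart card logon) template
    $client = Get-Template 'MonoforIdentityClient'
    if ($client) {
        Test-CommonRules $client 'MonoforIdentityClient'
        $flags = [int64]$client.'msPKI-Certificate-Name-Flag' -band 0xFFFFFFFF
        Check 'MonoforIdentityClient: UPN still in SAN (logon mapping)' (($flags -band $SanUpn) -ne 0)
        Check 'MonoforIdentityClient: E-mail name removed from SAN' (($flags -band $SanEmail) -eq 0)
        Check 'MonoforIdentityClient: one authorized signature required' ([int]$client.'msPKI-RA-Signature' -eq 1)
        Check 'MonoforIdentityClient: signature must carry Certificate Request Agent policy' ([string]$client.'msPKI-RA-Application-Policies' -like "*$EkuCertRequestAgent*")
    } else { Check 'MonoforIdentityClient: template exists' $false }

    # Step 3: both templates published on every enterprise CA in the forest
    foreach ($ca in Get-ADObject -SearchBase $caBase -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates) {
        foreach ($n in 'MonoforIdentityEnrollment', 'MonoforIdentityClient') {
            Check "CA $($ca.Name): publishes $n" (@($ca.certificateTemplates) -contains $n)
        }
    }
    return $script:Failures
}

$failures = Test-MonoforTemplates
if ($failures.Count -eq 0) { 'All Monofor template checks passed' }
else { $failures | ForEach-Object { "FAIL: $_" } }
```

Run it from an elevated PowerShell session on the DC or any host with RSAT; each failed check names the template and the tab setting to revisit. If only the publication checks fail, the templates can also be added to a CA without the console by running `certutil -SetCATemplates +MonoforIdentityClient +MonoforIdentityEnrollment` on that CA.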
