Setting up the Windows Server side to comply with RAS SAML prerequisites

This article is a step-by-step guide for configuring Windows Server to comply with the SAML prerequisites.

Configuring User Account for Enrollment Agent

1. Create an Enrollment Agent user account in AD. Any username can be used (for example, enrolman@domain).

2. Delegate Read & Write permissions on the Alt-Security-Identities attribute to this account (the attribute holds the mappings of X.509 certificates or external Kerberos accounts to a user for authentication purposes), either at the domain level (CN=USERS) or at the OU that contains the accounts of the RAS users who will use SAML.
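The delegation in step 2, as an added PowerShell example that is not part of the original article: it creates the Enrollment Agent account and grants it Read/Write on altSecurityIdentities for the user objects under one OU. The account name, OU path and domain are assumed values; the schema GUIDs are looked up from the forest schema rather than hard-coded.

```powershell
# Added example (not from the original article). Assumed names below:
# 'enrolman' as the Enrollment Agent account, OU=RASUsers as the OU holding the RAS SAML users.
Import-Module ActiveDirectory

$AgentName = 'enrolman'                              # assumed account name
$TargetOu  = 'OU=RASUsers,DC=domain,DC=local'        # assumed OU (or use the domain's CN=Users container)
$Password  = Read-Host -AsSecureString 'Enrollment Agent password'

# 1. Create the Enrollment Agent user if it does not exist yet
if (-not (Get-ADUser -Filter "SamAccountName -eq '$AgentName'")) {
    New-ADUser -Name $AgentName -SamAccountName $AgentName `
        -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
}
$agentSid = (Get-ADUser $AgentName).SID

# 2. Resolve the schema GUIDs of the attribute and of the 'user' class from the schema
#    partition, so no GUID has to be typed by hand
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attrGuid = [guid](Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=altSecurityIdentities)' -Properties schemaIDGUID).schemaIDGUID
$userGuid = [guid](Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

# 3. Add a single ACE: ReadProperty + WriteProperty on that one attribute only,
#    inherited by descendant user objects only (no rights on the OU itself)
$acl  = Get-Acl -Path "AD:\$TargetOu"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $agentSid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# 4. Verify: show only the ACEs on the OU that belong to the agent account.
#    Expect ReadProperty, WriteProperty with ObjectType = $attrGuid and InheritedObjectType = $userGuid.
$agentNt = $agentSid.Translate([System.Security.Principal.NTAccount]).Value
(Get-Acl -Path "AD:\$TargetOu").Access |
    Where-Object { $_.IdentityReference.Value -eq $agentNt } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Run it as a domain administrator on a machine with RSAT installed; the delegated account gets no other rights on the OU, which keeps the Enrollment Agent within least privilege.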

Configuring NLA user account

1. Create the NLAUser user account.
2. The NLAUser account must be a member of the local "Remote Desktop Users" group on the RDS hosts and VDI guests, but at the same time it MUST be prohibited from logging on via RDP. Use a GPO to configure the group membership: create a new GPO or use the "Default Domain Policy" GPO.

Installing and Configuring Active Directory Certificate Services role

  1. In Server Manager, choose Add Roles and Features, select the target server and install the Certification Authority component of the Active Directory Certificate Services role. Reboot the machine if required.

  2. Once the role is installed, configure it: click the post-deployment configuration link shown in Server Manager and proceed with the wizard.

  3. Specify the credentials used for configuring the role.

  4. If you are configuring the environment from scratch, set the CA type to Enterprise and Root. If you already have a Root CA, set up a Subordinate CA instead.

  5. Either create a new private key or use an existing one.

  6. Set the key length to 4096 and name the CA as you wish (the name must differ from the server's hostname).

  7. Specify the validity period and the database locations.

  8. On the Confirmation page, click Configure. Once the configuration succeeds, close the wizard.

Final checks

Go to Administrative Tools > Certification Authority > your CA > Issued Certificates and make sure that the AD CS server and the domain controllers have received certificates.

Configuring Certificate Authority Templates

Create Enrollment Agent Template

  1. Launch the Certification Authority snap-in from Administrative Tools.
  2. Right-click the Certificate Templates node > Manage.
  3. Right-click the Enrollment Agent template > Duplicate Template.
  4. The new template's properties window opens. Configure it as follows:

NOTE: Type the template name PrlsEnrollmentAgent (this name is required).

  5. Right-click the Certificate Templates node, select New and then select "Certificate Template to Issue". Pick the template you just created so that the CA can issue it.

Create Smartcard Logon Certificate Template

  1. Launch the Certification Authority snap-in from Administrative Tools on the CA machine.
  2. Right-click the Certificate Templates node > Manage.
  3. Right-click the Smartcard Logon template > Duplicate Template.
  4. The new template's properties window opens. Configure it as follows:
    • General tab:

NOTE: Type the template name PrlsSmartcardLogon (this name is required).

  5. Right-click the Certificate Templates node, select New and then select "Certificate Template to Issue". Pick the template you just created so that the CA can issue it.

Restarting Active Directory Certificate Services

On the Certification Authority machine, open services.msc and restart the Active Directory Certificate Services service.

Certificate Services connection string

With certutil you can browse all the available CAs; when one is selected, certutil pings it to check whether Certificate Services on that CA is responsive.

1. Execute the command:

certutil -config - -ping

2. Choose the required CA in the window that opens.

3. After you choose a CA, click OK and check the result of the ping test.

Note: The connection string that RAS Enrollment Server needs in order to enroll certificates for users must be in the format reported by certutil, i.e. computer name\CA name.

Issuing PrlsEnrollmentAgent certificate to Enrollment Agent user

1. On the Certification Authority server, open mmc.exe as the Enrollment Agent user you created previously and add the Certificates snap-in.

2. Right-click the Personal folder > All Tasks > Request New Certificate…

3. Select PrlsEnrollmentAgent from the list, click Enroll and proceed with the wizard.
