Setting up the Windows Server side to comply with RAS SAML prerequisites

This article is a step-by-step guide to configuring Windows Server (Active Directory and Active Directory Certificate Services) to meet the prerequisites for RAS SAML authentication.

Configuring User Account for Enrollment Agent

1. Create an Enrollment Agent user account in AD. Any username can be used (for example, enrolman@domain).

2. Delegate to it Read and Write permissions on the altSecurityIdentities attribute (display name Alt-Security-Identities; it holds the mappings of X.509 certificates or external Kerberos accounts to this user for authentication purposes), either at the domain level (CN=Users) or at the level of the OU that contains the user accounts of the RAS users who will use SAML.

Whoever can write altSecurityIdentities on an account can map an arbitrary certificate to that account, so scope the delegation to the OU that actually holds the SAML users rather than to the whole domain, and grant the agent account no other rights.

Note: The Enrollment Agent user account must have the "Allow log on locally" user right on the Enrollment Server.
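The two steps above as an added PowerShell example; it is not part of the original article and not RAS code. It creates the service account and adds a single ACE on one OU that grants Read/Write of altSecurityIdentities only, inherited by user objects only. The account name, UPN suffix and OU distinguished name are assumptions; run it as a domain administrator with the ActiveDirectory module (RSAT) installed.

```powershell
# Added example, not from the original article. Assumed values: the account
# name, the UPN suffix and the OU that holds the RAS users who will use SAML.
Import-Module ActiveDirectory

$agentName = 'enrolman'                          # assumed account name
$upnSuffix = 'domain.local'                      # assumed UPN suffix
$usersOu   = 'OU=RAS Users,DC=domain,DC=local'   # assumed OU, deliberately not the domain root
$password  = Read-Host -AsSecureString -Prompt "Password for $agentName"

# 1. Service account used by the RAS Enrollment Server
New-ADUser -Name $agentName -SamAccountName $agentName `
    -UserPrincipalName "$agentName@$upnSuffix" `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# 2. Schema GUIDs of the altSecurityIdentities attribute and of the user class,
#    looked up in the schema partition rather than hard-coded
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attrGuid = [guid](Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
    -LDAPFilter '(lDAPDisplayName=altSecurityIdentities)').schemaIDGUID
$userGuid = [guid](Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
    -LDAPFilter '(lDAPDisplayName=user)').schemaIDGUID

# 3. One ACE: ReadProperty + WriteProperty on that one attribute, applied to
#    descendant user objects only (nothing on the OU itself or other classes)
$sid  = (Get-ADUser -Identity $agentName).SID
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$usersOu"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$usersOu" -AclObject $acl

# 4. Verify that the agent holds exactly this delegation and nothing broader
(Get-Acl -Path "AD:\$usersOu").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$agentName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The verification output should show one Allow entry with ActiveDirectoryRights of ReadProperty, WriteProperty, ObjectType equal to the altSecurityIdentities GUID and InheritedObjectType equal to the user class GUID; any additional rows mean the account has been over-delegated.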

Configuring NLA user account

1. Create the NLAUser user account. The purpose of this service account is to initiate an RDP session to a host machine, receive the logon error and so trigger the RAS credential provider to supply the user's smart card.
2. The NLAUser account must be a member of the local "Remote Desktop Users" group on RDS hosts and VDI guests.

NOTE: The NLA user username can be anything, but the full UPN must be 20 characters or fewer.

3. At the same time, it MUST be prohibited from logging on via RDP. Use a GPO to configure the group membership and the logon restriction. Create a new GPO (preferably linked only to the OU containing the RDS hosts and VDI guests) or use the "Default Domain Policy" GPO, keeping in mind that the latter applies the settings domain-wide.

Note: The NLA user account must have the "Allow log on locally" user right on the Enrollment Server.
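An added PowerShell example for the NLA account, not part of the original article and not RAS code. It enforces the 20-character UPN limit before creating the account, adds the account to the local "Remote Desktop Users" group on each host, and reports whether the host's effective user-rights assignment also lists the account under "Deny log on through Remote Desktop Services" (SeDenyRemoteInteractiveLogonRight), which is assumed here to be how the GPO implements the "prohibited from logon via RDP" requirement. Account name, UPN suffix and host names are assumptions; it needs the ActiveDirectory module and PowerShell remoting to the hosts.

```powershell
# Added example, not from the original article. Assumed values: account name,
# UPN suffix and the RDS hosts / VDI guests to check. Run as a domain admin
# with the ActiveDirectory module (RSAT) and remoting to the hosts available.
Import-Module ActiveDirectory

$nlaName   = 'NLAUser'
$upnSuffix = 'domain.local'                                   # assumed
$upn       = "$nlaName@$upnSuffix"                            # 20 characters here
$hosts     = @('rds01.domain.local', 'rds02.domain.local')    # assumed hosts

# The article's limit: the full UPN must be 20 characters or fewer
if ($upn.Length -gt 20) {
    throw "UPN '$upn' is $($upn.Length) characters; it must be 20 or fewer."
}

New-ADUser -Name $nlaName -SamAccountName $nlaName -UserPrincipalName $upn `
    -AccountPassword (Read-Host -AsSecureString -Prompt "Password for $nlaName") `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true

$member = "$((Get-ADDomain).NetBIOSName)\$nlaName"
$sid    = (Get-ADUser -Identity $nlaName).SID.Value

# On each host: ensure membership of the local "Remote Desktop Users" group
# (the article does this through GPO; direct membership is the equivalent for
# a handful of hosts) and check whether the SID appears in the effective
# "Deny log on through Remote Desktop Services" assignment.
Invoke-Command -ComputerName $hosts -ArgumentList $member, $sid -ScriptBlock {
    param($member, $sid)
    $group = 'Remote Desktop Users'
    if (-not (Get-LocalGroupMember -Group $group -Member $member -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $group -Member $member
    }

    # Export the effective user-rights assignment and look for the SID in the deny list
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $denyLine = Get-Content $inf | Where-Object { $_ -like 'SeDenyRemoteInteractiveLogonRight*' }
    Remove-Item $inf -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        InRdpUsers     = [bool](Get-LocalGroupMember -Group $group -Member $member -ErrorAction SilentlyContinue)
        DeniedRdpLogon = [bool]($denyLine -and ($denyLine -match [regex]::Escape($sid)))
    }
}
```

Both columns must be True on every host; a host with DeniedRdpLogon False has not received the GPO restriction yet (run gpupdate /force there and re-check), and a host with InRdpUsers False will never reach the RAS credential provider.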


Installing and Configuring Active Directory Certificate Services role

1. In Server Manager choose Add Roles and Features, select the target server and install the Certification Authority component of the Active Directory Certificate Services role.

Reboot the machine if required.

2. Once the role is installed, configure it: click the post-deployment configuration notification (the flag icon) in Server Manager and proceed with the wizard.

3. Specify the credentials used for configuring the role.

4. If you are configuring the environment from scratch, specify the CA type as Enterprise and Root. If you already have a Root CA, set up a Subordinate CA instead.

5. Either create a new private key or use an existing one.

6. Set the key length to 4096 and name the CA as you wish (the name must differ from the server's hostname).

7. Specify the validity period and the database locations.

8. On the Confirmation page click Configure. Once the configuration has succeeded, close the wizard.

Final checks

Go to Administrative Tools > Certification Authority > your CA > Issued Certificates and make sure that the AD CS and DC machines have received certificates.
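The same installation and final check done from PowerShell, as an added example that is not part of the original article. It installs the role, configures an Enterprise Root CA with a 4096-bit key (use -CAType EnterpriseSubordinateCA when a root CA already exists), then verifies that the service answers and lists the certificates the CA has issued. The CA common name, validity period and database paths are assumptions; run it elevated on the intended CA server as an Enterprise Admin.

```powershell
# Added example, not from the original article. CA name, validity and
# directory paths are assumptions; run elevated on the intended CA server.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Enterprise Root CA, 4096-bit RSA key, SHA-256. The CA common name must differ
# from the server's hostname, as the article requires.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'RAS-Issuing-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -DatabaseDirectory 'C:\Windows\system32\CertLog' `
    -LogDirectory 'C:\Windows\system32\CertLog' `
    -Force

# Final checks: the CA service responds, and the certificates already issued
# (Disposition 20 in the CA database) include the AD CS server and the DCs.
certutil -ping
certutil -view -restrict 'Disposition=20' -out 'RequestID,RequesterName,CertificateTemplate,NotAfter'
```

The RequesterName column of the last command should contain the machine accounts (DOMAIN\HOST$) of the CA server and of each domain controller; if a DC is missing, run gpupdate /force and certutil -pulse on that DC before continuing.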

Configuring Certificate Authority Templates

Create an Enrollment Agent Template

1. Launch the Certification Authority snap-in from Administrative Tools.
2. Right-click the Certificate Templates node > Manage.
3. Right-click the Enrollment Agent template > Duplicate Template.
4. The new template properties window opens. Configure it as follows:

NOTE: Type the template name PrlsEnrollmentAgent (this name is required).

A certificate issued from this template lets its holder request certificates on behalf of other users, so on the template's Security tab restrict the Enroll permission to the Enrollment Agent account created earlier.

Create Smartcard Logon Certificate Template

1. Launch the Certification Authority snap-in from Administrative Tools on the CA machine.
2. Right-click the Certificate Templates node > Manage.
3. Right-click the Smartcard Logon template > Duplicate Template.
4. The new template properties window opens. Configure it as follows:
    • General tab:

NOTE: Type the template name PrlsSmartcardLogon (this is the required name).

5. Right-click the Certificate Templates node, select New, and then select "Certificate Template to Issue".

6. Select the templates you just created (PrlsSmartcardLogon and PrlsEnrollmentAgent) and click "OK".

7. The PrlsSmartcardLogon and PrlsEnrollmentAgent templates should now appear in the list.

Restarting Active Directory Certificate Services

On the Certification Authority machine open services.msc and restart the Active Directory Certificate Services service.
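Publishing the two templates and restarting the service (the last steps of the template section and the restart section above) as an added PowerShell example, not part of the original article. It first confirms that both duplicated templates exist in the Configuration partition, then publishes them with certutil, restarts CertSvc and checks that the CA now lists them. Only the two required template names are used; run it elevated on the CA server as a user with Manage CA permission and the ActiveDirectory module available.

```powershell
# Added example, not from the original article. Run elevated on the CA server
# as a user with Manage CA permission. Template names are the ones the
# article requires.
Import-Module ActiveDirectory

$templates = 'PrlsEnrollmentAgent', 'PrlsSmartcardLogon'

# 1. The duplicated templates must already exist in AD (created through the
#    Certificate Templates console); fail early if one is missing or misnamed.
$cfgNc         = (Get-ADRootDSE).configurationNamingContext
$tmplContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
foreach ($t in $templates) {
    if (-not (Get-ADObject -SearchBase $tmplContainer -LDAPFilter "(cn=$t)")) {
        throw "Template '$t' not found in AD; create it with the Certificate Templates console first."
    }
}

# 2. Publish each template on this CA (same effect as "Certificate Template to Issue")
foreach ($t in $templates) {
    certutil -SetCATemplates "+$t"
}

# 3. Restart AD CS so the CA reloads its template list
Restart-Service -Name CertSvc

# 4. Verify: both names appear among the templates this CA will issue
$issued = certutil -CATemplates
foreach ($t in $templates) {
    if ($issued -match "^$t\b") {
        "OK: $t is published"
    } else {
        throw "$t is not published on this CA"
    }
}
```

If step 1 throws for PrlsSmartcardLogon, the usual cause is a trailing space or different capitalisation in the template name typed into the General tab; the name must match exactly.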

Certificate Services connection string

Via certutil you can browse all available CAs; when one is selected, a ping is sent to check whether Certificate Services on that CA is responsive.

1. Execute the command:

certutil -config - -ping

2. Choose the required CA in the window that opens.

3. After you choose a CA, click OK and check the result of the ping test.

Note: The connection string that the RAS Enrollment Server needs in order to enroll certificates for users must be in the format certutil reports for the selected CA, i.e. computer name\CA name.
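A non-interactive equivalent of the three steps above, as an added PowerShell example that is not part of the original article. It reads every enterprise CA registered in AD (the pKIEnrollmentService objects), builds the "computer name\CA name" connection string from each one, and pings each CA with certutil without the selection dialog. It assumes the ActiveDirectory module is available and that the computer name should be the CA's DNS host name as recorded in AD.

```powershell
# Added example, not from the original article. Lists every enterprise CA
# published in AD, builds the "computer name\CA name" connection string the
# RAS Enrollment Server expects, and pings each CA non-interactively.
Import-Module ActiveDirectory

$cfgNc     = (Get-ADRootDSE).configurationNamingContext
$enrollSvc = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNc"

# Each pKIEnrollmentService object: CN = CA name, dNSHostName = CA server
$connectionStrings = Get-ADObject -SearchBase $enrollSvc `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName |
    ForEach-Object { "$($_.dNSHostName)\$($_.Name)" }

foreach ($config in $connectionStrings) {
    # Same check as "certutil -config - -ping", with the CA given explicitly
    $output = certutil -config $config -ping 2>&1
    [pscustomobject]@{
        ConnectionString = $config
        Responsive       = ($LASTEXITCODE -eq 0)
        Detail           = ($output | Select-Object -Last 1)
    }
}
```

Use the ConnectionString value of the CA that reports Responsive True when configuring the RAS Enrollment Server; a CA that is registered in AD but not responsive is typically one whose CertSvc service is stopped or whose host is unreachable over RPC from the machine you are testing from.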

Issuing PrlsEnrollmentAgent certificate to Enrollment Agent user

1. On the Certification Authority server, open mmc.exe as the Enrollment Agent user you created previously and add the Certificates snap-in.

2. Right-click the Personal folder > All Tasks > Request New Certificate…

3. Select PrlsEnrollmentAgent from the list, click Enroll and complete the wizard.
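The same enrollment done from PowerShell, as an added example that is not part of the original article. It must run in a session started as the Enrollment Agent user (for example via runas /user:domain\enrolman powershell.exe); it requests a certificate from the PrlsEnrollmentAgent template into that user's Personal store and then verifies that the issued certificate carries the Certificate Request Agent EKU and an associated private key. The template name is the article's; the domain and account name in the runas hint are assumptions.

```powershell
# Added example, not from the original article. Run in a PowerShell session
# started as the Enrollment Agent user (e.g. runas /user:domain\enrolman
# powershell.exe, names assumed) on a domain-joined machine.
Import-Module PKI

# Request a certificate from the required template into the user's Personal
# store; the enterprise CA is discovered through AD.
$req = Get-Certificate -Template 'PrlsEnrollmentAgent' -CertStoreLocation 'Cert:\CurrentUser\My'

if ($req.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is $($req.Status)"
}

# Verify the certificate carries the Certificate Request Agent EKU
# (OID 1.3.6.1.4.1.311.20.2.1) and that the private key is present.
$cert = $req.Certificate
$eku  = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasAgentEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.20.2.1' })

[pscustomobject]@{
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    HasAgentEku   = $hasAgentEku
    HasPrivateKey = $cert.HasPrivateKey
}
```

If Get-Certificate returns a Pending status, the CA's Policy Module is set to hold requests for manager approval; issue the request in the Certification Authority console (Pending Requests) and run Get-Certificate -Request $req to retrieve it. HasAgentEku False means the duplicated template lost the Certificate Request Agent application policy and must be corrected before the RAS Enrollment Server can use the certificate.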
