Configuring an Active Directory Certification Authority

How does passwordless authentication work?

It is based on Microsoft Virtual Smart Card technology - which allows you to log in to domain accounts using smart cards, not physical but virtual. As with regular smart cards, this is possible if you set up a domain controller and certification authority. A virtual smart card is created on a workstation using the TPM module.

When initializing a virtual smart card, part of the information required to log in to the account (smart card credentials) is transferred to the mobile application and stored there. During the logon, the user scans the QR code on the computer screen, which allows you to establish a connection between the computer and the phone, after which the smart card credentials are transferred to the computer and then PC is unlocked.

Active Directory Certification Authority setup

On Certification Authority, you need to create a template for the certificate that you will request for the virtual smart card.

To create the certificate template:

1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type mmc.exe from the Start menu, right-click mmc.exe, and click Run as administrator.

2. Click File, and then click Add/Remove Snap-in.
3. In the available snap-ins list, click Certificate Templates, and then click Add.
4. Certificate Templates is now located under Console Root in the MMC. Double-click it to view all the available certificate templates.

5. Right-click the Smartcard Logon template, and click Duplicate Template.
6. On the Compatibility tab, under Certification Authority, review the selection, and change it if needed.
7. On the General tab:

   1. Specify a name, such as TPM Virtual Smart Card Logon.

   2. Set the validity period to the desired value.

8. On the Request Handling tab:

   1. Set the Purpose to Signature and smart card logon.

   2. Click Prompt the user during enrollment.

9. On the Cryptography tab:

   1. Set the minimum key size to 2048.

   2. Click Requests must use one of the following providers, and then select Microsoft Base Smart Card Crypto Provider.

10. On the Security tab, add the security group that you want to give Enroll access to. For example, if you want to give access to all users, select the Authenticated users group, and then select Enroll permissions for them.

11. Click OK to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.

12. Select File, then click Add/Remove Snap-in to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably Local Computer.
13. In the left pane of the MMC, expand Certification Authority (Local), and then expand your CA within the Certification Authority list.

14. Right-click Certificate Templates, click New, and then click Certificate Template to Issue.
15. From the list, select the new template that you just created (TPM Virtual Smart Card Logon), and then click OK. Note: It can take some time for your template to replicate to all servers and become available in this list.
16. After the template replicates, in the MMC, right-click in the Certification Authority list, click All Tasks, and then click Stop Service. Then, right-click the name of the CA again, click All Tasks, and then click Start Service.