
Connecting YubiKey Card Authentication (CCID) to MS AD Certificate Services (AD CS)

Appterix makes it easy to create and deploy smart card authentication certificates. Administrators can use an enrollment policy to let users request certificates from their Microsoft Active Directory Certificate Services themselves, for example for Windows authentication, and store them on YubiKeys.

The Certificate-Based Authentication (ZBA) enrollment step allows you to request and obtain a PKI certificate from Active Directory Certificate Services (AD CS) to enable secure login with a YubiKey.
Before adding the ZBA step to YubiKey enrollment, make sure your Active Directory environment is set up with ZBA support.
It is recommended that this process be performed by a qualified domain administrator.
If you encounter any problems during setup or implementation, please refer to the section Certificate-based authentication: FAQs and troubleshooting.

YubiKey compatibility

  • YubiKey 5 FIPS Series
  • YubiKey FIPS (4 Series)
  • YubiKey 5 Series
  • YubiKey 4 Series
  • YubiKey C Bio – Multi-protocol Edition
  • YubiKey Bio – Multi-protocol Edition
  • YubiKey NEO
  • YubiKey NEO-n

Requirements

Before enabling certificate-based authentication for users via enrollment, ensure that:

  1. Active Directory Domain Services (AD DS) is installed to create and manage the Active Directory domain.
    Installation instructions can be found at Installing AD DS.
  2. Any client device designated for certificate-based authentication has joined the domain.
  3. Active Directory Certificate Services (AD CS) is installed to enable certificate issuance. Multiple instances of AD CS can be installed if needed.
    Installation instructions can be found at Installing AD CS.
  4. An AD import source has been created and configured within the respective organization for user synchronization. Instructions for creating and configuring an import source can be found at Create an import source.
  5. The AD Synchronization Service is installed on the required Windows Server and connected to the correct AD import source for your organization.
    See Installing AD Sync Service if the service is not yet installed.

Enable certificate-based authentication via enrollment

Once the connection between EM Platform Server and Active Directory is confirmed and all Requirements have been met, you can enable certificate-based authentication for selected users and/or groups via YubiKey enrollment.

How to add the step to YubiKey enrollment

  1. In the Appterix Management UI, navigate to YubiKey Management > Enrollment.
  2. Click Add Enrollment.
  3. Select the step PIV reset to remove any existing keys and certificates from the YubiKey. A PIV reset wipes every PIV slot and returns the PIN, PUK and management key to their defaults, so use it only on YubiKeys whose current PIV contents are no longer needed.
    -OR-
    Select the step PIV input to verify the PIV credentials during enrollment without deleting any data. The PIV input and PIV reset steps are mutually exclusive; only one of them may be included in a configuration.
  4. Select Certificate-based authentication.
  5. Click the step to edit its settings.
    The dialog box Edit enrollment step appears.
  6. Click the drop-down arrow next to Slot, and then select the required slot.
  7. The option Key generation on the YubiKey is enabled by default and should stay enabled. With it, the key pair is generated inside the YubiKey and the private key never leaves the device; only the public key and the signed certificate request are sent on to AD CS. If you disable it, the key pair is generated in software outside the YubiKey and imported afterwards, so a copy of the private key exists, at least temporarily, where it can be read or exfiltrated.
  8. Click Close.
  9. (Optional) Add additional steps to this YubiKey enrollment if needed.
  10. Assign users, select the preferred enrollment method, and enable or disable automatic enrollment.

The YubiKey enrollment was successfully configured.

Next steps: Certificate enrollment using Appterix Agent

Users who have been assigned this enrollment now see a Start enrollment button next to the respective YubiKey under YubiKeys. When the user completes the enrollment, Appterix Agent creates the certificate request and passes it to Appterix Server / EM Platform Server, which forwards it to your AD CS via the EgoMind AD Sync Service.

Once the certificate has been issued, it is returned to Appterix Agent and written to the YubiKey in the slot selected in step 6; for Windows logon this is Slot 9a (PIV Authentication, not the Card Authentication slot 9e). Appterix Agent also sets the registry entries the Windows client needs, so that at the next Windows logon the user can authenticate with the certificate and the YubiKey PIN (PIV) instead of a password.
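The following PowerShell script is an added example, not part of the Appterix/EgoMind product: it checks that the certificate the YubiKey now holds actually satisfies the Windows smart card logon requirements (logon-capable EKU, UPN in the Subject Alternative Name, private key on the card, chain to a CA that is in the enterprise NTAuth store). It assumes it is run on the domain-joined client as the enrolled user with the YubiKey inserted, and that the Certificate Propagation service has copied the card's certificate into the user's personal store.

```powershell
# Added example (not Appterix/EgoMind code): verify that the certificate written to the YubiKey
# is usable for Windows smart card logon. Run on the domain-joined client, as the enrolled user,
# with the YubiKey inserted. Assumes the Certificate Propagation service has copied the card's
# certificate into the user's personal store (Windows does this when the card is inserted).

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # szOID_KP_SMARTCARD_LOGON
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth

function Test-SmartCardLogonCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $problems = @()

    # 1. Windows requires Smart Card Logon or Client Authentication in the Enhanced Key Usage
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    if (-not ($ekus -contains $SmartCardLogonEku -or $ekus -contains $ClientAuthEku)) {
        $problems += "EKU has neither Smart Card Logon ($SmartCardLogonEku) nor Client Authentication ($ClientAuthEku)"
    }

    # 2. The UPN in the Subject Alternative Name is what maps the certificate to the AD account
    $upn = $null
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and $san.Format($true) -match 'Principal Name=(\S+)') { $upn = $Matches[1] }
    $myUpn = (whoami /upn).Trim()
    if (-not $upn)           { $problems += 'No UPN in the Subject Alternative Name' }
    elseif ($upn -ne $myUpn) { $problems += "Certificate UPN $upn does not match logged-on user $myUpn" }

    # 3. The private key must live on the card (smart card KSP/CSP), not in a software key store
    if (-not $Cert.HasPrivateKey) {
        $problems += 'No private key associated; the card may not be present or not yet propagated'
    } else {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        $provider = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.Provider.Provider }
                    elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { $rsa.CspKeyContainerInfo.ProviderName }
                    else { 'unknown (non-RSA key)' }
        if ($provider -notmatch 'Smart Card') { $problems += "Private key provider is '$provider', expected a smart card provider" }
    }

    # 4. The chain must build, and the issuing CA must be in the enterprise NTAuth store,
    #    otherwise the domain controller rejects the logon even though the certificate is valid
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $problems += 'Chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
    $issuerCn = if ($Cert.Issuer -match 'CN=([^,]+)') { $Matches[1] } else { $Cert.Issuer }
    $ntauth = certutil -enterprise -store NTAuth 2>&1 | Out-String
    if ($ntauth -notmatch [regex]::Escape("CN=$issuerCn")) {
        $problems += "Issuing CA '$issuerCn' is not in the enterprise NTAuth store"
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Upn        = $upn
        Thumbprint = $Cert.Thumbprint
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Check every certificate in the user's personal store that has a private key
Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey |
    ForEach-Object { Test-SmartCardLogonCert $_ } | Format-List
```

If the store is empty although the YubiKey is inserted, `certutil -scinfo` reads the card directly and shows which slot holds the certificate; a certificate that appears there but not in the personal store points at the Certificate Propagation service rather than at the enrollment.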

Certificate-based authentication: FAQs and troubleshooting

This article contains answers to frequently asked questions (FAQs) about setting up and implementing ZBA. To find the answer to your question, press Ctrl + F to open the search function and enter the corresponding keyword in the search field.

Q1: When do I need to generate new credentials for the AD synchronization service?

A: The default credentials are only valid if the AD Sync service was installed using the Appterix installation wizard—this method installs the service on the same server as Appterix and EM Platform Server and automatically connects it to the default import source under the root organization.
If the AD Synchronization Service has been installed manually on a separate server, or is to be used in a non-root organization, new credentials must be generated for the corresponding import source and the AD Synchronization Service reconfigured.

How to reconfigure the connection between EM Platform Server and AD Synchronization Service

  1. Navigate to the following path to open the EM AD Sync Service Control Panel:
    C:\Program Files\EgoMind\EMADSyncService\Utils
  2. Run EMADSyncService.ControlPanel.exe as administrator.
  3. Under Server Connect, fill in the required fields:
    • In the Server URL field, enter the server name in the following format:
      • For on-premises installations: https://<server name>/administration
      • For users of the cloud-based solution: https://administration.appterix.eu
  4. Click Apply to save the changes.

Q2: Why does synchronization fail or not start?

A: This is usually due to configuration or connection problems.

Recommended checks:

  • Verify that the account password is correctly specified in the AD import configuration.
    Note that after a password change in AD, the password must also be updated in the AD import configuration; otherwise the service keeps binding with stale credentials and, depending on your lockout policy, may lock the account.
  • Check that the AD domain controller is reachable. A ping is only a first indication: ICMP is often blocked, and what the service needs is TCP connectivity to the LDAP (389) or LDAPS (636) port, so test those ports directly.
  • Make sure that no firewall rules block communication between the AD Sync Service and the domain controller, or between the AD Sync Service and the certificate authority.
  • Make sure that the AD Sync Service is connected to the intended import source in the correct organization.
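The following PowerShell script is an added example, not part of the Appterix/EgoMind product, that runs the checks above from the AD Sync Service host: TCP reachability of the ports the service needs (rather than ping), a TLS handshake against LDAPS that reports why validation fails (using an IP address instead of the FQDN typically yields RemoteCertificateNameMismatch, which is why the import configuration must use the FQDN for LDAPS), and an LDAP bind with the service account to confirm the stored password and the DOMAIN\user format. The host names are the page's own examples; the service account name is a placeholder.

```powershell
# Added example (not Appterix/EgoMind code): pre-flight checks for the AD Sync Service host.
# Host names are the page's examples, the account name is a placeholder; replace all three.

$DomainController = 'WIN-FEKLLGO3TDA.demo-egomind.local'
$CaHost           = 'WinSer2022.demo-egomind.local'

function Test-RequiredPorts {
    # ICMP is often blocked, so test the TCP ports the service actually uses
    param([string]$DomainController, [string]$CaHost)
    $targets = @(
        @{ Host = $DomainController; Port = 88;  Service = 'Kerberos' },
        @{ Host = $DomainController; Port = 389; Service = 'LDAP' },
        @{ Host = $DomainController; Port = 636; Service = 'LDAPS' },
        @{ Host = $CaHost;           Port = 135; Service = 'RPC endpoint mapper (DCOM to AD CS; dynamic ports follow)' }
    )
    foreach ($t in $targets) {
        $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $t.Host; Port = $t.Port; Service = $t.Service; Reachable = $r.TcpTestSucceeded }
    }
}

function Test-LdapsCertificate {
    # Performs the normal TLS validation and records the result instead of failing on it,
    # so the output shows the certificate and the reason it would be rejected
    param([string]$Server, [int]$Port = 636)
    $script:tlsErrors = 'None'
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:tlsErrors = $errors
        $true   # accept for inspection only; the errors are reported below
    }
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server           = $Server
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            ValidationErrors = "$script:tlsErrors"   # 'None' is what the sync service needs
        }
    } finally { $client.Close() }
}

function Test-LdapBind {
    # Binds with the service account exactly as the sync service does; a failure here means
    # the password or the DOMAIN\user format in the import configuration is wrong
    param([string]$Server, [pscredential]$Credential, [switch]$Ldaps)
    $path = if ($Ldaps) { "LDAP://${Server}:636" } else { "LDAP://$Server" }
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure
    if ($Ldaps) { $auth = $auth -bor [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer }
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        $path, $Credential.UserName, $Credential.GetNetworkCredential().Password, $auth)
    try {
        $null = $entry.NativeObject   # forces the bind
        $true
    } catch {
        Write-Warning "Bind as $($Credential.UserName) failed: $($_.Exception.Message)"
        $false
    } finally { $entry.Dispose() }
}

Test-RequiredPorts -DomainController $DomainController -CaHost $CaHost | Format-Table -AutoSize
Test-LdapsCertificate -Server $DomainController | Format-List
$svc = Get-Credential -Message 'Service account as DOMAIN\user (placeholder: demo-egomind\svc-emadsync)'
Test-LdapBind -Server $DomainController -Credential $svc -Ldaps
```

Run `Test-LdapsCertificate` a second time with the domain controller's IP address to see the name-mismatch error the service would hit if the import configuration used the IP for LDAPS.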

Q3: Why are the certificate templates missing in the CA?

A: The missing certificate templates may be due to authorization issues or incorrect configuration.

Recommended checks:

  1. Make sure that the correct name of the certification authority (CA Name) is specified in the AD import configuration.
    Example: WinSer2022.demo-egomind.local\demo-egomind-WinSer2022-CA
    For more information, see the section How do I find the name of the Certificate Authority (CA)?.
  2. Make sure that the correct Server URL is specified in the AD import configuration:
    • For LDAPS: enter the fully qualified domain name (FQDN) of the directory server you are connecting to. The name must match the domain controller's TLS certificate, which is why an IP address does not work here.
      Example: WIN-FEKLLGO3TDA.demo-egomind.local
    • For LDAP: you can also use the server's IP address.
  3. Check the user account (User name) in the AD import configuration.
    When configuring AD import, it is critical to use an account with the permissions needed for certificate issuance through AD CS, and no more than that: the credentials are stored in the import configuration and used unattended, so a domain administrator account here is a high-value target.
    • If the use of a domain administrator account is allowed: ensure that a domain administrator account is specified in the AD import configuration in the following format:
      <domain>\<user name>
    • If the use of a domain administrator account is restricted: configure the EM AD Sync Service Control Panel to issue certificates with a non-administrator account.

Before configuring the EM AD Sync Service Control Panel, update the User name in the AD import configuration to the non-administrator account. Use the following format:
<domain>\<user name>

How to configure EM AD Sync Service Control Panel for non-admin users

  1. Navigate to the following path to open the EM AD Sync Service Control Panel:
    C:\Program Files\EgoMind\EMADSyncService\Utils
  2. Run EMADSyncService.ControlPanel.exe as administrator.
  3. Under AD CS Connect, fill in the required fields:
    1. In the User name field, enter the name of the non-admin user.
      Ensure that the user name entered here matches the one specified in the AD import configuration. Note the different formats to avoid misconfiguration:
      • In the AD import configuration, use the format:
        <domain>\<user name>
      • Here, enter only the user name without the domain prefix.
    2. In the Domain Name field, enter the domain name.
    3. In the CA Name field, enter the name of the certification authority.
      For more information, see the section How do I find the name of the Certificate Authority (CA)?.
  4. Click Apply to save the changes.

Q4: How do I find the name of the Certificate Authority (CA)?

A: Specifying the correct CA name is crucial for the successful issuance of certificates.

If only one certificate authority is used in your environment, you can leave the CA Name field blank; the system detects it automatically.

How to find the CA name:

  1. Open a command prompt as administrator on the CA server.
  2. Run the following command:
    certutil -dump
  3. Look for the line that starts with Config. It shows the CA name in the required format.
    For example: Config: WinSer2022.demo-egomind.local\demo-egomind-WinSer2022-CA
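The following PowerShell script is an added example, not part of the Appterix/EgoMind product, for the situation covered by Q3 and Q4 together: it reads the CA name in the required Host\CAName form from Active Directory's Enrollment Services container, so you can find it from any domain-joined machine (for example the AD Sync Service server) without logging on to the CA, and then confirms that the CA answers and publishes the template you need. The template name SmartcardLogon is an assumption; use the template your enrollment actually issues.

```powershell
# Added example (not Appterix/EgoMind code): find the CA Name from any domain-joined machine
# by reading the Enrollment Services container in AD, then confirm the CA answers and
# publishes the required template. The template name is an assumption.

function Get-EnterpriseCa {
    # Every enterprise CA registers a pKIEnrollmentService object here when it is installed
    $configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    foreach ($ca in $container.Children) {
        [pscustomobject]@{
            Config    = "$($ca.dNSHostName)\$($ca.cn)"   # same Host\CAName form as the Config: line of certutil -dump
            Templates = @($ca.certificateTemplates)        # templates the CA is configured to issue
        }
    }
}

function Test-Ca {
    param(
        [Parameter(Mandatory)][string]$Config,
        [string]$RequiredTemplate = 'SmartcardLogon'       # assumption; use your enrollment's template
    )
    $ping  = certutil -config $Config -ping 2>&1 | Out-String
    $alive = ($LASTEXITCODE -eq 0)
    # -CATemplates prints one line per template as "Name: Display Name -- <access result>"
    $templates = certutil -config $Config -CATemplates 2>&1 | Out-String
    [pscustomobject]@{
        Config                    = $Config
        Reachable                 = $alive
        RequiredTemplatePublished = [bool]($templates -match "(?m)^$([regex]::Escape($RequiredTemplate)):")
        PingOutput                = $ping.Trim()
    }
}

$cas = Get-EnterpriseCa
$cas | Format-List
# With several CAs the CA Name field must name the right one; with exactly one it may stay blank
$cas | ForEach-Object { Test-Ca -Config $_.Config }
```

If `Reachable` is true but `RequiredTemplatePublished` is false, the template has not been added to the CA's issuing list or the account running the check lacks Enroll permission on it; the access result printed by `certutil -CATemplates` tells you which.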

Q5: Where can I find the AD Sync Service logs?

A: If you encounter problems during setup or synchronization, you can view the AD Synchronization Service logs to diagnose the problem.

Default log storage location:

C:\Program Files\EgoMind\EMADSyncService\Logs

If necessary, send the relevant log files to the support team for further error analysis and assistance.

When contacting support:

  • Attach relevant log files
  • Include detailed error messages
  • Describe the steps that led to the problem