Select Page

Joining domain using smart card

Joining domain using smart card
Advertisement

In this post, I will be talking on how joining domain using smart card works. Long time ago, I started working on smart cards, and I was obsessed with the idea of using smart cards as a replacement to normal passwords. Back then, I usually tend to make all network administrators using smart cards only, and never use their passwords directly. I went to the extreme of randomizing network admin passwords, and only provide them with a smart card and its PIN. This way, network admins will not be able to use their passwords if they are so lazy using smart cards.

To do this, you must work hard to make sure every service in your network can talk using Kerberos, so that smart card authentication works, and single sign on is your hero in such case. You do not want a password prompt appearing on your screen, when all you have is a smart card and a PIN.

Things worked good for me, to the extreme that we enrolled all management and key people with smart cards, and we randomize their passwords to force the use of smart card only. Of course, smart cards come with a management overhead, and I had to work on a Microsoft Smart Card Management solution, to facilitate the enrollment and retirement of smart cards, but that’s a different story.

Joining domain using smart card

One day in the morning, one of the network administrators called me, saying that he wants to Joining domain using smart card using his admin account, but he only had a smart card. His admin password is randomized and he is not able to provide his admin credentials in form of username and password combination. I started to look at the situation from different perspectives.

First challenge is that the machine to be joined to the domain, does not trust our corporate certificate authorities. So, there is a trust issue to start with.

Also, the machine is not joined to the domain yet, so it has no idea what is the domain name and how to treat the certificates in the smart card.

To overcome all those challenges, there are couple of requirements that should be satisfied to facilitate Joining domain using smart card. Those requirements are related to the signing certificate existing inside the smart card:

  • The signing certificate for the network administrator inside the smart card must contain a Subject field that contains the DNS domain name within the distinguished name. If it does not contain this field, resolution to the appropriate domain will fail, causing the domain join with smart card to fail.
  • The smart card certificate must contain a UPN in which the domain part of the UPN must resolve to the actual domain. This is required so that the Kerberos client would not be able to find the appropriate domain.
  • Else, the workaround is to supply a hint (enabled via GPO setting X509HintsNeeded) in the credentials user interface for domain join.

Microsoft TechNet article also specify this:
If the client computer is not joined to a domain, then the client will only be able to resolve the server domain by viewing the distinguished name on the certificate (as opposed to the UPN). For this scenario to work, the Subject field for the certificate must include “DC=” for domain name resolution. To deploy root certificates on smart cards for the currently joined domain, the following command can be used [certutil –scroots]”

About The Author

Ammar Hasayen

Ammar is a digital transformer, cloud architect, public speaker and blogger. He is considered a trusted advisory with the ability to quickly navigate complex multi-cultural organizations and continuously improve and motivate cross-functional teams to achieve higher productivity, collaboration, revenue gain and cross-group knowledge sharing. His contributions to the tech community helped him get awarded the Microsoft Most Valuable Professional. Ammar appears in a lot of global conferences, and he has many publications about digital transformation and next generation technologies.

Leave a reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Hi, I’m Ammar Hasayen

Ammar-New-MVP

About Me

Cloud Architect | Cybersecurity | CISSP | Microsoft MVP | Pluralsight Author | Book Author | International Speaker | World Explorer | @ammarhasayen

 

LinkedIn Profile

My Pluralsight Course

Speaking at Microsoft Ignite Dubai

Ammar Hasayen Speaker Ignite

Pin It on Pinterest