This is part of a series of posts on setting up VMware Horizon authentication using Azure AD.

TrueSSO works by having a certificate issued for the user after a successful SAML authentication, and then authenticating against AD with a smartcard-type logon using that certificate. Those certificates are short-lived, valid for approximately 8 or 12 hours (depending on the user’s average working time). Therefore we must create a specific certificate template to be used by TrueSSO, based on the built-in template for smartcard logons.

On one of the newly installed sub-CA servers, open the Certification Authority console. Right-click the Certificate Templates node and select Manage. In the Certificate Templates window, find the “Smartcard Logon” template, right-click it and choose “Duplicate Template”. In the new template’s properties, we need to adjust several settings.

On the “Compatibility” tab, change the compatibility settings to at least Windows Server 2012 R2 for both the certification authority and the certificate recipient. A popup will show the changes compared with the previous value; confirm it with OK.

On the “General” tab, enter a display name and a template name. For simplicity, keep those the same and don’t use spaces. Set the validity period to the average working time of the user (e.g. 10 hours), but longer than the Kerberos TGT renewal time (by default 10 hours). Set the renewal period to 50%~75% of the validity period. Do not check “Publish certificate in AD”!

On the “Request Handling” tab, change the purpose to “Signature and smartcard logon” and check the option “For automatic renewal of smart card…”. On the “Cryptography” tab, change the Provider Category to “Key Storage Provider” and make sure the algorithm name is set to RSA. On the “Server” tab, check the option “Do not store certificates…”. Checking that option automatically checks the second option as well, so be sure to uncheck “Do not include revocation…”. On the “Issuance Requirements” tab, select “This number of authorized signatures” and make sure “1” is filled in the box.
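Once the template is saved it lives as an object in the AD Configuration partition, so the settings above can be audited there instead of clicking through every tab again. The following script is an added example, not part of the original post or of Horizon; it assumes the RSAT ActiveDirectory module is installed and uses “TrueSSO” as a placeholder template name.

```powershell
# Added example (not from the original post): audit a TrueSSO certificate template as
# stored in AD against the settings described above. Assumes the RSAT ActiveDirectory
# module; "TrueSSO" is a placeholder, pass the template name you chose on the General tab.
param([string]$TemplateName = 'TrueSSO')

Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$tplDN    = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props    = 'flags', 'pKIExpirationPeriod', 'pKIOverlapPeriod', 'pKIExtendedKeyUsage',
            'msPKI-Enrollment-Flag', 'msPKI-Private-Key-Flag', 'msPKI-RA-Signature'
$tpl = Get-ADObject -Identity $tplDN -Properties $props

# Validity and renewal periods are stored as negative 64-bit intervals in 100 ns units.
function ConvertTo-Hours([byte[]]$Interval) {
    [math]::Round((-[BitConverter]::ToInt64($Interval, 0)) / 1e7 / 3600, 2)
}
$validity = ConvertTo-Hours $tpl.pKIExpirationPeriod
$renewal  = ConvertTo-Hours $tpl.pKIOverlapPeriod
$enroll   = [int]$tpl.'msPKI-Enrollment-Flag'
$keyFlags = [int]$tpl.'msPKI-Private-Key-Flag'
$flags    = [int]$tpl.flags

# Bit values are the CT_FLAG_* constants from the MS-CRTD certificate template schema.
$checks = [ordered]@{
  'Validity longer than default TGT renewal (10 h)'                         = $validity -gt 10
  'Renewal period between 50% and 75% of validity'                          = ($renewal -ge 0.5 * $validity) -and ($renewal -le 0.75 * $validity)
  'Not published to AD (CT_FLAG_PUBLISH_TO_DS clear)'                       = -not ($enroll -band 0x8)
  'Not stored in CA database (CT_FLAG_DONOTPERSISTINDB set)'                = [bool]($flags -band 0x1000)
  'Revocation info included (CT_FLAG_NOREVOCATIONINFOINISSUEDCERTS clear)'  = -not ($enroll -band 0x4000)
  'Key Storage Provider (CT_FLAG_USE_LEGACY_PROVIDER clear)'                = -not ($keyFlags -band 0x100)
  'Exactly one authorized signature required'                               = [int]$tpl.'msPKI-RA-Signature' -eq 1
  'EKU includes Smart Card Logon (1.3.6.1.4.1.311.20.2.2)'                  = $tpl.pKIExtendedKeyUsage -contains '1.3.6.1.4.1.311.20.2.2'
}

"Template: $TemplateName  validity: $validity h  renewal: $renewal h"
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value }
} | Format-Table -AutoSize
```

Template objects replicate through the Configuration partition, so run this against the domain controller the sub-CA reads from, or wait for replication after saving the template.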