EUCbackup Default chapterAuthentication Method Windows 10 (ADCS)

Authentication Method Windows 10 (ADCS)

Using the Certificate Authentication adapter for Workspace One, we will configure and enable a Windows 10 device to Single Sign On (SSO) into Workspace One using user certificates.

In this setup we will be using certificated generated by the  corporate Microsoft Certificate Authority, using Active Directory  Certificate Services.

  1. Log into your ControlCenter server.  Select the Start Menu  and then to the right select Windows Administrative Tools. Select the Certificate Authority shortcut.
  2. Select Certification Authority, expand euc-livefire-ControlCenter2, select and right- click Certificate Templates, and select Manage.

3. In the Certificate Templates Console in the left pane , scroll down and select the User template, right-click and select Duplicate Template.

4.In the Properties of New Template Window select the General tab, Under the Template display name type Windows 10 SSO

5.Select the Subject Name tab, and select the radio button next to Supply in the request.

6. When prompted by the Certificate Templates Window, Click Ok. Click OK to Close the new Properties of New Template Window. Close the Certificate Templates Console

7. In the Certification  Authority (Local). Under euc-livefire-CONTROLCENTER2 select and right-click the  Certificate Templates folder, select New >  Certificate Template to Issue.

8.  In the Enable Certificate Templates window, scroll down and select the Windows 10 SSO template and select OK.

9. On the ControlCenter server select and right-click the Start Button and select Run. In the run type MMC.  Select File > Add/Remove Snap-In.

10. In the Add or Remove Snap-ins window select the Certificates snap-in, select Add, In the Certificates snap-in window select the Computer account radio button and select Next and select Finish. Select OK to close the Add or Remove Snap-ins window

11. Expand the Certificates (Local Computer), select  Trusted Root Certificate Authorities > Certificates.

Right-click and select  the top euc-livefire-CONTROLCENTER2-CA root certificate , and select Open.

12. Select the Details tab, and select Copy to File.

13.On the Welcome to the Certificate Export Wizard window select Next.

14. Select the Base-64 encoded X.509 radio button and select Next.

15. Select Browse, in the Save As window, select Desktop in the left-hand pane, in the file name type Windows 10 and select Save . In the file to export window select Next

16. Select Finish. Click OK to close the certificate Export was successful window

 

17. On your Controlcenter server Desktop,

  1. Copy the windows 10 certificate.
  2. Select and open the Software shortcut on the server desktop. Open the certificates folder
  3. Paste the Windows 10 certificate to the certificates folder.

18. On the ControlCenter server, open a Browser and log into your AirWatch Console. https://cn-livefire.awmdm.com/AirWatch/Login

19. Go to Groups and Settings > All  Settings >  System > Enterprise Integration > Certificate  Authorities.

 

20. Under the Certificate Authorities tab, select +Add.

21. In the Certificate Authority - Add/Edit window enter the following next to:-

  1. Name: EUCLivefire CA
  2. Authority Type: Microsoft ADCS
  3. Protocol: ADCS
  4. Server Hostname: ControlCenter2.euc-livefire.com
  5. Authority Name: euc-livefire-CONTROLCENTER2-CA
  6. Authentication: Service Account
  7. Username: administrator@euc-livefire.com
  8. Password: VMware1!

22. Select Test Connection. Confirm that the test is successful. Select Save.

23. In the Certificate Authorities interface next to the Certificate Authorities tab, select the Request Templates tab, and click + Add.

24. In the Certificate Template - Add/Edit window,

  • provide the following next to:
    1. Name: Windows 10 Template
    2. Certification Authority: EUCLivefireCA
    3. Issuing Template: Windows 10 SSO
    4. Subject Name: CN={EnrollmentUser}
    5. Private Key Type: Signing, Encryption
    6. San Type: User Principal Name           {UserPrincipalName}
                     DNS Name                           UDID={DeviceUid}
    7. Enable Certificate Revocation: Checked
  • Select Save.

25. From your ControlCenter server, log into the VMware Identity Manager administration console with your Admin credentials.

26. Select the Identity & Access Management tab , select Authentication Methods.

27. Under Configure, at the bottom select the Certificate ( Cloud Deployment ) pencil.

28. On the  Certificate (Cloud Deployment) window, next Enable Certificate Adapter select the checkbox

29. Select Select File .

  1. In the Open window under Quick access select Desktop, select and upload your Windows 10.cer certificate and select Open
  2. On the Update Auth Adapter Window, select OK

30 . Select Save to update the authentication adapter.

31. Under Identity & Access Management select Identity Providers, select Built-in

 

31. In the Built-in Identity Provider under Authentication Methods select the Certificate (Cloud deployment). checkbox

  • Scroll down and select Save

31.Under Identity & Access Management select Policies.

  • Select the default_access_policy_set policy radio button and click edit.
    1. In the Edit Policy page, go to step number 2. Configuration
    2. In the middle pane select + ADD Policy RULE
    3. In the Add Policy Rule Window add the following next to:
      • and user accessing content from : Windows 10
      • then the user may authenticate using: Certificate (Cloud Deployment)
      • Select  Save on the ADD Policy RULE interface
  • Select the Windows 10 Rule and drag it to ensure its above Workspace ONE App and Web Browser rules
  • On the Edit Policy interface select NEXT, select SAVE to close the Edit Policy window

Validate Access to Workspace ONE using a Web Browser on a device with a managed certificate

1.Log into the Workspace One UEM console.

2.Go to Add ->Profile, and select Windows ->Windows Desktop -> User Profile.

3.Fill out the details in the General tab, and ensure that the profile is applied to a Smart Group.

4.Click Configure the Credentials payload, and configure the credential to the following:

Credential Source: Defined Certificate Authority

Certificate Authority: Name of CA defined in above, Step 21

Certificate Template: Name of Template defined above, Step 24

Certificate Store: Personal Store Location: User

5.Click Save and Publish, then Publish the profile.

6.Enroll a Windows 10 device into the Workspace One UEM environment.

7.In Workspace One UEM, validate that the profile created in Steps  2-5 has been successfully installed and reported to the console.

8.On the Windows 10 device, launch MMC and add in the Certificates snap-in for My User account.

9.Browse to Certificates  Current User->Personal -> Certificates.

Validate that the enrolled user certificate is present here, signed  by the Enterprise CA. This certificate has been delivered to the device  by AirWatch through that profile.

10.Launch Edge on the Windows 10 device. Type in the URL of the VMware Identity Manager tenant.

Click Next.

11.When prompted, click OK to confirm the certificate being presented to the web browser.

NOTE: There is a setting in Internet Options to remove this prompt if  one certificate is being presented for authentication to the browser.

12.The session will be redirected to cas.vmwareidentity.com, and then to the VMware Identity Manager tenant.

Confirm access to the Workspace ONE web portal is granted without having to type in a username/password.

This authentication was completed using the Certificate (cloud deployment) adapter.

0 Comments

Add your comment

E-Mail me when someone replies to this comment