EUCEUC: Advanced Integrations - 2019 Day 3Windows 10 Certificate Single Sign On using an AirWatch Certificate Authority

Windows 10 Certificate Single Sign On using an AirWatch Certificate Authority

In this lab you will be deploying a certificate to an enrolled Windows 10 virtual machine. This certificate will be generated by the built-in CA in Workspace ONE UEM.

We will later configure Workspace ONE Access to trust certificates issues by UEM and configure the Certificate (Cloud Deployment) authentication adapter.

Finally we will test everything on a Windows 10 Machine to ensure we are able to have a seamless authentication experience.

Part 1: WorkspaceOne UEM - Certificate Profile

1

  • Open Chrome on your ControlCenter2 jumpbox and navigate to https://cn-livefire.awmdm.com Authenticate using your e-mail address and unique password
    1. Navigate to Groups & Settings > All Settings > Enterprise Integration > VMware Identity Manager> Configuration
    2. Under Certificate select ENABLE (this should be enabled from a previous lab)
    3. Under Certificate next to Issuer Certificate select EXPORT

 2. WorkspaceOne UEM - Certificate Profile continued...

  1. Then navigate to Devices > Profiles & Resources > Profiles > ADD > Add Profile > Windows > Windows Desktop > User Profile Give it a name : W10 - SCEP - SSO .
  2. Select your Smart Group with the World icon for the Smart Group  
  3. Select the SCEP payload on the left hand navigation panel.
  4. Select CONFIGURE
  5. Set the following
    • Credential Source: AirWatch Certificate Authority
    • Certificate Template: Certificate (Cloud Deployment)
    • Issuer: LiveFire
    • Click SAVE AND PUBLISH
  6. In the Device Assignment notice your device in the list of device being added. Then click PUBLISH

Part 2: Configuring Workspace ONE Access Certificate (Cloud Deployment) Authentication

1. Configuring Workspace ONE Access Certificate (Cloud Deployment) Authentication

  • In this next section, we will configure Workspace ONE Access Certificate Auth Adaptor to trust the certificates being presented by the devices.
    1. On your ControlCenter server, use your unique Workspace ONE Access server and authenticate to the local directory using administrator account and password.
    2. Under Identity & Access Management > Manage select Authentication Methods
    3. Click on the Pencil to Configure the Certificate (Cloud Deployment) authentication method.
    4. Select the checkbox Enable Certificate Adapter and click Select File to upload the Certificate (VidmAirWatchRootCertificate.cer) you downloaded above in the UEM console.
    5. On the Update Auth Adapter window select OK
    6. Leave everything else in here as default and click Save.
    7. Now navigate Identity Providers under Identity & Access Management click on Built-in
    8. Navigate to the Authentication Methods area and select the check box next to Certificate (Cloud Deployment) and select Save at the bottom of the page.

2.

  • Configuring Workspace ONE Access Certificate (Cloud Deployment) Authentication....continued
    1. Navigate to Policies under Identity & Access Management then click on the SSO policy. 
    2. Select Edit
    3. Next to Configuration select +ADD POLICY RULE. 
    4. In the Add Policy Rule window add the following, next to : -
      • 'and user accessing content from' to  Select Windows 10 from the drop down
      • then the user may authenticate using* change  to Certificate (Cloud Deployment)
      • "if the preceding method fails or is not applicable, then" change Select failback method... to Password (Cloud Deployment)  
    5. Select SAVE
    6. Select +ADD POLICY RULE. 
    7. In the Add Policy Rule window add the following, next to : -
      • 'and user accessing content from' select Web Browser from the drop down
      • then the user may authenticate using* change  to Certificate (Cloud Deployment)
      • "if the preceding method fails or is not applicable, then" change Select failback method... to Password (Cloud Deployment)  
    8. Select SAVE, 
    9. Next to ALL RANGES for Windows 10 on the left select the 6 DOTS and drag to the top
    10. Select NEXT, select SAVE. 

Part 3: Windows 10 Single Sign On using Certificates

  • Now that the administrative elements are in place we will now test the authentication flow from our Windows 10 VM.
    1. On the ControlCenter2 VM on the desktop you will find the Remote Desktop folder. In this folder click double click on w10client01.RDP
    2. Inside the Windows 10 Virtual Machine open Microsoft Edge from the desktop and type OFFICE.COM in the address bar
    3. In the Office.com page select Sign In
    4. In the Sign in window, type your email address. eg user35crsj@sanjose35.euc-livefire.com.
    5. Select Next
    6. Notice now that you are being re-directed to cas.vidmpreview.com in the URL field and you are prompted for a Certificate.
    7. Click OK on the pop-up for your certificate and notice your are straight into your WorkspaceOne bookmarks Tab.
    8. Now click on any one of your Office365 deeplinks and notice your are authenticated without further credentials. If you get prompted to "Stay Signed in?" simply click No.
    9. You are now authenticated to your O365 environment using a certificate based authentication method.

This completes this lab.

0 Comments

Add your comment

E-Mail me when someone replies to this comment