
Certificate Based Authentication

In this lab you will be deploying a certificate to an enrolled Windows 10 virtual machine. This certificate will be generated by the built-in CA in Workspace ONE UEM.

We will later configure Workspace ONE Access to trust certificates issued by UEM and configure the Certificate (Cloud Deployment) authentication adapter.

Finally we will test everything on a Windows 10 Machine to ensure we are able to have a seamless authentication experience.

Part 1: Workspace ONE UEM - Certificate Profile

  1. On your ControlCenter2 jumpbox
    1. Open Google Chrome
    2. Navigate to https://uem.euc-livefire.com
    3. Authenticate using:
      • Username: admin_livefire
      • Password: VMware1!
  2. In the Workspace ONE UEM Console
    • Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Workspace ONE Access > Configuration
  3. In the Configuration page
    • Under Certificate, select ENABLE (if not already enabled)
  4. In the Configuration page
    • Select EXPORT in the Certificates section of the Workspace ONE Access page
      • When prompted, select Keep
      • Note this will download a .cer file (VidmAirWatchRootCertificate.cer); this is the UEM root certificate that Workspace ONE Access will be configured to trust in Part 2
      • Close the Settings window by selecting the x in the top-right corner
  5. In the Workspace ONE UEM admin console
    • Navigate to Devices > Profiles & Resources > Profiles > ADD > Add Profile
  6. In the Add Profile window
    • Select Windows > Windows Desktop > User Profile
    • Under General
      • Next to Name, type W10 - SCEP - SSO
  7. In the Add a New Windows Desktop Profile window
    • In the General tab
      • Scroll down to Smart Groups
        • Select Livefire (Livefire), the entry with the world icon next to it
  8. In the Add a New Windows Desktop Profile window
    • In the LEFT MENU, navigate to SCEP
    • Select CONFIGURE
  9. In the Add a New Windows Desktop Profile window
    • Under SCEP, set the following:
      • Credential Source: AirWatch Certificate Authority
      • Certificate Template: Certificate (Cloud Deployment)
      • Issuer: LiveFire
      • Key Location: Software
    • Select SAVE AND PUBLISH at the bottom right of the window
  10. On the View Device Assignment page
    • Confirm your device is showing
    • Select PUBLISH

Part 2: Configure Workspace ONE Access

  1. On your ControlCenter2 server, in the Workspace ONE Access admin console
    • Navigate to Identity & Access Management > Authentication Methods
    • Select the pencil icon next to Certificate (Cloud Deployment)
  2. In the Certificate (Cloud Deployment) page
    • Select the tickbox to Enable Certificate Adapter
    • Select Select File for the Root and Intermediate CA Certificates
    • Select the certificate (VidmAirWatchRootCertificate.cer) we downloaded from the UEM console earlier
    • Select Open
  3. In the Update Auth Adapter window
    • Select OK
  4. In the Certificate (Cloud Deployment) window
    • At the bottom of the page, select Save
  5. In the Workspace ONE Access console
    • Navigate to Identity & Access Management > Identity Providers
    • Select Built-in
  6. In the Built-in page
    • Navigate to the Authentication Methods area
    • Select the check box next to Certificate (Cloud Deployment)
    • Select Save at the bottom of the page
  7. In the Workspace ONE Access console
    • Navigate to Identity & Access Management > Policies
    • Select default_access_policy_set
  8. Under Policies \ default_access_policy_set
    • Select EDIT
  9. In the Edit Policy page
    • Select Configuration, the second tab in the left column
    • Select All Ranges next to Web Browser in the Device Type category
  10. In the Edit Policy Rule page, change the following:
    • then the user may authenticate using: Certificate (Cloud Deployment)
    • if the preceding method fails or is not applicable, then: Password (Cloud Deployment)
    • Select ADD FALLBACK METHOD
    • Select Password (Local Directory) as the third authentication method
    • Select SAVE at the bottom of the window
  11. In the Edit Policy \ Configuration page
    • Select ADD POLICY RULE
  12. In the Add Policy Rule page, set the following from the drop-downs:
    • and user accessing content from: Windows 10
    • then the user may authenticate using: Certificate (Cloud Deployment)
    • If the preceding method fails or is not applicable, then: Password (Cloud Deployment)
    • Select +ADD FALLBACK METHOD
    • If the preceding method fails or is not applicable, then: Password (Local Directory)
    • Select SAVE
  13. In the Edit Policy page
    • Next to ALL RANGES for Windows 10, select the 6 DOTS on the left and drag the rule to the top so it is evaluated first
    • Select NEXT on the Edit Policy page
  14. On the Edit Policy \ Summary page
    • Select SAVE
      • You have now enabled Certificate (Cloud Deployment) as an authentication method on the default access policy.
      • Our next step is to ensure this implementation is working.

Part 3: Windows 10 Single Sign-On using Certificates

  1. On the Desktop of ControlCenter2
    • Open your Remote Desktops folder
    • RDP to your Windows 10 client (W10Client01.RDP)
    • Authenticate using:
      • Username: euc-livefire\administrator
      • Password: VMware1!
  2. On your W10Client01
    • Open the Edge browser
    • Navigate to https://access.euc-livefire.com
  3. On your W10Client01
    • Within a second, the Edge browser prompts you to confirm the use of the installed client certificate
    • Notice the URL now contains /cas: this is the certificate authentication service that validates the certificate
    • Select OK to confirm the use of the certificate

NOTE: If you do not see the certificate pop-up window and are instead directed to the normal Access authentication page, go back to Part 1 in UEM and ensure the certificate profile we published has been installed on the device.


  4. You should now be authenticated to the Intelligent Hub in the Edge browser.
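As an added check that is not part of the lab guide, the following PowerShell script can be run on W10Client01 (as the enrolled user) before or after the Edge test to confirm that the SCEP-issued certificate is present with its private key and chains to the root exported in Part 1, which is what the Certificate (Cloud Deployment) adapter was configured to trust in Part 2. The .cer path and the issuer match pattern are assumptions; adjust them to your download location and the Issuer shown on the certificate.

```powershell
# Added check, not part of the lab: confirm the certificate from the
# "W10 - SCEP - SSO" profile is in the user's store and chains to the
# root exported from UEM (VidmAirWatchRootCertificate.cer).
# $RootCerPath and $IssuerMatch are assumed values; adjust to your environment.
param(
    [string]$RootCerPath = "$env:USERPROFILE\Downloads\VidmAirWatchRootCertificate.cer",
    [string]$IssuerMatch = '*LiveFire*'   # assumed: matches the Issuer set in the SCEP payload
)

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCerPath)
Write-Host "UEM root: $($root.Subject) [$($root.Thumbprint)]"

# The profile is a User Profile with Key Location = Software, so the
# certificate should be in Cert:\CurrentUser\My with a usable private key.
$candidates = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like $IssuerMatch -and $_.HasPrivateKey }

if (-not $candidates) {
    Write-Warning "No certificate with issuer like '$IssuerMatch' and a private key in CurrentUser\My."
    Write-Warning "Check in UEM that the W10 - SCEP - SSO profile shows as Installed for this device."
    return
}

foreach ($cert in $candidates) {
    Write-Host "Found: $($cert.Subject) (expires $($cert.NotAfter))"

    # Build the chain with the exported root as an extra store. The UEM root is
    # not expected in the machine's trusted roots, so unknown-CA errors are
    # tolerated; what matters is whether the chain ends at exactly that root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $null = $chain.Build($cert)

    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Thumbprint -eq $root.Thumbprint) {
        Write-Host "OK: chains to the UEM root uploaded to the Certificate (Cloud Deployment) adapter."
    } else {
        Write-Warning "Chain ends at '$($top.Subject)', not the exported UEM root; Access will not trust it."
        $chain.ChainStatus | ForEach-Object { Write-Warning "  $($_.Status): $($_.StatusInformation)" }
    }
}
```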

This concludes the Certificate-Based Authentication lab, allowing users to authenticate to corporate resources securely from a managed Windows 10 device.
