Certificate Based Authentication
In this lab you will be deploying a certificate to an enrolled Windows 10 virtual machine. This certificate will be generated by the built-in CA in Workspace ONE UEM.
We will later configure Workspace ONE Access to trust certificates issued by UEM and configure the Certificate (Cloud Deployment) authentication adapter.
Finally we will test everything on a Windows 10 Machine to ensure we are able to have a seamless authentication experience.
Part 1: Workspace ONE UEM - Certificate Profile
- On your ControlCenter2 jumpbox
- Open Google Chrome
- Navigate to https://uem.euc-livefire.com
- Authenticate using:
- Username admin_livefire
- Password VMware1!
- In the Workspace ONE UEM Console
- Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Workspace ONE Access > Configuration
- In the Configuration page
- Under Certificate select ENABLE (if not already enabled)
- In the Configuration page
- Select EXPORT in the Certificates section on the Workspace ONE Access page
- When prompted select Keep
- Note this downloads a .cer file (VidmAirWatchRootCertificate.cer). This is the UEM root CA certificate that Workspace ONE Access will trust in Part 2, so keep track of where it is saved.
- Close the Settings window in the top right-corner, by selecting x
- In the Workspace ONE UEM admin console
- Navigate to Devices > Profiles & Resources > Profiles > ADD > Add Profile
- In the Add Profile window
- Select Windows > Windows Desktop > User Profile
- Under General
- Next to Name: type W10 - SCEP - SSO
- In the Add a New Windows Desktop Profile
- In the General tab,
- Scroll down to Smart Groups
- Select Livefire(Livefire) with the world icon next to it.
- In the LEFT MENU, navigate to the SCEP
- Select CONFIGURE
- In the Add a New Windows Desktop Profile
- Under SCEP, set the following:
- Credential Source: AirWatch Certificate Authority
- Certificate Template: Certificate (Cloud Deployment)
- Issuer: LiveFire
- Key Location: Software
- Select SAVE AND PUBLISH at the bottom right of the window
- On the View Device Assignment page
- Confirm your device is showing
- Select PUBLISH
Part 2 : Configure Workspace ONE Access
- On your ControlCenter2 server
- In the Chrome browser
- Navigate to https://access.euc-livefire.com
- Authenticate using System Domain
- username: Admin
- password: VMware1!
- In the Workspace ONE Access admin console
- Navigate to Identity & Access Management > Authentication Methods.
- Select the pencil icon next to Certificate (Cloud Deployment)
- In the Certificate (Cloud Deployment) page
- Select the tickbox to Enable Certificate Adapter
- Select Select File for the Root and Intermediate CA Certificates
- Select the certificate we have downloaded from the UEM console earlier
- Select Open
- In the Update Auth Adapter window
- Select OK.
- In the Certificate (Cloud Deployment) window
- At the bottom of the page, select Save
- In the Workspace ONE Access Console
- Navigate to Identity & Access Management > Identity Providers
- Select Built-in
- In the Built-In page
- Navigate to the Authentication Methods area
- Select the check box next to Certificate (Cloud Deployment)
- Select Save at the bottom of the page.
- In the Workspace ONE Access console
- Navigate to Identity & Access Management > Policies
- Select default_access_policy_set
- Under Policies \ default_access_policy_set
- Select EDIT
- In the Edit Policy page
- Select the Configuration tab (second from the left)
- Select All Ranges next to Web Browser in the Device Type Category
- In the Edit Policy Rule page, edit the following:
- then the user may authenticate using: change to Certificate (Cloud Deployment)
- if the preceding method fails or is not applicable, then: change to Password (Cloud Deployment)
- then Select ADD FALLBACK METHOD
- Select Password (Local Directory) as the third authentication option.
- Select SAVE at the bottom of the window
- In the Edit Policy \ Configuration page
- Select ADD POLICY RULE
- In the Add Policy Rule page, add the following next to :
- and user accessing content from : from the drop down select:- Windows 10
- then the user may authenticate using: from the drop down select:- Certificate (Cloud Deployment)
- If the preceding method fails or is not applicable, then : from the drop down select:- Password (Cloud Deployment)
- Select +ADD FALLBACK METHOD
- If the preceding method fails or is not applicable, then : from the drop down select:- Password (Local Directory)
- Select SAVE
- In the Edit Policy page
- Next to ALL RANGES for Windows 10 on the left, select the 6 DOTS and drag the rule to the top. Rules are evaluated in order, so the Windows 10 rule must sit above the generic Web Browser rule for the certificate method to be tried first on managed Windows 10 devices.
- Select NEXT on the Edit Policy Page
- On the Edit Policy \ Summary page
- Select SAVE .
- You have now enabled Certificate (Cloud Deployment) as an authentication method on the default access policy.
- Our next step is to ensure this implementation is working.
Part 3: Windows 10 Single Sign-On using Certificates
- On the Desktop of ControlCenter2
- Open your Remote Desktops folder
- RDP to your Windows 10 Client (W10Client01.RDP)
- Authenticate using:
- Username euc-livefire\administrator
- Password VMware1!
- On your W10Client01
- Open the Edge browser
- Navigate to https://access.euc-livefire.com
- On your W10Client01
- Within a second, Edge will prompt you to confirm the use of the client certificate that the SCEP profile installed.
- Notice the URL contains /cas, the certificate authentication service endpoint in Workspace ONE Access that validates the certificate against the root CA you uploaded in Part 2.
- Select OK to confirm the use of the certificate.
NOTE: If you do not see the certificate pop-up window and are instead directed to the normal Access authentication page, go back to Part 1 in UEM and ensure the certificate profile you published has been installed on the device.
- You should now be authenticated to the Intelligent Hub on the Edge browser.
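Before blaming the policy in Part 2, it is worth checking the client side directly. The script below is an added example for this lab, not part of the original Livefire guide or of any VMware tooling. Run it in PowerShell on W10Client01 as the enrolled user after the SCEP profile from Part 1 has synced. Browsers generally only offer a certificate at the /cas prompt if it has a private key, is valid for Client Authentication, and chains to a CA the server advertises, so those are the three properties the script reports. It assumes the SCEP payload (User Profile, Key Location: Software) places the certificate in Cert:\CurrentUser\My and that the Issuer string contains LiveFire as set in the payload; the Downloads path for the exported VidmAirWatchRootCertificate.cer is an assumption, and the chain check is skipped if the file is not present.

```powershell
# Added verification script for the W10 - SCEP - SSO lab (not part of the original guide).
# Assumptions (see lead-in): user store location, Issuer containing "LiveFire",
# and the location of the exported UEM root certificate.
$RootCerPath   = "$env:USERPROFILE\Downloads\VidmAirWatchRootCertificate.cer"  # assumed path
$IssuerPattern = "LiveFire"            # Issuer value configured in the SCEP payload
$ClientAuthEku = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth

function Get-LabUserCertificate {
    param([string]$IssuerPattern)
    # Only certificates with a usable private key can be offered for TLS client auth.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like "*$IssuerPattern*" -and $_.HasPrivateKey }
}

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    if (-not $ext) { return $false }   # no EKU extension at all
    $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension -ArgumentList $ext, $false
    return (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ClientAuthEku)
}

function Test-ChainsToRoot {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$RootPath)
    $root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The UEM root is not necessarily in the Windows trust store, so supply it
    # out-of-band and tolerate "untrusted root"; the thumbprint comparison below
    # is the real check. Revocation checking is disabled for this offline test.
    $null = $chain.ChainPolicy.ExtraStore.Add($root)
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($Cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($top.Thumbprint -eq $root.Thumbprint)
}

$certs = @(Get-LabUserCertificate -IssuerPattern $IssuerPattern)
if ($certs.Count -eq 0) {
    Write-Warning "No certificate issued by '*$IssuerPattern*' with a private key in Cert:\CurrentUser\My. Check the W10 - SCEP - SSO assignment and device sync in UEM."
    return
}

foreach ($c in $certs) {
    [pscustomobject]@{
        Subject       = $c.Subject
        Issuer        = $c.Issuer
        NotAfter      = $c.NotAfter
        Thumbprint    = $c.Thumbprint
        ClientAuthEku = Test-ClientAuthEku -Cert $c
        ChainsToRoot  = if (Test-Path $RootCerPath) { Test-ChainsToRoot -Cert $c -RootPath $RootCerPath } else { "root .cer not found, skipped" }
    }
}
```

If the script finds the certificate with ClientAuthEku and ChainsToRoot both True but Edge still does not prompt, the problem is on the Access side (adapter not enabled on the Built-in identity provider, or the Windows 10 rule not first in the policy). If ChainsToRoot is False, the root you uploaded in Part 2 is not the one that issued this certificate, and the /cas endpoint will reject it.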
This concludes the Certificate-Based authentication lab, allowing users to authenticate to corporate resources securely from a managed Windows 10 device.