Step 8: Configure ContosoSrv02 and FabrikamSrv02 for Step-Up Authentication

  • Article

Applies To: Active Directory Federation Services (AD FS) 2.0

In the step-up authentication scenario, users are authenticated with a smart card. To simulate authentication with a smart card, we use a software-based, X.509 client certificate and protect it using a PIN. This certificate is available for enrollment by default in Active Directory Certificate Services (AD CS), which acts as the CA for the domain.

To request a certificate from the CA and set the private key PIN

  1. Log on to a client computer (FabrikamSrv02 or ContosoSrv02) as one of the users (FABRIKAM\frankm or CONTOSO\danielw) with "demo!23" as the user's password.

  2. Open a Command Prompt window. On the Start menu, click Run, type cmd, and then click OK.

  3. At the command prompt, type mmc, and then press ENTER. This command opens the Microsoft Management Console (MMC).

  4. In the MMC, click File, and then click Add/Remove Snap-in.

  5. In the Available snap-ins list, click Certificates, and then click Add.

  6. In the prompt, leave My user account selected, and then click Finish.

  7. Click OK. This action adds the snap-in for certificate enrollment.

  8. In the console tree, right-click Personal, click All Tasks, and then click Request New Certificate. The Certificate Enrollment window opens.

  9. In the Certificate Enrollment window, click Next twice.

  10. In the list, select the User check box, expand Details, and then click Properties. The Certificate Properties dialog box opens.

  11. Click the Private Key tab.

  12. Expand Key options, and select the Strong private key protection check box. Selecting this setting prompts you to select a PIN for the certificate during enrollment.

  13. Click OK. The Certificate Properties dialog box closes.

  14. Click Enroll. A dialog box opens prompting you to select the security level for using the certificate.

  15. Click Set Security Level. In the dialog box, click High, and then click Next.

  16. Type 1@234abcd as a PIN for the certificate in the Password field and in the Confirm field. Click Finish.

  17. Click OK.

  18. Click Finish in the Certificate Enrollment window.

  19. Close the console. (You can click No when you are prompted to save console settings.)

On ContosoSrv02 we have to register the .dll that will be needed to perform the step-up authentication scenario. We will use Gacutil.exe to register that dll. To obtain GacUtil.exe, download and install the .NET Framework 2.0 Software Development Kit (SDK) (x64) (https://go.microsoft.com/fwlink/?LinkId=179799) with default settings.