Most security and IT professionals know that passwords are always at risk of being compromised or cracked. Those that seek to solve this problem generally turn to one of three mainstream solutions: One-time password systems such as an RSA SecurID token or the Google Authenticator app, out-of-band authentication via SMS, or the more recently developed Universal 2nd Factor (U2F) protocol. These solutions provide a mechanism to generate or receive a token or credential that an adversary would be unable to intercept or crack. These are all reasonable solutions, depending on the system and the audience that it needs to serve.
Another alternative which has probably been around the longest is the focus of our topic today: Certificate-based authentication. Asymmetric cryptography is the star of the show here, where a private/public key pair are used to validate your identity. Today we’ll talk about how to configure certificates for Windows Active Directory Authentication using a YubiKey.
What’s a YubiKey?
First things first – a YubiKey is a strong authentication hardware device made by Yubico. The nice thing about them is they support USB interfaces on just about any kind of device, and they also provide a number of strong authentication protocols including FIDO U2F, Smart Card (PIV), Yubico OTP, Code Signing, OpenPGP, OATH-TOTP, OATH-HOTP, and Challenge-Response (HMAC-SHA1). All this in a device that costs around $50 – very affordable compared to other alternatives! To find out which YubiKey will meet your needs, check out their Product Finder. Active Directory authentication uses a YubiKey’s Smart Card (PIV) functionality. For this you will need a YubiKey NEO or YubiKey 4. The less expensive YubiKey Nano does not have smart card functionality (but is great for protecting your Google account!)
Using Smart Cards and Certificates for Authentication in AD
Microsoft support for certificate-based authentication via smart cards in Active Directory is very mature, going back at least to Windows 2003. A smart card is a hardware device that can generate certificates and perform signing and encryption functions. This certificate is composed of a key pair, one private and one public. The private key is stored only on the smart card, and the public key is shared with any system which needs to interact with it such as a domain controller or the recipient of a digitally signed email.
To make all this work for AD authentication, the general principle is that you set up a Certificate Authority (CA) on a Windows server running the Certificate Services role. The CA’s job is to create root or intermediate certificates that are trusted by the domain, and to digitally sign other certificates used within the domain. In this case, the CA will sign the certificate that is generated by the YubiKey’s smart card function. During the certificate generation and signing process, it will also publish the new public key into the directory. This public key will be associated with the user who set it up and will be used to authenticate the user. Only the private key contained on the YubiKey will match this public key and can be used to authenticate that user.
When using a certificate stored on a smart card, the private key component is protected by a PIN. The user must enter the PIN in order to perform smart card functions such as login or screen unlocks. This PIN protects the smart card from being stolen and also serves to prevent unauthorized software (i.e. malware) from interacting with the smart card directly.
Setting Up Certificate Services
Yubico has a very detailed guide for configuring the Certificate Services to sign Smart Card certificates for authentication. This process involves installing the Certificate Services, setting up a new Certificate Template for Smart Card authentication, and enabling self-enrollment or proxy enrollment capability.
Once you have set up your Certificate Authority with the new Smart Card template for your YubiKeys, you will need to enroll your YubiKey for smart card authentication. This involves using a utility called the YubiKey PIV Manager. For the sake of brevity, here’s the link to the guide. One note: When prompted for the name of your certificate template, use the short/concatenated name in case your name contains spaces (i.e. YubiKeyLogon instead of “YubiKey Logon”).
Logging In Using the Smart Card
If all went well during the enrollment process, the PIV manager shows a certificate under the “Authentication” tab and the certificate has been published to Active Directory. When you insert the YubiKey to your Windows system, Smart Card will be displayed as a login option. Choosing this option will prompt you to enter your smart card PIN. Once you enter your PIN, you will be logged in!
OK, Great – Why Should I Use This?
The truth of the matter is that passwords are awful – no one likes remembering them and changing them, and they are subject to being reused or cracked. Smart card-based certificate authentication isn’t prone to these issues and lasts forever (or until the certificate expires!) Of course, deploying smart cards across an entire organization takes careful planning for your use case. My advice is to start with a very targeted deployment for your Enterprise Administrators, Domain Adminstrators, and key members of your IT and Security team. By doing this and disallowing password-based authentication for those users, you will go a long way to frustrating the adversaries trying to compromise your domain!