DirectAccess is a great way to easily connect your company laptops to internal resources when they are connected to an outside network. Once a network connection has been established (mostly over WiFi), a DirectAccess connection is created on the fly. Although very convenient for the user, it poses some challenges. Imagine this user handing the laptop to one of his/her offspring to play a game. With full access to internal company resources this could lead to some painful issues, like accidentally deleted folders. Of course the user shouldn’t give the laptop to others, but that’s another discussion.
We can avoid automatic connection over DirectAccess by using (virtual) smart cards. This article explains how to configure both client and server to use this as an extra security measure.

On the infrastructure side two things need to be prepared for smart card authentication in DirectAccess. A new certificate template needs to be made available on the Enterprise Certificate Authority. After that is done, smart card authentication needs to be enabled on the DirectAccess server.
Log on to your Enterprise Certificate Authority server and open a management console (mmc). Add the Certificate Templates snap-in.

[Screenshot: 1mmc_template]
Find the “Smartcard Logon” template, right click it and choose “Duplicate Template”.

[Screenshot: 2copy_template]

The following details need to be updated in the new copy:

“General” tab:
  - Enter a new name for the “Display Name”.

“Request Handling” tab:
  - Select “Prompt the user during enrollment and require user input when the private key is used”.

“Cryptography” tab:
  - Minimum key size = 2048
  - Select “Requests must use one of the following providers”
  - From the “Providers” list, check “Microsoft Base Smart Card Crypto Provider”

“Security” tab:
  - Make sure that “Enroll” is checked for Authenticated Users.

Now open the Certification Authority console and go to the “Certificate Templates” section. Right click it and choose New > Certificate Template to Issue:

[Screenshot: 6issue_template]

Look for the freshly made template.

[Screenshot: 7select cert]

If it isn’t there yet, wait until all domain controllers have replicated and try again.
Once replication has completed, the new certificate template is ready to be rolled out to users.

[Screenshot: 8certificate_rolledout]

Enabling smart card authentication in DirectAccess
Log on to the DirectAccess server and open the Remote Access Management console. Under “Configuration” click on “DirectAccess”.

[Screenshot: 9diracc]

In Step 2, “Remote Access Server”, click “Edit” and go to “Authentication”. Select “Two-factor authentication” and click Finish.
This enables DirectAccess to use smart card authentication:

[Screenshot: 10diracc_2factor]
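
The two server-side steps above can also be scripted and verified from PowerShell. This is an added example, not code from the original article: part 1 runs on the Enterprise CA (ADCSAdministration module), part 2 on the DirectAccess server (RemoteAccess module), and $TemplateName is a placeholder for the template you duplicated.

```powershell
# Added example, not part of the original article: scripts the two server-side steps
# described above and verifies the result. Part 1 runs on the Enterprise CA, part 2 on the
# DirectAccess server. $TemplateName is a placeholder for the template you duplicated.
$TemplateName = 'DASmartCardLogon'   # placeholder: the template's Name (Display Name without spaces)

# --- Part 1, Enterprise CA: "Certificate Template to Issue" ---
Import-Module ADCSAdministration
if (Get-CATemplate | Where-Object { $_.Name -eq $TemplateName }) {
    "Template $TemplateName is already published on this CA"
} else {
    # Fails with a 'not found' error until AD replication has delivered the new template;
    # this is the same wait the console walk-through above mentions.
    Add-CATemplate -Name $TemplateName -Force
    "Published template $TemplateName"
}

# --- Part 2, DirectAccess server: "Two-factor authentication" ---
Import-Module RemoteAccess
$da = Get-DAServer
# Two-factor user authentication has computer certificate (IPsec) authentication as a
# prerequisite, so check that before changing anything.
if ($da.ComputerCertAuthentication -ne 'Enabled') {
    throw 'Enable computer certificate authentication (IPsec root CA) in Step 2 first'
}
if ($da.UserAuthentication -ne 'TwoFactor') {
    Set-DAServer -UserAuthentication TwoFactor
}
# Verify: clients now must present a smart card (or OTP) certificate in addition to
# their computer certificate.
$da = Get-DAServer
if ($da.UserAuthentication -ne 'TwoFactor') {
    throw "DirectAccess user authentication is still '$($da.UserAuthentication)'"
}
"DirectAccess user authentication: $($da.UserAuthentication)"
```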

The next steps are creating the actual virtual smart card on the laptop and linking the user certificate to it.
On the laptop a virtual smart card needs to be created. This smart card is stored in the Trusted Platform Module (TPM), a physical chip in the laptop. Open a command prompt (run as administrator) and enter the following command:

tpmvscmgr.exe create /name tpmvsc /pin prompt /adminkey random /generate

You have to enter a PIN code of at least 8 digits. Make sure the user chooses a PIN code he/she can easily remember!

[Screenshot: 12create smartcard2]

Once the virtual smart card has been created, the smart card user certificate can be linked to it. Open a management console (mmc) and add the Certificates snap-in for the local user (My user account):

[Screenshot: 13linkcert0]

Navigate to the Personal store, right click Certificates and choose “Request New Certificate”. Select the Active Directory Enrollment Policy.

[Screenshot: 14_linkcert1]

Press Next and, from the list of presented certificates, choose the certificate template which we added earlier.

[Screenshot: 16_linkcert3]

Click on “Enroll”. When prompted, enter the PIN code which was used when creating the virtual smart card.

[Screenshot: 17linkcert4]

Now the user certificate is linked to the virtual smart card. This actually “binds” the user to this laptop: DirectAccess won’t work for another user on this laptop, or for this user on another laptop!

[Screenshot: 18linkcert5]

Once the certificate has been enrolled, we can test the DirectAccess connection. Connect this laptop to an outside network. Once the connection has been established, DirectAccess wants to connect to the company network automatically. However, now we get a warning “Action required”. This is where we need to enter the PIN code. Once the correct PIN code has been entered, the DirectAccess connection is established and the status changes to “Connected”.

[Screenshot: 20EnterPin]

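To check the laptop side of the procedure above (the TPM before running tpmvscmgr.exe, the virtual smart card reader afterwards, and finally that the enrolled Smart Card Logon certificate really lives on the smart card provider and belongs to the logged-on user), the following added example can be run on the laptop. It is not code from the original article; it assumes Windows PowerShell 5.1 on the domain-joined laptop and the well-known Smart Card Logon EKU OID.

```powershell
# Added example, not part of the original article: pre-checks before creating the TPM virtual
# smart card, and a post-enrollment check that the Smart Card Logon certificate really lives
# on it and belongs to the logged-on user. Assumes Windows PowerShell 5.1 on the domain-joined laptop.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'                    # Smart Card Logon EKU OID
$SmartCardCsp      = 'Microsoft Base Smart Card Crypto Provider' # provider required by the template

# 1. tpmvscmgr.exe needs a TPM that is present and ready (owned, enabled, activated)
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable: present=$($tpm.TpmPresent) ready=$($tpm.TpmReady)"
}

# 2. A TPM virtual smart card shows up as a smart card reader once it has been created
$vsc = Get-PnpDevice -Class SmartCardReader -PresentOnly -ErrorAction SilentlyContinue |
       Where-Object { $_.FriendlyName -like 'Microsoft Virtual Smart Card*' }
if (-not $vsc) { Write-Warning 'No virtual smart card reader found; run tpmvscmgr.exe create first' }

# 3. After enrollment: the user's Smart Card Logon certificate must sit on the smart card CSP
$upn   = (whoami /upn).Trim()
$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku)
}
if (-not $certs) { throw 'No Smart Card Logon certificate enrolled for this user' }

foreach ($cert in $certs) {
    $certUpn = $cert.GetNameInfo([Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
    # Legacy CSP keys expose their container info; CNG keys (not smart card keys here) give $null
    try { $csp = $cert.PrivateKey.CspKeyContainerInfo } catch { $csp = $null }
    $provider = if ($csp) { $csp.ProviderName } else { '<none/CNG>' }
    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        Subject     = $cert.Subject
        CertUpn     = $certUpn
        UpnMatches  = ($certUpn -eq $upn)          # the "binds the user to this laptop" property
        Provider    = $provider
        OnSmartCard = [bool]($csp -and $csp.ProviderName -eq $SmartCardCsp -and $csp.HardwareDevice)
        Expires     = $cert.NotAfter
    }
}
```

A certificate that shows Provider other than the Base Smart Card CSP, or OnSmartCard = False, was enrolled against a software key and will not prompt for the PIN when DirectAccess connects.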