DirectAccess is a convenient way to connect company laptops to internal resources from an outside network. As soon as a network connection exists (usually over Wi-Fi), a DirectAccess connection is brought up automatically. Although very convenient for the user, this poses some challenges. Imagine the user handing the laptop to one of his or her children to play a game. With full access to internal company resources this could lead to painful issues such as accidentally deleted folders. Of course the user shouldn't hand the laptop to others, but that is another discussion.
We can prevent the connection to internal resources from coming up without user interaction by requiring (virtual) smart card authentication: the tunnel that grants access to internal resources is only established after the user enters the smart card PIN. This article explains how to configure both client and server to use this as an extra security measure.
On the infrastructure side two things need to be prepared for smart card authentication in DirectAccess: a new certificate template must be made available on the Enterprise Certification Authority, and after that smart card authentication must be enabled on the DirectAccess server.
Log on to your Enterprise Certification Authority server, open a management console (mmc) and add the Certificate Templates snap-in.
Find the Smartcard Logon template, right-click it and choose "Duplicate Template".
The following details need to be updated in the new copy:
On the "General" tab:
Enter a new name for "Template display name".
On the "Request Handling" tab:
Select "Prompt the user during enrollment and require user input when the private key is used" (this is what forces the PIN prompt every time the key is used)
Minimum key size: 2048
Select "Requests must use one of the following providers"
In the "Providers" list, check "Microsoft Base Smart Card Crypto Provider"
On the "Security" tab, make sure "Enroll" is allowed for Authenticated Users (or for a narrower group containing only the DirectAccess users)
Now open the Certification Authority console and go to the "Certificate Templates" section. Right-click it and choose New > Certificate Template to Issue:
Select the freshly created template. The list is read from Active Directory, so if the new template is not listed yet, wait for replication and try again.
Enabling smart card authentication in DirectAccess
Log on to the DirectAccess server and open the Remote Access Management console. Under "Configuration" click "DirectAccess".
In Step 2 (Remote Access Server) click "Edit..." and go to "Authentication". Select "Two-factor authentication" and click Finish, then apply the configuration so the change is pushed to the server and, through Group Policy, to the clients. Note that two-factor authentication requires "Use computer certificates" on the same page: the IPsec tunnels must authenticate with computer certificates, since the Kerberos proxy used with username/password authentication does not support smart cards.
This enables DirectAccess to require smart card authentication for the user tunnel:
The next steps are creating the actual virtual smart card on the laptop and linking the user certificate to it.
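The server-side steps above can also be done and, more importantly, verified from PowerShell. The following script is an added example and not code from the original article; it runs on the DirectAccess server as an administrator and assumes the CA is reachable as "ca01.corp.example\Corp-CA" and that the duplicated template's display name is "DA Smartcard Logon" (both are placeholders, substitute your own).

```powershell
# Added example (not from the original article): PowerShell equivalent of the
# server-side steps, with the checks a practitioner wants before switching
# DirectAccess to two-factor authentication.
$caConfig     = 'ca01.corp.example\Corp-CA'   # assumed CA config string: host\CA name
$templateName = 'DA Smartcard Logon'          # assumed display name of the duplicated template

# 1. Check that the CA publishes the new template. Publication goes through
#    Active Directory, so a just-added template can take a replication cycle
#    before it shows up here.
$caTemplates = certutil -config $caConfig -CATemplates 2>&1
if (-not ($caTemplates | Select-String -SimpleMatch $templateName)) {
    throw "Template '$templateName' is not (yet) published on $caConfig."
}

# 2. Two-factor (smart card) user authentication only works together with
#    computer certificate authentication for the IPsec tunnels; the Kerberos
#    proxy mode used with username/password does not support it. Stop here
#    instead of producing a configuration clients cannot use.
$da = Get-DAServer
if ($da.ComputerCertAuthentication -ne 'Enabled') {
    throw 'Enable computer certificate authentication first: Set-DAServer -ComputerCertAuthentication Enabled -IPsecRootCertificate <X509Certificate2 of your root CA>'
}

# 3. Switch user authentication from username/password to two-factor. This is
#    what the "Two-factor authentication" option on the Authentication page of
#    Step 2 sets; the change is applied to the server and distributed to the
#    clients via Group Policy.
Set-DAServer -UserAuthentication TwoFactor

# 4. Verify that the setting stuck.
$da = Get-DAServer
if ($da.UserAuthentication -ne 'TwoFactor') {
    throw "User authentication is '$($da.UserAuthentication)', expected 'TwoFactor'."
}
"User authentication: $($da.UserAuthentication); computer certificates: $($da.ComputerCertAuthentication)"
```

The template check is deliberately done from the DirectAccess server with -config, so the script does not need to run on the CA itself; Get-DAServer and Set-DAServer come with the Remote Access role.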
On the laptop a virtual smart card needs to be created. Its private keys are generated in and protected by the Trusted Platform Module (TPM), the security chip in the laptop, so the TPM must be enabled and initialised first. Open an elevated command prompt and enter the following command:
tpmvscmgr.exe create /name tpmvsc /pin prompt /adminkey random /generate
You will be prompted for a PIN of at least 8 characters (the default PIN policy). Make sure the user chooses a PIN he or she can easily remember: with "/adminkey random" the admin key is discarded, so a forgotten or blocked PIN cannot be reset and the card has to be destroyed (tpmvscmgr.exe destroy /instance <instance ID printed by the create command>) and created again. Add "/puk prompt" to the create command if you want a PUK that can unblock the PIN.
Once the virtual smart card has been created, the smart card user certificate can be enrolled onto it. Open a management console (mmc) and add the Certificates snap-in for the local user (My user account):
Navigate to the Personal store, right-click "Certificates" and choose All Tasks > "Request New Certificate". Select the Active Directory Enrollment Policy.
Click Next and, from the list of presented templates, choose the one we added earlier.
Click "Enroll". When prompted, enter the PIN that was set when creating the virtual smart card.
The key pair for the user certificate is now generated on the virtual smart card. This effectively "binds" the user to this laptop: the private key is non-exportable and lives in this laptop's TPM, so DirectAccess won't work for another user on this laptop (who has no certificate on the card) or for this user on another laptop (which has no card holding this key).
Once the certificate has been enrolled, we can test the DirectAccess connection. Connect the laptop to an outside network. Once the network connection is up, DirectAccess tries to connect to the company network automatically, but now the connection status shows the warning "Action required": this is where the PIN has to be entered. Once the correct PIN has been entered, the DirectAccess connection is established and the status changes to "Connected".
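The client-side procedure (TPM check, virtual smart card creation, enrollment and verification) as one script. This is an added example, not code from the original article; it runs from an elevated PowerShell prompt on the laptop, logged on as the user who will use DirectAccess. The card name "tpmvsc" is the one used above; the template name "DASmartcardLogon" (the "Template name" field of the duplicated template, not its display name) is an assumption.

```powershell
# Added example (not from the original article): client-side steps with the
# checks that tell you whether the key really ended up on the virtual card.
$cardName     = 'tpmvsc'             # name used in the article's tpmvscmgr command
$templateName = 'DASmartcardLogon'   # assumed template name of the duplicated template

# 1. A TPM virtual smart card needs a TPM that is present, enabled and owned.
#    Get-Tpm ships with Windows 8 / Server 2012 and later.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable (present=$($tpm.TpmPresent), ready=$($tpm.TpmReady)); enable and initialise it (tpm.msc) first."
}

# 2. Create the virtual smart card. /pin prompt asks for the PIN on the console;
#    /adminkey random discards the admin key, so a blocked or forgotten PIN
#    cannot be reset and the card must be destroyed (using the instance ID this
#    command prints) and recreated. Add "/puk prompt" for a PUK that can unblock it.
& tpmvscmgr.exe create /name $cardName /pin prompt /adminkey random /generate
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr.exe create failed with exit code $LASTEXITCODE" }

# 3. Enroll the smart card logon certificate against the Active Directory
#    enrollment policy (-Url ldap:) into the user's Personal store. Because the
#    template only allows the Microsoft Base Smart Card Crypto Provider, the key
#    pair is generated on the virtual card and Windows prompts for its PIN.
$enroll = Get-Certificate -Template $templateName -Url ldap: -CertStoreLocation Cert:\CurrentUser\My
if ($enroll.Status -ne 'Issued') { throw "Enrollment did not complete: status $($enroll.Status)" }
$cert = $enroll.Certificate

# 4. Verify that the private key lives on the smart card and not in a software
#    key container: certutil reports the provider backing the certificate's key.
$store = certutil -user -store My $cert.Thumbprint 2>&1 | Out-String
if ($store -notmatch 'Microsoft Base Smart Card Crypto Provider') {
    throw "Key for $($cert.Thumbprint) is not on the smart card:`n$store"
}
"Enrolled $($cert.Subject) ($($cert.Thumbprint)) on virtual smart card '$cardName'."

# 5. On an outside network DirectAccess now waits for the PIN; after it has been
#    entered, the client-side status should report a remote connection.
Get-DAConnectionStatus | Format-List Status, Substatus
```

Step 4 is the check worth keeping around: if the template permissions or provider restriction were wrong, enrollment still succeeds but the key ends up in a software container, and DirectAccess would then accept the certificate without any PIN at all.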