

by Greg Shields
Usernames and passwords are good things. They provide a mechanism for proving that the person identified is indeed who they claim to be. But usernames and passwords are only one component of authentication, providing merely “something you know.” Elevating a weak authentication system such as passwords to a strong authentication system also requires “something you have.”
In today’s computing environment, that “something you have” typically takes the form of a smart card. When users carefully secure their smart cards and use them in combination with usernames and passwords, you gain further assurance that the right person is receiving access.
However, the central problem with smart cards is that you have to have them with you if you want to use them. If you’ve ever left your smart card at home, only to realize that you won’t be logging in at work that day, you know this pain.
What many environments really want is not a smart card required at every login. Connecting to low-sensitivity resources might be acceptable with a username and password combination alone. Many environments long for a two-stage, two-factor authentication solution. In such a solution, the individual’s username and password combination authenticates them well enough to grant access to most of their resources. Other, more highly sensitive resources are locked behind authentication’s second stage, with access gained only through smart card authentication.
Such a solution wasn’t natively available until Windows Server 2008 R2. With this OS version’s new Authentication Mechanism Assurance feature, it becomes possible to create that very two-stage authentication. At its simplest, Authentication Mechanism Assurance creates a special group in your AD. This group is applied to sensitive resources that need strong authentication. On the other side, users are only added to this group when their logon includes the use of a smart card.
As a result, users who log in with smart cards gain special access to special resources. Others who don’t log in with smart cards have no access.
The complete step-by-step walkthrough for this process can be found in the Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide found at http://technet.microsoft.com/en-us/library/dd378897(WS.10,printer).aspx. Environments that want to implement this feature should pay special attention to the steps in that document, as the process requires many non-automated steps to lay down the feature’s framework. However, this article will get you started with a few key steps.
Step one requires a domain that is at the Windows Server 2008 R2 Domain Functional Level. This requires every domain controller in the domain to be upgraded to that OS. See this series’ article on upgrading if you need the details on this process. Clients who use this service must also be running Windows 7.
Step two first requires copying two PowerShell scripts from the URL noted earlier. Named get-IssuancePolicy.ps1 and set-IssuancePolicyToGroupLink.ps1, these two scripts provide a way to view and set the necessary certificate-to-group mapping. Remember that any smart card is really just a container for one or more certificates that uniquely identify its user and their accesses. In the case of this feature, you will use these scripts to map a particular certificate issuance policy to a Universal Security Group. This step assumes you have an identified certificate issuance policy for sensitive data that is currently provisioned to your users’ smart cards.
Step three is far simpler. In this step, simply replace the access permissions on your sensitive data with the Universal Security Group created in step two. With this new security group as the only group granted access to the resource, users will obviously need to be in the group to access the resource. Their logon token will contain that group when they log in using their smart card, by virtue of step two’s certificate-to-group mapping.
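As an added example (not part of this article or of Microsoft’s step-by-step guide), the following PowerShell script verifies the three steps above after you have run the guide’s scripts. Authentication Mechanism Assurance stores the certificate-to-group mapping as the msDS-OIDToGroupLink attribute on the issuance policy’s OID object in the Configuration partition, so the script reads that attribute directly rather than calling get-IssuancePolicy.ps1. It assumes the ActiveDirectory module (RSAT) is installed, and the group name and share path are placeholders you would replace with your own.

```powershell
# Added verification script for the three AMA steps (not from the article or Microsoft's guide).
# Assumptions: ActiveDirectory PowerShell module available; run as a domain user who can read the
# Configuration partition and the resource's ACL. $sensitiveGroup and $sensitivePath are placeholders.
Import-Module ActiveDirectory

$sensitiveGroup = 'SmartCardOnlyAccess'         # placeholder: group linked to the issuance policy in step two
$sensitivePath  = '\\fileserver\SensitiveData'  # placeholder: resource whose ACL was replaced in step three

# --- Step one: the domain must be at the Windows Server 2008 R2 functional level (or later).
function Test-AmaDomainLevel {
    $domain = Get-ADDomain
    $required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
    [pscustomobject]@{
        Check = 'DomainFunctionalLevel'
        Value = $domain.DomainMode
        Pass  = ($domain.DomainMode -ge $required)
    }
}

# --- Step two: list every issuance policy OID that is linked to a group, and check the group.
# set-IssuancePolicyToGroupLink.ps1 writes the link into msDS-OIDToGroupLink on the OID object.
function Get-AmaPolicyLinks {
    $config       = (Get-ADRootDSE).configurationNamingContext
    $oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$config"
    Get-ADObject -SearchBase $oidContainer `
        -LDAPFilter '(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*))' `
        -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink' |
    ForEach-Object {
        # The attribute holds the group's distinguished name, which Get-ADGroup accepts as an identity.
        $group = Get-ADGroup -Identity $_.'msDS-OIDToGroupLink' -Properties Members
        [pscustomobject]@{
            IssuancePolicy = $_.displayName
            OID            = $_.'msPKI-Cert-Template-OID'
            LinkedGroup    = $group.Name
            # The guide requires a Universal Security Group; membership is injected into the token at
            # smart card logon, so static members are flagged here (assumption: none are expected).
            IsUniversal    = ($group.GroupScope -eq 'Universal')
            IsSecurity     = ($group.GroupCategory -eq 'Security')
            StaticMembers  = @($group.Members).Count
        }
    }
}

# --- Step three: the resource should grant access to the linked group and nobody else.
# SYSTEM and Domain Admins are tolerated here as an administrative allowance of this script, not a rule from the guide.
function Test-AmaResourceAcl {
    param([string]$Path, [string]$GroupName)
    $netbios  = (Get-ADDomain).NetBIOSName
    $expected = "$netbios\$GroupName"
    $tolerated = @('NT AUTHORITY\SYSTEM', "$netbios\Domain Admins")
    $allow = (Get-Acl -Path $Path).Access | Where-Object { $_.AccessControlType -eq 'Allow' }
    $linked = $allow | Where-Object { $_.IdentityReference.Value -eq $expected }
    $others = $allow | Where-Object {
        ($_.IdentityReference.Value -ne $expected) -and ($tolerated -notcontains $_.IdentityReference.Value)
    }
    [pscustomobject]@{
        Check             = 'ResourceAcl'
        Path              = $Path
        GrantsLinkedGroup = [bool]$linked
        OtherAllowEntries = @($others | ForEach-Object { $_.IdentityReference.Value })
    }
}

Test-AmaDomainLevel
Get-AmaPolicyLinks | Format-Table -AutoSize
Test-AmaResourceAcl -Path $sensitivePath -GroupName $sensitiveGroup

# End-to-end check from a Windows 7 client: after a smart card logon the linked group is present in
# the user's token and listed by "whoami /groups"; after a password-only logon by the same user it is
# absent, which is the two-stage behaviour the article describes.
```

Running Get-AmaPolicyLinks is also a useful periodic control: any OID object that acquires an msDS-OIDToGroupLink you did not configure, or a linked group that stops being a Universal Security Group or gains static members, means the smart-card-only boundary no longer holds and is worth alerting on.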
These steps are only a simplification of how the entire setup process works; however, they’re designed to get you started before you read through Microsoft’s not-very-simple step-by-step guide. If your environment today has, or is considering, the use of smart cards, take a look at this feature. You might find that its creation of a double standard for sensitive data access makes the far less expensive weak authentication a smart move for everyone else.
About the Author
Greg Shields is an independent author, speaker, and IT consultant, as well as a Partner and Principal Technologist with Concentrated Technology. With 15 years in information technology, Greg has developed extensive experience in systems administration, engineering, and architecture, specializing in Microsoft OS, remote application, systems management, and virtualization technologies. He is a Contributing Editor and columnist for TechNet Magazine and Redmond Magazine, and serves as the Series Editor for Realtime Publishers, the world’s leading provider of high-quality content for the IT market. Greg is a highly sought-after and top-ranked speaker for both live and recorded events, and is seen regularly at conferences like TechMentor Events, Microsoft Tech Ed, VMworld, and more. He is a multiple recipient of the Microsoft “Most Valuable Professional” award.
