You must create a certificate template that can be used for issuing short-lived certificates, and you must specify which computers in the domain can request this type of certificate.

About this task

You can create more than one certificate template. You can configure only one template per domain but you can share the template across multiple domains. For example, if you have an Active Directory forest with three domains and you want to use True SSO for all three domains, you can choose to configure one, two, or three templates. All domains can share the same template, or you can have different templates for each domain.

Prerequisites

  • Verify that you have an enterprise CA to use for creating the template described in this procedure. See Set Up an Enterprise Certificate Authority.

  • Verify that you have prepared Active Directory for smart card authentication. For more information, see the View Installation document.

  • Create a security group in the domain and forest for the enrollment servers, and add the computer accounts of the enrollment servers to that group.

Procedure

  1. To configure True SSO, on the machine that you are using for the certificate authority, log in to the operating system as an administrator and go to Administrative Tools > Certification Authority.
    1. Expand the tree in the left pane, right-click Certificate Templates and select Manage.
    2. Right-click the Smartcard Logon template and select Duplicate.
    3. Make the following changes on the following tabs:

      Compatibility tab

      • For Certificate Authority, select Windows Server 2008 R2.

      • For Certificate Recipient, select Windows 7/Windows Server 2008 R2.

      General tab

      • Change the template display name to True SSO.

      • Change the validity period to a period that is as long as a typical working day; that is, as long as the user is likely to remain logged in to the system.

        So that the user does not lose access to network resources while logged on, the validity period must be longer than the Kerberos TGT renewal time in the user's domain.

        (The default maximum lifetime of the ticket is 10 hours. To find this setting in the Default Domain Policy, go to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy > Maximum lifetime for user ticket.)

      • Change the renewal period to 1 day.

      Request Handling tab

      • For Purpose, select Signature and smartcard logon.

      • Select For automatic renewal of smart cards, …

      Cryptography tab

      • For Provider Category, select Key Storage Provider.

      • For Algorithm name, select RSA.

      Server tab

      Select Do not store certificates and requests in the CA database.

      Important:

      Make sure to deselect Do not include revocation information in issued certificates. (This box is selected automatically when you select the first one, and you must clear it.)

      Issuance Requirements tab

      • Select This number of authorized signatures, and type 1 in the box.

      • For Policy type, select Application Policy and set the policy to Certificate Request Agent.

      • For Require the following for reenrollment, select Valid existing certificate.

      Security tab

      For the security group that you created for the enrollment server computer accounts, as described in the prerequisites, provide the following permissions: Read, Enroll.

      1. Click Add.

      2. Specify which computers to allow to enroll for certificates.

      3. For these computers, select the appropriate check boxes to give the computers the following permissions: Read, Enroll.

    4. Click OK in the Properties of New Template dialog box.
    5. Close the Certificate Templates Console window.
    6. Right-click Certificate Templates and select New > Certificate Template to Issue.
      Note:

      This step is required for all certificate authorities that issue certificates based on this template.

    7. In the Enable Certificate Templates window, select the template you just created (for example, True SSO Template) and click OK.
  2. To configure the Enrollment Agent Computer template, on the machine that you are using for the certificate authority, log in to the operating system as an administrator and go to Administrative Tools > Certification Authority.
    1. Expand the tree in the left pane, right-click Certificate Templates and select Manage.
    2. Locate and open the Enrollment Agent Computer template and then make the following change on the Security tab:

      For the security group that you created for the enrollment server computer accounts, as described in the prerequisites, provide the following permissions: Read, Enroll.

      1. Click Add.

      2. Specify which computers to allow to enroll for certificates.

      3. For these computers, select the appropriate check boxes to give the computers the following permissions: Read, Enroll.

    3. Right-click Certificate Templates and select New > Certificate Template to Issue.
      Note:

      This step is required for all certificate authorities that issue certificates based on this template.

    4. In the Enable Certificate Templates window, select Enrollment Agent Computer and click OK.
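
The following PowerShell check is an added example and is not part of the original procedure: it reads the template back from the Active Directory configuration partition and verifies the settings that matter most for True SSO (validity longer than the domain's Kerberos ticket lifetime, revocation information included, exactly one Certificate Request Agent signature required). It assumes the template display name is True SSO and that the Kerberos policy is defined in the Default Domain Policy, as described above; the SYSVOL path and attribute names are the standard AD CS ones.

```powershell
# Added verification script (not from the original procedure). Assumes the
# template display name "True SSO" and Kerberos policy in the Default Domain Policy.
Import-Module ActiveDirectory

$TemplateName = 'True SSO'
$Domain       = (Get-ADDomain).DNSRoot
$ConfigNC     = (Get-ADRootDSE).configurationNamingContext
$TemplateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

# pKIExpirationPeriod / pKIOverlapPeriod are 8-byte negative 100-ns intervals.
function ConvertFrom-PkiPeriod([byte[]]$Bytes) {
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

$t = Get-ADObject -SearchBase $TemplateBase -LDAPFilter "(displayName=$TemplateName)" `
        -Properties pKIExpirationPeriod, pKIOverlapPeriod, 'msPKI-Enrollment-Flag',
                    'msPKI-RA-Signature', 'msPKI-RA-Application-Policies',
                    'msPKI-Certificate-Application-Policy'
if (-not $t) { throw "Template '$TemplateName' not found under $TemplateBase" }

$validity = ConvertFrom-PkiPeriod $t.pKIExpirationPeriod   # General tab: validity period
$renewal  = ConvertFrom-PkiPeriod $t.pKIOverlapPeriod      # General tab: renewal period

# "Maximum lifetime for user ticket" (hours) from the Default Domain Policy's
# security template in SYSVOL; {31B2F340-...} is that GPO's well-known GUID.
$gpt = "\\$Domain\SYSVOL\$Domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}" +
       "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
$maxTicketHours = 10   # Windows default when the policy is not set explicitly
$line = Get-Content -Path $gpt -Encoding Unicode |
        Where-Object { $_ -match '^\s*MaxTicketAge\s*=' } | Select-Object -First 1
if ($line -and $line -match '=\s*(\d+)') { $maxTicketHours = [int]$Matches[1] }

$raPolicies  = @($t.'msPKI-RA-Application-Policies') -join ','
$ekuPolicies = @($t.'msPKI-Certificate-Application-Policy') -join ','
$checks = [ordered]@{
  'Validity exceeds Kerberos TGT lifetime'       = $validity -gt [TimeSpan]::FromHours($maxTicketHours)
  'Renewal period is 1 day'                      = $renewal -eq [TimeSpan]::FromDays(1)
  'Revocation info included (flag 0x4000 clear)' = ($t.'msPKI-Enrollment-Flag' -band 0x4000) -eq 0
  'Exactly one authorized signature required'    = $t.'msPKI-RA-Signature' -eq 1
  'Signing cert must be Certificate Request Agent' = $raPolicies -like '*1.3.6.1.4.1.311.20.2.1*'
  'EKU includes Smart Card Logon'                = $ekuPolicies -like '*1.3.6.1.4.1.311.20.2.2*'
}

"Template '$TemplateName': validity $validity, renewal $renewal, TGT max $maxTicketHours h"
$checks.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
```

Run it as a domain user with read access to SYSVOL; a FAIL on the revocation line means the auto-selected checkbox on the Server tab was left set.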

What to do next

Create an enrollment service. See Install and Set Up an Enrollment Server.