Configure PKI authentication for RDP connections

A public key infrastructure (PKI) is the set of components that issues and manages digital certificates. A personal user certificate is issued and signed by a Certificate Authority (CA), and the matching private key is held by the user (on the smart card, in the scenario described here). This personal certificate allows the user to authenticate to any system that trusts the issuing CA.

Windows supports smart card logon built on PKI. PSM authentication to Privilege Cloud integrates with this native Windows smart card authentication rather than replacing it.

When establishing an RDP connection, the user is prompted to insert the smart card and enter the PIN. Authentication is then performed at the domain level, and the connection to the target is established.

To configure smart card authentication you will need the assistance of CyberArk support. Provide CyberArk support with the following information:

  • The default Smart Card authentication is based on PKI with Distinguished Name (DN). Inform CyberArk support if you want to configure it to be based on PKI with Principal Name (PKI\PN).

Requirements

  • PSM is installed on a domain-joined machine
  • The Privilege Cloud environment is configured with LDAP integration
  • Smart card drivers are installed on the PSM machine
  • The Access this computer from the network user right is granted to all users who authenticate with PKI.

Default authentication method

The PSM for Windows connection supports authentication with credentials or with a smart card. By default the credentials (password) tile is selected, and the user can switch to smart card authentication from the Windows sign-in tiles.

To set the default type to smart card, add SetPKIAuthAsDefault=Yes to the basic_psm.ini file. For details, see SetPKIAuthAsDefault.

On Windows Server 2016 and Windows Server 2019, you must also set the Assign a default credential provider group policy, either in the local policy on the PSM machine or in a domain GPO that applies to it. The GUID below is the built-in Windows Smart Card credential provider.

  • On the PSM machine, run gpedit.msc.
    1. Go to Computer Configuration > Administrative Templates > System > Logon.
    2. Set Assign a default credential provider to {8FD7E19C-3BF7-489B-A72C-846AB3678C96}.
  • On the domain, run gpmc.msc.
    1. Open the relevant group policy object, right click, and select Edit.
    2. Go to Computer Configuration > Administrative Templates > System > Logon.
    3. Set Assign a default credential provider to {8FD7E19C-3BF7-489B-A72C-846AB3678C96}.
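The same policy change, scripted and verified from PowerShell instead of through the gpedit.msc or gpmc.msc UI. This is an added example and not part of the CyberArk documentation. It assumes that the Assign a default credential provider policy is backed by the REG_SZ value DefaultCredentialProvider under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (the registry mapping of that ADMX policy, to my knowledge), that the PSM install path is C:\Program Files (x86)\CyberArk\PSM, and the GPO name "PSM Smart Card Logon" is hypothetical.

```powershell
# Added example (not CyberArk's code): set the "Assign a default credential provider"
# policy to the Windows Smart Card credential provider and verify the result.
# Assumptions: registry backing of the policy (Policies\System\DefaultCredentialProvider),
# the PSM install path, and the GPO name are not taken from the page.

$SmartCardClsid = '{8FD7E19C-3BF7-489B-A72C-846AB3678C96}'   # Smart Card credential provider (from the page)
$PolicyKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName      = 'DefaultCredentialProvider'

# 1. Sanity check: the CLSID must be registered as a credential provider on this host.
#    Pointing the policy at an unregistered provider does not make smart card the default.
$providerKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\$SmartCardClsid"
if (-not (Test-Path $providerKey)) {
    throw "Credential provider $SmartCardClsid is not registered on this machine."
}
$providerName = (Get-ItemProperty -Path $providerKey).'(default)'
Write-Host "Default credential provider will be: $providerName $SmartCardClsid"

# 2a. Local policy on the PSM machine (equivalent of the gpedit.msc steps above).
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $SmartCardClsid -Type String

# 2b. Alternatively, write the same value into a domain GPO linked to the PSM servers'
#     OU (run where the GroupPolicy RSAT module is available; GPO name is hypothetical).
# Set-GPRegistryValue -Name 'PSM Smart Card Logon' `
#     -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
#     -ValueName $ValueName -Type String -Value $SmartCardClsid

# 3. Verify the effective policy value.
$effective = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction Stop).$ValueName
if ($effective -ne $SmartCardClsid) {
    throw "Policy value is '$effective', expected $SmartCardClsid"
}
Write-Host "Policy $ValueName = $effective"

# 4. Confirm the basic_psm.ini switch described on the page is present as well; the
#    GPO alone only changes the Windows sign-in tile, not PSM's own default.
$ini = 'C:\Program Files (x86)\CyberArk\PSM\basic_psm.ini'   # assumed install path
if (Test-Path $ini) {
    $line = Select-String -Path $ini -Pattern '^\s*SetPKIAuthAsDefault\s*=\s*Yes\s*$'
    if ($line) { Write-Host "basic_psm.ini: $($line.Line.Trim())" }
    else       { Write-Warning "SetPKIAuthAsDefault=Yes not found in $ini" }
} else {
    Write-Warning "basic_psm.ini not found at $ini; check the PSM install path"
}
```

After changing the domain GPO, run gpupdate /target:computer /force on the PSM machine (or wait for the next policy refresh) before testing. Note the scope of this control: it only pre-selects the smart card tile at sign-in; users can still pick the password tile, so it is a usability default, not an enforcement of smart-card-only logon.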

PKI with Principal Name (PKI\PN)

The default Smart Card authentication is based on PKI with Distinguished Name (DN). To configure it to be based on PKI with Principal Name (PKI\PN):

  1. In the Privilege Cloud Portal, open configuration > options.
  2. Go to Configurations > PSM > General settings > Server settings > Advanced settings.
  3. Set EnablePKIPNAuth=Yes.

Limitations

To connect through PSM with Network Level Authentication (NLA) without providing the target system details, your username must contain the login pattern configured by your administrator in the PSMLoginPattern parameter. For details, see PSM basic parameters file.

To connect with PKI authentication, the same login pattern must be included in the username. For details, see Connect using RDP.