Configure PKI authentication for PSM for Windows

A public key infrastructure (PKI) is a security infrastructure that creates and manages digital certificates. A personal user certificate with a private key is generated and signed by the Certificate Authority (CA). This personal certificate allows the user to authenticate to any system that trusts this CA.

Windows operating systems allow authentication via smart card, utilizing PKI infrastructure. PSM authentication to the Vault is integrated into the native smart card authentication by Windows.

When establishing a PSM for Windows connection, the user is prompted to connect the smart card and enter the PIN code. Then authentication is performed on the domain level and the connection to the target is established.

Requirements

  • PSM is installed on a domain-joined machine
  • The Vault is configured with LDAP integration
  • Smart card drivers are installed on the PSM machine
  • The "Access this computer from the network" group policy is enabled for all users who use PKI authentication.
  • If the user is required to use Network Level Authentication (NLA), the user must be a member of the Remote Desktop Users group on the PSM machine.
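The following PowerShell script is an added example, not part of the CyberArk documentation or product. It checks the local prerequisites above on the PSM machine: domain membership, the presence of a working smart card reader, which accounts hold the "Access this computer from the network" right (exported with secedit, where the right appears as SeNetworkLogonRight), and who is in the local Remote Desktop Users group. The Vault's LDAP integration cannot be verified from the PSM host, so it is not covered. Run it in an elevated session; the function name is an assumption.

```powershell
# Added example (not CyberArk code): report the PSM host prerequisites for PKI authentication.
# Requires an elevated session because secedit /export reads the local security policy.
function Test-PsmPkiPrerequisites {
    $report = [ordered]@{}

    # 1. PSM must be installed on a domain-joined machine
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $report['DomainJoined'] = $cs.PartOfDomain
    $report['Domain']       = $cs.Domain

    # 2. Smart card drivers: at least one reader in the SmartCardReader PnP class with status OK
    $readers = Get-PnpDevice -Class SmartCardReader -ErrorAction SilentlyContinue |
               Where-Object Status -eq 'OK'
    $report['SmartCardReaders'] = ($readers | ForEach-Object FriendlyName) -join '; '

    # 3. "Access this computer from the network" = SeNetworkLogonRight in the exported policy.
    #    secedit stores holders as *SID entries; translate them to account names for readability.
    $cfg = Join-Path $env:TEMP ('secpol_{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /cfg $cfg | Out-Null
    $holders = @()
    $line = Select-String -Path $cfg -Pattern '^SeNetworkLogonRight\s*=' | Select-Object -First 1
    if ($line) {
        $holders = ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).
                        Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }   # unresolvable SID: keep the raw value
            } else { $entry }
        }
    }
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    $report['NetworkLogonRightHolders'] = $holders -join '; '

    # 4. NLA connections: PKI users must be members of the local Remote Desktop Users group
    $rdp = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    $report['RemoteDesktopUsers'] = ($rdp | ForEach-Object Name) -join '; '

    [pscustomobject]$report
}

Test-PsmPkiPrerequisites | Format-List
```

Compare NetworkLogonRightHolders and RemoteDesktopUsers against the set of users or groups that will authenticate with PKI; a user missing from the first list is refused at the domain level before the smart card is ever read.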

During PSM installation

If you install PSM using the installation wizard, select Enable PKI authentication for PSM. For details, see PSM wizard installation.

If you install PSM using the automatic installation scripts, during the registration stage set usepkiauthentication=Yes. For details, see Registration.

If you did not enable PKI authentication during installation, you must add the relevant authorization to the PSMGW user:

  1. In PrivateArk, go to Tools > Users and Groups.
  2. Select the PSMGW user.
  3. In the General tab, select Provide full impersonation.
  4. Click OK.

In PVWA

To have the Vault automatically provision the user's Subject Name from Active Directory into the Vault user's DN field:

  1. Go to Administration > LDAP Integration.
  2. Expand Directories and select the integrated directory.
  3. Set UseLDAPCertificateOnly to Yes.

Default authentication method

The PSM for Windows connection supports authentication with credentials or with a smart card. The default authentication type is credentials; the user can switch to smart card authentication from the Windows sign-in tiles.

To set the default type to smart card, add SetPKIAuthAsDefault=Yes to the basic_psm.ini file. For details, see SetPKIAuthAsDefault.

For Windows 2016 and Windows 2019, you must edit the Assign a default credential provider group policy on the PSM machine or on the domain GPO.

  • On the PSM machine, run gpedit.msc.
    1. Go to Computer Configuration > Administrative Templates > System > Logon.
    2. Set Assign a default credential provider to {8FD7E19C-3BF7-489B-A72C-846AB3678C96}.
  • On the domain, run gpmc.msc.
    1. Open the relevant group policy object, right click, and select Edit.
    2. Go to Computer Configuration > Administrative Templates > System > Logon.
    3. Set Assign a default credential provider to {8FD7E19C-3BF7-489B-A72C-846AB3678C96}.
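The following PowerShell function is an added example, not part of the CyberArk documentation or product. It verifies the two settings this section describes: SetPKIAuthAsDefault=Yes in basic_psm.ini, and the "Assign a default credential provider" policy, which Windows applies as the DefaultCredentialProvider string value under HKLM\SOFTWARE\Policies\Microsoft\Windows\System whether it was set with gpedit.msc or by a domain GPO. It also confirms that the GUID from the procedure above is registered as a credential provider on the machine. The basic_psm.ini path is an assumption; pass your installation's path.

```powershell
# Added example (not CyberArk code): verify that smart card is the default PSM authentication type.
function Test-PsmDefaultSmartCard {
    param(
        # Assumed location; pass the real path of basic_psm.ini on your PSM machine
        [string]$BasicPsmIni = 'C:\Program Files (x86)\CyberArk\PSM\basic_psm.ini'
    )

    $expectedProvider = '{8FD7E19C-3BF7-489B-A72C-846AB3678C96}'   # GUID from the procedure above
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $providerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

    # 1. basic_psm.ini: read the SetPKIAuthAsDefault value. The key match is case-insensitive,
    #    whitespace around '=' is tolerated, and lines commented out with ';' or '#' do not match.
    $iniValue = $null
    $iniFound = Test-Path -LiteralPath $BasicPsmIni
    if ($iniFound) {
        $hit = Select-String -LiteralPath $BasicPsmIni -Pattern '^\s*SetPKIAuthAsDefault\s*=\s*(\S+)' |
               Select-Object -First 1
        if ($hit) { $iniValue = $hit.Matches[0].Groups[1].Value }
    }

    # 2. Effective policy value (local gpedit.msc and domain GPO both land here once policy is applied)
    $policyValue = (Get-ItemProperty -Path $policyKey -Name DefaultCredentialProvider `
                        -ErrorAction SilentlyContinue).DefaultCredentialProvider

    # 3. The CLSID the policy points at must be a registered credential provider,
    #    otherwise the logon screen silently falls back to the Windows default.
    $providerRegistered = Test-Path -LiteralPath (Join-Path $providerKey $expectedProvider)

    [pscustomobject]@{
        IniFound                  = $iniFound
        SetPKIAuthAsDefault       = $iniValue
        IniOk                     = ($iniValue -ieq 'Yes')
        DefaultCredentialProvider = $policyValue
        PolicyOk                  = ($policyValue -ieq $expectedProvider)
        ProviderRegistered        = $providerRegistered
        AllOk                     = ($iniValue -ieq 'Yes') -and ($policyValue -ieq $expectedProvider) -and $providerRegistered
    }
}

Test-PsmDefaultSmartCard | Format-List
```

When the policy is delivered by a domain GPO, run gpupdate on the PSM machine before checking, since PolicyOk reads the applied value rather than the GPO itself.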

PKI with Principal Name (PKI\PN)

The default smart card authentication is based on PKI with Distinguished Name (DN). To base it on PKI with Principal Name (PKI\PN) instead:

  1. In the PVWA, open Configuration > Options.
  2. Go to Configurations > PSM > General settings > Server settings > Advanced settings.
  3. Set EnablePKIPNAuth=Yes.

    For details, see EnablePKIPNAuth.

Limitations

To connect through PSM with NLA without providing the target system details, your username must contain the login pattern configured by your Administrator in the PSMLoginPattern parameter. For details, see PSM basic parameters file.

To connect with PKI authentication, you must use the pattern in the username. For details, see Connect to a target.