Lithnet Access Manager
v1.0
Setting up smart card authentication


Last updated 2 years ago

The default implementation of smart card/certificate support requires that the certificate contain a subject alternative name (SAN) containing the user's UPN in order for them to successfully log on.

You can also enable support for Active Directory altSecurityIdentities, to support certificates without a UPN.

The caveat with this implementation is that it only works within the forest in which the AMS service is located. Because web-based certificate authentication happens at the TLS level, AMS is unable to prompt for a username or domain hint, so it can only search the local global catalog for altSecurityIdentities values.

In line with the Microsoft implementation for altSecurityIdentities, AMS searches the directory for a user match in the following order:

X509:<I><S>
X509:<S>*
X509:<I><SR>
X509:<SKI>
X509:<SHA1-PUKEY>
X509:<RFC822>*

(*) Use of these altSecurityIdentities types requires that certificate issuer validation against the NT Auth store is enabled.

Enabling altSecurityIdentities Support

First, ensure you save and close any instances of the Access Manager Configuration Tool.

Then navigate to the AMS config file, usually located at C:\Program Files\Lithnet\Access Manager Service\config\appsettings.json.

Locate the ClientCert element, and set the IdentityResolutionMode value to one of the following values:

Value
Description

Default

Default behavior (equivalent to UpnSan)

UpnSan

Find the user using the UPN located in the certificate's subject alternative names. If the UPN is not present, or no match can be found in the directory, the user login is denied

AltSecurityIdentities

Find the user using the altSecurityIdentities attribute. If no match can be found, the user login is denied

UpnSan, AltSecurityIdentities

First, attempt to find the user using the UPN located in the certificate's subject alternative names. If the UPN is not present, or no match can be found in the directory, try to find the user using the altSecurityIdentities attribute. If no match can be found, the user login is denied. Note that the order of these values does not matter. The UPN check will always be performed first.

Example

"ClientCert": {
  "RequiredEkus": [],
  "ValidationMethod": "NtAuthStore",
  "RequireSmartCardLogonEku": true,
  "TrustedIssuers": [],
  "IdentityResolutionMode": "UpnSan, AltSecurityIdentities"
}
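As an added illustration (not Lithnet's code), the Python below models the resolution behaviour described on this page: the UPN SAN lookup runs first whenever UpnSan is part of the mode, then each altSecurityIdentities form is tried in the order listed above, with the starred forms skipped unless ValidationMethod is NtAuthStore. The certificate fields, the directory contents and the reversed-serial formatting are constructed assumptions, not values taken from AMS.

```python
from dataclasses import dataclass
# Search order from the list above; True marks the starred types AMS consults only with NtAuthStore validation.
SEARCH_ORDER = [("I_S", False), ("S", True), ("I_SR", False),
                ("SKI", False), ("SHA1_PUKEY", False), ("RFC822", True)]
@dataclass
class Cert:  # stand-in for the parsed client certificate (constructed fields)
    issuer: str
    subject: str
    serial_reversed: str  # serial in the byte order the <SR> form uses (assumption)
    ski: str
    sha1_pukey: str
    rfc822: str = ""  # empty means the certificate lacks the value
    upn_san: str = ""

DIRECTORY = {  # constructed sample of users in the local global catalog
    "alice": {"upn": "alice@corp.example", "altSecurityIdentities": []},
    "bob": {"upn": "bob@corp.example", "altSecurityIdentities":
            ["X509:<S>CN=bob,OU=Users,DC=corp,DC=example"]},
}

def alt_sec_ids(cert):
    """altSecurityIdentities strings this certificate can match, keyed by type."""
    ids = {"I_S": f"X509:<I>{cert.issuer}<S>{cert.subject}",
           "S": f"X509:<S>{cert.subject}",
           "I_SR": f"X509:<I>{cert.issuer}<SR>{cert.serial_reversed}",
           "SKI": f"X509:<SKI>{cert.ski}",
           "SHA1_PUKEY": f"X509:<SHA1-PUKEY>{cert.sha1_pukey}"}
    if cert.rfc822:
        ids["RFC822"] = f"X509:<RFC822>{cert.rfc822}"
    return ids

def parse_mode(mode):
    """IdentityResolutionMode is comma separated and order-insensitive; Default == UpnSan."""
    parts = {p.strip() for p in mode.split(",")}
    return {"UpnSan"} if parts == {"Default"} else parts

def resolve(cert, mode, validation_method, directory=DIRECTORY):
    """Return the matched account name, or None (login denied)."""
    modes = parse_mode(mode)
    if "UpnSan" in modes and cert.upn_san:  # the UPN check always runs first
        for name, entry in directory.items():
            if entry["upn"].lower() == cert.upn_san.lower():
                return name
    if "AltSecurityIdentities" in modes:
        ids, nt_auth = alt_sec_ids(cert), validation_method == "NtAuthStore"
        for kind, starred in SEARCH_ORDER:
            if kind in ids and (nt_auth or not starred):
                for name, entry in directory.items():
                    if ids[kind] in entry["altSecurityIdentities"]:
                        return name
    return None
```

Note that a certificate whose subject maps to one account but whose UPN SAN names another resolves to the UPN match, which is why the table above stresses that the UPN check runs first regardless of the order of the mode values.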