Certificate Based Authentication for RDP

Last updated 1 month ago

You can use SCEPman to issue smart card logon certificates to your users. When the certificate's key is enrolled into Windows Hello for Business (the Microsoft Passport Key Storage Provider), Windows treats the certificate like one on a smart card: users authenticate to on-premises resources with it by unlocking the key with their Hello PIN or a biometric gesture.

This allows users, for example, to connect to other clients over the Remote Desktop Protocol (RDP) with their Windows Hello for Business credentials instead of a password.

Setup Active Directory

Requirements

  • SCEPman's Root CA certificate must be published in the NTAuth store; otherwise domain controllers will not accept certificates issued by SCEPman for user authentication.

  • Domain controllers need a domain controller certificate in order to authenticate smart card users (Kerberos PKINIT requires the KDC to present its own certificate to the client).

  • Domain controllers and target machines need to trust SCEPman's Root CA.

Follow our guide on Domain Controller Certificates to publish the SCEPman Root CA certificate to the NTAuth store and to issue certificates to your domain controllers.

You can create a Group Policy Object to distribute the root certificate to the involved machines; Microsoft documents this under "To distribute certificates to client computers by using Group Policy".

The certificate needs to be deployed to all domain controllers that handle the authentication and to all target machines that users want to connect to using this method.

Please be aware that once SCEPman's root certificate is published in the NTAuth store, anyone who can influence the content of certificates issued by SCEPman (e.g. Intune administrators who can edit SCEP profiles) can obtain a certificate with an arbitrary UPN or SID and thereby impersonate any Active Directory principal. Treat the right to edit these profiles as equivalent to domain administrator rights and restrict it accordingly.
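The following PowerShell script is an added example, not part of the SCEPman documentation or product, that checks the three requirements above from a domain-joined machine. It assumes the RSAT ActiveDirectory module is installed and takes the SHA-1 thumbprint of your SCEPman Root CA as a parameter (the parameter name $ScepmanRootThumbprint is this example's own). Run it on each domain controller and on at least one RDP target; the domain controller certificate checks only run when the machine reports a domain controller role.

```powershell
<#
  Added example, not SCEPman's own code: verify the Active Directory
  prerequisites for SCEPman smart card logon from a domain-joined machine.
  Assumes the RSAT ActiveDirectory module; $ScepmanRootThumbprint is the
  SHA-1 thumbprint of the SCEPman Root CA (parameter name chosen here).
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$ScepmanRootThumbprint
)
Import-Module ActiveDirectory -ErrorAction Stop

$thumb   = $ScepmanRootThumbprint.Replace(' ', '').ToUpperInvariant()
$results = [ordered]@{ Computer = $env:COMPUTERNAME; RootThumbprint = $thumb }

# 1. Root CA published in the NTAuth store object in AD (the authoritative copy;
#    the local cache under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth follows it).
$configNC     = (Get-ADRootDSE).configurationNamingContext
$ntauthDN     = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$ntauth       = Get-ADObject -Identity $ntauthDN -Properties cACertificate
$ntauthThumbs = foreach ($raw in $ntauth.cACertificate) {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw).Thumbprint
}
$results['RootInNTAuth'] = ($ntauthThumbs -contains $thumb)

# 2. The root is trusted by this machine (required on DCs and on every RDP target).
$results['RootTrustedLocally'] = Test-Path -Path "Cert:\LocalMachine\Root\$thumb"

# 3. On a domain controller only: a certificate for this host that chains to the
#    SCEPman root. Server Authentication (1.3.6.1.5.5.7.3.1) is the minimum for
#    smart card logon; KDC Authentication (1.3.6.1.5.2.3.5) is what Kerberos
#    PKINIT clients prefer, so it is reported separately.
$isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
if ($isDC) {
    $fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $dcCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
        ($_.DnsNameList.Unicode -contains $fqdn)
    } | Where-Object {
        # Build the chain and compare its top element against the SCEPman root.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        [void]$chain.Build($_)
        $rootElement = $chain.ChainElements[$chain.ChainElements.Count - 1]
        $rootElement.Certificate.Thumbprint -eq $thumb
    } | Select-Object -First 1

    $results['DCCertFromScepmanRoot'] = [bool]$dcCert
    $results['DCCertHasKdcAuthEku']   = [bool]($dcCert -and
        ($dcCert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.2.3.5'))
    if ($dcCert) { $results['DCCertThumbprint'] = $dcCert.Thumbprint }
}

# Any False value means the corresponding requirement is not met on this machine.
[pscustomobject]$results
```

The NTAuth check reads the directory object rather than the local registry cache on purpose: the cache is refreshed by Group Policy, so a machine can look correct locally while a freshly promoted domain controller has not yet picked up the publication.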

Deploy the Smart Card Certificates using Intune

Trusted Certificate Profile

Your clients need to trust the root certificate of SCEPman. If you already use SCEPman to deploy certificates to your clients, you will already have this profile in place.

Smart Card Certificate

Create a profile for Windows 10 and later with type SCEP certificate in Microsoft Intune and configure it as follows:

Certificate type: User

Subject name format: CN={{UserPrincipalName}}

If the targeted users' UPN suffix in Entra ID differs from the one used in Active Directory, use CN={{OnPrem_Distinguished_Name}} instead.

Subject alternative name: UPN value {{UserPrincipalName}} and URI value {{OnPremisesSecurityIdentifier}}

The URI with the SID is necessary to have a strong certificate mapping in AD (see the Intune Strong Mapping page). Active Directory recognizes the SID in a SAN URI only in the form tag:microsoft.com,2022-09-14:sid:<SID> defined in KB5014754, so verify that the issued certificate carries it in that form. Alternatively, you can configure SCEPman to add the SID extension to user certificates and not configure the URI.

Key storage provider (KSP): Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)

Key usage: Digital signature and Key encipherment

Key size (bits): 2048

Hash algorithm: SHA-2

Root Certificate: the Trusted Certificate Profile from the previous step

Extended key usage: Client Authentication and Smart Card Logon

Client Authentication, 1.3.6.1.5.5.7.3.2

Smart Card Logon, 1.3.6.1.4.1.311.20.2.2

SCEP Server URLs: Open the SCEPman portal and copy the URL of Intune MDM.

Use Windows Hello for Business to connect to remote hosts

With the certificate deployed to the authenticating client, connect to the remote host and select the configured Windows Hello for Business credential provider. The connection is then authenticated with the certificate's private key, released by the Hello PIN or biometric gesture, instead of a password.
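As an added example (not SCEPman's or Microsoft's code), this PowerShell script inspects the certificate that the SCEP profile above enrolled and reports whether it is usable for smart card logon before you try an RDP connection: the key must live in the Windows Hello for Business KSP (Microsoft Passport Key Storage Provider), both EKUs must be present, and either the SAN URI in the KB5014754 form or the SID extension (OID 1.3.6.1.4.1.311.25.2, szOID_NTDS_CA_SECURITY_EXT) must be present for strong mapping. Run it in the enrolled user's session; it takes no parameters, and the OID constants come from the public specifications rather than from this page.

```powershell
<#
  Added example, not SCEPman's or Microsoft's code: check that the certificate
  enrolled by the SCEP profile above is usable for Windows Hello for Business
  smart card logon. Run in the enrolled user's session; no parameters.
  OID constants are from the public specifications (RFC 5280, KB5014754).
#>
$oidSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'
$oidClientAuth     = '1.3.6.1.5.5.7.3.2'
$oidSan            = '2.5.29.17'
$oidSidExtension   = '1.3.6.1.4.1.311.25.2'               # szOID_NTDS_CA_SECURITY_EXT
$sidUriPrefix      = 'tag:microsoft.com,2022-09-14:sid:'  # SAN URI form AD maps strongly
$helloKsp          = 'Microsoft Passport Key Storage Provider'

$candidates = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $oidSmartCardLogon) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $oidClientAuth)
}
if (-not $candidates) {
    Write-Warning 'No certificate with both Smart Card Logon and Client Authentication EKU in Cert:\CurrentUser\My.'
    return
}

foreach ($cert in $candidates) {
    # Which KSP holds the key? Only the Hello KSP satisfies the profile setting
    # "Enroll to Windows Hello for Business, otherwise fail".
    $ksp = $null
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { $ksp = $rsa.Key.Provider.Provider }
    } catch { $ksp = "unavailable: $($_.Exception.Message)" }

    # Decode the SAN into text lines and pull out the UPN and the SID URI.
    $upn = ''; $sidUri = ''
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oidSan }
    if ($sanExt) {
        $lines  = $sanExt.Format($true) -split "`r?`n"
        $upn    = (($lines | Where-Object { $_ -match 'Principal Name=' } | Select-Object -First 1) -replace '.*Principal Name=', '').Trim()
        $sidUri = (($lines | Where-Object { $_ -match [regex]::Escape($sidUriPrefix) } | Select-Object -First 1) -replace '.*URL=', '').Trim()
    }
    $hasSidExt = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq $oidSidExtension })
    $pubKey    = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keyBits   = if ($pubKey) { $pubKey.KeySize } else { $null }

    [pscustomobject]@{
        Thumbprint         = $cert.Thumbprint
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        NotAfter           = $cert.NotAfter
        KeySizeBits        = $keyBits
        KeyStorageProvider = $ksp
        UsesHelloKsp       = ($ksp -eq $helloKsp)
        UPN                = $upn
        SidUri             = $sidUri
        HasSidExtension    = $hasSidExt
        # Strong mapping needs either the SID URI in the SAN or the SID extension.
        StrongMappingOk    = ([bool]$sidUri -or $hasSidExt)
    }
}
```

If UsesHelloKsp is False the profile did not reach the Hello KSP (the user has not finished Windows Hello for Business provisioning, or a different KSP setting was deployed), and the credential provider will not offer the certificate; if StrongMappingOk is False, domain controllers enforcing strong mapping will reject the logon even though the certificate chains correctly.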