Thursday, May 1, 2014

CAC Card Authentication Using KCD With CRM 2011 and TMG


CRM

  • Allow website to use Kerberos
  • Create an SPN for CRM
    • setspn -a http/crm-2011.test.local Domain/User
AD
  • Open TMG Computer Account in AD and allow delegation to the SNP you created earlier.

TMG
  • Install DoD Root Certificates (http://iase.disa.mil/pki-pke/function_pages/tools.html)
  • Install Tumbleweed on TMG Server ***** this is extremely important on gov sites that use this software.  *****
  • Import Tumbleweed client configuration file
  • Disable HTTPS Inspection and NIS in TMG
  • Publish DoD E-mail certs to the NT Auth Store
    • certutil -dspublish -f <filename> NTAuthCA
  • Make sure GPO for TMG machine is updated with the following.
    • Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Certificate Services Client - Auto-Enrollment
    • Configuration Model should be enabled and Renew expired certificates and Update certificates should both be checked.
  • Create Listener
  • Create Rule
USERS
  • Add the EDIPI number from the back of the CAC to the User Principal Name on the AD account (ie 123456789@mil)
  • When creating the CRM users you should still use their original AD user name (ie DOMAIN\rick.wilson) not the EDIPI.