CAC Card Authentication Using KCD With CRM 2011 and TMG


CRM

  • Allow the CRM website to use Kerberos: in IIS, enable Windows Authentication on the CRM site with the Negotiate provider listed first
  • Create an SPN for CRM, registered to the account that runs the CRM application pool
    • setspn -a http/crm-2011.test.local DOMAIN\User
    • (setspn -S instead of -a refuses to add a duplicate SPN, and setspn -X lists any duplicates already in the forest; a duplicate SPN silently breaks Kerberos for both accounts)
AD
  • Open the TMG computer account in AD (Delegation tab) and allow delegation to the SPN you created earlier: choose "Trust this computer for delegation to specified services only" and "Use any authentication protocol". The protocol-transition option is required because TMG authenticates the user with a certificate, not Kerberos, and must obtain a service ticket on the user's behalf.

TMG
  • Install DoD Root Certificates (http://iase.disa.mil/pki-pke/function_pages/tools.html)
  • Install Tumbleweed (Desktop Validator, the OCSP/CRL revocation-checking client) on the TMG server. This is extremely important on government sites that use this software, since without it the CAC certificates cannot be revocation-checked.
  • Import Tumbleweed client configuration file
  • Disable HTTPS Inspection and NIS in TMG
  • Publish the DoD EMAIL CA certificates (the issuers of the CAC authentication certificate) to the NTAuth store so the domain trusts them for logon
    • certutil -dspublish -f <filename> NTAuthCA
  • Make sure the GPO applied to the TMG machine is updated with the following (auto-enrollment is what copies the NTAuth store down to the TMG server's local store):
    • Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Certificate Services Client - Auto-Enrollment
    • Configuration Model should be Enabled, and both "Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates" should be checked.
  • Create a web listener: HTTPS with the site's server certificate, and "SSL client certificate authentication" as the client authentication method (the CAC certificate chains to the DoD roots installed above)
  • Create a web publishing rule for CRM that uses that listener and, on the Authentication Delegation tab, selects "Kerberos constrained delegation" with the SPN created earlier (http/crm-2011.test.local)
USERS
  • Add the EDIPI number from the back of the CAC to the User Principal Name on the AD account (e.g. 1234567890@mil). This is the UPN carried in the Subject Alternative Name of the CAC authentication certificate, and it is what the domain controller matches against userPrincipalName. Adding "mil" as an alternative UPN suffix in Active Directory Domains and Trusts first lets you pick it in Active Directory Users and Computers.
  • When creating the CRM users, still use their original AD user name (e.g. DOMAIN\rick.wilson), not the EDIPI.
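The AD and IIS steps above, scripted end to end as an added example (this is not code from the original post). It assumes RSAT's ActiveDirectory module and domain-admin rights, and every name in it is a placeholder: DOMAIN / test.local, the crmapppool service account, the TMG01 computer account, the crm-2011.test.local host name, the DoD_EMAIL_CA.cer file, the rick.wilson user and the 1234567890 EDIPI. The appcmd line runs on the CRM server and assumes the default CRM 2011 site name.

```powershell
# Added example, not from the original post. Placeholder names are assumptions.
Import-Module ActiveDirectory

$Domain      = 'DOMAIN'                      # assumed NetBIOS domain name
$CrmSpn      = 'http/crm-2011.test.local'    # host name TMG publishes
$CrmAccount  = 'crmapppool'                  # assumed CRM application pool account
$TmgComputer = 'TMG01'                       # assumed TMG computer account
$CaCertFile  = 'C:\certs\DoD_EMAIL_CA.cer'   # assumed exported DoD EMAIL CA cert
$SamAccount  = 'rick.wilson'                 # assumed user
$Edipi       = '1234567890'                  # assumed EDIPI from that user's CAC
$CacUpn      = "$Edipi@mil"

# 1. SPN for CRM on the application pool account. -X reports duplicates already
#    in the forest and -S refuses to add one; a duplicate SPN breaks Kerberos
#    for both accounts without any obvious error.
setspn -X
setspn -S $CrmSpn "$Domain\$CrmAccount"

#    IIS on the CRM server: with a domain account as the app-pool identity,
#    kernel-mode Windows auth must use the app-pool credentials, otherwise IIS
#    tries to decrypt the service ticket with the machine account key and fails.
#    'Microsoft Dynamics CRM' is the CRM 2011 default site name (assumed here).
& "$env:windir\system32\inetsrv\appcmd.exe" set config 'Microsoft Dynamics CRM' `
    -section:system.webServer/security/authentication/windowsAuthentication `
    /enabled:true /useAppPoolCredentials:true /commit:apphost

# 2. KCD on the TMG computer account: delegate only to the CRM SPN and allow
#    protocol transition ("Use any authentication protocol"), because TMG
#    authenticates the user by certificate and never holds a Kerberos ticket.
$tmg = Get-ADComputer -Identity $TmgComputer
Set-ADComputer -Identity $tmg -Add @{ 'msDS-AllowedToDelegateTo' = $CrmSpn }
Set-ADAccountControl -Identity $tmg -TrustedToAuthForDelegation $true

# 3. Trust the CAC issuing CA for logon by publishing it to the enterprise
#    NTAuth store; the auto-enrollment GPO then copies it to the TMG server.
certutil -dspublish -f $CaCertFile NTAuthCA

# 4. Map the CAC to the AD account: the CAC authentication certificate carries
#    EDIPI@mil as a UPN in its Subject Alternative Name, and the DC matches
#    that against userPrincipalName. Registering 'mil' as a forest UPN suffix
#    makes it selectable in Active Directory Users and Computers.
Get-ADForest | Set-ADForest -UPNSuffixes @{ Add = 'mil' }
Set-ADUser -Identity $SamAccount -UserPrincipalName $CacUpn

# 5. Verify each piece before testing with a real CAC.
setspn -L "$Domain\$CrmAccount"
Get-ADComputer -Identity $TmgComputer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
certutil -enterprise -store NTAuth
Get-ADUser -Filter "UserPrincipalName -eq '$CacUpn'" |
    Select-Object SamAccountName, UserPrincipalName
```

The verification block is the part worth running more than once: a missing TrustedToAuthForDelegation flag or a duplicate SPN both surface as a generic TMG delegation failure rather than a descriptive error.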
