🔐 Secure Bits 💡
Want to enforce role-based access based on logon method—natively?
Use Authentication Mechanism Assurance (AMA) to give users different access based on how they authenticate.
🪪 Log on with smart card → ✅ get extra group membership
🔑 Log on with password → ❌ no access to sensitive resources
That’s the power of AMA—built into Active Directory since 2008 R2.
Here’s how it works:
1️⃣ You create a custom Issuance Policy with a unique OID (e.g. 1.3.6.1.4.1.49955.5.1.1)
2️⃣ You link it to an empty universal group
3️⃣ You issue smart card certificates that embed this policy
4️⃣ When a user logs on via smart card, the group SID is added to the Kerberos TGT
5️⃣ Access to protected resources is now possible—only when logging in via certificate
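Steps 2 and 4 are where deployments usually go wrong: the link lives on the OID object in the configuration partition, not on the group, and the group has to be an empty universal security group. The PowerShell below is an added example (not from the post or the iqunit article) that performs the link with those checks and then reads it back from both sides; it mirrors the checks in Microsoft's set-IssuancePolicyToGroupLink.ps1 sample. It assumes the issuance policy object already exists (it is created when the policy is added to the smart card template in the Certificate Templates console), that the OID from the post is used as an example, and that the group name AMA-SmartCard-Users is a placeholder. Writing to the configuration partition normally needs Enterprise Admin rights.

```powershell
#Requires -Modules ActiveDirectory
# Added example: link an AMA issuance policy OID to an empty universal security
# group and verify the link. OID is the post's example value; group name is a
# constructed placeholder.
Import-Module ActiveDirectory

$IssuancePolicyOid = '1.3.6.1.4.1.49955.5.1.1'   # example OID from the post
$GroupName         = 'AMA-SmartCard-Users'        # placeholder group name

function Get-AmaIssuancePolicy {
    param([Parameter(Mandatory)][string]$Oid)
    # Issuance policy OID objects live in the configuration partition.
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $searchBase = "CN=OID,CN=Public Key Services,CN=Services,$configNC"
    # flags = 2 marks an issuance policy (not an application policy or template OID).
    Get-ADObject -SearchBase $searchBase `
        -Filter { (objectClass -eq 'msPKI-Enterprise-Oid') -and (flags -eq 2) } `
        -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink' |
        Where-Object { $_.'msPKI-Cert-Template-OID' -eq $Oid }
}

function Assert-AmaGroupIsEligible {
    param([Parameter(Mandatory)][string]$Name)
    # AMA only injects the SID of a universal security group that has no members.
    $group = Get-ADGroup -Identity $Name -Properties members
    if ($group.GroupScope -ne 'Universal')   { throw "Group '$Name' must be a universal group." }
    if ($group.GroupCategory -ne 'Security') { throw "Group '$Name' must be a security group." }
    if ($group.members.Count -gt 0)          { throw "Group '$Name' must be empty; the SID comes from the certificate only." }
    return $group
}

function Set-AmaIssuancePolicyGroupLink {
    param([Parameter(Mandatory)][string]$Oid, [Parameter(Mandatory)][string]$GroupName)
    $policy = Get-AmaIssuancePolicy -Oid $Oid
    if (-not $policy) { throw "No issuance policy object found for OID $Oid. Add the policy to the certificate template first." }
    $group = Assert-AmaGroupIsEligible -Name $GroupName

    # The forward link is stored on the OID object; AD maintains the back link on the group.
    Set-ADObject -Identity $policy.DistinguishedName -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

    # Read the link back from both sides so a failed write is visible immediately.
    $policy = Get-ADObject -Identity $policy.DistinguishedName -Properties 'msDS-OIDToGroupLink'
    $group  = Get-ADGroup  -Identity $GroupName -Properties 'msDS-OIDToGroupLinkBl'
    [pscustomobject]@{
        IssuancePolicy = $policy.DistinguishedName
        LinkedGroup    = $policy.'msDS-OIDToGroupLink'
        BackLink       = $group.'msDS-OIDToGroupLinkBl'
    }
}

function Test-AmaGroupInToken {
    param([Parameter(Mandatory)][string]$GroupName)
    # Run in the user's own session. The token is built from the TGT's PAC, so the
    # group shows up only after a logon with a certificate carrying the policy.
    $expected = '{0}\{1}' -f $env:USERDOMAIN, $GroupName
    $names = foreach ($sid in [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
    }
    return ($names -contains $expected)
}

# Usage (as an Enterprise Admin on a domain-joined admin workstation):
Set-AmaIssuancePolicyGroupLink -Oid $IssuancePolicyOid -GroupName $GroupName | Format-List
```

After the link is in place, log on once with the smart card and once with the password and run `Test-AmaGroupInToken -GroupName 'AMA-SmartCard-Users'` in each session (or `whoami /groups /fo list`): the first returns True, the second False, which is exactly the behaviour the post describes in steps 4 and 5. The same two logons are a cheap regression check to keep in a runbook, since a re-issued certificate that drops the policy, or a group that someone later populates by hand, silently breaks the model.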
And yes: they’re not a member of the group in AD—but their TGT says otherwise.
Magic? No. AMA.
🧪 Tested with YubiKey 5 NFC + smart card templates
👨‍💻 Admins use cert templates + issuance policy + certmgr.msc/YubiKey Manager
🎯 Resource access: SMB, SharePoint, MECM, etc.—only when certificate-authenticated
⚠️ Password logon = no group SID = no access
Tip: Don’t use Microsoft’s built-in assurance levels—create your own OID instead.
Have you deployed AMA in production? Or planning passwordless access that adapts to auth type? 👇
Let’s share best practices.
Author: Martin Handl — full article: https://iqunit.com/smartcard-logon-teil-2-ama/
