Today's guest blog post comes from Matthias Büchner and Michael Hutchinson, Pre-Sales and Software Engineers at Gemalto, a leader in digital security. Microsoft has a long history with Gemalto as they have been using Gemalto smart cards as a corporate badge since 2005 to log in to Windows, for VPN access, to sign and encrypt emails, and also for physical access. This post explains how they configured a demonstration environment for their Windows OTP (One Time Password) Logon solution on a Windows 8 tablet using the Test Lab Guide: Demonstrate DirectAccess. This solution creates an additional layer of authentication and security for your PC or device and can be used to meet mandated security requirements for strong authentication.
We have been demonstrating the integration of our Windows OTP Logon with DirectAccess at a few trade shows all around the world. For TechEd 2012 in Orlando and Amsterdam, we wanted to showcase our product on a Windows 8 tablet rather than on a Windows 7 virtual image.
As we are doing live demos at the Gemalto booth, we did not want to rely on an external Internet connection. Building a self-contained demonstration environment seemed to be a safer approach, and the Test Lab Guides (TLGs) are a very helpful resource to do so. We implemented all the components required for DirectAccess on Hyper-V virtual machines running on a single laptop.
The Demonstrate DirectAccess TLG details how to configure a Windows 7 and Windows Server 2008 R2 environment for DirectAccess. Using this guide we were able to configure all the different Hyper-V virtual machine images. We kept a snapshot at each stage of the setup so we are able to go back if necessary.
To enhance the demonstration with a Windows 8 workstation, we just had to create a new Hyper-V image with a pre-release Windows 8 client, connect the VM to the Hyper-V network and add it to the DirectAccess group. We set up the Gemalto Windows OTP Logon solution and were able to authenticate with Windows 8 using Gemalto’s two-factor authentication (2FA) devices.
Adding a tablet to the environment proved to be more of a challenge due to the requirement to interface the tablet network to the Hyper-V network. As the tablet we are using does not have an embedded Ethernet NIC, connecting using the Wi-Fi seemed to be the obvious choice. Who wants a cable attached to their tablet anyway?
Step 1: Connecting the tablet to the Hyper-V network
First, we had to connect the tablet to the Hyper-V network so it could join the domain. To do so through Wi-Fi, we configured the Corpnet virtual switch to use the demo laptop’s Ethernet network adapter.
Then we bridged the Ethernet adapter and the Wi-Fi adapter.
The last step consists of creating an ad hoc network and following the wizard.
At this point, DC1’s DHCP services are accessible via the Wi-Fi network.
Step 2: Joining the domain
We logged on using the local administrator account on the tablet and connected to the internal network to join the tablet to the domain. This worked fine but joining a domain through an ad-hoc connection felt more like a hack than anything else…
Step 3: Logging on with a domain user account
The next logical step would be to log off from the local admin user and log in with the domain user account. Unfortunately, an ad-hoc connection is not persisted after a log off, so we could not use the Wi-Fi connection to log on to the tablet with a domain account for the first time! Note that this behavior of Windows is specific to ad-hoc wireless connections and does not apply to traditional enterprise Wi-Fi connections; however, Wi-Fi routers are usually configured with NAT, which we thought would make it impossible to use to join a domain.
The simple alternative was to go hard wired by using a USB/Ethernet adapter. We connected the tablet to Corpnet by associating the Corpnet virtual switch to the Ethernet NIC and connected it to the tablet using the USB/Ethernet adapter.
During TechEd 2012 in Orlando, we learned we also could have done an Offline Domain Join as described in this article. It seems particularly useful to add remote user devices to the domain, especially when using an ad-hoc wireless network.
Step 4: Set up and test the Windows OTP Logon with DirectAccess
Gemalto provides an MSI to run on the client that enables the OTP authentication during Windows logon. It adds the authentication tile shown in the screenshot below.
To test the integration with DirectAccess, we can configure the virtual switch to use the “Internet” virtual network instead of the “Corpnet” virtual network.
A video demonstration is available here.