Authenticating users with the Electronic ID (eID) in SharePoint

Hannes Decorte
U2U nv/sa

Applies to:
  • Windows Server 2003 SP1
  • Internet Information Services 6.0 (IIS) with Secure Sockets Layer (SSL)
  • Windows SharePoint Services and SharePoint Portal Server 2003
  • Electronic Identity Card (eID)
Summary:

This article guides you through all the required steps to enable the authentication of users in the Windows SharePoint Services and SharePoint Portal Server environment with an electronic identification (eID).

eID as a means of authentication

The eID (or electronic Identity Card) is a personal identification card. It was introduced in Belgium on a national scale and contains information about the identity of the card holder such as the address, date and place of birth, and more. The card can also be used as an authentication mechanism, since the holder can use it to identify himself to applications (e.g. Web applications) by means of a unique client certificate embedded in the chip of the card.

Utilizing the eID for authentication on a web server and a SharePoint site is a good idea. Users don’t like to remember passwords: they forget them or, even worse, they choose simple passwords which are easily cracked. With the eID users don’t have to remember a password; they don’t even need to know a password or a login name. This enables administrators to set complex, more secure passwords on the Windows accounts used to access a SharePoint site via the internet.

During one of our consultancy projects, there was a request for using the eID to enable authentication on Windows SharePoint Services team sites. Because we think it is an interesting thing to do, we would like to share with you the steps to accomplish this.


Step 1: Enabling Secure Sockets Layer (SSL) on the Virtual Server hosting the SharePoint site

To enable SSL on a Virtual Server you first need a certificate. Certificates can be obtained from different authorities like VeriSign or GlobalSign. It’s also possible to use a self-signed certificate for testing purposes, and that is the approach we discuss in this article. The easiest way to create and install the self-signed certificate is to download and utilize the SSL Diagnostics Tool. The tool can be downloaded from the Microsoft site.

After the installation on the web server you run the tool from the Start menu.



A listing of all the virtual servers on the local machine will be displayed and the tool checks for any configuration errors.

Note: The tool might also report that host headers are not supported with SSL. This can be ignored if SP1 is installed on the Windows Server 2003 machine.



To install a test certificate you highlight the line listing the virtual server and click the Create New Cert menu item.



Your next step is to configure the virtual server for SSL and to require a client certificate for authentication. To do this you open the Internet Information Services (IIS) Manager located in the Administrative Tools of the Control Panel.
In the properties of the virtual server you select the Directory Security tab. Here you can set the SSL requirements by clicking Edit in the Secure Communications section of the tab.



You check the “Require secure channel” checkbox and choose “Require client certificates”. If you now click View Certificate on the Directory Security tab, the server certificate installed by the SSL Diagnostics tool is shown.

On the Web Site tab you also specify 443 as the SSL port.

If you have a site configured with a host header and worry about host headers not being supported with SSL, don’t, provided you have SP1 of Windows Server 2003 installed. For more information on this see Configuring Server Bindings for SSL Host Headers (IIS 6.0).


Step 2: Setup the web server to accept eID certificates

By following step 1, your SharePoint site can now only be accessed through https and by using a client certificate. But how will the server know which certificates to accept?

To allow the web server to accept eID client certificates, you need to import some root and intermediate certificates in the local computer certificate store of the web server.

First of all you download the necessary certificates from http://certs.eid.belgium.be and store them in a temporary folder on the web server. The certificates are listed in the table below, together with the folder of the web server’s local computer certificate store into which each one is imported.

  Certificate          Store
  belgiumrca.crt       Trusted Root Certificate Store
  citizen.crt          Trusted Root Certificate Store
  belgiumrca.crt       Third-Party Certification Authorities Store
  citizen2.crt         Intermediate CA Certificate Store
  citizen2004.crt      Intermediate CA Certificate Store
  government.crt       Intermediate CA Certificate Store
  government2004.crt   Intermediate CA Certificate Store
  government2005.crt   Intermediate CA Certificate Store

Note: If more intermediate certificates are released, these may also need to be installed.

To import a certificate in the local computer certificate store you take the following steps:

  • On the IIS 6.0 Web server, click Start, and then click Run

  • In the Open box, type mmc, and then click OK

  • On the File menu click Add/Remove snap-in

  • In the Add/Remove Snap-in dialog box, click Add

  • In the Add Standalone Snap-in dialog box, click Certificates, and then click Add

  • In the Certificates snap-in dialog box, click Computer account, and then click Next

  • In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish

  • In the Add Standalone Snap-in dialog box, click Close

  • In the Add/Remove Snap-in dialog box, click OK

  • In the left pane of the console, double-click Certificates (Local Computer)

  • Right-click the folder into which the certificate needs to be imported, point to All Tasks, and then click Import



  • On the Welcome to the Certificate Import Wizard page, click Next

  • On the File to Import page, click Browse, locate your certificate file, and then click Next

  • On the Certificate Store page, click Place all certificates in the following store, and then click Next

  • Click Finish, and then click OK to confirm that the import was successful

You repeat the procedure for all the listed certificates.
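The import described above can also be scripted, which is handy when several web servers need the same trust anchors, and a scripted check answers the question of whether the server now trusts an eID client certificate. The following PowerShell script is an added example and is not part of the original article. It assumes the downloaded .crt files were saved to C:\Temp\eid (a placeholder folder), that it runs as an administrator on the web server, and that an exported eID authentication certificate (see Step 4) is available as a .cer file for the verification function.

```powershell
# Added example, not from the article: import the eID root and intermediate
# certificates listed in the table into the Local Computer certificate store,
# then build the certificate chain of a client certificate the way the web
# server does, to confirm it now chains to a trusted root.
# Assumption: the .crt files are in $certFolder (placeholder path).
$certFolder = "C:\Temp\eid"

# Store names as .NET and certutil know them:
#   Root     = Trusted Root Certification Authorities
#   AuthRoot = Third-Party Root Certification Authorities
#   CA       = Intermediate Certification Authorities
$placement = @(
    @{ File = "belgiumrca.crt";     Store = "Root" },
    @{ File = "citizen.crt";        Store = "Root" },
    @{ File = "belgiumrca.crt";     Store = "AuthRoot" },
    @{ File = "citizen2.crt";       Store = "CA" },
    @{ File = "citizen2004.crt";    Store = "CA" },
    @{ File = "government.crt";     Store = "CA" },
    @{ File = "government2004.crt"; Store = "CA" },
    @{ File = "government2005.crt"; Store = "CA" }
)

foreach ($entry in $placement) {
    $path = Join-Path $certFolder $entry.File
    if (-not (Test-Path $path)) { Write-Warning "Missing $path"; continue }
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($entry.Store, "LocalMachine")
    $store.Open("ReadWrite")
    if (-not $store.Certificates.Contains($cert)) {
        $store.Add($cert)
        Write-Host ("Imported {0} ({1}) into LocalMachine\{2}" -f $entry.File, $cert.Subject, $entry.Store)
    }
    $store.Close()
}

# Verification: build the chain for an exported client certificate (DER .cer)
# using the machine context, i.e. the same stores IIS consults.
function Test-EidClientCertificate([string]$cerPath) {
    $client = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)  # $true: machine stores
    $chain.ChainPolicy.RevocationMode = "NoCheck"   # the CRL may not be reachable from a test server
    $ok = $chain.Build($client)
    Write-Host "Subject : $($client.Subject)"
    Write-Host "Issuer  : $($client.Issuer)"
    foreach ($element in $chain.ChainElements) { Write-Host "  -> $($element.Certificate.Subject)" }
    if (-not $ok) {
        foreach ($status in $chain.ChainStatus) { Write-Warning "$($status.Status): $($status.StatusInformation)" }
    }
    return $ok
}

# Usage (placeholder path): Test-EidClientCertificate "C:\Temp\eid\my-eid-auth.cer"
```

Revocation checking is switched off only for this offline check; IIS itself will still consult the CRL distribution point of the certificate unless that is disabled in the metabase, so a chain that builds here but fails in the browser usually points to CRL access problems rather than to a missing certificate in the stores.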


Step 3: Setting up eID software on the client machine

Now let us focus on the client. There are some prerequisites you need to take care of on the client machine before the client will be able to present the web server with your eID client certificate.

To use the eID on a client machine two components are required:

  • A smart card reader

  • The specific software to read the eID card

The smart card reader can be of any type, as long as it is compatible with the eID smart card. Look through the manual of the specific hardware on how to install the reader for use on the client machine. For our project, we have been using the ZETES ACR38 eID Card Reader.



After installing the reader, you install the “Belgium Identity Card Run-time”, which can be found on Belgium Identity Card Run-time. There are several downloads on the page; you take the one for Windows in your preferred language. The downloaded compressed file contains a single installer executable.

You can verify the client installation by inserting your eID card in the smart card reader and running the eIDGUI (normally located in the C:\Program Files\Belgium Identity Card folder). You click the yellow chip on the GUI and after a few seconds the personal information appears.



There is one final step to make sure you can use the eID to authenticate against a web server. You have to install the client certificates in the Personal Certificate Store of the client computer. This can be done by going to the Certificates tab and clicking Register for both certificates. You can verify the installation by opening Internet Explorer and checking via Tools|Internet Options|Content|Certificates that the personal certificates are listed on the Personal tab.




Step 4: Mapping the eID client certificate to an Active Directory account through IIS

The client is now ready and the web server is also ready to accept the certificates. But is SharePoint ready? What we want to achieve is a scenario where a user only needs to supply his or her eID certificate and PIN code (the PIN code only the first time) and is then seamlessly signed in to the SharePoint site.

SharePoint authentication can use Active Directory accounts. Your next step is to map the eID client certificate to an Active Directory account that represents a user in the domain and that has been granted access to the SharePoint sites. IIS enables you to do just that.

To accomplish this you first need to export the public part (the certificate, without the private key) of your personal eID card.

An easy way to export the eID certificate is to open an Internet Explorer window and, via Tools|Internet Options|Content|Certificates|Personal, select the eID certificate (Authentication). Clicking Export starts the Certificate Export Wizard.

  • Click Next

  • Select the radio button No, do not export the private key and hit Next

  • Select the radio button DER encoded binary X.509 (.CER) and hit Next

  • Specify a filename and click Next

  • Click Finish

Now you need to map the eID public key to the Active Directory account. To do this you go back to IIS and you open the properties window of the virtual server you want to use eID authentication on.
You open the Secure Communications window by clicking the Edit button in the Secure Communications section on the Directory Security Tab.



Check Enable client certificate mapping and click the Edit button. In the Account Mappings window, click Add to specify a new mapping from a client certificate to an Active Directory account.

Take the following steps:

  • Browse to the exported public key file and click Ok

  • Check Enable this mapping

  • Specify a mapping name

  • Browse for the Active Directory account and specify the password of the account. The chosen account should have access to the SharePoint site

  • Hit Ok and confirm the password
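Both the SSL requirements of Step 1 and the certificate mapping switch of Step 4 end up as bits of one metabase property, AccessSSLFlags, on the virtual server, so they can be read back and checked from a script instead of through the Directory Security dialogs. The following PowerShell script is an added example and not part of the original article; it also performs the certificate export of Step 4 programmatically. It assumes the SharePoint virtual server has metabase identifier 1 (adjust $siteId otherwise), that the server part runs as an administrator on the web server, and that the subject of the eID authentication certificate contains the text “(Authentication)”, as shown in the Internet Explorer certificate list.

```powershell
# Added example, not from the article: read the SSL settings of the virtual
# server back from the IIS 6.0 metabase and decode them (Steps 1 and 4), and
# export the eID authentication certificate as DER .cer (Step 4).
# Assumption: metabase identifier of the SharePoint virtual server is 1.
$siteId = 1

# Bit values of the AccessSSLFlags metabase property (MD_ACCESS_SSL*).
$flagNames = @{
    8   = "AccessSSL              Require secure channel (SSL)"
    32  = "AccessSSLNegotiateCert Accept client certificates"
    64  = "AccessSSLRequireCert   Require client certificates"
    128 = "AccessSSLMapCert       Enable client certificate mapping"
    256 = "AccessSSL128           Require 128-bit encryption"
}

# Run on the web server: returns $true when SSL, a required client
# certificate and certificate mapping are all enabled on the site root.
function Test-IisEidConfiguration([int]$id) {
    $site  = [ADSI]"IIS://localhost/W3SVC/$id"
    $root  = [ADSI]"IIS://localhost/W3SVC/$id/Root"
    $flags = [int]$root.Properties["AccessSSLFlags"].Value

    foreach ($binding in @($site.Properties["SecureBindings"].Value)) {
        Write-Host "SecureBindings : $binding"      # expected to name port 443, e.g. ":443:"
    }
    Write-Host "AccessSSLFlags : $flags"
    foreach ($bit in ($flagNames.Keys | Sort-Object)) {
        $mark = $(if (($flags -band $bit) -ne 0) { "[x]" } else { "[ ]" })
        Write-Host "  $mark $($flagNames[$bit])"
    }

    # Step 1 sets 8 and 64, Step 4 sets 128.
    $required = 8 -bor 64 -bor 128
    $ok = (($flags -band $required) -eq $required)
    if (-not $ok) { Write-Warning "Settings differ from Steps 1 and 4; re-check Directory Security." }
    return $ok
}

# Run on the client: the programmatic equivalent of the Certificate Export
# Wizard steps above (public part only, DER-encoded binary X.509).
# Assumption: the authentication certificate's subject contains "(Authentication)".
function Export-EidAuthCertificate([string]$outPath) {
    $eid = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "*(Authentication)*" } |
        Select-Object -First 1
    if ($eid -eq $null) { throw "No eID authentication certificate found in the Personal store" }
    $der = $eid.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($outPath, $der)
    Write-Host "Exported $($eid.Subject) (thumbprint $($eid.Thumbprint)) to $outPath"
    return $eid.Thumbprint
}

# Usage (placeholder path):
#   Export-EidAuthCertificate "C:\Temp\eid\my-eid-auth.cer"   # on the client
#   Test-IisEidConfiguration $siteId                          # on the web server
```

X509ContentType.Cert writes the certificate only; the private key never leaves the card, so no PKCS#12 export is possible or needed for the mapping. The thumbprint the export function returns is the value to compare with the certificate shown in the Account Mappings window.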


Step 5: Testing the authentication process

After all that work, everything is set to test our eID enabled SharePoint site. You insert the eID smart card in the reader and browse to the SharePoint site. (Don’t forget to specify https.) The first window that pops up is one where Internet Explorer presents the server certificate for approval.



After you click Yes, Internet Explorer asks which certificate you want to use for authentication.



After you select the correct certificate, you must provide the PIN code (only the first time the eID card is used). When all of this is successful, Internet Explorer loads the SharePoint site and you are automatically signed in. Voila, eID in action!




Conclusion

In this article we have shown the steps needed to enable eID authentication on a SharePoint site. In that way we have a more secure way of authenticating and authorizing the users of the sites. The eID is a wonderful way to start authenticating users, not only in Web applications but also in smart client applications such as the Office 2003 environment. We hope that this article has inspired you to start making use of this handy little card that all of us here in Belgium are starting to carry in our pockets.


About the author

Hannes Decorte is a software engineer for U2U Brussels, specializing in .NET and SharePoint. You can reach him at hannes@u2u.net.

U2U Training and Consultancy Services is a Microsoft .NET competence center located in Belgium, to learn more please visit www.u2u.be.