Product Documentation

This document is a guide specifically for the OpenOTP SmartCard Provider for Windows. The SmartCard Provider is included in the OpenOTP Credential Provider for Windows. As a first step of the installation, you are invited to install the SmartCard component. The installation of this package is not covered in this guide. Please refer to the Credential Provider for Windows documentation for installation instructions.

The installation or configuration of WebADM is also not covered here. For detailed installation and usage guides for WebADM, please refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide, available through the RCDevs documentation.

Product Overview

The OpenOTP SmartCard Provider for Windows integrates SmartCard authentication with the OpenOTP authentication server into the Windows login process. SmartCard-based authentication is supported by Windows for all login types involving Credential Providers.

A key feature of the OpenOTP SmartCard Provider is the ability to add multifactor authentication after SmartCard login. In this scenario, two authentication requests are sent to the OpenOTP Authentication Server:

  1. One request validates the user certificate presented by the SmartCard.
  2. The second request performs the second-factor authentication.

The second factor can be a push notification via the OpenOTP Token application, any OTP-based authenticator supported by the OpenOTP Server, FIDO keys, Magic Links, and more.

Note: Offline mode is not supported for SmartCard-based authentication.

The OpenOTP SmartCard Provider allows you to set up a passwordless authentication system. Instead of requesting the user account password, the system will prompt for a PIN to unlock the SmartCard and access the certificate stored on it.

The OpenOTP SmartCard Provider for Windows offers two options for issuing certificates on the SmartCard:

  • Issuing user certificates through Windows PKI services.
  • Issuing user certificates via WebADM Internal PKI.

This documentation will cover both scenarios in detail.

For OpenOTP to validate the certificate presented by the SmartCard, the certificate must be available in the user's account under the UserCertificate attribute. For a certificate not issued by WebADM CA, the SubjectAltName of the certificate must contain the UserPrincipalName (UPN) of the user to whom the certificate was issued.
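The requirement above can be verified before a first login attempt. The following PowerShell function is an added example, not RCDevs code: it reads the certificates from a user's userCertificate attribute and checks that the SubjectAltName carries that user's UPN and that the certificate is time-valid. It assumes the ActiveDirectory module (RSAT) is available and relies on Windows' default SAN formatting ("Principal Name=<upn>").

```powershell
# Added example (not RCDevs code): check that the certificate stored in a user's
# userCertificate attribute meets the OpenOTP requirement, i.e. the SubjectAltName
# carries the UPN of that same user. Assumes the ActiveDirectory module (RSAT) and
# Windows' default SAN formatting ("Principal Name=<upn>").
function Test-OpenOtpUserCertificate {
    param([Parameter(Mandatory)][string]$SamAccountName)

    Import-Module ActiveDirectory
    $user = Get-ADUser -Identity $SamAccountName -Properties userCertificate, userPrincipalName
    if ($user.userCertificate.Count -eq 0) {
        Write-Warning "No value in the userCertificate attribute of $SamAccountName; OpenOTP has nothing to match"
        return
    }

    $now = Get-Date
    foreach ($raw in $user.userCertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)

        # SubjectAltName extension (OID 2.5.29.17). Format($true) prints one entry per
        # line; a UPN otherName is rendered as "Principal Name=user@domain".
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $upns = @()
        if ($san) {
            $upns = @([regex]::Matches($san.Format($true), 'Principal Name=(\S+)') |
                      ForEach-Object { $_.Groups[1].Value })
        }

        $result = [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer        # must appear under Trusted CA Certificates in WebADM
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            SanUpn     = ($upns -join ',')
            UpnMatches = ($upns -contains $user.userPrincipalName)   # -contains is case-insensitive
            TimeValid  = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        }
        if (-not $result.UpnMatches) {
            Write-Warning "$($cert.Thumbprint): SAN UPN '$($result.SanUpn)' does not match $($user.userPrincipalName)"
        }
        $result
    }
}

# Usage: Test-OpenOtpUserCertificate -SamAccountName Administrator | Format-List
```

A certificate issued by the WebADM CA is matched differently and does not need the UPN in its SAN; the UpnMatches warning only matters for externally issued certificates.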

In this documentation, we use the PIV slot of a YubiKey 5C. To inject and use the certificate on the SmartCard via Remote Desktop Protocol, the YubiKey Mini Driver must be installed on the remote machine. Refer to your SmartCard provider to determine whether a driver needs to be installed for proper functionality.

On your Remote Desktop client, SmartCard transport/redirection must be enabled.

Configuration for Certificate issued by Microsoft Certificate Authority

Create a SmartCard certificate template

To open the Certificate Template in Active Directory, follow these steps:

  1. Press Win + R, type mmc.exe, and press Enter to open the Microsoft Management Console (MMC).
  2. Click File > Add/Remove Snap-in.
  3. Select Certificate Templates, click Add, then OK.

You should now see the list of available certificate templates.

Certificate Templates

Right-click on the SmartCard User template, then select Duplicate. You will be prompted to configure the new template.

On the first page, update the compatibility settings as follows:

Compatibility settings

Switch to the General tab and assign a user-friendly name to your template.

General settings

In the Request Handling tab, check the following options:

Request Handling settings

Access the Cryptography tab and configure it as follows:

Cryptography settings

Access the Security tab and configure the following permissions for Domain Users:

Security settings

Access the Key Attestation tab and configure it as follows:

Key Attestation

Access the Subject Name tab and configure the following parameters:

Subject Name

Finally, access the Issuance Requirements tab and configure it as shown below:

Issuance Requirements

The template configuration is now finished.

Publish the Certificate Template

Press Win + R, type certsrv.msc, and press Enter.

In the Certification Authority console, expand your CA server, then right-click Certificate Templates and select New > Certificate Template to Issue.

Select your freshly created template from the list and click OK.

Open the Certificates MMC (certmgr.msc) on a client machine. Attempt to request a new certificate to ensure the published template appears.

Now, your certificate template is published and ready for users or devices to request certificates.

Issue a certificate on the SmartCard

Open certmgr.msc on a client machine. For the current user, under Personal, right-click the Certificates store, navigate to All Tasks and click Request New Certificate.

New Certificate Request

Click on Next.

Choose the Active Directory Enrollment Policy and click Next:

Active Directory Enrollment Policy

On the next page, select the SmartCard template you previously created. Before clicking Enroll, ensure that the SmartCard is plugged in. The certificate will be automatically injected into the SmartCard during the creation process.

Enrollment

You are prompted for the PIN protecting the SmartCard. Enter it and the process continues.

SmartCard PIN
SmartCard enrollment processing

A success message should appear once the enrollment is complete:

Enrollment success

Click the Finish button. On the Certificate Management page, you should see the freshly enrolled certificate.

Enrollment success

From the WebADM Administrator Portal or the self-service applications, you should see the certificate available on the user account.

Certificate available on the user account

You may notice that the certificate is marked with a red message indicating Untrusted CA. This message appears because the Microsoft CA has not been trusted yet in WebADM. This is done in the next step.

Trust relationship of your Microsoft CA in WebADM

To use the certificates issued by the Microsoft CA with your WebADM Framework, WebADM must trust the Microsoft CA. To do this, you need to import the CA certificate into WebADM, so first download your Microsoft CA certificate in PEM format.

To export the Microsoft CA certificate in PEM format, follow these steps:

Open the Certification Authority Console

  1. Press Win + R, type certsrv.msc, and press Enter.
  2. In the Certification Authority console, right-click your CA server name.
  3. Select Properties.

Export the CA Certificate

  1. In the General tab, click View Certificate.
  2. In the Certificate window, go to the Details tab.
  3. Click Copy to File to open the Certificate Export Wizard.
  4. Click Next, then select Base-64 encoded X.509 (.CER).
  5. Click Next, choose a file location (e.g., C:\CA_Certificate.cer), and click Finish.

Now, you have successfully exported the Microsoft CA certificate in PEM format.

Log in to WebADM with an administrator account, then click on the Admin tab. In Licensing and Configurations, click on Trusted CA Certificates, and then click the Import CA Certificate button.

Choose your preferred import method and click the corresponding Import Certificate Data button.

Microsoft CA Import

Once imported, you should see your Microsoft Certificate Authority listed:

Microsoft CA trusted

If you now navigate back to the user account for which you issued the certificate, you will see that the red message has disappeared and External CA appears in blue.

Microsoft CA trusted

If you click the Detail button on the certificate, you will see a red message saying, Certificate missing from certificate cache (check duplicates)!

Certificate missing in caches

This is normal and occurs because the certificate has not been added to the WebADM certificate cache yet. You can either wait for the automatic cache update or manually run the background jobs to update it from the Admin tab by selecting Start scheduled background tasks. Once the cache is updated, the certificate will be available for use with OpenOTP.

Certificate in cache

Login attempt

During the installation of the SmartCard Provider, I enabled the additional MFA authentication after the smartcard authentication. I received a push notification once the certificate validation was completed.
For the testing phase, I did not enforce the RCDevs Providers as default providers, which is why you see multiple providers on the login screen. For production use, the Credential Provider filter must be installed during the installation of the OpenOTP CP for Windows.

From the login screen, I choose the RCDevs SmartCard provider. I am prompted for the PIN protecting the smartcard:

Smartcard Provider

Once submitted, the login process begins. At this step, you can see the certificate validation session in the WebADM logs, identified by the openotpPKILogin method used:

[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] New openotpPKILogin SOAP request
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] > Certificate: 2090 Bytes
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] > Client ID: Windows
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] > Options: NOVOICE
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] > Virtual: preferredLanguage=EN
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] Enforcing client policy: Windows Login (matched client ID)
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] Registered openotpPKILogin request
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] Checking OpenOTP license for RCDevs Documentation
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] License Ok (21/100 active users)
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] Resolved LDAP user: CN=Administrator,CN=Users,DC=rcdevsdocs,DC=com
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] Resolved LDAP groups: Group Policy Creator Owners,Domain Admins,Enterprise Admins,Schema Admins,Administrators,Denied RODC Password Replication Group
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] Started transaction lock for user
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] Found user fullname: Administrator
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] Found user language: EN
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] Found 1 user emails: administrator@rcdevsdocs.com
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] Found 11 user settings: EnableLogin=Yes,OfflineExpire=30,ReplyData=[2 Items]
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] Updated user data
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] Sent login success response

The certificate was validated successfully. Then, since I enabled additional MFA, a second authentication request is processed, sending me a push notification through the OpenOTP Token application.

Second factor authentication

I approve the login from the application. Below are the logs related to the second authentication session:

[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] New openotpNormalLogin SOAP request
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] > Username: Administrator
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] > Domain: rcdevsdocs
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] > Client ID: Windows
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] > Context: rpJI7BJ4XtofcaXRnXrVWfgue2k2AG0I
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] > Options: -LDAP,OFFLINE,NOVOICE
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] > Virtual: preferredLanguage=EN
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Enforcing client policy: Windows Login (matched client ID)
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Registered openotpNormalLogin request
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Resolved LDAP user: CN=Administrator,CN=Users,DC=rcdevsdocs,DC=com (cached)
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Resolved LDAP groups: Group Policy Creator Owners,Domain Admins,Enterprise Admins,Schema Admins,Administrators,Denied RODC Password Replication Group (cached)
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Started transaction lock for user
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Found user language: EN
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Found 1 user emails: administrator@rcdevsdocs.com
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Found 52 user settings: LoginMode=LDAPMFA,OTPType=TOKEN,PushLogin=Yes,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,OfflineExpire=30,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,U2FPINMode=Discouraged,SMSType=Normal,SMSMode=Ondemand,ReplyData=[2 Items],MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Found 28 user data: PwnedState,Device1Type,Device1Name,Device1Data,Device1State,Device2Type,Device2Name,Device2Data,Device2State,Device3Type,Device3Name,Device3Data,Device3State,TokenType,TokenKey,TokenState,TokenID,TokenSerial,Token2Type,Token2Key,Token2State,Token2ID,Token2Serial,Token3Type,Token3Key,Token3State,Token3ID,Token3Serial
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Token #2 (TOTP) is disabled
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Found 2 registered OTP tokens (TOTP,YUBIKEY)
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Device #1 (FIDO2) is disabled
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Device #2 (FIDO2) is disabled
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Found 1 registered FIDO device
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Requested login factors: OTP | U2F
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Authentication challenge required
[2025-02-28 10:52:31] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Sent push notification for token #1 (session kfIBks1555lZsw1n)
[2025-02-28 10:52:31] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Waiting 27 seconds for mobile response
[2025-02-28 10:52:49] [192.168.3.210:55023] [OpenOTP:2RWNEAQC] Received mobile login response from 192.168.3.210
[2025-02-28 10:52:49] [192.168.3.210:55023] [OpenOTP:2RWNEAQC] > Session: kfIBks1555lZsw1n
[2025-02-28 10:52:49] [192.168.3.210:55023] [OpenOTP:2RWNEAQC] > Password: 16 Bytes
[2025-02-28 10:52:49] [192.168.3.210:55023] [OpenOTP:2RWNEAQC] Found authentication session started 2025-02-28 10:52:30
[2025-02-28 10:52:49] [192.168.3.210:55023] [OpenOTP:2RWNEAQC] PUSH password Ok (token #1)
[2025-02-28 10:52:49] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Updated user data
[2025-02-28 10:52:49] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Sent login success response

After both authentication requests are completed successfully, the Windows session opens.
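Because a SmartCard login with additional MFA produces two OpenOTP sessions (openotpPKILogin followed by openotpNormalLogin), the WebADM logs can be checked for certificate validations that were never followed by a completed second factor. The PowerShell below is an added example, not RCDevs code: it parses log lines in the format shown above into sessions and reports such users. The excerpt is constructed from the lines above; the ZZ1CONST session is made up for illustration.

```powershell
# Added example (not RCDevs code): correlate the two OpenOTP sessions a SmartCard login
# produces (openotpPKILogin, then openotpNormalLogin for the second factor) from WebADM
# log lines and report users whose certificate was accepted without a completed second
# factor. Constructed excerpt: the ZZ1CONST session is made up for illustration.
$sampleLog = @'
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] New openotpPKILogin SOAP request
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] Resolved LDAP user: CN=Administrator,CN=Users,DC=rcdevsdocs,DC=com
[2025-02-28 10:52:30] [192.168.4.163:56580] [OpenOTP:UXDKFCBS] Sent login success response
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] New openotpNormalLogin SOAP request
[2025-02-28 10:52:30] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Resolved LDAP user: CN=Administrator,CN=Users,DC=rcdevsdocs,DC=com (cached)
[2025-02-28 10:52:49] [192.168.4.163:56581] [OpenOTP:2RWNEAQC] Sent login success response
[2025-02-28 11:03:02] [192.168.4.170:40211] [OpenOTP:ZZ1CONST] New openotpPKILogin SOAP request
[2025-02-28 11:03:02] [192.168.4.170:40211] [OpenOTP:ZZ1CONST] Resolved LDAP user: CN=jdoe,CN=Users,DC=rcdevsdocs,DC=com
[2025-02-28 11:03:02] [192.168.4.170:40211] [OpenOTP:ZZ1CONST] Sent login success response
'@

$linePattern = '^\[(?<ts>[^\]]+)\] \[(?<src>[^\]]+)\] \[OpenOTP:(?<sid>[A-Z0-9]+)\] (?<msg>.*)$'
$sessions = @{}
foreach ($line in ($sampleLog -split "`r?`n")) {
    if ($line -match $linePattern) {
        $sid = $Matches.sid
        if (-not $sessions.ContainsKey($sid)) {
            $sessions[$sid] = [pscustomobject]@{
                Time = $Matches.ts; Client = $Matches.src; Session = $sid
                Method = $null; User = $null; Result = 'no success seen'
            }
        }
        $s = $sessions[$sid]
        # switch -Regex repopulates $Matches with the case that matched
        switch -Regex ($Matches.msg) {
            '^New (openotp\w+) SOAP request'              { $s.Method = $Matches[1] }
            '^Resolved LDAP user: (.+?)(?: \(cached\))?$' { $s.User   = $Matches[1] }
            '^Sent login success response'                { $s.Result = 'success' }
        }
    }
}

# A PKI login success with no second-factor success for the same user means the additional
# MFA step was not completed (or is not enabled for that client policy, which is expected then).
foreach ($g in ($sessions.Values | Group-Object User)) {
    $pki = @($g.Group | Where-Object { $_.Method -eq 'openotpPKILogin'    -and $_.Result -eq 'success' })
    $mfa = @($g.Group | Where-Object { $_.Method -eq 'openotpNormalLogin' -and $_.Result -eq 'success' })
    if ($pki.Count -gt 0 -and $mfa.Count -eq 0) {
        Write-Warning "$($g.Name): certificate accepted in session(s) $($pki.Session -join ',') but no successful second-factor session found"
    }
}
$sessions.Values | Sort-Object Time | Format-Table Time, Session, Client, Method, User, Result -AutoSize
```

On real logs, read the lines with Get-Content instead of the here-string and bound the correlation to a short time window, since the second request follows the first within seconds as the example above shows.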

Windows session opens

Configuration for Certificate issued by WebADM Certificate Authority

Coming soon

Create Certificate

Coming soon

Inject the certificate on the SmartCard

Coming soon