Introduction to Network Authentication Guides
Dec 2022 - Update to Microsoft Network Authentication Issue
The Microsoft KB mentioned above has been updated. Note that retirement of "disabled" mode is still targeted for 2/14/23. CISA encourages any agency still reliant on "disabled" mode to move to "compatibility mode" by following the CISA Guidance as soon as possible while a timeline and plans for long-term resolution of this issue are finalized with Microsoft. Additional technical guidance can be requested through cyberlaison at CISA dot DHS dot gov.
May 2022 - Known PIV Network Authentication Issue
Some PIV-based authentication to Microsoft Domain Controllers is impacted by the May 2022 Windows Server patches. If you encounter these PIV network logon issues, please review the CISA Guidance, which is supported by the following page: KB5014754—Certificate-based authentication changes on Windows domain controllers. Additional technical guidance can be requested through cyberlaison at CISA dot DHS dot gov.
These Network Authentication guides will help you configure your Windows network domain for smart card logon using PIV credentials.
There are many useful pages and technical articles available online that include details on configurations and using generic smart cards. The information presented here addresses common questions and configurations specific to the U.S. federal government, PIV smart cards, and U.S. federal civilian agency certification authorities.
Work with your Network Engineers, Domain Admins, Account Management, and Information Security colleagues to review the information, perform the configurations, and troubleshoot any issues.
Check the following items before reviewing these network guides and lessons learned:
- Users have PIV credentials and PIV card readers.
- You are using Microsoft Active Directory to manage your Windows network.
- Domain Controllers are Microsoft 2012 or newer.
- User workstations are joined to your network and are Windows 8 or Windows 10-based.
There are five configuration categories to review with your colleagues. All five include steps that must be completed; it’s best to review and complete the configuration categories in this order:
- Network Ports and Protocols
- Domain Controllers
- Trust Stores
- Account Linking: Associating PIV credentials with User Accounts
- Group Policies and Enforcement
There are five additional guides:
- Network Tuning
- Local Certification Authority
- Authentication Assurance
- PIV Authentication on MacOS
- Troubleshooting PIV Logon
We want to add information on installing Online Certificate Status Protocol (OCSP) services, addressing common errors and troubleshooting, and configuring macOS and other operating systems.
Submit an Issue to identify information that would be helpful to you, or consider contributing a page to these guides with your lessons learned.