1.3 Overview

The One-Time Password Certificate Enrollment (OTPCE) Protocol is a stateless application-layer protocol. It defines one type of request message, sent from the client to the server, and one type of response message, returned by the server to the client. The request message consists of the user name, a one-time password (OTP), and a certificate enrollment request. The response message consists of a return code, an optional signed certificate enrollment request (the same request the client sent, now signed by the server), and an optional name of the certification authority (CA) from which the client is to enroll the certificate.

This protocol was created for OTP authentication with DirectAccess as described in [MSFT-OTP]. It is used as part of the mechanism that transforms OTP credentials into a short-lived smart card logon certificate that is used for Kerberos smart card authentication. The certificate is short-lived to minimize the risk of it being reused for future authentication sessions. It is configured to the minimum lifetime supported by the public key infrastructure (PKI) in use. The following figure shows how the protocol is used in DirectAccess authentication.

Figure 1: DirectAccess OTP authentication process

In the DirectAccess implementation of the One-Time Password Certificate Enrollment Protocol, the following events take place.

  1. The DirectAccess client sends the OTP credentials, along with an enrollment request for a short-lived smart card logon certificate, to the DirectAccess server over a Secure Sockets Layer (SSL) tunnel in which client and server are mutually authenticated by certificates.

  2. The DirectAccess server communicates with an OTP authentication server using the Password Authentication Protocol (PAP) [RFC1334] over Remote Authentication Dial-In User Service (RADIUS) in order to validate the OTP credentials.

  3. The DirectAccess server signs the certificate enrollment request with a dedicated signing certificate whose private key only the DirectAccess server possesses. The signed certificate request and the name of the CA from which the DirectAccess client is to enroll the short-lived smart card logon certificate are then returned to the DirectAccess client in the OTPCE protocol response.

  4. The DirectAccess client communicates with the certification authority (CA) using a Public Key Cryptography Standards (PKCS) #10 request [RFC2986] and a PKCS #7 response [RFC2315] in order to enroll a short-lived smart card logon certificate. The enrolled short-lived certificate is used by the PKINIT Protocol ([MS-PKCA]) to acquire a new Kerberos ticket from the Key Distribution Center (KDC) for the user.

The following figure shows a protocol message exchange of successful OTP credential validation by the OTP server and the subsequent signing of the certificate enrollment request by the server.

Figure 2: Successful sequence for certificate enrollment

The following figure shows a typical protocol message exchange in which invalid OTP credentials are rejected by the OTP server. In this case, the server returns an error and does not proceed with the signing of the certificate enrollment request.

Figure 3: Typical sequence of a certificate enrollment with erroneous credentials
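The four numbered steps above and the two sequences of Figures 2 and 3, run end to end as an added, self-contained Python simulation. This is example code, not the protocol's wire format and not DirectAccess or Windows code: the request and response are plain dataclasses (this page gives their fields but not their encoding), the return-code values are assumed, an in-memory table of unused OTPs stands in for the RADIUS/PAP OTP server, and an HMAC tag appended to the request stands in for the signature the DirectAccess server makes with its dedicated certificate. The user name, OTP values, CA name and signing key are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Return codes are assumed values; this page does not list the protocol's codes.
RC_SUCCESS = 0
RC_AUTH_FAILED = 1
RC_BAD_REQUEST = 2
TAG_LEN = 32  # SHA-256 HMAC tag appended to the countersigned request (stand-in)


@dataclass
class OtpceRequest:
    """Request: user name, one-time password, certificate enrollment request."""
    user_name: str
    otp: str
    cert_request: bytes  # PKCS #10 in the real protocol; constructed bytes here


@dataclass
class OtpceResponse:
    """Response: return code, optional signed request, optional CA name."""
    return_code: int
    signed_cert_request: Optional[bytes] = None
    ca_name: Optional[str] = None


class OtpServer:
    """Stand-in for the RADIUS/PAP OTP server: every OTP is accepted at most once."""

    def __init__(self, issued: dict):
        self._issued = {user: set(otps) for user, otps in issued.items()}

    def validate(self, user_name: str, otp: str) -> bool:
        unused = self._issued.get(user_name, set())
        if otp in unused:
            unused.discard(otp)  # consumed: a replayed OTP fails from now on
            return True
        return False


class DirectAccessServer:
    """Step 2 (validate the OTP) and step 3 (countersign the enrollment request)."""

    def __init__(self, otp_server: OtpServer, signing_key: bytes, ca_name: str):
        self._otp_server = otp_server
        self._signing_key = signing_key  # stand-in for the dedicated signing certificate
        self._ca_name = ca_name

    def handle(self, req: OtpceRequest) -> OtpceResponse:
        if not (req.user_name and req.otp and req.cert_request):
            return OtpceResponse(RC_BAD_REQUEST)
        if not self._otp_server.validate(req.user_name, req.otp):
            return OtpceResponse(RC_AUTH_FAILED)  # Figure 3: error, nothing signed
        tag = hmac.new(self._signing_key, req.cert_request, hashlib.sha256).digest()
        # Figure 2: the client's own request comes back, now carrying the server's tag.
        return OtpceResponse(RC_SUCCESS, req.cert_request + tag, self._ca_name)


class CertificationAuthority:
    """Stand-in for the CA in step 4: issues only for a request the DA server signed."""

    def __init__(self, name: str, da_signing_key: bytes, lifetime_seconds: int):
        self.name = name
        self._da_key = da_signing_key
        self._lifetime = lifetime_seconds  # the minimum lifetime the PKI supports

    def enroll(self, signed_cert_request: bytes) -> Optional[dict]:
        if len(signed_cert_request) <= TAG_LEN:
            return None
        csr, tag = signed_cert_request[:-TAG_LEN], signed_cert_request[-TAG_LEN:]
        expected = hmac.new(self._da_key, csr, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # unsigned or altered request: no smart card logon certificate
        return {"issuer": self.name, "subject": csr.decode(), "lifetime_s": self._lifetime}


def make_environment():
    """Constructed deployment: user 'alice' holds two unused OTPs."""
    signing_key = b"constructed-DA-signing-key"
    otp_server = OtpServer({"alice": {"493027", "118820"}})
    ca = CertificationAuthority("CN=Contoso-Issuing-CA", signing_key, lifetime_seconds=3600)
    da_server = DirectAccessServer(otp_server, signing_key, ca.name)
    return da_server, {ca.name: ca}


def client_logon(da_server, cas, user_name, otp):
    """Steps 1, 3 and 4 as seen by the client; returns (return_code, cert or None)."""
    csr = f"CN={user_name}, EKU=smartcard-logon".encode()  # constructed PKCS #10 stand-in
    resp = da_server.handle(OtpceRequest(user_name, otp, csr))
    if resp.return_code != RC_SUCCESS:
        return resp.return_code, None
    cert = cas[resp.ca_name].enroll(resp.signed_cert_request)
    return resp.return_code, cert


if __name__ == "__main__":
    da, cas = make_environment()
    print(client_logon(da, cas, "alice", "493027"))  # success, certificate issued
    print(client_logon(da, cas, "alice", "493027"))  # replayed OTP: error, no certificate
    print(client_logon(da, cas, "alice", "000000"))  # wrong OTP: error, no certificate
```

Two properties of the design described above are what the simulation checks: an OTP is consumed on first use, so the same credential replayed after a successful enrollment produces the error sequence of Figure 3 rather than a second certificate, and the CA issues nothing for a request that lacks a valid countersignature or whose bytes were altered after signing. The HMAC stand-in differs from the real design in one way worth keeping in mind: the CA must hold the same key, whereas with a certificate-based signature only the DirectAccess server holds the private key and the CA needs only the public certificate to verify.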

The following figure shows the use of the OTPCE protocol in Windows DirectAccess OTP authentication.

Figure 4: DirectAccess OTP authentication end to end flow