Step 3 Plan OTP Certificate Deployment

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

After planning the RADIUS server, you must plan for certification authority (CA) requirements, including the CA that will issue one-time password (OTP) certificates, the OTP certificate template, and the registration authority certificate used by the Remote Access server to sign all DirectAccess client OTP certificate requests. These certificates are used as follows:

  1. The DirectAccess client requests an OTP certificate, and the Remote Access server receives the request.

  2. The Remote Access server verifies the OTP credentials. If they are valid, the server acts as a registration authority and signs the OTP certificate enrollment request using a short-lived signing certificate.

  3. The Remote Access server sends the signed certificate enrollment request back to the DirectAccess client.

  4. The client then enrolls the OTP certificate from the CA using the certificate enrollment request signed by the server.

  5. The CA verifies the credentials and the request.

| Task | Description |
| --- | --- |
| 3.1 Plan the OTP CA | Plan the certification authority (CA) to use to issue certificates to DirectAccess clients for OTP authentication. |
| 3.2 Plan the OTP certificate template | Plan the OTP certificate template. |
| 3.3 Plan the registration authority certificate | Plan the registration authority certificate to sign all OTP authentication certificate requests. |

3.1 Plan the OTP CA

To deploy DirectAccess using one-time password (OTP) authentication, you require an internal CA to issue the OTP authentication certificates to DirectAccess client computers. For this purpose, you can use the same internal CA that you use to issue the certificates used for regular IPsec computer authentication.

3.2 Plan the OTP certificate template

Each DirectAccess client requires an OTP authentication certificate in order to gain access to the internal network. You must configure a template on your internal CA for the OTP certificate. Note the following when configuring the OTP certificate template:

  • All users who need to perform OTP authentication must have Read and Enroll permissions for this template.

  • The subject name should be built from Active Directory information, to ensure that the subject name matches the OTP user name and not the name of the Remote Access server that performs the certificate request. The subject name must be in the fully distinguished name format, and the subject alternative name must be in UPN format. This ensures that the enrolled OTP certificate is valid for smart card Kerberos authentication.

  • The intended purpose of the certificate must be Smart Card Logon.

  • Issuance must require one authorized signature. The signature must be configured with the predefined DirectAccess OTP application policy set in the registration authority signing certificate template.

  • The validity period should be set to one hour.

    Note

    In situations where the CA server is a Windows Server 2003 computer, the template must be configured on a different computer. This is because setting the validity period in hours is not possible on Windows versions prior to Windows Server 2008/Windows Vista. If the computer that you use to configure the template does not have the Certification Service role installed, or it is a client computer, you may need to install the Certificate Templates snap-in. For more information on this subject, click here.

  • The renewal period should be set to 0.

  • (Optional) Certificates and requests should not be stored in the CA database.

  • The certificate Enhanced Key Usage parameter must be set correctly, as follows:

    • For the DirectAccess registration signing certificate template, use the key 1.3.6.1.4.1.311.81.1.1.

    • For the OTP authentication certificate template, use the key 1.3.6.1.4.1.311.20.2.2.

3.3 Plan the registration authority certificate

When DirectAccess clients request an OTP certificate, the Remote Access server receives the request from the client. The Remote Access server signs all OTP certificate requests from clients using the registration authority certificate. The CA issues certificates only if the request is signed by the registration authority certificate on the Remote Access server. The certificate must be issued by an internal CA; it cannot be self-signed. It does not have to be issued by the CA that issues the OTP certificates, but the CA that issues the OTP certificates must trust the CA that issues the registration authority signing certificate.
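As an added example (not code from the original page, and not Microsoft's own tooling), the PowerShell below checks issued certificates against the template expectations in section 3.2 (Smart Card Logon EKU, UPN in the subject alternative name, distinguished-name subject, one-hour lifetime) and the registration authority requirements in section 3.3 (DirectAccess OTP EKU, not self-signed, chains to a trusted CA). The OIDs are the ones named on this page; the certificate store locations, the subject/issuer comparison used to detect a self-signed certificate, and the pattern used to pull the UPN out of the SAN text are assumptions.

```powershell
# Added example: audit OTP and registration authority certificates against the
# requirements in sections 3.2 and 3.3. OIDs come from the page; store paths are assumed.

$OidDirectAccessOtp = '1.3.6.1.4.1.311.81.1.1'   # DirectAccess OTP application policy (RA signing cert)
$OidSmartCardLogon  = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon (OTP authentication cert)
$OidSubjectAltName  = '2.5.29.17'                # subjectAltName extension

function Get-CertificateEkuOids {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # EnhancedKeyUsageList is a script property PowerShell adds to X509Certificate2 objects
    @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
}

function Get-CertificateUpn {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $OidSubjectAltName }
    if (-not $san) { return $null }
    # Format($false) renders the SAN as text, e.g. "Other Name:Principal Name=alice@corp.example"
    # (assumed rendering; the UPN-in-SAN requirement itself comes from section 3.2)
    if ($san.Format($false) -match 'Principal Name=([^,\s]+)') { return $Matches[1] }
    return $null
}

function Test-OtpClientCertificate {
    # Section 3.2 expectations for an enrolled OTP authentication certificate
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $findings = @()
    if ((Get-CertificateEkuOids $Cert) -notcontains $OidSmartCardLogon) {
        $findings += "missing Smart Card Logon EKU ($OidSmartCardLogon)"
    }
    if (-not (Get-CertificateUpn $Cert)) {
        $findings += 'subject alternative name carries no UPN'
    }
    if ($Cert.Subject -notmatch '^CN=') {
        $findings += "subject '$($Cert.Subject)' is not in distinguished name format"
    }
    $lifetime = $Cert.NotAfter - $Cert.NotBefore
    if ($lifetime.TotalMinutes -gt 60) {
        $findings += "validity period is $([int]$lifetime.TotalMinutes) minutes, expected one hour"
    }
    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint; Subject = $Cert.Subject
        Findings   = $findings;        Compliant = ($findings.Count -eq 0)
    }
}

function Test-RegistrationAuthorityCertificate {
    # Section 3.3 expectations for the RA signing certificate on the Remote Access server
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $findings = @()
    if ((Get-CertificateEkuOids $Cert) -notcontains $OidDirectAccessOtp) {
        $findings += "missing DirectAccess OTP EKU ($OidDirectAccessOtp)"
    }
    # Heuristic: a certificate whose issuer equals its subject is self-signed
    if ($Cert.Subject -eq $Cert.Issuer) {
        $findings += 'certificate is self-signed; it must be issued by an internal CA'
    }
    # Build the chain with the local trust store. This proves trust from this machine's
    # point of view only; the CA that issues OTP certificates must also trust the RA issuer.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings += "chain does not build to a trusted CA ($status)"
    }
    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint; Issuer = $Cert.Issuer
        Findings   = $findings;        Compliant = ($findings.Count -eq 0)
    }
}

# Usage (assumed locations): OTP certificates are enrolled into the user's store on the
# client; the RA signing certificate sits in the machine store on the Remote Access server.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { (Get-CertificateEkuOids $_) -contains $OidSmartCardLogon } |
    ForEach-Object { Test-OtpClientCertificate $_ }

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Get-CertificateEkuOids $_) -contains $OidDirectAccessOtp } |
    ForEach-Object { Test-RegistrationAuthorityCertificate $_ }
```

Run the first pipeline on a DirectAccess client after an OTP logon and the second on the Remote Access server; any object with `Compliant` set to false lists in `Findings` which template or RA requirement from this page is not met. Revocation checking is disabled in the chain build so the script stays usable offline; enable it when the CRL distribution point is reachable.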

See also