
This section describes how to configure domain logon with a Rutoken token (smart card logon) in the Windows Server 2019 operating system.

You need a computer running Windows Server 2019 (Russian edition) with the Rutoken drivers installed, and the installation media of this OS.

The server must be configured as a domain controller with Active Directory Certificate Services installed, and users must already have been issued certificates based on the Smartcard User or Smartcard Logon template.

All the actions described are performed with system administrator rights.

The Admin account is used as an example.

Setting up domain logon with a token consists of three stages:

Stage 1: Setting up user accounts.

Stage 2: Setting up domain security policies.

Stage 3: Configuring the client operating system.

Setting up user accounts

First, set up the user accounts. In this example the User account is configured: a domain user that is a member only of the Domain Users group.

In a Windows Server 2019 domain, everyone can be prohibited from logging on without a Rutoken device holding the required certificate in a single action (the domain-wide policy configured in Stage 2); a user with the Administrator account will then also be unable to log on without a Rutoken device, so make sure at least one administrator already has a working Rutoken device and certificate before enabling it. The per-user setting described in this stage is needed only when the domain also contains users who authenticate by other means (passwords, biometrics, etc.). In that case, configure the flag for each token user as described below and do not enable the domain-wide policy in Stage 2.

To set up a user account:

  1. Open the Control Panel.
  2. In the search box, type "administrative".
  3. Double-click Administrative Tools.
  4. Double-click Active Directory Users and Computers.
  5. In the left pane of the snap-in window, click the Users folder.
  6. Right-click the user who is to log on to the domain only with a Rutoken device and select Properties.
  7. In the user properties window, open the Account tab.
  8. Under Account options, select the Smart card is required for interactive logon check box. Click OK.
  9. Close the Active Directory Users and Computers window.
  10. Configure the other accounts in the domain in the same way. Such users will be able to log on to the domain only with a Rutoken device holding a certificate issued by the domain certification authority.
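The same per-user setting applied from PowerShell, as an added example that is not part of this page or of Rutoken's documentation. It assumes the ActiveDirectory module (RSAT) is available on the domain controller, that the script runs as a domain administrator, and uses a hypothetical group name Token-Users for the accounts that must use a token; the audit at the end lists every enabled user who can still log on with a password.

```powershell
# Added example (not from the Rutoken page): enforce and audit the
# "Smart card is required for interactive logon" flag with the
# ActiveDirectory module instead of clicking through ADUC.
# Assumptions: RSAT/ActiveDirectory module present, run as a domain admin,
# and the group name "Token-Users" is hypothetical.
Import-Module ActiveDirectory

$GroupName = 'Token-Users'   # hypothetical group of users who must use a Rutoken
$Required  = 0x40000         # UF_SMARTCARD_REQUIRED bit in userAccountControl

# Enforce the flag for every user in the group. Setting it makes the DC
# replace the account's password with a random value, so password logon
# stops working as soon as the change has replicated.
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        Set-ADUser -Identity $_.distinguishedName -SmartcardLogonRequired $true
        Write-Output "Smart card now required for $($_.SamAccountName)"
    }

# Audit: enabled users without the bit set can still log on with a password.
# The raw userAccountControl bit is checked rather than the friendly attribute
# so the result does not depend on the cmdlet's own translation of it.
Get-ADUser -Filter 'Enabled -eq $true' -Properties userAccountControl, SmartcardLogonRequired |
    Where-Object { -not ($_.userAccountControl -band $Required) } |
    Select-Object SamAccountName, SmartcardLogonRequired,
        @{ n = 'UAC_Hex'; e = { '0x{0:X}' -f $_.userAccountControl } } |
    Format-Table -AutoSize
```

Run the audit again after the change has replicated to all domain controllers; any account that still appears is one that the per-user setting does not cover.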

Configuring Domain Security Policies

To configure security policies:

  1. Open the Control Panel.
  2. Double-click Administrative Tools.
  3. Double-click the Group Policy Management snap-in.
  4. In the Group Policy Management window, click the arrow next to Group Policy Objects.
  5. Right-click the Default Domain Policy group policy object and select Edit...
  6. In the Group Policy Management Editor, under Computer Configuration > Policies, click the arrow next to Windows Settings.
  7. Click the arrow next to Security Settings.
  8. Click the arrow next to Local Policies.
  9. Click Security Options.
  10. Double-click the policy Interactive logon: Require Windows Hello for Business or smart card.
  11. Select the Define this policy setting check box.
  12. Set the switch to Enabled.
  13. Click OK.
    Steps 10-13 should be performed only if all users are to be prohibited from logging on without a Rutoken device with the required certificate. This policy applies to every account in the domain, including Administrator. If some users keep alternative authentication methods, skip these steps and rely on the per-user setting from Stage 1.
  14. Still in the Security Options node, right-click the policy Interactive logon: Smart card removal behavior and select Properties.
  15. Select the Define this policy setting check box.
  16. From the drop-down list, select how the client OS should behave when the Rutoken device is removed during an open user session. In this example, Lock Workstation is selected.
  17. Click OK.
  18. Close the Group Policy Management Editor window.
  19. Close the Control Panel.

The settings take effect on a computer only after its Group Policy has been refreshed: restart the computer, or run gpupdate /force on it. This completes the configuration of the server operating system.

Configuring the client operating system

Client computers running Windows 10/8.1/8/7/Vista/XP/2000 must be joined to the domain and have the Rutoken drivers installed.

The OS edition must support joining a domain.

If the client computers were running while the server was being configured, restart them so that the new policies are applied.

Now users who were issued a Smartcard User or Smartcard Logon certificate can log on to the domain only while a Rutoken device holding that certificate is connected to the computer.
When the Rutoken device is removed during an open user session, the client OS is locked automatically (on Windows 10/8.1/8/7/Vista, the Smart Card Removal Policy service (SCPolicySvc) must be set to start automatically, otherwise the desktop is not locked when the Rutoken device is disconnected).
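An added verification script for Stages 2 and 3, not from this page or from Rutoken: run in an elevated PowerShell on a domain-joined client, it refreshes Group Policy, reads the registry values that the two security options write to, and makes sure the Smart Card Removal Policy service is enabled and running. The expected values assume that Lock Workstation was chosen in Stage 2; the registry paths and value names are the standard Windows locations for these two policies.

```powershell
# Added example (not from the Rutoken page): confirm on a client that the two
# Stage 2 policies have arrived and that removing the token will lock the
# desktop. Run in an elevated PowerShell on a domain-joined client.
gpupdate /force | Out-Null

$system   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# "Interactive logon: Require Windows Hello for Business or smart card"
# is stored as the DWORD scforceoption (1 = enabled).
$force = (Get-ItemProperty -Path $system -Name scforceoption -ErrorAction SilentlyContinue).scforceoption

# "Interactive logon: Smart card removal behavior" is stored as the string
# ScRemoveOption: "0" no action, "1" lock workstation, "2" force logoff,
# "3" disconnect a Remote Desktop session.
$remove = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption

Write-Output "Require smart card (scforceoption): $force  (expected 1 when all users are restricted, absent otherwise)"
Write-Output "Removal behavior (ScRemoveOption): $remove  (expected 1 = Lock Workstation)"

# The removal behavior is enforced by the Smart Card Removal Policy service
# (SCPolicySvc). On the client versions listed above it is not started
# automatically, so set it to Automatic and start it; without it, pulling
# the token does nothing even though the policy is present.
$svc = Get-Service -Name SCPolicySvc
if ($svc.StartType -ne 'Automatic') {
    Set-Service -Name SCPolicySvc -StartupType Automatic
}
if ($svc.Status -ne 'Running') {
    Start-Service -Name SCPolicySvc
}

# SCardSvr is the Smart Card service the Rutoken driver talks to; both
# services should show Running here.
Get-Service -Name SCPolicySvc, SCardSvr | Format-Table Name, Status, StartType -AutoSize
```

If scforceoption is missing on a client where it is expected, check with gpresult /r that the Default Domain Policy is actually applied to that computer before looking for a problem in the token or certificate.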
