So secure the end user cannot get in!

Some organizations use a security-hardened OS image.  Across the US government this is referred to as applying a STIG (Security Technical Implementation Guide).  Recently I came across an interesting roadblock while working with a customer to resolve a problem logging into StoreFront using a DoD CAC (smart card).  The user was presented with a message that they could not log in using a smart card.

Investigating the issue

StoreFront adds a new Delivery Services log under the Windows Event Viewer.  I have found this to be very helpful in troubleshooting StoreFront, and a welcome improvement over Web Interface.  However, in this case, there were few clues as to the cause.  I discovered the following while troubleshooting:

  • Smart card authentication did work via the test.aspx page (CTX139201).  However, this page reads only limited information from the certificate by design, so it does not exercise the full user mapping.
  • There were no errors in the Delivery Services log.
  • Information events showed the full Subject of the CAC.  For a CAC, the SubjectAltName (which carries the user's UPN) is what should be used to map the user to AD, not the Subject.
  • Setting the StoreFront services to log on as a domain administrator allowed smart card logon to work, but running the services under that account was not acceptable.
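The same triage, as an added PowerShell example that is not part of the original post. It assumes the StoreFront service display names begin with "Citrix", that the event log is named "Citrix Delivery Services", and that C:\temp\cac.cer is a placeholder path to an exported CAC certificate; none of these are confirmed by the post.

```powershell
# Added example, not code from the original post. Run on the StoreFront server.
# Assumptions (not confirmed by the post): StoreFront service display names begin with
# "Citrix", the event log is named "Citrix Delivery Services", and C:\temp\cac.cer is a
# placeholder path to an exported CAC certificate.

# 1. Which account each StoreFront service logs on as. The default,
#    NT AUTHORITY\NetworkService, presents the computer account to the domain.
Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE 'Citrix%'" |
    Select-Object Name, State, StartName |
    Format-Table -AutoSize

# 2. Recent entries in the Delivery Services log, narrowed to the ones relevant to
#    smart card logon. Information-level events may hold the clue when there is no Error.
$since = (Get-Date).AddHours(-2)
Get-WinEvent -FilterHashtable @{ LogName = 'Citrix Delivery Services'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'smart\s?card|certificate|S4U|Kerberos|authenticat' } |
    Select-Object TimeCreated, LevelDisplayName, Id, Message |
    Format-List

# 3. Subject versus SubjectAltName on the card's certificate. AD smart card logon maps the
#    user by the UPN in the SAN ("Principal Name" other-name entry), not by the Subject.
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList 'C:\temp\cac.cer'
"Subject: $($cert.Subject)"
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
if ($san) {
    "SubjectAltName:`n$($san.Format($true))"
} else {
    'No SubjectAltName extension present; AD cannot map this certificate by UPN'
}
```

Step 1 confirms whether anyone has already changed the service logon account; step 3 shows the value AD will actually match on, which is what the Delivery Services information events did not display.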

Mapping a smart card user to AD

User mapping is done by StoreFront via a Kerberos extension called S4U (Service for User, specifically S4U2Self).  To complete that request, the account making it must be a member of the Windows Authorization Access Group in AD; that group is what grants read access to the computed tokenGroupsGlobalAndUniversal attribute on user objects, which S4U2Self needs to build the user's token.  By default the StoreFront services are set to log on as Network Service, which means StoreFront authenticates to the domain with the computer account.  In some highly secured environments, user rights restrictions or group membership restrictions will prevent the StoreFront machine account from being a member of this group.  The fact that starting the StoreFront services as the domain administrator resolved the issue supported this as the likely cause.

Resolving the issue

Examining the membership of the Windows Authorization Access Group showed that neither the StoreFront machine account nor any group it was a member of had been added.  If the group's membership contains "Authenticated Users" then it already includes every domain-joined computer account, so nothing further is needed; in a hardened environment that default is often removed.  As there was only one StoreFront server in this environment, the customer resolved the issue by adding the StoreFront computer account to the group and resetting the StoreFront services to log on as Network Service.  In a larger environment it is more practical to create an AD group for StoreFront servers and add that group to the Windows Authorization Access Group, then update the StoreFront build documentation to include adding the computer account to that group whenever a new server is created.
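The membership check and fix described above, as an added PowerShell example rather than anything from the original post. It assumes the RSAT ActiveDirectory module is installed and that the caller can modify the built-in group; the computer name SF01 and the group name "StoreFront Servers" are placeholders. It goes slightly beyond the post by checking nested membership and the Authenticated Users shortcut before changing anything.

```powershell
# Added example, not code from the original post.
# Assumptions: RSAT ActiveDirectory module present; the caller can read and modify the
# built-in group; SF01 and "StoreFront Servers" are placeholders.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$StoreFrontServer = 'SF01',                # placeholder computer name
    [string]$StoreFrontGroup  = 'StoreFront Servers',  # placeholder AD group for the multi-server case
    [switch]$UseGroup                                  # add a group of servers instead of one account
)

# Resolve the built-in group by its well-known SID (S-1-5-32-560) so the script does not
# depend on the display name or the DC's locale.
$waag     = Get-ADGroup -Identity 'S-1-5-32-560' -Properties member
$computer = Get-ADComputer -Identity $StoreFrontServer

# 1. "Authenticated Users" (S-1-5-11) as a member already covers every domain-joined
#    computer account. It appears in 'member' as a foreign security principal DN.
$authUsersPresent = $waag.member | Where-Object { $_ -like 'CN=S-1-5-11,CN=ForeignSecurityPrincipals,*' }

# 2. Transitive membership via LDAP_MATCHING_RULE_IN_CHAIN: every group the computer
#    account belongs to directly or through nesting. (A DN containing ( ) * or \
#    would need LDAP escaping; computer DNs normally do not.)
$chain = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($computer.DistinguishedName))"
$effectiveMember = $chain | Where-Object { $_.SID -eq $waag.SID }

if ($authUsersPresent -or $effectiveMember) {
    Write-Host "$StoreFrontServer is already an effective member of '$($waag.Name)'; no change needed."
    return
}

if ($UseGroup) {
    # Larger environments: one group for all StoreFront servers, added to the built-in
    # group once; new servers then only need to join the StoreFront group.
    $sfGroup = Get-ADGroup -Filter "Name -eq '$StoreFrontGroup'"
    if (-not $sfGroup) {
        $sfGroup = New-ADGroup -Name $StoreFrontGroup -GroupScope Global -GroupCategory Security -PassThru
    }
    Add-ADGroupMember -Identity $sfGroup -Members $computer
    Add-ADGroupMember -Identity $waag    -Members $sfGroup
    Write-Host "Added $StoreFrontServer to '$StoreFrontGroup' and that group to '$($waag.Name)'."
} else {
    # Single server: add the computer account directly.
    Add-ADGroupMember -Identity $waag -Members $computer
    Write-Host "Added $StoreFrontServer to '$($waag.Name)'."
}
```

Run it with -WhatIf first to see what would change. Group membership for a computer account is carried in its Kerberos tickets, which are obtained when the machine boots, so after the change reboot the StoreFront server (or purge the Network Service logon session's tickets) before retesting; restarting the StoreFront services alone may still present the old group set to the domain controller.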

If you encounter other issues in your secured environment involving StoreFront and smart card, please leave a comment and let me know.