Prerequisites

  • Active Directory – Admin privilege
  • Active Directory Certificate Service – Admin privilege
  • DirectAccess server – Remote Access (DirectAccess and VPN/RAS) role on Windows Server 2012
  • Trusted Platform Module (TPM) chip support – on the client

Setup Direct Access Server

  • Have a Win 2012 server inside the domain
  • Ideally two network adapters (one internal, one external)
  • Add Remote Access (DirectAccess and VPN) role
  • Use “Remote Access Management” to configure after the installation
  • Select a reliable Windows network


Setup Certificate templates

  • Add the Certificate Agent and Smart Card (User or Logon) templates


Setup the client

  • Enable TPM from the Boot setup
  • Prepare/Turn On TPM – tpm.msc
  • Create a Virtual Smart Card (VSC)
    • tpmvscmgr.exe from command prompt
    • Specify or remember the PIN for later use
    • Remember the Instance ID for future reference
  • Enroll the VSC by getting a certificate
    • certmgr.exe
    • Current User -> Personal -> Certificates
    • Request New Certificate -> Certificate Agent
    • All Tasks -> Advanced Options -> Request Certificate On Behalf of Others
      • Browse to get the right Certificate
      • Specify which user you want to request for
      • Select Smart Card Cert -> Properties -> Private Key -> Select ONLY the Microsoft Base Smart Card Crypto Provider (de-select the default one)
      • Enter the PIN from the creation of the VSC
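
The client-side VSC creation steps above, scripted as an added PowerShell example (not code from the original post): it checks that the TPM is ready, creates the card with tpmvscmgr.exe, saves the Instance ID for later, and verifies the reader device exists. The card name, the record file and the exact "Instance ID:" output line format are assumptions.

```powershell
# Added example (not from the original post): provision a TPM virtual smart card
# on the client and record its Instance ID for later use.
# Assumes Windows 8 / Server 2012 or later (Get-Tpm from the TrustedPlatformModule
# module), tpmvscmgr.exe on the PATH, and an elevated PowerShell session.
# The card name, the record file and the 'Instance ID:' line format are assumptions.

$CardName   = 'DirectAccess VSC'
$RecordFile = Join-Path $env:USERPROFILE 'vsc-instance-id.txt'

# 1. Confirm the TPM is enabled in firmware and prepared (the BIOS and tpm.msc steps).
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)); enable it in the boot setup and prepare it in tpm.msc"
}

# 2. Create the VSC.
#    /pin prompt      - ask for the user PIN interactively rather than leaving it in
#                       the command line, shell history or deployment logs.
#    /adminkey random - the admin key is generated and not shown, so the card cannot be
#                       unblocked or re-keyed later; use '/adminkey prompt' if your
#                       PKI team must keep that key in escrow.
#    /generate        - format the card so the CSP can use it immediately.
$output = & tpmvscmgr.exe create /name $CardName /pin prompt /adminkey random /generate 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "tpmvscmgr.exe create failed (exit $LASTEXITCODE):`n$($output -join "`n")"
}

# 3. Extract and keep the Instance ID; it identifies the card for later operations
#    (for example 'tpmvscmgr.exe destroy /instance <ID>').
$match = $output | Select-String -Pattern 'Instance ID:\s*(\S+)' | Select-Object -First 1
if (-not $match) {
    throw "Could not find the Instance ID in tpmvscmgr output:`n$($output -join "`n")"
}
$instanceId = $match.Matches[0].Groups[1].Value
Set-Content -Path $RecordFile -Value $instanceId
Write-Host "Virtual smart card '$CardName' created. Instance ID: $instanceId (saved to $RecordFile)"

# 4. Verify Windows now exposes the card as a smart card reader before enrolling in certmgr.
$device = Get-WmiObject -Class Win32_PnPEntity | Where-Object { $_.DeviceID -eq $instanceId }
if ($device) {
    Write-Host "Reader device present: $($device.Name)"
} else {
    Write-Warning "No PnP device with ID $instanceId found yet; check Device Manager under Smart card readers"
}
```

The PIN entered at the prompt is the one you will type again when enrolling the certificate in certmgr, so keep it where the user (not the script) can recall it.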