CAPI driver prerequisite configuration
The CAPI application driver installs certificates and private keys in the CAPI store of a Windows host running WinRM. You can also install CAPI certificates using the Server Agent. For more information about Server Agent, see Server Agent—Introduction.
IMPORTANT If you want to configure remote key generation using an HSM, you must activate Venafi Advanced Key Protect, an optional add-on feature to Venafi Trust Protection Platform. For more information, see Venafi Advanced Key Protect.
This topic outlines device and Trust Protection Platform system requirements.
Target device requirements
-
For Windows Server 2016, Windows Management Framework (WMF) 5.1 or higher is required.
-
Windows Remoting (WinRM) must be enabled.
Disabled by default, it can be enabled by executing one of the following on the target system (a computer certificate is required to enable WinRM over HTTPS):
winrm quickconfig
winrm quickconfig -transport:https
Trust Protection Platform tries to connect using the port number specified by the CAPI application object. Typically, HTTPS is attempted before HTTP; the order is only reversed when the port specified is 5985 or 80, which are the standard HTTP ports for WinRM.
WinRM over HTTP only allows Kerberos authentication without additional configuration. In order to allow WinRM over HTTP to accept NTLM for authentication, the WinRM client on the Trust Protection Platform server must have the target system in its Trusted Host list, which means that system will be trusted even though its identity cannot be authenticated.
CAUTION NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle, and brute force attacks.
Assuming that this risk is understood and acceptable, accounting for each target individually might not be feasible; so the following command can be executed on the Trust Protection Platform server to allow it to use NTLM when authenticating with WinRM over HTTP:
winrm set winrm/config/client '@{TrustedHosts="*"}'
One or more inbound rules may need to be added if the Windows Firewall is active on the target system. These rules would only need to allow access from each of the Trust Protection Platform servers that are capable of provisioning to the target device on the WinRM listening port.
An inbound rule might need to be added if the Windows Firewall is active on the target system. This can be accomplished using the MMC or by executing the following command:
netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow enable=yes profile=any remoteip=<Trust Protection Platform IP>=5986 protocol=tcp program=System
-
(Required) Windows PowerShell Snap-In for IIS 7.0
- User account with permissions to access the server via WinRM, execute PowerShell commands that import and export certificates and private keys from the Windows CAPI store, and that can modify IIS configurations.
Trust Protection Platform system requirements
-
Windows Management Framework (WMF) 3.0 or higher
CAPI Connectivity
The following table summarizes CAPI connectivity options and settings.
|
Trusted Domain/Forest (Supports Kerberos Authentication) |
Non-Trusted Domain/Forest (Supports NTLM Authentication Only) |
---|---|---|
HTTP (5985/tcp) |
No additional configuration necessary. |
WinRM on the Trust Protection Platform systems is configured to explicitly consider which target systems are trusted For example, winrm set winrm/config/client @{TrustedHosts="*"} would allow the trusting of every target for NTLM. |
HTTPS (5986/tcp) |
WinRM on the target system must have (and be using) an SSL certificate that is trusted by the Trust Protection Platform server. This trust requirement setting can be globally disabled by creating a registry DWORD value in the HKLM\Software\Venafi\Platform key directory called WinRMSkipCACheck=1. |
WinRM on the target system must have (and be using) an SSL certificate that is trusted by the Trust Protection Platform server. This trust requirement setting can be globally disabled by creating a registry DWORD value in the HKLM\Software\Venafi\Platform key directory called WinRMSkipCACheck=1. |