Configure group policies for AD servers

After teams import a certificate into Active Directory (AD), they must still configure server resources for use with Advanced Server Access. Okta recommends teams place all Advanced Server Access-protected servers in a separate Organizational Unit (OU) from other resources on the domain. Teams can then centrally manage domain controllers and resources within the OU using a Group Policy Object (GPO).

Warning: Teams shouldn't apply smart card authentication to domain controllers until passwordless authentication has been thoroughly tested. Doing so may cause teams to become locked out of the domain.

Start the task

  1. Distribute the certificate using a GPO.
    1. Right-click the Domain Controllers object and select Create a GPO in this domain, and Link it here....
    2. From the New GPO window, name the GPO Advanced Server Access - Certificate.
    3. Click OK.
    4. In the console tree, go to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
    5. Right-click Trusted Root Certification Authorities and click Import.
    6. In the Welcome to the Certificate Import Wizard, click Next.
    7. Specify the path to the certificate file that you created earlier and click Next.
    8. Click Place all certificates in the following store and click Next.
    9. Verify the information and click Finish.
  2. Disable Network Level Authentication.
    1. From the Group Policy Management screen, identify Advanced Server Access - Certificate GPO.
    2. Right-click the GPO and click Edit.
    3. In the console tree, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.
    4. Double-click Require user authentication for remote connections by using Network Level Authentication.
    5. In the properties window, select Disabled.
    6. Click Apply and then click OK.
  3. Assign the GPO to the Advanced Server Access OU.
    1. From the Group Policy Management snap-in, identify the Advanced Server Access OU.
    2. Right-click the domain controller and click Link an Existing GPO.
    3. In the Select GPO window, select the Advanced Server Access - Certificate GPO.
    4. Click OK.
  4. Require smart card authentication for accounts.
    • Don't apply this policy to domain controllers until passwordless authentication has been thoroughly tested. Doing so may cause you to become locked out of the domain.
    • If your Okta org uses Active Directory delegated authentication, applying this policy to user accounts will make them unable to access the Okta dashboard.
    1. Right-click the Advanced Server Access OU and select Create a GPO in this domain, and Link it here....
    2. From the New GPO window, name the GPO Advanced Server Access - Authentication.
    3. Click OK.
    4. In the console tree, go to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.
    5. Double-click Interactive logon: Require Windows Hello for Business or smart card.
      Note: Some Windows versions name this setting Interactive logon: Require smart card instead.
    6. In the properties window, select Define this policy setting.
    7. Select Enabled.
      Warning: Teams shouldn't apply smart card authentication to domain controllers until passwordless authentication has been thoroughly tested. Doing so may cause teams to become locked out of the domain.
    8. Click Apply and then click OK.
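The console steps 2 through 4 above, scripted in PowerShell as an added example (not Okta's or this page's own code). It assumes the GroupPolicy and ActiveDirectory RSAT modules on a domain-joined host, an OU named "Advanced Server Access" directly under the domain root, and that writing the scforceoption value through Set-GPRegistryValue stands in for the Security Options editor (an assumption: the value lands as a registry policy in the GPO rather than under Security Options, but it is the same key Windows enforces). The trusted-root certificate import in step 1 has no GroupPolicy cmdlet and stays in the console.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName            # e.g. DC=example,DC=com
$asaOu    = "OU=Advanced Server Access,$domainDn"       # assumed OU name; adjust to yours
$dcOu     = "OU=Domain Controllers,$domainDn"
$certGpo  = "Advanced Server Access - Certificate"      # GPO names as used on this page
$authGpo  = "Advanced Server Access - Authentication"

# Step 2: disable Network Level Authentication in the Certificate GPO.
# Policy key behind "Require user authentication for remote connections by using NLA".
if (-not (Get-GPO -Name $certGpo -ErrorAction SilentlyContinue)) { New-GPO -Name $certGpo | Out-Null }
Set-GPRegistryValue -Name $certGpo `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
    -ValueName "UserAuthentication" -Type DWord -Value 0 | Out-Null

# Step 3: link the Certificate GPO to the ASA OU (skip if already linked).
if (-not ((Get-GPInheritance -Target $asaOu).GpoLinks.DisplayName -contains $certGpo)) {
    New-GPLink -Name $certGpo -Target $asaOu | Out-Null
}

# Step 4: require smart card logon for the ASA OU only.
# scforceoption = 1 is the registry value behind "Interactive logon: Require smart card"
# (assumption: set here as a registry policy instead of through the Security Options editor).
if (-not (Get-GPO -Name $authGpo -ErrorAction SilentlyContinue)) { New-GPO -Name $authGpo | Out-Null }
Set-GPRegistryValue -Name $authGpo `
    -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
    -ValueName "scforceoption" -Type DWord -Value 1 | Out-Null
if (-not ((Get-GPInheritance -Target $asaOu).GpoLinks.DisplayName -contains $authGpo)) {
    New-GPLink -Name $authGpo -Target $asaOu | Out-Null
}

# Lockout guard for the warning on this page: the Authentication GPO must not reach the
# Domain Controllers OU until passwordless authentication has been tested.
$dcLinks = (Get-GPInheritance -Target $dcOu).GpoLinks
if ($dcLinks.DisplayName -contains $authGpo) {
    throw "'$authGpo' is linked to the Domain Controllers OU; remove that link before continuing."
}

# Show what is now linked to the ASA OU so the result can be reviewed before gpupdate.
(Get-GPInheritance -Target $asaOu).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order | Format-Table -AutoSize
```

Run it from an elevated PowerShell session with domain admin rights, then confirm on one test server with gpresult /r before applying the Authentication GPO more broadly.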

Next Steps

Add a certificate to an Active Directory connection