Setting up AD (W2K3) for SmartCard Authentication

Setting up AD (W2K3) for SmartCard Authentication
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Microsoft Applications Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
Setting up AD (W2K3) for SmartCard Authentication =?Utf-8?B?RG9uIEpvbmVz?= 03-04-2008
Posted by =?Utf-8?B?RG9uIEpvbmVz?= on March 4, 2008, 7:21 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Can someone direct me to some articles that explain how to configure AD for
Smart Card Authentication? If read various articles and they were not clear
as to what is required and how to implement smartcard authentication.

If this isn't the correct group, please let me know what the correct group
would be.

Thanks.

Don Jones

Posted by Paul Adare on March 4, 2008, 8:12 am
If you were  Registered and logged in, you could reply and use other advanced thread options
On Tue, 4 Mar 2008 04:21:00 -0800, Don Jones wrote:

> Can someone direct me to some articles that explain how to configure AD for
> Smart Card Authentication? If read various articles and they were not clear
> as to what is required and how to implement smartcard authentication.
>
> If this isn't the correct group, please let me know what the correct group
> would be.

Where are the certificates coming from?

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
The attention span of a computer is only as long as its power cord.

Posted by Dobromir Todorov on March 5, 2008, 8:58 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Try this if you are looking at a third party (non-Microsoft) CA, or
Microsoft Standalone CA.

http://support.microsoft.com/kb/281245

If you are looking at your own, Microsoft Enterprise CAs, you'd suggest that
you go for a longer read here:
http://technet2.microsoft.com/windowsserver/en/library/40c46d0e-f4a1-4b27-8b45-f09b448130ae1033.mspx?mfr=true

--
---
HTH,
Dobromir

Visit http://www.iamechanics.com

> Can someone direct me to some articles that explain how to configure AD
> for
> Smart Card Authentication? If read various articles and they were not
> clear
> as to what is required and how to implement smartcard authentication.
>
> If this isn't the correct group, please let me know what the correct group
> would be.
>
> Thanks.
>
> Don Jones



Posted by =?Utf-8?B?RG9uIEpvbmVz?= on April 2, 2008, 8:53 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Thanks for the response. I have read the articles, have a question.

We have smartcards issued by a third party ca, and have the root-ca's
certificate listed in the places mentioned in the articles. Our
DomainController Certificate is not from the Same CA that issued the
SmartCards Certificates. The Certificate is from our Enterprise CA. We are
currently using the DomainController template, which doesn't list SmartCard
Logon as a property.

Does the DomainController's certificate contain the SmartCard Logon
property? If so, How can I add the SmartCard Logon property to the
DomainController Template or do I need to upgrade to Enterprise Edition?

Don Jones

"Dobromir Todorov" wrote:

> Try this if you are looking at a third party (non-Microsoft) CA, or
> Microsoft Standalone CA.
>
> http://support.microsoft.com/kb/281245
>
> If you are looking at your own, Microsoft Enterprise CAs, you'd suggest that
> you go for a longer read here:
>
http://technet2.microsoft.com/windowsserver/en/library/40c46d0e-f4a1-4b27-8b45-f09b448130ae1033.mspx?mfr=true
>
> --
> ---
> HTH,
> Dobromir
>
> Visit http://www.iamechanics.com
>
> > Can someone direct me to some articles that explain how to configure AD
> > for
> > Smart Card Authentication? If read various articles and they were not
> > clear
> > as to what is required and how to implement smartcard authentication.
> >
> > If this isn't the correct group, please let me know what the correct group
> > would be.
> >
> > Thanks.
> >
> > Don Jones
>
>
>

Posted by Brian Komar \(MVP\) on April 2, 2008, 8:15 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
The domain controller certificate will work for smart card authentication.
You meed to look at the KB article on enabling smart card auth certs from
3rd paty CAs.
http://support.microsoft.com/kb/281245/en-us

Does the certificate contain the user's UPN in the subject alternative name
Is the CA in the NTAuth store
Are all CRLs and CA certificates for the 3rd party chain available

Brian

> Thanks for the response. I have read the articles, have a question.
>
> We have smartcards issued by a third party ca, and have the root-ca's
> certificate listed in the places mentioned in the articles. Our
> DomainController Certificate is not from the Same CA that issued the
> SmartCards Certificates. The Certificate is from our Enterprise CA. We
> are
> currently using the DomainController template, which doesn't list
> SmartCard
> Logon as a property.
>
> Does the DomainController's certificate contain the SmartCard Logon
> property? If so, How can I add the SmartCard Logon property to the
> DomainController Template or do I need to upgrade to Enterprise Edition?
>
> Don Jones
>
> "Dobromir Todorov" wrote:
>
>> Try this if you are looking at a third party (non-Microsoft) CA, or
>> Microsoft Standalone CA.
>>
>> http://support.microsoft.com/kb/281245
>>
>> If you are looking at your own, Microsoft Enterprise CAs, you'd suggest
>> that
>> you go for a longer read here:
>>
http://technet2.microsoft.com/windowsserver/en/library/40c46d0e-f4a1-4b27-8b45-f09b448130ae1033.mspx?mfr=true
>>
>> --
>> ---
>> HTH,
>> Dobromir
>>
>> Visit http://www.iamechanics.com
>>
>> > Can someone direct me to some articles that explain how to configure AD
>> > for
>> > Smart Card Authentication? If read various articles and they were not
>> > clear
>> > as to what is required and how to implement smartcard authentication.
>> >
>> > If this isn't the correct group, please let me know what the correct
>> > group
>> > would be.
>> >
>> > Thanks.
>> >
>> > Don Jones
>>
>>
>>


Similar ThreadsPosted
biometric (i.e. fingerprint), SmartCard and authentication October 13, 2005, 8:51 am
MS05-051 on W2K3 October 18, 2005, 12:16 pm
W2K3 3-tier CA Implementation November 10, 2006, 8:28 am
Bypass W2K3 SP2 WMF Security June 6, 2007, 4:43 pm
How to disable security warning in W2k3 SP1? July 19, 2005, 3:02 pm
Folder Security/ Permissions problem on W2K3 March 1, 2006, 11:25 pm
Assigning Security through W2k3 to W2k Trusted Domains March 14, 2006, 1:52 pm
How to extend expiry for Server Certs issued with W2k3 CA November 27, 2006, 5:19 am
W2k3 SP2 breaks Security Configuration and Analysis util April 7, 2007, 3:42 am
How to prevent users on unauthorized machines from w2k3 files November 27, 2007, 4:23 pm

The site map in XML format XML site map

Contact Us | Privacy Policy