Cannot use one Certificate for Smart Card Logon and EAP-TLS for Wireless

From: erha (rudy_at_guardmydata.com)
Date: 04/18/05


Date: Mon, 18 Apr 2005 20:44:21 +0800

Hi all, (especially Microsoft)

We are currently trying to integrate our Smart Card for use in Wireless EAP-TLS
authentication.
Currently we use our Smart Card for Microsoft Windows Certificate Logon.
To support EAP-TLS, we added Client Authentication to the Extended Key
Usage (EKU).
But we failed. Microsoft complains: "Windows was unable to find a
certificate to log you on the network XXXX".

After this error, we tried using a certificate from the Certificate Store.

We imported Certificate #1 into the Certificate Store.

Certificate #1:
EKU=Client Authentication
Key Usage=Digital Signature, keyEncipherment, keyAgreement

MS Windows does not complain when we are using Certificate #1. The Wireless is
successfully connected.

We deleted Certificate #1 from the Certificate Store and imported Certificate #2.

Certificate #2:
EKU=Client Authentication, Smart Card Logon
Key Usage=Digital Signature, keyEncipherment, keyAgreement

And ha ha ......

MS Windows complains: "Windows was unable to find a certificate to log you
on the network XXXX".

Why does the Smart Card Logon EKU make EAP-TLS fail?

We need these two EKUs on one Certificate because currently Microsoft calls
our CSP using the "default container" for both Smart Card Logon and EAP-TLS,
and we cannot differentiate who is actually calling our CSP.

Has anyone faced this problem before?

Can someone from Microsoft confirm this problem?

Thanks in advance for any help or ideas......

Rudy
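
The following is an added example, not part of the original post: a PowerShell check that reads the EKU OIDs and Key Usage bits from a certificate, so the two profiles described above can be confirmed on the certificates actually under test. It does not explain the failure; the test certificates are constructed in memory (nothing is written to a store), and the names `New-TestCert` and `Get-CertUsage` are hypothetical helpers.

```powershell
# Added example. Requires Windows PowerShell 5.1 on .NET Framework 4.7.2+ or PowerShell 7.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$ClientAuth     = '1.3.6.1.5.5.7.3.2'        # Client Authentication
$SmartCardLogon = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon

# Build a short-lived self-signed certificate in memory with the given EKU OIDs
# and the Key Usage bits listed in the post (constructed test data).
function New-TestCert([string]$Subject, [string[]]$EkuOids) {
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $oids = [OidCollection]::new()
    foreach ($o in $EkuOids) { [void]$oids.Add([Oid]::new($o)) }
    $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
    $ku = [X509KeyUsageFlags]'DigitalSignature, KeyEncipherment, KeyAgreement'
    $req.CertificateExtensions.Add([X509KeyUsageExtension]::new($ku, $true))
    $now = [DateTimeOffset]::UtcNow
    return $req.CreateSelfSigned($now, $now.AddDays(1))
}

# Report the usage-related extensions of one certificate.
function Get-CertUsage([X509Certificate2]$Cert) {
    $eku = @(); $ku = $null
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [X509EnhancedKeyUsageExtension]) {
            $eku = @($ext.EnhancedKeyUsages | ForEach-Object Value)
        }
        if ($ext -is [X509KeyUsageExtension]) { $ku = $ext.KeyUsages }
    }
    [pscustomobject]@{
        Subject           = $Cert.Subject
        KeyUsage          = $ku
        EkuOids           = $eku -join ', '
        HasClientAuth     = $eku -contains $ClientAuth
        HasSmartCardLogon = $eku -contains $SmartCardLogon
        HasPrivateKey     = $Cert.HasPrivateKey
    }
}

# Constructed stand-ins for Certificate #1 and Certificate #2 from the post.
$certs = @(
    (New-TestCert 'CN=cert1-constructed' @($ClientAuth)),
    (New-TestCert 'CN=cert2-constructed' @($ClientAuth, $SmartCardLogon))
)
$certs | ForEach-Object { Get-CertUsage $_ } | Format-List
```

To inspect real certificates instead, pipe the objects returned by `Get-ChildItem Cert:\CurrentUser\My` to `Get-CertUsage`.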


