Re: Setting up AD (W2K3) for SmartCard Authentication



The SmartCards can log into one AD Forest, but not another. The two forests
don't trust each other.

Looked at the article on 3rd party CAs, but still no go. The 3rd party
CA's root certificates are in the NTAuthCA store, and the CRLs have been
imported into Certificate manager and placed in the CRL store.

"Brian Komar (MVP)" wrote:

The domain controller certificate will work for smart card authentication.
You need to look at the KB article on enabling smart card auth certs from
3rd party CAs.
http://support.microsoft.com/kb/281245/en-us

Does the certificate contain the user's UPN in the subject alternative name?
Is the CA in the NTAuth store?
Are all CRLs and CA certificates for the 3rd party chain available?

Brian

"Don Jones" <DonJones@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:90ACC56E-F936-4A4B-BF85-272F3DF00DFA@xxxxxxxxxxxxxxxx
Thanks for the response. I have read the articles, have a question.

We have smartcards issued by a third party ca, and have the root-ca's
certificate listed in the places mentioned in the articles. Our
DomainController Certificate is not from the Same CA that issued the
SmartCards Certificates. The Certificate is from our Enterprise CA. We are
currently using the DomainController template, which doesn't list SmartCard
Logon as a property.

Does the DomainController's certificate contain the SmartCard Logon
property? If so, How can I add the SmartCard Logon property to the
DomainController Template or do I need to upgrade to Enterprise Edition?

Don Jones

"Dobromir Todorov" wrote:

Try this if you are looking at a third party (non-Microsoft) CA, or
Microsoft Standalone CA.

http://support.microsoft.com/kb/281245

If you are looking at your own, Microsoft Enterprise CAs, I'd suggest that
you go for a longer read here:
http://technet2.microsoft.com/windowsserver/en/library/40c46d0e-f4a1-4b27-8b45-f09b448130ae1033.mspx?mfr=true

--
---
HTH,
Dobromir

Visit http://www.iamechanics.com

"Don Jones" <DonJones@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:014B2D7A-CDBC-46ED-95B8-E9D22952AEBB@xxxxxxxxxxxxxxxx
Can someone direct me to some articles that explain how to configure AD for
Smart Card Authentication? I've read various articles and they were not clear
as to what is required and how to implement smartcard authentication.

If this isn't the correct group, please let me know what the correct group
would be.

Thanks.

Don Jones
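
The three checks Brian Komar lists above (UPN in the subject alternative name, CA in the NTAuth store, CRLs and CA certificates available), as an added PowerShell example that is not part of the original thread. It assumes an English-locale Windows machine joined to the forest being tested and treats "the CA" as the certificate's direct issuer; the function name and the sample file path are hypothetical.

```powershell
# Added example, not from the thread. Function name and sample path are hypothetical.
function Test-SmartCardLogonCert {
    param([Parameter(Mandatory)][string]$Path)

    # Resolve first: .NET does not follow the PowerShell working directory.
    $file = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file

    # Check 1: user's UPN in the subject alternative name (extension 2.5.29.17).
    # Assumption: English locale, where Windows renders the UPN as "Principal Name=".
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $upn = $null
    if ($san -and $san.Format($true) -match 'Principal Name=(\S+)') { $upn = $Matches[1] }

    # Check 3: every CA certificate and CRL in the chain can be obtained.
    # Online revocation over the entire chain fails if any CRL is unreachable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chainOk = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # Check 2: the CA is in the NTAuth store. Assumption: "the CA" is the direct
    # issuer, i.e. the second element of the chain built above.
    $issuer = $null
    $issuerName = '(issuer certificate not found)'
    if ($chain.ChainElements.Count -gt 1) {
        $issuer = $chain.ChainElements[1].Certificate
        $issuerName = $issuer.Subject
    }
    # Local copy of the enterprise NTAuth store; subkey names are thumbprints.
    $key = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
    $ntAuth = @(Get-ChildItem -Path $key -ErrorAction SilentlyContinue |
                ForEach-Object { $_.PSChildName })
    $inNtAuth = ($null -ne $issuer) -and ($ntAuth -contains $issuer.Thumbprint)

    [pscustomobject]@{
        Subject        = $cert.Subject
        UpnInSan       = $upn
        Issuer         = $issuerName
        IssuerInNTAuth = $inNtAuth
        ChainAndCrlsOk = $chainOk
        ChainStatus    = $status -join ', '
    }
}

# Hypothetical file name for a certificate exported from one of the cards.
Test-SmartCardLogonCert -Path .\user-smartcard.cer | Format-List
```

Running it on a machine in each forest and comparing the output shows which of the three checks differs between them.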




