Re: Single Sign-on authentication using Smart Cards

From: Herb Martin (news_at_LearnQuick.com)
Date: 02/23/05


Date: Wed, 23 Feb 2005 14:18:19 -0600


"bill" <bill@discussions.microsoft.com> wrote in message
news:C373D198-A60B-48BF-9380-10A4BB5ED89C@microsoft.com...
> Hello security group,
>
> As a requirement for work, I've been doing research for work regarding
> Single sign-on Windows authentication using a Smart card. I know that Windows
> 2000/2003 servers have good integration with Smart Cards, however I'm
> wondering what the requirements are for implementing single sign-on site
> wide. Ideally I would like something that integrates with AD, but I know that
> is not necessarily a requirement. I've been tasked with doing a demo on a
> single workstation, is this possible? What software/hardware would I need to
> do this?

You have it already for AD domains.

> Just to clarify what I mean by single sign-on, I'm thinking something that
> can allow a user to simply put in a Smart Card, enter their PIN, and have
> access to the system, including their email profile.

Win2000 and Win2003 domains (and 2000/XP clients)
have this ability built-in -- if there is a smart card reader
on the station it becomes a choice.

> Also, just to add to what I wrote up top, I am currently using Smart Cards,
> however only for signing and encrypting email and viewing secured sites, not
> to log into a Windows domain. Thanks again.

Why don't you just try using (your own) Smart Card to
log on?

Add a reader to your machine and you should see the
choice at logon -- if your card has the required certificate
then it will "just work". (You may have to add a cert to
it if it doesn't have the right type/trust from the domain
CA.)

-- 
Herb Martin
>
> Thank you all in advance.