Re: Single Sign-on authentication using Smart Cards

From: bill (bill_at_discussions.microsoft.com)
Date: 02/23/05


Date: Wed, 23 Feb 2005 12:47:01 -0800

Thanks. I do have the Certs on the card but when I insert it during the logon
screen and enter my PIN this does not log me onto the domain. I guess my real
question is how do you tie in domain logon information with the Smart Card?
Is this done at the CA or do I have to purchase additional middleware?

"Herb Martin" wrote:

> "bill" <bill@discussions.microsoft.com> wrote in message
> news:C373D198-A60B-48BF-9380-10A4BB5ED89C@microsoft.com...
> > Hello security group,
> >
> > As a requirement for work, I've been doing research for work regarding
> > Single sign-on Windows authentication using a Smart card. I know that
> > Windows 2000/2003 servers have good integration with Smart Cards, however
> > I'm wondering what the requirements are for implementing single sign-on
> > site wide. Ideally I would like something that integrates with AD, but I
> > know that is not necessarily a requirement. I've been tasked with doing a
> > demo on a single workstation, is this possible? What software/hardware
> > would I need to do this?
>
> You have it already for AD domains.
>
> > Just to clarify what I mean by single sign-on, I'm thinking something that
> > can allow a user to simply put in a Smart Card, enter their PIN, and have
> > access to the system, including their email profile.
>
> Win2000 and Win2003 domains (and 2000/XP clients)
> have this ability built-in -- if there is a smart card reader
> on the station it becomes a choice.
>
> > Also, just to add to what I wrote up top, I am currently using Smart
> > Cards, however only for signing and encrypting email and viewing secured
> > sites, not to log into a Windows domain. Thanks again.
>
> Why don't you just try using (your own) Smart Card to
> logon.
>
> Add a reader to your machine and you should see the
> choice at logon -- if your card has the required certificate
> then it will "just work". (You may have to add a cert to
> it if it doesn't have the right type/trust from the domain
> CA.)
>
> --
> Herb Martin
>
>
> >
> > Thank you all in advance.
>
>
>


