Re: Single Sign-on authentication using Smart Cards
From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 02/24/05
Date: Wed, 23 Feb 2005 23:16:44 -0600
There is a great chapter in the Windows 2003 Deployment Kit on how to do what
you want. See the link below in Part II on planning a smart card deployment. It
is mostly the same for Windows 2000, though you cannot use type 2 certificate
templates to use autoenrollment for users with a Windows 2000 CA. You probably
have what you need already but the wrong certificate type on your smartcard that
would include the UPN for a domain user for domain logon.
--- Steve
"bill" <bill@discussions.microsoft.com> wrote in message
news:388662CB-CAB3-4F88-8AE0-3C634408D41D@microsoft.com...
> Thanks. I do have the Certs on the card but when I insert it during the logon
> screen and enter my PIN this does not log me onto the domain. I guess my real
> question is how do you tie in domain logon information with the Smart Card?
> Is this done at the CA or do I have to purchase additional middleware?
>
> "Herb Martin" wrote:
>
> > "bill" <bill@discussions.microsoft.com> wrote in message
> > news:C373D198-A60B-48BF-9380-10A4BB5ED89C@microsoft.com...
> > > Hello security group,
> > >
> > > As a requirement for work, I've been doing research for work regarding
> > > Single sign-on Windows authentication using a Smart card. I know that
> > > Windows 2000/2003 servers have good integration with Smart Cards, however
> > > I'm wondering what the requirements are for implementing single sign-on
> > > site wide. Ideally I would like something that integrates with AD, but I
> > > know that is not necessarily a requirement. I've been tasked with doing a
> > > demo on a single workstation, is this possible? What software/hardware
> > > would I need to do this?
> >
> > You have it already for AD domains.
> >
> > > Just to clarify what I mean by single sign-on, I'm thinking something that
> > > can allow a user to simply put in a Smart Card, enter their PIN, and have
> > > access to the system, including their email profile.
> >
> > Win2000 and Win2003 domains (and 2000/XP clients)
> > have this ability built-in -- if there is a smart card reader
> > on the station it becomes a choice.
> >
> > > Also, just to add to what I wrote up top, I am currently using Smart Cards,
> > > however only for signing and encrypting email and viewing secured sites,
> > > not to log into a Windows domain. Thanks again.
> >
> > Why don't you just try using (your own) Smart Card to
> > logon.
> >
> > Add a reader to your machine and you should see the
> > choice at logon -- if your card has the required certificate
> > then it will "just work". (You may have to add a cert to
> > it if it doesn't have the right type/trust from the domain
> > CA.)
> >
> > --
> > Herb Martin
> >
> >
> > >
> > > Thank you all in advance.
> >
> >
> >