Re: Single Sign-on authentication using Smart Cards
From: bill (bill_at_discussions.microsoft.com)
Date: 02/24/05
Date: Thu, 24 Feb 2005 05:23:03 -0800
Steven, I think you're right. I'm using Schlumberger card/reader and ActivCard
Gold 2.1 software. The certs that I see using the ActivCard software show one
for signature, encryption, and identity but I don't see one for logon. Is
this added during the card's creation?
"Steven Umbach" wrote:
> There is a great chapter in the Windows 2003 Deployment Kit on how to do what
> you want. See the link below in Part II on planning a smart card deployment. It
> is mostly the same for Windows 2000 though you can not use type 2 certificate
> templates to use autoenrollment for users with a Windows 2000 CA. You probably
> have what you need already but the wrong certificate type on your smartcard that
> would include the UPN for a domain user for domain logon. --- Steve
>
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dpgDSS_overview.asp
>
> "bill" <bill@discussions.microsoft.com> wrote in message
> news:388662CB-CAB3-4F88-8AE0-3C634408D41D@microsoft.com...
> > Thanks. I do have the Certs on the card but when I insert it during the logon
> > screen and enter my PIN this does not log me onto the domain. I guess my real
> > question is how do you tie in domain logon information with the Smart Card?
> > Is this done at the CA or do I have to purchase additional middleware?
> >
> > "Herb Martin" wrote:
> >
> > > "bill" <bill@discussions.microsoft.com> wrote in message
> > > news:C373D198-A60B-48BF-9380-10A4BB5ED89C@microsoft.com...
> > > > Hello security group,
> > > >
> > > > > As a requirement for work, I've been doing research for work regarding
> > > > > Single sign-on Windows authentication using a Smart card. I know that
> > > > > Windows 2000/2003 servers have good integration with Smart Cards, however
> > > > > I'm wondering what the requirements are for implementing single sign-on
> > > > > site wide. Ideally I would like something that integrates with AD, but I
> > > > > know that is not necessarily a requirement. I've been tasked with doing a
> > > > > demo on a single workstation, is this possible? What software/hardware
> > > > > would I need to do this?
> > >
> > > You have it already for AD domains.
> > >
> > > > Just to clarify what I mean by single sign-on, I'm thinking something that
> > > > can allow a user to simply put in a Smart Card, enter their PIN, and have
> > > > access to the system, including their email profile.
> > >
> > > Win2000 and Win2003 domains (and 2000/XP clients)
> > > have this ability built-in -- if there is a smart card reader
> > > on the station it becomes a choice.
> > >
> > > > > Also, just to add to what I wrote up top, I am currently using Smart
> > > > > Cards, however only for signing and encrypting email and viewing secured
> > > > > sites, not to log into a Windows domain. Thanks again.
> > >
> > > Why don't you just try using (your own) Smart Card to
> > > logon.
> > >
> > > Add a reader to your machine and you should see the
> > > > choice at logon -- if your card has the required certificate
> > > then it will "just work". (You may have to add a cert to
> > > it if it doesn't have the right type/trust from the domain
> > > CA.)
> > >
> > > --
> > > Herb Martin
> > >
> > >
> > > >
> > > > Thank you all in advance.
> > >
> > >
> > >
>
>
>
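
The check the thread is circling around (does any certificate on the card carry a UPN and a logon usage?), as an added example that is not part of the original messages. It assumes the card's certificates are visible in Cert:\CurrentUser\My and tests only the UPN and the Smart Card Logon / Client Authentication usages; trust in the issuing CA by the domain is not checked. Get-LogonCertReport is a name made up for this example.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example (not from the thread). Assumes the card's certificates are
# visible in Cert:\CurrentUser\My, e.g. registered there by the card middleware.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'       # Client Authentication
$EkuExtensionOid   = '2.5.29.37'               # Enhanced Key Usage extension

function Get-LogonCertReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [X509Certificate2]$Cert
    )
    process {
        # Collect the EKU OIDs; a certificate without the extension lists none.
        $ekus = @()
        $ext = $Cert.Extensions[$EkuExtensionOid] -as [X509EnhancedKeyUsageExtension]
        if ($ext) { $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # The UPN sits in Subject Alternative Name as an otherName entry;
        # GetNameInfo returns an empty string when it is absent.
        $upn = $Cert.GetNameInfo([X509NameType]::UpnName, $false)

        $now      = Get-Date
        $inPeriod = ($now -ge $Cert.NotBefore) -and ($now -le $Cert.NotAfter)
        $hasLogon = $ekus -contains $SmartCardLogonEku

        [pscustomobject]@{
            Subject        = $Cert.Subject
            Issuer         = $Cert.Issuer
            Upn            = $upn
            HasLogonEku    = $hasLogon
            HasClientAuth  = $ekus -contains $ClientAuthEku
            InValidity     = $inPeriod
            # Candidate for domain logon: UPN present, logon EKU present, not expired.
            LogonCandidate = [bool]$upn -and $hasLogon -and $inPeriod
        }
    }
}

# Report on every certificate in the current user's personal store.
Get-ChildItem Cert:\CurrentUser\My | Get-LogonCertReport | Format-Table -AutoSize
```

Signature, encryption and identity certificates issued only for e-mail typically show an empty Upn and HasLogonEku = False here, which matches the symptom described at the top of this message.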