Re: Single Sign-on authentication using Smart Cards

From: Herb Martin (news_at_LearnQuick.com)
Date: 02/25/05


Date: Fri, 25 Feb 2005 10:57:12 -0600


"bill" <bill@discussions.microsoft.com> wrote in message
news:2B583768-96D0-44B8-98E6-7431D313F72F@microsoft.com...
> OK, I think I know what we need now to complete the smart card logon project
> but I have a question about a Microsoft Technet article.
>
> In article Q281245, (Guidelines for Enabling Smart Card Logon with Third
> party CA's), the first line in the requirements section says:
>
> "Required: Active Directory must have the third-party issuing CA in the
> NTAuth store to authenticate users to active directory."

For AD (the DCs) to trust that the user's cert is properly
issued it must "know" the issuing CA -- since a 3rd
party CA's cert is not automatically in the AD store
(NTAuth) you must add that Cert.

This is very similar to visiting a web site for SSL:
to trust the cert of the Web server your browser must
have the TRUST Certificate for the issuing server in
its store.

Or at least a parent CA for that issuing CA (you can
trust a subordinate CA by trusting the parent in many
cases.)

> What exactly does this mean? Does it mean that a copy of the Third-party CA
> must be installed in the NTAuth store or some kind of connection must be made
> with the third-party?

No, not necessarily*. It means the trust CERT must
be obtained and loaded into that store.

*It should be set up so that the CRL (certificate revocation
list) is readily available (online or periodically obtained).

-- 
Herb Martin
>
> "Paul Adare" wrote:
>
> > In article <7131E925-F0C2-4ADE-BC1F-2AF397CDDA48@microsoft.com>, in the
> > microsoft.public.win2000.security news group, =?Utf-8?B?YmlsbA==?=
> > <bill@discussions.microsoft.com> says...
> >
> > > The certs that I see using the ActivCard software show one
> > > for signature, encryption, and identity but I don't see one for logon. Is
> > > this added during the card's creation?
> > >
> >
> > No, it is added during the certificate request process. All of your
> > questions can be answered by reading the information at the links
> > provided to you by Steven.
> >
> > -- 
> > Paul Adare
> > "On two occasions, I have been asked [by members of Parliament],
> > 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> > will the right answers come out?' I am not able to rightly apprehend
> > the kind of confusion of ideas that could provoke such a question."
> > -- Charles Babbage (1791-1871)
> >
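An added example (not code from this thread, Microsoft or ActivCard) that turns the two answers above into checks an AD admin can run: is the third-party issuing CA present in the forest's NTAuthCertificates object, does the user's smart card cert chain to it with online revocation checking (Herb's CRL point), and does it carry the Smart Card Logon EKU that Paul says is added at request time. The two file paths are placeholders, and publishing assumes Enterprise Admin rights on a domain-joined machine.

```powershell
# Added example, not from the thread. Checks a third-party issuing CA against
# the AD NTAuth store, optionally publishes it, then validates a user's smart
# card certificate (chain + CRL + Smart Card Logon EKU).
param(
    [string]$IssuingCaCert = 'C:\certs\ThirdPartyIssuingCA.cer',  # placeholder path
    [string]$UserCert      = 'C:\certs\smartcard-user.cer',       # placeholder path
    [switch]$Publish                                              # write to AD only when asked
)
$ErrorActionPreference = 'Stop'
$X509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$ca   = New-Object $X509 $IssuingCaCert

# 1. Read the NTAuthCertificates object from the forest configuration partition.
#    Its multi-valued cACertificate attribute holds the DER certs DCs accept as issuers.
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$ntauthDN  = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$ntauth    = [ADSI]"LDAP://$ntauthDN"
$published = @(foreach ($der in $ntauth.Properties['cACertificate']) {
    New-Object $X509 -ArgumentList (,[byte[]]$der)
})
$inNTAuth = $published.Thumbprint -contains $ca.Thumbprint
Write-Host "Issuing CA '$($ca.Subject)' present in NTAuth: $inNTAuth"

# 2. Publish the issuing CA cert to NTAuth if missing. DCs and clients pick it up
#    on their next policy/autoenrollment refresh, so this is not instantaneous.
if (-not $inNTAuth -and $Publish) {
    certutil -dspublish -f $IssuingCaCert NTAuthCA
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed (exit $LASTEXITCODE)" }
}

# 3. Build the user's chain with online revocation checking for every cert in it.
#    A CRL that cannot be fetched shows up here as RevocationStatusUnknown/OfflineRevocation.
$user  = New-Object $X509 $UserCert
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chainOk = $chain.Build($user)
foreach ($s in $chain.ChainStatus) {
    Write-Warning "$($s.Status): $($s.StatusInformation.Trim())"
}

# 4. Smart card logon needs the Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2)
#    in the Enhanced Key Usage extension (OID 2.5.29.37).
$eku     = $user.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
$hasSCL  = $ekuOids -contains '1.3.6.1.4.1.311.20.2.2'
Write-Host "Chain builds with revocation checking: $chainOk"
Write-Host "Smart Card Logon EKU present: $hasSCL"
```

Run it without -Publish first; all three lines should read True before you expect smart card logon to succeed against the DCs.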