Re: Smart card enrollment issues
- From: "John Bothner" <john.bothner@xxxxxxxxxxx>
- Date: Mon, 5 May 2008 13:51:20 +0200
I think I have the very same problem (your problem 1).
Same platforms:
- Enterprise (domain) root issuing CA - Windows 2008 Enterprise
- Domain Controller: Windows 2008 Enterprise
- Enrollment station - Vista SP1
On the enrollment station: I use the Certificates MMC snap-in, and similarly choose "enroll certificate on behalf of another user". The enrollment agent certificate is asked for and given, just fine. I have duplicated the "smart card logon" template, but that template is not available from the enrollment station. When I check "Show all templates" I see my duplicated template with the error message
"The template is missing a required signature policy attribute. You do not have permission to view this type of certificate."
I have opened all rights (Full Control, this is not a production environment) in the Security tab for the enrollment agents (in the duplicated template).
I have also done as indicated in http://support.microsoft.com/kb/313629.
I have tried both for version 2 (2003) and version 3 (2008) certificate templates with no success.
My reader and card work fine when I test on the enrollment station with the CTRL-ALT-DEL-change-password-other-credentials. I am using the Gemalto .NET v2 cards. So I think the problem is not card or reader related, but with the CA or certificate templates?
Any suggestions are greatly appreciated.
Kind regards,
John Bothner
<verukins@xxxxxxxxx> wrote in message news:e6cca87d-2708-4d9d-a23a-3d7bed0001ad@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi all,
I am trying to enroll some smart cards with the following
setup
Reader - Gemalto PC Twin USB (Old Name = Gempc twin usb)
Cards - Gemalto Classic TPC IS White PVC (Old name = GemSafeXpresso
32K)
CA - Windows 2008 Enterprise Root CA
Enrollment station - Vista SP1
The intent is to use these cards for remote access via TSGateway.
Problem 1 - When trying to create another certificate template by
duplicating the "smart card logon" template, that template is not
available from the enrollment station. I have modified the issuance
requirements as per one of the technet articles below, but with no
success.
Problem 2 - When I try to issue from the standard "smart card logon",
I am prompted to insert my smartcard, however the certificate goes
straight into the personal store and does not prompt me for a PIN.
The Gemalto troubleshooting tools seem to indicate that my reader and
smartcard are all good.
I've been looking at the following articles (some of which are geared
towards win 2003)
http://207.46.196.114/windowsserver/en/library/99827b56-216a-475b-a7e9-84c8d4c749de1033.mspx?mfr=true
http://technet2.microsoft.com/windowsserver/en/library/5229033e-232b-4f91-9f86-0cbbd7cfc5a81033.mspx?mfr=true
http://support.microsoft.com/kb/313629
http://support.microsoft.com/kb/922706
Can anyone assist ?