Certificate attributes for Smart Card Logon
- From: "Aumy" <nospam@xxxxxxxxxxxx>
- Date: Tue, 13 Jan 2009 09:31:12 +0100
Hi,
I set up smart card logon to my windows 2003 domain for XP clients. I use a
AD-integrated Microsoft Enterprise CA 2003 as issuing CA. My domain
controllers each already have their own certificates.
Question: the default certificate templates "smartcard logon" and "smartcard
user" both have the key usage settings "digital signature" and "allow key
exchange only with key encryption (key encipherment)" set. However, the
knowledge base article
http://support.microsoft.com/default.aspx?scid=kb;en-us;281245 explains that
smart card certificates only need the "digital signature" key usage
attribute. But further down, the article also says that "...Smartcard logon
certificates must have a Key Exchange(AT_KEYEXCHANGE) private key type...".
However, I tested both with and without "allow key exchange only with key
encryption (key encipherment)" set and both types of certificates work for
smart card logon!
So is there anybody out there who can tell me if smart card logon
certificates necessarily need the "key encipherment" attribute?
Thanks,
Chris
PS: we intend to use the same certificate for S/MIME signing (but not
encryption). So if "key encipherment" is set, this certificates can
unfortunately also be used for S/MIME encryption. So it would be nice if
smart card logon reliably works without the "key encipherment" attribute...
.
- Follow-Ups:
- Re: Certificate attributes for Smart Card Logon
- From: Brian Komar \(MVP\)
- Re: Certificate attributes for Smart Card Logon
- Prev by Date: Re: Default file/folder security permissions for a new user
- Next by Date: Re: Default file/folder security permissions for a new user
- Previous by thread: Default file/folder security permissions for a new user
- Next by thread: Re: Certificate attributes for Smart Card Logon
- Index(es):
Relevant Pages
|
