Single Smart Card - Multiple Forests
We have an interesting challenge involving smart cards and we're looking for a good solution.

We have multiple Windows 2003 forests that are air-gapped (i.e. no physical connectivity to each other or to the Internet) for regulatory reasons. The clients are all Windows XP. We are beginning to roll out a smart card solution across the corporation. The holy grail would be to have a single certificate on a card and be able to use that one certificate to log on to all of the networks.

We know we could get this working with each network having its own Certificate Authority and either separate cards for each network or one card and install middleware (HID, Gemalto, etc.) onto each client that can read and select from multiple certificates on one card.

This is as far as we've gotten:

1. Had a CA from network 1 issue a certificate which we loaded onto a card.
2. Successfully used that certificate in network 1 to log on.
3. Added network 1's CA to the Enterprise NTAuth store on the domain controller on network 2.
4. Put the user's certificate in the user's personal store on network 2.
5. Attempted to log on and received this error: "The system could not log you on. Your credentials could not be verified."

Best I can figure out is that since the UPNs from network 1 and network 2 are different, the certificate is not being properly associated with a specific user account. As a matter of fact, when I try to authenticate to network 2, I'll see an entry in the security log that indicates "EMAIL REMOVED" was trying to log on.

Has anyone tried anything like this? Should we just drop back and punt by having different Enterprise CAs in the labs? Any help would be appreciated.

Jeremy
October 6th, 2009 12:22am
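The post's diagnosis is that the UPN carried in the certificate does not match any account in the second forest, and that the issuing CA must be trusted in that forest's NTAuth store. The following PowerShell script is an added diagnostic example, not part of the original post or any vendor tool: it reads the UPN from the certificate's Subject Alternative Name, looks for an account with that userPrincipalName in the forest the script is run in (via ADSI, so it does not need the newer Active Directory module), and then lists the Enterprise NTAuth store with the built-in certutil. The certificate file path and the sample UPN values are assumptions for illustration.

```powershell
# Added example (not from the original post): check whether the UPN in a smart card
# logon certificate resolves to an account in the current forest, and show NTAuth.
param(
    # Path to the exported user certificate (assumed; replace with the real .cer file)
    [Parameter(Mandatory = $true)][string]$CertPath
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Smart card logon uses the UPN stored in the Subject Alternative Name extension (OID 2.5.29.17)
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) { throw "Certificate has no Subject Alternative Name extension" }

# Format($false) renders the SAN on one line, e.g. "Other Name:Principal Name=user@forest1.example"
$sanText = $san.Format($false)
$upn = $null
if ($sanText -match 'Principal Name=([^\s,]+)') { $upn = $Matches[1] }
if (-not $upn) { throw "No UPN found in SAN: $sanText" }
Write-Host "Certificate UPN: $upn"

# Look the UPN up in the forest this machine is joined to (ADSI works against Windows 2003 DCs)
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=user)(userPrincipalName=$upn))"
$searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
$result = $searcher.FindOne()
if ($result) {
    Write-Host "Matched account: $($result.Properties['distinguishedname'])"
} else {
    Write-Warning "No account in this forest has userPrincipalName '$upn'; implicit UPN mapping cannot succeed here."
}

# Confirm the issuing CA really is in the Enterprise NTAuth store (built-in certutil, console listing)
Write-Host "Issuer: $($cert.Issuer)"
certutil -store -enterprise NTAuth
```

Run it on a domain-joined client or domain controller in the forest where logon fails. If the UPN lookup returns nothing, the "credentials could not be verified" symptom in the post is explained: the domain controller mapped the certificate by UPN and found no account. Active Directory also supports explicit mapping of a certificate to an account through the account's altSecurityIdentities attribute (the "Name Mappings" option in Active Directory Users and Computers), which is the mechanism designed for binding a certificate whose UPN belongs to another forest, but that is an alternative the post does not test.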
