I have been reading various whitepapers on how to set up smart card enrollment via online web enroller but I have ran into a roadblock that I cannot figure out. I have set up a Windows Server 2008 Enterprise server as a Enterprise Root CA. I have also installed the web enrollment role and verified that is working as I can get to the pages and request certificates. I have also installed the following certificates on the server: enrollment agent, enrollment agent (computer) and smarcard logon. But when I go to http://<server_name>/CertSrv, request certificate, advanced I do not see the option to "Request a certificate for a smart card on behalf of another user...". I am wondering if I have missed a few steps to get this to work. Can an Enterprise root CA be on the same server as an enrollment agent? If you need more information let me know but I am just confused at this point.Any help would be appreciated!Troy

At first you need to enroll 'Enrollment Agent' certificate that will be used for request signing.http://www.sysadmins.lv

ScrdEnrll.dll was depracated after Windows 2003.To enroll a smart card, as Vadims has mentioned, you first need an enrollment agent certifcate.You then need either a Windows Vista/Windows 2008 or Windows 7/Windows 2008 R2 client computer.The functionality has been moved to the Certificates MMC focused on the current user.You need to perform an Enroll on Behalf of operation from Advanced OperationsBrian

Hi,How's everything going? We've not heard back from you in a few days and wanted to check if the suggestion has helped. If you need any further assistance, please do not hesistate to respond back.This posting is provided "AS IS" with no warranties, and confers no rights.

I just got everything up and running a few days ago and have been testing successfully so far. Thanks for the help. Troy

Thanks for your update, Troy. Have a nice day.This posting is provided "AS IS" with no warranties, and confers no rights.

hi i am also doing the same thing, i have followed the steps given above and could get smart card logon certificate in MMC on behalf of three users. please tell me how to write them to the smart card? the process did not ask me to insert a smart card into the reader, though the reader is attached with the machine. i am using windows 2008 machine as a client. muki

thanx Paul for your response. does it mean my smart card provider has to give me a CSP that i need to install on my machine before doing this exercise? i am using GemPlus (GemAlto) smart card and i don't have a CSP from company. can i download it from their website or do i have to get it from the company exclusively? muki

You have to *purchase* the software. Whether you get it from the company or purchase it from Gemalto does not matter Brian

thanx for your help. is there any opensource or freeware software that can work here? i am a university student and doing it as my final project.

Not that I'm aware of no, and Gemplus cards are ancient. Gemplus merged with Axalto back in 2006. You could try contacting Gemalto and explaining your situation. The other option is to buy a Gemalto .NET Base CSP card. The Microsoft Base CSP ships with Windows Vista and above and is available from Windows Update for XP systems. Paul Adare CTO IdentIT Inc. ILM MVP