Smart Cards in Windows 2008 - Getting started
Hi guys, I am brand new to working with smart cards and would like to implement them in my test network; however the literature I have at my disposal only has a tiny paragraph about this topic (Configuring Windows Server 2008 Active Directory - Page 757). Is there any place I can find detailed instructions on how to set this up from scratch? I am also going to need to source cards and card readers. Are all cards and card readers generally the same? Do they tend to require their own drivers or is all that autodetected using USB? Any help would be much appreciated!
July 13th, 2010 5:33pm

Hello. First, you need to define your requirements. For example, do you want to use the smart cards for more than network logon? Or digital signing only? Is your business required to use a Shared Service Provider or can you stand up your own PKI? How do you want to set up your Certificate Authorities? Do you want to use OCSP devices? There are some really good books that can describe much of what is needed, but you first need to define what you want to accomplish. There is a Microsoft Press book written by Brian Komar which I think is something like Microsoft Windows 2003 Public Key Infrastructure. That book will surely provide the basics needed to get you going from scratch. Hopefully that helps some. MagikD
July 13th, 2010 7:25pm

Hi, In addition to MagikD's information, the following guides could be helpful for your work: http://technet.microsoft.com/en-us/library/dd277362.aspx http://technet.microsoft.com/en-us/library/ee706526(WS.10).aspx http://technet.microsoft.com/en-us/library/cc776850(WS.10).aspx This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 14th, 2010 5:17am

Thanks for the links. I see that there's a 'what's new in 2008' link, but it would be great if there was an actual step by step implementation guide like the one for 2003. I guess I'll just have to work through the 2003 guide and hopefully the interface hasn't changed too much. Thanks.
July 15th, 2010 7:43pm

Hi, I am afraid that there is no step by step guide for Windows Server 2008; however, most of the steps in the article for Windows Server 2003 should apply to Windows Server 2008. If there is anything unclear, please do not hesitate to respond back. This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 16th, 2010 10:32am

Hi guys, I am having a bit of a strange issue. I have installed a CA on my test domain and created a template for smart cards. I have obtained a keyboard with a built in card reader. I understand from my research that card readers are also card writers (generally). The keyboard I am using is: HP - Model no. KUSO133. The card I am trying to use is a: Sun Microsystems 370-4328-03. I believe I have installed the drivers correctly because when I insert the card the reader reads it, however I get the error: "The card supplied requires drivers that are not present on this system. Please try another card". This appears to be an issue that is specific to the card, not the reader. Does anyone know how I can resolve this issue? I have checked this on Windows 7 64 and Windows XP, it does not work on either.
July 20th, 2010 9:11pm

On Tue, 20 Jul 2010 18:11:09 +0000, dbutch1976 wrote:
> Hi guys, I am having a bit of a strange issue. [...] This appears to be an issue that is specific to the card, not the reader. Does anyone know how I can resolve this issue? I have checked this on Windows 7 64 and Windows XP, it does not work on either.
You're going to have to get drivers and middleware for the card from Sun. Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
July 20th, 2010 9:23pm

> You're going to have to get drivers and middleware for the card from Sun.
Ahh, OK. Just to confirm, this is NOT a keyboard driver issue? I have installed the most recent driver for my keyboard which I located on the HP website: http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?swItem=ir-79253-1&lang=en&cc=us&idx=0&mode=4& However finding drivers for the smart card has been much trickier. The cards I was provided are presently being used on Sun Ray terminals. I don't know if such a driver exists for Windows boxes. Can I test this with another card? In other words, is there another type of card that should definitely have no compatibility issues?
July 20th, 2010 9:36pm

OK, I'm making some progress now. I could not get the Sun card to read and finally I just gave up. Instead I have a Gemalto card which was also giving me the same error message until I installed Microsoft Base Smart Card Cryptographic Service Provider Package: x86 (KB909520) from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=e8095fd5-c7e5-4bee-9577-2ea6b45b41c6&displaylang=en Now I am able to read the Gemalto card however I don't seem to be able to install a certificate on the card. I am working from these instructions: http://technet.microsoft.com/en-us/library/dd277383.aspx Each screenshot in the instructions seems to be slightly different from mine. I am able to select a smartcard logon and I get to the screen where I am able to submit. If I select Microsoft Base Smart Card Cryptographic Service Provider and submit, it prompts me to enter a PIN, at which point I get the message: "An error occurred while creating the certificate request. Please verify that your CSP supports settings you have made and that your inputs are valid." My CA is a 2008 box and the template looks nothing like the one in the document: http://technet.microsoft.com/en-us/library/Dd277383.smar0914_big(en-us,TechNet.10).gif I am not able to select a user, there is no place to select an enrollment account. Any thoughts on what I'm doing wrong?
July 22nd, 2010 5:44am

On Thu, 22 Jul 2010 02:44:45 +0000, dbutch1976 wrote:
> [...] I am working from these instructions: http://technet.microsoft.com/en-us/library/dd277383.aspx [...] My CA is a 2008 box and the template looks nothing like the one in the document: http://technet.microsoft.com/en-us/library/Dd277383.smar0914_big(en-us,TechNet.10).gif
Those instructions are for a Windows 2000 CA, not for a Windows 2008 CA.
> I am not able to select a user, there is no place to select an enrollment account. Any thoughts on what I'm doing wrong?
What Certificate template are you using? Have you issued an Enrollment Agent certificate? Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
July 22nd, 2010 11:58am

Hi Paul, I'm aware that the instructions are for a Windows 2000 CA, but Joson mentioned earlier that not very much had changed from 2000 to 2008 so I had hopes the screens would be similar. Here's what I've done so far:

I've granted the domain users group read and enroll permissions on the following templates: Enrollment Agent, Smartcard User, Smartcard Logon.

I have then run through the 'requesting a certificate' instructions. I have created and installed a certificate on a Windows XP laptop using my domain administrator account. This account has full permissions to the template. I install the template locally on the machine. I install it automatically and do not place it in a specific location (do I need to place it somewhere else??).

The next series of steps is titled "Enrolling a certificate on behalf of another user." It's not specified but I assume I need to log in with my privileged account to do this (domain\admin). The target user is a user on my system that has only read/enroll privileges granted through their domain users membership. The user's name is (domain\Tcavella).

In XP I browse to the CA at: http://dc1/certsrv --> request certificate --> advanced certificate request --> Create and submit a certificate request to this CA --> select Smart Card logon from the drop down box --> select Microsoft Base Smart Card Crypto Provider --> accept all other defaults and click submit. I'm then prompted to insert the card and enter a PIN, which I do. After clicking OK I get the error: "An error occurred while creating the certificate request. Please verify that your CSP supports settings you have made and that your inputs are valid."

Here is what I'm missing. After I click advanced request I do not see this option: "Click Request a certificate for a smart card on behalf of another user using the Smart Card Enrollment Station." Neither do I have any of these options: "On the Certificate Template menu, click the Smartcard Logon template. If you configured multiple sub-CAs, point the certificate request to the proper sub-CA. On the Cryptographic Service Provider menu, select the associated service provider, and the user to whom the logon certificate will be issued. In this example, the enrollee candidate is using a smart card and reader associated with GemPlus."

Why do these screens look completely different to what I have? Either the process has changed completely or the laptop is not functioning as an enrollment station because I've missed a step...
July 22nd, 2010 5:30pm

Hi there dbutch, It's hard to tell from the screenshots exactly what's missing, but it may simply be that some of the old mechanisms that were present in the 2000/2003 versions of Certificate Services Web Enrollment Pages are no longer present in 2008/2008 R2. Specifically, enroll on behalf of is no longer supported through the web pages. So if you're following the old directions and they are having you look for that option, that may be why it's not showing up. You'll need to use the MMC to enroll instead. Can you give these steps a try and see if they work any better for you?

Step by Step to get Smartcard working on Windows 2008 / R2
1. Install a Windows 2008 CA
2. Create a user/group in AD to use as Enrollment Agent
3. After installation, open the Certificate Authority Management console on the CA.
4. Right Click on Certificate Templates and select Manage.
5. Change the permissions on the following templates so the account created in step 2 has read and enroll permissions: Enrollment Agent, Smartcard User, Smartcard Logon
6. Publish the above mentioned templates to the CA
7. Log on to the enrollment workstation (below steps assume that the OS is Vista or higher. When using the Windows 2008 Web Enrollment or Windows 2003 Web Pages with update 922706, ROB functionality is not present via web interface)
   - Open Certificate Management Console by running certmgr.msc
   - Select the 'Personal Store'; and from the context menu select All Tasks -> Request New Certificate
   - Select the "Enrollment Agent" template to get a certificate which will later be used for signing.
   - Select "Enroll" to finish the wizard and get a certificate
   - Next, select the "Personal Store" and from the context menu, select All Tasks -> Advanced Operations -> Enroll on behalf of
   - When prompted to select a signing certificate, select the "Enrollment Agent Certificate" enrolled earlier
   - Next, it will show all the available templates, select "Smartcard Logon" or "Smartcard User" based upon the requirement
   - Click on Details for the selected template and then select Properties for the same
   - On the "Private Key" tab, click on "Cryptographic Service Provider" and select the appropriate CSP (If you have a smartcard which works out of the box and doesn't require a middleware CSP, then you can select "Microsoft Base Smart Card Crypto Provider")
   - Select the user for whom you want to enroll the certificate
   - Insert the smartcard in the reader and when prompted, enter the PIN
   - The information would be written to the smart card and you can repeat the same process for another account or close the wizard to complete it.

Note: Microsoft Base CSP update (KB909520) along with any other middleware (CSP) should be installed on the enrollment workstation and on the client machines where the smartcard would be used.

David Beach - Microsoft Online Community Support
July 27th, 2010 4:48pm

Thanks David, these are definitely the most concise steps I've found up to this point. I'll work through your instructions and get back to you if I'm stuck. Thanks for your help.
July 28th, 2010 8:13pm

Hi David, This is probably a very basic question, but when I open the certificate templates MMC on the CA and right-click the cert I don't see a 'publish' option. I only see a 'duplicate' option. How do I publish the certificates to the CA? Duncan.
July 28th, 2010 10:18pm

Hi, To publish the certificate template, please refer to the following steps: Open Certification Authority snap-in on the CA. Select CAName\Certificate Templates in the left pane of the snap-in. Click Action, click New, click Certificate Template to Issue, and then select the certificate templates and click OK. This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 29th, 2010 4:25am
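The prerequisites behind David's step-by-step above (templates published to the CA, the Base CSP or vendor middleware on the enrollment workstation, and an Enrollment Agent certificate in the agent's personal store) and Joson's "Certificate Template to Issue" step can all be checked from PowerShell 2.0, which ships with Windows Server 2008 R2 and is available for 2008. The script below is an added example written for this page; it is not code from the thread or from Microsoft. Assumptions: the CA configuration string `dc1\TestCA` (the thread only names the host dc1, the CA name is made up), the default internal template names, and the output format of `certutil -CATemplates` as noted in the comments. Run the CA part on the CA as an administrator and the rest on the enrollment workstation as the enrollment agent user.

```powershell
# Added example, not from the thread. Prerequisite checks for the enroll-on-behalf-of
# procedure and for the "publish the templates" step. Assumed: CA config string
# "dc1\TestCA" (Machine\CAName) and the default template internal names.

$CaConfig  = 'dc1\TestCA'                                          # assumption
$Templates = 'EnrollmentAgent', 'SmartcardUser', 'SmartcardLogon'  # internal names, not display names
$EnrollmentAgentEku = '1.3.6.1.4.1.311.20.2.1'                     # Certificate Request Agent EKU
$BaseCspName = 'Microsoft Base Smart Card Crypto Provider'

# CA side (step 6): "certutil -SetCATemplates +Name" is the command-line form of
# Certificate Templates -> New -> Certificate Template to Issue. Then read back the
# CA's issuance list and warn about anything still missing.
function Publish-SmartcardTemplates {
    param([string]$Config = $CaConfig, [string[]]$Names = $Templates)
    $plusNames = $Names | ForEach-Object { "+$_" }
    & certutil.exe -config $Config -SetCATemplates @plusNames | Out-Null
    $issued = & certutil.exe -config $Config -CATemplates
    foreach ($n in $Names) {
        # assumption about output format: one "Name: Display name -- ..." line per template
        if ($issued | Select-String -Pattern "^${n}:" -Quiet) { Write-Host "published: $n" }
        else { Write-Warning "NOT published on ${Config}: $n" }
    }
}

# Enrollment workstation side: is the Base CSP registered (KB909520 on XP/2003, inbox on
# Vista and later), and which card types does Windows have a CSP/minidriver for?
# "The card supplied requires drivers that are not present" means the inserted card's ATR
# matches none of the Calais\SmartCards entries: a card-middleware problem, not a reader one.
function Test-SmartcardMiddleware {
    $cspKey = "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\$BaseCspName"
    if (Test-Path $cspKey) { Write-Host "Base CSP registered" }
    else { Write-Warning "Base CSP not registered; install KB909520 or the vendor CSP" }

    $cards = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards' -ErrorAction SilentlyContinue
    foreach ($c in $cards) {
        $atr = ($c.GetValue('ATR') | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
        Write-Host ("known card: {0,-40} ATR {1}" -f $c.PSChildName, $atr)
    }
    # Live reader and card status from the Smart Card Resource Manager
    & certutil.exe -scinfo
}

# Enrollment agent side: the signing certificate chosen in "Enroll on behalf of" must carry
# the Certificate Request Agent EKU and have a usable private key.
function Get-EnrollmentAgentCert {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $EnrollmentAgentEku })
    }
}

Publish-SmartcardTemplates
Test-SmartcardMiddleware
$agent = Get-EnrollmentAgentCert
if ($agent) { $agent | Format-List Subject, NotAfter, Thumbprint }
else { Write-Warning "No Enrollment Agent certificate in CurrentUser\My; request one first" }
```

If `Get-EnrollmentAgentCert` returns nothing, the "Enroll on behalf of" wizard has no signing certificate to offer and the request cannot proceed; if `certutil -scinfo` lists the reader but reports the card as unknown, the fix is card middleware (a minidriver or vendor CSP), not a reader driver.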

Thanks Joson, I believe I've made some progress to the point that I think I've found my issue. I believe it relates to this step which was provided in David's step by step process above: "On the "Private Key" tab, click on "Cryptographic Service Provider" and select the appropriate CSP (If you have a smartcard which works out of the box and doesn't require a middleware CSP, then you can select "Microsoft Base Smart Card Crypto Provider"). Select the user for whom you want to enroll the certificate. Insert the smartcard in the reader and when prompted, enter the PIN." I am using a Gemalto card. I found an article here (http://www.docstoc.com/docs/33039831/Gemalto-NET-20-Smart-Card) which states: "Gemalto .NET smart cards are natively supported in Microsoft Vista. For Windows 2000, XP and Server 2003 they are integrated with Microsoft's Base Smart Card Cryptographic Service Provider (CSP) package, which is available for download via Windows Update. As a result, users do not need to install any proprietary middleware to use the Gemalto .NET card." When I insert my test card I am prompted to enter a PIN. I get the error: "There was an error while validating your PIN: Error code: 0x80100004." Does this simply mean the card I'm using for testing is not blank? Can I not overwrite this card?
August 9th, 2010 6:49pm

That error code (0x80100004) means SCARD_E_INVALID_PARAMETER. There are a few reasons this can happen. Try reinstalling your reader driver. You might also want to double-check your certificate template and make sure that everything is good there. Finally, this can also come up if there's a bad certificate cached for the card in your user profile, so try the operation from a different user profile and see if the behavior changes at all. David Beach - Microsoft Online Community Support
August 10th, 2010 4:04pm

Here's what I've checked:
1. Tried the same Gemalto card with the same enrollment agent but a new user. Same error. This should eliminate a cached certificate.
2. Tried to log in using the Gemalto card - It says no valid certificates exist on the card. This should also ensure that no certificates are cached on the card.
3. This server has been freshly installed with the correct driver. It is having the same issue that the previous server had so I believe this eliminates a driver issue.
4. I've double checked the certificate template and it has been configured correctly.
OK, I'm throwing in the towel with this Gemalto card and I'm going to try to get these SUN smart cards working. I read here (http://technet.microsoft.com/en-us/library/dd277362.aspx) that SUN smart cards should work with Windows certificate services: "Sun Microsystems has published and currently maintains specifications for both Windows for Smart Cards and a "Java Card."" However, each time I insert the SUN smart card into the reader I get: "The card supplied requires drivers that are not present on this system". I have googled the ^%$^@@## out of this term and can find nothing telling me where I can obtain a driver that is compatible with this card even though the technet article above doesn't mention any compatibility issues, nor can I find any Sun smart card discussion forum where I can get support of any kind. Does anyone know where I can find information or drivers on these cards?
August 10th, 2010 4:49pm

I expanded the details of the error I was getting with the Gemalto card and saw these additional details: "The card is being shared by another process. However, the card is not the one being requested, and cannot be used for the current operation." This led me to this KB article: http://support.microsoft.com/default.aspx?scid=kb;en-us;955548&sd=rss&spid=12925 This issue applies to Windows Vista Service Pack 1 (SP1)-based computers or Windows Server 2008-based computers. Since this test environment is composed of a single 2008 DC/cert server I think that could explain some of my problem. I tried to use the fix provided, however the fix only appears to apply to Vista and I get the error "No updates apply to this system."

Moving right along, I grabbed a laptop loaded with XP and joined it to the domain. Why is the process to request a certificate so radically different in XP? Here are the changes: Open MMC --> Add Certificates MMC (user) --> Click Certificates --> Personal --> Right click Certificates. Change #1 - There is no Advanced option here, so I have no choice but to select Request New Certificate. Click Next. Select Smartcard User from the list. Check the advanced box --> Select Microsoft Base Smart Card Crypto Provider --> Prompted for CA, I accept the default --> Prompted for a name for the certificate --> I enter a name. Greeted with a summary screen. Click Finish. Prompted to enter the smartcard --> Prompted to enter a PIN, I enter 0000, click OK and I get "The certificate request failed. One or more of the parameters could not be properly interpreted."

My main question is, why am I not being prompted for the enrollment agent certificate? I have requested the enrollment agent certificate on this machine and received one, I have logged in with the enrollment agent's user account, however I can't find the request on behalf of another user option anywhere!!! How do I enroll on behalf using XP?? This article seems to indicate web enrollment (http://technet.microsoft.com/en-us/library/cc775842(WS.10).aspx) but from what I understand web enrollment for smart cards (enroll on behalf) is not supported by a 2008 Certificate server. So how do I make the request from an XP enrollment station??
August 11th, 2010 6:18pm

I found this article here (http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/7a66ad54-63e4-4ee6-aef7-70e3dfcdfc99); the gist of it says "ScrdEnrll.dll was deprecated after Windows 2003. To enroll a smart card, as Vadims has mentioned, you first need an enrollment agent certificate. You then need either a Windows Vista/Windows 2008 or Windows 7/Windows 2008 R2 client computer." Well isn't that just perfect, there is a known issue (http://support.microsoft.com/default.aspx?scid=kb;en-us;955548&sd=rss&spid=12925) on Vista and 2008 Server which only leaves Windows 7 as a possible client that may work as an enrollment station. I highly doubt this will work either.
August 11th, 2010 6:23pm

Hi Everyone, I've finally got the test environment up and working using the Gemalto card that had been blocked. I was able to unblock the card by using this webpage: https://www.netsolutions.gemalto.com/UnblockPIN.aspx I now have a functioning test environment and would like to make a smart card purchase but I can't find a vendor anywhere in Canada. I am looking for smart cards that can be used with the Windows PKI and hopefully the Windows Base CSP. I'm hoping to find something reasonably priced, but at this point I'm not able to find any vendors at all that are able to answer my questions. For those of you that have set up a smart card environment how did you locate a vendor? Thanks.
September 7th, 2010 5:02pm
