Smart card logon with third-party certification authorities
Hi all,
I want to use smart card logon based on certificates from a third party. There is no CA in my Active Directory environment. I am following these articles:
http://support.microsoft.com/kb/281245
http://social.technet.microsoft.com/wiki/contents/articles/3824.updated-requirements-for-a-windows-server-2008-r2-domain-controller-certificate-from-a-3rd-party-ca.aspx
How should I generate the CSR file for my domain controller?
http://support.microsoft.com/kb/291010
If I use MMC/Certificates and create a "Custom request", there is no option to fill in the Certificate Template Name - DomainController.
"The certificate template must have an extension with the BMP data value "DomainController"."
What's the best way to create a .csr for my domain controller?
September 12th, 2012 8:54am
There is another problem with your scenario. What "third-party" CA do you want to use? Is it a "normal" public SSL/TLS CA?
Are you sure that the public CA will issue the certificate for your domain controller? The domain controller certificate is not a standard "server certificate" as the public CAs usually call it. The certificate is special in that it must contain one of the three things that you already mentioned:
the OID for KDC Authentication (1.3.6.1.5.2.3.5)
the presence of the Template Name DomainController in the certificate (all flavors of MS CAs stamp this on certificates if it is a part of the request)
the OID for SmartcardLogon (1.3.6.1.4.1.311.20.2.2)
The requirements mean that the CA would have to include either the KDC Authentication or the SmartCardLogon OID in the Enhanced Key Usage of the issued certificate. I doubt that a public CA would add the CertificateTemplate extension at all.
Although you can create a request that contains the SmartCardLogon or KDCAuthentication OIDs and submit such a request to the authority, I doubt any public CA that issues standard SSL/TLS web server certificates would include them anyway. Public CAs just take the request, ignore everything except the public key, and create a certificate with whatever fields they want themselves (Server Authentication and Client Authentication usually).
So unless you are first sure that they issue certificates with the SmartCardLogon and/or KDCAuthentication OIDs, you should consider your internal CA instead.
ondrej.
September 12th, 2012 12:55pm
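As an added example (this is not part of the original thread and not Microsoft's or the poster's own script), the following PowerShell wraps certreq.exe to build a PKCS#10 request for a domain controller that asks for the Server Authentication, Client Authentication, KDC Authentication and Smart Card Logon EKU OIDs named above plus a SAN with the DC and domain DNS names, and then, once the partner CA returns the signed certificate, checks which of the three markers (KDC Authentication EKU, Smart Card Logon EKU, or the Certificate Template Name extension 1.3.6.1.4.1.311.20.2) actually survived issuance. The DC name dc01.corp.example.com, the domain corp.example.com and the C:\pki file paths are assumptions; whether the issuing CA preserves the requested extensions is up to that CA's policy, which is exactly why the check at the end matters.

```powershell
# Added example, not from the original thread. Assumed names: DC dc01.corp.example.com
# in domain corp.example.com, working files under C:\pki. Run elevated on the DC so the
# key lands in the machine key store.
$DcFqdn    = 'dc01.corp.example.com'
$DomainDns = 'corp.example.com'
$Work      = 'C:\pki'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# certreq INF: machine key, non-exportable, RSA 2048, SHA-256 PKCS#10 request.
# KeyUsage 0xA0 = Digital Signature + Key Encipherment.
# The EKU section carries the OIDs a KDC looks for; the SAN carries DC FQDN and domain.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$DcFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = sha256
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
OID = 1.3.6.1.5.2.3.5
OID = 1.3.6.1.4.1.311.20.2.2

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$DcFqdn&"
_continue_ = "dns=$DomainDns&"
"@
Set-Content -Path "$Work\dc01.inf" -Value $inf -Encoding ASCII

# Generate the key pair and the CSR to hand to the partner CA.
certreq.exe -new "$Work\dc01.inf" "$Work\dc01.csr"

# ---- after the partner CA returns C:\pki\dc01.cer (assumed path) ----
if (Test-Path "$Work\dc01.cer") {
    # Bind the issued certificate to the pending machine key and install it in LocalMachine\My.
    certreq.exe -accept "$Work\dc01.cer"

    # Inspect what the CA actually put into the certificate.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$Work\dc01.cer"
    $ekuExt  = $cert.Extensions['2.5.29.37']          # Enhanced Key Usage
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    $hasKdcAuth  = $ekuOids -contains '1.3.6.1.5.2.3.5'
    $hasSmartCard = $ekuOids -contains '1.3.6.1.4.1.311.20.2.2'
    $hasTemplate  = $null -ne $cert.Extensions['1.3.6.1.4.1.311.20.2']   # Certificate Template Name

    [pscustomobject]@{
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        KdcAuthentication = $hasKdcAuth
        SmartCardLogon    = $hasSmartCard
        TemplateNameExt   = $hasTemplate
        UsableForSCLogon  = ($hasKdcAuth -or $hasSmartCard -or $hasTemplate)
    } | Format-List

    # Chain and revocation check with CRL/AIA fetching; the KDC will not use a
    # certificate it cannot revocation-check.
    certutil.exe -verify -urlfetch "$Work\dc01.cer"
}
```

The SAN and EKU sections are requests, not guarantees: an issuing CA can drop or rewrite either, so the report printed after `-accept` is what tells you whether the certificate the partner CA produced meets one of the three conditions from the post, and `certutil -verify -urlfetch` tells you whether the DC can actually reach the partner's CRL and AIA locations.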
Hi Ondrej :)
The third-party CA is our foreign partner company. They have already built up their own MS CA (and sub CA) and it is trusted by our domain (but the domains are not trusted). The "problem" is that they can't publish a certificate for our DC online, so I have to send them a CSR.
the OID for KDC Authentication (1.3.6.1.5.2.3.5)
the presence of the Template Name DomainController in the certificate (all flavors of MS CAs stamp this on certificates if it is a part of the request)
the OID for SmartcardLogon (1.3.6.1.4.1.311.20.2.2)
If one of these is present in the certificate, the KDC will consider it potentially usable as a DC certificate capable of servicing smartcard logons (if it also passes revocation checks).
So if I have KDC Authentication included in the DC certificate, do no other conditions (Template name or SmartcardLogon) have to be met?
September 12th, 2012 1:23pm
Thanks Ondrej.
First I will try to generate the .CSR file without the Certificate template name.
Your B) solution also looks friendly. That would be the second try.
I'll let you know.
Tomas
September 13th, 2012 3:01am
If you would rather speak Czech, my email is ondrej at sevecek dot com
o.
September 13th, 2012 4:56am
Hi Tomas,
As this thread has been quiet for a while, we will mark it as Answered as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
Best Regards
Kevin
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
September 16th, 2012 11:33pm