Smartcard for Login
In my experience, the various client-side software elements, which extend/integrate the physical card/token with Windows Logon, also include other elements like an enrolment station (for saving certs to the card/token), and the needed middleware/driver components.
These are all provided as part of the solution from the card/token vendor.
MS provides a framework, but the card/token vendor has to supply the card reader drivers, management software, etc.
I recommend you look for white papers etc on the card/token vendor sites. Many vendors have demo/trial kits available.
(we use a solution that leverages our own internal AD-based PKI, we don't need/use external PKI for our SSO)
Don
February 11th, 2012 6:12am
Hello,
See this article about Guidelines for enabling smart card logon with third-party certification authorities: http://support.microsoft.com/kb/281245
Also, see that: http://blogs.technet.com/b/ad/archive/2006/11/13/smartcard-logon-considerations-or-how-i-learned-to-love-authentication-with-smartcards.aspx
More if you ask them here: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
So, I can't use a Self-signed cert then? I have to buy one from a CA, correct?
Owner, Quilnet Solutions
February 11th, 2012 9:10am
In my experience, the various client-side software elements, which extend/integrate the physical card/token with Windows Logon, also include other elements like an enrolment station (for saving certs to the card/token), and the needed middleware/driver components.
These are all provided as part of the solution from the card/token vendor.
MS provides a framework, but the card/token vendor has to supply the card reader drivers, management software, etc.
I recommend you look for white papers etc on the card/token vendor sites. Many vendors have demo/trial kits available.
(we use a solution that leverages our own internal AD-based PKI, we don't need/use external PKI for our SSO)
Don
So, the software that came with the unit would generate a cert for me?
Owner, Quilnet Solutions
February 11th, 2012 9:11am
So, the software that came with the unit would generate a cert for me?
Owner, Quilnet Solutions
for a trial/demo, yes.
for a production authentication solution, you would want a proper authentication/identity solution that utilises a central store.
Don
February 11th, 2012 5:22pm
So, the software that came with the unit would generate a cert for me?
Owner, Quilnet Solutions
for a trial/demo, yes.
for a production authentication solution, you would want a proper authentication/identity solution that utilises a central store.
Don
So this swings me back around to my intermediate question, will a cert created from the Windows Server CA role work, or must it be from an internet-trusted CA?
Owner, Quilnet Solutions
February 11th, 2012 7:06pm
Is there any information on how to set up a smartcard for use with domain account authentication under a Windows 7 client using Windows Server 2008 R2? I'm not looking for information on the smartcard itself, just on what will need to be configured in Windows and what needs to be installed.
Also, can a self-signed PKI cert be used (or Windows Server CA role), or do I have to get one from an authorized CA somewhere on the internet?
Owner, Quilnet Solutions
February 11th, 2012 8:40pm
we use a solution that leverages our own internal AD-based PKI, we don't need/use external PKI for our SSO, SC, VPN
Don
February 11th, 2012 8:54pm
This article may help:
http://support.microsoft.com/kb/281245
In ADUC, on the "Account" tab of user properties you can select "Smartcard is required for interactive logon" (you need to scroll down the list).
Richard Mueller - MVP Directory Services
February 11th, 2012 9:38pm
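An added example, not part of the original thread: the ADUC checkbox mentioned above is exposed as the `SmartcardLogonRequired` property in the ActiveDirectory PowerShell module. This script lists enabled accounts in one OU that can still log on with a password and previews enforcing the flag; the OU path is a placeholder assumption.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: placeholder OU; replace with the container that holds your smart card users.
$SearchBase = 'OU=Staff,DC=example,DC=com'

# Enabled accounts that do not yet require a smart card for interactive logon.
$pending = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties SmartcardLogonRequired |
    Where-Object { -not $_.SmartcardLogonRequired }

# Report first, so the list can be reviewed (service accounts usually must be excluded).
$pending | Sort-Object SamAccountName |
    Select-Object SamAccountName, UserPrincipalName, DistinguishedName |
    Format-Table -AutoSize

# Preview the change only. Remove -WhatIf once each listed user has a working,
# enrolled card, because the account can no longer log on interactively without one.
foreach ($user in $pending) {
    Set-ADUser -Identity $user -SmartcardLogonRequired $true -WhatIf
}
```

Setting the flag also replaces the account's password with a random value, so anything that still authenticates with the old password for that account will stop working.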
In my experience, the various client-side software elements, which extend/integrate the physical card/token with Windows Logon, also include other elements like an enrolment station (for saving certs to the card/token), and the needed middleware/driver components.
These are all provided as part of the solution from the card/token vendor.
MS provides a framework, but the card/token vendor has to supply the card reader drivers, management software, etc.
I recommend you look for white papers etc on the card/token vendor sites. Many vendors have demo/trial kits available.
(we use a solution that leverages our own internal AD-based PKI, we don't need/use external PKI for our SSO)
Don
February 11th, 2012 10:14pm
Hi Quilnux,
You might also want to create a new post in Security forums if you have further queries.
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
Vote As Helpful, if you find my information useful! This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
February 12th, 2012 2:40am
Hello,
See this article about Guidelines for enabling smart card logon with third-party certification authorities: http://support.microsoft.com/kb/281245
Also, see that: http://blogs.technet.com/b/ad/archive/2006/11/13/smartcard-logon-considerations-or-how-i-learned-to-love-authentication-with-smartcards.aspx
More if you ask them here: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
February 12th, 2012 4:47am
Hi Quilnux,
You might also want to create a new post in Security forums if you have further queries.
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
Vote As Helpful, if you find my information useful! This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
I think I get the picture now. I'll start a new thread over there if I get stuck.
Thanks guys!
Owner, Quilnet Solutions
February 14th, 2012 2:25pm