Smartcard for Login
In my experience, the various client-side software elements, which extend/integrate the physical card/token with Windows Logon, also include other elements like an enrolment station (for saving certs to the card/token), and the needed middleware/driver components. These are all provided as part of the solution from the card/token vendor. MS provides a framework, but the card/token vendor has to supply the card reader drivers, management software, etc. I recommend you look for white papers etc on the card/token vendor sites. Many vendors have demo/trial kits available. (we use a solution that leverages our own internal AD-based PKI, we don't need/use external PKI for our SSO)
Don
February 11th, 2012 6:12am

> Hello, See this article about Guidelines for enabling smart card logon with third-party certification authorities: http://support.microsoft.com/kb/281245
> Also, see that: http://blogs.technet.com/b/ad/archive/2006/11/13/smartcard-logon-considerations-or-how-i-learned-to-love-authentication-with-smartcards.aspx
> More if you ask them here: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
So, I can't use a Self-signed cert then? I have to buy one from a CA, correct?
Owner, Quilnet Solutions
February 11th, 2012 9:10am

> In my experience, the various client-side software elements, which extend/integrate the physical card/token with Windows Logon, also include other elements like an enrolment station (for saving certs to the card/token), and the needed middleware/driver components. These are all provided as part of the solution from the card/token vendor. MS provides a framework, but the card/token vendor has to supply the card reader drivers, management software, etc. I recommend you look for white papers etc on the card/token vendor sites. Many vendors have demo/trial kits available. (we use a solution that leverages our own internal AD-based PKI, we don't need/use external PKI for our SSO)
> Don
So, the software that came with the unit would generate a cert for me?
Owner, Quilnet Solutions
February 11th, 2012 9:11am

> So, the software that came with the unit would generate a cert for me?
> Owner, Quilnet Solutions
For a trial/demo, yes. For a production authentication solution, you would want a proper authentication/identity solution that utilises a central store.
Don
February 11th, 2012 5:22pm

> > So, the software that came with the unit would generate a cert for me?
> > Owner, Quilnet Solutions
> For a trial/demo, yes. For a production authentication solution, you would want a proper authentication/identity solution that utilises a central store.
> Don
So this swings me back around to my intermediate question: will a cert created from the Windows Server CA role work, or must it be from an internet-trusted CA?
Owner, Quilnet Solutions
February 11th, 2012 7:06pm

Is there any information on how to set up a smartcard for use with domain account authentication under a Windows 7 client using Windows Server 2008 R2? I'm not looking for information on the smartcard itself, just on what will need to be configured in Windows and what needs to be installed. Also, can a self-signed PKI cert be used (or Windows Server CA role), or do I have to get one from an authorized CA somewhere on the internet?
Owner, Quilnet Solutions
February 11th, 2012 8:40pm

We use a solution that leverages our own internal AD-based PKI, we don't need/use external PKI for our SSO, SC, VPN
Don
February 11th, 2012 8:54pm

This article may help: http://support.microsoft.com/kb/281245
In ADUC, on the "Account" tab of user properties you can select "Smartcard is required for interactive logon" (you need to scroll down the list).
Richard Mueller - MVP Directory Services
February 11th, 2012 9:38pm
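
The ADUC checkbox mentioned in the post above corresponds to the SMARTCARD_REQUIRED bit (0x40000) of userAccountControl. The PowerShell below is an added example, not part of any post in this thread: it lists accounts that do not yet have the flag and previews setting it, assuming the RSAT ActiveDirectory module is installed. The OU path is a hypothetical placeholder.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Hypothetical OU; replace with the container that holds your smart card users.
$SearchBase = 'OU=Staff,DC=example,DC=com'

# userAccountControl bit 0x40000 (262144) = SMARTCARD_REQUIRED, the flag behind
# the ADUC checkbox. The LDAP bitwise-AND matching rule finds accounts where it
# is NOT set, i.e. accounts that can still log on interactively with a password.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=262144)))'

$pending = Get-ADUser -SearchBase $SearchBase -LDAPFilter $filter `
    -Properties SmartcardLogonRequired, UserPrincipalName, Enabled |
    Where-Object { $_.Enabled }

# Default smart card logon maps the certificate to the account by UPN, so an
# account without a UPN should be fixed before the flag is enforced.
$pending |
    Select-Object SamAccountName, UserPrincipalName,
        @{ Name = 'MissingUpn'; Expression = { -not $_.UserPrincipalName } } |
    Format-Table -AutoSize

# Preview the change for accounts that are ready. Remove -WhatIf to apply it.
# Enabling the flag also replaces the account's password with a random value.
$pending |
    Where-Object { $_.UserPrincipalName } |
    Set-ADUser -SmartcardLogonRequired $true -WhatIf
```

Run the report first and confirm every listed user already has a working card, since an account with the flag set can no longer log on interactively with a password.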

In my experience, the various client-side software elements, which extend/integrate the physical card/token with Windows Logon, also include other elements like an enrolment station (for saving certs to the card/token), and the needed middleware/driver components. These are all provided as part of the solution from the card/token vendor. MS provides a framework, but the card/token vendor has to supply the card reader drivers, management software, etc. I recommend you look for white papers etc on the card/token vendor sites. Many vendors have demo/trial kits available. (we use a solution that leverages our own internal AD-based PKI, we don't need/use external PKI for our SSO)
Don
February 11th, 2012 10:14pm

Hi Quilnux, You might also want to create a new post in Security forums if you have further queries. http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
Vote As Helpful, if you find my information useful! This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
February 12th, 2012 2:40am

Hello, See this article about Guidelines for enabling smart card logon with third-party certification authorities: http://support.microsoft.com/kb/281245
Also, see that: http://blogs.technet.com/b/ad/archive/2006/11/13/smartcard-logon-considerations-or-how-i-learned-to-love-authentication-with-smartcards.aspx
More if you ask them here: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
February 12th, 2012 4:47am

> Hi Quilnux, You might also want to create a new post in Security forums if you have further queries. http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
> Vote As Helpful, if you find my information useful! This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
I think I get the picture now. I'll start a new thread over there if I get stuck. Thanks guys!
Owner, Quilnet Solutions
February 14th, 2012 2:25pm

This topic is archived. No further replies will be accepted.