Third-Party Certificate on Windows 2008 AD CS
The main purpose is to let Smart Card Log-on work with my personal certificate (VeriSign CA). This is what I have tried:
1. Install AD CS
2. Add the third-party root CA to the trusted roots in an Active Directory Group Policy object. (281245)
3. Add the third-party issuing CA to the NTAuth store in Active Directory.
At step 3 I have imported 3 certificates (the whole cert chain). What did go wrong? Why do I need objectGUID?
June 23rd, 2010 11:32am


Hi, the requirements for smart card logon using 3rd party CAs are specified here: http://support.microsoft.com/kb/281245. Do you fulfill them all? Regards, Martin
June 23rd, 2010 1:33pm

Hi Martin, Thanks for your reply. I have read article 281245 you sent me. What I don't understand is step 5. Do I have to modify something? Regards, Jordan
June 23rd, 2010 2:08pm

Well, in order to use smart card logon in a Windows domain you will need two types of certificates: 1) certificates for the clients (these certificates are stored on smart cards), 2) certificates for domain controllers. The KB article specifies requirements on domain controller certificates as well as on user certificates. Step 5 describes the requirements that need to be met for the client certificates. Do you use a specific VeriSign service, or are you trying to use generic e-mail VeriSign certificates (for example http://www.verisign.com/authentication/digital-id/index.html) for smart card logon? Also, can you be more specific on what you do not understand in these requirements? Regards, Martin
June 23rd, 2010 3:25pm

Hi Martin, I don't understand how the enrollment process works on a Third Party CA. As I told you, I have a VeriSign personal certificate. It is used for secure Web. But I also want to put this certificate on my smart card for Windows login. Do I have to create a new Third Party Root CA, getting the GUID from my AD DS certificate and giving this to VeriSign? Regards, Jordan
June 25th, 2010 2:20pm

On Fri, 25 Jun 2010 11:20:17 +0000, Jordan Ly wrote:
> I don't understand how the enrollment process works on a Third Party CA.
This has nothing to do with the enrollment process for a 3rd party CA.
> As I told you, I have a VeriSign personal certificate. It is used for secure Web. But I also want to put this certificate on my smart card for Windows login.
Certificates have purposes, and they can only be used for the purposes that are included in the certificate. You simply cannot use a "secure web" certificate for Windows logon.
> Do I have to create a new Third Party Root CA, getting the GUID from my AD DS certificate and giving this to VeriSign?
No, you really don't understand how certificates work. You can check with VeriSign but they're not likely going to issue you a smartcard logon certificate. Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
June 25th, 2010 3:02pm

Hi Paul Adare, Thanks for your email. Is there a solution to solve this? We are a TTP and can issue certificates. Regards, Jordan
June 25th, 2010 3:37pm

On Fri, 25 Jun 2010 12:37:09 +0000, Jordan Ly wrote:
> Hi Paul Adare, Thanks for your email. Is there a solution to solve this? We are a TTP and can issue certificates.
Sorry but I have no idea what TTP means. If you have your own AD CS deployment you can certainly issue your own smartcard logon certificates. Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
June 25th, 2010 3:53pm

Hi Paul, The problem is, I want to use my own certificate for smartcard logon. If I use a Microsoft certificate then it generates a new certificate. The problem is I don't know how to make the link between the user account and my own certificate.
June 28th, 2010 10:08am

On Mon, 28 Jun 2010 07:08:22 +0000, Jordan Ly wrote:
> The problem is, I want to use my own certificate for smartcard logon. If I use a Microsoft certificate then it generates a new certificate. The problem is I don't know how to make the link between the user account and my own certificate.
I'm not sure if I understand what you're trying to do here. If you're trying to use the certificate that you got from VeriSign for smart card logon then that simply isn't going to work for the reasons I've already described to you. Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
June 28th, 2010 10:15am

Hello Paul, As you said before, the certificate must have purpose(s). So I am looking at my Personal Certificate and this is what I see: "All application policies". What does this mean for Windows logon with a SmartCard? Greets, Quyen
June 28th, 2010 1:02pm

On Mon, 28 Jun 2010 10:02:08 +0000, Jordan Ly wrote:
> As you said before, the certificate must have purpose(s). So I am looking at my Personal Certificate and this is what I see: "All application policies". What does this mean for Windows logon with a SmartCard?
So you're saying that the certificate you were issued by VeriSign to you personally shows All Application Policies? I think we've got a communication issue here. Can you export the certificate (don't export the private key) to a file and then run:
certutil -dump filename.cer
and then post the output? Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
June 28th, 2010 2:26pm
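To read the same exported public certificate that certutil -dump would show and check it against the client-certificate requirements of KB 281245 (Client Authentication and Smart Card Logon EKUs, Digital Signature key usage, a UPN in the Subject Alternative Name, and a CRL distribution point), here is an added PowerShell example that is not part of the thread; the function name Test-SmartCardLogonCert, its $Path parameter and the file name filename.cer are assumptions.

```powershell
# Added example (not from the thread): inspect an exported .cer (public part only, no private key)
# against the client-certificate requirements for smart card logon from KB 281245.
# Test-SmartCardLogonCert and $Path are names chosen here.
function Test-SmartCardLogonCert {
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    $ekuClientAuth = '1.3.6.1.5.5.7.3.2'       # Client Authentication
    $ekuSmartCard  = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon

    # Enhanced Key Usage (2.5.29.37): .NET returns a typed X509EnhancedKeyUsageExtension
    $ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }

    # Key Usage (2.5.29.15) must include Digital Signature
    $kuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $hasDigitalSignature = $false
    if ($kuExt) {
        $ds = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
        $hasDigitalSignature = (($kuExt.KeyUsages -band $ds) -ne 0)
    }

    # Subject Alternative Name (2.5.29.17): the UPN (OID 1.3.6.1.4.1.311.20.2.3) is formatted by
    # Windows as "Principal Name=user@domain", the same entry certutil -dump prints
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
    $hasUpn  = $sanText -match 'Principal Name='

    # CRL Distribution Points (2.5.29.31) must be present so the DC can check revocation
    $hasCdp = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })

    $result = [ordered]@{
        Subject              = $cert.Subject
        HasClientAuthEKU     = ($ekuOids -contains $ekuClientAuth)
        HasSmartCardLogonEKU = ($ekuOids -contains $ekuSmartCard)
        HasDigitalSignature  = $hasDigitalSignature
        HasUpnInSAN          = $hasUpn
        HasCrlDistPoint      = $hasCdp
    }
    $result.MeetsRequirements = $result.HasClientAuthEKU -and $result.HasSmartCardLogonEKU -and
                                $result.HasDigitalSignature -and $result.HasUpnInSAN -and $result.HasCrlDistPoint
    [pscustomobject]$result
}

# Usage: point it at the file exported without the private key
Test-SmartCardLogonCert -Path '.\filename.cer' | Format-List
```

A web-server certificate from a public CA will typically show only Server Authentication in the EKU list and no UPN, which is exactly why it is rejected for smart card logon.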

Hi Paul, For smartcard logon with a Third party CA I need to have an attribute in my personal certificate like Enhanced Key Usage. So for my situation it will never work. I am trying to get a new certificate with the enhanced key usage attribute. Thanks for your help.
June 29th, 2010 6:01pm

Hi Paul, There is also a solution for how to use smartcard logon without EKU attributes: http://blogs.msdn.com/b/spatdsg/archive/2008/04/17/smartcard-in-2008-and-vista.aspx
July 5th, 2010 3:44pm
