Win 2008: how to generate smart card certificates for users
Hi everyone. I set up a Win 2008 server as a domain controller. I know how to generate smart cards for users in Win 2003, but in Win 2008 I could not find the option. Does anyone know how to generate smart card certificates for users in Win 2008? Can anyone help me? Thanks. I also have another problem. It is a Win 2003 domain controller and Win XP is the client. I want to use a smart card to join the domain, but it reports error 0x4er. I googled it. Some people say Win 2000, Win 2003 and Win XP do not support using a smart card to join a domain. Is that true? Thanks everyone.
March 9th, 2011 4:43am
Hi,

Yes, the functionality to join domain using a smartcard in Windows 2000, Windows XP or Windows Server 2003 Platforms is not supported. This feature has been implemented for Vista and Windows 2008 platforms and is supported.

http://www.microsoft.com/downloads/en/confirmation.aspx?FamilyID=ac201438-3317-44d3-9638-07625fe397b9&displaylang=en

To request a smart card certificate from Windows Server 2008 CA, please refer to the following steps:

1. Install a Windows 2008 CA
2. Create a user/group in AD to use as Enrollment Agent
3. After installation, open the Certificate Authority Management console on the CA.
4. Right Click on Certificate Templates and select Manage.
5. Change the permissions on the following template so the account created in step 2 has read and enroll permissions:
   o Enrollment Agent
   o Smartcard User
   o Smartcard Logon
6. Publish the above mentioned templates to the CA
7. Log on to the enrollment workstation (below steps assume that the OS is Vista or higher. When using the Windows 2008 Web Enrollment or Windows 2003 Web Pages with update 922706, ROB functionality is not present via web interface)
   o Open Certificate Management Console by running certmgr.msc
   o Select the "Personal Store" and from the context menu select All Tasks -> Request New Certificate
   o Select the "Enrollment Agent" template to get a certificate which will later be used for signing.
   o Select "Enroll" to finish the wizard and get a certificate
   o Next, select the "Personal Store" and from the context menu, select All Tasks -> Advanced Operations -> Enroll on behalf of
   o When prompted to select a signing certificate, select the "Enrollment Agent Certificate" enrolled earlier
   o Next, it will show all the available templates, select "Smartcard Logon" or "Smartcard User" based upon the requirement
   o Click on Details for the selected template and then select Properties for the same
   o On the "Private Key" tab, click on "Cryptographic Service Provider" and select the appropriate CSP (If you have a smartcard which works out of the box and doesn't require a middleware CSP, then you can select "Microsoft Base Smart Card Crypto Provider")
   o Select the user for whom you want to enroll the certificate
   o Insert the smartcard in the reader and when prompted, enter the PIN
   o The information would be written to the smart card and you can repeat the same process for another account or close the wizard to complete it.

Note: Microsoft Base CSP update (KB909520) along with any other middleware (CSP) should be installed on the enrollment workstation and on the client machines where the smartcard would be used.

This posting is provided "AS IS" with no warranties, and confers no rights.
March 14th, 2011 2:23am
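
A read-only check to run on the enrollment workstation after the steps in the answer above, added here as an example and not part of the original thread: it lists certificates in the current user's Personal store that carry the EKUs the Enrollment Agent and Smartcard templates issue. It assumes the templates keep their default EKUs and that a smart card certificate is visible in the store only while the card is inserted.

```powershell
# Added example: read-only listing, nothing is enrolled or modified.
# Standard EKU OIDs expected from the templates named in the steps above
# (assumes the templates still use their default EKUs).
$EkuNames = @{
    '1.3.6.1.4.1.311.20.2.1' = 'Certificate Request Agent'  # Enrollment Agent
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'           # Smartcard Logon / Smartcard User
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
}

function Get-CertEkuOid {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.37 is the Enhanced Key Usage extension.
    $raw = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $raw) { return @() }
    $type = 'System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension'
    $eku  = New-Object $type -ArgumentList $raw, $raw.Critical
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

$now = Get-Date
$report = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    # Keep only certificates that carry at least one of the EKUs above.
    $roles = @(Get-CertEkuOid $cert |
               Where-Object { $EkuNames.ContainsKey($_) } |
               ForEach-Object { $EkuNames[$_] })
    if ($roles.Count -eq 0) { continue }
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Roles      = $roles -join ', '
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt $now)
        Thumbprint = $cert.Thumbprint
    }
}

# A 'Certificate Request Agent' certificate can sign enroll-on-behalf-of
# requests, so it should appear only for the account created in step 2.
$report | Format-Table Subject, Roles, NotAfter, Expired -AutoSize
```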