Windows 7 Smart Card Logon
Hi, Testing PKI with Windows 7 x64 under a (otherwise) working public key infrastructure (Windows 2008 CA) using Smart Card certificates based on V2 templates. I've enrolled an AD user successfully with a smartcard and, validating the cert, it looks all ok (via certutil -scinfo). For all intents and purposes the smart card appears ok, but when I try to logon with the user and the smartcard inserted in the machine, I get the following error message: "The system could not log you on. You cannot use a smart card to log on because smart card login is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization." Kind of weird message :-/ The smart card reader is in-built on a Dell E6400 ATG... the smart card itself is a Gemalto .NET based card. I've validated that the cert is correctly written to the card via the netsolutions site at Gemalto... Windows 7 reads the smart card and the user ID correctly from the GUI Logon screen... it's only when I enter the PIN and it attempts to logon that I get the above message.... Is there anything "special" I need to do in Windows 7 or in group policy to enable smart card support?? This has worked fine in the past on XP.... Both the smart card service and the certificate propagation service are running...
Regards,
Mylo
December 8th, 2009 1:07am

Hi Mylo, I've got the opposite problem. Got the Gemalto .NET card with certificates from 2008 R2 with Enterprise CA, and RDP with autologin to both Server 2008 and 2008 R2. But getting the card to login to Windows 7 (x64 Ultimate) is a problem. I'm also using a Latitude E6400. Can it be the Controlpoint/Wave software that gives me a problem? All services are running. Btw; the E6400 is NOT part of any domain, just a standalone workstation. Also; is there something within the certificate that must match any of the local credentials to work? I don't see the smartcard as a login option on the Logon GUI.
Regards,
Stigh
December 8th, 2009 2:03pm

Hi Stigh, I've just been using the Controlpoint drivers without the actual Controlpoint software at the moment, primarily because of issues with respect to Mobile Internet and HSPA cards when testing in the past. The HSPA/mobile broadband side is working at the moment (using a SIM in my laptop).... That's a fairly unusual situation you're describing... I've used smartcard logon to TS Gateway in the past with no problem from a stand-alone. In your case though, since your machine is not domain-joined, then smartcard is likely to fail as there's no security principal (the domain) to assert the validity of your credentials at logon, e.g. 123456@mydomain.com, as your machine is not domain joined, i.e. you're stuck between a rock and a hard place :-)
Regards,
Mylo
December 8th, 2009 2:33pm

Hi Mylo, So; since the cert is issued from the CA, the local W7 will not use this? The strange thing is that the W7 does not even show the Smartcard option to login. I've checked the local Certificate store, and the cert from the CA is in my Personal Certificate store. I've used many hours (days & nights and got an angry girlfriend) to solve this issue. Basically; what you say is that it's impossible to create a cert from the CA to the Gemalto card and use this for local login to a stand alone workstation? Is it possible to create a local certificate on the W7 to use for local login? The Gemalto has space for several certificates; luckily...
/Stigh
December 8th, 2009 2:38pm

Hi Stigh, Pretty much... my understanding is that smartcard can only be used for logging on with a domain account, not a local one, so interactive logon in this case is out. Smartcard on your local machine doesn't really give you any more inherent protection btw.... physical access to a machine circumvents all other access...... that's why it has more value in the domain logon scenario, with two-factor authentication to your domain resources. With regards your question... no, I don't think it is possible... at least not with the tools we're describing. Most solutions assume that your authentication provider (security database) is remote, not local to the machine.
Regards,
Mylo
December 8th, 2009 3:26pm

Hi Mylo, I actually disagree. As long as there is an EKU in the certificate, it should work for local logon. But I don't know if the certificate issued by the CA will work though. In GPedit, under Computer Configuration-Windows Components-Smart Card there are policies to disable certain parameters. I need to read more on those. Btw; Dell SmartCard is not available for shopping in Norway where I'm located; so I can not enroll any cards through Controlpoint/Wave manager. My Gemalto .NET card is purchased from a local store. The reason for using the laptop as stand alone outside the domain is that it's "never" connected locally to any wired network, and there is no reason for it to be a member of the domain. It's only connecting through RDP and for Outlook (Exchange 2007). Here I use the certificate for RDP logon and for signing/encrypting emails. But I still think, and believe, that our problems are connected and that it's the W7 that's the problem....
/Stigh
December 8th, 2009 3:48pm

Stigh,

OK..... I've got it working with Windows 7 on the 6400 together with the Mobile Internet Broadband using domain-based interactive logon.... so the pressure's off at least at this end :-)

"I actually disagree."

I can see you're healthily motivated to fix the problem... which is good :-)

"As long as there is an EKU in the certificate, it should work for local logon."

Agreed (kind of)... although in your case the common name (the username) is the key identifier for logon purposes... a UPN in this case is moot as there is no domain to speak of.... I'm assuming the Smart Card Login OID is present in your certificate template together with Client Authentication, and that the purpose is set to "Signature and Smartcard Logon"... I'm working with V2 templates at the mo...

"In GPedit, under Computer Configuration-Windows Components-Smart Card there are policies to disable certain parameters. I need to read more on those."

In my case I haven't tweaked any settings via GPO... to resolve the problem described earlier I ended up adding the AMT HECI driver for the chipset and the Broadcom drivers from the Connection Manager packs.... I suspect it was the latter that was the problem. Again, I haven't installed any Dell Connection Manager software so I'm relying purely on drivers.

"Btw; Dell SmartCard is not available for shopping in Norway where I'm located; so I can not enroll any cards through Controlpoint/Wave manager. My Gemalto .NET card is purchased from a local store."

The Gemalto drivers from Windows 7 RTM worked ok for me.

"The reason for using the laptop as stand alone outside the domain is that it's "never" connected locally to any wired network, and there is no reason for it to be a member of the domain."

OK, but here's where I disagree :-) ... the machine in question will need to connect back to your Enterprise CA certificate distribution point (CDP) to check that the certificate is valid. That's part of basic PKI functionality to ensure certificates are valid. In your case, you'll need an HTTP-based CDP reachable from the local machine, i.e. reachable over a LAN or over the Internet from the "stand-alone" machine, as default LDAP CDPs are meaningless as your client is not domain-joined. Otherwise, you'll need to turn off certificate revocation on the local machine completely, which is diluting security even further.

"It's only connecting through RDP and for Outlook (Exchange 2007). Here I use the certificate for RDP logon and for signing/encrypting emails."

I was slightly confused here... so you don't intend to use the smartcard for local logon? If this is the case, this is a workable scenario. You can use a smartcard from a non-domain-joined machine to connect for RDP logon. S/MIME is also possible from Outlook, but YMMV as you may run into trust issues when sending encrypted mails to parties that don't trust your CA. Again, bear in mind the comments made earlier about the CDP... the "stand-alone" machine will still need to "connect" back to the CA to access the CDP/AIA, plus you'll have to do certificate renewals etc.

On a parting note, you need to be clear about why you really need to use smart cards (in this scenario). You're working outside the normal working conventions of Windows with a non-domain-joined machine and the pay-off in this case is negligible. I'm not trying to dissuade you from continuing but it's likely to be an uphill struggle. Good luck and post back if you want to discuss further!

Regards,
Mylo
December 9th, 2009 12:53am
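As an added check for the points raised in the reply above (example code written for this page, not posted by anyone in the thread), the following PowerShell lists, for each certificate the Certificate Propagation service copied from the inserted card into the user's Personal store, whether it carries the Smart Card Logon and Client Authentication EKUs, whether the SAN holds a UPN, whether the CDP extension has an HTTP URL usable from a non-domain-joined client, and whether a chain with online revocation checking actually builds on that machine. The EKU and extension OIDs are the standard Microsoft/PKIX values; the "Principal Name=" regex assumes the English-locale output of Format() and is an assumption of this example.

```powershell
# Added example (not from the thread). Run on the Windows 7 client with the
# card inserted, so the card's certificates are in Cert:\CurrentUser\My.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # PKIX Client Authentication EKU
$SanOid            = '2.5.29.17'                # Subject Alternative Name
$CdpOid            = '2.5.29.31'                # CRL Distribution Points

function Test-SmartCardLogonCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect EKU OIDs; smart card logon needs both Smart Card Logon and Client Auth.
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    # The UPN in the SAN is what a domain controller maps to the AD account.
    # Format() output is locale dependent; this regex assumes English Windows (assumption).
    $upn = $null
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san -and ($san.Format($false) -match 'Principal Name=([^,\s]+)')) { $upn = $Matches[1] }

    # A client that is not domain-joined cannot follow ldap:/// CDP URLs, only http://.
    $cdpText = ''
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid }
    if ($cdp) { $cdpText = $cdp.Format($false) }

    # Build the chain with online revocation checking from this machine; a
    # RevocationStatusUnknown/OfflineRevocation status means the CDP is unreachable here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($Cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # New-Object PSObject keeps this runnable on the PowerShell 2.0 that ships with Windows 7.
    New-Object PSObject -Property @{
        Subject           = $Cert.Subject
        HasPrivateKey     = $Cert.HasPrivateKey   # false: key not bound to the card's CSP
        HasSmartCardLogon = [bool]($ekus -contains $SmartCardLogonEku)
        HasClientAuth     = [bool]($ekus -contains $ClientAuthEku)
        Upn               = $upn
        HasHttpCdp        = [bool]($cdpText -match 'http://')
        ChainBuilds       = $chainOk
        ChainStatus       = $chainStatus
    }
}

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-SmartCardLogonCert $_ } | Format-List
```

A certificate that shows both EKUs and a UPN but a ChainStatus other than NoError points at trust or revocation reachability rather than at the template, which separates the two failure modes discussed above.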

Hi Mylo... Okie; I'll drop my "firewall" as I lack a lot of knowledge on this issue. 1 month ago I didn't know anything about smartcards, CA servers etc. Now I've set up my own CA, I've created certificates and I even made my own template (copied and edited an existing template from Server 2008 R2). We only got Server 2008 and R2's in our domain. Maybe it's only with middleware I'm able to logon locally without a domain...? This I've seen from googling (Aloaha Software is one of them...). This is what I want to achieve:
- Preboot Authentication (I already have this with my Mifare combo card, RFID and chip) done through Controlpoint Security
- Logon to W7 only by smartcard for a normal user account (not admin account, this should be allowed with normal user credentials)
- RDP only by smartcard (credentials disabled for RDP sessions, should be doable through policies on server)
- S/MIME signing and encryption with Outlook and Exchange
Now I have official certificates on my MiFare card, issued by a CA authority in Norway. With this I can use the S/MIME only for the moment, but by importing a certificate from my local CA I should be able to do the RDP too (I've already got it working with the Gemalto .NET card, but as said earlier, not W7 logon). The reason for not being able to import the local CA certificate to my MiFare card is loss of the admin pin to the card. A new one is on the way by snail mail :( I'll add my laptop to the domain then (you win!) and hopefully the rest will fall into place. About my local certificates and templates...:
- I did take the Smartcard Logon template and copied it; then edited only the Security and expiration. It got Client Auth, SmartCard logon and Signature tags.
- What is the difference of using v2 and v3 templates?
- If member of domain, and I'm "offline", will my W7 laptop use cached information then?
When I get all this to work; I'll roll out the solution to my fellow coworkers.
Please feel free to contact me by e-mail, stigh (at) mobicom.no Thank you for your help and for clearing up some of my misunderstandings so far :)
/Stigh
December 9th, 2009 1:25am

Stigh, I'll contact you on the mail address above.
Regards,
Mylo
December 10th, 2009 10:17am

I am having a similar problem. I have Windows 7 Home Premium and I'm trying to enable smart card login to Windows, but I cannot find an option to enable this feature. What should I do??? Please help.
May 15th, 2010 4:52pm

You can try the .NET BIO card, I have used this extensively with 2k8R2, and Windows 7 clients. I use the biometric smart-card logon template and export the public key. Then using Gemalto's web interface, I can write the certs to the card. WU will send the proper driver so that the card can be read, and tada! I can login to a stand alone machine using the creds, not connected to a domain. Correct me if I'm wrong, but I'm pretty sure this is the method I used. :)
Network Systems Engineer, Zvetco Biometrics
May 17th, 2010 11:10pm

Hi bonym, First; what type of card are you trying to use? Any cards NOT listed as supported natively by Win 7 cannot be used without 3rd party software. Using cards with Java support, like the Gemalto .NET card, will work with embedded drivers. BUT; it will NOT log you in without being part of a domain. To achieve this; you need 3rd party software and card, like MiFare cards and software from (example) Aloaha Software. Please notice; I've tried Aloaha, but didn't get it to work. So basic rule; without a domain controller; it will not work without 3rd party software.
/Stigh
May 20th, 2010 12:14pm

Have you tried the EIDAuthenticate software? It supports many brands of smart cards including national eIDs. It works with the DoD smart cards too.
December 2nd, 2010 6:47am

Can you check if the client account has enough access at the server? What groups are the clients members of?
January 13th, 2011 1:22pm
