Setting up AD (W2K3) for SmartCard Authentication

  • Thread starter Thread starter Don Jones
  • Start date Start date
D

Don Jones

Can someone direct me to some articles that explain how to configure AD for
Smart Card Authentication? If read various articles and they were not clear
as to what is required and how to implement smartcard authentication.

If this isn't the correct group, please let me know what the correct group
would be.

Thanks.

Don Jones
 
On Tue, 4 Mar 2008 04:21:00 -0800, Don Jones wrote:

> Can someone direct me to some articles that explain how to configure AD for
> Smart Card Authentication? If read various articles and they were not clear
> as to what is required and how to implement smartcard authentication.
>
> If this isn't the correct group, please let me know what the correct group
> would be.

Where are the certificates coming from?

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
The attention span of a computer is only as long as its power cord.
 
Try this if you are looking at a third party (non-Microsoft) CA, or
Microsoft Standalone CA.

http://support.microsoft.com/kb/281245

If you are looking at your own, Microsoft Enterprise CAs, you'd suggest that
you go for a longer read here:
http://technet2.microsoft.com/windowsserve...3.mspx?mfr=true

--
---
HTH,
Dobromir

Visit http://www.iamechanics.com

"Don Jones" wrote in message
news:014B2D7A-CDBC-46ED-95B8-E9D22952AEBB@microsoft.com...
> Can someone direct me to some articles that explain how to configure AD
> for
> Smart Card Authentication? If read various articles and they were not
> clear
> as to what is required and how to implement smartcard authentication.
>
> If this isn't the correct group, please let me know what the correct group
> would be.
>
> Thanks.
>
> Don Jones
 
Thanks for the response. I have read the articles, have a question.

We have smartcards issued by a third party ca, and have the root-ca's
certificate listed in the places mentioned in the articles. Our
DomainController Certificate is not from the Same CA that issued the
SmartCards Certificates. The Certificate is from our Enterprise CA. We are
currently using the DomainController template, which doesn't list SmartCard
Logon as a property.

Does the DomainController's certificate contain the SmartCard Logon
property? If so, How can I add the SmartCard Logon property to the
DomainController Template or do I need to upgrade to Enterprise Edition?

Don Jones

"Dobromir Todorov" wrote:

> Try this if you are looking at a third party (non-Microsoft) CA, or
> Microsoft Standalone CA.
>
> http://support.microsoft.com/kb/281245
>
> If you are looking at your own, Microsoft Enterprise CAs, you'd suggest that
> you go for a longer read here:
> http://technet2.microsoft.com/windowsserve...3.mspx?mfr=true
>
> --
> ---
> HTH,
> Dobromir
>
> Visit http://www.iamechanics.com
>
> "Don Jones" wrote in message
> news:014B2D7A-CDBC-46ED-95B8-E9D22952AEBB@microsoft.com...
> > Can someone direct me to some articles that explain how to configure AD
> > for
> > Smart Card Authentication? If read various articles and they were not
> > clear
> > as to what is required and how to implement smartcard authentication.
> >
> > If this isn't the correct group, please let me know what the correct group
> > would be.
> >
> > Thanks.
> >
> > Don Jones
>
>
>
 
The domain controller certificate will work for smart card authentication.
You meed to look at the KB article on enabling smart card auth certs from
3rd paty CAs.
http://support.microsoft.com/kb/281245/en-us

Does the certificate contain the user's UPN in the subject alternative name
Is the CA in the NTAuth store
Are all CRLs and CA certificates for the 3rd party chain available

Brian

"Don Jones" wrote in message
news:90ACC56E-F936-4A4B-BF85-272F3DF00DFA@microsoft.com...
> Thanks for the response. I have read the articles, have a question.
>
> We have smartcards issued by a third party ca, and have the root-ca's
> certificate listed in the places mentioned in the articles. Our
> DomainController Certificate is not from the Same CA that issued the
> SmartCards Certificates. The Certificate is from our Enterprise CA. We
> are
> currently using the DomainController template, which doesn't list
> SmartCard
> Logon as a property.
>
> Does the DomainController's certificate contain the SmartCard Logon
> property? If so, How can I add the SmartCard Logon property to the
> DomainController Template or do I need to upgrade to Enterprise Edition?
>
> Don Jones
>
> "Dobromir Todorov" wrote:
>
>> Try this if you are looking at a third party (non-Microsoft) CA, or
>> Microsoft Standalone CA.
>>
>> http://support.microsoft.com/kb/281245
>>
>> If you are looking at your own, Microsoft Enterprise CAs, you'd suggest
>> that
>> you go for a longer read here:
>> http://technet2.microsoft.com/windowsserve...3.mspx?mfr=true
>>
>> --
>> ---
>> HTH,
>> Dobromir
>>
>> Visit http://www.iamechanics.com
>>
>> "Don Jones" wrote in message
>> news:014B2D7A-CDBC-46ED-95B8-E9D22952AEBB@microsoft.com...
>> > Can someone direct me to some articles that explain how to configure AD
>> > for
>> > Smart Card Authentication? If read various articles and they were not
>> > clear
>> > as to what is required and how to implement smartcard authentication.
>> >
>> > If this isn't the correct group, please let me know what the correct
>> > group
>> > would be.
>> >
>> > Thanks.
>> >
>> > Don Jones
>>
>>
>>
 
The SmartCards can log into on AD Forest, but not another. The two forest
don't trust each other.

Looked that the article on 3rd party CA's, but still no go. The 3rd party
CA's root certificates are in the NTAuthCA store, and the CRLs have been
imported into Certificate manager and placed in the CRL store.

"Brian Komar (MVP)" wrote:

> The domain controller certificate will work for smart card authentication.
> You meed to look at the KB article on enabling smart card auth certs from
> 3rd paty CAs.
> http://support.microsoft.com/kb/281245/en-us
>
> Does the certificate contain the user's UPN in the subject alternative name
> Is the CA in the NTAuth store
> Are all CRLs and CA certificates for the 3rd party chain available
>
> Brian
>
> "Don Jones" wrote in message
> news:90ACC56E-F936-4A4B-BF85-272F3DF00DFA@microsoft.com...
> > Thanks for the response. I have read the articles, have a question.
> >
> > We have smartcards issued by a third party ca, and have the root-ca's
> > certificate listed in the places mentioned in the articles. Our
> > DomainController Certificate is not from the Same CA that issued the
> > SmartCards Certificates. The Certificate is from our Enterprise CA. We
> > are
> > currently using the DomainController template, which doesn't list
> > SmartCard
> > Logon as a property.
> >
> > Does the DomainController's certificate contain the SmartCard Logon
> > property? If so, How can I add the SmartCard Logon property to the
> > DomainController Template or do I need to upgrade to Enterprise Edition?
> >
> > Don Jones
> >
> > "Dobromir Todorov" wrote:
> >
> >> Try this if you are looking at a third party (non-Microsoft) CA, or
> >> Microsoft Standalone CA.
> >>
> >> http://support.microsoft.com/kb/281245
> >>
> >> If you are looking at your own, Microsoft Enterprise CAs, you'd suggest
> >> that
> >> you go for a longer read here:
> >> http://technet2.microsoft.com/windowsserve...3.mspx?mfr=true
> >>
> >> --
> >> ---
> >> HTH,
> >> Dobromir
> >>
> >> Visit http://www.iamechanics.com
> >>
> >> "Don Jones" wrote in message
> >> news:014B2D7A-CDBC-46ED-95B8-E9D22952AEBB@microsoft.com...
> >> > Can someone direct me to some articles that explain how to configure AD
> >> > for
> >> > Smart Card Authentication? If read various articles and they were not
> >> > clear
> >> > as to what is required and how to implement smartcard authentication.
> >> >
> >> > If this isn't the correct group, please let me know what the correct
> >> > group
> >> > would be.
> >> >
> >> > Thanks.
> >> >
> >> > Don Jones
> >>
> >>
> >>
>
>
 
On Thu, 3 Apr 2008 16:30:11 -0700, Don Jones wrote:

> The SmartCards can log into on AD Forest, but not another. The two forest
> don't trust each other.

So you're trying to use smart cards issued in one forest to log on in a
second forest?

>
> Looked that the article on 3rd party CA's, but still no go. The 3rd party
> CA's root certificates are in the NTAuthCA store, and the CRLs have been
> imported into Certificate manager and placed in the CRL store.


--
Paul Adare
http://www.identit.ca
And on the seventh day, He exited from append mode.
 
This is the first that you mentioned a 2nd forest. Thanks for the info
the NTAuth store does not contain root certs, it must contain the CA that
issued the smart card certificate
Look at the CA stores in the working forest using PKIView.msc (from the
resource kit).
They must be the same in the other forest.

Number 2, does CRL checking work in the other forest (are the URLs
accessible)/

Number 3. Do the accounts have the same UPN in both forests. The UPN in the
cert must match the account's UPN in the 2nd forest to work

Brian

"Don Jones" wrote in message
news:49B24A2C-FFFD-49A9-B182-134704327EEB@microsoft.com...
> The SmartCards can log into on AD Forest, but not another. The two forest
> don't trust each other.
>
> Looked that the article on 3rd party CA's, but still no go. The 3rd party
> CA's root certificates are in the NTAuthCA store, and the CRLs have been
> imported into Certificate manager and placed in the CRL store.
>
> "Brian Komar (MVP)" wrote:
>
>> The domain controller certificate will work for smart card
>> authentication.
>> You meed to look at the KB article on enabling smart card auth certs from
>> 3rd paty CAs.
>> http://support.microsoft.com/kb/281245/en-us
>>
>> Does the certificate contain the user's UPN in the subject alternative
>> name
>> Is the CA in the NTAuth store
>> Are all CRLs and CA certificates for the 3rd party chain available
>>
>> Brian
>>
>> "Don Jones" wrote in message
>> news:90ACC56E-F936-4A4B-BF85-272F3DF00DFA@microsoft.com...
>> > Thanks for the response. I have read the articles, have a question.
>> >
>> > We have smartcards issued by a third party ca, and have the root-ca's
>> > certificate listed in the places mentioned in the articles. Our
>> > DomainController Certificate is not from the Same CA that issued the
>> > SmartCards Certificates. The Certificate is from our Enterprise CA.
>> > We
>> > are
>> > currently using the DomainController template, which doesn't list
>> > SmartCard
>> > Logon as a property.
>> >
>> > Does the DomainController's certificate contain the SmartCard Logon
>> > property? If so, How can I add the SmartCard Logon property to the
>> > DomainController Template or do I need to upgrade to Enterprise
>> > Edition?
>> >
>> > Don Jones
>> >
>> > "Dobromir Todorov" wrote:
>> >
>> >> Try this if you are looking at a third party (non-Microsoft) CA, or
>> >> Microsoft Standalone CA.
>> >>
>> >> http://support.microsoft.com/kb/281245
>> >>
>> >> If you are looking at your own, Microsoft Enterprise CAs, you'd
>> >> suggest
>> >> that
>> >> you go for a longer read here:
>> >> http://technet2.microsoft.com/windowsserve...3.mspx?mfr=true
>> >>
>> >> --
>> >> ---
>> >> HTH,
>> >> Dobromir
>> >>
>> >> Visit http://www.iamechanics.com
>> >>
>> >> "Don Jones" wrote in message
>> >> news:014B2D7A-CDBC-46ED-95B8-E9D22952AEBB@microsoft.com...
>> >> > Can someone direct me to some articles that explain how to configure
>> >> > AD
>> >> > for
>> >> > Smart Card Authentication? If read various articles and they were
>> >> > not
>> >> > clear
>> >> > as to what is required and how to implement smartcard
>> >> > authentication.
>> >> >
>> >> > If this isn't the correct group, please let me know what the correct
>> >> > group
>> >> > would be.
>> >> >
>> >> > Thanks.
>> >> >
>> >> > Don Jones
>> >>
>> >>
>> >>
>>
>>
 
Back
Top