earthweb.com/reference/pro/1928994024/ch08/08-04.html (3 of 3) [8/3/2000 6:55:24 AM]
Configuring Windows 2000 Server Security:Smart Cards




Configuring Windows 2000 Server Security
by Thomas W. Shinder, M.D., MCSE, MCP+I, MCT, Debra Littlejohn Shinder, MCSE, MCP+I, MCT, D. Lynn White, MCSE, MCPS, MCP+I, MCT
Syngress Publishing, Inc.


ISBN: 1928994024 Pub Date: 06/01/99


Smart Card Certificate Enrollment
In order for a user to enroll for either type of smart card certificate (authentication, or authentication plus e-mail), the user must have access to the certificate template stored in Microsoft’s Active Directory. Access is restricted because enrollment for smart card access needs to be a controlled procedure, similar to the procedure used for obtaining an ID badge for work. Microsoft recommends performing this enrollment through the “Enroll on Behalf of Station” that is integrated with Certificate Services.
When an enterprise certificate authority (CA) is installed, the installation includes the Enroll On-Behalf-Of Station. This station allows an administrator to act on behalf of a specific user and request that a certificate be installed on the user’s smart card. Since the cards themselves are partially proprietary, the station cannot offer card customization features such as building a file directory or changing the PIN. To perform these operations, consult the manufacturer’s documentation and software.
Before proceeding, make sure you have set up Active Directory and added to it a CA that supports public/private key certificates. An administrator should perform these procedures:
1. To connect to a CA, open Internet Explorer and type http://<machine-name>/certsrv into the address bar. Be sure to replace <machine-name> with the computer name of the issuing CA.
2. The Microsoft Certificate Service Welcome page appears as shown in Figure 8.8. Select Request a certificate, and then click Next to continue.
Figure 8.8 This is the Welcome screen from the Microsoft Certificate Services.
3. Select Advanced request from the Choose Request Type page and click Next.
4. Select Request a certificate for a smart card on behalf of another user, using the Smart Card Enrollment Station from the Advanced Certificate Requests page, and click Next.
5. The first time you use the enrollment station, a digitally signed ActiveX control is downloaded from the CA to the station computer. To use the station, select Yes from the Security Warning dialog box to install the control.
6. Five items need to be completed on the Smart Card Enrollment Station page before you submit the request.
• There are several certification templates to choose from. For smart card usage you are only concerned with two, Smart Card Logon and Smart Card User. Remember that the Smart Card Logon template is for access to public key interactive logon, and the Smart Card User template is for both logon and user authentication through e-mail.
• Select a certification authority.
• Select a cryptographic service provider.
• Select an administrator signing certificate.
• Select the user by clicking Select User.
7. You are now ready to submit the certificate request as shown in Figure 8.9. Click Enroll on the Smart Card Enrollment Station page.
Figure 8.9 Select criteria to enroll a new Smartcard User.
8. If the card is not already inserted into the reader, you will be requested to insert it. Insert the card and click OK.
9. The request must be digitally signed by the private key that corresponds to the public key included in the certificate request. Because the key is stored on the card, the signature requires that the card owner verify the PIN and prove ownership of both the card and the key. Type the PIN for the card and click OK.
10. If the CA successfully processes the certificate request, the station will inform you that the smart card is ready. You can now either view the certificate by clicking View Certificate or you can specify a new user by clicking New User.
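Once the station reports that the card is ready, an administrator will usually want to confirm that the certificate actually issued matches the template that was intended (Smart Card Logon versus Smart Card User) and that the private key is reachable through the card. The following PowerShell script is an added example and is not from the book; it assumes a current Windows host where PowerShell is available (it did not exist on Windows 2000) and where the card has been inserted so that its certificate has been propagated into the user's personal store. The Smart Card Logon template carries the Client Authentication and Smart Card Logon enhanced key usages, and the Smart Card User template adds Secure Email; the script classifies each certificate by those well-known OIDs.

```powershell
# Added example (not the book's own procedure): classify certificates in the
# current user's personal store by the enhanced key usages that the two smart
# card templates issue. Assumes a modern Windows host with PowerShell and that
# the smart card has been inserted so its certificate is present in the store.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # Client Authentication
$SecureEmailEku    = '1.3.6.1.5.5.7.3.4'        # Secure Email

function Get-SmartCardCertSummary {
    param(
        [Parameter(ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Pull the EKU extension, if present, and collect its OIDs.
        $ekuExt = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus = @()
        if ($ekuExt) {
            $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }

        $hasLogon  = $ekus -contains $SmartCardLogonEku
        $hasClient = $ekus -contains $ClientAuthEku
        $hasEmail  = $ekus -contains $SecureEmailEku

        # Map the EKU set back to the template the book describes.
        $role = if ($hasLogon -and $hasClient -and $hasEmail) {
            'Smart Card User (logon + e-mail)'
        } elseif ($hasLogon -and $hasClient) {
            'Smart Card Logon (logon only)'
        } else {
            'Not a smart card certificate'
        }

        [pscustomobject]@{
            Subject       = $Certificate.Subject
            Issuer        = $Certificate.Issuer
            NotAfter      = $Certificate.NotAfter
            HasPrivateKey = $Certificate.HasPrivateKey   # $true when the card's key is reachable
            Role          = $role
        }
    }
}

Get-ChildItem Cert:\CurrentUser\My | Get-SmartCardCertSummary | Format-Table -AutoSize
```

A certificate that shows the expected Role but HasPrivateKey set to false usually means the card is not inserted or the cryptographic service provider selected at enrollment does not match the card, which is worth catching before the user first attempts an interactive logon.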
Smart Card Logon
Logging on with a smart card is a relatively simple and straightforward task. Approach a PC that has smart card logon enabled and perform these steps:
1. You will see a logon screen that reads “Insert card or press Ctrl-Alt-Delete to begin,” as was shown in Figure 8.6. Insert your card into the smart card reader.
2. The Log On to Windows dialog box will prompt you to enter your PIN. Enter it.