Single Sign-on authentication using Smart Cards

bill
Mar 30, 2004
Archived from groups: microsoft.public.win2000.security

Hello security group,

As a requirement for work, I've been doing research for work regarding
Single sign-on Windows authentication using a Smart card. I know that Windows
2000/2003 servers have good integration with Smart Cards, however I'm
wondering what the requirements are for implementing single sign-on site
wide. Ideally I would like something that integrates with AD, but I know that
is not necessarily a requirement. I've been tasked with doing a demo on a
single workstation, is this possible? What software/hardware would I need to
do this?

Just to clarify what I mean by single sign-on, I'm thinking something that
can allow a user to simply put in a Smart Card, enter their PIN, and have
access to the system, including their email profile.

Thank you all in advance.
 

bill
Mar 30, 2004

Also, just to add to what I wrote up top, I am currently using Smart Cards,
however only for signing and encrypting email and viewing secured sites, not
to log into a Windows domain. Thanks again.

Guest

"bill" <bill@discussions.microsoft.com> wrote in message
news:C373D198-A60B-48BF-9380-10A4BB5ED89C@microsoft.com...
> Hello security group,
>
> As a requirement for work, I've been doing research for work regarding
> Single sign-on Windows authentication using a Smart card. I know that Windows
> 2000/2003 servers have good integration with Smart Cards, however I'm
> wondering what the requirements are for implementing single sign-on site
> wide. Ideally I would like something that integrates with AD, but I know that
> is not necessarily a requirement. I've been tasked with doing a demo on a
> single workstation, is this possible? What software/hardware would I need to
> do this?

You have it already for AD domains.

> Just to clarify what I mean by single sign-on, I'm thinking something that
> can allow a user to simply put in a Smart Card, enter their PIN, and have
> access to the system, including their email profile.

Win2000 and Win2003 domains (and 2000/XP clients)
have this ability built-in -- if there is a smart card reader
on the station it becomes a choice.

> Also, just to add to what I wrote up top, I am currently using Smart Cards,
> however only for signing and encrypting email and viewing secured sites, not
> to log into a Windows domain. Thanks again.

Why don't you just try using (your own) Smart Card to
logon.

Add a reader to your machine and you should see the
choice at logon -- if your card has the required certificate
then it will "just work". (You may have to add a cert to
it if it doesn't have the right type/trust from the domain
CA.)

--
Herb Martin


bill
Mar 30, 2004

Thanks. I do have the Certs on the card but when I insert it during the logon
screen and enter my PIN this does not log me onto the domain. I guess my real
question is how do you tie in domain logon information with the Smart Card?
Is this done at the CA or do I have to purchase additional middleware?

Guest

"bill" <bill@discussions.microsoft.com> wrote in message
news:388662CB-CAB3-4F88-8AE0-3C634408D41D@microsoft.com...
> Thanks. I do have the Certs on the card but when I insert it during the logon
> screen and enter my PIN this does not log me onto the domain.

"The certs" which one(s)?

> I guess my real
> question is how do you tie in domain logon information with the Smart Card?

The certs need to be issued by a "trusted" (by the domain)
CA which usually means an "Enterprise CA".

Effectively 'Enterprise' MEANS an Active Directory CA.

They also have to be marked for this purpose.

> Is this done at the CA or do I have to purchase additional middleware?

No, you do it from a "smart card enrollment" station.
(Just a PC that can add the cert to the card, used by
a user [admin etc.] who can request them on another
user's behalf.)

Search for those phrases through Google:

[ smartcard logon "certificate enrollment station" site:microsoft.com ]


--
Herb Martin


Guest

There is a great chapter in the Windows 2003 Deployment Kit on how to do what
you want. See the link below in Part II on planning a smart card deployment. It
is mostly the same for Windows 2000 though you cannot use type 2 certificate
templates to use autoenrollment for users with a Windows 2000 CA. You probably
have what you need already but the wrong certificate type on your smartcard that
would include the UPN for a domain user for domain logon. --- Steve

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dpgDSS_overview.asp

bill
Mar 30, 2004

Steven, I think you're right. I'm using a Schlumberger card/reader and ActivCard
Gold 2.1 software. The certs that I see using the ActivCard software show one
for signature, encryption, and identity but I don't see one for logon. Is
this added during the card's creation?

Guest

In article <7131E925-F0C2-4ADE-BC1F-2AF397CDDA48@microsoft.com>, in the
microsoft.public.win2000.security news group, bill
<bill@discussions.microsoft.com> says...

> The certs that I see using the ActivCard software show one
> for signature, encryption, and identity but I don't see one for logon. Is
> this added during the card's creation?
>

No, it is added during the certificate request process. All of your
questions can be answered by reading the information at the links
provided to you by Steven.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
 

bill
Mar 30, 2004

OK, I think I know what we need now to complete the smart card logon project
but I have a question about a Microsoft Technet article.

In article Q281245, (Guidelines for Enabling Smart Card Logon with Third
party CA's), the first line in the requirements section says:

"Required: Active Directory must have the third-party issuing CA in the
NTAuth store to authenticate users to active directory."

What exactly does this mean? Does it mean that a copy of the Third-party CA
must be installed in the NTAuth store or some kind of connection must be made
with the third-party?

Guest

"bill" <bill@discussions.microsoft.com> wrote in message
news:2B583768-96D0-44B8-98E6-7431D313F72F@microsoft.com...
> OK, I think I know what we need now to complete the smart card logon project
> but I have a question about a Microsoft Technet article.
>
> In article Q281245, (Guidelines for Enabling Smart Card Logon with Third
> party CA's), the first line in the requirements section says:
>
> "Required: Active Directory must have the third-party issuing CA in the
> NTAuth store to authenticate users to active directory."

For AD (the DCs) to trust that the user's cert is properly
issued it must "know" the issuing CA -- since a 3rd
party CA's cert is not automatically in the AD store
(NTAuth) you must add that Cert.

This is very similar to visiting a web site for SSL:
to trust the cert of the Web server your browser must
have the TRUST Certificate for the issuing server in
its store.

Or at least a parent CA for that issuing CA (you can
trust a subordinate CA by trusting the parent in many
cases.)

> What exactly does this mean? Does it mean that a copy of the Third-party CA
> must be installed in the NTAuth store or some kind of connection must be made
> with the third-party?

No, not necessarily*. It means the trust CERT must
be obtained and loaded into that store.

*It should be set up so that the CRL (certificate revocation
list) is readily available (online or periodically obtained).

--
Herb Martin


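Two of the answers above describe checks an administrator can actually run rather than guess at: Steven's point that the card's certificate must be of the right type and carry the user's UPN, and Herb's point that the issuing CA's certificate (not a "connection" to the third party) must be loaded into the NTAuth store. The PowerShell below is an added example for this archive, not code posted by anyone in the thread; it is written for a current domain-joined Windows workstation and uses the built-in certutil.exe and the .NET X509Certificate2 class. The two file paths and the function names are placeholders chosen here.

```powershell
# Added example (not from the thread). Checks a smart card user certificate for the
# attributes Windows domain logon requires, then publishes a (third-party) issuing
# CA into the Active Directory NTAuth store as KB Q281245 requires.
# Assumptions (placeholder paths, not values from the thread):
#   C:\temp\user.cer        - the logon certificate exported from the card
#   C:\temp\issuing-ca.cer  - the issuing CA's own certificate
# Run in an elevated PowerShell session as an Enterprise Admin on a domain member.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft "Smart Card Logon" EKU
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # "Client Authentication" EKU

function Test-SmartCardLogonCert {
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Enhanced Key Usage (OID 2.5.29.37): domain logon expects Smart Card Logon,
    # and in practice Client Authentication as well. A signing/encryption-only
    # certificate (the case in the thread) has neither.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # The Subject Alternative Name must carry the user's UPN as the Microsoft
    # otherName (OID 1.3.6.1.4.1.311.20.2.3); GetNameInfo(UpnName) reads exactly
    # that field and returns an empty string when it is absent.
    $upn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)

    $hasLogon  = $ekus -contains $SmartCardLogonEku
    $hasClient = $ekus -contains $ClientAuthEku

    [pscustomobject]@{
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        HasSmartCardLogon = $hasLogon
        HasClientAuth     = $hasClient
        Upn               = $upn
        LogonCapable      = $hasLogon -and $hasClient -and ($upn -ne '')
    }
}

function Publish-IssuingCaToNTAuth {
    param([Parameter(Mandatory)][string]$CaCertPath)

    # Publish the issuing CA's certificate into the enterprise NTAuth store held in
    # Active Directory. This is all "add the CA to the NTAuth store" means: the CA
    # certificate is loaded, no link to the third party is created.
    certutil.exe -dspublish -f $CaCertPath NTAuthCA

    # Trigger autoenrollment on this machine so its local NTAuth cache refreshes now
    # rather than at the next Group Policy cycle, then list what the cache trusts.
    certutil.exe -pulse
    certutil.exe -enterprise -store NTAuth
}

# Usage: inspect the card's certificate first; only fix the trust store if the
# certificate itself is of the right type.
$result = Test-SmartCardLogonCert -Path 'C:\temp\user.cer'
$result | Format-List
if (-not $result.LogonCapable) {
    Write-Warning 'Certificate lacks the Smart Card Logon EKU, Client Authentication EKU, or a UPN; re-enrol it from a template that includes them.'
}

Publish-IssuingCaToNTAuth -CaCertPath 'C:\temp\issuing-ca.cer'

# Confirm chain building and revocation checking succeed from a domain member:
# a CRL the domain controller cannot fetch fails logon even with a correct cert.
certutil.exe -verify -urlfetch 'C:\temp\user.cer'
```

On the demo workstation itself, `certutil -scinfo` reads each inserted card, lists its certificates and runs the same chain and revocation checks against them, which is the quickest way to see whether the DC will accept the card before trying an interactive logon.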