Single Sign-on authentication using Smart Cards

Archived from groups: microsoft.public.win2000.security

Hello security group,

As a requirement for work, I've been doing research for work regarding
Single sign-on Windows authentication using a Smart card. I know that Windows
2000/2003 servers have good integration with Smart Cards, however I'm
wondering what the requirements are for implementing single sign-on site
wide. Ideally I would like something that integrates with AD, but I know that
is not necessarily a requirement. I've been tasked with doing a demo on a
single workstation, is this possible? What software/hardware would I need to
do this?

Just to clarify what I mean by single sign-on, I'm thinking something that
can allow a user to simply put in a Smart Card, enter their PIN, and have
access to the system, including their email profile.

Thank you all in advance.
  1.

    Also, just to add to what I wrote up top, I am currently using Smart Cards,
    however only for signing and encrypting email and viewing secured sites, not
    to log into a Windows domain. Thanks again.

  2.

    "bill" <bill@discussions.microsoft.com> wrote in message
    news:C373D198-A60B-48BF-9380-10A4BB5ED89C@microsoft.com...
    > Hello security group,
    >
    > As a requirement for work, I've been doing research for work regarding
    > Single sign-on Windows authentication using a Smart card. I know that Windows
    > 2000/2003 servers have good integration with Smart Cards, however I'm
    > wondering what the requirements are for implementing single sign-on site
    > wide. Ideally I would like something that integrates with AD, but I know that
    > is not necessarily a requirement. I've been tasked with doing a demo on a
    > single workstation, is this possible? What software/hardware would I need
    > to do this?

    You have it already for AD domains.

    > Just to clarify what I mean by single sign-on, I'm thinking something that
    > can allow a user to simply put in a Smart Card, enter their PIN, and have
    > access to the system, including their email profile.

    Win2000 and Win2003 domains (and 2000/XP clients)
    have this ability built-in -- if there is a smart card reader
    on the station it becomes a choice.

    > Also, just to add to what I wrote up top, I am currently using Smart Cards,
    > however only for signing and encrypting email and viewing secured sites, not
    > to log into a Windows domain. Thanks again.

    Why don't you just try using (your own) Smart Card to
    logon.

    Add a reader to your machine and you should see the
    choice at logon -- if your card has the required certificate
    then it will "just work". (You may have to add a cert to
    it if it doesn't have the right type/trust from the domain
    CA.)

    --
    Herb Martin


    >
    > Thank you all in advance.
  3.

    Thanks. I do have the Certs on the card but when I insert it during the logon
    screen and enter my PIN this does not log me onto the domain. I guess my real
    question is how do you tie in domain logon information with the Smart Card?
    Is this done at the CA or do I have to purchase additional middleware?

  4.

    "bill" <bill@discussions.microsoft.com> wrote in message
    news:388662CB-CAB3-4F88-8AE0-3C634408D41D@microsoft.com...
    > Thanks. I do have the Certs on the card but when I insert it during the
    > logon screen and enter my PIN this does not log me onto the domain.

    "The certs" which one(s)?

    > I guess my real question is how do you tie in domain logon information
    > with the Smart Card?

    The certs need to be issued by a "trusted" (by the domain)
    CA which usually means an "Enterprise CA".

    Effectively 'Enterprise' MEANS an Active Directory CA.

    They also have to be marked for this purpose.

    > Is this done at the CA or do I have to purchase additional middleware?

    No, you do it from a "smart card enrollment" station.
    (Just a PC that can add the cert to the card and by
    a user [admin etc.] who can request them on another
    user's behalf.)

    Search for those phrases through Google:

    [ smartcard logon "certificate enrollment station" site:microsoft.com ]


    --
    Herb Martin


  5.

    There is a great chapter in the Windows 2003 Deployment Kit on how to do what
    you want. See the link below in Part II on planning a smart card deployment. It
    is mostly the same for Windows 2000 though you can not use type 2 certificate
    templates to use autoenrollment for users with a Windows 2000 CA. You probably
    have what you need already but the wrong certificate type on your smartcard that
    would include the UPN for a domain user for domain logon. --- Steve

    http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dpgDSS_overview.asp

  6.

    Steven, I think you're right. I'm using a Schlumberger card/reader and ActivCard
    Gold 2.1 software. The certs that I see using the ActivCard software show one
    for signature, encryption, and identity but I don't see one for logon. Is
    this added during the card's creation?

  7.

    In article <7131E925-F0C2-4ADE-BC1F-2AF397CDDA48@microsoft.com>, in the
    microsoft.public.win2000.security news group, bill
    <bill@discussions.microsoft.com> says...

    > The certs that I see using the ActivCard software show one
    > for signature, encryption, and identity but I don't see one for logon. Is
    > this added during the card's creation?
    >

    No, it is added during the certificate request process. All of your
    questions can be answered by reading the information at the links
    provided to you by Steven.

    --
    Paul Adare
    "On two occasions, I have been asked [by members of Parliament],
    'Pray, Mr. Babbage, if you put into the machine wrong figures,
    will the right answers come out?' I am not able to rightly apprehend
    the kind of confusion of ideas that could provoke such a question."
    -- Charles Babbage (1791-1871)
  8.

    OK, I think I know what we need now to complete the smart card logon project
    but I have a question about a Microsoft Technet article.

    In article Q281245, (Guidelines for Enabling Smart Card Logon with Third
    party CA's), the first line in the requirements section says:

    "Required: Active Directory must have the third-party issuing CA in the
    NTAuth store to authenticate users to active directory."

    What exactly does this mean? Does it mean that a copy of the Third-party CA
    must be installed in the NTAuth store or some kind of connection must be made
    with the third-party?

  9.

    "bill" <bill@discussions.microsoft.com> wrote in message
    news:2B583768-96D0-44B8-98E6-7431D313F72F@microsoft.com...
    > OK, I think I know what we need now to complete the smart card logon
    > project but I have a question about a Microsoft Technet article.
    >
    > In article Q281245, (Guidelines for Enabling Smart Card Logon with Third
    > party CA's), the first line in the requirements section says:
    >
    > "Required: Active Directory must have the third-party issuing CA in the
    > NTAuth store to authenticate users to active directory."

    For AD (the DCs) to trust that the user's cert is properly
    issued it must "know" the issuing CA -- since a 3rd
    party CA's cert is not automatically in the AD store
    (NTAuth) you must add that Cert.

    This is very similar to visiting a web site for SSL:
    to trust the cert of the Web server your browser must
    have the TRUST Certificate for the issuing server in
    its store.

    Or at least a parent CA for that issuing CA (you can
    trust a subordinate CA by trusting the parent in many
    cases.)

    > What exactly does this mean? Does it mean that a copy of the Third-party
    > CA must be installed in the NTAuth store or some kind of connection must
    > be made with the third-party?

    No, not necessarily*. It means the trust CERT must
    be obtained and loaded into that store.

    *It should be setup so that the CRL (certificate revocation
    list) is readily available (online or periodically obtained).

    --
    Herb Martin


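The replies above list four prerequisites for a card to log a user onto the domain: a certificate marked for Smart Card Logon, the user's UPN in it, a reachable CRL, and the issuing CA in the NTAuth store. The script below checks an exported certificate against all four; it is an added example, not code from the thread or from the Microsoft articles cited, and it assumes the card's certificate has been exported to a .cer file (our `$CertPath`) and that it runs in Windows PowerShell 5.1 or later on a domain-joined workstation.

```powershell
# Added example (not from the thread): check an exported smart card certificate
# against the Windows smart card logon prerequisites discussed in the replies.
# Assumes: Windows PowerShell 5.1+, domain-joined workstation, $CertPath is ours.
param([Parameter(Mandatory)][string]$CertPath)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$report = [ordered]@{ Subject = $cert.Subject; Issuer = $cert.Issuer }

# 1. "Marked for this purpose": Enhanced Key Usage must include Smart Card Logon
#    (1.3.6.1.4.1.311.20.2.2); Client Authentication (1.3.6.1.5.5.7.3.2) is expected too.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
$report['SmartCardLogonEKU'] = $ekus -contains '1.3.6.1.4.1.311.20.2.2'
$report['ClientAuthEKU']     = $ekus -contains '1.3.6.1.5.5.7.3.2'

# 2. The Subject Alternative Name must carry the user's UPN; that is how the DC
#    maps the card to a domain account. A signing/encryption cert usually lacks it.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
$report['UPNinSAN'] = [bool]($sanText -match 'Principal Name=(\S+@\S+)')
$report['UPN'] = if ($report['UPNinSAN']) { $Matches[1] } else { '(none)' }

# 3. The chain must build to a trusted root and revocation (CRL) must be checkable
#    online for every certificate in the chain.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$report['ChainAndCRLOK'] = $chain.Build($cert)
$report['ChainStatus'] = if ($chain.ChainStatus) {
    ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' } else { 'NoError' }

# 4. The issuing CA must be in the domain's NTAuth store. The workstation keeps a
#    cached copy of that store (populated from AD) under this registry key, with
#    one subkey per certificate named by its SHA-1 thumbprint.
$ntAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$ntAuthThumbs = @()
if (Test-Path $ntAuthKey) {
    $ntAuthThumbs = @(Get-ChildItem $ntAuthKey | ForEach-Object { $_.PSChildName.ToUpper() })
}
$issuerThumb = if ($chain.ChainElements.Count -gt 1) {
    $chain.ChainElements[1].Certificate.Thumbprint } else { $null }
$report['IssuingCAinNTAuth'] = ($null -ne $issuerThumb) -and ($ntAuthThumbs -contains $issuerThumb)

[pscustomobject]$report | Format-List
```

With the card inserted, `certutil -scinfo` lists the certificates the card holds and the reader state, which is a quick way to pick the one to export for this check.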