Single Sign-on authentication using Smart Cards

Guest

Hello security group,

As a requirement for work, I've been doing research for work regarding
Single sign-on Windows authentication using a Smart card. I know that Windows
2000/2003 servers have good integration with Smart Cards, however I'm
wondering what the requirements are for implementing single sign-on site
wide. Ideally I would like something that integrates with AD, but I know that
is not necessarily a requirement. I've been tasked with doing a demo on a
single workstation; is this possible? What software/hardware would I need to
do this?

Just to clarify what I mean by single sign-on, I'm thinking something that
can allow a user to simply put in a Smart Card, enter their PIN, and have
access to the system, including their email profile.

Thank you all in advance.
 
Guest

Also, just to add to what I wrote up top, I am currently using Smart Cards,
however only for signing and encrypting email and viewing secured sites, not
to log into a Windows domain. Thanks again.
 
Herb Martin

bill said:
> Hello security group,
>
> As a requirement for work, I've been doing research for work regarding
> Single sign-on Windows authentication using a Smart card. I know that Windows
> 2000/2003 servers have good integration with Smart Cards, however I'm
> wondering what the requirements are for implementing single sign-on site
> wide. Ideally I would like something that integrates with AD, but I know that
> is not necessarily a requirement. I've been tasked with doing a demo on a
> single workstation; is this possible? What software/hardware would I need to
> do this?

You have it already for AD domains.

> Just to clarify what I mean by single sign-on, I'm thinking something that
> can allow a user to simply put in a Smart Card, enter their PIN, and have
> access to the system, including their email profile.

Win2000 and Win2003 domains (and 2000/XP clients)
have this ability built-in -- if there is a smart card reader
on the station it becomes a choice.

> Also, just to add to what I wrote up top, I am currently using Smart Cards,
> however only for signing and encrypting email and viewing secured sites, not
> to log into a Windows domain. Thanks again.

Why don't you just try using (your own) Smart Card to
logon.

Add a reader to your machine and you should see the
choice at logon -- if your card has the required certificate
then it will "just work". (You may have to add a cert to
it if it doesn't have the right type/trust from the domain
CA.)
 
Guest

Thanks. I do have the Certs on the card but when I insert it during the logon
screen and enter my PIN this does not log me onto the domain. I guess my real
question is how do you tie in domain logon information with the Smart Card?
Is this done at the CA or do I have to purchase additional middleware?
 
Herb Martin

bill said:
> Thanks. I do have the Certs on the card but when I insert it during the logon
> screen and enter my PIN this does not log me onto the domain.

"The certs" which one(s)?

> I guess my real
> question is how do you tie in domain logon information with the Smart
> Card?

The certs need to be issued by a "trusted" (by the domain)
CA which usually means an "Enterprise CA".

Effectively 'Enterprise' MEANS an Active Directory CA.

They also have to be marked for this purpose.

> Is this done at the CA or do I have to purchase additional middleware?

No, you do it from a "smart card enrollment" station.
(Just a PC that can add the cert to the card and by
a user [admin etc.] who can request them on another
user's behalf.)

Search for those phrases through Google:

[ smartcard logon "certificate enrollment station" site:microsoft.com ]
 
Steven Umbach

There is a great chapter in the Windows 2003 Deployment Kit on how to do what
you want. See the link below in Part II on planning a smart card deployment. It
is mostly the same for Windows 2000, though you cannot use type 2 certificate
templates to use autoenrollment for users with a Windows 2000 CA. You probably
have what you need already but the wrong certificate type on your smartcard that
would include the UPN for a domain user for domain logon. --- Steve

http://www.microsoft.com/resources/...003/all/deployguide/en-us/dpgDSS_overview.asp
 
Guest

Steven, I think you're right. I'm using a Schlumberger card/reader and ActivCard
Gold 2.1 software. The certs that I see using the ActivCard software show one
for signature, encryption, and identity but I don't see one for logon. Is
this added during the card's creation?
 
Paul Adare

microsoft.public.win2000.security news group, bill said:
> The certs that I see using the ActivCard software show one
> for signature, encryption, and identity but I don't see one for logon. Is
> this added during the card's creation?

No, it is added during the certificate request process. All of your
questions can be answered by reading the information at the links
provided to you by Steven.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
 
Guest

OK, I think I know what we need now to complete the smart card logon project
but I have a question about a Microsoft Technet article.

party CA's), the first line in the requirements section says:

"Required: Active Directory must have the third-party issuing CA in the
NTAuth store to authenticate users to active directory."

What exactly does this mean? Does it mean that a copy of the Third-party CA
must be installed in the NTAuth store or some kind of connection must be made
with the third-party?

 
Herb Martin

bill said:
> OK, I think I know what we need now to complete the smart card logon project
> but I have a question about a Microsoft Technet article.
>
> party CA's), the first line in the requirements section says:
>
> "Required: Active Directory must have the third-party issuing CA in the
> NTAuth store to authenticate users to active directory."

For AD (the DCs) to trust the user's cert is properly
issued it must "know" the issuing CA -- since a 3rd
party CA's cert is not automatically in the AD store
(NTAuth) you must add that Cert.

This is very similar to visiting a web site for SSL,
to trust the cert of the Web server your browser must
have the TRUST Certificate for the issuing server in
its store.

Or at least a parent CA for that issuing CA (you can
trust a subordinate CA by trusting the parent in many
cases.)

> What exactly does this mean? Does it mean that a copy of the Third-party CA
> must be installed in the NTAuth store or some kind of connection must be made
> with the third-party?

No, not necessarily*. It means the trust CERT must
be obtained and loaded into that store.

*It should be set up so that the CRL (certificate revocation
list) is readily available (online or periodically obtained).

--
Herb Martin

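A defender-side check of the three things this thread says a card needs before domain logon will work (a certificate carrying the Smart Card Logon EKU, the user's UPN in its Subject Alternative Name as Steven describes, and an issuing CA present in the enterprise NTAuth store as Herb describes). This is an added example, not code from the thread or from Microsoft; it assumes the card's identity certificate has been exported to the placeholder path C:\temp\card.cer and that certutil.exe is available.

```powershell
# Added example (not from the thread): report whether an exported smart card
# certificate meets the domain-logon requirements discussed above.
# Assumption: the certificate was exported to this placeholder path.
$CertPath = 'C:\temp\card.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2) must be present.
$ekuOids = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
$hasLogonEku = $ekuOids -contains '1.3.6.1.4.1.311.20.2.2'

# 2. The Subject Alternative Name (OID 2.5.29.17) must carry the user's UPN;
#    Windows formats that entry as "Principal Name=user@domain".
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($true) } else { '' }
$upn = if ($sanText -match 'Principal Name=([^\r\n]+)') { $matches[1].Trim() } else { $null }

# 3. The issuing CA must be in the enterprise NTAuth store. certutil lists the
#    store contents; we look for the issuer's CN in that listing.
$ntauthListing = certutil -enterprise -store NTAuth 2>$null | Out-String
$issuerCn = ($cert.Issuer -split ',' |
    Where-Object { $_.Trim() -like 'CN=*' } |
    Select-Object -First 1) -replace '^\s*CN=', ''
$issuerInNtAuth = [bool]$issuerCn -and ($ntauthListing -match [regex]::Escape($issuerCn))

# Summary: all three must be True/non-empty for the card to log on to the domain.
[pscustomobject]@{
    Subject              = $cert.Subject
    Issuer               = $cert.Issuer
    HasSmartCardLogonEKU = $hasLogonEku
    UPN                  = $upn
    IssuerInNTAuth       = $issuerInNtAuth
    CRLDistributionPoint = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } |
                            ForEach-Object { $_.Format($false) })
}
```

The last field surfaces the CRL distribution point so Herb's footnote about keeping the CRL reachable can be checked against the DCs' network access; a missing CA is fixed with `certutil -enterprise -addstore NTAuth <ca-cert.cer>` (from the thread's TechNet guidance), not by any connection to the third party.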
 
