Windows Server 2012 - PIV smart card logon from client

    Question

  • Hello,

    I am trying to enable smart card PIV logon in a test environment.

    I have successfully installed Windows Server 2012.

    I have installed AD CS, AD DS, IIS, DNS.

    I can successfully log in from another computer running Windows 7 on my LAN into my newly created domain.

    NOW:

    I have generated a key pair with OpenSSL and generated a certificate request with:

    OpenSSL> engine dynamic -pre SO_PATH:/Library/OpenSC/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/Library/OpenSC/lib/opensc-pkcs11.so

    which looks like this:

    Certificate Request:
    Data:
    Version: 0 (0x0)
    Subject: C=Se, ST=Milan, L=Milan, O=test, OU=user, CN=tom/emailAddress=test@test.com
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
    Modulus (2048 bit):
    00:8d:ed:5f:22:84:6f:84:8c:23:7c:f4:17:7d:19:
    2b:b5:c4:26:12:54:a5:48:67:02:f1:13:f3:44:f2:
    e7:77:7d:f3:56:0c:78:fb:5a:4c:f2:9b:00:8b:75:
    8c:9c:89:45:2c:87:96:a7:65:35:55:3a:ad:7d:8e:
    ba:e3:57:11:9a:b6:f3:1a:c4:7a:2e:93:77:ff:5a:
    bb:3e:9e:b2:87:5d:33:ee:9c:1f:f1:9f:00:57:ce:
    17:e0:31:49:0e:f0:78:10:c2:2e:6e:48:a6:aa:d7:
    4f:fe:d7:5d:14:b9:05:ed:28:a3:28:20:f4:0b:bc:
    b0:ed:31:07:25:83:fa:88:23:75:9a:ce:ec:54:0a:
    21:65:83:2c:4b:bc:80:7a:8f:00:57:e7:7a:00:36:
    39:1c:d1:c1:d1:3d:5b:83:18:15:19:e0:53:49:70:
    96:97:3d:f4:f9:6c:59:95:1e:0d:f7:9e:51:17:1e:
    a4:57:05:64:78:94:21:a0:c2:5c:f7:7c:ac:d3:9f:
    eb:00:b8:db:91:1e:16:0c:2b:c3:c4:2c:98:0a:b0:
    7a:11:b0:8d:d2:1e:21:c7:e8:d4:56:e2:e1:fb:c2:
    c7:60:bb:4b:a6:1a:1d:4b:eb:aa:c7:1e:39:46:3e:
    01:a3:9d:70:4c:fa:fc:38:5a:11:a0:0a:fa:39:2e:
    e8:b5
    Exponent: 65537 (0x10001)
    Attributes:
    unstructuredName :Test
    Signature Algorithm: sha1WithRSAEncryption
    4f:11:12:8c:ef:a8:9e:64:fe:3e:6d:96:8e:5a:5f:9a:59:15:
    2d:fe:98:5c:e4:d8:9b:e2:f7:b4:01:e7:64:ba:5e:7c:02:ad:
    e7:0c:e5:37:e1:b9:e3:a8:f9:a4:6a:97:c5:f9:f0:86:42:af:
    f8:d4:5d:44:df:8d:ad:e0:b1:ae:ac:ca:97:c1:61:81:00:db:
    29:79:b7:7c:fc:4d:37:94:9d:ac:d2:65:24:8c:6a:4e:df:ff:
    7a:34:ad:04:35:ba:53:de:73:bb:66:e2:d9:0f:ca:0e:ba:ad:
    d1:e9:e5:8e:df:2e:9c:c1:04:63:7a:fe:c1:e5:15:8e:a7:e5:
    2b:23:7e:9d:26:56:bd:66:27:e6:fa:12:b8:62:80:b4:95:9a:
    ff:bd:19:86:c1:f2:1b:2d:dd:47:9c:13:ed:b3:cd:cf:94:39:
    eb:b4:6f:3b:15:80:53:34:e4:19:c6:cb:5d:5b:44:09:3b:29:
    90:06:38:85:10:49:1e:38:59:b1:05:d8:e7:50:7a:63:fe:07:
    08:26:ea:1d:32:1e:73:df:bb:33:d7:02:1f:51:ff:35:3f:af:
    5b:a5:a2:a1:b9:2b:37:0b:d5:e9:44:fa:d7:ff:a3:1b:7d:48:
    79:bf:c5:cf:0c:d7:c2:5d:94:a7:bc:cb:a5:e7:c8:80:9f:24:
    e6:7d:e3:e9
    -----BEGIN CERTIFICATE REQUEST-----
    MIIC4DCCAcgCAQAwgYMxCzAJBgNVBAYTAlNlMRIwEAYDVQQIEwlTdG9ja2hvbG0x
    EjAQBgNVBAcTCVN0b2NraG9sbTEPMA0GA1UEChMGWXViaWNvMQ0wCwYDVQQLEwR1
    c2VyMQwwCgYDVQQDEwN0b20xHjAcBgkqhkiG9w0BCQEWD3Rlc3RAeXViaWNvLmNv
    bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI3tXyKEb4SMI3z0F30Z
    K7XEJhJUpUhnAvET80Ty53d981YMePtaTPKbAIt1jJyJRSyHlqdlNVU6rX2OuuNX
    EZq28xrEei6Td/9auz6esoddM+6cH/GfAFfOF+AxSQ7weBDCLm5IpqrXT/7XXRS5
    Be0ooygg9Au8sO0xByWD+ogjdZrO7FQKIWWDLEu8gHqPAFfnegA2ORzRwdE9W4MY
    FRngU0lwlpc99PlsWZUeDfeeURcepFcFZHiUIaDCXPd8rNOf6wC425EeFgwrw8Qs
    mAqwehGwjdIeIcfo1Fbi4fvCx2C7S6YaHUvrqsceOUY+AaOdcEz6/DhaEaAK+jku
    6LUCAwEAAaAXMBUGCSqGSIb3DQEJAjEIEwZZdWJpY28wDQYJKoZIhvcNAQEFBQAD
    ggEBAE8REozvqJ5k/j5tlo5aX5pZFS3+mFzk2Jvi97QB52S6XnwCrecM5TfhueOo
    +aRql8X58IZCr/jUXUTfja3gsa6sypfBYYEA2yl5t3z8TTeUnazSZSSMak7f/3o0
    rQQ1ulPec7tm4tkPyg66rdHp5Y7fLpzBBGN6/sHlFY6n5Ssjfp0mVr1mJ+b6Erhi
    gLSVmv+9GYbB8hst3UecE+2zzc+UOeu0bzsVgFM05BnGy11bRAk7KZAGOIUQSR44
    WbEF2OdQemP+Bwgm6h0yHnPfuzPXAh9R/zU/r1uloqG5KzcL1elE+tf/oxt9SHm/
    xc8M18JdlKe8y6XnyICfJOZ94+k=
    -----END CERTIFICATE REQUEST-----

    I have submitted this request to my CA and issued a certificate. I have then put the certificate test.cer on my smart card.

    I have imported the root CA into the Trusted Root CA store of my Windows 7 client.

    I have enabled the "use smart card at login" option for the test user.


    I go and try to log in and I get a message that the smart card does not contain a valid certificate or to insert the smart card correctly (which is )

    This is what I can see about my certificate with certmgr.msc when I try to import it:

    I am using Windows Server 2012 on a virtual machine, hosted by Windows 8.

    My client is a different machine on the same subnet, running Windows 7 (all updates installed).

    If anyone has good advice to give it will be greatly appreciated. I can't find any documentation related to smart cards and Windows Server 2012. I have found some documents about adding a template but none of them works, as on Windows Server 2012 I do not have the same buttons/interface/results described in the tutorials for Windows Server 2003/2008.

    Thank you in advance.

    Any help / suggestion would be greatly appreciated.




    Wednesday, September 11, 2013 12:25 PM

All replies

  • Hi,

    Have you installed your root CA certificate into the NTAuthCA store?

    If not, you can use certutil.exe to do so. You need to be an Enterprise Admin for that.

    certutil.exe -f -dspublish rootca.cer NTAuthCA

    (see also http://support.microsoft.com/kb/295663)

    Regards,

    Lutz

    Wednesday, September 11, 2013 12:30 PM
  • Thank you for your reply.

    I think I did not mention before that I am using a standalone certification authority.

    I have installed the CA certificate as you suggested on my Windows Server 2012, but I think it doesn't matter in my standalone configuration. Anyway, I tried to log in again from the client and it didn't work.

    Wednesday, September 11, 2013 12:58 PM
    Are you using a Standalone CA? In this case, your certificate is unlikely to be valid for smart card logon, because the request doesn't contain any of the required information. Since a Standalone CA does not use certificate templates, it cannot guess for what purposes the request is intended and uses only the information stored in the certificate request. For smart card logon your certificate must meet the following minimum requirements:

    1) Enhanced Key Usage extension is set to "Smart Card Logon" (1.3.6.1.4.1.311.20.2.2)

    2) Subject Alternative Name extension must include the user's User Principal Name (UPN) value, which is usually username@domainname.ext

    Also, the issuing CA must be installed in the NTAuthCA store (you already completed this step).

    And the last note: make sure you are trying to log on from a domain-joined computer (PKINIT cannot be initialized on workgroup computers).


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    Wednesday, September 11, 2013 5:03 PM
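The two fields listed in the reply above, as an added example that is not part of the thread: a POSIX shell script using OpenSSL that writes a request config carrying the Smart Card Logon EKU and a UPN otherName in the SAN, produces one CSR shaped like the poster's (subject only, no extensions) and one with the extensions, self-signs the latter as a stand-in for the CA-issued certificate, and checks any CSR or certificate for both fields by searching its DER for the two Microsoft OIDs. The UPN tom@test.local, the software key and the self-signed stand-in are assumptions; the poster's key lives on the card and would be reached through the OpenSC PKCS#11 engine instead, and an enterprise CA would apply its template's extensions rather than the request's.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values: UPN tom@test.local
# (must equal the AD user's userPrincipalName), a software RSA key, and a
# self-signed certificate standing in for the CA-issued one.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

UPN="${UPN:-tom@test.local}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# DER encodings (tag 06, length 0a, contents) of the two Microsoft OIDs, so the
# check does not depend on which OID names the local OpenSSL build can print.
EKU_SC_LOGON_HEX=060a2b060104018237140202   # 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
UPN_OTHERNAME_HEX=060a2b060104018237140203  # 1.3.6.1.4.1.311.20.2.3 UPN otherName

# Request config. The poster's CSR carried only a subject and an
# unstructuredName attribute; the [sc_logon] section adds what AD looks for.
write_req_config() {  # $1 = output path
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
C  = SE
O  = test
CN = tom

[ sc_logon ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, msSmartcardLogin
subjectAltName   = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$UPN
EOF
}

der_hex() {  # $1 = req|x509, $2 = PEM file -> DER as one lowercase hex string
    openssl "$1" -in "$2" -outform DER | od -An -tx1 | tr -d ' \n'
}

# Returns 0 if the CSR/certificate carries the Smart Card Logon EKU and a UPN
# otherName whose value is $3 (the UTF8String follows the OID in DER);
# otherwise prints what is missing and returns 1.
check_sc_logon() {  # $1 = req|x509, $2 = PEM file, $3 = expected UPN
    hex=$(der_hex "$1" "$2")
    upn_hex=$(printf '%s' "$3" | od -An -tx1 | tr -d ' \n')
    rc=0
    case "$hex" in *"$EKU_SC_LOGON_HEX"*) ;;
        *) echo "$2: missing EKU Smart Card Logon (1.3.6.1.4.1.311.20.2.2)"; rc=1 ;; esac
    case "$hex" in *"$UPN_OTHERNAME_HEX"*"$upn_hex"*) ;;
        *) echo "$2: missing SAN otherName UPN $3"; rc=1 ;; esac
    return $rc
}

build_demo() {
    write_req_config "$WORKDIR/req.cnf"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/key.pem" 2>/dev/null
    # CSR shaped like the poster's: subject only, no extensions.
    openssl req -new -config "$WORKDIR/req.cnf" -key "$WORKDIR/key.pem" \
        -out "$WORKDIR/plain.csr"
    # CSR with the logon extensions.
    openssl req -new -config "$WORKDIR/req.cnf" -reqexts sc_logon \
        -key "$WORKDIR/key.pem" -out "$WORKDIR/sclogon.csr"
    # Stand-in for the CA: self-sign with the same extensions. A standalone CA
    # issues what the request asks for; an enterprise CA uses the template's.
    openssl x509 -req -in "$WORKDIR/sclogon.csr" -signkey "$WORKDIR/key.pem" \
        -days 30 -sha256 -extfile "$WORKDIR/req.cnf" -extensions sc_logon \
        -out "$WORKDIR/sclogon.crt" 2>/dev/null
}

build_demo
check_sc_logon req  "$WORKDIR/plain.csr"   "$UPN" || echo "plain CSR rejected, as expected"
check_sc_logon req  "$WORKDIR/sclogon.csr" "$UPN" && echo "sclogon.csr: ok"
check_sc_logon x509 "$WORKDIR/sclogon.crt" "$UPN" && echo "sclogon.crt: ok"
```

Run `check_sc_logon x509 test.cer <upn>` against the certificate actually written to the card (convert with `openssl x509 -inform DER` first if it is binary); the check is on the certificate's DER, so it is indifferent to which tool wrote it. The OID search is a substring match on hex, which is sufficient for a sanity check but not a parser.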
  • Thanks,

    I will try to find a Windows Server 2012 Enterprise edition, in order to be able to install an enterprise CA.

    Friday, September 13, 2013 12:39 PM
  • Hi,

    Microsoft changed the SKUs in 2012 and there is no Enterprise edition any more, so you can go Standard or Datacenter either way for your purpose.

    A CA can be installed as Standalone CA or Enterprise CA (AD required) on Windows Server 2012 Standard or Datacenter. The term Enterprise CA does not refer to the Windows server edition.

    Regards,

    Lutz

    Friday, September 13, 2013 1:37 PM
  • Thank you.

    Yes, I noticed that, and I fixed the problem by creating an enterprise admin in Active Directory, logging in with that user and installing the enterprise CA.

    I have also created a smart card certificate template; now I need to figure out how to create a new certificate request based on the smart card template.

    Currently I am running certmgr.msc and right clicking on Personal, then I request a new certificate and the certificate enrollment wizard opens.

    The problem is that I cannot select the newly added smart card template with my enterprise administrator user, and I need to figure out why.

    Thank you Lutz.

    Monday, September 16, 2013 2:57 PM
  • You say you created a new certificate template, but you don't mention that you've also published it at the CA. Also, if you have published it, make sure that you've got Read and Enroll permissions set.
    Monday, September 16, 2013 3:40 PM
  • Yes, thanks, I did publish it correctly, I think.

    It's called "copy of smartcard".

    If I manage to go through this I'll write a step-by-step guide.

    Tuesday, September 17, 2013 7:58 AM
  • On the Request Certificates page in the Certificate Enrollment wizard, select the Show all templates check box to find your template in the list. There should be an explanation below that indicates why the template is not available. Post that explanation here.
    Tuesday, September 17, 2013 8:13 AM
  • Ok, it works, but probably it is not the best way of doing it.

    Windows Server 2012 RC1 STANDALONE with all patches/upgrades installed at post date.

    1) Create an enterprise administrator account in Active Directory.
    2) Log in with that account.
    3) Install an enterprise root CA.
    4) In Certificate Templates on the LEFT panel, right click and select MANAGE.
    5) Select Smartcard Logon and duplicate it, so if you break stuff you have the original.
    6) Click MANAGE again and right click the "Copy of smartcard" template.
    7) Set all the options; for example KEY SIZE I had to set to 2048 MINIMUM to make it work.
    8) Once the certificate is ready you will need to publish it in your CA: under Certificate Templates simply click NEW and select "copy of smartcard".
    9) Open certmgr.msc, right click the Personal store, Request New Certificate and go through the whole wizard.
    10) Issue the new request via your CA administration panel.
    11) Now the hard part: you have to put your certificate and private key on your smart card. This depends on what smart card you have, etc.; there is not one way of doing it.
    I exported the certificate with private key to a PFX file, then extracted the private key with OpenSSL following this tutorial http://sycure.wordpress.com/2008/05/15/tips-using-openssl-to-extract-private-key-pem-file-from-pfx-personal-information-exchange/ and I have also extracted the certificate.

    Good Luck.
    Tuesday, September 17, 2013 2:31 PM
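Step 11's software path as an added example, not code from the poster: splitting a PFX with OpenSSL the way the linked tutorial does, then confirming that the extracted private key and certificate belong together before either is written to the card. The PFX password and the throwaway self-signed certificate standing in for the CA-issued one are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed: PFX password "changeit"
# and a self-signed demo certificate in place of the CA-issued one.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-changeit}"

# Split a PFX into an unencrypted private key and the leaf certificate.
# The key is in clear on disk after this: keep the directory private and
# remove it once the card has been loaded.
pfx_to_pem() {  # $1 = pfx, $2 = password, $3 = key PEM out, $4 = cert PEM out
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$4" 2>/dev/null
    chmod 600 "$3"
}

# Returns 0 if the private key's public half equals the certificate's public
# key. Compares the SubjectPublicKeyInfo DER, so it works for RSA and EC keys.
key_matches_cert() {  # $1 = key PEM, $2 = cert PEM
    key_spki=$(openssl pkey -in "$1" -pubout -outform DER | od -An -tx1 | tr -d ' \n')
    crt_spki=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -outform DER | od -An -tx1 | tr -d ' \n')
    [ -n "$key_spki" ] && [ "$key_spki" = "$crt_spki" ]
}

# Build a demo PFX shaped like the one certmgr.msc exports: one key, one
# certificate, password protected.
make_demo_pfx() {  # $1 = pfx out, $2 = password
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORKDIR/orig.key" \
        -subj "/C=SE/O=test/CN=tom" -days 30 -out "$WORKDIR/orig.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORKDIR/orig.key" -in "$WORKDIR/orig.crt" \
        -name tom -passout "pass:$2" -out "$1"
}

make_demo_pfx "$WORKDIR/tom.pfx" "$PFX_PASS"
pfx_to_pem "$WORKDIR/tom.pfx" "$PFX_PASS" "$WORKDIR/tom.key" "$WORKDIR/tom.crt"
# An unrelated key, to show the check rejecting a mismatched pair.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/other.key" 2>/dev/null

key_matches_cert "$WORKDIR/tom.key" "$WORKDIR/tom.crt" \
    && echo "tom.key matches tom.crt: safe to load both onto the card"
key_matches_cert "$WORKDIR/other.key" "$WORKDIR/tom.crt" \
    || echo "other.key does not match tom.crt: do not load this pair"
```

Run `key_matches_cert` on whatever key and certificate you are about to write with your card tooling; a card holding a certificate whose key it does not have cannot complete the logon. The reply that follows makes the wider point: with a CSP that matches the card, the key pair is generated on the card and this extraction step does not exist.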
  • You have some things wrong with your procedure:

    1. By definition you can't use certificate templates with a standalone CA, only with an enterprise CA. Certificate templates are objects that are stored in Active Directory, a standalone CA is not joined to an Active Directory domain, therefore no access to certificate templates. If you were able to publish a certificate template at the CA then you have an enterprise CA, not a standalone.
    2. There is absolutely no need to manually put the certificate and private key on to the smart card. You simply need to select the correct CSP on the Request Handling tab of the certificate template, that is, one that corresponds to the smart cards you're using. Doing it this way is the correct approach for a number of reasons, not the least of which being this causes the key pair to be generated on the smart card (for most CSPs) and not in software.

    There are lots of how-tos and labs etc. on the TechNet web site and others that describe in detail the proper procedures for implementing AD CS and for deploying smart cards.

    Tuesday, September 17, 2013 2:55 PM
  • Hello Paul,

    In steps 1 and 2 I mention creating an enterprise admin in order to install an enterprise CA, which I indeed did and used.

    Regarding your point 2:

    If I were generating the key pair on the smart card, I would then have to generate the certificate request with OpenSSL, submit the request and get the certificate.

    Indeed you are right that it is safer to have the smart card generate the keys, but for testing purposes it is way simpler to have Windows generate the PFX file based on the template, without messing with the OpenSSL config file in order to generate a request with the right attributes for the smart card template.

    In my case, no middleware/Windows CSP can handle the smart card I am using; I need to manage it with piv-tools.

    There are many tutorials which work fine before Windows Server 2012. None of the ones I tried really worked for me; I had to collect the information and figure out a way of doing it by assembling the pieces of information.

    Wednesday, September 18, 2013 6:57 AM