Smart Card Enrollment not showing in CertSrv

    Question

  • I have been reading various whitepapers on how to set up smart card enrollment via the online web enroller, but I have run into a roadblock that I cannot figure out.  I have set up a Windows Server 2008 Enterprise server as an Enterprise Root CA.  I have also installed the web enrollment role and verified that it is working, as I can get to the pages and request certificates.  I have also installed the following certificates on the server: enrollment agent, enrollment agent (computer) and smartcard logon.  But when I go to http://<server_name>/CertSrv, request certificate, advanced, I do not see the option to "Request a certificate for a smart card on behalf of another user...".  I am wondering if I have missed a few steps to get this to work.  Can an Enterprise root CA be on the same server as an enrollment agent?  If you need more information let me know, but I am just confused at this point.

    Any help would be appreciated!
    Troy
    Saturday, January 23, 2010 1:07 AM

Answers

  • ScrdEnrll.dll was deprecated after Windows 2003.
    To enroll a smart card, as Vadims has mentioned, you first need an enrollment agent certificate.
    You then need either a Windows Vista/Windows 2008 or Windows 7/Windows 2008 R2 client computer.
    The functionality has been moved to the Certificates MMC focused on the current user.
    You need to perform an Enroll on Behalf of operation from Advanced Operations.
    Brian
    Sunday, January 24, 2010 12:55 AM
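    The two client-side prerequisites Brian lists (a supported OS and an Enrollment Agent certificate in the current user's personal store) can be checked from PowerShell before opening the Certificates MMC. This is an added example, not code from the thread or from Microsoft; it assumes it is run as the enrollment agent user on the domain-joined client, and the EKU OID it matches is Microsoft's documented Certificate Request Agent OID.

```powershell
# Added example: verify the Enroll On Behalf Of prerequisites from the thread.
# Assumption: run in the enrollment agent user's own session on the client machine.
$CertificateRequestAgentOid = '1.3.6.1.4.1.311.20.2.1'   # EKU "Certificate Request Agent" (Enrollment Agent)

# 1. The Certificates MMC Enroll On Behalf Of wizard exists on Windows Vista / Server 2008 (NT 6.0) and later.
$os = [System.Environment]::OSVersion.Version
if ($os.Major -lt 6) {
    Write-Warning "Enroll On Behalf Of needs Windows Vista/2008 or later; this machine reports $os"
}

# 2. Cert:\CurrentUser\My (not the machine store) must hold a valid Enrollment Agent certificate
#    whose private key is usable by this user; it is what signs the on-behalf-of request.
$agentCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (
        $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    ) -contains $CertificateRequestAgentOid
}

if (-not $agentCerts) {
    Write-Warning "No valid Enrollment Agent certificate in Cert:\CurrentUser\My. Enroll one first (the CA must have the Enrollment Agent template published and grant this user Enroll permission)."
} else {
    Write-Host "Enrollment Agent certificate(s) available to the current user:"
    $agentCerts | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
}
```

    If the second check fails, the certificate may have been enrolled into the computer store or under a different account; the MMC only offers Enroll On Behalf Of for agent certificates in the current user's personal store.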

All replies

  • At first you need to enroll 'Enrollment Agent' certificate that will be used for request signing.
    http://www.sysadmins.lv
    Saturday, January 23, 2010 8:25 AM
  • Hi,

    How's everything going? We've not heard back from you in a few days and wanted to check if the suggestion has helped. If you need any further assistance, please do not hesitate to respond back.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, February 02, 2010 7:19 AM
    Moderator
  • I just got everything up and running a few days ago and have been testing successfully so far.  Thanks for the help.

    Troy
    Tuesday, February 02, 2010 2:41 PM
  • Thanks for your update, Troy.

    Have a nice day.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, February 03, 2010 12:59 AM
    Moderator
  • hi

    I am also doing the same thing. I have followed the steps given above and could get smart card logon certificates in MMC on behalf of three users. Please tell me how to write them to the smart card? The process did not ask me to insert a smart card into the reader, though the reader is attached to the machine. I am using a Windows 2008 machine as a client.

    muki

    Friday, March 26, 2010 10:44 AM
  • If the certificate is being issued but is not being written to the card then you have not selected the correct CSP on your certificate template. Edit the certificate template to select the smart card CSP that you're using and you'll be fine. Note that when editing the certificate template, the CSP you want to use has to be installed on the computer from which you are performing the edit.
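    Paul's diagnosis can be confirmed without opening the template editor: the CSPs a template allows are stored as the multi-valued pKIDefaultCSPs attribute on the template object in the AD configuration partition, and `certutil -csplist` shows which CSPs are registered on the local machine. The script below, an added example rather than code from the thread or from Microsoft, reads both and warns when no smart card CSP is selected or when a selected CSP is not installed where the edit is being done. It assumes the template's common name (the AD CN, e.g. `SmartcardLogon`, which differs from the display name) and uses a name-based heuristic to recognise smart card CSPs.

```powershell
# Added example: compare a certificate template's allowed CSPs with the CSPs installed locally.
# Assumption: $TemplateName is the template CN in AD (default 'SmartcardLogon'); run on a domain-joined machine.
param([string]$TemplateName = 'SmartcardLogon')

# Templates live in the configuration naming context, under Public Key Services.
$rootDse      = [ADSI]'LDAP://RootDSE'
$templatePath = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
$template     = [ADSI]$templatePath
try   { $null = $template.distinguishedName }
catch { throw "Template '$TemplateName' not found at $templatePath" }

# pKIDefaultCSPs entries are formatted '<order>,<CSP name>'; keep only the name.
$templateCsps = @($template.pKIDefaultCSPs) | ForEach-Object { ($_ -split ',', 2)[1].Trim() }

# certutil -csplist prints one 'Provider Name: <name>' line per registered CSP.
$localCsps = certutil -csplist | ForEach-Object {
    if ($_ -match '^Provider Name:\s*(.+)$') { $Matches[1].Trim() }
}

Write-Host "Template '$TemplateName' allows these CSPs:"
$templateCsps | ForEach-Object { "  $_" }
Write-Host "CSPs installed on this machine:"
$localCsps | ForEach-Object { "  $_" }

# Heuristic: a smart card CSP is normally named after the card or middleware.
$smartCardCsps = $templateCsps | Where-Object { $_ -match 'Smart Card|Gemalto|Gemplus' }
if (-not $smartCardCsps) {
    Write-Warning "No smart card CSP is selected on the template; keys will be generated in software and nothing is written to the card."
}

# A CSP must be installed on the editing machine for it to appear in the template's CSP list.
$missing = $templateCsps | Where-Object { $localCsps -notcontains $_ }
if ($missing) {
    Write-Warning "Template CSP(s) not installed on this machine: $($missing -join '; ')"
}
```

    On the client, `certutil -scinfo` additionally shows whether the card and its CSP are reachable through the attached reader, which separates a template problem from a missing or broken middleware installation.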
    Paul Adare CTO IdentIT Inc. ILM MVP
    Friday, March 26, 2010 11:01 AM
  • Thanks Paul for your response. Does it mean my smart card provider has to give me a CSP that I need to install on my machine before doing this exercise? I am using a GemPlus (Gemalto) smart card and I don't have a CSP from the company. Can I download it from their website, or do I have to get it from the company exclusively?

    muki

    Monday, March 29, 2010 11:00 AM
  • You have to *purchase* the software. Whether you get it from the company or purchase it from Gemalto does not matter.

    Brian

    Monday, March 29, 2010 1:44 PM
  • Thanks for your help. Is there any open source or freeware software that can work here? I am a university student and doing it as my final project.
    Tuesday, March 30, 2010 4:49 AM
  • Not that I'm aware of, no, and Gemplus cards are ancient. Gemplus merged with Axalto back in 2006. You could try contacting Gemalto and explaining your situation. The other option is to buy a Gemalto .NET Base CSP card. The Microsoft Base CSP ships with Windows Vista and above and is available from Windows Update for XP systems.

    Paul Adare CTO IdentIT Inc. ILM MVP
    Tuesday, March 30, 2010 10:44 AM