Testing PKI with Windows 7 x64 under an (otherwise) working public key infrastructure (Windows 2008 CA) using Smart Card certificates based on V2 templates. I've enrolled an AD user successfully with a smartcard and, validating the cert, it looks all ok (via certutil -scinfo). For all intents and purposes the smart card appears ok, but when I try to log on with the user and the smartcard inserted in the machine, I get the following error message:
"The system could not log you on. You cannot use a smart card to log on because smart card login is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."
Kind of weird message :-/ The smart card reader is built in on a Dell E6400 ATG... the smart card itself is a Gemalto .NET based card. I've validated that the cert is correctly written to the card via the netsolutions site at Gemalto ... Windows 7 reads the smart card and the user ID correctly from the GUI logon screen ... it's only when I enter the PIN and it attempts to log on that I get the above message....
Is there anything "special" I need to do in Windows 7 or in group policy to enable smart card support?? This has worked fine in the past on XP....
Both the smart card service and the certificate propagation service are running...
I've got the opposite problem. Got the Gemalto.NET card with certificates from 2008 R2 with Enterprise CA, and RDP with autologin to both Server 2008 and 2008 R2. But getting the card to login to Windows 7 (x64 Ultimate) is a problem. I'm also using Latitude E6400. Can it be the Controlpoint/Wave software that gives me a problem? All services are running.
Btw; the E6400 is NOT part of any domain, just standalone workstation. Also; is there something within the certificate that must match any of the local credentials to work?
I don't see the smartcard as a login option on the logon GUI.
I've just been using the Controlpoint drivers without the actual Controlpoint software at the moment, primarily because of issues with respect to Mobile Internet and HSPA cards when testing in the past. The HSPA/mobile broadband side is working at the moment (using a SIM in my laptop)....
That's a fairly unusual situation you're describing.. I've used smartcard logon to TS Gateway in the past with no problem from a stand-alone. In your case though, since your machine is not domain-joined, smartcard logon is likely to fail as there's no security principal (the domain) to assert the validity of your credentials at logon, e.g. email@example.com, as your machine is not domain joined, i.e. you're stuck between a rock and a hard place :-)
So; since the cert is issued from the CA, the local W7 will not use this ?
The strange thing is that the W7 does not even show the Smartcard option to login.
I've checked the local Certificate store, and the cert fram the CA is in my Personal Certificate store.
I've used many hours (days & nights and got an angry girlfriend) to solve this issue.
Basically; what you say is that its impossible to create a cert from the CA to the Gemalto card and use this for local login to a stand alone workstation ?
Is it possible to create a local certificate on the W7 to use for local login? The Gemalto has space for several certificates; luckily...
Pretty much... my understanding is that smartcard can only be used for logging on with a domain account, not a local one, so interactive logon in this case is out.
Smartcard on your local machine doesn't really give you any more inherent protection btw.... physical access to a machine circumvents all other access...... that's why it has more value in the domain logon scenario, with two-factor authentication to your domain resources.
With regards your question.. no, I don't think it is possible... at least not with the tools we're describing. Most solutions assume that your authentication provider (security database) is remote , not local to the machine.
I actually disagree. As long as there is an EKU in the certificate, it should work for local logon. But I don't know if the certificate issued by the CA will work though.
In GPedit, under Computer Configuration-Windows Components-Smart Card there are policies to disable certain parameters. I need to read more on those.
Btw; Dell SmartCard is not available for shopping in Norway where I'm located; so I can not enroll any cards through Controlpoint/Wave manager. My Gemalto.NET card is purchased from a local store.
The reason for using the laptop as stand alone outside domain is that it's "never" connected locally to any wired network, and there is no reason for it to be a member of the domain. Its only connecting through RDP and for Outlook (Exchange 2007). Here I use the certificate for RDP logon and for signing/encrypting emails.
But I still think, and believe, that our problems are connected and that its the W7 who's the problem....
OK..... I've got it working with Windows 7 on the 6400 together with the Mobile Internet Broadband using domain-based interactive logon.... so the pressures off at least at this end :-)
"I actually disagree."
I can see you're healthy motivated to fix the problem.. which is good :-)
"As long as there is an EKU in the certificate, it should work for local logon."
Agreed (kind of).. although in your case the common name (the username) is the key identifier for logon purposes.. a UPN in this case is moot as there is no domain to speak of.... I'm assuming the Smart Card Login OID is present in your certificate template together with Client Authentication, and that the purpose is set to "Signature and Smartcard Logon".. I'm working with V2 templates at the mo...
"In GPedit, under Computer Configuration-Windows Components-Smart Card there are policies to disable certain parameters. I need to read more on those."
In my case I haven't tweaked any settings via GPO... to resolve the problem described earlier I ended adding the AMT HECI driver for the chipset and the Broadcom drivers from the Connection Manager packs.... I suspect it was the latter that was the problem. Again I haven't installed any Dell Connection Manager software so I'm relying purely on drivers.
"Btw; Dell SmartCard is not available for shopping in Norway where I'm located; so I can not enroll any cards through Controlpoint/Wave manager. My Gemalto.NET card is purchased from a local store"
The Gemalto drivers from Windows 7 RTM worked ok for me.
"The reason for using the laptop as stand alone outside domain is that it's "never" connected locally to any wired network, and there is no reason for it to be a member of the domain."
OK, but here's where I disagree :-) .. the machine in question will need to connect back to your Enterprise CA certificate distribution point (CDP) to check that the certificate is valid. That's part of basic PKI functionality to ensure certificates are valid. In your case, you'll need an HTTP-based CDP reachable from the local machine, i.e. reachable over a LAN or over the Internet from the "stand-alone" machine, as the default LDAP CDPs are meaningless as your client is not domain-joined. Otherwise, you'll need to turn off certificate revocation checking on the local machine completely, which is diluting security even further.
"Its only connecting through RDP and for Outlook (Exchange 2007). Here I use the certificate for RDP logon and for signing/encrypting emails."
I was slightly confused here.. so you don't intend to use the smartcard for local logon? If this is the case this is a workable scenario. You can use a smartcard from a non-domain joined machine to connect for RDP logon. S/MIME is also possible from Outlook, but YMMV as you may run into trust issues when sending encrypted mails to parties that don't trust your CA. Again, bear in mind the comments made earlier about the CDP... the "stand-alone" machine will still need to "connect" back to the CA to access the CDP/AIA, plus you'll have to do certificate renewals etc.
On a parting note, you need to be clear about why you really need to use smart cards (in this scenario). You're working outside the normal working conventions of Windows with a non-domain joined machine and the pay-off in this case is negligible. I'm not trying to dissuade you from continuing but it's likely to be an uphill struggle.
Good luck and post back if you want to discuss further!
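A way to check, on the client, the points raised in the reply above (the Smart Card Logon and Client Authentication EKUs, the UPN in the certificate, whether the CDP/AIA URLs are HTTP or LDAP-only, and whether the chain builds with online revocation checking). This is an added PowerShell example, not code from the thread or from either poster. It assumes PowerShell 3 or later, that the Certificate Propagation service has already copied the card's certificate into the user's Personal store, and the standard Microsoft OIDs 1.3.6.1.4.1.311.20.2.2 (Smart Card Logon) and 1.3.6.1.5.5.7.3.2 (Client Authentication); the function names Get-EkuOids and Test-SmartCardLogonCert are my own.

```powershell
# Added example (not from the thread): inspect a smart card certificate for the
# properties smart card logon depends on. Assumes PowerShell 3+ and that the
# card's certificate is already in Cert:\CurrentUser\My.

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
}

function Test-SmartCardLogonCert {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $r = [ordered]@{ Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint }

    # 1. EKU: a certificate from the "Smartcard Logon" template carries both.
    $eku = @(Get-EkuOids $Cert)
    $r.SmartCardLogonEKU = $eku -contains $SmartCardLogonOid
    $r.ClientAuthEKU     = $eku -contains $ClientAuthOid

    # 2. UPN in the Subject Alternative Name. Domain logon maps the certificate
    #    to the account through this value; a standalone machine has nothing
    #    to map it to.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $r.UPN = $null
    if ($san -and $san.Format($true) -match 'Principal Name=(\S+)') { $r.UPN = $Matches[1] }

    # 3. CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) URLs. A non-domain-joined
    #    client cannot follow ldap:/// URLs, so an http:// URL must exist and be
    #    reachable or revocation checking will fail.
    $urls = @()
    foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) {
            $urls += [regex]::Matches($ext.Format($true), '(?i)(https?|ldap)://\S+') |
                ForEach-Object { $_.Value }
        }
    }
    $r.HttpUrls     = @($urls | Where-Object { $_ -match '^https?://' })
    $r.LdapOnlyUrls = ($urls.Count -gt 0) -and ($r.HttpUrls.Count -eq 0)

    # 4. The private key must be reachable through the card's CSP/KSP.
    $r.HasPrivateKey = $Cert.HasPrivateKey

    # 5. Build the chain with online revocation checking, as logon will.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $r.ChainValid  = $chain.Build($Cert)
    $r.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]$r
}

# Report on every certificate in the Personal store that claims the Smart Card Logon EKU.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { (Get-EkuOids $_) -contains $SmartCardLogonOid } |
    ForEach-Object { Test-SmartCardLogonCert -Cert $_ | Format-List }
```

If ChainValid comes back false with a revocation-related ChainStatus, export the certificate and run `certutil -verify -urlfetch <file.cer>` to see which of the CDP/AIA URLs the machine can actually retrieve; on a machine that is not domain-joined, the ldap:/// entries will fail and only the http:// ones matter.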
Okie; I'll drop my "firewall" as I lack a lot of knowledge on this issue. 1 month ago I didn't know anything about smartcards, CA servers etc. Now I've set up my own CA, I've created certificates and I even made my own template (copied and edited an existing template from Server 2008 R2). We only got Server 2008 and R2's in our domain.
Maybe it's only with middleware I'm able to log on locally without a domain...? This I've seen from googling (Aloaha Software is one of them...).
This is what I want to achieve:
- Preboot Authentication (I already have this with my Mifare combo card, RFID and chip) done through Controlpoint Security
- Logon to W7 only by smartcard for a normal user account (not admin account, this should be allowed with normal user credentials)
- RDP only by smartcard (credentials disabled for RDP sessions, should be doable through policies on server)
- S/MIME signing and encryption with Outlook and Exchange
Now I have official certificates on my MiFare card, issued by a CA authority in Norway. With this I can use the S/MIME only for the moment, but by importing a certificate from my local CA I should be able to do the RDP too (I've already got it working with the Gemalto.NET card, but as said earlier, not W7 logon). The reason for not being able to import the local CA certificate to my MiFare card is loss of the admin PIN to the card. A new one is on the way by snail mail :(
I'll add my laptop to the domain then (you win!) and hopefully the rest will fall into place.
About my local certificates and templates...:
- I did take the Smartcard Logon template and copied it; then edited only the Security and expiration. It got Client Auth, SmartCard logon and Signature tags.
- What is the difference of using v2 and v3 templates?
- If member of domain, and I'm "offline", will my W7 laptop use cached information then?
When I get all this to work; I'll roll out the solution to my fellow coworkers.
Please feel free to contact me by e-mail, stigh (at) mobicom.no
Thank you for your help and for clearing up some of my misunderstandings so far :)
You can try the .NETBIO card, I have used this extensively with 2k8R2, and Windows 7 clients. I use the biometric smart-card logon template and export the public key. Then using Gemalto's web interface, I can write the certs to the card. WU will send the proper driver so that the card can be read, and tada! I can login to a stand alone machine using the creds, not connected to a domain.
Correct me if I'm wrong, but I'm pretty sure this is the method I used. :)
Network Systems Engineer * Zvetco Biometrics * Windows Server 2008 R2 * Core2 6600 @ 3.30GHz * 16 GIGS RAM * NVIDIA 9400GT
First; what type of card are you trying to use?
Any cards NOT listed as supported natively by Win 7 cannot be used without 3rd party software.
Using cards with Java support, like the Gemalto .NET card, will work with embedded drivers.
BUT; it will NOT log you in without being part of a domain. To achieve this; you need 3rd party software and card, like MiFare cards and software from (example) Aloaha Software. Please notice; I've tried Aloaha, but didn't get it to work.
So basic rule; without a domain controller; it will not work without 3rd party software.