how to create the smartcard authentication


  • FYI, I want to deploy the smart card to my domain users, but have no clue, please give some advice, thanks.
    Monday, June 30, 2014 7:11 AM


  • You need to issue certificates to users that have the User Principal Name in the Subject Alternative Name and whose keys are stored on smartcards, and Domain Controllers need machine certificates as well, as this is mutual authentication.

    On a high level the setup of a solution using just components built into Windows (and smartcard middleware) is:

    • Set up a Public Key Infrastructure (or use an outsourced solution - but I would not recommend this for smartcards for authentication).
    • Define certificate templates for users with the properties described above - the smartcard crypto provider needs to be available on the machine where the templates are managed.
    • Publish certificate templates for users and domain controllers at a certificate authority.
    • Install smartcard middleware on clients and initialize them properly (e.g. set an admin key or admin PIN).
    • Issue certificates to users (I would recommend a pilot group) - either by registration officers that create cards on behalf of users, or let the users themselves do it.

    The hardest part from an organizational perspective is the ongoing management of smartcards - such as: user lost card / provide user with replacement card; user just can't find card / give him a temporary card that will be withdrawn once he finds the long-term card again; how to manage the admin keys or admin PINs; how to renew cards...

    Therefore in larger environments smartcard management solutions are used in addition to Windows certificate services, such as Microsoft Forefront Identity Manager.


    Monday, June 30, 2014 11:11 AM
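The answer above lists what a user's smartcard logon certificate must carry: the User Principal Name in the Subject Alternative Name, a key that lives on the card rather than in a software key store, and (implied by "smartcard logon") the Smart Card Logon and Client Authentication enhanced key usages. The following PowerShell audit script is an added example and is not part of the thread or of any Microsoft product; it checks each certificate in the current user's personal store against those requirements before a pilot group is cut over. It assumes Windows PowerShell 5.1 or later on a domain-joined client, that the certificate was enrolled into Cert:\CurrentUser\My, and that the smartcard middleware exposes the key through a key storage provider or CSP whose name contains "Smart Card" (Microsoft's built-in providers do; other vendors' names may differ, so adjust the -ProviderPattern parameter, which is an assumption of this example). Opening the private key handle may cause the middleware to prompt for the PIN.

```powershell
# Added audit example (not from the original thread): report whether certificates in the
# user's personal store meet the smartcard logon requirements described in the answer.
# EKU OIDs below are the standard Microsoft / PKIX values.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # Client Authentication

function Test-SmartCardLogonCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        # UPN the logged-on account is expected to have (e.g. from 'whoami /upn'); optional.
        [string]$ExpectedUpn,
        # Assumed pattern for smartcard key providers; change for third-party middleware.
        [string]$ProviderPattern = 'Smart Card'
    )

    $findings = @()

    # 1. Enhanced Key Usage must include Smart Card Logon and Client Authentication.
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @()
    if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($oids -notcontains $SmartCardLogonOid) { $findings += 'missing Smart Card Logon EKU' }
    if ($oids -notcontains $ClientAuthOid)     { $findings += 'missing Client Authentication EKU' }

    # 2. The Subject Alternative Name must carry the user's UPN (this is what the KDC maps to the account).
    $upn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
    if ([string]::IsNullOrEmpty($upn)) {
        $findings += 'no UPN in Subject Alternative Name'
    } elseif ($ExpectedUpn -and ($upn -ne $ExpectedUpn)) {
        $findings += "UPN '$upn' does not match expected '$ExpectedUpn'"
    }

    # 3. The private key must be held by the smartcard provider, not a software key store.
    $provider = $null
    if (-not $Cert.HasPrivateKey) {
        $findings += 'no private key associated with this certificate'
    } else {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $provider = $rsa.Key.Provider.Provider              # CNG key storage provider name
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider = $rsa.CspKeyContainerInfo.ProviderName   # legacy CSP name
            }
            if (-not $provider) {
                $findings += 'private key is not RSA or its provider could not be determined'
            } elseif ($provider -notmatch $ProviderPattern) {
                $findings += "private key held by non-smartcard provider: $provider"
            }
        } catch {
            $findings += "cannot open private key: $($_.Exception.Message)"
        }
    }

    # 4. Basic validity window.
    $now = Get-Date
    if ($Cert.NotBefore -gt $now) { $findings += 'certificate not yet valid' }
    if ($Cert.NotAfter  -lt $now) { $findings += 'certificate expired' }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Upn        = $upn
        Provider   = $provider
        Compliant  = ($findings.Count -eq 0)
        Findings   = ($findings -join '; ')
    }
}

# Usage: audit every certificate in the personal store; pass -ExpectedUpn to also
# verify the SAN UPN matches the account that will log on with the card.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-SmartCardLogonCertificate -Cert $_ } |
    Format-Table Thumbprint, Upn, Provider, Compliant, Findings -AutoSize
```

A certificate that reports Compliant = True here still depends on the server side the answer mentions: the domain controllers must hold their own machine certificates from a trusted CA, otherwise the mutual authentication fails even though the user's card is correct. Running this on each pilot user's machine before cut-over catches the common enrollment mistakes (key generated in a software provider, UPN missing from the SAN, wrong template EKUs) that otherwise only surface as a failed logon.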