Is it possible to use smart card logon without EKU from Windows 7 against a 2003 domain?

  • Question

  • Hi 

    In our organization we have a 2003 domain and we are trying to configure our smart cards so we can use them to initiate a session on the Windows 7 clients. The smart cards don't have an Enhanced Key Usage attribute for Smart Card Logon, but for Windows 7 that is no longer a prerequisite if you configure the correct GPOs for that:
    https://technet.microsoft.com/en-us/library/ff404293%28v=ws.10%29.aspx
    https://technet.microsoft.com/en-us/library/ff404287%28v=ws.10%29.aspx

    With a 2008 R2 domain there would be no problem doing this, but we are not sure if this configuration would work with a 2003 domain.

    Does anybody know if this configuration is possible?

    Thanks :)


    Friday, June 19, 2015 12:40 PM

Answers

  • Hi,

    As we can see, the documents you have mentioned apply to Windows Server 2008 R2 and Windows 7.

    I do not think this will work in a 2003 domain.

    Although Windows Server 2003 includes support for smart cards, the types of certificates that smart cards can contain are limited by strict requirements. Each certificate needs to be associated with a user principal name (UPN) and needs to contain the smart card logon object identifier (also known as OID) in the Enhanced Key Usage field.

    You could refer to:

    Smart Card Authentication Changes

    https://technet.microsoft.com/en-us/library/cc721959(v=ws.10).aspx

    Regards.


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Monday, June 22, 2015 3:55 AM
    Moderator
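
The two requirements named in the answer above (a UPN associated with the certificate and the Smart Card Logon OID in the Enhanced Key Usage field) can be checked per certificate. This is an added example, not part of the original thread or of Microsoft's documentation; it assumes the card's certificates are visible in the current user's Personal store (`Cert:\CurrentUser\My`), and the function name is hypothetical.

```powershell
# Added example. The OID is the standard Smart Card Logon EKU purpose;
# the store path used at the bottom is an assumption.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'

function Test-StrictSmartCardLogonCert {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Collect EKU purpose OIDs; a certificate may have no EKU extension at all.
        $ekuOids = @()
        foreach ($ext in $Certificate.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
            }
        }

        # UPN from the subjectAltName otherName entry; empty string when absent.
        $upn = $Certificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)

        $hasEku = $ekuOids -contains $SmartCardLogonOid
        $hasUpn = -not [string]::IsNullOrEmpty($upn)

        New-Object PSObject -Property @{
            Subject           = $Certificate.Subject
            Thumbprint        = $Certificate.Thumbprint
            Upn               = $upn
            HasSmartCardLogon = $hasEku
            HasUpn            = $hasUpn
            MeetsStrictRules  = ($hasEku -and $hasUpn)
        }
    }
}

# Report every certificate in the assumed store against both requirements.
Get-ChildItem Cert:\CurrentUser\My | Test-StrictSmartCardLogonCert |
    Select-Object Subject, Upn, HasSmartCardLogon, HasUpn, MeetsStrictRules |
    Format-Table -AutoSize
```

A certificate with `MeetsStrictRules` set to `False` is one that would depend on the relaxed Windows 7 behaviour described in the question.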

All replies

  • Hi,

    Any update about the issue?

    Regards.



    Thursday, June 25, 2015 2:27 AM
    Moderator
  • We have opened an official support case to look for an official answer to the question; I will update the issue when we have more information. Anyway, in the end I will probably have to build a lab to test this myself.

    Thanks :)


    Thursday, June 25, 2015 10:07 AM
  • Hi,

    Thanks for your feedback.

    Please feel free to let us know if you have any update about the issue.

    Regards.



    Tuesday, June 30, 2015 5:05 AM
    Moderator