Smart Cards in Windows 2008 - Getting started

  • Question

  • Hi guys,

    I am brand new to working with smart cards and would like to implement them in my test network; however, the literature I have at my disposal only has a tiny paragraph about this topic (Configuring Windows Server 2008 Active Directory - Page 757).

    Is there any place I can find detailed instructions on how to set this up from scratch?

    I am also going to need to source cards and card readers.  Are all cards and card readers generally the same?  Do they tend to require their own drivers or is all that autodetected using USB?

    Any help would be much appreciated!

    Tuesday, July 13, 2010 2:33 PM

All replies

  • Hello,

    First you need to define your requirements. For example, do you want to use the smart cards for more than network logon? Or digital signing only?

    Is your business required to use a Shared Service Provider or can you stand up your own PKI?

    How do you want to setup your Certificate Authorities?

    Do you want to use OCSP devices?

    There are some really good books that can describe much of what is needed, but you first need to define what you want to accomplish.

    There is a Microsoft Press Book written by Brian Komar which I think is something like Microsoft Windows 2003 Public Key Infrastructure. That book will surely provide the basics needed to get you going from scratch.

    Hopefully that helps some.

    MagikD

    Tuesday, July 13, 2010 4:25 PM
  • Hi,

    In addition to MagikD's information, the following guides could be helpful for your work:

    http://technet.microsoft.com/en-us/library/dd277362.aspx

    http://technet.microsoft.com/en-us/library/ee706526(WS.10).aspx

    http://technet.microsoft.com/en-us/library/cc776850(WS.10).aspx

    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, July 14, 2010 2:17 AM
    Moderator
  • Thanks for the links. I see that there's a 'what's new in 2008' link, but it would be great if there was an actual step-by-step implementation guide like the one for 2003. I guess I'll just have to work through the 2003 guide and hopefully the interface hasn't changed too much.

    Thanks.

    Thursday, July 15, 2010 4:43 PM
  • Hi,

    I am afraid that there is no step by step guide for Windows Server 2008; however, most of the steps in the article for Windows Server 2003 should apply to Windows Server 2008.

    If there is anything unclear, please do not hesitate to respond back.

     


    Friday, July 16, 2010 7:32 AM
    Moderator
  • Hi guys,

    I am having a bit of a strange issue. I have installed a CA on my test domain and created a template for smart cards. I have obtained a keyboard with a built-in card reader. I understand from my research that card readers are also card writers (generally). The keyboard I am using is:

    HP - Model no.  KUSO133

    The card I am trying to use is a:

    Sun Microsystems 370-4328-03

    I believe I have installed the drivers correctly because when I insert the card the reader reads it; however, I get the error:

    "The card supplied requires drivers that are not present on this system.  Please try another card"

    This appears to be an issue that is specific to the card, not the reader. Does anyone know how I can resolve this issue? I have checked this on Windows 7 64 and Windows XP; it does not work on either.

    Tuesday, July 20, 2010 6:11 PM
  • On Tue, 20 Jul 2010 18:11:09 +0000, dbutch1976 wrote:

    Hi guys,

    I am having a bit of a strange issue. I have installed a CA on my test domain and created a template for smart cards. I have obtained a keyboard with a built-in card reader. I understand from my research that card readers are also card writers (generally). The keyboard I am using is:

    HP - Model no. KUSO133

    The card I am trying to use is a:

    Sun Microsystems 370-4328-03

    I believe I have installed the drivers correctly because when I insert the card the reader reads it; however, I get the error:

    "The card supplied requires drivers that are not present on this system. Please try another card"

    This appears to be an issue that is specific to the card, not the reader. Does anyone know how I can resolve this issue? I have checked this on Windows 7 64 and Windows XP; it does not work on either.

    You're going to have to get drivers and middleware for the card from Sun.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Tuesday, July 20, 2010 6:23 PM
  • Ahh, OK. Just to confirm, this is NOT a keyboard driver issue? I have installed the most recent driver for my keyboard, which I located on the HP website:

    http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?swItem=ir-79253-1&lang=en&cc=us&idx=0&mode=4&

    However, finding drivers for the smart card has been much trickier. The cards I was provided are presently being used on Sun Ray terminals. I don't know if such a driver exists for Windows boxes. Can I test this with another card? In other words, is there another type of card that should definitely have no compatibility issues?

    Tuesday, July 20, 2010 6:36 PM
  • OK, I'm making some progress now.  I could not get the Sun card to read and finally I just gave up.  Instead I have a Gemalto card which was also giving me the same error message until I installed Microsoft Base Smart Card Cryptographic Service Provider Package: x86 (KB909520)  from here:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=e8095fd5-c7e5-4bee-9577-2ea6b45b41c6&displaylang=en

    Now I am able to read the Gemalto card however I don't seem to be able to install a certificate on the card.  I am working from these instructions:

    http://technet.microsoft.com/en-us/library/dd277383.aspx

    Each screenshot in the instructions seems to be slightly different from mine. I am able to select a smartcard logon and I get to the screen where I am able to submit. If I select Microsoft Base Smart Card Cryptographic Service and submit, it prompts me to enter a PIN, at which point I get the message:

    "An error occurred while creating the certificate request. Please verify that your CSP supports settings you have made and that your inputs are valid."

    My CA is a 2008 box and the template looks nothing like the one in the document:

    http://technet.microsoft.com/en-us/library/Dd277383.smar0914_big(en-us,TechNet.10).gif

    I am not able to select a user, there is no place to select an enrollment account.  Any thoughts on what I'm doing wrong?

    Thursday, July 22, 2010 2:44 AM
  • On Thu, 22 Jul 2010 02:44:45 +0000, dbutch1976 wrote:

    OK, I'm making some progress now. I could not get the Sun card to read and finally I just gave up. Instead I have a Gemalto card which was also giving me the same error message until I installed Microsoft Base Smart Card Cryptographic Service Provider Package: x86 (KB909520) from here:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=e8095fd5-c7e5-4bee-9577-2ea6b45b41c6&displaylang=en

    Now I am able to read the Gemalto card; however, I don't seem to be able to install a certificate on the card. I am working from these instructions:

    http://technet.microsoft.com/en-us/library/dd277383.aspx

    Each screenshot in the instructions seems to be slightly different from mine. I am able to select a smartcard logon and I get to the screen where I am able to submit. If I select Microsoft Base Smart Card Cryptographic Service and submit, it prompts me to enter a PIN, at which point I get the message:

    "An error occurred while creating the certificate request. Please verify that your CSP supports settings you have made and that your inputs are valid."

    My CA is a 2008 box and the template looks nothing like the one in the document:

    http://technet.microsoft.com/en-us/library/Dd277383.smar0914_big(en-us,TechNet.10).gif

    Those instructions are for a Windows 2000 CA, not for a Windows 2008 CA.


    I am not able to select a user, there is no place to select an enrollment account. Any thoughts on what I'm doing wrong?

    What Certificate template are you using? Have you issued an Enrollment
    Agent certificate?


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Thursday, July 22, 2010 8:58 AM
  • Hi Paul,

    I'm aware that the instructions are for a Windows 2000 CA, but Joson mentioned earlier that not very much had changed from 2000 to 2008, so I had hopes the screens would be similar.

    Here's what I've done so far:

    I've granted the domain users group read and enrollment permissions on the following templates:

    Enrollment Agent
    Smartcard User
    Smartcard Logon

    I have then run through the 'requesting a certificate' instructions. I have created and installed a certificate on a Windows XP laptop using my domain administrator account. This account has full permissions to the template. I install the template locally on the machine. I install it automatically and do not place it in a specific location (do I need to place it somewhere else??)

    The next series of steps is titled "Enrolling a certificate on behalf of another user."

    It's not specified, but I assume I need to log in with my privileged account to do this (domain\admin). The target user is a user on my system that has only read/enroll privileges granted by their domain users membership. The user's name is (domain\Tcavella).

    In XP I browse to the CA at: http://dc1/certsrv --> request certificate --> advanced certificate request --> Create and submit a certificate request to this CA --> Select Smart Card logon from the drop down box --> select Microsoft Base Smart Card Crypto Provider --> **Accept all other defaults and click submit. I'm then prompted to insert the card and enter a PIN number, which I do. After clicking OK I get the error: "An error occurred while creating the certificate request. Please verify that your CSP supports settings you have made and that your inputs are valid."

    Here is what I'm missing.  After I click advanced request I do not see this option:

    Click Request a certificate for a smart card on behalf of another user using the Smart Card Enrollment Station.

    Dd277383.smar0912(en-us,TechNet.10).gif

    Neither do I have any of these options:

    On the Certificate Template menu, click the Smartcard Logon template. If you configured multiple sub-CAs, point the certificate request to the proper sub-CA. On the Cryptographic Service Provider menu, select the associated service provider, and the user to whom the logon certificate will be issued. In this example, the enrollee candidate is using a smart card and reader associated with GemPlus.

    Dd277383.smar0914(en-us,TechNet.10).gif

     

    Why do these screens look completely different to what I have? Either the process has changed completely or the laptop is not functioning as an enrollment station because I've missed a step...

    Thursday, July 22, 2010 2:30 PM
  • Hi there dbutch,

    It's hard to tell from the screenshots exactly what's missing, but it may simply be that some of the old mechanisms that were present in the 2000/2003 versions of Certificate Services Web Enrollment Pages are no longer present in 2008/2008 R2.  Specifically, enroll on behalf of is no longer supported through the web pages.  So if you're following the old directions and they are having you look for that option, that may be why it's not showing up.  You'll need to use the MMC to enroll instead.

    Can you give these steps a try and see if they work any better for you?

    Step by Step to get Smartcard working on Windows 2008 / R2

    1. Install a Windows 2008 CA

    2. Create a user/group in AD to use as Enrollment Agent

    3. After installation, open the Certificate Authority Management console on the CA.

    4. Right Click on Certificate Templates and select Manage.

    5. Change the permissions on the following template so the account created in step 2 has read and enroll permissions:

    • Enrollment Agent
    • Smartcard User
    • Smartcard Logon

    6. Publish the above mentioned templates to the CA

    7. Log on to the enrollment workstation (below steps assume that the OS is Vista or higher. When using the Windows 2008 Web Enrollment or Windows 2003 Web Pages with update 922706, ROB functionality is not present via web interface)

    • Open Certificate Management Console by running certmgr.msc
    • Select the 'Personal Store'; and from the context menu select All Tasks->Request New Certificate
    • Select the "Enrollment Agent" template to get a certificate which will later be used for signing.
    • Select "Enroll" to finish the wizard and get a certificate
    • Next, select the "Personal Store" and from the context menu, select All Tasks-> Advanced Operations-> Enroll on behalf of
    • When prompted to select a signing certificate, select the "Enrollment Agent Certificate" enrolled earlier
    • Next, it will show all the available templates, select "Smartcard Logon" or "Smartcard User" based upon the requirement
      Click on Details for the selected template and then select Properties for the same
    • On the "Private Key" tab, click on "Cryptographic Service Provider" and select the appropriate CSP (If you have a smartcard which works out of the box and doesn't require a middleware CSP, then you can select "Microsoft Base Smart Card Crypto Provider")
    • Select the user for whom you want to enroll the certificate
    • Insert the smartcard in the reader and when prompted, enter the PIN
    • The information would be written to the smart card and you can repeat the same process for another account or close the wizard to complete it.

    Note: Microsoft Base CSP update (KB909520) along with any other middleware (CSP) should be installed on the enrollment workstation and on the client machines where the smartcard would be used.


    David Beach - Microsoft Online Community Support
    Tuesday, July 27, 2010 1:48 PM
  • Thanks David, these are definitely the most concise steps I've found up to this point. I'll work through your instructions and get back to you if I'm stuck. Thanks for your help.
    Wednesday, July 28, 2010 5:13 PM
  • Hi David,

    This is probably a very basic question, but when I open the certificate templates MMC on the CA and right-click the cert I don't see a 'publish' option.  I only see a 'duplicate' option.  How do I publish the certificates to the CA?

    Duncan.

     

    Wednesday, July 28, 2010 7:18 PM
  • Hi,

    To publish the certificate template, please refer to the following steps:

    1. Open Certification Authority snap-in on the CA.
    2. Select CAName\Certificate Templates in the left pane of the snap-in.
    3. Click Action, click New, click Certificate Template to Issue, and then select the certificate templates and click OK.

     


    Thursday, July 29, 2010 1:25 AM
    Moderator
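    Added example (not from this thread, Microsoft or any vendor): a PowerShell pre-flight check for David's MMC "Enroll on behalf of" steps and Joson's publish step above. It assumes it runs on the enrollment workstation as the enrollment agent account, that the templates keep their default internal names, and that the CA config string dc1\Test-CA is a placeholder you replace with your own.

```powershell
param([string]$CAConfig = "dc1\Test-CA")   # assumption: replace with your CA's "Host\CAName"

# Internal template names behind the display names used in the steps above.
$RequiredTemplates = @("EnrollmentAgent", "SmartcardUser", "SmartcardLogon")
$EnrollmentAgentEku = "1.3.6.1.4.1.311.20.2.1"   # Certificate Request Agent EKU OID

function Test-PublishedTemplates {
    # certutil -CATemplates prints one line per template the CA is configured to
    # issue, beginning with the template's internal name and a colon.
    param([string]$Config, [string[]]$Names)
    $listing = (certutil -config $Config -CATemplates 2>&1) -join "`n"
    foreach ($name in $Names) {
        $ok = $listing -match "(?m)^$name\s*:"
        "{0,-16} published on CA: {1}" -f $name, $ok
        if (-not $ok) {
            Write-Warning "$name is not published. On the CA: Certificate Templates -> New -> Certificate Template to Issue."
        }
    }
}

function Get-EkuOids {
    # OID values from the certificate's Enhanced Key Usage extension (2.5.29.37).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $Cert.Extensions |
        Where-Object { $_.Oid.Value -eq "2.5.29.37" } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
}

function Get-EnrollmentAgentCerts {
    # "Enroll on behalf of" needs a signing certificate in CurrentUser\My that
    # carries the Certificate Request Agent EKU, is unexpired and has its key.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ((Get-EkuOids -Cert $_) -contains $EnrollmentAgentEku)
    }
}

function Test-SmartCardStack {
    # The Smart Card service must run, and the Base CSP (KB909520 on pre-Vista
    # systems) must be registered, or the wizard cannot offer that CSP.
    $svc = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { "not installed" }
    "Smart Card service (SCardSvr): $state"
    $cspKey = "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider"
    "Microsoft Base Smart Card Crypto Provider registered: $(Test-Path $cspKey)"
    # certutil -scinfo enumerates readers and the cards in them; a card with no
    # minidriver/middleware installed shows up as an error here.
    certutil -scinfo 2>&1 | Out-String
}

Test-PublishedTemplates -Config $CAConfig -Names $RequiredTemplates
$agents = @(Get-EnrollmentAgentCerts)
"Usable Enrollment Agent certificates in CurrentUser\My: $($agents.Count)"
$agents | ForEach-Object { "  $($_.Subject)  expires $($_.NotAfter.ToString('yyyy-MM-dd'))" }
Test-SmartCardStack
```

    If every template shows as published, at least one Enrollment Agent certificate is listed and the card enumerates without error, the remaining suspects are the template's CSP settings and the card's PIN state.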
  • Thanks Joson,

    I believe I've made some progress, to the point that I think I've found my issue. I believe it relates to this step, which was provided in David's step-by-step process above:

    • On the "Private Key" tab, click on "Cryptographic Service Provider" and select the appropriate CSP (If you have a smartcard which works out of the box and doesn't require a middleware CSP, then you can select "Microsoft Base Smart Card Crypto Provider")
    • Select the user for whom you want to enroll the certificate
    • Insert the smartcard in the reader and when prompted, enter the PIN

    I am using a Gemalto card.  I found an article here (http://www.docstoc.com/docs/33039831/Gemalto-NET-20-Smart-Card) which states:
    Gemalto .NET smart cards are natively supported in Microsoft Vista. For Windows 2000, XP and Server 2003 they are integrated with Microsoft's Base Smart Card Cryptographic Service Provider (CSP) package, which is available for download via Windows Update. As a result, users do not need to install any proprietary middleware to use the Gemalto .NET card.

    When I insert my test card I am prompted to enter a PIN.  I get the error:

    There was an error while validating your PIN:
    Error code: 0x80100004.

    Does this simply mean the card I'm using for testing is not blank?  Can I not overwrite this card?

    Monday, August 9, 2010 3:49 PM
  • That error code (0x80100004) means SCARD_E_INVALID_PARAMETER. There are a few reasons this can happen. Try reinstalling your reader driver. You might also want to double-check your certificate template and make sure that everything is good there. Finally, this can also come up if there's a bad certificate cached for the card in your user profile, so try the operation from a different user profile and see if the behavior changes at all.
    David Beach - Microsoft Online Community Support
    Tuesday, August 10, 2010 1:04 PM
  • Here's what I've checked:

    1.  Tried the same Gemalto card with the same enrollment agent but a new user. Same error. This should eliminate a cached certificate.
    2.  Tried to log in using the Gemalto card - It says no valid certificates exist on the card. This should also ensure that no certificates are cached on the card.
    3.  This server has been freshly installed with the correct driver. It is having the same issue that the previous server had, so I believe this eliminates a driver issue.
    4.  I've double checked the certificate template and it has been configured correctly.

    Ok, I'm throwing in the towel with this Gemalto card and I'm going to try to get these SUN smart cards working. I read here (http://technet.microsoft.com/en-us/library/dd277362.aspx) that SUN smart cards should work with Windows certificate services:

    "Sun Microsystems has published and currently maintains specifications for both Windows for Smart Cards and a “Java Card.”"

    However, each time I insert the SUN smart card into the reader I get: 

    "The card supplied requires drivers that are not present on this system"

    I have googled the ^%$^@@## out of this term and can find nothing telling me where I can obtain a driver that is compatible with this card, even though the technet article above doesn't mention any compatibility issues, nor can I find any Sun smart card discussion forum where I can get support of any kind. Does anyone know where I can find information or drivers on these cards?

    Tuesday, August 10, 2010 1:49 PM
  • I expanded the details of the error I was getting with the Gemalto card and saw these additional details:

    "The card is being shared by another process. However, the card is not the one being requested, and cannot be used for the current operation."

    This led me to this KB article:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;955548&sd=rss&spid=12925

    This issue applies to Windows Vista Service Pack 1 (SP1)-based computers or Windows Server 2008-based computers. Since this test environment is composed of a single 2008 DC/cert server, I think that could explain some of my problem. I tried to use the fix provided; however, the fix only appears to apply to Vista and I get the error "No updates apply to this system."

    Moving right along, I grabbed a laptop loaded with XP and joined it to the domain.  Why is the process to request a certificate so radically different in XP?  Here are the changes:

    Open MMC --> Add Certificates MMC (user) --> Click Certificates --> Personal --> Right click Certificates

    Change #1 - There is no Advanced option here, so I have no choice but to select Request New Certificate.

    Click Next. Select Smartcard User from the list. Check the advanced box. --> Select Microsoft Base Smart Card Crypto Provider --> Prompted for CA, I accept the default --> Prompted for a name for the certificate --> I enter a name. Greeted with a summary screen. Click Finish. Prompted to enter the smartcard. --> Prompted to enter a PIN, I enter 0000, click OK and I get "The certificate request failed. One or more of the parameters could not be properly interpreted."

    My main question is, why am I not being prompted for the enrollment agent certificate? I have requested the enrollment agent certificate on this machine and received one, and I have logged in with the enrollment agent's user account; however, I can't find the request on behalf of another user option anywhere!!!

    How do I enroll on behalf using XP?? This article seems to indicate web enrollment (http://technet.microsoft.com/en-us/library/cc775842(WS.10).aspx) but from what I understand web enrollment for smart cards (enroll on behalf) is not supported by a 2008 Certificate server.

    So how do I make the request from an XP enrollment station??

    Wednesday, August 11, 2010 3:18 PM
  • I found this article here (http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/7a66ad54-63e4-4ee6-aef7-70e3dfcdfc99); the gist of it says "ScrdEnrll.dll was deprecated after Windows 2003. To enroll a smart card, as Vadims has mentioned, you first need an enrollment agent certificate. You then need either a Windows Vista/Windows 2008 or Windows 7/Windows 2008 R2 client computer."

    Well isn't that just perfect, there is a known issue (http://support.microsoft.com/default.aspx?scid=kb;en-us;955548&sd=rss&spid=12925) on Vista and 2008 Server which only leaves Windows 7 as a possible client that may work as an enrollment station.  I highly doubt this will work either.

    Wednesday, August 11, 2010 3:23 PM
  • Hi Everyone,

    I've finally got the test environment up and working using the Gemalto card that had been blocked.  I was able to unblock the card by using this webpage:

    https://www.netsolutions.gemalto.com/UnblockPIN.aspx

    I now have a functioning test environment and would like to make a smart card purchase but I can't find a vendor anywhere in Canada.  I am looking for smart cards that can be used with the Windows PKI and hopefully the Windows Base CSP.  I'm hoping to find something reasonably priced, but at this point I'm not able to find any vendors at all that are able to answer my questions.  For those of you that have set up a smart card environment how did you locate a vendor?

     

    Thanks.

    Tuesday, September 7, 2010 2:02 PM