To log on to one of your company's computers or servers with a smart card, you need a user certificate based on the "Smartcard Logon" template, which you then write to the smart card.
The built-in "Smartcard Logon" template must first be duplicated so that the copy can be configured to support your hardware.
Note that in a business environment, an enrollment agent enrolls the certificates on the smart cards.
So, follow our "WS 2016 - AD CS - Create an enrollment agent" tutorial first (skipping the step about the "Smartcard Logon" certificate template), then come back here.
Then, on your CA, duplicate the "Smartcard Logon" certificate template.
Note: if you already created a copy of the "Smartcard Logon" certificate template while following our Enrollment Agent tutorial, delete that copy and duplicate the "Smartcard Logon" certificate template again.
The settings used in this tutorial are different.
In the "Compatibility" tab, select "Windows 10 / Windows Server 2016" for the certificate recipient.
In the "Resulting Changes" window, click OK.
The certificate recipient was set to "Windows 10 / Windows Server 2016".
In the "General" tab, enter "Smartcard Logon v2" as the template display name.
In the "Request Handling" tab, check the "Include symmetric algorithms allowed by the subject" box.
In the "Cryptography" tab, you will see that the minimum key size is 2048 by default.
Depending on your smart cards, you may need to specify a lower value (for example: 1024) for the minimum key size.
Then, select the "Requests must use one of the following providers" option and check the "Microsoft Base Smart Card Crypto Provider" box.
Without this setting, the certificate cannot be enrolled on a smart card.
In the "Security" tab, click Add.
Specify the name of a user or group of users allowed to enroll this type of certificate.
In a business environment, the enrollment agent enrolls user certificates on behalf of the users and stores them directly on smart cards.
You then distribute the smart cards to your users, who log in with the card and its associated PIN (user PIN).
In our case, this enrollment agent is called IWAgent.
The desired user appears.
Grant it the Read and Write permissions.
When you enroll certificates as an enrollment agent, you also need to adjust the issuance requirements of the certificate type being enrolled.
Otherwise, the enrollment attempt fails with an error stating that multiple signatures are required.
To avoid this problem, go to the "Issuance Requirements" tab.
In this tab, check the "This number of authorized signatures" box and enter "1" in the box to its right.
Then, select the options:
Now that this new certificate template is correctly configured, click OK.
The newly created certificate template appears.
As usual, don't forget to add the created certificate template to the list of certificate templates that your certificate authority can issue.
Select the "Smartcard Logon v2" certificate template,
The "Smartcard Logon v2" certificate template appears in the list of certificate templates to be issued.
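The template settings above live as attributes on the template object in the Configuration partition of Active Directory, and the CA advertises the templates it issues on its own object. The script below is an added example (not code from the InformatiWeb tutorial) that reads those attributes with the ActiveDirectory module and reports whether each setting described in this tutorial is in place: minimum key size (flagging anything below 2048 bits as weak), the mandatory smart card CSP, the "Include symmetric algorithms" flag, the Smart Card Logon EKU, the single-signature issuance requirement, the agent's Read and Enroll rights on the template, and publication on each CA. The display name "Smartcard Logon v2" and the account "IWAgent" are this tutorial's values and are assumptions you can override with the parameters.

```powershell
<#
  Added example, not part of the InformatiWeb tutorial: audit a duplicated
  Smartcard Logon template and its publication on the CA using only the
  ActiveDirectory module. Run as a domain administrator on a domain-joined host.
  Assumed names: display name 'Smartcard Logon v2', agent account 'IWAgent'.
#>
param(
    [string]$TemplateDisplayName = 'Smartcard Logon v2',
    [string]$AgentAccount        = 'IWAgent'
)
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Locate the template by display name (its CN / "template name" may differ, e.g. SmartcardLogonv2).
$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -Filter "displayName -eq '$TemplateDisplayName'" -Properties *
if (-not $tpl) { throw "Template '$TemplateDisplayName' not found" }

# Well-known values from the certificate template schema (MS-CRTD).
$OID_SmartcardLogon = '1.3.6.1.4.1.311.20.2.2'
$CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS = 0x1
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # "Enroll" extended right

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
}

# Cryptography tab: minimum key size and mandatory provider
$minKey = [int]$tpl.'msPKI-Minimal-Key-Size'
Add-Check 'Minimum key size >= 2048 (smaller RSA keys are weak)' ($minKey -ge 2048) "msPKI-Minimal-Key-Size = $minKey"
$csps = @($tpl.pKIDefaultCSPs)   # entries look like "1,Microsoft Base Smart Card Crypto Provider"
$hasScCsp = [bool]($csps | Where-Object { $_ -like '*Microsoft Base Smart Card Crypto Provider*' })
Add-Check 'Smart card CSP required' $hasScCsp ("pKIDefaultCSPs = " + ($csps -join '; '))

# Request Handling tab: "Include symmetric algorithms allowed by the subject"
$enrollFlag = [int]$tpl.'msPKI-Enrollment-Flag'
Add-Check 'Include symmetric algorithms flag set' (($enrollFlag -band $CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS) -ne 0) ("msPKI-Enrollment-Flag = 0x{0:X}" -f $enrollFlag)

# Extensions: the EKU that makes the certificate usable for smart card logon
$ekus = @($tpl.pKIExtendedKeyUsage)
Add-Check 'Smart Card Logon EKU present' ($ekus -contains $OID_SmartcardLogon) ("pKIExtendedKeyUsage = " + ($ekus -join ', '))

# Issuance Requirements tab: exactly one authorized signature (the enrollment agent's)
$raSig = [int]$tpl.'msPKI-RA-Signature'
Add-Check 'Exactly one authorized signature required' ($raSig -eq 1) "msPKI-RA-Signature = $raSig; msPKI-RA-Application-Policies = $($tpl.'msPKI-RA-Application-Policies')"

# Security tab: the agent needs Read plus the Enroll extended right on the template.
# Only direct ACEs for the account are examined; group membership is not expanded here.
$acl = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
$agentAces = $acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$AgentAccount" -and $_.AccessControlType -eq 'Allow' }
$canRead   = [bool]($agentAces | Where-Object { ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead) -ne 0 })
$canEnroll = [bool]($agentAces | Where-Object { $_.ObjectType -eq $EnrollRight -and (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) })
Add-Check "$AgentAccount has Read on the template" $canRead ''
Add-Check "$AgentAccount has Enroll on the template" $canEnroll ''

# Publication: each CA's pKIEnrollmentService object lists the templates it issues by CN
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates
foreach ($ca in $cas) {
    Add-Check "Published on CA $($ca.Name)" (@($ca.certificateTemplates) -contains $tpl.Name) ''
}

$results | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the CA or on any host with the RSAT AD module; every row should show OK = True before you hand the template to the enrollment agent. The Enroll check is worth paying attention to: the CA evaluates the Enroll extended right when it receives a request, so an agent that only has Read and Write on the template will still be refused at enrollment time.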
If Windows is configured to download and install device drivers automatically from the Internet (from Microsoft's servers), your computer or server may install the drivers for your smart card reader and for your smart card on its own.
In any case, this was our experience with the hardware used in this tutorial.
Plug in your card reader and you may see a "Device Setup" window pop up.
This may vary from one version of Windows (Server) to another.
Then, an "Installing Smart Card Reader USB" window will appear.
In our case, our "HID Omnikey 3121" smart card reader appears under the name "Microsoft Usbccid Smartcard Reader (WUDF)".
Insert one of your smart cards and an "Installing Smart Card" window (on Windows 10 and Windows Server 2016 in our case) will appear.
Once Windows (Server) has downloaded and installed the appropriate driver automatically, your smart card will be recognized under the name: SafeNet IDPrime MD Smart Card.
Note: you don't need to know the PIN of the smart card used here; the goal is only to trigger the installation of this driver so that you can later enroll certificates on the card and/or log in with it.
Since Windows (Server) downloaded and installed the driver automatically, the driver came from a Microsoft server.
You can verify this by displaying the properties of the device: SafeNet IDPrime MD Smart Card.
As you can see:
In other words, it works, but the driver is necessarily older than the one you would get by downloading it manually from the official Thales website.
You can also find the drivers that Windows (Server) downloaded by searching for "SafeNet" (the driver's supplier) in the Microsoft Update Catalog.
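Rather than opening each device's properties by hand, you can list every reader and card Windows currently sees together with the provider, version, date and INF of the driver in use, then compare the version with the vendor's current release. The script below is an added example (not from the tutorial or from Thales/HID) built on the PnpDevice module that ships with Windows 10 and Windows Server 2016; it assumes an elevated prompt and makes no assumption about the device names.

```powershell
<#
  Added example, not part of the tutorial: report the driver in use for every
  smart card reader and smart card present on this machine, so you can tell
  which version and provider Windows picked up and compare it with the
  vendor's current release. Requires the PnpDevice module (Windows 10 /
  Server 2016 and later) and an elevated PowerShell session.
#>
Import-Module PnpDevice

# Driver metadata keys exposed through the PnP device property store
$keys = 'DEVPKEY_Device_DriverProvider', 'DEVPKEY_Device_DriverVersion',
        'DEVPKEY_Device_DriverDate',     'DEVPKEY_Device_DriverInfPath'

$report = foreach ($dev in Get-PnpDevice -Class 'SmartCardReader', 'SmartCard' -PresentOnly) {
    $p = @{}
    Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName $keys |
        ForEach-Object { $p[$_.KeyName] = $_.Data }
    [pscustomobject]@{
        Class    = $dev.Class
        Device   = $dev.FriendlyName
        Status   = $dev.Status
        Provider = $p['DEVPKEY_Device_DriverProvider']
        Version  = $p['DEVPKEY_Device_DriverVersion']
        Date     = $p['DEVPKEY_Device_DriverDate']
        # oemNN.inf means a third-party package added to the driver store (from
        # Windows Update or a vendor installer); any other name is a Windows inbox driver.
        Inf      = $p['DEVPKEY_Device_DriverInfPath']
    }
}
$report | Format-Table -AutoSize

# Cross-check with the Smart Card Resource Manager: the service must be running
# and certutil must see both the reader and the inserted card (no PIN is needed).
Get-Service SCardSvr | Select-Object Name, Status
certutil -scinfo -silent
```

A reader that appears in the first table but not in the certutil output usually means the Smart Card service is stopped or the card's minidriver did not load, which is exactly what blocks enrollment later; a driver whose provider is the card vendor but whose date is well behind the vendor's download page is the Windows Update version described above.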
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.