If you have the SafeNet Minidriver driver (downloaded from the THALES site or obtained from the intermediary where you purchased your smart cards), launch the "SafeNet-Minidriver-x64-10.8-R6.msi" file located in the "MSI\x64" folder of the downloaded zip file.
Note: if your PC or server uses the 32-bit architecture (x86), launch the "SafeNet-Minidriver-x86-10.8-R6.msi" file instead, which is located in the "MSI\x86" folder of the downloaded zip file.
The "SafeNet Minidriver 10.8 R6 - InstallShield Wizard" installer appears.
Click Next.
Accept the license agreement.
As you can see, by default, an icon will be added to your computer/server taskbar so that you can change your smart card password and unlock the card (if necessary).
So, leave this "SAC Tray Application (for Change/Unblock PIN)" box checked.
Wait while the SafeNet Minidriver is installed.
During the installation, you will be prompted to install the "SafeNet Smart Cards" driver.
However, you will notice that this driver is signed this time by "Thales DIS CPL USA, Inc" and not by Microsoft.
Click Install.
The "SafeNet Minidriver" driver has been installed.
Once this driver is installed, you will need to restart your computer/server.
Once the computer/server has restarted, you will see that a SafeNet Authentication Client icon will have appeared in the taskbar (next to the clock).
However, since it's the driver (SafeNet Minidriver) that you have installed and not the full software (SafeNet Authentication Client), the only options available will be :
You will therefore not have access to the complete "SafeNet Authentication Client" program allowing you to fully manage your smart cards.
If you go to device manager and view the properties of your "SafeNet IDPrime MD Smart Card" smart card, you will see that the driver installed is newer than the one from Microsoft and that this driver has been digitally signed by its manufacturer (Thales DIS CPL USA, Inc) and not by Microsoft.
To request a smartcard logon certificate for a user and enroll it on a smart card on behalf of the desired user, log in to your CA as an enrollment agent.
Once the session is open, don't forget to connect your smart card reader to your server acting as a certification authority (if it hasn't already been done).
Open a "mmc" console, go to "File -> Add/Remove Snap-in" and add the "Certificates" component.
Click OK.
Right-click the "Personal" certificate store and choose "All Tasks -> Advanced Operations -> Enroll On Behalf Of ...".
Note: as you can see, we already have an enrollment agent (Certificate Request Agent) certificate.
To begin, choose your enrollment agent certificate by clicking Browse.
Your enrollment agent certificate appears.
Click OK.
The name present in this enrollment agent certificate appears.
Click Next.
Select the "Smartcard Logon v2" certificate template created earlier in this tutorial.
Note : if this certificate template doesn't appear, make sure that :
Now, you need to select the user for whom you want to enroll a smart card logon certificate.
To do this, click Browse.
Warning: by default, the "Select User" window searches the local server you are working on.
In our case, that is our CA server.
To select a user of your domain, first click on the "Locations" button.
Select your Active Directory domain and click OK.
Enter the name of the desired user from your Active Directory domain and click OK.
In our case, we created a simple "InformatiUser" user on our Active Directory domain controller.
Once the desired user is selected, click Enroll.
In our case, at the moment, our "HID OMNIKEY 3121" smart card reader is plugged in, but no smart card is inserted.
Given that the appropriate driver for your smart card reader is installed and the certificate template is correctly configured, a small "Enrolling for the user certificate" window will appear and ask you to insert a smart card (if there is no smart card inserted at the moment).
Note that your smart card reader model will also appear.
In our case: OMNIKEY AG Smart Card Reader USB 0.
Insert a smart card into your smart card reader.
Warning: if the driver for your smart card is not installed, the following error will appear:
Smart card error
OMNIKEY AG Smart Card Reader USB 0
The smart card requires drivers that are not present on this system. Try another smart card or contact your administrator.
To resolve this problem, install the driver for your smart card from the Microsoft server or install the "SafeNet Minidriver" driver (in the case of a "THALES IDPrime MDxxx" smart card for example).
If your smart card driver is installed on the server you are on, your smart card model will appear.
IDPrime MD T=0
OMNIKEY AG Smart Card Reader USB 0
The smart card is ready for use.
Now, click OK.
Enter your smart card user PIN.
By default, this PIN code is "0000" for THALES IDPrime 940 cards.
Wait while the certificate is enrolled on your smart card.
This may take about ten seconds, depending on the smart card used.
While writing the certificate to your smart card, you will see that the LED of your "HID OMNIKEY 3121" card reader will flash red.
Once the certificate is registered, the "Succeeded" status will appear and the LED of your smart card reader will return to yellow/green.
Note that the certificate has been enrolled in your smart card, as well as in your "Personal" certificate store.
Click "Close" or click "Next user" if you want to enroll a new certificate for another user on another smart card.
As you can see, the certificate is also present in your "Personal" certificate store.
If you double-click on this new certificate, you will see that it is designed for the following roles :
You will also see that it was issued to the intended user (not the enrollment agent who made the certificate request) and that it was issued by your certification authority.
As expected, you will see that a public key will be present in this certificate.
If you select the "Enhanced Key Usage" field, you will see that this certificate can be used for :
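The same checks can be scripted instead of being read from the certificate dialog. The following PowerShell function is an added example, not part of the original tutorial: it lists the smart card logon certificates in the "Personal" store and reports who each one was issued to, who issued it and which usages it carries. The store path, the function and parameter names, and the expected issuer value are assumptions to adapt to your environment.

```powershell
# Added example (not from the original tutorial). Run in the enrollment agent's
# session after enrollment. Store path and parameter values are assumptions.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon EKU
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'       # Client Authentication EKU
$TemplateInfoOid   = '1.3.6.1.4.1.311.21.7'    # Certificate Template Information extension

function Get-SmartCardLogonCertReport {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',  # assumed: the "Personal" store shown in the MMC
        [string]$ExpectedUser,                        # user the certificate was requested for
        [string]$ExpectedIssuer                       # placeholder: common name of your CA
    )
    $upnType = [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName
    $cnType  = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Read EKU OIDs from the extension itself; friendly names are localized.
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        # Skip anything that is not a smart card logon certificate.
        if ($ekuOids -notcontains $SmartCardLogonOid) { continue }

        $template  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
        $subjectCN = $cert.GetNameInfo($cnType, $false)
        $issuerCN  = $cert.GetNameInfo($cnType, $true)
        $upn       = $cert.GetNameInfo($upnType, $false)

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $subjectCN
            Upn            = $upn
            Issuer         = $issuerCN
            NotAfter       = $cert.NotAfter
            Template       = if ($template) { $template.Format($false) } else { '(no template extension)' }
            HasClientAuth  = $ekuOids -contains $ClientAuthOid
            # True when the subject or UPN names the intended user, not the enrollment agent.
            SubjectMatches = (-not $ExpectedUser) -or [bool](@($subjectCN, $upn) -like "*$ExpectedUser*")
            IssuerMatches  = (-not $ExpectedIssuer) -or ($issuerCN -eq $ExpectedIssuer)
            Expired        = $cert.NotAfter -lt (Get-Date)
        }
    }
}

# 'InformatiUser' is the test user created in this tutorial.
Get-SmartCardLogonCertReport -ExpectedUser 'InformatiUser' | Format-List
```

A row with SubjectMatches or IssuerMatches set to False means the certificate in the store was not issued to the user, or by the CA, that you expected.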
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.