Smart card authentication to Active Directory requires that the smartcard workstations, Active Directory, and the domain controllers all be configured correctly. Active Directory must trust a certification authority before it will authenticate users based on certificates issued by that CA, and both the smartcard workstations and the domain controllers must hold correctly configured certificates.
As with any PKI implementation, all parties must trust the root CA to which the issuing CA chains. Both the domain controllers and the smartcard workstations must trust this root.
Active Directory and domain controller configuration
·Required: Active Directory must have the E-Tag issuing CA in the NTAuth store to authenticate users to Active Directory.
·Required: Domain controllers must be configured with a domain controller certificate to authenticate smartcard users.
·Optional: Active Directory can be configured to distribute the E-Tag root CA to the trusted root CA store of all domain members using the Group Policy.
Smartcard certificate and workstation requirements
·Required: All of the smartcard requirements outlined in the "Configuration Instructions" section must be met, including the text formatting of the fields. Smartcard authentication fails if they are not met.
·Required: The smartcard certificate and its private key must be installed on the smartcard.
1. Export or download the E-Tag root certificate. How to obtain the third-party root certificate varies by vendor. The certificate must be in Base64 Encoded X.509 format.
2. Add the E-Tag root CA to the trusted roots in an Active Directory Group Policy object. To configure Group Policy in the Windows 2000 domain to distribute the E-Tag CA to the trusted root store of all domain computers:
a. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
b. In the left pane, locate the domain in which the policy you want to edit is applied.
c. Right-click the domain, and then click Properties.
d. Click the Group Policy tab.
e. Click the Default Domain Policy Group Policy object, and then click Edit. A new window opens.
f. In the left pane, expand the following items:
§Public Key Policy
g. Right-click Trusted Root Certification Authorities.
h. Select All Tasks, and then click Import.
i. Follow the instructions in the wizard to import the certificate.
j. Click OK.
k. Close the Group Policy window.
3. Add the E-Tag issuing CA to the NTAuth store in Active Directory.
The smart card logon certificate must be issued from a CA that is in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store.
o If the CA that issued the smart card logon certificate or the domain controller certificates is not properly posted in the NTAuth store, the smart card logon process does not work. The corresponding error message is "Unable to verify the credentials".
o The NTAuth store is located in the Configuration container for the forest. For example, a sample location is as follows:
LDAP://server1.name.com/CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=name,DC=com
o By default, this store is created when you install a Microsoft Enterprise CA. The object can also be created manually by using ADSIedit.msc in the Windows 2000 Support tools or by using LDIFDE. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
295663 How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store
o The relevant attribute is cACertificate, a multi-valued octet string attribute that holds a list of ASN.1 (DER) encoded certificates.
After you put the E-Tag CA in the NTAuth store, Domain-based Group Policy places a registry key (a thumbprint of the certificate) in the following location on all computers in the domain:
This is refreshed every eight hours on workstations (the typical Group Policy pulse interval).
4. Request and install a domain controller certificate on the domain controller(s). Each domain controller that is going to authenticate smartcard users must have a domain controller certificate.
If you install a Microsoft Enterprise CA in an Active Directory forest, all domain controllers automatically enroll for a domain controller certificate. For more information about requirements for domain controller certificates from a third-party CA, click the following article number to view the article in the Microsoft Knowledge Base:
291010 Requirements for domain controller certificates from a third-party CA
NOTE: The domain controller certificate is used for Secure Sockets Layer (SSL) authentication, Simple Mail Transfer Protocol (SMTP) encryption, Remote Procedure Call (RPC) signing, and the smart card logon process. Using a non-Microsoft CA to issue a certificate to a domain controller may cause unexpected behavior or unsupported results. An improperly formatted certificate or a certificate with the subject name absent may cause these or other capabilities to stop responding.
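The following PowerShell script is an added verification aid for steps 3 and 4; it is not part of the original instructions. It assumes it runs on a domain-joined machine (ideally the domain controller itself) as a user who can read the Configuration partition, and that the domain controller certificate sits in the LocalMachine\My store. It decodes the multi-valued cACertificate attribute of the NTAuthCertificates object named above, then checks each server-authentication certificate on the local machine for a non-empty subject, a chain to a trusted root, and an issuing CA that is present in NTAuth.

```powershell
# Added example, not part of the original page. Assumes a domain-joined host with read
# access to the Configuration container and the DC certificate in LocalMachine\My.

# 1. Locate the NTAuth store from RootDSE instead of hard-coding the forest DN.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.Properties["configurationNamingContext"][0]
$ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"

# cACertificate is multi-valued; every value is one DER-encoded certificate.
$ntAuthCerts = foreach ($der in $ntAuth.Properties["cACertificate"]) {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
}
$ntAuthThumbs = @($ntAuthCerts | ForEach-Object { $_.Thumbprint })

Write-Host "CAs published in NTAuth: $($ntAuthThumbs.Count)"
$ntAuthCerts | ForEach-Object {
    "  {0}  {1}  expires {2:d}" -f $_.Thumbprint, $_.Subject, $_.NotAfter
}

# 2. Inspect certificates usable for DC authentication (Server Authentication EKU,
#    private key present). The page warns that an absent subject name breaks logon,
#    and that the issuing CA must be in NTAuth.
$serverAuthOid = "1.3.6.1.5.5.7.3.1"
$dcCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
}

foreach ($cert in $dcCerts) {
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)          # false if the root is not trusted locally
    $issuer  = $null
    if ($chain.ChainElements.Count -gt 1) {
        $issuer = $chain.ChainElements[1].Certificate   # element 0 is the DC cert itself
    }
    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        Subject         = $cert.Subject
        SubjectPresent  = -not [string]::IsNullOrEmpty($cert.Subject)
        ChainsToTrusted = $chainOk
        IssuerInNTAuth  = ($null -ne $issuer) -and ($ntAuthThumbs -contains $issuer.Thumbprint)
        NotAfter        = $cert.NotAfter
    }
}
```

A row with IssuerInNTAuth set to False reproduces the "Unable to verify the credentials" condition described in step 3; ChainsToTrusted set to False points at the root distribution in step 2.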
5. Request a smart card certificate from the E-Tag CA.
Enroll the user for a smart card certificate from the E-Tag CA.
6. Install the smartcard drivers and software on the smartcard workstation (GemSafe™ Standard Edition 5.1).
Make sure that the appropriate smartcard reader device and its driver software are installed on the smartcard workstation. This varies by smartcard reader vendor.
7. Install the E-Tag smartcard certificate to the smartcard workstation.
If the smartcard certificate was not already placed in the smartcard user's personal store during the enrollment process in step 4, you must import the certificate into the user's personal store. To do so:
a. Open the Microsoft Management Console (MMC) that contains the Certificates snap-in.
b. In the console tree, under Personal, click Certificates.
c. On the All Tasks menu, click Import to start the Certificate Import Wizard.
d. Select the file that contains the certificate that you are importing.
NOTE: If the file that contains the certificate is a Personal Information Exchange (PKCS #12) file, type the password that you used to encrypt the private key, select the appropriate check box if you want the private key to be exportable, and then turn on strong private key protection (if you want to use this feature).
NOTE: To turn on strong private key protection, you must use the Logical Certificate Stores view mode.
e. Select the option to automatically place the certificate in a certificate store based on the type of certificate.
8. Log on to the workstation with the smartcard.