
Configuring Windows smart card logon using Feitian PKI cards/tokens

Setup Guide

© Microcosm Ltd. 2023

Table of Contents
Prerequisites
    Environment
    Software
    Supported PKI Devices
Active Directory Certificate Services
    Installation
    Post-Deployment Configuration
Configure the Certificate Authority
    Configure Smart Card Logon
    Configure an Enrollment Agent
Provision a Smart Card on behalf of a user
Log on to Windows using the Smart Card
Support
    Technical Support & General Enquiries
    Sales/Ordering

Prerequisites

Environment
The following are prerequisites for using this setup guide.
• Windows Domain with domain server running Windows Server 2012 R2 or later
• Domain clients running Windows 7 or later

Software
You must run the ePass2003 installation package on each machine from which domain admins will
provision smart cards.
The installation package can be obtained from Microcosm support (see details at the end of this
document).
Important: Choose Private CSP when asked during the installation process.

Supported PKI Devices


This solution is compatible with the following PKI devices sold by Microcosm:
• Feitian ePass2003
• Microcosm PKI smart card

Active Directory Certificate Services
Active Directory Certificate Services (AD CS) must be installed on the domain. In this section we
show how to install and configure AD CS, assuming you don’t have it installed already.

Installation
1. From the Server Manager Dashboard click Add roles and features to open the “Add Roles
and Features Wizard”.
2. On the Server Roles page tick Active Directory Certificate Services.

3. On the AD CS Role Services page tick the Certification Authority role service.

4. Move on to the Confirmation page and click Install.

Post-Deployment Configuration
When installation of AD CS completes you will need to perform post-deployment configuration.
1. Click the flag notification icon at the top of the Server Manager then click on Configure
Active Directory Certificate Services on the destination server.
2. On the AD CS Configuration wizard tick Certification Authority on the Role Services
page.
3. On the Setup Type page choose Enterprise CA then click Next.
4. On the CA Type page choose Root CA then click Next.
5. On the Private Key page choose Create new private key then click Next.
6. Click the Next button to accept defaults on each subsequent page until you reach the
Confirmation page where you can click the Configure button.
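The same role installation and post-deployment configuration can be scripted. The following is an added example and not part of the Microcosm guide; the CA common name, key length, hash algorithm and validity period are placeholders chosen here (assumptions, not the wizard's defaults), so substitute your own values. Setting them explicitly rather than accepting defaults also records what the CA was built with.

```powershell
# Added example (not from the Microcosm guide): AD CS role installation plus the
# "Enterprise CA / Root CA / Create new private key" wizard choices as PowerShell.
# Assumptions (placeholders): CA common name CONTOSO-ROOT-CA, RSA 2048, SHA-256,
# 5-year CA certificate. An Enterprise CA install requires Enterprise Admins membership.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'CONTOSO-ROOT-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# Verify the CA came up, and that its certificate was published to the enterprise
# NTAuth store: domain controllers only accept smart card logon certificates from
# CAs listed there, so this is the first thing to check if logon later fails.
certutil -cainfo
certutil -enterprise -store NTAuth
```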

Configure the Certificate Authority
These steps will configure the domain Certificate Authority to allow smart card logon certificates to
be issued.

Configure Smart Card Logon


1. Open the Certification Authority by going to the Server Manager, click the Tools menu and
then click on Certification Authority.
2. In the Certification Authority window expand the server name then right-click on
Certificate Templates then click Manage.

3. In the Certificate Templates Console window locate the Smartcard Logon template, right-
click it and click Duplicate Template. The New Template dialog will open.

4. Configure the General tab as follows (you can give a name of your own choosing for the
template display name):

5. Configure the Compatibility tab. For the Certification Authority choose the version of
Windows Server that AD CS is running on. For the Certificate Recipient choose a value
that corresponds to the oldest client machines you are running. Click OK on any Resulting
Changes prompts that appear. For example:

6. Configure the Request Handling tab as follows:

7. Configure the Cryptography tab as follows:

8. Configure the Issuance Requirements tab as follows:

9. Click OK. This will create the template and you should see it in the list in the
Certificate Templates Console. Close the Certificate Templates Console window.
10. In the Certification Authority window, right-click the Certificate Templates folder and go
to New and then click on Certificate Template to Issue.

11. In the Enable Certificate Templates window, select the template we just created and click
OK.

12. You will now see the newly created template in the list under Certificate Templates in the
Certification Authority window.

Configure an Enrollment Agent
Configuring an Enrollment Agent allows a domain admin to enrol a smart card on behalf of a user.
1. Open the Certification Authority by going to the Server Manager, click the Tools menu and
then click on Certification Authority.
2. In the Certification Authority window expand the server name then right-click on
Certificate Templates then click Manage.
3. In the list of templates find Enrollment Agent, right-click it then click Duplicate Template.
4. On the General tab choose a name for the enrollment agent template, such as “ePass2003
Enrollment Agent”. Also tick the Publish certificate in Active Directory option.
5. Configure the Compatibility tab. For the Certification Authority choose the version of
Windows Server that AD CS is running on. For the Certificate Recipient choose a value
that corresponds to the oldest client machines you are running. Click OK on any Resulting
Changes prompts that appear. For example:

6. Configure the Request Handling tab as follows:

7. Configure the Cryptography tab as follows:

8. On the Security tab ensure the Domain Admins group has the Enroll permission ticked.
9. Click OK to create the new template then close the Certificate Template Console window.
10. In the Certification Authority window, right-click on the Certificate Templates folder then
go to New, then click on Certificate template to issue.

11. In the Enable Certificate Templates window select the Enrollment Agent template you just
created then click OK.

12. You should now see the template listed in the Certificate Templates folder of the
Certification Authority.

13. You must now request an enrollment agent certificate on the domain admin account(s) that
will be issuing smart cards to users.
Right-click the Start menu and click Run. Type certmgr.msc then press Enter.
14. In the Certificate Manager expand Certificates – Current User, then expand Personal.
Right-click Certificates, then go to All Tasks, Request New Certificate.

15. Click Next until you reach the Request Certificates screen. Here you must tick the
Enrollment Agent certificate template name you created earlier, then click Enroll.

16. On the Certificate Installation Results screen you should see that it succeeded. Click Finish.
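The two templates created in the Configure Smart Card Logon and Configure an Enrollment Agent sections, and the enrollment agent certificate requested in steps 13–16, can be checked from PowerShell rather than by clicking through the consoles. The script below is an added example, not part of the Microcosm guide. It assumes the guide's example display names “ePass2003 Logon” and “ePass2003 Enrollment Agent” (substitute your own), and that the RSAT ActiveDirectory and ADCSAdministration modules are available on the machine it runs on. The security-relevant checks are that each template still carries the EKU its parent had, that it is published on the CA, and, for the enrollment agent template in particular, that Enroll is held only by Domain Admins as step 8 intends: any broader group listed under BroadEnrollers could request smart card certificates on behalf of other users.

```powershell
# Added example, not part of the Microcosm guide: audit the duplicated templates and
# confirm the enrollment agent certificate is present for the current admin.
# Assumptions: display names below are the guide's examples; RSAT modules installed.
Import-Module ActiveDirectory
Import-Module ADCSAdministration

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$RequestAgentEku   = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent
$EnrollRightGuid   = [Guid]'0e10c968-78fb-11d1-a9c0-0000f80367c1'   # "Enroll" extended right
$BroadPrincipals   = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'

$templateContainer = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
                     (Get-ADRootDSE).configurationNamingContext

function Get-TemplateEnrollers {
    # Principals with an Allow ACE for the Enroll extended right, or GenericAll (which
    # includes it). Deny ACEs are deliberately ignored: the aim is to surface who
    # *could* enroll, not to compute effective access.
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    $Acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                ($_.ObjectType -eq $EnrollRightGuid -and
                 $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight))
            )
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Test-LogonTemplate {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$RequiredEku
    )
    $t = Get-ADObject -SearchBase $templateContainer -LDAPFilter "(displayName=$DisplayName)" `
             -Properties displayName, pKIExtendedKeyUsage, 'msPKI-Enrollment-Flag', nTSecurityDescriptor
    if (-not $t) { Write-Warning "Template '$DisplayName' not found in AD"; return }

    $enrollers = @(Get-TemplateEnrollers -Acl $t.nTSecurityDescriptor)
    # Compare the account part only ("NT AUTHORITY\Authenticated Users" -> "Authenticated Users")
    $broad = @($enrollers | Where-Object { $BroadPrincipals -contains ($_ -split '\\')[-1] })

    [pscustomobject]@{
        Template       = $DisplayName
        HasRequiredEku = [bool]($t.pKIExtendedKeyUsage -contains $RequiredEku)
        PublishedToAD  = (($t.'msPKI-Enrollment-Flag' -band 0x1) -ne 0)      # CT_FLAG_PUBLISH_TO_DS
        IssuedByCA     = [bool](Get-CATemplate | Where-Object Name -eq $t.Name) # "Certificate Template to Issue" done
        Enrollers      = $enrollers -join ', '
        BroadEnrollers = $broad -join ', '   # non-empty means wider than the guide's Domain Admins intent
    }
}

function Get-EnrollmentAgentCertificate {
    # Steps 13-16: the requesting admin's Personal store should now hold a certificate
    # with the Certificate Request Agent EKU and an associated private key.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $RequestAgentEku) } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

Test-LogonTemplate -DisplayName 'ePass2003 Logon'            -RequiredEku $SmartCardLogonEku
Test-LogonTemplate -DisplayName 'ePass2003 Enrollment Agent' -RequiredEku $RequestAgentEku
Get-EnrollmentAgentCertificate
```

Run it as the domain admin who performed steps 13–16; the last call returns nothing if that request did not succeed or was made under a different account.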

Provision a Smart Card on behalf of a user
1. Ensure you are logged in to a user account that is a member of the Domain Admins group.
2. Ensure you have an ePass2003 USB token attached to the machine, or a smart card inserted
into a card reader/writer that is attached to the machine.
3. Right click on the Start menu, go to Run then type certmgr.msc
4. Expand Personal, then right-click Certificates, then go to All Tasks, Advanced Operations
then click Enroll On Behalf Of.
5. Click Next until you reach the Select Enrollment Agent Certificate screen. Click Browse and
you will be prompted to pick the enrollment agent certificate you created at the end of the
previous section. Click OK, then click Next.

6. On the Request Certificates screen choose the smart card logon template name that we
created earlier (we used “ePass2003 Logon” in our example in the Configure Smart Card
Logon section). Click Next.

7. On the Select a user screen click Browse to choose the user to provision a smart card for.
8. Click Enroll. You might be prompted to enter the PIN for the card/token. The default is
12345678. We suggest you change this through the ePass2003 admin utility which you can
open by double-clicking the icon in the system tray (see below).

You can also use this utility to view the certificates on the card/token.

Log on to Windows using the Smart Card
When you come to sign in to your account you should ensure the smart card or token is attached to
the machine.
You can then choose the Smart Card option at the Windows logon screen.

You will then be prompted to enter the PIN of the card/token. Type your PIN then hit Enter.

You should now be logged in to your user account.
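Before a user depends on the card for sign-in, it is worth confirming from an ordinary session that the certificate on it is actually usable for logon. The following is an added example, not part of the Microcosm guide. It assumes the ePass2003 token or smart card is inserted and that Windows' Certificate Propagation service (CertPropSvc) has copied the card's certificate into the current user's Personal store, which it does automatically on insertion. The two failure modes it catches are a certificate without the Smart Card Logon EKU (wrong template) and an issuing CA that is not in the enterprise NTAuth store (the domain controller will reject the card even though the certificate chains correctly).

```powershell
# Added example, not part of the Microcosm guide: client-side readiness check for
# smart card logon. Assumes the card is inserted and CertPropSvc is running.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'

function Get-SmartCardLogonReadiness {
    $candidates = @(Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku) })
    if ($candidates.Count -eq 0) {
        Write-Warning 'No certificate with the Smart Card Logon EKU in the Personal store: is the card inserted and CertPropSvc running?'
        return
    }
    foreach ($cert in $candidates) {
        # The domain controller maps the card to an account via the UPN in the
        # Subject Alternative Name extension (OID 2.5.29.17).
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $upn = if ($san -and ($san.Format($false) -match 'Principal Name=([^,\s]+)')) { $Matches[1] } else { $null }

        # -Policy NTAUTH fails when the issuing CA is missing from the enterprise NTAuth
        # store, the usual cause of a card that looks fine but is rejected at logon.
        $chainOk = Test-Certificate -Cert $cert -Policy NTAUTH -EKU $SmartCardLogonEku -User -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            UPN           = $upn
            NotAfter      = $cert.NotAfter
            Thumbprint    = $cert.Thumbprint
            NtAuthChainOk = [bool]$chainOk
        }
    }
}

Get-SmartCardLogonReadiness | Format-List

# Read the card directly (reader, card and certificates) rather than the propagated copy.
certutil -scinfo
```

A row with NtAuthChainOk set to False, or a UPN that does not match the intended account, should be fixed at the CA before the user is told to sign in with the card.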

Support
If you have any questions about this PKI product please contact Microcosm using one of the following
methods.

Technical Support & General Enquiries


Email: support@microcosm.com
Telephone: +44 (0) 117 983 0084

Sales/Ordering
Email: sales@microcosm.com
Telephone: +44 (0) 117 983 0084
