To deploy smart cards in a Windows 2000 or Windows Server 2003 Active Directory environment, the following requirements must be met:
■ All domain controllers and computers in the forest must trust the root certification authority (CA) of the smart card certificate's certificate chain.
■ The CA that issues the smart card certificate must be included in Active Directory's NT Authority (NTAuth) store. When a CA certificate is added to the NTAuth object in Active Directory (CN=NTAuthCertificates,CN=Public Key Services,
Important Smart cards can only be used for Active Directory authentication. You cannot use a smart card to authenticate with an account in the local account database of the computer because this form of authentication is not a Kerberos authentication, but an NTLM or NTLMv2 authentication process.
Note UPN values must be unique in a Windows 2000 or Windows 2003 Active Directory environment.
CN=Services,CN=Configuration,DC=ForestRootDomain), the thumbprint of the CA's certificate is automatically distributed to all Windows 2000 and later domain members in the HKEY_LOCAL_MACHINE\Software\Microsoft \EnterpriseCertificates\NTAuth\Certificates registry key.
Note You can verify the CA certificates included in the NTAuth store by using the PKI Health Tool (pkiview.msc) included in the Windows Server 2003 Resource Kit.
■ The smart card certificate must contain the Smart Card Logon (22.214.171.124.4.1.3126.96.36.199) and Client Authentication (188.8.131.52.184.108.40.206.2) object identifier (OID) in the Enhanced Key Usage (EKU) extension or in the Application Policies extension.
Important The Smart Card Logon and Client Authentication OIDs must be valid in the entire certificate chain.
■ The smart card certificate must contain the user's UPN in the subject alternative name extension.
A Windows Server 2003 Enterprise Edition CA meets these requirements. Alternatively, a third-party CA can issue a smart card certificate, as long as the requirements are met. The requirements are detailed in Microsoft Knowledge Base Article 281245, "Guidelines for Enabling Smart Card Logon with Third-Party Certification Authorities." referenced in the "Additional Information" section at the end of the chapter.
Was this article helpful?