Certificate enrollment using smart cards

This article was previously published under Q257480
This article has been archived. It is offered "as is" and will no longer be updated.
The process required to configure smart card logon in Windows 2000 is broken down into four basic tasks:
  • Configuring the Certificate Authority (CA) to issue the proper certificates.
  • Specifying the policy that dictates which users can enroll for those certificates.
  • Configuring the enrollment agent account.
  • Enrolling users for smart cards.
This article describes these steps in detail.

NOTE: Windows 2000 smart card logon requires a Microsoft Certificate Authority (CA) configured with the enterprise policy module. Stand-alone CAs and third-party CAs are not supported by the procedure in this article.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
281245 Guidelines for enabling smart card logon with third-party Certification Authorities

Configure the CA to Issue the Proper Certificates

  1. Start the Certification Authority Microsoft Management Console (MMC) snap-in located in the Administration Tools folder on the enterprise CA.
  2. Open the Policy Settings folder. This folder contains all types of certificates the CA can issue.
  3. Right-click in the right-hand pane, click New, and then click Certificate to Issue.
  4. From the list of templates, click the following items:
    • Enrollment Agent
    • Smartcard Logon or Smartcard User, or both
    NOTE: Hold down the CTRL key to select more than one template.

  5. Click OK.
The CA is now configured to issue certificates for the enrollment agent and the actual smart card certificates that are issued to users.

Specify the Enrollment Policy

Certificates issued by the CA are based on certificate templates stored in Active Directory. The CA enforces the Access Control Lists (ACLs) set on these templates; they determine which user and computer accounts can request which certificates. To configure the ACLs on these templates, use the following steps:
  1. Start the Active Directory Sites and Services MMC snap-in.
  2. If the Services node is not visible, click Show Services Node on the View menu.
  3. Click Services, click Public Key Services, and then click Certificate Templates.
  4. Right-click the EnrollmentAgent template, and then click Properties.
  5. On the Security tab, make sure the user or group designated as an enrollment agent by your organization has Read and Enroll permissions on the template, and then click OK.
  6. Right-click the MachineEnrollmentAgent template, and then click Properties.
  7. On the Security tab, make sure the computer or group designated as an enrollment station by your organization has Read and Enroll permissions on the template, and then click OK.
  8. Right-click the SmartcardUser and/or SmartcardLogon template, and then click Properties.
  9. On the Security tab, make sure the user or group that is designated as enrollment agent has Read and Enroll permissions on the template, and then click OK.
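The permission check in steps 4 through 9 is easy to get wrong, because Enroll is an object-specific extended right rather than one of the standard permissions shown in the ACL editor. The following Python script is an added example, not part of this KB article: it parses a template's security descriptor in SDDL form and lists the principals that effectively hold Enroll, flagging broad groups (Authenticated Users, Domain Users, Everyone) that should never be able to enroll for the EnrollmentAgent template. The retrieval command in the docstring, the DN suffix and the group SID are assumptions, and both descriptors are constructed samples rather than output from a real domain.

```python
"""List the principals that can enroll for a certificate template.

Added example for this KB article, not code from the original. The input is
the template object's security descriptor in SDDL form. On a later domain it
could be read with, for example, (Get-Acl "AD:\\CN=EnrollmentAgent,CN=Certificate
Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example").Sddl;
that command, the DN suffix and the group SID below are assumptions, and the
two descriptors are constructed samples from no real domain.
"""
import re

# Extended-right GUID of Certificate-Enrollment in the AD schema.
ENROLL_GUID = "0e10c968-78fb-11d1-a9c7-0000f80367c1"
DS_CONTROL_ACCESS, GENERIC_ALL = 0x100, 0x10000000

# SDDL SID aliases that commonly appear in template ACLs.
SID_ALIASES = {"AU": "Authenticated Users", "DU": "Domain Users", "WD": "Everyone",
               "DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "Administrators"}
# Groups that should never hold Enroll on EnrollmentAgent.
TOO_BROAD = {"AU", "DU", "WD"}

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_aces(sddl):
    """Return the DACL ACEs as 6-field lists: type, flags, rights, object GUID, inherit GUID, SID."""
    m = DACL_RE.search(sddl)
    return [ace.split(";") for ace in ACE_RE.findall(m.group(1))] if m else []


def right_tokens(rights):
    """Split an SDDL rights field into two-letter tokens (or decode a hex mask)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {t for t, bit in (("CR", DS_CONTROL_ACCESS), ("GA", GENERIC_ALL)) if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def covers_enroll(ace_type, rights, obj_guid):
    """True if this ACE's rights include the Enroll extended right."""
    toks = right_tokens(rights)
    if not ({"CR", "GA"} & toks):
        return False
    # A non-object ACE with CR grants every extended right; an object ACE must
    # name the Enroll GUID (an empty GUID also means all extended rights).
    return ace_type in ("A", "D") or obj_guid.lower() in ("", ENROLL_GUID)


def enroll_principals(sddl):
    """SIDs (or aliases) that are allowed Enroll and not explicitly denied it."""
    allowed, denied = set(), set()
    for ace in parse_aces(sddl):
        if len(ace) != 6:
            continue
        ace_type, _flags, rights, obj_guid, _inh, sid = ace
        if ace_type in ("A", "OA") and covers_enroll(ace_type, rights, obj_guid):
            allowed.add(sid)
        elif ace_type in ("D", "OD") and covers_enroll(ace_type, rights, obj_guid):
            denied.add(sid)
    return sorted(allowed - denied)


def audit(sddl, template):
    """Summarise who can enroll for the template and which grants are too broad."""
    sids = enroll_principals(sddl)
    return {"template": template,
            "enroll": [SID_ALIASES.get(s, s) for s in sids],
            "too_broad": [SID_ALIASES[s] for s in sids if s in TOO_BROAD]}


# Constructed samples: a dedicated group plus Enterprise Admins can enroll
# (Authenticated Users can only read), versus a template opened to Domain Users.
SAMPLE_OK = ("O:EAG:EAD:PAI"
             "(OA;;CR;0e10c968-78fb-11d1-a9c7-0000f80367c1;;S-1-5-21-1004336348-1177238915-682003330-1105)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)"
             "(A;;LCRPLORC;;;AU)")
SAMPLE_BAD = ("O:EAG:EAD:PAI"
              "(OA;;CR;0e10c968-78fb-11d1-a9c7-0000f80367c1;;DU)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)")

if __name__ == "__main__":
    for name, sddl in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit(sddl, "EnrollmentAgent"))
```

Run it against the EnrollmentAgent, MachineEnrollmentAgent and SmartcardLogon/SmartcardUser descriptors in turn; on the EnrollmentAgent template the only acceptable entries are the group your organization has designated as enrollment agents and the administrative groups that manage the CA.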

Configure the Smart Card Enrollment Station and the Enrollment Agent Account

To enroll for a smart card certificate on behalf of someone else, the user must hold an enrollment agent certificate. A smart card enrollment agent can create smart cards on behalf of any user, including an enterprise administrator, and after the card is created it can be used to log on to the domain with the credentials of the user for whom it was created. It is therefore a very sensitive role, and Windows 2000 has no built-in restriction on which users a given agent may enroll. Because the Enrollment Agent certificate can only be obtained by accounts that have Enroll permission on the EnrollmentAgent template, that template's ACL is how administrators control which accounts can issue smart cards. This, combined with appropriate physical security of the enrollment station, gives a high degree of confidence in the smart card generation process.

To configure the smart card enrollment agent, follow these steps:
  1. Log on to the domain from the enrollment station with the account that will act as the enrollment agent. This account requires no special rights and can be a simple domain user.
  2. Start the Certificates MMC snap-in for your user account (mmc.exe, Add/Remove Snap-in, Certificates, My user account).
  3. Open the Personal folder, right-click in the right-hand pane, and then click All Tasks.
  4. Click Request New Certificate.
  5. Complete the Certificate Request Wizard and request an enrollment agent certificate.
The enrollment agent is now ready to start enrolling users for smart card certificates.

Enroll Users for Smart Cards

After the CA is configured, the enrollment policy is set, and the enrollment agent and enrollment station are configured, you can enroll users for smart cards. You must use the following steps for every smart card issued:
  1. On the enrollment station, start Microsoft Internet Explorer and point the browser to http://CAServer/certsrv (where CAServer is the CA).
  2. On the Welcome Page, click Request a certificate, and then click Next.
  3. Click Advanced Request, and then click Next.
  4. Click Request a certificate for a smart card, and then click Next.
  5. The first time the Smart Card Enrollment Station page is loaded, an ActiveX control is downloaded from the CA. Install this control when prompted.
  6. Use the boxes to design your request. Click Smartcard Logon or Smartcard User as the certificate template.
  7. If there are multiple CAs in the organization, select the CA that is configured to issue smart cards. If there is only one CA in the organization, it should be automatically selected. The CA names are pulled from Active Directory.
  8. Select the Cryptographic Service Provider. This should match the brand of smart card you are using. Windows 2000 ships with providers for the two most popular smart card manufacturers (GemPlus and Schlumberger).
  9. The Administrator Signing Certificate should already be set. This is the enrollment agent certificate requested in the previous section.
  10. Select the user to enroll. This user must have Enroll permissions for the SmartCard template, either individually or through group membership.
  11. Insert the blank smart card into the reader attached to the enrollment station, and then click Enroll.
  12. When prompted, type the PIN for the smart card. The default PIN for GemPlus cards is 1234; the default for Schlumberger cards is 00000000 (eight zeros). These defaults are the same on every card from the vendor and are public knowledge, so select the option that forces the user to change the PIN the first time the smart card is used.
  13. When the process is complete, click View Certificate to check the certificate, or click New User to enroll another user.
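Step 13 says to view the certificate, but not what to look for. For Windows 2000 logon the certificate must carry both the Client Authentication and Smart Card Logon enhanced key usages, and its Subject Alternative Name must contain a UPN that matches the account being enrolled; a card that was accidentally enrolled with the Enrollment Agent template must not be handed to an ordinary user. The following Python script is an added example, not code from this article: it decodes the DER values of those two extensions with a minimal standard-library reader and reports anything missing. The extension bytes and the UPN alice@corp.example are constructed sample data.

```python
"""Verify the EKU and UPN SAN of an issued smart card certificate.

Added example for this KB article, not code from the original. The two
extension values are DER as exported by any X.509 tool; the bytes below
are constructed sample data (UPN alice@corp.example), not from a real card.
"""

# OIDs found in Windows 2000 smart card and enrollment agent certificates.
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_ENROLLMENT_AGENT = "1.3.6.1.4.1.311.20.2.1"
OID_UPN = "1.3.6.1.4.1.311.20.2.3"


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """OID content bytes -> dotted string (first byte packs the first two arcs)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear ends this base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_eku(der):
    """ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("EKU is not a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU entry is not an OID")
        oids.append(decode_oid(val))
    return oids


def parse_upns(der):
    """UPNs from a SAN: otherName [0] { OID_UPN, [0] EXPLICIT UTF8String }."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("SAN is not a SEQUENCE")
    upns, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag != 0xA0:               # only otherName ([0] IMPLICIT) can carry a UPN
            continue
        oid_tag, oid_val, p = read_tlv(val)
        if oid_tag != 0x06 or decode_oid(oid_val) != OID_UPN:
            continue
        ctx_tag, ctx_val, _ = read_tlv(val, p)     # [0] EXPLICIT wrapper
        str_tag, str_val, _ = read_tlv(ctx_val)
        if ctx_tag == 0xA0 and str_tag == 0x0C:    # UTF8String
            upns.append(str_val.decode("utf-8"))
    return upns


def check_smartcard_logon(eku_der, san_der, expected_upn):
    """Return the list of problems; an empty list means the card is usable for logon."""
    ekus, upns = parse_eku(eku_der), parse_upns(san_der)
    problems = []
    if OID_CLIENT_AUTH not in ekus:
        problems.append("missing Client Authentication EKU")
    if OID_SMARTCARD_LOGON not in ekus:
        problems.append("missing Smart Card Logon EKU")
    if OID_ENROLLMENT_AGENT in ekus:
        problems.append("user card carries the Enrollment Agent EKU")
    if upns != [expected_upn]:
        problems.append("UPN SAN %r does not match %r" % (upns, expected_upn))
    return problems


# Constructed sample extension values (not from a real certificate).
SAMPLE_EKU = bytes.fromhex("3016"
                           "06082b06010505070302"        # clientAuth
                           "060a2b060104018237140202")   # Smart Card Logon
SAMPLE_SAN = bytes.fromhex("3024a022"
                           "060a2b060104018237140203"    # UPN otherName OID
                           "a0140c12"                    # [0] EXPLICIT UTF8String(18)
                           "616c69636540636f72702e6578616d706c65")  # alice@corp.example

if __name__ == "__main__":
    print(check_smartcard_logon(SAMPLE_EKU, SAMPLE_SAN, "alice@corp.example"))
```

The UPN comparison is exact on purpose: a certificate whose UPN does not match the account's userPrincipalName in Active Directory is rejected at logon, so a mismatch is cheaper to catch at the enrollment station than at the user's desk.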
For additional information about public key installation, click the following article number to view the article in the Microsoft Knowledge Base:
231881 How to install/uninstall a public key Certificate Authority for Windows 2000

PKINIT ("Public Key Cryptography for Initial Authentication in Kerberos") is the Kerberos extension that Windows 2000 uses when a smart card is used for interactive logon. At the time this article was written it was an IETF Internet Draft; Windows 2000 implements draft 9 of that document, and Microsoft stated that it would revise the implementation when the draft became a standard. PKINIT was later published as RFC 4556 (June 2006).

IETF Internet Drafts can be found at http://www.ietf.org. They expire six months after publication.

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Article ID: 257480 - Last Review: 12/05/2015 19:08:48 - Revision: 4.4

Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Professional Edition, Microsoft Windows 2000 Datacenter Server
