Government issued ID cards and smartcard logons

Windows Server 2008 

I was recently involved in a support case concerning implementing government-issued ID cards (National ID with a chip on it) and how to use them to do a smartcard logon.

Before you begin, make sure the CSP being used fully supports smartcard logons on Vista/W2k8.

Running certutil -scinfo from within an elevated command prompt while logged on with username/password should give an indication of whether you're able to access the keys on the card (certutil will still complain about the missing EKU, which is expected in this case).

Once you have confirmed that the CSP is usable for smartcard logon on Vista, make sure you read Spat's blog concerning the requirements for an EKU-less logon: http://blogs.msdn.com/spatdsg/archive/2008/04/17/smartcard-in-2008-and-vista.aspx

In short:

- The client and Domain Controllers need to be at W2k8/Vista SP1 level.

- The post-SP1 W2k8 hotfix 959887 must be installed on all the W2k8 DCs.

- The post-SP1 Vista hotfix 955558 must be installed on all Vista clients involved.

- The X509 information from the smartcard must be imported into the AltSecurityIdentities attribute of the user (there is no implicit mapping for the RFC822 name).

- The registry settings on the client side (Vista or W2k8 member server) must be set in order for the certificate picker to allow the user to pick a smart card certificate without an EKU.

- The registry settings on the server side (Domain Controller) must be set in order for the DC to allow a smartcard certificate without an EKU to be used.

Example: if the Subject Alternative Name is RFC822: user1@contoso.com, the AltSecurityIdentities attribute should contain X509:<RFC822>user1@contoso.com. The MSDN documentation is not very clear on this point, but this needs to be done for each user that wants to use a smartcard certificate without a UPN name.
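The mapping above has to be typed exactly as the RFC822 name appears in the certificate, so it is easy to get wrong by hand. The following PowerShell script is an added example (not from the original post or from Microsoft) that reads the RFC822 name out of a certificate exported from the card, builds the X509:<RFC822> string and appends it to the user's altSecurityIdentities through ADSI. It assumes a hypothetical export path (C:\cards\user1.cer), that the user's AD "mail" attribute holds the same address as the SAN, and that it runs on a domain-joined machine under an account allowed to write that attribute; it does not touch the client or DC registry settings mentioned above.

```powershell
# Added example: populate altSecurityIdentities from the RFC822 SAN of a smartcard certificate.
# Assumptions (hypothetical): certificate exported to C:\cards\user1.cer, and the
# user's "mail" attribute equals the RFC822 name in the SAN.
param(
    [string]$CertPath = 'C:\cards\user1.cer'
)

# Load the exported certificate (DER or Base64 .cer both load here).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Subject Alternative Name extension has OID 2.5.29.17.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Certificate has no Subject Alternative Name extension.' }

# Format($true) renders one entry per line, e.g. "RFC822 Name=user1@contoso.com".
$sanText = $sanExt.Format($true)
if ($sanText -match 'RFC822 Name=(\S+)') {
    $rfc822 = $Matches[1]
} else {
    throw 'No RFC822 name in the SAN; the explicit mapping needs one.'
}

# This is the value the post says belongs in AltSecurityIdentities.
$mapping = "X509:<RFC822>$rfc822"

# Locate the user by mail attribute (assumption: mail == RFC822 SAN).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(mail=$rfc822))"
$result = $searcher.FindOne()
if (-not $result) { throw "No user with mail=$rfc822 found in the domain." }
$user = $result.GetDirectoryEntry()

# altSecurityIdentities is multi-valued: append rather than overwrite existing mappings.
$existing = @($user.Properties['altSecurityIdentities'])
if ($existing -contains $mapping) {
    Write-Host "Mapping already present on $($user.distinguishedName): $mapping"
} else {
    $user.PutEx(3, 'altSecurityIdentities', @($mapping))   # ADS_PROPERTY_APPEND = 3
    $user.SetInfo()
    Write-Host "Added mapping to $($user.distinguishedName): $mapping"
}

# Read back so the value written can be compared with the certificate, character for character.
$user.RefreshCache()
$user.Properties['altSecurityIdentities'] | ForEach-Object { Write-Host "  $_" }
```

Run it once per card holder (or loop over a folder of exported certificates); the read-back at the end is the check worth keeping, since the KDC matches the string literally and a stray space or different casing in the address is enough to make the logon fail with a mapping error rather than anything pointing at the attribute.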

Other potential caveats to look out for are:

- The CRL for the smartcard certificate (if any) may not be accessible from the DCs.

- The CRL for the DC certificates may not be accessible from the clients.

- The Domain Controller certificate needs to be formatted as per KB321051 (if not from a Microsoft CA, which would use the DomainControllerAuthentication certificate template).

Once all of this is in place, insert your national ID/government-issued smartcard into a smartcard reader and log on with your PIN. It's as simple as that! :)

Further information:

Smartcard in 2008 and Vista: National ID card? No UPN? No EKU? No problem! http://blogs.msdn.com/spatdsg/archive/2008/04/17/smartcard-in-2008-and-vista.aspx

You cannot use a smart card certificate to log on to a domain from a Windows Vista-based client computer

http://support.microsoft.com/?id=959887

You cannot use a smart card certificate to log on to a domain from a Windows Vista-based or a Windows Server 2008-based client computer

http://support.microsoft.com/?id=955558