Using a Non-Microsoft CA with Smartcard Logon

 

Dartmouth College PKI Lab

Last updated: 10/12/2004

 

Introduction and Purpose

Microsoft Windows has the ability to use PKI smartcards and USB tokens for interactive logon authentication to Active Directory (AD).This authentication is currently the strongest available for AD, and the use of PKI smartcards or USB tokens allows economical two-factor authentication for AD.Institutions using Microsoftís Server 2003 CA product report that it is straightforward to make smartcard logon work with AD.Other institutions using non-Microsoft CAs have encountered more difficulties.

 

The purpose of this document is to report what Dartmouth had to do to get our certificates issued by our non-Microsoft CA to work with smartcard logon.We hope that our experiences will help others as they implement smartcard logon with a non-Microsoft CA.We found it extremely useful to get hints from some industry colleagues who had implemented smartcard logon with a non-Microsoft CA (even just knowing they had succeeded was a big help).Now we hope to share our experiences as widely as possible so others can implement this as efficiently as possible.

Versions and Products

This works for us using the following software:

  • Windows XP Professional, Service Pack 2
  • Aladdin eToken PRO USB token, RTE version 3.51
  • SunONE CA, version XXX
  • Active Directory, version XXX

Caveats

We have not extensively tested this, but wanted to document it while it was still fresh in our minds.We do not yet have hundreds of users using this on a daily basis.

 

Your mileage may vary with other versions of software.In particular, some CA implementations may not have the flexibility required to generate all the required fields in the smartcard-enabled certificates.You should check into this earlier rather than later.

 

We do not document the actual CA operations required to get the proper fields in the certificate.Our CA is a discontinued commercial product, so our details probably wouldnít be very useful.Instead, we present the details of the fields required so you can see what you need to make your CA do.

References

We found the Microsoft Knowledge Base article at: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q281245 to be useful.We are not allowed to copy it, so please refer to this URL for information that may not be included in this document.Note: We did not do step 7 in this document Ė just having the certificate on the token is enough, and there is no need to install it in the computer beforehand.

Instructions

There are three areas of work to make smartcard logon work:

 

  1. Configure the client
  2. Produce smartcard-enabled end user certificates from your CA
  3. Configure Active Directory

Configure the client

We installed the Aladdin RTE (USB token) drivers and made sure we didnít have Aladdinís eGina product installed on the client.

Produce smartcard-enabled end user certificates from your CA

Example Certificate

Here is a certificate with the proper magic in it:

 

Link

 

Base 64 encoded text:

-----BEGIN CERTIFICATE-----

MIIFRTCCBC2gAwIBAgICDIQwDQYJKoZIhvcNAQEFBQAwdzETMBEGCgmSJomT8ixk

ARkWA2VkdTEZMBcGCgmSJomT8ixkARkWCWRhcnRtb3V0aDELMAkGA1UEBhMCVVMx

GjAYBgNVBAoTEURhcnRtb3V0aCBDb2xsZWdlMRwwGgYDVQQDExNEYXJ0bW91dGgg

Q2VydEF1dGgxMB4XDTA0MTAwNzE2NDEyOFoXDTA4MTAwNzE2NDEyOFowgcsxEzAR

BgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxGjAY

BgNVBAoTEURhcnRtb3V0aCBDb2xsZWdlMRgwFgYDVQQLEw9Qcml2YXRlR3JvdXBW

UE4xGjAYBgoJkiaJk/IsZAEBEwoxOTI3NzQzODM4MRkwFwYDVQQDExBNYXJrIEou

IEZyYW5rbGluMSwwKgYJKoZIhvcNAQkBFh1NYXJrLkouRnJhbmtsaW5ARGFydG1v

dXRoLmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApTUHUkCRFAeLAR/3

MdrdJbofS8Z3rm1tOo9E6hX3f8X5Mx1g4OvWHBQjxafJ/PpjQ+bxr+XZdoDeZEr8

EJo5MC1ImXrbIBluH4D+a3AioT7+PjRGGM8xdBR1nr6/dyO58kcfD7k3Z2tWkj/C

WEvqhxps5t6LQ0K0N7zaxcUYoUECA0ZS56OCAggwggIEMBEGCWCGSAGG+EIBAQQE

AwIFoDAOBgNVHQ8BAf8EBAMCBeAwgbIGA1UdIASBqjCBpzCBpAYKKwYBBAFBAgEB

AjCBlTBJBggrBgEFBQcCAjA9MBgWEURhcnRtb3V0aCBDb2xsZWdlMAMCAQEaIUhp

Z2ggQXNzdXJhbmNlIENlcnRpZmljYXRlIFBvbGljeTBIBggrBgEFBQcCARY8aHR0

cDovL3d3dy5kYXJ0bW91dGguZWR1L35wa2lsYWIvRGFydG1vdXRoQ1BTX0hBXzE5

RmViMDQucGRmMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9jb2xsZWdlY2EuZGFy

dG1vdXRoLmVkdS9jb2xsZWdlY2EuY3JsMB8GA1UdIwQYMBaAFD/A1senTwB+7waZ

Z2y8lh5No3cSMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2Nv

bGxlZ2VjYS5kYXJ0bW91dGguZWR1L29jc3AwXgYDVR0RBFcwVYEdTWFyay5KLkZy

YW5rbGluQERhcnRtb3V0aC5lZHWgNAYKKwYBBAGCNxQCA6AmDCRNYXJrLkouRnJh

bmtsaW5Aa2lld2l0LmRhcnRtb3V0aC5lZHUwKQYDVR0lBCIwIAYIKwYBBQUHAwIG

CisGAQQBgjcUAgIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBBQUAA4IBAQCvGQyObL1A

DjDJg1EOGir9apdOlP5KjpcJfocYw7ao+l21Z1BReq0eH7+0UXP6v1t5Uo5GDAoX

bVDLobzexbQUwiQln4U/NYIFK/Z5Gv9HiFDbAGN6VTQB7/Yitds1NCsq/FjvJhWg

nN+Rb9Ojowk+cJcQdwKuTJ7hQwT3Op4cDWxJ+RTE4Bb9jEBa7EHWM98JZa60jlx7

ItqYfcg8US1U63b9Ih9UHeKSo9LsBA2X8ZRAiZSdijEgWcFS0BSLDUg10//1anhF

kquLOnRY3lA50bvKpsqfBfqJ+l3qsg2fVFVomxIVoG1j2SpKQXUBwEalpTMavWvA

QVEW3gJJTgVc

-----END CERTIFICATE-----

 

We found it extremely valuable to have an example of a working smartcard-enabled certificate as we adjusted our CA to produce our own.We referred to it frequently in order to get the proper fields in our own certificates.

Required fields

Fields we had to add to our certificate are:

Note 1: We found that https on the URL for the CDP did not work.

Note 2: We have since implemented multiple URLs in this field, and this seems to work fine.

 

Key Usage:

 

Enhanced Key Usage:

Note: We added the Secure Email and Client Authentication entries because Windows appeared to disregard the Key Usage bits once we added Smart Card Logon in Enhanced Key Usage.

 

Subject Alternative Name:

Note 1: The text needs to be formatted as ASN1 / UTF-8 or it will not be readable in the Certificate viewer as above and will not work properly for smartcard logon.

Note 2: We already had the RFC822 Name part in Subject Alternative Name.Itís probably not necessary for smartcard logon purposes.

 

Subject

 

Microsoft requires a Subject field even though they also require the UPN in the Othername part of the Subject Alternative Name.They say populating Subject is optional.Most certificates have Subject, so this probably isnít an issue for you.

Configure Active Directory

There are three certificate installation steps required.Details about how to do all of these are in the Microsoft Knowledge Base article above, or consult your Active Directory documentation.

 

  1. Install your third party CA root certificate in the Active Directory Group Policy object.
  2. Make sure your root certificate is in the NTAuth store.In our case, this appeared to happen automatically when we did step 1.
  3. Make sure your domain controller(s) has(have) domain controller certificates.Ours already had one for other reasons (SSL communications).We used the Windows Server 2003 CA to issue this certificate.

 

Once we had all the pieces in place, smartcard logon was automatically enabled by Active Directory and the Windows clients.

 

We didnít have to change anything about our root certificate (e.g. no smartcard key usage bits required).Here is our root certificate:

 

Link

 

-----BEGIN CERTIFICATE-----

MIID3zCCAsegAwIBAgIBAjANBgkqhkiG9w0BAQUFADB3MRMwEQYKCZImiZPyLGQB

GRYDZWR1MRkwFwYKCZImiZPyLGQBGRYJZGFydG1vdXRoMQswCQYDVQQGEwJVUzEa

MBgGA1UEChMRRGFydG1vdXRoIENvbGxlZ2UxHDAaBgNVBAMTE0RhcnRtb3V0aCBD

ZXJ0QXV0aDEwHhcNMDMwMTA5MDUwMDAwWhcNMTMwMTA5MDUwMDAwWjB3MRMwEQYK

CZImiZPyLGQBGRYDZWR1MRkwFwYKCZImiZPyLGQBGRYJZGFydG1vdXRoMQswCQYD

VQQGEwJVUzEaMBgGA1UEChMRRGFydG1vdXRoIENvbGxlZ2UxHDAaBgNVBAMTE0Rh

cnRtb3V0aCBDZXJ0QXV0aDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB

AQDg36IP1LlOICbXPlLEeiIRrQjcLIbu45zX0bUPPfweIlJPgjjTr8oOBXkzIhiR

cMdDgE9o7iIOugcy/ZHVnTlh6W8eZDwsbm0ofVjrI2sMmENH7Zre43Hw/Af/OpES

U8+5mDikrgozOW7+dTdmeOD91BVlACKmKkK4X5AFDmqoKtBbuM1ZbVdzaq/eGjCJ

Mhnit+sroHJRg5FIEwgowANe85/iVdB8xTBcEny4fm53PMZzLOPs+bkZOCLTKoHz

xSN7HbydVmkPGI8foHOD95C6P5moiHqWxxg7mdvfU5j3bedRA1AhrrpoP1Wwi3W3

6oLUCfnS7XEntOyW+a3REr61AgMBAAGjdjB0MBEGCWCGSAGG+EIBAQQEAwIABzAP

BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ/wNbHp08Afu8GmWdsvJYeTaN3EjAf

BgNVHSMEGDAWgBQ/wNbHp08Afu8GmWdsvJYeTaN3EjAOBgNVHQ8BAf8EBAMCAYYw

DQYJKoZIhvcNAQEFBQADggEBAKhinGIWf6z85SlleOn618GCs4RTJYtlch4xaa1h

X/GfcZahh3RmDuBLrzgl6z74TZoY3Ey+0YvUxg8ZsUIL95jF9VZ+edb5E87uV6GV

6f9QHykJFSa74zN5Oc5mUfeoeGenLkNHh/L+m7onrOoc7hRNmZRYXdtNU4TlL6RU

c5SjJ8ogXqldj9O0eJ6K6AWbuwrnakOhZNg20ZF81fx/it3D76BSd24nyVCjwV8C

pKxvnM3xfwrlPrfl01HrAytnE9zIPXdfXvSsqIiXtVrgA3Q3bEfq1KKz57/4UyO1

dDEdFfPXMw1yJWHAh5SbZgk3ECyoCOJA14V9cJ12S3Qab1w=

-----END CERTIFICATE-----

Debugging

The two error messages we encountered while debugging were reasonably descriptive.The Microsoft Knowledge Base Article referenced above has quite a bit of troubleshooting information in it, but we didnít need most of it.