Using a Non-Microsoft CA with Smartcard Logon


Dartmouth College PKI Lab

Last updated: 10/12/2004


Introduction and Purpose

Microsoft Windows has the ability to use PKI smartcards and USB tokens for interactive logon authentication to Active Directory (AD).  This authentication is currently the strongest available for AD, and the use of PKI smartcards or USB tokens allows economical two-factor authentication for AD.  Institutions using Microsoft’s Server 2003 CA product report that it is straightforward to make smartcard logon work with AD.  Other institutions using non-Microsoft CAs have encountered more difficulties.


The purpose of this document is to report what Dartmouth had to do to get our certificates issued by our non-Microsoft CA to work with smartcard logon.  We hope that our experiences will help others as they implement smartcard logon with a non-Microsoft CA.  We found it extremely useful to get hints from some industry colleagues who had implemented smartcard logon with a non-Microsoft CA (even just knowing they had succeeded was a big help).  Now we hope to share our experiences as widely as possible so others can implement this as efficiently as possible.

Versions and Products

This works for us using the following software:

  • Windows XP Professional, Service Pack 2
  • Aladdin eToken PRO USB token, RTE version 3.51
  • SunONE CA, version XXX
  • Active Directory, version XXX

Caveats

We have not extensively tested this, but wanted to document it while it was still fresh in our minds.  We do not yet have hundreds of users using this on a daily basis.


Your mileage may vary with other versions of software.  In particular, some CA implementations may not have the flexibility required to generate all the required fields in the smartcard-enabled certificates.  You should check into this earlier rather than later.


We do not document the actual CA operations required to get the proper fields in the certificate.  Our CA is a discontinued commercial product, so our details probably wouldn’t be very useful.  Instead, we present the details of the fields required so you can see what you need to make your CA do.

References

We found Microsoft Knowledge Base article 281245, "Guidelines for enabling smart card logon with third-party certification authorities", at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q281245 to be useful.  We are not allowed to copy it, so please refer to that URL for information that may not be included in this document.  Note: We did not do step 7 of the article; just having the certificate on the token is enough, and there is no need to install it on the computer beforehand.

Instructions

There are three areas of work to make smartcard logon work:


  1. Configure the client
  2. Produce smartcard-enabled end user certificates from your CA
  3. Configure Active Directory

Configure the client

We installed the Aladdin RTE (USB token) drivers and made sure we didn’t have Aladdin’s eGina product installed on the client.

Produce smartcard-enabled end user certificates from your CA

Example Certificate

Here is a certificate with the proper fields in it, as Base 64 encoded text:

-----BEGIN CERTIFICATE-----
MIIFRTCCBC2gAwIBAgICDIQwDQYJKoZIhvcNAQEFBQAwdzETMBEGCgmSJomT8ixk
ARkWA2VkdTEZMBcGCgmSJomT8ixkARkWCWRhcnRtb3V0aDELMAkGA1UEBhMCVVMx
GjAYBgNVBAoTEURhcnRtb3V0aCBDb2xsZWdlMRwwGgYDVQQDExNEYXJ0bW91dGgg
Q2VydEF1dGgxMB4XDTA0MTAwNzE2NDEyOFoXDTA4MTAwNzE2NDEyOFowgcsxEzAR
BgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxGjAY
BgNVBAoTEURhcnRtb3V0aCBDb2xsZWdlMRgwFgYDVQQLEw9Qcml2YXRlR3JvdXBW
UE4xGjAYBgoJkiaJk/IsZAEBEwoxOTI3NzQzODM4MRkwFwYDVQQDExBNYXJrIEou
IEZyYW5rbGluMSwwKgYJKoZIhvcNAQkBFh1NYXJrLkouRnJhbmtsaW5ARGFydG1v
dXRoLmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApTUHUkCRFAeLAR/3
MdrdJbofS8Z3rm1tOo9E6hX3f8X5Mx1g4OvWHBQjxafJ/PpjQ+bxr+XZdoDeZEr8
EJo5MC1ImXrbIBluH4D+a3AioT7+PjRGGM8xdBR1nr6/dyO58kcfD7k3Z2tWkj/C
WEvqhxps5t6LQ0K0N7zaxcUYoUECA0ZS56OCAggwggIEMBEGCWCGSAGG+EIBAQQE
AwIFoDAOBgNVHQ8BAf8EBAMCBeAwgbIGA1UdIASBqjCBpzCBpAYKKwYBBAFBAgEB
AjCBlTBJBggrBgEFBQcCAjA9MBgWEURhcnRtb3V0aCBDb2xsZWdlMAMCAQEaIUhp
Z2ggQXNzdXJhbmNlIENlcnRpZmljYXRlIFBvbGljeTBIBggrBgEFBQcCARY8aHR0
cDovL3d3dy5kYXJ0bW91dGguZWR1L35wa2lsYWIvRGFydG1vdXRoQ1BTX0hBXzE5
RmViMDQucGRmMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9jb2xsZWdlY2EuZGFy
dG1vdXRoLmVkdS9jb2xsZWdlY2EuY3JsMB8GA1UdIwQYMBaAFD/A1senTwB+7waZ
Z2y8lh5No3cSMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2Nv
bGxlZ2VjYS5kYXJ0bW91dGguZWR1L29jc3AwXgYDVR0RBFcwVYEdTWFyay5KLkZy
YW5rbGluQERhcnRtb3V0aC5lZHWgNAYKKwYBBAGCNxQCA6AmDCRNYXJrLkouRnJh
bmtsaW5Aa2lld2l0LmRhcnRtb3V0aC5lZHUwKQYDVR0lBCIwIAYIKwYBBQUHAwIG
CisGAQQBgjcUAgIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBBQUAA4IBAQCvGQyObL1A
DjDJg1EOGir9apdOlP5KjpcJfocYw7ao+l21Z1BReq0eH7+0UXP6v1t5Uo5GDAoX
bVDLobzexbQUwiQln4U/NYIFK/Z5Gv9HiFDbAGN6VTQB7/Yitds1NCsq/FjvJhWg
nN+Rb9Ojowk+cJcQdwKuTJ7hQwT3Op4cDWxJ+RTE4Bb9jEBa7EHWM98JZa60jlx7
ItqYfcg8US1U63b9Ih9UHeKSo9LsBA2X8ZRAiZSdijEgWcFS0BSLDUg10//1anhF
kquLOnRY3lA50bvKpsqfBfqJ+l3qsg2fVFVomxIVoG1j2SpKQXUBwEalpTMavWvA
QVEW3gJJTgVc
-----END CERTIFICATE-----


We found it extremely valuable to have an example of a working smartcard-enabled certificate as we adjusted our CA to produce our own.  We referred to it frequently in order to get the proper fields in our own certificates.

Required fields

Fields we had to add to our certificate are listed below.  The values shown are decoded from the example certificate above (the certificate viewer screenshots that originally illustrated them are not reproduced here).

CRL Distribution Point:

  • http://collegeca.dartmouth.edu/collegeca.crl

Note 1: We found that https on the URL for the CDP did not work.  Windows fetches CRLs over http (or LDAP), not https, and the domain controller must be able to reach this URL, because it checks the revocation status of the smartcard certificate at logon.

Note 2: We have since implemented multiple URLs in this field, and this seems to work fine.

Key Usage (critical):

  • Digital Signature, Non-Repudiation, Key Encipherment

Enhanced Key Usage:

  • Client Authentication (1.3.6.1.5.5.7.3.2)
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
  • Secure Email (1.3.6.1.5.5.7.3.4)

Note: We added the Secure Email and Client Authentication entries because Windows appeared to disregard the Key Usage bits once we added Smart Card Logon in Enhanced Key Usage.  KB 281245 lists Client Authentication as required alongside Smart Card Logon in any case.

Subject Alternative Name:

  • Other Name: Principal Name = Mark.J.Franklin@kiewit.dartmouth.edu (OID 1.3.6.1.4.1.311.20.2.3)
  • RFC822 Name = Mark.J.Franklin@Dartmouth.edu

Note 1: The Principal Name (UPN) value must be encoded as an ASN.1 UTF8String, or it will not be readable in the Certificate viewer and will not work for smartcard logon.  It must also match the userPrincipalName of the account in Active Directory; in the example the UPN suffix (kiewit.dartmouth.edu) differs from the e-mail domain.

Note 2: We already had the RFC822 Name part in Subject Alternative Name.  It's probably not necessary for smartcard logon purposes.

Subject:

  • DC=edu, DC=dartmouth, O=Dartmouth College, OU=PrivateGroupVPN, UID=1927743838, CN=Mark J. Franklin, E=Mark.J.Franklin@Dartmouth.edu

Microsoft requires the Subject field to be present even though the user is identified by the UPN in the Other Name part of Subject Alternative Name; the KB article says populating Subject is optional.  Most certificates have a Subject, so this probably isn't an issue for you.
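As an added example (not part of Dartmouth's write-up), the following stdlib-only Python script walks the DER encoding of a PEM certificate and reports whether the fields above are present and encoded the way smartcard logon expects: digitalSignature in Key Usage, Client Authentication and Smart Card Logon in Enhanced Key Usage, a UTF8String UPN otherName in Subject Alternative Name, and http CRL Distribution Point URLs.  It embeds the example certificate from this page as its input; the OIDs are the standard ones named in KB 281245, and nothing else is assumed.

```python
import base64
# Extension and purpose OIDs that matter for smartcard logon (KB 281245)
OID_KEY_USAGE, OID_SAN, OID_CDP, OID_EKU = "2.5.29.15", "2.5.29.17", "2.5.29.31", "2.5.29.37"
OID_CLIENT_AUTH, OID_SC_LOGON = "1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"
OID_UPN, UTF8STRING = "1.3.6.1.4.1.311.20.2.3", 0x0C   # UPN otherName must carry a UTF8String

# The Dartmouth example certificate from this page, copied verbatim
EXAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIFRTCCBC2gAwIBAgICDIQwDQYJKoZIhvcNAQEFBQAwdzETMBEGCgmSJomT8ixk
ARkWA2VkdTEZMBcGCgmSJomT8ixkARkWCWRhcnRtb3V0aDELMAkGA1UEBhMCVVMx
GjAYBgNVBAoTEURhcnRtb3V0aCBDb2xsZWdlMRwwGgYDVQQDExNEYXJ0bW91dGgg
Q2VydEF1dGgxMB4XDTA0MTAwNzE2NDEyOFoXDTA4MTAwNzE2NDEyOFowgcsxEzAR
BgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxGjAY
BgNVBAoTEURhcnRtb3V0aCBDb2xsZWdlMRgwFgYDVQQLEw9Qcml2YXRlR3JvdXBW
UE4xGjAYBgoJkiaJk/IsZAEBEwoxOTI3NzQzODM4MRkwFwYDVQQDExBNYXJrIEou
IEZyYW5rbGluMSwwKgYJKoZIhvcNAQkBFh1NYXJrLkouRnJhbmtsaW5ARGFydG1v
dXRoLmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApTUHUkCRFAeLAR/3
MdrdJbofS8Z3rm1tOo9E6hX3f8X5Mx1g4OvWHBQjxafJ/PpjQ+bxr+XZdoDeZEr8
EJo5MC1ImXrbIBluH4D+a3AioT7+PjRGGM8xdBR1nr6/dyO58kcfD7k3Z2tWkj/C
WEvqhxps5t6LQ0K0N7zaxcUYoUECA0ZS56OCAggwggIEMBEGCWCGSAGG+EIBAQQE
AwIFoDAOBgNVHQ8BAf8EBAMCBeAwgbIGA1UdIASBqjCBpzCBpAYKKwYBBAFBAgEB
AjCBlTBJBggrBgEFBQcCAjA9MBgWEURhcnRtb3V0aCBDb2xsZWdlMAMCAQEaIUhp
Z2ggQXNzdXJhbmNlIENlcnRpZmljYXRlIFBvbGljeTBIBggrBgEFBQcCARY8aHR0
cDovL3d3dy5kYXJ0bW91dGguZWR1L35wa2lsYWIvRGFydG1vdXRoQ1BTX0hBXzE5
RmViMDQucGRmMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9jb2xsZWdlY2EuZGFy
dG1vdXRoLmVkdS9jb2xsZWdlY2EuY3JsMB8GA1UdIwQYMBaAFD/A1senTwB+7waZ
Z2y8lh5No3cSMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2Nv
bGxlZ2VjYS5kYXJ0bW91dGguZWR1L29jc3AwXgYDVR0RBFcwVYEdTWFyay5KLkZy
YW5rbGluQERhcnRtb3V0aC5lZHWgNAYKKwYBBAGCNxQCA6AmDCRNYXJrLkouRnJh
bmtsaW5Aa2lld2l0LmRhcnRtb3V0aC5lZHUwKQYDVR0lBCIwIAYIKwYBBQUHAwIG
CisGAQQBgjcUAgIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBBQUAA4IBAQCvGQyObL1A
DjDJg1EOGir9apdOlP5KjpcJfocYw7ao+l21Z1BReq0eH7+0UXP6v1t5Uo5GDAoX
bVDLobzexbQUwiQln4U/NYIFK/Z5Gv9HiFDbAGN6VTQB7/Yitds1NCsq/FjvJhWg
nN+Rb9Ojowk+cJcQdwKuTJ7hQwT3Op4cDWxJ+RTE4Bb9jEBa7EHWM98JZa60jlx7
ItqYfcg8US1U63b9Ih9UHeKSo9LsBA2X8ZRAiZSdijEgWcFS0BSLDUg10//1anhF
kquLOnRY3lA50bvKpsqfBfqJ+l3qsg2fVFVomxIVoG1j2SpKQXUBwEalpTMavWvA
QVEW3gJJTgVc
-----END CERTIFICATE-----"""

def _tlv(buf, pos):                       # one DER tag-length-value at pos -> (tag, contents, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):                     # contents of a constructed value -> [(tag, contents), ...]
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out

def _oid(raw):                            # OBJECT IDENTIFIER contents -> dotted string
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def extensions(pem):                      # v3 certificate -> {oid: (critical, extnValue bytes)}
    body = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
    _, cert, _ = _tlv(base64.b64decode(body), 0)                 # Certificate SEQUENCE
    tbs = _children(cert)[0][1]                                   # tbsCertificate
    wrapper = next(v for t, v in _children(tbs) if t == 0xA3)     # [3] EXPLICIT Extensions
    result = {}
    for _, ext in _children(_children(wrapper)[0][1]):
        parts = _children(ext)                                    # OID, optional BOOLEAN, OCTET STRING
        result[_oid(parts[0][1])] = (len(parts) == 3 and parts[1][1] == b"\xff", parts[-1][1])
    return result

def check_smartcard_cert(pem):            # report the smartcard-logon fields against KB 281245
    exts, r = extensions(pem), {"upn": None, "upn_is_utf8": False, "rfc822": None, "cdp_urls": []}
    ku = exts.get(OID_KEY_USAGE)
    bits = _tlv(ku[1], 0)[1] if ku else b"\x00\x00"               # BIT STRING: unused-bit count, then bits
    r["digital_signature"] = bool(bits[1] & 0x80)                # digitalSignature is bit 0, the MSB
    eku = exts.get(OID_EKU)
    purposes = {_oid(v) for _, v in _children(_children(eku[1])[0][1])} if eku else set()
    r["client_auth"], r["smartcard_logon"] = OID_CLIENT_AUTH in purposes, OID_SC_LOGON in purposes
    san = exts.get(OID_SAN)
    for tag, name in (_children(_children(san[1])[0][1]) if san else []):
        if tag == 0x81:                                          # rfc822Name
            r["rfc822"] = name.decode("ascii")
        elif tag == 0xA0:                                        # otherName { type-id, [0] EXPLICIT value }
            (_, type_id), (_, inner) = _children(name)
            if _oid(type_id) == OID_UPN:
                vtag, vbytes = _children(inner)[0]
                r["upn_is_utf8"], r["upn"] = vtag == UTF8STRING, vbytes.decode("utf-8")
    cdp = exts.get(OID_CDP)
    for _, dp in (_children(_children(cdp[1])[0][1]) if cdp else []):   # each DistributionPoint
        for _, dpn in [c for c in _children(dp) if c[0] == 0xA0]:        # distributionPoint [0]
            for _, names in [c for c in _children(dpn) if c[0] == 0xA0]: # fullName [0] GeneralNames
                r["cdp_urls"] += [u.decode("ascii") for t, u in _children(names) if t == 0x86]  # URI [6]
    # CryptoAPI fetches CRLs over http (or LDAP), never https, so an https-only CDP breaks revocation checks
    r["cdp_all_http"] = bool(r["cdp_urls"]) and all(u.startswith("http://") for u in r["cdp_urls"])
    r["ok"] = all(r[k] for k in ("digital_signature", "client_auth", "smartcard_logon", "upn_is_utf8", "cdp_all_http"))
    return r

if __name__ == "__main__":
    print(check_smartcard_cert(EXAMPLE_CERT_PEM))
```

Run it on a candidate certificate before cutting tokens: a report with ok = False names the field the CA still gets wrong, which is cheaper than diagnosing a failed logon.  Two encoding details it checks are the ones that trip up non-Microsoft CAs: Key Usage bits are numbered from the most significant bit of the first content byte of the BIT STRING, and the UPN value inside the otherName must be tag 0x0C (UTF8String), which is what Note 1 under Subject Alternative Name is about.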

Configure Active Directory

There are three certificate installation steps required.  Details about how to do all of these are in the Microsoft Knowledge Base article above, or consult your Active Directory documentation.

  1. Install your third party CA root certificate in the Active Directory Group Policy object (under Trusted Root Certification Authorities), so that every domain controller and client trusts it.
  2. Make sure your root certificate is in the NTAuth store.  In our case, this appeared to happen automatically when we did step 1.  It is worth verifying with certutil -viewstore -enterprise NTAuth, because the domain controller will not accept smartcard certificates from a CA that is missing from this store; the KB article shows how to publish it there with certutil -dspublish.
  3. Make sure your domain controller(s) has(have) domain controller certificates.  Ours already had one for other reasons (SSL communications).  We used the Windows Server 2003 CA to issue this certificate.  The domain controller certificate must chain to a root that the clients trust.

Once we had all the pieces in place, smartcard logon was automatically enabled by Active Directory and the Windows clients.

We didn't have to change anything about our root certificate (e.g. no smartcard key usage bits required).  Here is our root certificate:

-----BEGIN CERTIFICATE-----
MIID3zCCAsegAwIBAgIBAjANBgkqhkiG9w0BAQUFADB3MRMwEQYKCZImiZPyLGQB
GRYDZWR1MRkwFwYKCZImiZPyLGQBGRYJZGFydG1vdXRoMQswCQYDVQQGEwJVUzEa
MBgGA1UEChMRRGFydG1vdXRoIENvbGxlZ2UxHDAaBgNVBAMTE0RhcnRtb3V0aCBD
ZXJ0QXV0aDEwHhcNMDMwMTA5MDUwMDAwWhcNMTMwMTA5MDUwMDAwWjB3MRMwEQYK
CZImiZPyLGQBGRYDZWR1MRkwFwYKCZImiZPyLGQBGRYJZGFydG1vdXRoMQswCQYD
VQQGEwJVUzEaMBgGA1UEChMRRGFydG1vdXRoIENvbGxlZ2UxHDAaBgNVBAMTE0Rh
cnRtb3V0aCBDZXJ0QXV0aDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDg36IP1LlOICbXPlLEeiIRrQjcLIbu45zX0bUPPfweIlJPgjjTr8oOBXkzIhiR
cMdDgE9o7iIOugcy/ZHVnTlh6W8eZDwsbm0ofVjrI2sMmENH7Zre43Hw/Af/OpES
U8+5mDikrgozOW7+dTdmeOD91BVlACKmKkK4X5AFDmqoKtBbuM1ZbVdzaq/eGjCJ
Mhnit+sroHJRg5FIEwgowANe85/iVdB8xTBcEny4fm53PMZzLOPs+bkZOCLTKoHz
xSN7HbydVmkPGI8foHOD95C6P5moiHqWxxg7mdvfU5j3bedRA1AhrrpoP1Wwi3W3
6oLUCfnS7XEntOyW+a3REr61AgMBAAGjdjB0MBEGCWCGSAGG+EIBAQQEAwIABzAP
BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ/wNbHp08Afu8GmWdsvJYeTaN3EjAf
BgNVHSMEGDAWgBQ/wNbHp08Afu8GmWdsvJYeTaN3EjAOBgNVHQ8BAf8EBAMCAYYw
DQYJKoZIhvcNAQEFBQADggEBAKhinGIWf6z85SlleOn618GCs4RTJYtlch4xaa1h
X/GfcZahh3RmDuBLrzgl6z74TZoY3Ey+0YvUxg8ZsUIL95jF9VZ+edb5E87uV6GV
6f9QHykJFSa74zN5Oc5mUfeoeGenLkNHh/L+m7onrOoc7hRNmZRYXdtNU4TlL6RU
c5SjJ8ogXqldj9O0eJ6K6AWbuwrnakOhZNg20ZF81fx/it3D76BSd24nyVCjwV8C
pKxvnM3xfwrlPrfl01HrAytnE9zIPXdfXvSsqIiXtVrgA3Q3bEfq1KKz57/4UyO1
dDEdFfPXMw1yJWHAh5SbZgk3ECyoCOJA14V9cJ12S3Qab1w=
-----END CERTIFICATE-----

Debugging

The two error messages we encountered while debugging were reasonably descriptive.  The Microsoft Knowledge Base article referenced above has quite a bit of troubleshooting information in it, but we didn't need most of it.  When a logon is rejected, check the domain controller's System event log (KDC source) as well as the client: the domain controller is the side that validates the chain, the NTAuth membership and the revocation status, and its event usually says which check failed.