3rd party smartcard logon

141 Views
Last Post 14 August 2019

daemonr00t posted this 11 August 2019

Hi folks,

Anyone out there with a really functional and detailed guide to enable 3rd party smartcard logon to Windows?

So far I've seen stuff that's inaccurate and/or out dated.

Thanks a bunch.

~dannyCS

#Permalink
0
0
0

group-policy

4 Comments

Order By: Standard | Newest | Votes

daemonr00t posted this 12 August 2019

Anyone out there?

~s

Sent from Windows Mail

#Permalink
0
0
0

Ravi.Sabharanjak posted this 13 August 2019

Does this help?
https://support.microsoft.com/en-us/help/281245/guidelines-for-enabling-smart-card-logon-with-third-party-certificatio
In short:- install smart card capable cert on DCs. We use one that also has our ldap vip name in the SAN.- create templates for smart card enrollment.- install drivers- set account options to require smart card. (Optional)- group policy on devices to require smart card for logins.(optional)- install smart card drivers.
We use an internal pki for the cards, external should work as long as the chain is trusted.
If you lock down accounts and servers to smart cards, be aware that there is no access if there is an issue with the pki infra.
Recently, I heard about a product (Entrust?) That uses your phone to store the identify cert, instead of a physical card. Would be interested in learning more about this if anyone has tried this.
-Ravi

#Permalink
0
0
0

chriss3 posted this 13 August 2019

It all depends on the 3^rd party implementation, you’re saying 3^rd party Smart Cards – this can be everything from having their own CSP, Min-driver, Middleware.

Or do you mean a 3^rd party CA for issuing Certificates for Smart Cards?

I have ben working this 3^rd party for example:

https://www.secmaker.com/en/secmaker

#Permalink
0
0
0

daemonr00t posted this 14 August 2019

Thanks so much!

There’s a glitch in the formatting of the cert.

I guess we’ll have to that address or explorer another provider.

Thank you both Ravi and Christoffer again.

~danny

Sent from Mail for Windows 10

From: ActiveDir-owner@xxxxxxxxxxxxxxxx <ActiveDir-owner@xxxxxxxxxxxxxxxx> on behalf of Christoffer Andersson <Christoffer.Andersson@xxxxxxxxxxxxxxxx>

Sent: Tuesday, August 13, 2019 4:21:39 AM

To: ActiveDir@xxxxxxxxxxxxxxxx <ActiveDir@xxxxxxxxxxxxxxxx>

Subject: RE: [ActiveDir] 3rd party smartcard logon

It all depends on the 3^rd party implementation, you’re saying 3^rd party Smart Cards – this can be everything from having their own CSP, Min-driver, Middleware.

Or do you mean a 3^rd party CA for issuing Certificates for Smart Cards?

I have ben working this 3^rd party for example:

https://www.secmaker.com/en/secmaker

From: ActiveDir-owner@xxxxxxxxxxxxxxxx <ActiveDir-owner@xxxxxxxxxxxxxxxx>

On Behalf Of Ravi Sabharanjak

Sent: den 13 augusti 2019 04:27

To: ActiveDir@xxxxxxxxxxxxxxxx

Subject: Re: [ActiveDir] 3rd party smartcard logon

Does this help?

https://support.microsoft.com/en-us/help/281245/guidelines-for-enabling-smart-card-logon-with-third-party-certificatio

In short:

- install smart card capable cert on DCs. We use one that also has our ldap vip name in the SAN.

- create templates for smart card enrollment.

- install drivers

- set account options to require smart card. (Optional)

- group policy on devices to require smart card for logins.(optional)

- install smart card drivers.

We use an internal pki for the cards, external should work as long as the chain is trusted.

If you lock down accounts and servers to smart cards, be aware that there is no access if there is an issue with the pki infra.

Recently, I heard about a product (Entrust?) That uses your phone to store the identify cert, instead of a physical card. Would be interested in learning more about this if anyone has tried this.

-Ravi

On Mon, Aug 12, 2019, 3:00 PM Danny CS <daemonroot@xxxxxxxxxxxxxxxx> wrote:

Anyone out there?

~s

Sent from Windows Mail

From: Danny CS

Sent: ‎Sunday‎, ‎August‎ ‎11‎, ‎2019 ‎6‎:‎35‎ ‎AM

To: activedir@xxxxxxxxxxxxxxxx

Hi folks,

Anyone out there with a really functional and detailed guide to enable 3rd party smartcard logon to Windows?

So far I've seen stuff that's inaccurate and/or out dated.

Thanks a bunch.

~dannyCS

#Permalink
0
0
0

3rd party smartcard logon

Categories

Search

Popular Tags

This Weeks High Earners

Hot Topics