Smart card setup for Windows 2000

Although smart cards have been around for a while, they're just now beginning to see acceptance by network administrators. Many are unaware of the process to set up users for smart card use. Deb Shinder walks you through the process.

Smart card technology has come a long way. A number of states have already begun distributing smart driver’s licenses, and many large companies are taking advantage of the smart card’s unique ability to store user and login information and act as a bridge to other databases. The simplicity and user-friendliness of the smart card make it one of the most important technological advancements to come along in a while.

For those admins who are setting up and working with smart cards for the first time, I’ll go through the setup of a smart card for a new user in the Windows 2000 environment.

Requesting a certificate
After acquiring the necessary smart card gear, the procedure for setting up a smart card for a user is the same for Windows 2000 and .NET networks. First, log on with either a domain admin or enrollment agent account. To request a smart card certificate, open the Internet Explorer Web browser and access the Certificate Services Web pages by entering http://<servername>/certsrv as the URL. Select the Request A Certificate option and click Next. You’ll be asked to choose the request type. Select the Advanced Request option and click Next.

In the next window, choose the third option: Request A Certificate For A Smart Card On Behalf Of Another User Using The Smart Card Enrollment Station and then click Next. If the card will only be used to log on, select Smartcard Logon from the drop-down list of certificate templates. If the user will also use the smart card for secure e-mail, select Smartcard User.

The following list highlights the other options available:
  • Certification Authority (the CA that will issue the certificate)
  • Cryptographic Service Provider (this depends on the manufacturer of the smart cards you’re using)
  • An enrollment agent certificate that will be used to sign the smart card certificate
  • The name of the user to whom the certificate will be issued (selected from a drop-down box of user accounts)

What’s in a name?
When you create a certificate authority (CA) on a server (that is, when you install Certificate Services), you'll be asked to provide a name for the CA. This could be the name of the server itself (its network identification) or something more representative of its function. Let's say I have a server named BigServer and I install Certificate Services. Since it's my root CA, I might want to identify it that way and name it RootCA.

For an analogy, think about Web servers. I could have a Web server named www running on a server machine named BigServer. If you want to access the server itself across the network, you use its network ID (BigServer), but if you want to connect to its Web services with a Web browser, you identify it in the URL as "www."

After you’ve entered this information (including the CA name), you’ll be prompted to insert a card into the reader attached to the computer. Since smart cards are reusable (the card is cleared with the reader, and different readers have different steps for clearing), you may be asked if you want to overwrite the credentials that are already on the card.

You don’t have to give a user domain administrator privileges for him or her to set up smart cards. Using the Active Directory Sites And Services tool, you can issue that user an Enrollment Agent certificate. The user must be granted access to the certificate template. Because enrollment agents can create smart cards for any user (and use those cards to log on to the network), be very careful about who you designate as an enrollment agent.
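What distinguishes the Smartcard Logon, Smartcard User and Enrollment Agent certificates described above is the Extended Key Usage (EKU) extension each template puts in the certificate. As an added example (not from the article or from Microsoft), the Python below decodes a DER-encoded EKU value and names the template it matches; the template-to-EKU mapping is that of the stock Windows 2000 v1 templates, and the sample EKU value is constructed rather than read from a real card.

```python
# Added example, not from the original article: decode a certificate's DER EKU
# value and map its OIDs onto the Windows 2000 v1 templates the article names.
SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
SECURE_EMAIL = "1.3.6.1.5.5.7.3.4"
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"  # marks an enrollment agent cert
def encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06); used to build constructed samples."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])  # first byte packs two arcs
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)
def encode_eku(*oids):
    """Wrap encoded OIDs in a short-form DER SEQUENCE: an EKU extnValue."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(body)]) + body
def decode_eku(der):
    """Parse a DER SEQUENCE OF OBJECT IDENTIFIER into dotted OIDs."""
    if der[0] != 0x30 or der[1] & 0x80:  # short-form length suffices for an EKU
        raise ValueError("not a short-form DER SEQUENCE")
    oids, pos, end = [], 2, 2 + der[1]
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("non-OID element inside EKU")
        length, value = der[pos + 1], 0
        body = der[pos + 2:pos + 2 + length]
        arcs = [body[0] // 40, body[0] % 40]
        for b in body[1:]:
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(value)
                value = 0
        oids.append(".".join(map(str, arcs)))
        pos += 2 + length
    return oids
def classify(oids):
    """Name the article's template whose EKU set this is, else 'unknown'."""
    s = set(oids)
    if CERT_REQUEST_AGENT in s:
        return "Enrollment Agent"  # can enroll cards for any user: audit holders
    if {SMART_CARD_LOGON, CLIENT_AUTH} <= s:
        return "Smartcard User" if SECURE_EMAIL in s else "Smartcard Logon"
    return "unknown"
# Constructed sample: the EKU value a Smartcard User certificate carries.
SAMPLE_EKU = encode_eku(SECURE_EMAIL, CLIENT_AUTH, SMART_CARD_LOGON)
```

The code parses only the extension value itself, so the EKU must first be pulled out of the certificate; checked against a freshly enrolled card it confirms the intended template was used, and applied across issued certificates it lists the enrollment agent holders the paragraph above says to watch.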

Smart card login
To log in with a smart card, a user is not required to press [Ctrl][Alt][Delete] as he or she would for a regular login. Instead, users initiate the process by putting the card in the reader and inputting their PIN. In a mixed Windows 2000 and .NET environment, if the computer the user is logging in to is running Windows 2000, the smart card must be enrolled from a Windows 2000 computer. If the user is logging in to a computer that runs Windows XP or .NET Server, the card can be enrolled from a Windows 2000, Windows XP, or .NET computer.