Entrust Managed Services PKI: Windows Smart Card Logon ...

More documents

Recommendations

Info

Requirements Architecture You require the following prior to configuring your environment for Windows Smart Card Logon: • Machines with the Windows operating system • Internet access for retrieving certificate revocation lists (CRLs) • Directory with the users you want to configure for Windows Smart Card Logon • Supported Web browser Figure 1: Windows Smart Card Logon overview 1. Insert either smart card or token into computer and enter PIN Smart card and reader Token Entrust Managed Services PKI 5. Look up user entry in directory 2. Retrieve certificate from smart card or token 8. Sent TGT 3. Send certificate 7. Send TGT 4. Verify certificate 6. Build TGT Computer Domain Controller 1 When the user inserts the smart card or token, Windows prompts for a Personal Identification Number (PIN) in a logon window. Note: Windows Vista does not automatically prompt for logon. Users must press Ctrl+Alt+Del to call the logon window. For more information on Vista differences, see “Smart Card Logon in Vista” on page 43. 2 The smart card subsystem authenticates the user as the owner of the smart card or token, and retrieves the certificate from the card. 6 Entrust Managed Services PKI Windows Smart Card Logon Configuration Guide Document issue: 1.0 Report any errors or omissions
3 The smart card client software sends the certificate to the Kerberos Key Distribution Center (KDC) on the Domain Controller. 4 The KDC verifies the Smart Card Logon certificate by building a certificate chain until it finds the root CA certificate. During the verification process, each certificate in the chain is checked against the Certification Revocation List (CRL) in the CRL Distribution Point (CDP). 5 The KDC retrieves the UserPrincipalName (UPN) from the subjectAltName of the Smart Card Logon certificate, and uses it as a reference to look up the user entry in the directory. 6 The KDC builds a Kerberos ticket-granting ticket (TGT), which contains the user account and access control information. 7 The KDC encrypts the TGT with a session key, encrypts that key with the user’s public key, and returns the encrypted TGT to the user’s workstation. 8 The smart card decrypts the session key with its private key, and uses the session key to decrypt the TGT. At this point, the KDC lets the user log in to the Windows domain. Overview Report any errors or omissions 7
Page 1 and 2: Entrust Managed Services PKI Entrus
Page 3 and 4: TOC Overview . . . . . . . . . . .
Page 5: 1 Overview This guide documents how
Page 9 and 10: 2 Configuring for Windows Smart Car
Page 11 and 12: 3 Click Save to save the files to a
Page 13 and 14: Creating a Domain Controller certif
Page 15 and 16: You successfully logged in to Admin
Page 17 and 18: 6 From the User Information section
Page 19 and 20: Note: If you navigated away from th
Page 21 and 22: 4 In the Subject Alternative Naming
Page 23 and 24: Enrolling the certificate for the D
Page 25 and 26: 7 Click Yes to request a certificat
Page 27 and 28: 2 From the left pane under CA Certi
Page 29 and 30: To run the installCert.bat 1 Naviga
Page 31 and 32: 3 From the User Type drop-down list
Page 33 and 34: directory when you signed up for En
Page 35 and 36: 15 Scroll down to the bottom of the
Page 37 and 38: 17 Click Submit. A success message
Page 39 and 40: 4 Complete Step 13 on page 33 to St
Page 41 and 42: 4 Based on your search results, sel
Page 43 and 44: Smart Card Logon in Vista Windows V

Entrust Managed Services PKI: Windows Smart Card Logon ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?