Recently I have been experimenting with smart card authentication, using the Feitian ePass3000 as the example.
1. Building the network environment
Three virtual machines plus one physical machine form a separate test segment, 172.16.188.x, as follows:
| Machine name | IP | Operating system | Role |
| --- | --- | --- | --- |
| Dom | 172.16.188.1 | Windows Server 2008 R2 / virtual machine | AD domain controller, AD Certificate Services, IIS server |
| ter | 172.16.188.10 | Windows Server 2008 R2 / virtual machine | Remote Desktop server (formerly the Terminal Server) |
| Win7 | 172.16.188.100 | Windows 7 / virtual machine | Simulated Windows 7 client |
| XP | 172.16.188.101 | Windows XP SP3 / physical machine | Simulated XP client |
2. Configuring the Certificate Server
1) On Dom, add the Active Directory Domain Services and Web Server (IIS) roles, then add Active Directory Certificate Services; this creates the CertSrv web site in IIS for certificate requests and issuance. Adding Certificate Services generates the CA root certificate (here SECRET-DOM-CA), and every certificate issued afterwards is signed by it.
2) Manage certificate templates: in Administrative Tools open Certification Authority, right-click Certificate Templates and choose Manage. In the Certificate Templates console that opens, right-click "Smartcard Logon" and "Smartcard User", choose Properties and, on the Security tab, grant Domain Users the Read and Enroll permissions. You can also create a new template by duplicating an existing one.
3) Issue the templates: in Certification Authority right-click Certificate Templates, choose New -> Certificate Template to Issue, select Smartcard Logon and Smartcard User, and click OK.
4) Modify the CA properties: in Administrative Tools open Certification Authority, right-click the CA (here SECRET-DOM-CA), choose Properties -> Security, and grant Domain Users the Read and Request Certificates permissions.
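The template setup above is where the "no certificate templates could be found" symptom of the later CertSrv step usually originates. The following PowerShell script is an added example, not part of the original post, that checks the three things steps 2 and 3 configure: that the two built-in templates carry the Smart Card Logon and Client Authentication EKUs, that Domain Users hold the Enroll extended right on them, and that the CA object in the forest lists them as issuable. It assumes the CA name from the post (SECRET-DOM-CA) and runs on any domain-joined machine; the Certificate-Enrollment right GUID is the standard Windows value.

```powershell
# Added example (not from the original post): verify smart card template publication.
# Assumes the CA name from the post; change $CaName for another environment.
$CaName            = 'SECRET-DOM-CA'
$TemplateNames     = @('SmartcardLogon', 'SmartcardUser')   # CNs of the built-in templates
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'
$EnrollRightGuid   = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right

$configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# The enrollment-services object of the CA lists the templates it will issue.
$caPath = "LDAP://CN=$CaName,CN=Enrollment Services,$pkiBase"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($caPath)) {
    throw "CA object $CaName not found under Enrollment Services"
}
$published = @(([ADSI]$caPath).certificateTemplates)

function Test-DomainUsersCanEnroll {
    param([System.DirectoryServices.DirectoryEntry]$Template)
    # Look for an Allow ACE for Domain Users granting the Enroll extended right
    # (or all extended rights, ObjectType = empty GUID).
    $acl = $Template.psbase.ObjectSecurity
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) | Where-Object {
        $_.IdentityReference.Value -like '*\Domain Users' -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [Guid]::Empty)
    }
    return [bool]$rules
}

foreach ($name in $TemplateNames) {
    $tplPath = "LDAP://CN=$name,CN=Certificate Templates,$pkiBase"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($tplPath)) {
        Write-Warning "Template $name does not exist in this forest"
        continue
    }
    $tpl  = [ADSI]$tplPath
    $ekus = @($tpl.pKIExtendedKeyUsage)

    New-Object PSObject -Property @{
        Template        = $name
        HasLogonEku     = ($ekus -contains $SmartCardLogonOid) -and ($ekus -contains $ClientAuthOid)
        DomainUsersEnroll = Test-DomainUsersCanEnroll $tpl    # step 2 of this section
        PublishedOnCA   = ($published -contains $name)          # step 3 of this section
    }
}
```

A template that shows HasLogonEku = True but PublishedOnCA = False is exactly the case where CertSrv's template drop-down stays empty; DomainUsersEnroll = False produces the "you do not have permission to request a certificate from this CA" message instead.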
3. Configuring the IIS Server
1) Add HTTPS support: open Administrative Tools -> Internet Information Services (IIS) Manager -> Default Web Site, right-click and choose Edit Bindings. By default both HTTP and HTTPS are bound; if HTTPS is missing, add it manually and select an SSL certificate, for example dom.secret.company.com.
2) Configure CertSrv authentication: the user logs on to CertSrv and submits the request, and the certificate is issued for that logged-on identity, so Anonymous Authentication must be disabled and Basic and Digest Authentication enabled. Select the CertSrv site -> Authentication and disable/enable accordingly.
3) If no SSL binding exists, enrollment cannot complete: CertSrv reports that the CA's web site must be configured to use HTTPS authentication.
4. Configuring the domain environment
1) Join the domain: rename the other three machines as in the table above and join them to the secret.company.com domain; after the restart they are domain members. They then appear under Administrative Tools -> Active Directory Users and Computers -> Computers as ter, Win7 and XP.
2) Add a user: Administrative Tools -> Active Directory Users and Computers -> Users, add a user named test.
3) Install ePass3000: install the ePass3000 driver on every machine, making sure the "Support smart card logon to the operating system or VPN" option is checked. It is said that only the machine used to submit the request needs the driver.
5. Application Certificate
1) Log on to CertSrv: on any machine with the ePass driver installed, open IE, enter https://dom.secret.company.com/CertSrv and log on as the test user. (Note: if you enter the IP address 172.16.188.1 instead, IE8 and later warn that "there is a problem with this website's security certificate", because the certificate identifies the domain name, not the IP; only if the certificate bound to the site were issued for the IP would entering the IP pass without the warning.)
2) Request a certificate: with the ePass3000 inserted, click Request a certificate -> Advanced certificate request -> Create and submit a request to this CA; on first use you are asked to install the CertEnrollCtrl plug-in. The Certificate Template drop-down should now list "Smartcard User" and "Smartcard Logon". By default it lists only User and Basic EFS; if you see only those two, or nothing at all together with "no certificate templates could be found", or "you do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory", go back to "2. Configuring the Certificate Server". The CSP drop-down should contain "Feitian ePassNG RSA Cryptographic Service Provider"; if it does not, the ePass driver installation on this machine is faulty (on my Server 2008 R2, for instance, the entry was missing).
3) Install the certificate: click Submit and the ePass starts generating the key pair. On the next page click "Install this certificate" and the certificate is written to the ePass. The ePass management tool EPassNgMgr.exe then shows clearly that the USB key holds the test user's certificate and key pair.
6. Smart Card Login Windows
Insert the smart card at the Windows logon screen and enter the PIN; this logs you on as the domain user test. Two minor issues:
1) If the PIN is accepted but validation still fails, install the CA root certificate into the Trusted Root Certification Authorities store of the machine.
2) If the USB key holds more than one certificate, Windows takes only the first one at logon, whereas browsers (IE8+, Chrome, Firefox, etc.) usually prompt you to choose one.
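Both issues above can be checked from a logged-on session before going back to the logon screen. The script below is an added example, not part of the original post: it lists the certificates Windows would consider for smart card logon (those with the Smart Card Logon EKU that the certificate propagation service has copied into CurrentUser\My after the card was inserted), warns when there is more than one, and builds the chain for each to show whether its root is in the machine's Trusted Root store. Revocation checking is turned off here because it is a local chain check; the domain controller still performs it at logon.

```powershell
# Added example (not from the original post): inspect smart card logon certificates.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
$SanOid            = '2.5.29.17'   # Subject Alternative Name, carries the UPN used for logon

function Test-SmartCardLogonCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Local structural check only; the DC checks revocation during the real logon.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $builds = $chain.Build($Cert)

    # The last element of the built chain is the self-signed root (or the highest cert found).
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $top.Thumbprint })

    New-Object PSObject -Property @{
        Subject     = $Cert.Subject
        Upn         = ($Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid } |
                       ForEach-Object { $_.Format($false) })
        Issuer      = $Cert.Issuer
        ChainBuilds = $builds
        RootTrusted = $rootTrusted          # False -> import the CA root into LocalMachine\Root
        Problems    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# Only certificates whose EKU includes Smart Card Logon are candidates for Windows logon.
$logonCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $ekuExt = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $SmartCardLogonOid })
})

if ($logonCerts.Count -eq 0) {
    Write-Warning 'No smart card logon certificate found; is the card inserted and the driver installed?'
} elseif ($logonCerts.Count -gt 1) {
    Write-Warning "Found $($logonCerts.Count) logon certificates; the Windows logon screen uses only the first"
}

$logonCerts | ForEach-Object { Test-SmartCardLogonCert $_ } | Format-List
```

RootTrusted = False with ChainBuilds = False and Problems containing UntrustedRoot is the situation described in issue 1; the fix is the root import into the machine store, not into the user store, because logon runs before any user profile is loaded.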
7. Smart Card Login Remote Desktop
1) Plug in the smart card first. When connecting to XP, entering the IP and clicking Connect prompts directly for the PIN; when connecting to Win7 or later you are offered three logon methods, and you choose the third, smart card logon.
2) You may get "Smart card error: The driver required by the card is not on the system". This problem is not fully resolved: connecting to XP works, but connecting to Win7 or Server 2008 R2 always reports this error. My understanding is that the ePass driver on the remote machine is not installed correctly, yet after a normal Remote Desktop logon the smart card is mapped correctly.
- However, when opening CertSrv -> Advanced certificate request on that remote machine, "Feitian ePassNG RSA Cryptographic Service Provider" really is absent from the CSP list.
- The reference "How to find CSPs currently installed on a computer" gives the registry location of all CSPs. If you export the Feitian CSP registry entry from XP and import it on the target machine, then reopen the CertSrv -> Advanced certificate request page, Feitian appears in the CSP drop-down, but selecting it gives "You may have selected a CSP that does not support key types defined in the template. Either change the key category in the template, or select a different CSP or certificate template." So it seems the driver was not installed and registered correctly; this remains a puzzle.
3) ePass installation problem: after installation you may see "Initialize PKCS#11 Library Failed, 0x00000030"; services.msc then shows that the critical service NGSLOTD was not created or failed to start. You can create it yourself with sc (the service executable path is not given in the post; substitute the one from your ePass installation):
    sc create NGSLOTD binPath= "<path to the ePass NGSLOTD service executable>" start= auto depend= SCardSvr
    sc start NGSLOTD
4) Allow Remote Desktop: the Default Domain Policy does not seem to allow Remote Desktop. In Group Policy Management right-click Default Domain Policy -> Edit to open the Group Policy Management Editor, then:
- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on through Remote Desktop Services: add the relevant groups, such as Domain Users and Remote Desktop Users.
- Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections -> Allow users to connect remotely using Remote Desktop Services: set this to Enabled.
- If none of the above takes effect, on the target machine right-click My Computer -> Properties -> Remote -> Select Users and add Domain Users, Remote Desktop Users or the other relevant groups.
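Items 2), 3) and 4) of this section are all questions about the state of the Remote Desktop target, so they can be checked together before the next connection attempt. The script below is an added example, not part of the original post, meant to be run on the target machine (ter in the test network). It reports the NGSLOTD and SCardSvr services, whether the Feitian CSP is registered under the standard provider key (HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider, the location the referenced article points to) and whether the DLL that key names actually exists, whether Remote Desktop is enabled, and who is in the local Remote Desktop Users group. Service, CSP and group names are taken from the post; the registry paths are the standard Windows ones.

```powershell
# Added example (not from the original post): readiness check for smart card RDP logon.
$CspName = 'Feitian ePassNG RSA Cryptographic Service Provider'   # name from the post

function Get-RdpSmartCardReadiness {
    $result = New-Object PSObject

    # 3): the ePass slot service and the Windows Smart Card service must both be running.
    foreach ($svc in 'SCardSvr', 'NGSLOTD') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $state = if ($s) { $s.Status.ToString() } else { 'missing' }
        $result | Add-Member NoteProperty "Service_$svc" $state
    }

    # 2): CSPs are registered one key each under the Defaults\Provider key; the CertSrv
    # CSP drop-down is built from these keys, so a missing key means a missing entry.
    $cspKey = "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\$CspName"
    $registered = Test-Path $cspKey
    $result | Add-Member NoteProperty 'CspRegistered' $registered
    if ($registered) {
        # A key copied over from another machine is only cosmetic unless the DLL it
        # names ("Image Path") is present too; relative paths resolve to System32.
        $dll = (Get-ItemProperty $cspKey).'Image Path'
        $dllPath = [Environment]::ExpandEnvironmentVariables([string]$dll)
        if ($dllPath -and -not [IO.Path]::IsPathRooted($dllPath)) {
            $dllPath = Join-Path $env:windir "System32\$dllPath"
        }
        $result | Add-Member NoteProperty 'CspDll' $dllPath
        $result | Add-Member NoteProperty 'CspDllExists' ([bool]$dllPath -and (Test-Path $dllPath))
    }

    # 4): Remote Desktop enabled (fDenyTSConnections = 0) and local group membership.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $result | Add-Member NoteProperty 'RemoteDesktopEnabled' ($ts.fDenyTSConnections -eq 0)

    $group = [ADSI]'WinNT://./Remote Desktop Users,group'
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    $result | Add-Member NoteProperty 'RemoteDesktopUsers' ($members -join ', ')

    $result
}

Get-RdpSmartCardReadiness | Format-List
```

CspRegistered = True together with CspDllExists = False is the state the post reaches after importing the XP registry entry by hand: the name appears in the drop-down, but there is no working provider behind it, which is consistent with the "CSP that does not support key types defined in the template" error.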
8. References
1) "Smart Card Logon and Authentication"
2) "USB eToken for Windows domain user RDP Authentication"
3) "How to find CSPs currently installed on a computer"
Feitian USB key logon to Windows and Remote Desktop