
Smart Card Enrollment

June 1, 2014

A few days ago one of my friends asked if I knew how to enroll smart cards from Windows AD CS without using any type of specialized smart card management system. I have done this type of enrollment a few years ago, but truth be told, all of the enterprise environments usually use smart card management systems and I have not seen anyone using the out of the box enrollment capabilities. I looked on the Internet, nothing came up in the search, then I remembered that I might have a sample configuration somewhere in my archives. So I found in my archives the configuration steps on how to enroll a smart card from AD CS and tested them in my lab. It was not a straightforward test; at first I could not make it work. My test environment is running in Azure IaaS and the physical PC where I attach the smart card is not part of the AD DS of the test environment, so in order to enroll from the Enterprise Issuing CA I use an RDP connection to one of the workstations in the Azure IaaS environment. The workstation in IaaS did not recognize my Gemalto .NET smart card. It was supposed to detect it via plug and play and install the drivers, but it did not do so. It took me a few tries and tests to figure out that I had to download the proper drivers and install them manually. Then everything worked beautifully and I was able to enroll my test smart card with a cert for my test user.

You might ask, what is the configuration on AD CS to make it all work? I don’t want to dig in my archives again if I ever need to remember how to do this, so I decided to share it here.

Assumption: I assume that you already have an Enterprise Issuing CA implemented in your environment. In this day and age I would recommend running it on Windows Server 2012 R2, but the steps work on 2008, 2008 R2 and 2012 as well. It might even work against a 2003-based CA, but that is too ancient by now and I hope everyone is moving to the latest and greatest OS.

OK, you have AD CS running. To enroll a user with a smart card certificate we are going to use the “Enroll on Behalf” concept: one designated user (the SC-Enroll account in the following steps) holds an Enrollment Agent certificate and uses it to sign smart card logon requests for other users in the environment. Usually that would be someone from the security department. Keep in mind what that certificate represents: whoever holds its private key can put a logon certificate for any user the CA will issue for onto a card they control, so the SC-Enroll account and the station it works from deserve the same protection as a privileged administrator account. On Windows Server 2008 Enterprise and later CAs you can additionally limit which users or groups each agent may enroll for, and with which templates, in the CA properties under the Enrollment Agents tab (restricted enrollment agents). To configure the templates and then issue a user certificate to a smart card, do the following steps:

  1. Configure Enrollment Agent Template
  2. Configure Smart Card Logon Template
  3. Assign created templates to Contoso Issuing CA
  4. Enroll for Enrollment Agent certificate
  5. Smart Card Certificate Enrollment for the end user

 

Configure Enrollment Agent Template

  1. Log on to the AD CS server as an administrator of the CA.
  2. Open the Certification Authority MMC (certsrv.msc).
  3. Right-click on Certificate Templates and click Manage.
  4. This opens the Certificate Templates MMC (certtmpl.msc).
  5. In the details pane, right-click on Enrollment Agent, and then click Duplicate Template.
  6. On the Compatibility tab (on Windows Server 2008 R2 you get a version prompt instead), set Certification Authority to Windows Server 2012 R2 and Certificate recipient to Windows 8.1 / Windows Server 2012 R2, or to the oldest OS in your environment that must use this template; clients older than the selected version will not be offered it.
  7. On the General tab, enter the Template display name Contoso Smart Card Enrollment Agent, and then click Apply.
  8. Click on the Security tab. Click Add, type SC-Enroll, click Check Names and click OK. Give it the Allow Enroll permission.
  9. While in the Security tab, select Domain Admins and uncheck the Enroll check box.
  10. While in the Security tab, select Enterprise Admins and uncheck the Enroll check box. Steps 9 and 10 leave SC-Enroll as the only account that can obtain an Enrollment Agent certificate, which is the whole point of designating one.
  11. Click OK to save and close the Contoso Smart Card Enrollment Agent template.

 

Configure Smart Card Logon Template

  1. In the details pane, right-click on Smartcard Logon, and then click Duplicate Template.
  2. On the Compatibility tab choose the same settings as for the Enrollment Agent template. Click OK on the Resulting changes prompt.
  3. On the General tab, enter the Template display name Contoso Smart Card Logon, and then click Apply.
  4. Click on the Issuance Requirements tab. Enable the check box “This number of authorized signatures:” and make sure it requires exactly one (“1”) signature.
  5. Under Policy type required in signature select: Application policy.
  6. Under Application policy select: Certificate Request Agent. This is what ties the template to the agent: the CA will only issue from it when the request is countersigned by a certificate carrying the Certificate Request Agent application policy, i.e. the one SC-Enroll enrolls in a later step.
  7. On the Cryptography tab, select “Requests must use one of the following providers:” and then check “Microsoft Base Smart Card Crypto Provider”. If the Provider Category on a 2012 R2 compatible template shows Key Storage Provider, the equivalent entry is “Microsoft Smart Card Key Storage Provider”; pick the one that matches your card’s minidriver. Either way this forces the key pair to be generated on the card rather than in a software store.
  8. Click on the Security tab. Click Add, type SC-Enroll, click Check Names and click OK. Give it the Allow Enroll permission.
  9. While in the Security tab, select Domain Admins and uncheck the Enroll check box.
  10. While in the Security tab, select Enterprise Admins and uncheck the Enroll check box.
  11. Click OK to save and close the Contoso Smart Card Logon template.

 

Assign created templates to Contoso Issuing CA

  1. Switch back to the Certification Authority MMC.
  2. Right-click on Certificate Templates, click New and then Certificate Template to Issue.
  3. In the selection window select the newly created templates (Contoso Smart Card Logon and Contoso Smart Card Enrollment Agent; hold Ctrl to pick both) and click OK. Until a template is published here, the CA will refuse requests for it regardless of the template permissions.
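Before moving to the enrollment station it is worth checking, from a script rather than by clicking through tabs, that the two templates ended up the way the steps above describe and that the CA publishes them. The following PowerShell is an added example and is not part of the original post; it assumes the RSAT ActiveDirectory module is installed and that $CaName, $Agent and the two template display names match what you typed in the MMC.

```powershell
# Added example (not part of the original post): audit the two templates created above and
# confirm the CA publishes them. Assumes the RSAT ActiveDirectory module, and that $CaName,
# $Agent and the template display names match what you typed in the MMC.
Import-Module ActiveDirectory

$CaName = 'Contoso Issuing CA'   # cn of the CA, as shown in the Certification Authority MMC
$Agent  = 'SC-Enroll'            # the only account that should be able to enroll either template
$Expected = @{
    # display name -> signatures required, RA application policy OID, must use a smart card provider
    'Contoso Smart Card Enrollment Agent' = @{ Signatures = 0; RaPolicy = $null;                    SmartCardCsp = $false }
    'Contoso Smart Card Logon'            = @{ Signatures = 1; RaPolicy = '1.3.6.1.4.1.311.20.2.1'; SmartCardCsp = $true  }  # Certificate Request Agent
}

$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'     # the "Enroll" extended right
$PkiBase     = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

function Get-Enrollers {
    # Identities granted Enroll on a template, directly or through Full Control / all extended rights
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    $all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $Acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                (($_.ActiveDirectoryRights -band $all) -eq $all) -or
                ((($_.ActiveDirectoryRights -band $ext) -eq $ext) -and
                 ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty))
            )
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

# The CA object in AD lists the cn of every template it issues
$ca = Get-ADObject -SearchBase "CN=Enrollment Services,$PkiBase" `
        -LDAPFilter "(&(objectClass=pKIEnrollmentService)(cn=$CaName))" -Properties certificateTemplates
if (-not $ca) { throw "CA '$CaName' not found under CN=Enrollment Services,$PkiBase" }

$report = foreach ($name in $Expected.Keys) {
    $want = $Expected[$name]
    $t = Get-ADObject -SearchBase "CN=Certificate Templates,$PkiBase" `
            -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$name))" `
            -Properties 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies', 'pKIDefaultCSPs', 'nTSecurityDescriptor'
    if (-not $t) { Write-Warning "Template '$name' not found"; continue }

    $enrollers = @(Get-Enrollers $t.nTSecurityDescriptor)
    # v3/v4 templates pack several settings into msPKI-RA-Application-Policies, so look for the OID as a substring
    $raPolicies = @($t.'msPKI-RA-Application-Policies') -join ' '
    $csps       = @($t.pKIDefaultCSPs)   # e.g. "1,Microsoft Base Smart Card Crypto Provider"

    [pscustomobject]@{
        Template          = $name
        PublishedOnCA     = [bool]($ca.certificateTemplates -contains $t.Name)
        SignaturesOK      = ([int]$t.'msPKI-RA-Signature') -eq $want.Signatures
        RequestAgentOK    = if ($want.RaPolicy) { $raPolicies -like "*$($want.RaPolicy)*" } else { $true }
        SmartCardCspOK    = if ($want.SmartCardCsp) { @($csps -like '*Smart Card*').Count -gt 0 } else { $true }
        Enrollers         = $enrollers -join ', '
        AgentCanEnroll    = [bool]($enrollers -match ('\\' + [regex]::Escape($Agent) + '$'))
        AdminsStillEnroll = [bool]($enrollers -match 'Domain Admins|Enterprise Admins')
        BroadEnroll       = [bool]($enrollers -match 'Authenticated Users|Domain Users|Domain Computers|Everyone')
    }
}
$report | Format-List
```

Every line of the report should read True except AdminsStillEnroll and BroadEnroll, which should be False. BroadEnroll is the one to take seriously: a smart card logon template that Authenticated Users or Domain Users can enroll, or an Enrollment Agent template with a wide Enroll ACL, lets anyone in the domain mint logon credentials, so fix the template ACL before issuing the first card. The same publication check can be done from the CA itself with certutil -CATemplates.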

 

Enroll for Enrollment Agent certificate

  1. Log on to the Enrollment Station (a domain-joined computer in the same domain as the Issuing CA) as SC-Enroll.
  2. Open MMC and add the Certificates snap-in for the current user.
  3. Right-click on Personal, select All Tasks and click on Request New Certificate.
  4. Click Next.
  5. The Request Certificates page lists only the templates SC-Enroll holds Enroll permission on; you should see Contoso Smart Card Enrollment Agent. If it is missing, go back and check the template’s Security tab and that the template was added to the CA.
  6. In the Request Certificates dialog box select the Contoso Smart Card Enrollment Agent check box. Click on Details and click on the Properties button.
  7. In the General tab, type the Friendly name for this certificate (for example: Contoso SC-Enroll Certificate).
  8. In Description type: This cert is used for issuing smart cards to users.
  9. Click the Apply button.
  10. Explore the other tabs but do not change any properties.
  11. Click OK to close the Certificate Properties.
  12. Make sure Contoso Smart Card Enrollment Agent is still selected and click on the Enroll button.
  13. Since the template does not require CA certificate manager approval, the certificate is issued immediately and the status should show Succeeded. For a production deployment consider requiring that approval on the Enrollment Agent template, so that a second person has to confirm every new agent.
  14. Click Finish.
  15. Open the Personal certificate store and verify that the certificate is present. Open it and verify that it reports a private key corresponding to this certificate. That private key is what signs every enroll-on-behalf request, so this station should be treated as a privileged workstation (or the agent key itself placed on a smart card).

 

Smart Card Certificate Enrollment

  1. Log on to the Enrollment Station as SC-Enroll. Insert the smart card reader into a USB port.
  2. Insert the smart card into the smart card reader.
  3. Open MMC and add the Certificates snap-in for the current user.
  4. Right-click on Personal, select All Tasks, click on Advanced Operations and click on Enroll On Behalf Of.
  5. Click Next.
  6. In Select Enrollment Agent Certificate click on Browse, select the Enrollment Agent certificate issued in the previous section and click OK.
  7. Click Next.
  8. In Request Certificates select the Contoso Smart Card Logon template and click Next.
  9. In Select a User click on Browse, type the name of the user you are enrolling the smart card for (“User Name” below) and click Check Names, then OK.
  10. Click on the Enroll button. You are prompted for the PIN of the inserted smart card. Type the PIN and the card is enrolled with a certificate for the “User Name” account from AD DS. The key pair is generated on the card by the smart card provider, and the request is countersigned with SC-Enroll’s Enrollment Agent certificate before it is sent to the CA.
  11. When asked whether to enroll another user, click Cancel (or insert the next card and continue).
  12. Open a command prompt and run: certutil -scinfo
  13. Type the PIN when prompted. You’ll see information about the certificate on the card; certutil also builds its chain and tests that the private key on the card matches the certificate, so any error here means the card will not log on.

 

The smart card is ready and can be used for authentication, provided the rest of the logon path is in place: every domain controller needs a certificate from the Domain Controller Authentication or Kerberos Authentication template (certutil -dcinfo verify checks this), and the issuing CA’s certificate must be in the NTAuth store, which an Enterprise CA publishes automatically when it is installed.
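The checks a practitioner wants before handing the card over go a bit further than certutil -scinfo: the certificate must carry the Smart Card Logon and Client Authentication EKUs, its Subject Alternative Name UPN must match the user’s UPN in AD, the chain must build with revocation checking, and the issuing CA must be in NTAuth. The PowerShell below is an added example, not code from the original post; it assumes a domain-joined station with the RSAT ActiveDirectory module, that the inserted card’s certificate is visible in Cert:\CurrentUser\My (the Certificate Propagation service copies it there), and the placeholder account name jdoe.

```powershell
# Added example (not part of the original post): check a freshly enrolled smart card logon
# certificate against the AD account it was issued for and against what Kerberos PKINIT needs.
# Assumptions: domain-joined station with RSAT ActiveDirectory; the card is inserted and its
# certificate is in Cert:\CurrentUser\My (or load a .cer exported with certutil -user -store My).
# 'jdoe' is a placeholder account name; the OIDs and registry path are real Windows values.
Import-Module ActiveDirectory

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'
$NtAuthRegistry    = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'  # GP-downloaded copy of NTAuth

function Get-CertUpn {
    # Reads the UPN from the Subject Alternative Name (otherName 1.3.6.1.4.1.311.20.2.3); $null if absent
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and $san.Format($true) -match 'Principal Name=([^\s,]+)') { return $Matches[1] }
    return $null
}

function Test-SmartCardLogonCert {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$SamAccountName   # the user the card was enrolled for
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
    $ekus = @($Cert.Extensions |
              Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
              ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $upn  = Get-CertUpn $Cert

    # Build the chain with online revocation checking, as a domain controller would during PKINIT
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($Cert)
    $issuer  = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate } else { $null }

    [pscustomobject]@{
        Subject           = $Cert.Subject
        NotAfter          = $Cert.NotAfter
        HasSmartCardLogon = $ekus -contains $SmartCardLogonEku
        HasClientAuth     = $ekus -contains $ClientAuthEku
        CertUpn           = $upn
        UpnMatchesAD      = ($null -ne $upn) -and ($upn -ieq $user.UserPrincipalName)
        ChainValid        = $chainOk
        ChainErrors       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        IssuerInNTAuth    = ($null -ne $issuer) -and (Test-Path (Join-Path $NtAuthRegistry $issuer.Thumbprint))
        HasPrivateKeyHere = $Cert.HasPrivateKey   # true while the card holding the key is inserted
    }
}

# Usage: take the newest smart card logon certificate propagated from the card and test it for the target user
$cardCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if ($cardCert) {
    Test-SmartCardLogonCert -Cert $cardCert -SamAccountName 'jdoe' | Format-List
} else {
    Write-Warning 'No smart card logon certificate in Cert:\CurrentUser\My; insert the card or load the exported .cer with New-Object X509Certificate2'
}
```

UpnMatchesAD is the check that matters most: a domain controller maps the card to an account by the UPN in the SAN, so a certificate whose UPN does not match (or matches a different account) will either fail logon or, worse, authenticate as someone else. IssuerInNTAuth reads the copy of the NTAuth store that Group Policy downloads to the workstation; on a machine that has not refreshed policy since the CA was installed, confirm against AD with certutil -viewstore -enterprise NTAuth instead.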
