Limited support for this configuration is described later in this article. Active Directory must trust a certification authority (CA) to authenticate users based on certificates from that CA. Both smart card workstations and domain controllers must have correctly configured certificates. Both the domain controllers and the smart card workstations must trust this root. Export or download the third-party root certificate. How to obtain the third-party root certificate varies by vendor.
The certificate must be in Base64-encoded X.509 format. To configure Group Policy in the Windows domain to distribute the third-party CA to the trusted root store of all domain computers: If the CA that issued the smart card logon certificate or the domain controller certificates is not properly posted in the NTAuth store, the smart card logon process does not work. The corresponding error is "Unable to verify the credentials".
The NTAuth store is located in the Configuration container for the forest. By default, this store is created when you install a Microsoft Enterprise CA. The object can also be created manually by using ADSIedit.
For more information, click the following article number to view the article in the Microsoft Knowledge Base: After you put the third-party CA in the NTAuth store, domain-based Group Policy places a registry key (the thumbprint of the certificate) in the following location on all computers in the domain:
Request and install a domain controller certificate on the domain controller(s). Each domain controller that is going to authenticate smart card users must have a domain controller certificate.
If you install a Microsoft Enterprise CA in an Active Directory forest, all domain controllers automatically enroll for a domain controller certificate.
For more information about requirements for domain controller certificates from a third-party CA, click the following article number to view the article in the Microsoft Knowledge Base: Using a non-Microsoft CA to issue a certificate to a domain controller may cause unexpected behavior or unsupported results.
An improperly formatted certificate, or a certificate with the subject name absent, may cause these or other capabilities to stop responding. Enroll for a certificate from the third-party CA that meets the stated requirements. The enrollment method varies by CA vendor. This field is a mandatory extension, but populating it is optional. There are two predefined types of private keys. Make sure that the appropriate smart card reader device and driver software are installed on the smart card workstation.
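As an added example (not part of the article), the following PowerShell script checks on a domain controller that the prerequisites above are in place: the third-party root in the machine Trusted Root store, the issuing CA in the local NTAuth store, and a domain controller certificate with a private key. The two thumbprint parameters are placeholders, and the specific extension checks (Server and Client Authentication EKUs, DC FQDN in the Subject Alternative Name) are assumptions drawn from the general domain controller certificate rules rather than from this page.

```powershell
# Added example, not from the KB article. Run on a domain controller as an administrator.
# Both thumbprints are placeholders: replace them with the SHA-1 thumbprints of your
# third-party root CA and of the CA that issues the smart card logon certificates.
param(
    [string]$RootThumbprint    = 'REPLACE_WITH_ROOT_CA_THUMBPRINT',
    [string]$IssuingThumbprint = 'REPLACE_WITH_ISSUING_CA_THUMBPRINT'
)

function Test-RootTrusted {
    param([string]$Thumbprint)
    # Group Policy should have pushed the third-party root into the machine Trusted Root store.
    $null -ne (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint })
}

function Test-NTAuthContains {
    param([string]$Thumbprint)
    # certutil prints the local copy of the enterprise NTAuth store; collect the SHA-1 hashes it lists.
    # An issuing CA missing here is what produces "Unable to verify the credentials" at logon.
    $text   = (certutil -enterprise -store NTAuth 2>&1) -join "`n"
    $hashes = [regex]::Matches($text, 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)') |
              ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() }
    $hashes -contains $Thumbprint.ToUpperInvariant()
}

function Get-DCAuthCertificate {
    # Assumed requirements (general DC certificate rules, not stated on this page): a private key,
    # a non-empty subject, Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication
    # (1.3.6.1.5.5.7.3.2) EKUs, and the DC's FQDN in the Subject Alternative Name extension.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $_.HasPrivateKey -and $_.Subject -and $san -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') -and
        ($san.Format($false) -match [regex]::Escape($fqdn))
    }
}

# Prefer the DC certificate that expires last if several qualify.
$dcCert  = Get-DCAuthCertificate | Sort-Object NotAfter -Descending | Select-Object -First 1
$dcThumb = if ($dcCert) { $dcCert.Thumbprint } else { 'none found' }
$dcUntil = if ($dcCert) { $dcCert.NotAfter }   else { $null }

[pscustomobject]@{
    RootTrusted     = Test-RootTrusted    -Thumbprint $RootThumbprint
    IssuingInNTAuth = Test-NTAuthContains -Thumbprint $IssuingThumbprint
    DCCertificate   = $dcThumb
    DCCertExpires   = $dcUntil
}
```

A `False` in either of the first two fields points at the Group Policy distribution or the NTAuth publication step, respectively, rather than at the smart card itself.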
Thread starter: David. Start date: Jan 16. When the card is inserted, on Windows we receive the SAS notification event, we read the card and all is OK.
On Windows XP Professional, installed on a standalone machine, we do not receive the event. No result. We know that, if the machine joined an Active Directory domain, the insertion event is received by the GINA, but we need to make it work on a standalone machine. Are there any suggestions? Many thanks, David.

David, this is a user-mode question; GINA is like an application.