Introduction and Purpose
Microsoft Windows can use smartcards and USB tokens for interactive logon authentication to Active Directory (AD). This is currently the strongest authentication available for AD, and PKI smartcards or USB tokens make two-factor authentication for AD economical.
The purpose of this document is to explain how to use smartcards with certificates that were not issued by the AD Certification Authority.
Requirements
Windows XP Professional, Service Pack 2
Windows 2000/2003/2008
Windows Vista
Aloaha-supported smartcards such as Mifare, eGK, HBA, Micardo, etc.
Active Directory
Aloaha Cardconnector min. version 3.0.130
Instructions
Three areas of work are needed to make smartcard logon work:
- Configure the client (install the Aloaha Smartcard Connector, join AD, etc.)
- Produce or purchase Windows logon enabled smartcards and make sure the attributes and the principal name in the certificate are correct.
- Configure Active Directory (store the root certificates in the NTAuth store and the domain policy)
Install Aloaha Smartcard Connector
Download and install the Cardconnector from http://www.aloaha.com/download/cardconnector.zip
Once installed, right-click the yellow Aloaha system tray icon and make sure that certificates will be registered automatically. It is also essential that the software is correctly licensed.
Furthermore you need to register your card type in Calais (the Windows smart card database). Below is a sample for a Mifare 4K and a SagemOrga eGK. For other cards please contact our support!
' Registers a card's ATR in the Windows smart card database (Calais) so that
' the Aloaha CSP is used for it. Arguments: ATR, card name, CSP name.
dim csp
set csp = createobject("aloahacsp.provider")
' Mifare 4K
call csp.register_Calais(cstr("3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 02 00 00 00 00 69"), cstr("MifarePKI"), cstr("Aloaha Cryptographic Provider"))
' SagemOrga eGK
call csp.register_Calais(cstr("3B DF 96 FF 81 B1 FE 45 1F 03 00 64 04 05 06 00 31 BE 73 9E 21 53 00 90 00 C2"), cstr("eGK"), cstr("Aloaha Cryptographic Provider"))
set csp = nothing
Logon Certificate Requirements
- The CRL Distribution Point (CDP) location (CRL = Certificate Revocation List) must be populated, online, and available.
- Key Usage = Digital Signature
- Enhanced Key Usage = Client Authentication, Secure Email, Smart Card Logon.
- Subject Alternative Name = Other Name: Principal Name = UPN
- Subject = Distinguished name of user. This field is a mandatory extension, but the population of this field is optional.
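The following PowerShell function is an added example (not part of the Aloaha documentation) that checks an exported logon certificate against the requirements listed above; the file path and the expected UPN are assumptions, and the CDP check only confirms the extension is present, not that the CRL is reachable.

```powershell
# Added example: verify a smart card logon certificate (.cer file) against the
# requirements above. Uses the Windows .NET X509 classes; Format() output is
# Windows-specific text ("URL=", "Principal Name=").
function Test-SmartCardLogonCert {
    param(
        [Parameter(Mandatory)][string]$Path,   # hypothetical path to exported .cer
        [string]$ExpectedUpn                    # optional: the AD user's UPN
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $results = [ordered]@{}

    # CDP (2.5.29.31) must be populated; online availability must be tested separately.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $results['CDP present'] = [bool]$cdp -and ($cdp.Format($true) -match 'URL=')

    # Key Usage must include Digital Signature.
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $digSig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    $results['KeyUsage DigitalSignature'] = [bool]$ku -and (($ku.KeyUsages -band $digSig) -ne 0)

    # EKU must include Client Authentication and Smart Card Logon (OIDs from RFC 5280 / Microsoft).
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $results['EKU Client Authentication'] = $ekuOids -contains '1.3.6.1.5.5.7.3.2'
    $results['EKU Smart Card Logon']      = $ekuOids -contains '1.3.6.1.4.1.311.20.2.2'

    # SAN (2.5.29.17) must carry Other Name: Principal Name=<UPN>.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $upn = $null
    if ($san -and ($san.Format($true) -match 'Principal Name=(\S+)')) { $upn = $Matches[1] }
    $results['SAN UPN present'] = [bool]$upn
    if ($ExpectedUpn) { $results['SAN UPN matches user'] = ($upn -eq $ExpectedUpn) }

    # Subject must exist as a field; its content is optional, so it is only reported.
    $results['Subject'] = $cert.Subject

    [pscustomobject]$results
}

# Usage with hypothetical file and user:
Test-SmartCardLogonCert -Path 'C:\temp\logon.cer' -ExpectedUpn 'jdoe@corp.example'
```

Any False value in the output points to the requirement that must be fixed on the card's certificate before the logon can succeed.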
Prepare Active Directory
- Add the third-party root CA to the trusted roots in an Active Directory Group Policy object.
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the left pane, locate the domain in which the policy you want to edit is applied.
- Right-click the domain, and then click Properties.
- Click the Group Policy tab.
- Click the Default Domain Policy Group Policy object, and then click Edit. A new window opens.
- In the left pane, expand the following items:
• Computer Configuration
• Windows Settings
• Security Settings
• Public Key Policy
- Right-click Trusted Root Certification Authorities.
- Select All Tasks, and then click Import.
- Follow the instructions in the wizard to import the certificate.
- Click OK.
- The smart card logon certificate must be issued by a CA that is in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If the CA that issued the smart card logon certificate or the domain controller certificates is not properly published in the NTAuth store, the smart card logon process does not work. The corresponding error message is "Unable to verify the credentials".
The easiest way to publish the issuing CA certificate to the NTAuth store is the following command:
certutil -dspublish -f filename NTAuthCA
Other ways are explained in KB281245 and KB295663.
- Request and install a domain controller certificate on the domain controller(s). Each domain controller that is going to authenticate smartcard users must have a domain controller certificate. The easiest and recommended way is to install a Microsoft Enterprise CA in the Active Directory forest; that way all domain controllers automatically enroll for a domain controller certificate.
For more information about requirements for domain controller certificates from a third-party CA, see Microsoft Knowledge Base article 291010 (http://support.microsoft.com/kb/291010/), Requirements for domain controller certificates from a third-party CA.
Should you experience problems, please do not hesitate to contact Aloaha support or to post your questions in the Aloaha Cardconnector Forum.