Enabling Smartcard Logon for Active Directory


Since I couldn’t find an all-in-one guide anywhere out there, I’m going to write up a short post on how to enable smart card logon in a Microsoft Active Directory environment.

It’s short since I’m a little bit lazy in documenting every step (these are mainly notes for myself), but if enough people request, I’ll expand this post to include more details.

Requirements:
– Active Directory (Windows 2003 and up). You cannot have smartcard login without some sort of directory service – that defeats the purpose of PKI.
– Smart card, smart card reader, and its middleware / drivers installed wherever you will be logging into the domain.

Phases:
I. Install Certificate Services on a server that is part of the domain, configure a root CA, enable the Smartcard Logon certificate template
II. Create an GPO that auto-enrolls domain machines so that all your domain machines get a certificate & can renew them automatically. Make sure computers and all domain controllers have a certificate.
III. Logon to a domain machine, open Certificates snap-in for the current user, request new certificate, select “advanced options”, pick the CSP for your smartcard and complete the request.
IV. Test logins 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.