Since I couldn’t find an all-in-one guide anywhere out there, I’m going to write up a short post on how to enable smart card logon in a Microsoft Active Directory environment.
It’s short since I’m a little bit lazy in documenting every step (these are mainly notes for myself), but if enough people request it, I’ll expand this post to include more details.
Requirements:
– Active Directory (Windows 2003 and up). You cannot have smart card logon without some sort of directory service: the domain controllers are what map the card’s certificate to an account, so without one there is nothing for the PKI to authenticate against.
– Smart card, smart card reader, and its middleware / drivers installed on every machine from which you will be logging into the domain.
Phases:
I. Install Certificate Services on a server that is part of the domain, configure a root CA, and enable the Smartcard Logon certificate template.
II. Create a GPO that auto-enrolls domain machines so that all your domain machines get a certificate and can renew it automatically. Make sure the workstations and all domain controllers have a certificate.
III. Log on to a domain machine, open the Certificates snap-in for the current user, request a new certificate, select “advanced options”, pick the CSP for your smart card and complete the request.
IV. Test logins 🙂
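Before testing logins, it helps to confirm that phases I–III actually produced what smart card logon needs. The script below is an added example, not part of the original post; it assumes an elevated PowerShell on a domain-joined machine with the RSAT ActiveDirectory module, PowerShell remoting to the domain controllers, and the smart card inserted for the last check.

```powershell
# Added example, not from the original post: read-only sanity checks for what
# phases I-III put in place. Assumes RSAT ActiveDirectory module, remoting to DCs,
# and the smart card inserted. EKU OIDs are the standard Microsoft/IETF values.
$OidServerAuth     = '1.3.6.1.5.5.7.3.1'       # Server Authentication
$OidKdcAuth        = '1.3.6.1.5.2.3.5'         # KDC Authentication
$OidSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon

# Phase II: each DC needs an unexpired certificate with private key that the KDC can
# use (Domain Controller / Domain Controller Authentication / Kerberos Authentication
# templates all carry Server Authentication or KDC Authentication).
$dcCheck = {
    param($ServerAuth, $KdcAuth)
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $oids = @($_.EnhancedKeyUsageList | ForEach-Object ObjectId)
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        (($oids -contains $ServerAuth) -or ($oids -contains $KdcAuth))
    }
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Count = @($certs).Count
                       Issuers = @($certs | ForEach-Object Issuer | Sort-Object -Unique) }
}
foreach ($dc in Get-ADDomainController -Filter *) {
    $r = Invoke-Command -ComputerName $dc.HostName -ScriptBlock $dcCheck `
                        -ArgumentList $OidServerAuth, $OidKdcAuth
    if ($r.Count -eq 0) { Write-Warning "$($r.Host): no usable DC certificate (phase II)" }
    else { "$($r.Host): $($r.Count) DC certificate(s) from $($r.Issuers -join '; ')" }
}

# Phase I: the issuing CA must be in the enterprise NTAuth store; a card certificate
# that merely chains to a trusted root is still rejected for logon otherwise.
$ntAuth = (certutil -enterprise -store NTAuth) -join "`n"

# Phase III: the user's card certificate must carry the Smart Card Logon EKU and a
# Subject Alternative Name UPN that matches the account that will log on.
$upn = (whoami /upn).Trim()
$cardCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    @($_.EnhancedKeyUsageList | ForEach-Object ObjectId) -contains $OidSmartCardLogon
}
foreach ($c in $cardCerts) {
    $san      = ($c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
    $upnOk    = $san -match [regex]::Escape("Principal Name=$upn")
    $issuerCn = ($c.Issuer -split ',')[0] -replace '^CN='
    $issuerOk = $ntAuth -match [regex]::Escape($issuerCn)
    "{0}: UPN match={1}, issuer in NTAuth={2}, expires {3}" -f $c.Thumbprint, $upnOk, $issuerOk, $c.NotAfter
}
if (-not $cardCerts) { Write-Warning "No certificate with the Smart Card Logon EKU in the user store (phase III)" }
```

A warning from any of the three sections points at the phase to revisit; a logon attempt with a card whose UPN or issuer check fails will be refused by the KDC even though the card itself works.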