Set up a smart card for user logon to windows server 2012 R2
Good Evening,
I have Windows Server 2012 R2 Datacenter edition (dreamspark license)
Is it possible to successfully set up smart card logon to a server? I already have the smart card reader, the smart card and the certificate (which is also my digital signature). I know how to set up a DC role (as far as I know, the server has to be in a domain to use smart card logon). I would like to log on to my PC using a smart card and set the certificate I already have as the certificate used for logon.
Kind Regards,
Tomasz
It would take a few things to do this, and could cause some security issues. In short, I assume the certificate you "already have" came from another environment or a commercial provider. You would need to configure your computer to trust that CA to be an issuer of smart card authentication certificates. That effectively moves a good portion of your computer security control out of your environment. For many environments that is an unacceptable security risk.
If you don't have an Active Directory running, you will also need to make some accommodations to the standard guides. I don't believe there are any published guides on how to do this with a single server and third-party CAs.
Here are some references for generic smart card authentications. They are not 100% applicable to your need, so some interpretation is going to be needed.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa380142(v=vs.85).aspx
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.
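As an added illustration of the reply's point (this is not part of the original answer), the PowerShell below shows what "configure your computer to trust that CA to be an issuer of smart card authentication certificates" means in practice on a domain, and the check that makes the widened trust visible. It assumes an AD domain already exists and that it runs on a DC as an Enterprise Admin; the file path C:\PKI\ThirdPartyCA.cer, the CA name "ThirdParty CA", the domain example.com and the account "tomasz" are placeholders.

```powershell
# Added example, not from the original thread. Placeholders: the .cer path,
# the CA name, example.com and the account name.
$caCert = 'C:\PKI\ThirdPartyCA.cer'

# 1. Publish the CA into the forest so domain members can build a trusted chain.
#    Use RootCA for a self-signed root, SubCA for an issuing (subordinate) CA.
certutil.exe -dspublish -f $caCert RootCA

# 2. Smart card logon needs more than chain trust: the issuing CA must also be
#    in the enterprise NTAuth store. This is the step that lets the outside CA
#    issue *logon* credentials for accounts in the domain.
certutil.exe -dspublish -f $caCert NTAuthCA

# 3. Review what is now allowed to issue logon certificates. Every entry in
#    this store is effectively a domain credential issuer, so keep the list
#    short and re-check it whenever it changes.
certutil.exe -viewstore -enterprise NTAuth

# 4. Domain controllers match a smart card certificate to an account by the UPN
#    in its Subject Alternative Name. A certificate from an outside CA usually
#    carries no UPN, so map it to the account explicitly via
#    altSecurityIdentities (issuer and subject DNs in reverse/LDAP order).
Import-Module ActiveDirectory
$mapping = 'X509:<I>DC=com,DC=example,CN=ThirdParty CA<S>CN=Tomasz'
Set-ADUser -Identity 'tomasz' -Add @{ altSecurityIdentities = $mapping }

# 5. Confirm the mapping before testing a logon.
Get-ADUser -Identity 'tomasz' -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities
```

Two practical notes: the DC itself also needs a domain controller authentication certificate before any smart card logon will succeed, and the issuer/subject mapping shown here is what 2012 R2 accepts, whereas later Windows updates (the KB5014754 certificate-mapping hardening) treat issuer/subject mappings as weak and prefer issuer plus serial number.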
Similar Messages
-
Configuring group policy for user profiles in Windows Server 2012 R2 Domain
Requesting some experts advise on configuring group policy for user profiles.
We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
The settings which I am concerned:
1. Folder Redirection: Desktop, Documents, Favorites.
2. Quota for Folder Redirection - 1 GB per user.
3. Map a networked drive - 1 GB per user.
4. Roaming profile - (Will ignore if it does not suit our requirement).
The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
FYI, e-mails are hosted on MS Office 365 and the OST file size of a few users is more than 25 GB. So, in case a user moves from one computer to another, the entire mailbox will be downloaded via the internet. This consumes high bandwidth if more than 3-4 users shift per day.
Thanks a lot for your valuable time and efforts.
Hi,
>>The question is how outlook profile will be retained / automatically moved if the users move from once computer to other?
This depends on where your Outlook data files are stored. If these data files are stored under drive:\Users\<username>\AppData\Local, then they can't be redirected, because folder redirection can't redirect AppData Local or LocalLow.
However, regarding your question, we can refer to the following thread to find the solution.
Roam outlook profiles without roaming profiles
http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
Configuring Folder Redirection
http://technet.microsoft.com/library/cc786749.aspx
Hope it helps.
Best regards,
Frank Shen -
What share/ntfs permission i've to setup for user profile disks on Server 2012 R2?
Please, let me know.
Regards!
Lasandro Lopez
Hi Lasandro,
As far as I know, share permissions for UPD are automatically set up by the management tools.
Besides, regarding how to install and configure UPD, the following article can be referred to as reference.
Installing and Configuring User Profile Disks (UPD) in Windows Server 2012
https://social.technet.microsoft.com/wiki/contents/articles/15304.installing-and-configuring-user-profile-disks-upd-in-windows-server-2012.aspx
In addition, regarding UPD, the following article can be referred to for more information.
Easier User Data Management with User Profile Disks in Windows Server 2012
http://blogs.msdn.com/b/rds/archive/2012/11/13/easier-user-data-management-with-user-profile-disks-in-windows-server-2012.aspx
Best regards,
Frank Shen -
How do I get a reliable schedule for automatic update in Windows Server 2012 R2?
I don't understand why MS broke automatic updates in Windows Server 2012 R2. In previous versions, I used to set it for automatic updates on Saturdays at 2AM. I can no longer pick a weekly update in the GUI, and the time seems to have no impact on its capricious reboots due to updates. It might happen 2 days later at noon. The best option for now is to just shut off automatic updates, but I'm reading this issue has been around since 2012 R1. There supposedly is a fix/patch for 2012, but it doesn't say if the patch is for 2012 R2, and automatic updates haven't installed a fix that actually fixes what is broken with automatic updates.
Why even leave the GUI for automatic updates if it doesn't mean anything?
Is there a simple registry key I can change so updates occur according to the schedule that you created in the GUI? Please no PowerShell - worst crutch MS ever created to not fix their own GUI.
I'm seeing people have tried some advanced workarounds using GPO, but many said those don't work reliably either on hosts or domain controllers.
This may explain:
http://blogs.technet.com/b/wsus/archive/2013/10/08/enabling-a-more-predictable-windows-update-experience-for-windows-8-and-windows-server-2012-kb-2885694.aspx
http://blogs.technet.com/b/wsus/archive/2013/06/11/wsus-blog-managing-updates-with-deadlines-in-an-era-of-automatic-maintenance.aspx
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
Web Access for Remote Desktop on Windows Server 2012
Hello,
I've a Windows Server 2012 without a domain. So I installed the Remote Desktop Session Host, the Remote Desktop license server and the Remote Desktop Gateway as a server role only. All is working fine. Without a domain, no management tools for Remote Desktop are available. So I configure Remote Desktop via the registry. I define (via registry) some RemoteApps, too. All values are copied from a running Windows Server 2008 R2. So the RemoteApps are running.
Now I want to use the new Microsoft Remote Desktop client for Android. To use a RemoteApp I must define a remote resource. To define a remote resource I need a URL to the web access for Remote Desktop. So I installed the web access. But if I log in to the web access, I don't see any RemoteApp. What's wrong? I've set ShowInTSWA to 1. What must I do to access an existing RemoteApp via web access?
Martin
Hi Martin,
Server 2012 RD Web Access is designed to retrieve published RemoteApps and Desktops from a Server 2012 RD Connection Broker and/or a Server 2008 R2 RD Session Host server. From your description it doesn't appear that you are using either of the above.
I know it is a more complicated set up, but you should consider having a domain, creating a RDS deployment, etc., so that you can use the full featureset as it was intended. You can do it all on a single server if needed. For Server 2012
there is a hotfix that needs to be applied to permit RD Connection Broker to work on the same server instance as active directory.
-TP -
Restore deleted AD User Account in Windows Server 2012
Good day.
I know Windows Server 2012 has an Active Directory Recycle Bin feature; however, upon enabling the feature it doesn't display the user account I had deleted prior to enabling the feature. Is this normal? Does the feature only display deleted AD objects after you have enabled it? Is there another way to display those objects? Thanks in advance.
Hi James,
Yes. You should have a valid system state backup to perform an authoritative restore.
In case you don’t have any system state backup, you can use ADRestore to restore tombstoned objects. When an object is deleted from Active Directory, it isn't actually removed but is instead marked as deleted by an internal marker called
a tombstone.
Note: ADRestore cannot restore the group membership for a user. Meanwhile, not all attribute data can be restored.
http://blogs.technet.com/b/asiasupp/archive/2006/12/14/using-adrestore-tool-to-restore-deleted-objects.aspx
Regards,
Rafic
If you found this post helpful, please give it a "Helpful" vote.
If it answered your question, remember to mark it as an "Answer".
This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
No, he cannot: there are no tombstones when the Recycle Bin is enabled, and recycled objects cannot be restored/reanimated.
Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog -
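As an added example (not from any of the replies above), the following PowerShell separates the two cases the replies disagree about: an object that is still a deleted object (or tombstone) can be brought back with Restore-ADObject, while an object that has already been recycled cannot, and only an authoritative restore from a system state backup remains. It assumes the Active Directory module on a 2012 R2 DC; "jsmith" is a placeholder account name.

```powershell
# Added example, not from the original thread.
Import-Module ActiveDirectory

# Placeholder: sAMAccountName of the user that was deleted.
$samAccountName = 'jsmith'

# -IncludeDeletedObjects returns both deleted (still recoverable) and recycled
# objects. sAMAccountName and lastKnownParent are kept on a deleted object, so
# they can be used to find it and to know where it used to live.
$deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$samAccountName))" `
    -IncludeDeletedObjects `
    -Properties isDeleted, isRecycled, lastKnownParent, whenChanged

if (-not $deleted) {
    Write-Warning "No deleted object named $samAccountName found; it may already have been purged after the deleted-object/tombstone lifetime."
}

foreach ($obj in $deleted) {
    if ($obj.isRecycled) {
        # Recycled objects have had nearly all attributes stripped and cannot be
        # reanimated. Only an authoritative restore from a system state backup
        # taken before the deletion can bring them back.
        Write-Warning ("{0} (last changed {1}) is recycled; Restore-ADObject cannot recover it." -f $obj.DistinguishedName, $obj.whenChanged)
        continue
    }

    # Still a deleted object: put it back in its original container.
    Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $obj.lastKnownParent
    Write-Output "Restored $($obj.DistinguishedName) to $($obj.lastKnownParent)"
}

# For the investigation side: with account management auditing enabled, the
# deletion itself is recorded on the DC as Security event 4726 (user account
# deleted), which shows who deleted it and when.
```

When the Recycle Bin is not enabled, Restore-ADObject reanimates a plain tombstone, which keeps only a subset of attributes, the same limitation the ADRestore reply mentions; with the Recycle Bin enabled, objects deleted after enabling it are restored with their attributes and group memberships intact.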
Programmatic webdav/unc access requires user logon to windows server 2008 R2
I have an automated process (a .net windows service) that connects to sharepoint document library via a UNC (\\mysharepointsite\doclib). When the machine is rebooted,
accessing this folder results in a System.IO.IOException: The network name cannot be found exception.
However, if we log into the windows server 2008 r2 machine under the account that the service is running on, it starts working, and continues to work even when we log out. It continues to work until we reboot the computer.
I've already run into and solved other user-centric fixes for 2008. For example, the "Desktop Experience" feature is required to browse the path and all, and unchecking "automatically detect settings" significantly speeds up browsing of these paths.
However, I'm not sure what user logon initializes that would be fixing this problem.
I can further simplify this. The following command will fail initially:
dir \\myspserver\mypath
However, running the same command after browsing to the same path in Windows Explorer succeeds. At this point I've eliminated the programming as an issue, so I will try to post a similar question on TechNet. However, please let me know if anybody has any further info. -
Firefox Settings for users in a Windows Server 2008/Win 7 Environment
I am currently building images of Windows 7 with Firefox 4 for use on our machines. We use Windows Server 2008 to apply user settings. I am looking for a way that I can provide bookmarks, change some of the default settings, and remove the start-up splash screens for Firefox. It turns out that each time a unique user logs into a computer, they have to walk through these splash screens, and the settings revert back to defaults, and the bookmarks are gone. We have several thousand users on our network, so any help fixing this issue would be appreciated.
Generally it is the Computer Browser service that populates Network Neighborhood. This technology is no longer used with newer OSes like Server 2008 and Windows 7/8.
Description of the Microsoft Computer Browser Service
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows]
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. -
Auto start a program without logon on Windows Server 2012
I develop software that starts at server startup without login. It works fine with older versions of Windows Server (2003, 2008); with 2012, my executable program starts only when a session is opened (administrator or user).
My program uses a 32-bit architecture; it is found in:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
How can I make my program start automatically after any system reboot without logon?
Thank you for your cooperation.
Make it a service and configure it to start automatically.
.:|:.:|:. tim -
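As an added example (not from the reply above), the following PowerShell shows both ways to get a program running at boot without anyone logging on, and removes the Run-key entry that only fires inside a logon session. The executable path, the service name "MyApp" and the account "DOMAIN\svc_myapp" are placeholders.

```powershell
# Added example, not from the original thread. Placeholders: $exe, the
# service/task names and DOMAIN\svc_myapp.
$exe = 'C:\Program Files (x86)\MyApp\MyApp.exe'

# Option A: the program is written as a Windows service (it talks to the
# Service Control Manager). Register it to start at boot, before any logon.
New-Service -Name 'MyApp' `
            -DisplayName 'My App' `
            -BinaryPathName ('"{0}"' -f $exe) `
            -StartupType Automatic `
            -Credential (Get-Credential -Message 'Account the service runs as')
# Without -Credential the service runs as LocalSystem; a dedicated
# low-privilege account limits the program to the rights it actually needs.
Start-Service -Name 'MyApp'
Get-Service -Name 'MyApp' | Select-Object Name, Status, StartType

# Option B: the program is an ordinary executable, not service-aware (an
# ordinary .exe registered with New-Service will be killed by the SCM at
# start). A scheduled task with an "at startup" trigger runs it with no
# logon session.
$action    = New-ScheduledTaskAction -Execute $exe
$trigger   = New-ScheduledTaskTrigger -AtStartup
# S4U logon: no password is stored and no interactive session is created; the
# task cannot reach network resources as that account, which is fine for a
# program that only works locally.
$principal = New-ScheduledTaskPrincipal -UserId 'DOMAIN\svc_myapp' -LogonType S4U -RunLevel Limited
Register-ScheduledTask -TaskName 'MyApp at boot' -Action $action -Trigger $trigger -Principal $principal

# Either way, remove the Run entry so the program is not started a second time
# when someone logs on interactively.
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' `
                    -Name 'MyApp' -ErrorAction SilentlyContinue
```

Pick option A when the program already implements the service interface and option B when it does not; in both cases the account that runs the program should be one created for that purpose rather than LocalSystem.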
ADM templates for office 2003 on Windows server 2012
Hi Guys,
I am planning to upgrade from Server 2003 to Server 2012, but we will still be using Office 2003.
Can I install Office 2003 ADM templates on Server 2012?
Many thanks for your help
Theo
Yes, the template can still be installed in the policy store or on a computer running GPMC and added in on 2012.
They will process fine.
Although on a side note, I think Office 2003 is out of support - or due to be - so you might want to look at upgrading that too in the near future.
Regards,
Denis Cooper
MCITP EA - MCT
Help keep the forums tidy, if this has helped please mark it as an answer
My Blog
LinkedIn: -
How to allow more than two users on remote desktop on windows server 2012 foundation?
I have a Dell PowerEdge T300 server with Windows Server 2012 Foundation. I am unable to connect more than two remote desktop sessions at once.
Hi,
Add to Brain, you cannot have more than 15 user accounts in Windows Server 2012 Foundation.
In order to access a hosted application, such as Microsoft® Office, a license for Windows Server 2012 Remote Desktop Services is required for each user account (not to exceed 15 user
accounts) that directly or indirectly uses RD Gateway to host a graphical user interface, including using Remote Desktop Connection (RDC) client. When using Remote Desktop Services, you may not install or use Remote Desktop Connection Broker or Remote
Desktop Virtualization Host role services. For more information about Remote Desktop CALs , see http://go.microsoft.com/fwlink/?LinkId=140238.
http://technet.microsoft.com/en-us/library/jj679892.aspx
Hope this helps.
Jeremy Wu
TechNet Community Support -
Multi-Hypervisior Manager support for Windows Server 2012 R2
Hi,
I am attempting to connect to a Windows Server 2012 R2 Hyper-V and am getting the following error message.
"Unable to Connect to host hyper01"
I have tested and can connect to a Windows Server 2012 without issue. Checking the documentation for support and whilst Windows Server 2012 is not supported I wanted to ensure I wasn't making an error.
If it is indeed not supported at this moment, is there a viable alternative?
Many Thanks
Tristan
Hi,
Windows 2012 R2 is not supported by MHM 1.x. Please take a look at http://www.vmware.com/pdf/vcenter-multi-hypervisor-manager-11-guide.pdf, page 9, "vCenter Multi-Hypervisor Manager Software Requirements" section.
For your convenience I'm pasting the list of supported third-party hypervisors:
Microsoft Hyper-V Server 2012
Microsoft Hyper-V for Windows Server 2012
Microsoft Hyper-V Server 2008 R2
Microsoft Hyper-V for Windows Server 2008 R2
Microsoft Hyper-V for Windows Server 2008
Regards,
-Ilko -
Use only smart cards for several hundred users
How can I, as soon as possible, assign "use only the smart card" to a few hundred users? I also have a group of people who should be allowed to use either a login and password or a smart card. Using a GPO on the computer applies to the station, and I would like to apply it just to the user. I know that the user can select to use a smart card, but how do I do it automatically for a group of people (several hundred)?
I would use an LDAP query via GUI tools (like AD Administrative Console) or console tools (Active Directory PowerShell module) to get the target users by using some filter and enable the smart card checkboxes. GPO cannot be used to make changes in AD.
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new:
PowerShell FCIV tool. -
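As an added example (not from the reply above), this PowerShell does what the answer describes with the Active Directory module: it takes the members of a group as the filter and sets the "Smart card is required for interactive logon" flag on each account, then reports any member that is still password-capable. The group name "SmartCard-Required-Users" is a placeholder; the group of people who may use either method needs no change, because the flag is per account and is simply left off for them.

```powershell
# Added example, not from the original thread. Placeholder group name below.
Import-Module ActiveDirectory

$smartCardOnlyGroup = 'SmartCard-Required-Users'

# Helper: direct and nested user members of the group that do not yet have the
# flag set. Get-ADGroupMember -Recursive flattens nested groups.
function Get-PasswordCapableMember {
    param([string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties SmartcardLogonRequired |
        Where-Object { -not $_.SmartcardLogonRequired }
}

# 1. Require the card for every member that does not already require it.
#    Set-ADUser writes the SMARTCARD_REQUIRED bit of userAccountControl; the DC
#    then replaces the account's password with a random value, so from this
#    point the account cannot log on with a password at all. That is the
#    intended effect, but it also means any service or script still using a
#    password for one of these accounts will break.
$targets = @(Get-PasswordCapableMember -Group $smartCardOnlyGroup)
foreach ($user in $targets) {
    Set-ADUser -Identity $user -SmartcardLogonRequired $true
    Write-Output "Smart card now required for $($user.SamAccountName)"
}
Write-Output ("{0} account(s) changed." -f $targets.Count)

# 2. Verification / drift report: anyone in the group who is still
#    password-capable (for example, added to the group after the last run).
$remaining = @(Get-PasswordCapableMember -Group $smartCardOnlyGroup)
if ($remaining.Count -gt 0) {
    $remaining | Select-Object SamAccountName, DistinguishedName
} else {
    Write-Output "All members of $smartCardOnlyGroup require a smart card."
}

# 3. Inventory of every account in the domain that requires a card, useful for
#    periodic review.
Get-ADUser -Filter 'SmartcardLogonRequired -eq $true' |
    Select-Object SamAccountName, Enabled |
    Sort-Object SamAccountName
```

Run the script from a scheduled task if group membership is the source of truth, so that new members pick up the requirement automatically; the drift report in step 2 shows what the next run will change.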
Use smart card for 802.1x secured WiFi authentication
Hi,
is it possible to use a certificate stored on a USB Security Token for WiFi 802.1x authentication?
I have setup a test environment with all required components (AD, Enterprise CA, NPS, WPA2-Enterprise capable WiFi Access Point, all required certificates, all Server 2012 R2 / Windows 8.1 Pro) and created a user certificate for WPA2-Enterprise secured
WiFi access (802.1x). Everything works fine as long as the user certificate is stored in the local certificate store of the user's client computer: the user can connect to the WiFi network and the NPS logs show that the user has been authenticated correctly
and granted access.
To test this scenario with a Smart Card (Safenet USB Token), I stored that same user certificate on the token (incl. private key). The Safenet software on the client computer automatically makes the certificate stored on the token available in the local
certificate store as soon as the token has been plugged in (checked via MMC Certificates snap-in). But the certificate can't obviously be used for the desired WiFi authentication: If I try to connect the secured WiFi (the same as in scenario 1) the connection
fails.
As I'm using exactly the same certificate in both scenarios, I don't think there's anything wrong with the settings in the certificate, the NPS or any other infrastructure component. The reason for failure in scenario 2 must be lying somewhere in either
the local client computer configuration or in the Safenet software on the client computer.
I'm very familiar with all the PKI and authentication stuff, but I'm new to smart cards. Are there differences between different types of smart cards and for what purpose one can use them? (USB tokens, chip cards, virtual tokens, etc.?)
Has anybody experience in creating a 802.1x secured WiFi access with smart card based user certificates who could advise?
Thanks + Best Regards
Matt
Hi,
I found some links from the TechNet site which can be helpful in this case.
Network access authentication and certificates
http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx
Enable smart card or other certificate authentication
http://technet.microsoft.com/en-us/library/cc737336(v=ws.10).aspx
Quote:
Client certificate requirements
With EAP-TLS or PEAP-EAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:
The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory.
The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed
by CryptoAPI and specified in the remote access policy nor the Certificate object identifier checks that are specified in IAS remote access policy.
The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.
For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN).
For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client's fully qualified domain name (FQDN), which is also called the DNS name.
Yolanda Zhu
TechNet Community Support -
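As an added example (not part of the reply above), the following PowerShell checks the certificates in the current user's personal store against the client certificate requirements quoted from the article: the Client Authentication EKU (1.3.6.1.5.5.7.3.2), a UPN in the Subject Alternative Name, a chain to a trusted root, and a usable private key. Run it on the client with the token inserted and again with the certificate installed locally to compare the two scenarios. The function name is my own; it uses only the .NET X509Certificate2 and X509Chain classes and the Cert: drive.

```powershell
# Added example, not from the original thread. Function name is hypothetical.
function Test-EapTlsClientCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Requirement: Client Authentication EKU (1.3.6.1.5.5.7.3.2).
        $hasClientAuth = [bool]($Certificate.EnhancedKeyUsageList |
            Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })

        # Requirement (user certificates): the SAN extension (2.5.29.17) carries
        # the user principal name. Format($true) renders it as "Principal Name=".
        $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $upn = @()
        if ($san) {
            $upn = @($san.Format($true) -split '\r?\n' |
                Where-Object { $_ -match 'Principal Name=' } |
                ForEach-Object { ($_ -split '=', 2)[1].Trim() })
        }

        # Requirement: chains to a trusted root. X509Chain runs the same
        # CryptoAPI checks (validity period, revocation where reachable) that the
        # 802.1X client performs.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($Certificate)
        $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        # Requirement: a private key the 802.1X client can use. For a token the
        # provider name identifies the card's CSP; a key that demands a PIN or
        # password at use time is the "password-protected" case the article
        # excludes. Reading PrivateKey can throw for CNG keys, so guard it.
        $provider = $null
        if ($Certificate.HasPrivateKey) {
            try { $provider = $Certificate.PrivateKey.CspKeyContainerInfo.ProviderName }
            catch { $provider = '(CNG or unreadable key)' }
        }

        [pscustomobject]@{
            Subject          = $Certificate.Subject
            Thumbprint       = $Certificate.Thumbprint
            ClientAuthEku    = $hasClientAuth
            SanUpn           = ($upn -join ';')
            ChainsToTrusted  = $chainOk
            ChainErrors      = $chainErrors
            HasPrivateKey    = $Certificate.HasPrivateKey
            KeyProvider      = $provider
            MeetsEapTlsRules = ($hasClientAuth -and ($upn.Count -gt 0) -and $chainOk -and $Certificate.HasPrivateKey)
        }
    }
}

# The personal store is where the token software propagates the card's
# certificate while the token is inserted.
Get-ChildItem Cert:\CurrentUser\My | Test-EapTlsClientCertificate | Format-List
```

If the same certificate passes on the local store but fails from the token, the KeyProvider column is the first thing to compare: the 802.1X client has to be able to drive that provider without an interactive prompt, which is where a token's PIN handling usually differs from a software key.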
I'm working on ForeFront Identity Manager 2010. I'd like to enable AD users to use Smart Cards to reset their passwords. I watched this video www.youtube.com/watch?v=b4aGLnZHZN4. From this video (minute 2), it's said that we could use smart cards to authenticate
to Self-service Password Reset instead of Q/A gate.
I looked at ForeFront Identity Manager Portal but I couldn't find where to configure to use Smart Cards for this purpose. I only found "SMS authentication gate" and "Question and Answer Gate". Can somebody help me?
Thanks,
Hai
I am still interested in clients or other inquiries in this subject.