Smart card authentication

I need to figure out how to allow users to authenticate to webi with a smart card. I'm using BOE XIr2 with Tomcat on Linux, and I have documentation for using Tomcat with smart cards, but I don't see anything in Business Objects documentation or the forums about smart cards, or linking a particular user's certificate from the card to a defined user account with a set of Business Objects permissions. Any suggestions?
/me goes back to reading the Enterprise Deployment and Configuration guide
-- Josh

A smart card is typically integrated with AD. You should be able to set up AD auth or Vintela SSO. I've released a new doc; you can search for vintela enterprises in the SMP portal. Also, the XI 3.x admin guides show how to configure Kerberos.
Regards,
Tim

Similar Messages

  • ISE 802.1x EAP-TLS machine and smart card authentication

    I suspect I know the answer to this, but thought that I would throw it out there anyway...
    With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card authentication simultaneously for wired/wireless clients (specifically Windows 7/8, but Linux or OSX would also be good). I can find plenty of information regarding 802.1x machine authentication (EAP-TLS) and user password authentication (PEAP), but none about dual EAP-TLS authentication using certificates for machines and users at the same time. I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end. For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other. Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

    Hope this video link will help you
    http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

  • Smart card authentication for IOS device

    I am just wondering if anyone was able to successfully implement smart card authentication for vty and console session. If anyone did, can you please point me to the documentation and the implementation guide? Thanks

    Actually, with the RSA key pair setup in IOS 15+, you can use a smart card to authenticate to Cisco switches. I'm still working out all the details but you would need SecureCRT or Putty-CAC. SecureCRT allows you to export the public key from a PKI cert and then import that into the switch/router. The disadvantage is you can only use the first cert in the list. Putty-CAC allows you to select which PKI cert you want to use but I haven't verified you can export the public key from a cert. If you contact me, I'll email you the info needed to use SecureCRT.

  • Configuring Weblogic Server for X.509 Smart Card Authentication

    I am running Oracle Weblogic 11g (10.3.6) and attempting to configure two-way SSL (client certificate requested and enforced). The client certificate is on a smart card.
    I have enabled "basic" ssl in the weblogic server, and used keytool to import the relevant root CA certificates into the DemoTruststore.jks file. I have set the Two-way client cert behavior to Client Certs Requested and Enforced for the server.
    Unfortunately, attempting to access my application causes the following:
    <Certificate chain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
    <NO_CERTIFICATE alert was received from 127.0.0.1 - 127.0.0.1. Verify the SSL configuration has a proper SSL certificate chain and private key specified.>
    <Certificate chain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
    The ActivClient dialog never appears to select a certificate from the Smart Card, and a pin is never requested. Therefore, I think I misconfigured something.
    Help would be greatly appreciated.
    Jason

    Hello Mukunthan Damodharan,
    this means that the SSL Server Certificate does not have its fully qualified name in the subject alternative name extension of the X.509 certificate.
    You can create a valid one or disable that check in the Secure Login Client.
    How does the configuration get to the clients?
    With the Policy Download you can disable that check over the Secure Login Server Administration console in the corresponding authentication profile.
    If manually, you can change the following registry key:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<profile name>]
    "sslHostAlternativeNameCheck"=dword:00000000
    The value 0 disables that check on the client.
    best regards
    Alexander Gimbel

  • Support for smart-card authentication in PowerBuilder based application

    Hi, I have an application on PB11.5 with an Oracle DB back-end (11.2g). My DoD customer wants the application to use their DoD CAC Card (Smart Card) to authenticate against the Enterprise - Windows Active Directory domain, currently the application uses user-id\password for user authentication.  Is this something newer versions of PB can support and implement? Thank you.

    You have a couple of choices:
    1. Depending on how old their workstations are, or if they have ACTIVCLIENT installed, you could call the CAPICOM ActiveX using OLE commands
    2. A solution that doesn't require that ActiveX is to use the Smart Card SDK built into newer versions of Windows. It does require a lot lower level coding though, as you have to issue specific APDU commands to the card and know how to handle the responses.
    I posted a sample of the latter to the NNTP groups back in 2011. I suppose I should get around to creating a blog entry explaining how to use it.
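
What "issue specific APDU commands and handle the responses" involves, as an added Python example (not the sample the poster mentions, and not PowerBuilder or Windows SDK code): it encodes short ISO 7816-4 command APDUs and follows the 61xx, 6Cxx, 63Cx and 6983 status words against a simulated card. The AID, response data, PIN, VERIFY P2 value and the `FakeCard` class are constructed assumptions.

```python
# Added example: short-form ISO 7816-4 APDUs exchanged with a simulated card.
# FakeCard, SAMPLE_AID, SAMPLE_FCI and the PIN are constructed for illustration.
SAMPLE_AID = bytes.fromhex("A000000999010203")       # made-up application identifier
SAMPLE_FCI = bytes.fromhex("6F0A8408") + SAMPLE_AID  # made-up SELECT response data

def build_apdu(cla, ins, p1, p2, data=b"", le=None):
    """Encode a command APDU: 4-byte header, optional Lc + data, optional Le."""
    if len(data) > 255 or (le is not None and not 1 <= le <= 256):
        raise ValueError("short APDU limits: 255 data bytes, Le from 1 to 256")
    body = bytes([len(data)]) + data if data else b""
    tail = bytes([le % 256]) if le is not None else b""   # Le byte 0x00 means 256
    return bytes([cla, ins, p1, p2]) + body + tail

def split_response(resp):
    """Split a response APDU into (data, status word SW1SW2)."""
    if len(resp) < 2:
        raise ValueError("response shorter than the 2-byte status word")
    return resp[:-2], int.from_bytes(resp[-2:], "big")

def describe(sw):
    """Name the status words a PIN login has to tell apart."""
    if sw & 0xFFF0 == 0x63C0:
        return f"wrong PIN, {sw & 0x0F} tries left"
    known = {0x9000: "success", 0x6983: "PIN blocked", 0x6A82: "application not found"}
    return known.get(sw, f"unhandled status {sw:04X}")

def transceive(transmit, cla, ins, p1, p2, data=b"", le=None):
    """Send one command, following 61xx (GET RESPONSE) and 6Cxx (resend with Le)."""
    out, sw = split_response(transmit(build_apdu(cla, ins, p1, p2, data, le)))
    while sw >> 8 in (0x61, 0x6C):
        want = (sw & 0xFF) or 256
        if sw >> 8 == 0x6C:      # card names the exact Le it expects
            out, sw = split_response(transmit(build_apdu(cla, ins, p1, p2, data, want)))
        else:                    # more response data is waiting on the card
            more, sw = split_response(transmit(build_apdu(0x00, 0xC0, 0, 0, le=want)))
            out += more
    return out, sw

class FakeCard:
    """Constructed stand-in for a reader connection: one applet, one PIN."""
    def __init__(self, pin=b"123456", tries=3):
        self.pin, self.tries, self.pending = pin, tries, b""

    def transmit(self, apdu):
        ins, p1 = apdu[1], apdu[2]
        data = apdu[5:5 + apdu[4]] if len(apdu) > 5 else b""
        if ins == 0xA4 and p1 == 0x04:            # SELECT by AID
            if data != SAMPLE_AID:
                return bytes.fromhex("6A82")
            self.pending = SAMPLE_FCI
            return bytes([0x61, len(self.pending)])
        if ins == 0xC0:                           # GET RESPONSE
            chunk, self.pending = self.pending[:apdu[4] or 256], b""
            return chunk + bytes.fromhex("9000")
        if ins == 0x20:                           # VERIFY
            if self.tries == 0:
                return bytes.fromhex("6983")
            if data == self.pin:
                return bytes.fromhex("9000")
            self.tries -= 1
            return bytes([0x63, 0xC0 | self.tries])
        return bytes.fromhex("6D00")

def login(card, pin):
    """SELECT the applet, then VERIFY the PIN (P2=0x80 is an assumed PIN reference)."""
    _, sw = transceive(card.transmit, 0x00, 0xA4, 0x04, 0x00, SAMPLE_AID)
    if sw == 0x9000:
        _, sw = transceive(card.transmit, 0x00, 0x20, 0x00, 0x80, pin)
    return describe(sw)
```

With a real reader, `transmit` would be replaced by the platform's transmit call; the status-word handling stays the same.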

  • UAG smart card authentication plus kcdauthentication true

    Hi
    I have already set up smart card certificate authentication to the UAG portal. I'm using the certificate's field Subject Alternative Name and RFC822 Name to read UPN information. It says 'RFC822 Name=[email protected]'. That information I'm comparing to the AD account's mail attribute. Authentication works OK.
    In Active Directory, samaccount is created from the UPN's first part: firstname.lastname. So far I have been able to use kcdauthentication and create a valid Kerberos ticket which is acceptable for delegation.
    The customer changed their samaccount to a different form. KCD does not work anymore. I've tried to use the regkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter\KCDUseUPN,1. It does not work.
    I have no idea how to change from inc files that do not use samaccount but instead use UPN. UPN matches mail.
    Any ideas ?
    thanks in advance :)
    br -teemu

    Below Article might not give you direct answer.
    But, you may get an excellent idea on how to play around with INC files for your scenario.
    http://social.technet.microsoft.com/wiki/contents/articles/17031.how-to-get-client-certificate-authentication-working-on-a-uag-2010-portal.aspx
    Please let us know, how it goes. :)

  • ACS with CAC/Smart Card Authentication

    I have configured ACS 5.1 to authenticate a wireless user via EAP-TLS using the predefined Certificate Authentication Profile within ACS, but I don't understand how it is successfully authenticating users. Is it simply trusting any user that presents a certificate signed by the root certificate I imported into the ACS certificate authority?
    Thanks.


  • Smart Card login screen authentication

    Apple don't seem to have updated their documentation on this subject since way back in the Mac OS X Tiger days!
    I would like to have a setup where a user can walk up to a Mac (which is at the login screen), wave an RFID card over a reader connected to that Mac and be able to then login to that Mac. If it is necessary for a PIN/Password to also be entered that might be acceptable. Similarly if the screensaver activates during their login session, waving their RFID card again over the reader should unlock the screensaver.
    An alternative scenario would be a Mac with a guest login account enabled, and then wanting to use the same card reader to authenticate when requested to a proxy server in order to gain network access.
    The cards to make it clear would be RFID based, not magstripe or chip-and-pin. There are suitable USB readers like this one
    http://www.ers-online.co.uk/o5651/cardman5021-cl-omnikey-omnikey-5021-cl-contactless-smart-card-reader

    Hi Robert Gauthney,
    Could you offer more information about your issue? I found a scenario similar to your issue; if it matches your environment, please refer to the following KB to fix it. If it does not match your scenario, please offer us more information, such as the error screenshot or related Windows event information:
    Smart card authentication does not work when you use VDI and RD Gateway for RDC client in Windows 7 or in Windows Server 2008 R2
    http://support.microsoft.com/kb/2548538/EN-US
    I’m glad to be of help to you!
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • RDS Gateway + Smart Card Error [ The specified user name does not exist.]

    I have the following Windows Server 2008 R2 servers:
    addsdc.contoso.com, AD DS Domain Controller for contoso.com
    adcsca.contoso.com, AD CS Enterprise CA, CDPs/AIAs published externally.
    fileserver.contoso.com, RDS Session Host for Administration enabled
    rdsgateway.contoso.com, RDS Gateway enabled
    tmgserver.contoso.com, 'Publishing' rdsgateway.contoso.com but with pass-through authentication
    And the following Windows 7 PCs:
    internalclient.contoso.com
    externalclient.fabrikam.com
    There's no trust between the domains, the external client is completely separate on the internet but the CA certificate for contoso.com has been installed in the trusted Root CA store. All servers have certificates for secure RDP.
    I enrolled for a custom 'Smart Card Authentication' certificate with Client Authentication and Smart Card Logon EKUs from the CA, stored on my new Gemalto smart card using the Microsoft Base Smart Card CSP.
    From internalclient.contoso.com, I can RDP to fileserver.contoso.com using the smart card just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com via rdsgateway.contoso.com using a username and password just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com via rdsgateway.contoso.com using the smart card to authenticate to the gateway, and a username and password to authenticate to the end server, just fine.
    BUT when using a smart card to authenticate to the end server via the gateway, it fails with:
         The specified user name does not exist. Verify the username and try logging in again. If the problem continues, contact your system administrator or technical support.
    When I move the client into the internal network and try the connection again (still via the RDS Gateway), it works fine - the only thing I can think of is being outside the network and not being able to contact the AD DS DC for Kerberos is causing the issue - but I'm pretty sure this is a supported scenario?
    The smart card works fine internally, the subject of the certificate is the user's common name (John Smith) and the only SAN is [email protected] which matches the UPN of the user account as it was auto-enrolled.
    Does anyone have any ideas?

    I had a similar issue where I am using a smart card through a Remote Desktop Gateway. I had to disable Network Level Authentication (NLA) on the destination Remote Desktop Server. If anyone has another way around this, I'd appreciate hearing it. I'd prefer to use NLA.

  • How to use Smart Card API's (OCF) in Web Application

    Hi friends,
    For our new smart card based project, I have a few queries:
    1. Can we choose a web based application for smart card based projects?
    2. How will a servlet communicate with the opencard CTListener class?
    3. On card insertion and removal, how will the event be reflected in the servlet?
    4. For that, is it necessary to design the client UI using Swing?
    5. Without Swing, will a servlet give a complete solution for smart card connection and events?
    Regards,
    dhaya.

    I am also looking for smart card Authentication using web. Any info really appreciated

  • Smart Card Problem in Java with server

    Hi everybody. I use smart card authentication to sign in to my web application, which is deployed in Apache Tomcat, and I use servlets & JSP for developing this web application. When I deploy the application on the local machine there is no problem.
        import java.security.KeyStore;
        import java.security.Provider;
        import java.security.Security;
        import java.security.cert.X509Certificate;
        import java.util.Enumeration;
        import sun.security.pkcs11.SunPKCS11;

        public String getInfo(String password) {
            String certInfo = "";
            try {
                // PKCS#11 provider configuration (library path, slot) for the reader
                String configName = "C:/smartcards/config/pkcs11.cfg";
                String PIN = password;
                // Constructor taking a config file name: Java 8 and earlier
                Provider p = new sun.security.pkcs11.SunPKCS11(configName);
                Security.addProvider(p);
                // Drop any cached session so the PIN is checked again
                ((SunPKCS11) p).logout();
                KeyStore keyStore = KeyStore.getInstance("PKCS11");
                char[] pin = PIN.toCharArray();
                // Logs in to the token; throws if the PIN is wrong
                keyStore.load(null, pin);
                Enumeration<String> aliasesEnum = keyStore.aliases();
                // Uses the first certificate on the card
                String alias = aliasesEnum.nextElement();
                X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias);
                certInfo += cert.toString();
            } catch (Exception e) {
                System.out.println(e.getMessage());
            }
            return certInfo;
        }
    The preceding method returns the String which is stored in the smart card when I pass the password of the smart card. If the password is wrong, the load fails.
    Then I deployed this web app on the server. When I run this app everything is OK while I am also connected to the server by remote desktop. When I close RDP I get a "Token has been removed" exception on the web server. How can I solve this problem? I also want to sign in to the app without a remote desktop connection.

    Use PreparedStatement and SimpleDateFormat classes
    http://onesearch.sun.com/search/onesearch/index.jsp?qt=%2BPreparedStatement+%2BSimpleDateFormat+&qp=siteforumid%3Ajava48&chooseCat=allJava&col=developer-forums&site=dev

  • Issues regarding Smart Card login inside domain and on SmartPhones

    Hi
    I am planning to implement login ONLY with smartcard in my domain.
    I saw I have some options for how to do it: one with a GPO that covers all the computers (or some computers with defined groups),
    or I can check the "smart card is required ...." box. This could be the easy way, but when I check this box
    the users with smartphones can no longer authenticate with it to get emails, and OWA is also not available for them.
    Is there any solution so the users will have to log in with a smartcard and still get their emails on the smartphones?
    thanks
    TK


  • TACACS+ and Smart Card login

    We are currently using Cisco ACS 5.3 integrated with Active Directory for authentication to our Cisco devices. We are looking to move to smart card logins and trying to find out if this is possible to authenticate to the console/ssh on the router/switch using a smart card.

    Direct smart card authentication is not supported for vty / console sessions on IOS. However, via TACACS to an AAA server (e.g. Cisco ACS) you can turn it to use a two factor-based external authentication store. Even if the smart card gets the PKI cert of some kind to the client PC and then to the terminal emulator like Putty or SecureCRT, AAA with TACACS+ would not be possible, as TACACS is not capable of encapsulating any kind of PKI.
    Jatin Katyal
    - Do rate helpful posts -

  • Dc7800 "smart card reader not present" during POST

    Hi,
    I've got a dc7800 Small Form Factor system. It was working fine but after a reboot it won't start up normally anymore. The black POST screen appears, RAM testing starts to count up and then I see an error about "system options not set". After less than a second, a blue window in the middle of the screen displays the message "smart card authentication" and below that, "smart card reader not present".
    From a bit of reading it seems like a BIOS problem but I can't figure out how to really reset the CMOS and get things working again. I've tried removing the CMOS jumper and booting the system, removing the power cord and CMOS battery for 10 minutes, and have tried putting a BIOS .bin file on a FAT32 USB key in an attempt to use the BIOS recovery option, none of which has worked.
    Is there a way to do one of the following:
    - force the CMOS defaults to reset and remove the configuration that requires the smart card authentication?
    - force a BIOS recovery, with a key combination or by using a different jumper or jumpers on the motherboard?
    I see various other jumpers and pads on the motherboard like "ROM RCVRY" and the E15 Boot Block Recovery Header but scant information about how these might be used to solve the problem.
    It seems to me that the hardware is fine as it powers up and displays the POST screen. It's like a BIOS setting has been reset to require a smart card, even though there isn't one, nor even a smart card reader, in the system.
    Any advice would be greatly appreciated.
    TIA,
    JS

    Hi:
    After doing some research on the message, I came across this post.
    I guess your PC has a smart card optional system.
    http://h30499.www3.hp.com/t5/Business-PCs-Compaq-Elite-Pro/DC7800-smart-card-athentication/m-p/10691...
    Now, if you can get into the BIOS menus, if you look at the top of page 8, you will see what you need to do in order to enable/disable the smart card reader message.
    http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c01162201/c01162201.pdf
    Whatever the problem is, it is a security setting issue, and clearing the CMOS or updating the BIOS will not have any effect on that setting.
    Unfortunately, I have no experience with the security settings or protect tools software on HP business PC's.
    I have a dc7800 (and only use HP business desktops and notebooks), so I am very familiar with all the other aspects of the PC but that one.
    You may want to post your issue on the HP business support forum, business PC section.  Hopefully someone there has experience with turning this feature on or off.
    http://h30499.www3.hp.com/t5/Business-PCs-Compaq-Elite-Pro/bd-p/bsc-271#.Uk2rcJAo69I
    You may also want to log in and reply to that post, but don't get your hopes up that it will be answered.
    RichS hasn't replied to a post in 3 years. Although someone else may.
    Good luck, and please post back if you find the solution to the problem.

  • Set up a smart card for user logon to windows server 2012 R2

    Good Evening,
    I have Windows Server 2012 R2 Datacenter edition (dreamspark license)
    Is it possible to successfully set up smart card logon to a server? I already have the smart card reader, smart card and the certificate (which is also my digital signature). I know how to set up a DC role (as far as I know, the server has to be in a domain to use smart card logon). I would like to log on to my PC using a smart card and set the certificate I already have to use as a certificate for logon.
    Kind Regards,
    Tomasz

    It would take a few things to do this, and could cause some security issues. In short, I assume the certificate you "already have" came from another environment or a commercial provider. You would need to configure your computer to trust that CA to be an issuer of smart card authentication certificates. That effectively moves a good portion of your computer security control out of your environment. For many environments that is an unacceptable security risk.
    If you don't have an Active Directory running, you will also need to make some accommodations to the standard guides. I don't believe there are any published guides on how to do this with a single server and third-party CAs.
    Here are some references for generic smart card authentications. They are not 100% applicable to your need, so some interpretation is going to be needed.
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa380142(v=vs.85).aspx
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.
