Using Smart Cards for SSPR

Similar Messages

• Use smart card for 802.1x secured WiFi authentication

  Hi,
  is it possible to use a certificate stored on a USB Security Token for WiFi 802.1x authentication?
  I have setup a test environment with all required components (AD, Enterprise CA, NPS, WPA2-Enterprise capable WiFi Access Point, all required certificates, all Server 2012 R2 / Windows 8.1 Pro) and created a user certificate for WPA2-Enterprise secured
  WiFi access (802.1x). Everthing works fine as long as the user certificate is stored in the local certificate store of the user's client computer: The user can connect to the WiFi network and the NPS logs show that the user has been authenticated correctly
  and granted access.
  To test this scenario with a Smart Card (Safenet USB Token), I stored that same user certificate on the token (incl. private key). The Safenet software on the client computer automatically makes the certificate stored on the token available in the local
  certificate store as soon as the token has been plugged in (checked via MMC Certificates snap-in). But the certificate can't obviously be used for the desired WiFi authentication: If I try to connect the secured WiFi (the same as in scenario 1) the connection
  fails.
  As I'm using exactly the same certificate in both scenarios, I don't think there's anything wrong with the settings in the certificate, the NPS or any other infrastructure component. The reason for failure in scenario 2 must be lying somewhere in either
  the local client computer configuration or in the Safenet software on the client computer.
  I'm very familiar with all the PKI and authentication stuff, but I'm new to smart cards. Are there differences between different types of smart cards and for what purpose one can use them? (USB tokens, chip cards, virtual tokens, etc.?)
  Has anybody experience in creating a 802.1x secured WiFi access with smart card based user certificates who could advise?
  Thanks + Best Regards
  Matt

  Hi,
  I found some links form technet site which can be helpful in this case
  Network access authentication and certificates
  http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx
  Enable smart card or other certificate authentication
  http://technet.microsoft.com/en-us/library/cc737336(v=ws.10).aspx
  Quote:
  Client certificate requirements
  With EAP-TLS or PEAP-EAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:
  The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory.
  The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed
  by CryptoAPI and specified in the remote access policy nor the Certificate object identifier checks that are specified in IAS remote access policy.
  The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.
  For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN).
  For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client's fully qualified domain name (FQDN), which is also called the DNS name
  Yolanda Zhu
  TechNet Community Support

• The use only smart cards for several hundred users

  How can I assign soon as possible,
  use only the smart card for
  a few hundred users? I also have
  a group of people who would like to allow the use of
  a login and password, and smart card.
  Using GPO to the computer,
  will be applied to the station, and I would just like
  to the user. I know that
  the card user can select
  to use a smart card, but
  how to do it automatically for a group of people
  (several hunderd)?

  I would use LDAP query via GUI tools (like AD Administrative Console) or console tools (Active Directory PowerShell module) get target users by using some filter and enable smart card checkboxes. GPO cannot be used to make changes in AD.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• XML Signatures using Smart Cards

  Hello guys,
  I know this is not exactly a javacard topic, but I think this forum is where I 'll get the best replies.
  We need to perform XML document signatures and verification using smart card stored certificates. The certificates are created using Microsoft Windows 2003 CA and stored in the cards using the cards' CSP.
  I have a notion on the libraries that I am going to have to use:
  - sun.security.pkcs11 for the smart card access,
  - java.security.* for cryptography stuff (keystore, public-privateKey etc.),
  - sun.security.cert.X509Certificate for the certificates,
  - org.apache.xml for the xml documents.
  Could you please verify that I am heading to the correct direction? I would be glad if you could suggest suitable starting points, similar scenarios etc. If you think that there is a more appropriate forum for my question please tell me so.
  Thanks in advance for your help.

  yes you are moving towards right directiong actualy PKCS11 is a standard that is used for hardware cryptographic operations so it would be used for smart cards 2. I'll suggest u to use a wrapper and provider API given by IAIK it would help u a lot and will also ease ur work

• Set up a smart card for user logon to windows server 2012 R2

  Good Evening,
  I have Windows Server 2012 R2 Datacenter edition (dreamspark license)
  Is it possible to successfully set up smart card logon to a server ? I already have the smart card reader, smart card and the certificate (which is also my digital signature) I know how to setup a DC role (as far as I know, the server has to be in a domain
  to use smart card logon) I would like to logon using to my PC using a smart card and set the certificate I already have to use as a certificate for logon.
  Kind Regards,
  Tomasz

  It would take a few things to do this, and could cause some security issues. In short, I assume the certificate you "already have" came from another environment or a commercial provider. You would need to configure your computer to trust that CA
  to be an issuer of smart card authentication certificates. That effectively moves a good portion of your computer security control out of your environment. For many environments that is an unacceptable security risk.
  If you dont have an Active Directory running, you will also need to make some accommodations to the standard guides. I dont believe there are any published guides on how to do this with a single server and third-party CAs. 
  Here are some references for generic smart card authentications. They are not 100% applicable to your need, so some interpretation is going to be needed.
  http://msdn.microsoft.com/en-us/library/windows/desktop/aa380142(v=vs.85).aspx
  http://msdn.microsoft.com/en-us/library/windows/desktop/aa380142(v=vs.85).aspx
  Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

• How to create a 802.1X Profile Using Smart Card Certificate

  My company has just implemented a new wireless network that requires users to use a USB Smart Card security device.
  This works fine for Windows, as the OS will allow the end user to configure more advanced authentication/authorization methods (802.1X, etc.) Unfortunately, OS X removed this functionality several versions back; 802.1X and advanced Wi-Fi configurations must now be handled by some sort of profile creation utility. Unfortunately, I've yet to find a utility (iPhone Configuration Utility, Apple Configurator) that will allow the creation of an 802.1X / Wireless Network Configuration that allows the use of a smart card for authentication. They all require that you actually upload the entire key-pair combo(?) in the form of a .p12 file. This is impossible with a smart card; by design you are not allowed to export the private key.
  I'm wondering if there is some way around this? Is it even an option? I know Mac OS will allow me to select "EAP-TLS" when configuring a new wireless network in System Preferences, then even allows me to select my certificate/identity from the Smart Card. Unfortunately, the network I'm trying to connect to doesn't support EAP-TLS/needs some additional configuration options/settings (EAP-TTLS for one).
  Any help/ideas would be greatly appreciated. Thanks!!

  Hello,
  exactly my topic I have been fighting now for months and already gave up.
  My setup is a Lion Server and a Lion WLAN client. My goal is to have the system profile 802.1x WLAN authentication up and running but I just don't get it working. First I tried to create a machine certificate (TLS) but this did not work. Then I tried the option to use Computer Object credentials (TTLS) (Open Directory Computer Object account credentials) to establish network connection before a user logs on but also this does't work.
  As said I'm using Lion Server with Open Directory and Lion Server Radius.
  Any help or guide appreciated!
  Robert

• Outlook 2010 "The server is unavailable" using smart card Exchange 2010

  I have a XenApp 6.5 environment, that uses smart card authenication for login. All the office applications will open except for outlook. Outlook opens up and shows a prompt saying "Connecting" ...."Then server is unavailable".
  If I removed the smart card authenication from the XenApp environment, User are able to open Outlook with no problem.
  My question, is there something with exchange 2010 that needs to be turned on for smart card authenication?

  Hi,
  I suggest you remove any existing certificate-based credentials from the Credential Manager and use the
  EnableSmartCard registry setting to check the result. The Outlook client may not be properly configured to work with saved smart card credentials.
  Important
  Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it,
  back up the registry for restoration in
  case problems occur.
  Remove existing certificate based credentials
  The first step to prevent a PIN lockout is to delete any existing certificate based credentials that were saved by Outlook.
  Open Control Panel.
  Double-click Credential Manager.
  See whether there is a Certificate-Based credential similar to the following:
  @@BSUgiZQZ54Pf6cEtxKflWHH
  Also, see whether there is a Generic credential similar to one of the following:
  MS.Outlook.14:[email protected]:PUT
  MS.Outlook.15:[email protected]:PUT
  Note 14 indicates Outlook 2010 saved the credential and 15 indicates Outlook 2013.
  If these are both present and were created or changed at the same time, they are likely smart card credentials saved from Outlook. Click the first credential to expand it and to show the details. Then, click Remove to delete the
  credential from Credential Manager.
  Repeat step 4 for each one of the credentials listed in step 3.
  When you are finished, close Credential Manager.
  Configure the EnableSmartCard registry setting
  The second step to prevent a PIN lockout is to create the EnableSmartCard registry setting.
  Outlook 2010
  For Outlook 2010, the EnableSmartCard registry setting was introduced with the Microsoft Outlook 2010 hotfix package dated December 13, 2011 (KB2597028). We recommend that you install the most recent build of Outlook 2010. For more information
  about the latest applicable updates for Outlook, click the following article number to view the article in the Microsoft Knowledge Base:
  2625547 How to install the latest applicable updates for Microsoft Outlook (US English only)
  To create the EnableSmartCard registry value, follow these steps:
  Exit Outlook.
  Start Registry Editor.
  Create the following registry values at the specified locations:
  Note Manually create any registry keys or values if they do not exist.
  Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\RPC
  DWORD: EnableSmartCard
  Value: 1
  Exit Registry Editor.
  For this question, if you need to get more information about Exchange 2010, I suggest you post the question in Exchange forum:
  https://social.technet.microsoft.com/Forums/exchange/en-US/home?category=exchangeserver
  Regards,
  Melon Chen
  TechNet Community Support
  It's recommended to download and install
  Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
  programs.

• Disabling normal login and only using smart card login?

  I've managed to setup login using BELPIC (Belgian Identity Card (smart card). However I can still login using username/password. Is it possible to restrict the system only using smart card login? (maybe via tweaking the authorize file?)
  Thanks

  The problem isn't with the provider part of the code - it has to do with security privleges. Java code running from the command line has full access to the file-system. Servlets running inside a container do not.
  In order to access cryptographic keystores, the JVM must allow the servlet code to access local files (and through them, the device drivers to the crypto token). Servlet code running inside a web/application server container, by design, are restricted in their ability to access local files on the servlet container machine (other than configuration files and application code under the servlet context root).
  In order to continue with my project, I had to temporarily provide the servlet full access to the machine's file-system in the java.policy file for your JVM, along the lines of the following:
  grant {
  permission java.security.SecurityPermission "authProvider.SunPKCS11-NSS", "getSignerPrivateKey";
  I hope to go back and restrict this access so that only the specific security grants are available to the servlet to access the private key (the above is too lenient).
  You will need to do something similar to your JVM's java.policy to allow the servlet to access the private key. Substitute the "authProvider.SunPKCS11-NSS" with the driver for your own token.

• HT2731 i used debit card for purchasing i dont have credit card now its showing your payment method is decline use another payment method what shoul i do i dont have credit card

  i used debit card for purchasing i dont have credit card now its showing your payment method is decline use another payment method what should i do i dont have credit card or any another account

  I don't think that debit cards are still accepted as a valid payment method - they are not listed on this page and there have been a number of posts recently about them being declined. You could try contacting iTunes support and see if they can help, but I don't think you will be able to use a debit card : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page
  Are iTunes gift cards available in your country ? They are not available in all, and they are country-specific (they can only be used in their country of issue), but if there you could possibly use them as your payment method.

• Can I use debit card for purchasing from iTunes in India?

  Can I use debit card for purchasing from iTunes in India?

  Hi
  There is a small discussion that iTunes takes debit card with a Visa/Mastercard logo.  I have no idea what the banking rules are in India.  But this may another option to try.
  https://discussions.apple.com/thread/3658843?start=0&tstart=0
  Cheers

• I'm confused about buying used smart cases for iPad mini 1, 2, and 3.

  I'm trying to buy used smart covers for the iPad mini 1, 2, and 3 but I'm not sure which smart cover versions will fit which mini.
  So far, in pink, I've been able to find MGNN2ZM/A and MF061ZM/A. But I want all the other colors too.
  MacMall.com says MGNN2ZM/A is compatible with iPad mini 1, 2, and 3 and MF061ZM/A is compatible with iPad mini 1 and 2. (Apple doesn't provide the part numbers on their web page)
  Basically, I could really use a list of iPad mini, iPad and iPad Air accessories' parts numbers,  and the device/cover compatibilities, if such a list exists.
  Eventually, I want to buy smart covers in every color for iPad 1, 2, 3, 4, 5 (Air), and 6 (Air 2).
  Thank you for your help in advance ^^

      Hello there ctemple,
  That is a great question, thank you for taking the time to contact us. I am sorry to hear your phone is on it's last leg and not working as it should be. I know how important it is to have a working device at all times so will be more than happy to assist you today.
  Great news on our Verizon Edge program you can upgrade to pretty much any phone in our lineup. You pay a small installment every month over a 24-month span on your bill instead of paying full retail or the two-year pricing all at once.
  If you like you can view additional information about our Edge program by going to http://vz.to/1kqnEzS
  Please let us know if you have additonal questions or concerns. Have a great day!
  KarenC_VZW
  Follow us on twitter @VZWSupport

• Does Premiere Pro 2 use graphics card for playback?

  Does Premiere Pro 2 use graphics card for playback? I am using a 350W PSU, so my nVidia 6600GT runs in low-power mode, and my video playback in Premiere is choppy. The same .avi files play fine in a media player, so it can't be a disc issue I guess... Please advise, thank you!

  Only the latest CS5 uses SELECTED card's GPU for video acceleration
  >same .avi files play fine in a media player
  Playback is not at all the same as editing
  Use the FREE http://www.headbands.com/gspot/ to find out what codec is inside that AVI wrapper
  Anything other than DV AVI type 2 with 48khz sound is not going to do well in Premiere

• I USE GIFT CARDS FOR PURCHASES(VISA, MC) NOW I CAN'T MAKE A PURCHASE. THEY SAY I HAVE TOO MANY CREDIT CARDS ON FILE

  They say I have too many credit cards on file for my username- purchase cancelled.  I use gift cards for gaming purchases (Visa,MC) so I have used a few, but its a gift card.

  This is most likely a security precaution since they probably assume that someone using multiple credit cards over a short period of time may well have stolen them. Go here:
  http://www.apple.com/support/itunes/contact/
  and follow the instructions to report the issue to the iTunes Store and request assistance.
  Regards.

• HT1918 can I just use gift cards for itunes and not put a credit card on my account

  can I just use gift cards for itunes and not put a credit card on my account

  Welcome to the Apple Support Communities
  You can do that without any problem. That's what some people do to purchase content from the iTunes Store, App Store or iBookstore

• HT5621 I often use credit card for iTunes but also use iTunes but systems won't let me change back to my iTunes. I have redeemed and gives me a balance but I am unable to access.

  I often use credit card for iTunes but also use iTunes but systems won't let me change back to my iTunes. I have redeemed and gives me a balance but I am unable to access.

  If you can't find anything for exactly that amount then you can try contacting iTunes support and see if they will remove the balance for you : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page