Step-by-Step Guide to Installing and Using a Smart Card Reader

	On this page Introduction Installing a Smart Card Reader Smart Card Certificate Enrollment Logging On with a Smart Card Related Links Part 1: Installing a Windows 2000 Server as a Domain Controller Part 2: Installing a Windows 2000 Professional Workstation and Connecting it to a Domain Windows 2000 Server Online Help Windows 2000 Planning and Deployment Guide Security Services Windows 2000/NT Forum

Introduction

One of the new features of the Microsoft® Windows® 2000 operating system is platform support for smart cards and smart card readers. Smart cards enhance software-only solutions such as client authentication, log on, code signing, and secure e-mail, where private key operations are performed on the smart card and not on the host computer.

Smart card logon is a strong form of authentication because it uses cryptographically-based identification and proof-of-possession when authenticating a user to a domain. Malicious users who obtain someone’s password can use the password to assume that person’s identity on the network. Many users choose passwords they can remember easily, which makes passwords inherently weak and open to dictionary attack.

In the smart card case, that same malicious person would have to obtain the user’s smart card and Personal Identification Number (PIN) to impersonate the user. This combination is obviously more difficult to attack because an additional layer of information is needed to impersonate a user. A further benefit is that smart cards lock after a PIN is entered incorrectly a small number of times in a row (for example, three times).This makes a dictionary attack against a smart card extremely difficult.

In general, smart cards provide the following:

• Tamper-resistant storage for protecting private keys and other forms of personal information.
• Isolation of security-critical computations involving authentication, digital signatures, and key exchange from other parts of the system that do not have a need to know.
• Portability of credentials and other private information between computers at work, home, or on the road.

Requirements and Prerequisites

This step-by-step guide assumes that you have run the procedures in the Step-by-Step Guide to Common Infrastructure for Windows 2000 Server Deployment, Parts One and Two.

The common infrastructure documents specify a particular hardware and software configuration. If you are not using the common infrastructure, you need take that into account when using this document. The most current information about hardware requirements and compatibility for servers, clients, and peripherals is available from the Windows 2000 Product Compatibility site.

This guide also assumes you have already completed:

• Step-by-Step Guide to Managing the Active Directory
• Step-by-Step Guide to Setting up a Certification Authority
• Step-by-Step Guide to Setting up Certification Authority Trust for a Domain
• Step-by-Step Guide to Administering Certificate Services
• Step-by-Step Guide to Advanced Certificate Management
• Step-by-Step Guide to End User Certificate Management

If you have not completed those step-by-step guides, you must still create the following environment to be successful with the procedures described in this document:

• A Windows 2000 Server domain controller with Active Directory services installed. The domain must support both password Microsoft Windows NT® LAN Manager (NTLM) and Kerberos authentication protocol, as well as public key (smart card) authentication.
• You have installed the Windows 2000 Professional operating system on a computer in a Windows 2000 domain.

The procedures in this document detail the installation and use of a smart card reader on the Windows 2000 Professional workstation that is connected to the Windows 2000 domain controller, as described above.

Supported Smart Card Readers

Before you can use a smart card, you must install a smart card reader on your host computer. The smart card reader device drivers listed in the table below are included in the Microsoft® Windows® 2000 operating system, but are only installed upon detection of the corresponding Plug and Play-compliant smart card reader hardware.

This document describes installation and use of Plug and Play-compatible smart card readers only. Non-Plug and Play smart card readers are not recommended on the Windows 2000 platform. If you are using a non-Plug and Play reader, you must obtain installation instructions including associated device driver software directly from the manufacturer of the smart card reader. Microsoft does not support nor recommend the use of non-Plug and Play smart card readers.

Microsoft has developed a logo program for smart card readers, much like Microsoft has done for other hardware devices (network cards, sound cards, and so on), to provide customers the best experience by ensuring that smart card readers from one manufacturer work with cards from another. This logo program is based on the personal computer/smart card (PC/SC) specifications and ensures that smart card readers are interoperable on the Windows platform. Please refer to the Windows Hardware Compatibility List for information on Windows-compatible smart card readers.

Note: It is strongly recommended that only smart card readers that have been tested by the Microsoft Windows Hardware Quality Lab (WHQL) and have received the Windows-compatible logo be installed on computers running the Windows 2000 operating system. There are many smart card readers on the market that do not work together, although many claim to be PC/SC compatible. The term PC/SC compatible is meaningless because there is no formal testing to verify functionality with the PC/SC specifications.

Supported Smart Cards

When you install Windows 2000, support for the Gemplus GemSAFE and Schlumberger Cryptoflex cryptographic smart cards is included in the default installation. You do not need to configure anything on the client or server to use any of these cards. Cryptographic smart cards can only be obtained directly from the respective companies and not from Microsoft Corporation.

The table below lists the differences between the cards from the user’s perspective.

Note 1: While support for the above cards is included in Windows 2000, other Rivest-Shamir-Adleman-based (RSA-based) cryptographic smart cards also work with the Windows 2000 PKI provided that the card vendor has developed a Cryptographic Service Provider (CSP) for the card using CryptoAPI and the Smart Card SDK available through Microsoft Developer Network (MSDN).

Note 2: Card PINs can be changed any time the private key PIN dialog is displayed by the CSP. PIN management is the responsibility of the card CSP and the user. Windows 2000 does not manage PINs.

Installing a Smart Card Reader

Smart card readers generally come with instructions on how to connect any necessary cables. If you do not have instructions, use the following general procedure. The smart card reader should be installed on the Windows 2000 Professional workstation.

To connect a smart card reader

1. Shut down and turn off your computer.
2. Attach the reader to an available serial port, or insert the PC Card reader into an available PCMCIA Type II slot.
3. If your serial reader has a supplementary PS/2 cable/connector, attach your keyboard or mouse connector to it, and plug it into your computer’s keyboard or mouse port. Many new smart card readers take power from keyboard or mouse ports because it is not always provided by RS-232 ports and it is both expensive and cumbersome to require a separate power supply.
4. Boot your machine and log on as a user with administrative privileges.

Installing a Smart Card Reader Device Driver

If the smart card reader has been detected and installed, the Welcome to Windows logon screen will acknowledge this. If not:

1. Follow the onscreen directions for installing the device driver software. This will require either the Windows 2000 CD or media that contains the appropriate device driver from the manufacturer of the smart card reader . (Alternatively, your system administrator may provide you with a network share from which to obtain the driver.)
2. Right-click the My Computer icon on your desktop, and click Manage on the submenu.
3. Expand the Services and Applications node, and click Services.
4. In the right pane, right-click Smart Card. Click Properties on the submenu.
5. On the General tab, select Automatic in the Startup Type drop-down list. Click OK.
6. Reboot your machine if the Hardware wizard instructs you to do so.

If the Hardware wizard does not start automatically, then your smart card reader is not a Plug and Play device. We strongly advise that you use only Plug and Play Smart Card Readers with Windows 2000.

Smart Card Certificate Enrollment

A domain user cannot enroll for a Smart Card Logon (authentication) or Smart Card User (authentication plus e-mail) certificate unless a system administrator has granted the user access rights to the Certificate Template stored in the Microsoft® Windows® 2000 operating system Active Directory^TM service. This is done this way because enrollment for a smart card certificate must be a controlled procedure in the same manner that employee badges are controlled for identification and physical access purposes. The recommended method for enrolling users for smart card-based certificates and keys is through the enroll-on-behalf-of station that is integrated with Certificate Services in Windows® 2000 Server and Windows 2000 Advanced Server.

When an Enterprise Certification Authority (CA) is installed, the installation includes the enroll-on-behalf-of station. This station allows an administrator to act on behalf of a specific user to request and install a Smart Card Logon or Smart Card User certificate onto the user’s smart card. The enrollment station does not provide any card-personalization functions, such as creating a file structure or setting of the personal identification number (PIN), because those are card-specific functions and can only be performed using specialized software provided by the smart card manufacturer.

The procedures in this step-by-step guide should be performed by an administrator.

Enrolling for a Smart Card Certificate

These steps show what an administrator must do to enroll for a Smart Card Logon or Smart Card User certificate on behalf of a specific user.

1. Double-click the Microsoft Internet Explorer icon on the desktop.
2. To connect to a Certification Authority, type http://machine-name/certsrv into the Address field of Microsoft Internet Explorer (where machine-name is replaced with the name of the computer running the issuing Certification Authority).
3. The Microsoft Certificate Services Welcome page appears. Select Request a certificate, and then click Next.
4. The Choose Request Type page appears. Select Advanced request, and then click Next.
5. The Advanced Certificate Requests page appears. Select Request a certificate for a smart card on behalf of another user using the Smart Card Enrollment Station, and click Next.
6. The very first time you use the Smart Card Enrollment Station, a digitally signed Microsoft® ActiveX® control is downloaded from the Certification Authority server to the enrollment station computer. To use the enrollment station, select Yes in the Security Warning dialog box to install the control.
7. The Smart Card Enrollment Station page appears. On this page, you must do the following before submitting a certificate request on behalf of another user:
   
   
   • Select either the Smart Card Logon or Smart Card User Certificate Template.
   • Select a Certification Authority.
   • Select a Cryptographic Service Provider.
   • Select an Administrator Signing Certificate.
   • Select the User To Enroll.
   Complete the first three items by selecting each item from the drop-down list boxes on the Smart Card Enrollment Station page.
8. After selecting the Certificate Template, Certification Authority, and Cryptographic Service Provider, select the Administrator Signing Certificate by clicking Select Certificate. A dialog box appears, showing a list of certificates that can be used. Choose only one certificate from the list (if more than one certificate is displayed) then click OK. Optionally, you can view the certificate by clicking View Certificate. Clicking Cancel results in no certificate being selected.
9. Select the user who is being enrolled for the certificate. Click Select User. Click OK to complete.
10. You are now ready to submit the certificate request. Click Enroll.
11. If the target smart card is not already in the smart card reader, a dialog box appears, prompting you to insert the requested smart card. Once the card is inserted into the smart card reader, click the Retry button.
12. As part of the certificate enrollment procedure, the request must be digitally signed by the private key that corresponds to the public key included in the certificate request. Because the private key is stored on the smart card, the digital signature requires that the signer of the request authenticate the card to ensure that the signer is the owner of the smart card (and, by extension, of the private key). Type in the PIN for the card, and then click OK.

Also, the user can change his or her PIN by clicking Change. This opens a new dialog box, where the user can input a new alphanumeric PIN. Changing the PIN requires that the user provide the old PIN first to prove ownership of the card. If the Certification Authority successfully processes the certificate request, the Smart Card Enrollment Station page informs you that the enrollment is complete and the smart card is ready. You can either view the certificate by clicking View Certificate or specify a new user by clicking New User.

Logging On with a Smart Card

Once the client has been properly configured with a smart card reader, the Welcome to Windows dialog box appears. When logging on, the user is given the option of inserting the smart card rather than typing in a user name and password.

A password-based logon requires that the user press the Ctrl+Alt+Del keys at the same time in order to signal a Secure Attention Sequence (SAS). For smart card logon, the user needs to only insert the smart card into the smart card reader. The secure logon process prompts the user to input the Personal Identification Number (PIN) instead of the typical username, password, and domain.

To log on to a Windows 2000 domain that has been configured to support smart card logon

1. Insert either the Gemplus GemSAFE or Schlumberger Cryptoflex smart card containing a public key certificate previously issued by the Enterprise Certification Authority (CA). (See the CA step-by-step guides for more information on public key certificates.)
2. Enter your Personal Identification Number (PIN), and click OK.
   
   
   • The default PIN for Gemplus GemSAFE (identified by the oval shape of its metal contact) is 1234.
   • The default PIN for Schlumberger Cryptoflex (identified by the square shape of its metal contact) is 00000000.

Note: If a Domain Controller is not available, smart card logon fails even if the user has previously logged onto the computer using a smart card. If the Domain Controller is available but does not have a valid Certificate Revocation List (CRL) for the issuing Certification Authority, then the logon fails. The error message in each of the above cases is the same:

Locking and Unlocking Using a Smart Card

To lock a computer (instead of logging out)

• Press the Ctrl+Alt+Del keys at the same time, and then select Lock Computer.

To use a smart card to unlock a computer

• Insert the smart card into the smart card reader, and type in your PIN. (Unlock works the same way as a smart card logon.)