Install smartcard service

If the smartcard was not already put into the smartcard user's personal store in the enrollment process in step 4, then you must import the certificate into the user's personal store. To do so: If the file that contains the certificates is a Personal Information Exchange (PKCS #12) file, type the password that you used to encrypt the private key, click to select the appropriate check box if you want the private key to be exportable, and then turn on strong private key protection if you want to use this feature.

Select the option to automatically put the certificate in a certificate store based on the type of certificate. Install the third-party smartcard certificate onto the smartcard. See the vendor's documentation for instructions.

The SubjAltName field of the smartcard certificate is badly formatted. For each of the following conditions, you must request a new valid domain controller certificate. If your valid domain controller certificate has expired, you may renew the domain controller certificate, but this process is more complex and typically more difficult than if you request a new domain controller certificate.

If the domain controllers or smartcard workstations do not trust the Root CA to which the domain controller's certificate chains, then you must configure those computers to trust that Root CA.

The smartcard has an untrusted certificate. If the domain controllers or smartcard workstations do not trust the Root CA to which the user's smartcard certificate chains, then you must configure those computers to trust that Root CA.

The certificate of the smart card is not installed in the user's store on the workstation. The certificate that is stored on the smartcard must reside on the smartcard workstation in the profile of the user who is logging on with the smart card. You do not have to store the private key in the user's profile on the workstation. It is only required to be stored on the smartcard.

The correct smartcard certificate or private key is not installed on the smartcard. The valid smartcard certificate must be installed on the smartcard with the private key and the certificate must match a certificate stored in the smartcard user's profile on the smartcard workstation.

The certificate of the smart card cannot be retrieved from the smartcard reader. It can be a problem with the smartcard reader hardware or the smartcard reader's driver software. Verify that you can use the smartcard reader vendor's software to view the certificate and the private key on the smartcard.

The smartcard has an otherwise malformed or incomplete certificate. For each of these conditions, you must request a new valid smartcard certificate and install it onto the smartcard and into the profile of the user on the smartcard workstation.

The smartcard certificate must meet the requirements described earlier in this article, which include a correctly formatted UPN field in the SubjAltName field. If your valid smartcard certificate has expired, you may also renew the smartcard certificate, which is more complex and difficult than requesting a new smartcard certificate. If the revocation checking fails when the domain controller validates the smart card logon certificate, the domain controller denies the logon.

The Smart Cards for Windows service, Scardsvr, has the following service description: Note For winscard. By default, the service is configured for manual mode. Creators of smart card reader drivers must configure their INFs so that they start the service automatically and winscard.

The entry point is defined as part of the SmartCardReader class, and it is not called directly. If a device advertises itself as part of this class, the entry point is automatically invoked to start the service when the device is inserted.

Using this method ensures that the service is enabled when it is needed, but it is also disabled for users who do not use smart cards. It registers itself for Plug and Play (PnP) notifications related to device removal and additions. Note: For smart card implementations, consider sending all communications in Windows operating systems with smart card readers through the Smart Cards for Windows service.

Download the user installation package and the endpoint installation package for the appropriate versions of Windows.

Install the user virtual smart card. Distribute the VSC User Installer to all users within your company who require remote smart card functionality.

The user smart card can be installed manually or via a software deployment tool.


