|
 microsoft.public.windows.server.security - Supporting MS Windows network? Read here before it's too late!
|
|
If you were Registered and logged in, you could reply and use other advanced thread options
|
Posted by Aumy on January 13, 2009, 3:31 am
Hi,
I set up smart card logon to my windows 2003 domain for XP clients. I use a
AD-integrated Microsoft Enterprise CA 2003 as issuing CA. My domain
controllers each already have their own certificates.
Question: the default certificate templates "smartcard logon" and "smartcard
user" both have the key usage settings "digital signature" and "allow key
exchange only with key encryption (key encipherment)" set. However, the
knowledge base article
http://support.microsoft.com/default.aspx?scid=kb;en-us;281245" target="_blank">http://support.microsoft.com/default.aspx?scid=kb;en-us;281245 explains that
smart card certificates only need the "digital signature" key usage
attribute. But further down, the article also says that "...Smartcard logon
certificates must have a Key Exchange(AT_KEYEXCHANGE) private key type...".
However, I tested both with and without "allow key exchange only with key
encryption (key encipherment)" set and both types of certificates work for
smart card logon!
So is there anybody out there who can tell me if smart card logon
certificates necessarily need the "key encipherment" attribute?
Thanks,
Chris
PS: we intend to use the same certificate for S/MIME signing (but not
encryption). So if "key encipherment" is set, this certificates can
unfortunately also be used for S/MIME encryption. So it would be nice if
smart card logon reliably works without the "key encipherment" attribute...
|
|
Posted by Brian Komar \(MVP\) on January 13, 2009, 8:30 pm
Just ensure that on the Request Handling tab that the Purpose is set to
Signature and Smartcard logon (rather than Signature and Encryption).
If you enable the Smart Card Logon, Client Authentication, and Secure Email
application Policies, this ensure that the smart card cannot be used for
actual encryption.
Brian
|
|
Posted by Aumy on January 14, 2009, 6:06 am
Thanks Brian.
unfortunately, as far as I know if you have the "Secure Email" application
Policy set, a certificate by default may not just be used for email
signature but also email encryption (Microsoft makes no difference)! This is
not what we are looking for --> we "try" have two different keypairs on the
smart card with the following purposes/application policies:
encryption keypair
- S/MIME (encryption only)
- Encrypting File System
authentication&signature keypair
- S/MIME (signature only)
- Client Authentication
- Smartcard Logon
I have to use the purpose "Signature" in the "Request Handling" tab for the
authentication&signature keypair due to our token management system, for
which the "Enroll subject without requiring any user input" field must be
selected. The "Application Policies" extensions then shows the 3 application
policies mentioned above. But then, the key usage settings "allow key
exchange only with key encryption (key encipherment)" is not selectable.
This is OK for secure email, because S/MIME encryption will not word with
this keypair (S/MIME signature will work).
Question: For smartcard logon, is it a must to select "allow key exchange
only with key encryption (key encipherment)"? If yes, then we have a problem
with the approach mentioned above...
Reason for the question: both default templates "smartcard logon" and
"smartcard user" have this setting set to on... However, I tested it in my
lab with a certificate template like the one mentioned above and see,
smartcard logon did work without the setting "allow key exchange only with
key encryption (key encipherment)". Is it just a coincidence?
Thanks, Chris
|
|
Posted by Brian Komar \(MVP\) on January 14, 2009, 6:55 am
Answers inline...
> Thanks Brian.
> unfortunately, as far as I know if you have the "Secure Email" application
> Policy set, a certificate by default may not just be used for email
> signature but also email encryption (Microsoft makes no difference)! This
> is not what we are looking for --> we "try" have two different keypairs on
> the smart card with the following purposes/application policies:
> encryption keypair
> - S/MIME (encryption only)
> - Encrypting File System
> authentication&signature keypair
> - S/MIME (signature only)
> - Client Authentication
> - Smartcard Logon
> I have to use the purpose "Signature" in the "Request Handling" tab for
> the authentication&signature keypair due to our token management system,
> for which the "Enroll subject without requiring any user input" field must
> be selected. The "Application Policies" extensions then shows the 3
> application policies mentioned above. But then, the key usage settings
> "allow key exchange only with key encryption (key encipherment)" is not
> selectable. This is OK for secure email, because S/MIME encryption will
> not word with this keypair (S/MIME signature will work).
Well, this is a problem with your Token Management System then. You should
really take this up with them and not blame the MS PKI <G>.
> Question: For smartcard logon, is it a must to select "allow key exchange
> only with key encryption (key encipherment)"? If yes, then we have a
> problem with the approach mentioned above...
No, if you had at created the certificate template as I recommended, you
would see that only Digital Signature is enabled, which prevents the use of
the SMIME application policy for SMIME encryption.
> Reason for the question: both default templates "smartcard logon" and
> "smartcard user" have this setting set to on...
These are V1 multipurpose certificates.
However, I tested it in my
> lab with a certificate template like the one mentioned above and see,
> smartcard logon did work without the setting "allow key exchange only with
> key encryption (key encipherment)". Is it just a coincidence?
|
|
Posted by Aumy on January 14, 2009, 12:59 pm
Hi Brian,
thanks for your help and sorry for my silly questions - I don't have the
possibilities for "real" tests, so that's why I tried to get answers by
asking you again. I definitely don't blame MS PKI.
I read you book while setting up the PKI - It helped me alot, thanks!
cu,
Chris
|
This Thread
If you were Registered and logged in, you could reply and use other advanced thread options
Related Posts
Latest Posts
|
|
XML Sitemap
Yahoo! 
Google 
Windows Live 
del.icio.us 
digg 
Netscape 
> I set up smart card logon to my windows 2003 domain for XP clients. I use
> a AD-integrated Microsoft Enterprise CA 2003 as issuing CA. My domain
> controllers each already have their own certificates.
> Question: the default certificate templates "smartcard logon" and
> "smartcard user" both have the key usage settings "digital signature" and
> "allow key exchange only with key encryption (key encipherment)" set.
> However, the knowledge base article
> http://support.microsoft.com/default.aspx?scid=kb;en-us;281245" target="_blank">http://support.microsoft.com/default.aspx?scid=kb;en-us;281245 explains
> that smart card certificates only need the "digital signature" key usage
> attribute. But further down, the article also says that "...Smartcard
> logon certificates must have a Key Exchange(AT_KEYEXCHANGE) private key
> type...".
> However, I tested both with and without "allow key exchange only with key
> encryption (key encipherment)" set and both types of certificates work for
> smart card logon!
> So is there anybody out there who can tell me if smart card logon
> certificates necessarily need the "key encipherment" attribute?
> Thanks,
> Chris
> PS: we intend to use the same certificate for S/MIME signing (but not
> encryption). So if "key encipherment" is set, this certificates can
> unfortunately also be used for S/MIME encryption. So it would be nice if
> smart card logon reliably works without the "key encipherment"
> attribute...
>