Click here to get back home

Certificate attributes for Smart Card Logon

 HomeNewsGroups | Search

get this group's latest topics as an RSS feed  microsoft.public.windows.server.security - Supporting MS Windows network? Read here before it's too late!

please rate
this thread
If you were  Registered and logged in, you could reply and use other advanced thread options
Posted by Aumy on January 13, 2009, 3:31 am
Hi,

I set up smart card logon to my windows 2003 domain for XP clients. I use a
AD-integrated Microsoft Enterprise CA 2003 as issuing CA. My domain
controllers each already have their own certificates.

Question: the default certificate templates "smartcard logon" and "smartcard
user" both have the key usage settings "digital signature" and "allow key
exchange only with key encryption (key encipherment)" set.  However, the
knowledge base article
http://support.microsoft.com/default.aspx?scid=kb;en-us;281245" target="_blank">http://support.microsoft.com/default.aspx?scid=kb;en-us;281245 explains that
smart card certificates only need the "digital signature" key usage
attribute. But further down, the article also says that "...Smartcard logon
certificates must have a Key Exchange(AT_KEYEXCHANGE) private key type...".

However, I tested both with and without "allow key exchange only with key
encryption (key encipherment)" set and both types of certificates work for
smart card logon!

So is there anybody out there who can tell me if smart card logon
certificates necessarily need the "key encipherment" attribute?

Thanks,
Chris

PS: we intend to use the same certificate for S/MIME signing (but not
encryption). So if  "key encipherment" is set, this certificates can
unfortunately also be used for S/MIME encryption. So it would be nice if
smart card logon reliably works without the "key encipherment" attribute...



Posted by Brian Komar \(MVP\) on January 13, 2009, 8:30 pm
Just ensure that on the Request Handling tab that the Purpose is set to
Signature and Smartcard logon (rather than Signature and Encryption).
If you enable the Smart Card Logon, Client Authentication, and Secure Email
application Policies, this ensure that the smart card cannot be used for
actual encryption.
Brian




Posted by Aumy on January 14, 2009, 6:06 am
Thanks Brian.

unfortunately, as far as I know if you have the "Secure Email" application
Policy set, a certificate by default may not just be used for email
signature but also email encryption (Microsoft makes no difference)! This is


encryption keypair
- S/MIME (encryption only)
- Encrypting File System

authentication&signature keypair
- S/MIME (signature only)
- Client Authentication
- Smartcard Logon

I have to use the purpose "Signature" in the "Request Handling" tab for the
authentication&signature keypair due to our token management system, for
which the "Enroll subject without requiring any user input" field must be
selected. The "Application Policies" extensions then shows the 3 application
policies mentioned above. But then, the key usage settings "allow key
exchange only with key encryption (key encipherment)" is not selectable.
This is OK for secure email, because S/MIME encryption will not word with
this keypair (S/MIME signature will work).

Question: For smartcard logon, is it a must to select "allow key exchange
only with key encryption (key encipherment)"? If yes, then we have a problem
with the approach mentioned above...
Reason for the question: both default templates "smartcard logon" and
"smartcard user" have this setting set to on... However, I tested it in my
lab with a certificate template like the one mentioned above and see,
smartcard logon did work without the setting "allow key exchange only with
key encryption (key encipherment)". Is it just a coincidence?

Thanks, Chris







Posted by Brian Komar \(MVP\) on January 14, 2009, 6:55 am
Answers inline...



Well, this is a problem with your Token Management System then. You should




No, if you had at created the certificate template as I recommended, you
would see that only Digital Signature is enabled, which prevents the use of
the SMIME application policy for SMIME encryption.



However, I tested it in my





Posted by Aumy on January 14, 2009, 12:59 pm
Hi Brian,

thanks for your help and sorry for my silly questions - I don't have the
possibilities for "real" tests, so that's why I tried to get answers by
asking you again. I definitely don't blame MS PKI.

I read you book while setting up the PKI - It helped me alot, thanks!

cu,
Chris







Subject Author Date
Certificate attributes for Smart Card Logon Aumy 01-13-2009
If you were  Registered and logged in, you could reply and use other advanced thread options

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Driving a better car - Fuelzilla.com

Cabling site for homeowners and pros alike - Cabling-Design.com

1-Script XML SitemapXML Sitemap
Privacy Policy