Posted by Brian Delaney [MSFT] on December 8, 2006, 12:50 pm
Hi,
Is the enrollment agent certificate on a smart card as well? The same
smart card or different from the smart card authentication certificate?
Please review
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx,
particularly the part regarding the error you are encountering:
Too many smart cards of the same type are inserted.
In a scenario where an enrollment agent requires a smart card certificate
to log on and a certificate that is stored on a different smart card is
used to sign the certificate requests, this error message is displayed: Too
many smart cards of the same type are inserted. Please insert only one user
smart card and try again.
The smart card enrollment station control on the Web enrollment pages,
which accesses the smart card enrollment agent certificate, expects the
certificate in the key container that is associated with the default
container on the smart card. However, if the default container is
associated with the logon certificate on the other smart card, access to
the enrollment agent certificate will fail.
If the logon certificate and enrollment agent certificate must reside on a
smart card, it is recommended that you enroll and use a single certificate
to the enrollment agent that can be used for certificate enrollment and
smart card logon.
Also, another reference from a Microsoft Press Book - Windows Server 2003
PKI and Certificate Security indicates "Important: If the Enrollment Agent
certificate is stored on a smart card, the Enrollment Agent smart card and
the user's smart card must use different CSPs. If the two smart cards use
the same CSP, the enrollment request will fail with a message stating that
too many smart cards of the same type are inserted." (pg. 346)
Hope this helps,
Brian Delaney
Microsoft Canada
--
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>Newsgroups: microsoft.public.windows.server.security
>Subject: Smart Card - two readers
>Date: 8 Dec 2006 05:28:53 -0800
>Organization: http://groups.google.com
>
>Hi !
>
>I'm trying to create an enrollment station and designate one administrator
>as enrollment agent.
>A typical enrollment station is a computer that has two smart card
>readers attached - so I did it.
>I use one smart card to log on to the enrollment station.
>
>
>I open the Web page for certificate services (http://server/certsrv/)
>--> request certificate --> advanced request --> request for smart
>card.
>
>
>Then I use the SmartCard User template, my CA, "Advanced Setec SetCSP", and the
>enrollment agent certificate.
>I choose a user from AD and insert the second (fresh, empty) smart card.
>
>
>When I try to enroll the smart card I get an error like this !!! :
>"Too many smart cards of the same type. Plug in only one smart card for the user
>and try again".
>
>
>I have a GPO that locks the station when I remove my (administrator)
>smart card from the reader.
>When I change the GPO I can remove the card (and then I can also log in using
>username and password) and then I can enroll new cards on both my
>readers, but that's not the point. I must use a very restricted policy
>even for myself.
>
>
>If anyone knows something about it - HELP, pleassssseee.
>
>
> Best Regards
> Dominik.
>
>
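The diagnostic below is an added example, not part of the thread or of Microsoft's documentation. It assumes Windows PowerShell 5.1 on the enrollment station with both smart cards inserted (reading the private key handle may prompt for a card PIN), and it reports which CSP and key container hold the Enrollment Agent and Smart Card Logon certificates so the same-CSP conflict described above can be spotted before enrolling.

```powershell
# Added diagnostic example, not from the original thread. Assumes Windows
# PowerShell 5.1 on the enrollment station with the smart cards inserted.
# Lists Enrollment Agent and Smart Card Logon certificates in the user's
# personal store with the CSP and key container that hold each private key.
$EkuEnrollmentAgent = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU
$EkuSmartCardLogon  = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU

function Test-HasEku($Cert, $Oid) {
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return $false }
    return [bool]($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $Oid })
}

function Get-CspInfo($Cert) {
    # CspKeyContainerInfo exists only for CAPI (CSP) keys; CNG keys end up in the catch.
    try {
        $info = $Cert.PrivateKey.CspKeyContainerInfo
        [pscustomobject]@{ Subject = $Cert.Subject; Provider = $info.ProviderName;
                           Container = $info.KeyContainerName }
    } catch {
        [pscustomobject]@{ Subject = $Cert.Subject; Provider = '(CNG/unavailable)'; Container = $null }
    }
}

$certs  = Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey
$agents = @($certs | Where-Object { Test-HasEku $_ $EkuEnrollmentAgent })
$logons = @($certs | Where-Object { Test-HasEku $_ $EkuSmartCardLogon })

"Enrollment Agent certificates:"; $agents | ForEach-Object { Get-CspInfo $_ } | Format-Table -AutoSize
"Smart Card Logon certificates:"; $logons | ForEach-Object { Get-CspInfo $_ } | Format-Table -AutoSize

# The failure mode from the thread: agent and logon keys in different containers
# of the same CSP, so the web enrollment control opens the wrong (default) container.
foreach ($a in $agents) {
    foreach ($l in $logons) {
        if ($a.Thumbprint -eq $l.Thumbprint) { continue }   # one combined certificate is the recommended setup
        $ai = Get-CspInfo $a; $li = Get-CspInfo $l
        if ($ai.Provider -eq $li.Provider -and $ai.Container -ne $li.Container) {
            $msg = "Agent cert {0} and logon cert {1} share CSP '{2}' but use different key containers; " +
                   "expect 'Too many smart cards of the same type are inserted'." -f
                   $a.Thumbprint, $l.Thumbprint, $ai.Provider
            Write-Warning $msg
        }
    }
}
```

No warning means either a single combined certificate is in use or the two cards sit behind different CSPs, which matches the two working configurations the reply recommends.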