Hsbc Smart Card Installation Software
Published: February 01, 2000

One of the new features of the Microsoft® Windows® 2000 operating system is platform support for smart cards and smart card readers. Smart cards enhance software-only solutions such as client authentication, logon, code signing, and secure e-mail, where private key operations are performed on the smart card and not on the host computer.

Introduction

Smart card logon is a strong form of authentication because it uses cryptographically-based identification and proof-of-possession when authenticating a user to a domain. Malicious users who obtain someone's password can use the password to assume that person's identity on the network. Many users choose passwords they can remember easily, which makes passwords inherently weak and open to dictionary attack. In the smart card case, that same malicious person would have to obtain the user's smart card and Personal Identification Number (PIN) to impersonate the user.

This combination is obviously more difficult to attack because an additional layer of information is needed to impersonate a user. A further benefit is that smart cards lock after a PIN is entered incorrectly a small number of times in a row (for example, three times). This makes a dictionary attack against a smart card extremely difficult.

In general, smart cards provide the following:

- Tamper-resistant storage for protecting private keys and other forms of personal information.
- Isolation of security-critical computations involving authentication, digital signatures, and key exchange from other parts of the system that do not have a need to know.
- Portability of credentials and other private information between computers at work, home, or on the road.

Requirements and Prerequisites

This step-by-step guide assumes that you have run the procedures in the The common infrastructure documents specify a particular hardware and software configuration. If you are not using the common infrastructure, you need to take that into account when using this document. The most current information about hardware requirements and compatibility for servers, clients, and peripherals is available from the Windows 2000 Product Compatibility site.

Installing a Smart Card Reader

Smart card readers generally come with instructions on how to connect any necessary cables. If you do not have instructions, use the following general procedure. The smart card reader should be installed on the Windows 2000 Professional workstation.

To connect a smart card reader:

1. Shut down and turn off your computer.
2. Attach the reader to an available serial port, or insert the PC Card reader into an available PCMCIA Type II slot.
3. If your serial reader has a supplementary PS/2 cable/connector, attach your keyboard or mouse connector to it, and plug it into your computer's keyboard or mouse port. Many new smart card readers take power from keyboard or mouse ports because it is not always provided by RS-232 ports and it is both expensive and cumbersome to require a separate power supply.
4. Boot your machine and log on as a user with administrative privileges.

Installing a Smart Card Reader Device Driver

If the smart card reader has been detected and installed, the Welcome to Windows logon screen will acknowledge this. If not:

1. Follow the onscreen directions for installing the device driver software. This will require either the Windows 2000 CD or media that contains the appropriate device driver from the manufacturer of the smart card reader. (Alternatively, your system administrator may provide you with a network share from which to obtain the driver.)
2. Right-click the My Computer icon on your desktop, and click Manage on the submenu.
3. Expand the Services and Applications node, and click Services.
4. In the right pane, right-click Smart Card. Click Properties on the submenu.
5. On the General tab, select Automatic in the Startup Type drop-down list.
6. Reboot your machine if the Hardware wizard instructs you to do so.

If the Hardware wizard does not start automatically, then your smart card reader is not a Plug and Play device. We strongly advise that you use only Plug and Play Smart Card Readers with Windows 2000.

Smart Card Certificate Enrollment

A domain user cannot enroll for a Smart Card Logon (authentication) or Smart Card User (authentication plus e-mail) certificate unless a system administrator has granted the user access rights to the Certificate Template stored in the Microsoft® Windows® 2000 operating system Active Directory™ service. Access is restricted in this way because enrollment for a smart card certificate must be a controlled procedure, in the same manner that employee badges are controlled for identification and physical access purposes.

The recommended method for enrolling users for smart card-based certificates and keys is through the enroll-on-behalf-of station that is integrated with Certificate Services in Windows® 2000 Server and Windows 2000 Advanced Server. When an Enterprise Certification Authority (CA) is installed, the installation includes the enroll-on-behalf-of station.
This station allows an administrator to act on behalf of a specific user to request and install a Smart Card Logon or Smart Card User certificate onto the user's smart card. The enrollment station does not provide any card-personalization functions, such as creating a file structure or setting the personal identification number (PIN), because those are card-specific functions and can only be performed using specialized software provided by the smart card manufacturer. The procedures in this step-by-step guide should be performed by an administrator.

Enrolling for a Smart Card Certificate

These steps show what an administrator must do to enroll for a Smart Card Logon or Smart Card User certificate on behalf of a specific user.

1. Double-click the Microsoft Internet Explorer icon on the desktop.
2. To connect to a Certification Authority, type machine-name/certsrv into the Address field of Microsoft Internet Explorer (where machine-name is replaced with the name of the computer running the issuing Certification Authority). The Microsoft Certificate Services Welcome page appears.
3. Select Request a certificate, and then click Next. The Choose Request Type page appears.
4. Select Advanced request, and then click Next. The Advanced Certificate Requests page appears.
5. Select Request a certificate for a smart card on behalf of another user using the Smart Card Enrollment Station, and click Next. The very first time you use the Smart Card Enrollment Station, a digitally signed Microsoft® ActiveX® control is downloaded from the Certification Authority server to the enrollment station computer. To use the enrollment station, select Yes in the Security Warning dialog box to install the control. The Smart Card Enrollment Station page appears.
6. On this page, you must do the following before submitting a certificate request on behalf of another user:
   - Select either the Smart Card Logon or Smart Card User Certificate Template.
   - Select a Certification Authority.
   - Select a Cryptographic Service Provider.
   - Select an Administrator Signing Certificate.
   - Select the User To Enroll.
7. Complete the first three items by selecting each item from the drop-down list boxes on the Smart Card Enrollment Station page.
8. After selecting the Certificate Template, Certification Authority, and Cryptographic Service Provider, select the Administrator Signing Certificate by clicking Select Certificate. A dialog box appears, showing a list of certificates that can be used. Choose only one certificate from the list (if more than one certificate is displayed), then click OK. Optionally, you can view the certificate by clicking View Certificate. Clicking Cancel results in no certificate being selected.
9. Select the user who is being enrolled for the certificate. Click Select User. Click OK to complete.
10. You are now ready to submit the certificate request. Click Enroll.
11. If the target smart card is not already in the smart card reader, a dialog box appears, prompting you to insert the requested smart card. Once the card is inserted into the smart card reader, click the Retry button.
12. As part of the certificate enrollment procedure, the request must be digitally signed by the private key that corresponds to the public key included in the certificate request. Because the private key is stored on the smart card, the digital signature requires that the signer of the request authenticate the card to ensure that the signer is the owner of the smart card (and, by extension, of the private key). Type in the PIN for the card, and then click OK. Also, the user can change his or her PIN by clicking Change. This opens a new dialog box, where the user can input a new alphanumeric PIN. Changing the PIN requires that the user provide the old PIN first to prove ownership of the card.

If the Certification Authority successfully processes the certificate request, the Smart Card Enrollment Station page informs you that the enrollment is complete and the smart card is ready. You can either view the certificate by clicking View Certificate or specify a new user by clicking New User.

Logging On with a Smart Card

Once the client has been properly configured with a smart card reader, the Welcome to Windows dialog box appears. When logging on, the user is given the option of inserting the smart card rather than typing in a user name and password. A password-based logon requires that the user press the Ctrl+Alt+Del keys at the same time in order to signal a Secure Attention Sequence (SAS). For smart card logon, the user needs only to insert the smart card into the smart card reader.
The secure logon process prompts the user to input the Personal Identification Number (PIN) instead of the typical username, password, and domain.

To log on to a Windows 2000 domain that has been configured to support smart card logon:

1. Insert either the Gemplus GemSAFE or Schlumberger Cryptoflex smart card containing a public key certificate previously issued by the Enterprise Certification Authority (CA). (See the CA step-by-step guides for more information on public key certificates.)
2. Enter your Personal Identification Number (PIN), and click OK. The default PIN for Gemplus GemSAFE (identified by the oval shape of its metal contact) is 1234. The default PIN for Schlumberger Cryptoflex (identified by the square shape of its metal contact) is 00000000.

Note: If a Domain Controller is not available, smart card logon fails even if the user has previously logged onto the computer using a smart card. If the Domain Controller is available but does not have a valid Certificate Revocation List (CRL) for the issuing Certification Authority, then the logon fails.
The error message in each of the above cases is the same: The system could not log you on. Your credentials could not be verified.
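
The PIN lockout described in the introduction, and the reason the default PINs listed above should be changed before a card is issued, shown as an added example (a simplified model written for this page, not vendor or Microsoft code). CardPin, guessing_run, guess_success_bound and the guess list are hypothetical names and constructed data; the three-try limit is the figure the text gives as an example.

```python
# Added example: simplified model of an on-card PIN retry counter.
# CardPin, guessing_run and the guess list are hypothetical, not vendor code.
from dataclasses import dataclass

MAX_TRIES = 3  # the text's example limit: "for example, three times"


@dataclass
class CardPin:
    pin: str
    tries_left: int = MAX_TRIES

    @property
    def blocked(self) -> bool:
        return self.tries_left == 0

    def verify(self, guess: str) -> bool:
        if self.blocked:
            return False  # a locked card refuses every PIN, even the right one
        if guess == self.pin:
            self.tries_left = MAX_TRIES  # only failures "in a row" count
            return True
        self.tries_left -= 1
        return False


def guessing_run(card: CardPin, guesses: list) -> tuple:
    """Try guesses in order; return (succeeded, attempts the card evaluated)."""
    attempts = 0
    for guess in guesses:
        if card.blocked:
            break
        attempts += 1
        if card.verify(guess):
            return True, attempts
    return False, attempts


def guess_success_bound(pin_digits: int, tries: int = MAX_TRIES) -> float:
    """Chance of guessing a uniformly random numeric PIN before lockout."""
    return min(1.0, tries / 10 ** pin_digits)


# Constructed dictionary of guesses; the first entry is one of the default PINs
# quoted on this page.
GUESSES = ["1234", "0000", "1111", "2580", "4321"]

if __name__ == "__main__":
    print(guessing_run(CardPin("7391"), GUESSES))  # user-chosen PIN
    print(guessing_run(CardPin("1234"), GUESSES))  # card left at its default
    print(guess_success_bound(4))
```

In this model the card with a user-chosen PIN locks after three evaluated guesses, while the card left at a default PIN is opened by the first guess, so the lockout only protects cards whose PIN was changed at issuance.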
Locking and Unlocking Using a Smart Card

To lock a computer (instead of logging out):

- Press the Ctrl+Alt+Del keys at the same time, and then select Lock Computer.

To use a smart card to unlock a computer:

- Insert the smart card into the smart card reader, and type in your PIN. (Unlock works the same way as a smart card logon.)