Post on 04-Aug-2020


Windows Smart Card Logon - Versasec · Microsoft Word - Windwos Smart Card Logon.docx · Author: Declan Inglis · Created Date: 10/31/2019 10:42:03 AM

versasec.com 1(15)

Windows Smart Card Logon Use Case

Table of Contents

Windows Smart Card Logon Use Case

Step 1 – Configuring a Windows Smart Card Logon Template

Step 2 – Configuring Card Template

Step 3 – Issue Smart Card Token

Step 4 – Perform Windows Smart Card Logon

Windows Smart Card Logon Use Case

Before beginning this article, you must have successfully completed the article Install and Issuing your first Full Feature Operator Card.

Follow the instructions in this article to set up and configure the S-Series so that it can issue and manage a smart card token to be used for Windows smart card logon.

Note: The PKI used in this example use case will be an MS CA.

Note: The smart card type that will be managed in this use case will be a generic mini-driver smart card token.

Step 1 – Configuring a Windows Smart Card Logon Template

1. From Windows open MMC.

2. Click File – Add/Remove Snap-in…, add the Certificate Templates and Certification Authority snap-ins for your local computer, and click OK.

3. Click Certificate Templates, right-click the Smart Card Logon template, and click Duplicate Template. Then click the General tab and enter a new name for this template under Template display name. Go to the Issuance Requirements tab and ensure that “The number of authorised signatures” is set to 1 and that the Application policy is set to “Certificate Request Agent”. Click Apply, then click OK to exit.

4. Go to Certification Authority (Local), Your Certification Authority, and right-click Certificate Templates. Choose New, Certificate Template to Issue, select the template you just configured, and click OK.
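One way to confirm the result of Step 1 from the command line, as an added example that is not part of the Versasec article or product: the script reads the duplicated template from Active Directory and reports whether it requires one authorised signature with the Certificate Request Agent policy, still carries the Smart Card Logon EKU, and has been published on a CA. The template display name is a hypothetical placeholder, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not Versasec code): check the template duplicated in Step 1.
# Assumes the RSAT ActiveDirectory module and read access to the AD configuration partition.
Import-Module ActiveDirectory

$TemplateDisplayName = 'S-Series Smart Card Logon'  # hypothetical display name from step 3
$RequestAgentOid     = '1.3.6.1.4.1.311.20.2.1'     # Certificate Request Agent
$SmartCardLogonOid   = '1.3.6.1.4.1.311.20.2.2'     # Smart Card Logon EKU

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Certificate templates are pKICertificateTemplate objects in the configuration partition.
$template = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateDisplayName))" `
    -Properties pKIExtendedKeyUsage, 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies' |
    Select-Object -First 1
if (-not $template) { throw "Template '$TemplateDisplayName' was not found in AD." }

# Each enterprise CA lists the templates it will issue in its certificateTemplates attribute.
$publishedOn = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    Where-Object { $_.certificateTemplates -contains $template.Name } |
    ForEach-Object { $_.Name }

# The RA policy attribute is a plain OID list on older schema versions and a delimited
# string on newer ones, so match the OID as a substring to cover both encodings.
$raPolicies = @($template.'msPKI-RA-Application-Policies') -join ' '

[pscustomobject]@{
    Template             = $template.Name
    AuthorizedSignatures = $template.'msPKI-RA-Signature'
    SignatureCountIsOne  = $template.'msPKI-RA-Signature' -eq 1
    RequiresRequestAgent = $raPolicies -match [regex]::Escape($RequestAgentOid)
    HasSmartCardLogonEku = @($template.pKIExtendedKeyUsage) -contains $SmartCardLogonOid
    PublishedOnCA        = @($publishedOn) -join ', '
}
```

An empty PublishedOnCA value means step 4 has not taken effect yet, and a False in either of the issuance-requirement columns means the template will issue without the enrollment agent signature configured in step 3.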

Step 2 – Configuring Card Template

1. Navigate to the Options - Smart Cards page. When the page has loaded, attach the smart card token that is to be issued with the S-Series. The S-Series will filter the card type and present the smart card template available in the S-Series.

2. Select the entry and click Edit. For Smart Card Access, ensure that Use minidriver if possible is selected, and click Save.

3. From Templates - Card Templates click the Add button.

4. Click the Edit link for General.

5. Enter a template name, attach the smart card token that is to be issued, and click the Detect button to allow the S-Series to detect the smart card token type that is to be used for this card template. Click Ok to close the dialog.

6. Keep all other default settings in the General dialog and click Ok to save the settings and close this dialog.

7. Click the Edit link for Issue Card.

8. In the User ID Options section, enable Assign User ID and select the AD connection already configured.

9. In the Enroll Certificate Options section, enable Enroll certificate(s) and click the Add button. Select the CA connection already configured from the Certificate Authority drop-down list, select the smart card logon certificate template as configured on your CA from the Certificate template list, and click Ok to save and close the dialog.

10. Keep all other defaults for the Issue Card dialog and click Ok to save and close.

11. Click Ok to save and close the card template configuration.

Step 3 – Issue Smart Card Token

1. From the Lifecycle page, attach the smart card token that is to be issued and click the Issued oval. Select the card template from the Select card template drop-down list and click the Execute button.

2. Enter the Operator token PIN (Passcode) when prompted.

3. Select a user from AD that the smart card token is to be issued to.

4. When the issuance completes, a message dialog indicating that an authentication key has been added to the S-Series will appear, followed by a short summary dialog with details on what operations have been performed.

The smart card token is now in an Issued state, as can be seen from the process diagram. By default, the smart card PIN will be blocked, so it will be necessary to unblock the smart card. Typically, the person who will use this smart card will set the PIN code on the smart card.

5. Click the Active oval and click the Execute button.

6. Enter the Operator token PIN (Passcode) when prompted.

7. Enter the PIN code that will be set on the smart card token. Click Initiate to set the PIN code on the smart card and make it active.

8. A summary dialog will appear. Click Ok to close.

Step 4 – Perform Windows Smart Card Logon

On a Windows system connected to the domain, attach the smart card token and enter the smart card PIN code created earlier to log on.

This completes the use case.