Smart Card Certificate Enrollment Process description

Discussion in 'Server Security' started by MC, Nov 4, 2004.

    MC (Guest)


    - Smart Card logon certificates must be enrolled by a trusted admin (using
    a smart card enrollment agent)
    - A user must not be able to enroll for smart card logon certificates if he
    doesn't yet own one
    - Certificate renewal must be performed automatically (the user must just enter
    the PIN code to access the private key on the card)

    - Windows Server 2003 Enterprise CA
    - Windows Server 2003 Active Directory Forest in Native Mode
    - Windows XP SP1 clients

    My solution would be the following:
    - An admin user gets a smart card enrollment agent certificate, so that he can
    enroll on behalf of users for smart card logon certificates
    - duplicate the original smart card logon certificate template
    - configure the custom smart card logon template so that renewal is only
    possible if a smart card logon certificate still exists
    - configure certificate autoenrollment in an Active Directory GPO
    - create a global group "smart card users", which has enroll and autoenroll
    permissions on the custom smart card logon template
    - when a user is enrolled by an admin, the user's account becomes a member
    of the "smart card users" group -> so users are able to renew their
    existing certificates automatically

    Does anyone see any trouble with that config?
    MC, Nov 4, 2004
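An added example, not code from the thread: an audit function that checks a duplicated smart card logon template's Active Directory attributes against the requirements in the post above (enrollment agent signature required, renewal gated on an existing valid certificate, autoenrollment enabled, subject taken from AD). The attribute names and flag bits are from the msPKI template schema (MS-CRTD); the two sample templates are constructed for illustration, and the RA application policies are assumed to be exported as a plain list of OID strings.

```python
# Template attribute bits from MS-CRTD (msPKI-Enrollment-Flag / msPKI-Certificate-Name-Flag)
CT_FLAG_AUTO_ENROLLMENT = 0x20                        # autoenrollment client may act on this template
CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT = 0x40  # "require valid existing certificate" on renewal
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1               # subject comes from the request, not from AD

OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"  # enrollment agent application policy
OID_SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"    # smart card logon EKU


def audit_smartcard_template(attrs):
    """Return a list of findings; an empty list means the template matches the
    design: only an enrollment agent can enroll, renewal requires a still-valid
    certificate and runs via autoenrollment, and AD supplies the subject."""
    findings = []
    eflag = int(attrs.get("msPKI-Enrollment-Flag", 0))
    nflag = int(attrs.get("msPKI-Certificate-Name-Flag", 0))
    ra_sigs = int(attrs.get("msPKI-RA-Signature", 0))
    ra_policies = attrs.get("msPKI-RA-Application-Policies", [])  # assumed: list of OID strings
    ekus = attrs.get("pKIExtendedKeyUsage", [])

    if OID_SMART_CARD_LOGON not in ekus:
        findings.append("template lacks the Smart Card Logon EKU")
    if ra_sigs < 1:
        findings.append("no RA signature required: users could self-enroll")
    elif OID_CERT_REQUEST_AGENT not in ra_policies:
        findings.append("RA signature not restricted to Certificate Request Agent")
    if not eflag & CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT:
        findings.append("renewal does not require a valid existing certificate")
    if not eflag & CT_FLAG_AUTO_ENROLLMENT:
        findings.append("autoenrollment flag not set: renewal will not be automatic")
    if nflag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject: identity not taken from AD")
    return findings


# Constructed sample values (not read from a real forest)
GOOD_TEMPLATE = {
    "msPKI-Enrollment-Flag": CT_FLAG_AUTO_ENROLLMENT | CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT,
    "msPKI-Certificate-Name-Flag": 0,
    "msPKI-RA-Signature": 1,
    "msPKI-RA-Application-Policies": [OID_CERT_REQUEST_AGENT],
    "pKIExtendedKeyUsage": [OID_SMART_CARD_LOGON, "1.3.6.1.5.5.7.3.2"],
}
WEAK_TEMPLATE = {  # a careless duplicate: self-enrollment, manual renewal, user-chosen subject
    "msPKI-Enrollment-Flag": CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT,
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": [OID_SMART_CARD_LOGON],
}

if __name__ == "__main__":
    for name, tmpl in (("good", GOOD_TEMPLATE), ("weak", WEAK_TEMPLATE)):
        print(name, audit_smartcard_template(tmpl) or ["OK"])
```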