Hello group,

Regarding Smart Card based logon, all of the documentation I'm reading
indicates that in order for this to work, the username field in AD must
contain the EID number off of the Smart Card. My question is, is there a way
to maintain the username field as an actual name instead of an EID?


--
Nestor L. Cabrera

Re: Smart Card based Logon & User ID and Password by Brian

Brian
Fri Jun 17 14:19:08 CDT 2005

In article <MPG.1d1ca7dc87e8c02f989dc0@msnews.microsoft.com>,
padare@newsguy.com says...
> In article <A8DE0858-439E-4A16-A21A-7F2683C2F226@microsoft.com>, in the
> microsoft.public.security news group, bill
> <bill@discussions.microsoft.com> says...
>
> > Hello group,
> >
> > Regarding Smart Card based logon, all of the documentation I'm reading
> > indicates that in order for this to work, the username field in AD must
> > contain the EID number off of the Smart Card. My question is, is there a way
> > to maintain the username field as an actual name instead of an EID?
>
> I've no idea what you've been reading, but whatever your source is, it
> is completely wrong.
>
>
Further to what Paul said, the smart card must contain the user's UPN.
It is a matching of the UPN to the user's UPN that identifies the holder
of the smart card.

Brian
--
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
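
The matching described in the reply above, as an added example (not code from the thread or from Microsoft): the UPN is carried in the certificate's Subject Alternative Name as an otherName entry under OID 1.3.6.1.4.1.311.20.2.3, and the Python below extracts it from a SAN extension value and compares it with an account's UPN. The sample bytes, the `jdoe` names and the case-insensitive comparison are assumptions made for the illustration.

```python
UPN_OID = bytes.fromhex("2b060104018237140203")  # DER body of 1.3.6.1.4.1.311.20.2.3

def tlv(tag, body):
    """Encode one DER TLV (short-form length; only used to build the sample)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def upn_from_san(san_der):
    """Return the UPN otherName from a SubjectAltName value, or None."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, value, pos = read_tlv(names, pos)
        if tag != 0xA0:  # only otherName [0]; skip rfc822Name, dNSName, ...
            continue
        t, oid, nxt = read_tlv(value, 0)
        if t == 0x06 and oid == UPN_OID:
            _, wrapped, _ = read_tlv(value, nxt)  # value is [0] EXPLICIT
            t, text, _ = read_tlv(wrapped, 0)
            if t == 0x0C:  # UTF8String holding user@domain
                return text.decode("utf-8")
    return None

def matches_account(san_der, account_upn):
    """Assumption for this example: UPNs are compared case-insensitively."""
    cert_upn = upn_from_san(san_der)
    return cert_upn is not None and cert_upn.casefold() == account_upn.casefold()

# Constructed sample SAN: an rfc822Name plus the UPN otherName.
SAMPLE_SAN = tlv(0x30, tlv(0x81, b"jdoe@example.com") + tlv(0xA0,
    tlv(0x06, UPN_OID) + tlv(0xA0, tlv(0x0C, b"jdoe@corp.example.com"))))
```

A SAN that carries only an e-mail address or a card number in another field yields `None` here, which is the case where there is no UPN to match against an account.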

Re: Smart Card based Logon & User ID and Password by bill

bill
Wed Jul 06 09:59:04 CDT 2005

Ok, then how do you configure it to just use the username instead of the EID?
--
Nestor L. Cabrera


"Paul Adare" wrote:

> In article <A8DE0858-439E-4A16-A21A-7F2683C2F226@microsoft.com>, in the
> microsoft.public.security news group, bill
> <bill@discussions.microsoft.com> says...
>
> > Hello group,
> >
> > Regarding Smart Card based logon, all of the documentation I'm reading
> > indicates that in order for this to work, the username field in AD must
> > contain the EID number off of the Smart Card. My question is, is there a way
> > to maintain the username field as an actual name instead of an EID?
>
> I've no idea what you've been reading, but whatever your source is, it
> is completely wrong.
>
> --
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca/blogs/paul/
> "The English language, complete with irony, satire, and sarcasm, has
> survived for centuries without smileys. Only the new crop of modern
> computer geeks finds it impossible to detect a joke that is not clearly
> labeled as such."
> Ray Shea
>

Re: Smart Card based Logon & User ID and Password by bill

bill
Fri Jul 08 07:59:36 CDT 2005

I should clarify a bit:

I'm using third party issued smart cards and certificates, not Microsoft
issued certs.

Perhaps it's a different term, but what I mean by EID is the number
associated with the person's name on the smart card. The Microsoft document
I'm referencing (and where I got most of my guidance) is Q281245
http://support.microsoft.com/?id=281245

So, from this I gathered that when using third party certificates you can
only create user accounts with the number, not the user name. Otherwise
Windows has no way of associating the user account with the card. Is this
assumption correct?
--



"Paul Adare" wrote:

> In article <AF8B0705-6552-41CF-9F4B-E0B3D0DF6347@microsoft.com>, in the
> microsoft.public.security news group, bill
> <bill@discussions.microsoft.com> says...
>
> > Ok, then how do you configure it to just use the username instead of the EID?
> >
>
> You don't have to do anything. When the smart card certificate is
> issued, it will contain the UPN (Universal Principal Name) of the user
> to whom the certificate has been issued. In Windows, the UPN is used
> when logging on with a smart card.
> I don't understand why you feel that you're constrained to using the
> EID, nor exactly what you mean by EID in the first place.
>
> --
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca/blogs/paul/
> "The English language, complete with irony, satire, and sarcasm, has
> survived for centuries without smileys. Only the new crop of modern
> computer geeks finds it impossible to detect a joke that is not clearly
> labeled as such."
> Ray Shea
>

Re: Smart Card based Logon & User ID and Password by bill

bill
Mon Jul 11 07:49:06 CDT 2005

Thank you Paul, I think I understand this a lot better now. I did a test on
what you were referring to (the UPN name) and it worked fine. Thanks again.



"Paul Adare" wrote:

> In article <MPG.1d384e588b8b6e39989de2@msnews.microsoft.com>, in the
> microsoft.public.security news group, Paul Adare <padare@newsguy.com>
> says...
>
> > Not that the contents
> >
>
> Sorry, this should read, "Note that the contents..."
>
> --
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca/blogs/paul/
> "The English language, complete with irony, satire, and sarcasm, has
> survived for centuries without smileys. Only the new crop of modern
> computer geeks finds it impossible to detect a joke that is not clearly
> labeled as such."
> Ray Shea
>

Re: Smart Card based Logon & User ID and Password by bill

bill
Mon Jul 11 07:51:01 CDT 2005

Oh, and the number I was looking at was the number right after the Subject
Alternative name on the card, not the OID number.
-


"Paul Adare" wrote:

> In article <MPG.1d384e588b8b6e39989de2@msnews.microsoft.com>, in the
> microsoft.public.security news group, Paul Adare <padare@newsguy.com>
> says...
>
> > Not that the contents
> >
>
> Sorry, this should read, "Note that the contents..."
>
> --
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca/blogs/paul/
> "The English language, complete with irony, satire, and sarcasm, has
> survived for centuries without smileys. Only the new crop of modern
> computer geeks finds it impossible to detect a joke that is not clearly
> labeled as such."
> Ray Shea
>