Well, I don't want to use Microsoft's CA (!), we run our own based on OpenSSL. MS says that they don't give support, but Dr. Stephen Henson posted a few weeks ago that he got it to work to log on by smartcard to W2K with a certificate generated by 0.9.8-dev...
@Stephen Henson: what requirements on the Windows side are needed?
Regards, Tobi
Hendriks Bas wrote:
Tobi,
I used W2K certificates from the W2K certificate service and that worked fine. Microsoft stated that non-W2K certificates are not supported, e.g. Verisign (I wanted these but they didn't work by default). It only works when you add a different vendor's software.
With kind regards,
Bas Hendriks [EMAIL PROTECTED] Pinkroccade, PRInS, TES, Webhosting Fauststraat 1 Apeldoorn
+31(0) 55577 8062 +31(0) 62952 6542
-----Original Message-----
From: Tobi Anton [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 13 November 2003 11:25
To: [EMAIL PROTECTED]
Subject: Win 2000 Smartcard Logon - need help...
Hi,
I'm trying to logon to my Win 2000 server by using smartcard logon. It doesn't work yet and I don't know how to go on. This is what I got:
I generated a client certificate with 0.9.8-dev. The openssl.conf looks like this:
...
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:[EMAIL PROTECTED]
# Copy subject details
# issuerAltName=issuer:copy
nsCaRevocationUrl = http://mydomain.de/crl.crl
nsBaseUrl = http://mydomain.de/test
nsCaPolicyUrl = http://mydomain.de/policy.pdf
crlDistributionPoints=URI:http://mydomain/crl.crl
#end ...
I imported the CA-signed client certificate (private key included) onto the smartcard. I imported the client certificate into the user's profile in Active Directory. I then imported the CA certificate into the NTAuth store as described in MS Knowledge Base article 295663. I also imported it as a trusted party into the Default Domain Policy in Active Directory.
The logon fails with the error that my permission can't be verified.
Who has an idea what else I need to do? After some research, the openssl.conf looks good to me!? I think there's just something on the Microsoft side I need to set up. What do you think?
Thanks, Tobi
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]