Smart Card based Logon & User ID and Password

bill
07-09-2005, 11:54 PM
Hello group,

Regarding Smart Card based logon, all of the documentation I'm reading
indicates that in order for this to work, the username field in AD must
contain the EID number off of the Smart Card. My question is, is there a way
to maintain the username field as an actual name instead of an EID?


--
Nestor L. Cabrera

Paul Adare
07-09-2005, 11:54 PM
In article <A8DE0858-439E-4A16-A21A-7F2683C2F226@microsoft.com>, in the
microsoft.public.security news group, bill
<bill@discussions.microsoft.com> says...

> Hello group,
>
> Regarding Smart Card based logon, all of the documentation I'm reading
> indicates that in order for this to work, the username field in AD must
> contain the EID number off of the Smart Card. My question is, is there a way
> to maintain the username field as an actual name instead of an EID?

I've no idea what you've been reading, but whatever your source is, it
is completely wrong.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea

Brian Komar
07-09-2005, 11:54 PM
In article <MPG.1d1ca7dc87e8c02f989dc0@msnews.microsoft.com>,
padare@newsguy.com says...
> In article <A8DE0858-439E-4A16-A21A-7F2683C2F226@microsoft.com>, in the
> microsoft.public.security news group, bill
> <bill@discussions.microsoft.com> says...
>
> > Hello group,
> >
> > Regarding Smart Card based logon, all of the documentation I'm reading
> > indicates that in order for this to work, the username field in AD must
> > contain the EID number off of the Smart Card. My question is, is there a way
> > to maintain the username field as an actual name instead of an EID?
>
> I've no idea what you've been reading, but whatever your source is, it
> is completely wrong.
>
>
Further to what Paul said, the smart card must contain the user's UPN.
It is a matching of the UPN to the user's UPN that identifies the holder
of the smart card.

Brian
--
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian

bill
07-09-2005, 11:56 PM
Ok, then how do you configure it to just use the username instead of the EID?
--
Nestor L. Cabrera


"Paul Adare" wrote:

> In article <A8DE0858-439E-4A16-A21A-7F2683C2F226@microsoft.com>, in the
> microsoft.public.security news group, bill
> <bill@discussions.microsoft.com> says...
>
> > Hello group,
> >
> > Regarding Smart Card based logon, all of the documentation I'm reading
> > indicates that in order for this to work, the username field in AD must
> > contain the EID number off of the Smart Card. My question is, is there a way
> > to maintain the username field as an actual name instead of an EID?
>
> I've no idea what you've been reading, but whatever your source is, it
> is completely wrong.
>
> --
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca/blogs/paul/
> "The English language, complete with irony, satire, and sarcasm, has
> survived for centuries without smileys. Only the new crop of modern
> computer geeks finds it impossible to detect a joke that is not clearly
> labeled as such."
> Ray Shea
>

Paul Adare
07-09-2005, 11:56 PM
In article <AF8B0705-6552-41CF-9F4B-E0B3D0DF6347@microsoft.com>, in the
microsoft.public.security news group, bill
<bill@discussions.microsoft.com> says...

> Ok, then how do you configure it to just use the username instead of the EID?
>

You don't have to do anything. When the smart card certificate is
issued, it will contain the UPN (Universal Principal Name) of the user
to whom the certificate has been issued. In Windows, the UPN is used
when logging on with a smart card.
I don't understand why you feel that you're constrained to using the
EID, nor exactly what you mean by EID in the first place.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea

bill
07-09-2005, 11:56 PM
I should clarify a bit:

I'm using third party issued smart cards and certificates, not Microsoft
issued certs.

Perhaps it's a different term, but what I mean by EID is the number
associated with the person's name on the smart card. The Microsoft document
I'm referencing (and where I got most of my guidance) is Q281245
http://support.microsoft.com/?id=281245

So, from this I gathered that when using third party certificates you can
only create user accounts with the number, not the user name. Otherwise
Windows has no way of associating the user account with the card. Is this
assumption correct?
--



"Paul Adare" wrote:

> In article <AF8B0705-6552-41CF-9F4B-E0B3D0DF6347@microsoft.com>, in the
> microsoft.public.security news group, bill
> <bill@discussions.microsoft.com> says...
>
> > Ok, then how do you configure it to just use the username instead of the EID?
> >
>
> You don't have to do anything. When the smart card certificate is
> issued, it will contain the UPN (Universal Principal Name) of the user
> to whom the certificate has been issued. In Windows, the UPN is used
> when logging on with a smart card.
> I don't understand why you feel that you're constrained to using the
> EID, nor exactly what you mean by EID in the first place.
>
> --
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca/blogs/paul/
> "The English language, complete with irony, satire, and sarcasm, has
> survived for centuries without smileys. Only the new crop of modern
> computer geeks finds it impossible to detect a joke that is not clearly
> labeled as such."
> Ray Shea
>

Paul Adare
07-09-2005, 11:56 PM
In article <3519755A-A3D8-448C-BFF7-C2AD9F90FC1A@microsoft.com>, in the
microsoft.public.security news group, bill
<bill@discussions.microsoft.com> says...

> I'm using third party issued smart cards and certificates, not Microsoft
> issued certs.
>
> Perhaps it's a different term, but what I mean by EID is the number
> associated with the person's name on the smart card. The Microsoft document
> I'm referencing (and where I got most of my guidance) is Q281245
> http://support.microsoft.com/?id=281245
>
> So, from this I gathered that when using third party certificates you can
> only create user accounts with the number, not the user name. Otherwise
> Windows has no way of associating the user account with the card. Is this
> assumption correct?
>

You're not reading that article correctly. If you look at step 5.
Request a smart card certificate from the third-party CA you'll see the
following:

Subject Alternative Name = Other Name: Principal Name= (UPN). For
example:
UPN = user1@name.com
The UPN OtherName OID is : "1.3.6.1.4.1.311.20.2.3"
The UPN OtherName value: Must be ASN1-encoded UTF8 string

Subject = Distinguished name of user. This field is a mandatory
extension, but the population of this field is optional.

The Subject Alternative Name field is the key here for smart card logon.
This _must_ follow the above rules. Not that the contents of this field
needs to be the UPN in the format of someuser@somedomain.com. This needs
to match the UPN assigned to the user's account in Active Directory. I
don't know if you're confused or not, but the number referred to above
is an Object Identifier (OID) that describes what goes into that field.
It isn't the actual contents of that field.

If your 3rd party CA can't properly configure the SAN field in your
certificates, you won't be able to use them for smart card logon.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
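
Brian's reply and Paul's last reply above describe one mechanism: Windows looks in the certificate's Subject Alternative Name for an otherName whose type-id is the OID 1.3.6.1.4.1.311.20.2.3 and whose value is a UTF8String carrying the UPN, and then matches that string against the account's userPrincipalName. The following Python is an added example written for this page, not code from the thread, from Microsoft or from KB 281245. It hand-encodes that DER structure, parses a UPN back out of a SAN, and maps it to an account in a constructed stand-in for the directory (a list of dicts). It assumes UPN comparison is case-insensitive, as it is in AD; the domain name.com comes from the quoted article, while the sAMAccountName values and the "1234567" EID-style account are invented.

```python
"""Encode and decode the SAN otherName used for Windows smart card logon.

otherName type-id: 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN), value: UTF8String.
The OID is only the label of the field; the UPN string is the contents.
"""
from typing import List, Optional, Tuple

UPN_OTHERNAME_OID = "1.3.6.1.4.1.311.20.2.3"

# Constructed stand-in for Active Directory accounts (not real data).
DIRECTORY = [
    {"sAMAccountName": "user1", "userPrincipalName": "User1@name.com"},
    {"sAMAccountName": "1234567", "userPrincipalName": "1234567@name.com"},
]


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """DER OID body (without tag/length) -> dotted string."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def build_san(upn: Optional[str], email: Optional[str] = None) -> bytes:
    """GeneralNames SEQUENCE with an optional UPN otherName and rfc822Name."""
    names: List[bytes] = []
    if upn is not None:
        # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
        # GeneralName otherName is [0] IMPLICIT, so the SEQUENCE becomes tag 0xA0.
        other = encode_oid(UPN_OTHERNAME_OID) + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))
        names.append(_tlv(0xA0, other))
    if email is not None:
        names.append(_tlv(0x81, email.encode("ascii")))  # rfc822Name [1] IMPLICIT
    return _tlv(0x30, b"".join(names))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def extract_upn(san_der: bytes) -> Optional[str]:
    """Return the UPN from a SAN extension value, or None if no UPN otherName."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN must be a SEQUENCE of GeneralName")
    pos = 0
    while pos < len(body):
        tag, gn, pos = _read_tlv(body, pos)
        if tag != 0xA0:          # rfc822Name, dNSName, etc.: not an otherName
            continue
        otag, oid_body, p = _read_tlv(gn, 0)
        if otag != 0x06 or decode_oid(oid_body) != UPN_OTHERNAME_OID:
            continue             # some other otherName type
        vtag, vbody, _ = _read_tlv(gn, p)
        if vtag != 0xA0:
            continue
        stag, sbody, _ = _read_tlv(vbody, 0)
        if stag != 0x0C:
            raise ValueError("UPN otherName value must be a UTF8String")
        return sbody.decode("utf-8")
    return None


def map_card_to_account(san_der: bytes, directory: list) -> Optional[str]:
    """Resolve the card's UPN to an account; the account name itself is irrelevant."""
    upn = extract_upn(san_der)
    if upn is None:
        return None  # no UPN in the SAN: smart card logon cannot map the card
    for acct in directory:
        if acct["userPrincipalName"].lower() == upn.lower():
            return acct["sAMAccountName"]
    return None


if __name__ == "__main__":
    san = build_san("user1@name.com")
    print("OID bytes :", encode_oid(UPN_OTHERNAME_OID).hex())
    print("SAN bytes :", san.hex())
    print("UPN       :", extract_upn(san))
    print("account   :", map_card_to_account(san, DIRECTORY))
```

Run it and compare the first two hex lines: the OID encodes to 060a2b060104018237140203 and appears once inside the SAN, followed by the UTF8String holding user1@name.com, which is the part that has to equal the account's UPN. A SAN that carries only an rfc822Name yields no UPN and therefore no account, which is the failure Paul describes for a third-party CA that cannot populate the otherName.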

Paul Adare
07-09-2005, 11:56 PM
In article <MPG.1d384e588b8b6e39989de2@msnews.microsoft.com>, in the
microsoft.public.security news group, Paul Adare <padare@newsguy.com>
says...

> Not that the contents
>

Sorry, this should read, "Note that the contents..."

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
