Enrolling users for smart card authentication in Lync Server 2013
Topic Last Modified: 2013-07-03
There are generally two methods for enrolling users for smart card authentication. The easier method involves having users enroll directly for smart card authentication using web enrollment, while the more complex method involves using an enrollment agent. This topic focuses on self-enrollment for smartcard certificates.
For more information on enrolling on behalf of users as an enrollment agent, see Enroll for Certificates on Behalf of Other Users at http://go.microsoft.com/fwlink/p/?LinkID=313367.
To Enroll Users for Smart Card Authentication
Log in to the Windows 8 workstation using the credentials of a Lync-enabled user.
Launch Internet Explorer.
Browse to the Certificate Authority Web Enrollment page (e.g. https://MyCA.contoso.com/certsrv).
If you are using Internet Explorer 10, you may need to view this website in Compatibility Mode.
On the Welcome Page, select Request a certificate.
Next, select Advanced Request.
Select Create and submit a request to this CA.
Select Smartcard User under the Certificate Template section and complete the advanced certificate request with the following values:
Key Options confirm he following settings:
Select the Create new key set radio button
For CSP, select Microsoft Base Smart Card Crypto Provider
For Key Usage, select Exchange (this is the only option available).
For Key Size, enter 2048
Confirm that Automatic key container name is selected
Leave the other boxes unchecked.
Under Additional Options confirm the following values:
For Request Format select CMC.
For Hash Algorithm select sha1.
For Friendly Name enter Smardcard Certificate.
If you are using a physical smartcard reader, insert the smart card into the device.
Click Submit to submit the certificate request.
When prompted, enter the PIN that was used to create the virtual smart card.
The default virtual smart card PIN value is ‘12345678’.
Once the certificate has been issued, click Install this certificate to complete the enrollment process.
If your certificate request fails with the error “This Web browser does not support the generation of certificate requests,” there are three possible ways to resolve the issue:
Enable Compatibility View in Internet Explorer
Enable the Turn on Intranet settings option in Internet Explorer
Select the Reset all zones to default level setting under the Security tab in the Internet Explorer options menu.