Set up a smart card for user logon
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To set up a smart card for user logon
Log on as an enrollment agent for the domain where the user's account is located.
Open Internet Explorer.
In Address, type the address of the certification authority (CA) that issues smart card certificates, and then press ENTER.
Click Request a certificate and then click advanced certificate request.
Click Request a certificate for a smart card on behalf of another user using the smart card certificate enrollment station. If you are prompted to accept the smart card signing certificate, click Yes.
On the Smart Card Certificate Enrollment Station Web page, in Certificate Template, do one of the following:
Click Smart Card Logon if you want to use the smart card for logging on to Windows only.
Click Smart Card User if you want to use the smart card for secure e-mail as well as logging on to Windows.
In Certification Authority, click the name of the CA you want to issue the smart card certificate.
In Cryptographic Service Provider, select the cryptographic service provider (CSP) of the smart card's manufacturer.
In Administrator Signing Certificate, click the Enrollment Agent certificate that will sign the enrollment request.
In User To Enroll, click Select User, select the appropriate user account, and then click Enroll.
When prompted by the system, insert the smart card into the smart card reader on your computer, click OK, and then, when prompted by the system, enter the personal identification number (PIN) for the smart card.
(Optional) If the smart card you are setting up has a previously installed certificate on it, a message appears, asking whether you want to replace the existing credentials on the card. Click Yes.
After the certificate is installed on the smart card, the CA Web page will give you the option of viewing the certificate you just installed or beginning a new smart card certificate request.
To open Internet Explorer, click Start, point to All programs, and then click Internet Explorer.
In the first step, anyone in the domain who has an Enrollment Agent certificate and has security permissions to issue smart card certificates is considered an enrollment agent.
The address of the certification server is the name of the server followed by /Certsrv. For example, in order to connect to the CA on a server named SmartcardCA, you would connect to: http://SmartcardCA/Certsrv
Be sure to use the name of the server that the CA is installed on, not the CA name itself. In many cases, these names will be different.
If you have no Enrollment Agent certificate available, see Related Topics.
Users that will be logging on to computers running the Windows 2000 operating system must have a smart card enrolled from a computer running Windows 2000. Users that will log on to computers running Windows XP or Windows Server 2003, Standard Edition can have a smart card enrolled from a computer running any of these operating systems.
Information about functional differences
- Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.
Enrolling for a smart card certificate
Supported smart cards
Smart card readers
Prepare a certification authority to issue smart card certificates
Prepare a smart card certificate enrollment station
Certification authority Web enrollment services