In order for a smart card login to be successful, some requirements must be met in the Active Directory environment:
Requirements
Domain controller certificates must allow logon
Domain controllers must have Have certificates that enable smart card login. One of the following criteria must apply.
- The Enhanced Key Usage extension includes the Extended Key Usage for KDC Authentication (1.3.6.1.5.2.3.5) or
- The Enhanced Key Usage extension includes the Extended Key Usage for Smartcard Logon (1.3.6.1.4.1.311.20.2.2) or
- A "Template Name" extension exists and has the value "DomainController".
Microsoft uses the term "Enhanced Key Usage", the correct name according to RFC 5280 is "Extended Key Usage"..
Certification authority certificates must be registered in NTAuthCertificates
The following certification authority certificates must be stored in the Active Directory object "NTAuthCertificates". See also article "Editing the NTAuthCertificates object in Active Directory„.
- The certification authority certificate of the certification authority that issues the domain controller certificates
- The certification authority certificate of the certification authority issuing the user certificates
Certification authority certificates must allow the corresponding extended key usage
The certificate authority certificate of the certification authority issuing the user certificates must support either Extended Key Usage "Smart Card Logon" or "Client Authentication", i.e. it is not prohibited by a corresponding Extended Key Usages extension.
The above requirements are met by default settings, i.e. if a certificate authority integrated into Active Directory is installed, the required settings are set as above. The default certificate templates for domain controllers have the corresponding properties.
Related links:
- Domain Controller Certificate Templates and Smartcard Logon
- Editing the NTAuthCertificates object in Active Directory
- Basics: Restricting Extended Key Usage (EKU) in Certification Authority Certificates
English 
Deutsch
5 thoughts on “Welche Voraussetzungen müssen auf Infrastruktur-Seite erfüllt sein, damit Smartcard-Anmeldungen möglich sind?”
Comments are closed.