Microsoft KB Archive/313490

= HOW TO: Enroll a Certificate on Behalf of Another for Smart Card Users =

PSS ID Number: 313490

Article Last Modified on 6/6/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Professional
 * Microsoft Windows 2000 Server

-



This article was previously published under Q313490



IN THIS TASK

 * SUMMARY
 * Obtain an Enrollment Agent Certificate
 * Set Up a Smart Card for Another User



SUMMARY
In a high-security environment, ordinary user name and password authentication may not be sufficient to protect sensitive network data from unauthorized access. Deploying smart cards for user logon increases security because logon then requires two factors: the user must physically possess the card and must know its PIN.

Smart card authentication is based on digital certificates that are issued by a certification authority (CA) as part of your organization's public key infrastructure (PKI). Microsoft recommends that you enroll smart card certificates and keys by using the Smart Card Enrollment Station, which is part of Certificate Services in the Windows 2000 Server family and is installed automatically when you install an enterprise CA.

To enroll for a smart card certificate directly, a user needs Enroll permission on the certificate template in Active Directory. However, the holder of an enrollment agent certificate (by default, domain administrators can obtain one) can enroll on behalf of another user and install either a Smart Card Logon certificate or a Smart Card User certificate on that user's card. A Smart Card Logon certificate is used only for logon authentication; a Smart Card User certificate can also be used to send secure e-mail messages.

Note that an enrollment agent certificate lets its holder obtain a logon-capable certificate for any user account in the domain, so treat it as a credential equivalent to a domain administrator account: limit Enroll permission on the Enrollment Agent template to the few accounts that operate the enrollment station, and keep the agent's private key on a smart card rather than in a software key store.

Obtain an Enrollment Agent Certificate
Before you can request and enroll a certificate on behalf of another user, you must have an enrollment agent certificate, which is issued from the Enrollment Agent template. To obtain the enrollment agent certificate:
 * 1) Log on to a Windows 2000-based computer that will be used as the smart card enrollment station. A smart card reader must be installed on this computer.
 * 2) In the Certificates MMC snap-in, expand the Certificates - Current User node in the left console pane.
 * 3) Right-click the Personal node, point to All Tasks, and then click Request New Certificate.
 * 4) The Certificate Request Wizard guides you through the steps. Select the Enrollment Agent certificate template, and then type a friendly name for the certificate.
 * 5) Click Install Certificate when prompted. To install the certificate on a smart card instead of in the software key store, use Advanced Options and select the smart card vendor's cryptographic service provider (CSP).

Set Up a Smart Card for Another User
After the enrollment agent certificate is installed, set up a smart card for another user:
 * 1) Log on as the enrollment agent, using the account for which you requested the enrollment agent certificate.
 * 2) Open the Certificate Services Web pages of the CA in your organization that issues smart card certificates. In Microsoft Internet Explorer, type the address of the CA in the Address box, and then press ENTER. The address is typically http://servername/certsrv.
 * 3) Click Request a certificate, and then click Next.
 * 4) Click Advanced request, and then click Next.
 * 5) Click Request a certificate for a smart card on behalf of another user using the Smart Card Enrollment Station, and then click Next.
 * 6) Click Yes when you are prompted to accept the smart card signing certificate.
 * 7) In the Certificate Template box, select the type of smart card certificate you want to request: Smart Card Logon (authentication only) or Smart Card User (authentication and secure e-mail).
 * 8) In the Certification Authority box, click the name of the CA that will issue the certificate.
 * 9) In the Cryptographic Service Provider box, select the CSP designated by the smart card vendor.
 * 10) In the Administrator Signing Certificate box, click the enrollment agent certificate that will be used to sign the request.
 * 11) Type the user account name of the user for whom you are requesting and installing the certificate. Check the name before you submit the request: the card will log on as whichever account you enter here.
 * 12) Click Submit Certificate Request.

You are prompted to insert the smart card into the reader and to type a PIN. If you are reusing a card that already has a certificate installed, you may be prompted to confirm that you want to replace the existing certificate; click Yes. The certificate is installed on the card, and you can then view it or start the process again to request another certificate.
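The following checks cover both procedures above: they confirm that the enrollment agent certificate obtained in the first procedure has its key on the card rather than in the software key store, verify a certificate written to a user's card in the second procedure (template EKUs, the UPN it will log on as, chain), and list from the CA database who holds enrollment agent certificates. This is an added example, not code from the KB article, and it is written in Windows PowerShell, so it runs on an enrollment station or CA newer than Windows 2000 (on Windows 2000 itself, certutil -dump shows the same certificate fields). The OIDs are Microsoft's real template OIDs; the .cer path, the UPN and the CA config string in the usage lines are assumed placeholders.

```powershell
# Added example, not code from the KB article: post-enrollment checks for
# the enrollment agent certificate and for a certificate written to a user's
# smart card. Windows PowerShell; the OIDs are real, the usage values at the
# bottom (.cer path, UPN, CA config) are assumed placeholders.

$OidCertRequestAgent = '1.3.6.1.4.1.311.20.2.1'   # EKU: Certificate Request Agent (Enrollment Agent template)
$OidSmartCardLogon   = '1.3.6.1.4.1.311.20.2.2'   # EKU: Smart Card Logon
$OidClientAuth       = '1.3.6.1.5.5.7.3.2'        # EKU: Client Authentication
$OidSecureEmail      = '1.3.6.1.5.5.7.3.4'        # EKU: Secure Email (Smart Card User template only)

function Get-CertEkuOids {
    # Returns the EKU OIDs of a certificate as strings (empty array if none).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }
    $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-EnrollmentAgentCert {
    # Finds every enrollment agent certificate in the current user's store and
    # reports where its private key lives. An agent certificate can obtain a
    # logon certificate for any account, so one whose key sits in the software
    # key store (OnSmartCard = False) is a domain-admin-equivalent secret on disk.
    # Opening the key container may prompt for the card PIN.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { (Get-CertEkuOids $_) -contains $OidCertRequestAgent } |
        ForEach-Object {
            $provider = 'no private key'
            $hardware = $false
            if ($_.HasPrivateKey) {
                $csp = $null
                try { $csp = $_.PrivateKey.CspKeyContainerInfo } catch { }
                if ($csp) {                  # legacy CSP key, the path this article uses
                    $provider = $csp.ProviderName
                    $hardware = $csp.HardwareDevice
                } else {                     # CNG key: inspect with "certutil -user -store My"
                    $provider = 'CNG key'
                }
            }
            New-Object PSObject -Property @{
                Subject     = $_.Subject
                Thumbprint  = $_.Thumbprint
                NotAfter    = $_.NotAfter
                Provider    = $provider
                OnSmartCard = $hardware
            }
        }
}

function Test-SmartCardCert {
    # Checks a certificate from a newly written card (exported to a .cer file,
    # or taken from the CA's Issued Certificates folder) before the card is
    # handed out: the EKUs the chosen template should carry, a UPN that names
    # the intended account, and a chain that builds to a trusted CA. The
    # account name in step 11 is typed by hand; the UPN check catches a card
    # that was issued for the wrong user.
    param(
        [Parameter(Mandatory=$true)][string]$CerPath,
        [Parameter(Mandatory=$true)][string]$ExpectedUpn
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $eku   = Get-CertEkuOids $cert
    $upn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $built = $chain.Build($cert)
    New-Object PSObject -Property @{
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        HasSmartCardEku  = ($eku -contains $OidSmartCardLogon)
        HasClientAuthEku = ($eku -contains $OidClientAuth)
        HasSecureEmail   = ($eku -contains $OidSecureEmail)   # expected only for Smart Card User
        Upn              = $upn
        UpnMatches       = ($upn -eq $ExpectedUpn)            # -eq is case-insensitive in PowerShell
        ChainBuilds      = $built
        ChainStatus      = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

function Get-IssuedEnrollmentAgentCerts {
    # Lists from the CA database every certificate issued from the Enrollment
    # Agent template and who requested it, so the set of agents can be reviewed.
    # Run on the CA, or pass -CAConfig 'CAHOST\CA Name' to query it remotely.
    param([string]$CAConfig)
    $cuArgs = @('-view', '-restrict', 'CertificateTemplate=EnrollmentAgent',
                '-out', 'RequesterName,NotBefore,NotAfter,SerialNumber')
    if ($CAConfig) { $cuArgs = @('-config', $CAConfig) + $cuArgs }
    & certutil.exe @cuArgs
}

# Usage (placeholders: adjust the path, UPN and CA config to your environment).
Get-EnrollmentAgentCert | Format-Table -AutoSize
Test-SmartCardCert -CerPath 'C:\cards\jdoe.cer' -ExpectedUpn 'jdoe@corp.example' | Format-List
Get-IssuedEnrollmentAgentCerts -CAConfig 'CA01\Corp Issuing CA'
```

A card that passes Test-SmartCardCert but shows HasSecureEmail = True was issued from the Smart Card User template; if only logon was intended, re-issue it from Smart Card Logon. Any agent certificate that Get-EnrollmentAgentCert reports with OnSmartCard = False should be moved to a card or revoked, since its software-stored key can be exported and used to mint logon certificates for arbitrary accounts.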

Keywords: kbhowto kbHOWTOmaster KB313490

Technology: kbwin2000Pro kbwin2000ProSearch kbwin2000Search kbwin2000Serv kbwin2000ServSearch

-

© 2004 Microsoft Corporation. All rights reserved.