Microsoft KB Archive/313557

= HOW TO: Install a Smart Card Reader in Windows 2000 =

PSS ID Number: 313557

Article Last Modified on 12/3/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional
 * Microsoft Small Business Server 2000

-



This article was previously published under Q313557



IN THIS TASK

 * SUMMARY
 * To Install a Smart Card Reader on a Computer
 * To Enable Smart Card or Other Certificate Authentication
 * To Log On to a Computer with a Smart Card
 * Use Plug and Play Smart Card Readers
 * Troubleshooting
 * REFERENCES



SUMMARY
This article describes how to install a smart card reader.

Logging on to a network with a smart card provides a strong form of authentication because cryptography-based identification and proof of possession are used when a user is authenticated on a domain. For example, if a malicious person obtains a user's password, that person can assume the user's identity on the network with the password alone. Many people choose passwords that they can remember easily, which makes passwords inherently weak and open to attack. With a smart card, the malicious person would have to obtain both the user's smart card and the personal identification number (PIN) to impersonate the user. This combination is more difficult to attack because a second factor (possession of the card) is needed in addition to the PIN. An additional benefit is that a smart card is locked after a small number of consecutive unsuccessful PIN entries; because the card itself enforces this retry limit, an attacker who obtains the card cannot run a "dictionary" attack against the PIN. Note that a PIN does not have to be a series of numbers; depending on the card, it can also use other alphanumeric characters.

back to the top

To Install a Smart Card Reader on a Computer
If your reader includes instructions from the manufacturer, use those instructions. If no instructions are included, use the following general procedure:
 * 1) Make sure that you have the Windows 2000 CD-ROM and any media from the smart card reader manufacturer that contains the appropriate device drivers.
 * 2) Shut down and turn off the computer.
 * 3) Depending on the type of reader you purchased, connect your reader to an available serial port or insert the PC Card reader into an available PC Card Type II slot.
 * 4) If your serial reader has a supplementary PS/2 cable or connector, connect your keyboard or mouse cable to the reader's pass-through connector, and then plug that into your computer's keyboard or mouse port. Many newer smart card readers take power from the keyboard or mouse port because power is not always provided by RS-232 ports and a separate power supply can be expensive and cumbersome.
 * 5) Restart your computer and log on as an administrator.
 * 6) Use one of the following methods:
   * If the device driver for the smart card reader is available in the Driver.cab file that is installed automatically with Windows 2000, the smart card reader is installed without any prompts or intervention. This may take a few minutes.

     You can confirm that the reader was installed if the Unplug or Eject Hardware icon appears in the status area of the taskbar (if the icon was not previously present), if the reader appears in the list of hardware devices in the Unplug or Eject Hardware dialog box, or if the reader is listed under Smart card readers in Device Manager.
   * If the device driver for the smart card reader is not available in the Driver.cab file, the Add/Remove Hardware Wizard starts. Follow the instructions for installing the device driver.

     You may be prompted for the media (such as a CD-ROM or floppy disk) from the smart card reader manufacturer that contains the device driver. Or, your administrator may tell you about a network share from which to obtain the driver.

If the smart card reader is not installed automatically and the Add/Remove Hardware Wizard does not start automatically, your smart card reader may not be a Plug and Play device. Contact the smart card reader manufacturer to obtain the device driver and instructions about how to install and configure the device.
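The confirmation step above can be scripted. The following is an added example, not code from the original KB article: it checks that a reader was installed by Plug and Play (and that its driver actually started) and that the Smart Card Resource Manager service, which Winlogon and the card's cryptographic service provider rely on, is running. It assumes a Windows version with Windows PowerShell (Windows 2000 itself does not ship PowerShell; there, make the same checks in Device Manager and the Services snap-in), and it assumes the service name SCardSvr and the Smart card readers device class GUID {50DD5230-BA8A-11D1-BF5D-0000F805F530}.

```powershell
# Added example; not code from the original KB article.
# Assumptions: Windows PowerShell is available, the Smart Card service is
# named SCardSvr, and readers belong to the SmartCardReader device class GUID.
$SmartCardReaderClassGuid = '{50DD5230-BA8A-11D1-BF5D-0000F805F530}'

function Get-SmartCardReaderStatus {
    # Readers installed by Plug and Play appear as PnP entities in the
    # "Smart card readers" device class. ConfigManagerErrorCode 0 means the
    # driver loaded and the device started; anything else is a driver problem.
    $readers = @(Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.ClassGuid -eq $SmartCardReaderClassGuid })

    # A working reader is useless for logon unless the Smart Card Resource
    # Manager service is running.
    $svc = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
    $svcStatus = 'NotInstalled'
    if ($svc) { $svcStatus = $svc.Status.ToString() }

    New-Object PSObject -Property @{
        ReadersFound  = @($readers | Where-Object { $_.ConfigManagerErrorCode -eq 0 } |
                          ForEach-Object { $_.Name })
        ReadersFailed = @($readers | Where-Object { $_.ConfigManagerErrorCode -ne 0 } |
                          ForEach-Object { '{0} (CM error {1})' -f $_.Name, $_.ConfigManagerErrorCode })
        ServiceStatus = $svcStatus
    }
}

$status = Get-SmartCardReaderStatus
$status | Format-List ReadersFound, ReadersFailed, ServiceStatus

# Interpret the result the way the article's checklist does.
if ($status.ReadersFound.Count -eq 0 -and $status.ReadersFailed.Count -eq 0) {
    Write-Warning 'No smart card reader was installed. The reader may not be Plug and Play; obtain the driver from the manufacturer.'
}
foreach ($r in $status.ReadersFailed) {
    Write-Warning "Reader installed but not started: $r. Check the driver in Device Manager."
}
if ($status.ServiceStatus -ne 'Running') {
    Write-Warning "Smart Card service is $($status.ServiceStatus). If it is Stopped, run: Start-Service SCardSvr"
}
```

Run it in an elevated session after step 6; a reader that shows up in ReadersFailed is the case the article describes as "the Add/Remove Hardware Wizard did not finish", and a Stopped service explains a reader that appears in Device Manager but never prompts for a PIN at logon.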

back to the top

To Enable Smart Card or Other Certificate Authentication
 * 1) Click Start, point to Settings, and then click Network and Dial-up Connections.
 * 2) Right-click the dial-up, VPN, or incoming connection on which you want to use smart card or other certificate authentication, and then click Properties.
 * 3) If you are using typical settings for your smart card, click Typical (recommended settings) on the Security tab, and then click Use smartcard in the Validate my identity as follows box.
 * 4) If you are individually enabling, configuring, and disabling authentication methods and encryption requirements, click Advanced (custom settings) on the Security tab, and then click Settings. Under Logon security, click Use Extensible Authentication Protocol (EAP), click Smart card or other certificate (TLS) (encryption enabled), click Properties, and then use one or more of the following options:
   * To use the certificate that resides on your smart card, click Use my smartcard.
   * To use the certificate that resides in the certificate store on your computer, click Use a certificate on this computer.
   * To verify that the server certificate presented to your computer has not expired, has a valid signature, and chains to a trusted root certification authority, select the Validate server certificate check box. If this check box is cleared, the client accepts any server certificate, so a rogue access server can impersonate yours; leave it selected.
   * To connect only to servers in a particular domain, select the Connect only if server name ends with check box, and then type the name of the domain.
   * To require that the server certificate chain to a particular root certification authority, click that authority in the Trusted root certificate authority box.
   * To use a different user name if the user name in the smart card or certificate is not the same as the user name in the domain to which you are logging on, select the Use a different user name for the connection check box.

Notes:

 * If, for example, you want to connect only to servers in the Microsoft.com domain, type Microsoft.com in the Connect only if server name ends in box.
 * If, for example, you are working for a consulting company and you must log on to the domain of the company to which you are assigned, but your smart card contains a user name that is specific to your home company, select the Send a different user name from the one on the smartcard or certificate check box.
 * If you select the Send a different user name from the one on the smartcard or certificate check box, your certificate is exported without private keys and submitted to your system administrator to be explicitly mapped to your domain user account.
 * If you select the Connect only if server name ends with check box, and you do not type a domain name, you are prompted to use the domain name in the server certificate when you connect.

back to the top

To Log On to a Computer with a Smart Card
To log on to a computer with a smart card, you do not need to press CTRL+ALT+DELETE. When you insert the smart card into the smart card reader, you are prompted for your personal identification number (PIN) instead of your user name and password (and, if applicable, your domain).

To log on to a computer with a smart card:
 * 1) When the logon screen is displayed, insert your smart card in the smart card reader.
 * 2) Type the PIN for your smart card when you are prompted.

If the PIN is correct, you are logged on to the computer and to the domain, with the permissions that are assigned to your user account by the domain administrator.

If you type an incorrect PIN for a smart card several times in a row, the card locks and you cannot log on to the computer with that smart card. The number of allowable incorrect attempts before the card locks varies according to the smart card manufacturer. Contact your administrator to have the card unblocked or a new PIN issued.

back to the top

Use Plug and Play Smart Card Readers
On Windows 2000-based computers, Microsoft recommends that you use only smart card readers that have been tested by the Microsoft Windows Hardware Quality Lab and that have obtained the Windows-compatible logo.

Microsoft does not recommend that you use smart card readers that are not Plug and Play-compliant on Windows 2000-based computers. If you are using such a reader, you must obtain installation instructions (and the device drivers) directly from the manufacturer of the smart card reader. Microsoft does not support the use of non-Plug and Play smart card readers.

Windows 2000 includes drivers for a set of supported Plug and Play smart card readers. The driver for such a reader is installed only when Windows detects that the corresponding reader has been connected.

back to the top

Troubleshooting
 * When you log off from a workstation that has a smart card reader installed, there may be a delay of up to one minute.

   This delay can occur if you log on to a workstation, lock the workstation and let a screen saver run for a few minutes, unlock the workstation, and then log off. The delay occurs in the Winlogon process. To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

   260910 How to Obtain the Latest Windows 2000 Service Pack

 * When you use a Web folder that requires a security certificate, you are prompted to select a certificate and supply a PIN for each program that attempts to access the Web share.

   This issue occurs because certificates are not globally cached on the workstation. Each process must query for the smart card PIN when it first uses a certificate that is stored on the smart card. To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

   260910 How to Obtain the Latest Windows 2000 Service Pack

 * When you attempt to log on with a password, you may receive the following error message:

   Your account has been disabled. Please see your system administrator.

   This behavior can occur if your account is configured to allow logging on only with a smart card (the Smart card is required for interactive logon option on the Account tab of the user account in Active Directory Users and Computers), but you attempt to log on with a password. The account is not actually disabled. You cannot log on without using a smart card until your administrator removes this restriction from your user account.
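Because the same "account has been disabled" message covers both a genuinely disabled account and one that is only restricted to smart card logon (the logon and troubleshooting sections above), an administrator needs to look at the account's userAccountControl flags to tell the two apart. The following is an added example, not code from the original KB article: it decodes the two relevant bits from constructed values, and, optionally, reads them from Active Directory and enumerates every smart-card-only account. It assumes a domain-joined machine with Windows PowerShell (not Windows 2000 itself), the documented flag values ACCOUNTDISABLE = 0x2 and SMARTCARD_REQUIRED = 0x40000, and the Active Directory bitwise-AND matching rule 1.2.840.113556.1.4.803; the account name jdoe is a placeholder.

```powershell
# Added example; not code from the original KB article.
# Assumptions: Windows PowerShell on a domain-joined machine, the documented
# userAccountControl bit values below, and the AD LDAP_MATCHING_RULE_BIT_AND
# OID. The account name 'jdoe' is a placeholder.
$UAC_ACCOUNTDISABLE     = 0x00002
$UAC_NORMAL_ACCOUNT     = 0x00200
$UAC_SMARTCARD_REQUIRED = 0x40000

function Test-SmartCardLogonState {
    param([Parameter(Mandatory=$true)][int]$UserAccountControl)
    # Distinguish the two conditions that both surface at the logon prompt as
    # "Your account has been disabled".
    $disabled   = ($UserAccountControl -band $UAC_ACCOUNTDISABLE) -ne 0
    $scRequired = ($UserAccountControl -band $UAC_SMARTCARD_REQUIRED) -ne 0
    $diagnosis = if ($disabled) {
        'Account is disabled (ACCOUNTDISABLE); an administrator must enable it.'
    } elseif ($scRequired) {
        'Account is not disabled, but "Smart card is required for interactive logon" is set; password logon is refused. Use the card, or have an administrator clear the option.'
    } else {
        'Neither flag is set; the error has another cause (check lockout and password expiry).'
    }
    New-Object PSObject -Property @{
        UserAccountControl = ('0x{0:X}' -f $UserAccountControl)
        Disabled           = $disabled
        SmartCardRequired  = $scRequired
        Diagnosis          = $diagnosis
    }
}

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping so a caller-supplied name cannot change the filter.
    # Backslash is escaped first so the escapes themselves are not re-escaped.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-DomainUserUac {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $name = ConvertTo-LdapFilterValue $SamAccountName
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$name))"
    [void]$searcher.PropertiesToLoad.Add('userAccountControl')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found in the domain." }
    [int]$result.Properties['useraccountcontrol'][0]
}

function Get-SmartCardRequiredAccounts {
    # Enumerate every account restricted to smart card logon. The bitwise-AND
    # matching rule makes the domain controller test the flag, so only matching
    # accounts are returned.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$UAC_SMARTCARD_REQUIRED))"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}

# Constructed values, no directory needed: a normal account restricted to
# smart card logon, and one that is genuinely disabled.
Test-SmartCardLogonState ($UAC_NORMAL_ACCOUNT -bor $UAC_SMARTCARD_REQUIRED) | Format-List
Test-SmartCardLogonState ($UAC_NORMAL_ACCOUNT -bor $UAC_ACCOUNTDISABLE)     | Format-List

# Against a live domain (placeholder account name):
# Test-SmartCardLogonState (Get-DomainUserUac 'jdoe') | Format-List
# Get-SmartCardRequiredAccounts
```

The first constructed call reports SmartCardRequired true and Disabled false, which is exactly the troubleshooting case above; the second reports Disabled true. Running Get-SmartCardRequiredAccounts periodically is also a cheap way to confirm that accounts meant to be smart-card-only have not had the restriction quietly removed.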

back to the top
