Enable smart card or other certificate authentication

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows 7

You can use this procedure to configure smart card or other certificate-based authentication.

Smart card and certificate authentication are considered to be more secure than the traditional combination of a user name and password. Knowledge of the user name and password is inadequate, and you must have access to the smart card or certificate in order to complete the connection. Certificates, including those embedded in a smart card, are encrypted and can be validated against a trusted certification authority.

Check with the administrator of the remote host to which you want to connect for the security options supported by that computer.

Any user account can be used to complete this procedure.

To enable smart card or other certificate authentication

  1. Open the Network Connections folder and view available connections.

  2. Right-click the dial-up, virtual private network (VPN), or broadband (PPPoE) connection on which you want to use smart card or other certificate authentication, and then click Properties.

  3. If you are using typical settings for your smart card, on the Security tab, click Typical (recommended settings), and in the Validate my identity as follows list, click Use smart card, and then click OK.

  4. If you are individually enabling, configuring, and disabling authentication methods and encryption requirements, on the Security tab, click Advanced (custom settings), and then click Settings.

  5. In Logon security, click Use Extensible Authentication Protocol (EAP), select Smart card or other certificate (encryption enabled) from the list, click Properties, and then do the following:

    • If you want to use the certificate on your smart card, click Use my smart card.

    • If you want to use the certificate in the certificate store on your computer, click Use a certificate on this computer.

    • If you want to verify that the server certificate presented to your computer has not expired, has the correct signature, and has a trusted root certification authority, select the Validate server certificate check box.

    • If you only want to connect to specific servers, select the Connect to these servers check box, and then type the names of the servers.

    • If you want to require that the server certificate chain to a particular root certification authority, in Trusted root certification authority, click the appropriate certification authority.

    • If you want to use a different user name when the user name in the smart card or certificate is not the same as the user name in the domain that you are logging on to, select the Use a different user name for the connection check box.
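The three server-side checks in step 5 (Validate server certificate, Connect to these servers, Trusted root certification authority) decide whether the client will hand its credentials to an impostor VPN server. The following added example, which is not part of the original page, builds the EAP-TLS settings in the EapHostConfig XML form that Windows uses for EAP configuration and audits them; the element names and namespaces are assumed from the EAPHost schema rather than taken from this page, the root CA thumbprint is a constructed placeholder, and the prompt check corresponds to the dialog's "Do not prompt user to authorize new servers or trusted certification authorities" check box, which the page does not describe.

```python
import xml.etree.ElementTree as ET

# Namespaces of the Windows EapHostConfig schema for EAP type 13 (assumed from the
# EAPHost schema, not taken from the page).
NS_TLS1 = "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"
NS_TLS2 = "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"

def eap_tls_config(validate, server_names="", root_ca="", no_prompt=False, use_smart_card=True):
    """Build the <EapType> fragment that the step-5 dialog settings map to."""
    source = "<SmartCard/>" if use_smart_card else "<CertificateStore/>"
    pinned = f"<TrustedRootCA>{root_ca}</TrustedRootCA>" if root_ca else ""
    return f"""<EapType xmlns="{NS_TLS1}">
  <CredentialsSource>{source}</CredentialsSource>
  <ServerValidation>
    <DisableUserPromptForServerValidation>{str(no_prompt).lower()}</DisableUserPromptForServerValidation>
    <ServerNames>{server_names}</ServerNames>{pinned}
  </ServerValidation>
  <DifferentUsername>false</DifferentUsername>
  <PerformServerValidation xmlns="{NS_TLS2}">{str(validate).lower()}</PerformServerValidation>
</EapType>"""

def audit_eap_tls(xml_text):
    """Return the findings for an EAP-TLS client config; an empty list means hardened."""
    root = ET.fromstring(xml_text)

    def text(ns, name):
        el = root.find(f".//{{{ns}}}{name}")
        return (el.text or "").strip() if el is not None else ""

    findings = []
    # 'Validate server certificate' off: the client accepts any server certificate.
    if text(NS_TLS2, "PerformServerValidation") != "true":
        findings.append("server certificate validation disabled")
        return findings
    # 'Connect to these servers' empty: any name the trusted CA has issued is accepted.
    if not text(NS_TLS1, "ServerNames"):
        findings.append("no server name restriction")
    # 'Trusted root certification authority' not chosen: any trusted root qualifies.
    if not text(NS_TLS1, "TrustedRootCA"):
        findings.append("no trusted root CA pinned")
    # Prompting lets the user accept a server that failed validation.
    if text(NS_TLS1, "DisableUserPromptForServerValidation") != "true":
        findings.append("user may authorize unvalidated servers")
    return findings
```

Calling `audit_eap_tls(eap_tls_config(validate=True, server_names="vpn.example.com", root_ca="00 11 22 33", no_prompt=True))` with these constructed values returns an empty list, while `eap_tls_config(validate=False)` yields the single finding that validation is disabled.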

Additional considerations

  • If, for example, you work for a consulting company where you need to log on to the domain of the company to which you are assigned, but your smart card contains a user name specific to your home company, select the Use a different user name for the connection check box.

  • If you select the Use a different user name for the connection check box, your certificate is exported without private keys and submitted to the administrator of your remote server to be explicitly mapped to your domain user account.

Additional references

  • Configure identity authentication and data encryption settings

  • Configuring Terminal and Scripting Options