Smart card and other certificate authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


If a user certificate is installed (either in the certificate store on your computer or on a smart card), Extensible Authentication Protocol (EAP) is enabled, and the Smart Card or other Certificate EAP type (EAP-TLS) is selected, you can use certificate-based authentication in a single network logon process, which provides tamper-resistant storage of authentication information.

A certificate is an encrypted set of authentication credentials. A certificate includes a digital signature from the certification authority that issued the certificate. In the EAP-TLS certificate authentication process, your computer presents its user certificate to the remote access server, and the remote access server presents its computer certificate to your computer, providing mutual authentication. Certificates are authenticated by using a public key to verify the included digital signature. The digital signature is contained in a trusted root certification authority certificate that is stored on your computer. These trusted root certificates are the basis for certificate verification. The Windows Server 2003 family provides many trusted root certificates. You should add or remove trusted root certificates only if your system administrator advises.

Certificates can reside either in the certificate store on your computer or on a smart card. A smart card is a credit-card-sized device that is inserted into a smart card reader, which is either installed internally in your computer or connected externally to your computer.

If you configure the advanced security settings for a connection, you can choose to use a smart card or other certificate, and you can specify particular certificate requirements. For example, you can specify that the computer certificate for the server must be validated, that the server name must end in a particular value, and that the computer certificate must be issued by a specific trusted root certification authority for the server.
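The three server-validation settings just described (validate the server certificate, require the server name to end in a given value, and require a specific trusted root CA) modelled as a client-side policy check. This is an added example, not Microsoft's code; `Cert`, `EapTlsPolicy` and `validate_server` are assumed names, the certificates are constructed sample data, and only issuer/subject linkage plus root thumbprints are checked, not signatures.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Cert:
    subject: str      # subject common name (the RAS server's DNS name for a leaf)
    issuer: str       # issuer common name; equal to subject for a self-signed root
    thumbprint: str   # constructed stand-in for the certificate hash

@dataclass
class EapTlsPolicy:
    validate_server_cert: bool = True
    server_name_suffix: Optional[str] = None            # "server name must end in"
    trusted_roots: List[str] = field(default_factory=list)  # allowed root thumbprints

def name_ends_in(name: str, suffix: str) -> bool:
    """Stricter than a plain string suffix test: the match must sit on a label
    boundary, so 'ras01.corp.contoso.com' matches 'corp.contoso.com' while
    'ras.badcorp.contoso.com' does not (assumed hardening, not the GUI's exact rule)."""
    name, suffix = name.lower().rstrip("."), suffix.lower().strip(".")
    return name == suffix or name.endswith("." + suffix)

def validate_server(server: Cert, presented: Dict[str, Cert],
                    store_roots: Dict[str, Cert], policy: EapTlsPolicy) -> str:
    """Return 'accept' or the reason for rejection. `presented` maps subject -> cert for
    intermediates sent by the peer; `store_roots` maps subject -> root in the local
    trusted root store. Signatures are assumed verified elsewhere (not modelled)."""
    if not policy.validate_server_cert:
        return "accept"            # user chose not to validate the server certificate
    if policy.server_name_suffix and not name_ends_in(server.subject, policy.server_name_suffix):
        return "server name does not end in the required value"
    cur, hops = server, 0
    while cur.issuer != cur.subject:                    # walk up until self-signed
        nxt = store_roots.get(cur.issuer) or presented.get(cur.issuer)
        if nxt is None:
            return "issuer not found; chain does not reach a trusted root"
        cur, hops = nxt, hops + 1
        if hops > 10:
            return "chain too long"
    root = store_roots.get(cur.subject)
    if root is None or root.thumbprint != cur.thumbprint:   # compare against the store copy
        return "chain ends in a root that is not in the trusted root store"
    if policy.trusted_roots and root.thumbprint not in policy.trusted_roots:
        return "root is trusted but is not the one this connection requires"
    return "accept"

# Constructed sample data: a corporate root, an unrelated trusted root, one issuing CA.
ROOT = Cert("Contoso Root CA", "Contoso Root CA", "ROOT-THUMB-01")
OTHER_ROOT = Cert("Other Root", "Other Root", "ROOT-THUMB-02")
INTER = Cert("Contoso Issuing CA", "Contoso Root CA", "INT-THUMB-01")
STORE = {c.subject: c for c in (ROOT, OTHER_ROOT)}
PRESENTED = {INTER.subject: INTER}
SERVER = Cert("ras01.corp.contoso.com", "Contoso Issuing CA", "SRV-THUMB-01")
POLICY = EapTlsPolicy(server_name_suffix="corp.contoso.com", trusted_roots=["ROOT-THUMB-01"])
```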

When you double-click New Connection Wizard in the Network Connections folder and a smart card reader is installed, Windows detects it and prompts you to use it as the authentication method for the connection. If you decide not to use the smart card at the time you create a connection, you can modify the connection to use the smart card or other certificate at a later time. For more information, see Enable smart card or other certificate authentication.

If you are a member of an Active Directory domain, and need to request a certificate, see Request a certificate. If you are not a member of an Active Directory domain, or you need to request a certificate from the Internet, see Submit a user certificate request via the Web. For information about mobile users and certificates, see Mobile users and certificates.