Smart cards and remote access VPN connections

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The use of smart cards for user authentication is the strongest form of authentication in the Windows Server 2003 family. For remote access VPN connections, you must use Extensible Authentication Protocol (EAP) with the Smart card or other certificate (TLS) EAP type, also known as EAP-Transport Layer Security (EAP-TLS).

To use smart cards for remote access VPN authentication, you must do the following:

  • Configure the VPN server to provide remote access VPN services.

  • Install a computer certificate on the VPN server.

  • Enable a smart card logon process for the domain.

  • Enable EAP and configure the Smart card or other certificate (TLS) EAP type on the VPN server computer.

  • Enable smart card authentication on the VPN connection on the remote access client computer.

Configuring the VPN server to provide remote access VPN services

Configure the VPN server running Windows Server 2003 as described in Deploying Remote Access VPNs.

Installing a computer certificate on the VPN server

To configure EAP-TLS on the VPN server computer, you must install a computer certificate, also known as a machine certificate. To install a computer certificate on the VPN server computer, a certification authority (CA) must be present to issue certificates. Once the CA is configured, you can install a certificate on the VPN server computer in one of three ways:

  • By configuring the automatic enrollment, or auto-enrollment, of computer certificates to computers in a Windows Server 2003 domain.

  • By using the Certificates snap-in to request and install a computer certificate.

  • By using your browser to connect to the CA Web enrollment pages to request and install a certificate on the local computer or to a floppy disk for installation on another computer, such as a user's home computer.

You need to use only one of these enrollment methods; which one you use depends on the certificate policies in your organization.

For more information, see Network access authentication and certificates.

To configure a CA and install the computer certificate, perform the following steps:

  1. If you do not already have an enterprise root CA:

    1. Promote the computer that will be a CA to a domain controller (DC), if necessary.

    2. Install the Certificate Services component on a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition; as an enterprise root CA. For more information, see Install an enterprise root certification authority.

  2. To auto-enroll computer certificates, configure the Windows Server 2003 domain. For more information, see Configure automatic certificate allocation from an enterprise CA.

    To create a computer certificate for the VPN server that is a member of the domain for which auto-enrollment is configured (as well as other computers that are members of the domain), restart the computer or type gpupdate /target:computer from a Windows Server 2003 command prompt.

  3. To manually enroll computer certificates, use the Certificates snap-in to install the CA root certificate, or use your browser to connect to the CA Web enrollment pages. For more information, see Use Windows Server 2003 Certificate Services Web Pages, Manage certificates for a computer, and Request a certificate.

Note

  • VPN servers that terminate connections for remote users must have a certificate that contains the Server Authentication purpose in the Enhanced Key Usage extension. VPN servers that are used for site-to-site VPN connections both originate and terminate connections. For this reason, the certificate on these servers must contain both the Server Authentication purpose and the Client Authentication purpose in the Enhanced Key Usage extension. For more information, see Network access authentication and certificates.
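The Enhanced Key Usage requirement in the note above can be verified against the certificates in the VPN server's machine store before EAP-TLS is enabled. The following PowerShell script is an added example and is not part of the original article; it assumes Windows PowerShell with the certificate provider (the Cert: drive) is available on the server, and the function names Get-EnhancedKeyUsageOids and Test-VpnServerCertificate and the role names RemoteAccess and SiteToSite are this example's own. It also reports the other properties EAP-TLS depends on (a private key on this machine, a current validity period, and a chain to a trusted root), which the note does not spell out.

```powershell
# Added example (not from the original article). Assumes Windows PowerShell with the
# Cert: provider. Function and role names are this example's own.

# Enhanced Key Usage OIDs for the two purposes named in the article's note.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

function Get-EnhancedKeyUsageOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # The Enhanced Key Usage extension has OID 2.5.29.37; a certificate may not carry one.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }
    $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ext, $false)
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-VpnServerCertificate {
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        # RemoteAccess: the server only terminates connections -> Server Authentication.
        # SiteToSite: the server originates and terminates -> Server and Client Authentication.
        [ValidateSet('RemoteAccess','SiteToSite')]
        [string] $Role = 'RemoteAccess'
    )
    $oids = @(Get-EnhancedKeyUsageOids -Certificate $Certificate)
    $hasServerAuth = $oids -contains $ServerAuthOid
    $hasClientAuth = $oids -contains $ClientAuthOid
    $ekuOk = if ($Role -eq 'SiteToSite') { $hasServerAuth -and $hasClientAuth } else { $hasServerAuth }

    # EAP-TLS also needs the private key on this machine, a certificate that is currently
    # within its validity period, and a chain that builds to a root this machine trusts.
    $now = Get-Date
    $timeOk  = ($Certificate.NotBefore -le $now) -and ($Certificate.NotAfter -gt $now)
    $chainOk = $Certificate.Verify()

    New-Object PSObject -Property @{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        Role          = $Role
        ServerAuth    = $hasServerAuth
        ClientAuth    = $hasClientAuth
        HasPrivateKey = $Certificate.HasPrivateKey
        InValidity    = $timeOk
        ChainValid    = $chainOk
        Suitable      = $ekuOk -and $Certificate.HasPrivateKey -and $timeOk -and $chainOk
    }
}

# Evaluate every certificate in the local machine's Personal store for the site-to-site role;
# use -Role RemoteAccess for a server that only terminates remote user connections.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-VpnServerCertificate -Certificate $_ -Role SiteToSite } |
    Format-Table Subject, ServerAuth, ClientAuth, HasPrivateKey, InValidity, ChainValid, Suitable -AutoSize
```

Run the script on the VPN server itself, because HasPrivateKey and the chain check in Verify() depend on that machine's key store and trusted root store. At least one certificate should show Suitable as True for the role you selected; if a certificate shows ServerAuth True but ClientAuth False, it satisfies a remote access server but not a site-to-site endpoint, which matches the distinction in the note.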

Enabling a smart card logon process for the domain

To enable a smart card logon process for the domain, complete the following procedures:

  1. Prepare a certification authority to issue smart card certificates

  2. Prepare a smart card certificate enrollment station

  3. Set up a smart card for user logon

Configuring the VPN server for smart card remote access

To configure the VPN server running Windows Server 2003 for smart card remote access, see Configure smart card remote access.

Configuring the remote access client for smart card remote access

You need to install a smart card reader on the remote access client computer. For more information, see Install a smart card reader on a computer.

Once a smart card reader is installed on a computer running Windows XP, you are prompted to choose whether to use the smart card for authentication when you create dial-up or VPN connections.

For existing dial-up or VPN connections, you can enable smart card authentication from the properties of the dial-up or VPN connection. For more information, see Enable smart card or other certificate authentication.

Note

  • On Windows Server 2003, Web Edition, and Windows Server 2003, Standard Edition, you can create up to 1,000 Point-to-Point Tunneling Protocol (PPTP) ports, and you can create up to 1,000 Layer Two Tunneling Protocol (L2TP) ports. However, Windows Server 2003, Web Edition, can accept only one virtual private network (VPN) connection at a time. Windows Server 2003, Standard Edition, can accept up to 1,000 concurrent VPN connections. If 1,000 VPN clients are connected, further connection attempts are denied until the number of connections falls below 1,000.