How to Support Smart Card Logon for Remote Access VPN Connections

On This Page

Introduction
Smart Card Technologies
Smart Card Logon for Remote Access VPN Scenario
Summary

Introduction

Advances in communication technologies, driven by the need to keep costs down and stay competitive in an expanding marketplace, enable organizations not only to maintain communication channels 24 hours a day, seven days a week, but also to provide connectivity to business data and services from remote locations.

The Internet provides organizations and individuals with the ability to use computers to communicate and share data throughout the world, providing such benefits as accessibility, scalability, performance, and a reduction in business-related costs. However, the Internet is a non-secure, potentially hostile environment for organizations to operate in. The challenge is for organizations to harness the benefits that the Internet provides while they maintain necessary levels of data and communication security.

Virtual private networks (VPNs) enable organizations to utilize the Internet while helping to limit exposure for data and communication channels; they do this by providing a number of security features, including reliable authentication and encryption mechanisms.

Who Should Read This Guide

The intended audience for this guide includes information technology (IT) professionals who are responsible for deploying a VPN service in their network environments.

The information in this guide applies to small-to-medium businesses that must deliver reliable remote access to their networks.

Overview

When you configure remote VPN access to your network resources, you can use the same set of credentials that you use to access the network when at work: a network user name and password. However, this may not be the most secure solution. Business cards or documentation often include user names, for example. They are also susceptible to trial-and-error attacks. If third parties become aware of your user name, then your password remains the only security mechanism safeguarding your corporate network.

Single secrets, such as passwords, can be effective security controls. A long password that consists of random letters, numbers, and special characters can be very difficult to crack. In addition, pass phrases offer better security than single passwords.

Unfortunately, users cannot always remember complex secrets and may resort to writing them down. When you place no restrictions on password complexity, though, users tend to create passwords that are easy to remember and, therefore, easy to guess.

User name and password solutions are termed single-factor because you only use something that you know to access the network. Multi-factor authentication systems overcome the issues of single-factor authentication by a combination of requirements, including:

  • Something the user knows, such as a password or personal identification number (PIN).

  • Something the user has, such as a hardware token or smart card.

  • Something the user is, such as a fingerprint or retina scan.

Smart cards and their associated PINs are an increasingly popular, reliable, and cost-effective form of two-factor authentication. Users must have their smart cards and know the PINs to gain access to network resources. The two-factor requirement significantly reduces the likelihood of unauthorized access to your organization’s network.

VPN Benefits

When your organization has to connect networks that contain sensitive and proprietary data to the Internet for remote access, the increased connectivity exposes a significant security risk.

In the potentially hostile environment of the Internet, your VPN solution becomes critical, because in addition to potential operational savings it helps to maintain the security associated with a private network infrastructure. A VPN solution provides security because it uses a secure tunneled connection, encrypting data and allowing only authenticated users to access the corporate network.

VPNs support a wide range of authentication methods, tunneling protocols, and encryption technologies to maintain business data security.

VPN authentication methods include:

  • Password Authentication Protocol (PAP).

  • Challenge-Handshake Authentication Protocol (CHAP).

  • Microsoft® Challenge-Handshake Authentication Protocol (MS-CHAP).

  • MS-CHAP version 2 (MS-CHAP v2).

  • Extensible Authentication Protocol (EAP).

VPN tunneling protocols include:

  • Point-to-Point Tunneling Protocol (PPTP).

  • Layer 2 Tunneling Protocol (L2TP).

VPN encryption protocols include:

  • Microsoft Point-to-Point Encryption (MPPE).

  • IP Security (IPsec).

To support the widest range of Microsoft client operating systems, use a version of MS-CHAP, PPTP, and MPPE.

If you use Microsoft Windows® 2000 or later, you can provide greater levels of security if you use EAP, L2TP, and IPsec.

For more information about VPN authentication, tunneling, and encryption, see the Virtual Private Networking: An Overview white paper on Microsoft TechNet at www.microsoft.com/technet/prodtechnol/windows2000serv/plan/vpnoverview.mspx.

Smart Card Technologies

Smart cards provide two-factor authentication. Two-factor authentication goes beyond the simple user name and password combination and requires a user to submit some form of unique token together with a PIN.

Smart cards are credit card-sized plastic items that contain a microcomputer and a small amount of memory. They provide secure, tamper-proof storage for private keys and X.509 security certificates.

To authenticate to a computer or over a remote access connection, the user inserts the smart card into a suitable reader and types his or her PIN. The user cannot gain access to the network with just the PIN, or with just the smart card. Extended brute-force attacks on smart card PINs are not possible, because the smart card locks after a number of unsuccessful attempts to type the correct PIN.

Smart cards run embedded operating systems and a form of file system in which data can be stored. The smart card operating system must be able to perform the following tasks:

  • Store a user's public and private keys

  • Store an associated public key certificate

  • Retrieve the public key certificate

  • Perform private key operations on behalf of the user

For more information about smart cards and a list of Microsoft-supported smart card readers, see the Smart Cards topic on Microsoft TechNet at www.microsoft.com/technet/security/guidance/identitymanagement/scard.mspx.

Smart Card Deployment Requirements

To support smart card logon for remote access VPNs, your computer system requires particular hardware and software components.

For more information about specifications and requirements for smart card deployment, see The Secure Access Using Smart Cards Planning Guide on Microsoft TechNet at www.microsoft.com/technet/security/guidance/networksecurity/securesmartcards/
default.mspx.

Smart Card Client Hardware Requirements

To support the smart card VPN solution, users are required to have a client computer capable of running Windows XP.

In addition, users require a smart card reader attached to a standard peripheral interface, such as RS-232 serial, PS/2, PC Card, or Universal Serial Bus (USB).

Smart Card Client Software Requirements

Your remote access clients require Windows XP to support the smart card VPN solution. In addition, it is recommended that they install Service Pack 2 (SP2).

Each client computer will require installation of a cryptographic service provider (CSP) that supports the chosen smart card. Windows XP includes a CSP that supports a number of smart card solutions. Alternatively, the smart card solution vendor will provide a CSP. The CSP carries out the following functions:

  • Cryptography features, including digital signing

  • Private key management

  • Secure communication between the client computer’s smart card reader and the smart card

Each client computer will require the installation of device drivers for the specific smart card reader. The device drivers map the functionality of the reader to the native services provided by Windows XP and the smart card infrastructure. The smart card reader device driver communicates card insertion and removal events and provides data communication capabilities to and from the card.

Connection Manager is a standard feature of Windows XP that facilitates and manages network, dial-up, and VPN connections. In addition, you can use the Connection Manager Administration Kit (CMAK) to customize Connection Manager profiles and create an installation file that automatically configures the VPN connection, which is distributed to clients.

Smart card deployment can include card management software on the client. The software includes smart card management, connectivity, and security tools that enable you to view the contents of smart cards, reset the PINs, and add additional certificates.

VPN Server Hardware Requirements

VPN connections place an additional processor load on the remote access server. Smart card-secured logon does not add noticeably to that load. VPN remote access servers that service a high volume of inbound connections require fast processors, preferably in a multiprocessor configuration, in addition to support for high network throughput. Organizations that use IPsec-secured VPNs can implement network cards that offload the IPsec encryption process onto a separate processor located on the network card.

VPN Server Software Requirements

VPN server software requirements for smart card access are relatively straightforward. The remote access servers must run Windows 2000 Server or later, have Routing and Remote Access enabled, and must support Extensible Authentication Protocol-Transport Layer Security (EAP-TLS).

EAP-TLS is a mutual authentication mechanism developed for use in conjunction with security devices, such as smart cards and hardware tokens. EAP-TLS supports Point-to-Point Protocol (PPP) and VPN connections, and enables exchange of shared secret keys for MPPE, in addition to IPsec.

The main benefits of EAP-TLS are its resistance to brute-force attacks and its support for mutual authentication. With mutual authentication, both client and server must prove their identities to each other. If either client or server does not send a certificate to validate its identity, the connection terminates.

Microsoft Windows Server™ 2003 supports EAP-TLS for dial-up and VPN connections, which enables the use of smart cards for remote users. For more information about EAP-TLS, see the Extensible Authentication Protocol (EAP) topic at www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/auth\_eap.mspx.

For more information about EAP certificate requirements, see the Microsoft Knowledge Base article "Certificate Requirements when you use EAP-TLS or PEAP with EAP-TLS" at https://support.microsoft.com/default.aspx?scid=814394.

Network Infrastructure Prerequisites for Smart Card Deployment

Smart cards require a suitable infrastructure with support from the operating system and network elements. Before you begin the smart card deployment process, address the need for the following components:

  • User requirements

  • Public key infrastructure (PKI)

  • Certificate templates

  • The Active Directory® directory service

  • Security groups

  • Enrollment stations and enrollment agents

User Requirements

The identification of users and groups that require VPN access is an important part of your smart card deployment. Identify these accounts early in the process to help define the scope of the project and control costs.

Public Key Infrastructure (PKI)

Smart card solutions require a PKI to provide certificates with public key/private key pairs that enable account mapping in Active Directory. You can implement this PKI in one of two ways: Provision the internal certificate infrastructure to an external organization, or use Certificate Services in Windows Server 2003. To use Certificate Services in Windows Server 2003 for your smart card solution, the certification authority (CA) must be an enterprise authority, which requires Active Directory.

For more information about Certificate Services in Windows Server 2003, see the Public Key Infrastructure for Windows Server 2003 Web site at www.microsoft.com/windowsserver2003/technologies/pki/default.mspx.

The PKI must have a mechanism that deals with certificate revocation. Certificate revocation is necessary when a certificate expires or when an attacker could have compromised a certificate. By revoking a certificate, an administrator denies access to anyone that uses the certificate. Each certificate includes the location of its certificate revocation list (CRL).

For more information about how to manage certificate revocation, see the Manage Certificate Revocation topic on Microsoft TechNet at https://technet2.microsoft.com/WindowsServer/en/library/92a5e655-3eb2-4843-b9cb-58c84c0a91d61033.mspx?mfr=true.

You use the PKI to assign a certificate to every smart card in your VPN solution. A CA that the VPN server trusts must issue the certificate. If you use Certificate Services in Windows Server 2003, make sure that you install the PKI root certificate on the VPN server.

For mutual authentication, you must assign a certificate to the VPN server from a CA that the client trusts. If you use Certificate Services in Windows Server 2003, make sure that you install the PKI root certificate on the VPN client.

Certificate Templates

Windows Server 2003 provides specific certificate templates to issue digital certificates for use with smart card solutions. The three certificate templates for smart card use are:

  • Enrollment agent, which allows an authorized user to request certificates for other users.

  • Smart card user, which lets a user log on with a smart card and sign e-mail. In addition, this certificate provides client authentication.

  • Smart card logon, which enables a user to log on with a smart card and provides client authentication, but does not enable signed e-mail.

Note   Microsoft strongly recommends that you upgrade a current Windows Server 2003 PKI to a Windows Server 2003 with Service Pack 1 (SP1) PKI to take advantage of enhanced security features.

Your VPN solution will require at least one administrator with an enrollment agent certificate who assigns certificates to the smart cards. In addition, your clients will require smart card logon certificates on their smart cards.

For more information about certificate templates, see the Certificate Templates topic on TechNet at https://technet2.microsoft.com/WindowsServer/en/Library/7d82b420-10ef-4f20-a56f-17ee7ee352d21033.mspx?mfr=true.

Active Directory

Active Directory provides the means to manage the identities and relationships that make up network environments and is a key component for the implementation of smart card solutions. Active Directory in Windows Server 2003 contains built-in support to enforce smart card logon and the ability to map accounts to certificates. This capability to map user accounts to certificates ties the private key on the smart card to the certificate held in Active Directory.

When your enrollment agent assigns a certificate to a smart card for a specific user, the process maps the certificate to the user account in Active Directory. The presentation of smart card credentials at logon requires Active Directory to match that specific card to the user account, which provides the user with the relevant permissions and capabilities on the network.

For more information about certificate mapping, see the Map certificates to user accounts topic on Microsoft TechNet at technet2.microsoft.com/windowsserver/en/library/0539dcf5-82c5-48e6-be8a-57bca16c7e171033.mspx?mfr=true.

For more information about Active Directory, see the Windows Server 2003 Active Directory page at www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/
default.mspx.

Security Groups

The smart card deployment and management process is significantly easier if you use security groups within Active Directory to organize users. For example, a typical smart card deployment might require you to create the following security groups:

  • Smart card enrollment agents. Smart card enrollment agents are responsible for distribution of smart cards to users.

  • Smart card staging. The smart card staging group contains all users who receive smart cards but for whom an enrollment agent has not yet enrolled and activated their cards.

  • Smart card users. The smart card users group contains all users who have completed the enrollment process and have an activated smart card. The enrollment agent moves the user from the smart card staging group to the smart card users group.

  • Smart card temporary exceptions. The smart card temporary exceptions group is for users who require temporary exceptions to the smart card requirements, for example, after the loss of their smart cards or when they forget their smart card.

  • Smart card permanent exceptions. The smart card permanent exceptions group includes accounts that need permanent exceptions to the requirement for smart card logon.

At the very least, your VPN solution will require groups for enrollment agents and smart card users. The creation of these groups enables you to manage and configure multiple users more easily.

Enrollment Stations and Enrollment Agents

It is possible to use a Web-based interface to issue or enroll users for smart cards, but this approach is not recommended. Because users must enter their user names and passwords to obtain their smart cards, this approach effectively downgrades the security for the smart card to the same level as the credentials presented to the Web interface. The preferred solution is to create enrollment stations and designate one or more administrators as enrollment agents.

A typical enrollment station is a computer that has a smart card reader and a smart card writer attached. The reader lets the enrollment agent log on, and the writer issues new smart cards to users. The enrollment station has a Group Policy setting that forces logoff as soon as the enrollment agent removes his or her smart card.

A designated administrator takes on the role of the enrollment agent and uses their smart card to log on to the enrollment station. Then they open the Web page for Certificate Services, verify the identity of the user, enroll the user, and issue the enrolled smart card. Enrollment agents require an enrollment agent certificate and must have permission to access the certificate templates.

Operational Considerations

Your smart card VPN solution must address the ability to monitor the operational health of the solution. The monitor tools must show the necessary information that you need to provide operational support. If the solution does not meet this requirement, security personnel cannot determine whether the solution maintains secure remote access connections effectively.

Operational considerations include:

  • Test authentication to internal applications. A smart card should affect initial logon only. The pilot program should test and verify successful authentication to internal applications.

  • Troubleshoot remote client issues. To troubleshoot successfully, client issues can require close cooperation of multiple teams spread across different time zones. Rigorous tests and a proper pilot deployment help reduce support calls.

  • Understand organizational remote access scenarios and threats. You must understand your organization's remote access scenarios and security threats, as well as the balance between them. You must prioritize the assets that need the most protection and determine the appropriate balance between cost and risk.

  • Anticipate technical challenges. You should anticipate technical challenges, such as installation routines and distribution of smart card management tools. You might need to integrate the smart card solution into your existing enterprise management tools.

  • Monitor and manage performance issues. You must monitor and manage performance issues and set user expectations in advance of the deployment.

  • Consider personal assets. Remember that employees’ home computers are their personal property and are not managed by an organization's IT department. If an employee is unable to install the hardware and software to support smart card-secured remote access, other options are available. For example, Microsoft Outlook® Web Access (OWA) provides employees with access to their Microsoft Exchange Server mailboxes over encrypted secure sockets layer (SSL) connections.

    For more information about e-mail security, see the "How to Protect E-mail Confidentiality in Regulated Industries" paper in this series at https://go.microsoft.com/fwlink/?LinkId=71176.

  • Manage changes to the solution. You must manage any changes and enhancements to the solution through similar processes to those required for the initial deployment.

  • Optimize the solution. All aspects of the smart card solution require periodic review and optimization. On a regular basis, you need to review the processes for enrollment and the need for account exceptions with the goal to improve security and integrity.

Smart Card Logon for Remote Access VPN Scenario

The process defined in this section for configuring smart card logon for remote access VPNs relates to small and medium business scenarios. The following figure shows a medium-sized business network; you may have some or all of the services shown in your own environment.

Figure 1. Remote Access in the Medium IT Environment

Figure 1. Remote Access in the Medium IT Environment

Specifically, this process fits scenarios in which remote users require access to corporate data and services from external locations. To achieve this access, the remote users create a VPN connection to a Windows Server 2003 VPN server and use smart cards for authentication.

The following procedures will help you prepare, deploy, and configure smart card support for remote access VPNs.

How to Prepare a CA to Issue Smart Card Certificates

First, you must prepare the CA to assign the necessary certificates, enrollment agent, and smart card logon.

To prepare a CA to issue smart card certificates

  1. Log on with Administrator rights.

  2. Open Active Directory Sites and Services.

  3. Click the View menu, and then select Show Services Node.

  4. Expand Services, click Public Key Services, and then click Certificate Templates (shown in the following screen shot).

    Active Directory Sites and Services

  5. Right-click the EnrollmentAgent certificate template, and then select Properties.

  6. Add the security group for the enrollment agents that you created as part of the deployment prerequisites and assign Read and Enroll permissions (shown in the following screen shot). Then click OK.

    EnrollmentAgent Properties >

  7. Close Active Directory Sites and Services.

  8. Open Certificate Authority.

  9. Expand the server name, and then select Certificate Templates. In the right pane, you can see the list of certificates that the CA can assign (shown in the following screen shot).

    Certification Authority

  10. Right-click Certificate Templates, point to New, and then click Certificate Template to Issue.

  11. Press and hold down the CTRL key, and in the Enable Certificate Templates list, select Enrollment Agent and Smartcard Logon (shown in the following screen shot). Then click OK.

    Enable Certificate Templates

  12. Close Certificate Authority.

How to Deploy Certificates to Smart Cards

Next, you can assign certificates to smart cards for remote users. Log on as an enrollment agent for the domain where the user's account is located.

To deploy certificates to smart cards

  1. Open Microsoft Internet Explorer®.

  2. In the address bar, type the address of the CA that issues smart card logon certificates, and then press ENTER.

  3. Click Request a certificate, and then Advanced certificate request. A screen similar to the following will display.

    Microsoft Certificate Services

  4. Click Request a certificate for a smart card on behalf of another user using the smart card certificate enrollment station. If you are prompted to accept a Microsoft ActiveX® control, click Yes. You must enable the use of ActiveX controls in Internet Explorer.

  5. On the Smart Card Certificate Enrollment Station screen (shown in the following screen shot), select Smartcard Logon. In addition, you should see the names of the Certification Authority, Cryptographic Service Provider, and Administrator Signing Certificate. If you cannot select an Administrator Signing Certificate, you have not assigned the logged on user an Enrollment Agent certificate.

    Microsoft Smart Card Enrollment Station

  6. From the Certification Authority drop-down list, select the name of the CA that you want to issue the smart card certificate.

  7. From the Cryptographic Service Provider drop-down list, select the smart card's manufacturer.

  8. In Administrator Signing Certificate, type the name of the Enrollment Agent certificate that will sign the enrollment request, or click Select Certificate to select a name.

  9. Click Select User, and then select the appropriate user account. Click Enroll.

  10. When prompted, insert the smart card into the smart card reader on your computer, and then click OK. When prompted for a personal identification number (PIN), type the PIN for the smart card.

How to Configure VPN Servers for Smart Card Authentication

Now you can configure the VPN server.

To configure the Routing and Remote Access service to accept EAP authentication

  1. Start the Routing and Remote Access snap-in.

  2. Right-click <servername> , click Properties, and then click the Security tab.

  3. Click Authentication Methods.

  4. Select the Extensible authentication protocol (EAP) check box (shown in the following screen shot), and then click OK.

    DCI(local) Properties

  5. Click OK.

How to Configure Remote Access Policies for Smart Card Authentication

You can now enable EAP in Remote Access Policies. The Remote Access Policies component is included in the Routing and Remote Access snap-in by default. However, if Internet Authentication Service (IAS) (also known as Remote Authentication Dial-in User Service or RADIUS) is installed, the Remote Access Policies component is included with the IAS snap-in instead.

To enable EAP with remote access policies

  1. In the left pane of Routing and Remote Access, click Remote Access Policies.

  2. In the right pane, double-click Connections to Microsoft Routing and Remote Access Server. A screen similar to the following will display.

    Connection to Microsoft Routing and Remote Access server

  3. Click Edit Profile, click the Authentication tab, and then click EAP Methods (shown in the following screen shot).

    Edit Dial-in Profile

  4. If Smart Card or other certificate does not appear in the EAP types list as shown in the following screen shot, click Add, select Smart Card or other certificate, and then click OK.

    Select EAP Providers

  5. Select Smart Card or other certificate, and then click Edit. A screen similar to the following will display.

    Smart Card or other Certificate Properties

  6. In the drop-down list, select the certificate that you want to use for EAP authentication, and then click OK three times.

  7. Make sure that Grant remote access permission is selected, click OK, and then close Routing and Remote Access.

How to Configure VPN Clients for Smart Card Authentication

Next, you configure the client to use the EAP authentication to support smart cards.

To create a phonebook entry

  1. Click Start, point to Connect To, point to Show all connections, and then in the Network Tasks list click Create a new connection. Then click Next on the New Connection Wizard welcome screen. The following screen will display.

    New Connection Wizard

  2. Select Connect to the network at my workplace, and then click Next.

  3. Select Virtual Private Network connection, and then click Next.

  4. Type a name for the connection in the Company Name box, and then click Next. The following screen will display.

    New Connection Wizard

  5. If you have a permanent connection to the Internet, select Do not dial the initial connection, and then click Next. Alternatively, if you need to dial a connection before creating the VPN, select Automatically dial this initial connection, select the connection to dial from the drop-down list, and then click Next.

  6. Type the VPN server name or IP address into the Host name or IP address box, and then click Next.

  7. Select Use my smart card, click Next, and then click Finish.

After you have created the phonebook entry, configure this entry to use EAP.

To configure a current connection to use smart card authentication

  1. Right-click the connection, select Properties, and then select the Security tab. The following screen will display.

    MyCompany Properties

  2. Ensure that Typical (recommended settings) is selected, and then select Use smart card in the Validate my identity as follows drop-down list.

  3. Select Advanced (custom settings), and then click Settings.

  4. Click Smart Card or other Certificate (encryption enabled).

  5. Click Properties, and then click Use my smart card.

  6. Ensure that the Validate Server certificate option is enabled.

  7. If necessary, select the Connect only if server name ends with check box.

  8. In the Trusted root certificate authority box, click the name of the CA that issued the certificate for use with a smart card or the user certificate that is installed.

  9. If necessary, select the Use a different user name for the connection check box.

  10. The user must be logged on to the computer to use EAP with a user certificate.

How to Configure VPN Clients for Smart Card Authentication Using Connection Manager

If you need to configure VPN connections for multiple clients, you can use Connection Manager.

To install the CMAK on a computer running Windows Server 2003

  1. Click Start, select Control Panel, and then Add or Remove Programs.

  2. In the Add or Remove Programs dialog box, click Add/Remove Windows Components.

  3. On the Windows Components Wizard screen, select Management and Monitoring Tools, and then click Details. A screen similar to the following will display.

    Management and Monitoring Tools

  4. In the Management and Monitoring Tools dialog box, select Connection Manager Administration Kit, click OK, click Next, and then click Finish.

To use the CMAK to create a VPN connection profile that you can distribute to your users

  1. Click Start, click Administrative Tools, and then click Connection Manager Administration Kit.

  2. On the Welcome to the Connection Manager Administration Kit Wizard screen, click Next.

  3. Make sure that New profile is selected, and then click Next.

  4. Type a name for the profile in the Service name box, and a name for the executable file that you distribute to clients in the File name box.

  5. The Realm Name screen (shown in the following screen shot) enables you to add a realm name to the user name. You might be required to add a realm name to identify your users if they connect to your VPN through a third-party network access server that uses RADIUS to transmit network authentication credentials to your Internet Authentication Service (IAS) servers.

    Select Do not add a realm name to the user name (unless it is required), and then click Next.

    Connection Manager Administration Kit Wizard

  6. The Merging Profile Information screen enables you to merge previously configured Connection Manager profiles. You will do this if you need to incorporate information contained in other profiles (such as network access numbers) into the current profile. Add any necessary profiles, and then click Next.

  7. The VPN Support screen (shown in the following screen shot) enables you to create a phonebook from the profile and configure the VPN server, or servers, for your VPN clients.

    Connection Manager Administration Kit Wizard

    A phone book contains information such as area code, phone number, and user authentication methods. The Connection Manager phone book also includes various network settings that you configure when you run the CMAK wizard.

    If you want your client to have the option to connect to multiple VPN servers, you can create a VPN server list in a text file (shown in the following screen shot). If you want the connection to use a VPN server list, select Allow the user to choose a VPN server before connecting, browse to the text file, and then click Next.

    vpnlist.txt-Notepad

  8. On the VPN Entries screen, select the profile that you are creating, click Edit, and then click the Security tab. The following dialog box will display.

    Edit Virtual Private Networking Entry

  9. In the Security settings drop-down list, select Use advanced security settings, and then click Configure. The following dialog box will display.

    Advanced Security Settings

  10. Ensure that the Data encryption drop-down list has Require encryption enabled and that you select the correct tunneling protocol in the VPN strategy drop-down list.

    Select Use Extensible Authentication Protocol (EAP) and Smart Card or other certificate (encryption enabled) in the corresponding drop-down list, and then click Properties. A screen similar to the following will display.

    Smart Card or Other Certificate Properties

  11. Ensure that Use my smart card is selected and Validate server certificate if you want the client to confirm the validity of the server. In addition, you can type the name of one or more servers to connect to and the certificate root certification authority to validate the server against. If your client must authenticate using a different user name to that in the certificate, select Use a different user name for the connection. Click OK three times, and then click Next.

  12. The Phone Book screen enables you to include an additional phone book file with the profile and automatically download phone book updates. The phone book includes information such as area code, phone number, and user authentication methods supported. The Connection Manager phone book also includes various network settings that you configure when you run the CMAK wizard. If you select Automatically download phone book updates, you must type the location from which the updates are downloaded. If you do not need to download phone book updates, do not select this option. Click Next.

  13. If you are using dial-up networking with the connection, select the entry and then click Edit on the Dial-up Networking Entries screen. (If you are not using dial-up networking for the connection, you will see how to disable it in a subsequent procedure.) When you have made the necessary configuration, or if you do not need to use dial-up networking, click Next. The wizard screens described in tasks 14 through 25 configure optional components that primarily change the look and feel of the connection.

  14. You can use the settings on the Routing Table Update screen to configure routing information for the connection. The default setting is to have the VPN client connect to all non-directly connected networks through the VPN interface. However, if you do not configure the VPN client to use the VPN connection as its default gateway, then you can create custom routing table entries that allow the VPN client to access selected subnets on the internal network. When you are finished, click Next.

  15. You can use the settings on the Automatic Proxy Configuration screen to force VPN clients to use the VPN server as its Web Proxy server. Click Next.

  16. You can use the settings on the Custom Actions screen to specify programs to start automatically before, after, or during the VPN connection. Click Next.

  17. You can use the settings on the Logon Bitmap screen to create a special graphic that appears when the user opens the VPN connection. If you create a custom graphic, make sure that it is 330x140 pixels. Click Next.

  18. You can use the settings on the Phone Book Bitmap screen to create a special graphic that appears when the user opens the phone book. If you create a custom graphic, make sure that it is 114x309 pixels. Click Next.

  19. You can use the settings on the Icons screen to specify icons that you want to display in the Connection Manager user interface (UI). Click Next.

  20. You can use the settings on the Notification Area Shortcut Menu screen to add items to the Connection Manager context menus. Click Next.

  21. You can use the settings on the Help File screen to assign a custom Help file to your users. Click Next.

  22. You can use the settings on the Support Information screen to provide support information for your users. Click Next.

  23. You can review the settings on the Connection Manager Software screen. You have the option to install Connection Manager version 1.3 on clients that do not already have it installed on their computers. Click Next.

  24. You can use the settings on the License Agreement screen to include a custom license agreement for the connection. Click Next.

  25. You can use the Additional Files screen to include additional files in the Connection Manager profile. Click Next.

  26. On the Ready to Build the Service Profile screen, select Advanced Customization, and then click Next.

  27. The Advanced Customization screen (shown in the following screen shot) enables you to configure the value of settings in your profile configuration files. For smart card-enabled VPN connections, you should disable Dialup by setting the value to 0. The HideDomain, HideUserName, and HidePassword settings have also been enabled.

    Connection Manager Administration Kit Wizard

  28. The profile configuration files are text based and have .inf, .cms, and .cmp file name extensions. The wizard reads in the default template.inf, template.cms, and template.cmp files installed with the CMAK.

    When you finish the wizard, new configuration files are created for the profile as profilename.inf, profilename.cms, and profilename.cmp. You can edit the default template files to add additional settings that can be configured by any users of the wizard.

    For more information about advanced customization options for Connection Manager, see the Advanced Customization Options for Connection Manager page at www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/ierk/Ch14\_d.mspx.

    The template.cms file (shown in the following screen shot) has been edited to include the capability to hide the domain, user name, and password boxes so that the functionality can be included when required. MPPE uses the user password in the encryption process, so in some cases the solution requires user name and password boxes.

    template.cms-Notepad

  29. When you have completed all settings changes, click Next to create the executable and configuration files. Make a note of where the files will be stored, and then click Finish. You distribute the executable file to clients through your standard software distribution mechanisms. The client can manually execute the file, or you can automate the process to install the VPN connection.

How to Verify the Smart Card VPN Solution

The goal of the verification process is to identify any problems with the design or configuration of the solution before full deployment. To verify the smart card VPN solution, you must carry out the major procedures of the solution. The major procedures to verify are:

  • Assignment of a certificate to a smart card.

  • Distribution of the Connection Manager profile.

  • Installation of the Connection Manager profile.

  • Connection to the VPN server by using smart card authentication.

  • Access to internal network resources through the VPN connection.

How to Troubleshoot the Smart Card VPN Solution

The goal of the verification process is to troubleshoot the solution, identify where the process is failing, and concentrate effort in that area.

The following table shows some smart card-VPN solution troubleshooting guidelines.

Table 1. Smart Card VPN Troubleshooting Guidelines

Problem

Solution

Relevant certificates are not available in the CA.

Enable certificate templates in Active Directory Sites and Services.

Assign enroll permissions.

Cannot assign certificates to the smart card.

Install smart card writer.

Assign Enrollment Agent certificate.

VPN server cannot authenticate remote clients.

Configure the server to support EAP-TLS authentication.

Ensure that the certificate used on the server is trusted by the client.

The client attempts to dial a connection before creating the VPN.

Configure the client so that it does not dial an initial connection.

The client does not attempt to dial a connection before creating the VPN.

Configure the client to dial an initial connection.

When the client attempts to create the VPN, the client is prompted for a user name, domain name, and password.

Ensure that the VPN connection is configured to use a smart card.

Ensure that the HideUserName, HideDomain, and HidePassword settings are enabled.

The client does not have a connection object in network connections.

Ensure that the Connection Manager profile has been delivered to the client.

Ensure that the Connection Manager profile executable has run.

The client does not connect to the VPN server.

Ensure that the client connection is configured with the correct VPN server name.

Ensure that the client is selecting the correct server from the VPN server list.

The client cannot authenticate with the VPN server.

Ensure that the client is connecting to the correct VPN server.

Ensure that the smart card has a certificate that is trusted by the VPN server.

For more information about general troubleshooting for VPN connections, see the ** VPN Troubleshooting topic on Microsoft TechNet at https://technet2.microsoft.com/WindowsServer/en/Library/4543aff5-e10f-487c-92ad-bb5518a736201033.mspx.

Summary

The implementation of smart cards to authenticate remote access connections provides greater security than simple user name and password combinations. Smart cards implement two-factor authentication through a combination of the smart card and a PIN. Two-factor authentication is significantly more difficult to compromise, and the PIN is easier for a user to remember than a strong password.

The provision of smart card authentication for remote access users helps provide a reliable and cost effective method that increases network security.

Download

Get the How to Support Smart Card Log-on for Remote Access VPN Connections paper