In order for a smart card login to be successful, some requirements must be met in the Active Directory environment:
Requirements
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and enables the application of rules to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.
Domain controller certificates must allow logon
Domain controllers must have certificates that enable smart card login. One of the following criteria must apply:
- The Extended Key Usage extension includes the Extended Key Usage for KDC Authentication (1.3.6.1.5.2.3.5) or
- The Extended Key Usage extension includes the Extended Key Usage for Smartcard Logon (1.3.6.1.4.1.311.20.2.2) or
- A "Template Name" extension exists and has the value "DomainController".
Microsoft uses the term "Enhanced Key Usage"; the correct name according to RFC 5280 is "Extended Key Usage".
Certification authority certificates must be registered in NTAuthCertificates
The following certification authority certificates must be stored in the Active Directory object "NTAuthCertificates". See also the article "Editing the NTAuthCertificates object in Active Directory".
- The certification authority certificate of the certification authority that issues the domain controller certificates
- The certification authority certificate of the certification authority issuing the user certificates
Certification authority certificates must allow the corresponding extended key usage
The certification authority certificate of the certification authority issuing the user certificates must support either the Extended Key Usage "Smart Card Logon" or "Client Authentication", i.e. use of these Extended Key Usages must not be ruled out by an Extended Key Usage extension in the certification authority certificate (a certification authority certificate without such an extension is unrestricted).
The above requirements are met by the default settings: if a certification authority integrated into Active Directory is installed, the required settings are configured as described above, and the default certificate templates for domain controllers have the corresponding properties.
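The three requirements above can be audited from a domain controller with a short PowerShell script. The following is an added example written for this article and is neither the article's own code nor part of TameMyCerts. It assumes it runs on a domain controller with the ActiveDirectory PowerShell module (RSAT) installed; the function names (Get-EkuOids, Test-DcCertificateAllowsLogon, Get-NtAuthCertificates, Test-CaCertificateAllowsLogonEku, Get-IssuerCertificate) are hypothetical and chosen only for this example. The OIDs for KDC Authentication, Smart Card Logon and the "DomainController" template name are the ones listed above; the Client Authentication OID (1.3.6.1.5.5.7.3.2) and the EKU extension OID (2.5.29.37) are the standard values from RFC 5280.

```powershell
# Added example (not from the original article): audits the smart card logon
# requirements on a domain controller. Assumes the ActiveDirectory module (RSAT)
# and that the issuing CA certificate is available to the local chain engine.
$OidKdcAuth        = '1.3.6.1.5.2.3.5'          # KDC Authentication
$OidSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$OidClientAuth     = '1.3.6.1.5.5.7.3.2'        # Client Authentication
$OidEku            = '2.5.29.37'                # Extended Key Usage extension
$OidTemplateName   = '1.3.6.1.4.1.311.20.2'     # V1 "Certificate Template Name" extension

# Returns the EKU OIDs of a certificate, or $null if it has no EKU extension at all.
function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $OidEku }
    if (-not $ext) { return $null }
    $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ext, $false)
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# Requirement 1: KDC Authentication EKU, Smart Card Logon EKU, or template name "DomainController".
function Test-DcCertificateAllowsLogon {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ekus = Get-EkuOids $Certificate
    if (($ekus -contains $OidKdcAuth) -or ($ekus -contains $OidSmartCardLogon)) { return $true }
    $tpl = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $OidTemplateName }
    if ($tpl) {
        # The V1 template extension is a DER BMPString: tag 0x1E, short-form length, UTF-16BE text.
        $raw = $tpl.RawData
        if ($raw[0] -eq 0x1E -and $raw[1] -lt 0x80) {
            $name = [System.Text.Encoding]::BigEndianUnicode.GetString($raw, 2, $raw[1])
            if ($name -eq 'DomainController') { return $true }
        }
    }
    return $false
}

# Requirement 2: read the CA certificates published in the NTAuthCertificates object.
function Get-NtAuthCertificates {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$cfg"
    $obj = Get-ADObject -Identity $dn -Properties cACertificate
    foreach ($raw in $obj.cACertificate) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$raw)
    }
}

# Requirement 3: a CA certificate without an EKU extension is unrestricted; with one,
# it must list Smart Card Logon or Client Authentication.
function Test-CaCertificateAllowsLogonEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$CaCertificate)
    $ekus = Get-EkuOids $CaCertificate
    if ($null -eq $ekus) { return $true }
    return (($ekus -contains $OidSmartCardLogon) -or ($ekus -contains $OidClientAuth))
}

# Resolves the issuing CA certificate through the local chain engine (no revocation check needed here).
function Get-IssuerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($Certificate)
    if ($chain.ChainElements.Count -lt 2) { return $null }
    return $chain.ChainElements[1].Certificate
}

$ntAuthThumbprints = @(Get-NtAuthCertificates | ForEach-Object { $_.Thumbprint })

# Evaluate every certificate with a private key in the machine store and report the three checks.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $cert   = $_
    $issuer = Get-IssuerCertificate $cert
    $inNtAuth   = $false
    $ekuAllowed = $false
    if ($issuer) {
        $inNtAuth   = $ntAuthThumbprints -contains $issuer.Thumbprint
        $ekuAllowed = Test-CaCertificateAllowsLogonEku $issuer
    }
    [pscustomobject]@{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        AllowsLogon      = Test-DcCertificateAllowsLogon $cert
        IssuerInNTAuth   = $inNtAuth
        IssuerEkuAllowed = $ekuAllowed
    }
} | Format-Table -AutoSize
```

A row with all three columns true means the domain controller certificate satisfies the requirements listed above. The same functions can be pointed at a user's smart card certificate (for example from Cert:\CurrentUser\My) to verify the user-side requirements: its issuing certification authority must also appear in NTAuthCertificates, and that certification authority certificate must pass Test-CaCertificateAllowsLogonEku.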
Related links:
- Domain Controller Certificate Templates and Smartcard Logon
- Editing the NTAuthCertificates object in Active Directory
- Basics: Restricting Extended Key Usage (EKU) in Certification Authority Certificates