
Using smartcards to logon to Windows

This article shows how to register and issue a user with a Windows smart card logon certificate using eJavaToken.

Preface

1. Theft and sensitive data loss

Research studies show that a laptop is stolen every minute and that 97% are never recovered. The cost of a lost computer can be measured in money, but the loss of documents, project management data, personal identity information and contact data could prove to have a much higher value. The same applies to desktop PCs. Although smartcard-based authentication may not prevent a theft in the first place, it can stop many attempts to read private data and can help to prevent ‘leakage’ of messages.

2. Password laziness and Improving Security 

Studies have shown that the average person cannot remember more than 6 random numbers or letters unless these are firmly committed to memory, but it's common for organisations to require 8-character passwords, which may change frequently. Unfortunately, people forced to use passwords are often inclined either to pick very simple ones (which are easy to guess) or to write them down. Many also use the same password for everything.

It’s common knowledge that the best option for improving security over and above the use of a username and password is to combine ‘what you have’ with ‘what you know’. This is called two-factor authentication, and is the same principle used to secure chip-and-PIN transactions. Wherever user authentication is used, it’s vital that only the right people are able to access the information that they are authorised to see. By using smartcards, we can increase the level of security for authentication, while at the same time improving the user experience.

Preparation

1. eJavaToken (make sure that the PKI applet has already been uploaded).

2. PC with Windows Server 2008 (used to set up the domain server).

Usage

1. Set up smart card certificate management environment

The main task of this phase is to configure the CA management environment in Windows Server 2008. This involves adding several roles from Server Manager, such as “DNS Server”, “Active Directory Domain Services”, “Web Server (IIS)”, “Active Directory Certificate Services”, and so on.

Click here for more details.

2. Issue smart card certificate management

To let smart card users log in to a Windows workstation, the workstation must first issue a smart card certificate to the users. A smart card certificate is a digital certificate stored on the user’s smart card.

Click here for more details.

3. Apply for smart card certificate management

In general, the smart card has to contain a certificate and the corresponding private key. The certificate contains the user information used for identifying the user. When logging in via a smart card, you enter the PIN of the smart card instead of your regular password.

You must prepare the smart card by creating the appropriate credentials before using it to log on to the computer. Click here for more details.

4. Issue smart card certificate management  

Typically, an existing networked infrastructure of client and server PCs can be secured irrespective of whether they are based on ad-hoc “workgroup” or centralised “domain-based” management, since the essential username and password login system remains the same. The smartcard logon software simply changes the standard Windows logon box, and adds the facility to retrieve these details from the card (subject to correct PIN entry) and then submit them automatically.

Smart card logon only works for computers that are joined to a domain. Click here to learn more about adding a user account to the domain.

5. Use eJavaToken to log on to the local computer

Click here for more information about how to log on to Windows.

If you enter the incorrect PIN for a smart card several times in a row, you will be unable to log on to the computer using that smart card. The number of allowable invalid logon attempts before lockout occurs varies according to the smart card manufacturer. Contact your administrator for assistance.

 

pc-logon.txt · Last modified: 2017/05/15 08:18 by Tarantino