
Smart Card Logon

A user attempting to log on to a Windows Server 2003 domain using a smart card must go through the following sequence of steps:

  1. The user inserts the smart card into the reader.
  1. The WINLOGON service traps the smart card arrival event and dispatches it to MSGINA (Microsoft Graphical Identification and Authentication).
  1. MSGINA prompts the user to enter his personal identification number (PIN).
  1. The user types in his PIN.
  1. MSGINA sends the user-supplied PIN to the Local Security Authority (LSA).
  1. LSA uses the PIN to access the smart card and retrieve the user's certificate.
  1. Once the user's public key credentials are retrieved, the Kerberos Security Service Provider (SSP) on the local machine sends a signed user certificate to the Key Distribution Center (KDC).
  1. The KDC compares the user's certificate with the certificate that is stored in Active Directory. Since the user certificate is signed with the user's private key, the KDC can validate the integrity of the client certificate.
  1. Once the user certificate is validated, the KDC generates a logon session key, encrypts it along with the Ticket Granting Ticket (TGT), using the public key extracted from the client certificate, and sends the encrypted contents to the client. This guarantees that only the holder of the private key can decrypt the logon session key.
  1. The client receives the encrypted logon session key and TGT and uses its private key to decrypt them. After decryption the client can present the TGT to the Ticket Granting Service (TGS). Once the client is in possession of the logon session key, all Kerberos communication will use symmetric encryption.
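The ten steps above trace a public-key exchange (signature checked against the directory copy of the certificate, session key wrapped under the client's public key) that hands over to symmetric keying once the TGT is issued. The following is an added example, not code from the original page or from Microsoft, that models that shape end to end so each step can be followed in code. It assumes a constructed textbook RSA keypair with small primes and no padding (not secure, illustrative only), a Python dict standing in for Active Directory, a `SmartCard` class whose private key is released only after the correct PIN, and a toy TGT that seals the session key under a KDC secret; the user name, PIN and secrets are constructed sample values.

```python
import hashlib
import hmac
import secrets

# --- constructed toy RSA: textbook, small primes, no padding (NOT secure) ---
def toy_rsa_keypair(p=1000003, q=1000033, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))            # public, private

def _h(data, n):                                   # SHA-256 of data reduced into Z_n
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rsa_sign(priv, data):                          # only the private key can sign
    n, d = priv
    return pow(_h(data, n), d, n)

def rsa_verify(pub, data, sig):                    # anyone with the public key can verify
    n, e = pub
    return pow(sig, e, n) == _h(data, n)

def cert_bytes(cert):                              # canonical form of a (toy) certificate
    return f"{cert['subject']}|{cert['pub'][0]}|{cert['pub'][1]}".encode()

def derive_session_key(seed):                      # logon session key from the RSA-wrapped seed
    return hashlib.sha256(b"logon-session-key|" + seed.to_bytes(16, "big")).digest()

def client_authenticator(session_key, request):    # symmetric proof of key possession
    return hmac.new(session_key, request, "sha256").digest()

# --- smart card: private key released only after the correct PIN (steps 3-6) ---
class SmartCard:
    def __init__(self, cert, priv, pin):
        self._cert, self._priv, self._pin = cert, priv, pin
    def unlock(self, pin):
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        return self._cert, self._priv

# --- KDC side (steps 8-9); `directory` is a dict standing in for Active Directory ---
KDC_SECRET = b"constructed-kdc-master-key"         # constructed sample value

def _seal_key(subject, key):                       # toy TGT sealing: XOR with a per-user pad
    pad = hashlib.sha256(KDC_SECRET + b"|" + subject.encode()).digest()
    return bytes(a ^ b for a, b in zip(key, pad))  # applying it twice unseals

def kdc_handle_as_req(directory, req):
    cert, n = req["cert"], req["cert"]["pub"][0]
    stored = directory.get(cert["subject"])
    if stored is None or cert_bytes(stored) != cert_bytes(cert):
        raise PermissionError("certificate does not match Active Directory")   # step 8
    if not rsa_verify(cert["pub"], cert_bytes(cert) + req["nonce"], req["sig"]):
        raise PermissionError("bad signature on AS-REQ")                        # step 8
    seed = secrets.randbelow(n - 2) + 2                                         # step 9
    sealed = _seal_key(cert["subject"], derive_session_key(seed))
    tgt = {"user": cert["subject"], "sealed": sealed,
           "mac": hmac.new(KDC_SECRET, cert["subject"].encode() + sealed, "sha256").digest()}
    return {"enc_seed": pow(seed, cert["pub"][1], n), "tgt": tgt}              # RSA-wrap the seed

def tgs_check(tgt, authenticator, request):        # after step 10: symmetric only
    mac = hmac.new(KDC_SECRET, tgt["user"].encode() + tgt["sealed"], "sha256").digest()
    if not hmac.compare_digest(mac, tgt["mac"]):
        return False                               # TGT was not minted by this KDC
    session_key = _seal_key(tgt["user"], tgt["sealed"])
    return hmac.compare_digest(client_authenticator(session_key, request), authenticator)

# --- client side (steps 1-7 and 10) ---
def smart_card_logon(card, pin, directory):
    cert, priv = card.unlock(pin)                   # steps 3-6: PIN gates the private key
    nonce = secrets.token_bytes(16)
    req = {"cert": cert, "nonce": nonce,            # step 7: signed certificate to the KDC
           "sig": rsa_sign(priv, cert_bytes(cert) + nonce)}
    rep = kdc_handle_as_req(directory, req)
    n, d = priv
    seed = pow(rep["enc_seed"], d, n)               # step 10: only the private key unwraps it
    return derive_session_key(seed), rep["tgt"]

def demo():
    pub, priv = toy_rsa_keypair()
    cert = {"subject": "alice@example.local", "pub": pub}   # constructed sample user
    directory = {cert["subject"]: dict(cert)}       # the copy published to "Active Directory"
    card = SmartCard(cert, priv, pin="1234")
    key, tgt = smart_card_logon(card, "1234", directory)
    tgs_req = b"TGS-REQ cifs/fileserver"            # subsequent traffic is symmetric
    return tgs_check(tgt, client_authenticator(key, tgs_req), tgs_req)
```

The checks in `kdc_handle_as_req` are the ones worth noticing: the presented certificate is compared with the directory copy before the signature is verified, so a certificate the directory does not know, or a valid signature made with a different private key, is rejected before any session key exists. The wrong-PIN path never leaves the card, so no request reaches the KDC at all.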

Your logbook for this topic should provide documentary evidence that you can identify the appropriate type of certificate authority to support certificate issuance requirements and plan the enrolment and distribution of certificates.
