question

shaunm001 asked LeonLaude action

Smart Card authentication not an option when logging into server core console

Trying to use Smart Card authentication to log into our Windows Server 2016 Server Core machine. If I log into it using RDP, I'm able to use smart card authentication. However, if I log into it at the console, I'm only given the option to use a password (see below). I checked to make sure "Smart Card" and "Certificate Propagation" services are running, USB drivers are working on the server. Are there any special tricks to enable this at the console?

66021-untitled.png


windows-server-core

AliceYang-MSFT answered shaunm001 edited

Hi,

I'm unfamiliar with server core but can provide you with some information about smart card authentication.

Smart card authentication requires ADCS to be installed and a CA infrastructure to be available. Can you please check whether the server meets the requirements? These cmdlets might help:
Get-WindowsFeature

If you need information about deploying a CA infrastructure, please refer to these links:
Smart Card Deployment Planning Considerations
Configuration instructions

If the information doesn't help solve the issue, please let me know.


If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


We have ADCS installed and CA infrastructure in place. I am able to sign into the Server Core machines via remote desktop and authenticate using smart card. I am able to sign into other servers (with full GUI installed) at the console using smart card. But for some reason our Server Core machines are not giving me the option to use smart card at the console, only password (see screenshot). Need help figuring out how to make that an option.

AliceYang-MSFT answered

Hi,

Sorry that I didn't reply for a long time. I was trying to find a solution and now I have one that might work.

Before we go to the solution, I'd like to know the meaning of "able to use smart card authentication using RDP". Do you mean that the smartcard is connected to the physical server using a smartcard reader and the smartcard sign-in option is available on the RDP computer?

If so, we can try setting smartcard sign-in as a must for the server. Please see Additional smart card Group Policy settings and registry keys.

The following smart card-related Group Policy settings are in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

Interactive logon: Require smart card
This security policy setting requires users to sign in to a computer by using a smart card.
Enabled: Users can sign in to the computer only by using a smart card.

To manage local group policy for Server Core, please see:
Server Core 216 - How do I access/edit local group policy for Computer-Windows Settings-Security Settings
Managing local group policy on Windows Server 2008 Core Edition

After setting this policy to enabled, the server has to be signed in to with a smartcard. If the smartcard sign-in option is still missing, sorry that I have no other solutions. If you'd like to, please contact Microsoft Support for Business or call Microsoft. A dedicated Support Professional can troubleshoot this issue with you.

Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.


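A read-only way to inspect, from the Server Core console, the items this thread discusses (added example, not part of the original posts or Microsoft's documentation). It assumes the service names SCardSvr and CertPropSvc, that the "Interactive logon: Require smart card" policy is stored in the scforceoption registry value, and that a credential provider can be hidden with a Disabled value under its registry key.

```powershell
# Run in an elevated PowerShell session on the Server Core machine. Nothing is modified.

# 1. The two services the question mentions (service names are assumptions).
$services = Get-Service -Name 'SCardSvr', 'CertPropSvc' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType

# 2. Registry value assumed to back "Interactive logon: Require smart card".
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$force = (Get-ItemProperty -Path $policyKey -Name 'scforceoption' `
            -ErrorAction SilentlyContinue).scforceoption
if ($null -eq $force)  { $requireSmartCard = 'Not configured' }
elseif ($force -eq 1)  { $requireSmartCard = 'Enabled' }
else                   { $requireSmartCard = 'Disabled' }

# 3. Credential providers registered for the logon screen, with any "Disabled" flag.
$cpKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$providers = Get-ChildItem -Path $cpKey | ForEach-Object {
    [pscustomobject]@{
        Clsid    = $_.PSChildName
        Name     = $_.GetValue('')                 # default value holds the provider name
        Disabled = [bool]$_.GetValue('Disabled', 0)
    }
}
$smartCardProviders = $providers | Where-Object { $_.Name -match 'smart\s*card' }

# 4. Smart card readers currently visible to Plug and Play, if the cmdlet is available.
$readers = @()
if (Get-Command Get-PnpDevice -ErrorAction SilentlyContinue) {
    $readers = @(Get-PnpDevice -Class 'SmartCardReader' -PresentOnly -ErrorAction SilentlyContinue)
}

# Summary
'--- Services ---';                 $services | Format-Table -AutoSize
"Require smart card policy: $requireSmartCard"
'--- Smart card credential providers ---'
if ($smartCardProviders) { $smartCardProviders | Format-Table -AutoSize }
else { 'None registered under the Credential Providers key.' }
'--- Readers present ---'
if ($readers.Count -gt 0) { $readers | Format-Table FriendlyName, Status, InstanceId -AutoSize }
else { 'No smart card reader reported.' }
```

Checking the current policy value and the provider list before enabling "Interactive logon: Require smart card" matters because, once enabled, users can sign in only with a smart card.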