Using smart cards for remote access

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The use of smart cards for user authentication is the strongest form of authentication in the Windows Server 2003 family. For remote access connections, you must use the Extensible Authentication Protocol (EAP) with the Smart card or other certificate (TLS) EAP type, also known as EAP-Transport Level Security (EAP-TLS). To use smart cards for remote access authentication, you must do the following:

  • Configure remote access on the remote access server.

  • Install a computer certificate on the remote access server computer.

  • Configure the Smart card or other certificate (TLS) EAP type in remote access policies.

  • Enable smart card authentication on the dial-up or VPN connection on the remote access client.

Configuring the remote access server to provide remote access

You can configure the server running Routing and Remote Access as described in Using the remote access server as a corporate remote access server for dial-in remote access or Deploying Remote Access VPNs for VPN remote access.

Installing a computer certificate on the remote access server

In order to configure EAP-TLS on the remote access server, you must install a computer certificate, also known as a machine certificate. To install a computer certificate on the remote access server, a certification authority must be present to issue certificates. Once the certification authority is configured, you can install a certificate on the remote access server in two different ways:

  1. By configuring the automatic allocation of computer certificates to computers in a domain.

  2. By using Certificate Manager to obtain a computer certificate.

Depending on the certificate policies in your organization, you need to perform only one of these two methods.

To configure a certification authority and install the computer certificate, perform the following steps:

  1. Install the Certificate Services component as an enterprise root certification authority. This step is only necessary if you do not already have an enterprise root certification authority (CA). For more information, see Install an enterprise root certification authority.

  2. Do one of the following:

    • For auto-enrollment of computer certificates, configure the domain. For more information, see Configure automatic certificate allocation from an enterprise CA.

      To create a computer certificate for the remote access server computer that is a member of the domain for which auto-enrollment is configured (as well as for other computers that are members of the domain), restart the remote access server or type secedit /refreshpolicy machine_policy at the command prompt.

    • To manually enroll computer certificates, use Certificate Manager to install the CA root certificate. For more information, see Manage certificates for a computer and Request a certificate.

Important

  • EAP-TLS authentication requires that the remote access client computer certificate be configured with the Client Authentication purpose and that the remote access server computer certificate be configured with the Server Authentication purpose. A certificate purpose is identified by an object identifier (OID). EAP-TLS checks the Enhanced Key Usage (EKU) extension of the client computer certificate to determine whether the Client Authentication purpose is present. When the EKU extension includes the Client Authentication purpose, EAP-TLS can use the certificate for authentication. For more information, see Network access authentication and certificates.
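As an added illustration of the purpose check described above (example code, not part of this documentation or of Windows), the following Python decodes the DER-encoded value of a certificate's EKU extension and tests whether the Client Authentication or Server Authentication OID is present. The sample extension bytes are constructed, not taken from a real certificate.

```python
# Minimal DER decoder for the X.509 Extended Key Usage (EKU) extension,
# mirroring the check described above: EAP-TLS looks for the Client
# Authentication OID in the client certificate and the Server
# Authentication OID in the server certificate.

CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Convert OBJECT IDENTIFIER content octets to dotted-decimal form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear: arc complete
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(extn_value):
    """Parse an EKU extnValue (SEQUENCE OF KeyPurposeId) into a list of OIDs."""
    tag, seq, _ = _read_tlv(extn_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(content))
    return oids


def has_purpose(extn_value, required_oid):
    """True when required_oid appears among the certificate's EKU entries."""
    return required_oid in parse_eku(extn_value)


# Constructed sample extension values (not from a real certificate): one EKU
# carrying only Client Authentication, one carrying only Server Authentication.
CLIENT_EKU = bytes.fromhex("300a06082b06010505070302")
SERVER_EKU = bytes.fromhex("300a06082b06010505070301")
```

A client certificate whose EKU lacks the Client Authentication OID (for example, one carrying only Server Authentication) fails has_purpose and would be rejected by EAP-TLS, regardless of who issued it.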

Enabling a smart card logon process for the domain

To enable a smart card logon process for the domain, perform the following procedures:

  1. Prepare a certification authority to issue smart card certificates

  2. Prepare a smart card certificate enrollment station

Configuring the remote access server for smart card remote access

To configure the server running Routing and Remote Access for smart card remote access, see Configure smart card remote access.

Configuring the remote access client for smart card remote access

You need to install a smart card reader on the remote access client computer. For more information, see Install a smart card reader on a computer.

Once a smart card reader is installed on the computer, you are prompted to choose whether to use the smart card for authentication when you create a dial-up or VPN connection.

For existing dial-up or VPN connections, you can enable smart card authentication on the properties of the dial-up or VPN connection. For more information, see Enable smart card or other certificate authentication.