How to Support Smart Card Logon for Remote Access VPN Connections

Upload: vijay-arya

Post on 06-Apr-2018


8/2/2019 How to Support Smart Card Logon for Remote Access VPN Connections

How to Support Smart Card Logon for Remote Access VPN Connections

Published: August 29, 2006

On This Page

- Introduction
- Smart Card Technologies
- Smart Card Logon for Remote Access VPN Scenario
- Summary

Introduction

Advances in communication technologies, driven by the need to keep costs down and stay competitive in an expanding marketplace, enable organizations not only to maintain communication channels 24 hours a day, seven days a week, but also to provide connectivity to business data and services from remote locations.

The Internet provides organizations and individuals with the ability to use computers to communicate and share data throughout the world, providing such benefits as accessibility, scalability, performance, and a reduction in business-related costs. However, the Internet is a non-secure, potentially hostile environment for organizations to operate in. The challenge is for organizations to harness the benefits that the Internet provides while they maintain necessary levels of data and communication security.

Virtual private networks (VPNs) enable organizations to utilize the Internet while helping to limit exposure for data and communication channels; they do this by providing a number of security features, including reliable authentication and encryption mechanisms.

Who Should Read This Guide

The intended audience for this guide includes information technology (IT) professionals who are responsible for deploying a VPN service in their network environments.

The information in this guide applies to small-to-medium businesses that must deliver reliable remote access to their networks.

Overview

When you configure remote VPN access to your network resources, you can use the same set of credentials that you use to access the network when at work: a network user name and password.


However, this may not be the most secure solution. Business cards or documentation often include user names, for example. They are also susceptible to trial-and-error attacks. If third parties become aware of your user name, then your password remains the only security mechanism safeguarding your corporate network.

Single secrets, such as passwords, can be effective security controls. A long password that consists of random letters, numbers, and special characters can be very difficult to crack. In addition, pass phrases offer better security than single passwords.

Unfortunately, users cannot always remember complex secrets and may resort to writing them down. When you place no restrictions on password complexity, though, users tend to create passwords that are easy to remember and, therefore, easy to guess.

User name and password solutions are termed single-factor because you only use something that you know to access the network. Multi-factor authentication systems overcome the issues of single-factor authentication by a combination of requirements, including:

- Something the user knows, such as a password or personal identification number (PIN).
- Something the user has, such as a hardware token or smart card.
- Something the user is, such as a fingerprint or retina scan.

Smart cards and their associated PINs are an increasingly popular, reliable, and cost-effective form of two-factor authentication. Users must have their smart cards and know the PINs to gain access to network resources. The two-factor requirement significantly reduces the likelihood of unauthorized access to your organization's network.

VPN Benefits

When your organization has to connect networks that contain sensitive and proprietary data to the Internet for remote access, the increased connectivity exposes a significant security risk.

In the potentially hostile environment of the Internet, your VPN solution becomes critical, because in addition to potential operational savings it helps to maintain the security associated with a private network infrastructure. A VPN solution provides security because it uses a secure tunneled connection, encrypting data and allowing only authenticated users to access the corporate network.

VPNs support a wide range of authentication methods, tunneling protocols, and encryption technologies to maintain business data security.

VPN authentication methods include:

- Password Authentication Protocol (PAP).
- Challenge-Handshake Authentication Protocol (CHAP).
- Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP).
- MS-CHAP version 2 (MS-CHAP v2).


- Extensible Authentication Protocol (EAP).

VPN tunneling protocols include:

- Point-to-Point Tunneling Protocol (PPTP).
- Layer 2 Tunneling Protocol (L2TP).

VPN encryption protocols include:

- Microsoft Point-to-Point Encryption (MPPE).
- IP Security (IPsec).

To support the widest range of Microsoft client operating systems, use a version of MS-CHAP, PPTP, and MPPE.

If you use Microsoft Windows 2000 or later, you can provide greater levels of security if you use EAP, L2TP, and IPsec.

For more information about VPN authentication, tunneling, and encryption, see the "Virtual Private Networking: An Overview" white paper on Microsoft TechNet at www.microsoft.com/technet/prodtechnol/windows2000serv/plan/vpnoverview.mspx.


Smart Card Technologies

Smart cards provide two-factor authentication. Two-factor authentication goes beyond the simple user name and password combination and requires a user to submit some form of unique token together with a PIN.

Smart cards are credit card-sized plastic items that contain a microcomputer and a small amount of memory. They provide secure, tamper-proof storage for private keys and X.509 security certificates.

To authenticate to a computer or over a remote access connection, the user inserts the smart card into a suitable reader and types his or her PIN. The user cannot gain access to the network with just the PIN, or with just the smart card. Extended brute-force attacks on smart card PINs are not possible, because the smart card locks after a number of unsuccessful attempts to type the correct PIN.

Smart cards run embedded operating systems and a form of file system in which data can be stored. The smart card operating system must be able to perform the following tasks:

- Store a user's public and private keys
- Store an associated public key certificate
- Retrieve the public key certificate


- Perform private key operations on behalf of the user

For more information about smart cards and a list of Microsoft-supported smart card readers, see the "Smart Cards" topic on Microsoft TechNet at www.microsoft.com/technet/security/guidance/identitymanagement/scard.mspx.

Smart Card Deployment Requirements

To support smart card logon for remote access VPNs, your computer system requires particular hardware and software components.

For more information about specifications and requirements for smart card deployment, see "The Secure Access Using Smart Cards Planning Guide" on Microsoft TechNet at www.microsoft.com/technet/security/guidance/networksecurity/securesmartcards/default.mspx.

Smart Card Client Hardware Requirements

To support the smart card VPN solution, users are required to have a client computer capable of running Windows XP.

In addition, users require a smart card reader attached to a standard peripheral interface, such as RS-232 serial, PS/2, PC Card, or Universal Serial Bus (USB).

Smart Card Client Software Requirements

Your remote access clients require Windows XP to support the smart card VPN solution. In addition, it is recommended that they install Service Pack 2 (SP2).

Each client computer will require installation of a cryptographic service provider (CSP) that supports the chosen smart card. Windows XP includes a CSP that supports a number of smart card solutions. Alternatively, the smart card solution vendor will provide a CSP. The CSP carries out the following functions:

- Cryptography features, including digital signing
- Private key management
- Secure communication between the client computer's smart card reader and the smart card

Each client computer will require the installation of device drivers for the specific smart card reader. The device drivers map the functionality of the reader to the native services provided by Windows XP and the smart card infrastructure. The smart card reader device driver communicates card insertion and removal events and provides data communication capabilities to and from the card.

Connection Manager is a standard feature of Windows XP that facilitates and manages network, dial-up, and VPN connections. In addition, you can use the Connection Manager Administration Kit (CMAK) to customize Connection Manager profiles and create an installation file that automatically configures the VPN connection, which is distributed to clients.

Smart card deployment can include card management software on the client. The software includes smart card management, connectivity, and security tools that enable you to view the contents of smart cards, reset the PINs, and add additional certificates.

VPN Server Hardware Requirements

VPN connections place an additional processor load on the remote access server. Smart card-secured logon does not add noticeably to that load. VPN remote access servers that service a high volume of inbound connections require fast processors, preferably in a multiprocessor configuration, in addition to support for high network throughput. Organizations that use IPsec-secured VPNs can implement network cards that offload the IPsec encryption process onto a separate processor located on the network card.

VPN Server Software Requirements

VPN server software requirements for smart card access are relatively straightforward. The remote access servers must run Windows 2000 Server or later, have Routing and Remote Access enabled, and must support Extensible Authentication Protocol-Transport Layer Security (EAP-TLS).

EAP-TLS is a mutual authentication mechanism developed for use in conjunction with security devices, such as smart cards and hardware tokens. EAP-TLS supports Point-to-Point Protocol (PPP) and VPN connections, and enables exchange of shared secret keys for MPPE, in addition to IPsec.

The main benefits of EAP-TLS are its resistance to brute-force attacks and its support for mutual authentication. With mutual authentication, both client and server must prove their identities to each other. If either client or server does not send a certificate to validate its identity, the connection terminates.

Microsoft Windows Server 2003 supports EAP-TLS for dial-up and VPN connections, which enables the use of smart cards for remote users. For more information about EAP-TLS, see the "Extensible Authentication Protocol (EAP)" topic at www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/auth_eap.mspx.

For more information about EAP certificate requirements, see the Microsoft Knowledge Base article "Certificate Requirements when you use EAP-TLS or PEAP with EAP-TLS" at http://support.microsoft.com/default.aspx?scid=814394.

Network Infrastructure Prerequisites for Smart Card Deployment

Smart cards require a suitable infrastructure with support from the operating system and network elements. Before you begin the smart card deployment process, address the need for the following components:

- User requirements
- Public key infrastructure (PKI)
- Certificate templates
- The Active Directory directory service
- Security groups
- Enrollment stations and enrollment agents

User Requirements

The identification of users and groups that require VPN access is an important part of your smart card deployment. Identify these accounts early in the process to help define the scope of the project and control costs.

Public Key Infrastructure (PKI)

Smart card solutions require a PKI to provide certificates with public key/private key pairs that enable account mapping in Active Directory. You can implement this PKI in one of two ways: provision the internal certificate infrastructure to an external organization, or use Certificate Services in Windows Server 2003. To use Certificate Services in Windows Server 2003 for your smart card solution, the certification authority (CA) must be an enterprise authority, which requires Active Directory.

For more information about Certificate Services in Windows Server 2003, see the "Public Key Infrastructure for Windows Server 2003" Web site at www.microsoft.com/windowsserver2003/technologies/pki/default.mspx.

The PKI must have a mechanism that deals with certificate revocation. Certificate revocation is necessary when a certificate expires or when an attacker could have compromised a certificate. By revoking a certificate, an administrator denies access to anyone that uses the certificate. Each certificate includes the location of its certificate revocation list (CRL).

For more information about how to manage certificate revocation, see the "Manage Certificate Revocation" topic on Microsoft TechNet at http://technet2.microsoft.com/WindowsServer/en/library/92a5e655-3eb2-4843-b9cb-58c84c0a91d61033.mspx?mfr=true.

You use the PKI to assign a certificate to every smart card in your VPN solution. A CA that the VPN server trusts must issue the certificate. If you use Certificate Services in Windows Server 2003, make sure that you install the PKI root certificate on the VPN server.

For mutual authentication, you must assign a certificate to the VPN server from a CA that the client trusts. If you use Certificate Services in Windows Server 2003, make sure that you install the PKI root certificate on the VPN client.
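One way to verify these two trust requirements on the VPN server before users connect, as an added PowerShell example that is not part of the original guide: it assumes a placeholder root CA subject in $RootCaSubject, and uses only the Cert: drive and the .NET X509Chain class, with online revocation checking so the CRL location carried in each certificate is exercised as well.

```powershell
# Added example, not part of the original guide. Run in an elevated PowerShell
# session on the VPN server. $RootCaSubject is a placeholder; put your enterprise
# root CA's subject name (or a distinctive part of it) there.
param(
    [string]$RootCaSubject = 'CN=Example Root CA'   # placeholder value
)

# Requirement 1: the PKI root certificate must be installed in the machine's
# Trusted Root store, or client smart card certificates will not chain to a trusted CA.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$RootCaSubject*" }
if ($root) {
    Write-Output "Root CA present in LocalMachine\Root: $($root.Thumbprint)"
} else {
    Write-Warning "Root CA matching '$RootCaSubject' is not installed in LocalMachine\Root"
}

# Requirement 2: for mutual authentication the server needs its own certificate
# with a private key and the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$serverCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and (
        $_.Extensions | Where-Object { $_ -is $ekuType } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $serverAuthOid }
    )
}
if (-not $serverCerts) {
    Write-Warning 'No certificate with a private key and the Server Authentication EKU in LocalMachine\My'
}

foreach ($cert in $serverCerts) {
    # Build the chain with online revocation checking so that the CRL distribution
    # point in each certificate is actually fetched, not just the trust path.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($cert)
    $last = $chain.ChainElements.Count - 1
    $chainRoot = if ($last -ge 0) { $chain.ChainElements[$last].Certificate.Subject } else { '(no chain built)' }
    Write-Output ("{0}  subject={1}  expires={2:yyyy-MM-dd}  chains to={3}  valid={4}" -f
        $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $chainRoot, $valid)
    # Any chain status (untrusted root, revoked, CRL unreachable, expired) is reported here.
    foreach ($status in $chain.ChainStatus) {
        Write-Warning ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
    $chain.Reset()
}
```

The same root-store check, run on a client with the Cert:\CurrentUser\Root store as well, confirms the second half of the requirement (the client trusting the CA that issued the VPN server's certificate).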

Certificate Templates

Windows Server 2003 provides specific certificate templates to issue digital certificates for use with smart card solutions. The three certificate templates for smart card use are:

- Enrollment agent, which allows an authorized user to request certificates for other users.
- Smart card user, which lets a user log on with a smart card and sign e-mail. In addition, this certificate provides client authentication.
- Smart card logon, which enables a user to log on with a smart card and provides client authentication, but does not enable signed e-mail.

Note: Microsoft strongly recommends that you upgrade a current Windows Server 2003 PKI to a Windows Server 2003 with Service Pack 1 (SP1) PKI to take advantage of enhanced security features.

Your VPN solution will require at least one administrator with an enrollment agent certificate who assigns certificates to the smart cards. In addition, your clients will require smart card logon certificates on their smart cards.

For more information about certificate templates, see the "Certificate Templates" topic on TechNet at http://technet2.microsoft.com/WindowsServer/en/Library/7d82b420-10ef-4f20-a56f-17ee7ee352d21033.mspx?mfr=true.

Active Directory

Active Directory provides the means to manage the identities and relationships that make up network environments and is a key component for the implementation of smart card solutions. Active Directory in Windows Server 2003 contains built-in support to enforce smart card logon and the ability to map accounts to certificates. This capability to map user accounts to certificates ties the private key on the smart card to the certificate held in Active Directory.

When your enrollment agent assigns a certificate to a smart card for a specific user, the process maps the certificate to the user account in Active Directory. The presentation of smart card credentials at logon requires Active Directory to match that specific card to the user account, which provides the user with the relevant permissions and capabilities on the network.

For more information about certificate mapping, see the "Map certificates to user accounts" topic on Microsoft TechNet at technet2.microsoft.com/windowsserver/en/library/0539dcf5-82c5-48e6-be8a-57bca16c7e171033.mspx?mfr=true.

For more information about Active Directory, see the "Windows Server 2003 Active Directory" page at www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx.

Security Groups

The smart card deployment and management process is significantly easier if you use security groups within Active Directory to organize users. For example, a typical smart card deployment might require you to create the following security groups:

- Smart card enrollment agents. Smart card enrollment agents are responsible for distribution of smart cards to users.
- Smart card staging. The smart card staging group contains all users who receive smart cards but for whom an enrollment agent has not yet enrolled and activated their cards.
- Smart card users. The smart card users group contains all users who have completed the enrollment process and have an activated smart card. The enrollment agent moves the user from the smart card staging group to the smart card users group.
- Smart card temporary exceptions. The smart card temporary exceptions group is for users who require temporary exceptions to the smart card requirements, for example, after the loss of their smart cards or when they forget their smart card.
- Smart card permanent exceptions. The smart card permanent exceptions group includes accounts that need permanent exceptions to the requirement for smart card logon.

At the very least, your VPN solution will require groups for enrollment agents and smart card users. The creation of these groups enables you to manage and configure multiple users more easily.

Enrollment Stations and Enrollment Agents

It is possible to use a Web-based interface to issue or enroll users for smart cards, but this approach is not recommended. Because users must enter their user names and passwords to obtain their smart cards, this approach effectively downgrades the security for the smart card to the same level as the credentials presented to the Web interface. The preferred solution is to create enrollment stations and designate one or more administrators as enrollment agents.

A typical enrollment station is a computer that has a smart card reader and a smart card writer attached. The reader lets the enrollment agent log on, and the writer issues new smart cards to users. The enrollment station has a Group Policy setting that forces logoff as soon as the enrollment agent removes his or her smart card.

A designated administrator takes on the role of the enrollment agent and uses their smart card to log on to the enrollment station. Then they open the Web page for Certificate Services, verify the identity of the user, enroll the user, and issue the enrolled smart card. Enrollment agents require an enrollment agent certificate and must have permission to access the certificate templates.

Operational Considerations

Your smart card VPN solution must address the ability to monitor the operational health of the solution. The monitor tools must show the necessary information that you need to provide operational support. If the solution does not meet this requirement, security personnel cannot determine whether the solution maintains secure remote access connections effectively.

Operational considerations include:

- Test authentication to internal applications. A smart card should affect initial logon only. The pilot program should test and verify successful authentication to internal applications.
- Troubleshoot remote client issues. To troubleshoot successfully, client issues can require close cooperation of multiple teams spread across different time zones. Rigorous tests and a proper pilot deployment help reduce support calls.
- Understand organizational remote access scenarios and threats. You must understand your organization's remote access scenarios and security threats, as well as the balance between them. You must prioritize the assets that need the most protection and determine the appropriate balance between cost and risk.
- Anticipate technical challenges. You should anticipate technical challenges, such as installation routines and distribution of smart card management tools. You might need to integrate the smart card solution into your existing enterprise management tools.
- Monitor and manage performance issues. You must monitor and manage performance issues and set user expectations in advance of the deployment.
- Consider personal assets. Remember that employees' home computers are their personal property and are not managed by an organization's IT department. If an employee is unable to install the hardware and software to support smart card-secured remote access, other options are available. For example, Microsoft Outlook Web Access (OWA) provides employees with access to their Microsoft Exchange Server mailboxes over encrypted secure sockets layer (SSL) connections. For more information about e-mail security, see the "How to Protect E-mail Confidentiality in Regulated Industries" paper in this series at http://go.microsoft.com/fwlink/?LinkId=71176.
- Manage changes to the solution. You must manage any changes and enhancements to the solution through similar processes to those required for the initial deployment.
- Optimize the solution. All aspects of the smart card solution require periodic review and optimization. On a regular basis, you need to review the processes for enrollment and the need for account exceptions with the goal to improve security and integrity.


Smart Card Logon for Remote Access VPN Scenario

The process defined in this section for configuring smart card logon for remote access VPNs relates to small and medium business scenarios. The following figure shows a medium-sized business network; you may have some or all of the services shown in your own environment.


Figure 1. Remote Access in the Medium IT Environment

Specifically, this process fits scenarios in which remote users require access to corporate data and services from external locations. To achieve this access, the remote users create a VPN connection to a Windows Server 2003 VPN server and use smart cards for authentication.

The following procedures will help you prepare, deploy, and configure smart card support for remote access VPNs.

How to Prepare a CA to Issue Smart Card Certificates

First, you must prepare the CA to assign the necessary certificates: enrollment agent and smart card logon.

To prepare a CA to issue smart card certificates

1. Log on with Administrator rights.
2. Open Active Directory Sites and Services.
3. Click the View menu, and then select Show Services Node.
4. Expand Services, click Public Key Services, and then click Certificate Templates (shown in the following screen shot).


5. Right-click the EnrollmentAgent certificate template, and then select Properties.
6. Add the security group for the enrollment agents that you created as part of the deployment prerequisites and assign Read and Enroll permissions (shown in the following screen shot). Then click OK.


7. Close Active Directory Sites and Services.
8. Open Certificate Authority.
9. Expand the server name, and then select Certificate Templates. In the right pane, you can see the list of certificates that the CA can assign (shown in the following screen shot).
10. Right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
11. Press and hold down the CTRL key, and in the Enable Certificate Templates list, select Enrollment Agent and Smartcard Logon (shown in the following screen shot). Then click OK.


12. Close Certificate Authority.

How to Deploy Certificates to Smart Cards
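Before enrolling any cards, a PowerShell cross-check of the CA preparation procedure above (an added example, not part of the original guide): it assumes the ActiveDirectory module is available on the CA, and $AgentGroup is a placeholder for the name of the enrollment agents security group created as a prerequisite.

```powershell
# Added example, not part of the original guide. Run in an elevated PowerShell
# session on the CA; needs the ActiveDirectory module (RSAT). $AgentGroup is a
# placeholder for the sAMAccountName of your enrollment agents security group.
param(
    [string]$AgentGroup = 'SmartCardEnrollmentAgents'   # placeholder value
)
Import-Module ActiveDirectory

# Steps 4-6: the EnrollmentAgent template object lives in the configuration
# partition; the agents group needs Read plus the Enroll extended right on it.
# Enroll is the Certificate-Enrollment control access right, identified by the GUID below.
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$configNC    = (Get-ADRootDSE).configurationNamingContext
$templateDn  = "CN=EnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$aces = (Get-Acl -Path "AD:\$templateDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$AgentGroup"
}
$hasRead = [bool]($aces | Where-Object {
    $_.ActiveDirectoryRights.ToString() -match 'GenericRead|ReadProperty|GenericAll' })
# An ACE whose ObjectType is the empty GUID grants every extended right, Enroll included.
$hasEnroll = [bool]($aces | Where-Object {
    $_.ActiveDirectoryRights.ToString() -match 'ExtendedRight|GenericAll' -and
    ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty) })
Write-Output ("EnrollmentAgent template, group {0}: Read={1} Enroll={2}" -f $AgentGroup, $hasRead, $hasEnroll)
if (-not ($hasRead -and $hasEnroll)) {
    Write-Warning "Repeat steps 5-6: grant '$AgentGroup' Read and Enroll on the EnrollmentAgent template"
}

# Steps 9-11: the CA must be configured to issue both templates. certutil -CATemplates
# prints one line per issued template, beginning with the template name and a colon.
$issued = (certutil -CATemplates 2>&1) -join "`n"
foreach ($template in 'EnrollmentAgent', 'SmartcardLogon') {
    if ($issued -match "(?m)^${template}:") {
        Write-Output "CA issues template $template"
    } else {
        # certutil -SetCATemplates +Name is the command-line equivalent of steps 10-11.
        Write-Warning "CA does not issue $template; enable it with: certutil -SetCATemplates +$template"
    }
}
```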

Next, you can assign certificates to smart cards for remote users. Log on as an enrollment agent for the domain where the user's account is located.

    To deploy certificates to smart cards

    1. Open Microsoft Internet Explorer.
    2. In the address bar, type the address of the CA that issues smart card logon certificates, and then press ENTER.
    3. Click Request a certificate, and then Advanced certificate request. A screen similar to the following will display.


    4. Click Request a certificate for a smart card on behalf of another user using the smart card certificate enrollment station. If you are prompted to accept a Microsoft ActiveX control, click Yes. You must enable the use of ActiveX controls in Internet Explorer.
    5. On the Smart Card Certificate Enrollment Station screen (shown in the following screen shot), select Smartcard Logon. In addition, you should see the names of the Certification Authority, Cryptographic Service Provider, and Administrator Signing Certificate. If you cannot select an Administrator Signing Certificate, you have not assigned the logged on user an Enrollment Agent certificate.


    6. From the Certification Authority drop-down list, select the name of the CA that you want to issue the smart card certificate.
    7. From the Cryptographic Service Provider drop-down list, select the smart card's manufacturer.
    8. In Administrator Signing Certificate, type the name of the Enrollment Agent certificate that will sign the enrollment request, or click Select Certificate to select a name.
    9. Click Select User, and then select the appropriate user account. Click Enroll.
    10. When prompted, insert the smart card into the smart card reader on your computer, and then click OK. When prompted for a personal identification number (PIN), type the PIN for the smart card.

    How to Configure VPN Servers for Smart Card Authentication

    Now you can configure the VPN server.

    To configure the Routing and Remote Access service to accept EAP authentication

    1. Start the Routing and Remote Access snap-in.
    2. Right-click the server name, click Properties, and then click the Security tab.
    3. Click Authentication Methods.
    4. Select the Extensible authentication protocol (EAP) check box (shown in the following screen shot), and then click OK.


    5. Click OK.

    How to Configure Remote Access Policies for Smart Card Authentication

    You can now enable EAP in Remote Access Policies. The Remote Access Policies component is included in the Routing and Remote Access snap-in by default. However, if Internet Authentication Service (IAS), Microsoft's implementation of the Remote Authentication Dial-in User Service (RADIUS) protocol, is installed, the Remote Access Policies component is included with the IAS snap-in instead.

    To enable EAP with remote access policies

    1. In the left pane of Routing and Remote Access, click Remote Access Policies.
    2. In the right pane, double-click Connections to Microsoft Routing and Remote Access Server. A screen similar to the following will display.


    3. Click Edit Profile, click the Authentication tab, and then click EAP Methods (shown in the following screen shot).


    4. If Smart Card or other certificate does not appear in the EAP types list as shown in the following screen shot, click Add, select Smart Card or other certificate, and then click OK.
    5. Select Smart Card or other certificate, and then click Edit. A screen similar to the following will display.


    6. In the drop-down list, select the certificate that you want to use for EAP authentication, and then click OK three times.
    7. Make sure that Grant remote access permission is selected, click OK, and then close Routing and Remote Access.

    How to Configure VPN Clients for Smart Card Authentication

    Next, you configure the client to use EAP authentication to support smart cards.

    To create a phonebook entry

    1. Click Start, point to Connect To, point to Show all connections, and then in the Network Tasks list click Create a new connection. Then click Next on the New Connection Wizard welcome screen. The following screen will display.


    2. Select Connect to the network at my workplace, and then click Next.
    3. Select Virtual Private Network connection, and then click Next.
    4. Type a name for the connection in the Company Name box, and then click Next. The following screen will display.


    5. If you have a permanent connection to the Internet, select Do not dial the initial connection, and then click Next. Alternatively, if you need to dial a connection before creating the VPN, select Automatically dial this initial connection, select the connection to dial from the drop-down list, and then click Next.
    6. Type the VPN server name or IP address into the Host name or IP address box, and then click Next.
    7. Select Use my smart card, click Next, and then click Finish.

    After you have created the phonebook entry, configure this entry to use EAP.

    To configure a current connection to use smart card authentication

    1. Right-click the connection, select Properties, and then select the Security tab. The following screen will display.


    2. Ensure that Typical (recommended settings) is selected, and then select Use smart card in the Validate my identity as follows drop-down list.
    3. Select Advanced (custom settings), and then click Settings.
    4. Click Smart Card or other Certificate (encryption enabled).
    5. Click Properties, and then click Use my smart card.
    6. Ensure that the Validate Server certificate option is enabled.
    7. If necessary, select the Connect only if server name ends with check box.
    8. In the Trusted root certificate authority box, click the name of the CA that issued the certificate for use with a smart card or the user certificate that is installed.
    9. If necessary, select the Use a different user name for the connection check box.
    10. The user must be logged on to the computer to use EAP with a user certificate.

    How to Configure VPN Clients for Smart Card Authentication Using Connection Manager

    If you need to configure VPN connections for multiple clients, you can use Connection Manager.

    To install the CMAK on a computer running Windows Server 2003

    1. Click Start, select Control Panel, and then Add or Remove Programs.
    2. In the Add or Remove Programs dialog box, click Add/Remove Windows Components.
    3. On the Windows Components Wizard screen, select Management and Monitoring Tools, and then click Details. A screen similar to the following will display.


    4. In the Management and Monitoring Tools dialog box, select Connection Manager Administration Kit, click OK, click Next, and then click Finish.

    To use the CMAK to create a VPN connection profile that you can distribute to your users

    1. Click Start, click Administrative Tools, and then click Connection Manager Administration Kit.
    2. On the Welcome to the Connection Manager Administration Kit Wizard screen, click Next.
    3. Make sure that New profile is selected, and then click Next.
    4. Type a name for the profile in the Service name box, and a name for the executable file that you distribute to clients in the File name box.
    5. The Realm Name screen (shown in the following screen shot) enables you to add a realm name to the user name. You might be required to add a realm name to identify your users if they connect to your VPN through a third-party network access server that uses RADIUS to transmit network authentication credentials to your Internet Authentication Service (IAS) servers. Select Do not add a realm name to the user name (unless it is required), and then click Next.
    6. The Merging Profile Information screen enables you to merge previously configured Connection Manager profiles. You will do this if you need to incorporate information contained in other profiles (such as network access numbers) into the current profile. Add any necessary profiles, and then click Next.
    7. The VPN Support screen (shown in the following screen shot) enables you to create a phonebook from the profile and configure the VPN server, or servers, for your VPN clients. A phone book contains information such as area code, phone number, and user authentication methods. The Connection Manager phone book also includes various network settings that you configure when you run the CMAK wizard. If you want your client to have the option to connect to multiple VPN servers, you can create a VPN server list in a text file (shown in the following screen shot). If you want the connection to use a VPN server list, select Allow the user to choose a VPN server before connecting, browse to the text file, and then click Next.


    8. On the VPN Entries screen, select the profile that you are creating, click Edit, and then click the Security tab. The following dialog box will display.
    9. In the Security settings drop-down list, select Use advanced security settings, and then click Configure. The following dialog box will display.


    10. Ensure that the Data encryption drop-down list has Require encryption enabled and that you select the correct tunneling protocol in the VPN strategy drop-down list. Select Use Extensible Authentication Protocol (EAP) and Smart Card or other certificate (encryption enabled) in the corresponding drop-down list, and then click Properties. A screen similar to the following will display.


    11. Ensure that Use my smart card is selected, and select Validate server certificate if you want the client to confirm the validity of the server. In addition, you can type the name of one or more servers to connect to and the root certification authority to validate the server against. If your client must authenticate using a different user name to that in the certificate, select Use a different user name for the connection. Click OK three times, and then click Next.
    12. The Phone Book screen enables you to include an additional phone book file with the profile and automatically download phone book updates. The phone book includes information such as area code, phone number, and user authentication methods supported. The Connection Manager phone book also includes various network settings that you configure when you run the CMAK wizard. If you select Automatically download phone book updates, you must type the location from which the updates are downloaded. If you do not need to download phone book updates, do not select this option. Click Next.
    13. If you are using dial-up networking with the connection, select the entry and then click Edit on the Dial-up Networking Entries screen. (If you are not using dial-up networking for the connection, you will see how to disable it in a subsequent procedure.) When you have made the necessary configuration, or if you do not need to use dial-up networking, click Next. The wizard screens described in steps 14 through 25 configure optional components that primarily change the look and feel of the connection.


    14. You can use the settings on the Routing Table Update screen to configure routing information for the connection. The default setting is to have the VPN client connect to all non-directly connected networks through the VPN interface. However, if you do not configure the VPN client to use the VPN connection as its default gateway, then you can create custom routing table entries that allow the VPN client to access selected subnets on the internal network. When you are finished, click Next.
    15. You can use the settings on the Automatic Proxy Configuration screen to force VPN clients to use the VPN server as their Web proxy server. Click Next.
    16. You can use the settings on the Custom Actions screen to specify programs to start automatically before, after, or during the VPN connection. Click Next.
    17. You can use the settings on the Logon Bitmap screen to create a special graphic that appears when the user opens the VPN connection. If you create a custom graphic, make sure that it is 330x140 pixels. Click Next.
    18. You can use the settings on the Phone Book Bitmap screen to create a special graphic that appears when the user opens the phone book. If you create a custom graphic, make sure that it is 114x309 pixels. Click Next.
    19. You can use the settings on the Icons screen to specify icons that you want to display in the Connection Manager user interface (UI). Click Next.
    20. You can use the settings on the Notification Area Shortcut Menu screen to add items to the Connection Manager context menus. Click Next.
    21. You can use the settings on the Help File screen to assign a custom Help file to your users. Click Next.
    22. You can use the settings on the Support Information screen to provide support information for your users. Click Next.
    23. You can review the settings on the Connection Manager Software screen. You have the option to install Connection Manager version 1.3 on clients that do not already have it installed on their computers. Click Next.
    24. You can use the settings on the License Agreement screen to include a custom license agreement for the connection. Click Next.
    25. You can use the Additional Files screen to include additional files in the Connection Manager profile. Click Next.
    26. On the Ready to Build the Service Profile screen, select Advanced Customization, and then click Next.
    27. The Advanced Customization screen (shown in the following screen shot) enables you to configure the value of settings in your profile configuration files. For smart card-enabled VPN connections, you should disable Dialup by setting the value to 0. The HideDomain, HideUserName, and HidePassword settings have also been enabled.


    28. The profile configuration files are text based and have .inf, .cms, and .cmp file name extensions. The wizard reads in the default template.inf, template.cms, and template.cmp files installed with the CMAK.

    When you finish the wizard, new configuration files are created for the profile as profilename.inf, profilename.cms, and profilename.cmp. You can edit the default template files to add additional settings that can be configured by any users of the wizard.

    For more information about advanced customization options for Connection Manager, see the Advanced Customization Options for Connection Manager page at www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/ierk/Ch14_d.mspx.

    The template.cms file (shown in the following screen shot) has been edited to include the capability to hide the domain, user name, and password boxes so that the functionality can be included when required. MPPE uses the user password in the encryption process, so in some cases the solution requires user name and password boxes.
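    Because the Dialup, HideUserName, HideDomain, and HidePassword values end up as plain key=value lines in the profile's .cms file, they can be checked before the executable is distributed. The following PowerShell script is an added example and is not part of this article or of the CMAK; it assumes that these keys live in the [Connection Manager] section of the .cms file (the article names the keys but not the section), and the sample .cms content it writes to a temporary file is constructed for the demonstration. It deliberately leaves HidePassword at 0 in the sample so that the report shows what a failing check looks like.

```powershell
# Added example (not from the TechNet article or the CMAK): parse a Connection
# Manager .cms profile and report whether the smart-card-related settings the
# article describes are set as expected.

function Get-CmsSettings {
    # Minimal INI reader: returns a hashtable keyed as "Section\Key".
    param([Parameter(Mandatory)][string]$Path)
    $settings = @{}
    $section = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }      # blank line or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=]+)=(.*)$') {
            $settings["$section\$($Matches[1].Trim())"] = $Matches[2].Trim()
        }
    }
    return $settings
}

function Test-SmartCardCmsProfile {
    param([Parameter(Mandatory)][string]$Path)
    $s = Get-CmsSettings -Path $Path
    # Expected values for a smart-card-only VPN profile, per the article:
    # no dial-up, and the user name, domain and password boxes hidden.
    # The section name is an assumption about the CMAK template layout.
    $expected = [ordered]@{
        'Connection Manager\Dialup'       = '0'
        'Connection Manager\HideUserName' = '1'
        'Connection Manager\HideDomain'   = '1'
        'Connection Manager\HidePassword' = '1'
    }
    foreach ($key in $expected.Keys) {
        $actual = if ($s.ContainsKey($key)) { $s[$key] } else { '<missing>' }
        [pscustomobject]@{
            Setting  = $key
            Expected = $expected[$key]
            Actual   = $actual
            Ok       = ($actual -eq $expected[$key])
        }
    }
}

# Constructed sample .cms fragment; HidePassword is left at 0 on purpose so
# the report shows one failing row.
$sample = @"
[Connection Manager]
ServiceName=Contoso VPN
Dialup=0
Tunnel=1
HideUserName=1
HideDomain=1
HidePassword=0
"@
$tmp = Join-Path $env:TEMP 'sample.cms'
Set-Content -Path $tmp -Value $sample

Test-SmartCardCmsProfile -Path $tmp | Format-Table -AutoSize
```

    Point Test-SmartCardCmsProfile at the profilename.cms the wizard produced to check a real profile; any row with Ok set to False corresponds directly to the "prompted for a user name, domain name, and password" and "attempts to dial a connection" rows of the troubleshooting table later in this document.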


    29. When you have completed all settings changes, click Next to create the executable and configuration files. Make a note of where the files will be stored, and then click Finish.

    You distribute the executable file to clients through your standard software distribution mechanisms. The client can manually execute the file, or you can automate the process to install the VPN connection.

    How to Verify the Smart Card VPN Solution

    The goal of the verification process is to identify any problems with the design or configuration of the solution before full deployment. To verify the smart card VPN solution, you must carry out the major procedures of the solution. The major procedures to verify are:

    - Assignment of a certificate to a smart card.
    - Distribution of the Connection Manager profile.
    - Installation of the Connection Manager profile.
    - Connection to the VPN server by using smart card authentication.
    - Access to internal network resources through the VPN connection.
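    The first and fourth items both come down to certificates: the smart card must carry a certificate with the Smart Card Logon and Client Authentication purposes that chains to a root the VPN server trusts, and the certificate chosen under EAP Methods on the server must carry Server Authentication and chain to a root the client trusts. The following PowerShell script is an added example, not part of this article, that checks either side from the Windows certificate store. The EKU object identifiers are the standard ones; the expected issuer name "Contoso Issuing CA" is a constructed placeholder, and it assumes that the card's certificate has been propagated into the user's personal store (the smart card must be inserted for the private key check to succeed).

```powershell
# Added example (not from the TechNet article): check that a certificate in a
# Windows certificate store is usable for EAP-TLS smart card logon, from the
# client side (CurrentUser) or the VPN server side (LocalMachine).
$Eku = @{
    SmartCardLogon       = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon
    ClientAuthentication = '1.3.6.1.5.5.7.3.2'        # required on the client certificate
    ServerAuthentication = '1.3.6.1.5.5.7.3.1'        # required on the VPN server certificate
}

function Get-CertificateEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Return the Enhanced Key Usage OIDs as strings (empty if the extension is absent).
    $ext = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-EapTlsCertificate {
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$StoreLocation,
        [string[]]$RequiredEku,
        [string]$ExpectedIssuerCN = 'Contoso Issuing CA'   # constructed placeholder
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem "Cert:\$StoreLocation\My") {
        $ekus = Get-CertificateEku -Certificate $cert
        $missing = @($RequiredEku | Where-Object { $ekus -notcontains $_ })
        if ($missing.Count -gt 0) { continue }   # not a candidate for this role

        # Build the chain the way the EAP peer will: to a trusted root, with revocation checked.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainOk = $chain.Build($cert)
        $last = $chain.ChainElements.Count - 1
        $root = if ($last -ge 0) { $chain.ChainElements[$last].Certificate.Subject } else { '' }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            IssuerMatches = ($cert.Issuer -like "CN=$ExpectedIssuerCN*")
            HasPrivateKey = $cert.HasPrivateKey   # for a smart card, true only while the card is present
            InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            ChainTrusted  = $chainOk
            ChainRoot     = $root
            ChainErrors   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }
    }
}

# Client side: the certificate propagated from the inserted smart card into the user's store.
Test-EapTlsCertificate -StoreLocation CurrentUser -RequiredEku $Eku.SmartCardLogon, $Eku.ClientAuthentication |
    Format-List

# Server side (run on the RRAS server): the certificate selected under EAP Methods.
Test-EapTlsCertificate -StoreLocation LocalMachine -RequiredEku $Eku.ServerAuthentication |
    Format-List
```

    No output at all means no certificate in that store carries the required purposes, which points back to the certificate template and enrollment steps; ChainTrusted set to False with a ChainErrors value such as UntrustedRoot or RevocationStatusUnknown points at the root CA trust or CRL availability that the Validate server certificate option depends on.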

    How to Troubleshoot the Smart Card VPN Solution

    The goal of the troubleshooting process is to identify where the solution is failing and to concentrate effort in that area.

    The following table shows some smart card-VPN solution troubleshooting guidelines.

    Table 1. Smart Card VPN Troubleshooting Guidelines

    Problem: Relevant certificates are not available in the CA.
    Solution: Enable certificate templates in Active Directory Sites and Services. Assign enroll permissions.

    Problem: Cannot assign certificates to the smart card.
    Solution: Install smart card writer. Assign Enrollment Agent certificate.

    Problem: VPN server cannot authenticate remote clients.
    Solution: Configure the server to support EAP-TLS authentication. Ensure that the certificate used on the server is trusted by the client.

    Problem: The client attempts to dial a connection before creating the VPN.
    Solution: Configure the client so that it does not dial an initial connection.

    Problem: The client does not attempt to dial a connection before creating the VPN.
    Solution: Configure the client to dial an initial connection.

    Problem: When the client attempts to create the VPN, the client is prompted for a user name, domain name, and password.
    Solution: Ensure that the VPN connection is configured to use a smart card. Ensure that the HideUserName, HideDomain, and HidePassword settings are enabled.

    Problem: The client does not have a connection object in network connections.
    Solution: Ensure that the Connection Manager profile has been delivered to the client. Ensure that the Connection Manager profile executable has run.

    Problem: The client does not connect to the VPN server.
    Solution: Ensure that the client connection is configured with the correct VPN server name. Ensure that the client is selecting the correct server from the VPN server list.

    Problem: The client cannot authenticate with the VPN server.
    Solution: Ensure that the client is connecting to the correct VPN server. Ensure that the smart card has a certificate that is trusted by the VPN server.