Smart Card Authentication with Active Directory

Industry leaders are constantly looking for solutions to improve wireless network security and efficiency. Organizations must ensure their users can easily access their networks at any time without any security risks. Meanwhile, users shouldn’t have to go through a long and confusing process to secure their devices and access the network.

In an effort to improve security and efficiency, industry leaders pushed the smart card, a physical card distributed to employees containing their identifying information. When logging into an app, users are prompted to provide their smart card information, which authenticates the user and approves them for network access. Should the smart card be lost or stolen, many organizations implement Multi-Factor Authentication and protect the card with a PIN.

Smart cards have elevated wireless network standards, and Microsoft admins can configure smart card software and Active Directory with an approved certificate authority (CA) to digitally sign and use certificates for user authentication. However, security and efficiency can still be upgraded if users are authenticated with digital X.509 certificates.

What is Smart Card PIV Authentication?

Smart card PIV authentication, or smart card logon, is the process of authenticating users by administering smart cards with digital X.509 certificates approved by trusted CAs. Admins can input user information and policies onto a certificate, which then serves as the user's authentication identity.

Certificate-Based Smart Card Authentication

An apparent caveat with certificates is the idea of manually configuring every device and smart card with a customized certificate. To be fair, the configuration process involves a complicated list of steps that must be followed and a high level of IT knowledge to even understand. It's simply too complex for the average network user to follow, and dumping the project onto the IT department would overflow their workload.

Implementing a PKI is a complicated, labor-intensive, and expensive task that requires a team of trained professionals to manage (and compensation matching their expertise). Luckily, SecureW2 provides a turnkey managed cloud PKI solution that can be set up in under an hour and doesn’t require PKI expertise.

Microsoft admins are able to configure AD with our services and administer digital certificates to all network users containing their specific user credentials. Our certificate onboarding solutions allow smart card users to easily self-configure their cards with a digital certificate that will verify their identities.

SecureW2's Managed PKI software ties an issued certificate to its respective smart card, unlike passwords that can be shared or stolen. Users can easily self-configure their smart cards using SecureW2's JoinNow MultiOS onboarding software, simplifying the entire process. By providing identity context and their AD credentials, users can be enrolled for certificates that will verify authentication going forward. The result is completely passwordless authentication.

Enabling Smart Card Logon Using Active Directory

The process for setting up smart card authentication by configuring AD can be simple. This article by Microsoft covers an in-depth overview of configuring smart card authentication with third-party CAs.

Here’s a quick overview of the configuration process:

  1. Download the certificate chain from the CA that issues certificates to smart cards.
  2. Import the CA into SecureW2 and configure AD as the Identity Provider.
    • Admins will be able to customize certificates specific to users by inputting their credentials and policies from AD.
  3. Add the SecureW2 root CA to the trusted roots in AD and configure a GPO to distribute the CA to all domain computers.
  4. Add SecureW2's CA to the NTAuth store in AD.
    • The logon process will not work unless the CA issuing the smart card certificate is added to the NTAuth store.
  5. Install certificates onto the domain controllers that will authenticate smart cards.
    • Admins can customize and install certificates on both devices and servers, ensuring they only connect with each other because they can verify one another with their certificates.
  6. Request a smart card certificate from the CA.
    • Smart card logon certificates must have a Key Exchange private key for the process to work.
  7. Integrate smart card software with PKI infrastructure.
  8. Equip all network smart cards with an appropriate smart card certificate.

From now on, smart card holders authenticate to the network automatically with their certificates.
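As an added example (not from the article or SecureW2), here is a PowerShell check for two of the steps above: that the issuing CA is really published in AD's NTAuth store (step 4), and that a card's certificate carries the attributes Windows smart card logon requires (step 6). The function names and the placeholder values are assumptions; it is meant to run on a domain-joined Windows machine.

```powershell
# Added example (not from the article or SecureW2): verification for steps 4 and 6.
# Function names and the placeholder values are hypothetical; the OIDs are the standard Windows values.

# Step 4: is this CA published in the directory's NTAuthCertificates object?
function Test-NTAuthContainsCA {
    param([Parameter(Mandatory)][string]$CaThumbprint)
    $cfg    = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ntauth = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$cfg"
    foreach ($raw in $ntauth.Properties['cACertificate']) {
        $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        if ($ca.Thumbprint -eq $CaThumbprint) { return $true }
    }
    return $false   # logon fails until the issuing CA is here (certutil -dspublish -f ca.cer NTAuthCA)
}

# Step 6: does a smart card certificate carry what Windows logon requires?
function Test-SmartCardLogonCert {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    $ext = @{}; foreach ($e in $Cert.Extensions) { $ext[$e.Oid.Value] = $e }
    # Enhanced Key Usage must include Smart Card Logon and Client Authentication
    $ekuOids = @()
    if ($ext['2.5.29.37']) {
        $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension -ArgumentList $ext['2.5.29.37'], $false
        $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }
    if ('1.3.6.1.4.1.311.20.2.2' -notin $ekuOids) { $problems += 'missing Smart Card Logon EKU' }
    if ('1.3.6.1.5.5.7.3.2' -notin $ekuOids)      { $problems += 'missing Client Authentication EKU' }
    # Key Usage must include Digital Signature
    $ku = $null
    if ($ext['2.5.29.15']) { $ku = New-Object System.Security.Cryptography.X509Certificates.X509KeyUsageExtension -ArgumentList $ext['2.5.29.15'], $false }
    if (-not $ku -or -not ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) {
        $problems += 'Key Usage lacks Digital Signature'
    }
    # Subject Alternative Name must carry the user's UPN (Other Name: Principal Name)
    if (-not $ext['2.5.29.17'] -or $ext['2.5.29.17'].Format($true) -notmatch 'Principal Name=') {
        $problems += 'SAN has no UPN'
    }
    # The "Key Exchange private key" the article mentions (AT_KEYEXCHANGE); only checkable when the
    # certificate was read from a store together with a CSP private key
    if ($Cert.HasPrivateKey -and $Cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider] -and
        $Cert.PrivateKey.CspKeyContainerInfo.KeyNumber -ne 'Exchange') {
        $problems += 'private key is not an AT_KEYEXCHANGE key'
    }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'certificate has expired' }
    return ,$problems   # empty array means the certificate passes these checks
}

# Usage (placeholders): Test-NTAuthContainsCA -CaThumbprint 'ISSUING-CA-THUMBPRINT'
# Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey | ForEach-Object { Test-SmartCardLogonCert $_ }
```

An inserted card's certificates appear in Cert:\CurrentUser\My through the Certificate Propagation service, which is why the usage line reads them from there.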

Smart Card Logon with Active Directory and SecureW2

AD-domain environments can offer far better wireless network security and user experience with certificate-based authentication. Passwords are obsolete and incredibly vulnerable, while certificates eliminate over-the-air credential theft and prevent a user's credentials from being compromised. By integrating your environment with SecureW2's PKI and configuring AD as the Identity Provider, admins can input user attributes and policies into certificates and distribute them to end user devices automatically. All this comes at a fraction of the cost of an on-prem solution for AD and smart cards.

Sam Metzler

Sam (aka Slammin Salmon, Street Hustler Sam, Samilstilskin) is a copywriter within the marketing team and a man of many nicknames. He has a degree in Marketing from the University of North Texas with previous experience in mortgage marketing and financial services.
