LocalID Configurations of Active Directory Certificate Template

Pre-Requisites

The following configuration items must be in place before users can issue and renew smart cards:

  • The server role “Active Directory Certificate Authority” must be configured and running.

  • A certificate template for smart card logon must be configured; see the section “Configuration of Certificate Template”.

Configuration of Certificate Template

LocalID requires an Active Directory certificate template configured as described in this section.

 

Configuration of a LocalID Default Template

To start the configuration of the LocalID template, open the “Certificate Authority” console on the Active Directory server:

 

Right-click on “Certificate Templates” and select “Manage” in the context menu.

 

Right-click on the “SmartCard Logon” template and select “Duplicate Template” in the context menu.

 

In the dialog that follows, click on the “General” tab and change both “Template Display Name” and “Template name” to LocalID. Enter 3 years for the “Validity period” and 820 days for the “Renewal period”, and tick “Publish Certificate in Active Directory”.

 

In the “Request Handling” tab, change the “Purpose” to “Signature and smartcard logon”.

 

In the “Cryptography” tab, leave the “Minimum key size” at its default of 2048, then tick “Requests must use one of the following providers” and select “Microsoft Base Smart Card Crypto Provider”.

 

In the “Security” tab, select “Authenticated Users” and tick “Enroll” under “Allow”.

 

In the “Extensions” tab, select “Application Policies” and click “Edit”.

 

The list of application policies in the “Application Policies” extension must include the entries below. If any are missing, click “Add” and select the missing item(s):

  • Client Authentication

  • Document Encryption

  • Encrypting File System

  • Secure Email

  • Smart Card Logon

When done, click OK to save.

 

Activation of Liga GlobalID Default Certificate Template

When saved, go back to the Certification Authority console, right-click “Certificate Templates” and select “New” → “Certificate Template To Issue”.

 

Find and add “LocalID”.

 

In some cases a restart of the Certification Authority service may be needed.
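Clicking through the tabs above leaves no record of what was actually saved, and a template that is configured but never added under “Certificate Template To Issue” fails silently at enrollment time. The script below is an added verification example, not part of the original Liga guide; it reads the LocalID template object from the forest Configuration partition over LDAP and compares it with the values given in the steps above (validity, renewal period, publish-to-AD flag, minimum key size, smart card CSP, application policies), then asks the CA whether the template is enabled. It assumes the template CN is “LocalID”, that it runs as a domain user on a domain-joined Windows host, and that `$CAConfig` is replaced with your own `<CAHost>\<CAName>` (the value shown is a placeholder). The subject-name check at step 4 is an extra hardening check of my own: the duplicated Smartcard Logon template builds the subject from Active Directory, and with “Authenticated Users” allowed to enroll it should stay that way.

```powershell
# Added verification script; not part of the original Liga guide.
# Assumptions (mine, not the page's): template CN is "LocalID", the script runs as a
# domain user on a domain-joined host, and $CAConfig is replaced with "<CAHost>\<CAName>".
$TemplateName = 'LocalID'
$CAConfig     = 'CAHOST.example.local\Example-CA'   # PLACEHOLDER, replace before use

# Expected values, taken from the configuration steps in this guide
$ExpectedValidityDays = 3 * 365      # "3 years"
$ExpectedRenewalDays  = 820
$ExpectedMinKeySize   = 2048
$ExpectedCsp          = 'Microsoft Base Smart Card Crypto Provider'
$ExpectedPolicies     = @{
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.80.1'   = 'Document Encryption'
    '1.3.6.1.4.1.311.10.3.4' = 'Encrypting File System'
    '1.3.6.1.5.5.7.3.4'      = 'Secure Email'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
}
$CT_FLAG_PUBLISH_TO_DS             = 0x8   # bit in msPKI-Enrollment-Flag
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod / pKIOverlapPeriod are stored as a negative little-endian
    # Int64 counting 100-nanosecond units; convert to whole days.
    param([byte[]]$Bytes)
    $ticks = [System.BitConverter]::ToInt64($Bytes, 0)
    [int][math]::Round((-$ticks) / 864000000000)   # 100-ns units in one day
}

$script:Results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $label = if ($Ok) { 'PASS' } else { 'FAIL' }
    $script:Results += [pscustomobject]@{ Check = $Name; Result = $label; Detail = $Detail }
}

# Certificate templates live in the Configuration partition of the forest
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tplPath  = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
if (-not [ADSI]::Exists($tplPath)) { throw "Template '$TemplateName' not found at $tplPath" }
$tpl = [ADSI]$tplPath

# 1. General tab: validity period, renewal period, publish to AD
$validity = ConvertFrom-PkiPeriod $tpl.pKIExpirationPeriod.Value
$renewal  = ConvertFrom-PkiPeriod $tpl.pKIOverlapPeriod.Value
Add-Check 'Validity period (days)' ([math]::Abs($validity - $ExpectedValidityDays) -le 1) "$validity (expected about $ExpectedValidityDays)"
Add-Check 'Renewal period (days)'  ($renewal -eq $ExpectedRenewalDays) "$renewal (expected $ExpectedRenewalDays)"
$enrollFlag = [int]$tpl.'msPKI-Enrollment-Flag'.Value
Add-Check 'Publish certificate in AD' (($enrollFlag -band $CT_FLAG_PUBLISH_TO_DS) -ne 0) ('msPKI-Enrollment-Flag = 0x{0:X}' -f $enrollFlag)

# 2. Cryptography tab: minimum key size and the smart card CSP
$minKey = [int]$tpl.'msPKI-Minimal-Key-Size'.Value
Add-Check 'Minimum key size' ($minKey -ge $ExpectedMinKeySize) "$minKey"
$csps = @($tpl.pKIDefaultCSPs | ForEach-Object { "$_" })   # entries look like "1,<provider name>"
$cspListed = [bool]($csps | Where-Object { $_ -like "*,$ExpectedCsp" })
Add-Check 'Smart card CSP listed' $cspListed ($csps -join '; ')

# 3. Extensions tab: every required application policy (and the matching EKU entry)
$appPolicies = @($tpl.'msPKI-Certificate-Application-Policy' | ForEach-Object { "$_" })
$ekus        = @($tpl.pKIExtendedKeyUsage | ForEach-Object { "$_" })
foreach ($oid in $ExpectedPolicies.Keys) {
    Add-Check "Application policy: $($ExpectedPolicies[$oid])" (($appPolicies -contains $oid) -and ($ekus -contains $oid)) $oid
}

# 4. Hardening check (my addition): the subject must still be built from AD, not
#    supplied by the requester, because Authenticated Users may enroll.
$nameFlag = [int]$tpl.'msPKI-Certificate-Name-Flag'.Value
Add-Check 'Subject built from AD (not supplied in request)' (($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0) ('msPKI-Certificate-Name-Flag = 0x{0:X}' -f $nameFlag)

# 5. The "Certificate Template To Issue" step: is the template enabled on the CA?
$caOutput = (& certutil.exe -config $CAConfig -CATemplates 2>&1) -join "`n"
Add-Check 'Template enabled on CA' ($caOutput -match "\b$([regex]::Escape($TemplateName))\b") $CAConfig

$script:Results | Format-Table -AutoSize
if ($script:Results.Result -contains 'FAIL') { exit 1 }
```

Run it after the template has been saved and added on the CA; a FAIL on the last row with everything else passing is the usual sign that the “Certificate Template To Issue” step (or the CA restart mentioned above) was skipped. The script only reads from AD and the CA, so it is safe to keep in a scheduled job as a drift check on the template.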

 

Creating a Certificate on the Console Root (Optional):

If you see the error "You cannot use a smart card to log on because smart card logon is not supported for your user account" when attempting to log on to your Windows computer with the smart card, this indicates that your domain controller does not have a valid certificate. To resolve this, use the steps below to request a new certificate.

 

Log on to the domain controller (which in this case is ADDEV), open the Run prompt and start mmc.exe.

 

In the top right corner of the Console Root window, click File → Add/Remove Snap-in:

 

Select “Certificates” and click “Add”:

 

Select “Computer account” and click “Next”:

 

Select “Local computer” and click “Finish”:

 

Then click on OK:

 

In the Tree view on the left, navigate to Certificates (Local Computer) → Personal → Certificates:

 

Click Action → All Tasks → Request New Certificates

 

Click Next:

 

Select “Domain Controller Authentication” and click “Enroll”:

 

Click Finish:

 

Now the error "You cannot use a smart card to log on because smart card logon is not supported for your user account" should be gone:
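The MMC steps above can be checked and, if needed, repeated without clicking through the console. The script below is an added troubleshooting example, not part of the original Liga guide. It looks in the domain controller's machine store for a certificate that is usable for smart card logon (private key present, currently valid, carrying the Server Authentication and KDC Authentication application policies, naming this host, and chaining to a trusted root) and, only if none is found, requests one from the “Domain Controller Authentication” template just as the “Request New Certificate” wizard does. It assumes an elevated PowerShell session on the domain controller, the PKI module (`Get-Certificate`) being available, and that the template's internal name is the built-in `DomainControllerAuthentication`.

```powershell
# Added troubleshooting script; not part of the original Liga guide.
# Assumptions (mine): elevated PowerShell on the domain controller, the PKI module is
# present, and the CA issues the built-in "DomainControllerAuthentication" template
# (display name "Domain Controller Authentication", the one chosen in the MMC steps).
$TemplateName  = 'DomainControllerAuthentication'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$KdcAuthOid    = '1.3.6.1.5.2.3.5'     # KDC Authentication
$DcFqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Get-DcAuthCertificate {
    # A usable DC certificate: private key present, currently valid, carries the
    # Server Authentication and KDC Authentication EKUs, names this host in its
    # subject alternative name, and chains to a trusted root.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le (Get-Date) -and $_.NotAfter -gt (Get-Date) -and
        (@($_.EnhancedKeyUsageList.ObjectId) -contains $ServerAuthOid) -and
        (@($_.EnhancedKeyUsageList.ObjectId) -contains $KdcAuthOid) -and
        (@($_.DnsNameList.Unicode) -contains $DcFqdn) -and
        $_.Verify()
    }
}

$existing = @(Get-DcAuthCertificate)
if ($existing.Count -gt 0) {
    Write-Host "Usable DC certificate(s) already present on ${DcFqdn}:"
    $existing | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
} else {
    Write-Host "No usable DC certificate on ${DcFqdn}; enrolling from template '$TemplateName'..."
    # Equivalent of Personal -> Certificates -> All Tasks -> Request New Certificate
    $result = Get-Certificate -Template $TemplateName -CertStoreLocation Cert:\LocalMachine\My
    if ($result.Status -ne 'Issued') {
        throw "Enrollment did not complete (status: $($result.Status)). Check that the CA publishes '$TemplateName'."
    }
    $result.Certificate | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
    # Re-run the same checks so the newly issued certificate is validated by the same rules
    if (@(Get-DcAuthCertificate).Count -eq 0) {
        throw 'The issued certificate did not pass the usability checks above.'
    }
}
```

Because the check is stricter than “a certificate exists” (it requires both application policies, the host name and a valid chain), it also catches the case where the DC holds only an expired or mis-issued certificate, which produces the same logon error. The built-in `certutil -DCInfo Verify` command gives a second opinion on the same certificates.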

 

Default smart card login

 

https://social.technet.microsoft.com/Forums/en-US/4c2aea7c-b52f-480e-a7ba-ec08c43be16b/windows-10-smart-card-login-by-default?forum=win10itprosetup 

© All rights reserved Liga Software ApS 2014 - 2022