Smart Card Enrolment problems

I am currently testing a smart card implementation and while I have most things working I have a problem with enrolling smart cards

I have setup my PKI environment and CA servers without difficulty and I am able to successfully enroll on behalf of to generate the smart card user certificates.

My problem is that per the documentation I have read (see link) the enroll on behalf of process is supposed to a) ask me to set a PIN and b) put the certificate on the smartcard.  But it does neither of these.  Instead I have to export the certificate and then go to where I am able to copy the exportd certificate and set the PIN.

This is one of the documents I have followed

All servers are 2012 R2
All test clients are Windows 7

All patches have been applied to all systems

LVL 23
Erik BjersPrincipal Systems AdministratorAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
Rather similar steps (instead go thru web) as well advised by Gemalto for .NET2 card (instead), see this from Gemalto
I rather see it is the card driver and reader driver that does not seems to recognise the card and the card or reader itself may not even be the one similar to those article...reader has to be PC/SC compliant and smartcard. Maybe good to check out the diagnostic tool under Gemalto suggested list to make the two entities are working as expected first...
Erik BjersPrincipal Systems AdministratorAuthor Commented:

Your first link is outdated and no longer valid, smartcard enrollment through the certsrv web interface was removed after Windows Server 2003

The smartcard diagnostics pass without issue.  As I said in the post the smartcards are working, I am able to copy certificates to the cards and use them for login.

The problem is, according to the documentation the enroll on behalf of process should ask me to set a PIN on the card and copy the certificate to the card.  It is not doing either of these.

See step 9 in the link I posted in the original question, or the attached screen shot.  This window never comes up during the process.
btanExec ConsultantCommented:
Noted - the web req has no different to the one cert issuance via the actual MMC too.

or even from MS itself

I notice in the issuance policy configured stated 3 options and default used is "Enroll subject without requiring any user input" compared to other
Prompt the user during enrollment -
The user will receive a message and may need to take an action when enrollment is performed. This action may be necessary when the certificate is intended for a smart card, which would require the user to provide their personal identification (PIN).
Prompt the user during enrollment and require user input when the private key is used-
This setting prompts the user both during enrollment and whenever the private key is used. This is the most interactive autoenrollment behavior, as it requires the user to confirm all use of the private key. It is also the setting that provides the highest level of user awareness regarding key usage.
The PIN asked should be another new user's smart card (normally blank smart card )
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Erik BjersPrincipal Systems AdministratorAuthor Commented:

web enrollment for smart cards has not been supported since 2003, it is not an option anymore.

Anyway I found the problem, it was my selected crypto provider.  I had Microsoft Base Cryptographic Provider selected and I needed Microsoft Base Smart Card Crypto Provider

For some reason this provider was not listed in my template and I had to delete and recreate it.  Once I created a new template and selected the correct provider everything started working.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
I understand the web enrollment, thanks for sharing on the CSP aspects, that is inside the steps as well.
Erik BjersPrincipal Systems AdministratorAuthor Commented:
Yes it is inside the steps but somehow the correct provider was missing from my template and I selected the one that was closest (without realizing I was not selecting the correct provider).

I am not sure why it was not available in my template, but recreating took care of t
btanExec ConsultantCommented:
thanks for sharing, indeed in fact the two CSP is just one next to each other and shouldnt be missed out by the system in the listing esp when it is native CSP with windows 2012.  Specifically, the registry store it (below) as well for all installed CSPs. Hope to assist in a way.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider
Erik BjersPrincipal Systems AdministratorAuthor Commented:
I resolved the issue on my own.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.