Windows Server 2016 -- convert to "SmartCard" logins ?

finance_teacher
I already have an Active Directory Windows Server 2016 home test server set up, but now want to change my few test Windows 10 Pro clients to use SmartCards.

What URL do you recommend showing a step-by-step on how to set up SmartCards in Server 2016 only for CLIENTS, NOT for logging into the server as "user=DAadmin", since I want to still be able to log in to the server without a SmartCard?

I found https://malwaretips.com/threads/how-to-protect-your-head-less-home-server-with-smart-card-authentication-and-a-yubikey.71078/, but think there might be something better.

Distinguished Expert 2017

Commented:
Commonly you need a CA in your environment. Then each user would request and get a certificate that will be installed on the smartcard.
See the following as a reference:
https://blogs.msdn.microsoft.com/edutech/certificate-services/configure-server-2012-ca-for-smartcard-authentication/
If you do not have your own CA, see https://support.microsoft.com/en-us/help/281245/guidelines-for-enabling-smart-card-logon-with-third-party-certificatio
Exec Consultant
Distinguished Expert 2018
Commented:
The guidance in the notes for requesting a smart card certificate from the third-party CA is a useful reference.

What is on the smartcard is important, such as the Enhanced Key Usage and the Subject Alternative Name = Other Name: Principal Name = (UPN). Smartcard logon certificates must have a Key Exchange (AT_KEYEXCHANGE) private key type in order for smartcard logon to function correctly.

Also, you need to test the card with your application against the certificate, which in my case had to be thoroughly tested, and not only the smartcard logon, when the card is tied to other application dependencies. These are out of the test coverage. Consider instilling the procedure; here is an example workflow in general:
1. Staff signs an agreement to accept the roles and responsibilities associated with a company-issued asset.
2. Staff goes to the enrollment center to obtain a new smart card.
3. Staff provides proof of ID.
-- Two pieces of ID may be required, e.g. depending on the card options and the appropriate level of security.
4. Enrollment officer uses the enrollment card to create the card to be issued.
-- A private terminal for the officer is preferred.
-- Flash the card; the staff's smart card profile is purged and the tracking logs are updated.
-- A simple card password, such as "Re53TcArd12", is flashed on the card for a short period of time, e.g. 12 hrs.
5. The new cardholder must change the PIN to a permanent personal PIN within that time.
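The two answers above describe what a working smartcard logon certificate must contain (Smart Card Logon EKU, a UPN in the Subject Alternative Name, an AT_KEYEXCHANGE private key) and the question asks to enforce smartcards for the test clients only, not for the DAadmin account. The following PowerShell is an added example written for this thread, not code from either expert or from Microsoft: the first function inspects a certificate in the local store for those properties, and the second sets the per-user "Smart card is required for interactive logon" attribute in AD, which is the standard way to require a card for some accounts and not others. It assumes the `ActiveDirectory` RSAT module is available for the second function, and the account names it uses are placeholders.

```powershell
# Added example (not from the original post). Assumptions: run the certificate
# check on the Windows 10 client holding the card, and the account check on a
# machine with the ActiveDirectory module; 'testuser1'/'testuser2' are placeholders.

# OIDs used by Windows for smart-card logon certificates
$OidSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'   # EKU: Smart Card Logon
$OidClientAuth     = '1.3.6.1.5.5.7.3.2'        # EKU: Client Authentication
$OidEku            = '2.5.29.37'                # Enhanced Key Usage extension
$OidSan            = '2.5.29.17'                # Subject Alternative Name extension

function Test-SmartCardLogonCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $result = [ordered]@{
        Subject          = $Certificate.Subject
        HasSmartCardEku  = $false
        HasClientAuthEku = $false
        HasUpnInSan      = $false
        KeyIsExchange    = $null      # stays $null for CNG keys, where KeyNumber is not exposed
        HasPrivateKey    = $Certificate.HasPrivateKey
    }

    # Enhanced Key Usage: re-wrap the raw extension so EnhancedKeyUsages is available
    $ekuRaw = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $OidEku }
    if ($ekuRaw) {
        $eku  = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ekuRaw, $false)
        $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        $result.HasSmartCardEku  = ($oids -contains $OidSmartCardLogon)
        $result.HasClientAuthEku = ($oids -contains $OidClientAuth)
    }

    # Subject Alternative Name: Windows formats the UPN entry as "Other Name: Principal Name=<UPN>"
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $OidSan }
    if ($san) {
        $result.HasUpnInSan = ($san.Format($true) -match 'Principal Name=')
    }

    # Private key type: legacy CSP keys report KeyNumber 'Exchange' (AT_KEYEXCHANGE) or 'Signature'
    try {
        $csp = $Certificate.PrivateKey.CspKeyContainerInfo
        if ($csp) { $result.KeyIsExchange = ($csp.KeyNumber -eq 'Exchange') }
    } catch {
        # PrivateKey is not readable for CNG-backed keys in Windows PowerShell; leave $null
    }

    [pscustomobject]$result
}

function Set-SmartCardRequiredForUsers {
    # Requires the card for the listed accounts only; any account not listed
    # (e.g. the DAadmin account from the question) keeps password logon.
    param([Parameter(Mandatory)][string[]]$SamAccountName)

    Import-Module ActiveDirectory
    foreach ($name in $SamAccountName) {
        Set-ADUser -Identity $name -SmartcardLogonRequired $true
    }

    # Report the flag for every user so it is easy to confirm who was and was not changed
    Get-ADUser -Filter * -Properties SmartcardLogonRequired |
        Select-Object SamAccountName, SmartcardLogonRequired
}

# Usage (placeholder names):
#   Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-SmartCardLogonCertificate $_ }
#   Set-SmartCardRequiredForUsers -SamAccountName 'testuser1','testuser2'
```

A certificate that reports `HasSmartCardEku` (or `HasClientAuthEku`) and `HasUpnInSan` as true and `KeyIsExchange` as true meets the requirements quoted in the answer above; `KeyIsExchange` of `$null` only means the key is CNG-backed and the legacy check does not apply. Setting the flag on the test users alone, as the second function does, is what keeps the server's admin account usable without a card.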
