Windows Server 2016 -- convert to "SmartCard" logins?

I already have an Active Directory Windows Server 2016 home test server set up, but now I want to change my few test Windows 10 Pro clients to use SmartCards.

What URL do you recommend showing a step-by-step on how to set up SmartCards in Server 2016 only for CLIENTS, NOT for logging into the server as "user=DAadmin", since I want to still be able to log in to the server without a SmartCard?

I found https://malwaretips.com/threads/how-to-protect-your-head-less-home-server-with-smart-card-authentication-and-a-yubikey.71078/, but I think there might be something better.

finance_teacher asked:
arnold commented:
Commonly you need a CA in your environment. Then each user would request and get a certificate that will be installed on the smartcard.
See the following as a reference...
https://blogs.msdn.microsoft.com/edutech/certificate-services/configure-server-2012-ca-for-smartcard-authentication/
If you do not have your own CA, see https://support.microsoft.com/en-us/help/281245/guidelines-for-enabling-smart-card-logon-with-third-party-certificatio

btan (Exec Consultant) commented:
The guidance in the notes on requesting a smart card certificate from the third-party CA is a useful reference.

What goes on the smartcard is important, such as the Enhanced Key Usage and Subject Alternative Name = Other Name: Principal Name = (UPN). Smartcard logon certificates must have a Key Exchange (AT_KEYEXCHANGE) private key type in order for smartcard logon to function correctly.

You also need to test the card with your application against the certificate, which in my case has to be thoroughly tested, and not only the smartcard logon, when the card is tied to other application dependencies. This is out of the test coverage. Consider instilling the procedure; here is an example workflow in general:
1- Staff signs an agreement to accept the roles and responsibilities associated with a company-issued asset.
2- Staff goes to the enrollment center to obtain a new smart card.
3- Staff provides proof of ID.
-- Two pieces of ID may be required, e.g. depending on the card options and the appropriate level of security.
4- Enrollment officer uses the enrollment card to create the card to be issued.
-- A private terminal for the officer is preferred.
-- Flash the card; the staff member's smart card profile is purged and the tracking logs are updated.
-- A simple card password, such as "Re53TcArd12", is flashed on the card for a short period of time, e.g. 12 hrs.
5- New cardholder must change the PIN to a permanent personal PIN within that time.
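To check the certificate requirements listed in this answer (Smart Card Logon EKU, UPN in the Subject Alternative Name, AT_KEYEXCHANGE private key) before handing a card to a user, here is an added PowerShell audit script. It is not from the thread or from Microsoft; it assumes the card's certificate has already been propagated into the current user's personal store (Cert:\CurrentUser\My), which the Certificate Propagation service does when the card is inserted. The OIDs for Smart Card Logon (1.3.6.1.4.1.311.20.2.2) and Client Authentication (1.3.6.1.5.5.7.3.2) are the standard Microsoft values; the function name Test-SmartCardLogonCert is my own.

```powershell
# Added example (not from the thread): audit certificates in the current user's
# personal store against the smart card logon requirements described above.
# Assumes the card is inserted and its certificate propagated to Cert:\CurrentUser\My.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'         # Client Authentication EKU

function Test-SmartCardLogonCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Enhanced Key Usage must include Smart Card Logon (Client Authentication is also expected).
    $ekuOids = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    if ($ekuOids -notcontains $SmartCardLogonEku) { $findings.Add("EKU lacks Smart Card Logon ($SmartCardLogonEku)") }
    if ($ekuOids -notcontains $ClientAuthEku)     { $findings.Add("EKU lacks Client Authentication ($ClientAuthEku)") }

    # 2. Subject Alternative Name (OID 2.5.29.17) must carry Other Name: Principal Name = <UPN>.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($true) } else { '' }
    if ($sanText -notmatch 'Principal Name=') { $findings.Add('SAN has no Other Name: Principal Name (UPN)') }

    # 3. The private key must be an AT_KEYEXCHANGE key. Legacy CSP keys expose this as
    #    KeyNumber = Exchange; CNG keys do not expose a key number through this property.
    if (-not $Cert.HasPrivateKey) {
        $findings.Add('no private key associated (card not inserted or not propagated?)')
    } else {
        $csp = $null
        try { $csp = $Cert.PrivateKey.CspKeyContainerInfo } catch { }
        if ($csp) {
            if ($csp.KeyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
                $findings.Add('private key is AT_SIGNATURE, not AT_KEYEXCHANGE')
            }
        } else {
            $findings.Add('CNG-backed key: confirm key usage with "certutil -user -store My"')
        }
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Ok         = ($findings.Count -eq 0)
        Findings   = ($findings -join '; ')
    }
}

# Run the check over every certificate in the personal store and show the results.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-SmartCardLogonCert -Cert $_ } |
    Format-Table -AutoSize
```

Any row with Ok = False tells you which of the three requirements the card's certificate fails, which is far quicker than diagnosing a failed logon from the client event log. Because the script only reads the certificate store, it can be run by the cardholder on a client without any domain privileges.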
