Smartcards in Windows 7 and Windows Server 2008 R2

One of my favorite features of Windows 2000 was its built-in support for smartcards. As Windows has evolved since then, through XP and Server 2003, to Vista and Server 2008, and now with Windows 7 and Server 2008 R2, we have gained broader and more solid support for smartcards. In this article, I’d like to describe the current support in Windows 7 and Server 2008 R2 for smartcards; a later article will delve into fingerprint reader (biometrics) support.

One of the changes in Windows 7 and Windows Server 2008 R2 is support for the United States Federal Government’s Personal Identity Verification (PIV) standard for employee and contractor smartcards, which extends the Common Access Card (CAC) use of smartcards. A vendor of biometrics or other identity verification hardware which is compliant with the PIV standards can issue specialized drivers through Windows Update. When an end user inserts their PIV-compliant smartcard for authentication, the appropriate device drivers can be downloaded to the Windows 7 workstation automatically. This extends the basic smartcard plug and play functionality with support for PIV-compliant systems. There is even a generic driver included with Windows 7 for scenarios where a specific driver is not available.

But what if you don’t work for the U.S. Federal government – is there anything else new in the way Windows 7 supports smartcards which could be useful to you?

Since Windows 2000, there has been support for using smartcard public key (PK) authentication for the initial Active Directory-based Kerberos authentication at user logon. As the standards for this have evolved, newer versions of Windows have kept up. Windows 7 and Windows Server 2008 R2 implement RFC 4556, known as PKINIT, the open specification for using public key cryptography in the initial Kerberos authentication exchange.

Windows Vista introduced an update to the Cryptographic Application Programming Interface (CryptoAPI) used in Windows 2000 and XP; this update is called Cryptography API: Next Generation (CNG). CNG has been further enhanced in Windows 7 and Windows Server 2008 R2 with plug and play capabilities similar to the PIV driver updates delivered via Windows Update, but for smartcard support in any application software that uses CNG. Therefore, any line-of-business (LOB) application that is properly developed against CNG can integrate basic and enhanced smartcard functionality.

Let’s go back to the updates to PKINIT support and smartcard logon. Diffie-Hellman (DH) and Rivest-Shamir-Adleman (RSA) forms of public key cryptography and the classic forms of shared secret key cryptography (e.g. DES, 3DES, RC4) have been supported in Windows for many years. When these are combined with the CNG support for Elliptic Curve public key algorithms (e.g. ECDH, ECDSA), more modern shared secret key algorithms (e.g. AES128 and AES256), and longer hash output lengths (e.g. SHA384), the modern versions of Kerberos and PKINIT in Windows 7 and Windows Server 2008 R2 can provide a solid foundation for your security infrastructure, one which supports the PIV extensions as well.
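To see what a PKINIT smartcard logon actually depends on, the following PowerShell script (an added example, not code from the original post) inventories the certificates Windows has propagated from an inserted card into the user's personal store and reports the two EKUs Windows checks for by default (Client Authentication and Smart Card Logon), the UPN in the Subject Alternative Name that Active Directory uses to map the card to an account, and the public key and signature hash algorithms, so you can tell an older RSA/SHA-1 card from an ECC/SHA-384 one. It assumes Windows 7 with PowerShell 2.0 or later and that the Certificate Propagation service has copied the card's certificates into Cert:\CurrentUser\My (the default behaviour on card insertion); the function name is my own.

```powershell
# Added example (not from the original post): report smartcard certificates in the
# user's personal store together with the properties a PKINIT logon relies on.
# Assumes the Certificate Propagation service has populated Cert:\CurrentUser\My.

$oidClientAuth     = '1.3.6.1.5.5.7.3.2'       # Client Authentication EKU
$oidSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon EKU
$oidEkuExtension   = '2.5.29.37'               # Extended Key Usage extension
$oidSanExtension   = '2.5.29.17'               # Subject Alternative Name extension

function Get-SmartCardLogonReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in (Get-ChildItem $StorePath)) {
        # EKU OIDs present on the certificate (empty when it has no EKU extension).
        $ekus = @()
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oidEkuExtension }
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # Active Directory maps the card to the account via the UPN carried in the SAN.
        $upn = $null
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oidSanExtension }
        if ($sanExt -and ($sanExt.Format($true) -match 'Principal Name=([^\r\n]*\S)')) {
            $upn = $matches[1]
        }

        New-Object PSObject -Property @{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            KeyAlgorithm   = $cert.PublicKey.Oid.FriendlyName       # RSA or ECC
            SignatureAlg   = $cert.SignatureAlgorithm.FriendlyName  # e.g. sha1RSA, sha384ECDSA
            HasPrivateKey  = $cert.HasPrivateKey                    # private key is on the card
            UPN            = $upn
            ClientAuth     = ($ekus -contains $oidClientAuth)
            SmartCardLogon = ($ekus -contains $oidSmartCardLogon)
            NotAfter       = $cert.NotAfter
        } | Select-Object Subject, UPN, KeyAlgorithm, SignatureAlg, ClientAuth, SmartCardLogon, HasPrivateKey, NotAfter, Thumbprint
    }
}

# Certificates that can serve a smartcard logon: both EKUs, key on the card, still valid.
Get-SmartCardLogonReport |
    Where-Object { $_.ClientAuth -and $_.SmartCardLogon -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Format-List
```

Run it with the card inserted; a certificate that is missing either EKU, has no UPN, or has expired is the first thing to look at when a logon that used to work starts failing. Certificates without the Smart Card Logon EKU may still be usable for other purposes such as TLS client authentication or S/MIME, which is why the report lists every certificate rather than only the logon-capable ones.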

For securing documents, email, and other network traffic, the combination of CNG, PKINIT, and PIV can be extended to IPsec, S/MIME, and XPS for a powerful array of features targeted at deployments requiring defense-in-depth strategies. What if you want to encrypt whole disk volumes? If you’re using the Enterprise or Ultimate editions of Windows 7, smartcards can be used to unlock BitLocker encrypted disk volumes. Again, if you need PIV support, any specialized device drivers can be downloaded via Windows Update.
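The BitLocker scenario works by adding a certificate on the card as a key protector for a volume. The following script (an added example, not code from the original post) locates a suitable certificate in the user's store and adds it with manage-bde, then lists the volume's protectors to confirm. It assumes Windows 7 Enterprise or Ultimate, an elevated PowerShell 2.0 or later prompt, the card's certificate propagated into Cert:\CurrentUser\My, and an already BitLocker-protected data volume on drive D: (the drive letter is a placeholder). Two caveats a practitioner should know: certificate protectors apply to fixed and removable data volumes, not the operating system volume, and by default BitLocker selects certificates carrying the usage OID 1.3.6.1.4.1.311.67.1.1 (the Group Policy setting "Validate smart card certificate usage rule compliance" can change that OID).

```powershell
# Added example (not from the original post): add a smartcard certificate as a
# BitLocker key protector for a data volume and verify the result.
# Assumptions: Windows 7 Enterprise/Ultimate, elevated prompt, certificate from the
# card present in Cert:\CurrentUser\My, and D: already encrypted with BitLocker.

$bitLockerUsageOid = '1.3.6.1.4.1.311.67.1.1'   # default BitLocker certificate usage OID
$volume = 'D:'                                   # placeholder data volume

function Find-BitLockerCardCertificate {
    param([string]$UsageOid = $bitLockerUsageOid)
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $cert = $_
        if (-not $cert.HasPrivateKey) { return $false }      # key must be on the card
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $UsageOid })
    } | Select-Object -First 1
}

$cert = Find-BitLockerCardCertificate
if (-not $cert) { throw "No certificate with usage OID $bitLockerUsageOid and a private key was found." }

# Add the certificate protector by thumbprint; unlocking will then require the card and its PIN.
manage-bde -protectors -add $volume -certificate -ct $cert.Thumbprint
if ($LASTEXITCODE -ne 0) { throw "manage-bde returned exit code $LASTEXITCODE" }

# Show every protector on the volume; a certificate protector should now be listed.
manage-bde -protectors -get $volume
```

Keep at least one other protector (a recovery password at minimum) on the volume: if the card is lost or its certificate expires, the certificate protector alone cannot be used to unlock the data. The same thumbprint can later be passed to `manage-bde -unlock D: -certificate -ct <thumbprint>` to unlock the volume from a script.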

It’s a matter of evolution rather than earth-shatteringly new features; however, Windows 7 and Windows Server 2008 R2 strongly continue the tradition of Windows support for smartcards which began with Windows 2000. What has changed is the ease of deployment and management of smartcards in Windows, enhancements to security with newer protocols and algorithms, and support for newer multi-factor authentication standards in an authentication, authorization, and auditing system. Are you using smartcards yet? Or are you still trusting your systems to password/passphrase security?

-Brad


6 comments

  1. Jean-christophe Linden

    Hi, great enhancements, but can we use a smartcard for authentication without Kerberos or Active Directory? On a stand-alone computer, for example…
    Jean-christophe.

  2. Brad Werner

    Hello, the quick answer is yes. The other answer is no. Let me try to explain what I mean. 🙂

    It really depends on what kind of authentication you want to do. As I mentioned in the post above, if you want Active Directory Domain Services (AD DS) authentication, then a public key infrastructure and of course Active Directory Domain Services, inevitably including Kerberos, would be involved. There are actually several possible scenarios for how the public key authentication done with the smartcard and PIN works with Active Directory, but the domain controller which gets proof of authentication will issue a Kerberos ticket-granting ticket in those cases.

    Now to your question. Yes, there are other kinds of authentication which can certainly make great use of a smartcard where Active Directory (AD DS) is either not involved at all, or not directly involved with the machine we’re using the smartcard on.

    For example, Windows should let Internet Explorer pass on smartcard credentials to web sites which want “client certificates” for mutual authentication with SSL/TLS (i.e. https://…).

    Remote Desktop Services (a.k.a. Terminal Services) also allows authentication using a smartcard. Various web-based applications such as Outlook Web Access may obtain their credentials from the web services which use SSL/TLS client authentication.

    Other services such as S/MIME, BitLocker, and third-party applications and middleware can also make use of the public key authentication possible with the smartcard. Many of these services can work either with or without an Active Directory relationship on the computer with the smartcard.

    I hope that helps! Does it answer your questions? Does it raise more?

    Cheers,
    Brad

  3. JR Aratea

    I had Windows 2003 domain controllers (DCs) and XP and Vista clients. I had enabled the cryptographic logon (CLO) using the common access card (CAC) smart card and was successful and working fine. Then I upgraded my domain to Windows 2008 R2 DCs and Windows 7 clients and now the CLO is having an issue. The error says: “The system could not log you on. You cannot use a smart card to log on because smart card log on is not supported for your user account.”

  4. Brad Werner

    JR,

    I don’t know what the problem is; however, here are a few things to try if you haven’t already, and some questions too:

    (a) What kind of smart card readers are you using? (e.g. SCR331)
    (b) Have you updated the firmware for the smartcard readers to a version compatible with Windows 7?
    (c) Did you do an in-domain transition from the 2003 to 2008R2 DCs? Or did you change domains and migrate user accounts during the change from 2003 to 2008R2 DCs?
    (d) Is the “Smart card is required for interactive logon” account option checked in the users’ Account properties? While this isn’t required to be able to use the CAC or other smart card, it’s good to check the account status as well as this setting. If this is not set, can the users still log on using username/password authentication?
    (e) Are there still Windows XP/Vista workstations in the upgraded AD DS environment, and if so, do those still work while Windows 7 fails for smartcard logon?
    (f) If you are using the same domain (see question (c) above), has there been any change to Group Policy configuration of public key policies when upgrading? Are the Trusted Root Certification Authorities the same as before?
    (g) Has the public key infrastructure, such as Active Directory Certificate Services, changed in any way other than what you checked in question (e)? Have the certificate servers been upgraded as well?
    (h) Have you checked the event logs on the workstations and the domain controllers for public key authentication issues?

    If you have any questions on how to check any of these things, please let me know.

    I hope this helps!

    Thanks,
    Brad
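Step (h) of the checklist above, checking the event logs for public key authentication issues, can be scripted. The following PowerShell (an added example, not part of the original post or of Brad's reply) reads the Security log on a Windows Server 2008 R2 domain controller for Kerberos authentication service events 4768 (TGT requested) and 4771 (pre-authentication failed) and extracts the Certificate Information block that a PKINIT request fills in and a password logon leaves empty, so you can see whether the failing user's requests reached the DC with a certificate and what result code came back. A second function reads the System log on the DC or the workstation for events from the KDC and Kerberos client providers. It assumes PowerShell 2.0 or later, an elevated prompt, auditing of Kerberos authentication service events enabled on the DC, and a user name of jsmith as a placeholder; the function names are my own.

```powershell
# Added example (not from the original post or comments): collect Kerberos/PKINIT
# events for smartcard logon troubleshooting. Security log part runs on the DC.

function Get-PkinitLogonEvents {
    param([string]$AccountName = '*', [int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 4768, 4771; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $msg = $_.Message
        # First "Account Name" in 4768/4771 is the requesting account.
        $account = if ($msg -match 'Account Name:[ \t]*(\S+)') { $matches[1] } else { $null }
        # Certificate Information is only populated for a PKINIT (smartcard) request.
        $issuer  = if ($msg -match 'Certificate Issuer Name:[ \t]*([^\r\n]*\S)') { $matches[1] } else { $null }
        $thumb   = if ($msg -match 'Certificate Thumbprint:[ \t]*([0-9A-Fa-f]{40})') { $matches[1] } else { $null }
        # 4768 reports "Result Code", 4771 reports "Failure Code".
        $code    = if ($msg -match '(Result|Failure) Code:[ \t]*(0x[0-9A-Fa-f]+)') { $matches[2] } else { $null }

        New-Object PSObject -Property @{
            Time       = $_.TimeCreated
            EventId    = $_.Id
            Account    = $account
            Code       = $code
            UsedCert   = [bool]$thumb
            CertIssuer = $issuer
            CertThumb  = $thumb
        }
    } | Where-Object { $_.Account -like $AccountName } |
        Select-Object Time, EventId, Account, Code, UsedCert, CertIssuer, CertThumb
}

function Get-KerberosSystemEvents {
    param([int]$Hours = 24)
    # KDC-side certificate problems are logged by the Key Distribution Center provider
    # (on the DC); client-side Kerberos errors by the Security-Kerberos provider.
    $providers = 'Microsoft-Windows-Kerberos-Key-Distribution-Center', 'Microsoft-Windows-Security-Kerberos'
    $filter = @{ LogName = 'System'; ProviderName = $providers; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message
}

# On the DC: smartcard TGT requests and failures for one user over the last day.
Get-PkinitLogonEvents -AccountName 'jsmith' | Format-Table -AutoSize
# On the DC or the workstation: Kerberos provider events that may explain a failure.
Get-KerberosSystemEvents | Format-List
```

If the failing user's 4768/4771 events show UsedCert as False, the workstation never sent a certificate and the problem is on the client or card side; if they show a certificate and a non-zero code, the DC rejected it, and the CertIssuer value tells you which CA chain to compare against the Trusted Root Certification Authorities and NTAuth configuration from questions (f) and (g).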

  5. Mah

    Greetings,

    I plan to deploy smart card logon using a token on Windows Server 2008 R2. Is there any step-by-step guide to do so which explains it from scratch?

    Thanks,

  6. sam

    Hello Brad,

    I am testing smartcards in a lab environment using a PIV card. It had been working for several days, and I also decided to test with McAfee Endpoint Encryption. I just started getting an error: “The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your account. Contact your sys admin to ensure that smart card logon is configured for your organization”. Did something go wrong with AD? Did the certs get corrupted? I am at a loss for ideas; can you provide guidance?

    Thanks
    Sam