JSI Tip 4539. How do I install a smart card reader?
December 11, 2001
NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to ensure that you are reading the most current information.
Microsoft Knowledge Base article Q313557 contains:
IN THIS TASK
SUMMARY
To Install a Smart Card Reader on a Computer
To Enable Smart Card or Other Certificate Authentication
To Log On to a Computer with a Smart Card
Use Plug and Play Smart Card Readers
Troubleshooting
REFERENCES
SUMMARY
This article describes how to install a smart card reader.
Logging on to a network with a smart card provides a strong form of authentication because cryptography-based identification and proof of possession are used when a user is authenticated on a domain. For example, if a malicious person were to obtain a user's password, the malicious person could assume the user's identity on the network by using only the password. Many people choose passwords that they can remember easily. This makes passwords inherently weak and open to attack. With a smart card, the malicious person would have to obtain both the user's smart card and the personal identification number (PIN) to impersonate the user. This combination is more difficult to attack because an additional layer of information is needed to impersonate a user. An additional benefit is that a smart card is locked after a small number of consecutive unsuccessful PIN inputs. This makes a "dictionary" attack against a smart card difficult. Note that a PIN does not have to be a series of numbers; it can also use other alphanumeric characters.
To Install a Smart Card Reader on a Computer
If your reader includes instructions from the manufacturer, use those instructions. If no instructions are included, use the following general procedure:
Make sure that you have the Windows 2000 CD-ROM and any media from the smart card reader manufacturer that contains the appropriate device drivers.
Shut down and turn off the computer.
Depending on the type of reader you purchased, connect your reader to an available serial port or insert the PC Card card reader into an available PC Card Type II slot.
If your serial reader has a supplementary PS/2 cable or connector, connect your keyboard or mouse connector to the connector, and then plug that into your computer's keyboard or mouse port. Many new smart card readers take power from the keyboard or mouse port because power is not always provided by RS-232 ports and a separate power supply can be expensive and cumbersome.
Restart your computer and log on as an administrator.
Use one of the following methods:
If the device driver for the smart card reader is available in the Driver.cab file that is installed automatically with Windows 2000, the smart card reader is installed without any prompts or intervention. This may take a few minutes. You can confirm that the reader was installed if the Unplug or Eject Hardware icon appears in the status area of the taskbar (if the icon was not previously present) and if the reader appears in the list of hardware devices in the Unplug or Eject Hardware dialog box.
If the device driver for the smart card reader is not available in the Driver.cab file, the Add/Remove Hardware Wizard starts. Follow the instructions for installing the device driver. You may be prompted for the media (such as a CD-ROM or floppy disk) from the smart card reader manufacturer that contains the device driver. Or, your administrator may tell you about a network share from which to obtain the driver.
If the smart card reader is not installed automatically or the Add/Remove Hardware Wizard does not start automatically, your smart card reader may not be a Plug and Play device. Contact the smart card reader manufacturer to obtain the device driver and instructions about how to install and configure the device.
To Enable Smart Card or Other Certificate Authentication
Click Start, point to Settings, and then click Network and Dial-up Connections.
Right-click the dial-up, VPN, or incoming connection on which you want to use smart card or other certificate authentication, and then click Properties.
If you are using typical settings for your smart card, click Typical (recommended settings) on the Security tab, and then click Use smart card in the Validate my identity as follows box.
If you are individually enabling, configuring, and disabling authentication methods and encryption requirements, click Advanced (custom settings) on the Security tab, and then click Settings.
Under Logon security, click Use Extensible Authentication Protocol (EAP), click Smart card or other certificate (TLS) (encryption enabled), click Properties, and then use one of the following methods:
If you want to use the certificate that resides on your smart card, click Use my smart card.
If you want to use the certificate that resides in the certificate store on your computer, click Use a certificate on this computer.
If you want to verify that the server certificate that is presented to your computer has not expired, has the correct signature, and has a trusted root certificate authority, select the Validate server certificate check box.
If you want to connect only to servers in a particular domain, select the Connect only if server name ends with check box, and then type the name of the domain.
To specify that the root certificate authority for your server certificate must be a particular root certificate authority, click the appropriate certificate authority in the Trusted root certificate authority box.
To use a different user name if the user name in the smart card or certificate is not the same as the user name in the domain to which you are logging on, select the Use a different user name for the connection check box.
Notes:
If, for example, you want to connect only to servers in the Microsoft.com domain, type Microsoft.com in the Connect only if server name ends in box.
If, for example, you are working for a consulting company and you must log on to the domain of the company to which you are assigned, but your smart card contains a user name that is specific to your home company, select the Send a different user name from the one on the smart card or certificate check box.
If you select the Send a different user name from the one on the smart card or certificate check box, your certificate is exported without private keys and submitted to your system administrator to be explicitly mapped to your domain user account.
If you select the Connect only if server name ends with check box, and you do not type a domain name, you are prompted to use the domain name in the server certificate when you connect.
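The checks behind the Validate server certificate and Connect only if server name ends with settings, written out as an added example (this is not Microsoft's code and not how Windows 2000 implements them). The certificate is a constructed dict rather than a parsed X.509 object, the field names are this example's own, and the suffix match is enforced on a DNS label boundary, which is a deliberately stricter assumption than a plain string "ends with" test.

```python
from datetime import datetime, timezone


def utc_date(year, month, day):
    """Small helper so callers can build timezone-aware instants."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample: the facts an EAP-TLS client would take from the server's
# certificate. Field names are assumptions for this example, not a real API.
SAMPLE_CERT = {
    "subject_name": "vpn1.corp.example.com",
    "issuer": "Example Root CA",
    "not_before": utc_date(2001, 1, 1),
    "not_after": utc_date(2003, 1, 1),
    "signature_valid": True,  # assume the chain signature was already verified
}

# The "Trusted root certificate authority" selection, as a set of issuer names.
TRUSTED_ROOTS = {"Example Root CA"}


def name_ends_with(server_name, suffix):
    """Mirror the 'Connect only if server name ends with' setting.

    DNS names are compared case-insensitively. The suffix must match on a label
    boundary: "vpn.corp.example.com" matches "example.com", "notexample.com"
    does not. An empty suffix disables this particular check (the dialog then
    prompts for the domain found in the server certificate instead).
    """
    name = server_name.lower().rstrip(".")
    wanted = suffix.lower().strip().rstrip(".")
    if not wanted:
        return True
    return name == wanted or name.endswith("." + wanted)


def validate_server_cert(cert, trusted_roots, required_suffix, now):
    """Return the list of reasons to reject the server; empty means accept."""
    problems = []
    if not cert["signature_valid"]:
        problems.append("bad signature")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        problems.append("certificate expired or not yet valid")
    if cert["issuer"] not in trusted_roots:
        problems.append("issuer is not a trusted root CA")
    if not name_ends_with(cert["subject_name"], required_suffix):
        problems.append("server name does not end with the required domain")
    return problems
```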
To Log On to a Computer with a Smart Card
To log on to a computer with a smart card, you do not need to press CTRL+ALT+DELETE. When you insert the smart card into the smart card reader, you are prompted for your personal identification number (PIN) instead of your user name and password (and, if applicable, your domain).
To log on to a computer with a smart card:
When the logon screen is displayed, insert your smart card in the smart card reader.
Type the PIN for your smart card when you are prompted.
If the PIN that you type is recognized as legitimate, you are logged on to the computer and to the domain, based on the permissions that are assigned to your user account by the domain administrator.
If you type an incorrect PIN for a smart card several times in a row, you cannot log on to the computer with that smart card. The number of allowable incorrect logon attempts before you are locked out varies according to the smart card manufacturer. Contact your administrator for a replacement PIN.
Use Plug and Play Smart Card Readers
Microsoft recommends that, on Windows 2000-based computers, you use only smart card readers that have been tested by the Microsoft Windows Hardware Quality Lab and that have obtained the Windows-compatible logo.
Microsoft does not recommend using smart card readers that are not Plug and Play-compliant on Windows 2000-based computers. If you are using such a reader, you must obtain installation instructions (and the device drivers) directly from the manufacturer of the smart card reader. Microsoft does not support the use of non-Plug and Play smart card readers.
The following smart card readers are supported by Windows 2000. The drivers for these readers are installed only when Windows detects that you have connected the corresponding Plug and Play smart card reader.
Manufacturer          Smart card reader   Interface   Device driver
Bull                  CP8 Smart TLP3      RS-232      Bulltlp3.sys
Gemplus               GCR410P             RS-232      Gcr410p.sys
Gemplus               GPR400              PCMCIA      Gpr400.sys
Litronic              220P                RS-232      Lit220p.sys
Rainbow Technologies  3531                RS-232      Rnbo3531.sys
SCM Microsystems      SwapSmart           RS-232      Scmstcs.sys
SCM Microsystems      SwapSmart           PCMCIA      Pscr.sys
Troubleshooting
When you log off from a workstation that has a smart card reader installed, there may be a delay of up to one minute. This delay can occur if you log on to a workstation, lock the workstation and let a screen saver run for a few minutes, unlock the workstation, and then log off. The delay occurs in the Winlogon process.
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, please see the following article in the Microsoft Knowledge Base:
Q260910 How to Obtain the Latest Windows 2000 Service Pack
When you use a Web folder that requires a security certificate, you are prompted to select a certificate and supply a PIN for each program that attempts to access the Web share. This issue occurs because certificates are not globally cached on the workstation. Each process must query for the smart card PIN when the process first uses a certificate that is stored on the smart card.
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, please see the following article in the Microsoft Knowledge Base:
Q260910 How to Obtain the Latest Windows 2000 Service Pack
When you attempt to log on with a password, you may receive the following error message:
Your account has been disabled. Please see your system administrator.
This behavior can occur if your account is configured to allow logging on only with a smart card, but you attempt to log on with a password. You cannot log on without using a smart card until your administrator removes this restriction from your user account.
REFERENCES
For additional general information about using smart cards, see the following Microsoft Web site:
For additional information about installing smart cards, see the following Microsoft Web site:
For additional information about supported smart card readers, see the following Microsoft Web site:
For additional information about logging on to a computer with a smart card, see the following Microsoft Web site:
For additional information about administering smart cards, see the following Microsoft Web site: