Using smart cards for remote access

The use of smart cards for user authentication is the strongest form of authentication in Windows 2000. For remote access connections, you must use the Extensible Authentication Protocol (EAP) with the Smart card or other certificate (TLS) EAP type, also known as EAP-Transport Level Security (EAP-TLS). To use smart cards for remote access authentication, you must do the following:

Configuring the remote access server computer to provide remote access services

You can configure the remote access server running Windows 2000 as described in Using the remote access server as a corporate remote access server for dial-in remote access or Using the remote access server for remote access VPN connections for VPN remote access.

Installing a computer certificate on the remote access server computer

In order to configure EAP-TLS on the remote access server computer, you must install a computer certificate, also known as a machine certificate. To install a computer certificate on the remote access server computer, a certificate authority must be present to issue certificates. Once the certificate authority is configured, you can install a certificate on the remote access server computer in two different ways:

  1. By configuring the automatic allocation of computer certificates to computers in a Windows 2000 domain.
  2. By using Certificate Manager to obtain a computer certificate.

Depending on the certificate policies in your organization, you need to use only one of these two methods.

To configure a certificate authority and install the computer certificate, perform the following steps:

  1. Install the Windows 2000 Certificate Services component as an enterprise root certificate authority. This step is only necessary if you do not already have an enterprise root certificate authority (CA).
    1. If necessary, promote the computer that will be a CA to a domain controller (DC). For more information, see To install a domain controller.
    2. Install the Windows 2000 Certificate Services component as an enterprise root CA. For more information, see To install an enterprise root certification authority.
  2. For auto-enrollment of machine certificates, configure the Windows 2000 domain. For more information, see To configure automatic certificate allocation from an enterprise CA.
  3. To create a computer certificate for the remote access server computer that is a member of the domain for which auto-enrollment is configured (as well as for other computers that are members of the domain), restart the computer or type secedit /refreshpolicy machine_policy at the Windows 2000 command prompt.
  4. To manually enroll machine certificates, use Certificate Manager to install the CA root certificate. For more information, see To manage certificates for a computer and To request a certificate.

Enabling a smart card logon process for the domain

To enable a smart card logon process for the domain, you can perform the following procedures:

  1. To configure a certification authority to issue smart card logon certificates
  2. To prepare a smart card certificate enrollment station
  3. To set up a smart card for user logon
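The computer certificate on the remote access server and the smart card logon certificate on the user's card are both X.509 certificates, and EAP-TLS distinguishes them by their Extended Key Usage (EKU) extension: the server side presents a certificate carrying the Server Authentication purpose, while a smart card logon certificate carries Client Authentication together with Microsoft's Smart Card Logon purpose. Those EKU values are not spelled out in this topic; they are stated here as the values Windows checks. The following Python script is an added example, not part of the original help topic, that decodes a raw DER EKU extension value and reports which of the two roles it satisfies. The two DER blobs at the bottom are constructed by hand for illustration and do not come from any real certificate.

```python
"""Decode an X.509 Extended Key Usage (EKU) extension value and report which
EAP-TLS role (server computer certificate or smart card logon certificate)
it satisfies.  Added example; the sample DER blobs are constructed."""

# id-kp OIDs from RFC 5280; the Smart Card Logon OID is Microsoft's.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"


def _read_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form.
    The first octet packs the first two arcs (fine for the 1.3.x OIDs here)."""
    first = content[0]
    arcs = [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """Parse ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER (RFC 5280)."""
    if not der or der[0] != 0x30:
        raise ValueError("EKU value must be a DER SEQUENCE")
    seq_len, pos = _read_length(der, 1)
    end = pos + seq_len
    oids = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        length, pos = _read_length(der, pos + 1)
        oids.append(_decode_oid(der[pos:pos + length]))
        pos += length
    return oids


def check_eap_tls_roles(der):
    """Return which EAP-TLS roles the EKU value satisfies.

    server:            the remote access server's computer certificate must
                       carry Server Authentication.
    smart_card_client: a smart card logon certificate must carry both
                       Client Authentication and Smart Card Logon.
    """
    oids = set(parse_eku(der))
    return {
        "server": SERVER_AUTH in oids,
        "smart_card_client": CLIENT_AUTH in oids and SMART_CARD_LOGON in oids,
    }


# Constructed sample EKU values (hand-encoded DER, not from a real certificate).
SERVER_EKU = bytes.fromhex("300a06082b06010505070301")
SMART_CARD_EKU = bytes.fromhex(
    "3016"                      # SEQUENCE, 22 content bytes
    "06082b06010505070302"      # OID 1.3.6.1.5.5.7.3.2 (Client Authentication)
    "060a2b060104018237140202"  # OID 1.3.6.1.4.1.311.20.2.2 (Smart Card Logon)
)

if __name__ == "__main__":
    for name, blob in (("server", SERVER_EKU), ("smart card", SMART_CARD_EKU)):
        print(name, parse_eku(blob), check_eap_tls_roles(blob))
```

Feed the script the raw value of the EKU extension (OID 2.5.29.37) taken from a certificate's DER encoding; it deliberately does no chain validation, so a "server" or "smart_card_client" result only means the purposes are present, not that the certificate chains to the enterprise root CA.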

Configuring the remote access server running Windows 2000 for smart card remote access

To configure the remote access server running Windows 2000 for smart card remote access, see To configure smart card remote access.

Configuring the remote access client running Windows 2000 for smart card remote access

You need to install a smart card reader on the remote access client computer. For more information, see To install a smart card reader on a computer.

Once a smart card reader is installed on the computer running Windows 2000, you are prompted whether you want to use the smart card for authentication when you create dial-up or VPN connections.

For existing dial-up or VPN connections, you can enable smart card authentication in the properties of the dial-up or VPN connection. For more information, see To enable smart card or other certificate authentication.