To set up a smart card for user logon

1. Log on as an enrollment agent for the domain where the user's account is located.
2. Open Internet Explorer.
3. In Address, type the address of the certification authority (CA) that issues smart card certificates, and then press ENTER.
4. Click Request a certificate and then click advanced certificate request.
5. Click Request a certificate for a smart card on behalf of another user using the smart card certificate enrollment station. If you are prompted to accept the smart card signing certificate, click Yes.
6. On the Smart Card Certificate Enrollment Station Web page, in Certificate Template, do one of the following:
   • Click Smart Card Logon if you want to use the smart card for logging on to Windows only.
   • Click Smart Card User if you want to use the smart card for secure e-mail as well as logging on to Windows.
7. In Certification Authority, click the name of the CA you want to issue the smart card certificate.
8. In Cryptographic Service Provider, select the cryptographic service provider (CSP) of the smart card's manufacturer.
9. In Administrator Signing Certificate, click the Enrollment Agent certificate that will sign the enrollment request.
10. In User To Enroll, click Select User, select the appropriate user account, and then click Enroll.
11. When prompted by the system, insert the smart card into the smart card reader on your computer, click OK, and then, when prompted by the system, enter the personal identification number (PIN) for the smart card.
12. (Optional) If the smart card you are setting up has a previously installed certificate on it, a message appears, asking whether you want to replace the existing credentials on the card. Click Yes.
13. After the certificate is installed on the smart card, the CA Web page will give you the option of viewing the certificate you just installed or beginning a new smart card certificate request.

Notes

• XOX
• In the first step, anyone in the domain who has an Enrollment Agent certificate and has security permissions to issue smart card certificates is considered an enrollment agent.
• The address of the certification server is the name of the server followed by /Certsrv. For example, in order to connect to the CA on a server named SmartcardCA, you would connect to:

  http://SmartcardCA/Certsrv

  Be sure to use the name of the server that the CA is installed on, not the CA name itself. In many cases, these names will be different.

• If you have no Enrollment Agent certificate available, see Related Topics.
• Users that will be logging on to computers running the Windows 2000 operating system must have a smart card enrolled from a computer running Windows 2000. Users that will log on to computers running XOX or XOX can have a smart card enrolled from a computer running any of these operating systems.

Related Topics