Set up smart card logon in Active Directory

This article describes the prerequisites for smart card logon to laptops and servers using Windows. Click the links for instructions how to do the needed configurations. 

Prerequisites for smart card logon in Active Directory

For smart card logon to work, make sure that the following is set up: 

In the Active Directory domain:

1. Active Directory must trust the CA certificates of the certificate authority (CA) that issued the card certificates. 
   See Manually integrate third party CA in Active Directory. 
2. The domain controllers must have issued certificates that support smart card login. 
   If they don't already have certificates, then follow the instructions in Issue domain controller certificates. 
3. The domain controllers must have access to at least one of the following: 
   1. a valid certificate revocation list (CRL) 
   2. an Online Certificate Status Protocol (OCSP) 
   3. Authority Information Access (AIA) 

On the client:

1. A card reader must be connected to the computer. 
2. The computer must have a correct driver.
3. A smart card must be available and contain certificates for the needed operation; authentication, signing or encryption. 
4. A Cryptographic Service Provider (CSP) software must be installed, for example Nexus Personal Desktop.
5. The CA certificates must be imported into the truststore of the Windows client. 
   See Publish CA certificates to clients. 

Troubleshooting

For more information, see the following links: 

• Troubleshoot smart card logon to Windows 

Related information

• Guidelines for enabling smart card logon with third-party certification authorities
• Smart Card Group Policy and Registry Settings