Create Smart Card Logon User on the domain controller server

Create a Domain user on the DC server. Log on with this user from a Windows workstation without a smart card first, and make sure the account works before smart card logon is enforced.

  1. Create a certificate request, using for example scuser.inf as shown below:

    [NewRequest]
    Subject = "CN=scuser,DC=vm-lab,DC=vm-eb,DC=com"
    KeyLength = 2048
    MachineKeySet = False
    ProviderName = "FEITIAN CSP For Fortinet V1.0"
    KeySpec = 1
    KeyUsage = 0xf0
    ProviderType = 1

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
    OID=1.3.6.1.4.1.311.20.2.2 ; Smart Card Logon

  2. Make sure both OIDs (Client Authentication and Smart Card Logon) are included in the .inf file.

  3. Use certreq.exe on the Windows workstation, with the FTK300 USB token plugged in and the FTK300 CSP installed, to create the CSR.

    For example: certreq -new scuser.inf scuser.req

  4. Sign the certificate request (scuser.req) with the Root CA certificate in FortiAuthenticator.

  5. Download the signed certificate (*.cer) from FortiAuthenticator to the PC.

  6. Use the following command to install the certificate onto the FTK300 USB token:

    certreq -accept scuser.cer (use the file name of your .cer file)

  7. Make sure the FortiAuthenticator Root CA certificate is installed on this Windows workstation before creating the certificate requests.

  8. Copy the FortiAuthenticator-signed .cer file to the domain controller server and map it to that Domain user.

  9. On the domain controller server, go to Administrative Tools > Active Directory Users and Computers > Users.

  10. Right-click the user name associated with the FTK300 USB token.

  11. Add the user's .cer file to this user account.

  12. Select "Smart card is required for interactive logon" for this Domain user in the User Properties dialog.

  13. Save all settings and reboot the domain controller server.

  14. Restart the Windows client workstation.

  15. Plug in the FTK300 with the smart card logon certificate installed.

  16. Select the FTK300 user on the Windows logon screen.

  17. Enter the PIN for the FTK300.

The user is logged on to the Domain.
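The following PowerShell check is an added example, not part of the Fortinet page or the FTK300 tooling: run on the workstation after "certreq -accept", it confirms the token certificate carries both EKUs from scuser.inf, chains to a CA trusted for logon, and has its private key on the FEITIAN CSP rather than in a software container, then prints the strong altSecurityIdentities mapping value for the domain user. It assumes Windows PowerShell 5.1, a certificate in the current user's Personal store, and an issuer DN with no escaped commas; the function name and parameter defaults are the example's own.

```powershell
# Added example (hypothetical helper, not from the Fortinet page).
# Assumes Windows PowerShell 5.1 and the signed scuser.cer already accepted onto the FTK300.
Import-Module PKI

$RequiredEku = @(
    '1.3.6.1.5.5.7.3.2',      # Client Authentication  (first OID in scuser.inf)
    '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon       (second OID in scuser.inf)
)

function Test-SmartCardLogonCert {
    param(
        [string]$SubjectCn = 'scuser',                          # Subject CN from scuser.inf
        [string]$CspName   = 'FEITIAN CSP For Fortinet V1.0'    # ProviderName from scuser.inf
    )
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "CN=$SubjectCn,*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key found for CN=$SubjectCn" }

    # 1. Both EKUs from [EnhancedKeyUsageExtension] must be present in the issued certificate.
    $ekuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus    = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $missing = @($RequiredEku | Where-Object { $ekus -notcontains $_ })
    if ($missing.Count) { throw "Certificate lacks EKU(s): $($missing -join ', ')" }

    # 2. The chain must build to the FortiAuthenticator Root CA installed on this PC, and that CA
    #    must be trusted for domain logon (NTAuth policy), or the DC will refuse the smart card.
    if (-not (Test-Certificate -Cert $cert -EKU $RequiredEku -Policy NTAuth -ErrorAction SilentlyContinue)) {
        throw 'Certificate does not chain to a CA trusted for logon (check the Root CA install and NTAuth store)'
    }

    # 3. The key must live on the token (hardware CSP from the .inf), not in a software key container.
    $csp = $cert.PrivateKey.CspKeyContainerInfo      # may prompt for the token PIN
    if ($csp.ProviderName -ne $CspName -or -not $csp.HardwareDevice) {
        throw "Private key is in '$($csp.ProviderName)' (hardware=$($csp.HardwareDevice)), not on the FTK300"
    }

    # Strong explicit mapping (X509IssuerSerialNumber): issuer RDNs in reverse order, serial in
    # reversed byte order. GetSerialNumber() already returns the bytes little-endian (reversed).
    $rdns = $cert.Issuer -split ',\s*'
    [array]::Reverse($rdns)
    $serialRev = ($cert.GetSerialNumber() | ForEach-Object { $_.ToString('X2') }) -join ''

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Mapping    = "X509:<I>$($rdns -join ',')<SR>$serialRev"
    }
}

Test-SmartCardLogonCert
```

The Mapping value is what an administrator would put in the user's altSecurityIdentities attribute on the DC (for example with Set-ADUser -Add); adding the .cer through the ADUC Name Mappings dialog instead writes an issuer+subject mapping, which domain controllers with the KB5014754 changes treat as weak.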
