{"id":887,"date":"2012-10-19T23:36:22","date_gmt":"2012-10-19T20:36:22","guid":{"rendered":"http:\/\/saisa.eu\/blogs\/Guidance\/?p=887"},"modified":"2012-10-21T10:52:50","modified_gmt":"2012-10-21T07:52:50","slug":"eidauthenticate-tool-for-smart-card-logon","status":"publish","type":"post","link":"https:\/\/saisa.eu\/blogs\/Guidance\/?p=887","title":{"rendered":"EIDAuthenticate, Tool for smart card logon"},"content":{"rendered":"<p>With the open source <a href=\"http:\/\/www.mysmartlogon.com\/products\/eidauthenticate.html\">EIDAuthenticate<\/a>, it is possible to use 2-factor authentication (smart card + PIN) to log in to Windows. EIDAuthenticate is for Windows Vista &amp; later on a stand-alone computer (a computer not in a domain, i.e. no Active Directory in use).<\/p>\n<p><img loading=\"lazy\" height=\"396\" alt=\"eidauthenticate-loginscreen\" src=\"http:\/\/saisa.eu\/blogs\/Guidance\/wp-content\/uploads\/2012\/10\/eidauthenticate-loginscreen.jpg\" width=\"450\" \/><\/p>\n<p><strong>What is needed<\/strong><\/p>\n<ul>\n<li>\n<div>Software EIDAuthenticate<\/div>\n<\/li>\n<li>\n<div>Smart Card Reader<\/div>\n<ul>\n<li>\n<div>I used <a href=\"http:\/\/www.akasa.com.tw\/update.php?tpl=product\/product.detail.tpl&amp;no=181&amp;type=Card%20Reader\/Hub&amp;type_sub=Card%20Reader&amp;model=AK-CR-02BK\">akasa \u00e9lite<\/a><\/div>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<div>Smart Card<\/div>\n<ul>\n<li>\n<div>I used <a href=\"http:\/\/www.aventra.fi\/English\/products_MyEID_E.html\">MyEID PKI Card<\/a><\/div>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<div>A local user account<\/div>\n<\/li>\n<\/ul>\n<p>A list of supported cards can be found on their web <a href=\"http:\/\/www.mysmartlogon.com\/products\/eidauthenticate.html\">site<\/a>. 
A more <a href=\"http:\/\/database.mysmartlogon.com\/Default.aspx\">complete list<\/a>, with details, is also available.<\/p>\n<p><strong>Flow<\/strong><\/p>\n<ul>\n<li>\n<div>First install the card vendor&#8217;s tools and drivers (<a href=\"http:\/\/www.aventra.fi\/English\/downloads_MyClient_E.html\">ActiveSecurity MyClient<\/a>), and then EIDAuthenticate.<\/div>\n<\/li>\n<\/ul>\n<ul>\n<li>\n<div>Initialize the card. I used the initialization script &#8220;small&#8221;, which basically creates 3 PINs on the card: Basic, Signature and Management (SO). At this point, there are no certificates on the card yet.<\/div>\n<\/li>\n<\/ul>\n<ul>\n<li>\n<div>Follow the <a href=\"http:\/\/wiki.mysmartlogon.com\/Configure_a_brand_new_smart_card_to_works_with_EIDAuthenticate\">instructions<\/a>; start by <a href=\"http:\/\/wiki.mysmartlogon.com\/Launch_the_EIDAuthenticate_wizard\">launching<\/a> the wizard in the Windows Control Panel.<\/div>\n<\/li>\n<\/ul>\n<p><img loading=\"lazy\" height=\"477\" alt=\"eidauthenticate-wizard\" src=\"http:\/\/saisa.eu\/blogs\/Guidance\/wp-content\/uploads\/2012\/10\/eidauthenticate-wizard.jpg\" width=\"450\" \/><\/p>\n<ul>\n<li>At the end of the wizard, there is a test to verify that the PIN works. After a successful test, the wizard asks whether the result can be sent to the online <a href=\"http:\/\/database.mysmartlogon.com\/Default.aspx\">database<\/a>.<\/li>\n<\/ul>\n<p><strong>Tips<\/strong><\/p>\n<ul>\n<li>\n<div>Initialize the smart card with the card vendor&#8217;s tools (not with <a href=\"http:\/\/www.opensc-project.org\/opensc\">opensc<\/a>).<\/div>\n<\/li>\n<li>\n<div>The self-signed root certificate created by the wizard is visible in the <a href=\"http:\/\/windows.microsoft.com\/is-IS\/windows-vista\/View-or-manage-your-certificates\">Certificate Manager<\/a> tool (certmgr.msc) in Windows 7. 
Look for the certificates under the tree branch &#8220;Trusted Root Certification Authorities\\Certificates&#8221;.<\/div>\n<\/li>\n<li>\n<div>Before a logon attempt, one can view the certification path via the link &#8220;Certificate Details&#8221; (see the first figure in this blog).<\/div>\n<\/li>\n<li>\n<div>For troubleshooting, one can use the <a href=\"http:\/\/wiki.mysmartlogon.com\/How_to_get_internal_logs\">EIDLogManager<\/a> tool.<\/div>\n<\/li>\n<\/ul>\n<blockquote>\n<p><img loading=\"lazy\" height=\"206\" alt=\"EIDlogmanager\" src=\"http:\/\/saisa.eu\/blogs\/Guidance\/wp-content\/uploads\/2012\/10\/eidlogmanager.jpg\" width=\"225\" \/><\/p>\n<\/blockquote>\n<ul dir=\"ltr\">\n<li>\n<div>One can use the card vendor&#8217;s tool, or opensc, to view the content of the smart card. The figure below shows the card vendor&#8217;s tool. The certificate on the card is for user &#8220;Lauri&#8221;, issued by &#8220;Lauri-PC&#8221;.<\/div>\n<\/li>\n<\/ul>\n<blockquote>\n<p><img loading=\"lazy\" height=\"772\" alt=\"EIDAuthenticate-certificate\" src=\"http:\/\/saisa.eu\/blogs\/Guidance\/wp-content\/uploads\/2012\/10\/eidauthenticate-certificate.jpg\" width=\"424\" \/><\/p>\n<\/blockquote>\n<ul>\n<li>\n<div><a href=\"http:\/\/www.opensc-project.org\/opensc\">OpenSC<\/a> and <a href=\"http:\/\/www.openssl.org\/\">OpenSSL<\/a> can be good tools to retrieve information from &#8220;common&#8221; smart cards. 
In this case, the certificate can be extracted from the card with the command<\/div>\n<\/li>\n<\/ul>\n<blockquote>\n<p><u>pkcs15-tool --read-certificate 45 --output certificate.pem<\/u><\/p>\n<\/blockquote>\n<ul>\n<li>and the issuer and subject can be extracted from the certificate with the command<\/li>\n<\/ul>\n<blockquote>\n<p><u>openssl x509 -in certificate.pem -issuer -subject -noout<\/u><\/p>\n<\/blockquote>\n<ul>\n<li>which are the same as the subjectCN and issuerCN in the figure above.<\/li>\n<\/ul>\n<blockquote>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>With the open source EIDAuthenticate, it is possible to use 2-factor authentication (smart card + PIN) to log in to Windows. EIDAuthenticate is for Windows Vista &amp; later on a stand-alone computer (a computer not in a domain, i.e. no Active Directory in use). &hellip; <a href=\"https:\/\/saisa.eu\/blogs\/Guidance\/?p=887\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[17,6,10],"tags":[],"_links":{"self":[{"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=\/wp\/v2\/posts\/887"}],"collection":[{"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=887"}],"version-history":[{"count":2,"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=\/wp\/v2\/posts\/887\/revisions"}],"predecessor-version":[{"id":892,"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=\/wp\/v2\/posts\/887\/revisions\/892"}],"wp:at
tachment":[{"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=887"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=887"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=887"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}