
SafeSign Identity Client for Microsoft Windows Logon

Strong authentication with cryptographic smart cards and USB tokens

Microsoft Windows 2000 Server and 2003 Server integrate smart card support into the operating system. Windows 2000 / 2003 includes a native Public Key Infrastructure (with its own Certificate Server) and introduces smart card authentication as an alternative to passwords for strong network authentication.

Windows 2000 / 2003 enables administrators to set up an internal Certification Authority (CA) on the Windows 2000 / 2003 server and to issue digital certificates to users. Through the Smart Card Enrollment Station, administrators (with a valid enrollment agent certificate) can request certificates for users and can store each user’s certificate directly on an individual token. A certificate can be specified for logon authorization (Smart Card Logon) only, or for both logon authorization and email security (Smart Card User). These certificates can be used to authenticate the user when logging on to the network, and for securing email with digital signatures and encryption.

SafeSign Identity Client for Windows Logon

Integration with SafeSign Identity Client is easy and works virtually out of the box: once SafeSign Identity Client is installed on the Smart Card Enrollment Station, the SafeSign Identity Client CSP allows authorized enrollment agents to generate keys and store certificates directly on a SafeSign Identity Client-compatible token.

A significant element of the architecture is the CryptoAPI, through which applications access strong cryptographic services that provide the required security characteristics. Users logging on to a domain must authenticate themselves, which may be done with a username and password. When a smart card is used instead, the logon process can additionally verify that the user has the proper credentials for accessing the system (authorization) and check the Certificate Revocation List to confirm that the certificate presented has not been revoked. Authenticating with a certificate is not enough on its own: the user must also have an account in the Active Directory of the Windows server, where the administrator sets what the user may and may not access. Moreover, the administrator can configure smart card removal behaviour on the server, for example to lock the workstation when the user removes the smart card to go to lunch.

Interactive Logon using a smart card begins when a user inserts a smart card into a smart card reader. This signals the Windows 2000/XP/2003/Vista operating system to prompt for a Personal Identification Number (PIN) instead of a username, domain name and password.

The card insertion event is equivalent to the familiar Ctrl-Alt-Del secure attention sequence used to initiate a password-based logon. However, the PIN the user provides to the logon dialog authenticates the user only to the smart card, not to the domain; a public key certificate stored on the smart card is what authenticates the user to the domain. After the user enters the PIN, the operating system begins a sequence of actions to determine whether the user can be identified and authenticated from the credential information provided (PIN and smart card), including certificate verification, digital signature verification and user account lookup.
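As an added example (not code from the SafeSign page or product), the following read-only PowerShell audit checks the client-side settings the two paragraphs above rely on: the smart card removal behaviour and the service that enforces it, and whether the user's personal certificates carry the Smart Card Logon extended key usage and a UPN that Active Directory can map to an account. It assumes PowerShell 5.1 or later on a domain-joined Windows client; the function name and output fields are my own.

```powershell
function Get-SmartCardLogonAudit {
    # Smart card removal behaviour is a REG_SZ under Winlogon:
    # "0" = no action, "1" = lock workstation, "2" = force logoff, "3" = disconnect RDP session.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $meaning  = @{ '0' = 'No action'; '1' = 'Lock workstation'
                   '2' = 'Force logoff'; '3' = 'Disconnect Remote Desktop session' }
    $option = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
    if ([string]::IsNullOrEmpty($option)) { $option = '0' }   # missing value behaves as "No action"

    # The setting only takes effect while the Smart Card Removal Policy service is running.
    $svc = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue

    # Extension OIDs: Extended Key Usage and Subject Alternative Name; EKU values a logon
    # certificate needs (Smart Card Logon plus Client Authentication on Windows 2000/2003).
    $ekuOid         = '2.5.29.37'
    $sanOid         = '2.5.29.17'
    $smartCardLogon = '1.3.6.1.4.1.311.20.2.2'
    $clientAuth     = '1.3.6.1.5.5.7.3.2'

    $certs = Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert   = $_
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuOid }
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        $ekus   = @()
        if ($ekuExt) {
            $ekus = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages |
                    ForEach-Object { $_.Value }
        }
        # Format($false) renders the SAN as text, e.g. "Other Name:Principal Name=alice@corp.example"
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            SmartCardLogon = $ekus -contains $smartCardLogon
            ClientAuth     = $ekus -contains $clientAuth
            HasUpn         = $sanText -match 'Principal Name='
            Expired        = $cert.NotAfter -lt (Get-Date)
        }
    }

    [pscustomobject]@{
        RemovalOption   = "$option ($($meaning[[string]$option]))"
        RemovalService  = if ($svc) { "$($svc.Status) (startup $($svc.StartType))" } else { 'not found' }
        LogonCandidates = @($certs | Where-Object { $_.SmartCardLogon -and $_.ClientAuth -and $_.HasUpn -and -not $_.Expired })
        AllCertificates = @($certs)
    }
}

Get-SmartCardLogonAudit | Format-List
```

Certificates held on a smart card appear in the personal store only after the card is inserted and certificate propagation has run, so run the audit with the token present.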

SafeSign Identity Client seamlessly integrates with Windows 2000 / 2003 Certificate Services (PKI) and the Windows Smart Card Logon service, enabling strong two-factor authentication that can be deployed for Windows 2000/XP/2003/Vista services and applications:
  • Secure user authentication from a Windows 2000, XP, 2003 or Vista client to the Windows 2000/2003 domain
  • Secure VPN client logon for remote access to the corporate network
  • Email encryption and email signing with Microsoft Outlook
  • Windows 2003 Terminal Services