A follow-up document to the original HSPD-12 Logical Access Authentication and Active Directory Domains document has just been posted to the download center. The follow-up document demonstrates the increased flexibility of FIPS 201 PIV-II compliant smart cards with Windows Server® 2008 R2 Active Directory, Windows 7 and Office 2010. Included within this document are detailed steps to configure Windows Server 2008 R2 Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), Windows® 7, and Microsoft® Office 2010 to perform traditional UPN-based smart card logon, explicit smart card logon (client authentication certificate mapped to multiple accounts), explicit cross-forest smart card logon, and NIST SP800-78-3 compliant S/MIME email exchanges.
You can find both the original and follow-up documents on the Microsoft download center: HSPD-12 Logical Access Authentication and Active Directory Domains.
Very nice article.
One thing that confuses me (ok, there is more than one), but the one that really stands out, is the GLOBAL PIN.
From the little info I can find and make sense of, it looks like this is a second "user" PIN. And it seems to be a recent addition to the cards.
Here, in our secret underground lair (Mom's Basement), we have begun to notice "issues" where the users are changing their PINs with the Windows Mini-Driver, and then have trouble when the "badge office" has to do card work. It looks like Windows is only seeing / changing the User PIN, and leaving the Global PIN alone, which later makes it confusing when you go to the "badge office" and they use both PINs.
Has anyone else started to see this?
Are there plans to evolve the HSPD-12 Mini-driver to see the Global PIN?
Does anyone know of a Mini-driver that does see the Global PIN?
And does anyone plan on using it?
Thank you for your feedback and question. When NIST releases the PIV Test Cards to the public, they will publish documentation explaining how the cards are configured. This white paper was developed with the draft release of that document. NIST Test PIV Cards 3 & 7 implement the Discovery Object, which says the Global PIN is primary. The smart card minidriver was developed to the 800-73-2 specifications, and the Discovery Object was/is an optional feature that was not implemented. Therefore, to unlock the PIV Card Application, the PIV Card Application PIN is used. The following is from the draft NIST PIV Test Cards documentation.
Card          PIV Card Application PIN   Global PIN
Test Card 3   90909090                   111111
Test Card 7   90909090                   111111
For cards 3 & 7, the Global PIN is primary, based upon the Discovery Object. More information about the Discovery Object can be found in section 3.2.6 of NIST SP800-73-3 (csrc.nist.gov/.../sp800-73-3_PART1_piv-card-applic-namespace-date-model-rep.pdf).
I have revised the white paper. Thank you for bringing this to my attention.
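As an added illustration of the point made in the reply above (not code from the white paper, the minidriver, or NIST), the following decodes a PIV Discovery Object and reports which PIN the card declares primary, falling back to the PIV Card Application PIN when the object is absent, which is the behaviour the reply attributes to the minidriver. It assumes the BER-TLV layout and PIN Usage Policy encoding of SP 800-73-3 Part 1 section 3.2.6 (tag 0x7E wrapping the AID in 0x4F and a two-byte policy in 0x5F2F; first byte 0x40 = Application PIN, 0x20 = Global PIN satisfy the ACRs; second byte 0x10 = Application PIN primary, 0x20 = Global PIN primary), and the sample bytes are constructed, not read from a real card.

```python
from typing import Dict, Optional

# PIV Card Application AID (SP 800-73-3 Part 1); used to sanity-check the 0x4F element.
PIV_AID = bytes.fromhex("A000000308000010000100")

# Constructed samples (not captured from NIST test cards): one card whose policy says
# both PINs satisfy the ACRs with the Global PIN primary (0x60 0x20), and one card
# that only has the PIV Card Application PIN (0x40 0x00).
GLOBAL_PRIMARY_CARD = bytes.fromhex("7E12 4F0B A000000308000010000100 5F2F02 6020".replace(" ", ""))
APP_PIN_ONLY_CARD = bytes.fromhex("7E12 4F0B A000000308000010000100 5F2F02 4000".replace(" ", ""))


def parse_tlv(buf: bytes) -> Dict[int, bytes]:
    """Parse one level of BER-TLV into {tag: value}.
    Handles two-byte tags such as 0x5F2F and short/long-form lengths up to 0x82."""
    out, i = {}, 0
    while i < len(buf):
        tag = buf[i]
        i += 1
        if tag & 0x1F == 0x1F:          # low five bits set: tag continues into next byte
            tag = (tag << 8) | buf[i]
            i += 1
        length = buf[i]
        i += 1
        if length == 0x81:
            length = buf[i]
            i += 1
        elif length == 0x82:
            length = (buf[i] << 8) | buf[i + 1]
            i += 2
        out[tag] = buf[i:i + length]
        i += length
    return out


def pin_policy(discovery_object: Optional[bytes]) -> Dict[str, object]:
    """Report which PINs satisfy the PIV ACRs and which one is primary.
    No Discovery Object means the PIV Card Application PIN is the only choice."""
    if not discovery_object:
        return {"has_discovery_object": False, "app_pin": True,
                "global_pin": False, "primary": "PIV Card Application PIN"}
    inner = parse_tlv(parse_tlv(discovery_object)[0x7E])
    if inner.get(0x4F) != PIV_AID:
        raise ValueError("Discovery Object does not carry the PIV Card Application AID")
    first, second = inner[0x5F2F]
    app_pin, global_pin = bool(first & 0x40), bool(first & 0x20)
    primary = {0x10: "PIV Card Application PIN", 0x20: "Global PIN"}.get(second)
    if primary is None:                 # second byte is 0x00 when only one PIN applies
        primary = "PIV Card Application PIN" if app_pin else "Global PIN"
    return {"has_discovery_object": True, "app_pin": app_pin,
            "global_pin": global_pin, "primary": primary}
```

A minidriver that ignores the Discovery Object will unlock with the Application PIN regardless of what `pin_policy` reports, which is exactly the mismatch the badge office then sees.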
The NIST PIV Test Cards used in this whitepaper are now available. More information can be found at csrc.nist.gov/.../testcards.html