Starting with Windows 2000, Microsoft has built-in support for smart card/token-based logon to a Windows domain using public key certificates matched to a user account in Active Directory. SafeNet Axis client authentication software fully supports Windows smart card logon mechanisms, whether based on public key certificates or passwords. The certificates and passwords are stored on the smart card or USB token for secure two-factor authentication. To log on to the network, the user must insert their SafeNet smart card into the reader, or their SafeNet iKey token into the USB port, and enter their PIN to activate the card.
How Does It Work?
Windows recognizes insertion of an iKey into the USB port, or insertion of the SafeNet smart card into the reader, as an alternative to the standard CTRL+ALT+DEL key sequence, to initiate a logon. The user is then prompted for their user PIN, which controls access to public-private key data stored on the smart card or token. Since the PKI credentials and/or passwords are stored on the card or token, the user can roam within the network (use any other workstation), providing scope for a very flexible deployment of systems and users.
For customers requiring high assurance, SafeNet's smart cards and iKey tokens support a number of additional security features:
- On-board key generation
- On-board signing (private key never leaves the card or token)
- Tamper-evident option (FIPS 140-1 and 140-2 validations)
Windows Public Key Integration:
Microsoft PKI adds Certificate Services to the network.
Microsoft Certificate Services:
This allows for deployment of one or more Certificate Authorities (CAs). These may be Microsoft CAs or third-party CAs (e.g., Entrust, Cybertrust Unicert, Verisign). These CAs support issuing and revocation of digital certificates. The Certificate Service is integrated with Windows Active Directory.
The Windows integration of PKI does not replace existing Windows domain trust-authorization mechanisms. However, it does enable the management of public key applications on all Windows workstations and servers connected to a Windows Active Directory network (including, e.g., Windows NT and Windows 98 systems used as workstations).
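As an added example (not SafeNet's or Microsoft's code), the following Python script builds a constructed test certificate and checks the two attributes Windows uses to match a logon certificate to an Active Directory account: the Smart Card Logon extended key usage and a User Principal Name in the subject alternative name. It requires the third-party `cryptography` package; the UPN and the self-signed issuer are assumed sample values standing in for a certificate issued by the domain CA.

```python
# Added example: verify a certificate carries what Windows smart card logon
# needs to map it to an AD account (Smart Card Logon EKU + UPN in the SAN).
# Requires the 'cryptography' package. CA, UPN and lifetime are constructed.
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

SMART_CARD_LOGON = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")  # Microsoft EKU
UPN_OTHERNAME = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")     # UPN otherName

def der_utf8string(s: str) -> bytes:
    """Minimal DER UTF8String encoder (short-form length, under 128 bytes)."""
    b = s.encode("utf-8")
    assert len(b) < 128
    return b"\x0c" + bytes([len(b)]) + b

def make_logon_cert(upn: str, include_eku: bool = True) -> x509.Certificate:
    """Self-signed test certificate standing in for one issued by the domain CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.SubjectAlternativeName(
                   [x509.OtherName(UPN_OTHERNAME, der_utf8string(upn))]), critical=False))
    if include_eku:
        builder = builder.add_extension(x509.ExtendedKeyUsage(
            [ExtendedKeyUsageOID.CLIENT_AUTH, SMART_CARD_LOGON]), critical=False)
    return builder.sign(key, hashes.SHA256())

def smart_card_logon_upn(cert: x509.Certificate):
    """Return the UPN Windows would map to an AD account, or None if the
    certificate lacks the Smart Card Logon EKU or a UPN in its SAN."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    if SMART_CARD_LOGON not in eku:
        return None
    for other in san.get_values_for_type(x509.OtherName):
        # Value is a DER UTF8String: tag 0x0c, one length byte, then the text.
        if other.type_id == UPN_OTHERNAME and other.value[:1] == b"\x0c":
            return other.value[2:2 + other.value[1]].decode("utf-8")
    return None
```

Running the check against certificates exported from the CA before enrolment catches templates that issue client-authentication certificates without the logon EKU or UPN, which Windows will refuse at the logon prompt.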