HID C1150 User Manual

15370 Barranca Parkway Irvine, CA 92618

ADMINISTRATION GUIDE

Product Version C1150

November 2013

HID GLOBAL CONFIDENTIAL AND PROPRIETARY INFORMATION. Use and disclosure of this information is strictly restricted by the terms of a non-disclosure agreement with HID Global Corporation. If you have received this information and are not an intended recipient or are not subject to or do not agree to be bound by the terms of the non-disclosure agreement, please immediately return this document to HID Global Corporation, 15370 Barranca Pkwy, Irvine, CA 92618-3106. © 2013 HID Global Corporation. All rights reserved.

HID Global Crescendo C1150 – Administration Guide

Page 2 of 115 November 2013

Contents

About this Guide ............................................................................................................................ 6

1.1 Purpose ................................................................................................................. 6

1.2 Audience ................................................................................................................ 7

1.3 Scope of Document ............................................................................................... 7

1.4 Typographic Conventions ...................................................................................... 7

2.0 Introduction ....................................................................................................................... 8

2.1 Product Overview .................................................................................................. 8

2.2 Installation and Upgrades ...................................................................................... 9

2.3 Supported Deployment Modes .............................................................................. 9

2.3.1 Standalone Mode with Mini Driver ............................................................ 10

2.3.2 Standalone Mode with Advanced Middleware ......................................... 10

2.3.3 Managed Mode with Microsoft Forefront Identity Manager (FIM) ............ 11

2.3.4 Managed Mode with HID Global naviGO ................................................. 11

2.3.5 Managed Mode with HID Global 4TRESS AAA Server ........................... 11

2.3.6 Managed Mode with HID Global ActivID CMS and ActivID CMS Appliance

.................................................................................................................. 12

2.4 Choosing Smart Card Middleware ........................................................................ 12

2.4.1 Services Available with Both Mini Driver and ActivClient ......................... 12

2.4.2 Additional Services Available with ActivClient .......................................... 13

3.0 Installing the Mini Driver .................................................................................................. 15

3.1 Mini Driver System Requirements ......................................................................... 15

3.2 Automatic Download .............................................................................................. 15

3.3 Manually Download and Install the Mini Driver ..................................................... 15

3.4 Uninstall the Mini Driver ......................................................................................... 19

4.0 Managing a Smart Card with the Mini Driver ................................................................. 20

4.1 Prerequisites .......................................................................................................... 20

4.2 Issuing a Smart Card using Microsoft Certificate Authority ................................... 21

4.2.1 Enroll a Smart Card for a User with Internet Explorer .............................. 21

4.2.2 Enroll a Smart Card for a User with MMC ................................................ 22

4.3 Importing Certificates Using Microsoft Windows ................................................... 30

4.3.1 Download a PKI Certificate with Internet Explorer ................................... 30

4.3.2 Download a PKI Certificate with MMC ..................................................... 31

4.4 Changing the PIN Code Using Microsoft Windows ............................................... 40

4.4.1 Change the PIN Code on Microsoft Windows Vista, Windows 7 or Windows 8

.................................................................................................................. 40

4.4.2 Change the PIN Code on Microsoft Windows XP .................................... 41

4.5 Unlocking the PIN Code Using Microsoft Windows .............................................. 44

4.5.1 Unlock the PIN Code on Microsoft Windows Vista, Windows 7 or Windows 8

.................................................................................................................. 44

4.5.2 Unlock the PIN Code on Microsoft Windows XP ...................................... 47

HID Global Crescendo C1150 – Administration Guide

November 2013 Page 3 of 115

5.0 Managing a Smart Card using Microsoft Forefront Identify Manager (FIM) ............... 50

5.1 Prerequisites .......................................................................................................... 50

5.2 Initialize a Permanent Card ................................................................................... 51

5.3 Change the PIN Code Using FIM .......................................................................... 53

5.4 Unlocking the Smart Card Using FIM - Online ...................................................... 55

5.4.1 Unlock the Smart Card as an Administrator ............................................. 55

5.4.2 Unlock the Smart Card as an End User ................................................... 59

5.4.3 Using the Unblock Wizard ........................................................................ 60

5.5 Unlocking the Smart Card Using FIM - Offline ...................................................... 61

5.5.1 Verify that the Offline Unlock Policy is Enabled ....................................... 61

5.5.2 Launch Offline Unlock Request ................................................................ 64

5.6 Reset the Smart Card Using FIM .......................................................................... 71

6.0 Managing a Smart Card with ActivClient ....................................................................... 73

6.1 Issue a Smart Card with ActivClient ...................................................................... 73

6.2 Change the PIN Code with ActivClient .................................................................. 76

6.3 Unlock the Smart Card Using ActivClient .............................................................. 78

6.4 Reset the Smart Card Using ActivClient ............................................................... 80

6.5 Importing Certificates Using ActivClient ................................................................ 83

6.5.1 Request a Certificate ................................................................................ 83

6.5.2 Import the Certificate ................................................................................ 84

7.0 Managing a Smart Card with naviGO ............................................................................. 85

7.1 Prerequisites .......................................................................................................... 85

7.2 Initialize a Smart Card ........................................................................................... 85

8.0 Managing a Smart Card with 4TRESS AAA Server ....................................................... 97

8.1 Issue a Smart Card Using 4TRESS AAA Server .................................................. 98

8.2 Change the PIN Code ........................................................................................... 102

8.3 Unlock the Smart Card with 4TRESS AAA Server ................................................ 102

8.3.1 Unlock the Smart Card with the Administration Console ......................... 102

8.3.2 Unlock the Smart Card with the Web Help Desk ..................................... 103

8.3.3 Unlock the Smart Card with the Web Self Help Desk .............................. 103

8.4 Importing Certificates ............................................................................................. 105

9.0 Using the Smart Card ....................................................................................................... 106

9.1 Logging On to Microsoft Windows ......................................................................... 106

9.2 Authenticating to Secure Websites ....................................................................... 106

9.3 Sending and Reading Secure Emails .................................................................... 107

9.3.1 Send Signed/Encrypted Emails ................................................................ 107

9.3.2 Read Signed/Encrypted Emails ................................................................ 107

9.4 Encrypting and Decrypting Files ............................................................................ 107

9.4.1 Encrypt a File or Folder ............................................................................ 107

9.4.2 Decrypt a File or Folder ............................................................................ 108

HID Global Crescendo C1150 – Administration Guide

Page 4 of 115 November 2013

10.0 Troubleshooting ............................................................................................................... 109

10.1 ActiveX Error During Certificate Requests ............................................................ 109

10.2 Smart Card Enrollment Errors ............................................................................... 109

10.2.1 Wrong CSP ............................................................................................... 109

10.2.2 Key Length Setting ................................................................................... 109

10.2.3 Enrollment Rights ..................................................................................... 110

11.0 Security Guidelines .......................................................................................................... 111

11.1 SHA-2 Compliance ................................................................................................ 111

11.1.1 Card Content Signed with SHA-2 ............................................................. 111

11.1.2 Using SHA-2 for Digital Signature Operations ......................................... 112

11.2 PIN Policies ........................................................................................................... 113

11.3 Log Handling ......................................................................................................... 113

11.4 Additional Recommendations ................................................................................ 113

HID Global Crescendo C1150 – Administration Guide

November 2013 Page 5 of 115

Date

Author

Description

Document Version

JAN13

SIS

Added managed with 4TRESS AAA Server procedures.

A.1

NOV13

SIS

Updated with default PIN details and HID Unblock tool.

A.2

North America

15370 Barranca Parkway Irvine, CA 92618 USA Phone: 800 237 7769 Fax: 949 732 2120

Trademarks

HID GLOBAL, HID, the HID logo, Crescendo, OMNIKEY, ActivID ActivClient, 4TRESS and ActivID CMS are trademarks or registered trademarks of HID Global Corporation, or its licensors, in the U.S. and other countries.

Revision History

Contacts

support.hidglobal.com

HID Global Crescendo C1150 – Administration Guide

Page 6 of 115 November 2013

NOTE

The instructions provided for third party products are meant as guidance only. HID Global cannot be held liable for any malfunctioning from configuring these products; refer to the vendor documentation for complete information.

About this Guide

The information contained in this document is provided “AS IS” without any warranty.

HID GLOBAL HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH REGARD TO THE INFORMATION CONTAINED HEREIN, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT.

IN NO EVENT SHALL HID GLOBAL BE LIABLE, WHETHER IN CONTRACT, TORT OR OTHERWISE FOR ANY INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING FROM USE OF INFORMATION CONTAINED IN THIS DOCUMENT.

Windows is a registered trademark of Microsoft Corporation in the United States and other countries.

1.1 Purpose

This document describes different options how you can manage and use your HID® Crescendo™ smart card with a variety of software options.

The Crescendo C1150 smart card is versatile and can be deployed in standalone mode (that is, without any central card management system) or in an enterprise-managed environment (that is, with a central card management system).

The Crescendo C1150 smart card can be used on a variety of environments, providing a wide range of strong authentication, digital signature and encryption services – such as secure Windows logon, secure authentication to web sites, secure authentication to remote sessions, email digital signature, email and file encryption.

This document presents the services available via the Crescendo C1150 Mini Driver, a free middleware from HID Global designed specifically for this card. The Mini Driver is compatible with a number of card management systems (such as Microsoft® Forefront Identity Manager or HID Global naviGO™) and end-user applications (such as Microsoft Windows®, Internet Explorer®, Microsoft Office® or Adobe® Acrobat).

The document also presents additional services available via the HID Global ActivID ActivClient™ middleware, bringing support for additional applications (such as Mozilla® Firefox® or remote access / VPN products).

HID Global Crescendo C1150 – Administration Guide

November 2013 Page 7 of 115

Typography

Description

Arial bold

Action steps: paths, buttons, options (checkboxes). Field and dropdown list labels. Notes, important notes, and warnings. Emphasis and captions.

Italic black

File names, document titles, and file extensions.

ARIAL BOLD SMALL CAPS

CUSTOM BLUE

“Callouts” used to flag important tips or technical information.

Arial blue

Cross-references within the document (no underlines).

1.2 Audience

This manual is specifically designed for IT administrators, who want to use their HID Crescendo C1150 card to obtain strong authentication in their Microsoft environment.

1.3 Scope of Document

This document assumes that the system administrator has already installed and configured other necessary components (such as Microsoft Windows, a certificate server) and that you have a Crescendo C1150 card.

1.4 Typographic Conventions

HID Global Crescendo C1150 – Administration Guide

Page 8 of 115 November 2013

2.0 Introduction

2.1 Product Overview

This release of the Mini Driver is designed to support the Crescendo C1150 and is a key component of the HID logical and physical access convergence solution.

Crescendo smart cards include a PKI chip that provides extended cryptographic capabilities, expanding the number of supported services:

 Authenticate to Microsoft Windows (online or offline).

 Authenticate to secure web sites.

 Authenticate to remote networks via a VPN.

 Authenticate to remote sessions authentication using Citrix® or Microsoft terminal

server technologies.

 Sign emails, forms and documents.

 Encrypt emails, documents and disks.

The Mini Driver also enables users to personalize their smart cards by:

 Defining a PIN code.

 Downloading certificates.

If the same smart card is used on a workstation with ActivID ActivClient instead of the Mini Driver, you have access to additional services, such as:

 PKI services with a PKCS#11 library (compatibility with Mozilla Firefox, Thunderbird®).

 Automated configuration for PKI applications (such as Microsoft Outlook).

 One-Time Password services enabling support for a wider range of remote access and

VPN services.

 User-based card management services (card content viewer, diagnostics tool,

notifications, standalone management services, etc.).

HID Global Crescendo C1150 – Administration Guide

November 2013 Page 9 of 115

NOTE

If a supported middleware is already installed on the machine, the Windows Update download is not triggered.

NOTE

If the Crescendo C1150 card is used with its Mini Driver (installed either from Windows Update or by the MSI package), you can upgrade to ActivClient 6.2 (version 6.2.0.162 or later) to gain access to additional services. When ActivClient is installed, it takes precedence over the Mini Driver.

2.2 Installation and Upgrades

The Mini Driver is a free component and can be automatically downloaded from Microsoft Windows Update (applicable to Windows 7, Windows Server 2008 R2 and later versions).

It is also available for download as a Microsoft Windows installer package (.msi) from the HID web site http://www.hidglobal.com/main/crescendo/

This is useful for:

 Older Windows versions where the automatic download is not available.

 Workstations not connected to the internet, or with Windows Update disabled.

For further information about the installation process, see chapter 3.0 Installing the Mini Driver on page 15.

In addition, the installer package detects potential middleware existing on the machine and acts accordingly. For example, if the ActivClient middleware is detected, the Mini Driver installation is not possible as you cannot have two middleware for the same card on the same Windows workstation, and as ActivClient provides enhanced services compared to the Mini Driver.

2.3 Supported Deployment Modes

This section describes several Crescendo C1150 deployment modes, either in standalone mode (that is without any central card management system), or in an enterprise managed environment (that is, with a central card management system).

Some of these deployment modes require the Crescendo C1150 Mini Driver, which is free middleware from HID Global. Some deployment modes require additional software products, such as ActivID ActivClient, Microsoft Forefront Identity Manager, and HID Global naviGO. Contact the product vendor for licensing information.

HID Global Crescendo C1150 – Administration Guide

Page 10 of 115 November 2013

2.3.1 Standalone Mode with Mini Driver

This is the simplest (and also least secure) mode in which the Mini Driver can be installed and used with the Crescendo C1150 card to provide the following services:

 The card comes with a default PIN code (00000000) that you can change at any time:

 On Microsoft Windows Vista and 7 - using the native Ctrl+Alt+Del Change

Password feature.

 On Microsoft Windows XP - using the Microsoft PIN Tool (pintool.exe) included

with the Base Smart Card CSP package.

 While there is no “simple” PIN unlock feature, if you know the ADMIN Key (set to a

default binary value 000000000000000000000000000000000000000000000000) and have a tool to generate a response based on the challenge (3DES algorithm), you can unlock the card. The user can then use the Microsoft Windows 7 or Windows 8 PIN Unlock user interface. It is recommended that you use card management software to manage these keys.

 You can download a certificate onto the card from the Microsoft Certificate Authority (or

other CA), by selecting the Microsoft Base Smart Card CSP.

 You can use certificates for standard PKI services based on the Mini Driver, such as

Windows logon, authentication to web sites (with Internet Explorer) and PKI-compatible VPNs, email signature and encryption (with Microsoft Outlook).

For further information, see chapter 4.0 Managing a Smart Card with the Mini Driver on page

20.

2.3.2 Standalone Mode with Advanced Middleware

Using advanced middleware such as ActivID ActivClient, you have access to additional card management services, and you can use your card with more applications.

 You can initialize a Crescendo C1150 card with the ActivClient PIN Initialization Tool,

resetting the PIN from the default value and obtaining a static unlock code.

 You can change the PIN using the ActivClient PIN Change Tool (on any Windows

version).

 If the card PIN is locked, you can unlock it with the static unlock code displayed at

initialization.

 You can reset the card with the ActivClient PIN Initialization Tool.

 You can download a certificate onto the card from the Microsoft CA (or other CA) by

selecting the ActivClient CSP.

 You can use certificates for standard PKI services based on the CSP or PKCS#11

technologies, which provides more options than in the previous mode – such as Windows logon, authentication to web sites (with Internet Explorer or Mozilla Firefox) and PKI-compatible VPNs, email signature and encryption (with Microsoft Outlook or Lotus Notes).

 The user can use other ActivClient services for improved usability (card management

utility, card activity notification, application auto-configuration, etc.).

HID Global Crescendo C1150 – Administration Guide

November 2013 Page 11 of 115

For further information, see chapter 6.0 Managing a Smart Card with ActivClient on page 73.

2.3.3 Managed Mode with Microsoft Forefront Identity Manager (FIM)

In this mode, the card is managed with Microsoft Forefront Identity Manager (FIM), and end users can use the card on their workstation with either the Mini Driver or with advanced middleware.

 The card is managed by Microsoft FIM 2010 via the Mini Driver.

 The card comes with a default PIN (00000000) and default ADMIN Key (binary value

000000000000000000000000000000000000000000000000).

The Administrator imports this data into FIM.

 With FIM, the administrator can load certificates on the card (and update them later),

and unlock the card PIN if it is locked.

 If the end user has the Crescendo C1150 Mini Driver on his workstation, he can use

certificates for standard PKI services based on the Mini Driver.

 If the end user has ActivClient on his workstation, he can use certificates for standard

PKI services based on the CSP or PKCS#11 technologies. He can also use other ActivClient services for improved usability.

For further information, see chapter 5.0 Managing a Smart Card using Microsoft Forefront

Identify Manager (FIM) on page 50.

2.3.4 Managed Mode with HID Global naviGO

In this mode, the card is managed with naviGO; end users use the card on their workstation with the Crescendo Mini Driver.

 The card is managed by naviGO via the Mini Driver.

 With naviGO, the administrator can load certificates on the card (and update them

later), and unlock the card PIN if it is locked.

 The default PIN code (00000000) is used during the issuance process.

 The default ADMIN Key is 000000000000000000000000000000000000000000000000

(binary value).

 The end user has the Crescendo C1150 Mini Driver on his workstation; he can use

certificates for standard PKI services based on the Mini Driver.

 naviGO also provides emergency access authentication in case the card is lost or

forgotten.

For further information, see chapter 7.0 Managing a Smart Card with naviGO on page 85.

2.3.5 Managed Mode with HID Global 4TRESS AAA Server

In this mode, the card is managed with 4TRESS AAA Server 6.7 (version 6.7.2.15 or later), and end users can use the card on their workstation with the ActivClient middleware (version

6.2.0.162 or later).

HID Global Crescendo C1150 – Administration Guide

Page 12 of 115 November 2013

4TRESS AAA Server adds one-time password services to Crescendo C1150 cards, enabling support for legacy applications that are not PKI-enabled, such as many remote access and VPN applications.

 The card is managed by 4TRESS AAA Server via the ActivClient middleware.

 The administrator initializes the Crescendo C1150 cards with 4TRESS AAA Server,

adding one-time password (OTP) capabilities to the cards.

 Administrators or end users can download a certificate onto the card from the Microsoft

CA (or other CA), by selecting the ActivClient CSP.

 If the card PIN is locked, you can unlock it with the challenge/response unlock code

managed by 4TRESS AAA Server.

 The end user has ActivClient on his workstation; he can use certificates for standard

PKI services based on the CSP or PKCS#11 technologies.

 He can also use the Crescendo C1150 for remote access/VPN services using one-time

passwords.

 He can also use other ActivClient services for improved usability.

For further information, see section 8.0 Managing a Smart Card with 4TRESS AAA Server on page 97.

2.3.6 Managed Mode with HID Global ActivID CMS and ActivID CMS Appliance

To deploy Crescendo cards with ActivID Card Management System (CMS), use the Crescendo C1100 instead of the Crescendo C1150.

To deploy Crescendo cards with ActivID CMS Appliance, use the Crescendo C800 instead of the Crescendo C1150.

2.4 C hoosi ng S mart Car d Mid dlew are

You have a choice of Crescendo C1150 smart card middleware for end user workstations:

 You can choose to deploy the Crescendo C1150 Mini Driver, which is available free of

charge.

 You can choose to deploy the ActivClient software that provides enhanced capabilities.

This section presents the similarities and differences between the two options.

2.4.1 Services Available with Both Mini Driver and ActivClient

Both middleware options support the same applications for PKI services:

 Windows Logon

 Web authentication with Internet Explorer and Google Chrome

 VPN authentication with Windows, Cisco, Juniper, etc.

 Authentication to Citrix or Terminal Server sessions

 Email signature and encryption with Microsoft Outlook and Exchange

HID Global Crescendo C1150 – Administration Guide

November 2013 Page 13 of 115

 Document signature with Microsoft Office and Adobe Acrobat

 File encryption with Windows EFS

 Disk encryption with Windows BitLocker To Go

 Compatibility with more applications based on Microsoft CAPI / CNG

Both middleware options support some basic card management services:

 PIN change

 PIN unlock (with Mini Driver, not applicable to all deployment modes – requires a card

management system or utility to support the challenge / response unlock model)

2.4.2 Additional Services Available with ActivClient

The following services are available only with the ActivClient middleware:

 ActivClient is compatible with a wider range of PKI-enabled applications thanks to a

PKCS#11 compliant library:

 Web authentication with Firefox.

 Email signature and encryption with Lotus Notes and Thunderbird.

 Compatibility with more applications based on PKCS#11.

 ActivClient provides usability enhancements with Microsoft Outlook, enabling users to

sign and encrypt emails without the need to learn how to configure and use it.

 Outlook is automatically configured on card insertion with the user’s signature and

encryption certificates. This guarantees that users are using up-to-date credentials, and no longer use software certificates. This also automatically configures the hash and encryption algorithms for consistency within an organization.

 Certificates are automatically published to the Exchange Global Address List (GAL)

on card insertion. This guarantees that all email encryption is performed with up-todate certificates.

 Contacts’ certificates are automatically added to the user’s Outlook Contacts upon

reception of an email.

 Option to automatically decrypt and save encrypted emails. This guarantees that

older encrypted emails can be read even if old encryption key is not on the card.

 ActivClient provides usability enhancements with Firefox and Thunderbird, making it

easier to use PKI services with Mozilla products: ActivClient PKCS#11 library is automatically registered into these apps, to automatically enable new users with smart card services, negating the need for additional configuration and training.

HID Global Crescendo C1150 – Administration Guide

Page 14 of 115 November 2013

 ActivClient enables using smart cards with additional credentials than PKI keys and

certificates. ActivClient supports one-time passwords (OTP) on the Crescendo C1150 card, enabling organizations to use smart cards for remote access (authentication to VPNs) even if these systems are not PKI-capable. Organizations that have deployed an OTP Strong Authentication Server (such as 4TRESS AAA Server) and OTP hardware tokens or soft tokens can now deploy smart cards to additional users and enable a mixed OTP token / Crescendo smart card deployment. This enables a smooth transition to PKI environments.

 ActivClient includes a User Console to view and edit the card content (certificates and

other credentials). This console helps identify certificates on the card vs. all the certificates loaded on the PC, as Windows does. The console also enables importing keys and certificates into the card, and exporting certificates from the card. Users can

also select a “default certificate” in the case several Windows Logon certificates are

present on the card.

 ActivClient includes utilities to manage the Crescendo smart cards in standalone mode:

initialization, unlock, reset cards. This provides organizations with a simple and efficient model to deploy and manage smart cards in small deployments when a card management system may be considered too complex.

 ActivClient includes a smart Card indicator icon in Windows notification area, which,

helps identify when the card is in use.

 ActivClient provides notifications to end users, helping them use and manage their

smart card. For example:

 Certificate expiration notification, informing users that their certificates need to be

updated before they expire, preventing users to log on.

 Unattended card notification, reminding users to take their card when they leave

their workstation.

 No smart card reader notification, informing users when no reader is detected.

 ActivClient has close to 100 policies, enabling organizations to configure the

middleware to match their specific security and usability requirements. For example:

 Option to unregister certificates on card removal or logoff: this is a security feature

for shared workstations.

 PIN cache for increased usability: the ActivClient PIN Cache provides a sort of

SSO for the PIN: users enter the PIN once, use it for multiple services (Windows Logon, secure email, secure web, etc.), and securely! PIN Cache policies provide the right mix of security and usability; for example PIN Cache timeout (by default 15 min – configurable), or “Per-process” PIN cache (one PIN entry per application).

 ActivClient supports additional smart cards in addition to the Crescendo C1150, and is

certified by NIST and GSA to support the FIPS 201 PIV standard smart cards.

HID Global Crescendo C1150 – Administration Guide

November 2013 Page 15 of 115

NOTES

 Microsoft Windows XP and Server 2003 require a Windows update

available at http://support.microsoft.com/kb/909520 to install the Microsoft Smart Card Base CSP.

 The Crescendo C1150 Mini Driver is supported with PC/SC smart card

readers.

3.0 Installing the Mini Driver

3.1 Mini Driver System Requirements

One of the following Microsoft operating systems is required:

 Windows XP SP3 (32 and 64-bit)

 Windows Vista SP1 (32 and 64-bit)

 Windows 7 and Windows 7 SP1 (32 and 64-bit)

 Windows 8 (32 and 64-bit)

 Windows Server 2003 (32 and 64-bit)

 Windows Server 2008 and 2008 SP2 (32 and 64-bit)

 Windows Server 2008 R2 (64-bit)

 Windows Server 2012 (64-bit)

3.2 Automatic Download

Crescendo C1150 Mini Driver can be downloaded automatically using the Microsoft Windows Update feature.

When you insert the Crescendo C1150 card into a reader connected to Microsoft Windows 7 or Windows 8 (32 and 64-bit) workstation, or Windows Server 2008 R2 or Windows Server 2012 (64-bit) server, the driver is automatically downloaded and installed.

3.3 Manually Download and Install the Mini Driver

If the automatic download is not available, the Mini Driver can also be downloaded as a

Windows Installer (MSI) package from HID’s web site:

http://www.hidglobal.com/main/crescendo/.

 Crescendo C1150 Mini Driver x64 2.0.msi

 Crescendo C1150 Mini Driver x86 2.0.msi

HID Global Crescendo C1150 – Administration Guide

Page 16 of 115 November 2013

1. Launch the Mini Driver setup using the .msi file that corresponds to your operating system.

2. Click Next.

HID Global Crescendo C1150 – Administration Guide

November 2013 Page 17 of 115

3. Select I accept… and click Next.

HID Global Crescendo C1150 – Administration Guide

Page 18 of 115 November 2013

4. Click Install.

HID Global Crescendo C1150 – Administration Guide

November 2013 Page 19 of 115

5. Click Finish.

The Mini Driver is installed in the following directory:

[ProgramFiles]\HID Global\Crescendo C1150 Mini Driver

3.4 Uninstall the Mini Driver

You can remove the Crescendo C1150 Mini Driver using the standard Add/Remove Programs (Microsoft Windows XP) or Programs and Features (Microsoft Windows 7 and Windows 8) tools.

HID Global Crescendo C1150 – Administration Guide

Page 20 of 115 November 2013

NOTE

Enrollment for a smart card certificate must be a controlled procedure, in the same manner that employee badges are controlled for purposes of identification and physical access.

The recommended method for enrolling users for smart card-based certificates and keys is through the Smart Card Enrollment station that is integrated with Certificate Services in Microsoft Windows Server 2008.

Therefore, section 4.2 describes the process of how to enroll for a smart card user or smart card logon certificate through the Smart Card Enrollment Station. This process is likely completed by your system administrator.

As a user, request your own certificate through the Microsoft Certificate Services interface on your local workstation. In this case, a domain user cannot enroll for a Smart Card Logon certificate (which provides authentication) or a Smart Card User certificate (which provides authentication plus the capability to secure e-mail) unless a system administrator has granted the user access rights to the certificate template stored in Active Directory. This is described in section 4.3.

4.0 Managing a Smart Card with the Mini Driver

This section explains how to issue a smart card for other users as well as for you.

4.1 Prerequisites

 Microsoft Windows 2008 Server is installed and configured as a Primary Domain

Controller.

 Active Directory is configured to manage users and computers.

 DNS Server is configured with your domain name.

 Internet Information Services (IIS) is installed (to be able to request a certificate through

the Smart Card Enrollment Station.

 Microsoft Windows Certificate Services is installed and configured.

 Microsoft CA is configured with an issuance Certificate Template for smart card logon

onto the domain. It must include the following certificates:

 Enrollment Agent - a certificate intended for the entity that should be able to enroll

certificates for other entities than itself. For example, when an administrator wants

 Microsoft CA Registration Authority (RA) station is created with:

to deploy smart card logon certificates for the employees in an organization, he would require an “Enrollment Agent” certificate.

 Smartcard Logon - intended for smart card logon onto the domain.

 Smartcard User - an all-round certificate, intended both for smart card logon and,

for example, signing and encrypting e-mail messages and web authentication.

 All the drivers required for your HID Crescendo C1150 card and smart card reader.

HID Global Crescendo C1150 – Administration Guide

November 2013 Page 21 of 115

NOTE

If you encounter an “ActiveX” error upon connecting to this page, see section

10.1 ActiveX Error During Certificate Requests on page 109.

 An Enrollment Agent Certificate configured with Microsoft Enhanced

Cryptographic Provider 1.0 or similar as the CSP.

4.2 Issuing a Smart Card using Microsoft Certificate Authority

4.2.1 Enroll a Smart Card for a User with Internet Explorer

1. From the enrollment station, connect to the “Smart card Certificate Enrollment Station” web page of the CA.

This smart card enrollment web page can be found at http://<machine-name>/certsrv/ where the <machine-name> is the machine where you have installed the CA.

2. Select Request a certificate.

3. Select advanced certificate request.

4. Select Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station.

The Smart Card Certificate Enrollment Station window opens.

5. Under Enrollment Options:

6. From the Certificate Template drop-down list, choose Smartcard User.

7. From the Cryptographic Service Provider drop-down list, select Microsoft Base Smart Card Crypto Provider.

8. Ensure the correct Enrollment Agent certificate is selected in the Administrator Signing Certificate box.

9. Select a User to Enroll by clicking Select User.

10. Enter the user name in which you are enrolling a certificate in the Enter the object name to select field.

11. Click Check Names to verify the entry, and then click OK.

12. Verify the user’s smart card is inserted into the smart card reader.

13. Click Enroll to enroll a smartcard user certificate for the user.

14. Enter the PIN, and then click OK to continue.

After the certificate request has been made, the CA will sign the request and return a certificate. This certificate is automatically placed on the smart card. You might be prompted to confirm the issuance of a certificate.

At the end of the smart card enrollment process, you are informed that the smart card is ready for use.

HID Global Crescendo C1150 – Administration Guide

Page 22 of 115 November 2013

15. You can verify if the certificate contains the correct personal information about the user by clicking View Certificate. You also have the opportunity to enroll a new user by clicking New User.

4.2.2 Enroll a Smart Card for a User with MMC

1. Open the management console by typing mmc in the Start > Run menu.

2. Add the Certificates snap-in from the File > Add/Remove Snap-in menu.

3. Right-click on the Certificates node.

4. Go to All Tasks, then Advanced Operations, and then click Enroll on behalf of.

5. Click Next.

HID Global Crescendo C1150 – Administration Guide

November 2013 Page 23 of 115

6. Browse to the Enrollment Agent Certificate that you created on the enrollment station.

HID Global Crescendo C1150 – Administration Guide

Page 24 of 115 November 2013

7. Select Smartcard User, and expand the Details view.

HID Global Crescendo C1150 – Administration Guide

November 2013 Page 25 of 115

8. Click Properties.

HID Global Crescendo C1150 – Administration Guide

Page 26 of 115 November 2013

9. Make sure that Microsoft Base Smart Card Crypto Provider is selected as the CSP, and click OK.

HID Global Crescendo C1150 – Administration Guide

November 2013 Page 27 of 115

10. Click Browse to select the user for whom you want to enroll the smart card.

HID Global Crescendo C1150 – Administration Guide

Page 28 of 115 November 2013

11. Enter the user name, and click OK. If necessary, click Check Names to make sure you have selected the correct user.

12. When prompted, insert the smart card into the reader.

13. If you are prompted to enter the PIN, do so and then click OK to continue.

After the certificate request has been made, the CA will sign the request and return a certificate. This certificate is automatically placed on the smart card.

HID Global Crescendo C1150 – Administration Guide

November 2013 Page 29 of 115

14. Click Finish.

HID Global Crescendo C1150 – Administration Guide

Page 30 of 115 November 2013

4.3 Importing Certificates Using Microsoft Windows

You can download PKI certificates from the CA onto the smart card using Internet Explorer or Microsoft Management Console (MMC).

4.3.1 Download a PKI Certificate with Internet Explorer

When creating the certificate request, make sure that the Microsoft Base Smart Card Crypto Provider is selected as the CSP.

+ 85 hidden pages