
Smart card protection

1 reply

Thierry
Hello,

I have an "INGENICO" smart card reader connected to COM1 and I would like to use it to identify myself when opening a session under W2K instead of CTRL+ALT+DEL.

What type of card should I use?
Where can I find the drivers?
Is there a program to manage several users?
Is it possible to do this in VB6?

Thanks to everyone who can help me make progress on this subject.

Regards, Thierry.

Fabricem [MS]
Hello

Unfortunately it is a bit more complicated than that; in particular, you will need to set up a public key infrastructure.

For the explanation: the Windows documentation is well done, but so is the document below.

Sorry, the how-to I have is in English.

Smart Card Logon - Set Up Procedures



3 Installing the Windows 2000 Server

3.1 System Requirements

Before you begin, ensure that you have the appropriate hardware and software:

· Windows 2000 Server or Advanced Server - Release Candidate 1

· Network card - hooked up to a network or local hub, or Microsoft Loopback Adapter (network software emulation)

· Smart cards (one for the Administrator / one or more for the user)

· Card reader

3.2 Installation

First, you must install the Windows 2000 Server on your computer. For the cleanest installation, you may wish to reformat your hard drive and boot from the Windows 2000 CD.

1. Load from the Windows 2000 Server CD.

2. Follow the installation instructions from the Windows 2000 Server CD, taking careful note of the following:

· Format the drive partition using the NTFS file system.

· Remember the administrator password you assign.

· At the Windows 2000 Components window, select Next.

· At Windows 2000 Network Settings, select Typical.

· Accept the default value at Windows WORKGROUP and click Next.

3. Click Finish to complete the Setup Wizard and restart.

4. After the computer restarts, log in as an Administrator using the password you assigned earlier.

5. Do not use the Setup Wizard to configure Windows 2000 once the installation is complete.

6. Right-click Desktop, select Properties, and click Settings.

7. Choose High Color (16 bit) and a Screen Area Resolution of 1024x768 pixels.

3.3 Installing the DNS Server

Note: Do not insert or connect the card reader until the Windows 2000 Server has been installed and the computer restarted.

Active Directory clients use Domain Name Service (DNS) to locate domain controllers. If you have already installed and configured a DNS server to support the Active Directory domain and its domain controllers, you can proceed to the next step. If not, Microsoft recommends that you install Windows 2000 DNS on your first domain controller. During the installation, you may be asked to assign this server a static IP address (e.g. 10.10.1.1 Netmask 255.0.0.0). DNS servers require at least one statically assigned IP address on the computer in order to function correctly.

1. Click Start, point to Settings, and click Control Panel.

2. Double-click Add/Remove Programs.

3. Click Add/Remove Windows Components.

4. Highlight Networking Services, and click Details. (Make sure that you do not check the Networking Services box. This will install all of the Networking Services. Simply highlight the Networking Services option.)

5. Click the box beside Domain Name Service (DNS).

6. Click OK.

7. Click Next to install the DNS server software. If it is not already inserted, you will be prompted to insert the Windows 2000 Release Candidate 1 CD.

If you see a pop-up window asking you to assign a static IP address, click OK and proceed with the following:

· In the Local Area Connection Properties window, click Internet Protocol (TCP/IP), and click Properties.

· Select Use the following IP address, and type values for IP address, Subnet mask, and Default Gateway. If you are not sure what values to use, contact your network administrator. If you are on a private network, you can use values from the reserved Class A space 10.x.x.x. For example, assign this computer the IP address 10.10.1.1, accept the default subnet mask, and leave the gateway field empty. Each computer must have a unique IP address.

· If you have other DNS servers on your network, click Use the following DNS server addresses and type the IP address of your DNS server (10.10.1.1) in the Primary DNS Server field.

· Click OK to dismiss the Internet Protocol (TCP/IP) Properties.

· Click OK to dismiss the Connection configuration page.

· Click Finish to complete DNS setup.

8. Close the Add/Remove Programs window. The DNS server is now installed.

3.4 Running the Active Directory Installation Wizard

Servers are promoted into the domain controller role using the Active Directory Installation Wizard, also known as DCpromo.

1. Click Start/Run.

2. Type Dcpromo, and click OK.

3. The DCpromo Wizard starts. Click Next to continue.

4. If you receive a message informing you that the path you selected is not on an NTFS 5.0 partition, and you have only a FAT partition on the system, then you must convert that partition to NTFS 5.0. If you do not receive this message, then skip to step 9.

5. Click OK to dismiss the message.

6. Click Cancel to dismiss the DCpromo Wizard.

Note: With a Static IP Address setting, you cannot select Obtain DNS server address automatically. This is a function of DHCP.

Note: If you installed NTFS from the Windows 2000 CD-ROM installation, then begin at step 9.

7. Click Start, point to Programs, and click Command Prompt.

8. Type convert <drive:> /FS:NTFS, where <drive:> is the drive letter of the volume on which Windows 2000 is installed.

9. Convert tells you the drive's current file system and informs you that you need to restart. Type Y and press Enter.

10. The volume will be converted to NTFS 5.0 during the start sequence. Log on, restart DCpromo, go to the System Volume Path page, and continue.

11. Select Domain controller for a new domain and click Next.

12. Select Create new domain tree and click Next.

13. Select Create a new forest of domain trees and click Next.

14. Enter the full DNS name that you selected for your first Active Directory domain, for example, "nttest.microsoft.com", and click Next. DCpromo verifies that the name is not already in use.

15. DCpromo suggests a NetBIOS name for the domain. Down-level clients such as Windows NT® 4.0 use this name to identify the domain. Accept the default or enter a name of your choice and click Next.

16. DCpromo suggests file paths for the Active Directory database and log files. Accept the default or select new file paths, and click Next.

17. DCpromo suggests a file path for the replicated System Volume. Accept the default or select a new file path, and click Next.

18. If you receive a pop-up window warning you that DCpromo could not contact the DNS server for the name you selected, click OK.

19. Select Yes to direct DCpromo to configure your DNS for you, and click Next.

20. Select No to weaken permissions to allow Windows NT 4.0 RAS access, and click Next.

21. Skip the Directory Services Restore step by clicking Next.

22. Read the summary on the Confirmation page, and click Next to start the promotion process. This will take several minutes.

23. Click Finish.

24. Click Restart Now.

Congratulations! You have just set up your first Active Directory domain. After the computer has restarted, you can log on using the domain Administrator account. Use the same administrator password that you used before the computer was promoted.

At this point you can continue to add domain controllers in various roles, or you can begin to experiment with the directory right away.

3.5 Setting up a Certification Authority

A Certification Authority (CA) is a service that issues the certificates needed to run a public key infrastructure. A CA can be an external commercial body, or run by your company. The certificates enable a user to perform smart card logon, send encrypted e-mail, sign documents, and more. Since a CA is an important trust point in an organization, most organizations will have their own CA.

Windows 2000 provides two types of CAs, determined by which policy modules are selected during installation: an enterprise CA or a standalone CA.

Although Certificate Services is a component of Windows 2000 and is included with the Windows 2000 Server, it is not installed as part of the initial Windows 2000 installation process. You can create an Enterprise CA for purposes such as digital signatures, secure e-mail, web authentication, and logging on to a Windows 2000 domain using a smart card.

Note: Typically, you should install an Enterprise CA if you will be issuing certificates to users or computers inside an organization that is part of a Windows 2000 domain. Enterprise CA requires that all users requesting certificates have an entry in the Windows 2000 Active Directory™ services.

1. Click Start, point to Settings, and click Control Panel.

2. Double-click Add/Remove Programs, and click Add/Remove Windows Components.

3. In the Windows Components Wizard, select Certificate Services and Internet Information Services (IIS), and click Next.

4. If a pop-up window appears regarding Microsoft Certificate Services, click Yes to continue.

5. Click Enterprise Root CA and do not select Advanced Options.

6. Type the name of the CA and other necessary information, and click Next.

7. Use the default settings for Certificate database, Database log, and Shared folder, then click Next.

8. If the World Wide Web Publishing Service is running, you will receive a request to exit the service before proceeding with the installation. Click OK.

4 Installing a Smart Card Reader

1. Log on using the local Administrator account for this computer.

2. Attach the reader to an available serial port, or insert the PC Card reader into an available PCMCIA Type II slot.

3. The Hardware Wizard detects your new reader as a Plug and Play device.

4. Select My Computer / Control Panel / Add & Remove Hardware and click Next.

5. Once this procedure is run, either the Gemplus GemPC410 (GCR410P) Serial Smart Card Reader or the Gemplus GemPC400 (GPR400) PCMCIA Smart Card Reader is detected.

6. Follow the wizard's directions for installing the device driver software. This may require the Windows 2000 CD, which contains the appropriate device driver.

7. Restart your computer if the Hardware Wizard instructs you to do so.

5 Setting Up the Administrator

5.1 Configure the Microsoft Management Console

1. Click Start, select Run, type mmc, and click OK.

2. Select Console from the menu and select Add/Remove Snap-in.

3. Click Add and choose the following Standalone Snap-ins by clicking Add again:

· Active Directory Users and Computers

· Certificates

· Select My user account and click Finish.

· Certificate Authority

· Select Local computer and click Finish.

4. Verify that these three snap-ins are displayed beneath the Console Root directory.

5. Select OK to load files under the Console Root directory.

5.2 Enabling Smart Card Certificate Templates

1. Open Certificate Authority (Local) and right-click the CA you created in Chapter 4.

2. Verify whether the Service has been started. It has been started if the button is gray and not selectable. If it has not been started, click Start Service.

3. Open the CA and right-click Policy Settings.

4. Select New in the pop-up window and click Certificate to Issue.

5. Choose Smartcard User <OK>, Smartcard Logon <OK>, and Enrollment Agent <OK>.

5.3 Creating and Loading the Administrator Certificate on a Smart Card

This Smart Card will not be used for logon (see Enterprise Policy chapter 2). Microsoft and Gemplus do not recommend using a Smart Card User certificate template for the Administrator. Use the Administrator certificate template. This card will be used to allow creating new Users, Computers and Printers. This card could also be used to sign the document macros of the enterprise.

1. Open Certificates - Current User, open the Personal directory, and right-click Certificates.

2. Select All Tasks in the pop-up window and click Request New Certificate.

3. Click Next at Certificate Wizard Request.

4. First, you must create an Administrator certificate. Select Administrator, check Advanced Options, and click Next.

5. Highlight Gemplus GemSAFE Card CSP v1.0 and click Next.

6. Keep the default CA and Computer settings, and click Next.

7. Add a Friendly Name, click Next.

8. Click Finish.

9. You will be prompted to insert the GemSAFE Administrator smart card into the reader; click OK.

10. Enter the 4-digit PIN code (default PIN code is 1234) and click OK.

11. Click Install Certificate.

5.4 Creating an Enrollment Agent Certificate

1. Open Certificates - Current User.

2. Open the Personal directory and right-click Certificates.

3. Select All Tasks in the pop-up window and click Request New Certificate.

4. Click Next at the Certificate Wizard's request.

5. You will need to create certificates on behalf of other users, therefore you must create an Enrollment Agent Certificate. Select Enrollment Agent and click Next.

6. Keep the default CA and Computer Settings, and click Next.

7. Add a Friendly Name and Description if you wish, click Next.

8. Click Finish.

9. Click Install Certificate.

5.5 Adding Users

1. Open Active Directory Users and Computers.

2. Right-click the domain you created earlier.

3. Select New in the pop-up window and choose Organizational Unit.

4. Type a name and click OK.

5. Right-click the Organizational Unit you just created and select Properties.

6. Click Group Policy and click Add.

7. Click All, select Default Domain Policy, and click OK until all pop-up windows are closed.

8. Right-click the new Organizational Unit, select New, and click User.

9. Give the user a First Name, Last Name, and a logon name.

10. The Password window is optional; click Next when finished.

11. Click Finish.

12. If you receive a prompt indicating <Insert Your GemSAFE Smart Card>, insert your Administrator Card, click OK and type your PIN (default PIN code is 1234).

13. Double-click New User and complete the profile information.

14. Enter the e-mail address for the user. This is very important for secure e-mail. You must enter the same e-mail address when you configure your e-mail account.

15. If you want this user to be able to log on to the server, click Member Of and add Print Operators or Server Operators (mandatory for demonstration on a single computer).

16. Close Console and Save changes.

6 Enrolling Smart Card Certificates

When Enterprise CA is installed with Microsoft Certificate Server, the installation includes the Enroll On-Behalf-Of Station procedure. This station allows an administrator to act on behalf of a specific user to request and install a smart card logon or a smart card user certificate on the user's GemSAFE card. While the enrollment station does not provide any card personalization functions such as creating the file structure or setting the PIN, it does interact with the GemSAFE card-specific functions that have been pre-installed with Windows 2000.

Each of the following dialog boxes shows what an administrator must do to enroll a smart card logon or a smart card user certificate on behalf of a specific user. Note that all of this is done through Microsoft Internet Explorer.

1. To connect to the CA, type http://<machine-name>/certsrv in the Address field of Microsoft Internet Explorer (where <machine-name> is replaced with the name of the computer running the issuing CA).

2. From the Microsoft Certificate Services Welcome page, select Request a certificate, and click Next to continue.

Figure 6.1 Welcome

3. From the Choose Request Type page, select Advanced request, and click Next to continue.

Figure 6.2 Choose Request Type

4. From the Advanced Certificate Requests page, select Request a certificate for a smart card on behalf of another user using the Smart Card Enrollment Station, and click Next to continue.

Figure 6.3 Advanced Certificate Requests

5. The very first time you use the Smart Card Enrollment Station, a digitally signed Microsoft ActiveX® control is downloaded from the CA server to the enrollment station computer. To use the enrollment station, select Yes from the Security Warning dialog box to install the control.

Figure 6.4 Security Warning

6. The Smart Card Enrollment Station page appears.

Figure 6.5 Smart Card Enrollment Station

7. Select either the Smart Card Logon or Smart Card User Certification Template. Smart Card User is preferred due to additional secure e-mail features. Click OK.

8. Select the Certification Authority you created earlier and click OK.

9. Select Gemplus GemSAFE Card CSP v1.0 as the Cryptographic Service Provider and click OK.

10. Select an Administrator Signing Certificate. A dialog box appears, showing a list of certificates that can be used to enroll a certificate for another user. Choose the certificate generated earlier for the Administrator and click OK.

11. Select the user who is being enrolled for the certificate and click OK.

12. Click Submit Certificate Request.

13. If the target smart card is not already in the card reader, a dialog box prompting you to insert the requested smart card appears. Once the card is inserted in the card reader and it is recognized by the system, the OK button is enabled. Click OK to continue the enrollment process.

14. As part of the certificate enrollment procedure, the request must be digitally signed by the private key which corresponds to the public key included in the certificate request. Type the PIN (the default PIN code is 1234) for the card, and click OK.

Entering your PIN

15. If the CA successfully processes the certificate request, the Smart Card Enrollment Station page informs you that the enrollment is completed and the smart card is ready. You can either view the certificate by clicking View Certificate or specify a new user by clicking New User.

7 Logging on to Windows 2000 with a smart card

Once the client has been properly configured with a smart card reader, the Welcome to Windows message appears.

Password-based logon requires you to press the Ctrl-Alt-Del keys at the same time in order to signal a Secure Attention Sequence (SAS). This is not required for a smart card logon. For a smart card logon you only need to insert the smart card in the reader in order for the secure logon process to prompt you to input your PIN instead of the typical username, password, and domain.


Regards,

--
Fabrice Meillon
Infrastructure Architect
Developer and Enterprise Platform Division
Microsoft France

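As an added practitioner check (not part of Fabricem's reply or of the Microsoft/Gemplus document he quotes): a PowerShell script that verifies a certificate enrolled through the Smart Card Enrollment Station (section 6) carries the extended key usages and the UPN that Windows smart card logon (section 7) depends on, and that it chains to the enterprise CA from section 3.5. It assumes a current Windows client with PowerShell and certutil.exe rather than the Windows 2000 release the document describes; the OIDs are the standard Microsoft values, and the function names are my own.

```powershell
# Added example, not from the quoted document. Assumes a current Windows client
# with PowerShell 5.1+ and certutil.exe (not Windows 2000). OIDs are the
# standard Microsoft / PKIX values for the relevant extended key usages.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # Client Authentication
$CertRequestAgent  = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent (Enrollment Agent)

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($null -eq $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-SmartCardLogonCertificate {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $ekus = Get-EkuOids -Cert $Cert

    # Subject Alternative Name (2.5.29.17): the logon identity is the UPN otherName,
    # which Windows renders as "Principal Name=user@domain".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }

    # The chain must build to a CA the domain trusts (the enterprise root CA from
    # section 3.5); revocation is checked online so a revoked card is flagged.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($Cert)

    [pscustomobject]@{
        Subject           = $Cert.Subject
        Thumbprint        = $Cert.Thumbprint
        SmartCardLogonEKU = $ekus -contains $SmartCardLogonEku
        ClientAuthEKU     = $ekus -contains $ClientAuthEku
        UPNinSAN          = $sanText -match 'Principal Name='
        HasPrivateKey     = $Cert.HasPrivateKey       # key should be on the card, via the card's CSP
        ChainValid        = $chainOk
        ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        # An Enrollment Agent certificate can request certificates for any user
        # (section 5.4); it should be held only by the administrators who need it.
        IsEnrollmentAgent = $ekus -contains $CertRequestAgent
    }
}

# Reader and card state as seen by the Smart Card service, the counterpart of the
# Plug and Play detection described in section 4.
certutil -scinfo

# Once the card is inserted, Windows propagates the card's certificates into
# CurrentUser\My; evaluate every certificate there that has a private key.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-SmartCardLogonCertificate -Cert $_ } |
    Format-Table -AutoSize
```

A card whose certificate shows SmartCardLogonEKU, UPNinSAN and ChainValid all true is the state section 7 expects when the PIN prompt replaces the password dialog; a false in any of those columns points at the template enabled in 5.2, the user's UPN, or CA trust respectively.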