Hello
I'm trying to use the Belgian eID so I can log on from a workstation to the domain. I followed several guides available on the internet, but I can't seem to get it to work. Some of those guides are outdated, while others are for smart cards in general. The Belgian eID also has lots of certificates (see: http://certs.eid.belgium.be/) that need to be stored in the correct place; for someone who is inexperienced with certificates this is rather hard, especially since no documentation about the certificates is supplied.
An eID has a Belgium root certificate as root; these are named belgiumrca, belgiumrca2, belgiumrs and belgiumrs2. The ones with rca are self-signed; the ones with rs are signed by GlobalSign. I placed those certificates on the domain controller (local computer) in the Trusted Root CA and Third-Party Root CA stores. I also added these to a GPO in the Trusted Root CA of Public Key Policies. I also used dspublish to add them to NTAuthCA.
As intermediate certificate an eID can have several (citizen, foreigner). I placed the citizen certificates (citizen & citizen2) and the ones from 2010 (citizen201001 - citizen201012) on the domain controller (local computer) in the Intermediate CA and Third-Party Root CA stores. I also added these to a GPO in the Intermediate CA of Public Key Policies. I use my own eID card to test this; I am a citizen and my card was issued in June 2010. I also used dspublish to add them to NTAuthCA.
In the GPO I also enabled Smart Card in Computer Configuration, Policies, Administrative Templates, Windows Components, Smart Card. I enabled the following: Allow certificates with no extended key usage certificate attribute, Allow signature keys valid for Logon, Turn on certificate propagation from smart card, Turn on root certificate propagation from smart card, Force the reading of all certificates from the smart card, Allow user name hint.
I ran gpupdate on the client and confirmed that the GPO was applied correctly and the certificates were inherited by the client (local computer).
Finally, I exported my personal certificate MyName (Authentication) using the command certutil -scinfo. I added this to my Personal certificate store on the client (local computer). Afterwards I mapped this certificate to my AD account. I rebooted both client and server.
When I start the client I see the smart card logon option. However, when I insert my card and try to log on by entering my PIN, the error says: "The system could not be unlocked. You cannot use a smart card to log on because smart card logon is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization." I googled this error, but none of the solutions provided led to a successful login attempt.
I would also like to note that the DC has a self-signed certificate; this wasn't configured by me but by an experienced system engineer, so I have faith that this was done correctly. I am a student currently on an internship.
I was wondering if someone has any ideas or experiences. A guide that was used to successfully implement eID logon would also be appreciated. Thanks in advance.
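The publishing, verification and account-mapping steps described in the post, as an added PowerShell example that is not part of the original post. It assumes (hypothetically) that the CA certificates from http://certs.eid.belgium.be/ were saved as .cer files in C:\eid\, that the card's authentication certificate was exported to C:\eid\auth.cer, that the account to map is jdoe, and that it runs in an elevated prompt on a domain-joined machine with the RSAT ActiveDirectory module installed. The Reverse-Dn helper is my own; the altSecurityIdentities format it builds is the documented X509:<I>issuer<S>subject form with DN components listed root-first.

```powershell
# Added example, not the original poster's code.
# Hypothetical paths and account name; adjust to your environment.
$eidDir     = 'C:\eid'
$userCert   = Join-Path $eidDir 'auth.cer'   # exported via: certutil -scinfo
$samAccount = 'jdoe'

# 1. Publish the self-signed/GlobalSign-signed roots to the RootCA container,
#    and the issuing "citizen" CAs to SubCA and NTAuthCA. NTAuth must contain
#    the CA that directly issued the logon certificate; -f creates the
#    container objects if they do not exist yet.
foreach ($root in Get-ChildItem $eidDir -Filter 'belgiumr*.cer') {
    certutil -dspublish -f $root.FullName RootCA
}
foreach ($sub in Get-ChildItem $eidDir -Filter 'citizen*.cer') {
    certutil -dspublish -f $sub.FullName SubCA
    certutil -dspublish -f $sub.FullName NTAuthCA
}

# 2. Pull the AD-published stores down to this machine now instead of waiting
#    for the next policy refresh, then list what is in the enterprise NTAuth
#    store so the issuing CA can be confirmed to be present.
certutil -pulse
certutil -viewstore -enterprise NTAuth

# 3. Build and validate the chain for the card's authentication certificate,
#    fetching AIA/CRL URLs as the DC will have to do at logon time. Any
#    "revocation" or "untrusted root" status here shows up as a logon failure.
certutil -verify -urlfetch $userCert

# 4. Derive the explicit mapping value from the certificate itself.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $userCert

function Reverse-Dn {
    # altSecurityIdentities wants the DN written root-component first, i.e.
    # "C=BE,CN=Citizen CA,SERIALNUMBER=201006" for a subject Windows shows as
    # "SERIALNUMBER=201006, CN=Citizen CA, C=BE". Split only on commas that
    # start a new attribute so commas inside values are preserved.
    param([string]$Dn)
    $parts = [regex]::Split($Dn, ',\s*(?=[A-Za-z0-9.]+=)')
    [array]::Reverse($parts)
    return ($parts -join ',')
}

$mapping = 'X509:<I>' + (Reverse-Dn $cert.Issuer) + '<S>' + (Reverse-Dn $cert.Subject)
Write-Host "Mapping value: $mapping"

# 5. Attach the mapping to the account and read it back. -Add appends, so an
#    account can carry mappings for several cards (e.g. after a card renewal,
#    whose new serial number changes the subject DN).
Import-Module ActiveDirectory
Set-ADUser -Identity $samAccount -Add @{ altSecurityIdentities = $mapping }
Get-ADUser -Identity $samAccount -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities
```

The mapping string has to match the issuer and subject exactly as Windows renders them, so compare the printed value against the Issuer and Subject lines of `certutil -dump C:\eid\auth.cer` before relying on it; if you prefer the GUI, the same value is what Active Directory Users and Computers writes when you use Name Mappings on the account.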