Dell Endpoint Security Smartcard Configuration Guide

Summary: This guide helps an administrator configure their environment and offers guidance to configure SmartCard Authentication.

Symptoms

Affected Products:

  • Dell Encryption Enterprise
  • Dell Data Protection | Enterprise Edition
  • Dell Security Management Server

Affected Versions:

  • v8.0 and Later

Cause

Not Applicable

Resolution

This guide outlines certificate creation and issuance by a trusted administrator, and the writing of those certificates to the smartcards that end users authenticate with.

An administrator must:

  • Set up and configure templates
  • Complete the Dell Security Management Server configuration
  • Complete smartcard enrollment

An appendix of reference information follows the procedures. Select the appropriate section for more information.

To leverage smartcard authentication with the Dell Endpoint Security Pre-Boot Environment, Active Directory must be configured to allow certificate enrollment and generation.

An Enrollment Agent certificate must be assigned to every user who will assign certificates to smartcards on behalf of other users.

To set up and configure templates, enable the certificate template for the Enrollment Agent, and then add a new Smartcard User template.

To enable the certificate template for the enrollment agent:

  1. Open the Certification Authority Microsoft Management Console (MMC).

Figure 1: (English Only) Open Certification Authority

  2. Expand to Certificate Templates.
  3. Right-click the right pane and then click Manage.

Figure 2: (English Only) Click Manage

  4. Right-click Enrollment Agent and then click Duplicate Template.

Figure 3: (English Only) Click Duplicate Template

  5. Go to the General tab.
  6. Select the option to Publish certificate in Active Directory.
  7. Optionally, update the Template display name and Template name.

Figure 4: (English Only) Update Template display name and Template name

To add a smartcard user template:

  1. In the Certification Authority's Certificate Templates Console, right-click the Smartcard User template and then click Duplicate Template.

Figure 5: (English Only) Click Duplicate Template

  2. Under the Request Handling tab, modify the Purpose to Signature and smartcard logon.

Figure 6: (English Only) Modify Purpose to Signature and smartcard logon

  3. Accept the resulting prompt.

Figure 7: (English Only) Click Yes

  4. Ensure that Allow private key to be exported is checked.

Figure 8: (English Only) Ensure that Allow private key to be exported is checked

  5. Within the Subject Name tab, options are present by default that require a defined e-mail address as an alternate validation method. Some environments may want to clear these options to avoid issues with users who do not have an e-mail address defined in Active Directory.
    1. Clear the checkbox for Include e-mail name in subject name.

Figure 9: (English Only) Clear checkbox for Include e-mail name in subject name

    2. Clear E-mail name under the Include this information in alternate subject name section.

Figure 10: (English Only) Clear E-mail name

  6. Under the Issuance Requirements tab, select the This number of authorized signatures box.
    1. Leave This number of authorized signatures set to 1.
    2. Leave the Policy type required in signature as Application policy.
    3. Modify the Application policy to Certificate Request Agent.

Figure 11: (English Only) Update This Number of authorized signature box

  7. Click OK to publish this template.
  8. Allow both templates to be issued by right-clicking Certificate Templates in the Certification Authority MMC, and then clicking Certificate Template to Issue.

Figure 12: (English Only) Click Certificate Template to Issue

  9. Select the two new certificate templates that you created.

Figure 13: (English Only) Select the two new Certificate Templates

  10. Click OK.
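As an added example (not part of the Dell article), the following PowerShell confirms that the two duplicated templates are actually on the CA's issuance list, which is what the Certificate Template to Issue steps above accomplish. It relies on the certutil tool; the template names passed at the bottom are placeholders for the Template name values you chose in the General tab, and the exact shape of the certutil output is an assumption noted in the comments.

```powershell
# Added example (not part of the Dell article): verify that the duplicated
# Enrollment Agent and Smartcard User templates are on the CA's issuance list.
# Requires the certutil tool and permission to query the CA.

function Get-PublishedCaTemplate {
    # certutil -CATemplates prints one line per issuable template, assumed to be
    # shaped like "<TemplateName>: <Template display name> -- <enrollment flags>";
    # lines that do not match (and the trailing "CertUtil:" status line) are skipped.
    $lines = & certutil -CATemplates 2>&1
    foreach ($line in $lines) {
        if ("$line" -match '^(?<name>\S+):\s+(?<display>.+?)(\s+--.*)?$' -and
            $matches.name -ne 'CertUtil') {
            [pscustomobject]@{
                Name        = $matches.name
                DisplayName = $matches.display
            }
        }
    }
}

function Test-CaTemplateIssuable {
    param([Parameter(Mandatory)][string[]]$Template)
    $published = @(Get-PublishedCaTemplate)
    foreach ($t in $Template) {
        # Accept a match on either the Template name or the Template display name
        $hit = $published | Where-Object { $_.Name -eq $t -or $_.DisplayName -eq $t }
        [pscustomobject]@{
            Template = $t
            Issuable = [bool]$hit
        }
    }
}

# Usage: both names are placeholders for the Template name values you chose
Test-CaTemplateIssuable -Template 'Enrollment Agent Registration', 'Smartcard User Enrollment' |
    Format-Table -AutoSize
```

A template that reports Issuable = False has not been added through Certificate Template to Issue yet. Because an Enrollment Agent certificate lets its holder obtain logon certificates for other users, it is worth confirming at the same time that only the intended administrators have Enroll permission on the duplicated Enrollment Agent template.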

This section describes the changes necessary on the Dell Security Management Server to allow smartcard functionality in the Pre-Boot Authentication environment.

An administrator must Import the Root CA and Modify Policy. Click the appropriate process for more information.

Because the smartcard certificates in this guide are signed by the internal certificate authority (CA), the root CA and any intermediate CAs (not shown in this guide) must be imported into the Security Server's trusted certificate chain so that smartcard certificates can be validated.

To import the root CA:

  1. Export the root Certification Authority's certificate from the Certificates Microsoft Management Console (MMC) snap-in:
    1. Launch MMC.
    2. Click File.
    3. Click Add/Remove Snap-in.
    4. Select Certificates.
    5. Click Add.
    6. Select the Computer account radio button.
    7. Click Finish.
    8. Click OK.

Figure 14: (English Only) Export the root Certification Authority's certificate

  2. Expand Certificates.
  3. Expand Trusted Root Certification Authorities.
  4. Select Certificates.
  5. Right-click the certificate issued by your domain's CA. These are synced with Group Policy.

Figure 15: (English Only) Right-click the certificate issued by your domain's CA

  6. Select All Tasks and then click Export.
  7. Export the certificate as DER encoded binary X.509 (.CER).
  8. Save it and record the location, as it is used shortly.
  9. Import this certificate into the trusted certificates of the Java keystore:
    1. Open an administrative Command Prompt.
    2. Add the Dell JRE to the path so that keytool commands can be run by typing Set path=%PATH%;"C:\Program Files\Dell\Java Runtime\jre1.8\bin" and then pressing Enter.
Note: For Dell Security Management Server version 9.2 and earlier, type Set path=%PATH%;"C:\Program Files\Dell\Java Runtime\jre1.7\bin" and then press Enter.
    3. Change to the Security Server's conf directory by typing cd %INSTALLDIR%\Enterprise Edition\Security Server\conf\ and then pressing Enter.

Figure 16: (English Only) Type %INSTALLDIR%\Enterprise Edition\Security Server\conf\

    4. Import the .cer file that was exported in step 7 into the Java keystore (cacerts) by typing keytool -import -alias RootCA -file C:\exportedroot.cer -keystore cacerts and then pressing Enter.

Figure 17: (English Only) Typing keytool -import -alias RootCA -file C:\exportedroot.cer -keystore cacerts

    5. Enter the cacerts file password.
    6. Accept the prompt to trust the certificate by typing Y.

Figure 18: (English Only) Type Y

  10. Restart the Security Server to complete the import.
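The same export-and-import sequence can be scripted so that it is repeatable and can be verified, as in the following added PowerShell example (not the Dell article's own procedure). It assumes the Dell JRE path and Security Server conf path given in the steps above, resolves INSTALLDIR from an environment variable of that name, and takes the CA subject fragment, keystore password and Security Server service name as caller-supplied values; the service name is not given in this article and is left as a placeholder.

```powershell
# Added example (not part of the Dell article): export the domain root CA
# certificate as DER (.CER) and import it into the Security Server's Java
# keystore, then confirm the alias is present. Paths come from this article;
# the CA subject fragment and keystore password are supplied by the caller.

function Export-DomainRootCa {
    param(
        [Parameter(Mandatory)][string]$SubjectMatch,     # e.g. 'CN=Contoso Root CA' (placeholder)
        [string]$OutFile = 'C:\exportedroot.cer'
    )
    # The Trusted Root store is populated from Group Policy, as the article notes
    $ca = Get-ChildItem Cert:\LocalMachine\Root |
          Where-Object { $_.Subject -like "*$SubjectMatch*" } |
          Select-Object -First 1
    if (-not $ca) { throw "No trusted root certificate matching '$SubjectMatch'" }
    # -Type CERT writes DER encoded binary X.509, the format the article asks for
    Export-Certificate -Cert $ca -FilePath $OutFile -Type CERT | Out-Null
    return $OutFile
}

function Import-RootCaIntoJavaKeystore {
    param(
        [Parameter(Mandatory)][string]$CerFile,
        [Parameter(Mandatory)][string]$StorePass,
        [string]$Alias   = 'RootCA',
        [string]$JreBin  = 'C:\Program Files\Dell\Java Runtime\jre1.8\bin',
        [string]$ConfDir = "$env:INSTALLDIR\Enterprise Edition\Security Server\conf"
    )
    $keytool = Join-Path $JreBin  'keytool.exe'
    $cacerts = Join-Path $ConfDir 'cacerts'
    # -importcert is the long form of -import; -noprompt answers the trust question.
    # Note: -storepass exposes the password to local process listing for the
    # duration of the call; omit it to have keytool prompt interactively instead.
    & $keytool -importcert -noprompt -alias $Alias -file $CerFile `
        -keystore $cacerts -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit code $LASTEXITCODE)" }
    # keytool -list exits non-zero when the alias is absent, which is the verification
    & $keytool -list -alias $Alias -keystore $cacerts -storepass $StorePass | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Usage (values are placeholders):
# $cer = Export-DomainRootCa -SubjectMatch 'CN=Contoso Root CA'
# Import-RootCaIntoJavaKeystore -CerFile $cer -StorePass (Read-Host 'cacerts password')
# Restart-Service -Name '<Security Server service name>'   # completes the import, as in step 10
```

If the CA has intermediate CAs, run Import-RootCaIntoJavaKeystore once per intermediate certificate with a distinct alias; the Security Server builds the chain from whatever anchors cacerts contains, which is exactly what the "Path does not chain with any of the trust anchors" error in Appendix B reports when one is missing.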

The policy configuration steps depend on the Dell Data Security server version; follow the procedure that matches the management console your server provides. For versioning information, reference How to Identify the Dell Data Security / Dell Data Protection Server Version.

To modify the policy to allow smartcards for the PBA authentication mechanism in the Dell Data Security Administration Console:

  1. Open the Dell Data Security Administration Console.
  2. Log in as a user who can modify and commit policy.
  3. Go to the population where you want to make the policy change. For example, select Populations and then click Enterprise.
  4. Select the Security Policies tab.

Figure 19: (English Only) Click Security Policies tab

  5. Select Pre-Boot Authentication.
  6. Modify the SED Authentication Method from Password to Smartcard.
Note: Ensure that a self-encrypting drive policy is set to On to enable this for the entire enterprise.

Figure 20: (English Only) Modify the SED Authentication Method from Password to Smartcard

  7. Save and commit policies.

To modify the policy to allow smartcards for the PBA authentication mechanism in the Dell Data Protection Administration Console:

  1. Open the Dell Data Protection Administration Console.
  2. Log in as a user who can modify and commit policy.
  3. Go to the population where you want to make the policy change. For example, select Populations and then click Enterprise.
  4. Select the Security Policies tab.

Figure 21: (English Only) Click the Security Policies tab

  5. Select Self-Encrypting Drive (SED).
  6. Modify the SED Authentication Method from Password to Smartcard.
Note: Ensure that a self-encrypting drive policy is set to On to enable this for the entire enterprise.

Figure 22: (English Only) Modify the SED Authentication Method from Password to Smartcard

  7. Save and commit policies.

To modify the policy to allow smartcards for the PBA authentication mechanism in the Remote Management Console:

  1. Open the Remote Management Console.
  2. Log in as a user who can modify and commit policy.
  3. Go to Enterprise.
  4. Click Security Policies at the top.
  5. Click Override (not available in Virtual Edition).
  6. Modify the Policy Category drop-down to Self-Encrypting Drives.

Figure 23: (English Only) Modify the Policy Category drop-down to Self-Encrypting Drives

  7. Expand SED Administration.
  8. Modify the SED Authentication Method from Password to Smartcard.

Figure 24: (English Only) Modify the SED Authentication Method from Password to Smartcard

Note: Ensure that Enable SED Management and Activate PBA are set to True to enable this for the entire enterprise.
  9. Save this policy.
  10. Click Commit Policies on the left.
  11. Click Apply Changes.

Smartcards are blank by default. Each smartcard must have a certificate assigned to it before it can be used for authentication. Certificates are typically assigned to smartcards through a middleware application. The examples below outline the import through the legacy Charismathics software for enterprise-class smartcards, and through VersaSec for personal identity verification (PIV)-based smartcards. After assigning the certificate, an administrator must Enable Single Sign-on to Windows Using Smartcards. Select the appropriate process for more information.

To leverage smartcards, we must have an enrollment agent who can assign certificates to the device, and a middleware that translates the certificate information coming from the Microsoft Certification Authority into something the card can use.

Most smartcards do not have security tokens preset on them. An administrator must Stage a Security Token on a New Smartcard, Add a Certificate for the Enrollment Agent, and then Enroll Users and Push Certificates. Click the appropriate process for more information.

To stage a security token on a new smartcard:

  1. Open the Cryptographic Service Provider (CSP).
  2. When we insert a card without an active token, we get only basic information.

Figure 25: (English Only) Basic information of the active token

  3. Once we create a security token, we must ensure it is set for a PKCS15 profile.

Figure 26: (English Only) Ensure that PKCS15 is set

  4. After this is created, many more options are available, and a certificate can be imported properly.

Figure 27: (English Only) Security Token Staged on a New Smartcard

To add a certificate for the enrollment agent:

  1. Open the Microsoft Management Console (MMC).
  2. Click File.
  3. Click Add/Remove snap-ins.
  4. Select Certificates.
  5. Click Add.
  6. Select the radio button for My user account.
  7. Click Finish.
  8. Click OK.
  9. Expand Certificates - Current User.
  10. Expand Personal.
  11. Expand Certificates if it exists.
  12. Right-click in the center pane, select All Tasks, and then Request New Certificate.

Figure 28: (English Only) Click Request New Certificate

  13. Click Next.
  14. Leave Active Directory Enrollment Policy selected.
  15. Click Next.
  16. Select the Enrollment Agent certificate template that we created and published earlier.

Figure 29: (English Only) Select the Enrollment Agent Certificate

  17. Click Enroll.
  18. Click Finish once it is completed.

Now we can enroll users to the smartcard that we staged and push certificates to the card using the Certificates MMC.

To enroll users and push certificates:

  1. Open the Microsoft Management Console (MMC).
  2. Click File.
  3. Click Add/Remove snap-ins.
  4. Select Certificates.
  5. Click Add.
  6. Select the radio button for My user account.
  7. Click Finish.
  8. Click OK.
  9. Expand Certificates - Current User.
  10. Expand Personal.
  11. Expand Certificates if it exists.
  12. Right-click in the center pane, select All Tasks, Advanced Operations, and then Enroll on Behalf Of.

Figure 30: (English Only) Click Enroll on Behalf Of

  13. Click Next.
  14. Leave Active Directory Enrollment Policy selected.
  15. Click Next.
  16. Click Browse.
  17. Select the Enrollment Agent certificate that we generated earlier and then click OK.

Figure 31: (English Only) Select the Enrollment Agent Certificate

  18. Click Next.
  19. Select the radio button for the Smartcard User template that we generated earlier.

Figure 32: (English Only) Select the radial for the Smartcard User Template

  20. Select the Details dropdown and then click Properties.

Figure 33: (English Only) Click Properties

  21. Modify the Cryptographic Service Provider to the middleware that you are leveraging. In this case, it is Charismathics.

Figure 34: (English Only) Modify the Cryptographic Service Provider

  22. Click OK.
  23. Click Next.
  24. Click Browse and then modify the Locations to pull from your domain.

Figure 35: (English Only) Click locations

Figure 36: (English Only) Locations on your domain

  25. Enter the username of the user to enroll.
  26. Click Check Names to validate the user.

Figure 37: (English Only) Click Check Names

  27. Click OK.
  28. Click Enroll.
  29. Follow the prompts.

Figure 38: (English Only) Insert Smart card prompt

Figure 39: (English Only) Charismathics Smart Security Interface CSP prompt

Figure 40: (English Only) Certificate installation Results prompt

  30. Either click Next User to enroll further users using the same method, or click Close to continue.

Smartcards can now be leveraged for PBA authentication.

VersaSec imports certificates that have already been generated rather than enrolling them itself. This process uses certificate templates created through Active Directory to enable an employee to generate logon certificates for other employees to use during their logon session. An administrator must complete Certificate Enrollment, Certificate Export, and then Assign a Certificate to a Smartcard. Click the appropriate process for more information.

To enroll a certificate:

  1. Open Microsoft Management Console (MMC) as the administrator who assigns certificates, on a device joined to the domain where the certificate templates have been configured.

Figure 41: (English Only) Open Microsoft Management Console

  2. Select the option to Add/Remove Snap-in.

Figure 42: (English Only) Click Add/Remove Snap-in

  3. Select Certificates and then select Add.

Figure 43: (English Only) Click Add

  4. Ensure that the option for My user account is selected.

Figure 44: (English Only) Ensure that the option for My user account is selected

  5. Select OK to load the selected snap-ins.

Figure 45: (English Only) Click OK

  6. Expand the Certificates - Current User pane, right-click the right pane, and then select All Tasks, then Request New Certificate.

Figure 46: (English Only) Click Request New Certificate

  7. Ensure that the option for Active Directory Enrollment Policy is selected and then click Next.

Figure 47: (English Only) Click Next

  8. Select the certificate template that allows an Enrollment Agent certificate to be issued to the current user, then select Enroll. This example uses the previously created Enrollment Agent Registration template.

Figure 48: (English Only) Click Enroll

  9. Once the enrollment is completed, click Finish.

Figure 49: (English Only) Click Finish

  10. With an Enrollment Agent certificate, generate a smartcard user certificate based on a pregenerated template by selecting the Certificates folder in the left pane. Select All Tasks, Advanced Operations, then Enroll On Behalf Of.

Figure 50: (English Only) Click Enroll on Behalf of

  11. Ensure that the option for Active Directory Enrollment Policy is selected and then click Next.

Figure 51: (English Only) Click Next

  12. Select Browse when an Enrollment Agent certificate is requested.

Figure 52: (English Only) Click Browse

  13. Ensure that the appropriate certificate is selected and then click OK.

Figure 53: (English Only) Click OK

  14. Confirm that the appropriate user is defined and then click Next.

Figure 54: (English Only) Click Next

  15. Select the template that has been precreated for smartcard user enrollment and then click Next. This example leverages a template called Smartcard User Enrollment.

Figure 55: (English Only) Click Next

  16. Select Browse to find the appropriate user.

Figure 56: (English Only) Click Browse

  17. Modify the location to search the entire directory by clicking Location.

Figure 57: (English Only) Click Location

  18. Select the appropriate domain or organizational unit and then click OK.

Figure 58: (English Only) Click OK

  19. Enter the user that you want to generate a smartcard certificate for, then select Check Names to validate the user principal name (UPN).

Figure 59: (English Only) Click Check Names

  20. Confirm the correct user if multiple users are found and then select OK.

Figure 60: (English Only) Click OK

  21. Confirm the user information and then click OK.

Figure 61: (English Only) Click OK

  22. Confirm the user information again and then click Enroll.

Figure 62: (English Only) Click Enroll

  23. The enrollment completes quickly. Either select Next User to generate another user certificate, or select Close to complete the certificate generation process. More certificates can be created for additional users at any time in the future.

Figure 63: (English Only) Click Next User

Certificates must first be exported in PKCS12 format before they can be assigned to smartcards. The export must include the private key and the full certificate chain.

To export a certificate:

  1. Open Microsoft Management Console (MMC) as the administrator who assigns certificates, on a device that is joined to the domain where the certificate templates are configured.

Figure 64: (English Only) Open Microsoft Management Console

  2. Select the option to Add/Remove Snap-in.

Figure 65: (English Only) Click Add/Remove Snap-in

  3. Select Certificates and then select Add.

Figure 66: (English Only) Click Add

  4. Ensure that the option for My user account is selected.

Figure 66: (English Only) Ensure that the option for My user account is selected

  5. Select OK to load the selected snap-ins.

Figure 67: (English Only) Click OK

  6. Expand the Certificates - Current User pane, then right-click the user's certificate to export. Select All Tasks and then click Export.

Figure 68: (English Only) Click Export

  7. Select the option Yes, export the private key, and then select Next.

Figure 69: (English Only) Click Next

  8. Clear the option to Enable certificate privacy, select Export all extended properties, and then click Next.

Figure 70: (English Only) Click Next

  9. Select the option for Password, assign a secure password for the certificate, and then select Next.

Figure 71: (English Only) Click Next

Note: Do not modify the Encryption option.
  10. Assign a filename and location, then select Next.

Figure 72: (English Only) Click Next

  11. Confirm the details, then select Finish to complete the export.

Figure 73: (English Only) Click Finish
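Before handing an exported file to VersaSec, it is worth checking that it actually carries what the paragraph above requires: the private key, the issuing chain, and the Smart Card Logon purpose for the right user. The following PowerShell is an added example (not part of the Dell article or of VersaSec) that inspects a .pfx with the PKI module's Get-PfxData cmdlet; the file path in the usage line is a placeholder, and the wording of the formatted Subject Alternative Name that the UPN is parsed from is an assumption noted in the comments.

```powershell
# Added example (not part of the Dell article): inspect an exported .pfx
# without installing it, reporting whether it holds the private key, bundled
# chain certificates, the Smart Card Logon EKU and a UPN for the user.

function Test-SmartcardPfx {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Get-PfxData (PKI module) parses the PKCS #12 container in memory
    $pfx  = Get-PfxData -FilePath $PfxPath -Password $Password
    $leaf = $pfx.EndEntityCertificates | Select-Object -First 1
    if (-not $leaf) { throw "No end-entity certificate found in $PfxPath" }

    # 1.3.6.1.4.1.311.20.2.2 is the Smart Card Logon enhanced key usage OID
    $scLogon = $leaf.EnhancedKeyUsageList |
               Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.20.2.2' }

    # 2.5.29.17 is Subject Alternative Name; on English Windows the formatted
    # text contains "Principal Name=<upn>" (assumed wording for the parse below)
    $san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $upn = $null
    if ($san -and $san.Format($false) -match 'Principal Name=(?<upn>[^,\s]+)') { $upn = $matches.upn }

    [pscustomobject]@{
        Subject           = $leaf.Subject
        Issuer            = $leaf.Issuer
        Upn               = $upn
        HasPrivateKey     = $leaf.HasPrivateKey
        ChainCertCount    = @($pfx.OtherCertificates).Count   # root/intermediates bundled in the file
        SmartCardLogonEku = [bool]$scLogon
        NotAfter          = $leaf.NotAfter
    }
}

# Usage (path is a placeholder):
# Test-SmartcardPfx -PfxPath 'C:\exports\user.pfx' -Password (Read-Host -AsSecureString 'PFX password')
```

HasPrivateKey = False means the template's Allow private key to be exported setting was not in effect when the certificate was issued, and ChainCertCount = 0 means the export did not include the chain. The .pfx contains the user's private key, so once VersaSec has written it to the card, delete the file and any copies; anyone holding the file and its password can authenticate as that user.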

Download and install the VersaSec software and any administrative middleware that may be required for the smartcards that are being provisioned.

To assign a certificate to a smartcard:

  1. Launch the VersaSec agent and insert a smartcard.
  2. Go to Card Actions - Certificates and Keys, then select Import.

Figure 74: (English Only) Click Import In VersaSec agent

  3. Browse to and select the exported certificate to bind to the smartcard. Enter the certificate password in the Password field, then select Import.

Figure 75: (English Only) Click Import

  4. Enter the user PIN when prompted for the Passcode and then select OK.

Figure 76: (English Only) Click OK

  5. Once the certificate has finished being written, it appears in the list.

Figure 77: (English Only) Certificate appears in list

  6. Once all certificates for all accounts are written to the smartcard, it can be used to log in to Windows or the Dell preboot authentication environment.

The process to enable single sign-on to Windows using smartcards differs depending on the version of Dell Encryption Enterprise that is in use. Select the appropriate version for more information. For versioning information, reference How to Identify the Dell Encryption Enterprise or Dell Encryption Personal Version.

For versions where no endpoint changes are required: once the policy has been set through the management console, all endpoint changes occur automatically.

Smartcards themselves may require a middleware. Consult with your smartcard vendor to determine whether a middleware solution must be installed on each endpoint to allow authentication into Windows.

For versions where an endpoint change is required, the next step is a Windows Registry edit:

Warning: The client machines do not single sign-on by default. A registry key must be added to allow this to occur.

The registry key is:

[HKLM\SOFTWARE\DigitalPersona\Policies\Default\Smartcards]
"MSSmartcardSupport"=dword:1

0 or no key = Smart Card Support Off, 1 = Smart Card Support On

  1. Open Registry Editor.
  2. Expand HKEY_LOCAL_MACHINE.
  3. Expand SOFTWARE.
  4. Expand DigitalPersona.
  5. Expand Policies.
  6. Expand Default.
  7. Create a key and then name it Smartcards.

Figure 78: (English Only) Open Registry Editor

  8. Create a DWORD and then name it MSSmartcardSupport.

Figure 79: (English Only) Create a DWORD and then name it MSSmartcardSupport

  9. Set the Value data to 1.

Figure 80: (English Only) Set the Value data to 1
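The registry steps above have to be repeated on every client that needs single sign-on, so the same change is easier to apply and audit from PowerShell. The following is an added example (not part of the Dell article); the key path, value name and meaning of the value come from the article, and it must be run elevated.

```powershell
# Added example (not part of the Dell article): create and verify the
# MSSmartcardSupport value described above. Run from an elevated session.

$PbaSmartcardKey = 'HKLM:\SOFTWARE\DigitalPersona\Policies\Default\Smartcards'

function Enable-PbaSmartcardSso {
    # -Force creates the Smartcards key if it is missing and leaves it alone if present
    New-Item -Path $PbaSmartcardKey -Force | Out-Null
    # MSSmartcardSupport: 0 or no value = Smart Card Support Off, 1 = Smart Card Support On
    New-ItemProperty -Path $PbaSmartcardKey -Name 'MSSmartcardSupport' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-PbaSmartcardSso {
    # Returns $true only when the value exists and is exactly 1; a missing key
    # or value is reported as disabled, matching the "no key = Off" rule
    $item = Get-ItemProperty -Path $PbaSmartcardKey -Name 'MSSmartcardSupport' -ErrorAction SilentlyContinue
    return ($null -ne $item -and [int]$item.MSSmartcardSupport -eq 1)
}

# Usage:
# Enable-PbaSmartcardSso
# Test-PbaSmartcardSso    # True once the value is set
```

Test-PbaSmartcardSso is also a convenient compliance check to run across a fleet (for example through a remoting session or a configuration baseline) to find endpoints where the value was never set or was later removed.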

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Additional Information

Appendix A

Configuring a Microsoft Certificate Authority

https://technet.microsoft.com/library/cc772393%28v=ws.10%29.aspx

Required Role Services:

  • Certification Authority
  • Certification Authority Web Enrollment
  • Online Responder

Appendix B

Failure Scenarios and Resulting Logs

Certificates are not accepted in the PBA.

PBA logs show:

[2015.04.07 17:53:18] [3C9ADA3BD9] [3061987072] [898]
[E:](CCredPasswordDlg::SmartcardAuthentication()) No smartcard certificate!

Resolution:

Assign the certificate through the Certificates MMC instead of through the CSP.

Unable to log in to PBA with a valid smartcard that works fine in Windows:

  • The Security Server's output (post v8.5) or the Security Server's SED.log files show invalid certificate errors.

Caused by:

java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
2015-05-04 21:06:00,169 ERROR SED [qtp914277914-24] - PBA auth error. Code=InvalidCertificate com.credant.sed.pba.resources.AuthException
2015-05-04 21:06:00,138 INFO SED [qtp914277914-24] - Smartcard auth from agent abbc4a5d-6e6d-4fac-9181-2a1dee1599ee
2015-05-04 21:06:00,169 ERROR SED [qtp914277914-24] - Invalid smartcard cert com.credant.security.x509.InvalidCertificateException: Invalid cert path
at com.credant.security.x509.CertificateVerifier.validate(CertificateVerifier.java:141)

Resolution:

Import the Certification Authority's root or intermediate certificate into the Java keystore for the Security Server and restart the Security Server service.
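When many users report PBA failures it helps to pull the affected agents and failure codes out of SED.log rather than reading it by hand. The following PowerShell is an added example (not part of the Dell article) that parses the log format shown above and maps the InvalidCertificate code to the resolution given here. The sample lines are constructed from the excerpt above; the SED.log path in the usage line is a placeholder because the article does not give it.

```powershell
# Added example (not part of the Dell article): triage SED.log for smartcard
# PBA failures. Sample lines are constructed from this appendix's excerpt.

$SampleSedLog = @(
    '2015-05-04 21:06:00,138 INFO SED [qtp914277914-24] - Smartcard auth from agent abbc4a5d-6e6d-4fac-9181-2a1dee1599ee',
    '2015-05-04 21:06:00,169 ERROR SED [qtp914277914-24] - Invalid smartcard cert com.credant.security.x509.InvalidCertificateException: Invalid cert path',
    '2015-05-04 21:06:00,169 ERROR SED [qtp914277914-24] - PBA auth error. Code=InvalidCertificate com.credant.sed.pba.resources.AuthException'
)

function Get-SedSmartcardFailure {
    param([Parameter(Mandatory)][string[]]$Line)
    # The agent id is logged by the same worker thread ([qtp...-NN]) just before
    # the error, so remember the last agent seen per thread to attribute failures
    $agentByThread = @{}
    foreach ($l in $Line) {
        if (-not ($l -match '^(?<ts>\S+ \S+) (?<level>\w+) SED \[(?<thread>[^\]]+)\] - (?<msg>.*)$')) { continue }
        $ts = $matches.ts; $thread = $matches.thread; $msg = $matches.msg

        if ($msg -match 'Smartcard auth from agent (?<agent>[0-9a-f-]{36})') {
            $agentByThread[$thread] = $matches.agent
            continue
        }
        if ($msg -match 'PBA auth error\. Code=(?<code>\w+)') {
            $code = $matches.code
            # Map the documented code to the documented fix; anything else needs a closer look
            $action = if ($code -eq 'InvalidCertificate') {
                'Issuing CA is not a trust anchor in the Security Server cacerts keystore: import the root/intermediate certificate and restart the Security Server'
            } else {
                'Review SED.log around this timestamp'
            }
            [pscustomobject]@{
                Time   = $ts
                Thread = $thread
                Agent  = $agentByThread[$thread]
                Code   = $code
                Action = $action
            }
        }
    }
}

# Usage:
# Get-SedSmartcardFailure -Line $SampleSedLog | Format-List
# Get-SedSmartcardFailure -Line (Get-Content '<path to SED.log>') | Group-Object Code | Select-Object Name, Count
```

Grouping the output by Code separates a keystore problem (every agent fails with InvalidCertificate) from a card provisioning problem (only a few agents fail), which is the distinction the two scenarios in this appendix draw.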

Affected Products

Dell Encryption
Article Properties
Article Number: 000126656
Article Type: Solution
Last Modified: 02 Oct 2023
Version:  15