Smart card authentication

Note: Smart Card Authentication is an Advanced Authenticator available as part of the Professional edition of ADSelfService Plus.

ADSelfService Plus offers Smart Card Authentication as one of its MFA methods to verify user identities.

What is a smart card?

A smart card is a security tool that combines a digital certificate with a private key to authenticate a user's identity.

  • A digital certificate is an electronic document issued by a Certificate Authority (CA) that binds a user's identity to a public key. This certificate is used to identify a user and is publicly distributed between entities to prove the user's identity.
  • A private key is a cryptographic secret paired with the public key. It is securely stored on the smart card and is never distributed. It is used for cryptographic operations such as digitally signing data to prove authenticity or decrypting data encrypted with the corresponding public key, and this proof of possession is what authenticates the user.

Types of smart cards

Smart cards on machines: This is a password-protected file (a PFX or other PKCS#12 container) in the personal certificate store on the user's machine. It holds the user's digital certificate and the corresponding private key.

Physical smart cards:
  • These are hardware devices compatible with smart card or certificate-based authentication, such as YubiKeys, SafeNet IDPrime smart cards, or similar Personal Identity Verification (PIV) cards with an integrated chip on which the certificate and private key are stored. Physical smart cards are further protected with PINs and are distributed to users by the admin. A card reader is required to read the digital certificate from a physical smart card during authentication.
  • ADSelfService Plus supports PIV cards, Common Access Cards (CACs), and other PKI certificate-based (X.509-compliant) smart cards. Please contact your smart card vendor to check whether your devices are supported.
  • Radio frequency identification (RFID) or near field communication (NFC) cards used as access cards for identity verification do not carry an X.509 certificate and cannot be used for smart card authentication.

How Smart Card Authentication works

Once a user initiates authentication by inserting their smart card and providing the smart card PIN, fingerprint, or any other 2FA method configured, ADSelfService Plus verifies their identity by comparing the certificate on the user's smart card with the one stored in AD. Here's how the authentication process works:

  1. ADSelfService Plus requests the user's digital certificate from the browser (or login agent in the case of machine MFA).
  2. Depending on the type of smart card, the browser (or agent) does one of the following:
    • Smart cards on user machines: The browser or login agent retrieves the certificate from the machine's certificate store and prompts the user for their password.
    • Physical smart cards: The certificate and private key are automatically injected into the device's certificate store when the hardware device is inserted into the machine or the PIV USB device is read by a card reader. If there are multiple certificates on the smart card, the user is asked to select the appropriate one. The browser or agent then retrieves the certificate from the store and prompts for the PIN that unlocks the smart card or certificate for authentication.
      Note: To use physical smart cards for Endpoint MFA for Windows, the vendor's Smart Card Minidriver, which implements Microsoft's Cryptographic Service Provider interface, must be installed on the Windows machine. Refer to the documentation provided by your smart card vendor for the installation steps.
  3. After successful verification by the browser or agent, the certificate is sent to ADSelfService Plus for authorization, which checks that:
    • The certificate is valid and was issued by the trusted CA configured in ADSelfService Plus.
    • The certificate matches the value of the userCertificate attribute in AD.

If the certificate passes these checks, the user's identity is verified, and MFA is successful.
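The server-side checks in steps 1 to 3 above, as an added example that is not ADSelfService Plus's own code: the Go program below builds a throwaway CA and user certificates in memory, stores the user's certificate bytes as a constructed userCertificate attribute value, and then verifies a presented certificate the way the procedure describes (chain to the configured trusted CA, validity period, and an exact match against userCertificate). It also adds a signed-challenge step to show the role of the private key explained under "What is a smart card?": possession of the key on the card, not the certificate alone, is what proves identity. The CA name, the user names, the function names and the scenario labels are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a certificate for this constructed PKI: with parent == nil it
// is a self-signed CA, otherwise a user certificate issued by parent.
func newCert(cn string, ttl time.Duration, parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-48 * time.Hour),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signChallenge is the card side: the private key never leaves the card, only
// the signature over the server's challenge comes back.
func signChallenge(card crypto.Signer, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return card.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// VerifySmartCardLogin is this example's server-side check: the presented
// certificate must chain to the trusted CA and be inside its validity period,
// it must equal one of the DER values in the user's AD userCertificate
// attribute, and the card must prove possession of the private key.
func VerifySmartCardLogin(trustedCA *x509.Certificate, userCertificate [][]byte, presented *x509.Certificate, challenge, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	matched := false
	for _, der := range userCertificate {
		matched = matched || bytes.Equal(der, presented.Raw)
	}
	if !matched {
		return fmt.Errorf("certificate is not in the user's userCertificate attribute")
	}
	if err := presented.CheckSignature(x509.ECDSAWithSHA256, challenge, sig); err != nil {
		return fmt.Errorf("challenge signature invalid: %w", err)
	}
	return nil
}

// RunScenarios exercises the check with constructed certificates and a
// constructed AD attribute value, returning each scenario's outcome.
func RunScenarios() (map[string]error, error) {
	var errs []error
	mk := func(cn string, ttl time.Duration, p *x509.Certificate, pk crypto.Signer) (*x509.Certificate, crypto.Signer) {
		c, k, err := newCert(cn, ttl, p, pk)
		errs = append(errs, err)
		return c, k
	}
	day := 24 * time.Hour
	ca, caKey := mk("Example Enterprise CA", 3*day, nil, nil)
	rogueCA, rogueKey := mk("Untrusted CA", 3*day, nil, nil)
	alice, aliceKey := mk("alice@example.com", 3*day, ca, caKey)
	expired, expiredKey := mk("alice@example.com", -day, ca, caKey)
	rogue, rogueUserKey := mk("alice@example.com", 3*day, rogueCA, rogueKey)
	mallory, malloryKey := mk("mallory@example.com", 3*day, ca, caKey)
	for _, err := range errs {
		if err != nil {
			return nil, err
		}
	}
	// Constructed AD state: alice's userCertificate holds her current and her expired cert.
	adUserCertificate := [][]byte{alice.Raw, expired.Raw}
	challenge := make([]byte, 32) // fresh random nonce per login attempt
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	results := map[string]error{}
	attempt := func(name string, cert *x509.Certificate, card crypto.Signer) {
		sig, err := signChallenge(card, challenge)
		if err == nil {
			err = VerifySmartCardLogin(ca, adUserCertificate, cert, challenge, sig)
		}
		results[name] = err
	}
	attempt("valid", alice, aliceKey)
	attempt("expired", expired, expiredKey)
	attempt("untrusted-ca", rogue, rogueUserKey)
	attempt("not-in-ad", mallory, malloryKey)
	attempt("bad-signature", alice, malloryKey) // alice's certificate, but the wrong private key
	return results, nil
}
```

Only the "valid" scenario passes; the expired certificate and the one issued by an untrusted CA fail the chain check (Verify also enforces the validity period), mallory's certificate fails the userCertificate match, and the last scenario shows that a copied certificate without the matching private key is rejected at the signature step. In a deployment the trusted CA would be the one configured in ADSelfService Plus and the userCertificate values would be read from AD rather than constructed.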

Configuring Smart Card Authentication via ADSelfService Plus

Using ADSelfService Plus, you can use smart cards in the following ways:

  • Secure user identities using MFA: Smart cards can be used as an authentication factor to protect enterprise apps, Windows machines, self-service actions like password resets and account unlocks, OWA logins, VPN logins via secure verification links, and logins to ADSelfService Plus. Click here to learn how to configure the Smart Card Authenticator for MFA.
  • Enable passwordless logins: Admins can add a Smart Card button to the ADSelfService Plus login screen, letting users access the self-service portal and applications securely in one click, without requiring a username or a password. Click here to learn how to configure the Smart Card Authenticator for passwordless logins.