How to Configure Smart Card Authentication on Windows Server 2012 R2
Smart card authentication implements true two-factor authentication (2FA) by requiring something the user has (the physical smart card) and something the user knows (the PIN). On Windows Server 2012 R2, smart card logon uses certificate-based Kerberos authentication, eliminating reliance on passwords for privileged access scenarios. This guide covers configuring Active Directory Certificate Services (AD CS) to issue smart card certificates, configuring Group Policy to require smart card logon for privileged accounts, and troubleshooting common smart card authentication issues.
Prerequisites
- Active Directory domain with Windows Server 2012 R2 domain controllers
- Active Directory Certificate Services (AD CS) deployed with an Enterprise CA
- Smart card reader hardware on the authenticating workstation
- Physical smart cards or virtual smart cards (available on Windows 8.1+ devices with TPM)
- The Smart Card Logon certificate template configured and published
Step 1: Install and Configure Active Directory Certificate Services
If AD CS is not already deployed, install an Enterprise CA:
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
# Configure as Enterprise Root CA
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCa `
    -CACommonName "Corp-Enterprise-CA" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -Force
Step 2: Configure the Smart Card Logon Certificate Template
Open the Certificate Templates console (certtmpl.msc) on the CA server and duplicate the Smartcard Logon template:
- Right-click Smartcard Logon → Duplicate Template
- Compatibility tab: Set CA to Windows Server 2012 R2, Certificate recipient to Windows 8.1 / Server 2012 R2
- General tab: Name it Corp-SmartcardLogon; Validity period: 1 year
- Subject Name tab: Build from this Active Directory information; Subject name format: Fully distinguished name; Include email name in subject name: unchecked
- Extensions tab: Application Policies must include Client Authentication and Smart Card Logon
- Security tab: Add the group that will enroll smart card certificates (e.g., Smart Card Users), grant Read and Enroll
# Publish the new template on the CA
Add-CATemplate -TemplateName "Corp-SmartcardLogon"
# Verify the template is available (findstr is case-sensitive unless /i is given)
certutil -catemplates | findstr /i "Smartcard"
Step 3: Configure Auto-Enrollment via Group Policy
Configure auto-enrollment so that users who need smart cards automatically receive certificates when their smart card is inserted. Navigate to:
User Configuration → Windows Settings → Security Settings → Public Key Policies → Certificate Services Client – Auto-Enrollment
Set to Enabled with both checkboxes selected (renew expired certificates, update certificates that use certificate templates).
Also configure Certificate Services Client – Certificate Enrollment Policy:
# Verify auto-enrollment configuration
gpresult /r | Select-String -Pattern "Certificate"
# Trigger certificate enrollment manually for testing
certutil -pulse
Step 4: Enroll a Smart Card Certificate
For administrator-enrolled smart cards (where an enrollment agent issues cards on behalf of users), configure an Enrollment Agent certificate first:
# Request an Enrollment Agent certificate (lets an administrator enroll certificates on behalf of users):
# in certmgr.msc go to Personal → Certificates → Request New Certificate, select the Enrollment Agent template and enroll.
# To request a Corp-SmartcardLogon certificate for the current user from the command line
# (smart card logon certificates are user certificates, so the context is -user, not -machine):
certreq -enroll -user "Corp-SmartcardLogon"
To enroll a certificate onto a physical smart card using the Certificate Manager:
- Insert the smart card in the reader
- Open certmgr.msc on the enrollment workstation
- Navigate to Personal → Certificates → All Tasks → Request New Certificate
- Select the Corp-SmartcardLogon template
- Click Enroll; Windows writes the certificate and key to the smart card
- Set the smart card PIN when prompted
Step 5: Require Smart Card Logon for Privileged Accounts
Configure specific accounts to require smart card authentication. This prevents password-based logon for those accounts:
# Require smart card for a specific account
Set-ADUser -Identity "DomainAdmin1" -SmartcardLogonRequired $true
# Verify
Get-ADUser -Identity "DomainAdmin1" -Properties SmartcardLogonRequired |
    Select-Object Name, SmartcardLogonRequired
# Apply to all members of Domain Admins (use carefully - ensure all have smart cards first)
$domainAdmins = Get-ADGroupMember -Identity "Domain Admins" | Where-Object { $_.objectClass -eq "user" }
foreach ($admin in $domainAdmins) {
    Set-ADUser -Identity $admin.SamAccountName -SmartcardLogonRequired $true
    Write-Host "Smart card required for: $($admin.Name)"
}
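The "ensure all have smart cards first" caveat above is easy to get wrong when the group is large. The following script is an added example, not part of the original guide: it checks, for every (nested) member of Domain Admins, whether a currently valid certificate carrying the Smart Card Logon EKU is published on the account, and only then sets SmartcardLogonRequired, with -WhatIf support. It assumes the Corp-SmartcardLogon template publishes issued certificates to the userCertificate attribute in AD; the function names Get-SmartCardReadiness and Enable-SmartCardRequirement are hypothetical.

```powershell
# Smart Card Logon EKU OID; the readiness check requires it on a currently valid certificate
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'

function Get-SmartCardReadiness {
    param([string]$GroupName = 'Domain Admins')
    # -Recursive expands nested groups; only user objects are considered
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties userCertificate, SmartcardLogonRequired
        $validCerts = 0
        # Assumption: the template publishes issued certificates to the userCertificate attribute
        foreach ($raw in @($u.userCertificate)) {
            try {
                $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
            } catch { continue }   # skip blobs that do not decode as X.509
            $eku = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            $ekuOids = @(); if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
            if ($ekuOids -contains $SmartCardLogonEku -and $c.NotAfter -gt (Get-Date)) { $validCerts++ }
        }
        [pscustomobject]@{
            SamAccountName         = $u.SamAccountName
            Enabled                = $u.Enabled
            SmartcardLogonRequired = [bool]$u.SmartcardLogonRequired
            ValidSmartCardCerts    = $validCerts
            Ready                  = ($validCerts -gt 0)
        }
    }
}

function Enable-SmartCardRequirement {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$GroupName = 'Domain Admins')
    foreach ($r in Get-SmartCardReadiness -GroupName $GroupName) {
        if ($r.SmartcardLogonRequired) { continue }   # already enforced
        if (-not $r.Ready) {
            Write-Warning "$($r.SamAccountName): no valid smart card logon certificate published, skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($r.SamAccountName, 'Set SmartcardLogonRequired = True')) {
            Set-ADUser -Identity $r.SamAccountName -SmartcardLogonRequired $true
        }
    }
}

# Review readiness first, then preview the change; drop -WhatIf to enforce
Get-SmartCardReadiness | Format-Table -AutoSize
Enable-SmartCardRequirement -WhatIf
```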
Step 6: Configure Interactive Logon Policy
Use Group Policy to enforce smart card requirements for interactive logon on sensitive servers. Navigate to:
Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
- Interactive logon: Require smart card — Set to Enabled on servers that should only accept smart card interactive logon
- Interactive logon: Smart card removal behavior — Set to Lock workstation (locks the console when smart card is removed)
# Set via registry (the policy key backing the Security Options above):
# Smart card removal behavior: 0 = No action, 1 = Lock workstation, 2 = Force logoff, 3 = Disconnect Remote Desktop session
# (Interactive logon: Require smart card is the separate scforceoption DWORD in the same key)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
    -Name "ScRemoveOption" -Value 1 -Type String   # 1 = Lock workstation
# Verify
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System").ScRemoveOption
Step 7: Configure UPN for Smart Card Certificates
Smart card certificates must contain the user’s User Principal Name (UPN) in the Subject Alternative Name field for domain authentication to work correctly. Verify this on an issued certificate:
# View certificate details including the SAN (verbose output lists the UPN as "Principal Name=<UPN>")
certutil -v -store -user My | findstr /i "Principal Subject: Issuer:"
# Or view via PowerShell (Select-Object would drop the Extensions property, so read it directly):
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $san = $_.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Subject Alternative Name" }
    if ($san) {
        Write-Host "Subject: $($_.Subject)  Issuer: $($_.Issuer)  NotAfter: $($_.NotAfter)"
        Write-Host "SAN: $($san.Format($false))"
    }
}
Step 8: Troubleshooting Smart Card Logon
Common smart card issues and diagnostic commands:
# Check smart card service is running
Get-Service SCardSvr, SCPolicySvc | Select-Object Name, Status, StartType
# Start smart card services if stopped
Start-Service SCardSvr
# Check smart card readers recognized by Windows
certutil -scinfo
# View smart card logon failure events in the Security log
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4625]]" -MaxEvents 20 |
    Where-Object { $_.Message -match "SmartCard|PKINIT|Certificate" } |
    Select-Object TimeCreated, Message
# Check CRL accessibility (smart card logon fails if the CRL cannot be reached)
certutil -url "http://CASERVER/crls/Corp-Enterprise-CA.crl"
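The UPN check in Step 7 and the CRL check in Step 8 can be combined into one pre-logon test of an issued certificate. The function below is an added example, not code from the original guide: it verifies the validity window, the Smart Card Logon and Client Authentication EKUs, the UPN in the SAN against the logged-on user's UPN, and builds the chain with online revocation checking the way the domain controller does at logon. The name Test-SmartCardLogonCertificate is hypothetical.

```powershell
function Test-SmartCardLogonCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedUpn   # AD UPN of the card holder; the SAN comparison is skipped if empty
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $now = Get-Date
    # 1. Validity window
    if ($Certificate.NotBefore -gt $now -or $Certificate.NotAfter -lt $now) {
        $findings.Add("Outside validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter))")
    }
    # 2. EKU must carry both Smart Card Logon and Client Authentication
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @(); if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $required = @{ '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'; '1.3.6.1.5.5.7.3.2' = 'Client Authentication' }
    foreach ($oid in $required.Keys) {
        if ($ekuOids -notcontains $oid) { $findings.Add("EKU missing: $($required[$oid]) ($oid)") }
    }
    # 3. SAN must contain the UPN the KDC maps to the account
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $upn = $null
    if ($san -and $san.Format($true) -match 'Principal Name=([^\s,]+)') { $upn = $Matches[1] }
    if (-not $upn) { $findings.Add('SAN has no Principal Name (UPN) entry') }
    elseif ($ExpectedUpn -and $upn -ne $ExpectedUpn) { $findings.Add("SAN UPN '$upn' does not match expected '$ExpectedUpn'") }
    # 4. Chain must build with online revocation checking, as the domain controller does at logon;
    #    an unreachable CRL shows up here as RevocationStatusUnknown / OfflineRevocation
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($Certificate)) {
        foreach ($s in $chain.ChainStatus) { $findings.Add("Chain: $($s.Status) - $("$($s.StatusInformation)".Trim())") }
    }
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Upn        = $upn
        Thumbprint = $Certificate.Thumbprint
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

# Check every certificate in the current user's store against the logged-on user's UPN
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-SmartCardLogonCertificate -Certificate $_ -ExpectedUpn (whoami /upn) } |
    Format-List
```

Run it on the enrollment workstation with the card inserted; a Passed value of False with a Chain finding points at CA trust or CRL reachability rather than at the card itself.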
Summary
Smart card authentication on Windows Server 2012 R2 provides strong two-factor authentication for privileged accounts and interactive console access. By deploying an Enterprise CA, creating a customized smart card logon template, configuring auto-enrollment, requiring smart card logon for Domain Admin accounts, and configuring the lock-on-removal policy, you have eliminated password-based authentication for your most critical accounts. This significantly reduces the risk of credential theft attacks and satisfies multi-factor authentication requirements in frameworks such as PCI DSS, HIPAA, and NIST 800-53.