Windows Smart Card Technical Reference

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

The Smart Card Technical Reference describes the Windows smart card infrastructure and how smart card–related components work in Windows. This document also contains information about tools that information technology (IT) developers and administrators can use to troubleshoot, debug, and deploy smart card–based strong authentication in the enterprise.

Audience

This document explains how the Windows smart card infrastructure works. To understand this information, you should have basic knowledge of public key infrastructure (PKI) and smart card concepts. This document is intended for:

• Enterprise IT developers, managers, and staff who are planning to deploy or deploying smart cards in their organization.

• Smart card vendors who write smart card minidrivers or credential providers.

What are smart cards?

Smart cards are tamper-resistant, portable storage devices that can enhance the security of tasks, such as client authentication, code signing, securing e-mail, and logging on with a Windows domain account.

Smart cards provide:

• Tamper-resistant storage for protecting private keys and other forms of personal information.

• Isolation of security-critical computations involving authentication, digital signatures, and key exchange from other parts of the computer. The security-critical operations are performed on the smart card.

• Portability of credentials and other private information between computers at work, home, or on the road.

Smart cards can be used to log on to domain accounts only, not local accounts. When you use a password to log on interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates.

In this technical reference

• Smart Card Enhancements

• Smart Card Architecture

• Windows Smart Card Services

• Smart Card Logon

• Smart Card and Remote Desktop Services

• Smart Cards Debugging and Developer Information

• Smart Card Tools and Settings

Additional resources

• Microsoft Base Smart Card Cryptographic Service Provider (Base CSP) for Windows 2000, 2003 and XP (https://go.microsoft.com/fwlink/?LinkId=93341)

• Smart Card Mini Driver Specification(https://go.microsoft.com/fwlink/?LinkId=93343)

• Smart Card Certification Requirements (https://go.microsoft.com/fwlink/?LinkId=93345)

• PC/SC Workgroup (https://go.microsoft.com/fwlink/?LinkId=93346)

• WinSCard API Reference (https://go.microsoft.com/fwlink/?LinkId=93347)

• OSCP support for PKINIT (https://go.microsoft.com/fwlink/?LinkId=93348)

• Session 0 in Windows Vista (https://go.microsoft.com/fwlink/?LinkId=93350)

• Global Platform Specifications (https://go.microsoft.com/fwlink/?LinkId=93351)

• Troubleshooting PKI Problems on Windows Vista (https://go.microsoft.com/fwlink/?LinkId=89570)

• RFC 4556: Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (https://go.microsoft.com/fwlink/?LinkId=93352)

• Active Directory Certificate Server Enhancements in Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkId=83212)

• For the latest smart card information and feedback, Smart Card Infrastructure Blog (https://go.microsoft.com/fwlink/?LinkId=96591)