Your network contains an Active Directory domain named contoso.com.
The domain contains an enterprise certification authority (CA).
You plan to deploy certificates to all of the domain users. The certificates will be based on a
custom Smartcard Logon template.
You need to recommend a solution to ensure that the users can log on to the domain by
using smart cards.
What should you include in the recommendation?
A. From Certificate Templates, set the minimum certificate key size to 512.
B. From Active Directory Users and Computers, select Use Kerberos DES encryption types
for this account.
C. From Certificate Templates, include the user principal name (UPN) in the subject
alternate name (SAN) of the template.
D. From Active Directory Users and Computers, configure Published Certificates for user
accounts.
Explanation:
Request a smart card certificate from the third-party CA.
Enroll for a certificate from the third-party CA that meets the stated requirements. The
method for enrollment varies by the CA vendor.
The smart card certificate has specific format requirements:
* Subject Alternative Name = Other Name: Principal Name = (UPN). For example:
UPN = [email protected]
The UPN OtherName OID is: "1.3.6.1.4.1.311.20.2.3"
The UPN OtherName value must be an ASN.1-encoded UTF8 string.
* Subject = Distinguished name of user.
* The CRL Distribution Point (CDP) location (where CRL is the Certificate Revocation List)
must be populated, online, and available.
* Key Usage = Digital Signature
* Basic Constraints [Subject Type=End Entity, Path Length Constraint=None] (Optional)
* Enhanced Key Usage
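
The UPN requirement in the list above, as an added example that is not part of the original explanation: a standard-library Python check that a DER-encoded subjectAltName value carries an otherName with the quoted OID and a UTF8String value. The function names and the sample UPN user@contoso.com are constructed for illustration.

```python
UPN_OID = "1.3.6.1.4.1.311.20.2.3"             # UPN otherName OID quoted on the page
SEQUENCE, OID, UTF8STRING, IA5STRING, CTX0, RFC822 = 0x30, 0x06, 0x0C, 0x16, 0xA0, 0x81

def encode_oid(dotted):                         # dotted OID -> DER content bytes
    arcs = [int(a) for a in dotted.split(".")]
    out = b""
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:                  # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return out
UPN_OID_DER = encode_oid(UPN_OID)

def read_tlv(buf, pos):                         # -> (tag, value, next_pos)
    tag, length = buf[pos:pos + 2]              # ValueError if fewer than 2 bytes remain
    pos += 2
    if length & 0x80:                           # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def upn_from_san(san_der):
    """Return the UPN in a DER subjectAltName value, or raise ValueError."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != SEQUENCE:
        raise ValueError("subjectAltName is not a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, other, pos = read_tlv(names, pos)
        if tag != CTX0:                         # not an otherName, e.g. rfc822Name
            continue
        t, oid, nxt = read_tlv(other, 0)
        if t != OID or oid != UPN_OID_DER:      # some other otherName type
            continue
        t, wrapped, _ = read_tlv(other, nxt)    # [0] EXPLICIT wrapper around the value
        t2, value, _ = read_tlv(wrapped, 0)
        if t != CTX0 or t2 != UTF8STRING:
            raise ValueError("UPN otherName value is not a UTF8String")
        return value.decode("utf-8")
    raise ValueError("no UPN otherName in subjectAltName")

def tlv(tag, body):                             # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body
def build_san(upn, string_tag=UTF8STRING):      # constructed sample: rfc822Name + UPN otherName
    other = tlv(OID, UPN_OID_DER) + tlv(CTX0, tlv(string_tag, upn.encode()))
    return tlv(SEQUENCE, tlv(RFC822, upn.encode()) + tlv(CTX0, other))
```

A SAN that holds only an e-mail address, or a UPN encoded as IA5String, is rejected with ValueError.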