These documents are probably going to be more valuable to those who support federal customers in the US, but they are a good read for anyone planning to deploy smart cards in their environment.
For those not familiar with HSPD-12, in a nutshell it is a mandate for federal organizations to issue common ID/smart cards to their users. This comes into play in the Active Directory arena because the cards are used for logon via two-factor authentication (smart card logon). The two factors in this case are:
- Something the user has - the smart card
- Something the user knows - PIN
Everyone has seen this referenced in the Account tab of a user in AD Users & Computers ("Smart card is required for interactive logon").
Those in the military, or who have supported US Military customers, will hear the term CAC card used for their smart cards. Those supporting civilian agencies/.gov will hear the term PIV card for their smart cards.
You can get the updated Microsoft documentation here:
Included within this document are detailed steps to configure Windows Server 2008 R2 Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), Windows® 7, and Microsoft® Office 2010 to perform traditional UPN-based smart card logon, explicit smart card logon (client authentication certificate mapped to multiple accounts), explicit cross-forest smart card logon, and NIST SP800-78-3 compliant S/MIME email exchanges.

Smart card/HSPD-12 adoption within agencies varies. DoD has definitely been the leader in this space. There are other agencies that I've been at that are also rolling, but there are also those that haven't even started issuing smart cards to the majority of their users yet. I'm not naming names here :)
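The "explicit smart card logon" case above (one client authentication certificate mapped to more than one account, such as a user's standard and admin accounts) is done in AD DS through the altSecurityIdentities attribute, paired with the same "smart card is required" flag the ADUC Account tab exposes. The following PowerShell is an added example of my own, not code from the Microsoft document or this post; it assumes the RSAT ActiveDirectory module, rights to edit the user objects, and the card's authentication certificate exported as a .cer file. The path, account names and DN values are constructed placeholders.

```powershell
# Added example (not from the original post or Microsoft's document):
# explicit smart card logon mapping in AD DS with PowerShell.
# Assumes the ActiveDirectory RSAT module, rights to edit user objects,
# and a user's smart card authentication certificate exported as .cer.
# All paths, account names and DN values below are constructed placeholders.
Import-Module ActiveDirectory

function ConvertTo-AltSecIdX509 {
    # Builds the altSecurityIdentities value "X509:<I>issuer<S>subject".
    # AD expects each DN with its RDNs in reverse display order (root
    # component first), so "CN=CA, DC=corp, DC=example" becomes
    # "DC=example,DC=corp,CN=CA".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $reverseDn = {
        param($dn)
        # Format($true) emits one RDN per line, which avoids splitting on
        # commas that may be escaped inside an RDN value.
        $rdns = @($dn.Format($true) -split "`r?`n" |
                  ForEach-Object { $_.Trim() } |
                  Where-Object { $_ -ne '' })
        [array]::Reverse($rdns)
        ($rdns -join ',')
    }
    $issuer  = & $reverseDn $Certificate.IssuerName
    $subject = & $reverseDn $Certificate.SubjectName
    return "X509:<I>$issuer<S>$subject"
}

function Add-SmartCardMapping {
    # Adds the certificate mapping to each account and requires smart card
    # logon there, so the mapped accounts no longer accept a password.
    param(
        [string]$CertificatePath,
        [string[]]$SamAccountName
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificatePath
    $mapping = ConvertTo-AltSecIdX509 -Certificate $cert
    foreach ($sam in $SamAccountName) {
        $user = Get-ADUser -Identity $sam -Properties altSecurityIdentities
        if ($user.altSecurityIdentities -notcontains $mapping) {
            Set-ADUser -Identity $sam -Add @{ altSecurityIdentities = $mapping }
        }
        # UF_SMARTCARD_REQUIRED (0x40000): the same bit the ADUC Account tab
        # checkbox "Smart card is required for interactive logon" sets.
        Set-ADUser -Identity $sam -SmartcardLogonRequired $true
    }
    return $mapping
}

function Get-SmartCardMappingReport {
    # Audit: accounts that have a certificate mapping but not the smart card
    # requirement still allow a password logon path alongside the card.
    Get-ADUser -Filter 'altSecurityIdentities -like "X509:*"' `
        -Properties altSecurityIdentities, SmartcardLogonRequired |
      Where-Object { -not $_.SmartcardLogonRequired } |
      Select-Object SamAccountName, altSecurityIdentities
}

# Usage (constructed values): one card mapped to a standard and an admin account.
# Add-SmartCardMapping -CertificatePath 'C:\certs\jdoe-auth.cer' -SamAccountName 'jdoe','jdoe-adm'
# Get-SmartCardMappingReport
```

The audit function is the check worth running after a rollout: a mapped account that still permits password logon has not actually gained a second factor. One caveat for anyone reading this on current builds: since Microsoft's KB5014754 changes (2022), an issuer/subject (`<I><S>`) mapping on its own is classed as a weak mapping, so newer domain controllers may require a stronger identifier in altSecurityIdentities; check the current Microsoft guidance before relying on this format.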