Re: Smart Card Log-in

From: Eric Perlin [MS] (ericperl@microsoft.com)
Date: 01/30/03


From: "Eric Perlin [MS]" <ericperl@microsoft.com>
Date: Thu, 30 Jan 2003 10:58:13 -0800


There is a white paper about enabling 3rd party CAs for SC logon.
This is completely orthogonal to the other questions.

-- 
Eric Perlin [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
---
"GeeCee" <graham.connell@i-solve.co.uk> wrote in message
news:023101c2c84b$465a2350$8df82ecf@TK2MSFTNGXA02...
> Rick
>
> I guess my original question was a bit vague.
>
> My understanding is that the default means of
> authentication in a purely W2K environment is via
> Kerberos, with the primary authentication being enabled
> either by UID/PWD or via smart card using the GINA.
> Ref -
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/maintain/security/pkintop.asp?frame=true
> - the para on smart card logon.
>
> However in mixed W2K and NT server environments, my
> understanding is that it is possible to disable Kerberos
> and use NTLM for domain level authentication. So I guess
> my question really is does NTLM support logon via smart
> card? And if so would it therefore be feasible to leave it
> disabled in a purely Win2K environment.
>
> The reason I ask ????
>
> Well if you do use the Win2K smart card based logon it
> insists on the certs being issued from the Windows CA,
> rather than a 3rd party CA. So I'm trying to see if
> there's a way round this, as my client wants to use
> Identrus certs.
>
> This is the real problem I'm trying to solve so any advice
> would be most welcome.
>
> KR,
>
> Graham
> >-----Original Message-----
> >I might be missing the bigger picture here.  Most smart cards work on
> >certificates.  Kerberos would be necessary for the interdomain communication
> >after the fact.
> >
> >How's your PKI and CA?   ;)
> >
> >--
> >Rick Kingslan  MCSE, MCSA, MCT
> >Microsoft MVP - Windows 2000/NT
> >Beta ID #108394
> >
> >
> >"GeeCee" <graham.connell@i-solve.co.uk> wrote in message
> >news:0a0f01c2c7a3$91fb5700$d4f82ecf@TK2MSFTNGXA11...
> >> Is it possible to enable smart card login to a Windows
> >> 2000 domain without Kerberos, i.e. in NTLM mode?
> >
> >
> >.
> >

