Re: Problem with smart card login

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/18/05


Date: Mon, 18 Apr 2005 14:53:28 -0500

Depending on your security policy, a user may be able to logon with username
and password if the smart card logon is not available. Can he logon if both
the certificate and the private key have been deleted from the smart card?
If you do not want a user to logon with a particular certificate, revoke the
certificate and consider disabling the user account. For Windows 2000 it may
take a computer up to a week to update its CRL with the current one as the
computer does cache the CRL. W2003/XP Pro can use a Delta CRL which by
default publishes the changes to the current CRL daily. Windows will cache
some certificate information such as that for EFS until the computer is
rebooted. You might also try rebooting the computer to see if there is a
change in behavior. --- Steve

"Fredrik" <ftg@nordmaling.se> wrote in message
news:d5d323c.0504170157.69e9af8e@posting.google.com...
> Hi
>
> I have a 2000 domain, with a 2003 enterprise certsrv. I have enabled
> autoenrollment for the users, and when a user gets a certificate it
> works fine. The user can login with it, but if the user deletes the
> certificate from the smart card the user can still log in to the
> computer the user has logged in to before he deleted the certificate.
>
> Is Windows caching some information somewhere?
> I have not found any certificates on the local machine
>
> /Fredrik
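The reply above boils down to a verification problem: after a certificate is revoked, the logon machine keeps trusting it until its cached CRL expires or a current CRL (or delta CRL) is fetched. The following PowerShell script is an added example, not code from either poster, that shows how an administrator would check what the local CryptoAPI cache currently says about a user's certificate, flush the cached CRLs, and check again. It assumes a modern Windows host with PowerShell and certutil.exe, that the user's certificate has been exported to a file (the path below is a placeholder), and that the script runs with administrative rights for the registry change.

```powershell
# Added example (not from the original thread): check whether Windows' cached
# revocation data still accepts a smart card logon certificate, then force a
# fresh CRL / delta CRL fetch so a revocation takes effect before the cached
# CRL expires on its own.
# Assumptions: modern Windows with PowerShell and certutil.exe; the path below
# is a placeholder for an exported copy of the user's logon certificate.

param(
    [string]$CertPath = 'C:\temp\smartcard-user.cer'   # placeholder path
)

function Test-CertRevocation {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [switch]$Online
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Offline uses only CRLs already in the CryptoAPI cache, which is what a
    # logon check effectively sees until the cached CRL expires. Online allows a
    # download, but a cached CRL that is still within its validity window is
    # reused, so a recent revocation can still be missed until the cache is purged.
    $chain.ChainPolicy.RevocationMode = if ($Online) {
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    } else {
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Offline
    }
    $ok = $chain.Build($Cert)
    [pscustomobject]@{
        Subject = $Cert.Subject
        Serial  = $Cert.SerialNumber
        ChainOk = $ok
        Status  = ($chain.ChainStatus |
            ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
}

function Reset-CrlCache {
    # Purge cached CRLs and make CryptoAPI resynchronise its chain cache so the
    # next check pulls the current CRL / delta CRL instead of the cached copy.
    certutil -urlcache crl delete | Out-Null
    certutil -setreg chain\ChainCacheResyncFiletime @now | Out-Null
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

'Before refresh (cached CRL only):'
Test-CertRevocation -Cert $cert | Format-List

Reset-CrlCache

'After refresh (current CRL fetched):'
Test-CertRevocation -Cert $cert -Online | Format-List

# Show the cached CRLs and their validity windows, which tells you how long a
# revocation could go unnoticed on this machine if the cache were not purged.
certutil -urlcache crl
```

If the first check reports the chain as valid and the second reports a revoked status, the logon machine was relying on a stale cached CRL, which is exactly the week-long window the reply describes for Windows 2000. Revoking the certificate and disabling the account are still the controls that matter; the script only shows whether the machine has picked the revocation up yet.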
