Sign in with
Sign up | Sign in
Your question

Problem with smart card login

Tags:
  • Login
  • Certificate
  • Windows
  • Product
Last response: in Windows 2000/NT
Share
Anonymous
April 17, 2005 6:57:08 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi

I have 2000 domain, with a 2003 enterprice certsrv. I have enable
autoentrollent to the users, but if a user get a certificate and it
works find. The user can login with it, but if the user delete the
certificate from the smart card the user can still can log in to the
computer the user has loggd in before he deletes the certificate.

Are windows cashing som informatiion somewhere?
I have not found som certificates on the local machine



/Fredrik

More about : problem smart card login

Anonymous
April 18, 2005 6:53:28 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Depending on your security policy, a user may be able to logon with username
and password if the smart card logon is not available. Can he logon if both
the certificate and the private key have been deleted from the smart card??
If you do not want a user to logon with a particular certificate, revoke the
certificate and consider disabling the user account. For Windows 2000 it may
take a computer up to a week to update it's CRL with the current one as the
computer does cache the CRL. W2003/XP Pro can use a Delta CRL which by
default publishes the changes to the current CRL daily. Windows will cache
some certificate information such as that for EFS until computer is
rebooted. You might also try rebooting the computer to see if there is a
change in behavior. --- Steve


"Fredrik" <ftg@nordmaling.se> wrote in message
news:D 5d323c.0504170157.69e9af8e@posting.google.com...
> Hi
>
> I have 2000 domain, with a 2003 enterprice certsrv. I have enable
> autoentrollent to the users, but if a user get a certificate and it
> works find. The user can login with it, but if the user delete the
> certificate from the smart card the user can still can log in to the
> computer the user has loggd in before he deletes the certificate.
>
> Are windows cashing som informatiion somewhere?
> I have not found som certificates on the local machine
>
>
>
> /Fredrik
Anonymous
April 19, 2005 3:46:10 AM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <d5d323c.0504170157.69e9af8e@posting.google.com>,
ftg@nordmaling.se says...
> Hi
>
> I have 2000 domain, with a 2003 enterprice certsrv. I have enable
> autoentrollent to the users, but if a user get a certificate and it
> works find. The user can login with it, but if the user delete the
> certificate from the smart card the user can still can log in to the
> computer the user has loggd in before he deletes the certificate.
>
> Are windows cashing som informatiion somewhere?
> I have not found som certificates on the local machine
>
>
>
> /Fredrik
>
What is the operating system used by the user. When you say that the
certificate is deleted, what process did you use to delete the
certificate (and private key???).

When the user is logging in, are they typing the PIN for the smart card?

Just need some more details.

Brian
--
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
Related resources
Anonymous
April 19, 2005 3:47:50 AM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <OI1JEBFRFHA.1236@TK2MSFTNGP14.phx.gbl>, n9rou@nospam-
comcast.net says...
> Depending on your security policy, a user may be able to logon with username
> and password if the smart card logon is not available. Can he logon if both
> the certificate and the private key have been deleted from the smart card??
> If you do not want a user to logon with a particular certificate, revoke the
> certificate and consider disabling the user account. For Windows 2000 it may
> take a computer up to a week to update it's CRL with the current one as the
> computer does cache the CRL. W2003/XP Pro can use a Delta CRL which by
> default publishes the changes to the current CRL daily. Windows will cache
> some certificate information such as that for EFS until computer is
> rebooted. You might also try rebooting the computer to see if there is a
> change in behavior. --- Steve
>
<snip>
Just one clarification...
Windows 2000 will also use delta CRLs if the MS04-11 patch is applied to
the system. Windows 2000 with MS04-11 uses the same certificate
validation process as Windows XP and Windows Server 2003.

If you are using Windows 2000, the deletion of a certificate will
require a reboot to clear the certificate, as mentioned by Steve.

Brian
Anonymous
April 19, 2005 6:29:56 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Thanks for that information Brian. --- Steve


"Brian Komar" <bkomar@nospam.identit.ca> wrote in message
news:MPG.1cce49712fb5383989691@msnews.microsoft.com...
> In article <OI1JEBFRFHA.1236@TK2MSFTNGP14.phx.gbl>, n9rou@nospam-
> comcast.net says...
>> Depending on your security policy, a user may be able to logon with
>> username
>> and password if the smart card logon is not available. Can he logon if
>> both
>> the certificate and the private key have been deleted from the smart
>> card??
>> If you do not want a user to logon with a particular certificate, revoke
>> the
>> certificate and consider disabling the user account. For Windows 2000 it
>> may
>> take a computer up to a week to update it's CRL with the current one as
>> the
>> computer does cache the CRL. W2003/XP Pro can use a Delta CRL which by
>> default publishes the changes to the current CRL daily. Windows will
>> cache
>> some certificate information such as that for EFS until computer is
>> rebooted. You might also try rebooting the computer to see if there is a
>> change in behavior. --- Steve
>>
> <snip>
> Just one clarification...
> Windows 2000 will also use delta CRLs if the MS04-11 patch is applied to
> the system. Windows 2000 with MS04-11 uses the same certificate
> validation process as Windows XP and Windows Server 2003.
>
> If you are using Windows 2000, the deletion of a certificate will
> require a reboot to clear the certificate, as mentioned by Steve.
>
> Brian
!