Problem with smart card login

Archived from groups: microsoft.public.win2000.security

Hi

I have a 2000 domain with a 2003 enterprise certsrv. I have enabled
autoenrollment for the users, and if a user gets a certificate it
works fine. The user can log in with it, but if the user deletes the
certificate from the smart card, the user can still log in to the
computer the user has logged in to before he deleted the certificate.

Is Windows caching some information somewhere?
I have not found any certificates on the local machine.


/Fredrik
  1.

    Depending on your security policy, a user may be able to logon with username
    and password if the smart card logon is not available. Can he logon if both
    the certificate and the private key have been deleted from the smart card??
    If you do not want a user to logon with a particular certificate, revoke the
    certificate and consider disabling the user account. For Windows 2000 it may
    take a computer up to a week to update its CRL with the current one as the
    computer does cache the CRL. W2003/XP Pro can use a Delta CRL which by
    default publishes the changes to the current CRL daily. Windows will cache
    some certificate information such as that for EFS until computer is
    rebooted. You might also try rebooting the computer to see if there is a
    change in behavior. --- Steve


    "Fredrik" <ftg@nordmaling.se> wrote in message
    news:d5d323c.0504170157.69e9af8e@posting.google.com...
    > Hi
    >
    > I have a 2000 domain with a 2003 enterprise certsrv. I have enabled
    > autoenrollment for the users, and if a user gets a certificate it
    > works fine. The user can log in with it, but if the user deletes the
    > certificate from the smart card, the user can still log in to the
    > computer the user has logged in to before he deleted the certificate.
    >
    > Is Windows caching some information somewhere?
    > I have not found any certificates on the local machine.
    >
    >
    >
    > /Fredrik
  2.

    In article <d5d323c.0504170157.69e9af8e@posting.google.com>,
    ftg@nordmaling.se says...
    > Hi
    >
    > I have a 2000 domain with a 2003 enterprise certsrv. I have enabled
    > autoenrollment for the users, and if a user gets a certificate it
    > works fine. The user can log in with it, but if the user deletes the
    > certificate from the smart card, the user can still log in to the
    > computer the user has logged in to before he deleted the certificate.
    >
    > Is Windows caching some information somewhere?
    > I have not found any certificates on the local machine.
    >
    >
    >
    > /Fredrik
    >
    What is the operating system used by the user? When you say that the
    certificate is deleted, what process did you use to delete the
    certificate (and private key???)?

    When the user is logging in, are they typing the PIN for the smart card?

    Just need some more details.

    Brian
    --
    ==
    Brian Komar
    MVP - Windows - Security
    http://www.identit.ca/blogs/brian
  3.

    In article <OI1JEBFRFHA.1236@TK2MSFTNGP14.phx.gbl>, n9rou@nospam-
    comcast.net says...
    > Depending on your security policy, a user may be able to logon with username
    > and password if the smart card logon is not available. Can he logon if both
    > the certificate and the private key have been deleted from the smart card??
    > If you do not want a user to logon with a particular certificate, revoke the
    > certificate and consider disabling the user account. For Windows 2000 it may
    > take a computer up to a week to update its CRL with the current one as the
    > computer does cache the CRL. W2003/XP Pro can use a Delta CRL which by
    > default publishes the changes to the current CRL daily. Windows will cache
    > some certificate information such as that for EFS until computer is
    > rebooted. You might also try rebooting the computer to see if there is a
    > change in behavior. --- Steve
    >
    <snip>
    Just one clarification...
    Windows 2000 will also use delta CRLs if the MS04-11 patch is applied to
    the system. Windows 2000 with MS04-11 uses the same certificate
    validation process as Windows XP and Windows Server 2003.

    If you are using Windows 2000, the deletion of a certificate will
    require a reboot to clear the certificate, as mentioned by Steve.

    Brian
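The revoke-then-publish sequence Steve describes, together with the CRL and delta CRL caching that Brian clarifies, as an added example that is not part of the thread. It assumes it is run as a CA administrator on the Windows Server 2003 enterprise CA (the client-side commands on the affected workstation), and that the serial number, the user's distinguished name and the exported certificate file name are hypothetical placeholders; only documented certutil, dsmod and net options are used.

```powershell
# Added example, not from the original thread. Placeholder values below are
# assumptions: replace them with the real serial number, user DN and file name.
$Serial  = "1a2b3c4d00000000001f"                       # hypothetical serial of the logon cert
$UserDN  = "CN=Fredrik,OU=Users,DC=example,DC=com"     # hypothetical user DN
$CertCer = ".\fredrik-logon.cer"                        # hypothetical export of the card's cert

# --- On the CA -------------------------------------------------------------
# 1. Revoke the certificate. Reason codes: 0 unspecified, 1 key compromise,
#    6 certificate hold (the only reason that can later be un-revoked).
certutil -revoke $Serial 1

# 2. Belt and braces: disable the account so a password fallback is closed too.
dsmod user $UserDN -disabled yes

# 3. Make sure delta CRLs are enabled and published daily (Steve's default),
#    then publish a fresh base CRL and delta CRL right now instead of waiting
#    for the next scheduled publication.
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
net stop certsvc
net start certsvc
certutil -CRL

# 4. Confirm the CA's publication schedule and that the revocation landed
#    in the CA database (Disposition 21 = revoked).
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
certutil -view -restrict "Disposition=21" -out "RequestID,SerialNumber,RevokedWhen,RevokedReason"

# --- On the client workstation ---------------------------------------------
# 5. A freshly published CRL does nothing until the client stops using its
#    cached copy. List the cached CRLs (with their validity), then flush them.
certutil -urlcache CRL
certutil -urlcache CRL delete

# 6. Re-validate the certificate that was on the card, forcing a download of
#    the current CRL/delta CRL rather than using the cache. The output should
#    now show the certificate as revoked.
certutil -verify -urlfetch $CertCer

# 7. Show what the smart card actually contains (certificate and key), since
#    the thread asks whether the private key was removed along with the cert.
certutil -scinfo
```

Step 5 is the practical answer to the question: a Windows 2000 client holds the CRL until it expires (up to a week with the defaults Steve quotes), and, as Brian notes, needs a reboot to drop a cached certificate, so without flushing the cache or rebooting, the revocation is not visible at logon, however quickly the CA published it.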
  4.

    Thanks for that information Brian. --- Steve


    "Brian Komar" <bkomar@nospam.identit.ca> wrote in message
    news:MPG.1cce49712fb5383989691@msnews.microsoft.com...
    > In article <OI1JEBFRFHA.1236@TK2MSFTNGP14.phx.gbl>, n9rou@nospam-
    > comcast.net says...
    >> Depending on your security policy, a user may be able to logon with
    >> username
    >> and password if the smart card logon is not available. Can he logon if
    >> both
    >> the certificate and the private key have been deleted from the smart
    >> card??
    >> If you do not want a user to logon with a particular certificate, revoke
    >> the
    >> certificate and consider disabling the user account. For Windows 2000 it
    >> may
    >> take a computer up to a week to update its CRL with the current one as
    >> the
    >> computer does cache the CRL. W2003/XP Pro can use a Delta CRL which by
    >> default publishes the changes to the current CRL daily. Windows will
    >> cache
    >> some certificate information such as that for EFS until computer is
    >> rebooted. You might also try rebooting the computer to see if there is a
    >> change in behavior. --- Steve
    >>
    > <snip>
    > Just one clarification...
    > Windows 2000 will also use delta CRLs if the MS04-11 patch is applied to
    > the system. Windows 2000 with MS04-11 uses the same certificate
    > validation process as Windows XP and Windows Server 2003.
    >
    > If you are using Windows 2000, the deletion of a certificate will
    > require a reboot to clear the certificate, as mentioned by Steve.
    >
    > Brian