Joining computers to a domain with Smart Card authentication
So my main business computer recently switched from a Dell Desktop to an HP NC8430 laptop. I am traveling more and more, and it is very nice to be able to log in from a local library or coffee shop and stay on top of email. The NC8430 has a TPM chip (allowing me to run BitLocker Drive Encryption), so I do not lose sleep over the possibility that a lost or stolen laptop will leave me responsible for a "Microsoft loses information on 50,000 customers" headline. I did not notice a slowdown on the computer after enabling BitLocker, which makes the full volume encryption ever so much more palatable.
The other neat feature of the NC8430 (being a business-class laptop) is that it has a built-in Smart Card Reader, meaning that I do not need to carry around a long external smart card reader when VPN-ing into work. I just pop my card in the side and connect right up. Quite convenient.
I ran into an interesting question from a former co-worker of mine recently relating to smart cards. He accepted a position close to where he grew up as a Network Admin for the Army base there. The military, for the most part, has switched its logins away from username/password to Smart Card login. After having done so, my friend was running into an interesting problem. He could authenticate to the domain with no problems using his Smart Card, but could not join any computers to the domain.
The domain-join dialog box offers a choice of User ID/Password or Smart Card. If we use a username/password combo, all is well. If a smart card is used, then an error is displayed on the Windows XP Professional workstation stating the following:
“Logon failure: Unknown user name or bad password”
A netmon capture revealed the following:
NETLOGON: LMT Token = WindowsNT Networking
NETLOGON: LM20 Token = OS/2 LAN Manager 2.0 (or later) Networking
NETLOGON: Unknown Type
NETLOGON: Opcode = 0x0019
I pinged an internal Discussion List for the solution, which turned out to be:
XP doesn't support domain join via Smart Card -- Vista does though.
Moral of the story... before you wholesale replace the authentication mechanism for your domain... set up a lab environment to make sure that everything works as you expect it to. Unfortunately for my friend, this change was made before he was hired.
While the marketing folks trumpet the "flashy" new features of Microsoft releases, sometimes it is the engineering under the hood that makes the biggest difference in day-to-day operations (such as the added support for joining computers to domains with Smart Cards).
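As an added example (not part of the original post), here is a PowerShell pre-flight script that applies the post's finding before attempting a domain join: it refuses to try a smart card join on anything older than Windows Vista (NT 6.0), confirms that the Smart Card service and a reader are present, and only then prompts for credentials and calls Add-Computer. The domain name is a placeholder, and the script assumes the credential prompt on Vista and later offers the inserted card as a credential source, as the post describes for the join dialog.

```powershell
# Added example, not code from the original post.
# Pre-flight checks for a smart card domain join, based on the post's
# observation that Windows XP cannot join a domain with smart card
# credentials while Windows Vista can.

param(
    [string]$DomainName = 'corp.example.com'   # placeholder, replace with your domain
)

function Test-SmartCardJoinSupport {
    # Per the post, smart card domain join needs Windows Vista (NT 6.0) or later.
    $ver = [System.Environment]::OSVersion.Version
    if ($ver -lt [Version]'6.0') {
        Write-Warning "Windows $ver is pre-Vista and cannot join a domain with a smart card; use a username/password join account instead."
        return $false
    }
    return $true
}

function Test-SmartCardReader {
    # The Smart Card service (SCardSvr) must be running and a reader must be present.
    $svc = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        Write-Warning 'Smart Card service (SCardSvr) is not running.'
        return $false
    }
    # {50dd5230-...} is the Windows device setup class GUID for smart card readers.
    $readerClass = '{50dd5230-ba8a-11d1-bf5d-0000f805f530}'
    $readers = Get-WmiObject -Class Win32_PnPEntity -ErrorAction SilentlyContinue |
        Where-Object { $_.ClassGuid -eq $readerClass }
    if (-not $readers) {
        Write-Warning 'No smart card reader detected.'
        return $false
    }
    $readers | ForEach-Object { Write-Host "Reader found: $($_.Name)" }
    return $true
}

if (-not (Test-SmartCardJoinSupport)) { exit 1 }
if (-not (Test-SmartCardReader))      { exit 1 }

# Get-Credential raises the standard Windows credential prompt, which on Vista
# and later can use the inserted smart card (assumption: the card's certificate
# maps to an account permitted to join computers to the domain).
$cred = Get-Credential
Add-Computer -DomainName $DomainName -Credential $cred -Verbose
```

Running the script on an XP workstation stops at the first check with a warning, which is the outcome a lab test would have surfaced before the authentication change went into production.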