Enforce Smartcard on Access Check in Windows 2008 R2
A feature request I’ve seen customers frequently make is the ability to secure resources based on whether a smartcard was used to log on or a normal username/password combination was used.
This is now possible in a W2k8 R2 domain (the domain functional level must be Windows Server 2008 R2).
In short, the process is as follows:
- Admin associates a certificate template with a specific security group.
- Admin assigns permissions to that group on the resource (a file share or database, for example).
- The KDC on W2k8 R2 DCs adds the SID of that group to the user's token if that certificate (typically a smartcard certificate) was used to log on.
The result: when the user logs on with a smartcard, they have access to the resource through the group SID that is present in their access token. When they log on with a username and password, they don't have access, because the group's SID is not present in their access token in that case.
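As an added example (not from the original post or from Microsoft's guide), the following PowerShell performs the first step above on a DC: it links the certificate template's issuance policy to the group by writing the msDS-OIDToGroupLink attribute that Authentication Mechanism Assurance consults, with the checks that usually trip people up. The policy name "Smartcard Assurance Policy" and the group "SmartcardUsers" are placeholders; it assumes the ActiveDirectory module, Enterprise Admin rights, and a template that already carries that issuance policy.

```powershell
# Added example: link an issuance policy OID to a universal security group so the
# KDC adds that group's SID only when a certificate carrying the policy is used to log on.
# Placeholders: policy display name and group name below are constructed for this example.
Import-Module ActiveDirectory

$PolicyName = 'Smartcard Assurance Policy'   # issuance policy referenced by the smartcard template
$GroupName  = 'SmartcardUsers'               # group that will be granted access to the resource

# Check 1: the feature needs the Windows Server 2008 R2 domain functional level.
$mode = (Get-ADDomain).DomainMode
if ([int]$mode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain) {
    throw "Domain functional level is $mode; Windows2008R2Domain is required."
}

# Check 2: the linked group must be a universal security group, or the link is not honoured.
$group = Get-ADGroup -Identity $GroupName
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "$GroupName must be a universal security group (is $($group.GroupScope)/$($group.GroupCategory))."
}

# Issuance policies are msPKI-Enterprise-Oid objects under the OID container
# in the Configuration naming context.
$configNC     = (Get-ADRootDSE).configurationNamingContext
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNC"
$policy = Get-ADObject -SearchBase $oidContainer `
    -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(displayName=$PolicyName))" `
    -Properties msDS-OIDToGroupLink
if (-not $policy) { throw "Issuance policy '$PolicyName' not found under $oidContainer" }
if ($policy.'msDS-OIDToGroupLink') {
    Write-Warning "Policy is already linked to $($policy.'msDS-OIDToGroupLink'); replacing the link."
}

# The link itself: certificate with this policy OID -> group SID added at logon.
Set-ADObject -Identity $policy.DistinguishedName `
    -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Read the link back from both sides (forward link on the OID, back-link on the group).
(Get-ADObject -Identity $policy.DistinguishedName -Properties msDS-OIDToGroupLink).'msDS-OIDToGroupLink'
(Get-ADGroup  -Identity $GroupName -Properties msDS-OIDToGroupLinkBl).'msDS-OIDToGroupLinkBl'

# Verification on a client, after a fresh logon (the SID is added when the ticket is issued):
#   whoami /groups   after smartcard logon: SmartcardUsers appears in the token
#   whoami /groups   after password logon:  SmartcardUsers is absent
```

Assigning the group permissions on the resource (the second step) is done as usual on the share or database; nothing about that step is specific to this feature.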
Further details:
Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide
http://technet.microsoft.com/en-us/library/dd378897(WS.10).aspx
What's new in smartcards in Windows 7 and Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/dd367851(WS.10).aspx