Smartcards and cached logons...
Smartcards and cached credentials.
Scenario – large customer using a smartcard client from vendor XYZ.
When a user was online ( plugged into the network ) and would logon to the domain via smartcard it would not cache the credentials. If they tried to logon offline using Smartcard cached creds – it would fail.
If the user logged on with the username and password it cached properly.
Many people don’t realize that when it comes to smartcards, and the user experience, that much of it relies on the vendor.
The basic architecture is like this:
Another thing to note, is that if you logon with a smartcard, it is a unique entry in the cached logon list.
If the user Bob has a smartcard and logons twice, once as domain\bob and his password, and once with his smartcard and PIN - he will have 2 entries in the cached logon list
Likewise, if the same user Bob has 2 smartcards, and he logs on with SC1 and then SC2 , the cached info for SC2 will be the only card he can use to logon with cached creds, as it will overwrite the data from the cached logon from SC1 ( most times ).
This scenario has come up where they issue a user 2 cards , one in case he leaves the other at home or work. He logs on at work with SC1 and when he gets home, expects to logon cached via SC2 etc...
Anyway - back to our real story...
In this story, the CSP in this case was failing the call to CPGenRandom as shown in the above diagram.
From MSDN: https://windowssdk.msdn.microsoft.com/en-us/library/aa378205.aspx
If the function succeeds, the return value is TRUE.
If the function fails, the return value is FALSE, and the appropriate error code from the following table must be set using SetLastError.
So, after a call in to the vendor it appeared that they had never tested an offline scenario – all tests in their QA was via live DC’s
spatdsg
Comments
Anonymous
October 16, 2006
In a recent post I outlined a number of ‘challenges’ to implementing smartcards. I also asked about peopleAnonymous
May 26, 2007
It seems I do spend a fair bit of time with smartcards lately, but I have some other interesting postsAnonymous
July 10, 2007
It seems I do spend a fair bit of time with smartcards lately, but I have some other interesting posts