Smart Card Authentication to standalone PC

Posted by MattLaw on January 10, 2008, 7:27 am
Hi,
I hope someone can shed some light on this.

I have a PKI setup issuing certificates from the root CA onto Smart Cards.
These work fine for the machines that are connected to my domain for Windows
authentication.

The problem I have is there are a number of mobile PC units that do not connect
to the domain and use local accounts for authentication. I need to enable
these machines with the ability to use a smart card with cert for
authentication.

Can you install a copy of the root CA locally or generate a certificate for
a local user account so that this can be achieved?

The desktops are XP and Vista and the root CA is on a 2003 server.

Many thanks

Posted by Paul Adare on January 10, 2008, 7:37 am
On Thu, 10 Jan 2008 04:27:03 -0800, MattLaw wrote:

> I have a PKI setup issuing certificates from the root CA onto Smart Cards.
> These work fine for the machines that are connected to my domain for Windows
> authentication.
>
> The problem I have is there are a number of mobile PC units that do not connect
> to the domain and use local accounts for authentication. I need to enable
> these machines with the ability to use a smart card with cert for
> authentication.
>
> Can you install a copy of the root CA locally or generate a certificate for
> a local user account so that this can be achieved?
>
> The desktops are XP and Vista and the root CA is on a 2003 server.

You can't do this. Smart card logon in Windows requires Kerberos and there
is no Kerberos when using local accounts. Join the mobile computers to the
domain and use domain accounts.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
You can't make a program without broken egos.

Posted by MattLaw on January 10, 2008, 8:18 am
Hi Paul,

Thanks for the answer. I thought that was the case but wasn't 100%.

Thanks

"Paul Adare" wrote:

> On Thu, 10 Jan 2008 04:27:03 -0800, MattLaw wrote:
>
> > I have a PKI setup issuing certificates from the root CA onto Smart Cards.
> > These work fine for the machines that are connected to my domain for Windows
> > authentication.
> >
> > The problem I have is there are a number of mobile PC units that do not connect
> > to the domain and use local accounts for authentication. I need to enable
> > these machines with the ability to use a smart card with cert for
> > authentication.
> >
> > Can you install a copy of the root CA locally or generate a certificate for
> > a local user account so that this can be achieved?
> >
> > The desktops are XP and Vista and the root CA is on a 2003 server.
>
> You can't do this. Smart card logon in Windows requires Kerberos and there
> is no Kerberos when using local accounts. Join the mobile computers to the
> domain and use domain accounts.
>
> --
> Paul Adare
> MVP - Virtual Machines
> http://www.identit.ca
> You can't make a program without broken egos.
>

Posted by David H. Lipman on January 10, 2008, 6:38 pm

| Hi Paul,
|
| Thanks for the answer. I thought that was the case but wasn't 100%.
|
| Thanks
|

Once they log in with their Smart Cards on the Domain, their credentials will be
cached and they will be able to log on when not connected to the Domain.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Posted by Brian Komar on January 11, 2008, 12:16 am
David,
You missed the point that the computers are not domain members.
No domain = no Kerberos = no smart card logon
Brian
>
> | Hi Paul,
> |
> | Thanks for the answer. I thought that was the case but wasn't 100%.
> |
> | Thanks
> |
>
> Once they log in with their Smart Cards on the Domain, their credentials
> will be cached and they will be able to log on when not connected to the Domain.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>

