Posted by S. Pidgorny on August 5, 2006, 6:24 am
G'day,
I have implemented a smart card logon system. Now I have an issue with
secondary (administrative) logons. If I put a second smart card logon
certificate on a card, it becomes the only one used by Windows logon (which
is understandable) and also runas... Basically, the original cert becomes of
no use.
I'm interested in how secondary logon works in current smart card deployment
scenarios. Any help and ideas appreciated.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
Posted by Paul Adare on August 5, 2006, 8:38 am
microsoft.public.security news group, S. Pidgorny <MVP>
> G'day,
>
> I have implemented a smart card logon system. Now I have an issue with
> secondary (administrative) logons. If I put a second smart card logon
> certificate on a card, it becomes the only one used by Windows logon (which
> is understandable) and also runas... Basically, the original cert becomes of
> no use.
>
> I'm interested in how secondary logon works in current smart card deployment
> scenarios. Any help and ideas appreciated.
Until Vista is released you'll need to live with the fact that
you need a separate smart card for each account. While you can put
multiple smart card logon certificates on a card, Windows will only be
able to use the certificate in the default container on the card.
Depending on the middleware, the tools installed, and the technical
acumen of your users, they may be able to manually switch the certs
between the default containers.
--
Paul Adare - MVP Virtual Machines
It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain
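A way to see the situation Paul describes on a given workstation, added here as an example and not code from the thread: a PowerShell script that lists every certificate Windows could map to a domain account at smart card logon (logon EKU plus a UPN in the SAN) and warns when one user has more than one. It assumes Windows PowerShell on a domain-joined machine whose card middleware propagates the card's certificates into the user's personal store; the function name and the OID constants are the example's own.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell on a
# domain-joined workstation whose smart card middleware propagates the card's
# certificates into the user's personal store (Cert:\CurrentUser\My).

$ScLogonOid    = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU
$SanOid        = '2.5.29.17'                # Subject Alternative Name extension

function Get-LogonCapableCert {
    # Return every personal-store certificate that Windows could map to a
    # domain account at smart card logon: has a logon EKU and a UPN in the SAN.
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $ekuExt) { return }
        $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if (-not (($ekus -contains $ScLogonOid) -or ($ekus -contains $ClientAuthOid))) { return }

        # The account mapping comes from the UPN carried as an otherName in the SAN;
        # Format() renders it as "Other Name:Principal Name=user@domain".
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        if (-not $sanExt) { return }
        $m = [regex]::Match($sanExt.Format($false), 'Principal Name=([^,\s]+)')
        if (-not $m.Success) { return }

        [pscustomobject]@{
            Upn                  = $m.Groups[1].Value
            Subject              = $cert.Subject
            Thumbprint           = $cert.Thumbprint
            NotAfter             = $cert.NotAfter
            HasSmartCardLogonEku = ($ekus -contains $ScLogonOid)
        }
    }
}

$logonCerts = @(Get-LogonCapableCert)
$logonCerts | Format-Table -AutoSize

if ($logonCerts.Count -gt 1) {
    # The situation from the thread: several logon certificates on one card, but
    # pre-Vista logon and runas only pick up the one in the card's default container.
    $accounts = ($logonCerts | ForEach-Object { $_.Upn }) -join ', '
    $msg = '{0} logon-capable certificates found; only the one in the card''s default container will be offered at logon and runas on pre-Vista Windows. Accounts: {1}' -f $logonCerts.Count, $accounts
    Write-Warning $msg
}
```

Run it with the card inserted; a single row means the card is usable as Paul describes, while two rows for different UPNs is exactly the admin-plus-user case the thread is about.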
Posted by S. Pidgorny on August 7, 2006, 6:04 am
Thanks Paul... Guess the Vista ecosystem will help smart card deployment
greatly. Looking at "identity management suites" that are glorified password
synchronisation systems doesn't make me laugh any more, and viable strong
authentication as a primary means of logging on to everything in the
enterprise seems to be a bit off.
In your experience - are smart cards used primarily for admin tasks, for
general user logon, or for remote access/apps?
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
Posted by Paul Adare on August 7, 2006, 6:10 am
microsoft.public.security news group, S. Pidgorny <MVP>
> Thanks Paul... Guess the Vista ecosystem will help smart card deployment
> greatly. Looking at "identity management suites" that are glorified password
> synchronisation systems doesn't make me laugh any more, and viable strong
> authentication as a primary means of logging on to everything in the
> enterprise seems to be a bit off.
>
> In your experience - are smart cards used primarily for admin tasks, for
> general user logon, or for remote access/apps?
In my experience, admin tasks and remote access, with remote access
being the most common usage.
Until such time as all applications are Kerberos aware, requiring smart
cards for interactive logon is going to continue to be a challenge. Not
that it can't be done, as I do have one customer with 130K users who are
using smart cards for all authentication; it is just currently much
harder than it should be.
--
Paul Adare - MVP Virtual Machines
It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain
Posted by bagins on August 7, 2006, 8:57 am
> it is just currently much harder than it should be
Why? You mean harder for admins or users? I am interested in your opinion,
because I don't have experience with enterprise networks using smart card
logon.
I agree with you about remote access and admin tasks being the most common
usage.
--
************************
Best regards
Bagins
************************