Smart Card Authenticatyion to standalone PC

M

MattLaw

Hi,
I hope someone can shed some light on this.

I have a PKI setup issuing certificates from the root CA onto Smart Cards.
these work fine for the machines that are connected to my domain for Windows
authentication.

The problem I have is there a a number of mobil PC units that do not connect
to the domain and use local accounts for authentication. I need to enable
these machines with the ability to use a smart card with cert for
authentication.

Can you install a copy of the root CA locally or generate a certificate for
a local user account so that this can be acheived?

The desktops are XP and Vista and the root CA is on a 2003 server.

Many thanks
 
P

Paul Adare

On Thu, 10 Jan 2008 04:27:03 -0800, MattLaw wrote:

> I have a PKI setup issuing certificates from the root CA onto Smart Cards.
> these work fine for the machines that are connected to my domain for Windows
> authentication.
>
> The problem I have is there a a number of mobil PC units that do not connect
> to the domain and use local accounts for authentication. I need to enable
> these machines with the ability to use a smart card with cert for
> authentication.
>
> Can you install a copy of the root CA locally or generate a certificate for
> a local user account so that this can be acheived?
>
> The desktops are XP and Vista and the root CA is on a 2003 server.

You can't do this. Smart card logon in Windows requires Kerberos and there
is no kerberos when using local accounts. Join the mobile computers to the
domain and use domain accounts.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
You can't make a program without broken egos.
 
M

MattLaw

Hi Paul,

Thanks for the answer I thought that was the case but wasn't 100%.

Thanks

"Paul Adare" wrote:

> On Thu, 10 Jan 2008 04:27:03 -0800, MattLaw wrote:
>
> > I have a PKI setup issuing certificates from the root CA onto Smart Cards.
> > these work fine for the machines that are connected to my domain for Windows
> > authentication.
> >
> > The problem I have is there a a number of mobil PC units that do not connect
> > to the domain and use local accounts for authentication. I need to enable
> > these machines with the ability to use a smart card with cert for
> > authentication.
> >
> > Can you install a copy of the root CA locally or generate a certificate for
> > a local user account so that this can be acheived?
> >
> > The desktops are XP and Vista and the root CA is on a 2003 server.
>
> You can't do this. Smart card logon in Windows requires Kerberos and there
> is no kerberos when using local accounts. Join the mobile computers to the
> domain and use domain accounts.
>
> --
> Paul Adare
> MVP - Virtual Machines
> http://www.identit.ca
> You can't make a program without broken egos.
>
 
B

Brian Komar

David,
You missed the point that the comptuers are not domain members.
No domain = no Kerberos = no smart card logon
Brian
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:uzUkYH%23UIHA.5208@TK2MSFTNGP04.phx.gbl...
> From: "MattLaw" <MattLaw@discussions.microsoft.com>
>
> | Hi Paul,
> |
> | Thanks for the answer I thought that was the case but wasn't 100%.
> |
> | Thanks
> |
>
> Once they login with their Smart Cards on the Domain, their credentials
> will be cached and
> they will be able to logon when not connected to the Domain.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
M

MattLaw

Thanks, the info is just confirming what I knew I just wondered if there was
any other way...these machines will never connect to the domain so teh
authentication would have to take place locally. The end-users have smart
cards which they use when they are on the domain but when they access one of
the mobile machines that is never on the domain they currently login using a
local account (generic) then login to an SSL VPN then login to a Citrix
session then login to a SSO interface...I am trying to take some of teh steps
away to simplify the process.

I may automate the windows login in the registry but this reduces a level of
security even though it is a generic login.

Thanks



"Brian Komar" wrote:

> David,
> You missed the point that the comptuers are not domain members.
> No domain = no Kerberos = no smart card logon
> Brian
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:uzUkYH%23UIHA.5208@TK2MSFTNGP04.phx.gbl...
> > From: "MattLaw" <MattLaw@discussions.microsoft.com>
> >
> > | Hi Paul,
> > |
> > | Thanks for the answer I thought that was the case but wasn't 100%.
> > |
> > | Thanks
> > |
> >
> > Once they login with their Smart Cards on the Domain, their credentials
> > will be cached and
> > they will be able to logon when not connected to the Domain.
> >
> > --
> > Dave
> > http://www.claymania.com/removal-trojan-adware.html
> > Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
> >
> >
>
 
P

Paul Adare

On Fri, 11 Jan 2008 01:37:05 -0800, MattLaw wrote:

> Thanks, the info is just confirming what I knew I just wondered if there was
> any other way...these machines will never connect to the domain so teh
> authentication would have to take place locally. The end-users have smart
> cards which they use when they are on the domain but when they access one of
> the mobile machines that is never on the domain they currently login using a
> local account (generic) then login to an SSL VPN then login to a Citrix
> session then login to a SSO interface...I am trying to take some of teh steps
> away to simplify the process.
>
> I may automate the windows login in the registry but this reduces a level of
> security even though it is a generic login.

Is there no way that you can connect these mobile systems to the domain at
least once? If you can, then as long as the users logon once with their
smart cards they will continue to be able to do so even after they are
disconnected from the domain.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
A computer scientist is someone who fixes things that aren't broken.
 
M

MattLaw

Unfortunately not...these are machines in cars the only connection is over
the VPN which is after the domain authentication process.

"Paul Adare" wrote:

> On Fri, 11 Jan 2008 01:37:05 -0800, MattLaw wrote:
>
> > Thanks, the info is just confirming what I knew I just wondered if there was
> > any other way...these machines will never connect to the domain so teh
> > authentication would have to take place locally. The end-users have smart
> > cards which they use when they are on the domain but when they access one of
> > the mobile machines that is never on the domain they currently login using a
> > local account (generic) then login to an SSL VPN then login to a Citrix
> > session then login to a SSO interface...I am trying to take some of teh steps
> > away to simplify the process.
> >
> > I may automate the windows login in the registry but this reduces a level of
> > security even though it is a generic login.
>
> Is there no way that you can connect these mobile systems to the domain at
> least once? If you can, then as long as the users logon once with their
> smart cards they will continue to be able to do so even after they are
> disconnected from the domain.
>
> --
> Paul Adare
> MVP - Virtual Machines
> http://www.identit.ca
> A computer scientist is someone who fixes things that aren't broken.
>
 
You must log in or register to reply here.

Similar threads

M
Weird certificate (XBL Client IPsec Issuing CA) found in my certificate store
Replies
0
Views
705
MaijaMeika_947
M
B
  • Article
Releasing Windows 10 Build 19044.1806 to Release Preview Channel
Replies
0
Views
248
Brandon LeBlanc
B
B
  • Article
Releasing Windows 11 Build 22000.776 to the Release Preview Channel
Replies
0
Views
255
Brandon LeBlanc
B
P
How not to use the smart card reader when invoking a site in https
Replies
0
Views
154
Pino GIAIMO
P
G
Smart Card Authentication and Cached Logons
Replies
0
Views
140
Gene Strickland
G
Back
Top Bottom