Smart Card Login + Certificate Login to AD -> Lost smart card


We have AD login using smart card + certificate working fine. We also know
what needs to be done in the event the user forgets the smart card when they
come to the office (let them temporarily log in using a password and disable
it the next day). However, what are people (companies who have implemented
this MS solution, including MS) doing with the user who is a traveler with a
laptop, has a good cached profile (from the last successful smart card login
from the office before disconnecting), loses the smart card and needs to
log on to the desktop in a foreign country (or anywhere they are not
connected to the corporate network and can't connect, because they can't log
on to the desktop in the first place)?

Does anyone have a solution for this? Is there no solution?
 
Joined
Feb 10, 2006
Messages
1
Reaction score
0
Any feedback?

I have the same question. The only idea I have is fairly convoluted. I hope you've come across something more streamlined:
The user contacts the domain admin for another local account configured on the workstation. This local account is set up for UID/PW. Under typical operations the end user is not aware of this account. This account is set up with a VPN client profile to a user group on the RADIUS server that permits UID/PW access to the network; this account is assigned to a security group on the domain called DomainName\RemoteSmartCardUsersTempException. This account is also configured with a remote access client shortcut to the user's actual account on the same machine. The admin provides the user with the temporary password to the user's actual account which allows the user to cache the updated domain account privileges permitting UID/PW authentication. Once that is done, the "secret account" is disabled, and a new one set up remotely by the domain admin. For added security to the "secret account", the domain policy should require machine cert authentication.
 
Last edited:
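The domain-side half of the procedure above (grant the temporary UID/PW exception, then disable it the next day), written as an added PowerShell example that is not from the thread. It assumes the ActiveDirectory RSAT module, the exception group named in the post, and placeholder values for the user name and audit log path.

```powershell
# Added example: time-boxed password-logon exception for a user who lost their smart card.
# Assumes the ActiveDirectory RSAT module and the exception group named in the post above;
# the user name, temporary password and log path are placeholders.
Import-Module ActiveDirectory

$ExceptionGroup = 'RemoteSmartCardUsersTempException'
$AuditLog       = 'C:\Logs\smartcard-exceptions.log'   # placeholder path

function Write-ExceptionAudit([string]$Message) {
    # One line per change so the next-day review can see who granted what and when.
    Add-Content -Path $AuditLog -Value ('{0:u} {1} {2}' -f (Get-Date), $env:USERNAME, $Message)
}

function Grant-SmartCardTempException {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][SecureString]$TempPassword)
    $user = Get-ADUser -Identity $SamAccountName -Properties SmartcardLogonRequired
    if (-not $user.SmartcardLogonRequired) {
        throw "$SamAccountName does not require a smart card; refusing to widen access further."
    }
    # Allow UID/PW logon, and force a password change so the admin-known password is short-lived.
    Set-ADUser -Identity $user -SmartcardLogonRequired $false
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $TempPassword
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    Add-ADGroupMember -Identity $ExceptionGroup -Members $user
    Write-ExceptionAudit "GRANT $SamAccountName password logon; review by $((Get-Date).AddDays(1).ToString('u'))"
}

function Revoke-SmartCardTempException {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    Remove-ADGroupMember -Identity $ExceptionGroup -Members $user -Confirm:$false
    # Re-requiring the smart card also makes the DC set a random password, retiring the temporary one.
    Set-ADUser -Identity $user -SmartcardLogonRequired $true
    Write-ExceptionAudit "REVOKE $SamAccountName smart card required again"
}

# The "disable it the next day" step: revoke every member still in the exception group.
function Invoke-SmartCardExceptionSweep {
    Get-ADGroupMember -Identity $ExceptionGroup |
        ForEach-Object { Revoke-SmartCardTempException -SamAccountName $_.SamAccountName }
}

# Usage (placeholder account):
# Grant-SmartCardTempException -SamAccountName 'jdoe' -TempPassword (Read-Host -AsSecureString 'Temporary password')
# ... next day ...
# Invoke-SmartCardExceptionSweep
```

The sweep can run as a scheduled task on the domain so an exception that was forgotten is still closed on the schedule the original post describes.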
