Problem with smart card login

[Fredrik]

Hi

I have 2000 domain, with a 2003 enterprice certsrv. I have enable
autoentrollent to the users, but if a user get a certificate and it
works find. The user can login with it, but if the user delete the
certificate from the smart card the user can still can log in to the
computer the user has loggd in before he deletes the certificate.

Are windows cashing som informatiion somewhere?
I have not found som certificates on the local machine



/Fredrik

 

[Steven L Umbach]

Depending on your security policy, a user may be able to logon with username
and password if the smart card logon is not available. Can he logon if both
the certificate and the private key have been deleted from the smart card??
If you do not want a user to logon with a particular certificate, revoke the
certificate and consider disabling the user account. For Windows 2000 it may
take a computer up to a week to update it's CRL with the current one as the
computer does cache the CRL. W2003/XP Pro can use a Delta CRL which by
default publishes the changes to the current CRL daily. Windows will cache
some certificate information such as that for EFS until computer is
rebooted. You might also try rebooting the computer to see if there is a
change in behavior. --- Steve

 

[Brian Komar]

Hi

I have 2000 domain, with a 2003 enterprice certsrv. I have enable
autoentrollent to the users, but if a user get a certificate and it
works find. The user can login with it, but if the user delete the
certificate from the smart card the user can still can log in to the
computer the user has loggd in before he deletes the certificate.

Are windows cashing som informatiion somewhere?
I have not found som certificates on the local machine



/Fredrik

What is the operating system used by the user. When you say that the
certificate is deleted, what process did you use to delete the
certificate (and private key???).

When the user is logging in, are they typing the PIN for the smart card?

Just need some more details.

Brian

 

[Brian Komar]

Depending on your security policy, a user may be able to logon with username
and password if the smart card logon is not available. Can he logon if both
the certificate and the private key have been deleted from the smart card??
If you do not want a user to logon with a particular certificate, revoke the
certificate and consider disabling the user account. For Windows 2000 it may
take a computer up to a week to update it's CRL with the current one as the
computer does cache the CRL. W2003/XP Pro can use a Delta CRL which by
default publishes the changes to the current CRL daily. Windows will cache
some certificate information such as that for EFS until computer is
rebooted. You might also try rebooting the computer to see if there is a
change in behavior. --- Steve

<snip>
Just one clarification...
Windows 2000 will also use delta CRLs if the MS04-11 patch is applied to
the system. Windows 2000 with MS04-11 uses the same certificate
validation process as Windows XP and Windows Server 2003.

If you are using Windows 2000, the deletion of a certificate will
require a reboot to clear the certificate, as mentioned by Steve.

Brian

 

[Steven L Umbach]

Thanks for that information Brian. --- Steve

<snip>
Just one clarification...
Windows 2000 will also use delta CRLs if the MS04-11 patch is applied to
the system. Windows 2000 with MS04-11 uses the same certificate
validation process as Windows XP and Windows Server 2003.

If you are using Windows 2000, the deletion of a certificate will
require a reboot to clear the certificate, as mentioned by Steve.

Brian