Guest Tariq Posted November 23, 2008

Can anyone provide me with some guidance and recommendations on the use of smartcards and offline login with Windows XP based client laptops?

My organization currently issues XP based laptops attached to our corporate domain to our global user base. The current image/configuration uses cached logins to enable offline login using a user's AD credentials to the local machine.

I'm in the midst of deploying a Windows 2008 based PKI environment to support smartcard based logins. We're going to be deploying smartcards with mandatory login to a small number of laptop users, but I'd like to see that they have the same functionality as our non-smartcard based users in that they should be able to log in to their laptops while disconnected from our corporate network. I've seen some references online to the effect that the smartcard login is also "cached" to enable this ability, but I'd like to be able to reference some definitive documentation to that effect.

Thanks,
Tariq
Guest David H. Lipman Posted November 23, 2008

From: "Tariq" <Tariq@discussions.microsoft.com>

If the user uses cryptographic logons when connected to the Domain then their credentials from their smart card will also be cached. When off LAN and not connected to the Domain controller they will still be able to use their respective Smart Cards to logon to their notebook using their cached credentials.

If you are not enforcing cryptographic logons and the user can logon with a Domain Name and password as well as by using their Smart Card then you must make sure that the user does BOTH kinds of logons prior to going off LAN. This will ensure that all their credentials will be cached and they can login with their Domain Name and password as well as by using their Smart Card when off LAN.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Brian Komar Posted November 23, 2008

One correction. When working with Windows XP, the client can only cache one of:
- username/password logon
- smart card logon
Whatever one they did last when connected to the network will be cached.

If they are using Vista, then both the username/password and smartcard logon will be cached, allowing either authentication method when not connected to the network (as long as they logged on at least once while connected with each authentication method).

Brian

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:O841NubTJHA.6028@TK2MSFTNGP02.phx.gbl...
Guest David H. Lipman Posted November 23, 2008

From: "Brian Komar" <brian.komar@nospam.identit.ca>

Thanx for the correction.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Tariq Posted November 24, 2008

We're using XP for the client OS. Our expectation is to force/lock the client machine to require a valid smartcard for login, so no logins with regular AD credentials. The "smartcard cached login" ability is music to my ears - can you point me to some documentation that explains how this works? How long is the cache good for, etc.

Some more related smartcard questions:

-) I had been considering publishing the CDP/AIA information to a public website as a stopgap should our travelling laptop clients need to access that info - any recommendations as to whether this should be done or not?

-) Any recommendations as to CDP publish timing? We'll be using smartcards for both laptop login as well as thin-client based Citrix login access - opinions on how often the CRLs should be published/updated?

-) Should the enrollment station be a dedicated/physically secured machine (a la "behind a locked door") or can/should it be associated with a security officer's computer? We're going to have a single security officer at the site where the smartcards will be deployed - our expectation is that the officer will be responsible for the operational support of the smartcards - new issues, revocation, etc. This security officer will be one of the users with a laptop and a smartcard required for login. I'm leaning towards the dedicated/physically secured machine, but the trade-off then is that there would be no one to provide local smartcard support when the officer is travelling/working from home, etc.

-) Anyone have any CPS templates for me to work off of?

Thanks,
Tariq
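An added example, not code from the thread or any of its participants, for auditing the two client settings Tariq's question turns on: whether a smart card is mandatory for interactive logon and how many logons the client caches for use when no domain controller is reachable. It assumes PowerShell on the client with rights to read HKLM; the Winlogon value names are the registry backing of the Group Policy settings "Interactive logon: Require smart card" and "Interactive logon: Number of previous logons to cache". It reads policy only and cannot tell which credential type an XP client last cached, which is the point Brian raises above.

```powershell
# Added example, not code from the thread. Reads the Winlogon values behind
# "Interactive logon: Require smart card" (ScForceOption, REG_DWORD) and
# "Interactive logon: Number of previous logons to cache" (CachedLogonsCount,
# REG_SZ) and flags the combination that would lock a travelling user out.
# Written with PowerShell 2.0 syntax so it also runs on the XP clients discussed.

function Get-SmartCardLogonPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    # An absent value means the Windows default applies: 10 cached logons,
    # smart card not required.
    $cached = 10
    if ($null -ne $props.CachedLogonsCount) { $cached = [int]$props.CachedLogonsCount }
    $force = 0
    if ($null -ne $props.ScForceOption) { $force = [int]$props.ScForceOption }

    $finding = 'OK: smart card enforced and logons cached for offline use'
    if ($force -eq 1 -and $cached -eq 0) {
        # Mandatory smart card plus no cached logons: the laptop cannot be
        # logged on to at all while disconnected from the domain.
        $finding = 'Smart card required but cached logons disabled: no offline logon possible'
    } elseif ($force -ne 1) {
        $finding = 'Smart card not enforced: password logon still accepted on this client'
    }

    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        SmartCardRequired = ($force -eq 1)
        CachedLogonsCount = $cached
        Finding           = $finding
    }
}

Get-SmartCardLogonPolicy | Format-List
```

Run it on a sample of the smartcard laptops before they leave the LAN; the Finding field is meant to be collected centrally so a client with caching disabled is caught before a user travels.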
Guest Brian Komar Posted November 24, 2008

Some answers inline...

"Tariq" <Tariq@discussions.microsoft.com> wrote in message news:85B10BC7-7482-4D7F-802F-731E0D704EDF@microsoft.com...

> We're using XP for the client OS. Our expectation is to force/lock the client machine to require a valid smartcard for login, so no logins with regular AD credentials. The "smartcard cached login" ability is music to my ears - can you point me to some documentation that explains how this works? How long is the cache good for, etc.
>
> Some more related smartcard questions:
>
> -) I had been considering publishing the CDP/AIA information to a public website as a stopgap should our travelling laptop clients need to access that info - any recommendations as to whether this should be done or not?

This is a best practice.

> -) Any recommendations as to CDP publish timing? We'll be using smartcards for both laptop login as well as thin-client based Citrix login access - opinions on how often the CRLs should be published/updated?

Not enough information. You can only decide this by looking at your full requirements (technical, policy), what is written in your CP/CPS, etc. A simple answer does not take in all of the facts.

> -) Should the enrollment station be a dedicated/physically secured machine (a la "behind a locked door") or can/should it be associated with a security officer's computer? We're going to have a single security officer at the site where the smartcards will be deployed - our expectation is that the officer will be responsible for the operational support of the smartcards - new issues, revocation, etc. This security officer will be one of the users with a laptop and a smartcard required for login. I'm leaning towards the dedicated/physically secured machine, but the trade-off then is that there would be no one to provide local smartcard support when the officer is travelling/working from home, etc.

Again, need design requirements.

> -) Anyone have any CPS templates for me to work off of?

Drop me a line at my email address to discuss.