
Thursday, July 14, 2011

Configuring Smart Card Removal Behaviour

Companies deploying Smart Cards for smart card logon (SCLO) want to control what happens when a user removes their Smart Card or token from the computer.  You have four options:
  1. Do nothing (default)
  2. Lock workstation
  3. Force Log-off
  4. Disconnect if a Remote Desktop Services connection.
All companies I work with want the workstation to Lock.  Here is how to configure it.

Microsoft changed the way Smart Card removal is handled beginning with Windows Vista, so this applies to Windows 7 as well.  Removal is now enforced by a "Smart Card Removal Policy" service (SCPolicySvc) that must be running for any of the four options to take effect; if it is stopped, the policy setting is simply ignored and nothing happens on removal.  By default this service is configured to start manually.  To test this locally, open the Services console (services.msc), find the "Smart Card Removal Policy" service, change the startup type to "Automatic", and start the service.


Next, modify the Local Group Policy for your computer.
  • Open gpedit.msc
  • Expand Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options.
  • Edit the "Interactive logon: Smart card removal behavior" policy to perform the desired action.

That is all there is to it!  To roll it out, put the same two settings in a domain Group Policy Object: the "Interactive logon: Smart card removal behavior" option under Security Options, and the startup type of the "Smart Card Removal Policy" service under Computer Configuration --> Windows Settings --> Security Settings --> System Services, so the service is set to Automatic on every workstation.
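The same configuration done from an elevated PowerShell prompt, as an added example that is not part of the original post.  It assumes the service's short name is SCPolicySvc and writes the ScRemoveOption registry value that the Security Options policy maps to; a domain GPO will rewrite that value at the next policy refresh, so this is for local testing, not deployment.

```powershell
# Added example (not from the original post): configure smart card removal
# behaviour locally and verify it. Run in an elevated PowerShell prompt.

# 1. The Smart Card Removal Policy service (SCPolicySvc) must be running,
#    otherwise the ScRemoveOption setting below is silently ignored.
Set-Service -Name SCPolicySvc -StartupType Automatic
Start-Service -Name SCPolicySvc

# 2. "Interactive logon: Smart card removal behavior" is stored as a REG_SZ
#    under Winlogon. Values: 0 = no action, 1 = lock workstation,
#    2 = force logoff, 3 = disconnect Remote Desktop Services session.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name ScRemoveOption -Value '1' -Type String

# 3. Verify both halves: the service is running and set to Automatic, and the
#    option is "1" (lock). Win32_Service is used for StartMode so this also
#    works on the PowerShell 2.0 that ships with Windows 7.
$svc  = Get-WmiObject Win32_Service -Filter "Name='SCPolicySvc'"
$opt  = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption).ScRemoveOption
"SCPolicySvc: state={0} startmode={1}" -f $svc.State, $svc.StartMode
"ScRemoveOption: $opt"

if ($svc.State -ne 'Running' -or $svc.StartMode -ne 'Auto' -or $opt -ne '1') {
    Write-Warning 'Smart card removal will NOT lock this workstation.'
}
```

Pull the card after running this: the session should lock within a second or two.  If it does not, the service is the usual culprit, not the policy.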

Tuesday, July 12, 2011

Why don't you try Symantec's Managed PKI?

Every day I help companies to deploy certificates across their Enterprises for use by users, devices and applications.  The #1 application for certificates is for securing mobile devices accessing internal company resources.

If you're looking for a PKI, and you don't have the time to figure out how to install and run one yourself, you should have a look at Symantec's cloud based PKI service.  It is a fast and easy way to get up and running with a fully functional PKI for all of your needs.  Whether you need certificates for DirectAccess, 802.1x, SCOM/SCCM, or for your mobile devices - we can do it all.

Symantec offers a free Test Drive that allows you to try the service yourself.  Sign up and give it a try.  If you have questions - don't hesitate to contact me.

Domain Controller Certificates for Win2K8 R2

I thought I would highlight the requirements for Domain Controller certificates issued by a Symantec (third-party) PKI to Windows 2008 R2 domain controllers for smart card logon (SCLO).


If the certificate doesn't contain the necessary OIDs, the KDC will not use it for smart card logon and you will see Kerberos-Key-Distribution-Center Event ID 29 and Event ID 19 errors in the System event log on the domain controller.


You require the following in the certificate:

EKU OIDs:
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
KDC Authentication (1.3.6.1.5.2.3.5)
Smart Card Logon (1.3.6.1.4.1.311.20.2.2)

Certificate Template Name extension:
DomainController

KU:
Key Encipherment
Digital Signature
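An added check script, not from the original post or the Microsoft article it cites, that audits every certificate in the domain controller's machine store against the four EKU OIDs, the two key usages and the DomainController template name listed above.  The OIDs are the ones given above; the one assumption is that the template name extension's Format() output contains the template name as text (if it does not on your build, inspect that extension with certutil -dump instead).

```powershell
# Added example (not from the original post): audit Cert:\LocalMachine\My on
# a Windows 2008 R2 DC for a certificate that satisfies the smart card logon
# requirements. Run in an elevated prompt on the DC.

$requiredEku = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
}
$templateNameOid = '1.3.6.1.4.1.311.20.2'   # "Certificate Template Name" extension
$requiredKu = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags] 'DigitalSignature, KeyEncipherment'

function Test-DcCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $problems = @()

    # EKU: all four OIDs must be present. A certificate with no EKU
    # extension at all fails all four checks, which is what we want.
    $present = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $present += ($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    foreach ($oid in $requiredEku.Keys) {
        if ($present -notcontains $oid) { $problems += "missing EKU $oid ($($requiredEku[$oid]))" }
    }

    # KU: Digital Signature and Key Encipherment must both be asserted
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1
    if (-not $ku -or (($ku.KeyUsages -band $requiredKu) -ne $requiredKu)) {
        $have = if ($ku) { $ku.KeyUsages } else { 'absent' }
        $problems += "key usage is '$have', need DigitalSignature + KeyEncipherment"
    }

    # Template name extension must carry the DomainController template name.
    # Assumption: Format() renders the BMPString value as readable text.
    $tmpl = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $templateNameOid } | Select-Object -First 1
    if (-not $tmpl -or $tmpl.Format($false) -notmatch 'DomainController') {
        $problems += "certificate template name extension missing or not 'DomainController'"
    }

    # The KDC cannot sign PKINIT responses without the private key
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the store' }

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-DcCertificate -Cert $_ } |
    Format-Table Usable, Subject, NotAfter, Problems -AutoSize
```

If no row shows Usable = True, the Event ID 29/19 errors above are expected; the Problems column tells you which OID or key usage to add to the Symantec profile before re-enrolling the DC.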


The source for this post is a Microsoft blog entry here:
http://blogs.technet.com/b/instan/archive/2011/05/17/smartcard-logon-using-certificates-from-a-3rd-party-on-a-domain-controller-and-kdc-event-id-29.aspx


Finding this information is hard, so hopefully this blog will serve as an additional source for it.