The Win7 account log on and Smart Card log on behavior problem
Hi,
I have a question about Windows account logon and smart card logon on Windows 7.
I created one Windows account and one smart card account for user logon.
If I log on with smart card -> enter OS -> remove smart card or smart card reader -> screen is locked and back to log in page. This behavior is fine.
If I log on using Windows account -> insert smart card -> remove the smart card -> screen is locked.
But if I log on using Windows account -> insert smart card -> remove the smart card reader -> screen will not lock.
How can I solve this issue?
July 6th, 2012 3:10pm
Hi,
I would like to discuss this issue with you based on my research and knowledge.
1. If you log on with smart card -> enter OS -> remove smart card or smart card reader -> screen is locked and back to log in page.
The system verifies the credential via the Smart Card. In this authentication mechanism, when the card is removed, certificates in the temporary secure cache store are removed. The certificates are no longer available for logon, but they remain in the user's certificate store (MYSTORE). You may refer to this.
Certificate Enumeration
This behavior occurs because the Group Policy setting Interactive logon: Smart card removal behavior has been set to Lock Workstation. You can refer to this.
Smart Card Group Policy and Registry Settings
Please note that it requires the Smart Card Removal Policy service to be started.
2. If you log on using Windows account -> insert smart card -> remove the smart card -> screen locked.
As I mentioned above, the system recognizes the Smart Card has been removed. It meets the condition of Interactive logon: Smart card removal behavior. As a result, the system locks automatically.
3. If you log on using Windows account -> insert smart card -> remove the smart card reader -> screen will not lock.
In my opinion, the system should recognize the device has been unplugged instead of the Smart Card being removed. Because the system verifies the credential in the traditional way, the removal of the Smart Card certificates from the temporary secure cache store should not affect the currently logged-on account.
Kim Zhou
TechNet Community Support
July 9th, 2012 5:56am
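The reply above names two prerequisites for lock-on-removal: the Interactive logon: Smart card removal behavior policy and the Smart Card Removal Policy service. The following PowerShell check audits both on a workstation; it is an added example, not part of the original thread. The registry value ScRemoveOption and the service name SCPolicySvc do not appear in the thread (they are the standard Windows names behind that policy and service), and Get-ScRemovalAudit is a hypothetical helper name.

```powershell
# Added example (not from the thread). Audits the two prerequisites for
# locking the workstation when a smart card is removed.
# Assumptions: ScRemoveOption under the Winlogon key backs the policy
# "Interactive logon: Smart card removal behavior"; SCPolicySvc is the
# "Smart Card Removal Policy" service. Get-WmiObject is used so the check
# also runs on the PowerShell 2.0 that ships with Windows 7.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Actions = @{
    '0' = 'No Action'
    '1' = 'Lock Workstation'
    '2' = 'Force Logoff'
    '3' = 'Disconnect if a Remote Desktop Services session'
}

function Get-ScRemovalAudit {
    # Read the policy value; a missing value means the policy is not set.
    $prop = Get-ItemProperty -Path $WinlogonKey -Name ScRemoveOption `
                             -ErrorAction SilentlyContinue
    $raw = if ($prop) { [string]$prop.ScRemoveOption } else { '0' }
    $action = if ($Actions.ContainsKey($raw)) { $Actions[$raw] } else { "Unknown ($raw)" }

    # Read the service state and start mode; $svc is $null if it is absent.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='SCPolicySvc'"
    $state = if ($svc) { $svc.State } else { 'NotInstalled' }
    $startMode = if ($svc) { $svc.StartMode } else { 'n/a' }

    New-Object PSObject -Property @{
        PolicyValue        = $raw
        PolicyAction       = $action
        ServiceState       = $state
        ServiceStartMode   = $startMode
        # Both conditions from the reply must hold for the lock to fire.
        LocksOnCardRemoval = ($raw -eq '1' -and $state -eq 'Running')
    }
}

Get-ScRemovalAudit | Format-List
```

If LocksOnCardRemoval is False, PolicyAction and ServiceState show which of the two prerequisites is missing.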
Hi Kim,
Thanks very much for your reply.
So, the smart card certificates are removed if the reader is unplugged.
Is there a way to lock the currently logged-on account if I remove the reader?
July 11th, 2012 11:26am
Hi,
Based on my research, we may not be able to achieve it on Microsoft site.
Kim Zhou
TechNet Community Support
July 13th, 2012 9:43pm