In this blog post, I will be sharing with you random thoughts and tips when dealing with smart cards.
Smart cards in Safe Mode
Smart cards in Safe Mode is an interesting topic to me personally, as I was in a situation where my Windows installation was in Safe Mode, and I was wondering what is supported in such an environment. There is not much to say but to list those operations.
Cache Credentials and smart cards
Cached credentials in Windows are useful if you want to log on to your machine while you have no domain controller connectivity. You can use Group Policy to turn this feature on or off and to determine how many accounts to cache.
If Bob has a smart card and he logs on twice, once as domain\bob with his password and once with his smart card and PIN, he will have 2 entries in the cached logon list. So he can go home (offline) and log on with either his username and password or his smart card.
Likewise, if the same user Bob has 2 smart cards and he logs on with SC1 and then SC2, SC2 will be the only card he can use to log on with cached credentials, because its cached logon data overwrites the data cached for SC1 (most times).
This scenario has come up where the security team issues 2 cards, one as a spare in case the user leaves the other at home or at work. He logs on at work with SC1 and, when he gets home, expects to still benefit from cached credentials via SC2. Because of the way logon information is cached, the certificate on the second smart card must be issued by a different issuing certification authority (CA). If a different CA is not used, the last smart card that the user used online is the only smart card that can be used to log on while offline.
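The cached-logon behaviour above only applies when caching is enabled at all, and whether offline smart card logon works at home depends on how many logons the machine keeps. The following PowerShell is an added example, not code from the original post: it reads the well-known Winlogon registry value (CachedLogonsCount) that the "Interactive logon: Number of previous logons to cache" policy writes, and reports whether offline logon with either credential type is possible on this machine. The default of 10 when the value is absent is the documented Windows default; the interpretation messages are my own.

```powershell
# Added example (not from the original post): audit the cached-logon setting.
# CachedLogonsCount under the Winlogon key is the value the Group Policy setting
# "Interactive logon: Number of previous logons to cache" writes (stored as REG_SZ).
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonPolicy {
    $item = Get-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: Windows falls back to its default of 10 cached logons.
        return [pscustomobject]@{ Configured = $false; Count = 10; Source = 'default (value not set)' }
    }
    return [pscustomobject]@{ Configured = $true; Count = [int]$item.CachedLogonsCount; Source = $WinlogonKey }
}

function Test-OfflineLogonCapability {
    $policy = Get-CachedLogonPolicy
    # One cached entry is consumed per distinct credential (password logon and each
    # smart card logon count separately), so a count of 1 can silently break the
    # "two credentials for one user" expectation described in the post.
    $assessment = switch ($policy.Count) {
        0       { 'Caching disabled: no offline logon at all, with password or smart card.' }
        1       { 'Only the most recent logon is cached: the last credential used online wins.' }
        default { "Up to $($policy.Count) logons cached: password and smart card entries can coexist." }
    }
    [pscustomobject]@{
        CachedLogonsCount = $policy.Count
        Configured        = $policy.Configured
        Source            = $policy.Source
        Assessment        = $assessment
    }
}

Test-OfflineLogonCapability | Format-List
```

Run this in an elevated prompt on the workstation in question; when a user reports that only one of two issued cards works offline, confirming the count here first avoids chasing the CA explanation unnecessarily.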
Root certificate propagation service
Certificate Propagation Service is a critical service that starts when a logged-on user inserts a smart card into a reader attached to the computer. This action causes the certificates to be read from the smart card; they are then added to the user's Personal store. The service also allows smart cards to supply trustworthy root certificates which, among other uses, can be used as a method of logon. The Windows smart card framework requires that the following critical services are running when a smart card is inserted in the reader:
- Certificate Propagation service
- Smart Card service
Root certificate propagation is responsible for specific smart card deployment scenarios where public key infrastructure (PKI) trust has not yet been established, such as:
- Joining the domain
- Accessing a network remotely
In both cases, the computer is not joined to a domain, and trust is not being managed by Group Policy. However, the objective is to authenticate to a remote server, such as the domain controller or the RADIUS server. Root certificate propagation provides the ability to use the smart card to supply the missing trust chain.
On smart card insertion, the certificate propagation service propagates any root certificates on the card to the trusted smart card root computer certificate stores. This process establishes a trust relationship with the enterprise. You may also use a subsequent cleanup action when the user's smart card is removed from the reader, or when the user logs off.
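Because propagation depends on the two services listed above being up, and because it writes root certificates into a machine-wide store, a defender will want to check both. The PowerShell below is an added example, not code from the original post, covering the service list and the propagation step together: it verifies the Certificate Propagation and Smart Card services (their real service names are CertPropSvc and SCardSvr) and lists what has been propagated so an unexpected root is easy to spot. The certificate store path Cert:\LocalMachine\SmartCardRoot is assumed here to be the computer's smart card trusted roots store that the post refers to.

```powershell
# Added example (not from the original post). CertPropSvc and SCardSvr are the
# Windows service names of the two services the post lists; the store path
# Cert:\LocalMachine\SmartCardRoot is an assumption for the smart card root store.
$RequiredServices = @{
    'CertPropSvc' = 'Certificate Propagation'
    'SCardSvr'    = 'Smart Card'
}

function Test-SmartCardServices {
    # Emits one row per required service: present/absent, current state, start type.
    foreach ($name in $RequiredServices.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status    = if ($null -ne $svc) { [string]$svc.Status }    else { 'missing' }
        $startType = if ($null -ne $svc) { [string]$svc.StartType } else { 'n/a' }
        [pscustomobject]@{
            Service   = $RequiredServices[$name]
            Name      = $name
            Present   = ($null -ne $svc)
            Status    = $status
            StartType = $startType
        }
    }
}

function Get-PropagatedSmartCardRoots {
    # Roots propagated from inserted cards land in this machine store (assumed path).
    # Subject and thumbprint are enough to compare against the enterprise's known CAs.
    Get-ChildItem -Path 'Cert:\LocalMachine\SmartCardRoot' -ErrorAction SilentlyContinue |
        Select-Object Subject, Issuer, Thumbprint, NotBefore, NotAfter
}

$services = Test-SmartCardServices
$services | Format-Table -AutoSize
$stopped = $services | Where-Object { $_.Status -ne 'Running' }
if ($stopped) {
    "Smart card insertion will not propagate certificates: $($stopped.Name -join ', ') not running."
}

$roots = Get-PropagatedSmartCardRoots
if (-not $roots) {
    'No root certificates have been propagated from a smart card on this machine.'
} else {
    $roots | Format-Table -AutoSize
}
```

The store listing is the part worth keeping an eye on: any root that does not match a CA your PKI team recognises was supplied by a card that was inserted into this machine, and the cleanup action mentioned above is what removes it again on card removal or logoff.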