
My customer is planning to introduce a new policy regarding smart card removal in their Windows environment, most probably session break since it's a Citrix environment (Microsoft documentation on the policy).

I've provided them with a third party PKI and a smart card management system where end users have access to the portal in which they can check the status of their credentials, change PIN and renew their card when needed.

Users are using smart cards to authenticate in the system.

When an end user is using the renewal process, his smart card is formatted (completely zeroized) before it is re-encoded and the new/recovered certificates are placed on it. Hence my question: is this renewal going to trigger the card removal policy? Or does that only happen when the card is physically removed from the reader?

nethero
  • Do you use the token also to log in to the system? Because I'm not sure the policy will apply in other conditions. – AtomiX84 Jan 15 '19 at 12:32
  • Users have smart cards with an authentication certificate on them. They use them for login on the systems. Tokens are zeroized during renewal. Is that going to trigger the lockout? – nethero Jan 15 '19 at 13:06

1 Answer


Yes, it will work. The MS authentication process reads the subject alternative name to verify that the user matches in AD, and also verifies that the certificate is not revoked, but once the user is logged in with the certificate the removal policy will always apply when the smart card is removed; it does not matter that the certificate changes over time. We had an authentication system with third-party certificates and we used a manual, but otherwise the same, process to install new certs on the token/smart card; we zeroed them, and all worked nominally.

AtomiX84
  • Imagine a situation. I log onto a machine that has the removal policy enabled. During this session I zeroize the card (the token used to authenticate) while it is in the reader, without physically removing the card. Would that trigger the removal policy? I'm predicting that the card is temporarily gone from the system (like when you are formatting a drive). – nethero Jan 15 '19 at 14:52
  • During the renewal process, does Windows stop seeing the smart card? If yes, the lock policy will probably act. The best solution I can offer is to apply the policy on a test OU with one computer and try it out; this particular aspect never came up in the environment I described because the renewal process was not self-service. I'm sorry I could not give you a more specific answer. – AtomiX84 Jan 15 '19 at 15:26
  • That is basically my question. When you format a hard drive it disappears for a little while. I would predict the same behavior with a smart card. – nethero Jan 15 '19 at 15:42
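As an added example (not from either poster), a PowerShell check for the test machine the answer suggests: it reads the policy setting behind "Interactive logon: Smart card removal behavior", confirms the enforcing service is running, and lists the lock/logoff/disconnect Security events logged during the renewal window, so a test renewal with the card left in the reader shows directly whether the policy fired. The registry value, service name and event IDs are standard Windows ones; it assumes the "Audit Other Logon/Logoff Events" subcategory is enabled on the test machine so that lock and disconnect events are actually written.

```powershell
# Added example: verify smart card removal policy state and look for its effects
# in a given time window (run on the test machine after a trial renewal).
param(
    [datetime]$WindowStart = (Get-Date).AddMinutes(-15),
    [datetime]$WindowEnd   = (Get-Date)
)

# ScRemoveOption is the value behind the removal policy:
# 0 = no action, 1 = lock workstation, 2 = force logoff, 3 = disconnect remote session.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$option = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
if ($null -eq $option) { $option = '0' }   # an absent value behaves like "No action"
$meaning = @{ '0' = 'No action'; '1' = 'Lock workstation'; '2' = 'Force logoff'; '3' = 'Disconnect remote session' }
"ScRemoveOption = $option ($($meaning[[string]$option]))"

# The policy is enforced by the Smart Card Removal Policy service (ScPolicySvc);
# if it is stopped, neither a physical removal nor a re-encoding will do anything.
$svc = Get-Service -Name ScPolicySvc
"ScPolicySvc status: $($svc.Status) (start type: $($svc.StartType))"

# Security events the three enforcement actions leave behind (assumes the
# "Other Logon/Logoff Events" audit subcategory is enabled for 4800/4779):
# 4800 workstation locked, 4634/4647 logoff, 4779 session disconnected.
$filter = @{ LogName = 'Security'; Id = 4800, 4634, 4647, 4779; StartTime = $WindowStart; EndTime = $WindowEnd }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    "No lock/logoff/disconnect events between $WindowStart and $WindowEnd"
} else {
    $events |
        Select-Object TimeCreated, Id, @{ n = 'Action'; e = {
            switch ($_.Id) { 4800 { 'Locked' } 4634 { 'Logged off' } 4647 { 'Logged off' } 4779 { 'Disconnected' } } } } |
        Sort-Object TimeCreated | Format-Table -AutoSize
}
```

Run it with `-WindowStart`/`-WindowEnd` bracketing the moment the card was zeroized and re-encoded; an event inside that window while the card never left the reader answers the question for that Windows build and middleware.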