Smart Card login screen authentication

Apple don't seem to have updated their documentation on this subject since way back in the Mac OS X Tiger days!
I would like to have a setup where a user can walk up to a Mac (which is at the login screen), wave an RFID card over a reader connected to that Mac and be able to then log in to that Mac. If it is necessary for a PIN/password to also be entered that might be acceptable. Similarly, if the screensaver activates during their login session, waving their RFID card again over the reader should unlock the screensaver.
An alternative scenario would be a Mac with a guest login account enabled, and then wanting to use the same card reader to authenticate when requested to a proxy server in order to gain network access.
The cards, to make it clear, would be RFID based, not magstripe or chip-and-pin. There are suitable USB readers like this one:
http://www.ers-online.co.uk/o5651/cardman5021-cl-omnikey-omnikey-5021-cl-contactless-smart-card-reader

Hi Robert Gauthney,
Could you offer more information about your issue? I found a similar scenario to your issue; if it matches your environment please refer to the following KB to fix it, and if it does not match your scenario please give us more information, such as an error screenshot or related Windows event information:
Smart card authentication does not work when you use VDI and RD Gateway for RDC client in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2548538/EN-US
I’m glad to be of help to you!
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Similar Messages

  • Cisco ISE Guest portal - smart card login

    Does anyone know if Cisco ISE support smart card login to the guest portal page?                    

    No it doesn't. You can test the same while editing the wireless SSID profile, opting for an authentication method of smart card other than PEAP/EAP.

  • TACACS+ and Smart Card login

    We are currently using Cisco ACS 5.3 integrated with Active Directory for authentication to our Cisco devices. We are looking to move to smart card logins and trying to find out if this is possible to authenticate to the console/ssh on the router/switch using a smart card.

    Direct smart card authentication is not supported for vty / console sessions on IOS. However, via TACACS+ to an AAA server (e.g. Cisco ACS) you can turn it to use a two-factor-based external authentication store. Even if the smart card gets the PKI cert of some kind to the client PC and then to the terminal emulator like PuTTY or SecureCRT, AAA with TACACS+ would not be possible, as TACACS+ is not capable of encapsulating any kind of PKI.
    Jatin Katyal
    - Do rate helpful posts -

  • How to configure smart card login in sunray 2fs??

    Hi all,
    Please help me to configure smart card login using Sun Ray Server Software 4.0... How do I assign a smart card to a particular user? Do I need to flash the smart card with user information, or does any other method exist?

    I'm not sure what you know or don't know about this so I'll give you what I know:
    1. Create a token reader and a token
    * Plug in a Sun Ray DTU/client
    * Check the MAC address of the Sun Ray you just plugged in
    * Access the Sun Ray admin GUI
    * Choose the 'Desktop Units' tab
    * See if your Sun Ray DTU is listed (if it isn't listed you have Sun Ray Server configuration issues...)
    * If it is listed click the identifier
    * Check the status of the DTU to see if this particular unit is already a token reader (normally it is not, i.e. by default a Sun Ray DTU is not)
    * Click 'Edit'
    * Check 'Token Reader'
    * Click 'OK'
    * /opt/SUNWut/sbin/utrestart (I'm not sure if a warm restart is OK or a hard restart is necessary)
    Now insert a shiny new Java card into your token reader's slot
    * In the Sun Ray admin GUI choose the 'Tokens' tab
    * Search for currently used tokens
    * You should see a token identifier such as 'Payflex.blah' under your desktop unit (i.e. the token reader)
    * Click the token identifier and click 'Edit'
    * Assign a username (i.e. Unix username) to the token under 'Owner'
    * Click 'OK' and remove the smart card from the token reader
    2. Assign the Token
    * Insert your smart card from step 1 into the token reader
    * In the Sun Ray GUI click 'Tokens' and 'New'
    * Under 'Identifier' you should see 'Read Identifier from Token Reader' checked
    * Click 'Read Token'
    * Assign an owner (i.e. Unix user account) and a session type (Kiosk or Regular)
    * Click 'OK'
    Item 2 from the notes I used for this looks a lot like item 1, so I can't say that it is strictly necessary.
    I don't have a Sun Ray Server accessible to me at the moment to confirm but this procedure should help I hope.

  • Smart card login

    Hi Guys,
    I have just enabled smart card login to my mac but want to disable the password login option (i.e. I can login with smart card but if I don't plugin the card reader/card, I am prompted for password login). How can I enforce smart card only login?
    Many Thanks
    Michael

    Are you getting all user icons, plus the smartcard icon, or just the smartcard icon and "Other..." ?
    If the latter, then disable root user (which displays the "Other..." prompt on the login window, even if smartcards login is enabled).

  • Smart card login and sparsebundle password

    Hi,
    I am using a PIV profiled card to login to my mac. I am using Snow Leopard 10.6.2 and have successfully used the card to login to the machine and do signed and encrypted emails. Every login I get prompted after smart card login for the password for my sparsebundle (I had been using filevault prior to introducing the card) and even though I tick the "save password" option I still am prompted on each login. Does anyone know if there is any way to associate my smartcard login with an existing sparsebundle? Also, is there any way to force the machine to use a smart card login only (i.e. remove the password option)?
    Many thanks
    Michael

    I'm guessing that since you are not entering a password, the sparse bundle is not being unlocked. I don't know of a way to tie it to the smart card login. It sounds similar to when you put a different password on your default keychain. It won't unlock on login because you are not entering its password.

  • Smart Card login for ordinary folk

    Hi,
    I used to use the OpenSC project for Smart Card login, but I believe that with changes in OS X 10.8 it's no longer an option.
    What affordable solutions are there for genuine Smart Card login for OS X 10.8?  YubiKey doesn't support anything more than entering a static password pre-stored on the device, and when I last tried Rohos it was abysmal.


  • Disabling normal login and only using smart card login?

    I've managed to set up login using BELPIC (the Belgian identity smart card). However, I can still log in using username/password. Is it possible to restrict the system to only using smart card login? (Maybe via tweaking the authorize file?)
    Thanks

    The problem isn't with the provider part of the code - it has to do with security privileges. Java code running from the command line has full access to the file system. Servlets running inside a container do not.
    In order to access cryptographic keystores, the JVM must allow the servlet code to access local files (and through them, the device drivers to the crypto token). Servlet code running inside a web/application server container is, by design, restricted in its ability to access local files on the servlet container machine (other than configuration files and application code under the servlet context root).
    In order to continue with my project, I had to temporarily provide the servlet full access to the machine's file system in the java.policy file for your JVM, along the lines of the following:
    grant {
        // grant the servlet the right to retrieve the signer private key from the PKCS#11 provider
        permission java.security.SecurityPermission "authProvider.SunPKCS11-NSS", "getSignerPrivateKey";
    };
    I hope to go back and restrict this access so that only the specific security grants are available to the servlet to access the private key (the above is too lenient).
    You will need to do something similar to your JVM's java.policy to allow the servlet to access the private key. Substitute the "authProvider.SunPKCS11-NSS" with the driver for your own token.

  • Issues regarding Smart Card login inside domain and on SmartPhones

    Hi
    I am planning to implement login at my domain ONLY with smart card.
    I saw I have some options for how to do it: one with a GPO that covers all the computers (or some computers with defined groups),
    or I can check the "smart card is required ..." box. This could be the easy way, but when I check this box
    the users with smartphones can no longer authenticate with them to get emails, and OWA is also not available for them.
    Is there any solution so the users will have to log in with a smart card and still get emails on their smartphones?
    thanks
    TK


  • FileVault plus Smart Card Login

    I was wondering if there is any way to use FileVault when using a smart card to log into an account on Mac OS X?


  • Ever since i plugged my CAC card in, every admin action i take forces the "Insert Smart Card" authorization screen

    For months now, I keep getting told to plug in a smart card every time I want to download a game, update a program, or just change settings to my user account. It also keeps telling me my PIN to my CAC is wrong, but I KNOW my PIN still works. I am still able to log in on all of my Army sites and use those sites without problems. How do I switch it back? Why is it telling me my PIN is wrong?

    Hi,
    Would you please let me know if your account associated with your CAC card is a domain account?
    Have you tried to contact the domain admin to reset the permission on CAC card to check the issue?
    In addition, if the permission for this card is set correctly after confirmation, I would like to know if this issue just happened recently.
    If so, you can try to boot into safe mode with local administrator or built-in admin and perform the system restore to see if this issue can be fixed.
    Kate Li
    TechNet Community Support

  • Windows 7 Smart Card Logon

    Hi,
    Testing PKI with Windows 7 x64 under a (otherwise) working public key infrastructure (Windows 2008 CA) using Smart Card certificates based on V2 templates. I've enrolled an AD user successfully with a smartcard and validating the cert it looks all ok (via certutil -scinfo). For all intents and purposes the smart card appears ok but when I try to logon with the user and the smartcard inserted in the machine, I get the following error message:
    "The system could not log you on. You cannot use a smart card to log on because smart card login is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."
    Kind of weird message :-/ The smart card reader is in-built on a Dell E6400 ATG... the smart card itself is a Gemalto .NET based card. I've validated that the cert is correctly written to the card via the netsolutions site at Gemalto ... Windows 7 reads the smart card and the user ID correctly from the GUI Logon screen ... it's only when I enter the PIN and it attempts to logon do I get the above message....
    Is there anything "special" I need to do in Windows 7 or in group policy to enable smart card support?? This has worked fine in the past on XP....
    Both the smart card service and the certificate propagation service are running...
    Regards,
    Mylo

    Stigh,
    OK..... I've got it working with Windows 7 on the 6400 together with the Mobile Internet Broadband using domain-based interactive logon.... so the pressure's off at least at this end :-)
    "I actually disagree."
    I can see you're healthily motivated to fix the problem.. which is good :-)
    "As long as there is a EKU in the certificate, it should work for local logon."
    Agreed (kind of).. although in your case the common name (the username) is the key identifier for logon purposes..  a UPN in this case is moot as there is no domain to speak of.... I'm assuming the Smart Card Login OID is present in your certificate template together with Client Authentication, and that the purpose is set to "Signature and Smartcard Logon".. I'm working with V2 templates at the mo...
    "In GPedit, under Computer Configuration-Windows Components-Smart Card there are policies to disable certain parameters. I need to read more on those."
    In my case I haven't tweaked any settings via GPO... to resolve the problem described earlier I ended adding the AMT HECI driver for the chipset and the Broadcom drivers from the Connection Manager packs.... I suspect it was the latter that was the problem. Again I haven't installed any Dell Connection Manager software so I'm relying purely on drivers.
    "Btw; Dell SmartCard is not available for shopping in Norway where I'm located; so I can not enroll any cards through Controlpoint/Wave manager. My Gemalto.NET card is purchased from a local store"
    The Gemalto drivers from Windows 7 RTM worked ok for me.
    "The reason for using the laptop as stand alone outside domain is that it's "never" connected locally to any wired network, and there is no reason for it to be a member of the domain."
    OK, but here's where I disagree :-) .. the machine in question will need to connect back to your Enterprise CA certificate distribution point (CDP) to check that the certificate is valid. That's part of basic PKI functionality to ensure certificates are valid. In your case, you'll need an HTTP-based CDP reachable from the local machine, i.e. reachable over a LAN or over the Internet from the "stand-alone" machine, as default LDAP CDPs are meaningless as your client is not domain-joined. Otherwise, you'll need to turn off certificate revocation checking on the local machine completely, which is diluting security even further.
    "It's only connecting through RDP and for Outlook (Exchange 2007). Here I use the certificate for RDP logon and for signing/encrypting emails."
    I was slightly confused here.. so you don't intend to use the smartcard for local logon? If this is the case this is a workable scenario. You can use a smartcard from a non-domain joined machine to connect for RDP logon. S/MIME is also possible from Outlook, but YMMV as you may run into trust issues when sending encrypted mails to parties that don't trust your CA. Again, bear in mind the comments made earlier about the CDP... the "stand-alone" machine will still need to "connect" back to the CA to access the CDP/AIA, plus you'll have to do certificate renewals etc.
    On a parting note, you need to be clear about why you really need to use smart cards (in this scenario). You're working outside the normal working conventions of Windows with a non-domain joined machine and the pay-off in this case is negligible. I'm not trying to dissuade you from continuing but it's likely to be an uphill struggle.
    Good luck and post back if you want to discuss further!
    Regards,
    Mylo

  • Authenticate to the Domain using a Smart Card

    Hi,
    I'm trying to get authenticated using the Smart Card but got the following error messages:
    On the Windows XP client, we inserted the PIV card, entered the PIN but received an error message “The system could not log you on.  The server authenticating you reported an error (0xC00000BB).”
    On the Windows 7 client, we received an error message “The system could not log you on.  You cannot use a smart card to log on because smart card logon is not supported for your user account.”
    Here is our environment:
    - Domain: Windows 2008 R2
    - Client: Windows XP SP3 and Windows 7
    - Smart Card: USAccess issued PIV card
    - Card Reader: SCR3310
    - Middleware: ActivClient
    Here is what I have already done:
    - Imported the following Entrust certificates from http://sspweb.managed.entrust.com/EMSPKIFSSPCACertificateInformation.html into the Domain under the Trusted Root Certification Authorities:
      * Common Policy CA Certificate
      * Common Policy to EMSPKI trust certificate
      * Federal Root CA, expires 06/01/2012
      * Federal SSP CA, expires 05/31/2012
      * Federal Root CA, expires 05/09/2019
      * Federal SSP CA, expires 05/08/2019
    - Added the certificates to the NTAuth store in the Domain
    - Posted the Domain Controller certificate (issued by the NIST internal CA) in the NTAuth store
    - Updated my UPN on the domain to match the Subject Alternative Name on the card “[email protected]”
    - Domain policy pushed down the Entrust certificates and Domain Controller certificate to the client computer
    - Made the PIV card certificates available to Windows via the ActivClient middleware
    Am I missing some steps or configuration? 
    Thank you,

    To solve one of the issues, related to:
    "The system could not log you on. You cannot use a smart card to log on because smart card login is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."
    On the client side, ensure that the certificate is assigned the Client Authentication purpose.
    You can do this in Internet Explorer:
    Tools -> Internet Options -> Content -> Certificates
    Then select the certificate.
    Click the ‘Advanced’ button; this opens the Advanced Options dialog box.
    Under the ‘Certificate purposes:’ box check:
    |X| Client Authentication
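
    The logon failure quoted above is usually a certificate-content problem rather than a reader or middleware problem, so it helps to inspect what the card's certificate actually carries before touching the Internet Explorer purposes dialog (that dialog only sets a local purpose override in the certificate store; the KDC validates the EKUs embedded in the certificate itself). The PowerShell below is an added example, not code from this thread or from Microsoft. It assumes the card's certificate has been propagated into the Cert:\CurrentUser\My store by the Certificate Propagation service and checks it for the two standard EKU OIDs (Client Authentication 1.3.6.1.5.5.7.3.2 and Smart Card Logon 1.3.6.1.4.1.311.20.2.2) and for the UPN in the Subject Alternative Name that must match the AD account.

```powershell
# Added example (not from the thread): report whether each certificate in the
# current user's personal store carries the EKUs and the UPN that Windows
# smart card logon relies on. Assumes the Certificate Propagation service has
# copied the card's certificate into Cert:\CurrentUser\My.

$requiredEku = @{
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'   # standard EKU OID
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'        # Microsoft EKU OID
}

function Test-SmartCardLogonCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Extended Key Usage extension (OID 2.5.29.37); .NET exposes it as
    # X509EnhancedKeyUsageExtension with an EnhancedKeyUsages OID collection.
    $ekuExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $present = @()
    if ($ekuExt) { $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $missing = @($requiredEku.Keys | Where-Object { $present -notcontains $_ })

    # Subject Alternative Name extension (OID 2.5.29.17); the UPN otherName is
    # what the domain controller maps to the user account. Format($true)
    # returns the decoded multi-line text, which contains "Principal Name=".
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $upn = $null
    if ($sanExt) {
        $sanText = $sanExt.Format($true)
        if ($sanText -match 'Principal Name=([^\r\n]+)') { $upn = $Matches[1].Trim() }
    }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey          # key lives on the card via the CSP/KSP
        NotAfter      = $Cert.NotAfter
        Upn           = $upn
        MissingEku    = (@($missing | ForEach-Object { $requiredEku[$_] }) -join ', ')
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-SmartCardLogonCert -Cert $_ } |
    Format-Table -AutoSize
```

A row with an empty MissingEku column, HasPrivateKey set to True and a Upn value that matches the account's userPrincipalName in AD rules out the certificate side of the "not supported for your user account" message; if either EKU is missing, the fix is in the CA's certificate template and a re-enrolment, not in the client's store.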

  • SCCM 2012 SP1 Remote Control Smart Card Support?

    Hi,
    We're currently running SCCM 2012 SP1. We have implemented mandatory smart card login on our Win 7 workstations using GPO. Is it correct to say that SCCM's Remote Control Viewer does not support passing of smart card credentials through the session?
    Our testing thus far would indicate that it does not. This is problematic for our help desk that often uses the Remote Viewer to connect to end user machines and then elevate rights to perform admin level tasks. So far the only way we have developed to work around it is to run a script that temporarily changes the GPO to remove the smart card enforcement requirement. Is there a better way to address this issue?
    Thanks
    Josh

    Just to add to Wally's comments, there's actually no way this will ever happen without significant investments and development time (if it's possible at all), and it's really not anything that the ConfigMgr product group could implement, as it has to do with authentication, which is handled by the OS. Passing smart card credentials across the network is inherently flawed and poses a huge security risk. When this was discussed internally at Microsoft, the security teams there said they could easily hack any mechanism that tried to do this and compromise the credentials.
    The recommendation from Microsoft is to use local admin accounts on workstations for elevation. This goes for *any* type of remote control (including remote desktop, btw) because the same security weakness exists regardless of the remote tool being used.
    Jason | http://blog.configmgrftw.com

  • Customize Non-Smart Card Mobility (NSCM) login screen

    Is there a way to customize the NSCM login screen to have customer-specific content in it?

    Hi Chris,
    I also have this issue. I think it is a known issue for Windows.
    I did some more research in web and found what I was looking for.
    RUNAS /SMARTCARD Only Supports a Single Smart Card Reader
    http://support.microsoft.com/kb/2013976
    How Smart Card Logon Works in Windows
    http://technet.microsoft.com/en-us/library/ff404285(v=WS.10).aspx
    Guidelines for enabling smart card logon with third-party certification authorities
    http://support.microsoft.com/kb/281245
    Thanks
