Enforce Smartcard on Access Check in Windows 2008 R2

  • Article

Home

A feature request I’ve seen customers frequently make is the ability to secure resources based on whether a smartcard was used to log on or a normal username/password combination was used.

This is now possible in a W2k8 R2 domain (domain functionality must be at W2k8 R2 level).

In short; the process is as follows:

  • Admin associates a certificate template with a specific security group
  • Admin assigns permissions to that group on the resource (a file share or database for example).
  • the KDC on W2k8 R2 DC’s will add the Sid of that group to the user’s token if that certificate (typically a smartcard certificate) was used to log on.

The result: When the user logs on with a smartcard they have access to the resource through the group Sid that is present in their access token.  When they log on with a username and password they don’t have access as the Sid for the group is not present in their access token in that case.

Further details:

Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide
http://technet.microsoft.com/en-us/library/dd378897(WS.10).aspx

What's new in smartcards in Windows 7 and Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/dd367851(WS.10).aspx