A feature request I’ve seen customers frequently make is the ability to secure resources based on whether a smartcard was used to log on or a normal username/password combination was used.
This is now possible in a W2k8 R2 domain (domain functionality must be at W2k8 R2 level).
In short; the process is as follows:
- Admin associates a certificate template with a specific security group
- Admin assigns permissions to that group on the resource (a file share or database for example).
- the KDC on W2k8 R2 DC’s will add the Sid of that group to the user’s token if that certificate (typically a smartcard certificate) was used to log on.
The result: When the user logs on with a smartcard they have access to the resource through the group Sid that is present in their access token. When they log on with a username and password they don’t have access as the Sid for the group is not present in their access token in that case.
Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide
What's new in smartcards in Windows 7 and Windows Server 2008 R2