The Smartcard Removal Policy Service and VPN

The ScPolicySvc service works by monitoring a specific registry key (See Deconstructing the Smartcard Removal Policy Service). The VPN client (Connection Manager aka CM) on the other hand doesn’t use the Credential Provider architecture, it uses its own code for picking which certificate from the smartcard will be used for logon. The VPN component not…


Deconstructing the Smartcard Removal Policy Service

Windows Vista and Windows Server 2008 introduced a new service that is dedicated to monitoring the removal of smartcards on the system and handling of the event as defined by the Smartcard Removal Policy service (ScRemoveOption) that is configured for the system.  This service (ScPolicySvc) is hosted in one of the svchost.exe processes on the…


Enforce Smartcard on Access Check in Windows 2008 R2

A feature request I’ve seen customers frequently make is the ability to secure resources based on whether a smartcard was used to log on or a normal username/password combination was used. This is now possible in a W2k8 R2 domain (domain functional level must be at W2k8 R2). In short, the process is as follows:…


Fun with LDIFDE and MS09-056

The LDIFDE export tool that has shipped with all flavors of Windows since Windows 2000 is one of the more useful tools that can be used for troubleshooting. A fraction of the things you can do with it include: conditional exporting of data from Active Directory, bulk modifying specific attributes, testing ACLs through running LDIFDE…


Government issued ID cards and smartcard logons

I was recently involved in a support case concerning implementing government-issued ID cards (National ID with a chip on it) and how to use them to do a smartcard logon. Before you begin, make sure the CSP being used fully supports smartcard logons on Vista/W2k8. Running certutil –scinfo from within an elevated command prompt while…


Schannel 36872 or Schannel 36870 on a Domain Controller

This event (and its cousin Schannel 36870) can indicate that there is a problem with the server certificate on the system that is logging the event. The error is typically logged when a service (for example LSASS on a Domain Controller) has attempted to load and verify the private and public key pair of the…


Requiring Smart Cards for logon – what happens when CRL publication fails

Let’s say your organization wants to make smartcards mandatory for all users as part of a security push, i.e. implement ‘two-factor authentication’ (“something you have and something you know”). The concern however is that if revocation checks for either the Domain Controller certificate (from the client side) or the Smartcard certificate (from the Domain Controller…
