A lot of requests about smart card based logon, certificate integration and Kerberos are currently coming in; I don’t know if it is mainly because many customers are thinking about strong authentication anyway or because they see this as a good opportunity while switching their client OS to Windows Vista. Below are some links to good information on those topics:
(This article describes smart cards and their implementation in the Windows platform)
RFC: Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
(This document describes protocol extensions (hereafter called PKINIT) to the Kerberos protocol)
However, with Windows Vista, we have changed parts of the components involved in smart card authentication:
Even the logon architecture is changed on Windows Vista. On previous versions of Windows, the Winlogon process loaded the Graphical Identification and Authentication (GINA) DLL specified in the registry to display a logon UI that asked users for their credentials. Unfortunately, the GINA model suffers from several limitations, including the fact that only one GINA can be configured, writing a complete GINA is difficult for third parties, and custom GINAs that have non-standard user interfaces change the Windows user experience.

Instead of a GINA, Windows Vista uses the new Credential Provider architecture. Winlogon launches a separate process, the Logon User Interface Host (Logonui.exe), that loads credential providers that are configured in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Currentversion\Authentication\Credential Providers. LogonUI can host multiple credential providers concurrently; in fact, Windows Vista ships with interactive (Authui.dll) and smartcard (Smartcardcredentialprovider.dll) providers. To ensure a uniform user experience, LogonUI manages the user interface that is displayed to end users, but it also allows credential providers to specify custom elements like text, icons, and edit controls.
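Because LogonUI loads every provider registered under that key, an administrator will want to audit which DLLs actually get loaded at logon. The PowerShell script below is an added example, not code from the post or from Windows; it enumerates the registered provider CLSIDs, resolves each one through its COM InprocServer32 registration to the DLL path and reports the Authenticode signer. It assumes two candidate registry locations (the "Windows NT" key named in the post and the "Windows\CurrentVersion" key), and the function name Get-CredentialProviderInventory is mine.

```powershell
# Added audit example (not from the original post). Lists the credential providers
# registered on this machine, resolves each CLSID to its in-process DLL and reports
# the Authenticode signer, so an administrator can spot an unexpected provider.
# Assumption: both registry locations below are probed; the post names the key
# under "Windows NT", shipped systems also carry it under "Windows\CurrentVersion".
$candidateKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Authentication\Credential Providers',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
)

function Get-CredentialProviderInventory {
    foreach ($key in $candidateKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid    = $sub.PSChildName                    # subkey name is the provider CLSID
            $friendly = (Get-ItemProperty -Path $sub.PSPath).'(default)'
            # The COM registration tells us which DLL LogonUI will load for this CLSID.
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null; $signer = 'n/a'; $status = 'not registered'
            if (Test-Path $inproc) {
                $dll      = (Get-ItemProperty -Path $inproc).'(default)'
                $expanded = [Environment]::ExpandEnvironmentVariables($dll)
                if (Test-Path $expanded) {
                    $sig    = Get-AuthenticodeSignature -FilePath $expanded
                    $status = $sig.Status
                    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                } else {
                    $status = 'file missing'
                }
            }
            [pscustomobject]@{
                Clsid           = $clsid
                Name            = $friendly
                Dll             = $dll
                SignatureStatus = $status
                Signer          = $signer
                RegisteredUnder = $key
            }
        }
    }
}

# Providers whose DLL is unsigned, missing or signed by an unexpected publisher
# deserve a closer look; the shipped providers are signed by Microsoft.
Get-CredentialProviderInventory |
    Sort-Object SignatureStatus |
    Format-Table Name, Dll, SignatureStatus, Signer -AutoSize
```

Run it from an elevated PowerShell session so the HKCR CLSID entries and the DLL files under %SystemRoot% can be read.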