Joining computers to a domain with Smart Card authentication


So my main business computer recently switched from a Dell desktop to an HP NC8430 laptop.  I am traveling more and more, and it is very nice to be able to log in from a local library or coffee shop and stay on top of email.  The NC8430 has a TPM chip (allowing me to run BitLocker Drive Encryption), so I do not lose sleep overnight that a lost or stolen laptop will leave me responsible for a "Microsoft loses information on 50,000 customers" headline.  I did not notice a slowdown on the computer after enabling BitLocker, which makes full volume encryption ever so much more palatable.

The other neat feature of the NC8430 (being a business-class laptop) is that it has a built-in Smart Card Reader, meaning that I do not need to carry around a long external smart card reader when VPN-ing into work.  I just pop my card in the side and connect right up.  Quite convenient. 

I ran into an interesting question from a former co-worker of mine recently relating to smart cards.  He accepted a position close to where he grew up as a Network Admin for the Army base there.  The military, for the most part, has switched their logins away from username/passwords to Smart Card login.  After having done so, my friend was running into an interesting problem.  He could authenticate to the domain with no problems using his Smart Card, but could not join any computers to the domain.

The dialog box indicates User ID/Password or Smart Card. If we use a username/password combo, all is well. If a smart card is used, then an error is displayed on the Windows XP Professional workstation stating the following:

“Logon failure: Unknown user name or bad password”

A netmon capture revealed the following:

NETLOGON: LMT Token = WindowsNT Networking
NETLOGON: LM20 Token = OS/2 LAN Manager 2.0 (or later) Networking
NETLOGON: Unknown Type
NETLOGON: Opcode = 0x0019

I pinged an internal Discussion List for the solution, which turned out to be:

XP doesn't support domain join via Smart Card -- Vista does though.

Moral of the story: before you wholesale replace the authentication mechanism for your domain, set up a lab environment to make sure that everything works as you expect it to.  Unfortunately for my friend, this change was made before he was hired.

While the marketing folks trumpet the "flashy" new features of Microsoft releases, sometimes it is the engineering under the hood that makes the biggest difference in day-to-day operations (such as the added support for joining computers to domains with Smart Cards).

More information on Smart Cards: