Joining computers to a domain with Smart Card authentication



So my main business computer recently switched from a Dell Desktop to an HP NC8430 laptop.  I am traveling more and more, and it is very nice to be able to log in from a local library or coffee shop and stay on top of email.  The NC8430 has a TPM chip (allowing me to run BitLocker Drive Encryption), so I do not lose sleep overnight that a lost or stolen laptop will leave me responsible for a "Microsoft loses information on 50,000 customers" headline.  I did not notice a slowdown on the computer after enabling BitLocker, which makes the full volume encryption ever so much more palatable.

The other neat feature of the NC8430 (being a business-class laptop) is that it has a built-in Smart Card Reader, meaning that I do not need to carry around a long external smart card reader when VPN-ing into work.  I just pop my card in the side and connect right up.  Quite convenient. 

I ran into an interesting question from a former co-worker of mine recently relating to smart cards.  He accepted a position close to where he grew up as a Network Admin for the Army base there.  The military, for the most part, has switched their logins away from username/passwords to Smart Card login.  After having done so, my friend was running into an interesting problem.  He could authenticate to the domain with no problems using his Smart Card, but could not join any computers to the domain.

The dialog box indicates User ID/Password or Smart Card. If we use a username/password combo, all is well. If a smart card is used, then an error is displayed on the Windows XP Professional workstation stating the following:

“Logon failure: Unknown user name or bad password”

A netmon capture revealed the following:

NETLOGON: LMT Token = WindowsNT Networking
NETLOGON: LM20 Token = OS/2 LAN Manager 2.0 (or later) Networking
NETLOGON: Unknown Type
NETLOGON: Opcode = 0x0019

I pinged an internal Discussion List for the solution, which turned out to be:

XP doesn’t support domain join via Smart Card — Vista does though.

Moral of the story… before you wholesale replace the authentication mechanism for your domain… set up a lab environment to make sure that everything works as you expect it to.  Unfortunately for my friend, this change was made before he was hired.

While the marketing folks trumpet the “flashy” new features of Microsoft releases, sometimes it is the engineering under the hood that makes the biggest difference in day-to-day operations (such as the added support for joining computers to domains with Smart Cards).
