Prevent Local Cached Smart Card Login Being Invalidated After AD Password Change?

jdbst56 6 Reputation points
2020-10-07T15:39:02.883+00:00

We currently enforce smart card login to our Windows 10 Enterprise (1809/1909) workstations using group policy. Our user AD accounts have the smart card certificates mapped in the altsecurityidentities attribute (certificate mapping). Passwords are also used on the same AD accounts for applications that do not support smart card authentication. Our cached logon count is set to 10 in our GPO baseline.

The issue we have is when users change their AD passwords while connected to VPN, their cached smart card logon is invalidated. Users will receive a "no domain specified" error message when attempting to log in to the system locally using the smart card following the AD password change. Our current workaround is to use our out-of-band management solution to temporarily disable smart card enforcement on the machine, then have the user log on locally with the username/password. Then upon connecting to the VPN, we have them "switch user" and authenticate to the domain using the smart card. This refreshes the locally cached smart card credential and allows the user to log in offline to the system using the smart card.

Is there any other method to ensure that a change of the AD password does not invalidate the locally cached smart card credential?


2 answers

  1. Daisy Zhou 17,241 Reputation points Microsoft Vendor
    2020-10-16T02:45:54.94+00:00

    Hello
    Thank you for your update.

    Based on my research, we can know:

    1. Ticking the ‘Smart Card is required for interactive logon’ checkbox for a user resets the password for that user to a random complex password that is unknown to anyone and the UserAccountControl attribute of the user gets the flag SMARTCARD_REQUIRED added to it.

    2. In addition to this, the DONT_EXPIRE_PASSWORD flag on the account is set so that the user’s password never expires. The GINA or LogonUI components on the client check for the presence of the SMARTCARD_REQUIRED flag during an interactive logon (console or RDP) and reject the logon if it isn’t made with a smartcard when it is set for the user.

    We can try the possible method in the following link.
    Expire Passwords On Smart Card Only Accounts
    https://secureidentity.se/expire-passwords-on-smart-card-only-accounts/

    References
    Enforcing smart card authentication
    https://docs.centrify.com/Content/zint-linux-smartcd/AuthEnforce.htm

    Requiring Smart Cards for Interactive Logons
    https://www.itprotoday.com/security/requiring-smart-cards-interactive-logons

    Similar case.
    Require smart card for interactive logon random password
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/b29595f4-f8c2-47c7-8ad9-d15f747a5462/require-smart-card-for-interactive-logon-random-password?forum=winserversecurity

    Best Regards,
    Daisy Zhou


  2. Daisy Zhou 17,241 Reputation points Microsoft Vendor
    2020-10-20T03:07:32.17+00:00

    Hello @jdbst56 ,

    Thank you for your update.

    For the function of "smart card is required for interactive logon" or the "Interactive logon: Require smart card" GPO setting, both functions need to keep the password never expired. If we change the password for the user, the old credential information is cached in the smart card, so the cached smart card credential will be invalid.

    Best Regards,
    Daisy Zhou
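
The following audit is an added example, not part of either answer or of Microsoft's documentation. It reads the two userAccountControl flags named in the first answer for every account that has a certificate mapping, so you can see which accounts carry SMARTCARD_REQUIRED and which still have a usable password as in the question's setup. It assumes the RSAT ActiveDirectory module and read access to the domain; the output column names are illustrative.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and domain read access.
Import-Module ActiveDirectory

# userAccountControl bits referenced in the first answer
$SMARTCARD_REQUIRED   = 0x40000   # "Smart card is required for interactive logon"
$DONT_EXPIRE_PASSWORD = 0x10000   # password never expires

# Select accounts with a certificate mapping in altSecurityIdentities,
# which is how the question describes its smart card accounts.
Get-ADUser -LDAPFilter '(altSecurityIdentities=*)' `
           -Properties userAccountControl, pwdLastSet, altSecurityIdentities |
    ForEach-Object {
        $uac          = [int]$_.userAccountControl
        $scRequired   = [bool]($uac -band $SMARTCARD_REQUIRED)
        $neverExpires = [bool]($uac -band $DONT_EXPIRE_PASSWORD)

        # pwdLastSet is a FILETIME; 0 means "must change at next logon"
        $pwdSetUtc = if ($_.pwdLastSet -gt 0) {
            [DateTime]::FromFileTimeUtc($_.pwdLastSet)
        } else { $null }

        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            SmartCardRequired    = $scRequired
            PasswordNeverExpires = $neverExpires
            PasswordLastSetUtc   = $pwdSetUtc
            MappedCertificates   = @($_.altSecurityIdentities).Count
            # Illustrative label: the account flag is the only thing visible here;
            # workstation-level GPO enforcement is not stored on the user object.
            AccountLevelPolicy   = if ($scRequired) { 'flag set' } else { 'flag not set' }
        }
    } |
    Sort-Object SmartCardRequired, PasswordLastSetUtc |
    Format-Table -AutoSize
```

Accounts that show `flag not set` with a recent `PasswordLastSetUtc` are the ones whose password is still being changed by users, which is the situation described in the question.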