Prevent Local Cached Smart Card Login Being Invalidated After AD Password Change?

jdbst56 6 Reputation points
2020-10-07T15:39:02.883+00:00

We currently enforce smart card login to our Windows 10 Enterprise (1809/1909) workstations using group policy. Our user AD accounts have the smart card certificates mapped in the altSecurityIdentities attribute (certificate mapping). Passwords are also used on the same AD accounts for applications that do not support smart card authentication. Our cached logon count is set to 10 in our GPO baseline.

The issue we have is when users change their AD passwords while connected to VPN, their cached smart card logon is invalidated. Users will receive a "no domain specified" error message when attempting to log in to the system locally using the smart card following the AD password change. Our current workaround is to use our out-of-band management solution to temporarily disable smart card enforcement on the machine, then have the user log on locally with the username/password. Then, upon connecting to the VPN, we have them "switch user" and authenticate to the domain using the smart card. This refreshes the locally cached smart card credential and allows the user to log in offline to the system using the smart card.

Is there any other method to ensure that a change of the AD password does not invalidate the locally cached smart card credential?

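As an added example (not part of the original question), the following PowerShell, run on the workstation from the out-of-band management channel the poster mentions, audits the client-side state involved in this scenario: the cached logon count, whether "Interactive logon: Require smart card" is enforced, whether the current session came from the local credential cache, and the recent cached-interactive (logon type 11) sign-ins. It also wraps the poster's workaround (clearing the local enforcement until Group Policy reapplies it). The registry value names are the documented policy backings; the function names and the 24-hour event window are assumptions for illustration.

```powershell
# Added example, not code from the original post. Requires an elevated shell.
# Registry values behind the two policies in the question:
#   "Interactive logon: Number of previous logons to cache" -> CachedLogonsCount (REG_SZ)
#   "Interactive logon: Require smart card"                  -> ScForceOption    (REG_DWORD)

function Get-SmartCardLogonState {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $force  = (Get-ItemProperty -Path $policies -Name ScForceOption     -ErrorAction SilentlyContinue).ScForceOption

    # Windows defaults to 10 cached logons when the value is absent.
    $cachedCount = if ($null -eq $cached) { 10 } else { [int]$cached }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        CachedLogonsCount    = $cachedCount
        SmartCardRequired    = ($force -eq 1)
        # Heuristic: a session authenticated from the local cache reports the
        # workstation itself as LOGONSERVER rather than a domain controller.
        CurrentSessionCached = ($env:LOGONSERVER -eq "\\$env:COMPUTERNAME")
        LogonServer          = $env:LOGONSERVER
        # True only when a DC is reachable (e.g. the VPN is up).
        DomainReachable      = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)
    }
}

function Get-CachedInteractiveLogons {
    # Security event 4624 with LogonType 11 (CachedInteractive) is written each time a
    # user signs in against the local credential cache instead of a domain controller.
    param([int]$Hours = 24)   # window is an assumption
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the EventData fields by name rather than by positional index.
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        if ($field['LogonType'] -eq '11') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($field['TargetDomainName'])\$($field['TargetUserName'])"
                Package = $field['AuthenticationPackageName']
            }
        }
    }
}

function Disable-SmartCardEnforcementTemporarily {
    # The workaround from the question: clear the local enforcement so the user can sign
    # in with a password, then re-establish the VPN and switch user with the smart card.
    # Group Policy will restore ScForceOption=1 on the next refresh (gpupdate /force).
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Set ScForceOption = 0')) {
        Set-ItemProperty -Path $policies -Name ScForceOption -Value 0 -Type DWord
    }
}

Get-SmartCardLogonState | Format-List
Get-CachedInteractiveLogons -Hours 24 | Format-Table -AutoSize
# Disable-SmartCardEnforcementTemporarily -WhatIf   # preview the workaround step
```

The `CurrentSessionCached` field is a heuristic, not an authoritative flag: it is the quickest way to confirm from a remote shell that a user is actually running on cached credentials. The 4624/type 11 listing is the authoritative record and is what to check after the "switch user" step to confirm the smart card cache was refreshed.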

2 answers

  1. Anonymous
    2020-10-16T02:45:54.94+00:00

    Hello
    Thank you for your update.

    Based on my research, we can know:

    1. Ticking the 'Smart Card is required for interactive logon' checkbox for a user resets the password for that user to a random complex password that is unknown to anyone, and the UserAccountControl attribute of the user gets the flag SMARTCARD_REQUIRED added to it.

    2. In addition to this, the DONT_EXPIRE_PASSWORD flag on the account is set so that the user's password never expires. The GINA or LogonUI components on the client check for the presence of the SMARTCARD_REQUIRED flag during an interactive logon (console or RDP) and reject the logon if it isn't made with a smart card when it is set for the user.

    We can try the possible method in the following link.
    Expire Passwords On Smart Card Only Accounts
    https://secureidentity.se/expire-passwords-on-smart-card-only-accounts/

    References
    Enforcing smart card authentication
    https://docs.centrify.com/Content/zint-linux-smartcd/AuthEnforce.htm

    Requiring Smart Cards for Interactive Logons
    https://www.itprotoday.com/security/requiring-smart-cards-interactive-logons

    Similar case.
    Require smart card for interactive logon random password
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/b29595f4-f8c2-47c7-8ad9-d15f747a5462/require-smart-card-for-interactive-logon-random-password?forum=winserversecurity

    Best Regards,
    Daisy Zhou
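As an added example, not part of the answer above, the following PowerShell reads the two UserAccountControl bits the answer names, SMARTCARD_REQUIRED (0x40000) and DONT_EXPIRE_PASSWORD (0x10000), for every account carrying a certificate mapping in altSecurityIdentities. That lets an admin tell apart accounts that are truly smart-card-only at the AD level (random, never-expiring password) from accounts like the poster's, which still carry a usable password and are only forced to smart card by the workstation GPO. It also wraps the "tick the checkbox" action the answer describes as a password-rotation step. The RSAT ActiveDirectory module, the search base and the function names are assumptions.

```powershell
# Added example, not code from the original answer. Assumes the RSAT ActiveDirectory
# module and a domain-joined, connected machine.

# UserAccountControl bit values (ADS_UF_* constants).
$SMARTCARD_REQUIRED   = 0x40000   # ADS_UF_SMARTCARD_REQUIRED
$DONT_EXPIRE_PASSWORD = 0x10000   # ADS_UF_DONT_EXPIRE_PASSWD

function Test-UacFlag {
    param([int]$Uac, [int]$Flag)
    return (($Uac -band $Flag) -ne 0)
}

function Get-SmartCardAccountReport {
    # Search base is an assumption for this example.
    param([string]$SearchBase = 'OU=Users,DC=corp,DC=example')
    Import-Module ActiveDirectory -ErrorAction Stop

    Get-ADUser -SearchBase $SearchBase -LDAPFilter '(altSecurityIdentities=*)' `
               -Properties userAccountControl, altSecurityIdentities, PasswordLastSet, PasswordExpired |
    ForEach-Object {
        $uac = [int]$_.userAccountControl
        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            # Set by the "Smart card is required for interactive logon" checkbox.
            SmartCardRequired    = Test-UacFlag $uac $SMARTCARD_REQUIRED
            # Set alongside it so the random password never expires.
            PasswordNeverExpires = Test-UacFlag $uac $DONT_EXPIRE_PASSWORD
            PasswordExpired      = $_.PasswordExpired
            PasswordLastSet      = $_.PasswordLastSet
            Mappings             = ($_.altSecurityIdentities -join '; ')
        }
    }
}

function Reset-SmartCardOnlyPassword {
    # Ticking the checkbox (SmartcardLogonRequired = $true) is what sets the random
    # password; this example clears the flag first so the transition to "on" happens
    # again and the password is regenerated. Per this thread, rotating the password
    # invalidates cached smart card logons on workstations that are offline.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)
    $before = (Get-ADUser -Identity $Identity -Properties PasswordLastSet).PasswordLastSet
    if ($PSCmdlet.ShouldProcess($Identity, 'Clear and re-set SmartcardLogonRequired')) {
        Set-ADUser -Identity $Identity -SmartcardLogonRequired $false
        Set-ADUser -Identity $Identity -SmartcardLogonRequired $true
        $after = (Get-ADUser -Identity $Identity -Properties PasswordLastSet).PasswordLastSet
        [pscustomobject]@{
            Identity              = $Identity
            PasswordLastSetBefore = $before
            PasswordLastSetAfter  = $after   # should move to now if the rotation took effect
        }
    }
}

# Usage: list accounts with certificate mappings that are NOT smart-card-only at the AD
# level (these are the ones whose password changes will hit the problem in the question).
Get-SmartCardAccountReport | Where-Object { -not $_.SmartCardRequired } | Format-Table -AutoSize
# Reset-SmartCardOnlyPassword -Identity 'jdoe' -WhatIf
```

For the poster's accounts the report should show `SmartCardRequired = False`: the password is still a real, user-known credential used by non-smart-card applications, so the AD-side flag cannot be set without breaking those applications. That is the state the second answer refers to when it says both mechanisms depend on the password not changing.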


  2. Anonymous
    2020-10-20T03:07:32.17+00:00

    Hello @jdbst56 ,

    Thank you for your update.

    For the function of "Smart card is required for interactive logon" or the "Interactive logon: Require smart card" GPO setting, both functions need to keep the password never expiring. If we change the password for the user, the old credential information is cached in the smart card, so the cached smart card credential will be invalid.

    Best Regards,
    Daisy Zhou

