Smartcards and cached logons...

Smartcards and cached credentials.

Scenario – large customer using a smartcard client from vendor XYZ.

When a user was online (plugged into the network) and logged on to the domain via smartcard, the credentials were not cached. If the user then tried to log on offline with the cached smartcard credentials, the logon failed.

If the user logged on with a username and password, the credentials cached properly.

Many people don’t realize that, when it comes to smartcards and the user experience, much of it depends on the vendor.

The basic architecture is like this:

Another thing to note is that a smartcard logon gets its own, unique entry in the cached logon list.

If the user Bob has a smartcard and logs on twice, once as domain\bob with his password and once with his smartcard and PIN, he will have two entries in the cached logon list.

Likewise, if the same user Bob has two smartcards and logs on with SC1 and then SC2, the cached information for SC2 will be the only card he can use to log on with cached credentials, because it overwrites the cached logon data from SC1 (most of the time).

This scenario has come up where a user is issued two cards, one as a spare in case he leaves the other at home or at work. He logs on at work with SC1 and, when he gets home, expects to log on with cached credentials via SC2, and so on.

Anyway - back to our real story...

In this case, the vendor's CSP was failing the call to CPGenRandom, shown in the diagram above.

From MSDN: https://windowssdk.msdn.microsoft.com/en-us/library/aa378205.aspx

If the function succeeds, the return value is TRUE.

If the function fails, the return value is FALSE, and the appropriate error code from the following table must be set using SetLastError.
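The contract quoted above is exactly what an offline test run would have exercised. As an added example, not code from the original post or from vendor XYZ's product, here is a small portable C harness that models that contract: it calls a CSP's CPGenRandom-style entry point through a function pointer with no DC or reader in the loop and checks that a TRUE return actually filled the buffer and that a FALSE return left an error code behind. The Win32 type definitions, the SetLastError/GetLastError stand-ins and the three constructed CSP implementations are assumptions for illustration; only the entry-point signature mirrors the real CSP interface.

```c
/* Added example (not from the original post or the vendor's CSP): a
 * portable C model of the CPGenRandom return-value contract quoted from
 * MSDN. The Win32 types and SetLastError/GetLastError are stand-ins so
 * the harness builds anywhere; the real CSP entry point has the
 * signature BOOL CPGenRandom(HCRYPTPROV, DWORD, BYTE *). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int       BOOL;
typedef uint32_t  DWORD;
typedef uint8_t   BYTE;
typedef uintptr_t HCRYPTPROV;
#define TRUE  1
#define FALSE 0
#define ERROR_SUCCESS           0u
#define ERROR_INVALID_PARAMETER 87u          /* Win32 value */
#define NTE_FAIL                0x80090020u  /* CryptoAPI "internal error" */

/* Stand-in for the per-thread last-error slot (a plain global here). */
static DWORD g_last_error = ERROR_SUCCESS;
static void  SetLastError_model(DWORD e) { g_last_error = e; }
static DWORD GetLastError_model(void)    { return g_last_error; }

typedef BOOL (*CPGenRandomFn)(HCRYPTPROV hProv, DWORD dwLen, BYTE *pbBuffer);

/* Constructed CSP 1: honours the contract. Uses a deterministic xorshift
 * so the harness runs offline; a real CSP would draw from the card or a
 * proper DRBG. */
static BOOL csp_conforming_GenRandom(HCRYPTPROV hProv, DWORD dwLen, BYTE *pbBuffer)
{
    static uint32_t s = 0x9E3779B9u;
    (void)hProv;
    if (pbBuffer == NULL && dwLen != 0) {
        SetLastError_model(ERROR_INVALID_PARAMETER);
        return FALSE;
    }
    for (DWORD i = 0; i < dwLen; i++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        pbBuffer[i] = (BYTE)s;
    }
    return TRUE;
}

/* Constructed CSP 2: fails the call but reports why, as the contract requires. */
static BOOL csp_failing_GenRandom(HCRYPTPROV hProv, DWORD dwLen, BYTE *pbBuffer)
{
    (void)hProv; (void)dwLen; (void)pbBuffer;
    SetLastError_model(NTE_FAIL);
    return FALSE;
}

/* Constructed CSP 3: fails and leaves no error code behind (contract violation). */
static BOOL csp_silent_GenRandom(HCRYPTPROV hProv, DWORD dwLen, BYTE *pbBuffer)
{
    (void)hProv; (void)dwLen; (void)pbBuffer;
    return FALSE;
}

typedef enum {
    GENRANDOM_OK,                 /* TRUE and the buffer was filled */
    GENRANDOM_FAIL_WITH_ERROR,    /* FALSE and GetLastError reports a code */
    GENRANDOM_FAIL_NO_ERROR,      /* FALSE but last error is still ERROR_SUCCESS */
    GENRANDOM_BUFFER_UNTOUCHED    /* TRUE but the output buffer was not written */
} GenRandomVerdict;

/* Exercise one CSP's CPGenRandom with no DC or reader in the loop and
 * classify the outcome against the MSDN contract. */
GenRandomVerdict check_genrandom_contract(CPGenRandomFn fn, DWORD len)
{
    BYTE buf[64];
    if (len > sizeof buf) len = sizeof buf;
    memset(buf, 0xAA, sizeof buf);            /* sentinel fill */
    SetLastError_model(ERROR_SUCCESS);        /* clear before the call */
    BOOL ok = fn(0, len, buf);
    if (!ok)
        return GetLastError_model() == ERROR_SUCCESS
               ? GENRANDOM_FAIL_NO_ERROR : GENRANDOM_FAIL_WITH_ERROR;
    if (len == 0) return GENRANDOM_OK;        /* nothing to fill */
    for (DWORD i = 0; i < len; i++)
        if (buf[i] != 0xAA) return GENRANDOM_OK;
    return GENRANDOM_BUFFER_UNTOUCHED;
}

int main(void)
{
    static const char *names[] = { "OK", "FAIL (error code set)",
                                   "FAIL (no error code set)", "buffer untouched" };
    printf("conforming CSP: %s\n", names[check_genrandom_contract(csp_conforming_GenRandom, 32)]);
    printf("failing CSP:    %s\n", names[check_genrandom_contract(csp_failing_GenRandom, 32)]);
    printf("silent CSP:     %s\n", names[check_genrandom_contract(csp_silent_GenRandom, 32)]);
    return 0;
}
```

The harness is the kind of check a QA team can run on a disconnected machine: a CSP that returns FALSE without setting an error code gives the caller (and the person debugging a failed cached logon) nothing to go on, which is why the MSDN text makes SetLastError mandatory on failure.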

So, after a call to the vendor, it turned out they had never tested an offline scenario; all of their QA tests were run against live DCs.

spatdsg