Smart Card


It is possible to use a plastic card (smart card) to login instead of using a keyboard to type username if having a smart card reader.
This service manages and controls access to a smart card inserted into a smart card reader attached to the computer.

There is registry entry that can enable additional protection from PKINIT-related vulnerabilities:

[HKEY_LOCAL_MACHINE \System \CurrentControlSet \Control \Lsa \Kerberos]
RequireAsChecksum = 1 (Default WinXP = 0)

[HKEY_LOCAL_MACHINE \System \CurrentControlSet \Control \Lsa \Kerberos \Parameters]
RequireAsChecksum = 1 (Default Win2k/Win2k3 = 0)

Note before enabling this setting on the client-machines, one should make sure that MS KB899587 is installed on the domain controller or else the smart card login will fail. More info MS KB904766

  • Manual.
Default State:
  • Manual
Process Name:
  • None