Smart Card

Description:
It is possible to use a plastic card (smart card) to login instead of using a keyboard to type username if having a smart card reader.
This service manages and controls access to a smart card inserted into a smart card reader attached to the computer.

There is registry entry that can enable additional protection from PKINIT-related vulnerabilities:

[HKEY_LOCAL_MACHINE \System \CurrentControlSet \Control \Lsa \Kerberos]
RequireAsChecksum = 1 (Default WinXP = 0)

[HKEY_LOCAL_MACHINE \System \CurrentControlSet \Control \Lsa \Kerberos \Parameters]
RequireAsChecksum = 1 (Default Win2k/Win2k3 = 0)

Note before enabling this setting on the client-machines, one should make sure that MS KB899587 is installed on the domain controller or else the smart card login will fail. More info MS KB904766

Recommended State:
  • Manual.
Default State:
  • Manual
Process Name:
Supports:
  • None
Depends:

Updated: 20 September 2009

Leave a Reply

Your email address will not be published. Required fields are marked *