diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 040348819b..aa4f877c04 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -218,6 +218,8 @@
 "identity-protection/hello-for-business/*.md": "erikdau",
 "identity-protection/credential-guard/*.md": "zwhittington",
 "identity-protection/access-control/*.md": "sulahiri",
+ "identity-protection/smart-cards/*.md": "ardenw",
+ "identity-protection/virtual-smart-cards/*.md": "ardenw",
 "operating-system-security/network-security/windows-firewall/*.md": "paoloma",
 "operating-system-security/network-security/vpn/*.md": "pesmith",
 "operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda",
@@ -231,7 +233,7 @@
 "threat-protection/auditing/*.md": "tier3",
 "operating-system-security/data-protection/bitlocker/*.md": "tier1",
 "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
- "operating-system-security/network-security/windows-firewall/*.md": [ "tier3", "must-keep" ]
+ "operating-system-security/network-security/windows-firewall/*.md": [ "tier2", "must-keep" ]
 }
 },
 "template": [],
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index c71e953a49..d4578ba511 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -3,7 +3,6 @@ ms.date: 11/06/2023 title: Smart Card and Remote Desktop Services description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. ms.topic: conceptual -ms.reviewer: ardenw --- # Smart Card and Remote Desktop Services
@@ -13,8 +12,8 @@ Smart card redirection logic and *WinSCard API* are combined to support multiple Smart card support is required to enable many Remote Desktop Services scenarios. These include: -- Using Fast User Switching or Remote Desktop Services. A user is not able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt is not successful in Fast User Switching or from a Remote Desktop Services session -- Enabling *Encrypting File System* (EFS) to locate the user's smart card reader from the *Local Security Authority* (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able to locate the smart card reader or certificate, EFS cannot decrypt user files +- Using Fast User Switching or Remote Desktop Services. A user isn't able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt isn't successful in Fast User Switching or from a Remote Desktop Services session +- Enabling *Encrypting File System* (EFS) to locate the user's smart card reader from the *Local Security Authority* (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS isn't able to locate the smart card reader or certificate, EFS can't decrypt user files ## Remote Desktop Services redirection 
@@ -37,9 +36,9 @@ Notes about the redirection model: As a part of the Common Criteria compliance, the RDC client must be configurable to use Credential Manager to acquire and save the user's password or smart card PIN. Common Criteria compliance requires that applications not have direct access to the user's password or PIN. -Common Criteria compliance requires specifically that the password or PIN never leave the LSA unencrypted. A distributed scenario should allow the password or PIN to travel between one trusted LSA and another, and it cannot be unencrypted during transit. +Common Criteria compliance requires specifically that the password or PIN never leave the LSA unencrypted. A distributed scenario should allow the password or PIN to travel between one trusted LSA and another, and it can't be unencrypted during transit. -When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user is not prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. This PIN is sent by using a secure channel that the credential SSP has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user does not receive any additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures. +When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user isn't prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. 
This PIN is sent by using a secure channel that the credential SSP has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user doesn't receive any additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures. ### Remote Desktop Services and smart card sign-in @@ -47,7 +46,7 @@ Remote Desktop Services enables users to sign in with a smart card by entering a In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in. -To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer is not in the same domain or workgroup, the following command can be used to deploy the certificate: +To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer isn't in the same domain or workgroup, the following command can be used to deploy the certificate: ```cmd certutil.exe -dspublish NTAuthCA "DSCDPContainer" 
@@ -88,4 +87,4 @@ For information about this option for the command-line tool, see [-addstore](/pr Sign-in to Remote Desktop Services across a domain works only if the UPN in the certificate uses the following form: `@`. -The UPN in the certificate must include a domain that can be resolved. Otherwise, the Kerberos protocol cannot determine which domain to contact. You can resolve this issue by enabling GPO X509 domain hints. For more information about this setting, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). +The UPN in the certificate must include a domain that can be resolved. Otherwise, the Kerberos protocol can't determine which domain to contact. You can resolve this issue by enabling GPO X509 domain hints. For more information about this setting, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index 97b5d943d7..1146a19d8a 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -1,7 +1,6 @@
 ---
 title: Smart Card Architecture
 description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
-ms.reviewer: ardenw
 ms.topic: reference-architecture
 ms.date: 11/06/2023
 ---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index 9aa4972ebf..9c38e2a06c 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -1,7 +1,6 @@
 ---
 title: Certificate Propagation Service
 description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
-ms.reviewer: ardenw
 ms.topic: concept-article
 ms.date: 08/24/2021
 ---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index 6d032bebd3..bbde74b92e 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -1,7 +1,6 @@
 ---
 title: Certificate Requirements and Enumeration
 description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
-ms.reviewer: ardenw
 ms.topic: concept-article
 ms.date: 11/06/2023
 ---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index 86aa2d80de..df3203f5f6 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -1,10 +1,6 @@
 ---
 title: Smart Card Troubleshooting
 description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
-ms.reviewer: ardenw
-ms.collection:
- - highpri
- - tier2
 ms.topic: troubleshooting
 ms.date: 11/06/2023
 ---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index 9cd57a98c5..f502e16622 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -1,7 +1,6 @@
 ---
 title: Smart Card Group Policy and Registry Settings
 description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
-ms.reviewer: ardenw
 ms.topic: reference
 ms.date: 11/06/2023
 ---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index d3cd7bcdca..15ffe7ff5d 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -1,7 +1,6 @@
 ---
 title: How Smart Card Sign-in Works in Windows
 description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
-ms.reviewer: ardenw
 ms.topic: overview
 ms.date: 1/06/2023
 ---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index 4b9fd9a3fd..73879b5833 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -1,7 +1,6 @@
 ---
 title: Smart Card Removal Policy Service
 description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
-ms.reviewer: ardenw
 ms.topic: concept-article
 ms.date: 09/24/2021
 ---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
index c982c67613..6d468b9bda 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@@ -1,7 +1,6 @@
 ---
 title: Smart Cards for Windows Service
 description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
-ms.reviewer: ardenw
 ms.topic: concept-article
 ms.date: 11/06/2023
 ---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
index 00d223bfe5..737d2d83fc 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@@ -1,7 +1,6 @@
 ---
 title: Smart Card Tools and Settings
 description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
-ms.reviewer: ardenw
 ms.topic: conceptual
 ms.date: 11/06/2023
 ---
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index 677009a880..23a8ac72f8 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -1,7 +1,6 @@
 ---
 title: Smart Card Technical Reference
 description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
-ms.reviewer: ardenw
 ms.topic: overview
 ms.date: 11/06/2023
 ---
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
index 89cc719e7d..8fafa7059b 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
@@ -1,7 +1,6 @@
 ---
 title: Understanding and Evaluating Virtual Smart Cards
 description: Learn how smart card technology can fit into your authentication design.
-ms.prod: windows-client
 ms.topic: conceptual
 ms.date: 11/06/2023
 ---